Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Guide to the Secure Configuration of Debian 10
Services
NFS and RPC
Configure NFS Clients
Mount Remote Filesystems with Restrictive Options
Mount Remote Filesystems with Restrictive Options
An XCCDF Group - A logical subset of the XCCDF Benchmark
Details
Profiles
Prose
Mount Remote Filesystems with Restrictive Options
Edit the file
/etc/fstab
. For each filesystem whose type (column 3) is
nfs
or
nfs4
, add the text
,nodev,nosuid
to the list of mount options in column 4. If appropriate, also add
,noexec
.
See the section titled "Restrict Partition Mount Options" for a description of the effects of these options. In general, execution of files mounted via NFS should be considered risky because of the possibility that an adversary could intercept the request and substitute a malicious file. Allowing setuid files to be executed from remote servers is particularly risky, both for this reason and because it requires the clients to extend root-level trust to the NFS server.