Disable Network File Systems (netfs)

An XCCDF Rule

Description

The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself. The netfs service can be disabled with the following manifest:

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 75-master-netfs-disable
spec:
  config:
    ignition:
      version: 3.1.0
    systemd:
      units:
      - enabled: false
        name: netfs.service

This will disable the netfs service in all the nodes labeled with the "master" role.

Note that this needs to be done for each MachineConfigPool

For more information on how to configure nodes with the Machine Config Operator see the relevant documentation.

ID: xccdf_org.ssgproject.content_rule_service_netfs_disabled
Severity: Unknown
Updated: about 1 year ago

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: netfs.service
        enabled: false
        mask: true
      - name: netfs.socket
        enabled: false
        mask: true

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    systemd:
      units:
      - name: netfs.service
        enabled: false
        mask: true
      - name: netfs.socket
        enabled: false
        mask: true

Disable Network File Systems (netfs)

Description

Remediation - Kubernetes Patch

Remediation - script:ignition