
Disable Network File System Lock Service (nfslock)

An XCCDF Rule

Description

The Network File System Lock (nfslock) service starts the remote procedure call (RPC) processes that allow clients to lock files on the server. If the local system is not configured to mount NFS filesystems, then this service should be disabled. The nfslock service can be disabled with the following command:

$ sudo systemctl mask --now nfslock.service
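
To check the result of this rule on a host, the following audit sketch first tests whether NFS filesystems are configured and then classifies the unit state. It is an added example, not part of the SSG content; the function names are hypothetical, and it assumes the state words printed by `systemctl is-enabled` and `systemctl is-active`.

```shell
#!/bin/sh
# Added audit sketch for this rule; function names are hypothetical.

# has_nfs_mounts FILE: succeed if FILE (fstab or /proc/mounts layout)
# lists an nfs or nfs4 filesystem in field 3, ignoring comment lines.
has_nfs_mounts() {
    awk '$1 !~ /^#/ && ($3 == "nfs" || $3 == "nfs4") { found = 1 }
         END { exit(found ? 0 : 1) }' "$1" 2>/dev/null
}

# classify_unit ENABLED ACTIVE: turn the words printed by
# `systemctl is-enabled` and `systemctl is-active` into a verdict.
# Returns 0 = pass, 1 = fail, 2 = warn.
classify_unit() {
    case "$2" in
        active|activating|reloading)
            # Masked without --now leaves the old process running.
            echo "fail: unit is $2"; return 1 ;;
    esac
    case "$1" in
        masked|not-found|"") echo "pass"; return 0 ;;
        disabled) echo "warn: disabled but not masked"; return 2 ;;
        *) echo "fail: unit file state is $1"; return 1 ;;
    esac
}

# audit_nfslock [UNIT]: skip when NFS is in use, otherwise check the unit.
audit_nfslock() {
    unit="${1:-nfslock.service}"
    if has_nfs_mounts /etc/fstab || has_nfs_mounts /proc/mounts; then
        echo "skip: NFS filesystems are configured"; return 0
    fi
    enabled="$(systemctl is-enabled "$unit" 2>/dev/null || true)"
    active="$(systemctl is-active "$unit" 2>/dev/null || true)"
    classify_unit "$enabled" "$active"
}

# Run the audit only when asked, e.g.: sh audit_nfslock.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_nfslock; fi
```

A unit that is only disabled is reported as a warning because it can still be started manually or as a dependency of another unit; masking prevents both.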

ID
xccdf_org.ssgproject.content_rule_service_nfslock_disabled
Severity
Unknown

Remediation - Shell Script

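# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
# Stop the running service and remove it from the boot sequence
"$SYSTEMCTL_EXEC" stop 'nfslock.service'
"$SYSTEMCTL_EXEC" disable 'nfslock.service'
# Mask the unit, as in the command from the description
"$SYSTEMCTL_EXEC" mask 'nfslock.service'

fi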

Remediation - Kubernetes Patch

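apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0
    # Ignition systemd section: disable and mask the unit on the node
    systemd:
      units:
      - name: nfslock.service
        enabled: false
        mask: true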

Remediation - OS Build Blueprint


[customizations.services]
disabled = ["nfslock"]

Remediation - Ansible

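- name: Block Disable service nfslock
  block:

  - name: Disable service nfslock
    block:

    # Stop, disable and mask the unit in one task
    - name: Stop, disable and mask nfslock.service
      ansible.builtin.systemd:
        name: nfslock.service
        enabled: false
        state: stopped
        masked: true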

Remediation - Puppet

include disable_nfslock

class disable_nfslock {
  # Keep the service stopped and out of the boot sequence
  service {'nfslock':
    enable => false,
    ensure => 'stopped',
  }
}