Ensure Insecure File Locking is Not Allowed

An XCCDF Rule

Description

By default the NFS server requires secure file-lock requests, which require credentials from the client in order to lock a file. Most NFS clients send credentials with file-lock requests; however, a few clients do not send credentials when requesting a file lock, which limits those clients to locking only world-readable files. To work around this, the insecure_locks option can be used so that these clients can access the desired export. This poses a security risk by potentially allowing the client access to data for which it does not have authorization. Remove any instances of the insecure_locks option from the file /etc/exports.
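
One way to audit an exports file for this rule, as an added example (not the rule's own check content): the function flags entries carrying insecure_locks, and also no_auth_nlm, which exports(5) documents as another name for the same option. The function names, sample paths and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: report exports entries that disable lock-request authentication.

# Constructed sample input (documentation addresses, hypothetical paths).
sample_exports() {
    cat <<'EOF'
# constructed sample /etc/exports
/srv/public   *(ro,sync)
/srv/legacy   192.0.2.10(rw,insecure_locks,sync)
/srv/ports    192.0.2.0/24(rw,insecure)      # port option, must not be flagged
/srv/wrapped  198.51.100.5(rw,sync) \
              198.51.100.6(rw,no_auth_nlm)
#/srv/old     *(rw,insecure_locks)
/srv/defaults -insecure_locks,ro 203.0.113.7
EOF
}

# Print "<first line number>: <entry>" for every offending export entry.
# Reads the file given as argument, or stdin when none is given.
find_insecure_locks() {
    awk '
    function check() {
        gsub(/[ \t]+/, " ", buf); sub(/^ /, "", buf); sub(/ $/, "", buf)
        # Option must be a whole token in "(...)" or in a "-opt,opt" default list.
        if ((buf " ") ~ /([(,]|[ \t]-)(insecure_locks|no_auth_nlm)[), \t]/)
            printf "%d: %s\n", start, buf
        buf = ""
    }
    {
        if (buf == "") start = FNR           # first physical line of the entry
        line = $0
        sub(/#.*/, "", line)                 # comments run to end of line
        if (line ~ /\\[ \t]*$/) {            # trailing backslash wraps the entry
            sub(/\\[ \t]*$/, " ", line)
            buf = buf line
            next
        }
        buf = buf line
        check()
    }
    END { if (buf != "") check() }
    ' "$@"
}

sample_exports | find_insecure_locks
```

Run it against the live file with `find_insecure_locks /etc/exports`; no output means no entry carries the option.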

Rationale

Insecure file locking could allow sensitive data to be viewed or edited by an unauthorized user.

ID
xccdf_org.ssgproject.content_rule_no_insecure_locks_exports
Severity
Medium
References
Updated