Require Client SMB Packet Signing, if using mount.cifs
An XCCDF Rule
Description
Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who specify shares in /etc/fstab). To do so, ensure signing options (either sec=krb5i or sec=ntlmv2i) are used. See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.
Rationale
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
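An added example, not part of the rule's own content: a Python audit that reads fstab-format text and reports cifs entries whose options lack sec=krb5i or sec=ntlmv2i. The sample fstab, its host names and paths are constructed, and treating an entry that carries any non-signing sec= value as a finding is an assumption made here.

```python
import sys

SIGNING_SEC = {"krb5i", "ntlmv2i"}  # the two signing options the rule names

# Constructed sample in fstab(5) format; hosts and paths are placeholders.
SAMPLE_FSTAB = """\
# device  mountpoint  type  options  dump  pass
UUID=1234-abcd / xfs defaults 0 0
//fs01.example.com/projects /mnt/projects cifs credentials=/etc/smbcred,sec=krb5i 0 0
//fs01.example.com/scratch /mnt/scratch cifs credentials=/etc/smbcred,sec=ntlmssp 0 0
//fs01.example.com/public /mnt/public cifs guest,ro 0 0
//fs02.example.com/home /mnt/home cifs sec=ntlmv2i,_netdev 0 0
"""


def audit_fstab(text):
    """Return (line_no, mount_point, reason) for each cifs entry lacking a signing sec= option."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split()
        if len(fields) < 3 or fields[2].lower() != "cifs":
            continue  # not a cifs mount
        options = fields[3].split(",") if len(fields) > 3 else []
        sec_values = [o.partition("=")[2] for o in options if o.partition("=")[0] == "sec"]
        if not sec_values:
            findings.append((line_no, fields[1], "no sec= option"))
        # Assumption: any non-signing sec= value is a finding, even beside a signing one.
        elif not all(v in SIGNING_SEC for v in sec_values):
            findings.append((line_no, fields[1], "sec=" + ",".join(sec_values)))
    return findings


def main(argv):
    # With a path argument, audit that file; otherwise audit the constructed sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_FSTAB
    findings = audit_fstab(text)
    for line_no, mount_point, reason in findings:
        print(f"line {line_no}: {mount_point}: {reason}")
    return 1 if findings else 0  # non-zero exit when any entry fails the check


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with a path such as /etc/fstab as the only argument to audit a real file; the exit status is 1 when any cifs entry is reported.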
- ID: xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing
- Severity: Unknown
- References
- Updated