Require Client SMB Packet Signing, if using smbclient
An XCCDF Rule
Description
To require samba clients running smbclient to use
packet signing, add the following to the [global] section
of the Samba configuration file, /etc/samba/smb.conf:
client signing = mandatoryRequiring samba clients such as
smbclient to use packet
signing ensures they can
only communicate with servers that support packet signing.
Rationale
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
- ID
- xccdf_org.ssgproject.content_rule_require_smb_client_signing
- Severity
- Unknown
- References
- Updated
Remediation - Ansible
- name: Check if /etc/samba/smb.conf exists
stat:
path: /etc/samba/smb.conf
register: st_smb
tags:
- CCE-80280-1
Remediation - Shell Script
######################################################################
#By Luke "Brisk-OH" Brisk
#luke.brisk@boeing.com or luke.brisk@gmail.com
######################################################################
CLIENTSIGNING=$( grep -ic 'client signing' /etc/samba/smb.conf )