Skip to content

Mount Remote Filesystems with Kerberos Security

An XCCDF Rule

Description

Add the sec=krb5:krb5i:krb5p option to the fourth column of /etc/fstab for the line which controls mounting of any NFS mounts.

Rationale

When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.

ID
xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

vfstype_points=()
readarray -t vfstype_points < <(grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | awk '{print $2}')


Remediation - Ansible

- name: Get nfs and nfs4 mount points, that don't have sec=krb5:krb5i:krb5p
  command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n -P
  register: points_register
  check_mode: false
  changed_when: false
  failed_when: false