Use Kerberos Security on All Exports

An XCCDF Rule

Description

Using Kerberos on all exported mounts prevents a malicious client or user from impersonating a system user. To cryptography authenticate users to the NFS server, add sec=krb5:krb5i:krb5p to each export in /etc/exports.

Rationale

When an NFS server is configured to use AUTH_SYS a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The AUTH_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request.

ID: xccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports
Severity: Medium
References: 1 12 14 15 16 18 3 5

DSS05.04 DSS05.10 DSS06.10

CCI-000366

164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.3

SR 1.1 SR 1.10 SR 1.2 SR 1.5 SR 1.7 SR 1.8 SR 1.9 SR 2.1

A.18.1.4 A.6.1.2 A.9.1.2 A.9.2.1 A.9.2.3 A.9.2.4 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5

AC-17(a) CM-6(a) CM-7(a) CM-7(b) IA-2 IA-2(8) IA-2(9)

PR.AC-4 PR.AC-7

SRG-OS-000480-GPOS-00227

CCE-91416-8
Updated: about 1 year ago


nfs_exports=()
readarray -t nfs_exports < <(grep -E "^/.*[[:space:]]+ .*\(.*\)[[:space:]]*$" /etc/exports | awk '{print $2}')

for nfs_export in "${nfs_exports[@]}"
do    correct_export=""
    if [ "$(grep -c "sec=" <<<"$nfs_export")" -eq 0 ]; then
        correct_export="$(echo $nfs_export|sed  -e 's/).*$/,sec=krb5\:krb5i\:krb5p)/')"
    else
        correct_export="$(echo $nfs_export|sed  -e 's/sec=[^\,\)]*/sec=krb5\:krb5i\:krb5p/')"
    fi
    sed -i "s|$nfs_export|$correct_export|g" /etc/exports
done

- name: Drop any security clause for every export
  replace:
    path: /etc/exports
    regexp: ^(/.*\w+.*\(.*),sec=[^,]*(.*\)\w*$)
    replace: \1\2
  tags:  - CCE-91416-8
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-2
  - NIST-800-53-IA-2(8)
  - NIST-800-53-IA-2(9)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - use_kerberos_security_all_exports

- name: Add kerberos security when no security is defined for an export
  replace:
    path: /etc/exports
    regexp: ^(/.*\w+.*\(.*)(\)\w*$)
    replace: \1,sec=krb5:krb5i:krb5p\2
  tags:
  - CCE-91416-8
  - NIST-800-53-AC-17(a)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-IA-2
  - NIST-800-53-IA-2(8)
  - NIST-800-53-IA-2(9)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - use_kerberos_security_all_exports

Use Kerberos Security on All Exports

Description

Rationale

Remediation - Shell Script

Remediation - Ansible