Require Client SMB Packet Signing, if using mount.cifs
An XCCDF Rule
Description
Require packet signing of clients who mount Samba shares using themount.cifs program (e.g., those who specify shares
in /etc/fstab). To do so, ensure signing options (either
sec=krb5i or sec=ntlmv2i) are used.
See the
mount.cifs(8) man page for more information. A Samba
client should only communicate with servers who can support SMB
packet signing.
Rationale
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
- ID
- xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing
- Severity
- Unknown
- Updated