The NFS anonymous UID and GID must be configured to values that have no permissions.

From SOLARIS 10 SPARC SECURITY TECHNICAL IMPLEMENTATION GUIDE

Part of GEN005820

Associated with IA controls: ECSC-1

Associated with: CCI-000062

SV-40304r1_rule The NFS anonymous UID and GID must be configured to values that have no permissions.

Vulnerability discussion

When an NFS server is configured to deny remote root access, a selected UID and GID are used to handle requests from the remote root user. The UID and GID should be chosen from the system to provide the appropriate level of non-privileged access.

Check content

Check if the anon option is set correctly for exported file systems. List exported file systems. # exportfs -v OR # more /etc/dfs/sharetab Each of the exported file systems should include an entry for the 'anon=' option set to -1 or an equivalent (60001, 60002, 65534, or 65535). If an appropriate 'anon=' setting is not present for an exported file system, this is a finding.

Fix text

Edit /etc/dfs/dfstab and add the "anon=-1" option for exports lacking it. Re-export the filesystems.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer