From wsantos@redhat.com Thu Aug 20 11:31:38 2015
From: Willy Santos <wsantos@redhat.com>
To: scap-security-guide@lists.fedorahosted.org
Subject: Re: [PATCH] Added more NFS prose.
Date: Mon, 16 Jul 2012 09:06:44 -0400
Message-ID: <500411E4.9070500@redhat.com>
In-Reply-To: <5001CF83.1040606@eclipse.ncsc.mil>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3004104301874031240=="

--===============3004104301874031240==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

That's correct.

On 07/14/2012 03:58 PM, Jeffrey Blank wrote:
> ACK.  I believe this will pretty much round out the NFS guidance from
> previous sources such as the NSA RHEL 5 Guide and also the DISA RHEL 5
> STIG, right?
>
> (There might be more that should be said, but this should ensure we've
> included some relevant previous work.)
>
>
>
> On 07/13/2012 04:48 PM, Willy Santos wrote:
>> Signed-off-by: Willy Santos <wsantos(a)redhat.com>
>> ---
>>   RHEL6/input/services/nfs.xml |   50 ++++++++++++++++++++++++++++++++++++=
+----
>>   1 files changed, 45 insertions(+), 5 deletions(-)
>>
>> diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml
>> index 1d20041..7f5e049 100644
>> --- a/RHEL6/input/services/nfs.xml
>> +++ b/RHEL6/input/services/nfs.xml
>> @@ -256,8 +256,8 @@ can leave your NFS configuration more open than intend=
ed. Therefore, exercise ca
>>   the file.
>>   <br /><br />
>>   The syntax of each line in <tt>/etc/exports</tt> is
>> -<pre>/DIR	ipaddr1(opt1,opt2) ipaddr2(opt3)</pre>
>> -where <tt>/DIR</tt> is a directory or filesystem to export, <tt>ipaddrN</=
tt> is an IP address, netblock,
>> +<pre>/DIR	host1(opt1,opt2) host2(opt3)</pre>
>> +where <tt>/DIR</tt> is a directory or filesystem to export, <tt>hostN</tt=
> is an IP address, netblock,
>>   hostname, domain, or netgroup to which to export, and <tt>optN</tt> is a=
n option.
>>   </description>
>>   </Group> <!-- configure_exports_restrictively -->
>> @@ -280,20 +280,60 @@ Authorized hosts can be specified in several differe=
nt formats:
>>   </description>
>>   </Group> <!-- use_acl_enforce_auth_restrictions -->
>>  =20
>> +<Group id=3D"export_filesystems_read_only">
>> +<title>Export Filesystems Read-Only if Possible</title>
>> +<description>If a filesystem is being exported so that users can view the=
 files in a convenient
>> +fashion, but there is no need for users to edit those files, exporting th=
e filesystem read-only
>> +removes an attack vector against the server. The default filesystem expor=
t mode is <tt>ro</tt>,
>> +so do not specify <tt>rw</tt> without a good reason.
>> +</description>
>> +</Group> <!-- export_filesystems_read_only -->
>> +
>> +<Group id=3D"specify_anonymous_uid_gid">
>> +<title>Specify UID and GID for Anonymous Connections</title>
>> +<description>When an NFS server is configured to deny remote <tt>root</tt=
> access, a selected UID and GID
>> +are used to handle requests from the remote <tt>root</tt> user. The UID a=
nd GID should be chosen from the
>> +system to provide the appropriate level of non-privileged access. By defa=
ult, the NFS server will
>> +map remote <tt>root</tt> users to the <tt>nobody</tt> local account. Spec=
ifying the anonymous UID and GID
>> +as -1 ensures that the remote <tt>root</tt> user is mapped to a local acc=
ount which has no permissions on the
>> +system.
>> +<br /><br />
>> +To specify the UID and GID for remote <tt>root</tt> users, edit the <tt>/=
etc/exports</tt> file and add
>> +<tt>anonuid=3D-1</tt> and <tt>anongid=3D-1</tt> to the options list for e=
ach export.
>> +</description>
>> +</Group> <!-- specify_anonymous_uid_gid -->
>> +
>>   <Rule id=3D"use_root_squashing_all_exports">
>>   <title>Use Root-Squashing on All Exports</title>
>>   <description>If a filesystem is exported using root squashing, requests =
from root on the client
>>   are considered to be unprivileged (mapped to a user such as nobody). Thi=
s provides some mild
>>   protection against remote abuse of an NFS server. Root squashing is enab=
led by default, and
>>   should not be disabled.
>> -
>> -Ensure that no line in <tt>/etc/exports</tt> contains the option <tt>no_r=
oot_squash</tt>
>> +<br /><br />
>> +Ensure that no line in <tt>/etc/exports</tt> contains the option <tt>no_r=
oot_squash</tt>.
>>   </description>
>> -<rationale>If the NFS server allows root access to local file systems fro=
m remote hosts, this access could be used to compromise the system.</rational=
e>
>> +<rationale>If the NFS server allows root access to local file systems fro=
m remote hosts, this
>> +access could be used to compromise the system.</rationale>
>>   <ident cce=3D"4544-3" />
>>   <oval id=3D"TO:DO" />
>>   </Rule>
>>  =20
>> +<Rule id=3D"restrict_nfs_clients_to_privileged_ports">
>> +<title>Restrict NFS Clients to Privileged Ports</title>
>> +<description>By default, Linux=E2=80=99s NFS implementation requires that=
 all client requests be made
>> +from ports less than 1024. If your organization has control over machines=
 connected to its
>> +network, and if NFS requests are prohibited at the border firewall, this =
offers some protection
>> +against malicious requests from unprivileged users. Therefore, the defaul=
t should not be changed.
>> +<br /><br />
>> +Ensure that no line in <tt>/etc/exports</tt> contains the option <tt>inse=
cure</tt>.
>> +</description>
>> +<rationale>Allowing client requests to be made from ports higher than 102=
4 could allow a unprivileged
>> +user to initiate an NFS connection. If the unprivileged user account has =
been compromised, an
>> +attacker could gain access to data on the NFS server.</rationale>
>> +<ident cce=3D"4465-1" />
>> +<oval id=3D"TO:DO" />
>> +</Rule>
>> +
>>   </Group> <!-- nfs_configuring_servers -->
>>  =20
>>   </Group>



--===============3004104301874031240==--