STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide, Version: 2, Release: 3, Benchmark Date: 23 Apr 2021

The NFS server must not have the all_squash option enabled.

DISA Rule

SV-209060r603263_rule

Vulnerability Number

V-209060

Group Title

SRG-OS-000104

Rule Version

OL6-00-000515

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Remove any instances of the "all_squash" option from the file "/etc/exports". Restart the NFS daemon for the changes to take effect.

# service nfs restart

Check Contents

If the NFS server is read-only, in support of unrestricted access to organizational content, this is not applicable.

The related "root_squash" option provides protection against remote administrator-level access to NFS server content. Its use is not a finding.

To verify the "all_squash" option has been disabled, run the following command:

# grep all_squash /etc/exports

If there is output, this is a finding.
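The grep above also prints commented-out lines and entries that use "no_all_squash", so its output still needs reading. The following is an added example, not part of the STIG: a shell function (the names find_all_squash and sample_exports are hypothetical, and the sample file is constructed) that reports only active export entries whose option list sets "all_squash".

```shell
#!/bin/bash
# find_all_squash FILE
# Prints "FIRST_LINE_NUMBER: entry" for each active export entry that sets
# all_squash inside a parenthesised option list.
# Exit status: 0 = at least one match (finding), 1 = none, other = awk error.
find_all_squash() {
    awk '
    {
        line = $0
        sub(/#.*$/, "", line)              # comments run to end of line
        if (start == 0) start = NR         # remember where the entry began
        if (line ~ /\\[ \t]*$/) {          # trailing backslash: entry continues
            sub(/\\[ \t]*$/, "", line)
            entry = entry line " "
            next
        }
        entry = entry line
        # Whole option only: "(" or "," before it, "," or ")" after it,
        # so no_all_squash does not match.
        if (entry ~ /[(,][ \t]*all_squash[ \t]*[,)]/) {
            printf "%d: %s\n", start, entry
            found = 1
        }
        entry = ""; start = 0
    }
    END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample of /etc/exports content (documentation addresses).
sample_exports() {
    cat <<'EOF'
# all_squash was removed from /srv/old (constructed comment)
/srv/pub     192.0.2.0/24(ro,root_squash)
/srv/home    192.0.2.0/24(rw,no_all_squash,root_squash)
/srv/drop    192.0.2.10(rw,all_squash,anonuid=65534)
/srv/multi   192.0.2.20(rw,sync) \
             192.0.2.21(rw,all_squash)
EOF
}
```

On the constructed sample, plain grep prints four lines, while the function reports only the entries starting at lines 4 and 5. Whether a read-only server makes the rule not applicable remains a manual judgement.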

Documentable

False

Severity Override Guidance

If the NFS server is read-only, in support of unrestricted access to organizational content, this is not applicable.

The related "root_squash" option provides protection against remote administrator-level access to NFS server content. Its use is not a finding.

To verify the "all_squash" option has been disabled, run the following command:

# grep all_squash /etc/exports

If there is output, this is a finding.

Check Content Reference

M

Target Key

2928
