mediumfilesystemunverified
Ensure NFS mounts use a Kerberos (krb5) security option
mount-nfs-sec-krb5 · RHEL ≥ 10 · 1 impl
Description
Every NFS file system defined in /etc/fstab must specify a "sec" option using Kerberos authentication (sec=krb5, krb5i, or krb5p). Not applicable when no NFS mounts are configured.
Rationale
Without a Kerberos "sec" option, NFS falls back to AUTH_SYS, which trusts the client-supplied UID/GID and provides no cryptographic authentication or integrity. krb5 authenticates the principal, krb5i adds integrity, and krb5p adds privacy (encryption), protecting exported data in transit.
Check → Remediate
Checkcommand
if ! awk '$1 !~ /^#/ && $3 ~ /^nfs4?$/ {found=1} END{exit found?0:1}' /etc/fstab 2>/dev/null; then
echo "NOT APPLICABLE: no NFS mounts configured in /etc/fstab"
exit 0
fi
bad=$(awk '$1 !~ /^#/ && $3 ~ /^nfs4?$/ && $4 !~ /sec=krb5/ {c++} END{print c+0}' /etc/fstab 2>/dev/null)
if [ "$bad" -gt 0 ]; then
echo "FAIL: $bad NFS mount(s) in /etc/fstab lack a sec=krb5/krb5i/krb5p option"
exit 1
fi
echo "OK: all NFS mounts specify a Kerberos sec= option"
exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Edit /etc/fstab and add a Kerberos security option to each NFS mount's option field (sec=krb5 for authentication, krb5i for integrity, or krb5p for privacy/encryption), then remount (mount -o remount <mountpoint>). Kerberos NFS also requires a configured keytab and the nfs-secure/gssproxy services.
Framework references
STIG
V-281231 / RHEL-10-700115
NIST 800-53
CM-6AC-17
#nfs#mount#kerberos#krb5#stig