← Rules Catalog
mediumfilesystemunverified

Ensure NFS mounts use a Kerberos (krb5) security option

mount-nfs-sec-krb5 · RHEL ≥ 10 · 1 impl

Description

Every NFS file system defined in /etc/fstab must specify a "sec" option using Kerberos authentication (sec=krb5, krb5i, or krb5p). Not applicable when no NFS mounts are configured.

Rationale

Without a Kerberos "sec" option, NFS falls back to AUTH_SYS, which trusts the client-supplied UID/GID and provides no cryptographic authentication or integrity. krb5 authenticates the principal, krb5i adds integrity, and krb5p adds privacy (encryption), protecting exported data in transit.

Check → Remediate

Checkcommand
if ! awk '$1 !~ /^#/ && $3 ~ /^nfs4?$/ {found=1} END{exit found?0:1}' /etc/fstab 2>/dev/null; then
  echo "NOT APPLICABLE: no NFS mounts configured in /etc/fstab"
  exit 0
fi
bad=$(awk '$1 !~ /^#/ && $3 ~ /^nfs4?$/ && $4 !~ /sec=krb5/ {c++} END{print c+0}' /etc/fstab 2>/dev/null)
if [ "$bad" -gt 0 ]; then
  echo "FAIL: $bad NFS mount(s) in /etc/fstab lack a sec=krb5/krb5i/krb5p option"
  exit 1
fi
echo "OK: all NFS mounts specify a Kerberos sec= option"
exit 0
expected_exit:
0
Remediatemanual
note:
Edit /etc/fstab and add a Kerberos security option to each NFS mount's option field (sec=krb5 for authentication, krb5i for integrity, or krb5p for privacy/encryption), then remount (mount -o remount <mountpoint>). Kerberos NFS also requires a configured keytab and the nfs-secure/gssproxy services.

Framework references

STIG

V-281231 / RHEL-10-700115

NIST 800-53

CM-6AC-17
#nfs#mount#kerberos#krb5#stig