UCF STIG Viewer Logo

The system must use SMB client signing for connecting to samba servers using mount.cifs.


Finding ID Version Rule ID IA Controls Severity
V-218025 RHEL-06-000273 SV-218025r505923_rule Low
Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit.
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2020-09-03


Check Text ( C-19506r377090_chk )
If Samba is not in use, this is not applicable.

To verify that Samba clients using mount.cifs must use packet signing, run the following command:

# grep sec /etc/fstab /etc/mtab

The output should show either "krb5i" or "ntlmv2i" in use.
If it does not, this is a finding.
Fix Text (F-19504r377091_fix)
Require packet signing of clients who mount Samba shares using the "mount.cifs" program (e.g., those who specify shares in "/etc/fstab"). To do so, ensure signing options (either "sec=krb5i" or "sec=ntlmv2i") are used.

See the "mount.cifs(8)" man page for more information. A Samba client should only communicate with servers who can support SMB packet signing.