All AIX NFS anonymous UIDs and GIDs must be configured to values without permissions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-215209 | AIX7-00-001055 | SV-215209r991589_rule | CCI-000366 | medium |
| Description | ||||
| When an NFS server is configured to deny remote root access, a selected UID and GID are used to handle requests from the remote root user. The UID and GID should be chosen from the system to provide the appropriate level of non-privileged access. | ||||
| STIG | Date | |||
| IBM AIX 7.x Security Technical Implementation Guide | 2024-08-16 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-215209r991589_chk)
Check if the "anon" option is set correctly for exported file systems.
List exported file systems using command:
# exportfs -v
/home/doej rw,anon=-1,access=doej
Note: Each of the exported file systems should include an entry for the "anon=" option set to "-1" or an equivalent (60001, 60002, 65534, or 65535).
If an appropriate "anon=" setting is not present for an exported file system, this is a finding.
Fix Text (F-16405r294079_fix)
Edit "/etc/exports" and set the "anon=-1" option for all exported file systems without it.
Re-export the file systems using command:
# exportfs -a