RHEL 10 must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-281231 | RHEL-10-700115 | SV-281231r1166645_rule | CCI-000213 | medium |
| Description | ||||
| When an NFS server is configured to use RPCSEC_SYS, a selected userid and groupid are used to handle requests from the remote user. The userid and groupid could mistakenly or maliciously be set incorrectly. The RPCSEC_GSS method of authentication uses certificates on the server and client systems to more securely authenticate the remote mount request. | ||||
| STIG | Date | |||
| Red Hat Enterprise Linux 10 Security Technical Implementation Guide | 2026-03-11 | |||
Details
Check Text (C-281231r1166645_chk)
Note: If no NFS mounts are configured, this requirement is not applicable.
Verify RHEL 10 has the "sec" option configured for all NFS mounts with the following command:
$ sudo grep nfs /etc/fstab
192.168.22.2:/mnt/export /data nfs4 rw,nosuid,nodev,noexec,sync,soft,sec=krb5p:krb5i:krb5
If the system is mounting file systems via NFS and has the sec option without the "krb5:krb5i:krb5p" settings, the "sec" option has the "sys" setting, or the "sec" option is missing, this is a finding.
Fix Text (F-85697r1166644_fix)
Configure RHEL 10 so that the "/etc/fstab" file "sec" option is defined for each NFS mounted file system, and the "sec" option does not have the "sys" setting.
Ensure the "sec" option is defined as "krb5p:krb5i:krb5".