
V-215234

CAT II (Medium)

NFS file systems on AIX must be mounted with the nosuid option unless the NFS file systems contain approved setuid or setgid programs.

Rule ID

SV-215234r1184573_rule

STIG

IBM AIX 7.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-002233

Discussion

The nosuid mount option causes the system to not execute setuid files with owner privileges. This option must be used for mounting any file system not containing approved setuid files. Executing setuid files from untrusted file systems, or file systems not containing approved setuid files, increases the opportunity for unprivileged users to attain unauthorized administrative access.

Check Content

Obtain a list of NFS file systems that contain approved "setuid" or "setgid" files from the information system security officer (ISSO)/information system security manager (ISSM).

Check that the "nosuid" mount option is used on all NFS file systems that do not contain approved "setuid" or "setgid" files:
# mount | grep -E "options|nfs|---"
  node       mounted        mounted over    vfs       date        options 
-------- ---------------  ---------------  ------ ------------ --------------- 
nfs.example.com  /path/to/directory1  /mnt_1  nfs3   Nov 05 14:11  ro,bg,hard,intr,nosuid,sec=sys
nfs.example.com  /path/to/directory2  /mnt_2  nfs3   Nov 05 14:12  ro,bg,hard,intr,sec=sys

If the NFS mounts do not show the "nosuid" setting in their "options" fields, along with other mount options, this is a finding.
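
The check above as a script, added here as an example and not part of the STIG: it reads AIX `mount` output and prints each NFS mount point that lacks "nosuid" and is not on the approved list. The function names, passing approved mount points as arguments, and the local jfs2 sample line are assumptions; mount points containing spaces are not handled.

```shell
#!/bin/sh
# Added example: flag NFS mounts lacking nosuid, skipping approved mount points.
# Reads AIX `mount` output on stdin; mount points approved by the ISSO/ISSM
# to hold setuid/setgid programs are passed as arguments.
nfs_missing_nosuid() {
    approved=" $* "
    awk -v approved="$approved" '
        # Remote mounts carry a node column, so vfs is field 4, the mount
        # point is field 3 and options are field 8. Local mounts, the header
        # and the dashed rule never have "nfs*" in field 4 and are skipped.
        $4 ~ /^nfs/ {
            mnt = $3
            opts = "," $8 ","
            if (index(approved, " " mnt " ") > 0) next   # approved exception
            if (index(opts, ",nosuid,") == 0) print mnt  # finding
        }'
}

# Constructed sample input: the two NFS lines shown on this page plus one
# constructed local jfs2 line to show that non-NFS mounts are ignored.
sample_mount_output() {
    cat <<'EOF'
  node       mounted        mounted over    vfs       date        options
-------- ---------------  ---------------  ------ ------------ ---------------
         /dev/hd4         /                jfs2   Nov 05 14:00 rw,log=/dev/hd8
nfs.example.com  /path/to/directory1  /mnt_1  nfs3   Nov 05 14:11  ro,bg,hard,intr,nosuid,sec=sys
nfs.example.com  /path/to/directory2  /mnt_2  nfs3   Nov 05 14:12  ro,bg,hard,intr,sec=sys
EOF
}

# On a live system: mount | nfs_missing_nosuid <approved_mount_point> ...
```

Any mount point printed is a finding unless it belongs on the approved list.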

Fix Text

For each NFS file system that does not contain approved "setuid" or "setgid" files, add the "nosuid" option, along with other mount options, to the "options" field in "/etc/filesystems" using the following command:
# chfs -a options=ro,bg,hard,intr,nosuid,sec=sys <NFS_mount_point>

Note that the mount options other than "nosuid" may differ among NFS mounts.