From e634287f3282ce26200862f6e943a278764a3fe3 Mon Sep 17 00:00:00 2001
From: Bob Mottram <bob@freedombone.net>
Date: Tue, 27 Jun 2017 10:32:46 +0100
Subject: [PATCH] Avoid nfs altogether

---
 src/freedombone-image-customise |  3 +--
 src/freedombone-tests           | 38 ---------------------------------
 src/freedombone-utils-setup     | 23 --------------------
 3 files changed, 1 insertion(+), 63 deletions(-)

diff --git a/src/freedombone-image-customise b/src/freedombone-image-customise
index 66bf38f56..8943069e2 100755
--- a/src/freedombone-image-customise
+++ b/src/freedombone-image-customise
@@ -1039,7 +1039,6 @@ function image_setup_utils {
     chroot "$rootdir" apt-get -yq dist-upgrade
     chroot "$rootdir" apt-get -yq install ca-certificates
     chroot "$rootdir" apt-get -yq install apt-utils
-    chroot "$rootdir" apt-get -yq install nfs-kernel-server
 
     if [[ $ARCHITECTURE == 'amd64' ]]; then
         chroot "$rootdir" apt-get -yq install linux-image-amd64
@@ -1206,7 +1205,7 @@ function image_setup_utils {
     chroot "$rootdir" apt-get -yq install tripwire
 
     # filesystem optimisations
-    sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' $rootdir/etc/fstab
+    #sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' $rootdir/etc/fstab
 }
 
 function image_install_nodejs {
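Review bot: The `sed` on `$rootdir/etc/fstab` is commented out rather than removed and no reason is given, so the `# filesystem optimisations` heading now sits over dead code. It is unclear whether dropping the btrfs `defaults,compress=lzo,ssd` mount options is intentional, and the change looks unrelated to the NFS removal named in the subject. Either delete both lines or record the reason next to it, e.g. `# disabled: <reason>; fstab btrfs options left as generated`. If the line is later re-enabled, quote the path as `"$rootdir/etc/fstab"` so a rootdir containing spaces or glob characters cannot redirect the in-place edit. image_setup_utils begins outside this hunk.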
diff --git a/src/freedombone-tests b/src/freedombone-tests
index 2ee1678d6..cc6f2f9c9 100755
--- a/src/freedombone-tests
+++ b/src/freedombone-tests
@@ -844,26 +844,6 @@ function test_stig {
     output "V-38641" $? ${SETLANG}
     ################
 
-    ##RHEL-06-000269
-    ##Remote file systems must be mounted with the nodev option.
-    if [ "$(mount | grep nfs | wc -l)" -gt 0 ];then
-        bash $STIG_TESTS_DIR/check-nfs.sh nodev >/dev/null 2>&1 &
-
-        stig_spinner $!
-        output "V-38652" $? ${SETLANG}
-    fi
-    ################
-
-    ##RHEL-06-000270
-    ##Remote file systems must be mounted with the nosuid option.
-    if [ "$(mount | grep nfs | wc -l)" -gt 0 ];then
-        bash $STIG_TESTS_DIR/check-nfs.sh nosuid >/dev/null 2>&1 &
-
-        stig_spinner $!
-        output "V-38654" $? ${SETLANG}
-    fi
-    ################
-
     ##RHEL-06-000271
     ##The noexec option must be added to removable media partitions.
     if [ "$(grep -Hv ^0$ /sys/block/*/removable | sed s/removable:.*$/device\\/uevent/ | xargs grep -H ^DRIVER=sd | sed s/device.uevent.*$/size/ | xargs grep -Hv ^0$ | cut -d / -f 4 | wc -l)" -gt 0 ];then
@@ -946,15 +926,6 @@ function test_stig {
     output "V-38675" $? ${SETLANG}
     ################
 
-    ##RHEL-06-000309
-    ##The NFS server must not have the insecure file locking option enabled.
-
-    bash $STIG_TESTS_DIR/check-nfs-insecure.sh > /dev/null 2>&1 &
-
-    stig_spinner $!
-    output "V-38677" $? ${SETLANG}
-    ################
-
     ##RHEL-06-000319
     ##The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
 
@@ -1046,15 +1017,6 @@ function test_stig {
     output "V-38462" $? ${SETLANG}
     ################
 
-    ##RHEL-06-000515
-    ##The NFS server must not have the all_squash option enabled.
-
-    bash $STIG_TESTS_DIR/check-nfs-all-squash.sh > /dev/null 2>&1 &
-
-    stig_spinner $!
-    output "V-38460" $? ${SETLANG}
-    ################
-
     ##RHEL-06-000523
     ##The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
 
diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup
index be4311e88..5e0f139ec 100755
--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -381,15 +381,6 @@ function create_completion_file {
     fi
 }
 
-function disable_nfs_insecure_locks {
-    apt-get -yq install nfs-kernel-server
-    if grep 'insecure_locks' /etc/exports; then
-        sed -i 's|,insecure_locks||g' /etc/exports
-        sed -i 's|insecure_locks,||g' /etc/exports
-        exportfs -a
-    fi
-}
-
 function remove_management_engine_interface {
     # see https://www.kernel.org/doc/Documentation/misc-devices/mei/mei.txt
     # Disabling this interface doesn't cure the problems of ME, but it
@@ -488,9 +479,6 @@ function disable_ctrl_alt_del {
 }
 
 function lockdown_permissions {
-    if [ -d /etc/fs/nfs ]; then
-        remove_nfs
-    fi
     if [ -d /root/.npm ]; then
         find /root/.npm -name package.json -exec chmod 700 {} \;
     fi
@@ -625,11 +613,6 @@ function create_usb_canary {
     mark_completed $FUNCNAME
 }
 
-function remove_nfs {
-    apt-get -yq remove nfs-kernel-server
-    apt-get -yq remove nfs-common
-}
-
 function setup_firewall {
     function_check create_completion_file
     create_completion_file
@@ -700,9 +683,6 @@ function setup_utils {
     function_check proc_filesystem_settings
     proc_filesystem_settings
 
-    function_check remove_nfs
-    remove_nfs
-
     function_check optimise_filesystem
     optimise_filesystem
 
@@ -730,9 +710,6 @@ function setup_utils {
     function_check remove_bluetooth
     remove_bluetooth
 
-    function_check disable_nfs_insecure_locks
-    disable_nfs_insecure_locks
-
     function_check set_login_umask
     set_login_umask
 
-- 
GitLab