Disable Kerberos by removing host keytab.

linux_os/guide/services/kerberos/group.yml

@@ -0,0 +1,12 @@
+documentation_complete: true
+
+title: 'Kerberos'
+
+description: |-
+    The Kerberos protocol is used for authentication across
+    non-secure network. Authentication can happen between
+    various types of principals -- users, service, or hosts.
+    Their identity and encryption keys can be stored in keytab
+    files.
+
+platform: machine

linux_os/guide/services/kerberos/kerberos_disable_no_keytab/bash/shared.sh

@@ -0,0 +1,3 @@
+# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8
+
+rm -f /etc/*.keytab

linux_os/guide/services/kerberos/kerberos_disable_no_keytab/oval/shared.xml

@@ -0,0 +1,25 @@
+<def-group>
+  <definition class="compliance" id="kerberos_disable_no_keytab" version="1">
+    <metadata>
+      <title>Restrict Kerberos operation by removing keytab files</title>
+      <affected family="unix">
+        <platform>multi_platform_fedora</platform>
+        <platform>Red Hat Enterprise Linux 8</platform>
+        <platform>Oracle Linux 8</platform>
+      </affected>
+      <description>Check that there is no Kerberos keytab file present in /etc</description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="test_kerberos_disable_no_keytab" negate="true"
+        comment="Restrict Kerberos operation by removing keytab files" />
+    </criteria>
+  </definition>
+
+  <unix:file_object id="obj_kerberos_disable_no_keytab" version="1" comment="fapolicyd.mounts">
+    <unix:filepath operation="pattern match">/etc/*.keytab</unix:filepath>
+  </unix:file_object>
+  <unix:file_test id="test_kerberos_disable_no_keytab" check="at least one" version="1"
+    comment="Ensure a keytab file exists">
+    <unix:object object_ref="obj_kerberos_disable_no_keytab"/>
+  </unix:file_test>
+</def-group>

linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml

@@ -0,0 +1,28 @@
+documentation_complete: true
+
+title: 'Disable Kerberos by removing host keytab'
+
+description: |-
+    Kerberos is not an approved key distribution method for
+    Common Criteria. To prevent using Kerberos by system daemons,
+    remove the host keytab <tt>/etc/krb5.keytab</tt>.
+
+rationale: |-
+    The key derivation function (KDF) in Kerberos is not FIPS compatible.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: 82175-1
+
+references:
+    ospp: FCS_CKM.1
+
+ocil_clause: 'it is present on the system'
+
+ocil: |-
+    Run the following command to see if there are some keytabs
+    that would potentially allow the use of Kerberos by system daemons.
+    <pre>$ ls -la /etc/*.keytab</pre>
+    The expected result is
+    <pre>ls: cannot access '/etc/*.keytab': No such file or directory</pre>

rhel8/profiles/ospp.profile

@@ -394,3 +394,6 @@ selections:
     # Configure TLS for remote logging
     - rsyslog_remote_tls
     - rsyslog_remote_tls_cacert
+
+    # Prevent Kerberos use by system daemons
+    - kerberos_disable_no_keytab

shared/references/cce-redhat-avail.txt

@@ -5,7 +5,6 @@ CCE-82171-0
 CCE-82172-8
 CCE-82173-6
 CCE-82174-4
-CCE-82175-1
 CCE-82178-5
 CCE-82179-3
 CCE-82180-1