Commit
Disable Kerberos by removing host keytab.
Showing 6 changed files with 71 additions and 1 deletion.
@@ -0,0 +1,12 @@ | ||
documentation_complete: true | ||
|
||
title: 'Kerberos' | ||
|
||
description: |- | ||
The Kerberos protocol is used for authentication across | ||
non-secure network. Authentication can happen between | ||
various types of principals -- users, service, or hosts. | ||
Their identity and encryption keys can be stored in keytab | ||
files. | ||
platform: machine |
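Review bot: two grammar slips in the group description: "across non-secure network" should read "across non-secure networks", and in the principal list "users, service, or hosts" the middle item should be plural, "services". The rest of the text is fine.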
3 changes: 3 additions & 0 deletions
linux_os/guide/services/kerberos/kerberos_disable_no_keytab/bash/shared.sh
@@ -0,0 +1,3 @@ | ||
# platform = multi_platform_fedora,Red Hat Enterprise Linux 8,Oracle Linux 8 | ||
|
||
rm -f /etc/*.keytab |
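Review bot: the remediation `rm -f /etc/*.keytab` is broader than the rule.yml description, which talks only about removing the host keytab `/etc/krb5.keytab`; with the glob, every keytab under /etc is deleted, including service keytabs that other system daemons may rely on. Either narrow it to `rm -f /etc/krb5.keytab` so it matches the description, or keep the glob and reword the description and OCIL so check, fix and text all agree. A `warning` in rule.yml stating that Kerberos-dependent services stop working once the keytab is gone would also help whoever applies this remediation.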
25 changes: 25 additions & 0 deletions
linux_os/guide/services/kerberos/kerberos_disable_no_keytab/oval/shared.xml
@@ -0,0 +1,25 @@ | ||
<def-group> | ||
<definition class="compliance" id="kerberos_disable_no_keytab" version="1"> | ||
<metadata> | ||
<title>Restrict Kerberos operation by removing keytab files</title> | ||
<affected family="unix"> | ||
<platform>multi_platform_fedora</platform> | ||
<platform>Red Hat Enterprise Linux 8</platform> | ||
<platform>Oracle Linux 8</platform> | ||
</affected> | ||
<description>Check that there is no Kerberos keytab file present in /etc</description> | ||
</metadata> | ||
<criteria> | ||
<criterion test_ref="test_kerberos_disable_no_keytab" negate="true" | ||
comment="Restrict Kerberos operation by removing keytab files" /> | ||
</criteria> | ||
</definition> | ||
|
||
<unix:file_object id="obj_kerberos_disable_no_keytab" version="1" comment="fapolicyd.mounts"> | ||
<unix:filepath operation="pattern match">/etc/*.keytab</unix:filepath> | ||
</unix:file_object> | ||
<unix:file_test id="test_kerberos_disable_no_keytab" check="at least one" version="1" | ||
comment="Ensure a keytab file exists"> | ||
<unix:object object_ref="obj_kerberos_disable_no_keytab"/> | ||
</unix:file_test> | ||
</def-group> |
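Review bot: the `comment` attribute on `unix:file_object` still reads `fapolicyd.mounts`, a copy-paste leftover from another rule; change it to something like `comment="Kerberos keytab files in /etc"`. The test comment `Ensure a keytab file exists` also reads as the opposite of the rule's intent because the criterion negates it; a wording such as `Check whether any keytab file exists in /etc` would make the `negate="true"` easier to follow. The logic itself is right: `check="at least one"` is true when any `/etc/*.keytab` exists, and the negation makes the definition pass only when none do.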
28 changes: 28 additions & 0 deletions
linux_os/guide/services/kerberos/kerberos_disable_no_keytab/rule.yml
@@ -0,0 +1,28 @@ | ||
documentation_complete: true | ||
|
||
title: 'Disable Kerberos by removing host keytab' | ||
|
||
description: |- | ||
Kerberos is not an approved key distribution method for | ||
Common Criteria. To prevent using Kerberos by system daemons, | ||
remove the host keytab <tt>/etc/krb5.keytab</tt>. | ||
rationale: |- | ||
The key derivation function (KDF) in Kerberos is not FIPS compatible. | ||
severity: medium | ||
|
||
identifiers: | ||
cce@rhel8: 82175-1 | ||
|
||
references: | ||
ospp: FCS_CKM.1 | ||
|
||
ocil_clause: 'it is present on the system' | ||
|
||
ocil: |- | ||
Run the following command to see if there are some keytabs | ||
that would potentially allow the use of Kerberos by system daemons. | ||
<pre>$ ls -la /etc/*.keytab</pre> | ||
The expected result is | ||
<pre>ls: cannot access '/etc/*.keytab': No such file or directory</pre> |
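Review bot: the description names only `/etc/krb5.keytab`, while the OVAL check, the bash remediation and the OCIL command in this same file all use `/etc/*.keytab`. Align the description with the glob (for example "remove the host keytab <tt>/etc/krb5.keytab</tt> and any other keytab files in <tt>/etc</tt>") so an assessor is not surprised when a service keytab causes the check to fail. Minor wording: "see if there are some keytabs" reads better as "see if there are any keytabs".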
@@ -5,7 +5,6 @@ CCE-82171-0 | |
CCE-82172-8 | ||
CCE-82173-6 | ||
CCE-82174-4 | ||
CCE-82175-1 | ||
CCE-82178-5 | ||
CCE-82179-3 | ||
CCE-82180-1 | ||
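Review bot: the hunk header shows one line removed and rule.yml assigns `cce@rhel8: 82175-1`, so the dropped entry should be `CCE-82175-1`; the rendered hunk has lost its +/- markers, so please confirm that `CCE-82175-1` no longer appears in the committed file and that it was only removed from the available-CCE list, not re-added elsewhere.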