Disable Kerberos by removing host keytab. #4793
description: |- | ||
Kerberos is not an approved key distribution method for | ||
Common Criteria. To prevent using Kerberos by system daemons, | ||
remove the host keytab <tt>/etc/krb5.keytab</tt>. |
The description mentions specifically /etc/krb5.keytab, but the OVAL uses a wildcard and checks any file in /etc whose name ends with .keytab.
</definition> | ||
|
||
<unix:file_object id="obj_kerberos_disable_no_keytab" version="1" comment="fapolicyd.mounts"> | ||
<unix:filepath operation="pattern match">/etc/*.keytab</unix:filepath> |
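Review bot: the comment attribute on obj_kerberos_disable_no_keytab still reads "fapolicyd.mounts", which looks carried over from another object; it should describe this object, e.g. comment="Kerberos keytab files in /etc". Also, with operation="pattern match" the filepath value is a regular expression rather than a shell glob, so /etc/*.keytab does not express the intended match (the literal /etc/krb5.keytab does not match it); an anchored pattern such as ^/etc/.*\.keytab$ does.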
The regular expression should be ^/etc/.*\.keytab$.
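To see why the regex matters for this check, here is an added Python example (not part of the PR or the project) that runs both candidate filepath patterns as regular expressions over constructed sample paths. It assumes OVAL `pattern match` behaves like an unanchored regex search; the central result, that the submitted pattern never matches /etc/krb5.keytab and so would let the negated criterion pass on a host that still has its keytab, holds under anchored matching as well.

```python
import re

# The two <unix:filepath operation="pattern match"> values discussed in the review:
# the submitted one, written like a shell glob, and the anchored regex proposed instead.
GLOB_STYLE = r"/etc/*.keytab"       # as submitted: "/etc", zero or more "/", any char, "keytab"
ANCHORED_RE = r"^/etc/.*\.keytab$"  # as proposed: anything under /etc ending in ".keytab"

# Constructed sample paths for the demonstration; not taken from a real system.
SAMPLE_PATHS = [
    "/etc/krb5.keytab",        # the host keytab named in the rule description
    "/etc/httpd/http.keytab",  # a service keytab in a subdirectory of /etc
    "/etc/krb5.conf",          # Kerberos config, not a keytab
    "/etc/keytab",             # no ".keytab" suffix
    "/etc/Xkeytab",            # odd name: only the glob-as-regex matches it
]


def matches(pattern, path):
    """Mirror OVAL 'pattern match' as a regex search (not a glob, not a full match)."""
    return re.search(pattern, path) is not None


def matching_paths(pattern, paths=SAMPLE_PATHS):
    """Return the sample paths the file_object would collect with this pattern."""
    return [p for p in paths if matches(pattern, p)]


def keytab_check(pattern, paths=SAMPLE_PATHS):
    """Emulate the rule's intent (criterion with negate="true" over an
    'at least one exists' file_test): True means compliant, i.e. no keytab found."""
    return len(matching_paths(pattern, paths)) == 0


if __name__ == "__main__":
    for label, pattern in (("submitted", GLOB_STYLE), ("proposed", ANCHORED_RE)):
        print(f"{label:9} {pattern!r:22} collects {matching_paths(pattern)}")
    # The submitted pattern reports "compliant" even though /etc/krb5.keytab exists.
    print("submitted, host keytab present ->", keytab_check(GLOB_STYLE, ["/etc/krb5.keytab"]))
    print("proposed,  host keytab present ->", keytab_check(ANCHORED_RE, ["/etc/krb5.keytab"]))
```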
<description>Check that there is no Kerberos keytab file present in /etc</description> | ||
</metadata> | ||
<criteria> | ||
<criterion test_ref="test_kerberos_disable_no_keytab" negate="true" |
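Review bot: the test id test_kerberos_disable_no_keytab says "no keytab", yet this criterion only reaches that meaning by inverting the test with negate="true", so the id and the negation read in opposite directions. Either rename the test to say what it actually evaluates, or express the intent directly in the file_test with check="all" check_existence="none_exist" and drop the negate attribute here, which also keeps the criterion readable on its own.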
I think instead of using negation, you can set check="all" check_existence="none_exist" in the file_test element and remove the negate attribute. However, your solution works for me as well.
@openscap-ci test this please
7155906 to 7511e33
Addressed the comments -> 7511e33. Sorry about that, I thought I had the patch updated and pushed before creating the PR but evidently I did not.
@openscap-ci test this please