
Disable Kerberos by removing host keytab. #4793

Merged

Conversation

adelton
Collaborator

@adelton adelton commented Sep 4, 2019

Description:

  • Disable Kerberos by removing host keytab.

Rationale:

  • The key derivation function (KDF) in Kerberos is not FIPS compatible.

description: |-
Kerberos is not an approved key distribution method for
Common Criteria. To prevent using Kerberos by system daemons,
remove the host keytab <tt>/etc/krb5.keytab</tt>.
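Review bot: the justification is inconsistent between the PR text and the rule: the Rationale above says the Kerberos key derivation function is not FIPS compatible, while this `description` says Kerberos is not an approved key distribution method for Common Criteria. State one justification (or both) in the rule description, since that is the text the end user reads. The description also scopes the effect to system daemons ("To prevent using Kerberos by system daemons"), which is narrower than the PR title "Disable Kerberos"; consider wording the rule title to match what removing the host keytab actually achieves.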
Collaborator

The description mentions specifically /etc/krb5.keytab, but the OVAL uses a wildcard and checks any file in /etc whose name ends with .keytab.

</definition>

<unix:file_object id="obj_kerberos_disable_no_keytab" version="1" comment="fapolicyd.mounts">
<unix:filepath operation="pattern match">/etc/*.keytab</unix:filepath>
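Review bot: the `comment` attribute on `obj_kerberos_disable_no_keytab` reads `fapolicyd.mounts`, which looks left over from another object and should describe this one (the keytab files in /etc). Separately, `operation="pattern match"` interprets `/etc/*.keytab` as a regular expression, not a shell glob: read as a regex it means `/etc`, then zero or more `/`, then any single character, then `keytab`, which matches `/etc/.keytab` but not `/etc/krb5.keytab`. Use an anchored regex such as `^/etc/.*\.keytab$`.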
Collaborator

The regular expression should be ^/etc/.*\.keytab$.
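The glob-versus-regex point made in the comment above, reproduced as an added shell example. This is not code from the pull request or from ComplianceAsCode: it re-implements the check the OVAL expresses ("no regular file under the directory whose path matches `^DIR/.*\.keytab$`") as POSIX shell functions over a constructed directory tree, so the difference between the original pattern read as a regex and the corrected regex can be seen offline. The function names, the fixture tree and the file names in it are assumptions made for the example; the directory is a parameter so nothing touches the real /etc.

```shell
#!/bin/sh
# Added example, not part of the ComplianceAsCode PR: the OVAL keytab check
# re-expressed as POSIX shell functions over an arbitrary directory, so it
# can be run against a constructed tree instead of the real /etc.
# Assumption: DIR is an absolute path without regex metacharacters
# (as returned by mktemp -d).

# keytab_paths DIR
#   Print every regular file under DIR whose full path matches the
#   corrected OVAL regex ^DIR/.*\.keytab$. Because ".*" also matches "/",
#   this includes keytabs in subdirectories of DIR.
keytab_paths() {
    dir=$1
    find "$dir" -type f 2>/dev/null | grep -E "^$dir/.*\.keytab\$"
}

# glob_as_regex DIR
#   The original pattern DIR/*.keytab read the way OVAL "pattern match"
#   reads it, i.e. as a regular expression: "DIR", zero or more "/", any
#   single character, then "keytab". It does not match DIR/krb5.keytab.
glob_as_regex() {
    dir=$1
    find "$dir" -type f 2>/dev/null | grep -E "^$dir/*.keytab\$"
}

# count_keytabs DIR
#   Number of files keytab_paths would report (0 when none).
count_keytabs() {
    keytab_paths "$1" | grep -c .
}

# keytab_absent DIR
#   The rule's verdict: exit 0 (compliant) when no keytab is present,
#   1 otherwise. This is the "none_exist" sense of the OVAL test.
keytab_absent() {
    [ "$(count_keytabs "$1")" -eq 0 ]
}

# remove_keytabs DIR
#   Remediation: delete every matching file. This only stops local
#   daemons from using the keys; it does not revoke them on the KDC.
remove_keytabs() {
    keytab_paths "$1" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}

# make_fixture
#   Build a constructed stand-in for /etc and print its path. The file
#   names below are made up for the example.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/ipa"
    : > "$d/krb5.keytab"     # the host keytab the rule description names
    : > "$d/ipa/dns.keytab"  # a service keytab in a subdirectory
    : > "$d/krb5.conf"       # Kerberos config, must not match
    : > "$d/keytab.bak"      # ends in "keytab" but not ".keytab"
    printf '%s\n' "$d"
}

# Stand-alone run: show the two patterns side by side, then remediate.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    echo "corrected regex matches:"; keytab_paths "$d"
    echo "original pattern read as regex matches:"; glob_as_regex "$d"
    remove_keytabs "$d"
    keytab_absent "$d" && echo "compliant after remediation"
    rm -rf "$d"
fi
```

Run it with `--demo` to see that the corrected regex reports both keytabs (including the one in the subdirectory) while the original pattern, read as a regex, reports nothing, which is exactly why the unchanged OVAL would have passed on a host that still has /etc/krb5.keytab.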

<description>Check that there is no Kerberos keytab file present in /etc</description>
</metadata>
<criteria>
<criterion test_ref="test_kerberos_disable_no_keytab" negate="true"
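Review bot: the `<description>` says "in /etc", but a filepath regex that contains `.*` (such as `^/etc/.*\.keytab$`) also matches keytabs in subdirectories of /etc, because `.*` matches `/`. If only the top level is meant, use `^/etc/[^/]+\.keytab$`; if subdirectories are meant too (the safer reading for "no Kerberos keytab file present"), say "under /etc" here so the description matches what the object collects.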
Collaborator

I think instead of using negation, you can set check="all" check_existence="none_exist" in the file_test element and remove the negate attribute. However, your solution works for me as well.

@jan-cerny
Collaborator

@openscap-ci test this please

@jan-cerny jan-cerny self-assigned this Sep 4, 2019
@jan-cerny jan-cerny added this to the 0.1.47 milestone Sep 4, 2019
@adelton
Collaborator Author

adelton commented Sep 4, 2019

Addressed the comments -> 7511e33.

Sorry about that, I thought I had the patch updated and pushed before creating the PR but evidently I did not.

@jan-cerny
Collaborator

@openscap-ci test this please

@jan-cerny jan-cerny merged commit 4bc4956 into ComplianceAsCode:master Sep 4, 2019