← Rules Catalog
mediumaccess-controlverified

Prevent system daemons from using Kerberos for authentication

krb5-no-daemon-auth · RHEL ≥ 8 · 1 impl

Description

RHEL 8 must prevent system daemons from using Kerberos for authentication. Keytab files in /etc/ allow daemons to authenticate to the Kerberos realm without interactive credentials. Only explicitly approved services should have keytab files.

Rationale

System daemons using Kerberos authentication without explicit configuration and approval could allow compromised Kerberos credentials to be used for lateral movement. Controlling Kerberos use by daemons limits the impact of credential compromise.

Check → Remediate

Checkcommand
if ! rpm -q krb5-workstation >/dev/null 2>&1 && ! rpm -q krb5-libs >/dev/null 2>&1; then
  exit 0
fi
keytabs=$(find /etc -name '*.keytab' -type f 2>/dev/null)
if [ -n "$keytabs" ]; then
  echo "FAIL: keytab files found in /etc/ (review for authorized use):"
  echo "$keytabs"
  exit 1
fi
echo "OK: no keytab files found in /etc/"
expected_exit:
0
Remediatemanual
note:
Review any .keytab files found in /etc/ and verify they are required and documented. Remove unauthorized keytab files. Contact the Kerberos administrator to validate daemon keytab usage.

Framework references

STIG

V-230238

NIST 800-53

AC-17CM-6

Live verification

rhel8:check
#kerberos#authentication#daemons#security#stig