mediumaccess-controlverified ✓
Prevent system daemons from using Kerberos for authentication
krb5-no-daemon-auth · RHEL ≥ 8 · 1 impl
Description
RHEL 8 must prevent system daemons from using Kerberos for authentication. Keytab files in /etc/ allow daemons to authenticate to the Kerberos realm without interactive credentials. Only explicitly approved services should have keytab files.
Rationale
System daemons using Kerberos authentication without explicit configuration and approval could allow compromised Kerberos credentials to be used for lateral movement. Controlling Kerberos use by daemons limits the impact of credential compromise.
Check → Remediate
Checkcommand
if ! rpm -q krb5-workstation >/dev/null 2>&1 && ! rpm -q krb5-libs >/dev/null 2>&1; then exit 0 fi keytabs=$(find /etc -name '*.keytab' -type f 2>/dev/null) if [ -n "$keytabs" ]; then echo "FAIL: keytab files found in /etc/ (review for authorized use):" echo "$keytabs" exit 1 fi echo "OK: no keytab files found in /etc/"
- expected_exit:
- 0
Remediatemanual
- note:
- Review any .keytab files found in /etc/ and verify they are required and documented. Remove unauthorized keytab files. Contact the Kerberos administrator to validate daemon keytab usage.
Framework references
STIG
V-230238
NIST 800-53
AC-17CM-6
Live verification
rhel8:check
#kerberos#authentication#daemons#security#stig