Remove the Kerberos Server Package
An XCCDF Rule
Description
The krb5-server package should be removed if not in use.
Is this system the Kerberos server? If not, remove the package.
The krb5-server package can be removed with the following command:
$ sudo yum erase krb5-server
The krb5-server RPM is not installed by default on a Red Hat Enterprise Linux 8 system. It is needed only by the Kerberos servers, not by the clients which use Kerberos for authentication. If the system is not intended for use as a Kerberos Server, the package should be removed.
Rationale
Unnecessary packages should not be installed, in order to decrease the attack surface of the system. While this software is clearly essential on a KDC server, it is not necessary on typical desktop or workstation systems.
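An added example, not part of the rule's own content: a shell audit that answers the Description's question ("Is this system the Kerberos server?") before removal and lists the packages that depend on krb5-server. It assumes krb5kdc and kadmin are the service units installed by krb5-server; the function names are illustrative.

```shell
#!/bin/sh
# Audit for the package_krb5-server_removed rule (added example).
# Verdicts printed on stdout:
#   compliant  package is absent
#   remove     package is present and nothing suggests the host is a KDC
#   review     package is present and KDC services are enabled or running

# Assumption: these are the systemd units shipped by krb5-server.
KDC_UNITS="krb5kdc kadmin"

# True if any KDC unit is enabled at boot or currently running.
kdc_in_use() {
    for unit in $KDC_UNITS; do
        if systemctl is-enabled --quiet "$unit" 2>/dev/null ||
           systemctl is-active --quiet "$unit" 2>/dev/null; then
            return 0
        fi
    done
    return 1
}

krb5_server_verdict() {
    if ! rpm -q --quiet krb5-server; then
        echo compliant
    elif kdc_in_use; then
        echo review
    else
        echo remove
    fi
}

# Installed packages that require krb5-server and could be removed with it.
krb5_server_dependents() {
    rpm -q --whatrequires krb5-server 2>/dev/null |
        grep -v '^no package requires' || true
}

# Run the audit when the host has rpm available.
if command -v rpm >/dev/null 2>&1; then
    echo "krb5-server: $(krb5_server_verdict)"
    krb5_server_dependents
fi
```

A "review" verdict means the host may really be a KDC, so the removal command should not be run until that is resolved.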
- ID
- xccdf_org.ssgproject.content_rule_package_krb5-server_removed
- Severity
- Medium
- References
- Updated
Remediation - Puppet
include remove_krb5-server

class remove_krb5-server {
  # 'purged' removes the package together with its configuration files
  package { 'krb5-server':
    ensure => 'purged',
  }
}
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-85887-8
  - DISA-STIG-RHEL-08-010163
Remediation - script:kickstart
package remove krb5-server
Remediation - script:bootc
dnf remove krb5-server
Remediation - Shell Script
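# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
    # CAUTION: This remediation script will remove krb5-server
    # from the system, and may remove any packages
    # that depend on krb5-server. Execute this
    # [remainder of the script is truncated on this page; the removal
    # step below is an assumption based on the command in the Description]
    yum erase -y krb5-server
fi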
Remediation - Anaconda Pre-Install Instructions
package --remove=krb5-server