Remove the Kerberos Server Package
An XCCDF Rule
Description
The krb5-server package should be removed if not in use.
Is this system the Kerberos server? If not, remove the package.
The krb5-server package can be removed with the following command:
$ sudo dnf erase krb5-server
The krb5-server RPM is not installed by default on a Red Hat Enterprise Linux 9 system. It is needed only by the Kerberos servers, not by the clients which use Kerberos for authentication. If the system is not intended for use as a Kerberos server, the package should be removed.
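The question above ("Is this system the Kerberos server?") can be answered before removal with a short audit. This is an added example, not part of the rule's own content. It assumes the KDC runs under the unit names krb5kdc.service and kadmin.service and that the KDC database lives at /var/kerberos/krb5kdc/principal; adjust both if your site differs.

```bash
#!/bin/sh
# Added example: pre-removal audit for the krb5-server rule.
# Assumed names (not from the rule text): the two unit names and the DB path.
KDC_UNITS="krb5kdc.service kadmin.service"
KDC_DB="${KDC_DB:-/var/kerberos/krb5kdc/principal}"

# Prints a one-line verdict and returns:
#   0 COMPLIANT  package absent
#   1 REMOVE     package present, no sign the host acts as a KDC
#   2 REVIEW     package present and KDC evidence found (document an exception)
#   3 UNKNOWN    package database cannot be queried
audit_krb5_server() {
    in_use=""
    if ! command -v rpm >/dev/null 2>&1; then
        echo "UNKNOWN: rpm is not available, cannot query the package database"
        return 3
    fi
    if ! rpm -q krb5-server >/dev/null 2>&1; then
        echo "COMPLIANT: krb5-server is not installed"
        return 0
    fi
    # An enabled or running KDC unit means the host is (or was) a Kerberos server.
    for unit in $KDC_UNITS; do
        if systemctl is-enabled --quiet "$unit" 2>/dev/null ||
           systemctl is-active --quiet "$unit" 2>/dev/null; then
            in_use="$in_use $unit"
        fi
    done
    # A non-empty principal database is evidence even when the units are stopped.
    if [ -s "$KDC_DB" ]; then
        in_use="$in_use $KDC_DB"
    fi
    if [ -n "$in_use" ]; then
        echo "REVIEW: krb5-server installed and KDC evidence found:$in_use"
        return 2
    fi
    echo "REMOVE: krb5-server installed, no KDC evidence; run: sudo dnf erase krb5-server"
    return 1
}

# Report only: the verdict is the first word of the printed line.
audit_krb5_server || true
```

A REVIEW verdict means removal would take down a realm's KDC, so the host needs a documented exception to this rule rather than remediation.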
Rationale
Unnecessary packages should not be installed, in order to decrease the attack surface of the system. While this software is clearly essential on a KDC server, it is not necessary on typical desktop or workstation systems.
- ID
- xccdf_org.ssgproject.content_rule_package_krb5-server_removed
- Severity
- Medium
- References
- Updated
Remediation - Anaconda Pre-Install Instructions
package --remove=krb5-server
Remediation - Ansible
- name: Ensure krb5-server is removed
  package:
    name: krb5-server
    state: absent
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
Remediation - Puppet
include remove_krb5-server

class remove_krb5-server {
  package { 'krb5-server':
    ensure => 'purged',
  }
}
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# CAUTION: This remediation script will remove krb5-server
# from the system, and may remove any packages
# that depend on krb5-server. Execute this