
Remove the Kerberos Server Package

An XCCDF Rule

Description

The krb5-server package should be removed if not in use. Is this system the Kerberos server? If not, remove the package. The krb5-server package can be removed with the following command:

$ sudo dnf erase krb5-server

The krb5-server RPM is not installed by default on a Red Hat Enterprise Linux 9 system. It is needed only by Kerberos servers, not by the clients that use Kerberos for authentication. If the system is not intended for use as a Kerberos server, the package should be removed.
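The question above, "Is this system the Kerberos server?", can be answered before anything is removed. The audit-only script below is an added example, not part of this rule or of the project's content. It assumes the KDC units are named krb5kdc.service and kadmin.service and that the principal database is at /var/kerberos/krb5kdc/principal; the ROOT variable is hypothetical and only relocates the file checks for testing.

```shell
#!/usr/bin/env bash
# Added example: audit only, never removes anything.
# ROOT is a hypothetical override that points the file checks at a test tree.

# Verdict from three yes/no facts: in a container, package installed, KDC in use.
classify() {
    local container="$1" installed="$2" kdc="$3"
    if [ "$container" = yes ]; then echo notapplicable
    elif [ "$installed" = no ]; then echo pass
    elif [ "$kdc" = yes ]; then echo review   # acting KDC: keep it, record the exception
    else echo fail                            # installed but unused: remove it
    fi
}

# Same container markers that the rule's shell remediation tests.
in_container() {
    local root="${ROOT:-}"
    if [ -f "$root/.dockerenv" ] || [ -f "$root/run/.containerenv" ]; then
        echo yes
    else
        echo no
    fi
}

# KDC evidence: a principal database (assumed default path) or an enabled
# or running krb5kdc/kadmin unit (assumed unit names).
kdc_in_use() {
    local root="${ROOT:-}" unit
    if [ -e "$root/var/kerberos/krb5kdc/principal" ]; then echo yes; return; fi
    for unit in krb5kdc.service kadmin.service; do
        if systemctl is-enabled --quiet "$unit" 2>/dev/null ||
           systemctl is-active --quiet "$unit" 2>/dev/null; then
            echo yes; return
        fi
    done
    echo no
}

pkg_installed() {
    if rpm -q --quiet krb5-server 2>/dev/null; then echo yes; else echo no; fi
}

audit_host() {
    classify "$(in_container)" "$(pkg_installed)" "$(kdc_in_use)"
}

# Run only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```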

Rationale

To decrease the attack surface of the system, unnecessary packages should not be installed. While this software is clearly essential on a KDC server, it is not necessary on typical desktop or workstation systems.

ID
xccdf_org.ssgproject.content_rule_package_krb5-server_removed
Severity
Medium

Remediation - Anaconda Pre-Install Instructions


package --remove=krb5-server

Remediation - Ansible

- name: Ensure krb5-server is removed
  package:
    name: krb5-server
    state: absent
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:

Remediation - Puppet

include remove_krb5_server

# Puppet class names may contain only lowercase letters, digits and underscores
class remove_krb5_server {
  package { 'krb5-server':
    ensure => 'purged',
  }
}

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# CAUTION: This remediation script will remove krb5-server
#	   from the system, and may remove any packages
#	   that depend on krb5-server. Execute this