ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

RHEL-08-010161 and RHEL-09-611205 removing keytab files, breaking sssd (misaligned with DISA) #11764

Open GitYukari opened 7 months ago

GitYukari commented 7 months ago

Description of problem:

https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2023-09-11/finding/V-230238

The above STIG audits the presence of any keytab files in the location: /etc/*.keytab

However, this STIG has been revised since 2020 to state that if the installed package of krb5-server or krb5-workstation is newer than 1.17-18, then this check is N/A.

The current Ansible workbook is deleting this file regardless of the version of the above packages. This breaks Kerberos authentication and causes the sssd service to crash on startup.

This is directly related to: https://github.com/ComplianceAsCode/content/issues/11750

SCAP Security Guide Version:

0.1.72 (Feb 2024)

Operating System Version:

RHEL 8, RHEL 9
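
The version-aware audit the issue asks for, written here as an added example that is not the project's own rule or remediation content: it reports whether `/etc/*.keytab` files are present only when the installed `krb5-workstation` package is not newer than `1.17-18` (threshold and package name as quoted in the issue), and it never deletes anything. The field-by-field numeric comparison in `vercmp` is a simplification I chose for a self-contained script; a production check should defer to RPM's own version ordering (for example `rpmdev-vercmp`). The `--host` entry point, the function names and the temporary directory used for testing are all assumptions of this example.

```shell
#!/bin/sh
# Version-aware check for keytab files (example, not ComplianceAsCode content).

# Threshold from the STIG note quoted in the issue: krb5 packages newer than
# this make the keytab check not applicable.
KEYTAB_FIX_VERSION="1.17-18"

# vercmp A B: compare two "version-release" strings field by field as numbers.
# Prints "lt", "eq" or "gt" for A relative to B. Missing trailing fields count
# as 0, so "1.17" equals "1.17-0". An empty A (package not installed) sorts
# below everything, which keeps the check applicable (conservative default).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "lt"; exit }
            if (xi > yi) { print "gt"; exit }
        }
        print "eq"
    }'
}

# keytab_check_status VERSION: "not_applicable" when VERSION is newer than the
# threshold, otherwise "applicable".
keytab_check_status() {
    case "$(vercmp "$1" "$KEYTAB_FIX_VERSION")" in
        gt) echo "not_applicable" ;;
        *)  echo "applicable" ;;
    esac
}

# audit_keytabs VERSION [DIR]: audit-only. Prints "not_applicable", "pass"
# (no *.keytab in DIR) or "fail" (at least one found, listed on stderr).
# DIR defaults to /etc; a different directory is accepted so the logic can be
# exercised against constructed files without touching the real system.
audit_keytabs() {
    dir=${2:-/etc}
    status=$(keytab_check_status "$1")
    if [ "$status" = "not_applicable" ]; then
        echo "not_applicable"
        return 0
    fi
    found=0
    for f in "$dir"/*.keytab; do
        # An unmatched glob stays literal, so test that the path really exists.
        [ -e "$f" ] && found=1 && echo "found: $f" >&2
    done
    if [ "$found" -eq 1 ]; then echo "fail"; else echo "pass"; fi
}

# installed_krb5_version: version-release of krb5-workstation from the RPM
# database, or empty output when the package is absent.
installed_krb5_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' krb5-workstation 2>/dev/null | head -n 1
}

# Run against the live host only when asked to: sh keytab_audit.sh --host
if [ "${1:-}" = "--host" ]; then
    audit_keytabs "$(installed_krb5_version)" /etc
fi
```

On a host with the newer krb5 packages the script prints `not_applicable` and leaves `/etc/*.keytab` alone; on an older package set it reports `fail` with the file list, so an operator can decide on remediation rather than having sssd broken by an unconditional delete.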

marcusburghardt commented 1 month ago

FYI @Mab879