Description of problem:
https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2023-09-11/finding/V-230238
The above STIG audits the presence of any keytab files in the location:
/etc/*.keytab
However, this STIG has been revised since 2020 to state that if the installed package of krb5-server or krb5-workstation is newer than 1.17-18, then this check is N/A.
The current Ansible workbook is deleting this file regardless of the version of the above packages. This breaks Kerberos authentication and causes the sssd service to crash on startup.
This is directly related to: https://github.com/ComplianceAsCode/content/issues/11750
SCAP Security Guide Version:
0.1.72 (Feb 2024)
Operating System Version:
RHEL 8, RHEL 9
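The version gate this report describes, as an added example (not part of the original report and not the ComplianceAsCode remediation code): keytab removal is planned only when the check still applies. The simplified RPM comparison, the dist-tag stripping, all function names, and the sample package versions and keytab path are assumptions made for illustration.

```python
import re

THRESHOLD = "1.17-18"  # version-release named in the report
PACKAGES = ("krb5-server", "krb5-workstation")

def rpm_cmp(a, b):
    """Simplified rpmvercmp (assumption: no epoch, '~' or '^' handling)."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # compare numbers as numbers: 9 < 18
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def newer_than_threshold(version, release):
    """True if version-release is strictly newer than THRESHOLD."""
    release = re.sub(r"\.el\d.*$", "", release)  # assumption: ignore dist tag
    t_ver, t_rel = THRESHOLD.split("-")
    c = rpm_cmp(version, t_ver)
    return c > 0 or (c == 0 and rpm_cmp(release, t_rel) > 0)

def keytab_check_applies(installed):
    """installed maps package name -> (version, release), e.g. from rpm -q."""
    return not any(newer_than_threshold(*installed[p])
                   for p in PACKAGES if p in installed)

def plan_remediation(installed, keytabs):
    """Keytab paths a remediation may remove; empty when the check is N/A."""
    return list(keytabs) if keytab_check_applies(installed) else []

if __name__ == "__main__":
    # Constructed sample hosts; versions are illustrative, not from the report.
    hosts = {
        "newer-krb5": {"krb5-workstation": ("1.18.2", "22.el8_7")},
        "older-krb5": {"krb5-workstation": ("1.17", "9.el8")},
    }
    for name, pkgs in hosts.items():
        print(name, plan_remediation(pkgs, ["/etc/krb5.keytab"]))
```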