
Added initial version of a Kerberos plugin #1456

Merged
merged 3 commits into from May 15, 2024

Conversation

pyllyukko
Contributor

@pyllyukko pyllyukko commented Feb 14, 2024

As it says in the title, this is only an initial version. I wanted to open this PR to also open the discussion on the Kerberos hardening topic.

All the feedback is very welcome.

I'm planning on extending this and adding tests for at least:

  • Checking krb5.conf (clients) and kdc.conf (KDC) for hardened settings
  • Checking for keys with weak encryption types -> 075e3a6
  • Checking various security related attributes on different principals
    • The principals first need to be placed into different categories such as: hosts, users, services & krb5 internal etc.

@mboelen
Member

mboelen commented May 14, 2024

Looks like a good start. The only "thing" is that this would be better to be placed in a category. I guess this could be Authentication or if you feel like it will be a good amount of tests, then we could introduce a new one "Kerberos".

Rationale to move it: these tests do more than just collect information (main purpose of plugins), and may actually provide suggestions/warnings. For that reason it is better to make it part of the core, instead of a plugin.

@mboelen mboelen self-assigned this May 14, 2024
@pyllyukko
Contributor Author

> Looks like a good start. The only "thing" is that this would be better to be placed in a category. I guess this could be Authentication or if you feel like it will be a good amount of tests, then we could introduce a new one "Kerberos".

Ok. I'll do that then. Surely this is related to authentication, but maybe it would be good to place it into its own Kerberos category. Or what do you think?

> Rationale to move it: these tests do more than just collect information (main purpose of plugins), and may actually provide suggestions/warnings. For that reason it is better to make it part of the core, instead of a plugin.

Makes sense.

@mboelen
Member

mboelen commented May 14, 2024

I would say, let's create a new section 🚀

So my suggestions for the steps:

  • The file in this PR can be moved to include/tests_kerberos
  • Include a section header Kerberos
  • The tests named/numbered with KRB-1234
  • My suggestion for the numbering would be to start at KRB-1000 and increase, let's say in steps of 10
  • Then include it from the main program

If possible, it would be good for the layout to first detect if Kerberos is there at all. If not, then let's at least show one line so that the section does not remain empty on the screen. If there is no Kerberos at all, then all remaining tests can be silent if they are skipped. Keeps the screen as clean as possible, unless there is actually something useful to share.

* Check that admin principals have disallow_tgt_based attribute
* Check that regular user principals have requires_pre_auth and
  disallow_svr attributes
* Check for weak crypto
    * Use kdb5_util for this
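The three checks listed in that commit message, as an added example in Lynis's shell style (this is not Lynis code). It parses kadmin-style `getprinc` output (a constructed sample is embedded) instead of going through kdb5_util as the commit message proposes; the principal categories, the attributes expected per category and the weak-enctype list are assumptions.

```shell
# Added example, not Lynis code: classify a principal and report the gaps the
# commit message lists, reading kadmin "getprinc" output instead of kdb5_util.
# Constructed sample of `kadmin.local -q "getprinc <name>"` output (not real data).
SAMPLE_USER='Principal: alice@EXAMPLE.COM
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, arcfour-hmac
Attributes: REQUIRES_PRE_AUTH'
SAMPLE_ADMIN='Principal: alice/admin@EXAMPLE.COM
Key: vno 2, aes256-cts-hmac-sha1-96
Attributes: REQUIRES_PRE_AUTH'
# Assumed list of legacy enctypes to flag (single DES, 3DES, RC4).
WEAK_ENCTYPES='des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac arcfour-hmac-exp'

# Category for a principal name (assumed heuristic): admin, internal, host, service or user.
krb_principal_category() {
    case "$1" in
        */admin@*)               echo admin ;;
        krbtgt/*|K/M@*|kadmin/*) echo internal ;;
        host/*)                  echo host ;;
        */*)                     echo service ;;
        *)                       echo user ;;
    esac
}

# Print the hardening attributes missing from the getprinc text in $1 (empty if none).
krb_missing_attributes() {
    name=$(printf '%s\n' "$1" | sed -n 's/^Principal: //p')
    attrs=$(printf '%s\n' "$1" | sed -n 's/^Attributes: //p')
    case "$(krb_principal_category "$name")" in
        admin) want='DISALLOW_TGT_BASED' ;;
        user)  want='REQUIRES_PRE_AUTH DISALLOW_SVR' ;;
        *)     want='' ;;
    esac
    missing=''
    for a in $want; do
        case " $attrs " in *" $a "*) ;; *) missing="$missing $a" ;; esac
    done
    printf '%s\n' "${missing# }"
}

# Print the weak enctypes found on "Key:" lines of the getprinc text in $1 (empty if none).
krb_weak_keys() {
    found=''
    for et in $(printf '%s\n' "$1" | sed -n 's/^Key: vno [0-9]*, \([^,]*\).*/\1/p'); do
        case " $WEAK_ENCTYPES " in *" $et "*) found="$found $et" ;; esac
    done
    printf '%s\n' "${found# }"
}

krb_missing_attributes "$SAMPLE_USER"   # prints: DISALLOW_SVR
krb_weak_keys "$SAMPLE_USER"            # prints: arcfour-hmac
```

On a real KDC the two functions would be fed the output of `kadmin.local -q "getprinc <principal>"` for each principal returned by `listprincs`.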
@mboelen mboelen merged commit ab00091 into CISOfy:master May 15, 2024
@mboelen
Member

mboelen commented May 15, 2024

Merged!

@mboelen
Member

mboelen commented May 15, 2024

I have updated the language files so they are aware of the translation variable as well.

The section needs a few minor adjustments, as it now shows output even though I have no Kerberos on my test system. Will see what I can do tomorrow to improve the output.

@pyllyukko pyllyukko deleted the krb5-plugin branch May 15, 2024 20:26
pyllyukko added a commit to pyllyukko/lynis that referenced this pull request May 15, 2024
@pyllyukko
Contributor Author

> The section needs a few minor adjustments, as it now shows output even though I have no Kerberos on my test system. Will see what I can do tomorrow to improve the output.

#1499
