Check: OL08-00-040370
Oracle Linux 8 STIG:
OL08-00-040370
(in versions v1 r10 through v1 r1)
Title
OL 8 must not have the "gssproxy" package installed if not required for operational support. (Cat II impact)
Discussion
Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. When an application uses Generic Security Services API (GSSAPI), typically it will have direct access to its security credentials, and all cryptographic operations are performed in the application's process. This is undesirable, but "gssproxy" can help in almost all use cases. It provides privilege separation to applications using the GSSAPI: The gssproxy daemon runs on the system, holds the application's credentials, and performs operations on behalf of the application.
Check Content
Determine if the "gssproxy" package is installed with the following command: $ sudo yum list installed gssproxy If the "gssproxy" package is installed, this is a finding.
Fix Text
Configure OL 8 to disable non-essential capabilities by removing the "gssproxy" package from the system with the following command: $ sudo yum remove gssproxy
Additional Identifiers
Rule ID: SV-248904r780278_rule
Vulnerability ID: V-248904
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |