Rule ID
SV-248904r1184140_rule
Version
V2R8
CCIs
Verify the operating system is configured to disable nonessential capabilities. The most secure way of ensuring a nonessential capability is disabled is to not have the capability installed. When an application uses Generic Security Services API (GSSAPI), typically it will have direct access to its security credentials, and all cryptographic operations are performed in the application's process. This is undesirable, but "gssproxy" can help in almost all use cases. It provides privilege separation to applications using the GSSAPI: The gssproxy daemon runs on the system, holds the application's credentials, and performs operations on behalf of the application.
Note: For Oracle Linux systems, if there is an operational need for gssproxy to be installed, this is not applicable. Note: If NFS mounts are authorized and in use on the system, this control is not applicable. Determine if the "gssproxy" package is installed with the following command: $ sudo yum list installed gssproxy If the "gssproxy" package is installed, this is a finding.
Configure OL 8 to disable nonessential capabilities by removing the "gssproxy" package from the system with the following command: $ sudo yum remove gssproxy