Add service disable rules for Kea DHCP server (CIS 2.1.3) #14765

Open
israel-villar wants to merge 1 commit into ComplianceAsCode:master from israel-villar:feat/kea-dhcp-service-disable-rules

@israel-villar

Add three new rules to disable the Kea DHCP server services:

  • service_kea_dhcp4_server_disabled
  • service_kea_dhcp6_server_disabled
  • service_kea_dhcp_ddns_server_disabled

Kea is the ISC successor to ISC DHCP and ships as the default DHCP server on Debian 13. CIS Debian Linux 13 Benchmark v1.0.0 section 2.1.3 requires these services to be disabled on systems that do not act as DHCP servers. All three rules use the service_disabled template. Map the new rules to the existing kea component.

Description:

  • Add three new rules to disable the Kea DHCP server services:
    service_kea_dhcp4_server_disabled, service_kea_dhcp6_server_disabled,
    and service_kea_dhcp_ddns_server_disabled.
  • Map the new rules to the existing kea component.

Rationale:

  • Kea is the ISC successor to ISC DHCP and ships as the default DHCP server
    on Debian 13. Systems that do not act as DHCP servers should have these
    services disabled to reduce the attack surface.
  • Unmanaged or unintentionally activated DHCP servers may provide faulty
    information to clients, interfering with the operation of a legitimate
    site DHCP server.
  • All three rules use the service_disabled template, consistent with the
    existing service_dhcpd_disabled and service_dhcpd6_disabled rules.

Review Hints:

  • Three new rule directories under
    linux_os/guide/services/dhcp/disabling_dhcp_server/, each with a
    single rule.yml using the service_disabled template.
  • Build to verify: ./build_product debian13 --datastream-only

Add three new rules to disable the Kea DHCP server services:
- service_kea_dhcp4_server_disabled
- service_kea_dhcp6_server_disabled
- service_kea_dhcp_ddns_server_disabled

Kea is the ISC successor to ISC DHCP and ships as the default DHCP
server on Debian 13. CIS Debian Linux 13 Benchmark v1.0.0 section 2.1.3
requires these services to be disabled on systems that do not act as
DHCP servers. All three rules use the service_disabled template.
Map the new rules to the existing kea component.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
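
A host-side check of what the three rules above assert, as an added example that is not part of this PR or of the ComplianceAsCode project. The unit names are assumed from the rule IDs, and the pass criteria (not enabled, not running) are this example's simplification, not the service_disabled template's own check.

```shell
#!/bin/sh
# Added example (not from the PR): audit the Kea units the three rules target.
# ASSUMPTION: unit names are derived from the rule IDs (underscores -> hyphens).
KEA_UNITS="kea-dhcp4-server kea-dhcp6-server kea-dhcp-ddns-server"

# SYSTEMCTL may be pointed at a stub so the logic can be exercised offline.
: "${SYSTEMCTL:=systemctl}"

# unit_verdict ENABLED_STATE ACTIVE_STATE -> prints "pass" or "fail".
# Pass means the unit is not enabled at boot and is not running now.
unit_verdict() {
    case "$1" in
        disabled|masked|masked-runtime|not-found) ;;
        *) echo fail; return 0 ;;   # enabled, static, alias, ... count as findings
    esac
    case "$2" in
        inactive|failed) echo pass ;;
        *) echo fail ;;             # active, activating, reloading, ...
    esac
}

# audit_kea: one tab-separated line per unit (unit, enabled, active, verdict).
# Returns non-zero if any unit fails.
audit_kea() {
    rc=0
    for u in $KEA_UNITS; do
        # is-enabled/is-active exit non-zero for the states we want, so
        # ignore the exit status and classify the printed state instead.
        en=$("$SYSTEMCTL" is-enabled "$u.service" 2>/dev/null) || true
        [ -n "$en" ] || en=not-found    # older systemd prints nothing for a missing unit
        ac=$("$SYSTEMCTL" is-active "$u.service" 2>/dev/null) || true
        [ -n "$ac" ] || ac=inactive
        v=$(unit_verdict "$en" "$ac")
        printf '%s\t%s\t%s\t%s\n' "$u" "$en" "$ac" "$v"
        [ "$v" = pass ] || rc=1
    done
    return $rc
}

if [ "${1:-}" = "--audit" ]; then
    audit_kea
    exit $?
fi
```

Run it with `--audit` on the host; a non-zero exit status means at least one Kea unit is enabled or running.
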
@openshift-ci

openshift-ci Bot commented Jun 5, 2026

Hi @israel-villar. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the needs-ok-to-test Used by openshift-ci bot. label Jun 5, 2026