plugin_krb5_phase1: Added few more tests

* Check that admin principals have disallow_tgt_based attribute
* Check that regular user principals have requires_pre_auth and
  disallow_svr attributes
* Check for weak crypto
    * Use kdb5_util for this

include/binaries

@@ -197,6 +197,7 @@
                             istat)                  ISTATBINARY="${BINARY}";           LogText "  Found known binary: istat (file information) - ${BINARY}" ;;
                             journalctl)             JOURNALCTLBINARY="${BINARY}";      LogText "  Found known binary: journalctl (systemd journal) - ${BINARY}" ;;
                             kadmin.local)           KADMINLOCALBINARY="${BINARY}";     LogText "  Found known binary: kadmin.local (krb5) - ${BINARY}" ;;
+                            kdb5_util)              KDB5UTILBINARY="${BINARY}";        LogText "  Found known binary: kdb5_util (krb5) - ${BINARY}" ;;
                             kldstat)                KLDSTATBINARY="${BINARY}";         LogText "  Found known binary: kldstat (kernel modules) - ${BINARY}" ;;
                             kstat)                  KSTATBINARY="${BINARY}";           LogText "  Found known binary: kstat (kernel statistics) - ${BINARY}" ;;
                             launchctl)              LAUNCHCTL_BINARY="${BINARY}";      SERVICE_MANAGER="launchd"; LogText "  Found known binary: launchctl (launchd client) - ${BINARY}" ;;

plugins/plugin_krb5_phase1

@@ -10,14 +10,14 @@
 # PLUGIN_DESC=Kerberos
 # PLUGIN_NAME=krb5
 # PLUGIN_REQUIRED_TESTS=
-# PLUGIN_VERSION=0.1
+# PLUGIN_VERSION=0.2
 #-----------------------------------------------------
 #
 #########################################################################
 #
 
     # Test for the prerequisites first
-    if [ -n "${KADMINLOCALBINARY}" ]
+    if [ -n "${KADMINLOCALBINARY}" ] && [ -n "${KDB5UTILBINARY}" ]
     then
         PREQS_MET="YES"
         # Make sure krb5 debugging doesn't mess up the output
@@ -106,10 +106,39 @@
                 then
                     LogText "Result: Sensitive Kerberos principal ${I} does not have the lockdown_keys attribute"
                 fi
+            elif ContainsString "/admin@" "${I}"
+            then
+                if ! ContainsString "\bDISALLOW_TGT_BASED\b" "${J}"
+                then
+                    LogText "Result: Kerberos admin principal ${I} does not have the disallow_tgt_based attribute"
+                fi
+            elif ContainsString "^[^/$]+@" "${I}"
+            then
+                if ! ContainsString "\bREQUIRES_PRE_AUTH\b.+\bDISALLOW_SVR\b" "${J}"
+                then
+                    LogText "Result: Regular Kerberos user principal ${I} does not have the requires_pre_auth and/or the disallow_svr attribute"
+                fi
             fi
         done
     fi
 
+#
+#################################################################################
+#
+
+    # Test        : KRB5-0005
+    # Description : Check for weak crypto
+    Register --test-no KRB5-0005 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for weak crypto" --progress
+    if [ ${SKIPTEST} -eq 0 ]; then
+        FIND=$(${KDB5UTILBINARY} tabdump keyinfo | ${AWKBINARY} '$4 ~ /(des|arcfour|cbc|sha1)/{print$1,$4}')
+        while read I J
+        do
+            LogText "Result: Kerberos principal ${I} has a key with weak cryptographic algorithm ${J}"
+        done << EOF
+${FIND}
+EOF
+    fi
+
 #
 #################################################################################
 #