Include rules section

2026-04-30 08:57:11 +07:00 · 2026-04-30 08:57:11 +07:00 · 9e590dd3a0
commit 9e590dd3a0
parent bc75accce7
1 changed files with 16 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -35,6 +35,22 @@ direct remediation hint:
 | Wrong realm in reply | fix `default_realm` / realm config |
 | AS-REP roasting exposure | enable `requires_preauth` |

+## Rules
+
+| Code                           | Description                                                                                       | Severity            |
+|--------------------------------|---------------------------------------------------------------------------------------------------|---------------------|
+| `kerberos.srv_present`         | Verifies that at least one _kerberos._tcp / _kerberos._udp SRV record is published for the realm. | CRITICAL            |
+| `kerberos.kdc_reachable`       | Verifies that at least one KDC endpoint (TCP/UDP 88) accepts a connection.                        | CRITICAL            |
+| `kerberos.as_probe`            | Verifies that the anonymous AS-REQ probe received a sane reply (KRB-ERROR or AS-REP).             | CRITICAL            |
+| `kerberos.realm_match`         | Verifies the KDC answers for the expected realm name.                                             | CRITICAL            |
+| `kerberos.preauth_required`    | Flags KDCs that return an AS-REP without requiring pre-authentication (AS-REP roasting exposure). | WARNING             |
+| `kerberos.clock_skew`          | Verifies the KDC clock is within tolerance of the checker's clock.                                | CRITICAL            |
+| `kerberos.enctypes`            | Reviews the encryption types advertised by the KDC, flagging DES/RC4-only configurations.         | CRITICAL            |
+| `kerberos.kadmin_reachable`    | Flags kadmin endpoints that are published via SRV but not reachable.                              | WARNING             |
+| `kerberos.kpasswd_reachable`   | Flags kpasswd endpoints that are published via SRV but not reachable.                             | WARNING             |
+| `kerberos.auth_tgt`            | Verifies the supplied principal/password can obtain a TGT (only runs when credentials are supplied). | CRITICAL         |
+| `kerberos.auth_tgs`            | Verifies a TGS-REQ succeeds for the supplied target service (only runs when credentials and targetService are supplied). | WARNING |
+
 ## Build

 ```sh