From 9e590dd3a08962f26a15c84194cfad398f5463da Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier <nemunaire@nemunai.re>
Date: Thu, 30 Apr 2026 08:57:11 +0700
Subject: [PATCH] Include rules section

---
 README.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/README.md b/README.md
index c827a95..8060baa 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,22 @@ direct remediation hint:
 | Wrong realm in reply | fix `default_realm` / realm config |
 | AS-REP roasting exposure | enable `requires_preauth` |
 
+## Rules
+
+| Code                           | Description                                                                                       | Severity            |
+|--------------------------------|---------------------------------------------------------------------------------------------------|---------------------|
+| `kerberos.srv_present`         | Verifies that at least one _kerberos._tcp / _kerberos._udp SRV record is published for the realm. | CRITICAL            |
+| `kerberos.kdc_reachable`       | Verifies that at least one KDC endpoint (TCP/UDP 88) accepts a connection.                        | CRITICAL            |
+| `kerberos.as_probe`            | Verifies that the anonymous AS-REQ probe received a sane reply (KRB-ERROR or AS-REP).             | CRITICAL            |
+| `kerberos.realm_match`         | Verifies the KDC answers for the expected realm name.                                             | CRITICAL            |
+| `kerberos.preauth_required`    | Flags KDCs that return an AS-REP without requiring pre-authentication (AS-REP roasting exposure). | WARNING             |
+| `kerberos.clock_skew`          | Verifies the KDC clock is within tolerance of the checker's clock.                                | CRITICAL            |
+| `kerberos.enctypes`            | Reviews the encryption types advertised by the KDC, flagging DES/RC4-only configurations.         | CRITICAL            |
+| `kerberos.kadmin_reachable`    | Flags kadmin endpoints that are published via SRV but not reachable.                              | WARNING             |
+| `kerberos.kpasswd_reachable`   | Flags kpasswd endpoints that are published via SRV but not reachable.                             | WARNING             |
+| `kerberos.auth_tgt`            | Verifies the supplied principal/password can obtain a TGT (only runs when credentials are supplied). | CRITICAL         |
+| `kerberos.auth_tgs`            | Verifies a TGS-REQ succeeds for the supplied target service (only runs when credentials and targetService are supplied). | WARNING |
+
 ## Build
 
 ```sh