diff --git a/components/kea.yml b/components/kea.yml
index b4db421edd9d..c80631898db3 100644
--- a/components/kea.yml
+++ b/components/kea.yml
@@ -3,3 +3,6 @@ packages:
- kea
rules:
- package_kea_removed
+- service_kea_dhcp4_server_disabled
+- service_kea_dhcp6_server_disabled
+- service_kea_dhcp_ddns_server_disabled
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp4_server_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp4_server_disabled/rule.yml
new file mode 100644
index 000000000000..7cd770d5d3f1
--- /dev/null
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp4_server_disabled/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Disable kea-dhcp4-server Service'
+
+description: |-
+ The kea-dhcp4-server service should be disabled on
+ any system that does not need to act as a DHCPv4 server.
+ {{{ describe_service_disable(service="kea-dhcp4-server") }}}
+
+rationale: |-
+ Unmanaged or unintentionally activated DHCP servers may provide faulty information
+ to clients, interfering with the operation of a legitimate site
+ DHCP server if there is one.
+
+severity: medium
+
+ocil_clause: |-
+ {{{ ocil_clause_service_disabled(service="kea-dhcp4-server") }}}
+
+ocil: |-
+ {{{ ocil_service_disabled(service="kea-dhcp4-server") }}}
+
+platform: system_with_kernel
+
+template:
+ name: service_disabled
+ vars:
+ servicename: kea-dhcp4-server
+ packagename: kea
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp6_server_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp6_server_disabled/rule.yml
new file mode 100644
index 000000000000..5545926ebb1e
--- /dev/null
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp6_server_disabled/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Disable kea-dhcp6-server Service'
+
+description: |-
+ The kea-dhcp6-server service should be disabled on
+ any system that does not need to act as a DHCPv6 server.
+ {{{ describe_service_disable(service="kea-dhcp6-server") }}}
+
+rationale: |-
+ Unmanaged or unintentionally activated DHCP servers may provide faulty information
+ to clients, interfering with the operation of a legitimate site
+ DHCP server if there is one.
+
+severity: medium
+
+ocil_clause: |-
+ {{{ ocil_clause_service_disabled(service="kea-dhcp6-server") }}}
+
+ocil: |-
+ {{{ ocil_service_disabled(service="kea-dhcp6-server") }}}
+
+platform: system_with_kernel
+
+template:
+ name: service_disabled
+ vars:
+ servicename: kea-dhcp6-server
+ packagename: kea
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp_ddns_server_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp_ddns_server_disabled/rule.yml
new file mode 100644
index 000000000000..5b942ac12d20
--- /dev/null
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp_ddns_server_disabled/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Disable kea-dhcp-ddns-server Service'
+
+description: |-
+ The kea-dhcp-ddns-server service should be disabled on
+ any system that does not need to act as a DHCP Dynamic DNS update server.
+ {{{ describe_service_disable(service="kea-dhcp-ddns-server") }}}
+
+rationale: |-
+ Unmanaged or unintentionally activated DHCP servers may provide faulty information
+ to clients, interfering with the operation of a legitimate site
+ DHCP server if there is one.
+
+severity: medium
+
+ocil_clause: |-
+ {{{ ocil_clause_service_disabled(service="kea-dhcp-ddns-server") }}}
+
+ocil: |-
+ {{{ ocil_service_disabled(service="kea-dhcp-ddns-server") }}}
+
+platform: system_with_kernel
+
+template:
+ name: service_disabled
+ vars:
+ servicename: kea-dhcp-ddns-server
+ packagename: kea