From 60e3ec14ef3539443a227de6d54311b0dabf4829 Mon Sep 17 00:00:00 2001
From: Israel Villar Boillos
Date: Fri, 5 Jun 2026 20:46:37 +0100
Subject: [PATCH] Add service disable rules for Kea DHCP server (CIS 2.1.3)
Add three new rules to disable the Kea DHCP server services:
- service_kea_dhcp4_server_disabled
- service_kea_dhcp6_server_disabled
- service_kea_dhcp_ddns_server_disabled
Kea is the ISC successor to ISC DHCP and ships as the default DHCP server on Debian 13. CIS Debian Linux 13 Benchmark v1.0.0 section 2.1.3 requires these services to be disabled on systems that do not act as DHCP servers. All three rules use the service_disabled template. Map the new rules to the existing kea component.
Co-Authored-By: Claude Sonnet 4.6
---
 components/kea.yml | 3 ++
 .../rule.yml | 29 +++++++++++++++++++
 .../rule.yml | 29 +++++++++++++++++++
 .../rule.yml | 29 +++++++++++++++++++
 4 files changed, 90 insertions(+)
 create mode 100644 linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp4_server_disabled/rule.yml
 create mode 100644 linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp6_server_disabled/rule.yml
 create mode 100644 linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp_ddns_server_disabled/rule.yml
diff --git a/components/kea.yml b/components/kea.yml
index b4db421edd9d..c80631898db3 100644
--- a/components/kea.yml
+++ b/components/kea.yml
@@ -3,3 +3,6 @@ packages:
 - kea
 rules:
 - package_kea_removed
+- service_kea_dhcp4_server_disabled
+- service_kea_dhcp6_server_disabled
+- service_kea_dhcp_ddns_server_disabled
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp4_server_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp4_server_disabled/rule.yml
new file mode 100644
index 000000000000..7cd770d5d3f1
--- /dev/null
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp4_server_disabled/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Disable kea-dhcp4-server Service'
+
+description: |-
+ The kea-dhcp4-server service should be disabled on
+ any system that does not need to act as a DHCPv4 server.
+ {{{ describe_service_disable(service="kea-dhcp4-server") }}}
+
+rationale: |-
+ Unmanaged or unintentionally activated DHCP servers may provide faulty information
+ to clients, interfering with the operation of a legitimate site
+ DHCP server if there is one.
+
+severity: medium
+
+ocil_clause: |-
+ {{{ ocil_clause_service_disabled(service="kea-dhcp4-server") }}}
+
+ocil: |-
+ {{{ ocil_service_disabled(service="kea-dhcp4-server") }}}
+
+platform: system_with_kernel
+
+template:
+ name: service_disabled
+ vars:
+ servicename: kea-dhcp4-server
+ packagename: kea
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp6_server_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp6_server_disabled/rule.yml
new file mode 100644
index 000000000000..5545926ebb1e
--- /dev/null
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp6_server_disabled/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Disable kea-dhcp6-server Service'
+
+description: |-
+ The kea-dhcp6-server service should be disabled on
+ any system that does not need to act as a DHCPv6 server.
+ {{{ describe_service_disable(service="kea-dhcp6-server") }}}
+
+rationale: |-
+ Unmanaged or unintentionally activated DHCP servers may provide faulty information
+ to clients, interfering with the operation of a legitimate site
+ DHCP server if there is one.
+
+severity: medium
+
+ocil_clause: |-
+ {{{ ocil_clause_service_disabled(service="kea-dhcp6-server") }}}
+
+ocil: |-
+ {{{ ocil_service_disabled(service="kea-dhcp6-server") }}}
+
+platform: system_with_kernel
+
+template:
+ name: service_disabled
+ vars:
+ servicename: kea-dhcp6-server
+ packagename: kea
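Review bot: `packagename: kea` at the end of the hunk ties the service_disabled check to the `kea` package, but on distributions that split Kea into per-daemon packages `kea` may be only a metapackage; if the template treats an absent package as compliant, a host with just the per-daemon package installed and the unit enabled could pass, so confirm which package owns `kea-dhcp4-server.service` on the Debian 13 target the commit message names and point `packagename` at that package. The same question applies to the kea-dhcp6-server and kea-dhcp-ddns-server rules in the next two hunks. The commit message ties all three rules to CIS Debian Linux 13 Benchmark v1.0.0 section 2.1.3, yet none of the new rule.yml files carries a `references:` entry for that benchmark, so the mapping is lost to profile and report tooling; add the CIS reference to each rule.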
diff --git a/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp_ddns_server_disabled/rule.yml b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp_ddns_server_disabled/rule.yml
new file mode 100644
index 000000000000..5b942ac12d20
--- /dev/null
+++ b/linux_os/guide/services/dhcp/disabling_dhcp_server/service_kea_dhcp_ddns_server_disabled/rule.yml
@@ -0,0 +1,29 @@
+documentation_complete: true
+
+title: 'Disable kea-dhcp-ddns-server Service'
+
+description: |-
+ The kea-dhcp-ddns-server service should be disabled on
+ any system that does not need to act as a DHCP Dynamic DNS update server.
+ {{{ describe_service_disable(service="kea-dhcp-ddns-server") }}}
+
+rationale: |-
+ Unmanaged or unintentionally activated DHCP servers may provide faulty information
+ to clients, interfering with the operation of a legitimate site
+ DHCP server if there is one.
+
+severity: medium
+
+ocil_clause: |-
+ {{{ ocil_clause_service_disabled(service="kea-dhcp-ddns-server") }}}
+
+ocil: |-
+ {{{ ocil_service_disabled(service="kea-dhcp-ddns-server") }}}
+
+platform: system_with_kernel
+
+template:
+ name: service_disabled
+ vars:
+ servicename: kea-dhcp-ddns-server
+ packagename: kea
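Review bot: The `rationale` block is copied from the DHCPv4 and DHCPv6 rules and argues about a DHCP server handing faulty information to clients, which does not describe kea-dhcp-ddns-server; per the hunk's own description it is the daemon that performs DNS updates on behalf of the DHCP servers, not a server that answers clients. A daemon-specific rationale would read roughly `An unneeded DHCP-DDNS daemon adds attack surface and, if misconfigured, can push unintended updates into DNS zones; disable it on systems that do not act as DHCP servers.` Keep the wording in step with the other rules under disabling_dhcp_server so the rendered guide stays consistent.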