Title

RHEL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. (Cat II impact)

Discussion

Overriding the system crypto policy makes the behavior of Kerberos violate expectations and makes system configuration more fragmented.

Check Content

Verify that the symlink exists and targets the correct Kerberos cryptographic policy with the following command: $ file /etc/crypto-policies/back-ends/krb5.config If command output shows the following line, Kerberos is configured to use the systemwide crypto policy: /etc/crypto-policies/back-ends/krb5.config: symbolic link to /usr/share/crypto-policies/FIPS/krb5.txt If the symlink does not exist or points to a different target, this is a finding.

Fix Text

Configure Kerberos to use system cryptographic policy. Create a symlink pointing to system crypto policy in the Kerberos configuration using the following command: $ sudo ln -s /etc/crypto-policies/back-ends/krb5.config /usr/share/crypto-policies/FIPS/krb5.txt

Additional Identifiers

Rule ID: SV-258237r1051256_rule

Vulnerability ID: V-258237

Group Title: SRG-OS-000120-GPOS-00061

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.