RHEL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity |
V-258237 | RHEL-09-672025 | SV-258237r1051256_rule | | Medium |
Description |
Overriding the system crypto policy makes the behavior of Kerberos violate expectations and makes system configuration more fragmented. |
STIG | Date |
Red Hat Enterprise Linux 9 Security Technical Implementation Guide | 2024-12-04 |
Details
Check Text (C-61978r1051254_chk) |
Verify that the symlink exists and targets the correct Kerberos cryptographic policy with the following command:

$ file /etc/crypto-policies/back-ends/krb5.config

If command output shows the following line, Kerberos is configured to use the systemwide crypto policy:

/etc/crypto-policies/back-ends/krb5.config: symbolic link to /usr/share/crypto-policies/FIPS/krb5.txt

If the symlink does not exist or points to a different target, this is a finding. |
Fix Text (F-61902r1051255_fix) |
Configure Kerberos to use system cryptographic policy. Create a symlink pointing to system crypto policy in the Kerberos configuration using the following command:

$ sudo ln -s /usr/share/crypto-policies/FIPS/krb5.txt /etc/crypto-policies/back-ends/krb5.config
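
The Check Text can be scripted for fleet audits. The following is an added example, not part of the STIG; it uses readlink instead of parsing file output, and the function name check_krb5_link and the temporary demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not STIG text. Audits the Kerberos crypto-policy symlink.
# Defaults are the two paths from the Check Text; arguments override them
# so the function can be exercised on a constructed tree.

# check_krb5_link [LINK] [EXPECTED]
# Returns 0 only if LINK is a symlink whose stored target is exactly
# EXPECTED and that target exists; otherwise prints the reason, returns 1.
check_krb5_link() {
    link=${1:-/etc/crypto-policies/back-ends/krb5.config}
    expected=${2:-/usr/share/crypto-policies/FIPS/krb5.txt}
    if [ ! -L "$link" ]; then
        if [ -e "$link" ]; then
            echo "FINDING: $link is not a symlink (local override)"
        else
            echo "FINDING: $link does not exist"
        fi
        return 1
    fi
    target=$(readlink "$link")
    if [ "$target" != "$expected" ]; then
        echo "FINDING: $link points to $target"
        return 1
    fi
    if [ ! -e "$link" ]; then
        echo "FINDING: $link is dangling ($expected missing)"
        return 1
    fi
    echo "OK"
}

# Constructed demo tree (temporary directory, not the real system paths).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/FIPS" "$root/DEFAULT"
    : > "$root/FIPS/krb5.txt"
    : > "$root/DEFAULT/krb5.txt"
    : > "$root/regular"
    ln -s "$root/FIPS/krb5.txt" "$root/good"
    ln -s "$root/DEFAULT/krb5.txt" "$root/wrong"
    for name in good wrong regular missing; do
        check_krb5_link "$root/$name" "$root/FIPS/krb5.txt" || true
    done
    rm -rf "$root"
}
demo
```

Called with no arguments on a RHEL 9 host, check_krb5_link audits the real paths and its exit status can gate a compliance job.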