OL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

STIG ID: OL09-00-002424  |  SRG: SRG-OS-000120-GPOS-00061 |  Severity: medium |  CCI: CCI-000803 |  Vulnerability Id: V-271762

Vulnerability Discussion

Overriding the system crypto policy makes the behavior of Kerberos violate expectations and makes system configuration more fragmented.

Check

Verify that OL 9 configures Kerberos to use the systemwide crypto policy with the following command:

$ file /etc/crypto-policies/back-ends/krb5.config
/etc/crypto-policies/back-ends/krb5.config: symbolic link to /usr/share/crypto-policies/FIPS/krb5.txt

If the symlink does not exist or points to a different target, this is a finding.

Fix

Configure Kerberos to use system crypto policy.

Remove incorrect symlink if it exists using the following command:

$ sudo rm /etc/crypto-policies/back-ends/krb5.config

Create a symlink pointing to system crypto policy in the Kerberos configuration using the following command:

$ sudo ln -s /usr/share/crypto-policies/FIPS/krb5.txt /etc/crypto-policies/back-ends/krb5.config
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.