STIG ID: RHEL-09-672025 | SRG: SRG-OS-000120-GPOS-00061 | Severity: medium | CCI: | Vulnerability Id: V-258237
Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented.
Configure Kerberos to use system crypto policy.
Create a symlink pointing to system crypto policy in the Kerberos configuration using the following command:
$ sudo ln -s /etc/crypto-policies/back-ends/krb5.config /usr/share/crypto-policies/FIPS/krb5.txt
Verify that the symlink exists and targets the correct Kerberos crypto policy, with the following command:
file /etc/crypto-policies/back-ends/krb5.config
If command output shows the following line, Kerberos is configured to use the system-wide crypto policy:
/etc/crypto-policies/back-ends/krb5.config: symbolic link to /usr/share/crypto-policies/FIPS/krb5.txt
If the symlink does not exist or points to a different target, this is a finding.