RHEL 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.

Severity: medium
Group ID: V-258237
Group Title: SRG-OS-000120-GPOS-00061
Version: RHEL-09-672025
Rule ID: SV-258237r1051256_rule
Date: 2025-02-27
STIG Version: 2
Description
Overriding the system-wide crypto policy in the Kerberos back end makes Kerberos behave differently from what the active policy promises (for example, negotiating encryption types the FIPS policy disables) and makes system configuration more fragmented, since the policy then has to be audited in more than one place.
ℹ️ Check
Verify that the symlink exists and targets the correct Kerberos cryptographic policy with the following command:

$ file /etc/crypto-policies/back-ends/krb5.config

If the command output shows the following line, Kerberos is configured to use the systemwide crypto policy:

/etc/crypto-policies/back-ends/krb5.config: symbolic link to /usr/share/crypto-policies/FIPS/krb5.txt

If the symlink does not exist or points to a different target, this is a finding.
✔️ Fix
Configure Kerberos to use the system cryptographic policy. Create a symlink in the Kerberos back-end configuration that points at the FIPS crypto policy file using the following command (ln -s takes the target first and the link name second):

$ sudo ln -s /usr/share/crypto-policies/FIPS/krb5.txt /etc/crypto-policies/back-ends/krb5.config

If /etc/crypto-policies/back-ends/krb5.config already exists (on RHEL 9 it is normally a symlink maintained by update-crypto-policies), ln -s will refuse to overwrite it; use ln -sf or remove the stale link first. Note that "sudo update-crypto-policies --set FIPS" regenerates every back-end symlink, including this one, so a hand-placed link only persists if the active system policy is itself FIPS.
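The check and fix above expressed as shell functions, as an added example that is not part of the STIG text. It uses readlink rather than file so the symlink target can be compared exactly, takes the link path and expected target as parameters so it can be exercised against a scratch directory, and the function names and the --system flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not STIG text): verify and remediate the Kerberos
# crypto-policies back-end symlink (RHEL-09-672025).

# krb5_policy_check LINK EXPECTED_TARGET
# Returns 0 when LINK is a symlink whose target is exactly EXPECTED_TARGET,
# 1 otherwise (missing, a regular file, or pointing somewhere else).
krb5_policy_check() {
    link=$1
    expected=$2
    if [ ! -L "$link" ]; then
        echo "FINDING: $link is missing or not a symlink" >&2
        return 1
    fi
    actual=$(readlink "$link")
    if [ "$actual" != "$expected" ]; then
        echo "FINDING: $link -> $actual (expected $expected)" >&2
        return 1
    fi
    echo "PASS: $link -> $actual"
    return 0
}

# krb5_policy_fix LINK EXPECTED_TARGET
# Replaces LINK with a symlink to EXPECTED_TARGET. ln -sfn overwrites an
# existing link or regular file in place, which plain ln -s refuses to do.
krb5_policy_fix() {
    ln -sfn "$2" "$1"
}

# Stand-alone use against the real RHEL 9 paths:
#   sh check-krb5-policy.sh --system        (check only)
#   sh check-krb5-policy.sh --system --fix  (check, then remediate)
if [ "${1:-}" = "--system" ]; then
    link=/etc/crypto-policies/back-ends/krb5.config
    target=/usr/share/crypto-policies/FIPS/krb5.txt
    if ! krb5_policy_check "$link" "$target" && [ "${2:-}" = "--fix" ]; then
        krb5_policy_fix "$link" "$target" && krb5_policy_check "$link" "$target"
    fi
fi
```

Run it as root for --fix. Remember that update-crypto-policies regenerates the back-end symlinks, so after remediating the link also confirm the active policy (update-crypto-policies --show) is FIPS, or the fix will not survive the next policy update.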