TOSS 5 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-282503 | SRG-OS-000120-GPOS-00061 | TOSS-05-000471 | SV-282503r1200489_rule | 2026-04-01 | 1 |
Description
Overriding the system crypto policy makes the behavior of Kerberos violate expectations and makes system configuration more fragmented.
ℹ️ Check
Verify the symlink exists and targets the correct Kerberos crypto policy, using the following command:
file /etc/crypto-policies/back-ends/krb5.config
If command output shows the following line, Kerberos is configured to use the systemwide crypto policy:
/etc/crypto-policies/back-ends/krb5.config: symbolic link to /usr/share/crypto-policies/FIPS/krb5.txt
If the symlink does not exist or points to a different target, this is a finding.
✔️ Fix
Configure Kerberos to use system crypto policy.
Create a symlink pointing to system crypto policy in the Kerberos configuration using the following command:
$ sudo ln -s /etc/crypto-policies/back-ends/krb5.config /usr/share/crypto-policies/FIPS/krb5.txt