AlmaLinux OS 9 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-269413 | SRG-OS-000120-GPOS-00061 | ALMA-09-039290 | SV-269413r1050296_rule | 2025-02-20 | 1 |
Description |
---|
The key derivation function (KDF) in Kerberos is not FIPS compatible. Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented. |
ℹ️ Check |
---|
Verify that the symlink exists and targets the correct Kerberos crypto policy, with the following command: `$ file /etc/crypto-policies/back-ends/krb5.config` which should return `/etc/crypto-policies/back-ends/krb5.config: symbolic link to /usr/share/crypto-policies/FIPS/krb5.txt`. If the symlink does not exist or points to a different target, this is a finding. |
✔️ Fix |
---|
Configure Kerberos to use the systemwide crypto policy. Create a symlink pointing to the system crypto policy in the Kerberos configuration using the following command: `$ ln -s /usr/share/crypto-policies/FIPS/krb5.txt /etc/crypto-policies/back-ends/krb5.config` |
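
The check above can be scripted for repeatable audits. The following is an added example, not part of the STIG text: it compares the stored link target exactly and distinguishes the three finding cases (missing, not a symlink, wrong target). The function name and the optional root-prefix argument are assumptions introduced here so the check can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: audit check for the krb5 crypto-policy back-end symlink.
# The paths below are the ones given in the check text.
EXPECTED_TARGET="/usr/share/crypto-policies/FIPS/krb5.txt"
LINK_PATH="/etc/crypto-policies/back-ends/krb5.config"

# check_krb5_policy_link [ROOT]
#   ROOT is a hypothetical prefix (default empty = live system) used to
#   point the check at a test tree.
# Prints a one-line verdict and returns:
#   0  symlink exists and its stored target is exactly EXPECTED_TARGET
#   1  finding: path missing, not a symlink, or pointing elsewhere
check_krb5_policy_link() {
    root="${1:-}"
    link="${root}${LINK_PATH}"

    if [ ! -L "$link" ]; then
        if [ -e "$link" ]; then
            # A regular file here means the policy was overridden in place.
            echo "FINDING: $link exists but is not a symbolic link"
        else
            echo "FINDING: $link does not exist"
        fi
        return 1
    fi

    # readlink without -f returns the target as stored in the link,
    # which is what the check text compares against.
    target=$(readlink "$link")
    if [ "$target" != "$EXPECTED_TARGET" ]; then
        echo "FINDING: $link points to $target"
        return 1
    fi

    echo "PASS: $link -> $target"
    return 0
}
```

Calling `check_krb5_policy_link` with no argument audits the running system; the exit status can be consumed directly by a compliance job.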