Configure Kerberos to use System Crypto Policy

An XCCDF Rule

Description

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it's configuration may be set up to ignore it. To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.

Rationale

Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented.

ID: xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
Severity: High
References: 0418 1055 1402

CIP-003-8 R4.2 CIP-007-3 R5.1

SC-12(2) SC-12(3) SC-13

SRG-OS-000120-GPOS-00061
Updated: about 1 year ago

- name: Configure Kerberos to use System Crypto Policy
  file:
    src: /etc/crypto-policies/back-ends/krb5.config
    path: /etc/krb5.conf.d/crypto-policies
    state: link
  tags:  - NIST-800-53-SC-12(2)
  - NIST-800-53-SC-12(3)
  - NIST-800-53-SC-13
  - configure_kerberos_crypto_policy
  - configure_strategy
  - high_severity
  - low_complexity
  - low_disruption
  - reboot_required


rm -f /etc/krb5.conf.d/crypto-policies
ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies

Configure Kerberos to use System Crypto Policy

Description

Rationale

Remediation - Ansible

Remediation - Shell Script