{"description": "Crypto Policies provide a centralized control over crypto algorithms usage of many packages.\nKerberos is supported by crypto policy, but it's configuration may be\nset up to ignore it.\nTo check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at\n/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.\nIf the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.", "rationale": "Overriding the system crypto policy makes the behavior of Kerberos violate expectations,\nand makes system configuration more fragmented.", "severity": "high", "references": {"nerc-cip": ["CIP-003-8 R4.2", "CIP-007-3 R5.1"], "nist": ["SC-13", "SC-12(2)", "SC-12(3)"], "srg": ["SRG-OS-000120-GPOS-00061"], "ism": ["0418", "1055", "1402"]}, "control_references": {"ism": ["0418", "1055", "1402"]}, "components": [], "identifiers": {}, "ocil_clause": "the symlink does not exist or points to a different target", "ocil": "Check that the symlink exists and target the correct Kerberos crypto policy, with the following command:\n<pre>file /etc/krb5.conf.d/crypto-policies</pre>\nIf command output shows the following line, Kerberos is configured to use the system-wide crypto policy.\n<pre>/etc/krb5.conf.d/crypto-policies: symbolic link to /etc/crypto-policies/back-ends/krb5.config</pre>", "oval_external_content": null, "fixtext": "Configure Kerberos to use system crypto policy.\nCreate a symlink pointing to system crypto policy in the Kerberos configuration using the following command:\n$ sudo ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.", "vuldiscussion": "Overriding the system crypto policy makes the behavior of Kerberos violate expectations and makes system configuration more fragmented.", "checktext": "Verify that the symlink exists and targets the correct Kerberos cryptographic policy with the following command:\n\n$ file /etc/crypto-policies/back-ends/krb5.config\n\nIf command output shows the following line, Kerberos is configured to use the systemwide crypto policy:\n\n/etc/crypto-policies/back-ends/krb5.config: symbolic link to /usr/share/crypto-policies/FIPS/krb5.txt\n\nIf the symlink does not exist or points to a different target, this is a finding.", "fixtext": "Configure Kerberos to use system cryptographic policy.\n\nCreate a symlink pointing to system crypto policy in the Kerberos configuration using the following command:\n\n$ sudo ln -s /etc/crypto-policies/back-ends/krb5.config /usr/share/crypto-policies/FIPS/krb5.txt"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Configure Kerberos to use System Crypto Policy", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/crypto/configure_kerberos_crypto_policy/rule.yml", "template": null}