TOSS 5 must use mechanisms meeting the requirements of applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-282503 | TOSS-05-000471 | SV-282503r1200489_rule | CCI-000803 | medium |
| Description | ||||
| Overriding the system crypto policy makes the behavior of Kerberos violate expectations and makes system configuration more fragmented. | ||||
| STIG | Date | |||
| Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide | 2026-04-01 | |||
Details
Check Text (C-282503r1200489_chk)
Verify the symlink exists and targets the correct Kerberos crypto policy, using the following command:
file /etc/crypto-policies/back-ends/krb5.config
If command output shows the following line, Kerberos is configured to use the systemwide crypto policy:
/etc/crypto-policies/back-ends/krb5.config: symbolic link to /usr/share/crypto-policies/FIPS/krb5.txt
If the symlink does not exist or points to a different target, this is a finding.
Fix Text (F-86969r1200488_fix)
Configure Kerberos to use system crypto policy.
Create a symlink pointing to system crypto policy in the Kerberos configuration using the following command:
$ sudo ln -s /etc/crypto-policies/back-ends/krb5.config /usr/share/crypto-policies/FIPS/krb5.txt