Configure Kerberos to use System Crypto Policy

Docs > Datadog Security > OOTB Rules > Configure Kerberos to use System Crypto Policy

Classification:

compliance

Framework:

Control:

Description

Crypto Policies provide a centralized control over crypto algorithms usage of many packages. Kerberos is supported by crypto policy, but it’s configuration may be set up to ignore it. To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at /etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config. If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.

Rationale

Overriding the system crypto policy makes the behavior of Kerberos violate expectations, and makes system configuration more fragmented.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

rm -f /etc/krb5.conf.d/crypto-policies
ln -s /etc/crypto-policies/back-ends/krb5.config /etc/krb5.conf.d/crypto-policies

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Configure Kerberos to use System Crypto Policy
 file:
 src: /etc/crypto-policies/back-ends/krb5.config
 path: /etc/krb5.conf.d/crypto-policies
 state: link
 tags:
 - NIST-800-53-SC-12(2)
 - NIST-800-53-SC-12(3)
 - NIST-800-53-SC-13
 - configure\_kerberos\_crypto\_policy
 - configure\_strategy
 - high\_severity
 - low\_complexity
 - low\_disruption
 - reboot\_required