Global settings defined in system-auth must be applied in the pam.d definition files.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-27285	GEN000600-2	SV-34584r1_rule	ECSC-1	Medium

Description
Pam global requirements are generally defined in the /etc/pam.d/system-auth or /etc/pam.d/system-auth-ac file. In order for the requirements to be applied the file containing them must be included directly or indirectly in each program's definition file in /etc/pam.d

STIG	Date
Red Hat Enterprise Linux 5 Security Technical Implementation Guide	2016-06-01

Details

Check Text ( C-37566r3_chk )
Verify the system-auth settings are being applied. Procedure: Verify the additional pam.d requirements are in use. The file "/etc/pam.d/system-auth-ac" is auto generated by "authconfig". Any manual changes made to it will be lost next time "authconfig" is run. Check to see if the systems default of the symlink "/etc/pam.d/system-auth" pointing to "/etc/pam.d/system-auth-ac" has been changed. # ls -l /etc/pam.d/system-auth If the symlink points to "/etc/pam.d/system-auth-ac", manual changes cannot be protected. This is a finding. # grep system-auth-ac /etc/pam.d/system-auth The local system-auth file pointed to by "/etc/pam.d/system-auth" must contain "/etc/pam.d/system-auth-ac" for the auth, account, password, and session lines. If it does not then the parameters maintained by "authconfig" will not be applied, this is a finding.

Check Text ( C-37566r3_chk )

Verify the system-auth settings are being applied.

Procedure:
Verify the additional pam.d requirements are in use.

The file "/etc/pam.d/system-auth-ac" is auto generated by "authconfig". Any manual changes made to it will be lost next time "authconfig" is run.
Check to see if the systems default of the symlink "/etc/pam.d/system-auth" pointing to "/etc/pam.d/system-auth-ac" has been changed.

# ls -l /etc/pam.d/system-auth

If the symlink points to "/etc/pam.d/system-auth-ac", manual changes cannot be protected. This is a finding.

# grep system-auth-ac /etc/pam.d/system-auth

The local system-auth file pointed to by "/etc/pam.d/system-auth" must contain "/etc/pam.d/system-auth-ac" for the auth, account, password, and session lines. If it does not then the parameters maintained by "authconfig" will not be applied, this is a finding.

Fix Text (F-32809r2_fix)
In the default distribution of RHEL "/etc/pam.d/system-auth" is a symlink "/etc/pam.d/system-auth-ac" which is an autogenerated file. When a site adds password requirements a new system-auth-local file must be created with only the additional requirements and includes for auth, account, passwd and session pointing to "/etc/pam.d/system-auth-ac". Then the symlink "/etc/system-auth" is modified to point to "/etc/pam.d/system-auth-local". This way any changes made do not get lost when "/etc/pam.d/system-auth-ac" is regenerated and each program's pam.d definition file need only have "include system-auth" for auth, account, passwd and session, as needed, in order to assure the password requirements will be applied to it.

Fix Text (F-32809r2_fix)

In the default distribution of RHEL "/etc/pam.d/system-auth" is a symlink "/etc/pam.d/system-auth-ac" which is an autogenerated file. When a site adds password requirements a new system-auth-local file must be created with only the additional requirements and includes for auth, account, passwd and session pointing to "/etc/pam.d/system-auth-ac". Then the symlink "/etc/system-auth" is modified to point to "/etc/pam.d/system-auth-local". This way any changes made do not get lost when "/etc/pam.d/system-auth-ac" is regenerated and each program's pam.d definition file need only have "include system-auth" for auth, account, passwd and session, as needed, in order to assure the password requirements will be applied to it.