
Global settings defined in system-auth must be applied in the pam.d definition files.


Overview

Finding ID: V-27285
Version: GEN000600-2
Rule ID: SV-34584r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
PAM global requirements are generally defined in the /etc/pam.d/system-auth or /etc/pam.d/system-auth-ac file. For those requirements to be applied, the file containing them must be included, directly or indirectly, in each program's definition file in /etc/pam.d.
STIG: Red Hat Enterprise Linux 5 Security Technical Implementation Guide
Date: 2017-03-01

Details

Check Text (C-37566r3_chk)
Verify the system-auth settings are being applied.

Procedure:
Verify the additional pam.d requirements are in use.

The file "/etc/pam.d/system-auth-ac" is auto-generated by "authconfig". Any manual changes made to it will be lost the next time "authconfig" is run.
Check whether the system's default, the symlink "/etc/pam.d/system-auth" pointing to "/etc/pam.d/system-auth-ac", has been changed.

# ls -l /etc/pam.d/system-auth

If the symlink still points to "/etc/pam.d/system-auth-ac", manual changes cannot be protected from being overwritten by "authconfig". This is a finding.

# grep system-auth-ac /etc/pam.d/system-auth

The local system-auth file pointed to by "/etc/pam.d/system-auth" must include "/etc/pam.d/system-auth-ac" on its auth, account, password, and session lines. If it does not, the parameters maintained by "authconfig" will not be applied. This is a finding.
Fix Text (F-32809r2_fix)
In the default RHEL distribution, "/etc/pam.d/system-auth" is a symlink to "/etc/pam.d/system-auth-ac", an auto-generated file. When a site adds password requirements, create a new "/etc/pam.d/system-auth-local" file containing only the additional requirements plus "include" lines for auth, account, password, and session pointing to "/etc/pam.d/system-auth-ac". Then change the "/etc/pam.d/system-auth" symlink to point to "/etc/pam.d/system-auth-local".

This way, site changes are not lost when "/etc/pam.d/system-auth-ac" is regenerated, and each program's pam.d definition file need only have "include system-auth" for auth, account, password, and session, as needed, to ensure the password requirements are applied to it.
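The following script is an added example, not part of the STIG or of any Red Hat tooling. It performs the fix above (write a system-auth-local containing only site additions plus the four include lines, then repoint the symlink) and implements the check as a function that returns 0 for compliant and 1 for a finding. The pam_cracklib line is an illustrative site requirement, not something the STIG prescribes. PAMDIR defaults to /etc/pam.d; setting it to a scratch directory lets you dry-run the logic without root. The check accepts both the bare "system-auth-ac" and the absolute "/etc/pam.d/system-auth-ac" on include lines, since PAM resolves bare names relative to /etc/pam.d.

```shell
#!/bin/sh
# Added example (not STIG or vendor code): apply and verify V-27285.
# Usage: sh v27285.sh                -> check only
#        sh v27285.sh apply          -> write system-auth-local, repoint symlink, check
# Set PAMDIR=/some/scratch/dir to exercise the logic outside /etc/pam.d.
PAMDIR="${PAMDIR:-/etc/pam.d}"

# Create the site-local stack. Only site additions live here; everything
# authconfig manages is pulled in through the four include lines.
write_system_auth_local() {
    cat > "$PAMDIR/system-auth-local" <<'EOF'
#%PAM-1.0
# Site-local PAM additions. authconfig regenerates system-auth-ac, never this file.
auth        include     system-auth-ac
account     include     system-auth-ac
# Illustrative site password requirement (assumption for this example).
password    requisite   pam_cracklib.so try_first_pass retry=3 minlen=14
password    include     system-auth-ac
session     include     system-auth-ac
EOF
}

# Repoint the symlink that every per-service file ultimately includes.
# -n keeps ln from descending into an existing symlink-to-directory.
repoint_symlink() {
    ln -sfn system-auth-local "$PAMDIR/system-auth"
}

# Check text, encoded: a finding (return 1) if system-auth still points at
# the authconfig-owned file, or if any of the four management groups in the
# local file fails to include system-auth-ac.
check_v27285() {
    f="$PAMDIR/system-auth"
    [ -e "$f" ] || return 1
    if [ -L "$f" ]; then
        case "$(readlink "$f")" in
            system-auth-ac|*/system-auth-ac) return 1 ;;   # default layout: finding
        esac
    fi
    for group in auth account password session; do
        grep -Eq "^${group}[[:space:]]+include[[:space:]]+(/etc/pam\.d/)?system-auth-ac([[:space:]]|$)" "$f" \
            || return 1
    done
    return 0
}

if [ "${1:-}" = "apply" ]; then
    write_system_auth_local
    repoint_symlink
fi
if check_v27285; then
    echo "V-27285: compliant (${PAMDIR}/system-auth -> $(readlink "$PAMDIR/system-auth" 2>/dev/null || echo regular-file))"
else
    echo "V-27285: FINDING in ${PAMDIR}"
fi
```

Run the check first on a stock RHEL 5 box and it reports a finding because the symlink still targets system-auth-ac; after "apply" it reports compliant, and re-running authconfig afterwards only rewrites system-auth-ac, leaving the local file and the symlink intact.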