Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-34936 | GEN000000-ZSLE0002 | SV-46164r1_rule | ECSC-1 | Medium |
Description |
---|
Pam global requirements are generally defined in the common-account, common-auth, common- password and common-session files located in the /etc/pam.d directory In order for the requirements to be applied the file(s) containing them must be included directly or indirectly in each program's definition file in /etc/pam.d |
STIG | Date |
---|---|
SUSE Linux Enterprise Server v11 for System z | 2016-12-20 |
Check Text ( C-43421r1_chk ) |
---|
Verify that common-{account,auth,password,session} settings are being applied. Procedure: Verify that local customization has occurred in the common-{account,auth,password,session}-pc file(s) by some method other than the use of the pam-config utility. The files "/etc/pam.d/common-{account,auth,password,session} -pc " are autogenerated by "pam-config". Any manual changes made to them will be lost the next time "pam-config" is run. Check to see if the system default for any of the symlinks pointing to the "/etc/pam.d/common-{account,auth,password,session} -pc" files have been changed. # ls -l /etc/pam.d/common-{account,auth,password,session} If the symlinks point to "/etc/pam.d/common-{account,auth,password,session}-pc" and manual updates have been made in these files, the updates can not be protected. This is a finding. |
Fix Text (F-39498r1_fix) |
---|
In the default distribution of SLES 11 "/etc/pam.d/common-{account,auth,password,session}" are symlinks to their respective "/etc/pam.d/common-{account,auth,password,session}-pc" files. These common-{account,auth,password,session}-pc files are autogenerated by the pam-config utility. When a site adds password requirements(for example), a new /etc/pam.d/common-password-local file must be created with only the additional requirements and an include for "common-password-pc". Then the symlink "/etc/pam.d/common-password" is modified to point to "/etc/pam.d/common-password-local". This way any changes made do not get lost when "/etc/pam.d/common-password-pc" is regenerated and each program's pam.d definition file need only have "include common-password" to assure the password requirements will be applied to it. Use the same technique for any of the common-{account,auth,password,session}-pc files that require local customization. |