
Global settings defined in common-{account,auth,password,session} must be applied in the pam.d definition files.


Overview

Finding ID: V-34936
Version: GEN000000-ZSLE0002
Rule ID: SV-46164r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
PAM global requirements are generally defined in the common-account, common-auth, common-password and common-session files located in the /etc/pam.d directory. In order for the requirements to be applied, the file(s) containing them must be included, directly or indirectly, in each program's definition file in /etc/pam.d.
STIG: SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide
Date: 2018-09-19

Details

Check Text (C-43421r1_chk)
Verify that common-{account,auth,password,session} settings are being applied.

Procedure:
Verify whether local customization has been made directly in the common-{account,auth,password,session}-pc file(s) by some method other than the pam-config utility.

The files "/etc/pam.d/common-{account,auth,password,session}-pc" are autogenerated by "pam-config". Any manual changes made to them will be lost the next time "pam-config" is run. Check whether the system default for any of the symlinks pointing to the "/etc/pam.d/common-{account,auth,password,session}-pc" files has been changed:

# ls -l /etc/pam.d/common-{account,auth,password,session}

If the symlinks point to "/etc/pam.d/common-{account,auth,password,session}-pc" and manual updates have been made in those files, the updates cannot be protected from being overwritten. This is a finding.
Fix Text (F-39498r1_fix)
In the default distribution of SLES 11, "/etc/pam.d/common-{account,auth,password,session}" are symlinks to their respective "/etc/pam.d/common-{account,auth,password,session}-pc" files, which are autogenerated by the pam-config utility. When a site adds password requirements (for example), do not edit common-password-pc. Instead:

1. Create a new /etc/pam.d/common-password-local file containing only the additional requirements and an include for "common-password-pc".
2. Modify the symlink "/etc/pam.d/common-password" to point to "/etc/pam.d/common-password-local".

This way any changes made do not get lost when "/etc/pam.d/common-password-pc" is regenerated, and each program's pam.d definition file need only have "include common-password" to assure the password requirements will be applied to it. Use the same technique for any of the common-{account,auth,password,session}-pc files that require local customization.
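The check and fix procedures above, as an added shell example that is not part of the STIG text: it builds a constructed stand-in for the /etc/pam.d layout in a temporary directory (PAMD), seeds the four autogenerated -pc files with a made-up minimal stack, flags any common-* symlink that still points at a -pc file, and performs the localization step for common-password. The function names (seed_default_layout, links_to_pc, localize), the sample module lines, and the choice to place the site's additions ahead of the include line are assumptions for illustration; run it against a sandbox, not the live /etc/pam.d, and review the resulting -local file before repointing a production symlink.

```shell
#!/bin/sh
# Added example (not STIG text): sandbox model of the SLES 11 /etc/pam.d
# common-* layout. PAMD defaults to a constructed temporary directory so
# nothing here touches the live system.
PAMD="${PAMD:-$(mktemp -d)}"

# Constructed stand-in for pam-config output: one minimal autogenerated
# -pc file per type, plus the distribution-default relative symlink to it.
seed_default_layout() {
    for t in account auth password session; do
        cat > "$PAMD/common-$t-pc" <<EOF
#%PAM-1.0
# Constructed stand-in for the pam-config generated file; on a real
# system any manual edit here is lost the next time pam-config runs.
$t  required  pam_unix.so
EOF
        ln -sf "common-$t-pc" "$PAMD/common-$t"
    done
}

# Check: returns 0 when common-<type> is a symlink whose target ends in
# -pc (the default layout, where hand edits cannot be protected), 1 when
# it points elsewhere or is not a symlink at all.
links_to_pc() {
    target=$(readlink "$PAMD/common-$1") || return 1
    case "$target" in
        *-pc) return 0 ;;
        *)    return 1 ;;
    esac
}

# Fix: write common-<type>-local holding only the site's extra line(s)
# and an include of the -pc file, then repoint the symlink at it.
# Refuses (returns 1) if a -local file already exists rather than
# silently overwriting an earlier customization. Placing the site's
# lines before the include is an assumption; order them as the modules
# in use require.
localize() {
    t="$1"
    extra="$2"
    localfile="$PAMD/common-$t-local"
    [ -e "$localfile" ] && return 1
    {
        echo "#%PAM-1.0"
        echo "# Site-specific $t requirements; pam-config does not regenerate this file."
        echo "$extra"
        echo "$t  include  common-$t-pc"
    } > "$localfile"
    ln -sf "common-$t-local" "$PAMD/common-$t"
}

# Demonstration on the sandbox: report links that still point at a -pc
# file, then localize common-password with a constructed site requirement.
seed_default_layout
for t in account auth password session; do
    if links_to_pc "$t"; then
        echo "common-$t -> $(readlink "$PAMD/common-$t") : points at the autogenerated -pc file"
    fi
done
localize password "password  requisite  pam_cracklib.so minlen=14 dcredit=-1 ucredit=-1"
ls -l "$PAMD"/common-password*
cat "$PAMD/common-password-local"
echo "sandbox left at $PAMD for inspection"
```

On a real SLES 11 host the same two functions map onto the STIG steps: links_to_pc is the "ls -l /etc/pam.d/common-*" inspection, and localize is the create-the--local-file-and-repoint-the-symlink fix; the -pc file is never edited, so a later pam-config run regenerates it without discarding the site's additions.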