UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Global settings defined in common-{account,auth,password,session} must be applied in the pam.d definition files.


Overview

Finding ID Version Rule ID IA Controls Severity
V-34936 GEN000000-ZSLE0002 SV-46164r1_rule ECSC-1 Medium
Description
Pam global requirements are generally defined in the common-account, common-auth, common- password and common-session files located in the /etc/pam.d directory In order for the requirements to be applied the file(s) containing them must be included directly or indirectly in each program's definition file in /etc/pam.d
STIG Date
SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide 2018-09-19

Details

Check Text ( C-43421r1_chk )
Verify that common-{account,auth,password,session} settings are being applied.

Procedure:
Verify that local customization has occurred in the common-{account,auth,password,session}-pc file(s) by some method other than the use of the pam-config utility.

The files "/etc/pam.d/common-{account,auth,password,session} -pc " are autogenerated by "pam-config". Any manual changes made to them will be lost the next time "pam-config" is run. Check to see if the system default for any of the symlinks pointing to the "/etc/pam.d/common-{account,auth,password,session} -pc" files have been changed.

# ls -l /etc/pam.d/common-{account,auth,password,session}

If the symlinks point to "/etc/pam.d/common-{account,auth,password,session}-pc" and manual updates have been made in these files, the updates can not be protected. This is a finding.
Fix Text (F-39498r1_fix)
In the default distribution of SLES 11 "/etc/pam.d/common-{account,auth,password,session}" are symlinks to their respective "/etc/pam.d/common-{account,auth,password,session}-pc" files. These common-{account,auth,password,session}-pc files are autogenerated by the pam-config utility. When a site adds password requirements(for example), a new /etc/pam.d/common-password-local file must be created with only the additional requirements and an include for "common-password-pc". Then the symlink "/etc/pam.d/common-password" is modified to point to "/etc/pam.d/common-password-local". This way any changes made do not get lost when "/etc/pam.d/common-password-pc" is regenerated and each program's pam.d definition file need only have "include common-password" to assure the password requirements will be applied to it. Use the same technique for any of the common-{account,auth,password,session}-pc files that require local customization.