Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Global settings defined in common- {account,auth,password,session} must be applied in the pam.d definition files.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-239492 | VROM-SL-000345 | SV-239492r661927_rule | Medium |
| Description |
|---|
| Pam global requirements are generally defined in the common-account, common-auth, common- password and common-session files located in the /etc/pam.d directory. In order for the requirements to be applied the file(s) containing them must be included directly or indirectly in each program's definition file in /etc/pam.d. |
| STIG | Date |
|---|---|
| VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide | 2023-09-21 |
Details
| Check Text ( C-42725r661925_chk ) |
|---|
| Verify that common-{account, auth, password, session} settings are being applied: Verify that local customization has occurred in the common- {account,auth,password,session}-pc file(s) by some method other than the use of the pam-config utility. The files "/etc/pam.d/common-{account,auth,password,session} -pc" are autogenerated by "pam-config". Any manual changes made to them will be lost if "pam-config" is allowed to run. # ls -l /etc/pam.d/common-{account,auth,password,session} If the symlinks point to "/etc/pam.d/common- {account,auth,password,session}-pc" and manual updates have been made in these files, the updates cannot be protected if pam-config is enabled. # ls -l /usr/sbin/pam-config If the setting for pam-config is not "000", this is a finding. |
| Fix Text (F-42684r661926_fix) |
|---|
| In the default distribution of SLES 11 "/etc/pam.d/common- {account,auth,password,session}" are symlinks to their respective "/etc/pam.d/common- {account,auth,password,session}-pc" files. These common- {account,auth,password,session}-pc files are autogenerated by the pam-config utility. Edit /usr/sbin/pam-config permissions to prevent its use: # chmod 000 /usr/sbin/pam-config |