4.4.1.2 Ensure latest version of authselect is installed

Information

Authselect is a utility that simplifies the configuration of user authentication. Authselect offers ready-made profiles that can be universally used with all modern identity management systems.

You can create and deploy a custom profile by customizing one of the default profiles: the sssd, winbind, or nis profile. This is particularly useful if modifying a ready-made authselect profile is not enough for your needs. When you deploy a custom profile, the profile is applied to every user logging into the given host. This is the recommended method, because the existing profiles remain unmodified.

Updated versions of authselect include additional functionality.

Authselect makes testing and troubleshooting easy because it only modifies files in these directories:

- /etc/nsswitch.conf
- /etc/pam.d/*
- /etc/dconf/db/distro.d/*

To ensure the system has full functionality and access to the options covered by this Benchmark, authselect-1.2.6-1 or later is required.

Solution

Run the following command to install authselect :

# dnf install authselect

- IF - the version of authselect on the system is less than version authselect-1.2.6-1 :

Run the following command to update to the latest version of authselect :

# dnf upgrade authselect
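
The following audit check is an added example, not part of the Benchmark text: it compares an installed authselect version-release against the authselect-1.2.6-1 minimum stated above. The function names are hypothetical, and the comparison uses GNU `sort -V` as an approximation of RPM's own version ordering, looking only at the leading number of the release (the dist tag such as `.el9` is ignored).

```shell
#!/bin/sh
# Added example: audit the minimum authselect version named in this item.
MIN_VR="1.2.6-1"   # minimum version-release taken from the recommendation

# ver_ge A B: succeed if dotted version A >= B.
# Assumption: sort -V (GNU coreutils) is close enough to RPM ordering
# for purely numeric dotted versions like these.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# authselect_meets_minimum VERSION-RELEASE   (e.g. "1.2.6-2.el9")
# Returns 0 when the given version-release is >= MIN_VR, 1 otherwise.
authselect_meets_minimum() {
    ver=${1%%-*}                   # upstream version, e.g. 1.2.6
    rel=${1#*-}                    # release, e.g. 2.el9
    [ "$rel" = "$1" ] && rel=0     # input carried no release field
    rel_num=${rel%%.*}             # leading release number, dist tag dropped
    min_ver=${MIN_VR%%-*}
    min_rel=${MIN_VR#*-}
    if [ "$ver" != "$min_ver" ]; then
        ver_ge "$ver" "$min_ver"   # versions differ: version alone decides
        return
    fi
    ver_ge "$rel_num" "$min_rel"   # same version: compare release numbers
}

# audit_authselect: query the RPM database and report PASS/FAIL.
# Returns 0 on pass, 1 on fail, 2 when rpm is not available on this host.
audit_authselect() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "SKIP: rpm not available"; return 2
    fi
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' authselect 2>/dev/null) || {
        echo "FAIL: authselect is not installed"; return 1; }
    if authselect_meets_minimum "$installed"; then
        echo "PASS: authselect-$installed"
    else
        echo "FAIL: authselect-$installed is older than authselect-$MIN_VR"
        return 1
    fi
}
```

Source the file and call `audit_authselect` on the host being assessed; a FAIL result maps to the install or upgrade command above.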

Impact:

If local site customizations have been made to an authselect default or custom profile created with the --symlink-pam option, these customizations may be over-written by updating authselect.

WARNING:

Do not use authselect if:

- Your host is part of Linux Identity Management. Joining your host to an IdM domain with the ipa-client-install command automatically configures SSSD authentication on your host.
- Your host is part of Active Directory via SSSD. Calling the realm join command to join your host to an Active Directory domain automatically configures SSSD authentication on your host.

It is not recommended to change the authselect profiles configured by ipa-client-install or realm join. If you need to modify them, display the current settings before making any modifications, so you can revert to them if necessary.

See Also

https://workbench.cisecurity.org/benchmarks/15287

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7a.

Plugin: Unix

Control ID: b9a4b036870ab789d6d1115121f0b8faa2e1ed8fe7bd7d131c43343a5fcef7fb