5.4.1 Ensure custom authselect profile is used

Information

A custom profile can be created by copying and customizing one of the default profiles. The default profiles include sssd, winbind, and nis. The copy can then be customized to follow site-specific requirements.

You can select a profile for the authselect utility for a specific host. The profile will be applied to every user logging into the host.

A custom profile is required to customize many of the PAM options.

When you deploy a profile, the profile is applied to every user logging into the given host.

Solution

Run the following command to create a custom authselect profile:

# authselect create-profile <custom-profile name> <options>

Example:

# authselect create-profile custom-profile -b sssd --symlink-meta

Run the following command to select a custom authselect profile:

# authselect select custom/<CUSTOM PROFILE NAME> {with-<OPTIONS>}

Example:

# authselect select custom/custom-profile with-sudo with-faillock without-nullok
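
To confirm the result after selecting the profile, the following check (an added example, not part of the benchmark text) parses the output of authselect current, verifies that the Profile ID begins with custom/, and verifies that each required feature is listed. The function name check_authselect, its return codes, and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the active authselect profile.
# check_authselect reads `authselect current` output on stdin.
# Arguments: features that must appear under "Enabled features:".
# Returns: 0 = compliant, 1 = active profile is not custom/<name>,
#          2 = custom profile selected but a required feature is missing.
check_authselect() {
    out=$(cat)
    profile=$(printf '%s\n' "$out" | sed -n 's/^Profile ID:[[:space:]]*//p')
    case "$profile" in
        custom/?*) ;;
        *)  echo "FAIL: active profile is '${profile:-none}', not custom/<name>"
            return 1 ;;
    esac
    rc=0
    for feat in "$@"; do
        # Each feature is printed on its own line as "- <feature>".
        if ! printf '%s\n' "$out" | grep -qx -- "- $feat"; then
            echo "FAIL: required feature '$feat' is not enabled"
            rc=2
        fi
    done
    [ "$rc" -eq 0 ] && echo "PASS: $profile with required features"
    return "$rc"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_CUSTOM='Profile ID: custom/custom-profile
Enabled features:
- with-sudo
- with-faillock
- without-nullok'

SAMPLE_DEFAULT='Profile ID: sssd
Enabled features:
- with-sudo'

# Demo on the constructed samples. On a real host, run instead:
#   authselect current | check_authselect with-sudo with-faillock without-nullok
printf '%s\n' "$SAMPLE_CUSTOM"  | check_authselect with-sudo with-faillock without-nullok
printf '%s\n' "$SAMPLE_DEFAULT" | check_authselect with-faillock || true
```
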

See Also

https://workbench.cisecurity.org/files/3742

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, RISK ASSESSMENT

References: 800-53|CA-5, 800-53|RA-1, 800-53|RA-5, CSCv7|16.7

Plugin: Unix

Control ID: 2ec4ad6de64650e2ca1ffe56dd6040d4d0097873e23f4ff3756bfda1b4ea60b7