5.3.2.1 Ensure pam_unix module is enabled

Information

pam_unix is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd and if shadow is enabled, the /etc/shadow file as well.

The account component performs the task of establishing the status of the user's account and password based on the following shadow elements: expire last_change max_change min_change warn_change In the case of the latter, it may offer advice to the user on changing their password or, through the PAM_AUTHTOKEN_REQD return, delay giving service to the user until they have established a new password. The entries listed above are documented in the shadow(5) manual page. Should the user's record not contain one or more of these entries, the corresponding shadow check is not performed.

The authentication component performs the task of checking the users credentials (password). The default action of this module is to not permit the user access to a service if their official password is blank.

The system should only provide access after performing authentication of a user.

Solution

Run the following command to enable the pam_unix module:

# pam-auth-update --enable unix

Note: If a site specific custom profile is being used in your environment to configure PAM that includes the configuration for the pam_faillock module, enable that module instead

See Also

https://workbench.cisecurity.org/benchmarks/18959

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 931bb0cba64b1678417c316fa287dbd2d0a866accc0da7cb3cfd48917412c42e