GEN000600-2 - Global settings defined in system-auth must be applied in the pam.d definition files - 'link != /etc/pam.d/system-auth'

Information

Pam global requirements are generally defined in the /etc/pam.d/system-auth or /etc/pam.d/system-auth-ac file. In order for the requirements to be applied the file containing them must be included directly or indirectly in each program's definition file in /etc/pam.d

Solution

By default, the operating system delivers /etc/pam.d/system-auth as a symbolic link to /etc/pam.d/system-auth-ac (an automatically generated file). When a site adds password requirements a new system-auth-local file must be created with only the additional requirements and includes for auth, account, passwd and session pointing to '/etc/pam.d/system-auth-ac'. Then the symlink '/etc/system-auth' is modified to point to '/etc/pam.d/system-auth-local'. This way any changes made do not get lost when '/etc/pam.d/system-auth-ac' is regenerated and each program's pam.d definition file need only have 'include system-auth' for auth, account, passwd and session, as needed, in order to assure the password requirements will be applied to it.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_5_V2R1_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(a), CAT|II, CCI|CCI-000192, Rule-ID|SV-218232r603259_rule, STIG-ID|GEN000600-2, STIG-Legacy|SV-63987, STIG-Legacy|V-27285, Vuln-ID|V-218232

Plugin: Unix

Control ID: f7380445562560bec7cc469a08040c2c2d1ab76bf9aa9e4ee93f185242234948