GEN000600-2 - Ensure global settings defined in system-auth are applied in the pam.d definition files - 'link = system-auth-local'

Information

PAM global requirements are generally defined in the /etc/pam.d/system-auth or /etc/pam.d/system-auth-ac file. For the requirements to be applied, the file containing them must be included, directly or indirectly, in each program's definition file in /etc/pam.d.

Solution

In the default distribution of RHEL, '/etc/pam.d/system-auth' is a symlink to '/etc/pam.d/system-auth-ac', which is an autogenerated file. When a site adds password requirements, a new system-auth-local file must be created containing only the additional requirements plus includes for auth, account, passwd and session pointing to '/etc/pam.d/system-auth-ac'. The symlink '/etc/pam.d/system-auth' is then modified to point to '/etc/pam.d/system-auth-local'. This way, changes are not lost when '/etc/pam.d/system-auth-ac' is regenerated, and each program's pam.d definition file need only have 'include system-auth' for auth, account, passwd and session, as needed, to ensure the password requirements are applied to it.
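One way to verify the layout described above, as an added example that is not part of the STIG or the audit plugin. The function name check_pam_layout is hypothetical, it uses PAM's 'password' keyword for the group the text calls passwd, and it only detects direct includes, so files it lists as REVIEW still need a manual check for indirect inclusion.

```sh
#!/bin/sh
# Added example: audit a pam.d directory for the system-auth-local layout.
# check_pam_layout is a hypothetical name; call it as: check_pam_layout /etc/pam.d

check_pam_layout() {
    dir=${1:-/etc/pam.d}
    rc=0
    inc='[[:space:]]+include[[:space:]]+(/etc/pam\.d/)?'   # "<type> include <file>"
    eow='([[:space:]]|$)'                                   # end of the file name

    # 1. system-auth must be a symlink that points at system-auth-local.
    target=$(readlink "$dir/system-auth" 2>/dev/null) || target=
    case "$target" in
        system-auth-local|"$dir/system-auth-local") ;;
        *) echo "FAIL: system-auth -> '${target:-<not a symlink>}'"; rc=1 ;;
    esac

    # 2. system-auth-local must pull in the autogenerated system-auth-ac for
    #    every PAM management group ("password" is PAM's keyword for passwd).
    for type in auth account password session; do
        if ! grep -Eq "^[[:space:]]*${type}${inc}system-auth-ac${eow}" \
                "$dir/system-auth-local" 2>/dev/null; then
            echo "FAIL: system-auth-local lacks '$type include system-auth-ac'"
            rc=1
        fi
    done

    # 3. List service files with no direct include of system-auth. These are
    #    informational: a file may still reach it indirectly via another include.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            system-auth|system-auth-ac|system-auth-local) continue ;;
        esac
        grep -Eq "^[[:space:]]*(auth|account|password|session)${inc}system-auth${eow}" "$f" ||
            echo "REVIEW: ${f##*/} has no direct 'include system-auth'"
    done
    return "$rc"
}
```

The function returns 0 only when checks 1 and 2 pass; REVIEW lines do not change the return code.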

See Also

http://iasecontent.disa.mil/stigs/zip/U_RedHat_5_V1R18_STIG.zip

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(a), CAT|II, CCI|CCI-000192, Group-ID|V-27285, Rule-ID|SV-34584r1_rule, STIG-ID|GEN000600-2, Vuln-ID|V-27285

Plugin: Unix

Control ID: 2fab24202031bee0e3d9fd3553d67bc510a276c3792002808ce2e2d2ef246a2b