Title

The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. (Cat II impact)

Discussion

"pam-config" is a command line utility that automatically generates a system PAM configuration as packages are installed, updated or removed from the system. "pam-config" removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security.

Check Content

Verify the SUSE operating system is configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. Check that soft links between PAM configuration files are removed with the following command: > find /etc/pam.d/ -type l -iname "common-*" If any results are returned, this is a finding.

Fix Text

Copy the PAM configuration files to their static locations and remove the SUSE operating system soft links for the PAM configuration files with the following command: > sudo sh -c 'for X in /etc/pam.d/common-*-pc; do cp -ivp --remove-destination $X ${X:0:-3}; done' Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.

Additional Identifiers

Rule ID: SV-217189r646737_rule

Vulnerability ID: V-217189

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.