Title

Global settings defined in common-{account,auth,password,session} must be applied in the pam.d definition files. (Cat II impact)

Discussion

Pam global requirements are generally defined in the common-account, common-auth, common- password and common-session files located in the /etc/pam.d directory In order for the requirements to be applied the file(s) containing them must be included directly or indirectly in each program's definition file in /etc/pam.d

Check Content

Verify that common-{account,auth,password,session} settings are being applied. Procedure: Verify that local customization has occurred in the common-{account,auth,password,session}-pc file(s) by some method other than the use of the pam-config utility. The files "/etc/pam.d/common-{account,auth,password,session} -pc " are autogenerated by "pam-config". Any manual changes made to them will be lost the next time "pam-config" is run. Check to see if the system default for any of the symlinks pointing to the "/etc/pam.d/common-{account,auth,password,session} -pc" files have been changed. # ls -l /etc/pam.d/common-{account,auth,password,session} If the symlinks point to "/etc/pam.d/common-{account,auth,password,session}-pc" and manual updates have been made in these files, the updates can not be protected. This is a finding.

Fix Text

In the default distribution of SLES 11 "/etc/pam.d/common-{account,auth,password,session}" are symlinks to their respective "/etc/pam.d/common-{account,auth,password,session}-pc" files. These common-{account,auth,password,session}-pc files are autogenerated by the pam-config utility. When a site adds password requirements(for example), a new /etc/pam.d/common-password-local file must be created with only the additional requirements and an include for "common-password-pc". Then the symlink "/etc/pam.d/common-password" is modified to point to "/etc/pam.d/common-password-local". This way any changes made do not get lost when "/etc/pam.d/common-password-pc" is regenerated and each program's pam.d definition file need only have "include common-password" to assure the password requirements will be applied to it. Use the same technique for any of the common-{account,auth,password,session}-pc files that require local customization.

Additional Identifiers

Rule ID: SV-46164r1_rule

Vulnerability ID: V-34936

Group Title: GEN000000-ZSLE0002

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.