
V-34936

CAT II (Medium)

Global settings defined in common-{account,auth,password,session} must be applied in the pam.d definition files.

Rule ID

SV-46164r1_rule

STIG

SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

Version

V1R12

CCIs

CCI-000192

Discussion

PAM global requirements are generally defined in the common-account, common-auth, common-password and common-session files located in the /etc/pam.d directory. In order for the requirements to be applied, the file(s) containing them must be included directly or indirectly in each program's definition file in /etc/pam.d.

Check Content

Verify that common-{account,auth,password,session} settings are being applied.

Procedure:
Verify that local customization has occurred in the common-{account,auth,password,session}-pc file(s) by some method other than the use of the pam-config utility.

The files "/etc/pam.d/common-{account,auth,password,session}-pc" are autogenerated by "pam-config". Any manual changes made to them will be lost the next time "pam-config" is run. Check to see if the system default for any of the symlinks pointing to the "/etc/pam.d/common-{account,auth,password,session}-pc" files has been changed.

# ls -l /etc/pam.d/common-{account,auth,password,session}

If the symlinks point to "/etc/pam.d/common-{account,auth,password,session}-pc" and manual updates have been made in these files, the updates cannot be protected. This is a finding.

Fix Text

In the default distribution of SLES 11, "/etc/pam.d/common-{account,auth,password,session}" are symlinks to their respective "/etc/pam.d/common-{account,auth,password,session}-pc" files. These common-{account,auth,password,session}-pc files are autogenerated by the pam-config utility. When a site adds password requirements (for example), a new /etc/pam.d/common-password-local file must be created with only the additional requirements and an include for "common-password-pc". Then the symlink "/etc/pam.d/common-password" is modified to point to "/etc/pam.d/common-password-local". This way any changes made do not get lost when "/etc/pam.d/common-password-pc" is regenerated, and each program's pam.d definition file need only have "include common-password" to ensure the password requirements will be applied to it. Use the same technique for any of the common-{account,auth,password,session}-pc files that require local customization.
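
The check and fix above can be audited together with a short shell function. This is an added example, not part of the STIG text: the function name and the status labels are assumptions, and the include match assumes the `<type> include common-<type>-pc` line form that the fix text describes.

```shell
#!/bin/sh
# Added example: report where each common-* symlink points and whether a
# local replacement file still includes the pam-config generated file.
# Usage (after sourcing this file): audit_pam_common [DIR]
# DIR defaults to /etc/pam.d; pass a copy of the directory to test safely.
audit_pam_common() {
    dir=${1:-/etc/pam.d}
    rc=0
    for kind in account auth password session; do
        link="$dir/common-$kind"
        if [ ! -L "$link" ]; then
            # Not a symlink at all: neither the default nor the fix layout.
            echo "common-$kind NOT_A_SYMLINK"
            rc=1
            continue
        fi
        target=$(readlink "$link")
        # Resolve a relative link target against the pam.d directory.
        case "$target" in
            /*) file=$target ;;
            *)  file="$dir/$target" ;;
        esac
        if [ "${target##*/}" = "common-$kind-pc" ]; then
            # System default: manual edits to the -pc file are lost when
            # pam-config runs, so the -pc file needs manual review.
            echo "common-$kind DEFAULT_PC"
        elif grep -Eq "^[[:space:]]*$kind[[:space:]]+include[[:space:]]+common-$kind-pc([[:space:]]|\$)" "$file" 2>/dev/null; then
            # Local file in use and it pulls in the generated settings.
            echo "common-$kind LOCAL_OK ${target##*/}"
        else
            # Local file in use but the generated settings are not included.
            echo "common-$kind LOCAL_MISSING_INCLUDE ${target##*/}"
            rc=1
        fi
    done
    return $rc
}
```

A `DEFAULT_PC` result is not a finding by itself; it marks the files where the check's question (were manual updates made to the -pc file?) still has to be answered by inspection.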