
V-204405

CAT II (Medium)

The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.

Rule ID

SV-204405r982195_rule

STIG

Red Hat Enterprise Linux 7 Security Technical Implementation Guide

Version

V3R15

CCIs

CCI-000192

Discussion

Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model, so if stack entries are not centralized and the modules are not listed in the correct order, an important security function could be bypassed.

Check Content

Verify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth when changing passwords:

# cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth
password     substack     system-auth

If no results are returned or the line is commented out, this is a finding.
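
The grep pipeline above also prints a commented-out line, so its output still has to be read by eye. The shell function below is an added example, not part of the STIG text, that reports compliance only when an active line is present; the function name check_passwd_substack and its optional path argument are hypothetical.

```shell
#!/bin/sh
# Added example for V-204405 (not from the STIG itself).
# Usage: check_passwd_substack [pam_file]
# Returns 0 when pam_file (default /etc/pam.d/passwd) contains an active
# "password substack system-auth" rule, and 1 when the rule is missing,
# commented out, or the file cannot be read.
check_passwd_substack() {
    pam_file="${1:-/etc/pam.d/passwd}"
    [ -r "$pam_file" ] || return 1
    awk '
        # Comment lines never count, even if they contain the rule text.
        /^[[:space:]]*#/ { next }
        {
            # Type and control tokens are case-insensitive in PAM rules;
            # a leading "-" on the type only suppresses missing-module logging.
            type = tolower($1)
            sub(/^-/, "", type)
            control = tolower($2)
            # The third field names a file under /etc/pam.d, so match it exactly.
            if (type == "password" && control == "substack" && $3 == "system-auth")
                found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$pam_file"
}
```

A non-zero return corresponds to a finding under the check text above.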

Fix Text

Configure PAM to utilize /etc/pam.d/system-auth when changing passwords.

Add the following line to "/etc/pam.d/passwd" (or modify the line to have the required value):

password     substack    system-auth