Rule ID
SV-239492r661927_rule
Version
V2R2
CCIs
CCI-000192
Pam global requirements are generally defined in the common-account, common-auth, common- password and common-session files located in the /etc/pam.d directory. In order for the requirements to be applied the file(s) containing them must be included directly or indirectly in each program's definition file in /etc/pam.d.
Verify that common-{account, auth, password, session} settings are being applied:
Verify that local customization has occurred in the common- {account,auth,password,session}-pc file(s) by some method other than the use of the pam-config utility.
The files "/etc/pam.d/common-{account,auth,password,session} -pc" are autogenerated by "pam-config". Any manual changes made to them will be lost if "pam-config" is allowed to run.
# ls -l /etc/pam.d/common-{account,auth,password,session}
If the symlinks point to "/etc/pam.d/common- {account,auth,password,session}-pc" and manual updates have been made in these files, the updates cannot be protected if pam-config is enabled.
# ls -l /usr/sbin/pam-config
If the setting for pam-config is not "000", this is a finding.In the default distribution of SLES 11 "/etc/pam.d/common- {account,auth,password,session}" are symlinks to their respective "/etc/pam.d/common- {account,auth,password,session}-pc" files. These common- {account,auth,password,session}-pc files are autogenerated by the pam-config utility.
Edit /usr/sbin/pam-config permissions to prevent its use:
# chmod 000 /usr/sbin/pam-config