The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.

An XCCDF Rule

Description

When using the authconfig utility to modify authentication configuration settings, the "system-auth" and "password-auth" files and any custom settings that they may contain are overwritten. This can be avoided by creating new local configuration files and creating new or moving existing symbolic links to them. The authconfig utility will recognize the local configuration files and not overwrite them, while writing its own settings to the original configuration files.

ID: SV-255928r917838_rule
Version: RHEL-07-010199
Severity: Medium
References: CCI-000196
Updated: 4 days ago

Remediation Templates

Create custom configuration files and their corresponding symbolic links:

Rename the existing configuration files (skip this step if symbolic links are already present):
     $ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac
     $ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac
	Create custom system-auth configuration file:
     $ sudo vi /etc/pam.d/system-auth-local
	
The new file, at minimum, must contain the following lines:
	
auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
auth        include       system-auth-ac
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900

account     required      pam_faillock.so
account     include       system-auth-ac

password    requisite     pam_pwhistory.so remember=5 retry=3
password    requisite     pam_pwquality.so retry=3
password    include       system-auth-ac
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok

session     include       system-auth-ac

Create custom password-auth configuration file:
     $ sudo vi /etc/pam.d/password-auth-local
	
The new file, at minimum, must contain the following lines:

auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
auth        include       password-auth-ac
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900

account     required      pam_faillock.so
account     include       password-auth-ac

password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
password    requisite     pam_pwquality.so retry=3
password    include       password-auth-ac
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok

session     include       password-auth-ac
	
Create new or move existing symbolic links to the new custom configuration files:
     $ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth
     $ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth

Once finished, the following file structure should be present:
    $ sudo ls -1 /etc/pam.d/{password,system}-auth*

    /etc/pam.d/password-auth
    /etc/pam.d/password-auth-ac
    /etc/pam.d/password-auth-local
    /etc/pam.d/system-auth
    /etc/pam.d/system-auth-ac
    /etc/pam.d/system-auth-local

Note: With this solution in place, any custom settings to "system-auth" and "password-auth" will be retained and not overwritten by the use of the authconfig utility. The authconfig utility will write its settings to "system-auth-ac" and "password-auth-ac" and continue to function as expected.

The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility.

Description

Remediation Templates

A Manual Procedure