
Configure PAM's passwd Module To Implement system-auth Substack When Changing Passwords

An XCCDF Rule

Description

Verify that PAM is configured to use /etc/pam.d/system-auth when changing passwords. Look for the following line in /etc/pam.d/passwd:

password substack system-auth

Rationale

Including system-auth from the passwd module ensures that the user must pass through the PAM configuration for system authentication as found in /etc/pam.d/system-auth when changing passwords.

ID
xccdf_org.ssgproject.content_rule_passwd_system-auth_substack
Severity
Medium



Remediation - Shell Script


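# [[:space:]] is used because \s inside a bracket expression ([\s]) matches a literal backslash or "s", not whitespace.
if ! grep -Eq '^[[:space:]]*password[[:space:]]+substack[[:space:]]+system-auth[[:space:]]*$' /etc/pam.d/passwd; then
    echo 'password    substack    system-auth' >> /etc/pam.d/passwd
fi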

Remediation - Ansible

- name: Ensure PAM's passwd implements the system-auth substack
  lineinfile:
    path: /etc/pam.d/passwd
    create: false
    regexp: ^\s*password\s+substack\s+system-auth\s*$
    line: password    substack     system-auth
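
The check from the Description and the append-if-missing remediation, written as reusable functions that can be exercised on a copy of the file before touching /etc/pam.d/passwd. This is an added example, not part of the rule's own content; the function names, return codes and the constructed sample file in demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names and return codes are illustrative assumptions.

# ERE for an active (uncommented) "password substack system-auth" line.
# POSIX classes are used because \s is not a whitespace class inside [...].
SUBSTACK_RE='^[[:space:]]*password[[:space:]]+substack[[:space:]]+system-auth[[:space:]]*$'

# check_substack FILE -> 0 line present, 1 line absent, 2 FILE unreadable
check_substack() {
    [ -r "$1" ] || return 2
    grep -Eq "$SUBSTACK_RE" "$1"
}

# count_substack FILE -> prints the number of active matching lines
count_substack() {
    grep -Ec "$SUBSTACK_RE" "$1" || true
}

# remediate_substack FILE -> appends the line only when it is missing.
# Like the Ansible task's "create: false", it never creates FILE.
remediate_substack() {
    rc=0
    check_substack "$1" || rc=$?
    case $rc in
        0) return 0 ;;                              # compliant: leave file untouched
        2) echo "cannot read $1" >&2; return 2 ;;
    esac
    # If the file does not end in a newline, add one so the new
    # entry is not glued onto the previous line.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
        printf '\n' >> "$1"
    fi
    printf 'password    substack    system-auth\n' >> "$1"
}

# demo: constructed sample (not a real /etc/pam.d/passwd). The only
# system-auth line is commented out and the file lacks a final newline.
demo() {
    tmp=$(mktemp) || return 1
    printf '#%%PAM-1.0\n# password substack system-auth\npassword\tsubstack\tpostlogin' > "$tmp"
    remediate_substack "$tmp" && remediate_substack "$tmp"   # second run is a no-op
    count_substack "$tmp"                                    # prints 1
    rm -f "$tmp"
}
```

A commented-out entry does not satisfy the check, and running the remediation repeatedly leaves exactly one active line.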