The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.

An XCCDF Rule

Description

"pam-config" is a command line utility that automatically generates a system PAM configuration as packages are installed, updated or removed from the system. "pam-config" removes configurations for PAM modules and parameters that it does not know about. This may render PAM configuration made by the system administrator ineffective and thus impact system security.

ID: SV-217189r991589_rule
Version: SLES-12-010910
Severity: Medium

Remediation Templates

A Manual Procedure

Copy the PAM configuration files to their static locations and remove the SUSE operating system soft links for the PAM configuration files with the following command:

> sudo sh -c 'for X in /etc/pam.d/common-*-pc; do cp -ivp --remove-destination $X ${X:0:-3}; done'

Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.
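
One way to confirm the manual procedure took effect is to check that no common-* entry in /etc/pam.d is still a soft link. The script below is an added example, not part of the XCCDF rule: its function names are hypothetical, the fixture files are constructed, and GNU cp is assumed.

```shell
#!/bin/bash
# Added example; function names are hypothetical, sample files are constructed.

# Print each common-* soft link in DIR; return 1 if any exist, 0 if all
# common-* entries are static files.
pam_symlink_findings() {
    dir=${1:-/etc/pam.d}
    found=0
    for f in "$dir"/common-*; do
        if [ -L "$f" ]; then
            printf 'FINDING: %s -> %s\n' "$f" "$(readlink "$f")"
            found=1
        fi
    done
    return "$found"
}

# Constructed fixture mimicking the layout the page describes:
# common-X is a soft link to the pam-config generated common-X-pc.
make_fixture() {
    d=$(mktemp -d) || return 1
    for s in account auth password session; do
        printf '# constructed sample: %s\n' "$s" > "$d/common-$s-pc"
        ln -s "common-$s-pc" "$d/common-$s"
    done
    printf '%s\n' "$d"
}

# The page's copy loop pointed at DIR, without -i so it runs unattended
# (GNU cp assumed). ${X%-pc} strips the same "-pc" suffix as ${X:0:-3}.
make_static() {
    for X in "$1"/common-*-pc; do
        cp -p --remove-destination "$X" "${X%-pc}" || return 1
    done
}

# Demo on the fixture: findings before the copy, none after.
demo_dir=$(make_fixture)
pam_symlink_findings "$demo_dir"; echo "before: exit $?"
make_static "$demo_dir"
pam_symlink_findings "$demo_dir"; echo "after: exit $?"
rm -rf "$demo_dir"
```

On a real system, call `pam_symlink_findings` with no argument to inspect /etc/pam.d; a non-zero exit status means a soft link remains.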