The PAM configuration should not be changed automatically

An XCCDF Rule

Description

Verify the SUSE operating system is configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.

Rationale

pam-config is a command line utility that automatically generates a system PAM configuration as packages are installed, updated or removed from the system. pam-config removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security.

ID: xccdf_org.ssgproject.content_rule_pam_disable_automatic_configuration
Severity: Medium
References: CCI-000366

SRG-OS-000480-GPOS-00227

SLES-15-040220

SV-235006r622137_rule

CCE-85641-9
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-85641-9
  - DISA-STIG-SLES-15-040220  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - pam_disable_automatic_configuration
  - restrict_strategy

- name: Find soft links /etc/pam.d/
  find:
    paths: /etc/pam.d
    file_type: link
    patterns: common-.*
    use_regex: true
  register: find_pam_soft_links_result
  when: '"pam_apparmor" in ansible_facts.packages'
  tags:
  - CCE-85641-9
  - DISA-STIG-SLES-15-040220
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - pam_disable_automatic_configuration
  - restrict_strategy

- name: Remove soft links in /etc/pam.d/
  shell: |
    set -o pipefail
    target=$(readlink -f "{{ item.path }}")
    cp -p --remove-destination "$target" "{{ item.path }}"
  with_items: '{{ find_pam_soft_links_result.files }}'
  when: '"pam_apparmor" in ansible_facts.packages'
  tags:
  - CCE-85641-9
  - DISA-STIG-SLES-15-040220
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - pam_disable_automatic_configuration
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam_apparmor; then

while IFS= read -r -d '' link; do
    target=$(readlink -f "$link")
    cp -p --remove-destination "$target" "$link"done <   <(find /etc/pam.d/ -type l -iname "common-*" -print0)

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

The PAM configuration should not be changed automatically

Description

Rationale

Remediation - Ansible

Remediation - Shell Script