← Back to SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide

V-261402

CAT II (Medium)

SLEM 5 must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.

Rule ID

SV-261402r996624_rule

STIG

SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide

Version

V1R4

CCIs

CCI-000366

Discussion

The "pam-config" command line utility automatically generates a system PAM configuration as packages are installed, updated, or removed from the system. "pam-config" removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security.

Check Content

Verify SLEM 5 is configured to not overwrite PAM configuration on package changes with the following command:

     > find /etc/pam.d/ -type l -iname "common-*"

If any results are returned, this is a finding.

Fix Text

Copy the PAM configuration files to their static locations and remove SLEM 5 soft links for the PAM configuration files with the following command:

     > sudo sh -c 'for X in /etc/pam.d/common-*-pc; do cp -ivp --remove-destination $X ${X:0:-3}; done'

Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.