STIGQter: STIG Summary: VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018:

Global settings defined in common- {account,auth,password,session} must be applied in the pam.d definition files.

DISA Rule

SV-99105r1_rule

Vulnerability Number

V-88455

Group Title

SRG-OS-000069-GPOS-00037

Rule Version

VROM-SL-000345

Severity

CAT II

CCI(s)

• CCI-000192 - The information system enforces password complexity by the minimum number of upper case characters used.

Weight

10

Fix Recommendation

In the default distribution of SLES 11 "/etc/pam.d/common- {account,auth,password,session}" are symlinks to their respective "/etc/pam.d/common- {account,auth,password,session}-pc" files. These common- {account,auth,password,session}-pc files are autogenerated by the pam-config utility.

Edit /usr/sbin/pam-config permissions to prevent its use:

# chmod 000 /usr/sbin/pam-config

Check Contents

Verify that common-{account, auth, password, session} settings are being applied:

Verify that local customization has occurred in the common- {account,auth,password,session}-pc file(s) by some method other than the use of the pam-config utility.

The files "/etc/pam.d/common-{account,auth,password,session} -pc" are autogenerated by "pam-config". Any manual changes made to them will be lost if "pam-config" is allowed to run.

# ls -l /etc/pam.d/common-{account,auth,password,session}

If the symlinks point to "/etc/pam.d/common- {account,auth,password,session}-pc" and manual updates have been made in these files, the updates cannot be protected if pam-config is enabled.

# ls -l /usr/sbin/pam-config

If the setting for pam-config is not "000", this is a finding.

Vulnerability Number

V-88455

Documentable

False

Rule Version

VROM-SL-000345

Severity Override Guidance

Verify that common-{account, auth, password, session} settings are being applied:

Verify that local customization has occurred in the common- {account,auth,password,session}-pc file(s) by some method other than the use of the pam-config utility.

The files "/etc/pam.d/common-{account,auth,password,session} -pc" are autogenerated by "pam-config". Any manual changes made to them will be lost if "pam-config" is allowed to run.

# ls -l /etc/pam.d/common-{account,auth,password,session}

If the symlinks point to "/etc/pam.d/common- {account,auth,password,session}-pc" and manual updates have been made in these files, the updates cannot be protected if pam-config is enabled.

# ls -l /usr/sbin/pam-config

If the setting for pam-config is not "000", this is a finding.

Check Content Reference

M

Target Key

3461

Comments