SLEM 5 must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-261402 | SLEM-05-631025 | SV-261402r996624_rule | CCI-000366 | medium |
| Description | ||||
| The "pam-config" command line utility automatically generates a system PAM configuration as packages are installed, updated, or removed from the system. "pam-config" removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security. | ||||
| STIG | Date | |||
| SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide | 2025-05-08 | |||
Details
Check Text (C-261402r996624_chk)
Verify SLEM 5 is configured to not overwrite PAM configuration on package changes with the following command:
> find /etc/pam.d/ -type l -iname "common-*"
If any results are returned, this is a finding.
Fix Text (F-65039r996623_fix)
Copy the PAM configuration files to their static locations and remove SLEM 5 soft links for the PAM configuration files with the following command:
> sudo sh -c 'for X in /etc/pam.d/common-*-pc; do cp -ivp --remove-destination $X ${X:0:-3}; done'
Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.