SLEM 5 must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-261402	SLEM-05-631025	SV-261402r996624_rule	CCI-000366	medium
Description
The "pam-config" command line utility automatically generates a system PAM configuration as packages are installed, updated, or removed from the system. "pam-config" removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security.
STIG			Date
SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide			2025-05-08

Related Frameworks

4 paths across 3 frameworks

NIST 800-531 mapping

CM-6

1.00

DISA · 1 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1712 mappings

3.4.1

1.00

DISA · 1 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.4.2

1.00

DISA · 1 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-000366

1.00

DISA · 1 · disa_xccdf · related

Details

Check Text (C-261402r996624_chk)

Verify SLEM 5 is configured to not overwrite PAM configuration on package changes with the following command: > find /etc/pam.d/ -type l -iname "common-*" If any results are returned, this is a finding.

Fix Text (F-65039r996623_fix)

Copy the PAM configuration files to their static locations and remove SLEM 5 soft links for the PAM configuration files with the following command: > sudo sh -c 'for X in /etc/pam.d/common-*-pc; do cp -ivp --remove-destination $X ${X:0:-3}; done' Additional information on the configuration of multifactor authentication on SLEM 5 can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.