The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-235006 | SLES-15-040220 | SV-235006r991589_rule | CCI-000366 | medium |
| Description | ||||
| The "pam-config" command line utility automatically generates a system PAM configuration as packages are installed, updated, or removed from the system. "pam-config" removes configurations for PAM modules and parameters that it does not know about. It may render ineffective PAM configuration by the system administrator and thus impact system security. | ||||
| STIG | Date | |||
| SUSE Linux Enterprise Server 15 Security Technical Implementation Guide | 2025-05-14 | |||
Details
Check Text (C-235006r991589_chk)
Verify the SUSE operating system is configured to not overwrite PAM configuration on package changes.
Check that soft links between PAM configuration files are removed with the following command:
> find /etc/pam.d/ -type l -iname "common-*"
If any results are returned, this is a finding.
Fix Text (F-38157r619288_fix)
Copy the PAM configuration files to their static locations and remove the SUSE operating system soft links for the PAM configuration files with the following command:
> sudo sh -c 'for X in /etc/pam.d/common-*-pc; do cp -ivp --remove-destination $X ${X:0:-3}; done'
Additional information on the configuration of multifactor authentication on the SUSE operating system can be found at https://www.suse.com/communities/blog/configuring-smart-card-authentication-suse-linux-enterprise/.