The Oracle Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-221667 | SRG-OS-000069-GPOS-00037 | OL07-00-010118 | SV-221667r1015164_rule | 2025-02-20 | 3 |
| Description |
|---|
| Pluggable authentication modules (PAM) allow for a modular approach to integrating authentication methods. PAM operates in a top-down processing model and if the modules are not listed in the correct order, an important security function could be bypassed if stack entries are not centralized. |
| ℹ️ Check |
|---|
| Verify that /etc/pam.d/passwd is configured to use /etc/pam.d/system-auth when changing passwords: # cat /etc/pam.d/passwd | grep -i substack | grep -i system-auth password substack system-auth If no results are returned, the line is commented out, this is a finding. |
| ✔️ Fix |
|---|
| Configure PAM to utilize /etc/pam.d/system-auth when changing passwords. Add the following line to "/etc/pam.d/passwd" (or modify the line to have the required value): password substack system-auth |