Having both system-auth-ac and password-auth-ac is specific to RHEL6. I've also learned a bit more since my original email... the "-ac" stands for "authconfig", meaning anything ending with "-ac" carries the risk of being overwritten in the event that authconfig is run. Also, whenever authconfig is run it ensures that /etc/pam.d/system-auth, /etc/pam.d/password-auth, and a couple others are symlinks. If they are not symlinks then authconfig turns them back into symlinks pointing to the "-ac" files. The solution to the whole thing is to create distinct files, like "/etc/pam.d/system-auth-stig" and "password-auth-stig" and repoint the symlinks to those files. At that point, an accidental authconfig run ceases to be a risk.
Brian Roach
System Administrator
858.762.6893 (office)
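The fix Brian describes, as an added example that is not part of the original thread: copy the current contents of the authconfig-managed symlink into a distinct file (system-auth-stig / password-auth-stig), repoint the symlink at that file, and verify the result with readlink. The script only touches system-auth and password-auth (the "couple others" mentioned above are not named here), uses a relative symlink target as authconfig does, and reads its directory from PAMDIR so it can be exercised against a scratch copy of /etc/pam.d before being run as root against the real one; PAMDIR, SUFFIX and the apply/check subcommands are this example's own conventions, not authconfig's.

```shell
#!/bin/sh
# Repoint the authconfig-managed PAM symlinks at local "-stig" copies so that a
# later authconfig run, which rewrites the *-ac files and turns system-auth and
# password-auth back into symlinks to them, cannot clobber local hardening.
# Assumptions (this example's, not authconfig's): PAMDIR defaults to /etc/pam.d,
# the hardened copies are named NAME-$SUFFIX, and SUFFIX defaults to "stig".
PAMDIR="${PAMDIR:-/etc/pam.d}"
SUFFIX="${SUFFIX:-stig}"

# repoint NAME: seed NAME-$SUFFIX from the current NAME (or NAME-ac) if it does
# not exist yet, then make NAME a symlink to NAME-$SUFFIX.  Idempotent.
repoint() {
    name="$1"
    link="$PAMDIR/$name"
    target="$PAMDIR/$name-$SUFFIX"
    if [ ! -e "$target" ]; then
        # [ -e ] and cp both follow the symlink, so this copies the -ac content
        # that the link currently resolves to.
        if [ -e "$link" ]; then
            cp -p "$link" "$target"
        elif [ -e "$PAMDIR/$name-ac" ]; then
            cp -p "$PAMDIR/$name-ac" "$target"
        else
            echo "repoint: neither $name nor $name-ac found in $PAMDIR" >&2
            return 1
        fi
    fi
    # Relative target, like authconfig's own links; swap it in with mv so the
    # link is never missing, even briefly, while PAM may be consulting it.
    ln -sf "$name-$SUFFIX" "$link.tmp.$$" && mv -f "$link.tmp.$$" "$link"
}

# check NAME: succeed only if NAME is a symlink pointing at NAME-$SUFFIX.
# This is the state a stray authconfig run would undo, so it is what to audit.
check() {
    name="$1"
    link="$PAMDIR/$name"
    [ -L "$link" ] && [ "$(readlink "$link")" = "$name-$SUFFIX" ]
}

# main: repoint both links and confirm each one; non-zero if anything is off.
main() {
    rc=0
    for f in system-auth password-auth; do
        repoint "$f" || rc=1
        if check "$f"; then
            echo "$f -> $f-$SUFFIX"
        else
            echo "$f is not a symlink to $f-$SUFFIX" >&2
            rc=1
        fi
    done
    return $rc
}

# verify_all: audit-only mode, e.g. from a cron job or a compliance scan.
verify_all() {
    rc=0
    for f in system-auth password-auth; do
        check "$f" || { echo "$f drifted from $f-$SUFFIX" >&2; rc=1; }
    done
    return $rc
}

# Subcommand dispatch; with no argument only the functions are defined, so the
# file can be sourced or dry-run without touching anything.
case "${1:-}" in
    apply) main ;;
    check) verify_all ;;
    *) ;;
esac
```

Usage: `sudo sh repoint-pam.sh apply` once, then `sh repoint-pam.sh check` (exit status 1 on drift) as a periodic audit. Test it first with `PAMDIR=/tmp/pamcopy sh repoint-pam.sh apply` against a copy of /etc/pam.d; edits to the -stig files afterwards survive a rewrite of the -ac files because nothing resolves through them any more.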
-----Original Message-----
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Steinke, Leland J CTR DISA FSO (US)
Sent: Tuesday, March 05, 2013 1:13 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: RE: Configuration of password-auth-ac should mirror that of system-auth-ac
Crap. You're right. It's funny how this wasn't picked up in the past (e.g. RHEL5 content). To ensure this gets addressed as part of the RHEL6 STIG feedback, can you forward your note to DISA FSO ( disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil)? This will create a formal tracking ticket to make sure we sort this out.
Shawn,
There is no /etc/pam.d/password-auth{,-ac} in RHEL5, not even in the man pages, unless my test system is severely broken.
Thanks,
Leland
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, Inc
717-267-5797 (DSN 570)
leland.j.steinke.ctr@mail.mil (gov't)
lsteinke@tapestrytech.com (com'l)