Hello all. I'm new to this list/project, and to development teams in general (usually fly solo) so please forgive and explain any faux pas. Now, on to the point...
Depending on where a user is being authenticated, the configuration for that authentication is set in either /etc/pam.d/system-auth-ac or /etc/pam.d/password-auth-ac. For example, when logging into Gnome, the initial login authentication is configured in password-auth-ac. However, the screensaver password for that session is configured in system-auth-ac. After reading and searching through specs, STIGs, forums, mailing lists, etc... I have yet to find any awareness of this configuration distinction. In my experience thus far, the content of the two files should be the same, though I'm sure there is some rationale in having them separate. In any event, the STIG (and derived works) should carry instructions for password-auth-ac in addition to system-auth-ac.
The PAM configuration is actually more complicated than just those two files, but most of the other files in the /etc/pam.d directory point to either password-auth-ac or system-auth-ac for the majority of their instructions. It would be prudent to specify and programmatically verify the configuration of these ancillary files as well.
Comments and questions are always welcome.
Brian Roach
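The check the message asks for, as an added example that is not part of the thread or of the scap-security-guide project: a small POSIX shell script that lists which PAM service files hand off to system-auth versus password-auth, then checks whether the two authconfig-managed stacks agree and prints what one has that the other lacks. The /etc/pam.d look-alike it builds is constructed for the demo (the service files gdm-password, sshd, gnome-screensaver and login and their include lines are sample content following the message's description, not copied from a system, and the missing pam_faillock line is the constructed defect). It assumes mktemp, grep -E and paste are available.

```shell
#!/bin/sh
# Added example (not from the thread): map which PAM service files defer to
# system-auth versus password-auth, then check that the two authconfig-managed
# stacks actually agree. It runs against a constructed stand-in for /etc/pam.d
# so it can be tried offline; pass a real /etc/pam.d path to audit a host.

# Build a constructed, minimal /etc/pam.d look-alike in a temp directory.
# File contents are samples in authconfig's layout, not copied from a system.
make_sample_pamd() {
  d=$(mktemp -d)
  cat > "$d/system-auth-ac" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=604800
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
EOF
  # Deliberately missing the pam_faillock line: the situation the thread
  # describes, where only system-auth-ac received the hardening.
  cat > "$d/password-auth-ac" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
EOF
  ln -s system-auth-ac "$d/system-auth"
  ln -s password-auth-ac "$d/password-auth"
  # Constructed service files: which stack each one hands off to.
  printf 'auth     substack   password-auth\n' > "$d/gdm-password"
  printf 'auth     include    password-auth\n' > "$d/sshd"
  printf 'auth     include    system-auth\n'   > "$d/gnome-screensaver"
  printf 'auth     include    system-auth\n'   > "$d/login"
  printf '%s\n' "$d"
}

# Print, space-separated and sorted, the service files under $1 whose lines
# include or substack the stack named in $2 (system-auth or password-auth).
pam_referrers() {
  dir=$1; stack=$2
  grep -lE "^[[:space:]]*[a-z]+[[:space:]]+(include|substack)[[:space:]]+$stack([[:space:]]|\$)" \
    "$dir"/* 2>/dev/null | sed 's|.*/||' | sort | paste -s -d ' ' -
}

# Exit 0 when system-auth-ac and password-auth-ac are byte-identical, 1 otherwise.
pam_stacks_match() {
  cmp -s "$1/system-auth-ac" "$1/password-auth-ac"
}

# Print the lines of $1/$2 that have no exact counterpart in $1/$3, i.e. the
# hardening that one stack received and the other did not.
pam_lines_missing_from() {
  grep -vxFf "$1/$3" "$1/$2"
}

# Human-readable report for one pam.d directory.
report_stacks() {
  dir=$1
  echo "services via system-auth:   $(pam_referrers "$dir" system-auth)"
  echo "services via password-auth: $(pam_referrers "$dir" password-auth)"
  if pam_stacks_match "$dir"; then
    echo "system-auth-ac and password-auth-ac are identical"
  else
    echo "only in system-auth-ac:";   pam_lines_missing_from "$dir" system-auth-ac password-auth-ac
    echo "only in password-auth-ac:"; pam_lines_missing_from "$dir" password-auth-ac system-auth-ac
  fi
}

# Usage: sh pam-stack-check.sh [/etc/pam.d]
# With no argument the constructed sample is audited so the script runs offline.
if [ "$#" -gt 0 ]; then
  report_stacks "$1"
else
  sample=$(make_sample_pamd)
  report_stacks "$sample"
  rm -rf "$sample"
fi
```

The referrer listing is what turns the message's observation into something auditable: once you know gnome-screensaver goes through system-auth and gdm-password through password-auth, a lockout or complexity rule present in only one of the -ac files is visibly a gap for a concrete login path rather than an abstract inconsistency.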
On 3/1/13 12:18 AM, Roach, Brian wrote:
[...]
Crap. You're right. It's funny how this wasn't picked up in the past (e.g. RHEL5 content). To ensure this gets addressed as part of the RHEL6 STIG feedback, can you forward your note to DISA FSO (disa.letterkenny.FSO.mbx.stig-customer-support-mailbox@mail.mil)? This will create a formal tracking ticket to make sure we sort this out.
Shawn,
There is no /etc/pam.d/password-auth{,-ac} in RHEL5, not even in the man pages, unless my test system is severely broken.
Thanks,
Leland
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, Inc
717-267-5797 (DSN 570)
leland.j.steinke.ctr@mail.mil (gov't)
lsteinke@tapestrytech.com (com'l)
Having both system-auth-ac and password-auth-ac is specific to RHEL6. I've also learned a bit more since my original email... the "-ac" stands for "authconfig", meaning anything ending with "-ac" carries the risk of being overwritten in the event that authconfig is run. Also, whenever authconfig is run it ensures that /etc/pam.d/system-auth, /etc/pam.d/password-auth, and a couple others are symlinks. If they are not symlinks then authconfig turns them back into symlinks pointing to the "-ac" files. The solution to the whole thing is to create distinct files, like "/etc/pam.d/system-auth-stig" and "password-auth-stig" and repoint the symlinks to those files. At that point, an accidental authconfig run ceases to be a risk.
Brian Roach
System Administrator
858.762.6893 (office)
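The remedy the message proposes, as an added example that is not part of the thread or of the scap-security-guide project: a POSIX shell script that classifies the live system-auth and password-auth entries as at risk from an authconfig run (a symlink to a "-ac" file, or a regular file that authconfig would re-link to one) and pins a stack to an administrator-owned "-stig" copy by seeding it from the current content and swapping the symlink with a rename. The temp directory it builds is a constructed stand-in for /etc/pam.d with stock-style symlinks to the -ac files; the "-stig" naming follows the message, and readlink and mktemp are assumed to be available.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether the live system-auth and
# password-auth entries would be clobbered by an authconfig run, and pin a
# stack to an administrator-owned "-stig" copy as the message proposes.
# Tried here against a constructed temp directory; pass /etc/pam.d to audit a host.

# Constructed stand-in for /etc/pam.d: both stacks still point at the
# authconfig-owned "-ac" files, the layout authconfig itself produces.
make_sample_links() {
  d=$(mktemp -d)
  printf 'auth        required      pam_unix.so\n' > "$d/system-auth-ac"
  printf 'auth        required      pam_unix.so\n' > "$d/password-auth-ac"
  ln -s system-auth-ac "$d/system-auth"
  ln -s password-auth-ac "$d/password-auth"
  printf '%s\n' "$d"
}

# Classify $1/$2: "at-risk" when authconfig would overwrite it (a symlink to a
# *-ac file, or a regular file it would re-link to *-ac), "pinned" when the
# symlink points anywhere else, "missing" when there is no such entry.
pam_link_status() {
  entry="$1/$2"
  if [ -L "$entry" ]; then
    case $(readlink "$entry") in
      *-ac) echo at-risk ;;
      *)    echo pinned ;;
    esac
  elif [ -e "$entry" ]; then
    echo at-risk
  else
    echo missing
  fi
}

# Pin $1/$2 to $1/$2-stig: seed the -stig file from whatever the service
# currently resolves to (unless an admin-maintained copy already exists), then
# swap the symlink with a rename so no login ever sees a missing stack file.
pam_pin_stack() {
  dir=$1; name=$2
  live="$dir/$name"; pinned="$dir/$name-stig"
  if [ ! -e "$pinned" ]; then
    cat "$live" > "$pinned" && chmod 0644 "$pinned"
  fi
  ln -s "$name-stig" "$live.tmp.$$" && mv -f "$live.tmp.$$" "$live"
}

# Usage: sh pam-pin-stack.sh [/etc/pam.d]
# With a directory argument the script only reports; pinning a real host is a
# deliberate separate call, e.g. pam_pin_stack /etc/pam.d system-auth.
if [ "$#" -gt 0 ]; then
  for s in system-auth password-auth; do
    echo "$s: $(pam_link_status "$1" "$s")"
  done
else
  sample=$(make_sample_links)
  echo "before: system-auth is $(pam_link_status "$sample" system-auth)"
  pam_pin_stack "$sample" system-auth
  echo "after:  system-auth is $(pam_link_status "$sample" system-auth) -> $(readlink "$sample/system-auth")"
  rm -rf "$sample"
fi
```

The status function is the part worth running periodically: it catches both failure modes the message describes, an entry that is still a symlink to the -ac file and an entry someone turned into a plain file, either of which a later authconfig run would silently reset to the unhardened stack.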
-----Original Message-----
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Steinke, Leland J CTR DISA FSO (US)
Sent: Tuesday, March 05, 2013 1:13 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: RE: Configuration of password-auth-ac should mirror that of system-auth-ac
[...]
As I recall the RHEL5 STIG did something similar (GEN000600-2 IIRC)...
-Rob
________________________________________
From: scap-security-guide-bounces@lists.fedorahosted.org [scap-security-guide-bounces@lists.fedorahosted.org] on behalf of Roach, Brian [Brian.Roach@ga.com]
Sent: Tuesday, March 05, 2013 4:47 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: RE: Configuration of password-auth-ac should mirror that of system-auth-ac
[...]
_______________________________________________
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide