{"description": "Ubuntu 22.04 must be configured to prevent overwriting of custom authentication\nconfiguration settings by the authconfig utility.\nThis can be avoided by creating new local configuration files and creating new or moving\nexisting symbolic links to them. The authconfig utility will recognize the local configuration\nfiles and not overwrite them, while writing its own settings to the original configuration\nfiles.", "rationale": "When using the authconfig utility to modify authentication configuration settings,\nthe \"system-auth\" and \"password-auth\" files and any custom settings that they may\ncontain are overwritten.", "severity": "medium", "references": {"srg": ["SRG-OS-000073-GPOS-00041"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "The system-auth and password-auth files are not symbolic links or they\ndo not point to system-auth-local and password-auth-local", "ocil": "Verify \"system-auth\" and \"password-auth\" files are symbolic\nlinks pointing to \"system-auth-local\" and \"password-auth-local\":\n<pre>$ sudo ls -l /etc/pam.d/{password,system}-auth</pre>", "oval_external_content": null, "fixtext": "Create custom configuration files and their corresponding symbolic links:\n\nRename the existing configuration files\n(skip this step if symbolic links are already present):\n<pre>$ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac</pre>\n<pre>$ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac</pre>\n\nCreate custom system- and password-auth configuration files:\n<pre>$ sudo touch /etc/pam.d/{system,password}-auth-local</pre>\n\nMake sure the custom config files include the -ac files:\n<pre>(type)     include       password-auth-ac</pre>\n\nCreate new or move existing symbolic links to the new custom configuration files:\n<pre>$ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth</pre>\n<pre>$ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth</pre>\n\nOnce finished, the file structure should be the following:\n<pre>$ sudo ls -1 /etc/pam.d/{password,system}-auth*\n\n/etc/pam.d/password-auth\n/etc/pam.d/password-auth-ac\n/etc/pam.d/password-auth-local\n/etc/pam.d/system-auth\n/etc/pam.d/system-auth-ac\n/etc/pam.d/system-auth-local</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule doesn't come with a remediation. PAM files are very sensitive to ordering and\ncustom PAM files make it nearly impossible to design an automated remediation that\nis safe to use for all cases."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure system-auth and password-auth files are symbolic links pointing\nto system-auth-local and password-auth-local", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/authconfig_config_files_symlinks/rule.yml", "template": null}