{"description": "SSSD should be configured to run SSSD <tt>pam</tt> services.\nTo configure SSSD to known SSH hosts, add <tt>pam</tt>\nto <tt>services</tt> under the <tt>[sssd]</tt> section in\n<tt>/etc/sssd/sssd.conf</tt>. For example:\n<pre>[sssd]\nservices = sudo, autofs, pam\n</pre>", "rationale": "Using an authentication device, such as a CAC or token that is separate from\nthe information system, ensures that even if the information system is\ncompromised, that compromise will not affect credentials stored on the\nauthentication device.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16", "5"], "cobit5": ["DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.10"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1"], "iso27001-2013": ["A.18.1.4", "A.7.1.1", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["IA-2(1)", "CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-6", "PR.AC-7"], "srg": ["SRG-OS-000375-GPOS-00160", "SRG-OS-000376-GPOS-00161", "SRG-OS-000377-GPOS-00162"], "anssi": ["R67"]}, "control_references": {"anssi": ["R67"]}, "components": [], "identifiers": {}, "ocil_clause": "it does not exist or 'pam' is not added to the 'services' option under the 'sssd' section", "ocil": "To verify that SSSD is configured for PAM services, run the following command:\n<pre>$ sudo grep services /etc/sssd/sssd.conf</pre>\nIf configured properly, output should be similar to\n<pre>services = pam</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[sssd]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_sssd"], "bash_conditional": null, "fixes": {}, "title": "Configure PAM in SSSD Services", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/sssd/sssd_enable_pam_services/rule.yml", "template": null}