{"description": "PAM, or Pluggable Authentication Modules, is a system\nwhich implements modular authentication for Linux programs. PAM provides\na flexible and configurable architecture for authentication, and it should be configured\nto minimize exposure to unnecessary risk. This section contains\nguidance on how to accomplish that.\n<br /><br />\nPAM is implemented as a set of shared objects which are\nloaded and invoked whenever an application wishes to authenticate a\nuser. Typically, the application must be running as root in order\nto take advantage of PAM, because PAM's modules often need to\nread sensitive stores of account information, such as <tt>/etc/shadow</tt>.\nTraditional privileged network listeners\n(e.g. sshd) or SUID root programs (e.g. sudo) already meet this\nrequirement. A SUID root helper, <tt>userhelper</tt>, is provided so\nthat programs which are not SUID or privileged themselves can still\ntake advantage of PAM.\n<br /><br />\nPAM looks in the directory <tt>/etc/pam.d</tt> for\nper-service configuration, one file per service name. For instance, if\nthe program login attempts to authenticate a user, then PAM's\nlibraries follow the instructions in the file <tt>/etc/pam.d/login</tt>\nto determine what actions should be taken; if no file matches the\nservice name, the catch-all <tt>/etc/pam.d/other</tt> is used instead.\nEach non-comment line names a management group (auth, account, password\nor session), a control flag, a module and optional module arguments.\n<br /><br />\nOne very important file in <tt>/etc/pam.d</tt> is\n<tt>/etc/pam.d/system-auth</tt>. This file, which is included by\nmany other PAM configuration files, defines 'default' system authentication\nmeasures. Modifying this file is a good way to make far-reaching\nauthentication changes, for instance when implementing a\ncentralized authentication service. On systems that use\n<tt>authselect</tt>, this file is generated from the selected profile and\nshould be changed through a custom profile rather than edited directly.", "warnings": [{"functionality": "Be careful when making changes to PAM's configuration files.\nThe syntax for these files is complex, and modifications can\nhave unexpected consequences: a misordered or missing line can lock\nevery user out, or allow authentication to succeed without a password.\nTest changes from a second, already-open root session before logging out.\nThe default configurations shipped\nwith applications should be sufficient for most users."}, {"functionality": "Running <tt>authconfig</tt> or <tt>system-config-authentication</tt>\nwill re-write the PAM configuration files, destroying any manually\nmade changes and replacing them with a series of system defaults.\nThe same applies to <tt>authselect select</tt> on systems that use authselect.\nOne reference to the configuration file syntax can be found at\n\n<a xmlns='http://www.w3.org/1999/xhtml' href='https://fossies.org/linux/Linux-PAM-docs/doc/sag/Linux-PAM_SAG.pdf'>https://fossies.org/linux/Linux-PAM-docs/doc/sag/Linux-PAM_SAG.pdf</a>."}], "requires": [], "conflicts": [], "values": ["var_password_hashing_algorithm", "var_password_hashing_algorithm_pam", "var_password_pam_unix_remember"], "groups": ["locking_out_password_attempts", "password_quality", "set_password_hashing_algorithm"], "rules": ["accounts_password_pam_unix_enabled", "disallow_bypass_password_sudo", "display_login_attempts", "enable_pam_namespace", "package_authselect_installed", "package_nss_sss_installed", "package_pam_installed", "package_pam_modules_installed", "package_pam_pwquality_installed", "package_pam_runtime_installed", "package_pam_sss_installed", "pam_disable_automatic_configuration"], "platform": "", "platforms": [], "inherited_platforms": [], "cpe_platform_names": [], "title": "Protect Accounts by Configuring PAM", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/group.yml"}
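An added example, not part of the SCAP Security Guide or of Linux-PAM: a small Python parser for the `type control module-path [arguments]` format used by files in /etc/pam.d (including bracketed `[value=action ...]` controls, backslash continuations and `#` comments), run over two constructed system-auth fragments, one weak and one hardened, and audited for a few of the conditions the rules in this group check (pam_unix present, no `nullok`, pam_faillock and pam_pwquality in place, sha512/yescrypt hashing, `remember=N`). The sample file contents, the function names and the `min_remember=5` threshold are illustrative assumptions, not values from the guide.

```python
"""Parse /etc/pam.d-style files and flag weak pam_unix settings.

Illustrative checker added to this page; it is not part of the SCAP Security
Guide and mirrors only a handful of the checks the rules in this group perform.
"""
import re
from dataclasses import dataclass

# Constructed samples modelled on a RHEL-style system-auth; not taken from any host.
WEAK_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass \\
                          local_users_only retry=3
password    sufficient    pam_unix.so md5 shadow try_first_pass use_authtok
password    required      pam_deny.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
"""

HARDENED_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=900
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password    required      pam_deny.so
session     required      pam_unix.so
"""

# type  control  module-path  [arguments]; the control is either a keyword or a
# bracketed [value=action ...] list, which may itself contain spaces.
_RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")
STRONG_HASHES = {"sha512", "yescrypt"}


@dataclass
class PamRule:
    type: str      # auth, account, password or session
    control: str   # required, sufficient, include, substack, [..] ...
    module: str    # pam_*.so, or the included file for include/substack
    args: list


def parse_pam(text):
    """Parse one /etc/pam.d/<service> file (no leading service field)."""
    rules = []
    # A trailing backslash continues the rule on the next line.
    for raw in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        type_, control, module, args = m.groups()
        # A leading '-' on the type only silences logging if the module is missing.
        rules.append(PamRule(type_.lstrip("-"), control, module, (args or "").split()))
    return rules


def _basename(rule):
    return rule.module.rsplit("/", 1)[-1]   # accept /lib64/security/pam_unix.so too


def audit(rules, min_remember=5):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    stack = {}
    for r in rules:
        stack.setdefault(r.type, []).append(r)
    auth_unix = [r for r in stack.get("auth", []) if _basename(r) == "pam_unix.so"]
    pw_unix = [r for r in stack.get("password", []) if _basename(r) == "pam_unix.so"]

    if not auth_unix or not pw_unix:
        findings.append("pam_unix.so is missing from the auth or password stack")
    for r in auth_unix:
        if "nullok" in r.args:
            findings.append("auth pam_unix.so accepts empty passwords (nullok)")
    if not any(_basename(r) == "pam_faillock.so" for r in stack.get("auth", [])):
        findings.append("no pam_faillock.so in the auth stack: failed logins never lock out")
    if not any(_basename(r) == "pam_pwquality.so" for r in stack.get("password", [])):
        findings.append("no pam_pwquality.so in the password stack")
    for r in pw_unix:
        if not STRONG_HASHES & set(r.args):
            findings.append("password pam_unix.so does not request sha512 or yescrypt "
                            f"(args: {' '.join(r.args)})")
        remember = [a for a in r.args if a.startswith("remember=")]
        if not remember or int(remember[0].split("=", 1)[1]) < min_remember:
            findings.append(f"password pam_unix.so lacks remember=N with N >= {min_remember}")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SYSTEM_AUTH), ("hardened", HARDENED_SYSTEM_AUTH)):
        print(f"{name}: {audit(parse_pam(text)) or ['OK']}")
```

To run it against a real host, replace the constructed strings with `open("/etc/pam.d/system-auth").read()`; note that an `include` or `substack` line is parsed with the included file name in the module field, so a full audit of a service such as login has to follow those references into system-auth as PAM itself does.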