{"description": "The active authselect profile must include the required PAM modules:\n<tt>pam_pwquality.so</tt>, <tt>pam_pwhistory.so</tt>, <tt>pam_faillock.so</tt>, and <tt>pam_unix.so</tt>\nin both <tt>system-auth</tt> and <tt>password-auth</tt> files.\n\nA custom authselect profile can be created by copying and customizing one of the default profiles.\nThe default profiles include: <tt>local</tt>, <tt>sssd</tt>, and <tt>winbind</tt>. These profiles can be customized\nto follow site specific requirements.", "rationale": "A custom profile is required to customize many of the PAM options.\nModifications made to a default profile may be overwritten during an update.\nWhen you deploy a profile, the profile is applied to every user logging into the given host.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the active authselect profile does not include all required PAM modules", "ocil": "Run the following command to verify the active authselect profile includes lines for the\npwquality, pwhistory, faillock, and unix modules:\n\n<pre># grep -P '\\b(pam_pwquality\\.so|pam_pwhistory\\.so|pam_faillock\\.so|pam_unix\\.so)\\b' /etc/authselect/\"$(head -1 /etc/authselect/authselect.conf)\"/{system,password}-auth</pre>\n\nThe output should show entries for all four modules in both system-auth and password-auth files.", "oval_external_content": null, "fixtext": "Ensure that the active authselect profile includes all required PAM modules.\nIf using a default profile, create a custom profile and ensure it includes:\n<tt>pam_pwquality.so</tt>, <tt>pam_pwhistory.so</tt>, <tt>pam_faillock.so</tt>, and <tt>pam_unix.so</tt>\nin both system-auth and password-auth files.", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "If local site customizations have been made to the authselect template or files in\n/etc/pam.d, these custom entries should be added to the newly created custom profile\nbefore it's applied to the system. The order within the PAM stacks is important when\nadding these entries."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure Active Authselect Profile Includes PAM Modules", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_modules_in_authselect_profile/rule.yml", "template": null}