{"description": "<tt>pam_unix</tt> is the standard Unix authentication module. It uses standard calls from the\nsystem's libraries to retrieve and set account information as well as authentication.\nUsually this is obtained from the <tt>/etc/passwd</tt> file and, if shadow is enabled, the\n<tt>/etc/shadow</tt> file as well.\n<br /><br />\nThe account component performs the task of establishing the status of the user's\naccount and password based on the following shadow elements: <tt>expire,\nlast_change, max_change, min_change, warn_change</tt>. In the case of the latter, it may\noffer advice to the user on changing their password or, through the\n<tt>PAM_AUTHTOKEN_REQD</tt> return, delay giving service to the user until they have\nestablished a new password. The entries listed above are documented in the shadow(5)\nmanual page. Should the user's record not contain one or more of these entries, the\ncorresponding shadow check is not performed.\n<br /><br />\nThe authentication component performs the task of checking the user's credentials\n(password). 
The default action of this module is to not permit the user access to a\nservice if their official password is blank.", "rationale": "The system should only provide access after performing authentication of a user.", "severity": "medium", "references": {"cis": ["5.3.2.1"]}, "control_references": {"cis": ["5.3.2.1"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": null, "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Verify pam_unix module is activated", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/accounts_password_pam_unix_enabled/rule.yml", "template": null}