{"description": "Configure user authentication setup to use the <tt>authselect</tt> tool.\nIf an authselect profile is selected, the rule will enable the <sub idref=\"var_authselect_profile\" /> profile.", "rationale": "Authselect is a successor to authconfig.\nIt is a tool to select system authentication and identity sources from a list of supported\nprofiles instead of letting the administrator manually build the PAM stack.\n\nThat way, it avoids potential breakage of configuration, as it ships several profiles\nthat are well tested and supported for different use cases.", "severity": "medium", "references": {"hipaa": ["164.308(a)(1)(ii)(B)", "164.308(a)(7)(i)", "164.308(a)(7)(ii)(A)", "164.310(a)(1)", "164.310(a)(2)(i)", "164.310(a)(2)(ii)", "164.310(a)(2)(iii)", "164.310(b)", "164.310(c)", "164.310(d)(1)", "164.310(d)(2)(iii)"], "nist": ["AC-3"], "ospp": ["FIA_UAU.1", "FIA_AFL.1"], "srg": ["SRG-OS-000480-GPOS-00227"], "anssi": ["R31"], "ism": ["1409"], "pcidss4": ["8.3.4", "8.3"]}, "control_references": {"anssi": ["R31"], "ism": ["1409"], "pcidss4": ["8.3.4", "8.3"]}, "components": [], "identifiers": {}, "ocil_clause": "authselect is not used to manage user authentication setup on the system", "ocil": "Verify that <tt>authselect</tt> is enabled by running\n<pre>authselect current</pre>\nIf authselect is enabled on the system, the output should show the ID of the profile which is currently in use.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to select an authselect profile if one is not already selected.\nUse the following command to enable the <sub idref=\"var_authselect_profile\" /> profile:\n\nsudo authselect select <sub idref=\"var_authselect_profile\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must use authselect to manage PAM settings", "warnings": [{"general": "If the <tt>sudo authselect select</tt> command returns an error stating that the chosen\nprofile cannot be selected, it is probably because PAM files have already been modified by\nthe administrator. If this is the case, in order to not overwrite the desired changes made\nby the administrator, the current PAM settings should be investigated before forcing the\nselection of the chosen authselect profile."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Enable authselect", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/enable_authselect/rule.yml", "template": null}