documentation_complete: true


title: |-
    Ensure system-auth and password-auth files are symbolic links pointing
    to system-auth-local and password-auth-local

description: |-
    {{{ full_name }}} must be configured to prevent overwriting of custom authentication
    configuration settings by the authconfig utility.
    This can be avoided by creating new local configuration files and creating new or moving
    existing symbolic links to them. The authconfig utility will recognize the local configuration
    files and not overwrite them, while writing its own settings to the original configuration
    files.

rationale: |-
    When using the authconfig utility to modify authentication configuration settings,
    the "system-auth" and "password-auth" files and any custom settings that they may
    contain are overwritten.

severity: medium

references:
    srg: SRG-OS-000073-GPOS-00041
    stigid@ol7: OL07-00-010199

warnings:
    - general: |-
        This rule doesn't come with a remediation. PAM files are very sensible to ordering and
        custom PAM files make it nearly impossible to design an automated remediation that
        is safe to use for all cases.

ocil_clause: |-
    The system-auth and password-auth files are not symbolic links or they
    do not point to system-auth-local password-auth-local

ocil: |-
    Verify "system-auth" and "password-auth" files are symbolic
    links pointing to "system-auth-local" and "password-auth-local":
    <pre>$ sudo ls -l /etc/pam.d/{password,system}-auth</pre>

fixtext: |-
    Create custom configuration files and their corresponding symbolic links:

    Rename the existing configuration files
    (skip this step if symbolic links are already present):
    <pre>$ sudo mv /etc/pam.d/system-auth /etc/pam.d/system-auth-ac</pre>
    <pre>$ sudo mv /etc/pam.d/password-auth /etc/pam.d/password-auth-ac</pre>

    Create custom system- and password-auth configuration file:
    <pre>$ sudo touch /etc/pam.d/{system,password}-auth-local</pre>

    Make sure the custom config files include the -ac files:
    <pre>(type)     include       password-auth-ac</pre>

    Create new or move existing symbolic links to the new custom configuration files:
    <pre>$ sudo ln -sf /etc/pam.d/system-auth-local /etc/pam.d/system-auth</pre>
    <pre>$ sudo ln -sf /etc/pam.d/password-auth-local /etc/pam.d/password-auth</pre>

    Once finished, the file structure should be the following:
    <pre>$ sudo ls -1 /etc/pam.d/{password,system}-auth*

    /etc/pam.d/password-auth
    /etc/pam.d/password-auth-ac
    /etc/pam.d/password-auth-local
    /etc/pam.d/system-auth
    /etc/pam.d/system-auth-ac
    /etc/pam.d/system-auth-local</pre>