Policy : Linux: Read password configuration files (KB)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.150130

Category: Policy

Title: Linux: Read password configuration files (KB)

Summary: When a PAM aware privilege granting application is started, it;activates its attachment to the PAM-API. This activation performs a number of tasks, the most;important being the reading of the configuration file(s): /etc/pam.conf. Alternatively, this may be;the contents of the /etc/pam.d/ directory. The presence of this directory will cause Linux-PAM to;ignore /etc/pam.conf.;;These files list the PAMs that will do the authentication tasks required by this service, and the;appropriate behavior of the PAM-API in the event that individual PAMs fail.;; - account: this module type performs non-authentication based account management. It is typically;used to restrict/permit access to a service based on the time of day, currently available system;resources (maximum number of users) or perhaps the location of the applicant user -- 'root' login;only on the console.;; - auth: this module type provides two aspects of authenticating the user. Firstly, it establishes;that the user is who they claim to be, by instructing the application to prompt the user for a;password or other means of identification. Secondly, the module can grant group membership or other;rivileges through its credential granting properties.;; - password: this module type is required for updating the authentication token associated with the;user. Typically, there is one module for each 'challenge/response' based authentication (auth) type.;; - pwhistory: this module saves the last passwords for each user in order to force password change;history and keep the user from alternating between the same password too frequently.;; - unix: this is the standard Unix authentication module. It uses standard calls from the system's;libraries to retrieve and set account information as well as authentication. Usually this is obtained;from the /etc/passwd and the /etc/shadow file as well if shadow is enabled.;;Note: This script read files /etc/pam.d/common-auth, /etc/pam.d/password-auth, /etc/pam.d/system-auth,;/etc/pam.d/common-password, /etc/pam.d/su and /etc/security/pwquality.conf and only stores information;for other Policy Controls.

Description: Summary:
When a PAM aware privilege granting application is started, it
activates its attachment to the PAM-API. This activation performs a number of tasks, the most
important being the reading of the configuration file(s): /etc/pam.conf. Alternatively, this may be
the contents of the /etc/pam.d/ directory. The presence of this directory will cause Linux-PAM to
ignore /etc/pam.conf.

These files list the PAMs that will do the authentication tasks required by this service, and the
appropriate behavior of the PAM-API in the event that individual PAMs fail.

- account: this module type performs non-authentication based account management. It is typically
used to restrict/permit access to a service based on the time of day, currently available system
resources (maximum number of users) or perhaps the location of the applicant user -- 'root' login
only on the console.

- auth: this module type provides two aspects of authenticating the user. Firstly, it establishes
that the user is who they claim to be, by instructing the application to prompt the user for a
password or other means of identification. Secondly, the module can grant group membership or other
rivileges through its credential granting properties.

- password: this module type is required for updating the authentication token associated with the
user. Typically, there is one module for each 'challenge/response' based authentication (auth) type.

- pwhistory: this module saves the last passwords for each user in order to force password change
history and keep the user from alternating between the same password too frequently.

- unix: this is the standard Unix authentication module. It uses standard calls from the system's
libraries to retrieve and set account information as well as authentication. Usually this is obtained
from the /etc/passwd and the /etc/shadow file as well if shadow is enabled.

Note: This script read files /etc/pam.d/common-auth, /etc/pam.d/password-auth, /etc/pam.d/system-auth,
/etc/pam.d/common-password, /etc/pam.d/su and /etc/security/pwquality.conf and only stores information
for other Policy Controls.

CVSS Score:
0.0

CVSS Vector:
AV:L/AC:H/Au:S/C:N/I:N/A:N

Copyright Copyright (C) 2020 Greenbone Networks GmbH

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.150130
Category:	Policy
Title:	Linux: Read password configuration files (KB)
Summary:	When a PAM aware privilege granting application is started, it;activates its attachment to the PAM-API. This activation performs a number of tasks, the most;important being the reading of the configuration file(s): /etc/pam.conf. Alternatively, this may be;the contents of the /etc/pam.d/ directory. The presence of this directory will cause Linux-PAM to;ignore /etc/pam.conf.;;These files list the PAMs that will do the authentication tasks required by this service, and the;appropriate behavior of the PAM-API in the event that individual PAMs fail.;; - account: this module type performs non-authentication based account management. It is typically;used to restrict/permit access to a service based on the time of day, currently available system;resources (maximum number of users) or perhaps the location of the applicant user -- 'root' login;only on the console.;; - auth: this module type provides two aspects of authenticating the user. Firstly, it establishes;that the user is who they claim to be, by instructing the application to prompt the user for a;password or other means of identification. Secondly, the module can grant group membership or other;rivileges through its credential granting properties.;; - password: this module type is required for updating the authentication token associated with the;user. Typically, there is one module for each 'challenge/response' based authentication (auth) type.;; - pwhistory: this module saves the last passwords for each user in order to force password change;history and keep the user from alternating between the same password too frequently.;; - unix: this is the standard Unix authentication module. It uses standard calls from the system's;libraries to retrieve and set account information as well as authentication. Usually this is obtained;from the /etc/passwd and the /etc/shadow file as well if shadow is enabled.;;Note: This script read files /etc/pam.d/common-auth, /etc/pam.d/password-auth, /etc/pam.d/system-auth,;/etc/pam.d/common-password, /etc/pam.d/su and /etc/security/pwquality.conf and only stores information;for other Policy Controls.
Description:	Summary: When a PAM aware privilege granting application is started, it activates its attachment to the PAM-API. This activation performs a number of tasks, the most important being the reading of the configuration file(s): /etc/pam.conf. Alternatively, this may be the contents of the /etc/pam.d/ directory. The presence of this directory will cause Linux-PAM to ignore /etc/pam.conf. These files list the PAMs that will do the authentication tasks required by this service, and the appropriate behavior of the PAM-API in the event that individual PAMs fail. - account: this module type performs non-authentication based account management. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user -- 'root' login only on the console. - auth: this module type provides two aspects of authenticating the user. Firstly, it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification. Secondly, the module can grant group membership or other rivileges through its credential granting properties. - password: this module type is required for updating the authentication token associated with the user. Typically, there is one module for each 'challenge/response' based authentication (auth) type. - pwhistory: this module saves the last passwords for each user in order to force password change history and keep the user from alternating between the same password too frequently. - unix: this is the standard Unix authentication module. It uses standard calls from the system's libraries to retrieve and set account information as well as authentication. Usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled. Note: This script read files /etc/pam.d/common-auth, /etc/pam.d/password-auth, /etc/pam.d/system-auth, /etc/pam.d/common-password, /etc/pam.d/su and /etc/security/pwquality.conf and only stores information for other Policy Controls. CVSS Score: 0.0 CVSS Vector: AV:L/AC:H/Au:S/C:N/I:N/A:N
Copyright	Copyright (C) 2020 Greenbone Networks GmbH