1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
documentation_complete: true
title: 'Configure PAM in SSSD Services'
description: |-
SSSD should be configured to run SSSD <tt>pam</tt> services.
To configure SSSD to known SSH hosts, add <tt>pam</tt>
to <tt>services</tt> under the <tt>[sssd]</tt> section in
<tt>/etc/sssd/sssd.conf</tt>. For example:
<pre>[sssd]
services = sudo, autofs, pam
</pre>
rationale: |-
Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
severity: medium
identifiers:
cce@rhel8: CCE-82446-6
cce@rhel9: CCE-86087-4
cce@rhel10: CCE-90093-6
references:
cis-csc: 1,12,15,16,5
cobit5: DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.03,DSS06.10
isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.2,4.3.3.7.4
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.7,SR 1.8,SR 1.9,SR 2.1'
iso27001-2013: A.18.1.4,A.7.1.1,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.2,A.9.4.3
nist: IA-2(1),CM-6(a)
nist-csf: PR.AC-1,PR.AC-6,PR.AC-7
srg: SRG-OS-000375-GPOS-00160,SRG-OS-000376-GPOS-00161,SRG-OS-000377-GPOS-00162
stigid@ol7: OL07-00-041002
ocil_clause: 'it does not exist or ''pam'' is not added to the ''services'' option under the ''sssd'' section'
ocil: |-
To verify that SSSD is configured for PAM services, run the following command:
<pre>$ sudo grep services /etc/sssd/sssd.conf</pre>
If configured properly, output should be similar to
<pre>services = pam</pre>
|
