5.3.2.1 Ensure pam_unix module is enabled
Audit
Run the following command to verify that pam_unix is enabled:
# grep -PH -- '\bpam_unix\.so\b' /etc/pam.d/common-{account,auth,password,session,session-noninteractive}
Output should be similar to:
/etc/pam.d/common-account:account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
/etc/pam.d/common-auth:auth [success=2 default=ignore] pam_unix.so try_first_pass
/etc/pam.d/common-password:password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
/etc/pam.d/common-session:session required pam_unix.so
/etc/pam.d/common-session-noninteractive:session required pam_unix.so
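The grep above also matches entries that are commented out, and a file with no entry simply produces no output line. The script below is an added example, not part of the benchmark: it checks each of the five files for an active line of the expected type that loads pam_unix.so. The directory argument, the write_sample_dir helper and its constructed sample files are assumptions for illustration, and the module is expected to be written by bare name as in the output above.

```shell
#!/bin/sh
# Added example, not from the benchmark. The optional directory argument
# is an assumption so the check can run against a copy of /etc/pam.d.

# audit_pam_unix [dir]: one PASS/FAIL line per file; returns 0 only when
# every file has an active line of the expected type loading pam_unix.so.
audit_pam_unix() {
    dir="${1:-/etc/pam.d}"
    rc=0
    for f in common-account common-auth common-password \
             common-session common-session-noninteractive; do
        # Expected PAM type is the file name after "common-", except for
        # common-session-noninteractive, which also holds session lines.
        case "$f" in
            common-session*) ptype=session ;;
            *)               ptype="${f#common-}" ;;
        esac
        # Anchor at line start so commented-out entries do not count.
        re="^[[:space:]]*-?${ptype}[[:space:]]+(\[[^]]*]|[[:alnum:]_]+)[[:space:]]+pam_unix\.so([[:space:]]|\$)"
        if [ ! -r "$dir/$f" ]; then
            echo "FAIL $f: file missing or unreadable"; rc=1
        elif grep -Eq "$re" "$dir/$f"; then
            echo "PASS $f"
        else
            echo "FAIL $f: no active $ptype line for pam_unix.so"; rc=1
        fi
    done
    return "$rc"
}

# write_sample_dir dir: constructed sample files modelled on the expected
# output above, with the common-auth entry commented out.
write_sample_dir() {
    mkdir -p "$1" || return 1
    printf '%s\n' 'account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so' > "$1/common-account"
    printf '%s\n' '#auth [success=2 default=ignore] pam_unix.so try_first_pass' > "$1/common-auth"
    printf '%s\n' 'password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt' > "$1/common-password"
    printf '%s\n' 'session required pam_unix.so' > "$1/common-session"
    printf '%s\n' 'session required pam_unix.so' > "$1/common-session-noninteractive"
}
```

Run audit_pam_unix with no argument to check /etc/pam.d, or point it at a directory produced by write_sample_dir to see the commented-out common-auth entry reported as a failure.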
Remediation
Run the following command to enable the pam_unix module:
Note: If a site-specific custom profile is being used in your environment to configure PAM that includes the configuration for the pam_faillock module, enable that module instead.