
5.3.3.4.2 Ensure pam_unix does not include remember

Audit

Run the following command to verify that the remember argument is not set on the pam_unix.so module:

# grep -PHs -- '^\h*[^#\n\r]+\h+pam_unix\.so\h+([^#\n\r]+\h+)?remember=\d+\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive}
Nothing should be returned

Remediation

Run the following command:

# grep -PH -- '^\h*([^#\n\r]+\h+)?pam_unix\.so\h+([^#\n\r]+\h+)?remember\b' /usr/share/pam-configs/*

Edit any files returned and remove the remember= argument from the pam_unix.so lines. Example file:

[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt remember=5 # <- remove remember=<N>
[success=end default=ignore] pam_unix.so obscure yescrypt remember=5 # <- remove remember=<N>

Run the following command to update the files in the /etc/pam.d/ directory:

# pam-auth-update --enable <MODIFIED_PROFILE_NAME>

Example:

# pam-auth-update --enable unix

Note: If custom files are being used, the corresponding files in /etc/pam.d/ need to be edited directly, and the pam-auth-update --enable command skipped.
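The following script is an added example, not part of the benchmark text, that carries the audit and remediation steps above through on a constructed pam-configs profile (the profile content, the file paths and the function names are all assumptions). It counts non-comment pam_unix.so lines carrying remember=<N> (the audit check) and writes a copy of the profile with that argument stripped from those lines only, leaving commented-out lines and every other module argument untouched (the remediation edit). The grep and sed patterns use POSIX extended syntax rather than the benchmark's PCRE `\h`, so they also run where grep has no -P support.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit and remediate the
# "remember=<N>" argument on pam_unix.so lines in a PAM profile.
# All sample content below is constructed; no real system files are touched.

# Matches a non-comment line that loads pam_unix.so with remember=<N> among its
# arguments. Anchored so a leading '#' (commented-out line) never matches.
REMEMBER_RE='^[[:space:]]*[^#]+[[:space:]]+pam_unix\.so[[:space:]]+([^#]+[[:space:]]+)?remember=[0-9]+([[:space:]]|$)'

# Write a constructed pam-configs style profile to the path given as $1.
# It mimics the shape of /usr/share/pam-configs/unix (hypothetical content).
write_sample_profile() {
    cat > "$1" <<'EOF'
Name: Unix authentication (constructed example)
Default: yes
Priority: 256
Auth-Type: Primary
Auth:
    [success=end default=ignore]    pam_unix.so nullok try_first_pass
Password-Type: Primary
Password:
    [success=end default=ignore]    pam_unix.so obscure use_authtok try_first_pass yescrypt remember=5
Password-Initial:
    [success=end default=ignore]    pam_unix.so obscure yescrypt remember=5
# [success=end default=ignore]    pam_unix.so obscure yescrypt remember=7   (commented out, must not count)
EOF
}

# Audit: print how many active pam_unix.so lines in file $1 still carry remember=<N>.
# Always exits 0 so it can be used inside command substitution under 'set -e'.
count_remember_lines() {
    grep -Ecs -- "$REMEMBER_RE" "$1" || true
}

# Remediation: copy file $1 to $2 with remember=<N> removed from pam_unix.so lines.
# Comment lines are skipped by the leading negated address so they stay as-is.
strip_remember() {
    sed -E -e '/^[[:space:]]*#/!{' \
           -e '/pam_unix\.so/s/[[:space:]]+remember=[0-9]+//g' \
           -e '}' "$1" > "$2"
}

# Demonstration on a throwaway copy: before/after counts and the cleaned profile.
workdir=$(mktemp -d)
write_sample_profile "$workdir/unix"
echo "remember= lines before: $(count_remember_lines "$workdir/unix")"
strip_remember "$workdir/unix" "$workdir/unix.fixed"
echo "remember= lines after:  $(count_remember_lines "$workdir/unix.fixed")"
echo "--- cleaned profile ---"
cat "$workdir/unix.fixed"
rm -rf "$workdir"
```

After editing a real profile under /usr/share/pam-configs/ this way, the benchmark's `pam-auth-update --enable <profile>` step is still required to regenerate the /etc/pam.d/common-* files; the audit regex can then be re-run against those generated files to confirm nothing is returned.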