We are doing a security audit of the lab I work at and one of the problems I was given to solve was if the /etc/pam.d/common-account file needs to be in our pam.d setup. Also if so, what it should contain.

After researching a little it seems to me that this module will perform common checks on all accounts that log into the system, i.e. if the account is still valid, password has expired, and any other global checks / restrictions.

This leads me to believe that the file should be included and a good content would be:

'account required /lib/security/pam_unix.so'


I was wondering if anyone could agree with me or offer any suggestions.

Thank you in advance for any guidance.


ned

No, have a look at the /etc/pam.d/system-auth file for one (it's already there).

Hmmm, I do see that 'account required /lib/security/pam_unix.so' is already in system-auth. So why do I see examples of people using /etc/pam.d/common-account? Isn't that a little redundant?

Thank you.

Depends, what examples are you talking about??

Sorry, I think I"m giving too much weight to the few examples I've seen on the web. A more relevant question would be:

When would a person use the /etc/pam.d/common-account if that person also has the /etc/pam.d/system-auth setup?