The Photon operating system must be configured to use the pam_deny.so module.

Severity
Group ID
Group Title
Version
Rule ID
Date
STIG Version
mediumV-285222SRG-OS-000480-GPOS-00228PHTN-40-000267SV-285222r1210426_rule2026-06-022

Description

Configuring the operating system to implement organizationwide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DOD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters impact the security state of the system and include the parameters required to satisfy other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections.

ℹ️ Check

At the command line, run the following commands to verify the pam_deny.so module is used: # grep '^auth' /etc/pam.d/system-auth Example result: auth required pam_faillock.so preauth auth sufficient pam_unix.so auth required pam_faillock.so authfail auth optional pam_faildelay.so delay=4000000 auth required pam_deny.so If the pam_deny.so module is not present, or is not configured as the last auth entry, this is a finding.

✔️ Fix

Navigate to and open: /etc/sysctl.d/zz-stig-hardening.conf Add or update the following line: fs.suid_dumpable = 0 Note: "0" is recommended for normal operation. If core dumps need to be captured for troubleshooting purposes, then "2" is also an acceptable value. At the command line, run the following command to load the new configuration: # /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf Note: If the file zz-stig-hardening.conf does not exist, it must be created.