PIM + system-auth: auth optional pam_seos.so

Document ID : KB000095705
Last Modified Date : 14/05/2018
Show Technical Document Details
Question:
PAM stack modules are being altered after CA PAMSC installation - how can I tell what was modified?
Answer:
This is a standard system-auth file after installing CA PIM: 
#%PAM-1.0 
# This file is auto-generated. 
# User changes will be destroyed the next time authconfig is run. 
auth required pam_env.so 
auth required pam_faildelay.so delay=2000000 
auth sufficient pam_fprintd.so 
auth sufficient pam_unix.so nullok try_first_pass 
auth optional    pam_seos.so 
auth requisite pam_succeed_if.so uid >= 1000 quiet_success 
auth required pam_deny.so 

account optional    pam_seos.so 
account required pam_unix.so 
account sufficient pam_localuser.so 
account sufficient pam_succeed_if.so uid < 1000 quiet 
account required pam_permit.so 

password sufficient pam_seos.so 
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= 
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok 
password required pam_deny.so 

session optional    pam_seos.so 
session optional pam_keyinit.so revoke 
session required pam_limits.so 
-session optional pam_systemd.so 
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
session required pam_unix.so

We add these lines:
auth optional   pam_seos.so
account optional   pam_seos.so
password sufficient pam_seos.so
session optional   pam_seos.so

Any additional modifications done to the PAM stack that is outside our out of the box configuration will be treated as customization and cannot be worked under a Support scoping perspective- any customizations that want to be worked on heavily will need a Services engagement.