PAM ESM Module

The PAM ESM Module provides a Linux feature similar to what the OS ESM Module does for Windows, but since the mechanism it uses is different it also has different configuration requirements. For Security Managers using the OS ESM Module, Micro Focus makes the following hardening recommendations:

Module
Set this to pam_esm, with no path, and no bitness, threadedness, or file extension suffixes. ESF loads ESM Modules from the product installation directory automatically – it does not search the library load path. ESF will select the appropriate bitness and threadedness automatically.
Authorized user
The PAM ESM Module uses this as the service name passed to the Linux-PAM API. The PAM API uses the service name to identify a PAM configuration file (or stanza, if PAM is configured to use a single configuration file). The configuration file determines how PAM operates for the caller, so the information in this file is critical. Micro Focus recommends that you create a PAM configuration file specifically for the PAM ESM Module, preferably using the default name "microfocus-es", to avoid unexpected PAM configuration changes with OS updates and to simplify problem determination. You can copy a suitable existing PAM configuration file to create this configuration.
Note: Configuring PAM is outside the scope of this document.

Configuration text settings relevant to hardening

The PAM ESM Module only has a few configuration options which affect hardening:

Process groups
Enable this option if you want the PAM ESM Module to be able to add the user's PAM groups to the groups known to Enterprise Server. If the organization intends to create resource access rules which refer to those groups, enable this option; otherwise, disable it to reduce both the processing performed by the PAM ESM Module and its attack surface.
Enable
This setting enables the PAM ESM Module to generate and accept passtokens. Unlike the MLDAP ESM Module, the PAM ESM Module does not offer per-user control over passtokens, so if feasible do not use the PAM ESM Module to provide passtokens.
Note: Only one Security Manager needs to support passtokens; if you do not require them, you can disable passtokens entirely. Enabling surrogate passtokens by setting this option to "any" is a significant security vulnerability.
SecretFile
If ESF passtokens are used, for passing authentication between subsystems such as MFDS and ESMAC, or for DCAS, then Micro Focus strongly recommends using this option. The "secret file" can contain anything, as long as it has at least roughly 128 bits of entropy; even 1 KB or so of ordinary text would suffice. The point of this setting is to avoid generating passtokens from either the built-in secret (which is available to anyone with a copy of the product) or a secret in the configuration (which is available to anyone who can view the configuration). Otherwise, a technically skilled attacker could forge passtokens.
Note: There is no space between "Secret" and "File" in the name of this setting.
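The following is an added example, not part of the Micro Focus documentation: a small POSIX shell helper that creates a secret file with well over the 128 bits of entropy described above, and checks that an existing secret file is long enough and not readable by group or other users. The file path is a placeholder; use whatever path the SecretFile setting points at.

```shell
#!/bin/sh
# Added example (not Micro Focus code): create and sanity-check an ESF SecretFile
# for the PAM ESM Module. The path below is a placeholder, not a documented default.
ESF_SECRET_FILE="${ESF_SECRET_FILE:-/var/opt/microfocus/esf-secret.txt}"

# Generate a fresh secret: 32 bytes from /dev/urandom, hex-encoded (256 bits of
# entropy, comfortably above the ~128 bits the documentation asks for).
# The subshell keeps the restrictive umask from leaking into the caller.
create_esf_secret_file() {
    f="$1"
    (
        umask 077                                # file is created readable by owner only
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$f"
        echo >> "$f"                             # trailing newline, so it reads as text
    )
    chmod 600 "$f"
}

# Check an existing secret file: it must exist, hold at least 16 bytes (128 bits)
# and carry no group/other permission bits, since anyone who can read the secret
# can forge passtokens.
check_esf_secret_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing secret file: $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge 16 ] || { echo "secret file too short ($size bytes): $f" >&2; return 1; }
    perms=$(ls -ld "$f" | cut -c5-10)            # group+other rwx columns of ls -l
    [ "$perms" = "------" ] || { echo "group/other permissions set on $f" >&2; return 1; }
    return 0
}

# Usage: create_esf_secret_file "$ESF_SECRET_FILE" && check_esf_secret_file "$ESF_SECRET_FILE"
```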
Trace settings
Tracing is useful in diagnosing issues, but might reveal sensitive data to an attacker who can obtain copies of log files. Disable tracing when it is not required.