#%PAM-1.0
#
# pam.d/login - PAM login configuration for EAL3/CAPP certification
#               see the Evaluated Configuration Guide for more info
#
# If serial terminals are in use, pam_laus.so MUST be changed to be 'required'
# for CAPP-complaint fail-secure auditing. The default 'optional' setting
# assumes that all terminals are in physically secure locations.
# 

auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so

account    required     pam_stack.so service=system-auth

password   required     pam_stack.so service=system-auth

session    required     pam_stack.so service=system-auth
#session    required     pam_laus.so # fail-secure mode
session    optional     pam_laus.so # requires physically secure terminals

