We have CA PAM in our environment and we are only managing the passwords for Unix servers. Sometimes we find that someone has changed the password from the server itself, and after that PAM is not able to manage the password.
Is there any way to disable the password change feature on the server side and only enable it from PAM for Unix servers?
If the users in your environment only use PAM sessions to connect to the Unix endpoints, then you could use the command filtering feature in PAM to prevent them from using the passwd command while connected via PAM. You can find more information about command filtering here.
If users can access the Unix endpoints outside of PAM, then I would suggest using SELinux or CA PAM Server Control policies to restrict access to the passwd command.
CA Support Engineer
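The thread covers preventing the out-of-band change but not spotting it. As an added example, not part of the original thread and not CA's own tooling, the shell script below scans auditd USER_CHAUTHTOK records for successful password changes whose audit uid (auid) is not the PAM connector's, which is how the situation described in the question (someone changed the password on the server, PAM lost sync) can be caught and the account re-synchronised. The audit lines are constructed and follow libpam's audit message layout (op=PAM:chauthtok grantors=... acct="..."); the connector account's login uid of 1500 is an assumption, so substitute the uid of whatever account CA PAM uses to log in to the endpoint.

```shell
#!/bin/sh
# Added example (not from the original thread): find password changes on a
# Unix endpoint that were NOT made by the PAM connector account, using
# auditd USER_CHAUTHTOK records. The connector's login uid (1500) is an
# assumption; set it to whatever account CA PAM uses to log in.

# Write a few constructed audit records to the file named in $1.
# Record 1: rotation by the connector (auid=1500), no terminal.
# Record 2: a human (auid=1001) ran passwd for appsvc from a pty.
# Record 3: a failed attempt, which should be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
type=USER_CHAUTHTOK msg=audit(1686558062.123:456): pid=2345 uid=0 auid=1500 ses=4 msg='op=PAM:chauthtok grantors=pam_unix acct="appsvc" exe="/usr/bin/passwd" hostname=? addr=? terminal=? res=success'
type=USER_CHAUTHTOK msg=audit(1686558100.456:457): pid=2400 uid=0 auid=1001 ses=5 msg='op=PAM:chauthtok grantors=pam_unix acct="appsvc" exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/0 res=success'
type=USER_CHAUTHTOK msg=audit(1686558120.789:458): pid=2450 uid=1002 auid=1002 ses=6 msg='op=PAM:chauthtok grantors=pam_unix acct="bob" exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/1 res=failed'
EOF
}

# Usage: find_unmanaged_changes <audit.log> <connector_auid>
# Prints "<account> <auid> <terminal>" for each successful password change
# whose audit uid differs from the connector's. auid is set at login and
# survives su/sudo, so a change made as root after "sudo -i" is still
# attributed to the human who logged in.
find_unmanaged_changes() {
    awk -v ok="$2" '
        /type=USER_CHAUTHTOK/ && /op=PAM:chauthtok/ && /res=success/ {
            auid = ""; acct = ""; term = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "acct") { acct = kv[2]; gsub(/"/, "", acct) }
                else if (kv[1] == "terminal") term = kv[2]
            }
            if (auid != ok) print acct, auid, term
        }' "$1"
}

# Stand-alone demo: expected output is "appsvc 1001 pts/0".
demo=$(mktemp)
write_sample_log "$demo"
find_unmanaged_changes "$demo" 1500
rm -f "$demo"
```

On a real endpoint point the function at /var/log/audit/audit.log (or feed it the output of `ausearch -m USER_CHAUTHTOK`), and feed each reported account back into PAM for a forced rotation. This detects rather than prevents, so it complements the command filtering or SELinux restriction recommended above; it also only works if auditd is running and the human cannot tamper with the audit log, which is one more reason to keep their server-side access as narrow as the SELinux policy allows.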
Thanks Brian for this information.
As we are not using sessions from PAM, could you please help here with using the SELinux option to disable password changes from the server side.
You would have to work with your sysadmins and/or Red Hat to create the SELinux policy so that it adheres to your company's security standards. CA cannot provide such assistance.