Information
All (unlocked) accounts on the server must have a password.
For this recommendation we look at the so-called files registery - as we cannot reliably review the entries kept in a centralized authentication system such as LDAP or Kerberos.
Rationale:
An account password is a secret code word that must be entered to gain access to the account. If an account exists that has a blank password, multiple users may access the account without authentication and leave a weak audit trail. An attacker may gain unauthorized system access or perform malicious actions, which then cannot be attributed to any specific individual.
Impact:
If no password hash is available and a locked account gets unlocked then the account is available without any verification aka authentication.
Solution
Check for accounts with an empty password field. If any, lock the account and assign an impossible password hash, as well as flag admin change (ADMCHG) to the password record.
set $(/usr/bin/egrep -c -p 'password = +$' /etc/security/passwd)
if [[ $1 != '0' ]]; then
# get seconds since epoch
now=$(date +'%s')
# copy everything except entries without password
/usr/bin/egrep -v -p 'password = +$' /etc/security/passwd > /etc/security/passwd.cis
# create new entries with an impossible password hash and append to password.cis
/usr/bin/egrep -p 'password = +$' /etc/security/passwd | grep ':' | awk -F: '{ print $1 } ' |
while read user; do
print 'Locking and giving account ${user} impossible password hash'
/usr/bin/chuser account_locked='true' expires=0101000070 ${user}
printf '%s:
tpassword = *
' ${user} >> /etc/security/passwd.cis
printf 'tflags = ADMCHG
tlastupdate=%s
' ${now} >> /etc/security/passwd.cis
done
cat /etc/security/passwd.cis > /etc/security/passwd
rm /etc/security/passwd.cis
fi
Default Value:
N/A