5.3.6 Ensure no accounts are configured with blank or null passwords - system-auth

Information

The operating system must not have accounts configured with blank or null passwords.

Rationale:

If an account has an blank password, anyone could log on and run commands with the privileges of that account. Accounts with 'blank' passwords should never be used in operational environments.

Solution

If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.
Remove any instances of the nullok option in /etc/pam.d/system-auth and /etc/pam.d/password-auth to prevent logons with empty or blank passwords.
Example: vim /etc/pam.d/system-auth
Remove nullok from the line show below:

password sufficient pam_unix.so sha=512 shadow nullok try_first_pass use_authtok

Impact:

Note: Manual changes to the listed files may be overwritten by the authconfig program. The authconfig program should not be used to update the configurations listed in this requirement.

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-71937

Rule ID: SV-86561r3_rule

STIG ID: RHEL-07-010290

Severity: CAT I

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(a)

Plugin: Unix

Control ID: 94b32212c31ae59db0bdac30087916a12287bed2c709677494a4b19a4216588b