Information
All (unlocked) accounts on the server must have a password.
For this recommendation we only look at the so-called files registry (the local /etc/security/passwd file), as we cannot reliably review entries kept in a centralized authentication system such as LDAP or Kerberos.
An account password is a secret code word that must be entered to gain access to the account. If an account exists that has a blank password, multiple users may access the account without authentication, leaving a weak audit trail. An attacker may gain unauthorized system access or perform malicious actions, which then cannot be attributed to any specific individual.
Solution
Check for accounts with an empty password field. If any are found, lock the account, assign an impossible password hash, and set the admin change flag (ADMCHG) on the password record.
set -- $(/usr/bin/egrep -c -p "password = +$" /etc/security/passwd)
if [[ $1 != "0" ]]; then
    # get seconds since epoch
    now=$(date +"%s")
    # copy everything except the stanzas with an empty password field
    /usr/bin/egrep -v -p "password = +$" /etc/security/passwd > /etc/security/passwd.cis
    # take the user name from each matching stanza, lock the account and
    # append a new stanza with an impossible password hash to passwd.cis
    /usr/bin/egrep -p "password = +$" /etc/security/passwd | grep ":" | awk -F: '{ print $1 }' |
    while read user; do
        print "Locking and giving account ${user} impossible password hash"
        /usr/bin/chuser account_locked='true' expires=0101000070 ${user}
        printf "%s:\n\tpassword = *\n" ${user} >> /etc/security/passwd.cis
        printf "\tflags = ADMCHG\n\tlastupdate=%s\n" ${now} >> /etc/security/passwd.cis
    done
    # write the result back over the original file (keeps its owner and mode)
    cat /etc/security/passwd.cis > /etc/security/passwd
    rm /etc/security/passwd.cis
fi
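Before running the remediation, a defender usually wants a read-only check that lists the affected accounts. The following is an added example, not part of the benchmark text: a portable sh/awk parser for the /etc/security/passwd stanza format that reports every account whose password attribute is empty, run here against a constructed sample file. It also flags "password =" with no trailing space, which the "password = +$" pattern used above does not match.

```shell
#!/bin/sh
# Added audit helper (not part of the benchmark text): parse the stanza
# format of /etc/security/passwd with portable awk and list every account
# whose "password" attribute is empty, so findings can be reviewed before
# the remediation rewrites the file.

# Constructed sample in the AIX stanza layout; the real file indents
# attribute lines with a tab, which the parser accepts as well.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:
        password = {ssha256}06$placeholderHashNotARealOne
        lastupdate = 1700000000
        flags =

guest:
        password = 
        lastupdate = 1690000000

svc_backup:
        password = *
        flags = ADMCHG

tmpuser:
        password =
EOF

# empty_password_accounts FILE
# Prints one user name per line for each stanza whose password attribute
# has no value ("password = " and "password =" alike). A stanza starts
# with "name:" in column 1; its attributes are indented "key = value" lines.
empty_password_accounts() {
    awk '
        /^[^[:space:]#][^:]*:[[:space:]]*$/ { sub(/:.*/, ""); user = $0; next }
        user != "" && /^[[:space:]]*password[[:space:]]*=/ {
            val = $0
            sub(/^[[:space:]]*password[[:space:]]*=[[:space:]]*/, "", val)
            sub(/[[:space:]]+$/, "", val)
            if (val == "") print user
        }
    ' "$1"
}

empty_password_accounts "$SAMPLE_PASSWD"   # prints: guest, tmpuser
rm -f "$SAMPLE_PASSWD"
```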
Impact:
If no password hash is present and a locked account is later unlocked, the account becomes accessible without any verification, i.e. without authentication.