5.3.3.4.1 Ensure pam_unix does not include nullok

Information

The nullok argument overrides the default action of pam_unix.so to not permit the user access to a service if their official password is blank.

Using a strong password is essential to helping protect personal and sensitive information from unauthorized access

Solution

Run the following script to verify that the active authselect profile's system-auth and password-auth files include {if not "without-nullok":nullok} - OR - don't include the nullok option on the pam_unix.so module:

{
l_module_name="unix"
l_profile_name="$(head -1 /etc/authselect/authselect.conf)"
if [[ ! "$l_profile_name" =~ ^custom/ ]]; then
echo " - Follow Recommendation \"Ensure custom authselect profile is used\" and then return to this Recommendation"
else
grep -P -- "bpam_$l_module_name.sob" /etc/authselect/$l_profile_name/{password,system}-auth
fi
}

Example output with a custom profile named "custom-profile":

/etc/authselect/custom/custom-profile/password-auth:auth sufficient pam_unix.so {if not "without-nullok":nullok}
/etc/authselect/custom/custom-profile/password-auth:account required pam_unix.so
/etc/authselect/custom/custom-profile/password-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
/etc/authselect/custom/custom-profile/password-auth:session required pam_unix.so

/etc/authselect/custom/custom-profile/system-auth:auth sufficient pam_unix.so {if not "without-nullok":nullok}
/etc/authselect/custom/custom-profile/system-auth:account required pam_unix.so
/etc/authselect/custom/custom-profile/system-auth:password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} use_authtok
/etc/authselect/custom/custom-profile/system-auth:session required pam_unix.so

- IF - any line is returned with nullok that doesn't also include {if not "without-nullok":nullok} run the following script:

#!/usr/bin/env bash

{
for l_pam_file in system-auth password-auth; do
l_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
sed -ri 's/(^s*passwords+(requisite|required|sufficient)s+pam_unix.sos+.*)(nullok)(s*.*)$/124/g' $l_file
done
}

- IF - any line is returned with {if not "without-nullok":nullok} run the following command to enable the authselect without-nullok feature:

# authselect enable-feature without-nullok

Run the following command to update the files in /etc/pam.d to include pam_unix.so without the nullok argument:

# authselect apply-changes

See Also

https://workbench.cisecurity.org/benchmarks/18209

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 3c681935f123a1e879ffd4eef9098b37eff69d8ac85294bc402eaae773b6de57