5.4.6 Ensure no accounts are configured with blank or null passwords - password-auth

Information

The operating system must not have accounts configured with blank or null passwords.

Rationale:

If an account has an blank password, anyone could log on and run commands with the privileges of that account. Accounts with 'blank' passwords should never be used in operational environments.

Solution

If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.
Remove any instances of the 'nullok' option in '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' to prevent logons with empty passwords.
Note: Manual changes to the listed files may be overwritten by the 'authconfig' program. The 'authconfig' program should not be used to update the configurations listed in this requirement.

Additional Information:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide

Version 3, Release: 4 Benchmark Date: 23 Jul 2021

Vul ID: V-204424

Rule ID: SV-204424r603261_rule

STIG ID: RHEL-07-010290

Severity: CAT I

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CCI|CCI-000366, CSCv7|4.4, Rule-ID|SV-204424r603261_rule, STIG-ID|RHEL-07-010290

Plugin: Unix

Control ID: b922ba5e5eebb0dcdaa53e7bb0e048b60f907166f49c241265311d17ba8cf60a