Information
The operating system must not have accounts configured with blank or null passwords.
Rationale:
If an account has an blank password, anyone could log on and run commands with the privileges of that account. Accounts with 'blank' passwords should never be used in operational environments.
Solution
If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating.
Remove any instances of the 'nullok' option in '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' to prevent logons with empty passwords.
Note: Manual changes to the listed files may be overwritten by the 'authconfig' program. The 'authconfig' program should not be used to update the configurations listed in this requirement.
Additional Information:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide
Version 3, Release: 4 Benchmark Date: 23 Jul 2021
Vul ID: V-204424
Rule ID: SV-204424r603261_rule
STIG ID: RHEL-07-010290
Severity: CAT I