5.3.3.4.1 Ensure pam_unix does not include nullok

Information

The nullok argument overrides the default action of pam_unix.so to not permit the user access to a service if their official password is blank.

Using a strong password is essential to helping protect personal and sensitive information from unauthorized access

Solution

Run the following command:

# grep -PH -- '^h*([^#
r]+h+)?pam_unix.soh+([^#
r]+h+)?nullokb' /usr/share/pam-configs/*

Edit any files returned and remove the nullok argument for the pam_unix lines

Example File:

Name: Unix authentication
Default: yes
Priority: 256
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_unix.so try_first_pass # <- **ensure line does not include nullok nullok**
Auth-Initial:
[success=end default=ignore] pam_unix.so # <- **ensure line does not include nullok nullok**
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Account-Initial:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Session-Type: Additional
Session:
required pam_unix.so
Session-Initial:
required pam_unix.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
Password-Initial:
[success=end default=ignore] pam_unix.so obscure yescrypt

Run the following command to update the files in the /etc/pam.d/ directory:

# pam-auth-update --enable <EDITED_PROFILE_NAME>

Example:

# pam-auth-update --enable unix

Note: If custom files are being used, the corresponding files in /etc/pam.d/ would need to be edited directly, and the pam-auth-update --enable <EDITED_PROFILE_NAME> command skipped

See Also

https://workbench.cisecurity.org/benchmarks/18959

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: bebbba2d4b9114bb73f9277c17e0f97e6d223db6c6b8ac303251803e0f5772d0