3.1.1.1 All accounts must have a hashed password

Information

All (unlocked) accounts on the server must have a password.

For this recommendation we look at the so-called files registery - as we cannot reliably review the entries kept in a centralized authentication system such as LDAP or Kerberos.

Rationale:

An account password is a secret code word that must be entered to gain access to the account. If an account exists that has a blank password, multiple users may access the account without authentication and leave a weak audit trail. An attacker may gain unauthorized system access or perform malicious actions, which then cannot be attributed to any specific individual.

Impact:

If no password hash is available and a locked account gets unlocked then the account is available without any verification aka authentication.

Solution

Check for accounts with an empty password field. If any, lock the account and assign an impossible password hash, as well as flag admin change (ADMCHG) to the password record.

Check for accounts with an incorrect password field in /etc/password. If any, lock and expire those accounts.

umask 077
PID=$$
# get seconds since epoch
now=$(date +'%s')
set $(/usr/bin/egrep -c -p 'password = +$' /etc/security/passwd)
if [[ $1 != '0' ]]; then
# copy everything except entries without password
/usr/bin/egrep -v -p 'password = +$' /etc/security/passwd > /etc/security/passwd.cis.${PID}
# create new entries with an impossible password hash and append to password.cis
/usr/bin/egrep -p 'password = +$' /etc/security/passwd | grep ':' | awk -F: '{ print $1 } ' |
while read user; do
print 'Locking and giving account ${user} impossible password hash'
/usr/bin/chuser account_locked='true' ${user}
printf '%s:
tpassword = *
' ${user} >> /etc/security/passwd.cis
printf 'tflags = ADMCHG
tlastupdate=%s

' ${now} >> /etc/security/passwd.cis
done
cat /etc/security/passwd.cis.${PID} > /etc/security/passwd
rm /etc/security/passwd.cis.${PID}
fi
/usr/bin/egrep '(::|:[^!]:)[[:digit:]]+:[[:digit:]]+:' /etc/passwd | awk -F: '{ print $1 } |
while read user; do
print 'Locking account '${user}' due to incorrect password field in /etc/passwd.'
/usr/bin/chuser account_locked='true' expires=${now} ${user}
done

Default Value:

N/A

See Also

https://workbench.cisecurity.org/files/3525

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: fdd2a1446fcd42651197472daf24077ebc066ee6b8029891b6653cf72c3a6690