Detections
Analytics

5.4.2.4.1 Ensure pam_unix does not include nullok

Information

The nullok argument overrides the default action of pam_unix.so to not permit the user access to a service if their official password is blank.

Using a strong password is essential to helping protect personal and sensitive information from unauthorized access

Solution

Run the following command to remove the nullok option from all lines in the /ect/pam.d/password-auth and /etc/pam.d/system-auth files:

# sed -ri 's/^(.*)(\s+nullok\s*)(.*$)/\1 \3/' /etc/pam.d/{password,system}-auth

See Also

https://workbench.cisecurity.org/benchmarks/25279

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 46c00392651cd308b47e8da67aa0f810a6e3871c452bae60c92ada100d7b35b5