The Ubuntu operating system must not be configured to allow blank or null passwords.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-75479 | UBTU-16-010250 | SV-90159r2_rule | High |
| Description |
|---|
| If the operating system allows empty passwords, anyone could log on and run commands with the privileges. Empty passwords should never be used in operational environments. |
| STIG | Date |
|---|---|
| Canonical Ubuntu 16.04 Security Technical Implementation Guide | 2020-05-29 |
Details
| Check Text ( C-75183r2_chk ) |
|---|
| To verify that null passwords cannot be used, run the following command: # grep pam_unix.so /etc/pam.d/* | grep nullok* If this produces any output, it may be possible to log on with accounts with empty passwords. If null passwords can be used, this is a finding. |
| Fix Text (F-82107r2_fix) |
|---|
| Remove any instances of the "nullok" option in files under "/etc/pam.d/" to prevent logons with empty passwords. |