Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-214963 | UBTU-16-010250 | SV-214963r508033_rule | | High |
Description |
---|
If the operating system allows empty passwords, anyone could log on and run commands with the privileges of that account. Empty passwords should never be used in operational environments. |
STIG | Date |
---|---|
Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide | 2020-09-03 |
Check Text (C-16162r284757_chk) |
---|
To verify that null passwords cannot be used, run the following command: `# grep pam_unix.so /etc/pam.d/* | grep nullok*` If this produces any output, it may be possible to log on with accounts with empty passwords. If null passwords can be used, this is a finding. |
Fix Text (F-16160r284758_fix) |
---|
Remove any instances of the "nullok" option in files under "/etc/pam.d/" to prevent logons with empty passwords. |
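
The check above as an added script (not part of the STIG text): it reports only active `pam_unix.so` rules that carry `nullok` or the Debian/Ubuntu variant `nullok_secure`, skipping commented-out lines and trailing comments that the raw `grep` pipeline also prints. The function names `find_nullok`, `check_nullok` and `make_sample` are hypothetical, the sample files are constructed, and one rule per line is assumed (no backslash continuations).

```shell
#!/bin/sh
# Added example, not part of the STIG text.
# find_nullok DIR: report active pam_unix.so rules carrying nullok or the
# Debian/Ubuntu variant nullok_secure as "file:line:text".
find_nullok() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            { raw = $0; sub(/#.*/, "") }   # strip comments, keep raw line for the report
            /pam_unix\.so/ {
                for (i = 1; i <= NF; i++)
                    if ($i == "nullok" || $i == "nullok_secure") {
                        print file ":" NR ":" raw
                        break
                    }
            }' "$f"
    done
}

# check_nullok DIR: returns 1 (a finding) if any rule is reported, else 0.
check_nullok() {
    hits=$(find_nullok "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# make_sample: builds a constructed pam.d-style directory and prints its path.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'auth [success=1 default=ignore] pam_unix.so nullok_secure' > "$d/common-auth"
    printf '%s\n' 'password [success=1 default=ignore] pam_unix.so obscure sha512' > "$d/common-password"
    printf '%s\n' '# auth required pam_unix.so nullok' > "$d/sshd"
    printf '%s\n' 'auth required pam_unix.so try_first_pass # nullok removed' > "$d/login"
    echo "$d"
}
```

Run `check_nullok /etc/pam.d` as root on the target host; on the constructed sample only the `common-auth` rule is reported, while the raw `grep` would also print the `sshd` and `login` lines.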