|Finding ID||Version||Rule ID||IA Controls||Severity|
|If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.|
|Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide||2022-12-06|
|Check Text ( C-54939r832975_chk )|
| To verify that null passwords cannot be used, run the following command: |
$ grep nullok /etc/pam.d/common-password
If this produces any output, it may be possible to log on with accounts with empty passwords.
If null passwords can be used, this is a finding.
|Fix Text (F-54893r832976_fix)|
| If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. |
Remove any instances of the "nullok" option in "/etc/pam.d/common-password" to prevent logons with empty passwords.