3c19f00a7f
This patch adds the right tags to each piece of metadata and corrects small errors found in the deployer notes.

Closes-bug: 1595669
Change-Id: Ic04aaad85ebf111be5a0bdb01a350442fdea1433
810 B
---
id: V-38497
status: implemented
tag: auth
---

Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to authenticate via PAM by default. This STIG requires that those login attempts are blocked.
For Ubuntu, the nullok_secure option will be removed from /etc/pam.d/common-auth.
For CentOS, the nullok option will be removed from /etc/pam.d/system-auth.
The effects of the change are immediate and no service restarts are required.
Deployers can opt out of this change by adjusting an Ansible variable:
security_pam_remove_nullok: no
Setting the variable to yes (the default) will cause the Ansible tasks to remove the nullok_secure parameter while setting the variable to no will leave the PAM configuration unchanged.
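
To confirm the state described above on a host, the following POSIX shell audit is an added example and is not code from the role or from this commit. The names NULLOK_RE, audit_nullok and strip_nullok are hypothetical, and limiting the match to uncommented pam_unix.so lines is an assumption of the example.

```shell
# Constructed audit for V-38497; names are hypothetical, not the role's own.
# Matches uncommented pam_unix.so lines that still carry nullok or nullok_secure.
NULLOK_RE='^[^#]*pam_unix\.so.*[[:space:]]nullok(_secure)?([[:space:]]|$)'

# audit_nullok FILE...
# Prints FAIL for each offending line, PASS for each clean file, and SKIP for
# files that do not exist (a host has only one of the two paths named above).
# Returns 0 only when no offending line was found.
audit_nullok() {
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "SKIP $f (not present)"
        elif hits=$(grep -nE "$NULLOK_RE" "$f"); then
            echo "$hits" | sed "s|^|FAIL $f:|"
            rc=1
        else
            echo "PASS $f"
        fi
    done
    return "$rc"
}

# strip_nullok FILE
# Removes the option from uncommented pam_unix.so lines and keeps FILE.bak.
# A stand-in for manual remediation, not the role's Ansible task.
strip_nullok() {
    sed -E -i.bak \
        '/^[^#]*pam_unix\.so/ s/[[:space:]]+nullok(_secure)?([[:space:]]|$)/\2/' "$1"
}

# Typical call on a live host (paths taken from the note above):
#   audit_nullok /etc/pam.d/common-auth /etc/pam.d/system-auth
```

A non-zero exit from audit_nullok with security_pam_remove_nullok left at its default means the option was reintroduced after the role ran.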