openstack-ansible-security/doc/metadata/rhel6/V-38497.rst

---
id: V-38497
status: implemented
tag: auth
---

Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to authenticate via PAM by default. This STIG requires that those login attempts are blocked.

For Ubuntu, the nullok_secure option will be removed from /etc/pam.d/common-auth.

For CentOS, the nullok option will be removed from /etc/pam.d/system-auth.

The effects of the change are immediate and no service restarts are required.

Deployers can opt out of this change by adjusting an Ansible variable:

security_pam_remove_nullok: no

Setting the variable to yes (the default) will cause the Ansible tasks to remove the nullok_secure parameter (nullok on CentOS), while setting the variable to no will leave the PAM configuration unchanged.
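
A read-only audit and preview of the change described above, as an added example that is not part of openstack-ansible-security. The function names and the sample PAM lines are constructed, and checking every active pam_unix.so line (not only auth lines) is an assumption.

```shell
#!/bin/sh
# Added example; not the role's own code. Names and sample data are constructed.

# Print "lineno:line" for each active pam_unix.so line that still carries
# nullok or nullok_secure. Exit status: 0 = finding(s), 1 = clean.
pam_find_nullok() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out lines do not count
        /pam_unix\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i == "nullok" || $i == "nullok_secure") {
                    printf "%d:%s\n", NR, $0; found = 1; break
                }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Write the file to stdout with both options dropped from active pam_unix.so
# lines. Rewritten lines have their whitespace collapsed to single spaces;
# every other line (comments included) passes through unchanged.
pam_strip_nullok() {
    awk '
        /^[ \t]*#/ || !/pam_unix\.so/ { print; next }
        {
            out = ""
            for (i = 1; i <= NF; i++)
                if ($i != "nullok" && $i != "nullok_secure")
                    out = out (out == "" ? "" : " ") $i
            print out
        }
    ' "$1"
}

# Constructed sample resembling an Ubuntu common-auth file.
sample=$(mktemp)
printf '%s\n' \
    '# here are the per-package modules (the "Primary" block)' \
    'auth [success=1 default=ignore] pam_unix.so nullok_secure' \
    'auth requisite pam_deny.so' > "$sample"

if pam_find_nullok "$sample"; then
    echo "finding: null-password logins are still permitted; hardened form:"
    pam_strip_nullok "$sample"
fi
rm -f "$sample"
```

Run `pam_find_nullok` against /etc/pam.d/common-auth or /etc/pam.d/system-auth after the role has been applied; a non-zero exit status with no output means the option is gone.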