From 6d128bbcea3cd9720a8391a435dac331c6c44a67 Mon Sep 17 00:00:00 2001
From: Carmen Rata
Date: Tue, 25 Aug 2020 16:03:36 -0400
Subject: [PATCH] Fix openscap security violation in pam-config rpm
Removed all "nullok" occurrences in "system-auth.pamd" file to fix "Prevent Login to Accounts With Empty Password" security violation found using openscap scan.
Story: 2008037
Task: 40694
Change-Id: I84fd31dd262dcd3075b14acfcc03b43fb33181f0
Signed-off-by: Carmen Rata
---
 pam-config/files/system-auth.pamd | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pam-config/files/system-auth.pamd b/pam-config/files/system-auth.pamd
index 4311426..7f25e71 100755
--- a/pam-config/files/system-auth.pamd
+++ b/pam-config/files/system-auth.pamd
@@ -1,6 +1,6 @@
 #%PAM-1.0
 auth required pam_env.so
-auth sufficient pam_unix.so nullok try_first_pass
+auth sufficient pam_unix.so try_first_pass
 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
 auth required pam_deny.so
@@ -21,7 +21,7 @@ account required pam_permit.so
 password requisite pam_pwquality.so try_first_pass retry=3 authtok_type= difok=3 minlen=7 lcredit=-1 ucredit=-1 ocredit=-1 dcredit=-1 enforce_for_root debug
 password requisite pam_pwhistory.so use_authtok enforce_for_root remember=2
-password [success=2 default=ignore] pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password [success=2 default=ignore] pam_unix.so sha512 shadow try_first_pass use_authtok
 password [success=1 default=ignore] pam_ldap.so use_authtok
 session optional pam_keyinit.so revoke
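Review bot: The first hunk (`@@ -1,6 +1,6 @@`) drops `nullok` from the `auth ... pam_unix.so` line without leaving anything in the file that says why, so a later edit or a merge from a distribution template can quietly bring it back. I would add a comment above that line, e.g. `# nullok deliberately omitted: accounts with an empty password field must not authenticate (OpenSCAP "Prevent Login to Accounts With Empty Password")`. The patch touches only system-auth.pamd; if the package ships other stacks that call pam_unix.so directly (not visible here), they need the same check, since the empty-password path stays open through any service that includes one of them. Existing accounts with an empty password field will fail this line and fall through to pam_deny.so after upgrade, which is worth a release note.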
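Review bot: In the second hunk (`@@ -21,7 +21,7 @@`) the `password ... pam_unix.so` line also loses `nullok`, and as far as pam_unix documents the option this means an unprivileged user whose current password is empty can no longer set one with passwd; root has to assign it. That is likely the intended end state, but it is not documented in the file or in the commit message. A comment such as `# no nullok: an account with an empty password needs root to set its first password` above the line would record it. The password stack continues past the end of this hunk, so the remaining modules were not reviewed.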