criticalaccess-controlverified ✓
Ensure no accounts have empty passwords
accounts-no-empty-passwords · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
All accounts in /etc/shadow must have a password hash or be locked. Empty password fields allow password-less authentication which is a critical security vulnerability.
Rationale
Accounts with empty passwords can be accessed without authentication, providing trivial entry points for attackers. This is especially dangerous for accounts with elevated privileges or shell access.
Check → Remediate
Checkcommand
awk -F: '($2 == "") {print $1}' /etc/shadow- expected_exit:
- 0
Remediatemanual
- note:
- Lock accounts with empty passwords using 'passwd -l <username>' or set a strong password. Review each account to determine appropriate action - some may be system accounts that should be locked, others may need passwords set.
Framework references
CIS
rhel9 7.2.2rhel10 7.2.2rhel8 7.2.2
STIG
V-281201 / RHEL-10-600460V-251706 / RHEL-08-010121V-270713 / UBTU-24-300027V-260571 / UBTU-22-611065
NIST 800-53
IA-5AC-6
Live verification
rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#accounts#passwords#authentication#security