← Rules Catalog
criticalaccess-controlverified

Ensure no accounts have empty passwords

accounts-no-empty-passwords · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

All accounts in /etc/shadow must have a password hash or be locked. Empty password fields allow password-less authentication which is a critical security vulnerability.

Rationale

Accounts with empty passwords can be accessed without authentication, providing trivial entry points for attackers. This is especially dangerous for accounts with elevated privileges or shell access.

Check → Remediate

Checkcommand
awk -F: '($2 == "") {print $1}' /etc/shadow
expected_exit:
0
Remediatemanual
note:
Lock accounts with empty passwords using 'passwd -l <username>' or set a strong password. Review each account to determine appropriate action - some may be system accounts that should be locked, others may need passwords set.

Framework references

CIS

rhel9 7.2.2rhel10 7.2.2rhel8 7.2.2

STIG

V-281201 / RHEL-10-600460V-251706 / RHEL-08-010121V-270713 / UBTU-24-300027V-260571 / UBTU-22-611065

NIST 800-53

IA-5AC-6

Live verification

rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#accounts#passwords#authentication#security