← Rules Catalog
highaccess-controlverified rollback-safe

Ensure pam_unix does not include nullok

pam-unix-no-nullok · RHEL ≥ 8 · 2 impls

Description

The pam_unix module should not include the nullok option, which allows users with empty passwords to authenticate.

Rationale

The nullok option permits users to login without a password if their password field is empty. This is a significant security risk.

Check → Remediate

Checkcommand
if grep -E 'pam_unix\.so.*\bnullok\b' /etc/pam.d/system-auth /etc/pam.d/password-auth 2>/dev/null | grep -v '^\s*#'; then
  echo "FAIL: nullok found in pam_unix configuration"
  exit 1
fi
echo "OK: nullok not configured for pam_unix"
exit 0
expected_exit:
0
Remediatepam_module_arg
action:
remove
module:
pam_unix.so
arg:
nullok
files:
/etc/pam.d/system-auth, /etc/pam.d/password-auth

Framework references

CIS

rhel9 5.3.3.4.1rhel10 5.3.2.4.1rhel8 5.3.3.4.1

STIG

V-281200 / RHEL-10-600455V-258094 / RHEL-09-611025V-268322 / RHEL-08-020331V-244541 / RHEL-08-020332

NIST 800-53

IA-5

Live verification

rhel10:checkrhel8:checkrhel9:check
#pam#authentication#password#security