highaccess-controlverified ✓rollback-safe
Ensure pam_unix does not include nullok
pam-unix-no-nullok · RHEL ≥ 8 · 2 impls
Description
The pam_unix module should not include the nullok option, which allows users with empty passwords to authenticate.
Rationale
The nullok option permits users to login without a password if their password field is empty. This is a significant security risk.
Check → Remediate
Checkcommand
if grep -E 'pam_unix\.so.*\bnullok\b' /etc/pam.d/system-auth /etc/pam.d/password-auth 2>/dev/null | grep -v '^\s*#'; then echo "FAIL: nullok found in pam_unix configuration" exit 1 fi echo "OK: nullok not configured for pam_unix" exit 0
- expected_exit:
- 0
Remediatepam_module_arg
- action:
- remove
- module:
- pam_unix.so
- arg:
- nullok
- files:
- /etc/pam.d/system-auth, /etc/pam.d/password-auth
Framework references
CIS
rhel9 5.3.3.4.1rhel10 5.3.2.4.1rhel8 5.3.3.4.1
STIG
V-281200 / RHEL-10-600455V-258094 / RHEL-09-611025V-268322 / RHEL-08-020331V-244541 / RHEL-08-020332
NIST 800-53
IA-5
Live verification
rhel10:checkrhel8:checkrhel9:check
#pam#authentication#password#security