{"description": "If an account is configured for password authentication\nbut does not have an assigned password, it may be possible to log\ninto the account without authentication. Remove any instances of the\n<tt>nullok</tt> option in\n<tt>/etc/pam.d/common-{password,auth,account,session,session-noninteractive}</tt>\nto prevent logins with empty passwords.", "rationale": "If an account has an empty password, anyone could log in and\nrun commands with the privileges of that account. Accounts with\nempty passwords should never be used in operational environments.", "severity": "high", "references": {"cis": ["5.3.3.4.1"]}, "control_references": {"cis": ["5.3.3.4.1"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": null, "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "system_with_kernel and package[pam]", "platforms": ["system_with_kernel and package[pam]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_pam_and_system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Prevent Login to Accounts With Empty Password", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords_unix/rule.yml", "template": null}