{"description": "If an account is configured for password authentication\nbut does not have an assigned password, it may be possible to log\ninto the account without authentication. Remove any instances of the\n<tt>nullok</tt> in\n\n<tt>/etc/pam.d/common-password</tt>\n\nto prevent logins with empty passwords.", "rationale": "If an account has an empty password, anyone could log in and\nrun commands with the privileges of that account. Accounts with\nempty passwords should never be used in operational environments.", "severity": "high", "references": {"cis-csc": ["1", "12", "13", "14", "15", "16", "18", "3", "5"], "cjis": ["5.5.2"], "cobit5": ["APO01.06", "DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.02", "DSS06.03", "DSS06.10"], "cui": ["3.1.1", "3.1.5"], "hipaa": ["164.308(a)(1)(ii)(B)", "164.308(a)(7)(i)", "164.308(a)(7)(ii)(A)", "164.310(a)(1)", "164.310(a)(2)(i)", "164.310(a)(2)(ii)", "164.310(a)(2)(iii)", "164.310(b)", "164.310(c)", "164.310(d)(1)", "164.310(d)(2)(iii)"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 5.2"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.13.1.1", "A.13.1.3", "A.13.2.1", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.18.1.4", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.1", "A.9.4.2", "A.9.4.3", "A.9.4.4", "A.9.4.5"], "nist": ["IA-5(1)(a)", "IA-5(c)", "CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-4", "PR.AC-6", "PR.AC-7", "PR.DS-5"], "ospp": ["FIA_UAU.1"], "pcidss": ["Req-8.2.3"], "srg": ["SRG-OS-000480-GPOS-00227"], "ism": ["1546"], "pcidss4": ["8.3.1", "8.3"], "stigid": ["UBTU-22-611060"], 
"stigref": ["SV-260570r991589_rule"]}, "control_references": {"ism": ["1546"], "pcidss4": ["8.3.1", "8.3"], "stigid": ["UBTU-22-611060"]}, "components": [], "identifiers": {}, "ocil_clause": "NULL passwords can be used", "ocil": "To verify that null passwords cannot be used, run the following command:\n\n<pre>grep nullok /etc/pam.d/common-password</pre>\n\nIf this produces any output, it may be possible to log into accounts\nwith empty passwords. Remove any instances of the <tt>nullok</tt> option to\nprevent logins with empty passwords.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 in the common-password file  to not allow null\npasswords.\n\nRemove any instances of the \"nullok\" option in \"/etc/pam.d/common-password\"\n\nto prevent logons with empty passwords.\n\nNote: Manual changes to the listed file may be overwritten by the \"authselect\" program.", "checktext": "", "vuldiscussion": "", "srg_requirement": "'Ubuntu 22.04 must not allow blank or null passwords in the  common-password file.'", "warnings": [{"general": "If the system relies on <tt>authselect</tt> tool to manage PAM settings, the remediation\nwill also use <tt>authselect</tt> tool. However, if any manual modification was made in\nPAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be\naborted in order to preserve intentional changes. In this case, an informative message will\nbe shown in the remediation report.\nNote that this rule is not applicable for systems running within a\ncontainer. Having user with empty password within a container is not\nconsidered a risk, because it should not be possible to directly login into\na container anyway."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must not allow blank or null passwords.", "vuldiscussion": "If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.", "checktext": "Verify that null passwords cannot be used with the following command:\n\n$ sudo grep -i nullok /etc/pam.d/system-auth /etc/pam.d/password-auth\n\nIf output is produced, this is a finding.\n\nIf the system administrator (SA) can demonstrate that the required configuration is contained in a PAM configuration file included or substacked from the system-auth file, this is not a finding.", "fixtext": "If PAM is managed with authselect, use the following command to remove instances of \"nullok\":\n\n$ sudo authselect enable-feature without-nullok\n\nOtherwise, remove any instances of the \"nullok\" option in the \"/etc/pam.d/password-auth\" and \"/etc/pam.d/system-auth\" files to prevent logons with empty passwords.\n\nNote: Manual changes to the listed file may be overwritten by the \"authselect\" program."}}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Prevent Login to Accounts With Empty Password", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/rule.yml", "template": null}