tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add 9.2.14 description to benchmark

This commit is contained in:
samson 2018-09-13 03:57:45 +08:00
parent afde20dd49
commit 6f847099f1
1 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
View File

@ -329,6 +329,32 @@ Configure the operating system to store only SHA512 encrypted representations of
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
```
## 9.2.14 Check auth config is not blank or null passwords using pam_unix (scored)
### Profile Applicability
Level 2
### Description
The system must not have accounts configured with blank or null passwords.
### Rationale
If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
### Aduit
To verify that null passwords cannot be used, run the following command:
```
# grep nullok /etc/pam.d/common-auth
# grep nullok_secure /etc/pam.d/common-auth
```
If this produces any output, it may be possible to log on with accounts with empty passwords. If null passwords can be used, this is a finding.
### Remediation
If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" to prevent logons with empty passwords.
```
# sed -ie "s/nullok//" /etc/pam.d/common-auth
# sed -ie "s/nullok_secure//" /etc/pam.d/common-auth
```
## 10.1.4 Set encrypt method (Scored)
### Profile Applicability