6.2.1 Ensure password fields are not empty (Scored)

Profile Applicability

Level 1 - Server
Level 1 - Workstation

Description

An account with an empty password field means that anybody may log in as that user without providing a password.

Rationale

All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.

Audit

Run the following command and verify that no output is returned:

# cat /etc/shadow | awk -F: '($2 == "" ) { print $1 " does not have a password "}'

Remediation

If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password:

# passwd -l <username>

Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off.
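The audit and remediation above as one script, added here as an example and not taken from the benchmark itself. It reuses the benchmark's awk test on field 2 of a shadow-format file (reading the real /etc/shadow requires root), defaults to a dry run so `passwd -l` is only echoed, and checks `who` for a live session of each affected account; the sample shadow file and its account names are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit a shadow-format file for empty password fields (6.2.1)
# and apply the benchmark's remediation (passwd -l) to each hit.

# Print one account name per line where the password field ($2) is empty.
# $1: path to a shadow-format file (default /etc/shadow).
empty_password_accounts() {
    awk -F: '($2 == "") { print $1 }' "${1:-/etc/shadow}"
}

# Lock every account reported by empty_password_accounts.
# With DRY_RUN=1 (the default) passwd is only echoed, so the function can be
# exercised without root and without touching a real account.
lock_empty_password_accounts() {
    shadow_file="${1:-/etc/shadow}"
    empty_password_accounts "$shadow_file" | while read -r user; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "would run: passwd -l $user"
        else
            passwd -l "$user"
        fi
        # Per the remediation text, also report whether the account is logged in.
        who 2>/dev/null | awk -v u="$user" '$1 == u { print u " is logged in on " $2 }'
    done
}

# Constructed sample (not from any real system): "svc" has an empty password
# field; "root" has a hash, "daemon" and "build" are locked with "*" and "!".
make_sample_shadow() {
    sample=$(mktemp)
    printf '%s\n' \
        'root:$6$examplesalt$examplehash:19000:0:99999:7:::' \
        'daemon:*:19000:0:99999:7:::' \
        'svc::19000:0:99999:7:::' \
        'build:!:19000:0:99999:7:::' > "$sample"
    echo "$sample"
}

# Run with --demo to audit and dry-run-lock the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_shadow)
    echo "accounts with an empty password field:"
    empty_password_accounts "$f"
    lock_empty_password_accounts "$f"
    rm -f "$f"
fi
```

Against the real file, run the audit as `empty_password_accounts /etc/shadow` as root; set `DRY_RUN=0` only once you have decided the account should actually be locked.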