6.2.1 Ensure password fields are not empty (Scored)

Level 1 - Server
Level 1 - Workstation 

An account with an empty password field means that anybody may log in as that user without providing a password.

All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.

Run the following command and verify that no output is returned:

# cat /etc/shadow | awk -F: '($2 == "" ) { print $1 " does not have a password "}'

If any accounts in the /etc/shadow file do not have a password, run the following command to lock the account until it can be determined why it does not have a password:

# passwd -l <username>

Also, check to see if the account is logged in and investigate what it is being used for to determine if it needs to be forced off.

  • ubuntu1604/6/2/1.txt
  • Last modified: 2017/05/04 14:15
  • by 127.0.0.1