3c19f00a7f
This patch adds the right tags to each piece of metadata and corrects small errors found in the deployer notes. Closes-bug: 1595669 Change-Id: Ic04aaad85ebf111be5a0bdb01a350442fdea1433
29 lines
810 B
ReStructuredText
29 lines
810 B
ReStructuredText
---
|
|
id: V-38497
|
|
status: implemented
|
|
tag: auth
|
|
---
|
|
|
|
Ubuntu 14.04, Ubuntu 16.04, and CentOS 7 allow accounts with null passwords to
|
|
authenticate via PAM by default. This STIG requires that those login attempts
|
|
are blocked.
|
|
|
|
For Ubuntu, the ``nullok_secure`` option will be removed from ``/etc/pam.d
|
|
/common-auth``.
|
|
|
|
For CentOS, the ``nullok`` option will be removed from ``/etc/pam.d/system-
|
|
auth``.
|
|
|
|
The effects of the change are **immediate** and no service restarts are
|
|
required.
|
|
|
|
Deployers can opt-out of this change by adjusting an Ansible variable:
|
|
|
|
.. code-block:: yaml
|
|
|
|
security_pam_remove_nullok: no
|
|
|
|
Setting the variable to ``yes`` (the default) will cause the Ansible tasks to
|
|
remove the ``nullok_secure`` parameter while setting the variable to ``no``
|
|
will leave the PAM configuration unchanged.
|