iCompaas Support

Profile Applicability:
Level 1

Description:
 The /etc/shadow file stores user password hashes and related information. Empty password fields indicate accounts with no password set, which pose a serious security risk by allowing unauthorized access.

Rationale:
 Ensuring password fields are not empty prevents accounts from being accessed without authentication, thereby enhancing system security.

Impact:
 Pros:

• Prevents unauthorized access via passwordless accounts.
  

• Strengthens overall authentication controls.
  

Cons:

• Accounts with empty passwords may be service or system accounts needing special handling.
  

Default Value:
 Password fields may be empty due to misconfiguration or legacy accounts.

Pre-requisites:

• Root or sudo privileges to audit and modify user accounts.
  

Remediation:

Test Plan:

Using Linux command line:

1. Identify accounts with empty password fields in /etc/shadow:   

awk -F: '($2 == "" ) {print $1}' /etc/shadow

2. Verify that the list is empty.

Implementation Plan:

Using Linux command line:

1. For accounts with empty passwords, set a secure password or disable the account:   

passwd <username>
passwd -l <username>  # To lock the account if needed

2. Verify changes are applied.

Backout Plan:

Using Linux command line:

1. Restore previous password states from backups if necessary.
   

2. Communicate with affected users about password changes.
   
   

References:

• CIS Amazon Linux 2 Benchmark v3.0.0
  

• NIST SP 800-53 Revision 5 - IA-5