HIGH H2: PAM Empty Passwords P1
Overview
This remediation disables the nullok option in PAM (Pluggable Authentication Modules) configuration, preventing authentication with empty passwords.
Settings
| Setting | Description |
|---|---|
| no-empty-passwords | Disable nullok in PAM system-auth and password-auth |
Implementation
The remediation applies a MachineConfig that modifies PAM configuration files to remove the nullok option:
```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-pam-auth-high
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/pam.d/system-auth
          mode: 0644
          overwrite: true
          contents:
            source: data:text/plain;charset=utf-8;base64,...
        - path: /etc/pam.d/password-auth
          mode: 0644
          overwrite: true
          contents:
            source: data:text/plain;charset=utf-8;base64,...
```
The PAM files are configured to require proper authentication without allowing empty passwords.
Compliance Checks Remediated
This group addresses the following compliance checks:
| Check | Profile | Description | Docs |
|---|---|---|---|
| rhcos4-e8-worker-no-empty-passwords | E8 | Prevent empty password authentication (worker) | 📖 |
| rhcos4-e8-master-no-empty-passwords | E8 | Prevent empty password authentication (master) | 📖 |
Source Remediation Files
- high/rhcos4-e8-worker-no-empty-passwords.yaml
- high/rhcos4-e8-master-no-empty-passwords.yaml
Verification
After applying the MachineConfig, verify PAM configuration on a node:
```shell
oc debug node/<node-name> -- chroot /host grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth
# Expected: No output (nullok should not be present)
```
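The two steps the remediation relies on, stripping `nullok` from the PAM control lines and embedding the cleaned file as the base64 `data:` URL the Ignition `source:` field expects, can be reproduced locally before a MachineConfig is rolled out. The following POSIX shell is an added example, not part of the remediation repository; it assumes `sed`, `grep`, `base64` and `mktemp` from coreutils, and the PAM fragment it works on is a constructed sample modelled on a RHEL-style `system-auth`, not content copied from a node.

```shell
#!/bin/sh
# Added example: sanitise a PAM file (remove the nullok option), verify the
# result the way the grep check above does, and build the Ignition data: URL.
# Assumes POSIX sh plus sed, grep, base64 and mktemp from coreutils.

# Print the file with every "nullok" option removed from non-comment lines.
# Word boundaries are checked so options such as "nullok_secure" style names
# or substrings inside other tokens are left untouched.
strip_nullok() {
  sed -E '/^[[:space:]]*#/!s/[[:space:]]+nullok([[:space:]]|$)/\1/g' "$1"
}

# Return 0 if nullok is still present on a non-comment line, 1 otherwise.
# Comments are skipped so a commented-out line does not produce a false positive.
pam_has_nullok() {
  grep -Ev '^[[:space:]]*#' "$1" | grep -Eq '(^|[[:space:]])nullok([[:space:]]|$)'
}

# Print the value for an Ignition "contents.source" field embedding the file.
# tr strips the line wrapping base64(1) inserts, which the URL must not contain.
pam_data_url() {
  printf 'data:text/plain;charset=utf-8;base64,%s\n' "$(base64 "$1" | tr -d '\n')"
}

# Walk through the procedure on a constructed sample (not a real node file).
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/system-auth" <<'EOF'
# constructed sample; a comment mentioning nullok must not count as a finding
auth        sufficient    pam_unix.so nullok try_first_pass
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
account     required      pam_unix.so
EOF
  strip_nullok "$tmp/system-auth" > "$tmp/system-auth.fixed"
  pam_has_nullok "$tmp/system-auth" && echo "before: nullok present"
  pam_has_nullok "$tmp/system-auth.fixed" || echo "after: nullok removed"
  pam_data_url "$tmp/system-auth.fixed"
  rm -rf "$tmp"
}

demo
```

When the verification grep above finds nothing it exits with status 1, which `oc debug` will report as a non-zero exit even though that is the expected result; `pam_has_nullok` keeps that convention (0 means a finding) so it can be used directly in an `if`.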
Security Impact
Disabling empty passwords ensures that:
- Every local account must authenticate with a non-empty password
- SSH and console logins that go through PAM cannot succeed for an account with an empty password
- The CIS and Essential Eight (E8) benchmark checks listed above are satisfied