Skip to content

5.3.3.4.1 Ensure pam_unix does not include nullok

Audit#

Run the following command to verify that the nullok argument is not set on the pam_unix.so module: 

# grep -PHs -- '^\h*[^#\n\r]+\h+pam_unix\.so\h+([^#\n\r]+\h+)?nullok\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive}
Nothing should be returned

Remediation#

Run the following command: 

# grep -PH -- '^\h*([^#\n\r]+\h+)?pam_unix\.so\h+([^#\n\r]+\h+)?nullok\b' /usr/share/pam-configs/*

Edit any files returned and remove the nullok argument for the pam_unix lines Example File: 

Name: Unix authentication
Default: yes
Priority: 256
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_unix.so try_first_pass # <- **ensure line does not include nullok nullok**
Auth-Initial:
[success=end default=ignore] pam_unix.so # <- **ensure line does not include nullok nullok**
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Account-Initial:
[success=end new_authtok_reqd=done default=ignore] pam_unix.so
Session-Type: Additional
Session:
required pam_unix.so
Session-Initial:
required pam_unix.so
Password-Type: Primary
Password:
[success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
Password-Initial:
[success=end default=ignore] pam_unix.so obscure yescrypt

Run the following command to update the files in the /etc/pam.d/ directory: 

# pam-auth-update --enable <MODIFIED_PROFILE_NAME>

Example: 

# pam-auth-update --enable pwhistory

Note: If custom files are being used, the corresponding files in /etc/pam.d/ would need to be edited directly, and the pam-auth-update --enable command skipped