767 B
767 B
Ubuntu 14.04 allows accounts with null passwords to authenticate via PAM by default. This STIG requires that those login attempts are blocked.
In Ubuntu, this functionality is controlled by the
nullok_secure parameter found in
/etc/pam.d/common-auth. The Ansible task for this STIG will
remove the nullok_secure from the PAM configuration file.
The effects of the change are immediate and no service restarts are
required.
However, deployers can opt-out of this change by adjusting an Ansible variable:
pam_remove_nullok: noSetting the variable to yes (the default) will cause the
Ansible tasks to remove the nullok_secure parameter while
setting the variable to no will leave the PAM configuration
unchanged.