TOSS 5 must not allow blank or null passwords.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-282737TOSS-05-000331SV-282737r1201191_ruleCCI-000366high
Description
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
STIGDate
Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide2026-04-01

Details

Check Text (C-282737r1201191_chk)

Verify null passwords cannot be used by running the following command: $ sudo grep -i nullok /etc/pam.d/system-auth /etc/pam.d/password-auth If an output is produced, this is a finding.

Fix Text (F-87203r1201190_fix)

Remove any instances of the "nullok" option in the "/etc/pam.d/password-auth" and "/etc/pam.d/system-auth" files to prevent logons with empty passwords. Note: Manual changes to the listed file may be overwritten by the "authselect" program.