Spec 2.6 Forbid empty-password users (manual operation).
Description: Empty-password users cannot log in to the system, because these users can be easily found by security scanning software and then serve as channels for invaders to enter the system.
Implementation guide:
A new user must be provided with a password.
# passwd <user name>
View the /the etc/passwd file to check empty-password accounts.
Example:
test::100:9::/home/test:/bin/bash
In the preceding example, the second item is empty, indicating that the test account is an empty-password account.
Location in the SEK tool: Accounts and Password- > Password life time (SEC.LNX.UP.006) -> Lock Users with Empty Password
Answer:
The policy "Lock users with Empty password" will lock all the active users with empty password. This policy does not support rollback. Once locked the system administrator have to find out which of the users are required and unlock it using the command "passwd -u <username>"
The policy "Password life time" does not deal with empty passwords. This policy can be used to set the time after which the password will expire.
The appropriate policy for the above spec will be "Lock users with Empty password"
Question:
I have a empty-password users 'test', I Executed the policy "Lock users with Empty password", but I still can use 'test' login whith empty password. Why?
Security level: high