diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml
index 35dffe1f94d3..78a18739de13 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/ansible/shared.yml
@@ -4,7 +4,7 @@
# complexity = low
# disruption = medium
{{% if 'ubuntu' in product %}}
-{{%- set pam_config_paths = "['/etc/pam.d/common-password']" %}}
+{{%- set pam_config_paths = "['/etc/pam.d/common-auth', '/etc/pam.d/common-password']" %}}
{{% else %}}
{{%- set pam_config_paths = "['/etc/pam.d/system-auth', '/etc/pam.d/password-auth']" -%}}
{{% endif %}}
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
index e235cdbdd4ab..90a9c6de3992 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/bash/shared.sh
@@ -25,6 +25,18 @@ sed -i -E '/^Password-Initial:/,/^[^[:space:]]/ {
}
}' "$config_file"
+sed -i -E '/^Auth:/,/^[^[:space:]]/ {
+ /pam_unix\.so/ {
+ s/\s*nullok//g
+ }
+}' "$config_file"
+
+sed -i -E '/^Auth-Initial:/,/^[^[:space:]]/ {
+ /pam_unix\.so/ {
+ s/\s*nullok//g
+ }
+}' "$config_file"
+
DEBIAN_FRONTEND=noninteractive pam-auth-update
{{% else %}}
if [ -f /usr/bin/authselect ]; then
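Review bot: The two new `s/\s*nullok//g` substitutions in the `Auth:` and `Auth-Initial:` ranges match `nullok` as a bare substring, so a longer option such as the Debian-specific `nullok_secure` (if still accepted by pam_unix on the targeted releases) would be reduced to a stray `_secure` token instead of being removed; the pre-existing `Password*` substitutions above the hunk have the same shape. Anchoring the pattern, `s/\s*nullok(_secure)?\b//g`, strips both spellings cleanly and touches nothing else, and `\b` is a GNU extension just like the `\s` already used here. The four sed invocations differ only in their range start, so a single call with `/^(Auth|Auth-Initial|Password|Password-Initial):/,/^[^[:space:]]/` would keep the list of stanzas in one place. `config_file` is assigned above the hunk.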
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml
index ddbde376b499..ac2fc52abd05 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/oval/shared.xml
@@ -15,7 +15,7 @@
{{% if 'sle' in product or 'slmicro' in product %}}
$ grep pam_unix.so /etc/pam.d/* | grep nullok{{% elif 'ubuntu' in product %}} -
grep nullok /etc/pam.d/common-password+
grep nullok /etc/pam.d/common-auth /etc/pam.d/common-password{{% else %}}
$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth{{% endif %}}
@@ -72,10 +72,10 @@ ocil: |-
 prevent logins with empty passwords.
 fixtext: |-
- Configure {{{ full_name }}} in the {{% if 'ubuntu' in product %}}common-password file {{% else %}}system-auth and password-auth files {{% endif %}} to not allow null
+ Configure {{{ full_name }}} in the {{% if 'ubuntu' in product %}}common-auth and common-password files {{% else %}}system-auth and password-auth files {{% endif %}} to not allow null
 passwords.
 {{% if 'ubuntu' in product %}}
- Remove any instances of the "nullok" option in "/etc/pam.d/common-password"
+ Remove any instances of the "nullok" option in "/etc/pam.d/common-auth" and "/etc/pam.d/common-password"
 {{% else %}}
 Remove any instances of the "nullok" option in the "/etc/pam.d/system-auth" and "/etc/pam.d/password-auth" files
@@ -85,7 +85,7 @@ fixtext: |-
 Note: Manual changes to the listed file may be overwritten by the "authselect" program.
 srg_requirement: |-
- '{{{ full_name }}} must not allow blank or null passwords in the {{% if 'ubuntu' in product %}} common-password file.{{% else %}} system-auth file nor
+ '{{{ full_name }}} must not allow blank or null passwords in the {{% if 'ubuntu' in product %}} common-auth and common-password files.{{% else %}} system-auth file nor
 password-auth. {{% endif %}}'
 warnings:
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh
index 6f56a2e0ddae..d1bfb5fc8de3 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/no_nullok.pass.sh
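Review bot: The new ocil line `grep nullok /etc/pam.d/common-auth /etc/pam.d/common-password` also matches commented-out occurrences, such as the trailing `# nullok` that the nullok_commented.pass.sh fixture in this same commit treats as compliant, so an assessor following it by hand would record a finding the automated check does not. Restricting the match to text before any `#`, `grep -E '^[^#]*nullok' /etc/pam.d/common-auth /etc/pam.d/common-password`, keeps the manual procedure consistent with the fixture. The hunks that follow on this line read as rule.yml content although the file header above names oval/shared.xml, which looks like an extraction artifact rather than something in the commit.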
@@ -12,9 +12,9 @@ Priority: 257
 Conflicts: unix
 Auth-Type: Primary
 Auth:
- [success=end default=ignore] pam_unix.so nullok try_first_pass
+ [success=end default=ignore] pam_unix.so try_first_pass
 Auth-Initial:
- [success=end default=ignore] pam_unix.so nullok
+ [success=end default=ignore] pam_unix.so
 Account-Type: Primary
 Account:
 [success=end new_authtok_reqd=done default=ignore] pam_unix.so
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh
index 1c20026e7dd0..9c2ed1c87f26 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_commented.pass.sh
@@ -12,9 +12,9 @@ Priority: 257
 Conflicts: unix
 Auth-Type: Primary
 Auth:
- [success=end default=ignore] pam_unix.so nullok try_first_pass
+ [success=end default=ignore] pam_unix.so try_first_pass # nullok
 Auth-Initial:
- [success=end default=ignore] pam_unix.so nullok
+ [success=end default=ignore] pam_unix.so # nullok
 Account-Type: Primary
 Account:
 [success=end new_authtok_reqd=done default=ignore] pam_unix.so
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_auth.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_auth.fail.sh
new file mode 100644
index 000000000000..4468cb808777
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_auth.fail.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_unix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 257
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so nullok try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so nullok
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password.fail.sh
new file mode 100644
index 000000000000..29e3cf57fcb9
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_empty_passwords/tests/nullok_present_password.fail.sh
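Review bot: The fixture is written with an unquoted here-document delimiter, `cat << EOF > "$config_file"`, so the shell performs parameter and command substitution on the profile body; nothing in the body contains `$` today, but quoting the delimiter, `cat <<'EOF' > "$config_file"`, makes the profile literal by construction and protects it against later edits that add such characters. The same applies to the identical construct in nullok_present_password.fail.sh. Since the script has no `set -e`, a failed write or a non-zero `pam-auth-update` would not stop it; adding `set -e` after the shebang would make a broken fixture fail loudly rather than silently exercising the stock profile.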
@@ -0,0 +1,35 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+# packages = pam
+
+config_file=/usr/share/pam-configs/tmp_unix
+
+cat << EOF > "$config_file"
+Name: Unix authentication
+Default: yes
+Priority: 257
+Conflicts: unix
+Auth-Type: Primary
+Auth:
+ [success=end default=ignore] pam_unix.so try_first_pass
+Auth-Initial:
+ [success=end default=ignore] pam_unix.so
+Account-Type: Primary
+Account:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Account-Initial:
+ [success=end new_authtok_reqd=done default=ignore] pam_unix.so
+Session-Type: Additional
+Session:
+ required pam_unix.so
+Session-Initial:
+ required pam_unix.so
+Password-Type: Primary
+Password:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt nullok
+Password-Initial:
+ [success=end default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt nullok
+EOF
+
+DEBIAN_FRONTEND=noninteractive pam-auth-update
+rm "$config_file"