If an account is configured for password authentication however does not have an assigned password, it could be possible to log onto the account without authentication. If an account has an empty password, anyone could log in and run commands with the privileges of that account and cause some serious damage. As a Linux administrator, one should always ensure that accounts with empty passwords are not used in an operational environment. This vulnerability is also categorized as “high-impact” by OSCAP (Open Security Content Automation Protocol).
If you are building your Linux VMs using a base template, if not already, you should immediately update the image to prevent empty passwords.
Fixing the vulnerability in operational environment
Now, fortunately, it is considerably easy to automate the checks for empty password in your operational Oracle Linux environment and fix this vulnerability using the power of Ansible and Jenkins.
The Ansible playbooks to identify users who do not have a password assigned and to fix the vulnerability on running Oracle Linux VMs can be obtained from my GitHub repository.
Once you have obtained the code, the next step would be to automate the execution of these playbooks using Jenkins. Follow the below simple steps to configure and automate these tasks.
Get a report of users with empty password:
Generating a report of users with empty password would prepare you and ensure that appropriate steps are taken before the fix is implemented to avoid any unwanted downtime or, application issues.
- Login to Jenkins and create a new item/ project.
- Add a new build step to call the ansible playbook named “Check-Users-empty-passwd.yml“.
- Ensure that access to the job is only limited to administrators. (You do not want to accidentally expose the vulnerability).
- Optionally add the host subset variable to execute the task on a subset of hosts.
- Click on Save and build the job!
(Caution: Consult your engineered systems team or, Oracle support before executing the playbook on engineered systems)
Prevent login with empty password:
Obtain the playbook named “Prevent_Login_With_Empty_Password.yml” from GitHub. Follow the above steps to configure a job in Jenkins to fix the vulnerability.
Although, fixing this vulnerability does not require a downtime, please ensure that you have scanned the report of users with empty passwords before executing this step!
Hope this helps!