Wednesday, October 13, 2004

Empty Password Field in /etc/shadow

The next topic I want to cover is verifying that there are no empty passwords in the /etc/shadow file. Why is this important?

Any account that has an empty password is open for anyone to log into. Part of the security of a Linux system is ensuring that every account belongs to a legitimate user and that no one has access beyond what they need. Open user accounts are security risks that are easily preventable. One way an attacker could use this is to set up a fake account that has root privileges through sudo. Then any time they need to access your system they log on through the fake account and never have to remember a password.

One way to check this is to go through the /etc/passwd file and look for any account that has a blank password field. Another is to use the command

awk -F: '($2 == "") { print $1 }' /etc/shadow

This command returns every user account whose password field is empty. (The awk program must be in single quotes; back ticks would make the shell try to run it as a command.) If no lines are returned, then no account on the system has an empty password.
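The check above, as an added example that is not part of the original post: a small shell script that runs the same awk test against a constructed /etc/shadow-format file, and also separates empty fields from locked accounts (a password field starting with "*" or "!" cannot be logged into, so it is not a problem) and from normal hashed entries. The sample entries are made up for illustration; point the functions at the real /etc/shadow (as root) to audit a live system.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format:
#   name:password:lastchg:min:max:warn:inactive:expire:reserved
# These are made-up entries for illustration only, not from a real system.
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$hashhashhash:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
sync:!:16000:0:99999:7:::
svcacct::16000:0:99999:7:::
alice:$6$othersalt$otherhash:16000:0:99999:7:::
bob::16000:0:99999:7:::
EOF

# Print the login names whose password field ($2, with -F: splitting on colons) is empty.
# This is the one-liner from the post, wrapped in a function that takes the file to inspect.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Classify every entry so the auditor can tell an empty field (anyone can log in)
# from a locked account ("*" or "!" prefix, cannot log in) and a normal hashed password.
classify_accounts() {
    awk -F: '
        $2 == ""     { print $1 ": EMPTY (no password required)"; next }
        $2 ~ /^[*!]/ { print $1 ": LOCKED"; next }
                     { print $1 ": HASHED" }
    ' "$1"
}

# Return 1 if any account has an empty password field, 0 otherwise,
# so the check can be dropped into a cron job or audit script.
check_no_empty_passwords() {
    if [ -n "$(empty_password_accounts "$1")" ]; then
        return 1
    fi
    return 0
}

echo "Accounts with empty password fields:"
empty_password_accounts "$SAMPLE_SHADOW"
echo
echo "All accounts classified:"
classify_accounts "$SAMPLE_SHADOW"
echo
if check_no_empty_passwords "$SAMPLE_SHADOW"; then
    echo "OK: no empty password fields"
else
    echo "WARNING: at least one account has an empty password field"
fi
```

On the constructed sample the first function lists svcacct and bob; daemon and sync are reported as locked rather than empty, which is the distinction a plain eyeball of the file can miss.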

Monday, October 11, 2004

User Accounts tips

For the next several posts I want to focus on user accounts and the user environment. Most of what I want to cover is how to ensure that your system is safe from users going beyond what they are authorized to do within the system. Some of the tips cover ensuring that proper expiration parameters are set for user accounts; other tips help verify that users can't access resources within a system that they don't have permission to access.

The first tip is to go through the /etc/passwd file and verify that there are no user accounts that don't belong and that system accounts are not being misused. There is one command that helps here: finger `sort /etc/passwd | cut -d: -f1` | less. The finger command displays information relating to the last time an account was used, so this command lists each user ID and checks its last login time. Note that the quotes around the inner command are back ticks, not single quotes; the back tick shares a key with the tilde (~). (cut needs -d: to split on colons and -f1 to select the first field, the user name.)
The Linux system also has a utility called lastlog that displays the last time each user logged in. The command to use it is simply lastlog.

These commands list when someone last logged into each account. Accounts which haven't been used should be checked to see whether they still need to exist. System accounts should never show someone logging into them. If you do see a login on a system account, the first thing to do is verify that no shell is available for system accounts, and if there is one, change the shell to /dev/null. Changing the shell to /dev/null prevents anyone from using a system account to log into the system and be given its privileges.

Finally, the command pwck should be run to check for basic integrity, such as ensuring that the right number of fields are present and that each name is unique. For the group file, use grpck.
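The two file-based checks described in this post (system accounts that still have a usable login shell, and the field-count and uniqueness checks that pwck performs), as an added example that is not part of the original post. It runs against a constructed /etc/passwd-format file; the UID cutoff of 999 for "system account" is an assumption (most current distributions start ordinary users at 1000), and besides /dev/null from the post it treats /sbin/nologin, /usr/sbin/nologin and /bin/false as non-login shells. The last-login lookup via finger or lastlog needs a live system and is not reproduced here.

```shell
#!/bin/sh
# Constructed sample in /etc/passwd format: name:passwd:uid:gid:gecos:home:shell
# Made-up entries for illustration; the last two are deliberately malformed.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/dev/null
bin:x:2:2:bin:/bin:/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
alice:x:1001:1001:Duplicate name:/home/alice2:/bin/bash
broken:x:1002:1002:Missing shell field:/home/broken
EOF

# List system accounts (UID 1..maxsys, default 999; root is excluded because an
# interactive shell on UID 0 is expected) whose shell still allows a login.
# Output is name:shell, one per line.
system_accounts_with_shell() {
    awk -F: -v maxsys="${2:-999}" '
        NF == 7 && $3 + 0 != 0 && $3 + 0 <= maxsys + 0 \
            && $7 != "/dev/null" && $7 != "/sbin/nologin" \
            && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" {
            print $1 ":" $7
        }
    ' "$1"
}

# pwck-style integrity check: every line must have exactly 7 fields, and user
# names and UIDs must be unique. seen_*[x]++ is 0 (false) on first sight and
# non-zero afterwards, so the rule fires only on repeats.
passwd_integrity_problems() {
    awk -F: '
        NF != 7         { print "line " NR ": expected 7 fields, found " NF; next }
        seen_name[$1]++ { print "line " NR ": duplicate user name " $1 }
        seen_uid[$3]++  { print "line " NR ": duplicate UID " $3 }
    ' "$1"
}

echo "System accounts that still have a login shell:"
system_accounts_with_shell "$SAMPLE_PASSWD"
echo
echo "Integrity problems:"
passwd_integrity_problems "$SAMPLE_PASSWD"
```

On the sample, only backup is flagged for having a shell (daemon and bin are correctly locked down), and the integrity check reports the duplicated name alice and the line with six fields, which is the kind of damage a hand-edited passwd file picks up and that pwck catches on the real file.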