
RE: [Fwd: Check for passwordless accounts?]

Subject: RE: [Fwd: Check for passwordless accounts?]
Date: Tue, 18 Sep 2007 09:09:48 -0400
George,

If you are a direct feed customer you could make use of Nessus compliance
features to audit for passwordless accounts. 

To detect "passwordless" accounts you would have to audit "/etc/shadow"
for accounts with the second field empty. Such checks have been implemented in
our published "CIS Red Hat" and "PCI" compliant policies which can be
downloaded from our website.

However, it should be noted that this check can't be reliably applied across
*nix systems. For example, on a SuSE system I noticed that for accounts with an
empty password the second field within "/etc/shadow" was filled with arbitrary
characters, which I presume is the encrypted hash value of the null/empty
password.

- Mehul



-------- Original Message --------
Subject:      Check for passwordless accounts?
Date:         Mon, 17 Sep 2007 20:29:49 -0400
From:         Kofoed, George x55379 <George.Kofoed@broadridge.com>
To:   nessus@list.nessus.org



Hello;

Is it possible to configure Nessus to check for "passwordless" accounts
on any platform?

George




--
theall@tenablesecurity.com

_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
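
The check described in the reply above (second field of "/etc/shadow" empty), written out as an added example; it is not part of the original thread and is not the code of the Nessus compliance policies. The function names and the sample file are constructed for illustration. Entries that carry a hash are reported as HASH rather than as clean, because, as the reply notes, a populated field does not rule out an empty password.

```shell
#!/bin/sh
# Classify each entry of a shadow-format file by its second (password) field.
# Usage: audit_shadow FILE   -> prints "user:STATUS", one entry per line
#   EMPTY     field is empty: no password is required for the account
#   LOCKED    field starts with "!" or "*": not a usable password hash
#   HASH      a hash is present; it may still be the hash of an empty password
#   MALFORMED line has no ":" separator at all
audit_shadow() {
    awk -F: '
        $0 ~ /^[ \t]*$/ { next }                    # skip blank lines
        NF < 2          { print $1 ":MALFORMED"; next }
        $2 == ""        { print $1 ":EMPTY"; next }
        $2 ~ /^[!*]/    { print $1 ":LOCKED"; next }
                        { print $1 ":HASH" }
    ' "$1"
}

# Accounts that can log in without a password (the check from the reply).
passwordless_accounts() {
    audit_shadow "$1" | awk -F: '$2 == "EMPTY" { print $1 }'
}

# Accounts whose field is populated and must be verified by other means.
unverified_accounts() {
    audit_shadow "$1" | awk -F: '$2 == "HASH" { print $1 }'
}

# Constructed sample in shadow(5) layout; the hash strings are placeholders.
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTEDSALT$constructedhashvalue:13774:0:99999:7:::
daemon:*:13774:0:99999:7:::
guest::13774:0:99999:7:::
backup:!!:13774::::::
suseuser:aBconstructed13:13774:0:99999:7:::
EOF
}

# Demonstration on the constructed sample (use /etc/shadow as root on a host).
demo_file=$(mktemp)
sample_shadow > "$demo_file"
audit_shadow "$demo_file"
rm -f "$demo_file"
```
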
