From 663bec637557e5778da9e035f6e5a9973dcf9a81 Mon Sep 17 00:00:00 2001
From: Brandon Palm
Date: Tue, 5 May 2026 14:21:26 -0500
Subject: [PATCH] Disable empty password authentication via authselect

Activate authselect with the 'without-nullok' feature to remove the nullok
parameter from pam_unix.so in system-auth and password-auth. This prevents
authentication with empty passwords on RHCOS nodes.

Uses the supported RHEL mechanism (authselect) rather than replacing PAM files
directly. The without-nullok feature was purpose-built for this use case by the
authselect maintainer in 2018:
https://github.com/authselect/authselect/commit/e1fbbdc

RHCOS nodes are managed infrastructure with no legitimate use case for empty
password authentication. Flagged as HIGH severity across all compliance
profiles (E8, CIS, Moderate, PCI-DSS).

Related:
- authselect issue: https://github.com/authselect/authselect/issues/94
- Upstream scanner fix: ComplianceAsCode/content#14602
---
 packages-openshift.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/packages-openshift.yaml b/packages-openshift.yaml
index 1a1d9ae7..3a66a6b3 100644
--- a/packages-openshift.yaml
+++ b/packages-openshift.yaml
@@ -86,6 +86,21 @@ postprocess: semanage boolean --modify --on container_use_cephfs # RHBZ#1694045 semanage boolean --modify --on virt_use_samba # RHBZ#1754825 + # Disable empty password authentication (HIGH severity, all compliance profiles) + # RHCOS nodes are managed infrastructure with no use case for empty passwords. + # The RHEL pam RPM ships nullok by default; authselect's without-nullok feature + # removes it using the supported RHEL mechanism. + # See: https://github.com/authselect/authselect/commit/e1fbbdc + - | + #!/usr/bin/env bash + set -xeuo pipefail + authselect select sssd without-nullok --force + # Verify nullok was actually removed + if grep -q nullok /etc/pam.d/system-auth /etc/pam.d/password-auth; then + echo "ERROR: nullok still present after authselect" >&2 + exit 1 + fi + # https://gitlab.cee.redhat.com/coreos/redhat-coreos/merge_requests/812 # https://bugzilla.redhat.com/show_bug.cgi?id=1796537 - |
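Review bot: `authselect select sssd without-nullok --force` replaces whatever profile and feature set the image has at that point in postprocess, so any other authselect feature the base profile or an earlier step enabled is silently dropped, and `--force` additionally overwrites PAM files that were modified outside authselect without the usual refusal. If a profile is already selected, `authselect enable-feature without-nullok` keeps the existing profile and features and only adds this one; otherwise list every intended feature explicitly on the `select` line so the resulting PAM configuration is stated in one place. On the verification step, `grep -q nullok /etc/pam.d/system-auth /etc/pam.d/password-auth` also matches commented-out lines; `grep -Eq '^[^#]*nullok'` restricts the check to active directives, which is what the commit message actually claims is removed. The check only covers system-auth and password-auth, consistent with the description, so that part is fine as written.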