George,

If you are a direct feed customer, you could make use of Nessus compliance features to audit for passwordless accounts.

To detect "passwordless" accounts you would have to audit "/etc/shadow" for accounts with the second field empty. Such checks have been implemented in our published "CIS Red Hat" and "PCI" compliant policies, which can be downloaded from our website. However, it should be noted that this check can't be reliably applied across *nix systems. For example, on a SuSE system I noticed that for accounts with an empty password the second field within "/etc/shadow" was filled with arbitrary characters, which I presume is the encrypted hash value of a null/empty password.

- Mehul

> -------- Original Message --------
> Subject: Check for passwordless accounts?
> Date: Mon, 17 Sep 2007 20:29:49 -0400
> From: Kofoed, George x55379 <[EMAIL PROTECTED]>
> To: [email protected]
>
> Hello;
>
> Is it possible to configure Nessus to check for "passwordless" accounts
> on any platform?
>
> George

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
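The empty-second-field check described in the reply above, as an added example that is not part of the original thread and is not code from any Nessus policy. The function names and the sample shadow lines are constructed for illustration; the treatment of a leading "!" or "*" as a locked entry follows the shadow(5) convention and is not discussed in the thread.

```python
# Added example: classify the password field of shadow(5)-format lines.
# SAMPLE_SHADOW is constructed data, not taken from a real system.
SAMPLE_SHADOW = """\
root:$6$saltsalt$Zm9vYmFy:13773:0:99999:7:::
daemon:*:13773:0:99999:7:::
guest::13773:0:99999:7:::
svc:!:13773:0:99999:7:::
olduser:!$6$saltsalt$Zm9vYmFy:13773:0:99999:7:::
broken-line-without-fields
"""


def classify_field(pw):
    """Classify the second (password) field of a shadow entry."""
    if pw == "":
        return "EMPTY"    # no password required: the case the reply audits for
    if pw.startswith(("!", "*")):
        return "LOCKED"   # shadow(5) convention: password login disabled
    # A stored hash. It may still be the hash of an empty password (the SuSE
    # observation in the reply); the field alone cannot show that.
    return "HASH"


def audit_shadow(text):
    """Return ({user: status}, [line numbers that could not be parsed])."""
    findings, malformed = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            malformed.append(lineno)  # report rather than silently skip
            continue
        findings[fields[0]] = classify_field(fields[1])
    return findings, malformed


def passwordless(text):
    """Accounts whose password field is literally empty."""
    findings, _ = audit_shadow(text)
    return sorted(user for user, status in findings.items() if status == "EMPTY")


if __name__ == "__main__":
    results, bad_lines = audit_shadow(SAMPLE_SHADOW)
    for user, status in results.items():
        print(f"{user:10s} {status}")
    print("unparsed lines:", bad_lines)
```

An account reported as HASH is not thereby confirmed to have a non-empty password, which is the reliability limit the reply points out.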
