NACM: Add default deny rule for reading password hash

This fix #499

src/confd/share/factory.d/10-nacm.json

@@ -1,5 +1,6 @@
 {
     "ietf-netconf-acm:nacm": {
+	"enable-nacm": true,
 	"groups": {
 	    "group": [
 		{
@@ -25,6 +26,19 @@
 			"comment": "Allow 'admin' group complete access to all operations and data."
 		    }
 		]
+	    },
+	    {
+		"name": "default-deny-all",
+		"group": ["*"],
+		"rule": [
+		    {
+			"name":  "deny-password-read",
+			"module-name": "ietf-system",
+			"path": "/ietf-system:system/authentication/user/password",
+			"access-operations": "*",
+			"action": "deny"
+		    }
+		]
 	    }
 	]
     }