6.2.1 Ensure accounts in /etc/passwd use shadowed passwords

Information

Local accounts can use shadowed passwords. With shadowed passwords, the password hashes are stored in the shadow password file, /etc/shadow, encrypted with a salted one-way hash. Accounts with a shadowed password have an x in the second field of /etc/passwd.

The /etc/passwd file also contains information such as user IDs and group IDs that are used by many system programs, so the /etc/passwd file must remain world readable. Even though the password is encoded with a salted one-way hash function, an attacker who obtained a copy of the /etc/passwd file could still break the system. This is mitigated by using shadowed passwords, which moves the password hashes from /etc/passwd to /etc/shadow. The /etc/shadow file is set so that only root can read and write it. This helps mitigate the risk of an attacker gaining access to the encoded passwords with which to perform a dictionary attack.

Note:

- All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.
- A user account with an empty second field in /etc/passwd allows the account to be logged into by providing only the username.
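The field test described above, as an added example that is not part of the benchmark text: a small POSIX shell audit that lists every account whose second field in a passwd-format file is not "x" (including the empty-field case from the note) and reports pass or fail. The sample passwd content and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit a passwd-format file for
# accounts that are not using shadowed passwords. Any second field other than
# "x" is flagged: a legacy hash, an empty field, or a locked marker such as "!".

# Print, one per line, the user names whose password field is not "x".
# Argument 1: path to a passwd-format file (defaults to /etc/passwd).
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "${1:-/etc/passwd}"
}

# Return 0 when every account in the file is shadowed, 1 otherwise.
# This is the pass/fail condition of the control.
check_shadowed_passwords() {
    [ -z "$(unshadowed_accounts "$1")" ]
}

# Constructed sample: three shadowed accounts, one carrying a (fake) hash
# directly in /etc/passwd, and one with an empty password field.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$constructed$notarealhash:1001:1001::/home/legacy:/bin/sh
empty::1002:1002::/home/empty:/bin/sh
alice:x:1003:1003::/home/alice:/bin/bash
EOF

if check_shadowed_passwords "$SAMPLE_PASSWD"; then
    echo "PASS: all accounts use shadowed passwords"
else
    echo "FAIL: accounts not using shadowed passwords:"
    unshadowed_accounts "$SAMPLE_PASSWD"
fi
```

Run against the live system with `check_shadowed_passwords /etc/passwd`; after `pwconv` the legacy entry would move to /etc/shadow, while the empty-field account still needs a password set or the account locked.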

Solution

Run the following command to set accounts to use shadowed passwords and migrate passwords in /etc/passwd to /etc/shadow:

# pwconv

Investigate to determine if the account is logged in and what it is being used for, to determine if it needs to be forced off.

See Also

https://workbench.cisecurity.org/benchmarks/15964

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4

Plugin: Unix

Control ID: 73bcaf0acf16530ad1ade5b2494ea00aec369c23db77b03312349ff8fe8b6dd4