6.1.3 Ensure permissions on /etc/shadow are configured

Information

The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information.

Rationale:

If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts.

Solution

Run the following commands to set permissions on /etc/shadow:

# chown root:shadow /etc/shadow
# chmod o-rwx,g-wx /etc/shadow

See Also

https://workbench.cisecurity.org/files/3738

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: ed8972f1357d196b358468748e616a4748f974eccbbe03c64a10b6ce6de70a75