6.1.3 Ensure permissions on /etc/shadow are configured

Information

The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information.

If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts.

Solution

Run the following commands to set owner, group, and permissions on /etc/shadow :

# chown root:root /etc/shadow

# chmod u-x,g-wx,o-rwx /etc/shadow

See Also

https://workbench.cisecurity.org/benchmarks/8498

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: aa0017de0a2d515e12d0b0cab8e023b397d698207c595ca067c24141378b1f32