6.1.6 Ensure permissions on /etc/shadow are configured

Information

The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information.

Rationale:

If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed password to break it. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert the user accounts.

Solution

Run one of the following commands to set ownership of /etc/shadow to root and group to either root or shadow:

# chown root:root /etc/shadow
# chown root:shadow /etc/shadow

Run the following command to remove excess permissions form /etc/shadow:

# chmod u-x,g-wx,o-rwx /etc/shadow

See Also

https://workbench.cisecurity.org/files/3208

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(6), CSCv6|3.1, CSCv6|16.14

Plugin: Unix

Control ID: ae529e8bc3a8c203d252f34980e5a70b5b280680d2957de5f05349f3a732803f