Guide to the Secure Configuration of openEuler 2203
Verify Proper Storage and Existence of Password Hashes
An XCCDF Group - A logical subset of the XCCDF Benchmark
3 Rules
By default, password hashes for local accounts are stored in the second field (colon-separated) in /etc/shadow. This file should be readable only by processes running with root credentials, preventing users from casually accessing others' password hashes and attempting to crack them. However, it remains possible to misconfigure the system and store password hashes in world-readable files such as /etc/passwd, or even to store passwords themselves in plaintext on the system. Using system-provided tools for password change/creation should allow administrators to avoid such misconfiguration.
All GIDs referenced in /etc/passwd must be defined in /etc/group
Low Severity
Add a group to the system for each GID referenced without a corresponding group.
Verify No .forward Files Exist
Medium Severity
The .forward file specifies an email address to forward the user's mail to.
Verify No netrc Files Exist
Medium Severity
The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers, making them susceptible to access by unauthorized users, and should not be used. Any .netrc files should be removed.
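
An added example, not part of the benchmark or its own check content: read-only shell helpers for the misconfiguration described in the group text (an /etc/passwd password field other than "x") and for the three rules above. The function names, the path arguments and the sample data built by make_sample are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: read-only audit helpers. File paths are arguments so the
# checks can be pointed at copies of the account databases.

# Accounts whose second passwd field is anything other than "x", i.e. the
# field holds a hash, is empty, or holds another marker instead of
# deferring to /etc/shadow. Every hit needs manual review.
unshadowed_accounts() {
    awk -F: '/^#/ || /^$/ { next } $2 != "x" { print $1 }' "${1:-/etc/passwd}"
}

# "user:gid" for every passwd entry whose primary GID has no group entry.
undefined_gids() {
    awk -F: '/^#/ || /^$/ { next }
             FILENAME == ARGV[1] { defined[$3] = 1; next }
             !($4 in defined) { print $1 ":" $4 }' \
        "${2:-/etc/group}" "${1:-/etc/passwd}"
}

# Existing .forward and .netrc files in the home directories listed in passwd.
home_dotfiles() {
    awk -F: '/^#/ || /^$/ { next } $6 != "" { print $6 }' "${1:-/etc/passwd}" |
    sort -u |
    while IFS= read -r home; do
        for name in .forward .netrc; do
            if [ -f "$home/$name" ]; then printf '%s\n' "$home/$name"; fi
        done
    done
}

# Constructed sample data (not from a real system) in a scratch directory.
# Prints the directory path; the caller removes it when done.
make_sample() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/home/alice" "$dir/home/bob"
    : > "$dir/home/bob/.netrc"
    cat > "$dir/group" <<EOF
root:x:0:
users:x:100:
EOF
    cat > "$dir/passwd" <<EOF
root:x:0:0:root:$dir/home/root:/bin/bash
alice:x:1000:100:Alice:$dir/home/alice:/bin/bash
bob:\$6\$constructedsalt\$constructedhash:1001:1001:Bob:$dir/home/bob:/bin/bash
EOF
    printf '%s\n' "$dir"
}
```

Called without arguments, the three check functions read /etc/passwd and /etc/group; home_dotfiles needs enough privilege to look inside other users' home directories.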