Description
If any password hashes are stored in /etc/passwd (in the second field, instead of an x or *), the cause of this misconfiguration should be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely.
Rationale
The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, which is readable by all users.
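One way to audit for this condition is sketched below. It is an added example, not the rule's own check content. The function names find_unshadowed and make_sample and the sample records are constructed for illustration, and the script assumes that an empty second field (no hash present) is a separate finding and that NIS compat entries beginning with + or - should be skipped.

```shell
#!/bin/sh
# Added example: report accounts whose /etc/passwd password field holds
# something other than the shadow placeholders "x" or "*".

# find_unshadowed FILE
# Prints "line:account" for each offending record. The field value itself is
# never printed, so a hash does not end up in scrollback or audit logs.
find_unshadowed() {
    awk -F: '
        $0 == "" || /^#/ { next }   # skip blank lines and comments
        /^[+-]/          { next }   # skip NIS compat entries (assumption)
        NF < 7           { next }   # not a well-formed passwd record
        # Empty field means no hash is stored; treated as a separate finding.
        $2 != "x" && $2 != "*" && $2 != "" { print NR ":" $1 }
    ' "$1"
}

# Constructed sample records (not taken from a real system).
make_sample() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE:1001:1001::/home/legacy:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
+::::::
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
make_sample > "$sample"
find_unshadowed "$sample"
rm -f "$sample"
```

On a live system, call find_unshadowed /etc/passwd; any output identifies accounts to investigate as the description above directs.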
- ID
xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed
- References
CSC: Critical Security Controls
CJIS: Criminal Justice Information Services Security Policy
COBIT®: Control Objectives for Information and Related Technologies
SP 800-171 Rev. 1: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
ISA-62443-2-1-2009, Security for Industrial Automation and Control Systems Part 2-1: Establishing an Industrial Automation and Control Systems Security Program
ANSI/ISA-62443-3-3 (99.03.03)-2013 Security for industrial automation and control systems Part 3-3: System security requirements and security levels
ISM: Information Security Manual
NIST Special Publication 800-53 (Revision 4): Security and Privacy Controls for Federal Information Systems and Organizations
Framework for Improving Critical Infrastructure Cybersecurity
PCI DSS v3: Payment Card Industry Data Security Standard
PCI DSS v4: Payment Card Industry Data Security Standard