Skip to content

Verify Permissions on shadow File

An XCCDF Rule

Description

To properly set the permissions of /etc/shadow, run the command:

$ sudo chmod 0640 /etc/shadow

Rationale

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

ID
xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
Severity
Medium
References
Updated



Remediation - Ansible

- name: Test for existence /etc/shadow
  stat:
    path: /etc/shadow
  register: file_exists
  tags:
  - CCE-91479-6

Remediation - Shell Script






chmod u-xs,g-xws,o-xwrt /etc/shadow