
Verify Permissions and Ownership of Old Passwords File

An XCCDF Rule

Description

To properly set the owner of /etc/security/opasswd, run the command:

$ sudo chown root /etc/security/opasswd

To properly set the group owner of /etc/security/opasswd, run the command:

$ sudo chgrp root /etc/security/opasswd

To properly set the permissions of /etc/security/opasswd, run the command:

$ sudo chmod 0600 /etc/security/opasswd

Rationale

The /etc/security/opasswd file stores the hashes of users' previous passwords so that the PAM password-history mechanism (pam_pwhistory, or pam_unix with the remember= option) can refuse reuse of a recent password. Those hashes are as sensitive as the ones in /etc/shadow: a user who can read the file can attack them offline, and old passwords are frequently close variants of the current one. The file should therefore exist, be owned by root:root and be readable and writable only by root (mode 0600).

ID
xccdf_org.ssgproject.content_rule_file_etc_security_opasswd
Severity
Medium

Remediation - Ansible

- name: Ensure /etc/security/opasswd exists and has the correct permissions
  file:
    path: /etc/security/opasswd
    owner: root
    group: root
    # 0600 as an octal string; the bare integer 384 is the same mode in
    # decimal but is easy to misread.
    mode: '0600'
    # Without state: touch the file module fails when the path does not
    # exist yet; preserving the timestamps keeps the task idempotent.
    state: touch
    modification_time: preserve
    access_time: preserve

Remediation - Shell Script


# Create /etc/security/opasswd if it does not exist yet, then set
# owner, group and mode to root:root 0600
[ -f /etc/security/opasswd ] || touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 0600 /etc/security/opasswd
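The description and the remediation scripts above only set the attributes; the rule is titled "Verify", so an audit counterpart is useful too. The function below is an added example written for this page, not part of the SSG rule content or its OVAL check. It reports whether a file has the expected owner, group and mode without changing anything, and takes the path and expected values as parameters (defaulting to root:root 0600) so it can be exercised on a scratch file by an unprivileged user. It assumes GNU coreutils stat(1) with the -c option, which is the case on the Linux systems this rule targets.

```shell
#!/bin/sh
# Added example (not SSG code): audit a file for the owner, group and mode
# the rule requires. Prints PASS/FAIL lines and returns 0 only when all
# three attributes match. Assumes GNU stat(1) (the -c format option).

check_file_perms() {
    # $1 = path, $2 = expected owner (default root),
    # $3 = expected group (default root), $4 = expected octal mode (default 0600)
    path=$1
    want_user=${2:-root}
    want_group=${3:-root}
    want_mode=${4:-0600}
    status=0

    if [ ! -f "$path" ]; then
        echo "FAIL: $path does not exist"
        return 1
    fi

    # %U and %G print the symbolic owner and group; %a prints the mode in
    # octal without a leading zero (600 rather than 0600).
    have_user=$(stat -c %U "$path")
    have_group=$(stat -c %G "$path")
    have_mode=$(stat -c %a "$path")

    [ "$have_user" = "$want_user" ] || {
        echo "FAIL: $path is owned by $have_user, expected $want_user"
        status=1
    }
    [ "$have_group" = "$want_group" ] || {
        echo "FAIL: $path has group $have_group, expected $want_group"
        status=1
    }
    # Compare the modes numerically (a leading 0 makes the shell parse the
    # constant as octal) so that 600 and 0600 are treated as equal.
    [ $((0$have_mode)) -eq $((0$want_mode)) ] || {
        echo "FAIL: $path has mode $have_mode, expected $want_mode"
        status=1
    }

    [ "$status" -eq 0 ] && echo "PASS: $path is $want_user:$want_group $want_mode"
    return "$status"
}

# When invoked directly with a path (and optionally owner, group, mode),
# audit that file; e.g. ./check.sh /etc/security/opasswd
[ $# -gt 0 ] && check_file_perms "$@"
```

A non-zero exit status from the function means the system does not comply and the chown/chgrp/chmod commands from the description are needed; because the check reads the attributes and never writes them, it is safe to run from a scan or a cron job.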