| # CIS 6.1.3 Ensure permissions on /etc/shadow are configured |
| # |
| # Description |
| # =========== |
| # The /etc/shadow file is used to store the information about user accounts |
| # that is critical to the security of those accounts, such as the hashed |
| # password and other security information. |
| # |
| # Rationale |
| # ========= |
| # If attackers can gain read access to the /etc/shadow file, they can easily |
| # run a password cracking program against the hashed password to break it. |
| # Other security information that is stored in the /etc/shadow file (such |
| # as expiration) could also be useful to subvert the user accounts. |
| # |
| # Audit |
| # ===== |
| # Run the following command and verify Uid is 0/root , Gid is <gid>/shadow , |
| # and Access is 640 or more restrictive: |
| # |
| # # stat /etc/shadow |
| # Access: (0640/-rw-r-----) Uid: (0/root) Gid: (42/shadow) |
| # |
| # Remediation |
| # =========== |
| # Run the one following commands to set permissions on /etc/shadow : |
| # |
| # # chown root:shadow /etc/shadow |
| # # chmod o-rwx,g-wx /etc/shadow |
| # |
| parameters: |
| linux: |
| system: |
| file: |
| /etc/shadow: |
| user: 'root' |
| group: 'shadow' |
| mode: '0640' |
| |