Profile Applicability:
Level 1

Description:
 Shadowed passwords store user password hashes in /etc/shadow rather than in the second field of /etc/passwd. /etc/passwd must remain world-readable because every process uses it to map UIDs to user names, so any hash kept there is visible to every local user. /etc/shadow is readable only by root (and, on some distributions, a dedicated shadow group), which restricts access to the hashes to privileged users. A shadowed entry in /etc/passwd carries the single character x in the password field as a marker that the real hash lives in /etc/shadow.

Rationale:
 Using shadowed passwords prevents non-privileged users from reading password hashes, which removes the easiest path to offline password cracking (copying hashes from a world-readable file and running a cracker against them) and so reduces the risk of unauthorized access and privilege escalation.

Impact:
 Pros:

  • Protects password hashes from unauthorized access.

  • Enhances overall system authentication security.

 Cons:

  • Requires proper shadow password suite configuration.

Default Value:
 Most modern Linux systems use shadowed passwords by default; however, legacy or misconfigured systems may store passwords in /etc/passwd.

Pre-requisites:

  • Root or sudo privileges to audit and configure password shadowing.

Remediation:

Test Plan:

Using Linux command line:

1. Check for accounts whose password field in /etc/passwd is anything other than the shadow marker x:

awk -F: '($2 != "x") { print $1 " is not set to shadowed passwords" }' /etc/passwd

2. Verify the output is empty. Any name listed has its password material stored directly in /etc/passwd: a hash, an empty field (no password at all), or a locked entry such as "!<hash>". The comparison is an exact match against "x" on purpose; a pattern that also accepts fields beginning with "!" would miss locked accounts whose hash is still world-readable.

3. Confirm that /etc/shadow itself is not readable by unprivileged users (Amazon Linux 2 ships it as mode 0000, owner root:root):

stat -c '%a %U:%G %n' /etc/shadow

Implementation Plan:

Using Linux command line:

1. Migrate to shadowed passwords. The pwconv command is part of shadow-utils, which is installed by default on Amazon Linux 2; install or enable it if it is missing. pwconv creates /etc/shadow if it does not exist, adds a shadow entry for every /etc/passwd account that lacks one, moves each hash out of /etc/passwd and replaces it with x:

pwconv

2. Verify that no hashes remain in /etc/passwd by re-running the audit command from the Test Plan; it should produce no output. Note that pwconv only handles user passwords: group passwords in /etc/group are shadowed separately by grpconv into /etc/gshadow.
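
The audit and verification steps above, written as an added example that is not part of the CIS benchmark or of shadow-utils. It runs the same exact-match check as the Test Plan against constructed passwd and shadow files (the account names, UIDs and hash strings are fake placeholders), and additionally lists accounts that have no /etc/shadow line, which is the state pwconv repairs. On a real host call audit_shadowing /etc/passwd /etc/shadow as root.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or shadow-utils): audit a
# passwd/shadow pair for accounts whose password is not shadowed.
# The sample files below are constructed so the script runs offline.

# Constructed "before remediation" passwd: alice is shadowed, legacy keeps a
# hash in passwd, nopass has an empty password field, locked has a locked
# hash that is nevertheless world-readable. Hashes are fake placeholders.
write_sample_passwd() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$6$c0nstructed$FAKEHASHFAKEHASHFAKEHASH:1001:1001:Legacy:/home/legacy:/bin/bash
nopass::1002:1002:No password:/home/nopass:/bin/bash
locked:!$6$c0nstructed$FAKEHASHFAKEHASHFAKEHASH:1003:1003:Locked:/home/locked:/sbin/nologin
EOF
}

# Constructed shadow file for the sample above: legacy has no entry yet
# (pwconv creates one when it moves the hash out of passwd).
write_sample_shadow() {
  cat > "$1" <<'EOF'
root:$6$c0nstructed$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
alice:$6$c0nstructed$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
nopass::19000:0:99999:7:::
locked:!$6$c0nstructed$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
EOF
}

# Constructed "after pwconv" pair: every passwd password field is x and
# every account has a shadow entry.
write_fixed_passwd() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:x:1001:1001:Legacy:/home/legacy:/bin/bash
nopass:x:1002:1002:No password:/home/nopass:/bin/bash
locked:x:1003:1003:Locked:/home/locked:/sbin/nologin
EOF
}
write_fixed_shadow() {
  cat > "$1" <<'EOF'
root:$6$c0nstructed$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
alice:$6$c0nstructed$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
legacy:$6$c0nstructed$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
nopass::19000:0:99999:7:::
locked:!$6$c0nstructed$FAKEHASHFAKEHASHFAKEHASH:19000:0:99999:7:::
EOF
}

# Accounts whose passwd password field is anything other than the exact
# shadow marker x. A regex such as /^x|^!/ would silently accept the
# "locked" entry above, whose hash is still exposed, so compare exactly.
unshadowed_accounts() {
  awk -F: '$2 != "x" { print $1 }' "$1"
}

# Accounts in passwd with no line in shadow. Arguments: passwd shadow.
# The shadow file is read first (NR == FNR) to build the set of known names.
accounts_missing_shadow_entry() {
  awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Returns 0 when both checks are empty, 1 otherwise (one FAIL line each).
audit_shadowing() {
  bad=$(unshadowed_accounts "$1")
  missing=$(accounts_missing_shadow_entry "$1" "$2")
  status=0
  if [ -n "$bad" ]; then
    printf 'FAIL: password field is not "x" in %s for: %s\n' "$1" "$(printf '%s' "$bad" | tr '\n' ' ')"
    status=1
  fi
  if [ -n "$missing" ]; then
    printf 'FAIL: no %s entry for: %s\n' "$2" "$(printf '%s' "$missing" | tr '\n' ' ')"
    status=1
  fi
  if [ "$status" -eq 0 ]; then
    printf 'PASS: all accounts in %s use shadowed passwords\n' "$1"
  fi
  return "$status"
}

# Usage against the constructed samples (no root needed): the first audit
# fails on legacy, nopass and locked; the second, "after pwconv", passes.
tmp=$(mktemp -d)
write_sample_passwd "$tmp/passwd"; write_sample_shadow "$tmp/shadow"
audit_shadowing "$tmp/passwd" "$tmp/shadow" || true
write_fixed_passwd "$tmp/passwd"; write_fixed_shadow "$tmp/shadow"
audit_shadowing "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

The empty password field of nopass is flagged as well: an empty field in /etc/passwd means no password is required at all, so it is a finding in its own right, and after pwconv the emptiness moves into /etc/shadow where the separate empty-password audit will catch it.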

Backout Plan:

Using Linux command line:

1. Use pwunconv to revert shadowed passwords back to /etc/passwd if necessary (not recommended). pwunconv writes each hash back into the password field of /etc/passwd and then removes /etc/shadow; password aging information kept only in /etc/shadow is lost in the process:

pwunconv

2. Ensure system security policies are evaluated before reverting, since every local user will again be able to read every account's password hash.

References:

  • CIS Amazon Linux 2 Benchmark v3.0.0

  • Shadow Password Suite (shadow-utils) documentation: pwconv(8), pwunconv(8), shadow(5)