Profile Applicability:
Level 1
Description:
The /etc/security/opasswd file stores users’ old passwords to enforce password reuse policies. Improper permissions on this file can allow unauthorized users to access password history, increasing the risk of password attacks.
Rationale:
Securing permissions on /etc/security/opasswd protects sensitive password history data, reducing the likelihood of password compromise.
Impact:
Pros:
Protects password history from unauthorized access.
Supports enforcement of password reuse policies securely.
Cons:
Overly restrictive permissions might affect system utilities that need access.
Default Value:
By default, permissions may vary depending on the distribution and configuration.
Pre-requisites:
Root or sudo privileges to audit and modify file permissions.
Remediation:
Test Plan:
Using Linux command line:
Check current permissions of /etc/security/opasswd:
ls -l /etc/security/opasswd
Verify ownership is root:root and permissions are set to 600 or more restrictive.
Implementation Plan:
Using Linux command line:
Set ownership to root:
chown root:root /etc/security/opasswd
Set permissions to 600:
chmod 600 /etc/security/opasswd
Verify changes:
ls -l /etc/security/opasswd
Backout Plan:
Using Linux command line:
Restore previous permissions and ownership from backup if necessary.
Confirm system utilities operate correctly after changes.
References:
CIS Amazon Linux 2 Benchmark v3.0.0