Profile Applicability:
Level 1

Description:
 The /etc/shadow file contains users’ encrypted password information and related authentication data. Improper permissions on this file can expose sensitive data to unauthorized users, increasing the risk of credential compromise and privilege escalation.

Rationale:
 Securing permissions on /etc/shadow ensures that only privileged users (typically root) can access sensitive authentication information, thereby maintaining system security.

Impact:
 Pros:

  • Protects sensitive password hashes from unauthorized access.

  • Enhances overall system authentication security.

 Cons:

  • Overly restrictive permissions might affect system utilities that require access (rare).

Default Value:
 Most Linux distributions set secure default permissions on /etc/shadow, but verification is necessary.

Pre-requisites:

  • Root or sudo privileges to audit and modify file permissions.

Remediation:

Test Plan:

Using Linux command line:

  1. Check current permissions and ownership of /etc/shadow:

    ls -l /etc/shadow

  2. Confirm the file is owned by root and permissions are set to 600 or more restrictive.

Implementation Plan:

Using Linux command line:

  1. Set ownership to root:

    chown root:root /etc/shadow

  2. Set permissions to 600:

    chmod 600 /etc/shadow

  3. Verify changes:

    ls -l /etc/shadow

Backout Plan:

Using Linux command line:

  1. Restore previous permissions and ownership from backups if needed.

  2. Test system utilities for proper functioning.
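Scripted form of the Test Plan check, with a helper that records the current state for the Backout Plan. This is an added example, not part of the benchmark text; the function names mode_ok, backout_cmds and audit_file are hypothetical, and GNU coreutils stat is assumed.

```shell
#!/bin/sh
# Added example, not part of the benchmark text. Assumes GNU coreutils `stat`.

# mode_ok MODE: true when octal MODE is 600 or more restrictive, i.e. no
# group/other, execute or setuid/setgid/sticky bit is set.
mode_ok() {
    [ $(( 0$1 & 07177 )) -eq 0 ]
}

# backout_cmds FILE: print the chown/chmod commands that restore FILE's current
# state; save the output before remediating. Assumes no whitespace in FILE.
backout_cmds() {
    stat -c 'chown %U:%G %n' "$1" && stat -c 'chmod %a %n' "$1"
}

# audit_file FILE [OWNER] [GROUP]: returns 0 if compliant, 1 if not, 2 if FILE
# cannot be read with stat. OWNER and GROUP default to root, as the page requires.
audit_file() {
    file=$1 want_user=${2:-root} want_group=${3:-root}
    info=$(stat -c '%a %U %G' "$file" 2>/dev/null) ||
        { echo "FAIL $file: cannot stat"; return 2; }
    set -- $info
    mode=$1 user=$2 group=$3 rc=0
    mode_ok "$mode" ||
        { echo "FAIL $file: mode $mode is broader than 600"; rc=1; }
    [ "$user" = "$want_user" ] ||
        { echo "FAIL $file: owner is $user, expected $want_user"; rc=1; }
    [ "$group" = "$want_group" ] ||
        { echo "FAIL $file: group is $group, expected $want_group"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS $file: $mode $user:$group"
    return "$rc"
}

# Usage: sh audit_perms.sh /etc/shadow   (does nothing when run without arguments)
if [ "$#" -gt 0 ]; then
    backout_cmds "$1"
    audit_file "$@"
fi
```

The bit mask treats 400 and 000 as compliant and flags 640, 700 and any mode with a special bit, which is what "600 or more restrictive" means in practice.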
