← Rules Catalog
highaccess-controlverified

Ensure accounts use shadowed passwords

accounts-password-shadowed · RHEL ≥ 8 · 1 impl

Description

All user accounts in /etc/passwd must have their password field set to 'x', indicating that the actual password hash is stored in /etc/shadow. Direct password hashes in /etc/passwd are a security vulnerability.

Rationale

The /etc/passwd file is world-readable while /etc/shadow has restricted permissions. Storing password hashes in /etc/passwd exposes them to all users on the system, enabling offline password cracking attacks.

Check → Remediate

Checkcommand
awk -F: '($2 != "x") {print $1}' /etc/passwd
expected_exit:
0
Remediatecommand_exec
pwconv
unless:
awk -F: '($2 != "x") {found=1} END {exit found ? 1 : 0}' /etc/passwd

Framework references

CIS

rhel9 7.2.1rhel10 7.2.1rhel8 7.2.1

STIG

V-258117

NIST 800-53

IA-5AC-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#accounts#passwords#shadow#security