highaccess-controlverified ✓
Ensure accounts use shadowed passwords
accounts-password-shadowed · RHEL ≥ 8 · 1 impl
Description
All user accounts in /etc/passwd must have their password field set to 'x', indicating that the actual password hash is stored in /etc/shadow. Direct password hashes in /etc/passwd are a security vulnerability.
Rationale
The /etc/passwd file is world-readable while /etc/shadow has restricted permissions. Storing password hashes in /etc/passwd exposes them to all users on the system, enabling offline password cracking attacks.
Check → Remediate
Checkcommand
awk -F: '($2 != "x") {print $1}' /etc/passwd- expected_exit:
- 0
Remediatecommand_exec
pwconv
- unless:
- awk -F: '($2 != "x") {found=1} END {exit found ? 1 : 0}' /etc/passwd
Framework references
CIS
rhel9 7.2.1rhel10 7.2.1rhel8 7.2.1
STIG
V-258117
NIST 800-53
IA-5AC-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#accounts#passwords#shadow#security