passwd_shadowed

This built-in check ensures that every password in /etc/passwd is “shadowed” (i.e., that the password hash resides in another file rather than in /etc/passwd itself).

Since /etc/passwd is world-readable, storing users’ password hashes in it lets anyone with access to the system run a password cracking program against them. Attempts to guess a user’s password through a brute force attack (repeated login attempts, trying a different password each time) are usually detected in system log files. If the /etc/passwd file contains the password hashes, however, the file can be copied offline and used as input to a password cracking program, which lets an attacker obtain user passwords without detection.

Most modern Unix systems have shadowed password files. Consult your system documentation to learn how to enable shadowed passwords on your system.
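The logic of this check, as an added Python example (not Nessus’ own implementation): it parses passwd-format lines and reports any account whose password field holds a hash instead of a shadow marker. The sample /etc/passwd content is constructed for the example.

```python
# Password-field values that mean the hash lives elsewhere, or that the
# account has no usable password at all: "x" is the usual shadow marker;
# "*", "!", "!!" and an empty field are locked/empty placeholders, not
# crackable hashes.
SHADOW_MARKERS = {"x", "*", "!", "!!", ""}

# Constructed sample /etc/passwd content (not taken from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:$6$saltsalt$AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQ:1001:1001:Bob:/home/bob:/bin/bash
legacy:AbCdEfGhIjKlM:1002:1002:Legacy DES hash:/home/legacy:/bin/sh
# comment lines and blank lines are ignored

"""


def unshadowed_accounts(passwd_text):
    """Return [(username, line_number), ...] for every entry whose password
    field is not a shadow/locked marker, i.e. a hash exposed to every local
    user. Malformed entries (not exactly 7 colon-separated fields) are
    reported too, since their password field cannot be verified."""
    findings = []
    for lineno, raw in enumerate(passwd_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], lineno))
            continue
        user, pw_field = fields[0], fields[1]
        if pw_field not in SHADOW_MARKERS:
            findings.append((user, lineno))
    return findings


def passwd_shadowed(passwd_text):
    """Mirror the pass/fail semantics of the check: True only when no entry
    carries a hash (or an unverifiable password field) in /etc/passwd."""
    return not unshadowed_accounts(passwd_text)


if __name__ == "__main__":
    for user, lineno in unshadowed_accounts(SAMPLE_PASSWD):
        print(f"line {lineno}: account '{user}' has an unshadowed password field")
    print("PASS" if passwd_shadowed(SAMPLE_PASSWD) else "FAIL")
```

On a live host the same functions can be run over the contents of /etc/passwd; the check passes only when the returned list is empty.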

Usage

<item>
name: "passwd_shadowed"
description: "(arbitrary user comment)"
</item>