{"description": "By default, password hashes for local accounts are stored\nin the second field (colon-separated) in\n<tt>/etc/shadow</tt>. This file should be readable only by\nprocesses running with root credentials, preventing users from\ncasually accessing others' password hashes and attempting\nto crack them.\nHowever, it remains possible to misconfigure the system\nand store password hashes\nin world-readable files such as <tt>/etc/passwd</tt>, or\nto even store passwords themselves in plaintext on the system.\nUsing system-provided tools for password change/creation\nshould allow administrators to avoid such misconfiguration.", "warnings": [], "requires": [], "conflicts": [], "values": ["var_password_pam_unix_rounds"], "groups": {}, "rules": ["accounts_password_all_shadowed", "accounts_password_all_shadowed_sha512", "accounts_password_last_change_is_in_past", "accounts_password_pam_unix_no_remember", "accounts_password_pam_unix_rounds_password_auth", "accounts_password_pam_unix_rounds_system_auth", "ensure_sudo_group_restricted", "gid_passwd_group_same", "no_duplicate_uids", "no_empty_passwords", "no_empty_passwords_etc_shadow", "no_empty_passwords_unix", "no_forward_files", "no_legacy_plus_entries_etc_group", "no_legacy_plus_entries_etc_passwd", "no_legacy_plus_entries_etc_shadow", "no_netrc_files", "no_rhost_files"], "platform": "", "platforms": [], "inherited_platforms": [], "cpe_platform_names": [], "title": "Verify Proper Storage and Existence of Password\nHashes", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/password_storage/group.yml"}