Other Articles
- Servers – Disable UDF Filesystem
- Servers – Configure /tmp Partition
- Servers – Configure /home Partition
- Servers – Configure /var Partition
- Servers – Configure Shm Partition
- Servers – Enable dm-verity
- Servers – Enforce Authentication for Single User Mode
- Servers – Restrict Core Dump Generation
- Servers – Enable NX Protection
- Servers – Enable Address Space Layout Randomization (ASLR)
- Servers – Configure Message of the Day (MOTD)
- Servers – Configure Local Login Banner
- Servers – Configure Remote Login Banner
- Servers – Configure Message of the Day (MOTD) Permissions
- Servers – Configure Issue Permissions
- Servers – Configure Password Permissions
- Servers – Configure Group Backup Permissions
- Servers – Configure Group Permissions
- Servers – Configure Gshadow Backup Permissions
- Servers – Configure Gshadow Permissions
- Servers – Configure Passwd Backup Permissions
- Servers – Configure Shadow Permissions
- Servers – Ensure All Users' Home Directories Exist
- Servers – Ensure No Users Have .forward Files
- Servers – Ensure No Users Have .netrc Files
- Servers – Ensure No Users Have .rhosts Files
- Servers – Ensure Root is the Only UID 0 Account
- Servers – Ensure Root PATH Integrity
- Servers – Remove Legacy '+' Entries from Group
- Servers – Remove Legacy '+' Entries from Passwd
- Servers – Remove Legacy '+' Entries from Shadow
- Servers – Restrict Access to .netrc Files
- Servers – Secure System Accounts
- Servers – Ensure Users' Home Directory Permissions are 750 or More Restrictive
- Servers – Ensure Users Own Their Home Directories
- Servers – Verify Security Of Dot Files
- Servers – Verify Existence of passwd Groups
- Servers – Ensure No Duplicate UIDs Exist
- Servers – Ensure No Duplicate GIDs Exist
- Servers – Ensure No Duplicate User Names Exist
- Servers – Ensure No Duplicate Group Names Exist
- Servers – Ensure Shadow Group Has No Members
- Servers – Ensure Logging is Configured
- Servers – Ensure Journald Compression is Configured
- Servers – Ensure Journald Storage is Configured to Persistent Disk
- Servers – Ensure Permissions on All Logfiles are Configured
- Servers – Verify Time Synchronization with Chrony
- Servers – Ensure Chrony is Configured
- Servers – Ensure X Window System is Not Installed
- Servers – Ensure NFS and RPC Services are Disabled
- Servers – Ensure Rsync Service is Disabled
- Servers – Ensure TCP SYN Cookies is Enabled
- Servers – Ensure IPv6 Default Deny Firewall Policy
- Servers – Ensure IPv6 Loopback Traffic is Configured
- Servers – Ensure IPv6 Outbound and Established Connections are Configured
- Servers – Verify IPv6 Open Ports Rules
- Servers – Ensure Default Deny Firewall Policy is Configured
- Servers – Ensure Loopback Traffic is Configured
- Servers – Ensure Outbound and Established Connections are Configured
- Servers – Ensure Iptables is Installed
- Servers – Ensure Packet Redirect Sending is Disabled
- Servers – Ensure Source Routed Packets are Not Accepted
- Servers – Ensure ICMP Redirects are Not Accepted
- Servers – Ensure Secure ICMP Redirects are Disabled
- Servers – Ensure Suspicious Packets Logging is Enabled
- Servers – Ensure Broadcast ICMP Requests are Ignored
- Servers – Ensure Bogus ICMP Responses are Ignored
- Servers – Ensure Reverse Path Filtering is Enabled
- Servers – Ensure Absence of IPv6 Router Advertisements
- Servers – Ensure SSH SSHD Config Permissions Are Configured
- Servers – Ensure SSH Private Host Key Permissions
- Servers – Ensure SSH Public Host Key Permissions Are Configured
- Servers – Ensure SSH Protocol is Set to 2
- Servers – Ensure SSH LogLevel is Appropriate
- Servers – Ensure SSH X11 Forwarding is Disabled
- Servers – Ensure SSH MaxAuthTries is Set to 4 or Less
- Servers – Ensure SSH IgnoreRhosts is Enabled
- Servers – Ensure SSH HostbasedAuthentication is Disabled
- Servers – Disable SSH Root Login
- Servers – Ensure SSH PermitEmptyPasswords is Disabled
- Servers – Verify SSH Strong Ciphers Strength
- Servers – Verify SSH Strong MAC Algorithms
- Servers – Verify SSH Strong Key Exchange Algorithms
- Servers – Ensure SSH Idle Timeout Interval is Configured
- Servers – Ensure SSH Login Grace Time is Configured
- Servers – Configure SSH Warning Banner
- Servers – Enable SSH PAM Authentication
- Servers – Disable SSH AllowTcpForwarding
- Servers – Configure SSH MaxStartups
- Servers – Verify SSH MaxSessions Configuration
- Servers – Ensure Password Creation Requirements are Configured
- Servers – Ensure Password Reuse is Limited
- Servers – Ensure Password Hashing Algorithm is SHA-512
- Servers – Ensure Password Expiration Days is 365 or Less
- Servers – Ensure Minimum Days Between Password Changes is 7 or More
- Servers – Ensure Password Expiration Warning Days is 7 or More
- Servers – Ensure Inactive Password Lock is 30 Days or Less
- Servers – Ensure All Users Last Password Change Date is in the Past
- Servers – Ensure System Accounts Are Secured
- Servers – Ensure Default Group for Root Account is GID 0
- Servers – Verify Default User Umask
- Servers – Ensure Default User Shell Timeout is 900 Seconds or Less
- Servers – Ensure Root Login is Restricted to System Console
- Servers – Ensure Access to su Command is Restricted
Servers – Configure Shadow Backup Permissions
Support > Fixing Checks > Server
06 March, 2026
This check ensures that the permissions on the /etc/shadow- file are configured
correctly. The /etc/shadow- file stores backup information about user accounts, including
hashed passwords and other sensitive security data.
Improper ownership or permissions on this file may allow unauthorized users to access sensitive authentication information, which could compromise system security.
Check Details
- Resource: Server
- Check: Configure Shadow Backup Permissions
-
Risk: If the
/etc/shadow-file has incorrect ownership or permissions, unauthorized users may gain access to sensitive account backup information such as hashed passwords and authentication data.
Remediation Steps
- Open a terminal session on the server with root or sudo privileges.
-
Verify the current ownership and permissions of the
/etc/shadow-file.stat /etc/shadow-
-
Ensure that the file ownership is correctly set to root and the group is set to either root or shadow.
sudo chown root:root /etc/shadow-
sudo chown root:shadow /etc/shadow-
-
Set secure file permissions to ensure that only authorized users can access the file.
sudo chmod o-rwx,g-rw /etc/shadow-
-
Verify that the final configuration matches the following requirements:
- Owner: root
- Group: root or shadow
- Permissions: 640 or more restrictive