Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
What are the best ways in securing /etc/shadow and /etc/passwd files? and do I really need to monitor anyone who attempts to access these files?
From my understanding it is making sure these file have 600 permissions. User owner and group owner is root. That's about it right?
Reason behind my question is that we have a SIEM solution and the SIEM administrator wants me to push any attempts to /etc/shadow and /etc/passwd to syslog so that he can pick it up on his dashboard.
Although it would be nice to have but surely it is a waste of time?
Reason behind my question is that we have a SIEM solution and the SIEM administrator wants me to push any attempts to /etc/shadow and /etc/passwd to syslog so that he can pick it up on his dashboard.
Although it would be nice to have but surely it is a waste of time?
Depending on audit standards it may be a requirement to log any attempted access to certain files. Take a look at auditd] as that may provide the capabilities required.
Hi
This is my first post ever! What are the best ways in securing /etc/shadow and /etc/passwd files? and do I really need to monitor anyone who attempts to access these files?
From my understanding it is making sure these file have 600 permissions. User owner and group owner is root. That's about it right?
Reason behind my question is that we have a SIEM solution and the SIEM administrator wants me to push any attempts to /etc/shadow and /etc/passwd to syslog so that he can pick it up on his dashboard. Although it would be nice to have but surely it is a waste of time?
Thanks for taking time reading my post.
Thankfully, its someone elses time to waste monitoring things that are useless in this case.
Hi & "welcome to LQ" Yes (time waste): there's lots of reasons to read /etc/passwd
Even beginner examples suggest that!!! (A n00b might even innocently >it)
Yes, web-searching is best, in life skills in general too.
I'd suggest an IntroForum post, to tell us about your Linux experience, interests, goals, PC/distro,
for a friendly "hello". But don't tell us the name of the Co.: everyone will 'short' their stock, with all the talk these days about: https://en.wikipedia.org/wiki/Securi...ent_management
What are the best ways in securing /etc/shadow and /etc/passwd files? and do I really need to monitor anyone who attempts to access these files?
From my understanding it is making sure these file have 600 permissions. User owner and group owner is root. That's about it right?
Reason behind my question is that we have a SIEM solution and the SIEM administrator wants me to push any attempts to /etc/shadow and /etc/passwd to syslog so that he can pick it up on his dashboard.
Quote:
Originally Posted by Fibonacci101
Although it would be nice to have but surely it is a waste of time?
Thanks for taking time reading my post.
Make sure the passwords are MD5 and that theres no duplicate 0 UID (root) entries, and also make sure there's no accounts without a passphrase set.
[U] Make sure the passwords are MD5 and that theres no duplicate 0 UID (root) entries, and also make sure there's no accounts without a passphrase set.
There a reason you just copied/pasted someone elses answer? Or why you reopened a thread from TWO YEARS AGO? Post reported as spam account, since your other two posts follow the same pattern.
From my understanding it is making sure these file have 600 permissions.
/etc passwd needs READ access for all (644), so:
-rw-r--r-- 1 root root <size> <date/time> /etc/passwd
as all kinds of programs need to be able to read it to determine the user NAME from the User ID (UID). If it's not readable no user names can be given by any non-root program.
/etc/shadow needs to readable by the group shadow (640 with group shadow), so:
-rw-r----- 1 root shadow <size> <date/time> /etc/shadow
so neither should have 600 permissions.
BTW: the same goes for /etc/group (644) and /etc/gshadow (640, group shadow) although I haven't seen many non-corporate machines that actual use group shadow passwords.
Nowadays there are alternatives to MD5 encryption for passwords:
Code:
The glibc version of this function supports additional encryption algorithms.
If salt is a character string starting with the characters "$id$" followed by a
string optionally terminated by "$", then the result has the form:
$id$salt$encrypted
id identifies the encryption method used instead of DES and this then determines
how the rest of the password string is interpreted. The following values of id
are supported:
ID | Method
─────────────────────────────────────────────────────────
1 | MD5
2a | Blowfish (not in mainline glibc; added in some
| Linux distributions)
5 | SHA-256 (since glibc 2.7)
6 | SHA-512 (since glibc 2.7)
(from the manpage "man 3 crypt"), so there can be different encryptions IN your /etc/shadow file.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Yes (time waste): there's lots of reasons to read /etc/passwd
