LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-22-2017, 06:54 AM   #1
Fibonacci101
LQ Newbie
 
Registered: Sep 2017
Posts: 1

Rep: Reputation: Disabled
Monitoring /etc/passwd and /etc/shadow


Hi

This is my first post ever!

What are the best ways in securing /etc/shadow and /etc/passwd files? and do I really need to monitor anyone who attempts to access these files?

From my understanding it is making sure these file have 600 permissions. User owner and group owner is root. That's about it right?

Reason behind my question is that we have a SIEM solution and the SIEM administrator wants me to push any attempts to /etc/shadow and /etc/passwd to syslog so that he can pick it up on his dashboard.
Although it would be nice to have but surely it is a waste of time?

Thanks for taking time reading my post.
 
Old 09-22-2017, 06:58 AM   #2
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,859

Rep: Reputation: 1151Reputation: 1151Reputation: 1151Reputation: 1151Reputation: 1151Reputation: 1151Reputation: 1151Reputation: 1151Reputation: 1151
Quote:
Originally Posted by Fibonacci101 View Post
Reason behind my question is that we have a SIEM solution and the SIEM administrator wants me to push any attempts to /etc/shadow and /etc/passwd to syslog so that he can pick it up on his dashboard.
Although it would be nice to have but surely it is a waste of time?
Depending on audit standards it may be a requirement to log any attempted access to certain files. Take a look at auditd] as that may provide the capabilities required.
 
1 members found this post helpful.
Old 09-22-2017, 09:10 AM   #3
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,139

Rep: Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345
Quote:
Originally Posted by Fibonacci101 View Post
Hi
This is my first post ever! What are the best ways in securing /etc/shadow and /etc/passwd files? and do I really need to monitor anyone who attempts to access these files?

From my understanding it is making sure these file have 600 permissions. User owner and group owner is root. That's about it right?

Reason behind my question is that we have a SIEM solution and the SIEM administrator wants me to push any attempts to /etc/shadow and /etc/passwd to syslog so that he can pick it up on his dashboard. Although it would be nice to have but surely it is a waste of time?

Thanks for taking time reading my post.
Thankfully, its someone elses time to waste monitoring things that are useless in this case.

https://isc.sans.edu/forums/diary/Au...+friend/15163/

You don't say what SIEM solution, but there are some that can pick up auditd stuff.
 
Old 09-22-2017, 02:52 PM   #4
!!!
Member
 
Registered: Jan 2017
Posts: 666

Rep: Reputation: 289Reputation: 289Reputation: 289
Hi & "welcome to LQ" Yes (time waste): there's lots of reasons to read /etc/passwd
Even beginner examples suggest that!!! (A n00b might even innocently >it)

Yes, web-searching is best, in life skills in general too.

I'd suggest an IntroForum post, to tell us about your Linux experience, interests, goals, PC/distro,
for a friendly "hello". But don't tell us the name of the Co.: everyone will 'short' their stock, with all the talk these days about:
https://en.wikipedia.org/wiki/Securi...ent_management
 
Old 09-24-2017, 12:31 AM   #5
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237
Blog Entries: 2

Rep: Reputation: Disabled
Make sure the passwords are MD5 and that theres no duplicate 0 UID (root) entries, and also make sure there's no accounts without a passphrase set.

Last edited by justmy2cents; 09-24-2017 at 12:33 AM.
 
Old 02-16-2019, 01:22 PM   #6
seraniz
LQ Newbie
 
Registered: Feb 2019
Posts: 3

Rep: Reputation: 0
Quote:
Originally Posted by Fibonacci101 View Post
Hi

This is my first post ever!

What are the best ways in securing /etc/shadow and /etc/passwd files? and do I really need to monitor anyone who attempts to access these files?
From my understanding it is making sure these file have 600 permissions. User owner and group owner is root. That's about it right?

Reason behind my question is that we have a SIEM solution and the SIEM administrator wants me to push any attempts to /etc/shadow and /etc/passwd to syslog so that he can pick it up on his dashboard.
Quote:
Originally Posted by Fibonacci101 View Post
Although it would be nice to have but surely it is a waste of time?

Thanks for taking time reading my post.
Make sure the passwords are MD5 and that theres no duplicate 0 UID (root) entries, and also make sure there's no accounts without a passphrase set.

Last edited by seraniz; 02-16-2019 at 03:41 PM.
 
Old 02-17-2019, 09:43 AM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,139

Rep: Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345Reputation: 5345
Quote:
Originally Posted by seraniz View Post
[U] Make sure the passwords are MD5 and that theres no duplicate 0 UID (root) entries, and also make sure there's no accounts without a passphrase set.
There a reason you just copied/pasted someone elses answer? Or why you reopened a thread from TWO YEARS AGO? Post reported as spam account, since your other two posts follow the same pattern.
 
Old 02-17-2019, 10:09 AM   #8
ehartman
Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 397

Rep: Reputation: 169Reputation: 169
Quote:
Originally Posted by Fibonacci101 View Post
From my understanding it is making sure these file have 600 permissions.
/etc passwd needs READ access for all (644), so:
-rw-r--r-- 1 root root <size> <date/time> /etc/passwd
as all kinds of programs need to be able to read it to determine the user NAME from the User ID (UID). If it's not readable no user names can be given by any non-root program.

/etc/shadow needs to readable by the group shadow (640 with group shadow), so:
-rw-r----- 1 root shadow <size> <date/time> /etc/shadow

so neither should have 600 permissions.

BTW: the same goes for /etc/group (644) and /etc/gshadow (640, group shadow) although I haven't seen many non-corporate machines that actual use group shadow passwords.
 
Old 02-17-2019, 10:20 AM   #9
ehartman
Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 397

Rep: Reputation: 169Reputation: 169
Quote:
Originally Posted by seraniz View Post
[U] Make sure the passwords are MD5
Nowadays there are alternatives to MD5 encryption for passwords:
Code:
The glibc version of this function supports additional encryption algorithms.

   If salt is a character string starting with the characters "$id$" followed by a
   string optionally terminated by "$", then the result has the form:

       $id$salt$encrypted

   id  identifies the encryption method used instead of DES and this then determines
   how the rest of the password string is interpreted.  The following values of id
   are supported:

              ID  | Method
              ─────────────────────────────────────────────────────────
              1   | MD5
              2a  | Blowfish (not in mainline glibc; added in some
                  | Linux distributions)
              5   | SHA-256 (since glibc 2.7)
              6   | SHA-512 (since glibc 2.7)
(from the manpage "man 3 crypt"), so there can be different encryptions IN your /etc/shadow file.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Account in /etc/passwd but not /etc/shadow jeriryan Linux - Security 4 07-25-2011 09:05 AM
shadow and passwd idlehands Linux - Security 2 07-28-2010 03:04 PM
passwd shadow problem rblampain Linux - Distributions 2 10-04-2005 12:00 AM
Moving /etc/passwd and /etc/shadow john8675309 Linux - Software 1 01-24-2005 08:44 PM
/etc/passwd or /etc/shadow? tiger7007 Linux - Security 2 03-21-2004 04:41 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:08 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration