5.11.2 Protected databases
The following databases are consulted by the identification and authentication subsystem during user session
initiation:
• /etc/passwd: For all system users, it stores the login name, user ID, primary group ID, real name,
home directory, and shell. Each user’s entry occupies one line, and fields are separated by a colon (:).
The file is owned by the root user and root group, and its mode is 644.
• /etc/security/opasswd: For all system users, it stores X number of most recent passwords in
order to force password change history and keep the users from alternating between the same
password too frequently. (remember = X; this is one of the options supported by pam_unix.so.)
The file is owned by the root user and root group, and its mode is 644.
• /etc/group: For system groups, stores group names, group IDs, supplemental group IDs, and
group memberships. Each group’s entry occupies one line and fields are separated by a colon (:). The
file is owned by the root user and root group, and its mode is 644.
• /etc/shadow: For all system users, it stores the user name, hashed password, last password
change time (in days since epoch), minimum number of days that must pass before password can be
changed again, maximum number of days after which the password must be changed, number of days
before the password expires when the user is warned, number of days after the password expires that
the account is locked, and total lifetime of the account. The MD5 hashing algorithm is used to build
the password checksum. The file is owned by the root user and shadow group, and its mode is 400.
• /etc/gshadow: This is the group counterpart of the shadow file. For all system groups, it stores
group names, group hashed passwords, and membership information. The MD5 hashing algorithm is
used to build the password checksum. The file is owned by the root user and shadow group, and its
mode is 400. Group passwords are not used in the TOE.
• /var/log/lastlog: The time and date of the last successful login for each user is stored here.
The file is owned by the root user and tty group, and its mode is 644.
• /var/log/faillog: faillog maintains the count of login failures and the limits for each user
account. The file is fixed length record, indexed by numerical UID. Each record contains the count of
login failures since the last successful login, the maximum number of failures before the account is
disabled, the line the last login failure occurred on, and the date the last login failure occurred. The
file is owned by the root user and root group, and its mode is 644.
• /etc/login.defs: This data base defines various configuration options for the login process,
such as minimum and maximum user ID for automatic selection by the command useradd, minimum
and maximum group ID for automatic selection by the command groupadd, password aging controls,
default location for mail, and whether to create a home directory when creating a new user. The file
is owned by the root user and root group, and its mode is 644.
• /etc/securetty: Lists ttys from which the root user can log in. Device names are listed one per
line, without the leading /dev/. The file is owned by the root user and root group, and its mode is 644.
• /var/run/utmp: The utmp file stores information about who is currently using the system. The
utmp file contains a sequence of entries with the name of the special file associated with the user's
terminal, the user's login name, and the time of login in the form of time. The file is owned by the
root user and tty group, and its mode is 664.
• /var/log/wtmp: The wtmp file records all logins and logouts. Its format is exactly like utmp
except that a null user name indicates a logout on the associated terminal. Furthermore, the terminal
name tilde (~) with a user name of "shutdown" or "reboot" indicates a system shutdown or reboot,
and the pair of terminal names "|"/"}" logs the old new system time when the command date changes
it. The file is owned by the root user and tty group, and its mode is 664.
175