linux – Why does the CIS benchmark consider the presence of passwd- a (high) risk

I’ve just seen a “high-risk security alert” for the presence of /etc/passwd- on RHEL 8 servers, and don’t understand the issue. Apparently the issue originates with the CIS benchmarks.

My understanding is that it’s a backup of the passwd file created by utilities like adduser; what I don’t understand is the security implication of having a backup of the file with the same permissions as the original. Given that /etc/passwd is always world-readable anyway (presumably so that ls can convert a UID in an inode to a username amongst other reasons), what’s the risk?

I guess a hacker (who is already on the box as a non-privileged user) could diff the files to see the most recent change, but I can’t see what else constitutes a “risk”. Is this one of those issues raised by not-too-smart security tools? “Oh, a world-readable file in /etc – panic”? What am I missing? Googling doesn’t distinguish “/etc/passwd-” from “/etc/passwd”, so I’ve not managed to find anything relevant elsewhere.

I guess there’s no harm in removing it – well except that it is a forensic clue perhaps, that one of the os tools was used to modify user information, which is pretty spurious, really.