diff --git a/controls/os_spec.rb b/controls/os_spec.rb
index 625929e..8e80c14 100644
--- a/controls/os_spec.rb
+++ b/controls/os_spec.rb
@@ -93,20 +93,27 @@ control 'os-03' do
   impact 1.0
-  title 'Check owner and permissions for /etc/passwd'
-  desc 'Check periodically the owner and permissions for /etc/passwd'
-  describe file('/etc/passwd') do
-    it { should exist }
-    it { should be_file }
-    it { should be_owned_by 'root' }
-    its('group') { should eq 'root' }
-    it { should_not be_executable }
-    it { should be_writable.by('owner') }
-    it { should_not be_writable.by('group') }
-    it { should_not be_writable.by('other') }
-    it { should be_readable.by('owner') }
-    it { should be_readable.by('group') }
-    it { should be_readable.by('other') }
+  title 'Check owner and permissions for passwd files'
+  desc 'Check periodically the owner and permissions for passwd files '\
+       '(/etc/passwd, /etc/passwd-, /etc/group, /etc/group-)'
+
+  passwd_files = ['/etc/passwd', '/etc/passwd-', '/etc/group', '/etc/group-']
+  passwd_files.each do |passwd_file|
+    next if passwd_file[-1] == '-' && !file(passwd_file).exist?
+
+    describe file(passwd_file) do
+      it { should exist }
+      it { should be_file }
+      it { should be_owned_by 'root' }
+      its('group') { should eq 'root' }
+      it { should_not be_executable }
+      it { should be_writable.by('owner') }
+      it { should_not be_writable.by('group') }
+      it { should_not be_writable.by('other') }
+      it { should be_readable.by('owner') }
+      it { should be_readable.by('group') }
+      it { should be_readable.by('other') }
+    end
   end
 end
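Review bot: The `next if passwd_file[-1] == '-' && !file(passwd_file).exist?` guard silently drops `/etc/passwd-` and `/etc/group-` from the control's output when the backup copy is absent, so a run on such a host reports nothing at all about those two paths and a reader of the results cannot tell "checked and fine" from "not present, skipped"; if that is the intended behaviour it deserves a comment such as `# backup copies (*-) are optional: skip them when absent rather than fail the control`, and the `it { should exist }` line is then only meaningful for the two non-backup files. As a point of style, `passwd_file.end_with?('-')` reads more clearly than `passwd_file[-1] == '-'`, and the list could be a frozen `%w[...]` constant rather than a local array rebuilt on every load. The enclosing `control 'os-03' do` block begins before this hunk (its header line appears only in the `@@` context).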