---
id: V-38504
status: implemented
tag: misc
---

Ubuntu 14.04 and Ubuntu 16.04 set the mode of /etc/shadow to 0640, but CentOS 7 sets it to 000. The STIG requires the mode to be 000 and the Ansible tasks in the security role ensure that the mode meets the requirement.

Special note for Ubuntu: This change doesn't affect how the system operates since root is the only user that should be able to read from and write to /etc/shadow. Allowing users to read the file could open up the system to attacks since the password hashes can be dumped and brute forced.
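
A check for the requirement above, as an added example that is not part of the security role's own code: it reads a file's mode and reports which permission classes exceed the required 000. It assumes GNU coreutils stat; the function names shadow_mode_report and demo are hypothetical, and the demonstration runs on constructed temporary files rather than the real /etc/shadow.

```shell
#!/bin/sh
# Added example: audit a shadow file's mode against the value V-38504 requires (000).
# Assumes GNU coreutils stat (Ubuntu, CentOS). Function names are hypothetical.

# Print PASS/FAIL for FILE. Returns 0 if the mode is exactly 000,
# 1 if any permission bit is set, 2 if the file cannot be inspected.
shadow_mode_report() {
    file=$1
    mode=$(stat -c '%a' -- "$file" 2>/dev/null) || {
        echo "ERROR $file: cannot stat"
        return 2
    }
    bits=$((0$mode))            # leading 0 makes the shell read the value as octal
    if [ "$bits" -eq 0 ]; then
        echo "PASS $file mode=000"
        return 0
    fi
    # Name every permission class that still holds at least one bit.
    extra=""
    [ $((bits & 0700)) -ne 0 ] && extra="$extra owner"
    [ $((bits & 0070)) -ne 0 ] && extra="$extra group"
    [ $((bits & 0007)) -ne 0 ] && extra="$extra other"
    [ $((bits & 07000)) -ne 0 ] && extra="$extra special"
    printf 'FAIL %s mode=%04o grants:%s\n' "$file" "$bits" "$extra"
    return 1
}

# Constructed demonstration on temporary files, not the real /etc/shadow.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/shadow.ubuntu"; chmod 0640 "$tmp/shadow.ubuntu"   # Ubuntu mode per the page
    : > "$tmp/shadow.centos"; chmod 0000 "$tmp/shadow.centos"   # CentOS 7 mode per the page
    shadow_mode_report "$tmp/shadow.ubuntu" || true
    shadow_mode_report "$tmp/shadow.centos" || true
    rm -rf "$tmp"
}
demo
```

On a real host, run `shadow_mode_report /etc/shadow`; the exit status makes it usable as a verification step after the role has been applied.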