openstack-ansible-security/doc/metadata/rhel6/V-38504.rst

---id: V-38504 status: implemented tag: misc ---

Ubuntu 14.04 and Ubuntu 16.04 set the mode of /etc/shadow to 0640, but CentOS 7 sets it to 000. The STIG requires the mode to be 000 and the Ansible tasks in the security role ensure that the mode meets the requirement.

Special note for Ubuntu: This change doesn't affect how the system operates since root is the only user that should be able to read from and write to /etc/shadow. Allowing users to read the file could open up the system to attacks since the password hashes can be dumped and brute forced.