15 lines
585 B
ReStructuredText
15 lines
585 B
ReStructuredText
---
|
|
id: V-38504
|
|
status: implemented
|
|
tag: auth
|
|
---
|
|
|
|
Ubuntu 14.04 and Ubuntu 16.04 set the mode of ``/etc/shadow`` to ``0640``, but
|
|
CentOS 7 sets it to ``000``. The STIG requires the mode to be ``000`` and the
|
|
Ansible tasks in the security role ensure that the mode meets the requirement.
|
|
|
|
**Special note for Ubuntu:** This change doesn't affect how the system operates
|
|
since root is the only user that should be able to read from and write to
|
|
``/etc/shadow``. Allowing users to read the file could open up the system to
|
|
attacks since the password hashes can be dumped and brute forced.
|