{"description": "\nTo properly set the permissions of <code>/etc/shadow</code>, run the command:\n<pre>$ sudo chmod 0640 /etc/shadow</pre>", "rationale": "The <tt>/etc/shadow</tt> file contains the list of local\nsystem accounts and stores password hashes. Protection of this file is\ncritical for system security. Failure to give ownership of this file\nto root provides the designated owner with access to sensitive information\nwhich could weaken the system security posture.", "severity": "medium", "references": {"cis-csc": ["12", "13", "14", "15", "16", "18", "3", "5"], "cjis": ["5.5.2.2"], "cobit5": ["APO01.06", "DSS05.04", "DSS05.07", "DSS06.02"], "isa-62443-2009": ["4.3.3.7.3"], "isa-62443-2013": ["SR 2.1", "SR 5.2"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.13.1.1", "A.13.1.3", "A.13.2.1", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-6(a)", "AC-6(1)"], "nist-csf": ["PR.AC-4", "PR.DS-5"], "pcidss": ["Req-8.7.c"], "srg": ["SRG-OS-000480-GPOS-00227"], "anssi": ["R50"], "cis": ["7.1.5"], "pcidss4": ["2.2.6", "2.2"]}, "control_references": {"anssi": ["R50"], "cis": ["7.1.5"], "pcidss4": ["2.2.6", "2.2"]}, "components": [], "identifiers": {}, "ocil_clause": "/etc/shadow does not have unix mode -rw-r-----", "ocil": "To check the permissions of <code>/etc/shadow</code>,\nrun the command:\n<pre>$ ls -l /etc/shadow</pre>\nIf properly configured, the output should indicate the following permissions:\n<code>-rw-r-----</code>", "oval_external_content": null, "fixtext": " Configure the \"/etc/shadow\" file to \"0640\" by running the following command:\n$ sudo chmod 0640 /etc/shadow", "checktext": "", "vuldiscussion": "", "srg_requirement": " The Ubuntu 22.04 /etc/shadow file must have mode 0640 or less permissive to prevent unauthorized access.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 /etc/shadow file must have mode 0000 to prevent unauthorized access.", "vuldiscussion": "The \"/etc/shadow\" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture.", "checktext": "Verify that the \"/etc/shadow\" file has mode \"0000\" with the following command:\n\n$ sudo stat -c \"%a %n\" /etc/shadow\n\n0 /etc/shadow\n\nIf a value of \"0\" is not returned, this is a finding.", "fixtext": "Change the mode of the file \"/etc/shadow\" to \"0000\" by running the following command:\n\n$ sudo chmod 0000 /etc/shadow"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Verify Permissions on shadow File", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml", "template": {"name": "file_permissions", "vars": {"filepath": "/etc/shadow", "filemode": "0640"}, "backends": {}}}