{"description": " To properly set the owner of <code>/etc/shadow</code>, run the command:\n<pre>$ sudo chown root /etc/shadow </pre>\n", "rationale": "The <tt>/etc/shadow</tt> file contains the list of local\nsystem accounts and stores password hashes. Protection of this file is\ncritical for system security. Failure to give ownership of this file\nto root provides the designated owner with access to sensitive information\nwhich could weaken the system security posture.", "severity": "medium", "references": {"cis-csc": ["12", "13", "14", "15", "16", "18", "3", "5"], "cjis": ["5.5.2.2"], "cobit5": ["APO01.06", "DSS05.04", "DSS05.07", "DSS06.02"], "isa-62443-2009": ["4.3.3.7.3"], "isa-62443-2013": ["SR 2.1", "SR 5.2"], "iso27001-2013": ["A.10.1.1", "A.11.1.4", "A.11.1.5", "A.11.2.1", "A.13.1.1", "A.13.1.3", "A.13.2.1", "A.13.2.3", "A.13.2.4", "A.14.1.2", "A.14.1.3", "A.6.1.2", "A.7.1.1", "A.7.1.2", "A.7.3.1", "A.8.2.2", "A.8.2.3", "A.9.1.1", "A.9.1.2", "A.9.2.3", "A.9.4.1", "A.9.4.4", "A.9.4.5"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["CM-6(a)", "AC-6(1)"], "nist-csf": ["PR.AC-4", "PR.DS-5"], "pcidss": ["Req-8.7.c"], "srg": ["SRG-OS-000480-GPOS-00227"], "anssi": ["R50"], "cis": ["7.1.5"], "pcidss4": ["2.2.6", "2.2"]}, "control_references": {"anssi": ["R50"], "cis": ["7.1.5"], "pcidss4": ["2.2.6", "2.2"]}, "components": [], "identifiers": {}, "ocil_clause": "/etc/shadow does not have an owner of root", "ocil": "To check the ownership of <code>/etc/shadow</code>,\nrun the command:\n<pre>$ ls -lL /etc/shadow</pre>\nIf properly configured, the output should indicate the following owner:\n<code>root</code>", "oval_external_content": null, "fixtext": " Change the owner of the file /etc/shadow to root by running the following command:\n$ sudo chown root /etc/shadow", "checktext": "", "vuldiscussion": "", "srg_requirement": " The Ubuntu 22.04 /etc/shadow file must be owned by root.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 /etc/shadow file must be owned by root.", "vuldiscussion": "The \"/etc/shadow\" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information, which could weaken the system security posture.", "checktext": "Verify the ownership of the \"/etc/shadow\" file with the following command:\n\n$ sudo stat -c \"%U %n\" /etc/shadow\n\nroot /etc/shadow\n\nIf \"/etc/shadow\" file does not have an owner of \"root\", this is a finding.", "fixtext": "Change the owner of the file /etc/shadow to root by running the following command:\n\n$ sudo chown root /etc/shadow"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Verify User Who Owns shadow File", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_etc_shadow/rule.yml", "template": {"name": "file_owner", "vars": {"filepath": "/etc/shadow", "uid_or_name": "0"}, "backends": {}}}