Verify Group Who Owns shadow File

Description

To properly set the group owner of /etc/shadow, run the command:

$ sudo chgrp shadow /etc/shadow

Rationale

The /etc/shadow file stores password hashes. Protection of this file is critical for system security.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

chgrp -L 42 /etc/shadow

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Test for existence /etc/shadow
  stat:
    path: /etc/shadow
  register: file_exists
  tags:
  - CJIS-5.5.2.2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.7.c
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_groupowner_etc_shadow
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner 42 on /etc/shadow
  file:
    path: /etc/shadow
    group: '42'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - CJIS-5.5.2.2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.7.c
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_groupowner_etc_shadow
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed