Verify User Who Owns shadow File

Docs > Datadog Security > OOTB Rules > Verify User Who Owns shadow File

Classification:

compliance

Framework:

Control:

Description

To properly set the owner of /etc/shadow, run the command:

$ sudo chown root /etc/shadow

Rationale

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

chown 0 /etc/shadow

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Test for existence /etc/shadow
 stat:
 path: /etc/shadow
 register: file\_exists
 tags:
 - CJIS-5.5.2.2
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-8.7.c
 - PCI-DSSv4-7.2.6
 - configure\_strategy
 - file\_owner\_etc\_shadow
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure owner 0 on /etc/shadow
 file:
 path: /etc/shadow
 owner: '0'
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - CJIS-5.5.2.2
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-8.7.c
 - PCI-DSSv4-7.2.6
 - configure\_strategy
 - file\_owner\_etc\_shadow
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed