Verify Permissions on shadow File

Docs > Datadog Security > OOTB Rules > Verify Permissions on shadow File

Classification:

compliance

Framework:

Control:

Description

To properly set the permissions of /etc/shadow, run the command:

$ sudo chmod 0640 /etc/shadow

Rationale

The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

chmod u-xs,g-xws,o-xwrt /etc/shadow

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Test for existence /etc/shadow
 stat:
 path: /etc/shadow
 register: file\_exists
 tags:
 - CJIS-5.5.2.2
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-8.7.c
 - PCI-DSSv4-7.2.6
 - configure\_strategy
 - file\_permissions\_etc\_shadow
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure permission u-xs,g-xws,o-xwrt on /etc/shadow
 file:
 path: /etc/shadow
 mode: u-xs,g-xws,o-xwrt
 when: file\_exists.stat is defined and file\_exists.stat.exists
 tags:
 - CJIS-5.5.2.2
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-6(a)
 - PCI-DSS-Req-8.7.c
 - PCI-DSSv4-7.2.6
 - configure\_strategy
 - file\_permissions\_etc\_shadow
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed