Merge "V-3850{2,3,4}: Ownership/mode of /etc/shadow"

2015-10-13 21:45:08 +00:00 · 2015-10-13 21:45:08 +00:00 · 3e32b8b380
commit 3e32b8b380
parent 9bac117f6e 35428ece12
4 changed files with 36 additions and 0 deletions
--- a/doc/source/developer-notes/V-38502.rst
+++ b/doc/source/developer-notes/V-38502.rst
@ -0,0 +1,2 @@
+Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by
+default. The Ansible task will ensure that the default is maintained.
--- a/doc/source/developer-notes/V-38503.rst
+++ b/doc/source/developer-notes/V-38503.rst
@ -0,0 +1,2 @@
+Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by
+default. The Ansible task will ensure that the default is maintained.
--- a/doc/source/developer-notes/V-38504.rst
+++ b/doc/source/developer-notes/V-38504.rst
@ -0,0 +1,5 @@
+Although Ubuntu 14.04's default for ``/etc/shadow`` is ``0640``, the STIG
+requires a mode of ``0000``. This doesn't affect how the system operates since
+root is the only user that should be able to read from and write to
+``/etc/shadow``.  Allowing users to read the file could open up the system
+to attacks since the password hashes can be dumped and brute forced.
--- a/tasks/file_perms.yml
+++ b/tasks/file_perms.yml
@ -76,3 +76,30 @@
    - file_perms
    - cat2
    - V-38493
+
+- name: V-38502 - The /etc/shadow file must be owned by root
+  file:
+    dest: /etc/shadow
+    owner: root
+  tags:
+   - file_perms
+   - cat2
+   - V-38502
+
+- name: V-38503 - The /etc/shadow file must be group-owned by root
+  file:
+    dest: /etc/shadow
+    group: root
+  tags:
+   - file_perms
+   - cat2
+   - V-38503
+
+- name: V-38504 - The /etc/shadow file must have mode 0000
+  file:
+    dest: /etc/shadow
+    mode: 0000
+  tags:
+   - file_perms
+   - cat2
+   - V-38504