diff --git a/doc/source/developer-notes/V-38502.rst b/doc/source/developer-notes/V-38502.rst new file mode 100644 index 00000000..98f129f5 --- /dev/null +++ b/doc/source/developer-notes/V-38502.rst @@ -0,0 +1,2 @@ +Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by +default. The Ansible task will ensure that the default is maintained. diff --git a/doc/source/developer-notes/V-38503.rst b/doc/source/developer-notes/V-38503.rst new file mode 100644 index 00000000..98f129f5 --- /dev/null +++ b/doc/source/developer-notes/V-38503.rst @@ -0,0 +1,2 @@ +Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by +default. The Ansible task will ensure that the default is maintained. diff --git a/doc/source/developer-notes/V-38504.rst b/doc/source/developer-notes/V-38504.rst new file mode 100644 index 00000000..e1451c45 --- /dev/null +++ b/doc/source/developer-notes/V-38504.rst @@ -0,0 +1,5 @@ +Although Ubuntu 14.04's default for ``/etc/shadow`` is ``0640``, the STIG +requires a mode of ``0000``. This doesn't affect how the system operates since +root is the only user that should be able to read from and write to +``/etc/shadow``. Allowing users to read the file could open up the system +to attacks since the password hashes can be dumped and brute forced. diff --git a/tasks/file_perms.yml b/tasks/file_perms.yml index 00e5d099..5c145984 100644 --- a/tasks/file_perms.yml +++ b/tasks/file_perms.yml @@ -76,3 +76,30 @@ - file_perms - cat2 - V-38493 + +- name: V-38502 - The /etc/shadow file must be owned by root + file: + dest: /etc/shadow + owner: root + tags: + - file_perms + - cat2 + - V-38502 + +- name: V-38503 - The /etc/shadow file must be group-owned by root + file: + dest: /etc/shadow + group: root + tags: + - file_perms + - cat2 + - V-38503 + +- name: V-38504 - The /etc/shadow file must have mode 0000 + file: + dest: /etc/shadow + mode: 0000 + tags: + - file_perms + - cat2 + - V-38504
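Review bot: the new V-38502.rst describes ``/etc/passwd``, but the STIG ID, the file name and the matching task in tasks/file_perms.yml ("The /etc/shadow file must be owned by root") are all about ``/etc/shadow``; the note looks copied from the passwd developer note and should read "sets the user ownership of ``/etc/shadow`` to root by default" so the docs match the control being documented.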
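Review bot: V-38503.rst has the same copy-paste problem as V-38502.rst (it talks about ``/etc/passwd`` while the control is group ownership of ``/etc/shadow``), and its claim that "the default is maintained" does not hold for the shadow file: on Ubuntu the group owner of ``/etc/shadow`` is ``shadow``, not root, which is also why the V-38504 note in this same patch gives a group-readable ``0640`` default. Suggest rewording to say the task changes the group owner from ``shadow`` to ``root`` as the STIG requires, rather than preserving a default.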
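Review bot: the V-38504.rst sentence "This doesn't affect how the system operates" is stated without support; since the ``0640`` default it mentions exists so that members of the ``shadow`` group can read the file, the note should say whether anything on Ubuntu 14.04 that authenticates as a non-root user via that group was checked after the mode is set to ``0000`` (root itself is unaffected because it bypasses DAC mode bits). Minor: "brute forced" should be hyphenated as "brute-forced".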
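Review bot: in the tasks/file_perms.yml hunk, ``mode: 0000`` should be quoted as ``mode: '0000'``; Ansible's ``file`` module documentation recommends quoting modes because an unquoted leading-zero value is parsed by YAML as an octal integer, which is harmless here only by coincidence (octal 0 equals 0) and becomes a silent bug as soon as someone copies the pattern for a mode like ``0640``. Also consider ``path:`` instead of the ``dest:`` alias for consistency with the module's primary parameter name. Keeping three separate tasks is fine given the per-STIG-ID tags.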