From 35428ece125c4be5fd5245aaf9eb021bda324b54 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 7 Oct 2015 11:19:40 -0500
Subject: [PATCH] V-3850{2,3,4}: Ownership/mode of /etc/shadow

Change-Id: Ic86060a4c37c430c61c7b27a08b22d0f9167784c
---
 doc/source/developer-notes/V-38502.rst | 2 ++
 doc/source/developer-notes/V-38503.rst | 2 ++
 doc/source/developer-notes/V-38504.rst | 5 +++++
 tasks/file_perms.yml | 27 ++++++++++++++++++++++++++
 4 files changed, 36 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38502.rst
 create mode 100644 doc/source/developer-notes/V-38503.rst
 create mode 100644 doc/source/developer-notes/V-38504.rst

diff --git a/doc/source/developer-notes/V-38502.rst b/doc/source/developer-notes/V-38502.rst
new file mode 100644
index 00000000..98f129f5
--- /dev/null
+++ b/doc/source/developer-notes/V-38502.rst
@@ -0,0 +1,2 @@
+Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by
+default. The Ansible task will ensure that the default is maintained.
diff --git a/doc/source/developer-notes/V-38503.rst b/doc/source/developer-notes/V-38503.rst
new file mode 100644
index 00000000..98f129f5
--- /dev/null
+++ b/doc/source/developer-notes/V-38503.rst
@@ -0,0 +1,2 @@
+Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by
+default. The Ansible task will ensure that the default is maintained.
diff --git a/doc/source/developer-notes/V-38504.rst b/doc/source/developer-notes/V-38504.rst
new file mode 100644
index 00000000..e1451c45
--- /dev/null
+++ b/doc/source/developer-notes/V-38504.rst
@@ -0,0 +1,5 @@
+Although Ubuntu 14.04's default for ``/etc/shadow`` is ``0640``, the STIG
+requires a mode of ``0000``. This doesn't affect how the system operates since
+root is the only user that should be able to read from and write to
+``/etc/shadow``. Allowing users to read the file could open up the system
+to attacks since the password hashes can be dumped and brute forced.
diff --git a/tasks/file_perms.yml b/tasks/file_perms.yml
index c9f6c0e2..66c66be1 100644
--- a/tasks/file_perms.yml
+++ b/tasks/file_perms.yml
@@ -68,3 +68,30 @@
     - file_perms
     - cat2
     - V-38493
+
+- name: V-38502 - The /etc/shadow file must be owned by root
+  file:
+    dest: /etc/shadow
+    owner: root
+  tags:
+    - file_perms
+    - cat2
+    - V-38502
+
+- name: V-38503 - The /etc/shadow file must be group-owned by root
+  file:
+    dest: /etc/shadow
+    group: root
+  tags:
+    - file_perms
+    - cat2
+    - V-38503
+
+- name: V-38504 - The /etc/shadow file must have mode 0000
+  file:
+    dest: /etc/shadow
+    mode: 0000
+  tags:
+    - file_perms
+    - cat2
+    - V-38504
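Review bot: The V-38503 and V-38504 tasks together move /etc/shadow from the stock Ubuntu layout (normally root:shadow with the 0640 mode the V-38504 note itself cites) to root:root 0000, which removes the group-read path that setgid-`shadow` helpers such as `unix_chkpwd` rely on when PAM verifies a password for a non-root caller (screen lockers are the usual example); the note's claim that this "doesn't affect how the system operates" should be checked on a real target before merging, and the result recorded in the V-38504 note or a comment above the task. The developer notes for V-38502 and V-38503 describe ``/etc/passwd`` while both tasks act on /etc/shadow, which looks like a copy/paste from the passwd notes and should name /etc/shadow. As a minor style point, Ansible recommends quoting file modes so YAML cannot reinterpret the leading zero: `mode: '0000'`.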