Merge "V-3850{2,3,4}: Ownership/mode of /etc/shadow"

doc/source/developer-notes/V-38502.rst

@@ -0,0 +1,2 @@
+Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by
+default. The Ansible task will ensure that the default is maintained.

doc/source/developer-notes/V-38503.rst

@@ -0,0 +1,2 @@
+Ubuntu 14.04 sets the user and group ownership of ``/etc/passwd`` to root by
+default. The Ansible task will ensure that the default is maintained.

doc/source/developer-notes/V-38504.rst

@@ -0,0 +1,5 @@
+Although Ubuntu 14.04's default for ``/etc/shadow`` is ``0640``, the STIG
+requires a mode of ``0000``. This doesn't affect how the system operates since
+root is the only user that should be able to read from and write to
+``/etc/shadow``.  Allowing users to read the file could open up the system
+to attacks since the password hashes can be dumped and brute forced.

tasks/file_perms.yml

@@ -76,3 +76,30 @@
     - file_perms
     - cat2
     - V-38493
+
+- name: V-38502 - The /etc/shadow file must be owned by root
+  file:
+    dest: /etc/shadow
+    owner: root
+  tags:
+   - file_perms
+   - cat2
+   - V-38502
+
+- name: V-38503 - The /etc/shadow file must be group-owned by root
+  file:
+    dest: /etc/shadow
+    group: root
+  tags:
+   - file_perms
+   - cat2
+   - V-38503
+
+- name: V-38504 - The /etc/shadow file must have mode 0000
+  file:
+    dest: /etc/shadow
+    mode: 0000
+  tags:
+   - file_perms
+   - cat2
+   - V-38504