ansible-hardening/doc/source/developer-notes/V-38504.rst

Although Ubuntu 14.04's default for /etc/shadow is 0640, the STIG requires a mode of 0000. This doesn't affect how the system operates since root is the only user that should be able to read from and write to /etc/shadow. Allowing users to read the file could open up the system to attacks since the password hashes can be dumped and brute forced.