Verify Permissions on Backup gshadow File

An XCCDF Rule

Description

To properly set the permissions of /etc/gshadow-, run the command:

$ sudo chmod 0000 /etc/gshadow-

Rationale

The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security.

ID: xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow
Severity: Medium
References: CCI-002223

AC-6 (1)

SRG-OS-000480-GPOS-00227

CCE-83573-6

6.1.9
Updated: about 1 year ago

- name: Test for existence /etc/gshadow-
  stat:
    path: /etc/gshadow-
  register: file_exists
  tags:
  - CCE-83573-6  - NIST-800-53-AC-6 (1)
  - configure_strategy
  - file_permissions_backup_etc_gshadow
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure permission u-xwrs,g-xwrs,o-xwrt on /etc/gshadow-
  file:
    path: /etc/gshadow-
    mode: u-xwrs,g-xwrs,o-xwrt
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - CCE-83573-6
  - NIST-800-53-AC-6 (1)
  - configure_strategy
  - file_permissions_backup_etc_gshadow
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed






chmod u-xwrs,g-xwrs,o-xwrt /etc/gshadow-

Verify Permissions on Backup gshadow File

Description

Rationale

Remediation - Ansible

Remediation - Shell Script