# CIS 6.1.3 Ensure permissions on /etc/shadow are configured
#
# Description
# ===========
# The /etc/shadow file is used to store the information about user accounts
# that is critical to the security of those accounts, such as the hashed
# password and other security information.
#
# Rationale
# =========
# If attackers can gain read access to the /etc/shadow file, they can easily
# run a password cracking program against the hashed password to break it.
# Other security information that is stored in the /etc/shadow file (such
# as expiration) could also be useful to subvert the user accounts.
#
# Audit
# =====
# Run the following command and verify Uid is 0/root, Gid is /shadow,
# and Access is 640 or more restrictive:
#
#     # stat /etc/shadow
#     Access: (0640/-rw-r-----) Uid: (0/root) Gid: (42/shadow)
#
# Remediation
# ===========
# Run the following commands to set permissions on /etc/shadow:
#
#     # chown root:shadow /etc/shadow
#     # chmod o-rwx,g-wx /etc/shadow
#
parameters:
  linux:
    system:
      file:
        /etc/shadow:
          user: 'root'
          group: 'shadow'
          mode: '0640'
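
# Added example (not part of the original file): a POSIX shell version of the
# audit above that treats "640 or more restrictive" as a bitmask test instead
# of a string compare. The function names mode_within and audit_file are
# illustrative, and GNU stat (coreutils) is assumed.

```shell
#!/bin/sh
# Added example: audit owner, group and mode as the CIS 6.1.3 text describes.
# Function names are illustrative; GNU stat (coreutils) is assumed.

# mode_within MODE MAX: succeed if MODE sets no bit outside MAX, i.e. MODE is
# "MAX or more restrictive". Both arguments are octal strings (640 or 0640).
mode_within() {
    extra=$(( 0$1 & ~0$2 & 07777 ))   # bits present in MODE but not in MAX
    [ "$extra" -eq 0 ]
}

# audit_file PATH USER GROUP MAX: print one PASS/FAIL line per property and
# return 0 only if all three comply (2 if the file cannot be stat'ed).
audit_file() {
    path=$1 want_user=$2 want_group=$3 max_mode=$4
    mode=$(stat -c %a -- "$path") || return 2   # %a = octal permission bits
    owner=$(stat -c %U -- "$path")              # %U = owner name
    group=$(stat -c %G -- "$path")              # %G = group name
    rc=0
    if [ "$owner" = "$want_user" ]; then
        echo "PASS owner=$owner"
    else
        echo "FAIL owner=$owner (expected $want_user)"; rc=1
    fi
    if [ "$group" = "$want_group" ]; then
        echo "PASS group=$group"
    else
        echo "FAIL group=$group (expected $want_group)"; rc=1
    fi
    if mode_within "$mode" "$max_mode"; then
        echo "PASS mode=$mode (within $max_mode)"
    else
        echo "FAIL mode=$mode (exceeds $max_mode)"; rc=1
    fi
    return "$rc"
}

# When called with four arguments, run the audit, for example:
#   sh audit.sh /etc/shadow root shadow 0640
if [ "$#" -eq 4 ]; then
    audit_file "$@"
fi
```

# Modes such as 600 or 400 pass, while 644, 660 and 4640 fail because each
# sets at least one bit that 0640 does not allow.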