inspec/docs/resources/shadow.md.erb

---
title: About the shadow Resource
platform: linux
---

# shadow

Use the `shadow` InSpec audit resource to test the contents of `/etc/shadow`, which contains password details that are only readable by the `root` user. The format for `/etc/shadow` includes:

* A username
* The hashed password for that user
* The last time a password was changed
* The minimum number of days a password must exist, before it may be changed
* The maximum number of days after which a password must be changed
* The number of days a user is warned about an expiring password
* The number of days a user must be inactive before the user account is disabled
* The number of days a user account has been disabled

These entries are defined as a colon-delimited row in the file, one row per user:

    dannos:Gb7crrO5CDF.:10063:0:99999:7:::

<br>

## Syntax

A `shadow` resource block declares user properties to be tested:

    describe shadow do
      its('users') { should_not include 'forbidden_user' }
    end

Properties can be used as a single query:

    describe shadow.user('root') do
      its('count') { should eq 1 }
    end

Use the `.where` method to find properties that match a value:

    describe shadow.where { min_days == '0' } do
      its ('users') { should include 'nfs' }
    end

    describe shadow.where { password =~ /[x|!|*]/ } do
      its('count') { should eq 0 }
    end

The following properties are available:

* `users`
* `passwords`
* `last_changes`
* `min_days`
* `max_days`
* `warn_days`
* `inactive_days`
* `expiry_dates`
* `reserved`

<br>

## Examples

The following examples show how to use this InSpec audit resource.

### Test for a forbidden user

    describe shadow do
      its('users') { should_not include 'forbidden_user' }
    end

### Test that a user appears one time

    describe shadow.users('bin') do
      its('passwords') { should cmp 'x' }
      its('count') { should eq 1 }
    end

<br>

## Properties

### users

The `users` property tests if the username exists `/etc/shadow`:

    its('users') { should include 'root' }

### passwords

The `passwords` property returns the encrypted password string from the shadow file. The returned string may not be an encrypted password, but rather a `*` or similar which indicates that direct logins are not allowed.

For example:

    its('passwords') { should cmp '*' }

### last\_changes

The `last_changes` property tests the last time a password was changed:

    its('last_changes') { should be_empty }

### min\_days

The `min_days` property tests the minimum number of days a password must exist, before it may be changed:

    its('min_days') { should eq 0 }

### max\_days

The `max_days` property tests the maximum number of days after which a password must be changed:

    its('max_days') { should eq 90 }

### warn\_days

The `warn_days` property tests the number of days a user is warned about an expiring password:

    its('warn_days') { should eq 7 }

### inactive\_days

The `inactive_days` property tests the number of days a user must be inactive before the user account is disabled:

    its('inactive_days') { should be_empty }

### expiry\_dates

The `expiry_dates` property tests the number of days a user account has been disabled:

    its('expiry_dates') { should be_empty }

### count

The `count` property tests the number of times the named property appears:

    describe shadow.user('root') do
      its('count') { should eq 1 }
    end

This property is best used in conjunction with filters. For example:

    describe shadow.where { password =~ /[x|!|*]/ } do
      its('count') { should eq 0 }
    end

<br>

## Matchers

For a full list of available matchers, please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/).