Ensure shadow Group is Empty

An XCCDF Rule

Description

The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.

warning alert: Warning

This rule remediation will ensure the group membership is empty in /etc/group. To avoid any disruption the remediation won't change the primary group of users in /etc/passwd if any user has the shadow GID as primary group.

Rationale

Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.

ID: xccdf_org.ssgproject.content_rule_ensure_shadow_group_empty
Severity: Medium
References: Req-8.2.1

8.3.2

6.2.4
Updated: about 1 year ago


sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' /etc/group

Ensure shadow Group is Empty

Description

Rationale

Remediation - Shell Script