Ensure shadow Group is Empty

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Description

The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.

Rationale

Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' /etc/group

Warning

This rule remediation will ensure the group membership is empty in /etc/group. To avoid any disruption the remediation won’t change the primary group of users in /etc/passwd if any user has the shadow GID as primary group.