Ensure shadow Group is Empty

문서 > Datadog 보안 > OOTB Rules > Ensure shadow Group is Empty

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.

Rationale

Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' /etc/group

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure interactive local users are the owners of their respective initialization
    files
  ansible.builtin.lineinfile:
    dest: /etc/group
    backrefs: true
    regexp: (^shadow:[^:]*:[^:]*:)([^:]+$)
    line: \1
  tags:
  - PCI-DSS-Req-8.2.1
  - PCI-DSSv4-8.3
  - PCI-DSSv4-8.3.2
  - ensure_shadow_group_empty
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Warning

This rule remediation will ensure the group membership is empty in /etc/group. To avoid any disruption the remediation won’t change the primary group of users in /etc/passwd if any user has the shadow GID as primary group.