Ensure shadow Group is Empty
Description
The shadow group exists so that system programs which require access can read
the /etc/shadow file. No users should be assigned to the shadow group.
Rationale
Any users assigned to the shadow group would be granted read access to the
/etc/shadow file. If attackers can gain read access to the /etc/shadow file,
they can easily run a password cracking program against the hashed passwords
to break them. Other security information that is stored in the /etc/shadow
file (such as expiration) could also be useful to subvert additional user
accounts.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' /etc/group
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Ensure shadow Group is Empty
  ansible.builtin.lineinfile:
    dest: /etc/group
    backrefs: true
    regexp: (^shadow:[^:]*:[^:]*:)([^:]+$)
    line: \1
  tags:
  - PCI-DSS-Req-8.2.1
  - PCI-DSSv4-8.3
  - PCI-DSSv4-8.3.2
  - ensure_shadow_group_empty
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
Warning
This rule's remediation ensures that the shadow group's membership list in /etc/group is
empty. To avoid disruption, the remediation won't change the primary group of users in
/etc/passwd if any user has the shadow GID as primary group.
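As an added example (not part of the rule's own content), the following bash script turns the check, the sed remediation and the Warning's caveat into functions that take file paths, so they can be run against copies of /etc/group and /etc/passwd. The sample files, GID 42 and user names in demo are constructed.

```shell
#!/bin/bash
# Added example, not part of the ComplianceAsCode rule content: audit helpers for the
# "shadow group is empty" check plus the primary-GID caveat from the Warning above.
# Print the member list (4th field) of the shadow group; empty output means compliant.
shadow_group_members() {
  awk -F: '$1 == "shadow" { print $4 }' "$1"
}

# Print the GID (3rd field) of the shadow group.
shadow_gid() {
  awk -F: '$1 == "shadow" { print $3 }' "$1"
}

# List passwd entries whose primary GID equals the shadow GID. The sed/Ansible remediation
# deliberately leaves these alone, so they keep /etc/shadow read access until fixed by hand.
users_with_shadow_primary_gid() {
  local gid
  gid=$(shadow_gid "$1")
  [ -n "$gid" ] || return 0
  awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
}

# One-line verdict; returns 1 when the group has members.
audit_shadow_group() {
  local members
  members=$(shadow_group_members "$1")
  if [ -n "$members" ]; then
    echo "FAIL: shadow group has members: $members"
    return 1
  fi
  echo "PASS: shadow group has no members"
}

# Same edit as the remediation script above, parameterised on the file path.
remediate_shadow_group() {
  sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' "$1"
}

# Demo on constructed sample files (GID 42 and the user names are made up).
demo() {
  local g p
  g=$(mktemp) && p=$(mktemp)
  printf 'root:x:0:\nshadow:x:42:backup,alice\n' > "$g"
  printf 'root:x:0:0::/root:/bin/bash\nsvc:x:999:42::/var/lib/svc:/usr/sbin/nologin\n' > "$p"
  audit_shadow_group "$g" || remediate_shadow_group "$g"
  audit_shadow_group "$g"
  echo "users still holding shadow as primary GID: $(users_with_shadow_primary_gid "$g" "$p")"
  rm -f "$g" "$p"
}
demo
```

The demo shows the remediation emptying the member list while the service account whose primary GID is 42 is reported rather than changed, which is exactly the gap the Warning describes.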