Ensure shadow Group is Empty

Classification:

compliance

Framework:

Control:

Description

The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.

Rationale

Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

sed -ri 's/(^shadow:[^:]\*:[^:]\*:)([^:]+$)/\1/' /etc/group

Warning

This rule remediation will ensure the group membership is empty in /etc/group. To avoid any disruption the remediation won’t change the primary group of users in /etc/passwd if any user has the shadow GID as primary group.