7.2.4 Ensure shadow group is empty

Information

The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.

Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.

Solution

Run the following command to remove all users from the shadow group

# sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/1/' /etc/group

Change the primary group of any users with shadow as their primary group.

# usermod -g <primary group> <user>

See Also

https://workbench.cisecurity.org/benchmarks/17045

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: f472c5525d196979554444d8cc4696af5ec95f85cafc14e8385c0c714a8b2725