5.4.2.3 Ensure group root is the only GID 0 group

Information

The groupmod command can be used to set the GID of the root group. This affects the permissions of files that are group-owned by the root group.

Using GID 0 for the root group helps prevent files that are group-owned by root from accidentally becoming accessible to non-privileged users.

Solution

Run the following command to set the root group's GID to 0:

# groupmod -g 0 root

Remove any groups other than the root group with GID 0 or assign them a new GID if appropriate.
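
A read-only check for this item, added here as an example (it is not part of the benchmark or the plugin): it reads a group(5)-format file, reports the GID of the root group, and lists any other group that also has GID 0. The function names and the sample group "sysadm" are hypothetical; the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit a group(5)-format file against "root is the only GID 0 group".
# All function names are hypothetical. FILE defaults to /etc/group.

# Print every group other than "root" whose GID field is numerically 0.
extra_gid0_groups() {
    awk -F: '$1 != "root" && $3 ~ /^[0-9]+$/ && $3 + 0 == 0 { print $1 }' \
        "${1:-/etc/group}"
}

# Print the GID assigned to the group named root (empty if the group is absent).
root_group_gid() {
    awk -F: '$1 == "root" { print $3; exit }' "${1:-/etc/group}"
}

# Return 0 (pass) only if root has GID 0 and no other group shares it.
audit_gid0() {
    file="${1:-/etc/group}"
    status=0
    gid="$(root_group_gid "$file")"
    if [ "$gid" != "0" ]; then
        echo "FAIL: group root has GID '${gid}', expected 0"
        status=1
    fi
    for g in $(extra_gid0_groups "$file"); do
        echo "FAIL: group '$g' also has GID 0"
        status=1
    done
    if [ "$status" -eq 0 ]; then
        echo "PASS: root is the only GID 0 group"
    fi
    return "$status"
}

# Write a constructed sample file in which "sysadm" wrongly shares GID 0.
write_sample_group() {
    cat > "$1" <<'EOF'
root:x:0:
daemon:x:1:
sysadm:x:0:alice
wheel:x:10:alice
EOF
}
```

Source the file and run audit_gid0 with no argument to check /etc/group; each FAIL line names a group to remove or renumber as described in the solution above.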

See Also

https://workbench.cisecurity.org/benchmarks/18209

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 7f8971f8d1769f0d23bf0b7d9a44a5995d525b6dc560582f0f5bc5a81f7decce