6.2.20 Ensure shadow group is empty

Information

The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.

Rationale:

Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.

Solution

Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group.

See Also

https://workbench.cisecurity.org/files/2971