6.2.4 Ensure shadow group is empty

Information

The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.

Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.

Solution

Run the following command to remove all users from the shadow group

# sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/1/' /etc/group

Change the primary group of any users with shadow as their primary group.

# usermod -g <primary group> <user>

See Also

https://workbench.cisecurity.org/benchmarks/13775