====== 6.2.20 Ensure shadow group is empty (Scored) ======

===== Profile Applicability =====

  * Level 1 - Server
  * Level 1 - Workstation

===== Description =====

The shadow group allows system programs which require access the ability to read the ''/etc/shadow'' file. No users should be assigned to the shadow group.

===== Rationale =====

Any users assigned to the shadow group would be granted read access to the ''/etc/shadow'' file. If attackers can gain read access to the ''/etc/shadow'' file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the ''/etc/shadow'' file (such as expiration) could also be useful to subvert additional user accounts.

===== Audit =====

Run the following commands and verify no results are returned:

<code>
# grep -E '^shadow:[^:]*:[^:]*:[^:]+' /etc/group
# awk -F: '($4 == "<shadow-gid>") { print }' /etc/passwd
</code>

Replace ''<shadow-gid>'' with the GID of the shadow group (the third field of the ''shadow:'' line in ''/etc/group''). The first command lists accounts that are explicit members of the shadow group; the second lists accounts whose primary group is the shadow group.

===== Remediation =====

Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group.
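The two audit checks can be combined into a single script that also resolves the shadow GID itself instead of requiring it to be pasted in. The script below is an added example, not part of the benchmark text; it takes the paths of a group file and a passwd file as arguments, and the sample data it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Audit the shadow group against the given group and passwd files.
# Prints one finding per line; returns 0 when the group is empty and
# no account uses it as primary group, 1 otherwise.
shadow_group_audit() {
    group_file="$1"
    passwd_file="$2"
    findings=0

    # Check 1: the member list (4th field of the shadow line) must be empty.
    members=$(awk -F: '$1 == "shadow" { print $4 }' "$group_file")
    if [ -n "$members" ]; then
        echo "shadow group has explicit members: $members"
        findings=1
    fi

    # Check 2: no account may use the shadow GID as its primary group.
    # The GID is taken from the group file, so it need not be hard-coded.
    shadow_gid=$(awk -F: '$1 == "shadow" { print $3 }' "$group_file")
    if [ -n "$shadow_gid" ]; then
        primaries=$(awk -F: -v gid="$shadow_gid" '$4 == gid { print $1 }' "$passwd_file")
        if [ -n "$primaries" ]; then
            echo "accounts with shadow as primary group: $primaries"
            findings=1
        fi
    fi
    return "$findings"
}

# Constructed sample data (not from a real host): two accounts are listed
# as members of shadow, and one service account uses the shadow GID (42)
# as its primary group. Both conditions fail the benchmark.
write_sample_files() {
    dir="$1"
    printf 'root:x:0:\nshadow:x:42:backup,alice\nusers:x:100:\n' > "$dir/group"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$dir/passwd"
    printf 'alice:x:1000:100::/home/alice:/bin/sh\n' >> "$dir/passwd"
    printf 'svc:x:1001:42::/var/lib/svc:/usr/sbin/nologin\n' >> "$dir/passwd"
}
```

Running it against the real files is `shadow_group_audit /etc/group /etc/passwd`; a non-zero exit status means the benchmark item fails.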