======6.2.20 Ensure shadow group is empty (Scored)======

=====Profile Applicability=====

<code>
Level 1 - Server
Level 1 - Workstation
</code>

=====Description=====

The shadow group allows system programs which require access the ability to read the ''/etc/shadow'' file. No users should be assigned to the shadow group.

=====Rationale=====

Any users assigned to the shadow group would be granted read access to the ''/etc/shadow'' file. If attackers can gain read access to the ''/etc/shadow'' file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the ''/etc/shadow'' file (such as expiration) could also be useful to subvert additional user accounts.

=====Audit=====

Run the following commands and verify no results are returned. The first lists supplementary members of the shadow group (a non-empty fourth field on its ''/etc/group'' line); the second lists users whose primary GID is the shadow group's GID, with ''<shadow-gid>'' replaced by the GID from the shadow entry in ''/etc/group''. Note that ''+'' is only a repetition operator in extended regular expressions, so the grep needs ''-E'' (or ''\+'') to work as intended:

<code bash>
# grep -E '^shadow:[^:]*:[^:]*:[^:]+' /etc/group
# awk -F: '($4 == "<shadow-gid>") { print }' /etc/passwd
</code>

=====Remediation=====

Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group.

ubuntu1604/6/2/20.txt · Last modified: 2017/05/04 15:08 by Piotr Kłoczewski
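The audit above, written as a small script so both checks run together and the shadow GID is looked up rather than typed in. This is an added example, not part of the CIS benchmark or this wiki page; it runs against constructed copies of ''/etc/group'' and ''/etc/passwd'' by default, and the file paths, function names and sample accounts are assumptions.

```bash
#!/bin/sh
# Added example, not from the CIS benchmark or this wiki page: audit the shadow
# group the way the two commands above do, against constructed copies of
# /etc/group and /etc/passwd so it runs offline. Pass real paths as arguments
# to check a live system: ./check_shadow_group.sh /etc/group /etc/passwd

# Supplementary members of the shadow group (4th field of its /etc/group line).
shadow_members() {
    awk -F: '$1 == "shadow" && $4 != "" { print $4 }' "$1"
}

# GID of the shadow group (3rd field of its /etc/group line).
shadow_gid() {
    awk -F: '$1 == "shadow" { print $3 }' "$1"
}

# Users whose primary GID (4th field of /etc/passwd) is the shadow group's GID.
shadow_primary_users() {
    gid=$(shadow_gid "$1")
    [ -n "$gid" ] || return 0
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
}

# Returns 0 when the shadow group is empty, 1 when any finding is printed.
audit_shadow_group() {
    members=$(shadow_members "$1")
    primary=$(shadow_primary_users "$1" "$2")
    status=0
    [ -z "$members" ] || { echo "FAIL: shadow group members: $members"; status=1; }
    [ -z "$primary" ] || { echo "FAIL: shadow is primary group of: $primary"; status=1; }
    [ "$status" -ne 0 ] || echo "PASS: shadow group is empty"
    return "$status"
}

# Constructed sample files (not real system data); both checks fail on them.
tmp=$(mktemp -d)
cat > "$tmp/group" <<'EOF'
root:x:0:
shadow:x:42:backup,auditor
sudo:x:27:alice
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:42:Service account:/var/lib/svc:/usr/sbin/nologin
EOF
if audit_shadow_group "${1:-$tmp/group}" "${2:-$tmp/passwd}"; then rc=0; else rc=1; fi
rm -rf "$tmp"
```

On the sample data it reports ''backup,auditor'' as shadow group members and ''svc'' as a user whose primary group is shadow; on a compliant system it prints the PASS line and exits 0.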