6.2.4 Ensure shadow group is empty

Audit

Run the following commands and verify no results are returned:

# awk -F: '($1=="shadow") {print $NF}' /etc/group
# awk -F: -v GID="$(awk -F: '($1=="shadow") {print $3}' /etc/group)" '($4==GID) {print $1}' /etc/passwd
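
The two audit commands above combined into one pass/fail function, as an added example that is not part of the original benchmark text. The function name `audit_shadow_group`, the file-path parameters and the sample entries are assumptions of this example; the second check is skipped when no shadow group exists.

```shell
#!/bin/sh
# Added example: both audit checks in one function with a pass/fail exit status.
# The file paths are parameters (an assumption of this example) so the check
# can also be run against copies or constructed files.
audit_shadow_group() {
    group_file="${1:-/etc/group}"
    passwd_file="${2:-/etc/passwd}"
    findings=0

    # Check 1: members listed in the last field of the shadow group entry.
    members="$(awk -F: '($1=="shadow") {print $NF}' "$group_file")"
    if [ -n "$members" ]; then
        echo "FAIL: shadow group has members: $members"
        findings=1
    fi

    # Check 2: users whose primary GID (passwd field 4) is the shadow GID.
    gid="$(awk -F: '($1=="shadow") {print $3}' "$group_file")"
    if [ -n "$gid" ]; then
        primary="$(awk -F: -v GID="$gid" '($4==GID) {print $1}' "$passwd_file")"
        if [ -n "$primary" ]; then
            echo "FAIL: users with shadow as primary group: $(echo $primary | tr ' ' ',')"
            findings=1
        fi
    fi

    [ "$findings" -eq 0 ] && echo "PASS: shadow group is empty"
    return "$findings"
}

# Constructed sample data (not taken from a real system): two listed members
# and one user whose primary GID is the shadow GID, so both checks fail.
demo_dir="$(mktemp -d)"
printf 'root:x:0:\nshadow:x:42:alice,bob\n' > "$demo_dir/group"
printf 'root:x:0:0::/root:/bin/sh\ncarol:x:1001:42::/home/carol:/bin/sh\n' > "$demo_dir/passwd"
audit_shadow_group "$demo_dir/group" "$demo_dir/passwd" || true
rm -rf "$demo_dir"
```

Called with no arguments, the function reads /etc/group and /etc/passwd.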

Remediation

Run the following command to remove all users from the shadow group:

# sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' /etc/group

Change the primary group of any users with shadow as their primary group:

# usermod -g <primary group> <user>