
7.2.4 Ensure shadow group is empty

Audit

Run the following commands and verify no results are returned:

# awk -F: '($1=="shadow") {print $NF}' /etc/group
# awk -F: '($4 == '"$(getent group shadow | awk -F: '{print $3}' | xargs)"') {print " - user: \"" $1 "\" primary group is the shadow group"}' /etc/passwd
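The same two checks as a single function with a pass/fail exit status, as an added example that is not part of the benchmark text; it also covers a group file with no shadow entry. The function name `audit_shadow_group`, its file-path arguments and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit shadow-group membership from explicit file paths.
# audit_shadow_group and its arguments are illustrative names, not CIS-provided.

audit_shadow_group() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}

    # GID of the shadow group; empty if the group is not defined.
    gid=$(awk -F: '$1 == "shadow" {print $3; exit}' "$group_file")
    if [ -z "$gid" ]; then
        echo "PASS: no shadow group defined in $group_file"
        return 0
    fi

    # Supplementary members: last field of the shadow entry, comma separated.
    members=$(awk -F: '$1 == "shadow" {print $NF}' "$group_file" | tr ',' ' ')
    # Accounts whose primary GID (4th passwd field) is the shadow GID.
    primary=$(awk -F: -v gid="$gid" '$4 == gid {print $1}' "$passwd_file")

    rc=0
    for u in $members; do
        echo "FAIL: user \"$u\" is a member of the shadow group"
        rc=1
    done
    for u in $primary; do
        echo "FAIL: user \"$u\" primary group is the shadow group"
        rc=1
    done
    if [ "$rc" -eq 0 ]; then
        echo "PASS: shadow group is empty"
    fi
    return "$rc"
}

# Constructed sample data (not taken from a real host).
tmp=$(mktemp -d)
printf '%s\n' 'root:x:0:' 'shadow:x:42:alice,bob' > "$tmp/group"
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
              'carol:x:1001:42::/home/carol:/bin/sh' > "$tmp/passwd"
audit_shadow_group "$tmp/group" "$tmp/passwd" || echo "audit reported findings"
rm -rf "$tmp"
```

Called with no arguments, the function reads `/etc/group` and `/etc/passwd`.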

Remediation

Run the following command to remove all users from the shadow group:

# sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' /etc/group

Change the primary group of any users with shadow as their primary group.

# usermod -g <primary group> <user>