Ensure shadow Group is Empty

Docs > Plateforme de sécurité Datadog > OOTB Rules > Ensure shadow Group is Empty

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.

Rationale

Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' /etc/group

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure interactive local users are the owners of their respective initialization
    files
  ansible.builtin.lineinfile:
    dest: /etc/group
    backrefs: true
    regexp: (^shadow:[^:]*:[^:]*:)([^:]+$)
    line: \1
  tags:
  - PCI-DSS-Req-8.2.1
  - PCI-DSSv4-8.3
  - PCI-DSSv4-8.3.2
  - ensure_shadow_group_empty
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

Warning

This rule remediation will ensure the group membership is empty in /etc/group. To avoid any disruption the remediation won’t change the primary group of users in /etc/passwd if any user has the shadow GID as primary group.