Ensure shadow Group is Empty
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Description
The shadow group allows system programs which require access the ability
to read the /etc/shadow file. No users should be assigned to the shadow group.
Rationale
Any users assigned to the shadow group would be granted read access to the
/etc/shadow file. If attackers can gain read access to the /etc/shadow file,
they can easily run a password cracking program against the hashed passwords
to break them. Other security information that is stored in the /etc/shadow
file (such as expiration) could also be useful to subvert additional user
accounts.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' /etc/group
Warning
This rule remediation will ensure the group membership is empty in /etc/group. To avoid any
disruption the remediation won’t change the primary group of users in /etc/passwd if any
user has the shadow GID as primary group.