{"description": "The shadow group grants system programs that require it the ability\nto read the /etc/shadow file. No users should be assigned to the shadow group.", "rationale": "Any users assigned to the shadow group would be granted read access to the\n/etc/shadow file. If attackers can gain read access to the /etc/shadow file,\nthey can easily run a password cracking program against the hashed passwords\nto break them. Other security information that is stored in the /etc/shadow\nfile (such as expiration) could also be useful to subvert additional user\naccounts.", "severity": "medium", "references": {"pcidss": ["Req-8.2.1"], "cis": ["7.2.4"], "pcidss4": ["8.3.2", "8.3"]}, "control_references": {"cis": ["7.2.4"], "pcidss4": ["8.3.2", "8.3"]}, "components": [], "identifiers": {}, "ocil_clause": "shadow group is not empty", "ocil": "Run the following commands and verify no results are returned:\n<pre>\ngrep -E '^shadow:[^:]*:[^:]*:[^:]+' /etc/group\nawk -F: '($4 == \"<shadow-gid>\") { print }' /etc/passwd\n</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "This rule remediation will ensure the group membership is empty in /etc/group. To avoid any\ndisruption, the remediation won't change the primary group of users in /etc/passwd if any\nuser has the shadow GID as primary group."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure shadow Group is Empty", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/rule.yml", "template": null}