Ensure shadow group is emptyID: oval:org.secpod.oval:def:68708 | Date: (C)2021-01-31 (M)2023-12-20 |
Class: COMPLIANCE | Family: unix |
The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.
Rationale:
Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the /etc/shadow file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the /etc/shadow file (such as expiration) could also be useful to subvert additional user accounts.