passwd_duplicate_gid

This built-in function checks that the primary group ID (GID) of each user, the fourth field of /etc/passwd, is unique. The test passes if no two accounts share a primary GID and fails otherwise.

Security standards recommend creating one group per user (a "user private group", typically with the same name as the username) and making it the user's primary group. With this layout, a file created by the user belongs to a group whose only member is that user, so as long as nobody else is added to the group, group permissions give no other account write access: the file is "secure by default" regardless of the group bits in the umask. A user who wants a file to be writable by the other members of a shared group must change its group explicitly with chgrp (and grant group write permission).

Another advantage of this approach is that group membership is managed in a single file, /etc/group, instead of being split between the primary GID field of /etc/passwd and the member lists in /etc/group.

For each user, create a group with the same name and make it the user's primary group. Manage group membership through /etc/group only.
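The following POSIX shell script is an added illustration, not the Nessus plugin's own code: it re-implements the logic of the passwd_duplicate_gid check over a passwd-format file and adds a companion check for the one-group-per-user layout recommended above (each account's primary GID must be a group with the same name as the account). The sample /etc/passwd and /etc/group contents, the function names and the temporary working directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not Nessus/Tenable code: re-implements the logic behind the
# passwd_duplicate_gid check and adds a companion check for the
# one-group-per-user layout. Function names and sample data are constructed.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
PASSWD_FILE="$WORKDIR/passwd"
GROUP_FILE="$WORKDIR/group"

# Constructed sample /etc/passwd: alice and bob share primary GID 100,
# carol has a private group, dave's primary group is the shared "staff".
cat >"$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
dave:x:1003:1003:Dave:/home/dave:/bin/bash
EOF

# Constructed sample /etc/group matching the accounts above.
cat >"$GROUP_FILE" <<'EOF'
root:x:0:
users:x:100:
carol:x:1002:
staff:x:1003:dave
EOF

# duplicate_primary_gids PASSWD_FILE
# Prints every primary GID (4th field) shared by more than one account, as
# "GID: user1 user2 ...". Exit status 0 when all primary GIDs are unique
# (the Nessus test passes), 1 otherwise (it fails).
duplicate_primary_gids() {
    awk -F: '
        NF >= 4 && $1 !~ /^#/ { count[$4]++; users[$4] = users[$4] " " $1 }
        END {
            dups = 0
            for (gid in count)
                if (count[gid] > 1) { dups++; print gid ":" users[gid] }
            exit (dups > 0 ? 1 : 0)
        }' "$1"
}

# missing_private_groups PASSWD_FILE GROUP_FILE
# Prints every account whose primary GID is not a group with the same name
# as the account, as "user:GID:groupname" (groupname is "<none>" when the
# GID is not defined in GROUP_FILE). Exit status 0 when every account has a
# private group, 1 otherwise.
missing_private_groups() {
    # GROUP_FILE is read first so the gid -> name map exists while scanning
    # PASSWD_FILE; hence the argument order is swapped for awk.
    awk -F: '
        FILENAME == ARGV[1] { if (NF >= 3) gname[$3] = $1; next }
        NF >= 4 && $1 !~ /^#/ && !(($4 in gname) && gname[$4] == $1) {
            print $1 ":" $4 ":" (($4 in gname) ? gname[$4] : "<none>")
            missing++
        }
        END { exit (missing > 0 ? 1 : 0) }' "$2" "$1"
}

# Run both checks against the sample files, in the style of an audit result.
if duplicate_primary_gids "$PASSWD_FILE"; then
    echo "passwd_duplicate_gid: PASSED"
else
    echo "passwd_duplicate_gid: FAILED (shared primary GIDs listed above)"
fi
if missing_private_groups "$PASSWD_FILE" "$GROUP_FILE"; then
    echo "private groups: every account has one"
else
    echo "private groups: accounts without one listed above"
fi
```

On the sample data the first check fails because alice and bob share GID 100, and the second check additionally flags dave, whose primary GID 1003 is unique but belongs to the shared group "staff" rather than a private group; a unique GID alone does not guarantee the one-group-per-user layout, which is why both checks are worth running together. To run the checks against a real host, point the functions at /etc/passwd and /etc/group instead of the constructed files.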

Usage

<item>
 name: "passwd_duplicate_gid"
 description: "This check makes sure that every GID in /etc/passwd is unique."
</item>