passwd_invalid_gid

This built-in function checks that each group ID (GID) used in /etc/passwd is defined in /etc/group. It succeeds if every GID is properly defined and fails otherwise.

Every GID referenced in /etc/passwd should also be listed in /etc/group. Otherwise, the system is in an inconsistent state and problems may arise.

Consider the following scenario: a user (“bob”) has a UID of 1000 and GID of 4000. The GID is not defined in /etc/group, which means that the primary group of the user does not grant him any privileges today. A few months later, the system administrator edits /etc/group and adds the group “admin” and selects the “unused” GID #4000 to identify it. Now, user “bob” by default belongs to the “admin” group even though this was not intended.

Edit /etc/group to add the missing GIDs.
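The following is an added illustration, not Tenable's implementation of the check: it reproduces the passwd_invalid_gid logic in Python over constructed /etc/passwd and /etc/group contents, including the “bob” scenario above, before and after an administrator adds an “admin” group on the unused GID 4000.

```python
# Added example, not Tenable's own implementation: reproduce the
# passwd_invalid_gid check in Python over constructed file contents.

def _records(text, nfields):
    """Yield field lists for well-formed colon-separated lines.

    Blank lines, comments and NIS compat entries (+/-) are skipped;
    a line with the wrong field count is treated as malformed.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"malformed entry: {line!r}")
        yield fields

def invalid_gids(passwd_text, group_text):
    """Return [(user, gid), ...] for users whose primary GID has no /etc/group entry.

    An empty list means the check passes. A non-numeric GID field is
    reported as invalid rather than aborting the whole check.
    """
    known = {int(g[2]) for g in _records(group_text, 4) if g[2].isdigit()}
    bad = []
    for p in _records(passwd_text, 7):
        gid = int(p[3]) if p[3].isdigit() else None
        if gid is None or gid not in known:
            bad.append((p[0], p[3]))
    return bad

# Constructed sample data reproducing the page's scenario: "bob" has
# GID 4000 but no group with that GID exists yet.
PASSWD = """root:x:0:0:root:/root:/bin/bash
# comment line
bob:x:1000:4000:Bob:/home/bob:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/sh
"""
GROUP = "root:x:0:\nalice:x:1001:\n"
# The same file after an administrator adds "admin" on the unused GID 4000.
GROUP_AFTER = GROUP + "admin:x:4000:\n"

if __name__ == "__main__":
    print(invalid_gids(PASSWD, GROUP))        # [('bob', '4000')]
    print(invalid_gids(PASSWD, GROUP_AFTER))  # [] -- bob is now in "admin"
```

The second call passing is exactly the silent privilege change the scenario describes: the check no longer fails, but bob has become a member of a group nobody assigned him to.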

Usage

<item>
  name: "passwd_invalid_gid"
  description: "This check makes sure that every GID defined in /etc/passwd exists in /etc/group."
</item>

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.