← Rules Catalog
highaccess-controlverified

Ensure group root is the only GID 0 group

root-group-only-gid0 · RHEL ≥ 8 · 1 impl

Description

Only the root group should have GID 0. No other groups should be assigned this privileged group ID.

Rationale

Multiple groups with GID 0 could lead to confusion about permissions and unintended privilege escalation.

Check → Remediate

Checkcommand
# Find groups with GID 0 that are not root
gid0_groups=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/group)
if [ -n "$gid0_groups" ]; then
  echo "FAIL: Non-root groups with GID 0: $gid0_groups"
  exit 1
fi
echo "OK: Only root group has GID 0"
exit 0
expected_exit:
0
Remediatemanual
note:
Remove or reassign GID for groups with GID 0 that are not root

Framework references

CIS

rhel9 5.4.2.3rhel10 5.4.2.3rhel8 5.4.2.3

NIST 800-53

AC-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#root#gid#groups#privilege