← Rules Catalog
mediumaccess-controlverified

Ensure all local interactive users have a primary group that exists

user-primary-group-exists · RHEL ≥ 8 · 1 impl

Description

All local interactive user accounts must be assigned a primary group that actually exists in /etc/group.

Rationale

If a user's primary group does not exist, the user may be granted unintended access permissions or encounter errors accessing the system. Group consistency ensures the integrity of access controls.

Check → Remediate

Checkcommand
# Check for users with non-existent primary groups (UID >= 1000)
bad_users=""
while IFS=: read -r user _ uid gid _ _ _; do
  if [ "$uid" -ge 1000 ] 2>/dev/null; then
    if ! grep -q "^[^:]*:[^:]*:${gid}:" /etc/group 2>/dev/null; then
      bad_users="$bad_users $user(gid=$gid)"
    fi
  fi
done < /etc/passwd
if [ -z "$bad_users" ]; then
  echo "OK: All interactive users have valid primary groups"
  exit 0
fi
echo "FAIL: Users with non-existent primary groups:$bad_users"
exit 1
expected_exit:
0
Remediatemanual
note:
For each user with a non-existent primary group, either create the missing group with groupadd, or assign the user to an existing group with usermod -g <valid_group> <username>.

Framework references

STIG

V-281174 / RHEL-10-600150V-258048 / RHEL-09-411045

NIST 800-53

IA-4

Live verification

rhel9:check
#user-accounts#groups#integrity