mediumaccess-controlverified ✓
Ensure all local interactive users have a primary group that exists
user-primary-group-exists · RHEL ≥ 8 · 1 impl
Description
All local interactive user accounts must be assigned a primary group that actually exists in /etc/group.
Rationale
If a user's primary group does not exist, the user may be granted unintended access permissions or encounter errors accessing the system. Group consistency ensures the integrity of access controls.
Check → Remediate
Checkcommand
# Check for users with non-existent primary groups (UID >= 1000)
bad_users=""
while IFS=: read -r user _ uid gid _ _ _; do
if [ "$uid" -ge 1000 ] 2>/dev/null; then
if ! grep -q "^[^:]*:[^:]*:${gid}:" /etc/group 2>/dev/null; then
bad_users="$bad_users $user(gid=$gid)"
fi
fi
done < /etc/passwd
if [ -z "$bad_users" ]; then
echo "OK: All interactive users have valid primary groups"
exit 0
fi
echo "FAIL: Users with non-existent primary groups:$bad_users"
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- For each user with a non-existent primary group, either create the missing group with groupadd, or assign the user to an existing group with usermod -g <valid_group> <username>.
Framework references
STIG
V-281174 / RHEL-10-600150V-258048 / RHEL-09-411045
NIST 800-53
IA-4
Live verification
rhel9:check
#user-accounts#groups#integrity