Ensure Default Group for the Root Account Is GID 0 : iCompaas Support

Profile Applicability:
• Level 1

Description:
The root account should have a default group with Group ID (GID) 0, typically the root group. Ensuring the root user is assigned to the correct primary group helps maintain proper permission and security boundaries for this privileged account.

Rationale:
Having the root user’s primary group set to GID 0 enforces expected privilege separation and avoids potential permission misconfigurations that could weaken system security.

Impact:
Pros:

Maintains standard Linux permission model for the root user.
Prevents privilege escalation or access control issues.

Cons:

Incorrect group assignment can cause system administration issues.

Default Value:
By default, the root account is assigned to the root group with GID 0.

Pre-requisites:

Root or sudo privileges to inspect and modify user account settings.

Remediation:

Test Plan:

Using Linux command line:

1. Check the root user’s primary group:

id -gn root

2. Verify the group name corresponds to GID 0:

getent group 0

3. Confirm the root user is part of this group.

Implementation Plan:

Using Linux command line:

1. If the root user’s primary group is not GID 0, change it using:

usermod -g 0 root

2. Verify the change:

id -gn root

Backout Plan:

Using Linux command line:

1. Revert the root user’s primary group if necessary:

usermod -g <previous_group> root

2. Verify the group assignment.

References:

CIS Amazon Linux 2 Benchmark v3.0.0
Linux usermod Manual

Ensure Default Group for the Root Account Is GID 0 Print

Test Plan:

Implementation Plan:

Backout Plan:

Related Articles