-3

It seems I have extra groups that I need to delete because I think they are related to a breach. I should not have any network shares and am on a fresh install. What are the default groups on a fresh install of 20.04? Can I delete the ones I don't need?

Currently I have these groups.

daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,user
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:user
floppy:x:25:
tape:x:26:
sudo:x:27:user
audio:x:29:pulse
dip:x:30:user
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:user
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:

systemd-journal:x:101:
systemd-network:x:102:
systemd-resolve:x:103:
systemd-timesync:x:104:
crontab:x:105:
messagebus:x:106:
input:x:107:
kvm:x:108:
render:x:109:
syslog:x:110:
tss:x:111:
bluetooth:x:112:
ssl-cert:x:113:
uuidd:x:114:
tcpdump:x:115:
avahi-autoipd:x:116:
rtkit:x:117:
ssh:x:118:
netdev:x:119:
lpadmin:x:120:user
avahi:x:121:
scanner:x:122:saned
saned:x:123:
nm-openvpn:x:124:
whoopsie:x:125:
colord:x:126:
geoclue:x:127:
pulse:x:128:
pulse-access:x:129:
gdm:x:130:
lxd:x:131:user
user:x:1000:
sambashare:x:132:user

Kulfy
  • 18,154

1 Answer

7

Almost all of these groups are normal to have pre-defined in your system. DO NOT DELETE THEM because these groups are supposed to be predefined in a default installation.

If you believe your system was breached, then wiping your system and reinstalling from scratch will be your best option. None of these groups indicate a breach, but if you believe you were breached you need to clean your system up. Either restore from known backups or just wipe and reinstall.

(Most malware won't alter your users or groups, by the way; they'll leverage existing users/groups/system users to execute processes.)

Thomas Ward
  • 78,878
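Because existing groups are what tends to get abused, a membership diff against a known-good copy tells you more than scanning for unfamiliar group names. The following Python script is an added example, not part of the original question or answer: it compares two `/etc/group` snapshots and reports new groups, changed GIDs, added members, and any non-root group with GID 0. The `PRIVILEGED` set, the function names and the sample snapshots are assumptions of this example.

```python
"""Compare two /etc/group snapshots and report what changed (added example)."""

# Groups whose membership grants elevated access on Ubuntu. This selection is
# an assumption of the example; extend it for your environment.
PRIVILEGED = {"sudo", "adm", "lxd", "disk", "shadow"}

def parse_group(text):
    """Parse /etc/group text into {name: (gid, set_of_members)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        name, _pw, gid, members = fields
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def audit(baseline_text, current_text):
    """Return the list of differences between a baseline and a current snapshot."""
    base, cur = parse_group(baseline_text), parse_group(current_text)
    findings = []
    for name in sorted(cur.keys() - base.keys()):
        findings.append(f"new group: {name} (gid {cur[name][0]})")
    for name in sorted(base.keys() - cur.keys()):
        findings.append(f"missing group: {name}")
    for name in sorted(cur.keys() & base.keys()):
        if cur[name][0] != base[name][0]:
            findings.append(f"gid changed: {name} {base[name][0]} -> {cur[name][0]}")
        for user in sorted(cur[name][1] - base[name][1]):
            tag = "PRIVILEGED " if name in PRIVILEGED else ""
            findings.append(f"{tag}member added: {user} -> {name}")
    for name, (gid, _members) in sorted(cur.items()):
        if gid == 0 and name != "root":
            findings.append(f"gid 0 reused by non-root group: {name}")
    return findings

# Constructed sample data in the format shown in the question.
BASELINE = "root:x:0:\nadm:x:4:syslog,user\nsudo:x:27:user\nlxd:x:131:user\n"
# Constructed "current" snapshot: account svc added to sudo, one new group.
CURRENT = ("root:x:0:\nadm:x:4:syslog,user\nsudo:x:27:user,svc\n"
           "lxd:x:131:user\nsambashare:x:132:user\n")

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(finding)
```

On a real system, feed it a copy of `/etc/group` saved right after installation and the current file; a new group created by a package install will show up alongside anything unexpected, so read the output with the install history in mind.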