
It seems I have extra groups that I need to delete because I think they are related to a breach. I should not have any network shares and am on a fresh install. What are the default groups on a fresh install of 20.04? Can I delete the ones I don't need?

Currently I have these groups.

daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,user
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:user
floppy:x:25:
tape:x:26:
sudo:x:27:user
audio:x:29:pulse
dip:x:30:user
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:user
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:

systemd-journal:x:101:
systemd-network:x:102:
systemd-resolve:x:103:
systemd-timesync:x:104:
crontab:x:105:
messagebus:x:106:
input:x:107:
kvm:x:108:
render:x:109:
syslog:x:110:
tss:x:111:
bluetooth:x:112:
ssl-cert:x:113:
uuidd:x:114:
tcpdump:x:115:
avahi-autoipd:x:116:
rtkit:x:117:
ssh:x:118:
netdev:x:119:
lpadmin:x:120:user
avahi:x:121:
scanner:x:122:saned
saned:x:123:
nm-openvpn:x:124:
whoopsie:x:125:
colord:x:126:
geoclue:x:127:
pulse:x:128:
pulse-access:x:129:
gdm:x:130:
lxd:x:131:user
user:x:1000:
sambashare:x:132:user

Kulfy
  • If your system was breached or you think your system was breached then your best bet is to reimage the device and start over. There is no telling what they installed on this device that you can't see, rootkits etc so you're safest just re-imaging and standing up anew. – Robby1212 Jun 23 '20 at 13:36
  • You haven't said if you're talking about a server, or desktop release. It also looks like you've installed a number of additional packages (which have caused extra permissions to be added, groups I don't have on my system). – guiverc Jun 23 '20 at 13:49
  • I don't understand the question - you wrote that this was a fresh install. What makes you believe that a fresh install has extra unnecessary groups? – user535733 Jun 23 '20 at 14:10
  • Adding to that: someone breaching your system will not be reflected through groups. There is no need for that since it means that person has root access. – Rinzwind Jun 23 '20 at 14:12
  • If it gives you peace of mind then refer to this thread about installing anti-virus software: https://askubuntu.com/questions/1140679/antivirus-for-ubuntu-18-04/1140685#1140685 – graham Jun 23 '20 at 14:22
  • Thanks... I did notice extra groups which is why I am asking. For instance, rtkit? What is that? – cyberstalked Jun 23 '20 at 14:50
  • I would like to know the groups that come from additional packages, please. It was a fresh install.... – cyberstalked Jun 23 '20 at 14:52
  • This was a 'minimal' install on LVM encryption. – cyberstalked Jun 23 '20 at 14:53
  • I need to get rid of the groups that may come from extra packages or from the full version. – cyberstalked Jun 23 '20 at 14:53
  • Why am I being downvoted on a legitimate question. If these are not available on a clean install, I likely have malware running from persistent storage and need to remove those packages. – cyberstalked Jun 23 '20 at 14:59
  • rtkit is the RealTimeKit - "RealtimeKit is a D-Bus system service that changes the scheduling policy of user processes/threads to SCHED_RR (i.e. realtime scheduling mode) on request. It is intended to be used as a secure mechanism to allow real-time scheduling to be used by normal user processes." – Thomas Ward Jun 23 '20 at 15:00
  • As I stated before, *many of those groups you see are LEGITIMATE and are SUPPOSED to be predefined in a default installation* – Thomas Ward Jun 23 '20 at 15:00

1 Answer

Almost all of these groups are normal to have pre-defined in your system. DO NOT DELETE THEM because these groups are supposed to be predefined in a default installation.

If you believe your system was breached, then wiping your system and reinstalling from scratch will be your best option. None of these groups indicate a breach, but if you believe you were breached you need to clean your system up. Either restore from known backups or just wipe and reinstall.

(Most malware won't alter your users or groups by the way, they'll leverage existing users/groups/systemusers to execute processes)

Thomas Ward
  • Thank you :) I've been doing a lot of reinstalls and working on live. I end up with a lot of keyloggers from persistent storage. Under 'Other Locations', I am showing 'Windows Network' which does not connect to anything I have access to. Does this show by default as well? – cyberstalked Jun 23 '20 at 14:49
  • It may if there's Windows devices broadcasting on the network or you use a domain rather than .local or such. If the system sees Windows mDNS announcements/requests or such it may show. I don't see it on my networks unless I connect to a Windows-driven/controlled/dominant network. It may also be shown as long as you have Samba installed/available, which is Normal for what I see for smb file support. – Thomas Ward Jun 23 '20 at 14:51
  • I removed samba and have no other devices running. I have no wifi or bluetooth running. I believe this is part of the breach and on wireshark, I saw numerous local streams. I have set nothing up locally and need to get rid of all of these connections. – cyberstalked Jun 23 '20 at 14:58
  • Without seeing your wireshark I can't give you any more insights. It sounds like you want to confirm that you've got a breach, which is a much more in-depth job than this site will be able to help you with. As I've said before, if you think you're breached the simplest solution is nuke and start over. – Thomas Ward Jun 23 '20 at 14:59
  • Thanks, you answered my question. I'm on my fourth nuke. :) The issue is that persistent storage is written into the installer usb stick. – cyberstalked Jun 23 '20 at 15:01
  • I'm a little confused - are you using a LiveUSB with persistent storage or a directly-installed system? Normally you wouldn't be using a persistent-storage LiveUSB as a regular use system – Thomas Ward Jun 23 '20 at 15:02
  • I was using live exclusively. Some of the apps from the persistent storage yielded the attacker permissions. I think the attacker is trying to get the same permissions on my minimal install using automated processes. I appreciate your feedback it has been very helpful for me. – cyberstalked Jun 23 '20 at 15:08
  • And believe me, if you're a little confused, I've been way more confused because the attacks have been evolving and changing very quickly. – cyberstalked Jun 23 '20 at 15:10
  • @cyberstalked stop using live persistent storage. If you want to go through an in-depth analysis of wireshark data, running processes, etc. then that's way beyond the scope of Ask Ubuntu. But none of those groups indicate a breach and you need to hire a cyber-security expert to analyze your system/environment/Live env/packetlogs. And as my answer says, most usual malware does NOT alter users/groups it uses existing groups. And in a live USB environment, your user has no password for sudo so... – Thomas Ward Jun 23 '20 at 15:11
  • Thank you. You've been more helpful than you think. I really appreciate it. – cyberstalked Jun 23 '20 at 15:16
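The answer's point is that the list of group names is normal; the thing worth reviewing is which accounts are members of which groups, since malware tends to use existing memberships rather than create new ones. The following is an added example (not code from the post or from Thomas Ward) that parses `/etc/group` text, classifies GIDs by the Debian allocation ranges (0-99 static system, 100-999 dynamic system, 1000+ regular users, 65534 nogroup), and reports privileged groups that have members. The `PRIVILEGED_GROUPS` set is an assumption chosen for the illustration, and the sample data is a constructed excerpt of the listing from the question plus a `root` line.

```python
"""Audit an /etc/group listing: group names being present is normal,
group membership is what to review. Added example, not from the post."""

from dataclasses import dataclass
from typing import Dict, List

# Assumption for this illustration: groups whose membership grants broad
# control of a Debian/Ubuntu host. sudo and adm show a human member in the
# question's own listing; the others are included as common examples.
PRIVILEGED_GROUPS = {"root", "sudo", "adm", "disk", "shadow", "lxd", "docker"}

# Constructed sample: an excerpt of the question's listing plus a root line
# (the question's excerpt started at daemon).
SAMPLE_GROUP_FILE = """\
root:x:0:
daemon:x:1:
adm:x:4:syslog,user
cdrom:x:24:user
sudo:x:27:user
dip:x:30:user
shadow:x:42:
plugdev:x:46:user
nogroup:x:65534:
systemd-journal:x:101:
rtkit:x:117:
lpadmin:x:120:user
lxd:x:131:user
user:x:1000:
sambashare:x:132:user
"""


@dataclass
class GroupEntry:
    name: str
    gid: int
    members: List[str]


def is_well_formed(line: str) -> bool:
    """True if the line has the four colon-separated fields and a numeric GID."""
    fields = line.split(":")
    return len(fields) == 4 and fields[0] != "" and fields[2].isdigit()


def parse_group_file(text: str) -> List[GroupEntry]:
    """Parse /etc/group text; blank lines and comments are skipped, bad lines raise."""
    entries: List[GroupEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not is_well_formed(line):
            raise ValueError(f"line {lineno}: not a valid group entry: {raw!r}")
        name, _password, gid, members = line.split(":")
        entries.append(GroupEntry(name, int(gid), [m for m in members.split(",") if m]))
    return entries


def gid_class(gid: int) -> str:
    """Classify a GID by the Debian allocation ranges (assumption, see lead-in)."""
    if gid == 0:
        return "root"
    if gid < 100:
        return "static-system"
    if gid < 1000:
        return "dynamic-system"
    if gid == 65534:
        return "nogroup"
    return "user"


def membership_of(entries: List[GroupEntry], user: str) -> List[str]:
    """All groups that list the given account as a supplementary member."""
    return sorted(e.name for e in entries if user in e.members)


def privileged_memberships(entries: List[GroupEntry]) -> Dict[str, List[str]]:
    """Privileged groups with at least one member; this is the short list to review."""
    return {e.name: e.members for e in entries if e.name in PRIVILEGED_GROUPS and e.members}


def class_counts(entries: List[GroupEntry]) -> Dict[str, int]:
    """Number of groups per GID class; on a fresh install nearly all are system groups."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[gid_class(e.gid)] = counts.get(gid_class(e.gid), 0) + 1
    return counts


if __name__ == "__main__":
    import os
    path = "/etc/group"
    text = open(path).read() if os.path.exists(path) else SAMPLE_GROUP_FILE
    groups = parse_group_file(text)
    print("GID classes:", class_counts(groups))
    for name, members in privileged_memberships(groups).items():
        print(f"privileged group {name}: {', '.join(members)}")
```

Run as a script it reads the real `/etc/group` when present and falls back to the sample otherwise. On the sample, the only privileged groups with members are `adm`, `sudo` and `lxd`, all containing the account `user`, which matches what the question's listing shows for a freshly created desktop account; the dozens of empty system groups contribute nothing to that report.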