diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_dedicated_group/ansible/shared.yml
deleted file mode 100644
index 199c127b88d9..000000000000
--- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/ansible/shared.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# platform = multi_platform_rhel
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-{{{ ansible_instantiate_variables("var_sudo_dedicated_group") }}}
-
-- name: Make sure the group dedicated to sudo exists
- group:
- name: "{{ var_sudo_dedicated_group }}"
-
-- name: Make sure sudo is owned by the dedicated group
- file:
- path: /usr/bin/sudo
- group: "{{ var_sudo_dedicated_group }}"
diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_dedicated_group/bash/shared.sh
deleted file mode 100644
index 84c165c585b2..000000000000
--- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/bash/shared.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-# platform = multi_platform_rhel
-
-# Include source function library.
-. /usr/share/scap-security-guide/remediation_functions
-
-{{{ bash_instantiate_variables("var_sudo_dedicated_group") }}}
-
-# Make sure the dedicated group exists
-if ! grep "^${var_sudo_dedicated_group}:" /etc/group; then
- groupadd $var_sudo_dedicated_group
-fi
-
-# Assign sudo to the dedicated group
-chown :$var_sudo_dedicated_group /usr/bin/sudo
diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml b/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml
index 124e43397897..770b71445475 100644
--- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml
@@ -16,6 +16,8 @@ warnings: Changing group owner of /usr/bin/sudo to a group with no member users will prevent any and all escalatation of privileges. Additionally, the system may become unmanageable if root logins are not allowed. + - general: + This rule doesn't come with a remediation, before remediating the sysadmin needs to add users to the dedicated sudo group. severity: medium diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/no_group.fail.sh b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/no_group.fail.sh index aed76078968d..971e8ac271e6 100644 --- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/no_group.fail.sh +++ b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/no_group.fail.sh @@ -1,4 +1,5 @@ # platform = multi_platform_all +# remediation = none # value = var_sudo_dedicated_group=othergroup groupadd othergroup diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/other_group.fail.sh b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/other_group.fail.sh index dc7b0931974d..e32b3cd9eebe 100644 --- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/other_group.fail.sh +++ b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/other_group.fail.sh @@ -1,4 +1,5 @@ # platform = multi_platform_all +# remediation = none groupadd othergroup chown :othergroup /usr/bin/sudo diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.pass.sh b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.pass.sh index c5ac3abeeb9e..1c87c96c755f 100644 --- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.pass.sh +++ b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.pass.sh @@ -1,4 +1,5 @@ # platform = multi_platform_rhel +# remediation = none # Make sure sudo is owned by root group chown :root /usr/bin/sudo
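Review bot: The added `general` warning in rule.yml says there is no remediation but does not state what the administrator must verify before changing the group owner by hand, and it joins two sentences with a comma. With the Ansible and Bash remediations deleted in this commit, this text is the only guidance left, so it should spell out the lockout precondition, for example `This rule has no automated remediation. Before changing the group owner of /usr/bin/sudo, add the accounts that need sudo to the dedicated group and confirm that one of them can still escalate.` The context line just above it misspells "escalation" as `escalatation`, which could be fixed in the same edit. The `warnings:` list starts outside the hunk, so the indentation of the new entry cannot be checked from here.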
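Review bot: root_default.pass.sh still declares `# platform = multi_platform_rhel` while no_group.fail.sh and other_group.fail.sh use `multi_platform_all`. With the RHEL-only remediations deleted in this commit the restriction looks like a leftover, and `# platform = multi_platform_all` would keep the pass case covered wherever the fail cases run. The `# remediation = none` header added to this pass scenario is presumably harmless but probably unnecessary, since a passing scenario should not reach the remediation step. In the two fail scenarios, a comment such as `# no automated remediation: regrouping sudo without members can lock out administrators` beside the header would record why it is set.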