From 6d94bdad31caf9c257218575a23618ecdf811c8b Mon Sep 17 00:00:00 2001
From: Watson Sato
Date: Fri, 22 Jan 2021 11:26:06 +0100
Subject: [PATCH] Drop remediation for sudo_dedicated_group

This rule combined with no root login can render a machine unadministrable. This rule requires administrative configurations before being remediated, like adding admin accounts and adding them to the sudogrp.
---
 .../sudo/sudo_dedicated_group/ansible/shared.yml | 15 ---------------
 .../sudo/sudo_dedicated_group/bash/shared.sh | 14 --------------
 .../software/sudo/sudo_dedicated_group/rule.yml | 2 ++
 .../sudo_dedicated_group/tests/no_group.fail.sh | 1 +
 .../tests/other_group.fail.sh | 1 +
 .../tests/root_default.pass.sh | 1 +
 6 files changed, 5 insertions(+), 29 deletions(-)
 delete mode 100644 linux_os/guide/system/software/sudo/sudo_dedicated_group/ansible/shared.yml
 delete mode 100644 linux_os/guide/system/software/sudo/sudo_dedicated_group/bash/shared.sh

diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/ansible/shared.yml b/linux_os/guide/system/software/sudo/sudo_dedicated_group/ansible/shared.yml
deleted file mode 100644
index 199c127b88d9..000000000000
--- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/ansible/shared.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-# platform = multi_platform_rhel
-# reboot = false
-# strategy = restrict
-# complexity = low
-# disruption = low
-{{{ ansible_instantiate_variables("var_sudo_dedicated_group") }}}
-
-- name: Make sure the group dedicated to sudo exists
- group:
- name: "{{ var_sudo_dedicated_group }}"
-
-- name: Make sure sudo is owned by the dedicated group
- file:
- path: /usr/bin/sudo
- group: "{{ var_sudo_dedicated_group }}"
diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/bash/shared.sh b/linux_os/guide/system/software/sudo/sudo_dedicated_group/bash/shared.sh
deleted file mode 100644
index 84c165c585b2..000000000000
--- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/bash/shared.sh
+++ /dev/null
@@ -1,14 +0,0 @@
-# platform = multi_platform_rhel
-
-# Include source function library.
-. /usr/share/scap-security-guide/remediation_functions
-
-{{{ bash_instantiate_variables("var_sudo_dedicated_group") }}}
-
-# Make sure the dedicated group exists
-if ! grep "^${var_sudo_dedicated_group}:" /etc/group; then
- groupadd $var_sudo_dedicated_group
-fi
-
-# Assign sudo to the dedicated group
-chown :$var_sudo_dedicated_group /usr/bin/sudo
diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml b/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml
index 124e43397897..770b71445475 100644
--- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml
+++ b/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml
@@ -16,6 +16,8 @@ warnings: Changing group owner of /usr/bin/sudo to a group with no member users will prevent any and all escalatation of privileges. Additionally, the system may become unmanageable if root logins are not allowed.
+ - general:
+ This rule doesn't come with a remediation, before remediating the sysadmin needs to add users to the dedicated sudo group.
 severity: medium
diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/no_group.fail.sh b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/no_group.fail.sh
index aed76078968d..971e8ac271e6 100644
--- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/no_group.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/no_group.fail.sh
@@ -1,4 +1,5 @@
 # platform = multi_platform_all
+# remediation = none
 # value = var_sudo_dedicated_group=othergroup
 groupadd othergroup
diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/other_group.fail.sh b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/other_group.fail.sh
index dc7b0931974d..e32b3cd9eebe 100644
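Review bot: The new `general` warning added to rule.yml is a single run-on sentence and does not tell the administrator what must already be in place before the check can be satisfied without locking everyone out of sudo. I would reword the added text to something like: `This rule is check-only and ships no automated remediation. Before changing the group owner of /usr/bin/sudo to the group named in var_sudo_dedicated_group, create that group, add every administrative account to it, and confirm sudo still works from a non-root session; otherwise no user will be able to escalate privileges.` The variable name is the one the deleted Ansible and bash remediations in this same patch read, so the warning stays consistent with the rule's configuration. The `warnings:` list this entry belongs to starts before the hunk, so its indentation relative to the sibling entry cannot be verified here.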
--- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/other_group.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/other_group.fail.sh
@@ -1,4 +1,5 @@
 # platform = multi_platform_all
+# remediation = none
 groupadd othergroup
 chown :othergroup /usr/bin/sudo
diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.pass.sh b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.pass.sh
index c5ac3abeeb9e..1c87c96c755f 100644
--- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.pass.sh
+++ b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.pass.sh
@@ -1,4 +1,5 @@
 # platform = multi_platform_rhel
+# remediation = none
 # Make sure sudo is owned by root group
 chown :root /usr/bin/sudo