Update sudo_dedicated_group

1. Fix broken test 2. Move to only forbidding root from owning the sudo binary
ComplianceAsCode · Feb 14, 2024 · c7e7073 · c7e7073
1 parent 1c86e52
commit c7e7073
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 7 deletions.
diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_dedicated_group/oval/shared.xml
@@ -1,7 +1,7 @@
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{- oval_metadata("This test makes sure that /usr/bin/sudo is owned by the group set in var_sudo_dedicated_group") }}}
-    <criteria>
+    <criteria operator="AND">
       <criterion comment="Check if dedicated group exists" test_ref="test_dedicated_group_exists" />
       <criterion comment="Check file group ownership of /usr/bin/sudo" test_ref="test_sudo_owned_by_dedicated_group" />
     </criteria>
@@ -14,19 +14,17 @@
   <unix:file_object comment="Fetch /usr/bin/sudo" id="object_sudo_file" version="1">
       <unix:filepath>/usr/bin/sudo</unix:filepath>
   </unix:file_object>
+
   <unix:file_state id="state_sudo_file_gid_is_dedicated_group_gid" version="1">
-    <unix:group_id datatype="int" var_ref="local_var_sudo_dedicated_group_gid" />
+    <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
   </unix:file_state>
 
-  <local_variable id="local_var_sudo_dedicated_group_gid" datatype="int" comment="GID of the dedicated group" version="1">
-    <object_component object_ref="sudo_dedicated_group_gid" item_field="subexpression" />
-  </local_variable>
-
   <ind:textfilecontent54_test id="test_dedicated_group_exists"
       comment="Check if dedicated group is listed in /etc/group" check="all"
       check_existence="only_one_exists" version="1">
     <ind:object object_ref="sudo_dedicated_group_gid" />
   </ind:textfilecontent54_test>
+
   <ind:textfilecontent54_object id="sudo_dedicated_group_gid"
       comment="Grab GID of group set in var_sudo_dedicated_group" version="1">
     <ind:filepath operation="equals">/etc/group</ind:filepath>

diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/no_group.fail.sh b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/no_group.fail.sh
@@ -1,6 +1,6 @@
 # platform = multi_platform_all
 # remediation = none
-# value = var_sudo_dedicated_group=othergroup
+# variables = var_sudo_dedicated_group=othergroup
 
 groupadd othergroup
 chown :othergroup /usr/bin/sudo

diff --git a/...dedicated_group/tests/other_group.fail.sh → ...dedicated_group/tests/other_group.pass.sh b/...dedicated_group/tests/other_group.fail.sh → ...dedicated_group/tests/other_group.pass.sh
diff --git a/...edicated_group/tests/root_default.pass.sh → ...edicated_group/tests/root_default.fail.sh b/...edicated_group/tests/root_default.pass.sh → ...edicated_group/tests/root_default.fail.sh