From c7e7073dbf9af3aae86aaa37a33b614f83062c3f Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Tue, 13 Feb 2024 18:30:46 -0600
Subject: [PATCH] Update sudo_dedicated_group

1. Fix broken test
2. Move to only forbidding root from owning the sudo binary
---
 .../software/sudo/sudo_dedicated_group/oval/shared.xml | 10 ++++------
 .../sudo/sudo_dedicated_group/tests/no_group.fail.sh   |  2 +-
 .../tests/{other_group.fail.sh => other_group.pass.sh} |  0
 .../{root_default.pass.sh => root_default.fail.sh}     |  0
 4 files changed, 5 insertions(+), 7 deletions(-)
 rename linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/{other_group.fail.sh => other_group.pass.sh} (100%)
 rename linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/{root_default.pass.sh => root_default.fail.sh} (100%)

diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/oval/shared.xml b/linux_os/guide/system/software/sudo/sudo_dedicated_group/oval/shared.xml
index 2ecb1008b94..541de4a3bdf 100644
--- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/oval/shared.xml
+++ b/linux_os/guide/system/software/sudo/sudo_dedicated_group/oval/shared.xml
@@ -1,7 +1,7 @@
 <def-group>
   <definition class="compliance" id="{{{ rule_id }}}" version="1">
     {{{- oval_metadata("This test makes sure that /usr/bin/sudo is owned by the group set in var_sudo_dedicated_group") }}}
-    <criteria>
+    <criteria operator="AND">
       <criterion comment="Check if dedicated group exists" test_ref="test_dedicated_group_exists" />
       <criterion comment="Check file group ownership of /usr/bin/sudo" test_ref="test_sudo_owned_by_dedicated_group" />
     </criteria>
@@ -14,19 +14,17 @@
   <unix:file_object comment="Fetch /usr/bin/sudo" id="object_sudo_file" version="1">
       <unix:filepath>/usr/bin/sudo</unix:filepath>
   </unix:file_object>
+
   <unix:file_state id="state_sudo_file_gid_is_dedicated_group_gid" version="1">
-    <unix:group_id datatype="int" var_ref="local_var_sudo_dedicated_group_gid" />
+    <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
   </unix:file_state>
 
-  <local_variable id="local_var_sudo_dedicated_group_gid" datatype="int" comment="GID of the dedicated group" version="1">
-    <object_component object_ref="sudo_dedicated_group_gid" item_field="subexpression" />
-  </local_variable>
-
   <ind:textfilecontent54_test id="test_dedicated_group_exists"
       comment="Check if dedicated group is listed in /etc/group" check="all"
       check_existence="only_one_exists" version="1">
     <ind:object object_ref="sudo_dedicated_group_gid" />
   </ind:textfilecontent54_test>
+
   <ind:textfilecontent54_object id="sudo_dedicated_group_gid"
       comment="Grab GID of group set in var_sudo_dedicated_group" version="1">
     <ind:filepath operation="equals">/etc/group</ind:filepath>
diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/no_group.fail.sh b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/no_group.fail.sh
index 971e8ac271e..897e5ac3587 100644
--- a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/no_group.fail.sh
+++ b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/no_group.fail.sh
@@ -1,6 +1,6 @@
 # platform = multi_platform_all
 # remediation = none
-# value = var_sudo_dedicated_group=othergroup
+# variables = var_sudo_dedicated_group=othergroup
 
 groupadd othergroup
 chown :othergroup /usr/bin/sudo
diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/other_group.fail.sh b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/other_group.pass.sh
similarity index 100%
rename from linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/other_group.fail.sh
rename to linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/other_group.pass.sh
diff --git a/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.pass.sh b/linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.fail.sh
similarity index 100%
rename from linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.pass.sh
rename to linux_os/guide/system/software/sudo/sudo_dedicated_group/tests/root_default.fail.sh