1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
documentation_complete: true
title: 'Ensure a dedicated group owns sudo'
description: |-
Restrict the execution of privilege escalated commands to a dedicated group of users.
Ensure the group owner of /usr/bin/sudo is {{{ xccdf_value("var_sudo_dedicated_group") }}}.
rationale: |-
Restricting the set of users able to execute commands as privileged user reduces the attack surface.
warnings:
- functionality: |-
Changing group owner of <tt>/usr/bin/sudo</tt> to a group with no member users will prevent
any and all escalatation of privileges.
Additionally, the system may become unmanageable if root logins are not allowed.
- general:
This rule doesn't come with a remediation, before remediating the sysadmin needs to add users to the dedicated sudo group.
severity: medium
identifiers:
cce@rhel8: CCE-83982-9
cce@rhel9: CCE-86101-3
cce@rhel10: CCE-89208-3
cce@sle12: CCE-91500-9
cce@sle15: CCE-91191-7
ocil_clause: '{{{ ocil_clause_file_group_owner(file="/usr/bin/sudo", group=xccdf_value("var_sudo_dedicated_group")) }}}'
ocil: |-
{{{ ocil_file_group_owner(file="/usr/bin/sudo", group=xccdf_value("var_sudo_dedicated_group")) }}}
|
