{"description": "Restrict the execution of privilege escalated commands to a dedicated group of users.\nEnsure the group owner of /usr/bin/sudo is <sub idref=\"var_sudo_dedicated_group\" />.", "rationale": "Restricting the set of users able to execute commands as privileged user reduces the attack surface.", "severity": "medium", "references": {"anssi": ["R38"]}, "control_references": {"anssi": ["R38"]}, "components": [], "identifiers": {}, "ocil_clause": "/usr/bin/sudo does not have a group owner of\n<sub idref=\"var_sudo_dedicated_group\" />\n", "ocil": "To check the group ownership of <code>/usr/bin/sudo</code>,\nrun the command:\n<pre>$ ls -lL /usr/bin/sudo</pre>\nIf properly configured, the output should indicate the following group-owner:\n\n  <code><sub idref=\"var_sudo_dedicated_group\" /></code>\n  ", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"functionality": "Changing group owner of <tt>/usr/bin/sudo</tt> to a group with no member users will prevent\nany and all escalatation of privileges.\nAdditionally, the system may become unmanageable if root logins are not allowed."}, {"general": "This rule doesn't come with a remediation, before remediating the sysadmin needs to add users to the dedicated sudo group."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure a dedicated group owns sudo", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/sudo/sudo_dedicated_group/rule.yml", "template": null}