From b80a9766e9157177edaa01f77841acd7472e64f7 Mon Sep 17 00:00:00 2001
From: Matthew Burket <mburket@redhat.com>
Date: Thu, 30 Sep 2021 09:26:27 -0500
Subject: [PATCH] Add rule "Ensure All Groups on the System Have Unique Group
Names" to fix #5500
---
controls/cis_rhel7.yml | 4 +-
controls/cis_rhel8.yml | 6 +--
.../group_unique_name/oval/shared.xml | 50 +++++++++++++++++++
.../group_unique_name/rule.yml | 37 ++++++++++++++
.../tests/correct_value.pass.sh | 4 ++
.../tests/wrong_value.fail.sh | 5 ++
shared/references/cce-redhat-avail.txt | 2 -
7 files changed, 102 insertions(+), 6 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh
diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
index bd68e32ed99..c07855c259e 100644
--- a/controls/cis_rhel7.yml
+++ b/controls/cis_rhel7.yml
@@ -2212,7 +2212,9 @@ controls:
levels:
- l1_server
- l1_workstation
- automated: no # rule missing
+ automated: yes
+ rules:
+ - group_unique_name
- id: 6.2.7
title: Ensure no duplicate UIDs exist (Automated)
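Review bot: The new `automated: yes` line records the same fact that the rhel8 control file in this patch records as `status: automated`, so the two control files now spell it differently; if this file is loaded by the same schema, `status: automated` would keep them consistent (the field this file expects is not visible in the hunk, so confirm against its other entries). If `automated` is the right key here, `automated: true` avoids the YAML 1.1 `yes`/`no` truthy spelling, but the removed line and presumably the neighbouring entries use `no`, so that change belongs to a file-wide pass rather than this one line. The control entry this hunk edits (its `id:` and `title:`) starts above the hunk.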
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index cbe1fc4e6a4..08ba462dfeb 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -2294,14 +2294,14 @@ controls:
rules:
- account_unique_name
- # NEEDS RULE
- # https://github.com/ComplianceAsCode/content/issues/5500
- id: 6.2.18
title: Ensure no duplicate group names exist (Automated)
levels:
- l1_server
- l1_workstation
- automated: no
+ status: automated
+ rules:
+ - group_unique_name
# NEEDS RULE
# https://github.com/ComplianceAsCode/content/issues/5499
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml
new file mode 100644
index 00000000000..a1d46bbd7c7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/oval/shared.xml
@@ -0,0 +1,50 @@
+<def-group>
+ <definition class="compliance" id="{{{rule_id}}}" version="1">
+ {{{ oval_metadata("All groups on the system should have unique names for proper accountability.") }}}
+ <criteria comment="There should not exist duplicate group names entries in /etc/passwd">
+ <criterion test_ref="test_etc_group_no_duplicate_group_names"/>
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_object id="obj_all_group_names" version="1" comment="Get all group names">
+ <ind:filepath>/etc/group</ind:filepath>
+ <ind:pattern operation="pattern match">^(.+):.+</ind:pattern>
+ <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+ <!-- variable storing count of all group names - including duplicates -->
+ <local_variable id="variable_count_of_all_group_names" datatype="int" version="1"
+ comment="Count of all group names (including duplicates if any)">
+ <count>
+ <object_component item_field="subexpression" object_ref="obj_all_group_names"/>
+ </count>
+ </local_variable>
+
+ <!-- OVAL variable to hold the count of unique group names defined in /etc/group -->
+ <local_variable id="variable_count_of_unique_group_names" datatype="int" version="1"
+ comment="Count of unique group names">
+ <count>
+ <unique>
+ <object_component item_field="subexpression" object_ref="obj_all_group_names"/>
+ </unique>
+ </count>
+ </local_variable>
+
+ <!-- Turn the OVAL variable representing count of user ids into OVAL object
+ (for use in <variable_test> below)-->
+ <ind:variable_object id="obj_count_of_all_group_names" version="1">
+ <ind:var_ref>variable_count_of_all_group_names</ind:var_ref>
+ </ind:variable_object>
+
+ <!-- this state checks that both counts (unique and non-unique) are the same -->
+ <ind:variable_state id="state_no_duplicate_group_names" version="1">
+ <ind:value var_ref="variable_count_of_unique_group_names" datatype="int"
+ operation="equals" var_check="at least one"/>
+ </ind:variable_state>
+
+ <ind:variable_test id="test_etc_group_no_duplicate_group_names" check="all" check_existence="all_exist"
+ comment="There should not exist duplicate group names in /etc/passwd" version="1">
+ <ind:object object_ref="obj_count_of_all_group_names"/>
+ <ind:state state_ref="state_no_duplicate_group_names"/>
+ </ind:variable_test>
+</def-group>
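Review bot: The capture group in the object pattern `^(.+):.+` is greedy, so the subexpression is not the group name but everything up to the last colon that is followed by at least one character: for `grp:x:1004:alice` and `grp:x:1005:bob` the captures are `grp:x:1004` and `grp:x:1005`, the two counts stay equal and the duplicate name is missed, while an entry with an empty member list such as `grp:x:1004:` captures `grp:x`. Restrict the capture to the first field: `<ind:pattern operation="pattern match">^([^:]+):</ind:pattern>`. The `criteria` comment and the `variable_test` comment both say `/etc/passwd` although the object reads `/etc/group`, and the comment above the `variable_object` says "count of user ids"; these should read `/etc/group` and "count of group names". The `wrong_value.fail.sh` test in this patch appends two lines with identical trailing fields, so it does not exercise the differing-tail case described above.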
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
new file mode 100644
index 00000000000..e56fc785274
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/rule.yml
@@ -0,0 +1,37 @@
+documentation_complete: true
+
+prodtype: fedora,rhel7,rhel8
+
+title: 'Ensure All Groups on the System Have Unique Group Names'
+
+description: 'Change the group name or delete groups, so each has a unique name.'
+
+rationale: 'To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.'
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-86327-4
+ cce@rhel8: CCE-86328-2
+
+
+references:
+ cis@rhel7: 6.2.6
+ cis@rhel8: 6.2.18
+
+
+ocil_clause: 'has duplicate group ids'
+
+ocil: |-
+ Run the following command to check for duplicate group names:
+ Check that the operating system contains no duplicate group names for interactive users by running the following command:
+ <pre>
+ cut -d : -f 1 /etc/group | uniq -d
+ </pre>
+ If output is produced, this is a finding.
+ Configure the operating system to contain no duplicate names for groups.
+ Edit the file "/etc/group" and provide each group that has a duplicate group name with a unique group name.
+
+warnings:
+ - general: |-
+ Automatic remediation of this control is not available. Due the unique requirements of each system.
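Review bot: The check command in `ocil`, `cut -d : -f 1 /etc/group | uniq -d`, only reports adjacate duplicates because `uniq` compares neighbouring lines, so a duplicate name separated by other entries is not printed and the check passes wrongly; it should be `cut -d: -f1 /etc/group | sort | uniq -d`. `ocil_clause` says `has duplicate group ids` although this rule is about group names; `ocil_clause: 'has duplicate group names'` matches the title and the OVAL check. The first two lines of `ocil` give the same instruction twice and the second mentions "interactive users", which does not apply to groups; keep a single line such as `Check that the operating system contains no duplicate group names by running the following command:`. The warning text `Due the unique requirements of each system.` is a fragment; `Automatic remediation of this control is not available due to the unique requirements of each system.` reads as one sentence.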
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh
new file mode 100644
index 00000000000..031b46c8265
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/correct_value.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# remediation = no
+
+groupadd cac_test$(date +%s)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh
new file mode 100644
index 00000000000..e375c555d5b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/group_unique_name/tests/wrong_value.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# remediation = no
+
+echo "testgroup:x:1004:" >> /etc/group
+echo "testgroup:x:1005:" >> /etc/group
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 6b841f9b26b..421543a16e3 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -424,8 +424,6 @@ CCE-86323-3
CCE-86324-1
CCE-86325-8
CCE-86326-6
-CCE-86327-4
-CCE-86328-2
CCE-86329-0
CCE-86330-8
CCE-86331-6