From 01369b19a4319468fb18c0e875a1157b20eb16e1 Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Mon, 6 Jan 2025 10:08:40 +0000 Subject: [PATCH 1/6] Fix small typo in comment Minor comment changes Add a note in Ubuntu control file --- controls/cis_ubuntu2404.yml | 6 ++++-- .../accounts_root_gid_zero/oval/shared.xml | 20 ++++++++++++++++++- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index fbc438cf883..09ba4b99458 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -2136,8 +2136,10 @@ controls: - l1_workstation related_rules: - accounts_root_gid_zero - status: planned - notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.5.3. + status: automated + notes: | + The remediation is not automated as the removal or modification + of group IDs from a system is too disruptive. - id: 5.4.2.3 title: Ensure group root is the only GID 0 group (Automated) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/oval/shared.xml index 1789f224ca3..ae142e0c3a5 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/oval/shared.xml @@ -6,7 +6,7 @@ - + @@ -20,4 +20,22 @@ 0 + + {{% if 'ubuntu' in product %}} + + + + + + + + /etc/passwd + ^(?!\b(root|sync|shutdown|halt|operator)\b).+:.+:\d+:(\d+).+ + 1 + + + + 0 + + {{% endif %}} From c9ce8775588d00e4e319dd275f4d591eb88aaa7a Mon Sep 17 00:00:00 2001 
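Review bot: The exemption in the new /etc/passwd pattern uses `\b` word boundaries instead of the field delimiter, so a GID-0 account whose name begins with an exempt word followed by a non-word character (constructed examples: `root-x`, `halt.old`) satisfies the negative lookahead and is skipped, while `root2` is still caught; the same lookahead is kept in the PATCH 2/6 rewrite of this test, and the cleanup added to tests/correct_value.pass.sh anchors its list with `^(...)$`, so the check and the test disagree on such names. Anchoring the exemption on the first colon and binding the fields keeps the two consistent, e.g. in the PATCH 2/6 form `^(?!(root|sync|shutdown|halt|operator):)[^:]+:[^:]*:\d+:0:.*$`. The XML element markup is not preserved in this rendering, so which OVAL object and state carry the pattern is inferred rather than visible.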
From: Alan Moore Date: Mon, 6 Jan 2025 11:36:24 +0000 Subject: [PATCH 2/6] Add oval check for no other user has primary group 0 Add check none_exist --- .../accounts_root_gid_zero/oval/shared.xml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/oval/shared.xml index ae142e0c3a5..1acc77321a8 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/oval/shared.xml @@ -1,8 +1,11 @@ {{{ oval_metadata("The root account should have primary group of 0") }}} - + + {{% if 'ubuntu' in product %}} + + {{% endif %}} @@ -23,19 +26,14 @@ {{% if 'ubuntu' in product %}} - + - /etc/passwd - ^(?!\b(root|sync|shutdown|halt|operator)\b).+:.+:\d+:(\d+).+ + ^(?!\b(root|sync|shutdown|halt|operator)\b).+:.+:\d+:0:.+$ 1 - - - 0 - {{% endif %}} From 0317615da3eace45af227d612597201d0dd56f1a Mon Sep 17 00:00:00 2001 From: Alan Moore Date: Mon, 6 Jan 2025 12:56:17 +0000 Subject: [PATCH 3/6] Improve accounts_root_gid_zero test --- .../accounts_root_gid_zero/tests/correct_value.pass.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/correct_value.pass.sh index 645c46eb847..4a477ce1f1e 100644 --- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/correct_value.pass.sh +++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/correct_value.pass.sh 
@@ -1,2 +1,9 @@
 #!/bin/bash
 # remediation = none
+
+{{% if 'ubuntu' in product %}}
+users_to_remove=$(awk -F: '$4 == 0 && $1 !~ /^(root|sync|shutdown|halt|operator)$/ {print $1}' /etc/passwd)
+for user in $users_to_remove; do
+ sudo userdel -rf "$user"
+done
+{{% endif %}}
From d39584522e06bd86396041dc1e4017e9afdc532b Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Mon, 6 Jan 2025 12:56:55 +0000
Subject: [PATCH 4/6] Add rule 5.4.2.2 Ensure root is the only GID 0 account
---
 controls/cis_ubuntu2404.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 09ba4b99458..c723fc5dd7a 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -2134,7 +2134,7 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- related_rules:
+ rules:
 - accounts_root_gid_zero
 status: automated
 notes: |
From 42f838c90f11c352baa674f25ed65e3f5371a450 Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Wed, 8 Jan 2025 14:47:51 +0000
Subject: [PATCH 5/6] use xargs in correct_value.pass.sh
---
 .../accounts_root_gid_zero/tests/correct_value.pass.sh | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/correct_value.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/correct_value.pass.sh
index 4a477ce1f1e..f2ca6274d99 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/correct_value.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/correct_value.pass.sh
@@ -2,8 +2,5 @@
 # remediation = none
 
 {{% if 'ubuntu' in product %}}
-users_to_remove=$(awk -F: '$4 == 0 && $1 !~ /^(root|sync|shutdown|halt|operator)$/ {print $1}' /etc/passwd)
-for user in $users_to_remove; do
- sudo userdel -rf "$user"
-done
+awk -F: '$4 == 0 && $1 !~ /^(root|sync|shutdown|halt|operator)$/ {print $1}' /etc/passwd | xargs --no-run-if-empty -I '{}' userdel -f '{}'
 {{% endif %}}
From 0ff7fd3266c8dcf8b90d1259c68e1543a3f663d1 Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Wed, 8 Jan 2025 14:48:19 +0000
Subject: [PATCH 6/6] Add fail test for accounts_root_gid_zero Avoid -o flag since it's used with -u flag
---
 .../accounts_root_gid_zero/tests/other_user_uid_0.fail.sh | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/other_user_uid_0.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/other_user_uid_0.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/other_user_uid_0.fail.sh
new file mode 100644
index 00000000000..483e08812eb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/accounts_root_gid_zero/tests/other_user_uid_0.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# Remediation doesn't fix the rule, only locks passwords
+# of non-root accounts with uid 0.
+# remediation = none
+
+useradd --gid 0 root2
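Review bot: The new fail test's file name and header comment describe a UID-0 scenario, but the setup line `useradd --gid 0 root2` creates an account with primary group 0 and the rule under test is accounts_root_gid_zero, so the comment `# Remediation doesn't fix the rule, only locks passwords of non-root accounts with uid 0.` appears carried over from a UID test and should instead say that the rule has no remediation and the script creates a non-root account whose primary GID is 0; naming the file other_user_gid_0.fail.sh would match. The none_exist check this scenario exercises is wrapped in `{{% if 'ubuntu' in product %}}` in oval/shared.xml (PATCH 2/6), whereas this script is not gated, so on other products the rule would still pass with root2 present and the fail test would report a false failure; wrapping the useradd in the same template condition, as correct_value.pass.sh does, or restricting the script with a product platform header keeps the two aligned.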