[Stabilization] revert modifications to file_groupownership template and respective rules

[vojtapolasek]

Description:

• effectively reverting Use specific name in private key groups instead of gid #10622 and partially also New rules to complete CIS requirements for SSH Keys #10552
• CCEs were not put back into the pool in this case... because the rules will be eventually fixed and eventually included into the next upstream release, this is just for the sake of stabilization

Rationale:

• Fixes Error during evaluation of file_groupowner_var_log_syslog on RHEL 7 #10655 by reverting to the previous state. There is a more definite fix in works in fixes in file_groupownership template #10666 but it might not be ready for the release.

Review Hints:

Try to reproduce the fixed issue #10655

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[ggbecker]

I believe the ids from dedicated_ssh_keyowner attribute can be removed as they are not used anywhere.

[vojtapolasek]

@ggbecker thank you, I was not sure. I modified the branch.

[jan-cerny]

I tried to run a scan of the RHEL 7.9 virtual machine where previously I reproduced the issue and I have seen that the problematic error message doesn't appear with this patch.

[root@localhost ~]# rpm -q openscap
openscap-1.2.17-11.el7.x86_64
[root@localhost ~]# oscap xccdf eval --profile '(all)' --rule xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog ./ssg-rhel7-ds.xml 
WARNING: Datastream component 'scap_org.open-scap_cref_security-data-oval-com.redhat.rhsa-RHEL7.xml.bz2' points out to the remote 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2'. Use '--fetch-remote-resources' option to download it.
WARNING: Skipping 'https://access.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2' file which is referenced from datastream
W: oscap: File ssg-rhel7-cpe-oval.xml has already been registered in Source DataStream session: ./ssg-rhel7-ds.xml
WARNING: Skipping ./security-data-oval-com.redhat.rhsa-RHEL7.xml.bz2 file which is referenced from XCCDF content
Title   Verify Group Who Owns /var/log/syslog File
Rule    xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog
Result  pass

[root@localhost ~]# 

The rule has passed its test scenarios

[jcerny@thinkpad scap-security-guide{pr/10683}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 file_groupowner_var_log_syslog
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-06-06-1103/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog
INFO - Script correct_groupowner.pass.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - Script incorrect_groupowner.fail.sh using profile (all) OK
[jcerny@thinkpad scap-security-guide{pr/10683}]$ python3 tests/automatus.py rule --libvirt qemu:///system ssgts_rhel7 --remediate-using ansible file_groupowner_var_log_syslog
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/jcerny/work/git/scap-security-guide/logs/rule-custom-2023-06-06-1108/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog
INFO - Script correct_groupowner.pass.sh using profile (all) OK
INFO - Script missing_file_test.pass.sh using profile (all) OK
INFO - Script incorrect_groupowner.fail.sh using profile (all) OK
[jcerny@thinkpad scap-security-guide{pr/10683}]$ 

[jan-cerny]

The CI fail on Rawhide isn't related to the contents of this PR because it's a fail in dnf update -y.

[jan-cerny]

I have run TSs for some other rules that use the file_groupowner template and they pass.