From f7bb6fc32091ad9d10ec8253505086670eb135ba Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Mon, 12 Jul 2021 10:06:41 -0400 Subject: [PATCH 1/4] Initial commit for RHEL-08-010350 STIG rule --- .../ansible/shared.yml | 2 +- .../bash/shared.sh | 2 +- .../oval/shared.xml | 44 +++++++++++++------ .../rule.yml | 26 ++++++----- .../tests/correct_group.pass.sh | 2 +- .../tests/incorrect_group.fail.sh | 8 +++- products/rhel8/profiles/stig.profile | 1 + shared/references/cce-redhat-avail.txt | 1 - .../data/profile_stability/rhel8/stig.profile | 1 + .../profile_stability/rhel8/stig_gui.profile | 1 + 10 files changed, 57 insertions(+), 31 deletions(-) diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml index f90c8e26b15..e0bb6b0dc1a 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_sle +# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora # reboot = false # strategy = restrict # complexity = high diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh index fba25be6132..d5fb89487d5 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh 
@@ -1,4 +1,4 @@ -# platform = multi_platform_sle +# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora find /lib \ /lib64 \ diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml index 00f733ddc78..e3d64a8390e 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml @@ -1,27 +1,45 @@ - + {{{ oval_metadata(" - Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64 - are owned by root. + Checks that /lib, /lib64, /usr/lib, /usr/lib64, and + objects therein, are group-owned by root. ") }}} - - + + + - - + + - - - ^\/lib(64)?|^\/usr\/lib(64)? + + + + + + + ^\/lib(|64)?\/|^\/usr\/lib(|64)?\/ + + state_group_ownership_libraries_not_root + group_dir_perms_state_symlink + + + + + ^\/lib(|64)?\/|^\/usr\/lib(|64)?\/ ^.*$ - group_permissions_for_system_wide_files_are_not_root + state_group_ownership_libraries_not_root + group_dir_perms_state_symlink - + 0 + + + symbolic link + + diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml index ff905dd08d..83371b8b9b 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml 
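Review bot: Adding RHEL 8 and Fedora to this remediation puts `/lib` and `/lib64` into the `find` start list on systems where both are symlinks into `/usr`, and `find` in its default `-P` mode does not follow a symlink given as a start point, so on those hosts the first two arguments examine only the link itself and all coverage comes from `/usr/lib` and `/usr/lib64`. The result is still correct, but it deserves a comment so nobody later "fixes" it with `-L`: `# /lib and /lib64 are symlinks into /usr on merged-/usr systems; find -P does not descend through them, /usr/lib{,64} provide the coverage`. If any start directory is absent, `find` also reports an error and exits non-zero even after fixing the others; the tests guard this with `[[ -d ... ]]`, this remediation does not. The remaining predicates of the `find` command are outside the hunk.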
@@ -1,6 +1,6 @@ documentation_complete: true -prodtype: sle12,sle15 +prodtype: sle12,sle15,rhel8,fedora title: |- Verify the system-wide library files in directories @@ -17,18 +17,18 @@ description: |- All system-wide shared library files should be protected from unauthorised access. If any of these files is not owned by root, correct its owner with the following command: -
$ sudo chgrp root DIR
+
$ sudo chgrp root FILE
rationale: |- - If the operating system were to allow any user to make changes to software libraries, - then those changes might be implemented without undergoing the appropriate testing and - approvals that are part of a robust change management process. + If the operating system were to allow any user to make changes to software libraries, + then those changes might be implemented without undergoing the appropriate testing and + approvals that are part of a robust change management process. - This requirement applies to operating systems with software libraries that are - accessible and configurable, as in the case of interpreted languages. Software libraries - also include privileged programs which execute with escalated privileges. Only qualified - and authorized individuals must be allowed to obtain access to information system components - for purposes of initiating changes, including upgrades and modifications. + This requirement applies to operating systems with software libraries that are + accessible and configurable, as in the case of interpreted languages. Software libraries + also include privileged programs which execute with escalated privileges. Only qualified + and authorized individuals must be allowed to obtain access to information system components + for purposes of initiating changes, including upgrades and modifications. severity: medium @@ -45,7 +45,7 @@ references: stigid@sle12: SLES-12-010875 stigid@sle15: SLES-15-010355 -ocil_clause: 'any system wide library directory is returned' +ocil_clause: 'system wide library files are not group owned by root' ocil: |- System-wide library files are stored in the following directories: @@ -54,6 +54,6 @@ ocil: |- /usr/lib /usr/lib64 - To find if system-wide library files stored in these directories are group-owned by + To find if system-wide library files stored in these directories are not group-owned by root run the following command for each directory DIR:
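Review bot: The description still reads "If any of these files is not owned by root, correct its owner", while the command it introduces (now `$ sudo chgrp root FILE`), the ocil clause and the rule title all concern group ownership, so a reader following the text verbatim would check the owner and then run `chgrp`. Change the sentence to `If any of these files is not group-owned by root, correct its group with the following command:`. The rationale re-indentation in the rest of the hunk is whitespace only.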
$ sudo find -L DIR ! -group root -type f 
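Review bot: The manual check `$ sudo find -L DIR ! -group root -type f` follows symbolic links, so a link under DIR whose target (possibly outside the library tree) is not root-group-owned is reported here, whereas the bash remediation and the test helper run `find` without `-L` and with `-type f`, which skips links entirely; the two can therefore disagree on such a link. Either drop `-L` to match the remediation, or note the difference in the ocil text: `# -L follows symlinks; the automated remediation only re-groups regular files`. I cannot see the OVAL's symlink behaviour in this extract, so which side is authoritative should be confirmed against it.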
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
index 7a8e65b4f3a..8722c2add65 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
@@ -4,6 +4,6 @@ for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
 do
 if [[ -d $SYSLIBDIRS ]]
 then
- find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;
+ find $SYSLIBDIRS ! -group root -exec chgrp root '{}' \;
 fi
 done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
index a4b99a9da14..1079046d14e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
@@ -1,6 +1,10 @@
 #!/bin/bash
-
-for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
+
+# There is a high probability that there will be nested subdirectories within the
+# shared system library directories, therefore we should test to make sure we
+# cover this. - cmm
+test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me /usr/lib/test_dir/test_me
 do
 if [[ ! -f $TESTFILE ]]
 then
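Review bot: `test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir` parses as `(test -d … || mkdir -p …) && chown …`, so the `test -d` guard changes nothing (`mkdir -p` is idempotent anyway) and `user.group` is the legacy separator coreutils keeps only for compatibility. Since the rule checks group ownership, `mkdir -p /usr/lib/test_dir && chgrp nobody /usr/lib/test_dir` sets up the same scenario without also changing the owner. The loop body that creates the test files continues outside the hunk.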
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 2508008d511..9569b2ad629 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -207,6 +207,7 @@ selections: - file_ownership_library_dirs # RHEL-08-010350 + - root_permissions_syslibrary_files # RHEL-08-010360 - package_aide_installed diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index f139d2ed76f..e0eb5ac045c 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -662,7 +662,6 @@ CCE-86518-8 CCE-86520-4 CCE-86521-2 CCE-86522-0 -CCE-86523-8 CCE-86524-6 CCE-86525-3 CCE-86526-1 diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index 765487c6f16..ebe7a91f45d 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -221,6 +221,7 @@ selections: - postfix_client_configure_mail_alias - require_emergency_target_auth - require_singleuser_auth +- root_permissions_syslibrary_files - rsyslog_cron_logging - rsyslog_remote_access_monitoring - rsyslog_remote_loghost diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 9fd80aac727..97f940dc9ed 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -232,6 +232,7 @@ selections: - postfix_client_configure_mail_alias - require_emergency_target_auth - require_singleuser_auth +- root_permissions_syslibrary_files - rsyslog_cron_logging - rsyslog_remote_access_monitoring - rsyslog_remote_loghost From f16c085894e4dc7974637d44bf226d3acf19f3d1 Mon Sep 17 00:00:00 2001 
From: Carlos Matos Date: Mon, 12 Jul 2021 16:17:23 -0400 Subject: [PATCH 2/4] Updated existing rules for syslibrary files/dirs --- .../ansible/shared.yml | 6 ++- .../bash/shared.sh | 7 +++ .../dir_group_ownership_library_dirs/rule.yml | 4 ++ .../tests/all_dirs_ok.pass.sh | 3 +- .../nobody_group_owned_dir_on_lib.fail.sh | 3 +- .../ansible/shared.yml | 23 ++++++++-- .../oval/shared.xml | 44 ++++++------------- .../tests/correct_group.pass.sh | 4 +- .../tests/incorrect_group.fail.sh | 8 +--- products/rhel8/profiles/stig.profile | 1 + shared/references/cce-redhat-avail.txt | 1 - .../data/profile_stability/rhel8/stig.profile | 1 + .../profile_stability/rhel8/stig_gui.profile | 1 + 13 files changed, 59 insertions(+), 47 deletions(-) create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml index 80562991ac5..f6f2ab48afd 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml @@ -1,4 +1,4 @@ -# platform = multi_platform_sle +# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora # reboot = false # strategy = restrict # complexity = medium @@ -20,4 +20,6 @@ state: "directory" mode: "{{ item.mode }}" with_items: "{{ library_dirs_not_group_owned_by_root.files }}" - when: library_dirs_not_group_owned_by_root.matched > 0 + when: + - library_dirs_not_group_owned_by_root.matched > 0 + - item.gid != 0 
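Review bot: With `- item.gid != 0` the filtering now happens in the loop, so the registered variable `library_dirs_not_group_owned_by_root` holds every directory the preceding `find` task returned, not only offending ones, and `matched > 0` is redundant because `with_items` over an empty list runs nothing. A comment above `when:` such as `# the find module cannot filter by group; skip entries already group-owned by root (gid 0)` would explain the shape, or rename the register to `library_dirs`. The `find` task itself starts before this hunk, so if it already narrows by group the extra condition is merely harmless.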
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh new file mode 100644 index 00000000000..365b9833188 --- /dev/null +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh @@ -0,0 +1,7 @@ +# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora + +find /lib \ +/lib64 \ +/usr/lib \ +/usr/lib64 \ +\! -group root -type d -exec chgrp root '{}' \; diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml index 4ff043270c8..cd02d95cb1c 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml @@ -1,5 +1,7 @@ documentation_complete: true +prodtype: sle12,sle15,rhel8,fedora + title: 'Verify that Shared Library Directories Have Root Group Ownership' description: |- diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh index 2a38e9a88bc..50fdb17bd2e 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh 
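Review bot: `-exec chgrp root '{}' \;` forks one `chgrp` per offending directory; `-exec chgrp root -- '{}' +` batches them and also guards a name beginning with `-`, at no cost. The command also runs with no existence check on the four start directories, so on a host missing one of them (`/lib64` on a 32-bit install) `find` prints an error and exits 1 even though the other trees were fixed, turning the remediation into a spurious failure; the sibling tests use `[[ -d "$d" ]]` before each `find`, and that pattern would fit here. A header line stating that this rule only re-groups directories, files being the job of root_permissions_syslibrary_files, would also help the next reader.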
@@ -1,4 +1,5 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+
 DIRS="/lib /lib64 /usr/lib /usr/lib64"
 for dirPath in $DIRS; do
 find "$dirPath" -type d -exec chgrp root '{}' \;
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
index f794d9e878f..277bd7d60de 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
@@ -1,4 +1,5 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+
 DIRS="/lib /lib64"
 for dirPath in $DIRS; do
 mkdir -p "$dirPath/testme" && chown root:nogroup "$dirPath/testme"
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
index e0bb6b0dc1a..ab3e85c4f7c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
@@ -4,7 +4,24 @@ # complexity = high # disruption = medium -- name: "Set ownership to root of system-wide library files" - command: "find {{ item }} ! -group root -type f -exec chgrp root '{}' \\;" - with_items: [ '/lib', '/lib64', '/usr/lib', '/usr/lib64' ] +- name: "Read list libraries without root ownership" + find: + paths: + - "/usr/lib" + - "/usr/lib64" + - "/lib" + - "/lib64" + file_type: "file" + register: library_files_not_group_owned_by_root + +- name: "Set group ownership of system library files to root" + file: + path: "{{ item.path }}" + group: "root" + state: "file" + mode: "{{ item.mode }}" + with_items: "{{ library_files_not_group_owned_by_root.files }}" + when: + - library_files_not_group_owned_by_root.matched > 0 + - item.gid != 0 diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml index e3d64a8390e..926ff70d1e4 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml @@ -1,45 +1,27 @@ - + {{{ oval_metadata(" - Checks that /lib, /lib64, /usr/lib, /usr/lib64, and - objects therein, are group-owned by root. + Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64 + are owned by root. ") }}} - - - + + - - + + - - - - - - - ^\/lib(|64)?\/|^\/usr\/lib(|64)?\/ - - state_group_ownership_libraries_not_root - group_dir_perms_state_symlink - - - - - ^\/lib(|64)?\/|^\/usr\/lib(|64)?\/ + + + ^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/ ^.*$ - state_group_ownership_libraries_not_root - group_dir_perms_state_symlink + group_permissions_for_system_wide_files_are_not_root - + 0 - - - symbolic link - - 
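Review bot: The `find` task has no `recurse: yes`, and the Ansible `find` module does not descend into subdirectories unless told to, so only files directly inside `/usr/lib`, `/usr/lib64`, `/lib` and `/lib64` are listed and nested libraries (e.g. under `/usr/lib64/python3.*`) are never re-grouped, while the bash `find` it replaces recursed. Add `recurse: yes` and `hidden: yes` to the `find:` block so dot-prefixed entries are not skipped either. `file_type: "file"` excludes symlinks, which matches the bash `-type f`, but the task name "Read list libraries without root ownership" is misleading since no group filter is applied there; the filtering is the `item.gid != 0` condition below, which the name or a comment should say.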
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
index 8722c2add65..a4ae2854db1 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
@@ -1,9 +1,9 @@
-#!/bin/bash
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
 
 for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
 do
 if [[ -d $SYSLIBDIRS ]]
 then
- find $SYSLIBDIRS ! -group root -exec chgrp root '{}' \;
+ find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;
 fi
 done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
index 1079046d14e..c96f65b989c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
@@ -1,10 +1,6 @@ -#!/bin/bash +# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora -# There is a high probability that there will be nested subdirectories within the -# shared system library directories, therefore we should test to make sure we -# cover this. - cmm -test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir -for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me /usr/lib/test_dir/test_me +for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me do if [[ ! -f $TESTFILE ]] then diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile index 9569b2ad629..059750f59d0 100644 --- a/products/rhel8/profiles/stig.profile +++ b/products/rhel8/profiles/stig.profile @@ -208,6 +208,7 @@ selections: # RHEL-08-010350 - root_permissions_syslibrary_files + - dir_group_ownership_library_dirs # RHEL-08-010360 - package_aide_installed diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index e0eb5ac045c..ae3375fd4d4 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -34,7 +34,6 @@ CCE-85890-2 CCE-85891-0 CCE-85892-8 CCE-85893-6 -CCE-85894-4 CCE-85895-1 CCE-85896-9 CCE-85897-7 diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile index ebe7a91f45d..49cce4d81cc 100644 --- a/tests/data/profile_stability/rhel8/stig.profile +++ b/tests/data/profile_stability/rhel8/stig.profile @@ -99,6 +99,7 @@ selections: - dconf_gnome_login_banner_text - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_lock_enabled +- dir_group_ownership_library_dirs - dir_perms_world_writable_root_owned - dir_perms_world_writable_sticky_bits - directory_permissions_var_log_audit 
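Review bot: Dropping `/usr/lib/test_dir/test_me` leaves this fail scenario with top-level files only, so a remediation that does not recurse — the Ansible `find` task in this series never sets `recurse: yes` — would still satisfy the scenario if the suite applies remediation to it, while nested libraries stay wrong. Keep one nested case with `mkdir -p /usr/lib/test_dir && chgrp nobody /usr/lib/test_dir` and `/usr/lib/test_dir/test_me` added to the list. Whether the OVAL check recurses depends on its behaviors element, which is unreadable in this extract, so confirm that before relying on the nested case. The loop body that creates the files continues outside the hunk.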
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile index 97f940dc9ed..943a57d3eb8 100644 --- a/tests/data/profile_stability/rhel8/stig_gui.profile +++ b/tests/data/profile_stability/rhel8/stig_gui.profile @@ -110,6 +110,7 @@ selections: - dconf_gnome_login_banner_text - dconf_gnome_screensaver_idle_delay - dconf_gnome_screensaver_lock_enabled +- dir_group_ownership_library_dirs - dir_perms_world_writable_root_owned - dir_perms_world_writable_sticky_bits - directory_permissions_var_log_audit From 71deac482753a13a9f98d6d7382b13e9031a2ce4 Mon Sep 17 00:00:00 2001 From: Carlos Matos Date: Tue, 13 Jul 2021 13:40:25 -0400 Subject: [PATCH 3/4] Updated test for nobody_group_owned_dir rule --- .../tests/nobody_group_owned_dir_on_lib.fail.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh index 277bd7d60de..043ad6b2dee 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh @@ -1,6 +1,6 @@ # platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora -DIRS="/lib /lib64" +DIRS="/lib /lib64 /usr/lib /usr/lib64" for dirPath in $DIRS; do - mkdir -p "$dirPath/testme" && chown root:nogroup "$dirPath/testme" + mkdir -p "$dirPath/testme" && chgrp nobody "$dirPath/testme" done From 087359679e4f6794054b6772df6c84c4cd1fee94 Mon Sep 17 00:00:00 2001 
From: Carlos Matos Date: Wed, 14 Jul 2021 10:04:25 -0400 Subject: [PATCH 4/4] Added recommended $ to end of regex pattern to properly match dirs --- .../root_permissions_syslibrary_files/oval/shared.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml index 926ff70d1e4..f5ca9380b55 100644 --- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml +++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml @@ -16,7 +16,7 @@ - ^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/ + ^\/lib(|64)?$|^\/usr\/lib(|64)?$ ^.*$ group_permissions_for_system_wide_files_are_not_root