scap-security-guide/scap-security-guide-0.1.61-update_RHEL_STIG-PR_8130.patch

686 lines
37 KiB
Diff

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
index dac47a1c6d1..3a6167a5717 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
@@ -39,7 +39,7 @@ references:
nist: CM-5(6),CM-5(6).1
srg: SRG-OS-000259-GPOS-00100
stigid@ol8: OL08-00-010350
- stigid@rhel8: RHEL-08-010350
+ stigid@rhel8: RHEL-08-010351
stigid@sle12: SLES-12-010876
stigid@sle15: SLES-15-010356
stigid@ubuntu2004: UBTU-20-010431
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
index 50fdb17bd2e..6a05a2b82ea 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh
new file mode 100644
index 00000000000..6a05a2b82ea
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
+
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+ find "$dirPath" -type d -exec chgrp root '{}' \;
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh
new file mode 100644
index 00000000000..36461f5e5c3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
+
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+ mkdir -p "$dirPath/testme" && chgrp nobody "$dirPath/testme"
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh
new file mode 100644
index 00000000000..3f09e3dd018
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh
@@ -0,0 +1,6 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
+
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+ mkdir -p "$dirPath/testme/test2" && chgrp nobody "$dirPath/testme/test2"
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
index 043ad6b2dee..36461f5e5c3 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora
DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
index e2362388678..ba923d8ac55 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml
@@ -27,7 +27,7 @@ references:
srg: SRG-OS-000258-GPOS-00099
stigid@ubuntu2004: UBTU-20-010424
-ocil_clause: 'any system exectables directories are found to not be owned by root'
+ocil_clause: 'any system executables directories are found to not be owned by root'
ocil: |-
System executables are stored in the following directories by default:
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml
deleted file mode 100644
index 28e193f827c..00000000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml
+++ /dev/null
@@ -1,28 +0,0 @@
-<def-group>
- <definition class="compliance" id="dir_ownership_library_dirs" version="1">
- {{{ oval_metadata("
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
- directories therein, are owned by root.
- ") }}}
- <criteria operator="AND">
- <criterion test_ref="test_dir_ownership_lib_dir" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="library directories uid root" id="test_dir_ownership_lib_dir" version="1">
- <unix:object object_ref="object_dir_ownership_lib_dir" />
- </unix:file_test>
-
-
- <unix:file_object comment="library directories" id="object_dir_ownership_lib_dir" version="1">
- <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
- <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
- <unix:filename xsi:nil="true" />
- <filter action="include">state_owner_library_dirs_not_root</filter>
- </unix:file_object>
-
- <unix:file_state id="state_owner_library_dirs_not_root" version="1">
- <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
- </unix:file_state>
-
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
index d6a0beddf6e..f0781b307b3 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml
@@ -27,6 +27,8 @@ rationale: |-
severity: medium
identifiers:
+ cce@rhel8: CCE-89021-0
+ cce@rhel9: CCE-89022-8
cce@sle12: CCE-83236-0
cce@sle15: CCE-85735-9
@@ -34,6 +36,7 @@ references:
disa: CCI-001499
nist: CM-5(6),CM-5(6).1
srg: SRG-OS-000259-GPOS-00100
+ stigid@rhel8: RHEL-08-010341
stigid@sle12: SLES-12-010874
stigid@sle15: SLES-15-010354
stigid@ubuntu2004: UBTU-20-010429
@@ -49,3 +52,14 @@ ocil: |-
For each of these directories, run the following command to find files not
owned by root:
<pre>$ sudo find -L <i>$DIR</i> ! -user root -type d -exec chown root {} \;</pre>
+
+template:
+ name: file_owner
+ vars:
+ filepath:
+ - /lib/
+ - /lib64/
+ - /usr/lib/
+ - /usr/lib64/
+ recursive: 'true'
+ fileuid: '0'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
similarity index 69%
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
index 01891664f64..a0d4990582e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_rhel
DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
find "$dirPath" -type d -exec chown root '{}' \;
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
similarity index 63%
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
index 59b8a1867eb..f366c2d7922 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh
@@ -1,4 +1,5 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,multi_platform_rhel
+groupadd nogroup
DIRS="/lib /lib64"
for dirPath in $DIRS; do
mkdir -p "$dirPath/testme" && chown nobody:nogroup "$dirPath/testme"
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
index a0e4e24b4f4..add26b2e778 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml
@@ -1,8 +1,8 @@
<def-group>
<definition class="compliance" id="dir_permissions_library_dirs" version="1">
{{{ oval_metadata("
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
- objects therein, are not group-writable or world-writable.
+ Checks that the directories /lib, /lib64, /usr/lib and /usr/lib64
+ are not group-writable or world-writable.
") }}}
<criteria operator="AND">
<criterion test_ref="dir_test_perms_lib_dir" />
@@ -19,7 +19,7 @@
<unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
<unix:filename xsi:nil="true" />
<filter action="include">dir_state_perms_nogroupwrite_noworldwrite</filter>
- <filter action="exclude">dir_perms_state_symlink</filter>
+ <filter action="exclude">dir_perms_state_nogroupwrite_noworldwrite_symlink</filter>
</unix:file_object>
<unix:file_state id="dir_state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
@@ -27,7 +27,7 @@
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
- <unix:file_state id="dir_perms_state_symlink" version="1">
+ <unix:file_state id="dir_perms_state_nogroupwrite_noworldwrite_symlink" version="1">
<unix:type operation="equals">symbolic link</unix:type>
</unix:file_state>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
index db89a5e47a1..6e62e8c6bbf 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml
@@ -60,3 +60,14 @@ ocil: |-
To find shared libraries that are group-writable or world-writable,
run the following command for each directory <i>DIR</i> which contains shared libraries:
<pre>$ sudo find -L <i>DIR</i> -perm /022 -type d</pre>
+
+template:
+ name: file_permissions
+ vars:
+ filepath:
+ - /lib/
+ - /lib64/
+ - /usr/lib/
+ - /usr/lib64/
+ recursive: 'true'
+ filemode: '0755'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
index 6b3a2905068..eec7485f90c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora
+# platform = multi_platform_sle,Oracle Linux 8,multi_platform_rhel,multi_platform_fedora
# reboot = false
# strategy = restrict
# complexity = medium
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
index a9e8c7d8e25..e352dd34a67 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
+# platform = multi_platform_sle,Oracle Linux 8,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
do
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml
deleted file mode 100644
index de81a3703b4..00000000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
-# reboot = false
-# strategy = restrict
-# complexity = medium
-# disruption = medium
-- name: "Read list libraries without root ownership"
- command: "find -L /usr/lib /usr/lib64 /lib /lib64 \\! -user root"
- register: libraries_not_owned_by_root
- changed_when: False
- failed_when: False
- check_mode: no
-
-- name: "Set ownership of system libraries to root"
- file:
- path: "{{ item }}"
- owner: "root"
- with_items: "{{ libraries_not_owned_by_root.stdout_lines }}"
- when: libraries_not_owned_by_root | length > 0
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh
deleted file mode 100644
index c75167d2fe7..00000000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
-for LIBDIR in /usr/lib /usr/lib64 /lib /lib64
-do
- if [ -d $LIBDIR ]
- then
- find -L $LIBDIR \! -user root -exec chown root {} \;
- fi
-done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml
deleted file mode 100644
index 59ee3d82a21..00000000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml
+++ /dev/null
@@ -1,39 +0,0 @@
-<def-group>
- <definition class="compliance" id="file_ownership_library_dirs" version="1">
- {{{ oval_metadata("
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
- objects therein, are owned by root.
- ") }}}
- <criteria operator="AND">
- <criterion test_ref="test_ownership_lib_dir" />
- <criterion test_ref="test_ownership_lib_files" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="library directories uid root" id="test_ownership_lib_dir" version="1">
- <unix:object object_ref="object_file_ownership_lib_dir" />
- </unix:file_test>
-
- <unix:file_test check="all" check_existence="none_exist" comment="library files uid root" id="test_ownership_lib_files" version="1">
- <unix:object object_ref="object_file_ownership_lib_files" />
- </unix:file_test>
-
- <unix:file_object comment="library directories" id="object_file_ownership_lib_dir" version="1">
- <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
- <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
- <unix:filename xsi:nil="true" />
- <filter action="include">state_owner_libraries_not_root</filter>
- </unix:file_object>
-
- <unix:file_object comment="library files" id="object_file_ownership_lib_files" version="1">
- <!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to user with uid 0 (root) -->
- <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_owner_libraries_not_root</filter>
- </unix:file_object>
-
- <unix:file_state id="state_owner_libraries_not_root" version="1">
- <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
- </unix:file_state>
-
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
index d80681c1e65..b6bc18e8310 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml
@@ -60,3 +60,14 @@ ocil: |-
For each of these directories, run the following command to find files not
owned by root:
<pre>$ sudo find -L <i>$DIR</i> ! -user root -exec chown root {} \;</pre>
+
+template:
+ name: file_owner
+ vars:
+ filepath:
+ - /lib/
+ - /lib64/
+ - /usr/lib/
+ - /usr/lib64/
+ file_regex: ^.*$
+ fileuid: '0'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh
new file mode 100644
index 00000000000..92c6a0889d4
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
+do
+ if [[ -d $SYSLIBDIRS ]]
+ then
+ find $SYSLIBDIRS ! -user root -type f -exec chown root '{}' \;
+ fi
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh
new file mode 100644
index 00000000000..84da71f45f7
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh
@@ -0,0 +1,11 @@
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
+
+useradd user_test
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
+do
+ if [[ ! -f $TESTFILE ]]
+ then
+ touch $TESTFILE
+ fi
+ chown user_test $TESTFILE
+done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml
deleted file mode 100644
index cf9eebace8b..00000000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle
-# reboot = false
-# strategy = restrict
-# complexity = high
-# disruption = medium
-- name: "Read list of world and group writable files in libraries directories"
- command: "find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f"
- register: world_writable_library_files
- changed_when: False
- failed_when: False
- check_mode: no
-
-- name: "Disable world/group writability to library files"
- file:
- path: "{{ item }}"
- mode: "go-w"
- with_items: "{{ world_writable_library_files.stdout_lines }}"
- when: world_writable_library_files.stdout_lines | length > 0
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh
deleted file mode 100644
index af04ad625d3..00000000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# platform = multi_platform_all
-DIRS="/lib /lib64 /usr/lib /usr/lib64"
-for dirPath in $DIRS; do
- find "$dirPath" -perm /022 -type f -exec chmod go-w '{}' \;
-done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml
deleted file mode 100644
index f25c52260c4..00000000000
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml
+++ /dev/null
@@ -1,46 +0,0 @@
-<def-group>
- <definition class="compliance" id="file_permissions_library_dirs" version="1">
- {{{ oval_metadata("
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
- objects therein, are not group-writable or world-writable.
- ") }}}
- <criteria operator="AND">
- <criterion test_ref="test_perms_lib_dir" />
- <criterion test_ref="test_perms_lib_files" />
- </criteria>
- </definition>
-
- <unix:file_test check="all" check_existence="none_exist" comment="library directories go-w" id="test_perms_lib_dir" version="1">
- <unix:object object_ref="object_file_permissions_lib_dir" />
- </unix:file_test>
-
- <unix:file_test check="all" check_existence="none_exist" comment="library files go-w" id="test_perms_lib_files" version="1">
- <unix:object object_ref="object_file_permissions_lib_files" />
- </unix:file_test>
-
- <unix:file_object comment="library directories" id="object_file_permissions_lib_dir" version="1">
- <!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
- <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
- <unix:filename xsi:nil="true" />
- <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
- <filter action="exclude">perms_state_symlink</filter>
- </unix:file_object>
-
- <unix:file_object comment="library files" id="object_file_permissions_lib_files" version="1">
- <!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
- <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
- <unix:filename operation="pattern match">^.*$</unix:filename>
- <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>
- <filter action="exclude">perms_state_symlink</filter>
- </unix:file_object>
-
- <unix:file_state id="state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
- <unix:gwrite datatype="boolean">true</unix:gwrite>
- <unix:owrite datatype="boolean">true</unix:owrite>
- </unix:file_state>
-
- <unix:file_state id="perms_state_symlink" version="1">
- <unix:type operation="equals">symbolic link</unix:type>
- </unix:file_state>
-
-</def-group>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
index 9a07e76929e..5a708cf78c3 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml
@@ -61,3 +61,14 @@ ocil: |-
To find shared libraries that are group-writable or world-writable,
run the following command for each directory <i>DIR</i> which contains shared libraries:
<pre>$ sudo find -L <i>DIR</i> -perm /022 -type f</pre>
+
+template:
+ name: file_permissions
+ vars:
+ filepath:
+ - /lib/
+ - /lib64/
+ - /usr/lib/
+ - /usr/lib64/
+ file_regex: ^.*$
+ filemode: '0755'
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh
similarity index 100%
rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh
rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
index eaf04c8d36c..ec135b5279c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
@@ -4,7 +4,7 @@ prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004
title: |-
Verify the system-wide library files in directories
- "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are owned by root.
+ "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.
description: |-
System-wide library files are stored in the following directories
@@ -15,7 +15,7 @@ description: |-
/usr/lib64
</pre>
All system-wide shared library files should be protected from unauthorised
- access. If any of these files is not owned by root, correct its owner with
+ access. If any of these files is not group-owned by root, correct its group-owner with
the following command:
<pre>$ sudo chgrp root <i>FILE</i></pre>
@@ -48,7 +48,7 @@ references:
stigid@sle15: SLES-15-010355
stigid@ubuntu2004: UBTU-20-01430
-ocil_clause: 'system wide library files are not group owned by root'
+ocil_clause: 'system wide library files are not group-owned by root'
ocil: |-
System-wide library files are stored in the following directories:
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
index 0e982c3b8ca..5356d3742d3 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
do
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
index 23a7703f57d..7352b60aa4b 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu
+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu
groupadd group_test
for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index ff23f83cfbf..88b3a7e3783 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -235,8 +235,13 @@ selections:
# RHEL-08-010340
- file_ownership_library_dirs
+ # RHEL-08-010341
+ - dir_ownership_library_dirs
+
# RHEL-08-010350
- root_permissions_syslibrary_files
+
+ # RHEL-08-010351
- dir_group_ownership_library_dirs
# RHEL-08-010360
diff --git a/products/rhel9/profiles/stig.profile b/products/rhel9/profiles/stig.profile
index 8cc6d132591..65465be2c07 100644
--- a/products/rhel9/profiles/stig.profile
+++ b/products/rhel9/profiles/stig.profile
@@ -236,8 +236,13 @@ selections:
# RHEL-08-010340
- file_ownership_library_dirs
+ # RHEL-08-010341
+ - dir_ownership_library_dirs
+
# RHEL-08-010350
- root_permissions_syslibrary_files
+
+ # RHEL-08-010351
- dir_group_ownership_library_dirs
# RHEL-08-010360
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 8aad24b20f7..eb3f17f4f3d 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -2957,8 +2957,6 @@ CCE-89017-8
CCE-89018-6
CCE-89019-4
CCE-89020-2
-CCE-89021-0
-CCE-89022-8
CCE-89023-6
CCE-89024-4
CCE-89025-1
diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template
index 68fc2e1e17e..0b4ab594155 100644
--- a/shared/templates/file_groupowner/ansible.template
+++ b/shared/templates/file_groupowner/ansible.template
@@ -12,6 +12,7 @@
paths: "{{{ path }}}"
patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
+ hidden: yes
register: files_found
- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
diff --git a/shared/templates/file_groupowner/oval.template b/shared/templates/file_groupowner/oval.template
index fd2e5db5d93..64a494471a8 100644
--- a/shared/templates/file_groupowner/oval.template
+++ b/shared/templates/file_groupowner/oval.template
@@ -45,6 +45,10 @@
{{%- else %}}
<unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
{{%- endif %}}
+ <filter action="exclude">symlink_file_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}</filter>
</unix:file_object>
{{% endfor %}}
+ <unix:file_state id="symlink_file_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}" version="1">
+ <unix:type operation="equals">symbolic link</unix:type>
+ </unix:file_state>
</def-group>
diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template
index 590c9fc6055..dba9e65a277 100644
--- a/shared/templates/file_owner/ansible.template
+++ b/shared/templates/file_owner/ansible.template
@@ -12,6 +12,7 @@
paths: "{{{ path }}}"
patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
+ hidden: yes
register: files_found
- name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}
diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template
index 105e29c81c8..777831d790d 100644
--- a/shared/templates/file_owner/oval.template
+++ b/shared/templates/file_owner/oval.template
@@ -44,6 +44,10 @@
{{%- else %}}
<unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>
{{%- endif %}}
+ <filter action="exclude">symlink_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}</filter>
</unix:file_object>
{{% endfor %}}
+ <unix:file_state id="symlink_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}" version="1">
+ <unix:type operation="equals">symbolic link</unix:type>
+ </unix:file_state>
</def-group>
diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template
index fc211bdc4c3..6d4dedcee51 100644
--- a/shared/templates/file_permissions/ansible.template
+++ b/shared/templates/file_permissions/ansible.template
@@ -12,6 +12,7 @@
paths: "{{{ path }}}"
patterns: {{{ FILE_REGEX[loop.index0] }}}
use_regex: yes
+ hidden: yes
register: files_found
- name: Set permissions for {{{ path }}} file(s)
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index b5621425b96..c5a9b6a32ad 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -181,6 +181,7 @@ selections:
- dconf_gnome_screensaver_idle_delay
- dconf_gnome_screensaver_lock_enabled
- dir_group_ownership_library_dirs
+- dir_ownership_library_dirs
- dir_permissions_library_dirs
- dir_perms_world_writable_root_owned
- dir_perms_world_writable_sticky_bits
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 31221ed632c..32d195e28aa 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -192,6 +192,7 @@ selections:
- dconf_gnome_screensaver_idle_delay
- dconf_gnome_screensaver_lock_enabled
- dir_group_ownership_library_dirs
+- dir_ownership_library_dirs
- dir_permissions_library_dirs
- dir_perms_world_writable_root_owned
- dir_perms_world_writable_sticky_bits