From c11311736558613b13ae051a2908c31eee0b6a43 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 25 Nov 2020 16:52:14 +0100
Subject: [PATCH] Add new rule dir_perms_world_writable_system_owned_group.

Change the old STIG reference ID of dir_perms_world_writable_system_owned,
because that rule actually checks the UID and not the GID as had been
expected.
---
 .../oval/shared.xml                           | 10 ++---
 .../rule.yml                                  |  8 ++--
 .../oval/shared.xml                           | 22 +++++++++
 .../rule.yml                                  | 45 +++++++++++++++++++
 rhel7/profiles/stig.profile                   |  1 +
 shared/references/cce-redhat-avail.txt        |  1 -
 6 files changed, 77 insertions(+), 10 deletions(-)
 create mode 100644 linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml
 create mode 100644 linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml

diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
index eae7e654a2..8b03bfe0ec 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
@@ -6,16 +6,16 @@
     </criteria>
   </definition>
   <unix:file_test check="all" comment="check for local directories that are world writable and have uid greater than or equal to {{{ auid }}}" id="test_dir_world_writable_uid_gt_value" version="1">
-    <unix:object object_ref="all_local_directories" />
-    <unix:state state_ref="state_gid_is_user_and_world_writable" />
+    <unix:object object_ref="all_local_directories_uid" />
+    <unix:state state_ref="state_uid_is_user_and_world_writable" />
   </unix:file_test>
-  <unix:file_object comment="all local directories" id="all_local_directories" version="1">
+  <unix:file_object comment="all local directories" id="all_local_directories_uid" version="1">
     <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
     <unix:path operation="equals">/</unix:path>
     <unix:filename xsi:nil="true" />
-    <filter action="include">state_gid_is_user_and_world_writable</filter>
+    <filter action="include">state_uid_is_user_and_world_writable</filter>
   </unix:file_object>
-  <unix:file_state comment="uid greater than or equal to {{{ auid }}} and world writable" id="state_gid_is_user_and_world_writable" version="1">
+  <unix:file_state comment="uid greater than or equal to {{{ auid }}} and world writable" id="state_uid_is_user_and_world_writable" version="1">
     <unix:user_id datatype="int" operation="greater than or equal">{{{ auid }}}</unix:user_id>
     <unix:owrite datatype="boolean">true</unix:owrite>
   </unix:file_state>
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml
index 100b22943..5271903fe 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml
@@ -7,10 +7,10 @@ title: 'Ensure All World-Writable Directories Are Owned by a System Account'
 description: |-
     All directories in local partitions which are
     world-writable should be owned by root or another
-    system account.  If any world-writable directories are not
+    system account. If any world-writable directories are not
     owned by a system account, this should be investigated.
     Following this, the files should be deleted or assigned to an
-    appropriate group.
+    appropriate owner.
 
 rationale: |-
     Allowing a user account to own a world-writable directory is
@@ -25,14 +25,14 @@ identifiers:
     cce@rhel7: CCE-80136-5
 
 references:
-    stigid@ol7: OL07-00-021030
+    stigid@ol7: OL07-00-021031
     stigid@rhel6: RHEL-06-000337
     srg@rhel6: SRG-OS-999999
     disa: CCI-000366
     nist: CM-6(a),AC-6(1)
     nist-csf: PR.AC-4,PR.DS-5
     srg: SRG-OS-000480-GPOS-00227
-    stigid@rhel7: RHEL-07-021030
+    stigid@rhel7: RHEL-07-021031
     isa-62443-2013: 'SR 2.1,SR 5.2'
     isa-62443-2009: 4.3.3.7.3
     cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml
new file mode 100644
index 0000000000..3ac40ecb2d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml
@@ -0,0 +1,22 @@
+<def-group>
+  <definition class="compliance" id="dir_perms_world_writable_system_owned_group" version="1">
+    {{{ oval_metadata("All world writable directories should be group owned by a system user.") }}}
+    <criteria comment="check for local directories that are world writable and have gid greater than or equal to {{{ auid }}}" negate="true">
+      <criterion comment="check for local directories that are world writable and have gid greater than or equal to {{{ auid }}}" test_ref="test_dir_world_writable_gid_gt_value" />
+    </criteria>
+  </definition>
+  <unix:file_test check="all" comment="check for local directories that are world writable and have gid greater than or equal to {{{ auid }}}" id="test_dir_world_writable_gid_gt_value" version="1">
+    <unix:object object_ref="all_local_directories_gid" />
+    <unix:state state_ref="state_gid_is_user_and_world_writable" />
+  </unix:file_test>
+  <unix:file_object comment="all local directories" id="all_local_directories_gid" version="1">
+    <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
+    <unix:path operation="equals">/</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_gid_is_user_and_world_writable</filter>
+  </unix:file_object>
+  <unix:file_state comment="gid greater than or equal to {{{ auid }}} and world writable" id="state_gid_is_user_and_world_writable" version="1">
+    <unix:group_id datatype="int" operation="greater than or equal">{{{ auid }}}</unix:group_id>
+    <unix:owrite datatype="boolean">true</unix:owrite>
+  </unix:file_state>
+</def-group>
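Review bot: The state `state_gid_is_user_and_world_writable` compares `unix:group_id` against `{{{ auid }}}`, the same macro the sibling UID rule feeds to `unix:user_id`, so the check silently assumes that system groups occupy the same ID range as system users; that assumption is not written down anywhere in the file. I would record it next to the state, e.g. `<!-- {{{ auid }}} is the minimum non-system UID; it is reused as the GID threshold on the assumption that system GIDs share that range -->`. The `unix:file_object` comment `"all local directories"` also understates what is collected, since the `filter` narrows it to world-writable directories whose GID is at or above the threshold; `comment="local world-writable directories with gid greater than or equal to {{{ auid }}}"` would match the test and state comments. Both points are documentation only.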
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
new file mode 100644
index 0000000000..1e3c60b7e3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
@@ -0,0 +1,45 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+
+title: 'Ensure All World-Writable Directories Are Group Owned by a System Account'
+
+description: |-
+    All directories in local partitions which are
+    world-writable should be group owned by root or another
+    system account. If any world-writable directories are not
+    group owned by a system account, this should be investigated.
+    Following this, the files should be deleted or assigned to an
+    appropriate group.
+
+rationale: |-
+    Allowing a user account to group own a world-writable directory is
+    undesirable because it allows the owner of that directory to remove
+    or replace any files that may be placed in the directory by other
+    users.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-83923-3
+
+references:
+    stigid@ol7: OL07-00-021030
+    disa: CCI-000366
+    nist: CM-6(a),AC-6(1)
+    nist-csf: PR.AC-4,PR.DS-5
+    srg: SRG-OS-000480-GPOS-00227
+    stigid@rhel7: RHEL-07-021030
+    isa-62443-2013: 'SR 2.1,SR 5.2'
+    isa-62443-2009: 4.3.3.7.3
+    cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+    iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+    cis-csc: 12,13,14,15,16,18,3,5
+
+ocil_clause: 'there is output'
+
+ocil: |-
+    The following command will discover and print world-writable directories that
+    are not group owned by a system account, given the assumption that only system
+    accounts have a gid lower than 500.  Run it once for each local partition <i>PART</i>:
+    <pre>$ sudo find <i>PART</i> -xdev -type d -perm -0002 -gid +499 -print</pre>
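Review bot: The manual check hard-codes a threshold of 500 (`a gid lower than 500`, `-gid +499`) while the OVAL for this rule compares the GID against `{{{ auid }}}`, so the OCIL and the automated check can disagree on any product where the minimum non-system ID is not 500. Assuming rule.yml is rendered through the same templating as the OVAL, I would reference the macro in both places: `accounts have a gid lower than {{{ auid }}}` and `<pre>$ sudo find <i>PART</i> -xdev -type d -perm -0002 ! -gid -{{{ auid }}} -print</pre>`, which keeps the find expression arithmetic-free. Separately, the rationale still speaks of `the owner of that directory` although this rule is about group ownership; `it allows any member of that group to remove or replace any files` states the actual risk. The same 500 literal may exist in the ocil of the sibling UID rule, which this patch does not show.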
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 4698785a49..a16e990202 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -155,6 +155,7 @@ selections:
     - mount_option_nosuid_removable_partitions
     - mount_option_nosuid_remote_filesystems
     - dir_perms_world_writable_system_owned
+    - dir_perms_world_writable_system_owned_group
     - accounts_umask_interactive_users
     - rsyslog_cron_logging
     - file_owner_cron_allow
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index c38943b07c..c5d1ff963f 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -473,7 +473,6 @@ CCE-83919-1
 CCE-83920-9
 CCE-83921-7
 CCE-83922-5
-CCE-83923-3
 CCE-83924-1
 CCE-83925-8
 CCE-83926-6