From c11311736558613b13ae051a2908c31eee0b6a43 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 25 Nov 2020 16:52:14 +0100
Subject: [PATCH] Add new rule dir_perms_world_writable_system_owned_group.
Change the STIG reference ID of dir_perms_world_writable_system_owned because
that rule actually checks the UID, not the GID as was expected.
---
.../oval/shared.xml | 10 ++---
.../rule.yml | 8 ++--
.../oval/shared.xml | 22 +++++++++
.../rule.yml | 45 +++++++++++++++++++
rhel7/profiles/stig.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
6 files changed, 77 insertions(+), 10 deletions(-)
create mode 100644 linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml
create mode 100644 linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
index eae7e654a2..8b03bfe0ec 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/oval/shared.xml
@@ -6,16 +6,16 @@
</criteria>
</definition>
<unix:file_test check="all" comment="check for local directories that are world writable and have uid greater than or equal to {{{ auid }}}" id="test_dir_world_writable_uid_gt_value" version="1">
- <unix:object object_ref="all_local_directories" />
- <unix:state state_ref="state_gid_is_user_and_world_writable" />
+ <unix:object object_ref="all_local_directories_uid" />
+ <unix:state state_ref="state_uid_is_user_and_world_writable" />
</unix:file_test>
- <unix:file_object comment="all local directories" id="all_local_directories" version="1">
+ <unix:file_object comment="all local directories" id="all_local_directories_uid" version="1">
<unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
<unix:path operation="equals">/</unix:path>
<unix:filename xsi:nil="true" />
- <filter action="include">state_gid_is_user_and_world_writable</filter>
+ <filter action="include">state_uid_is_user_and_world_writable</filter>
</unix:file_object>
- <unix:file_state comment="uid greater than or equal to {{{ auid }}} and world writable" id="state_gid_is_user_and_world_writable" version="1">
+ <unix:file_state comment="uid greater than or equal to {{{ auid }}} and world writable" id="state_uid_is_user_and_world_writable" version="1">
<unix:user_id datatype="int" operation="greater than or equal">{{{ auid }}}</unix:user_id>
<unix:owrite datatype="boolean">true</unix:owrite>
</unix:file_state>
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml
index 100b22943..5271903fe 100644
--- a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned/rule.yml
@@ -7,10 +7,10 @@ title: 'Ensure All World-Writable Directories Are Owned by a System Account'
description: |-
All directories in local partitions which are
world-writable should be owned by root or another
- system account. If any world-writable directories are not
+ system account. If any world-writable directories are not
owned by a system account, this should be investigated.
Following this, the files should be deleted or assigned to an
- appropriate group.
+ appropriate owner.
rationale: |-
Allowing a user account to own a world-writable directory is
@@ -25,14 +25,14 @@ identifiers:
cce@rhel7: CCE-80136-5
references:
- stigid@ol7: OL07-00-021030
+ stigid@ol7: OL07-00-021031
stigid@rhel6: RHEL-06-000337
srg@rhel6: SRG-OS-999999
disa: CCI-000366
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
srg: SRG-OS-000480-GPOS-00227
- stigid@rhel7: RHEL-07-021030
+ stigid@rhel7: RHEL-07-021031
isa-62443-2013: 'SR 2.1,SR 5.2'
isa-62443-2009: 4.3.3.7.3
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml
new file mode 100644
index 0000000000..3ac40ecb2d
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/oval/shared.xml
@@ -0,0 +1,22 @@
+<def-group>
+ <definition class="compliance" id="dir_perms_world_writable_system_owned_group" version="1">
+ {{{ oval_metadata("All world writable directories should be group owned by a system user.") }}}
+ <criteria comment="check for local directories that are world writable and have gid greater than or equal to {{{ auid }}}" negate="true">
+ <criterion comment="check for local directories that are world writable and have gid greater than or equal to {{{ auid }}}" test_ref="test_dir_world_writable_gid_gt_value" />
+ </criteria>
+ </definition>
+ <unix:file_test check="all" comment="check for local directories that are world writable and have gid greater than or equal to {{{ auid }}}" id="test_dir_world_writable_gid_gt_value" version="1">
+ <unix:object object_ref="all_local_directories_gid" />
+ <unix:state state_ref="state_gid_is_user_and_world_writable" />
+ </unix:file_test>
+ <unix:file_object comment="all local directories" id="all_local_directories_gid" version="1">
+ <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local" />
+ <unix:path operation="equals">/</unix:path>
+ <unix:filename xsi:nil="true" />
+ <filter action="include">state_gid_is_user_and_world_writable</filter>
+ </unix:file_object>
+ <unix:file_state comment="gid greater than or equal to {{{ auid }}} and world writable" id="state_gid_is_user_and_world_writable" version="1">
+ <unix:group_id datatype="int" operation="greater than or equal">{{{ auid }}}</unix:group_id>
+ <unix:owrite datatype="boolean">true</unix:owrite>
+ </unix:file_state>
+</def-group>
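Review bot: The oval_metadata description on the second line of the new file says the directories "should be group owned by a system user", but the state it drives compares `unix:group_id`, so the text should name a group: `{{{ oval_metadata("All world writable directories should be group owned by a system group.") }}}`. The same "uid" wording leaks into the state id `state_gid_is_user_and_world_writable`, which reads as a copy of the uid rule's state; a name such as `state_gid_is_user_group_and_world_writable` would make the gid check self-describing. Note that this id is only free because the sibling rule's OVAL in this same patch renames its state to `state_uid_is_user_and_world_writable`; if that hunk is ever reverted the two rules would presumably collide on the shared id, so keeping the names clearly distinct is worth the small rename.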
diff --git a/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
new file mode 100644
index 0000000000..1e3c60b7e3
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/dir_perms_world_writable_system_owned_group/rule.yml
@@ -0,0 +1,45 @@
+documentation_complete: true
+
+prodtype: fedora,ol7,ol8,rhel7,rhel8,rhv4,wrlinux1019
+
+title: 'Ensure All World-Writable Directories Are Group Owned by a System Account'
+
+description: |-
+ All directories in local partitions which are
+ world-writable should be group owned by root or another
+ system account. If any world-writable directories are not
+ group owned by a system account, this should be investigated.
+ Following this, the files should be deleted or assigned to an
+ appropriate group.
+
+rationale: |-
+ Allowing a user account to group own a world-writable directory is
+ undesirable because it allows the owner of that directory to remove
+ or replace any files that may be placed in the directory by other
+ users.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: CCE-83923-3
+
+references:
+ stigid@ol7: OL07-00-021030
+ disa: CCI-000366
+ nist: CM-6(a),AC-6(1)
+ nist-csf: PR.AC-4,PR.DS-5
+ srg: SRG-OS-000480-GPOS-00227
+ stigid@rhel7: RHEL-07-021030
+ isa-62443-2013: 'SR 2.1,SR 5.2'
+ isa-62443-2009: 4.3.3.7.3
+ cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
+ iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
+ cis-csc: 12,13,14,15,16,18,3,5
+
+ocil_clause: 'there is output'
+
+ocil: |-
+ The following command will discover and print world-writable directories that
+ are not group owned by a system account, given the assumption that only system
+ accounts have a gid lower than 500. Run it once for each local partition <i>PART</i>:
+ <pre>$ sudo find <i>PART</i> -xdev -type d -perm -0002 -gid +499 -print</pre>
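Review bot: The OCIL text hard-codes the system-account boundary as 500 (`gid lower than 500`, `-gid +499`) while the OVAL state in this patch tests `unix:group_id` against `{{{ auid }}}`, so the manual and automated checks will disagree whenever the rendered auid is not 500. Using the same template value in both places keeps them aligned, e.g. `accounts have a gid lower than {{{ auid }}}.` and `-perm -0002 ! -gid -{{{ auid }}} -print` (find's `! -gid -N` selects gid >= N, which matches the OVAL "greater than or equal" operation). The rationale paragraph also still speaks of "the owner of that directory"; for a group-ownership rule the risk is that members of that group can remove or replace files, so `because it allows every member of that group to remove` states the actual exposure.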
diff --git a/rhel7/profiles/stig.profile b/rhel7/profiles/stig.profile
index 4698785a49..a16e990202 100644
--- a/rhel7/profiles/stig.profile
+++ b/rhel7/profiles/stig.profile
@@ -155,6 +155,7 @@ selections:
- mount_option_nosuid_removable_partitions
- mount_option_nosuid_remote_filesystems
- dir_perms_world_writable_system_owned
+ - dir_perms_world_writable_system_owned_group
- accounts_umask_interactive_users
- rsyslog_cron_logging
- file_owner_cron_allow
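Review bot: Only rhel7/profiles/stig.profile gains the new `dir_perms_world_writable_system_owned_group` selection, yet the rule's prodtype lists ol7 and it carries `stigid@ol7: OL07-00-021030`, the STIG id just moved off the uid rule. If an ol7 STIG profile exists in the tree (not visible in this patch), it presumably needs the same one-line selection so that OL07-00-021030 is still covered there after the uid rule's reference changes to OL07-00-021031.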
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index c38943b07c..c5d1ff963f 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -473,7 +473,6 @@ CCE-83919-1
CCE-83920-9
CCE-83921-7
CCE-83922-5
-CCE-83923-3
CCE-83924-1
CCE-83925-8
CCE-83926-6