From f7bb6fc32091ad9d10ec8253505086670eb135ba Mon Sep 17 00:00:00 2001

From: Carlos Matos <cmatos@redhat.com>

Date: Mon, 12 Jul 2021 10:06:41 -0400

Subject: [PATCH 1/4] Initial commit for RHEL-08-010350 STIG rule

---

 .../ansible/shared.yml                        |  2 +-

 .../bash/shared.sh                            |  2 +-

 .../oval/shared.xml                           | 44 +++++++++++++------

 .../rule.yml                                  | 26 ++++++-----

 .../tests/correct_group.pass.sh               |  2 +-

 .../tests/incorrect_group.fail.sh             |  8 +++-

 products/rhel8/profiles/stig.profile          |  1 +

 shared/references/cce-redhat-avail.txt        |  1 -

 .../data/profile_stability/rhel8/stig.profile |  1 +

 .../profile_stability/rhel8/stig_gui.profile  |  1 +

 10 files changed, 57 insertions(+), 31 deletions(-)

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml

index f90c8e26b15..e0bb6b0dc1a 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml

@@ -1,4 +1,4 @@

-# platform = multi_platform_sle

+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

 # reboot = false

 # strategy = restrict

 # complexity = high

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh

index fba25be6132..d5fb89487d5 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh

@@ -1,4 +1,4 @@

-# platform = multi_platform_sle

+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

 find /lib \

 /lib64 \

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml

index 00f733ddc78..e3d64a8390e 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml

@@ -1,27 +1,45 @@

 <def-group>

-  <definition class="compliance" id="root_permissions_syslibrary_files" version="2">

+  <definition class="compliance" id="root_permissions_syslibrary_files" version="1">

     {{{ oval_metadata("

-        Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64

-        are owned by root.

+        Checks that /lib, /lib64, /usr/lib, /usr/lib64, and

+        objects therein, are group-owned by root.

       ") }}}

-    <criteria >

-      <criterion test_ref="test_root_permissions_for_syslibrary_files" />

+    <criteria operator="AND">

+      <criterion test_ref="test_group_ownership_lib_dir" />

+      <criterion test_ref="test_group_ownership_lib_files" />

     </criteria>

   </definition>

-  <unix:file_test  check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">

-    <unix:object object_ref="root_permissions_for_system_wide_library_files" />

+  <unix:file_test  check="all" check_existence="none_exist" comment="library directories gid root" id="test_group_ownership_lib_dir" version="1">

+    <unix:object object_ref="object_group_ownership_lib_dir" />

   </unix:file_test>

-  <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">

-    

-        are owned by root. -->

-    <unix:path operation="pattern match">^\/lib(64)?|^\/usr\/lib(64)?</unix:path >    

+  <unix:file_test  check="all" check_existence="none_exist" comment="library files gid root" id="test_group_ownership_lib_files" version="1">

+    <unix:object object_ref="object_group_ownership_lib_files" />

+  </unix:file_test>

+

+  <unix:file_object comment="library directories" id="object_group_ownership_lib_dir" version="1">

+    

+    <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>

+    <unix:filename xsi:nil="true" />

+    <filter action="include">state_group_ownership_libraries_not_root</filter>

+    <filter action="exclude">group_dir_perms_state_symlink</filter>

+  </unix:file_object>

+

+  <unix:file_object comment="library files" id="object_group_ownership_lib_files" version="1">

+    

+    <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>

     <unix:filename operation="pattern match">^.*$</unix:filename>

-    <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>

+   <filter action="include">state_group_ownership_libraries_not_root</filter>

+   <filter action="exclude">group_dir_perms_state_symlink</filter>

   </unix:file_object>

-  <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >

+  <unix:file_state id="state_group_ownership_libraries_not_root" version="1">

     <unix:group_id datatype="int" operation="not equal">0</unix:group_id>

   </unix:file_state>

+

+  <unix:file_state id="group_dir_perms_state_symlink" version="1">

+    <unix:type operation="equals">symbolic link</unix:type>

+  </unix:file_state>

+

 </def-group>

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml

index ff905dd08d..83371b8b9b 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml

@@ -1,6 +1,6 @@

 documentation_complete: true

-prodtype: sle12,sle15

+prodtype: sle12,sle15,rhel8,fedora

 title: |-

     Verify the system-wide library files in directories

@@ -17,18 +17,18 @@ description: |-

     All system-wide shared library files should be protected from unauthorised

     access. If any of these files is not owned by root, correct its owner with

     the following command:

-    
$ sudo chgrp root DIR

+    
$ sudo chgrp root FILE

 rationale: |-

-  If the operating system were to allow any user to make changes to software libraries,

-  then those changes might be implemented without undergoing the appropriate testing and

-  approvals that are part of a robust change management process.

+    If the operating system were to allow any user to make changes to software libraries,

+    then those changes might be implemented without undergoing the appropriate testing and

+    approvals that are part of a robust change management process.

-  This requirement applies to operating systems with software libraries that are

-  accessible and configurable, as in the case of interpreted languages. Software libraries

-  also include privileged programs which execute with escalated privileges. Only qualified

-  and authorized individuals must be allowed to obtain access to information system components

-  for purposes of initiating changes, including upgrades and modifications.

+    This requirement applies to operating systems with software libraries that are

+    accessible and configurable, as in the case of interpreted languages. Software libraries

+    also include privileged programs which execute with escalated privileges. Only qualified

+    and authorized individuals must be allowed to obtain access to information system components

+    for purposes of initiating changes, including upgrades and modifications.

 severity: medium

@@ -45,7 +45,7 @@ references:

     stigid@sle12: SLES-12-010875

     stigid@sle15: SLES-15-010355

-ocil_clause: 'any system wide library directory is returned'

+ocil_clause: 'system wide library files are not group owned by root'

 ocil: |-

     System-wide library files are stored in the following directories:

@@ -54,6 +54,6 @@ ocil: |-

     /usr/lib

     /usr/lib64

-    To find if system-wide library files stored in these directories are group-owned by

+    To find if system-wide library files stored in these directories are not group-owned by

     root run the following command for each directory DIR:

     
$ sudo find -L DIR ! -group root -type f 

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh

index 7a8e65b4f3a..8722c2add65 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh

@@ -4,6 +4,6 @@ for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64

 do

     if [[ -d $SYSLIBDIRS  ]]

     then

-        find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;

+        find $SYSLIBDIRS ! -group root -exec chgrp root '{}' \;

     fi

 done

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh

index a4b99a9da14..1079046d14e 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh

@@ -1,6 +1,10 @@

 #!/bin/bash

-  

-for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me

+

+# There is a high probability that there will be nested subdirectories within the

+# shared system library directories, therefore we should test to make sure we

+# cover this. - cmm

+test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir

+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me /usr/lib/test_dir/test_me

 do

    if [[ ! -f $TESTFILE ]]

    then

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 2508008d511..9569b2ad629 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -207,6 +207,7 @@ selections:

     - file_ownership_library_dirs

     # RHEL-08-010350

+    - root_permissions_syslibrary_files

     # RHEL-08-010360

     - package_aide_installed

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index f139d2ed76f..e0eb5ac045c 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -662,7 +662,6 @@ CCE-86518-8

 CCE-86520-4

 CCE-86521-2

 CCE-86522-0

-CCE-86523-8

 CCE-86524-6

 CCE-86525-3

 CCE-86526-1

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index 765487c6f16..ebe7a91f45d 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -221,6 +221,7 @@ selections:

 - postfix_client_configure_mail_alias

 - require_emergency_target_auth

 - require_singleuser_auth

+- root_permissions_syslibrary_files

 - rsyslog_cron_logging

 - rsyslog_remote_access_monitoring

 - rsyslog_remote_loghost

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile

index 9fd80aac727..97f940dc9ed 100644

--- a/tests/data/profile_stability/rhel8/stig_gui.profile

+++ b/tests/data/profile_stability/rhel8/stig_gui.profile

@@ -232,6 +232,7 @@ selections:

 - postfix_client_configure_mail_alias

 - require_emergency_target_auth

 - require_singleuser_auth

+- root_permissions_syslibrary_files

 - rsyslog_cron_logging

 - rsyslog_remote_access_monitoring

 - rsyslog_remote_loghost

From f16c085894e4dc7974637d44bf226d3acf19f3d1 Mon Sep 17 00:00:00 2001

From: Carlos Matos <cmatos@redhat.com>

Date: Mon, 12 Jul 2021 16:17:23 -0400

Subject: [PATCH 2/4] Updated existing rules for syslibrary files/dirs

---

 .../ansible/shared.yml                        |  6 ++-

 .../bash/shared.sh                            |  7 +++

 .../dir_group_ownership_library_dirs/rule.yml |  4 ++

 .../tests/all_dirs_ok.pass.sh                 |  3 +-

 .../nobody_group_owned_dir_on_lib.fail.sh     |  3 +-

 .../ansible/shared.yml                        | 23 ++++++++--

 .../oval/shared.xml                           | 44 ++++++-------------

 .../tests/correct_group.pass.sh               |  4 +-

 .../tests/incorrect_group.fail.sh             |  8 +---

 products/rhel8/profiles/stig.profile          |  1 +

 shared/references/cce-redhat-avail.txt        |  1 -

 .../data/profile_stability/rhel8/stig.profile |  1 +

 .../profile_stability/rhel8/stig_gui.profile  |  1 +

 13 files changed, 59 insertions(+), 47 deletions(-)

 create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml

index 80562991ac5..f6f2ab48afd 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml

@@ -1,4 +1,4 @@

-# platform = multi_platform_sle

+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

 # reboot = false

 # strategy = restrict

 # complexity = medium

@@ -20,4 +20,6 @@

     state: "directory"

     mode: "{{ item.mode }}"

   with_items: "{{ library_dirs_not_group_owned_by_root.files }}"

-  when: library_dirs_not_group_owned_by_root.matched > 0

+  when:

+    - library_dirs_not_group_owned_by_root.matched > 0

+    - item.gid != 0

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh

new file mode 100644

index 00000000000..365b9833188

--- /dev/null

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh

@@ -0,0 +1,7 @@

+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

+

+find /lib \

+/lib64 \

+/usr/lib \

+/usr/lib64 \

+\! -group root -type d -exec chgrp root '{}' \;

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml

index 4ff043270c8..cd02d95cb1c 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml

@@ -1,5 +1,7 @@

 documentation_complete: true

+prodtype: sle12,sle15,rhel8,fedora

+

 title: 'Verify that Shared Library Directories Have Root Group Ownership'

 description: |-

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh

index 2a38e9a88bc..50fdb17bd2e 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh

@@ -1,4 +1,5 @@

-# platform = multi_platform_sle

+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

+

 DIRS="/lib /lib64 /usr/lib /usr/lib64"

 for dirPath in $DIRS; do

 	find "$dirPath" -type d -exec chgrp root '{}' \;

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh

index f794d9e878f..277bd7d60de 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh

@@ -1,4 +1,5 @@

-# platform = multi_platform_sle

+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

+

 DIRS="/lib /lib64"

 for dirPath in $DIRS; do

 	mkdir -p "$dirPath/testme" && chown root:nogroup "$dirPath/testme"

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml

index e0bb6b0dc1a..ab3e85c4f7c 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml

@@ -4,7 +4,24 @@

 # complexity = high

 # disruption = medium

-- name: "Set ownership to root of system-wide library files"

-  command: "find {{ item }} ! -group root -type f -exec chgrp root '{}' \\;"

-  with_items: [ '/lib', '/lib64', '/usr/lib', '/usr/lib64' ]

+- name: "Read list libraries without root ownership"

+  find:

+    paths:

+      - "/usr/lib"

+      - "/usr/lib64"

+      - "/lib"

+      - "/lib64"

+    file_type: "file"

+  register: library_files_not_group_owned_by_root

+

+- name: "Set group ownership of system library files to root"

+  file:

+    path: "{{ item.path }}"

+    group: "root"

+    state: "file"

+    mode: "{{ item.mode }}"

+  with_items: "{{ library_files_not_group_owned_by_root.files }}"

+  when:

+    - library_files_not_group_owned_by_root.matched > 0

+    - item.gid != 0

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml

index e3d64a8390e..926ff70d1e4 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml

@@ -1,45 +1,27 @@

 <def-group>

-  <definition class="compliance" id="root_permissions_syslibrary_files" version="1">

+  <definition class="compliance" id="root_permissions_syslibrary_files" version="2">

     {{{ oval_metadata("

-        Checks that /lib, /lib64, /usr/lib, /usr/lib64, and

-        objects therein, are group-owned by root.

+        Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64

+        are owned by root.

       ") }}}

-    <criteria operator="AND">

-      <criterion test_ref="test_group_ownership_lib_dir" />

-      <criterion test_ref="test_group_ownership_lib_files" />

+    <criteria >

+      <criterion test_ref="test_root_permissions_for_syslibrary_files" />

     </criteria>

   </definition>

-  <unix:file_test  check="all" check_existence="none_exist" comment="library directories gid root" id="test_group_ownership_lib_dir" version="1">

-    <unix:object object_ref="object_group_ownership_lib_dir" />

+  <unix:file_test  check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">

+    <unix:object object_ref="root_permissions_for_system_wide_library_files" />

   </unix:file_test>

-  <unix:file_test  check="all" check_existence="none_exist" comment="library files gid root" id="test_group_ownership_lib_files" version="1">

-    <unix:object object_ref="object_group_ownership_lib_files" />

-  </unix:file_test>

-

-  <unix:file_object comment="library directories" id="object_group_ownership_lib_dir" version="1">

-    

-    <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>

-    <unix:filename xsi:nil="true" />

-    <filter action="include">state_group_ownership_libraries_not_root</filter>

-    <filter action="exclude">group_dir_perms_state_symlink</filter>

-  </unix:file_object>

-

-  <unix:file_object comment="library files" id="object_group_ownership_lib_files" version="1">

-    

-    <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>

+  <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">

+    

+        are owned by root. -->

+    <unix:path operation="pattern match">^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/</unix:path>

     <unix:filename operation="pattern match">^.*$</unix:filename>

-   <filter action="include">state_group_ownership_libraries_not_root</filter>

-   <filter action="exclude">group_dir_perms_state_symlink</filter>

+    <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>

   </unix:file_object>

-  <unix:file_state id="state_group_ownership_libraries_not_root" version="1">

+  <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >

     <unix:group_id datatype="int" operation="not equal">0</unix:group_id>

   </unix:file_state>

-

-  <unix:file_state id="group_dir_perms_state_symlink" version="1">

-    <unix:type operation="equals">symbolic link</unix:type>

-  </unix:file_state>

-

 </def-group>

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh

index 8722c2add65..a4ae2854db1 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh

@@ -1,9 +1,9 @@

-#!/bin/bash

+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

 for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64

 do

     if [[ -d $SYSLIBDIRS  ]]

     then

-        find $SYSLIBDIRS ! -group root -exec chgrp root '{}' \;

+        find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;

     fi

 done

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh

index 1079046d14e..c96f65b989c 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh

@@ -1,10 +1,6 @@

-#!/bin/bash

+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

-# There is a high probability that there will be nested subdirectories within the

-# shared system library directories, therefore we should test to make sure we

-# cover this. - cmm

-test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir

-for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me /usr/lib/test_dir/test_me

+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me

 do

    if [[ ! -f $TESTFILE ]]

    then

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index 9569b2ad629..059750f59d0 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -208,6 +208,7 @@ selections:

     # RHEL-08-010350

     - root_permissions_syslibrary_files

+    - dir_group_ownership_library_dirs

     # RHEL-08-010360

     - package_aide_installed

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index e0eb5ac045c..ae3375fd4d4 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -34,7 +34,6 @@ CCE-85890-2

 CCE-85891-0

 CCE-85892-8

 CCE-85893-6

-CCE-85894-4

 CCE-85895-1

 CCE-85896-9

 CCE-85897-7

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index ebe7a91f45d..49cce4d81cc 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -99,6 +99,7 @@ selections:

 - dconf_gnome_login_banner_text

 - dconf_gnome_screensaver_idle_delay

 - dconf_gnome_screensaver_lock_enabled

+- dir_group_ownership_library_dirs

 - dir_perms_world_writable_root_owned

 - dir_perms_world_writable_sticky_bits

 - directory_permissions_var_log_audit

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile

index 97f940dc9ed..943a57d3eb8 100644

--- a/tests/data/profile_stability/rhel8/stig_gui.profile

+++ b/tests/data/profile_stability/rhel8/stig_gui.profile

@@ -110,6 +110,7 @@ selections:

 - dconf_gnome_login_banner_text

 - dconf_gnome_screensaver_idle_delay

 - dconf_gnome_screensaver_lock_enabled

+- dir_group_ownership_library_dirs

 - dir_perms_world_writable_root_owned

 - dir_perms_world_writable_sticky_bits

 - directory_permissions_var_log_audit

From 71deac482753a13a9f98d6d7382b13e9031a2ce4 Mon Sep 17 00:00:00 2001

From: Carlos Matos <cmatos@redhat.com>

Date: Tue, 13 Jul 2021 13:40:25 -0400

Subject: [PATCH 3/4] Updated test for nobody_group_owned_dir rule

---

 .../tests/nobody_group_owned_dir_on_lib.fail.sh               | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh

index 277bd7d60de..043ad6b2dee 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh

@@ -1,6 +1,6 @@

 # platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

-DIRS="/lib /lib64"

+DIRS="/lib /lib64 /usr/lib /usr/lib64"

 for dirPath in $DIRS; do

-	mkdir -p "$dirPath/testme" && chown root:nogroup "$dirPath/testme"

+	mkdir -p "$dirPath/testme" && chgrp nobody "$dirPath/testme"

 done

From 087359679e4f6794054b6772df6c84c4cd1fee94 Mon Sep 17 00:00:00 2001

From: Carlos Matos <cmatos@redhat.com>

Date: Wed, 14 Jul 2021 10:04:25 -0400

Subject: [PATCH 4/4] Added recommended $ to end of regex pattern to properly

 match dirs

---

 .../root_permissions_syslibrary_files/oval/shared.xml           | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml

index 926ff70d1e4..f5ca9380b55 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml

@@ -16,7 +16,7 @@

   <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">

         are owned by root. -->

-    <unix:path operation="pattern match">^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/</unix:path>

+    <unix:path operation="pattern match">^\/lib(|64)?$|^\/usr\/lib(|64)?$</unix:path>

     <unix:filename operation="pattern match">^.*$</unix:filename>

     <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>

   </unix:file_object>