Blame SOURCES/scap-security-guide-0.1.58-rhel8_stig_08_010350-PR_7231.patch

76240a
From f7bb6fc32091ad9d10ec8253505086670eb135ba Mon Sep 17 00:00:00 2001
76240a
From: Carlos Matos <cmatos@redhat.com>
76240a
Date: Mon, 12 Jul 2021 10:06:41 -0400
76240a
Subject: [PATCH 1/4] Initial commit for RHEL-08-010350 STIG rule
76240a
76240a
---
76240a
 .../ansible/shared.yml                        |  2 +-
76240a
 .../bash/shared.sh                            |  2 +-
76240a
 .../oval/shared.xml                           | 44 +++++++++++++------
76240a
 .../rule.yml                                  | 26 ++++++-----
76240a
 .../tests/correct_group.pass.sh               |  2 +-
76240a
 .../tests/incorrect_group.fail.sh             |  8 +++-
76240a
 products/rhel8/profiles/stig.profile          |  1 +
76240a
 shared/references/cce-redhat-avail.txt        |  1 -
76240a
 .../data/profile_stability/rhel8/stig.profile |  1 +
76240a
 .../profile_stability/rhel8/stig_gui.profile  |  1 +
76240a
 10 files changed, 57 insertions(+), 31 deletions(-)
76240a
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
76240a
index f90c8e26b15..e0bb6b0dc1a 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
76240a
@@ -1,4 +1,4 @@
76240a
-# platform = multi_platform_sle
76240a
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
76240a
 # reboot = false
76240a
 # strategy = restrict
76240a
 # complexity = high
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
76240a
index fba25be6132..d5fb89487d5 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
76240a
@@ -1,4 +1,4 @@
76240a
-# platform = multi_platform_sle
76240a
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
76240a
 
76240a
 find /lib \
76240a
 /lib64 \
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
76240a
index 00f733ddc78..e3d64a8390e 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
76240a
@@ -1,27 +1,45 @@
76240a
 <def-group>
76240a
-  <definition class="compliance" id="root_permissions_syslibrary_files" version="2">
76240a
+  <definition class="compliance" id="root_permissions_syslibrary_files" version="1">
76240a
     {{{ oval_metadata("
76240a
-        Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
76240a
-        are owned by root.
76240a
+        Checks that /lib, /lib64, /usr/lib, /usr/lib64, and
76240a
+        objects therein, are group-owned by root.
76240a
       ") }}}
76240a
-    <criteria >
76240a
-      <criterion test_ref="test_root_permissions_for_syslibrary_files" />
76240a
+    <criteria operator="AND">
76240a
+      <criterion test_ref="test_group_ownership_lib_dir" />
76240a
+      <criterion test_ref="test_group_ownership_lib_files" />
76240a
     </criteria>
76240a
   </definition>
76240a
 
76240a
-  <unix:file_test  check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">
76240a
-    <unix:object object_ref="root_permissions_for_system_wide_library_files" />
76240a
+  <unix:file_test  check="all" check_existence="none_exist" comment="library directories gid root" id="test_group_ownership_lib_dir" version="1">
76240a
+    <unix:object object_ref="object_group_ownership_lib_dir" />
76240a
   </unix:file_test>
76240a
 
76240a
-  <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
76240a
-    
76240a
-        are owned by root. -->
76240a
-    <unix:path operation="pattern match">^\/lib(64)?|^\/usr\/lib(64)?</unix:path >    
76240a
+  <unix:file_test  check="all" check_existence="none_exist" comment="library files gid root" id="test_group_ownership_lib_files" version="1">
76240a
+    <unix:object object_ref="object_group_ownership_lib_files" />
76240a
+  </unix:file_test>
76240a
+
76240a
+  <unix:file_object comment="library directories" id="object_group_ownership_lib_dir" version="1">
76240a
+    
76240a
+    <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
76240a
+    <unix:filename xsi:nil="true" />
76240a
+    <filter action="include">state_group_ownership_libraries_not_root</filter>
76240a
+    <filter action="exclude">group_dir_perms_state_symlink</filter>
76240a
+  </unix:file_object>
76240a
+
76240a
+  <unix:file_object comment="library files" id="object_group_ownership_lib_files" version="1">
76240a
+    
76240a
+    <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
76240a
     <unix:filename operation="pattern match">^.*$</unix:filename>
76240a
-    <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
76240a
+   <filter action="include">state_group_ownership_libraries_not_root</filter>
76240a
+   <filter action="exclude">group_dir_perms_state_symlink</filter>
76240a
   </unix:file_object>
76240a
 
76240a
-  <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >
76240a
+  <unix:file_state id="state_group_ownership_libraries_not_root" version="1">
76240a
     <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
76240a
   </unix:file_state>
76240a
+
76240a
+  <unix:file_state id="group_dir_perms_state_symlink" version="1">
76240a
+    <unix:type operation="equals">symbolic link</unix:type>
76240a
+  </unix:file_state>
76240a
+
76240a
 </def-group>
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
76240a
index ff905dd08d..83371b8b9b 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
76240a
@@ -1,6 +1,6 @@
76240a
 documentation_complete: true
76240a
 
76240a
-prodtype: sle12,sle15
76240a
+prodtype: sle12,sle15,rhel8,fedora
76240a
 
76240a
 title: |-
76240a
     Verify the system-wide library files in directories
76240a
@@ -17,18 +17,18 @@ description: |-
76240a
     All system-wide shared library files should be protected from unauthorised
76240a
     access. If any of these files is not owned by root, correct its owner with
76240a
     the following command:
76240a
-    
$ sudo chgrp root DIR
76240a
+    
$ sudo chgrp root FILE
76240a
 
76240a
 rationale: |-
76240a
-  If the operating system were to allow any user to make changes to software libraries,
76240a
-  then those changes might be implemented without undergoing the appropriate testing and
76240a
-  approvals that are part of a robust change management process.
76240a
+    If the operating system were to allow any user to make changes to software libraries,
76240a
+    then those changes might be implemented without undergoing the appropriate testing and
76240a
+    approvals that are part of a robust change management process.
76240a
 
76240a
-  This requirement applies to operating systems with software libraries that are
76240a
-  accessible and configurable, as in the case of interpreted languages. Software libraries
76240a
-  also include privileged programs which execute with escalated privileges. Only qualified
76240a
-  and authorized individuals must be allowed to obtain access to information system components
76240a
-  for purposes of initiating changes, including upgrades and modifications.
76240a
+    This requirement applies to operating systems with software libraries that are
76240a
+    accessible and configurable, as in the case of interpreted languages. Software libraries
76240a
+    also include privileged programs which execute with escalated privileges. Only qualified
76240a
+    and authorized individuals must be allowed to obtain access to information system components
76240a
+    for purposes of initiating changes, including upgrades and modifications.
76240a
 
76240a
 severity: medium
76240a
 
76240a
@@ -45,7 +45,7 @@ references:
76240a
     stigid@sle12: SLES-12-010875
76240a
     stigid@sle15: SLES-15-010355
76240a
 
76240a
-ocil_clause: 'any system wide library directory is returned'
76240a
+ocil_clause: 'system wide library files are not group owned by root'
76240a
 
76240a
 ocil: |-
76240a
     System-wide library files are stored in the following directories:
76240a
@@ -54,6 +54,6 @@ ocil: |-
76240a
     /usr/lib
76240a
     /usr/lib64
76240a
     
76240a
-    To find if system-wide library files stored in these directories are group-owned by
76240a
+    To find if system-wide library files stored in these directories are not group-owned by
76240a
     root run the following command for each directory DIR:
76240a
     
$ sudo find -L DIR ! -group root -type f 
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
76240a
index 7a8e65b4f3a..8722c2add65 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
76240a
@@ -4,6 +4,6 @@ for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
76240a
 do
76240a
     if [[ -d $SYSLIBDIRS  ]]
76240a
     then
76240a
-        find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;
76240a
+        find $SYSLIBDIRS ! -group root -exec chgrp root '{}' \;
76240a
     fi
76240a
 done
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
76240a
index a4b99a9da14..1079046d14e 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
76240a
@@ -1,6 +1,10 @@
76240a
 #!/bin/bash
76240a
-  
76240a
-for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
76240a
+
76240a
+# There is a high probability that there will be nested subdirectories within the
76240a
+# shared system library directories, therefore we should test to make sure we
76240a
+# cover this. - cmm
76240a
+test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir
76240a
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me /usr/lib/test_dir/test_me
76240a
 do
76240a
    if [[ ! -f $TESTFILE ]]
76240a
    then
76240a
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
76240a
index 2508008d511..9569b2ad629 100644
76240a
--- a/products/rhel8/profiles/stig.profile
76240a
+++ b/products/rhel8/profiles/stig.profile
76240a
@@ -207,6 +207,7 @@ selections:
76240a
     - file_ownership_library_dirs
76240a
 
76240a
     # RHEL-08-010350
76240a
+    - root_permissions_syslibrary_files
76240a
 
76240a
     # RHEL-08-010360
76240a
     - package_aide_installed
76240a
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
76240a
index f139d2ed76f..e0eb5ac045c 100644
76240a
--- a/shared/references/cce-redhat-avail.txt
76240a
+++ b/shared/references/cce-redhat-avail.txt
76240a
@@ -662,7 +662,6 @@ CCE-86518-8
76240a
 CCE-86520-4
76240a
 CCE-86521-2
76240a
 CCE-86522-0
76240a
-CCE-86523-8
76240a
 CCE-86524-6
76240a
 CCE-86525-3
76240a
 CCE-86526-1
76240a
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
76240a
index 765487c6f16..ebe7a91f45d 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig.profile
76240a
@@ -221,6 +221,7 @@ selections:
76240a
 - postfix_client_configure_mail_alias
76240a
 - require_emergency_target_auth
76240a
 - require_singleuser_auth
76240a
+- root_permissions_syslibrary_files
76240a
 - rsyslog_cron_logging
76240a
 - rsyslog_remote_access_monitoring
76240a
 - rsyslog_remote_loghost
76240a
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
index 9fd80aac727..97f940dc9ed 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
@@ -232,6 +232,7 @@ selections:
76240a
 - postfix_client_configure_mail_alias
76240a
 - require_emergency_target_auth
76240a
 - require_singleuser_auth
76240a
+- root_permissions_syslibrary_files
76240a
 - rsyslog_cron_logging
76240a
 - rsyslog_remote_access_monitoring
76240a
 - rsyslog_remote_loghost
76240a
76240a
From f16c085894e4dc7974637d44bf226d3acf19f3d1 Mon Sep 17 00:00:00 2001
76240a
From: Carlos Matos <cmatos@redhat.com>
76240a
Date: Mon, 12 Jul 2021 16:17:23 -0400
76240a
Subject: [PATCH 2/4] Updated existing rules for syslibrary files/dirs
76240a
76240a
---
76240a
 .../ansible/shared.yml                        |  6 ++-
76240a
 .../bash/shared.sh                            |  7 +++
76240a
 .../dir_group_ownership_library_dirs/rule.yml |  4 ++
76240a
 .../tests/all_dirs_ok.pass.sh                 |  3 +-
76240a
 .../nobody_group_owned_dir_on_lib.fail.sh     |  3 +-
76240a
 .../ansible/shared.yml                        | 23 ++++++++--
76240a
 .../oval/shared.xml                           | 44 ++++++-------------
76240a
 .../tests/correct_group.pass.sh               |  4 +-
76240a
 .../tests/incorrect_group.fail.sh             |  8 +---
76240a
 products/rhel8/profiles/stig.profile          |  1 +
76240a
 shared/references/cce-redhat-avail.txt        |  1 -
76240a
 .../data/profile_stability/rhel8/stig.profile |  1 +
76240a
 .../profile_stability/rhel8/stig_gui.profile  |  1 +
76240a
 13 files changed, 59 insertions(+), 47 deletions(-)
76240a
 create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
76240a
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
76240a
index 80562991ac5..f6f2ab48afd 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
76240a
@@ -1,4 +1,4 @@
76240a
-# platform = multi_platform_sle
76240a
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
76240a
 # reboot = false
76240a
 # strategy = restrict
76240a
 # complexity = medium
76240a
@@ -20,4 +20,6 @@
76240a
     state: "directory"
76240a
     mode: "{{ item.mode }}"
76240a
   with_items: "{{ library_dirs_not_group_owned_by_root.files }}"
76240a
-  when: library_dirs_not_group_owned_by_root.matched > 0
76240a
+  when:
76240a
+    - library_dirs_not_group_owned_by_root.matched > 0
76240a
+    - item.gid != 0
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
76240a
new file mode 100644
76240a
index 00000000000..365b9833188
76240a
--- /dev/null
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
76240a
@@ -0,0 +1,7 @@
76240a
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
76240a
+
76240a
+find /lib \
76240a
+/lib64 \
76240a
+/usr/lib \
76240a
+/usr/lib64 \
76240a
+\! -group root -type d -exec chgrp root '{}' \;
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
76240a
index 4ff043270c8..cd02d95cb1c 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
76240a
@@ -1,5 +1,7 @@
76240a
 documentation_complete: true
76240a
 
76240a
+prodtype: sle12,sle15,rhel8,fedora
76240a
+
76240a
 title: 'Verify that Shared Library Directories Have Root Group Ownership'
76240a
 
76240a
 description: |-
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
76240a
index 2a38e9a88bc..50fdb17bd2e 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
76240a
@@ -1,4 +1,5 @@
76240a
-# platform = multi_platform_sle
76240a
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
76240a
+
76240a
 DIRS="/lib /lib64 /usr/lib /usr/lib64"
76240a
 for dirPath in $DIRS; do
76240a
 	find "$dirPath" -type d -exec chgrp root '{}' \;
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
76240a
index f794d9e878f..277bd7d60de 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
76240a
@@ -1,4 +1,5 @@
76240a
-# platform = multi_platform_sle
76240a
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
76240a
+
76240a
 DIRS="/lib /lib64"
76240a
 for dirPath in $DIRS; do
76240a
 	mkdir -p "$dirPath/testme" && chown root:nogroup "$dirPath/testme"
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
76240a
index e0bb6b0dc1a..ab3e85c4f7c 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
76240a
@@ -4,7 +4,24 @@
76240a
 # complexity = high
76240a
 # disruption = medium
76240a
 
76240a
-- name: "Set ownership to root of system-wide library files"
76240a
-  command: "find {{ item }} ! -group root -type f -exec chgrp root '{}' \\;"
76240a
-  with_items: [ '/lib', '/lib64', '/usr/lib', '/usr/lib64' ]
76240a
+- name: "Read list libraries without root ownership"
76240a
+  find:
76240a
+    paths:
76240a
+      - "/usr/lib"
76240a
+      - "/usr/lib64"
76240a
+      - "/lib"
76240a
+      - "/lib64"
76240a
+    file_type: "file"
76240a
+  register: library_files_not_group_owned_by_root
76240a
+
76240a
+- name: "Set group ownership of system library files to root"
76240a
+  file:
76240a
+    path: "{{ item.path }}"
76240a
+    group: "root"
76240a
+    state: "file"
76240a
+    mode: "{{ item.mode }}"
76240a
+  with_items: "{{ library_files_not_group_owned_by_root.files }}"
76240a
+  when:
76240a
+    - library_files_not_group_owned_by_root.matched > 0
76240a
+    - item.gid != 0
76240a
 
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
76240a
index e3d64a8390e..926ff70d1e4 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
76240a
@@ -1,45 +1,27 @@
76240a
 <def-group>
76240a
-  <definition class="compliance" id="root_permissions_syslibrary_files" version="1">
76240a
+  <definition class="compliance" id="root_permissions_syslibrary_files" version="2">
76240a
     {{{ oval_metadata("
76240a
-        Checks that /lib, /lib64, /usr/lib, /usr/lib64, and
76240a
-        objects therein, are group-owned by root.
76240a
+        Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
76240a
+        are owned by root.
76240a
       ") }}}
76240a
-    <criteria operator="AND">
76240a
-      <criterion test_ref="test_group_ownership_lib_dir" />
76240a
-      <criterion test_ref="test_group_ownership_lib_files" />
76240a
+    <criteria >
76240a
+      <criterion test_ref="test_root_permissions_for_syslibrary_files" />
76240a
     </criteria>
76240a
   </definition>
76240a
 
76240a
-  <unix:file_test  check="all" check_existence="none_exist" comment="library directories gid root" id="test_group_ownership_lib_dir" version="1">
76240a
-    <unix:object object_ref="object_group_ownership_lib_dir" />
76240a
+  <unix:file_test  check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">
76240a
+    <unix:object object_ref="root_permissions_for_system_wide_library_files" />
76240a
   </unix:file_test>
76240a
 
76240a
-  <unix:file_test  check="all" check_existence="none_exist" comment="library files gid root" id="test_group_ownership_lib_files" version="1">
76240a
-    <unix:object object_ref="object_group_ownership_lib_files" />
76240a
-  </unix:file_test>
76240a
-
76240a
-  <unix:file_object comment="library directories" id="object_group_ownership_lib_dir" version="1">
76240a
-    
76240a
-    <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
76240a
-    <unix:filename xsi:nil="true" />
76240a
-    <filter action="include">state_group_ownership_libraries_not_root</filter>
76240a
-    <filter action="exclude">group_dir_perms_state_symlink</filter>
76240a
-  </unix:file_object>
76240a
-
76240a
-  <unix:file_object comment="library files" id="object_group_ownership_lib_files" version="1">
76240a
-    
76240a
-    <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
76240a
+  <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
76240a
+    
76240a
+        are owned by root. -->
76240a
+    <unix:path operation="pattern match">^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/</unix:path>
76240a
     <unix:filename operation="pattern match">^.*$</unix:filename>
76240a
-   <filter action="include">state_group_ownership_libraries_not_root</filter>
76240a
-   <filter action="exclude">group_dir_perms_state_symlink</filter>
76240a
+    <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
76240a
   </unix:file_object>
76240a
 
76240a
-  <unix:file_state id="state_group_ownership_libraries_not_root" version="1">
76240a
+  <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >
76240a
     <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
76240a
   </unix:file_state>
76240a
-
76240a
-  <unix:file_state id="group_dir_perms_state_symlink" version="1">
76240a
-    <unix:type operation="equals">symbolic link</unix:type>
76240a
-  </unix:file_state>
76240a
-
76240a
 </def-group>
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
76240a
index 8722c2add65..a4ae2854db1 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
76240a
@@ -1,9 +1,9 @@
76240a
-#!/bin/bash
76240a
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
76240a
 
76240a
 for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
76240a
 do
76240a
     if [[ -d $SYSLIBDIRS  ]]
76240a
     then
76240a
-        find $SYSLIBDIRS ! -group root -exec chgrp root '{}' \;
76240a
+        find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;
76240a
     fi
76240a
 done
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
76240a
index 1079046d14e..c96f65b989c 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
76240a
@@ -1,10 +1,6 @@
76240a
-#!/bin/bash
76240a
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
76240a
 
76240a
-# There is a high probability that there will be nested subdirectories within the
76240a
-# shared system library directories, therefore we should test to make sure we
76240a
-# cover this. - cmm
76240a
-test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir
76240a
-for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me /usr/lib/test_dir/test_me
76240a
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
76240a
 do
76240a
    if [[ ! -f $TESTFILE ]]
76240a
    then
76240a
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
76240a
index 9569b2ad629..059750f59d0 100644
76240a
--- a/products/rhel8/profiles/stig.profile
76240a
+++ b/products/rhel8/profiles/stig.profile
76240a
@@ -208,6 +208,7 @@ selections:
76240a
 
76240a
     # RHEL-08-010350
76240a
     - root_permissions_syslibrary_files
76240a
+    - dir_group_ownership_library_dirs
76240a
 
76240a
     # RHEL-08-010360
76240a
     - package_aide_installed
76240a
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
76240a
index e0eb5ac045c..ae3375fd4d4 100644
76240a
--- a/shared/references/cce-redhat-avail.txt
76240a
+++ b/shared/references/cce-redhat-avail.txt
76240a
@@ -34,7 +34,6 @@ CCE-85890-2
76240a
 CCE-85891-0
76240a
 CCE-85892-8
76240a
 CCE-85893-6
76240a
-CCE-85894-4
76240a
 CCE-85895-1
76240a
 CCE-85896-9
76240a
 CCE-85897-7
76240a
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
76240a
index ebe7a91f45d..49cce4d81cc 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig.profile
76240a
@@ -99,6 +99,7 @@ selections:
76240a
 - dconf_gnome_login_banner_text
76240a
 - dconf_gnome_screensaver_idle_delay
76240a
 - dconf_gnome_screensaver_lock_enabled
76240a
+- dir_group_ownership_library_dirs
76240a
 - dir_perms_world_writable_root_owned
76240a
 - dir_perms_world_writable_sticky_bits
76240a
 - directory_permissions_var_log_audit
76240a
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
index 97f940dc9ed..943a57d3eb8 100644
76240a
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
76240a
@@ -110,6 +110,7 @@ selections:
76240a
 - dconf_gnome_login_banner_text
76240a
 - dconf_gnome_screensaver_idle_delay
76240a
 - dconf_gnome_screensaver_lock_enabled
76240a
+- dir_group_ownership_library_dirs
76240a
 - dir_perms_world_writable_root_owned
76240a
 - dir_perms_world_writable_sticky_bits
76240a
 - directory_permissions_var_log_audit
76240a
76240a
From 71deac482753a13a9f98d6d7382b13e9031a2ce4 Mon Sep 17 00:00:00 2001
76240a
From: Carlos Matos <cmatos@redhat.com>
76240a
Date: Tue, 13 Jul 2021 13:40:25 -0400
76240a
Subject: [PATCH 3/4] Updated test for nobody_group_owned_dir rule
76240a
76240a
---
76240a
 .../tests/nobody_group_owned_dir_on_lib.fail.sh               | 4 ++--
76240a
 1 file changed, 2 insertions(+), 2 deletions(-)
76240a
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
76240a
index 277bd7d60de..043ad6b2dee 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
76240a
@@ -1,6 +1,6 @@
76240a
 # platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
76240a
 
76240a
-DIRS="/lib /lib64"
76240a
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
76240a
 for dirPath in $DIRS; do
76240a
-	mkdir -p "$dirPath/testme" && chown root:nogroup "$dirPath/testme"
76240a
+	mkdir -p "$dirPath/testme" && chgrp nobody "$dirPath/testme"
76240a
 done
76240a
76240a
From 087359679e4f6794054b6772df6c84c4cd1fee94 Mon Sep 17 00:00:00 2001
76240a
From: Carlos Matos <cmatos@redhat.com>
76240a
Date: Wed, 14 Jul 2021 10:04:25 -0400
76240a
Subject: [PATCH 4/4] Added recommended $ to end of regex pattern to properly
76240a
 match dirs
76240a
76240a
---
76240a
 .../root_permissions_syslibrary_files/oval/shared.xml           | 2 +-
76240a
 1 file changed, 1 insertion(+), 1 deletion(-)
76240a
76240a
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
76240a
index 926ff70d1e4..f5ca9380b55 100644
76240a
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
76240a
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
76240a
@@ -16,7 +16,7 @@
76240a
   <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
76240a
     
76240a
         are owned by root. -->
76240a
-    <unix:path operation="pattern match">^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/</unix:path>
76240a
+    <unix:path operation="pattern match">^\/lib(|64)?$|^\/usr\/lib(|64)?$</unix:path>
76240a
     <unix:filename operation="pattern match">^.*$</unix:filename>
76240a
     <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
76240a
   </unix:file_object>