From f7bb6fc32091ad9d10ec8253505086670eb135ba Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Mon, 12 Jul 2021 10:06:41 -0400
Subject: [PATCH 1/4] Initial commit for RHEL-08-010350 STIG rule
---
.../ansible/shared.yml | 2 +-
.../bash/shared.sh | 2 +-
.../oval/shared.xml | 44 +++++++++++++------
.../rule.yml | 26 ++++++-----
.../tests/correct_group.pass.sh | 2 +-
.../tests/incorrect_group.fail.sh | 8 +++-
products/rhel8/profiles/stig.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
.../data/profile_stability/rhel8/stig.profile | 1 +
.../profile_stability/rhel8/stig_gui.profile | 1 +
10 files changed, 57 insertions(+), 31 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
|
|
|
76240a |
index f90c8e26b15..e0bb6b0dc1a 100644
|
|
|
76240a |
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
|
|
|
76240a |
@@ -1,4 +1,4 @@
|
|
|
76240a |
-# platform = multi_platform_sle
|
|
|
76240a |
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
76240a |
# reboot = false
|
|
|
76240a |
# strategy = restrict
|
|
|
76240a |
# complexity = high
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
|
|
|
76240a |
index fba25be6132..d5fb89487d5 100644
|
|
|
76240a |
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
|
|
|
76240a |
@@ -1,4 +1,4 @@
|
|
|
76240a |
-# platform = multi_platform_sle
|
|
|
76240a |
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
76240a |
|
|
|
76240a |
find /lib \
|
|
|
76240a |
/lib64 \
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
|
|
|
76240a |
index 00f733ddc78..e3d64a8390e 100644
|
|
|
76240a |
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
|
|
|
76240a |
@@ -1,27 +1,45 @@
|
|
|
76240a |
<def-group>
|
|
|
76240a |
- <definition class="compliance" id="root_permissions_syslibrary_files" version="2">
|
|
|
76240a |
+ <definition class="compliance" id="root_permissions_syslibrary_files" version="1">
|
|
|
76240a |
{{{ oval_metadata("
|
|
|
76240a |
- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
|
|
|
76240a |
- are owned by root.
|
|
|
76240a |
+ Checks that /lib, /lib64, /usr/lib, /usr/lib64, and
|
|
|
76240a |
+ objects therein, are group-owned by root.
|
|
|
76240a |
") }}}
|
|
|
76240a |
- <criteria >
|
|
|
76240a |
- <criterion test_ref="test_root_permissions_for_syslibrary_files" />
|
|
|
76240a |
+ <criteria operator="AND">
|
|
|
76240a |
+ <criterion test_ref="test_group_ownership_lib_dir" />
|
|
|
76240a |
+ <criterion test_ref="test_group_ownership_lib_files" />
|
|
|
76240a |
</criteria>
|
|
|
76240a |
</definition>
|
|
|
76240a |
|
|
|
76240a |
- <unix:file_test check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">
|
|
|
76240a |
- <unix:object object_ref="root_permissions_for_system_wide_library_files" />
|
|
|
76240a |
+ <unix:file_test check="all" check_existence="none_exist" comment="library directories gid root" id="test_group_ownership_lib_dir" version="1">
|
|
|
76240a |
+ <unix:object object_ref="object_group_ownership_lib_dir" />
|
|
|
76240a |
</unix:file_test>
|
|
|
76240a |
|
|
|
76240a |
- <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
|
|
|
76240a |
-
|
|
|
76240a |
- are owned by root. -->
|
|
|
76240a |
- <unix:path operation="pattern match">^\/lib(64)?|^\/usr\/lib(64)?</unix:path >
|
|
|
76240a |
+ <unix:file_test check="all" check_existence="none_exist" comment="library files gid root" id="test_group_ownership_lib_files" version="1">
|
|
|
76240a |
+ <unix:object object_ref="object_group_ownership_lib_files" />
|
|
|
76240a |
+ </unix:file_test>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_object comment="library directories" id="object_group_ownership_lib_dir" version="1">
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
|
|
|
76240a |
+ <unix:filename xsi:nil="true" />
|
|
|
76240a |
+ <filter action="include">state_group_ownership_libraries_not_root</filter>
|
|
|
76240a |
+ <filter action="exclude">group_dir_perms_state_symlink</filter>
|
|
|
76240a |
+ </unix:file_object>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_object comment="library files" id="object_group_ownership_lib_files" version="1">
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
|
|
|
76240a |
<unix:filename operation="pattern match">^.*$</unix:filename>
|
|
|
76240a |
- <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
|
|
|
76240a |
+ <filter action="include">state_group_ownership_libraries_not_root</filter>
|
|
|
76240a |
+ <filter action="exclude">group_dir_perms_state_symlink</filter>
|
|
|
76240a |
</unix:file_object>
|
|
|
76240a |
|
|
|
76240a |
- <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >
|
|
|
76240a |
+ <unix:file_state id="state_group_ownership_libraries_not_root" version="1">
|
|
|
76240a |
<unix:group_id datatype="int" operation="not equal">0</unix:group_id>
|
|
|
76240a |
</unix:file_state>
|
|
|
76240a |
+
|
|
|
76240a |
+ <unix:file_state id="group_dir_perms_state_symlink" version="1">
|
|
|
76240a |
+ <unix:type operation="equals">symbolic link</unix:type>
|
|
|
76240a |
+ </unix:file_state>
|
|
|
76240a |
+
|
|
|
76240a |
</def-group>
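Review bot: The path pattern `^\/lib(|64)?\/|^\/usr\/lib(|64)?\/` on the two new file_objects only matches directory paths that carry a trailing slash, so if the probe compares it against a directory path such as `/usr/lib64` (no trailing slash) the four top-level library directories and the files directly inside them are never evaluated — and `incorrect_group.fail.sh` in this patch creates its test files exactly there, so that test should settle which way the probe behaves. The `(|64)?` group is also redundant: an empty alternative inside an already optional group is just `(64)?`. A pattern that covers both the directory itself and its subtree would be `^\/lib(64)?(\/.*)?$|^\/usr\/lib(64)?(\/.*)?$` on both objects. PATCH 2/4 rewrites this line but keeps the trailing-slash form, so the same question applies there.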
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
|
|
76240a |
index ff905dd08d..83371b8b9b 100644
|
|
|
76240a |
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
|
|
|
76240a |
@@ -1,6 +1,6 @@
|
|
|
76240a |
documentation_complete: true
|
|
|
76240a |
|
|
|
76240a |
-prodtype: sle12,sle15
|
|
|
76240a |
+prodtype: sle12,sle15,rhel8,fedora
|
|
|
76240a |
|
|
|
76240a |
title: |-
|
|
|
76240a |
Verify the system-wide library files in directories
|
|
|
76240a |
@@ -17,18 +17,18 @@ description: |-
|
|
|
76240a |
All system-wide shared library files should be protected from unauthorised
|
|
|
76240a |
access. If any of these files is not owned by root, correct its owner with
|
|
|
76240a |
the following command:
|
|
|
76240a |
- $ sudo chgrp root DIR
|
|
|
76240a |
+ $ sudo chgrp root FILE
|
|
|
76240a |
|
|
|
76240a |
rationale: |-
|
|
|
76240a |
- If the operating system were to allow any user to make changes to software libraries,
|
|
|
76240a |
- then those changes might be implemented without undergoing the appropriate testing and
|
|
|
76240a |
- approvals that are part of a robust change management process.
|
|
|
76240a |
+ If the operating system were to allow any user to make changes to software libraries,
|
|
|
76240a |
+ then those changes might be implemented without undergoing the appropriate testing and
|
|
|
76240a |
+ approvals that are part of a robust change management process.
|
|
|
76240a |
|
|
|
76240a |
- This requirement applies to operating systems with software libraries that are
|
|
|
76240a |
- accessible and configurable, as in the case of interpreted languages. Software libraries
|
|
|
76240a |
- also include privileged programs which execute with escalated privileges. Only qualified
|
|
|
76240a |
- and authorized individuals must be allowed to obtain access to information system components
|
|
|
76240a |
- for purposes of initiating changes, including upgrades and modifications.
|
|
|
76240a |
+ This requirement applies to operating systems with software libraries that are
|
|
|
76240a |
+ accessible and configurable, as in the case of interpreted languages. Software libraries
|
|
|
76240a |
+ also include privileged programs which execute with escalated privileges. Only qualified
|
|
|
76240a |
+ and authorized individuals must be allowed to obtain access to information system components
|
|
|
76240a |
+ for purposes of initiating changes, including upgrades and modifications.
|
|
|
76240a |
|
|
|
76240a |
severity: medium
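Review bot: The description still says "not owned by root, correct its owner" while the command on the next line is `chgrp` and the OVAL in this patch tests `group_id`, so the prose and the check disagree about what is being verified. Suggest `access. If any of these files is not group-owned by root, correct its group with` so the wording matches `$ sudo chgrp root FILE` and the new `ocil_clause`. The title at the top of the file is cut off by the first hunk and probably needs the same adjustment.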
|
|
|
76240a |
|
|
|
76240a |
@@ -45,7 +45,7 @@ references:
|
|
|
76240a |
stigid@sle12: SLES-12-010875
|
|
|
76240a |
stigid@sle15: SLES-15-010355
|
|
|
76240a |
|
|
|
76240a |
-ocil_clause: 'any system wide library directory is returned'
|
|
|
76240a |
+ocil_clause: 'system wide library files are not group owned by root'
|
|
|
76240a |
|
|
|
76240a |
ocil: |-
|
|
|
76240a |
System-wide library files are stored in the following directories:
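Review bot: The references block in this hunk still carries only `stigid@sle12` and `stigid@sle15`, while `products/rhel8/profiles/stig.profile` in this patch selects the rule under `# RHEL-08-010350` and `cce-redhat-avail.txt` gives up CCE-86523-8. If those identifiers are added in a part of this file not shown here, fine; otherwise the rule needs `stigid@rhel8: RHEL-08-010350` and a `cce@rhel8:` entry for the consumed CCE so the STIG mapping and CCE tracking stay consistent.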
|
|
|
76240a |
@@ -54,6 +54,6 @@ ocil: |-
|
|
|
76240a |
/usr/lib
|
|
|
76240a |
/usr/lib64
|
|
|
76240a |
|
|
|
76240a |
- To find if system-wide library files stored in these directories are group-owned by
|
|
|
76240a |
+ To find if system-wide library files stored in these directories are not group-owned by
|
|
|
76240a |
root run the following command for each directory DIR:
|
|
|
76240a |
$ sudo find -L DIR ! -group root -type f
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
|
|
|
76240a |
index 7a8e65b4f3a..8722c2add65 100644
|
|
|
76240a |
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
|
|
|
76240a |
@@ -4,6 +4,6 @@ for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
|
|
|
76240a |
do
|
|
|
76240a |
if [[ -d $SYSLIBDIRS ]]
|
|
|
76240a |
then
|
|
|
76240a |
- find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;
|
|
|
76240a |
+ find $SYSLIBDIRS ! -group root -exec chgrp root '{}' \;
|
|
|
76240a |
fi
|
|
|
76240a |
done
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
|
|
|
76240a |
index a4b99a9da14..1079046d14e 100644
|
|
|
76240a |
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
|
|
|
76240a |
@@ -1,6 +1,10 @@
|
|
|
76240a |
#!/bin/bash
|
|
|
76240a |
-
|
|
|
76240a |
-for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
|
|
|
76240a |
+
|
|
|
76240a |
+# There is a high probability that there will be nested subdirectories within the
|
|
|
76240a |
+# shared system library directories, therefore we should test to make sure we
|
|
|
76240a |
+# cover this. - cmm
|
|
|
76240a |
+test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir
|
|
|
76240a |
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me /usr/lib/test_dir/test_me
|
|
|
76240a |
do
|
|
|
76240a |
if [[ ! -f $TESTFILE ]]
|
|
|
76240a |
then
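Review bot: `test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir` is parsed as `(test -d … || mkdir -p …) && chown …` because `||` and `&&` have equal precedence in bash; that happens to run chown in every case, but the `test -d` guard is then meaningless since `mkdir -p` already tolerates an existing directory. `mkdir -p /usr/lib/test_dir && chown nobody:nobody /usr/lib/test_dir` says the same thing without the ambiguity and uses the `user:group` form rather than the deprecated dot separator. The loop body that creates and chgrps the test files lies outside this hunk.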
|
|
|
76240a |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
76240a |
index 2508008d511..9569b2ad629 100644
|
|
|
76240a |
--- a/products/rhel8/profiles/stig.profile
|
|
|
76240a |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
76240a |
@@ -207,6 +207,7 @@ selections:
|
|
|
76240a |
- file_ownership_library_dirs
|
|
|
76240a |
|
|
|
76240a |
# RHEL-08-010350
|
|
|
76240a |
+ - root_permissions_syslibrary_files
|
|
|
76240a |
|
|
|
76240a |
# RHEL-08-010360
|
|
|
76240a |
- package_aide_installed
|
|
|
76240a |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
index f139d2ed76f..e0eb5ac045c 100644
|
|
|
76240a |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
@@ -662,7 +662,6 @@ CCE-86518-8
|
|
|
76240a |
CCE-86520-4
|
|
|
76240a |
CCE-86521-2
|
|
|
76240a |
CCE-86522-0
|
|
|
76240a |
-CCE-86523-8
|
|
|
76240a |
CCE-86524-6
|
|
|
76240a |
CCE-86525-3
|
|
|
76240a |
CCE-86526-1
|
|
|
76240a |
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
index 765487c6f16..ebe7a91f45d 100644
|
|
|
76240a |
--- a/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
+++ b/tests/data/profile_stability/rhel8/stig.profile
|
|
|
76240a |
@@ -221,6 +221,7 @@ selections:
|
|
|
76240a |
- postfix_client_configure_mail_alias
|
|
|
76240a |
- require_emergency_target_auth
|
|
|
76240a |
- require_singleuser_auth
|
|
|
76240a |
+- root_permissions_syslibrary_files
|
|
|
76240a |
- rsyslog_cron_logging
|
|
|
76240a |
- rsyslog_remote_access_monitoring
|
|
|
76240a |
- rsyslog_remote_loghost
|
|
|
76240a |
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
index 9fd80aac727..97f940dc9ed 100644
|
|
|
76240a |
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
|
|
|
76240a |
@@ -232,6 +232,7 @@ selections:
|
|
|
76240a |
- postfix_client_configure_mail_alias
|
|
|
76240a |
- require_emergency_target_auth
|
|
|
76240a |
- require_singleuser_auth
|
|
|
76240a |
+- root_permissions_syslibrary_files
|
|
|
76240a |
- rsyslog_cron_logging
|
|
|
76240a |
- rsyslog_remote_access_monitoring
|
|
|
76240a |
- rsyslog_remote_loghost
|
|
|
76240a |
From f16c085894e4dc7974637d44bf226d3acf19f3d1 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Mon, 12 Jul 2021 16:17:23 -0400
Subject: [PATCH 2/4] Updated existing rules for syslibrary files/dirs
---
.../ansible/shared.yml | 6 ++-
.../bash/shared.sh | 7 +++
.../dir_group_ownership_library_dirs/rule.yml | 4 ++
.../tests/all_dirs_ok.pass.sh | 3 +-
.../nobody_group_owned_dir_on_lib.fail.sh | 3 +-
.../ansible/shared.yml | 23 ++++++++--
.../oval/shared.xml | 44 ++++++-------------
.../tests/correct_group.pass.sh | 4 +-
.../tests/incorrect_group.fail.sh | 8 +---
products/rhel8/profiles/stig.profile | 1 +
shared/references/cce-redhat-avail.txt | 1 -
.../data/profile_stability/rhel8/stig.profile | 1 +
.../profile_stability/rhel8/stig_gui.profile | 1 +
13 files changed, 59 insertions(+), 47 deletions(-)
create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
|
|
|
76240a |
index 80562991ac5..f6f2ab48afd 100644
|
|
|
76240a |
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
|
|
|
76240a |
@@ -1,4 +1,4 @@
|
|
|
76240a |
-# platform = multi_platform_sle
|
|
|
76240a |
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
76240a |
# reboot = false
|
|
|
76240a |
# strategy = restrict
|
|
|
76240a |
# complexity = medium
|
|
|
76240a |
@@ -20,4 +20,6 @@
|
|
|
76240a |
state: "directory"
|
|
|
76240a |
mode: "{{ item.mode }}"
|
|
|
76240a |
with_items: "{{ library_dirs_not_group_owned_by_root.files }}"
|
|
|
76240a |
- when: library_dirs_not_group_owned_by_root.matched > 0
|
|
|
76240a |
+ when:
|
|
|
76240a |
+ - library_dirs_not_group_owned_by_root.matched > 0
|
|
|
76240a |
+ - item.gid != 0
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
|
|
|
76240a |
new file mode 100644
|
|
|
76240a |
index 00000000000..365b9833188
|
|
|
76240a |
--- /dev/null
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
|
|
|
76240a |
@@ -0,0 +1,7 @@
|
|
|
76240a |
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
76240a |
+
|
|
|
76240a |
+find /lib \
|
|
|
76240a |
+/lib64 \
|
|
|
76240a |
+/usr/lib \
|
|
|
76240a |
+/usr/lib64 \
|
|
|
76240a |
+\! -group root -type d -exec chgrp root '{}' \;
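Review bot: The new remediation hands all four directories to a single `find` invocation, so on a platform where one of them is absent `find` prints an error for that path and exits non-zero even though the remaining paths were processed; the sibling `correct_group.pass.sh` test guards each directory with `[[ -d … ]]` before calling `find`, and the remediation would be more robust doing the same. The `-exec chgrp root '{}' \;` form also forks one `chgrp` per directory, where `-exec … '{}' +` batches the arguments. Whether a missing library directory actually occurs on the supported platforms I cannot tell from here, so treat the guard as defensive.
```shell
for dir in /lib /lib64 /usr/lib /usr/lib64; do
  if [[ -d "$dir" ]]; then
    find "$dir" \! -group root -type d -exec chgrp root '{}' +
  fi
done
```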
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
|
|
|
76240a |
index 4ff043270c8..cd02d95cb1c 100644
|
|
|
76240a |
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
|
|
|
76240a |
@@ -1,5 +1,7 @@
|
|
|
76240a |
documentation_complete: true
|
|
|
76240a |
|
|
|
76240a |
+prodtype: sle12,sle15,rhel8,fedora
|
|
|
76240a |
+
|
|
|
76240a |
title: 'Verify that Shared Library Directories Have Root Group Ownership'
|
|
|
76240a |
|
|
|
76240a |
description: |-
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
|
|
|
76240a |
index 2a38e9a88bc..50fdb17bd2e 100644
|
|
|
76240a |
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
|
|
|
76240a |
@@ -1,4 +1,5 @@
|
|
|
76240a |
-# platform = multi_platform_sle
|
|
|
76240a |
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
76240a |
+
|
|
|
76240a |
DIRS="/lib /lib64 /usr/lib /usr/lib64"
|
|
|
76240a |
for dirPath in $DIRS; do
|
|
|
76240a |
find "$dirPath" -type d -exec chgrp root '{}' \;
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
|
|
|
76240a |
index f794d9e878f..277bd7d60de 100644
|
|
|
76240a |
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
|
|
|
76240a |
@@ -1,4 +1,5 @@
|
|
|
76240a |
-# platform = multi_platform_sle
|
|
|
76240a |
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
76240a |
+
|
|
|
76240a |
DIRS="/lib /lib64"
|
|
|
76240a |
for dirPath in $DIRS; do
|
|
|
76240a |
mkdir -p "$dirPath/testme" && chown root:nogroup "$dirPath/testme"
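Review bot: `chown root:nogroup "$dirPath/testme"` on the last line of this hunk will fail on the platforms the new platform line adds, because Red Hat Enterprise Linux 8 and Fedora ship a `nobody` group but no `nogroup`, so the directory stays root-group-owned and the scenario no longer produces the failing state it is meant to test. SUSE ships a `nobody` group as well, as far as I know, so `chown root:nobody "$dirPath/testme"` would work for all three platform families; a numeric gid is another option that avoids depending on a group name. The rest of the loop is outside this hunk.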
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
|
|
|
76240a |
index e0bb6b0dc1a..ab3e85c4f7c 100644
|
|
|
76240a |
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
|
|
|
76240a |
@@ -4,7 +4,24 @@
|
|
|
76240a |
# complexity = high
|
|
|
76240a |
# disruption = medium
|
|
|
76240a |
|
|
|
76240a |
-- name: "Set ownership to root of system-wide library files"
|
|
|
76240a |
- command: "find {{ item }} ! -group root -type f -exec chgrp root '{}' \\;"
|
|
|
76240a |
- with_items: [ '/lib', '/lib64', '/usr/lib', '/usr/lib64' ]
|
|
|
76240a |
+- name: "Read list libraries without root ownership"
|
|
|
76240a |
+ find:
|
|
|
76240a |
+ paths:
|
|
|
76240a |
+ - "/usr/lib"
|
|
|
76240a |
+ - "/usr/lib64"
|
|
|
76240a |
+ - "/lib"
|
|
|
76240a |
+ - "/lib64"
|
|
|
76240a |
+ file_type: "file"
|
|
|
76240a |
+ register: library_files_not_group_owned_by_root
|
|
|
76240a |
+
|
|
|
76240a |
+- name: "Set group ownership of system library files to root"
|
|
|
76240a |
+ file:
|
|
|
76240a |
+ path: "{{ item.path }}"
|
|
|
76240a |
+ group: "root"
|
|
|
76240a |
+ state: "file"
|
|
|
76240a |
+ mode: "{{ item.mode }}"
|
|
|
76240a |
+ with_items: "{{ library_files_not_group_owned_by_root.files }}"
|
|
|
76240a |
+ when:
|
|
|
76240a |
+ - library_files_not_group_owned_by_root.matched > 0
|
|
|
76240a |
+ - item.gid != 0
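Review bot: The new `find:` task searches only the top level of each path, because the Ansible `find` module does not recurse unless `recurse: yes` is set, whereas the `command: find … -exec chgrp` it replaces walked the whole tree and the OVAL for this rule matches paths recursively; library files below a subdirectory of `/usr/lib64` would no longer be remediated. Add `recurse: yes` next to `file_type: "file"`. Note also that the task registers every file in the four directories and relies on `when: item.gid != 0` to skip most of them, so the play iterates over potentially thousands of items; the module has no group filter, so this may be acceptable, but the task name "Read list libraries without root ownership" overstates what it does. The directory rule's `ansible/shared.yml` in this patch uses the same `find`/`file` pattern with its `find` task outside the shown hunks, so it is worth checking for the same omission.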
|
|
|
76240a |
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
|
|
|
76240a |
index e3d64a8390e..926ff70d1e4 100644
|
|
|
76240a |
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
|
|
|
76240a |
@@ -1,45 +1,27 @@
|
|
|
76240a |
<def-group>
|
|
|
76240a |
- <definition class="compliance" id="root_permissions_syslibrary_files" version="1">
|
|
|
76240a |
+ <definition class="compliance" id="root_permissions_syslibrary_files" version="2">
|
|
|
76240a |
{{{ oval_metadata("
|
|
|
76240a |
- Checks that /lib, /lib64, /usr/lib, /usr/lib64, and
|
|
|
76240a |
- objects therein, are group-owned by root.
|
|
|
76240a |
+ Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
|
|
|
76240a |
+ are owned by root.
|
|
|
76240a |
") }}}
|
|
|
76240a |
- <criteria operator="AND">
|
|
|
76240a |
- <criterion test_ref="test_group_ownership_lib_dir" />
|
|
|
76240a |
- <criterion test_ref="test_group_ownership_lib_files" />
|
|
|
76240a |
+ <criteria >
|
|
|
76240a |
+ <criterion test_ref="test_root_permissions_for_syslibrary_files" />
|
|
|
76240a |
</criteria>
|
|
|
76240a |
</definition>
|
|
|
76240a |
|
|
|
76240a |
- <unix:file_test check="all" check_existence="none_exist" comment="library directories gid root" id="test_group_ownership_lib_dir" version="1">
|
|
|
76240a |
- <unix:object object_ref="object_group_ownership_lib_dir" />
|
|
|
76240a |
+ <unix:file_test check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">
|
|
|
76240a |
+ <unix:object object_ref="root_permissions_for_system_wide_library_files" />
|
|
|
76240a |
</unix:file_test>
|
|
|
76240a |
|
|
|
76240a |
- <unix:file_test check="all" check_existence="none_exist" comment="library files gid root" id="test_group_ownership_lib_files" version="1">
|
|
|
76240a |
- <unix:object object_ref="object_group_ownership_lib_files" />
|
|
|
76240a |
- </unix:file_test>
|
|
|
76240a |
-
|
|
|
76240a |
- <unix:file_object comment="library directories" id="object_group_ownership_lib_dir" version="1">
|
|
|
76240a |
-
|
|
|
76240a |
- <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
|
|
|
76240a |
- <unix:filename xsi:nil="true" />
|
|
|
76240a |
- <filter action="include">state_group_ownership_libraries_not_root</filter>
|
|
|
76240a |
- <filter action="exclude">group_dir_perms_state_symlink</filter>
|
|
|
76240a |
- </unix:file_object>
|
|
|
76240a |
-
|
|
|
76240a |
- <unix:file_object comment="library files" id="object_group_ownership_lib_files" version="1">
|
|
|
76240a |
-
|
|
|
76240a |
- <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
|
|
|
76240a |
+ <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
|
|
|
76240a |
+
|
|
|
76240a |
+ are owned by root. -->
|
|
|
76240a |
+ <unix:path operation="pattern match">^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/</unix:path>
|
|
|
76240a |
<unix:filename operation="pattern match">^.*$</unix:filename>
|
|
|
76240a |
- <filter action="include">state_group_ownership_libraries_not_root</filter>
|
|
|
76240a |
- <filter action="exclude">group_dir_perms_state_symlink</filter>
|
|
|
76240a |
+ <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
|
|
|
76240a |
</unix:file_object>
|
|
|
76240a |
|
|
|
76240a |
- <unix:file_state id="state_group_ownership_libraries_not_root" version="1">
|
|
|
76240a |
+ <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >
|
|
|
76240a |
<unix:group_id datatype="int" operation="not equal">0</unix:group_id>
|
|
|
76240a |
</unix:file_state>
|
|
|
76240a |
-
|
|
|
76240a |
- <unix:file_state id="group_dir_perms_state_symlink" version="1">
|
|
|
76240a |
- <unix:type operation="equals">symbolic link</unix:type>
|
|
|
76240a |
- </unix:file_state>
|
|
|
76240a |
-
|
|
|
76240a |
</def-group>
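Review bot: Dropping the `group_dir_perms_state_symlink` exclusion leaves the `^.*$` filename object matching symbolic links as well as regular files, and if the probe reports a link's own group (which is what that filter was excluding) a non-root-group symlink in a library directory will fail this check while the bash remediation's `find ! -group root -type f` and the new Ansible `file_type: "file"` task never touch it, since neither selects symlinks. Either keep the exclude filter on `root_permissions_for_system_wide_library_files` or make the remediations cover links, so that check and fix agree. The rewritten path pattern `^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/` keeps the trailing-slash form introduced in PATCH 1/4, so the question raised there about the four top-level directories still applies.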
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
|
|
|
76240a |
index 8722c2add65..a4ae2854db1 100644
|
|
|
76240a |
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
|
|
|
76240a |
@@ -1,9 +1,9 @@
|
|
|
76240a |
-#!/bin/bash
|
|
|
76240a |
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
76240a |
|
|
|
76240a |
for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
|
|
|
76240a |
do
|
|
|
76240a |
if [[ -d $SYSLIBDIRS ]]
|
|
|
76240a |
then
|
|
|
76240a |
- find $SYSLIBDIRS ! -group root -exec chgrp root '{}' \;
|
|
|
76240a |
+ find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;
|
|
|
76240a |
fi
|
|
|
76240a |
done
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
|
|
|
76240a |
index 1079046d14e..c96f65b989c 100644
|
|
|
76240a |
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
|
|
|
76240a |
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
|
|
|
76240a |
@@ -1,10 +1,6 @@
|
|
|
76240a |
-#!/bin/bash
|
|
|
76240a |
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
76240a |
|
|
|
76240a |
-# There is a high probability that there will be nested subdirectories within the
|
|
|
76240a |
-# shared system library directories, therefore we should test to make sure we
|
|
|
76240a |
-# cover this. - cmm
|
|
|
76240a |
-test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir
|
|
|
76240a |
-for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me /usr/lib/test_dir/test_me
|
|
|
76240a |
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
|
|
|
76240a |
do
|
|
|
76240a |
if [[ ! -f $TESTFILE ]]
|
|
|
76240a |
then
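Review bot: Removing `/usr/lib/test_dir/test_me` from the loop leaves the fail test without any file below a subdirectory, so it can no longer tell whether the check and the remediation descend into nested directories — and the OVAL path pattern in this patch does recurse while the new Ansible `find:` task without `recurse` does not, which is exactly the gap a nested case would expose. Keeping one nested path, e.g. `mkdir -p /usr/lib/test_dir` before the loop and `/usr/lib/test_dir/test_me` in the list, costs little. The loop body that creates the files is outside this hunk.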
|
|
|
76240a |
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
|
|
|
76240a |
index 9569b2ad629..059750f59d0 100644
|
|
|
76240a |
--- a/products/rhel8/profiles/stig.profile
|
|
|
76240a |
+++ b/products/rhel8/profiles/stig.profile
|
|
|
76240a |
@@ -208,6 +208,7 @@ selections:
|
|
|
76240a |
|
|
|
76240a |
# RHEL-08-010350
|
|
|
76240a |
- root_permissions_syslibrary_files
|
|
|
76240a |
+ - dir_group_ownership_library_dirs
|
|
|
76240a |
|
|
|
76240a |
# RHEL-08-010360
|
|
|
76240a |
- package_aide_installed
|
|
|
76240a |
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
index e0eb5ac045c..ae3375fd4d4 100644
|
|
|
76240a |
--- a/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
+++ b/shared/references/cce-redhat-avail.txt
|
|
|
76240a |
@@ -34,7 +34,6 @@ CCE-85890-2
CCE-85891-0
CCE-85892-8
CCE-85893-6
-CCE-85894-4
CCE-85895-1
CCE-85896-9
CCE-85897-7
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index ebe7a91f45d..49cce4d81cc 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -99,6 +99,7 @@ selections:
- dconf_gnome_login_banner_text
- dconf_gnome_screensaver_idle_delay
- dconf_gnome_screensaver_lock_enabled
+- dir_group_ownership_library_dirs
- dir_perms_world_writable_root_owned
- dir_perms_world_writable_sticky_bits
- directory_permissions_var_log_audit
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 97f940dc9ed..943a57d3eb8 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -110,6 +110,7 @@ selections:
- dconf_gnome_login_banner_text
- dconf_gnome_screensaver_idle_delay
- dconf_gnome_screensaver_lock_enabled
+- dir_group_ownership_library_dirs
- dir_perms_world_writable_root_owned
- dir_perms_world_writable_sticky_bits
- directory_permissions_var_log_audit
|
|
|
76240a |
From 71deac482753a13a9f98d6d7382b13e9031a2ce4 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Tue, 13 Jul 2021 13:40:25 -0400
Subject: [PATCH 3/4] Updated test for nobody_group_owned_dir rule
|
|
|
76240a |
---
.../tests/nobody_group_owned_dir_on_lib.fail.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
index 277bd7d60de..043ad6b2dee 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
@@ -1,6 +1,6 @@
# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
|
|
|
76240a |
-DIRS="/lib /lib64"
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
- mkdir -p "$dirPath/testme" && chown root:nogroup "$dirPath/testme"
+ mkdir -p "$dirPath/testme" && chgrp nobody "$dirPath/testme"
done
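Review bot: `chgrp nobody` on the `mkdir -p` line assumes a group literally named `nobody`, yet the platform line above still lists `multi_platform_sle`, where the previous line's `nogroup` was the fitting name; unless a `nobody` group is confirmed on every listed platform, derive it from the nobody user's primary group, `chgrp "$(id -gn nobody)" "$dirPath/testme"`. A failed `mkdir` or `chgrp` is also ignored here, so a broken fixture surfaces only as an unexpected rule result rather than a setup error; appending `|| exit 1` to the `chgrp` makes it fail loudly. On RHEL 8, `/lib` and `/lib64` are, as far as I recall, symlinks into `/usr`, so two of the four iterations act on the same directories — harmless, but a one-line comment saying so would save the next reader a check.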
|
|
|
76240a |
From 087359679e4f6794054b6772df6c84c4cd1fee94 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Wed, 14 Jul 2021 10:04:25 -0400
Subject: [PATCH 4/4] Added recommended $ to end of regex pattern to properly
match dirs
|
|
|
76240a |
---
.../root_permissions_syslibrary_files/oval/shared.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
76240a |
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
index 926ff70d1e4..f5ca9380b55 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
@@ -16,7 +16,7 @@
<unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
|
|
|
76240a |
are owned by root. -->
- <unix:path operation="pattern match">^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/</unix:path>
+ <unix:path operation="pattern match">^\/lib(|64)?$|^\/usr\/lib(|64)?$</unix:path>
<unix:filename operation="pattern match">^.*$</unix:filename>
<filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
</unix:file_object>
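Review bot: The new `<unix:path>` pattern anchors on `$`, so the object now covers only the four top-level directories and no longer reaches files in subdirectories such as `/usr/lib/<subdir>/`; the old prefix pattern covered those but, lacking the anchor, did not match the top-level directories themselves, so neither version covers both. If nested library directories are in scope (the test comment removed in the first patch says they are likely), `^\/lib(64)?(\/.*)?$|^\/usr\/lib(64)?(\/.*)?$` matches each directory and everything beneath it; resolving a pattern-matched path means the probe has to walk those trees, so check the scan cost on a real system before widening it. Independently, `(|64)?` is equivalent to `(64)?` — the empty alternative inside an already optional group is redundant. The comment preceding `are owned by root. -->` should state which directories are in scope so the intended coverage is explicit.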