Blob Blame History Raw
From f7bb6fc32091ad9d10ec8253505086670eb135ba Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Mon, 12 Jul 2021 10:06:41 -0400
Subject: [PATCH 1/4] Initial commit for RHEL-08-010350 STIG rule

---
 .../ansible/shared.yml                        |  2 +-
 .../bash/shared.sh                            |  2 +-
 .../oval/shared.xml                           | 44 +++++++++++++------
 .../rule.yml                                  | 26 ++++++-----
 .../tests/correct_group.pass.sh               |  2 +-
 .../tests/incorrect_group.fail.sh             |  8 +++-
 products/rhel8/profiles/stig.profile          |  1 +
 shared/references/cce-redhat-avail.txt        |  1 -
 .../data/profile_stability/rhel8/stig.profile |  1 +
 .../profile_stability/rhel8/stig_gui.profile  |  1 +
 10 files changed, 57 insertions(+), 31 deletions(-)

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
index f90c8e26b15..e0bb6b0dc1a 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
 # reboot = false
 # strategy = restrict
 # complexity = high
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
index fba25be6132..d5fb89487d5 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/bash/shared.sh
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
 
 find /lib \
 /lib64 \
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
index 00f733ddc78..e3d64a8390e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
@@ -1,27 +1,45 @@
 <def-group>
-  <definition class="compliance" id="root_permissions_syslibrary_files" version="2">
+  <definition class="compliance" id="root_permissions_syslibrary_files" version="1">
     {{{ oval_metadata("
-        Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
-        are owned by root.
+        Checks that /lib, /lib64, /usr/lib, /usr/lib64, and
+        objects therein, are group-owned by root.
       ") }}}
-    <criteria >
-      <criterion test_ref="test_root_permissions_for_syslibrary_files" />
+    <criteria operator="AND">
+      <criterion test_ref="test_group_ownership_lib_dir" />
+      <criterion test_ref="test_group_ownership_lib_files" />
     </criteria>
   </definition>
 
-  <unix:file_test  check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">
-    <unix:object object_ref="root_permissions_for_system_wide_library_files" />
+  <unix:file_test  check="all" check_existence="none_exist" comment="library directories gid root" id="test_group_ownership_lib_dir" version="1">
+    <unix:object object_ref="object_group_ownership_lib_dir" />
   </unix:file_test>
 
-  <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
-    <!-- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
-        are owned by root. -->
-    <unix:path operation="pattern match">^\/lib(64)?|^\/usr\/lib(64)?</unix:path >    
+  <unix:file_test  check="all" check_existence="none_exist" comment="library files gid root" id="test_group_ownership_lib_files" version="1">
+    <unix:object object_ref="object_group_ownership_lib_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="library directories" id="object_group_ownership_lib_dir" version="1">
+    <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to group with gid 0 (root) -->
+    <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">state_group_ownership_libraries_not_root</filter>
+    <filter action="exclude">group_dir_perms_state_symlink</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="library files" id="object_group_ownership_lib_files" version="1">
+    <!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to group with gid 0 (root) -->
+    <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
     <unix:filename operation="pattern match">^.*$</unix:filename>
-    <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
+   <filter action="include">state_group_ownership_libraries_not_root</filter>
+   <filter action="exclude">group_dir_perms_state_symlink</filter>
   </unix:file_object>
 
-  <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >
+  <unix:file_state id="state_group_ownership_libraries_not_root" version="1">
     <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
   </unix:file_state>
+
+  <unix:file_state id="group_dir_perms_state_symlink" version="1">
+    <unix:type operation="equals">symbolic link</unix:type>
+  </unix:file_state>
+
 </def-group>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
index ff905dd08d..83371b8b9b 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: sle12,sle15
+prodtype: sle12,sle15,rhel8,fedora
 
 title: |-
     Verify the system-wide library files in directories
@@ -17,18 +17,18 @@ description: |-
     All system-wide shared library files should be protected from unauthorised
     access. If any of these files is not owned by root, correct its owner with
     the following command:
-    <pre>$ sudo chgrp root <i>DIR</i></pre>
+    <pre>$ sudo chgrp root <i>FILE</i></pre>
 
 rationale: |-
-  If the operating system were to allow any user to make changes to software libraries,
-  then those changes might be implemented without undergoing the appropriate testing and
-  approvals that are part of a robust change management process.
+    If the operating system were to allow any user to make changes to software libraries,
+    then those changes might be implemented without undergoing the appropriate testing and
+    approvals that are part of a robust change management process.
 
-  This requirement applies to operating systems with software libraries that are
-  accessible and configurable, as in the case of interpreted languages. Software libraries
-  also include privileged programs which execute with escalated privileges. Only qualified
-  and authorized individuals must be allowed to obtain access to information system components
-  for purposes of initiating changes, including upgrades and modifications.
+    This requirement applies to operating systems with software libraries that are
+    accessible and configurable, as in the case of interpreted languages. Software libraries
+    also include privileged programs which execute with escalated privileges. Only qualified
+    and authorized individuals must be allowed to obtain access to information system components
+    for purposes of initiating changes, including upgrades and modifications.
 
 severity: medium
 
@@ -45,7 +45,7 @@ references:
     stigid@sle12: SLES-12-010875
     stigid@sle15: SLES-15-010355
 
-ocil_clause: 'any system wide library directory is returned'
+ocil_clause: 'system wide library files are not group owned by root'
 
 ocil: |-
     System-wide library files are stored in the following directories:
@@ -54,6 +54,6 @@ ocil: |-
     /usr/lib
     /usr/lib64
     </pre>
-    To find if system-wide library files stored in these directories are group-owned by
+    To find if system-wide library files stored in these directories are not group-owned by
     root run the following command for each directory <i>DIR</i>:
     <pre>$ sudo find -L <i>DIR</i> ! -group root -type f </pre>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
index 7a8e65b4f3a..8722c2add65 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
@@ -4,6 +4,6 @@ for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
 do
     if [[ -d $SYSLIBDIRS  ]]
     then
-        find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;
+        find $SYSLIBDIRS ! -group root -exec chgrp root '{}' \;
     fi
 done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
index a4b99a9da14..1079046d14e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
@@ -1,6 +1,10 @@
 #!/bin/bash
-  
-for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
+
+# There is a high probability that there will be nested subdirectories within the
+# shared system library directories, therefore we should test to make sure we
+# cover this. - cmm
+test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me /usr/lib/test_dir/test_me
 do
    if [[ ! -f $TESTFILE ]]
    then
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 2508008d511..9569b2ad629 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -207,6 +207,7 @@ selections:
     - file_ownership_library_dirs
 
     # RHEL-08-010350
+    - root_permissions_syslibrary_files
 
     # RHEL-08-010360
     - package_aide_installed
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index f139d2ed76f..e0eb5ac045c 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -662,7 +662,6 @@ CCE-86518-8
 CCE-86520-4
 CCE-86521-2
 CCE-86522-0
-CCE-86523-8
 CCE-86524-6
 CCE-86525-3
 CCE-86526-1
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 765487c6f16..ebe7a91f45d 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -221,6 +221,7 @@ selections:
 - postfix_client_configure_mail_alias
 - require_emergency_target_auth
 - require_singleuser_auth
+- root_permissions_syslibrary_files
 - rsyslog_cron_logging
 - rsyslog_remote_access_monitoring
 - rsyslog_remote_loghost
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 9fd80aac727..97f940dc9ed 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -232,6 +232,7 @@ selections:
 - postfix_client_configure_mail_alias
 - require_emergency_target_auth
 - require_singleuser_auth
+- root_permissions_syslibrary_files
 - rsyslog_cron_logging
 - rsyslog_remote_access_monitoring
 - rsyslog_remote_loghost

From f16c085894e4dc7974637d44bf226d3acf19f3d1 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Mon, 12 Jul 2021 16:17:23 -0400
Subject: [PATCH 2/4] Updated existing rules for syslibrary files/dirs

---
 .../ansible/shared.yml                        |  6 ++-
 .../bash/shared.sh                            |  7 +++
 .../dir_group_ownership_library_dirs/rule.yml |  4 ++
 .../tests/all_dirs_ok.pass.sh                 |  3 +-
 .../nobody_group_owned_dir_on_lib.fail.sh     |  3 +-
 .../ansible/shared.yml                        | 23 ++++++++--
 .../oval/shared.xml                           | 44 ++++++-------------
 .../tests/correct_group.pass.sh               |  4 +-
 .../tests/incorrect_group.fail.sh             |  8 +---
 products/rhel8/profiles/stig.profile          |  1 +
 shared/references/cce-redhat-avail.txt        |  1 -
 .../data/profile_stability/rhel8/stig.profile |  1 +
 .../profile_stability/rhel8/stig_gui.profile  |  1 +
 13 files changed, 59 insertions(+), 47 deletions(-)
 create mode 100644 linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
index 80562991ac5..f6f2ab48afd 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/ansible/shared.yml
@@ -1,4 +1,4 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
 # reboot = false
 # strategy = restrict
 # complexity = medium
@@ -20,4 +20,6 @@
     state: "directory"
     mode: "{{ item.mode }}"
   with_items: "{{ library_dirs_not_group_owned_by_root.files }}"
-  when: library_dirs_not_group_owned_by_root.matched > 0
+  when:
+    - library_dirs_not_group_owned_by_root.matched > 0
+    - item.gid != 0
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
new file mode 100644
index 00000000000..365b9833188
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+
+find /lib \
+/lib64 \
+/usr/lib \
+/usr/lib64 \
+\! -group root -type d -exec chgrp root '{}' \;
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
index 4ff043270c8..cd02d95cb1c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml
@@ -1,5 +1,7 @@
 documentation_complete: true
 
+prodtype: sle12,sle15,rhel8,fedora
+
 title: 'Verify that Shared Library Directories Have Root Group Ownership'
 
 description: |-
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
index 2a38e9a88bc..50fdb17bd2e 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh
@@ -1,4 +1,5 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+
 DIRS="/lib /lib64 /usr/lib /usr/lib64"
 for dirPath in $DIRS; do
 	find "$dirPath" -type d -exec chgrp root '{}' \;
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
index f794d9e878f..277bd7d60de 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
@@ -1,4 +1,5 @@
-# platform = multi_platform_sle
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
+
 DIRS="/lib /lib64"
 for dirPath in $DIRS; do
 	mkdir -p "$dirPath/testme" && chown root:nogroup "$dirPath/testme"
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
index e0bb6b0dc1a..ab3e85c4f7c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/ansible/shared.yml
@@ -4,7 +4,24 @@
 # complexity = high
 # disruption = medium
 
-- name: "Set ownership to root of system-wide library files"
-  command: "find {{ item }} ! -group root -type f -exec chgrp root '{}' \\;"
-  with_items: [ '/lib', '/lib64', '/usr/lib', '/usr/lib64' ]
+- name: "Read list libraries without root ownership"
+  find:
+    paths:
+      - "/usr/lib"
+      - "/usr/lib64"
+      - "/lib"
+      - "/lib64"
+    file_type: "file"
+  register: library_files_not_group_owned_by_root
+
+- name: "Set group ownership of system library files to root"
+  file:
+    path: "{{ item.path }}"
+    group: "root"
+    state: "file"
+    mode: "{{ item.mode }}"
+  with_items: "{{ library_files_not_group_owned_by_root.files }}"
+  when:
+    - library_files_not_group_owned_by_root.matched > 0
+    - item.gid != 0
 
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
index e3d64a8390e..926ff70d1e4 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
@@ -1,45 +1,27 @@
 <def-group>
-  <definition class="compliance" id="root_permissions_syslibrary_files" version="1">
+  <definition class="compliance" id="root_permissions_syslibrary_files" version="2">
     {{{ oval_metadata("
-        Checks that /lib, /lib64, /usr/lib, /usr/lib64, and
-        objects therein, are group-owned by root.
+        Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
+        are owned by root.
       ") }}}
-    <criteria operator="AND">
-      <criterion test_ref="test_group_ownership_lib_dir" />
-      <criterion test_ref="test_group_ownership_lib_files" />
+    <criteria >
+      <criterion test_ref="test_root_permissions_for_syslibrary_files" />
     </criteria>
   </definition>
 
-  <unix:file_test  check="all" check_existence="none_exist" comment="library directories gid root" id="test_group_ownership_lib_dir" version="1">
-    <unix:object object_ref="object_group_ownership_lib_dir" />
+  <unix:file_test  check="all" check_existence="none_exist" comment="test if system-wide files have root permissions" id="test_root_permissions_for_syslibrary_files" version="1">
+    <unix:object object_ref="root_permissions_for_system_wide_library_files" />
   </unix:file_test>
 
-  <unix:file_test  check="all" check_existence="none_exist" comment="library files gid root" id="test_group_ownership_lib_files" version="1">
-    <unix:object object_ref="object_group_ownership_lib_files" />
-  </unix:file_test>
-
-  <unix:file_object comment="library directories" id="object_group_ownership_lib_dir" version="1">
-    <!-- Check that /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to group with gid 0 (root) -->
-    <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
-    <unix:filename xsi:nil="true" />
-    <filter action="include">state_group_ownership_libraries_not_root</filter>
-    <filter action="exclude">group_dir_perms_state_symlink</filter>
-  </unix:file_object>
-
-  <unix:file_object comment="library files" id="object_group_ownership_lib_files" version="1">
-    <!-- Check that files within /lib, /lib64, /usr/lib, and /usr/lib64 directories belong to group with gid 0 (root) -->
-    <unix:path operation="pattern match">^\/lib(|64)?\/|^\/usr\/lib(|64)?\/</unix:path>
+  <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
+    <!-- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
+        are owned by root. -->
+    <unix:path operation="pattern match">^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/</unix:path>
     <unix:filename operation="pattern match">^.*$</unix:filename>
-   <filter action="include">state_group_ownership_libraries_not_root</filter>
-   <filter action="exclude">group_dir_perms_state_symlink</filter>
+    <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
   </unix:file_object>
 
-  <unix:file_state id="state_group_ownership_libraries_not_root" version="1">
+  <unix:file_state id="group_permissions_for_system_wide_files_are_not_root" version="1" >
     <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
   </unix:file_state>
-
-  <unix:file_state id="group_dir_perms_state_symlink" version="1">
-    <unix:type operation="equals">symbolic link</unix:type>
-  </unix:file_state>
-
 </def-group>
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
index 8722c2add65..a4ae2854db1 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_group.pass.sh
@@ -1,9 +1,9 @@
-#!/bin/bash
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
 
 for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64
 do
     if [[ -d $SYSLIBDIRS  ]]
     then
-        find $SYSLIBDIRS ! -group root -exec chgrp root '{}' \;
+        find $SYSLIBDIRS ! -group root -type f -exec chgrp root '{}' \;
     fi
 done
diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
index 1079046d14e..c96f65b989c 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_group.fail.sh
@@ -1,10 +1,6 @@
-#!/bin/bash
+# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
 
-# There is a high probability that there will be nested subdirectories within the
-# shared system library directories, therefore we should test to make sure we
-# cover this. - cmm
-test -d /usr/lib/test_dir || mkdir -p /usr/lib/test_dir && chown nobody.nobody /usr/lib/test_dir
-for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me /usr/lib/test_dir/test_me
+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
 do
    if [[ ! -f $TESTFILE ]]
    then
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 9569b2ad629..059750f59d0 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -208,6 +208,7 @@ selections:
 
     # RHEL-08-010350
     - root_permissions_syslibrary_files
+    - dir_group_ownership_library_dirs
 
     # RHEL-08-010360
     - package_aide_installed
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index e0eb5ac045c..ae3375fd4d4 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -34,7 +34,6 @@ CCE-85890-2
 CCE-85891-0
 CCE-85892-8
 CCE-85893-6
-CCE-85894-4
 CCE-85895-1
 CCE-85896-9
 CCE-85897-7
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index ebe7a91f45d..49cce4d81cc 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -99,6 +99,7 @@ selections:
 - dconf_gnome_login_banner_text
 - dconf_gnome_screensaver_idle_delay
 - dconf_gnome_screensaver_lock_enabled
+- dir_group_ownership_library_dirs
 - dir_perms_world_writable_root_owned
 - dir_perms_world_writable_sticky_bits
 - directory_permissions_var_log_audit
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index 97f940dc9ed..943a57d3eb8 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -110,6 +110,7 @@ selections:
 - dconf_gnome_login_banner_text
 - dconf_gnome_screensaver_idle_delay
 - dconf_gnome_screensaver_lock_enabled
+- dir_group_ownership_library_dirs
 - dir_perms_world_writable_root_owned
 - dir_perms_world_writable_sticky_bits
 - directory_permissions_var_log_audit

From 71deac482753a13a9f98d6d7382b13e9031a2ce4 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Tue, 13 Jul 2021 13:40:25 -0400
Subject: [PATCH 3/4] Updated test for nobody_group_owned_dir rule

---
 .../tests/nobody_group_owned_dir_on_lib.fail.sh               | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
index 277bd7d60de..043ad6b2dee 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh
@@ -1,6 +1,6 @@
 # platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora
 
-DIRS="/lib /lib64"
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
 for dirPath in $DIRS; do
-	mkdir -p "$dirPath/testme" && chown root:nogroup "$dirPath/testme"
+	mkdir -p "$dirPath/testme" && chgrp nobody "$dirPath/testme"
 done

From 087359679e4f6794054b6772df6c84c4cd1fee94 Mon Sep 17 00:00:00 2001
From: Carlos Matos <cmatos@redhat.com>
Date: Wed, 14 Jul 2021 10:04:25 -0400
Subject: [PATCH 4/4] Added recommended $ to end of regex pattern to properly
 match dirs

---
 .../root_permissions_syslibrary_files/oval/shared.xml           | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
index 926ff70d1e4..f5ca9380b55 100644
--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/oval/shared.xml
@@ -16,7 +16,7 @@
   <unix:file_object comment="system-wide directories" id="root_permissions_for_system_wide_library_files" version="1">
     <!-- Checks that system-wide library files in /lib, /lib64, /usr/lib, /usr/lib64
         are owned by root. -->
-    <unix:path operation="pattern match">^\/lib\/|^\/lib64\/|^\/usr\/lib\/|^\/usr\/lib64\/</unix:path>
+    <unix:path operation="pattern match">^\/lib(|64)?$|^\/usr\/lib(|64)?$</unix:path>
     <unix:filename operation="pattern match">^.*$</unix:filename>
     <filter action="include">group_permissions_for_system_wide_files_are_not_root</filter>
   </unix:file_object>