Expand Up @@ -64,7 +64,7 @@ template:
- /usr/lib/
- /usr/lib64/
recursive: 'true'
{{% if 'ol' in families or 'rhel' in product %}}
{{% if 'ol' in families or 'rhel' in product or 'ubuntu' in product %}}
file_regex: ^.*\.so.*$
{{% else %}}
file_regex: ^.*$
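Review bot: the `file_regex: ^.*\.so.*$` that the extended condition now selects for Ubuntu matches any file name containing `.so` anywhere, not only shared objects such as `libfoo.so` or `libfoo.so.6`, so a name like `foo.sound` would also be checked. That is the behaviour OL and RHEL already get, so it is acceptable for consistency, but if precision matters a pattern along the lines of `^.*\.so(\.[0-9]+)*$` would limit the check to (versioned) shared objects. Also, this three-way condition is repeated verbatim across several files in this PR; a single shared condition would keep them from drifting apart.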
Expand All @@ -74,9 +74,15 @@ template:
fixtext: |-
Configure the system-wide shared library files (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access.

{{%- if 'ubuntu' in product %}}
Run the following command:

<pre>$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root -exec chown root {} +</pre>
{{%- else %}}
Run the following command, replacing "[FILE]" with any library file not owned by "root".

$ sudo chown root [FILE]
{{%- endif %}}

srg_requirement:
{{{ full_name }}} library files must be owned by root.
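Review bot: the Ubuntu fixtext's `find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -user root` runs without `-L` and with `-type f`, so symlinks are skipped, whereas the ocil check shown later in this PR for the group-owner rule uses `find -L`; if check and fix are meant to agree on which files count, the flags should match. `-name '*.so*'` does mirror the template's `file_regex`, so the fix covers the same set of files the template reports, which is good. One caveat worth a word in the fixtext: on Linux, `chown` on an executable file clears any setuid/setgid bits, which is harmless for shared libraries but is a side effect of the batched `chown root {} +`.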
Expand Up @@ -2,7 +2,7 @@
# platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_ubuntu,multi_platform_almalinux

useradd user_test
{{% if 'ol' in families or 'rhel' in product %}}
{{% if 'ol' in families or 'rhel' in product or 'ubuntu' in product %}}
for TESTFILE in /lib/test_me.so /lib64/test_me.so /usr/lib/test_me.so /usr/lib64/test_me.so
{{% else %}}
for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me
Expand Up @@ -6,7 +6,7 @@ useradd user_test
TESTDIR="/usr/lib/dir/"

mkdir -p "${TESTDIR}"
{{% if 'ol' in families or 'rhel' in product %}}
{{% if 'ol' in families or 'rhel' in product or 'ubuntu' in product %}}
touch "${TESTDIR}"/test_me.so
chown user_test "${TESTDIR}"/test_me.so
{{% else %}}
Expand Up @@ -64,17 +64,23 @@ template:
- /usr/lib/
- /usr/lib64/
recursive: 'true'
{{% if 'ol' in families or 'rhel' in product %}}
{{% if 'ol' in families or 'rhel' in product or 'ubuntu' in product %}}
file_regex: ^.*\.so.*$
{{% else %}}
file_regex: ^.*$
{{% endif %}}
filemode: '7755'

fixtext: |-
{{%- if 'ubuntu' in product %}}
Configure the systemwide shared library files contained in the directories "/lib", "/lib64", "/usr/lib", and "/usr/lib64" to have mode 0755 or less permissive with the following command:

<pre>$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' -perm /022 -exec chmod go-w {} +</pre>
{{%- else %}}
Configure the library files to be protected from unauthorized access. Run the following command, replacing "[FILE]" with any library file with a mode more permissive than 755.

$ sudo chmod 755 [FILE]
{{%- endif %}}

srg_requirement:
{{{ full_name }}} library directories must have mode 755 or less permissive.
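Review bot: the non-Ubuntu branch's `$ sudo chmod 755 [FILE]` is broader than the requirement it sits under: on a file that is currently 0644 it adds execute bits, and on a 4755 file it strips the setuid bit that `filemode: '7755'` still permits, while the Ubuntu branch's `chmod go-w` removes only the group/other write bits and leaves everything else untouched. Using `chmod go-w` in both branches would make the fix minimal and consistent. Minor: `srg_requirement` says "library directories must have mode 755 or less permissive" while the title, template and fixtext are about library files.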
Expand Up @@ -4,7 +4,7 @@ DIRS="/lib /lib64 /usr/lib /usr/lib64"
for dirPath in $DIRS; do
# Limit the test changes to a subset of file in the directory
# Remediation the whole library dirs is very time consuming
{{% if 'ol' in families or 'rhel' in product %}}
{{% if 'ol' in families or 'rhel' in product or 'ubuntu' in product %}}
find "$dirPath" -type f -regex ".*\.so" -exec chmod go+w '{}' \;
{{% else %}}
find "$dirPath" -type f -regex ".*\.txt" -exec chmod go+w '{}' \;
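Review bot: the test's `-regex ".*\.so"` only matches names that end in `.so`, while the rule's `file_regex: ^.*\.so.*$` also matches versioned names such as `libfoo.so.6`, so the test exercises a subset of what the rule checks. That keeps the test fast, as the comment intends, but it means versioned libraries are never made world-writable in the test and their remediation is not verified; if that coverage matters, `".*\.so\(\.[0-9]*\)*"` would include one versioned name per library. Style: the comment "Remediation the whole library dirs is very time consuming" would read better as "Remediating all of the library directories is very time consuming".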

This file was deleted.

This file was deleted.

@@ -1,12 +1,8 @@
documentation_complete: true

{{% if 'ubuntu' in product -%}}
{{% set gid_description = ' or a required system account' -%}}
Collaborator: The gid_description is still used in ocil_clause.

Contributor Author: Removed, thanks!

{{% endif -%}}

title: |-
Verify the system-wide library files in directories
"/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root{{{ gid_description }}}.
"/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.

description: |-
System-wide library files are stored in the following directories
Expand All @@ -17,7 +13,7 @@ description: |-
/usr/lib64
</pre>
All system-wide shared library files should be protected from unauthorised
access. If any of these files is not group-owned by root{{{ gid_description }}},
access. If any of these files is not group-owned by root,
correct its group-owner with the following command:
<pre>$ sudo chgrp root <i>FILE</i></pre>
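Review bot: dropping `gid_description` removes the " or a required system account" allowance for Ubuntu, so library files group-owned by a system group that previously passed on Ubuntu will now be reported and remediated to group root; that is a deliberate tightening, but it should be stated in the PR description and checked against the Ubuntu STIG wording the rule cites. Any Ubuntu-specific OVAL or remediation that implemented the looser condition must go with it (the deleted files in this PR may be those); otherwise check and fix would disagree.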

Expand Down Expand Up @@ -50,14 +46,13 @@ references:
stigid@sle12: SLES-12-010875
stigid@sle15: SLES-15-010355

ocil_clause: any system wide shared library file is returned and is not group-owned by root{{{ gid_description }}}
ocil_clause: any system wide shared library file is returned and is not group-owned by root

ocil: |-
Verify the system-wide shared library files are group-owned by root{{{ gid_description }}} with the following command:
Verify the system-wide shared library files are group-owned by root with the following command:

$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \;

{{% if "ubuntu" not in product %}}
Collaborator: Do you want to change the condition in line 64 so that only .so files will be checked like in the other rule?

Contributor Author: Added, thanks!

template:
name: file_groupowner
vars:
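Review bot: the `{{% if "ubuntu" not in product %}}` guard at the end of this hunk still wraps the `template:` block, and nothing visible in this PR removes it, so the `or 'ubuntu' in product` branch added inside that block in the next hunk is never rendered for Ubuntu; with the old Ubuntu-specific content deleted, Ubuntu could be left with no check at all for this rule. Please confirm whether the guard is meant to stay; now that the gid_description special case is gone, dropping it looks like the intent. The `ocil_clause` and `ocil` changes here do close the earlier comment about gid_description.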
Expand All @@ -66,21 +61,26 @@ template:
- /lib64/
- /usr/lib/
- /usr/lib64/
{{% if 'ol' in families or 'rhel' in product %}}
{{% if 'ol' in families or 'rhel' in product or 'ubuntu' in product %}}
file_regex: ^.*\.so.*$
{{% else %}}
file_regex: ^.*$
{{% endif %}}
recursive: 'true'
gid_or_name: '0'
{{% endif %}}

fixtext: |-
Configure the system-wide shared library files (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access.

Run the following command, replacing "[FILE]" with any library file not group-owned by root{{{ gid_description }}}.
{{%- if 'ubuntu' in product %}}
Run the following command:

<pre>$ sudo find /lib /lib64 /usr/lib /usr/lib64 -type f -name '*.so*' ! -group root -exec chgrp root {} +</pre>
{{%- else %}}
Run the following command, replacing "[FILE]" with any library file not group-owned by root.

$ sudo chgrp root [FILE]
{{%- endif %}}

srg_requirement:
{{{ full_name }}} library files must be group-owned by root{{{ gid_description }}}.
{{{ full_name }}} library files must be group-owned by root.
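Review bot: the Ubuntu fixtext's `find ... -type f -name '*.so*' ! -group root -exec chgrp root {} +` runs plain `find`, while the `ocil` check in the previous hunk runs `find -L ... ! -group root`; the check therefore evaluates the target of a symlink and reports it, but the fix skips symlinks entirely (`-type f` without `-L`), so a file reachable only through a symlink into these directories could be reported and never remediated. Using the same symlink flags in both commands (either `-L` in both or in neither) removes that mismatch. The `-name '*.so*'` filter matches the template's `file_regex` in this hunk, which is good.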

This file was deleted.

Expand Up @@ -2,7 +2,7 @@
# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu,multi_platform_ol

groupadd group_test
{{% if 'ol' in families or 'rhel' in product %}}
{{% if 'ol' in families or 'rhel' in product or 'ubuntu' in product %}}
for TESTFILE in /lib/test_me.so /lib64/test_me.so /usr/lib/test_me.so /usr/lib64/test_me.so
{{% else %}}
for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me

This file was deleted.
