commit 94a680f9601fc2119c08fc6514712611d7f0d935

Author: Gabriel Becker <ggasparb@redhat.com>

Date:   Fri Feb 25 14:43:33 2022 +0100

    Manual edited patch scap-security-guide-0.1.61-update_RHEL_STIG-PR_8130.patch.

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml

index 10203c9..3c9e460 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/rule.yml

@@ -37,7 +37,7 @@ references:

     disa: CCI-001499

     nist: CM-5(6),CM-5(6).1

     srg: SRG-OS-000259-GPOS-00100

-    stigid@rhel8: RHEL-08-010350

+    stigid@rhel8: RHEL-08-010351

     stigid@sle12: SLES-12-010876

     stigid@sle15: SLES-15-010356

     stigid@ubuntu2004: UBTU-20-010431

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh

index 50fdb17..6a05a2b 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/all_dirs_ok.pass.sh

@@ -1,4 +1,4 @@

-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora

 DIRS="/lib /lib64 /usr/lib /usr/lib64"

 for dirPath in $DIRS; do

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh

new file mode 100644

index 0000000..6a05a2b

--- /dev/null

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/correct_groupowner.pass.sh

@@ -0,0 +1,6 @@

+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora

+

+DIRS="/lib /lib64 /usr/lib /usr/lib64"

+for dirPath in $DIRS; do

+	find "$dirPath" -type d -exec chgrp root '{}' \;

+done

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh

new file mode 100644

index 0000000..36461f5

--- /dev/null

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner.fail.sh

@@ -0,0 +1,6 @@

+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora

+

+DIRS="/lib /lib64 /usr/lib /usr/lib64"

+for dirPath in $DIRS; do

+	mkdir -p "$dirPath/testme" && chgrp nobody "$dirPath/testme"

+done

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh

new file mode 100644

index 0000000..3f09e3d

--- /dev/null

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/incorrect_groupowner_2.fail.sh

@@ -0,0 +1,6 @@

+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora

+

+DIRS="/lib /lib64 /usr/lib /usr/lib64"

+for dirPath in $DIRS; do

+	mkdir -p "$dirPath/testme/test2" && chgrp nobody "$dirPath/testme/test2"

+done

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh

index 043ad6b..36461f5 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_group_ownership_library_dirs/tests/nobody_group_owned_dir_on_lib.fail.sh

@@ -1,4 +1,4 @@

-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora

 DIRS="/lib /lib64 /usr/lib /usr/lib64"

 for dirPath in $DIRS; do

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml

index e236238..ba923d8 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_binary_dirs/rule.yml

@@ -27,7 +27,7 @@ references:

     srg: SRG-OS-000258-GPOS-00099

     stigid@ubuntu2004: UBTU-20-010424

-ocil_clause: 'any system exectables directories are found to not be owned by root'

+ocil_clause: 'any system executables directories are found to not be owned by root'

 ocil: |-

     System executables are stored in the following directories by default:

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml

deleted file mode 100644

index 28e193f..0000000

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/oval/shared.xml

+++ /dev/null

@@ -1,28 +0,0 @@

-<def-group>

-  <definition class="compliance" id="dir_ownership_library_dirs" version="1">

-    {{{ oval_metadata("

-        Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and

-        directories therein, are owned by root.

-      ") }}}

-    <criteria operator="AND">

-      <criterion test_ref="test_dir_ownership_lib_dir" />

-    </criteria>

-  </definition>

-

-  <unix:file_test  check="all" check_existence="none_exist" comment="library directories uid root" id="test_dir_ownership_lib_dir" version="1">

-    <unix:object object_ref="object_dir_ownership_lib_dir" />

-  </unix:file_test>

-

-

-  <unix:file_object comment="library directories" id="object_dir_ownership_lib_dir" version="1">

-    

-    <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>

-    <unix:filename xsi:nil="true" />

-    <filter action="include">state_owner_library_dirs_not_root</filter>

-  </unix:file_object>

-

-  <unix:file_state id="state_owner_library_dirs_not_root" version="1">

-    <unix:user_id datatype="int" operation="not equal">0</unix:user_id>

-  </unix:file_state>

-

-</def-group>

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml

index d6a0bed..f0781b3 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/rule.yml

@@ -27,6 +27,8 @@ rationale: |-

 severity: medium

 identifiers:

+    cce@rhel8: CCE-89021-0

+    cce@rhel9: CCE-89022-8

     cce@sle12: CCE-83236-0

     cce@sle15: CCE-85735-9

@@ -34,6 +36,7 @@ references:

     disa: CCI-001499

     nist: CM-5(6),CM-5(6).1

     srg: SRG-OS-000259-GPOS-00100

+    stigid@rhel8: RHEL-08-010341

     stigid@sle12: SLES-12-010874

     stigid@sle15: SLES-15-010354

     stigid@ubuntu2004: UBTU-20-010429

@@ -49,3 +52,14 @@ ocil: |-

     For each of these directories, run the following command to find files not

     owned by root:

     
$ sudo find -L $DIR ! -user root -type d -exec chown root {} \;

+

+template:

+    name: file_owner

+    vars:

+        filepath:

+            - /lib/

+            - /lib64/

+            - /usr/lib/

+            - /usr/lib64/

+        recursive: 'true'

+        fileuid: '0'

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh

similarity index 69%

rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh

rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh

index 0189166..a0d4990 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/all_dirs_ok.pass.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/correct_owner.pass.sh

@@ -1,4 +1,4 @@

-# platform = multi_platform_sle

+# platform = multi_platform_sle,multi_platform_rhel

 DIRS="/lib /lib64 /usr/lib /usr/lib64"

 for dirPath in $DIRS; do

 	find "$dirPath" -type d -exec chown root '{}' \;

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh

similarity index 63%

rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh

rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh

index 59b8a18..f366c2d 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/nobody_owned_dir_on_lib.fail.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_ownership_library_dirs/tests/incorrect_owner.fail.sh

@@ -1,4 +1,5 @@

-# platform = multi_platform_sle

+# platform = multi_platform_sle,multi_platform_rhel

+groupadd nogroup

 DIRS="/lib /lib64"

 for dirPath in $DIRS; do

 	mkdir -p "$dirPath/testme" && chown nobody:nogroup "$dirPath/testme"

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml

index a0e4e24..add26b2 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml

@@ -1,8 +1,8 @@

 <def-group>

   <definition class="compliance" id="dir_permissions_library_dirs" version="1">

     {{{ oval_metadata("

-        Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and

-        objects therein, are not group-writable or world-writable.

+        Checks that the directories /lib, /lib64, /usr/lib and /usr/lib64

+        are not group-writable or world-writable.

       ") }}}

     <criteria operator="AND">

       <criterion test_ref="dir_test_perms_lib_dir" />

@@ -19,7 +19,7 @@

     <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>

     <unix:filename xsi:nil="true" />

     <filter action="include">dir_state_perms_nogroupwrite_noworldwrite</filter>

-    <filter action="exclude">dir_perms_state_symlink</filter>

+    <filter action="exclude">dir_perms_state_nogroupwrite_noworldwrite_symlink</filter>

   </unix:file_object>

   <unix:file_state id="dir_state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">

@@ -27,7 +27,7 @@

     <unix:owrite datatype="boolean">true</unix:owrite>

   </unix:file_state>

-  <unix:file_state id="dir_perms_state_symlink" version="1">

+  <unix:file_state id="dir_perms_state_nogroupwrite_noworldwrite_symlink" version="1">

     <unix:type operation="equals">symbolic link</unix:type>

   </unix:file_state>

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml

index 853f8ac..558eaa7 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml

@@ -60,3 +60,14 @@ ocil: |-

     To find shared libraries that are group-writable or world-writable,

     run the following command for each directory DIR which contains shared libraries:

     
$ sudo find -L DIR -perm /022 -type d

+

+template:

+    name: file_permissions

+    vars:

+        filepath:

+            - /lib/

+            - /lib64/

+            - /usr/lib/

+            - /usr/lib64/

+        recursive: 'true'

+        filemode: '0755'

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml

index 7168288..eec7485 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml

@@ -1,4 +1,4 @@

-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

+# platform = multi_platform_sle,Oracle Linux 8,multi_platform_rhel,multi_platform_fedora

 # reboot = false

 # strategy = restrict

 # complexity = medium

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh

index a9e8c7d..e352dd3 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh

@@ -1,4 +1,4 @@

-# platform = multi_platform_sle,Oracle Linux 8,Red Hat Enterprise Linux 8,multi_platform_fedora,multi_platform_ubuntu

+# platform = multi_platform_sle,Oracle Linux 8,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu

 for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin

 do

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml

deleted file mode 100644

index de81a37..0000000

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/ansible/shared.yml

+++ /dev/null

@@ -1,18 +0,0 @@

-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle

-# reboot = false

-# strategy = restrict

-# complexity = medium

-# disruption = medium

-- name: "Read list libraries without root ownership"

-  command: "find -L /usr/lib /usr/lib64 /lib /lib64 \\! -user root"

-  register: libraries_not_owned_by_root

-  changed_when: False

-  failed_when: False

-  check_mode: no

-

-- name: "Set ownership of system libraries to root"

-  file:

-    path: "{{ item }}"

-    owner: "root"

-  with_items: "{{ libraries_not_owned_by_root.stdout_lines }}"

-  when: libraries_not_owned_by_root | length > 0

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh

deleted file mode 100644

index c75167d..0000000

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/bash/shared.sh

+++ /dev/null

@@ -1,8 +0,0 @@

-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle

-for LIBDIR in /usr/lib /usr/lib64 /lib /lib64

-do

-  if [ -d $LIBDIR ]

-  then

-    find -L $LIBDIR \! -user root -exec chown root {} \; 

-  fi

-done

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml

deleted file mode 100644

index 59ee3d8..0000000

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/oval/shared.xml

+++ /dev/null

@@ -1,39 +0,0 @@

-<def-group>

-  <definition class="compliance" id="file_ownership_library_dirs" version="1">

-    {{{ oval_metadata("

-        Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and

-        objects therein, are owned by root.

-      ") }}}

-    <criteria operator="AND">

-      <criterion test_ref="test_ownership_lib_dir" />

-      <criterion test_ref="test_ownership_lib_files" />

-    </criteria>

-  </definition>

-

-  <unix:file_test  check="all" check_existence="none_exist" comment="library directories uid root" id="test_ownership_lib_dir" version="1">

-    <unix:object object_ref="object_file_ownership_lib_dir" />

-  </unix:file_test>

-

-  <unix:file_test  check="all" check_existence="none_exist" comment="library files uid root" id="test_ownership_lib_files" version="1">

-    <unix:object object_ref="object_file_ownership_lib_files" />

-  </unix:file_test>

-

-  <unix:file_object comment="library directories" id="object_file_ownership_lib_dir" version="1">

-    

-    <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>

-    <unix:filename xsi:nil="true" />

-    <filter action="include">state_owner_libraries_not_root</filter>

-  </unix:file_object>

-

-  <unix:file_object comment="library files" id="object_file_ownership_lib_files" version="1">

-    

-    <unix:path operation="pattern match">^\/lib(|64)\/|^\/usr\/lib(|64)\/</unix:path>

-    <unix:filename operation="pattern match">^.*$</unix:filename>

-   <filter action="include">state_owner_libraries_not_root</filter>

-  </unix:file_object>

-

-  <unix:file_state id="state_owner_libraries_not_root" version="1">

-    <unix:user_id datatype="int" operation="not equal">0</unix:user_id>

-  </unix:file_state>

-

-</def-group>

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml

index dfedd25..81089d3 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/rule.yml

@@ -59,3 +59,14 @@ ocil: |-

     For each of these directories, run the following command to find files not

     owned by root:

     
$ sudo find -L $DIR ! -user root -exec chown root {} \;

+

+template:

+    name: file_owner

+    vars:

+        filepath:

+            - /lib/

+            - /lib64/

+            - /usr/lib/

+            - /usr/lib64/

+        file_regex: ^.*$

+        fileuid: '0'

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh

new file mode 100644

index 0000000..92c6a08

--- /dev/null

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/correct_owner.pass.sh

@@ -0,0 +1,9 @@

+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu

+

+for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64

+do

+    if [[ -d $SYSLIBDIRS  ]]

+    then

+        find $SYSLIBDIRS ! -user root -type f -exec chown root '{}' \;

+    fi

+done

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh

new file mode 100644

index 0000000..84da71f

--- /dev/null

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_library_dirs/tests/incorrect_owner.fail.sh

@@ -0,0 +1,11 @@

+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu

+

+useradd user_test

+for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me

+do

+   if [[ ! -f $TESTFILE ]]

+   then

+     touch $TESTFILE

+   fi

+   chown user_test $TESTFILE

+done

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml

deleted file mode 100644

index cf9eeba..0000000

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/ansible/shared.yml

+++ /dev/null

@@ -1,18 +0,0 @@

-# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel,multi_platform_ol,multi_platform_sle

-# reboot = false

-# strategy = restrict

-# complexity = high

-# disruption = medium

-- name: "Read list of world and group writable files in libraries directories"

-  command: "find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f"

-  register: world_writable_library_files

-  changed_when: False

-  failed_when: False

-  check_mode: no

-

-- name: "Disable world/group writability to library files"

-  file:

-    path: "{{ item }}"

-    mode: "go-w"

-  with_items: "{{ world_writable_library_files.stdout_lines }}"

-  when: world_writable_library_files.stdout_lines | length > 0

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh

deleted file mode 100644

index af04ad6..0000000

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/bash/shared.sh

+++ /dev/null

@@ -1,5 +0,0 @@

-# platform = multi_platform_all

-DIRS="/lib /lib64 /usr/lib /usr/lib64"

-for dirPath in $DIRS; do

-	find "$dirPath" -perm /022 -type f -exec chmod go-w '{}' \;

-done

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml

deleted file mode 100644

index f25c522..0000000

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/oval/shared.xml

+++ /dev/null

@@ -1,46 +0,0 @@

-<def-group>

-  <definition class="compliance" id="file_permissions_library_dirs" version="1">

-    {{{ oval_metadata("

-        Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and

-        objects therein, are not group-writable or world-writable.

-      ") }}}

-    <criteria operator="AND">

-      <criterion test_ref="test_perms_lib_dir" />

-      <criterion test_ref="test_perms_lib_files" />

-    </criteria>

-  </definition>

-

-  <unix:file_test check="all" check_existence="none_exist" comment="library directories go-w" id="test_perms_lib_dir" version="1">

-    <unix:object object_ref="object_file_permissions_lib_dir" />

-  </unix:file_test>

-

-  <unix:file_test check="all" check_existence="none_exist" comment="library files go-w" id="test_perms_lib_files" version="1">

-    <unix:object object_ref="object_file_permissions_lib_files" />

-  </unix:file_test>

-

-  <unix:file_object comment="library directories" id="object_file_permissions_lib_dir" version="1">

-    

-    <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>

-    <unix:filename xsi:nil="true" />

-    <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>

-    <filter action="exclude">perms_state_symlink</filter>

-  </unix:file_object>

-

-  <unix:file_object comment="library files" id="object_file_permissions_lib_files" version="1">

-    

-    <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>

-    <unix:filename operation="pattern match">^.*$</unix:filename>

-    <filter action="include">state_perms_nogroupwrite_noworldwrite</filter>

-    <filter action="exclude">perms_state_symlink</filter>

-  </unix:file_object>

-

-  <unix:file_state id="state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">

-    <unix:gwrite datatype="boolean">true</unix:gwrite>

-    <unix:owrite datatype="boolean">true</unix:owrite>

-  </unix:file_state>

-

-  <unix:file_state id="perms_state_symlink" version="1">

-    <unix:type operation="equals">symbolic link</unix:type>

-  </unix:file_state>

-

-</def-group>

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml

index 902d8b5..e9afb91 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/rule.yml

@@ -60,3 +60,14 @@ ocil: |-

     To find shared libraries that are group-writable or world-writable,

     run the following command for each directory DIR which contains shared libraries:

     
$ sudo find -L DIR -perm /022 -type f

+

+template:

+    name: file_permissions

+    vars:

+        filepath:

+            - /lib/

+            - /lib64/

+            - /usr/lib/

+            - /usr/lib64/

+        file_regex: ^.*$

+        filemode: '0755'

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh

similarity index 100%

rename from linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/incorrect_permissions.fail.sh

rename to linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_library_dirs/tests/lenient_permissions.fail.sh

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml

index 3b983de..3a1e5ba 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml

@@ -4,7 +4,7 @@ prodtype: fedora,ol8,rhel8,rhel9,sle12,sle15,ubuntu2004

 title: |-

     Verify the system-wide library files in directories

-    "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are owned by root.

+    "/lib", "/lib64", "/usr/lib/" and "/usr/lib64" are group-owned by root.

 description: |-

     System-wide library files are stored in the following directories

@@ -15,7 +15,7 @@ description: |-

     /usr/lib64

     All system-wide shared library files should be protected from unauthorised

-    access. If any of these files is not owned by root, correct its owner with

+    access. If any of these files is not group-owned by root, correct its group-owner with

     the following command:

     
$ sudo chgrp root FILE

@@ -46,7 +46,7 @@ references:

     stigid@sle15: SLES-15-010355

     stigid@ubuntu2004: UBTU-20-01430

-ocil_clause: 'system wide library files are not group owned by root'

+ocil_clause: 'system wide library files are not group-owned by root'

 ocil: |-

     System-wide library files are stored in the following directories:

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh

index a4ae285..5356d37 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/correct_groupowner.pass.sh

@@ -1,4 +1,4 @@

-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu

 for SYSLIBDIRS in /lib /lib64 /usr/lib /usr/lib64

 do

diff --git a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh

index c96f65b..9636acf 100644

--- a/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh

+++ b/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/tests/incorrect_groupowner.fail.sh

@@ -1,4 +1,4 @@

-# platform = multi_platform_sle,Red Hat Enterprise Linux 8,multi_platform_fedora

+# platform = multi_platform_sle,multi_platform_rhel,multi_platform_fedora,multi_platform_ubuntu

 for TESTFILE in /lib/test_me /lib64/test_me /usr/lib/test_me /usr/lib64/test_me

 do

diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile

index d6f0793..5b2cc0f 100644

--- a/products/rhel8/profiles/stig.profile

+++ b/products/rhel8/profiles/stig.profile

@@ -233,8 +233,13 @@ selections:

     # RHEL-08-010340

     - file_ownership_library_dirs

+    # RHEL-08-010341

+    - dir_ownership_library_dirs

+

     # RHEL-08-010350

     - root_permissions_syslibrary_files

+

+    # RHEL-08-010351

     - dir_group_ownership_library_dirs

     # RHEL-08-010359

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index d8daeb3..0584677 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -3074,8 +3074,6 @@ CCE-89017-8

 CCE-89018-6

 CCE-89019-4

 CCE-89020-2

-CCE-89021-0

-CCE-89022-8

 CCE-89023-6

 CCE-89024-4

 CCE-89025-1

diff --git a/shared/templates/file_groupowner/ansible.template b/shared/templates/file_groupowner/ansible.template

index 68fc2e1..0b4ab59 100644

--- a/shared/templates/file_groupowner/ansible.template

+++ b/shared/templates/file_groupowner/ansible.template

@@ -12,6 +12,7 @@

     paths: "{{{ path }}}"

     patterns: {{{ FILE_REGEX[loop.index0] }}}

     use_regex: yes

+    hidden: yes

   register: files_found

 - name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}

diff --git a/shared/templates/file_groupowner/oval.template b/shared/templates/file_groupowner/oval.template

index fd2e5db..64a4944 100644

--- a/shared/templates/file_groupowner/oval.template

+++ b/shared/templates/file_groupowner/oval.template

@@ -45,6 +45,10 @@

     {{%- else %}}

       <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>

     {{%- endif %}}

+    <filter action="exclude">symlink_file_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}</filter>

   </unix:file_object>

   {{% endfor %}}

+  <unix:file_state id="symlink_file_groupowner{{{ FILEID }}}_uid_{{{ FILEGID }}}" version="1">

+    <unix:type operation="equals">symbolic link</unix:type>

+  </unix:file_state>

 </def-group>

diff --git a/shared/templates/file_owner/ansible.template b/shared/templates/file_owner/ansible.template

index 590c9fc..dba9e65 100644

--- a/shared/templates/file_owner/ansible.template

+++ b/shared/templates/file_owner/ansible.template

@@ -12,6 +12,7 @@

     paths: "{{{ path }}}"

     patterns: {{{ FILE_REGEX[loop.index0] }}}

     use_regex: yes

+    hidden: yes

   register: files_found

 - name: Ensure group owner on {{{ path }}} file(s) matching {{{ FILE_REGEX[loop.index0] }}}

diff --git a/shared/templates/file_owner/oval.template b/shared/templates/file_owner/oval.template

index 105e29c..777831d 100644

--- a/shared/templates/file_owner/oval.template

+++ b/shared/templates/file_owner/oval.template

@@ -44,6 +44,10 @@

     {{%- else %}}

       <unix:filepath{{% if FILEPATH_IS_REGEX %}} operation="pattern match"{{% endif %}}>{{{ filepath }}}</unix:filepath>

     {{%- endif %}}

+    <filter action="exclude">symlink_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}</filter>

   </unix:file_object>

   {{% endfor %}}

+  <unix:file_state id="symlink_file_owner{{{ FILEID }}}_uid_{{{ FILEUID }}}" version="1">

+    <unix:type operation="equals">symbolic link</unix:type>

+  </unix:file_state>

 </def-group>

diff --git a/shared/templates/file_permissions/ansible.template b/shared/templates/file_permissions/ansible.template

index fc211bd..6d4dedc 100644

--- a/shared/templates/file_permissions/ansible.template

+++ b/shared/templates/file_permissions/ansible.template

@@ -12,6 +12,7 @@

     paths: "{{{ path }}}"

     patterns: {{{ FILE_REGEX[loop.index0] }}}

     use_regex: yes

+    hidden: yes

   register: files_found

 - name: Set permissions for {{{ path }}} file(s)

diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile

index 1b4b955..c2522c9 100644

--- a/tests/data/profile_stability/rhel8/stig.profile

+++ b/tests/data/profile_stability/rhel8/stig.profile

@@ -175,6 +175,7 @@ selections:

 - dconf_gnome_screensaver_idle_delay

 - dconf_gnome_screensaver_lock_enabled

 - dir_group_ownership_library_dirs

+- dir_ownership_library_dirs

 - dir_permissions_library_dirs

 - dir_perms_world_writable_root_owned

 - dir_perms_world_writable_sticky_bits

diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile

index 3568e07..95d87fd 100644

--- a/tests/data/profile_stability/rhel8/stig_gui.profile

+++ b/tests/data/profile_stability/rhel8/stig_gui.profile

@@ -186,6 +186,7 @@ selections:

 - dconf_gnome_screensaver_idle_delay

 - dconf_gnome_screensaver_lock_enabled

 - dir_group_ownership_library_dirs

+- dir_ownership_library_dirs

 - dir_permissions_library_dirs

 - dir_perms_world_writable_root_owned

 - dir_perms_world_writable_sticky_bits