STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide, Version 2, Release 3, Benchmark Date: 23 Apr 2021

Library files must be owned by a system account.

DISA Rule

SV-208823r603263_rule

Vulnerability Number

V-208823

Group Title

SRG-OS-000259

Rule Version

OL6-00-000046

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64
/usr/local/lib
/usr/local/lib64

If any file in these directories is found to be owned by a user other than "root" and does not match what is expected by the RPM, correct its ownership by running one of the following commands:

# rpm --setugids [PACKAGE_NAME]

Or

# chown root [FILE]

Check Contents

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64
/usr/local/lib
/usr/local/lib64

Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are not owned by "root" and do not match what is expected by the RPM, run the following command:

for i in /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64
do
  for j in $(find -L "$i" \! -user root)
  do
    rpm -V -f "$j" | grep '^.....U'
  done
done

If the command returns any results, this is a finding.
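The same check as an added example (not the STIG's or STIGQter's text), split into functions with safe quoting so file names containing spaces are not split, and with constructed rpm -V sample lines for offline testing. It goes one step beyond the STIG loop: a non-root-owned file that no package owns is reported as UNOWNED, an assumption on my part that such files deserve review since rpm -V cannot vouch for them.

```shell
# Added example, not from the STIG: the ownership check rewritten in functions.

# Library directories named in the check.
LIB_DIRS="/lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64"

# Constructed rpm -V output for offline testing; not captured from a real host.
SAMPLE_RPM_V='.M....G..    /usr/lib64/libone.so.1
.....U...    /usr/lib64/libtwo.so.2
S.5....T.  c /etc/example.conf
.....UG..  d /usr/lib64/sub dir/libthree.so'

# rpm -V lines start with an attribute string (SM5DLUGT..., "." = as packaged).
# Keep lines whose 6th attribute is U: on-disk owner differs from the RPM
# database. This is the STIG's grep '^.....U'. Reads stdin, writes stdout.
filter_owner_mismatch() {
    grep '^.....U'
}

# Strip the attribute token and optional file-type letter, leaving the path.
mismatch_paths() {
    filter_owner_mismatch | sed 's/^[^ ]*  *\([cdglr] \)\{0,1\}//'
}

# Check one file: returns 1 (and prints why) if unowned or owner-mismatched.
check_file() {
    if ! rpm -qf -- "$1" >/dev/null 2>&1; then
        printf 'UNOWNED %s\n' "$1"; return 1
    fi
    if rpm -V -f -- "$1" 2>/dev/null | filter_owner_mismatch | grep -q .; then
        printf 'OWNER-MISMATCH %s\n' "$1"; return 1
    fi
}

# Walk the directories. find -L follows symlinks like the STIG loop; paths go
# through a temp file and read -r, so names with spaces are not split.
# Returns 1 if anything was reported (a finding), 0 if clean.
audit_library_dirs() {
    tmp=$(mktemp) || return 2
    for d in $LIB_DIRS; do
        [ -d "$d" ] && find -L "$d" \! -user root -print 2>/dev/null
    done > "$tmp"
    rc=0
    while IFS= read -r f; do check_file "$f" || rc=1; done < "$tmp"
    rm -f "$tmp"
    return $rc
}
```

Run `audit_library_dirs || echo "finding"` as root on the host under review; the sample variable only feeds the filter functions.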

Vulnerability Number

V-208823

Documentable

False

Rule Version

OL6-00-000046

Severity Override Guidance

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64
/usr/local/lib
/usr/local/lib64

Kernel modules, which can be added to the kernel during runtime, are stored in "/lib/modules". All files in these directories should not be group-writable or world-writable. To find shared libraries that are not owned by "root" and do not match what is expected by the RPM, run the following command:

for i in /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64
do
  for j in $(find -L "$i" \! -user root)
  do
    rpm -V -f "$j" | grep '^.....U'
  done
done

If the command returns any results, this is a finding.

Check Content Reference

M

Target Key

2928

Comments