1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
documentation_complete: true
title: 'Ensure All Files Are Owned by a Group'
description: |-
If any file is not group-owned by a valid defined group, the cause of the lack of
group-ownership must be investigated. Following this, those files should be deleted or
assigned to an appropriate group. The groups need to be defined in <tt>/etc/group</tt>
or in <tt>/usr/lib/group</tt> if <tt>nss-altfiles</tt> are configured to be used
in <tt>/etc/nsswitch.conf</tt>.
Locate the mount points related to local devices by the following command:
<pre>$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)</pre>
For all mount points listed by the previous command, it is necessary to search for files which
do not belong to a valid group using the following command:
<pre>$ sudo find <i>MOUNTPOINT</i> -xdev -nogroup 2>/dev/null</pre>
rationale: |-
Unowned files do not directly imply a security problem, but they are generally a sign that
something is amiss. They may be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging to a deleted account, or
other similar cases. The files should be repaired so they will not cause problems when
accounts are created in the future, and the cause should be discovered and addressed.
severity: medium
identifiers:
cce@rhel8: CCE-83497-8
cce@rhel9: CCE-83906-8
cce@rhel10: CCE-88305-8
cce@sle12: CCE-83073-7
cce@sle15: CCE-85658-3
cce@slmicro5: CCE-93799-5
references:
cis-csc: 1,11,12,13,14,15,16,18,3,5
cis@sle12: 6.1.10
cis@sle15: 6.1.10
cis@slmicro5: 6.1.10
cis@ubuntu2004: 6.1.12
cis@ubuntu2204: 6.1.11
cobit5: APO01.06,DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS05.10,DSS06.02,DSS06.03,DSS06.06,DSS06.10
disa: CCI-000366
isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 5.2'
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.18.1.4,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.1,A.9.2.2,A.9.2.3,A.9.2.4,A.9.2.6,A.9.3.1,A.9.4.1,A.9.4.2,A.9.4.3,A.9.4.4,A.9.4.5
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-1,PR.AC-4,PR.AC-6,PR.AC-7,PR.DS-5,PR.PT-3
srg: SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-020330
stigid@ol8: OL08-00-010790
stigid@rhel8: RHEL-08-010790
stigid@sle12: SLES-12-010700
stigid@sle15: SLES-15-040410
ocil_clause: 'there is output'
ocil: |-
The following command will locate the mount points related to local devices:
<pre>$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)</pre>
The following command will show files which do not belong to a valid group:
<pre>$ sudo find <i>MOUNTPOINT</i> -xdev -nogroup 2>/dev/null</pre>
Replace <i>MOUNTPOINT</i> by the mount points listed by the fist command.
No files without a valid group should be located.
fixtext: |-
Either remove all files and directories from {{{ full_name }}} that do not have a valid group, or assign a valid group to all files and directories on the system with the "chgrp" command:
$ sudo chgrp
srg_requirement: 'All {{{ full_name }}} local files and directories must have a valid group owner.'
warnings:
- general: |-
This rule only considers local groups as valid groups.
If you have your groups defined outside <code>/etc/group</code> or <code>/usr/lib/group</code>, the rule won't consider those.
- general: |-
This rule can take a long time to perform the check and might consume a considerable
amount of resources depending on the number of files present on the system. It is not a
problem in most cases, but especially systems with a large number of files can be affected.
See <code>https://access.redhat.com/articles/6999111</code>.
|
