{"description": "System-wide library files are stored in the following directories\nby default:\n<pre>/lib\n/lib64\n/usr/lib\n/usr/lib64\n</pre>\nAll system-wide shared library files should be protected from unauthorised\naccess. If any of these files is not group-owned by root or a required system account,\ncorrect its group-owner with the following command:\n<pre>$ sudo chgrp root <i>FILE</i></pre>", "rationale": "If the operating system were to allow any user to make changes to software libraries,\nthen those changes might be implemented without undergoing the appropriate testing and\napprovals that are part of a robust change management process.\n\nThis requirement applies to operating systems with software libraries that are\naccessible and configurable, as in the case of interpreted languages. Software libraries\nalso include privileged programs which execute with escalated privileges. Only qualified\nand authorized individuals must be allowed to obtain access to information system components\nfor purposes of initiating changes, including upgrades and modifications.", "severity": "medium", "references": {"nist": ["CM-5(6)", "CM-5(6).1"], "srg": ["SRG-OS-000259-GPOS-00100"], "stigid": ["UBTU-22-232075"], "stigref": ["SV-260500r991560_rule"]}, "control_references": {"stigid": ["UBTU-22-232075"]}, "components": [], "identifiers": {}, "ocil_clause": "any system wide shared library file is returned and is not group-owned by root or a required system account", "ocil": "Verify the system-wide shared library files are group-owned by root or a required system account with the following command:\n\n$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root -exec ls -l {} \\;", "oval_external_content": null, "fixtext": "Configure the system-wide shared library files (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access.\n\nRun the following command, replacing \"[FILE]\" with any library file not group-owned by root or a required system account.\n\n$ sudo chgrp root [FILE]", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 library files must be group-owned by root or a required system account.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 library files must be group-owned by root or a system account.", "vuldiscussion": "If Ubuntu 22.04 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process.\n\nThis requirement applies to Ubuntu 22.04 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.", "checktext": "Verify the systemwide shared library files are group-owned by \"root\" with the following command:\n\n$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -group root ! -type d -exec stat -L -c \"%G %n\" {} \\;\n\nIf any systemwide shared library file is returned and is not group-owned by a required system account, this is a finding.", "fixtext": "Configure the systemwide shared library files (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access.\n\nRun the following command, replacing \"[FILE]\" with any library file not group-owned by \"root\".\n\n$ sudo chgrp root [FILE]"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Verify the system-wide library files in directories\n\"/lib\", \"/lib64\", \"/usr/lib/\" and \"/usr/lib64\" are group-owned by root or a required system account.", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/files/permissions_within_important_dirs/root_permissions_syslibrary_files/rule.yml", "template": null}