Add rule for SLES-15-10352

Clone implementation of file_permissions_library_dirs to dir_permissions_library_dirs

linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/ansible/shared.yml

@@ -0,0 +1,18 @@
+# platform = SUSE Linux Enterprise 15
+# reboot = false
+# strategy = restrict
+# complexity = high
+# disruption = medium
+- name: "Read list of world and group writable subdirectories in libraries directories"
+  command: "find /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type d"
+  register: world_writable_library_dirs
+  changed_when: False
+  failed_when: False
+  check_mode: no
+
+- name: "Disable world/group writability to library files"
+  file:
+    path: "{{ item }}"
+    mode: "go-w"
+  with_items: "{{ world_writable_library_dirs.stdout_lines }}"
+  when: world_writable_library_dirs.stdout_lines | length > 0

linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/bash/shared.sh

@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+	find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;
+done

linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/oval/shared.xml

@@ -0,0 +1,46 @@
+<def-group>
+  <definition class="compliance" id="dir_permissions_library_dirs" version="1">
+    {{{ oval_metadata("
+        Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
+        objects therein, are not group-writable or world-writable.
+      ") }}}
+    <criteria operator="AND">
+      <criterion test_ref="dir_test_perms_lib_dir" />
+      <criterion test_ref="dir_test_perms_lib_files" />
+    </criteria>
+  </definition>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="library directories go-w" id="dir_test_perms_lib_dir" version="1">
+    <unix:object object_ref="dir_object_file_permissions_lib_dir" />
+  </unix:file_test>
+
+  <unix:file_test check="all" check_existence="none_exist" comment="library files go-w" id="dir_test_perms_lib_files" version="1">
+    <unix:object object_ref="dir_object_file_permissions_lib_files" />
+  </unix:file_test>
+
+  <unix:file_object comment="library directories" id="dir_object_file_permissions_lib_dir" version="1">
+    <!-- Check that /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
+    <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
+    <unix:filename xsi:nil="true" />
+    <filter action="include">dir_state_perms_nogroupwrite_noworldwrite</filter>
+    <filter action="exclude">dir_perms_state_symlink</filter>
+  </unix:file_object>
+
+  <unix:file_object comment="library files" id="dir_object_file_permissions_lib_files" version="1">
+    <!-- Check the files within /lib, /lib64, /usr/lib, /usr/lib64 directories have safe permissions (go-w) -->
+    <unix:path operation="pattern match">^\/lib(|64)|^\/usr\/lib(|64)</unix:path>
+    <unix:filename operation="pattern match">^.*$</unix:filename>
+    <filter action="include">dir_state_perms_nogroupwrite_noworldwrite</filter>
+    <filter action="exclude">dir_perms_state_symlink</filter>
+  </unix:file_object>
+
+  <unix:file_state id="dir_state_perms_nogroupwrite_noworldwrite" version="1" operator="OR">
+    <unix:gwrite datatype="boolean">true</unix:gwrite>
+    <unix:owrite datatype="boolean">true</unix:owrite>
+  </unix:file_state>
+
+  <unix:file_state id="dir_perms_state_symlink" version="1">
+    <unix:type operation="equals">symbolic link</unix:type>
+  </unix:file_state>
+
+</def-group>

linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/rule.yml

@@ -0,0 +1,57 @@
+documentation_complete: true
+
+title: |-
+{{% if product in ["sle15"] %}}
+    The SUSE operating system library directories must have mode 0755 or less permissive.
+{{% else %}}
+    Verify that Shared Library Directories Have Restrictive Permissions
+{{% endif %}}
+
+description: |-
+    System-wide shared library directories, which contain are linked to executables
+    during process load time or run time, are stored in the following directories
+    by default:
+    <pre>/lib
+    /lib64
+    /usr/lib
+    /usr/lib64
+    </pre>
+    Kernel modules, which can be added to the kernel during runtime, are
+    stored in <tt>/lib/modules</tt>. All sub-directories in these directories
+    should not be group-writable or world-writable. If any file in these
+    directories is found to be group-writable or world-writable, correct
+    its permission with the following command:
+    <pre>$ sudo chmod go-w <i>DIR</i></pre>
+
+rationale: |-
+    If the SUSE operating system were to allow any user to make changes to software libraries,
+    then those changes might be implemented without undergoing the appropriate testing
+    and approvals that are part of a robust change management process.
+
+    This requirement applies to SUSE operating systems with software libraries that are accessible
+    and configurable, as in the case of interpreted languages. Software libraries also include
+    privileged programs which execute with escalated privileges. Only qualified and authorized
+    individuals must be allowed to obtain access to information system components for purposes
+    of initiating changes, including upgrades and modifications.
+
+identifiers:
+    cce@sle15: CCE-85753-2
+
+severity: medium
+
+references:
+    cci@sle15: CCI-001499
+    stigid@sle15: SLES-15-010352
+
+ocil_clause: 'any of these files are group-writable or world-writable'
+
+ocil: |-
+    Shared libraries are stored in the following directories:
+    <pre>/lib
+    /lib64
+    /usr/lib
+    /usr/lib64
+    </pre>
+    To find shared libraries that are group-writable or world-writable,
+    run the following command for each directory <i>DIR</i> which contains shared libraries:
+    <pre>$ sudo find -L <i>DIR</i> -perm /022 -type d</pre>

linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/all_dirs_ok.pass.sh

@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+	find "$dirPath" -perm /022 -type d -exec chmod go-w '{}' \;
+done

linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/owner_only_writable_dir.sh

@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+DIRS="/lib /lib64 /usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+	mkdir -p "$dirPath/testme" && chmod 700  "$dirPath/testme"
+done

linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_lib.sh

@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+DIRS="/lib /lib64"
+for dirPath in $DIRS; do
+	mkdir -p "$dirPath/testme" && chmod 777  "$dirPath/testme"
+done

linux_os/guide/system/permissions/files/permissions_within_important_dirs/dir_permissions_library_dirs/tests/world_writable_dir_on_usr_lib.sh

@@ -0,0 +1,5 @@
+# platform = SUSE Linux Enterprise 15
+DIRS="/usr/lib /usr/lib64"
+for dirPath in $DIRS; do
+	mkdir -p "$dirPath/testme" && chmod 777 "$dirPath/test"
+done

sle15/profiles/stig.profile

@@ -147,6 +147,7 @@ selections:
     - dconf_db_up_to_date
     - dconf_gnome_banner_enabled
     - dconf_gnome_login_banner_text
+    - dir_permissions_library_dirs
     - dir_perms_world_writable_sticky_bits
     - dir_perms_world_writable_system_owned_group
     - disable_ctrlaltdel_burstaction