Ubuntu 24.04 STIG Rule UBTU-24-300010

Author: ericeberry

controls/stig_ubuntu2404.yml

@@ -546,9 +546,9 @@ controls:
       account.
     levels:
       - medium
-    related_rules:
+    rules:
       - file_groupownership_system_commands_dirs
-    status: planned
+    status: automated
 
   - id: UBTU-24-300014
     title: Ubuntu 24.04 LTS must prevent the use of dictionary words for passwords.

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/shared.sh

@@ -1,6 +1,6 @@
 # platform = multi_platform_fedora,multi_platform_ol,multi_platform_rhel,multi_platform_sle,multi_platform_slmicro,multi_platform_almalinux
 
-for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
+for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin 
 do
    find -L $SYSCMDFILES \! -group root -type f -exec chgrp root '{}' \;
 done

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/bash/ubuntu.sh

@@ -1,6 +1,11 @@
 # platform = multi_platform_ubuntu
 
+{{% if product in ["ubuntu2404"] %}}
+find -L /bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/local/bin/ /usr/local/sbin/ -maxdepth 1 -type f  ! -group root ! -group daemon ! -group adm ! -group shadow ! -group mail ! -group crontab ! -group _ssh -regextype posix-extended -regex '.*' -exec chgrp -L root {} \;
+
+{{% else %}}
 for SYSCMDFILES in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
 do
    find -L $SYSCMDFILES ! -group root -type f ! -perm /2000 -exec chgrp root '{}' \;
 done
+{{% endif %}}

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/oval/shared.xml

@@ -1,3 +1,4 @@
+{{% if product not in ["ubuntu2404"] %}}
 <def-group>
   <definition class="compliance" id="file_groupownership_system_commands_dirs" version="1">
     {{{ oval_metadata("
@@ -26,3 +27,4 @@
   </unix:file_state>
 
 </def-group>
+{{% endif %}}

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/oval/ubuntu.xml

@@ -1,3 +1,4 @@
+{{% if product not in ["ubuntu2404"] %}}
 <def-group>
   <definition class="compliance" id="file_groupownership_system_commands_dirs" version="1">
     {{{ oval_metadata("
@@ -27,3 +28,4 @@
   </unix:file_state>
 
 </def-group>
+{{% endif %}}

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/rule.yml

@@ -67,3 +67,18 @@ fixtext: |-
 
 srg_requirement:
     {{{ full_name }}} system commands must be group-owned by root or a system account.
+
+{{% if product in ["ubuntu2404"] %}}
+template:
+    name: file_groupowner
+    vars:
+        filepath:
+            - /bin/
+            - /sbin/ 
+            - /usr/bin/ 
+            - /usr/sbin/
+            - /usr/local/bin/
+            - /usr/local/sbin/
+        file_regex: .*
+        gid_or_name: 'root|daemon|adm|shadow|mail|crontab|_ssh'
+{{% endif %}}

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupowner.pass.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+{{% if product in ["ubuntu2404"] %}}
+useradd crontab
+{{% endif %}}
+
+{{% if 'ubuntu' in product %}}
+for SYSLIBDIRS in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
+{{% else %}}
+for SYSLIBDIRS in /bin /sbin /usr/bin /usr/sbin /usr/local/bin
+{{% endif %}}
+do
+  find -L  $SYSLIBDIRS \! -group root -type f -exec chgrp root '{}' \;
+done

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupowner_sgid.fail.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+{{% if product in ["ubuntu2404"] %}}
+useradd crontab
+{{% endif %}}
+
+{{% if 'ubuntu' in product %}}
+for SYSLIBDIRS in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
+{{% else %}}
+for SYSLIBDIRS in /bin /sbin /usr/bin /usr/sbin /usr/local/bin
+{{% endif %}}
+do
+  find -L  $SYSLIBDIRS \! -group root -type f -exec chgrp root '{}' \;
+done
+
+groupadd group_test
+
+{{% if 'ubuntu' in product %}}
+for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me
+{{% else %}}
+for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me
+{{% endif %}}
+do
+  if [[ ! -f $TESTFILE ]]
+  then
+    touch $TESTFILE
+  fi
+  chgrp group_test $TESTFILE
+  chmod g+s $TESTFILE
+done

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupowner_sgid.pass.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# platform = multi_platform_ubuntu
+
+{{% if product in ["ubuntu2404"] %}}
+useradd crontab
+{{% endif %}}
+
+
+{{% if 'ubuntu' in product %}}
+for SYSLIBDIRS in /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin
+{{% else %}}
+for SYSLIBDIRS in /bin /sbin /usr/bin /usr/sbin /usr/local/bin
+{{% endif %}}
+do
+  find -L  $SYSLIBDIRS \! -group root -type f -exec chgrp root '{}' \;
+done
+
+{{% if 'ubuntu' in product %}}
+for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me
+{{% else %}}
+for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me
+{{% endif %}}
+do
+  if [[ ! -f $TESTFILE ]]
+  then
+    touch $TESTFILE
+  fi
+  chgrp root $TESTFILE
+  chmod g+s $TESTFILE
+done

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupownership.pass.sh

@@ -1,12 +1,20 @@
 #!/bin/bash
 
+{{% if product in ["ubuntu2404"] %}}
+useradd crontab
+{{% endif %}}
+
 groupadd group_test
 
+{{% if 'ubuntu' in product %}}
 for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me
+{{% else %}}
+for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me
+{{% endif %}}
 do
-   if [[ ! -f $TESTFILE ]]
-   then
-     touch $TESTFILE
-   fi
-   chgrp group_test $TESTFILE
+  if [[ ! -f $TESTFILE ]]
+  then
+    touch $TESTFILE
+  fi
+  chgrp group_test $TESTFILE
 done

linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/tests/correct_groupownership_sgid.pass.sh

@@ -6,11 +6,11 @@
 # gid of sshd group is 74
 test_group="sshd"
 
-for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me /usr/local/sbin/test_me
+for TESTFILE in /bin/test_me /sbin/test_me /usr/bin/test_me /usr/sbin/test_me /usr/local/bin/test_me
 do
-   if [[ ! -f $TESTFILE ]]
-   then
-     touch $TESTFILE
-   fi
-   chgrp "$test_group" $TESTFILE
+  if [[ ! -f $TESTFILE ]]
+  then
+    touch $TESTFILE
+  fi
+  chgrp "$test_group" $TESTFILE
 done