← Rules Catalog
mediumfilesystemverified rollback-safe

Ensure system library directories are group-owned by root or a system account

library-dirs-group-owner · RHEL ≥ 8 · 1 impl

Description

All system library directories must be group-owned by root or a system account to prevent unauthorized modification.

Rationale

Library directories group-owned by non-system accounts could allow group members to replace legitimate libraries with malicious ones, enabling privilege escalation through library injection attacks.

Check → Remediate

Checkcommand
# Check group ownership of standard library directories
# Group must be root (GID 0) or a system account (GID < 1000)
fail=0
for libdir in /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64; do
  if [ -d "$libdir" ]; then
    gid=$(stat -c '%g' "$libdir" 2>/dev/null)
    if [ -n "$gid" ] && [ "$gid" -ge 1000 ] 2>/dev/null; then
      group=$(stat -c '%G' "$libdir" 2>/dev/null)
      echo "FAIL: $libdir is group-owned by $group (GID $gid, expected system group)"
      fail=1
    fi
  fi
done
if [ "$fail" -eq 0 ]; then
  echo "OK: All library directories are group-owned by root or a system group"
  exit 0
fi
exit 1
expected_exit:
0
Remediatefile_permissions
find_paths:
/lib, /lib64, /usr/lib, /usr/lib64, /usr/local/lib, /usr/local/lib64
find_type:
d
group:
root

Framework references

STIG

V-257923 / RHEL-09-232215

NIST 800-53

AC-6CM-6

Live verification

rhel9:check
#permissions#libraries#group-ownership#hardening