mediumfilesystemverified ✓rollback-safe
Ensure system library directories are group-owned by root or a system account
library-dirs-group-owner · RHEL ≥ 8 · 1 impl
Description
All system library directories must be group-owned by root or a system account to prevent unauthorized modification.
Rationale
Library directories group-owned by non-system accounts could allow group members to replace legitimate libraries with malicious ones, enabling privilege escalation through library injection attacks.
Check → Remediate
Checkcommand
# Check group ownership of standard library directories
# Group must be root (GID 0) or a system account (GID < 1000)
fail=0
for libdir in /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib /usr/local/lib64; do
if [ -d "$libdir" ]; then
gid=$(stat -c '%g' "$libdir" 2>/dev/null)
if [ -n "$gid" ] && [ "$gid" -ge 1000 ] 2>/dev/null; then
group=$(stat -c '%G' "$libdir" 2>/dev/null)
echo "FAIL: $libdir is group-owned by $group (GID $gid, expected system group)"
fail=1
fi
fi
done
if [ "$fail" -eq 0 ]; then
echo "OK: All library directories are group-owned by root or a system group"
exit 0
fi
exit 1
- expected_exit:
- 0
Remediatefile_permissions
- find_paths:
- /lib, /lib64, /usr/lib, /usr/lib64, /usr/local/lib, /usr/local/lib64
- find_type:
- d
- group:
- root
Framework references
STIG
V-257923 / RHEL-09-232215
NIST 800-53
AC-6CM-6
Live verification
rhel9:check
#permissions#libraries#group-ownership#hardening