Verify User Who Owns group File

An XCCDF Rule

Description

To properly set the owner of /etc/group, run the command:

$ sudo chown root /etc/group

Rationale

The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.

ID: xccdf_org.ssgproject.content_rule_file_owner_etc_group
Severity: Medium
References: 12 13 14 15 16 18 3 5

5.5.2.2

APO01.06 DSS05.04 DSS05.07 DSS06.02

4.3.3.7.3

SR 2.1 SR 5.2

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

CIP-003-8 R5.1.1 CIP-003-8 R5.3 CIP-004-6 R2.3 CIP-007-3 R2.1 CIP-007-3 R2.2 CIP-007-3 R2.3 CIP-007-3 R5.1 CIP-007-3 R5.1.1 CIP-007-3 R5.1.2

AC-6(1) CM-6(a)

PR.AC-4 PR.DS-5

Req-8.7.c

SRG-OS-000480-GPOS-00227

6.1.4

CCE-91665-0

2.2 2.2.6

CCI-000366

R50
Updated: about 1 month ago

Remediation Templates

- name: Test for existence /etc/group
  stat:
    path: /etc/group
  register: file_exists
  tags:
  - CCE-91665-0  - CJIS-5.5.2.2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.7.c
  - PCI-DSSv4-2.2
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_owner_etc_group
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
- name: Ensure owner 0 on /etc/group
  file:
    path: /etc/group
    owner: '0'
  when: file_exists.stat is defined and file_exists.stat.exists
  tags:
  - CCE-91665-0
  - CJIS-5.5.2.2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-8.7.c
  - PCI-DSSv4-2.2
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_owner_etc_group
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

chown 0 /etc/group

Verify User Who Owns group File

Description

Rationale

Remediation Templates

An Ansible Snippet

A Shell Script