Verify that Shared Library Files Have Root Ownership

Docs > Datadog Security > OOTB Rules > Verify that Shared Library Files Have Root Ownership

Classification:

compliance

Framework:

Control:

Description

System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:

/lib
/lib64
/usr/lib
/usr/lib64

Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be owned by the root user. If the directory, or any file in these directories, is found to be owned by a user other than root correct its ownership with the following command:

$ sudo chown root *FILE*

Rationale

Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

find /lib/ -type f ! -uid 0 -regex '^.\*$' -exec chown 0 {} \;

find /lib64/ -type f ! -uid 0 -regex '^.\*$' -exec chown 0 {} \;

find /usr/lib/ -type f ! -uid 0 -regex '^.\*$' -exec chown 0 {} \;

find /usr/lib64/ -type f ! -uid 0 -regex '^.\*$' -exec chown 0 {} \;

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Find /lib/ file(s) matching ^.\*$ recursively
 command: find -H /lib/ -type f ! -uid 0 -regex "^.\*$"
 register: files\_found
 changed\_when: false
 failed\_when: false
 check\_mode: false
 tags:
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-5(6)
 - NIST-800-53-CM-5(6).1
 - NIST-800-53-CM-6(a)
 - configure\_strategy
 - file\_ownership\_library\_dirs
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure owner on /lib/ file(s) matching ^.\*$
 file:
 path: '{{ item }}'
 owner: '0'
 state: file
 with\_items:
 - '{{ files\_found.stdout\_lines }}'
 tags:
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-5(6)
 - NIST-800-53-CM-5(6).1
 - NIST-800-53-CM-6(a)
 - configure\_strategy
 - file\_ownership\_library\_dirs
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Find /lib64/ file(s) matching ^.\*$ recursively
 command: find -H /lib64/ -type f ! -uid 0 -regex "^.\*$"
 register: files\_found
 changed\_when: false
 failed\_when: false
 check\_mode: false
 tags:
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-5(6)
 - NIST-800-53-CM-5(6).1
 - NIST-800-53-CM-6(a)
 - configure\_strategy
 - file\_ownership\_library\_dirs
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure owner on /lib64/ file(s) matching ^.\*$
 file:
 path: '{{ item }}'
 owner: '0'
 state: file
 with\_items:
 - '{{ files\_found.stdout\_lines }}'
 tags:
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-5(6)
 - NIST-800-53-CM-5(6).1
 - NIST-800-53-CM-6(a)
 - configure\_strategy
 - file\_ownership\_library\_dirs
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Find /usr/lib/ file(s) matching ^.\*$ recursively
 command: find -H /usr/lib/ -type f ! -uid 0 -regex "^.\*$"
 register: files\_found
 changed\_when: false
 failed\_when: false
 check\_mode: false
 tags:
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-5(6)
 - NIST-800-53-CM-5(6).1
 - NIST-800-53-CM-6(a)
 - configure\_strategy
 - file\_ownership\_library\_dirs
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure owner on /usr/lib/ file(s) matching ^.\*$
 file:
 path: '{{ item }}'
 owner: '0'
 state: file
 with\_items:
 - '{{ files\_found.stdout\_lines }}'
 tags:
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-5(6)
 - NIST-800-53-CM-5(6).1
 - NIST-800-53-CM-6(a)
 - configure\_strategy
 - file\_ownership\_library\_dirs
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Find /usr/lib64/ file(s) matching ^.\*$ recursively
 command: find -H /usr/lib64/ -type f ! -uid 0 -regex "^.\*$"
 register: files\_found
 changed\_when: false
 failed\_when: false
 check\_mode: false
 tags:
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-5(6)
 - NIST-800-53-CM-5(6).1
 - NIST-800-53-CM-6(a)
 - configure\_strategy
 - file\_ownership\_library\_dirs
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed

- name: Ensure owner on /usr/lib64/ file(s) matching ^.\*$
 file:
 path: '{{ item }}'
 owner: '0'
 state: file
 with\_items:
 - '{{ files\_found.stdout\_lines }}'
 tags:
 - NIST-800-53-AC-6(1)
 - NIST-800-53-CM-5(6)
 - NIST-800-53-CM-5(6).1
 - NIST-800-53-CM-6(a)
 - configure\_strategy
 - file\_ownership\_library\_dirs
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed