ComplianceAsCode · jan-cerny · Nov 6, 2024 · Nov 6, 2024 · Nov 6, 2024 · Nov 7, 2024
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml
@@ -8,22 +8,40 @@
   </definition>
 
   <!-- Create a file_state to filter out files group-owned by known groups. -->
-  <ind:textfilecontent54_object id="etc_group_objects" version="1">
+  <ind:textfilecontent54_object id="object_etc_group" version="1">
     <ind:filepath>/etc/group</ind:filepath>
     <ind:pattern operation="pattern match">^[^:]+:[^:]*:([\d]+):[^:]*$</ind:pattern>
     <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
   </ind:textfilecontent54_object>
 
+  <ind:textfilecontent54_object id="object_usr_lib_group" version="1">
+    <ind:filepath>/usr/lib/group</ind:filepath>
+    <ind:pattern operation="pattern match">^[^:]+:[^:]*:([\d]+):[^:]*$</ind:pattern>
+    <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="object_all_gids" version="1">
+    <set>
+      <object_reference>object_etc_group</object_reference>
+      <object_reference>object_usr_lib_group</object_reference>
+    </set>
+  </ind:textfilecontent54_object>
+
   <local_variable id="var_all_local_gids" version="1"
     datatype="int" comment="all GIDs extracted from /etc/group on the target system">
-    <object_component object_ref="etc_group_objects" item_field="subexpression"/>
+    <object_component object_ref="object_all_gids" item_field="subexpression"/>
   </local_variable>
 
   <unix:file_state id="state_file_permissions_ungroupowned_local_group_owner" version="1"
     comment="Used to filter out all files group-owned by a group defined in /etc/group">
     <unix:group_id datatype="int" var_check="at least one" var_ref="var_all_local_gids"/>
   </unix:file_state>
 
+  <unix:file_state id="state_file_permissions_ungroupowned_sysroot" version="1"
+    comment="Used to filter out all files in the /sysroot directory">
+    <unix:filepath operation="pattern match">^/sysroot/.*$</unix:filepath>
+  </unix:file_state>
+
   {{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}}
   {{{ create_local_mount_points_list(var_local_mount_points) }}}
 
@@ -40,6 +58,7 @@
       var_ref="{{{ var_local_mount_points }}}"/>
     <unix:filename operation="pattern match">.*</unix:filename>
     <filter action="exclude">state_file_permissions_ungroupowned_local_group_owner</filter>
+    <filter action="exclude">state_file_permissions_ungroupowned_sysroot</filter>
   </unix:file_object>
 
   <unix:file_test id="test_file_permissions_ungroupowned" version="1"

diff --git a/...ide/system/permissions/files/file_permissions_ungroupowned/tests/group_in_usr_lib.pass.sh b/...ide/system/permissions/files/file_permissions_ungroupowned/tests/group_in_usr_lib.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+UNOWNED_FILES=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup)
+
+IFS=$"\n"
+for f in $UNOWNED_FILES; do
+	rm -f "$f"
+done
+
+touch /root/test
+chown 9999:9999 /root/test
+echo "testgroup:x:9999:" >> /usr/lib/group
diff --git a/...e/system/permissions/files/file_permissions_ungroupowned/tests/unowned_in_sysroot.pass.sh b/...e/system/permissions/files/file_permissions_ungroupowned/tests/unowned_in_sysroot.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+#
+# remediation = none
+
+UNOWNED_FILES=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup)
+
+IFS=$"\n"
+for f in $UNOWNED_FILES; do
+	rm -f "$f"
+done
+
+mkdir /sysroot
+touch /sysroot/test
+chown 9999:9999 /sysroot/test