From a38803220a5bdafccd7e6fb3c5f9a9f7be6fef03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Wed, 6 Nov 2024 11:53:21 +0100
Subject: [PATCH 1/4] Exclude the /sysroot directory
In systems based on bootable container images the `/sysroot` directory contains the filesystem of the image which should be excluded from the scanned files check.
---
 .../files/file_permissions_ungroupowned/oval/shared.xml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml
index b7839d0de26..60c811afe69 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml
@@ -24,6 +24,11 @@ + + ^/sysroot/.*$ + + {{%- set var_local_mount_points = "var_" ~ rule_id ~ "_local_mountpoints" -%}} {{{ create_local_mount_points_list(var_local_mount_points) }}}
@@ -40,6 +45,7 @@ var_ref="{{{ var_local_mount_points }}}"/> .* state_file_permissions_ungroupowned_local_group_owner + state_file_permissions_ungroupowned_sysroot
Date: Wed, 6 Nov 2024 14:43:28 +0100
Subject: [PATCH 2/4] Add support for /usr/lib/group
If the `nss-altfiles` are installed and `/etc/nsswitch.conf` is configured to use `nss-altfiles`, the users group can be defined als in `/usr/lib/group` next to `/etc/group`. The `/usr/lib/group` is a valid source of group definitions and therefore needs to be consulted during the check if nsswitch is configured to use this file. The `nss-altfiles` is often used in bootable containers base images.
---
 .../oval/shared.xml | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml
index 60c811afe69..eefdfc816a4 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/oval/shared.xml
@@ -8,15 +8,28 @@ - + /etc/group ^[^:]+:[^:]*:([\d]+):[^:]*$ 1 + + /usr/lib/group ^[^:]+:[^:]*:([\d]+):[^:]*$ + 1 + + + + + object_etc_group + object_usr_lib_group + + + - +
Date: Wed, 6 Nov 2024 14:48:48 +0100
Subject: [PATCH 3/4] Add new test scenarios
Add new Automatus test scenarios for rule file_permissions_ungroupowned that cover recent changes - exclusion of /sysroot and addition of /usr/lib/group as second source of group data.
---
 .../tests/group_in_usr_lib.pass.sh | 12 ++++++++++++
 .../tests/unowned_in_sysroot.pass.sh | 14 ++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_ungroupowned/tests/group_in_usr_lib.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/file_permissions_ungroupowned/tests/unowned_in_sysroot.pass.sh
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/tests/group_in_usr_lib.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/tests/group_in_usr_lib.pass.sh
new file mode 100644
index 00000000000..2dba98f1f26
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/tests/group_in_usr_lib.pass.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+UNOWNED_FILES=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup)
+
+IFS=$"\n"
+for f in $UNOWNED_FILES; do
+ rm -f "$f"
+done
+
+touch /root/test
+chown 9999:9999 /root/test
+echo "testgroup:x:9999:" >> /usr/lib/group
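Review bot: As rendered, the new object set consults /usr/lib/group unconditionally — the hunk combines object_etc_group and object_usr_lib_group and shows no reference to /etc/nsswitch.conf, while the commit message (and the rule.yml description changed in patch 4) says the file is consulted only if nsswitch is configured to use it. On a host where nss-altfiles is not enabled, a GID present only in /usr/lib/group would satisfy the check even though the OS does not resolve that group, so the check is weaker than the documentation claims. The group_in_usr_lib.pass.sh scenario added in patch 3 appends to /usr/lib/group without touching nsswitch.conf, which is consistent with the check being unconditional. Either gate the second object on a check of /etc/nsswitch.conf, or change the description to say both files are always consulted. The element tags are stripped in this rendering, so this is inferred from the surviving content.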
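Review bot: `IFS=$"\n"` on the new IFS line sets the separator to the two literal characters backslash and n, not to a newline: `$"..."` is bash locale-translation quoting and `\n` is not an escape inside it. The following `for f in $UNOWNED_FILES` loop therefore splits the find output on every `n` and `\` in a path, so the `rm -f "$f"` cleanup runs on path fragments rather than on the files it is meant to remove. The intended form is `IFS=$'\n'`. The same line appears in unowned_in_sysroot.pass.sh in the next hunk.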
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/tests/unowned_in_sysroot.pass.sh b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/tests/unowned_in_sysroot.pass.sh
new file mode 100644
index 00000000000..a65499c6a64
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/tests/unowned_in_sysroot.pass.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+#
+# remediation = none
+
+UNOWNED_FILES=$(df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup)
+
+IFS=$"\n"
+for f in $UNOWNED_FILES; do
+ rm -f "$f"
+done
+
+mkdir /sysroot
+touch /sysroot/test
+chown 9999:9999 /sysroot/test
From 6a30452f3baff1100f9b42f0270e160d413a6bea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Thu, 7 Nov 2024 11:24:21 +0100
Subject: [PATCH 4/4] Update rule description
Reflects the recent change that the check now considers /usr/lib/group in addition.
---
 .../files/file_permissions_ungroupowned/rule.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
index 814e0ceb54f..2a432758b02 100644
--- a/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
+++ b/linux_os/guide/system/permissions/files/file_permissions_ungroupowned/rule.yml
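Review bot: `mkdir /sysroot` has no `-p`, so it fails when the directory already exists, which is the normal state on the bootable-container systems this exclusion is written for; the scenario would then report an error before the file it wants excluded is created. `mkdir -p /sysroot` makes the setup idempotent. Whether the Automatus harness runs scenarios in an environment where /sysroot pre-exists is not visible here, so this is a robustness point rather than an observed failure.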
@@ -4,9 +4,11 @@ documentation_complete: true title: 'Ensure All Files Are Owned by a Group' description: |- - If any file is not group-owned by a group present in /etc/group, the cause of the lack of + If any file is not group-owned by a valid defined group, the cause of the lack of group-ownership must be investigated. Following this, those files should be deleted or - assigned to an appropriate group. + assigned to an appropriate group. The groups need to be defined in /etc/group + or in /usr/lib/group if nss-altfiles are configured to be used + in /etc/nsswitch.conf. Locate the mount points related to local devices by the following command:
$ findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,)
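Review bot: The updated description documents the new /usr/lib/group source but says nothing about the `^/sysroot/.*$` exclusion added to the OVAL in patch 1, so a reader of the rule cannot tell that files under /sysroot are no longer examined. The exclusion is by path pattern and is not tied to a platform, so it applies on every target, not only bootable container images. A sentence in the description, or a `warnings` entry such as `The /sysroot directory is excluded from the check because on bootable container images it holds the image filesystem.`, would close that gap; the warnings hunk at the end of this file is the natural place for it.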
@@ -75,7 +77,7 @@ srg_requirement: 'All {{{ full_name }}} local files and directories must have a warnings: - general: |- This rule only considers local groups as valid groups. - If you have your groups defined outside /etc/group, the rule won't consider those. + If you have your groups defined outside /etc/group or /usr/lib/group, the rule won't consider those. - general: |- This rule can take a long time to perform the check and might consume a considerable amount of resources depending on the number of files present on the system. It is not a