TOSS 5 library directories must be group-owned by root or a system account.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-282543TOSS-05-000180SV-282543r1201327_ruleCCI-001499medium
Description
If TOSS 5 allowed any user to make changes to software libraries, then those changes might be implemented without undergoing the appropriate testing and approvals that are part of a robust change management process. This requirement applies to TOSS 5 with software libraries that are accessible and configurable, as in the case of interpreted languages. Software libraries also include privileged programs that execute with escalated privileges.
STIGDate
Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide2026-04-01

Details

Check Text (C-282543r1201327_chk)

Verify the systemwide shared library directories are group-owned by "root" with the following command: $ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d -exec stat -c "%n %G" '{}' \; If any systemwide shared library directory is returned and is not group-owned by a required system account, and is not documented with the information system security officer (ISSO) as an operational requirement, this is a finding.

Fix Text (F-87009r1201326_fix)

Configure the systemwide shared library directories (/lib, /lib64, /usr/lib and /usr/lib64) to be protected from unauthorized access. Run the following command, replacing "[DIRECTORY]" with any library directory not group-owned by "root". $ sudo chgrp root [DIRECTORY]