diff --git a/src/freedombone-addcert b/src/freedombone-addcert
index 725692f5..350aac33 100755
--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -239,6 +239,7 @@ function add_cert_letsencrypt {
 chgrp -R ssl-cert /etc/letsencrypt
 chmod -R 600 /etc/letsencrypt
 chmod -R g=rX /etc/letsencrypt
+ chown -R root:ssl-cert /etc/letsencrypt
 systemctl start nginx
 exit 63216
 fi
@@ -288,6 +289,7 @@ function add_cert_letsencrypt {
 chgrp -R ssl-cert /etc/letsencrypt
 chmod -R 600 /etc/letsencrypt
 chmod -R g=rX /etc/letsencrypt
+ chown -R root:ssl-cert /etc/letsencrypt
 nginx_ensite ${LETSENCRYPT_HOSTNAME}
 systemctl start nginx
diff --git a/src/freedombone-app-xmpp b/src/freedombone-app-xmpp
index c40476e2..b644af42 100755
--- a/src/freedombone-app-xmpp
+++ b/src/freedombone-app-xmpp
@@ -689,6 +689,7 @@ function xmpp_onion_addresses {
 echo ' ["wtfismyip.com"] = "ofkztxcohimx34la.onion";' >> $filename
 echo ' ["prosody.xmpp.is"] = "y2qmqomqpszzryei.onion";' >> $filename
 echo ' ["xndr.de"] = "trcubpttd6zkc3tf.onion";' >> $filename
+ echo ' ["jabber.cat"] = "sybzodlxacch7st7.onion";' >> $filename
 echo ' ["trashserver.net"] = "m4c722bvc2r7brnn.onion";' >> $filename
 echo '};' >> $filename
 }
diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup
index 7849cfea..51a1ca74 100755
--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -645,6 +645,7 @@ function lockdown_permissions {
 if [ -d /etc/letsencrypt ]; then
 chmod -R 600 /etc/letsencrypt
 chmod -R g=rX /etc/letsencrypt
+ chown -R root:ssl-cert /etc/letsencrypt
 fi
 chown -f root:root /etc/motd /etc/issue*
 chmod -f 0444 /etc/motd /etc/issue*
diff --git a/tests/check-libs-owner.sh b/tests/check-libs-owner.sh
index ecda7471..b99ef1d7 100644
--- a/tests/check-libs-owner.sh
+++ b/tests/check-libs-owner.sh
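Review bot: The added `chown -R root:ssl-cert /etc/letsencrypt`, together with the `chmod -R g=rX` just above it, makes every file under /etc/letsencrypt group-readable by all members of ssl-cert — if the usual certbot layout is in place that includes the ACME account key under accounts/ and every archived private key under archive/, which certbot otherwise keeps root-only; the second add_cert_letsencrypt hunk and lockdown_permissions in freedombone-utils-setup have the same issue. If the intent is only to let the web server read the current key and certificate, restrict the group grant to the directories it actually needs, e.g. `chown -R root:ssl-cert /etc/letsencrypt/live /etc/letsencrypt/archive` and keep the rest of the tree at `root:root` with mode 700. In the two add_cert_letsencrypt hunks the preceding `chgrp -R ssl-cert /etc/letsencrypt` is made redundant by the new chown and can be dropped. add_cert_letsencrypt starts and ends outside these hunks.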
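Review bot: The new `["jabber.cat"]` entry hard-codes an onion address that a reader cannot verify from the commit, and a wrong or stale entry in this table silently steers federation traffic for that domain to whichever service holds that onion name. Add a comment above the new line recording where the mapping was obtained and when it was checked, e.g. `# jabber.cat onion address as published by the operator, checked <DATE>; re-verify before release`, so the table can be audited later. xmpp_onion_addresses begins outside the hunk.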
@@ -2,41 +2,41 @@
 if [ -d "/lib" ];then
- COUNT=$(find -L /lib \! -user root -exec ls -l {} \; | grep -v '> /dev/null' | wc -l)
+ COUNT=$(find -L /lib \! -user root -exec ls -l {} \; | grep -v '> /dev/null' | wc -l)
- if [ $COUNT -eq 0 ];then
- :
- else
- exit 1
- fi
+ if [ $COUNT -eq 0 ];then
+ :
+ else
+ exit 1
+ fi
 fi
 if [ -d "/lib64" ];then
- COUNT=$(find -L /lib64 \! -user root -exec ls -l {} \; |wc -l)
+ COUNT=$(find -L /lib64 \! -user root -exec ls -l {} \; |wc -l)
- if [ $COUNT -eq 0 ];then
- :
- else
- exit 1
- fi
+ if [ $COUNT -eq 0 ];then
+ :
+ else
+ exit 1
+ fi
 fi
 if [ -d "/usr/lib" ];then
- COUNT=$(find -L /usr/lib \! -user root -exec ls -l {} \; |wc -l)
+ COUNT=$(find -L /usr/lib \! -user root -exec ls -l {} \; |wc -l)
- if [ $COUNT -eq 0 ];then
- :
- else
- exit 1
- fi
+ if [ $COUNT -eq 0 ];then
+ :
+ else
+ exit 1
+ fi
 fi
 if [ -d "/usr/lib64" ];then
- COUNT=$(find -L /usr/lib64 \! -user root -exec ls -l {} \; |wc -l)
+ COUNT=$(find -L /usr/lib64 \! -user root -exec ls -l {} \; |wc -l)
- if [ $COUNT -eq 0 ];then
- :
- else
- exit 1
- fi
+ if [ $COUNT -eq 0 ];then
+ :
+ else
+ exit 1
+ fi
 fi
diff --git a/tests/output.sh b/tests/output.sh
index 2174039b..774612f4 100644
--- a/tests/output.sh
+++ b/tests/output.sh
@@ -485,6 +485,12 @@ time, are stored in the following directories by default:\n\n/lib\n/lib64\n/usr/
 if [ $2 -ne 0 ];then
 printf '\n######################\n\nSTIG-ID:RHEL-06-000046\n\nVulnerability Discussion: Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system.\n\nFix text: System-wide shared library files, which are linked to executables during process load time or run time, are stored in the following directories by default:\n\n/lib\n/lib64\n/usr/lib\n/usr/lib64\n\nIf any file in these directories is found to be owned by a user other than root, correct its ownership with the following command:\n\n#chown root [FILE]\n\n######################\n\n' >> $LOG
 fi
+ find -L /lib \! -user root -exec ls -l {} \; | grep -v '> /dev/null'
+ find -L /lib64 \! -user root -exec ls -l {} \;
+ find -L /usr/lib \! -user root -exec ls -l {} \;
+ if [ -d /usr/lib64 ]; then
+ find -L /usr/lib64 \! -user root -exec ls -l {} \;
+ fi
 ;;
 V-38469)
 if [ "$3" = "en" ]; then
 log_msg $2 'All system command files must have mode 755 or less permissive.'
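Review bot: The new `find` calls for /lib64 and /usr/lib run with no directory test while /usr/lib64 gets an `if [ -d ... ]` guard, so on a host without /lib64 the unguarded call emits a find error instead of a finding; guard each one the same way, e.g. `if [ -d /lib64 ]; then find -L /lib64 \! -user root -exec ls -ld {} \; ; fi`, and prefer `-ld` so a non-root-owned directory is reported itself rather than having its contents listed. The listings also go to stdout rather than being appended to `$LOG` like the `printf` just above them — if they are meant to be part of the logged finding each needs `>> $LOG`; this may be intentional, so confirm against how the other V- arms emit detail. The `grep -v '> /dev/null'` filter is applied only to the /lib lookup, mirroring tests/check-libs-owner.sh; a short comment on why that directory alone needs it would help the next reader. The enclosing case arm and its function start outside the hunk.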