Merge pull request #11333 from marcusburghardt/rpm_verify_ownership_r…

…eview Review rpm_verify_ownership rule
ComplianceAsCode · Dec 5, 2023 · 681d5ce · 681d5ce
2 parents 1d8543b + 4475fc9
commit 681d5ce
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 43 deletions.
diff --git a/...ftware/integrity/software-integrity/rpm_verification/rpm_verify_ownership/oval/shared.xml b/...ftware/integrity/software-integrity/rpm_verification/rpm_verify_ownership/oval/shared.xml
@@ -1,44 +1,35 @@
 <def-group>
-  <definition class="compliance" id="rpm_verify_ownership" version="3">
-    {{{ oval_metadata("Verify ownership of installed packages
-      by comparing the installed files with information about the
-      files taken from the package metadata stored in the RPM
+  <definition class="compliance" id="{{{ rule_id }}}" version="3">
+    {{{ oval_metadata("Verify ownership of installed packages by comparing the installed files
+      with information about the files taken from the package metadata stored in the RPM
       database.") }}}
     <criteria operator="AND">
-      <criterion test_ref="test_verify_all_rpms_user_ownership" comment="user ownership of all files matches local rpm database" />
-      <criterion test_ref="test_verify_all_rpms_group_ownership" comment="group ownership of all files matches local rpm database" />
+      <criterion test_ref="test_rpm_verify_ownership_verify_all_rpms_ownership"
+        comment="user ownership of all files matches local rpm database"/>
     </criteria>
   </definition>
-  <linux:rpmverifyfile_test check_existence="none_exist" id="test_verify_all_rpms_user_ownership" version="1" check="all" comment="user ownership of all files matches local rpm database">
-    <linux:object object_ref="object_files_fail_user_ownership"/>
-  </linux:rpmverifyfile_test>
-  <linux:rpmverifyfile_test check_existence="none_exist" id="test_verify_all_rpms_group_ownership" version="1" check="all" comment="group ownership of all files matches local rpm database">
-    <linux:object object_ref="object_files_fail_group_ownership"/>
-  </linux:rpmverifyfile_test>
-  <linux:rpmverifyfile_object id="object_files_fail_user_ownership" version="1" comment="rpm verify of all files">
-    <linux:behaviors nomd5="true" noghostfiles="true"/>
-    <linux:name operation="pattern match">.*</linux:name>
-    <linux:epoch operation="pattern match">.*</linux:epoch>
-    <linux:version operation="pattern match">.*</linux:version>
-    <linux:release operation="pattern match">.*</linux:release>
-    <linux:arch operation="pattern match">.*</linux:arch>
-    <linux:filepath operation="pattern match">.*</linux:filepath>
-    <filter action="include">state_files_fail_user_ownership</filter>
-  </linux:rpmverifyfile_object>
-  <linux:rpmverifyfile_object id="object_files_fail_group_ownership" version="1" comment="rpm verify of all files">
+
+  <linux:rpmverifyfile_state id="state_rpm_verify_ownership_files_fail_ownership" version="2"
+    operator="OR">
+    <linux:ownership_differs>fail</linux:ownership_differs>
+    <linux:group_differs>fail</linux:group_differs>
+  </linux:rpmverifyfile_state>
+
+  <linux:rpmverifyfile_object id="object_rpm_verify_ownership_files_fail_ownership" version="2"
+    comment="rpm verify ownership of all files">
     <linux:behaviors nomd5="true" noghostfiles="true"/>
     <linux:name operation="pattern match">.*</linux:name>
     <linux:epoch operation="pattern match">.*</linux:epoch>
     <linux:version operation="pattern match">.*</linux:version>
     <linux:release operation="pattern match">.*</linux:release>
     <linux:arch operation="pattern match">.*</linux:arch>
     <linux:filepath operation="pattern match">.*</linux:filepath>
-    <filter action="include">state_files_fail_group_ownership</filter>
+    <filter action="include">state_rpm_verify_ownership_files_fail_ownership</filter>
   </linux:rpmverifyfile_object>
-  <linux:rpmverifyfile_state id="state_files_fail_user_ownership" version="1">
-    <linux:ownership_differs>fail</linux:ownership_differs>
-  </linux:rpmverifyfile_state>
-  <linux:rpmverifyfile_state id="state_files_fail_group_ownership" version="1">
-    <linux:group_differs>fail</linux:group_differs>
-  </linux:rpmverifyfile_state>
+
+  <linux:rpmverifyfile_test id="test_rpm_verify_ownership_verify_all_rpms_ownership" version="1"
+    check="all" check_existence="none_exist"
+    comment="Ownership of all files matches local rpm database">
+    <linux:object object_ref="object_rpm_verify_ownership_files_fail_ownership"/>
+  </linux:rpmverifyfile_test>
 </def-group>
diff --git a/...stem/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/...stem/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
@@ -5,22 +5,19 @@ prodtype: alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
 title: 'Verify and Correct Ownership with RPM'
 
 description: |-
-    The RPM package management system can check file ownership
-    permissions of installed software packages, including many that are
-    important to system security. After locating a file with incorrect
-    permissions, which can be found with
+    The RPM package management system can check file ownership permissions of installed software
+    packages, including many that are important to system security. After locating a file with
+    incorrect permissions, which can be found with:
     <pre>rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'</pre>
     run the following command to determine which package owns it:
     <pre>$ rpm -qf <i>FILENAME</i></pre>
-    Next, run the following command to reset its permissions to
-    the correct values:
+    Next, run the following command to reset its permissions to the correct values:
     <pre>$ sudo rpm --setugids <i>PACKAGENAME</i></pre>
 
 rationale: |-
-    Ownership of binaries and configuration files that is incorrect
-    could allow an unauthorized user to gain privileges that they should
-    not have. The ownership set by the vendor should be maintained. Any
-    deviations from this baseline should be investigated.
+    Ownership of binaries and configuration files that is incorrect could allow an unauthorized
+    user to gain privileges that they should not have. The ownership set by the vendor should be
+    maintained. Any deviations from this baseline should be investigated.
 
 severity: high
 
@@ -77,6 +74,13 @@ srg_requirement: '{{{ full_name }}} must be configured so that the file ownershi
 warnings:
     - general: |-
         Profiles may require that specific files be owned by root while the default owner defined
-        by the vendor is different.
-        Such files will be reported as a finding and need to be evaluated according to your policy
-        and deployment environment.
+        by the vendor is different. Such files will be reported as a finding and need to be
+        evaluated according to your policy and deployment environment.
+    - general: |-
+        This rule can take a long time to perform the check and might consume a considerable
+        amount of resources depending on the number of packages present on the system. It is not a
+        problem in most cases, but especially systems with a large number of installed packages
+        can be affected.
+        {{% if "rhel" in product %}}
+        See <code>https://access.redhat.com/articles/6999111</code>.
+        {{% endif %}}