From 119c025d1d09678d7e150b453163eab1c671e2a1 Mon Sep 17 00:00:00 2001 From: Marcus Burghardt Date: Thu, 30 Nov 2023 15:25:11 +0100 Subject: [PATCH 1/3] Improve rule description in rpm_verify_ownership Also update warning about high consume of system resources in some scenarios. --- .../rpm_verify_ownership/rule.yml | 27 ++++++++++--------- 1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
index b5b67ae1fb8..1db39f6a991 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
@@ -5,22 +5,19 @@ prodtype: alinux3,ol7,ol8,ol9,rhcos4,rhel7,rhel8,rhel9,rhv4,sle12,sle15
title: 'Verify and Correct Ownership with RPM'
description: |-
- The RPM package management system can check file ownership
- permissions of installed software packages, including many that are
- important to system security. After locating a file with incorrect
- permissions, which can be found with
+ The RPM package management system can check file ownership permissions of installed software
+ packages, including many that are important to system security. After locating a file with
+ incorrect permissions, which can be found with:
rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'
run the following command to determine which package owns it:
$ rpm -qf FILENAME
- Next, run the following command to reset its permissions to - the correct values: + Next, run the following command to reset its permissions to the correct values:
$ sudo rpm --setugids PACKAGENAME
rationale: |-
- Ownership of binaries and configuration files that is incorrect
- could allow an unauthorized user to gain privileges that they should
- not have. The ownership set by the vendor should be maintained. Any
- deviations from this baseline should be investigated.
+ Ownership of binaries and configuration files that is incorrect could allow an unauthorized
+ user to gain privileges that they should not have. The ownership set by the vendor should be
+ maintained. Any deviations from this baseline should be investigated.
severity: high
@@ -77,6 +74,10 @@ srg_requirement: '{{{ full_name }}} must be configured so that the file ownershi
warnings: - general: |-
Profiles may require that specific files be owned by root while the default owner defined
- by the vendor is different.
- Such files will be reported as a finding and need to be evaluated according to your policy
- and deployment environment.
+ by the vendor is different. Such files will be reported as a finding and need to be
+ evaluated according to your policy and deployment environment.
+ - general: |-
+ This rule can take a long time to perform the check and might consume a considerable
+ amount of resources depending on the number of packages present on the system. It is not a
+ problem in most cases, but especially systems with a large number of installed packages
+ can be affected. See https://access.redhat.com/articles/6999111.
From d63fb247f09f3170d72826dccb450cafabf3607b Mon Sep 17 00:00:00 2001 
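Review bot: The rewrapped description still calls the finding "incorrect permissions" and says the last command resets "permissions", while the awk filter two lines above selects only the U and G columns of `rpm -Va` and `rpm --setugids` restores only user and group ownership (file modes are `--setperms`), so a reader may believe modes were repaired when they were not. Suggest `After locating a file with incorrect ownership, which can be found with:`, `Next, run the following command to reset its ownership to the correct values:`, and `can check file ownership` in place of `can check file ownership permissions`. The `print $NF` in the untouched context line also truncates any packaged path that contains a space, since awk splits fields on whitespace; it is outside this commit's change but belongs in the same pass, e.g. `print substr($0, index($0, "/"))`, which works because the flag and type columns never contain a slash.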
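Review bot: The second sentence of the new warning, `It is not a problem in most cases, but especially systems with a large number of installed packages can be affected.`, reads awkwardly and leaves the operator without a recommendation; suggest `This is usually not a problem, but systems with a large number of installed packages can be affected, so schedule scans accordingly.` The phrase `consume a considerable amount of resources` would be more useful if it named them; judging from the `rpm -Va` command the description itself gives, the cost is presumably CPU and disk I/O while every packaged file is verified, but confirm that against what the OVAL object actually requests before committing to that wording.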
From: Marcus Burghardt Date: Thu, 30 Nov 2023 15:47:19 +0100 Subject: [PATCH 2/3] Refactor OVAL in rpm_verify_ownership The OVAL check was inneficient by searching the RPM database twice and consequently creating two similar objects and two tests. The logic was simplified to one single test, one single query in the RPM databases and one single object covering all necessary cases. Besides the simplification, the performance during the check was also improved. --- .../rpm_verify_ownership/oval/shared.xml | 51 ++++++++----------- 1 file changed, 21 insertions(+), 30 deletions(-) diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/oval/shared.xml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/oval/shared.xml index ec52adb92cd..96d1bf30535 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/oval/shared.xml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/oval/shared.xml @@ -1,31 +1,22 @@ - - {{{ oval_metadata("Verify ownership of installed packages - by comparing the installed files with information about the - files taken from the package metadata stored in the RPM + + {{{ oval_metadata("Verify ownership of installed packages by comparing the installed files + with information about the files taken from the package metadata stored in the RPM database.") }}} - - + - - - - - - - - - .* - .* - .* - .* - .* - .* - state_files_fail_user_ownership - - + + + fail + fail + + + .* .* @@ -33,12 +24,12 @@ .* .* .* - state_files_fail_group_ownership + state_rpm_verify_ownership_files_fail_ownership - - fail - - - fail - + + + + From 4475fc9ef15071dbafd3790906b2482923832cd4 Mon Sep 17 00:00:00 2001 
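Review bot: The merged state `state_rpm_verify_ownership_files_fail_ownership` now holds two `fail` entities (presumably `ownership_differs` and `group_differs`), and with the markup stripped from this page I cannot see whether the state sets `operator="OR"`; an OVAL state's entities are combined with AND by default, so without it a file with only a wrong owner or only a wrong group would no longer be reported, whereas the removed `state_files_fail_user_ownership`/`state_files_fail_group_ownership` pair caught either case. Please confirm the attribute is present on the `rpmverifyfile_state` element, or reference two states from the single test with `state_operator="OR"`, and add a test scenario with one file whose group alone is wrong to pin the behaviour. The commit message also claims a performance gain, but the visible residue does not show the object's `behaviors` (e.g. `nofiledigest`/`nomd5`); if those are what avoid re-hashing every packaged file, a one-line comment in shared.xml saying so would stop the next refactor from dropping them.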
From: Marcus Burghardt Date: Tue, 5 Dec 2023 13:22:57 +0100 Subject: [PATCH 3/3] Show rhel article in warning only to rhel products --- .../rpm_verification/rpm_verify_ownership/rule.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
index 1db39f6a991..e7daa6434b5 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
@@ -80,4 +80,7 @@ warnings:
This rule can take a long time to perform the check and might consume a considerable
amount of resources depending on the number of packages present on the system. It is not a
problem in most cases, but especially systems with a large number of installed packages
- can be affected. See https://access.redhat.com/articles/6999111.
+ can be affected.
+ {{% if "rhel" in product %}}
+ See https://access.redhat.com/articles/6999111.
+ {{% endif %}}
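Review bot: `{{% if "rhel" in product %}}` is a substring test that drops the link for rhcos4 and rhv4, both listed in this rule's prodtype (visible in the first patch's hunk header) and both Red Hat products the Red Hat KB article may well cover; whether they should see it is a judgement call, but it should be deliberate and stated in the commit message, which currently says only "rhel products". If the intent really is the RHEL family alone, an explicit list such as `{{% if product in ["rhel7", "rhel8", "rhel9"] %}}` is clearer than a substring match that would also catch any future product id containing "rhel". The conditional sits inside a `|-` block scalar, so check the rendered warning on a non-RHEL product for stray blank lines left where the tag lines were; I cannot tell from the hunk how the template engine trims them.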