Move rpm verify rules to use --restore

To match the rpm_verify_permissions bash remedation.
ComplianceAsCode · Oct 7, 2024 · 06fbf18 · 06fbf18
1 parent 94f1ca5
commit 06fbf18
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 7 deletions.
diff --git a/...are/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/...are/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
@@ -19,6 +19,6 @@
  when: (files_with_incorrect_ownership.stdout_lines | length > 0)
 
 - name: "Correct file ownership with RPM"
- command: "rpm --setugids '{{ item }}'"
+ command: "rpm --restore '{{ item }}'"
  with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
  when: (files_with_incorrect_ownership.stdout_lines | length > 0)
diff --git a/...oftware/integrity/software-integrity/rpm_verification/rpm_verify_ownership/bash/shared.sh b/...oftware/integrity/software-integrity/rpm_verification/rpm_verify_ownership/bash/shared.sh
@@ -22,5 +22,5 @@ done
 # correct values
 for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
 do
- rpm --setugids "${RPM_PACKAGE}"
+ rpm --restore "${RPM_PACKAGE}"
 done
diff --git a/...stem/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/...stem/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
@@ -11,7 +11,7 @@ description: |-
  run the following command to determine which package owns it:
  <pre>$ rpm -qf <i>FILENAME</i></pre>
  Next, run the following command to reset its permissions to the correct values:
- <pre>$ sudo rpm --setugids <i>PACKAGENAME</i></pre>
+ <pre>$ sudo rpm --restore <i>PACKAGENAME</i></pre>
 
 rationale: |-
  Ownership of binaries and configuration files that is incorrect could allow an unauthorized
@@ -60,7 +60,8 @@ fixtext: |-
 
  Reset the user and group ownership of files within a package with the following command:
 
- $ sudo rpm --setugids [package]
+ $ sudo rpm --restore [package]
+
 
 srg_requirement: '{{{ full_name }}} must be configured so that the file ownership and group membership of system files and commands match the vendor values.'
 

diff --git a/...e/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/...e/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
@@ -19,6 +19,6 @@
  when: (files_with_incorrect_permissions.stdout_lines | length > 0)
 
 - name: "Correct file permissions with RPM"
- command: "rpm --setperms '{{ item }}'"
+ command: "rpm --restore '{{ item }}'"
  with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
  when: (files_with_incorrect_permissions.stdout_lines | length > 0)
diff --git a/...em/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/...em/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml
@@ -16,7 +16,7 @@ description: |-
  <pre>$ rpm -qf <i>FILENAME</i></pre>
  <br />
  Next, run the following command to reset its permissions to the correct values:
- <pre>$ sudo rpm --setperms <i>PACKAGENAME</i></pre>
+ <pre>$ sudo rpm --restore <i>PACKAGENAME</i></pre>
 
 rationale: |-
  Permissions on system binaries and configuration files that are too generous could allow an
@@ -66,7 +66,8 @@ fixtext: |-
 
  Reset the permissions of files within a package with the following command:
 
- $ sudo rpm --setperms [package]
+ $ sudo rpm --restore [package]
+
 
 srg_requirement: '{{{ full_name }}} must be configured so that the file permissions of system files and commands match the vendor values.'