From b79f1eec8d540077c4262e05cbe241c11008e8a6 Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Tue, 24 Sep 2024 10:34:01 -0500
Subject: [PATCH] Move RPM verify rules to use --restore

---
 .../rpm_verify_ownership/bash/shared.sh | 4 ++++
 .../rpm_verification/rpm_verify_ownership/rule.yml | 12 +++++++++++-
 .../rpm_verification/rpm_verify_permissions/rule.yml | 8 ++++++++
 3 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/bash/shared.sh b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/bash/shared.sh
index 329a00f56d19..b10c07a56844 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/bash/shared.sh
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/bash/shared.sh
@@ -22,5 +22,9 @@ done
 # correct values
 for RPM_PACKAGE in "${!SETPERMS_RPM_DICT[@]}"
 do
+ {{{% if "rhel" in product %}}}
+ rpm --restore "${RPM_PACKAGE}"
+ {{{% else %}}}
 rpm --setugids "${RPM_PACKAGE}"
+ {{{% endif %}}}
 done
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
index 4eaf655d32bd..3a42fa5ab965 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/rule.yml
@@ -11,7 +11,13 @@ description: |-
 run the following command to determine which package owns it:
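Review bot: The Jinja block delimiters are inconsistent across this commit: the shared.sh hunk writes `{{{% if "rhel" in product %}}}` while the two rule.yml files write `{%- if 'rhel' in product %}` and `{% if 'rhel' in product %}`, and at most one of those forms can match the project's block syntax, so the other will be emitted literally into the generated remediation script (stray `{` / `}` wrapped around the `rpm` call, which bash then tries to run as a command) or into the rendered rule text. The variable form `{{{ full_name }}}` used in the same rule.yml suggests the block form is `{{% ... %}}`, i.e. `{{% if "rhel" in product %}}` here, but confirm against another bash/shared.sh in the repository before changing all four hunks. Separately, `rpm --restore` is documented as restoring the package files' attributes rather than only owner and group, so on the rhel branch this ownership remediation now also rewrites file modes; a one-line comment on the branch such as `# --restore resets mode as well as owner/group (broader than --setugids)` would make that side effect visible to whoever reads the generated script. The dictionary SETPERMS_RPM_DICT that the loop iterates is filled before this hunk and is not visible here.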
$ rpm -qf FILENAME
Next, run the following command to reset its permissions to the correct values:
- $ sudo rpm --setugids PACKAGENAME
+
+    {%- if 'rhel' in product %}
+    $ sudo rpm --restore PACKAGENAME<
+    {%- else %}
+    $ sudo rpm --setugids PACKAGENAME
+    {% endif %}
+    
rationale: |- Ownership of binaries and configuration files that is incorrect could allow an unauthorized @@ -60,7 +66,11 @@ fixtext: |- Reset the user and group ownership of files within a package with the following command: + {%- if 'rhel' in product %} + $ sudo rpm --restore [package] + {%- else %} $ sudo rpm --setugids [package] + {% endif %} srg_requirement: '{{{ full_name }}} must be configured so that the file ownership and group membership of system files and commands match the vendor values.' diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml index 6b237732603a..9adc7d4d1769 100644 --- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml +++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/rule.yml @@ -16,7 +16,11 @@ description: |-
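Review bot: The added rhel-branch line `$ sudo rpm --restore PACKAGENAME<` ends with a stray `<` that neither the removed `--setugids` line nor the new else-branch line carries; this page has had inline markup stripped (the author e-mail and the `<pre>` wrappers around the other commands are gone too), so the `<` most likely is the remnant of a malformed or unclosed closing tag rather than an intended character, and the source line should be checked so the `<pre>` element is closed and the command renders cleanly. The same block mixes the whitespace-stripping `{%-` on `if` and `else` with a plain `{% endif %}`, which is why the hunk ends with an added indented blank line; `{%- endif %}` keeps the three tags consistent. The fixtext hunk of this file, which shares this anchor, has the identical `{%-`/`{%` mix. The description's wording "reset its permissions to the correct values" predates this change but now sits above `--restore`, which on rhel resets more than ownership, so the sentence could say "reset its ownership and permissions".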
$ rpm -qf FILENAME

Next, run the following command to reset its permissions to the correct values:
+ {% if 'rhel' in product %}
+ $ sudo rpm --restore PACKAGENAME
+ {% else %}
$ sudo rpm --setperms PACKAGENAME
+ {% endif %} rationale: |- Permissions on system binaries and configuration files that are too generous could allow an @@ -66,7 +70,11 @@ fixtext: |- Reset the permissions of files within a package with the following command: + {% if 'rhel' in product %} + $ sudo rpm --restore [package] + {% else %} $ sudo rpm --setperms [package] + {% endif %} srg_requirement: '{{{ full_name }}} must be configured so that the file permissions of system files and commands match the vendor values.'
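Review bot: The documented fix and the scripted fix for rpm_verify_permissions may now disagree: both hunks of this file tell a rhel user to run `$ sudo rpm --restore [package]`, but the diffstat lists only rpm_verify_ownership's bash/shared.sh as changed, so the bash remediation for this rule (if one exists, it is not in this commit) presumably still runs `rpm --setperms`. If the intent is to move the rules to `--restore`, that remediation needs the same product-conditional switch; otherwise the description should keep `--setperms` so the two stay aligned. As a point of style, this file uses `{% if 'rhel' in product %}` where rpm_verify_ownership/rule.yml in the same commit uses `{%- if 'rhel' in product %}`; pick one form for both files. The rationale text between the two hunks continues past what is visible here.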