From 3fbc53ebf7897d07a2a8237c24fee7c736fc6101 Mon Sep 17 00:00:00 2001
From: Milan Lysonek
Date: Mon, 15 Mar 2021 18:33:05 +0100
Subject: [PATCH] Add rpm_verify_ownership test scenarios

---
 .../tests/all_ownerships_ok.pass.sh | 16 ++++++++++++++++
 .../tests/wrong_group_ownership.fail.sh | 3 +++
 .../tests/wrong_ownership.fail.sh | 3 +++
 3 files changed, 22 insertions(+)
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/tests/all_ownerships_ok.pass.sh
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/tests/wrong_group_ownership.fail.sh
 create mode 100644 linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/tests/wrong_ownership.fail.sh

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/tests/all_ownerships_ok.pass.sh b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/tests/all_ownerships_ok.pass.sh
new file mode 100644
index 00000000000..acd151f31a1
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/tests/all_ownerships_ok.pass.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Perform same steps as remediation
+declare -A SETOWNER_RPM_LIST
+FILES_WITH_INCORRECT_OWNERSHIP=($(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'))
+
+for FILE_PATH in "${FILES_WITH_INCORRECT_OWNERSHIP[@]}"; do
+ RPM_PACKAGES=$(rpm -qf "$FILE_PATH")
+ for pkg in $RPM_PACKAGES; do
+ SETOWNER_RPM_LIST["$pkg"]=1
+ done
+done
+
+for RPM_PACKAGE in "${!SETOWNER_RPM_LIST[@]}"; do
+ rpm --setugids "${RPM_PACKAGE}"
+done
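Review bot: `FILES_WITH_INCORRECT_OWNERSHIP=($(rpm -Va … | awk …))` fills the array through unquoted word-splitting and globbing of the command output (ShellCheck SC2207), so a flagged path containing whitespace or glob characters is split into several bogus elements or expanded before `rpm -qf` ever sees it. Reading one element per line avoids that: `mapfile -t FILES_WITH_INCORRECT_OWNERSHIP < <(rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }')`. The awk `print $NF` has the same limitation, since it emits only the last whitespace-separated field of each verify line, so paths with spaces are truncated even before the shell splits them. The header comment says this block mirrors the remediation, so whichever form is kept here should presumably be applied there as well to keep the two in sync.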
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/tests/wrong_group_ownership.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/tests/wrong_group_ownership.fail.sh
new file mode 100644
index 00000000000..39013550c71
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/tests/wrong_group_ownership.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+chown :1 /etc/shadow
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/tests/wrong_ownership.fail.sh b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/tests/wrong_ownership.fail.sh
new file mode 100644
index 00000000000..baff0ccd6ed
--- /dev/null
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/tests/wrong_ownership.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+chown 1 /etc/shadow
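Review bot: `chown :1 /etc/shadow` runs with no status check, so if the file is absent or not writable in the test image the scenario silently sets up nothing and the resulting check outcome is hard to interpret; `set -e` after the shebang, or `chown :1 /etc/shadow || exit 1`, makes the setup failure explicit. The same applies to `chown 1 /etc/shadow` in wrong_ownership.fail.sh. Both scripts presumably rely on /etc/shadow being tracked by an installed package so that `rpm -Va` reports the U or G flag for it; a one-line comment stating that assumption would help whoever runs these scenarios on a different base image.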