From ca285655f80e54738eec2242d5f51aeaf30c7352 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 05 2019 19:47:35 +0000
Subject: import aide-0.16-11.el8
---
diff --git a/SOURCES/aide.conf b/SOURCES/aide.conf
index cd95c01..4d5321f 100644
--- a/SOURCES/aide.conf
+++ b/SOURCES/aide.conf
@@ -51,8 +51,6 @@ report_url=stdout
 #crc32: crc32 checksum (MHASH only)
 #whirlpool: whirlpool checksum (MHASH only)
-FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-
 #R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
 #L: p+i+n+u+g+acl+selinux+xattrs
 #E: Empty group
@@ -65,150 +63,245 @@ ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
 # Everything but access time (Ie. all changes)
 EVERYTHING = R+ALLXTRAHASHES
-# Sane, with multiple hashes
-# NORMAL = R+rmd160+sha256+whirlpool
-NORMAL = FIPSR+sha512
+# Sane
+# NORMAL = R+sha512
+NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
 # For directories, don't bother doing hashes
 DIR = p+i+n+u+g+acl+selinux+xattrs
 # Access control only
-PERMS = p+i+u+g+acl+selinux
+PERMS = p+u+g+acl+selinux+xattrs
 # Logfile are special, in that they often change
-LOG = >
+LOG = p+u+g+n+S+acl+selinux+xattrs
+
+# Content + file type.
+CONTENT = sha512+ftype
-# Just do sha256 and sha512 hashes
-LSPP = FIPSR+sha512
+# Extended content + file type + access.
+CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
 # Some files get updated automatically, so the inode/ctime/mtime change
 # but we want to know when the data inside them changes
-DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
+DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512
 # Next decide what directories/files you want in the database.
-/boot NORMAL
-/bin NORMAL
-/sbin NORMAL
-/lib NORMAL
-/lib64 NORMAL
-/opt NORMAL
-/usr NORMAL
-/root NORMAL
+/boot CONTENT_EX
+/opt/ CONTENT
+
+# Admins dot files constantly change, just check perms
+/root/\..* PERMS
+# Otherwise get all of /root.
+/root/ CONTENT_EX
+
 # These are too volatile
-!/usr/src
-!/usr/tmp
-
-# Check only permissions, inode, user and group for /etc, but
-# cover some important files closely.
-/etc PERMS
-!/etc/mtab
-# Ignore backup files
-!/etc/.*~
-/etc/exports NORMAL
-/etc/fstab NORMAL
-/etc/passwd NORMAL
-/etc/group NORMAL
-/etc/gshadow NORMAL
-/etc/shadow NORMAL
-/etc/security/opasswd NORMAL
-
-/etc/hosts.allow NORMAL
-/etc/hosts.deny NORMAL
-
-/etc/sudoers NORMAL
-/etc/skel NORMAL
-
-/etc/logrotate.d NORMAL
-
-/etc/resolv.conf DATAONLY
-
-/etc/nscd.conf NORMAL
-/etc/securetty NORMAL
-
-# Shell/X starting files
-/etc/profile NORMAL
-/etc/bashrc NORMAL
-/etc/bash_completion.d/ NORMAL
-/etc/login.defs NORMAL
-/etc/zprofile NORMAL
-/etc/zshrc NORMAL
-/etc/zlogin NORMAL
-/etc/zlogout NORMAL
-/etc/profile.d/ NORMAL
-/etc/X11/ NORMAL
+!/usr/src/
+!/usr/tmp/
+
+# Otherwise get all of /usr.
+/usr/ CONTENT_EX
+
+# trusted databases
+/etc/hosts$ CONTENT_EX
+/etc/host.conf$ CONTENT_EX
+/etc/hostname$ CONTENT_EX
+/etc/issue$ CONTENT_EX
+/etc/issue.net$ CONTENT_EX
+/etc/protocols$ CONTENT_EX
+/etc/services$ CONTENT_EX
+/etc/localtime$ CONTENT_EX
+/etc/alternatives/ CONTENT_EX
+/etc/sysconfig CONTENT_EX
+/etc/mime.types$ CONTENT_EX
+/etc/terminfo/ CONTENT_EX
+/etc/exports$ CONTENT_EX
+/etc/fstab$ CONTENT_EX
+/etc/passwd$ CONTENT_EX
+/etc/group$ CONTENT_EX
+/etc/gshadow$ CONTENT_EX
+/etc/shadow$ CONTENT_EX
+/etc/subgid$ CONTENT_EX
+/etc/subuid$ CONTENT_EX
+/etc/security/opasswd$ CONTENT_EX
+/etc/skel/ CONTENT_EX
+/etc/subuid$ CONTENT_EX
+/etc/subgid$ CONTENT_EX
+/etc/sssd/ CONTENT_EX
+/etc/machine-id$ CONTENT_EX
+/etc/swid/ CONTENT_EX
+/etc/system-release-cpe$ CONTENT_EX
+/etc/shells$ CONTENT_EX
+/etc/tmux.conf$ CONTENT_EX
+/etc/xattr.conf$ CONTENT_EX
+
+
+# networking
+/etc/hosts.allow$ CONTENT_EX
+/etc/hosts.deny$ CONTENT_EX
+/etc/firewalld/ CONTENT_EX
+!/etc/NetworkManager/system-connections/
+/etc/NetworkManager/ CONTENT_EX
+/etc/networks$ CONTENT_EX
+/etc/dhcp/ CONTENT_EX
+/etc/wpa_supplicant/ CONTENT_EX
+/etc/resolv.conf$ DATAONLY
+/etc/nscd.conf$ CONTENT_EX
+
+# logins and accounts
+/etc/login.defs$ CONTENT_EX
+/etc/libuser.conf$ CONTENT_EX
+/var/log/faillog$ PERMS
+/var/log/lastlog$ PERMS
+/var/run/faillock/ PERMS
+/etc/pam.d/ CONTENT_EX
+/etc/security/ CONTENT_EX
+/etc/securetty$ CONTENT_EX
+/etc/polkit-1/ CONTENT_EX
+/etc/sudo.conf$ CONTENT_EX
+/etc/sudoers CONTENT_EX
+/etc/sudoers.d/ CONTENT_EX
+
+# Shell/X startup files
+/etc/profile$ CONTENT_EX
+/etc/profile.d/ CONTENT_EX
+/etc/bashrc$ CONTENT_EX
+/etc/bash_completion.d/ CONTENT_EX
+/etc/zprofile$ CONTENT_EX
+/etc/zshrc$ CONTENT_EX
+/etc/zlogin$ CONTENT_EX
+/etc/zlogout$ CONTENT_EX
+/etc/X11/ CONTENT_EX
 # Pkg manager
-/etc/yum.conf NORMAL
-/etc/yumex.conf NORMAL
-/etc/yumex.profiles.conf NORMAL
-/etc/yum/ NORMAL
-/etc/yum.repos.d/ NORMAL
-
-/var/log LOG
-/var/run/utmp LOG
+/etc/dnf/ CONTENT_EX
+/etc/yum.conf$ CONTENT_EX
+/etc/yum/ CONTENT_EX
+/etc/yum.repos.d/ CONTENT_EX
 # This gets new/removes-old filenames daily
 !/var/log/sa
 # As we are checking it, we've truncated yesterdays size to zero.
 !/var/log/aide.log
-# LSPP rules...
+# auditing
 # AIDE produces an audit record, so this becomes perpetual motion.
-# /var/log/audit/ LSPP
-/etc/audit/ LSPP
-/etc/libaudit.conf LSPP
-/usr/sbin/stunnel LSPP
-/var/spool/at LSPP
-/etc/at.allow LSPP
-/etc/at.deny LSPP
-/etc/cron.allow LSPP
-/etc/cron.deny LSPP
-/etc/cron.d/ LSPP
-/etc/cron.daily/ LSPP
-/etc/cron.hourly/ LSPP
-/etc/cron.monthly/ LSPP
-/etc/cron.weekly/ LSPP
-/etc/crontab LSPP
-/var/spool/cron/root LSPP
-
-/etc/login.defs LSPP
-/etc/securetty LSPP
-/var/log/faillog LSPP
-/var/log/lastlog LSPP
-
-/etc/hosts LSPP
-/etc/sysconfig LSPP
-
-/etc/inittab LSPP
-/etc/grub/ LSPP
-/etc/rc.d LSPP
-
-/etc/ld.so.conf LSPP
-
-/etc/localtime LSPP
-
-/etc/sysctl.conf LSPP
-
-/etc/modprobe.conf LSPP
-
-/etc/pam.d LSPP
-/etc/security LSPP
-/etc/aliases LSPP
-/etc/postfix LSPP
-
-/etc/ssh/sshd_config LSPP
-/etc/ssh/ssh_config LSPP
-
-/etc/stunnel LSPP
+/var/log/audit/ PERMS
+/etc/audit/ CONTENT_EX
+/etc/libaudit.conf$ CONTENT_EX
+/etc/aide.conf$ CONTENT_EX
+
+# System logs
+/etc/rsyslog.conf$ CONTENT_EX
+/etc/rsyslog.d/ CONTENT_EX
+/etc/logrotate.conf$ CONTENT_EX
+/etc/logrotate.d/ CONTENT_EX
+/etc/systemd/journald.conf$ CONTENT_EX
+/var/log/ LOG+ANF+ARF
+/var/run/utmp LOG
-/etc/vsftpd.ftpusers LSPP
-/etc/vsftpd LSPP
+# secrets
+/etc/pkcs11/ CONTENT_EX
+/etc/pki/ CONTENT_EX
+/etc/crypto-policies/ CONTENT_EX
+/etc/certmonger/ CONTENT_EX
+/var/lib/systemd/random-seed$ PERMS
+
+# init system
+/etc/systemd/ CONTENT_EX
+/etc/rc.d/ CONTENT_EX
+/etc/tmpfiles.d/ CONTENT_EX
+
+# boot config
+/etc/default/ CONTENT_EX
+/etc/grub.d/ CONTENT_EX
+/etc/dracut.conf CONTENT_EX
+/etc/dracut.conf.d/ CONTENT_EX
+
+# glibc linker
+/etc/ld.so.cache$ CONTENT_EX
+/etc/ld.so.conf$ CONTENT_EX
+/etc/ld.so.conf.d/ CONTENT_EX
+/etc/ld.so.preload$ CONTENT_EX
+
+# kernel config
+/etc/sysctl.conf CONTENT_EX
+/etc/sysctl.d/ CONTENT_EX
+/etc/modprobe.d/ CONTENT_EX
+/etc/modules-load.d/ CONTENT_EX
+/etc/depmod.d/ CONTENT_EX
+/etc/udev/ CONTENT_EX
+/etc/crypttab$ CONTENT_EX
+
+#### Daemons ####
+
+# cron jobs
+/var/spool/at/ CONTENT
+/etc/at.allow$ CONTENT
+/etc/at.deny$ CONTENT
+/var/spool/anacron CONTENT
+/etc/anacrontab$ CONTENT_EX
+/etc/cron.allow$ CONTENT_EX
+/etc/cron.deny$ CONTENT_EX
+/etc/cron.d/ CONTENT_EX
+/etc/cron.daily/ CONTENT_EX
+/etc/cron.hourly/ CONTENT_EX
+/etc/cron.monthly/ CONTENT_EX
+/etc/cron.weekly/ CONTENT_EX
+/etc/crontab$ CONTENT_EX
+/var/spool/cron/root/ CONTENT
+
+# time keeping
+/etc/chrony.conf CONTENT_EX
+/etc/chrony.keys$ CONTENT_EX
+
+# mail
+/etc/aliases$ CONTENT_EX
+/etc/aliases.db$ CONTENT_EX
+/etc/postfix/ CONTENT_EX
+
+# ssh
+/etc/ssh/sshd_config CONTENT_EX
+/etc/ssh/ssh_config CONTENT_EX
+
+# stunnel
+/etc/stunnel/ CONTENT_EX
+
+# printing
+/etc/cups/ CONTENT_EX
+/etc/cupshelpers/ CONTENT_EX
+/etc/avahi/ CONTENT_EX
+
+# web server
+/etc/httpd/ CONTENT_EX
+
+# dns
+/etc/named/ CONTENT_EX
+/etc/named.conf$ CONTENT_EX
+/etc/named.iscdlv.key$ CONTENT_EX
+/etc/named.rfc1912.zones$ CONTENT_EX
+/etc/named.root.key$ CONTENT_EX
+
+# xinetd
+/etc/xinetd.conf$ CONTENT_EX
+/etc/xinetd.d/ CONTENT_EX
+
+# IPsec
+/etc/ipsec.conf CONTENT_EX
+/etc/ipsec.secrets CONTENT_EX
+/etc/ipsec.d/ CONTENT_EX
+
+# USB guard
+/etc/usbguard/ CONTENT_EX
+
+# Ignore some files
+!/etc/mtab$
+!/etc/.*~
-/etc/issue LSPP
-/etc/issue.net LSPP
+# Now everything else
+/etc/ PERMS
-/etc/cups LSPP
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
@@ -221,3 +314,4 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
 # Admins dot files constantly change, just check perms
 /root/\..* PERMS
+!/root/.xauth*
diff --git a/SOURCES/coverity2.patch b/SOURCES/coverity2.patch
new file mode 100644
index 0000000..5052ba3
--- /dev/null
+++ b/SOURCES/coverity2.patch
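Review bot: `/var/spool/cron/root/ CONTENT` in the cron jobs section replaces the old `/var/spool/cron/root LSPP`, but on RHEL `/var/spool/cron/root` is root's crontab file, and a selection regex ending in `/` cannot match the file itself unless AIDE gives a trailing slash special treatment; since no other rule covers `/var/spool/cron`, root's crontab — a classic persistence location — would drop out of the database, and `/var/spool/cron/ CONTENT_EX` would cover every user's crontab with ownership and mode included. The `CONTENT` group is only `sha512+ftype`, so `/var/spool/at/`, `/etc/at.allow$` and `/etc/at.deny$` would not report a chmod or chown; `CONTENT_EX`, as already used for `/etc/cron.allow$`, seems the better fit there. `/etc/subuid$` and `/etc/subgid$` are listed twice in the trusted databases block. The `/root/\..* PERMS` comment-and-rule pair added after `/opt/` duplicates the same two lines that remain at the end of the file (visible as context in the following hunk).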
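Review bot: `!/root/.xauth*` is a regex, so the unescaped `.` matches any character and the `*` only makes the trailing `h` optional, unlike the `/root/\..*` rule it sits under; `!/root/\.xauth.*` says what was presumably meant. The comment and `/root/\..* PERMS` line it is appended to are now the second copy in the file, the first having been added near the top of the selection list by this same commit, so one of the two copies could go.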
@@ -0,0 +1,31 @@
+diff --up ./src/compare_db.c ./src/compare_db.c
+--- ./src/compare_db.c
++++ ./src/compare_db.c
+@@ -438,7 +438,11 @@ snprintf(*values[0], l, "%s",s);
+ } else {
+ *values = malloc(1 * sizeof (char*));
+ if (DB_FTYPE&attr) {
+- easy_string(get_file_type_string(line->perm))
++ char *file_type = get_file_type_string(line->perm);
++ if (!file_type) {
++ error(2,"%s: ", file_type);
++ }
++ easy_string(file_type)
+ } else if (DB_LINKNAME&attr) {
+ easy_string(line->linkname)
+ easy_number((DB_SIZE|DB_SIZEG),size,"%li")
+diff -up ./src/db_file.c ./src/db_file.c
+--- ./src/db_file.c
++++ ./src/db_file.c
+@@ -194,6 +194,10 @@ int db_file_read_spec(int db){
+
+ *db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD));
+
++ if (*db_order == NULL){
++ error(1,"malloc for *db_order failed in %s", __func__);
++ }
++
+ while ((i=db_scan())!=TNEWLINE){
+ switch (i) {
+
+
diff --git a/SPECS/aide.spec b/SPECS/aide.spec
index 22efc0b..eb0f6a3 100644
--- a/SPECS/aide.spec
+++ b/SPECS/aide.spec
@@ -1,7 +1,7 @@
 Summary: Intrusion detection environment
 Name: aide
 Version: 0.16
-Release: 8%{?dist}
+Release: 11%{?dist}
 URL: http://sourceforge.net/projects/aide
 License: GPLv2+
@@ -34,6 +34,9 @@ Patch4: aide-0.16-crypto-disable-haval-and-others.patch
 Patch5: coverity.patch
 Patch6: aide-0.16-crash-elf.patch
+# 1676487 - Null pointer dereference fix spotted by coverity
+Patch7: coverity2.patch
+
 %description
 AIDE (Advanced Intrusion Detection Environment) is a file integrity checker and intrusion detection program.
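Review bot: The compare_db.c change does not remove the NULL dereference Coverity reported: when `get_file_type_string()` returns NULL the new branch passes that NULL to `%s` in `error(2,"%s: ", file_type)` (undefined behaviour in itself) and then falls through to `easy_string(file_type)`, whose `snprintf(*values[0], l, "%s",s)` shown in the hunk context still receives NULL. If AIDE's `error()` only logs at the given verbosity level, as its first argument suggests, the guard has to substitute a value before continuing: `error(2, "get_file_type_string() returned NULL\n"); file_type = "unknown";`. The db_file.c hunk has the same shape — the malloc failure is logged but `*db_order` is still written by the loop that follows, so the function should return an error or abort right after the `error(1, ...)` call. `diff --up` in the first header is a typo for `diff -up`; patch(1) ignores that line, so it is cosmetic only.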
@@ -78,6 +81,20 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
 %dir %attr(0700,root,root) %{_localstatedir}/log/aide
 %changelog
+* Wed Jul 24 2019 Radovan Sroka - 0.16-11
+- rebuild
+- minor edit of aide.conf
+
+* Tue Jul 23 2019 Radovan Sroka - 0.16-10
+- respin
+- minor edit of aide.conf
+
+* Tue Jul 23 2019 Radovan Sroka - 0.16-9
+- Null pointer dereference fix spotted by coverity
+ resolves: rhbz#1676487
+- aide.conf needs updates for RHEL 8
+ resolves: rhbz#1708015
+
 * Tue Oct 09 2018 Radovan Sroka - 0.16-8
 - fixed wrong line wrapping of messages in the syslog format
 resolves: rhbz#1628153
@@ -111,7 +128,7 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
 * Tue Apr 04 2017 Radovan Sroka - 0.16-1
 - rebase to stable v0.16
 - specfile cleanup
-- make doc readable
+- make doc readable
 resolves: #1421355
 - make aide binary runable for any user
 resolves: #1421351
@@ -300,4 +317,3 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
 * Sun Sep 07 2003 Michael Schwendt - 0:0.9-0.fdr.0.1.20030902
 - Initial package version.
-