From f1a49eb2c4d4137102f07686fe42117d24837cfa Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 03 2016 06:15:05 +0000
Subject: import aide-0.15.1-11.el7
---
diff --git a/SOURCES/aide.conf b/SOURCES/aide.conf
index cd95c01..b8bdf42 100644
--- a/SOURCES/aide.conf
+++ b/SOURCES/aide.conf
@@ -11,7 +11,7 @@ database=file:@@{DBDIR}/aide.db.gz
 #database_out=file:aide.db.new
 database_out=file:@@{DBDIR}/aide.db.new.gz
-# Whether to gzip the output to database
+# Whether to gzip the output to database.
 gzip_dbout=yes
 # Default.
@@ -62,153 +62,245 @@ FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
 # With MHASH...
 # ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
 ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+
 # Everything but access time (Ie. all changes)
 EVERYTHING = R+ALLXTRAHASHES
-# Sane, with multiple hashes
-# NORMAL = R+rmd160+sha256+whirlpool
-NORMAL = FIPSR+sha512
+# Sane, with one good hash.
+# NORMAL = sha256
+NORMAL = sha256
-# For directories, don't bother doing hashes
+# For directories, don't bother doing hashes.
 DIR = p+i+n+u+g+acl+selinux+xattrs
-# Access control only
-PERMS = p+i+u+g+acl+selinux
+# Access control only.
+PERMS = p+u+g+acl+selinux+xattrs
+
+# Access + inode changes + file type.
+STATIC = p+u+g+acl+selinux+xattrs+i+n+b+c+ftype
-# Logfile are special, in that they often change
-LOG = >
+# Logfiles only check access w/o xattrs.
+LOG = p+u+g+n+acl+selinux+ftype
-# Just do sha256 and sha512 hashes
-LSPP = FIPSR+sha512
+# Content + file type.
+CONTENT = sha256+ftype
+
+# Extended content + file type + access.
+CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs
 # Some files get updated automatically, so the inode/ctime/mtime change
-# but we want to know when the data inside them changes
+# but we want to know when the data inside them changes.
 DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
-# Next decide what directories/files you want in the database.
-
-/boot NORMAL
-/bin NORMAL
-/sbin NORMAL
-/lib NORMAL
-/lib64 NORMAL
-/opt NORMAL
-/usr NORMAL
-/root NORMAL
-# These are too volatile
-!/usr/src
-!/usr/tmp
-
-# Check only permissions, inode, user and group for /etc, but
-# cover some important files closely.
-/etc PERMS
-!/etc/mtab
-# Ignore backup files
-!/etc/.*~
-/etc/exports NORMAL
-/etc/fstab NORMAL
-/etc/passwd NORMAL
-/etc/group NORMAL
-/etc/gshadow NORMAL
-/etc/shadow NORMAL
-/etc/security/opasswd NORMAL
+# Next decide what directories/files you want in the database. Aide
+# uses a first match system. Put file specific instructions before generic
+# matches. e.g. Put file matches before directories.
+
+/boot/ CONTENT_EX
+/bin/ CONTENT_EX
+/sbin/ CONTENT_EX
+/lib/ CONTENT_EX
+/lib64/ CONTENT_EX
+/opt/ CONTENT
-/etc/hosts.allow NORMAL
-/etc/hosts.deny NORMAL
+# Admin's dot files constantly change, just check perms.
+/root/\..* PERMS
+# Otherwise get all of /root.
+/root/ CONTENT_EX
-/etc/sudoers NORMAL
-/etc/skel NORMAL
+# These are too volatile.
+!/usr/src/
+!/usr/tmp/
+# Otherwise get all of /usr.
+/usr/ CONTENT_EX
-/etc/logrotate.d NORMAL
+# Check only permissions, user, group, seliunx for /etc, but
+# cover some important files closely.
+!/etc/mtab$
-/etc/resolv.conf DATAONLY
+# Ignore backup files
+!/etc/.*~
-/etc/nscd.conf NORMAL
-/etc/securetty NORMAL
+# trusted databases
+/etc/hosts$ CONTENT_EX
+/etc/host.conf$ CONTENT_EX
+/etc/hostname$ CONTENT_EX
+/etc/issue$ CONTENT_EX
+/etc/issue.net$ CONTENT_EX
+/etc/protocols$ CONTENT_EX
+/etc/services$ CONTENT_EX
+/etc/localtime$ CONTENT_EX
+/etc/alternatives/ CONTENT_EX
+/etc/mime.types$ CONTENT_EX
+/etc/terminfo/ CONTENT_EX
+/etc/exports$ CONTENT_EX
+/etc/fstab$ CONTENT_EX
+/etc/passwd$ CONTENT_EX
+/etc/group$ CONTENT_EX
+/etc/gshadow$ CONTENT_EX
+/etc/shadow$ CONTENT_EX
+/etc/security/opasswd$ CONTENT_EX
+/etc/skel/ CONTENT_EX
+
+# networking
+/etc/hosts.allow$ CONTENT_EX
+/etc/hosts.deny$ CONTENT_EX
+/etc/firewalld/ CONTENT_EX
+/etc/NetworkManager/ CONTENT_EX
+/etc/networks$ CONTENT_EX
+/etc/dhcp/ CONTENT_EX
+/etc/wpa_supplicant/ CONTENT_EX
+/etc/resolv.conf$ DATAONLY
+/etc/nscd.conf$ NORMAL
+
+# logins and accounts
+/etc/login.defs$ CONTENT_EX
+/etc/libuser.conf$ CONTENT_EX
+/var/log/faillog$ PERMS
+/var/log/lastlog$ PERMS
+/var/run/faillock/ PERMS
+/etc/pam.d/ CONTENT_EX
+/etc/security$ CONTENT_EX
+/etc/securetty$ CONTENT_EX
+/etc/polkit-1/ CONTENT_EX
+/etc/sudo.conf$ CONTENT_EX
+/etc/sudoers$ CONTENT_EX
+/etc/sudoers.d/ CONTENT_EX
 # Shell/X starting files
-/etc/profile NORMAL
-/etc/bashrc NORMAL
-/etc/bash_completion.d/ NORMAL
-/etc/login.defs NORMAL
-/etc/zprofile NORMAL
-/etc/zshrc NORMAL
-/etc/zlogin NORMAL
-/etc/zlogout NORMAL
-/etc/profile.d/ NORMAL
-/etc/X11/ NORMAL
+/etc/profile$ CONTENT_EX
+/etc/profile.d/ CONTENT_EX
+/etc/bashrc$ CONTENT_EX
+/etc/bash_completion.d/ CONTENT_EX
+/etc/zprofile$ CONTENT_EX
+/etc/zshrc$ CONTENT_EX
+/etc/zlogin$ CONTENT_EX
+/etc/zlogout$ CONTENT_EX
+/etc/X11/ CONTENT_EX
+/etc/shells$ CONTENT_EX
 # Pkg manager
-/etc/yum.conf NORMAL
-/etc/yumex.conf NORMAL
-/etc/yumex.profiles.conf NORMAL
-/etc/yum/ NORMAL
-/etc/yum.repos.d/ NORMAL
-
-/var/log LOG
-/var/run/utmp LOG
-
-# This gets new/removes-old filenames daily
-!/var/log/sa
+/etc/yum.conf$ CONTENT_EX
+/etc/yumex.conf$ CONTENT_EX
+/etc/yumex.profiles.conf$ CONTENT_EX
+/etc/yum/ CONTENT_EX
+/etc/yum.repos.d/ CONTENT_EX
+
+# This gets new/removes-old filenames daily.
+!/var/log/sa/
 # As we are checking it, we've truncated yesterdays size to zero.
 !/var/log/aide.log
-# LSPP rules...
+# auditing
 # AIDE produces an audit record, so this becomes perpetual motion.
-# /var/log/audit/ LSPP
-/etc/audit/ LSPP
-/etc/libaudit.conf LSPP
-/usr/sbin/stunnel LSPP
-/var/spool/at LSPP
-/etc/at.allow LSPP
-/etc/at.deny LSPP
-/etc/cron.allow LSPP
-/etc/cron.deny LSPP
-/etc/cron.d/ LSPP
-/etc/cron.daily/ LSPP
-/etc/cron.hourly/ LSPP
-/etc/cron.monthly/ LSPP
-/etc/cron.weekly/ LSPP
-/etc/crontab LSPP
-/var/spool/cron/root LSPP
-
-/etc/login.defs LSPP
-/etc/securetty LSPP
-/var/log/faillog LSPP
-/var/log/lastlog LSPP
-
-/etc/hosts LSPP
-/etc/sysconfig LSPP
-
-/etc/inittab LSPP
-/etc/grub/ LSPP
-/etc/rc.d LSPP
-
-/etc/ld.so.conf LSPP
-
-/etc/localtime LSPP
-
-/etc/sysctl.conf LSPP
-
-/etc/modprobe.conf LSPP
-
-/etc/pam.d LSPP
-/etc/security LSPP
-/etc/aliases LSPP
-/etc/postfix LSPP
-
-/etc/ssh/sshd_config LSPP
-/etc/ssh/ssh_config LSPP
-
-/etc/stunnel LSPP
-
-/etc/vsftpd.ftpusers LSPP
-/etc/vsftpd LSPP
-
-/etc/issue LSPP
-/etc/issue.net LSPP
-
-/etc/cups LSPP
+# /var/log/audit/ PERMS+ANF+ARF
+/etc/audit/ CONTENT_EX
+/etc/audisp/ CONTENT_EX
+/etc/libaudit.conf$ CONTENT_EX
+/etc/aide.conf$ CONTENT_EX
+
+# System logs
+/etc/rsyslog.conf$ CONTENT_EX
+/etc/rsyslog.d/ CONTENT_EX
+/etc/logrotate.conf$ CONTENT_EX
+/etc/logrotate.d/ CONTENT_EX
+/var/log/ LOG+ANF+ARF
+/var/run/utmp$ LOG
+
+# secrets
+/etc/pkcs11/ CONTENT_EX
+/etc/pki/ CONTENT_EX
+/etc/ssl/ CONTENT_EX
+/etc/certmonger/ CONTENT_EX
+
+# init system
+/etc/systemd/ CONTENT_EX
+/etc/sysconfig/ CONTENT_EX
+/etc/rc.d/ CONTENT_EX
+/etc/tmpfiles.d/ CONTENT_EX
+/etc/machine-id$ CONTENT_EX
+
+# boot config
+/etc/grub.d/ CONTENT_EX
+/etc/grub2.cfg$ CONTENT_EX
+/etc/dracut.conf$ CONTENT_EX
+/etc/dracut.conf.d/ CONTENT_EX
+
+# glibc linker
+/etc/ld.so.cache$ CONTENT_EX
+/etc/ld.so.conf$ CONTENT_EX
+/etc/ld.so.conf.d/ CONTENT_EX
+
+# kernel config
+/etc/sysctl.conf$ CONTENT_EX
+/etc/sysctl.d/ CONTENT_EX
+/etc/modprobe.d/ CONTENT_EX
+/etc/modules-load.d/ CONTENT_EX
+/etc/depmod.d/ CONTENT_EX
+/etc/udev/ CONTENT_EX
+/etc/crypttab$ CONTENT_EX
+
+#### Daemons ####
+
+# cron jobs
+/var/spool/at/ CONTENT
+/etc/at.allow$ CONTENT
+/etc/at.deny$ CONTENT
+/etc/cron.allow$ CONTENT_EX
+/etc/cron.deny$ CONTENT_EX
+/etc/cron.d/ CONTENT_EX
+/etc/cron.daily/ CONTENT_EX
+/etc/cron.hourly/ CONTENT_EX
+/etc/cron.monthly/ CONTENT_EX
+/etc/cron.weekly/ CONTENT_EX
+/etc/crontab$ CONTENT_EX
+/var/spool/cron/root/ CONTENT
+/etc/anacrontab$ CONTENT_EX
+
+# time keeping
+/etc/ntp.conf$ CONTENT_EX
+/etc/ntp/ CONTENT_EX
+/etc/chrony.conf$ CONTENT_EX
+/etc/chrony.keys$ CONTENT_EX
+
+# mail
+/etc/aliases$ CONTENT_EX
+/etc/aliases.db$ CONTENT_EX
+/etc/postfix/ CONTENT_EX
+/etc/mail.rc$ CONTENT_EX
+/etc/mailcap$ CONTENT_EX
+
+# ssh
+/etc/ssh/sshd_config$ CONTENT_EX
+/etc/ssh/ssh_config$ CONTENT_EX
+
+# stunnel
+/etc/stunnel/ CONTENT_EX
+
+# ftp
+/etc/vsftpd.conf$ CONTENT
+/etc/vsftpd/ CONTENT
+
+# printing
+/etc/cups/ CONTENT_EX
+/etc/cupshelpers/ CONTENT_EX
+/etc/avahi/ CONTENT_EX
+
+# web server
+/etc/httpd/ CONTENT_EX
+
+# dns
+/etc/named/ CONTENT_EX
+/etc/named.conf$ CONTENT_EX
+/etc/named.iscdlv.key$ CONTENT_EX
+/etc/named.rfc1912.zones$ CONTENT_EX
+/etc/named.root.key$ CONTENT_EX
+
+# xinetd
+/etc/xinetd.d/ CONTENT_EX
+
+# Now everything else in /etc.
+/etc/ PERMS
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
@@ -216,8 +308,5 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
 #=/lost\+found DIR
 #=/home DIR
-# Ditto /var/log/sa reason...
-!/var/log/and-httpd
-
-# Admins dot files constantly change, just check perms
-/root/\..* PERMS
+# Ditto /var/log/sa/ same reason...
+!/var/log/httpd/
diff --git a/SPECS/aide.spec b/SPECS/aide.spec
index 85c35f3..4153f33 100644
--- a/SPECS/aide.spec
+++ b/SPECS/aide.spec
@@ -4,7 +4,7 @@ Summary: Intrusion detection environment
 Name: aide
 Version: 0.15.1
-Release: 9%{?dist}
+Release: 11%{?dist}
 URL: http://sourceforge.net/projects/aide
 License: GPLv2+
 Group: Applications/System
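Review bot: `/etc/security$ CONTENT_EX` in the "logins and accounts" group anchors the pattern to the directory entry alone, so the PAM module configuration files beneath it fall through to the closing `/etc/ PERMS` rule and lose the content hash that the removed, unanchored `/etc/security LSPP` rule gave the whole subtree (AIDE matches a rule as a regex from the start of the path, so only an anchored rule stops at the directory); `/etc/security/ CONTENT_EX` restores that coverage. The same slip in the other direction affects `/var/spool/cron/root/ CONTENT` in the "cron jobs" group: root's crontab is a regular file, so as far as I can tell the trailing slash matches nothing and the file, previously covered by `/var/spool/cron/root LSPP`, drops out of the database entirely; `/var/spool/cron/ CONTENT` would cover it and the other users' crontabs. The new `LOG = p+u+g+n+acl+selinux+ftype` no longer carries the growing-size check that AIDE's `>` group (the old `LOG = >`) includes, so a file under `/var/log/ LOG+ANF+ARF` being truncated is no longer reported; if that is intended it deserves a line in the comment above it. Finally, `# Check only permissions, user, group, seliunx for /etc, but` still misspells selinux even though the 0.15.1-11 changelog entry is the typo fix for this file.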
@@ -18,6 +18,8 @@ Patch1: aide-0.14-man.patch
 Patch2: aide-0.15.1-fipsfix.patch
 # warn if processing prelinked binary objects and the prelink binary is not available
 Patch3: aide-0.15.1-prelinkwarn.patch
+# 1266458 - aide can not handle directory name with spaces
+#Patch4: aide-0.15-1-dirnamespaces.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
 BuildRequires: mktemp
@@ -99,6 +101,15 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Tue Jul 19 2016 Daniel Kopecek - 0.15.1-11
+- Corrected typos in the default configuration file Resolves: rhbz#1304334
+
+* Fri Jun 24 2016 Daniel Kopecek - 0.15.1-10
+- Updated the default configuration file. New defaults contributed by Steve Grubb. Resolves: rhbz#1304334
+
 * Mon Aug 4 2014 Daniel Kopecek - 0.15.1-9
 - Don't require prelink on aarch64 and ppc64le Resolves: rhbz#1078555
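Review bot: `#Patch4: aide-0.15-1-dirnamespaces.patch` is added commented out and nothing in this hunk applies it, so the spec now carries a reference to bug 1266458 whose fix is not actually built; either drop the two lines or make the comment say why the patch is held back, e.g. `# 1266458 - aide can not handle directory name with spaces (patch kept out of the build for now)`. The file name also breaks the aide-0.15.1-*.patch naming the neighbouring Patch2 and Patch3 lines use (`0.15-1` instead of `0.15.1`), which is worth fixing before the line is ever enabled. Left as is, a reader may assume the package already handles directories with spaces, which this hunk gives no evidence of, and for a file-integrity tool that is a coverage question rather than a cosmetic one.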