diff --git a/.aide.metadata b/.aide.metadata new file mode 100644 index 0000000..a8e59ce --- /dev/null +++ b/.aide.metadata @@ -0,0 +1 @@ +b97f65bb12701a42baa2cce45b41ed6367a70734 SOURCES/aide-0.16.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f8be39e --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/aide-0.16.tar.gz diff --git a/SOURCES/README.quickstart b/SOURCES/README.quickstart new file mode 100644 index 0000000..87adc63 --- /dev/null +++ b/SOURCES/README.quickstart @@ -0,0 +1,40 @@ +1) Customize /etc/aide.conf to your liking. In particular, add + important directories and files which you would like to be + covered by integrity checks. Avoid files which are expected + to change frequently or which don't affect the safety of your + system. + +2) Run "/usr/sbin/aide --init" to build the initial database. + With the default setup, that creates /var/lib/aide/aide.db.new.gz + +3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz + in a secure location, e.g. on separate read-only media (such as + CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures + of those files in a secure location, so you have means to verify + that nobody modified those files. + +4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz + which is the location of the input database. + +5) Run "/usr/sbin/aide --check" to check your system for inconsistencies + compared with the AIDE database. Prior to running a check manually, + ensure that the AIDE binary and database have not been modified + without your knowledge. + + Caution! + + With the default setup, an AIDE check is not run periodically as a + cron job. It cannot be guaranteed that the AIDE binaries, config + file and database are intact. It is not recommended that you run + automated AIDE checks without verifying AIDE yourself frequently. + In addition to that, AIDE does not implement any password or + encryption protection for its own files. + + It is up to you how to put a file integrity checker to good effect + and how to set up automated checks if you think it adds a level of + safety (e.g. detecting failed/incomplete compromises or unauthorized + modification of special files). On a compromised system, the + intruder could disable the automated check. Or he could replace the + AIDE binary, config file and database easily when they are not + located on read-only media. + diff --git a/SOURCES/aide-0.15-syslog-format.patch b/SOURCES/aide-0.15-syslog-format.patch new file mode 100644 index 0000000..0361434 --- /dev/null +++ b/SOURCES/aide-0.15-syslog-format.patch @@ -0,0 +1,496 @@ +diff -up ./doc/aide.conf.5.in.syslog_format ./doc/aide.conf.5.in +--- ./doc/aide.conf.5.in.syslog_format 2016-07-25 22:58:12.000000000 +0200 ++++ ./doc/aide.conf.5.in 2018-09-27 19:09:09.697371212 +0200 +@@ -57,6 +57,25 @@ inclusive. This parameter can only be gi + occurrence is used. If \-\-verbose or \-V is used then the value from that + is used. The default is 5. If verbosity is 20 then additional report + output is written when doing \-\-check, \-\-update or \-\-compare. ++.IP "syslog_format" ++Valid values are yes,true,no and false. This option enables new syslog format ++which is suitable for logging. Every change is logged as one simple line. This option ++changes verbose level to 0 and prints everything that was changed. It is suggested ++to use this option with "report_url=syslog:...". Default value is "false/no". ++Maximum size of message is 1KB which is limitation of syslog call. If message is ++greater than limit, message will be truncated. ++Option summarize_changes has no impact for this format. ++.nf ++.eo ++ ++Output always starts with: ++"AIDE found differences between database and filesystem!!" ++And it is followed by summary: ++summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1 ++And finally there are logs about changes: ++dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;... ++.ec ++.fi + .IP "report_url" + The url that the output is written to. There can be multiple instances + of this parameter. Output is written to all of them. The default is +diff -up ./include/db_config.h.syslog_format ./include/db_config.h +--- ./include/db_config.h.syslog_format 2016-07-25 22:56:55.000000000 +0200 ++++ ./include/db_config.h 2018-09-27 19:09:09.697371212 +0200 +@@ -311,6 +311,7 @@ typedef struct db_config { + FILE* db_out; + + int config_check; ++ int syslog_format; + + struct md_container *mdc_in; + struct md_container *mdc_out; +diff -up ./src/aide.c.syslog_format ./src/aide.c +--- ./src/aide.c.syslog_format 2018-09-27 19:09:09.695371197 +0200 ++++ ./src/aide.c 2018-09-27 19:09:09.698371220 +0200 +@@ -283,6 +283,7 @@ static void setdefaults_before_config() + } + + /* Setting some defaults */ ++ conf->syslog_format=0; + conf->report_db=0; + conf->tree=NULL; + conf->config_check=0; +@@ -495,6 +496,10 @@ static void setdefaults_after_config() + if(conf->verbose_level==-1){ + conf->verbose_level=5; + } ++ if(conf->syslog_format==1){ ++ conf->verbose_level=0; ++ } ++ + } + + +diff -up ./src/compare_db.c.syslog_format ./src/compare_db.c +--- ./src/compare_db.c.syslog_format 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/compare_db.c 2018-09-27 19:09:09.698371220 +0200 +@@ -110,7 +110,7 @@ const DB_ATTR_TYPE details_attributes[] + #endif + }; + +-const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size (>)"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512") ++const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512") + #ifdef WITH_MHASH + , _("CRC32"), _("HAVAL"), _("GOST"), _("CRC32B"), _("WHIRLPOOL") + #endif +@@ -269,12 +269,19 @@ static int xattrs2array(xattrs_type* xat + if ((len == xattrs->ents[num - 1].vsz) || ((len == (xattrs->ents[num - 1].vsz - 1)) && !val[len])) { + length = 8 + width + strlen(xattrs->ents[num - 1].key) + strlen(val); + (*values)[num]=malloc(length *sizeof(char)); +- snprintf((*values)[num], length , "[%.*zd] %s = %s", width, num, xattrs->ents[num - 1].key, val); ++ ++ char * fmt = "[%.*zd] %s = %s"; ++ if (conf->syslog_format) fmt = "[%.*zd]%s=%s"; // its smaller so it has to be enough space allocated. ++ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val); ++ + } else { + val = encode_base64(xattrs->ents[num - 1].val, xattrs->ents[num - 1].vsz); + length = 10 + width + strlen(xattrs->ents[num - 1].key) + strlen(val); + (*values)[num]=malloc( length *sizeof(char)); +- snprintf((*values)[num], length , "[%.*zd] %s <=> %s", width, num, xattrs->ents[num - 1].key, val); ++ ++ char * fmt = "[%.*zd] %s <=> %s"; ++ if (conf->syslog_format) fmt = "[%.*zd]%s<=>%s"; // its smaller so it has to be enough space allocated. ++ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val); + free(val); + } + } +@@ -302,6 +309,26 @@ static int acl2array(acl_type* acl, char + } + if (acl->acl_a || acl->acl_d) { + int j, k, i; ++ if (conf->syslog_format) { ++ *values = malloc(2 * sizeof(char*)); ++ ++ char *A, *D = ""; ++ ++ if (acl->acl_a) { A = acl->acl_a; } ++ if (acl->acl_d) { D = acl->acl_d; } ++ ++ (*values)[0] = (char*) malloc(strlen(A) + 3); // "A:" and \0 ++ snprintf((*values)[0], strlen(A) + 3, "A:%s", A); ++ ++ (*values)[1] = (char*) malloc(strlen(D) + 3); // "D:" and \0 ++ snprintf((*values)[1], strlen(D) + 3, "D:%s", D); ++ ++ i = 0; while ( (*values)[0][i] ) { if ( (*values)[0][i]=='\n') { (*values)[0][i] = ' '; } i++; } ++ i = 0; while ( (*values)[1][i] ) { if ( (*values)[1][i]=='\n') { (*values)[1][i] = ' '; } i++; } ++ ++ return 2; ++ } ++ + if (acl->acl_a) { i = 0; while (acl->acl_a[i]) { if (acl->acl_a[i++]=='\n') { n++; } } } + if (acl->acl_d) { i = 0; while (acl->acl_d[i]) { if (acl->acl_d[i++]=='\n') { n++; } } } + *values = malloc(n * sizeof(char*)); +@@ -338,25 +365,25 @@ static char* e2fsattrs2string(unsigned l + + static char* get_file_type_string(mode_t mode) { + switch (mode & S_IFMT) { +- case S_IFREG: return _("File"); +- case S_IFDIR: return _("Directory"); ++ case S_IFREG: return conf->syslog_format ? "file" : _("File"); ++ case S_IFDIR: return conf->syslog_format ? "dir" : _("Directory"); + #ifdef S_IFIFO +- case S_IFIFO: return _("FIFO"); ++ case S_IFIFO: return conf->syslog_format ? "fifo" : _("FIFO"); + #endif +- case S_IFLNK: return _("Link"); +- case S_IFBLK: return _("Block device"); +- case S_IFCHR: return _("Character device"); ++ case S_IFLNK: return conf->syslog_format ? "link" : _("Link"); ++ case S_IFBLK: return conf->syslog_format ? "blockd" : _("Block device"); ++ case S_IFCHR: return conf->syslog_format ? "chard" : _("Character device"); + #ifdef S_IFSOCK +- case S_IFSOCK: return _("Socket"); ++ case S_IFSOCK: return conf->syslog_format ? "socket" : _("Socket"); + #endif + #ifdef S_IFDOOR +- case S_IFDOOR: return _("Door"); ++ case S_IFDOOR: return conf->syslog_format ? "door" : _("Door"); + #endif + #ifdef S_IFPORT +- case S_IFPORT: return _("Port"); ++ case S_IFPORT: return conf->syslog_format ? "port" : _("Port"); + #endif + case 0: return NULL; +- default: return _("Unknown file type"); ++ default: return conf->syslog_format ? "unknown" : _("Unknown file type"); + } + } + +@@ -554,6 +581,51 @@ static void print_dbline_attributes(db_l + } + } + ++ ++static void print_dbline_attributes_syslog(db_line* oline, db_line* nline, DB_ATTR_TYPE ++ changed_attrs, DB_ATTR_TYPE force_attrs) { ++ char **ovalue, **nvalue; ++ int onumber, nnumber, i, j; ++ int length = sizeof(details_attributes)/sizeof(DB_ATTR_TYPE); ++ DB_ATTR_TYPE attrs; ++ char *file_type = get_file_type_string((nline==NULL?oline:nline)->perm); ++ if (file_type) { ++ error(0,"%s=", file_type); ++ } ++ error(0,"%s", (nline==NULL?oline:nline)->filename); ++ attrs=force_attrs|(~(ignored_changed_attrs)&changed_attrs); ++ for (j=0; j < length; ++j) { ++ if (details_attributes[j]&attrs) { ++ onumber=get_attribute_values(details_attributes[j], oline, &ovalue); ++ nnumber=get_attribute_values(details_attributes[j], nline, &nvalue); ++ ++ if (details_attributes[j] == DB_ACL || details_attributes[j] == DB_XATTRS) { ++ ++ error(0, ";%s_old=|", details_string[j]); ++ ++ for (i = 0 ; i < onumber ; i++) { ++ error(0, "%s|", ovalue[i]); ++ } ++ ++ error(0, ";%s_new=|", details_string[j]); ++ ++ for (i = 0 ; i < nnumber ; i++) { ++ error(0, "%s|", nvalue[i]); ++ } ++ ++ } else { ++ ++ error(0, ";%s_old=%s;%s_new=%s", details_string[j], *ovalue, details_string[j], *nvalue); ++ ++ } ++ ++ for(i=0; i < onumber; ++i) { free(ovalue[i]); ovalue[i]=NULL; } free(ovalue); ovalue=NULL; ++ for(i=0; i < nnumber; ++i) { free(nvalue[i]); nvalue[i]=NULL; } free(nvalue); nvalue=NULL; ++ } ++ } ++ error(0, "\n"); ++} ++ + static void print_attributes_added_node(db_line* line) { + print_dbline_attributes(NULL, line, 0, line->attr); + } +@@ -562,6 +634,26 @@ static void print_attributes_removed_nod + print_dbline_attributes(line, NULL, 0, line->attr); + } + ++static void print_attributes_added_node_syslog(db_line* line) { ++ ++ char *file_type = get_file_type_string(line->perm); ++ if (file_type) { ++ error(0,"%s=", file_type); ++ } ++ error(0,"%s; added\n", line->filename); ++ ++} ++ ++static void print_attributes_removed_node_syslog(db_line* line) { ++ ++ char *file_type = get_file_type_string(line->perm); ++ if (file_type) { ++ error(0,"%s=", file_type); ++ } ++ error(0,"%s; removed\n", line->filename); ++ ++} ++ + static void terse_report(seltree* node) { + list* r=NULL; + if ((node->checked&(DB_OLD|DB_NEW)) != 0) { +@@ -626,6 +718,26 @@ static void print_report_details(seltree + } + } + ++static void print_syslog_format(seltree* node) { ++ list* r=NULL; ++ ++ if (node->checked&NODE_CHANGED) { ++ print_dbline_attributes_syslog(node->old_data, node->new_data, node->changed_attrs, forced_attrs); ++ } ++ ++ if (node->checked&NODE_ADDED) { ++ print_attributes_added_node_syslog(node->new_data); ++ } ++ ++ if (node->checked&NODE_REMOVED) { ++ print_attributes_removed_node_syslog(node->old_data); ++ } ++ ++ for(r=node->childs;r;r=r->next){ ++ print_syslog_format((seltree*)r->data); ++ } ++} ++ + static void print_report_header() { + char *time; + int first = 1; +@@ -747,39 +859,53 @@ int gen_report(seltree* node) { + send_audit_report(); + #endif + if ((nadd|nrem|nchg) > 0 || conf->report_quiet == 0) { +- print_report_header(); +- if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) { +- if (conf->grouped) { +- if (nadd) { +- error(2,(char*)report_top_format,_("Added entries")); +- print_report_list(node, NODE_ADDED); +- } +- if (nrem) { +- error(2,(char*)report_top_format,_("Removed entries")); +- print_report_list(node, NODE_REMOVED); +- } +- if (nchg) { +- error(2,(char*)report_top_format,_("Changed entries")); +- print_report_list(node, NODE_CHANGED); +- } +- } else if (nadd || nrem || nchg) { +- if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); } +- else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); } +- else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); } +- else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); } +- else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); } +- else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); } +- else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); } +- print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED); +- } +- if (nadd || nrem || nchg) { +- error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes")); +- print_report_details(node); +- } +- } +- print_report_databases(); +- conf->end_time=time(&(conf->end_time)); +- print_report_footer(); ++ ++ if (!conf->syslog_format) { ++ print_report_header(); ++ } ++ ++ if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) { ++ if (!conf->syslog_format && conf->grouped) { ++ if (nadd) { ++ error(2,(char*)report_top_format,_("Added entries")); ++ print_report_list(node, NODE_ADDED); ++ } ++ if (nrem) { ++ error(2,(char*)report_top_format,_("Removed entries")); ++ print_report_list(node, NODE_REMOVED); ++ } ++ if (nchg) { ++ error(2,(char*)report_top_format,_("Changed entries")); ++ print_report_list(node, NODE_CHANGED); ++ } ++ } else if (!conf->syslog_format && ( nadd || nrem || nchg ) ) { ++ if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); } ++ else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); } ++ else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); } ++ else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); } ++ else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); } ++ else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); } ++ else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); } ++ print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED); ++ } ++ if (nadd || nrem || nchg) { ++ if (!conf->syslog_format) { ++ error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes")); ++ print_report_details(node); ++ } else { ++ /* Syslog Format */ ++ error(0, "AIDE found differences between database and filesystem!!\n"); ++ error(0, "summary;total_number_of_files=%ld;added_files=%ld;" ++ "removed_files=%ld;changed_files=%ld\n",ntotal,nadd,nrem,nchg); ++ print_syslog_format(node); ++ } ++ } ++ } ++ if (!conf->syslog_format) { ++ print_report_databases(); ++ conf->end_time=time(&(conf->end_time)); ++ print_report_footer(); ++ } + } + + return conf->action&(DO_COMPARE|DO_DIFF) ? (nadd!=0)*1+(nrem!=0)*2+(nchg!=0)*4 : 0; +diff -up ./src/conf_lex.l.syslog_format ./src/conf_lex.l +--- ./src/conf_lex.l.syslog_format 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/conf_lex.l 2018-09-27 19:09:09.698371220 +0200 +@@ -401,6 +401,12 @@ int var_in_conflval=0; + return (TROOT_PREFIX); + } + ++^[\t\ ]*"syslog_format"{E} { ++ error(230,"%li:syslog_format =\n",conf_lineno); ++ BEGIN CONFVALHUNT; ++ return (SYSLOG_FORMAT); ++} ++ + ^[\t\ ]*"recstop"{E} { + error(230,"%li:recstop =\n",conf_lineno); + BEGIN CONFVALHUNT; +diff -up ./src/conf_yacc.y.syslog_format ./src/conf_yacc.y +--- ./src/conf_yacc.y.syslog_format 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/conf_yacc.y 2018-09-27 19:09:09.699371228 +0200 +@@ -89,6 +89,7 @@ extern long conf_lineno; + %token TREPORT_URL + %token TGZIPDBOUT + %token TROOT_PREFIX ++%token SYSLOG_FORMAT + %token TUMASK + %token TTRUE + %token TFALSE +@@ -160,7 +161,7 @@ line : rule | equrule | negrule | define + | ifdefstmt | ifndefstmt | ifhoststmt | ifnhoststmt + | groupdef | db_in | db_out | db_new | db_attrs | verbose | report_detailed_init | config_version + | database_add_metadata | report | gzipdbout | root_prefix | report_base16 | report_quiet +- | report_ignore_e2fsattrs | recursion_stopper | warn_dead_symlinks | grouped ++ | report_ignore_e2fsattrs | syslogformat | recursion_stopper | warn_dead_symlinks | grouped + | summarize_changes | acl_no_symlink_follow | beginconfigstmt | endconfigstmt + | TEOF { + newlinelastinconfig=1; +@@ -408,6 +409,15 @@ conf->gzip_dbout=0; + #endif + } ; + ++syslogformat : SYSLOG_FORMAT TTRUE { ++conf->syslog_format=1; ++} | ++ SYSLOG_FORMAT TFALSE { ++conf->syslog_format=0; ++} ; ++ ++ ++ + recursion_stopper : TRECSTOP TSTRING { + /* FIXME implement me */ + +diff -up ./src/error.c.syslog_format ./src/error.c +--- ./src/error.c.syslog_format 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/error.c 2018-09-27 19:13:40.312416750 +0200 +@@ -38,6 +38,9 @@ + /*for locale support*/ + #include "util.h" + ++#define MAX_BUFFER_SIZE 1024 ++static char syslog_buffer[MAX_BUFFER_SIZE+1]; ++ + int cmp_url(url_t* url1,url_t* url2){ + + return ((url1->type==url2->type)&&(strcmp(url1->value,url2->value)==0)); +@@ -48,7 +51,9 @@ int error_init(url_t* url,int initial) + { + list* r=NULL; + FILE* fh=NULL; +- int sfac; ++ int sfac; ++ ++ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1); + + if (url->type==url_database) { + conf->report_db++; +@@ -163,13 +168,24 @@ void error(int errorlevel,char* error_ms + } + #ifdef HAVE_SYSLOG + if(conf->initial_report_url->type==url_syslog){ +-#ifdef HAVE_VSYSLOG +- vsyslog(SYSLOG_PRIORITY,error_msg,ap); +-#else +- char buf[1024]; +- vsnprintf(buf,1024,error_msg,ap); +- syslog(SYSLOG_PRIORITY,"%s",buf); +-#endif ++ ++ char buff[MAX_BUFFER_SIZE+1]; ++ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap); ++ size_t buff_len = strlen(buff); ++ ++ char result_buff[MAX_BUFFER_SIZE+1]; ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wformat-truncation" ++ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff); ++#pragma GCC diagnostic pop ++ ++ if(buff[buff_len-1] == '\n'){ ++ syslog(SYSLOG_PRIORITY,"%s",result_buff); ++ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1); ++ } else { ++ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE); ++ } ++ + va_end(ap); + return; + } +@@ -181,17 +197,25 @@ void error(int errorlevel,char* error_ms + + #ifdef HAVE_SYSLOG + if (conf->report_syslog!=0) { +-#ifdef HAVE_VSYSLOG +- va_start(ap,error_msg); +- vsyslog(SYSLOG_PRIORITY,error_msg,ap); +- va_end(ap); +-#else +- char buf[1024]; +- va_start(ap,error_msg); +- vsnprintf(buf,1024,error_msg,ap); ++ va_start(ap, error_msg); ++ ++ char buff[MAX_BUFFER_SIZE+1]; ++ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap); ++ size_t buff_len = strlen(buff); ++ ++ char result_buff[MAX_BUFFER_SIZE+1]; ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wformat-truncation" ++ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff); ++#pragma GCC diagnostic pop ++ ++ if(buff[buff_len-1] == '\n'){ ++ syslog(SYSLOG_PRIORITY,"%s",result_buff); ++ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1); ++ } else { ++ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE); ++ } + va_end(ap); +- syslog(SYSLOG_PRIORITY,"%s",buf); +-#endif + } + #endif + diff --git a/SOURCES/aide-0.16-crash-elf.patch b/SOURCES/aide-0.16-crash-elf.patch new file mode 100644 index 0000000..5aa3472 --- /dev/null +++ b/SOURCES/aide-0.16-crash-elf.patch @@ -0,0 +1,17 @@ +--- ./src/do_md.c 2018-03-19 05:10:19.994957024 -0400 ++++ ./src/do_md.c 2018-03-19 05:19:05.829957024 -0400 +@@ -135,8 +135,13 @@ + continue; + + while (!bingo && (data = elf_getdata (scn, data)) != NULL) { +- int maxndx = data->d_size / shdr.sh_entsize; ++ int maxndx; + int ndx; ++ ++ if (shdr.sh_entsize != 0) ++ maxndx = data->d_size / shdr.sh_entsize; ++ else ++ continue; + + for (ndx = 0; ndx < maxndx; ++ndx) { + (void) gelf_getdyn (data, ndx, &dyn); diff --git a/SOURCES/aide-0.16-crypto-disable-haval-and-others.patch b/SOURCES/aide-0.16-crypto-disable-haval-and-others.patch new file mode 100644 index 0000000..a066fd9 --- /dev/null +++ b/SOURCES/aide-0.16-crypto-disable-haval-and-others.patch @@ -0,0 +1,153 @@ +diff -up ./include/md.h.crypto ./include/md.h +--- ./include/md.h.crypto 2016-07-25 22:56:55.000000000 +0200 ++++ ./include/md.h 2018-08-29 15:00:30.827491299 +0200 +@@ -149,6 +149,7 @@ int init_md(struct md_container*); + int update_md(struct md_container*,void*,ssize_t); + int close_md(struct md_container*); + void md2line(struct md_container*,struct db_line*); ++DB_ATTR_TYPE get_available_crypto(); + + + #endif /*_MD_H_INCLUDED*/ +diff -up ./src/aide.c.crypto ./src/aide.c +--- ./src/aide.c.crypto 2018-08-29 15:00:30.825491309 +0200 ++++ ./src/aide.c 2018-08-29 15:00:30.827491299 +0200 +@@ -349,7 +349,7 @@ static void setdefaults_before_config() + + conf->db_attrs = 0; + #if defined(WITH_MHASH) || defined(WITH_GCRYPT) +- conf->db_attrs |= DB_MD5|DB_TIGER|DB_HAVAL|DB_CRC32|DB_SHA1|DB_RMD160|DB_SHA256|DB_SHA512; ++ conf->db_attrs |= get_available_crypto(); + #ifdef WITH_MHASH + conf->db_attrs |= DB_GOST; + #ifdef HAVE_MHASH_WHIRLPOOL +diff -up ./src/md.c.crypto ./src/md.c +--- ./src/md.c.crypto 2018-08-29 15:00:30.823491319 +0200 ++++ ./src/md.c 2018-08-29 15:02:28.013903479 +0200 +@@ -78,6 +78,49 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) { + return r; + } + ++const char * hash_gcrypt2str(int i) { ++ char * r = "?"; ++#ifdef WITH_GCRYPT ++ switch (i) { ++ case GCRY_MD_MD5: { ++ r = "MD5"; ++ break; ++ } ++ case GCRY_MD_SHA1: { ++ r = "SHA1"; ++ break; ++ } ++ case GCRY_MD_RMD160: { ++ r = "RMD160"; ++ break; ++ } ++ case GCRY_MD_TIGER: { ++ r = "TIGER"; ++ break; ++ } ++ case GCRY_MD_HAVAL: { ++ r = "HAVAL"; ++ break; ++ } ++ case GCRY_MD_SHA256: { ++ r = "SHA256"; ++ break; ++ } ++ case GCRY_MD_SHA512: { ++ r = "SHA512"; ++ break; ++ } ++ case GCRY_MD_CRC32: { ++ r = "CRC32"; ++ break; ++ } ++ default: ++ break; ++ } ++#endif ++ return r; ++} ++ + DB_ATTR_TYPE hash_mhash2attr(int i) { + DB_ATTR_TYPE r=0; + #ifdef WITH_MHASH +@@ -163,6 +206,44 @@ DB_ATTR_TYPE hash_mhash2attr(int i) { + Initialise md_container according it's todo_attr field + */ + ++DB_ATTR_TYPE get_available_crypto() { ++ ++ DB_ATTR_TYPE ret = 0; ++ ++/* ++ * This function is usually called before config processing ++ * and default verbose level is 5 ++ */ ++#define lvl 255 ++ ++ error(lvl, "get_available_crypto called\n"); ++ ++#ifdef WITH_GCRYPT ++ ++ /* ++ * some initialization for FIPS ++ */ ++ gcry_check_version(NULL); ++ error(lvl, "Found algos:"); ++ ++ for(int i=0;i<=HASH_GCRYPT_COUNT;i++) { ++ ++ if ( (hash_gcrypt2attr(i) & HASH_USE_GCRYPT) == 0 ) ++ continue; ++ ++ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) == 0) { ++ ret |= hash_gcrypt2attr(i); ++ error(lvl, " %s", hash_gcrypt2str(i)); ++ } ++ } ++ error(lvl, "\n"); ++ ++#endif ++ ++ error(lvl, "get_available_crypto_returned with %lld\n", ret); ++ return ret; ++} ++ + int init_md(struct md_container* md) { + + int i; +@@ -201,18 +282,27 @@ int init_md(struct md_container* md) { + } + #endif + #ifdef WITH_GCRYPT +- if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){ ++ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){ + error(0,"gcrypt_md_open failed\n"); + exit(IO_ERROR); + } + for(i=0;i<=HASH_GCRYPT_COUNT;i++) { ++ ++ + if (((hash_gcrypt2attr(i)&HASH_USE_GCRYPT)&md->todo_attr)!=0) { +- DB_ATTR_TYPE h=hash_gcrypt2attr(i); +- error(255,"inserting %llu\n",h); ++ ++ DB_ATTR_TYPE h=hash_gcrypt2attr(i); ++ ++ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) != 0) { ++ error(0,"Algo %s is not available\n", hash_gcrypt2str(i)); ++ exit(-1); ++ } ++ ++ error(255,"inserting %llu\n",h); + if(gcry_md_enable(md->mdh,i)==GPG_ERR_NO_ERROR){ + md->calc_attr|=h; + } else { +- error(0,"gcry_md_enable %i failed",i); ++ error(0,"gcry_md_enable %i failed\n",i); + md->todo_attr&=~h; + } + } diff --git a/SOURCES/aide-0.16b1-fipsfix.patch b/SOURCES/aide-0.16b1-fipsfix.patch new file mode 100644 index 0000000..434d74e --- /dev/null +++ b/SOURCES/aide-0.16b1-fipsfix.patch @@ -0,0 +1,103 @@ +diff -up ./src/aide.c.orig ./aide-0.16b1/src/aide.c +--- ./src/aide.c.orig 2016-07-12 11:10:08.013158385 +0200 ++++ ./src/aide.c 2016-07-12 11:30:54.867833064 +0200 +@@ -511,9 +511,28 @@ int main(int argc,char**argv) + #endif + umask(0177); + init_sighandler(); +- + setdefaults_before_config(); + ++#if WITH_GCRYPT ++ error(255,"Gcrypt library initialization\n"); ++ /* ++ * Initialize libgcrypt as per ++ * http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html ++ * ++ * ++ */ ++ gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0); ++ gcry_control(GCRYCTL_INIT_SECMEM, 1); ++ ++ if(!gcry_check_version(GCRYPT_VERSION)) { ++ error(0,"libgcrypt version mismatch\n"); ++ exit(VERSION_MISMATCH_ERROR); ++ } ++ ++ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); ++#endif /* WITH_GCRYPT */ ++ ++ + if(read_param(argc,argv)==RETFAIL){ + error(0, _("Invalid argument\n") ); + exit(INVALID_ARGUMENT_ERROR); +@@ -646,6 +665,9 @@ int main(int argc,char**argv) + } + #endif + } ++#ifdef WITH_GCRYPT ++ gcry_control(GCRYCTL_TERM_SECMEM, 0); ++#endif /* WITH_GCRYPT */ + return RETOK; + } + const char* aide_key_3=CONFHMACKEY_03; +diff -up ./src/md.c.orig ./aide-0.16b1/src/md.c +--- ./src/md.c.orig 2016-04-15 23:30:16.000000000 +0200 ++++ ./src/md.c 2016-07-12 11:35:04.007675329 +0200 +@@ -201,14 +201,7 @@ int init_md(struct md_container* md) { + } + #endif + #ifdef WITH_GCRYPT +- error(255,"Gcrypt library initialization\n"); +- if(!gcry_check_version(GCRYPT_VERSION)) { +- error(0,"libgcrypt version mismatch\n"); +- exit(VERSION_MISMATCH_ERROR); +- } +- gcry_control(GCRYCTL_DISABLE_SECMEM, 0); +- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); +- if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){ ++ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){ + error(0,"gcrypt_md_open failed\n"); + exit(IO_ERROR); + } +@@ -299,7 +292,7 @@ int close_md(struct md_container* md) { + + /*. There might be more hashes in the library. Add those here.. */ + +- gcry_md_reset(md->mdh); ++ gcry_md_close(md->mdh); + #endif + + #ifdef WITH_MHASH +diff -up ./src/util.c.orig ./aide-0.16b1/src/util.c +--- ./src/util.c.orig 2016-07-12 11:39:17.023437355 +0200 ++++ ./src/util.c 2016-07-12 11:39:51.618721157 +0200 +@@ -519,28 +519,5 @@ int syslog_facility_lookup(char *s) + return(AIDE_SYSLOG_FACILITY); + } + +-/* We need these dummy stubs to fool the linker into believing that +- we do not need them at link time */ +- +-void* dlopen(char*filename,int flag) +-{ +- return NULL; +-} +- +-void* dlsym(void*handle,char*symbol) +-{ +- return NULL; +-} +- +-void* dlclose(void*handle) +-{ +- return NULL; +-} +- +-const char* dlerror(void) +-{ +- return NULL; +-} +- + const char* aide_key_2=CONFHMACKEY_02; + const char* db_key_2=DBHMACKEY_02; diff --git a/SOURCES/aide-0.16rc1-man.patch b/SOURCES/aide-0.16rc1-man.patch new file mode 100644 index 0000000..4715552 --- /dev/null +++ b/SOURCES/aide-0.16rc1-man.patch @@ -0,0 +1,15 @@ +diff -up ./doc/aide.1.in.orig ./doc/aide.1.in +--- ./doc/aide.1.in.orig 2016-07-12 16:10:01.724595895 +0200 ++++ ./doc/aide.1.in 2016-07-12 16:06:21.968639822 +0200 +@@ -103,9 +103,9 @@ echo | base64 \-d | h + .SH FILES + .IP \fB@sysconfdir@/aide.conf\fR + Default aide configuration file. +-.IP \fB@sysconfdir@/aide.db\fR ++.IP \fB@localstatedir@/lib/aide/aide.db\fR + Default aide database. +-.IP \fB@sysconfdir@/aide.db.new\fR ++.IP \fB@localstatedir@/lib/aide/aide.db.new\fR + Default aide output database. + .SH SEE ALSO + .BR aide.conf (5) diff --git a/SOURCES/aide.conf b/SOURCES/aide.conf new file mode 100644 index 0000000..efe1f63 --- /dev/null +++ b/SOURCES/aide.conf @@ -0,0 +1,317 @@ +# Example configuration file for AIDE. + +@@define DBDIR /var/lib/aide +@@define LOGDIR /var/log/aide + +# The location of the database to be read. +database=file:@@{DBDIR}/aide.db.gz + +# The location of the database to be written. +#database_out=sql:host:port:database:login_name:passwd:table +#database_out=file:aide.db.new +database_out=file:@@{DBDIR}/aide.db.new.gz + +# Whether to gzip the output to database +gzip_dbout=yes + +# Default. +verbose=5 + +report_url=file:@@{LOGDIR}/aide.log +report_url=stdout +#report_url=stderr +#NOT IMPLEMENTED report_url=mailto:root@foo.com +#NOT IMPLEMENTED report_url=syslog:LOG_AUTH + +# These are the default rules. +# +#p: permissions +#i: inode: +#n: number of links +#u: user +#g: group +#s: size +#b: block count +#m: mtime +#a: atime +#c: ctime +#S: check for growing size +#acl: Access Control Lists +#selinux SELinux security context +#xattrs: Extended file attributes +#md5: md5 checksum +#sha1: sha1 checksum +#sha256: sha256 checksum +#sha512: sha512 checksum +#rmd160: rmd160 checksum +#tiger: tiger checksum + +#haval: haval checksum (MHASH only) +#gost: gost checksum (MHASH only) +#crc32: crc32 checksum (MHASH only) +#whirlpool: whirlpool checksum (MHASH only) + +#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 +#L: p+i+n+u+g+acl+selinux+xattrs +#E: Empty group +#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs + +# You can create custom rules like this. +# With MHASH... +# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 +ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger +# Everything but access time (Ie. all changes) +EVERYTHING = R+ALLXTRAHASHES + +# Sane +# NORMAL = R+sha512 +NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512 + +# For directories, don't bother doing hashes +DIR = p+i+n+u+g+acl+selinux+xattrs + +# Access control only +PERMS = p+u+g+acl+selinux+xattrs + +# Logfile are special, in that they often change +LOG = p+u+g+n+S+acl+selinux+xattrs + +# Content + file type. +CONTENT = sha512+ftype + +# Extended content + file type + access. +CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs + +# Some files get updated automatically, so the inode/ctime/mtime change +# but we want to know when the data inside them changes +DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512 + +# Next decide what directories/files you want in the database. + +/boot/ CONTENT_EX +/opt/ CONTENT + +# Admins dot files constantly change, just check perms +/root/\..* PERMS +# Otherwise get all of /root. +/root/ CONTENT_EX + +# These are too volatile +!/usr/src/ +!/usr/tmp/ + +# Otherwise get all of /usr. +/usr/ CONTENT_EX + +# trusted databases +/etc/hosts$ CONTENT_EX +/etc/host.conf$ CONTENT_EX +/etc/hostname$ CONTENT_EX +/etc/issue$ CONTENT_EX +/etc/issue.net$ CONTENT_EX +/etc/protocols$ CONTENT_EX +/etc/services$ CONTENT_EX +/etc/localtime$ CONTENT_EX +/etc/alternatives/ CONTENT_EX +/etc/sysconfig/ CONTENT_EX +/etc/mime.types$ CONTENT_EX +/etc/terminfo/ CONTENT_EX +/etc/exports$ CONTENT_EX +/etc/fstab$ CONTENT_EX +/etc/passwd$ CONTENT_EX +/etc/group$ CONTENT_EX +/etc/gshadow$ CONTENT_EX +/etc/shadow$ CONTENT_EX +/etc/subgid$ CONTENT_EX +/etc/subuid$ CONTENT_EX +/etc/security/opasswd$ CONTENT_EX +/etc/skel/ CONTENT_EX +/etc/subuid$ CONTENT_EX +/etc/subgid$ CONTENT_EX +/etc/sssd/ CONTENT_EX +/etc/machine-id$ CONTENT_EX +/etc/swid/ CONTENT_EX +/etc/system-release-cpe$ CONTENT_EX +/etc/shells$ CONTENT_EX +/etc/tmux.conf$ CONTENT_EX +/etc/xattr.conf$ CONTENT_EX + + +# networking +/etc/hosts.allow$ CONTENT_EX +/etc/hosts.deny$ CONTENT_EX +/etc/firewalld/ CONTENT_EX +!/etc/NetworkManager/system-connections/ +/etc/NetworkManager/ CONTENT_EX +/etc/networks$ CONTENT_EX +/etc/dhcp/ CONTENT_EX +/etc/wpa_supplicant/ CONTENT_EX +/etc/resolv.conf$ DATAONLY +/etc/nscd.conf$ CONTENT_EX + +# logins and accounts +/etc/login.defs$ CONTENT_EX +/etc/libuser.conf$ CONTENT_EX +/var/log/faillog$ PERMS +/var/log/lastlog$ PERMS +/var/run/faillock/ PERMS +/etc/pam.d/ CONTENT_EX +/etc/security/ CONTENT_EX +/etc/securetty$ CONTENT_EX +/etc/polkit-1/ CONTENT_EX +/etc/sudo.conf$ CONTENT_EX +/etc/sudoers$ CONTENT_EX +/etc/sudoers.d/ CONTENT_EX + +# Shell/X startup files +/etc/profile$ CONTENT_EX +/etc/profile.d/ CONTENT_EX +/etc/bashrc$ CONTENT_EX +/etc/bash_completion.d/ CONTENT_EX +/etc/zprofile$ CONTENT_EX +/etc/zshrc$ CONTENT_EX +/etc/zlogin$ CONTENT_EX +/etc/zlogout$ CONTENT_EX +/etc/X11/ CONTENT_EX + +# Pkg manager +/etc/dnf/ CONTENT_EX +/etc/yum.conf$ CONTENT_EX +/etc/yum/ CONTENT_EX +/etc/yum.repos.d/ CONTENT_EX + +# This gets new/removes-old filenames daily +!/var/log/sa +# As we are checking it, we've truncated yesterdays size to zero. +!/var/log/aide.log + +# auditing +# AIDE produces an audit record, so this becomes perpetual motion. +/var/log/audit/ PERMS +/etc/audit/ CONTENT_EX +/etc/libaudit.conf$ CONTENT_EX +/etc/aide.conf$ CONTENT_EX + +# System logs +/etc/rsyslog.conf$ CONTENT_EX +/etc/rsyslog.d/ CONTENT_EX +/etc/logrotate.conf$ CONTENT_EX +/etc/logrotate.d/ CONTENT_EX +/etc/systemd/journald.conf$ CONTENT_EX +/var/log/ LOG+ANF+ARF +/var/run/utmp/ LOG + +# secrets +/etc/pkcs11/ CONTENT_EX +/etc/pki/ CONTENT_EX +/etc/crypto-policies/ CONTENT_EX +/etc/certmonger/ CONTENT_EX +/var/lib/systemd/random-seed$ PERMS + +# init system +/etc/systemd/ CONTENT_EX +/etc/rc.d/ CONTENT_EX +/etc/tmpfiles.d/ CONTENT_EX + +# boot config +/etc/default/ CONTENT_EX +/etc/grub.d/ CONTENT_EX +/etc/dracut.conf$ CONTENT_EX +/etc/dracut.conf.d/ CONTENT_EX + +# glibc linker +/etc/ld.so.cache$ CONTENT_EX +/etc/ld.so.conf$ CONTENT_EX +/etc/ld.so.conf.d/ CONTENT_EX +/etc/ld.so.preload$ CONTENT_EX + +# kernel config +/etc/sysctl.conf$ CONTENT_EX +/etc/sysctl.d/ CONTENT_EX +/etc/modprobe.d/ CONTENT_EX +/etc/modules-load.d/ CONTENT_EX +/etc/depmod.d/ CONTENT_EX +/etc/udev/ CONTENT_EX +/etc/crypttab$ CONTENT_EX + +#### Daemons #### + +# cron jobs +/var/spool/at/ CONTENT +/etc/at.allow$ CONTENT +/etc/at.deny$ CONTENT +/var/spool/anacron/ CONTENT +/etc/anacrontab$ CONTENT_EX +/etc/cron.allow$ CONTENT_EX +/etc/cron.deny$ CONTENT_EX +/etc/cron.d/ CONTENT_EX +/etc/cron.daily/ CONTENT_EX +/etc/cron.hourly/ CONTENT_EX +/etc/cron.monthly/ CONTENT_EX +/etc/cron.weekly/ CONTENT_EX +/etc/crontab$ CONTENT_EX +/var/spool/cron/root/ CONTENT + +# time keeping +/etc/chrony.conf$ CONTENT_EX +/etc/chrony.keys$ CONTENT_EX + +# mail +/etc/aliases$ CONTENT_EX +/etc/aliases.db$ CONTENT_EX +/etc/postfix/ CONTENT_EX + +# ssh +/etc/ssh/sshd_config$ CONTENT_EX +/etc/ssh/ssh_config$ CONTENT_EX + +# stunnel +/etc/stunnel/ CONTENT_EX + +# printing +/etc/cups/ CONTENT_EX +/etc/cupshelpers/ CONTENT_EX +/etc/avahi/ CONTENT_EX + +# web server +/etc/httpd/ CONTENT_EX + +# dns +/etc/named/ CONTENT_EX +/etc/named.conf$ CONTENT_EX +/etc/named.iscdlv.key$ CONTENT_EX +/etc/named.rfc1912.zones$ CONTENT_EX +/etc/named.root.key$ CONTENT_EX + +# xinetd +/etc/xinetd.conf$ CONTENT_EX +/etc/xinetd.d/ CONTENT_EX + +# IPsec +/etc/ipsec.conf$ CONTENT_EX +/etc/ipsec.secrets$ CONTENT_EX +/etc/ipsec.d/ CONTENT_EX + +# USB guard +/etc/usbguard/ CONTENT_EX + +# Ignore some files +!/etc/mtab$ +!/etc/.*~ + +# Now everything else +/etc/ PERMS + + +# With AIDE's default verbosity level of 5, these would give lots of +# warnings upon tree traversal. It might change with future version. +# +#=/lost\+found DIR +#=/home DIR + +# Ditto /var/log/sa reason... +!/var/log/and-httpd + +# Admins dot files constantly change, just check perms +/root/\..* PERMS +!/root/.xauth* diff --git a/SOURCES/aide.logrotate b/SOURCES/aide.logrotate new file mode 100644 index 0000000..614c6a6 --- /dev/null +++ b/SOURCES/aide.logrotate @@ -0,0 +1,9 @@ +/var/log/aide/*.log { + weekly + missingok + rotate 4 + compress + delaycompress + copytruncate + minsize 100k +} diff --git a/SOURCES/coverity.patch b/SOURCES/coverity.patch new file mode 100644 index 0000000..9b981be --- /dev/null +++ b/SOURCES/coverity.patch @@ -0,0 +1,642 @@ +diff -up ./include/be.h.coverity ./include/be.h +--- ./include/be.h.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./include/be.h 2018-10-10 19:27:18.680632681 +0200 +@@ -22,6 +22,6 @@ + #define _BE_H_INCLUDED + #include "db_config.h" + +-FILE* be_init(int inout,url_t* u,int iszipped); ++void* be_init(int inout,url_t* u,int iszipped); + + #endif /* _BE_H_INCLUDED */ +diff -up ./include/db_config.h.coverity ./include/db_config.h +--- ./include/db_config.h.coverity 2018-10-10 19:27:18.672632611 +0200 ++++ ./include/db_config.h 2018-10-10 19:27:18.681632689 +0200 +@@ -376,7 +376,7 @@ typedef struct db_config { + #endif + + url_t* initial_report_url; +- FILE* initial_report_fd; ++ void* initial_report_fd; + + /* report_url is a list of url_t*s */ + list* report_url; +diff -up ./src/aide.c.coverity ./src/aide.c +--- ./src/aide.c.coverity 2018-10-10 19:27:18.678632663 +0200 ++++ ./src/aide.c 2018-10-10 19:27:18.681632689 +0200 +@@ -278,7 +278,7 @@ static void setdefaults_before_config() + error(0,_("Couldn't get hostname")); + free(s); + } else { +- s=(char*)realloc((void*)s,strlen(s)+1); ++ // s=(char*)realloc((void*)s,strlen(s)+1); + do_define("HOSTNAME",s); + } + +@@ -506,8 +506,6 @@ static void setdefaults_after_config() + int main(int argc,char**argv) + { + int errorno=0; +- byte* dig=NULL; +- char* digstr=NULL; + + #ifdef USE_LOCALE + setlocale(LC_ALL,""); +@@ -544,6 +542,10 @@ int main(int argc,char**argv) + } + + errorno=commandconf('C',conf->config_file); ++ if (errorno==RETFAIL){ ++ error(0,_("Configuration error\n")); ++ exit(INVALID_CONFIGURELINE_ERROR); ++ } + + errorno=commandconf('D',""); + if (errorno==RETFAIL){ +@@ -594,6 +596,9 @@ int main(int argc,char**argv) + } + } + #ifdef WITH_MHASH ++ byte* dig=NULL; ++ char* digstr=NULL; ++ + if(conf->config_check&&FORCECONFIGMD){ + error(0,"Can't give config checksum when compiled with --enable-forced_configmd\n"); + exit(INVALID_ARGUMENT_ERROR); +diff -up ./src/base64.c.coverity ./src/base64.c +--- ./src/base64.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/base64.c 2018-10-10 19:27:18.681632689 +0200 +@@ -209,6 +209,7 @@ byte* decode_base64(char* src,size_t ssi + case FAIL: + error(3, "decode_base64: Illegal character: %c\n", *inb); + error(230, "decode_base64: Illegal line:\n%s\n", src); ++ free(outbuf); + return NULL; + break; + case SKIP: +@@ -260,7 +261,7 @@ size_t length_base64(char* src,size_t ss + int l; + int left; + size_t pos; +- unsigned long triple; ++ //unsigned long triple; + + error(235, "decode base64\n"); + /* Exit on empty input */ +@@ -273,7 +274,7 @@ size_t length_base64(char* src,size_t ss + inb = src; + + l = 0; +- triple = 0; ++ //triple = 0; + pos=0; + left = ssize; + /* +@@ -293,7 +294,7 @@ size_t length_base64(char* src,size_t ss + case SKIP: + break; + default: +- triple = triple<<6 | (0x3f & i); ++ //triple = triple<<6 | (0x3f & i); + l++; + break; + } +@@ -302,10 +303,10 @@ size_t length_base64(char* src,size_t ss + switch(l) + { + case 2: +- triple = triple>>4; ++ //triple = triple>>4; + break; + case 3: +- triple = triple>>2; ++ //triple = triple>>2; + break; + default: + break; +@@ -314,7 +315,7 @@ size_t length_base64(char* src,size_t ss + { + pos++; + } +- triple = 0; ++ //triple = 0; + l = 0; + } + inb++; +diff -up ./src/be.c.coverity ./src/be.c +--- ./src/be.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/be.c 2018-10-10 19:27:18.681632689 +0200 +@@ -117,9 +117,9 @@ static char* get_first_value(char** in){ + + #endif + +-FILE* be_init(int inout,url_t* u,int iszipped) ++void* be_init(int inout,url_t* u,int iszipped) + { +- FILE* fh=NULL; ++ void* fh=NULL; + long a=0; + char* err=NULL; + int fd; +diff -up ./src/commandconf.c.coverity ./src/commandconf.c +--- ./src/commandconf.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/commandconf.c 2018-10-10 19:27:18.682632698 +0200 +@@ -106,7 +106,7 @@ int commandconf(const char mode,const ch + rv=0; + } else { + +- rv=access(config,R_OK); ++ if (config != NULL) rv=access(config,R_OK); + if(rv==-1){ + error(0,_("Cannot access config file: %s: %s\n"),config,strerror(errno)); + } +@@ -166,14 +166,11 @@ int commandconf(const char mode,const ch + int conf_input_wrapper(char* buf, int max_size, FILE* in) + { + int retval=0; +- int c=0; +- char* tmp=NULL; +- void* key=NULL; +- int keylen=0; + + /* FIXME Add support for gzipped config. :) */ + #ifdef WITH_MHASH + /* Read a character at a time until we are doing md */ ++ int c=0; + if(conf->do_configmd){ + retval=fread(buf,1,max_size,in); + }else { +@@ -185,6 +182,9 @@ int conf_input_wrapper(char* buf, int ma + #endif + + #ifdef WITH_MHASH ++ char* tmp=NULL; ++ void* key=NULL; ++ int keylen=0; + if(conf->do_configmd||conf->config_check){ + if(((conf->do_configmd==1)&&conf->config_check)||!conf->confmd){ + if(conf->do_configmd==1){ +@@ -276,6 +276,9 @@ int db_input_wrapper(char* buf, int max_ + #endif + break; + } ++ default: { ++ return 0; ++ } + } + + #ifdef WITH_CURL +@@ -651,7 +654,6 @@ int handle_endif(int doit,int allow_else + case 0 : { + conferror("@@endif or @@else expected"); + return -1; +- count=0; + } + + default : { +@@ -816,6 +818,7 @@ void do_dbdef(int dbtype,char* val) + if(u==NULL||u->type==url_unknown||u->type==url_stdout + ||u->type==url_stderr) { + error(0,_("Unsupported input URL-type:%s\n"),val); ++ free(u); + } + else { + *conf_db_url=u; +@@ -825,6 +828,7 @@ void do_dbdef(int dbtype,char* val) + case DB_WRITE: { + if(u==NULL||u->type==url_unknown||u->type==url_stdin){ + error(0,_("Unsupported output URL-type:%s\n"),val); ++ free(u); + } + else{ + conf->db_out_url=u; +@@ -848,6 +852,7 @@ void do_dbindef(char* val) + if(u==NULL||u->type==url_unknown||u->type==url_stdout + ||u->type==url_stderr) { + error(0,_("Unsupported input URL-type:%s\n"),val); ++ free(u); + } + else { + conf->db_in_url=u; +@@ -869,6 +874,7 @@ void do_dboutdef(char* val) + * both input and output urls */ + if(u==NULL||u->type==url_unknown||u->type==url_stdin){ + error(0,_("Unsupported output URL-type:%s\n"),val); ++ free(u); + } + else{ + conf->db_out_url=u; +@@ -894,7 +900,8 @@ void do_repurldef(char* val) + } else { + error_init(u,0); + } +- ++ ++ free(u); + } + + void do_verbdef(char* val) +@@ -984,7 +991,7 @@ void do_report_ignore_e2fsattrs(char* va + break; + } + } +- *val++; ++ val++; + } + } + #endif +diff -up ./src/compare_db.c.coverity ./src/compare_db.c +--- ./src/compare_db.c.coverity 2018-10-10 19:27:18.673632619 +0200 ++++ ./src/compare_db.c 2018-10-10 19:27:18.682632698 +0200 +@@ -312,7 +312,7 @@ static int acl2array(acl_type* acl, char + if (conf->syslog_format) { + *values = malloc(2 * sizeof(char*)); + +- char *A, *D = ""; ++ char *A= "", *D = ""; + + if (acl->acl_a) { A = acl->acl_a; } + if (acl->acl_d) { D = acl->acl_d; } +diff -up ./src/conf_lex.l.coverity ./src/conf_lex.l +--- ./src/conf_lex.l.coverity 2018-10-10 19:27:18.673632619 +0200 ++++ ./src/conf_lex.l 2018-10-10 19:27:18.682632698 +0200 +@@ -133,7 +133,7 @@ int var_in_conflval=0; + [\ \t]*\n { + conf_lineno++; + return (TNEWLINE); +- BEGIN 0; ++// BEGIN 0; + } + + \+ { +diff -up ./src/db.c.coverity ./src/db.c +--- ./src/db.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/db.c 2018-10-10 19:27:18.683632707 +0200 +@@ -27,6 +27,7 @@ + #include "db_file.h" + #include "db_disk.h" + #include "md.h" ++#include "fopen.h" + + #ifdef WITH_PSQL + #include "db_sql.h" +@@ -269,6 +270,9 @@ db_line* db_readline(int db){ + db_order=&(conf->db_new_order); + break; + } ++ default: { ++ return NULL; ++ } + } + + switch (db_url->type) { +@@ -368,7 +372,7 @@ db_line* db_char2line(char** ss,int db){ + + int i; + db_line* line=(db_line*)malloc(sizeof(db_line)*1); +- int* db_osize=0; ++ int* db_osize=NULL; + DB_FIELD** db_order=NULL; + + switch (db) { +@@ -382,6 +386,10 @@ db_line* db_char2line(char** ss,int db){ + db_order=&(conf->db_new_order); + break; + } ++ default: { ++ free(line); ++ return NULL; ++ } + } + + +@@ -601,7 +609,9 @@ db_line* db_char2line(char** ss,int db){ + size_t vsz = 0; + + tval = strtok(NULL, ","); +- line->xattrs->ents[num].key = db_readchar(strdup(tval)); ++ char * tmp = strdup(tval); ++ line->xattrs->ents[num].key = db_readchar(tmp); ++ free(tmp); + tval = strtok(NULL, ","); + val = base64tobyte(tval, strlen(tval), &vsz); + line->xattrs->ents[num].val = val; +@@ -648,6 +658,8 @@ db_line* db_char2line(char** ss,int db){ + + default : { + error(0,_("Not implemented in db_char2line %i \n"),(*db_order)[i]); ++ free_db_line(line); ++ free(line); + return NULL; + } + +@@ -826,7 +838,7 @@ void db_close() { + case url_ftp: + { + if (conf->db_out!=NULL) { +- url_fclose(conf->db_out); ++ url_fclose((URL_FILE*)conf->db_out); + } + break; + } +diff -up ./src/db_disk.c.coverity ./src/db_disk.c +--- ./src/db_disk.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/db_disk.c 2018-10-10 19:28:00.108995089 +0200 +@@ -79,9 +79,15 @@ static DIR *open_dir(char* path) { + + static void next_in_dir (void) + { ++ + #ifdef HAVE_READDIR_R +- if (dirh != NULL) ++ if (dirh != NULL) { ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wdeprecated-declarations" + rdres = AIDE_READDIR_R_FUNC (dirh, entp, resp); ++#pragma GCC diagnostic pop ++ } ++ + #else + #ifdef HAVE_READDIR + if (dirh != NULL) { +diff -up ./src/db_file.c.coverity ./src/db_file.c +--- ./src/db_file.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/db_file.c 2018-10-10 19:27:18.683632707 +0200 +@@ -171,7 +171,7 @@ int dofprintf( const char* s,...) + int db_file_read_spec(int db){ + + int i=0; +- int* db_osize=0; ++ int* db_osize=NULL; + DB_FIELD** db_order=NULL; + + switch (db) { +@@ -187,6 +187,9 @@ int db_file_read_spec(int db){ + db_lineno=&db_new_lineno; + break; + } ++ default: { ++ return RETFAIL; ++ } + } + + *db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD)); +@@ -198,13 +201,10 @@ int db_file_read_spec(int db){ + int l; + + +- /* Yes... we do not check if realloc returns nonnull */ +- +- *db_order=(DB_FIELD*) +- realloc((void*)*db_order, ++ void * tmp = realloc((void*)*db_order, + ((*db_osize)+1)*sizeof(DB_FIELD)); +- +- if(*db_order==NULL){ ++ if (tmp != NULL) *db_order=(DB_FIELD*) tmp; ++ else { + return RETFAIL; + } + +@@ -291,8 +291,8 @@ char** db_readline_file(int db){ + int* domd=NULL; + #ifdef WITH_MHASH + MHASH* md=NULL; +-#endif + char** oldmdstr=NULL; ++#endif + int* db_osize=0; + DB_FIELD** db_order=NULL; + FILE** db_filep=NULL; +@@ -302,9 +302,9 @@ char** db_readline_file(int db){ + case DB_OLD: { + #ifdef WITH_MHASH + md=&(conf->dboldmd); ++ oldmdstr=&(conf->old_dboldmdstr); + #endif + domd=&(conf->do_dboldmd); +- oldmdstr=&(conf->old_dboldmdstr); + + db_osize=&(conf->db_in_size); + db_order=&(conf->db_in_order); +@@ -316,9 +316,9 @@ char** db_readline_file(int db){ + case DB_NEW: { + #ifdef WITH_MHASH + md=&(conf->dbnewmd); ++ oldmdstr=&(conf->old_dbnewmdstr); + #endif + domd=&(conf->do_dbnewmd); +- oldmdstr=&(conf->old_dbnewmdstr); + + db_osize=&(conf->db_new_size); + db_order=&(conf->db_new_order); +@@ -328,7 +328,9 @@ char** db_readline_file(int db){ + break; + } + } +- ++ ++ if (db_osize == NULL) return NULL; ++ + if (*db_osize==0) { + db_buff(db,*db_filep); + +@@ -737,8 +739,6 @@ int db_writespec_file(db_config* dbconf) + int i=0; + int j=0; + int retval=1; +- void*key=NULL; +- int keylen=0; + struct tm* st; + time_t tim=time(&tim); + st=localtime(&tim); +@@ -750,6 +750,8 @@ int db_writespec_file(db_config* dbconf) + + #ifdef WITH_MHASH + /* From hereon everything must MD'd before write to db */ ++ void*key=NULL; ++ int keylen=0; + if((key=get_db_key())!=NULL){ + keylen=get_db_key_len(); + dbconf->do_dbnewmd=1; +diff -up ./src/do_md.c.coverity ./src/do_md.c +--- ./src/do_md.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/do_md.c 2018-10-10 19:27:18.683632707 +0200 +@@ -202,7 +202,6 @@ void calc_md(struct AIDE_STAT_TYPE* old_ + and we don't read from a pipe :) + */ + struct AIDE_STAT_TYPE fs; +- int sres=0; + int stat_diff,filedes; + #ifdef WITH_PRELINK + pid_t pid; +@@ -237,7 +236,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_ + return; + } + +- sres=AIDE_FSTAT_FUNC(filedes,&fs); ++ AIDE_FSTAT_FUNC(filedes,&fs); + if(!(line->attr&DB_RDEV)) + fs.st_rdev=0; + +@@ -331,7 +330,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_ + } + #endif + #endif /* not HAVE_MMAP */ +- buf=malloc(READ_BLOCK_SIZE); ++// buf=malloc(READ_BLOCK_SIZE); + #if READ_BLOCK_SIZE>SSIZE_MAX + #error "READ_BLOCK_SIZE" is too large. Max value is SSIZE_MAX, and current is READ_BLOCK_SIZE + #endif +diff -up ./src/gen_list.c.coverity ./src/gen_list.c +--- ./src/gen_list.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/gen_list.c 2018-10-10 19:27:18.684632716 +0200 +@@ -843,15 +843,15 @@ static void add_file_to_tree(seltree* tr + DB_ATTR_TYPE localignorelist=0; + DB_ATTR_TYPE ignored_added_attrs, ignored_removed_attrs, ignored_changed_attrs; + ++ if(file==NULL){ ++ error(0, "add_file_to_tree was called with NULL db_line\n"); ++ } ++ + node=get_seltree_node(tree,file->filename); + + if(!node){ + node=new_seltree_node(tree,file->filename,0,NULL); + } +- +- if(file==NULL){ +- error(0, "add_file_to_tree was called with NULL db_line\n"); +- } + + /* add note to this node which db has modified it */ + node->checked|=db; +diff -up ./src/md.c.coverity ./src/md.c +--- ./src/md.c.coverity 2018-10-10 19:27:18.679632672 +0200 ++++ ./src/md.c 2018-10-10 19:27:18.684632716 +0200 +@@ -36,8 +36,8 @@ + */ + + DB_ATTR_TYPE hash_gcrypt2attr(int i) { +- DB_ATTR_TYPE r=0; + #ifdef WITH_GCRYPT ++ DB_ATTR_TYPE r=0; + switch (i) { + case GCRY_MD_MD5: { + r=DB_MD5; +@@ -74,13 +74,15 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) { + default: + break; + } +-#endif + return r; ++#else /* !WITH_GCRYPT */ ++ return 0; ++#endif + } + + const char * hash_gcrypt2str(int i) { +- char * r = "?"; + #ifdef WITH_GCRYPT ++ char * r = "?"; + switch (i) { + case GCRY_MD_MD5: { + r = "MD5"; +@@ -117,13 +119,17 @@ const char * hash_gcrypt2str(int i) { + default: + break; + } +-#endif + return r; ++#else /* !WITH_GCRYPT */ ++ return "?"; ++#endif + } + ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-parameter" + DB_ATTR_TYPE hash_mhash2attr(int i) { +- DB_ATTR_TYPE r=0; + #ifdef WITH_MHASH ++ DB_ATTR_TYPE r=0; + switch (i) { + case MHASH_CRC32: { + r=DB_CRC32; +@@ -198,10 +204,15 @@ DB_ATTR_TYPE hash_mhash2attr(int i) { + default: + break; + } +-#endif ++ + return r; ++#else /*!WITH_MHASH */ ++ return 0; ++#endif + } + ++#pragma GCC diagnostic pop ++ + /* + Initialise md_container according it's todo_attr field + */ +@@ -317,7 +328,6 @@ int init_md(struct md_container* md) { + */ + + int update_md(struct md_container* md,void* data,ssize_t size) { +- int i; + + error(255,"update_md called\n"); + +@@ -328,6 +338,7 @@ int update_md(struct md_container* md,vo + #endif + + #ifdef WITH_MHASH ++ int i; + + for(i=0;i<=HASH_MHASH_COUNT;i++) { + if (md->mhash_mdh[i]!=MHASH_FAILED) { +@@ -348,7 +359,6 @@ int update_md(struct md_container* md,vo + */ + + int close_md(struct md_container* md) { +- int i; + #ifdef _PARAMETER_CHECK_ + if (md==NULL) { + return RETFAIL; +@@ -356,6 +366,7 @@ int close_md(struct md_container* md) { + #endif + error(255,"close_md called \n"); + #ifdef WITH_MHASH ++ int i; + for(i=0;i<=HASH_MHASH_COUNT;i++) { + if (md->mhash_mdh[i]!=MHASH_FAILED) { + mhash (md->mhash_mdh[i], NULL, 0); +diff -up ./src/util.c.coverity ./src/util.c +--- ./src/util.c.coverity 2018-10-10 19:27:18.670632593 +0200 ++++ ./src/util.c 2018-10-10 19:27:18.684632716 +0200 +@@ -105,13 +105,15 @@ url_t* parse_url(char* val) + for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++); + if(r[0]=='\0'){ + error(0,"Invalid file-URL,no path after hostname: file:%s\n",t); ++ free(hostname); + return NULL; + } + u->value=strdup(r); + r[0]='\0'; + if(gethostname(hostname,MAXHOSTNAMELEN)==-1){ +- strncpy(hostname,"localhost", 10); ++ strncpy(hostname,"localhost", 10); + } ++ + if( (strcmp(t,"localhost")==0)||(strcmp(t,hostname)==0)){ + free(hostname); + break; +@@ -120,7 +122,7 @@ url_t* parse_url(char* val) + free(hostname); + return NULL; + } +- free(hostname); ++ + break; + } + u->value=strdup(r); diff --git a/SOURCES/coverity2.patch b/SOURCES/coverity2.patch new file mode 100644 index 0000000..5052ba3 --- /dev/null +++ b/SOURCES/coverity2.patch @@ -0,0 +1,31 @@ +diff --up ./src/compare_db.c ./src/compare_db.c +--- ./src/compare_db.c ++++ ./src/compare_db.c +@@ -438,7 +438,11 @@ snprintf(*values[0], l, "%s",s); + } else { + *values = malloc(1 * sizeof (char*)); + if (DB_FTYPE&attr) { +- easy_string(get_file_type_string(line->perm)) ++ char *file_type = get_file_type_string(line->perm); ++ if (!file_type) { ++ error(2,"%s: ", file_type); ++ } ++ easy_string(file_type) + } else if (DB_LINKNAME&attr) { + easy_string(line->linkname) + easy_number((DB_SIZE|DB_SIZEG),size,"%li") +diff -up ./src/db_file.c ./src/db_file.c +--- ./src/db_file.c ++++ ./src/db_file.c +@@ -194,6 +194,10 @@ int db_file_read_spec(int db){ + + *db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD)); + ++ if (*db_order == NULL){ ++ error(1,"malloc for *db_order failed in %s", __func__); ++ } ++ + while ((i=db_scan())!=TNEWLINE){ + switch (i) { + + diff --git a/SPECS/aide.spec b/SPECS/aide.spec new file mode 100644 index 0000000..8cc3cf1 --- /dev/null +++ b/SPECS/aide.spec @@ -0,0 +1,326 @@ +Summary: Intrusion detection environment +Name: aide +Version: 0.16 +Release: 12%{?dist} +URL: http://sourceforge.net/projects/aide +License: GPLv2+ + + +Source0: %{url}/files/aide/%{version}/%{name}-%{version}.tar.gz +Source1: aide.conf +Source2: README.quickstart +Source3: aide.logrotate + +BuildRequires: gcc +BuildRequires: make +BuildRequires: bison flex +BuildRequires: pcre-devel +BuildRequires: libgpg-error-devel libgcrypt-devel +BuildRequires: zlib-devel +BuildRequires: libcurl-devel +BuildRequires: libacl-devel +BuildRequires: pkgconfig(libselinux) +BuildRequires: libattr-devel +BuildRequires: e2fsprogs-devel +Buildrequires: audit-libs-devel + +# Customize the database file location in the man page. +Patch1: aide-0.16rc1-man.patch +# fix aide in FIPS mode +Patch2: aide-0.16b1-fipsfix.patch + +Patch3: aide-0.15-syslog-format.patch +Patch4: aide-0.16-crypto-disable-haval-and-others.patch +Patch5: coverity.patch +Patch6: aide-0.16-crash-elf.patch + +# 1676487 - Null pointer dereference fix spotted by coverity +Patch7: coverity2.patch + +%description +AIDE (Advanced Intrusion Detection Environment) is a file integrity +checker and intrusion detection program. + +%prep +%autosetup -p1 + +cp -a %{S:2} . + +%build +%configure \ + --disable-static \ + --with-config_file=%{_sysconfdir}/aide.conf \ + --with-gcrypt \ + --with-zlib \ + --with-curl \ + --with-posix-acl \ + --with-selinux \ + --with-xattr \ + --with-e2fsattrs \ + --with-audit + +%make_build + +%install +%make_install bindir=%{_sbindir} +install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:1} +install -Dpm0644 %{S:3} %{buildroot}%{_sysconfdir}/logrotate.d/aide +mkdir -p %{buildroot}%{_localstatedir}/log/aide +mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide + +%files +%license COPYING +%doc AUTHORS ChangeLog NEWS README doc/manual.html contrib/ +%doc README.quickstart +%{_sbindir}/aide +%{_mandir}/man1/*.1* +%{_mandir}/man5/*.5* +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/aide.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/aide +%dir %attr(0700,root,root) %{_localstatedir}/lib/aide +%dir %attr(0700,root,root) %{_localstatedir}/log/aide + +%changelog +* Mon Apr 06 2020 Attila Lakatos - 0.16-12 +- RHEL 8.3 +- minor edit of aide.conf + resolves: rhbz#1740754 +- do not generate false warnings when report_ignore_e2fsattrs is specified in aide.conf + resolves: rhbz#1806323 + +* Wed Jul 24 2019 Radovan Sroka - 0.16-11 +- rebuild +- minor edit of aide.conf + +* Tue Jul 23 2019 Radovan Sroka - 0.16-10 +- respin +- minor edit of aide.conf + +* Tue Jul 23 2019 Radovan Sroka - 0.16-9 +- Null pointer dereference fix spotted by coverity + resolves: rhbz#1676487 +- aide.conf needs updates for RHEL 8 + resolves: rhbz#1708015 + +* Tue Oct 09 2018 Radovan Sroka - 0.16-8 +- fixed wrong line wrapping of messages in the syslog format + resolves: rhbz#1628153 +- fixed coverity issues + resolves: rhbz#1602441 +- fixed crash when processing .dynamic section + resolves: rhbz#1597250 + +* Wed Aug 29 2018 Radovan Sroka - 0.16-7 +- fixed crypto problem with libgcrypt (fips) +- resolves: rhbz#1623045 + +* Wed Aug 22 2018 Radovan Sroka - 0.16-6 +- ported syslog format from rhel7 + resolves: rhbz#1584136 +- fixed crypto problem with libgcrypt + resolves: rhbz#1584120 + +* Wed Feb 07 2018 Fedora Release Engineering - 0.16-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Aug 02 2017 Fedora Release Engineering - 0.16-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.16-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Apr 05 2017 Radovan Sroka - 0.16-2 +- fixed upstream link + +* Tue Apr 04 2017 Radovan Sroka - 0.16-1 +- rebase to stable v0.16 +- specfile cleanup +- make doc readable + resolves: #1421355 +- make aide binary runable for any user + resolves: #1421351 + +* Fri Feb 10 2017 Fedora Release Engineering - 0.16-0.3.rc1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Jul 12 2016 Tomas Sykora - 0.16-0.2.rc1 +- New upstream devel version + +* Mon Jun 20 2016 Tomas Sykora - 0.16-0.1.b1 +- New upstream devel version + +* Wed Feb 03 2016 Fedora Release Engineering - 0.15.1-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Sat Jul 25 2015 Till Maas - 0.15.1-11 +- Remove prelink dependency because prelink was retired + +* Tue Jun 16 2015 Fedora Release Engineering - 0.15.1-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Fri Aug 15 2014 Fedora Release Engineering - 0.15.1-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Fri Jul 18 2014 Yaakov Selkowitz - 0.15.1-8 +- Fix FTBFS with -Werror=format-security (#1036983, #1105942) +- Avoid prelink BR on aarch64, ppc64le (#924977, #1078476) + +* Sat Jun 07 2014 Fedora Release Engineering - 0.15.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Aug 03 2013 Fedora Release Engineering - 0.15.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Feb 13 2013 Fedora Release Engineering - 0.15.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Nov 22 2012 Daniel Kopecek - 0.15.1-4 +- added patch to fix aide in FIPS mode +- use only FIPS approved digest algorithms in aide.conf so that + aide works by default in FIPS mode + +* Wed Jul 18 2012 Fedora Release Engineering - 0.15.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jan 12 2012 Fedora Release Engineering - 0.15.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Nov 11 2010 Steve Grubb - 0.15.1-1 +- New upstream release + +* Tue May 18 2010 Steve Grubb - 0.14-5 +- Apply 2 upstream bug fixes + +* Tue May 18 2010 Steve Grubb - 0.14-4 +- Use upstream's patch to fix bz 590566 + +* Sat May 15 2010 Steve Grubb - 0.14-3 +- Fix bz 590561 aide does not detect the change of SElinux context +- Fix bz 590566 aide reports a changed file when it has not been changed + +* Wed Apr 28 2010 Steve Grubb - 0.14-2 +- Fix bz 574764 by replacing abort calls with exit +- Apply libgcrypt init patch + +* Tue Mar 16 2010 Steve Grubb - 0.14-1 +- New upstream release final 0.14 + +* Thu Feb 25 2010 Steve Grubb - 0.14-0.4.rc3 +- New upstream release + +* Thu Feb 25 2010 Steve Grubb - 0.14-0.3.rc2 +- New upstream release + +* Tue Feb 23 2010 Steve Grubb - 0.14-0.2.rc1 +- Fix dirent detection on 64bit systems + +* Mon Feb 22 2010 Steve Grubb - 0.14-0.1.rc1 +- New upstream release + +* Fri Feb 19 2010 Steve Grubb - 0.13.1-16 +- Add logrotate script and spec file cleanups + +* Fri Dec 11 2009 Steve Grubb - 0.13.1-15 +- Get rid of .dedosify files + +* Wed Dec 09 2009 Steve Grubb - 0.13.1-14 +- Revise patch for Initialize libgcrypt correctly (#530485) + +* Sat Nov 07 2009 Steve Grubb - 0.13.1-13 +- Initialize libgcrypt correctly (#530485) + +* Fri Aug 21 2009 Tomas Mraz - 0.13.1-12 +- rebuilt with new audit + +* Wed Aug 19 2009 Steve Grubb 0.13.1-11 +- rebuild for new audit-libs +- Correct regex for root's dot files (#509370) + +* Fri Jul 24 2009 Fedora Release Engineering - 0.13.1-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jun 08 2009 Steve Grubb - 0.13.1-9 +- Make aide smarter about prelinked files (Peter Vrabec) +- Add /lib64 to default config + +* Mon Feb 23 2009 Fedora Release Engineering - 0.13.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Fri Jan 30 2009 Steve Grubb - 0.13.1-6 +- enable xattr support and update config file + +* Fri Sep 26 2008 Tom "spot" Callaway - 0.13.1-5 +- fix selcon patch to apply without fuzz + +* Fri Feb 15 2008 Steve Conklin +- rebuild for gcc4.3 + +* Tue Aug 21 2007 Michael Schwendt +- rebuilt + +* Sun Jul 22 2007 Michael Schwendt - 0.13.1-2 +- Apply Steve Conklin's patch to increase displayed portion of + selinux context. + +* Sun Dec 17 2006 Michael Schwendt - 0.13.1-1 +- Update to 0.13.1 release. + +* Sun Dec 10 2006 Michael Schwendt - 0.13-1 +- Update to 0.13 release. +- Include default aide.conf from RHEL5 as doc example file. + +* Sun Oct 29 2006 Michael Schwendt - 0.12-3.20061027cvs +- CAUTION! This changes the database format and results in a report of + false inconsistencies until an old database file is updated. +- Check out CVS 20061027 which now contains Red Hat's + acl/xattr/selinux/audit patches. +- Patches merged upstream. +- Update manual page substitutions. + +* Mon Oct 23 2006 Michael Schwendt - 0.12-2 +- Add "memory leaks and performance updates" patch as posted + to aide-devel by Steve Grubb. + +* Sat Oct 07 2006 Michael Schwendt - 0.12-1 +- Update to 0.12 release. +- now offers --disable-static, so -no-static patch is obsolete +- fill last element of getopt struct array with zeroes + +* Mon Oct 02 2006 Michael Schwendt - 0.11-3 +- rebuilt + +* Mon Sep 11 2006 Michael Schwendt - 0.11-2 +- rebuilt + +* Sun Feb 19 2006 Michael Schwendt - 0.11-1 +- Update to 0.11 release. +- useless-includes patch merged upstream. +- old Russian man pages not available anymore. +- disable static linking. + +* Thu Apr 7 2005 Michael Schwendt +- rebuilt + +* Fri Nov 28 2003 Michael Schwendt - 0:0.10-0.fdr.1 +- Update to 0.10 release. +- memleaks patch merged upstream. +- rootpath patch merged upstream. +- fstat patch not needed anymore. +- Updated URL. + +* Thu Nov 13 2003 Michael Schwendt - 0:0.10-0.fdr.0.2.cvs20031104 +- Added buildreq m4 to work around incomplete deps of bison package. + +* Tue Nov 04 2003 Michael Schwendt - 0:0.10-0.fdr.0.1.cvs20031104 +- Only tar.gz available upstream. +- byacc not needed when bison -y is available. +- Installed Russian manual pages. +- Updated with changes from CVS (2003-11-04). +- getopt patch merged upstream. +- bison-1.35 patch incorporated upstream. + +* Tue Sep 09 2003 Michael Schwendt - 0:0.9-0.fdr.0.2.20030902 +- Added fixes for further memleaks. + +* Sun Sep 07 2003 Michael Schwendt - 0:0.9-0.fdr.0.1.20030902 +- Initial package version.