diff --git a/.aide.metadata b/.aide.metadata new file mode 100644 index 0000000..a8e59ce --- /dev/null +++ b/.aide.metadata @@ -0,0 +1 @@ +b97f65bb12701a42baa2cce45b41ed6367a70734 SOURCES/aide-0.16.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f8be39e --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/aide-0.16.tar.gz diff --git a/SOURCES/README.quickstart b/SOURCES/README.quickstart new file mode 100644 index 0000000..87adc63 --- /dev/null +++ b/SOURCES/README.quickstart @@ -0,0 +1,40 @@ +1) Customize /etc/aide.conf to your liking. In particular, add + important directories and files which you would like to be + covered by integrity checks. Avoid files which are expected + to change frequently or which don't affect the safety of your + system. + +2) Run "/usr/sbin/aide --init" to build the initial database. + With the default setup, that creates /var/lib/aide/aide.db.new.gz + +3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz + in a secure location, e.g. on separate read-only media (such as + CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures + of those files in a secure location, so you have means to verify + that nobody modified those files. + +4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz + which is the location of the input database. + +5) Run "/usr/sbin/aide --check" to check your system for inconsistencies + compared with the AIDE database. Prior to running a check manually, + ensure that the AIDE binary and database have not been modified + without your knowledge. + + Caution! + + With the default setup, an AIDE check is not run periodically as a + cron job. It cannot be guaranteed that the AIDE binaries, config + file and database are intact. It is not recommended that you run + automated AIDE checks without verifying AIDE yourself frequently. + In addition to that, AIDE does not implement any password or + encryption protection for its own files. + + It is up to you how to put a file integrity checker to good effect + and how to set up automated checks if you think it adds a level of + safety (e.g. detecting failed/incomplete compromises or unauthorized + modification of special files). On a compromised system, the + intruder could disable the automated check. Or he could replace the + AIDE binary, config file and database easily when they are not + located on read-only media. + diff --git a/SOURCES/aide-0.15-syslog-format.patch b/SOURCES/aide-0.15-syslog-format.patch new file mode 100644 index 0000000..0361434 --- /dev/null +++ b/SOURCES/aide-0.15-syslog-format.patch @@ -0,0 +1,496 @@ +diff -up ./doc/aide.conf.5.in.syslog_format ./doc/aide.conf.5.in +--- ./doc/aide.conf.5.in.syslog_format 2016-07-25 22:58:12.000000000 +0200 ++++ ./doc/aide.conf.5.in 2018-09-27 19:09:09.697371212 +0200 +@@ -57,6 +57,25 @@ inclusive. This parameter can only be gi + occurrence is used. If \-\-verbose or \-V is used then the value from that + is used. The default is 5. If verbosity is 20 then additional report + output is written when doing \-\-check, \-\-update or \-\-compare. ++.IP "syslog_format" ++Valid values are yes,true,no and false. This option enables new syslog format ++which is suitable for logging. Every change is logged as one simple line. This option ++changes verbose level to 0 and prints everything that was changed. It is suggested ++to use this option with "report_url=syslog:...". Default value is "false/no". ++Maximum size of message is 1KB which is limitation of syslog call. If message is ++greater than limit, message will be truncated. ++Option summarize_changes has no impact for this format. ++.nf ++.eo ++ ++Output always starts with: ++"AIDE found differences between database and filesystem!!" ++And it is followed by summary: ++summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1 ++And finally there are logs about changes: ++dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;... ++.ec ++.fi + .IP "report_url" + The url that the output is written to. There can be multiple instances + of this parameter. Output is written to all of them. The default is +diff -up ./include/db_config.h.syslog_format ./include/db_config.h +--- ./include/db_config.h.syslog_format 2016-07-25 22:56:55.000000000 +0200 ++++ ./include/db_config.h 2018-09-27 19:09:09.697371212 +0200 +@@ -311,6 +311,7 @@ typedef struct db_config { + FILE* db_out; + + int config_check; ++ int syslog_format; + + struct md_container *mdc_in; + struct md_container *mdc_out; +diff -up ./src/aide.c.syslog_format ./src/aide.c +--- ./src/aide.c.syslog_format 2018-09-27 19:09:09.695371197 +0200 ++++ ./src/aide.c 2018-09-27 19:09:09.698371220 +0200 +@@ -283,6 +283,7 @@ static void setdefaults_before_config() + } + + /* Setting some defaults */ ++ conf->syslog_format=0; + conf->report_db=0; + conf->tree=NULL; + conf->config_check=0; +@@ -495,6 +496,10 @@ static void setdefaults_after_config() + if(conf->verbose_level==-1){ + conf->verbose_level=5; + } ++ if(conf->syslog_format==1){ ++ conf->verbose_level=0; ++ } ++ + } + + +diff -up ./src/compare_db.c.syslog_format ./src/compare_db.c +--- ./src/compare_db.c.syslog_format 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/compare_db.c 2018-09-27 19:09:09.698371220 +0200 +@@ -110,7 +110,7 @@ const DB_ATTR_TYPE details_attributes[] + #endif + }; + +-const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size (>)"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512") ++const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512") + #ifdef WITH_MHASH + , _("CRC32"), _("HAVAL"), _("GOST"), _("CRC32B"), _("WHIRLPOOL") + #endif +@@ -269,12 +269,19 @@ static int xattrs2array(xattrs_type* xat + if ((len == xattrs->ents[num - 1].vsz) || ((len == (xattrs->ents[num - 1].vsz - 1)) && !val[len])) { + length = 8 + width + strlen(xattrs->ents[num - 1].key) + strlen(val); + (*values)[num]=malloc(length *sizeof(char)); +- snprintf((*values)[num], length , "[%.*zd] %s = %s", width, num, xattrs->ents[num - 1].key, val); ++ ++ char * fmt = "[%.*zd] %s = %s"; ++ if (conf->syslog_format) fmt = "[%.*zd]%s=%s"; // its smaller so it has to be enough space allocated. ++ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val); ++ + } else { + val = encode_base64(xattrs->ents[num - 1].val, xattrs->ents[num - 1].vsz); + length = 10 + width + strlen(xattrs->ents[num - 1].key) + strlen(val); + (*values)[num]=malloc( length *sizeof(char)); +- snprintf((*values)[num], length , "[%.*zd] %s <=> %s", width, num, xattrs->ents[num - 1].key, val); ++ ++ char * fmt = "[%.*zd] %s <=> %s"; ++ if (conf->syslog_format) fmt = "[%.*zd]%s<=>%s"; // its smaller so it has to be enough space allocated. ++ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val); + free(val); + } + } +@@ -302,6 +309,26 @@ static int acl2array(acl_type* acl, char + } + if (acl->acl_a || acl->acl_d) { + int j, k, i; ++ if (conf->syslog_format) { ++ *values = malloc(2 * sizeof(char*)); ++ ++ char *A, *D = ""; ++ ++ if (acl->acl_a) { A = acl->acl_a; } ++ if (acl->acl_d) { D = acl->acl_d; } ++ ++ (*values)[0] = (char*) malloc(strlen(A) + 3); // "A:" and \0 ++ snprintf((*values)[0], strlen(A) + 3, "A:%s", A); ++ ++ (*values)[1] = (char*) malloc(strlen(D) + 3); // "D:" and \0 ++ snprintf((*values)[1], strlen(D) + 3, "D:%s", D); ++ ++ i = 0; while ( (*values)[0][i] ) { if ( (*values)[0][i]=='\n') { (*values)[0][i] = ' '; } i++; } ++ i = 0; while ( (*values)[1][i] ) { if ( (*values)[1][i]=='\n') { (*values)[1][i] = ' '; } i++; } ++ ++ return 2; ++ } ++ + if (acl->acl_a) { i = 0; while (acl->acl_a[i]) { if (acl->acl_a[i++]=='\n') { n++; } } } + if (acl->acl_d) { i = 0; while (acl->acl_d[i]) { if (acl->acl_d[i++]=='\n') { n++; } } } + *values = malloc(n * sizeof(char*)); +@@ -338,25 +365,25 @@ static char* e2fsattrs2string(unsigned l + + static char* get_file_type_string(mode_t mode) { + switch (mode & S_IFMT) { +- case S_IFREG: return _("File"); +- case S_IFDIR: return _("Directory"); ++ case S_IFREG: return conf->syslog_format ? "file" : _("File"); ++ case S_IFDIR: return conf->syslog_format ? "dir" : _("Directory"); + #ifdef S_IFIFO +- case S_IFIFO: return _("FIFO"); ++ case S_IFIFO: return conf->syslog_format ? "fifo" : _("FIFO"); + #endif +- case S_IFLNK: return _("Link"); +- case S_IFBLK: return _("Block device"); +- case S_IFCHR: return _("Character device"); ++ case S_IFLNK: return conf->syslog_format ? "link" : _("Link"); ++ case S_IFBLK: return conf->syslog_format ? "blockd" : _("Block device"); ++ case S_IFCHR: return conf->syslog_format ? "chard" : _("Character device"); + #ifdef S_IFSOCK +- case S_IFSOCK: return _("Socket"); ++ case S_IFSOCK: return conf->syslog_format ? "socket" : _("Socket"); + #endif + #ifdef S_IFDOOR +- case S_IFDOOR: return _("Door"); ++ case S_IFDOOR: return conf->syslog_format ? "door" : _("Door"); + #endif + #ifdef S_IFPORT +- case S_IFPORT: return _("Port"); ++ case S_IFPORT: return conf->syslog_format ? "port" : _("Port"); + #endif + case 0: return NULL; +- default: return _("Unknown file type"); ++ default: return conf->syslog_format ? "unknown" : _("Unknown file type"); + } + } + +@@ -554,6 +581,51 @@ static void print_dbline_attributes(db_l + } + } + ++ ++static void print_dbline_attributes_syslog(db_line* oline, db_line* nline, DB_ATTR_TYPE ++ changed_attrs, DB_ATTR_TYPE force_attrs) { ++ char **ovalue, **nvalue; ++ int onumber, nnumber, i, j; ++ int length = sizeof(details_attributes)/sizeof(DB_ATTR_TYPE); ++ DB_ATTR_TYPE attrs; ++ char *file_type = get_file_type_string((nline==NULL?oline:nline)->perm); ++ if (file_type) { ++ error(0,"%s=", file_type); ++ } ++ error(0,"%s", (nline==NULL?oline:nline)->filename); ++ attrs=force_attrs|(~(ignored_changed_attrs)&changed_attrs); ++ for (j=0; j < length; ++j) { ++ if (details_attributes[j]&attrs) { ++ onumber=get_attribute_values(details_attributes[j], oline, &ovalue); ++ nnumber=get_attribute_values(details_attributes[j], nline, &nvalue); ++ ++ if (details_attributes[j] == DB_ACL || details_attributes[j] == DB_XATTRS) { ++ ++ error(0, ";%s_old=|", details_string[j]); ++ ++ for (i = 0 ; i < onumber ; i++) { ++ error(0, "%s|", ovalue[i]); ++ } ++ ++ error(0, ";%s_new=|", details_string[j]); ++ ++ for (i = 0 ; i < nnumber ; i++) { ++ error(0, "%s|", nvalue[i]); ++ } ++ ++ } else { ++ ++ error(0, ";%s_old=%s;%s_new=%s", details_string[j], *ovalue, details_string[j], *nvalue); ++ ++ } ++ ++ for(i=0; i < onumber; ++i) { free(ovalue[i]); ovalue[i]=NULL; } free(ovalue); ovalue=NULL; ++ for(i=0; i < nnumber; ++i) { free(nvalue[i]); nvalue[i]=NULL; } free(nvalue); nvalue=NULL; ++ } ++ } ++ error(0, "\n"); ++} ++ + static void print_attributes_added_node(db_line* line) { + print_dbline_attributes(NULL, line, 0, line->attr); + } +@@ -562,6 +634,26 @@ static void print_attributes_removed_nod + print_dbline_attributes(line, NULL, 0, line->attr); + } + ++static void print_attributes_added_node_syslog(db_line* line) { ++ ++ char *file_type = get_file_type_string(line->perm); ++ if (file_type) { ++ error(0,"%s=", file_type); ++ } ++ error(0,"%s; added\n", line->filename); ++ ++} ++ ++static void print_attributes_removed_node_syslog(db_line* line) { ++ ++ char *file_type = get_file_type_string(line->perm); ++ if (file_type) { ++ error(0,"%s=", file_type); ++ } ++ error(0,"%s; removed\n", line->filename); ++ ++} ++ + static void terse_report(seltree* node) { + list* r=NULL; + if ((node->checked&(DB_OLD|DB_NEW)) != 0) { +@@ -626,6 +718,26 @@ static void print_report_details(seltree + } + } + ++static void print_syslog_format(seltree* node) { ++ list* r=NULL; ++ ++ if (node->checked&NODE_CHANGED) { ++ print_dbline_attributes_syslog(node->old_data, node->new_data, node->changed_attrs, forced_attrs); ++ } ++ ++ if (node->checked&NODE_ADDED) { ++ print_attributes_added_node_syslog(node->new_data); ++ } ++ ++ if (node->checked&NODE_REMOVED) { ++ print_attributes_removed_node_syslog(node->old_data); ++ } ++ ++ for(r=node->childs;r;r=r->next){ ++ print_syslog_format((seltree*)r->data); ++ } ++} ++ + static void print_report_header() { + char *time; + int first = 1; +@@ -747,39 +859,53 @@ int gen_report(seltree* node) { + send_audit_report(); + #endif + if ((nadd|nrem|nchg) > 0 || conf->report_quiet == 0) { +- print_report_header(); +- if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) { +- if (conf->grouped) { +- if (nadd) { +- error(2,(char*)report_top_format,_("Added entries")); +- print_report_list(node, NODE_ADDED); +- } +- if (nrem) { +- error(2,(char*)report_top_format,_("Removed entries")); +- print_report_list(node, NODE_REMOVED); +- } +- if (nchg) { +- error(2,(char*)report_top_format,_("Changed entries")); +- print_report_list(node, NODE_CHANGED); +- } +- } else if (nadd || nrem || nchg) { +- if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); } +- else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); } +- else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); } +- else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); } +- else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); } +- else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); } +- else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); } +- print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED); +- } +- if (nadd || nrem || nchg) { +- error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes")); +- print_report_details(node); +- } +- } +- print_report_databases(); +- conf->end_time=time(&(conf->end_time)); +- print_report_footer(); ++ ++ if (!conf->syslog_format) { ++ print_report_header(); ++ } ++ ++ if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) { ++ if (!conf->syslog_format && conf->grouped) { ++ if (nadd) { ++ error(2,(char*)report_top_format,_("Added entries")); ++ print_report_list(node, NODE_ADDED); ++ } ++ if (nrem) { ++ error(2,(char*)report_top_format,_("Removed entries")); ++ print_report_list(node, NODE_REMOVED); ++ } ++ if (nchg) { ++ error(2,(char*)report_top_format,_("Changed entries")); ++ print_report_list(node, NODE_CHANGED); ++ } ++ } else if (!conf->syslog_format && ( nadd || nrem || nchg ) ) { ++ if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); } ++ else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); } ++ else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); } ++ else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); } ++ else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); } ++ else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); } ++ else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); } ++ print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED); ++ } ++ if (nadd || nrem || nchg) { ++ if (!conf->syslog_format) { ++ error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes")); ++ print_report_details(node); ++ } else { ++ /* Syslog Format */ ++ error(0, "AIDE found differences between database and filesystem!!\n"); ++ error(0, "summary;total_number_of_files=%ld;added_files=%ld;" ++ "removed_files=%ld;changed_files=%ld\n",ntotal,nadd,nrem,nchg); ++ print_syslog_format(node); ++ } ++ } ++ } ++ if (!conf->syslog_format) { ++ print_report_databases(); ++ conf->end_time=time(&(conf->end_time)); ++ print_report_footer(); ++ } + } + + return conf->action&(DO_COMPARE|DO_DIFF) ? (nadd!=0)*1+(nrem!=0)*2+(nchg!=0)*4 : 0; +diff -up ./src/conf_lex.l.syslog_format ./src/conf_lex.l +--- ./src/conf_lex.l.syslog_format 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/conf_lex.l 2018-09-27 19:09:09.698371220 +0200 +@@ -401,6 +401,12 @@ int var_in_conflval=0; + return (TROOT_PREFIX); + } + ++^[\t\ ]*"syslog_format"{E} { ++ error(230,"%li:syslog_format =\n",conf_lineno); ++ BEGIN CONFVALHUNT; ++ return (SYSLOG_FORMAT); ++} ++ + ^[\t\ ]*"recstop"{E} { + error(230,"%li:recstop =\n",conf_lineno); + BEGIN CONFVALHUNT; +diff -up ./src/conf_yacc.y.syslog_format ./src/conf_yacc.y +--- ./src/conf_yacc.y.syslog_format 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/conf_yacc.y 2018-09-27 19:09:09.699371228 +0200 +@@ -89,6 +89,7 @@ extern long conf_lineno; + %token TREPORT_URL + %token TGZIPDBOUT + %token TROOT_PREFIX ++%token SYSLOG_FORMAT + %token TUMASK + %token TTRUE + %token TFALSE +@@ -160,7 +161,7 @@ line : rule | equrule | negrule | define + | ifdefstmt | ifndefstmt | ifhoststmt | ifnhoststmt + | groupdef | db_in | db_out | db_new | db_attrs | verbose | report_detailed_init | config_version + | database_add_metadata | report | gzipdbout | root_prefix | report_base16 | report_quiet +- | report_ignore_e2fsattrs | recursion_stopper | warn_dead_symlinks | grouped ++ | report_ignore_e2fsattrs | syslogformat | recursion_stopper | warn_dead_symlinks | grouped + | summarize_changes | acl_no_symlink_follow | beginconfigstmt | endconfigstmt + | TEOF { + newlinelastinconfig=1; +@@ -408,6 +409,15 @@ conf->gzip_dbout=0; + #endif + } ; + ++syslogformat : SYSLOG_FORMAT TTRUE { ++conf->syslog_format=1; ++} | ++ SYSLOG_FORMAT TFALSE { ++conf->syslog_format=0; ++} ; ++ ++ ++ + recursion_stopper : TRECSTOP TSTRING { + /* FIXME implement me */ + +diff -up ./src/error.c.syslog_format ./src/error.c +--- ./src/error.c.syslog_format 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/error.c 2018-09-27 19:13:40.312416750 +0200 +@@ -38,6 +38,9 @@ + /*for locale support*/ + #include "util.h" + ++#define MAX_BUFFER_SIZE 1024 ++static char syslog_buffer[MAX_BUFFER_SIZE+1]; ++ + int cmp_url(url_t* url1,url_t* url2){ + + return ((url1->type==url2->type)&&(strcmp(url1->value,url2->value)==0)); +@@ -48,7 +51,9 @@ int error_init(url_t* url,int initial) + { + list* r=NULL; + FILE* fh=NULL; +- int sfac; ++ int sfac; ++ ++ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1); + + if (url->type==url_database) { + conf->report_db++; +@@ -163,13 +168,24 @@ void error(int errorlevel,char* error_ms + } + #ifdef HAVE_SYSLOG + if(conf->initial_report_url->type==url_syslog){ +-#ifdef HAVE_VSYSLOG +- vsyslog(SYSLOG_PRIORITY,error_msg,ap); +-#else +- char buf[1024]; +- vsnprintf(buf,1024,error_msg,ap); +- syslog(SYSLOG_PRIORITY,"%s",buf); +-#endif ++ ++ char buff[MAX_BUFFER_SIZE+1]; ++ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap); ++ size_t buff_len = strlen(buff); ++ ++ char result_buff[MAX_BUFFER_SIZE+1]; ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wformat-truncation" ++ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff); ++#pragma GCC diagnostic pop ++ ++ if(buff[buff_len-1] == '\n'){ ++ syslog(SYSLOG_PRIORITY,"%s",result_buff); ++ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1); ++ } else { ++ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE); ++ } ++ + va_end(ap); + return; + } +@@ -181,17 +197,25 @@ void error(int errorlevel,char* error_ms + + #ifdef HAVE_SYSLOG + if (conf->report_syslog!=0) { +-#ifdef HAVE_VSYSLOG +- va_start(ap,error_msg); +- vsyslog(SYSLOG_PRIORITY,error_msg,ap); +- va_end(ap); +-#else +- char buf[1024]; +- va_start(ap,error_msg); +- vsnprintf(buf,1024,error_msg,ap); ++ va_start(ap, error_msg); ++ ++ char buff[MAX_BUFFER_SIZE+1]; ++ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap); ++ size_t buff_len = strlen(buff); ++ ++ char result_buff[MAX_BUFFER_SIZE+1]; ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wformat-truncation" ++ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff); ++#pragma GCC diagnostic pop ++ ++ if(buff[buff_len-1] == '\n'){ ++ syslog(SYSLOG_PRIORITY,"%s",result_buff); ++ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1); ++ } else { ++ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE); ++ } + va_end(ap); +- syslog(SYSLOG_PRIORITY,"%s",buf); +-#endif + } + #endif + diff --git a/SOURCES/aide-0.16-CVE-2021-45417.patch b/SOURCES/aide-0.16-CVE-2021-45417.patch new file mode 100644 index 0000000..1752df3 --- /dev/null +++ b/SOURCES/aide-0.16-CVE-2021-45417.patch @@ -0,0 +1,123 @@ +diff --git a/include/base64.h b/include/base64.h +index 0ff7116..381ef5d 100644 +--- a/include/base64.h ++++ b/include/base64.h +@@ -36,7 +36,6 @@ + #include + #include "types.h" + +-#define B64_BUF 16384 + #define FAIL -1 + #define SKIP -2 + +diff --git a/src/base64.c b/src/base64.c +index fd01bac..1b0f301 100644 +--- a/src/base64.c ++++ b/src/base64.c +@@ -85,11 +85,9 @@ FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL + }; + + /* Returns NULL on error */ +-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */ + char* encode_base64(byte* src,size_t ssize) + { + char* outbuf; +- char* retbuf; + int pos; + int i, l, left; + unsigned long triple; +@@ -101,7 +99,10 @@ char* encode_base64(byte* src,size_t ssize) + error(240,"\n"); + return NULL; + } +- outbuf = (char *)malloc(sizeof(char)*B64_BUF); ++ ++ /* length of encoded base64 string (padded) */ ++ size_t length = sizeof(char)* ((ssize + 2) / 3) * 4; ++ outbuf = (char *)malloc(length + 1); + + /* Initialize working pointers */ + inb = src; +@@ -162,20 +163,14 @@ char* encode_base64(byte* src,size_t ssize) + inb++; + } + +- /* outbuf is not completely used so we use retbuf */ +- retbuf=(char*)malloc(sizeof(char)*(pos+1)); +- memcpy(retbuf,outbuf,pos); +- retbuf[pos]='\0'; +- free(outbuf); ++ outbuf[pos]='\0'; + +- return retbuf; ++ return outbuf; + } + +-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */ + byte* decode_base64(char* src,size_t ssize, size_t *ret_len) + { + byte* outbuf; +- byte* retbuf; + char* inb; + int i; + int l; +@@ -188,10 +183,18 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len) + if (!ssize||src==NULL) + return NULL; + ++ /* exit on unpadded input */ ++ if (ssize % 4) { ++ error(3, "decode_base64: '%s' has invalid length (missing padding characters?)", src); ++ return NULL; ++ } ++ ++ /* calculate length of decoded string, substract padding chars if any (ssize is >= 4) */ ++ size_t length = sizeof(byte) * ((ssize / 4) * 3)- (src[ssize-1] == '=') - (src[ssize-2] == '='); + + /* Initialize working pointers */ + inb = src; +- outbuf = (byte *)malloc(sizeof(byte)*B64_BUF); ++ outbuf = (byte *)malloc(length + 1); + + l = 0; + triple = 0; +@@ -243,15 +246,11 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len) + inb++; + } + +- retbuf=(byte*)malloc(sizeof(byte)*(pos+1)); +- memcpy(retbuf,outbuf,pos); +- retbuf[pos]='\0'; +- +- free(outbuf); ++ outbuf[pos]='\0'; + + if (ret_len) *ret_len = pos; + +- return retbuf; ++ return outbuf; + } + + size_t length_base64(char* src,size_t ssize) +diff --git a/src/db.c b/src/db.c +index 858240d..62c4faa 100644 +--- a/src/db.c ++++ b/src/db.c +@@ -664,13 +664,15 @@ db_line* db_char2line(char** ss,int db){ + + time_t base64totime_t(char* s){ + ++ if(strcmp(s,"0")==0){ ++ return 0; ++ } + byte* b=decode_base64(s,strlen(s),NULL); + char* endp; + +- if (b==NULL||strcmp(s,"0")==0) { ++ if (b==NULL) { + + /* Should we print error here? */ +- free(b); + + return 0; + } else { diff --git a/SOURCES/aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch b/SOURCES/aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch new file mode 100644 index 0000000..0c4fc17 --- /dev/null +++ b/SOURCES/aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch @@ -0,0 +1,58 @@ +From c7caa6027c92b28aa11b8da74d56357e12f56d67 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20Kope=C4=8Dek?= +Date: Wed, 20 Feb 2019 12:00:56 +0100 +Subject: [PATCH] Use LDADD for adding curl library to the linker command + +--- + Makefile.am | 2 +- + configure.ac | 5 +++-- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 4b05d7a..1541d56 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -55,7 +55,7 @@ if USE_CURL + aide_SOURCES += include/fopen.h src/fopen.c + endif + +-aide_LDADD = -lm @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@ ++aide_LDADD = -lm @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@ @CURLLIB@ + AM_CFLAGS = @AIDE_DEFS@ -W -Wall -g + AM_CPPFLAGS = -I$(top_srcdir) \ + -I$(top_srcdir)/include \ +diff --git a/configure.ac b/configure.ac +index 3598ebe..0418c59 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -702,24 +702,25 @@ if test x$with_zlib = xyes; then + compoptionstring="${compoptionstring}WITH_ZLIB\\n" + fi + ++CURLLIB= + if test x$with_curl = xyes; then + AC_PATH_PROG(curlconfig, "curl-config") + if test "_$curlconfig" != _ ; then + CURL_CFLAGS=`$curlconfig --cflags` +- CURL_LIBS=`$curlconfig --libs` ++ CURLLIB=`$curlconfig --libs` + else + AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.]) + fi + AC_CHECK_HEADERS(curl/curl.h,, + [AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])]) + CFLAGS="$CFLAGS $CURL_CFLAGS" +- LDFLAGS="$LDFLAGS $CURL_LIBS" + AC_CHECK_LIB(curl,curl_easy_init,havecurl=yes, + [AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])] + ) + AC_DEFINE(WITH_CURL,1,[use curl]) + compoptionstring="${compoptionstring}WITH_CURL\\n" + fi ++AC_SUBST(CURLLIB) + AM_CONDITIONAL(USE_CURL, test x$havecurl = xyes) + + AC_ARG_WITH(mhash, +-- +2.20.1 + diff --git a/SOURCES/aide-0.16-crash-elf.patch b/SOURCES/aide-0.16-crash-elf.patch new file mode 100644 index 0000000..5aa3472 --- /dev/null +++ b/SOURCES/aide-0.16-crash-elf.patch @@ -0,0 +1,17 @@ +--- ./src/do_md.c 2018-03-19 05:10:19.994957024 -0400 ++++ ./src/do_md.c 2018-03-19 05:19:05.829957024 -0400 +@@ -135,8 +135,13 @@ + continue; + + while (!bingo && (data = elf_getdata (scn, data)) != NULL) { +- int maxndx = data->d_size / shdr.sh_entsize; ++ int maxndx; + int ndx; ++ ++ if (shdr.sh_entsize != 0) ++ maxndx = data->d_size / shdr.sh_entsize; ++ else ++ continue; + + for (ndx = 0; ndx < maxndx; ++ndx) { + (void) gelf_getdyn (data, ndx, &dyn); diff --git a/SOURCES/aide-0.16-crypto-disable-haval-and-others.patch b/SOURCES/aide-0.16-crypto-disable-haval-and-others.patch new file mode 100644 index 0000000..a066fd9 --- /dev/null +++ b/SOURCES/aide-0.16-crypto-disable-haval-and-others.patch @@ -0,0 +1,153 @@ +diff -up ./include/md.h.crypto ./include/md.h +--- ./include/md.h.crypto 2016-07-25 22:56:55.000000000 +0200 ++++ ./include/md.h 2018-08-29 15:00:30.827491299 +0200 +@@ -149,6 +149,7 @@ int init_md(struct md_container*); + int update_md(struct md_container*,void*,ssize_t); + int close_md(struct md_container*); + void md2line(struct md_container*,struct db_line*); ++DB_ATTR_TYPE get_available_crypto(); + + + #endif /*_MD_H_INCLUDED*/ +diff -up ./src/aide.c.crypto ./src/aide.c +--- ./src/aide.c.crypto 2018-08-29 15:00:30.825491309 +0200 ++++ ./src/aide.c 2018-08-29 15:00:30.827491299 +0200 +@@ -349,7 +349,7 @@ static void setdefaults_before_config() + + conf->db_attrs = 0; + #if defined(WITH_MHASH) || defined(WITH_GCRYPT) +- conf->db_attrs |= DB_MD5|DB_TIGER|DB_HAVAL|DB_CRC32|DB_SHA1|DB_RMD160|DB_SHA256|DB_SHA512; ++ conf->db_attrs |= get_available_crypto(); + #ifdef WITH_MHASH + conf->db_attrs |= DB_GOST; + #ifdef HAVE_MHASH_WHIRLPOOL +diff -up ./src/md.c.crypto ./src/md.c +--- ./src/md.c.crypto 2018-08-29 15:00:30.823491319 +0200 ++++ ./src/md.c 2018-08-29 15:02:28.013903479 +0200 +@@ -78,6 +78,49 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) { + return r; + } + ++const char * hash_gcrypt2str(int i) { ++ char * r = "?"; ++#ifdef WITH_GCRYPT ++ switch (i) { ++ case GCRY_MD_MD5: { ++ r = "MD5"; ++ break; ++ } ++ case GCRY_MD_SHA1: { ++ r = "SHA1"; ++ break; ++ } ++ case GCRY_MD_RMD160: { ++ r = "RMD160"; ++ break; ++ } ++ case GCRY_MD_TIGER: { ++ r = "TIGER"; ++ break; ++ } ++ case GCRY_MD_HAVAL: { ++ r = "HAVAL"; ++ break; ++ } ++ case GCRY_MD_SHA256: { ++ r = "SHA256"; ++ break; ++ } ++ case GCRY_MD_SHA512: { ++ r = "SHA512"; ++ break; ++ } ++ case GCRY_MD_CRC32: { ++ r = "CRC32"; ++ break; ++ } ++ default: ++ break; ++ } ++#endif ++ return r; ++} ++ + DB_ATTR_TYPE hash_mhash2attr(int i) { + DB_ATTR_TYPE r=0; + #ifdef WITH_MHASH +@@ -163,6 +206,44 @@ DB_ATTR_TYPE hash_mhash2attr(int i) { + Initialise md_container according it's todo_attr field + */ + ++DB_ATTR_TYPE get_available_crypto() { ++ ++ DB_ATTR_TYPE ret = 0; ++ ++/* ++ * This function is usually called before config processing ++ * and default verbose level is 5 ++ */ ++#define lvl 255 ++ ++ error(lvl, "get_available_crypto called\n"); ++ ++#ifdef WITH_GCRYPT ++ ++ /* ++ * some initialization for FIPS ++ */ ++ gcry_check_version(NULL); ++ error(lvl, "Found algos:"); ++ ++ for(int i=0;i<=HASH_GCRYPT_COUNT;i++) { ++ ++ if ( (hash_gcrypt2attr(i) & HASH_USE_GCRYPT) == 0 ) ++ continue; ++ ++ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) == 0) { ++ ret |= hash_gcrypt2attr(i); ++ error(lvl, " %s", hash_gcrypt2str(i)); ++ } ++ } ++ error(lvl, "\n"); ++ ++#endif ++ ++ error(lvl, "get_available_crypto_returned with %lld\n", ret); ++ return ret; ++} ++ + int init_md(struct md_container* md) { + + int i; +@@ -201,18 +282,27 @@ int init_md(struct md_container* md) { + } + #endif + #ifdef WITH_GCRYPT +- if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){ ++ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){ + error(0,"gcrypt_md_open failed\n"); + exit(IO_ERROR); + } + for(i=0;i<=HASH_GCRYPT_COUNT;i++) { ++ ++ + if (((hash_gcrypt2attr(i)&HASH_USE_GCRYPT)&md->todo_attr)!=0) { +- DB_ATTR_TYPE h=hash_gcrypt2attr(i); +- error(255,"inserting %llu\n",h); ++ ++ DB_ATTR_TYPE h=hash_gcrypt2attr(i); ++ ++ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) != 0) { ++ error(0,"Algo %s is not available\n", hash_gcrypt2str(i)); ++ exit(-1); ++ } ++ ++ error(255,"inserting %llu\n",h); + if(gcry_md_enable(md->mdh,i)==GPG_ERR_NO_ERROR){ + md->calc_attr|=h; + } else { +- error(0,"gcry_md_enable %i failed",i); ++ error(0,"gcry_md_enable %i failed\n",i); + md->todo_attr&=~h; + } + } diff --git a/SOURCES/aide-0.16b1-fipsfix.patch b/SOURCES/aide-0.16b1-fipsfix.patch new file mode 100644 index 0000000..434d74e --- /dev/null +++ b/SOURCES/aide-0.16b1-fipsfix.patch @@ -0,0 +1,103 @@ +diff -up ./src/aide.c.orig ./aide-0.16b1/src/aide.c +--- ./src/aide.c.orig 2016-07-12 11:10:08.013158385 +0200 ++++ ./src/aide.c 2016-07-12 11:30:54.867833064 +0200 +@@ -511,9 +511,28 @@ int main(int argc,char**argv) + #endif + umask(0177); + init_sighandler(); +- + setdefaults_before_config(); + ++#if WITH_GCRYPT ++ error(255,"Gcrypt library initialization\n"); ++ /* ++ * Initialize libgcrypt as per ++ * http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html ++ * ++ * ++ */ ++ gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0); ++ gcry_control(GCRYCTL_INIT_SECMEM, 1); ++ ++ if(!gcry_check_version(GCRYPT_VERSION)) { ++ error(0,"libgcrypt version mismatch\n"); ++ exit(VERSION_MISMATCH_ERROR); ++ } ++ ++ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); ++#endif /* WITH_GCRYPT */ ++ ++ + if(read_param(argc,argv)==RETFAIL){ + error(0, _("Invalid argument\n") ); + exit(INVALID_ARGUMENT_ERROR); +@@ -646,6 +665,9 @@ int main(int argc,char**argv) + } + #endif + } ++#ifdef WITH_GCRYPT ++ gcry_control(GCRYCTL_TERM_SECMEM, 0); ++#endif /* WITH_GCRYPT */ + return RETOK; + } + const char* aide_key_3=CONFHMACKEY_03; +diff -up ./src/md.c.orig ./aide-0.16b1/src/md.c +--- ./src/md.c.orig 2016-04-15 23:30:16.000000000 +0200 ++++ ./src/md.c 2016-07-12 11:35:04.007675329 +0200 +@@ -201,14 +201,7 @@ int init_md(struct md_container* md) { + } + #endif + #ifdef WITH_GCRYPT +- error(255,"Gcrypt library initialization\n"); +- if(!gcry_check_version(GCRYPT_VERSION)) { +- error(0,"libgcrypt version mismatch\n"); +- exit(VERSION_MISMATCH_ERROR); +- } +- gcry_control(GCRYCTL_DISABLE_SECMEM, 0); +- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); +- if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){ ++ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){ + error(0,"gcrypt_md_open failed\n"); + exit(IO_ERROR); + } +@@ -299,7 +292,7 @@ int close_md(struct md_container* md) { + + /*. There might be more hashes in the library. Add those here.. */ + +- gcry_md_reset(md->mdh); ++ gcry_md_close(md->mdh); + #endif + + #ifdef WITH_MHASH +diff -up ./src/util.c.orig ./aide-0.16b1/src/util.c +--- ./src/util.c.orig 2016-07-12 11:39:17.023437355 +0200 ++++ ./src/util.c 2016-07-12 11:39:51.618721157 +0200 +@@ -519,28 +519,5 @@ int syslog_facility_lookup(char *s) + return(AIDE_SYSLOG_FACILITY); + } + +-/* We need these dummy stubs to fool the linker into believing that +- we do not need them at link time */ +- +-void* dlopen(char*filename,int flag) +-{ +- return NULL; +-} +- +-void* dlsym(void*handle,char*symbol) +-{ +- return NULL; +-} +- +-void* dlclose(void*handle) +-{ +- return NULL; +-} +- +-const char* dlerror(void) +-{ +- return NULL; +-} +- + const char* aide_key_2=CONFHMACKEY_02; + const char* db_key_2=DBHMACKEY_02; diff --git a/SOURCES/aide-0.16rc1-man.patch b/SOURCES/aide-0.16rc1-man.patch new file mode 100644 index 0000000..4715552 --- /dev/null +++ b/SOURCES/aide-0.16rc1-man.patch @@ -0,0 +1,15 @@ +diff -up ./doc/aide.1.in.orig ./doc/aide.1.in +--- ./doc/aide.1.in.orig 2016-07-12 16:10:01.724595895 +0200 ++++ ./doc/aide.1.in 2016-07-12 16:06:21.968639822 +0200 +@@ -103,9 +103,9 @@ echo | base64 \-d | h + .SH FILES + .IP \fB@sysconfdir@/aide.conf\fR + Default aide configuration file. +-.IP \fB@sysconfdir@/aide.db\fR ++.IP \fB@localstatedir@/lib/aide/aide.db\fR + Default aide database. +-.IP \fB@sysconfdir@/aide.db.new\fR ++.IP \fB@localstatedir@/lib/aide/aide.db.new\fR + Default aide output database. + .SH SEE ALSO + .BR aide.conf (5) diff --git a/SOURCES/aide-configure.patch b/SOURCES/aide-configure.patch new file mode 100644 index 0000000..e9030eb --- /dev/null +++ b/SOURCES/aide-configure.patch @@ -0,0 +1,51 @@ +diff --color -ru a/configure.ac b/configure.ac +--- a/configure.ac 2021-05-20 09:31:11.686987129 +0200 ++++ b/configure.ac 2021-05-20 09:39:43.369967457 +0200 +@@ -784,11 +784,11 @@ + [if test "x$withval" = "xmd5" ;then + CONFIGHMACTYPE="MHASH_MD5" + else if test "x$withval" = "xsha1" ;then +- CONFIGHMACTYPE="MHASH_SHA1" ++ CONFIGHMACTYPE="MHASH_SHA1" + else if test "x$withval" = "xsha256" ;then +- CONFIGHMACTYPE="MHASH_SHA256" ++ CONFIGHMACTYPE="MHASH_SHA256" + else if test "x$withval" = "xsha512" ;then +- CONFIGHMACTYPE="MHASH_SHA512" ++ CONFIGHMACTYPE="MHASH_SHA512" + else + echo "Valid parameters for --with-confighmactype are md5, sha1, sha256 and sha512" + exit 1 +@@ -799,7 +799,6 @@ + AC_DEFINE_UNQUOTED(CONFIGHMACTYPE,$CONFIGHMACTYPE,[hash type for config file check])], + [ + AC_DEFINE_UNQUOTED(CONFIGHMACTYPE,MHASH_MD5,[hash type for config file check])] +-, + ) + + AC_ARG_WITH([confighmackey], +@@ -846,18 +845,18 @@ + + AC_ARG_WITH([dbhmactype], + AC_HELP_STRING([--with-dbhmactype=TYPE], +- [Hash type to use for checking db. Valid values are md5 and sha1.]), ++ [Hash type to use for checking db. Valid values are md5, sha1, sha256 and sha512.]), + [if test "x$withval" = "xmd5" ;then + DBHMACTYPE="MHASH_MD5" + else if test "x$withval" = "xsha1" ;then +- DBHMACTYPE="MHASH_SHA1" ++ DBHMACTYPE="MHASH_SHA1" + else if test "x$withval" = "xsha256" ;then +- CONFIGHMACTYPE="MHASH_SHA256" ++ DBHMACTYPE="MHASH_SHA256" + else if test "x$withval" = "xsha512" ;then +- CONFIGHMACTYPE="MHASH_SHA512" ++ DBHMACTYPE="MHASH_SHA512" + else +- echo "Valid parameters for --with-dbhmactype are md5, sha1, sha256 and sha512" +- exit 1 ++ echo "Valid parameters for --with-dbhmactype are md5, sha1, sha256 and sha512" ++ exit 1 + fi + fi + fi diff --git a/SOURCES/aide-static-analysis.patch b/SOURCES/aide-static-analysis.patch new file mode 100644 index 0000000..78b79ce --- /dev/null +++ b/SOURCES/aide-static-analysis.patch @@ -0,0 +1,171 @@ +Only in b: config.log +diff --color -ru a/contrib/sshaide.sh b/contrib/sshaide.sh +--- a/contrib/sshaide.sh 2016-07-25 22:56:55.000000000 +0200 ++++ b/contrib/sshaide.sh 2021-05-20 11:11:24.112542472 +0200 +@@ -260,7 +260,7 @@ + _randword=`grep -n . ${_wordlist} | grep "^${_linenum}:" | cut -d: -f2` + + # If $_randword has anything other than lower-case chars, try again +- (echo ${_randword} | LC_ALL=C grep '[^a-z]' 2>&1 >> /dev/null \ ++ ({ echo ${_randword} | LC_ALL=C grep '[^a-z]' 2>&1; } >> /dev/null \ + && gen_rand_word ) || \ + + # Return the word +diff --color -ru a/src/commandconf.c b/src/commandconf.c +--- a/src/commandconf.c 2021-05-20 10:37:53.842382143 +0200 ++++ b/src/commandconf.c 2021-05-25 14:16:43.278526146 +0200 +@@ -313,7 +313,7 @@ + } else { + /* gzread returns 0 even if uncompressed bytes were read*/ + error(240,"nread=%d,strlen(buf)=%lu,errno=%s,gzerr=%s\n", +- retval,(unsigned long)strnlen((char*)buf, max_size), ++ retval,(unsigned long)strnlen((char*)buf, retval), + strerror(errno),gzerror(*db_gzp,&err)); + if(retval==0){ + retval=strnlen((char*)buf, max_size); +@@ -836,6 +836,11 @@ + } + break; + } ++ default: { ++ error(0,"Unsupported dbtype.\n"); ++ free(u); ++ break; ++ } + } + } + free(val); +@@ -900,7 +905,7 @@ + } else { + error_init(u,0); + } +- ++ free(u->value); + free(u); + } + +diff --color -ru a/src/db_disk.c b/src/db_disk.c +--- a/src/db_disk.c 2021-05-20 10:37:53.842382143 +0200 ++++ b/src/db_disk.c 2021-05-20 12:37:00.081493364 +0200 +@@ -125,10 +125,10 @@ + + ret = (char *) malloc (len); + ret[0] = (char) 0; +- strncpy(ret, conf->root_prefix, conf->root_prefix_length+1); +- strncat (ret, r->path, len2); ++ strcpy(ret, conf->root_prefix); ++ strcat (ret, r->path); + if (r->path[len2 - 1] != '/') { +- strncat (ret, "/", 1); ++ strcat (ret, "/"); + } + strcat (ret, s); + return ret; +@@ -207,8 +207,8 @@ + if (!root_handled) { + root_handled = 1; + fullname=malloc((conf->root_prefix_length+2)*sizeof(char)); +- strncpy(fullname, conf->root_prefix, conf->root_prefix_length+1); +- strncat (fullname, "/", 1); ++ strcpy(fullname, conf->root_prefix); ++ strcat (fullname, "/"); + if (!get_file_status(&fullname[conf->root_prefix_length], &fs)) { + add = check_rxtree (&fullname[conf->root_prefix_length], conf->tree, &attr, fs.st_mode); + error (240, "%s match=%d, tree=%p, attr=%llu\n", &fullname[conf->root_prefix_length], add, +@@ -346,8 +346,8 @@ + error (255, "r->childs %p, r->parent %p,r->checked %i\n", + r->childs, r->parent, r->checked); + fullname=malloc((conf->root_prefix_length+strlen(r->path)+1)*sizeof(char)); +- strncpy(fullname, conf->root_prefix, conf->root_prefix_length+1); +- strncat(fullname, r->path, strlen(r->path)); ++ strcpy(fullname, conf->root_prefix); ++ strcat(fullname, r->path); + dirh=open_dir(fullname); + if (! dirh) { + +@@ -441,8 +441,8 @@ + + + char* fullname=malloc((conf->root_prefix_length+2)*sizeof(char)); +- strncpy(fullname, conf->root_prefix, conf->root_prefix_length+1); +- strncat (fullname, "/", 1); ++ strcpy(fullname, conf->root_prefix); ++ strcat (fullname, "/"); + dirh=open_dir(fullname); + free(fullname); + +diff --color -ru a/src/error.c b/src/error.c +--- a/src/error.c 2021-05-20 10:37:53.836382037 +0200 ++++ b/src/error.c 2021-05-21 11:49:09.781313097 +0200 +@@ -125,7 +125,7 @@ + fh=be_init(0,url,0); + if(fh!=NULL) { + conf->report_fd=list_append(conf->report_fd,(void*)fh); +- conf->report_url=list_append(conf->report_url,(void*)url); ++ conf->report_url=list_append(conf->report_url,(void*)strdup(url)); + return RETOK; + } + +diff --color -ru a/src/util.c b/src/util.c +--- a/src/util.c 2021-05-20 10:37:53.843382160 +0200 ++++ b/src/util.c 2021-05-25 11:04:39.507278771 +0200 +@@ -105,13 +105,15 @@ + for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++); + if(r[0]=='\0'){ + error(0,"Invalid file-URL,no path after hostname: file:%s\n",t); ++ free(u); ++ free(val_copy); + free(hostname); + return NULL; + } + u->value=strdup(r); + r[0]='\0'; + if(gethostname(hostname,MAXHOSTNAMELEN)==-1){ +- strncpy(hostname,"localhost", 10); ++ strncpy(hostname,"localhost",MAXHOSTNAMELEN); + } + + if( (strcmp(t,"localhost")==0)||(strcmp(t,hostname)==0)){ +@@ -119,6 +121,9 @@ + break; + } else { + error(0,"Invalid file-URL, cannot use hostname other than localhost or %s: file:%s\n",hostname,u->value); ++ free(u->value); ++ free(u); ++ free(val_copy); + free(hostname); + return NULL; + } +@@ -229,6 +234,10 @@ + int i=0; + + pc=(char*)malloc(sizeof(char)*11); ++ if (!pc) { ++ error(0, "Memory allocation failed.\n"); ++ return NULL; ++ } + for(i=0;i<10;i++){ + pc[i]='-'; + } +@@ -369,14 +378,17 @@ + + if (path != NULL) { + if (path[0] == '~') { +- if((homedir=getenv("HOME")) != NULL) { ++ if ((homedir=getenv("HOME")) != NULL) { + path_len = strlen(path+sizeof(char)); + homedir_len = strlen(homedir); + full_len = homedir_len+path_len; + full = malloc(sizeof(char) * (full_len+1)); +- strncpy(full, homedir, homedir_len); +- strncpy(full+homedir_len, path+sizeof(char), path_len); +- full[full_len] = '\0'; ++ if (!full) { ++ error(0, "Memory allocation failed.\n"); ++ return path; ++ } ++ strcpy(full, homedir); ++ strcat(full, path+sizeof(char)); + free(path); + /* Don't free(homedir); because it is not safe on some platforms */ + path = full; diff --git a/SOURCES/aide.conf b/SOURCES/aide.conf new file mode 100644 index 0000000..5221380 --- /dev/null +++ b/SOURCES/aide.conf @@ -0,0 +1,303 @@ +# Example configuration file for AIDE. + +@@define DBDIR /var/lib/aide +@@define LOGDIR /var/log/aide + +# The location of the database to be read. +database=file:@@{DBDIR}/aide.db.gz + +# The location of the database to be written. +#database_out=sql:host:port:database:login_name:passwd:table +#database_out=file:aide.db.new +database_out=file:@@{DBDIR}/aide.db.new.gz + +# Whether to gzip the output to database +gzip_dbout=yes + +# Default. +verbose=5 + +report_url=file:@@{LOGDIR}/aide.log +report_url=stdout +#report_url=stderr +#NOT IMPLEMENTED report_url=mailto:root@foo.com +#NOT IMPLEMENTED report_url=syslog:LOG_AUTH + +# These are the default rules. +# +#p: permissions +#i: inode: +#n: number of links +#u: user +#g: group +#s: size +#b: block count +#m: mtime +#a: atime +#c: ctime +#S: check for growing size +#acl: Access Control Lists +#selinux SELinux security context +#xattrs: Extended file attributes +#md5: md5 checksum +#sha1: sha1 checksum +#sha256: sha256 checksum +#sha512: sha512 checksum +#rmd160: rmd160 checksum +#tiger: tiger checksum + +#haval: haval checksum (MHASH only) +#gost: gost checksum (MHASH only) +#crc32: crc32 checksum (MHASH only) +#whirlpool: whirlpool checksum (MHASH only) + +#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 +#L: p+i+n+u+g+acl+selinux+xattrs +#E: Empty group +#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs + +# You can create custom rules like this. +# With MHASH... +# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 +ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger +# Everything but access time (Ie. all changes) +EVERYTHING = R+ALLXTRAHASHES + +# Sane +# NORMAL = R+sha512 +NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512 + +# For directories, don't bother doing hashes +DIR = p+i+n+u+g+acl+selinux+xattrs + +# Access control only +PERMS = p+u+g+acl+selinux+xattrs + +# Logfile are special, in that they often change +LOG = p+u+g+n+S+acl+selinux+xattrs + +# Content + file type. +CONTENT = sha512+ftype + +# Extended content + file type + access. +CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs + +# Some files get updated automatically, so the inode/ctime/mtime change +# but we want to know when the data inside them changes +DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512 + +# Next decide what directories/files you want in the database. + +/boot CONTENT_EX +/opt CONTENT + +# Admins dot files constantly change, just check perms +/root/\..* PERMS +!/root/.xauth* +# Otherwise get all of /root. +/root CONTENT_EX + +# These are too volatile +!/usr/src +!/usr/tmp + +# Otherwise get all of /usr. +/usr CONTENT_EX + +# trusted databases +/etc/hosts$ CONTENT_EX +/etc/host.conf$ CONTENT_EX +/etc/hostname$ CONTENT_EX +/etc/issue$ CONTENT_EX +/etc/issue.net$ CONTENT_EX +/etc/protocols$ CONTENT_EX +/etc/services$ CONTENT_EX +/etc/localtime$ CONTENT_EX +/etc/alternatives CONTENT_EX +/etc/sysconfig CONTENT_EX +/etc/mime.types$ CONTENT_EX +/etc/terminfo CONTENT_EX +/etc/exports$ CONTENT_EX +/etc/fstab$ CONTENT_EX +/etc/passwd$ CONTENT_EX +/etc/group$ CONTENT_EX +/etc/gshadow$ CONTENT_EX +/etc/shadow$ CONTENT_EX +/etc/subgid$ CONTENT_EX +/etc/subuid$ CONTENT_EX +/etc/security/opasswd$ CONTENT_EX +/etc/skel CONTENT_EX +/etc/sssd CONTENT_EX +/etc/machine-id$ CONTENT_EX +/etc/swid CONTENT_EX +/etc/system-release-cpe$ CONTENT_EX +/etc/shells$ CONTENT_EX +/etc/tmux.conf$ CONTENT_EX +/etc/xattr.conf$ CONTENT_EX + +# networking +/etc/firewalld CONTENT_EX +!/etc/NetworkManager/system-connections +/etc/NetworkManager CONTENT_EX +/etc/networks$ CONTENT_EX +/etc/dhcp CONTENT_EX +/etc/wpa_supplicant CONTENT_EX +/etc/resolv.conf$ DATAONLY +/etc/nscd.conf$ CONTENT_EX + +# logins and accounts +/etc/login.defs$ CONTENT_EX +/etc/libuser.conf$ CONTENT_EX +/var/log/faillog$ PERMS +/var/log/lastlog$ PERMS +/var/run/faillock PERMS +/etc/pam.d CONTENT_EX +/etc/security CONTENT_EX +/etc/securetty$ CONTENT_EX +/etc/polkit-1 CONTENT_EX +/etc/sudo.conf$ CONTENT_EX +/etc/sudoers$ CONTENT_EX +/etc/sudoers.d CONTENT_EX + +# Shell/X startup files +/etc/profile$ CONTENT_EX +/etc/profile.d CONTENT_EX +/etc/bashrc$ CONTENT_EX +/etc/bash_completion.d CONTENT_EX +/etc/zprofile$ CONTENT_EX +/etc/zshrc$ CONTENT_EX +/etc/zlogin$ CONTENT_EX +/etc/zlogout$ CONTENT_EX +/etc/X11 CONTENT_EX + +# Pkg manager +/etc/dnf CONTENT_EX +/etc/yum.conf$ CONTENT_EX +/etc/yum CONTENT_EX +/etc/yum.repos.d CONTENT_EX + +# This gets new/removes-old filenames daily +!/var/log/sa +# As we are checking it, we've truncated yesterdays size to zero. +!/var/log/aide.log + +# auditing +# AIDE produces an audit record, so this becomes perpetual motion. +/var/log/audit PERMS +/etc/audit CONTENT_EX +/etc/libaudit.conf$ CONTENT_EX +/etc/aide.conf$ CONTENT_EX + +# System logs +/etc/rsyslog.conf$ CONTENT_EX +/etc/rsyslog.d CONTENT_EX +/etc/logrotate.conf$ CONTENT_EX +/etc/logrotate.d CONTENT_EX +/etc/systemd/journald.conf$ CONTENT_EX +/var/log LOG+ANF+ARF +/var/run/utmp LOG + +# secrets +/etc/pkcs11 CONTENT_EX +/etc/pki CONTENT_EX +/etc/crypto-policies CONTENT_EX +/etc/certmonger CONTENT_EX +/var/lib/systemd/random-seed$ PERMS + +# init system +/etc/systemd CONTENT_EX +/etc/rc.d CONTENT_EX +/etc/tmpfiles.d CONTENT_EX + +# boot config +/etc/default CONTENT_EX +/etc/grub.d CONTENT_EX +/etc/dracut.conf$ CONTENT_EX +/etc/dracut.conf.d CONTENT_EX + +# glibc linker +/etc/ld.so.cache$ CONTENT_EX +/etc/ld.so.conf$ CONTENT_EX +/etc/ld.so.conf.d CONTENT_EX +/etc/ld.so.preload$ CONTENT_EX + +# kernel config +/etc/sysctl.conf$ CONTENT_EX +/etc/sysctl.d CONTENT_EX +/etc/modprobe.d CONTENT_EX +/etc/modules-load.d CONTENT_EX +/etc/depmod.d CONTENT_EX +/etc/udev CONTENT_EX +/etc/crypttab$ CONTENT_EX + +#### Daemons #### + +# cron jobs +/etc/at.allow$ CONTENT +/etc/at.deny$ CONTENT +/etc/anacrontab$ CONTENT_EX +/etc/cron.allow$ CONTENT_EX +/etc/cron.deny$ CONTENT_EX +/etc/cron.d CONTENT_EX +/etc/cron.daily CONTENT_EX +/etc/cron.hourly CONTENT_EX +/etc/cron.monthly CONTENT_EX +/etc/cron.weekly CONTENT_EX +/etc/crontab$ CONTENT_EX +/var/spool/cron/root CONTENT + +# time keeping +/etc/chrony.conf$ CONTENT_EX +/etc/chrony.keys$ CONTENT_EX + +# mail +/etc/aliases$ CONTENT_EX +/etc/aliases.db$ CONTENT_EX +/etc/postfix CONTENT_EX + +# ssh +/etc/ssh/sshd_config$ CONTENT_EX +/etc/ssh/ssh_config$ CONTENT_EX + +# stunnel +/etc/stunnel CONTENT_EX + +# printing +/etc/cups CONTENT_EX +/etc/cupshelpers CONTENT_EX +/etc/avahi CONTENT_EX + +# web server +/etc/httpd CONTENT_EX + +# dns +/etc/named CONTENT_EX +/etc/named.conf$ CONTENT_EX +/etc/named.iscdlv.key$ CONTENT_EX +/etc/named.rfc1912.zones$ CONTENT_EX +/etc/named.root.key$ CONTENT_EX + +# xinetd +/etc/xinetd.conf$ CONTENT_EX +/etc/xinetd.d CONTENT_EX + +# IPsec +/etc/ipsec.conf$ CONTENT_EX +/etc/ipsec.secrets$ CONTENT_EX +/etc/ipsec.d CONTENT_EX + +# USB guard +/etc/usbguard CONTENT_EX + +# Ignore some files +!/etc/mtab$ +!/etc/.*~ + +# Now everything else +/etc PERMS + +# With AIDE's default verbosity level of 5, these would give lots of +# warnings upon tree traversal. It might change with future version. +# +#=/lost\+found DIR +#=/home DIR diff --git a/SOURCES/aide.logrotate b/SOURCES/aide.logrotate new file mode 100644 index 0000000..614c6a6 --- /dev/null +++ b/SOURCES/aide.logrotate @@ -0,0 +1,9 @@ +/var/log/aide/*.log { + weekly + missingok + rotate 4 + compress + delaycompress + copytruncate + minsize 100k +} diff --git a/SOURCES/coverity.patch b/SOURCES/coverity.patch new file mode 100644 index 0000000..9b981be --- /dev/null +++ b/SOURCES/coverity.patch @@ -0,0 +1,642 @@ +diff -up ./include/be.h.coverity ./include/be.h +--- ./include/be.h.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./include/be.h 2018-10-10 19:27:18.680632681 +0200 +@@ -22,6 +22,6 @@ + #define _BE_H_INCLUDED + #include "db_config.h" + +-FILE* be_init(int inout,url_t* u,int iszipped); ++void* be_init(int inout,url_t* u,int iszipped); + + #endif /* _BE_H_INCLUDED */ +diff -up ./include/db_config.h.coverity ./include/db_config.h +--- ./include/db_config.h.coverity 2018-10-10 19:27:18.672632611 +0200 ++++ ./include/db_config.h 2018-10-10 19:27:18.681632689 +0200 +@@ -376,7 +376,7 @@ typedef struct db_config { + #endif + + url_t* initial_report_url; +- FILE* initial_report_fd; ++ void* initial_report_fd; + + /* report_url is a list of url_t*s */ + list* report_url; +diff -up ./src/aide.c.coverity ./src/aide.c +--- ./src/aide.c.coverity 2018-10-10 19:27:18.678632663 +0200 ++++ ./src/aide.c 2018-10-10 19:27:18.681632689 +0200 +@@ -278,7 +278,7 @@ static void setdefaults_before_config() + error(0,_("Couldn't get hostname")); + free(s); + } else { +- s=(char*)realloc((void*)s,strlen(s)+1); ++ // s=(char*)realloc((void*)s,strlen(s)+1); + do_define("HOSTNAME",s); + } + +@@ -506,8 +506,6 @@ static void setdefaults_after_config() + int main(int argc,char**argv) + { + int errorno=0; +- byte* dig=NULL; +- char* digstr=NULL; + + #ifdef USE_LOCALE + setlocale(LC_ALL,""); +@@ -544,6 +542,10 @@ int main(int argc,char**argv) + } + + errorno=commandconf('C',conf->config_file); ++ if (errorno==RETFAIL){ ++ error(0,_("Configuration error\n")); ++ exit(INVALID_CONFIGURELINE_ERROR); ++ } + + errorno=commandconf('D',""); + if (errorno==RETFAIL){ +@@ -594,6 +596,9 @@ int main(int argc,char**argv) + } + } + #ifdef WITH_MHASH ++ byte* dig=NULL; ++ char* digstr=NULL; ++ + if(conf->config_check&&FORCECONFIGMD){ + error(0,"Can't give config checksum when compiled with --enable-forced_configmd\n"); + exit(INVALID_ARGUMENT_ERROR); +diff -up ./src/base64.c.coverity ./src/base64.c +--- ./src/base64.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/base64.c 2018-10-10 19:27:18.681632689 +0200 +@@ -209,6 +209,7 @@ byte* decode_base64(char* src,size_t ssi + case FAIL: + error(3, "decode_base64: Illegal character: %c\n", *inb); + error(230, "decode_base64: Illegal line:\n%s\n", src); ++ free(outbuf); + return NULL; + break; + case SKIP: +@@ -260,7 +261,7 @@ size_t length_base64(char* src,size_t ss + int l; + int left; + size_t pos; +- unsigned long triple; ++ //unsigned long triple; + + error(235, "decode base64\n"); + /* Exit on empty input */ +@@ -273,7 +274,7 @@ size_t length_base64(char* src,size_t ss + inb = src; + + l = 0; +- triple = 0; ++ //triple = 0; + pos=0; + left = ssize; + /* +@@ -293,7 +294,7 @@ size_t length_base64(char* src,size_t ss + case SKIP: + break; + default: +- triple = triple<<6 | (0x3f & i); ++ //triple = triple<<6 | (0x3f & i); + l++; + break; + } +@@ -302,10 +303,10 @@ size_t length_base64(char* src,size_t ss + switch(l) + { + case 2: +- triple = triple>>4; ++ //triple = triple>>4; + break; + case 3: +- triple = triple>>2; ++ //triple = triple>>2; + break; + default: + break; +@@ -314,7 +315,7 @@ size_t length_base64(char* src,size_t ss + { + pos++; + } +- triple = 0; ++ //triple = 0; + l = 0; + } + inb++; +diff -up ./src/be.c.coverity ./src/be.c +--- ./src/be.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/be.c 2018-10-10 19:27:18.681632689 +0200 +@@ -117,9 +117,9 @@ static char* get_first_value(char** in){ + + #endif + +-FILE* be_init(int inout,url_t* u,int iszipped) ++void* be_init(int inout,url_t* u,int iszipped) + { +- FILE* fh=NULL; ++ void* fh=NULL; + long a=0; + char* err=NULL; + int fd; +diff -up ./src/commandconf.c.coverity ./src/commandconf.c +--- ./src/commandconf.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/commandconf.c 2018-10-10 19:27:18.682632698 +0200 +@@ -106,7 +106,7 @@ int commandconf(const char mode,const ch + rv=0; + } else { + +- rv=access(config,R_OK); ++ if (config != NULL) rv=access(config,R_OK); + if(rv==-1){ + error(0,_("Cannot access config file: %s: %s\n"),config,strerror(errno)); + } +@@ -166,14 +166,11 @@ int commandconf(const char mode,const ch + int conf_input_wrapper(char* buf, int max_size, FILE* in) + { + int retval=0; +- int c=0; +- char* tmp=NULL; +- void* key=NULL; +- int keylen=0; + + /* FIXME Add support for gzipped config. :) */ + #ifdef WITH_MHASH + /* Read a character at a time until we are doing md */ ++ int c=0; + if(conf->do_configmd){ + retval=fread(buf,1,max_size,in); + }else { +@@ -185,6 +182,9 @@ int conf_input_wrapper(char* buf, int ma + #endif + + #ifdef WITH_MHASH ++ char* tmp=NULL; ++ void* key=NULL; ++ int keylen=0; + if(conf->do_configmd||conf->config_check){ + if(((conf->do_configmd==1)&&conf->config_check)||!conf->confmd){ + if(conf->do_configmd==1){ +@@ -276,6 +276,9 @@ int db_input_wrapper(char* buf, int max_ + #endif + break; + } ++ default: { ++ return 0; ++ } + } + + #ifdef WITH_CURL +@@ -651,7 +654,6 @@ int handle_endif(int doit,int allow_else + case 0 : { + conferror("@@endif or @@else expected"); + return -1; +- count=0; + } + + default : { +@@ -816,6 +818,7 @@ void do_dbdef(int dbtype,char* val) + if(u==NULL||u->type==url_unknown||u->type==url_stdout + ||u->type==url_stderr) { + error(0,_("Unsupported input URL-type:%s\n"),val); ++ free(u); + } + else { + *conf_db_url=u; +@@ -825,6 +828,7 @@ void do_dbdef(int dbtype,char* val) + case DB_WRITE: { + if(u==NULL||u->type==url_unknown||u->type==url_stdin){ + error(0,_("Unsupported output URL-type:%s\n"),val); ++ free(u); + } + else{ + conf->db_out_url=u; +@@ -848,6 +852,7 @@ void do_dbindef(char* val) + if(u==NULL||u->type==url_unknown||u->type==url_stdout + ||u->type==url_stderr) { + error(0,_("Unsupported input URL-type:%s\n"),val); ++ free(u); + } + else { + conf->db_in_url=u; +@@ -869,6 +874,7 @@ void do_dboutdef(char* val) + * both input and output urls */ + if(u==NULL||u->type==url_unknown||u->type==url_stdin){ + error(0,_("Unsupported output URL-type:%s\n"),val); ++ free(u); + } + else{ + conf->db_out_url=u; +@@ -894,7 +900,8 @@ void do_repurldef(char* val) + } else { + error_init(u,0); + } +- ++ ++ free(u); + } + + void do_verbdef(char* val) +@@ -984,7 +991,7 @@ void do_report_ignore_e2fsattrs(char* va + break; + } + } +- *val++; ++ val++; + } + } + #endif +diff -up ./src/compare_db.c.coverity ./src/compare_db.c +--- ./src/compare_db.c.coverity 2018-10-10 19:27:18.673632619 +0200 ++++ ./src/compare_db.c 2018-10-10 19:27:18.682632698 +0200 +@@ -312,7 +312,7 @@ static int acl2array(acl_type* acl, char + if (conf->syslog_format) { + *values = malloc(2 * sizeof(char*)); + +- char *A, *D = ""; ++ char *A= "", *D = ""; + + if (acl->acl_a) { A = acl->acl_a; } + if (acl->acl_d) { D = acl->acl_d; } +diff -up ./src/conf_lex.l.coverity ./src/conf_lex.l +--- ./src/conf_lex.l.coverity 2018-10-10 19:27:18.673632619 +0200 ++++ ./src/conf_lex.l 2018-10-10 19:27:18.682632698 +0200 +@@ -133,7 +133,7 @@ int var_in_conflval=0; + [\ \t]*\n { + conf_lineno++; + return (TNEWLINE); +- BEGIN 0; ++// BEGIN 0; + } + + \+ { +diff -up ./src/db.c.coverity ./src/db.c +--- ./src/db.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/db.c 2018-10-10 19:27:18.683632707 +0200 +@@ -27,6 +27,7 @@ + #include "db_file.h" + #include "db_disk.h" + #include "md.h" ++#include "fopen.h" + + #ifdef WITH_PSQL + #include "db_sql.h" +@@ -269,6 +270,9 @@ db_line* db_readline(int db){ + db_order=&(conf->db_new_order); + break; + } ++ default: { ++ return NULL; ++ } + } + + switch (db_url->type) { +@@ -368,7 +372,7 @@ db_line* db_char2line(char** ss,int db){ + + int i; + db_line* line=(db_line*)malloc(sizeof(db_line)*1); +- int* db_osize=0; ++ int* db_osize=NULL; + DB_FIELD** db_order=NULL; + + switch (db) { +@@ -382,6 +386,10 @@ db_line* db_char2line(char** ss,int db){ + db_order=&(conf->db_new_order); + break; + } ++ default: { ++ free(line); ++ return NULL; ++ } + } + + +@@ -601,7 +609,9 @@ db_line* db_char2line(char** ss,int db){ + size_t vsz = 0; + + tval = strtok(NULL, ","); +- line->xattrs->ents[num].key = db_readchar(strdup(tval)); ++ char * tmp = strdup(tval); ++ line->xattrs->ents[num].key = db_readchar(tmp); ++ free(tmp); + tval = strtok(NULL, ","); + val = base64tobyte(tval, strlen(tval), &vsz); + line->xattrs->ents[num].val = val; +@@ -648,6 +658,8 @@ db_line* db_char2line(char** ss,int db){ + + default : { + error(0,_("Not implemented in db_char2line %i \n"),(*db_order)[i]); ++ free_db_line(line); ++ free(line); + return NULL; + } + +@@ -826,7 +838,7 @@ void db_close() { + case url_ftp: + { + if (conf->db_out!=NULL) { +- url_fclose(conf->db_out); ++ url_fclose((URL_FILE*)conf->db_out); + } + break; + } +diff -up ./src/db_disk.c.coverity ./src/db_disk.c +--- ./src/db_disk.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/db_disk.c 2018-10-10 19:28:00.108995089 +0200 +@@ -79,9 +79,15 @@ static DIR *open_dir(char* path) { + + static void next_in_dir (void) + { ++ + #ifdef HAVE_READDIR_R +- if (dirh != NULL) ++ if (dirh != NULL) { ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wdeprecated-declarations" + rdres = AIDE_READDIR_R_FUNC (dirh, entp, resp); ++#pragma GCC diagnostic pop ++ } ++ + #else + #ifdef HAVE_READDIR + if (dirh != NULL) { +diff -up ./src/db_file.c.coverity ./src/db_file.c +--- ./src/db_file.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/db_file.c 2018-10-10 19:27:18.683632707 +0200 +@@ -171,7 +171,7 @@ int dofprintf( const char* s,...) + int db_file_read_spec(int db){ + + int i=0; +- int* db_osize=0; ++ int* db_osize=NULL; + DB_FIELD** db_order=NULL; + + switch (db) { +@@ -187,6 +187,9 @@ int db_file_read_spec(int db){ + db_lineno=&db_new_lineno; + break; + } ++ default: { ++ return RETFAIL; ++ } + } + + *db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD)); +@@ -198,13 +201,10 @@ int db_file_read_spec(int db){ + int l; + + +- /* Yes... we do not check if realloc returns nonnull */ +- +- *db_order=(DB_FIELD*) +- realloc((void*)*db_order, ++ void * tmp = realloc((void*)*db_order, + ((*db_osize)+1)*sizeof(DB_FIELD)); +- +- if(*db_order==NULL){ ++ if (tmp != NULL) *db_order=(DB_FIELD*) tmp; ++ else { + return RETFAIL; + } + +@@ -291,8 +291,8 @@ char** db_readline_file(int db){ + int* domd=NULL; + #ifdef WITH_MHASH + MHASH* md=NULL; +-#endif + char** oldmdstr=NULL; ++#endif + int* db_osize=0; + DB_FIELD** db_order=NULL; + FILE** db_filep=NULL; +@@ -302,9 +302,9 @@ char** db_readline_file(int db){ + case DB_OLD: { + #ifdef WITH_MHASH + md=&(conf->dboldmd); ++ oldmdstr=&(conf->old_dboldmdstr); + #endif + domd=&(conf->do_dboldmd); +- oldmdstr=&(conf->old_dboldmdstr); + + db_osize=&(conf->db_in_size); + db_order=&(conf->db_in_order); +@@ -316,9 +316,9 @@ char** db_readline_file(int db){ + case DB_NEW: { + #ifdef WITH_MHASH + md=&(conf->dbnewmd); ++ oldmdstr=&(conf->old_dbnewmdstr); + #endif + domd=&(conf->do_dbnewmd); +- oldmdstr=&(conf->old_dbnewmdstr); + + db_osize=&(conf->db_new_size); + db_order=&(conf->db_new_order); +@@ -328,7 +328,9 @@ char** db_readline_file(int db){ + break; + } + } +- ++ ++ if (db_osize == NULL) return NULL; ++ + if (*db_osize==0) { + db_buff(db,*db_filep); + +@@ -737,8 +739,6 @@ int db_writespec_file(db_config* dbconf) + int i=0; + int j=0; + int retval=1; +- void*key=NULL; +- int keylen=0; + struct tm* st; + time_t tim=time(&tim); + st=localtime(&tim); +@@ -750,6 +750,8 @@ int db_writespec_file(db_config* dbconf) + + #ifdef WITH_MHASH + /* From hereon everything must MD'd before write to db */ ++ void*key=NULL; ++ int keylen=0; + if((key=get_db_key())!=NULL){ + keylen=get_db_key_len(); + dbconf->do_dbnewmd=1; +diff -up ./src/do_md.c.coverity ./src/do_md.c +--- ./src/do_md.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/do_md.c 2018-10-10 19:27:18.683632707 +0200 +@@ -202,7 +202,6 @@ void calc_md(struct AIDE_STAT_TYPE* old_ + and we don't read from a pipe :) + */ + struct AIDE_STAT_TYPE fs; +- int sres=0; + int stat_diff,filedes; + #ifdef WITH_PRELINK + pid_t pid; +@@ -237,7 +236,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_ + return; + } + +- sres=AIDE_FSTAT_FUNC(filedes,&fs); ++ AIDE_FSTAT_FUNC(filedes,&fs); + if(!(line->attr&DB_RDEV)) + fs.st_rdev=0; + +@@ -331,7 +330,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_ + } + #endif + #endif /* not HAVE_MMAP */ +- buf=malloc(READ_BLOCK_SIZE); ++// buf=malloc(READ_BLOCK_SIZE); + #if READ_BLOCK_SIZE>SSIZE_MAX + #error "READ_BLOCK_SIZE" is too large. Max value is SSIZE_MAX, and current is READ_BLOCK_SIZE + #endif +diff -up ./src/gen_list.c.coverity ./src/gen_list.c +--- ./src/gen_list.c.coverity 2016-07-25 22:56:55.000000000 +0200 ++++ ./src/gen_list.c 2018-10-10 19:27:18.684632716 +0200 +@@ -843,15 +843,15 @@ static void add_file_to_tree(seltree* tr + DB_ATTR_TYPE localignorelist=0; + DB_ATTR_TYPE ignored_added_attrs, ignored_removed_attrs, ignored_changed_attrs; + ++ if(file==NULL){ ++ error(0, "add_file_to_tree was called with NULL db_line\n"); ++ } ++ + node=get_seltree_node(tree,file->filename); + + if(!node){ + node=new_seltree_node(tree,file->filename,0,NULL); + } +- +- if(file==NULL){ +- error(0, "add_file_to_tree was called with NULL db_line\n"); +- } + + /* add note to this node which db has modified it */ + node->checked|=db; +diff -up ./src/md.c.coverity ./src/md.c +--- ./src/md.c.coverity 2018-10-10 19:27:18.679632672 +0200 ++++ ./src/md.c 2018-10-10 19:27:18.684632716 +0200 +@@ -36,8 +36,8 @@ + */ + + DB_ATTR_TYPE hash_gcrypt2attr(int i) { +- DB_ATTR_TYPE r=0; + #ifdef WITH_GCRYPT ++ DB_ATTR_TYPE r=0; + switch (i) { + case GCRY_MD_MD5: { + r=DB_MD5; +@@ -74,13 +74,15 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) { + default: + break; + } +-#endif + return r; ++#else /* !WITH_GCRYPT */ ++ return 0; ++#endif + } + + const char * hash_gcrypt2str(int i) { +- char * r = "?"; + #ifdef WITH_GCRYPT ++ char * r = "?"; + switch (i) { + case GCRY_MD_MD5: { + r = "MD5"; +@@ -117,13 +119,17 @@ const char * hash_gcrypt2str(int i) { + default: + break; + } +-#endif + return r; ++#else /* !WITH_GCRYPT */ ++ return "?"; ++#endif + } + ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-parameter" + DB_ATTR_TYPE hash_mhash2attr(int i) { +- DB_ATTR_TYPE r=0; + #ifdef WITH_MHASH ++ DB_ATTR_TYPE r=0; + switch (i) { + case MHASH_CRC32: { + r=DB_CRC32; +@@ -198,10 +204,15 @@ DB_ATTR_TYPE hash_mhash2attr(int i) { + default: + break; + } +-#endif ++ + return r; ++#else /*!WITH_MHASH */ ++ return 0; ++#endif + } + ++#pragma GCC diagnostic pop ++ + /* + Initialise md_container according it's todo_attr field + */ +@@ -317,7 +328,6 @@ int init_md(struct md_container* md) { + */ + + int update_md(struct md_container* md,void* data,ssize_t size) { +- int i; + + error(255,"update_md called\n"); + +@@ -328,6 +338,7 @@ int update_md(struct md_container* md,vo + #endif + + #ifdef WITH_MHASH ++ int i; + + for(i=0;i<=HASH_MHASH_COUNT;i++) { + if (md->mhash_mdh[i]!=MHASH_FAILED) { +@@ -348,7 +359,6 @@ int update_md(struct md_container* md,vo + */ + + int close_md(struct md_container* md) { +- int i; + #ifdef _PARAMETER_CHECK_ + if (md==NULL) { + return RETFAIL; +@@ -356,6 +366,7 @@ int close_md(struct md_container* md) { + #endif + error(255,"close_md called \n"); + #ifdef WITH_MHASH ++ int i; + for(i=0;i<=HASH_MHASH_COUNT;i++) { + if (md->mhash_mdh[i]!=MHASH_FAILED) { + mhash (md->mhash_mdh[i], NULL, 0); +diff -up ./src/util.c.coverity ./src/util.c +--- ./src/util.c.coverity 2018-10-10 19:27:18.670632593 +0200 ++++ ./src/util.c 2018-10-10 19:27:18.684632716 +0200 +@@ -105,13 +105,15 @@ url_t* parse_url(char* val) + for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++); + if(r[0]=='\0'){ + error(0,"Invalid file-URL,no path after hostname: file:%s\n",t); ++ free(hostname); + return NULL; + } + u->value=strdup(r); + r[0]='\0'; + if(gethostname(hostname,MAXHOSTNAMELEN)==-1){ +- strncpy(hostname,"localhost", 10); ++ strncpy(hostname,"localhost", 10); + } ++ + if( (strcmp(t,"localhost")==0)||(strcmp(t,hostname)==0)){ + free(hostname); + break; +@@ -120,7 +122,7 @@ url_t* parse_url(char* val) + free(hostname); + return NULL; + } +- free(hostname); ++ + break; + } + u->value=strdup(r); diff --git a/SPECS/aide.spec b/SPECS/aide.spec new file mode 100644 index 0000000..7bdd197 --- /dev/null +++ b/SPECS/aide.spec @@ -0,0 +1,357 @@ +Summary: Intrusion detection environment +Name: aide +Version: 0.16 +Release: 100%{?dist} +URL: http://sourceforge.net/projects/aide +License: GPLv2+ + + +Source0: %{url}/files/aide/%{version}/%{name}-%{version}.tar.gz +Source1: aide.conf +Source2: README.quickstart +Source3: aide.logrotate + +BuildRequires: gcc +BuildRequires: make +BuildRequires: bison flex +BuildRequires: pcre-devel +BuildRequires: libgpg-error-devel libgcrypt-devel +BuildRequires: zlib-devel +BuildRequires: libcurl-devel +BuildRequires: libacl-devel +BuildRequires: pkgconfig(libselinux) +BuildRequires: libattr-devel +BuildRequires: e2fsprogs-devel +BuildRequires: audit-libs-devel +BuildRequires: autoconf automake libtool + +# Customize the database file location in the man page. +Patch1: aide-0.16rc1-man.patch +# fix aide in FIPS mode +Patch2: aide-0.16b1-fipsfix.patch +# Bug 1674637 - aide: FTBFS in Fedora rawhide/f30 +Patch3: aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch + +Patch4: aide-0.15-syslog-format.patch +Patch5: aide-0.16-crypto-disable-haval-and-others.patch +Patch6: coverity.patch +Patch7: aide-0.16-crash-elf.patch +Patch8: aide-configure.patch +Patch9: aide-static-analysis.patch + +Patch10: aide-0.16-CVE-2021-45417.patch + +%description +AIDE (Advanced Intrusion Detection Environment) is a file integrity +checker and intrusion detection program. + +%prep +%autosetup -p1 +cp -a %{S:2} . + +%build +autoreconf -ivf +%configure \ + --disable-static \ + --with-config_file=%{_sysconfdir}/aide.conf \ + --with-gcrypt \ + --with-zlib \ + --with-curl \ + --with-posix-acl \ + --with-selinux \ + --with-xattr \ + --with-e2fsattrs \ + --with-audit \ + --with-confighmactype=sha512 \ + --with-dbhmactype=sha512 +%make_build + +%install +%make_install bindir=%{_sbindir} +install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:1} +install -Dpm0644 %{S:3} %{buildroot}%{_sysconfdir}/logrotate.d/aide +mkdir -p %{buildroot}%{_localstatedir}/log/aide +mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide + +%files +%license COPYING +%doc AUTHORS ChangeLog NEWS README doc/manual.html contrib/ +%doc README.quickstart +%{_sbindir}/aide +%{_mandir}/man1/*.1* +%{_mandir}/man5/*.5* +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/aide.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/aide +%dir %attr(0700,root,root) %{_localstatedir}/lib/aide +%dir %attr(0700,root,root) %{_localstatedir}/log/aide + +%changelog +* Mon Jan 24 2022 Radovan Sroka - 0.16-100 +- backport fix for CVE-2021-45417 + Resolves: rhbz#2041950 + +* Mon Aug 09 2021 Mohan Boddu - 0.16-21 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Thu May 27 2021 Zoltan Fridrich - 0.16-20 +- fix configuration option with-dbhmactype +- do not use sha1 and md5 by default + Resolves: rhbz#1935457 +- fix important static analysis issues + Resolves: rhbz#1938676 + +* Mon May 10 2021 Zoltan Fridrich - 0.16-19 +- use gating and config file from rhel-8.5 +- remove check of periodically changing files + Resolves: rhbz#1957656 +- config cleanup + Resolves: rhbz#1957654 + +* Thu Apr 15 2021 Mohan Boddu - 0.16-18 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Mon Jan 25 2021 Fedora Release Engineering - 0.16-17 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Fri Jul 31 2020 Fedora Release Engineering - 0.16-16 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 0.16-15 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jun 24 2020 Radovan Sroka 0.16-14 +- AIDE breaks when setting report_ignore_e2fsattrs + Resolves: rhbz#1850276 + +* Tue Jan 28 2020 Fedora Release Engineering - 0.16-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jul 31 2019 Radovan Sroka - 0.16-12 +- backport some patches + Resolves: rhbz#1717140 + +* Wed Jul 24 2019 Fedora Release Engineering - 0.16-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Feb 20 2019 Daniel Kopecek - 0.16-10 +- Fix building with curl + Resolves: rhbz#1674637 + +* Thu Jan 31 2019 Fedora Release Engineering - 0.16-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Tue Jul 31 2018 Florian Weimer - 0.16-8 +- Rebuild with fixed binutils + +* Thu Jul 12 2018 Fedora Release Engineering - 0.16-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Feb 20 2018 Igor Gnatenko - 0.16-6 +- Rebuild + +* Wed Feb 07 2018 Fedora Release Engineering - 0.16-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Aug 02 2017 Fedora Release Engineering - 0.16-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 0.16-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Apr 05 2017 Radovan Sroka - 0.16-2 +- fixed upstream link + +* Tue Apr 04 2017 Radovan Sroka - 0.16-1 +- rebase to stable v0.16 +- specfile cleanup +- make doc readable + resolves: #1421355 +- make aide binary runable for any user + resolves: #1421351 + +* Fri Feb 10 2017 Fedora Release Engineering - 0.16-0.3.rc1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Jul 12 2016 Tomas Sykora - 0.16-0.2.rc1 +- New upstream devel version + +* Mon Jun 20 2016 Tomas Sykora - 0.16-0.1.b1 +- New upstream devel version + +* Wed Feb 03 2016 Fedora Release Engineering - 0.15.1-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Sat Jul 25 2015 Till Maas - 0.15.1-11 +- Remove prelink dependency because prelink was retired + +* Tue Jun 16 2015 Fedora Release Engineering - 0.15.1-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Fri Aug 15 2014 Fedora Release Engineering - 0.15.1-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Fri Jul 18 2014 Yaakov Selkowitz - 0.15.1-8 +- Fix FTBFS with -Werror=format-security (#1036983, #1105942) +- Avoid prelink BR on aarch64, ppc64le (#924977, #1078476) + +* Sat Jun 07 2014 Fedora Release Engineering - 0.15.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Sat Aug 03 2013 Fedora Release Engineering - 0.15.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Feb 13 2013 Fedora Release Engineering - 0.15.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Nov 22 2012 Daniel Kopecek - 0.15.1-4 +- added patch to fix aide in FIPS mode +- use only FIPS approved digest algorithms in aide.conf so that + aide works by default in FIPS mode + +* Wed Jul 18 2012 Fedora Release Engineering - 0.15.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jan 12 2012 Fedora Release Engineering - 0.15.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Nov 11 2010 Steve Grubb - 0.15.1-1 +- New upstream release + +* Tue May 18 2010 Steve Grubb - 0.14-5 +- Apply 2 upstream bug fixes + +* Tue May 18 2010 Steve Grubb - 0.14-4 +- Use upstream's patch to fix bz 590566 + +* Sat May 15 2010 Steve Grubb - 0.14-3 +- Fix bz 590561 aide does not detect the change of SElinux context +- Fix bz 590566 aide reports a changed file when it has not been changed + +* Wed Apr 28 2010 Steve Grubb - 0.14-2 +- Fix bz 574764 by replacing abort calls with exit +- Apply libgcrypt init patch + +* Tue Mar 16 2010 Steve Grubb - 0.14-1 +- New upstream release final 0.14 + +* Thu Feb 25 2010 Steve Grubb - 0.14-0.4.rc3 +- New upstream release + +* Thu Feb 25 2010 Steve Grubb - 0.14-0.3.rc2 +- New upstream release + +* Tue Feb 23 2010 Steve Grubb - 0.14-0.2.rc1 +- Fix dirent detection on 64bit systems + +* Mon Feb 22 2010 Steve Grubb - 0.14-0.1.rc1 +- New upstream release + +* Fri Feb 19 2010 Steve Grubb - 0.13.1-16 +- Add logrotate script and spec file cleanups + +* Fri Dec 11 2009 Steve Grubb - 0.13.1-15 +- Get rid of .dedosify files + +* Wed Dec 09 2009 Steve Grubb - 0.13.1-14 +- Revise patch for Initialize libgcrypt correctly (#530485) + +* Sat Nov 07 2009 Steve Grubb - 0.13.1-13 +- Initialize libgcrypt correctly (#530485) + +* Fri Aug 21 2009 Tomas Mraz - 0.13.1-12 +- rebuilt with new audit + +* Wed Aug 19 2009 Steve Grubb 0.13.1-11 +- rebuild for new audit-libs +- Correct regex for root's dot files (#509370) + +* Fri Jul 24 2009 Fedora Release Engineering - 0.13.1-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jun 08 2009 Steve Grubb - 0.13.1-9 +- Make aide smarter about prelinked files (Peter Vrabec) +- Add /lib64 to default config + +* Mon Feb 23 2009 Fedora Release Engineering - 0.13.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Fri Jan 30 2009 Steve Grubb - 0.13.1-6 +- enable xattr support and update config file + +* Fri Sep 26 2008 Tom "spot" Callaway - 0.13.1-5 +- fix selcon patch to apply without fuzz + +* Fri Feb 15 2008 Steve Conklin +- rebuild for gcc4.3 + +* Tue Aug 21 2007 Michael Schwendt +- rebuilt + +* Sun Jul 22 2007 Michael Schwendt - 0.13.1-2 +- Apply Steve Conklin's patch to increase displayed portion of + selinux context. + +* Sun Dec 17 2006 Michael Schwendt - 0.13.1-1 +- Update to 0.13.1 release. + +* Sun Dec 10 2006 Michael Schwendt - 0.13-1 +- Update to 0.13 release. +- Include default aide.conf from RHEL5 as doc example file. + +* Sun Oct 29 2006 Michael Schwendt - 0.12-3.20061027cvs +- CAUTION! This changes the database format and results in a report of + false inconsistencies until an old database file is updated. +- Check out CVS 20061027 which now contains Red Hat's + acl/xattr/selinux/audit patches. +- Patches merged upstream. +- Update manual page substitutions. + +* Mon Oct 23 2006 Michael Schwendt - 0.12-2 +- Add "memory leaks and performance updates" patch as posted + to aide-devel by Steve Grubb. + +* Sat Oct 07 2006 Michael Schwendt - 0.12-1 +- Update to 0.12 release. +- now offers --disable-static, so -no-static patch is obsolete +- fill last element of getopt struct array with zeroes + +* Mon Oct 02 2006 Michael Schwendt - 0.11-3 +- rebuilt + +* Mon Sep 11 2006 Michael Schwendt - 0.11-2 +- rebuilt + +* Sun Feb 19 2006 Michael Schwendt - 0.11-1 +- Update to 0.11 release. +- useless-includes patch merged upstream. +- old Russian man pages not available anymore. +- disable static linking. + +* Thu Apr 7 2005 Michael Schwendt +- rebuilt + +* Fri Nov 28 2003 Michael Schwendt - 0:0.10-0.fdr.1 +- Update to 0.10 release. +- memleaks patch merged upstream. +- rootpath patch merged upstream. +- fstat patch not needed anymore. +- Updated URL. + +* Thu Nov 13 2003 Michael Schwendt - 0:0.10-0.fdr.0.2.cvs20031104 +- Added buildreq m4 to work around incomplete deps of bison package. + +* Tue Nov 04 2003 Michael Schwendt - 0:0.10-0.fdr.0.1.cvs20031104 +- Only tar.gz available upstream. +- byacc not needed when bison -y is available. +- Installed Russian manual pages. +- Updated with changes from CVS (2003-11-04). +- getopt patch merged upstream. +- bison-1.35 patch incorporated upstream. + +* Tue Sep 09 2003 Michael Schwendt - 0:0.9-0.fdr.0.2.20030902 +- Added fixes for further memleaks. + +* Sun Sep 07 2003 Michael Schwendt - 0:0.9-0.fdr.0.1.20030902 +- Initial package version.