diff --git a/.aide.metadata b/.aide.metadata new file mode 100644 index 0000000..78c4b28 --- /dev/null +++ b/.aide.metadata @@ -0,0 +1 @@ +c5998c04a223416142323fa1bd18db0936099827 SOURCES/aide-0.15.1.tar.gz diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..6e9de9a --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/aide-0.15.1.tar.gz diff --git a/SOURCES/README.quickstart b/SOURCES/README.quickstart new file mode 100644 index 0000000..87adc63 --- /dev/null +++ b/SOURCES/README.quickstart 
@@ -0,0 +1,40 @@ +1) Customize /etc/aide.conf to your liking. In particular, add + important directories and files which you would like to be + covered by integrity checks. Avoid files which are expected + to change frequently or which don't affect the safety of your + system. + +2) Run "/usr/sbin/aide --init" to build the initial database. + With the default setup, that creates /var/lib/aide/aide.db.new.gz + +3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz + in a secure location, e.g. on separate read-only media (such as + CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures + of those files in a secure location, so you have means to verify + that nobody modified those files. + +4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz + which is the location of the input database. + +5) Run "/usr/sbin/aide --check" to check your system for inconsistencies + compared with the AIDE database. Prior to running a check manually, + ensure that the AIDE binary and database have not been modified + without your knowledge. + + Caution! + + With the default setup, an AIDE check is not run periodically as a + cron job. It cannot be guaranteed that the AIDE binaries, config + file and database are intact. It is not recommended that you run + automated AIDE checks without verifying AIDE yourself frequently. + In addition to that, AIDE does not implement any password or + encryption protection for its own files. + + It is up to you how to put a file integrity checker to good effect + and how to set up automated checks if you think it adds a level of + safety (e.g. detecting failed/incomplete compromises or unauthorized + modification of special files). On a compromised system, the + intruder could disable the automated check. Or he could replace the + AIDE binary, config file and database easily when they are not + located on read-only media. + 
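Review bot: step 3 of README.quickstart offers "MD5 fingerprints or GPG signatures" as the way to later verify /etc/aide.conf, /usr/sbin/aide and the database; MD5 is not collision-resistant, so an attacker who can replace those files can also craft a replacement with the same MD5, and the text should recommend SHA-256 (or stronger) digests or the GPG signatures it already names. The same applies to the wording of step 5, "ensure that the AIDE binary and database have not been modified", which should say how (compare against the stored digest or signature), since the Caution paragraph itself notes that AIDE provides no protection for its own files.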
diff --git a/SOURCES/aide-0.14-man.patch b/SOURCES/aide-0.14-man.patch new file mode 100644 index 0000000..8192636 --- /dev/null +++ b/SOURCES/aide-0.14-man.patch @@ -0,0 +1,15 @@ +diff -ur aide.orig/doc/aide.1.in aide/doc/aide.1.in +--- aide.orig/doc/aide.1.in 2010-02-24 13:53:49.000000000 -0500 ++++ aide/doc/aide.1.in 2010-02-24 13:57:44.000000000 -0500 +@@ -75,9 +75,9 @@ + .SH FILES + .B @sysconfdir@/aide.conf + Default aide configuration file. +-.B @sysconfdir@/aide.db ++.B @localstatedir@/lib/aide.db + Default aide database. +-.B @sysconfdir@/aide.db.new ++.B @localstatedir@/lib/aide.db.new + Default aide output database. + .SH SEE ALSO + .BR aide.conf (5) diff --git a/SOURCES/aide-0.15-error-messages.patch b/SOURCES/aide-0.15-error-messages.patch new file mode 100644 index 0000000..7dc3ffc --- /dev/null +++ b/SOURCES/aide-0.15-error-messages.patch @@ -0,0 +1,13 @@ +diff -U0 ./ChangeLog.error-messages ./ChangeLog +diff -up ./src/conf_yacc.y.error-messages ./src/conf_yacc.y +--- ./src/conf_yacc.y.error-messages 2017-03-20 16:45:08.885577012 +0100 ++++ ./src/conf_yacc.y 2017-03-20 16:45:08.888577012 +0100 +@@ -37,7 +37,7 @@ DB_ATTR_TYPE retval=0; + extern int conflex(); + void conferror(const char*); + +-extern char conftext[]; ++extern char *conftext; + extern long conf_lineno; + + diff --git a/SOURCES/aide-0.15-syslog-format.patch b/SOURCES/aide-0.15-syslog-format.patch new file mode 100644 index 0000000..961927f --- /dev/null +++ b/SOURCES/aide-0.15-syslog-format.patch 
@@ -0,0 +1,759 @@ +diff -up ./doc/aide.conf.5.in.syslog-format ./doc/aide.conf.5.in +--- ./doc/aide.conf.5.in.syslog-format 2010-08-08 13:39:31.000000000 -0400 ++++ ./doc/aide.conf.5.in 2017-03-07 11:12:49.964000000 -0500 +@@ -44,6 +44,25 @@ inclusive. This parameter can only be gi + occurence is used. If \-\-verbose or \-V is used then the value from that + is used. The default is 5. If verbosity is 20 then additional report + output is written when doing \-\-check, \-\-update or \-\-compare. ++.IP "syslog_format" ++Valid values are yes,true,no and false. This option enables new syslog format ++which is suitable for logging. Every change is logged as one simple line. This option ++changes verbose level to 0 and prints everything that was changed. It is suggested ++to use this option with "report_url=syslog:...". Default value is "false/no". ++Maximum size of message is 1KB which is limitation of syslog call. If message is ++greater than limit, message will be truncated. ++Option summarize_changes has no impact for this format. ++.nf ++.eo ++ ++Output always starts with: ++"AIDE found differences between database and filesystem!!" ++And it is followed by summary: ++summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1 ++And finally there are logs about changes: ++dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;... ++.ec ++.fi + .IP "report_url" + The url that the output is written to. There can be multiple instances + of this parameter. Output is written to all of them. 
The default is +diff -up ./include/db_config.h.syslog-format ./include/db_config.h +--- ./include/db_config.h.syslog-format 2010-08-08 13:39:31.000000000 -0400 ++++ ./include/db_config.h 2017-03-07 11:12:49.964000000 -0500 +@@ -264,6 +264,7 @@ typedef struct db_config { + FILE* db_out; + + int config_check; ++ int syslog_format; + + #ifdef WITH_ZLIB + gzFile db_gzin; +diff -up ./src/aide.c.syslog-format ./src/aide.c +--- ./src/aide.c.syslog-format 2017-03-07 11:12:49.960000000 -0500 ++++ ./src/aide.c 2017-03-07 11:12:49.964000000 -0500 +@@ -264,6 +264,7 @@ void setdefaults_before_config() + } + + /* Setting some defaults */ ++ conf->syslog_format=0; + conf->report_db=0; + conf->tree=NULL; + conf->config_check=0; +@@ -468,6 +469,9 @@ void setdefaults_after_config() + if(conf->verbose_level==-1){ + conf->verbose_level=5; + } ++ if(conf->syslog_format==1){ ++ conf->verbose_level=0; ++ } + } + + +@@ -664,6 +668,7 @@ int main(int argc,char**argv) + gcry_control(GCRYCTL_TERM_SECMEM, 0); + #endif /* WITH_GCRYPT */ + return RETOK; ++ + } + const char* aide_key_3=CONFHMACKEY_03; + const char* db_key_3=DBHMACKEY_03; +diff -up ./src/compare_db.c.syslog-format ./src/compare_db.c +--- ./src/compare_db.c.syslog-format 2010-08-08 13:39:31.000000000 -0400 ++++ ./src/compare_db.c 2017-03-07 11:30:52.630000000 -0500 +@@ -50,6 +50,7 @@ + #include "md.h" + + /*************/ ++#define MESSAGE_SIZE 1024 + /* contruction area for report lines */ + const int old_col = 12; + const int new_col = 40; +@@ -60,6 +61,9 @@ char oline[129]; + char nline[129]; + const char* entry_format= " %-9s: %-33s, %s\n"; + const char* entry_format_justnew=" %-9s: %-33c %s\n"; ++const char* entry_syslog= "%s_old=%s;%s_new=%s"; ++const char* entry_syslog_justnew="%s_new=%s"; ++ + #ifdef WITH_E2FSATTRS + /* flag->character mappings defined in lib/e2p/pf.c (part of e2fsprogs-1.41.12 sources) */ + unsigned long flag_bits[] = { EXT2_SECRM_FL, EXT2_UNRM_FL, EXT2_SYNC_FL, EXT2_DIRSYNC_FL, EXT2_IMMUTABLE_FL, +@@ 
-415,7 +419,7 @@ DB_ATTR_TYPE compare_dbline(db_line* l1, + return ret; + } + +-void print_str_changes(char*old,char*new,const char *name, DB_ATTR_TYPE force) ++void print_str_changes(char*old,char*new,const char *name, DB_ATTR_TYPE force, char* part_message) + { + int mode = 0; + if(old==NULL){ +@@ -438,50 +442,80 @@ void print_str_changes(char*old,char*new + } + if(mode == 1) { + error(2,(char*)entry_format,name,oline,nline); ++ if(part_message!=NULL && conf->syslog_format){ ++ snprintf(part_message, MESSAGE_SIZE, entry_syslog, name, oline, name, nline); ++ } + } else if (mode == 2) { + error(2,(char*)entry_format_justnew,name,' ',nline); ++ if(part_message!=NULL && conf->syslog_format){ ++ snprintf(part_message, MESSAGE_SIZE, entry_syslog_justnew, name, nline); ++ } ++ } else { ++ part_message="\0"; + } + return; + } + + #ifdef WITH_ACL +-void print_single_acl(acl_type* acl) ++void print_single_acl(acl_type* acl, char* line) + { + if (acl==NULL) { + error(2,"\n"); ++ if (conf->syslog_format)snprintf(line, long_part_len, ""); + } else { + #ifdef WITH_POSIX_ACL +- if (!acl->acl_a) ++ if (!acl->acl_a) { + error(2,"A: \n "); +- else ++ if (conf->syslog_format)snprintf(line, long_part_len, "A:"); ++ } ++ else { + error(2,"A:\n----\n%s----\n ",acl->acl_a); +- if (!acl->acl_d) ++ if (conf->syslog_format)snprintf(line, long_part_len, "A:%s", acl->acl_a); ++ } ++ size_t len=strlen(line); ++ if (!acl->acl_d) { + error(2,"D: \n"); +- else ++ if (conf->syslog_format&&len<(size_t)long_part_len)snprintf(line+len-1, long_part_len, "|D:"); ++ } ++ else { + error(2,"D:\n----\n%s----\n",acl->acl_d); ++ if (conf->syslog_format&&len<(size_t)long_part_len)snprintf(line+len-1, long_part_len, "|D:%s", acl->acl_d); ++ } + #endif + #ifdef WITH_SUN_ACL + aclt=acltotext(acl->acl,acl->entries); + if (aclt==NULL) { + error(2,"ERROR\n"); ++ if (conf->syslog_format)snprintf(line, long_part_len, ""); + } else { + error(2,"%s ,\n",aclt); ++ if (conf->syslog_format)snprintf(line, long_part_len, 
"%s", aclt); + free(aclt); + } + #endif + } + } + +-void print_acl_changes(acl_type* old,acl_type* new, DB_ATTR_TYPE force) { ++void print_acl_changes(acl_type* old,acl_type* new, DB_ATTR_TYPE force, char* part_message) { + + if (compare_acl(old,new)==RETFAIL) { + error(2," ACL : old = "); +- print_single_acl(old); ++ print_single_acl(old, oline); + error(2," new = "); +- print_single_acl(new); ++ print_single_acl(new, nline); ++ if (conf->syslog_format) { ++ snprintf(part_message, MESSAGE_SIZE, "ACL_old=|%s|;ACL_new=|%s|", oline, nline); ++ unsigned int i; ++ for (i = 0; i < strlen(part_message); i++) if (part_message[i] == '\n') part_message[i] = ' '; ++ } + } else if (old!=NULL && new!=NULL && force) { + error(2," ACL : "); +- print_single_acl(new); ++ print_single_acl(new, nline); ++ if (conf->syslog_format) { ++ snprintf(part_message, MESSAGE_SIZE, "ACL_new=|%s|", nline); ++ unsigned int i; ++ for (i = 0; i < strlen(part_message); i++) if (part_message[i] == '\n') part_message[i] = ' '; ++ } + } + } + #endif +@@ -502,15 +536,18 @@ static size_t xstrnspn(const char *s1, s + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \ + ".-_:;,[]{}<>()!@#$%^&*|\\/?~" + +-void print_single_xattrs(xattrs_type* xattrs) ++void print_single_xattrs(xattrs_type* xattrs, char* line) + { + if (xattrs==NULL) { + error(2,"num=0\n"); ++ if (conf->syslog_format)snprintf(line, MESSAGE_SIZE, "num=0"); + } else { + size_t num = 0; + int width = 0; +- ++ char tmp[MESSAGE_SIZE]={0}; ++ + error(2,"num=%lu\n", (unsigned long)xattrs->num); ++ if (conf->syslog_format)snprintf(line, MESSAGE_SIZE, "num=%lu", (unsigned long)xattrs->num); + + width = log10(xattrs->num); /* make them the same width */ + +@@ -524,33 +561,44 @@ void print_single_xattrs(xattrs_type* xa + len = xstrnspn(val, xattrs->ents[num - 1].vsz, PRINTABLE_XATTR_VALS); + + if ((len == xattrs->ents[num - 1].vsz) || +- ((len == (xattrs->ents[num - 1].vsz - 1)) && !val[len])) ++ ((len == (xattrs->ents[num - 1].vsz - 1)) && !val[len])) { + error(2," 
[%.*zd] %s = %s\n", width, num, + xattrs->ents[num - 1].key, val); +- else +- { ++ if (conf->syslog_format)snprintf(tmp, MESSAGE_SIZE, "[%.*zd]%s=%s", width, num, ++ xattrs->ents[num - 1].key, val); ++ } ++ else { + val = encode_base64(xattrs->ents[num - 1].val, + xattrs->ents[num - 1].vsz); + error(2," [%.*zd] %s <=> %s\n", width, num, + xattrs->ents[num - 1].key, val); ++ if (conf->syslog_format)snprintf(tmp, MESSAGE_SIZE, "[%.*zd]%s<=>%s", width, num, ++ xattrs->ents[num - 1].key, val); + free(val); + } +- ++ ++ if (conf->syslog_format&&lensyslog_format)snprintf(part_message, MESSAGE_SIZE, "XAttrs_new=|%s|", (char*)new_attrs); + } + + } +@@ -571,7 +619,7 @@ char* e2fsattrs2char(unsigned long flags + } + #endif + +-void print_md_changes(byte*old,byte*new,int len,char* name, DB_ATTR_TYPE force) ++void print_md_changes(byte*old,byte*new,int len,char* name, DB_ATTR_TYPE force, char* part_message) + { + int mode = 0; + if (old!=NULL && new!=NULL) { +@@ -594,8 +642,14 @@ void print_md_changes(byte*old,byte*new, + } + if (mode == 1) { + error(2,(char*)entry_format,name,oline,nline); ++ if(part_message!=NULL && conf->syslog_format){ ++ snprintf(part_message, MESSAGE_SIZE, entry_syslog, name, oline, name, nline); ++ } + } else if (mode == 2) { + error(2,(char*)entry_format_justnew,name,' ',nline); ++ if(part_message!=NULL && conf->syslog_format){ ++ snprintf(part_message, MESSAGE_SIZE, entry_syslog_justnew, name, nline); ++ } + } + return; + } +@@ -607,7 +661,7 @@ int is_time_null(struct tm *ot) + && ot->tm_hour == 1 && ot->tm_min == 0 && ot->tm_sec == 0); + } + +-void print_time_changes(const char* name, time_t old_time, time_t new_time,int justnew) ++void print_time_changes(const char* name, time_t old_time, time_t new_time,int justnew, char* part_message) + { + struct tm otm; + struct tm *ot = &otm; +@@ -640,12 +694,18 @@ void print_time_changes(const char* name + } + if (justnew) { + error(2,(char*)entry_format_justnew,name,' ',nline); ++ if(part_message!=NULL && 
conf->syslog_format){ ++ snprintf(part_message, MESSAGE_SIZE, entry_syslog_justnew, name, nline); ++ } + } else { +- error(2,(char*)entry_format,name,oline,nline); ++ error(2,(char*)entry_format,name,oline,nline); ++ if(part_message!=NULL && conf->syslog_format){ ++ snprintf(part_message, MESSAGE_SIZE, entry_syslog, name, oline, name, nline); ++ } + } + } + +-void print_int_changes(const char* name, int old, int new, int justnew) ++void print_int_changes(const char* name, int old, int new, int justnew, char* part_message) + { + if (!justnew) { + snprintf(oline,part_len,"%i",old); +@@ -653,11 +713,17 @@ void print_int_changes(const char* name, + snprintf(nline,part_len,"%i",new); + if (justnew) { + error(2,(char*)entry_format_justnew,name,' ',nline); ++ if(part_message!=NULL && conf->syslog_format){ ++ snprintf(part_message, MESSAGE_SIZE, entry_syslog_justnew, name, nline); ++ } + } else { + error(2,(char*)entry_format,name,oline,nline); ++ if(part_message!=NULL && conf->syslog_format){ ++ snprintf(part_message, MESSAGE_SIZE, entry_syslog, name, oline, name, nline); ++ } + } + } +-void print_long_changes(const char* name, AIDE_OFF_TYPE old, AIDE_OFF_TYPE new, int justnew) ++void print_long_changes(const char* name, AIDE_OFF_TYPE old, AIDE_OFF_TYPE new, int justnew, char* part_message) + { + #if SIZEOF_OFF64_T == SIZEOF_LONG_LONG + if (!justnew) { +@@ -672,12 +738,18 @@ void print_long_changes(const char* name + #endif + if (justnew) { + error(2,(char*)entry_format_justnew,name,' ',nline); ++ if(part_message!=NULL && conf->syslog_format){ ++ snprintf(part_message, MESSAGE_SIZE, entry_syslog_justnew, name, nline); ++ } + } else { + error(2,(char*)entry_format,name,oline,nline); ++ if(part_message!=NULL && conf->syslog_format){ ++ snprintf(part_message, MESSAGE_SIZE, entry_syslog, name, oline, name, nline); ++ } + } + } + +-void print_string_changes(const char* name, const char* old, const char* new, int justnew) ++void print_string_changes(const char* name, const 
char* old, const char* new, int justnew, char* part_message) + { + if (!justnew) { + snprintf(oline,part_len,"%s",old); +@@ -685,8 +757,14 @@ void print_string_changes(const char* na + snprintf(nline,part_len,"%s",new); + if (justnew) { + error(2,(char*)entry_format_justnew,name,' ',nline); ++ if(part_message!=NULL && conf->syslog_format){ ++ snprintf(part_message, MESSAGE_SIZE, entry_syslog_justnew, name, nline); ++ } + } else { +- error(2,(char*)entry_format,name,oline,nline); ++ error(2,(char*)entry_format,name,oline,nline); ++ if(part_message!=NULL && conf->syslog_format){ ++ snprintf(part_message, MESSAGE_SIZE, entry_syslog, name, oline, name, nline); ++ } + } + } + +@@ -954,168 +1032,226 @@ void print_changed_line(db_line* old,db_ + } + } + ++static void p_swap(char** first, char** second) ++{ ++ if(first==NULL||second==NULL)return; ++ char* tmp=*first; ++ *first=*second; ++ *second=tmp; ++} ++ ++#define DO_APPEND(x,y,z) do{ \ ++ if(conf->syslog_format&&z[0]!=0){ \ ++ snprintf(x, MESSAGE_SIZE,"%s;%s",y,z); \ ++ p_swap((char**)&x,(char**)&y); \ ++ z[0]='\0'; \ ++ } \ ++ }while(0) ++ + void print_dbline_changes(db_line* old,db_line* new, + DB_ATTR_TYPE ignorelist,DB_ATTR_TYPE forced_attrs) + { + char* tmp=NULL; + char* tmp2=NULL; +- ++ ++ char part_message[MESSAGE_SIZE]={0}; ++ char message1[MESSAGE_SIZE]={0}; ++ char message2[MESSAGE_SIZE]={0}; ++ char* message=&message1[0]; ++ char* message_old=&message2[0]; + /* + Force just entries, that exists. 
+ */ + forced_attrs&=new->attr; + + error(2,"\n%s: %s\n",get_file_type_string(new->perm),new->filename); ++ ++ if(conf->syslog_format){ ++ if(S_ISDIR(new->perm_o)) ++ snprintf(message, MESSAGE_SIZE, "dir=%s", old->filename); ++ else ++ snprintf(message, MESSAGE_SIZE, "file=%s", old->filename); ++ p_swap(&message,&message_old); ++ } + + if ((!(DB_FTYPE&ignorelist)) && (((DB_FTYPE&old->attr && DB_FTYPE&new->attr) && get_file_type_char(old->perm)!=get_file_type_char(new->perm)) || DB_FTYPE&forced_attrs)) { +- print_string_changes("File type", get_file_type_string(old->perm),get_file_type_string(new->perm), get_file_type_char(old->perm)==get_file_type_char(new->perm)); ++ if(conf->syslog_format) ++ print_string_changes("file_type", get_file_type_string(old->perm),get_file_type_string(new->perm), get_file_type_char(old->perm)==get_file_type_char(new->perm), ((char*)part_message)); ++ else ++ print_string_changes("File type", get_file_type_string(old->perm),get_file_type_string(new->perm), get_file_type_char(old->perm)==get_file_type_char(new->perm), NULL); ++ DO_APPEND(message,message_old,part_message); + } + + if(!(DB_LINKNAME&ignorelist)){ +- print_str_changes(old->linkname,new->linkname, "Lname", DB_LINKNAME&forced_attrs); ++ print_str_changes(old->linkname,new->linkname, "Lname", DB_LINKNAME&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + + if (((!(DB_SIZEG&ignorelist)) && (((DB_SIZEG&old->attr && DB_SIZEG&new->attr) && old->size>new->size) || DB_SIZEG&forced_attrs)) + || ((!(DB_SIZE&ignorelist)) && (((DB_SIZE&old->attr && DB_SIZE&new->attr) && old->size!=new->size) || DB_SIZE&forced_attrs)) ) { +- print_long_changes("Size", old->size,new->size,old->size==new->size); ++ print_long_changes("Size", old->size,new->size,old->size==new->size, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + + if (!(DB_BCOUNT&ignorelist)) { + if(old->bcount!=new->bcount ||(DB_BCOUNT&forced_attrs) ){ +- 
print_int_changes("Bcount", old->bcount,new->bcount,old->bcount==new->bcount); ++ print_int_changes("Bcount", old->bcount,new->bcount,old->bcount==new->bcount, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + } + if (!(DB_PERM&ignorelist)) { + if((DB_PERM&old->attr && DB_PERM&new->attr && old->perm!=new->perm) || DB_PERM&forced_attrs){ + tmp=perm_to_char(old->perm); + tmp2=perm_to_char(new->perm); +- print_string_changes("Perm", tmp,tmp2,old->perm==new->perm); ++ print_string_changes("Perm", tmp,tmp2,old->perm==new->perm, ((char*)part_message)); + free(tmp); + free(tmp2); + tmp=NULL; + tmp2=NULL; ++ DO_APPEND(message,message_old,part_message); + } + } + + if (!(DB_UID&ignorelist)) { + if(old->uid!=new->uid||DB_UID&forced_attrs){ +- print_int_changes("Uid", old->uid,new->uid,old->uid==new->uid); ++ print_int_changes("Uid", old->uid,new->uid,old->uid==new->uid, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + } + + if (!(DB_GID&ignorelist)) { + if(old->gid!=new->gid||DB_GID&forced_attrs){ +- print_int_changes("Gid", old->gid,new->gid,old->gid==new->gid); ++ print_int_changes("Gid", old->gid,new->gid,old->gid==new->gid, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + } + + if (!(DB_ATIME&ignorelist)) { + if(old->atime!=new->atime||DB_ATIME&forced_attrs){ +- print_time_changes("Atime", old->atime, new->atime,old->atime==new->atime); ++ print_time_changes("Atime", old->atime, new->atime,old->atime==new->atime, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + } + + if (!(DB_MTIME&ignorelist)) { + if(old->mtime!=new->mtime||DB_MTIME&forced_attrs){ +- print_time_changes("Mtime", old->mtime, new->mtime,old->mtime==new->mtime); ++ print_time_changes("Mtime", old->mtime, new->mtime,old->mtime==new->mtime, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + } + + if (!(DB_CTIME&ignorelist)) { + 
if(old->ctime!=new->ctime||DB_CTIME&forced_attrs){ +- print_time_changes("Ctime", old->ctime, new->ctime,old->ctime==new->ctime); ++ print_time_changes("Ctime", old->ctime, new->ctime,old->ctime==new->ctime, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + } + + if (!(DB_INODE&ignorelist)) { + if(((DB_INODE&old->attr && (DB_INODE&new->attr)) && old->inode!=new->inode) ||DB_INODE&forced_attrs){ +- print_int_changes("Inode", old->inode,new->inode,old->inode==new->inode); ++ print_int_changes("Inode", old->inode,new->inode,old->inode==new->inode, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + } + if (!(DB_LNKCOUNT&ignorelist)) { + if(old->nlink!=new->nlink||DB_LNKCOUNT&forced_attrs){ +- print_int_changes("Linkcount", old->nlink,new->nlink,old->nlink==new->nlink); ++ print_int_changes("Linkcount", old->nlink,new->nlink,old->nlink==new->nlink, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + } + + if (!(DB_MD5&ignorelist)) { + print_md_changes(old->md5,new->md5, + HASH_MD5_LEN, +- "MD5", DB_MD5&forced_attrs); ++ "MD5", DB_MD5&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + + if (!(DB_SHA1&ignorelist)) { + print_md_changes(old->sha1,new->sha1, + HASH_SHA1_LEN, +- "SHA1", DB_SHA1&forced_attrs); ++ "SHA1", DB_SHA1&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + + if (!(DB_RMD160&ignorelist)) { + print_md_changes(old->rmd160,new->rmd160, + HASH_RMD160_LEN, +- "RMD160", DB_RMD160&forced_attrs); ++ "RMD160", DB_RMD160&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + + if (!(DB_TIGER&ignorelist)) { + print_md_changes(old->tiger,new->tiger, + HASH_TIGER_LEN, +- "TIGER", DB_TIGER&forced_attrs); ++ "TIGER", DB_TIGER&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + + if (!(DB_SHA256&ignorelist)) { + 
print_md_changes(old->sha256,new->sha256, + HASH_SHA256_LEN, +- "SHA256", DB_SHA256&forced_attrs); ++ "SHA256", DB_SHA256&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + + if (!(DB_SHA512&ignorelist)) { + print_md_changes(old->sha512,new->sha512, + HASH_SHA512_LEN, +- "SHA512", DB_SHA512&forced_attrs); ++ "SHA512", DB_SHA512&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + + #ifdef WITH_MHASH + if (!(DB_CRC32&ignorelist)) { + print_md_changes(old->crc32,new->crc32, + HASH_CRC32_LEN, +- "CRC32", DB_CRC32&forced_attrs); ++ "CRC32", DB_CRC32&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + + if (!(DB_HAVAL&ignorelist)) { + print_md_changes(old->haval,new->haval, + HASH_HAVAL256_LEN, +- "HAVAL", DB_HAVAL&forced_attrs); ++ "HAVAL", DB_HAVAL&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + + if (!(DB_GOST&ignorelist)) { + print_md_changes(old->gost,new->gost, + HASH_GOST_LEN, +- "GOST", DB_GOST&forced_attrs); ++ "GOST", DB_GOST&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + + if (!(DB_CRC32B&ignorelist)) { + print_md_changes(old->crc32b,new->crc32b, + HASH_CRC32B_LEN, +- "CRC32B", DB_CRC32B&forced_attrs); ++ "CRC32B", DB_CRC32B&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + + if (!(DB_WHIRLPOOL&ignorelist)) { + print_md_changes(old->whirlpool,new->whirlpool, + HASH_WHIRLPOOL_LEN, +- "WHIRLPOOL", DB_WHIRLPOOL&forced_attrs); ++ "WHIRLPOOL", DB_WHIRLPOOL&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + #endif + + #ifdef WITH_ACL + if (!(DB_ACL&ignorelist)) { +- print_acl_changes(old->acl,new->acl, DB_ACL&forced_attrs); ++ print_acl_changes(old->acl,new->acl, DB_ACL&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + #endif + if 
(!(DB_XATTRS&ignorelist)) { +- print_xattrs_changes(old->xattrs,new->xattrs, DB_XATTRS&forced_attrs); ++ print_xattrs_changes(old->xattrs,new->xattrs, DB_XATTRS&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + if (!(DB_SELINUX&ignorelist)) { +- print_str_changes(old->cntx,new->cntx, "SELinux", DB_SELINUX&forced_attrs); ++ print_str_changes(old->cntx,new->cntx, "SELinux", DB_SELINUX&forced_attrs, ((char*)part_message)); ++ DO_APPEND(message,message_old,part_message); + } + + #ifdef WITH_E2FSATTRS +@@ -1123,13 +1259,19 @@ void print_dbline_changes(db_line* old,d + if(old->e2fsattrs!=new->e2fsattrs || DB_E2FSATTRS&forced_attrs ) { + tmp=e2fsattrs2char(old->e2fsattrs); + tmp2=e2fsattrs2char(new->e2fsattrs); +- print_string_changes("E2FSAttrs", tmp, tmp2, old->e2fsattrs==new->e2fsattrs); ++ print_string_changes("E2FSAttrs", tmp, tmp2, old->e2fsattrs==new->e2fsattrs, ((char*)part_message)); + free(tmp); free(tmp2); + tmp=NULL; tmp2=NULL; ++ DO_APPEND(message,message_old,part_message); + } + } + #endif + ++ if (conf->syslog_format) { ++ /* Already swapped */ ++ error(0, "%s\n", message_old); ++ } ++ + return; + } + +@@ -1207,8 +1349,13 @@ void print_report_header(int nfil,int na + error(2,_("Start timestamp: %.4u-%.2u-%.2u %.2u:%.2u:%.2u\n"), + st->tm_year+1900, st->tm_mon+1, st->tm_mday, + st->tm_hour, st->tm_min, st->tm_sec); +- error(0,_("\nSummary:\n Total number of files:\t%i\n Added files:\t\t\t%i\n" ++ if(!conf->syslog_format){ ++ error(0,_("\nSummary:\n Total number of files:\t%i\n Added files:\t\t\t%i\n" + " Removed files:\t\t%i\n Changed files:\t\t%i\n\n"),nfil,nadd,nrem,nchg); ++ }else{ ++ error(0,_("summary;total_number_of_files=%i;added_files=%i;" ++ "removed_files=%i;changed_files=%i\n"),nfil,nadd,nrem,nchg); ++ } + + } + +@@ -1312,6 +1459,7 @@ long report_tree(seltree* node,int stage + } + if(node->checked&NODE_ADDED){ + print_added_line(node->new_data); ++ if(conf->syslog_format) error(0, "file=%s; added\n", 
node->new_data->filename); + } + } + +@@ -1323,6 +1471,7 @@ long report_tree(seltree* node,int stage + } + if(node->checked&NODE_REMOVED){ + print_removed_line(node->old_data); ++ if(conf->syslog_format) error(0, "file=%s; removed\n", node->old_data->filename); + } + } + +@@ -1337,7 +1486,7 @@ long report_tree(seltree* node,int stage + } + } + +- if((stage==4)&&(conf->verbose_level>=5)&&status[4]){ ++ if((stage==4)&&(conf->verbose_level>=5||conf->syslog_format)&&status[4]){ + if(top){ + error(2,_("\n---------------------------------------------------\n")); + error(2,_("Detailed information about changes:\n")); +diff -up ./src/conf_lex.l.syslog-format ./src/conf_lex.l +--- ./src/conf_lex.l.syslog-format 2010-08-08 13:39:31.000000000 -0400 ++++ ./src/conf_lex.l 2017-03-07 11:12:49.965000000 -0500 +@@ -12,7 +12,7 @@ EX [" "\t]* + + %{ + +-#define YYDEBUG ++//#define YYDEBUG + + /* + * Copyright (C) 1999-2002,2004-2006,2010 Rami Lehti, Pablo Virolainen, Richard +@@ -349,6 +349,12 @@ int var_in_conflval=0; + return (TGZIPDBOUT); + } + ++^[\t\ ]*"syslog_format"{E} { ++ error(230,"%li:syslog_format =\n",conf_lineno); ++ BEGIN CONFVALHUNT; ++ return (SYSLOG_FORMAT); ++} ++ + ^[\t\ ]*"recstop"{E} { + error(230,"%li:recstop =\n",conf_lineno); + BEGIN CONFVALHUNT; +diff -up ./src/conf_yacc.y.syslog-format ./src/conf_yacc.y +--- ./src/conf_yacc.y.syslog-format 2010-08-08 13:39:31.000000000 -0400 ++++ ./src/conf_yacc.y 2017-03-07 11:12:49.965000000 -0500 +@@ -81,6 +81,7 @@ extern long conf_lineno; + %token TDATABASE_NEW + %token TREPORT_URL + %token TGZIPDBOUT ++%token SYSLOG_FORMAT + %token TUMASK + %token TTRUE + %token TFALSE +@@ -150,7 +151,7 @@ lines : lines line | ; + line : rule | equrule | negrule | definestmt | undefstmt + | ifdefstmt | ifndefstmt | ifhoststmt | ifnhoststmt + | groupdef | db_in | db_out | db_new | verbose | config_version +- | report | gzipdbout | recursion_stopper | warn_dead_symlinks | grouped ++ | report | gzipdbout | syslogformat | 
recursion_stopper | warn_dead_symlinks | grouped + | summarize_changes | acl_no_symlink_follow | beginconfigstmt | endconfigstmt + | TEOF { + newlinelastinconfig=1; +@@ -329,6 +330,13 @@ conf->gzip_dbout=0; + #endif + } ; + ++syslogformat : SYSLOG_FORMAT TTRUE { ++conf->syslog_format=1; ++} | ++ SYSLOG_FORMAT TFALSE { ++conf->syslog_format=0; ++} ; ++ + recursion_stopper : TRECSTOP TSTRING { + /* FIXME implement me */ + +diff -up ./src/db_lex.l.syslog-format ./src/db_lex.l +--- ./src/db_lex.l.syslog-format 2010-08-08 13:39:31.000000000 -0400 ++++ ./src/db_lex.l 2017-03-07 11:12:49.965000000 -0500 +@@ -45,7 +45,7 @@ extern YYSTYPE yylval; + #define YY_DECL int db_scan(void) + + +-#define YYDEBUG ++//#define YYDEBUG + + #include "aide.h" + #include "conf_yacc.h" diff --git a/SOURCES/aide-0.15.1-fipsfix.patch b/SOURCES/aide-0.15.1-fipsfix.patch new file mode 100644 index 0000000..2b80c39 --- /dev/null +++ b/SOURCES/aide-0.15.1-fipsfix.patch 
@@ -0,0 +1,103 @@ +diff -up aide-0.15.1/src/aide.c.fipsfix aide-0.15.1/src/aide.c +--- aide-0.15.1/src/aide.c.fipsfix 2010-08-08 19:39:31.000000000 +0200 ++++ aide-0.15.1/src/aide.c 2012-11-22 16:59:45.378713818 +0100 +@@ -484,9 +484,28 @@ int main(int argc,char**argv) + #endif + umask(0177); + init_sighandler(); +- + setdefaults_before_config(); + ++#if WITH_GCRYPT ++ error(255,"Gcrypt library initialization\n"); ++ /* ++ * Initialize libgcrypt as per ++ * http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html ++ * ++ * ++ */ ++ gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0); ++ gcry_control(GCRYCTL_INIT_SECMEM, 1); ++ ++ if(!gcry_check_version(GCRYPT_VERSION)) { ++ error(0,"libgcrypt version mismatch\n"); ++ exit(VERSION_MISMATCH_ERROR); ++ } ++ ++ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); ++#endif /* WITH_GCRYPT */ ++ ++ + if(read_param(argc,argv)==RETFAIL){ + error(0, _("Invalid argument\n") ); + exit(INVALID_ARGUMENT_ERROR); +@@ -641,6 +660,9 @@ int main(int argc,char**argv) + } + #endif + } ++#ifdef WITH_GCRYPT ++ gcry_control(GCRYCTL_TERM_SECMEM, 0); ++#endif /* WITH_GCRYPT */ + return RETOK; + } + const char* aide_key_3=CONFHMACKEY_03; +diff -up aide-0.15.1/src/md.c.fipsfix aide-0.15.1/src/md.c +--- aide-0.15.1/src/md.c.fipsfix 2010-08-08 19:39:31.000000000 +0200 ++++ aide-0.15.1/src/md.c 2012-11-22 16:59:33.166673632 +0100 +@@ -201,14 +201,7 @@ int init_md(struct md_container* md) { + } + #endif + #ifdef WITH_GCRYPT +- error(255,"Gcrypt library initialization\n"); +- if(!gcry_check_version(GCRYPT_VERSION)) { +- error(0,"libgcrypt version mismatch\n"); +- exit(VERSION_MISMATCH_ERROR); +- } +- gcry_control(GCRYCTL_DISABLE_SECMEM, 0); +- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); +- if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){ ++ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){ + error(0,"gcrypt_md_open failed\n"); + exit(IO_ERROR); + } +@@ -299,7 +292,7 @@ int close_md(struct md_container* md) 
{ + + /*. There might be more hashes in the library. Add those here.. */ + +- gcry_md_reset(md->mdh); ++ gcry_md_close(md->mdh); + #endif + + #ifdef WITH_MHASH +diff -up aide-0.15.1/src/util.c.fipsfix aide-0.15.1/src/util.c +--- aide-0.15.1/src/util.c.fipsfix 2010-08-08 19:39:31.000000000 +0200 ++++ aide-0.15.1/src/util.c 2012-11-22 16:59:33.166673632 +0100 +@@ -494,28 +494,5 @@ int syslog_facility_lookup(char *s) + return(AIDE_SYSLOG_FACILITY); + } + +-/* We need these dummy stubs to fool the linker into believing that +- we do not need them at link time */ +- +-void* dlopen(char*filename,int flag) +-{ +- return NULL; +-} +- +-void* dlsym(void*handle,char*symbol) +-{ +- return NULL; +-} +- +-void* dlclose(void*handle) +-{ +- return NULL; +-} +- +-const char* dlerror(void) +-{ +- return NULL; +-} +- + const char* aide_key_2=CONFHMACKEY_02; + const char* db_key_2=DBHMACKEY_02; diff --git a/SOURCES/aide-0.15.1-prelinkwarn.patch b/SOURCES/aide-0.15.1-prelinkwarn.patch new file mode 100644 index 0000000..674629d --- /dev/null +++ b/SOURCES/aide-0.15.1-prelinkwarn.patch 
@@ -0,0 +1,78 @@ +diff -up aide-0.15.1/src/do_md.c.prelinkwarn aide-0.15.1/src/do_md.c +--- aide-0.15.1/src/do_md.c.prelinkwarn 2010-08-08 19:39:31.000000000 +0200 ++++ aide-0.15.1/src/do_md.c 2013-11-08 13:13:54.634961991 +0100 +@@ -70,6 +70,40 @@ + #ifdef WITH_PRELINK + #include + #include ++#include ++ ++bool g_prelink_present = false; ++bool g_prelink_detect = true; ++bool g_noprelink_warn = true; ++ ++bool prelink_present(void) ++{ ++ /* don't perform the check if we already did it */ ++ if (!g_prelink_detect) ++ return g_prelink_present; ++ ++ /* check whether the prelink binary is present and executable */ ++ if (access(PRELINK_PATH, X_OK) == 0) ++ g_prelink_present = true; ++ else ++ g_prelink_present = false; ++ ++ g_prelink_detect = false; ++ return g_prelink_present; ++} ++ ++void noprelink_warn(void) ++{ ++ if (g_noprelink_warn) { ++ error(0, ++ "WARNING: AIDE detected prelinked binary objects on your" ++ " system but the prelink tool (%s) is missing!\n", PRELINK_PATH); ++ error(0, ++ "WARNING: prelinked files will be processed without a prelink undo operation!" ++ " Please install prelink to fix this.\n"); ++ g_noprelink_warn = false; ++ } ++} + + /* + * Is file descriptor prelinked binary/library? 
+@@ -265,12 +299,19 @@ void calc_md(struct AIDE_STAT_TYPE* old_ + */ + pid=0; + if ( is_prelinked(filedes) ) { +- close(filedes); +- pid = open_prelinked(line->filename, &filedes); +- if (pid == 0) { +- error(0, "Error on starting prelink undo\n"); +- return; +- } ++ /* first detect whether the prelink binary is available */ ++ if (prelink_present()) { ++ close(filedes); ++ pid = open_prelinked(line->filename, &filedes); ++ if (pid == 0) { ++ error(0, "Error on starting prelink undo\n"); ++ return; ++ } ++ } else { ++ /* we've detected a prelinked file but the prelink binary is not available */ ++ /* warn the user about this situation (once) and process the file as is */ ++ noprelink_warn(); ++ } + } + #endif + +@@ -296,6 +337,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_ + #ifdef __hpux + buf = mmap(0,r_size,PROT_READ,MAP_PRIVATE,filedes,curpos); + #else ++ + buf = mmap(0,r_size,PROT_READ,MAP_SHARED,filedes,curpos); + #endif + curpos+=r_size; diff --git a/SOURCES/aide.conf b/SOURCES/aide.conf new file mode 100644 index 0000000..b8bdf42 --- /dev/null +++ b/SOURCES/aide.conf 
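Review bot: in the calc_md() hunk of src/do_md.c, the else branch after prelink_present() calls noprelink_warn() and then hashes the file as is, so the checksum stored for a prelinked object is computed over the prelinked bytes and will differ from the value obtained once prelink is installed (or when the same database is checked on a host that has it); say so in the warning text, which currently only states that the file "will be processed without a prelink undo operation", so that an administrator knows to re-initialise the database after installing prelink. Smaller points: g_prelink_present, g_prelink_detect and g_noprelink_warn in the first hunk, and the two helper functions, are not referenced anywhere else in the patch, so they could be static; and the third hunk (@@ -296,6 +337,7 @@) adds nothing but a blank line above the mmap call in the non-HP-UX branch, a whitespace-only change that should be dropped.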
@@ -0,0 +1,312 @@ +# Example configuration file for AIDE. + +@@define DBDIR /var/lib/aide +@@define LOGDIR /var/log/aide + +# The location of the database to be read. +database=file:@@{DBDIR}/aide.db.gz + +# The location of the database to be written. +#database_out=sql:host:port:database:login_name:passwd:table +#database_out=file:aide.db.new +database_out=file:@@{DBDIR}/aide.db.new.gz + +# Whether to gzip the output to database. +gzip_dbout=yes + +# Default. +verbose=5 + +report_url=file:@@{LOGDIR}/aide.log +report_url=stdout +#report_url=stderr +#NOT IMPLEMENTED report_url=mailto:root@foo.com +#NOT IMPLEMENTED report_url=syslog:LOG_AUTH + +# These are the default rules. +# +#p: permissions +#i: inode: +#n: number of links +#u: user +#g: group +#s: size +#b: block count +#m: mtime +#a: atime +#c: ctime +#S: check for growing size +#acl: Access Control Lists +#selinux SELinux security context +#xattrs: Extended file attributes +#md5: md5 checksum +#sha1: sha1 checksum +#sha256: sha256 checksum +#sha512: sha512 checksum +#rmd160: rmd160 checksum +#tiger: tiger checksum + +#haval: haval checksum (MHASH only) +#gost: gost checksum (MHASH only) +#crc32: crc32 checksum (MHASH only) +#whirlpool: whirlpool checksum (MHASH only) + +FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 + +#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 +#L: p+i+n+u+g+acl+selinux+xattrs +#E: Empty group +#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs + +# You can create custom rules like this. +# With MHASH... +# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 +ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger + +# Everything but access time (Ie. all changes) +EVERYTHING = R+ALLXTRAHASHES + +# Sane, with one good hash. +# NORMAL = sha256 +NORMAL = sha256 + +# For directories, don't bother doing hashes. +DIR = p+i+n+u+g+acl+selinux+xattrs + +# Access control only. +PERMS = p+u+g+acl+selinux+xattrs + +# Access + inode changes + file type. 
+STATIC = p+u+g+acl+selinux+xattrs+i+n+b+c+ftype + +# Logfiles only check access w/o xattrs. +LOG = p+u+g+n+acl+selinux+ftype + +# Content + file type. +CONTENT = sha256+ftype + +# Extended content + file type + access. +CONTENT_EX = sha256+ftype+p+u+g+n+acl+selinux+xattrs + +# Some files get updated automatically, so the inode/ctime/mtime change +# but we want to know when the data inside them changes. +DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 + +# Next decide what directories/files you want in the database. Aide +# uses a first match system. Put file specific instructions before generic +# matches. e.g. Put file matches before directories. + +/boot/ CONTENT_EX +/bin/ CONTENT_EX +/sbin/ CONTENT_EX +/lib/ CONTENT_EX +/lib64/ CONTENT_EX +/opt/ CONTENT + +# Admin's dot files constantly change, just check perms. +/root/\..* PERMS +# Otherwise get all of /root. +/root/ CONTENT_EX + +# These are too volatile. +!/usr/src/ +!/usr/tmp/ +# Otherwise get all of /usr. +/usr/ CONTENT_EX + +# Check only permissions, user, group, seliunx for /etc, but +# cover some important files closely. 
+!/etc/mtab$ + +# Ignore backup files +!/etc/.*~ + +# trusted databases +/etc/hosts$ CONTENT_EX +/etc/host.conf$ CONTENT_EX +/etc/hostname$ CONTENT_EX +/etc/issue$ CONTENT_EX +/etc/issue.net$ CONTENT_EX +/etc/protocols$ CONTENT_EX +/etc/services$ CONTENT_EX +/etc/localtime$ CONTENT_EX +/etc/alternatives/ CONTENT_EX +/etc/mime.types$ CONTENT_EX +/etc/terminfo/ CONTENT_EX +/etc/exports$ CONTENT_EX +/etc/fstab$ CONTENT_EX +/etc/passwd$ CONTENT_EX +/etc/group$ CONTENT_EX +/etc/gshadow$ CONTENT_EX +/etc/shadow$ CONTENT_EX +/etc/security/opasswd$ CONTENT_EX +/etc/skel/ CONTENT_EX + +# networking +/etc/hosts.allow$ CONTENT_EX +/etc/hosts.deny$ CONTENT_EX +/etc/firewalld/ CONTENT_EX +/etc/NetworkManager/ CONTENT_EX +/etc/networks$ CONTENT_EX +/etc/dhcp/ CONTENT_EX +/etc/wpa_supplicant/ CONTENT_EX +/etc/resolv.conf$ DATAONLY +/etc/nscd.conf$ NORMAL + +# logins and accounts +/etc/login.defs$ CONTENT_EX +/etc/libuser.conf$ CONTENT_EX +/var/log/faillog$ PERMS +/var/log/lastlog$ PERMS +/var/run/faillock/ PERMS +/etc/pam.d/ CONTENT_EX +/etc/security$ CONTENT_EX +/etc/securetty$ CONTENT_EX +/etc/polkit-1/ CONTENT_EX +/etc/sudo.conf$ CONTENT_EX +/etc/sudoers$ CONTENT_EX +/etc/sudoers.d/ CONTENT_EX + +# Shell/X starting files +/etc/profile$ CONTENT_EX +/etc/profile.d/ CONTENT_EX +/etc/bashrc$ CONTENT_EX +/etc/bash_completion.d/ CONTENT_EX +/etc/zprofile$ CONTENT_EX +/etc/zshrc$ CONTENT_EX +/etc/zlogin$ CONTENT_EX +/etc/zlogout$ CONTENT_EX +/etc/X11/ CONTENT_EX +/etc/shells$ CONTENT_EX + +# Pkg manager +/etc/yum.conf$ CONTENT_EX +/etc/yumex.conf$ CONTENT_EX +/etc/yumex.profiles.conf$ CONTENT_EX +/etc/yum/ CONTENT_EX +/etc/yum.repos.d/ CONTENT_EX + +# This gets new/removes-old filenames daily. +!/var/log/sa/ +# As we are checking it, we've truncated yesterdays size to zero. +!/var/log/aide.log + +# auditing +# AIDE produces an audit record, so this becomes perpetual motion. 
+# /var/log/audit/ PERMS+ANF+ARF +/etc/audit/ CONTENT_EX +/etc/audisp/ CONTENT_EX +/etc/libaudit.conf$ CONTENT_EX +/etc/aide.conf$ CONTENT_EX + +# System logs +/etc/rsyslog.conf$ CONTENT_EX +/etc/rsyslog.d/ CONTENT_EX +/etc/logrotate.conf$ CONTENT_EX +/etc/logrotate.d/ CONTENT_EX +/var/log/ LOG+ANF+ARF +/var/run/utmp$ LOG + +# secrets +/etc/pkcs11/ CONTENT_EX +/etc/pki/ CONTENT_EX +/etc/ssl/ CONTENT_EX +/etc/certmonger/ CONTENT_EX + +# init system +/etc/systemd/ CONTENT_EX +/etc/sysconfig/ CONTENT_EX +/etc/rc.d/ CONTENT_EX +/etc/tmpfiles.d/ CONTENT_EX +/etc/machine-id$ CONTENT_EX + +# boot config +/etc/grub.d/ CONTENT_EX +/etc/grub2.cfg$ CONTENT_EX +/etc/dracut.conf$ CONTENT_EX +/etc/dracut.conf.d/ CONTENT_EX + +# glibc linker +/etc/ld.so.cache$ CONTENT_EX +/etc/ld.so.conf$ CONTENT_EX +/etc/ld.so.conf.d/ CONTENT_EX + +# kernel config +/etc/sysctl.conf$ CONTENT_EX +/etc/sysctl.d/ CONTENT_EX +/etc/modprobe.d/ CONTENT_EX +/etc/modules-load.d/ CONTENT_EX +/etc/depmod.d/ CONTENT_EX +/etc/udev/ CONTENT_EX +/etc/crypttab$ CONTENT_EX + +#### Daemons #### + +# cron jobs +/var/spool/at/ CONTENT +/etc/at.allow$ CONTENT +/etc/at.deny$ CONTENT +/etc/cron.allow$ CONTENT_EX +/etc/cron.deny$ CONTENT_EX +/etc/cron.d/ CONTENT_EX +/etc/cron.daily/ CONTENT_EX +/etc/cron.hourly/ CONTENT_EX +/etc/cron.monthly/ CONTENT_EX +/etc/cron.weekly/ CONTENT_EX +/etc/crontab$ CONTENT_EX +/var/spool/cron/root/ CONTENT +/etc/anacrontab$ CONTENT_EX + +# time keeping +/etc/ntp.conf$ CONTENT_EX +/etc/ntp/ CONTENT_EX +/etc/chrony.conf$ CONTENT_EX +/etc/chrony.keys$ CONTENT_EX + +# mail +/etc/aliases$ CONTENT_EX +/etc/aliases.db$ CONTENT_EX +/etc/postfix/ CONTENT_EX +/etc/mail.rc$ CONTENT_EX +/etc/mailcap$ CONTENT_EX + +# ssh +/etc/ssh/sshd_config$ CONTENT_EX +/etc/ssh/ssh_config$ CONTENT_EX + +# stunnel +/etc/stunnel/ CONTENT_EX + +# ftp +/etc/vsftpd.conf$ CONTENT +/etc/vsftpd/ CONTENT + +# printing +/etc/cups/ CONTENT_EX +/etc/cupshelpers/ CONTENT_EX +/etc/avahi/ CONTENT_EX + +# web server +/etc/httpd/ 
CONTENT_EX + +# dns +/etc/named/ CONTENT_EX +/etc/named.conf$ CONTENT_EX +/etc/named.iscdlv.key$ CONTENT_EX +/etc/named.rfc1912.zones$ CONTENT_EX +/etc/named.root.key$ CONTENT_EX + +# xinetd +/etc/xinetd.d/ CONTENT_EX + +# Now everything else in /etc. +/etc/ PERMS + +# With AIDE's default verbosity level of 5, these would give lots of +# warnings upon tree traversal. It might change with future version. +# +#=/lost\+found DIR +#=/home DIR + +# Ditto /var/log/sa/ same reason... +!/var/log/httpd/ diff --git a/SOURCES/aide.logrotate b/SOURCES/aide.logrotate new file mode 100644 index 0000000..614c6a6 --- /dev/null +++ b/SOURCES/aide.logrotate @@ -0,0 +1,9 @@ +/var/log/aide/*.log { + weekly + missingok + rotate 4 + compress + delaycompress + copytruncate + minsize 100k +} diff --git a/SPECS/aide.spec b/SPECS/aide.spec new file mode 100644 index 0000000..600dfe4 --- /dev/null +++ b/SPECS/aide.spec 
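Review bot: the exclusion `!/var/log/aide.log` in SOURCES/aide.conf does not match the report file it is meant to skip: `report_url=file:@@{LOGDIR}/aide.log` together with `@@define LOGDIR /var/log/aide` writes the report to /var/log/aide/aide.log, so that path falls through to `/var/log/ LOG+ANF+ARF` instead; change the line to `!/var/log/aide/` (or `!/var/log/aide/aide\.log$`, escaping the dot) so the rule does what its comment says. Two further points in the same file: `/etc/security$ CONTENT_EX` anchors on the directory name only, so files under /etc/security/ other than the explicitly listed opasswd match the catch-all `/etc/ PERMS` rather than CONTENT_EX, which looks unintended beside `/etc/pam.d/ CONTENT_EX`; and `EVERYTHING = R+ALLXTRAHASHES` still pulls in the built-in R group, which the comment block above lists as containing md5, so selecting it would undo the FIPS-only choice that the FIPSR definition makes (it is unused in the rule section, so either remove it or define it over FIPSR). Also "seliunx" in the comment introducing the /etc rules is a typo.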
@@ -0,0 +1,292 @@ +# segfaults +%{!?_with_curl: %{!?_without_curl: %global _without_curl --without-curl}} + +Summary: Intrusion detection environment +Name: aide +Version: 0.15.1 +Release: 13%{?dist} +URL: http://sourceforge.net/projects/aide +License: GPLv2+ +Group: Applications/System +Source0: http://downloads.sourceforge.net/aide/aide-%{version}.tar.gz +Source1: aide.conf +Source2: README.quickstart +Source3: aide.logrotate +# Customize the database file location in the man page. +Patch1: aide-0.14-man.patch +# fix aide in FIPS mode +Patch2: aide-0.15.1-fipsfix.patch +# warn if processing prelinked binary objects and the prelink binary is not available +Patch3: aide-0.15.1-prelinkwarn.patch +Patch4: aide-0.15-syslog-format.patch +Patch5: aide-0.15-error-messages.patch + +Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n) +BuildRequires: mktemp +%ifnarch aarch64 ppc64le +BuildRequires: prelink +%endif +BuildRequires: elfutils-libelf-devel +%if 0%{?rhel} == 0 +Buildrequires: mhash-devel +%endif +Buildrequires: zlib-devel libgcrypt-devel +Buildrequires: flex bison +Buildrequires: libattr-devel e2fsprogs-devel +Buildrequires: libacl-devel libselinux-devel +Buildrequires: audit-libs-devel >= 1.2.8-2 +%if "%{?_with_curl}x" != "x" +Buildrequires: curl-devel +%endif + +%description +AIDE (Advanced Intrusion Detection Environment) is a file integrity +checker and intrusion detection program. 
+ + +%prep +%setup -q +%patch1 -p1 -b .man +%patch2 -p1 -b .fipsfix +%patch3 -p1 -b .prelinkwarn +%patch4 -p1 -b .syslog-format +%patch5 -p1 -b .error-messages + +%build +%configure --with-config_file=%{_sysconfdir}/aide.conf \ + --with-zlib \ + --disable-static \ +%if 0%{?rhel} == 0 + --with-mhash \ +%endif + %{?_with_curl} %{?_without_curl} \ + --with-posix-acl \ + --with-selinux \ +%ifnarch aarch64 ppc64le + --with-prelink \ +%else + --without-prelink \ +%endif + --with-xattr \ + --with-e2fsattrs \ + --with-audit + +make + + +%install +rm -rf $RPM_BUILD_ROOT +make DESTDIR=$RPM_BUILD_ROOT bindir=%{_sbindir} install +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/aide +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir} +install -p %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir} +mkdir -p -m0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/aide +install -p %{SOURCE2} README.quickstart +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d +install -c -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/aide + +%clean +rm -rf $RPM_BUILD_ROOT + + +%files +%defattr(0644,root,root,0755) +%doc AUTHORS COPYING ChangeLog NEWS README doc/manual.html contrib/ +%doc README.quickstart +%attr(0700,root,root) %{_sbindir}/aide +%{_mandir}/man1/* +%{_mandir}/man5/* +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/aide.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/aide +%dir %attr(0700,root,root) %{_localstatedir}/lib/aide +%dir %attr(0700,root,root) %{_localstatedir}/log/aide + + +%changelog +* Mon Mar 20 2017 Radovan Sroka - 0.15.1-13 +- RHEL 7.4 ERRATUM + Resolves: rhbz#1400548 + +* Tue Mar 07 2017 Radovan Sroka - 0.15.1-12 +- RHEL 7.4 ERRATUM + Resolves: rhbz#1377215 + +* Tue Jul 19 2016 Daniel Kopecek - 0.15.1-11 +- Corrected typos in the default configuration file + Resolves: rhbz#1304334 + +* Fri Jun 24 2016 Daniel Kopecek - 0.15.1-10 +- Updated the default configuration file. New defaults contributed + by Steve Grubb. 
+ Resolves: rhbz#1304334 + +* Mon Aug 4 2014 Daniel Kopecek - 0.15.1-9 +- Don't require prelink on aarch64 and ppc64le + Resolves: rhbz#1078555 + Resolves: rhbz#1125462 + +* Fri Jan 24 2014 Daniel Mach - 0.15.1-8 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 0.15.1-7 +- Mass rebuild 2013-12-27 + +* Fri Nov 08 2013 Daniel Kopecek - 0.15.1-6 +- warn if processing prelinked binary objects and the prelink binary + is not available + Resolves: rbhz#1004826 + +* Wed Feb 13 2013 Fedora Release Engineering - 0.15.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Nov 22 2012 Daniel Kopecek - 0.15.1-4 +- added patch to fix aide in FIPS mode +- use only FIPS approved digest algorithms in aide.conf so that + aide works by default in FIPS mode + +* Wed Jul 18 2012 Fedora Release Engineering - 0.15.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jan 12 2012 Fedora Release Engineering - 0.15.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Nov 11 2010 Steve Grubb - 0.15.1-1 +- New upstream release + +* Tue May 18 2010 Steve Grubb - 0.14-5 +- Apply 2 upstream bug fixes + +* Tue May 18 2010 Steve Grubb - 0.14-4 +- Use upstream's patch to fix bz 590566 + +* Sat May 15 2010 Steve Grubb - 0.14-3 +- Fix bz 590561 aide does not detect the change of SElinux context +- Fix bz 590566 aide reports a changed file when it has not been changed + +* Wed Apr 28 2010 Steve Grubb - 0.14-2 +- Fix bz 574764 by replacing abort calls with exit +- Apply libgcrypt init patch + +* Tue Mar 16 2010 Steve Grubb - 0.14-1 +- New upstream release final 0.14 + +* Thu Feb 25 2010 Steve Grubb - 0.14-0.4.rc3 +- New upstream release + +* Thu Feb 25 2010 Steve Grubb - 0.14-0.3.rc2 +- New upstream release + +* Tue Feb 23 2010 Steve Grubb - 0.14-0.2.rc1 +- Fix dirent detection on 64bit systems + +* Mon Feb 22 2010 Steve Grubb - 0.14-0.1.rc1 +- New upstream release + +* Fri Feb 19 2010 Steve Grubb - 
0.13.1-16 +- Add logrotate script and spec file cleanups + +* Fri Dec 11 2009 Steve Grubb - 0.13.1-15 +- Get rid of .dedosify files + +* Wed Dec 09 2009 Steve Grubb - 0.13.1-14 +- Revise patch for Initialize libgcrypt correctly (#530485) + +* Sat Nov 07 2009 Steve Grubb - 0.13.1-13 +- Initialize libgcrypt correctly (#530485) + +* Fri Aug 21 2009 Tomas Mraz - 0.13.1-12 +- rebuilt with new audit + +* Wed Aug 19 2009 Steve Grubb 0.13.1-11 +- rebuild for new audit-libs +- Correct regex for root's dot files (#509370) + +* Fri Jul 24 2009 Fedora Release Engineering - 0.13.1-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jun 08 2009 Steve Grubb - 0.13.1-9 +- Make aide smarter about prelinked files (Peter Vrabec) +- Add /lib64 to default config + +* Mon Feb 23 2009 Fedora Release Engineering - 0.13.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Fri Jan 30 2009 Steve Grubb - 0.13.1-6 +- enable xattr support and update config file + +* Fri Sep 26 2008 Tom "spot" Callaway - 0.13.1-5 +- fix selcon patch to apply without fuzz + +* Fri Feb 15 2008 Steve Conklin +- rebuild for gcc4.3 + +* Tue Aug 21 2007 Michael Schwendt +- rebuilt + +* Sun Jul 22 2007 Michael Schwendt - 0.13.1-2 +- Apply Steve Conklin's patch to increase displayed portion of + selinux context. + +* Sun Dec 17 2006 Michael Schwendt - 0.13.1-1 +- Update to 0.13.1 release. + +* Sun Dec 10 2006 Michael Schwendt - 0.13-1 +- Update to 0.13 release. +- Include default aide.conf from RHEL5 as doc example file. + +* Sun Oct 29 2006 Michael Schwendt - 0.12-3.20061027cvs +- CAUTION! This changes the database format and results in a report of + false inconsistencies until an old database file is updated. +- Check out CVS 20061027 which now contains Red Hat's + acl/xattr/selinux/audit patches. +- Patches merged upstream. +- Update manual page substitutions. 
+ +* Mon Oct 23 2006 Michael Schwendt - 0.12-2 +- Add "memory leaks and performance updates" patch as posted + to aide-devel by Steve Grubb. + +* Sat Oct 07 2006 Michael Schwendt - 0.12-1 +- Update to 0.12 release. +- now offers --disable-static, so -no-static patch is obsolete +- fill last element of getopt struct array with zeroes + +* Mon Oct 02 2006 Michael Schwendt - 0.11-3 +- rebuilt + +* Mon Sep 11 2006 Michael Schwendt - 0.11-2 +- rebuilt + +* Sun Feb 19 2006 Michael Schwendt - 0.11-1 +- Update to 0.11 release. +- useless-includes patch merged upstream. +- old Russian man pages not available anymore. +- disable static linking. + +* Fri Apr 7 2005 Michael Schwendt +- rebuilt + +* Fri Nov 28 2003 Michael Schwendt - 0:0.10-0.fdr.1 +- Update to 0.10 release. +- memleaks patch merged upstream. +- rootpath patch merged upstream. +- fstat patch not needed anymore. +- Updated URL. + +* Thu Nov 13 2003 Michael Schwendt - 0:0.10-0.fdr.0.2.cvs20031104 +- Added buildreq m4 to work around incomplete deps of bison package. + +* Tue Nov 04 2003 Michael Schwendt - 0:0.10-0.fdr.0.1.cvs20031104 +- Only tar.gz available upstream. +- byacc not needed when bison -y is available. +- Installed Russian manual pages. +- Updated with changes from CVS (2003-11-04). +- getopt patch merged upstream. +- bison-1.35 patch incorporated upstream. + +* Tue Sep 09 2003 Michael Schwendt - 0:0.9-0.fdr.0.2.20030902 +- Added fixes for further memleaks. + +* Sun Sep 07 2003 Michael Schwendt - 0:0.9-0.fdr.0.1.20030902 +- Initial package version. +
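Review bot: `Resolves: rbhz#1004826` in the 0.15.1-6 %changelog entry of SPECS/aide.spec misspells the rhbz# prefix used by every other entry; fix it to `rhbz#1004826`. Minor: the tag is written `BuildRequires` on some lines and `Buildrequires` on others (rpm accepts both, but the file should pick one), and the `# segfaults` comment that justifies the `--without-curl` default gives no bug reference, so add one to make it possible to revisit that default later.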