import aide-0.16-100.el9

This commit is contained in:
CentOS Sources 2022-05-17 05:00:06 -04:00 committed by Stepan Oksanichenko
commit 0ae03f0f89
16 changed files with 2540 additions and 0 deletions

1
.aide.metadata Normal file
View File

@ -0,0 +1 @@
b97f65bb12701a42baa2cce45b41ed6367a70734 SOURCES/aide-0.16.tar.gz

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/aide-0.16.tar.gz

40
SOURCES/README.quickstart Normal file
View File

@ -0,0 +1,40 @@
1) Customize /etc/aide.conf to your liking. In particular, add
important directories and files which you would like to be
covered by integrity checks. Avoid files which are expected
to change frequently or which don't affect the safety of your
system.
2) Run "/usr/sbin/aide --init" to build the initial database.
With the default setup, that creates /var/lib/aide/aide.db.new.gz
3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
in a secure location, e.g. on separate read-only media (such as
CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures
of those files in a secure location, so you have means to verify
that nobody modified those files.
4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
which is the location of the input database.
5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
compared with the AIDE database. Prior to running a check manually,
ensure that the AIDE binary and database have not been modified
without your knowledge.
Caution!
With the default setup, an AIDE check is not run periodically as a
cron job. It cannot be guaranteed that the AIDE binaries, config
file and database are intact. It is not recommended that you run
automated AIDE checks without verifying AIDE yourself frequently.
In addition to that, AIDE does not implement any password or
encryption protection for its own files.
It is up to you how to put a file integrity checker to good effect
and how to set up automated checks if you think it adds a level of
safety (e.g. detecting failed/incomplete compromises or unauthorized
modification of special files). On a compromised system, the
intruder could disable the automated check. Or he could replace the
AIDE binary, config file and database easily when they are not
located on read-only media.

View File

@ -0,0 +1,496 @@
diff -up ./doc/aide.conf.5.in.syslog_format ./doc/aide.conf.5.in
--- ./doc/aide.conf.5.in.syslog_format 2016-07-25 22:58:12.000000000 +0200
+++ ./doc/aide.conf.5.in 2018-09-27 19:09:09.697371212 +0200
@@ -57,6 +57,25 @@ inclusive. This parameter can only be gi
occurrence is used. If \-\-verbose or \-V is used then the value from that
is used. The default is 5. If verbosity is 20 then additional report
output is written when doing \-\-check, \-\-update or \-\-compare.
+.IP "syslog_format"
+Valid values are yes,true,no and false. This option enables new syslog format
+which is suitable for logging. Every change is logged as one simple line. This option
+changes verbose level to 0 and prints everything that was changed. It is suggested
+to use this option with "report_url=syslog:...". Default value is "false/no".
+Maximum size of message is 1KB which is limitation of syslog call. If message is
+greater than limit, message will be truncated.
+Option summarize_changes has no impact for this format.
+.nf
+.eo
+
+Output always starts with:
+"AIDE found differences between database and filesystem!!"
+And it is followed by summary:
+summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1
+And finally there are logs about changes:
+dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;...
+.ec
+.fi
.IP "report_url"
The url that the output is written to. There can be multiple instances
of this parameter. Output is written to all of them. The default is
diff -up ./include/db_config.h.syslog_format ./include/db_config.h
--- ./include/db_config.h.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./include/db_config.h 2018-09-27 19:09:09.697371212 +0200
@@ -311,6 +311,7 @@ typedef struct db_config {
FILE* db_out;
int config_check;
+ int syslog_format;
struct md_container *mdc_in;
struct md_container *mdc_out;
diff -up ./src/aide.c.syslog_format ./src/aide.c
--- ./src/aide.c.syslog_format 2018-09-27 19:09:09.695371197 +0200
+++ ./src/aide.c 2018-09-27 19:09:09.698371220 +0200
@@ -283,6 +283,7 @@ static void setdefaults_before_config()
}
/* Setting some defaults */
+ conf->syslog_format=0;
conf->report_db=0;
conf->tree=NULL;
conf->config_check=0;
@@ -495,6 +496,10 @@ static void setdefaults_after_config()
if(conf->verbose_level==-1){
conf->verbose_level=5;
}
+ if(conf->syslog_format==1){
+ conf->verbose_level=0;
+ }
+
}
diff -up ./src/compare_db.c.syslog_format ./src/compare_db.c
--- ./src/compare_db.c.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./src/compare_db.c 2018-09-27 19:09:09.698371220 +0200
@@ -110,7 +110,7 @@ const DB_ATTR_TYPE details_attributes[]
#endif
};
-const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size (>)"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512")
+const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512")
#ifdef WITH_MHASH
, _("CRC32"), _("HAVAL"), _("GOST"), _("CRC32B"), _("WHIRLPOOL")
#endif
@@ -269,12 +269,19 @@ static int xattrs2array(xattrs_type* xat
if ((len == xattrs->ents[num - 1].vsz) || ((len == (xattrs->ents[num - 1].vsz - 1)) && !val[len])) {
length = 8 + width + strlen(xattrs->ents[num - 1].key) + strlen(val);
(*values)[num]=malloc(length *sizeof(char));
- snprintf((*values)[num], length , "[%.*zd] %s = %s", width, num, xattrs->ents[num - 1].key, val);
+
+ char * fmt = "[%.*zd] %s = %s";
+ if (conf->syslog_format) fmt = "[%.*zd]%s=%s"; // its smaller so it has to be enough space allocated.
+ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val);
+
} else {
val = encode_base64(xattrs->ents[num - 1].val, xattrs->ents[num - 1].vsz);
length = 10 + width + strlen(xattrs->ents[num - 1].key) + strlen(val);
(*values)[num]=malloc( length *sizeof(char));
- snprintf((*values)[num], length , "[%.*zd] %s <=> %s", width, num, xattrs->ents[num - 1].key, val);
+
+ char * fmt = "[%.*zd] %s <=> %s";
+ if (conf->syslog_format) fmt = "[%.*zd]%s<=>%s"; // its smaller so it has to be enough space allocated.
+ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val);
free(val);
}
}
@@ -302,6 +309,26 @@ static int acl2array(acl_type* acl, char
}
if (acl->acl_a || acl->acl_d) {
int j, k, i;
+ if (conf->syslog_format) {
+ *values = malloc(2 * sizeof(char*));
+
+ char *A, *D = "<NONE>";
+
+ if (acl->acl_a) { A = acl->acl_a; }
+ if (acl->acl_d) { D = acl->acl_d; }
+
+ (*values)[0] = (char*) malloc(strlen(A) + 3); // "A:" and \0
+ snprintf((*values)[0], strlen(A) + 3, "A:%s", A);
+
+ (*values)[1] = (char*) malloc(strlen(D) + 3); // "D:" and \0
+ snprintf((*values)[1], strlen(D) + 3, "D:%s", D);
+
+ i = 0; while ( (*values)[0][i] ) { if ( (*values)[0][i]=='\n') { (*values)[0][i] = ' '; } i++; }
+ i = 0; while ( (*values)[1][i] ) { if ( (*values)[1][i]=='\n') { (*values)[1][i] = ' '; } i++; }
+
+ return 2;
+ }
+
if (acl->acl_a) { i = 0; while (acl->acl_a[i]) { if (acl->acl_a[i++]=='\n') { n++; } } }
if (acl->acl_d) { i = 0; while (acl->acl_d[i]) { if (acl->acl_d[i++]=='\n') { n++; } } }
*values = malloc(n * sizeof(char*));
@@ -338,25 +365,25 @@ static char* e2fsattrs2string(unsigned l
static char* get_file_type_string(mode_t mode) {
switch (mode & S_IFMT) {
- case S_IFREG: return _("File");
- case S_IFDIR: return _("Directory");
+ case S_IFREG: return conf->syslog_format ? "file" : _("File");
+ case S_IFDIR: return conf->syslog_format ? "dir" : _("Directory");
#ifdef S_IFIFO
- case S_IFIFO: return _("FIFO");
+ case S_IFIFO: return conf->syslog_format ? "fifo" : _("FIFO");
#endif
- case S_IFLNK: return _("Link");
- case S_IFBLK: return _("Block device");
- case S_IFCHR: return _("Character device");
+ case S_IFLNK: return conf->syslog_format ? "link" : _("Link");
+ case S_IFBLK: return conf->syslog_format ? "blockd" : _("Block device");
+ case S_IFCHR: return conf->syslog_format ? "chard" : _("Character device");
#ifdef S_IFSOCK
- case S_IFSOCK: return _("Socket");
+ case S_IFSOCK: return conf->syslog_format ? "socket" : _("Socket");
#endif
#ifdef S_IFDOOR
- case S_IFDOOR: return _("Door");
+ case S_IFDOOR: return conf->syslog_format ? "door" : _("Door");
#endif
#ifdef S_IFPORT
- case S_IFPORT: return _("Port");
+ case S_IFPORT: return conf->syslog_format ? "port" : _("Port");
#endif
case 0: return NULL;
- default: return _("Unknown file type");
+ default: return conf->syslog_format ? "unknown" : _("Unknown file type");
}
}
@@ -554,6 +581,51 @@ static void print_dbline_attributes(db_l
}
}
+
+static void print_dbline_attributes_syslog(db_line* oline, db_line* nline, DB_ATTR_TYPE
+ changed_attrs, DB_ATTR_TYPE force_attrs) {
+ char **ovalue, **nvalue;
+ int onumber, nnumber, i, j;
+ int length = sizeof(details_attributes)/sizeof(DB_ATTR_TYPE);
+ DB_ATTR_TYPE attrs;
+ char *file_type = get_file_type_string((nline==NULL?oline:nline)->perm);
+ if (file_type) {
+ error(0,"%s=", file_type);
+ }
+ error(0,"%s", (nline==NULL?oline:nline)->filename);
+ attrs=force_attrs|(~(ignored_changed_attrs)&changed_attrs);
+ for (j=0; j < length; ++j) {
+ if (details_attributes[j]&attrs) {
+ onumber=get_attribute_values(details_attributes[j], oline, &ovalue);
+ nnumber=get_attribute_values(details_attributes[j], nline, &nvalue);
+
+ if (details_attributes[j] == DB_ACL || details_attributes[j] == DB_XATTRS) {
+
+ error(0, ";%s_old=|", details_string[j]);
+
+ for (i = 0 ; i < onumber ; i++) {
+ error(0, "%s|", ovalue[i]);
+ }
+
+ error(0, ";%s_new=|", details_string[j]);
+
+ for (i = 0 ; i < nnumber ; i++) {
+ error(0, "%s|", nvalue[i]);
+ }
+
+ } else {
+
+ error(0, ";%s_old=%s;%s_new=%s", details_string[j], *ovalue, details_string[j], *nvalue);
+
+ }
+
+ for(i=0; i < onumber; ++i) { free(ovalue[i]); ovalue[i]=NULL; } free(ovalue); ovalue=NULL;
+ for(i=0; i < nnumber; ++i) { free(nvalue[i]); nvalue[i]=NULL; } free(nvalue); nvalue=NULL;
+ }
+ }
+ error(0, "\n");
+}
+
static void print_attributes_added_node(db_line* line) {
print_dbline_attributes(NULL, line, 0, line->attr);
}
@@ -562,6 +634,26 @@ static void print_attributes_removed_nod
print_dbline_attributes(line, NULL, 0, line->attr);
}
+static void print_attributes_added_node_syslog(db_line* line) {
+
+ char *file_type = get_file_type_string(line->perm);
+ if (file_type) {
+ error(0,"%s=", file_type);
+ }
+ error(0,"%s; added\n", line->filename);
+
+}
+
+static void print_attributes_removed_node_syslog(db_line* line) {
+
+ char *file_type = get_file_type_string(line->perm);
+ if (file_type) {
+ error(0,"%s=", file_type);
+ }
+ error(0,"%s; removed\n", line->filename);
+
+}
+
static void terse_report(seltree* node) {
list* r=NULL;
if ((node->checked&(DB_OLD|DB_NEW)) != 0) {
@@ -626,6 +718,26 @@ static void print_report_details(seltree
}
}
+static void print_syslog_format(seltree* node) {
+ list* r=NULL;
+
+ if (node->checked&NODE_CHANGED) {
+ print_dbline_attributes_syslog(node->old_data, node->new_data, node->changed_attrs, forced_attrs);
+ }
+
+ if (node->checked&NODE_ADDED) {
+ print_attributes_added_node_syslog(node->new_data);
+ }
+
+ if (node->checked&NODE_REMOVED) {
+ print_attributes_removed_node_syslog(node->old_data);
+ }
+
+ for(r=node->childs;r;r=r->next){
+ print_syslog_format((seltree*)r->data);
+ }
+}
+
static void print_report_header() {
char *time;
int first = 1;
@@ -747,39 +859,53 @@ int gen_report(seltree* node) {
send_audit_report();
#endif
if ((nadd|nrem|nchg) > 0 || conf->report_quiet == 0) {
- print_report_header();
- if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) {
- if (conf->grouped) {
- if (nadd) {
- error(2,(char*)report_top_format,_("Added entries"));
- print_report_list(node, NODE_ADDED);
- }
- if (nrem) {
- error(2,(char*)report_top_format,_("Removed entries"));
- print_report_list(node, NODE_REMOVED);
- }
- if (nchg) {
- error(2,(char*)report_top_format,_("Changed entries"));
- print_report_list(node, NODE_CHANGED);
- }
- } else if (nadd || nrem || nchg) {
- if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); }
- else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); }
- else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); }
- else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); }
- else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); }
- else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); }
- else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); }
- print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED);
- }
- if (nadd || nrem || nchg) {
- error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes"));
- print_report_details(node);
- }
- }
- print_report_databases();
- conf->end_time=time(&(conf->end_time));
- print_report_footer();
+
+ if (!conf->syslog_format) {
+ print_report_header();
+ }
+
+ if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) {
+ if (!conf->syslog_format && conf->grouped) {
+ if (nadd) {
+ error(2,(char*)report_top_format,_("Added entries"));
+ print_report_list(node, NODE_ADDED);
+ }
+ if (nrem) {
+ error(2,(char*)report_top_format,_("Removed entries"));
+ print_report_list(node, NODE_REMOVED);
+ }
+ if (nchg) {
+ error(2,(char*)report_top_format,_("Changed entries"));
+ print_report_list(node, NODE_CHANGED);
+ }
+ } else if (!conf->syslog_format && ( nadd || nrem || nchg ) ) {
+ if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); }
+ else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); }
+ else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); }
+ else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); }
+ else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); }
+ else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); }
+ else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); }
+ print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED);
+ }
+ if (nadd || nrem || nchg) {
+ if (!conf->syslog_format) {
+ error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes"));
+ print_report_details(node);
+ } else {
+ /* Syslog Format */
+ error(0, "AIDE found differences between database and filesystem!!\n");
+ error(0, "summary;total_number_of_files=%ld;added_files=%ld;"
+ "removed_files=%ld;changed_files=%ld\n",ntotal,nadd,nrem,nchg);
+ print_syslog_format(node);
+ }
+ }
+ }
+ if (!conf->syslog_format) {
+ print_report_databases();
+ conf->end_time=time(&(conf->end_time));
+ print_report_footer();
+ }
}
return conf->action&(DO_COMPARE|DO_DIFF) ? (nadd!=0)*1+(nrem!=0)*2+(nchg!=0)*4 : 0;
diff -up ./src/conf_lex.l.syslog_format ./src/conf_lex.l
--- ./src/conf_lex.l.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./src/conf_lex.l 2018-09-27 19:09:09.698371220 +0200
@@ -401,6 +401,12 @@ int var_in_conflval=0;
return (TROOT_PREFIX);
}
+^[\t\ ]*"syslog_format"{E} {
+ error(230,"%li:syslog_format =\n",conf_lineno);
+ BEGIN CONFVALHUNT;
+ return (SYSLOG_FORMAT);
+}
+
^[\t\ ]*"recstop"{E} {
error(230,"%li:recstop =\n",conf_lineno);
BEGIN CONFVALHUNT;
diff -up ./src/conf_yacc.y.syslog_format ./src/conf_yacc.y
--- ./src/conf_yacc.y.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./src/conf_yacc.y 2018-09-27 19:09:09.699371228 +0200
@@ -89,6 +89,7 @@ extern long conf_lineno;
%token TREPORT_URL
%token TGZIPDBOUT
%token TROOT_PREFIX
+%token SYSLOG_FORMAT
%token TUMASK
%token TTRUE
%token TFALSE
@@ -160,7 +161,7 @@ line : rule | equrule | negrule | define
| ifdefstmt | ifndefstmt | ifhoststmt | ifnhoststmt
| groupdef | db_in | db_out | db_new | db_attrs | verbose | report_detailed_init | config_version
| database_add_metadata | report | gzipdbout | root_prefix | report_base16 | report_quiet
- | report_ignore_e2fsattrs | recursion_stopper | warn_dead_symlinks | grouped
+ | report_ignore_e2fsattrs | syslogformat | recursion_stopper | warn_dead_symlinks | grouped
| summarize_changes | acl_no_symlink_follow | beginconfigstmt | endconfigstmt
| TEOF {
newlinelastinconfig=1;
@@ -408,6 +409,15 @@ conf->gzip_dbout=0;
#endif
} ;
+syslogformat : SYSLOG_FORMAT TTRUE {
+conf->syslog_format=1;
+} |
+ SYSLOG_FORMAT TFALSE {
+conf->syslog_format=0;
+} ;
+
+
+
recursion_stopper : TRECSTOP TSTRING {
/* FIXME implement me */
diff -up ./src/error.c.syslog_format ./src/error.c
--- ./src/error.c.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./src/error.c 2018-09-27 19:13:40.312416750 +0200
@@ -38,6 +38,9 @@
/*for locale support*/
#include "util.h"
+#define MAX_BUFFER_SIZE 1024
+static char syslog_buffer[MAX_BUFFER_SIZE+1];
+
int cmp_url(url_t* url1,url_t* url2){
return ((url1->type==url2->type)&&(strcmp(url1->value,url2->value)==0));
@@ -48,7 +51,9 @@ int error_init(url_t* url,int initial)
{
list* r=NULL;
FILE* fh=NULL;
- int sfac;
+ int sfac;
+
+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1);
if (url->type==url_database) {
conf->report_db++;
@@ -163,13 +168,24 @@ void error(int errorlevel,char* error_ms
}
#ifdef HAVE_SYSLOG
if(conf->initial_report_url->type==url_syslog){
-#ifdef HAVE_VSYSLOG
- vsyslog(SYSLOG_PRIORITY,error_msg,ap);
-#else
- char buf[1024];
- vsnprintf(buf,1024,error_msg,ap);
- syslog(SYSLOG_PRIORITY,"%s",buf);
-#endif
+
+ char buff[MAX_BUFFER_SIZE+1];
+ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap);
+ size_t buff_len = strlen(buff);
+
+ char result_buff[MAX_BUFFER_SIZE+1];
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-truncation"
+ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff);
+#pragma GCC diagnostic pop
+
+ if(buff[buff_len-1] == '\n'){
+ syslog(SYSLOG_PRIORITY,"%s",result_buff);
+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1);
+ } else {
+ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE);
+ }
+
va_end(ap);
return;
}
@@ -181,17 +197,25 @@ void error(int errorlevel,char* error_ms
#ifdef HAVE_SYSLOG
if (conf->report_syslog!=0) {
-#ifdef HAVE_VSYSLOG
- va_start(ap,error_msg);
- vsyslog(SYSLOG_PRIORITY,error_msg,ap);
- va_end(ap);
-#else
- char buf[1024];
- va_start(ap,error_msg);
- vsnprintf(buf,1024,error_msg,ap);
+ va_start(ap, error_msg);
+
+ char buff[MAX_BUFFER_SIZE+1];
+ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap);
+ size_t buff_len = strlen(buff);
+
+ char result_buff[MAX_BUFFER_SIZE+1];
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-truncation"
+ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff);
+#pragma GCC diagnostic pop
+
+ if(buff[buff_len-1] == '\n'){
+ syslog(SYSLOG_PRIORITY,"%s",result_buff);
+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1);
+ } else {
+ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE);
+ }
va_end(ap);
- syslog(SYSLOG_PRIORITY,"%s",buf);
-#endif
}
#endif

View File

@ -0,0 +1,123 @@
diff --git a/include/base64.h b/include/base64.h
index 0ff7116..381ef5d 100644
--- a/include/base64.h
+++ b/include/base64.h
@@ -36,7 +36,6 @@
#include <assert.h>
#include "types.h"
-#define B64_BUF 16384
#define FAIL -1
#define SKIP -2
diff --git a/src/base64.c b/src/base64.c
index fd01bac..1b0f301 100644
--- a/src/base64.c
+++ b/src/base64.c
@@ -85,11 +85,9 @@ FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL
};
/* Returns NULL on error */
-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */
char* encode_base64(byte* src,size_t ssize)
{
char* outbuf;
- char* retbuf;
int pos;
int i, l, left;
unsigned long triple;
@@ -101,7 +99,10 @@ char* encode_base64(byte* src,size_t ssize)
error(240,"\n");
return NULL;
}
- outbuf = (char *)malloc(sizeof(char)*B64_BUF);
+
+ /* length of encoded base64 string (padded) */
+ size_t length = sizeof(char)* ((ssize + 2) / 3) * 4;
+ outbuf = (char *)malloc(length + 1);
/* Initialize working pointers */
inb = src;
@@ -162,20 +163,14 @@ char* encode_base64(byte* src,size_t ssize)
inb++;
}
- /* outbuf is not completely used so we use retbuf */
- retbuf=(char*)malloc(sizeof(char)*(pos+1));
- memcpy(retbuf,outbuf,pos);
- retbuf[pos]='\0';
- free(outbuf);
+ outbuf[pos]='\0';
- return retbuf;
+ return outbuf;
}
-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */
byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
{
byte* outbuf;
- byte* retbuf;
char* inb;
int i;
int l;
@@ -188,10 +183,18 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
if (!ssize||src==NULL)
return NULL;
+ /* exit on unpadded input */
+ if (ssize % 4) {
+ error(3, "decode_base64: '%s' has invalid length (missing padding characters?)", src);
+ return NULL;
+ }
+
+ /* calculate length of decoded string, substract padding chars if any (ssize is >= 4) */
+ size_t length = sizeof(byte) * ((ssize / 4) * 3)- (src[ssize-1] == '=') - (src[ssize-2] == '=');
/* Initialize working pointers */
inb = src;
- outbuf = (byte *)malloc(sizeof(byte)*B64_BUF);
+ outbuf = (byte *)malloc(length + 1);
l = 0;
triple = 0;
@@ -243,15 +246,11 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
inb++;
}
- retbuf=(byte*)malloc(sizeof(byte)*(pos+1));
- memcpy(retbuf,outbuf,pos);
- retbuf[pos]='\0';
-
- free(outbuf);
+ outbuf[pos]='\0';
if (ret_len) *ret_len = pos;
- return retbuf;
+ return outbuf;
}
size_t length_base64(char* src,size_t ssize)
diff --git a/src/db.c b/src/db.c
index 858240d..62c4faa 100644
--- a/src/db.c
+++ b/src/db.c
@@ -664,13 +664,15 @@ db_line* db_char2line(char** ss,int db){
time_t base64totime_t(char* s){
+ if(strcmp(s,"0")==0){
+ return 0;
+ }
byte* b=decode_base64(s,strlen(s),NULL);
char* endp;
- if (b==NULL||strcmp(s,"0")==0) {
+ if (b==NULL) {
/* Should we print error here? */
- free(b);
return 0;
} else {

View File

@ -0,0 +1,58 @@
From c7caa6027c92b28aa11b8da74d56357e12f56d67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Kope=C4=8Dek?= <dkopecek@redhat.com>
Date: Wed, 20 Feb 2019 12:00:56 +0100
Subject: [PATCH] Use LDADD for adding curl library to the linker command
---
Makefile.am | 2 +-
configure.ac | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 4b05d7a..1541d56 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -55,7 +55,7 @@ if USE_CURL
aide_SOURCES += include/fopen.h src/fopen.c
endif
-aide_LDADD = -lm @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@
+aide_LDADD = -lm @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@ @CURLLIB@
AM_CFLAGS = @AIDE_DEFS@ -W -Wall -g
AM_CPPFLAGS = -I$(top_srcdir) \
-I$(top_srcdir)/include \
diff --git a/configure.ac b/configure.ac
index 3598ebe..0418c59 100644
--- a/configure.ac
+++ b/configure.ac
@@ -702,24 +702,25 @@ if test x$with_zlib = xyes; then
compoptionstring="${compoptionstring}WITH_ZLIB\\n"
fi
+CURLLIB=
if test x$with_curl = xyes; then
AC_PATH_PROG(curlconfig, "curl-config")
if test "_$curlconfig" != _ ; then
CURL_CFLAGS=`$curlconfig --cflags`
- CURL_LIBS=`$curlconfig --libs`
+ CURLLIB=`$curlconfig --libs`
else
AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])
fi
AC_CHECK_HEADERS(curl/curl.h,,
[AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])])
CFLAGS="$CFLAGS $CURL_CFLAGS"
- LDFLAGS="$LDFLAGS $CURL_LIBS"
AC_CHECK_LIB(curl,curl_easy_init,havecurl=yes,
[AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])]
)
AC_DEFINE(WITH_CURL,1,[use curl])
compoptionstring="${compoptionstring}WITH_CURL\\n"
fi
+AC_SUBST(CURLLIB)
AM_CONDITIONAL(USE_CURL, test x$havecurl = xyes)
AC_ARG_WITH(mhash,
--
2.20.1

View File

@ -0,0 +1,17 @@
--- ./src/do_md.c 2018-03-19 05:10:19.994957024 -0400
+++ ./src/do_md.c 2018-03-19 05:19:05.829957024 -0400
@@ -135,8 +135,13 @@
continue;
while (!bingo && (data = elf_getdata (scn, data)) != NULL) {
- int maxndx = data->d_size / shdr.sh_entsize;
+ int maxndx;
int ndx;
+
+ if (shdr.sh_entsize != 0)
+ maxndx = data->d_size / shdr.sh_entsize;
+ else
+ continue;
for (ndx = 0; ndx < maxndx; ++ndx) {
(void) gelf_getdyn (data, ndx, &dyn);

View File

@ -0,0 +1,153 @@
diff -up ./include/md.h.crypto ./include/md.h
--- ./include/md.h.crypto 2016-07-25 22:56:55.000000000 +0200
+++ ./include/md.h 2018-08-29 15:00:30.827491299 +0200
@@ -149,6 +149,7 @@ int init_md(struct md_container*);
int update_md(struct md_container*,void*,ssize_t);
int close_md(struct md_container*);
void md2line(struct md_container*,struct db_line*);
+DB_ATTR_TYPE get_available_crypto();
#endif /*_MD_H_INCLUDED*/
diff -up ./src/aide.c.crypto ./src/aide.c
--- ./src/aide.c.crypto 2018-08-29 15:00:30.825491309 +0200
+++ ./src/aide.c 2018-08-29 15:00:30.827491299 +0200
@@ -349,7 +349,7 @@ static void setdefaults_before_config()
conf->db_attrs = 0;
#if defined(WITH_MHASH) || defined(WITH_GCRYPT)
- conf->db_attrs |= DB_MD5|DB_TIGER|DB_HAVAL|DB_CRC32|DB_SHA1|DB_RMD160|DB_SHA256|DB_SHA512;
+ conf->db_attrs |= get_available_crypto();
#ifdef WITH_MHASH
conf->db_attrs |= DB_GOST;
#ifdef HAVE_MHASH_WHIRLPOOL
diff -up ./src/md.c.crypto ./src/md.c
--- ./src/md.c.crypto 2018-08-29 15:00:30.823491319 +0200
+++ ./src/md.c 2018-08-29 15:02:28.013903479 +0200
@@ -78,6 +78,49 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) {
return r;
}
+const char * hash_gcrypt2str(int i) {
+ char * r = "?";
+#ifdef WITH_GCRYPT
+ switch (i) {
+ case GCRY_MD_MD5: {
+ r = "MD5";
+ break;
+ }
+ case GCRY_MD_SHA1: {
+ r = "SHA1";
+ break;
+ }
+ case GCRY_MD_RMD160: {
+ r = "RMD160";
+ break;
+ }
+ case GCRY_MD_TIGER: {
+ r = "TIGER";
+ break;
+ }
+ case GCRY_MD_HAVAL: {
+ r = "HAVAL";
+ break;
+ }
+ case GCRY_MD_SHA256: {
+ r = "SHA256";
+ break;
+ }
+ case GCRY_MD_SHA512: {
+ r = "SHA512";
+ break;
+ }
+ case GCRY_MD_CRC32: {
+ r = "CRC32";
+ break;
+ }
+ default:
+ break;
+ }
+#endif
+ return r;
+}
+
DB_ATTR_TYPE hash_mhash2attr(int i) {
DB_ATTR_TYPE r=0;
#ifdef WITH_MHASH
@@ -163,6 +206,44 @@ DB_ATTR_TYPE hash_mhash2attr(int i) {
Initialise md_container according it's todo_attr field
*/
+DB_ATTR_TYPE get_available_crypto() {
+
+ DB_ATTR_TYPE ret = 0;
+
+/*
+ * This function is usually called before config processing
+ * and default verbose level is 5
+ */
+#define lvl 255
+
+ error(lvl, "get_available_crypto called\n");
+
+#ifdef WITH_GCRYPT
+
+ /*
+ * some initialization for FIPS
+ */
+ gcry_check_version(NULL);
+ error(lvl, "Found algos:");
+
+ for(int i=0;i<=HASH_GCRYPT_COUNT;i++) {
+
+ if ( (hash_gcrypt2attr(i) & HASH_USE_GCRYPT) == 0 )
+ continue;
+
+ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) == 0) {
+ ret |= hash_gcrypt2attr(i);
+ error(lvl, " %s", hash_gcrypt2str(i));
+ }
+ }
+ error(lvl, "\n");
+
+#endif
+
+ error(lvl, "get_available_crypto_returned with %lld\n", ret);
+ return ret;
+}
+
int init_md(struct md_container* md) {
int i;
@@ -201,18 +282,27 @@ int init_md(struct md_container* md) {
}
#endif
#ifdef WITH_GCRYPT
- if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
+ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
error(0,"gcrypt_md_open failed\n");
exit(IO_ERROR);
}
for(i=0;i<=HASH_GCRYPT_COUNT;i++) {
+
+
if (((hash_gcrypt2attr(i)&HASH_USE_GCRYPT)&md->todo_attr)!=0) {
- DB_ATTR_TYPE h=hash_gcrypt2attr(i);
- error(255,"inserting %llu\n",h);
+
+ DB_ATTR_TYPE h=hash_gcrypt2attr(i);
+
+ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) != 0) {
+ error(0,"Algo %s is not available\n", hash_gcrypt2str(i));
+ exit(-1);
+ }
+
+ error(255,"inserting %llu\n",h);
if(gcry_md_enable(md->mdh,i)==GPG_ERR_NO_ERROR){
md->calc_attr|=h;
} else {
- error(0,"gcry_md_enable %i failed",i);
+ error(0,"gcry_md_enable %i failed\n",i);
md->todo_attr&=~h;
}
}

View File

@ -0,0 +1,103 @@
diff -up ./src/aide.c.orig ./aide-0.16b1/src/aide.c
--- ./src/aide.c.orig 2016-07-12 11:10:08.013158385 +0200
+++ ./src/aide.c 2016-07-12 11:30:54.867833064 +0200
@@ -511,9 +511,28 @@ int main(int argc,char**argv)
#endif
umask(0177);
init_sighandler();
-
setdefaults_before_config();
+#if WITH_GCRYPT
+ error(255,"Gcrypt library initialization\n");
+ /*
+ * Initialize libgcrypt as per
+ * http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
+ *
+ *
+ */
+ gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0);
+ gcry_control(GCRYCTL_INIT_SECMEM, 1);
+
+ if(!gcry_check_version(GCRYPT_VERSION)) {
+ error(0,"libgcrypt version mismatch\n");
+ exit(VERSION_MISMATCH_ERROR);
+ }
+
+ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+#endif /* WITH_GCRYPT */
+
+
if(read_param(argc,argv)==RETFAIL){
error(0, _("Invalid argument\n") );
exit(INVALID_ARGUMENT_ERROR);
@@ -646,6 +665,9 @@ int main(int argc,char**argv)
}
#endif
}
+#ifdef WITH_GCRYPT
+ gcry_control(GCRYCTL_TERM_SECMEM, 0);
+#endif /* WITH_GCRYPT */
return RETOK;
}
const char* aide_key_3=CONFHMACKEY_03;
diff -up ./src/md.c.orig ./aide-0.16b1/src/md.c
--- ./src/md.c.orig 2016-04-15 23:30:16.000000000 +0200
+++ ./src/md.c 2016-07-12 11:35:04.007675329 +0200
@@ -201,14 +201,7 @@ int init_md(struct md_container* md) {
}
#endif
#ifdef WITH_GCRYPT
- error(255,"Gcrypt library initialization\n");
- if(!gcry_check_version(GCRYPT_VERSION)) {
- error(0,"libgcrypt version mismatch\n");
- exit(VERSION_MISMATCH_ERROR);
- }
- gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
- if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){
+ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
error(0,"gcrypt_md_open failed\n");
exit(IO_ERROR);
}
@@ -299,7 +292,7 @@ int close_md(struct md_container* md) {
/*. There might be more hashes in the library. Add those here.. */
- gcry_md_reset(md->mdh);
+ gcry_md_close(md->mdh);
#endif
#ifdef WITH_MHASH
diff -up ./src/util.c.orig ./aide-0.16b1/src/util.c
--- ./src/util.c.orig 2016-07-12 11:39:17.023437355 +0200
+++ ./src/util.c 2016-07-12 11:39:51.618721157 +0200
@@ -519,28 +519,5 @@ int syslog_facility_lookup(char *s)
return(AIDE_SYSLOG_FACILITY);
}
-/* We need these dummy stubs to fool the linker into believing that
- we do not need them at link time */
-
-void* dlopen(char*filename,int flag)
-{
- return NULL;
-}
-
-void* dlsym(void*handle,char*symbol)
-{
- return NULL;
-}
-
-void* dlclose(void*handle)
-{
- return NULL;
-}
-
-const char* dlerror(void)
-{
- return NULL;
-}
-
const char* aide_key_2=CONFHMACKEY_02;
const char* db_key_2=DBHMACKEY_02;

View File

@ -0,0 +1,15 @@
diff -up ./doc/aide.1.in.orig ./doc/aide.1.in
--- ./doc/aide.1.in.orig 2016-07-12 16:10:01.724595895 +0200
+++ ./doc/aide.1.in 2016-07-12 16:06:21.968639822 +0200
@@ -103,9 +103,9 @@ echo <encoded_checksum> | base64 \-d | h
.SH FILES
.IP \fB@sysconfdir@/aide.conf\fR
Default aide configuration file.
-.IP \fB@sysconfdir@/aide.db\fR
+.IP \fB@localstatedir@/lib/aide/aide.db\fR
Default aide database.
-.IP \fB@sysconfdir@/aide.db.new\fR
+.IP \fB@localstatedir@/lib/aide/aide.db.new\fR
Default aide output database.
.SH SEE ALSO
.BR aide.conf (5)

View File

@ -0,0 +1,51 @@
diff --color -ru a/configure.ac b/configure.ac
--- a/configure.ac 2021-05-20 09:31:11.686987129 +0200
+++ b/configure.ac 2021-05-20 09:39:43.369967457 +0200
@@ -784,11 +784,11 @@
[if test "x$withval" = "xmd5" ;then
CONFIGHMACTYPE="MHASH_MD5"
else if test "x$withval" = "xsha1" ;then
- CONFIGHMACTYPE="MHASH_SHA1"
+ CONFIGHMACTYPE="MHASH_SHA1"
else if test "x$withval" = "xsha256" ;then
- CONFIGHMACTYPE="MHASH_SHA256"
+ CONFIGHMACTYPE="MHASH_SHA256"
else if test "x$withval" = "xsha512" ;then
- CONFIGHMACTYPE="MHASH_SHA512"
+ CONFIGHMACTYPE="MHASH_SHA512"
else
echo "Valid parameters for --with-confighmactype are md5, sha1, sha256 and sha512"
exit 1
@@ -799,7 +799,6 @@
AC_DEFINE_UNQUOTED(CONFIGHMACTYPE,$CONFIGHMACTYPE,[hash type for config file check])],
[
AC_DEFINE_UNQUOTED(CONFIGHMACTYPE,MHASH_MD5,[hash type for config file check])]
-,
)
AC_ARG_WITH([confighmackey],
@@ -846,18 +845,18 @@
AC_ARG_WITH([dbhmactype],
AC_HELP_STRING([--with-dbhmactype=TYPE],
- [Hash type to use for checking db. Valid values are md5 and sha1.]),
+ [Hash type to use for checking db. Valid values are md5, sha1, sha256 and sha512.]),
[if test "x$withval" = "xmd5" ;then
DBHMACTYPE="MHASH_MD5"
else if test "x$withval" = "xsha1" ;then
- DBHMACTYPE="MHASH_SHA1"
+ DBHMACTYPE="MHASH_SHA1"
else if test "x$withval" = "xsha256" ;then
- CONFIGHMACTYPE="MHASH_SHA256"
+ DBHMACTYPE="MHASH_SHA256"
else if test "x$withval" = "xsha512" ;then
- CONFIGHMACTYPE="MHASH_SHA512"
+ DBHMACTYPE="MHASH_SHA512"
else
- echo "Valid parameters for --with-dbhmactype are md5, sha1, sha256 and sha512"
- exit 1
+ echo "Valid parameters for --with-dbhmactype are md5, sha1, sha256 and sha512"
+ exit 1
fi
fi
fi

View File

@ -0,0 +1,171 @@
Only in b: config.log
diff --color -ru a/contrib/sshaide.sh b/contrib/sshaide.sh
--- a/contrib/sshaide.sh 2016-07-25 22:56:55.000000000 +0200
+++ b/contrib/sshaide.sh 2021-05-20 11:11:24.112542472 +0200
@@ -260,7 +260,7 @@
_randword=`grep -n . ${_wordlist} | grep "^${_linenum}:" | cut -d: -f2`
# If $_randword has anything other than lower-case chars, try again
- (echo ${_randword} | LC_ALL=C grep '[^a-z]' 2>&1 >> /dev/null \
+ ({ echo ${_randword} | LC_ALL=C grep '[^a-z]' 2>&1; } >> /dev/null \
&& gen_rand_word ) || \
# Return the word
diff --color -ru a/src/commandconf.c b/src/commandconf.c
--- a/src/commandconf.c 2021-05-20 10:37:53.842382143 +0200
+++ b/src/commandconf.c 2021-05-25 14:16:43.278526146 +0200
@@ -313,7 +313,7 @@
} else {
/* gzread returns 0 even if uncompressed bytes were read*/
error(240,"nread=%d,strlen(buf)=%lu,errno=%s,gzerr=%s\n",
- retval,(unsigned long)strnlen((char*)buf, max_size),
+ retval,(unsigned long)strnlen((char*)buf, retval),
strerror(errno),gzerror(*db_gzp,&err));
if(retval==0){
retval=strnlen((char*)buf, max_size);
@@ -836,6 +836,11 @@
}
break;
}
+ default: {
+ error(0,"Unsupported dbtype.\n");
+ free(u);
+ break;
+ }
}
}
free(val);
@@ -900,7 +905,7 @@
} else {
error_init(u,0);
}
-
+ free(u->value);
free(u);
}
diff --color -ru a/src/db_disk.c b/src/db_disk.c
--- a/src/db_disk.c 2021-05-20 10:37:53.842382143 +0200
+++ b/src/db_disk.c 2021-05-20 12:37:00.081493364 +0200
@@ -125,10 +125,10 @@
ret = (char *) malloc (len);
ret[0] = (char) 0;
- strncpy(ret, conf->root_prefix, conf->root_prefix_length+1);
- strncat (ret, r->path, len2);
+ strcpy(ret, conf->root_prefix);
+ strcat (ret, r->path);
if (r->path[len2 - 1] != '/') {
- strncat (ret, "/", 1);
+ strcat (ret, "/");
}
strcat (ret, s);
return ret;
@@ -207,8 +207,8 @@
if (!root_handled) {
root_handled = 1;
fullname=malloc((conf->root_prefix_length+2)*sizeof(char));
- strncpy(fullname, conf->root_prefix, conf->root_prefix_length+1);
- strncat (fullname, "/", 1);
+ strcpy(fullname, conf->root_prefix);
+ strcat (fullname, "/");
if (!get_file_status(&fullname[conf->root_prefix_length], &fs)) {
add = check_rxtree (&fullname[conf->root_prefix_length], conf->tree, &attr, fs.st_mode);
error (240, "%s match=%d, tree=%p, attr=%llu\n", &fullname[conf->root_prefix_length], add,
@@ -346,8 +346,8 @@
error (255, "r->childs %p, r->parent %p,r->checked %i\n",
r->childs, r->parent, r->checked);
fullname=malloc((conf->root_prefix_length+strlen(r->path)+1)*sizeof(char));
- strncpy(fullname, conf->root_prefix, conf->root_prefix_length+1);
- strncat(fullname, r->path, strlen(r->path));
+ strcpy(fullname, conf->root_prefix);
+ strcat(fullname, r->path);
dirh=open_dir(fullname);
if (! dirh) {
@@ -441,8 +441,8 @@
char* fullname=malloc((conf->root_prefix_length+2)*sizeof(char));
- strncpy(fullname, conf->root_prefix, conf->root_prefix_length+1);
- strncat (fullname, "/", 1);
+ strcpy(fullname, conf->root_prefix);
+ strcat (fullname, "/");
dirh=open_dir(fullname);
free(fullname);
diff --color -ru a/src/error.c b/src/error.c
--- a/src/error.c 2021-05-20 10:37:53.836382037 +0200
+++ b/src/error.c 2021-05-21 11:49:09.781313097 +0200
@@ -125,7 +125,7 @@
fh=be_init(0,url,0);
if(fh!=NULL) {
conf->report_fd=list_append(conf->report_fd,(void*)fh);
- conf->report_url=list_append(conf->report_url,(void*)url);
+ conf->report_url=list_append(conf->report_url,(void*)strdup(url));
return RETOK;
}
diff --color -ru a/src/util.c b/src/util.c
--- a/src/util.c 2021-05-20 10:37:53.843382160 +0200
+++ b/src/util.c 2021-05-25 11:04:39.507278771 +0200
@@ -105,13 +105,15 @@
for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++);
if(r[0]=='\0'){
error(0,"Invalid file-URL,no path after hostname: file:%s\n",t);
+ free(u);
+ free(val_copy);
free(hostname);
return NULL;
}
u->value=strdup(r);
r[0]='\0';
if(gethostname(hostname,MAXHOSTNAMELEN)==-1){
- strncpy(hostname,"localhost", 10);
+ strncpy(hostname,"localhost",MAXHOSTNAMELEN);
}
if( (strcmp(t,"localhost")==0)||(strcmp(t,hostname)==0)){
@@ -119,6 +121,9 @@
break;
} else {
error(0,"Invalid file-URL, cannot use hostname other than localhost or %s: file:%s\n",hostname,u->value);
+ free(u->value);
+ free(u);
+ free(val_copy);
free(hostname);
return NULL;
}
@@ -229,6 +234,10 @@
int i=0;
pc=(char*)malloc(sizeof(char)*11);
+ if (!pc) {
+ error(0, "Memory allocation failed.\n");
+ return NULL;
+ }
for(i=0;i<10;i++){
pc[i]='-';
}
@@ -369,14 +378,17 @@
if (path != NULL) {
if (path[0] == '~') {
- if((homedir=getenv("HOME")) != NULL) {
+ if ((homedir=getenv("HOME")) != NULL) {
path_len = strlen(path+sizeof(char));
homedir_len = strlen(homedir);
full_len = homedir_len+path_len;
full = malloc(sizeof(char) * (full_len+1));
- strncpy(full, homedir, homedir_len);
- strncpy(full+homedir_len, path+sizeof(char), path_len);
- full[full_len] = '\0';
+ if (!full) {
+ error(0, "Memory allocation failed.\n");
+ return path;
+ }
+ strcpy(full, homedir);
+ strcat(full, path+sizeof(char));
free(path);
/* Don't free(homedir); because it is not safe on some platforms */
path = full;

303
SOURCES/aide.conf Normal file
View File

@ -0,0 +1,303 @@
# Example configuration file for AIDE.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default.
verbose=5
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES
# Sane
# NORMAL = R+sha512
NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
# Access control only
PERMS = p+u+g+acl+selinux+xattrs
# Logfile are special, in that they often change
LOG = p+u+g+n+S+acl+selinux+xattrs
# Content + file type.
CONTENT = sha512+ftype
# Extended content + file type + access.
CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512
# Next decide what directories/files you want in the database.
/boot CONTENT_EX
/opt CONTENT
# Admins dot files constantly change, just check perms
/root/\..* PERMS
!/root/.xauth*
# Otherwise get all of /root.
/root CONTENT_EX
# These are too volatile
!/usr/src
!/usr/tmp
# Otherwise get all of /usr.
/usr CONTENT_EX
# trusted databases
/etc/hosts$ CONTENT_EX
/etc/host.conf$ CONTENT_EX
/etc/hostname$ CONTENT_EX
/etc/issue$ CONTENT_EX
/etc/issue.net$ CONTENT_EX
/etc/protocols$ CONTENT_EX
/etc/services$ CONTENT_EX
/etc/localtime$ CONTENT_EX
/etc/alternatives CONTENT_EX
/etc/sysconfig CONTENT_EX
/etc/mime.types$ CONTENT_EX
/etc/terminfo CONTENT_EX
/etc/exports$ CONTENT_EX
/etc/fstab$ CONTENT_EX
/etc/passwd$ CONTENT_EX
/etc/group$ CONTENT_EX
/etc/gshadow$ CONTENT_EX
/etc/shadow$ CONTENT_EX
/etc/subgid$ CONTENT_EX
/etc/subuid$ CONTENT_EX
/etc/security/opasswd$ CONTENT_EX
/etc/skel CONTENT_EX
/etc/sssd CONTENT_EX
/etc/machine-id$ CONTENT_EX
/etc/swid CONTENT_EX
/etc/system-release-cpe$ CONTENT_EX
/etc/shells$ CONTENT_EX
/etc/tmux.conf$ CONTENT_EX
/etc/xattr.conf$ CONTENT_EX
# networking
/etc/firewalld CONTENT_EX
!/etc/NetworkManager/system-connections
/etc/NetworkManager CONTENT_EX
/etc/networks$ CONTENT_EX
/etc/dhcp CONTENT_EX
/etc/wpa_supplicant CONTENT_EX
/etc/resolv.conf$ DATAONLY
/etc/nscd.conf$ CONTENT_EX
# logins and accounts
/etc/login.defs$ CONTENT_EX
/etc/libuser.conf$ CONTENT_EX
/var/log/faillog$ PERMS
/var/log/lastlog$ PERMS
/var/run/faillock PERMS
/etc/pam.d CONTENT_EX
/etc/security CONTENT_EX
/etc/securetty$ CONTENT_EX
/etc/polkit-1 CONTENT_EX
/etc/sudo.conf$ CONTENT_EX
/etc/sudoers$ CONTENT_EX
/etc/sudoers.d CONTENT_EX
# Shell/X startup files
/etc/profile$ CONTENT_EX
/etc/profile.d CONTENT_EX
/etc/bashrc$ CONTENT_EX
/etc/bash_completion.d CONTENT_EX
/etc/zprofile$ CONTENT_EX
/etc/zshrc$ CONTENT_EX
/etc/zlogin$ CONTENT_EX
/etc/zlogout$ CONTENT_EX
/etc/X11 CONTENT_EX
# Pkg manager
/etc/dnf CONTENT_EX
/etc/yum.conf$ CONTENT_EX
/etc/yum CONTENT_EX
/etc/yum.repos.d CONTENT_EX
# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log
# auditing
# AIDE produces an audit record, so this becomes perpetual motion.
/var/log/audit PERMS
/etc/audit CONTENT_EX
/etc/libaudit.conf$ CONTENT_EX
/etc/aide.conf$ CONTENT_EX
# System logs
/etc/rsyslog.conf$ CONTENT_EX
/etc/rsyslog.d CONTENT_EX
/etc/logrotate.conf$ CONTENT_EX
/etc/logrotate.d CONTENT_EX
/etc/systemd/journald.conf$ CONTENT_EX
/var/log LOG+ANF+ARF
/var/run/utmp LOG
# secrets
/etc/pkcs11 CONTENT_EX
/etc/pki CONTENT_EX
/etc/crypto-policies CONTENT_EX
/etc/certmonger CONTENT_EX
/var/lib/systemd/random-seed$ PERMS
# init system
/etc/systemd CONTENT_EX
/etc/rc.d CONTENT_EX
/etc/tmpfiles.d CONTENT_EX
# boot config
/etc/default CONTENT_EX
/etc/grub.d CONTENT_EX
/etc/dracut.conf$ CONTENT_EX
/etc/dracut.conf.d CONTENT_EX
# glibc linker
/etc/ld.so.cache$ CONTENT_EX
/etc/ld.so.conf$ CONTENT_EX
/etc/ld.so.conf.d CONTENT_EX
/etc/ld.so.preload$ CONTENT_EX
# kernel config
/etc/sysctl.conf$ CONTENT_EX
/etc/sysctl.d CONTENT_EX
/etc/modprobe.d CONTENT_EX
/etc/modules-load.d CONTENT_EX
/etc/depmod.d CONTENT_EX
/etc/udev CONTENT_EX
/etc/crypttab$ CONTENT_EX
#### Daemons ####
# cron jobs
/etc/at.allow$ CONTENT
/etc/at.deny$ CONTENT
/etc/anacrontab$ CONTENT_EX
/etc/cron.allow$ CONTENT_EX
/etc/cron.deny$ CONTENT_EX
/etc/cron.d CONTENT_EX
/etc/cron.daily CONTENT_EX
/etc/cron.hourly CONTENT_EX
/etc/cron.monthly CONTENT_EX
/etc/cron.weekly CONTENT_EX
/etc/crontab$ CONTENT_EX
/var/spool/cron/root CONTENT
# time keeping
/etc/chrony.conf$ CONTENT_EX
/etc/chrony.keys$ CONTENT_EX
# mail
/etc/aliases$ CONTENT_EX
/etc/aliases.db$ CONTENT_EX
/etc/postfix CONTENT_EX
# ssh
/etc/ssh/sshd_config$ CONTENT_EX
/etc/ssh/ssh_config$ CONTENT_EX
# stunnel
/etc/stunnel CONTENT_EX
# printing
/etc/cups CONTENT_EX
/etc/cupshelpers CONTENT_EX
/etc/avahi CONTENT_EX
# web server
/etc/httpd CONTENT_EX
# dns
/etc/named CONTENT_EX
/etc/named.conf$ CONTENT_EX
/etc/named.iscdlv.key$ CONTENT_EX
/etc/named.rfc1912.zones$ CONTENT_EX
/etc/named.root.key$ CONTENT_EX
# xinetd
/etc/xinetd.conf$ CONTENT_EX
/etc/xinetd.d CONTENT_EX
# IPsec
/etc/ipsec.conf$ CONTENT_EX
/etc/ipsec.secrets$ CONTENT_EX
/etc/ipsec.d CONTENT_EX
# USB guard
/etc/usbguard CONTENT_EX
# Ignore some files
!/etc/mtab$
!/etc/.*~
# Now everything else
/etc PERMS
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found DIR
#=/home DIR

9
SOURCES/aide.logrotate Normal file
View File

@ -0,0 +1,9 @@
/var/log/aide/*.log {
weekly
missingok
rotate 4
compress
delaycompress
copytruncate
minsize 100k
}

642
SOURCES/coverity.patch Normal file
View File

@ -0,0 +1,642 @@
diff -up ./include/be.h.coverity ./include/be.h
--- ./include/be.h.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./include/be.h 2018-10-10 19:27:18.680632681 +0200
@@ -22,6 +22,6 @@
#define _BE_H_INCLUDED
#include "db_config.h"
-FILE* be_init(int inout,url_t* u,int iszipped);
+void* be_init(int inout,url_t* u,int iszipped);
#endif /* _BE_H_INCLUDED */
diff -up ./include/db_config.h.coverity ./include/db_config.h
--- ./include/db_config.h.coverity 2018-10-10 19:27:18.672632611 +0200
+++ ./include/db_config.h 2018-10-10 19:27:18.681632689 +0200
@@ -376,7 +376,7 @@ typedef struct db_config {
#endif
url_t* initial_report_url;
- FILE* initial_report_fd;
+ void* initial_report_fd;
/* report_url is a list of url_t*s */
list* report_url;
diff -up ./src/aide.c.coverity ./src/aide.c
--- ./src/aide.c.coverity 2018-10-10 19:27:18.678632663 +0200
+++ ./src/aide.c 2018-10-10 19:27:18.681632689 +0200
@@ -278,7 +278,7 @@ static void setdefaults_before_config()
error(0,_("Couldn't get hostname"));
free(s);
} else {
- s=(char*)realloc((void*)s,strlen(s)+1);
+ // s=(char*)realloc((void*)s,strlen(s)+1);
do_define("HOSTNAME",s);
}
@@ -506,8 +506,6 @@ static void setdefaults_after_config()
int main(int argc,char**argv)
{
int errorno=0;
- byte* dig=NULL;
- char* digstr=NULL;
#ifdef USE_LOCALE
setlocale(LC_ALL,"");
@@ -544,6 +542,10 @@ int main(int argc,char**argv)
}
errorno=commandconf('C',conf->config_file);
+ if (errorno==RETFAIL){
+ error(0,_("Configuration error\n"));
+ exit(INVALID_CONFIGURELINE_ERROR);
+ }
errorno=commandconf('D',"");
if (errorno==RETFAIL){
@@ -594,6 +596,9 @@ int main(int argc,char**argv)
}
}
#ifdef WITH_MHASH
+ byte* dig=NULL;
+ char* digstr=NULL;
+
if(conf->config_check&&FORCECONFIGMD){
error(0,"Can't give config checksum when compiled with --enable-forced_configmd\n");
exit(INVALID_ARGUMENT_ERROR);
diff -up ./src/base64.c.coverity ./src/base64.c
--- ./src/base64.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/base64.c 2018-10-10 19:27:18.681632689 +0200
@@ -209,6 +209,7 @@ byte* decode_base64(char* src,size_t ssi
case FAIL:
error(3, "decode_base64: Illegal character: %c\n", *inb);
error(230, "decode_base64: Illegal line:\n%s\n", src);
+ free(outbuf);
return NULL;
break;
case SKIP:
@@ -260,7 +261,7 @@ size_t length_base64(char* src,size_t ss
int l;
int left;
size_t pos;
- unsigned long triple;
+ //unsigned long triple;
error(235, "decode base64\n");
/* Exit on empty input */
@@ -273,7 +274,7 @@ size_t length_base64(char* src,size_t ss
inb = src;
l = 0;
- triple = 0;
+ //triple = 0;
pos=0;
left = ssize;
/*
@@ -293,7 +294,7 @@ size_t length_base64(char* src,size_t ss
case SKIP:
break;
default:
- triple = triple<<6 | (0x3f & i);
+ //triple = triple<<6 | (0x3f & i);
l++;
break;
}
@@ -302,10 +303,10 @@ size_t length_base64(char* src,size_t ss
switch(l)
{
case 2:
- triple = triple>>4;
+ //triple = triple>>4;
break;
case 3:
- triple = triple>>2;
+ //triple = triple>>2;
break;
default:
break;
@@ -314,7 +315,7 @@ size_t length_base64(char* src,size_t ss
{
pos++;
}
- triple = 0;
+ //triple = 0;
l = 0;
}
inb++;
diff -up ./src/be.c.coverity ./src/be.c
--- ./src/be.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/be.c 2018-10-10 19:27:18.681632689 +0200
@@ -117,9 +117,9 @@ static char* get_first_value(char** in){
#endif
-FILE* be_init(int inout,url_t* u,int iszipped)
+void* be_init(int inout,url_t* u,int iszipped)
{
- FILE* fh=NULL;
+ void* fh=NULL;
long a=0;
char* err=NULL;
int fd;
diff -up ./src/commandconf.c.coverity ./src/commandconf.c
--- ./src/commandconf.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/commandconf.c 2018-10-10 19:27:18.682632698 +0200
@@ -106,7 +106,7 @@ int commandconf(const char mode,const ch
rv=0;
} else {
- rv=access(config,R_OK);
+ if (config != NULL) rv=access(config,R_OK);
if(rv==-1){
error(0,_("Cannot access config file: %s: %s\n"),config,strerror(errno));
}
@@ -166,14 +166,11 @@ int commandconf(const char mode,const ch
int conf_input_wrapper(char* buf, int max_size, FILE* in)
{
int retval=0;
- int c=0;
- char* tmp=NULL;
- void* key=NULL;
- int keylen=0;
/* FIXME Add support for gzipped config. :) */
#ifdef WITH_MHASH
/* Read a character at a time until we are doing md */
+ int c=0;
if(conf->do_configmd){
retval=fread(buf,1,max_size,in);
}else {
@@ -185,6 +182,9 @@ int conf_input_wrapper(char* buf, int ma
#endif
#ifdef WITH_MHASH
+ char* tmp=NULL;
+ void* key=NULL;
+ int keylen=0;
if(conf->do_configmd||conf->config_check){
if(((conf->do_configmd==1)&&conf->config_check)||!conf->confmd){
if(conf->do_configmd==1){
@@ -276,6 +276,9 @@ int db_input_wrapper(char* buf, int max_
#endif
break;
}
+ default: {
+ return 0;
+ }
}
#ifdef WITH_CURL
@@ -651,7 +654,6 @@ int handle_endif(int doit,int allow_else
case 0 : {
conferror("@@endif or @@else expected");
return -1;
- count=0;
}
default : {
@@ -816,6 +818,7 @@ void do_dbdef(int dbtype,char* val)
if(u==NULL||u->type==url_unknown||u->type==url_stdout
||u->type==url_stderr) {
error(0,_("Unsupported input URL-type:%s\n"),val);
+ free(u);
}
else {
*conf_db_url=u;
@@ -825,6 +828,7 @@ void do_dbdef(int dbtype,char* val)
case DB_WRITE: {
if(u==NULL||u->type==url_unknown||u->type==url_stdin){
error(0,_("Unsupported output URL-type:%s\n"),val);
+ free(u);
}
else{
conf->db_out_url=u;
@@ -848,6 +852,7 @@ void do_dbindef(char* val)
if(u==NULL||u->type==url_unknown||u->type==url_stdout
||u->type==url_stderr) {
error(0,_("Unsupported input URL-type:%s\n"),val);
+ free(u);
}
else {
conf->db_in_url=u;
@@ -869,6 +874,7 @@ void do_dboutdef(char* val)
* both input and output urls */
if(u==NULL||u->type==url_unknown||u->type==url_stdin){
error(0,_("Unsupported output URL-type:%s\n"),val);
+ free(u);
}
else{
conf->db_out_url=u;
@@ -894,7 +900,8 @@ void do_repurldef(char* val)
} else {
error_init(u,0);
}
-
+
+ free(u);
}
void do_verbdef(char* val)
@@ -984,7 +991,7 @@ void do_report_ignore_e2fsattrs(char* va
break;
}
}
- *val++;
+ val++;
}
}
#endif
diff -up ./src/compare_db.c.coverity ./src/compare_db.c
--- ./src/compare_db.c.coverity 2018-10-10 19:27:18.673632619 +0200
+++ ./src/compare_db.c 2018-10-10 19:27:18.682632698 +0200
@@ -312,7 +312,7 @@ static int acl2array(acl_type* acl, char
if (conf->syslog_format) {
*values = malloc(2 * sizeof(char*));
- char *A, *D = "<NONE>";
+ char *A= "<NONE>", *D = "<NONE>";
if (acl->acl_a) { A = acl->acl_a; }
if (acl->acl_d) { D = acl->acl_d; }
diff -up ./src/conf_lex.l.coverity ./src/conf_lex.l
--- ./src/conf_lex.l.coverity 2018-10-10 19:27:18.673632619 +0200
+++ ./src/conf_lex.l 2018-10-10 19:27:18.682632698 +0200
@@ -133,7 +133,7 @@ int var_in_conflval=0;
<EXPR>[\ \t]*\n {
conf_lineno++;
return (TNEWLINE);
- BEGIN 0;
+// BEGIN 0;
}
<EXPR>\+ {
diff -up ./src/db.c.coverity ./src/db.c
--- ./src/db.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/db.c 2018-10-10 19:27:18.683632707 +0200
@@ -27,6 +27,7 @@
#include "db_file.h"
#include "db_disk.h"
#include "md.h"
+#include "fopen.h"
#ifdef WITH_PSQL
#include "db_sql.h"
@@ -269,6 +270,9 @@ db_line* db_readline(int db){
db_order=&(conf->db_new_order);
break;
}
+ default: {
+ return NULL;
+ }
}
switch (db_url->type) {
@@ -368,7 +372,7 @@ db_line* db_char2line(char** ss,int db){
int i;
db_line* line=(db_line*)malloc(sizeof(db_line)*1);
- int* db_osize=0;
+ int* db_osize=NULL;
DB_FIELD** db_order=NULL;
switch (db) {
@@ -382,6 +386,10 @@ db_line* db_char2line(char** ss,int db){
db_order=&(conf->db_new_order);
break;
}
+ default: {
+ free(line);
+ return NULL;
+ }
}
@@ -601,7 +609,9 @@ db_line* db_char2line(char** ss,int db){
size_t vsz = 0;
tval = strtok(NULL, ",");
- line->xattrs->ents[num].key = db_readchar(strdup(tval));
+ char * tmp = strdup(tval);
+ line->xattrs->ents[num].key = db_readchar(tmp);
+ free(tmp);
tval = strtok(NULL, ",");
val = base64tobyte(tval, strlen(tval), &vsz);
line->xattrs->ents[num].val = val;
@@ -648,6 +658,8 @@ db_line* db_char2line(char** ss,int db){
default : {
error(0,_("Not implemented in db_char2line %i \n"),(*db_order)[i]);
+ free_db_line(line);
+ free(line);
return NULL;
}
@@ -826,7 +838,7 @@ void db_close() {
case url_ftp:
{
if (conf->db_out!=NULL) {
- url_fclose(conf->db_out);
+ url_fclose((URL_FILE*)conf->db_out);
}
break;
}
diff -up ./src/db_disk.c.coverity ./src/db_disk.c
--- ./src/db_disk.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/db_disk.c 2018-10-10 19:28:00.108995089 +0200
@@ -79,9 +79,15 @@ static DIR *open_dir(char* path) {
static void next_in_dir (void)
{
+
#ifdef HAVE_READDIR_R
- if (dirh != NULL)
+ if (dirh != NULL) {
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
rdres = AIDE_READDIR_R_FUNC (dirh, entp, resp);
+#pragma GCC diagnostic pop
+ }
+
#else
#ifdef HAVE_READDIR
if (dirh != NULL) {
diff -up ./src/db_file.c.coverity ./src/db_file.c
--- ./src/db_file.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/db_file.c 2018-10-10 19:27:18.683632707 +0200
@@ -171,7 +171,7 @@ int dofprintf( const char* s,...)
int db_file_read_spec(int db){
int i=0;
- int* db_osize=0;
+ int* db_osize=NULL;
DB_FIELD** db_order=NULL;
switch (db) {
@@ -187,6 +187,9 @@ int db_file_read_spec(int db){
db_lineno=&db_new_lineno;
break;
}
+ default: {
+ return RETFAIL;
+ }
}
*db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD));
@@ -198,13 +201,10 @@ int db_file_read_spec(int db){
int l;
- /* Yes... we do not check if realloc returns nonnull */
-
- *db_order=(DB_FIELD*)
- realloc((void*)*db_order,
+ void * tmp = realloc((void*)*db_order,
((*db_osize)+1)*sizeof(DB_FIELD));
-
- if(*db_order==NULL){
+ if (tmp != NULL) *db_order=(DB_FIELD*) tmp;
+ else {
return RETFAIL;
}
@@ -291,8 +291,8 @@ char** db_readline_file(int db){
int* domd=NULL;
#ifdef WITH_MHASH
MHASH* md=NULL;
-#endif
char** oldmdstr=NULL;
+#endif
int* db_osize=0;
DB_FIELD** db_order=NULL;
FILE** db_filep=NULL;
@@ -302,9 +302,9 @@ char** db_readline_file(int db){
case DB_OLD: {
#ifdef WITH_MHASH
md=&(conf->dboldmd);
+ oldmdstr=&(conf->old_dboldmdstr);
#endif
domd=&(conf->do_dboldmd);
- oldmdstr=&(conf->old_dboldmdstr);
db_osize=&(conf->db_in_size);
db_order=&(conf->db_in_order);
@@ -316,9 +316,9 @@ char** db_readline_file(int db){
case DB_NEW: {
#ifdef WITH_MHASH
md=&(conf->dbnewmd);
+ oldmdstr=&(conf->old_dbnewmdstr);
#endif
domd=&(conf->do_dbnewmd);
- oldmdstr=&(conf->old_dbnewmdstr);
db_osize=&(conf->db_new_size);
db_order=&(conf->db_new_order);
@@ -328,7 +328,9 @@ char** db_readline_file(int db){
break;
}
}
-
+
+ if (db_osize == NULL) return NULL;
+
if (*db_osize==0) {
db_buff(db,*db_filep);
@@ -737,8 +739,6 @@ int db_writespec_file(db_config* dbconf)
int i=0;
int j=0;
int retval=1;
- void*key=NULL;
- int keylen=0;
struct tm* st;
time_t tim=time(&tim);
st=localtime(&tim);
@@ -750,6 +750,8 @@ int db_writespec_file(db_config* dbconf)
#ifdef WITH_MHASH
/* From hereon everything must MD'd before write to db */
+ void*key=NULL;
+ int keylen=0;
if((key=get_db_key())!=NULL){
keylen=get_db_key_len();
dbconf->do_dbnewmd=1;
diff -up ./src/do_md.c.coverity ./src/do_md.c
--- ./src/do_md.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/do_md.c 2018-10-10 19:27:18.683632707 +0200
@@ -202,7 +202,6 @@ void calc_md(struct AIDE_STAT_TYPE* old_
and we don't read from a pipe :)
*/
struct AIDE_STAT_TYPE fs;
- int sres=0;
int stat_diff,filedes;
#ifdef WITH_PRELINK
pid_t pid;
@@ -237,7 +236,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_
return;
}
- sres=AIDE_FSTAT_FUNC(filedes,&fs);
+ AIDE_FSTAT_FUNC(filedes,&fs);
if(!(line->attr&DB_RDEV))
fs.st_rdev=0;
@@ -331,7 +330,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_
}
#endif
#endif /* not HAVE_MMAP */
- buf=malloc(READ_BLOCK_SIZE);
+// buf=malloc(READ_BLOCK_SIZE);
#if READ_BLOCK_SIZE>SSIZE_MAX
#error "READ_BLOCK_SIZE" is too large. Max value is SSIZE_MAX, and current is READ_BLOCK_SIZE
#endif
diff -up ./src/gen_list.c.coverity ./src/gen_list.c
--- ./src/gen_list.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/gen_list.c 2018-10-10 19:27:18.684632716 +0200
@@ -843,15 +843,15 @@ static void add_file_to_tree(seltree* tr
DB_ATTR_TYPE localignorelist=0;
DB_ATTR_TYPE ignored_added_attrs, ignored_removed_attrs, ignored_changed_attrs;
+ if(file==NULL){
+ error(0, "add_file_to_tree was called with NULL db_line\n");
+ }
+
node=get_seltree_node(tree,file->filename);
if(!node){
node=new_seltree_node(tree,file->filename,0,NULL);
}
-
- if(file==NULL){
- error(0, "add_file_to_tree was called with NULL db_line\n");
- }
/* add note to this node which db has modified it */
node->checked|=db;
diff -up ./src/md.c.coverity ./src/md.c
--- ./src/md.c.coverity 2018-10-10 19:27:18.679632672 +0200
+++ ./src/md.c 2018-10-10 19:27:18.684632716 +0200
@@ -36,8 +36,8 @@
*/
DB_ATTR_TYPE hash_gcrypt2attr(int i) {
- DB_ATTR_TYPE r=0;
#ifdef WITH_GCRYPT
+ DB_ATTR_TYPE r=0;
switch (i) {
case GCRY_MD_MD5: {
r=DB_MD5;
@@ -74,13 +74,15 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) {
default:
break;
}
-#endif
return r;
+#else /* !WITH_GCRYPT */
+ return 0;
+#endif
}
const char * hash_gcrypt2str(int i) {
- char * r = "?";
#ifdef WITH_GCRYPT
+ char * r = "?";
switch (i) {
case GCRY_MD_MD5: {
r = "MD5";
@@ -117,13 +119,17 @@ const char * hash_gcrypt2str(int i) {
default:
break;
}
-#endif
return r;
+#else /* !WITH_GCRYPT */
+ return "?";
+#endif
}
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-parameter"
DB_ATTR_TYPE hash_mhash2attr(int i) {
- DB_ATTR_TYPE r=0;
#ifdef WITH_MHASH
+ DB_ATTR_TYPE r=0;
switch (i) {
case MHASH_CRC32: {
r=DB_CRC32;
@@ -198,10 +204,15 @@ DB_ATTR_TYPE hash_mhash2attr(int i) {
default:
break;
}
-#endif
+
return r;
+#else /*!WITH_MHASH */
+ return 0;
+#endif
}
+#pragma GCC diagnostic pop
+
/*
Initialise md_container according it's todo_attr field
*/
@@ -317,7 +328,6 @@ int init_md(struct md_container* md) {
*/
int update_md(struct md_container* md,void* data,ssize_t size) {
- int i;
error(255,"update_md called\n");
@@ -328,6 +338,7 @@ int update_md(struct md_container* md,vo
#endif
#ifdef WITH_MHASH
+ int i;
for(i=0;i<=HASH_MHASH_COUNT;i++) {
if (md->mhash_mdh[i]!=MHASH_FAILED) {
@@ -348,7 +359,6 @@ int update_md(struct md_container* md,vo
*/
int close_md(struct md_container* md) {
- int i;
#ifdef _PARAMETER_CHECK_
if (md==NULL) {
return RETFAIL;
@@ -356,6 +366,7 @@ int close_md(struct md_container* md) {
#endif
error(255,"close_md called \n");
#ifdef WITH_MHASH
+ int i;
for(i=0;i<=HASH_MHASH_COUNT;i++) {
if (md->mhash_mdh[i]!=MHASH_FAILED) {
mhash (md->mhash_mdh[i], NULL, 0);
diff -up ./src/util.c.coverity ./src/util.c
--- ./src/util.c.coverity 2018-10-10 19:27:18.670632593 +0200
+++ ./src/util.c 2018-10-10 19:27:18.684632716 +0200
@@ -105,13 +105,15 @@ url_t* parse_url(char* val)
for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++);
if(r[0]=='\0'){
error(0,"Invalid file-URL,no path after hostname: file:%s\n",t);
+ free(hostname);
return NULL;
}
u->value=strdup(r);
r[0]='\0';
if(gethostname(hostname,MAXHOSTNAMELEN)==-1){
- strncpy(hostname,"localhost", 10);
+ strncpy(hostname,"localhost", 10);
}
+
if( (strcmp(t,"localhost")==0)||(strcmp(t,hostname)==0)){
free(hostname);
break;
@@ -120,7 +122,7 @@ url_t* parse_url(char* val)
free(hostname);
return NULL;
}
- free(hostname);
+
break;
}
u->value=strdup(r);

357
SPECS/aide.spec Normal file
View File

@ -0,0 +1,357 @@
Summary: Intrusion detection environment
Name: aide
Version: 0.16
Release: 100%{?dist}
URL: http://sourceforge.net/projects/aide
License: GPLv2+
Source0: %{url}/files/aide/%{version}/%{name}-%{version}.tar.gz
Source1: aide.conf
Source2: README.quickstart
Source3: aide.logrotate
BuildRequires: gcc
BuildRequires: make
BuildRequires: bison flex
BuildRequires: pcre-devel
BuildRequires: libgpg-error-devel libgcrypt-devel
BuildRequires: zlib-devel
BuildRequires: libcurl-devel
BuildRequires: libacl-devel
BuildRequires: pkgconfig(libselinux)
BuildRequires: libattr-devel
BuildRequires: e2fsprogs-devel
BuildRequires: audit-libs-devel
BuildRequires: autoconf automake libtool
# Customize the database file location in the man page.
Patch1: aide-0.16rc1-man.patch
# fix aide in FIPS mode
Patch2: aide-0.16b1-fipsfix.patch
# Bug 1674637 - aide: FTBFS in Fedora rawhide/f30
Patch3: aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch
Patch4: aide-0.15-syslog-format.patch
Patch5: aide-0.16-crypto-disable-haval-and-others.patch
Patch6: coverity.patch
Patch7: aide-0.16-crash-elf.patch
Patch8: aide-configure.patch
Patch9: aide-static-analysis.patch
Patch10: aide-0.16-CVE-2021-45417.patch
%description
AIDE (Advanced Intrusion Detection Environment) is a file integrity
checker and intrusion detection program.
%prep
%autosetup -p1
cp -a %{S:2} .
%build
autoreconf -ivf
%configure \
--disable-static \
--with-config_file=%{_sysconfdir}/aide.conf \
--with-gcrypt \
--with-zlib \
--with-curl \
--with-posix-acl \
--with-selinux \
--with-xattr \
--with-e2fsattrs \
--with-audit \
--with-confighmactype=sha512 \
--with-dbhmactype=sha512
%make_build
%install
%make_install bindir=%{_sbindir}
install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:1}
install -Dpm0644 %{S:3} %{buildroot}%{_sysconfdir}/logrotate.d/aide
mkdir -p %{buildroot}%{_localstatedir}/log/aide
mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
%files
%license COPYING
%doc AUTHORS ChangeLog NEWS README doc/manual.html contrib/
%doc README.quickstart
%{_sbindir}/aide
%{_mandir}/man1/*.1*
%{_mandir}/man5/*.5*
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/aide.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/aide
%dir %attr(0700,root,root) %{_localstatedir}/lib/aide
%dir %attr(0700,root,root) %{_localstatedir}/log/aide
%changelog
* Mon Jan 24 2022 Radovan Sroka <rsroka@redhat.com> - 0.16-100
- backport fix for CVE-2021-45417
Resolves: rhbz#2041950
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.16-21
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu May 27 2021 Zoltan Fridrich <zfridric@redhat.com> - 0.16-20
- fix configuration option with-dbhmactype
- do not use sha1 and md5 by default
Resolves: rhbz#1935457
- fix important static analysis issues
Resolves: rhbz#1938676
* Mon May 10 2021 Zoltan Fridrich <zfridric@redhat.com> - 0.16-19
- use gating and config file from rhel-8.5
- remove check of periodically changing files
Resolves: rhbz#1957656
- config cleanup
Resolves: rhbz#1957654
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 0.16-18
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Jul 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-16
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> 0.16-14
- AIDE breaks when setting report_ignore_e2fsattrs
Resolves: rhbz#1850276
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Jul 31 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-12
- backport some patches
Resolves: rhbz#1717140
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Feb 20 2019 Daniel Kopecek <dkopecek@redhat.com> - 0.16-10
- Fix building with curl
Resolves: rhbz#1674637
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Jul 31 2018 Florian Weimer <fweimer@redhat.com> - 0.16-8
- Rebuild with fixed binutils
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.16-6
- Rebuild
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Apr 05 2017 Radovan Sroka <rsroka@redhat.com> - 0.16-2
- fixed upstream link
* Tue Apr 04 2017 Radovan Sroka <rsroka@redhat.com> - 0.16-1
- rebase to stable v0.16
- specfile cleanup
- make doc readable
resolves: #1421355
- make aide binary runable for any user
resolves: #1421351
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-0.3.rc1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Tue Jul 12 2016 Tomas Sykora <tosykora@redhat.com> - 0.16-0.2.rc1
- New upstream devel version
* Mon Jun 20 2016 Tomas Sykora <tosykora@redhat.com> - 0.16-0.1.b1
- New upstream devel version
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.15.1-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Sat Jul 25 2015 Till Maas <opensource@till.name> - 0.15.1-11
- Remove prelink dependency because prelink was retired
* Tue Jun 16 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Fri Jul 18 2014 Yaakov Selkowitz <yselkowi@redhat.com> - 0.15.1-8
- Fix FTBFS with -Werror=format-security (#1036983, #1105942)
- Avoid prelink BR on aarch64, ppc64le (#924977, #1078476)
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Thu Nov 22 2012 Daniel Kopecek <dkopecek@redhat.com> - 0.15.1-4
- added patch to fix aide in FIPS mode
- use only FIPS approved digest algorithms in aide.conf so that
aide works by default in FIPS mode
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Thu Nov 11 2010 Steve Grubb <sgrubb@redhat.com> - 0.15.1-1
- New upstream release
* Tue May 18 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-5
- Apply 2 upstream bug fixes
* Tue May 18 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-4
- Use upstream's patch to fix bz 590566
* Sat May 15 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-3
- Fix bz 590561 aide does not detect the change of SElinux context
- Fix bz 590566 aide reports a changed file when it has not been changed
* Wed Apr 28 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-2
- Fix bz 574764 by replacing abort calls with exit
- Apply libgcrypt init patch
* Tue Mar 16 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-1
- New upstream release final 0.14
* Thu Feb 25 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.4.rc3
- New upstream release
* Thu Feb 25 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.3.rc2
- New upstream release
* Tue Feb 23 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.2.rc1
- Fix dirent detection on 64bit systems
* Mon Feb 22 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.1.rc1
- New upstream release
* Fri Feb 19 2010 Steve Grubb <sgrubb@redhat.com> - 0.13.1-16
- Add logrotate script and spec file cleanups
* Fri Dec 11 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-15
- Get rid of .dedosify files
* Wed Dec 09 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-14
- Revise patch for Initialize libgcrypt correctly (#530485)
* Sat Nov 07 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-13
- Initialize libgcrypt correctly (#530485)
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 0.13.1-12
- rebuilt with new audit
* Wed Aug 19 2009 Steve Grubb <sgrubb@redhat.com> 0.13.1-11
- rebuild for new audit-libs
- Correct regex for root's dot files (#509370)
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Mon Jun 08 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-9
- Make aide smarter about prelinked files (Peter Vrabec)
- Add /lib64 to default config
* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Fri Jan 30 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-6
- enable xattr support and update config file
* Fri Sep 26 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.13.1-5
- fix selcon patch to apply without fuzz
* Fri Feb 15 2008 Steve Conklin <sconklin@redhat.com>
- rebuild for gcc4.3
* Tue Aug 21 2007 Michael Schwendt <mschwendt[AT]users.sf.net>
- rebuilt
* Sun Jul 22 2007 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13.1-2
- Apply Steve Conklin's patch to increase displayed portion of
selinux context.
* Sun Dec 17 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13.1-1
- Update to 0.13.1 release.
* Sun Dec 10 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13-1
- Update to 0.13 release.
- Include default aide.conf from RHEL5 as doc example file.
* Sun Oct 29 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-3.20061027cvs
- CAUTION! This changes the database format and results in a report of
false inconsistencies until an old database file is updated.
- Check out CVS 20061027 which now contains Red Hat's
acl/xattr/selinux/audit patches.
- Patches merged upstream.
- Update manual page substitutions.
* Mon Oct 23 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-2
- Add "memory leaks and performance updates" patch as posted
to aide-devel by Steve Grubb.
* Sat Oct 07 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-1
- Update to 0.12 release.
- now offers --disable-static, so -no-static patch is obsolete
- fill last element of getopt struct array with zeroes
* Mon Oct 02 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-3
- rebuilt
* Mon Sep 11 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-2
- rebuilt
* Sun Feb 19 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-1
- Update to 0.11 release.
- useless-includes patch merged upstream.
- old Russian man pages not available anymore.
- disable static linking.
* Thu Apr 7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
- rebuilt
* Fri Nov 28 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.1
- Update to 0.10 release.
- memleaks patch merged upstream.
- rootpath patch merged upstream.
- fstat patch not needed anymore.
- Updated URL.
* Thu Nov 13 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.0.2.cvs20031104
- Added buildreq m4 to work around incomplete deps of bison package.
* Tue Nov 04 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.0.1.cvs20031104
- Only tar.gz available upstream.
- byacc not needed when bison -y is available.
- Installed Russian manual pages.
- Updated with changes from CVS (2003-11-04).
- getopt patch merged upstream.
- bison-1.35 patch incorporated upstream.
* Tue Sep 09 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.9-0.fdr.0.2.20030902
- Added fixes for further memleaks.
* Sun Sep 07 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.9-0.fdr.0.1.20030902
- Initial package version.