import aide-0.16-100.el9
This commit is contained in:
commit
0ae03f0f89
1
.aide.metadata
Normal file
1
.aide.metadata
Normal file
@ -0,0 +1 @@
|
||||
b97f65bb12701a42baa2cce45b41ed6367a70734 SOURCES/aide-0.16.tar.gz
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
SOURCES/aide-0.16.tar.gz
|
40
SOURCES/README.quickstart
Normal file
40
SOURCES/README.quickstart
Normal file
@ -0,0 +1,40 @@
|
||||
1) Customize /etc/aide.conf to your liking. In particular, add
|
||||
important directories and files which you would like to be
|
||||
covered by integrity checks. Avoid files which are expected
|
||||
to change frequently or which don't affect the safety of your
|
||||
system.
|
||||
|
||||
2) Run "/usr/sbin/aide --init" to build the initial database.
|
||||
With the default setup, that creates /var/lib/aide/aide.db.new.gz
|
||||
|
||||
3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
|
||||
in a secure location, e.g. on separate read-only media (such as
|
||||
CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures
|
||||
of those files in a secure location, so you have means to verify
|
||||
that nobody modified those files.
|
||||
|
||||
4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
|
||||
which is the location of the input database.
|
||||
|
||||
5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
|
||||
compared with the AIDE database. Prior to running a check manually,
|
||||
ensure that the AIDE binary and database have not been modified
|
||||
without your knowledge.
|
||||
|
||||
Caution!
|
||||
|
||||
With the default setup, an AIDE check is not run periodically as a
|
||||
cron job. It cannot be guaranteed that the AIDE binaries, config
|
||||
file and database are intact. It is not recommended that you run
|
||||
automated AIDE checks without verifying AIDE yourself frequently.
|
||||
In addition to that, AIDE does not implement any password or
|
||||
encryption protection for its own files.
|
||||
|
||||
It is up to you how to put a file integrity checker to good effect
|
||||
and how to set up automated checks if you think it adds a level of
|
||||
safety (e.g. detecting failed/incomplete compromises or unauthorized
|
||||
modification of special files). On a compromised system, the
|
||||
intruder could disable the automated check. Or he could replace the
|
||||
AIDE binary, config file and database easily when they are not
|
||||
located on read-only media.
|
||||
|
496
SOURCES/aide-0.15-syslog-format.patch
Normal file
496
SOURCES/aide-0.15-syslog-format.patch
Normal file
@ -0,0 +1,496 @@
|
||||
diff -up ./doc/aide.conf.5.in.syslog_format ./doc/aide.conf.5.in
|
||||
--- ./doc/aide.conf.5.in.syslog_format 2016-07-25 22:58:12.000000000 +0200
|
||||
+++ ./doc/aide.conf.5.in 2018-09-27 19:09:09.697371212 +0200
|
||||
@@ -57,6 +57,25 @@ inclusive. This parameter can only be gi
|
||||
occurrence is used. If \-\-verbose or \-V is used then the value from that
|
||||
is used. The default is 5. If verbosity is 20 then additional report
|
||||
output is written when doing \-\-check, \-\-update or \-\-compare.
|
||||
+.IP "syslog_format"
|
||||
+Valid values are yes,true,no and false. This option enables new syslog format
|
||||
+which is suitable for logging. Every change is logged as one simple line. This option
|
||||
+changes verbose level to 0 and prints everything that was changed. It is suggested
|
||||
+to use this option with "report_url=syslog:...". Default value is "false/no".
|
||||
+Maximum size of message is 1KB which is limitation of syslog call. If message is
|
||||
+greater than limit, message will be truncated.
|
||||
+Option summarize_changes has no impact for this format.
|
||||
+.nf
|
||||
+.eo
|
||||
+
|
||||
+Output always starts with:
|
||||
+"AIDE found differences between database and filesystem!!"
|
||||
+And it is followed by summary:
|
||||
+summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1
|
||||
+And finally there are logs about changes:
|
||||
+dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;...
|
||||
+.ec
|
||||
+.fi
|
||||
.IP "report_url"
|
||||
The url that the output is written to. There can be multiple instances
|
||||
of this parameter. Output is written to all of them. The default is
|
||||
diff -up ./include/db_config.h.syslog_format ./include/db_config.h
|
||||
--- ./include/db_config.h.syslog_format 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./include/db_config.h 2018-09-27 19:09:09.697371212 +0200
|
||||
@@ -311,6 +311,7 @@ typedef struct db_config {
|
||||
FILE* db_out;
|
||||
|
||||
int config_check;
|
||||
+ int syslog_format;
|
||||
|
||||
struct md_container *mdc_in;
|
||||
struct md_container *mdc_out;
|
||||
diff -up ./src/aide.c.syslog_format ./src/aide.c
|
||||
--- ./src/aide.c.syslog_format 2018-09-27 19:09:09.695371197 +0200
|
||||
+++ ./src/aide.c 2018-09-27 19:09:09.698371220 +0200
|
||||
@@ -283,6 +283,7 @@ static void setdefaults_before_config()
|
||||
}
|
||||
|
||||
/* Setting some defaults */
|
||||
+ conf->syslog_format=0;
|
||||
conf->report_db=0;
|
||||
conf->tree=NULL;
|
||||
conf->config_check=0;
|
||||
@@ -495,6 +496,10 @@ static void setdefaults_after_config()
|
||||
if(conf->verbose_level==-1){
|
||||
conf->verbose_level=5;
|
||||
}
|
||||
+ if(conf->syslog_format==1){
|
||||
+ conf->verbose_level=0;
|
||||
+ }
|
||||
+
|
||||
}
|
||||
|
||||
|
||||
diff -up ./src/compare_db.c.syslog_format ./src/compare_db.c
|
||||
--- ./src/compare_db.c.syslog_format 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./src/compare_db.c 2018-09-27 19:09:09.698371220 +0200
|
||||
@@ -110,7 +110,7 @@ const DB_ATTR_TYPE details_attributes[]
|
||||
#endif
|
||||
};
|
||||
|
||||
-const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size (>)"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512")
|
||||
+const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512")
|
||||
#ifdef WITH_MHASH
|
||||
, _("CRC32"), _("HAVAL"), _("GOST"), _("CRC32B"), _("WHIRLPOOL")
|
||||
#endif
|
||||
@@ -269,12 +269,19 @@ static int xattrs2array(xattrs_type* xat
|
||||
if ((len == xattrs->ents[num - 1].vsz) || ((len == (xattrs->ents[num - 1].vsz - 1)) && !val[len])) {
|
||||
length = 8 + width + strlen(xattrs->ents[num - 1].key) + strlen(val);
|
||||
(*values)[num]=malloc(length *sizeof(char));
|
||||
- snprintf((*values)[num], length , "[%.*zd] %s = %s", width, num, xattrs->ents[num - 1].key, val);
|
||||
+
|
||||
+ char * fmt = "[%.*zd] %s = %s";
|
||||
+ if (conf->syslog_format) fmt = "[%.*zd]%s=%s"; // its smaller so it has to be enough space allocated.
|
||||
+ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val);
|
||||
+
|
||||
} else {
|
||||
val = encode_base64(xattrs->ents[num - 1].val, xattrs->ents[num - 1].vsz);
|
||||
length = 10 + width + strlen(xattrs->ents[num - 1].key) + strlen(val);
|
||||
(*values)[num]=malloc( length *sizeof(char));
|
||||
- snprintf((*values)[num], length , "[%.*zd] %s <=> %s", width, num, xattrs->ents[num - 1].key, val);
|
||||
+
|
||||
+ char * fmt = "[%.*zd] %s <=> %s";
|
||||
+ if (conf->syslog_format) fmt = "[%.*zd]%s<=>%s"; // its smaller so it has to be enough space allocated.
|
||||
+ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val);
|
||||
free(val);
|
||||
}
|
||||
}
|
||||
@@ -302,6 +309,26 @@ static int acl2array(acl_type* acl, char
|
||||
}
|
||||
if (acl->acl_a || acl->acl_d) {
|
||||
int j, k, i;
|
||||
+ if (conf->syslog_format) {
|
||||
+ *values = malloc(2 * sizeof(char*));
|
||||
+
|
||||
+ char *A, *D = "<NONE>";
|
||||
+
|
||||
+ if (acl->acl_a) { A = acl->acl_a; }
|
||||
+ if (acl->acl_d) { D = acl->acl_d; }
|
||||
+
|
||||
+ (*values)[0] = (char*) malloc(strlen(A) + 3); // "A:" and \0
|
||||
+ snprintf((*values)[0], strlen(A) + 3, "A:%s", A);
|
||||
+
|
||||
+ (*values)[1] = (char*) malloc(strlen(D) + 3); // "D:" and \0
|
||||
+ snprintf((*values)[1], strlen(D) + 3, "D:%s", D);
|
||||
+
|
||||
+ i = 0; while ( (*values)[0][i] ) { if ( (*values)[0][i]=='\n') { (*values)[0][i] = ' '; } i++; }
|
||||
+ i = 0; while ( (*values)[1][i] ) { if ( (*values)[1][i]=='\n') { (*values)[1][i] = ' '; } i++; }
|
||||
+
|
||||
+ return 2;
|
||||
+ }
|
||||
+
|
||||
if (acl->acl_a) { i = 0; while (acl->acl_a[i]) { if (acl->acl_a[i++]=='\n') { n++; } } }
|
||||
if (acl->acl_d) { i = 0; while (acl->acl_d[i]) { if (acl->acl_d[i++]=='\n') { n++; } } }
|
||||
*values = malloc(n * sizeof(char*));
|
||||
@@ -338,25 +365,25 @@ static char* e2fsattrs2string(unsigned l
|
||||
|
||||
static char* get_file_type_string(mode_t mode) {
|
||||
switch (mode & S_IFMT) {
|
||||
- case S_IFREG: return _("File");
|
||||
- case S_IFDIR: return _("Directory");
|
||||
+ case S_IFREG: return conf->syslog_format ? "file" : _("File");
|
||||
+ case S_IFDIR: return conf->syslog_format ? "dir" : _("Directory");
|
||||
#ifdef S_IFIFO
|
||||
- case S_IFIFO: return _("FIFO");
|
||||
+ case S_IFIFO: return conf->syslog_format ? "fifo" : _("FIFO");
|
||||
#endif
|
||||
- case S_IFLNK: return _("Link");
|
||||
- case S_IFBLK: return _("Block device");
|
||||
- case S_IFCHR: return _("Character device");
|
||||
+ case S_IFLNK: return conf->syslog_format ? "link" : _("Link");
|
||||
+ case S_IFBLK: return conf->syslog_format ? "blockd" : _("Block device");
|
||||
+ case S_IFCHR: return conf->syslog_format ? "chard" : _("Character device");
|
||||
#ifdef S_IFSOCK
|
||||
- case S_IFSOCK: return _("Socket");
|
||||
+ case S_IFSOCK: return conf->syslog_format ? "socket" : _("Socket");
|
||||
#endif
|
||||
#ifdef S_IFDOOR
|
||||
- case S_IFDOOR: return _("Door");
|
||||
+ case S_IFDOOR: return conf->syslog_format ? "door" : _("Door");
|
||||
#endif
|
||||
#ifdef S_IFPORT
|
||||
- case S_IFPORT: return _("Port");
|
||||
+ case S_IFPORT: return conf->syslog_format ? "port" : _("Port");
|
||||
#endif
|
||||
case 0: return NULL;
|
||||
- default: return _("Unknown file type");
|
||||
+ default: return conf->syslog_format ? "unknown" : _("Unknown file type");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -554,6 +581,51 @@ static void print_dbline_attributes(db_l
|
||||
}
|
||||
}
|
||||
|
||||
+
|
||||
+static void print_dbline_attributes_syslog(db_line* oline, db_line* nline, DB_ATTR_TYPE
|
||||
+ changed_attrs, DB_ATTR_TYPE force_attrs) {
|
||||
+ char **ovalue, **nvalue;
|
||||
+ int onumber, nnumber, i, j;
|
||||
+ int length = sizeof(details_attributes)/sizeof(DB_ATTR_TYPE);
|
||||
+ DB_ATTR_TYPE attrs;
|
||||
+ char *file_type = get_file_type_string((nline==NULL?oline:nline)->perm);
|
||||
+ if (file_type) {
|
||||
+ error(0,"%s=", file_type);
|
||||
+ }
|
||||
+ error(0,"%s", (nline==NULL?oline:nline)->filename);
|
||||
+ attrs=force_attrs|(~(ignored_changed_attrs)&changed_attrs);
|
||||
+ for (j=0; j < length; ++j) {
|
||||
+ if (details_attributes[j]&attrs) {
|
||||
+ onumber=get_attribute_values(details_attributes[j], oline, &ovalue);
|
||||
+ nnumber=get_attribute_values(details_attributes[j], nline, &nvalue);
|
||||
+
|
||||
+ if (details_attributes[j] == DB_ACL || details_attributes[j] == DB_XATTRS) {
|
||||
+
|
||||
+ error(0, ";%s_old=|", details_string[j]);
|
||||
+
|
||||
+ for (i = 0 ; i < onumber ; i++) {
|
||||
+ error(0, "%s|", ovalue[i]);
|
||||
+ }
|
||||
+
|
||||
+ error(0, ";%s_new=|", details_string[j]);
|
||||
+
|
||||
+ for (i = 0 ; i < nnumber ; i++) {
|
||||
+ error(0, "%s|", nvalue[i]);
|
||||
+ }
|
||||
+
|
||||
+ } else {
|
||||
+
|
||||
+ error(0, ";%s_old=%s;%s_new=%s", details_string[j], *ovalue, details_string[j], *nvalue);
|
||||
+
|
||||
+ }
|
||||
+
|
||||
+ for(i=0; i < onumber; ++i) { free(ovalue[i]); ovalue[i]=NULL; } free(ovalue); ovalue=NULL;
|
||||
+ for(i=0; i < nnumber; ++i) { free(nvalue[i]); nvalue[i]=NULL; } free(nvalue); nvalue=NULL;
|
||||
+ }
|
||||
+ }
|
||||
+ error(0, "\n");
|
||||
+}
|
||||
+
|
||||
static void print_attributes_added_node(db_line* line) {
|
||||
print_dbline_attributes(NULL, line, 0, line->attr);
|
||||
}
|
||||
@@ -562,6 +634,26 @@ static void print_attributes_removed_nod
|
||||
print_dbline_attributes(line, NULL, 0, line->attr);
|
||||
}
|
||||
|
||||
+static void print_attributes_added_node_syslog(db_line* line) {
|
||||
+
|
||||
+ char *file_type = get_file_type_string(line->perm);
|
||||
+ if (file_type) {
|
||||
+ error(0,"%s=", file_type);
|
||||
+ }
|
||||
+ error(0,"%s; added\n", line->filename);
|
||||
+
|
||||
+}
|
||||
+
|
||||
+static void print_attributes_removed_node_syslog(db_line* line) {
|
||||
+
|
||||
+ char *file_type = get_file_type_string(line->perm);
|
||||
+ if (file_type) {
|
||||
+ error(0,"%s=", file_type);
|
||||
+ }
|
||||
+ error(0,"%s; removed\n", line->filename);
|
||||
+
|
||||
+}
|
||||
+
|
||||
static void terse_report(seltree* node) {
|
||||
list* r=NULL;
|
||||
if ((node->checked&(DB_OLD|DB_NEW)) != 0) {
|
||||
@@ -626,6 +718,26 @@ static void print_report_details(seltree
|
||||
}
|
||||
}
|
||||
|
||||
+static void print_syslog_format(seltree* node) {
|
||||
+ list* r=NULL;
|
||||
+
|
||||
+ if (node->checked&NODE_CHANGED) {
|
||||
+ print_dbline_attributes_syslog(node->old_data, node->new_data, node->changed_attrs, forced_attrs);
|
||||
+ }
|
||||
+
|
||||
+ if (node->checked&NODE_ADDED) {
|
||||
+ print_attributes_added_node_syslog(node->new_data);
|
||||
+ }
|
||||
+
|
||||
+ if (node->checked&NODE_REMOVED) {
|
||||
+ print_attributes_removed_node_syslog(node->old_data);
|
||||
+ }
|
||||
+
|
||||
+ for(r=node->childs;r;r=r->next){
|
||||
+ print_syslog_format((seltree*)r->data);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static void print_report_header() {
|
||||
char *time;
|
||||
int first = 1;
|
||||
@@ -747,39 +859,53 @@ int gen_report(seltree* node) {
|
||||
send_audit_report();
|
||||
#endif
|
||||
if ((nadd|nrem|nchg) > 0 || conf->report_quiet == 0) {
|
||||
- print_report_header();
|
||||
- if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) {
|
||||
- if (conf->grouped) {
|
||||
- if (nadd) {
|
||||
- error(2,(char*)report_top_format,_("Added entries"));
|
||||
- print_report_list(node, NODE_ADDED);
|
||||
- }
|
||||
- if (nrem) {
|
||||
- error(2,(char*)report_top_format,_("Removed entries"));
|
||||
- print_report_list(node, NODE_REMOVED);
|
||||
- }
|
||||
- if (nchg) {
|
||||
- error(2,(char*)report_top_format,_("Changed entries"));
|
||||
- print_report_list(node, NODE_CHANGED);
|
||||
- }
|
||||
- } else if (nadd || nrem || nchg) {
|
||||
- if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); }
|
||||
- else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); }
|
||||
- else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); }
|
||||
- else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); }
|
||||
- else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); }
|
||||
- else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); }
|
||||
- else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); }
|
||||
- print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED);
|
||||
- }
|
||||
- if (nadd || nrem || nchg) {
|
||||
- error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes"));
|
||||
- print_report_details(node);
|
||||
- }
|
||||
- }
|
||||
- print_report_databases();
|
||||
- conf->end_time=time(&(conf->end_time));
|
||||
- print_report_footer();
|
||||
+
|
||||
+ if (!conf->syslog_format) {
|
||||
+ print_report_header();
|
||||
+ }
|
||||
+
|
||||
+ if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) {
|
||||
+ if (!conf->syslog_format && conf->grouped) {
|
||||
+ if (nadd) {
|
||||
+ error(2,(char*)report_top_format,_("Added entries"));
|
||||
+ print_report_list(node, NODE_ADDED);
|
||||
+ }
|
||||
+ if (nrem) {
|
||||
+ error(2,(char*)report_top_format,_("Removed entries"));
|
||||
+ print_report_list(node, NODE_REMOVED);
|
||||
+ }
|
||||
+ if (nchg) {
|
||||
+ error(2,(char*)report_top_format,_("Changed entries"));
|
||||
+ print_report_list(node, NODE_CHANGED);
|
||||
+ }
|
||||
+ } else if (!conf->syslog_format && ( nadd || nrem || nchg ) ) {
|
||||
+ if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); }
|
||||
+ else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); }
|
||||
+ else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); }
|
||||
+ else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); }
|
||||
+ else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); }
|
||||
+ else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); }
|
||||
+ else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); }
|
||||
+ print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED);
|
||||
+ }
|
||||
+ if (nadd || nrem || nchg) {
|
||||
+ if (!conf->syslog_format) {
|
||||
+ error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes"));
|
||||
+ print_report_details(node);
|
||||
+ } else {
|
||||
+ /* Syslog Format */
|
||||
+ error(0, "AIDE found differences between database and filesystem!!\n");
|
||||
+ error(0, "summary;total_number_of_files=%ld;added_files=%ld;"
|
||||
+ "removed_files=%ld;changed_files=%ld\n",ntotal,nadd,nrem,nchg);
|
||||
+ print_syslog_format(node);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ if (!conf->syslog_format) {
|
||||
+ print_report_databases();
|
||||
+ conf->end_time=time(&(conf->end_time));
|
||||
+ print_report_footer();
|
||||
+ }
|
||||
}
|
||||
|
||||
return conf->action&(DO_COMPARE|DO_DIFF) ? (nadd!=0)*1+(nrem!=0)*2+(nchg!=0)*4 : 0;
|
||||
diff -up ./src/conf_lex.l.syslog_format ./src/conf_lex.l
|
||||
--- ./src/conf_lex.l.syslog_format 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./src/conf_lex.l 2018-09-27 19:09:09.698371220 +0200
|
||||
@@ -401,6 +401,12 @@ int var_in_conflval=0;
|
||||
return (TROOT_PREFIX);
|
||||
}
|
||||
|
||||
+^[\t\ ]*"syslog_format"{E} {
|
||||
+ error(230,"%li:syslog_format =\n",conf_lineno);
|
||||
+ BEGIN CONFVALHUNT;
|
||||
+ return (SYSLOG_FORMAT);
|
||||
+}
|
||||
+
|
||||
^[\t\ ]*"recstop"{E} {
|
||||
error(230,"%li:recstop =\n",conf_lineno);
|
||||
BEGIN CONFVALHUNT;
|
||||
diff -up ./src/conf_yacc.y.syslog_format ./src/conf_yacc.y
|
||||
--- ./src/conf_yacc.y.syslog_format 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./src/conf_yacc.y 2018-09-27 19:09:09.699371228 +0200
|
||||
@@ -89,6 +89,7 @@ extern long conf_lineno;
|
||||
%token TREPORT_URL
|
||||
%token TGZIPDBOUT
|
||||
%token TROOT_PREFIX
|
||||
+%token SYSLOG_FORMAT
|
||||
%token TUMASK
|
||||
%token TTRUE
|
||||
%token TFALSE
|
||||
@@ -160,7 +161,7 @@ line : rule | equrule | negrule | define
|
||||
| ifdefstmt | ifndefstmt | ifhoststmt | ifnhoststmt
|
||||
| groupdef | db_in | db_out | db_new | db_attrs | verbose | report_detailed_init | config_version
|
||||
| database_add_metadata | report | gzipdbout | root_prefix | report_base16 | report_quiet
|
||||
- | report_ignore_e2fsattrs | recursion_stopper | warn_dead_symlinks | grouped
|
||||
+ | report_ignore_e2fsattrs | syslogformat | recursion_stopper | warn_dead_symlinks | grouped
|
||||
| summarize_changes | acl_no_symlink_follow | beginconfigstmt | endconfigstmt
|
||||
| TEOF {
|
||||
newlinelastinconfig=1;
|
||||
@@ -408,6 +409,15 @@ conf->gzip_dbout=0;
|
||||
#endif
|
||||
} ;
|
||||
|
||||
+syslogformat : SYSLOG_FORMAT TTRUE {
|
||||
+conf->syslog_format=1;
|
||||
+} |
|
||||
+ SYSLOG_FORMAT TFALSE {
|
||||
+conf->syslog_format=0;
|
||||
+} ;
|
||||
+
|
||||
+
|
||||
+
|
||||
recursion_stopper : TRECSTOP TSTRING {
|
||||
/* FIXME implement me */
|
||||
|
||||
diff -up ./src/error.c.syslog_format ./src/error.c
|
||||
--- ./src/error.c.syslog_format 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./src/error.c 2018-09-27 19:13:40.312416750 +0200
|
||||
@@ -38,6 +38,9 @@
|
||||
/*for locale support*/
|
||||
#include "util.h"
|
||||
|
||||
+#define MAX_BUFFER_SIZE 1024
|
||||
+static char syslog_buffer[MAX_BUFFER_SIZE+1];
|
||||
+
|
||||
int cmp_url(url_t* url1,url_t* url2){
|
||||
|
||||
return ((url1->type==url2->type)&&(strcmp(url1->value,url2->value)==0));
|
||||
@@ -48,7 +51,9 @@ int error_init(url_t* url,int initial)
|
||||
{
|
||||
list* r=NULL;
|
||||
FILE* fh=NULL;
|
||||
- int sfac;
|
||||
+ int sfac;
|
||||
+
|
||||
+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1);
|
||||
|
||||
if (url->type==url_database) {
|
||||
conf->report_db++;
|
||||
@@ -163,13 +168,24 @@ void error(int errorlevel,char* error_ms
|
||||
}
|
||||
#ifdef HAVE_SYSLOG
|
||||
if(conf->initial_report_url->type==url_syslog){
|
||||
-#ifdef HAVE_VSYSLOG
|
||||
- vsyslog(SYSLOG_PRIORITY,error_msg,ap);
|
||||
-#else
|
||||
- char buf[1024];
|
||||
- vsnprintf(buf,1024,error_msg,ap);
|
||||
- syslog(SYSLOG_PRIORITY,"%s",buf);
|
||||
-#endif
|
||||
+
|
||||
+ char buff[MAX_BUFFER_SIZE+1];
|
||||
+ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap);
|
||||
+ size_t buff_len = strlen(buff);
|
||||
+
|
||||
+ char result_buff[MAX_BUFFER_SIZE+1];
|
||||
+#pragma GCC diagnostic push
|
||||
+#pragma GCC diagnostic ignored "-Wformat-truncation"
|
||||
+ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff);
|
||||
+#pragma GCC diagnostic pop
|
||||
+
|
||||
+ if(buff[buff_len-1] == '\n'){
|
||||
+ syslog(SYSLOG_PRIORITY,"%s",result_buff);
|
||||
+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1);
|
||||
+ } else {
|
||||
+ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE);
|
||||
+ }
|
||||
+
|
||||
va_end(ap);
|
||||
return;
|
||||
}
|
||||
@@ -181,17 +197,25 @@ void error(int errorlevel,char* error_ms
|
||||
|
||||
#ifdef HAVE_SYSLOG
|
||||
if (conf->report_syslog!=0) {
|
||||
-#ifdef HAVE_VSYSLOG
|
||||
- va_start(ap,error_msg);
|
||||
- vsyslog(SYSLOG_PRIORITY,error_msg,ap);
|
||||
- va_end(ap);
|
||||
-#else
|
||||
- char buf[1024];
|
||||
- va_start(ap,error_msg);
|
||||
- vsnprintf(buf,1024,error_msg,ap);
|
||||
+ va_start(ap, error_msg);
|
||||
+
|
||||
+ char buff[MAX_BUFFER_SIZE+1];
|
||||
+ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap);
|
||||
+ size_t buff_len = strlen(buff);
|
||||
+
|
||||
+ char result_buff[MAX_BUFFER_SIZE+1];
|
||||
+#pragma GCC diagnostic push
|
||||
+#pragma GCC diagnostic ignored "-Wformat-truncation"
|
||||
+ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff);
|
||||
+#pragma GCC diagnostic pop
|
||||
+
|
||||
+ if(buff[buff_len-1] == '\n'){
|
||||
+ syslog(SYSLOG_PRIORITY,"%s",result_buff);
|
||||
+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1);
|
||||
+ } else {
|
||||
+ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE);
|
||||
+ }
|
||||
va_end(ap);
|
||||
- syslog(SYSLOG_PRIORITY,"%s",buf);
|
||||
-#endif
|
||||
}
|
||||
#endif
|
||||
|
123
SOURCES/aide-0.16-CVE-2021-45417.patch
Normal file
123
SOURCES/aide-0.16-CVE-2021-45417.patch
Normal file
@ -0,0 +1,123 @@
|
||||
diff --git a/include/base64.h b/include/base64.h
|
||||
index 0ff7116..381ef5d 100644
|
||||
--- a/include/base64.h
|
||||
+++ b/include/base64.h
|
||||
@@ -36,7 +36,6 @@
|
||||
#include <assert.h>
|
||||
#include "types.h"
|
||||
|
||||
-#define B64_BUF 16384
|
||||
#define FAIL -1
|
||||
#define SKIP -2
|
||||
|
||||
diff --git a/src/base64.c b/src/base64.c
|
||||
index fd01bac..1b0f301 100644
|
||||
--- a/src/base64.c
|
||||
+++ b/src/base64.c
|
||||
@@ -85,11 +85,9 @@ FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL
|
||||
};
|
||||
|
||||
/* Returns NULL on error */
|
||||
-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */
|
||||
char* encode_base64(byte* src,size_t ssize)
|
||||
{
|
||||
char* outbuf;
|
||||
- char* retbuf;
|
||||
int pos;
|
||||
int i, l, left;
|
||||
unsigned long triple;
|
||||
@@ -101,7 +99,10 @@ char* encode_base64(byte* src,size_t ssize)
|
||||
error(240,"\n");
|
||||
return NULL;
|
||||
}
|
||||
- outbuf = (char *)malloc(sizeof(char)*B64_BUF);
|
||||
+
|
||||
+ /* length of encoded base64 string (padded) */
|
||||
+ size_t length = sizeof(char)* ((ssize + 2) / 3) * 4;
|
||||
+ outbuf = (char *)malloc(length + 1);
|
||||
|
||||
/* Initialize working pointers */
|
||||
inb = src;
|
||||
@@ -162,20 +163,14 @@ char* encode_base64(byte* src,size_t ssize)
|
||||
inb++;
|
||||
}
|
||||
|
||||
- /* outbuf is not completely used so we use retbuf */
|
||||
- retbuf=(char*)malloc(sizeof(char)*(pos+1));
|
||||
- memcpy(retbuf,outbuf,pos);
|
||||
- retbuf[pos]='\0';
|
||||
- free(outbuf);
|
||||
+ outbuf[pos]='\0';
|
||||
|
||||
- return retbuf;
|
||||
+ return outbuf;
|
||||
}
|
||||
|
||||
-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */
|
||||
byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
|
||||
{
|
||||
byte* outbuf;
|
||||
- byte* retbuf;
|
||||
char* inb;
|
||||
int i;
|
||||
int l;
|
||||
@@ -188,10 +183,18 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
|
||||
if (!ssize||src==NULL)
|
||||
return NULL;
|
||||
|
||||
+ /* exit on unpadded input */
|
||||
+ if (ssize % 4) {
|
||||
+ error(3, "decode_base64: '%s' has invalid length (missing padding characters?)", src);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
+ /* calculate length of decoded string, substract padding chars if any (ssize is >= 4) */
|
||||
+ size_t length = sizeof(byte) * ((ssize / 4) * 3)- (src[ssize-1] == '=') - (src[ssize-2] == '=');
|
||||
|
||||
/* Initialize working pointers */
|
||||
inb = src;
|
||||
- outbuf = (byte *)malloc(sizeof(byte)*B64_BUF);
|
||||
+ outbuf = (byte *)malloc(length + 1);
|
||||
|
||||
l = 0;
|
||||
triple = 0;
|
||||
@@ -243,15 +246,11 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
|
||||
inb++;
|
||||
}
|
||||
|
||||
- retbuf=(byte*)malloc(sizeof(byte)*(pos+1));
|
||||
- memcpy(retbuf,outbuf,pos);
|
||||
- retbuf[pos]='\0';
|
||||
-
|
||||
- free(outbuf);
|
||||
+ outbuf[pos]='\0';
|
||||
|
||||
if (ret_len) *ret_len = pos;
|
||||
|
||||
- return retbuf;
|
||||
+ return outbuf;
|
||||
}
|
||||
|
||||
size_t length_base64(char* src,size_t ssize)
|
||||
diff --git a/src/db.c b/src/db.c
|
||||
index 858240d..62c4faa 100644
|
||||
--- a/src/db.c
|
||||
+++ b/src/db.c
|
||||
@@ -664,13 +664,15 @@ db_line* db_char2line(char** ss,int db){
|
||||
|
||||
time_t base64totime_t(char* s){
|
||||
|
||||
+ if(strcmp(s,"0")==0){
|
||||
+ return 0;
|
||||
+ }
|
||||
byte* b=decode_base64(s,strlen(s),NULL);
|
||||
char* endp;
|
||||
|
||||
- if (b==NULL||strcmp(s,"0")==0) {
|
||||
+ if (b==NULL) {
|
||||
|
||||
/* Should we print error here? */
|
||||
- free(b);
|
||||
|
||||
return 0;
|
||||
} else {
|
@ -0,0 +1,58 @@
|
||||
From c7caa6027c92b28aa11b8da74d56357e12f56d67 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Daniel=20Kope=C4=8Dek?= <dkopecek@redhat.com>
|
||||
Date: Wed, 20 Feb 2019 12:00:56 +0100
|
||||
Subject: [PATCH] Use LDADD for adding curl library to the linker command
|
||||
|
||||
---
|
||||
Makefile.am | 2 +-
|
||||
configure.ac | 5 +++--
|
||||
2 files changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 4b05d7a..1541d56 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -55,7 +55,7 @@ if USE_CURL
|
||||
aide_SOURCES += include/fopen.h src/fopen.c
|
||||
endif
|
||||
|
||||
-aide_LDADD = -lm @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@
|
||||
+aide_LDADD = -lm @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@ @CURLLIB@
|
||||
AM_CFLAGS = @AIDE_DEFS@ -W -Wall -g
|
||||
AM_CPPFLAGS = -I$(top_srcdir) \
|
||||
-I$(top_srcdir)/include \
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 3598ebe..0418c59 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -702,24 +702,25 @@ if test x$with_zlib = xyes; then
|
||||
compoptionstring="${compoptionstring}WITH_ZLIB\\n"
|
||||
fi
|
||||
|
||||
+CURLLIB=
|
||||
if test x$with_curl = xyes; then
|
||||
AC_PATH_PROG(curlconfig, "curl-config")
|
||||
if test "_$curlconfig" != _ ; then
|
||||
CURL_CFLAGS=`$curlconfig --cflags`
|
||||
- CURL_LIBS=`$curlconfig --libs`
|
||||
+ CURLLIB=`$curlconfig --libs`
|
||||
else
|
||||
AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])
|
||||
fi
|
||||
AC_CHECK_HEADERS(curl/curl.h,,
|
||||
[AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])])
|
||||
CFLAGS="$CFLAGS $CURL_CFLAGS"
|
||||
- LDFLAGS="$LDFLAGS $CURL_LIBS"
|
||||
AC_CHECK_LIB(curl,curl_easy_init,havecurl=yes,
|
||||
[AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])]
|
||||
)
|
||||
AC_DEFINE(WITH_CURL,1,[use curl])
|
||||
compoptionstring="${compoptionstring}WITH_CURL\\n"
|
||||
fi
|
||||
+AC_SUBST(CURLLIB)
|
||||
AM_CONDITIONAL(USE_CURL, test x$havecurl = xyes)
|
||||
|
||||
AC_ARG_WITH(mhash,
|
||||
--
|
||||
2.20.1
|
||||
|
17
SOURCES/aide-0.16-crash-elf.patch
Normal file
17
SOURCES/aide-0.16-crash-elf.patch
Normal file
@ -0,0 +1,17 @@
|
||||
--- ./src/do_md.c 2018-03-19 05:10:19.994957024 -0400
|
||||
+++ ./src/do_md.c 2018-03-19 05:19:05.829957024 -0400
|
||||
@@ -135,8 +135,13 @@
|
||||
continue;
|
||||
|
||||
while (!bingo && (data = elf_getdata (scn, data)) != NULL) {
|
||||
- int maxndx = data->d_size / shdr.sh_entsize;
|
||||
+ int maxndx;
|
||||
int ndx;
|
||||
+
|
||||
+ if (shdr.sh_entsize != 0)
|
||||
+ maxndx = data->d_size / shdr.sh_entsize;
|
||||
+ else
|
||||
+ continue;
|
||||
|
||||
for (ndx = 0; ndx < maxndx; ++ndx) {
|
||||
(void) gelf_getdyn (data, ndx, &dyn);
|
153
SOURCES/aide-0.16-crypto-disable-haval-and-others.patch
Normal file
153
SOURCES/aide-0.16-crypto-disable-haval-and-others.patch
Normal file
@ -0,0 +1,153 @@
|
||||
diff -up ./include/md.h.crypto ./include/md.h
|
||||
--- ./include/md.h.crypto 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./include/md.h 2018-08-29 15:00:30.827491299 +0200
|
||||
@@ -149,6 +149,7 @@ int init_md(struct md_container*);
|
||||
int update_md(struct md_container*,void*,ssize_t);
|
||||
int close_md(struct md_container*);
|
||||
void md2line(struct md_container*,struct db_line*);
|
||||
+DB_ATTR_TYPE get_available_crypto();
|
||||
|
||||
|
||||
#endif /*_MD_H_INCLUDED*/
|
||||
diff -up ./src/aide.c.crypto ./src/aide.c
|
||||
--- ./src/aide.c.crypto 2018-08-29 15:00:30.825491309 +0200
|
||||
+++ ./src/aide.c 2018-08-29 15:00:30.827491299 +0200
|
||||
@@ -349,7 +349,7 @@ static void setdefaults_before_config()
|
||||
|
||||
conf->db_attrs = 0;
|
||||
#if defined(WITH_MHASH) || defined(WITH_GCRYPT)
|
||||
- conf->db_attrs |= DB_MD5|DB_TIGER|DB_HAVAL|DB_CRC32|DB_SHA1|DB_RMD160|DB_SHA256|DB_SHA512;
|
||||
+ conf->db_attrs |= get_available_crypto();
|
||||
#ifdef WITH_MHASH
|
||||
conf->db_attrs |= DB_GOST;
|
||||
#ifdef HAVE_MHASH_WHIRLPOOL
|
||||
diff -up ./src/md.c.crypto ./src/md.c
|
||||
--- ./src/md.c.crypto 2018-08-29 15:00:30.823491319 +0200
|
||||
+++ ./src/md.c 2018-08-29 15:02:28.013903479 +0200
|
||||
@@ -78,6 +78,49 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) {
|
||||
return r;
|
||||
}
|
||||
|
||||
+const char * hash_gcrypt2str(int i) {
|
||||
+ char * r = "?";
|
||||
+#ifdef WITH_GCRYPT
|
||||
+ switch (i) {
|
||||
+ case GCRY_MD_MD5: {
|
||||
+ r = "MD5";
|
||||
+ break;
|
||||
+ }
|
||||
+ case GCRY_MD_SHA1: {
|
||||
+ r = "SHA1";
|
||||
+ break;
|
||||
+ }
|
||||
+ case GCRY_MD_RMD160: {
|
||||
+ r = "RMD160";
|
||||
+ break;
|
||||
+ }
|
||||
+ case GCRY_MD_TIGER: {
|
||||
+ r = "TIGER";
|
||||
+ break;
|
||||
+ }
|
||||
+ case GCRY_MD_HAVAL: {
|
||||
+ r = "HAVAL";
|
||||
+ break;
|
||||
+ }
|
||||
+ case GCRY_MD_SHA256: {
|
||||
+ r = "SHA256";
|
||||
+ break;
|
||||
+ }
|
||||
+ case GCRY_MD_SHA512: {
|
||||
+ r = "SHA512";
|
||||
+ break;
|
||||
+ }
|
||||
+ case GCRY_MD_CRC32: {
|
||||
+ r = "CRC32";
|
||||
+ break;
|
||||
+ }
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+#endif
|
||||
+ return r;
|
||||
+}
|
||||
+
|
||||
DB_ATTR_TYPE hash_mhash2attr(int i) {
|
||||
DB_ATTR_TYPE r=0;
|
||||
#ifdef WITH_MHASH
|
||||
@@ -163,6 +206,44 @@ DB_ATTR_TYPE hash_mhash2attr(int i) {
|
||||
Initialise md_container according it's todo_attr field
|
||||
*/
|
||||
|
||||
+DB_ATTR_TYPE get_available_crypto() {
|
||||
+
|
||||
+ DB_ATTR_TYPE ret = 0;
|
||||
+
|
||||
+/*
|
||||
+ * This function is usually called before config processing
|
||||
+ * and default verbose level is 5
|
||||
+ */
|
||||
+#define lvl 255
|
||||
+
|
||||
+ error(lvl, "get_available_crypto called\n");
|
||||
+
|
||||
+#ifdef WITH_GCRYPT
|
||||
+
|
||||
+ /*
|
||||
+ * some initialization for FIPS
|
||||
+ */
|
||||
+ gcry_check_version(NULL);
|
||||
+ error(lvl, "Found algos:");
|
||||
+
|
||||
+ for(int i=0;i<=HASH_GCRYPT_COUNT;i++) {
|
||||
+
|
||||
+ if ( (hash_gcrypt2attr(i) & HASH_USE_GCRYPT) == 0 )
|
||||
+ continue;
|
||||
+
|
||||
+ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) == 0) {
|
||||
+ ret |= hash_gcrypt2attr(i);
|
||||
+ error(lvl, " %s", hash_gcrypt2str(i));
|
||||
+ }
|
||||
+ }
|
||||
+ error(lvl, "\n");
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
+ error(lvl, "get_available_crypto_returned with %lld\n", ret);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
int init_md(struct md_container* md) {
|
||||
|
||||
int i;
|
||||
@@ -201,18 +282,27 @@ int init_md(struct md_container* md) {
|
||||
}
|
||||
#endif
|
||||
#ifdef WITH_GCRYPT
|
||||
- if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
|
||||
+ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
|
||||
error(0,"gcrypt_md_open failed\n");
|
||||
exit(IO_ERROR);
|
||||
}
|
||||
for(i=0;i<=HASH_GCRYPT_COUNT;i++) {
|
||||
+
|
||||
+
|
||||
if (((hash_gcrypt2attr(i)&HASH_USE_GCRYPT)&md->todo_attr)!=0) {
|
||||
- DB_ATTR_TYPE h=hash_gcrypt2attr(i);
|
||||
- error(255,"inserting %llu\n",h);
|
||||
+
|
||||
+ DB_ATTR_TYPE h=hash_gcrypt2attr(i);
|
||||
+
|
||||
+ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) != 0) {
|
||||
+ error(0,"Algo %s is not available\n", hash_gcrypt2str(i));
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+
|
||||
+ error(255,"inserting %llu\n",h);
|
||||
if(gcry_md_enable(md->mdh,i)==GPG_ERR_NO_ERROR){
|
||||
md->calc_attr|=h;
|
||||
} else {
|
||||
- error(0,"gcry_md_enable %i failed",i);
|
||||
+ error(0,"gcry_md_enable %i failed\n",i);
|
||||
md->todo_attr&=~h;
|
||||
}
|
||||
}
|
103
SOURCES/aide-0.16b1-fipsfix.patch
Normal file
103
SOURCES/aide-0.16b1-fipsfix.patch
Normal file
@ -0,0 +1,103 @@
|
||||
diff -up ./src/aide.c.orig ./aide-0.16b1/src/aide.c
|
||||
--- ./src/aide.c.orig 2016-07-12 11:10:08.013158385 +0200
|
||||
+++ ./src/aide.c 2016-07-12 11:30:54.867833064 +0200
|
||||
@@ -511,9 +511,28 @@ int main(int argc,char**argv)
|
||||
#endif
|
||||
umask(0177);
|
||||
init_sighandler();
|
||||
-
|
||||
setdefaults_before_config();
|
||||
|
||||
+#if WITH_GCRYPT
|
||||
+ error(255,"Gcrypt library initialization\n");
|
||||
+ /*
|
||||
+ * Initialize libgcrypt as per
|
||||
+ * http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
|
||||
+ *
|
||||
+ *
|
||||
+ */
|
||||
+ gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0);
|
||||
+ gcry_control(GCRYCTL_INIT_SECMEM, 1);
|
||||
+
|
||||
+ if(!gcry_check_version(GCRYPT_VERSION)) {
|
||||
+ error(0,"libgcrypt version mismatch\n");
|
||||
+ exit(VERSION_MISMATCH_ERROR);
|
||||
+ }
|
||||
+
|
||||
+ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
|
||||
+#endif /* WITH_GCRYPT */
|
||||
+
|
||||
+
|
||||
if(read_param(argc,argv)==RETFAIL){
|
||||
error(0, _("Invalid argument\n") );
|
||||
exit(INVALID_ARGUMENT_ERROR);
|
||||
@@ -646,6 +665,9 @@ int main(int argc,char**argv)
|
||||
}
|
||||
#endif
|
||||
}
|
||||
+#ifdef WITH_GCRYPT
|
||||
+ gcry_control(GCRYCTL_TERM_SECMEM, 0);
|
||||
+#endif /* WITH_GCRYPT */
|
||||
return RETOK;
|
||||
}
|
||||
const char* aide_key_3=CONFHMACKEY_03;
|
||||
diff -up ./src/md.c.orig ./aide-0.16b1/src/md.c
|
||||
--- ./src/md.c.orig 2016-04-15 23:30:16.000000000 +0200
|
||||
+++ ./src/md.c 2016-07-12 11:35:04.007675329 +0200
|
||||
@@ -201,14 +201,7 @@ int init_md(struct md_container* md) {
|
||||
}
|
||||
#endif
|
||||
#ifdef WITH_GCRYPT
|
||||
- error(255,"Gcrypt library initialization\n");
|
||||
- if(!gcry_check_version(GCRYPT_VERSION)) {
|
||||
- error(0,"libgcrypt version mismatch\n");
|
||||
- exit(VERSION_MISMATCH_ERROR);
|
||||
- }
|
||||
- gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
|
||||
- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
|
||||
- if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){
|
||||
+ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
|
||||
error(0,"gcrypt_md_open failed\n");
|
||||
exit(IO_ERROR);
|
||||
}
|
||||
@@ -299,7 +292,7 @@ int close_md(struct md_container* md) {
|
||||
|
||||
/*. There might be more hashes in the library. Add those here.. */
|
||||
|
||||
- gcry_md_reset(md->mdh);
|
||||
+ gcry_md_close(md->mdh);
|
||||
#endif
|
||||
|
||||
#ifdef WITH_MHASH
|
||||
diff -up ./src/util.c.orig ./aide-0.16b1/src/util.c
|
||||
--- ./src/util.c.orig 2016-07-12 11:39:17.023437355 +0200
|
||||
+++ ./src/util.c 2016-07-12 11:39:51.618721157 +0200
|
||||
@@ -519,28 +519,5 @@ int syslog_facility_lookup(char *s)
|
||||
return(AIDE_SYSLOG_FACILITY);
|
||||
}
|
||||
|
||||
-/* We need these dummy stubs to fool the linker into believing that
|
||||
- we do not need them at link time */
|
||||
-
|
||||
-void* dlopen(char*filename,int flag)
|
||||
-{
|
||||
- return NULL;
|
||||
-}
|
||||
-
|
||||
-void* dlsym(void*handle,char*symbol)
|
||||
-{
|
||||
- return NULL;
|
||||
-}
|
||||
-
|
||||
-void* dlclose(void*handle)
|
||||
-{
|
||||
- return NULL;
|
||||
-}
|
||||
-
|
||||
-const char* dlerror(void)
|
||||
-{
|
||||
- return NULL;
|
||||
-}
|
||||
-
|
||||
const char* aide_key_2=CONFHMACKEY_02;
|
||||
const char* db_key_2=DBHMACKEY_02;
|
15
SOURCES/aide-0.16rc1-man.patch
Normal file
15
SOURCES/aide-0.16rc1-man.patch
Normal file
@ -0,0 +1,15 @@
|
||||
diff -up ./doc/aide.1.in.orig ./doc/aide.1.in
|
||||
--- ./doc/aide.1.in.orig 2016-07-12 16:10:01.724595895 +0200
|
||||
+++ ./doc/aide.1.in 2016-07-12 16:06:21.968639822 +0200
|
||||
@@ -103,9 +103,9 @@ echo <encoded_checksum> | base64 \-d | h
|
||||
.SH FILES
|
||||
.IP \fB@sysconfdir@/aide.conf\fR
|
||||
Default aide configuration file.
|
||||
-.IP \fB@sysconfdir@/aide.db\fR
|
||||
+.IP \fB@localstatedir@/lib/aide/aide.db\fR
|
||||
Default aide database.
|
||||
-.IP \fB@sysconfdir@/aide.db.new\fR
|
||||
+.IP \fB@localstatedir@/lib/aide/aide.db.new\fR
|
||||
Default aide output database.
|
||||
.SH SEE ALSO
|
||||
.BR aide.conf (5)
|
51
SOURCES/aide-configure.patch
Normal file
51
SOURCES/aide-configure.patch
Normal file
@ -0,0 +1,51 @@
|
||||
diff --color -ru a/configure.ac b/configure.ac
|
||||
--- a/configure.ac 2021-05-20 09:31:11.686987129 +0200
|
||||
+++ b/configure.ac 2021-05-20 09:39:43.369967457 +0200
|
||||
@@ -784,11 +784,11 @@
|
||||
[if test "x$withval" = "xmd5" ;then
|
||||
CONFIGHMACTYPE="MHASH_MD5"
|
||||
else if test "x$withval" = "xsha1" ;then
|
||||
- CONFIGHMACTYPE="MHASH_SHA1"
|
||||
+ CONFIGHMACTYPE="MHASH_SHA1"
|
||||
else if test "x$withval" = "xsha256" ;then
|
||||
- CONFIGHMACTYPE="MHASH_SHA256"
|
||||
+ CONFIGHMACTYPE="MHASH_SHA256"
|
||||
else if test "x$withval" = "xsha512" ;then
|
||||
- CONFIGHMACTYPE="MHASH_SHA512"
|
||||
+ CONFIGHMACTYPE="MHASH_SHA512"
|
||||
else
|
||||
echo "Valid parameters for --with-confighmactype are md5, sha1, sha256 and sha512"
|
||||
exit 1
|
||||
@@ -799,7 +799,6 @@
|
||||
AC_DEFINE_UNQUOTED(CONFIGHMACTYPE,$CONFIGHMACTYPE,[hash type for config file check])],
|
||||
[
|
||||
AC_DEFINE_UNQUOTED(CONFIGHMACTYPE,MHASH_MD5,[hash type for config file check])]
|
||||
-,
|
||||
)
|
||||
|
||||
AC_ARG_WITH([confighmackey],
|
||||
@@ -846,18 +845,18 @@
|
||||
|
||||
AC_ARG_WITH([dbhmactype],
|
||||
AC_HELP_STRING([--with-dbhmactype=TYPE],
|
||||
- [Hash type to use for checking db. Valid values are md5 and sha1.]),
|
||||
+ [Hash type to use for checking db. Valid values are md5, sha1, sha256 and sha512.]),
|
||||
[if test "x$withval" = "xmd5" ;then
|
||||
DBHMACTYPE="MHASH_MD5"
|
||||
else if test "x$withval" = "xsha1" ;then
|
||||
- DBHMACTYPE="MHASH_SHA1"
|
||||
+ DBHMACTYPE="MHASH_SHA1"
|
||||
else if test "x$withval" = "xsha256" ;then
|
||||
- CONFIGHMACTYPE="MHASH_SHA256"
|
||||
+ DBHMACTYPE="MHASH_SHA256"
|
||||
else if test "x$withval" = "xsha512" ;then
|
||||
- CONFIGHMACTYPE="MHASH_SHA512"
|
||||
+ DBHMACTYPE="MHASH_SHA512"
|
||||
else
|
||||
- echo "Valid parameters for --with-dbhmactype are md5, sha1, sha256 and sha512"
|
||||
- exit 1
|
||||
+ echo "Valid parameters for --with-dbhmactype are md5, sha1, sha256 and sha512"
|
||||
+ exit 1
|
||||
fi
|
||||
fi
|
||||
fi
|
171
SOURCES/aide-static-analysis.patch
Normal file
171
SOURCES/aide-static-analysis.patch
Normal file
@ -0,0 +1,171 @@
|
||||
Only in b: config.log
|
||||
diff --color -ru a/contrib/sshaide.sh b/contrib/sshaide.sh
|
||||
--- a/contrib/sshaide.sh 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ b/contrib/sshaide.sh 2021-05-20 11:11:24.112542472 +0200
|
||||
@@ -260,7 +260,7 @@
|
||||
_randword=`grep -n . ${_wordlist} | grep "^${_linenum}:" | cut -d: -f2`
|
||||
|
||||
# If $_randword has anything other than lower-case chars, try again
|
||||
- (echo ${_randword} | LC_ALL=C grep '[^a-z]' 2>&1 >> /dev/null \
|
||||
+ ({ echo ${_randword} | LC_ALL=C grep '[^a-z]' 2>&1; } >> /dev/null \
|
||||
&& gen_rand_word ) || \
|
||||
|
||||
# Return the word
|
||||
diff --color -ru a/src/commandconf.c b/src/commandconf.c
|
||||
--- a/src/commandconf.c 2021-05-20 10:37:53.842382143 +0200
|
||||
+++ b/src/commandconf.c 2021-05-25 14:16:43.278526146 +0200
|
||||
@@ -313,7 +313,7 @@
|
||||
} else {
|
||||
/* gzread returns 0 even if uncompressed bytes were read*/
|
||||
error(240,"nread=%d,strlen(buf)=%lu,errno=%s,gzerr=%s\n",
|
||||
- retval,(unsigned long)strnlen((char*)buf, max_size),
|
||||
+ retval,(unsigned long)strnlen((char*)buf, retval),
|
||||
strerror(errno),gzerror(*db_gzp,&err));
|
||||
if(retval==0){
|
||||
retval=strnlen((char*)buf, max_size);
|
||||
@@ -836,6 +836,11 @@
|
||||
}
|
||||
break;
|
||||
}
|
||||
+ default: {
|
||||
+ error(0,"Unsupported dbtype.\n");
|
||||
+ free(u);
|
||||
+ break;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
free(val);
|
||||
@@ -900,7 +905,7 @@
|
||||
} else {
|
||||
error_init(u,0);
|
||||
}
|
||||
-
|
||||
+ free(u->value);
|
||||
free(u);
|
||||
}
|
||||
|
||||
diff --color -ru a/src/db_disk.c b/src/db_disk.c
|
||||
--- a/src/db_disk.c 2021-05-20 10:37:53.842382143 +0200
|
||||
+++ b/src/db_disk.c 2021-05-20 12:37:00.081493364 +0200
|
||||
@@ -125,10 +125,10 @@
|
||||
|
||||
ret = (char *) malloc (len);
|
||||
ret[0] = (char) 0;
|
||||
- strncpy(ret, conf->root_prefix, conf->root_prefix_length+1);
|
||||
- strncat (ret, r->path, len2);
|
||||
+ strcpy(ret, conf->root_prefix);
|
||||
+ strcat (ret, r->path);
|
||||
if (r->path[len2 - 1] != '/') {
|
||||
- strncat (ret, "/", 1);
|
||||
+ strcat (ret, "/");
|
||||
}
|
||||
strcat (ret, s);
|
||||
return ret;
|
||||
@@ -207,8 +207,8 @@
|
||||
if (!root_handled) {
|
||||
root_handled = 1;
|
||||
fullname=malloc((conf->root_prefix_length+2)*sizeof(char));
|
||||
- strncpy(fullname, conf->root_prefix, conf->root_prefix_length+1);
|
||||
- strncat (fullname, "/", 1);
|
||||
+ strcpy(fullname, conf->root_prefix);
|
||||
+ strcat (fullname, "/");
|
||||
if (!get_file_status(&fullname[conf->root_prefix_length], &fs)) {
|
||||
add = check_rxtree (&fullname[conf->root_prefix_length], conf->tree, &attr, fs.st_mode);
|
||||
error (240, "%s match=%d, tree=%p, attr=%llu\n", &fullname[conf->root_prefix_length], add,
|
||||
@@ -346,8 +346,8 @@
|
||||
error (255, "r->childs %p, r->parent %p,r->checked %i\n",
|
||||
r->childs, r->parent, r->checked);
|
||||
fullname=malloc((conf->root_prefix_length+strlen(r->path)+1)*sizeof(char));
|
||||
- strncpy(fullname, conf->root_prefix, conf->root_prefix_length+1);
|
||||
- strncat(fullname, r->path, strlen(r->path));
|
||||
+ strcpy(fullname, conf->root_prefix);
|
||||
+ strcat(fullname, r->path);
|
||||
dirh=open_dir(fullname);
|
||||
if (! dirh) {
|
||||
|
||||
@@ -441,8 +441,8 @@
|
||||
|
||||
|
||||
char* fullname=malloc((conf->root_prefix_length+2)*sizeof(char));
|
||||
- strncpy(fullname, conf->root_prefix, conf->root_prefix_length+1);
|
||||
- strncat (fullname, "/", 1);
|
||||
+ strcpy(fullname, conf->root_prefix);
|
||||
+ strcat (fullname, "/");
|
||||
dirh=open_dir(fullname);
|
||||
free(fullname);
|
||||
|
||||
diff --color -ru a/src/error.c b/src/error.c
|
||||
--- a/src/error.c 2021-05-20 10:37:53.836382037 +0200
|
||||
+++ b/src/error.c 2021-05-21 11:49:09.781313097 +0200
|
||||
@@ -125,7 +125,7 @@
|
||||
fh=be_init(0,url,0);
|
||||
if(fh!=NULL) {
|
||||
conf->report_fd=list_append(conf->report_fd,(void*)fh);
|
||||
- conf->report_url=list_append(conf->report_url,(void*)url);
|
||||
+ conf->report_url=list_append(conf->report_url,(void*)strdup(url));
|
||||
return RETOK;
|
||||
}
|
||||
|
||||
diff --color -ru a/src/util.c b/src/util.c
|
||||
--- a/src/util.c 2021-05-20 10:37:53.843382160 +0200
|
||||
+++ b/src/util.c 2021-05-25 11:04:39.507278771 +0200
|
||||
@@ -105,13 +105,15 @@
|
||||
for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++);
|
||||
if(r[0]=='\0'){
|
||||
error(0,"Invalid file-URL,no path after hostname: file:%s\n",t);
|
||||
+ free(u);
|
||||
+ free(val_copy);
|
||||
free(hostname);
|
||||
return NULL;
|
||||
}
|
||||
u->value=strdup(r);
|
||||
r[0]='\0';
|
||||
if(gethostname(hostname,MAXHOSTNAMELEN)==-1){
|
||||
- strncpy(hostname,"localhost", 10);
|
||||
+ strncpy(hostname,"localhost",MAXHOSTNAMELEN);
|
||||
}
|
||||
|
||||
if( (strcmp(t,"localhost")==0)||(strcmp(t,hostname)==0)){
|
||||
@@ -119,6 +121,9 @@
|
||||
break;
|
||||
} else {
|
||||
error(0,"Invalid file-URL, cannot use hostname other than localhost or %s: file:%s\n",hostname,u->value);
|
||||
+ free(u->value);
|
||||
+ free(u);
|
||||
+ free(val_copy);
|
||||
free(hostname);
|
||||
return NULL;
|
||||
}
|
||||
@@ -229,6 +234,10 @@
|
||||
int i=0;
|
||||
|
||||
pc=(char*)malloc(sizeof(char)*11);
|
||||
+ if (!pc) {
|
||||
+ error(0, "Memory allocation failed.\n");
|
||||
+ return NULL;
|
||||
+ }
|
||||
for(i=0;i<10;i++){
|
||||
pc[i]='-';
|
||||
}
|
||||
@@ -369,14 +378,17 @@
|
||||
|
||||
if (path != NULL) {
|
||||
if (path[0] == '~') {
|
||||
- if((homedir=getenv("HOME")) != NULL) {
|
||||
+ if ((homedir=getenv("HOME")) != NULL) {
|
||||
path_len = strlen(path+sizeof(char));
|
||||
homedir_len = strlen(homedir);
|
||||
full_len = homedir_len+path_len;
|
||||
full = malloc(sizeof(char) * (full_len+1));
|
||||
- strncpy(full, homedir, homedir_len);
|
||||
- strncpy(full+homedir_len, path+sizeof(char), path_len);
|
||||
- full[full_len] = '\0';
|
||||
+ if (!full) {
|
||||
+ error(0, "Memory allocation failed.\n");
|
||||
+ return path;
|
||||
+ }
|
||||
+ strcpy(full, homedir);
|
||||
+ strcat(full, path+sizeof(char));
|
||||
free(path);
|
||||
/* Don't free(homedir); because it is not safe on some platforms */
|
||||
path = full;
|
303
SOURCES/aide.conf
Normal file
303
SOURCES/aide.conf
Normal file
@ -0,0 +1,303 @@
|
||||
# Example configuration file for AIDE.
|
||||
|
||||
@@define DBDIR /var/lib/aide
|
||||
@@define LOGDIR /var/log/aide
|
||||
|
||||
# The location of the database to be read.
|
||||
database=file:@@{DBDIR}/aide.db.gz
|
||||
|
||||
# The location of the database to be written.
|
||||
#database_out=sql:host:port:database:login_name:passwd:table
|
||||
#database_out=file:aide.db.new
|
||||
database_out=file:@@{DBDIR}/aide.db.new.gz
|
||||
|
||||
# Whether to gzip the output to database
|
||||
gzip_dbout=yes
|
||||
|
||||
# Default.
|
||||
verbose=5
|
||||
|
||||
report_url=file:@@{LOGDIR}/aide.log
|
||||
report_url=stdout
|
||||
#report_url=stderr
|
||||
#NOT IMPLEMENTED report_url=mailto:root@foo.com
|
||||
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
|
||||
|
||||
# These are the default rules.
|
||||
#
|
||||
#p: permissions
|
||||
#i: inode:
|
||||
#n: number of links
|
||||
#u: user
|
||||
#g: group
|
||||
#s: size
|
||||
#b: block count
|
||||
#m: mtime
|
||||
#a: atime
|
||||
#c: ctime
|
||||
#S: check for growing size
|
||||
#acl: Access Control Lists
|
||||
#selinux SELinux security context
|
||||
#xattrs: Extended file attributes
|
||||
#md5: md5 checksum
|
||||
#sha1: sha1 checksum
|
||||
#sha256: sha256 checksum
|
||||
#sha512: sha512 checksum
|
||||
#rmd160: rmd160 checksum
|
||||
#tiger: tiger checksum
|
||||
|
||||
#haval: haval checksum (MHASH only)
|
||||
#gost: gost checksum (MHASH only)
|
||||
#crc32: crc32 checksum (MHASH only)
|
||||
#whirlpool: whirlpool checksum (MHASH only)
|
||||
|
||||
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
|
||||
#L: p+i+n+u+g+acl+selinux+xattrs
|
||||
#E: Empty group
|
||||
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
|
||||
|
||||
# You can create custom rules like this.
|
||||
# With MHASH...
|
||||
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
|
||||
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
|
||||
# Everything but access time (Ie. all changes)
|
||||
EVERYTHING = R+ALLXTRAHASHES
|
||||
|
||||
# Sane
|
||||
# NORMAL = R+sha512
|
||||
NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
|
||||
|
||||
# For directories, don't bother doing hashes
|
||||
DIR = p+i+n+u+g+acl+selinux+xattrs
|
||||
|
||||
# Access control only
|
||||
PERMS = p+u+g+acl+selinux+xattrs
|
||||
|
||||
# Logfile are special, in that they often change
|
||||
LOG = p+u+g+n+S+acl+selinux+xattrs
|
||||
|
||||
# Content + file type.
|
||||
CONTENT = sha512+ftype
|
||||
|
||||
# Extended content + file type + access.
|
||||
CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
|
||||
|
||||
# Some files get updated automatically, so the inode/ctime/mtime change
|
||||
# but we want to know when the data inside them changes
|
||||
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512
|
||||
|
||||
# Next decide what directories/files you want in the database.
|
||||
|
||||
/boot CONTENT_EX
|
||||
/opt CONTENT
|
||||
|
||||
# Admins dot files constantly change, just check perms
|
||||
/root/\..* PERMS
|
||||
!/root/.xauth*
|
||||
# Otherwise get all of /root.
|
||||
/root CONTENT_EX
|
||||
|
||||
# These are too volatile
|
||||
!/usr/src
|
||||
!/usr/tmp
|
||||
|
||||
# Otherwise get all of /usr.
|
||||
/usr CONTENT_EX
|
||||
|
||||
# trusted databases
|
||||
/etc/hosts$ CONTENT_EX
|
||||
/etc/host.conf$ CONTENT_EX
|
||||
/etc/hostname$ CONTENT_EX
|
||||
/etc/issue$ CONTENT_EX
|
||||
/etc/issue.net$ CONTENT_EX
|
||||
/etc/protocols$ CONTENT_EX
|
||||
/etc/services$ CONTENT_EX
|
||||
/etc/localtime$ CONTENT_EX
|
||||
/etc/alternatives CONTENT_EX
|
||||
/etc/sysconfig CONTENT_EX
|
||||
/etc/mime.types$ CONTENT_EX
|
||||
/etc/terminfo CONTENT_EX
|
||||
/etc/exports$ CONTENT_EX
|
||||
/etc/fstab$ CONTENT_EX
|
||||
/etc/passwd$ CONTENT_EX
|
||||
/etc/group$ CONTENT_EX
|
||||
/etc/gshadow$ CONTENT_EX
|
||||
/etc/shadow$ CONTENT_EX
|
||||
/etc/subgid$ CONTENT_EX
|
||||
/etc/subuid$ CONTENT_EX
|
||||
/etc/security/opasswd$ CONTENT_EX
|
||||
/etc/skel CONTENT_EX
|
||||
/etc/sssd CONTENT_EX
|
||||
/etc/machine-id$ CONTENT_EX
|
||||
/etc/swid CONTENT_EX
|
||||
/etc/system-release-cpe$ CONTENT_EX
|
||||
/etc/shells$ CONTENT_EX
|
||||
/etc/tmux.conf$ CONTENT_EX
|
||||
/etc/xattr.conf$ CONTENT_EX
|
||||
|
||||
# networking
|
||||
/etc/firewalld CONTENT_EX
|
||||
!/etc/NetworkManager/system-connections
|
||||
/etc/NetworkManager CONTENT_EX
|
||||
/etc/networks$ CONTENT_EX
|
||||
/etc/dhcp CONTENT_EX
|
||||
/etc/wpa_supplicant CONTENT_EX
|
||||
/etc/resolv.conf$ DATAONLY
|
||||
/etc/nscd.conf$ CONTENT_EX
|
||||
|
||||
# logins and accounts
|
||||
/etc/login.defs$ CONTENT_EX
|
||||
/etc/libuser.conf$ CONTENT_EX
|
||||
/var/log/faillog$ PERMS
|
||||
/var/log/lastlog$ PERMS
|
||||
/var/run/faillock PERMS
|
||||
/etc/pam.d CONTENT_EX
|
||||
/etc/security CONTENT_EX
|
||||
/etc/securetty$ CONTENT_EX
|
||||
/etc/polkit-1 CONTENT_EX
|
||||
/etc/sudo.conf$ CONTENT_EX
|
||||
/etc/sudoers$ CONTENT_EX
|
||||
/etc/sudoers.d CONTENT_EX
|
||||
|
||||
# Shell/X startup files
|
||||
/etc/profile$ CONTENT_EX
|
||||
/etc/profile.d CONTENT_EX
|
||||
/etc/bashrc$ CONTENT_EX
|
||||
/etc/bash_completion.d CONTENT_EX
|
||||
/etc/zprofile$ CONTENT_EX
|
||||
/etc/zshrc$ CONTENT_EX
|
||||
/etc/zlogin$ CONTENT_EX
|
||||
/etc/zlogout$ CONTENT_EX
|
||||
/etc/X11 CONTENT_EX
|
||||
|
||||
# Pkg manager
|
||||
/etc/dnf CONTENT_EX
|
||||
/etc/yum.conf$ CONTENT_EX
|
||||
/etc/yum CONTENT_EX
|
||||
/etc/yum.repos.d CONTENT_EX
|
||||
|
||||
# This gets new/removes-old filenames daily
|
||||
!/var/log/sa
|
||||
# As we are checking it, we've truncated yesterdays size to zero.
|
||||
!/var/log/aide.log
|
||||
|
||||
# auditing
|
||||
# AIDE produces an audit record, so this becomes perpetual motion.
|
||||
/var/log/audit PERMS
|
||||
/etc/audit CONTENT_EX
|
||||
/etc/libaudit.conf$ CONTENT_EX
|
||||
/etc/aide.conf$ CONTENT_EX
|
||||
|
||||
# System logs
|
||||
/etc/rsyslog.conf$ CONTENT_EX
|
||||
/etc/rsyslog.d CONTENT_EX
|
||||
/etc/logrotate.conf$ CONTENT_EX
|
||||
/etc/logrotate.d CONTENT_EX
|
||||
/etc/systemd/journald.conf$ CONTENT_EX
|
||||
/var/log LOG+ANF+ARF
|
||||
/var/run/utmp LOG
|
||||
|
||||
# secrets
|
||||
/etc/pkcs11 CONTENT_EX
|
||||
/etc/pki CONTENT_EX
|
||||
/etc/crypto-policies CONTENT_EX
|
||||
/etc/certmonger CONTENT_EX
|
||||
/var/lib/systemd/random-seed$ PERMS
|
||||
|
||||
# init system
|
||||
/etc/systemd CONTENT_EX
|
||||
/etc/rc.d CONTENT_EX
|
||||
/etc/tmpfiles.d CONTENT_EX
|
||||
|
||||
# boot config
|
||||
/etc/default CONTENT_EX
|
||||
/etc/grub.d CONTENT_EX
|
||||
/etc/dracut.conf$ CONTENT_EX
|
||||
/etc/dracut.conf.d CONTENT_EX
|
||||
|
||||
# glibc linker
|
||||
/etc/ld.so.cache$ CONTENT_EX
|
||||
/etc/ld.so.conf$ CONTENT_EX
|
||||
/etc/ld.so.conf.d CONTENT_EX
|
||||
/etc/ld.so.preload$ CONTENT_EX
|
||||
|
||||
# kernel config
|
||||
/etc/sysctl.conf$ CONTENT_EX
|
||||
/etc/sysctl.d CONTENT_EX
|
||||
/etc/modprobe.d CONTENT_EX
|
||||
/etc/modules-load.d CONTENT_EX
|
||||
/etc/depmod.d CONTENT_EX
|
||||
/etc/udev CONTENT_EX
|
||||
/etc/crypttab$ CONTENT_EX
|
||||
|
||||
#### Daemons ####
|
||||
|
||||
# cron jobs
|
||||
/etc/at.allow$ CONTENT
|
||||
/etc/at.deny$ CONTENT
|
||||
/etc/anacrontab$ CONTENT_EX
|
||||
/etc/cron.allow$ CONTENT_EX
|
||||
/etc/cron.deny$ CONTENT_EX
|
||||
/etc/cron.d CONTENT_EX
|
||||
/etc/cron.daily CONTENT_EX
|
||||
/etc/cron.hourly CONTENT_EX
|
||||
/etc/cron.monthly CONTENT_EX
|
||||
/etc/cron.weekly CONTENT_EX
|
||||
/etc/crontab$ CONTENT_EX
|
||||
/var/spool/cron/root CONTENT
|
||||
|
||||
# time keeping
|
||||
/etc/chrony.conf$ CONTENT_EX
|
||||
/etc/chrony.keys$ CONTENT_EX
|
||||
|
||||
# mail
|
||||
/etc/aliases$ CONTENT_EX
|
||||
/etc/aliases.db$ CONTENT_EX
|
||||
/etc/postfix CONTENT_EX
|
||||
|
||||
# ssh
|
||||
/etc/ssh/sshd_config$ CONTENT_EX
|
||||
/etc/ssh/ssh_config$ CONTENT_EX
|
||||
|
||||
# stunnel
|
||||
/etc/stunnel CONTENT_EX
|
||||
|
||||
# printing
|
||||
/etc/cups CONTENT_EX
|
||||
/etc/cupshelpers CONTENT_EX
|
||||
/etc/avahi CONTENT_EX
|
||||
|
||||
# web server
|
||||
/etc/httpd CONTENT_EX
|
||||
|
||||
# dns
|
||||
/etc/named CONTENT_EX
|
||||
/etc/named.conf$ CONTENT_EX
|
||||
/etc/named.iscdlv.key$ CONTENT_EX
|
||||
/etc/named.rfc1912.zones$ CONTENT_EX
|
||||
/etc/named.root.key$ CONTENT_EX
|
||||
|
||||
# xinetd
|
||||
/etc/xinetd.conf$ CONTENT_EX
|
||||
/etc/xinetd.d CONTENT_EX
|
||||
|
||||
# IPsec
|
||||
/etc/ipsec.conf$ CONTENT_EX
|
||||
/etc/ipsec.secrets$ CONTENT_EX
|
||||
/etc/ipsec.d CONTENT_EX
|
||||
|
||||
# USB guard
|
||||
/etc/usbguard CONTENT_EX
|
||||
|
||||
# Ignore some files
|
||||
!/etc/mtab$
|
||||
!/etc/.*~
|
||||
|
||||
# Now everything else
|
||||
/etc PERMS
|
||||
|
||||
# With AIDE's default verbosity level of 5, these would give lots of
|
||||
# warnings upon tree traversal. It might change with future version.
|
||||
#
|
||||
#=/lost\+found DIR
|
||||
#=/home DIR
|
9
SOURCES/aide.logrotate
Normal file
9
SOURCES/aide.logrotate
Normal file
@ -0,0 +1,9 @@
|
||||
/var/log/aide/*.log {
|
||||
weekly
|
||||
missingok
|
||||
rotate 4
|
||||
compress
|
||||
delaycompress
|
||||
copytruncate
|
||||
minsize 100k
|
||||
}
|
642
SOURCES/coverity.patch
Normal file
642
SOURCES/coverity.patch
Normal file
@ -0,0 +1,642 @@
|
||||
diff -up ./include/be.h.coverity ./include/be.h
|
||||
--- ./include/be.h.coverity 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./include/be.h 2018-10-10 19:27:18.680632681 +0200
|
||||
@@ -22,6 +22,6 @@
|
||||
#define _BE_H_INCLUDED
|
||||
#include "db_config.h"
|
||||
|
||||
-FILE* be_init(int inout,url_t* u,int iszipped);
|
||||
+void* be_init(int inout,url_t* u,int iszipped);
|
||||
|
||||
#endif /* _BE_H_INCLUDED */
|
||||
diff -up ./include/db_config.h.coverity ./include/db_config.h
|
||||
--- ./include/db_config.h.coverity 2018-10-10 19:27:18.672632611 +0200
|
||||
+++ ./include/db_config.h 2018-10-10 19:27:18.681632689 +0200
|
||||
@@ -376,7 +376,7 @@ typedef struct db_config {
|
||||
#endif
|
||||
|
||||
url_t* initial_report_url;
|
||||
- FILE* initial_report_fd;
|
||||
+ void* initial_report_fd;
|
||||
|
||||
/* report_url is a list of url_t*s */
|
||||
list* report_url;
|
||||
diff -up ./src/aide.c.coverity ./src/aide.c
|
||||
--- ./src/aide.c.coverity 2018-10-10 19:27:18.678632663 +0200
|
||||
+++ ./src/aide.c 2018-10-10 19:27:18.681632689 +0200
|
||||
@@ -278,7 +278,7 @@ static void setdefaults_before_config()
|
||||
error(0,_("Couldn't get hostname"));
|
||||
free(s);
|
||||
} else {
|
||||
- s=(char*)realloc((void*)s,strlen(s)+1);
|
||||
+ // s=(char*)realloc((void*)s,strlen(s)+1);
|
||||
do_define("HOSTNAME",s);
|
||||
}
|
||||
|
||||
@@ -506,8 +506,6 @@ static void setdefaults_after_config()
|
||||
int main(int argc,char**argv)
|
||||
{
|
||||
int errorno=0;
|
||||
- byte* dig=NULL;
|
||||
- char* digstr=NULL;
|
||||
|
||||
#ifdef USE_LOCALE
|
||||
setlocale(LC_ALL,"");
|
||||
@@ -544,6 +542,10 @@ int main(int argc,char**argv)
|
||||
}
|
||||
|
||||
errorno=commandconf('C',conf->config_file);
|
||||
+ if (errorno==RETFAIL){
|
||||
+ error(0,_("Configuration error\n"));
|
||||
+ exit(INVALID_CONFIGURELINE_ERROR);
|
||||
+ }
|
||||
|
||||
errorno=commandconf('D',"");
|
||||
if (errorno==RETFAIL){
|
||||
@@ -594,6 +596,9 @@ int main(int argc,char**argv)
|
||||
}
|
||||
}
|
||||
#ifdef WITH_MHASH
|
||||
+ byte* dig=NULL;
|
||||
+ char* digstr=NULL;
|
||||
+
|
||||
if(conf->config_check&&FORCECONFIGMD){
|
||||
error(0,"Can't give config checksum when compiled with --enable-forced_configmd\n");
|
||||
exit(INVALID_ARGUMENT_ERROR);
|
||||
diff -up ./src/base64.c.coverity ./src/base64.c
|
||||
--- ./src/base64.c.coverity 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./src/base64.c 2018-10-10 19:27:18.681632689 +0200
|
||||
@@ -209,6 +209,7 @@ byte* decode_base64(char* src,size_t ssi
|
||||
case FAIL:
|
||||
error(3, "decode_base64: Illegal character: %c\n", *inb);
|
||||
error(230, "decode_base64: Illegal line:\n%s\n", src);
|
||||
+ free(outbuf);
|
||||
return NULL;
|
||||
break;
|
||||
case SKIP:
|
||||
@@ -260,7 +261,7 @@ size_t length_base64(char* src,size_t ss
|
||||
int l;
|
||||
int left;
|
||||
size_t pos;
|
||||
- unsigned long triple;
|
||||
+ //unsigned long triple;
|
||||
|
||||
error(235, "decode base64\n");
|
||||
/* Exit on empty input */
|
||||
@@ -273,7 +274,7 @@ size_t length_base64(char* src,size_t ss
|
||||
inb = src;
|
||||
|
||||
l = 0;
|
||||
- triple = 0;
|
||||
+ //triple = 0;
|
||||
pos=0;
|
||||
left = ssize;
|
||||
/*
|
||||
@@ -293,7 +294,7 @@ size_t length_base64(char* src,size_t ss
|
||||
case SKIP:
|
||||
break;
|
||||
default:
|
||||
- triple = triple<<6 | (0x3f & i);
|
||||
+ //triple = triple<<6 | (0x3f & i);
|
||||
l++;
|
||||
break;
|
||||
}
|
||||
@@ -302,10 +303,10 @@ size_t length_base64(char* src,size_t ss
|
||||
switch(l)
|
||||
{
|
||||
case 2:
|
||||
- triple = triple>>4;
|
||||
+ //triple = triple>>4;
|
||||
break;
|
||||
case 3:
|
||||
- triple = triple>>2;
|
||||
+ //triple = triple>>2;
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
@@ -314,7 +315,7 @@ size_t length_base64(char* src,size_t ss
|
||||
{
|
||||
pos++;
|
||||
}
|
||||
- triple = 0;
|
||||
+ //triple = 0;
|
||||
l = 0;
|
||||
}
|
||||
inb++;
|
||||
diff -up ./src/be.c.coverity ./src/be.c
|
||||
--- ./src/be.c.coverity 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./src/be.c 2018-10-10 19:27:18.681632689 +0200
|
||||
@@ -117,9 +117,9 @@ static char* get_first_value(char** in){
|
||||
|
||||
#endif
|
||||
|
||||
-FILE* be_init(int inout,url_t* u,int iszipped)
|
||||
+void* be_init(int inout,url_t* u,int iszipped)
|
||||
{
|
||||
- FILE* fh=NULL;
|
||||
+ void* fh=NULL;
|
||||
long a=0;
|
||||
char* err=NULL;
|
||||
int fd;
|
||||
diff -up ./src/commandconf.c.coverity ./src/commandconf.c
|
||||
--- ./src/commandconf.c.coverity 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./src/commandconf.c 2018-10-10 19:27:18.682632698 +0200
|
||||
@@ -106,7 +106,7 @@ int commandconf(const char mode,const ch
|
||||
rv=0;
|
||||
} else {
|
||||
|
||||
- rv=access(config,R_OK);
|
||||
+ if (config != NULL) rv=access(config,R_OK);
|
||||
if(rv==-1){
|
||||
error(0,_("Cannot access config file: %s: %s\n"),config,strerror(errno));
|
||||
}
|
||||
@@ -166,14 +166,11 @@ int commandconf(const char mode,const ch
|
||||
int conf_input_wrapper(char* buf, int max_size, FILE* in)
|
||||
{
|
||||
int retval=0;
|
||||
- int c=0;
|
||||
- char* tmp=NULL;
|
||||
- void* key=NULL;
|
||||
- int keylen=0;
|
||||
|
||||
/* FIXME Add support for gzipped config. :) */
|
||||
#ifdef WITH_MHASH
|
||||
/* Read a character at a time until we are doing md */
|
||||
+ int c=0;
|
||||
if(conf->do_configmd){
|
||||
retval=fread(buf,1,max_size,in);
|
||||
}else {
|
||||
@@ -185,6 +182,9 @@ int conf_input_wrapper(char* buf, int ma
|
||||
#endif
|
||||
|
||||
#ifdef WITH_MHASH
|
||||
+ char* tmp=NULL;
|
||||
+ void* key=NULL;
|
||||
+ int keylen=0;
|
||||
if(conf->do_configmd||conf->config_check){
|
||||
if(((conf->do_configmd==1)&&conf->config_check)||!conf->confmd){
|
||||
if(conf->do_configmd==1){
|
||||
@@ -276,6 +276,9 @@ int db_input_wrapper(char* buf, int max_
|
||||
#endif
|
||||
break;
|
||||
}
|
||||
+ default: {
|
||||
+ return 0;
|
||||
+ }
|
||||
}
|
||||
|
||||
#ifdef WITH_CURL
|
||||
@@ -651,7 +654,6 @@ int handle_endif(int doit,int allow_else
|
||||
case 0 : {
|
||||
conferror("@@endif or @@else expected");
|
||||
return -1;
|
||||
- count=0;
|
||||
}
|
||||
|
||||
default : {
|
||||
@@ -816,6 +818,7 @@ void do_dbdef(int dbtype,char* val)
|
||||
if(u==NULL||u->type==url_unknown||u->type==url_stdout
|
||||
||u->type==url_stderr) {
|
||||
error(0,_("Unsupported input URL-type:%s\n"),val);
|
||||
+ free(u);
|
||||
}
|
||||
else {
|
||||
*conf_db_url=u;
|
||||
@@ -825,6 +828,7 @@ void do_dbdef(int dbtype,char* val)
|
||||
case DB_WRITE: {
|
||||
if(u==NULL||u->type==url_unknown||u->type==url_stdin){
|
||||
error(0,_("Unsupported output URL-type:%s\n"),val);
|
||||
+ free(u);
|
||||
}
|
||||
else{
|
||||
conf->db_out_url=u;
|
||||
@@ -848,6 +852,7 @@ void do_dbindef(char* val)
|
||||
if(u==NULL||u->type==url_unknown||u->type==url_stdout
|
||||
||u->type==url_stderr) {
|
||||
error(0,_("Unsupported input URL-type:%s\n"),val);
|
||||
+ free(u);
|
||||
}
|
||||
else {
|
||||
conf->db_in_url=u;
|
||||
@@ -869,6 +874,7 @@ void do_dboutdef(char* val)
|
||||
* both input and output urls */
|
||||
if(u==NULL||u->type==url_unknown||u->type==url_stdin){
|
||||
error(0,_("Unsupported output URL-type:%s\n"),val);
|
||||
+ free(u);
|
||||
}
|
||||
else{
|
||||
conf->db_out_url=u;
|
||||
@@ -894,7 +900,8 @@ void do_repurldef(char* val)
|
||||
} else {
|
||||
error_init(u,0);
|
||||
}
|
||||
-
|
||||
+
|
||||
+ free(u);
|
||||
}
|
||||
|
||||
void do_verbdef(char* val)
|
||||
@@ -984,7 +991,7 @@ void do_report_ignore_e2fsattrs(char* va
|
||||
break;
|
||||
}
|
||||
}
|
||||
- *val++;
|
||||
+ val++;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
diff -up ./src/compare_db.c.coverity ./src/compare_db.c
|
||||
--- ./src/compare_db.c.coverity 2018-10-10 19:27:18.673632619 +0200
|
||||
+++ ./src/compare_db.c 2018-10-10 19:27:18.682632698 +0200
|
||||
@@ -312,7 +312,7 @@ static int acl2array(acl_type* acl, char
|
||||
if (conf->syslog_format) {
|
||||
*values = malloc(2 * sizeof(char*));
|
||||
|
||||
- char *A, *D = "<NONE>";
|
||||
+ char *A= "<NONE>", *D = "<NONE>";
|
||||
|
||||
if (acl->acl_a) { A = acl->acl_a; }
|
||||
if (acl->acl_d) { D = acl->acl_d; }
|
||||
diff -up ./src/conf_lex.l.coverity ./src/conf_lex.l
|
||||
--- ./src/conf_lex.l.coverity 2018-10-10 19:27:18.673632619 +0200
|
||||
+++ ./src/conf_lex.l 2018-10-10 19:27:18.682632698 +0200
|
||||
@@ -133,7 +133,7 @@ int var_in_conflval=0;
|
||||
<EXPR>[\ \t]*\n {
|
||||
conf_lineno++;
|
||||
return (TNEWLINE);
|
||||
- BEGIN 0;
|
||||
+// BEGIN 0;
|
||||
}
|
||||
|
||||
<EXPR>\+ {
|
||||
diff -up ./src/db.c.coverity ./src/db.c
|
||||
--- ./src/db.c.coverity 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./src/db.c 2018-10-10 19:27:18.683632707 +0200
|
||||
@@ -27,6 +27,7 @@
|
||||
#include "db_file.h"
|
||||
#include "db_disk.h"
|
||||
#include "md.h"
|
||||
+#include "fopen.h"
|
||||
|
||||
#ifdef WITH_PSQL
|
||||
#include "db_sql.h"
|
||||
@@ -269,6 +270,9 @@ db_line* db_readline(int db){
|
||||
db_order=&(conf->db_new_order);
|
||||
break;
|
||||
}
|
||||
+ default: {
|
||||
+ return NULL;
|
||||
+ }
|
||||
}
|
||||
|
||||
switch (db_url->type) {
|
||||
@@ -368,7 +372,7 @@ db_line* db_char2line(char** ss,int db){
|
||||
|
||||
int i;
|
||||
db_line* line=(db_line*)malloc(sizeof(db_line)*1);
|
||||
- int* db_osize=0;
|
||||
+ int* db_osize=NULL;
|
||||
DB_FIELD** db_order=NULL;
|
||||
|
||||
switch (db) {
|
||||
@@ -382,6 +386,10 @@ db_line* db_char2line(char** ss,int db){
|
||||
db_order=&(conf->db_new_order);
|
||||
break;
|
||||
}
|
||||
+ default: {
|
||||
+ free(line);
|
||||
+ return NULL;
|
||||
+ }
|
||||
}
|
||||
|
||||
|
||||
@@ -601,7 +609,9 @@ db_line* db_char2line(char** ss,int db){
|
||||
size_t vsz = 0;
|
||||
|
||||
tval = strtok(NULL, ",");
|
||||
- line->xattrs->ents[num].key = db_readchar(strdup(tval));
|
||||
+ char * tmp = strdup(tval);
|
||||
+ line->xattrs->ents[num].key = db_readchar(tmp);
|
||||
+ free(tmp);
|
||||
tval = strtok(NULL, ",");
|
||||
val = base64tobyte(tval, strlen(tval), &vsz);
|
||||
line->xattrs->ents[num].val = val;
|
||||
@@ -648,6 +658,8 @@ db_line* db_char2line(char** ss,int db){
|
||||
|
||||
default : {
|
||||
error(0,_("Not implemented in db_char2line %i \n"),(*db_order)[i]);
|
||||
+ free_db_line(line);
|
||||
+ free(line);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
@@ -826,7 +838,7 @@ void db_close() {
|
||||
case url_ftp:
|
||||
{
|
||||
if (conf->db_out!=NULL) {
|
||||
- url_fclose(conf->db_out);
|
||||
+ url_fclose((URL_FILE*)conf->db_out);
|
||||
}
|
||||
break;
|
||||
}
|
||||
diff -up ./src/db_disk.c.coverity ./src/db_disk.c
|
||||
--- ./src/db_disk.c.coverity 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./src/db_disk.c 2018-10-10 19:28:00.108995089 +0200
|
||||
@@ -79,9 +79,15 @@ static DIR *open_dir(char* path) {
|
||||
|
||||
static void next_in_dir (void)
|
||||
{
|
||||
+
|
||||
#ifdef HAVE_READDIR_R
|
||||
- if (dirh != NULL)
|
||||
+ if (dirh != NULL) {
|
||||
+#pragma GCC diagnostic push
|
||||
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
|
||||
rdres = AIDE_READDIR_R_FUNC (dirh, entp, resp);
|
||||
+#pragma GCC diagnostic pop
|
||||
+ }
|
||||
+
|
||||
#else
|
||||
#ifdef HAVE_READDIR
|
||||
if (dirh != NULL) {
|
||||
diff -up ./src/db_file.c.coverity ./src/db_file.c
|
||||
--- ./src/db_file.c.coverity 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./src/db_file.c 2018-10-10 19:27:18.683632707 +0200
|
||||
@@ -171,7 +171,7 @@ int dofprintf( const char* s,...)
|
||||
int db_file_read_spec(int db){
|
||||
|
||||
int i=0;
|
||||
- int* db_osize=0;
|
||||
+ int* db_osize=NULL;
|
||||
DB_FIELD** db_order=NULL;
|
||||
|
||||
switch (db) {
|
||||
@@ -187,6 +187,9 @@ int db_file_read_spec(int db){
|
||||
db_lineno=&db_new_lineno;
|
||||
break;
|
||||
}
|
||||
+ default: {
|
||||
+ return RETFAIL;
|
||||
+ }
|
||||
}
|
||||
|
||||
*db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD));
|
||||
@@ -198,13 +201,10 @@ int db_file_read_spec(int db){
|
||||
int l;
|
||||
|
||||
|
||||
- /* Yes... we do not check if realloc returns nonnull */
|
||||
-
|
||||
- *db_order=(DB_FIELD*)
|
||||
- realloc((void*)*db_order,
|
||||
+ void * tmp = realloc((void*)*db_order,
|
||||
((*db_osize)+1)*sizeof(DB_FIELD));
|
||||
-
|
||||
- if(*db_order==NULL){
|
||||
+ if (tmp != NULL) *db_order=(DB_FIELD*) tmp;
|
||||
+ else {
|
||||
return RETFAIL;
|
||||
}
|
||||
|
||||
@@ -291,8 +291,8 @@ char** db_readline_file(int db){
|
||||
int* domd=NULL;
|
||||
#ifdef WITH_MHASH
|
||||
MHASH* md=NULL;
|
||||
-#endif
|
||||
char** oldmdstr=NULL;
|
||||
+#endif
|
||||
int* db_osize=0;
|
||||
DB_FIELD** db_order=NULL;
|
||||
FILE** db_filep=NULL;
|
||||
@@ -302,9 +302,9 @@ char** db_readline_file(int db){
|
||||
case DB_OLD: {
|
||||
#ifdef WITH_MHASH
|
||||
md=&(conf->dboldmd);
|
||||
+ oldmdstr=&(conf->old_dboldmdstr);
|
||||
#endif
|
||||
domd=&(conf->do_dboldmd);
|
||||
- oldmdstr=&(conf->old_dboldmdstr);
|
||||
|
||||
db_osize=&(conf->db_in_size);
|
||||
db_order=&(conf->db_in_order);
|
||||
@@ -316,9 +316,9 @@ char** db_readline_file(int db){
|
||||
case DB_NEW: {
|
||||
#ifdef WITH_MHASH
|
||||
md=&(conf->dbnewmd);
|
||||
+ oldmdstr=&(conf->old_dbnewmdstr);
|
||||
#endif
|
||||
domd=&(conf->do_dbnewmd);
|
||||
- oldmdstr=&(conf->old_dbnewmdstr);
|
||||
|
||||
db_osize=&(conf->db_new_size);
|
||||
db_order=&(conf->db_new_order);
|
||||
@@ -328,7 +328,9 @@ char** db_readline_file(int db){
|
||||
break;
|
||||
}
|
||||
}
|
||||
-
|
||||
+
|
||||
+ if (db_osize == NULL) return NULL;
|
||||
+
|
||||
if (*db_osize==0) {
|
||||
db_buff(db,*db_filep);
|
||||
|
||||
@@ -737,8 +739,6 @@ int db_writespec_file(db_config* dbconf)
|
||||
int i=0;
|
||||
int j=0;
|
||||
int retval=1;
|
||||
- void*key=NULL;
|
||||
- int keylen=0;
|
||||
struct tm* st;
|
||||
time_t tim=time(&tim);
|
||||
st=localtime(&tim);
|
||||
@@ -750,6 +750,8 @@ int db_writespec_file(db_config* dbconf)
|
||||
|
||||
#ifdef WITH_MHASH
|
||||
/* From hereon everything must MD'd before write to db */
|
||||
+ void*key=NULL;
|
||||
+ int keylen=0;
|
||||
if((key=get_db_key())!=NULL){
|
||||
keylen=get_db_key_len();
|
||||
dbconf->do_dbnewmd=1;
|
||||
diff -up ./src/do_md.c.coverity ./src/do_md.c
|
||||
--- ./src/do_md.c.coverity 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./src/do_md.c 2018-10-10 19:27:18.683632707 +0200
|
||||
@@ -202,7 +202,6 @@ void calc_md(struct AIDE_STAT_TYPE* old_
|
||||
and we don't read from a pipe :)
|
||||
*/
|
||||
struct AIDE_STAT_TYPE fs;
|
||||
- int sres=0;
|
||||
int stat_diff,filedes;
|
||||
#ifdef WITH_PRELINK
|
||||
pid_t pid;
|
||||
@@ -237,7 +236,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_
|
||||
return;
|
||||
}
|
||||
|
||||
- sres=AIDE_FSTAT_FUNC(filedes,&fs);
|
||||
+ AIDE_FSTAT_FUNC(filedes,&fs);
|
||||
if(!(line->attr&DB_RDEV))
|
||||
fs.st_rdev=0;
|
||||
|
||||
@@ -331,7 +330,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_
|
||||
}
|
||||
#endif
|
||||
#endif /* not HAVE_MMAP */
|
||||
- buf=malloc(READ_BLOCK_SIZE);
|
||||
+// buf=malloc(READ_BLOCK_SIZE);
|
||||
#if READ_BLOCK_SIZE>SSIZE_MAX
|
||||
#error "READ_BLOCK_SIZE" is too large. Max value is SSIZE_MAX, and current is READ_BLOCK_SIZE
|
||||
#endif
|
||||
diff -up ./src/gen_list.c.coverity ./src/gen_list.c
|
||||
--- ./src/gen_list.c.coverity 2016-07-25 22:56:55.000000000 +0200
|
||||
+++ ./src/gen_list.c 2018-10-10 19:27:18.684632716 +0200
|
||||
@@ -843,15 +843,15 @@ static void add_file_to_tree(seltree* tr
|
||||
DB_ATTR_TYPE localignorelist=0;
|
||||
DB_ATTR_TYPE ignored_added_attrs, ignored_removed_attrs, ignored_changed_attrs;
|
||||
|
||||
+ if(file==NULL){
|
||||
+ error(0, "add_file_to_tree was called with NULL db_line\n");
|
||||
+ }
|
||||
+
|
||||
node=get_seltree_node(tree,file->filename);
|
||||
|
||||
if(!node){
|
||||
node=new_seltree_node(tree,file->filename,0,NULL);
|
||||
}
|
||||
-
|
||||
- if(file==NULL){
|
||||
- error(0, "add_file_to_tree was called with NULL db_line\n");
|
||||
- }
|
||||
|
||||
/* add note to this node which db has modified it */
|
||||
node->checked|=db;
|
||||
diff -up ./src/md.c.coverity ./src/md.c
|
||||
--- ./src/md.c.coverity 2018-10-10 19:27:18.679632672 +0200
|
||||
+++ ./src/md.c 2018-10-10 19:27:18.684632716 +0200
|
||||
@@ -36,8 +36,8 @@
|
||||
*/
|
||||
|
||||
DB_ATTR_TYPE hash_gcrypt2attr(int i) {
|
||||
- DB_ATTR_TYPE r=0;
|
||||
#ifdef WITH_GCRYPT
|
||||
+ DB_ATTR_TYPE r=0;
|
||||
switch (i) {
|
||||
case GCRY_MD_MD5: {
|
||||
r=DB_MD5;
|
||||
@@ -74,13 +74,15 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) {
|
||||
default:
|
||||
break;
|
||||
}
|
||||
-#endif
|
||||
return r;
|
||||
+#else /* !WITH_GCRYPT */
|
||||
+ return 0;
|
||||
+#endif
|
||||
}
|
||||
|
||||
const char * hash_gcrypt2str(int i) {
|
||||
- char * r = "?";
|
||||
#ifdef WITH_GCRYPT
|
||||
+ char * r = "?";
|
||||
switch (i) {
|
||||
case GCRY_MD_MD5: {
|
||||
r = "MD5";
|
||||
@@ -117,13 +119,17 @@ const char * hash_gcrypt2str(int i) {
|
||||
default:
|
||||
break;
|
||||
}
|
||||
-#endif
|
||||
return r;
|
||||
+#else /* !WITH_GCRYPT */
|
||||
+ return "?";
|
||||
+#endif
|
||||
}
|
||||
|
||||
+#pragma GCC diagnostic push
|
||||
+#pragma GCC diagnostic ignored "-Wunused-parameter"
|
||||
DB_ATTR_TYPE hash_mhash2attr(int i) {
|
||||
- DB_ATTR_TYPE r=0;
|
||||
#ifdef WITH_MHASH
|
||||
+ DB_ATTR_TYPE r=0;
|
||||
switch (i) {
|
||||
case MHASH_CRC32: {
|
||||
r=DB_CRC32;
|
||||
@@ -198,10 +204,15 @@ DB_ATTR_TYPE hash_mhash2attr(int i) {
|
||||
default:
|
||||
break;
|
||||
}
|
||||
-#endif
|
||||
+
|
||||
return r;
|
||||
+#else /*!WITH_MHASH */
|
||||
+ return 0;
|
||||
+#endif
|
||||
}
|
||||
|
||||
+#pragma GCC diagnostic pop
|
||||
+
|
||||
/*
|
||||
Initialise md_container according it's todo_attr field
|
||||
*/
|
||||
@@ -317,7 +328,6 @@ int init_md(struct md_container* md) {
|
||||
*/
|
||||
|
||||
int update_md(struct md_container* md,void* data,ssize_t size) {
|
||||
- int i;
|
||||
|
||||
error(255,"update_md called\n");
|
||||
|
||||
@@ -328,6 +338,7 @@ int update_md(struct md_container* md,vo
|
||||
#endif
|
||||
|
||||
#ifdef WITH_MHASH
|
||||
+ int i;
|
||||
|
||||
for(i=0;i<=HASH_MHASH_COUNT;i++) {
|
||||
if (md->mhash_mdh[i]!=MHASH_FAILED) {
|
||||
@@ -348,7 +359,6 @@ int update_md(struct md_container* md,vo
|
||||
*/
|
||||
|
||||
int close_md(struct md_container* md) {
|
||||
- int i;
|
||||
#ifdef _PARAMETER_CHECK_
|
||||
if (md==NULL) {
|
||||
return RETFAIL;
|
||||
@@ -356,6 +366,7 @@ int close_md(struct md_container* md) {
|
||||
#endif
|
||||
error(255,"close_md called \n");
|
||||
#ifdef WITH_MHASH
|
||||
+ int i;
|
||||
for(i=0;i<=HASH_MHASH_COUNT;i++) {
|
||||
if (md->mhash_mdh[i]!=MHASH_FAILED) {
|
||||
mhash (md->mhash_mdh[i], NULL, 0);
|
||||
diff -up ./src/util.c.coverity ./src/util.c
|
||||
--- ./src/util.c.coverity 2018-10-10 19:27:18.670632593 +0200
|
||||
+++ ./src/util.c 2018-10-10 19:27:18.684632716 +0200
|
||||
@@ -105,13 +105,15 @@ url_t* parse_url(char* val)
|
||||
for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++);
|
||||
if(r[0]=='\0'){
|
||||
error(0,"Invalid file-URL,no path after hostname: file:%s\n",t);
|
||||
+ free(hostname);
|
||||
return NULL;
|
||||
}
|
||||
u->value=strdup(r);
|
||||
r[0]='\0';
|
||||
if(gethostname(hostname,MAXHOSTNAMELEN)==-1){
|
||||
- strncpy(hostname,"localhost", 10);
|
||||
+ strncpy(hostname,"localhost", 10);
|
||||
}
|
||||
+
|
||||
if( (strcmp(t,"localhost")==0)||(strcmp(t,hostname)==0)){
|
||||
free(hostname);
|
||||
break;
|
||||
@@ -120,7 +122,7 @@ url_t* parse_url(char* val)
|
||||
free(hostname);
|
||||
return NULL;
|
||||
}
|
||||
- free(hostname);
|
||||
+
|
||||
break;
|
||||
}
|
||||
u->value=strdup(r);
|
357
SPECS/aide.spec
Normal file
357
SPECS/aide.spec
Normal file
@ -0,0 +1,357 @@
|
||||
Summary: Intrusion detection environment
|
||||
Name: aide
|
||||
Version: 0.16
|
||||
Release: 100%{?dist}
|
||||
URL: http://sourceforge.net/projects/aide
|
||||
License: GPLv2+
|
||||
|
||||
|
||||
Source0: %{url}/files/aide/%{version}/%{name}-%{version}.tar.gz
|
||||
Source1: aide.conf
|
||||
Source2: README.quickstart
|
||||
Source3: aide.logrotate
|
||||
|
||||
BuildRequires: gcc
|
||||
BuildRequires: make
|
||||
BuildRequires: bison flex
|
||||
BuildRequires: pcre-devel
|
||||
BuildRequires: libgpg-error-devel libgcrypt-devel
|
||||
BuildRequires: zlib-devel
|
||||
BuildRequires: libcurl-devel
|
||||
BuildRequires: libacl-devel
|
||||
BuildRequires: pkgconfig(libselinux)
|
||||
BuildRequires: libattr-devel
|
||||
BuildRequires: e2fsprogs-devel
|
||||
BuildRequires: audit-libs-devel
|
||||
BuildRequires: autoconf automake libtool
|
||||
|
||||
# Customize the database file location in the man page.
|
||||
Patch1: aide-0.16rc1-man.patch
|
||||
# fix aide in FIPS mode
|
||||
Patch2: aide-0.16b1-fipsfix.patch
|
||||
# Bug 1674637 - aide: FTBFS in Fedora rawhide/f30
|
||||
Patch3: aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch
|
||||
|
||||
Patch4: aide-0.15-syslog-format.patch
|
||||
Patch5: aide-0.16-crypto-disable-haval-and-others.patch
|
||||
Patch6: coverity.patch
|
||||
Patch7: aide-0.16-crash-elf.patch
|
||||
Patch8: aide-configure.patch
|
||||
Patch9: aide-static-analysis.patch
|
||||
|
||||
Patch10: aide-0.16-CVE-2021-45417.patch
|
||||
|
||||
%description
|
||||
AIDE (Advanced Intrusion Detection Environment) is a file integrity
|
||||
checker and intrusion detection program.
|
||||
|
||||
%prep
|
||||
%autosetup -p1
|
||||
cp -a %{S:2} .
|
||||
|
||||
%build
|
||||
autoreconf -ivf
|
||||
%configure \
|
||||
--disable-static \
|
||||
--with-config_file=%{_sysconfdir}/aide.conf \
|
||||
--with-gcrypt \
|
||||
--with-zlib \
|
||||
--with-curl \
|
||||
--with-posix-acl \
|
||||
--with-selinux \
|
||||
--with-xattr \
|
||||
--with-e2fsattrs \
|
||||
--with-audit \
|
||||
--with-confighmactype=sha512 \
|
||||
--with-dbhmactype=sha512
|
||||
%make_build
|
||||
|
||||
%install
|
||||
%make_install bindir=%{_sbindir}
|
||||
install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:1}
|
||||
install -Dpm0644 %{S:3} %{buildroot}%{_sysconfdir}/logrotate.d/aide
|
||||
mkdir -p %{buildroot}%{_localstatedir}/log/aide
|
||||
mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
|
||||
|
||||
%files
|
||||
%license COPYING
|
||||
%doc AUTHORS ChangeLog NEWS README doc/manual.html contrib/
|
||||
%doc README.quickstart
|
||||
%{_sbindir}/aide
|
||||
%{_mandir}/man1/*.1*
|
||||
%{_mandir}/man5/*.5*
|
||||
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/aide.conf
|
||||
%config(noreplace) %{_sysconfdir}/logrotate.d/aide
|
||||
%dir %attr(0700,root,root) %{_localstatedir}/lib/aide
|
||||
%dir %attr(0700,root,root) %{_localstatedir}/log/aide
|
||||
|
||||
%changelog
|
||||
* Mon Jan 24 2022 Radovan Sroka <rsroka@redhat.com> - 0.16-100
|
||||
- backport fix for CVE-2021-45417
|
||||
Resolves: rhbz#2041950
|
||||
|
||||
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.16-21
|
||||
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
|
||||
Related: rhbz#1991688
|
||||
|
||||
* Thu May 27 2021 Zoltan Fridrich <zfridric@redhat.com> - 0.16-20
|
||||
- fix configuration option with-dbhmactype
|
||||
- do not use sha1 and md5 by default
|
||||
Resolves: rhbz#1935457
|
||||
- fix important static analysis issues
|
||||
Resolves: rhbz#1938676
|
||||
|
||||
* Mon May 10 2021 Zoltan Fridrich <zfridric@redhat.com> - 0.16-19
|
||||
- use gating and config file from rhel-8.5
|
||||
- remove check of periodically changing files
|
||||
Resolves: rhbz#1957656
|
||||
- config cleanup
|
||||
Resolves: rhbz#1957654
|
||||
|
||||
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 0.16-18
|
||||
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
|
||||
|
||||
* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-17
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||
|
||||
* Fri Jul 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-16
|
||||
- Second attempt - Rebuilt for
|
||||
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-15
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
|
||||
|
||||
* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> 0.16-14
|
||||
- AIDE breaks when setting report_ignore_e2fsattrs
|
||||
Resolves: rhbz#1850276
|
||||
|
||||
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-13
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||
|
||||
* Wed Jul 31 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-12
|
||||
- backport some patches
|
||||
Resolves: rhbz#1717140
|
||||
|
||||
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-11
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||
|
||||
* Wed Feb 20 2019 Daniel Kopecek <dkopecek@redhat.com> - 0.16-10
|
||||
- Fix building with curl
|
||||
Resolves: rhbz#1674637
|
||||
|
||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-9
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
* Tue Jul 31 2018 Florian Weimer <fweimer@redhat.com> - 0.16-8
|
||||
- Rebuild with fixed binutils
|
||||
|
||||
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||
|
||||
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.16-6
|
||||
- Rebuild
|
||||
|
||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-4
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
|
||||
|
||||
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
|
||||
|
||||
* Wed Apr 05 2017 Radovan Sroka <rsroka@redhat.com> - 0.16-2
|
||||
- fixed upstream link
|
||||
|
||||
* Tue Apr 04 2017 Radovan Sroka <rsroka@redhat.com> - 0.16-1
|
||||
- rebase to stable v0.16
|
||||
- specfile cleanup
|
||||
- make doc readable
|
||||
resolves: #1421355
|
||||
- make aide binary runable for any user
|
||||
resolves: #1421351
|
||||
|
||||
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-0.3.rc1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
|
||||
|
||||
* Tue Jul 12 2016 Tomas Sykora <tosykora@redhat.com> - 0.16-0.2.rc1
|
||||
- New upstream devel version
|
||||
|
||||
* Mon Jun 20 2016 Tomas Sykora <tosykora@redhat.com> - 0.16-0.1.b1
|
||||
- New upstream devel version
|
||||
|
||||
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.15.1-12
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
|
||||
|
||||
* Sat Jul 25 2015 Till Maas <opensource@till.name> - 0.15.1-11
|
||||
- Remove prelink dependency because prelink was retired
|
||||
|
||||
* Tue Jun 16 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-10
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-9
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
|
||||
|
||||
* Fri Jul 18 2014 Yaakov Selkowitz <yselkowi@redhat.com> - 0.15.1-8
|
||||
- Fix FTBFS with -Werror=format-security (#1036983, #1105942)
|
||||
- Avoid prelink BR on aarch64, ppc64le (#924977, #1078476)
|
||||
|
||||
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||
|
||||
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-6
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
|
||||
|
||||
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
|
||||
|
||||
* Thu Nov 22 2012 Daniel Kopecek <dkopecek@redhat.com> - 0.15.1-4
|
||||
- added patch to fix aide in FIPS mode
|
||||
- use only FIPS approved digest algorithms in aide.conf so that
|
||||
aide works by default in FIPS mode
|
||||
|
||||
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||
|
||||
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
|
||||
|
||||
* Thu Nov 11 2010 Steve Grubb <sgrubb@redhat.com> - 0.15.1-1
|
||||
- New upstream release
|
||||
|
||||
* Tue May 18 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-5
|
||||
- Apply 2 upstream bug fixes
|
||||
|
||||
* Tue May 18 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-4
|
||||
- Use upstream's patch to fix bz 590566
|
||||
|
||||
* Sat May 15 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-3
|
||||
- Fix bz 590561 aide does not detect the change of SElinux context
|
||||
- Fix bz 590566 aide reports a changed file when it has not been changed
|
||||
|
||||
* Wed Apr 28 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-2
|
||||
- Fix bz 574764 by replacing abort calls with exit
|
||||
- Apply libgcrypt init patch
|
||||
|
||||
* Tue Mar 16 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-1
|
||||
- New upstream release final 0.14
|
||||
|
||||
* Thu Feb 25 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.4.rc3
|
||||
- New upstream release
|
||||
|
||||
* Thu Feb 25 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.3.rc2
|
||||
- New upstream release
|
||||
|
||||
* Tue Feb 23 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.2.rc1
|
||||
- Fix dirent detection on 64bit systems
|
||||
|
||||
* Mon Feb 22 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.1.rc1
|
||||
- New upstream release
|
||||
|
||||
* Fri Feb 19 2010 Steve Grubb <sgrubb@redhat.com> - 0.13.1-16
|
||||
- Add logrotate script and spec file cleanups
|
||||
|
||||
* Fri Dec 11 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-15
|
||||
- Get rid of .dedosify files
|
||||
|
||||
* Wed Dec 09 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-14
|
||||
- Revise patch for Initialize libgcrypt correctly (#530485)
|
||||
|
||||
* Sat Nov 07 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-13
|
||||
- Initialize libgcrypt correctly (#530485)
|
||||
|
||||
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 0.13.1-12
|
||||
- rebuilt with new audit
|
||||
|
||||
* Wed Aug 19 2009 Steve Grubb <sgrubb@redhat.com> 0.13.1-11
|
||||
- rebuild for new audit-libs
|
||||
- Correct regex for root's dot files (#509370)
|
||||
|
||||
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.1-10
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
|
||||
|
||||
* Mon Jun 08 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-9
|
||||
- Make aide smarter about prelinked files (Peter Vrabec)
|
||||
- Add /lib64 to default config
|
||||
|
||||
* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.1-7
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
|
||||
|
||||
* Fri Jan 30 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-6
|
||||
- enable xattr support and update config file
|
||||
|
||||
* Fri Sep 26 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.13.1-5
|
||||
- fix selcon patch to apply without fuzz
|
||||
|
||||
* Fri Feb 15 2008 Steve Conklin <sconklin@redhat.com>
|
||||
- rebuild for gcc4.3
|
||||
|
||||
* Tue Aug 21 2007 Michael Schwendt <mschwendt[AT]users.sf.net>
|
||||
- rebuilt
|
||||
|
||||
* Sun Jul 22 2007 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13.1-2
|
||||
- Apply Steve Conklin's patch to increase displayed portion of
|
||||
selinux context.
|
||||
|
||||
* Sun Dec 17 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13.1-1
|
||||
- Update to 0.13.1 release.
|
||||
|
||||
* Sun Dec 10 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13-1
|
||||
- Update to 0.13 release.
|
||||
- Include default aide.conf from RHEL5 as doc example file.
|
||||
|
||||
* Sun Oct 29 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-3.20061027cvs
|
||||
- CAUTION! This changes the database format and results in a report of
|
||||
false inconsistencies until an old database file is updated.
|
||||
- Check out CVS 20061027 which now contains Red Hat's
|
||||
acl/xattr/selinux/audit patches.
|
||||
- Patches merged upstream.
|
||||
- Update manual page substitutions.
|
||||
|
||||
* Mon Oct 23 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-2
|
||||
- Add "memory leaks and performance updates" patch as posted
|
||||
to aide-devel by Steve Grubb.
|
||||
|
||||
* Sat Oct 07 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-1
|
||||
- Update to 0.12 release.
|
||||
- now offers --disable-static, so -no-static patch is obsolete
|
||||
- fill last element of getopt struct array with zeroes
|
||||
|
||||
* Mon Oct 02 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-3
|
||||
- rebuilt
|
||||
|
||||
* Mon Sep 11 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-2
|
||||
- rebuilt
|
||||
|
||||
* Sun Feb 19 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-1
|
||||
- Update to 0.11 release.
|
||||
- useless-includes patch merged upstream.
|
||||
- old Russian man pages not available anymore.
|
||||
- disable static linking.
|
||||
|
||||
* Thu Apr 7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
|
||||
- rebuilt
|
||||
|
||||
* Fri Nov 28 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.1
|
||||
- Update to 0.10 release.
|
||||
- memleaks patch merged upstream.
|
||||
- rootpath patch merged upstream.
|
||||
- fstat patch not needed anymore.
|
||||
- Updated URL.
|
||||
|
||||
* Thu Nov 13 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.0.2.cvs20031104
|
||||
- Added buildreq m4 to work around incomplete deps of bison package.
|
||||
|
||||
* Tue Nov 04 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.0.1.cvs20031104
|
||||
- Only tar.gz available upstream.
|
||||
- byacc not needed when bison -y is available.
|
||||
- Installed Russian manual pages.
|
||||
- Updated with changes from CVS (2003-11-04).
|
||||
- getopt patch merged upstream.
|
||||
- bison-1.35 patch incorporated upstream.
|
||||
|
||||
* Tue Sep 09 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.9-0.fdr.0.2.20030902
|
||||
- Added fixes for further memleaks.
|
||||
|
||||
* Sun Sep 07 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.9-0.fdr.0.1.20030902
|
||||
- Initial package version.
|
Loading…
Reference in New Issue
Block a user