FIPS related fixes
- added patch to fix aide in FIPS mode - use only FIPS approved digest algorithms in aide.conf so that aide works by default in FIPS mode
parent
9d6982598b
commit
0c33c3d49c
103
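--- /dev/null
+++ b/aide-0.15.1-fipsfix.patch
@@ -0,0 +1,103 @@
+diff -up aide-0.15.1/src/aide.c.fipsfix aide-0.15.1/src/aide.c
+--- aide-0.15.1/src/aide.c.fipsfix 2010-08-08 19:39:31.000000000 +0200
++++ aide-0.15.1/src/aide.c 2012-11-22 16:59:45.378713818 +0100
+@@ -484,9 +484,28 @@ int main(int argc,char**argv)
+#endif
+umask(0177);
+init_sighandler();
+-
+setdefaults_before_config();
+
++#if WITH_GCRYPT
++ error(255,"Gcrypt library initialization\n");
++ /*
++ * Initialize libgcrypt as per
++ * http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
++ *
++ *
++ */
++ gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0);
++ gcry_control(GCRYCTL_INIT_SECMEM, 1);
++
++ if(!gcry_check_version(GCRYPT_VERSION)) {
++ error(0,"libgcrypt version mismatch\n");
++ exit(VERSION_MISMATCH_ERROR);
++ }
++
++ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
++#endif /* WITH_GCRYPT */
++
++
+if(read_param(argc,argv)==RETFAIL){
+error(0, _("Invalid argument\n") );
+exit(INVALID_ARGUMENT_ERROR);
+@@ -641,6 +660,9 @@ int main(int argc,char**argv)
+}
+#endif
+}
++#ifdef WITH_GCRYPT
++ gcry_control(GCRYCTL_TERM_SECMEM, 0);
++#endif /* WITH_GCRYPT */
+return RETOK;
+}
+const char* aide_key_3=CONFHMACKEY_03;
+diff -up aide-0.15.1/src/md.c.fipsfix aide-0.15.1/src/md.c
+--- aide-0.15.1/src/md.c.fipsfix 2010-08-08 19:39:31.000000000 +0200
++++ aide-0.15.1/src/md.c 2012-11-22 16:59:33.166673632 +0100
+@@ -201,14 +201,7 @@ int init_md(struct md_container* md) {
+}
+#endif
+#ifdef WITH_GCRYPT
+- error(255,"Gcrypt library initialization\n");
+- if(!gcry_check_version(GCRYPT_VERSION)) {
+- error(0,"libgcrypt version mismatch\n");
+- exit(VERSION_MISMATCH_ERROR);
+- }
+- gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
+- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+- if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){
++ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
+error(0,"gcrypt_md_open failed\n");
+exit(IO_ERROR);
+}
+@@ -299,7 +292,7 @@ int close_md(struct md_container* md) {
+
+/*. There might be more hashes in the library. Add those here.. */
+
+- gcry_md_reset(md->mdh);
++ gcry_md_close(md->mdh);
+#endif
+
+#ifdef WITH_MHASH
+diff -up aide-0.15.1/src/util.c.fipsfix aide-0.15.1/src/util.c
+--- aide-0.15.1/src/util.c.fipsfix 2010-08-08 19:39:31.000000000 +0200
++++ aide-0.15.1/src/util.c 2012-11-22 16:59:33.166673632 +0100
+@@ -494,28 +494,5 @@ int syslog_facility_lookup(char *s)
+return(AIDE_SYSLOG_FACILITY);
+}
+
+-/* We need these dummy stubs to fool the linker into believing that
+- we do not need them at link time */
+-
+-void* dlopen(char*filename,int flag)
+-{
+- return NULL;
+-}
+-
+-void* dlsym(void*handle,char*symbol)
+-{
+- return NULL;
+-}
+-
+-void* dlclose(void*handle)
+-{
+- return NULL;
+-}
+-
+-const char* dlerror(void)
+-{
+- return NULL;
+-}
+-
+const char* aide_key_2=CONFHMACKEY_02;
+const char* db_key_2=DBHMACKEY_02;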
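Review bot: In the new libgcrypt initialization in main(), `gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0)` and `gcry_control(GCRYCTL_INIT_SECMEM, 1)` are issued before `gcry_check_version(GCRYPT_VERSION)`, whereas the manual page the comment links to makes the version check the first call into the library because it performs subsystem initialization; unless the enforced-FIPS command is one of the few documented as permitted earlier, the two control calls should follow the version check (confirm against the libgcrypt release being targeted). The secure-memory pool is requested with a size of 1 while init_md now opens every digest with `GCRY_MD_FLAG_SECURE`; libgcrypt presumably rounds the pool up to its minimum, but an explicit size such as the manual's `gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0);` would make the intent visible instead of relying on that. The two empty ` *` lines in the comment block should either state why this call order was chosen or be dropped. main() begins and ends outside the hunk.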
|
10
aide.conf
10
aide.conf
@ -51,6 +51,8 @@ report_url=stdout
|
|||||||
#crc32: crc32 checksum (MHASH only)
|
#crc32: crc32 checksum (MHASH only)
|
||||||
#whirlpool: whirlpool checksum (MHASH only)
|
#whirlpool: whirlpool checksum (MHASH only)
|
||||||
|
|
||||||
|
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
|
||||||
|
|
||||||
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
|
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
|
||||||
#L: p+i+n+u+g+acl+selinux+xattrs
|
#L: p+i+n+u+g+acl+selinux+xattrs
|
||||||
#E: Empty group
|
#E: Empty group
|
||||||
@ -65,7 +67,7 @@ EVERYTHING = R+ALLXTRAHASHES
|
|||||||
|
|
||||||
# Sane, with multiple hashes
|
# Sane, with multiple hashes
|
||||||
# NORMAL = R+rmd160+sha256+whirlpool
|
# NORMAL = R+rmd160+sha256+whirlpool
|
||||||
NORMAL = R+rmd160+sha256
|
NORMAL = FIPSR+sha512
|
||||||
|
|
||||||
# For directories, don't bother doing hashes
|
# For directories, don't bother doing hashes
|
||||||
DIR = p+i+n+u+g+acl+selinux+xattrs
|
DIR = p+i+n+u+g+acl+selinux+xattrs
|
||||||
@ -76,12 +78,12 @@ PERMS = p+i+u+g+acl+selinux
|
|||||||
# Logfile are special, in that they often change
|
# Logfile are special, in that they often change
|
||||||
LOG = >
|
LOG = >
|
||||||
|
|
||||||
# Just do md5 and sha256 hashes
|
# Just do sha256 and sha512 hashes
|
||||||
LSPP = R+sha256
|
LSPP = FIPSR+sha512
|
||||||
|
|
||||||
# Some files get updated automatically, so the inode/ctime/mtime change
|
# Some files get updated automatically, so the inode/ctime/mtime change
|
||||||
# but we want to know when the data inside them changes
|
# but we want to know when the data inside them changes
|
||||||
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
|
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
|
||||||
|
|
||||||
# Next decide what directories/files you want in the database.
|
# Next decide what directories/files you want in the database.
|
||||||
|
|
||||||
|
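Review bot: The new FIPSR/NORMAL/LSPP/DATAONLY groups drop md5, rmd160 and tiger, but the built-in `R` group (still documented by the `#R: ...+md5` line) and `EVERYTHING = R+ALLXTRAHASHES` visible in the hunk header are left untouched, so any rule that selects R, EVERYTHING or ALLXTRAHASHES will presumably still pull in md5 and fail under FIPS exactly as before. Consider a comment next to the new group, `# R, EVERYTHING and ALLXTRAHASHES include md5/rmd160/tiger, which are not FIPS approved; use FIPSR, NORMAL or LSPP instead`, and checking the rules further down the file, which are outside this section, for uses of those groups.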
12
aide.spec
12
aide.spec
@ -4,7 +4,7 @@
|
|||||||
Summary: Intrusion detection environment
|
Summary: Intrusion detection environment
|
||||||
Name: aide
|
Name: aide
|
||||||
Version: 0.15.1
|
Version: 0.15.1
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
URL: http://sourceforge.net/projects/aide
|
URL: http://sourceforge.net/projects/aide
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
@ -14,6 +14,8 @@ Source2: README.quickstart
|
|||||||
Source3: aide.logrotate
|
Source3: aide.logrotate
|
||||||
# Customize the database file location in the man page.
|
# Customize the database file location in the man page.
|
||||||
Patch1: aide-0.14-man.patch
|
Patch1: aide-0.14-man.patch
|
||||||
|
# fix aide in FIPS mode
|
||||||
|
Patch2: aide-0.15.1-fipsfix.patch
|
||||||
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
|
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
|
||||||
BuildRequires: mktemp
|
BuildRequires: mktemp
|
||||||
BuildRequires: prelink elfutils-libelf-devel
|
BuildRequires: prelink elfutils-libelf-devel
|
||||||
@ -36,7 +38,8 @@ checker and intrusion detection program.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch1 -p1
|
%patch1 -p1 -b .man
|
||||||
|
%patch2 -p1 -b .fipsfix
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure --with-config_file=%{_sysconfdir}/aide.conf \
|
%configure --with-config_file=%{_sysconfdir}/aide.conf \
|
||||||
@ -85,6 +88,11 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Nov 22 2012 Daniel Kopecek <dkopecek@redhat.com> - 0.15.1-4
|
||||||
|
- added patch to fix aide in FIPS mode
|
||||||
|
- use only FIPS approved digest algorithms in aide.conf so that
|
||||||
|
aide works by default in FIPS mode
|
||||||
|
|
||||||
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-3
|
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-3
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||||
|
|
||||||
|