diff --git a/aide-0.12-dedosify.patch b/aide-0.12-dedosify.patch
new file mode 100644
index 0000000..8755725
--- /dev/null
+++ b/aide-0.12-dedosify.patch
@@ -0,0 +1,174 @@
+--- aide-0.12/contrib/gpg2_check.sh.spc 2007-06-21 12:37:06.000000000 -0400
++++ aide-0.12/contrib/gpg2_check.sh 2007-06-21 12:39:53.000000000 -0400
+@@ -1,32 +1,32 @@
+-#!/bin/sh
+-# $Id: gpg2_check.sh,v 1.1 2006/01/22 20:25:37 rvdb Exp $
+-
+-# Script by Vincent Danen
+-
+-hostname=`uname -n`
+-echo "AIDE integrity check for ${hostname} beginning (`date`)"
+-echo ""
+-if [ ! -e /var/lib/aide/aide.db ] ; then
+- echo "**** Error: AIDE database for ${hostname} not found."
+- echo "**** Run 'aide --init' and move the appropriate database file."
+-else
+- if [ -f /etc/aide.conf ]; then
+- if [ -f /var/lib/aide/aide.db.sig ]; then
+- pushd /var/lib/aide >/dev/null
+- echo "Verifying the GPG signature on the database..."
+- echo ""
+- gpg --verify aide.db.sig
+- echo ""
+- if [ "$?" == "1" ]; then
+- echo "************************************************************"
+- echo "GPG signature FAILED! Your database has been tampered with!"
+- echo "************************************************************"
+- exit 1
+- fi
+- popd >/dev/null
+- fi
+- nice -20 /usr/sbin/aide --check 2>/dev/null
+- fi
+-fi
+-
+-exit 0
++#!/bin/sh
++# $Id: gpg2_check.sh,v 1.1 2006/01/22 20:25:37 rvdb Exp $
++
++# Script by Vincent Danen
++
++hostname=`uname -n`
++echo "AIDE integrity check for ${hostname} beginning (`date`)"
++echo ""
++if [ ! -e /var/lib/aide/aide.db ] ; then
++ echo "**** Error: AIDE database for ${hostname} not found."
++ echo "**** Run 'aide --init' and move the appropriate database file."
++else
++ if [ -f /etc/aide.conf ]; then
++ if [ -f /var/lib/aide/aide.db.sig ]; then
++ pushd /var/lib/aide >/dev/null
++ echo "Verifying the GPG signature on the database..."
++ echo ""
++ gpg --verify aide.db.sig
++ echo ""
++ if [ "$?" == "1" ]; then
++ echo "************************************************************"
++ echo "GPG signature FAILED! Your database has been tampered with!"
++ echo "************************************************************"
++ exit 1
++ fi
++ popd >/dev/null
++ fi
++ nice -20 /usr/sbin/aide --check 2>/dev/null
++ fi
++fi
++
++exit 0
+--- aide-0.12/contrib/gpg2_update.sh.spc 2007-06-21 12:37:24.000000000 -0400
++++ aide-0.12/contrib/gpg2_update.sh 2007-06-21 12:39:43.000000000 -0400
+@@ -1,52 +1,52 @@
+-#!/bin/sh
+-# $Id: gpg2_update.sh,v 1.1 2006/01/22 20:25:37 rvdb Exp $
+-#
+-# script to update and rotate the AIDE database files and, optionally
+-# create a detached GPG signature to verify the database file
+-#
+-# written by Vincent Danen 01/21/2006
+-
+-usegpg=0
+-
+-if [ -f /root/.gnupg/secring.gpg ]; then
+- usegpg=1
+-fi
+-
+-if [ ! -d /var/lib/aide ]; then
+- echo "The AIDE database directory /var/lib/aide does not exist!"
+- exit 1
+-fi
+-
+-pushd /var/lib/aide >/dev/null
+-
+-# copy the old database
+-if [ -f aide.db ]; then
+- newfile="aide-`hostname`-`date +%Y%m%d-%H%M%S`.db"
+- if [ "${usegpg}" == 1 -a -f aide.db.sig ]; then
+- # do an integrity check
+- gpg --verify aide.db.sig
+- if [ "$?" == "1" ]; then
+- echo "************************************************************"
+- echo "GPG signature FAILED! Your database has been tampered with!"
+- echo "************************************************************"
+- exit 1
+- fi
+- fi
+- cp -av aide.db ${newfile}
+- /usr/sbin/aide --update -B "database=file:/var/lib/aide/${newfile}"
+- if [ "${usegpg}" == "1" ]; then
+- # create the signature file
+- [[ -f aide.db.sig ]] && rm -f aide.db.sig
+- gpg --detach-sign aide.db
+- if [ "$?" == "1" ]; then
+- echo "FATAL: Error occurred when creating the signature file!"
+- exit 1
+- fi
+- fi
+- gzip -9f ${newfile}
+-else
+- echo "The AIDE database does not exist, can't update!"
+- exit 1
+-fi
+-
+-popd >/dev/null
++#!/bin/sh
++# $Id: gpg2_update.sh,v 1.1 2006/01/22 20:25:37 rvdb Exp $
++#
++# script to update and rotate the AIDE database files and, optionally
++# create a detached GPG signature to verify the database file
++#
++# written by Vincent Danen 01/21/2006
++
++usegpg=0
++
++if [ -f /root/.gnupg/secring.gpg ]; then
++ usegpg=1
++fi
++
++if [ ! -d /var/lib/aide ]; then
++ echo "The AIDE database directory /var/lib/aide does not exist!"
++ exit 1
++fi
++
++pushd /var/lib/aide >/dev/null
++
++# copy the old database
++if [ -f aide.db ]; then
++ newfile="aide-`hostname`-`date +%Y%m%d-%H%M%S`.db"
++ if [ "${usegpg}" == 1 -a -f aide.db.sig ]; then
++ # do an integrity check
++ gpg --verify aide.db.sig
++ if [ "$?" == "1" ]; then
++ echo "************************************************************"
++ echo "GPG signature FAILED! Your database has been tampered with!"
++ echo "************************************************************"
++ exit 1
++ fi
++ fi
++ cp -av aide.db ${newfile}
++ /usr/sbin/aide --update -B "database=file:/var/lib/aide/${newfile}"
++ if [ "${usegpg}" == "1" ]; then
++ # create the signature file
++ [[ -f aide.db.sig ]] && rm -f aide.db.sig
++ gpg --detach-sign aide.db
++ if [ "$?" == "1" ]; then
++ echo "FATAL: Error occurred when creating the signature file!"
++ exit 1
++ fi
++ fi
++ gzip -9f ${newfile}
++else
++ echo "The AIDE database does not exist, can't update!"
++ exit 1
++fi
++
++popd >/dev/null
diff --git a/aide-0.12-selcon.patch b/aide-0.13.1-contextsize.patch
similarity index 100%
rename from aide-0.12-selcon.patch
rename to aide-0.13.1-contextsize.patch
diff --git a/aide.conf b/aide.conf
index ce68965..bc1af8e 100644
--- a/aide.conf
+++ b/aide.conf
@@ -1,6 +1,7 @@ # Example configuration file for AIDE. @@define DBDIR /var/lib/aide +@@define LOGDIR /var/log/aide # The location of the database to be read. database=file:@@{DBDIR}/aide.db.gz
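Review bot: In gpg2_check.sh the tamper test `if [ "$?" == "1" ]; then` reads the exit status of the `echo ""` that sits between it and `gpg --verify aide.db.sig`, so a bad signature can never trip it and `aide --check` runs against an unverified database; gpg also uses exit status 2 (not 1) for other failures such as a missing public key, which both scripts then treat as success. Test the command itself: `if ! gpg --verify aide.db.sig; then`, and do the same for the second verify and the `gpg --detach-sign aide.db` call in gpg2_update.sh. Both scripts also use `pushd`/`popd`, `[[ ]]` and `==` under `#!/bin/sh`, which a POSIX sh such as dash rejects. This commit only strips the CRLF line endings, so these are upstream contrib defects rather than regressions, but since the files ship as %doc it is worth either fixing them in this patch or warning about them in README.quickstart.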
@@ -16,7 +17,7 @@ gzip_dbout=yes # Default. verbose=5 -report_url=file:/var/log/aide.log +report_url=file:@@{LOGDIR}/aide.log report_url=stdout #report_url=stderr #NOT IMPLEMENTED report_url=mailto:root@foo.com @@ -35,23 +36,52 @@ report_url=stdout #a: atime #c: ctime #S: check for growing size +#acl: Access Control Lists +#selinux SELinux security context +#xattrs: Extended file attributes #md5: md5 checksum #sha1: sha1 checksum +#sha256: sha256 checksum +#sha512: sha512 checksum #rmd160: rmd160 checksum #tiger: tiger checksum -#haval: haval checksum -#gost: gost checksum -#crc32: crc32 checksum -#R: p+i+n+u+g+s+m+c+md5 -#L: p+i+n+u+g -#E: Empty group -#>: Growing logfile p+u+g+i+n+S + +#haval: haval checksum (MHASH only) +#gost: gost checksum (MHASH only) +#crc32: crc32 checksum (MHASH only) +#whirlpool: whirlpool checksum (MHASH only) + +#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 +#L: p+i+n+u+g+acl+selinux+xattrs +#E: Empty group +#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs # You can create custom rules like this. +# With MHASH... +# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 +ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger +# Everything but access time (Ie. all changes) +EVERYTHING = R+ALLXTRAHASHES -NORMAL = R+b+sha1 +# Sane, with multiple hashes +# NORMAL = R+rmd160+sha256+whirlpool +NORMAL = R+rmd160+sha256 -DIR = p+i+n+u+g +# For directories, don't bother doing hashes +DIR = p+i+n+u+g+acl+selinux+xattrs + +# Access control only +PERMS = p+i+u+g+acl+selinux + +# Logfile are special, in that they often change +LOG = > + +# Just do md5 and sha256 hashes +LSPP = R+sha256 + +# Some files get updated automatically, so the inode/ctime/mtime change +# but we want to know when the data inside them changes +DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger # Next decide what directories/files you want in the database. 
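Review bot: `PERMS = p+i+u+g+acl+selinux` is the only new rule without `xattrs`, although the sibling `DIR`, `L` and `>` definitions in this hunk all carry it and the spec now builds with `--with-xattr`; since `/etc PERMS` (next hunk) applies it to the whole of /etc, extended-attribute changes there go unreported. Make it `PERMS = p+i+u+g+acl+selinux+xattrs`. Two small things: `#selinux SELinux security context` is missing the colon its neighbours have, and the `LSPP = R+sha256` comment `# Just do md5 and sha256 hashes` is only true because `R` includes md5, which is worth stating so the next editor does not "fix" it.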
@@ -62,19 +92,120 @@ DIR = p+i+n+u+g /opt NORMAL /usr NORMAL /root NORMAL +# These are too volatile +!/usr/src +!/usr/tmp # Check only permissions, inode, user and group for /etc, but # cover some important files closely. -/etc p+i+u+g +/etc PERMS !/etc/mtab +# Ignore backup files +!/etc/.*~ /etc/exports NORMAL /etc/fstab NORMAL /etc/passwd NORMAL /etc/group NORMAL /etc/gshadow NORMAL /etc/shadow NORMAL +/etc/security/opasswd NORMAL -/var/log p+n+u+g +/etc/hosts.allow NORMAL +/etc/hosts.deny NORMAL + +/etc/sudoers NORMAL +/etc/skel NORMAL + +/etc/logrotate.d NORMAL + +/etc/resolv.conf DATAONLY + +/etc/nscd.conf NORMAL +/etc/securetty NORMAL + +# Shell/X starting files +/etc/profile NORMAL +/etc/bashrc NORMAL +/etc/bash_completion.d/ NORMAL +/etc/login.defs NORMAL +/etc/zprofile NORMAL +/etc/zshrc NORMAL +/etc/zlogin NORMAL +/etc/zlogout NORMAL +/etc/profile.d/ NORMAL +/etc/X11/ NORMAL + +# Pkg manager +/etc/yum.conf NORMAL +/etc/yumex.conf NORMAL +/etc/yumex.profiles.conf NORMAL +/etc/yum/ NORMAL +/etc/yum.repos.d/ NORMAL + +/var/log LOG +/var/run/utmp LOG + +# This gets new/removes-old filenames daily +!/var/log/sa +# As we are checking it, we've truncated yesterdays size to zero. +!/var/log/aide.log + +# LSPP rules... +# AIDE produces an audit record, so this becomes perpetual motion. 
+# /var/log/audit/ LSPP +/etc/audit/ LSPP +/etc/libaudit.conf LSPP +/usr/sbin/stunnel LSPP +/var/spool/at LSPP +/etc/at.allow LSPP +/etc/at.deny LSPP +/etc/cron.allow LSPP +/etc/cron.deny LSPP +/etc/cron.d/ LSPP +/etc/cron.daily/ LSPP +/etc/cron.hourly/ LSPP +/etc/cron.monthly/ LSPP +/etc/cron.weekly/ LSPP +/etc/crontab LSPP +/var/spool/cron/root LSPP + +/etc/login.defs LSPP +/etc/securetty LSPP +/var/log/faillog LSPP +/var/log/lastlog LSPP + +/etc/hosts LSPP +/etc/sysconfig LSPP + +/etc/inittab LSPP +/etc/grub/ LSPP +/etc/rc.d LSPP + +/etc/ld.so.conf LSPP + +/etc/localtime LSPP + +/etc/sysctl.conf LSPP + +/etc/modprobe.conf LSPP + +/etc/pam.d LSPP +/etc/security LSPP +/etc/aliases LSPP +/etc/postfix LSPP + +/etc/ssh/sshd_config LSPP +/etc/ssh/ssh_config LSPP + +/etc/stunnel LSPP + +/etc/vsftpd.ftpusers LSPP +/etc/vsftpd LSPP + +/etc/issue LSPP +/etc/issue.net LSPP + +/etc/cups LSPP # With AIDE's default verbosity level of 5, these would give lots of # warnings upon tree traversal. It might change with future version. @@ -82,3 +213,8 @@ DIR = p+i+n+u+g #=/lost\+found DIR #=/home DIR +# Ditto /var/log/sa reason... +!/var/log/and-httpd + +# Admins dot files constantly change, just check perms +/root/.* PERMS diff --git a/aide.conf.rhel b/aide.conf.rhel deleted file mode 100644 index 8144a9e..0000000 --- a/aide.conf.rhel +++ /dev/null 
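Review bot: `!/var/log/aide.log` still excludes the old report path, but the `@@ -16,7` hunk moved `report_url` to `file:@@{LOGDIR}/aide.log`, i.e. /var/log/aide/aide.log, which lies inside the `/var/log LOG` tree; the comment on the exclusion itself says the report is truncated on each run, so with the stale path every check will flag its own previous report. Point the exclusion at the define, `!@@{LOGDIR}/aide.log` (or the literal `!/var/log/aide/aide.log` if macros are not expanded in selection lines). Expect `/var/log/lastlog LSPP` and `/var/log/faillog LSPP` to fire on every login, since `R` hashes content and those files are rewritten in place — acceptable if that is the LSPP intent, but worth a comment. `/etc/grub/ LSPP` also lost the `# Grub isn't in LSPP, but pretend it is` note from the removed aide.conf.rhel; if, as on Fedora/RHEL of this era, grub's configuration lives under /boot/grub with /etc/grub.conf as a symlink, confirm the directory exists or the line selects nothing.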
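Review bot: `/root/.* PERMS` does not restrict itself to dot files: selection lines are regular expressions, and the unescaped `.` followed by `*` matches every path under /root, so if this line wins over `/root NORMAL` for those paths the whole of root's home drops to owner/permission checks and content changes to `/root/.ssh/authorized_keys` or `/root/.bashrc` are no longer hashed. Escape the dot, `/root/\..* PERMS`, and keep the ssh material under a hashing rule with a more specific line such as `/root/\.ssh NORMAL`. The earlier `!/etc/.*~` (previous hunk) has the same unescaped dot but is harmless there, since "anything under /etc ending in ~" is exactly the intent.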
@@ -1,215 +0,0 @@
-# Example configuration file for AIDE.
-
-@@define DBDIR /var/lib/aide
-
-# The location of the database to be read.
-database=file:@@{DBDIR}/aide.db.gz
-
-# The location of the database to be written.
-#database_out=sql:host:port:database:login_name:passwd:table
-#database_out=file:aide.db.new
-database_out=file:@@{DBDIR}/aide.db.new.gz
-
-# Whether to gzip the output to database
-gzip_dbout=yes
-
-# Default.
-verbose=5
-
-report_url=file:/var/log/aide.log
-report_url=stdout
-#report_url=stderr
-#NOT IMPLEMENTED report_url=mailto:root@foo.com
-#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
-
-# These are the default rules.
-#
-#p: permissions
-#i: inode:
-#n: number of links
-#u: user
-#g: group
-#s: size
-#b: block count
-#m: mtime
-#a: atime
-#c: ctime
-#acl: Access Control Lists
-#selinux SELinux security context
-#xattrs: Extended file attributes
-#S: check for growing size
-#md5: md5 checksum
-#sha1: sha1 checksum
-#sha256: sha256 checksum
-#sha512: sha512 checksum
-#rmd160: rmd160 checksum
-#tiger: tiger checksum
-
-#haval: haval checksum (MHASH only)
-#gost: gost checksum (MHASH only)
-#crc32: crc32 checksum (MHASH only)
-#whirlpool: whirlpool checksum (MHASH only)
-
-#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
-#L: p+i+n+u+g+acl+selinux+xattrs
-#E: Empty group
-#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
-
-# You can create custom rules like this.
-# With MHASH...
-# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
-ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
-# Everything but access time (Ie. all changes)
-EVERYTHING = R+ALLXTRAHASHES
-
-# Sane, with multiple hashes
-# NORMAL = R+rmd160+sha256+whirlpool
-NORMAL = R+rmd160+sha256
-
-# For directories, don't bother doing hashes
-DIR = p+i+n+u+g+acl+selinux+xattrs
-
-# Access control only
-PERMS = p+i+u+g+acl+selinux
-
-# Logfile are special, in that they often change
-LOG = >
-
-# Just do md5 and sha256 hashes
-LSPP = R+sha256
-
-# Some files get updated automatically, so the inode/ctime/mtime change
-# but we want to know when the data inside them changes
-DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
-
-# Next decide what directories/files you want in the database.
-
-/boot NORMAL
-/bin NORMAL
-/sbin NORMAL
-/lib NORMAL
-/opt NORMAL
-/usr NORMAL
-/root NORMAL
-# These are too volatile
-!/usr/src
-!/usr/tmp
-
-# Check only permissions, inode, user and group for /etc, but
-# cover some important files closely.
-/etc PERMS
-!/etc/mtab
-# Ignore backup files
-!/etc/.*~
-/etc/exports NORMAL
-/etc/fstab NORMAL
-/etc/passwd NORMAL
-/etc/group NORMAL
-/etc/gshadow NORMAL
-/etc/shadow NORMAL
-/etc/security/opasswd NORMAL
-
-/etc/hosts.allow NORMAL
-/etc/hosts.deny NORMAL
-
-/etc/sudoers NORMAL
-/etc/skel NORMAL
-
-/etc/logrotate.d NORMAL
-
-/etc/resolv.conf DATAONLY
-
-/etc/nscd.conf NORMAL
-/etc/securetty NORMAL
-
-# Shell/X starting files
-/etc/profile NORMAL
-/etc/bashrc NORMAL
-/etc/bash_completion.d/ NORMAL
-/etc/login.defs NORMAL
-/etc/zprofile NORMAL
-/etc/zshrc NORMAL
-/etc/zlogin NORMAL
-/etc/zlogout NORMAL
-/etc/profile.d/ NORMAL
-/etc/X11/ NORMAL
-
-# Pkg manager
-/etc/yum.conf NORMAL
-/etc/yumex.conf NORMAL
-/etc/yumex.profiles.conf NORMAL
-/etc/yum/ NORMAL
-/etc/yum.repos.d/ NORMAL
-
-/var/log LOG
-# This gets new/removes-old filenames daily
-!/var/log/sa
-# As we are checking it, we've truncated yesterdays size to zero.
-!/var/log/aide.log
-
-# LSPP rules...
-# AIDE produces an audit record, so this becomes perpetual motion.
-# /var/log/audit/ LSPP
-/etc/audit/ LSPP
-/etc/libaudit.conf LSPP
-/usr/sbin/stunnel LSPP
-/var/spool/at LSPP
-/etc/at.allow LSPP
-/etc/at.deny LSPP
-/etc/cron.allow LSPP
-/etc/cron.deny LSPP
-/etc/cron.d/ LSPP
-/etc/cron.daily/ LSPP
-/etc/cron.hourly/ LSPP
-/etc/cron.monthly/ LSPP
-/etc/cron.weekly/ LSPP
-/etc/crontab LSPP
-/var/spool/cron/root LSPP
-
-/etc/login.defs LSPP
-/etc/securetty LSPP
-/var/log/faillog LSPP
-/var/log/lastlog LSPP
-
-/etc/hosts LSPP
-/etc/sysconfig LSPP
-
-/etc/inittab LSPP
-# Grub isn't in LSPP, but pretend it is
-/etc/grub/ LSPP
-/etc/rc.d LSPP
-
-/etc/ld.so.conf LSPP
-
-/etc/localtime LSPP
-
-/etc/sysctl.conf LSPP
-
-/etc/modprobe.conf LSPP
-
-/etc/pam.d LSPP
-/etc/security LSPP
-/etc/aliases LSPP
-/etc/postfix LSPP
-
-/etc/ssh/sshd_config LSPP
-/etc/ssh/ssh_config LSPP
-
-/etc/stunnel LSPP
-
-/etc/vsftpd.ftpusers LSPP
-/etc/vsftpd LSPP
-
-/etc/issue LSPP
-/etc/issue.net LSPP
-
-/etc/cups LSPP
-
-# With AIDE's default verbosity level of 5, these would give lots of
-# warnings upon tree traversal. It might change with future version.
-#
-#=/lost\+found DIR
-#=/home DIR
-
-# Dito /var/log/sa reason...
-!/var/log/and-httpd
diff --git a/aide.spec b/aide.spec
index cdbee51..7b94ccb 100644
--- a/aide.spec
+++ b/aide.spec
@@ -7,25 +7,26 @@ Summary: Intrusion detection environment Name: aide Version: 0.13.1 -Release: 5%{?dist} +Release: 6%{?dist} URL: http://sourceforge.net/projects/aide License: GPLv2+ Group: Applications/System Source0: http://download.sourceforge.net/aide/aide-%{version}.tar.gz Source1: aide.conf Source2: README.quickstart -Source3: aide.conf.rhel -Patch0: aide-0.13.1-manuals.patch -Patch1: aide-0.12-selcon.patch +Patch1: aide-0.13.1-contextsize.patch +Patch2: aide-0.12-dedosify.patch +Patch3: aide-0.13.1-manuals.patch Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n) -Buildrequires: mhash-devel zlib-devel +BuildRequires: mktemp +Buildrequires: mhash-devel +Buildrequires: zlib-devel libgcrypt-devel Buildrequires: flex bison +Buildrequires: libattr-devel libacl-devel libselinux-devel +Buildrequires: audit-libs-devel >= 1.2.8-2 %if "%{?_with_curl}x" != "x" Buildrequires: curl-devel %endif -Buildrequires: pkgconfig -Buildrequires: libattr-devel libacl-devel libselinux-devel -Buildrequires: audit-libs-devel >= 1.2.8-2 #Buildrequires: postgresql-devel libgcrypt-devel #(needs --with-psql and -lgcrypt in src/Makefile.in) @@ -36,22 +37,19 @@ checker and intrusion detection program. %prep %setup -q - -%patch0 -p1 -b .manuals -# Adjust default paths in manual (not as safe as the patch). -#sed -i -e 's!@sysconfdir@/aide.db\(.new\)\?!%{_localstatedir}/lib/aide/aide.db\1.gz!' doc/aide.1.in -#sed -i -e 's!@sysconfdir@/aide.conf!%{_sysconfdir}/aide.conf!' doc/aide.1.in -%patch1 -p1 -b .selcon +%patch1 -p1 -b .contextsize +%patch2 -p1 -b .dedosify +%patch3 -p1 -b .manpages %build %configure --with-config_file=%{_sysconfdir}/aide.conf \ --with-zlib \ + --disable-static \ --with-mhash --enable-mhash \ %{?_with_curl} %{?_without_curl} \ - --with-selinux --with-posix-acl --with-configmactype=sha256 \ - --with-audit \ - %{?nostatic} + --with-selinux --with-posix-acl --with-audit \ + --with-xattr make %{?_smp_mflags} 
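Review bot: `libgcrypt-devel` joins BuildRequires, but the `%configure` line in the next hunk still selects only mhash (`--with-mhash --enable-mhash`) and the retained comment below this hunk says gcrypt needs `--with-psql and -lgcrypt in src/Makefile.in`, so unless configure auto-detects the library this is a build dependency that is never linked — either pass the matching configure option or drop it. `BuildRequires: mktemp` likewise has no visible user in the %prep/%build/%install sections shown, and `Buildrequires: pkgconfig` is removed without a changelog mention.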
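Review bot: The `%configure` call drops `--with-configmactype=sha256` and adds `--disable-static` next to the `--with-xattr` the changelog credits, and neither of the other two is mentioned anywhere; the removed option's name suggests it pinned the algorithm for the config-file MAC, so if that is intentional say so in the changelog, otherwise restore it as ` --with-configmactype=sha256 \`. `%patch3 -p1 -b .manpages` also changes the backup suffix for the unchanged `aide-0.13.1-manuals.patch` from `.manuals`, while `%patch1`'s suffix was renamed to match its file; `-b .manuals` keeps patch name and suffix aligned.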
@@ -59,11 +57,11 @@ make %{?_smp_mflags} %install rm -rf $RPM_BUILD_ROOT %makeinstall bindir=$RPM_BUILD_ROOT%{_sbindir} +mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/aide mkdir -p $RPM_BUILD_ROOT%{_sysconfdir} install -p %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir} mkdir -p -m0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/aide install -p %{SOURCE2} README.quickstart -install -p %{SOURCE3} aide.conf.rhel %clean @@ -73,15 +71,19 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(0644,root,root,0755) %doc AUTHORS COPYING ChangeLog NEWS README doc/manual.html contrib/ -%doc README.quickstart aide.conf.rhel +%doc README.quickstart %attr(0700,root,root) %{_sbindir}/aide %{_mandir}/man1/* %{_mandir}/man5/* %config(noreplace) %attr(0600,root,root) %{_sysconfdir}/aide.conf %dir %attr(0700,root,root) %{_localstatedir}/lib/aide +%dir %attr(0700,root,root) %{_localstatedir}/log/aide %changelog +* Fri Jan 30 2009 Steve Grubb - 0.13.1-6 +- enable xattr support and update config file + * Fri Sep 26 2008 Tom "spot" Callaway - 0.13.1-5 - fix selcon patch to apply without fuzz
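Review bot: The changelog entry `- enable xattr support and update config file` under-describes 0.13.1-6: this hunk also creates and packages a new root-only `%{_localstatedir}/log/aide` directory and stops shipping `aide.conf.rhel` as %doc, and elsewhere in the commit a line-ending patch is added and configure options change. Admins following `rpm -q --changelog` will not learn that the report now lands in /var/log/aide/aide.log, so add a line per change, e.g. `- move report_url to /var/log/aide/aide.log and package the directory`. Dropping `%doc aide.conf.rhel` now that aide.conf carries that profile is fine, but because aide.conf is `%config(noreplace)` upgrading hosts keep their old file and will not pick up the new rules or log path without a merge — worth a changelog or README.quickstart note too.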