- enable xattr support and update config file

This commit is contained in:
Steve Grubb 2009-01-30 21:39:33 +00:00
parent 7d279b9716
commit ac87434af1
5 changed files with 343 additions and 246 deletions

174
aide-0.12-dedosify.patch Normal file
View File

@ -0,0 +1,174 @@
--- aide-0.12/contrib/gpg2_check.sh.spc 2007-06-21 12:37:06.000000000 -0400
+++ aide-0.12/contrib/gpg2_check.sh 2007-06-21 12:39:53.000000000 -0400
@@ -1,32 +1,32 @@
-#!/bin/sh
-# $Id: gpg2_check.sh,v 1.1 2006/01/22 20:25:37 rvdb Exp $
-
-# Script by Vincent Danen <vdanen@linsec.ca>
-
-hostname=`uname -n`
-echo "AIDE integrity check for ${hostname} beginning (`date`)"
-echo ""
-if [ ! -e /var/lib/aide/aide.db ] ; then
- echo "**** Error: AIDE database for ${hostname} not found."
- echo "**** Run 'aide --init' and move the appropriate database file."
-else
- if [ -f /etc/aide.conf ]; then
- if [ -f /var/lib/aide/aide.db.sig ]; then
- pushd /var/lib/aide >/dev/null
- echo "Verifying the GPG signature on the database..."
- echo ""
- gpg --verify aide.db.sig
- echo ""
- if [ "$?" == "1" ]; then
- echo "************************************************************"
- echo "GPG signature FAILED! Your database has been tampered with!"
- echo "************************************************************"
- exit 1
- fi
- popd >/dev/null
- fi
- nice -20 /usr/sbin/aide --check 2>/dev/null
- fi
-fi
-
-exit 0
+#!/bin/sh
+# $Id: gpg2_check.sh,v 1.1 2006/01/22 20:25:37 rvdb Exp $
+
+# Script by Vincent Danen <vdanen@linsec.ca>
+
+hostname=`uname -n`
+echo "AIDE integrity check for ${hostname} beginning (`date`)"
+echo ""
+if [ ! -e /var/lib/aide/aide.db ] ; then
+ echo "**** Error: AIDE database for ${hostname} not found."
+ echo "**** Run 'aide --init' and move the appropriate database file."
+else
+ if [ -f /etc/aide.conf ]; then
+ if [ -f /var/lib/aide/aide.db.sig ]; then
+ pushd /var/lib/aide >/dev/null
+ echo "Verifying the GPG signature on the database..."
+ echo ""
+ gpg --verify aide.db.sig
+ echo ""
+ if [ "$?" == "1" ]; then
+ echo "************************************************************"
+ echo "GPG signature FAILED! Your database has been tampered with!"
+ echo "************************************************************"
+ exit 1
+ fi
+ popd >/dev/null
+ fi
+ nice -20 /usr/sbin/aide --check 2>/dev/null
+ fi
+fi
+
+exit 0
--- aide-0.12/contrib/gpg2_update.sh.spc 2007-06-21 12:37:24.000000000 -0400
+++ aide-0.12/contrib/gpg2_update.sh 2007-06-21 12:39:43.000000000 -0400
@@ -1,52 +1,52 @@
-#!/bin/sh
-# $Id: gpg2_update.sh,v 1.1 2006/01/22 20:25:37 rvdb Exp $
-#
-# script to update and rotate the AIDE database files and, optionally
-# create a detached GPG signature to verify the database file
-#
-# written by Vincent Danen <vdanen-at-annvix.org> 01/21/2006
-
-usegpg=0
-
-if [ -f /root/.gnupg/secring.gpg ]; then
- usegpg=1
-fi
-
-if [ ! -d /var/lib/aide ]; then
- echo "The AIDE database directory /var/lib/aide does not exist!"
- exit 1
-fi
-
-pushd /var/lib/aide >/dev/null
-
-# copy the old database
-if [ -f aide.db ]; then
- newfile="aide-`hostname`-`date +%Y%m%d-%H%M%S`.db"
- if [ "${usegpg}" == 1 -a -f aide.db.sig ]; then
- # do an integrity check
- gpg --verify aide.db.sig
- if [ "$?" == "1" ]; then
- echo "************************************************************"
- echo "GPG signature FAILED! Your database has been tampered with!"
- echo "************************************************************"
- exit 1
- fi
- fi
- cp -av aide.db ${newfile}
- /usr/sbin/aide --update -B "database=file:/var/lib/aide/${newfile}"
- if [ "${usegpg}" == "1" ]; then
- # create the signature file
- [[ -f aide.db.sig ]] && rm -f aide.db.sig
- gpg --detach-sign aide.db
- if [ "$?" == "1" ]; then
- echo "FATAL: Error occurred when creating the signature file!"
- exit 1
- fi
- fi
- gzip -9f ${newfile}
-else
- echo "The AIDE database does not exist, can't update!"
- exit 1
-fi
-
-popd >/dev/null
+#!/bin/sh
+# $Id: gpg2_update.sh,v 1.1 2006/01/22 20:25:37 rvdb Exp $
+#
+# script to update and rotate the AIDE database files and, optionally
+# create a detached GPG signature to verify the database file
+#
+# written by Vincent Danen <vdanen-at-annvix.org> 01/21/2006
+
+usegpg=0
+
+if [ -f /root/.gnupg/secring.gpg ]; then
+ usegpg=1
+fi
+
+if [ ! -d /var/lib/aide ]; then
+ echo "The AIDE database directory /var/lib/aide does not exist!"
+ exit 1
+fi
+
+pushd /var/lib/aide >/dev/null
+
+# copy the old database
+if [ -f aide.db ]; then
+ newfile="aide-`hostname`-`date +%Y%m%d-%H%M%S`.db"
+ if [ "${usegpg}" == 1 -a -f aide.db.sig ]; then
+ # do an integrity check
+ gpg --verify aide.db.sig
+ if [ "$?" == "1" ]; then
+ echo "************************************************************"
+ echo "GPG signature FAILED! Your database has been tampered with!"
+ echo "************************************************************"
+ exit 1
+ fi
+ fi
+ cp -av aide.db ${newfile}
+ /usr/sbin/aide --update -B "database=file:/var/lib/aide/${newfile}"
+ if [ "${usegpg}" == "1" ]; then
+ # create the signature file
+ [[ -f aide.db.sig ]] && rm -f aide.db.sig
+ gpg --detach-sign aide.db
+ if [ "$?" == "1" ]; then
+ echo "FATAL: Error occurred when creating the signature file!"
+ exit 1
+ fi
+ fi
+ gzip -9f ${newfile}
+else
+ echo "The AIDE database does not exist, can't update!"
+ exit 1
+fi
+
+popd >/dev/null

158
aide.conf
View File

@ -1,6 +1,7 @@
# Example configuration file for AIDE.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz
@ -16,7 +17,7 @@ gzip_dbout=yes
# Default.
verbose=5
report_url=file:/var/log/aide.log
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
@ -35,23 +36,52 @@ report_url=stdout
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#gost: gost checksum
#crc32: crc32 checksum
#R: p+i+n+u+g+s+m+c+md5
#L: p+i+n+u+g
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES
NORMAL = R+b+sha1
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256
DIR = p+i+n+u+g
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
# Access control only
PERMS = p+i+u+g+acl+selinux
# Logfile are special, in that they often change
LOG = >
# Just do md5 and sha256 hashes
LSPP = R+sha256
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
# Next decide what directories/files you want in the database.
@ -62,19 +92,120 @@ DIR = p+i+n+u+g
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc p+i+u+g
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/var/log p+n+u+g
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
# Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL
/var/log LOG
/var/run/utmp LOG
# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log
# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP
/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP
/etc/hosts LSPP
/etc/sysconfig LSPP
/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP
/etc/ld.so.conf LSPP
/etc/localtime LSPP
/etc/sysctl.conf LSPP
/etc/modprobe.conf LSPP
/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP
/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP
/etc/stunnel LSPP
/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP
/etc/issue LSPP
/etc/issue.net LSPP
/etc/cups LSPP
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
@ -82,3 +213,8 @@ DIR = p+i+n+u+g
#=/lost\+found DIR
#=/home DIR
# Ditto /var/log/sa reason...
!/var/log/and-httpd
# Admins dot files constantly change, just check perms
/root/.* PERMS

View File

@ -1,215 +0,0 @@
# Example configuration file for AIDE.
@@define DBDIR /var/lib/aide
# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default.
verbose=5
report_url=file:/var/log/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#S: check for growing size
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
# Access control only
PERMS = p+i+u+g+acl+selinux
# Logfile are special, in that they often change
LOG = >
# Just do md5 and sha256 hashes
LSPP = R+sha256
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
# Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL
/var/log LOG
# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log
# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP
/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP
/etc/hosts LSPP
/etc/sysconfig LSPP
/etc/inittab LSPP
# Grub isn't in LSPP, but pretend it is
/etc/grub/ LSPP
/etc/rc.d LSPP
/etc/ld.so.conf LSPP
/etc/localtime LSPP
/etc/sysctl.conf LSPP
/etc/modprobe.conf LSPP
/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP
/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP
/etc/stunnel LSPP
/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP
/etc/issue LSPP
/etc/issue.net LSPP
/etc/cups LSPP
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found DIR
#=/home DIR
# Dito /var/log/sa reason...
!/var/log/and-httpd

View File

@ -7,25 +7,26 @@
Summary: Intrusion detection environment
Name: aide
Version: 0.13.1
Release: 5%{?dist}
Release: 6%{?dist}
URL: http://sourceforge.net/projects/aide
License: GPLv2+
Group: Applications/System
Source0: http://download.sourceforge.net/aide/aide-%{version}.tar.gz
Source1: aide.conf
Source2: README.quickstart
Source3: aide.conf.rhel
Patch0: aide-0.13.1-manuals.patch
Patch1: aide-0.12-selcon.patch
Patch1: aide-0.13.1-contextsize.patch
Patch2: aide-0.12-dedosify.patch
Patch3: aide-0.13.1-manuals.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
Buildrequires: mhash-devel zlib-devel
BuildRequires: mktemp
Buildrequires: mhash-devel
Buildrequires: zlib-devel libgcrypt-devel
Buildrequires: flex bison
Buildrequires: libattr-devel libacl-devel libselinux-devel
Buildrequires: audit-libs-devel >= 1.2.8-2
%if "%{?_with_curl}x" != "x"
Buildrequires: curl-devel
%endif
Buildrequires: pkgconfig
Buildrequires: libattr-devel libacl-devel libselinux-devel
Buildrequires: audit-libs-devel >= 1.2.8-2
#Buildrequires: postgresql-devel libgcrypt-devel
#(needs --with-psql and -lgcrypt in src/Makefile.in)
@ -36,22 +37,19 @@ checker and intrusion detection program.
%prep
%setup -q
%patch0 -p1 -b .manuals
# Adjust default paths in manual (not as safe as the patch).
#sed -i -e 's!@sysconfdir@/aide.db\(.new\)\?!%{_localstatedir}/lib/aide/aide.db\1.gz!' doc/aide.1.in
#sed -i -e 's!@sysconfdir@/aide.conf!%{_sysconfdir}/aide.conf!' doc/aide.1.in
%patch1 -p1 -b .selcon
%patch1 -p1 -b .contextsize
%patch2 -p1 -b .dedosify
%patch3 -p1 -b .manpages
%build
%configure --with-config_file=%{_sysconfdir}/aide.conf \
--with-zlib \
--disable-static \
--with-mhash --enable-mhash \
%{?_with_curl} %{?_without_curl} \
--with-selinux --with-posix-acl --with-configmactype=sha256 \
--with-audit \
%{?nostatic}
--with-selinux --with-posix-acl --with-audit \
--with-xattr
make %{?_smp_mflags}
@ -59,11 +57,11 @@ make %{?_smp_mflags}
%install
rm -rf $RPM_BUILD_ROOT
%makeinstall bindir=$RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/aide
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}
install -p %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}
mkdir -p -m0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/aide
install -p %{SOURCE2} README.quickstart
install -p %{SOURCE3} aide.conf.rhel
%clean
@ -73,15 +71,19 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(0644,root,root,0755)
%doc AUTHORS COPYING ChangeLog NEWS README doc/manual.html contrib/
%doc README.quickstart aide.conf.rhel
%doc README.quickstart
%attr(0700,root,root) %{_sbindir}/aide
%{_mandir}/man1/*
%{_mandir}/man5/*
%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/aide.conf
%dir %attr(0700,root,root) %{_localstatedir}/lib/aide
%dir %attr(0700,root,root) %{_localstatedir}/log/aide
%changelog
* Fri Jan 30 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-6
- enable xattr support and update config file
* Fri Sep 26 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.13.1-5
- fix selcon patch to apply without fuzz