From b43ff98e62a2bda50445fa39215f57bba18ab8d5 Mon Sep 17 00:00:00 2001
From: Zoltan Fridrich
Date: Mon, 10 May 2021 12:24:57 +0200
Subject: [PATCH] config cleanup

---
 aide.conf | 296 +++++++++++++++++++++++++++++++++-------------------
 aide.spec | 9 +-
 gating.yaml | 6 ++
 3 files changed, 202 insertions(+), 109 deletions(-)
 create mode 100644 gating.yaml

diff --git a/aide.conf b/aide.conf
index cd95c01..5221380 100644
--- a/aide.conf
+++ b/aide.conf
@@ -51,8 +51,6 @@ report_url=stdout
 #crc32: crc32 checksum (MHASH only)
 #whirlpool: whirlpool checksum (MHASH only)
 
-FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-
 #R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
 #L: p+i+n+u+g+acl+selinux+xattrs
 #E: Empty group
@@ -65,159 +63,241 @@ ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
 # Everything but access time (Ie. all changes)
 EVERYTHING = R+ALLXTRAHASHES
 
-# Sane, with multiple hashes
-# NORMAL = R+rmd160+sha256+whirlpool
-NORMAL = FIPSR+sha512
+# Sane
+# NORMAL = R+sha512
+NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
 
 # For directories, don't bother doing hashes
 DIR = p+i+n+u+g+acl+selinux+xattrs
 
 # Access control only
-PERMS = p+i+u+g+acl+selinux
+PERMS = p+u+g+acl+selinux+xattrs
 
 # Logfile are special, in that they often change
-LOG = >
+LOG = p+u+g+n+S+acl+selinux+xattrs
 
-# Just do sha256 and sha512 hashes
-LSPP = FIPSR+sha512
+# Content + file type.
+CONTENT = sha512+ftype
+
+# Extended content + file type + access.
+CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
 
 # Some files get updated automatically, so the inode/ctime/mtime change
 # but we want to know when the data inside them changes
-DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
+DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512
 
 # Next decide what directories/files you want in the database.
 
-/boot NORMAL
-/bin NORMAL
-/sbin NORMAL
-/lib NORMAL
-/lib64 NORMAL
-/opt NORMAL
-/usr NORMAL
-/root NORMAL
+/boot CONTENT_EX
+/opt CONTENT
+
+# Admins dot files constantly change, just check perms
+/root/\..* PERMS
+!/root/.xauth*
+# Otherwise get all of /root.
+/root CONTENT_EX
+
 # These are too volatile
 !/usr/src
 !/usr/tmp
 
-# Check only permissions, inode, user and group for /etc, but
-# cover some important files closely.
-/etc PERMS
-!/etc/mtab
-# Ignore backup files
-!/etc/.*~
-/etc/exports NORMAL
-/etc/fstab NORMAL
-/etc/passwd NORMAL
-/etc/group NORMAL
-/etc/gshadow NORMAL
-/etc/shadow NORMAL
-/etc/security/opasswd NORMAL
+# Otherwise get all of /usr.
+/usr CONTENT_EX
 
-/etc/hosts.allow NORMAL
-/etc/hosts.deny NORMAL
+# trusted databases
+/etc/hosts$ CONTENT_EX
+/etc/host.conf$ CONTENT_EX
+/etc/hostname$ CONTENT_EX
+/etc/issue$ CONTENT_EX
+/etc/issue.net$ CONTENT_EX
+/etc/protocols$ CONTENT_EX
+/etc/services$ CONTENT_EX
+/etc/localtime$ CONTENT_EX
+/etc/alternatives CONTENT_EX
+/etc/sysconfig CONTENT_EX
+/etc/mime.types$ CONTENT_EX
+/etc/terminfo CONTENT_EX
+/etc/exports$ CONTENT_EX
+/etc/fstab$ CONTENT_EX
+/etc/passwd$ CONTENT_EX
+/etc/group$ CONTENT_EX
+/etc/gshadow$ CONTENT_EX
+/etc/shadow$ CONTENT_EX
+/etc/subgid$ CONTENT_EX
+/etc/subuid$ CONTENT_EX
+/etc/security/opasswd$ CONTENT_EX
+/etc/skel CONTENT_EX
+/etc/sssd CONTENT_EX
+/etc/machine-id$ CONTENT_EX
+/etc/swid CONTENT_EX
+/etc/system-release-cpe$ CONTENT_EX
+/etc/shells$ CONTENT_EX
+/etc/tmux.conf$ CONTENT_EX
+/etc/xattr.conf$ CONTENT_EX
 
-/etc/sudoers NORMAL
-/etc/skel NORMAL
+# networking
+/etc/firewalld CONTENT_EX
+!/etc/NetworkManager/system-connections
+/etc/NetworkManager CONTENT_EX
+/etc/networks$ CONTENT_EX
+/etc/dhcp CONTENT_EX
+/etc/wpa_supplicant CONTENT_EX
+/etc/resolv.conf$ DATAONLY
+/etc/nscd.conf$ CONTENT_EX
 
-/etc/logrotate.d NORMAL
+# logins and accounts
+/etc/login.defs$ CONTENT_EX
+/etc/libuser.conf$ CONTENT_EX
+/var/log/faillog$ PERMS
+/var/log/lastlog$ PERMS
+/var/run/faillock PERMS
+/etc/pam.d CONTENT_EX
+/etc/security CONTENT_EX
+/etc/securetty$ CONTENT_EX
+/etc/polkit-1 CONTENT_EX
+/etc/sudo.conf$ CONTENT_EX
+/etc/sudoers$ CONTENT_EX
+/etc/sudoers.d CONTENT_EX
 
-/etc/resolv.conf DATAONLY
-
-/etc/nscd.conf NORMAL
-/etc/securetty NORMAL
-
-# Shell/X starting files
-/etc/profile NORMAL
-/etc/bashrc NORMAL
-/etc/bash_completion.d/ NORMAL
-/etc/login.defs NORMAL
-/etc/zprofile NORMAL
-/etc/zshrc NORMAL
-/etc/zlogin NORMAL
-/etc/zlogout NORMAL
-/etc/profile.d/ NORMAL
-/etc/X11/ NORMAL
+# Shell/X startup files
+/etc/profile$ CONTENT_EX
+/etc/profile.d CONTENT_EX
+/etc/bashrc$ CONTENT_EX
+/etc/bash_completion.d CONTENT_EX
+/etc/zprofile$ CONTENT_EX
+/etc/zshrc$ CONTENT_EX
+/etc/zlogin$ CONTENT_EX
+/etc/zlogout$ CONTENT_EX
+/etc/X11 CONTENT_EX
 
 # Pkg manager
-/etc/yum.conf NORMAL
-/etc/yumex.conf NORMAL
-/etc/yumex.profiles.conf NORMAL
-/etc/yum/ NORMAL
-/etc/yum.repos.d/ NORMAL
-
-/var/log LOG
-/var/run/utmp LOG
+/etc/dnf CONTENT_EX
+/etc/yum.conf$ CONTENT_EX
+/etc/yum CONTENT_EX
+/etc/yum.repos.d CONTENT_EX
 
 # This gets new/removes-old filenames daily
 !/var/log/sa
 # As we are checking it, we've truncated yesterdays size to zero.
 !/var/log/aide.log
 
-# LSPP rules...
+# auditing
 # AIDE produces an audit record, so this becomes perpetual motion.
-# /var/log/audit/ LSPP
-/etc/audit/ LSPP
-/etc/libaudit.conf LSPP
-/usr/sbin/stunnel LSPP
-/var/spool/at LSPP
-/etc/at.allow LSPP
-/etc/at.deny LSPP
-/etc/cron.allow LSPP
-/etc/cron.deny LSPP
-/etc/cron.d/ LSPP
-/etc/cron.daily/ LSPP
-/etc/cron.hourly/ LSPP
-/etc/cron.monthly/ LSPP
-/etc/cron.weekly/ LSPP
-/etc/crontab LSPP
-/var/spool/cron/root LSPP
+/var/log/audit PERMS
+/etc/audit CONTENT_EX
+/etc/libaudit.conf$ CONTENT_EX
+/etc/aide.conf$ CONTENT_EX
 
-/etc/login.defs LSPP
-/etc/securetty LSPP
-/var/log/faillog LSPP
-/var/log/lastlog LSPP
+# System logs
+/etc/rsyslog.conf$ CONTENT_EX
+/etc/rsyslog.d CONTENT_EX
+/etc/logrotate.conf$ CONTENT_EX
+/etc/logrotate.d CONTENT_EX
+/etc/systemd/journald.conf$ CONTENT_EX
+/var/log LOG+ANF+ARF
+/var/run/utmp LOG
 
-/etc/hosts LSPP
-/etc/sysconfig LSPP
+# secrets
+/etc/pkcs11 CONTENT_EX
+/etc/pki CONTENT_EX
+/etc/crypto-policies CONTENT_EX
+/etc/certmonger CONTENT_EX
+/var/lib/systemd/random-seed$ PERMS
 
-/etc/inittab LSPP
-/etc/grub/ LSPP
-/etc/rc.d LSPP
+# init system
+/etc/systemd CONTENT_EX
+/etc/rc.d CONTENT_EX
+/etc/tmpfiles.d CONTENT_EX
 
-/etc/ld.so.conf LSPP
+# boot config
+/etc/default CONTENT_EX
+/etc/grub.d CONTENT_EX
+/etc/dracut.conf$ CONTENT_EX
+/etc/dracut.conf.d CONTENT_EX
 
-/etc/localtime LSPP
+# glibc linker
+/etc/ld.so.cache$ CONTENT_EX
+/etc/ld.so.conf$ CONTENT_EX
+/etc/ld.so.conf.d CONTENT_EX
+/etc/ld.so.preload$ CONTENT_EX
 
-/etc/sysctl.conf LSPP
+# kernel config
+/etc/sysctl.conf$ CONTENT_EX
+/etc/sysctl.d CONTENT_EX
+/etc/modprobe.d CONTENT_EX
+/etc/modules-load.d CONTENT_EX
+/etc/depmod.d CONTENT_EX
+/etc/udev CONTENT_EX
+/etc/crypttab$ CONTENT_EX
 
-/etc/modprobe.conf LSPP
+#### Daemons ####
 
-/etc/pam.d LSPP
-/etc/security LSPP
-/etc/aliases LSPP
-/etc/postfix LSPP
+# cron jobs
+/etc/at.allow$ CONTENT
+/etc/at.deny$ CONTENT
+/etc/anacrontab$ CONTENT_EX
+/etc/cron.allow$ CONTENT_EX
+/etc/cron.deny$ CONTENT_EX
+/etc/cron.d CONTENT_EX
+/etc/cron.daily CONTENT_EX
+/etc/cron.hourly CONTENT_EX
+/etc/cron.monthly CONTENT_EX
+/etc/cron.weekly CONTENT_EX
+/etc/crontab$ CONTENT_EX
+/var/spool/cron/root CONTENT
 
-/etc/ssh/sshd_config LSPP
-/etc/ssh/ssh_config LSPP
+# time keeping
+/etc/chrony.conf$ CONTENT_EX
+/etc/chrony.keys$ CONTENT_EX
 
-/etc/stunnel LSPP
+# mail
+/etc/aliases$ CONTENT_EX
+/etc/aliases.db$ CONTENT_EX
+/etc/postfix CONTENT_EX
 
-/etc/vsftpd.ftpusers LSPP
-/etc/vsftpd LSPP
+# ssh
+/etc/ssh/sshd_config$ CONTENT_EX
+/etc/ssh/ssh_config$ CONTENT_EX
 
-/etc/issue LSPP
-/etc/issue.net LSPP
+# stunnel
+/etc/stunnel CONTENT_EX
 
-/etc/cups LSPP
+# printing
+/etc/cups CONTENT_EX
+/etc/cupshelpers CONTENT_EX
+/etc/avahi CONTENT_EX
+
+# web server
+/etc/httpd CONTENT_EX
+
+# dns
+/etc/named CONTENT_EX
+/etc/named.conf$ CONTENT_EX
+/etc/named.iscdlv.key$ CONTENT_EX
+/etc/named.rfc1912.zones$ CONTENT_EX
+/etc/named.root.key$ CONTENT_EX
+
+# xinetd
+/etc/xinetd.conf$ CONTENT_EX
+/etc/xinetd.d CONTENT_EX
+
+# IPsec
+/etc/ipsec.conf$ CONTENT_EX
+/etc/ipsec.secrets$ CONTENT_EX
+/etc/ipsec.d CONTENT_EX
+
+# USB guard
+/etc/usbguard CONTENT_EX
+
+# Ignore some files
+!/etc/mtab$
+!/etc/.*~
+
+# Now everything else
+/etc PERMS
 
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
 #
 #=/lost\+found DIR
 #=/home DIR
-
-# Ditto /var/log/sa reason...
-!/var/log/and-httpd
-
-# Admins dot files constantly change, just check perms
-/root/\..* PERMS
diff --git a/aide.spec b/aide.spec
index e1c0330..a975118 100644
--- a/aide.spec
+++ b/aide.spec
@@ -1,7 +1,7 @@
 Summary: Intrusion detection environment
 Name: aide
 Version: 0.16
-Release: 18%{?dist}
+Release: 19%{?dist}
 URL: http://sourceforge.net/projects/aide
 License: GPLv2+
 
@@ -80,6 +80,13 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
 %dir %attr(0700,root,root) %{_localstatedir}/log/aide
 
 %changelog
+* Mon May 10 2021 Zoltan Fridrich - 0.16-19
+- use gating and config file from rhel-8.5
+- remove check of periodically changing files
+  Resolves: rhbz#1957656
+- config cleanup
+  Resolves: rhbz#1957654
+
 * Thu Apr 15 2021 Mohan Boddu - 0.16-18
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021.
   Related: rhbz#1947937
diff --git a/gating.yaml b/gating.yaml
new file mode 100644
index 0000000..c190bde
--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
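Review bot: `CONTENT = sha512+ftype` records neither mode nor ownership, so the four rules that use it (`/opt CONTENT`, `/etc/at.allow$ CONTENT`, `/etc/at.deny$ CONTENT`, `/var/spool/cron/root CONTENT`) will not report a chmod or chown on a file whose bytes are unchanged, for example a changed setuid bit on a binary under /opt; unless that is intended, `/opt CONTENT_EX` (and likewise for the other three) closes that gap. `/var/run/faillock PERMS` and `/var/run/utmp LOG` are written against /var/run, which on recent Fedora/RHEL is a symlink to /run; if AIDE records that symlink as a leaf instead of descending into it, these two rules match nothing and would need to be `/run/faillock` and `/run/utmp` — worth confirming on a target system. The new `!/root/.xauth*` is a regular expression, not a shell glob: the unescaped `.` matches any character and the `*` binds only to the preceding `h`, so `!/root/\.xauth` states the intent exactly, since rules are already matched as prefixes (which is why the new entries end in `$`). `DIR = p+i+n+u+g+acl+selinux+xattrs` is now referenced only from the commented-out `#=/lost\+found DIR` and `#=/home DIR` lines; a one-line comment saying it is kept for those examples, or dropping it, avoids a dangling definition.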