config cleanup

aide.conf

@@ -51,8 +51,6 @@ report_url=stdout
 #crc32:  crc32 checksum (MHASH only)
 #whirlpool:     whirlpool checksum (MHASH only)
 
-FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
-
 #R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
 #L:             p+i+n+u+g+acl+selinux+xattrs
 #E:             Empty group
@@ -65,159 +63,241 @@ ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
 # Everything but access time (Ie. all changes)
 EVERYTHING = R+ALLXTRAHASHES
 
-# Sane, with multiple hashes
-# NORMAL = R+rmd160+sha256+whirlpool
-NORMAL = FIPSR+sha512
+# Sane
+# NORMAL = R+sha512
+NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
 
 # For directories, don't bother doing hashes
 DIR = p+i+n+u+g+acl+selinux+xattrs
 
 # Access control only
-PERMS = p+i+u+g+acl+selinux
+PERMS = p+u+g+acl+selinux+xattrs
 
 # Logfile are special, in that they often change
-LOG = >
+LOG = p+u+g+n+S+acl+selinux+xattrs
 
-# Just do sha256 and sha512 hashes
-LSPP = FIPSR+sha512
+# Content + file type.
+CONTENT = sha512+ftype
+
+# Extended content + file type + access.
+CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
 
 # Some files get updated automatically, so the inode/ctime/mtime change
 # but we want to know when the data inside them changes
-DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
+DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha512
 
 # Next decide what directories/files you want in the database.
 
-/boot   NORMAL
-/bin    NORMAL
-/sbin   NORMAL
-/lib    NORMAL
-/lib64  NORMAL
-/opt    NORMAL
-/usr    NORMAL
-/root   NORMAL
+/boot       CONTENT_EX
+/opt        CONTENT
+
+# Admins dot files constantly change, just check perms
+/root/\..* PERMS
+!/root/.xauth*
+# Otherwise get all of /root.
+/root   CONTENT_EX
+
 # These are too volatile
 !/usr/src
 !/usr/tmp
 
-# Check only permissions, inode, user and group for /etc, but
-# cover some important files closely.
-/etc    PERMS
-!/etc/mtab
-# Ignore backup files
-!/etc/.*~
-/etc/exports  NORMAL
-/etc/fstab    NORMAL
-/etc/passwd   NORMAL
-/etc/group    NORMAL
-/etc/gshadow  NORMAL
-/etc/shadow   NORMAL
-/etc/security/opasswd   NORMAL
+# Otherwise get all of /usr.
+/usr    CONTENT_EX
 
-/etc/hosts.allow   NORMAL
-/etc/hosts.deny    NORMAL
+# trusted databases
+/etc/hosts$      CONTENT_EX
+/etc/host.conf$  CONTENT_EX
+/etc/hostname$   CONTENT_EX
+/etc/issue$      CONTENT_EX
+/etc/issue.net$  CONTENT_EX
+/etc/protocols$  CONTENT_EX
+/etc/services$   CONTENT_EX
+/etc/localtime$  CONTENT_EX
+/etc/alternatives CONTENT_EX
+/etc/sysconfig   CONTENT_EX
+/etc/mime.types$ CONTENT_EX
+/etc/terminfo    CONTENT_EX
+/etc/exports$    CONTENT_EX
+/etc/fstab$      CONTENT_EX
+/etc/passwd$     CONTENT_EX
+/etc/group$      CONTENT_EX
+/etc/gshadow$    CONTENT_EX
+/etc/shadow$     CONTENT_EX
+/etc/subgid$     CONTENT_EX
+/etc/subuid$     CONTENT_EX
+/etc/security/opasswd$ CONTENT_EX
+/etc/skel        CONTENT_EX
+/etc/sssd        CONTENT_EX
+/etc/machine-id$ CONTENT_EX
+/etc/swid        CONTENT_EX
+/etc/system-release-cpe$ CONTENT_EX
+/etc/shells$     CONTENT_EX
+/etc/tmux.conf$  CONTENT_EX
+/etc/xattr.conf$ CONTENT_EX
 
-/etc/sudoers NORMAL
-/etc/skel NORMAL
+# networking
+/etc/firewalld      CONTENT_EX
+!/etc/NetworkManager/system-connections
+/etc/NetworkManager CONTENT_EX
+/etc/networks$ CONTENT_EX
+/etc/dhcp CONTENT_EX
+/etc/wpa_supplicant CONTENT_EX
+/etc/resolv.conf$ DATAONLY
+/etc/nscd.conf$ CONTENT_EX
 
-/etc/logrotate.d NORMAL
+# logins and accounts
+/etc/login.defs$ CONTENT_EX
+/etc/libuser.conf$ CONTENT_EX
+/var/log/faillog$ PERMS
+/var/log/lastlog$ PERMS
+/var/run/faillock PERMS
+/etc/pam.d CONTENT_EX
+/etc/security CONTENT_EX
+/etc/securetty$ CONTENT_EX
+/etc/polkit-1 CONTENT_EX
+/etc/sudo.conf$ CONTENT_EX
+/etc/sudoers$ CONTENT_EX
+/etc/sudoers.d CONTENT_EX
 
-/etc/resolv.conf DATAONLY
-
-/etc/nscd.conf NORMAL
-/etc/securetty NORMAL
-
-# Shell/X starting files
-/etc/profile NORMAL
-/etc/bashrc NORMAL
-/etc/bash_completion.d/ NORMAL
-/etc/login.defs NORMAL
-/etc/zprofile NORMAL
-/etc/zshrc NORMAL
-/etc/zlogin NORMAL
-/etc/zlogout NORMAL
-/etc/profile.d/ NORMAL
-/etc/X11/ NORMAL
+# Shell/X startup files
+/etc/profile$ CONTENT_EX
+/etc/profile.d CONTENT_EX
+/etc/bashrc$ CONTENT_EX
+/etc/bash_completion.d CONTENT_EX
+/etc/zprofile$ CONTENT_EX
+/etc/zshrc$ CONTENT_EX
+/etc/zlogin$ CONTENT_EX
+/etc/zlogout$ CONTENT_EX
+/etc/X11 CONTENT_EX
 
 # Pkg manager
-/etc/yum.conf NORMAL
-/etc/yumex.conf NORMAL
-/etc/yumex.profiles.conf NORMAL
-/etc/yum/ NORMAL
-/etc/yum.repos.d/ NORMAL
-
-/var/log   LOG
-/var/run/utmp LOG
+/etc/dnf CONTENT_EX
+/etc/yum.conf$ CONTENT_EX
+/etc/yum CONTENT_EX
+/etc/yum.repos.d CONTENT_EX
 
 # This gets new/removes-old filenames daily
 !/var/log/sa
 # As we are checking it, we've truncated yesterdays size to zero.
 !/var/log/aide.log
 
-# LSPP rules...
+# auditing
 # AIDE produces an audit record, so this becomes perpetual motion.
-# /var/log/audit/ LSPP
-/etc/audit/ LSPP
-/etc/libaudit.conf LSPP
-/usr/sbin/stunnel LSPP
-/var/spool/at LSPP
-/etc/at.allow LSPP
-/etc/at.deny LSPP
-/etc/cron.allow LSPP
-/etc/cron.deny LSPP
-/etc/cron.d/ LSPP
-/etc/cron.daily/ LSPP
-/etc/cron.hourly/ LSPP
-/etc/cron.monthly/ LSPP
-/etc/cron.weekly/ LSPP
-/etc/crontab LSPP
-/var/spool/cron/root LSPP
+/var/log/audit PERMS
+/etc/audit CONTENT_EX
+/etc/libaudit.conf$ CONTENT_EX
+/etc/aide.conf$  CONTENT_EX
 
-/etc/login.defs LSPP
-/etc/securetty LSPP
-/var/log/faillog LSPP
-/var/log/lastlog LSPP
+# System logs
+/etc/rsyslog.conf$ CONTENT_EX
+/etc/rsyslog.d CONTENT_EX
+/etc/logrotate.conf$ CONTENT_EX
+/etc/logrotate.d CONTENT_EX
+/etc/systemd/journald.conf$ CONTENT_EX
+/var/log LOG+ANF+ARF
+/var/run/utmp LOG
 
-/etc/hosts LSPP
-/etc/sysconfig LSPP
+# secrets
+/etc/pkcs11 CONTENT_EX
+/etc/pki CONTENT_EX
+/etc/crypto-policies CONTENT_EX
+/etc/certmonger CONTENT_EX
+/var/lib/systemd/random-seed$ PERMS
 
-/etc/inittab LSPP
-/etc/grub/ LSPP
-/etc/rc.d LSPP
+# init system
+/etc/systemd CONTENT_EX
+/etc/rc.d CONTENT_EX
+/etc/tmpfiles.d CONTENT_EX
 
-/etc/ld.so.conf LSPP
+# boot config
+/etc/default CONTENT_EX
+/etc/grub.d CONTENT_EX
+/etc/dracut.conf$ CONTENT_EX
+/etc/dracut.conf.d CONTENT_EX
 
-/etc/localtime LSPP
+# glibc linker
+/etc/ld.so.cache$ CONTENT_EX
+/etc/ld.so.conf$ CONTENT_EX
+/etc/ld.so.conf.d CONTENT_EX
+/etc/ld.so.preload$ CONTENT_EX
 
-/etc/sysctl.conf LSPP
+# kernel config
+/etc/sysctl.conf$ CONTENT_EX
+/etc/sysctl.d CONTENT_EX
+/etc/modprobe.d CONTENT_EX
+/etc/modules-load.d CONTENT_EX
+/etc/depmod.d CONTENT_EX
+/etc/udev CONTENT_EX
+/etc/crypttab$ CONTENT_EX
 
-/etc/modprobe.conf LSPP
+#### Daemons ####
 
-/etc/pam.d LSPP
-/etc/security LSPP
-/etc/aliases LSPP
-/etc/postfix LSPP
+# cron jobs
+/etc/at.allow$ CONTENT
+/etc/at.deny$ CONTENT
+/etc/anacrontab$ CONTENT_EX
+/etc/cron.allow$ CONTENT_EX
+/etc/cron.deny$ CONTENT_EX
+/etc/cron.d CONTENT_EX
+/etc/cron.daily CONTENT_EX
+/etc/cron.hourly CONTENT_EX
+/etc/cron.monthly CONTENT_EX
+/etc/cron.weekly CONTENT_EX
+/etc/crontab$ CONTENT_EX
+/var/spool/cron/root CONTENT
 
-/etc/ssh/sshd_config LSPP
-/etc/ssh/ssh_config LSPP
+# time keeping
+/etc/chrony.conf$ CONTENT_EX
+/etc/chrony.keys$ CONTENT_EX
 
-/etc/stunnel LSPP
+# mail
+/etc/aliases$ CONTENT_EX
+/etc/aliases.db$ CONTENT_EX
+/etc/postfix CONTENT_EX
 
-/etc/vsftpd.ftpusers LSPP
-/etc/vsftpd LSPP
+# ssh
+/etc/ssh/sshd_config$ CONTENT_EX
+/etc/ssh/ssh_config$ CONTENT_EX
 
-/etc/issue LSPP
-/etc/issue.net LSPP
+# stunnel
+/etc/stunnel CONTENT_EX
 
-/etc/cups LSPP
+# printing
+/etc/cups CONTENT_EX
+/etc/cupshelpers CONTENT_EX
+/etc/avahi CONTENT_EX
+
+# web server
+/etc/httpd CONTENT_EX
+
+# dns
+/etc/named CONTENT_EX
+/etc/named.conf$ CONTENT_EX
+/etc/named.iscdlv.key$ CONTENT_EX
+/etc/named.rfc1912.zones$ CONTENT_EX
+/etc/named.root.key$ CONTENT_EX
+
+# xinetd
+/etc/xinetd.conf$ CONTENT_EX
+/etc/xinetd.d CONTENT_EX
+
+# IPsec
+/etc/ipsec.conf$ CONTENT_EX
+/etc/ipsec.secrets$ CONTENT_EX
+/etc/ipsec.d CONTENT_EX
+
+# USB guard
+/etc/usbguard CONTENT_EX
+
+# Ignore some files
+!/etc/mtab$
+!/etc/.*~
+
+# Now everything else
+/etc    PERMS
 
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
 #
 #=/lost\+found    DIR
 #=/home           DIR
-
-# Ditto /var/log/sa reason...
-!/var/log/and-httpd
-
-# Admins dot files constantly change, just check perms
-/root/\..* PERMS

aide.spec

@@ -1,7 +1,7 @@
 Summary:        Intrusion detection environment
 Name:           aide
 Version:        0.16
-Release:        18%{?dist}
+Release:        19%{?dist}
 URL:            http://sourceforge.net/projects/aide
 License:        GPLv2+
 
@@ -80,6 +80,13 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
 %dir %attr(0700,root,root) %{_localstatedir}/log/aide
 
 %changelog
+* Mon May 10 2021 Zoltan Fridrich <zfridric@redhat.com> - 0.16-19
+- use gating and config file from rhel-8.5
+- remove check of periodically changing files
+  Resolves: rhbz#1957656
+- config cleanup
+  Resolves: rhbz#1957654
+
 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 0.16-18
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}