import aide-0.16-11.el8

2019-11-05 14:47:35 -05:00 · 2019-11-05 14:47:35 -05:00 · f7e8351a14
commit f7e8351a14
parent ca4bb72a72
3 changed files with 247 additions and 106 deletions
--- a/SOURCES/aide.conf
+++ b/SOURCES/aide.conf
@ -51,8 +51,6 @@ report_url=stdout
 #crc32:  crc32 checksum (MHASH only)
 #whirlpool:     whirlpool checksum (MHASH only)
 FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
 #R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
 #L:             p+i+n+u+g+acl+selinux+xattrs
 #E:             Empty group
@ -65,150 +63,245 @@ ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
 # Everything but access time (Ie. all changes)
 EVERYTHING = R+ALLXTRAHASHES
-# Sane, with multiple hashes
+# Sane
-# NORMAL = R+rmd160+sha256+whirlpool
+# NORMAL = R+sha512
-NORMAL = FIPSR+sha512
+NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
 # For directories, don't bother doing hashes
 DIR = p+i+n+u+g+acl+selinux+xattrs
 # Access control only
-PERMS = p+i+u+g+acl+selinux
+PERMS = p+u+g+acl+selinux+xattrs
 # Logfile are special, in that they often change
-LOG = >
+LOG = p+u+g+n+S+acl+selinux+xattrs
-# Just do sha256 and sha512 hashes
+# Content + file type.
-LSPP = FIPSR+sha512
+CONTENT = sha512+ftype
 # Extended content + file type + access.
 CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
 # Some files get updated automatically, so the inode/ctime/mtime change
 # but we want to know when the data inside them changes
-DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
+DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha512
 # Next decide what directories/files you want in the database.
-/boot   NORMAL
+/boot        CONTENT_EX
-/bin    NORMAL
+/opt/        CONTENT
-/sbin   NORMAL
+
-/lib    NORMAL
+# Admins dot files constantly change, just check perms
-/lib64  NORMAL
+/root/\..* PERMS
-/opt    NORMAL
+# Otherwise get all of /root.
-/usr    NORMAL
+/root/   CONTENT_EX
-/root   NORMAL
+
 # These are too volatile
-!/usr/src
+!/usr/src/
-!/usr/tmp
+!/usr/tmp/
-# Check only permissions, inode, user and group for /etc, but
+# Otherwise get all of /usr.
-# cover some important files closely.
+/usr/    CONTENT_EX
 /etc    PERMS
 !/etc/mtab
 # Ignore backup files
 !/etc/.*~
 /etc/exports  NORMAL
 /etc/fstab    NORMAL
 /etc/passwd   NORMAL
 /etc/group    NORMAL
 /etc/gshadow  NORMAL
 /etc/shadow   NORMAL
 /etc/security/opasswd   NORMAL
-/etc/hosts.allow   NORMAL
+# trusted databases
-/etc/hosts.deny    NORMAL
+/etc/hosts$      CONTENT_EX
 /etc/host.conf$  CONTENT_EX
 /etc/hostname$   CONTENT_EX
 /etc/issue$      CONTENT_EX
 /etc/issue.net$  CONTENT_EX
 /etc/protocols$  CONTENT_EX
 /etc/services$   CONTENT_EX
 /etc/localtime$  CONTENT_EX
 /etc/alternatives/ CONTENT_EX
 /etc/sysconfig   CONTENT_EX
 /etc/mime.types$ CONTENT_EX
 /etc/terminfo/   CONTENT_EX
 /etc/exports$    CONTENT_EX
 /etc/fstab$      CONTENT_EX
 /etc/passwd$     CONTENT_EX
 /etc/group$      CONTENT_EX
 /etc/gshadow$    CONTENT_EX
 /etc/shadow$     CONTENT_EX
 /etc/subgid$     CONTENT_EX
 /etc/subuid$     CONTENT_EX
 /etc/security/opasswd$ CONTENT_EX
 /etc/skel/       CONTENT_EX
 /etc/subuid$     CONTENT_EX
 /etc/subgid$     CONTENT_EX
 /etc/sssd/       CONTENT_EX
 /etc/machine-id$ CONTENT_EX
 /etc/swid/       CONTENT_EX
 /etc/system-release-cpe$ CONTENT_EX
 /etc/shells$     CONTENT_EX
 /etc/tmux.conf$  CONTENT_EX
 /etc/xattr.conf$ CONTENT_EX
 /etc/sudoers NORMAL
 /etc/skel NORMAL
-/etc/logrotate.d NORMAL
+# networking
 /etc/hosts.allow$   CONTENT_EX
 /etc/hosts.deny$    CONTENT_EX
 /etc/firewalld/ CONTENT_EX
 !/etc/NetworkManager/system-connections/
 /etc/NetworkManager/ CONTENT_EX
 /etc/networks$ CONTENT_EX
 /etc/dhcp/ CONTENT_EX
 /etc/wpa_supplicant/ CONTENT_EX
 /etc/resolv.conf$ DATAONLY
 /etc/nscd.conf$ CONTENT_EX
-/etc/resolv.conf DATAONLY
+# logins and accounts
 /etc/login.defs$ CONTENT_EX
 /etc/libuser.conf$ CONTENT_EX
 /var/log/faillog$ PERMS
 /var/log/lastlog$ PERMS
 /var/run/faillock/ PERMS
 /etc/pam.d/ CONTENT_EX
 /etc/security/ CONTENT_EX
 /etc/securetty$ CONTENT_EX
 /etc/polkit-1/ CONTENT_EX
 /etc/sudo.conf$ CONTENT_EX
 /etc/sudoers CONTENT_EX
 /etc/sudoers.d/ CONTENT_EX
-/etc/nscd.conf NORMAL
+# Shell/X startup files
-/etc/securetty NORMAL
+/etc/profile$ CONTENT_EX
-
+/etc/profile.d/ CONTENT_EX
-# Shell/X starting files
+/etc/bashrc$ CONTENT_EX
-/etc/profile NORMAL
+/etc/bash_completion.d/ CONTENT_EX
-/etc/bashrc NORMAL
+/etc/zprofile$ CONTENT_EX
-/etc/bash_completion.d/ NORMAL
+/etc/zshrc$ CONTENT_EX
-/etc/login.defs NORMAL
+/etc/zlogin$ CONTENT_EX
-/etc/zprofile NORMAL
+/etc/zlogout$ CONTENT_EX
-/etc/zshrc NORMAL
+/etc/X11/ CONTENT_EX
 /etc/zlogin NORMAL
 /etc/zlogout NORMAL
 /etc/profile.d/ NORMAL
 /etc/X11/ NORMAL
 # Pkg manager
-/etc/yum.conf NORMAL
+/etc/dnf/ CONTENT_EX
-/etc/yumex.conf NORMAL
+/etc/yum.conf$ CONTENT_EX
-/etc/yumex.profiles.conf NORMAL
+/etc/yum/ CONTENT_EX
-/etc/yum/ NORMAL
+/etc/yum.repos.d/ CONTENT_EX
 /etc/yum.repos.d/ NORMAL
 /var/log   LOG
 /var/run/utmp LOG
 # This gets new/removes-old filenames daily
 !/var/log/sa
 # As we are checking it, we've truncated yesterdays size to zero.
 !/var/log/aide.log
-# LSPP rules...
+# auditing
 # AIDE produces an audit record, so this becomes perpetual motion.
-# /var/log/audit/ LSPP
+/var/log/audit/ PERMS
-/etc/audit/ LSPP
+/etc/audit/ CONTENT_EX
-/etc/libaudit.conf LSPP
+/etc/libaudit.conf$ CONTENT_EX
-/usr/sbin/stunnel LSPP
+/etc/aide.conf$  CONTENT_EX
 /var/spool/at LSPP
 /etc/at.allow LSPP
 /etc/at.deny LSPP
 /etc/cron.allow LSPP
 /etc/cron.deny LSPP
 /etc/cron.d/ LSPP
 /etc/cron.daily/ LSPP
 /etc/cron.hourly/ LSPP
 /etc/cron.monthly/ LSPP
 /etc/cron.weekly/ LSPP
 /etc/crontab LSPP
 /var/spool/cron/root LSPP
-/etc/login.defs LSPP
+# System logs
-/etc/securetty LSPP
+/etc/rsyslog.conf$ CONTENT_EX
-/var/log/faillog LSPP
+/etc/rsyslog.d/ CONTENT_EX
-/var/log/lastlog LSPP
+/etc/logrotate.conf$ CONTENT_EX
 /etc/logrotate.d/ CONTENT_EX
 /etc/systemd/journald.conf$ CONTENT_EX
 /var/log/ LOG+ANF+ARF
 /var/run/utmp LOG
-/etc/hosts LSPP
+# secrets
-/etc/sysconfig LSPP
+/etc/pkcs11/ CONTENT_EX
 /etc/pki/ CONTENT_EX
 /etc/crypto-policies/ CONTENT_EX
 /etc/certmonger/ CONTENT_EX
 /var/lib/systemd/random-seed$ PERMS
-/etc/inittab LSPP
+# init system
-/etc/grub/ LSPP
+/etc/systemd/ CONTENT_EX
-/etc/rc.d LSPP
+/etc/rc.d/ CONTENT_EX
 /etc/tmpfiles.d/ CONTENT_EX
-/etc/ld.so.conf LSPP
+# boot config
 /etc/default/ CONTENT_EX
 /etc/grub.d/ CONTENT_EX
 /etc/dracut.conf CONTENT_EX
 /etc/dracut.conf.d/ CONTENT_EX
-/etc/localtime LSPP
+# glibc linker
 /etc/ld.so.cache$ CONTENT_EX
 /etc/ld.so.conf$ CONTENT_EX
 /etc/ld.so.conf.d/ CONTENT_EX
 /etc/ld.so.preload$ CONTENT_EX
-/etc/sysctl.conf LSPP
+# kernel config
 /etc/sysctl.conf CONTENT_EX
 /etc/sysctl.d/ CONTENT_EX
 /etc/modprobe.d/ CONTENT_EX
 /etc/modules-load.d/ CONTENT_EX
 /etc/depmod.d/ CONTENT_EX
 /etc/udev/ CONTENT_EX
 /etc/crypttab$ CONTENT_EX
-/etc/modprobe.conf LSPP
+#### Daemons ####
-/etc/pam.d LSPP
+# cron jobs
-/etc/security LSPP
+/var/spool/at/ CONTENT
-/etc/aliases LSPP
+/etc/at.allow$ CONTENT
-/etc/postfix LSPP
+/etc/at.deny$ CONTENT
 /var/spool/anacron CONTENT
 /etc/anacrontab$ CONTENT_EX
 /etc/cron.allow$ CONTENT_EX
 /etc/cron.deny$ CONTENT_EX
 /etc/cron.d/ CONTENT_EX
 /etc/cron.daily/ CONTENT_EX
 /etc/cron.hourly/ CONTENT_EX
 /etc/cron.monthly/ CONTENT_EX
 /etc/cron.weekly/ CONTENT_EX
 /etc/crontab$ CONTENT_EX
 /var/spool/cron/root/ CONTENT
-/etc/ssh/sshd_config LSPP
+# time keeping
-/etc/ssh/ssh_config LSPP
+/etc/chrony.conf CONTENT_EX
 /etc/chrony.keys$ CONTENT_EX
-/etc/stunnel LSPP
+# mail
 /etc/aliases$ CONTENT_EX
 /etc/aliases.db$ CONTENT_EX
 /etc/postfix/ CONTENT_EX
-/etc/vsftpd.ftpusers LSPP
+# ssh
-/etc/vsftpd LSPP
+/etc/ssh/sshd_config CONTENT_EX
 /etc/ssh/ssh_config CONTENT_EX
-/etc/issue LSPP
+# stunnel
-/etc/issue.net LSPP
+/etc/stunnel/ CONTENT_EX
 # printing
 /etc/cups/ CONTENT_EX
 /etc/cupshelpers/ CONTENT_EX
 /etc/avahi/ CONTENT_EX
 # web server
 /etc/httpd/ CONTENT_EX
 # dns
 /etc/named/ CONTENT_EX
 /etc/named.conf$ CONTENT_EX
 /etc/named.iscdlv.key$ CONTENT_EX
 /etc/named.rfc1912.zones$ CONTENT_EX
 /etc/named.root.key$ CONTENT_EX
 # xinetd
 /etc/xinetd.conf$ CONTENT_EX
 /etc/xinetd.d/ CONTENT_EX
 # IPsec
 /etc/ipsec.conf CONTENT_EX
 /etc/ipsec.secrets CONTENT_EX
 /etc/ipsec.d/ CONTENT_EX
 # USB guard
 /etc/usbguard/ CONTENT_EX
 # Ignore some files
 !/etc/mtab$
 !/etc/.*~
 # Now everything else
 /etc/    PERMS
 /etc/cups LSPP
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
@ -221,3 +314,4 @@ DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
 # Admins dot files constantly change, just check perms
 /root/\..* PERMS
 !/root/.xauth*
--- a/SOURCES/coverity2.patch
+++ b/SOURCES/coverity2.patch
@ -0,0 +1,31 @@
 diff --up ./src/compare_db.c ./src/compare_db.c
 --- ./src/compare_db.c
 +++ ./src/compare_db.c
@@ -438,7 +438,11 @@ snprintf(*values[0], l, "%s",s);
     } else {
         *values = malloc(1 * sizeof (char*));
         if (DB_FTYPE&attr) {
 -            easy_string(get_file_type_string(line->perm))
 +            char *file_type = get_file_type_string(line->perm);
 +            if (!file_type) {
 +                error(2,"%s: ", file_type);
 +            }
 +            easy_string(file_type)
         } else if (DB_LINKNAME&attr) {
             easy_string(line->linkname)
         easy_number((DB_SIZE|DB_SIZEG),size,"%li")
 diff -up ./src/db_file.c ./src/db_file.c
 --- ./src/db_file.c
 +++ ./src/db_file.c
@@ -194,6 +194,10 @@ int db_file_read_spec(int db){
   *db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD));
 +  if (*db_order == NULL){
 +    error(1,"malloc for *db_order failed in %s", __func__);
 +  }
 +
   while ((i=db_scan())!=TNEWLINE){
     switch (i) {
--- a/SPECS/aide.spec
+++ b/SPECS/aide.spec
@ -1,7 +1,7 @@
 Summary:        Intrusion detection environment
 Name:           aide
 Version:        0.16
-Release:        8%{?dist}
+Release:        11%{?dist}
 URL:            http://sourceforge.net/projects/aide
 License:        GPLv2+
@ -34,6 +34,9 @@ Patch4: aide-0.16-crypto-disable-haval-and-others.patch
 Patch5: coverity.patch
 Patch6: aide-0.16-crash-elf.patch
 # 1676487 - Null pointer dereference fix spotted by coverity
 Patch7: coverity2.patch
 %description
 AIDE (Advanced Intrusion Detection Environment) is a file integrity
 checker and intrusion detection program.
@ -78,6 +81,20 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
 %dir %attr(0700,root,root) %{_localstatedir}/log/aide
 %changelog
 * Wed Jul 24 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-11
 - rebuild
 - minor edit of aide.conf
 * Tue Jul 23 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-10
 - respin
 - minor edit of aide.conf
 * Tue Jul 23 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-9
 - Null pointer dereference fix spotted by coverity
  resolves: rhbz#1676487
 - aide.conf needs updates for RHEL 8
  resolves: rhbz#1708015
 * Tue Oct 09 2018 Radovan Sroka <rsroka@redhat.com> - 0.16-8
 - fixed wrong line wrapping of messages in the syslog format
  resolves: rhbz#1628153
@ -300,4 +317,3 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
 * Sun Sep 07 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.9-0.fdr.0.1.20030902
 - Initial package version.