rpms/aide
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9
rpms:c10
rpms:c9s
rpms:c10s
rpms:c9-beta
rpms:c8s
rpms:c9s-update
rpms:c8-beta
rpms:imports/c9/aide-0.16-105.el9
rpms:imports/c10/aide-0.18.6-8.el10_1.2
rpms:imports/c10s/aide-0.19.2-4.el10
rpms:imports/c10s/aide-0.19.2-3.el10
rpms:imports/c10s/aide-0.19.2-2.el10
rpms:imports/c9-beta/aide-0.16-105.el9
rpms:imports/c10/aide-0.18.6-8.el10_0.2
rpms:imports/c9/aide-0.16-103.el9_6.2
rpms:imports/c8/aide-0.16-15.el8_10.2
rpms:imports/c10s/aide-0.18.6-8.el10.1
rpms:imports/c9-beta/aide-0.16-103.el9
rpms:imports/c10s/aide-0.18.6-8.el10
rpms:imports/c10s/aide-0.18.6-7.el10
rpms:imports/c9-beta/aide-0.16-102.el9
rpms:imports/c10s/aide-0.18.6-6.el10
rpms:imports/c8s/aide-0.16-14.el8_5.1
rpms:imports/c9/aide-0.16-100.el9
rpms:imports/c8-beta/aide-0.16-14.el8_5.1
rpms:imports/c9-beta/aide-0.16-100.el9
rpms:imports/c8/aide-0.16-14.el8_5.1
rpms:imports/c9-beta/aide-0.16-21.el9
rpms:imports/c8-beta/aide-0.16-14.el8
rpms:imports/c8-beta/aide-0.16-11.el8
rpms:imports/c8-beta/aide-0.16-8.el8
rpms:imports/c8s/aide-0.16-14.el8
rpms:imports/c8s/aide-0.16-13.el8
rpms:imports/c8s/aide-0.16-12.el8
rpms:imports/c8/aide-0.16-14.el8
rpms:imports/c8/aide-0.16-11.el8
rpms:imports/c8/aide-0.16-8.el8
...
pull from: rpms:c10
Branches Tags
rpms:c9
rpms:c10
rpms:c9s
rpms:c10s
rpms:c9-beta
rpms:c8
rpms:c8s
rpms:c9s-update
rpms:c8-beta
rpms:imports/c9/aide-0.16-105.el9
rpms:imports/c10/aide-0.18.6-8.el10_1.2
rpms:imports/c10s/aide-0.19.2-4.el10
rpms:imports/c10s/aide-0.19.2-3.el10
rpms:imports/c10s/aide-0.19.2-2.el10
rpms:imports/c9-beta/aide-0.16-105.el9
rpms:imports/c10/aide-0.18.6-8.el10_0.2
rpms:imports/c9/aide-0.16-103.el9_6.2
rpms:imports/c8/aide-0.16-15.el8_10.2
rpms:imports/c10s/aide-0.18.6-8.el10.1
rpms:imports/c9-beta/aide-0.16-103.el9
rpms:imports/c10s/aide-0.18.6-8.el10
rpms:imports/c10s/aide-0.18.6-7.el10
rpms:imports/c9-beta/aide-0.16-102.el9
rpms:imports/c10s/aide-0.18.6-6.el10
rpms:imports/c8s/aide-0.16-14.el8_5.1
rpms:imports/c9/aide-0.16-100.el9
rpms:imports/c8-beta/aide-0.16-14.el8_5.1
rpms:imports/c9-beta/aide-0.16-100.el9
rpms:imports/c8/aide-0.16-14.el8_5.1
rpms:imports/c9-beta/aide-0.16-21.el9
rpms:imports/c8-beta/aide-0.16-14.el8
rpms:imports/c8-beta/aide-0.16-11.el8
rpms:imports/c8-beta/aide-0.16-8.el8
rpms:imports/c8s/aide-0.16-14.el8
rpms:imports/c8s/aide-0.16-13.el8
rpms:imports/c8s/aide-0.16-12.el8
rpms:imports/c8/aide-0.16-14.el8
rpms:imports/c8/aide-0.16-11.el8
rpms:imports/c8/aide-0.16-8.el8

2 Commits
c8 ... c10

Author SHA1 Message Date
eabdullin
addf3db81c import OL aide-0.18.6-8.el10_1.2 2025-12-04 09:10:38 +00:00
eabdullin
3c803d7867 import OL aide-0.18.6-8.el10_0.2 2025-08-27 12:01:31 +00:00
22 changed files with 1289 additions and 3246 deletions
Show Stats Expand all files Collapse all files

1
.aide.metadata
View File

@ -1 +0,0 @@
b97f65bb12701a42baa2cce45b41ed6367a70734 SOURCES/aide-0.16.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/aide-0.16.tar.gz
aide-0.18.6.tar.gz

0
SOURCES/README.quickstart → README.quickstart
View File

496
SOURCES/aide-0.15-syslog-format.patch
View File

@ -1,496 +0,0 @@
diff -up ./doc/aide.conf.5.in.syslog_format ./doc/aide.conf.5.in
--- ./doc/aide.conf.5.in.syslog_format 2016-07-25 22:58:12.000000000 +0200
+++ ./doc/aide.conf.5.in 2018-09-27 19:09:09.697371212 +0200
@@ -57,6 +57,25 @@ inclusive. This parameter can only be gi
occurrence is used. If \-\-verbose or \-V is used then the value from that
is used. The default is 5. If verbosity is 20 then additional report
output is written when doing \-\-check, \-\-update or \-\-compare.
+.IP "syslog_format"
+Valid values are yes,true,no and false. This option enables new syslog format
+which is suitable for logging. Every change is logged as one simple line. This option
+changes verbose level to 0 and prints everything that was changed. It is suggested
+to use this option with "report_url=syslog:...". Default value is "false/no".
+Maximum size of message is 1KB which is limitation of syslog call. If message is
+greater than limit, message will be truncated.
+Option summarize_changes has no impact for this format.
+.nf
+.eo
+
+Output always starts with:
+"AIDE found differences between database and filesystem!!"
+And it is followed by summary:
+summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1
+And finally there are logs about changes:
+dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;...
+.ec
+.fi
.IP "report_url"
The url that the output is written to. There can be multiple instances
of this parameter. Output is written to all of them. The default is
diff -up ./include/db_config.h.syslog_format ./include/db_config.h
--- ./include/db_config.h.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./include/db_config.h 2018-09-27 19:09:09.697371212 +0200
@@ -311,6 +311,7 @@ typedef struct db_config {
FILE* db_out;
int config_check;
+ int syslog_format;
struct md_container *mdc_in;
struct md_container *mdc_out;
diff -up ./src/aide.c.syslog_format ./src/aide.c
--- ./src/aide.c.syslog_format 2018-09-27 19:09:09.695371197 +0200
+++ ./src/aide.c 2018-09-27 19:09:09.698371220 +0200
@@ -283,6 +283,7 @@ static void setdefaults_before_config()
}
/* Setting some defaults */
+ conf->syslog_format=0;
conf->report_db=0;
conf->tree=NULL;
conf->config_check=0;
@@ -495,6 +496,10 @@ static void setdefaults_after_config()
if(conf->verbose_level==-1){
conf->verbose_level=5;
}
+ if(conf->syslog_format==1){
+ conf->verbose_level=0;
+ }
+
}
diff -up ./src/compare_db.c.syslog_format ./src/compare_db.c
--- ./src/compare_db.c.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./src/compare_db.c 2018-09-27 19:09:09.698371220 +0200
@@ -110,7 +110,7 @@ const DB_ATTR_TYPE details_attributes[]
#endif
};
-const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size (>)"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512")
+const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512")
#ifdef WITH_MHASH
, _("CRC32"), _("HAVAL"), _("GOST"), _("CRC32B"), _("WHIRLPOOL")
#endif
@@ -269,12 +269,19 @@ static int xattrs2array(xattrs_type* xat
if ((len == xattrs->ents[num - 1].vsz) || ((len == (xattrs->ents[num - 1].vsz - 1)) && !val[len])) {
length = 8 + width + strlen(xattrs->ents[num - 1].key) + strlen(val);
(*values)[num]=malloc(length *sizeof(char));
- snprintf((*values)[num], length , "[%.*zd] %s = %s", width, num, xattrs->ents[num - 1].key, val);
+
+ char * fmt = "[%.*zd] %s = %s";
+ if (conf->syslog_format) fmt = "[%.*zd]%s=%s"; // its smaller so it has to be enough space allocated.
+ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val);
+
} else {
val = encode_base64(xattrs->ents[num - 1].val, xattrs->ents[num - 1].vsz);
length = 10 + width + strlen(xattrs->ents[num - 1].key) + strlen(val);
(*values)[num]=malloc( length *sizeof(char));
- snprintf((*values)[num], length , "[%.*zd] %s <=> %s", width, num, xattrs->ents[num - 1].key, val);
+
+ char * fmt = "[%.*zd] %s <=> %s";
+ if (conf->syslog_format) fmt = "[%.*zd]%s<=>%s"; // its smaller so it has to be enough space allocated.
+ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val);
free(val);
}
}
@@ -302,6 +309,26 @@ static int acl2array(acl_type* acl, char
}
if (acl->acl_a || acl->acl_d) {
int j, k, i;
+ if (conf->syslog_format) {
+ *values = malloc(2 * sizeof(char*));
+
+ char *A, *D = "<NONE>";
+
+ if (acl->acl_a) { A = acl->acl_a; }
+ if (acl->acl_d) { D = acl->acl_d; }
+
+ (*values)[0] = (char*) malloc(strlen(A) + 3); // "A:" and \0
+ snprintf((*values)[0], strlen(A) + 3, "A:%s", A);
+
+ (*values)[1] = (char*) malloc(strlen(D) + 3); // "D:" and \0
+ snprintf((*values)[1], strlen(D) + 3, "D:%s", D);
+
+ i = 0; while ( (*values)[0][i] ) { if ( (*values)[0][i]=='\n') { (*values)[0][i] = ' '; } i++; }
+ i = 0; while ( (*values)[1][i] ) { if ( (*values)[1][i]=='\n') { (*values)[1][i] = ' '; } i++; }
+
+ return 2;
+ }
+
if (acl->acl_a) { i = 0; while (acl->acl_a[i]) { if (acl->acl_a[i++]=='\n') { n++; } } }
if (acl->acl_d) { i = 0; while (acl->acl_d[i]) { if (acl->acl_d[i++]=='\n') { n++; } } }
*values = malloc(n * sizeof(char*));
@@ -338,25 +365,25 @@ static char* e2fsattrs2string(unsigned l
static char* get_file_type_string(mode_t mode) {
switch (mode & S_IFMT) {
- case S_IFREG: return _("File");
- case S_IFDIR: return _("Directory");
+ case S_IFREG: return conf->syslog_format ? "file" : _("File");
+ case S_IFDIR: return conf->syslog_format ? "dir" : _("Directory");
#ifdef S_IFIFO
- case S_IFIFO: return _("FIFO");
+ case S_IFIFO: return conf->syslog_format ? "fifo" : _("FIFO");
#endif
- case S_IFLNK: return _("Link");
- case S_IFBLK: return _("Block device");
- case S_IFCHR: return _("Character device");
+ case S_IFLNK: return conf->syslog_format ? "link" : _("Link");
+ case S_IFBLK: return conf->syslog_format ? "blockd" : _("Block device");
+ case S_IFCHR: return conf->syslog_format ? "chard" : _("Character device");
#ifdef S_IFSOCK
- case S_IFSOCK: return _("Socket");
+ case S_IFSOCK: return conf->syslog_format ? "socket" : _("Socket");
#endif
#ifdef S_IFDOOR
- case S_IFDOOR: return _("Door");
+ case S_IFDOOR: return conf->syslog_format ? "door" : _("Door");
#endif
#ifdef S_IFPORT
- case S_IFPORT: return _("Port");
+ case S_IFPORT: return conf->syslog_format ? "port" : _("Port");
#endif
case 0: return NULL;
- default: return _("Unknown file type");
+ default: return conf->syslog_format ? "unknown" : _("Unknown file type");
}
}
@@ -554,6 +581,51 @@ static void print_dbline_attributes(db_l
}
}
+
+static void print_dbline_attributes_syslog(db_line* oline, db_line* nline, DB_ATTR_TYPE
+ changed_attrs, DB_ATTR_TYPE force_attrs) {
+ char **ovalue, **nvalue;
+ int onumber, nnumber, i, j;
+ int length = sizeof(details_attributes)/sizeof(DB_ATTR_TYPE);
+ DB_ATTR_TYPE attrs;
+ char *file_type = get_file_type_string((nline==NULL?oline:nline)->perm);
+ if (file_type) {
+ error(0,"%s=", file_type);
+ }
+ error(0,"%s", (nline==NULL?oline:nline)->filename);
+ attrs=force_attrs|(~(ignored_changed_attrs)&changed_attrs);
+ for (j=0; j < length; ++j) {
+ if (details_attributes[j]&attrs) {
+ onumber=get_attribute_values(details_attributes[j], oline, &ovalue);
+ nnumber=get_attribute_values(details_attributes[j], nline, &nvalue);
+
+ if (details_attributes[j] == DB_ACL || details_attributes[j] == DB_XATTRS) {
+
+ error(0, ";%s_old=|", details_string[j]);
+
+ for (i = 0 ; i < onumber ; i++) {
+ error(0, "%s|", ovalue[i]);
+ }
+
+ error(0, ";%s_new=|", details_string[j]);
+
+ for (i = 0 ; i < nnumber ; i++) {
+ error(0, "%s|", nvalue[i]);
+ }
+
+ } else {
+
+ error(0, ";%s_old=%s;%s_new=%s", details_string[j], *ovalue, details_string[j], *nvalue);
+
+ }
+
+ for(i=0; i < onumber; ++i) { free(ovalue[i]); ovalue[i]=NULL; } free(ovalue); ovalue=NULL;
+ for(i=0; i < nnumber; ++i) { free(nvalue[i]); nvalue[i]=NULL; } free(nvalue); nvalue=NULL;
+ }
+ }
+ error(0, "\n");
+}
+
static void print_attributes_added_node(db_line* line) {
print_dbline_attributes(NULL, line, 0, line->attr);
}
@@ -562,6 +634,26 @@ static void print_attributes_removed_nod
print_dbline_attributes(line, NULL, 0, line->attr);
}
+static void print_attributes_added_node_syslog(db_line* line) {
+
+ char *file_type = get_file_type_string(line->perm);
+ if (file_type) {
+ error(0,"%s=", file_type);
+ }
+ error(0,"%s; added\n", line->filename);
+
+}
+
+static void print_attributes_removed_node_syslog(db_line* line) {
+
+ char *file_type = get_file_type_string(line->perm);
+ if (file_type) {
+ error(0,"%s=", file_type);
+ }
+ error(0,"%s; removed\n", line->filename);
+
+}
+
static void terse_report(seltree* node) {
list* r=NULL;
if ((node->checked&(DB_OLD|DB_NEW)) != 0) {
@@ -626,6 +718,26 @@ static void print_report_details(seltree
}
}
+static void print_syslog_format(seltree* node) {
+ list* r=NULL;
+
+ if (node->checked&NODE_CHANGED) {
+ print_dbline_attributes_syslog(node->old_data, node->new_data, node->changed_attrs, forced_attrs);
+ }
+
+ if (node->checked&NODE_ADDED) {
+ print_attributes_added_node_syslog(node->new_data);
+ }
+
+ if (node->checked&NODE_REMOVED) {
+ print_attributes_removed_node_syslog(node->old_data);
+ }
+
+ for(r=node->childs;r;r=r->next){
+ print_syslog_format((seltree*)r->data);
+ }
+}
+
static void print_report_header() {
char *time;
int first = 1;
@@ -747,39 +859,53 @@ int gen_report(seltree* node) {
send_audit_report();
#endif
if ((nadd|nrem|nchg) > 0 || conf->report_quiet == 0) {
- print_report_header();
- if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) {
- if (conf->grouped) {
- if (nadd) {
- error(2,(char*)report_top_format,_("Added entries"));
- print_report_list(node, NODE_ADDED);
- }
- if (nrem) {
- error(2,(char*)report_top_format,_("Removed entries"));
- print_report_list(node, NODE_REMOVED);
- }
- if (nchg) {
- error(2,(char*)report_top_format,_("Changed entries"));
- print_report_list(node, NODE_CHANGED);
- }
- } else if (nadd || nrem || nchg) {
- if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); }
- else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); }
- else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); }
- else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); }
- else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); }
- else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); }
- else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); }
- print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED);
- }
- if (nadd || nrem || nchg) {
- error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes"));
- print_report_details(node);
- }
- }
- print_report_databases();
- conf->end_time=time(&(conf->end_time));
- print_report_footer();
+
+ if (!conf->syslog_format) {
+ print_report_header();
+ }
+
+ if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) {
+ if (!conf->syslog_format && conf->grouped) {
+ if (nadd) {
+ error(2,(char*)report_top_format,_("Added entries"));
+ print_report_list(node, NODE_ADDED);
+ }
+ if (nrem) {
+ error(2,(char*)report_top_format,_("Removed entries"));
+ print_report_list(node, NODE_REMOVED);
+ }
+ if (nchg) {
+ error(2,(char*)report_top_format,_("Changed entries"));
+ print_report_list(node, NODE_CHANGED);
+ }
+ } else if (!conf->syslog_format && ( nadd || nrem || nchg ) ) {
+ if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); }
+ else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); }
+ else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); }
+ else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); }
+ else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); }
+ else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); }
+ else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); }
+ print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED);
+ }
+ if (nadd || nrem || nchg) {
+ if (!conf->syslog_format) {
+ error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes"));
+ print_report_details(node);
+ } else {
+ /* Syslog Format */
+ error(0, "AIDE found differences between database and filesystem!!\n");
+ error(0, "summary;total_number_of_files=%ld;added_files=%ld;"
+ "removed_files=%ld;changed_files=%ld\n",ntotal,nadd,nrem,nchg);
+ print_syslog_format(node);
+ }
+ }
+ }
+ if (!conf->syslog_format) {
+ print_report_databases();
+ conf->end_time=time(&(conf->end_time));
+ print_report_footer();
+ }
}
return conf->action&(DO_COMPARE|DO_DIFF) ? (nadd!=0)*1+(nrem!=0)*2+(nchg!=0)*4 : 0;
diff -up ./src/conf_lex.l.syslog_format ./src/conf_lex.l
--- ./src/conf_lex.l.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./src/conf_lex.l 2018-09-27 19:09:09.698371220 +0200
@@ -401,6 +401,12 @@ int var_in_conflval=0;
return (TROOT_PREFIX);
}
+^[\t\ ]*"syslog_format"{E} {
+ error(230,"%li:syslog_format =\n",conf_lineno);
+ BEGIN CONFVALHUNT;
+ return (SYSLOG_FORMAT);
+}
+
^[\t\ ]*"recstop"{E} {
error(230,"%li:recstop =\n",conf_lineno);
BEGIN CONFVALHUNT;
diff -up ./src/conf_yacc.y.syslog_format ./src/conf_yacc.y
--- ./src/conf_yacc.y.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./src/conf_yacc.y 2018-09-27 19:09:09.699371228 +0200
@@ -89,6 +89,7 @@ extern long conf_lineno;
%token TREPORT_URL
%token TGZIPDBOUT
%token TROOT_PREFIX
+%token SYSLOG_FORMAT
%token TUMASK
%token TTRUE
%token TFALSE
@@ -160,7 +161,7 @@ line : rule | equrule | negrule | define
| ifdefstmt | ifndefstmt | ifhoststmt | ifnhoststmt
| groupdef | db_in | db_out | db_new | db_attrs | verbose | report_detailed_init | config_version
| database_add_metadata | report | gzipdbout | root_prefix | report_base16 | report_quiet
- | report_ignore_e2fsattrs | recursion_stopper | warn_dead_symlinks | grouped
+ | report_ignore_e2fsattrs | syslogformat | recursion_stopper | warn_dead_symlinks | grouped
| summarize_changes | acl_no_symlink_follow | beginconfigstmt | endconfigstmt
| TEOF {
newlinelastinconfig=1;
@@ -408,6 +409,15 @@ conf->gzip_dbout=0;
#endif
} ;
+syslogformat : SYSLOG_FORMAT TTRUE {
+conf->syslog_format=1;
+} |
+ SYSLOG_FORMAT TFALSE {
+conf->syslog_format=0;
+} ;
+
+
+
recursion_stopper : TRECSTOP TSTRING {
/* FIXME implement me */
diff -up ./src/error.c.syslog_format ./src/error.c
--- ./src/error.c.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./src/error.c 2018-09-27 19:13:40.312416750 +0200
@@ -38,6 +38,9 @@
/*for locale support*/
#include "util.h"
+#define MAX_BUFFER_SIZE 1024
+static char syslog_buffer[MAX_BUFFER_SIZE+1];
+
int cmp_url(url_t* url1,url_t* url2){
return ((url1->type==url2->type)&&(strcmp(url1->value,url2->value)==0));
@@ -48,7 +51,9 @@ int error_init(url_t* url,int initial)
{
list* r=NULL;
FILE* fh=NULL;
- int sfac;
+ int sfac;
+
+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1);
if (url->type==url_database) {
conf->report_db++;
@@ -163,13 +168,24 @@ void error(int errorlevel,char* error_ms
}
#ifdef HAVE_SYSLOG
if(conf->initial_report_url->type==url_syslog){
-#ifdef HAVE_VSYSLOG
- vsyslog(SYSLOG_PRIORITY,error_msg,ap);
-#else
- char buf[1024];
- vsnprintf(buf,1024,error_msg,ap);
- syslog(SYSLOG_PRIORITY,"%s",buf);
-#endif
+
+ char buff[MAX_BUFFER_SIZE+1];
+ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap);
+ size_t buff_len = strlen(buff);
+
+ char result_buff[MAX_BUFFER_SIZE+1];
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-truncation"
+ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff);
+#pragma GCC diagnostic pop
+
+ if(buff[buff_len-1] == '\n'){
+ syslog(SYSLOG_PRIORITY,"%s",result_buff);
+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1);
+ } else {
+ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE);
+ }
+
va_end(ap);
return;
}
@@ -181,17 +197,25 @@ void error(int errorlevel,char* error_ms
#ifdef HAVE_SYSLOG
if (conf->report_syslog!=0) {
-#ifdef HAVE_VSYSLOG
- va_start(ap,error_msg);
- vsyslog(SYSLOG_PRIORITY,error_msg,ap);
- va_end(ap);
-#else
- char buf[1024];
- va_start(ap,error_msg);
- vsnprintf(buf,1024,error_msg,ap);
+ va_start(ap, error_msg);
+
+ char buff[MAX_BUFFER_SIZE+1];
+ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap);
+ size_t buff_len = strlen(buff);
+
+ char result_buff[MAX_BUFFER_SIZE+1];
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-truncation"
+ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff);
+#pragma GCC diagnostic pop
+
+ if(buff[buff_len-1] == '\n'){
+ syslog(SYSLOG_PRIORITY,"%s",result_buff);
+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1);
+ } else {
+ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE);
+ }
va_end(ap);
- syslog(SYSLOG_PRIORITY,"%s",buf);
-#endif
}
#endif

123
SOURCES/aide-0.16-CVE-2021-45417.patch
View File

@ -1,123 +0,0 @@
diff --git a/include/base64.h b/include/base64.h
index 0ff7116..381ef5d 100644
--- a/include/base64.h
+++ b/include/base64.h
@@ -36,7 +36,6 @@
#include <assert.h>
#include "types.h"
-#define B64_BUF 16384
#define FAIL -1
#define SKIP -2
diff --git a/src/base64.c b/src/base64.c
index fd01bac..1b0f301 100644
--- a/src/base64.c
+++ b/src/base64.c
@@ -85,11 +85,9 @@ FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL, FAIL
};
/* Returns NULL on error */
-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */
char* encode_base64(byte* src,size_t ssize)
{
char* outbuf;
- char* retbuf;
int pos;
int i, l, left;
unsigned long triple;
@@ -101,7 +99,10 @@ char* encode_base64(byte* src,size_t ssize)
error(240,"\n");
return NULL;
}
- outbuf = (char *)malloc(sizeof(char)*B64_BUF);
+
+ /* length of encoded base64 string (padded) */
+ size_t length = sizeof(char)* ((ssize + 2) / 3) * 4;
+ outbuf = (char *)malloc(length + 1);
/* Initialize working pointers */
inb = src;
@@ -162,20 +163,14 @@ char* encode_base64(byte* src,size_t ssize)
inb++;
}
- /* outbuf is not completely used so we use retbuf */
- retbuf=(char*)malloc(sizeof(char)*(pos+1));
- memcpy(retbuf,outbuf,pos);
- retbuf[pos]='\0';
- free(outbuf);
+ outbuf[pos]='\0';
- return retbuf;
+ return outbuf;
}
-/* FIXME Possible buffer overflow on outputs larger than B64_BUF */
byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
{
byte* outbuf;
- byte* retbuf;
char* inb;
int i;
int l;
@@ -188,10 +183,18 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
if (!ssize||src==NULL)
return NULL;
+ /* exit on unpadded input */
+ if (ssize % 4) {
+ error(3, "decode_base64: '%s' has invalid length (missing padding characters?)", src);
+ return NULL;
+ }
+
+ /* calculate length of decoded string, substract padding chars if any (ssize is >= 4) */
+ size_t length = sizeof(byte) * ((ssize / 4) * 3)- (src[ssize-1] == '=') - (src[ssize-2] == '=');
/* Initialize working pointers */
inb = src;
- outbuf = (byte *)malloc(sizeof(byte)*B64_BUF);
+ outbuf = (byte *)malloc(length + 1);
l = 0;
triple = 0;
@@ -243,15 +246,11 @@ byte* decode_base64(char* src,size_t ssize, size_t *ret_len)
inb++;
}
- retbuf=(byte*)malloc(sizeof(byte)*(pos+1));
- memcpy(retbuf,outbuf,pos);
- retbuf[pos]='\0';
-
- free(outbuf);
+ outbuf[pos]='\0';
if (ret_len) *ret_len = pos;
- return retbuf;
+ return outbuf;
}
size_t length_base64(char* src,size_t ssize)
diff --git a/src/db.c b/src/db.c
index 858240d..62c4faa 100644
--- a/src/db.c
+++ b/src/db.c
@@ -664,13 +664,15 @@ db_line* db_char2line(char** ss,int db){
time_t base64totime_t(char* s){
+ if(strcmp(s,"0")==0){
+ return 0;
+ }
byte* b=decode_base64(s,strlen(s),NULL);
char* endp;
- if (b==NULL||strcmp(s,"0")==0) {
+ if (b==NULL) {
/* Should we print error here? */
- free(b);
return 0;
} else {

220
SOURCES/aide-0.16-CVE-2025-54389-part2.patch
View File

@ -1,220 +0,0 @@
diff -up aide-0.16/src/db_disk.c.orig aide-0.16/src/db_disk.c
--- aide-0.16/src/db_disk.c.orig 2025-08-21 09:58:21.271581589 +0200
+++ aide-0.16/src/db_disk.c 2025-08-21 10:01:26.310573141 +0200
@@ -139,7 +139,11 @@ void add_child (db_line * fil)
int i;
struct seltree *new_r;
- error (255, "Adding child %s\n", fil->filename);
+ {
+ char *fname_safe = stresc(fil->filename);
+ error (255, "Adding child %s\n", fname_safe);
+ free(fname_safe);
+ }
new_r = get_seltree_node (r, fil->filename);
if (new_r != NULL) {
@@ -182,9 +186,13 @@ static int get_file_status(char *filenam
if(sres == -1){
char* er = strerror(errno);
if (er == NULL) {
- error(0,"get_file_status: lstat() failed for %s. strerror() failed for %i\n", filename, errno);
+ char *filename_safe = stresc(filename);
+ error(0,"get_file_status: lstat() failed for %s. strerror() failed for %i\n", filename_safe, errno);
+ free(filename_safe);
} else {
- error(0,"get_file_status: lstat() failed for %s: %s\n", filename, er);
+ char *filename_safe = stresc(filename);
+ error(0,"get_file_status: lstat() failed for %s: %s\n", filename_safe, er);
+ free(filename_safe);
}
}
return sres;
@@ -220,7 +228,11 @@ db_line *db_readline_disk ()
error (240, "%s attr=%llu\n", &fullname[conf->root_prefix_length], attr);
if (fil != NULL) {
- error (240, "%s attr=%llu\n", fil->filename, fil->attr);
+ {
+ char *fname_safe = stresc(fil->filename);
+ error (240, "%s attr=%llu\n", fname_safe, fil->attr);
+ free(fname_safe);
+ }
return fil;
}
}
@@ -269,7 +281,11 @@ recursion:
error (240, "%s attr=%llu\n", &fullname[conf->root_prefix_length], attr);
if (fil != NULL) {
- error (240, "%s attr=%llu\n", fil->filename, fil->attr);
+ {
+ char *fname_safe = stresc(fil->filename);
+ error (240, "%s attr=%llu\n", fname_safe, fil->attr);
+ free(fname_safe);
+ }
} else {
/*
Something went wrong during read process ->
diff -up aide-0.16/src/gen_list.c.orig aide-0.16/src/gen_list.c
--- aide-0.16/src/gen_list.c.orig 2025-08-21 09:58:21.273581610 +0200
+++ aide-0.16/src/gen_list.c 2025-08-21 10:04:29.190502666 +0200
@@ -37,6 +37,7 @@
#include "list.h"
#include "gen_list.h"
#include "seltree.h"
+#include "util.h"
#include "db.h"
#include "db_config.h"
#include "commandconf.h"
@@ -993,16 +994,28 @@ int check_rxtree(char* filename,seltree*
if(conf->limit!=NULL) {
retval=pcre_exec(conf->limit_crx, NULL, filename, strlen(filename), 0, PCRE_PARTIAL_SOFT, NULL, 0);
if (retval >= 0) {
- error(220, "check_rxtree: %s does match limit: %s\n", filename, conf->limit);
+ char *fname_safe = stresc(filename);
+ char *limit_safe = conf->limit?stresc(conf->limit):NULL;
+ error(220, "check_rxtree: %s does match limit: %s\n", fname_safe, limit_safe?limit_safe:"");
+ free(fname_safe);
+ free(limit_safe);
} else if (retval == PCRE_ERROR_PARTIAL) {
- error(220, "check_rxtree: %s does PARTIAL match limit: %s\n", filename, conf->limit);
+ char *fname_safe = stresc(filename);
+ char *limit_safe = conf->limit?stresc(conf->limit):NULL;
+ error(220, "check_rxtree: %s does PARTIAL match limit: %s\n", fname_safe, limit_safe?limit_safe:"");
if(S_ISDIR(perm) && get_seltree_node(tree,filename)==NULL){
- error(220, "check_rxtree: creating new seltree node for '%s'\n", filename);
+ error(220, "check_rxtree: creating new seltree node for '%s'\n", fname_safe);
new_seltree_node(tree,filename,0,NULL);
}
+ free(fname_safe);
+ free(limit_safe);
return -1;
} else {
- error(220, "check_rxtree: %s does NOT match limit: %s\n", filename, conf->limit);
+ char *fname_safe = stresc(filename);
+ char *limit_safe = conf->limit?stresc(conf->limit):NULL;
+ error(220, "check_rxtree: %s does NOT match limit: %s\n", fname_safe, limit_safe?limit_safe:"");
+ free(fname_safe);
+ free(limit_safe);
return -2;
}
}
@@ -1039,13 +1052,25 @@ db_line* get_file_attrs(char* filename,D
} else {
if(fs->st_atime>cur_time){
- error(CLOCK_SKEW,_("%s atime in future\n"),filename);
+ {
+ char *fname_safe = stresc(filename);
+ error(CLOCK_SKEW,_("%s atime in future\n"),fname_safe);
+ free(fname_safe);
+ }
}
if(fs->st_mtime>cur_time){
- error(CLOCK_SKEW,_("%s mtime in future\n"),filename);
+ {
+ char *fname_safe = stresc(filename);
+ error(CLOCK_SKEW,_("%s mtime in future\n"),fname_safe);
+ free(fname_safe);
+ }
}
if(fs->st_ctime>cur_time){
- error(CLOCK_SKEW,_("%s ctime in future\n"),filename);
+ {
+ char *fname_safe = stresc(filename);
+ error(CLOCK_SKEW,_("%s ctime in future\n"),fname_safe);
+ free(fname_safe);
+ }
}
}
@@ -1220,7 +1245,11 @@ void hsymlnk(db_line* line) {
int sres;
sres=AIDE_STAT_FUNC(line->fullpath,&fs);
if (sres!=0 && sres!=EACCES) {
- error(4,"Dead symlink detected at %s\n",line->fullpath);
+ {
+ char *fp_safe = stresc(line->fullpath);
+ error(4,"Dead symlink detected at %s\n",fp_safe);
+ free(fp_safe);
+ }
}
if(!(line->attr&DB_RDEV))
fs.st_rdev=0;
diff -up aide-0.16/src/util.c.orig aide-0.16/src/util.c
--- aide-0.16/src/util.c.orig 2025-08-21 09:58:21.272581600 +0200
+++ aide-0.16/src/util.c 2025-08-21 10:07:50.157894133 +0200
@@ -104,9 +104,11 @@ url_t* parse_url(char* val)
r+=2;
for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++);
if(r[0]=='\0'){
- error(0,"Invalid file-URL,no path after hostname: file:%s\n",t);
+ char *t_safe = stresc(t);
+ error(0,"Invalid file-URL,no path after hostname: file:%s\n",t_safe);
+ free(t_safe);
free(hostname);
- return NULL;
+ return NULL;
}
u->value=strdup(r);
r[0]='\0';
@@ -118,9 +120,11 @@ url_t* parse_url(char* val)
free(hostname);
break;
} else {
- error(0,"Invalid file-URL, cannot use hostname other than localhost or %s: file:%s\n",hostname,u->value);
- free(hostname);
- return NULL;
+ char *value_safe = stresc(u->value);
+ error(0,"Invalid file-URL, cannot use hostname other than localhost or %s: file:%s\n",hostname,value_safe);
+ free(value_safe);
+ free(hostname);
+ return NULL;
}
break;
@@ -150,6 +154,43 @@ url_t* parse_url(char* val)
return u;
}
+static size_t escape_str(const char *unescaped_str, char *str, size_t s) {
+ size_t n = 0;
+ size_t i = 0;
+ char c;
+ while (i < s && (c = unescaped_str[i])) {
+ if ((c >= 0 && (c < 0x1f || c == 0x7f)) ||
+ (c == '\\' && isdigit(unescaped_str[i+1])
+ && isdigit(unescaped_str[i+2])
+ && isdigit(unescaped_str[i+3]))) {
+ if (str) { snprintf(&str[n], 5, "\\%03o", c); }
+ n += 4;
+ } else {
+ if (str) { str[n] = c; }
+ n++;
+ }
+ i++;
+ }
+ if (str) { str[n] = '\0'; }
+ n++;
+ return n;
+}
+
+char *strnesc(const char *unescaped_str, size_t s) {
+ int n = escape_str(unescaped_str, NULL, s);
+ char *str = malloc(n);
+ if (str == NULL) {
+ error(0, "malloc: failed to allocate %d bytes of memory\n", n);
+ exit(1);
+ }
+ escape_str(unescaped_str, str, s);
+ return str;
+}
+
+char *stresc(const char *unescaped_str) {
+ return strnesc(unescaped_str, strlen(unescaped_str));
+}
+
/* Returns 1 if the string contains unsafe characters, 0 otherwise. */
int contains_unsafe (const char *s)
{

1053
SOURCES/aide-0.16-CVE-2025-54389.patch
View File

File diff suppressed because it is too large Load Diff

17
SOURCES/aide-0.16-crash-elf.patch
View File

@ -1,17 +0,0 @@
--- ./src/do_md.c 2018-03-19 05:10:19.994957024 -0400
+++ ./src/do_md.c 2018-03-19 05:19:05.829957024 -0400
@@ -135,8 +135,13 @@
continue;
while (!bingo && (data = elf_getdata (scn, data)) != NULL) {
- int maxndx = data->d_size / shdr.sh_entsize;
+ int maxndx;
int ndx;
+
+ if (shdr.sh_entsize != 0)
+ maxndx = data->d_size / shdr.sh_entsize;
+ else
+ continue;
for (ndx = 0; ndx < maxndx; ++ndx) {
(void) gelf_getdyn (data, ndx, &dyn);

153
SOURCES/aide-0.16-crypto-disable-haval-and-others.patch
View File

@ -1,153 +0,0 @@
diff -up ./include/md.h.crypto ./include/md.h
--- ./include/md.h.crypto 2016-07-25 22:56:55.000000000 +0200
+++ ./include/md.h 2018-08-29 15:00:30.827491299 +0200
@@ -149,6 +149,7 @@ int init_md(struct md_container*);
int update_md(struct md_container*,void*,ssize_t);
int close_md(struct md_container*);
void md2line(struct md_container*,struct db_line*);
+DB_ATTR_TYPE get_available_crypto();
#endif /*_MD_H_INCLUDED*/
diff -up ./src/aide.c.crypto ./src/aide.c
--- ./src/aide.c.crypto 2018-08-29 15:00:30.825491309 +0200
+++ ./src/aide.c 2018-08-29 15:00:30.827491299 +0200
@@ -349,7 +349,7 @@ static void setdefaults_before_config()
conf->db_attrs = 0;
#if defined(WITH_MHASH) || defined(WITH_GCRYPT)
- conf->db_attrs |= DB_MD5|DB_TIGER|DB_HAVAL|DB_CRC32|DB_SHA1|DB_RMD160|DB_SHA256|DB_SHA512;
+ conf->db_attrs |= get_available_crypto();
#ifdef WITH_MHASH
conf->db_attrs |= DB_GOST;
#ifdef HAVE_MHASH_WHIRLPOOL
diff -up ./src/md.c.crypto ./src/md.c
--- ./src/md.c.crypto 2018-08-29 15:00:30.823491319 +0200
+++ ./src/md.c 2018-08-29 15:02:28.013903479 +0200
@@ -78,6 +78,49 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) {
return r;
}
+const char * hash_gcrypt2str(int i) {
+ char * r = "?";
+#ifdef WITH_GCRYPT
+ switch (i) {
+ case GCRY_MD_MD5: {
+ r = "MD5";
+ break;
+ }
+ case GCRY_MD_SHA1: {
+ r = "SHA1";
+ break;
+ }
+ case GCRY_MD_RMD160: {
+ r = "RMD160";
+ break;
+ }
+ case GCRY_MD_TIGER: {
+ r = "TIGER";
+ break;
+ }
+ case GCRY_MD_HAVAL: {
+ r = "HAVAL";
+ break;
+ }
+ case GCRY_MD_SHA256: {
+ r = "SHA256";
+ break;
+ }
+ case GCRY_MD_SHA512: {
+ r = "SHA512";
+ break;
+ }
+ case GCRY_MD_CRC32: {
+ r = "CRC32";
+ break;
+ }
+ default:
+ break;
+ }
+#endif
+ return r;
+}
+
DB_ATTR_TYPE hash_mhash2attr(int i) {
DB_ATTR_TYPE r=0;
#ifdef WITH_MHASH
@@ -163,6 +206,44 @@ DB_ATTR_TYPE hash_mhash2attr(int i) {
Initialise md_container according it's todo_attr field
*/
+DB_ATTR_TYPE get_available_crypto() {
+
+ DB_ATTR_TYPE ret = 0;
+
+/*
+ * This function is usually called before config processing
+ * and default verbose level is 5
+ */
+#define lvl 255
+
+ error(lvl, "get_available_crypto called\n");
+
+#ifdef WITH_GCRYPT
+
+ /*
+ * some initialization for FIPS
+ */
+ gcry_check_version(NULL);
+ error(lvl, "Found algos:");
+
+ for(int i=0;i<=HASH_GCRYPT_COUNT;i++) {
+
+ if ( (hash_gcrypt2attr(i) & HASH_USE_GCRYPT) == 0 )
+ continue;
+
+ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) == 0) {
+ ret |= hash_gcrypt2attr(i);
+ error(lvl, " %s", hash_gcrypt2str(i));
+ }
+ }
+ error(lvl, "\n");
+
+#endif
+
+ error(lvl, "get_available_crypto_returned with %lld\n", ret);
+ return ret;
+}
+
int init_md(struct md_container* md) {
int i;
@@ -201,18 +282,27 @@ int init_md(struct md_container* md) {
}
#endif
#ifdef WITH_GCRYPT
- if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
+ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
error(0,"gcrypt_md_open failed\n");
exit(IO_ERROR);
}
for(i=0;i<=HASH_GCRYPT_COUNT;i++) {
+
+
if (((hash_gcrypt2attr(i)&HASH_USE_GCRYPT)&md->todo_attr)!=0) {
- DB_ATTR_TYPE h=hash_gcrypt2attr(i);
- error(255,"inserting %llu\n",h);
+
+ DB_ATTR_TYPE h=hash_gcrypt2attr(i);
+
+ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) != 0) {
+ error(0,"Algo %s is not available\n", hash_gcrypt2str(i));
+ exit(-1);
+ }
+
+ error(255,"inserting %llu\n",h);
if(gcry_md_enable(md->mdh,i)==GPG_ERR_NO_ERROR){
md->calc_attr|=h;
} else {
- error(0,"gcry_md_enable %i failed",i);
+ error(0,"gcry_md_enable %i failed\n",i);
md->todo_attr&=~h;
}
}

103
SOURCES/aide-0.16b1-fipsfix.patch
View File

@ -1,103 +0,0 @@
diff -up ./src/aide.c.orig ./aide-0.16b1/src/aide.c
--- ./src/aide.c.orig 2016-07-12 11:10:08.013158385 +0200
+++ ./src/aide.c 2016-07-12 11:30:54.867833064 +0200
@@ -511,9 +511,28 @@ int main(int argc,char**argv)
#endif
umask(0177);
init_sighandler();
-
setdefaults_before_config();
+#if WITH_GCRYPT
+ error(255,"Gcrypt library initialization\n");
+ /*
+ * Initialize libgcrypt as per
+ * http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
+ *
+ *
+ */
+ gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0);
+ gcry_control(GCRYCTL_INIT_SECMEM, 1);
+
+ if(!gcry_check_version(GCRYPT_VERSION)) {
+ error(0,"libgcrypt version mismatch\n");
+ exit(VERSION_MISMATCH_ERROR);
+ }
+
+ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+#endif /* WITH_GCRYPT */
+
+
if(read_param(argc,argv)==RETFAIL){
error(0, _("Invalid argument\n") );
exit(INVALID_ARGUMENT_ERROR);
@@ -646,6 +665,9 @@ int main(int argc,char**argv)
}
#endif
}
+#ifdef WITH_GCRYPT
+ gcry_control(GCRYCTL_TERM_SECMEM, 0);
+#endif /* WITH_GCRYPT */
return RETOK;
}
const char* aide_key_3=CONFHMACKEY_03;
diff -up ./src/md.c.orig ./aide-0.16b1/src/md.c
--- ./src/md.c.orig 2016-04-15 23:30:16.000000000 +0200
+++ ./src/md.c 2016-07-12 11:35:04.007675329 +0200
@@ -201,14 +201,7 @@ int init_md(struct md_container* md) {
}
#endif
#ifdef WITH_GCRYPT
- error(255,"Gcrypt library initialization\n");
- if(!gcry_check_version(GCRYPT_VERSION)) {
- error(0,"libgcrypt version mismatch\n");
- exit(VERSION_MISMATCH_ERROR);
- }
- gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
- if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){
+ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
error(0,"gcrypt_md_open failed\n");
exit(IO_ERROR);
}
@@ -299,7 +292,7 @@ int close_md(struct md_container* md) {
/*. There might be more hashes in the library. Add those here.. */
- gcry_md_reset(md->mdh);
+ gcry_md_close(md->mdh);
#endif
#ifdef WITH_MHASH
diff -up ./src/util.c.orig ./aide-0.16b1/src/util.c
--- ./src/util.c.orig 2016-07-12 11:39:17.023437355 +0200
+++ ./src/util.c 2016-07-12 11:39:51.618721157 +0200
@@ -519,28 +519,5 @@ int syslog_facility_lookup(char *s)
return(AIDE_SYSLOG_FACILITY);
}
-/* We need these dummy stubs to fool the linker into believing that
- we do not need them at link time */
-
-void* dlopen(char*filename,int flag)
-{
- return NULL;
-}
-
-void* dlsym(void*handle,char*symbol)
-{
- return NULL;
-}
-
-void* dlclose(void*handle)
-{
- return NULL;
-}
-
-const char* dlerror(void)
-{
- return NULL;
-}
-
const char* aide_key_2=CONFHMACKEY_02;
const char* db_key_2=DBHMACKEY_02;

15
SOURCES/aide-0.16rc1-man.patch
View File

@ -1,15 +0,0 @@
diff -up ./doc/aide.1.in.orig ./doc/aide.1.in
--- ./doc/aide.1.in.orig 2016-07-12 16:10:01.724595895 +0200
+++ ./doc/aide.1.in 2016-07-12 16:06:21.968639822 +0200
@@ -103,9 +103,9 @@ echo <encoded_checksum> | base64 \-d | h
.SH FILES
.IP \fB@sysconfdir@/aide.conf\fR
Default aide configuration file.
-.IP \fB@sysconfdir@/aide.db\fR
+.IP \fB@localstatedir@/lib/aide/aide.db\fR
Default aide database.
-.IP \fB@sysconfdir@/aide.db.new\fR
+.IP \fB@localstatedir@/lib/aide/aide.db.new\fR
Default aide output database.
.SH SEE ALSO
.BR aide.conf (5)

317
SOURCES/aide.conf
View File

@ -1,317 +0,0 @@
# Example configuration file for AIDE.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default.
verbose=5
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES
# Sane
# NORMAL = R+sha512
NORMAL = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha512
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
# Access control only
PERMS = p+u+g+acl+selinux+xattrs
# Logfile are special, in that they often change
LOG = p+u+g+n+S+acl+selinux+xattrs
# Content + file type.
CONTENT = sha512+ftype
# Extended content + file type + access.
CONTENT_EX = sha512+ftype+p+u+g+n+acl+selinux+xattrs
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha512
# Next decide what directories/files you want in the database.
/boot CONTENT_EX
/opt CONTENT
# Admins dot files constantly change, just check perms
/root/\..* PERMS
# Otherwise get all of /root.
/root CONTENT_EX
# These are too volatile
!/usr/src
!/usr/tmp
# Otherwise get all of /usr.
/usr CONTENT_EX
# trusted databases
/etc/hosts$ CONTENT_EX
/etc/host.conf$ CONTENT_EX
/etc/hostname$ CONTENT_EX
/etc/issue$ CONTENT_EX
/etc/issue.net$ CONTENT_EX
/etc/protocols$ CONTENT_EX
/etc/services$ CONTENT_EX
/etc/localtime$ CONTENT_EX
/etc/alternatives CONTENT_EX
/etc/sysconfig CONTENT_EX
/etc/mime.types$ CONTENT_EX
/etc/terminfo CONTENT_EX
/etc/exports$ CONTENT_EX
/etc/fstab$ CONTENT_EX
/etc/passwd$ CONTENT_EX
/etc/group$ CONTENT_EX
/etc/gshadow$ CONTENT_EX
/etc/shadow$ CONTENT_EX
/etc/subgid$ CONTENT_EX
/etc/subuid$ CONTENT_EX
/etc/security/opasswd$ CONTENT_EX
/etc/skel CONTENT_EX
/etc/subuid$ CONTENT_EX
/etc/subgid$ CONTENT_EX
/etc/sssd CONTENT_EX
/etc/machine-id$ CONTENT_EX
/etc/swid CONTENT_EX
/etc/system-release-cpe$ CONTENT_EX
/etc/shells$ CONTENT_EX
/etc/tmux.conf$ CONTENT_EX
/etc/xattr.conf$ CONTENT_EX
# networking
/etc/hosts.allow$ CONTENT_EX
/etc/hosts.deny$ CONTENT_EX
/etc/firewalld CONTENT_EX
!/etc/NetworkManager/system-connections
/etc/NetworkManager CONTENT_EX
/etc/networks$ CONTENT_EX
/etc/dhcp CONTENT_EX
/etc/wpa_supplicant CONTENT_EX
/etc/resolv.conf$ DATAONLY
/etc/nscd.conf$ CONTENT_EX
# logins and accounts
/etc/login.defs$ CONTENT_EX
/etc/libuser.conf$ CONTENT_EX
/var/log/faillog$ PERMS
/var/log/lastlog$ PERMS
/var/run/faillock PERMS
/etc/pam.d CONTENT_EX
/etc/security CONTENT_EX
/etc/securetty$ CONTENT_EX
/etc/polkit-1 CONTENT_EX
/etc/sudo.conf$ CONTENT_EX
/etc/sudoers$ CONTENT_EX
/etc/sudoers.d CONTENT_EX
# Shell/X startup files
/etc/profile$ CONTENT_EX
/etc/profile.d CONTENT_EX
/etc/bashrc$ CONTENT_EX
/etc/bash_completion.d CONTENT_EX
/etc/zprofile$ CONTENT_EX
/etc/zshrc$ CONTENT_EX
/etc/zlogin$ CONTENT_EX
/etc/zlogout$ CONTENT_EX
/etc/X11 CONTENT_EX
# Pkg manager
/etc/dnf CONTENT_EX
/etc/yum.conf$ CONTENT_EX
/etc/yum CONTENT_EX
/etc/yum.repos.d CONTENT_EX
# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log
# auditing
# AIDE produces an audit record, so this becomes perpetual motion.
/var/log/audit PERMS
/etc/audit CONTENT_EX
/etc/libaudit.conf$ CONTENT_EX
/etc/aide.conf$ CONTENT_EX
# System logs
/etc/rsyslog.conf$ CONTENT_EX
/etc/rsyslog.d CONTENT_EX
/etc/logrotate.conf$ CONTENT_EX
/etc/logrotate.d CONTENT_EX
/etc/systemd/journald.conf$ CONTENT_EX
/var/log LOG+ANF+ARF
/var/run/utmp LOG
# secrets
/etc/pkcs11 CONTENT_EX
/etc/pki CONTENT_EX
/etc/crypto-policies CONTENT_EX
/etc/certmonger CONTENT_EX
/var/lib/systemd/random-seed$ PERMS
# init system
/etc/systemd CONTENT_EX
/etc/rc.d CONTENT_EX
/etc/tmpfiles.d CONTENT_EX
# boot config
/etc/default CONTENT_EX
/etc/grub.d CONTENT_EX
/etc/dracut.conf$ CONTENT_EX
/etc/dracut.conf.d CONTENT_EX
# glibc linker
/etc/ld.so.cache$ CONTENT_EX
/etc/ld.so.conf$ CONTENT_EX
/etc/ld.so.conf.d CONTENT_EX
/etc/ld.so.preload$ CONTENT_EX
# kernel config
/etc/sysctl.conf$ CONTENT_EX
/etc/sysctl.d CONTENT_EX
/etc/modprobe.d CONTENT_EX
/etc/modules-load.d CONTENT_EX
/etc/depmod.d CONTENT_EX
/etc/udev CONTENT_EX
/etc/crypttab$ CONTENT_EX
#### Daemons ####
# cron jobs
/var/spool/at CONTENT
/etc/at.allow$ CONTENT
/etc/at.deny$ CONTENT
/var/spool/anacron CONTENT
/etc/anacrontab$ CONTENT_EX
/etc/cron.allow$ CONTENT_EX
/etc/cron.deny$ CONTENT_EX
/etc/cron.d CONTENT_EX
/etc/cron.daily CONTENT_EX
/etc/cron.hourly CONTENT_EX
/etc/cron.monthly CONTENT_EX
/etc/cron.weekly CONTENT_EX
/etc/crontab$ CONTENT_EX
/var/spool/cron/root CONTENT
# time keeping
/etc/chrony.conf$ CONTENT_EX
/etc/chrony.keys$ CONTENT_EX
# mail
/etc/aliases$ CONTENT_EX
/etc/aliases.db$ CONTENT_EX
/etc/postfix CONTENT_EX
# ssh
/etc/ssh/sshd_config$ CONTENT_EX
/etc/ssh/ssh_config$ CONTENT_EX
# stunnel
/etc/stunnel CONTENT_EX
# printing
/etc/cups CONTENT_EX
/etc/cupshelpers CONTENT_EX
/etc/avahi CONTENT_EX
# web server
/etc/httpd CONTENT_EX
# dns
/etc/named CONTENT_EX
/etc/named.conf$ CONTENT_EX
/etc/named.iscdlv.key$ CONTENT_EX
/etc/named.rfc1912.zones$ CONTENT_EX
/etc/named.root.key$ CONTENT_EX
# xinetd
/etc/xinetd.conf$ CONTENT_EX
/etc/xinetd.d CONTENT_EX
# IPsec
/etc/ipsec.conf$ CONTENT_EX
/etc/ipsec.secrets$ CONTENT_EX
/etc/ipsec.d CONTENT_EX
# USB guard
/etc/usbguard CONTENT_EX
# Ignore some files
!/etc/mtab$
!/etc/.*~
# Now everything else
/etc PERMS
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found DIR
#=/home DIR
# Ditto /var/log/sa reason...
!/var/log/and-httpd
# Admins dot files constantly change, just check perms
/root/\..* PERMS
!/root/.xauth*

642
SOURCES/coverity.patch
View File

@ -1,642 +0,0 @@
diff -up ./include/be.h.coverity ./include/be.h
--- ./include/be.h.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./include/be.h 2018-10-10 19:27:18.680632681 +0200
@@ -22,6 +22,6 @@
#define _BE_H_INCLUDED
#include "db_config.h"
-FILE* be_init(int inout,url_t* u,int iszipped);
+void* be_init(int inout,url_t* u,int iszipped);
#endif /* _BE_H_INCLUDED */
diff -up ./include/db_config.h.coverity ./include/db_config.h
--- ./include/db_config.h.coverity 2018-10-10 19:27:18.672632611 +0200
+++ ./include/db_config.h 2018-10-10 19:27:18.681632689 +0200
@@ -376,7 +376,7 @@ typedef struct db_config {
#endif
url_t* initial_report_url;
- FILE* initial_report_fd;
+ void* initial_report_fd;
/* report_url is a list of url_t*s */
list* report_url;
diff -up ./src/aide.c.coverity ./src/aide.c
--- ./src/aide.c.coverity 2018-10-10 19:27:18.678632663 +0200
+++ ./src/aide.c 2018-10-10 19:27:18.681632689 +0200
@@ -278,7 +278,7 @@ static void setdefaults_before_config()
error(0,_("Couldn't get hostname"));
free(s);
} else {
- s=(char*)realloc((void*)s,strlen(s)+1);
+ // s=(char*)realloc((void*)s,strlen(s)+1);
do_define("HOSTNAME",s);
}
@@ -506,8 +506,6 @@ static void setdefaults_after_config()
int main(int argc,char**argv)
{
int errorno=0;
- byte* dig=NULL;
- char* digstr=NULL;
#ifdef USE_LOCALE
setlocale(LC_ALL,"");
@@ -544,6 +542,10 @@ int main(int argc,char**argv)
}
errorno=commandconf('C',conf->config_file);
+ if (errorno==RETFAIL){
+ error(0,_("Configuration error\n"));
+ exit(INVALID_CONFIGURELINE_ERROR);
+ }
errorno=commandconf('D',"");
if (errorno==RETFAIL){
@@ -594,6 +596,9 @@ int main(int argc,char**argv)
}
}
#ifdef WITH_MHASH
+ byte* dig=NULL;
+ char* digstr=NULL;
+
if(conf->config_check&&FORCECONFIGMD){
error(0,"Can't give config checksum when compiled with --enable-forced_configmd\n");
exit(INVALID_ARGUMENT_ERROR);
diff -up ./src/base64.c.coverity ./src/base64.c
--- ./src/base64.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/base64.c 2018-10-10 19:27:18.681632689 +0200
@@ -209,6 +209,7 @@ byte* decode_base64(char* src,size_t ssi
case FAIL:
error(3, "decode_base64: Illegal character: %c\n", *inb);
error(230, "decode_base64: Illegal line:\n%s\n", src);
+ free(outbuf);
return NULL;
break;
case SKIP:
@@ -260,7 +261,7 @@ size_t length_base64(char* src,size_t ss
int l;
int left;
size_t pos;
- unsigned long triple;
+ //unsigned long triple;
error(235, "decode base64\n");
/* Exit on empty input */
@@ -273,7 +274,7 @@ size_t length_base64(char* src,size_t ss
inb = src;
l = 0;
- triple = 0;
+ //triple = 0;
pos=0;
left = ssize;
/*
@@ -293,7 +294,7 @@ size_t length_base64(char* src,size_t ss
case SKIP:
break;
default:
- triple = triple<<6 | (0x3f & i);
+ //triple = triple<<6 | (0x3f & i);
l++;
break;
}
@@ -302,10 +303,10 @@ size_t length_base64(char* src,size_t ss
switch(l)
{
case 2:
- triple = triple>>4;
+ //triple = triple>>4;
break;
case 3:
- triple = triple>>2;
+ //triple = triple>>2;
break;
default:
break;
@@ -314,7 +315,7 @@ size_t length_base64(char* src,size_t ss
{
pos++;
}
- triple = 0;
+ //triple = 0;
l = 0;
}
inb++;
diff -up ./src/be.c.coverity ./src/be.c
--- ./src/be.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/be.c 2018-10-10 19:27:18.681632689 +0200
@@ -117,9 +117,9 @@ static char* get_first_value(char** in){
#endif
-FILE* be_init(int inout,url_t* u,int iszipped)
+void* be_init(int inout,url_t* u,int iszipped)
{
- FILE* fh=NULL;
+ void* fh=NULL;
long a=0;
char* err=NULL;
int fd;
diff -up ./src/commandconf.c.coverity ./src/commandconf.c
--- ./src/commandconf.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/commandconf.c 2018-10-10 19:27:18.682632698 +0200
@@ -106,7 +106,7 @@ int commandconf(const char mode,const ch
rv=0;
} else {
- rv=access(config,R_OK);
+ if (config != NULL) rv=access(config,R_OK);
if(rv==-1){
error(0,_("Cannot access config file: %s: %s\n"),config,strerror(errno));
}
@@ -166,14 +166,11 @@ int commandconf(const char mode,const ch
int conf_input_wrapper(char* buf, int max_size, FILE* in)
{
int retval=0;
- int c=0;
- char* tmp=NULL;
- void* key=NULL;
- int keylen=0;
/* FIXME Add support for gzipped config. :) */
#ifdef WITH_MHASH
/* Read a character at a time until we are doing md */
+ int c=0;
if(conf->do_configmd){
retval=fread(buf,1,max_size,in);
}else {
@@ -185,6 +182,9 @@ int conf_input_wrapper(char* buf, int ma
#endif
#ifdef WITH_MHASH
+ char* tmp=NULL;
+ void* key=NULL;
+ int keylen=0;
if(conf->do_configmd||conf->config_check){
if(((conf->do_configmd==1)&&conf->config_check)||!conf->confmd){
if(conf->do_configmd==1){
@@ -276,6 +276,9 @@ int db_input_wrapper(char* buf, int max_
#endif
break;
}
+ default: {
+ return 0;
+ }
}
#ifdef WITH_CURL
@@ -651,7 +654,6 @@ int handle_endif(int doit,int allow_else
case 0 : {
conferror("@@endif or @@else expected");
return -1;
- count=0;
}
default : {
@@ -816,6 +818,7 @@ void do_dbdef(int dbtype,char* val)
if(u==NULL||u->type==url_unknown||u->type==url_stdout
||u->type==url_stderr) {
error(0,_("Unsupported input URL-type:%s\n"),val);
+ free(u);
}
else {
*conf_db_url=u;
@@ -825,6 +828,7 @@ void do_dbdef(int dbtype,char* val)
case DB_WRITE: {
if(u==NULL||u->type==url_unknown||u->type==url_stdin){
error(0,_("Unsupported output URL-type:%s\n"),val);
+ free(u);
}
else{
conf->db_out_url=u;
@@ -848,6 +852,7 @@ void do_dbindef(char* val)
if(u==NULL||u->type==url_unknown||u->type==url_stdout
||u->type==url_stderr) {
error(0,_("Unsupported input URL-type:%s\n"),val);
+ free(u);
}
else {
conf->db_in_url=u;
@@ -869,6 +874,7 @@ void do_dboutdef(char* val)
* both input and output urls */
if(u==NULL||u->type==url_unknown||u->type==url_stdin){
error(0,_("Unsupported output URL-type:%s\n"),val);
+ free(u);
}
else{
conf->db_out_url=u;
@@ -894,7 +900,8 @@ void do_repurldef(char* val)
} else {
error_init(u,0);
}
-
+
+ free(u);
}
void do_verbdef(char* val)
@@ -984,7 +991,7 @@ void do_report_ignore_e2fsattrs(char* va
break;
}
}
- *val++;
+ val++;
}
}
#endif
diff -up ./src/compare_db.c.coverity ./src/compare_db.c
--- ./src/compare_db.c.coverity 2018-10-10 19:27:18.673632619 +0200
+++ ./src/compare_db.c 2018-10-10 19:27:18.682632698 +0200
@@ -312,7 +312,7 @@ static int acl2array(acl_type* acl, char
if (conf->syslog_format) {
*values = malloc(2 * sizeof(char*));
- char *A, *D = "<NONE>";
+ char *A= "<NONE>", *D = "<NONE>";
if (acl->acl_a) { A = acl->acl_a; }
if (acl->acl_d) { D = acl->acl_d; }
diff -up ./src/conf_lex.l.coverity ./src/conf_lex.l
--- ./src/conf_lex.l.coverity 2018-10-10 19:27:18.673632619 +0200
+++ ./src/conf_lex.l 2018-10-10 19:27:18.682632698 +0200
@@ -133,7 +133,7 @@ int var_in_conflval=0;
<EXPR>[\ \t]*\n {
conf_lineno++;
return (TNEWLINE);
- BEGIN 0;
+// BEGIN 0;
}
<EXPR>\+ {
diff -up ./src/db.c.coverity ./src/db.c
--- ./src/db.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/db.c 2018-10-10 19:27:18.683632707 +0200
@@ -27,6 +27,7 @@
#include "db_file.h"
#include "db_disk.h"
#include "md.h"
+#include "fopen.h"
#ifdef WITH_PSQL
#include "db_sql.h"
@@ -269,6 +270,9 @@ db_line* db_readline(int db){
db_order=&(conf->db_new_order);
break;
}
+ default: {
+ return NULL;
+ }
}
switch (db_url->type) {
@@ -368,7 +372,7 @@ db_line* db_char2line(char** ss,int db){
int i;
db_line* line=(db_line*)malloc(sizeof(db_line)*1);
- int* db_osize=0;
+ int* db_osize=NULL;
DB_FIELD** db_order=NULL;
switch (db) {
@@ -382,6 +386,10 @@ db_line* db_char2line(char** ss,int db){
db_order=&(conf->db_new_order);
break;
}
+ default: {
+ free(line);
+ return NULL;
+ }
}
@@ -601,7 +609,9 @@ db_line* db_char2line(char** ss,int db){
size_t vsz = 0;
tval = strtok(NULL, ",");
- line->xattrs->ents[num].key = db_readchar(strdup(tval));
+ char * tmp = strdup(tval);
+ line->xattrs->ents[num].key = db_readchar(tmp);
+ free(tmp);
tval = strtok(NULL, ",");
val = base64tobyte(tval, strlen(tval), &vsz);
line->xattrs->ents[num].val = val;
@@ -648,6 +658,8 @@ db_line* db_char2line(char** ss,int db){
default : {
error(0,_("Not implemented in db_char2line %i \n"),(*db_order)[i]);
+ free_db_line(line);
+ free(line);
return NULL;
}
@@ -826,7 +838,7 @@ void db_close() {
case url_ftp:
{
if (conf->db_out!=NULL) {
- url_fclose(conf->db_out);
+ url_fclose((URL_FILE*)conf->db_out);
}
break;
}
diff -up ./src/db_disk.c.coverity ./src/db_disk.c
--- ./src/db_disk.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/db_disk.c 2018-10-10 19:28:00.108995089 +0200
@@ -79,9 +79,15 @@ static DIR *open_dir(char* path) {
static void next_in_dir (void)
{
+
#ifdef HAVE_READDIR_R
- if (dirh != NULL)
+ if (dirh != NULL) {
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
rdres = AIDE_READDIR_R_FUNC (dirh, entp, resp);
+#pragma GCC diagnostic pop
+ }
+
#else
#ifdef HAVE_READDIR
if (dirh != NULL) {
diff -up ./src/db_file.c.coverity ./src/db_file.c
--- ./src/db_file.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/db_file.c 2018-10-10 19:27:18.683632707 +0200
@@ -171,7 +171,7 @@ int dofprintf( const char* s,...)
int db_file_read_spec(int db){
int i=0;
- int* db_osize=0;
+ int* db_osize=NULL;
DB_FIELD** db_order=NULL;
switch (db) {
@@ -187,6 +187,9 @@ int db_file_read_spec(int db){
db_lineno=&db_new_lineno;
break;
}
+ default: {
+ return RETFAIL;
+ }
}
*db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD));
@@ -198,13 +201,10 @@ int db_file_read_spec(int db){
int l;
- /* Yes... we do not check if realloc returns nonnull */
-
- *db_order=(DB_FIELD*)
- realloc((void*)*db_order,
+ void * tmp = realloc((void*)*db_order,
((*db_osize)+1)*sizeof(DB_FIELD));
-
- if(*db_order==NULL){
+ if (tmp != NULL) *db_order=(DB_FIELD*) tmp;
+ else {
return RETFAIL;
}
@@ -291,8 +291,8 @@ char** db_readline_file(int db){
int* domd=NULL;
#ifdef WITH_MHASH
MHASH* md=NULL;
-#endif
char** oldmdstr=NULL;
+#endif
int* db_osize=0;
DB_FIELD** db_order=NULL;
FILE** db_filep=NULL;
@@ -302,9 +302,9 @@ char** db_readline_file(int db){
case DB_OLD: {
#ifdef WITH_MHASH
md=&(conf->dboldmd);
+ oldmdstr=&(conf->old_dboldmdstr);
#endif
domd=&(conf->do_dboldmd);
- oldmdstr=&(conf->old_dboldmdstr);
db_osize=&(conf->db_in_size);
db_order=&(conf->db_in_order);
@@ -316,9 +316,9 @@ char** db_readline_file(int db){
case DB_NEW: {
#ifdef WITH_MHASH
md=&(conf->dbnewmd);
+ oldmdstr=&(conf->old_dbnewmdstr);
#endif
domd=&(conf->do_dbnewmd);
- oldmdstr=&(conf->old_dbnewmdstr);
db_osize=&(conf->db_new_size);
db_order=&(conf->db_new_order);
@@ -328,7 +328,9 @@ char** db_readline_file(int db){
break;
}
}
-
+
+ if (db_osize == NULL) return NULL;
+
if (*db_osize==0) {
db_buff(db,*db_filep);
@@ -737,8 +739,6 @@ int db_writespec_file(db_config* dbconf)
int i=0;
int j=0;
int retval=1;
- void*key=NULL;
- int keylen=0;
struct tm* st;
time_t tim=time(&tim);
st=localtime(&tim);
@@ -750,6 +750,8 @@ int db_writespec_file(db_config* dbconf)
#ifdef WITH_MHASH
/* From hereon everything must MD'd before write to db */
+ void*key=NULL;
+ int keylen=0;
if((key=get_db_key())!=NULL){
keylen=get_db_key_len();
dbconf->do_dbnewmd=1;
diff -up ./src/do_md.c.coverity ./src/do_md.c
--- ./src/do_md.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/do_md.c 2018-10-10 19:27:18.683632707 +0200
@@ -202,7 +202,6 @@ void calc_md(struct AIDE_STAT_TYPE* old_
and we don't read from a pipe :)
*/
struct AIDE_STAT_TYPE fs;
- int sres=0;
int stat_diff,filedes;
#ifdef WITH_PRELINK
pid_t pid;
@@ -237,7 +236,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_
return;
}
- sres=AIDE_FSTAT_FUNC(filedes,&fs);
+ AIDE_FSTAT_FUNC(filedes,&fs);
if(!(line->attr&DB_RDEV))
fs.st_rdev=0;
@@ -331,7 +330,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_
}
#endif
#endif /* not HAVE_MMAP */
- buf=malloc(READ_BLOCK_SIZE);
+// buf=malloc(READ_BLOCK_SIZE);
#if READ_BLOCK_SIZE>SSIZE_MAX
#error "READ_BLOCK_SIZE" is too large. Max value is SSIZE_MAX, and current is READ_BLOCK_SIZE
#endif
diff -up ./src/gen_list.c.coverity ./src/gen_list.c
--- ./src/gen_list.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/gen_list.c 2018-10-10 19:27:18.684632716 +0200
@@ -843,15 +843,15 @@ static void add_file_to_tree(seltree* tr
DB_ATTR_TYPE localignorelist=0;
DB_ATTR_TYPE ignored_added_attrs, ignored_removed_attrs, ignored_changed_attrs;
+ if(file==NULL){
+ error(0, "add_file_to_tree was called with NULL db_line\n");
+ }
+
node=get_seltree_node(tree,file->filename);
if(!node){
node=new_seltree_node(tree,file->filename,0,NULL);
}
-
- if(file==NULL){
- error(0, "add_file_to_tree was called with NULL db_line\n");
- }
/* add note to this node which db has modified it */
node->checked|=db;
diff -up ./src/md.c.coverity ./src/md.c
--- ./src/md.c.coverity 2018-10-10 19:27:18.679632672 +0200
+++ ./src/md.c 2018-10-10 19:27:18.684632716 +0200
@@ -36,8 +36,8 @@
*/
DB_ATTR_TYPE hash_gcrypt2attr(int i) {
- DB_ATTR_TYPE r=0;
#ifdef WITH_GCRYPT
+ DB_ATTR_TYPE r=0;
switch (i) {
case GCRY_MD_MD5: {
r=DB_MD5;
@@ -74,13 +74,15 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) {
default:
break;
}
-#endif
return r;
+#else /* !WITH_GCRYPT */
+ return 0;
+#endif
}
const char * hash_gcrypt2str(int i) {
- char * r = "?";
#ifdef WITH_GCRYPT
+ char * r = "?";
switch (i) {
case GCRY_MD_MD5: {
r = "MD5";
@@ -117,13 +119,17 @@ const char * hash_gcrypt2str(int i) {
default:
break;
}
-#endif
return r;
+#else /* !WITH_GCRYPT */
+ return "?";
+#endif
}
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-parameter"
DB_ATTR_TYPE hash_mhash2attr(int i) {
- DB_ATTR_TYPE r=0;
#ifdef WITH_MHASH
+ DB_ATTR_TYPE r=0;
switch (i) {
case MHASH_CRC32: {
r=DB_CRC32;
@@ -198,10 +204,15 @@ DB_ATTR_TYPE hash_mhash2attr(int i) {
default:
break;
}
-#endif
+
return r;
+#else /*!WITH_MHASH */
+ return 0;
+#endif
}
+#pragma GCC diagnostic pop
+
/*
Initialise md_container according it's todo_attr field
*/
@@ -317,7 +328,6 @@ int init_md(struct md_container* md) {
*/
int update_md(struct md_container* md,void* data,ssize_t size) {
- int i;
error(255,"update_md called\n");
@@ -328,6 +338,7 @@ int update_md(struct md_container* md,vo
#endif
#ifdef WITH_MHASH
+ int i;
for(i=0;i<=HASH_MHASH_COUNT;i++) {
if (md->mhash_mdh[i]!=MHASH_FAILED) {
@@ -348,7 +359,6 @@ int update_md(struct md_container* md,vo
*/
int close_md(struct md_container* md) {
- int i;
#ifdef _PARAMETER_CHECK_
if (md==NULL) {
return RETFAIL;
@@ -356,6 +366,7 @@ int close_md(struct md_container* md) {
#endif
error(255,"close_md called \n");
#ifdef WITH_MHASH
+ int i;
for(i=0;i<=HASH_MHASH_COUNT;i++) {
if (md->mhash_mdh[i]!=MHASH_FAILED) {
mhash (md->mhash_mdh[i], NULL, 0);
diff -up ./src/util.c.coverity ./src/util.c
--- ./src/util.c.coverity 2018-10-10 19:27:18.670632593 +0200
+++ ./src/util.c 2018-10-10 19:27:18.684632716 +0200
@@ -105,13 +105,15 @@ url_t* parse_url(char* val)
for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++);
if(r[0]=='\0'){
error(0,"Invalid file-URL,no path after hostname: file:%s\n",t);
+ free(hostname);
return NULL;
}
u->value=strdup(r);
r[0]='\0';
if(gethostname(hostname,MAXHOSTNAMELEN)==-1){
- strncpy(hostname,"localhost", 10);
+ strncpy(hostname,"localhost", 10);
}
+
if( (strcmp(t,"localhost")==0)||(strcmp(t,hostname)==0)){
free(hostname);
break;
@@ -120,7 +122,7 @@ url_t* parse_url(char* val)
free(hostname);
return NULL;
}
- free(hostname);
+
break;
}
u->value=strdup(r);

31
SOURCES/coverity2.patch
View File

@ -1,31 +0,0 @@
diff --up ./src/compare_db.c ./src/compare_db.c
--- ./src/compare_db.c
+++ ./src/compare_db.c
@@ -438,7 +438,11 @@ snprintf(*values[0], l, "%s",s);
} else {
*values = malloc(1 * sizeof (char*));
if (DB_FTYPE&attr) {
- easy_string(get_file_type_string(line->perm))
+ char *file_type = get_file_type_string(line->perm);
+ if (!file_type) {
+ error(2,"%s: ", file_type);
+ }
+ easy_string(file_type)
} else if (DB_LINKNAME&attr) {
easy_string(line->linkname)
easy_number((DB_SIZE|DB_SIZEG),size,"%li")
diff -up ./src/db_file.c ./src/db_file.c
--- ./src/db_file.c
+++ ./src/db_file.c
@@ -194,6 +194,10 @@ int db_file_read_spec(int db){
*db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD));
+ if (*db_order == NULL){
+ error(1,"malloc for *db_order failed in %s", __func__);
+ }
+
while ((i=db_scan())!=TNEWLINE){
switch (i) {

34
aide-verbose.patch Normal file
View File

@ -0,0 +1,34 @@
diff -up ./src/conf_eval.c.verbose ./src/conf_eval.c
--- ./src/conf_eval.c.verbose 2023-04-01 18:25:38.000000000 +0200
+++ ./src/conf_eval.c 2024-05-15 00:08:41.040033220 +0200
@@ -187,6 +187,7 @@ static void set_database_attr_option(DB_
static void eval_config_statement(config_option_statement statement, int linenumber, char *filename, char* linebuf) {
char *str;
bool b;
+ long num;
DB_ATTR_TYPE attr;
switch (statement.option) {
ATTRIBUTE_CONFIG_OPTION_CASE(REPORT_IGNORE_ADDED_ATTRS_OPTION, report_ignore_added_attrs)
@@ -298,8 +299,20 @@ static void eval_config_statement(config
LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_CONFIG, "set 'config_version' option to '%s'", str)
break;
case VERBOSE_OPTION:
- log_msg(LOG_LEVEL_ERROR, "%s:%d: 'verbose' option is no longer supported, use 'log_level' and 'report_level' options instead (see man aide.conf for details) (line: '%s')", conf_filename, conf_linenumber, conf_linebuf);
- exit(INVALID_CONFIGURELINE_ERROR);
+ log_msg(LOG_LEVEL_CONFIG, "%s:%d: 'verbose' option is deprecated, use 'log_level' and 'report_level' options instead (see man aide.conf for details) (line: '%s')", conf_filename, conf_linenumber, conf_linebuf);
+ str = eval_string_expression(statement.e, linenumber, filename, linebuf);
+ num = strtol(str, NULL, 10);
+
+ if (num < 0 || num > 255) {
+ LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_ERROR, "invalid verbose level: '%s'", str);
+ exit(INVALID_CONFIGURELINE_ERROR);
+ }
+
+ if (num >= 10) {
+ set_log_level(LOG_LEVEL_DEBUG);
+ }
+
+ free(str);
break;
case LIMIT_CMDLINE_OPTION:
/* command-line options are ignored here */

225
aide.conf Normal file
View File

@ -0,0 +1,225 @@
# Example configuration file for AIDE.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# The location of the database to be read.
database_in=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default.
log_level=warning
report_level=changed_attributes
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
# These are the default rules.
#
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
FIPSR = p+i+n+u+g+s+acl+selinux+xattrs+sha256
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = FIPSR+sha512
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
# Access control only
PERMS = p+i+u+g+acl+selinux
# Logfile are special, in that they often change
LOG = >
# Just do sha256 and sha512 hashes
LSPP = FIPSR+sha512
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
# Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL
/var/log LOG
/var/run/utmp LOG
# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log
# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP
/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP
/etc/hosts LSPP
/etc/sysconfig LSPP
/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP
/etc/ld.so.conf LSPP
/etc/localtime LSPP
/etc/sysctl.conf LSPP
/etc/modprobe.conf LSPP
/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP
/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP
/etc/stunnel LSPP
/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP
/etc/issue LSPP
/etc/issue.net LSPP
/etc/cups LSPP
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
#=/lost\+found DIR
#=/home DIR
# Ditto /var/log/sa reason...
!/boot/grub2/grubenv
!/var/log/and-httpd
# Admins dot files constantly change, just check perms
/root/\..* PERMS

0
SOURCES/aide.logrotate → aide.logrotate
View File

192
SPECS/aide.spec → aide.spec
View File

@ -1,9 +1,9 @@
Summary: Intrusion detection environment
Name: aide
Version: 0.16
Release: 15%{?dist}.2
Version: 0.18.6
Release: 8%{?dist}.2
URL: http://sourceforge.net/projects/aide
License: GPLv2+
License: GPL-2.0-or-later
Source0: %{url}/files/aide/%{version}/%{name}-%{version}.tar.gz
Source1: aide.conf
Source2: README.quickstart
@ -12,52 +12,46 @@ Source3: aide.logrotate
BuildRequires: gcc
BuildRequires: make
BuildRequires: bison flex
BuildRequires: pcre-devel
BuildRequires: libgpg-error-devel libgcrypt-devel
BuildRequires: pcre2-devel
BuildRequires: libgpg-error-devel gnutls-devel
BuildRequires: zlib-devel
BuildRequires: libcurl-devel
BuildRequires: libacl-devel
BuildRequires: pkgconfig(libselinux)
BuildRequires: libattr-devel
BuildRequires: e2fsprogs-devel
Buildrequires: audit-libs-devel
BuildRequires: audit-libs-devel
BuildRequires: autoconf autoconf-archive
BuildRequires: automake libtool
Requires: libgcrypt >= 1.8.5
Patch1: aide-verbose.patch
Patch2: gnutls.patch
Patch3: escape-control-chars-CVE-2025-54389.patch
Patch4: lowercase-groupnames.patch
# Customize the database file location in the man page.
Patch1: aide-0.16rc1-man.patch
# fix aide in FIPS mode
Patch2: aide-0.16b1-fipsfix.patch
Patch3: aide-0.15-syslog-format.patch
Patch4: aide-0.16-crypto-disable-haval-and-others.patch
Patch5: coverity.patch
Patch6: aide-0.16-crash-elf.patch
# 1676487 - Null pointer dereference fix spotted by coverity
Patch7: coverity2.patch
# 2041957 - CVE-2021-45417 aide: heap-based buffer overflow on outputs larger than B64_BUF
Patch8: aide-0.16-CVE-2021-45417.patch
# CVE-2025-54389 aide: improper output neutralization enables bypassing
Patch9: aide-0.16-CVE-2025-54389.patch
Patch10: aide-0.16-CVE-2025-54389-part2.patch
%description
AIDE (Advanced Intrusion Detection Environment) is a file integrity
checker and intrusion detection program.
%prep
%autosetup -p1
%setup
#%%autosetup -p1
cp -a %{S:2} .
%patch -P 1 -p1 -b .verbose
%patch -P 2 -p1 -b .gnutls
%patch -P 3 -p1 -b .CVE-2025-54389
%patch -P 4 -p1 -b .lowercase-groupnames
%build
autoreconf -ivf
%configure \
--disable-static \
--with-config_file=%{_sysconfdir}/aide.conf \
--with-gcrypt \
--with-gnutls \
--without-gcrypt \
--with-zlib \
--with-curl \
--with-posix-acl \
@ -65,7 +59,6 @@ cp -a %{S:2} .
--with-xattr \
--with-e2fsattrs \
--with-audit
%make_build
%install
@ -77,7 +70,7 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
%files
%license COPYING
%doc AUTHORS ChangeLog NEWS README doc/manual.html contrib/
%doc AUTHORS ChangeLog NEWS README contrib/
%doc README.quickstart
%{_sbindir}/aide
%{_mandir}/man1/*.1*
@ -88,61 +81,112 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
%dir %attr(0700,root,root) %{_localstatedir}/log/aide
%changelog
* Thu Aug 21 2025 Attila Lakatos <alakatos@redhat.com> - 0.16.15.2
* Tue Oct 14 2025 Attila Lakatos <alakatos@redhat.com> - 0.18.6-8.2
- RHEL 10.1.Z ERRATUM
- Fix lowercase group name definition
Resolves: RHEL-119647
* Tue Aug 19 2025 Attila Lakatos <alakatos@redhat.com> - 0.18.6-8.1
RHEL 10.1 ERRATUM
- CVE-2025-54389 aide: improper output neutralization enables bypassing
resolves: RHEL-109907
Resolves: RHEL-108928
* Tue Jan 25 2022 Radovan Sroka <rsroka@redhat.com> - 0.16.15
- backported fix for CVE-2021-45417
resolves: rhbz#2041957
* Wed Jan 29 2025 Radovan Sroka <rsroka@redhat.com> - 0.18.6-8
RHEL 10.0 ERRATUM
- /boot/grub2/grubenv's timestamp is getting modified continuously due to "boot_success" implementation
Resolves: RHEL-4320
* Tue Jun 30 2020 Radovan Sroka <rsroka@redhat.com> = 0.16.14
- strict require for libgcrypt
resolves: rhbz#1852407
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.18.6-7
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Tue May 19 2020 Attila Lakatos <alakatos@redhat.com> - 0.16-13
- RHEL 8.3
- minor edit of aide.conf to make it consistent
resolves: rhbz#1740754
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.18.6-6
- Bump release for June 2024 mass rebuild
* Mon Apr 06 2020 Attila Lakatos <alakatos@redhat.com> - 0.16-12
- RHEL 8.3
- minor edit of aide.conf
resolves: rhbz#1740754
- do not generate false warnings when report_ignore_e2fsattrs is specified in aide.conf
resolves: rhbz#1806323
* Fri May 17 2024 Radovan Sroka <rsroka@redhat.com> - 0.18.6-5
REDHAT 10.0 ERRATUM
- fix verbose patch
- get rid of libgcrypt
Resolves: RHEL-36780
* Wed Jul 24 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-11
- rebuild
- minor edit of aide.conf
* Mon Feb 12 2024 Radovan Sroka <rsroka@redhat.com> - 0.18.6-4
- rebase to 0.18.6
* Tue Jul 23 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-10
- respin
- minor edit of aide.conf
* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.18.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Jul 23 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-9
- Null pointer dereference fix spotted by coverity
resolves: rhbz#1676487
- aide.conf needs updates for RHEL 8
resolves: rhbz#1708015
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.18.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Oct 09 2018 Radovan Sroka <rsroka@redhat.com> - 0.16-8
- fixed wrong line wrapping of messages in the syslog format
resolves: rhbz#1628153
- fixed coverity issues
resolves: rhbz#1602441
- fixed crash when processing .dynamic section
resolves: rhbz#1597250
* Tue Oct 24 2023 Radovan Sroka <rsroka@redhat.com> - 0.18.6-1
- rebase to 0.18.6
* Wed Aug 29 2018 Radovan Sroka <rsroka@redhat.com> - 0.16-7
- fixed crypto problem with libgcrypt (fips)
- resolves: rhbz#1623045
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.18.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Aug 22 2018 Radovan Sroka <rsroka@redhat.com> - 0.16-6
- ported syslog format from rhel7
resolves: rhbz#1584136
- fixed crypto problem with libgcrypt
resolves: rhbz#1584120
* Wed Jun 21 2023 Radovan Sroka <rsroka@redhat.com> - 0.18.4-1
- aide-0.18.4 is available
Resolves: rhbz#1910486
- Please port your pcre dependency to pcre2. Pcre has been deprecated
Resolves: rhbz#2128267
* Tue Jun 13 2023 Radovan Sroka <rsroka@redhat.com> - 0.16-23
- migrated to SPDX license
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-22
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Nov 25 2022 Florian Weimer <fweimer@redhat.com> - 0.16-21
- Apply upstream patches to port configure to C99
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-20
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-19
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-18
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Jul 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-16
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> 0.16-14
- AIDE breaks when setting report_ignore_e2fsattrs
Resolves: rhbz#1850276
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Jul 31 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-12
- backport some patches
Resolves: rhbz#1717140
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Feb 20 2019 Daniel Kopecek <dkopecek@redhat.com> - 0.16-10
- Fix building with curl
Resolves: rhbz#1674637
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Jul 31 2018 Florian Weimer <fweimer@redhat.com> - 0.16-8
- Rebuild with fixed binutils
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.16-6
- Rebuild
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

402
escape-control-chars-CVE-2025-54389.patch Normal file
View File

@ -0,0 +1,402 @@
diff -U0 aide-0.18.6/ChangeLog.orig aide-0.18.6/ChangeLog
diff -up aide-0.18.6/doc/aide.1.orig aide-0.18.6/doc/aide.1
--- aide-0.18.6/doc/aide.1.orig 2025-08-19 11:35:36.082823977 +0200
+++ aide-0.18.6/doc/aide.1 2025-08-19 11:35:36.082823977 +0200
@@ -130,12 +130,25 @@ SIGUSR1 toggles the log_level between cu
.PP
.SH NOTES
+.IP "Checksum encoding"
+
The checksums in the database and in the output are by default base64
encoded (see also report_base16 option).
To decode them you can use the following shell command:
echo <encoded_checksum> | base64 \-d | hexdump \-v \-e '32/1 "%02x" "\\n"'
+.IP "Control characters"
+
+Control characters (00-31 and 127) are always escaped in log and plain report
+output. They are escaped by a literal backslash (\\) followed by exactly 3
+digits representing the character in octal notation (e.g. a newline is output
+as "\fB\\012\fR"). A literal backslash is not escaped unless it is followed by
+3 digits (0-9), in this case the literal backslash is escaped as
+"\fB\\134\fR". Reports in JSON format are escaped according to the JSON specs
+(e.g. a newline is output as "\fB\\b\fR" or an escape (\fBESC\fR) is output as
+"\fB\\u001b\fR")
+
.PP
.SH FILES
diff -up aide-0.18.6/include/util.h.orig aide-0.18.6/include/util.h
--- aide-0.18.6/include/util.h.orig 2025-08-19 11:35:36.081823966 +0200
+++ aide-0.18.6/include/util.h 2025-08-19 11:35:36.080823957 +0200
@@ -57,6 +57,9 @@ int cmpurl(url_t*, url_t*);
int contains_unsafe(const char*);
+char *strnesc(const char *, size_t);
+char *stresc(const char *);
+
void decode_string(char*);
char* encode_string(const char*);
diff -up aide-0.18.6/src/aide.c.orig aide-0.18.6/src/aide.c
--- aide-0.18.6/src/aide.c.orig 2025-08-19 11:35:36.083823987 +0200
+++ aide-0.18.6/src/aide.c 2025-08-19 11:35:36.083823987 +0200
@@ -285,8 +285,8 @@ static void read_param(int argc,char**ar
if((conf->limit_crx=pcre2_compile((PCRE2_SPTR) conf->limit, PCRE2_ZERO_TERMINATED, PCRE2_UTF|PCRE2_ANCHORED, &pcre2_errorcode, &pcre2_erroffset, NULL)) == NULL) {
PCRE2_UCHAR pcre2_error[128];
pcre2_get_error_message(pcre2_errorcode, pcre2_error, 128);
- INVALID_ARGUMENT("--limit", error in regular expression '%s' at %zu: %s, conf->limit, pcre2_erroffset, pcre2_error)
-
+ char * limit_safe = stresc(conf->limit);
+ INVALID_ARGUMENT("--limit", error in regular expression '%s' at %zu: %s, limit_safe, pcre2_erroffset, pcre2_error)
}
conf->limit_md = pcre2_match_data_create_from_pattern(conf->limit_crx, NULL);
if (conf->limit_md == NULL) {
diff -up aide-0.18.6/src/gen_list.c.orig aide-0.18.6/src/gen_list.c
--- aide-0.18.6/src/gen_list.c.orig 2025-08-19 11:35:36.083823987 +0200
+++ aide-0.18.6/src/gen_list.c 2025-08-19 11:35:36.083823987 +0200
@@ -339,35 +339,40 @@ void print_match(char* filename, rx_rule
char * str;
char* attr_str;
char file_type = get_restriction_char(restriction);
+ char *filename_safe = stresc(filename);
+ char *limit_safe = conf->limit?stresc(conf->limit):NULL;
+
switch (match) {
case RESULT_SELECTIVE_MATCH:
str = get_restriction_string(rule->restriction);
attr_str = diff_attributes(0, rule->attr);
- fprintf(stdout, "[X] %c '%s': selective rule: '%s %s %s' (%s:%d: '%s%s%s')\n", file_type, filename, rule->rx, str, attr_str, rule->config_filename, rule->config_linenumber, rule->config_line, rule->prefix?"', prefix: '":"", rule->prefix?rule->prefix:"");
+ fprintf(stdout, "[X] %c '%s': selective rule: '%s %s %s' (%s:%d: '%s%s%s')\n", file_type, filename_safe, rule->rx, str, attr_str, rule->config_filename, rule->config_linenumber, rule->config_line, rule->prefix?"', prefix: '":"", rule->prefix?rule->prefix:"");
free(attr_str);
free(str);
break;
case RESULT_EQUAL_MATCH:
str = get_restriction_string(rule->restriction);
attr_str = diff_attributes(0, rule->attr);
- fprintf(stdout, "[X] %c '%s': equal rule: '=%s %s %s' (%s:%d: '%s%s%s')\n", file_type, filename, rule->rx, str, attr_str, rule->config_filename, rule->config_linenumber, rule->config_line, rule->prefix?"', prefix: '":"", rule->prefix?rule->prefix:"");
+ fprintf(stdout, "[X] %c '%s': equal rule: '=%s %s %s' (%s:%d: '%s%s%s')\n", file_type, filename_safe, rule->rx, str, attr_str, rule->config_filename, rule->config_linenumber, rule->config_line, rule->prefix?"', prefix: '":"", rule->prefix?rule->prefix:"");
free(attr_str);
free(str);
break;
case RESULT_PARTIAL_MATCH:
case RESULT_NO_MATCH:
if (rule) {
- fprintf(stdout, "[ ] %c '%s': negative rule: '!%s %s' (%s:%d: '%s%s%s')\n", file_type, filename, rule->rx, str = get_restriction_string(rule->restriction), rule->config_filename, rule->config_linenumber, rule->config_line, rule->prefix?"', prefix: '":"", rule->prefix?rule->prefix:"");
+ fprintf(stdout, "[ ] %c '%s': negative rule: '!%s %s' (%s:%d: '%s%s%s')\n", file_type, filename_safe, rule->rx, str = get_restriction_string(rule->restriction), rule->config_filename, rule->config_linenumber, rule->config_line, rule->prefix?"', prefix: '":"", rule->prefix?rule->prefix:"");
free(str);
} else {
- fprintf(stdout, "[ ] %c '%s': no matching rule\n", file_type, filename);
+ fprintf(stdout, "[ ] %c '%s': no matching rule\n", file_type, filename_safe);
}
break;
case RESULT_PARTIAL_LIMIT_MATCH:
case RESULT_NO_LIMIT_MATCH:
- fprintf(stdout, "[ ] %c '%s': outside of limit '%s'\n", file_type, filename, conf->limit);
+ fprintf(stdout, "[ ] %c '%s': outside of limit '%s'\n", file_type, filename_safe, limit_safe);
break;
}
+ free(filename_safe);
+ free(limit_safe);
}
/*
diff -up aide-0.18.6/src/log.c.orig aide-0.18.6/src/log.c
--- aide-0.18.6/src/log.c.orig 2025-08-19 11:35:36.083823987 +0200
+++ aide-0.18.6/src/log.c 2025-08-19 11:42:16.887261761 +0200
@@ -30,6 +30,7 @@
#include "log.h"
#include "errorcodes.h"
+#include "util.h"
LOG_LEVEL prev_log_level = LOG_LEVEL_UNSET;
LOG_LEVEL log_level = LOG_LEVEL_UNSET;
@@ -118,7 +119,9 @@ static void log_cached_lines(void) {
for(int i = 0; i < ncachedlines; ++i) {
LOG_LEVEL level = cached_lines[i].level;
if (level == LOG_LEVEL_ERROR || level <= log_level) {
- fprintf(url, "%s: %s\n", log_level_array[level-1].log_string, cached_lines[i].message);
+ char *msg_safe = stresc(cached_lines[i].message);
+ fprintf(url, "%s: %s\n", log_level_array[level-1].log_string, msg_safe);
+ free(msg_safe);
}
free(cached_lines[i].message);
}
@@ -135,9 +138,24 @@ static void vlog_msg(LOG_LEVEL level,con
FILE* url = stderr;
if (level == LOG_LEVEL_ERROR || level <= log_level) {
- fprintf(url, "%s: ", log_level_array[level-1].log_string );
- vfprintf(url, format, ap);
- fprintf(url, "\n");
+ va_list aq;
+ va_copy(aq, ap);
+ int n = vsnprintf(NULL, 0, format, aq) + 1;
+ va_end(aq);
+
+ int size = n * sizeof(char);
+ char *msg_unsafe = malloc(size);
+ if (msg_unsafe == NULL) {
+ fprintf(url, "%s: malloc failed to allocate %d bytes of memory\n", log_level_array[LOG_LEVEL_ERROR-1].log_string, size);
+ exit(MEMORY_ALLOCATION_FAILURE);
+ }
+
+ vsnprintf(msg_unsafe, n, format, ap);
+ char *msg_safe = stresc(msg_unsafe);
+ free(msg_unsafe);
+ fprintf(url, "%s: %s\n", log_level_array[level-1].log_string, msg_safe);
+ free(msg_safe);
+
} else if (log_level == LOG_LEVEL_UNSET) {
cache_line(level, format, ap);
}
diff -up aide-0.18.6/src/report_json.c.orig aide-0.18.6/src/report_json.c
--- aide-0.18.6/src/report_json.c.orig 2025-08-19 11:35:36.084823997 +0200
+++ aide-0.18.6/src/report_json.c 2025-08-19 11:35:36.083823987 +0200
@@ -57,12 +57,53 @@ static int _escape_json_string(const cha
int n = 0;
for (i = 0; i < strlen(src); ++i) {
- if (src[i] == '\\') {
- if (escaped_string) { escaped_string[n] = '\\'; }
- n++;
+ switch(src[i]) {
+ case '\n':
+ if (escaped_string) { escaped_string[n] = '\\'; }
+ n++;
+ if (escaped_string) { escaped_string[n] = 'n'; }
+ n++;
+ break;
+ case '\t':
+ if (escaped_string) { escaped_string[n] = '\\'; }
+ n++;
+ if (escaped_string) { escaped_string[n] = 't'; }
+ n++;
+ break;
+ case '\b':
+ if (escaped_string) { escaped_string[n] = '\\'; }
+ n++;
+ if (escaped_string) { escaped_string[n] = 'b'; }
+ n++;
+ break;
+ case '\f':
+ if (escaped_string) { escaped_string[n] = '\\'; }
+ n++;
+ if (escaped_string) { escaped_string[n] = 'f'; }
+ n++;
+ break;
+ case '\r':
+ if (escaped_string) { escaped_string[n] = '\\'; }
+ n++;
+ if (escaped_string) { escaped_string[n] = 'r'; }
+ n++;
+ break;
+ case '"':
+ case '\\':
+ if (escaped_string) { escaped_string[n] = '\\'; }
+ n++;
+ if (escaped_string) { escaped_string[n] = src[i]; }
+ n++;
+ break;
+ default:
+ if (src[i] >= 0 && (src[i] < 0x1f || src[i] == 0x7f)) {
+ if (escaped_string) { snprintf(&escaped_string[n], 7, "\\u%04x", src[i]); }
+ n += 6;
+ } else {
+ if (escaped_string) { escaped_string[n] = src[i]; }
+ n++;
+ }
}
- if (escaped_string) { escaped_string[n] = src[i]; }
- n++;
}
if (escaped_string) { escaped_string[n] = '\0'; }
n++;
diff -up aide-0.18.6/src/report_plain.c.orig aide-0.18.6/src/report_plain.c
--- aide-0.18.6/src/report_plain.c.orig 2025-08-19 11:35:36.084823997 +0200
+++ aide-0.18.6/src/report_plain.c 2025-08-19 11:35:36.083823987 +0200
@@ -55,7 +55,9 @@ static char* _get_not_grouped_list_strin
static void _print_config_option(report_t *report, config_option option, const char* value) {
if (first) { first=false; }
else { report_printf(report," | "); }
- report_printf(report, "%s: %s", config_options[option].report_string, value);
+ char *value_safe = stresc(value);
+ report_printf(report, "%s: %s", config_options[option].report_string, value_safe);
+ free(value_safe);
}
static void _print_report_option(report_t *report, config_option option, const char* value) {
@@ -63,37 +65,49 @@ static void _print_report_option(report_
}
static void _print_attribute(report_t *report, db_line* oline, db_line* nline, ATTRIBUTE attribute) {
- char **ovalue = NULL;
- char **nvalue = NULL;
+ char **ovalues = NULL;
+ char **nvalues = NULL;
int onumber, nnumber, i, c;
int p = (width_details-(4 + MAX_WIDTH_DETAILS_STRING))/2;
DB_ATTR_TYPE attr = ATTR(attribute);
const char* name = attributes[attribute].details_string;
- onumber=get_attribute_values(attr, oline, &ovalue, report);
- nnumber=get_attribute_values(attr, nline, &nvalue, report);
+ onumber=get_attribute_values(attr, oline, &ovalues, report);
+ nnumber=get_attribute_values(attr, nline, &nvalues, report);
i = 0;
while (i<onumber || i<nnumber) {
- int olen = i<onumber?strlen(ovalue[i]):0;
- int nlen = i<nnumber?strlen(nvalue[i]):0;
+ char *ovalue = NULL;
+ char *nvalue = NULL;
+ int olen = 0;
+ int nlen = 0;
+ if (i<onumber){
+ ovalue = stresc(ovalues[i]);
+ olen = strlen(ovalue);
+ }
+ if (i<nnumber) {
+ nvalue = stresc(nvalues[i]);
+ nlen = strlen(nvalue);
+ }
int k = 0;
while (olen-p*k >= 0 || nlen-p*k >= 0) {
c = k*(p-1);
if (!onumber) {
- report_printf(report," %-*s%c %-*c %.*s\n", MAX_WIDTH_DETAILS_STRING, (i+k)?"":name, (i+k)?' ':':', p, ' ', p-1, nlen-c>0?&nvalue[i][c]:"");
+ report_printf(report," %-*s%c %-*c %.*s\n", MAX_WIDTH_DETAILS_STRING, (i+k)?"":name, (i+k)?' ':':', p, ' ', p-1, nlen-c>0?&nvalue[c]:"");
} else if (!nnumber) {
- report_printf(report," %-*s%c %.*s\n", MAX_WIDTH_DETAILS_STRING, (i+k)?"":name, (i+k)?' ':':', p-1, olen-c>0?&ovalue[i][c]:"");
+ report_printf(report," %-*s%c %.*s\n", MAX_WIDTH_DETAILS_STRING, (i+k)?"":name, (i+k)?' ':':', p-1, olen-c>0?&ovalue[c]:"");
} else {
- report_printf(report," %-*s%c %-*.*s| %.*s\n", MAX_WIDTH_DETAILS_STRING, (i+k)?"":name, (i+k)?' ':':', p, p-1, olen-c>0?&ovalue[i][c]:"", p-1, nlen-c>0?&nvalue[i][c]:"");
+ report_printf(report," %-*s%c %-*.*s| %.*s\n", MAX_WIDTH_DETAILS_STRING, (i+k)?"":name, (i+k)?' ':':', p, p-1, olen-c>0?&ovalue[c]:"", p-1, nlen-c>0?&nvalue[c]:"");
}
k++;
}
++i;
+ free(ovalue);
+ free(nvalue);
}
- for(i=0; i < onumber; ++i) { free(ovalue[i]); ovalue[i]=NULL; } free(ovalue); ovalue=NULL;
- for(i=0; i < nnumber; ++i) { free(nvalue[i]); nvalue[i]=NULL; } free(nvalue); nvalue=NULL;
+ for(i=0; i < onumber; ++i) { free(ovalues[i]); ovalues[i]=NULL; } free(ovalues); ovalues=NULL;
+ for(i=0; i < nnumber; ++i) { free(nvalues[i]); nvalues[i]=NULL; } free(nvalues); nvalues=NULL;
}
static void _print_database_attributes(report_t *report, db_line* db) {
@@ -136,17 +150,29 @@ static void print_report_summary_plain(r
}
static void print_line_plain(report_t* report, seltree* node) {
- if(report->summarize_changes) {
+ if(report->summarize_changes) {
+ char *filename = ((node->checked&NODE_REMOVED)?node->old_data:node->new_data)->filename;
+ char *filename_safe = stresc(filename);
char* summary = get_summarize_changes_string(report, node);
- report_printf(report, "\n%s: %s", summary, ((node->checked&NODE_REMOVED)?node->old_data:node->new_data)->filename);
+ report_printf(report, "\n%s: %s", summary, filename_safe);
free(summary); summary=NULL;
+ free(filename_safe);
} else {
if (node->checked&NODE_ADDED) {
- report_printf(report, _("\nadded: %s"),(node->new_data)->filename);
+ char *filename = (node->new_data)->filename;
+ char *filename_safe = stresc(filename);
+ report_printf(report, _("\nadded: %s"), filename_safe);
+ free(filename_safe);
} else if (node->checked&NODE_REMOVED) {
- report_printf(report, _("\nremoved: %s"),(node->old_data)->filename);
+ char *filename = (node->old_data)->filename;
+ char *filename_safe = stresc(filename);
+ report_printf(report, _("\nremoved: %s"), filename_safe);
+ free(filename_safe);
} else if (node->checked&NODE_CHANGED) {
- report_printf(report, _("\nchanged: %s"),(node->new_data)->filename);
+ char *filename = (node->new_data)->filename;
+ char *filename_safe = stresc(filename);
+ report_printf(report, _("\nchanged: %s"), filename_safe);
+ free(filename_safe);
}
}
}
@@ -154,11 +180,14 @@ static void print_line_plain(report_t* r
static void print_report_dbline_attributes_plain(report_t *report, db_line* oline, db_line* nline, DB_ATTR_TYPE report_attrs) {
if (report_attrs) {
char *file_type = get_file_type_string((nline==NULL?oline:nline)->perm);
+ db_line* line = nline==NULL?oline:nline;
report_printf(report, "\n");
if (file_type) {
report_printf(report, "%s: ", file_type);
}
- report_printf(report, "%s\n", (nline==NULL?oline:nline)->filename);
+ char *filename_safe = stresc(line->filename);
+ report_printf(report, "%s\n", filename_safe);
+ free(filename_safe);
print_dbline_attrs(report, oline, nline, report_attrs, _print_attribute);
}
@@ -195,9 +224,11 @@ static void print_report_details_plain(r
static void print_report_diff_attrs_entries_plain(report_t *report) {
for(int i = 0; i < report->num_diff_attrs_entries; ++i) {
char *str = NULL;
+ char *entry_safe = stresc(report->diff_attrs_entries[i].entry);
report_printf(report, "Entry %s in databases has different attributes: %s\n",
- report->diff_attrs_entries[i].entry,
+ entry_safe,
str= diff_attributes(report->diff_attrs_entries[i].old_attrs, report->diff_attrs_entries[i].new_attrs));
+ free(entry_safe);
free(str);
}
report->num_diff_attrs_entries = 0;
diff -up aide-0.18.6/src/util.c.orig aide-0.18.6/src/util.c
--- aide-0.18.6/src/util.c.orig 2025-08-19 11:35:36.084823997 +0200
+++ aide-0.18.6/src/util.c 2025-08-19 11:35:36.082823977 +0200
@@ -105,6 +105,41 @@ int cmpurl(url_t* u1,url_t* u2)
return RETOK;
}
+static size_t escape_str(const char *unescaped_str, char *str, size_t s) {
+ size_t n = 0;
+ size_t i = 0;
+ char c;
+ while (i < s && (c = unescaped_str[i])) {
+ if ((c >= 0 && (c < 0x1f || c == 0x7f)) ||
+ (c == '\\' && isdigit(unescaped_str[i+1])
+ && isdigit(unescaped_str[i+2])
+ && isdigit(unescaped_str[i+3])
+ ) ) {
+ if (str) { snprintf(&str[n], 5, "\\%03o", c); }
+ n += 4;
+ } else {
+ if (str) { str[n] = c; }
+ n++;
+ }
+ i++;
+ }
+ if (str) { str[n] = '\0'; }
+ n++;
+ return n;
+}
+
+char *strnesc(const char *unescaped_str, size_t s) {
+ int n = escape_str(unescaped_str, NULL, s);
+ char *str = checked_malloc(n);
+ escape_str(unescaped_str, str, s);
+ return str;
+}
+
+char *stresc(const char *unescaped_str) {
+ return strnesc(unescaped_str, strlen(unescaped_str));
+}
+
+
/* Returns 1 if the string contains unsafe characters, 0 otherwise. */
int contains_unsafe (const char *s)
{

487
gnutls.patch Normal file
View File

@ -0,0 +1,487 @@
diff -up ./configure.ac.gnutls ./configure.ac
--- ./configure.ac.gnutls 2023-06-13 20:53:43.000000000 +0200
+++ ./configure.ac 2024-05-14 19:09:47.419448389 +0200
@@ -350,6 +350,10 @@ AC_MSG_CHECKING(for Mhash)
AC_ARG_WITH([mhash], AS_HELP_STRING([--with-mhash], [use Mhash (default: check)]), [with_mhash=$withval], [with_mhash=check])
AC_MSG_RESULT([$with_mhash])
+AC_MSG_CHECKING(for GnuTLS)
+AC_ARG_WITH([gnutls], AS_HELP_STRING([--with-gnutls], [use GnuTLS library (default: check)]), [with_gnutls=$withval], [with_gnutls=check])
+AC_MSG_RESULT([$with_gnutls])
+
AC_MSG_CHECKING(for GNU crypto library)
AC_ARG_WITH([gcrypt], AS_HELP_STRING([--with-gcrypt], [use GNU crypto library (default: check)]), [with_gcrypt=$withval], [with_gcrypt=check])
AC_MSG_RESULT([$with_gcrypt])
@@ -363,19 +367,29 @@ AS_IF([test x"$with_mhash" = xyes], [
)],AC_DEFINE(HAVE_MHASH_WHIRLPOOL,1,[mhash has whirlpool]))
AS_IF([test x"$with_gcrypt" = xcheck], [
with_gcrypt=no
+ with_gnutls=no
])
])
AIDE_PKG_CHECK_MODULES_OPTIONAL(gcrypt, GCRYPT, libgcrypt)
+AIDE_PKG_CHECK_MODULES_OPTIONAL(gnutls, GNUTLS, gnutls)
AS_IF([test x"$with_mhash" != xno && test x"$with_gcrypt" != xno], [
AC_MSG_ERROR([Using gcrypt together with mhash makes no sense. To disable mhash use --without-mhash])
])
-AS_IF([test x"$with_mhash" = xno && test x"$with_gcrypt" = xno], [
- AC_MSG_ERROR([AIDE requires mhash or libcrypt for hashsum calculation])
+AS_IF([test x"$with_mhash" != xno && test x"$with_gnutls" != xno], [
+ AC_MSG_ERROR([Using gnutls together with mhash makes no sense. To disable mhash use --without-mhash])
+])
+AS_IF([test x"$with_gcrypt" != xno && test x"$with_gnutls" != xno], [
+ AC_MSG_ERROR([Using gnutls together with gcrypt makes no sense. To disable gcrypt use --without-gcrypt])
+])
+AS_IF([test x"$with_mhash" = xno && test x"$with_gcrypt" = xno && test x"$with_gnutls" == xno], [
+ AC_MSG_ERROR([AIDE requires mhash, gnutls or libcrypt for hashsum calculation])
])
compoptionstring="${compoptionstring}use Mhash: $with_mhash\\n"
AM_CONDITIONAL(HAVE_MHASH, [test "x$MHASH_LIBS" != "x"])
compoptionstring="${compoptionstring}use GNU crypto library: $with_gcrypt\\n"
AM_CONDITIONAL(HAVE_GCRYPT, [test "x$GCRYPT_LIBS" != "x"])
+compoptionstring="${compoptionstring}use GnuTLS: $with_gnutls\\n"
+AM_CONDITIONAL(HAVE_GNUTLS, [test "x$GNUTLS_LIBS" != "x"])
AIDE_PKG_CHECK(audit, Linux Auditing Framework, no, AUDIT, audit)
diff -up ./doc/aide.conf.5.gnutls ./doc/aide.conf.5
--- ./doc/aide.conf.5.gnutls 2023-08-01 10:47:59.000000000 +0200
+++ ./doc/aide.conf.5 2024-05-14 19:09:47.420448380 +0200
@@ -866,6 +866,7 @@ haval256 checksum
.TP
.B "crc32"
crc32 checksum
+(\fIlibmhash\fR and \fIlibgcrypt\fR only)
.TP
.B "crc32b"
crc32 checksum
@@ -876,14 +877,15 @@ GOST R 34.11-94 checksum
.TP
.B "whirlpool"
whirlpool checksum
+(\fIlibgcrypt\fR and \fIlibmhash\fRonly)
.TP
.B "stribog256"
GOST R 34.11-2012, 256 bit checksum
-(\fIlibgcrypt\fR only, added in AIDE v0.17)
+(\fIlibgcrypt\fR and \fIgnutls\fR only, added in AIDE v0.17)
.TP
.B "stribog512"
GOST R 34.11-2012, 512 bit checksum
-(\fIlibgcrypt\fR only, added in AIDE v0.17)
+(\fIlibgcrypt\fR and \fIgnutls\fR only, added in AIDE v0.17)
.PP
Use 'aide --version' to show which hashsums are available.
diff -up ./include/md.h.gnutls ./include/md.h
--- ./include/md.h.gnutls 2023-04-01 18:25:38.000000000 +0200
+++ ./include/md.h 2024-05-14 19:09:47.420448380 +0200
@@ -29,6 +29,10 @@
#ifdef WITH_GCRYPT
#include <gcrypt.h>
#endif
+#ifdef WITH_GNUTLS
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#endif
#include <sys/types.h>
#include "attributes.h"
#include "hashsum.h"
@@ -61,6 +65,10 @@ typedef struct md_container {
gcry_md_hd_t mdh;
#endif
+#ifdef WITH_GNUTLS
+ gnutls_hash_hd_t gnutls_mdh[num_hashes];
+#endif
+
} md_container;
typedef struct md_hashsums {
diff -up ./Makefile.am.gnutls ./Makefile.am
--- ./Makefile.am.gnutls 2024-05-14 19:09:47.420448380 +0200
+++ ./Makefile.am 2024-05-14 19:23:09.347757387 +0200
@@ -64,17 +64,35 @@ if HAVE_CURL
aide_SOURCES += include/fopen.h src/fopen.c
endif
-aide_CFLAGS = @AIDE_DEFS@ -W -Wall -g ${PTHREAD_CFLAGS}
-aide_LDADD = -lm ${PCRE2_LIBS} ${ZLIB_LIBS} ${MHASH_LIBS} ${GCRYPT_LIBS} ${POSIX_ACL_LIBS} ${SELINUX_LIBS} ${AUDIT_LIBS} ${XATTR_LIBS} ${ELF_LIBS} ${E2FSATTRS_LIBS} ${CAPABILITIES_LIBS} ${CURL_LIBS} ${PTHREAD_LIBS}
+aide_CFLAGS = @AIDE_DEFS@ -W -Wall -g ${PTHREAD_CFLAGS} ${GNUTLS_CFLAGS}
+aide_LDADD = -lm ${PCRE2_LIBS} ${ZLIB_LIBS} ${MHASH_LIBS} ${GNUTLS_LIBS} ${GCRYPT_LIBS} ${POSIX_ACL_LIBS} ${SELINUX_LIBS} ${AUDIT_LIBS} ${XATTR_LIBS} ${ELF_LIBS} ${E2FSATTRS_LIBS} ${CAPABILITIES_LIBS} ${CURL_LIBS} ${PTHREAD_LIBS}
if HAVE_CHECK
-TESTS = check_aide
-check_PROGRAMS = check_aide
+TESTS = check_aide check_md
+check_PROGRAMS = check_aide check_md
check_aide_SOURCES = tests/check_aide.c tests/check_aide.h \
tests/check_attributes.c src/attributes.c \
src/log.c src/util.c
-check_aide_CFLAGS = -I$(top_srcdir)/include $(CHECK_CFLAGS)
-check_aide_LDADD = -lm ${PCRE2_LIBS} ${MHASH_LIBS} ${GCRYPT_LIBS} $(CHECK_LIBS)
+check_aide_CFLAGS = -I$(top_srcdir)/include $(CHECK_CFLAGS) ${GNUTLS_CFLAGS}
+check_aide_LDADD = -lm ${PCRE2_LIBS} ${MHASH_LIBS} ${GCRYPT_LIBS} $(CHECK_LIBS) ${GNUTLS_LIBS}
+
+check_md_SOURCES = tests/check_md.c tests/check_md.h \
+ tests/check_hashes.c \
+ src/log.c src/util.c src/md.c src/base64.c src/hashsum.c src/attributes.c
+
+check_md_CFLAGS = -I$(top_srcdir)/include \
+ $(CHECK_CFLAGS) \
+ $(GCRYPT_CFLAGS) \
+ $(GNUTLS_CFLAGS) \
+ $(MHASH_CFLAGS) \
+ $(PCRE2_CFLAGS)
+check_md_LDADD = -lm \
+ $(CHECK_LIBS) \
+ ${GCRYPT_LIBS} \
+ ${GNUTLS_LIBS} \
+ ${MHASH_LIBS} \
+ ${PCRE2_LIBS}
+
endif # HAVE_CHECK
AM_CFLAGS = @AIDE_DEFS@ -W -Wall -g
diff -up ./README.gnutls ./README
--- ./README.gnutls 2023-08-01 10:47:59.000000000 +0200
+++ ./README 2024-05-14 19:09:47.419448389 +0200
@@ -132,11 +132,15 @@
o GNU make.
o pkg-config
o PCRE2 library
- o Mhash (optional, but highly recommended). Mhash is currently
- available from http://mhash.sourceforge.net/. A static version of
- libmhash needs to be build using the --enable-static=yes
- configure option.
+
+ One of the following crypto libraries:
+
+ o Mhash. Mhash is currently available from
+ http://mhash.sourceforge.net/. A static version of libmhash needs
+ to be build using the --enable-static=yes configure option.
Aide requires at least mhash version 0.9.2
+ o GNU libgcrypt
+ o GnuTLS
o libcheck (optional, needed for 'make check', license: LGPL-2.1)
diff -up ./src/aide.c.gnutls ./src/aide.c
--- ./src/aide.c.gnutls 2023-06-13 20:52:39.000000000 +0200
+++ ./src/aide.c 2024-05-14 19:09:47.420448380 +0200
@@ -66,6 +66,9 @@ char* after = NULL;
#include <gcrypt.h>
#define NEED_LIBGCRYPT_VERSION "1.8.0"
#endif
+#ifdef WITH_GNUTLS
+#include <gnutls/gnutls.h>
+#endif
static void usage(int exitvalue)
{
@@ -522,9 +525,6 @@ static void setdefaults_before_config()
DB_ATTR_TYPE common_attrs = ATTR(attr_perm)|ATTR(attr_ftype)|ATTR(attr_inode)|ATTR(attr_linkcount)|ATTR(attr_uid)|ATTR(attr_gid);
DB_ATTR_TYPE GROUP_R_HASHES=0LLU;
-#ifdef WITH_MHASH
- GROUP_R_HASHES=ATTR(attr_md5);
-#endif
#ifdef WITH_GCRYPT
if (gcry_fips_mode_active()) {
char* str;
@@ -533,6 +533,8 @@ static void setdefaults_before_config()
} else {
GROUP_R_HASHES = ATTR(attr_md5);
}
+#else /* WITH_MHASH or WITH_GNUTLS */
+ GROUP_R_HASHES=ATTR(attr_md5);
#endif
log_msg(LOG_LEVEL_INFO, "define default groups definitions");
diff -up ./src/hashsum.c.gnutls ./src/hashsum.c
--- ./src/hashsum.c.gnutls 2023-04-01 18:25:38.000000000 +0200
+++ ./src/hashsum.c 2024-05-14 19:09:47.420448380 +0200
@@ -29,6 +29,9 @@
#ifdef WITH_GCRYPT
#include <gcrypt.h>
#endif
+#ifdef WITH_GNUTLS
+#include <gnutls/gnutls.h>
+#endif
hashsum_t hashsums[] = {
{ attr_md5, 16 },
@@ -86,6 +89,24 @@ int algorithms[] = { /* order must match
};
#endif
+#ifdef WITH_GNUTLS
+int algorithms[] = { /* order must match hashsums array */
+ GNUTLS_DIG_MD5,
+ GNUTLS_DIG_SHA1,
+ GNUTLS_DIG_SHA256,
+ GNUTLS_DIG_SHA512,
+ GNUTLS_DIG_RMD160,
+ -1, /* TIGER is not available */
+ -1, /* CRC32 is not available */
+ -1, /* CRC32B is not available */
+ -1, /* GCRY_MD_HAVAL is not available */
+ -1, /* WHIRLPOOL is not available */
+ -1, /* GNUTLS_DIG_GOSTR_94 gives different results than Gcrypt */
+ GNUTLS_DIG_STREEBOG_256,
+ GNUTLS_DIG_STREEBOG_512,
+};
+#endif
+
DB_ATTR_TYPE get_hashes(bool include_unsupported) {
DB_ATTR_TYPE attr = 0LLU;
for (int i = 0; i < num_hashes; ++i) {
diff -up ./src/md.c.gnutls ./src/md.c
--- ./src/md.c.gnutls 2023-04-01 18:25:38.000000000 +0200
+++ ./src/md.c 2024-05-14 19:28:09.651209390 +0200
@@ -40,6 +40,11 @@
#include <gcrypt.h>
#endif
+#ifdef WITH_GNUTLS
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+#endif
+
/*
Initialise md_container according its todo_attr field
*/
@@ -90,6 +95,22 @@ int init_md(struct md_container* md, con
}
}
#endif
+#ifdef WITH_GNUTLS
+ for (HASHSUM i = 0 ; i < num_hashes ; ++i) {
+ DB_ATTR_TYPE h = ATTR(hashsums[i].attribute);
+ if (h&md->todo_attr) {
+ if(gnutls_hash_init(&(md->gnutls_mdh[i]),algorithms[i])>=0){
+ md->calc_attr|=h;
+ } else {
+ log_msg(LOG_LEVEL_WARNING,"%s: gnutls_hash_init (%s) failed for '%s'", filename, attributes[hashsums[i].attribute].db_name, filename);
+ md->todo_attr&=~h;
+ md->gnutls_mdh[i] = NULL;
+ }
+ } else {
+ md->gnutls_mdh[i] = NULL;
+ }
+ }
+#endif
char *str;
log_msg(LOG_LEVEL_DEBUG, "%s> initialized md_container: %s (%p)", filename, str = diff_attributes(0, md->calc_attr), md);
free(str);
@@ -120,6 +141,13 @@ int update_md(struct md_container* md,vo
#ifdef WITH_GCRYPT
gcry_md_write(md->mdh, data, size);
#endif
+#ifdef WITH_GNUTLS
+ for (HASHSUM i = 0 ; i < num_hashes ; ++i) {
+ if(md->gnutls_mdh[i] != NULL){
+ gnutls_hash(md->gnutls_mdh[i], data, size);
+ }
+ }
+#endif
return RETOK;
}
@@ -163,6 +191,14 @@ int close_md(struct md_container* md, md
}
}
#endif
+#ifdef WITH_GNUTLS
+ for (HASHSUM i = 0 ; i < num_hashes ; ++i) {
+ if(md->gnutls_mdh[i] != NULL){
+ gnutls_hash_deinit(md->gnutls_mdh[i], hs?hs->hashsums[i]:NULL);
+ md->gnutls_mdh[i] = NULL;
+ }
+ }
+#endif /* WITH_MHASH */
if (hs) {
hs->attrs = md->calc_attr;
}
diff -up ./tests/check_hashes.c.gnutls ./tests/check_hashes.c
--- ./tests/check_hashes.c.gnutls 2024-05-14 19:09:47.420448380 +0200
+++ ./tests/check_hashes.c 2024-05-14 19:09:47.420448380 +0200
@@ -0,0 +1,111 @@
+/*
+ * AIDE (Advanced Intrusion Detection Environment)
+ *
+ * Copyright (C) 2024 Jakub Jelen
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include "config.h"
+
+#include <check.h>
+#include <stdlib.h>
+
+#include "hashsum.h"
+#include "md.h"
+
+typedef struct {
+ const char *input;
+ ssize_t input_len;
+ md_hashsums expected;
+} diff_digests_t;
+
+static diff_digests_t diff_digests_tests[] = {
+ { "", 0, {{
+ "\xd4\x1d\x8c\xd9\x8f\x00\xb2\x04\xe9\x80\x09\x98\xec\xf8\x42\x7e",
+ "\xda\x39\xa3\xee\x5e\x6b\x4b\x0d\x32\x55\xbf\xef\x95\x60\x18\x90\xaf\xd8\x07\x09",
+ "\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9\x24\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52\xb8\x55",
+ "\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80\x07\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c\xe9\xce\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87\x7e\xec\x2f\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a\xf9\x27\xda\x3e",
+ "\x9c\x11\x85\xa5\xc5\xe9\xfc\x54\x61\x28\x08\x97\x7e\xe8\xf5\x48\xb2\x25\x8d\x31",
+ "\x24\xf0\x13\x0c\x63\xac\x93\x32\x16\x16\x6e\x76\xb1\xbb\x92\x5f\xf3\x73\xde\x2d\x49\x58\x4e\x7a",
+ "\x00\x00\x00\x00",
+ "\x00\x00\x00\x00",
+ "\x4f\x69\x38\x53\x1f\x0b\xc8\x99\x1f\x62\xda\x7b\xbd\x6f\x7d\xe3\xfa\xd4\x45\x62\xb8\xc6\xf4\xeb\xf1\x46\xd5\xb4\xe4\x6f\x7c\x17",
+ "\x19\xfa\x61\xd7\x55\x22\xa4\x66\x9b\x44\xe3\x9c\x1d\x2e\x17\x26\xc5\x30\x23\x21\x30\xd4\x07\xf8\x9a\xfe\xe0\x96\x49\x97\xf7\xa7\x3e\x83\xbe\x69\x8b\x28\x8f\xeb\xcf\x88\xe3\xe0\x3c\x4f\x07\x57\xea\x89\x64\xe5\x9b\x63\xd9\x37\x08\xb1\x38\xcc\x42\xa6\x6e\xb3",
+ "\xce\x85\xb9\x9c\xc4\x67\x52\xff\xfe\xe3\x5c\xab\x9a\x7b\x02\x78\xab\xb4\xc2\xd2\x05\x5c\xff\x68\x5a\xf4\x91\x2c\x49\x49\x0f\x8d",
+ "\x3f\x53\x9a\x21\x3e\x97\xc8\x02\xcc\x22\x9d\x47\x4c\x6a\xa3\x2a\x82\x5a\x36\x0b\x2a\x93\x3a\x94\x9f\xd9\x25\x20\x8d\x9c\xe1\xbb",
+ "\x8e\x94\x5d\xa2\x09\xaa\x86\x9f\x04\x55\x92\x85\x29\xbc\xae\x46\x79\xe9\x87\x3a\xb7\x07\xb5\x53\x15\xf5\x6c\xeb\x98\xbe\xf0\xa7\x36\x2f\x71\x55\x28\x35\x6e\xe8\x3c\xda\x5f\x2a\xac\x4c\x6a\xd2\xba\x3a\x71\x5c\x1b\xcd\x81\xcb\x8e\x9f\x90\xbf\x4c\x1c\x1a\x8a" }
+ }},
+ { "hello", 5, {{
+ "\x5d\x41\x40\x2a\xbc\x4b\x2a\x76\xb9\x71\x9d\x91\x10\x17\xc5\x92",
+ "\xaa\xf4\xc6\x1d\xdc\xc5\xe8\xa2\xda\xbe\xde\x0f\x3b\x48\x2c\xd9\xae\xa9\x43\x4d",
+ "\x2c\xf2\x4d\xba\x5f\xb0\xa3\x0e\x26\xe8\x3b\x2a\xc5\xb9\xe2\x9e\x1b\x16\x1e\x5c\x1f\xa7\x42\x5e\x73\x04\x33\x62\x93\x8b\x98\x24",
+ "\x9b\x71\xd2\x24\xbd\x62\xf3\x78\x5d\x96\xd4\x6a\xd3\xea\x3d\x73\x31\x9b\xfb\xc2\x89\x0c\xaa\xda\xe2\xdf\xf7\x25\x19\x67\x3c\xa7\x23\x23\xc3\xd9\x9b\xa5\xc1\x1d\x7c\x7a\xcc\x6e\x14\xb8\xc5\xda\x0c\x46\x63\x47\x5c\x2e\x5c\x3a\xde\xf4\x6f\x73\xbc\xde\xc0\x43",
+ "\x10\x8f\x07\xb8\x38\x24\x12\x61\x2c\x04\x8d\x07\xd1\x3f\x81\x41\x18\x44\x5a\xcd",
+ "\xa7\x88\x62\x33\x6f\x7f\xfd\x2c\x8a\x38\x74\xf8\x9b\x1b\x74\xf2\xf2\x7b\xdb\xca\x39\x66\x02\x54",
+#ifdef WITH_MHASH
+ "\x3d\x65\x31\x19",
+#else
+ "\x36\x10\xa6\x86",
+#endif
+ "\x86\xa6\x10\x36",
+ "\x26\x71\x8e\x4f\xb0\x55\x95\xcb\x87\x03\xa6\x72\xa8\xae\x91\xee\xa0\x71\xca\xc5\xe7\x42\x61\x73\xd4\xc2\x5a\x61\x1c\x4b\x80\x22",
+ "\x0a\x25\xf5\x5d\x73\x08\xec\xa6\xb9\x56\x7a\x7e\xd3\xbd\x1b\x46\x32\x7f\x0f\x1f\xfd\xc8\x04\xdd\x8b\xb5\xaf\x40\xe8\x8d\x78\xb8\x8d\xf0\xd0\x02\xa8\x9e\x2f\xdb\xd5\x87\x6c\x52\x3f\x1b\x67\xbc\x44\xe9\xf8\x70\x47\x59\x8e\x75\x48\x29\x8e\xa1\xc8\x1c\xfd\x73",
+ "\xa7\xeb\x5d\x08\xdd\xf2\x36\x3f\x1e\xa0\x31\x7a\x80\x3f\xce\xf8\x1d\x33\x86\x3c\x8b\x2f\x9f\x6d\x7d\x14\x95\x1d\x22\x9f\x45\x67",
+ "\x3f\xb0\x70\x0a\x41\xce\x6e\x41\x41\x3b\xa7\x64\xf9\x8b\xf2\x13\x5b\xa6\xde\xd5\x16\xbe\xa2\xfa\xe8\x42\x9c\xc5\xbd\xd4\x6d\x6d",
+ "\x8d\xf4\x14\x26\x09\x66\xbe\xb7\xb3\x4d\x92\x07\x63\x07\x9e\x15\xdf\x1f\x63\x29\x7e\xb3\xdd\x43\x11\xe8\xb5\x85\xd4\xbf\x2f\x59\x23\x21\x4f\x1d\xfe\xd3\xfd\xee\x4a\xaf\x01\x83\x30\xa1\x2a\xcd\xe0\xef\xcc\x33\x8e\xb5\x29\x22\xf3\xe5\x71\x21\x2d\x42\xc8\xde" }
+ }},
+};
+
+static int num_diff_digests_tests = sizeof diff_digests_tests / sizeof(diff_digests_t);
+
+START_TEST (test_diff_digests) {
+ const char *filename = "filename"; /* used only in the debug logs */
+ md_hashsums hs = {0};
+ struct md_container *mdc = calloc(1, sizeof(struct md_container));
+ mdc->todo_attr = get_hashes(false);
+
+#ifdef WITH_GCRYPT
+ gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
+ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+#endif
+
+ init_md(mdc, filename);
+ update_md(mdc, (void *)diff_digests_tests[_i].input, diff_digests_tests[_i].input_len);
+ close_md(mdc, &hs, filename);
+ free(mdc);
+
+ for (HASHSUM i = 0 ; i < num_hashes ; ++i) {
+ DB_ATTR_TYPE attr = ATTR(hashsums[i].attribute);
+ if (algorithms[i] >= 0 && hs.attrs&attr) {
+ ck_assert_mem_eq(diff_digests_tests[_i].expected.hashsums[i], hs.hashsums[i], hashsums[i].length);
+ }
+ }
+}
+END_TEST
+
+Suite *make_md_suite(void) {
+
+ Suite *s = suite_create ("md");
+
+ TCase *tc_diff_digests = tcase_create ("diff_digests");
+
+ tcase_add_loop_test (tc_diff_digests, test_diff_digests, 0, num_diff_digests_tests);
+
+ suite_add_tcase (s, tc_diff_digests);
+
+ return s;
+}
+
diff -up ./tests/check_md.c.gnutls ./tests/check_md.c
--- ./tests/check_md.c.gnutls 2024-05-14 19:09:47.420448380 +0200
+++ ./tests/check_md.c 2024-05-14 19:09:47.420448380 +0200
@@ -0,0 +1,36 @@
+/*
+ * AIDE (Advanced Intrusion Detection Environment)
+ *
+ * Copyright (C) 2024 Jakub Jelen
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <stdlib.h>
+
+#include "check_md.h"
+
+int main (void) {
+ int number_failed;
+ SRunner *sr;
+
+ sr = srunner_create (make_md_suite());
+
+ srunner_run_all (sr, CK_NORMAL);
+ number_failed = srunner_ntests_failed (sr);
+
+ srunner_free (sr);
+ return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+}
diff -up ./tests/check_md.h.gnutls ./tests/check_md.h
--- ./tests/check_md.h.gnutls 2024-05-14 19:09:47.421448372 +0200
+++ ./tests/check_md.h 2024-05-14 19:09:47.421448372 +0200
@@ -0,0 +1,23 @@
+/*
+ * AIDE (Advanced Intrusion Detection Environment)
+ *
+ * Copyright (C) 2024 Jakub Jelen
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#include <check.h>
+
+Suite *make_md_suite(void);

21
lowercase-groupnames.patch Normal file
View File

@ -0,0 +1,21 @@
diff -up aide-0.18.6/src/conf_lex.l.orig aide-0.18.6/src/conf_lex.l
--- aide-0.18.6/src/conf_lex.l.orig 2025-10-14 08:06:03.148161714 +0200
+++ aide-0.18.6/src/conf_lex.l 2025-10-14 08:06:52.742286876 +0200
@@ -5,8 +5,6 @@ G [a-zA-Z0-9]
V [a-zA-Z_]+[a-zA-Z0-9_]*
E [\ ]*"="[\ ]*
-O [a-z_]
-
%{
#define YYDEBUG 1
@@ -483,7 +481,7 @@ LOG_LEVEL lex_log_level = LOG_LEVEL_CONF
return (CONFIGOPTION);
}
-<CONFIG>({O})+ {
+<CONFIG>[a-z]+(_[a-z]+)+ {
log_msg(LOG_LEVEL_ERROR,"%s:%d: unknown config option: '%s' (line: '%s')", conf_filename, conf_linenumber, conftext, conf_linebuf);
exit(INVALID_CONFIGURELINE_ERROR);
}

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (aide-0.18.6.tar.gz) = c0e7c366029a401bce4cf44762caecada4d4831bfc2f00ebab6cb818ba259fae5409fdfcc7386d2bc9ca91a8e8fe0eb78927205bc75513578b8a3ccd17183744