rpm/aide
SHA256
1
0
Fork 0
forked from pool/aide
Code Pull Requests Activity

Accepting request 874874 from security

Browse Source 
- Update default config file to match v0.17 (forwarded request 874872 from polslinux)

OBS-URL: https://build.opensuse.org/request/show/874874
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/aide?expand=0&rev=32
This commit is contained in:
Richard Brown 2021-02-25 17:28:56 +00:00 committed by Git OBS Bridge
commit 0bbe6a7526
12 changed files with 191 additions and 143 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
aide-0.16.1-as-needed.patch
View File

@ -1,13 +0,0 @@
Index: aide-0.16/Makefile.am
===================================================================
--- aide-0.16.orig/Makefile.am
+++ aide-0.16/Makefile.am
@@ -55,7 +55,7 @@ if USE_CURL
aide_SOURCES += include/fopen.h src/fopen.c
endif
-aide_LDADD = -lm @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@
+aide_LDADD = -lm @LDFLAGS@ @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@
AM_CFLAGS = @AIDE_DEFS@ -W -Wall -g
AM_CPPFLAGS = -I$(top_srcdir) \
-I$(top_srcdir)/include \

3
aide-0.16.2.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:17f998ae6ae5afb9c83578e4953115ab8a2705efc50dee5c6461cef3f521b797
size 398895

14
aide-0.16.2.tar.gz.asc
View File

@ -1,14 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQGzBAABCgAdFiEEVJXNoXyawXqyOEGnGO6GOGAi71cFAlzhrn0ACgkQGO6GOGAi
71dmhQv/XI8jzv7XP6rLMQF7NFYbdQMrRUHtix2TOivOM/en9Pun9eNsANjKT7Ge
Sh2hciKRmu//L5NTX5UtH7QgYmn2b3A1Q8VexlWgqgUo0hUfcMKX46lw4J4mY5UU
xn7wHYSD2KMtcbXa/WsEqxjqo/aDt8f75p1I3YcoxI8OGm2xw/vIm3Zb7+2/chc+
tmCREYRt4Y8Rph6MscKNymusgjMEoT3bt8Sza6pb3RlBH9Acj91VwKthqKloXyb9
I3fpeyixW7+EBa2o/hOOrWYNKC47I0fgqpxSKGeD1Ogeklac4abEYkEuNPzLyYVO
f6y0EjaJaVGFB3Udys59S7MPSavu3MxAu7jTcHaXej5WssZ5lJLoL5tDU+665weq
uHun0+lnDVN1Cf6e4qsg7a4X8PazanhNY30d8vaQ/nZdrnffI8QWQ+cHDbthX7ml
pnHjJPQLxSOWaoxKwkd51Tn71Os6knAQq1t+//10FnMJFntYpNmRT8xn5W909pDd
wWARK/e6
=mHB7
-----END PGP SIGNATURE-----

11
aide-0.17.3-as-needed.patch Normal file
View File

@ -0,0 +1,11 @@
--- aide-0.17.3/Makefile.am.orig 2021-02-24 12:03:16.648845473 +0100
+++ aide-0.17.3/Makefile.am 2021-02-24 12:03:57.336978950 +0100
@@ -59,7 +59,7 @@
aide_SOURCES += include/fopen.h src/fopen.c
endif
-aide_LDADD = -lm @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@ @CAPLIB@ ${CURL_LIBS}
+aide_LDADD = -lm @LDFLAGS@ @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@ @CAPLIB@ ${CURL_LIBS}
if HAVE_CHECK
TESTS = check_aide

3
aide-0.17.3.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a2eb1883cafaad056fbe43ee1e8ae09fd36caa30a0bc8edfea5d47bd67c464f8
size 330386

14
aide-0.17.3.tar.gz.asc Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN PGP SIGNATURE-----
iQGzBAABCgAdFiEEVJXNoXyawXqyOEGnGO6GOGAi71cFAmAkT9kACgkQGO6GOGAi
71ejJwwAj8ZxtcD7+LCnc2zJD4niB3gy1Jl50ocISgCq0do1xE9Gehs9HYSasCQY
61+kKM22/3Wr0Io/p3SrqoWm6zDQVchULK9YQsu1HEEU5KaePI3kvUKnJx1GCMVR
G16G6fDJ6irRhG2x7QTmolnp0jxp30p9z/ZUIySxY1FGfW00px8kl/Y1qrlxcejU
JEjV2aztW7ONTEmGIQF6iGPLxrF9CHP86FSX1WjtxF5f95wyAlVnD3/+CNew8ib4
HXcCSbTbIgWIt+8/t2eq+dOEwaWI//h3RMkHnhDwxHcB+L5lXtkFlvr20w3eRKzG
SQOdOnUzlTkX6qZcWZTYNFymfpMp0z1Lp1UmI4APtjkGomkpz/e/+nlJxUT3Ycvh
Ed+FJCKDlOjKVAGIuaqT6pS2fo8qvhTWnsSBsxXXpi07BcYYx56JMj752ZzIxSGF
EMjlfJa7gX/qceMHMEWSQG8O3w9FSGpIg0Ww5KFghXDaqbJy4mcsgnn62Zt4WS4C
gVyhKy4h
=VCaY
-----END PGP SIGNATURE-----

37
aide-define_hash_use_gcrypt.patch
View File

@ -1,37 +0,0 @@
diff -Nur aide-0.16/include/md.h aide-0.16.new/include/md.h
--- aide-0.16/include/md.h 2016-07-25 22:56:55.000000000 +0200
+++ aide-0.16.new/include/md.h 2018-11-21 14:07:01.347479021 +0100
@@ -48,7 +48,7 @@
#define HASH_GCRYPT_COUNT GCRY_MD_CRC32
#ifndef WITH_MHASH
#define HASH_USE_GCRYPT (DB_MD5|DB_SHA1|DB_RMD160|DB_TIGER|DB_CRC32|\
- DB_HAVAL|DB_CRC32|DB_SHA256|DB_SHA512)
+ DB_CRC32B|DB_SHA256|DB_SHA512)
#endif
#endif
diff -Nur aide-0.16/src/md.c aide-0.16.new/src/md.c
--- aide-0.16/src/md.c 2016-07-25 22:56:55.000000000 +0200
+++ aide-0.16.new/src/md.c 2018-11-21 14:06:05.602295496 +0100
@@ -55,10 +55,12 @@
r=DB_TIGER;
break;
}
+/* until libgcrypt-1.8.4 not implemented yet, see doc/gcrypt.info-1
case GCRY_MD_HAVAL: {
r=DB_HAVAL;
break;
}
+*/
case GCRY_MD_SHA256: {
r=DB_SHA256;
break;
@@ -219,7 +221,7 @@
if(gcry_md_enable(md->mdh,i)==GPG_ERR_NO_ERROR){
md->calc_attr|=h;
} else {
- error(0,"gcry_md_enable %i failed",i);
+ error(0,"gcry_md_enable %i failed, see /usr/include/gcrypt.h enum gcry_md_algos",i);
md->todo_attr&=~h;
}
}

20
aide-dynamic.patch
View File

@ -1,20 +0,0 @@
Index: aide-0.15.1/src/util.c
===================================================================
--- aide-0.15.1.orig/src/util.c
+++ aide-0.15.1/src/util.c
@@ -497,6 +497,7 @@ int syslog_facility_lookup(char *s)
/* We need these dummy stubs to fool the linker into believing that
we do not need them at link time */
+#if 0
void* dlopen(char*filename,int flag)
{
return NULL;
@@ -516,6 +517,7 @@ const char* dlerror(void)
{
return NULL;
}
+#endif
const char* aide_key_2=CONFHMACKEY_02;
const char* db_key_2=DBHMACKEY_02;

28
aide-xattr-in-libc.patch
View File

@ -1,19 +1,27 @@
diff -Pdpru aide-0.16.1.orig/configure.ac aide-0.16.1/configure.ac
--- aide-0.16.1.orig/configure.ac 2019-03-17 22:12:56.269936982 +0100
+++ aide-0.16.1/configure.ac 2019-03-17 22:14:48.084669784 +0100
@@ -536,7 +536,7 @@ AC_ARG_WITH([xattr],
diff -ru old/configure.ac new/configure.ac
--- old/configure.ac 2021-02-10 22:01:14.000000000 +0100
+++ new/configure.ac 2021-02-24 13:17:31.287619804 +0100
@@ -483,7 +483,7 @@
AS_IF([test "x$with_xattr_support" != xno],
[AC_DEFINE(WITH_XATTR,1,[use xattr])
- ATTRLIB=-lattr
+ ATTRLIB=
compoptionstring="${compoptionstring}WITH_XATTR\\n"
aideextragroups="${aideextragroups}+xattrs"
AC_MSG_RESULT(yes)],
diff -Pdpru aide-0.16.1.orig/include/db_config.h aide-0.16.1/include/db_config.h
--- aide-0.16.1.orig/include/db_config.h 2019-03-17 22:12:56.269936982 +0100
+++ aide-0.16.1/include/db_config.h 2019-03-17 22:16:01.303841342 +0100
@@ -62,7 +62,6 @@ typedef struct acl_type {
[AC_MSG_RESULT(no)]
diff -ru old/include/db_config.h new/include/db_config.h
--- old/include/db_config.h 2021-02-10 22:01:14.000000000 +0100
+++ new/include/db_config.h 2021-02-24 13:49:16.813840910 +0100
@@ -23,7 +23,6 @@
#ifndef _DB_CONFIG_H_INCLUDED
#define _DB_CONFIG_H_INCLUDED
#include "config.h"
-#include "attributes.h"
#include "report.h"
#include "types.h"
#include <unistd.h>
@@ -48,7 +47,6 @@
#ifdef WITH_XATTR /* Do generic user Xattrs. */
#include <sys/xattr.h>
@ -21,3 +29,5 @@ diff -Pdpru aide-0.16.1.orig/include/db_config.h aide-0.16.1/include/db_config.h
#ifndef ENOATTR
# define ENOATTR ENODATA
#endif
Only in new/include: md.h.orig
Only in new/src: md.c.orig

85
aide.changes
View File

@ -1,3 +1,88 @@
-------------------------------------------------------------------
Wed Feb 24 13:45:59 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>
- Update default config file to match v0.17
-------------------------------------------------------------------
Wed Feb 24 11:01:03 UTC 2021 - Paolo Stivanin <info@paolostivanin.com>
- Update to 0.17.3:
* BACKWARDS INCOMPATIBLE CHANGES
- '--verbose' command line option and 'verbose' config option are no
longer supported, use 'log_level' and 'report_level' options instead
- '--report' command line option is no longer supported, use
'report_url' config option instead
- 'ignore_list' config option is no longer supported, use
'report_ignore_changed_attrs' instead
- 'report_attributes' config option is no longer supported, use
'report_force_attrs' instead
- (restricted) regular rules must start with literal '/', i.e. the rule
cannot begin with a macro variable
- config lines must end with new line
- '@' and ' ' in the configuration are now escaped with '\', that means
to match a '\' you have to use four backslashes '\\\\' in your rules
- 'gzip_dbout=false' fails now with config error when no zlib support
is compiled in
- remove '--with-initial-errors' configure option
- remove PostgreSQL database backend support
- remove Sun ACL support
- remove config and database signing support
* Enhancements:
- add new '--log-level' command line option and 'log_level' config option
- introduce named log levels
- add new 'report' log level to help to debug rule matching
- add new 'config' log level to help to debug config and rule parsing
- aad new '--dry-init' command
- add new '--path-check' command
- add directory support for @@include
- add new @@x_include config macro
- add new @@x_include_setenv config macro
- add new default compound group 'H' (all compiled-in hashsums)
- add support for per-report_url options
- add new 'report_level' config option
- add new 'report_append' config option
- add exit code 21 for file lock errors
- add default config values, available hashsums and compound groups
to '--version' output
- add Linux capabilities support
- show changed attributes in 'different attributes' message
- enable 'gost' and 'whirlpool' checksums when using gcrypt
- add 'stribog256' and 'stribog512' gcrypt algorithms
- add config file names to log output
* Miscellaneous behaviour changes:
- 'report_summarize_changes': hashsum changes are now indicated with 'H'
- print '--help' and '--verion' output to stdout
- log messages and errors are always written to stderr
- initialise report URLs after configuration parsing
- allow empty values for macro variables
- SIGUSR1 now toggles debug log level
- fail on errors in regular expressions during config parsing
- fail on invalid URLs during config check
- Fail on double slash in rule path
- cache log lines when 'log_level' is not yet set
* Deprecations:
- 'database' config option is now deprecated, use 'database_in' instead
- 'summarize_changes' config option is now deprecated, use
'report_summarize_changes' instead
- 'grouped' config option is now deprecated, use 'report_grouped'
instead
- non-alphanumeric group names are deprecated
* Notable bug fixes:
- fix line numbers in log messages
- remove warning when input database is '/dev/null'
- correctly handle UTF-8 in path names and rules
- fix compilation with curl and gcrypt
- warn on unsupported hash algorithms
- improve large-file support
* Remove obsolete aide-attributes.sh script
* Remove outdated manual.html
* Update documentation
- Rename aide-0.16.1-as-needed.patch to and rebase aide-0.17.3-as-needed.patch
- Rebase aide-xattr-in-libc.patch
- Remove aide-define_hash_use_gcrypt.patch (no longer needed)
- Remove aide-dynamic.patch (no longer needed)
-------------------------------------------------------------------
Thu Jul 30 20:13:39 UTC 2020 - Matthias Eliasson <elimat@opensuse.org>

72
aide.conf
View File

@ -1,85 +1,85 @@
#
# AIDE _Example_ Configuration
# AIDE _Example_ Configuration
#
# Thanks to the Debian people and Dirk Müller <dmuell@gmx.net>
# Thanks to the Debian people and Dirk Müller <dmuell@gmx.net>
#
# Use at your own risk!
# Use at your own risk!
#
# Matthias G. Eckermann <mge@suse.de>
# Matthias G. Eckermann <mge@suse.de>
#
#
# Configuration parameters
#
database=file:/var/lib/aide/aide.db
database_in=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
verbose=1
report_url=stdout
warn_dead_symlinks=yes
#
# Custom rules
#
Binlib = p+i+n+u+g+s+b+m+c+sha256+sha512
ConfFiles = p+i+n+u+g+s+b+m+c+sha256+sha512
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+sha256+sha512
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+sha256+sha512
Binlib = p+i+n+u+g+s+b+m+c+sha256+sha512
ConfFiles = p+i+n+u+g+s+b+m+c+sha256+sha512
Logs = p+i+n+u+g+S
Devices = p+i+n+u+g+s+b+c+sha256+sha512
Databases = p+n+u+g
StaticDir = p+i+n+u+g
ManPages = p+i+n+u+g+s+b+m+c+sha256+sha512
#
# Directories and files
#
# Kernel, system map, etc.
/boot Binlib
/boot Binlib
# watch config files, but exclude, what changes at boot time, ...
!/etc/mtab
!/etc/lvm*
/etc ConfFiles
/etc ConfFiles
# Binaries
/bin Binlib
/sbin Binlib
/bin Binlib
/sbin Binlib
# Libraries
/lib Binlib
/lib Binlib
# Complete /usr and /opt
/usr Binlib
/opt Binlib
/usr Binlib
/opt Binlib
# Log files
/var/log$ StaticDir
#/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
#/var/log/aide/error.log(.[0-9])?(.gz)? Databases
#/var/log/setuid.changes(.[0-9])?(.gz)? Databases
/var/log Logs
/var/log$ StaticDir
#/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
#/var/log/aide/error.log(.[0-9])?(.gz)? Databases
#/var/log/setuid.changes(.[0-9])?(.gz)? Databases
/var/log Logs
# Devices
!/dev/pts
/dev Devices
/dev Devices
# Other miscellaneous files
/var/run$ StaticDir
/var/run$ StaticDir
!/var/run
/var/lib Databases
/var/lib Databases
# Test only the directory when dealing with /proc
/proc$ StaticDir
/proc$ StaticDir
!/proc
# manpages can be trojaned, especially depending on *roff implementation
#/usr/man ManPages
#/usr/share/man ManPages
#/usr/local/man ManPages
#/usr/man ManPages
#/usr/share/man ManPages
#/usr/local/man ManPages
# check sources for modifications
#/usr/src L
#/usr/local/src L
#/usr/src L
#/usr/local/src L
# Check headers for same
#/usr/include L
#/usr/local/include L
#/usr/include L
#/usr/local/include L

34
aide.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package aide
#
# Copyright (c) 2020 SUSE LLC
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
Name: aide
Version: 0.16.2
Version: 0.17.3
Release: 0
Summary: Advanced Intrusion Detection Environment
License: GPL-2.0-or-later
@ -28,10 +28,8 @@ Source2: aide-cron_daily.sh
Source3: aide-test.sh
Source42: https://github.com/aide/aide/releases/download/v%{version}/aide-%{version}.tar.gz.asc
Source43: aide.keyring
Patch1: aide-0.16.1-as-needed.patch
Patch3: aide-xattr-in-libc.patch
Patch4: aide-dynamic.patch
Patch5: aide-define_hash_use_gcrypt.patch
Patch1: aide-0.17.3-as-needed.patch
Patch2: aide-xattr-in-libc.patch
BuildRequires: automake
BuildRequires: bison
BuildRequires: curl-devel
@ -54,9 +52,7 @@ Simple AIDE test script for externalized testing.
%prep
%setup -q
%patch1 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch2 -p1
%build
autoreconf -fiv
@ -84,7 +80,16 @@ install -m 700 %{SOURCE3} %{buildroot}%{_bindir}/
mkdir -p doc/examples%{_sysconfdir}/cron.daily/
cp -a %{SOURCE2} doc/examples%{_sysconfdir}/cron.daily/aide.sh
%post
if ! grep -q "database_in" %{_sysconfdir}/aide.conf ; then
# with the 0.17 update some backward incompatible changes were made to the config file. Therefore, we have to adapt those parameters, otherwise the program will fail
sed -i 's/database=/database_in=/' %{_sysconfdir}/aide.conf
sed -i '/verbose=/d' %{_sysconfdir}/aide.conf
sed -i 's/\t/ /g' %{_sysconfdir}/aide.conf
fi
%check
rm -rf %{_localstatedir}/tmp/aide-test
mkdir %{_localstatedir}/tmp/aide-test
export TESTDIR=%{_localstatedir}/tmp/aide-test
%make_build DESTDIR=$TESTDIR install
@ -92,19 +97,26 @@ install -m 700 -d $TESTDIR%{_localstatedir}/lib/aide
install -m 700 -d $TESTDIR%{_sysconfdir}
install -m 600 %{SOURCE1} $TESTDIR%{_sysconfdir}/aide.conf.new
sed -e "s#%{_localstatedir}/lib/aide#$TESTDIR%{_localstatedir}/lib/aide#g" <$TESTDIR%{_sysconfdir}/aide.conf.new >$TESTDIR%{_sysconfdir}/aide.conf
if ! grep -q "database_in" %{_sysconfdir}/aide.conf ; then
# with the 0.17 update some backward incompatible changes were made to the config file. Therefore, we have to adapt those parameters, otherwise the program will fail
sed -i 's/database=/database_in=/' $TESTDIR%{_sysconfdir}/aide.conf
sed -i '/verbose=/d' $TESTDIR%{_sysconfdir}/aide.conf
sed -i 's/\t/ /g' $TESTDIR%{_sysconfdir}/aide.conf
fi
$TESTDIR/usr/bin/aide -D -c $TESTDIR%{_sysconfdir}/aide.conf
sleep 2
sync
sleep 2
$TESTDIR/usr/bin/aide -c $TESTDIR%{_sysconfdir}/aide.conf --init
mv $TESTDIR%{_localstatedir}/lib/aide/aide.db.new $TESTDIR%{_localstatedir}/lib/aide/aide.db
$TESTDIR/usr/bin/aide -c $TESTDIR%{_sysconfdir}/aide.conf --check --verbose
$TESTDIR/usr/bin/aide -c $TESTDIR%{_sysconfdir}/aide.conf --check --log-level=info
rm -rf $TESTDIR
%files
%license COPYING
%doc AUTHORS ChangeLog NEWS README doc/manual* doc/examples
%doc AUTHORS ChangeLog NEWS README doc/examples
%{_bindir}/aide
/%{_mandir}/man1/aide.1.gz
/%{_mandir}/man5/aide.conf.5.gz