diff --git a/.gitignore b/.gitignore
index ce1812d..3d07290 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,5 +19,3 @@ aide-0.14.tar.gz.asc
 /aide-0.18.8.tar.gz.asc
 /aide-0.19.1.tar.gz
 /aide-0.19.1.tar.gz.asc
-/aide-0.19.2.tar.gz
-/aide-0.19.2.tar.gz.asc
diff --git a/aide.conf b/aide.conf
index 56ba1da..7090a46 100644
--- a/aide.conf
+++ b/aide.conf
@@ -112,247 +112,221 @@ report_url=stdout # You can create custom rules like this. # Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost) +# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32+crc32b (old with deprecated/removed) ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512 # Everything but access time (Ie. all changes) - updated with modern hashsums EVERYTHING = R+ALLXTRAHASHES # Base + sha512 (strong) -NORMAL = R+sha512-m-c +NORMAL = R+sha512 -# Content only - added file type and strong hash -CONTENT = ftype+sha512 +CONTENT = ftype+sha256 # For directories, don't bother doing hashes - added file type and link name DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs # Access control only - added file type and link name -PERMS = ftype+p+u+g+acl+selinux+xattrs +PERMS = ftype+p+i+l+u+g+acl+selinux -# Logfiles are special, in that they often change due to log rotation -# Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes -# Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques -# Don't track: size, inodes, timestamps, checksums and some special attributes (these change frequently with log rotation) -LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs +# Logfile are special, in that they often change +LOG = > # Some files get updated automatically, so the inode/ctime/mtime change # but we want to know when the data inside them changes - updated with modern hash -DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 +DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256 # Next decide what directories/files you want in the database. 
-/boot NORMAL -/bin NORMAL -/sbin NORMAL -/lib NORMAL -/lib64 NORMAL +/boot/ NORMAL +/bin/ NORMAL +/sbin/ NORMAL +/lib/ NORMAL +/lib64/ NORMAL # Monitor /opt selectively to avoid noise from auto-updating applications -/opt CONTENT -/usr NORMAL +/opt/ CONTENT +/usr/ NORMAL # These are too volatile !/usr/src !/usr/tmp +/root NORMAL # Admins dot files constantly change, just check perms /root/\..* PERMS -!/root/.xauth* -/root NORMAL # Check only permissions, inode, user and group for /etc, but # cover some important files closely. +/etc PERMS !/etc/mtab # Ignore backup files !/etc/.*~ # trusted databases -/etc/hosts$ NORMAL -/etc/host.conf$ NORMAL -/etc/hostname$ NORMAL -/etc/issue$ NORMAL -/etc/issue.net$ NORMAL -/etc/protocols$ NORMAL -/etc/services$ NORMAL -/etc/localtime$ NORMAL -/etc/alternatives NORMAL +/etc/hosts$ NORMAL +/etc/host.conf$ NORMAL +/etc/hostname$ NORMAL +/etc/issue$ NORMAL +/etc/issue.net$ NORMAL +/etc/protocols$ NORMAL +/etc/services$ NORMAL +/etc/localtime$ NORMAL +/etc/alternatives/ NORMAL /etc/mime.types$ NORMAL -/etc/terminfo NORMAL -/etc/exports$ NORMAL -/etc/fstab$ NORMAL -/etc/passwd$ NORMAL -/etc/group$ NORMAL -/etc/gshadow$ NORMAL -/etc/shadow$ NORMAL -/etc/subgid$ NORMAL -/etc/subuid$ NORMAL -/etc/skel NORMAL -/etc/sssd NORMAL -/etc/swid NORMAL -/etc/system-release-cpe$ NORMAL -/etc/tmux.conf$ NORMAL -/etc/xattr.conf$ NORMAL +/etc/terminfo/ NORMAL +/etc/exports$ NORMAL +/etc/fstab$ NORMAL +/etc/passwd$ NORMAL +/etc/group$ NORMAL +/etc/gshadow$ NORMAL +/etc/shadow$ NORMAL +/etc/security/opasswd$ NORMAL +/etc/skel/ NORMAL # networking -/etc/firewalld NORMAL -!/etc/NetworkManager/system-connections -/etc/NetworkManager NORMAL +/etc/hosts.allow$ NORMAL +/etc/hosts.deny$ NORMAL +/etc/firewalld/ NORMAL +/etc/NetworkManager/ NORMAL /etc/networks$ NORMAL -/etc/dhcp NORMAL -/etc/wpa_supplicant NORMAL +/etc/dhcp/ NORMAL +/etc/wpa_supplicant/ NORMAL /etc/resolv.conf$ DATAONLY +/etc/nscd.conf$ NORMAL # logins and accounts /etc/login.defs$ NORMAL 
/etc/libuser.conf$ NORMAL /var/log/faillog$ PERMS /var/log/lastlog$ PERMS -/var/run/faillock PERMS -/etc/pam.d NORMAL -/etc/security NORMAL +/var/run/faillock/ PERMS +/etc/pam.d/ NORMAL +/etc/security$ NORMAL /etc/securetty$ NORMAL -/etc/polkit-1 NORMAL +/etc/polkit-1/ NORMAL /etc/sudo.conf$ NORMAL /etc/sudoers$ NORMAL -/etc/sudoers.d NORMAL +/etc/sudoers.d/ NORMAL # Shell/X starting files /etc/profile$ NORMAL -/etc/profile.d NORMAL +/etc/profile.d/ NORMAL /etc/bashrc$ NORMAL -/etc/bash_completion.d NORMAL +/etc/bash_completion.d/ NORMAL /etc/zprofile$ NORMAL /etc/zshrc$ NORMAL /etc/zlogin$ NORMAL /etc/zlogout$ NORMAL -/etc/X11 NORMAL +/etc/X11/ NORMAL /etc/shells$ NORMAL # Pkg manager -/etc/dnf NORMAL -/etc/yum.repos.d NORMAL +/etc/yum.conf$ NORMAL +/etc/yum/ NORMAL +/etc/yum.repos.d/ NORMAL -# auditing -# AIDE produces an audit record, so this becomes perpetual motion. -/var/log/audit PERMS -/etc/audit NORMAL +/etc/audit/ NORMAL +/etc/audisp/ NORMAL /etc/libaudit.conf$ NORMAL /etc/aide.conf$ NORMAL -# System logs with proper logrotate handling +# System logs /etc/rsyslog.conf$ NORMAL -/etc/rsyslog.d NORMAL +/etc/rsyslog.d/ NORMAL /etc/logrotate.conf$ NORMAL -/etc/logrotate.d NORMAL -/etc/systemd/journald.conf$ NORMAL - -# Log directory -/var/log LOG -# Journal files - exclude xattrs and link count due to systemd journal's user.crtime_usec extended attribute changes and new directory creation -/var/log/journal LOG-xattrs-n - - -/var/run/utmp LOG - +/etc/logrotate.d/ NORMAL +/var/log/ LOG+ANF+ARF +/var/run/utmp$ LOG # secrets -/etc/pkcs11 NORMAL -/etc/pki NORMAL -/etc/ssl NORMAL -/etc/certmonger NORMAL -/var/lib/systemd/random-seed$ PERMS +/etc/pkcs11/ NORMAL +/etc/pki/ NORMAL +/etc/ssl/ NORMAL +/etc/certmonger/ NORMAL # init system -/etc/systemd NORMAL -/etc/sysconfig NORMAL -/etc/rc.d NORMAL -/etc/tmpfiles.d NORMAL +/etc/systemd/ NORMAL +/etc/sysconfig/ NORMAL +/etc/rc.d/ NORMAL +/etc/tmpfiles.d/ NORMAL /etc/machine-id$ NORMAL # boot config -/etc/default NORMAL 
-/etc/grub.d NORMAL +/etc/grub.d/ NORMAL /etc/grub2.cfg$ NORMAL /etc/dracut.conf$ NORMAL -/etc/dracut.conf.d NORMAL +/etc/dracut.conf.d/ NORMAL # glibc linker /etc/ld.so.cache$ NORMAL /etc/ld.so.conf$ NORMAL -/etc/ld.so.conf.d NORMAL -/etc/ld.so.preload$ NORMAL +/etc/ld.so.conf.d/ NORMAL # kernel config /etc/sysctl.conf$ NORMAL -/etc/sysctl.d NORMAL -/etc/modprobe.d NORMAL -/etc/modules-load.d NORMAL -/etc/depmod.d NORMAL -/etc/udev NORMAL +/etc/sysctl.d/ NORMAL +/etc/modprobe.d/ NORMAL +/etc/modules-load.d/ NORMAL +/etc/depmod.d/ NORMAL +/etc/udev/ NORMAL /etc/crypttab$ NORMAL #### Daemons #### # cron jobs -/var/spool/at CONTENT +/var/spool/at/ CONTENT /etc/at.allow$ CONTENT /etc/at.deny$ CONTENT -/etc/anacrontab$ NORMAL /etc/cron.allow$ NORMAL /etc/cron.deny$ NORMAL -/etc/cron.d NORMAL -/etc/cron.daily NORMAL -/etc/cron.hourly NORMAL -/etc/cron.monthly NORMAL -/etc/cron.weekly NORMAL +/etc/cron.d/ NORMAL +/etc/cron.daily/ NORMAL +/etc/cron.hourly/ NORMAL +/etc/cron.monthly/ NORMAL +/etc/cron.weekly/ NORMAL /etc/crontab$ NORMAL -/var/spool/cron/root CONTENT +/var/spool/cron/root/ CONTENT +/etc/anacrontab$ NORMAL # time keeping +/etc/ntp.conf$ NORMAL +/etc/ntp/ NORMAL /etc/chrony.conf$ NORMAL /etc/chrony.keys$ NORMAL # mail /etc/aliases$ NORMAL /etc/aliases.db$ NORMAL -/etc/postfix NORMAL +/etc/postfix/ NORMAL +/etc/mail.rc$ NORMAL +/etc/mailcap$ NORMAL # ssh /etc/ssh/sshd_config$ NORMAL /etc/ssh/ssh_config$ NORMAL # stunnel -/etc/stunnel NORMAL +/etc/stunnel/ NORMAL # ftp -/etc/vsftpd CONTENT +/etc/vsftpd.conf$ CONTENT +/etc/vsftpd/ CONTENT # printing -/etc/cups NORMAL -/etc/cupshelpers NORMAL -/etc/avahi NORMAL +/etc/cups/ NORMAL +/etc/cupshelpers/ NORMAL +/etc/avahi/ NORMAL # web server -/etc/httpd NORMAL +/etc/httpd/ NORMAL # dns -/etc/named NORMAL +/etc/named/ NORMAL /etc/named.conf$ NORMAL /etc/named.iscdlv.key$ NORMAL /etc/named.rfc1912.zones$ NORMAL /etc/named.root.key$ NORMAL # xinetd -/etc/xinetd.conf$ NORMAL -/etc/xinetd.d NORMAL - -# IPsec 
-/etc/ipsec.conf$ NORMAL -/etc/ipsec.secrets$ NORMAL -/etc/ipsec.d NORMAL - -# USBGuard -/etc/usbguard NORMAL - -# Now everything else -/etc PERMS +/etc/xinetd.d/ NORMAL # This gets new/removes-old filenames daily !/var/log/sa @@ -366,7 +340,4 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 #=/home DIR # Ditto /var/log/sa reason... -!/var/log/httpd -# /boot/grub2/grubenv's timestamp is getting modified continuously due to "boot_success" implementation -!/boot/grub2/grubenv - +!/var/log/httpd/ \ No newline at end of file diff --git a/aide.rpmlintrc b/aide.rpmlintrc deleted file mode 100644 index 67d2667..0000000 --- a/aide.rpmlintrc +++ /dev/null @@ -1,15 +0,0 @@ -# RPMlint configuration for aide package -# These warnings are expected and intentional for security reasons - -# AIDE log directory has restricted permissions (700) for security -# Log files may contain sensitive security information -addFilter("aide.* non-standard-dir-perm /var/log/aide 700") - -# AIDE configuration file has restricted permissions (600) for security -# Configuration reveals what files/directories are monitored -addFilter("aide.* non-readable /etc/aide.conf 600") - -# FSF address in COPYING file is outdated - this is an upstream issue -# The license text contains the old FSF address format -addFilter("aide.* incorrect-fsf-address /usr/share/licenses/aide/COPYING") - diff --git a/aide.spec b/aide.spec index 7b1c7a4..9bd36bf 100644 --- a/aide.spec +++ b/aide.spec @@ -1,6 +1,6 @@ Summary: Intrusion detection environment Name: aide -Version: 0.19.2 +Version: 0.19.1 Release: %autorelease URL: https://github.com/aide/aide License: GPL-2.0-or-later diff --git a/sources b/sources index 0b47fd8..d46f6aa 100644 --- a/sources +++ b/sources 
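Review bot: `DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256` spells the hash attribute with an underscore while every other rule in this hunk (`ALLXTRAHASHES`, `CONTENT`) uses `sha256`; as far as I know AIDE defines no `sha_256` attribute, so I would expect the whole config to be rejected at load time, and the line should read `DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256`. The new side also drops `/etc/ld.so.preload$ NORMAL`, leaving that file under the generic `/etc PERMS` rule, which records no checksum, so a change to its contents (a classic persistence vector) would only surface if mode or ownership also changed — I'd keep that line in the glibc linker section. `/var/spool/cron/root/ CONTENT` carries a trailing slash, but on cronie systems root's crontab is the regular file `/var/spool/cron/root`, which that pattern presumably no longer matches; `/var/spool/cron/root$ CONTENT` (or `/var/spool/cron/ CONTENT` to cover every user's crontab) looks like the safer form, and is worth confirming with `aide --config-check` against a populated spool. Similarly, `/etc/security$ NORMAL` anchors on the directory entry itself, so `limits.conf`, `access.conf` and the rest of that directory presumably fall back to `PERMS` with no hash.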
@@ -1,2 +1,2 @@
-SHA512 (aide-0.19.2.tar.gz) = 08506c2302e34794fa08a27caaa1e714ba736d46351c577234f2c3d2623ea82b243b3318061a369a46d6961a782f42fbb8edd42d1d4de6949e7fc30c87865830
-SHA512 (aide-0.19.2.tar.gz.asc) = ebc04f22a49ec6b378dca4930574edcd46919281297bc1d5e09f5839a6fab3a38762462b7d852a82b7045313f9c24208bfff49a561d8afd04e9116be7096169a
+SHA512 (aide-0.19.1.tar.gz) = 5f345458acdc79072b8293ea19a6846f2f7ab2eca36729ff1dc6fe06595a40f46af5aac57c8b02b4d144a4ad649b2a1d7f8e3bb216f0fa3d48a7023abf0029b1
+SHA512 (aide-0.19.1.tar.gz.asc) = d5bb3b8ec7dec229a01ae2e2588cc64caf9eaf2e9a71593c2d43662eb25f0afca9d955de7eeba13ca10dbe09f5b66e3b653ab018aa4c16f0531c368335b5e6de