diff --git a/.gitignore b/.gitignore
index 3d07290..ce1812d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,5 @@ aide-0.14.tar.gz.asc
 /aide-0.18.8.tar.gz.asc
 /aide-0.19.1.tar.gz
 /aide-0.19.1.tar.gz.asc
+/aide-0.19.2.tar.gz
+/aide-0.19.2.tar.gz.asc
diff --git a/aide.conf b/aide.conf
index 7090a46..56ba1da 100644
--- a/aide.conf
+++ b/aide.conf
@@ -112,221 +112,247 @@ report_url=stdout # You can create custom rules like this. # Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost) -# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32+crc32b (old with deprecated/removed) ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512 # Everything but access time (Ie. all changes) - updated with modern hashsums EVERYTHING = R+ALLXTRAHASHES # Base + sha512 (strong) -NORMAL = R+sha512 +NORMAL = R+sha512-m-c -CONTENT = ftype+sha256 +# Content only - added file type and strong hash +CONTENT = ftype+sha512 # For directories, don't bother doing hashes - added file type and link name DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs # Access control only - added file type and link name -PERMS = ftype+p+i+l+u+g+acl+selinux +PERMS = ftype+p+u+g+acl+selinux+xattrs -# Logfile are special, in that they often change -LOG = > +# Logfiles are special, in that they often change due to log rotation +# Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes +# Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques +# Don't track: size, inodes, timestamps, checksums and some special attributes (these change frequently with log rotation) +LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs # Some files get updated automatically, so the inode/ctime/mtime change # but we want to know when the data inside them changes - updated with modern hash -DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256 +DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # Next decide what directories/files you want in the database. 
-/boot/ NORMAL -/bin/ NORMAL -/sbin/ NORMAL -/lib/ NORMAL -/lib64/ NORMAL +/boot NORMAL +/bin NORMAL +/sbin NORMAL +/lib NORMAL +/lib64 NORMAL # Monitor /opt selectively to avoid noise from auto-updating applications -/opt/ CONTENT -/usr/ NORMAL +/opt CONTENT +/usr NORMAL # These are too volatile !/usr/src !/usr/tmp -/root NORMAL # Admins dot files constantly change, just check perms /root/\..* PERMS +!/root/.xauth* +/root NORMAL # Check only permissions, inode, user and group for /etc, but # cover some important files closely. -/etc PERMS !/etc/mtab # Ignore backup files !/etc/.*~ # trusted databases -/etc/hosts$ NORMAL -/etc/host.conf$ NORMAL -/etc/hostname$ NORMAL -/etc/issue$ NORMAL -/etc/issue.net$ NORMAL -/etc/protocols$ NORMAL -/etc/services$ NORMAL -/etc/localtime$ NORMAL -/etc/alternatives/ NORMAL +/etc/hosts$ NORMAL +/etc/host.conf$ NORMAL +/etc/hostname$ NORMAL +/etc/issue$ NORMAL +/etc/issue.net$ NORMAL +/etc/protocols$ NORMAL +/etc/services$ NORMAL +/etc/localtime$ NORMAL +/etc/alternatives NORMAL /etc/mime.types$ NORMAL -/etc/terminfo/ NORMAL -/etc/exports$ NORMAL -/etc/fstab$ NORMAL -/etc/passwd$ NORMAL -/etc/group$ NORMAL -/etc/gshadow$ NORMAL -/etc/shadow$ NORMAL -/etc/security/opasswd$ NORMAL -/etc/skel/ NORMAL +/etc/terminfo NORMAL +/etc/exports$ NORMAL +/etc/fstab$ NORMAL +/etc/passwd$ NORMAL +/etc/group$ NORMAL +/etc/gshadow$ NORMAL +/etc/shadow$ NORMAL +/etc/subgid$ NORMAL +/etc/subuid$ NORMAL +/etc/skel NORMAL +/etc/sssd NORMAL +/etc/swid NORMAL +/etc/system-release-cpe$ NORMAL +/etc/tmux.conf$ NORMAL +/etc/xattr.conf$ NORMAL # networking -/etc/hosts.allow$ NORMAL -/etc/hosts.deny$ NORMAL -/etc/firewalld/ NORMAL -/etc/NetworkManager/ NORMAL +/etc/firewalld NORMAL +!/etc/NetworkManager/system-connections +/etc/NetworkManager NORMAL /etc/networks$ NORMAL -/etc/dhcp/ NORMAL -/etc/wpa_supplicant/ NORMAL +/etc/dhcp NORMAL +/etc/wpa_supplicant NORMAL /etc/resolv.conf$ DATAONLY -/etc/nscd.conf$ NORMAL # logins and accounts /etc/login.defs$ NORMAL 
/etc/libuser.conf$ NORMAL /var/log/faillog$ PERMS /var/log/lastlog$ PERMS -/var/run/faillock/ PERMS -/etc/pam.d/ NORMAL -/etc/security$ NORMAL +/var/run/faillock PERMS +/etc/pam.d NORMAL +/etc/security NORMAL /etc/securetty$ NORMAL -/etc/polkit-1/ NORMAL +/etc/polkit-1 NORMAL /etc/sudo.conf$ NORMAL /etc/sudoers$ NORMAL -/etc/sudoers.d/ NORMAL +/etc/sudoers.d NORMAL # Shell/X starting files /etc/profile$ NORMAL -/etc/profile.d/ NORMAL +/etc/profile.d NORMAL /etc/bashrc$ NORMAL -/etc/bash_completion.d/ NORMAL +/etc/bash_completion.d NORMAL /etc/zprofile$ NORMAL /etc/zshrc$ NORMAL /etc/zlogin$ NORMAL /etc/zlogout$ NORMAL -/etc/X11/ NORMAL +/etc/X11 NORMAL /etc/shells$ NORMAL # Pkg manager -/etc/yum.conf$ NORMAL -/etc/yum/ NORMAL -/etc/yum.repos.d/ NORMAL +/etc/dnf NORMAL +/etc/yum.repos.d NORMAL -/etc/audit/ NORMAL -/etc/audisp/ NORMAL +# auditing +# AIDE produces an audit record, so this becomes perpetual motion. +/var/log/audit PERMS +/etc/audit NORMAL /etc/libaudit.conf$ NORMAL /etc/aide.conf$ NORMAL -# System logs +# System logs with proper logrotate handling /etc/rsyslog.conf$ NORMAL -/etc/rsyslog.d/ NORMAL +/etc/rsyslog.d NORMAL /etc/logrotate.conf$ NORMAL -/etc/logrotate.d/ NORMAL -/var/log/ LOG+ANF+ARF -/var/run/utmp$ LOG +/etc/logrotate.d NORMAL +/etc/systemd/journald.conf$ NORMAL + +# Log directory +/var/log LOG +# Journal files - exclude xattrs and link count due to systemd journal's user.crtime_usec extended attribute changes and new directory creation +/var/log/journal LOG-xattrs-n + + +/var/run/utmp LOG + # secrets -/etc/pkcs11/ NORMAL -/etc/pki/ NORMAL -/etc/ssl/ NORMAL -/etc/certmonger/ NORMAL +/etc/pkcs11 NORMAL +/etc/pki NORMAL +/etc/ssl NORMAL +/etc/certmonger NORMAL +/var/lib/systemd/random-seed$ PERMS # init system -/etc/systemd/ NORMAL -/etc/sysconfig/ NORMAL -/etc/rc.d/ NORMAL -/etc/tmpfiles.d/ NORMAL +/etc/systemd NORMAL +/etc/sysconfig NORMAL +/etc/rc.d NORMAL +/etc/tmpfiles.d NORMAL /etc/machine-id$ NORMAL # boot config -/etc/grub.d/ NORMAL 
+/etc/default NORMAL +/etc/grub.d NORMAL /etc/grub2.cfg$ NORMAL /etc/dracut.conf$ NORMAL -/etc/dracut.conf.d/ NORMAL +/etc/dracut.conf.d NORMAL # glibc linker /etc/ld.so.cache$ NORMAL /etc/ld.so.conf$ NORMAL -/etc/ld.so.conf.d/ NORMAL +/etc/ld.so.conf.d NORMAL +/etc/ld.so.preload$ NORMAL # kernel config /etc/sysctl.conf$ NORMAL -/etc/sysctl.d/ NORMAL -/etc/modprobe.d/ NORMAL -/etc/modules-load.d/ NORMAL -/etc/depmod.d/ NORMAL -/etc/udev/ NORMAL +/etc/sysctl.d NORMAL +/etc/modprobe.d NORMAL +/etc/modules-load.d NORMAL +/etc/depmod.d NORMAL +/etc/udev NORMAL /etc/crypttab$ NORMAL #### Daemons #### # cron jobs -/var/spool/at/ CONTENT +/var/spool/at CONTENT /etc/at.allow$ CONTENT /etc/at.deny$ CONTENT +/etc/anacrontab$ NORMAL /etc/cron.allow$ NORMAL /etc/cron.deny$ NORMAL -/etc/cron.d/ NORMAL -/etc/cron.daily/ NORMAL -/etc/cron.hourly/ NORMAL -/etc/cron.monthly/ NORMAL -/etc/cron.weekly/ NORMAL +/etc/cron.d NORMAL +/etc/cron.daily NORMAL +/etc/cron.hourly NORMAL +/etc/cron.monthly NORMAL +/etc/cron.weekly NORMAL /etc/crontab$ NORMAL -/var/spool/cron/root/ CONTENT -/etc/anacrontab$ NORMAL +/var/spool/cron/root CONTENT # time keeping -/etc/ntp.conf$ NORMAL -/etc/ntp/ NORMAL /etc/chrony.conf$ NORMAL /etc/chrony.keys$ NORMAL # mail /etc/aliases$ NORMAL /etc/aliases.db$ NORMAL -/etc/postfix/ NORMAL -/etc/mail.rc$ NORMAL -/etc/mailcap$ NORMAL +/etc/postfix NORMAL # ssh /etc/ssh/sshd_config$ NORMAL /etc/ssh/ssh_config$ NORMAL # stunnel -/etc/stunnel/ NORMAL +/etc/stunnel NORMAL # ftp -/etc/vsftpd.conf$ CONTENT -/etc/vsftpd/ CONTENT +/etc/vsftpd CONTENT # printing -/etc/cups/ NORMAL -/etc/cupshelpers/ NORMAL -/etc/avahi/ NORMAL +/etc/cups NORMAL +/etc/cupshelpers NORMAL +/etc/avahi NORMAL # web server -/etc/httpd/ NORMAL +/etc/httpd NORMAL # dns -/etc/named/ NORMAL +/etc/named NORMAL /etc/named.conf$ NORMAL /etc/named.iscdlv.key$ NORMAL /etc/named.rfc1912.zones$ NORMAL /etc/named.root.key$ NORMAL # xinetd -/etc/xinetd.d/ NORMAL +/etc/xinetd.conf$ NORMAL +/etc/xinetd.d NORMAL + 
+# IPsec +/etc/ipsec.conf$ NORMAL +/etc/ipsec.secrets$ NORMAL +/etc/ipsec.d NORMAL + +# USBGuard +/etc/usbguard NORMAL + +# Now everything else +/etc PERMS # This gets new/removes-old filenames daily !/var/log/sa @@ -340,4 +366,7 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256 #=/home DIR # Ditto /var/log/sa reason... -!/var/log/httpd/ \ No newline at end of file +!/var/log/httpd +# /boot/grub2/grubenv's timestamp is getting modified continuously due to "boot_success" implementation +!/boot/grub2/grubenv + diff --git a/aide.rpmlintrc b/aide.rpmlintrc new file mode 100644 index 0000000..67d2667 --- /dev/null +++ b/aide.rpmlintrc @@ -0,0 +1,15 @@ +# RPMlint configuration for aide package +# These warnings are expected and intentional for security reasons + +# AIDE log directory has restricted permissions (700) for security +# Log files may contain sensitive security information +addFilter("aide.* non-standard-dir-perm /var/log/aide 700") + +# AIDE configuration file has restricted permissions (600) for security +# Configuration reveals what files/directories are monitored +addFilter("aide.* non-readable /etc/aide.conf 600") + +# FSF address in COPYING file is outdated - this is an upstream issue +# The license text contains the old FSF address format +addFilter("aide.* incorrect-fsf-address /usr/share/licenses/aide/COPYING") + diff --git a/aide.spec b/aide.spec index 9bd36bf..7b1c7a4 100644 --- a/aide.spec +++ b/aide.spec @@ -1,6 +1,6 @@ Summary: Intrusion detection environment Name: aide -Version: 0.19.1 +Version: 0.19.2 Release: %autorelease URL: https://github.com/aide/aide License: GPL-2.0-or-later diff --git a/sources b/sources index d46f6aa..0b47fd8 100644 --- a/sources +++ b/sources 
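Review bot: The new `LOG` rule drops `s` and the old `>` growing-file semantics, so a log under `/var/log` that is truncated or edited in place is no longer reported at all; only p/ftype/u/g/n/selinux/xattrs plus new and removed files are checked, which is precisely the gap left open when someone clears traces from a log. If that trade-off is intended for rotation tolerance, the comment block above `LOG` should state it outright, e.g. `# NOTE: content changes and truncation of logs are NOT detected by this rule`; otherwise AIDE's growing-size attribute `S` would still flag a shrinking file while tolerating append-only growth. Two comments in this hunk are now stale: `# Access control only - added file type and link name` above `PERMS`, although `l` (and `i`) were just removed from it, and `# Base + sha512 (strong)` above `NORMAL`, which now also subtracts `m` and `c`. `!/root/.xauth*` mixes regex and glob syntax: AIDE selection lines are regular expressions anchored at the start of the path, so the unescaped `.` and the `h*` make this effectively `!/root/.xaut`; the neighbouring `/root/\..* PERMS` shows the intended form, `!/root/\.xauth.*`.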
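Review bot: `!/boot/grub2/grubenv` removes the file from the database entirely, so a change to its ownership, mode or SELinux context is silenced along with the `boot_success` timestamp churn the comment describes, and on grub2 builds that keep boot variables in this file that is a loss worth avoiding. A narrower line, `/boot/grub2/grubenv$ PERMS`, keeps the metadata checks while ignoring the timestamp noise; the `/boot NORMAL` line it would refine is in the earlier hunk of this file, not this one.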
@@ -1,2 +1,2 @@
-SHA512 (aide-0.19.1.tar.gz) = 5f345458acdc79072b8293ea19a6846f2f7ab2eca36729ff1dc6fe06595a40f46af5aac57c8b02b4d144a4ad649b2a1d7f8e3bb216f0fa3d48a7023abf0029b1
-SHA512 (aide-0.19.1.tar.gz.asc) = d5bb3b8ec7dec229a01ae2e2588cc64caf9eaf2e9a71593c2d43662eb25f0afca9d955de7eeba13ca10dbe09f5b66e3b653ab018aa4c16f0531c368335b5e6de
+SHA512 (aide-0.19.2.tar.gz) = 08506c2302e34794fa08a27caaa1e714ba736d46351c577234f2c3d2623ea82b243b3318061a369a46d6961a782f42fbb8edd42d1d4de6949e7fc30c87865830
+SHA512 (aide-0.19.2.tar.gz.asc) = ebc04f22a49ec6b378dca4930574edcd46919281297bc1d5e09f5839a6fab3a38762462b7d852a82b7045313f9c24208bfff49a561d8afd04e9116be7096169a