diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/.gitignore b/.gitignore
index 945a894..ce1812d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,11 @@ aide-0.14.tar.gz.asc
 /aide-0.16b1.tar.gz
 /aide-0.16rc1.tar.gz
 /aide-0.16.tar.gz
+/aide-0.18.4.tar.gz
+/aide-0.18.6.tar.gz
+/aide-0.18.8.tar.gz
+/aide-0.18.8.tar.gz.asc
+/aide-0.19.1.tar.gz
+/aide-0.19.1.tar.gz.asc
+/aide-0.19.2.tar.gz
+/aide-0.19.2.tar.gz.asc
diff --git a/aide-0.15-syslog-format.patch b/aide-0.15-syslog-format.patch
deleted file mode 100644
index 0361434..0000000
--- a/aide-0.15-syslog-format.patch
+++ /dev/null
@@ -1,496 +0,0 @@ -diff -up ./doc/aide.conf.5.in.syslog_format ./doc/aide.conf.5.in ---- ./doc/aide.conf.5.in.syslog_format 2016-07-25 22:58:12.000000000 +0200 -+++ ./doc/aide.conf.5.in 2018-09-27 19:09:09.697371212 +0200 -@@ -57,6 +57,25 @@ inclusive. This parameter can only be gi - occurrence is used. If \-\-verbose or \-V is used then the value from that - is used. The default is 5. If verbosity is 20 then additional report - output is written when doing \-\-check, \-\-update or \-\-compare. -+.IP "syslog_format" -+Valid values are yes,true,no and false. This option enables new syslog format -+which is suitable for logging. Every change is logged as one simple line. This option -+changes verbose level to 0 and prints everything that was changed. It is suggested -+to use this option with "report_url=syslog:...". Default value is "false/no". -+Maximum size of message is 1KB which is limitation of syslog call. If message is -+greater than limit, message will be truncated. -+Option summarize_changes has no impact for this format. -+.nf -+.eo -+ -+Output always starts with: -+"AIDE found differences between database and filesystem!!" -+And it is followed by summary: -+summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1 -+And finally there are logs about changes: -+dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;... -+.ec -+.fi - .IP "report_url" - The url that the output is written to. There can be multiple instances - of this parameter. Output is written to all of them. 
The default is -diff -up ./include/db_config.h.syslog_format ./include/db_config.h ---- ./include/db_config.h.syslog_format 2016-07-25 22:56:55.000000000 +0200 -+++ ./include/db_config.h 2018-09-27 19:09:09.697371212 +0200 -@@ -311,6 +311,7 @@ typedef struct db_config { - FILE* db_out; - - int config_check; -+ int syslog_format; - - struct md_container *mdc_in; - struct md_container *mdc_out; -diff -up ./src/aide.c.syslog_format ./src/aide.c ---- ./src/aide.c.syslog_format 2018-09-27 19:09:09.695371197 +0200 -+++ ./src/aide.c 2018-09-27 19:09:09.698371220 +0200 -@@ -283,6 +283,7 @@ static void setdefaults_before_config() - } - - /* Setting some defaults */ -+ conf->syslog_format=0; - conf->report_db=0; - conf->tree=NULL; - conf->config_check=0; -@@ -495,6 +496,10 @@ static void setdefaults_after_config() - if(conf->verbose_level==-1){ - conf->verbose_level=5; - } -+ if(conf->syslog_format==1){ -+ conf->verbose_level=0; -+ } -+ - } - - -diff -up ./src/compare_db.c.syslog_format ./src/compare_db.c ---- ./src/compare_db.c.syslog_format 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/compare_db.c 2018-09-27 19:09:09.698371220 +0200 -@@ -110,7 +110,7 @@ const DB_ATTR_TYPE details_attributes[] - #endif - }; - --const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size (>)"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512") -+const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512") - #ifdef WITH_MHASH - , _("CRC32"), _("HAVAL"), _("GOST"), _("CRC32B"), _("WHIRLPOOL") - #endif -@@ -269,12 +269,19 @@ static int xattrs2array(xattrs_type* xat - if ((len == xattrs->ents[num - 1].vsz) || ((len == (xattrs->ents[num - 1].vsz - 
1)) && !val[len])) { - length = 8 + width + strlen(xattrs->ents[num - 1].key) + strlen(val); - (*values)[num]=malloc(length *sizeof(char)); -- snprintf((*values)[num], length , "[%.*zd] %s = %s", width, num, xattrs->ents[num - 1].key, val); -+ -+ char * fmt = "[%.*zd] %s = %s"; -+ if (conf->syslog_format) fmt = "[%.*zd]%s=%s"; // its smaller so it has to be enough space allocated. -+ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val); -+ - } else { - val = encode_base64(xattrs->ents[num - 1].val, xattrs->ents[num - 1].vsz); - length = 10 + width + strlen(xattrs->ents[num - 1].key) + strlen(val); - (*values)[num]=malloc( length *sizeof(char)); -- snprintf((*values)[num], length , "[%.*zd] %s <=> %s", width, num, xattrs->ents[num - 1].key, val); -+ -+ char * fmt = "[%.*zd] %s <=> %s"; -+ if (conf->syslog_format) fmt = "[%.*zd]%s<=>%s"; // its smaller so it has to be enough space allocated. -+ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val); - free(val); - } - } -@@ -302,6 +309,26 @@ static int acl2array(acl_type* acl, char - } - if (acl->acl_a || acl->acl_d) { - int j, k, i; -+ if (conf->syslog_format) { -+ *values = malloc(2 * sizeof(char*)); -+ -+ char *A, *D = ""; -+ -+ if (acl->acl_a) { A = acl->acl_a; } -+ if (acl->acl_d) { D = acl->acl_d; } -+ -+ (*values)[0] = (char*) malloc(strlen(A) + 3); // "A:" and \0 -+ snprintf((*values)[0], strlen(A) + 3, "A:%s", A); -+ -+ (*values)[1] = (char*) malloc(strlen(D) + 3); // "D:" and \0 -+ snprintf((*values)[1], strlen(D) + 3, "D:%s", D); -+ -+ i = 0; while ( (*values)[0][i] ) { if ( (*values)[0][i]=='\n') { (*values)[0][i] = ' '; } i++; } -+ i = 0; while ( (*values)[1][i] ) { if ( (*values)[1][i]=='\n') { (*values)[1][i] = ' '; } i++; } -+ -+ return 2; -+ } -+ - if (acl->acl_a) { i = 0; while (acl->acl_a[i]) { if (acl->acl_a[i++]=='\n') { n++; } } } - if (acl->acl_d) { i = 0; while (acl->acl_d[i]) { if (acl->acl_d[i++]=='\n') { n++; } } } - *values = 
malloc(n * sizeof(char*)); -@@ -338,25 +365,25 @@ static char* e2fsattrs2string(unsigned l - - static char* get_file_type_string(mode_t mode) { - switch (mode & S_IFMT) { -- case S_IFREG: return _("File"); -- case S_IFDIR: return _("Directory"); -+ case S_IFREG: return conf->syslog_format ? "file" : _("File"); -+ case S_IFDIR: return conf->syslog_format ? "dir" : _("Directory"); - #ifdef S_IFIFO -- case S_IFIFO: return _("FIFO"); -+ case S_IFIFO: return conf->syslog_format ? "fifo" : _("FIFO"); - #endif -- case S_IFLNK: return _("Link"); -- case S_IFBLK: return _("Block device"); -- case S_IFCHR: return _("Character device"); -+ case S_IFLNK: return conf->syslog_format ? "link" : _("Link"); -+ case S_IFBLK: return conf->syslog_format ? "blockd" : _("Block device"); -+ case S_IFCHR: return conf->syslog_format ? "chard" : _("Character device"); - #ifdef S_IFSOCK -- case S_IFSOCK: return _("Socket"); -+ case S_IFSOCK: return conf->syslog_format ? "socket" : _("Socket"); - #endif - #ifdef S_IFDOOR -- case S_IFDOOR: return _("Door"); -+ case S_IFDOOR: return conf->syslog_format ? "door" : _("Door"); - #endif - #ifdef S_IFPORT -- case S_IFPORT: return _("Port"); -+ case S_IFPORT: return conf->syslog_format ? "port" : _("Port"); - #endif - case 0: return NULL; -- default: return _("Unknown file type"); -+ default: return conf->syslog_format ? 
"unknown" : _("Unknown file type"); - } - } - -@@ -554,6 +581,51 @@ static void print_dbline_attributes(db_l - } - } - -+ -+static void print_dbline_attributes_syslog(db_line* oline, db_line* nline, DB_ATTR_TYPE -+ changed_attrs, DB_ATTR_TYPE force_attrs) { -+ char **ovalue, **nvalue; -+ int onumber, nnumber, i, j; -+ int length = sizeof(details_attributes)/sizeof(DB_ATTR_TYPE); -+ DB_ATTR_TYPE attrs; -+ char *file_type = get_file_type_string((nline==NULL?oline:nline)->perm); -+ if (file_type) { -+ error(0,"%s=", file_type); -+ } -+ error(0,"%s", (nline==NULL?oline:nline)->filename); -+ attrs=force_attrs|(~(ignored_changed_attrs)&changed_attrs); -+ for (j=0; j < length; ++j) { -+ if (details_attributes[j]&attrs) { -+ onumber=get_attribute_values(details_attributes[j], oline, &ovalue); -+ nnumber=get_attribute_values(details_attributes[j], nline, &nvalue); -+ -+ if (details_attributes[j] == DB_ACL || details_attributes[j] == DB_XATTRS) { -+ -+ error(0, ";%s_old=|", details_string[j]); -+ -+ for (i = 0 ; i < onumber ; i++) { -+ error(0, "%s|", ovalue[i]); -+ } -+ -+ error(0, ";%s_new=|", details_string[j]); -+ -+ for (i = 0 ; i < nnumber ; i++) { -+ error(0, "%s|", nvalue[i]); -+ } -+ -+ } else { -+ -+ error(0, ";%s_old=%s;%s_new=%s", details_string[j], *ovalue, details_string[j], *nvalue); -+ -+ } -+ -+ for(i=0; i < onumber; ++i) { free(ovalue[i]); ovalue[i]=NULL; } free(ovalue); ovalue=NULL; -+ for(i=0; i < nnumber; ++i) { free(nvalue[i]); nvalue[i]=NULL; } free(nvalue); nvalue=NULL; -+ } -+ } -+ error(0, "\n"); -+} -+ - static void print_attributes_added_node(db_line* line) { - print_dbline_attributes(NULL, line, 0, line->attr); - } -@@ -562,6 +634,26 @@ static void print_attributes_removed_nod - print_dbline_attributes(line, NULL, 0, line->attr); - } - -+static void print_attributes_added_node_syslog(db_line* line) { -+ -+ char *file_type = get_file_type_string(line->perm); -+ if (file_type) { -+ error(0,"%s=", file_type); -+ } -+ error(0,"%s; added\n", 
line->filename); -+ -+} -+ -+static void print_attributes_removed_node_syslog(db_line* line) { -+ -+ char *file_type = get_file_type_string(line->perm); -+ if (file_type) { -+ error(0,"%s=", file_type); -+ } -+ error(0,"%s; removed\n", line->filename); -+ -+} -+ - static void terse_report(seltree* node) { - list* r=NULL; - if ((node->checked&(DB_OLD|DB_NEW)) != 0) { -@@ -626,6 +718,26 @@ static void print_report_details(seltree - } - } - -+static void print_syslog_format(seltree* node) { -+ list* r=NULL; -+ -+ if (node->checked&NODE_CHANGED) { -+ print_dbline_attributes_syslog(node->old_data, node->new_data, node->changed_attrs, forced_attrs); -+ } -+ -+ if (node->checked&NODE_ADDED) { -+ print_attributes_added_node_syslog(node->new_data); -+ } -+ -+ if (node->checked&NODE_REMOVED) { -+ print_attributes_removed_node_syslog(node->old_data); -+ } -+ -+ for(r=node->childs;r;r=r->next){ -+ print_syslog_format((seltree*)r->data); -+ } -+} -+ - static void print_report_header() { - char *time; - int first = 1; -@@ -747,39 +859,53 @@ int gen_report(seltree* node) { - send_audit_report(); - #endif - if ((nadd|nrem|nchg) > 0 || conf->report_quiet == 0) { -- print_report_header(); -- if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) { -- if (conf->grouped) { -- if (nadd) { -- error(2,(char*)report_top_format,_("Added entries")); -- print_report_list(node, NODE_ADDED); -- } -- if (nrem) { -- error(2,(char*)report_top_format,_("Removed entries")); -- print_report_list(node, NODE_REMOVED); -- } -- if (nchg) { -- error(2,(char*)report_top_format,_("Changed entries")); -- print_report_list(node, NODE_CHANGED); -- } -- } else if (nadd || nrem || nchg) { -- if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); } -- else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); } -- else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed 
entries")); } -- else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); } -- else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); } -- else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); } -- else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); } -- print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED); -- } -- if (nadd || nrem || nchg) { -- error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes")); -- print_report_details(node); -- } -- } -- print_report_databases(); -- conf->end_time=time(&(conf->end_time)); -- print_report_footer(); -+ -+ if (!conf->syslog_format) { -+ print_report_header(); -+ } -+ -+ if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) { -+ if (!conf->syslog_format && conf->grouped) { -+ if (nadd) { -+ error(2,(char*)report_top_format,_("Added entries")); -+ print_report_list(node, NODE_ADDED); -+ } -+ if (nrem) { -+ error(2,(char*)report_top_format,_("Removed entries")); -+ print_report_list(node, NODE_REMOVED); -+ } -+ if (nchg) { -+ error(2,(char*)report_top_format,_("Changed entries")); -+ print_report_list(node, NODE_CHANGED); -+ } -+ } else if (!conf->syslog_format && ( nadd || nrem || nchg ) ) { -+ if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); } -+ else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); } -+ else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); } -+ else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); } -+ else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); } -+ else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); } -+ else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); } -+ print_report_list(node, 
NODE_ADDED|NODE_REMOVED|NODE_CHANGED); -+ } -+ if (nadd || nrem || nchg) { -+ if (!conf->syslog_format) { -+ error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes")); -+ print_report_details(node); -+ } else { -+ /* Syslog Format */ -+ error(0, "AIDE found differences between database and filesystem!!\n"); -+ error(0, "summary;total_number_of_files=%ld;added_files=%ld;" -+ "removed_files=%ld;changed_files=%ld\n",ntotal,nadd,nrem,nchg); -+ print_syslog_format(node); -+ } -+ } -+ } -+ if (!conf->syslog_format) { -+ print_report_databases(); -+ conf->end_time=time(&(conf->end_time)); -+ print_report_footer(); -+ } - } - - return conf->action&(DO_COMPARE|DO_DIFF) ? (nadd!=0)*1+(nrem!=0)*2+(nchg!=0)*4 : 0; -diff -up ./src/conf_lex.l.syslog_format ./src/conf_lex.l ---- ./src/conf_lex.l.syslog_format 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/conf_lex.l 2018-09-27 19:09:09.698371220 +0200 -@@ -401,6 +401,12 @@ int var_in_conflval=0; - return (TROOT_PREFIX); - } - -+^[\t\ ]*"syslog_format"{E} { -+ error(230,"%li:syslog_format =\n",conf_lineno); -+ BEGIN CONFVALHUNT; -+ return (SYSLOG_FORMAT); -+} -+ - ^[\t\ ]*"recstop"{E} { - error(230,"%li:recstop =\n",conf_lineno); - BEGIN CONFVALHUNT; -diff -up ./src/conf_yacc.y.syslog_format ./src/conf_yacc.y ---- ./src/conf_yacc.y.syslog_format 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/conf_yacc.y 2018-09-27 19:09:09.699371228 +0200 -@@ -89,6 +89,7 @@ extern long conf_lineno; - %token TREPORT_URL - %token TGZIPDBOUT - %token TROOT_PREFIX -+%token SYSLOG_FORMAT - %token TUMASK - %token TTRUE - %token TFALSE -@@ -160,7 +161,7 @@ line : rule | equrule | negrule | define - | ifdefstmt | ifndefstmt | ifhoststmt | ifnhoststmt - | groupdef | db_in | db_out | db_new | db_attrs | verbose | report_detailed_init | config_version - | database_add_metadata | report | gzipdbout | root_prefix | report_base16 | report_quiet -- | report_ignore_e2fsattrs | recursion_stopper | warn_dead_symlinks | grouped -+ | 
report_ignore_e2fsattrs | syslogformat | recursion_stopper | warn_dead_symlinks | grouped - | summarize_changes | acl_no_symlink_follow | beginconfigstmt | endconfigstmt - | TEOF { - newlinelastinconfig=1; -@@ -408,6 +409,15 @@ conf->gzip_dbout=0; - #endif - } ; - -+syslogformat : SYSLOG_FORMAT TTRUE { -+conf->syslog_format=1; -+} | -+ SYSLOG_FORMAT TFALSE { -+conf->syslog_format=0; -+} ; -+ -+ -+ - recursion_stopper : TRECSTOP TSTRING { - /* FIXME implement me */ - -diff -up ./src/error.c.syslog_format ./src/error.c ---- ./src/error.c.syslog_format 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/error.c 2018-09-27 19:13:40.312416750 +0200 -@@ -38,6 +38,9 @@ - /*for locale support*/ - #include "util.h" - -+#define MAX_BUFFER_SIZE 1024 -+static char syslog_buffer[MAX_BUFFER_SIZE+1]; -+ - int cmp_url(url_t* url1,url_t* url2){ - - return ((url1->type==url2->type)&&(strcmp(url1->value,url2->value)==0)); -@@ -48,7 +51,9 @@ int error_init(url_t* url,int initial) - { - list* r=NULL; - FILE* fh=NULL; -- int sfac; -+ int sfac; -+ -+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1); - - if (url->type==url_database) { - conf->report_db++; -@@ -163,13 +168,24 @@ void error(int errorlevel,char* error_ms - } - #ifdef HAVE_SYSLOG - if(conf->initial_report_url->type==url_syslog){ --#ifdef HAVE_VSYSLOG -- vsyslog(SYSLOG_PRIORITY,error_msg,ap); --#else -- char buf[1024]; -- vsnprintf(buf,1024,error_msg,ap); -- syslog(SYSLOG_PRIORITY,"%s",buf); --#endif -+ -+ char buff[MAX_BUFFER_SIZE+1]; -+ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap); -+ size_t buff_len = strlen(buff); -+ -+ char result_buff[MAX_BUFFER_SIZE+1]; -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wformat-truncation" -+ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff); -+#pragma GCC diagnostic pop -+ -+ if(buff[buff_len-1] == '\n'){ -+ syslog(SYSLOG_PRIORITY,"%s",result_buff); -+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1); -+ } else { -+ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE); 
-+ } -+ - va_end(ap); - return; - } -@@ -181,17 +197,25 @@ void error(int errorlevel,char* error_ms - - #ifdef HAVE_SYSLOG - if (conf->report_syslog!=0) { --#ifdef HAVE_VSYSLOG -- va_start(ap,error_msg); -- vsyslog(SYSLOG_PRIORITY,error_msg,ap); -- va_end(ap); --#else -- char buf[1024]; -- va_start(ap,error_msg); -- vsnprintf(buf,1024,error_msg,ap); -+ va_start(ap, error_msg); -+ -+ char buff[MAX_BUFFER_SIZE+1]; -+ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap); -+ size_t buff_len = strlen(buff); -+ -+ char result_buff[MAX_BUFFER_SIZE+1]; -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wformat-truncation" -+ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff); -+#pragma GCC diagnostic pop -+ -+ if(buff[buff_len-1] == '\n'){ -+ syslog(SYSLOG_PRIORITY,"%s",result_buff); -+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1); -+ } else { -+ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE); -+ } - va_end(ap); -- syslog(SYSLOG_PRIORITY,"%s",buf); --#endif - } - #endif - diff --git a/aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch b/aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch deleted file mode 100644 index 0c4fc17..0000000 --- a/aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From c7caa6027c92b28aa11b8da74d56357e12f56d67 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20Kope=C4=8Dek?= -Date: Wed, 20 Feb 2019 12:00:56 +0100 -Subject: [PATCH] Use LDADD for adding curl library to the linker command - ---- - Makefile.am | 2 +- - configure.ac | 5 +++-- - 2 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/Makefile.am b/Makefile.am -index 4b05d7a..1541d56 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -55,7 +55,7 @@ if USE_CURL - aide_SOURCES += include/fopen.h src/fopen.c - endif - --aide_LDADD = -lm @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@ -+aide_LDADD = -lm @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@ @CURLLIB@ - AM_CFLAGS = @AIDE_DEFS@ -W -Wall -g - AM_CPPFLAGS = -I$(top_srcdir) \ - -I$(top_srcdir)/include \ -diff --git a/configure.ac b/configure.ac -index 3598ebe..0418c59 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -702,24 +702,25 @@ if test x$with_zlib = xyes; then - compoptionstring="${compoptionstring}WITH_ZLIB\\n" - fi - -+CURLLIB= - if test x$with_curl = xyes; then - AC_PATH_PROG(curlconfig, "curl-config") - if test "_$curlconfig" != _ ; then - CURL_CFLAGS=`$curlconfig --cflags` -- CURL_LIBS=`$curlconfig --libs` -+ CURLLIB=`$curlconfig --libs` - else - AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.]) - fi - AC_CHECK_HEADERS(curl/curl.h,, - [AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])]) - CFLAGS="$CFLAGS $CURL_CFLAGS" -- LDFLAGS="$LDFLAGS $CURL_LIBS" - AC_CHECK_LIB(curl,curl_easy_init,havecurl=yes, - [AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])] - ) - AC_DEFINE(WITH_CURL,1,[use curl]) - compoptionstring="${compoptionstring}WITH_CURL\\n" - fi -+AC_SUBST(CURLLIB) - AM_CONDITIONAL(USE_CURL, test x$havecurl = xyes) - - AC_ARG_WITH(mhash, --- -2.20.1 - 
diff --git a/aide-0.16-crash-elf.patch b/aide-0.16-crash-elf.patch deleted file mode 100644 index 5aa3472..0000000 --- a/aide-0.16-crash-elf.patch +++ /dev/null @@ -1,17 +0,0 @@ ---- ./src/do_md.c 2018-03-19 05:10:19.994957024 -0400 -+++ ./src/do_md.c 2018-03-19 05:19:05.829957024 -0400 -@@ -135,8 +135,13 @@ - continue; - - while (!bingo && (data = elf_getdata (scn, data)) != NULL) { -- int maxndx = data->d_size / shdr.sh_entsize; -+ int maxndx; - int ndx; -+ -+ if (shdr.sh_entsize != 0) -+ maxndx = data->d_size / shdr.sh_entsize; -+ else -+ continue; - - for (ndx = 0; ndx < maxndx; ++ndx) { - (void) gelf_getdyn (data, ndx, &dyn); diff --git a/aide-0.16-crypto-disable-haval-and-others.patch b/aide-0.16-crypto-disable-haval-and-others.patch deleted file mode 100644 index a066fd9..0000000 --- a/aide-0.16-crypto-disable-haval-and-others.patch +++ /dev/null 
@@ -1,153 +0,0 @@ -diff -up ./include/md.h.crypto ./include/md.h ---- ./include/md.h.crypto 2016-07-25 22:56:55.000000000 +0200 -+++ ./include/md.h 2018-08-29 15:00:30.827491299 +0200 -@@ -149,6 +149,7 @@ int init_md(struct md_container*); - int update_md(struct md_container*,void*,ssize_t); - int close_md(struct md_container*); - void md2line(struct md_container*,struct db_line*); -+DB_ATTR_TYPE get_available_crypto(); - - - #endif /*_MD_H_INCLUDED*/ -diff -up ./src/aide.c.crypto ./src/aide.c ---- ./src/aide.c.crypto 2018-08-29 15:00:30.825491309 +0200 -+++ ./src/aide.c 2018-08-29 15:00:30.827491299 +0200 -@@ -349,7 +349,7 @@ static void setdefaults_before_config() - - conf->db_attrs = 0; - #if defined(WITH_MHASH) || defined(WITH_GCRYPT) -- conf->db_attrs |= DB_MD5|DB_TIGER|DB_HAVAL|DB_CRC32|DB_SHA1|DB_RMD160|DB_SHA256|DB_SHA512; -+ conf->db_attrs |= get_available_crypto(); - #ifdef WITH_MHASH - conf->db_attrs |= DB_GOST; - #ifdef HAVE_MHASH_WHIRLPOOL -diff -up ./src/md.c.crypto ./src/md.c ---- ./src/md.c.crypto 2018-08-29 15:00:30.823491319 +0200 -+++ ./src/md.c 2018-08-29 15:02:28.013903479 +0200 -@@ -78,6 +78,49 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) { - return r; - } - -+const char * hash_gcrypt2str(int i) { -+ char * r = "?"; -+#ifdef WITH_GCRYPT -+ switch (i) { -+ case GCRY_MD_MD5: { -+ r = "MD5"; -+ break; -+ } -+ case GCRY_MD_SHA1: { -+ r = "SHA1"; -+ break; -+ } -+ case GCRY_MD_RMD160: { -+ r = "RMD160"; -+ break; -+ } -+ case GCRY_MD_TIGER: { -+ r = "TIGER"; -+ break; -+ } -+ case GCRY_MD_HAVAL: { -+ r = "HAVAL"; -+ break; -+ } -+ case GCRY_MD_SHA256: { -+ r = "SHA256"; -+ break; -+ } -+ case GCRY_MD_SHA512: { -+ r = "SHA512"; -+ break; -+ } -+ case GCRY_MD_CRC32: { -+ r = "CRC32"; -+ break; -+ } -+ default: -+ break; -+ } -+#endif -+ return r; -+} -+ - DB_ATTR_TYPE hash_mhash2attr(int i) { - DB_ATTR_TYPE r=0; - #ifdef WITH_MHASH -@@ -163,6 +206,44 @@ DB_ATTR_TYPE hash_mhash2attr(int i) { - Initialise md_container according it's todo_attr field - */ - 
-+DB_ATTR_TYPE get_available_crypto() { -+ -+ DB_ATTR_TYPE ret = 0; -+ -+/* -+ * This function is usually called before config processing -+ * and default verbose level is 5 -+ */ -+#define lvl 255 -+ -+ error(lvl, "get_available_crypto called\n"); -+ -+#ifdef WITH_GCRYPT -+ -+ /* -+ * some initialization for FIPS -+ */ -+ gcry_check_version(NULL); -+ error(lvl, "Found algos:"); -+ -+ for(int i=0;i<=HASH_GCRYPT_COUNT;i++) { -+ -+ if ( (hash_gcrypt2attr(i) & HASH_USE_GCRYPT) == 0 ) -+ continue; -+ -+ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) == 0) { -+ ret |= hash_gcrypt2attr(i); -+ error(lvl, " %s", hash_gcrypt2str(i)); -+ } -+ } -+ error(lvl, "\n"); -+ -+#endif -+ -+ error(lvl, "get_available_crypto_returned with %lld\n", ret); -+ return ret; -+} -+ - int init_md(struct md_container* md) { - - int i; -@@ -201,18 +282,27 @@ int init_md(struct md_container* md) { - } - #endif - #ifdef WITH_GCRYPT -- if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){ -+ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){ - error(0,"gcrypt_md_open failed\n"); - exit(IO_ERROR); - } - for(i=0;i<=HASH_GCRYPT_COUNT;i++) { -+ -+ - if (((hash_gcrypt2attr(i)&HASH_USE_GCRYPT)&md->todo_attr)!=0) { -- DB_ATTR_TYPE h=hash_gcrypt2attr(i); -- error(255,"inserting %llu\n",h); -+ -+ DB_ATTR_TYPE h=hash_gcrypt2attr(i); -+ -+ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) != 0) { -+ error(0,"Algo %s is not available\n", hash_gcrypt2str(i)); -+ exit(-1); -+ } -+ -+ error(255,"inserting %llu\n",h); - if(gcry_md_enable(md->mdh,i)==GPG_ERR_NO_ERROR){ - md->calc_attr|=h; - } else { -- error(0,"gcry_md_enable %i failed",i); -+ error(0,"gcry_md_enable %i failed\n",i); - md->todo_attr&=~h; - } - } diff --git a/aide-0.16b1-fipsfix.patch b/aide-0.16b1-fipsfix.patch deleted file mode 100644 index 434d74e..0000000 --- a/aide-0.16b1-fipsfix.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -diff -up ./src/aide.c.orig ./aide-0.16b1/src/aide.c ---- ./src/aide.c.orig 2016-07-12 11:10:08.013158385 +0200 -+++ ./src/aide.c 2016-07-12 11:30:54.867833064 +0200 -@@ -511,9 +511,28 @@ int main(int argc,char**argv) - #endif - umask(0177); - init_sighandler(); -- - setdefaults_before_config(); - -+#if WITH_GCRYPT -+ error(255,"Gcrypt library initialization\n"); -+ /* -+ * Initialize libgcrypt as per -+ * http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html -+ * -+ * -+ */ -+ gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0); -+ gcry_control(GCRYCTL_INIT_SECMEM, 1); -+ -+ if(!gcry_check_version(GCRYPT_VERSION)) { -+ error(0,"libgcrypt version mismatch\n"); -+ exit(VERSION_MISMATCH_ERROR); -+ } -+ -+ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); -+#endif /* WITH_GCRYPT */ -+ -+ - if(read_param(argc,argv)==RETFAIL){ - error(0, _("Invalid argument\n") ); - exit(INVALID_ARGUMENT_ERROR); -@@ -646,6 +665,9 @@ int main(int argc,char**argv) - } - #endif - } -+#ifdef WITH_GCRYPT -+ gcry_control(GCRYCTL_TERM_SECMEM, 0); -+#endif /* WITH_GCRYPT */ - return RETOK; - } - const char* aide_key_3=CONFHMACKEY_03; -diff -up ./src/md.c.orig ./aide-0.16b1/src/md.c ---- ./src/md.c.orig 2016-04-15 23:30:16.000000000 +0200 -+++ ./src/md.c 2016-07-12 11:35:04.007675329 +0200 -@@ -201,14 +201,7 @@ int init_md(struct md_container* md) { - } - #endif - #ifdef WITH_GCRYPT -- error(255,"Gcrypt library initialization\n"); -- if(!gcry_check_version(GCRYPT_VERSION)) { -- error(0,"libgcrypt version mismatch\n"); -- exit(VERSION_MISMATCH_ERROR); -- } -- gcry_control(GCRYCTL_DISABLE_SECMEM, 0); -- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); -- if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){ -+ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){ - error(0,"gcrypt_md_open failed\n"); - exit(IO_ERROR); - } -@@ -299,7 +292,7 @@ int close_md(struct md_container* md) { - - /*. There might be more hashes in the library. 
Add those here.. */ - -- gcry_md_reset(md->mdh); -+ gcry_md_close(md->mdh); - #endif - - #ifdef WITH_MHASH -diff -up ./src/util.c.orig ./aide-0.16b1/src/util.c ---- ./src/util.c.orig 2016-07-12 11:39:17.023437355 +0200 -+++ ./src/util.c 2016-07-12 11:39:51.618721157 +0200 -@@ -519,28 +519,5 @@ int syslog_facility_lookup(char *s) - return(AIDE_SYSLOG_FACILITY); - } - --/* We need these dummy stubs to fool the linker into believing that -- we do not need them at link time */ -- --void* dlopen(char*filename,int flag) --{ -- return NULL; --} -- --void* dlsym(void*handle,char*symbol) --{ -- return NULL; --} -- --void* dlclose(void*handle) --{ -- return NULL; --} -- --const char* dlerror(void) --{ -- return NULL; --} -- - const char* aide_key_2=CONFHMACKEY_02; - const char* db_key_2=DBHMACKEY_02; diff --git a/aide-0.16rc1-man.patch b/aide-0.16rc1-man.patch deleted file mode 100644 index 4715552..0000000 --- a/aide-0.16rc1-man.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up ./doc/aide.1.in.orig ./doc/aide.1.in ---- ./doc/aide.1.in.orig 2016-07-12 16:10:01.724595895 +0200 -+++ ./doc/aide.1.in 2016-07-12 16:06:21.968639822 +0200 -@@ -103,9 +103,9 @@ echo | base64 \-d | h - .SH FILES - .IP \fB@sysconfdir@/aide.conf\fR - Default aide configuration file. --.IP \fB@sysconfdir@/aide.db\fR -+.IP \fB@localstatedir@/lib/aide/aide.db\fR - Default aide database. --.IP \fB@sysconfdir@/aide.db.new\fR -+.IP \fB@localstatedir@/lib/aide/aide.db.new\fR - Default aide output database. - .SH SEE ALSO - .BR aide.conf (5) diff --git a/aide.conf b/aide.conf index cd95c01..56ba1da 100644 --- a/aide.conf +++ b/aide.conf @@ -4,7 +4,7 @@ @@define LOGDIR /var/log/aide # The location of the database to be read. -database=file:@@{DBDIR}/aide.db.gz +database_in=file:@@{DBDIR}/aide.db.gz # The location of the database to be written. #database_out=sql:host:port:database:login_name:passwd:table 
@@ -14,19 +14,49 @@ database_out=file:@@{DBDIR}/aide.db.new.gz # Whether to gzip the output to database gzip_dbout=yes +# Database attributes to include in report (H = all compiled hashsums, default) +database_attrs=H + +# Add metadata to database (version info, timestamps) +database_add_metadata=yes + +# Warn about unrestricted rules during config check (default: false) +config_check_warn_unrestricted_rules=false + +# Number of workers for parallel processing (default: 1, can use percentage) +num_workers=1 + # Default. -verbose=5 +log_level=warning +report_level=changed_attributes + +# Report format (plain or json) +report_format=plain + +# Group files in report by added/removed/changed +report_grouped=yes + +# Summarize changes in report +report_summarize_changes=yes + +# Don't report if no differences found +report_quiet=no + +# Report encoding (base64 is default, base16 available) +report_base16=no report_url=file:@@{LOGDIR}/aide.log report_url=stdout #report_url=stderr -#NOT IMPLEMENTED report_url=mailto:root@foo.com -#NOT IMPLEMENTED report_url=syslog:LOG_AUTH +#report_url=syslog:LOG_AUTH # These are the default rules. # +#ftype: file type +#fstype: file system type (Linux-only) #p: permissions -#i: inode: +#i: inode +#l: link name (symbolic links only) #n: number of links #u: user #g: group 
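Review bot: The `# Default.` comment kept directly above the new `log_level=warning` and `report_level=changed_attributes` lines described the removed `verbose=5` and now says nothing about the two settings that replace it; suggest `# Log and report verbosity (replaces the old 'verbose=5' setting).` in its place. The added `config_check_warn_unrestricted_rules=false` is, by its own trailing comment, already the upstream default, so the line changes nothing; for a distribution-shipped config it would be more useful to either drop it or set it to `true` so that `aide --config-check` flags rules that lack a file-type restriction, which is what a maintainer tightening the rule set wants to hear about. The `#report_url=syslog:LOG_AUTH` line drops the old "NOT IMPLEMENTED" marker while the same commit deletes the in-tree syslog-format patch (the aide-0.15-syslog-format.patch section above); if syslog reporting now relies on upstream support, a short comment stating that would save the next maintainer from re-adding the patch.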
@@ -35,55 +65,78 @@ report_url=stdout #m: mtime #a: atime #c: ctime -#S: check for growing size #acl: Access Control Lists #selinux SELinux security context #xattrs: Extended file attributes -#md5: md5 checksum -#sha1: sha1 checksum +#e2fsattrs: file attributes on Linux file system +#caps: file capabilities (Linux-only) + +# Hashsums attributes (regular files only) #sha256: sha256 checksum #sha512: sha512 checksum -#rmd160: rmd160 checksum -#tiger: tiger checksum +#sha512_256: SHA-512 checksum truncated to 256 output bits +#sha3_256: SHA3-256 checksum (modern) +#sha3_512: SHA3-512 checksum (modern) +#stribog256: GOST R 34.11-2012, 256 bit +#stribog512: GOST R 34.11-2012, 512 bit -#haval: haval checksum (MHASH only) -#gost: gost checksum (MHASH only) -#crc32: crc32 checksum (MHASH only) -#whirlpool: whirlpool checksum (MHASH only) +# DEPRECATED (will be removed in future versions): +#md5: md5 checksum (deprecated since v0.19) +#sha1: sha1 checksum (deprecated since v0.19) +#rmd160: rmd160 checksum (deprecated since v0.19) +#gost: gost checksum (deprecated since v0.19) -FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 +# REMOVED in AIDE v0.19: +#S: check for growing size (use 'growing+s' instead) +#tiger: tiger checksum (removed) +#haval: haval checksum (removed) +#crc32: crc32 checksum (removed) +#crc32b: crc32b checksum (removed) +#whirlpool: whirlpool checksum (removed) -#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 -#L: p+i+n+u+g+acl+selinux+xattrs -#E: Empty group -#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs +# Special attributes for advanced use cases: +#I: ignore changed filename - detects moved files by inode +#growing: ignore growing file size/timestamps for logs +#compressed: ignore compression - compares uncompressed content +#ANF: allow new files - new files ignored in report +#ARF: allow removed files - missing files ignored in report + +# Default groups in AIDE v0.19: +# R = p+ftype+i+l+n+u+g+s+m+c+sha3_256+X +# L = p+ftype+i+l+n+u+g+X +# > = 
Growing file p+ftype+l+u+g+i+n+s+growing+X +# H = all compiled in (and not deprecated) hashsums +# X = acl+selinux+xattrs+e2fsattrs+caps (if compiled in) +# E = Empty group +# Use 'aide --version' to list the default compound groups. # You can create custom rules like this. -# With MHASH... -# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 -ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger -# Everything but access time (Ie. all changes) +# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost) +ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512 +# Everything but access time (Ie. all changes) - updated with modern hashsums EVERYTHING = R+ALLXTRAHASHES -# Sane, with multiple hashes -# NORMAL = R+rmd160+sha256+whirlpool -NORMAL = FIPSR+sha512 +# Base + sha512 (strong) +NORMAL = R+sha512-m-c -# For directories, don't bother doing hashes -DIR = p+i+n+u+g+acl+selinux+xattrs +# Content only - added file type and strong hash +CONTENT = ftype+sha512 -# Access control only -PERMS = p+i+u+g+acl+selinux +# For directories, don't bother doing hashes - added file type and link name +DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs -# Logfile are special, in that they often change -LOG = > +# Access control only - added file type and link name +PERMS = ftype+p+u+g+acl+selinux+xattrs -# Just do sha256 and sha512 hashes -LSPP = FIPSR+sha512 +# Logfiles are special, in that they often change due to log rotation +# Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes +# Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques +# Don't track: size, inodes, timestamps, checksums and some special attributes (these change frequently with log rotation) +LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs # Some files get updated automatically, so the inode/ctime/mtime change -# but we want to know when the data inside 
them changes -DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 +# but we want to know when the data inside them changes - updated with modern hash +DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256 # Next decide what directories/files you want in the database. 
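Review bot: `NORMAL = R+sha512-m-c` drops mtime and ctime from the rule applied to /bin, /sbin, /lib, /usr and most of /etc, but the comment above it (`# Base + sha512 (strong)`) says nothing about the subtraction; the definition it replaces (`FIPSR+sha512`) tracked both, and the 0.19 `R` group listed a few lines up includes `m+c`. Content replacement is still caught by the hashes, but a timestamp-only change (a `touch -r` used to backdate a file, for instance) on those trees will no longer appear in reports, and ctime cannot normally be set from userspace, so it is a cheap tamper indicator. Either restore `NORMAL = R+sha512` or state the reason in the comment, e.g. `# mtime/ctime excluded from NORMAL: <reason>`. Note also that `R` already carries sha3_256, so NORMAL hashes every regular file twice; if sha512 alone is wanted, `R-sha3_256+sha512` avoids the extra pass.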
@@ -92,124 +145,220 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 /sbin NORMAL /lib NORMAL /lib64 NORMAL -/opt NORMAL +# Monitor /opt selectively to avoid noise from auto-updating applications +/opt CONTENT /usr NORMAL -/root NORMAL # These are too volatile !/usr/src !/usr/tmp +# Admins dot files constantly change, just check perms +/root/\..* PERMS +!/root/.xauth* +/root NORMAL + # Check only permissions, inode, user and group for /etc, but # cover some important files closely. -/etc PERMS !/etc/mtab # Ignore backup files !/etc/.*~ -/etc/exports NORMAL -/etc/fstab NORMAL -/etc/passwd NORMAL -/etc/group NORMAL -/etc/gshadow NORMAL -/etc/shadow NORMAL -/etc/security/opasswd NORMAL -/etc/hosts.allow NORMAL -/etc/hosts.deny NORMAL +# trusted databases +/etc/hosts$ NORMAL +/etc/host.conf$ NORMAL +/etc/hostname$ NORMAL +/etc/issue$ NORMAL +/etc/issue.net$ NORMAL +/etc/protocols$ NORMAL +/etc/services$ NORMAL +/etc/localtime$ NORMAL +/etc/alternatives NORMAL +/etc/mime.types$ NORMAL +/etc/terminfo NORMAL +/etc/exports$ NORMAL +/etc/fstab$ NORMAL +/etc/passwd$ NORMAL +/etc/group$ NORMAL +/etc/gshadow$ NORMAL +/etc/shadow$ NORMAL +/etc/subgid$ NORMAL +/etc/subuid$ NORMAL +/etc/skel NORMAL +/etc/sssd NORMAL +/etc/swid NORMAL +/etc/system-release-cpe$ NORMAL +/etc/tmux.conf$ NORMAL +/etc/xattr.conf$ NORMAL -/etc/sudoers NORMAL -/etc/skel NORMAL +# networking +/etc/firewalld NORMAL +!/etc/NetworkManager/system-connections +/etc/NetworkManager NORMAL +/etc/networks$ NORMAL +/etc/dhcp NORMAL +/etc/wpa_supplicant NORMAL +/etc/resolv.conf$ DATAONLY -/etc/logrotate.d NORMAL - -/etc/resolv.conf DATAONLY - -/etc/nscd.conf NORMAL -/etc/securetty NORMAL +# logins and accounts +/etc/login.defs$ NORMAL +/etc/libuser.conf$ NORMAL +/var/log/faillog$ PERMS +/var/log/lastlog$ PERMS +/var/run/faillock PERMS +/etc/pam.d NORMAL +/etc/security NORMAL +/etc/securetty$ NORMAL +/etc/polkit-1 NORMAL +/etc/sudo.conf$ NORMAL +/etc/sudoers$ NORMAL +/etc/sudoers.d NORMAL # Shell/X starting files 
-/etc/profile NORMAL -/etc/bashrc NORMAL -/etc/bash_completion.d/ NORMAL -/etc/login.defs NORMAL -/etc/zprofile NORMAL -/etc/zshrc NORMAL -/etc/zlogin NORMAL -/etc/zlogout NORMAL -/etc/profile.d/ NORMAL -/etc/X11/ NORMAL +/etc/profile$ NORMAL +/etc/profile.d NORMAL +/etc/bashrc$ NORMAL +/etc/bash_completion.d NORMAL +/etc/zprofile$ NORMAL +/etc/zshrc$ NORMAL +/etc/zlogin$ NORMAL +/etc/zlogout$ NORMAL +/etc/X11 NORMAL +/etc/shells$ NORMAL # Pkg manager -/etc/yum.conf NORMAL -/etc/yumex.conf NORMAL -/etc/yumex.profiles.conf NORMAL -/etc/yum/ NORMAL -/etc/yum.repos.d/ NORMAL +/etc/dnf NORMAL +/etc/yum.repos.d NORMAL + +# auditing +# AIDE produces an audit record, so this becomes perpetual motion. +/var/log/audit PERMS +/etc/audit NORMAL +/etc/libaudit.conf$ NORMAL +/etc/aide.conf$ NORMAL + +# System logs with proper logrotate handling +/etc/rsyslog.conf$ NORMAL +/etc/rsyslog.d NORMAL +/etc/logrotate.conf$ NORMAL +/etc/logrotate.d NORMAL +/etc/systemd/journald.conf$ NORMAL + +# Log directory +/var/log LOG +# Journal files - exclude xattrs and link count due to systemd journal's user.crtime_usec extended attribute changes and new directory creation +/var/log/journal LOG-xattrs-n + -/var/log LOG /var/run/utmp LOG + +# secrets +/etc/pkcs11 NORMAL +/etc/pki NORMAL +/etc/ssl NORMAL +/etc/certmonger NORMAL +/var/lib/systemd/random-seed$ PERMS + +# init system +/etc/systemd NORMAL +/etc/sysconfig NORMAL +/etc/rc.d NORMAL +/etc/tmpfiles.d NORMAL +/etc/machine-id$ NORMAL + +# boot config +/etc/default NORMAL +/etc/grub.d NORMAL +/etc/grub2.cfg$ NORMAL +/etc/dracut.conf$ NORMAL +/etc/dracut.conf.d NORMAL + +# glibc linker +/etc/ld.so.cache$ NORMAL +/etc/ld.so.conf$ NORMAL +/etc/ld.so.conf.d NORMAL +/etc/ld.so.preload$ NORMAL + +# kernel config +/etc/sysctl.conf$ NORMAL +/etc/sysctl.d NORMAL +/etc/modprobe.d NORMAL +/etc/modules-load.d NORMAL +/etc/depmod.d NORMAL +/etc/udev NORMAL +/etc/crypttab$ NORMAL + +#### Daemons #### + +# cron jobs +/var/spool/at CONTENT +/etc/at.allow$ 
CONTENT +/etc/at.deny$ CONTENT +/etc/anacrontab$ NORMAL +/etc/cron.allow$ NORMAL +/etc/cron.deny$ NORMAL +/etc/cron.d NORMAL +/etc/cron.daily NORMAL +/etc/cron.hourly NORMAL +/etc/cron.monthly NORMAL +/etc/cron.weekly NORMAL +/etc/crontab$ NORMAL +/var/spool/cron/root CONTENT + +# time keeping +/etc/chrony.conf$ NORMAL +/etc/chrony.keys$ NORMAL + +# mail +/etc/aliases$ NORMAL +/etc/aliases.db$ NORMAL +/etc/postfix NORMAL + +# ssh +/etc/ssh/sshd_config$ NORMAL +/etc/ssh/ssh_config$ NORMAL + +# stunnel +/etc/stunnel NORMAL + +# ftp +/etc/vsftpd CONTENT + +# printing +/etc/cups NORMAL +/etc/cupshelpers NORMAL +/etc/avahi NORMAL + +# web server +/etc/httpd NORMAL + +# dns +/etc/named NORMAL +/etc/named.conf$ NORMAL +/etc/named.iscdlv.key$ NORMAL +/etc/named.rfc1912.zones$ NORMAL +/etc/named.root.key$ NORMAL + +# xinetd +/etc/xinetd.conf$ NORMAL +/etc/xinetd.d NORMAL + +# IPsec +/etc/ipsec.conf$ NORMAL +/etc/ipsec.secrets$ NORMAL +/etc/ipsec.d NORMAL + +# USBGuard +/etc/usbguard NORMAL + +# Now everything else +/etc PERMS + # This gets new/removes-old filenames daily !/var/log/sa # As we are checking it, we've truncated yesterdays size to zero. !/var/log/aide.log -# LSPP rules... -# AIDE produces an audit record, so this becomes perpetual motion. 
-# /var/log/audit/ LSPP -/etc/audit/ LSPP -/etc/libaudit.conf LSPP -/usr/sbin/stunnel LSPP -/var/spool/at LSPP -/etc/at.allow LSPP -/etc/at.deny LSPP -/etc/cron.allow LSPP -/etc/cron.deny LSPP -/etc/cron.d/ LSPP -/etc/cron.daily/ LSPP -/etc/cron.hourly/ LSPP -/etc/cron.monthly/ LSPP -/etc/cron.weekly/ LSPP -/etc/crontab LSPP -/var/spool/cron/root LSPP - -/etc/login.defs LSPP -/etc/securetty LSPP -/var/log/faillog LSPP -/var/log/lastlog LSPP - -/etc/hosts LSPP -/etc/sysconfig LSPP - -/etc/inittab LSPP -/etc/grub/ LSPP -/etc/rc.d LSPP - -/etc/ld.so.conf LSPP - -/etc/localtime LSPP - -/etc/sysctl.conf LSPP - -/etc/modprobe.conf LSPP - -/etc/pam.d LSPP -/etc/security LSPP -/etc/aliases LSPP -/etc/postfix LSPP - -/etc/ssh/sshd_config LSPP -/etc/ssh/ssh_config LSPP - -/etc/stunnel LSPP - -/etc/vsftpd.ftpusers LSPP -/etc/vsftpd LSPP - -/etc/issue LSPP -/etc/issue.net LSPP - -/etc/cups LSPP - # With AIDE's default verbosity level of 5, these would give lots of # warnings upon tree traversal. It might change with future version. # @@ -217,7 +366,7 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 #=/home DIR # Ditto /var/log/sa reason... -!/var/log/and-httpd +!/var/log/httpd +# /boot/grub2/grubenv's timestamp is getting modified continuously due to "boot_success" implementation +!/boot/grub2/grubenv -# Admins dot files constantly change, just check perms -/root/\..* PERMS diff --git a/aide.rpmlintrc b/aide.rpmlintrc new file mode 100644 index 0000000..67d2667 --- /dev/null +++ b/aide.rpmlintrc 
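Review bot: Only `sshd_config$` and `ssh_config$` under /etc/ssh get `NORMAL`; everything else in that directory — the host private keys, and any `sshd_config.d` drop-ins where sshd_config includes them — falls through to the trailing catch-all `/etc PERMS`, which carries no size or hash, so a swapped host key or an edited drop-in that enables root login is reported only if its mode or owner also changed. Replacing the two lines with `/etc/ssh NORMAL` closes that gap. The same weakness applies to `/opt CONTENT`: `CONTENT = ftype+sha512` tracks neither mode nor owner (and hashsums apply to regular files only), so adding a setuid bit to a binary under /opt goes unreported; `CONTENT+p+u+g` keeps the noise-reduction intent while catching that.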
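Review bot: `!/boot/grub2/grubenv` removes the file from the database entirely rather than masking the attribute that churns, so a changed owner, mode or SELinux context on it is no longer reported either (assuming /boot is covered by a rule outside this diff, as the comment implies). A positive rule restricted to the stable attributes keeps the file visible without the `boot_success` timestamp noise: `/boot/grub2/grubenv$ PERMS`.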
@@ -0,0 +1,15 @@ +# RPMlint configuration for aide package +# These warnings are expected and intentional for security reasons + +# AIDE log directory has restricted permissions (700) for security +# Log files may contain sensitive security information +addFilter("aide.* non-standard-dir-perm /var/log/aide 700") + +# AIDE configuration file has restricted permissions (600) for security +# Configuration reveals what files/directories are monitored +addFilter("aide.* non-readable /etc/aide.conf 600") + +# FSF address in COPYING file is outdated - this is an upstream issue +# The license text contains the old FSF address format +addFilter("aide.* incorrect-fsf-address /usr/share/licenses/aide/COPYING") + diff --git a/aide.spec b/aide.spec index 75b05e4..7b1c7a4 100644 --- a/aide.spec +++ b/aide.spec @@ -1,21 +1,24 @@ Summary: Intrusion detection environment Name: aide -Version: 0.16 -Release: 16%{?dist} -URL: http://sourceforge.net/projects/aide -License: GPLv2+ +Version: 0.19.2 +Release: %autorelease +URL: https://github.com/aide/aide +License: GPL-2.0-or-later - -Source0: %{url}/files/aide/%{version}/%{name}-%{version}.tar.gz -Source1: aide.conf -Source2: README.quickstart -Source3: aide.logrotate +Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz +Source1: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz.asc +# gpg2 --recv-keys 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931 +# gpg2 --export --export-options export-minimal 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931 >gpgkey-aide.gpg +Source2: gpgkey-aide.gpg +Source3: aide.conf +Source4: README.quickstart +Source5: aide.logrotate BuildRequires: gcc BuildRequires: make BuildRequires: bison flex -BuildRequires: pcre-devel -BuildRequires: libgpg-error-devel libgcrypt-devel +BuildRequires: pcre2-devel +BuildRequires: libgpg-error-devel nettle-devel BuildRequires: zlib-devel BuildRequires: libcurl-devel BuildRequires: libacl-devel 
@@ -24,33 +27,30 @@ BuildRequires: libattr-devel BuildRequires: e2fsprogs-devel BuildRequires: audit-libs-devel BuildRequires: autoconf automake libtool +# For verifying signatures +BuildRequires: gnupg2 +# For being able to run 'make check' +BuildRequires: check-devel -# Customize the database file location in the man page. -Patch1: aide-0.16rc1-man.patch -# fix aide in FIPS mode -Patch2: aide-0.16b1-fipsfix.patch -# Bug 1674637 - aide: FTBFS in Fedora rawhide/f30 -Patch3: aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch -Patch4: aide-0.15-syslog-format.patch -Patch5: aide-0.16-crypto-disable-haval-and-others.patch -Patch6: coverity.patch -Patch7: aide-0.16-crash-elf.patch +Requires: logrotate %description AIDE (Advanced Intrusion Detection Environment) is a file integrity checker and intrusion detection program. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -cp -a %{S:2} . +cp -a %{SOURCE4} . %build -autoreconf -ivf +#autoreconf -ivf %configure \ --disable-static \ --with-config_file=%{_sysconfdir}/aide.conf \ - --with-gcrypt \ + --without-gcrypt \ + --with-nettle \ --with-zlib \ --with-curl \ --with-posix-acl \ @@ -60,16 +60,19 @@ autoreconf -ivf --with-audit %make_build +%check +make check + %install %make_install bindir=%{_sbindir} -install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:1} -install -Dpm0644 %{S:3} %{buildroot}%{_sysconfdir}/logrotate.d/aide +install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{SOURCE3} +install -Dpm0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/aide mkdir -p %{buildroot}%{_localstatedir}/log/aide mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide %files %license COPYING -%doc AUTHORS ChangeLog NEWS README doc/manual.html contrib/ +%doc AUTHORS ChangeLog NEWS README %doc README.quickstart %{_sbindir}/aide %{_mandir}/man1/*.1* 
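Review bot: `--without-gcrypt --with-nettle` changes how AIDE behaves under the system FIPS policy: the dropped `aide-0.16b1-fipsfix.patch` and the removed changelog entry about using only "FIPS approved digest algorithms" show this package previously relied on libgcrypt's FIPS mode, and nettle, as far as I know, is not the FIPS-validated provider on these distributions and enforces no algorithm policy, so an admin who enables `md5` or `sha1` in aide.conf on a FIPS host will now get them silently. If that trade-off is accepted, record it next to the configure flags, e.g. `# nettle does not honour the system FIPS policy; aide.conf ships only approved digests by default`, so it is not rediscovered at the next rebase. Separately, `#autoreconf -ivf` should be deleted rather than commented out — with `BuildRequires: autoconf automake libtool` still listed, the stale line implies the tarball's generated files are regenerated when they are not.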
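Review bot: `install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{SOURCE3}` ships aide.conf world-readable, while the new aide.rpmlintrc in this same commit filters a `non-readable /etc/aide.conf 600` warning on the grounds that the file reveals what is monitored; one of the two is wrong. Unless the `%files` entry for aide.conf (outside this hunk) carries `%attr(0600,root,root)`, the rpmlint filter documents a protection the package does not provide — either install with `-Dpm0600` or drop that filter and its comment.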
@@ -80,244 +83,4 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide %dir %attr(0700,root,root) %{_localstatedir}/log/aide %changelog -* Fri Jul 31 2020 Fedora Release Engineering - 0.16-16 -- Second attempt - Rebuilt for - https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Mon Jul 27 2020 Fedora Release Engineering - 0.16-15 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Wed Jun 24 2020 Radovan Sroka 0.16-14 -- AIDE breaks when setting report_ignore_e2fsattrs - Resolves: rhbz#1850276 - -* Tue Jan 28 2020 Fedora Release Engineering - 0.16-13 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Wed Jul 31 2019 Radovan Sroka - 0.16-12 -- backport some patches - Resolves: rhbz#1717140 - -* Wed Jul 24 2019 Fedora Release Engineering - 0.16-11 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Wed Feb 20 2019 Daniel Kopecek - 0.16-10 -- Fix building with curl - Resolves: rhbz#1674637 - -* Thu Jan 31 2019 Fedora Release Engineering - 0.16-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Tue Jul 31 2018 Florian Weimer - 0.16-8 -- Rebuild with fixed binutils - -* Thu Jul 12 2018 Fedora Release Engineering - 0.16-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Tue Feb 20 2018 Igor Gnatenko - 0.16-6 -- Rebuild - -* Wed Feb 07 2018 Fedora Release Engineering - 0.16-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Wed Aug 02 2017 Fedora Release Engineering - 0.16-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 0.16-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Wed Apr 05 2017 Radovan Sroka - 0.16-2 -- fixed upstream link - -* Tue Apr 04 2017 Radovan Sroka - 0.16-1 -- rebase to stable v0.16 -- specfile cleanup -- make doc readable - resolves: #1421355 -- make aide binary runable for any user - resolves: 
#1421351 - -* Fri Feb 10 2017 Fedora Release Engineering - 0.16-0.3.rc1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Tue Jul 12 2016 Tomas Sykora - 0.16-0.2.rc1 -- New upstream devel version - -* Mon Jun 20 2016 Tomas Sykora - 0.16-0.1.b1 -- New upstream devel version - -* Wed Feb 03 2016 Fedora Release Engineering - 0.15.1-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Sat Jul 25 2015 Till Maas - 0.15.1-11 -- Remove prelink dependency because prelink was retired - -* Tue Jun 16 2015 Fedora Release Engineering - 0.15.1-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Fri Aug 15 2014 Fedora Release Engineering - 0.15.1-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Fri Jul 18 2014 Yaakov Selkowitz - 0.15.1-8 -- Fix FTBFS with -Werror=format-security (#1036983, #1105942) -- Avoid prelink BR on aarch64, ppc64le (#924977, #1078476) - -* Sat Jun 07 2014 Fedora Release Engineering - 0.15.1-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Sat Aug 03 2013 Fedora Release Engineering - 0.15.1-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Wed Feb 13 2013 Fedora Release Engineering - 0.15.1-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Thu Nov 22 2012 Daniel Kopecek - 0.15.1-4 -- added patch to fix aide in FIPS mode -- use only FIPS approved digest algorithms in aide.conf so that - aide works by default in FIPS mode - -* Wed Jul 18 2012 Fedora Release Engineering - 0.15.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Thu Jan 12 2012 Fedora Release Engineering - 0.15.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Thu Nov 11 2010 Steve Grubb - 0.15.1-1 -- New upstream release - -* Tue May 18 2010 Steve Grubb - 0.14-5 -- Apply 2 upstream bug fixes - -* Tue May 18 2010 Steve Grubb - 0.14-4 -- Use upstream's patch to 
fix bz 590566 - -* Sat May 15 2010 Steve Grubb - 0.14-3 -- Fix bz 590561 aide does not detect the change of SElinux context -- Fix bz 590566 aide reports a changed file when it has not been changed - -* Wed Apr 28 2010 Steve Grubb - 0.14-2 -- Fix bz 574764 by replacing abort calls with exit -- Apply libgcrypt init patch - -* Tue Mar 16 2010 Steve Grubb - 0.14-1 -- New upstream release final 0.14 - -* Thu Feb 25 2010 Steve Grubb - 0.14-0.4.rc3 -- New upstream release - -* Thu Feb 25 2010 Steve Grubb - 0.14-0.3.rc2 -- New upstream release - -* Tue Feb 23 2010 Steve Grubb - 0.14-0.2.rc1 -- Fix dirent detection on 64bit systems - -* Mon Feb 22 2010 Steve Grubb - 0.14-0.1.rc1 -- New upstream release - -* Fri Feb 19 2010 Steve Grubb - 0.13.1-16 -- Add logrotate script and spec file cleanups - -* Fri Dec 11 2009 Steve Grubb - 0.13.1-15 -- Get rid of .dedosify files - -* Wed Dec 09 2009 Steve Grubb - 0.13.1-14 -- Revise patch for Initialize libgcrypt correctly (#530485) - -* Sat Nov 07 2009 Steve Grubb - 0.13.1-13 -- Initialize libgcrypt correctly (#530485) - -* Fri Aug 21 2009 Tomas Mraz - 0.13.1-12 -- rebuilt with new audit - -* Wed Aug 19 2009 Steve Grubb 0.13.1-11 -- rebuild for new audit-libs -- Correct regex for root's dot files (#509370) - -* Fri Jul 24 2009 Fedora Release Engineering - 0.13.1-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Mon Jun 08 2009 Steve Grubb - 0.13.1-9 -- Make aide smarter about prelinked files (Peter Vrabec) -- Add /lib64 to default config - -* Mon Feb 23 2009 Fedora Release Engineering - 0.13.1-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Fri Jan 30 2009 Steve Grubb - 0.13.1-6 -- enable xattr support and update config file - -* Fri Sep 26 2008 Tom "spot" Callaway - 0.13.1-5 -- fix selcon patch to apply without fuzz - -* Fri Feb 15 2008 Steve Conklin -- rebuild for gcc4.3 - -* Tue Aug 21 2007 Michael Schwendt -- rebuilt - -* Sun Jul 22 2007 Michael Schwendt - 0.13.1-2 -- Apply 
Steve Conklin's patch to increase displayed portion of - selinux context. - -* Sun Dec 17 2006 Michael Schwendt - 0.13.1-1 -- Update to 0.13.1 release. - -* Sun Dec 10 2006 Michael Schwendt - 0.13-1 -- Update to 0.13 release. -- Include default aide.conf from RHEL5 as doc example file. - -* Sun Oct 29 2006 Michael Schwendt - 0.12-3.20061027cvs -- CAUTION! This changes the database format and results in a report of - false inconsistencies until an old database file is updated. -- Check out CVS 20061027 which now contains Red Hat's - acl/xattr/selinux/audit patches. -- Patches merged upstream. -- Update manual page substitutions. - -* Mon Oct 23 2006 Michael Schwendt - 0.12-2 -- Add "memory leaks and performance updates" patch as posted - to aide-devel by Steve Grubb. - -* Sat Oct 07 2006 Michael Schwendt - 0.12-1 -- Update to 0.12 release. -- now offers --disable-static, so -no-static patch is obsolete -- fill last element of getopt struct array with zeroes - -* Mon Oct 02 2006 Michael Schwendt - 0.11-3 -- rebuilt - -* Mon Sep 11 2006 Michael Schwendt - 0.11-2 -- rebuilt - -* Sun Feb 19 2006 Michael Schwendt - 0.11-1 -- Update to 0.11 release. -- useless-includes patch merged upstream. -- old Russian man pages not available anymore. -- disable static linking. - -* Thu Apr 7 2005 Michael Schwendt -- rebuilt - -* Fri Nov 28 2003 Michael Schwendt - 0:0.10-0.fdr.1 -- Update to 0.10 release. -- memleaks patch merged upstream. -- rootpath patch merged upstream. -- fstat patch not needed anymore. -- Updated URL. - -* Thu Nov 13 2003 Michael Schwendt - 0:0.10-0.fdr.0.2.cvs20031104 -- Added buildreq m4 to work around incomplete deps of bison package. - -* Tue Nov 04 2003 Michael Schwendt - 0:0.10-0.fdr.0.1.cvs20031104 -- Only tar.gz available upstream. -- byacc not needed when bison -y is available. -- Installed Russian manual pages. -- Updated with changes from CVS (2003-11-04). -- getopt patch merged upstream. -- bison-1.35 patch incorporated upstream. 
- -* Tue Sep 09 2003 Michael Schwendt - 0:0.9-0.fdr.0.2.20030902 -- Added fixes for further memleaks. - -* Sun Sep 07 2003 Michael Schwendt - 0:0.9-0.fdr.0.1.20030902 -- Initial package version. +%autochangelog diff --git a/ci.fmf b/ci.fmf new file mode 100644 index 0000000..a36dc28 --- /dev/null +++ b/ci.fmf @@ -0,0 +1,12 @@ +#e2e test plan +/e2e: + plan: + import: + url: https://github.com/RedHat-SP-Security/aide-plans.git + name: /generic/e2e_ci + +/rpmverify: + plan: + import: + url: https://github.com/RedHat-SP-Security/aide-plans.git + name: /generic/rpmverify diff --git a/coverity.patch b/coverity.patch deleted file mode 100644 index 9b981be..0000000 --- a/coverity.patch +++ /dev/null 
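Review bot: Both `import:` blocks reference `https://github.com/RedHat-SP-Security/aide-plans.git` by URL and plan name only, with no `ref:`, so every CI run executes whatever that repository's default branch contains at the time; a push there (or a compromise of it) silently changes what gates this package. Pin the import to a tag or commit, e.g. add `ref: <commit-or-tag>` under each `import:`, and bump it deliberately when the plans change.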
@@ -1,642 +0,0 @@ -diff -up ./include/be.h.coverity ./include/be.h ---- ./include/be.h.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./include/be.h 2018-10-10 19:27:18.680632681 +0200 -@@ -22,6 +22,6 @@ - #define _BE_H_INCLUDED - #include "db_config.h" - --FILE* be_init(int inout,url_t* u,int iszipped); -+void* be_init(int inout,url_t* u,int iszipped); - - #endif /* _BE_H_INCLUDED */ -diff -up ./include/db_config.h.coverity ./include/db_config.h ---- ./include/db_config.h.coverity 2018-10-10 19:27:18.672632611 +0200 -+++ ./include/db_config.h 2018-10-10 19:27:18.681632689 +0200 -@@ -376,7 +376,7 @@ typedef struct db_config { - #endif - - url_t* initial_report_url; -- FILE* initial_report_fd; -+ void* initial_report_fd; - - /* report_url is a list of url_t*s */ - list* report_url; -diff -up ./src/aide.c.coverity ./src/aide.c ---- ./src/aide.c.coverity 2018-10-10 19:27:18.678632663 +0200 -+++ ./src/aide.c 2018-10-10 19:27:18.681632689 +0200 -@@ -278,7 +278,7 @@ static void setdefaults_before_config() - error(0,_("Couldn't get hostname")); - free(s); - } else { -- s=(char*)realloc((void*)s,strlen(s)+1); -+ // s=(char*)realloc((void*)s,strlen(s)+1); - do_define("HOSTNAME",s); - } - -@@ -506,8 +506,6 @@ static void setdefaults_after_config() - int main(int argc,char**argv) - { - int errorno=0; -- byte* dig=NULL; -- char* digstr=NULL; - - #ifdef USE_LOCALE - setlocale(LC_ALL,""); -@@ -544,6 +542,10 @@ int main(int argc,char**argv) - } - - errorno=commandconf('C',conf->config_file); -+ if (errorno==RETFAIL){ -+ error(0,_("Configuration error\n")); -+ exit(INVALID_CONFIGURELINE_ERROR); -+ } - - errorno=commandconf('D',""); - if (errorno==RETFAIL){ -@@ -594,6 +596,9 @@ int main(int argc,char**argv) - } - } - #ifdef WITH_MHASH -+ byte* dig=NULL; -+ char* digstr=NULL; -+ - if(conf->config_check&&FORCECONFIGMD){ - error(0,"Can't give config checksum when compiled with --enable-forced_configmd\n"); - exit(INVALID_ARGUMENT_ERROR); -diff -up ./src/base64.c.coverity 
./src/base64.c ---- ./src/base64.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/base64.c 2018-10-10 19:27:18.681632689 +0200 -@@ -209,6 +209,7 @@ byte* decode_base64(char* src,size_t ssi - case FAIL: - error(3, "decode_base64: Illegal character: %c\n", *inb); - error(230, "decode_base64: Illegal line:\n%s\n", src); -+ free(outbuf); - return NULL; - break; - case SKIP: -@@ -260,7 +261,7 @@ size_t length_base64(char* src,size_t ss - int l; - int left; - size_t pos; -- unsigned long triple; -+ //unsigned long triple; - - error(235, "decode base64\n"); - /* Exit on empty input */ -@@ -273,7 +274,7 @@ size_t length_base64(char* src,size_t ss - inb = src; - - l = 0; -- triple = 0; -+ //triple = 0; - pos=0; - left = ssize; - /* -@@ -293,7 +294,7 @@ size_t length_base64(char* src,size_t ss - case SKIP: - break; - default: -- triple = triple<<6 | (0x3f & i); -+ //triple = triple<<6 | (0x3f & i); - l++; - break; - } -@@ -302,10 +303,10 @@ size_t length_base64(char* src,size_t ss - switch(l) - { - case 2: -- triple = triple>>4; -+ //triple = triple>>4; - break; - case 3: -- triple = triple>>2; -+ //triple = triple>>2; - break; - default: - break; -@@ -314,7 +315,7 @@ size_t length_base64(char* src,size_t ss - { - pos++; - } -- triple = 0; -+ //triple = 0; - l = 0; - } - inb++; -diff -up ./src/be.c.coverity ./src/be.c ---- ./src/be.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/be.c 2018-10-10 19:27:18.681632689 +0200 -@@ -117,9 +117,9 @@ static char* get_first_value(char** in){ - - #endif - --FILE* be_init(int inout,url_t* u,int iszipped) -+void* be_init(int inout,url_t* u,int iszipped) - { -- FILE* fh=NULL; -+ void* fh=NULL; - long a=0; - char* err=NULL; - int fd; -diff -up ./src/commandconf.c.coverity ./src/commandconf.c ---- ./src/commandconf.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/commandconf.c 2018-10-10 19:27:18.682632698 +0200 -@@ -106,7 +106,7 @@ int commandconf(const char mode,const ch - rv=0; - } else { - -- 
rv=access(config,R_OK); -+ if (config != NULL) rv=access(config,R_OK); - if(rv==-1){ - error(0,_("Cannot access config file: %s: %s\n"),config,strerror(errno)); - } -@@ -166,14 +166,11 @@ int commandconf(const char mode,const ch - int conf_input_wrapper(char* buf, int max_size, FILE* in) - { - int retval=0; -- int c=0; -- char* tmp=NULL; -- void* key=NULL; -- int keylen=0; - - /* FIXME Add support for gzipped config. :) */ - #ifdef WITH_MHASH - /* Read a character at a time until we are doing md */ -+ int c=0; - if(conf->do_configmd){ - retval=fread(buf,1,max_size,in); - }else { -@@ -185,6 +182,9 @@ int conf_input_wrapper(char* buf, int ma - #endif - - #ifdef WITH_MHASH -+ char* tmp=NULL; -+ void* key=NULL; -+ int keylen=0; - if(conf->do_configmd||conf->config_check){ - if(((conf->do_configmd==1)&&conf->config_check)||!conf->confmd){ - if(conf->do_configmd==1){ -@@ -276,6 +276,9 @@ int db_input_wrapper(char* buf, int max_ - #endif - break; - } -+ default: { -+ return 0; -+ } - } - - #ifdef WITH_CURL -@@ -651,7 +654,6 @@ int handle_endif(int doit,int allow_else - case 0 : { - conferror("@@endif or @@else expected"); - return -1; -- count=0; - } - - default : { -@@ -816,6 +818,7 @@ void do_dbdef(int dbtype,char* val) - if(u==NULL||u->type==url_unknown||u->type==url_stdout - ||u->type==url_stderr) { - error(0,_("Unsupported input URL-type:%s\n"),val); -+ free(u); - } - else { - *conf_db_url=u; -@@ -825,6 +828,7 @@ void do_dbdef(int dbtype,char* val) - case DB_WRITE: { - if(u==NULL||u->type==url_unknown||u->type==url_stdin){ - error(0,_("Unsupported output URL-type:%s\n"),val); -+ free(u); - } - else{ - conf->db_out_url=u; -@@ -848,6 +852,7 @@ void do_dbindef(char* val) - if(u==NULL||u->type==url_unknown||u->type==url_stdout - ||u->type==url_stderr) { - error(0,_("Unsupported input URL-type:%s\n"),val); -+ free(u); - } - else { - conf->db_in_url=u; -@@ -869,6 +874,7 @@ void do_dboutdef(char* val) - * both input and output urls */ - 
if(u==NULL||u->type==url_unknown||u->type==url_stdin){ - error(0,_("Unsupported output URL-type:%s\n"),val); -+ free(u); - } - else{ - conf->db_out_url=u; -@@ -894,7 +900,8 @@ void do_repurldef(char* val) - } else { - error_init(u,0); - } -- -+ -+ free(u); - } - - void do_verbdef(char* val) -@@ -984,7 +991,7 @@ void do_report_ignore_e2fsattrs(char* va - break; - } - } -- *val++; -+ val++; - } - } - #endif -diff -up ./src/compare_db.c.coverity ./src/compare_db.c ---- ./src/compare_db.c.coverity 2018-10-10 19:27:18.673632619 +0200 -+++ ./src/compare_db.c 2018-10-10 19:27:18.682632698 +0200 -@@ -312,7 +312,7 @@ static int acl2array(acl_type* acl, char - if (conf->syslog_format) { - *values = malloc(2 * sizeof(char*)); - -- char *A, *D = ""; -+ char *A= "", *D = ""; - - if (acl->acl_a) { A = acl->acl_a; } - if (acl->acl_d) { D = acl->acl_d; } -diff -up ./src/conf_lex.l.coverity ./src/conf_lex.l ---- ./src/conf_lex.l.coverity 2018-10-10 19:27:18.673632619 +0200 -+++ ./src/conf_lex.l 2018-10-10 19:27:18.682632698 +0200 -@@ -133,7 +133,7 @@ int var_in_conflval=0; - [\ \t]*\n { - conf_lineno++; - return (TNEWLINE); -- BEGIN 0; -+// BEGIN 0; - } - - \+ { -diff -up ./src/db.c.coverity ./src/db.c ---- ./src/db.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/db.c 2018-10-10 19:27:18.683632707 +0200 -@@ -27,6 +27,7 @@ - #include "db_file.h" - #include "db_disk.h" - #include "md.h" -+#include "fopen.h" - - #ifdef WITH_PSQL - #include "db_sql.h" -@@ -269,6 +270,9 @@ db_line* db_readline(int db){ - db_order=&(conf->db_new_order); - break; - } -+ default: { -+ return NULL; -+ } - } - - switch (db_url->type) { -@@ -368,7 +372,7 @@ db_line* db_char2line(char** ss,int db){ - - int i; - db_line* line=(db_line*)malloc(sizeof(db_line)*1); -- int* db_osize=0; -+ int* db_osize=NULL; - DB_FIELD** db_order=NULL; - - switch (db) { -@@ -382,6 +386,10 @@ db_line* db_char2line(char** ss,int db){ - db_order=&(conf->db_new_order); - break; - } -+ default: { -+ free(line); -+ return NULL; 
-+ } - } - - -@@ -601,7 +609,9 @@ db_line* db_char2line(char** ss,int db){ - size_t vsz = 0; - - tval = strtok(NULL, ","); -- line->xattrs->ents[num].key = db_readchar(strdup(tval)); -+ char * tmp = strdup(tval); -+ line->xattrs->ents[num].key = db_readchar(tmp); -+ free(tmp); - tval = strtok(NULL, ","); - val = base64tobyte(tval, strlen(tval), &vsz); - line->xattrs->ents[num].val = val; -@@ -648,6 +658,8 @@ db_line* db_char2line(char** ss,int db){ - - default : { - error(0,_("Not implemented in db_char2line %i \n"),(*db_order)[i]); -+ free_db_line(line); -+ free(line); - return NULL; - } - -@@ -826,7 +838,7 @@ void db_close() { - case url_ftp: - { - if (conf->db_out!=NULL) { -- url_fclose(conf->db_out); -+ url_fclose((URL_FILE*)conf->db_out); - } - break; - } -diff -up ./src/db_disk.c.coverity ./src/db_disk.c ---- ./src/db_disk.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/db_disk.c 2018-10-10 19:28:00.108995089 +0200 -@@ -79,9 +79,15 @@ static DIR *open_dir(char* path) { - - static void next_in_dir (void) - { -+ - #ifdef HAVE_READDIR_R -- if (dirh != NULL) -+ if (dirh != NULL) { -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wdeprecated-declarations" - rdres = AIDE_READDIR_R_FUNC (dirh, entp, resp); -+#pragma GCC diagnostic pop -+ } -+ - #else - #ifdef HAVE_READDIR - if (dirh != NULL) { -diff -up ./src/db_file.c.coverity ./src/db_file.c ---- ./src/db_file.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/db_file.c 2018-10-10 19:27:18.683632707 +0200 -@@ -171,7 +171,7 @@ int dofprintf( const char* s,...) - int db_file_read_spec(int db){ - - int i=0; -- int* db_osize=0; -+ int* db_osize=NULL; - DB_FIELD** db_order=NULL; - - switch (db) { -@@ -187,6 +187,9 @@ int db_file_read_spec(int db){ - db_lineno=&db_new_lineno; - break; - } -+ default: { -+ return RETFAIL; -+ } - } - - *db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD)); -@@ -198,13 +201,10 @@ int db_file_read_spec(int db){ - int l; - - -- /* Yes... 
we do not check if realloc returns nonnull */ -- -- *db_order=(DB_FIELD*) -- realloc((void*)*db_order, -+ void * tmp = realloc((void*)*db_order, - ((*db_osize)+1)*sizeof(DB_FIELD)); -- -- if(*db_order==NULL){ -+ if (tmp != NULL) *db_order=(DB_FIELD*) tmp; -+ else { - return RETFAIL; - } - -@@ -291,8 +291,8 @@ char** db_readline_file(int db){ - int* domd=NULL; - #ifdef WITH_MHASH - MHASH* md=NULL; --#endif - char** oldmdstr=NULL; -+#endif - int* db_osize=0; - DB_FIELD** db_order=NULL; - FILE** db_filep=NULL; -@@ -302,9 +302,9 @@ char** db_readline_file(int db){ - case DB_OLD: { - #ifdef WITH_MHASH - md=&(conf->dboldmd); -+ oldmdstr=&(conf->old_dboldmdstr); - #endif - domd=&(conf->do_dboldmd); -- oldmdstr=&(conf->old_dboldmdstr); - - db_osize=&(conf->db_in_size); - db_order=&(conf->db_in_order); -@@ -316,9 +316,9 @@ char** db_readline_file(int db){ - case DB_NEW: { - #ifdef WITH_MHASH - md=&(conf->dbnewmd); -+ oldmdstr=&(conf->old_dbnewmdstr); - #endif - domd=&(conf->do_dbnewmd); -- oldmdstr=&(conf->old_dbnewmdstr); - - db_osize=&(conf->db_new_size); - db_order=&(conf->db_new_order); -@@ -328,7 +328,9 @@ char** db_readline_file(int db){ - break; - } - } -- -+ -+ if (db_osize == NULL) return NULL; -+ - if (*db_osize==0) { - db_buff(db,*db_filep); - -@@ -737,8 +739,6 @@ int db_writespec_file(db_config* dbconf) - int i=0; - int j=0; - int retval=1; -- void*key=NULL; -- int keylen=0; - struct tm* st; - time_t tim=time(&tim); - st=localtime(&tim); -@@ -750,6 +750,8 @@ int db_writespec_file(db_config* dbconf) - - #ifdef WITH_MHASH - /* From hereon everything must MD'd before write to db */ -+ void*key=NULL; -+ int keylen=0; - if((key=get_db_key())!=NULL){ - keylen=get_db_key_len(); - dbconf->do_dbnewmd=1; -diff -up ./src/do_md.c.coverity ./src/do_md.c ---- ./src/do_md.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/do_md.c 2018-10-10 19:27:18.683632707 +0200 -@@ -202,7 +202,6 @@ void calc_md(struct AIDE_STAT_TYPE* old_ - and we don't read from a pipe :) - */ - 
struct AIDE_STAT_TYPE fs; -- int sres=0; - int stat_diff,filedes; - #ifdef WITH_PRELINK - pid_t pid; -@@ -237,7 +236,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_ - return; - } - -- sres=AIDE_FSTAT_FUNC(filedes,&fs); -+ AIDE_FSTAT_FUNC(filedes,&fs); - if(!(line->attr&DB_RDEV)) - fs.st_rdev=0; - -@@ -331,7 +330,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_ - } - #endif - #endif /* not HAVE_MMAP */ -- buf=malloc(READ_BLOCK_SIZE); -+// buf=malloc(READ_BLOCK_SIZE); - #if READ_BLOCK_SIZE>SSIZE_MAX - #error "READ_BLOCK_SIZE" is too large. Max value is SSIZE_MAX, and current is READ_BLOCK_SIZE - #endif -diff -up ./src/gen_list.c.coverity ./src/gen_list.c ---- ./src/gen_list.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/gen_list.c 2018-10-10 19:27:18.684632716 +0200 -@@ -843,15 +843,15 @@ static void add_file_to_tree(seltree* tr - DB_ATTR_TYPE localignorelist=0; - DB_ATTR_TYPE ignored_added_attrs, ignored_removed_attrs, ignored_changed_attrs; - -+ if(file==NULL){ -+ error(0, "add_file_to_tree was called with NULL db_line\n"); -+ } -+ - node=get_seltree_node(tree,file->filename); - - if(!node){ - node=new_seltree_node(tree,file->filename,0,NULL); - } -- -- if(file==NULL){ -- error(0, "add_file_to_tree was called with NULL db_line\n"); -- } - - /* add note to this node which db has modified it */ - node->checked|=db; -diff -up ./src/md.c.coverity ./src/md.c ---- ./src/md.c.coverity 2018-10-10 19:27:18.679632672 +0200 -+++ ./src/md.c 2018-10-10 19:27:18.684632716 +0200 -@@ -36,8 +36,8 @@ - */ - - DB_ATTR_TYPE hash_gcrypt2attr(int i) { -- DB_ATTR_TYPE r=0; - #ifdef WITH_GCRYPT -+ DB_ATTR_TYPE r=0; - switch (i) { - case GCRY_MD_MD5: { - r=DB_MD5; -@@ -74,13 +74,15 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) { - default: - break; - } --#endif - return r; -+#else /* !WITH_GCRYPT */ -+ return 0; -+#endif - } - - const char * hash_gcrypt2str(int i) { -- char * r = "?"; - #ifdef WITH_GCRYPT -+ char * r = "?"; - switch (i) { - case GCRY_MD_MD5: { - r = "MD5"; -@@ -117,13 
+119,17 @@ const char * hash_gcrypt2str(int i) { - default: - break; - } --#endif - return r; -+#else /* !WITH_GCRYPT */ -+ return "?"; -+#endif - } - -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wunused-parameter" - DB_ATTR_TYPE hash_mhash2attr(int i) { -- DB_ATTR_TYPE r=0; - #ifdef WITH_MHASH -+ DB_ATTR_TYPE r=0; - switch (i) { - case MHASH_CRC32: { - r=DB_CRC32; -@@ -198,10 +204,15 @@ DB_ATTR_TYPE hash_mhash2attr(int i) { - default: - break; - } --#endif -+ - return r; -+#else /*!WITH_MHASH */ -+ return 0; -+#endif - } - -+#pragma GCC diagnostic pop -+ - /* - Initialise md_container according it's todo_attr field - */ -@@ -317,7 +328,6 @@ int init_md(struct md_container* md) { - */ - - int update_md(struct md_container* md,void* data,ssize_t size) { -- int i; - - error(255,"update_md called\n"); - -@@ -328,6 +338,7 @@ int update_md(struct md_container* md,vo - #endif - - #ifdef WITH_MHASH -+ int i; - - for(i=0;i<=HASH_MHASH_COUNT;i++) { - if (md->mhash_mdh[i]!=MHASH_FAILED) { -@@ -348,7 +359,6 @@ int update_md(struct md_container* md,vo - */ - - int close_md(struct md_container* md) { -- int i; - #ifdef _PARAMETER_CHECK_ - if (md==NULL) { - return RETFAIL; -@@ -356,6 +366,7 @@ int close_md(struct md_container* md) { - #endif - error(255,"close_md called \n"); - #ifdef WITH_MHASH -+ int i; - for(i=0;i<=HASH_MHASH_COUNT;i++) { - if (md->mhash_mdh[i]!=MHASH_FAILED) { - mhash (md->mhash_mdh[i], NULL, 0); -diff -up ./src/util.c.coverity ./src/util.c ---- ./src/util.c.coverity 2018-10-10 19:27:18.670632593 +0200 -+++ ./src/util.c 2018-10-10 19:27:18.684632716 +0200 -@@ -105,13 +105,15 @@ url_t* parse_url(char* val) - for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++); - if(r[0]=='\0'){ - error(0,"Invalid file-URL,no path after hostname: file:%s\n",t); -+ free(hostname); - return NULL; - } - u->value=strdup(r); - r[0]='\0'; - if(gethostname(hostname,MAXHOSTNAMELEN)==-1){ -- strncpy(hostname,"localhost", 10); -+ strncpy(hostname,"localhost", 10); - } -+ - if( 
(strcmp(t,"localhost")==0)||(strcmp(t,hostname)==0)){
- free(hostname);
- break;
-@@ -120,7 +122,7 @@ url_t* parse_url(char* val)
- free(hostname);
- return NULL;
- }
-- free(hostname);
-+
- break;
- }
- u->value=strdup(r);
diff --git a/coverity2.patch b/coverity2.patch
deleted file mode 100644
index 5052ba3..0000000
--- a/coverity2.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff --up ./src/compare_db.c ./src/compare_db.c
---- ./src/compare_db.c
-+++ ./src/compare_db.c
-@@ -438,7 +438,11 @@ snprintf(*values[0], l, "%s",s);
- } else {
- *values = malloc(1 * sizeof (char*));
- if (DB_FTYPE&attr) {
-- easy_string(get_file_type_string(line->perm))
-+ char *file_type = get_file_type_string(line->perm);
-+ if (!file_type) {
-+ error(2,"%s: ", file_type);
-+ }
-+ easy_string(file_type)
- } else if (DB_LINKNAME&attr) {
- easy_string(line->linkname)
- easy_number((DB_SIZE|DB_SIZEG),size,"%li")
-diff -up ./src/db_file.c ./src/db_file.c
---- ./src/db_file.c
-+++ ./src/db_file.c
-@@ -194,6 +194,10 @@ int db_file_read_spec(int db){
-
- *db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD));
-
-+ if (*db_order == NULL){
-+ error(1,"malloc for *db_order failed in %s", __func__);
-+ }
-+
- while ((i=db_scan())!=TNEWLINE){
- switch (i) {
-
-
diff --git a/gpgkey-aide.gpg b/gpgkey-aide.gpg
new file mode 100644
index 0000000..efb0119
Binary files /dev/null and b/gpgkey-aide.gpg differ
diff --git a/sources b/sources
index abe8169..0b47fd8 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
-SHA512 (aide-0.16.tar.gz) = 29ad97756e3e2fb21dc332ed03b494a1c73e621266f8622ec80bdba23092a38ee975b97f3cff2330e4c16e64e2f672259eea9291ca706a4009e7399b4e14e6a7
+SHA512 (aide-0.19.2.tar.gz) = 08506c2302e34794fa08a27caaa1e714ba736d46351c577234f2c3d2623ea82b243b3318061a369a46d6961a782f42fbb8edd42d1d4de6949e7fc30c87865830
+SHA512 (aide-0.19.2.tar.gz.asc) = ebc04f22a49ec6b378dca4930574edcd46919281297bc1d5e09f5839a6fab3a38762462b7d852a82b7045313f9c24208bfff49a561d8afd04e9116be7096169a