From b3964ed95f2f9a648aac18731dce7bc11bc04da6 Mon Sep 17 00:00:00 2001 From: Sandro Bonazzola Date: Wed, 4 Dec 2024 12:41:47 +0100 Subject: [PATCH 01/26] Update aide to 0.18.8 - Update aide to 0.18.8 - Resolves fedora#2306506 - GPG verify source tarball - Update project URL - Remove unused patches - Enable check phase during the build - Require logrotate Signed-off-by: Sandro Bonazzola --- .gitignore | 2 + aide-0.15-syslog-format.patch | 496 -------------------------- aide.spec | 325 ++--------------- coverity.patch | 642 ---------------------------------- gpgkey-aide.gpg | Bin 0 -> 5160 bytes sources | 3 +- 6 files changed, 32 insertions(+), 1436 deletions(-) delete mode 100644 aide-0.15-syslog-format.patch delete mode 100644 coverity.patch create mode 100644 gpgkey-aide.gpg diff --git a/.gitignore b/.gitignore index 2273619..465c998 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,5 @@ aide-0.14.tar.gz.asc /aide-0.16.tar.gz /aide-0.18.4.tar.gz /aide-0.18.6.tar.gz +/aide-0.18.8.tar.gz +/aide-0.18.8.tar.gz.asc diff --git a/aide-0.15-syslog-format.patch b/aide-0.15-syslog-format.patch deleted file mode 100644 index 0361434..0000000 --- a/aide-0.15-syslog-format.patch +++ /dev/null 
@@ -1,496 +0,0 @@ -diff -up ./doc/aide.conf.5.in.syslog_format ./doc/aide.conf.5.in ---- ./doc/aide.conf.5.in.syslog_format 2016-07-25 22:58:12.000000000 +0200 -+++ ./doc/aide.conf.5.in 2018-09-27 19:09:09.697371212 +0200 -@@ -57,6 +57,25 @@ inclusive. This parameter can only be gi - occurrence is used. If \-\-verbose or \-V is used then the value from that - is used. The default is 5. If verbosity is 20 then additional report - output is written when doing \-\-check, \-\-update or \-\-compare. -+.IP "syslog_format" -+Valid values are yes,true,no and false. This option enables new syslog format -+which is suitable for logging. Every change is logged as one simple line. This option -+changes verbose level to 0 and prints everything that was changed. It is suggested -+to use this option with "report_url=syslog:...". Default value is "false/no". -+Maximum size of message is 1KB which is limitation of syslog call. If message is -+greater than limit, message will be truncated. -+Option summarize_changes has no impact for this format. -+.nf -+.eo -+ -+Output always starts with: -+"AIDE found differences between database and filesystem!!" -+And it is followed by summary: -+summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1 -+And finally there are logs about changes: -+dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;... -+.ec -+.fi - .IP "report_url" - The url that the output is written to. There can be multiple instances - of this parameter. Output is written to all of them. 
The default is -diff -up ./include/db_config.h.syslog_format ./include/db_config.h ---- ./include/db_config.h.syslog_format 2016-07-25 22:56:55.000000000 +0200 -+++ ./include/db_config.h 2018-09-27 19:09:09.697371212 +0200 -@@ -311,6 +311,7 @@ typedef struct db_config { - FILE* db_out; - - int config_check; -+ int syslog_format; - - struct md_container *mdc_in; - struct md_container *mdc_out; -diff -up ./src/aide.c.syslog_format ./src/aide.c ---- ./src/aide.c.syslog_format 2018-09-27 19:09:09.695371197 +0200 -+++ ./src/aide.c 2018-09-27 19:09:09.698371220 +0200 -@@ -283,6 +283,7 @@ static void setdefaults_before_config() - } - - /* Setting some defaults */ -+ conf->syslog_format=0; - conf->report_db=0; - conf->tree=NULL; - conf->config_check=0; -@@ -495,6 +496,10 @@ static void setdefaults_after_config() - if(conf->verbose_level==-1){ - conf->verbose_level=5; - } -+ if(conf->syslog_format==1){ -+ conf->verbose_level=0; -+ } -+ - } - - -diff -up ./src/compare_db.c.syslog_format ./src/compare_db.c ---- ./src/compare_db.c.syslog_format 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/compare_db.c 2018-09-27 19:09:09.698371220 +0200 -@@ -110,7 +110,7 @@ const DB_ATTR_TYPE details_attributes[] - #endif - }; - --const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size (>)"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512") -+const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512") - #ifdef WITH_MHASH - , _("CRC32"), _("HAVAL"), _("GOST"), _("CRC32B"), _("WHIRLPOOL") - #endif -@@ -269,12 +269,19 @@ static int xattrs2array(xattrs_type* xat - if ((len == xattrs->ents[num - 1].vsz) || ((len == (xattrs->ents[num - 1].vsz - 
1)) && !val[len])) { - length = 8 + width + strlen(xattrs->ents[num - 1].key) + strlen(val); - (*values)[num]=malloc(length *sizeof(char)); -- snprintf((*values)[num], length , "[%.*zd] %s = %s", width, num, xattrs->ents[num - 1].key, val); -+ -+ char * fmt = "[%.*zd] %s = %s"; -+ if (conf->syslog_format) fmt = "[%.*zd]%s=%s"; // its smaller so it has to be enough space allocated. -+ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val); -+ - } else { - val = encode_base64(xattrs->ents[num - 1].val, xattrs->ents[num - 1].vsz); - length = 10 + width + strlen(xattrs->ents[num - 1].key) + strlen(val); - (*values)[num]=malloc( length *sizeof(char)); -- snprintf((*values)[num], length , "[%.*zd] %s <=> %s", width, num, xattrs->ents[num - 1].key, val); -+ -+ char * fmt = "[%.*zd] %s <=> %s"; -+ if (conf->syslog_format) fmt = "[%.*zd]%s<=>%s"; // its smaller so it has to be enough space allocated. -+ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val); - free(val); - } - } -@@ -302,6 +309,26 @@ static int acl2array(acl_type* acl, char - } - if (acl->acl_a || acl->acl_d) { - int j, k, i; -+ if (conf->syslog_format) { -+ *values = malloc(2 * sizeof(char*)); -+ -+ char *A, *D = ""; -+ -+ if (acl->acl_a) { A = acl->acl_a; } -+ if (acl->acl_d) { D = acl->acl_d; } -+ -+ (*values)[0] = (char*) malloc(strlen(A) + 3); // "A:" and \0 -+ snprintf((*values)[0], strlen(A) + 3, "A:%s", A); -+ -+ (*values)[1] = (char*) malloc(strlen(D) + 3); // "D:" and \0 -+ snprintf((*values)[1], strlen(D) + 3, "D:%s", D); -+ -+ i = 0; while ( (*values)[0][i] ) { if ( (*values)[0][i]=='\n') { (*values)[0][i] = ' '; } i++; } -+ i = 0; while ( (*values)[1][i] ) { if ( (*values)[1][i]=='\n') { (*values)[1][i] = ' '; } i++; } -+ -+ return 2; -+ } -+ - if (acl->acl_a) { i = 0; while (acl->acl_a[i]) { if (acl->acl_a[i++]=='\n') { n++; } } } - if (acl->acl_d) { i = 0; while (acl->acl_d[i]) { if (acl->acl_d[i++]=='\n') { n++; } } } - *values = 
malloc(n * sizeof(char*)); -@@ -338,25 +365,25 @@ static char* e2fsattrs2string(unsigned l - - static char* get_file_type_string(mode_t mode) { - switch (mode & S_IFMT) { -- case S_IFREG: return _("File"); -- case S_IFDIR: return _("Directory"); -+ case S_IFREG: return conf->syslog_format ? "file" : _("File"); -+ case S_IFDIR: return conf->syslog_format ? "dir" : _("Directory"); - #ifdef S_IFIFO -- case S_IFIFO: return _("FIFO"); -+ case S_IFIFO: return conf->syslog_format ? "fifo" : _("FIFO"); - #endif -- case S_IFLNK: return _("Link"); -- case S_IFBLK: return _("Block device"); -- case S_IFCHR: return _("Character device"); -+ case S_IFLNK: return conf->syslog_format ? "link" : _("Link"); -+ case S_IFBLK: return conf->syslog_format ? "blockd" : _("Block device"); -+ case S_IFCHR: return conf->syslog_format ? "chard" : _("Character device"); - #ifdef S_IFSOCK -- case S_IFSOCK: return _("Socket"); -+ case S_IFSOCK: return conf->syslog_format ? "socket" : _("Socket"); - #endif - #ifdef S_IFDOOR -- case S_IFDOOR: return _("Door"); -+ case S_IFDOOR: return conf->syslog_format ? "door" : _("Door"); - #endif - #ifdef S_IFPORT -- case S_IFPORT: return _("Port"); -+ case S_IFPORT: return conf->syslog_format ? "port" : _("Port"); - #endif - case 0: return NULL; -- default: return _("Unknown file type"); -+ default: return conf->syslog_format ? 
"unknown" : _("Unknown file type"); - } - } - -@@ -554,6 +581,51 @@ static void print_dbline_attributes(db_l - } - } - -+ -+static void print_dbline_attributes_syslog(db_line* oline, db_line* nline, DB_ATTR_TYPE -+ changed_attrs, DB_ATTR_TYPE force_attrs) { -+ char **ovalue, **nvalue; -+ int onumber, nnumber, i, j; -+ int length = sizeof(details_attributes)/sizeof(DB_ATTR_TYPE); -+ DB_ATTR_TYPE attrs; -+ char *file_type = get_file_type_string((nline==NULL?oline:nline)->perm); -+ if (file_type) { -+ error(0,"%s=", file_type); -+ } -+ error(0,"%s", (nline==NULL?oline:nline)->filename); -+ attrs=force_attrs|(~(ignored_changed_attrs)&changed_attrs); -+ for (j=0; j < length; ++j) { -+ if (details_attributes[j]&attrs) { -+ onumber=get_attribute_values(details_attributes[j], oline, &ovalue); -+ nnumber=get_attribute_values(details_attributes[j], nline, &nvalue); -+ -+ if (details_attributes[j] == DB_ACL || details_attributes[j] == DB_XATTRS) { -+ -+ error(0, ";%s_old=|", details_string[j]); -+ -+ for (i = 0 ; i < onumber ; i++) { -+ error(0, "%s|", ovalue[i]); -+ } -+ -+ error(0, ";%s_new=|", details_string[j]); -+ -+ for (i = 0 ; i < nnumber ; i++) { -+ error(0, "%s|", nvalue[i]); -+ } -+ -+ } else { -+ -+ error(0, ";%s_old=%s;%s_new=%s", details_string[j], *ovalue, details_string[j], *nvalue); -+ -+ } -+ -+ for(i=0; i < onumber; ++i) { free(ovalue[i]); ovalue[i]=NULL; } free(ovalue); ovalue=NULL; -+ for(i=0; i < nnumber; ++i) { free(nvalue[i]); nvalue[i]=NULL; } free(nvalue); nvalue=NULL; -+ } -+ } -+ error(0, "\n"); -+} -+ - static void print_attributes_added_node(db_line* line) { - print_dbline_attributes(NULL, line, 0, line->attr); - } -@@ -562,6 +634,26 @@ static void print_attributes_removed_nod - print_dbline_attributes(line, NULL, 0, line->attr); - } - -+static void print_attributes_added_node_syslog(db_line* line) { -+ -+ char *file_type = get_file_type_string(line->perm); -+ if (file_type) { -+ error(0,"%s=", file_type); -+ } -+ error(0,"%s; added\n", 
line->filename); -+ -+} -+ -+static void print_attributes_removed_node_syslog(db_line* line) { -+ -+ char *file_type = get_file_type_string(line->perm); -+ if (file_type) { -+ error(0,"%s=", file_type); -+ } -+ error(0,"%s; removed\n", line->filename); -+ -+} -+ - static void terse_report(seltree* node) { - list* r=NULL; - if ((node->checked&(DB_OLD|DB_NEW)) != 0) { -@@ -626,6 +718,26 @@ static void print_report_details(seltree - } - } - -+static void print_syslog_format(seltree* node) { -+ list* r=NULL; -+ -+ if (node->checked&NODE_CHANGED) { -+ print_dbline_attributes_syslog(node->old_data, node->new_data, node->changed_attrs, forced_attrs); -+ } -+ -+ if (node->checked&NODE_ADDED) { -+ print_attributes_added_node_syslog(node->new_data); -+ } -+ -+ if (node->checked&NODE_REMOVED) { -+ print_attributes_removed_node_syslog(node->old_data); -+ } -+ -+ for(r=node->childs;r;r=r->next){ -+ print_syslog_format((seltree*)r->data); -+ } -+} -+ - static void print_report_header() { - char *time; - int first = 1; -@@ -747,39 +859,53 @@ int gen_report(seltree* node) { - send_audit_report(); - #endif - if ((nadd|nrem|nchg) > 0 || conf->report_quiet == 0) { -- print_report_header(); -- if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) { -- if (conf->grouped) { -- if (nadd) { -- error(2,(char*)report_top_format,_("Added entries")); -- print_report_list(node, NODE_ADDED); -- } -- if (nrem) { -- error(2,(char*)report_top_format,_("Removed entries")); -- print_report_list(node, NODE_REMOVED); -- } -- if (nchg) { -- error(2,(char*)report_top_format,_("Changed entries")); -- print_report_list(node, NODE_CHANGED); -- } -- } else if (nadd || nrem || nchg) { -- if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); } -- else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); } -- else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed 
entries")); } -- else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); } -- else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); } -- else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); } -- else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); } -- print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED); -- } -- if (nadd || nrem || nchg) { -- error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes")); -- print_report_details(node); -- } -- } -- print_report_databases(); -- conf->end_time=time(&(conf->end_time)); -- print_report_footer(); -+ -+ if (!conf->syslog_format) { -+ print_report_header(); -+ } -+ -+ if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) { -+ if (!conf->syslog_format && conf->grouped) { -+ if (nadd) { -+ error(2,(char*)report_top_format,_("Added entries")); -+ print_report_list(node, NODE_ADDED); -+ } -+ if (nrem) { -+ error(2,(char*)report_top_format,_("Removed entries")); -+ print_report_list(node, NODE_REMOVED); -+ } -+ if (nchg) { -+ error(2,(char*)report_top_format,_("Changed entries")); -+ print_report_list(node, NODE_CHANGED); -+ } -+ } else if (!conf->syslog_format && ( nadd || nrem || nchg ) ) { -+ if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); } -+ else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); } -+ else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); } -+ else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); } -+ else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); } -+ else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); } -+ else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); } -+ print_report_list(node, 
NODE_ADDED|NODE_REMOVED|NODE_CHANGED); -+ } -+ if (nadd || nrem || nchg) { -+ if (!conf->syslog_format) { -+ error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes")); -+ print_report_details(node); -+ } else { -+ /* Syslog Format */ -+ error(0, "AIDE found differences between database and filesystem!!\n"); -+ error(0, "summary;total_number_of_files=%ld;added_files=%ld;" -+ "removed_files=%ld;changed_files=%ld\n",ntotal,nadd,nrem,nchg); -+ print_syslog_format(node); -+ } -+ } -+ } -+ if (!conf->syslog_format) { -+ print_report_databases(); -+ conf->end_time=time(&(conf->end_time)); -+ print_report_footer(); -+ } - } - - return conf->action&(DO_COMPARE|DO_DIFF) ? (nadd!=0)*1+(nrem!=0)*2+(nchg!=0)*4 : 0; -diff -up ./src/conf_lex.l.syslog_format ./src/conf_lex.l ---- ./src/conf_lex.l.syslog_format 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/conf_lex.l 2018-09-27 19:09:09.698371220 +0200 -@@ -401,6 +401,12 @@ int var_in_conflval=0; - return (TROOT_PREFIX); - } - -+^[\t\ ]*"syslog_format"{E} { -+ error(230,"%li:syslog_format =\n",conf_lineno); -+ BEGIN CONFVALHUNT; -+ return (SYSLOG_FORMAT); -+} -+ - ^[\t\ ]*"recstop"{E} { - error(230,"%li:recstop =\n",conf_lineno); - BEGIN CONFVALHUNT; -diff -up ./src/conf_yacc.y.syslog_format ./src/conf_yacc.y ---- ./src/conf_yacc.y.syslog_format 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/conf_yacc.y 2018-09-27 19:09:09.699371228 +0200 -@@ -89,6 +89,7 @@ extern long conf_lineno; - %token TREPORT_URL - %token TGZIPDBOUT - %token TROOT_PREFIX -+%token SYSLOG_FORMAT - %token TUMASK - %token TTRUE - %token TFALSE -@@ -160,7 +161,7 @@ line : rule | equrule | negrule | define - | ifdefstmt | ifndefstmt | ifhoststmt | ifnhoststmt - | groupdef | db_in | db_out | db_new | db_attrs | verbose | report_detailed_init | config_version - | database_add_metadata | report | gzipdbout | root_prefix | report_base16 | report_quiet -- | report_ignore_e2fsattrs | recursion_stopper | warn_dead_symlinks | grouped -+ | 
report_ignore_e2fsattrs | syslogformat | recursion_stopper | warn_dead_symlinks | grouped - | summarize_changes | acl_no_symlink_follow | beginconfigstmt | endconfigstmt - | TEOF { - newlinelastinconfig=1; -@@ -408,6 +409,15 @@ conf->gzip_dbout=0; - #endif - } ; - -+syslogformat : SYSLOG_FORMAT TTRUE { -+conf->syslog_format=1; -+} | -+ SYSLOG_FORMAT TFALSE { -+conf->syslog_format=0; -+} ; -+ -+ -+ - recursion_stopper : TRECSTOP TSTRING { - /* FIXME implement me */ - -diff -up ./src/error.c.syslog_format ./src/error.c ---- ./src/error.c.syslog_format 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/error.c 2018-09-27 19:13:40.312416750 +0200 -@@ -38,6 +38,9 @@ - /*for locale support*/ - #include "util.h" - -+#define MAX_BUFFER_SIZE 1024 -+static char syslog_buffer[MAX_BUFFER_SIZE+1]; -+ - int cmp_url(url_t* url1,url_t* url2){ - - return ((url1->type==url2->type)&&(strcmp(url1->value,url2->value)==0)); -@@ -48,7 +51,9 @@ int error_init(url_t* url,int initial) - { - list* r=NULL; - FILE* fh=NULL; -- int sfac; -+ int sfac; -+ -+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1); - - if (url->type==url_database) { - conf->report_db++; -@@ -163,13 +168,24 @@ void error(int errorlevel,char* error_ms - } - #ifdef HAVE_SYSLOG - if(conf->initial_report_url->type==url_syslog){ --#ifdef HAVE_VSYSLOG -- vsyslog(SYSLOG_PRIORITY,error_msg,ap); --#else -- char buf[1024]; -- vsnprintf(buf,1024,error_msg,ap); -- syslog(SYSLOG_PRIORITY,"%s",buf); --#endif -+ -+ char buff[MAX_BUFFER_SIZE+1]; -+ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap); -+ size_t buff_len = strlen(buff); -+ -+ char result_buff[MAX_BUFFER_SIZE+1]; -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wformat-truncation" -+ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff); -+#pragma GCC diagnostic pop -+ -+ if(buff[buff_len-1] == '\n'){ -+ syslog(SYSLOG_PRIORITY,"%s",result_buff); -+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1); -+ } else { -+ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE); 
-+ } -+ - va_end(ap); - return; - } -@@ -181,17 +197,25 @@ void error(int errorlevel,char* error_ms - - #ifdef HAVE_SYSLOG - if (conf->report_syslog!=0) { --#ifdef HAVE_VSYSLOG -- va_start(ap,error_msg); -- vsyslog(SYSLOG_PRIORITY,error_msg,ap); -- va_end(ap); --#else -- char buf[1024]; -- va_start(ap,error_msg); -- vsnprintf(buf,1024,error_msg,ap); -+ va_start(ap, error_msg); -+ -+ char buff[MAX_BUFFER_SIZE+1]; -+ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap); -+ size_t buff_len = strlen(buff); -+ -+ char result_buff[MAX_BUFFER_SIZE+1]; -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wformat-truncation" -+ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff); -+#pragma GCC diagnostic pop -+ -+ if(buff[buff_len-1] == '\n'){ -+ syslog(SYSLOG_PRIORITY,"%s",result_buff); -+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1); -+ } else { -+ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE); -+ } - va_end(ap); -- syslog(SYSLOG_PRIORITY,"%s",buf); --#endif - } - #endif - diff --git a/aide.spec b/aide.spec index be6e4a7..062480c 100644 --- a/aide.spec +++ b/aide.spec 
@@ -1,15 +1,20 @@ +%global forgeurl https://github.com/%{name}/%{name} + Summary: Intrusion detection environment Name: aide -Version: 0.18.6 -Release: 5%{?dist} -URL: http://sourceforge.net/projects/aide +Version: 0.18.8 +Release: %autorelease +URL: https://aide.github.io/ License: GPL-2.0-or-later - -Source0: %{url}/files/aide/%{version}/%{name}-%{version}.tar.gz -Source1: aide.conf -Source2: README.quickstart -Source3: aide.logrotate +Source0: %{forgeurl}/releases/download/v%{version}/%{name}-%{version}.tar.gz +Source1: %{forgeurl}/releases/download/v%{version}/%{name}-%{version}.tar.gz.asc +# gpg2 --recv-keys 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931 +# gpg2 --export --export-options export-minimal 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931 >gpgkey-aide.gpg +Source2: gpgkey-aide.gpg +Source3: aide.conf +Source4: README.quickstart +Source5: aide.logrotate BuildRequires: gcc BuildRequires: make @@ -24,6 +29,13 @@ BuildRequires: libattr-devel BuildRequires: e2fsprogs-devel BuildRequires: audit-libs-devel BuildRequires: autoconf automake libtool +# For verifying signatures +BuildRequires: gnupg2 +# For being able to run 'make check' +BuildRequires: check-devel + + +Requires: logrotate Patch1: aide-verbose.patch @@ -32,8 +44,9 @@ AIDE (Advanced Intrusion Detection Environment) is a file integrity checker and intrusion detection program. %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -cp -a %{S:2} . +cp -a %{S:4} . %patch -R -P 1 -p1 -b .verbose @@ -52,10 +65,13 @@ cp -a %{S:2} . --with-audit %make_build +%check +make check + %install %make_install bindir=%{_sbindir} -install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:1} -install -Dpm0644 %{S:3} %{buildroot}%{_sysconfdir}/logrotate.d/aide +install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:3} +install -Dpm0644 %{S:5} %{buildroot}%{_sysconfdir}/logrotate.d/aide mkdir -p %{buildroot}%{_localstatedir}/log/aide mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide 
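Review bot: The two comment lines above `Source2: gpgkey-aide.gpg` record how the keyring was exported but not whose key fingerprint `2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931` belongs to or where it was obtained, so a later maintainer cannot tell whether the binary keyring checked into dist-git still corresponds to upstream's current release-signing key; the keyring itself is not reviewable in this diff. A single line such as `# Upstream release-signing key; fingerprint cross-checked against <WHERE-THE-FINGERPRINT-WAS-OBTAINED>` would make the trust anchor auditable and tell the maintainer what to re-verify when upstream rotates keys. Fetching with `--recv-keys` by full fingerprint is fine as the recipe, since the fingerprint rather than the keyserver is what pins the key.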
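Review bot: `Requires: logrotate` makes logrotate (and whatever it pulls in) a hard runtime dependency of aide for the sake of the shipped `logrotate.d/aide` fragment, which minimal or container installs may not want. If the intent is only that the fragment is picked up when logrotate is present, `Recommends: logrotate` expresses that; if a hard dependency is deliberate, a comment such as `# the logrotate.d/aide fragment assumes logrotate is installed` next to it would record why. The three consecutive blank lines between `BuildRequires: check-devel` and `Requires: logrotate` look accidental and can be collapsed to one.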
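Review bot: `make check` in the new `%check` section invokes plain make, whereas the build step uses `%make_build`, so the tests do not get the same parallelism and verbosity flags as the rest of the build; `%make_build check` keeps the two consistent and makes test output visible in the build log. Whether the check suite needs anything a build chroot lacks (network, particular privileges) is not visible here and is worth confirming before the build depends on it. The renumbered `%{S:3}` and `%{S:5}` references in `%install` agree with the new Source3/Source5 lines in the first hunk.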
@@ -72,289 +88,4 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide %dir %attr(0700,root,root) %{_localstatedir}/log/aide %changelog -* Wed Jul 17 2024 Fedora Release Engineering - 0.18.6-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Mon Feb 12 2024 Radovan Sroka - 0.18.6-4 -- rebase to 0.18.6 - -* Mon Jan 22 2024 Fedora Release Engineering - 0.18.6-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Fri Jan 19 2024 Fedora Release Engineering - 0.18.6-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Tue Oct 24 2023 Radovan Sroka - 0.18.6-1 -- rebase to 0.18.6 - -* Wed Jul 19 2023 Fedora Release Engineering - 0.18.4-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Wed Jun 21 2023 Radovan Sroka - 0.18.4-1 -- aide-0.18.4 is available -Resolves: rhbz#1910486 -- Please port your pcre dependency to pcre2. Pcre has been deprecated -Resolves: rhbz#2128267 - -* Tue Jun 13 2023 Radovan Sroka - 0.16-23 -- migrated to SPDX license - -* Wed Jan 18 2023 Fedora Release Engineering - 0.16-22 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Fri Nov 25 2022 Florian Weimer - 0.16-21 -- Apply upstream patches to port configure to C99 - -* Wed Jul 20 2022 Fedora Release Engineering - 0.16-20 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Wed Jan 19 2022 Fedora Release Engineering - 0.16-19 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Wed Jul 21 2021 Fedora Release Engineering - 0.16-18 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Mon Jan 25 2021 Fedora Release Engineering - 0.16-17 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Fri Jul 31 2020 Fedora Release Engineering - 0.16-16 -- Second attempt - Rebuilt for - https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Mon Jul 27 2020 Fedora Release Engineering - 0.16-15 -- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Wed Jun 24 2020 Radovan Sroka 0.16-14 -- AIDE breaks when setting report_ignore_e2fsattrs - Resolves: rhbz#1850276 - -* Tue Jan 28 2020 Fedora Release Engineering - 0.16-13 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Wed Jul 31 2019 Radovan Sroka - 0.16-12 -- backport some patches - Resolves: rhbz#1717140 - -* Wed Jul 24 2019 Fedora Release Engineering - 0.16-11 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Wed Feb 20 2019 Daniel Kopecek - 0.16-10 -- Fix building with curl - Resolves: rhbz#1674637 - -* Thu Jan 31 2019 Fedora Release Engineering - 0.16-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Tue Jul 31 2018 Florian Weimer - 0.16-8 -- Rebuild with fixed binutils - -* Thu Jul 12 2018 Fedora Release Engineering - 0.16-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Tue Feb 20 2018 Igor Gnatenko - 0.16-6 -- Rebuild - -* Wed Feb 07 2018 Fedora Release Engineering - 0.16-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Wed Aug 02 2017 Fedora Release Engineering - 0.16-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Wed Jul 26 2017 Fedora Release Engineering - 0.16-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Wed Apr 05 2017 Radovan Sroka - 0.16-2 -- fixed upstream link - -* Tue Apr 04 2017 Radovan Sroka - 0.16-1 -- rebase to stable v0.16 -- specfile cleanup -- make doc readable - resolves: #1421355 -- make aide binary runable for any user - resolves: #1421351 - -* Fri Feb 10 2017 Fedora Release Engineering - 0.16-0.3.rc1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Tue Jul 12 2016 Tomas Sykora - 0.16-0.2.rc1 -- New upstream devel version - -* Mon Jun 20 2016 Tomas Sykora - 0.16-0.1.b1 -- New upstream devel version - -* Wed Feb 03 2016 Fedora Release Engineering - 0.15.1-12 
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Sat Jul 25 2015 Till Maas - 0.15.1-11 -- Remove prelink dependency because prelink was retired - -* Tue Jun 16 2015 Fedora Release Engineering - 0.15.1-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Fri Aug 15 2014 Fedora Release Engineering - 0.15.1-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Fri Jul 18 2014 Yaakov Selkowitz - 0.15.1-8 -- Fix FTBFS with -Werror=format-security (#1036983, #1105942) -- Avoid prelink BR on aarch64, ppc64le (#924977, #1078476) - -* Sat Jun 07 2014 Fedora Release Engineering - 0.15.1-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Sat Aug 03 2013 Fedora Release Engineering - 0.15.1-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Wed Feb 13 2013 Fedora Release Engineering - 0.15.1-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Thu Nov 22 2012 Daniel Kopecek - 0.15.1-4 -- added patch to fix aide in FIPS mode -- use only FIPS approved digest algorithms in aide.conf so that - aide works by default in FIPS mode - -* Wed Jul 18 2012 Fedora Release Engineering - 0.15.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Thu Jan 12 2012 Fedora Release Engineering - 0.15.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Thu Nov 11 2010 Steve Grubb - 0.15.1-1 -- New upstream release - -* Tue May 18 2010 Steve Grubb - 0.14-5 -- Apply 2 upstream bug fixes - -* Tue May 18 2010 Steve Grubb - 0.14-4 -- Use upstream's patch to fix bz 590566 - -* Sat May 15 2010 Steve Grubb - 0.14-3 -- Fix bz 590561 aide does not detect the change of SElinux context -- Fix bz 590566 aide reports a changed file when it has not been changed - -* Wed Apr 28 2010 Steve Grubb - 0.14-2 -- Fix bz 574764 by replacing abort calls with exit -- Apply libgcrypt init patch - -* Tue Mar 16 2010 Steve Grubb - 
0.14-1 -- New upstream release final 0.14 - -* Thu Feb 25 2010 Steve Grubb - 0.14-0.4.rc3 -- New upstream release - -* Thu Feb 25 2010 Steve Grubb - 0.14-0.3.rc2 -- New upstream release - -* Tue Feb 23 2010 Steve Grubb - 0.14-0.2.rc1 -- Fix dirent detection on 64bit systems - -* Mon Feb 22 2010 Steve Grubb - 0.14-0.1.rc1 -- New upstream release - -* Fri Feb 19 2010 Steve Grubb - 0.13.1-16 -- Add logrotate script and spec file cleanups - -* Fri Dec 11 2009 Steve Grubb - 0.13.1-15 -- Get rid of .dedosify files - -* Wed Dec 09 2009 Steve Grubb - 0.13.1-14 -- Revise patch for Initialize libgcrypt correctly (#530485) - -* Sat Nov 07 2009 Steve Grubb - 0.13.1-13 -- Initialize libgcrypt correctly (#530485) - -* Fri Aug 21 2009 Tomas Mraz - 0.13.1-12 -- rebuilt with new audit - -* Wed Aug 19 2009 Steve Grubb 0.13.1-11 -- rebuild for new audit-libs -- Correct regex for root's dot files (#509370) - -* Fri Jul 24 2009 Fedora Release Engineering - 0.13.1-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Mon Jun 08 2009 Steve Grubb - 0.13.1-9 -- Make aide smarter about prelinked files (Peter Vrabec) -- Add /lib64 to default config - -* Mon Feb 23 2009 Fedora Release Engineering - 0.13.1-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Fri Jan 30 2009 Steve Grubb - 0.13.1-6 -- enable xattr support and update config file - -* Fri Sep 26 2008 Tom "spot" Callaway - 0.13.1-5 -- fix selcon patch to apply without fuzz - -* Fri Feb 15 2008 Steve Conklin -- rebuild for gcc4.3 - -* Tue Aug 21 2007 Michael Schwendt -- rebuilt - -* Sun Jul 22 2007 Michael Schwendt - 0.13.1-2 -- Apply Steve Conklin's patch to increase displayed portion of - selinux context. - -* Sun Dec 17 2006 Michael Schwendt - 0.13.1-1 -- Update to 0.13.1 release. - -* Sun Dec 10 2006 Michael Schwendt - 0.13-1 -- Update to 0.13 release. -- Include default aide.conf from RHEL5 as doc example file. - -* Sun Oct 29 2006 Michael Schwendt - 0.12-3.20061027cvs -- CAUTION! 
This changes the database format and results in a report of - false inconsistencies until an old database file is updated. -- Check out CVS 20061027 which now contains Red Hat's - acl/xattr/selinux/audit patches. -- Patches merged upstream. -- Update manual page substitutions. - -* Mon Oct 23 2006 Michael Schwendt - 0.12-2 -- Add "memory leaks and performance updates" patch as posted - to aide-devel by Steve Grubb. - -* Sat Oct 07 2006 Michael Schwendt - 0.12-1 -- Update to 0.12 release. -- now offers --disable-static, so -no-static patch is obsolete -- fill last element of getopt struct array with zeroes - -* Mon Oct 02 2006 Michael Schwendt - 0.11-3 -- rebuilt - -* Mon Sep 11 2006 Michael Schwendt - 0.11-2 -- rebuilt - -* Sun Feb 19 2006 Michael Schwendt - 0.11-1 -- Update to 0.11 release. -- useless-includes patch merged upstream. -- old Russian man pages not available anymore. -- disable static linking. - -* Thu Apr 7 2005 Michael Schwendt -- rebuilt - -* Fri Nov 28 2003 Michael Schwendt - 0:0.10-0.fdr.1 -- Update to 0.10 release. -- memleaks patch merged upstream. -- rootpath patch merged upstream. -- fstat patch not needed anymore. -- Updated URL. - -* Thu Nov 13 2003 Michael Schwendt - 0:0.10-0.fdr.0.2.cvs20031104 -- Added buildreq m4 to work around incomplete deps of bison package. - -* Tue Nov 04 2003 Michael Schwendt - 0:0.10-0.fdr.0.1.cvs20031104 -- Only tar.gz available upstream. -- byacc not needed when bison -y is available. -- Installed Russian manual pages. -- Updated with changes from CVS (2003-11-04). -- getopt patch merged upstream. -- bison-1.35 patch incorporated upstream. - -* Tue Sep 09 2003 Michael Schwendt - 0:0.9-0.fdr.0.2.20030902 -- Added fixes for further memleaks. - -* Sun Sep 07 2003 Michael Schwendt - 0:0.9-0.fdr.0.1.20030902 -- Initial package version. +%autochangelog diff --git a/coverity.patch b/coverity.patch deleted file mode 100644 index 9b981be..0000000 --- a/coverity.patch +++ /dev/null 
@@ -1,642 +0,0 @@ -diff -up ./include/be.h.coverity ./include/be.h ---- ./include/be.h.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./include/be.h 2018-10-10 19:27:18.680632681 +0200 -@@ -22,6 +22,6 @@ - #define _BE_H_INCLUDED - #include "db_config.h" - --FILE* be_init(int inout,url_t* u,int iszipped); -+void* be_init(int inout,url_t* u,int iszipped); - - #endif /* _BE_H_INCLUDED */ -diff -up ./include/db_config.h.coverity ./include/db_config.h ---- ./include/db_config.h.coverity 2018-10-10 19:27:18.672632611 +0200 -+++ ./include/db_config.h 2018-10-10 19:27:18.681632689 +0200 -@@ -376,7 +376,7 @@ typedef struct db_config { - #endif - - url_t* initial_report_url; -- FILE* initial_report_fd; -+ void* initial_report_fd; - - /* report_url is a list of url_t*s */ - list* report_url; -diff -up ./src/aide.c.coverity ./src/aide.c ---- ./src/aide.c.coverity 2018-10-10 19:27:18.678632663 +0200 -+++ ./src/aide.c 2018-10-10 19:27:18.681632689 +0200 -@@ -278,7 +278,7 @@ static void setdefaults_before_config() - error(0,_("Couldn't get hostname")); - free(s); - } else { -- s=(char*)realloc((void*)s,strlen(s)+1); -+ // s=(char*)realloc((void*)s,strlen(s)+1); - do_define("HOSTNAME",s); - } - -@@ -506,8 +506,6 @@ static void setdefaults_after_config() - int main(int argc,char**argv) - { - int errorno=0; -- byte* dig=NULL; -- char* digstr=NULL; - - #ifdef USE_LOCALE - setlocale(LC_ALL,""); -@@ -544,6 +542,10 @@ int main(int argc,char**argv) - } - - errorno=commandconf('C',conf->config_file); -+ if (errorno==RETFAIL){ -+ error(0,_("Configuration error\n")); -+ exit(INVALID_CONFIGURELINE_ERROR); -+ } - - errorno=commandconf('D',""); - if (errorno==RETFAIL){ -@@ -594,6 +596,9 @@ int main(int argc,char**argv) - } - } - #ifdef WITH_MHASH -+ byte* dig=NULL; -+ char* digstr=NULL; -+ - if(conf->config_check&&FORCECONFIGMD){ - error(0,"Can't give config checksum when compiled with --enable-forced_configmd\n"); - exit(INVALID_ARGUMENT_ERROR); -diff -up ./src/base64.c.coverity 
./src/base64.c ---- ./src/base64.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/base64.c 2018-10-10 19:27:18.681632689 +0200 -@@ -209,6 +209,7 @@ byte* decode_base64(char* src,size_t ssi - case FAIL: - error(3, "decode_base64: Illegal character: %c\n", *inb); - error(230, "decode_base64: Illegal line:\n%s\n", src); -+ free(outbuf); - return NULL; - break; - case SKIP: -@@ -260,7 +261,7 @@ size_t length_base64(char* src,size_t ss - int l; - int left; - size_t pos; -- unsigned long triple; -+ //unsigned long triple; - - error(235, "decode base64\n"); - /* Exit on empty input */ -@@ -273,7 +274,7 @@ size_t length_base64(char* src,size_t ss - inb = src; - - l = 0; -- triple = 0; -+ //triple = 0; - pos=0; - left = ssize; - /* -@@ -293,7 +294,7 @@ size_t length_base64(char* src,size_t ss - case SKIP: - break; - default: -- triple = triple<<6 | (0x3f & i); -+ //triple = triple<<6 | (0x3f & i); - l++; - break; - } -@@ -302,10 +303,10 @@ size_t length_base64(char* src,size_t ss - switch(l) - { - case 2: -- triple = triple>>4; -+ //triple = triple>>4; - break; - case 3: -- triple = triple>>2; -+ //triple = triple>>2; - break; - default: - break; -@@ -314,7 +315,7 @@ size_t length_base64(char* src,size_t ss - { - pos++; - } -- triple = 0; -+ //triple = 0; - l = 0; - } - inb++; -diff -up ./src/be.c.coverity ./src/be.c ---- ./src/be.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/be.c 2018-10-10 19:27:18.681632689 +0200 -@@ -117,9 +117,9 @@ static char* get_first_value(char** in){ - - #endif - --FILE* be_init(int inout,url_t* u,int iszipped) -+void* be_init(int inout,url_t* u,int iszipped) - { -- FILE* fh=NULL; -+ void* fh=NULL; - long a=0; - char* err=NULL; - int fd; -diff -up ./src/commandconf.c.coverity ./src/commandconf.c ---- ./src/commandconf.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/commandconf.c 2018-10-10 19:27:18.682632698 +0200 -@@ -106,7 +106,7 @@ int commandconf(const char mode,const ch - rv=0; - } else { - -- 
rv=access(config,R_OK); -+ if (config != NULL) rv=access(config,R_OK); - if(rv==-1){ - error(0,_("Cannot access config file: %s: %s\n"),config,strerror(errno)); - } -@@ -166,14 +166,11 @@ int commandconf(const char mode,const ch - int conf_input_wrapper(char* buf, int max_size, FILE* in) - { - int retval=0; -- int c=0; -- char* tmp=NULL; -- void* key=NULL; -- int keylen=0; - - /* FIXME Add support for gzipped config. :) */ - #ifdef WITH_MHASH - /* Read a character at a time until we are doing md */ -+ int c=0; - if(conf->do_configmd){ - retval=fread(buf,1,max_size,in); - }else { -@@ -185,6 +182,9 @@ int conf_input_wrapper(char* buf, int ma - #endif - - #ifdef WITH_MHASH -+ char* tmp=NULL; -+ void* key=NULL; -+ int keylen=0; - if(conf->do_configmd||conf->config_check){ - if(((conf->do_configmd==1)&&conf->config_check)||!conf->confmd){ - if(conf->do_configmd==1){ -@@ -276,6 +276,9 @@ int db_input_wrapper(char* buf, int max_ - #endif - break; - } -+ default: { -+ return 0; -+ } - } - - #ifdef WITH_CURL -@@ -651,7 +654,6 @@ int handle_endif(int doit,int allow_else - case 0 : { - conferror("@@endif or @@else expected"); - return -1; -- count=0; - } - - default : { -@@ -816,6 +818,7 @@ void do_dbdef(int dbtype,char* val) - if(u==NULL||u->type==url_unknown||u->type==url_stdout - ||u->type==url_stderr) { - error(0,_("Unsupported input URL-type:%s\n"),val); -+ free(u); - } - else { - *conf_db_url=u; -@@ -825,6 +828,7 @@ void do_dbdef(int dbtype,char* val) - case DB_WRITE: { - if(u==NULL||u->type==url_unknown||u->type==url_stdin){ - error(0,_("Unsupported output URL-type:%s\n"),val); -+ free(u); - } - else{ - conf->db_out_url=u; -@@ -848,6 +852,7 @@ void do_dbindef(char* val) - if(u==NULL||u->type==url_unknown||u->type==url_stdout - ||u->type==url_stderr) { - error(0,_("Unsupported input URL-type:%s\n"),val); -+ free(u); - } - else { - conf->db_in_url=u; -@@ -869,6 +874,7 @@ void do_dboutdef(char* val) - * both input and output urls */ - 
if(u==NULL||u->type==url_unknown||u->type==url_stdin){ - error(0,_("Unsupported output URL-type:%s\n"),val); -+ free(u); - } - else{ - conf->db_out_url=u; -@@ -894,7 +900,8 @@ void do_repurldef(char* val) - } else { - error_init(u,0); - } -- -+ -+ free(u); - } - - void do_verbdef(char* val) -@@ -984,7 +991,7 @@ void do_report_ignore_e2fsattrs(char* va - break; - } - } -- *val++; -+ val++; - } - } - #endif -diff -up ./src/compare_db.c.coverity ./src/compare_db.c ---- ./src/compare_db.c.coverity 2018-10-10 19:27:18.673632619 +0200 -+++ ./src/compare_db.c 2018-10-10 19:27:18.682632698 +0200 -@@ -312,7 +312,7 @@ static int acl2array(acl_type* acl, char - if (conf->syslog_format) { - *values = malloc(2 * sizeof(char*)); - -- char *A, *D = ""; -+ char *A= "", *D = ""; - - if (acl->acl_a) { A = acl->acl_a; } - if (acl->acl_d) { D = acl->acl_d; } -diff -up ./src/conf_lex.l.coverity ./src/conf_lex.l ---- ./src/conf_lex.l.coverity 2018-10-10 19:27:18.673632619 +0200 -+++ ./src/conf_lex.l 2018-10-10 19:27:18.682632698 +0200 -@@ -133,7 +133,7 @@ int var_in_conflval=0; - [\ \t]*\n { - conf_lineno++; - return (TNEWLINE); -- BEGIN 0; -+// BEGIN 0; - } - - \+ { -diff -up ./src/db.c.coverity ./src/db.c ---- ./src/db.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/db.c 2018-10-10 19:27:18.683632707 +0200 -@@ -27,6 +27,7 @@ - #include "db_file.h" - #include "db_disk.h" - #include "md.h" -+#include "fopen.h" - - #ifdef WITH_PSQL - #include "db_sql.h" -@@ -269,6 +270,9 @@ db_line* db_readline(int db){ - db_order=&(conf->db_new_order); - break; - } -+ default: { -+ return NULL; -+ } - } - - switch (db_url->type) { -@@ -368,7 +372,7 @@ db_line* db_char2line(char** ss,int db){ - - int i; - db_line* line=(db_line*)malloc(sizeof(db_line)*1); -- int* db_osize=0; -+ int* db_osize=NULL; - DB_FIELD** db_order=NULL; - - switch (db) { -@@ -382,6 +386,10 @@ db_line* db_char2line(char** ss,int db){ - db_order=&(conf->db_new_order); - break; - } -+ default: { -+ free(line); -+ return NULL; 
-+ } - } - - -@@ -601,7 +609,9 @@ db_line* db_char2line(char** ss,int db){ - size_t vsz = 0; - - tval = strtok(NULL, ","); -- line->xattrs->ents[num].key = db_readchar(strdup(tval)); -+ char * tmp = strdup(tval); -+ line->xattrs->ents[num].key = db_readchar(tmp); -+ free(tmp); - tval = strtok(NULL, ","); - val = base64tobyte(tval, strlen(tval), &vsz); - line->xattrs->ents[num].val = val; -@@ -648,6 +658,8 @@ db_line* db_char2line(char** ss,int db){ - - default : { - error(0,_("Not implemented in db_char2line %i \n"),(*db_order)[i]); -+ free_db_line(line); -+ free(line); - return NULL; - } - -@@ -826,7 +838,7 @@ void db_close() { - case url_ftp: - { - if (conf->db_out!=NULL) { -- url_fclose(conf->db_out); -+ url_fclose((URL_FILE*)conf->db_out); - } - break; - } -diff -up ./src/db_disk.c.coverity ./src/db_disk.c ---- ./src/db_disk.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/db_disk.c 2018-10-10 19:28:00.108995089 +0200 -@@ -79,9 +79,15 @@ static DIR *open_dir(char* path) { - - static void next_in_dir (void) - { -+ - #ifdef HAVE_READDIR_R -- if (dirh != NULL) -+ if (dirh != NULL) { -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wdeprecated-declarations" - rdres = AIDE_READDIR_R_FUNC (dirh, entp, resp); -+#pragma GCC diagnostic pop -+ } -+ - #else - #ifdef HAVE_READDIR - if (dirh != NULL) { -diff -up ./src/db_file.c.coverity ./src/db_file.c ---- ./src/db_file.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/db_file.c 2018-10-10 19:27:18.683632707 +0200 -@@ -171,7 +171,7 @@ int dofprintf( const char* s,...) - int db_file_read_spec(int db){ - - int i=0; -- int* db_osize=0; -+ int* db_osize=NULL; - DB_FIELD** db_order=NULL; - - switch (db) { -@@ -187,6 +187,9 @@ int db_file_read_spec(int db){ - db_lineno=&db_new_lineno; - break; - } -+ default: { -+ return RETFAIL; -+ } - } - - *db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD)); -@@ -198,13 +201,10 @@ int db_file_read_spec(int db){ - int l; - - -- /* Yes... 
we do not check if realloc returns nonnull */ -- -- *db_order=(DB_FIELD*) -- realloc((void*)*db_order, -+ void * tmp = realloc((void*)*db_order, - ((*db_osize)+1)*sizeof(DB_FIELD)); -- -- if(*db_order==NULL){ -+ if (tmp != NULL) *db_order=(DB_FIELD*) tmp; -+ else { - return RETFAIL; - } - -@@ -291,8 +291,8 @@ char** db_readline_file(int db){ - int* domd=NULL; - #ifdef WITH_MHASH - MHASH* md=NULL; --#endif - char** oldmdstr=NULL; -+#endif - int* db_osize=0; - DB_FIELD** db_order=NULL; - FILE** db_filep=NULL; -@@ -302,9 +302,9 @@ char** db_readline_file(int db){ - case DB_OLD: { - #ifdef WITH_MHASH - md=&(conf->dboldmd); -+ oldmdstr=&(conf->old_dboldmdstr); - #endif - domd=&(conf->do_dboldmd); -- oldmdstr=&(conf->old_dboldmdstr); - - db_osize=&(conf->db_in_size); - db_order=&(conf->db_in_order); -@@ -316,9 +316,9 @@ char** db_readline_file(int db){ - case DB_NEW: { - #ifdef WITH_MHASH - md=&(conf->dbnewmd); -+ oldmdstr=&(conf->old_dbnewmdstr); - #endif - domd=&(conf->do_dbnewmd); -- oldmdstr=&(conf->old_dbnewmdstr); - - db_osize=&(conf->db_new_size); - db_order=&(conf->db_new_order); -@@ -328,7 +328,9 @@ char** db_readline_file(int db){ - break; - } - } -- -+ -+ if (db_osize == NULL) return NULL; -+ - if (*db_osize==0) { - db_buff(db,*db_filep); - -@@ -737,8 +739,6 @@ int db_writespec_file(db_config* dbconf) - int i=0; - int j=0; - int retval=1; -- void*key=NULL; -- int keylen=0; - struct tm* st; - time_t tim=time(&tim); - st=localtime(&tim); -@@ -750,6 +750,8 @@ int db_writespec_file(db_config* dbconf) - - #ifdef WITH_MHASH - /* From hereon everything must MD'd before write to db */ -+ void*key=NULL; -+ int keylen=0; - if((key=get_db_key())!=NULL){ - keylen=get_db_key_len(); - dbconf->do_dbnewmd=1; -diff -up ./src/do_md.c.coverity ./src/do_md.c ---- ./src/do_md.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/do_md.c 2018-10-10 19:27:18.683632707 +0200 -@@ -202,7 +202,6 @@ void calc_md(struct AIDE_STAT_TYPE* old_ - and we don't read from a pipe :) - */ - 
struct AIDE_STAT_TYPE fs; -- int sres=0; - int stat_diff,filedes; - #ifdef WITH_PRELINK - pid_t pid; -@@ -237,7 +236,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_ - return; - } - -- sres=AIDE_FSTAT_FUNC(filedes,&fs); -+ AIDE_FSTAT_FUNC(filedes,&fs); - if(!(line->attr&DB_RDEV)) - fs.st_rdev=0; - -@@ -331,7 +330,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_ - } - #endif - #endif /* not HAVE_MMAP */ -- buf=malloc(READ_BLOCK_SIZE); -+// buf=malloc(READ_BLOCK_SIZE); - #if READ_BLOCK_SIZE>SSIZE_MAX - #error "READ_BLOCK_SIZE" is too large. Max value is SSIZE_MAX, and current is READ_BLOCK_SIZE - #endif -diff -up ./src/gen_list.c.coverity ./src/gen_list.c ---- ./src/gen_list.c.coverity 2016-07-25 22:56:55.000000000 +0200 -+++ ./src/gen_list.c 2018-10-10 19:27:18.684632716 +0200 -@@ -843,15 +843,15 @@ static void add_file_to_tree(seltree* tr - DB_ATTR_TYPE localignorelist=0; - DB_ATTR_TYPE ignored_added_attrs, ignored_removed_attrs, ignored_changed_attrs; - -+ if(file==NULL){ -+ error(0, "add_file_to_tree was called with NULL db_line\n"); -+ } -+ - node=get_seltree_node(tree,file->filename); - - if(!node){ - node=new_seltree_node(tree,file->filename,0,NULL); - } -- -- if(file==NULL){ -- error(0, "add_file_to_tree was called with NULL db_line\n"); -- } - - /* add note to this node which db has modified it */ - node->checked|=db; -diff -up ./src/md.c.coverity ./src/md.c ---- ./src/md.c.coverity 2018-10-10 19:27:18.679632672 +0200 -+++ ./src/md.c 2018-10-10 19:27:18.684632716 +0200 -@@ -36,8 +36,8 @@ - */ - - DB_ATTR_TYPE hash_gcrypt2attr(int i) { -- DB_ATTR_TYPE r=0; - #ifdef WITH_GCRYPT -+ DB_ATTR_TYPE r=0; - switch (i) { - case GCRY_MD_MD5: { - r=DB_MD5; -@@ -74,13 +74,15 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) { - default: - break; - } --#endif - return r; -+#else /* !WITH_GCRYPT */ -+ return 0; -+#endif - } - - const char * hash_gcrypt2str(int i) { -- char * r = "?"; - #ifdef WITH_GCRYPT -+ char * r = "?"; - switch (i) { - case GCRY_MD_MD5: { - r = "MD5"; -@@ -117,13 
+119,17 @@ const char * hash_gcrypt2str(int i) { - default: - break; - } --#endif - return r; -+#else /* !WITH_GCRYPT */ -+ return "?"; -+#endif - } - -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wunused-parameter" - DB_ATTR_TYPE hash_mhash2attr(int i) { -- DB_ATTR_TYPE r=0; - #ifdef WITH_MHASH -+ DB_ATTR_TYPE r=0; - switch (i) { - case MHASH_CRC32: { - r=DB_CRC32; -@@ -198,10 +204,15 @@ DB_ATTR_TYPE hash_mhash2attr(int i) { - default: - break; - } --#endif -+ - return r; -+#else /*!WITH_MHASH */ -+ return 0; -+#endif - } - -+#pragma GCC diagnostic pop -+ - /* - Initialise md_container according it's todo_attr field - */ -@@ -317,7 +328,6 @@ int init_md(struct md_container* md) { - */ - - int update_md(struct md_container* md,void* data,ssize_t size) { -- int i; - - error(255,"update_md called\n"); - -@@ -328,6 +338,7 @@ int update_md(struct md_container* md,vo - #endif - - #ifdef WITH_MHASH -+ int i; - - for(i=0;i<=HASH_MHASH_COUNT;i++) { - if (md->mhash_mdh[i]!=MHASH_FAILED) { -@@ -348,7 +359,6 @@ int update_md(struct md_container* md,vo - */ - - int close_md(struct md_container* md) { -- int i; - #ifdef _PARAMETER_CHECK_ - if (md==NULL) { - return RETFAIL; -@@ -356,6 +366,7 @@ int close_md(struct md_container* md) { - #endif - error(255,"close_md called \n"); - #ifdef WITH_MHASH -+ int i; - for(i=0;i<=HASH_MHASH_COUNT;i++) { - if (md->mhash_mdh[i]!=MHASH_FAILED) { - mhash (md->mhash_mdh[i], NULL, 0); -diff -up ./src/util.c.coverity ./src/util.c ---- ./src/util.c.coverity 2018-10-10 19:27:18.670632593 +0200 -+++ ./src/util.c 2018-10-10 19:27:18.684632716 +0200 -@@ -105,13 +105,15 @@ url_t* parse_url(char* val) - for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++); - if(r[0]=='\0'){ - error(0,"Invalid file-URL,no path after hostname: file:%s\n",t); -+ free(hostname); - return NULL; - } - u->value=strdup(r); - r[0]='\0'; - if(gethostname(hostname,MAXHOSTNAMELEN)==-1){ -- strncpy(hostname,"localhost", 10); -+ strncpy(hostname,"localhost", 10); - } -+ - if( 
(strcmp(t,"localhost")==0)||(strcmp(t,hostname)==0)){ - free(hostname); - break; -@@ -120,7 +122,7 @@ url_t* parse_url(char* val) - free(hostname); - return NULL; - } -- free(hostname); -+ - break; - } - u->value=strdup(r); 
diff --git a/gpgkey-aide.gpg b/gpgkey-aide.gpg new file mode 100644 index 0000000000000000000000000000000000000000..efb011917bd132d1633f2ceeb97ee79c1acfa0f4 GIT binary patch literal 5160 zcmajiXEYp&y2kM-gwY9x=)JdSBYH0xq7Op!=ti_bY+`glB8ccEI?=Woqjxbx34+l} zh~9~C*V*TsbrCd694Ss?}50AWv)%l{OW_~LfIvFc0ne0q-#>1e);23q2#C>wm zPJv6RX_L_VYfIkgW?6IR4jr2Vp2}M7x!B2eGPJ)|YHRVY8Lz}hvj!~1!mf|aH3`S{oQpOpF}!xUk2)nJF0RWQEvSN7I=A5+b~Kii?!q({IY{ZM<)O8I82dP?gXKZ90Awq5?nWABCDjU|oQ?%YBM ztIr+$g>?wu%tn#0jrltgM(>iEY^G6`FAjDEYi(^u9&9TEO?YEA^gnfn_pJA++0QeJ z^EKm#U4-R-zU}a_2<)Cct*-`H>j*h`Sp_@CQOv$?XY@>d_&8?r_Js-xCA`kng%`&x z>#pFL+KODskft&2Pc5`x zo8&B{AIj9_Nmdj1-^u$QrS7Y|UBW7on~+JpC_OETl{OAF?57Yvns@4hqeh}&ppBrc zpvd<`ZaZK0Su6ct>u3534`YlU2*s&k5z?8^kK- z{MS**AL;4*ubZ$v(nBE@guuHGBmyXd7=ZZ15JCblJ`E9skQkp91O@^?%s>$I6^I^4 z%Z4Y=I!Rt$m-)~L^Q-tg<&O&ItrjtSkV7yp3qFKV(zORb1flr%owaMuEY-$al3dp-t6agj&Po2tvB0sCJw_Emq)Lll>`dN6+^{@uhqC z6FyDMfh=^yigmxOF9S&}Bq6b0=qansw>aV_T$15IW3hk+L*w&Hs6NqRzAJA9Mfx?v z3do73s3*5>4ki0s7A|TYWTou5HTRbwF5!FU5oJ6mMT58IGp^U$>f7gf4`pc)MVnwpoO}YcP)NUwq8Yz9 z3`uALWvtvh?qWsFGr+5cN73jTYx#6IAiW=lQCyEO@NiTnzceLz+!`*Yj8JpJgDN|u z_eRir_a>3UFV{cYh9_dE;1>=0CIkd@qQ>+cSD&RP8l*J`S?isv=R!akPm^gw!v@=*pI)~K z;t{vuY^XP%#7E*p7J{=Sq$|HtjFocjQ&E4^(LwqXGmafFxTS(yhG%l@@3FS^+yQVA zzN*cuNp<6C(?U8|4*(Z$cZy_*5g_wIHksj6v20(2d&&u{Uf}=k(Es24DLFXWx!8IN zBfXszVnN1#WvK8s8U9^^GXJ~5(>n?P+G6;_bh0k6gX{<{==&3?BGi!=X38rEDoJeCk2c0NdfI}lJ`a$`&0;K2co2Peyi&_!!5AN_zkmpt+hv-z2~PeEAJ zvO;BZ|FOjP^5=!%MZU9TF|g+J8q#l#x^O?VgReo9*spJ zNIxtJ`jzG6m)-}&r+XNS9)q13ndAV(hd+%qjgq>K#_yW6%|~K4B`KVnWcREZk8+rV z`Quif7_V$to;W|0g^Km-dd)N=;F6XH9_F+^#ABa`&$5h-v3@brn~ZOf>@lvG(0+Yt zm$!nS)VKRPfs|o{41)^eaS7)h?eEYl&Hx%$F&TC8ru96*9JG8biryE|@*8a>Bc4X~ zmp@;M3XIN;wv-=dYhIU<{MB+#2d0wXwm)_exm%m8=ihxUTP8aDHI!*vLb5`&;$y=Q zoP%fP#g!T2_Dj6={r;y{?n~wD2H6I?T>fBgj6LX~hm@&YH7n`XqtEmNEXge|(NgH$ zy~b8IUT=q#wcos9m`YuV@$4300-he^_a`6;pig@ZUN>R;T`*YK@JQDJXu^TZv~Ac_ za*tE$FR~917GUJVyVP)Bomln+Ti(7^%mMG;oAW9c$LNhyDaqBd&r7oeLEStS!1ubI 
z25>IUna>O7m-_#~650q(5iBjN5Pub}r%VE^jx;RwT!7j16Nd`96kX|4zqHJhAnCtk zCM64MUzZMK(ebH?gHD{A31=Dd;U;ybx$sJil#F*{BSr4k#PZiQ*mW0=l_Nm&2G>FC zMj3$z!pN;Ut*}65N?IiEhz&b-aP_*9LsOqQV01MEE!Mc9&f?K&Ul%nJ9q{Fq?d2?{ z1>6uQmgVC(2q(PCLzwvrH*{uq%?WwU#{g{RUh(w*@b?FBRj6yAgk2)8t>0sLUnF1e z6P0ZlY^ASJ+|Kl?9|yNRdX*^f8j(Bi6l|>xVN1ZF?0QZtqJn|cN8~%6;kdvewR#Wy z;LhYSQtzQJeu)~x4t+#7sy{M5P&>BA>Jo`~P^QQyJ&nr1Wa|sI{uoy~Qy+EtYnx(0 za(Hw=A^Xjjo3%?w3F%s^{uSX3Bmb*5UDF(|*}z2E8;osz*PzLEy5>PRjz3oK7#8O%$F z=LH=#au4G`nc${vUlzyiIzf>1$l(5z4L5g6U0}q9*t%1&B__I9!q^^5rV@YKGHU!Z zq$c)RKf9%sjn^tUEjpwBt6fjhdKluRx9tg$eqqI_k@%LXX~MU&wi8B{yD3FzHzzIT z*|J!CF(LmJ%MK6kWwRygPsr8h#_;Q4wFkF8Ll<@)DjZ+PG8@3q?arC+h$AgfvPMg8 zFB-cm(3r~69+r42xH4#N5ItyLT+8~NF>oL)+&Hpa;B519Mkt_3qg8j;A5F4crqxT$ zPzqU@vNi3F7TD!1$ zni)rX&Jqhd^n2m>of)?%sz6kqcUZgh8-_6utMJ*8LArnK9VAvCwI5I80a?;+zpYz) zhY%;%I4i-24B1L|H8|zFQTA`lCHVd%)g8B%zX-pr&{WMy8j9mj$dzSF+_|4r)f^KG zhnHbDS;SQf<*wd{#0oDkYyXS01ds$!DriF{FrxVIw=#}f_tt63Hh_cM=iRggT5=+Z zp@&8p5N52|rgSDZRIze1?B@J<>^bALIj?N8g{DORaEv#K~bV&G_+m6R)tcRYB7s3dcFh#K-Xy>DtR4+XxAY+sI= zON?K}O3_e4j=842KCtvAQ1E!=VF@3xe+XWqn3CsR>+rh12RE|*G9#V`NwgoNZEC#i zROu0C*;CX@T?{o(%zAO%sfAil?bu|xOo?Us)8Wukzk$Kr*dDpZaatK!y#T&N;ntfj z>>GJcXe3&AC{1EA?Ylci{Cw%MJCXu!A=oM#;f@=$RJVrV!3~`s`Ba^yd2YQX{V9+0EWX63UniW1RSLYTr%z2c;q-4EN3gb7%>}ozvY`JP7e}eRuB;uP}N3yVeX*n z^P&_kGHGl#1J>8Y|1rt!X4p9L_KL>EElQR*yc1{I_BDR&VZO1dtUj69NEs$WU~U{IMac91w068`Uj7XhqTPNRqtc*LizTvS z|2(a+vMt-5I$Q8juGCKz^`szpmO8e?bfcEi$*iidDDPx~AZotd-jrQf!JjbD@SUIu zGFofZURCVgt;1lR%h(^YYmc@3Ym+|KOE>AQ0R)e^l{A}gfBi-Kbw)`i(!xL;I_=b`8r|JWIJkd2@ zd>^`|Ppq3c`WehBxr(-@VEzyuu^!-ui(+t1^<6!2tPUSVO7uM}5H#|Nq|aUkJz`Qd zilI4+{{4x*U^QN2)Iqkrop8Pe;5MMW;N=%v4isn;VTUL6Ss_;+F zH{L)Jz-U5;hf~0ioDkbN2BA9 zZqwwDbYigPTtm8P4-yH?GWp3fm6{i;yg<_7TZn-tCGpK^Pgb2g*U03AO9)6euSQaH zqAMV<4!oW+v-&d9jYmGSZgT;~_0JvlEv87-FWKFFV7VDF@GJoa?^k|tc_vHetjg8n zPi@N+w)k(!tuu~E(DDkhx?`Xmq6dQGASh5zGqcEIoPG;_0rbe-nUTmQ$3FGFFJH&A zhtFDe`tibOO)Ds$6=%7{JZ?vOEe&{E;ewT6Ics^QQ8G>%f8KaJuhIN*O0`Aq$F)-q 
z5PanW=T;w^pnTUl$|5*co!8?0TN##=Ek*O%a=vPSj|9q3v4wNh{;5hGl7kKyq$!}> z6E|m*u34L*e{E`MTY!hu#q*aj*a3@MpCy8SxilOyI#&rClIdo_e0`t~=)u@Cdm$g5 z_pBML)JFG-^=2)ZP-*cgsIy$lgre<#at6=;d!0dl$Jyr}>nsffmUZG-@#uksfP45L zJ;;ssKYY{eN5O2^4-hvf;#(Ne2VxT%`X~KIWI5mC#j{t!dJeEYh3K==gxn9?~ZaDQfjvI~{+_OV<`-wiP+0T;F*F3PJ1ctNZioay5 z`KGoh5o?84wlu(x=jbRgOLMb!TaAQZsEu=F?sB+kZ-oJ!*7UCMwQ zzV=c1ZW{a3`MktoAxJD)c3R=7$XO~ysJs}$ZR3OBEs?zr#I{ z6E`8QTvtIA?LcduZ@l$(Tu0DnnJ`&7xu%aStV4?(?U%`Kk8Nd~vO1j17+;*3 zlxgUzvp9@zDRE@t-PI7k0O<(Ys7DG~To#ynQ;&bLlLdh0@l}>VBu~zLUgro|swpN! zl+4Fv@|*stSU*3J*lDsrSv zEeT+9PYtu!*4r={+PLYMm9B8#P=M#t>U)Uz2kedZN_Drw@UdYB)w_d`kBz0^|k5Ph*++)0mBf}cNHh>OW_hxT5ysO!v|vBs>|FUE|=~TOEtfsQ7X-yhS+hO&qx})a?10CzMh5B@m{`s8a2StauxN=j`dq_;pN1oU6MZI$o< literal 0 HcmV?d00001 diff --git a/sources b/sources index aab41a4..ca6c59b 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -SHA512 (aide-0.18.6.tar.gz) = c0e7c366029a401bce4cf44762caecada4d4831bfc2f00ebab6cb818ba259fae5409fdfcc7386d2bc9ca91a8e8fe0eb78927205bc75513578b8a3ccd17183744 +SHA512 (aide-0.18.8.tar.gz) = 38763f527cfbc11847eca2fca17eceabc46158624954f0457feb49b885f34e4311f2dbc50b5471f4ff972e9e4e9c9f55c2da8dd8d55c04063a9043ab4829ff05 +SHA512 (aide-0.18.8.tar.gz.asc) = 9eeed86a0484d9f2acfd91c49adae285b34ebc390f65f32d72e9409a5e57456e637036094cb7fd38cb6a1332f6bbb58e4ff704819fd4449ec0d7b2ae01d95cd8 From 204ac42bba4e3365036d29d4a68b64acf7c4962f Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 16 Jan 2025 10:44:20 +0000 Subject: [PATCH 02/26] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From c1f9cbad754fb62aefa08c1208a3e8dc3a26243e Mon Sep 17 00:00:00 2001 From: Patrik Koncity Date: Wed, 8 Jan 2025 14:25:09 +0100 Subject: [PATCH 03/26] Add tmt CI --- .fmf/version | 1 + ci.fmf | 12 ++++++++++++ 2 files changed, 13 insertions(+) create mode 100644 .fmf/version create mode 100644 ci.fmf diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/.fmf/version 
@@ -0,0 +1 @@ +1 diff --git a/ci.fmf b/ci.fmf new file mode 100644 index 0000000..a36dc28 --- /dev/null +++ b/ci.fmf @@ -0,0 +1,12 @@ +#e2e test plan +/e2e: + plan: + import: + url: https://github.com/RedHat-SP-Security/aide-plans.git + name: /generic/e2e_ci + +/rpmverify: + plan: + import: + url: https://github.com/RedHat-SP-Security/aide-plans.git + name: /generic/rpmverify From 3073404dcdbb82446c5844ac4bca68797a1763d6 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Mon, 24 Feb 2025 14:48:55 -0800 Subject: [PATCH 04/26] Remove confusing and broken patch (#2346091) Jian Peng noticed that this patch has multiple errors that cause compilation to fail if it is applied. We did not notice because, as the package stands, the patch is applied "normally" (by %autosetup) and then immediately reverted (by the patch -R call) before compilation occurs. So it's a confusing no-op. Let's just remove it to avoid future confusion. If somebody wants to re-add a fixed version of it, please ensure it works correctly and the reason for its inclusion is documented in the spec file. --- aide-verbose.patch | 34 ---------------------------------- aide.spec | 4 ---- 2 files changed, 38 deletions(-) delete mode 100644 aide-verbose.patch diff --git a/aide-verbose.patch b/aide-verbose.patch deleted file mode 100644 index c87ff90..0000000 --- a/aide-verbose.patch +++ /dev/null 
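Review bot: Both `import:` blocks reference `url: https://github.com/RedHat-SP-Security/aide-plans.git` with no `ref:`, so the CI plans run for this package track that repository's default branch and can change underneath a build without any change in this repo. Pinning each import with `ref: <TAG_OR_COMMIT_PLACEHOLDER>` keeps the executed test plan reproducible and makes updates to it reviewable here. A short comment above the first plan stating which repository the plans come from and how the pin is meant to be bumped would help the next maintainer. This applies to both the /e2e and /rpmverify entries in this hunk.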
@@ -1,34 +0,0 @@ -diff -up ./src/conf_eval.c.fix ./src/conf_eval.c ---- ./src/conf_eval.c.fix 2023-12-22 12:12:22.961141634 +0100 -+++ ./src/conf_eval.c 2023-12-22 14:09:21.217786675 +0100 -@@ -166,6 +166,7 @@ static DB_ATTR_TYPE eval_attribute_expre - - static void set_database_attr_option(DB_ATTR_TYPE attr, int linenumber, char *filename, char* linebuf) { - char *str; -+ long num; - - DB_ATTR_TYPE hashes = get_hashes(true); - if (attr&(~hashes)) { -@@ -298,8 +299,20 @@ static void eval_config_statement(config - LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_CONFIG, "set 'config_version' option to '%s'", str) - break; - case VERBOSE_OPTION: -- log_msg(LOG_LEVEL_ERROR, "%s:%d: 'verbose' option is no longer supported, use 'log_level' and 'report_level' options instead (see man aide.conf for details) (line: '%s')", conf_filename, conf_linenumber, conf_linebuf); -- exit(INVALID_CONFIGURELINE_ERROR); -+ log_msg(LOG_LEVEL_CONFIG, "%s:%d: 'verbose' option is deprecated, use 'log_level' and 'report_level' options instead (see man aide.conf for details) (line: '%s')", conf_filename, conf_linenumber, conf_linebuf); -+ str = eval_string_expression(statement.e, linenumber, filename, linebuf); -+ num = strtol(str, NULL, 10); -+ -+ if (num < 0 && num > 255) { -+ LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_ERROR, "invalid verbose level: '%s'", str); -+ exit(INVALID_CONFIGURELINE_ERROR); -+ } -+ -+ if (num >= 10) { -+ set_log_level(LOG_LEVEL_DEBUG); -+ } -+ -+ free(str); - break; - case LIMIT_CMDLINE_OPTION: - /* command-line options are ignored here */ diff --git a/aide.spec b/aide.spec index 062480c..eda0cff 100644 --- a/aide.spec +++ b/aide.spec @@ -37,8 +37,6 @@ BuildRequires: check-devel Requires: logrotate -Patch1: aide-verbose.patch - %description AIDE (Advanced Intrusion Detection Environment) is a file integrity checker and intrusion detection program. 
@@ -48,8 +46,6 @@ checker and intrusion detection program. %autosetup -p1 cp -a %{S:4} . -%patch -R -P 1 -p1 -b .verbose - %build #autoreconf -ivf %configure \ From 4750c5ce8a6f1c547f339ff8146e90e0348376b4 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 23 Jul 2025 16:50:19 +0000 Subject: [PATCH 05/26] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 7b39911f4eb2db77db0fc254927fd64145b42e1c Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 5 Aug 2025 11:23:42 +0200 Subject: [PATCH 06/26] Simplify URL handling --- aide.spec | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/aide.spec b/aide.spec index eda0cff..8efe513 100644 --- a/aide.spec +++ b/aide.spec @@ -1,14 +1,12 @@ -%global forgeurl https://github.com/%{name}/%{name} - Summary: Intrusion detection environment Name: aide Version: 0.18.8 Release: %autorelease -URL: https://aide.github.io/ +URL: https://github.com/aide/aide License: GPL-2.0-or-later -Source0: %{forgeurl}/releases/download/v%{version}/%{name}-%{version}.tar.gz -Source1: %{forgeurl}/releases/download/v%{version}/%{name}-%{version}.tar.gz.asc +Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz +Source1: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz.asc # gpg2 --recv-keys 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931 # gpg2 --export --export-options export-minimal 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931 >gpgkey-aide.gpg Source2: gpgkey-aide.gpg From f3c128e1ec4eb9ae7587e205f92220018060201f Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 5 Aug 2025 11:26:43 +0200 Subject: [PATCH 07/26] spec: standardize source file reference syntax Use consistent %{SOURCE#} macro syntax throughout the spec file instead of mixing %{S:#} and %{SOURCE#} formats. This improves readability and follows RPM packaging best practices. --- aide.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/aide.spec b/aide.spec index 8efe513..fdb6bfc 100644 
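Review bot: `Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz` now derives the download location from the `URL:` tag, which couples the package homepage to the source path; the removed `%global forgeurl` kept those two concerns separate, so pointing `URL:` back at a project homepage later would silently break source resolution. If the simplification is kept, a one-line comment above `Source0` such as `# Sources are fetched from the GitHub release page, so URL must remain the repository URL` records that dependency for future edits.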
--- a/aide.spec +++ b/aide.spec @@ -42,7 +42,7 @@ checker and intrusion detection program. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -cp -a %{S:4} . +cp -a %{SOURCE4} . %build #autoreconf -ivf @@ -64,8 +64,8 @@ make check %install %make_install bindir=%{_sbindir} -install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:3} -install -Dpm0644 %{S:5} %{buildroot}%{_sysconfdir}/logrotate.d/aide +install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{SOURCE3} +install -Dpm0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/aide mkdir -p %{buildroot}%{_localstatedir}/log/aide mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide From d45509d296037b559dd13f0217ef380a4b93f9c5 Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 5 Aug 2025 11:38:04 +0200 Subject: [PATCH 08/26] Rebase to 0.19.1 --- .gitignore | 2 ++ aide.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 465c998..3d07290 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,5 @@ aide-0.14.tar.gz.asc /aide-0.18.6.tar.gz /aide-0.18.8.tar.gz /aide-0.18.8.tar.gz.asc +/aide-0.19.1.tar.gz +/aide-0.19.1.tar.gz.asc diff --git a/aide.spec b/aide.spec index fdb6bfc..1553dba 100644 --- a/aide.spec +++ b/aide.spec @@ -1,6 +1,6 @@ Summary: Intrusion detection environment Name: aide -Version: 0.18.8 +Version: 0.19.1 Release: %autorelease URL: https://github.com/aide/aide License: GPL-2.0-or-later diff --git a/sources b/sources index ca6c59b..d46f6aa 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (aide-0.18.8.tar.gz) = 38763f527cfbc11847eca2fca17eceabc46158624954f0457feb49b885f34e4311f2dbc50b5471f4ff972e9e4e9c9f55c2da8dd8d55c04063a9043ab4829ff05 -SHA512 (aide-0.18.8.tar.gz.asc) = 9eeed86a0484d9f2acfd91c49adae285b34ebc390f65f32d72e9409a5e57456e637036094cb7fd38cb6a1332f6bbb58e4ff704819fd4449ec0d7b2ae01d95cd8 +SHA512 (aide-0.19.1.tar.gz) = 5f345458acdc79072b8293ea19a6846f2f7ab2eca36729ff1dc6fe06595a40f46af5aac57c8b02b4d144a4ad649b2a1d7f8e3bb216f0fa3d48a7023abf0029b1 +SHA512 (aide-0.19.1.tar.gz.asc) = d5bb3b8ec7dec229a01ae2e2588cc64caf9eaf2e9a71593c2d43662eb25f0afca9d955de7eeba13ca10dbe09f5b66e3b653ab018aa4c16f0531c368335b5e6de From 8e0d851b93fe8045dd46d53f6532b5b159d62fcc Mon Sep 17 00:00:00 2001 From: Cropi Date: Tue, 5 Aug 2025 11:41:14 +0200 Subject: [PATCH 09/26] cry: use nettle instead of gcrypt --- aide.spec | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/aide.spec b/aide.spec index 1553dba..9bd36bf 100644 --- a/aide.spec +++ b/aide.spec @@ -18,7 +18,7 @@ BuildRequires: gcc BuildRequires: make BuildRequires: bison flex BuildRequires: pcre2-devel -BuildRequires: libgpg-error-devel libgcrypt-devel +BuildRequires: libgpg-error-devel nettle-devel BuildRequires: zlib-devel BuildRequires: libcurl-devel BuildRequires: libacl-devel @@ -49,7 +49,8 @@ cp -a %{SOURCE4} . %configure \ --disable-static \ --with-config_file=%{_sysconfdir}/aide.conf \ - --with-gcrypt \ + --without-gcrypt \ + --with-nettle \ --with-zlib \ --with-curl \ --with-posix-acl \ @@ -71,7 +72,7 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide %files %license COPYING -%doc AUTHORS ChangeLog NEWS README contrib/ +%doc AUTHORS ChangeLog NEWS README %doc README.quickstart %{_sbindir}/aide %{_mandir}/man1/*.1* From faf0f7484f747e738fb6dc73b4af6e461c0c832c Mon Sep 17 00:00:00 2001 
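Review bot: `BuildRequires: libgpg-error-devel nettle-devel` still pulls in libgpg-error-devel, the companion library of libgcrypt, which this commit disables via `--without-gcrypt` in the %configure hunk of the same file; unless something else in the build links it (not visible here, check the configure output), the dependency is now stale and should be dropped so the BuildRequires match the selected crypto backend. Switching the hashing backend also changes which hashsums are compiled in, and therefore which attribute groups an existing database and the shipped aide.conf can use; a sentence in the commit message pointing at `aide --version` for the resulting list would help anyone upgrading.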
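Review bot: `-%doc AUTHORS ChangeLog NEWS README contrib/` removes the contrib/ directory from the shipped documentation, which is unrelated to the nettle switch named in the subject and is not explained. If the 0.19.1 tarball no longer contains contrib/ (I cannot confirm that from here), the commit message should say so; otherwise this hunk silently drops documentation and belongs in a separate commit.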
From: Cropi Date: Thu, 7 Aug 2025 10:28:00 +0200 Subject: [PATCH 10/26] aide.conf: add missing fields to config (added since 0.17) --- aide.conf | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/aide.conf b/aide.conf index 57b15b9..5c978f7 100644 --- a/aide.conf +++ b/aide.conf @@ -14,10 +14,37 @@ database_out=file:@@{DBDIR}/aide.db.new.gz # Whether to gzip the output to database gzip_dbout=yes +# Database attributes to include in report (H = all compiled hashsums, default) +database_attrs=H + +# Add metadata to database (version info, timestamps) +database_add_metadata=yes + +# Warn about unrestricted rules during config check (default: false) +config_check_warn_unrestricted_rules=false + +# Number of workers for parallel processing (default: 1, can use percentage) +num_workers=1 + # Default. log_level=warning report_level=changed_attributes +# Report format (plain or json) +report_format=plain + +# Group files in report by added/removed/changed +report_grouped=yes + +# Summarize changes in report +report_summarize_changes=yes + +# Don't report if no differences found +report_quiet=no + +# Report encoding (base64 is default, base16 available) +report_base16=no + report_url=file:@@{LOGDIR}/aide.log report_url=stdout #report_url=stderr From aa4fd80a6162bb0e14037cbd3ada91dc21e11cda Mon Sep 17 00:00:00 2001 From: Cropi Date: Thu, 7 Aug 2025 10:29:00 +0200 Subject: [PATCH 11/26] aide.conf: correct report_url possible values --- aide.conf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/aide.conf b/aide.conf index 5c978f7..4a0c0b8 100644 --- a/aide.conf +++ b/aide.conf @@ -48,8 +48,7 @@ report_base16=no report_url=file:@@{LOGDIR}/aide.log report_url=stdout #report_url=stderr -#NOT IMPLEMENTED report_url=mailto:root@foo.com -#NOT IMPLEMENTED report_url=syslog:LOG_AUTH +#report_url=syslog:LOG_AUTH # These are the default rules. # From c19980c40c356c14c5bfe0bf1149c93f48449313 Mon Sep 17 00:00:00 2001 
From: Cropi Date: Thu, 7 Aug 2025 10:31:02 +0200 Subject: [PATCH 12/26] aide.conf: update (special) attributes section --- aide.conf | 55 ++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 40 insertions(+), 15 deletions(-) diff --git a/aide.conf b/aide.conf index 4a0c0b8..2deaa1b 100644 --- a/aide.conf +++ b/aide.conf @@ -52,8 +52,11 @@ report_url=stdout # These are the default rules. # +#ftype: file type +#fstype: file system type (Linux-only) #p: permissions -#i: inode: +#i: inode +#l: link name (symbolic links only) #n: number of links #u: user #g: group 
@@ -62,28 +65,50 @@ report_url=stdout
 #m: mtime
 #a: atime
 #c: ctime
-#S: check for growing size
 #acl: Access Control Lists
 #selinux SELinux security context
 #xattrs: Extended file attributes
-#md5: md5 checksum
-#sha1: sha1 checksum
+#e2fsattrs: file attributes on Linux file system
+#caps: file capabilities (Linux-only)
+
+# Hashsums attributes (regular files only)
 #sha256: sha256 checksum
 #sha512: sha512 checksum
-#rmd160: rmd160 checksum
-#tiger: tiger checksum
+#sha512_256: SHA-512 checksum truncated to 256 output bits
+#sha3_256: SHA3-256 checksum (modern)
+#sha3_512: SHA3-512 checksum (modern)
+#stribog256: GOST R 34.11-2012, 256 bit
+#stribog512: GOST R 34.11-2012, 512 bit
-#haval: haval checksum (MHASH only)
-#gost: gost checksum (MHASH only)
-#crc32: crc32 checksum (MHASH only)
-#whirlpool: whirlpool checksum (MHASH only)
+# DEPRECATED (will be removed in future versions):
+#md5: md5 checksum (deprecated since v0.19)
+#sha1: sha1 checksum (deprecated since v0.19)
+#rmd160: rmd160 checksum (deprecated since v0.19)
+#gost: gost checksum (deprecated since v0.19)
-FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+# REMOVED in AIDE v0.19:
+#S: check for growing size (use 'growing+s' instead)
+#tiger: tiger checksum (removed)
+#haval: haval checksum (removed)
+#crc32: crc32 checksum (removed)
+#crc32b: crc32b checksum (removed)
+#whirlpool: whirlpool checksum (removed)
-#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
-#L: p+i+n+u+g+acl+selinux+xattrs
-#E: Empty group
-#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
+# Special attributes for advanced use cases:
+#I: ignore changed filename - detects moved files by inode
+#growing: ignore growing file size/timestamps for logs
+#compressed: ignore compression - compares uncompressed content
+#ANF: allow new files - new files ignored in report
+#ARF: allow removed files - missing files ignored in report
+
+# Default groups in AIDE v0.19:
+# R = p+ftype+i+l+n+u+g+s+m+c+sha3_256+X
+# L = p+ftype+i+l+n+u+g+X
+# > = Growing file p+ftype+l+u+g+i+n+s+growing+X
+# H = all compiled in (and not deprecated) hashsums
+# X = acl+selinux+xattrs+e2fsattrs+caps (if compiled in)
+# E = Empty group
+# Use 'aide --version' to list the default compound groups.
 # You can create custom rules like this.
 # With MHASH...
From 7aad76e824e38aa8e4ce3ed520f3ce841e69d1af Mon Sep 17 00:00:00 2001
From: Cropi
Date: Wed, 20 Aug 2025 08:33:36 +0200
Subject: [PATCH 13/26] Rebase to 0.19.2

Resolves: rhbz#2389391
Resolves: rhbz#2389389 CVE-2025-54389 CVE-2025-54409
---
 .gitignore | 2 ++
 aide.spec | 2 +-
 sources | 4 ++--
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index 3d07290..ce1812d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,5 @@ aide-0.14.tar.gz.asc
 /aide-0.18.8.tar.gz.asc
 /aide-0.19.1.tar.gz
 /aide-0.19.1.tar.gz.asc
+/aide-0.19.2.tar.gz
+/aide-0.19.2.tar.gz.asc
diff --git a/aide.spec b/aide.spec
index 9bd36bf..7b1c7a4 100644
--- a/aide.spec
+++ b/aide.spec
@@ -1,6 +1,6 @@
 Summary: Intrusion detection environment
 Name: aide
-Version: 0.19.1
+Version: 0.19.2
 Release: %autorelease
 URL: https://github.com/aide/aide
 License: GPL-2.0-or-later
diff --git a/sources b/sources
index d46f6aa..0b47fd8 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (aide-0.19.1.tar.gz) = 5f345458acdc79072b8293ea19a6846f2f7ab2eca36729ff1dc6fe06595a40f46af5aac57c8b02b4d144a4ad649b2a1d7f8e3bb216f0fa3d48a7023abf0029b1
-SHA512 (aide-0.19.1.tar.gz.asc) = d5bb3b8ec7dec229a01ae2e2588cc64caf9eaf2e9a71593c2d43662eb25f0afca9d955de7eeba13ca10dbe09f5b66e3b653ab018aa4c16f0531c368335b5e6de
+SHA512 (aide-0.19.2.tar.gz) = 08506c2302e34794fa08a27caaa1e714ba736d46351c577234f2c3d2623ea82b243b3318061a369a46d6961a782f42fbb8edd42d1d4de6949e7fc30c87865830
+SHA512 (aide-0.19.2.tar.gz.asc) = ebc04f22a49ec6b378dca4930574edcd46919281297bc1d5e09f5839a6fab3a38762462b7d852a82b7045313f9c24208bfff49a561d8afd04e9116be7096169a
From 920124928552faeaef5846b87f8f9dd5423b1011 Mon Sep 17 00:00:00 2001
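Review bot: Deleting `FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256` in this hunk leaves `NORMAL = FIPSR+sha512` and `LSPP = FIPSR+sha512` (still present as removed lines in PATCH 14's first hunk) referencing a group that is no longer defined, so between this commit and PATCH 14 the shipped aide.conf names an identifier AIDE does not know — as far as I recall that is a fatal config error rather than a warning. Keep the FIPSR line here, or move the NORMAL/LSPP rewrite into this commit, so every step of the series leaves a loadable config. The rest of the hunk is comment-only and reads fine.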
From: Cropi
Date: Thu, 7 Aug 2025 10:32:01 +0200
Subject: [PATCH 14/26] Refactor aide.conf

---
 aide.conf | 310 ++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 198 insertions(+), 112 deletions(-)

diff --git a/aide.conf b/aide.conf
index 2deaa1b..5953f6d 100644
--- a/aide.conf
+++ b/aide.conf
@@ -111,31 +111,29 @@ report_url=stdout
 # Use 'aide --version' to list the default compound groups.
 # You can create custom rules like this.
-# With MHASH...
-# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
-ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
-# Everything but access time (Ie. all changes)
+# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost)
+ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512
+# Everything but access time (Ie. all changes) - updated with modern hashsums
 EVERYTHING = R+ALLXTRAHASHES
-# Sane, with multiple hashes
-# NORMAL = R+rmd160+sha256+whirlpool
-NORMAL = FIPSR+sha512
+# Base + sha512 (strong)
+NORMAL = R+sha512
-# For directories, don't bother doing hashes
-DIR = p+i+n+u+g+acl+selinux+xattrs
+# Content only - added file type and strong hash
+CONTENT = ftype+sha512
-# Access control only
-PERMS = p+i+u+g+acl+selinux
+# For directories, don't bother doing hashes - added file type and link name
+DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
+
+# Access control only - added file type and link name
+PERMS = ftype+p+i+l+u+g+acl+selinux
 # Logfile are special, in that they often change
 LOG = >
-# Just do sha256 and sha512 hashes
-LSPP = FIPSR+sha512
-
 # Some files get updated automatically, so the inode/ctime/mtime change
-# but we want to know when the data inside them changes
-DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
+# but we want to know when the data inside them changes - updated with modern hash
+DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 # Next decide what directories/files you want in the database.
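Review bot: `CONTENT = ftype+sha512` tracks no permission or ownership attribute, yet the next hunk applies it to `/etc/at.allow$`, `/etc/at.deny$`, `/var/spool/at` and `/var/spool/cron/root`, where a chmod or chown (making the at allow-list world-writable, or handing a spool file to another user) is at least as security-relevant as an edit and would now go unreported. Either define `CONTENT = ftype+p+u+g+sha512`, or keep those four paths on NORMAL and reserve CONTENT for `/opt`. ALLXTRAHASHES also gains `stribog256+stribog512`; as far as I recall AIDE refuses a hashsum attribute that is not compiled in, so this should be confirmed against `aide --version` on the Fedora build, since EVERYTHING inherits the list.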
@@ -144,124 +142,215 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
 /sbin NORMAL
 /lib NORMAL
 /lib64 NORMAL
-/opt NORMAL
+# Monitor /opt selectively to avoid noise from auto-updating applications
+/opt CONTENT
 /usr NORMAL
-/root NORMAL
 # These are too volatile
 !/usr/src
 !/usr/tmp
+/root NORMAL
+# Admins dot files constantly change, just check perms
+/root/\..* PERMS
+!/root/.xauth*
+
 # Check only permissions, inode, user and group for /etc, but
 # cover some important files closely.
 /etc PERMS
 !/etc/mtab
 # Ignore backup files
 !/etc/.*~
-/etc/exports NORMAL
-/etc/fstab NORMAL
-/etc/passwd NORMAL
-/etc/group NORMAL
-/etc/gshadow NORMAL
-/etc/shadow NORMAL
-/etc/security/opasswd NORMAL
-/etc/hosts.allow NORMAL
-/etc/hosts.deny NORMAL
+# trusted databases
+/etc/hosts$ NORMAL
+/etc/host.conf$ NORMAL
+/etc/hostname$ NORMAL
+/etc/issue$ NORMAL
+/etc/issue.net$ NORMAL
+/etc/protocols$ NORMAL
+/etc/services$ NORMAL
+/etc/localtime$ NORMAL
+/etc/alternatives NORMAL
+/etc/mime.types$ NORMAL
+/etc/terminfo NORMAL
+/etc/exports$ NORMAL
+/etc/fstab$ NORMAL
+/etc/passwd$ NORMAL
+/etc/group$ NORMAL
+/etc/gshadow$ NORMAL
+/etc/shadow$ NORMAL
+/etc/subgid$ NORMAL
+/etc/subuid$ NORMAL
+/etc/skel NORMAL
+/etc/sssd NORMAL
+/etc/swid NORMAL
+/etc/system-release-cpe$ NORMAL
+/etc/tmux.conf$ NORMAL
+/etc/xattr.conf$ NORMAL
-/etc/sudoers NORMAL
-/etc/skel NORMAL
+# networking
+/etc/firewalld NORMAL
+!/etc/NetworkManager/system-connections
+/etc/NetworkManager NORMAL
+/etc/networks$ NORMAL
+/etc/dhcp NORMAL
+/etc/wpa_supplicant NORMAL
+/etc/resolv.conf$ DATAONLY
+/etc/nscd.conf$ NORMAL
-/etc/logrotate.d NORMAL
-
-/etc/resolv.conf DATAONLY
-
-/etc/nscd.conf NORMAL
-/etc/securetty NORMAL
+# logins and accounts
+/etc/login.defs$ NORMAL
+/etc/libuser.conf$ NORMAL
+/var/log/faillog$ PERMS
+/var/log/lastlog$ PERMS
+/var/run/faillock PERMS
+/etc/pam.d NORMAL
+/etc/security NORMAL
+/etc/securetty$ NORMAL
+/etc/polkit-1 NORMAL
+/etc/sudo.conf$ NORMAL
+/etc/sudoers$ NORMAL
+/etc/sudoers.d NORMAL
 # Shell/X starting files
-/etc/profile NORMAL
-/etc/bashrc NORMAL
-/etc/bash_completion.d/ NORMAL
-/etc/login.defs NORMAL
-/etc/zprofile NORMAL
-/etc/zshrc NORMAL
-/etc/zlogin NORMAL
-/etc/zlogout NORMAL
-/etc/profile.d/ NORMAL
-/etc/X11/ NORMAL
+/etc/profile$ NORMAL
+/etc/profile.d NORMAL
+/etc/bashrc$ NORMAL
+/etc/bash_completion.d NORMAL
+/etc/zprofile$ NORMAL
+/etc/zshrc$ NORMAL
+/etc/zlogin$ NORMAL
+/etc/zlogout$ NORMAL
+/etc/X11 NORMAL
+/etc/shells$ NORMAL
 # Pkg manager
-/etc/yum.conf NORMAL
-/etc/yumex.conf NORMAL
-/etc/yumex.profiles.conf NORMAL
-/etc/yum/ NORMAL
-/etc/yum.repos.d/ NORMAL
+/etc/dnf NORMAL
+/etc/yum.repos.d NORMAL
-/var/log LOG
+# auditing
+# AIDE produces an audit record, so this becomes perpetual motion.
+/var/log/audit PERMS
+/etc/audit NORMAL
+/etc/libaudit.conf$ NORMAL
+/etc/aide.conf$ NORMAL
+
+# System logs
+/etc/rsyslog.conf$ NORMAL
+/etc/rsyslog.d NORMAL
+/etc/logrotate.conf$ NORMAL
+/etc/logrotate.d NORMAL
+/etc/systemd/journald.conf$ NORMAL
+/var/log LOG+ANF+ARF
 /var/run/utmp LOG
+
+# secrets
+/etc/pkcs11 NORMAL
+/etc/pki NORMAL
+/etc/ssl NORMAL
+/etc/certmonger NORMAL
+/var/lib/systemd/random-seed$ PERMS
+
+# init system
+/etc/systemd NORMAL
+/etc/sysconfig NORMAL
+/etc/rc.d NORMAL
+/etc/tmpfiles.d NORMAL
+/etc/machine-id$ NORMAL
+
+# boot config
+/etc/default NORMAL
+/etc/grub.d NORMAL
+/etc/grub2.cfg$ NORMAL
+/etc/dracut.conf$ NORMAL
+/etc/dracut.conf.d NORMAL
+
+# glibc linker
+/etc/ld.so.cache$ NORMAL
+/etc/ld.so.conf$ NORMAL
+/etc/ld.so.conf.d NORMAL
+/etc/ld.so.preload$ NORMAL
+
+# kernel config
+/etc/sysctl.conf$ NORMAL
+/etc/sysctl.d NORMAL
+/etc/modprobe.d NORMAL
+/etc/modules-load.d NORMAL
+/etc/depmod.d NORMAL
+/etc/udev NORMAL
+/etc/crypttab$ NORMAL
+
+#### Daemons ####
+
+# cron jobs
+/var/spool/at CONTENT
+/etc/at.allow$ CONTENT
+/etc/at.deny$ CONTENT
+/etc/anacrontab$ NORMAL
+/etc/cron.allow$ NORMAL
+/etc/cron.deny$ NORMAL
+/etc/cron.d NORMAL
+/etc/cron.daily NORMAL
+/etc/cron.hourly NORMAL
+/etc/cron.monthly NORMAL
+/etc/cron.weekly NORMAL
+/etc/crontab$ NORMAL
+/var/spool/cron/root CONTENT
+
+# time keeping
+/etc/ntp.conf$ NORMAL
+/etc/ntp NORMAL
+/etc/chrony.conf$ NORMAL
+/etc/chrony.keys$ NORMAL
+
+# mail
+/etc/aliases$ NORMAL
+/etc/aliases.db$ NORMAL
+/etc/postfix NORMAL
+
+# ssh
+/etc/ssh/sshd_config$ NORMAL
+/etc/ssh/ssh_config$ NORMAL
+
+# stunnel
+/etc/stunnel NORMAL
+
+# ftp
+/etc/vsftpd CONTENT
+
+# printing
+/etc/cups NORMAL
+/etc/cupshelpers NORMAL
+/etc/avahi NORMAL
+
+# web server
+/etc/httpd NORMAL
+
+# dns
+/etc/named NORMAL
+/etc/named.conf$ NORMAL
+/etc/named.iscdlv.key$ NORMAL
+/etc/named.rfc1912.zones$ NORMAL
+/etc/named.root.key$ NORMAL
+
+# xinetd
+/etc/xinetd.conf$ NORMAL
+/etc/xinetd.d NORMAL
+
+# IPsec
+/etc/ipsec.conf$ NORMAL
+/etc/ipsec.secrets$ NORMAL
+/etc/ipsec.d NORMAL
+
+# USBGuard
+/etc/usbguard NORMAL
+
 # This gets new/removes-old filenames daily
 !/var/log/sa
 # As we are checking it, we've truncated yesterdays size to zero.
 !/var/log/aide.log
-# LSPP rules...
-# AIDE produces an audit record, so this becomes perpetual motion.
-# /var/log/audit/ LSPP
-/etc/audit/ LSPP
-/etc/libaudit.conf LSPP
-/usr/sbin/stunnel LSPP
-/var/spool/at LSPP
-/etc/at.allow LSPP
-/etc/at.deny LSPP
-/etc/cron.allow LSPP
-/etc/cron.deny LSPP
-/etc/cron.d/ LSPP
-/etc/cron.daily/ LSPP
-/etc/cron.hourly/ LSPP
-/etc/cron.monthly/ LSPP
-/etc/cron.weekly/ LSPP
-/etc/crontab LSPP
-/var/spool/cron/root LSPP
-
-/etc/login.defs LSPP
-/etc/securetty LSPP
-/var/log/faillog LSPP
-/var/log/lastlog LSPP
-
-/etc/hosts LSPP
-/etc/sysconfig LSPP
-
-/etc/inittab LSPP
-/etc/grub/ LSPP
-/etc/rc.d LSPP
-
-/etc/ld.so.conf LSPP
-
-/etc/localtime LSPP
-
-/etc/sysctl.conf LSPP
-
-/etc/modprobe.conf LSPP
-
-/etc/pam.d LSPP
-/etc/security LSPP
-/etc/aliases LSPP
-/etc/postfix LSPP
-
-/etc/ssh/sshd_config LSPP
-/etc/ssh/ssh_config LSPP
-
-/etc/stunnel LSPP
-
-/etc/vsftpd.ftpusers LSPP
-/etc/vsftpd LSPP
-
-/etc/issue LSPP
-/etc/issue.net LSPP
-
-/etc/cups LSPP
-
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
 #
@@ -269,7 +358,4 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
 #=/home DIR
 # Ditto /var/log/sa reason...
-!/var/log/and-httpd
-
-# Admins dot files constantly change, just check perms
-/root/\..* PERMS
+!/var/log/httpd
\ No newline at end of file
From 8a1c97dba18c69ab61d4de8bacc5c915a65aab0c Mon Sep 17 00:00:00 2001
From: Cropi
Date: Wed, 17 Sep 2025 11:26:30 +0200
Subject: [PATCH 15/26] Replace ntp with chrony config files

---
 aide.conf | 2 --
 1 file changed, 2 deletions(-)

diff --git a/aide.conf b/aide.conf
index 5953f6d..799961f 100644
--- a/aide.conf
+++ b/aide.conf
@@ -299,8 +299,6 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 /var/spool/cron/root CONTENT
 # time keeping
-/etc/ntp.conf$ NORMAL
-/etc/ntp NORMAL
 /etc/chrony.conf$ NORMAL
 /etc/chrony.keys$ NORMAL
From 9566357ccc7dbebd709f0005b241bfaae1e5024f Mon Sep 17 00:00:00 2001
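Review bot: Only `/etc/ssh/sshd_config$` and `/etc/ssh/ssh_config$` receive a hash; on Fedora sshd_config includes `/etc/ssh/sshd_config.d/*.conf`, and the host private keys live in the same directory, so a drop-in that re-enables root login or a swapped host key falls through to `/etc PERMS` (defined as `ftype+p+i+l+u+g+acl+selinux` in the previous hunk) and an in-place edit that keeps mode, owner and inode is never reported — cover the directory instead with `/etc/ssh NORMAL`. `!/etc/NetworkManager/system-connections` likewise removes the VPN/Wi-Fi profile directory and its secrets from the database entirely; `/etc/NetworkManager/system-connections PERMS` would keep the mode and ownership checks (NetworkManager expects these files root-only) without the content churn. `/etc/selinux` and `/etc/nsswitch.conf$` are two more paths where a silent content change alters the security posture and would warrant NORMAL rather than the PERMS fallback.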
From: Cropi
Date: Wed, 17 Sep 2025 11:29:15 +0200
Subject: [PATCH 16/26] Remove deprecated config file /etc/nscd.conf https://fedoraproject.org/wiki/Changes/RemoveNSCD

---
 aide.conf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/aide.conf b/aide.conf
index 799961f..e698ac6 100644
--- a/aide.conf
+++ b/aide.conf
@@ -196,7 +196,6 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 /etc/dhcp NORMAL
 /etc/wpa_supplicant NORMAL
 /etc/resolv.conf$ DATAONLY
-/etc/nscd.conf$ NORMAL
 # logins and accounts
 /etc/login.defs$ NORMAL
From d25ee9c7642ff575917aedbc5f977fdeff047ac8 Mon Sep 17 00:00:00 2001
From: Cropi
Date: Mon, 22 Sep 2025 16:19:04 +0200
Subject: [PATCH 17/26] Adjust /var/log/journal monitoring in default config file

By default, log files are expected to grow but persistent journal files are not handled correctly. The persistent journal is stored in /var/log/journal, hence fall into LOG rule.Unfortunately since some version of Fedora, the journal files get an extended attribute user.crtime_usec which updates when the file rotates. Make sure to leave this out from the report.
---
 aide.conf | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/aide.conf b/aide.conf
index e698ac6..da4cbb5 100644
--- a/aide.conf
+++ b/aide.conf
@@ -128,8 +128,10 @@ DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
 # Access control only - added file type and link name
 PERMS = ftype+p+i+l+u+g+acl+selinux
-# Logfile are special, in that they often change
-LOG = >
+# Logfiles are special, in that they often change
+# Don't track inodes (-i) since log rotation creates new files with different inodes
+# Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques
+LOG = >+ANF+ARF-i
 # Some files get updated automatically, so the inode/ctime/mtime change
 # but we want to know when the data inside them changes - updated with modern hash
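Review bot: Moving `ANF+ARF` into the LOG group itself (instead of the `/var/log LOG+ANF+ARF` selection line the second hunk drops) silences removed-file reports for every path that uses LOG, including `/var/run/utmp LOG` — and a deleted log is exactly the anti-forensic signal an integrity checker is expected to raise, rotation or not. Keep `LOG = >-i` and attach the allowances only to the rotated tree, `/var/log LOG+ANF+ARF`, or narrower still to rotated names, e.g. `/var/log/.*[.-][0-9]+(\.gz)?$ LOG+ANF+ARF` (pattern illustrative; check it against the local logrotate naming). PATCH 19 and PATCH 23 carry the same `ANF+ARF` inside the group and would need the same adjustment.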
@@ -234,13 +236,18 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 /etc/libaudit.conf$ NORMAL
 /etc/aide.conf$ NORMAL
-# System logs
+# System logs with proper logrotate handling
 /etc/rsyslog.conf$ NORMAL
 /etc/rsyslog.d NORMAL
 /etc/logrotate.conf$ NORMAL
 /etc/logrotate.d NORMAL
 /etc/systemd/journald.conf$ NORMAL
-/var/log LOG+ANF+ARF
+
+# Log directory
+/var/log LOG
+# Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes
+/var/log/journal LOG-xattrs
+
 /var/run/utmp LOG
From c9baefb29993343e1dc03a55663aac2f518d902f Mon Sep 17 00:00:00 2001
From: Cropi
Date: Tue, 23 Sep 2025 08:46:09 +0200
Subject: [PATCH 18/26] Add .rpmlintrc file

---
 aide.rpmlintrc | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 aide.rpmlintrc

diff --git a/aide.rpmlintrc b/aide.rpmlintrc
new file mode 100644
index 0000000..67d2667
--- /dev/null
+++ b/aide.rpmlintrc
@@ -0,0 +1,15 @@
+# RPMlint configuration for aide package
+# These warnings are expected and intentional for security reasons
+
+# AIDE log directory has restricted permissions (700) for security
+# Log files may contain sensitive security information
+addFilter("aide.* non-standard-dir-perm /var/log/aide 700")
+
+# AIDE configuration file has restricted permissions (600) for security
+# Configuration reveals what files/directories are monitored
+addFilter("aide.* non-readable /etc/aide.conf 600")
+
+# FSF address in COPYING file is outdated - this is an upstream issue
+# The license text contains the old FSF address format
+addFilter("aide.* incorrect-fsf-address /usr/share/licenses/aide/COPYING")
+
From 32855bb23585027061c8b289466e796eb662ce82 Mon Sep 17 00:00:00 2001
From: Cropi
Date: Tue, 23 Sep 2025 11:08:10 +0200
Subject: [PATCH 19/26] Update LOG in config file

---
 aide.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/aide.conf b/aide.conf
index da4cbb5..bf7e66b 100644
--- a/aide.conf
+++ b/aide.conf
@@ -130,8 +130,9 @@ PERMS = ftype+p+i+l+u+g+acl+selinux
 # Logfiles are special, in that they often change
 # Don't track inodes (-i) since log rotation creates new files with different inodes
+# Don't track size (-s) since log rotation causes size decreases that we don't care about
 # Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques
-LOG = >+ANF+ARF-i
+LOG = >+ANF+ARF-i-s
 # Some files get updated automatically, so the inode/ctime/mtime change
 # but we want to know when the data inside them changes - updated with modern hash
From 2ed6802a1a5f0554427a3e18d0f1cf453b310041 Mon Sep 17 00:00:00 2001
From: Cropi
Date: Tue, 23 Sep 2025 11:51:37 +0200
Subject: [PATCH 20/26] Do not include mtime/ctime in regular files

---
 aide.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aide.conf b/aide.conf
index bf7e66b..c8ed75d 100644
--- a/aide.conf
+++ b/aide.conf
@@ -117,7 +117,7 @@ ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512
 EVERYTHING = R+ALLXTRAHASHES
 # Base + sha512 (strong)
-NORMAL = R+sha512
+NORMAL = R+sha512-m-c
 # Content only - added file type and strong hash
 CONTENT = ftype+sha512
From 5634fe32368d43da2a5aec91fa7691cae1048e05 Mon Sep 17 00:00:00 2001
From: Cropi
Date: Tue, 23 Sep 2025 12:17:43 +0200
Subject: [PATCH 21/26] Adjust ordering of /root files

---
 aide.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aide.conf b/aide.conf
index c8ed75d..5ea17ef 100644
--- a/aide.conf
+++ b/aide.conf
@@ -152,10 +152,10 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 !/usr/src
 !/usr/tmp
-/root NORMAL
 # Admins dot files constantly change, just check perms
 /root/\..* PERMS
 !/root/.xauth*
+/root NORMAL
 # Check only permissions, inode, user and group for /etc, but
 # cover some important files closely.
From 307529a5874a6219b5b513d32eeac5c7d919aea1 Mon Sep 17 00:00:00 2001
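Review bot: Dropping `s` from the `>` group removes the shrink check (`>` carries `s+growing`, per the group table added in PATCH 12), which is the one attribute that flags a log being truncated or partially wiped in place; the stock Fedora /etc/logrotate.conf rotates with `create` (rename-and-create), which never shrinks the live file, so `-s` only buys tolerance for `copytruncate` configurations at the cost of that signal. Keep `LOG = >+ANF+ARF-i` and, where a specific log really is rotated by copytruncate, give that path its own `LOG-s` selection line instead of disabling the check globally. PATCH 23 later rebuilds LOG without `s` as well, so the same remark applies there.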
From: Cropi
Date: Tue, 23 Sep 2025 14:59:21 +0200
Subject: [PATCH 22/26] Do not monitor acl on /var/log/journal

---
 aide.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aide.conf b/aide.conf
index 5ea17ef..da9d00d 100644
--- a/aide.conf
+++ b/aide.conf
@@ -247,7 +247,7 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 # Log directory
 /var/log LOG
 # Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes
-/var/log/journal LOG-xattrs
+/var/log/journal LOG-xattrs-acl
 /var/run/utmp LOG
From 8479fabb2f09bb8aace92132692fc616aa3e039f Mon Sep 17 00:00:00 2001
From: Cropi
Date: Wed, 24 Sep 2025 08:16:59 +0200
Subject: [PATCH 23/26] Accomodate for constantly changing log files

Many log files constantly change, especially if those are rotated. Many of those files have changing xattrs, e2fsattrs, caps and acl(s). So let's not monitor them, unless there will be many false positives.
---
 aide.conf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/aide.conf b/aide.conf
index da9d00d..8524225 100644
--- a/aide.conf
+++ b/aide.conf
@@ -128,11 +128,11 @@ DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
 # Access control only - added file type and link name
 PERMS = ftype+p+i+l+u+g+acl+selinux
-# Logfiles are special, in that they often change
-# Don't track inodes (-i) since log rotation creates new files with different inodes
-# Don't track size (-s) since log rotation causes size decreases that we don't care about
+# Logfiles are special, in that they often change due to log rotation
+# Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes
 # Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques
-LOG = >+ANF+ARF-i-s
+# Don't track: size, inodes, timestamps, checksums and some special attributes (these change frequently with log rotation)
+LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs
 # Some files get updated automatically, so the inode/ctime/mtime change
 # but we want to know when the data inside them changes - updated with modern hash
@@ -247,7 +247,7 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 # Log directory
 /var/log LOG
 # Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes
-/var/log/journal LOG-xattrs-acl
+/var/log/journal LOG-xattrs
 /var/run/utmp LOG
From c4ba6e2926d7a55448a3f619b2a73d7ad6bf220e Mon Sep 17 00:00:00 2001
From: Cropi
Date: Thu, 9 Oct 2025 09:42:32 +0200
Subject: [PATCH 24/26] Add explanatory comment for /boot/grub2/grubenv exclusion

Document why /boot/grub2/grubenv is excluded from AIDE monitoring. The file's timestamp gets modified continuously due to the "boot_success" implementation, which would cause unnecessary noise in security monitoring reports. Do not monitor link count in /var/log/journal
---
 aide.conf | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/aide.conf b/aide.conf
index 8524225..0ec4c0c 100644
--- a/aide.conf
+++ b/aide.conf
@@ -246,8 +246,9 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 # Log directory
 /var/log LOG
-# Journal files - exclude xattrs due to systemd journal's user.crtime_usec extended attribute changes
-/var/log/journal LOG-xattrs
+# Journal files - exclude xattrs and link count due to systemd journal's user.crtime_usec extended attribute changes and new directory creation
+/var/log/journal LOG-xattrs-n
+
 /var/run/utmp LOG
@@ -363,4 +364,7 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 #=/home DIR
 # Ditto /var/log/sa reason...
-!/var/log/httpd
\ No newline at end of file
+!/var/log/httpd
+# /boot/grub2/grubenv's timestamp is getting modified continuously due to "boot_success" implementation
+!/boot/grub2/grubenv
+
From 9a67d750d4f88a2eebd7f6e944e25f6de0bf2d4b Mon Sep 17 00:00:00 2001
From: Cropi
Date: Thu, 16 Oct 2025 09:46:00 +0200
Subject: [PATCH 25/26] Adjust default config to avoid false positives in /etc

---
 aide.conf | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/aide.conf b/aide.conf
index 0ec4c0c..56ba1da 100644
--- a/aide.conf
+++ b/aide.conf
@@ -126,7 +126,7 @@ CONTENT = ftype+sha512
 DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
 # Access control only - added file type and link name
-PERMS = ftype+p+i+l+u+g+acl+selinux
+PERMS = ftype+p+u+g+acl+selinux+xattrs
 # Logfiles are special, in that they often change due to log rotation
 # Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes
@@ -159,7 +159,6 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 # Check only permissions, inode, user and group for /etc, but
 # cover some important files closely.
-/etc PERMS
 !/etc/mtab
 # Ignore backup files
 !/etc/.*~
@@ -352,6 +351,9 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 # USBGuard
 /etc/usbguard NORMAL
+# Now everything else
+/etc PERMS
+
 # This gets new/removes-old filenames daily
 !/var/log/sa
 # As we are checking it, we've truncated yesterdays size to zero.
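Review bot: `!/boot/grub2/grubenv` drops the file from the database altogether, while the problem the new comment describes is only timestamp churn (and, since `boot_success` toggles, content churn); an owner or mode change on the file — or, on releases where GRUB still reads kernel arguments from a `kernelopts` entry in this file, a cmdline change — would then pass unnoticed. A narrower rule keeps what does not churn, e.g. `/boot/grub2/grubenv$ PERMS`, with the comment reworded to say why neither hash nor timestamps are kept. This assumes /boot is selected by a line above this hunk, which is not visible here.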
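Review bot: The new `PERMS = ftype+p+u+g+acl+selinux+xattrs` drops `l` together with `i`, and the third hunk makes PERMS the catch-all for everything under /etc, so re-targeting any symlink in /etc that has no more specific rule — where the target is the symlink's entire content — is no longer reported; unless `l` was part of the false-positive source, keep it as `PERMS = ftype+p+l+u+g+acl+selinux+xattrs`. The retained context comment `# Check only permissions, inode, user and group for /etc, but` is now stale on both counts (inode is gone and the /etc rule moved below the specific ones) and should follow the rule to its new place or be reworded. Moving `/etc PERMS` to the end has the intended effect only if AIDE resolves overlapping selection lines in favour of the later one; a one-line comment stating that assumption next to `# Now everything else` would keep the next editor from reordering it back.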
From 3b76bcd11a6bf80bfcfb0904ee45de2e3d9e79b6 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Fri, 16 Jan 2026 03:31:38 +0000
Subject: [PATCH 26/26] Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild