Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild

Document why /boot/grub2/grubenv is excluded from AIDE monitoring.  The
file's timestamp gets modified continuously due to the "boot_success"
implementation, which would cause unnecessary noise in security
monitoring reports.
Do not monitor link count in /var/log/journal

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -13,3 +13,11 @@ aide-0.14.tar.gz.asc
 /aide-0.16b1.tar.gz
 /aide-0.16rc1.tar.gz
 /aide-0.16.tar.gz
+/aide-0.18.4.tar.gz
+/aide-0.18.6.tar.gz
+/aide-0.18.8.tar.gz
+/aide-0.18.8.tar.gz.asc
+/aide-0.19.1.tar.gz
+/aide-0.19.1.tar.gz.asc
+/aide-0.19.2.tar.gz
+/aide-0.19.2.tar.gz.asc

aide-0.16b1-fipsfix.patch

@@ -1,103 +0,0 @@
-diff -up ./src/aide.c.orig ./aide-0.16b1/src/aide.c
---- ./src/aide.c.orig	2016-07-12 11:10:08.013158385 +0200
-+++ ./src/aide.c	2016-07-12 11:30:54.867833064 +0200
-@@ -511,9 +511,28 @@ int main(int argc,char**argv)
- #endif
-   umask(0177);
-   init_sighandler();
--
-   setdefaults_before_config();
- 
-+#if WITH_GCRYPT
-+  error(255,"Gcrypt library initialization\n");
-+  /*
-+   *  Initialize libgcrypt as per
-+   *  http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
-+   *
-+   *
-+   */
-+  gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0);
-+  gcry_control(GCRYCTL_INIT_SECMEM, 1);
-+
-+  if(!gcry_check_version(GCRYPT_VERSION)) {
-+      error(0,"libgcrypt version mismatch\n");
-+      exit(VERSION_MISMATCH_ERROR);
-+  }
-+
-+  gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
-+#endif /* WITH_GCRYPT */
-+
-+
-   if(read_param(argc,argv)==RETFAIL){
-     error(0, _("Invalid argument\n") );
-     exit(INVALID_ARGUMENT_ERROR);
-@@ -646,6 +665,9 @@ int main(int argc,char**argv)
-     }
- #endif
-   }
-+#ifdef WITH_GCRYPT
-+  gcry_control(GCRYCTL_TERM_SECMEM, 0);
-+#endif /* WITH_GCRYPT */
-   return RETOK;
- }
- const char* aide_key_3=CONFHMACKEY_03;
-diff -up ./src/md.c.orig ./aide-0.16b1/src/md.c
---- ./src/md.c.orig	2016-04-15 23:30:16.000000000 +0200
-+++ ./src/md.c	2016-07-12 11:35:04.007675329 +0200
-@@ -201,14 +201,7 @@ int init_md(struct md_container* md) {
-   }
- #endif 
- #ifdef WITH_GCRYPT
--  error(255,"Gcrypt library initialization\n");
--  	if(!gcry_check_version(GCRYPT_VERSION)) {
--		error(0,"libgcrypt version mismatch\n");
--		exit(VERSION_MISMATCH_ERROR);
--	}
--	gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
--	gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
--	if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){
-+        if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
- 		error(0,"gcrypt_md_open failed\n");
- 		exit(IO_ERROR);
- 	}
-@@ -299,7 +292,7 @@ int close_md(struct md_container* md) {
-   
-   /*.    There might be more hashes in the library. Add those here..   */
-   
--  gcry_md_reset(md->mdh);
-+  gcry_md_close(md->mdh);
- #endif  
- 
- #ifdef WITH_MHASH
-diff -up ./src/util.c.orig ./aide-0.16b1/src/util.c
---- ./src/util.c.orig	2016-07-12 11:39:17.023437355 +0200
-+++ ./src/util.c	2016-07-12 11:39:51.618721157 +0200
-@@ -519,28 +519,5 @@ int syslog_facility_lookup(char *s)
- 	return(AIDE_SYSLOG_FACILITY);
- }
- 
--/* We need these dummy stubs to fool the linker into believing that
--   we do not need them at link time */
--
--void* dlopen(char*filename,int flag)
--{
--  return NULL;
--}
--
--void* dlsym(void*handle,char*symbol)
--{
--  return NULL;
--}
--
--void* dlclose(void*handle)
--{
--  return NULL;
--}
--
--const char* dlerror(void)
--{
--  return NULL;
--}
--
- const char* aide_key_2=CONFHMACKEY_02;
- const char* db_key_2=DBHMACKEY_02;

aide-0.16rc1-man.patch

@@ -1,15 +0,0 @@
-diff -up ./doc/aide.1.in.orig ./doc/aide.1.in
---- ./doc/aide.1.in.orig	2016-07-12 16:10:01.724595895 +0200
-+++ ./doc/aide.1.in	2016-07-12 16:06:21.968639822 +0200
-@@ -103,9 +103,9 @@ echo <encoded_checksum> | base64 \-d | h
- .SH FILES
- .IP \fB@sysconfdir@/aide.conf\fR
- Default aide configuration file.
--.IP \fB@sysconfdir@/aide.db\fR
-+.IP \fB@localstatedir@/lib/aide/aide.db\fR
- Default aide database.
--.IP \fB@sysconfdir@/aide.db.new\fR
-+.IP \fB@localstatedir@/lib/aide/aide.db.new\fR
- Default aide output database.
- .SH SEE ALSO
- .BR aide.conf (5)

aide.conf

@@ -4,7 +4,7 @@
 @@define LOGDIR /var/log/aide
 
 # The location of the database to be read.
-database=file:@@{DBDIR}/aide.db.gz
+database_in=file:@@{DBDIR}/aide.db.gz
 
 # The location of the database to be written.
 #database_out=sql:host:port:database:login_name:passwd:table
@@ -14,19 +14,49 @@ database_out=file:@@{DBDIR}/aide.db.new.gz
 # Whether to gzip the output to database
 gzip_dbout=yes
 
+# Database attributes to include in report (H = all compiled hashsums, default)
+database_attrs=H
+
+# Add metadata to database (version info, timestamps)
+database_add_metadata=yes
+
+# Warn about unrestricted rules during config check (default: false)
+config_check_warn_unrestricted_rules=false
+
+# Number of workers for parallel processing (default: 1, can use percentage)
+num_workers=1
+
 # Default.
-verbose=5
+log_level=warning
+report_level=changed_attributes
+
+# Report format (plain or json)
+report_format=plain
+
+# Group files in report by added/removed/changed
+report_grouped=yes
+
+# Summarize changes in report
+report_summarize_changes=yes
+
+# Don't report if no differences found
+report_quiet=no
+
+# Report encoding (base64 is default, base16 available)
+report_base16=no
 
 report_url=file:@@{LOGDIR}/aide.log
 report_url=stdout
 #report_url=stderr
-#NOT IMPLEMENTED report_url=mailto:root@foo.com
-#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
+#report_url=syslog:LOG_AUTH
 
 # These are the default rules.
 #
+#ftype:  file type
+#fstype: file system type (Linux-only)
 #p:      permissions
-#i:      inode:
+#i:      inode
+#l:      link name (symbolic links only)
 #n:      number of links
 #u:      user
 #g:      group
@@ -35,55 +65,78 @@ report_url=stdout
 #m:      mtime
 #a:      atime
 #c:      ctime
-#S:      check for growing size
 #acl:           Access Control Lists
 #selinux        SELinux security context
 #xattrs:        Extended file attributes
-#md5:    md5 checksum
-#sha1:   sha1 checksum
+#e2fsattrs:     file attributes on Linux file system
+#caps:          file capabilities (Linux-only)
+
+# Hashsums attributes (regular files only)
 #sha256:        sha256 checksum
 #sha512:        sha512 checksum
-#rmd160: rmd160 checksum
-#tiger:  tiger checksum
+#sha512_256:    SHA-512 checksum truncated to 256 output bits
+#sha3_256:      SHA3-256 checksum (modern)
+#sha3_512:      SHA3-512 checksum (modern)
+#stribog256:    GOST R 34.11-2012, 256 bit
+#stribog512:    GOST R 34.11-2012, 512 bit
 
-#haval:  haval checksum (MHASH only)
-#gost:   gost checksum (MHASH only)
-#crc32:  crc32 checksum (MHASH only)
-#whirlpool:     whirlpool checksum (MHASH only)
+# DEPRECATED (will be removed in future versions):
+#md5:    md5 checksum (deprecated since v0.19)
+#sha1:   sha1 checksum (deprecated since v0.19)
+#rmd160: rmd160 checksum (deprecated since v0.19)
+#gost:   gost checksum (deprecated since v0.19)
 
-FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+# REMOVED in AIDE v0.19:
+#S:      check for growing size (use 'growing+s' instead)
+#tiger:  tiger checksum (removed)
+#haval:  haval checksum (removed)
+#crc32:  crc32 checksum (removed)
+#crc32b: crc32b checksum (removed)
+#whirlpool: whirlpool checksum (removed)
 
-#R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
-#L:             p+i+n+u+g+acl+selinux+xattrs
-#E:             Empty group
-#>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
+# Special attributes for advanced use cases:
+#I:      ignore changed filename - detects moved files by inode
+#growing: ignore growing file size/timestamps for logs
+#compressed: ignore compression - compares uncompressed content
+#ANF:    allow new files - new files ignored in report
+#ARF:    allow removed files - missing files ignored in report
+
+# Default groups in AIDE v0.19:
+# R = p+ftype+i+l+n+u+g+s+m+c+sha3_256+X
+# L = p+ftype+i+l+n+u+g+X  
+# > = Growing file p+ftype+l+u+g+i+n+s+growing+X
+# H = all compiled in (and not deprecated) hashsums
+# X = acl+selinux+xattrs+e2fsattrs+caps (if compiled in)
+# E = Empty group
+# Use 'aide --version' to list the default compound groups.
 
 # You can create custom rules like this.
-# With MHASH...
-# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
-ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
-# Everything but access time (Ie. all changes)
+# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost)
+ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512
+# Everything but access time (Ie. all changes) - updated with modern hashsums
 EVERYTHING = R+ALLXTRAHASHES
 
-# Sane, with multiple hashes
-# NORMAL = R+rmd160+sha256+whirlpool
-NORMAL = FIPSR+sha512
+# Base + sha512 (strong)
+NORMAL = R+sha512-m-c
 
-# For directories, don't bother doing hashes
-DIR = p+i+n+u+g+acl+selinux+xattrs
+# Content only - added file type and strong hash
+CONTENT = ftype+sha512
 
-# Access control only
-PERMS = p+i+u+g+acl+selinux
+# For directories, don't bother doing hashes - added file type and link name
+DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
 
-# Logfile are special, in that they often change
-LOG = >
+# Access control only - added file type and link name
+PERMS = ftype+p+u+g+acl+selinux+xattrs
 
-# Just do sha256 and sha512 hashes
-LSPP = FIPSR+sha512
+# Logfiles are special, in that they often change due to log rotation
+# Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes
+# Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques
+# Don't track: size, inodes, timestamps, checksums and some special attributes (these change frequently with log rotation)
+LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs
 
 # Some files get updated automatically, so the inode/ctime/mtime change
-# but we want to know when the data inside them changes
-DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
+# but we want to know when the data inside them changes - updated with modern hash
+DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 
 # Next decide what directories/files you want in the database.
 
@@ -92,124 +145,220 @@ DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
 /sbin   NORMAL
 /lib    NORMAL
 /lib64  NORMAL
-/opt    NORMAL
+# Monitor /opt selectively to avoid noise from auto-updating applications
+/opt    CONTENT
 /usr    NORMAL
-/root   NORMAL
 # These are too volatile
 !/usr/src
 !/usr/tmp
 
+# Admins dot files constantly change, just check perms
+/root/\..* PERMS
+!/root/.xauth*
+/root   NORMAL
+
 # Check only permissions, inode, user and group for /etc, but
 # cover some important files closely.
-/etc    PERMS
 !/etc/mtab
 # Ignore backup files
 !/etc/.*~
-/etc/exports  NORMAL
-/etc/fstab    NORMAL
-/etc/passwd   NORMAL
-/etc/group    NORMAL
-/etc/gshadow  NORMAL
-/etc/shadow   NORMAL
-/etc/security/opasswd   NORMAL
 
-/etc/hosts.allow   NORMAL
-/etc/hosts.deny    NORMAL
+# trusted databases
+/etc/hosts$      NORMAL
+/etc/host.conf$  NORMAL
+/etc/hostname$   NORMAL
+/etc/issue$      NORMAL
+/etc/issue.net$  NORMAL
+/etc/protocols$  NORMAL
+/etc/services$   NORMAL
+/etc/localtime$  NORMAL
+/etc/alternatives NORMAL
+/etc/mime.types$ NORMAL
+/etc/terminfo    NORMAL
+/etc/exports$    NORMAL
+/etc/fstab$      NORMAL
+/etc/passwd$     NORMAL
+/etc/group$      NORMAL
+/etc/gshadow$    NORMAL
+/etc/shadow$     NORMAL
+/etc/subgid$     NORMAL
+/etc/subuid$     NORMAL
+/etc/skel        NORMAL
+/etc/sssd        NORMAL
+/etc/swid        NORMAL
+/etc/system-release-cpe$ NORMAL
+/etc/tmux.conf$  NORMAL
+/etc/xattr.conf$ NORMAL
 
-/etc/sudoers NORMAL
-/etc/skel NORMAL
+# networking
+/etc/firewalld      NORMAL
+!/etc/NetworkManager/system-connections
+/etc/NetworkManager NORMAL
+/etc/networks$ NORMAL
+/etc/dhcp NORMAL
+/etc/wpa_supplicant NORMAL
+/etc/resolv.conf$ DATAONLY
 
-/etc/logrotate.d NORMAL
-
-/etc/resolv.conf DATAONLY
-
-/etc/nscd.conf NORMAL
-/etc/securetty NORMAL
+# logins and accounts
+/etc/login.defs$ NORMAL
+/etc/libuser.conf$ NORMAL
+/var/log/faillog$ PERMS
+/var/log/lastlog$ PERMS
+/var/run/faillock PERMS
+/etc/pam.d NORMAL
+/etc/security NORMAL
+/etc/securetty$ NORMAL
+/etc/polkit-1 NORMAL
+/etc/sudo.conf$ NORMAL
+/etc/sudoers$ NORMAL
+/etc/sudoers.d NORMAL
 
 # Shell/X starting files
-/etc/profile NORMAL
-/etc/bashrc NORMAL
-/etc/bash_completion.d/ NORMAL
-/etc/login.defs NORMAL
-/etc/zprofile NORMAL
-/etc/zshrc NORMAL
-/etc/zlogin NORMAL
-/etc/zlogout NORMAL
-/etc/profile.d/ NORMAL
-/etc/X11/ NORMAL
+/etc/profile$ NORMAL
+/etc/profile.d NORMAL
+/etc/bashrc$ NORMAL
+/etc/bash_completion.d NORMAL
+/etc/zprofile$ NORMAL
+/etc/zshrc$ NORMAL
+/etc/zlogin$ NORMAL
+/etc/zlogout$ NORMAL
+/etc/X11 NORMAL
+/etc/shells$ NORMAL
 
 # Pkg manager
-/etc/yum.conf NORMAL
-/etc/yumex.conf NORMAL
-/etc/yumex.profiles.conf NORMAL
-/etc/yum/ NORMAL
-/etc/yum.repos.d/ NORMAL
+/etc/dnf NORMAL
+/etc/yum.repos.d NORMAL
+
+# auditing
+# AIDE produces an audit record, so this becomes perpetual motion.
+/var/log/audit PERMS
+/etc/audit NORMAL
+/etc/libaudit.conf$ NORMAL
+/etc/aide.conf$  NORMAL
+
+# System logs with proper logrotate handling
+/etc/rsyslog.conf$ NORMAL
+/etc/rsyslog.d NORMAL
+/etc/logrotate.conf$ NORMAL
+/etc/logrotate.d NORMAL
+/etc/systemd/journald.conf$ NORMAL
+
+# Log directory
+/var/log LOG
+# Journal files - exclude xattrs and link count due to systemd journal's user.crtime_usec extended attribute changes and new directory creation
+/var/log/journal LOG-xattrs-n
+
 
-/var/log   LOG
 /var/run/utmp LOG
 
+
+# secrets
+/etc/pkcs11 NORMAL
+/etc/pki NORMAL
+/etc/ssl NORMAL
+/etc/certmonger NORMAL
+/var/lib/systemd/random-seed$ PERMS
+
+# init system
+/etc/systemd NORMAL
+/etc/sysconfig NORMAL
+/etc/rc.d NORMAL
+/etc/tmpfiles.d NORMAL
+/etc/machine-id$ NORMAL
+
+# boot config
+/etc/default NORMAL
+/etc/grub.d NORMAL
+/etc/grub2.cfg$ NORMAL
+/etc/dracut.conf$ NORMAL
+/etc/dracut.conf.d NORMAL
+
+# glibc linker
+/etc/ld.so.cache$ NORMAL
+/etc/ld.so.conf$ NORMAL
+/etc/ld.so.conf.d NORMAL
+/etc/ld.so.preload$ NORMAL
+
+# kernel config
+/etc/sysctl.conf$ NORMAL
+/etc/sysctl.d NORMAL
+/etc/modprobe.d NORMAL
+/etc/modules-load.d NORMAL
+/etc/depmod.d NORMAL
+/etc/udev NORMAL
+/etc/crypttab$ NORMAL
+
+#### Daemons ####
+
+# cron jobs
+/var/spool/at CONTENT
+/etc/at.allow$ CONTENT
+/etc/at.deny$ CONTENT
+/etc/anacrontab$ NORMAL
+/etc/cron.allow$ NORMAL
+/etc/cron.deny$ NORMAL
+/etc/cron.d NORMAL
+/etc/cron.daily NORMAL
+/etc/cron.hourly NORMAL
+/etc/cron.monthly NORMAL
+/etc/cron.weekly NORMAL
+/etc/crontab$ NORMAL
+/var/spool/cron/root CONTENT
+
+# time keeping
+/etc/chrony.conf$ NORMAL
+/etc/chrony.keys$ NORMAL
+
+# mail
+/etc/aliases$ NORMAL
+/etc/aliases.db$ NORMAL
+/etc/postfix NORMAL
+
+# ssh
+/etc/ssh/sshd_config$ NORMAL
+/etc/ssh/ssh_config$ NORMAL
+
+# stunnel
+/etc/stunnel NORMAL
+
+# ftp
+/etc/vsftpd CONTENT
+
+# printing
+/etc/cups NORMAL
+/etc/cupshelpers NORMAL
+/etc/avahi NORMAL
+
+# web server
+/etc/httpd NORMAL
+
+# dns
+/etc/named NORMAL
+/etc/named.conf$ NORMAL
+/etc/named.iscdlv.key$ NORMAL
+/etc/named.rfc1912.zones$ NORMAL
+/etc/named.root.key$ NORMAL
+
+# xinetd
+/etc/xinetd.conf$ NORMAL
+/etc/xinetd.d NORMAL
+
+# IPsec
+/etc/ipsec.conf$ NORMAL
+/etc/ipsec.secrets$ NORMAL
+/etc/ipsec.d NORMAL
+
+# USBGuard
+/etc/usbguard NORMAL
+
+# Now everything else
+/etc    PERMS
+
 # This gets new/removes-old filenames daily
 !/var/log/sa
 # As we are checking it, we've truncated yesterdays size to zero.
 !/var/log/aide.log
 
-# LSPP rules...
-# AIDE produces an audit record, so this becomes perpetual motion.
-# /var/log/audit/ LSPP
-/etc/audit/ LSPP
-/etc/libaudit.conf LSPP
-/usr/sbin/stunnel LSPP
-/var/spool/at LSPP
-/etc/at.allow LSPP
-/etc/at.deny LSPP
-/etc/cron.allow LSPP
-/etc/cron.deny LSPP
-/etc/cron.d/ LSPP
-/etc/cron.daily/ LSPP
-/etc/cron.hourly/ LSPP
-/etc/cron.monthly/ LSPP
-/etc/cron.weekly/ LSPP
-/etc/crontab LSPP
-/var/spool/cron/root LSPP
-
-/etc/login.defs LSPP
-/etc/securetty LSPP
-/var/log/faillog LSPP
-/var/log/lastlog LSPP
-
-/etc/hosts LSPP
-/etc/sysconfig LSPP
-
-/etc/inittab LSPP
-/etc/grub/ LSPP
-/etc/rc.d LSPP
-
-/etc/ld.so.conf LSPP
-
-/etc/localtime LSPP
-
-/etc/sysctl.conf LSPP
-
-/etc/modprobe.conf LSPP
-
-/etc/pam.d LSPP
-/etc/security LSPP
-/etc/aliases LSPP
-/etc/postfix LSPP
-
-/etc/ssh/sshd_config LSPP
-/etc/ssh/ssh_config LSPP
-
-/etc/stunnel LSPP
-
-/etc/vsftpd.ftpusers LSPP
-/etc/vsftpd LSPP
-
-/etc/issue LSPP
-/etc/issue.net LSPP
-
-/etc/cups LSPP
-
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
 #
@@ -217,7 +366,7 @@ DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
 #=/home           DIR
 
 # Ditto /var/log/sa reason...
-!/var/log/and-httpd
+!/var/log/httpd
+# /boot/grub2/grubenv's timestamp is getting modified continuously due to "boot_success" implementation
+!/boot/grub2/grubenv
 
-# Admins dot files constantly change, just check perms
-/root/\..* PERMS

aide.rpmlintrc

@@ -0,0 +1,15 @@
+# RPMlint configuration for aide package
+# These warnings are expected and intentional for security reasons
+
+# AIDE log directory has restricted permissions (700) for security
+# Log files may contain sensitive security information
+addFilter("aide.* non-standard-dir-perm /var/log/aide 700")
+
+# AIDE configuration file has restricted permissions (600) for security  
+# Configuration reveals what files/directories are monitored
+addFilter("aide.* non-readable /etc/aide.conf 600")
+
+# FSF address in COPYING file is outdated - this is an upstream issue
+# The license text contains the old FSF address format
+addFilter("aide.* incorrect-fsf-address /usr/share/licenses/aide/COPYING")
+

aide.spec

@@ -1,47 +1,56 @@
 Summary:        Intrusion detection environment
 Name:           aide
-Version:        0.16
-Release:        9%{?dist}
-URL:            http://sourceforge.net/projects/aide
-License:        GPLv2+
+Version:        0.19.2
+Release:        %autorelease
+URL:            https://github.com/aide/aide
+License:        GPL-2.0-or-later
 
-
-Source0:        %{url}/files/aide/%{version}/%{name}-%{version}.tar.gz
-Source1:        aide.conf
-Source2:        README.quickstart
-Source3:        aide.logrotate
+Source0:        %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz
+Source1:        %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz.asc
+# gpg2 --recv-keys 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931
+# gpg2 --export --export-options export-minimal 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931 >gpgkey-aide.gpg
+Source2:        gpgkey-aide.gpg
+Source3:        aide.conf
+Source4:        README.quickstart
+Source5:        aide.logrotate
 
 BuildRequires:  gcc
 BuildRequires:  make
 BuildRequires:  bison flex
-BuildRequires:  pcre-devel
-BuildRequires:  libgpg-error-devel libgcrypt-devel
+BuildRequires:  pcre2-devel
+BuildRequires:  libgpg-error-devel nettle-devel
 BuildRequires:  zlib-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  libacl-devel
 BuildRequires:  pkgconfig(libselinux)
 BuildRequires:  libattr-devel
 BuildRequires:  e2fsprogs-devel
-Buildrequires:  audit-libs-devel
+BuildRequires:  audit-libs-devel
+BuildRequires:  autoconf automake libtool
+# For verifying signatures
+BuildRequires:  gnupg2
+# For being able to run 'make check'
+BuildRequires:  check-devel
 
-# Customize the database file location in the man page.
-Patch1: aide-0.16rc1-man.patch
-# fix aide in FIPS mode
-Patch2: aide-0.16b1-fipsfix.patch
+
+Requires:       logrotate
 
 %description
 AIDE (Advanced Intrusion Detection Environment) is a file integrity
 checker and intrusion detection program.
 
 %prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1
-cp -a %{S:2} .
+cp -a %{SOURCE4} .
 
 %build
+#autoreconf -ivf
 %configure  \
   --disable-static \
   --with-config_file=%{_sysconfdir}/aide.conf \
-  --with-gcrypt \
+  --without-gcrypt \
+  --with-nettle \
   --with-zlib \
   --with-curl \
   --with-posix-acl \
@@ -51,16 +60,19 @@ cp -a %{S:2} .
   --with-audit
 %make_build
 
+%check
+make check
+
 %install
 %make_install bindir=%{_sbindir}
-install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:1}
-install -Dpm0644 %{S:3} %{buildroot}%{_sysconfdir}/logrotate.d/aide
+install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{SOURCE3}
+install -Dpm0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/aide
 mkdir -p %{buildroot}%{_localstatedir}/log/aide
 mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
 
 %files
 %license COPYING
-%doc AUTHORS ChangeLog NEWS README doc/manual.html contrib/
+%doc AUTHORS ChangeLog NEWS README
 %doc README.quickstart
 %{_sbindir}/aide
 %{_mandir}/man1/*.1*
@@ -71,220 +83,4 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
 %dir %attr(0700,root,root) %{_localstatedir}/log/aide
 
 %changelog
-* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Tue Jul 31 2018 Florian Weimer <fweimer@redhat.com> - 0.16-8
-- Rebuild with fixed binutils
-
-* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.16-6
-- Rebuild
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Wed Apr 05 2017 Radovan Sroka <rsroka@redhat.com> - 0.16-2
-- fixed upstream link
-
-* Tue Apr 04 2017 Radovan Sroka <rsroka@redhat.com> - 0.16-1
-- rebase to stable v0.16
-- specfile cleanup
-- make doc readable 
-  resolves: #1421355
-- make aide binary runable for any user
-  resolves: #1421351
-
-* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-0.3.rc1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Tue Jul 12 2016 Tomas Sykora <tosykora@redhat.com> - 0.16-0.2.rc1
-- New upstream devel version
-
-* Mon Jun 20 2016 Tomas Sykora <tosykora@redhat.com> - 0.16-0.1.b1
-- New upstream devel version
-
-* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.15.1-12
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
-
-* Sat Jul 25 2015 Till Maas <opensource@till.name> - 0.15.1-11
-- Remove prelink dependency because prelink was retired
-
-* Tue Jun 16 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-10
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
-
-* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
-
-* Fri Jul 18 2014 Yaakov Selkowitz <yselkowi@redhat.com> - 0.15.1-8
-- Fix FTBFS with -Werror=format-security (#1036983, #1105942)
-- Avoid prelink BR on aarch64, ppc64le (#924977, #1078476)
-
-* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
-
-* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
-
-* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
-
-* Thu Nov 22 2012 Daniel Kopecek <dkopecek@redhat.com> - 0.15.1-4
-- added patch to fix aide in FIPS mode
-- use only FIPS approved digest algorithms in aide.conf so that
-  aide works by default in FIPS mode
-
-* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
-
-* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
-
-* Thu Nov 11 2010 Steve Grubb <sgrubb@redhat.com> - 0.15.1-1
-- New upstream release
-
-* Tue May 18 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-5
-- Apply 2 upstream bug fixes
-
-* Tue May 18 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-4
-- Use upstream's patch to fix bz 590566
-
-* Sat May 15 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-3
-- Fix bz 590561 aide does not detect the change of SElinux context
-- Fix bz 590566 aide reports a changed file when it has not been changed
-
-* Wed Apr 28 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-2
-- Fix bz 574764 by replacing abort calls with exit
-- Apply libgcrypt init patch
-
-* Tue Mar 16 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-1
-- New upstream release final 0.14
-
-* Thu Feb 25 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.4.rc3
-- New upstream release
-
-* Thu Feb 25 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.3.rc2
-- New upstream release
-
-* Tue Feb 23 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.2.rc1
-- Fix dirent detection on 64bit systems
-
-* Mon Feb 22 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.1.rc1
-- New upstream release
-
-* Fri Feb 19 2010 Steve Grubb <sgrubb@redhat.com> - 0.13.1-16
-- Add logrotate script and spec file cleanups
-
-* Fri Dec 11 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-15
-- Get rid of .dedosify files
-
-* Wed Dec 09 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-14
-- Revise patch for Initialize libgcrypt correctly (#530485)
-
-* Sat Nov 07 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-13
-- Initialize libgcrypt correctly (#530485)
-
-* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 0.13.1-12
-- rebuilt with new audit
-
-* Wed Aug 19 2009 Steve Grubb <sgrubb@redhat.com> 0.13.1-11
-- rebuild for new audit-libs
-- Correct regex for root's dot files (#509370)
-
-* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.1-10
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
-
-* Mon Jun 08 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-9
-- Make aide smarter about prelinked files (Peter Vrabec)
-- Add /lib64 to default config
-
-* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.1-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
-
-* Fri Jan 30 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-6
-- enable xattr support and update config file
-
-* Fri Sep 26 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.13.1-5
-- fix selcon patch to apply without fuzz
-
-* Fri Feb 15 2008 Steve Conklin <sconklin@redhat.com>
-- rebuild for gcc4.3
-
-* Tue Aug 21 2007 Michael Schwendt <mschwendt[AT]users.sf.net>
-- rebuilt
-
-* Sun Jul 22 2007 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13.1-2
-- Apply Steve Conklin's patch to increase displayed portion of
-  selinux context.
-
-* Sun Dec 17 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13.1-1
-- Update to 0.13.1 release.
-
-* Sun Dec 10 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13-1
-- Update to 0.13 release.
-- Include default aide.conf from RHEL5 as doc example file.
-
-* Sun Oct 29 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-3.20061027cvs
-- CAUTION! This changes the database format and results in a report of
-  false inconsistencies until an old database file is updated.
-- Check out CVS 20061027 which now contains Red Hat's
-  acl/xattr/selinux/audit patches.
-- Patches merged upstream.
-- Update manual page substitutions.
-
-* Mon Oct 23 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-2
-- Add "memory leaks and performance updates" patch as posted
-  to aide-devel by Steve Grubb.
-
-* Sat Oct 07 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-1
-- Update to 0.12 release.
-- now offers --disable-static, so -no-static patch is obsolete
-- fill last element of getopt struct array with zeroes
-
-* Mon Oct 02 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-3
-- rebuilt
-
-* Mon Sep 11 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-2
-- rebuilt
-
-* Sun Feb 19 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-1
-- Update to 0.11 release.
-- useless-includes patch merged upstream.
-- old Russian man pages not available anymore.
-- disable static linking.
-
-* Thu Apr  7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
-- rebuilt
-
-* Fri Nov 28 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.1
-- Update to 0.10 release.
-- memleaks patch merged upstream.
-- rootpath patch merged upstream.
-- fstat patch not needed anymore.
-- Updated URL.
-
-* Thu Nov 13 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.0.2.cvs20031104
-- Added buildreq m4 to work around incomplete deps of bison package.
-
-* Tue Nov 04 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.0.1.cvs20031104
-- Only tar.gz available upstream.
-- byacc not needed when bison -y is available.
-- Installed Russian manual pages.
-- Updated with changes from CVS (2003-11-04).
-- getopt patch merged upstream.
-- bison-1.35 patch incorporated upstream.
-
-* Tue Sep 09 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.9-0.fdr.0.2.20030902
-- Added fixes for further memleaks.
-
-* Sun Sep 07 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.9-0.fdr.0.1.20030902
-- Initial package version.
-
+%autochangelog

ci.fmf

@@ -0,0 +1,12 @@
+#e2e test plan
+/e2e:
+  plan:
+    import:
+      url: https://github.com/RedHat-SP-Security/aide-plans.git
+      name: /generic/e2e_ci
+ 
+/rpmverify:
+  plan:
+    import:
+      url: https://github.com/RedHat-SP-Security/aide-plans.git
+      name: /generic/rpmverify

sources

@@ -1 +1,2 @@
-SHA512 (aide-0.16.tar.gz) = 29ad97756e3e2fb21dc332ed03b494a1c73e621266f8622ec80bdba23092a38ee975b97f3cff2330e4c16e64e2f672259eea9291ca706a4009e7399b4e14e6a7
+SHA512 (aide-0.19.2.tar.gz) = 08506c2302e34794fa08a27caaa1e714ba736d46351c577234f2c3d2623ea82b243b3318061a369a46d6961a782f42fbb8edd42d1d4de6949e7fc30c87865830
+SHA512 (aide-0.19.2.tar.gz.asc) = ebc04f22a49ec6b378dca4930574edcd46919281297bc1d5e09f5839a6fab3a38762462b7d852a82b7045313f9c24208bfff49a561d8afd04e9116be7096169a