Compare commits


45 commits

Author SHA1 Message Date
Fedora Release Engineering
3b76bcd11a Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild 2026-01-16 03:31:38 +00:00
Cropi
9a67d750d4 Adjust default config to avoid false positives in /etc 2025-10-16 09:46:00 +02:00
Cropi
c4ba6e2926 Add explanatory comment for /boot/grub2/grubenv exclusion
Document why /boot/grub2/grubenv is excluded from AIDE monitoring.  The
file's timestamp gets modified continuously due to the "boot_success"
implementation, which would cause unnecessary noise in security
monitoring reports.
Do not monitor link count in /var/log/journal
2025-10-09 09:42:32 +02:00
Cropi
8479fabb2f Accommodate for constantly changing log files
Many log files constantly change, especially if those are rotated.
Many of those files have changing xattrs, e2fsattrs, caps and acl(s).
So let's not monitor them, unless there will be many false positives.
2025-09-24 08:16:59 +02:00
Cropi
307529a587 Do not monitor acl on /var/log/journal 2025-09-23 14:59:21 +02:00
Cropi
5634fe3236 Adjust ordering of /root files 2025-09-23 12:17:43 +02:00
Cropi
2ed6802a1a Do not include mtime/ctime in regular files 2025-09-23 11:51:37 +02:00
Cropi
32855bb235 Update LOG in config file 2025-09-23 11:08:10 +02:00
Attila Lakatos
e8239e55d5 Merge #9 Add .rpmlintrc file 2025-09-23 07:46:52 +00:00
Cropi
c9baefb299 Add .rpmlintrc file 2025-09-23 09:36:35 +02:00
Cropi
d25ee9c764 Adjust /var/log/journal monitoring in default config file
By default, log files are expected to grow but persistent journal files are not handled correctly. The persistent journal is stored in /var/log/journal, hence fall into LOG rule. Unfortunately since some version of Fedora, the journal files get an extended attribute user.crtime_usec which updates when the file rotates.
Make sure to leave this out from the report.
2025-09-23 08:23:48 +02:00
Cropi
9566357ccc Remove deprecated config file /etc/nscd.conf
https://fedoraproject.org/wiki/Changes/RemoveNSCD
2025-09-17 11:29:15 +02:00
Cropi
8a1c97dba1 Replace ntp with chrony config files 2025-09-17 11:28:32 +02:00
Attila Lakatos
18145fe46d Merge #7 Modernize aide configuration file 2025-09-09 09:26:01 +00:00
Cropi
9201249285 Refactor aide.conf 2025-09-09 10:23:07 +02:00
Cropi
7aad76e824 Rebase to 0.19.2
Resolves: rhbz#2389391
Resolves: rhbz#2389389
CVE-2025-54389
CVE-2025-54409
2025-08-20 08:33:36 +02:00
Cropi
c19980c40c aide.conf: update (special) attributes section 2025-08-07 10:34:35 +02:00
Cropi
aa4fd80a61 aide.conf: correct report_url possible values 2025-08-07 10:34:29 +02:00
Cropi
faf0f7484f aide.conf: add missing fields to config (added since 0.17) 2025-08-07 10:34:08 +02:00
Cropi
8e0d851b93 cry: use nettle instead of gcrypt 2025-08-05 12:13:17 +02:00
Cropi
d45509d296 Rebase to 0.19.1 2025-08-05 11:38:04 +02:00
Cropi
f3c128e1ec spec: standardize source file reference syntax
Use consistent %{SOURCE#} macro syntax throughout the spec file
instead of mixing %{S:#} and %{SOURCE#} formats. This improves
readability and follows RPM packaging best practices.
2025-08-05 11:26:43 +02:00
Cropi
7b39911f4e Simplify URL handling 2025-08-05 11:23:42 +02:00
Fedora Release Engineering
4750c5ce8a Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild 2025-07-23 16:50:19 +00:00
Adam Williamson
3073404dcd Remove confusing and broken patch (#2346091)
Jian Peng noticed that this patch has multiple errors that cause
compilation to fail if it is applied. We did not notice because,
as the package stands, the patch is applied "normally" (by
%autosetup) and then immediately reverted (by the patch -R call)
before compilation occurs. So it's a confusing no-op.

Let's just remove it to avoid future confusion. If somebody wants
to re-add a fixed version of it, please ensure it works correctly
and the reason for its inclusion is documented in the spec file.
2025-02-24 14:48:55 -08:00
Patrik Koncity
c1f9cbad75 Add tmt CI 2025-01-31 10:50:52 +00:00
Fedora Release Engineering
204ac42bba Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild 2025-01-16 10:44:20 +00:00
Sandro Bonazzola
b3964ed95f Update aide to 0.18.8
- Update aide to 0.18.8
- Resolves fedora#2306506
- GPG verify source tarball
- Update project URL
- Remove unused patches
- Enable check phase during the build
- Require logrotate

Signed-off-by: Sandro Bonazzola <sbonazzo@redhat.com>
2024-12-04 14:06:36 +01:00
Fedora Release Engineering
ae0fb53e0d Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild 2024-07-17 16:44:18 +00:00
Radovan Sroka
a003ad04cf Fix verbose option
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2024-02-12 18:24:40 +01:00
Fedora Release Engineering
772571371f Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-22 22:47:57 +00:00
Fedora Release Engineering
e45ae0f104 Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-19 12:26:41 +00:00
Radovan Sroka
a6083587f1 Rebase to 0.18.6
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2023-10-24 16:57:43 +02:00
Fedora Release Engineering
9d5d4a95e0 Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-07-19 13:01:53 +00:00
Radovan Sroka
929cb09177
Updated aide.conf
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2023-06-21 14:25:29 +02:00
Radovan Sroka
1f9083fa05
Rebase to 1.18.4
- aide-0.18.4 is available
Resolves: rhbz#1910486
- Please port your pcre dependency to pcre2. Pcre has been deprecated
Resolves: rhbz#2128267

Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2023-06-21 13:39:40 +02:00
Radovan Sroka
921cd675f0
- migrated to SPDX license
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2023-06-13 11:42:24 +02:00
Radovan Sroka
9d06054a81
- migrated to SPDX license
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2023-06-13 11:09:19 +02:00
Fedora Release Engineering
74f7f613ed Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-01-18 21:30:40 +00:00
Florian Weimer
2681d69152 Apply upstream patches to port configure to C99
Related to:

  <https://fedoraproject.org/wiki/Changes/PortingToModernC>
  <https://fedoraproject.org/wiki/Toolchain/PortingToModernC>
2022-11-25 12:02:26 +01:00
Fedora Release Engineering
3a3995cf3c Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-07-20 20:33:16 +00:00
Fedora Release Engineering
be7632bd59 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2022-01-19 21:02:08 +00:00
Fedora Release Engineering
262fe302ed - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-07-21 17:21:48 +00:00
Fedora Release Engineering
3e791cb9ee - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-07-21 12:26:29 +00:00
Fedora Release Engineering
0ddcbdc00e - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-01-25 23:54:23 +00:00
16 changed files with 350 additions and 1916 deletions

.fmf/version Normal file

@ -0,0 +1 @@
1

.gitignore vendored

@ -13,3 +13,11 @@ aide-0.14.tar.gz.asc
/aide-0.16b1.tar.gz
/aide-0.16rc1.tar.gz
/aide-0.16.tar.gz
/aide-0.18.4.tar.gz
/aide-0.18.6.tar.gz
/aide-0.18.8.tar.gz
/aide-0.18.8.tar.gz.asc
/aide-0.19.1.tar.gz
/aide-0.19.1.tar.gz.asc
/aide-0.19.2.tar.gz
/aide-0.19.2.tar.gz.asc
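Review bot: the ignore list keeps growing by one literal entry per release (and still carries 0.16b1/0.16rc1/0.16 that no longer appear anywhere else in this range), so every rebase touches .gitignore; two globs, `/aide-*.tar.gz` and `/aide-*.tar.gz.asc`, would cover the tarball and its signature for all versions and stop the churn.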


@ -1,496 +0,0 @@
diff -up ./doc/aide.conf.5.in.syslog_format ./doc/aide.conf.5.in
--- ./doc/aide.conf.5.in.syslog_format 2016-07-25 22:58:12.000000000 +0200
+++ ./doc/aide.conf.5.in 2018-09-27 19:09:09.697371212 +0200
@@ -57,6 +57,25 @@ inclusive. This parameter can only be gi
occurrence is used. If \-\-verbose or \-V is used then the value from that
is used. The default is 5. If verbosity is 20 then additional report
output is written when doing \-\-check, \-\-update or \-\-compare.
+.IP "syslog_format"
+Valid values are yes,true,no and false. This option enables new syslog format
+which is suitable for logging. Every change is logged as one simple line. This option
+changes verbose level to 0 and prints everything that was changed. It is suggested
+to use this option with "report_url=syslog:...". Default value is "false/no".
+Maximum size of message is 1KB which is limitation of syslog call. If message is
+greater than limit, message will be truncated.
+Option summarize_changes has no impact for this format.
+.nf
+.eo
+
+Output always starts with:
+"AIDE found differences between database and filesystem!!"
+And it is followed by summary:
+summary;total_number_of_files=1000;added_files=0;removed_files=0;changed_files=1
+And finally there are logs about changes:
+dir=/usr/sbin;Mtime_old=0000-00-00 00:00:00;Mtime_new=0000-00-00 00:00:00;...
+.ec
+.fi
.IP "report_url"
The url that the output is written to. There can be multiple instances
of this parameter. Output is written to all of them. The default is
diff -up ./include/db_config.h.syslog_format ./include/db_config.h
--- ./include/db_config.h.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./include/db_config.h 2018-09-27 19:09:09.697371212 +0200
@@ -311,6 +311,7 @@ typedef struct db_config {
FILE* db_out;
int config_check;
+ int syslog_format;
struct md_container *mdc_in;
struct md_container *mdc_out;
diff -up ./src/aide.c.syslog_format ./src/aide.c
--- ./src/aide.c.syslog_format 2018-09-27 19:09:09.695371197 +0200
+++ ./src/aide.c 2018-09-27 19:09:09.698371220 +0200
@@ -283,6 +283,7 @@ static void setdefaults_before_config()
}
/* Setting some defaults */
+ conf->syslog_format=0;
conf->report_db=0;
conf->tree=NULL;
conf->config_check=0;
@@ -495,6 +496,10 @@ static void setdefaults_after_config()
if(conf->verbose_level==-1){
conf->verbose_level=5;
}
+ if(conf->syslog_format==1){
+ conf->verbose_level=0;
+ }
+
}
diff -up ./src/compare_db.c.syslog_format ./src/compare_db.c
--- ./src/compare_db.c.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./src/compare_db.c 2018-09-27 19:09:09.698371220 +0200
@@ -110,7 +110,7 @@ const DB_ATTR_TYPE details_attributes[]
#endif
};
-const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size (>)"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512")
+const char* details_string[] = { _("File type") , _("Lname"), _("Size"), _("Size"), _("Bcount"), _("Perm"), _("Uid"), _("Gid"), _("Atime"), _("Mtime"), _("Ctime"), _("Inode"), _("Linkcount"), _("MD5"), _("SHA1"), _("RMD160"), _("TIGER"), _("SHA256"), _("SHA512")
#ifdef WITH_MHASH
, _("CRC32"), _("HAVAL"), _("GOST"), _("CRC32B"), _("WHIRLPOOL")
#endif
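Review bot: the label change in this hunk turns the distinct `_("Size (>)")` entry into a second `_("Size")`, so a size-grown attribute and a size-changed attribute become indistinguishable in the detailed report (the `details_attributes[]` array keeps two entries but `details_string[]` now has two identical names). Dropping the patch, as this commit does, removes the ambiguity; if the syslog format is ever re-added, keep the labels distinct (for example `Size_grown`) rather than collapsing them.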
@@ -269,12 +269,19 @@ static int xattrs2array(xattrs_type* xat
if ((len == xattrs->ents[num - 1].vsz) || ((len == (xattrs->ents[num - 1].vsz - 1)) && !val[len])) {
length = 8 + width + strlen(xattrs->ents[num - 1].key) + strlen(val);
(*values)[num]=malloc(length *sizeof(char));
- snprintf((*values)[num], length , "[%.*zd] %s = %s", width, num, xattrs->ents[num - 1].key, val);
+
+ char * fmt = "[%.*zd] %s = %s";
+ if (conf->syslog_format) fmt = "[%.*zd]%s=%s"; // its smaller so it has to be enough space allocated.
+ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val);
+
} else {
val = encode_base64(xattrs->ents[num - 1].val, xattrs->ents[num - 1].vsz);
length = 10 + width + strlen(xattrs->ents[num - 1].key) + strlen(val);
(*values)[num]=malloc( length *sizeof(char));
- snprintf((*values)[num], length , "[%.*zd] %s <=> %s", width, num, xattrs->ents[num - 1].key, val);
+
+ char * fmt = "[%.*zd] %s <=> %s";
+ if (conf->syslog_format) fmt = "[%.*zd]%s<=>%s"; // its smaller so it has to be enough space allocated.
+ snprintf((*values)[num], length , fmt, width, num, xattrs->ents[num - 1].key, val);
free(val);
}
}
@@ -302,6 +309,26 @@ static int acl2array(acl_type* acl, char
}
if (acl->acl_a || acl->acl_d) {
int j, k, i;
+ if (conf->syslog_format) {
+ *values = malloc(2 * sizeof(char*));
+
+ char *A, *D = "<NONE>";
+
+ if (acl->acl_a) { A = acl->acl_a; }
+ if (acl->acl_d) { D = acl->acl_d; }
+
+ (*values)[0] = (char*) malloc(strlen(A) + 3); // "A:" and \0
+ snprintf((*values)[0], strlen(A) + 3, "A:%s", A);
+
+ (*values)[1] = (char*) malloc(strlen(D) + 3); // "D:" and \0
+ snprintf((*values)[1], strlen(D) + 3, "D:%s", D);
+
+ i = 0; while ( (*values)[0][i] ) { if ( (*values)[0][i]=='\n') { (*values)[0][i] = ' '; } i++; }
+ i = 0; while ( (*values)[1][i] ) { if ( (*values)[1][i]=='\n') { (*values)[1][i] = ' '; } i++; }
+
+ return 2;
+ }
+
if (acl->acl_a) { i = 0; while (acl->acl_a[i]) { if (acl->acl_a[i++]=='\n') { n++; } } }
if (acl->acl_d) { i = 0; while (acl->acl_d[i]) { if (acl->acl_d[i++]=='\n') { n++; } } }
*values = malloc(n * sizeof(char*));
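Review bot: `char *A, *D = "<NONE>";` initializes only `D`; the enclosing `if (acl->acl_a || acl->acl_d)` admits entries that have only a default ACL, and for those `strlen(A)` and the following `snprintf` dereference an uninitialized pointer. The branch should start with `char *A = "<NONE>", *D = "<NONE>";`. Since the file is being deleted here, nothing needs changing in this commit, but this is one more reason not to re-apply the patch as it was.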
@@ -338,25 +365,25 @@ static char* e2fsattrs2string(unsigned l
static char* get_file_type_string(mode_t mode) {
switch (mode & S_IFMT) {
- case S_IFREG: return _("File");
- case S_IFDIR: return _("Directory");
+ case S_IFREG: return conf->syslog_format ? "file" : _("File");
+ case S_IFDIR: return conf->syslog_format ? "dir" : _("Directory");
#ifdef S_IFIFO
- case S_IFIFO: return _("FIFO");
+ case S_IFIFO: return conf->syslog_format ? "fifo" : _("FIFO");
#endif
- case S_IFLNK: return _("Link");
- case S_IFBLK: return _("Block device");
- case S_IFCHR: return _("Character device");
+ case S_IFLNK: return conf->syslog_format ? "link" : _("Link");
+ case S_IFBLK: return conf->syslog_format ? "blockd" : _("Block device");
+ case S_IFCHR: return conf->syslog_format ? "chard" : _("Character device");
#ifdef S_IFSOCK
- case S_IFSOCK: return _("Socket");
+ case S_IFSOCK: return conf->syslog_format ? "socket" : _("Socket");
#endif
#ifdef S_IFDOOR
- case S_IFDOOR: return _("Door");
+ case S_IFDOOR: return conf->syslog_format ? "door" : _("Door");
#endif
#ifdef S_IFPORT
- case S_IFPORT: return _("Port");
+ case S_IFPORT: return conf->syslog_format ? "port" : _("Port");
#endif
case 0: return NULL;
- default: return _("Unknown file type");
+ default: return conf->syslog_format ? "unknown" : _("Unknown file type");
}
}
@@ -554,6 +581,51 @@ static void print_dbline_attributes(db_l
}
}
+
+static void print_dbline_attributes_syslog(db_line* oline, db_line* nline, DB_ATTR_TYPE
+ changed_attrs, DB_ATTR_TYPE force_attrs) {
+ char **ovalue, **nvalue;
+ int onumber, nnumber, i, j;
+ int length = sizeof(details_attributes)/sizeof(DB_ATTR_TYPE);
+ DB_ATTR_TYPE attrs;
+ char *file_type = get_file_type_string((nline==NULL?oline:nline)->perm);
+ if (file_type) {
+ error(0,"%s=", file_type);
+ }
+ error(0,"%s", (nline==NULL?oline:nline)->filename);
+ attrs=force_attrs|(~(ignored_changed_attrs)&changed_attrs);
+ for (j=0; j < length; ++j) {
+ if (details_attributes[j]&attrs) {
+ onumber=get_attribute_values(details_attributes[j], oline, &ovalue);
+ nnumber=get_attribute_values(details_attributes[j], nline, &nvalue);
+
+ if (details_attributes[j] == DB_ACL || details_attributes[j] == DB_XATTRS) {
+
+ error(0, ";%s_old=|", details_string[j]);
+
+ for (i = 0 ; i < onumber ; i++) {
+ error(0, "%s|", ovalue[i]);
+ }
+
+ error(0, ";%s_new=|", details_string[j]);
+
+ for (i = 0 ; i < nnumber ; i++) {
+ error(0, "%s|", nvalue[i]);
+ }
+
+ } else {
+
+ error(0, ";%s_old=%s;%s_new=%s", details_string[j], *ovalue, details_string[j], *nvalue);
+
+ }
+
+ for(i=0; i < onumber; ++i) { free(ovalue[i]); ovalue[i]=NULL; } free(ovalue); ovalue=NULL;
+ for(i=0; i < nnumber; ++i) { free(nvalue[i]); nvalue[i]=NULL; } free(nvalue); nvalue=NULL;
+ }
+ }
+ error(0, "\n");
+}
+
static void print_attributes_added_node(db_line* line) {
print_dbline_attributes(NULL, line, 0, line->attr);
}
@@ -562,6 +634,26 @@ static void print_attributes_removed_nod
print_dbline_attributes(line, NULL, 0, line->attr);
}
+static void print_attributes_added_node_syslog(db_line* line) {
+
+ char *file_type = get_file_type_string(line->perm);
+ if (file_type) {
+ error(0,"%s=", file_type);
+ }
+ error(0,"%s; added\n", line->filename);
+
+}
+
+static void print_attributes_removed_node_syslog(db_line* line) {
+
+ char *file_type = get_file_type_string(line->perm);
+ if (file_type) {
+ error(0,"%s=", file_type);
+ }
+ error(0,"%s; removed\n", line->filename);
+
+}
+
static void terse_report(seltree* node) {
list* r=NULL;
if ((node->checked&(DB_OLD|DB_NEW)) != 0) {
@@ -626,6 +718,26 @@ static void print_report_details(seltree
}
}
+static void print_syslog_format(seltree* node) {
+ list* r=NULL;
+
+ if (node->checked&NODE_CHANGED) {
+ print_dbline_attributes_syslog(node->old_data, node->new_data, node->changed_attrs, forced_attrs);
+ }
+
+ if (node->checked&NODE_ADDED) {
+ print_attributes_added_node_syslog(node->new_data);
+ }
+
+ if (node->checked&NODE_REMOVED) {
+ print_attributes_removed_node_syslog(node->old_data);
+ }
+
+ for(r=node->childs;r;r=r->next){
+ print_syslog_format((seltree*)r->data);
+ }
+}
+
static void print_report_header() {
char *time;
int first = 1;
@@ -747,39 +859,53 @@ int gen_report(seltree* node) {
send_audit_report();
#endif
if ((nadd|nrem|nchg) > 0 || conf->report_quiet == 0) {
- print_report_header();
- if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) {
- if (conf->grouped) {
- if (nadd) {
- error(2,(char*)report_top_format,_("Added entries"));
- print_report_list(node, NODE_ADDED);
- }
- if (nrem) {
- error(2,(char*)report_top_format,_("Removed entries"));
- print_report_list(node, NODE_REMOVED);
- }
- if (nchg) {
- error(2,(char*)report_top_format,_("Changed entries"));
- print_report_list(node, NODE_CHANGED);
- }
- } else if (nadd || nrem || nchg) {
- if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); }
- else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); }
- else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); }
- else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); }
- else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); }
- else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); }
- else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); }
- print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED);
- }
- if (nadd || nrem || nchg) {
- error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes"));
- print_report_details(node);
- }
- }
- print_report_databases();
- conf->end_time=time(&(conf->end_time));
- print_report_footer();
+
+ if (!conf->syslog_format) {
+ print_report_header();
+ }
+
+ if(conf->action&(DO_COMPARE|DO_DIFF) || (conf->action&DO_INIT && conf->report_detailed_init) ) {
+ if (!conf->syslog_format && conf->grouped) {
+ if (nadd) {
+ error(2,(char*)report_top_format,_("Added entries"));
+ print_report_list(node, NODE_ADDED);
+ }
+ if (nrem) {
+ error(2,(char*)report_top_format,_("Removed entries"));
+ print_report_list(node, NODE_REMOVED);
+ }
+ if (nchg) {
+ error(2,(char*)report_top_format,_("Changed entries"));
+ print_report_list(node, NODE_CHANGED);
+ }
+ } else if (!conf->syslog_format && ( nadd || nrem || nchg ) ) {
+ if (nadd && nrem && nchg) { error(2,(char*)report_top_format,_("Added, removed and changed entries")); }
+ else if (nadd && nrem) { error(2,(char*)report_top_format,_("Added and removed entries")); }
+ else if (nadd && nchg) { error(2,(char*)report_top_format,_("Added and changed entries")); }
+ else if (nrem && nchg) { error(2,(char*)report_top_format,_("Removed and changed entries")); }
+ else if (nadd) { error(2,(char*)report_top_format,_("Added entries")); }
+ else if (nrem) { error(2,(char*)report_top_format,_("Removed entries")); }
+ else if (nchg) { error(2,(char*)report_top_format,_("Changed entries")); }
+ print_report_list(node, NODE_ADDED|NODE_REMOVED|NODE_CHANGED);
+ }
+ if (nadd || nrem || nchg) {
+ if (!conf->syslog_format) {
+ error(nchg?5:7,(char*)report_top_format,_("Detailed information about changes"));
+ print_report_details(node);
+ } else {
+ /* Syslog Format */
+ error(0, "AIDE found differences between database and filesystem!!\n");
+ error(0, "summary;total_number_of_files=%ld;added_files=%ld;"
+ "removed_files=%ld;changed_files=%ld\n",ntotal,nadd,nrem,nchg);
+ print_syslog_format(node);
+ }
+ }
+ }
+ if (!conf->syslog_format) {
+ print_report_databases();
+ conf->end_time=time(&(conf->end_time));
+ print_report_footer();
+ }
}
return conf->action&(DO_COMPARE|DO_DIFF) ? (nadd!=0)*1+(nrem!=0)*2+(nchg!=0)*4 : 0;
diff -up ./src/conf_lex.l.syslog_format ./src/conf_lex.l
--- ./src/conf_lex.l.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./src/conf_lex.l 2018-09-27 19:09:09.698371220 +0200
@@ -401,6 +401,12 @@ int var_in_conflval=0;
return (TROOT_PREFIX);
}
+^[\t\ ]*"syslog_format"{E} {
+ error(230,"%li:syslog_format =\n",conf_lineno);
+ BEGIN CONFVALHUNT;
+ return (SYSLOG_FORMAT);
+}
+
^[\t\ ]*"recstop"{E} {
error(230,"%li:recstop =\n",conf_lineno);
BEGIN CONFVALHUNT;
diff -up ./src/conf_yacc.y.syslog_format ./src/conf_yacc.y
--- ./src/conf_yacc.y.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./src/conf_yacc.y 2018-09-27 19:09:09.699371228 +0200
@@ -89,6 +89,7 @@ extern long conf_lineno;
%token TREPORT_URL
%token TGZIPDBOUT
%token TROOT_PREFIX
+%token SYSLOG_FORMAT
%token TUMASK
%token TTRUE
%token TFALSE
@@ -160,7 +161,7 @@ line : rule | equrule | negrule | define
| ifdefstmt | ifndefstmt | ifhoststmt | ifnhoststmt
| groupdef | db_in | db_out | db_new | db_attrs | verbose | report_detailed_init | config_version
| database_add_metadata | report | gzipdbout | root_prefix | report_base16 | report_quiet
- | report_ignore_e2fsattrs | recursion_stopper | warn_dead_symlinks | grouped
+ | report_ignore_e2fsattrs | syslogformat | recursion_stopper | warn_dead_symlinks | grouped
| summarize_changes | acl_no_symlink_follow | beginconfigstmt | endconfigstmt
| TEOF {
newlinelastinconfig=1;
@@ -408,6 +409,15 @@ conf->gzip_dbout=0;
#endif
} ;
+syslogformat : SYSLOG_FORMAT TTRUE {
+conf->syslog_format=1;
+} |
+ SYSLOG_FORMAT TFALSE {
+conf->syslog_format=0;
+} ;
+
+
+
recursion_stopper : TRECSTOP TSTRING {
/* FIXME implement me */
diff -up ./src/error.c.syslog_format ./src/error.c
--- ./src/error.c.syslog_format 2016-07-25 22:56:55.000000000 +0200
+++ ./src/error.c 2018-09-27 19:13:40.312416750 +0200
@@ -38,6 +38,9 @@
/*for locale support*/
#include "util.h"
+#define MAX_BUFFER_SIZE 1024
+static char syslog_buffer[MAX_BUFFER_SIZE+1];
+
int cmp_url(url_t* url1,url_t* url2){
return ((url1->type==url2->type)&&(strcmp(url1->value,url2->value)==0));
@@ -48,7 +51,9 @@ int error_init(url_t* url,int initial)
{
list* r=NULL;
FILE* fh=NULL;
- int sfac;
+ int sfac;
+
+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1);
if (url->type==url_database) {
conf->report_db++;
@@ -163,13 +168,24 @@ void error(int errorlevel,char* error_ms
}
#ifdef HAVE_SYSLOG
if(conf->initial_report_url->type==url_syslog){
-#ifdef HAVE_VSYSLOG
- vsyslog(SYSLOG_PRIORITY,error_msg,ap);
-#else
- char buf[1024];
- vsnprintf(buf,1024,error_msg,ap);
- syslog(SYSLOG_PRIORITY,"%s",buf);
-#endif
+
+ char buff[MAX_BUFFER_SIZE+1];
+ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap);
+ size_t buff_len = strlen(buff);
+
+ char result_buff[MAX_BUFFER_SIZE+1];
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-truncation"
+ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff);
+#pragma GCC diagnostic pop
+
+ if(buff[buff_len-1] == '\n'){
+ syslog(SYSLOG_PRIORITY,"%s",result_buff);
+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1);
+ } else {
+ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE);
+ }
+
va_end(ap);
return;
}
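Review bot: `if(buff[buff_len-1] == '\n')` reads one byte before `buff` when `vsnprintf` produced an empty string (`buff_len == 0`), which the `error()` API does not rule out; the test needs a guard such as `if (buff_len > 0 && buff[buff_len-1] == '\n')`. The accumulation into the static `syslog_buffer` also silently truncates any assembled line at `MAX_BUFFER_SIZE`, which matches the 1KB limit the man-page hunk documents but means a long `dir=...;Mtime_old=...` record loses its tail without any indication in the log.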
@@ -181,17 +197,25 @@ void error(int errorlevel,char* error_ms
#ifdef HAVE_SYSLOG
if (conf->report_syslog!=0) {
-#ifdef HAVE_VSYSLOG
- va_start(ap,error_msg);
- vsyslog(SYSLOG_PRIORITY,error_msg,ap);
- va_end(ap);
-#else
- char buf[1024];
- va_start(ap,error_msg);
- vsnprintf(buf,1024,error_msg,ap);
+ va_start(ap, error_msg);
+
+ char buff[MAX_BUFFER_SIZE+1];
+ vsnprintf(buff,MAX_BUFFER_SIZE,error_msg,ap);
+ size_t buff_len = strlen(buff);
+
+ char result_buff[MAX_BUFFER_SIZE+1];
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wformat-truncation"
+ snprintf(result_buff, MAX_BUFFER_SIZE, "%s%s", syslog_buffer, buff);
+#pragma GCC diagnostic pop
+
+ if(buff[buff_len-1] == '\n'){
+ syslog(SYSLOG_PRIORITY,"%s",result_buff);
+ memset(syslog_buffer, 0, MAX_BUFFER_SIZE+1);
+ } else {
+ memcpy(syslog_buffer, result_buff, MAX_BUFFER_SIZE);
+ }
va_end(ap);
- syslog(SYSLOG_PRIORITY,"%s",buf);
-#endif
}
#endif
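Review bot: this hunk duplicates the buffer-assembly block from the `initial_report_url` branch above verbatim (including the same unguarded `buff[buff_len-1]`), so any fix has to be applied twice; a small static helper taking `error_msg` and `ap` and doing the format, concatenate, flush-on-newline sequence would keep the two call sites in step. Not applicable to this commit, which deletes the file, but worth noting for anyone who resurrects the patch.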


@ -1,58 +0,0 @@
From c7caa6027c92b28aa11b8da74d56357e12f56d67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Kope=C4=8Dek?= <dkopecek@redhat.com>
Date: Wed, 20 Feb 2019 12:00:56 +0100
Subject: [PATCH] Use LDADD for adding curl library to the linker command
---
Makefile.am | 2 +-
configure.ac | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 4b05d7a..1541d56 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -55,7 +55,7 @@ if USE_CURL
aide_SOURCES += include/fopen.h src/fopen.c
endif
-aide_LDADD = -lm @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@
+aide_LDADD = -lm @PCRELIB@ @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @E2FSATTRSLIB@ @ELFLIB@ @CURLLIB@
AM_CFLAGS = @AIDE_DEFS@ -W -Wall -g
AM_CPPFLAGS = -I$(top_srcdir) \
-I$(top_srcdir)/include \
diff --git a/configure.ac b/configure.ac
index 3598ebe..0418c59 100644
--- a/configure.ac
+++ b/configure.ac
@@ -702,24 +702,25 @@ if test x$with_zlib = xyes; then
compoptionstring="${compoptionstring}WITH_ZLIB\\n"
fi
+CURLLIB=
if test x$with_curl = xyes; then
AC_PATH_PROG(curlconfig, "curl-config")
if test "_$curlconfig" != _ ; then
CURL_CFLAGS=`$curlconfig --cflags`
- CURL_LIBS=`$curlconfig --libs`
+ CURLLIB=`$curlconfig --libs`
else
AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])
fi
AC_CHECK_HEADERS(curl/curl.h,,
[AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])])
CFLAGS="$CFLAGS $CURL_CFLAGS"
- LDFLAGS="$LDFLAGS $CURL_LIBS"
AC_CHECK_LIB(curl,curl_easy_init,havecurl=yes,
[AC_MSG_ERROR([You don't have curl properly installed. Install it or try --without-curl.])]
)
AC_DEFINE(WITH_CURL,1,[use curl])
compoptionstring="${compoptionstring}WITH_CURL\\n"
fi
+AC_SUBST(CURLLIB)
AM_CONDITIONAL(USE_CURL, test x$havecurl = xyes)
AC_ARG_WITH(mhash,
--
2.20.1
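Review bot: this deletion drops the fix that moves the curl link line from `LDFLAGS` into `aide_LDADD` via a substituted `CURLLIB`; commit b3964ed95f in the list above calls the dropped patches "unused", so the commit message should say (or the spec changelog should record) that upstream 0.18.8 already links curl through `LDADD`, otherwise a reader has to diff upstream to confirm that the build does not regress to putting `-lcurl` in `LDFLAGS`.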


@ -1,17 +0,0 @@
--- ./src/do_md.c 2018-03-19 05:10:19.994957024 -0400
+++ ./src/do_md.c 2018-03-19 05:19:05.829957024 -0400
@@ -135,8 +135,13 @@
continue;
while (!bingo && (data = elf_getdata (scn, data)) != NULL) {
- int maxndx = data->d_size / shdr.sh_entsize;
+ int maxndx;
int ndx;
+
+ if (shdr.sh_entsize != 0)
+ maxndx = data->d_size / shdr.sh_entsize;
+ else
+ continue;
for (ndx = 0; ndx < maxndx; ++ndx) {
(void) gelf_getdyn (data, ndx, &dyn);
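Review bot: the removed hunk is a robustness fix, not a packaging tweak: it guards `data->d_size / shdr.sh_entsize` against a zero `sh_entsize` in a section header, which would otherwise be a division by zero while hashing an ELF file. Before deleting it, confirm that the rebased upstream `do_md.c` either carries an equivalent `sh_entsize != 0` check or no longer contains this ELF scanning loop, and reference that in the commit message; "Remove unused patches" alone does not show the check survived.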


@ -1,153 +0,0 @@
diff -up ./include/md.h.crypto ./include/md.h
--- ./include/md.h.crypto 2016-07-25 22:56:55.000000000 +0200
+++ ./include/md.h 2018-08-29 15:00:30.827491299 +0200
@@ -149,6 +149,7 @@ int init_md(struct md_container*);
int update_md(struct md_container*,void*,ssize_t);
int close_md(struct md_container*);
void md2line(struct md_container*,struct db_line*);
+DB_ATTR_TYPE get_available_crypto();
#endif /*_MD_H_INCLUDED*/
diff -up ./src/aide.c.crypto ./src/aide.c
--- ./src/aide.c.crypto 2018-08-29 15:00:30.825491309 +0200
+++ ./src/aide.c 2018-08-29 15:00:30.827491299 +0200
@@ -349,7 +349,7 @@ static void setdefaults_before_config()
conf->db_attrs = 0;
#if defined(WITH_MHASH) || defined(WITH_GCRYPT)
- conf->db_attrs |= DB_MD5|DB_TIGER|DB_HAVAL|DB_CRC32|DB_SHA1|DB_RMD160|DB_SHA256|DB_SHA512;
+ conf->db_attrs |= get_available_crypto();
#ifdef WITH_MHASH
conf->db_attrs |= DB_GOST;
#ifdef HAVE_MHASH_WHIRLPOOL
diff -up ./src/md.c.crypto ./src/md.c
--- ./src/md.c.crypto 2018-08-29 15:00:30.823491319 +0200
+++ ./src/md.c 2018-08-29 15:02:28.013903479 +0200
@@ -78,6 +78,49 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) {
return r;
}
+const char * hash_gcrypt2str(int i) {
+ char * r = "?";
+#ifdef WITH_GCRYPT
+ switch (i) {
+ case GCRY_MD_MD5: {
+ r = "MD5";
+ break;
+ }
+ case GCRY_MD_SHA1: {
+ r = "SHA1";
+ break;
+ }
+ case GCRY_MD_RMD160: {
+ r = "RMD160";
+ break;
+ }
+ case GCRY_MD_TIGER: {
+ r = "TIGER";
+ break;
+ }
+ case GCRY_MD_HAVAL: {
+ r = "HAVAL";
+ break;
+ }
+ case GCRY_MD_SHA256: {
+ r = "SHA256";
+ break;
+ }
+ case GCRY_MD_SHA512: {
+ r = "SHA512";
+ break;
+ }
+ case GCRY_MD_CRC32: {
+ r = "CRC32";
+ break;
+ }
+ default:
+ break;
+ }
+#endif
+ return r;
+}
+
DB_ATTR_TYPE hash_mhash2attr(int i) {
DB_ATTR_TYPE r=0;
#ifdef WITH_MHASH
@@ -163,6 +206,44 @@ DB_ATTR_TYPE hash_mhash2attr(int i) {
Initialise md_container according it's todo_attr field
*/
+DB_ATTR_TYPE get_available_crypto() {
+
+ DB_ATTR_TYPE ret = 0;
+
+/*
+ * This function is usually called before config processing
+ * and default verbose level is 5
+ */
+#define lvl 255
+
+ error(lvl, "get_available_crypto called\n");
+
+#ifdef WITH_GCRYPT
+
+ /*
+ * some initialization for FIPS
+ */
+ gcry_check_version(NULL);
+ error(lvl, "Found algos:");
+
+ for(int i=0;i<=HASH_GCRYPT_COUNT;i++) {
+
+ if ( (hash_gcrypt2attr(i) & HASH_USE_GCRYPT) == 0 )
+ continue;
+
+ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) == 0) {
+ ret |= hash_gcrypt2attr(i);
+ error(lvl, " %s", hash_gcrypt2str(i));
+ }
+ }
+ error(lvl, "\n");
+
+#endif
+
+ error(lvl, "get_available_crypto_returned with %lld\n", ret);
+ return ret;
+}
+
int init_md(struct md_container* md) {
int i;
@@ -201,18 +282,27 @@ int init_md(struct md_container* md) {
}
#endif
#ifdef WITH_GCRYPT
- if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
+ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
error(0,"gcrypt_md_open failed\n");
exit(IO_ERROR);
}
for(i=0;i<=HASH_GCRYPT_COUNT;i++) {
+
+
if (((hash_gcrypt2attr(i)&HASH_USE_GCRYPT)&md->todo_attr)!=0) {
- DB_ATTR_TYPE h=hash_gcrypt2attr(i);
- error(255,"inserting %llu\n",h);
+
+ DB_ATTR_TYPE h=hash_gcrypt2attr(i);
+
+ if (gcry_md_algo_info(i, GCRYCTL_TEST_ALGO, NULL, NULL) != 0) {
+ error(0,"Algo %s is not available\n", hash_gcrypt2str(i));
+ exit(-1);
+ }
+
+ error(255,"inserting %llu\n",h);
if(gcry_md_enable(md->mdh,i)==GPG_ERR_NO_ERROR){
md->calc_attr|=h;
} else {
- error(0,"gcry_md_enable %i failed",i);
+ error(0,"gcry_md_enable %i failed\n",i);
md->todo_attr&=~h;
}
}
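Review bot: three small points in the removed md.c hunks, relevant only if the patch is ever brought back. `error(lvl, "get_available_crypto_returned with %lld\n", ret)` prints a `DB_ATTR_TYPE` with `%lld` while the surrounding code prints the same type with `%llu` (`error(255,"inserting %llu\n",h)`), so the format should be `%llu`. `#define lvl 255` is never `#undef`'d and leaks into the rest of the translation unit. And the new unavailable-algorithm path calls `exit(-1)` where the adjacent failure path uses the named `IO_ERROR`; a named exit code keeps the meaning of AIDE's exit statuses intact for callers.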


@ -1,103 +0,0 @@
diff -up ./src/aide.c.orig ./aide-0.16b1/src/aide.c
--- ./src/aide.c.orig 2016-07-12 11:10:08.013158385 +0200
+++ ./src/aide.c 2016-07-12 11:30:54.867833064 +0200
@@ -511,9 +511,28 @@ int main(int argc,char**argv)
#endif
umask(0177);
init_sighandler();
-
setdefaults_before_config();
+#if WITH_GCRYPT
+ error(255,"Gcrypt library initialization\n");
+ /*
+ * Initialize libgcrypt as per
+ * http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
+ *
+ *
+ */
+ gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0);
+ gcry_control(GCRYCTL_INIT_SECMEM, 1);
+
+ if(!gcry_check_version(GCRYPT_VERSION)) {
+ error(0,"libgcrypt version mismatch\n");
+ exit(VERSION_MISMATCH_ERROR);
+ }
+
+ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+#endif /* WITH_GCRYPT */
+
+
if(read_param(argc,argv)==RETFAIL){
error(0, _("Invalid argument\n") );
exit(INVALID_ARGUMENT_ERROR);
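Review bot: the initialization order in this hunk does not match the libgcrypt manual the comment itself links: `gcry_control(GCRYCTL_INIT_SECMEM, 1)` is issued before `gcry_check_version(GCRYPT_VERSION)`, whereas the manual's sequence is check_version first, then secure-memory setup, then `GCRYCTL_INITIALIZATION_FINISHED`. The pool size argument of `1` also relies on the library raising it to its internal minimum rather than requesting a size explicitly. If this patch is re-added (the later 8e0d851b93 "cry: use nettle instead of gcrypt" commit suggests it will not be), reorder the calls and pass an explicit pool size.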
@@ -646,6 +665,9 @@ int main(int argc,char**argv)
}
#endif
}
+#ifdef WITH_GCRYPT
+ gcry_control(GCRYCTL_TERM_SECMEM, 0);
+#endif /* WITH_GCRYPT */
return RETOK;
}
const char* aide_key_3=CONFHMACKEY_03;
diff -up ./src/md.c.orig ./aide-0.16b1/src/md.c
--- ./src/md.c.orig 2016-04-15 23:30:16.000000000 +0200
+++ ./src/md.c 2016-07-12 11:35:04.007675329 +0200
@@ -201,14 +201,7 @@ int init_md(struct md_container* md) {
}
#endif
#ifdef WITH_GCRYPT
- error(255,"Gcrypt library initialization\n");
- if(!gcry_check_version(GCRYPT_VERSION)) {
- error(0,"libgcrypt version mismatch\n");
- exit(VERSION_MISMATCH_ERROR);
- }
- gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
- if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){
+ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
error(0,"gcrypt_md_open failed\n");
exit(IO_ERROR);
}
@@ -299,7 +292,7 @@ int close_md(struct md_container* md) {
/*. There might be more hashes in the library. Add those here.. */
- gcry_md_reset(md->mdh);
+ gcry_md_close(md->mdh);
#endif
#ifdef WITH_MHASH
diff -up ./src/util.c.orig ./aide-0.16b1/src/util.c
--- ./src/util.c.orig 2016-07-12 11:39:17.023437355 +0200
+++ ./src/util.c 2016-07-12 11:39:51.618721157 +0200
@@ -519,28 +519,5 @@ int syslog_facility_lookup(char *s)
return(AIDE_SYSLOG_FACILITY);
}
-/* We need these dummy stubs to fool the linker into believing that
- we do not need them at link time */
-
-void* dlopen(char*filename,int flag)
-{
- return NULL;
-}
-
-void* dlsym(void*handle,char*symbol)
-{
- return NULL;
-}
-
-void* dlclose(void*handle)
-{
- return NULL;
-}
-
-const char* dlerror(void)
-{
- return NULL;
-}
-
const char* aide_key_2=CONFHMACKEY_02;
const char* db_key_2=DBHMACKEY_02;
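Review bot: the dummy `dlopen`/`dlsym`/`dlclose`/`dlerror` stubs removed in this hunk returned NULL to satisfy a static link; `%configure --disable-static` in the spec makes them unnecessary, and their prototypes were wrong anyway (`dlclose` returns `int`, not `void*`, and the real `dlopen`/`dlsym` take `const char*`), so nothing of value is lost. The one thing to verify is that the `close_md()` change earlier in this patch, `gcry_md_reset()` to `gcry_md_close()`, which released the handle instead of leaking it, is either covered upstream in 0.19.2 or moot with the nettle backend.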


@ -1,15 +0,0 @@
diff -up ./doc/aide.1.in.orig ./doc/aide.1.in
--- ./doc/aide.1.in.orig 2016-07-12 16:10:01.724595895 +0200
+++ ./doc/aide.1.in 2016-07-12 16:06:21.968639822 +0200
@@ -103,9 +103,9 @@ echo <encoded_checksum> | base64 \-d | h
.SH FILES
.IP \fB@sysconfdir@/aide.conf\fR
Default aide configuration file.
-.IP \fB@sysconfdir@/aide.db\fR
+.IP \fB@localstatedir@/lib/aide/aide.db\fR
Default aide database.
-.IP \fB@sysconfdir@/aide.db.new\fR
+.IP \fB@localstatedir@/lib/aide/aide.db.new\fR
Default aide output database.
.SH SEE ALSO
.BR aide.conf (5)
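Review bot: dropping this patch removes the `@localstatedir@/lib/aide/aide.db` and `aide.db.new` substitutions from the FILES section of aide.1.in. The spec in this range still creates `%{_localstatedir}/lib/aide` (`mkdir -p -m0700`) and aide.conf still reads the database from `@@{DBDIR}`, so the man page now has to get the right paths from upstream 0.19.2 itself; please confirm the installed aide(1) no longer lists `@sysconfdir@/aide.db`, otherwise the patch (or a sed in %prep) needs to come back.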

aide.conf

@ -4,7 +4,7 @@
@@define LOGDIR /var/log/aide
# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz
database_in=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
@ -14,19 +14,49 @@ database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Database attributes to include in report (H = all compiled hashsums, default)
database_attrs=H
# Add metadata to database (version info, timestamps)
database_add_metadata=yes
# Warn about unrestricted rules during config check (default: false)
config_check_warn_unrestricted_rules=false
# Number of workers for parallel processing (default: 1, can use percentage)
num_workers=1
# Default.
verbose=5
log_level=warning
report_level=changed_attributes
# Report format (plain or json)
report_format=plain
# Group files in report by added/removed/changed
report_grouped=yes
# Summarize changes in report
report_summarize_changes=yes
# Don't report if no differences found
report_quiet=no
# Report encoding (base64 is default, base16 available)
report_base16=no
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#NOT IMPLEMENTED report_url=mailto:root@foo.com
#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
#report_url=syslog:LOG_AUTH
# These are the default rules.
#
#ftype: file type
#fstype: file system type (Linux-only)
#p: permissions
#i: inode:
#i: inode
#l: link name (symbolic links only)
#n: number of links
#u: user
#g: group
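Review bot: `report_url=file:@@{LOGDIR}/aide.log` and `report_url=stdout` both appear here, and the spec creates `%{_localstatedir}/log/aide` with mode 0700, so the on-disk report is protected; note though that the `!/var/log/aide.log` exclusion further down in this file still points at the old location, not `/var/log/aide/aide.log`. Also worth checking: `verbose=5` is kept next to the new `log_level=warning` and `report_level=changed_attributes`; if 0.19.2 treats `verbose` as a deprecated alias, the line should go so the config check does not warn on every run. The adjacent `#i: inode:` / `#i: inode` comment lines are the old and new spelling of one line in this flattened view; only the fixed one should survive.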
@ -35,55 +65,78 @@ report_url=stdout
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#e2fsattrs: file attributes on Linux file system
#caps: file capabilities (Linux-only)
# Hashsums attributes (regular files only)
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#sha512_256: SHA-512 checksum truncated to 256 output bits
#sha3_256: SHA3-256 checksum (modern)
#sha3_512: SHA3-512 checksum (modern)
#stribog256: GOST R 34.11-2012, 256 bit
#stribog512: GOST R 34.11-2012, 512 bit
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
# DEPRECATED (will be removed in future versions):
#md5: md5 checksum (deprecated since v0.19)
#sha1: sha1 checksum (deprecated since v0.19)
#rmd160: rmd160 checksum (deprecated since v0.19)
#gost: gost checksum (deprecated since v0.19)
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
# REMOVED in AIDE v0.19:
#S: check for growing size (use 'growing+s' instead)
#tiger: tiger checksum (removed)
#haval: haval checksum (removed)
#crc32: crc32 checksum (removed)
#crc32b: crc32b checksum (removed)
#whirlpool: whirlpool checksum (removed)
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
# Special attributes for advanced use cases:
#I: ignore changed filename - detects moved files by inode
#growing: ignore growing file size/timestamps for logs
#compressed: ignore compression - compares uncompressed content
#ANF: allow new files - new files ignored in report
#ARF: allow removed files - missing files ignored in report
# Default groups in AIDE v0.19:
# R = p+ftype+i+l+n+u+g+s+m+c+sha3_256+X
# L = p+ftype+i+l+n+u+g+X
# > = Growing file p+ftype+l+u+g+i+n+s+growing+X
# H = all compiled in (and not deprecated) hashsums
# X = acl+selinux+xattrs+e2fsattrs+caps (if compiled in)
# E = Empty group
# Use 'aide --version' to list the default compound groups.
# You can create custom rules like this.
# With MHASH...
# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost)
ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512
# Everything but access time (Ie. all changes) - updated with modern hashsums
EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = FIPSR+sha512
# Base + sha512 (strong)
NORMAL = R+sha512-m-c
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
# Content only - added file type and strong hash
CONTENT = ftype+sha512
# Access control only
PERMS = p+i+u+g+acl+selinux
# For directories, don't bother doing hashes - added file type and link name
DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
# Logfile are special, in that they often change
LOG = >
# Access control only - added file type and link name
PERMS = ftype+p+u+g+acl+selinux+xattrs
# Just do sha256 and sha512 hashes
LSPP = FIPSR+sha512
# Logfiles are special, in that they often change due to log rotation
# Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes
# Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques
# Don't track: size, inodes, timestamps, checksums and some special attributes (these change frequently with log rotation)
LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
# but we want to know when the data inside them changes - updated with modern hash
DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
# Next decide what directories/files you want in the database.
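Review bot: `NORMAL = R+sha512-m-c` drops mtime and ctime from the default rule for regular files, so a change to timestamps alone on a NORMAL file will no longer be reported; content changes are still caught, and in fact twice over, since `R` already includes `sha3_256` per the comment above and `sha512` is added on top. That doubles hashing cost on every NORMAL file, so consider whether `R-m-c` with a single strong hash is enough, and record the m/c decision in the rule's comment (it currently says only "Base + sha512 (strong)"). `LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs` matches the rotation reasoning in its comment; do keep in mind that `ANF`/`ARF` means new or vanished files under a LOG path are never reported, so the rule should not be reused for directories where a new file is itself the signal (cron.d, sudoers.d).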
@ -92,124 +145,220 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
# Monitor /opt selectively to avoid noise from auto-updating applications
/opt CONTENT
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# Admins dot files constantly change, just check perms
/root/\..* PERMS
!/root/.xauth*
/root NORMAL
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
# trusted databases
/etc/hosts$ NORMAL
/etc/host.conf$ NORMAL
/etc/hostname$ NORMAL
/etc/issue$ NORMAL
/etc/issue.net$ NORMAL
/etc/protocols$ NORMAL
/etc/services$ NORMAL
/etc/localtime$ NORMAL
/etc/alternatives NORMAL
/etc/mime.types$ NORMAL
/etc/terminfo NORMAL
/etc/exports$ NORMAL
/etc/fstab$ NORMAL
/etc/passwd$ NORMAL
/etc/group$ NORMAL
/etc/gshadow$ NORMAL
/etc/shadow$ NORMAL
/etc/subgid$ NORMAL
/etc/subuid$ NORMAL
/etc/skel NORMAL
/etc/sssd NORMAL
/etc/swid NORMAL
/etc/system-release-cpe$ NORMAL
/etc/tmux.conf$ NORMAL
/etc/xattr.conf$ NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
# networking
/etc/firewalld NORMAL
!/etc/NetworkManager/system-connections
/etc/NetworkManager NORMAL
/etc/networks$ NORMAL
/etc/dhcp NORMAL
/etc/wpa_supplicant NORMAL
/etc/resolv.conf$ DATAONLY
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# logins and accounts
/etc/login.defs$ NORMAL
/etc/libuser.conf$ NORMAL
/var/log/faillog$ PERMS
/var/log/lastlog$ PERMS
/var/run/faillock PERMS
/etc/pam.d NORMAL
/etc/security NORMAL
/etc/securetty$ NORMAL
/etc/polkit-1 NORMAL
/etc/sudo.conf$ NORMAL
/etc/sudoers$ NORMAL
/etc/sudoers.d NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
/etc/profile$ NORMAL
/etc/profile.d NORMAL
/etc/bashrc$ NORMAL
/etc/bash_completion.d NORMAL
/etc/zprofile$ NORMAL
/etc/zshrc$ NORMAL
/etc/zlogin$ NORMAL
/etc/zlogout$ NORMAL
/etc/X11 NORMAL
/etc/shells$ NORMAL
# Pkg manager
/etc/yum.conf NORMAL
/etc/yumex.conf NORMAL
/etc/yumex.profiles.conf NORMAL
/etc/yum/ NORMAL
/etc/yum.repos.d/ NORMAL
/etc/dnf NORMAL
/etc/yum.repos.d NORMAL
# auditing
# AIDE produces an audit record, so this becomes perpetual motion.
/var/log/audit PERMS
/etc/audit NORMAL
/etc/libaudit.conf$ NORMAL
/etc/aide.conf$ NORMAL
# System logs with proper logrotate handling
/etc/rsyslog.conf$ NORMAL
/etc/rsyslog.d NORMAL
/etc/logrotate.conf$ NORMAL
/etc/logrotate.d NORMAL
/etc/systemd/journald.conf$ NORMAL
# Log directory
/var/log LOG
# Journal files - exclude xattrs and link count due to systemd journal's user.crtime_usec extended attribute changes and new directory creation
/var/log/journal LOG-xattrs-n
/var/log LOG
/var/run/utmp LOG
# secrets
/etc/pkcs11 NORMAL
/etc/pki NORMAL
/etc/ssl NORMAL
/etc/certmonger NORMAL
/var/lib/systemd/random-seed$ PERMS
# init system
/etc/systemd NORMAL
/etc/sysconfig NORMAL
/etc/rc.d NORMAL
/etc/tmpfiles.d NORMAL
/etc/machine-id$ NORMAL
# boot config
/etc/default NORMAL
/etc/grub.d NORMAL
/etc/grub2.cfg$ NORMAL
/etc/dracut.conf$ NORMAL
/etc/dracut.conf.d NORMAL
# glibc linker
/etc/ld.so.cache$ NORMAL
/etc/ld.so.conf$ NORMAL
/etc/ld.so.conf.d NORMAL
/etc/ld.so.preload$ NORMAL
# kernel config
/etc/sysctl.conf$ NORMAL
/etc/sysctl.d NORMAL
/etc/modprobe.d NORMAL
/etc/modules-load.d NORMAL
/etc/depmod.d NORMAL
/etc/udev NORMAL
/etc/crypttab$ NORMAL
#### Daemons ####
# cron jobs
/var/spool/at CONTENT
/etc/at.allow$ CONTENT
/etc/at.deny$ CONTENT
/etc/anacrontab$ NORMAL
/etc/cron.allow$ NORMAL
/etc/cron.deny$ NORMAL
/etc/cron.d NORMAL
/etc/cron.daily NORMAL
/etc/cron.hourly NORMAL
/etc/cron.monthly NORMAL
/etc/cron.weekly NORMAL
/etc/crontab$ NORMAL
/var/spool/cron/root CONTENT
# time keeping
/etc/chrony.conf$ NORMAL
/etc/chrony.keys$ NORMAL
# mail
/etc/aliases$ NORMAL
/etc/aliases.db$ NORMAL
/etc/postfix NORMAL
# ssh
/etc/ssh/sshd_config$ NORMAL
/etc/ssh/ssh_config$ NORMAL
# stunnel
/etc/stunnel NORMAL
# ftp
/etc/vsftpd CONTENT
# printing
/etc/cups NORMAL
/etc/cupshelpers NORMAL
/etc/avahi NORMAL
# web server
/etc/httpd NORMAL
# dns
/etc/named NORMAL
/etc/named.conf$ NORMAL
/etc/named.iscdlv.key$ NORMAL
/etc/named.rfc1912.zones$ NORMAL
/etc/named.root.key$ NORMAL
# xinetd
/etc/xinetd.conf$ NORMAL
/etc/xinetd.d NORMAL
# IPsec
/etc/ipsec.conf$ NORMAL
/etc/ipsec.secrets$ NORMAL
/etc/ipsec.d NORMAL
# USBGuard
/etc/usbguard NORMAL
# Now everything else
/etc PERMS
# This gets new/removes-old filenames daily
!/var/log/sa
# As we are checking it, we've truncated yesterdays size to zero.
!/var/log/aide.log
# LSPP rules...
# AIDE produces an audit record, so this becomes perpetual motion.
# /var/log/audit/ LSPP
/etc/audit/ LSPP
/etc/libaudit.conf LSPP
/usr/sbin/stunnel LSPP
/var/spool/at LSPP
/etc/at.allow LSPP
/etc/at.deny LSPP
/etc/cron.allow LSPP
/etc/cron.deny LSPP
/etc/cron.d/ LSPP
/etc/cron.daily/ LSPP
/etc/cron.hourly/ LSPP
/etc/cron.monthly/ LSPP
/etc/cron.weekly/ LSPP
/etc/crontab LSPP
/var/spool/cron/root LSPP
/etc/login.defs LSPP
/etc/securetty LSPP
/var/log/faillog LSPP
/var/log/lastlog LSPP
/etc/hosts LSPP
/etc/sysconfig LSPP
/etc/inittab LSPP
/etc/grub/ LSPP
/etc/rc.d LSPP
/etc/ld.so.conf LSPP
/etc/localtime LSPP
/etc/sysctl.conf LSPP
/etc/modprobe.conf LSPP
/etc/pam.d LSPP
/etc/security LSPP
/etc/aliases LSPP
/etc/postfix LSPP
/etc/ssh/sshd_config LSPP
/etc/ssh/ssh_config LSPP
/etc/stunnel LSPP
/etc/vsftpd.ftpusers LSPP
/etc/vsftpd LSPP
/etc/issue LSPP
/etc/issue.net LSPP
/etc/cups LSPP
# With AIDE's default verbosity level of 5, these would give lots of
# warnings upon tree traversal. It might change with future version.
#
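Review bot: `/etc PERMS` appears both above the specific /etc entries and again under `# Now everything else`; the flattened diff hides which copy is old, but only one should remain, placed so that the more specific NORMAL and DATAONLY rules for entries like `/etc/shadow$` and `/etc/resolv.conf$` take effect over it. The `!/var/log/aide.log` exclusion is stale: with `@@define LOGDIR /var/log/aide` the report lands in `/var/log/aide/aide.log`, so this negation never matches (harmless only because `/var/log LOG` carries ANF/ARF and no size or hash attributes, so the report file's own churn is not reported). `/var/log/journal LOG-xattrs-n` narrows the journal rule instead of excluding the directory, which is the better pattern. One caveat on `!/etc/.*~`: AIDE anchors regexes at the start only, so this drops every path under /etc containing a `~`, broader than the "backup files" comment suggests.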
@ -217,7 +366,7 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
#=/home DIR
# Ditto /var/log/sa reason...
!/var/log/and-httpd
!/var/log/httpd
# /boot/grub2/grubenv's timestamp is getting modified continuously due to "boot_success" implementation
!/boot/grub2/grubenv
# Admins dot files constantly change, just check perms
/root/\..* PERMS
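Review bot: `!/boot/grub2/grubenv` removes the file from the database entirely; the comment explains the timestamp churn from boot_success, but a full exclusion also silences permission and ownership changes to a file that steers the boot process. A narrower rule that ignores only the churning attributes, for example `/boot/grub2/grubenv$ PERMS`, keeps the file visible for the cost of one line (a content hash would still churn, because grub2-editenv rewrites the env block in place when it records boot_success). `/root/\..* PERMS` moving here, after `/root NORMAL` in the previous hunk, is consistent with the reordering of the /root rules earlier in this file.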

aide.rpmlintrc Normal file

@ -0,0 +1,15 @@
# RPMlint configuration for aide package
# These warnings are expected and intentional for security reasons
# AIDE log directory has restricted permissions (700) for security
# Log files may contain sensitive security information
addFilter("aide.* non-standard-dir-perm /var/log/aide 700")
# AIDE configuration file has restricted permissions (600) for security
# Configuration reveals what files/directories are monitored
addFilter("aide.* non-readable /etc/aide.conf 600")
# FSF address in COPYING file is outdated - this is an upstream issue
# The license text contains the old FSF address format
addFilter("aide.* incorrect-fsf-address /usr/share/licenses/aide/COPYING")
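Review bot: the `non-readable /etc/aide.conf 600` filter only matches if the packaged config really ends up mode 0600, but the %install line in this range uses `install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{SOURCE3}` for aide.conf; the %files entry that sets the final mode sits outside the visible hunks, so please confirm it carries `%attr(0600,root,root)`, otherwise either this filter is dead or the config ships world-readable, which the comment above argues against. The `non-standard-dir-perm /var/log/aide 700` filter does line up with `%dir %attr(0700,root,root) %{_localstatedir}/log/aide` in the spec.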

aide.spec

@ -1,21 +1,24 @@
Summary: Intrusion detection environment
Name: aide
Version: 0.16
Release: 16%{?dist}
URL: http://sourceforge.net/projects/aide
License: GPLv2+
Version: 0.19.2
Release: %autorelease
URL: https://github.com/aide/aide
License: GPL-2.0-or-later
Source0: %{url}/files/aide/%{version}/%{name}-%{version}.tar.gz
Source1: aide.conf
Source2: README.quickstart
Source3: aide.logrotate
Source0: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz
Source1: %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz.asc
# gpg2 --recv-keys 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931
# gpg2 --export --export-options export-minimal 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931 >gpgkey-aide.gpg
Source2: gpgkey-aide.gpg
Source3: aide.conf
Source4: README.quickstart
Source5: aide.logrotate
BuildRequires: gcc
BuildRequires: make
BuildRequires: bison flex
BuildRequires: pcre-devel
BuildRequires: libgpg-error-devel libgcrypt-devel
BuildRequires: pcre2-devel
BuildRequires: libgpg-error-devel nettle-devel
BuildRequires: zlib-devel
BuildRequires: libcurl-devel
BuildRequires: libacl-devel
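Review bot: fetching the detached signature (Source1) and verifying it against a minimal exported keyring (Source2) closes the gap the old `sourceforge.net` tarball had; the fingerprint in the `gpg2 --recv-keys` comment is what a reviewer checks, so the comment should also say where that fingerprint was confirmed (upstream release page or similar), not only how the key was fetched. The dependency swap `pcre-devel` to `pcre2-devel` and `libgcrypt-devel` to `nettle-devel` matches the `--without-gcrypt --with-nettle` configure flags in the next hunk; `GPL-2.0-or-later` and `%autorelease` follow current Fedora conventions.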
@ -24,33 +27,30 @@ BuildRequires: libattr-devel
BuildRequires: e2fsprogs-devel
BuildRequires: audit-libs-devel
BuildRequires: autoconf automake libtool
# For verifying signatures
BuildRequires: gnupg2
# For being able to run 'make check'
BuildRequires: check-devel
# Customize the database file location in the man page.
Patch1: aide-0.16rc1-man.patch
# fix aide in FIPS mode
Patch2: aide-0.16b1-fipsfix.patch
# Bug 1674637 - aide: FTBFS in Fedora rawhide/f30
Patch3: aide-0.16-Use-LDADD-for-adding-curl-library-to-the-linker-comm.patch
Patch4: aide-0.15-syslog-format.patch
Patch5: aide-0.16-crypto-disable-haval-and-others.patch
Patch6: coverity.patch
Patch7: aide-0.16-crash-elf.patch
Requires: logrotate
%description
AIDE (Advanced Intrusion Detection Environment) is a file integrity
checker and intrusion detection program.
%prep
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -p1
cp -a %{S:2} .
cp -a %{SOURCE4} .
%build
autoreconf -ivf
#autoreconf -ivf
%configure \
--disable-static \
--with-config_file=%{_sysconfdir}/aide.conf \
--with-gcrypt \
--without-gcrypt \
--with-nettle \
--with-zlib \
--with-curl \
--with-posix-acl \
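Review bot: `#autoreconf -ivf` should be deleted rather than commented out; a commented build step invites someone to re-enable it without knowing why it went away. `%{gpgverify}` is correctly placed before `%autosetup`, so nothing is unpacked until the signature checks out. Removing the seven `Patch` lines together with the switch from `--with-gcrypt` to `--without-gcrypt --with-nettle` also drops the FIPS-mode fix that Patch2 carried for the gcrypt backend, and the aide.conf in this range replaces the `FIPSR` rule as well; a sentence in the commit message stating the intended FIPS-mode behaviour with nettle would save the next rebase from rediscovering this.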
@ -60,16 +60,19 @@ autoreconf -ivf
--with-audit
%make_build
%check
make check
%install
%make_install bindir=%{_sbindir}
install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:1}
install -Dpm0644 %{S:3} %{buildroot}%{_sysconfdir}/logrotate.d/aide
install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{SOURCE3}
install -Dpm0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/aide
mkdir -p %{buildroot}%{_localstatedir}/log/aide
mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
%files
%license COPYING
%doc AUTHORS ChangeLog NEWS README doc/manual.html contrib/
%doc AUTHORS ChangeLog NEWS README
%doc README.quickstart
%{_sbindir}/aide
%{_mandir}/man1/*.1*
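Review bot: `mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide` keeps the database directory root-only, which matters because the database enumerates every monitored path with its hashes; good. `%doc` loses `doc/manual.html contrib/`; if the 0.19.2 tarball no longer ships them this is required, but then `README.quickstart` (Source4) becomes the only user-facing guidance, so it should at least mention the `database_in`/`database_out` keys used by the new aide.conf.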
@ -80,244 +83,4 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
%dir %attr(0700,root,root) %{_localstatedir}/log/aide
%changelog
* Fri Jul 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-16
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> 0.16-14
- AIDE breaks when setting report_ignore_e2fsattrs
Resolves: rhbz#1850276
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Jul 31 2019 Radovan Sroka <rsroka@redhat.com> - 0.16-12
- backport some patches
Resolves: rhbz#1717140
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Feb 20 2019 Daniel Kopecek <dkopecek@redhat.com> - 0.16-10
- Fix building with curl
Resolves: rhbz#1674637
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Jul 31 2018 Florian Weimer <fweimer@redhat.com> - 0.16-8
- Rebuild with fixed binutils
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Feb 20 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.16-6
- Rebuild
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Wed Apr 05 2017 Radovan Sroka <rsroka@redhat.com> - 0.16-2
- fixed upstream link
* Tue Apr 04 2017 Radovan Sroka <rsroka@redhat.com> - 0.16-1
- rebase to stable v0.16
- specfile cleanup
- make doc readable
resolves: #1421355
- make aide binary runable for any user
resolves: #1421351
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.16-0.3.rc1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Tue Jul 12 2016 Tomas Sykora <tosykora@redhat.com> - 0.16-0.2.rc1
- New upstream devel version
* Mon Jun 20 2016 Tomas Sykora <tosykora@redhat.com> - 0.16-0.1.b1
- New upstream devel version
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.15.1-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Sat Jul 25 2015 Till Maas <opensource@till.name> - 0.15.1-11
- Remove prelink dependency because prelink was retired
* Tue Jun 16 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Fri Jul 18 2014 Yaakov Selkowitz <yselkowi@redhat.com> - 0.15.1-8
- Fix FTBFS with -Werror=format-security (#1036983, #1105942)
- Avoid prelink BR on aarch64, ppc64le (#924977, #1078476)
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Thu Nov 22 2012 Daniel Kopecek <dkopecek@redhat.com> - 0.15.1-4
- added patch to fix aide in FIPS mode
- use only FIPS approved digest algorithms in aide.conf so that
aide works by default in FIPS mode
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Thu Nov 11 2010 Steve Grubb <sgrubb@redhat.com> - 0.15.1-1
- New upstream release
* Tue May 18 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-5
- Apply 2 upstream bug fixes
* Tue May 18 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-4
- Use upstream's patch to fix bz 590566
* Sat May 15 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-3
- Fix bz 590561 aide does not detect the change of SElinux context
- Fix bz 590566 aide reports a changed file when it has not been changed
* Wed Apr 28 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-2
- Fix bz 574764 by replacing abort calls with exit
- Apply libgcrypt init patch
* Tue Mar 16 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-1
- New upstream release final 0.14
* Thu Feb 25 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.4.rc3
- New upstream release
* Thu Feb 25 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.3.rc2
- New upstream release
* Tue Feb 23 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.2.rc1
- Fix dirent detection on 64bit systems
* Mon Feb 22 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.1.rc1
- New upstream release
* Fri Feb 19 2010 Steve Grubb <sgrubb@redhat.com> - 0.13.1-16
- Add logrotate script and spec file cleanups
* Fri Dec 11 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-15
- Get rid of .dedosify files
* Wed Dec 09 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-14
- Revise patch for Initialize libgcrypt correctly (#530485)
* Sat Nov 07 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-13
- Initialize libgcrypt correctly (#530485)
* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 0.13.1-12
- rebuilt with new audit
* Wed Aug 19 2009 Steve Grubb <sgrubb@redhat.com> 0.13.1-11
- rebuild for new audit-libs
- Correct regex for root's dot files (#509370)
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Mon Jun 08 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-9
- Make aide smarter about prelinked files (Peter Vrabec)
- Add /lib64 to default config
* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Fri Jan 30 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-6
- enable xattr support and update config file
* Fri Sep 26 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.13.1-5
- fix selcon patch to apply without fuzz
* Fri Feb 15 2008 Steve Conklin <sconklin@redhat.com>
- rebuild for gcc4.3
* Tue Aug 21 2007 Michael Schwendt <mschwendt[AT]users.sf.net>
- rebuilt
* Sun Jul 22 2007 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13.1-2
- Apply Steve Conklin's patch to increase displayed portion of
selinux context.
* Sun Dec 17 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13.1-1
- Update to 0.13.1 release.
* Sun Dec 10 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13-1
- Update to 0.13 release.
- Include default aide.conf from RHEL5 as doc example file.
* Sun Oct 29 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-3.20061027cvs
- CAUTION! This changes the database format and results in a report of
false inconsistencies until an old database file is updated.
- Check out CVS 20061027 which now contains Red Hat's
acl/xattr/selinux/audit patches.
- Patches merged upstream.
- Update manual page substitutions.
* Mon Oct 23 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-2
- Add "memory leaks and performance updates" patch as posted
to aide-devel by Steve Grubb.
* Sat Oct 07 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-1
- Update to 0.12 release.
- now offers --disable-static, so -no-static patch is obsolete
- fill last element of getopt struct array with zeroes
* Mon Oct 02 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-3
- rebuilt
* Mon Sep 11 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-2
- rebuilt
* Sun Feb 19 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-1
- Update to 0.11 release.
- useless-includes patch merged upstream.
- old Russian man pages not available anymore.
- disable static linking.
* Thu Apr 7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
- rebuilt
* Fri Nov 28 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.1
- Update to 0.10 release.
- memleaks patch merged upstream.
- rootpath patch merged upstream.
- fstat patch not needed anymore.
- Updated URL.
* Thu Nov 13 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.0.2.cvs20031104
- Added buildreq m4 to work around incomplete deps of bison package.
* Tue Nov 04 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.0.1.cvs20031104
- Only tar.gz available upstream.
- byacc not needed when bison -y is available.
- Installed Russian manual pages.
- Updated with changes from CVS (2003-11-04).
- getopt patch merged upstream.
- bison-1.35 patch incorporated upstream.
* Tue Sep 09 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.9-0.fdr.0.2.20030902
- Added fixes for further memleaks.
* Sun Sep 07 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.9-0.fdr.0.1.20030902
- Initial package version.
%autochangelog
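Review bot: replacing the hand-written %changelog with `%autochangelog` removes the entries back to 2003 from the spec; with rpmautospec the old entries survive in the built RPM only if they are kept in a `changelog` file next to the spec, so confirm that file exists in this repository before merging. Those entries also record why Patch2 (FIPS mode, 0.15.1-4) and the libgcrypt initialization fix (0.13.1-13, #530485) existed; with both patches now dropped, that rationale is worth preserving somewhere findable.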

ci.fmf Normal file

@ -0,0 +1,12 @@
#e2e test plan
/e2e:
plan:
import:
url: https://github.com/RedHat-SP-Security/aide-plans.git
name: /generic/e2e_ci
/rpmverify:
plan:
import:
url: https://github.com/RedHat-SP-Security/aide-plans.git
name: /generic/rpmverify
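Review bot: both plans are imported from `https://github.com/RedHat-SP-Security/aide-plans.git` without a `ref:`; the tmt plan import accepts one, and pinning it makes CI reproducible and stops a change in that external repository from silently altering which tests gate this package. Nit: `#e2e test plan` lacks the space after `#` used in the other comment lines in this range.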


@ -1,642 +0,0 @@
diff -up ./include/be.h.coverity ./include/be.h
--- ./include/be.h.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./include/be.h 2018-10-10 19:27:18.680632681 +0200
@@ -22,6 +22,6 @@
#define _BE_H_INCLUDED
#include "db_config.h"
-FILE* be_init(int inout,url_t* u,int iszipped);
+void* be_init(int inout,url_t* u,int iszipped);
#endif /* _BE_H_INCLUDED */
diff -up ./include/db_config.h.coverity ./include/db_config.h
--- ./include/db_config.h.coverity 2018-10-10 19:27:18.672632611 +0200
+++ ./include/db_config.h 2018-10-10 19:27:18.681632689 +0200
@@ -376,7 +376,7 @@ typedef struct db_config {
#endif
url_t* initial_report_url;
- FILE* initial_report_fd;
+ void* initial_report_fd;
/* report_url is a list of url_t*s */
list* report_url;
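Review bot: widening `be_init()` and `initial_report_fd` from `FILE*` to `void*` makes the type honest when the `iszipped` path hands back a gzip handle, but it also removes the compiler's ability to catch a `FILE*` passed to a gz call or the reverse. Since the whole patch is being removed with the rebase, the question is whether upstream 0.19.2 resolves this with a proper tagged type rather than `void*`; that is worth checking before the Coverity findings this file addressed are considered closed.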
diff -up ./src/aide.c.coverity ./src/aide.c
--- ./src/aide.c.coverity 2018-10-10 19:27:18.678632663 +0200
+++ ./src/aide.c 2018-10-10 19:27:18.681632689 +0200
@@ -278,7 +278,7 @@ static void setdefaults_before_config()
error(0,_("Couldn't get hostname"));
free(s);
} else {
- s=(char*)realloc((void*)s,strlen(s)+1);
+ // s=(char*)realloc((void*)s,strlen(s)+1);
do_define("HOSTNAME",s);
}
@@ -506,8 +506,6 @@ static void setdefaults_after_config()
int main(int argc,char**argv)
{
int errorno=0;
- byte* dig=NULL;
- char* digstr=NULL;
#ifdef USE_LOCALE
setlocale(LC_ALL,"");
@@ -544,6 +542,10 @@ int main(int argc,char**argv)
}
errorno=commandconf('C',conf->config_file);
+ if (errorno==RETFAIL){
+ error(0,_("Configuration error\n"));
+ exit(INVALID_CONFIGURELINE_ERROR);
+ }
errorno=commandconf('D',"");
if (errorno==RETFAIL){
@@ -594,6 +596,9 @@ int main(int argc,char**argv)
}
}
#ifdef WITH_MHASH
+ byte* dig=NULL;
+ char* digstr=NULL;
+
if(conf->config_check&&FORCECONFIGMD){
error(0,"Can't give config checksum when compiled with --enable-forced_configmd\n");
exit(INVALID_ARGUMENT_ERROR);
diff -up ./src/base64.c.coverity ./src/base64.c
--- ./src/base64.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/base64.c 2018-10-10 19:27:18.681632689 +0200
@@ -209,6 +209,7 @@ byte* decode_base64(char* src,size_t ssi
case FAIL:
error(3, "decode_base64: Illegal character: %c\n", *inb);
error(230, "decode_base64: Illegal line:\n%s\n", src);
+ free(outbuf);
return NULL;
break;
case SKIP:
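Review bot: the `free(outbuf)` added on the `FAIL` path of `decode_base64()` closes a leak on malformed input; as this patch is being dropped, confirm that 0.19.2 frees the buffer on that path before the corresponding Coverity finding is marked resolved. The `//unsigned long triple;` edits in the following hunks only comment out a write-only variable; they should have been deletions, though that is moot for a removed file.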
@@ -260,7 +261,7 @@ size_t length_base64(char* src,size_t ss
int l;
int left;
size_t pos;
- unsigned long triple;
+ //unsigned long triple;
error(235, "decode base64\n");
/* Exit on empty input */
@@ -273,7 +274,7 @@ size_t length_base64(char* src,size_t ss
inb = src;
l = 0;
- triple = 0;
+ //triple = 0;
pos=0;
left = ssize;
/*
@@ -293,7 +294,7 @@ size_t length_base64(char* src,size_t ss
case SKIP:
break;
default:
- triple = triple<<6 | (0x3f & i);
+ //triple = triple<<6 | (0x3f & i);
l++;
break;
}
@@ -302,10 +303,10 @@ size_t length_base64(char* src,size_t ss
switch(l)
{
case 2:
- triple = triple>>4;
+ //triple = triple>>4;
break;
case 3:
- triple = triple>>2;
+ //triple = triple>>2;
break;
default:
break;
@@ -314,7 +315,7 @@ size_t length_base64(char* src,size_t ss
{
pos++;
}
- triple = 0;
+ //triple = 0;
l = 0;
}
inb++;
diff -up ./src/be.c.coverity ./src/be.c
--- ./src/be.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/be.c 2018-10-10 19:27:18.681632689 +0200
@@ -117,9 +117,9 @@ static char* get_first_value(char** in){
#endif
-FILE* be_init(int inout,url_t* u,int iszipped)
+void* be_init(int inout,url_t* u,int iszipped)
{
- FILE* fh=NULL;
+ void* fh=NULL;
long a=0;
char* err=NULL;
int fd;
diff -up ./src/commandconf.c.coverity ./src/commandconf.c
--- ./src/commandconf.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/commandconf.c 2018-10-10 19:27:18.682632698 +0200
@@ -106,7 +106,7 @@ int commandconf(const char mode,const ch
rv=0;
} else {
- rv=access(config,R_OK);
+ if (config != NULL) rv=access(config,R_OK);
if(rv==-1){
error(0,_("Cannot access config file: %s: %s\n"),config,strerror(errno));
}
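Review bot: `if (config != NULL) rv=access(config,R_OK);` leaves `rv` at its previous value when `config` is NULL, and the next line only reports when `rv==-1`; a NULL config path therefore passes silently instead of failing, which is the wrong direction for an integrity checker. A version of this fix worth keeping would set `rv=-1` (or report explicitly) in the NULL case. Moot for the dropped file, but worth checking how upstream 0.19.2 handles a missing config path.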
@@ -166,14 +166,11 @@ int commandconf(const char mode,const ch
int conf_input_wrapper(char* buf, int max_size, FILE* in)
{
int retval=0;
- int c=0;
- char* tmp=NULL;
- void* key=NULL;
- int keylen=0;
/* FIXME Add support for gzipped config. :) */
#ifdef WITH_MHASH
/* Read a character at a time until we are doing md */
+ int c=0;
if(conf->do_configmd){
retval=fread(buf,1,max_size,in);
}else {
@@ -185,6 +182,9 @@ int conf_input_wrapper(char* buf, int ma
#endif
#ifdef WITH_MHASH
+ char* tmp=NULL;
+ void* key=NULL;
+ int keylen=0;
if(conf->do_configmd||conf->config_check){
if(((conf->do_configmd==1)&&conf->config_check)||!conf->confmd){
if(conf->do_configmd==1){
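Review bot: `char* tmp`, `void* key` and `int keylen` are now declared after executable statements in the middle of the function, which relies on C99 mixed declarations and code; gcc accepts that by default but a build with `-Wdeclaration-after-statement -Werror` or a C89 compiler fails. Either keep the declarations at the top of the function inside the same `#ifdef WITH_MHASH`, or open a block `{ ... }` around the mhash-specific code.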
@@ -276,6 +276,9 @@ int db_input_wrapper(char* buf, int max_
#endif
break;
}
+ default: {
+ return 0;
+ }
}
#ifdef WITH_CURL
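Review bot: the added `default: return 0;` in `db_input_wrapper` makes an invalid `db` value look exactly like end-of-file to the caller (`fread` also returns 0 on EOF), so a programming error would surface as a truncated database rather than as a bug. Log it with `error(0, ...)` before returning so the condition is diagnosable.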
@@ -651,7 +654,6 @@ int handle_endif(int doit,int allow_else
case 0 : {
conferror("@@endif or @@else expected");
return -1;
- count=0;
}
default : {
@@ -816,6 +818,7 @@ void do_dbdef(int dbtype,char* val)
if(u==NULL||u->type==url_unknown||u->type==url_stdout
||u->type==url_stderr) {
error(0,_("Unsupported input URL-type:%s\n"),val);
+ free(u);
}
else {
*conf_db_url=u;
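Review bot: `free(u)` on the unsupported-URL path releases the `url_t` but not the string it owns; `parse_url` assigns `u->value = strdup(r)` (visible in the `util.c` hunks of this same patch), so `u->value` leaks here and in the three identical hunks that follow. Add a `free_url(u)` helper (or free `u->value` before `u`) and use it in all four places; `free(NULL)` is a no-op, so the `u==NULL` case needs no extra guard.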
@@ -825,6 +828,7 @@ void do_dbdef(int dbtype,char* val)
case DB_WRITE: {
if(u==NULL||u->type==url_unknown||u->type==url_stdin){
error(0,_("Unsupported output URL-type:%s\n"),val);
+ free(u);
}
else{
conf->db_out_url=u;
@@ -848,6 +852,7 @@ void do_dbindef(char* val)
if(u==NULL||u->type==url_unknown||u->type==url_stdout
||u->type==url_stderr) {
error(0,_("Unsupported input URL-type:%s\n"),val);
+ free(u);
}
else {
conf->db_in_url=u;
@@ -869,6 +874,7 @@ void do_dboutdef(char* val)
* both input and output urls */
if(u==NULL||u->type==url_unknown||u->type==url_stdin){
error(0,_("Unsupported output URL-type:%s\n"),val);
+ free(u);
}
else{
conf->db_out_url=u;
@@ -894,7 +900,8 @@ void do_repurldef(char* val)
} else {
error_init(u,0);
}
-
+
+ free(u);
}
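Review bot: `free(u)` is unconditional here and runs right after `error_init(u,0)` in the else branch; if `error_init` keeps the `url_t` pointer (or `u->value`) for later report output instead of copying what it needs, this becomes a use-after-free at report time. Confirm `error_init` copies the URL before accepting this hunk, and note that `u->value` is still leaked on the path that never hands `u` to `error_init`.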
void do_verbdef(char* val)
@@ -984,7 +991,7 @@ void do_report_ignore_e2fsattrs(char* va
break;
}
}
- *val++;
+ val++;
}
}
#endif
diff -up ./src/compare_db.c.coverity ./src/compare_db.c
--- ./src/compare_db.c.coverity 2018-10-10 19:27:18.673632619 +0200
+++ ./src/compare_db.c 2018-10-10 19:27:18.682632698 +0200
@@ -312,7 +312,7 @@ static int acl2array(acl_type* acl, char
if (conf->syslog_format) {
*values = malloc(2 * sizeof(char*));
- char *A, *D = "<NONE>";
+ char *A= "<NONE>", *D = "<NONE>";
if (acl->acl_a) { A = acl->acl_a; }
if (acl->acl_d) { D = acl->acl_d; }
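Review bot: `*values = malloc(2 * sizeof(char*))` just above the changed line is still unchecked, so a failed allocation dereferences NULL a few lines later; initialising `A` to `"<NONE>"` fixes the uninitialised read Coverity reported, but the allocation check belongs in the same hunk.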
diff -up ./src/conf_lex.l.coverity ./src/conf_lex.l
--- ./src/conf_lex.l.coverity 2018-10-10 19:27:18.673632619 +0200
+++ ./src/conf_lex.l 2018-10-10 19:27:18.682632698 +0200
@@ -133,7 +133,7 @@ int var_in_conflval=0;
<EXPR>[\ \t]*\n {
conf_lineno++;
return (TNEWLINE);
- BEGIN 0;
+// BEGIN 0;
}
<EXPR>\+ {
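Review bot: `BEGIN 0;` was unreachable after `return (TNEWLINE);`, so the lexer has never left the `EXPR` start condition on a newline; commenting it out preserves that behaviour but hides the question of whether it was intended. Either move `BEGIN 0;` before the `return` (a behaviour change that needs testing against existing config files) or delete the line, and do not leave it as a `//` comment in the `.l` source.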
diff -up ./src/db.c.coverity ./src/db.c
--- ./src/db.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/db.c 2018-10-10 19:27:18.683632707 +0200
@@ -27,6 +27,7 @@
#include "db_file.h"
#include "db_disk.h"
#include "md.h"
+#include "fopen.h"
#ifdef WITH_PSQL
#include "db_sql.h"
@@ -269,6 +270,9 @@ db_line* db_readline(int db){
db_order=&(conf->db_new_order);
break;
}
+ default: {
+ return NULL;
+ }
}
switch (db_url->type) {
@@ -368,7 +372,7 @@ db_line* db_char2line(char** ss,int db){
int i;
db_line* line=(db_line*)malloc(sizeof(db_line)*1);
- int* db_osize=0;
+ int* db_osize=NULL;
DB_FIELD** db_order=NULL;
switch (db) {
@@ -382,6 +386,10 @@ db_line* db_char2line(char** ss,int db){
db_order=&(conf->db_new_order);
break;
}
+ default: {
+ free(line);
+ return NULL;
+ }
}
@@ -601,7 +609,9 @@ db_line* db_char2line(char** ss,int db){
size_t vsz = 0;
tval = strtok(NULL, ",");
- line->xattrs->ents[num].key = db_readchar(strdup(tval));
+ char * tmp = strdup(tval);
+ line->xattrs->ents[num].key = db_readchar(tmp);
+ free(tmp);
tval = strtok(NULL, ",");
val = base64tobyte(tval, strlen(tval), &vsz);
line->xattrs->ents[num].val = val;
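Review bot: `tval = strtok(NULL, ",")` returns NULL on a truncated or malformed database line, and the new `strdup(tval)` (like the `strlen(tval)` two lines below) then dereferences NULL; this is database input, so check `tval` and fail the line (`free_db_line(line); free(line); return NULL;`) instead of crashing. The `strdup` result is also not checked before being passed to `db_readchar`.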
@@ -648,6 +658,8 @@ db_line* db_char2line(char** ss,int db){
default : {
error(0,_("Not implemented in db_char2line %i \n"),(*db_order)[i]);
+ free_db_line(line);
+ free(line);
return NULL;
}
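Review bot: `free_db_line(line)` followed by `free(line)` is only correct if `free_db_line` does not free the struct itself (otherwise this is a double free) and if every pointer field is NULL-initialised; `line` comes from `malloc(sizeof(db_line)*1)` at the top of `db_char2line`, so fields not yet populated when the `default:` case is reached hold garbage that `free_db_line` would pass to `free`. Allocate `line` with `calloc` or zero it before the field loop.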
@@ -826,7 +838,7 @@ void db_close() {
case url_ftp:
{
if (conf->db_out!=NULL) {
- url_fclose(conf->db_out);
+ url_fclose((URL_FILE*)conf->db_out);
}
break;
}
diff -up ./src/db_disk.c.coverity ./src/db_disk.c
--- ./src/db_disk.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/db_disk.c 2018-10-10 19:28:00.108995089 +0200
@@ -79,9 +79,15 @@ static DIR *open_dir(char* path) {
static void next_in_dir (void)
{
+
#ifdef HAVE_READDIR_R
- if (dirh != NULL)
+ if (dirh != NULL) {
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
rdres = AIDE_READDIR_R_FUNC (dirh, entp, resp);
+#pragma GCC diagnostic pop
+ }
+
#else
#ifdef HAVE_READDIR
if (dirh != NULL) {
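Review bot: wrapping the `readdir_r` call in `#pragma GCC diagnostic ignored "-Wdeprecated-declarations"` silences the warning without addressing why glibc deprecated the function (the caller-supplied `dirent` buffer cannot be sized reliably for every filesystem). Since glibc's `readdir` is safe as long as the same `DIR*` is not shared between threads, prefer the `HAVE_READDIR` branch below and retire the `readdir_r` path; the two added empty lines are also whitespace noise.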
diff -up ./src/db_file.c.coverity ./src/db_file.c
--- ./src/db_file.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/db_file.c 2018-10-10 19:27:18.683632707 +0200
@@ -171,7 +171,7 @@ int dofprintf( const char* s,...)
int db_file_read_spec(int db){
int i=0;
- int* db_osize=0;
+ int* db_osize=NULL;
DB_FIELD** db_order=NULL;
switch (db) {
@@ -187,6 +187,9 @@ int db_file_read_spec(int db){
db_lineno=&db_new_lineno;
break;
}
+ default: {
+ return RETFAIL;
+ }
}
*db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD));
@@ -198,13 +201,10 @@ int db_file_read_spec(int db){
int l;
- /* Yes... we do not check if realloc returns nonnull */
-
- *db_order=(DB_FIELD*)
- realloc((void*)*db_order,
+ void * tmp = realloc((void*)*db_order,
((*db_osize)+1)*sizeof(DB_FIELD));
-
- if(*db_order==NULL){
+ if (tmp != NULL) *db_order=(DB_FIELD*) tmp;
+ else {
return RETFAIL;
}
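Review bot: returning `RETFAIL` with `*db_order` still pointing at the old block is the right fix for the realloc failure, but `if (tmp != NULL) *db_order = ... else { return RETFAIL; }` reads awkwardly; the early-exit form `if (tmp == NULL) return RETFAIL; *db_order = (DB_FIELD*) tmp;` is clearer, and the caller should release the partially built `*db_order` when it sees `RETFAIL`.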
@@ -291,8 +291,8 @@ char** db_readline_file(int db){
int* domd=NULL;
#ifdef WITH_MHASH
MHASH* md=NULL;
-#endif
char** oldmdstr=NULL;
+#endif
int* db_osize=0;
DB_FIELD** db_order=NULL;
FILE** db_filep=NULL;
@@ -302,9 +302,9 @@ char** db_readline_file(int db){
case DB_OLD: {
#ifdef WITH_MHASH
md=&(conf->dboldmd);
+ oldmdstr=&(conf->old_dboldmdstr);
#endif
domd=&(conf->do_dboldmd);
- oldmdstr=&(conf->old_dboldmdstr);
db_osize=&(conf->db_in_size);
db_order=&(conf->db_in_order);
@@ -316,9 +316,9 @@ char** db_readline_file(int db){
case DB_NEW: {
#ifdef WITH_MHASH
md=&(conf->dbnewmd);
+ oldmdstr=&(conf->old_dbnewmdstr);
#endif
domd=&(conf->do_dbnewmd);
- oldmdstr=&(conf->old_dbnewmdstr);
db_osize=&(conf->db_new_size);
db_order=&(conf->db_new_order);
@@ -328,7 +328,9 @@ char** db_readline_file(int db){
break;
}
}
-
+
+ if (db_osize == NULL) return NULL;
+
if (*db_osize==0) {
db_buff(db,*db_filep);
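Review bot: the `if (db_osize == NULL) return NULL;` guard covers a `db` value that matched no `case`, but `db_order` and `db_filep` are equally NULL in that situation and the `switch` is the natural place to handle it; a `default: return NULL;` inside the switch, as this patch adds in `db_file_read_spec`, is clearer than a trailing NULL check on one of several variables. The `-`/`+` pair around the blank line is a trailing-whitespace-only change and can be dropped from the patch.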
@@ -737,8 +739,6 @@ int db_writespec_file(db_config* dbconf)
int i=0;
int j=0;
int retval=1;
- void*key=NULL;
- int keylen=0;
struct tm* st;
time_t tim=time(&tim);
st=localtime(&tim);
@@ -750,6 +750,8 @@ int db_writespec_file(db_config* dbconf)
#ifdef WITH_MHASH
/* From hereon everything must MD'd before write to db */
+ void*key=NULL;
+ int keylen=0;
if((key=get_db_key())!=NULL){
keylen=get_db_key_len();
dbconf->do_dbnewmd=1;
diff -up ./src/do_md.c.coverity ./src/do_md.c
--- ./src/do_md.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/do_md.c 2018-10-10 19:27:18.683632707 +0200
@@ -202,7 +202,6 @@ void calc_md(struct AIDE_STAT_TYPE* old_
and we don't read from a pipe :)
*/
struct AIDE_STAT_TYPE fs;
- int sres=0;
int stat_diff,filedes;
#ifdef WITH_PRELINK
pid_t pid;
@@ -237,7 +236,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_
return;
}
- sres=AIDE_FSTAT_FUNC(filedes,&fs);
+ AIDE_FSTAT_FUNC(filedes,&fs);
if(!(line->attr&DB_RDEV))
fs.st_rdev=0;
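Review bot: dropping `sres` and discarding the return value of `AIDE_FSTAT_FUNC` turns an unused-variable warning into an unchecked syscall: if `fstat` fails, `fs` is never written and `fs.st_rdev` and the later `stat_diff` comparison read an uninitialised struct. Keep the result and bail out (close `filedes`, report the file, `return`) when it is non-zero.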
@@ -331,7 +330,7 @@ void calc_md(struct AIDE_STAT_TYPE* old_
}
#endif
#endif /* not HAVE_MMAP */
- buf=malloc(READ_BLOCK_SIZE);
+// buf=malloc(READ_BLOCK_SIZE);
#if READ_BLOCK_SIZE>SSIZE_MAX
#error "READ_BLOCK_SIZE" is too large. Max value is SSIZE_MAX, and current is READ_BLOCK_SIZE
#endif
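Review bot: `buf=malloc(READ_BLOCK_SIZE);` is commented out rather than removed, and the hunk does not show where `buf` is assigned instead; if Coverity flagged a leak or a double allocation here, confirm that `buf` is set on every path (both the `HAVE_MMAP` and the non-mmap branch) before the read loop, then delete the line instead of leaving a `//` comment.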
diff -up ./src/gen_list.c.coverity ./src/gen_list.c
--- ./src/gen_list.c.coverity 2016-07-25 22:56:55.000000000 +0200
+++ ./src/gen_list.c 2018-10-10 19:27:18.684632716 +0200
@@ -843,15 +843,15 @@ static void add_file_to_tree(seltree* tr
DB_ATTR_TYPE localignorelist=0;
DB_ATTR_TYPE ignored_added_attrs, ignored_removed_attrs, ignored_changed_attrs;
+ if(file==NULL){
+ error(0, "add_file_to_tree was called with NULL db_line\n");
+ }
+
node=get_seltree_node(tree,file->filename);
if(!node){
node=new_seltree_node(tree,file->filename,0,NULL);
}
-
- if(file==NULL){
- error(0, "add_file_to_tree was called with NULL db_line\n");
- }
/* add note to this node which db has modified it */
node->checked|=db;
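Review bot: moving the NULL check ahead of the `file->filename` dereference is the right order, but `error(0, ...)` only logs, so with `file == NULL` the function still falls through to `get_seltree_node(tree, file->filename)` and crashes; add `return;` after the `error()` call.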
diff -up ./src/md.c.coverity ./src/md.c
--- ./src/md.c.coverity 2018-10-10 19:27:18.679632672 +0200
+++ ./src/md.c 2018-10-10 19:27:18.684632716 +0200
@@ -36,8 +36,8 @@
*/
DB_ATTR_TYPE hash_gcrypt2attr(int i) {
- DB_ATTR_TYPE r=0;
#ifdef WITH_GCRYPT
+ DB_ATTR_TYPE r=0;
switch (i) {
case GCRY_MD_MD5: {
r=DB_MD5;
@@ -74,13 +74,15 @@ DB_ATTR_TYPE hash_gcrypt2attr(int i) {
default:
break;
}
-#endif
return r;
+#else /* !WITH_GCRYPT */
+ return 0;
+#endif
}
const char * hash_gcrypt2str(int i) {
- char * r = "?";
#ifdef WITH_GCRYPT
+ char * r = "?";
switch (i) {
case GCRY_MD_MD5: {
r = "MD5";
@@ -117,13 +119,17 @@ const char * hash_gcrypt2str(int i) {
default:
break;
}
-#endif
return r;
+#else /* !WITH_GCRYPT */
+ return "?";
+#endif
}
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wunused-parameter"
DB_ATTR_TYPE hash_mhash2attr(int i) {
- DB_ATTR_TYPE r=0;
#ifdef WITH_MHASH
+ DB_ATTR_TYPE r=0;
switch (i) {
case MHASH_CRC32: {
r=DB_CRC32;
@@ -198,10 +204,15 @@ DB_ATTR_TYPE hash_mhash2attr(int i) {
default:
break;
}
-#endif
+
return r;
+#else /*!WITH_MHASH */
+ return 0;
+#endif
}
+#pragma GCC diagnostic pop
+
/*
Initialise md_container according it's todo_attr field
*/
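Review bot: the `#pragma GCC diagnostic push` / `ignored "-Wunused-parameter"` / `pop` pair around `hash_mhash2attr` is gcc-specific and is not applied to `hash_gcrypt2attr` and `hash_gcrypt2str` above, which have the same unused `i` when built without gcrypt; a `(void)i;` in each `#else` branch is portable and keeps all four functions consistent.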
@@ -317,7 +328,6 @@ int init_md(struct md_container* md) {
*/
int update_md(struct md_container* md,void* data,ssize_t size) {
- int i;
error(255,"update_md called\n");
@@ -328,6 +338,7 @@ int update_md(struct md_container* md,vo
#endif
#ifdef WITH_MHASH
+ int i;
for(i=0;i<=HASH_MHASH_COUNT;i++) {
if (md->mhash_mdh[i]!=MHASH_FAILED) {
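Review bot: the unchanged loop bound `i<=HASH_MHASH_COUNT` in the context lines iterates `HASH_MHASH_COUNT+1` times; this hunk only moves `int i` into the `#ifdef`, but while the loop is being touched confirm that `mhash_mdh` is declared with `HASH_MHASH_COUNT+1` entries, otherwise the last iteration reads past the end of the array (the same bound appears in `close_md` below).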
@@ -348,7 +359,6 @@ int update_md(struct md_container* md,vo
*/
int close_md(struct md_container* md) {
- int i;
#ifdef _PARAMETER_CHECK_
if (md==NULL) {
return RETFAIL;
@@ -356,6 +366,7 @@ int close_md(struct md_container* md) {
#endif
error(255,"close_md called \n");
#ifdef WITH_MHASH
+ int i;
for(i=0;i<=HASH_MHASH_COUNT;i++) {
if (md->mhash_mdh[i]!=MHASH_FAILED) {
mhash (md->mhash_mdh[i], NULL, 0);
diff -up ./src/util.c.coverity ./src/util.c
--- ./src/util.c.coverity 2018-10-10 19:27:18.670632593 +0200
+++ ./src/util.c 2018-10-10 19:27:18.684632716 +0200
@@ -105,13 +105,15 @@ url_t* parse_url(char* val)
for(i=0;r[0]!='/'&&r[0]!='\0';r++,i++);
if(r[0]=='\0'){
error(0,"Invalid file-URL,no path after hostname: file:%s\n",t);
+ free(hostname);
return NULL;
}
u->value=strdup(r);
r[0]='\0';
if(gethostname(hostname,MAXHOSTNAMELEN)==-1){
- strncpy(hostname,"localhost", 10);
+ strncpy(hostname,"localhost", 10);
}
+
if( (strcmp(t,"localhost")==0)||(strcmp(t,hostname)==0)){
free(hostname);
break;
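Review bot: the `free(hostname)` before `return NULL` closes the leak on the no-path error, but `gethostname(hostname, MAXHOSTNAMELEN)` may truncate without NUL-terminating (POSIX leaves that unspecified), so the later `strcmp(t, hostname)` can read past the buffer; write `hostname[MAXHOSTNAMELEN-1] = '\0';` after the call. The `strncpy` line is a whitespace-only change and should be dropped from the patch.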
@@ -120,7 +122,7 @@ url_t* parse_url(char* val)
free(hostname);
return NULL;
}
- free(hostname);
+
break;
}
u->value=strdup(r);
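Review bot: the removed `free(hostname)` is replaced by a line that appears to carry only trailing whitespace; if both branches of the preceding `if`/`else` already free `hostname` and leave via `break` or `return`, the removed line was unreachable (or a double free) and deleting it is right, but confirm no path reaches this `break` without having freed `hostname`, and remove the whitespace-only line.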


@ -1,31 +0,0 @@
diff --up ./src/compare_db.c ./src/compare_db.c
--- ./src/compare_db.c
+++ ./src/compare_db.c
@@ -438,7 +438,11 @@ snprintf(*values[0], l, "%s",s);
} else {
*values = malloc(1 * sizeof (char*));
if (DB_FTYPE&attr) {
- easy_string(get_file_type_string(line->perm))
+ char *file_type = get_file_type_string(line->perm);
+ if (!file_type) {
+ error(2,"%s: ", file_type);
+ }
+ easy_string(file_type)
} else if (DB_LINKNAME&attr) {
easy_string(line->linkname)
easy_number((DB_SIZE|DB_SIZEG),size,"%li")
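Review bot: the NULL check on `file_type` logs `error(2,"%s: ", file_type)` with the very pointer that is NULL, which is undefined behaviour for `%s` and produces no useful message, and then still passes NULL to `easy_string`; report `line->filename` and `line->perm` instead and substitute a fixed string such as `"?"` for the value. The file header also reads `diff --up` where the other patches use `diff -up`; `patch` ignores that line, but keep it consistent.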
diff -up ./src/db_file.c ./src/db_file.c
--- ./src/db_file.c
+++ ./src/db_file.c
@@ -194,6 +194,10 @@ int db_file_read_spec(int db){
*db_order=(DB_FIELD*) malloc(1*sizeof(DB_FIELD));
+ if (*db_order == NULL){
+ error(1,"malloc for *db_order failed in %s", __func__);
+ }
+
while ((i=db_scan())!=TNEWLINE){
switch (i) {
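Review bot: unless `error(1, ...)` terminates the process, the `malloc` failure for `*db_order` is only logged and the NULL pointer is dereferenced in the `while` loop that follows; return `RETFAIL` after the message, as the realloc failure path later in this function already does.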

gpgkey-aide.gpg (new binary file)



@ -1 +1,2 @@
SHA512 (aide-0.16.tar.gz) = 29ad97756e3e2fb21dc332ed03b494a1c73e621266f8622ec80bdba23092a38ee975b97f3cff2330e4c16e64e2f672259eea9291ca706a4009e7399b4e14e6a7
SHA512 (aide-0.19.2.tar.gz) = 08506c2302e34794fa08a27caaa1e714ba736d46351c577234f2c3d2623ea82b243b3318061a369a46d6961a782f42fbb8edd42d1d4de6949e7fc30c87865830
SHA512 (aide-0.19.2.tar.gz.asc) = ebc04f22a49ec6b378dca4930574edcd46919281297bc1d5e09f5839a6fab3a38762462b7d852a82b7045313f9c24208bfff49a561d8afd04e9116be7096169a
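Review bot: the detached signature `aide-0.19.2.tar.gz.asc` is now listed in `sources` alongside the new `gpgkey-aide.gpg` keyring, but a signature in `sources` is verified by nothing on its own; if the spec does not already do so, add a `%{gpgverify}` call in `%prep` that checks the tarball against that keyring, otherwise the keyring and signature add download weight without adding supply-chain assurance.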