.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -10,14 +10,3 @@ aide-0.14.tar.gz
 aide-0.14.tar.gz.asc
 /aide-0.15.1.tar.gz
 /aide-0.15.1.tar.gz.asc
-/aide-0.16b1.tar.gz
-/aide-0.16rc1.tar.gz
-/aide-0.16.tar.gz
-/aide-0.18.4.tar.gz
-/aide-0.18.6.tar.gz
-/aide-0.18.8.tar.gz
-/aide-0.18.8.tar.gz.asc
-/aide-0.19.1.tar.gz
-/aide-0.19.1.tar.gz.asc
-/aide-0.19.2.tar.gz
-/aide-0.19.2.tar.gz.asc

aide-0.14-man.patch

@@ -0,0 +1,15 @@
+diff -ur aide.orig/doc/aide.1.in aide/doc/aide.1.in
+--- aide.orig/doc/aide.1.in	2010-02-24 13:53:49.000000000 -0500
++++ aide/doc/aide.1.in	2010-02-24 13:57:44.000000000 -0500
+@@ -75,9 +75,9 @@
+ .SH FILES
+ .B @sysconfdir@/aide.conf
+ Default aide configuration file.
+-.B @sysconfdir@/aide.db
++.B @localstatedir@/lib/aide.db
+ Default aide database.
+-.B @sysconfdir@/aide.db.new
++.B @localstatedir@/lib/aide.db.new
+ Default aide output database.
+ .SH SEE ALSO
+ .BR aide.conf (5)

aide-0.15.1-fipsfix.patch

@@ -0,0 +1,103 @@
+diff -up aide-0.15.1/src/aide.c.fipsfix aide-0.15.1/src/aide.c
+--- aide-0.15.1/src/aide.c.fipsfix	2010-08-08 19:39:31.000000000 +0200
++++ aide-0.15.1/src/aide.c	2012-11-22 16:59:45.378713818 +0100
+@@ -484,9 +484,28 @@ int main(int argc,char**argv)
+ #endif
+   umask(0177);
+   init_sighandler();
+-
+   setdefaults_before_config();
+ 
++#if WITH_GCRYPT
++  error(255,"Gcrypt library initialization\n");
++  /*
++   *  Initialize libgcrypt as per
++   *  http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
++   *
++   *
++   */
++  gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0);
++  gcry_control(GCRYCTL_INIT_SECMEM, 1);
++
++  if(!gcry_check_version(GCRYPT_VERSION)) {
++      error(0,"libgcrypt version mismatch\n");
++      exit(VERSION_MISMATCH_ERROR);
++  }
++
++  gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
++#endif /* WITH_GCRYPT */
++
++
+   if(read_param(argc,argv)==RETFAIL){
+     error(0, _("Invalid argument\n") );
+     exit(INVALID_ARGUMENT_ERROR);
+@@ -641,6 +660,9 @@ int main(int argc,char**argv)
+     }
+ #endif
+   }
++#ifdef WITH_GCRYPT
++  gcry_control(GCRYCTL_TERM_SECMEM, 0);
++#endif /* WITH_GCRYPT */
+   return RETOK;
+ }
+ const char* aide_key_3=CONFHMACKEY_03;
+diff -up aide-0.15.1/src/md.c.fipsfix aide-0.15.1/src/md.c
+--- aide-0.15.1/src/md.c.fipsfix	2010-08-08 19:39:31.000000000 +0200
++++ aide-0.15.1/src/md.c	2012-11-22 16:59:33.166673632 +0100
+@@ -201,14 +201,7 @@ int init_md(struct md_container* md) {
+   }
+ #endif 
+ #ifdef WITH_GCRYPT
+-  error(255,"Gcrypt library initialization\n");
+-  	if(!gcry_check_version(GCRYPT_VERSION)) {
+-		error(0,"libgcrypt version mismatch\n");
+-		exit(VERSION_MISMATCH_ERROR);
+-	}
+-	gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
+-	gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+-	if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){
++	if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
+ 		error(0,"gcrypt_md_open failed\n");
+ 		exit(IO_ERROR);
+ 	}
+@@ -299,7 +292,7 @@ int close_md(struct md_container* md) {
+   
+   /*.    There might be more hashes in the library. Add those here..   */
+   
+-  gcry_md_reset(md->mdh);
++  gcry_md_close(md->mdh);
+ #endif  
+ 
+ #ifdef WITH_MHASH
+diff -up aide-0.15.1/src/util.c.fipsfix aide-0.15.1/src/util.c
+--- aide-0.15.1/src/util.c.fipsfix	2010-08-08 19:39:31.000000000 +0200
++++ aide-0.15.1/src/util.c	2012-11-22 16:59:33.166673632 +0100
+@@ -494,28 +494,5 @@ int syslog_facility_lookup(char *s)
+ 	return(AIDE_SYSLOG_FACILITY);
+ }
+ 
+-/* We need these dummy stubs to fool the linker into believing that
+-   we do not need them at link time */
+-
+-void* dlopen(char*filename,int flag)
+-{
+-  return NULL;
+-}
+-
+-void* dlsym(void*handle,char*symbol)
+-{
+-  return NULL;
+-}
+-
+-void* dlclose(void*handle)
+-{
+-  return NULL;
+-}
+-
+-const char* dlerror(void)
+-{
+-  return NULL;
+-}
+-
+ const char* aide_key_2=CONFHMACKEY_02;
+ const char* db_key_2=DBHMACKEY_02;

aide-0.15.1-format-security.patch

@@ -0,0 +1,20 @@
+--- a/src/db_file.c
++++ b/src/db_file.c
+@@ -702,7 +702,7 @@ int db_write_byte_base64(byte*data,size_t len,FILE* file,int i,
+   }
+ 
+   if(tmpstr){
+-    retval=dofprintf(tmpstr);
++    retval=dofprintf("%s",tmpstr);
+     free(tmpstr);
+     return retval;
+   }else {
+@@ -741,7 +741,7 @@ int db_write_time_base64(time_t i,FILE* file,int a)
+ 
+ 
+   tmpstr=encode_base64((byte *)ptr,strlen(ptr));
+-  retval=dofprintf(tmpstr);
++  retval=dofprintf("%s",tmpstr);
+   free(tmpstr);
+   free(ptr);
+ 

aide.conf

@@ -4,7 +4,7 @@
 @@define LOGDIR /var/log/aide
 
 # The location of the database to be read.
-database_in=file:@@{DBDIR}/aide.db.gz
+database=file:@@{DBDIR}/aide.db.gz
 
 # The location of the database to be written.
 #database_out=sql:host:port:database:login_name:passwd:table
@@ -14,49 +14,19 @@ database_out=file:@@{DBDIR}/aide.db.new.gz
 # Whether to gzip the output to database
 gzip_dbout=yes
 
-# Database attributes to include in report (H = all compiled hashsums, default)
-database_attrs=H
-
-# Add metadata to database (version info, timestamps)
-database_add_metadata=yes
-
-# Warn about unrestricted rules during config check (default: false)
-config_check_warn_unrestricted_rules=false
-
-# Number of workers for parallel processing (default: 1, can use percentage)
-num_workers=1
-
 # Default.
-log_level=warning
-report_level=changed_attributes
-
-# Report format (plain or json)
-report_format=plain
-
-# Group files in report by added/removed/changed
-report_grouped=yes
-
-# Summarize changes in report
-report_summarize_changes=yes
-
-# Don't report if no differences found
-report_quiet=no
-
-# Report encoding (base64 is default, base16 available)
-report_base16=no
+verbose=5
 
 report_url=file:@@{LOGDIR}/aide.log
 report_url=stdout
 #report_url=stderr
-#report_url=syslog:LOG_AUTH
+#NOT IMPLEMENTED report_url=mailto:root@foo.com
+#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
 
 # These are the default rules.
 #
-#ftype:  file type
-#fstype: file system type (Linux-only)
 #p:      permissions
-#i:      inode
-#l:      link name (symbolic links only)
+#i:      inode:
 #n:      number of links
 #u:      user
 #g:      group
@@ -65,78 +35,55 @@ report_url=stdout
 #m:      mtime
 #a:      atime
 #c:      ctime
+#S:      check for growing size
 #acl:           Access Control Lists
 #selinux        SELinux security context
 #xattrs:        Extended file attributes
-#e2fsattrs:     file attributes on Linux file system
-#caps:          file capabilities (Linux-only)
-
-# Hashsums attributes (regular files only)
+#md5:    md5 checksum
+#sha1:   sha1 checksum
 #sha256:        sha256 checksum
 #sha512:        sha512 checksum
-#sha512_256:    SHA-512 checksum truncated to 256 output bits
-#sha3_256:      SHA3-256 checksum (modern)
-#sha3_512:      SHA3-512 checksum (modern)
-#stribog256:    GOST R 34.11-2012, 256 bit
-#stribog512:    GOST R 34.11-2012, 512 bit
+#rmd160: rmd160 checksum
+#tiger:  tiger checksum
 
-# DEPRECATED (will be removed in future versions):
-#md5:    md5 checksum (deprecated since v0.19)
-#sha1:   sha1 checksum (deprecated since v0.19)
-#rmd160: rmd160 checksum (deprecated since v0.19)
-#gost:   gost checksum (deprecated since v0.19)
+#haval:  haval checksum (MHASH only)
+#gost:   gost checksum (MHASH only)
+#crc32:  crc32 checksum (MHASH only)
+#whirlpool:     whirlpool checksum (MHASH only)
 
-# REMOVED in AIDE v0.19:
-#S:      check for growing size (use 'growing+s' instead)
-#tiger:  tiger checksum (removed)
-#haval:  haval checksum (removed)
-#crc32:  crc32 checksum (removed)
-#crc32b: crc32b checksum (removed)
-#whirlpool: whirlpool checksum (removed)
+FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
 
-# Special attributes for advanced use cases:
-#I:      ignore changed filename - detects moved files by inode
-#growing: ignore growing file size/timestamps for logs
-#compressed: ignore compression - compares uncompressed content
-#ANF:    allow new files - new files ignored in report
-#ARF:    allow removed files - missing files ignored in report
-
-# Default groups in AIDE v0.19:
-# R = p+ftype+i+l+n+u+g+s+m+c+sha3_256+X
-# L = p+ftype+i+l+n+u+g+X  
-# > = Growing file p+ftype+l+u+g+i+n+s+growing+X
-# H = all compiled in (and not deprecated) hashsums
-# X = acl+selinux+xattrs+e2fsattrs+caps (if compiled in)
-# E = Empty group
-# Use 'aide --version' to list the default compound groups.
+#R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
+#L:             p+i+n+u+g+acl+selinux+xattrs
+#E:             Empty group
+#>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
 
 # You can create custom rules like this.
-# Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost)
-ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512
-# Everything but access time (Ie. all changes) - updated with modern hashsums
+# With MHASH...
+# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+# Everything but access time (Ie. all changes)
 EVERYTHING = R+ALLXTRAHASHES
 
-# Base + sha512 (strong)
-NORMAL = R+sha512-m-c
+# Sane, with multiple hashes
+# NORMAL = R+rmd160+sha256+whirlpool
+NORMAL = FIPSR+sha512
 
-# Content only - added file type and strong hash
-CONTENT = ftype+sha512
+# For directories, don't bother doing hashes
+DIR = p+i+n+u+g+acl+selinux+xattrs
 
-# For directories, don't bother doing hashes - added file type and link name
-DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
+# Access control only
+PERMS = p+i+u+g+acl+selinux
 
-# Access control only - added file type and link name
-PERMS = ftype+p+u+g+acl+selinux+xattrs
+# Logfile are special, in that they often change
+LOG = >
 
-# Logfiles are special, in that they often change due to log rotation
-# Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes
-# Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques
-# Don't track: size, inodes, timestamps, checksums and some special attributes (these change frequently with log rotation)
-LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs
+# Just do sha256 and sha512 hashes
+LSPP = FIPSR+sha512
 
 # Some files get updated automatically, so the inode/ctime/mtime change
-# but we want to know when the data inside them changes - updated with modern hash
-DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
+# but we want to know when the data inside them changes
+DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
 
 # Next decide what directories/files you want in the database.
 
@@ -145,220 +92,124 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 /sbin   NORMAL
 /lib    NORMAL
 /lib64  NORMAL
-# Monitor /opt selectively to avoid noise from auto-updating applications
-/opt    CONTENT
+/opt    NORMAL
 /usr    NORMAL
+/root   NORMAL
 # These are too volatile
 !/usr/src
 !/usr/tmp
 
-# Admins dot files constantly change, just check perms
-/root/\..* PERMS
-!/root/.xauth*
-/root   NORMAL
-
 # Check only permissions, inode, user and group for /etc, but
 # cover some important files closely.
+/etc    PERMS
 !/etc/mtab
 # Ignore backup files
 !/etc/.*~
+/etc/exports  NORMAL
+/etc/fstab    NORMAL
+/etc/passwd   NORMAL
+/etc/group    NORMAL
+/etc/gshadow  NORMAL
+/etc/shadow   NORMAL
+/etc/security/opasswd   NORMAL
 
-# trusted databases
-/etc/hosts$      NORMAL
-/etc/host.conf$  NORMAL
-/etc/hostname$   NORMAL
-/etc/issue$      NORMAL
-/etc/issue.net$  NORMAL
-/etc/protocols$  NORMAL
-/etc/services$   NORMAL
-/etc/localtime$  NORMAL
-/etc/alternatives NORMAL
-/etc/mime.types$ NORMAL
-/etc/terminfo    NORMAL
-/etc/exports$    NORMAL
-/etc/fstab$      NORMAL
-/etc/passwd$     NORMAL
-/etc/group$      NORMAL
-/etc/gshadow$    NORMAL
-/etc/shadow$     NORMAL
-/etc/subgid$     NORMAL
-/etc/subuid$     NORMAL
-/etc/skel        NORMAL
-/etc/sssd        NORMAL
-/etc/swid        NORMAL
-/etc/system-release-cpe$ NORMAL
-/etc/tmux.conf$  NORMAL
-/etc/xattr.conf$ NORMAL
+/etc/hosts.allow   NORMAL
+/etc/hosts.deny    NORMAL
 
-# networking
-/etc/firewalld      NORMAL
-!/etc/NetworkManager/system-connections
-/etc/NetworkManager NORMAL
-/etc/networks$ NORMAL
-/etc/dhcp NORMAL
-/etc/wpa_supplicant NORMAL
-/etc/resolv.conf$ DATAONLY
+/etc/sudoers NORMAL
+/etc/skel NORMAL
 
-# logins and accounts
-/etc/login.defs$ NORMAL
-/etc/libuser.conf$ NORMAL
-/var/log/faillog$ PERMS
-/var/log/lastlog$ PERMS
-/var/run/faillock PERMS
-/etc/pam.d NORMAL
-/etc/security NORMAL
-/etc/securetty$ NORMAL
-/etc/polkit-1 NORMAL
-/etc/sudo.conf$ NORMAL
-/etc/sudoers$ NORMAL
-/etc/sudoers.d NORMAL
+/etc/logrotate.d NORMAL
+
+/etc/resolv.conf DATAONLY
+
+/etc/nscd.conf NORMAL
+/etc/securetty NORMAL
 
 # Shell/X starting files
-/etc/profile$ NORMAL
-/etc/profile.d NORMAL
-/etc/bashrc$ NORMAL
-/etc/bash_completion.d NORMAL
-/etc/zprofile$ NORMAL
-/etc/zshrc$ NORMAL
-/etc/zlogin$ NORMAL
-/etc/zlogout$ NORMAL
-/etc/X11 NORMAL
-/etc/shells$ NORMAL
+/etc/profile NORMAL
+/etc/bashrc NORMAL
+/etc/bash_completion.d/ NORMAL
+/etc/login.defs NORMAL
+/etc/zprofile NORMAL
+/etc/zshrc NORMAL
+/etc/zlogin NORMAL
+/etc/zlogout NORMAL
+/etc/profile.d/ NORMAL
+/etc/X11/ NORMAL
 
 # Pkg manager
-/etc/dnf NORMAL
-/etc/yum.repos.d NORMAL
-
-# auditing
-# AIDE produces an audit record, so this becomes perpetual motion.
-/var/log/audit PERMS
-/etc/audit NORMAL
-/etc/libaudit.conf$ NORMAL
-/etc/aide.conf$  NORMAL
-
-# System logs with proper logrotate handling
-/etc/rsyslog.conf$ NORMAL
-/etc/rsyslog.d NORMAL
-/etc/logrotate.conf$ NORMAL
-/etc/logrotate.d NORMAL
-/etc/systemd/journald.conf$ NORMAL
-
-# Log directory
-/var/log LOG
-# Journal files - exclude xattrs and link count due to systemd journal's user.crtime_usec extended attribute changes and new directory creation
-/var/log/journal LOG-xattrs-n
-
+/etc/yum.conf NORMAL
+/etc/yumex.conf NORMAL
+/etc/yumex.profiles.conf NORMAL
+/etc/yum/ NORMAL
+/etc/yum.repos.d/ NORMAL
 
+/var/log   LOG
 /var/run/utmp LOG
 
-
-# secrets
-/etc/pkcs11 NORMAL
-/etc/pki NORMAL
-/etc/ssl NORMAL
-/etc/certmonger NORMAL
-/var/lib/systemd/random-seed$ PERMS
-
-# init system
-/etc/systemd NORMAL
-/etc/sysconfig NORMAL
-/etc/rc.d NORMAL
-/etc/tmpfiles.d NORMAL
-/etc/machine-id$ NORMAL
-
-# boot config
-/etc/default NORMAL
-/etc/grub.d NORMAL
-/etc/grub2.cfg$ NORMAL
-/etc/dracut.conf$ NORMAL
-/etc/dracut.conf.d NORMAL
-
-# glibc linker
-/etc/ld.so.cache$ NORMAL
-/etc/ld.so.conf$ NORMAL
-/etc/ld.so.conf.d NORMAL
-/etc/ld.so.preload$ NORMAL
-
-# kernel config
-/etc/sysctl.conf$ NORMAL
-/etc/sysctl.d NORMAL
-/etc/modprobe.d NORMAL
-/etc/modules-load.d NORMAL
-/etc/depmod.d NORMAL
-/etc/udev NORMAL
-/etc/crypttab$ NORMAL
-
-#### Daemons ####
-
-# cron jobs
-/var/spool/at CONTENT
-/etc/at.allow$ CONTENT
-/etc/at.deny$ CONTENT
-/etc/anacrontab$ NORMAL
-/etc/cron.allow$ NORMAL
-/etc/cron.deny$ NORMAL
-/etc/cron.d NORMAL
-/etc/cron.daily NORMAL
-/etc/cron.hourly NORMAL
-/etc/cron.monthly NORMAL
-/etc/cron.weekly NORMAL
-/etc/crontab$ NORMAL
-/var/spool/cron/root CONTENT
-
-# time keeping
-/etc/chrony.conf$ NORMAL
-/etc/chrony.keys$ NORMAL
-
-# mail
-/etc/aliases$ NORMAL
-/etc/aliases.db$ NORMAL
-/etc/postfix NORMAL
-
-# ssh
-/etc/ssh/sshd_config$ NORMAL
-/etc/ssh/ssh_config$ NORMAL
-
-# stunnel
-/etc/stunnel NORMAL
-
-# ftp
-/etc/vsftpd CONTENT
-
-# printing
-/etc/cups NORMAL
-/etc/cupshelpers NORMAL
-/etc/avahi NORMAL
-
-# web server
-/etc/httpd NORMAL
-
-# dns
-/etc/named NORMAL
-/etc/named.conf$ NORMAL
-/etc/named.iscdlv.key$ NORMAL
-/etc/named.rfc1912.zones$ NORMAL
-/etc/named.root.key$ NORMAL
-
-# xinetd
-/etc/xinetd.conf$ NORMAL
-/etc/xinetd.d NORMAL
-
-# IPsec
-/etc/ipsec.conf$ NORMAL
-/etc/ipsec.secrets$ NORMAL
-/etc/ipsec.d NORMAL
-
-# USBGuard
-/etc/usbguard NORMAL
-
-# Now everything else
-/etc    PERMS
-
 # This gets new/removes-old filenames daily
 !/var/log/sa
 # As we are checking it, we've truncated yesterdays size to zero.
 !/var/log/aide.log
 
+# LSPP rules...
+# AIDE produces an audit record, so this becomes perpetual motion.
+# /var/log/audit/ LSPP
+/etc/audit/ LSPP
+/etc/libaudit.conf LSPP
+/usr/sbin/stunnel LSPP
+/var/spool/at LSPP
+/etc/at.allow LSPP
+/etc/at.deny LSPP
+/etc/cron.allow LSPP
+/etc/cron.deny LSPP
+/etc/cron.d/ LSPP
+/etc/cron.daily/ LSPP
+/etc/cron.hourly/ LSPP
+/etc/cron.monthly/ LSPP
+/etc/cron.weekly/ LSPP
+/etc/crontab LSPP
+/var/spool/cron/root LSPP
+
+/etc/login.defs LSPP
+/etc/securetty LSPP
+/var/log/faillog LSPP
+/var/log/lastlog LSPP
+
+/etc/hosts LSPP
+/etc/sysconfig LSPP
+
+/etc/inittab LSPP
+/etc/grub/ LSPP
+/etc/rc.d LSPP
+
+/etc/ld.so.conf LSPP
+
+/etc/localtime LSPP
+
+/etc/sysctl.conf LSPP
+
+/etc/modprobe.conf LSPP
+
+/etc/pam.d LSPP
+/etc/security LSPP
+/etc/aliases LSPP
+/etc/postfix LSPP
+
+/etc/ssh/sshd_config LSPP
+/etc/ssh/ssh_config LSPP
+
+/etc/stunnel LSPP
+
+/etc/vsftpd.ftpusers LSPP
+/etc/vsftpd LSPP
+
+/etc/issue LSPP
+/etc/issue.net LSPP
+
+/etc/cups LSPP
+
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
 #
@@ -366,7 +217,7 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 #=/home           DIR
 
 # Ditto /var/log/sa reason...
-!/var/log/httpd
-# /boot/grub2/grubenv's timestamp is getting modified continuously due to "boot_success" implementation
-!/boot/grub2/grubenv
+!/var/log/and-httpd
 
+# Admins dot files constantly change, just check perms
+/root/\..* PERMS

aide.rpmlintrc

@@ -1,15 +0,0 @@
-# RPMlint configuration for aide package
-# These warnings are expected and intentional for security reasons
-
-# AIDE log directory has restricted permissions (700) for security
-# Log files may contain sensitive security information
-addFilter("aide.* non-standard-dir-perm /var/log/aide 700")
-
-# AIDE configuration file has restricted permissions (600) for security  
-# Configuration reveals what files/directories are monitored
-addFilter("aide.* non-readable /etc/aide.conf 600")
-
-# FSF address in COPYING file is outdated - this is an upstream issue
-# The license text contains the old FSF address format
-addFilter("aide.* incorrect-fsf-address /usr/share/licenses/aide/COPYING")
-

aide.spec

@@ -1,86 +1,266 @@
-Summary:        Intrusion detection environment
-Name:           aide
-Version:        0.19.2
-Release:        %autorelease
-URL:            https://github.com/aide/aide
-License:        GPL-2.0-or-later
+# segfaults
+%{!?_with_curl: %{!?_without_curl: %global _without_curl --without-curl}}
 
-Source0:        %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz
-Source1:        %{url}/releases/download/v%{version}/%{name}-%{version}.tar.gz.asc
-# gpg2 --recv-keys 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931
-# gpg2 --export --export-options export-minimal 2BBBD30FAAB29B3253BCFBA6F6947DAB68E7B931 >gpgkey-aide.gpg
-Source2:        gpgkey-aide.gpg
-Source3:        aide.conf
-Source4:        README.quickstart
-Source5:        aide.logrotate
-
-BuildRequires:  gcc
-BuildRequires:  make
-BuildRequires:  bison flex
-BuildRequires:  pcre2-devel
-BuildRequires:  libgpg-error-devel nettle-devel
-BuildRequires:  zlib-devel
-BuildRequires:  libcurl-devel
-BuildRequires:  libacl-devel
-BuildRequires:  pkgconfig(libselinux)
-BuildRequires:  libattr-devel
-BuildRequires:  e2fsprogs-devel
-BuildRequires:  audit-libs-devel
-BuildRequires:  autoconf automake libtool
-# For verifying signatures
-BuildRequires:  gnupg2
-# For being able to run 'make check'
-BuildRequires:  check-devel
-
-
-Requires:       logrotate
+Summary: Intrusion detection environment
+Name: aide
+Version: 0.15.1
+Release: 10%{?dist}
+URL: http://sourceforge.net/projects/aide
+License: GPLv2+
+Group: Applications/System
+Source0: http://downloads.sourceforge.net/aide/aide-%{version}.tar.gz
+Source1: aide.conf
+Source2: README.quickstart
+Source3: aide.logrotate
+# Customize the database file location in the man page.
+Patch1: aide-0.14-man.patch
+# fix aide in FIPS mode
+Patch2: aide-0.15.1-fipsfix.patch
+# -Werror=format-security
+Patch3: aide-0.15.1-format-security.patch
+Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
+BuildRequires: mktemp 
+BuildRequires: elfutils-libelf-devel
+%ifnarch aarch64 ppc64le
+BuildRequires: prelink
+%endif
+%if 0%{?rhel} == 0
+Buildrequires: mhash-devel
+%endif
+Buildrequires: zlib-devel libgcrypt-devel
+Buildrequires: flex bison
+Buildrequires: libattr-devel e2fsprogs-devel
+Buildrequires: libacl-devel libselinux-devel
+Buildrequires: audit-libs-devel >= 1.2.8-2
+%if "%{?_with_curl}x" != "x"
+Buildrequires: curl-devel
+%endif
 
 %description
 AIDE (Advanced Intrusion Detection Environment) is a file integrity
 checker and intrusion detection program.
 
+
 %prep
-%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
-%autosetup -p1
-cp -a %{SOURCE4} .
+%setup -q
+%patch1 -p1 -b .man
+%patch2 -p1 -b .fipsfix
+%patch3 -p1 -b .format
 
 %build
-#autoreconf -ivf
-%configure  \
-  --disable-static \
-  --with-config_file=%{_sysconfdir}/aide.conf \
-  --without-gcrypt \
-  --with-nettle \
-  --with-zlib \
-  --with-curl \
-  --with-posix-acl \
-  --with-selinux \
-  --with-xattr \
-  --with-e2fsattrs \
-  --with-audit
-%make_build
+%configure --with-config_file=%{_sysconfdir}/aide.conf \
+           --with-zlib \
+           --disable-static \
+%if 0%{?rhel} == 0
+           --with-mhash \
+%endif
+           %{?_with_curl} %{?_without_curl} \
+           --with-posix-acl \
+           --with-selinux \
+           --with-prelink \
+           --with-xattr \
+           --with-e2fsattrs \
+           --with-audit
+
+make
 
-%check
-make check
 
 %install
-%make_install bindir=%{_sbindir}
-install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{SOURCE3}
-install -Dpm0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/aide
-mkdir -p %{buildroot}%{_localstatedir}/log/aide
-mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
+rm -rf $RPM_BUILD_ROOT
+make DESTDIR=$RPM_BUILD_ROOT bindir=%{_sbindir} install
+mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log/aide
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}
+install -p %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}
+mkdir -p -m0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/aide
+install -p %{SOURCE2} README.quickstart
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
+install -c -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/aide
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
 
 %files
-%license COPYING
-%doc AUTHORS ChangeLog NEWS README
+%defattr(0644,root,root,0755)
+%doc AUTHORS COPYING ChangeLog NEWS README doc/manual.html contrib/
 %doc README.quickstart
-%{_sbindir}/aide
-%{_mandir}/man1/*.1*
-%{_mandir}/man5/*.5*
+%attr(0700,root,root) %{_sbindir}/aide
+%{_mandir}/man1/*
+%{_mandir}/man5/*
 %config(noreplace) %attr(0600,root,root) %{_sysconfdir}/aide.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/aide
 %dir %attr(0700,root,root) %{_localstatedir}/lib/aide
 %dir %attr(0700,root,root) %{_localstatedir}/log/aide
 
+
 %changelog
-%autochangelog
+* Tue Jun 16 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Fri Aug 15 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 18 2014 Yaakov Selkowitz <yselkowi@redhat.com> - 0.15.1-8
+- Fix FTBFS with -Werror=format-security (#1036983, #1105942)
+- Avoid prelink BR on aarch64, ppc64le (#924977, #1078476)
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Nov 22 2012 Daniel Kopecek <dkopecek@redhat.com> - 0.15.1-4
+- added patch to fix aide in FIPS mode
+- use only FIPS approved digest algorithms in aide.conf so that
+  aide works by default in FIPS mode
+
+* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.15.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Nov 11 2010 Steve Grubb <sgrubb@redhat.com> - 0.15.1-1
+- New upstream release
+
+* Tue May 18 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-5
+- Apply 2 upstream bug fixes
+
+* Tue May 18 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-4
+- Use upstream's patch to fix bz 590566
+
+* Sat May 15 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-3
+- Fix bz 590561 aide does not detect the change of SElinux context
+- Fix bz 590566 aide reports a changed file when it has not been changed
+
+* Wed Apr 28 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-2
+- Fix bz 574764 by replacing abort calls with exit
+- Apply libgcrypt init patch
+
+* Tue Mar 16 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-1
+- New upstream release final 0.14
+
+* Thu Feb 25 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.4.rc3
+- New upstream release
+
+* Thu Feb 25 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.3.rc2
+- New upstream release
+
+* Tue Feb 23 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.2.rc1
+- Fix dirent detection on 64bit systems
+
+* Mon Feb 22 2010 Steve Grubb <sgrubb@redhat.com> - 0.14-0.1.rc1
+- New upstream release
+
+* Fri Feb 19 2010 Steve Grubb <sgrubb@redhat.com> - 0.13.1-16
+- Add logrotate script and spec file cleanups
+
+* Fri Dec 11 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-15
+- Get rid of .dedosify files
+
+* Wed Dec 09 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-14
+- Revise patch for Initialize libgcrypt correctly (#530485)
+
+* Sat Nov 07 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-13
+- Initialize libgcrypt correctly (#530485)
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 0.13.1-12
+- rebuilt with new audit
+
+* Wed Aug 19 2009 Steve Grubb <sgrubb@redhat.com> 0.13.1-11
+- rebuild for new audit-libs
+- Correct regex for root's dot files (#509370)
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.1-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Jun 08 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-9
+- Make aide smarter about prelinked files (Peter Vrabec)
+- Add /lib64 to default config
+
+* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Fri Jan 30 2009 Steve Grubb <sgrubb@redhat.com> - 0.13.1-6
+- enable xattr support and update config file
+
+* Fri Sep 26 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.13.1-5
+- fix selcon patch to apply without fuzz
+
+* Fri Feb 15 2008 Steve Conklin <sconklin@redhat.com>
+- rebuild for gcc4.3
+
+* Tue Aug 21 2007 Michael Schwendt <mschwendt[AT]users.sf.net>
+- rebuilt
+
+* Sun Jul 22 2007 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13.1-2
+- Apply Steve Conklin's patch to increase displayed portion of
+  selinux context.
+
+* Sun Dec 17 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13.1-1
+- Update to 0.13.1 release.
+
+* Sun Dec 10 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.13-1
+- Update to 0.13 release.
+- Include default aide.conf from RHEL5 as doc example file.
+
+* Sun Oct 29 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-3.20061027cvs
+- CAUTION! This changes the database format and results in a report of
+  false inconsistencies until an old database file is updated.
+- Check out CVS 20061027 which now contains Red Hat's
+  acl/xattr/selinux/audit patches.
+- Patches merged upstream.
+- Update manual page substitutions.
+
+* Mon Oct 23 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-2
+- Add "memory leaks and performance updates" patch as posted
+  to aide-devel by Steve Grubb.
+
+* Sat Oct 07 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.12-1
+- Update to 0.12 release.
+- now offers --disable-static, so -no-static patch is obsolete
+- fill last element of getopt struct array with zeroes
+
+* Mon Oct 02 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-3
+- rebuilt
+
+* Mon Sep 11 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-2
+- rebuilt
+
+* Sun Feb 19 2006 Michael Schwendt <mschwendt[AT]users.sf.net> - 0.11-1
+- Update to 0.11 release.
+- useless-includes patch merged upstream.
+- old Russian man pages not available anymore.
+- disable static linking.
+
+* Fri Apr  7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
+- rebuilt
+
+* Fri Nov 28 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.1
+- Update to 0.10 release.
+- memleaks patch merged upstream.
+- rootpath patch merged upstream.
+- fstat patch not needed anymore.
+- Updated URL.
+
+* Thu Nov 13 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.0.2.cvs20031104
+- Added buildreq m4 to work around incomplete deps of bison package.
+
+* Tue Nov 04 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.10-0.fdr.0.1.cvs20031104
+- Only tar.gz available upstream.
+- byacc not needed when bison -y is available.
+- Installed Russian manual pages.
+- Updated with changes from CVS (2003-11-04).
+- getopt patch merged upstream.
+- bison-1.35 patch incorporated upstream.
+
+* Tue Sep 09 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.9-0.fdr.0.2.20030902
+- Added fixes for further memleaks.
+
+* Sun Sep 07 2003 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:0.9-0.fdr.0.1.20030902
+- Initial package version.
+

ci.fmf

@@ -1,12 +0,0 @@
-#e2e test plan
-/e2e:
-  plan:
-    import:
-      url: https://github.com/RedHat-SP-Security/aide-plans.git
-      name: /generic/e2e_ci
- 
-/rpmverify:
-  plan:
-    import:
-      url: https://github.com/RedHat-SP-Security/aide-plans.git
-      name: /generic/rpmverify

sources

@@ -1,2 +1,2 @@
-SHA512 (aide-0.19.2.tar.gz) = 08506c2302e34794fa08a27caaa1e714ba736d46351c577234f2c3d2623ea82b243b3318061a369a46d6961a782f42fbb8edd42d1d4de6949e7fc30c87865830
-SHA512 (aide-0.19.2.tar.gz.asc) = ebc04f22a49ec6b378dca4930574edcd46919281297bc1d5e09f5839a6fab3a38762462b7d852a82b7045313f9c24208bfff49a561d8afd04e9116be7096169a
+d0b72535ff68b93a648e4d08b0ed7f07  aide-0.15.1.tar.gz
+aa8e08c35c13786b2abb3afe6e6a8024  aide-0.15.1.tar.gz.asc