Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild

Document why /boot/grub2/grubenv is excluded from AIDE monitoring.  The
file's timestamp gets modified continuously due to the "boot_success"
implementation, which would cause unnecessary noise in security
monitoring reports.
Do not monitor link count in /var/log/journal

.gitignore

@@ -19,3 +19,5 @@ aide-0.14.tar.gz.asc
 /aide-0.18.8.tar.gz.asc
 /aide-0.19.1.tar.gz
 /aide-0.19.1.tar.gz.asc
+/aide-0.19.2.tar.gz
+/aide-0.19.2.tar.gz.asc

aide.conf

@@ -112,221 +112,247 @@ report_url=stdout
 
 # You can create custom rules like this.
 # Note: Removed deprecated/removed hashsums (tiger, haval, crc32, crc32b, whirlpool, md5, sha1, rmd160, gost)
-# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32+crc32b (old with deprecated/removed)
 ALLXTRAHASHES = sha256+sha512+sha512_256+sha3_256+sha3_512+stribog256+stribog512
 # Everything but access time (Ie. all changes) - updated with modern hashsums
 EVERYTHING = R+ALLXTRAHASHES
 
 # Base + sha512 (strong)
-NORMAL = R+sha512
+NORMAL = R+sha512-m-c
 
-CONTENT = ftype+sha256
+# Content only - added file type and strong hash
+CONTENT = ftype+sha512
 
 # For directories, don't bother doing hashes - added file type and link name
 DIR = ftype+p+i+l+n+u+g+acl+selinux+xattrs
 
 # Access control only - added file type and link name
-PERMS = ftype+p+i+l+u+g+acl+selinux
+PERMS = ftype+p+u+g+acl+selinux+xattrs
 
-# Logfile are special, in that they often change
-LOG = >
+# Logfiles are special, in that they often change due to log rotation
+# Track only: permissions, file type, user, group, number of links, SELinux context, extended attributes
+# Allow new files (ANF) and allow removed files (ARF) due to log rotation techniques
+# Don't track: size, inodes, timestamps, checksums and some special attributes (these change frequently with log rotation)
+LOG = p+ftype+u+g+n+ANF+ARF+selinux+xattrs
 
 # Some files get updated automatically, so the inode/ctime/mtime change
 # but we want to know when the data inside them changes - updated with modern hash
-DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256
+DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha256
 
 # Next decide what directories/files you want in the database.
 
-/boot/   NORMAL
-/bin/    NORMAL
-/sbin/   NORMAL
-/lib/    NORMAL
-/lib64/  NORMAL
+/boot   NORMAL
+/bin    NORMAL
+/sbin   NORMAL
+/lib    NORMAL
+/lib64  NORMAL
 # Monitor /opt selectively to avoid noise from auto-updating applications
-/opt/    CONTENT
-/usr/    NORMAL
+/opt    CONTENT
+/usr    NORMAL
 # These are too volatile
 !/usr/src
 !/usr/tmp
 
-/root   NORMAL
 # Admins dot files constantly change, just check perms
 /root/\..* PERMS
+!/root/.xauth*
+/root   NORMAL
 
 # Check only permissions, inode, user and group for /etc, but
 # cover some important files closely.
-/etc    PERMS
 !/etc/mtab
 # Ignore backup files
 !/etc/.*~
 
 # trusted databases
-/etc/hosts$ NORMAL
-/etc/host.conf$ NORMAL
-/etc/hostname$ NORMAL
-/etc/issue$ NORMAL
-/etc/issue.net$ NORMAL
-/etc/protocols$ NORMAL
-/etc/services$ NORMAL
-/etc/localtime$ NORMAL
-/etc/alternatives/ NORMAL
+/etc/hosts$      NORMAL
+/etc/host.conf$  NORMAL
+/etc/hostname$   NORMAL
+/etc/issue$      NORMAL
+/etc/issue.net$  NORMAL
+/etc/protocols$  NORMAL
+/etc/services$   NORMAL
+/etc/localtime$  NORMAL
+/etc/alternatives NORMAL
 /etc/mime.types$ NORMAL
-/etc/terminfo/ NORMAL
-/etc/exports$  NORMAL
-/etc/fstab$    NORMAL
-/etc/passwd$   NORMAL
-/etc/group$    NORMAL
-/etc/gshadow$  NORMAL
-/etc/shadow$   NORMAL
-/etc/security/opasswd$   NORMAL
-/etc/skel/ NORMAL
+/etc/terminfo    NORMAL
+/etc/exports$    NORMAL
+/etc/fstab$      NORMAL
+/etc/passwd$     NORMAL
+/etc/group$      NORMAL
+/etc/gshadow$    NORMAL
+/etc/shadow$     NORMAL
+/etc/subgid$     NORMAL
+/etc/subuid$     NORMAL
+/etc/skel        NORMAL
+/etc/sssd        NORMAL
+/etc/swid        NORMAL
+/etc/system-release-cpe$ NORMAL
+/etc/tmux.conf$  NORMAL
+/etc/xattr.conf$ NORMAL
 
 # networking
-/etc/hosts.allow$   NORMAL
-/etc/hosts.deny$    NORMAL
-/etc/firewalld/ NORMAL
-/etc/NetworkManager/ NORMAL
+/etc/firewalld      NORMAL
+!/etc/NetworkManager/system-connections
+/etc/NetworkManager NORMAL
 /etc/networks$ NORMAL
-/etc/dhcp/ NORMAL
-/etc/wpa_supplicant/ NORMAL
+/etc/dhcp NORMAL
+/etc/wpa_supplicant NORMAL
 /etc/resolv.conf$ DATAONLY
-/etc/nscd.conf$ NORMAL
 
 # logins and accounts
 /etc/login.defs$ NORMAL
 /etc/libuser.conf$ NORMAL
 /var/log/faillog$ PERMS
 /var/log/lastlog$ PERMS
-/var/run/faillock/ PERMS
-/etc/pam.d/ NORMAL
-/etc/security$ NORMAL
+/var/run/faillock PERMS
+/etc/pam.d NORMAL
+/etc/security NORMAL
 /etc/securetty$ NORMAL
-/etc/polkit-1/ NORMAL
+/etc/polkit-1 NORMAL
 /etc/sudo.conf$ NORMAL
 /etc/sudoers$ NORMAL
-/etc/sudoers.d/ NORMAL
+/etc/sudoers.d NORMAL
 
 # Shell/X starting files
 /etc/profile$ NORMAL
-/etc/profile.d/ NORMAL
+/etc/profile.d NORMAL
 /etc/bashrc$ NORMAL
-/etc/bash_completion.d/ NORMAL
+/etc/bash_completion.d NORMAL
 /etc/zprofile$ NORMAL
 /etc/zshrc$ NORMAL
 /etc/zlogin$ NORMAL
 /etc/zlogout$ NORMAL
-/etc/X11/ NORMAL
+/etc/X11 NORMAL
 /etc/shells$ NORMAL
 
 # Pkg manager
-/etc/yum.conf$ NORMAL
-/etc/yum/ NORMAL
-/etc/yum.repos.d/ NORMAL
+/etc/dnf NORMAL
+/etc/yum.repos.d NORMAL
 
-/etc/audit/ NORMAL
-/etc/audisp/ NORMAL
+# auditing
+# AIDE produces an audit record, so this becomes perpetual motion.
+/var/log/audit PERMS
+/etc/audit NORMAL
 /etc/libaudit.conf$ NORMAL
 /etc/aide.conf$  NORMAL
 
-# System logs
+# System logs with proper logrotate handling
 /etc/rsyslog.conf$ NORMAL
-/etc/rsyslog.d/ NORMAL
+/etc/rsyslog.d NORMAL
 /etc/logrotate.conf$ NORMAL
-/etc/logrotate.d/ NORMAL
-/var/log/ LOG+ANF+ARF
-/var/run/utmp$ LOG
+/etc/logrotate.d NORMAL
+/etc/systemd/journald.conf$ NORMAL
+
+# Log directory
+/var/log LOG
+# Journal files - exclude xattrs and link count due to systemd journal's user.crtime_usec extended attribute changes and new directory creation
+/var/log/journal LOG-xattrs-n
+
+
+/var/run/utmp LOG
+
 
 # secrets
-/etc/pkcs11/ NORMAL
-/etc/pki/ NORMAL
-/etc/ssl/ NORMAL
-/etc/certmonger/ NORMAL
+/etc/pkcs11 NORMAL
+/etc/pki NORMAL
+/etc/ssl NORMAL
+/etc/certmonger NORMAL
+/var/lib/systemd/random-seed$ PERMS
 
 # init system
-/etc/systemd/ NORMAL
-/etc/sysconfig/ NORMAL
-/etc/rc.d/ NORMAL
-/etc/tmpfiles.d/ NORMAL
+/etc/systemd NORMAL
+/etc/sysconfig NORMAL
+/etc/rc.d NORMAL
+/etc/tmpfiles.d NORMAL
 /etc/machine-id$ NORMAL
 
 # boot config
-/etc/grub.d/ NORMAL
+/etc/default NORMAL
+/etc/grub.d NORMAL
 /etc/grub2.cfg$ NORMAL
 /etc/dracut.conf$ NORMAL
-/etc/dracut.conf.d/ NORMAL
+/etc/dracut.conf.d NORMAL
 
 # glibc linker
 /etc/ld.so.cache$ NORMAL
 /etc/ld.so.conf$ NORMAL
-/etc/ld.so.conf.d/ NORMAL
+/etc/ld.so.conf.d NORMAL
+/etc/ld.so.preload$ NORMAL
 
 # kernel config
 /etc/sysctl.conf$ NORMAL
-/etc/sysctl.d/ NORMAL
-/etc/modprobe.d/ NORMAL
-/etc/modules-load.d/ NORMAL
-/etc/depmod.d/ NORMAL
-/etc/udev/ NORMAL
+/etc/sysctl.d NORMAL
+/etc/modprobe.d NORMAL
+/etc/modules-load.d NORMAL
+/etc/depmod.d NORMAL
+/etc/udev NORMAL
 /etc/crypttab$ NORMAL
 
 #### Daemons ####
 
 # cron jobs
-/var/spool/at/ CONTENT
+/var/spool/at CONTENT
 /etc/at.allow$ CONTENT
 /etc/at.deny$ CONTENT
+/etc/anacrontab$ NORMAL
 /etc/cron.allow$ NORMAL
 /etc/cron.deny$ NORMAL
-/etc/cron.d/ NORMAL
-/etc/cron.daily/ NORMAL
-/etc/cron.hourly/ NORMAL
-/etc/cron.monthly/ NORMAL
-/etc/cron.weekly/ NORMAL
+/etc/cron.d NORMAL
+/etc/cron.daily NORMAL
+/etc/cron.hourly NORMAL
+/etc/cron.monthly NORMAL
+/etc/cron.weekly NORMAL
 /etc/crontab$ NORMAL
-/var/spool/cron/root/ CONTENT
-/etc/anacrontab$ NORMAL
+/var/spool/cron/root CONTENT
 
 # time keeping
-/etc/ntp.conf$ NORMAL
-/etc/ntp/ NORMAL
 /etc/chrony.conf$ NORMAL
 /etc/chrony.keys$ NORMAL
 
 # mail
 /etc/aliases$ NORMAL
 /etc/aliases.db$ NORMAL
-/etc/postfix/ NORMAL
-/etc/mail.rc$ NORMAL
-/etc/mailcap$ NORMAL
+/etc/postfix NORMAL
 
 # ssh
 /etc/ssh/sshd_config$ NORMAL
 /etc/ssh/ssh_config$ NORMAL
 
 # stunnel
-/etc/stunnel/ NORMAL
+/etc/stunnel NORMAL
 
 # ftp
-/etc/vsftpd.conf$ CONTENT
-/etc/vsftpd/ CONTENT
+/etc/vsftpd CONTENT
 
 # printing
-/etc/cups/ NORMAL
-/etc/cupshelpers/ NORMAL
-/etc/avahi/ NORMAL
+/etc/cups NORMAL
+/etc/cupshelpers NORMAL
+/etc/avahi NORMAL
 
 # web server
-/etc/httpd/ NORMAL
+/etc/httpd NORMAL
 
 # dns
-/etc/named/ NORMAL
+/etc/named NORMAL
 /etc/named.conf$ NORMAL
 /etc/named.iscdlv.key$ NORMAL
 /etc/named.rfc1912.zones$ NORMAL
 /etc/named.root.key$ NORMAL
 
 # xinetd
-/etc/xinetd.d/ NORMAL
+/etc/xinetd.conf$ NORMAL
+/etc/xinetd.d NORMAL
+
+# IPsec
+/etc/ipsec.conf$ NORMAL
+/etc/ipsec.secrets$ NORMAL
+/etc/ipsec.d NORMAL
+
+# USBGuard
+/etc/usbguard NORMAL
+
+# Now everything else
+/etc    PERMS
 
 # This gets new/removes-old filenames daily
 !/var/log/sa
@@ -340,4 +366,7 @@ DATAONLY = ftype+p+l+n+u+g+s+acl+selinux+xattrs+sha_256
 #=/home           DIR
 
 # Ditto /var/log/sa reason...
-!/var/log/httpd/
+!/var/log/httpd
+# /boot/grub2/grubenv's timestamp is getting modified continuously due to "boot_success" implementation
+!/boot/grub2/grubenv
+

aide.rpmlintrc

@@ -0,0 +1,15 @@
+# RPMlint configuration for aide package
+# These warnings are expected and intentional for security reasons
+
+# AIDE log directory has restricted permissions (700) for security
+# Log files may contain sensitive security information
+addFilter("aide.* non-standard-dir-perm /var/log/aide 700")
+
+# AIDE configuration file has restricted permissions (600) for security  
+# Configuration reveals what files/directories are monitored
+addFilter("aide.* non-readable /etc/aide.conf 600")
+
+# FSF address in COPYING file is outdated - this is an upstream issue
+# The license text contains the old FSF address format
+addFilter("aide.* incorrect-fsf-address /usr/share/licenses/aide/COPYING")
+

aide.spec

@@ -1,6 +1,6 @@
 Summary:        Intrusion detection environment
 Name:           aide
-Version:        0.19.1
+Version:        0.19.2
 Release:        %autorelease
 URL:            https://github.com/aide/aide
 License:        GPL-2.0-or-later

sources

@@ -1,2 +1,2 @@
-SHA512 (aide-0.19.1.tar.gz) = 5f345458acdc79072b8293ea19a6846f2f7ab2eca36729ff1dc6fe06595a40f46af5aac57c8b02b4d144a4ad649b2a1d7f8e3bb216f0fa3d48a7023abf0029b1
-SHA512 (aide-0.19.1.tar.gz.asc) = d5bb3b8ec7dec229a01ae2e2588cc64caf9eaf2e9a71593c2d43662eb25f0afca9d955de7eeba13ca10dbe09f5b66e3b653ab018aa4c16f0531c368335b5e6de
+SHA512 (aide-0.19.2.tar.gz) = 08506c2302e34794fa08a27caaa1e714ba736d46351c577234f2c3d2623ea82b243b3318061a369a46d6961a782f42fbb8edd42d1d4de6949e7fc30c87865830
+SHA512 (aide-0.19.2.tar.gz.asc) = ebc04f22a49ec6b378dca4930574edcd46919281297bc1d5e09f5839a6fab3a38762462b7d852a82b7045313f9c24208bfff49a561d8afd04e9116be7096169a