From 6999185ee32aabfae9b28cd30621513bc9b92c68 Mon Sep 17 00:00:00 2001 From: Michael Schwendt Date: Jan 05 2007 22:19:33 +0000 Subject: - Update to 0.13.1 release. Sun Dec 10 2006 Michael Schwendt - 0.13-1 - Update to 0.13 release. - Include default aide.conf from RHEL5 as doc example file. Sun Oct 29 2006 Michael Schwendt - 0.12-3.20061027cvs - CAUTION! This changes the database format and results in a report of false inconsistencies until an old database file is updated. - Check out CVS 20061027 which now contains Red Hat's acl/xattr/selinux/audit patches. - Patches merged upstream. - Update manual page substitutions. --- diff --git a/.cvsignore b/.cvsignore index 85490ae..5504e9e 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1,2 +1,2 @@ -aide-0.12.tar.gz -aide-0.12.tar.gz.asc +aide-0.13.1.tar.gz.asc +aide-0.13.1.tar.gz diff --git a/aide-0.12-getopt.patch b/aide-0.12-getopt.patch deleted file mode 100644 index 60efebb..0000000 --- a/aide-0.12-getopt.patch +++ /dev/null @@ -1,14 +0,0 @@ -Do what the manual says. - -diff -Nur aide-0.12-orig/src/aide.c aide-0.12/src/aide.c ---- aide-0.12-orig/src/aide.c 2006-10-04 12:20:25.000000000 +0200 -+++ aide-0.12/src/aide.c 2006-10-14 22:35:47.000000000 +0200 -@@ -109,7 +109,7 @@ - { "update", no_argument, NULL, 'u'}, - { "config-check", no_argument, NULL, 'D'}, - { "compare", no_argument, NULL, 'E'}, -- { NULL } -+ { NULL, 0, NULL, 0 } - }; - - while(1){ diff --git a/aide-0.12-rh-bugfixes.patch b/aide-0.12-rh-bugfixes.patch deleted file mode 100644 index 6ce4bc0..0000000 --- a/aide-0.12-rh-bugfixes.patch +++ /dev/null @@ -1,160 +0,0 @@ -Hi, - -This patch removes a couple unnecessary memsets, fixes some memory leaks -associated with strlastslash usage, fixes some memory leaks in populate_tree, -and moves a couple assignments closer to where they are used in case they are -not needed. - --Steve - - -diff -ur aide-0.12_rc1.orig/src/base64.c aide-0.12_rc1/src/base64.c ---- aide-0.12_rc1.orig/src/base64.c 2006-10-16 13:31:43.000000000 -0400 -+++ aide-0.12_rc1/src/base64.c 2006-10-16 13:43:08.000000000 -0400 -@@ -103,8 +103,6 @@ - } - outbuf = (char *)malloc(sizeof(char)*B64_BUF); - -- memset((void*)outbuf,0,B64_BUF); -- - /* Initialize working pointers */ - inb = src; - i = 0; -@@ -191,11 +189,9 @@ - return NULL; - - -- - /* Initialize working pointers */ - inb = src; - outbuf = (byte *)malloc(sizeof(byte)*B64_BUF); -- memset(outbuf,0,sizeof(byte)*B64_BUF); - - l = 0; - triple = 0; -diff -ur aide-0.12_rc1.orig/src/commandconf.c aide-0.12_rc1/src/commandconf.c ---- aide-0.12_rc1.orig/src/commandconf.c 2006-10-16 13:31:43.000000000 -0400 -+++ aide-0.12_rc1/src/commandconf.c 2006-10-16 13:43:08.000000000 -0400 -@@ -240,11 +240,11 @@ - { - int retval=0; - int c=0; -- char* tmp=NULL; - int err=0; -- int* domd=0; -+ int* domd=NULL; - url_t* db_url=NULL; - #ifdef WITH_MHASH -+ char* tmp=NULL; - MHASH* md=NULL; - void* key=NULL; - int keylen; -@@ -401,7 +401,7 @@ - - int check_db_order(DB_FIELD* d,int size, DB_FIELD a) - { -- int i=0; -+ int i; - for(i=0;iconf_lineno = r->conf_lineno; -- node->rx=(char*)malloc(strlen(r->rx)+1); -- strcpy(node->rx,r->rx); -+ node->rx=strdup(r->rx); - } else { - node->conf_lineno = -1; - node->rx=NULL; -@@ -265,13 +264,17 @@ - if(isrx){ - parent=get_seltree_node(tree,tmprxtok); - }else { -- parent=get_seltree_node(tree,strlastslash(path)); -+ char* dirn=strlastslash(path); -+ parent=get_seltree_node(tree,dirn); -+ free(dirn); - } - if(parent==NULL){ - if(isrx){ - parent=new_seltree_node(tree,tmprxtok,isrx,r); - }else { -- parent=new_seltree_node(tree,strlastslash(path),isrx,r); -+ char* dirn=strlastslash(path); -+ parent=new_seltree_node(tree,dirn,isrx,r); -+ free(dirn); - } - } - free(tmprxtok); -@@ -306,8 +309,7 @@ - error(240,"Handling %s with %c \"%s\" with node \"%s\"\n",rxtok,type,curr_rule->rx,curnode->path); - - -- /* We have to add '^' to the first charaster of string... -- * -+ /* We have to add '^' to the first character of string... - */ - - data=(char*)malloc(strlen(curr_rule->rx)+1+1); -@@ -1518,9 +1520,14 @@ - if((add=check_rxtree(old->filename,tree,&attr))>0){ - add_file_to_tree(tree,old,DB_OLD,0,attr); - i++; -- }else if(!initdbwarningprinted){ -- error(3,_("WARNING: Old db contains a file that shouldn\'t be there, run --init or --update\n")); -- initdbwarningprinted=1; -+ }else{ -+ free_db_line(old); -+ free(old); -+ old=NULL; -+ if(!initdbwarningprinted){ -+ error(3,_("WARNING: Old db contains a file that shouldn\'t be there, run --init or --update\n")); -+ initdbwarningprinted=1; -+ } - } - if(i<100){ - old=db_readline(DB_OLD); -@@ -1543,6 +1550,10 @@ - if((add=check_rxtree(new->filename,tree,&attr))>0){ - add_file_to_tree(tree,new,DB_NEW,0,attr); - i++; -+ } else { -+ free_db_line(new); -+ free(new); -+ new=NULL; - } - if(i<100){ - new=db_readline(DB_NEW); -@@ -1568,6 +1579,8 @@ - } - if((conf->action&DO_INIT)&&!(conf->action&DO_COMPARE)){ - free_db_line(new); -+ free(new); -+ new=NULL; - } - if(i<100){ - new=db_readline(DB_DISK); -diff -ur aide-0.12_rc1.orig/src/symboltable.c aide-0.12_rc1/src/symboltable.c ---- aide-0.12_rc1.orig/src/symboltable.c 2006-10-16 13:31:43.000000000 -0400 -+++ aide-0.12_rc1/src/symboltable.c 2006-10-16 13:43:08.000000000 -0400 -@@ -34,13 +34,13 @@ - return NULL; - } - -- l=item->prev; - p=item; - while(p!=NULL){ - if (strcmp(s,((symba*)p->data)->name)==0) return p; - p=p->next; - } - -+ l=item->prev; - while(l!=NULL){ - /* Insert bug to here return l-> return p */ - if (strcmp(s,((symba*)l->data)->name)==0) return l; - diff --git a/aide.conf.rhel b/aide.conf.rhel new file mode 100644 index 0000000..8144a9e --- /dev/null +++ b/aide.conf.rhel @@ -0,0 +1,215 @@ +# Example configuration file for AIDE. + +@@define DBDIR /var/lib/aide + +# The location of the database to be read. +database=file:@@{DBDIR}/aide.db.gz + +# The location of the database to be written. +#database_out=sql:host:port:database:login_name:passwd:table +#database_out=file:aide.db.new +database_out=file:@@{DBDIR}/aide.db.new.gz + +# Whether to gzip the output to database +gzip_dbout=yes + +# Default. +verbose=5 + +report_url=file:/var/log/aide.log +report_url=stdout +#report_url=stderr +#NOT IMPLEMENTED report_url=mailto:root@foo.com +#NOT IMPLEMENTED report_url=syslog:LOG_AUTH + +# These are the default rules. +# +#p: permissions +#i: inode: +#n: number of links +#u: user +#g: group +#s: size +#b: block count +#m: mtime +#a: atime +#c: ctime +#acl: Access Control Lists +#selinux SELinux security context +#xattrs: Extended file attributes +#S: check for growing size +#md5: md5 checksum +#sha1: sha1 checksum +#sha256: sha256 checksum +#sha512: sha512 checksum +#rmd160: rmd160 checksum +#tiger: tiger checksum + +#haval: haval checksum (MHASH only) +#gost: gost checksum (MHASH only) +#crc32: crc32 checksum (MHASH only) +#whirlpool: whirlpool checksum (MHASH only) + +#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 +#L: p+i+n+u+g+acl+selinux+xattrs +#E: Empty group +#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs + +# You can create custom rules like this. +# With MHASH... +# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 +ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger +# Everything but access time (Ie. all changes) +EVERYTHING = R+ALLXTRAHASHES + +# Sane, with multiple hashes +# NORMAL = R+rmd160+sha256+whirlpool +NORMAL = R+rmd160+sha256 + +# For directories, don't bother doing hashes +DIR = p+i+n+u+g+acl+selinux+xattrs + +# Access control only +PERMS = p+i+u+g+acl+selinux + +# Logfile are special, in that they often change +LOG = > + +# Just do md5 and sha256 hashes +LSPP = R+sha256 + +# Some files get updated automatically, so the inode/ctime/mtime change +# but we want to know when the data inside them changes +DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger + +# Next decide what directories/files you want in the database. + +/boot NORMAL +/bin NORMAL +/sbin NORMAL +/lib NORMAL +/opt NORMAL +/usr NORMAL +/root NORMAL +# These are too volatile +!/usr/src +!/usr/tmp + +# Check only permissions, inode, user and group for /etc, but +# cover some important files closely. +/etc PERMS +!/etc/mtab +# Ignore backup files +!/etc/.*~ +/etc/exports NORMAL +/etc/fstab NORMAL +/etc/passwd NORMAL +/etc/group NORMAL +/etc/gshadow NORMAL +/etc/shadow NORMAL +/etc/security/opasswd NORMAL + +/etc/hosts.allow NORMAL +/etc/hosts.deny NORMAL + +/etc/sudoers NORMAL +/etc/skel NORMAL + +/etc/logrotate.d NORMAL + +/etc/resolv.conf DATAONLY + +/etc/nscd.conf NORMAL +/etc/securetty NORMAL + +# Shell/X starting files +/etc/profile NORMAL +/etc/bashrc NORMAL +/etc/bash_completion.d/ NORMAL +/etc/login.defs NORMAL +/etc/zprofile NORMAL +/etc/zshrc NORMAL +/etc/zlogin NORMAL +/etc/zlogout NORMAL +/etc/profile.d/ NORMAL +/etc/X11/ NORMAL + +# Pkg manager +/etc/yum.conf NORMAL +/etc/yumex.conf NORMAL +/etc/yumex.profiles.conf NORMAL +/etc/yum/ NORMAL +/etc/yum.repos.d/ NORMAL + +/var/log LOG +# This gets new/removes-old filenames daily +!/var/log/sa +# As we are checking it, we've truncated yesterdays size to zero. +!/var/log/aide.log + +# LSPP rules... +# AIDE produces an audit record, so this becomes perpetual motion. +# /var/log/audit/ LSPP +/etc/audit/ LSPP +/etc/libaudit.conf LSPP +/usr/sbin/stunnel LSPP +/var/spool/at LSPP +/etc/at.allow LSPP +/etc/at.deny LSPP +/etc/cron.allow LSPP +/etc/cron.deny LSPP +/etc/cron.d/ LSPP +/etc/cron.daily/ LSPP +/etc/cron.hourly/ LSPP +/etc/cron.monthly/ LSPP +/etc/cron.weekly/ LSPP +/etc/crontab LSPP +/var/spool/cron/root LSPP + +/etc/login.defs LSPP +/etc/securetty LSPP +/var/log/faillog LSPP +/var/log/lastlog LSPP + +/etc/hosts LSPP +/etc/sysconfig LSPP + +/etc/inittab LSPP +# Grub isn't in LSPP, but pretend it is +/etc/grub/ LSPP +/etc/rc.d LSPP + +/etc/ld.so.conf LSPP + +/etc/localtime LSPP + +/etc/sysctl.conf LSPP + +/etc/modprobe.conf LSPP + +/etc/pam.d LSPP +/etc/security LSPP +/etc/aliases LSPP +/etc/postfix LSPP + +/etc/ssh/sshd_config LSPP +/etc/ssh/ssh_config LSPP + +/etc/stunnel LSPP + +/etc/vsftpd.ftpusers LSPP +/etc/vsftpd LSPP + +/etc/issue LSPP +/etc/issue.net LSPP + +/etc/cups LSPP + +# With AIDE's default verbosity level of 5, these would give lots of +# warnings upon tree traversal. It might change with future version. +# +#=/lost\+found DIR +#=/home DIR + +# Dito /var/log/sa reason... +!/var/log/and-httpd diff --git a/aide.spec b/aide.spec index b4cda4b..5c487b8 100644 --- a/aide.spec +++ b/aide.spec @@ -6,22 +6,24 @@ Summary: Intrusion detection environment Name: aide -Version: 0.12 -Release: 2%{?dist} +Version: 0.13.1 +Release: 1 URL: http://sourceforge.net/projects/aide License: GPL Group: Applications/System Source0: http://download.sourceforge.net/aide/aide-%{version}.tar.gz Source1: aide.conf Source2: README.quickstart -Patch0: aide-0.12-getopt.patch -Patch1: aide-0.12-rh-bugfixes.patch +Source3: aide.conf.rhel Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n) Buildrequires: mhash-devel zlib-devel Buildrequires: flex bison %if "%{?_with_curl}x" != "x" Buildrequires: curl-devel %endif +Buildrequires: pkgconfig +Buildrequires: libattr-devel libacl-devel libselinux-devel +Buildrequires: audit-libs-devel >= 1.2.8-2 #Buildrequires: postgresql-devel libgcrypt-devel #(needs --with-psql and -lgcrypt in src/Makefile.in) @@ -32,8 +34,10 @@ checker and intrusion detection program. %prep %setup -q -%patch0 -p1 -b .getopt -%patch1 -p1 -b .rh-bugfixes + +# Adjust default paths in manual. +sed -i -e 's!@sysconfdir@/aide.db\(.new\)\?!%{_localstatedir}/lib/aide/aide.db\1.gz!' doc/aide.1.in +sed -i -e 's!@sysconfdir@/aide.conf!%{_sysconfdir}/aide.conf!' doc/aide.1.in %build @@ -41,14 +45,10 @@ checker and intrusion detection program. --with-zlib \ --with-mhash --enable-mhash \ %{?_with_curl} %{?_without_curl} \ + --with-selinux --with-posix-acl --with-configmactype=sha256 \ + --with-audit \ %{?nostatic} -# Adjust default database paths. -perl -pi -e 's!%{_sysconfdir}/aide.db!%{_localstatedir}/lib/aide.db!' config.h -# Adjust default paths in manual. -perl -pi -e 's!/etc/aide.db!%{_localstatedir}/lib/aide.db!' doc/aide.1 -perl -pi -e 's!/etc/aide.conf!%{_sysconfdir}/aide.conf!' doc/aide.1 - make %{?_smp_mflags} @@ -59,6 +59,7 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir} install -p %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir} mkdir -p -m0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/aide install -p %{SOURCE2} README.quickstart +install -p %{SOURCE3} aide.conf.rhel %clean @@ -68,7 +69,7 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(0644,root,root,0755) %doc AUTHORS COPYING ChangeLog NEWS README doc/manual.html contrib/ -%doc README.quickstart +%doc README.quickstart aide.conf.rhel %attr(0700,root,root) %{_sbindir}/aide %{_mandir}/man1/* %{_mandir}/man5/* @@ -77,6 +78,21 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Sun Dec 17 2006 Michael Schwendt - 0.13.1-1 +- Update to 0.13.1 release. + +* Sun Dec 10 2006 Michael Schwendt - 0.13-1 +- Update to 0.13 release. +- Include default aide.conf from RHEL5 as doc example file. + +* Sun Oct 29 2006 Michael Schwendt - 0.12-3.20061027cvs +- CAUTION! This changes the database format and results in a report of + false inconsistencies until an old database file is updated. +- Check out CVS 20061027 which now contains Red Hat's + acl/xattr/selinux/audit patches. +- Patches merged upstream. +- Update manual page substitutions. + * Mon Oct 23 2006 Michael Schwendt - 0.12-2 - Add "memory leaks and performance updates" patch as posted to aide-devel by Steve Grubb. diff --git a/sources b/sources index d4413b7..770e9a0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -fee8da9fe8ac4f78de1a237290ed3204 aide-0.12.tar.gz -1073f8839dc68c6e0ae1251dd2371584 aide-0.12.tar.gz.asc +eb724c089677d634a02d015ef943522c aide-0.13.1.tar.gz.asc +27978cc6bca4f0fbf3f6f5a1b330661c aide-0.13.1.tar.gz