diff --git a/.cvsignore b/.cvsignore
index 5504e9e..0914dc5 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,2 +1,4 @@
 aide-0.13.1.tar.gz.asc
 aide-0.13.1.tar.gz
+aide-0.14-rc1.tar.gz
+aide-0.14-rc1.tar.gz.asc
diff --git a/aide-0.12-dedosify.patch b/aide-0.12-dedosify.patch
deleted file mode 100644
index 8755725..0000000
--- a/aide-0.12-dedosify.patch
+++ /dev/null
@@ -1,174 +0,0 @@ ---- aide-0.12/contrib/gpg2_check.sh.spc 2007-06-21 12:37:06.000000000 -0400 -+++ aide-0.12/contrib/gpg2_check.sh 2007-06-21 12:39:53.000000000 -0400 -@@ -1,32 +1,32 @@ --#!/bin/sh --# $Id: gpg2_check.sh,v 1.1 2006/01/22 20:25:37 rvdb Exp $ -- --# Script by Vincent Danen -- --hostname=`uname -n` --echo "AIDE integrity check for ${hostname} beginning (`date`)" --echo "" --if [ ! -e /var/lib/aide/aide.db ] ; then -- echo "**** Error: AIDE database for ${hostname} not found." -- echo "**** Run 'aide --init' and move the appropriate database file." --else -- if [ -f /etc/aide.conf ]; then -- if [ -f /var/lib/aide/aide.db.sig ]; then -- pushd /var/lib/aide >/dev/null -- echo "Verifying the GPG signature on the database..." -- echo "" -- gpg --verify aide.db.sig -- echo "" -- if [ "$?" == "1" ]; then -- echo "************************************************************" -- echo "GPG signature FAILED! Your database has been tampered with!" -- echo "************************************************************" -- exit 1 -- fi -- popd >/dev/null -- fi -- nice -20 /usr/sbin/aide --check 2>/dev/null -- fi --fi -- --exit 0 -+#!/bin/sh -+# $Id: gpg2_check.sh,v 1.1 2006/01/22 20:25:37 rvdb Exp $ -+ -+# Script by Vincent Danen -+ -+hostname=`uname -n` -+echo "AIDE integrity check for ${hostname} beginning (`date`)" -+echo "" -+if [ ! -e /var/lib/aide/aide.db ] ; then -+ echo "**** Error: AIDE database for ${hostname} not found." -+ echo "**** Run 'aide --init' and move the appropriate database file." -+else -+ if [ -f /etc/aide.conf ]; then -+ if [ -f /var/lib/aide/aide.db.sig ]; then -+ pushd /var/lib/aide >/dev/null -+ echo "Verifying the GPG signature on the database..." -+ echo "" -+ gpg --verify aide.db.sig -+ echo "" -+ if [ "$?" == "1" ]; then -+ echo "************************************************************" -+ echo "GPG signature FAILED! Your database has been tampered with!" 
-+ echo "************************************************************" -+ exit 1 -+ fi -+ popd >/dev/null -+ fi -+ nice -20 /usr/sbin/aide --check 2>/dev/null -+ fi -+fi -+ -+exit 0 ---- aide-0.12/contrib/gpg2_update.sh.spc 2007-06-21 12:37:24.000000000 -0400 -+++ aide-0.12/contrib/gpg2_update.sh 2007-06-21 12:39:43.000000000 -0400 -@@ -1,52 +1,52 @@ --#!/bin/sh --# $Id: gpg2_update.sh,v 1.1 2006/01/22 20:25:37 rvdb Exp $ --# --# script to update and rotate the AIDE database files and, optionally --# create a detached GPG signature to verify the database file --# --# written by Vincent Danen 01/21/2006 -- --usegpg=0 -- --if [ -f /root/.gnupg/secring.gpg ]; then -- usegpg=1 --fi -- --if [ ! -d /var/lib/aide ]; then -- echo "The AIDE database directory /var/lib/aide does not exist!" -- exit 1 --fi -- --pushd /var/lib/aide >/dev/null -- --# copy the old database --if [ -f aide.db ]; then -- newfile="aide-`hostname`-`date +%Y%m%d-%H%M%S`.db" -- if [ "${usegpg}" == 1 -a -f aide.db.sig ]; then -- # do an integrity check -- gpg --verify aide.db.sig -- if [ "$?" == "1" ]; then -- echo "************************************************************" -- echo "GPG signature FAILED! Your database has been tampered with!" -- echo "************************************************************" -- exit 1 -- fi -- fi -- cp -av aide.db ${newfile} -- /usr/sbin/aide --update -B "database=file:/var/lib/aide/${newfile}" -- if [ "${usegpg}" == "1" ]; then -- # create the signature file -- [[ -f aide.db.sig ]] && rm -f aide.db.sig -- gpg --detach-sign aide.db -- if [ "$?" == "1" ]; then -- echo "FATAL: Error occurred when creating the signature file!" -- exit 1 -- fi -- fi -- gzip -9f ${newfile} --else -- echo "The AIDE database does not exist, can't update!" 
-- exit 1 --fi -- --popd >/dev/null -+#!/bin/sh -+# $Id: gpg2_update.sh,v 1.1 2006/01/22 20:25:37 rvdb Exp $ -+# -+# script to update and rotate the AIDE database files and, optionally -+# create a detached GPG signature to verify the database file -+# -+# written by Vincent Danen 01/21/2006 -+ -+usegpg=0 -+ -+if [ -f /root/.gnupg/secring.gpg ]; then -+ usegpg=1 -+fi -+ -+if [ ! -d /var/lib/aide ]; then -+ echo "The AIDE database directory /var/lib/aide does not exist!" -+ exit 1 -+fi -+ -+pushd /var/lib/aide >/dev/null -+ -+# copy the old database -+if [ -f aide.db ]; then -+ newfile="aide-`hostname`-`date +%Y%m%d-%H%M%S`.db" -+ if [ "${usegpg}" == 1 -a -f aide.db.sig ]; then -+ # do an integrity check -+ gpg --verify aide.db.sig -+ if [ "$?" == "1" ]; then -+ echo "************************************************************" -+ echo "GPG signature FAILED! Your database has been tampered with!" -+ echo "************************************************************" -+ exit 1 -+ fi -+ fi -+ cp -av aide.db ${newfile} -+ /usr/sbin/aide --update -B "database=file:/var/lib/aide/${newfile}" -+ if [ "${usegpg}" == "1" ]; then -+ # create the signature file -+ [[ -f aide.db.sig ]] && rm -f aide.db.sig -+ gpg --detach-sign aide.db -+ if [ "$?" == "1" ]; then -+ echo "FATAL: Error occurred when creating the signature file!" -+ exit 1 -+ fi -+ fi -+ gzip -9f ${newfile} -+else -+ echo "The AIDE database does not exist, can't update!" -+ exit 1 -+fi -+ -+popd >/dev/null diff --git a/aide-0.13.1-contextsize.patch b/aide-0.13.1-contextsize.patch deleted file mode 100644 index bfd5d25..0000000 --- a/aide-0.13.1-contextsize.patch +++ /dev/null 
@@ -1,49 +0,0 @@
-From: Steve Conklin
-To: aide-devel@lists.sourceforge.net
-
-Only the first 32 characters of the selinux context was displayed, which
-often isn't enough to see what changed.
-This patch increases the displayed length to 128 characters for selinux
-contexts and also for link names.
-
-diff -up aide-0.13.1/src/compare_db.c.selcon aide-0.13.1/src/compare_db.c
---- aide-0.13.1/src/compare_db.c.selcon 2006-11-30 14:06:56.000000000 -0500
-+++ aide-0.13.1/src/compare_db.c 2008-09-26 13:23:25.000000000 -0400
-@@ -53,9 +53,10 @@
- const int old_col = 12;
- const int new_col = 40;
- 
--const int part_len = 33; /* usable length of line[] */
--char oline[33];
--char nline[33];
-+const int part_len = 33; /* usable length of line[] for most purposes */
-+const int long_part_len = 129; /* length of line[] for link names and selinux contexts */
-+char oline[129];
-+char nline[129];
- const char* entry_format= " %-9s: %-33s, %s\n";
- const char* entry_format_justnew=" %-9s: %-33c %s\n";
- /*************/
-@@ -379,17 +380,17 @@ void print_str_changes(char*old,char*new
- 
- if(old==NULL){
- if(new!=NULL){
-- snprintf(oline,part_len,"");
-- snprintf(nline,part_len,"%s",new);
-+ snprintf(oline,long_part_len,"");
-+ snprintf(nline,long_part_len,"%s",new);
- ok = 1;
- }
- } else if(new==NULL){
-- snprintf(oline,part_len,"%s",old);
-- snprintf(nline,part_len,"");
-+ snprintf(oline,long_part_len,"%s",old);
-+ snprintf(nline,long_part_len,"");
- ok = 1;
- } else if(strcmp(old,new)!=0){
-- snprintf(oline,part_len,"%s",old);
-- snprintf(nline,part_len,"%s",new);
-+ snprintf(oline,long_part_len,"%s",old);
-+ snprintf(nline,long_part_len,"%s",new);
- ok = 1;
- }
- if(ok)
diff --git a/aide-0.13.1-libgrypt-init.patch b/aide-0.13.1-libgrypt-init.patch
deleted file mode 100644
index b6794fc..0000000
--- a/aide-0.13.1-libgrypt-init.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-diff -urp aide-0.13.1.orig/doc/aide.1.in aide-0.13.1/doc/aide.1.in
---- aide-0.13.1.orig/doc/aide.1.in 2009-12-01 12:23:10.000000000 -0500
-+++ aide-0.13.1/doc/aide.1.in 2009-12-01 12:28:14.000000000 -0500
-@@ -67,6 +67,7 @@ conditions:
- .IP "16 Unimplemented function error"
- .IP "17 Invalid configureline error"
- .IP "18 IO error"
-+.IP "19 Version mismatch error"
- .PP
- .SH NOTES
- Please note that due to mmap issues, aide cannot be terminated with
-diff -urp aide-0.13.1.orig/include/report.h aide-0.13.1/include/report.h
---- aide-0.13.1.orig/include/report.h 2009-12-01 12:23:10.000000000 -0500
-+++ aide-0.13.1/include/report.h 2009-12-01 12:27:43.000000000 -0500
-@@ -31,6 +31,7 @@
- #define UNIMPLEMENTED_FUNCTION_ERROR 16
- #define INVALID_CONFIGURELINE_ERROR 17
- #define IO_ERROR 18
-+#define VERSION_MISMATCH_ERROR 19
- 
- /* Errorcodes */
- #define HASH_ALGO_ERROR 30
-diff -urp aide-0.13.1.orig/src/md.c aide-0.13.1/src/md.c
---- aide-0.13.1.orig/src/md.c 2009-12-01 12:23:10.000000000 -0500
-+++ aide-0.13.1/src/md.c 2009-12-01 12:27:04.000000000 -0500
-@@ -201,6 +201,15 @@ int init_md(struct md_container* md) {
- #endif
- #ifdef WITH_GCRYPT
- error(255,"Gcrypt library initialization\n");
-+ /*
-+ Initialize libgcrypt as per
-+ http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
-+ */
-+ if(!gcry_check_version(GCRYPT_VERSION)) {
-+ error(0,"libgcrypt version mismatch\n");
-+ exit(VERSION_MISMATCH_ERROR);
-+ }
-+ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
- if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){
- error(0,"gcrypt_md_open failed\n");
- exit(IO_ERROR);
diff --git a/aide-0.13.1-manuals.patch b/aide-0.13.1-manuals.patch
deleted file mode 100644
index fa6f303..0000000
--- a/aide-0.13.1-manuals.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -Nur aide-0.13.1-orig/doc/aide.1.in aide-0.13.1/doc/aide.1.in
---- aide-0.13.1-orig/doc/aide.1.in 2006-11-30 20:38:16.000000000 +0100
-+++ aide-0.13.1/doc/aide.1.in 2007-01-05 23:28:44.000000000 +0100
-@@ -73,11 +73,11 @@
- SIGTERM. Use SIGKILL to terminate.
- .PP
- .SH FILES
--.B @sysconfdir@/aide.conf
-+.B /etc/aide.conf
- Default aide configuration file.
--.B @sysconfdir@/aide.db
-+.B /var/lib/aide/aide.db.gz
- Default aide database.
--.B @sysconfdir@/aide.db.new
-+.B /var/lib/aide/aide.db.new.gz
- Default aide output database.
- .SH SEE ALSO
- .BR aide.conf (5)
diff --git a/aide-0.13.1-prelink2.patch b/aide-0.13.1-prelink2.patch
deleted file mode 100644
index fd2a3f6..0000000
--- a/aide-0.13.1-prelink2.patch
+++ /dev/null
@@ -1,286 +0,0 @@ -diff -up aide-0.13.1/configure.in.prelink aide-0.13.1/configure.in ---- aide-0.13.1/configure.in.prelink 2006-12-08 22:49:21.000000000 +0100 -+++ aide-0.13.1/configure.in 2009-05-13 16:14:49.000000000 +0200 -@@ -405,6 +405,30 @@ AS_IF([test "x$with_selinux_support" != - - AC_SUBST(SELINUXLIB) - -+ -+AC_MSG_CHECKING(for prelink-support) -+AC_ARG_WITH([prelink], -+ [AC_HELP_STRING([--with-prelink],[use prelink (no checking)])], -+ [case $with_prelink in -+ yes) AC_DEFINE_UNQUOTED(PRELINK_PATH, "/usr/sbin/prelink", [path to prelink]) -+ AC_DEFINE(WITH_PRELINK,1,[use prelink]) -+ ELFLIB="-lelf" -+ compoptionstring="${compoptionstring}WITH_PRELINK\\n" -+ AC_MSG_RESULT([/usr/sbin/prelink]) -+ ;; -+ no) AC_MSG_RESULT(no) -+ ;; -+ *) AC_DEFINE_UNQUOTED(PRELINK_PATH, "$with_prelink", [path to prelink]) -+ AC_DEFINE(WITH_PRELINK,1,[use prelink]) -+ ELFLIB="-lelf" -+ compoptionstring="${compoptionstring}WITH_PRELINK\\n" -+ AC_MSG_RESULT([$with_prelink]) -+ ;; -+ esac], -+ [with_prelink=no] -+) -+AC_SUBST(ELFLIB) -+ - AC_MSG_CHECKING(for xattr-support) - AC_ARG_WITH([xattr], - [AC_HELP_STRING([--with-xattr], -diff -up aide-0.13.1/src/do_md.c.prelink aide-0.13.1/src/do_md.c ---- aide-0.13.1/src/do_md.c.prelink 2006-10-27 22:47:20.000000000 +0200 -+++ aide-0.13.1/src/do_md.c 2009-05-13 17:37:51.000000000 +0200 -@@ -65,6 +65,86 @@ - /* - #include - */ -+ -+#ifdef WITH_PRELINK -+#include -+#include -+ -+/* -+ * Is file descriptor prelinked binary/library? 
-+ * Return: 1(yes) / 0(no)
-+ *
-+ */
-+int is_prelinked(int fd) {
-+ Elf *elf = NULL;
-+ Elf_Scn *scn = NULL;
-+ Elf_Data *data = NULL;
-+ GElf_Ehdr ehdr;
-+ GElf_Shdr shdr;
-+ GElf_Dyn dyn;
-+ int bingo;
-+
-+ (void) elf_version(EV_CURRENT);
-+
-+ if ((elf = elf_begin (fd, ELF_C_READ, NULL)) == NULL
-+ || elf_kind(elf) != ELF_K_ELF
-+ || gelf_getehdr(elf, &ehdr) == NULL
-+ || !(ehdr.e_type == ET_DYN || ehdr.e_type == ET_EXEC))
-+ return 0;
-+
-+ bingo = 0;
-+ while (!bingo && (scn = elf_nextscn(elf, scn)) != NULL) {
-+ (void) gelf_getshdr(scn, &shdr);
-+
-+ if (shdr.sh_type != SHT_DYNAMIC)
-+ continue;
-+
-+ while (!bingo && (data = elf_getdata (scn, data)) != NULL) {
-+ int maxndx = data->d_size / shdr.sh_entsize;
-+ int ndx;
-+
-+ for (ndx = 0; ndx < maxndx; ++ndx) {
-+ (void) gelf_getdyn (data, ndx, &dyn);
-+ if (!(dyn.d_tag == DT_GNU_PRELINKED || dyn.d_tag == DT_GNU_LIBLIST))
-+ continue;
-+ bingo = 1;
-+ break;
-+ }
-+ }
-+ }
-+
-+ return bingo;
-+}
-+
-+/*
-+ * Open path via prelink -y, set fd
-+ * Return: 0(not success) / !0(prelink child process)
-+ *
-+ */
-+pid_t open_prelinked(const char * path, int * fd) {
-+ const char *cmd = PRELINK_PATH;
-+ pid_t pid = 0;
-+ int pipes[2];
-+
-+ pipes[0] = pipes[1] = -1;
-+ pipe(pipes);
-+ if (!(pid = fork())) {
-+ /* child */
-+ close(pipes[0]);
-+ dup2(pipes[1], STDOUT_FILENO);
-+ close(pipes[1]);
-+ unsetenv("MALLOC_CHECK_");
-+ execl(cmd, cmd, "--verify", path, (char *) NULL);
-+ }
-+ /* parent */
-+ close(pipes[1]);
-+ *fd = pipes[0];
-+ return pid;
-+
-+}
-+
-+#endif
-+
- void md_init_fail(const char* s,db_line* db,byte** hash,DB_ATTR_TYPE i) {
- error(0,"Message digest %s initialise failed\nDisabling %s for file %s\n",s,s,db->filename);
- db->attr=db->attr&(~i);
-@@ -121,6 +201,9 @@ void calc_md(struct AIDE_STAT_TYPE* old_
- struct AIDE_STAT_TYPE fs;
- int sres=0;
- int stat_diff,filedes;
-+#ifdef WITH_PRELINK
-+ pid_t pid;
-+#endif
- 
- error(255,"calc_md called\n");
- #ifdef _PARAMETER_CHECK_
-@@ -166,6 
+249,22 @@ void calc_md(struct AIDE_STAT_TYPE* old_ - /* - Now we have a 'valid' filehandle to read from a file. - */ -+ -+#ifdef WITH_PRELINK -+ /* -+ * Let's take care of prelinked libraries/binaries -+ */ -+ pid=0; -+ if ( is_prelinked(filedes) ) { -+ close(filedes); -+ pid = open_prelinked(line->filename, &filedes); -+ if (pid == 0) { -+ error(0, "Error on starting prelink undo\n"); -+ return; -+ } -+ } -+#endif -+ - off_t r_size=0; - off_t size=0; - char* buf; -@@ -176,47 +275,58 @@ void calc_md(struct AIDE_STAT_TYPE* old_ - - if (init_md(&mdc)==RETOK) { - #ifdef HAVE_MMAP -- off_t curpos=0; -+#ifdef WITH_PRELINK -+ if (pid == 0) { -+#endif -+ off_t curpos=0; - -- r_size=fs.st_size; -- /* in mmap branch r_size is used as size remaining */ -- while(r_size>0){ -- if(r_size0){ -+ if(r_sizefilename,strerror(errno)); -- close(filedes); -- close_md(&mdc); -- return; -- } -- conf->catch_mmap=1; -- if (update_md(&mdc,buf,size)!=RETOK) { -- error(0,"Message digest failed during update\n"); -- close_md(&mdc); -- munmap(buf,size); -- return; -- } -- munmap(buf,size); -- conf->catch_mmap=0; -+ curpos+=MMAP_BLOCK_SIZE; -+ size=MMAP_BLOCK_SIZE; -+ r_size-=MMAP_BLOCK_SIZE; -+ } -+ if ( buf == MAP_FAILED ) { -+ error(0,"error mmap'ing %s: %s\n", line->filename,strerror(errno)); -+ close(filedes); -+ close_md(&mdc); -+ return; -+ } -+ conf->catch_mmap=1; -+ if (update_md(&mdc,buf,size)!=RETOK) { -+ error(0,"Message digest failed during update\n"); -+ close_md(&mdc); -+ munmap(buf,size); -+ return; -+ } -+ munmap(buf,size); -+ conf->catch_mmap=0; -+ } -+ /* we have used MMAP, let's return */ -+ close_md(&mdc); -+ md2line(&mdc,line); -+ close(filedes); -+ return; -+#ifdef WITH_PRELINK - } --#else /* not HAVE_MMAP */ -+#endif -+#endif /* not HAVE_MMAP */ - buf=malloc(READ_BLOCK_SIZE); - #if READ_BLOCK_SIZE>SSIZE_MAX - #error "READ_BLOCK_SIZE" is too large. 
Max value is SSIZE_MAX, and current is READ_BLOCK_SIZE
-@@ -229,11 +339,22 @@ void calc_md(struct AIDE_STAT_TYPE* old_
- }
- r_size+=size;
- }
-+
-+#ifdef WITH_PRELINK
-+ if (pid) {
-+ int status;
-+ (void) waitpid(pid, &status, 0);
-+ if (!WIFEXITED(status) || WEXITSTATUS(status)) {
-+ error(0, "Error on exit of prelink child process\n");
-+ close_md(&mdc);
-+ return;
-+ }
-+ }
-+#endif
- free(buf);
--#endif /* HAVE_MMAP else branch */
- close_md(&mdc);
- md2line(&mdc,line);
--
-+
- } else {
- error(3,"Message digest initialization failed.\n");
- no_hash(line);
-diff -up aide-0.13.1/src/Makefile.am.prelink aide-0.13.1/src/Makefile.am
---- aide-0.13.1/src/Makefile.am.prelink 2006-10-27 23:10:38.000000000 +0200
-+++ aide-0.13.1/src/Makefile.am 2009-05-13 16:14:49.000000000 +0200
-@@ -50,7 +50,7 @@ aide_SOURCES = \
- 
- INCLUDES = -I$(top_srcdir)/include
- 
--LDADD = -lm @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@
-+LDADD = -lm @CRYPTLIB@ @ACLLIB@ @SELINUXLIB@ @AUDITLIB@ @ATTRLIB@ @ELFLIB@
- 
- AM_LDFLAGS = @LDFLAGS@ @LD_STATIC_FLAG@
- 
diff --git a/aide.spec b/aide.spec
index 704abdc..7a74a7f 100644
--- a/aide.spec
+++ b/aide.spec
@@ -14,7 +14,7 @@ Source2: README.quickstart
 Source3: aide.logrotate
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
 BuildRequires: mktemp
-BuildRequires: prelink autoconf automake elfutils-libelf-devel
+BuildRequires: prelink elfutils-libelf-devel
 %if 0%{?rhel} == 0
 Buildrequires: mhash-devel
 %endif
diff --git a/sources b/sources
index 770e9a0..448638b 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-eb724c089677d634a02d015ef943522c aide-0.13.1.tar.gz.asc
-27978cc6bca4f0fbf3f6f5a1b330661c aide-0.13.1.tar.gz
+5af59a71e77df0f9b444d8e56a044abd aide-0.14-rc1.tar.gz.asc
+e13d4ef4fbd6558c5026306cba556803 aide-0.14-rc1.tar.gz
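Review bot: The aide.spec hunk keeps `BuildRequires: prelink elfutils-libelf-devel` while the same commit deletes aide-0.13.1-prelink2.patch (the `--with-prelink` configure option, `is_prelinked`/`open_prelinked` and the `@ELFLIB@` link) and aide-0.13.1-libgrypt-init.patch (`gcry_check_version` plus `GCRYCTL_INITIALIZATION_FINISHED` before `gcry_md_open`), and nothing visible here shows that 0.14-rc1 carries either natively. If it does not, AIDE silently goes back to hashing the on-disk prelinked image and to calling libgcrypt without the initialization the dropped patch added, while the prelink build dependency becomes dead weight; if it does, the dependency is justified only when `%configure` passes `--with-prelink`. The `%prep`/`%configure` lines and the `%patch` removals that would settle this are outside the hunk. I would confirm both against the 0.14-rc1 tarball and record the outcome in the spec changelog, e.g. `- 0.14-rc1: prelink and libgcrypt-init patches merged upstream, autoreconf no longer needed`.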