From 50f90c5410c30d5a28d6fb1568677b312a237908 Mon Sep 17 00:00:00 2001
From: openeuler_eason
Date: Fri, 10 Jan 2020 15:46:55 +0800
Subject: [PATCH] aide: clean code
---
 README.quickstart | 40 ---------------
 aide-0.16b1-fipsfix.patch | 103 -------------------------------------
 aide-0.16rc1-man.patch | 15 ------
 aide.conf | 48 ------------------
 aide.logrotate | 1 +
 aide.spec | 14 +++---
 6 files changed, 9 insertions(+), 212 deletions(-)
 delete mode 100644 README.quickstart
 delete mode 100644 aide-0.16b1-fipsfix.patch
 delete mode 100644 aide-0.16rc1-man.patch
diff --git a/README.quickstart b/README.quickstart
deleted file mode 100644
index 87adc63..0000000
--- a/README.quickstart
+++ /dev/null
@@ -1,40 +0,0 @@ -1) Customize /etc/aide.conf to your liking. In particular, add - important directories and files which you would like to be - covered by integrity checks. Avoid files which are expected - to change frequently or which don't affect the safety of your - system. - -2) Run "/usr/sbin/aide --init" to build the initial database. - With the default setup, that creates /var/lib/aide/aide.db.new.gz - -3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz - in a secure location, e.g. on separate read-only media (such as - CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures - of those files in a secure location, so you have means to verify - that nobody modified those files. - -4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz - which is the location of the input database. - -5) Run "/usr/sbin/aide --check" to check your system for inconsistencies - compared with the AIDE database. Prior to running a check manually, - ensure that the AIDE binary and database have not been modified - without your knowledge. - - Caution! - - With the default setup, an AIDE check is not run periodically as a - cron job. It cannot be guaranteed that the AIDE binaries, config - file and database are intact. It is not recommended that you run - automated AIDE checks without verifying AIDE yourself frequently. - In addition to that, AIDE does not implement any password or - encryption protection for its own files. - - It is up to you how to put a file integrity checker to good effect - and how to set up automated checks if you think it adds a level of - safety (e.g. detecting failed/incomplete compromises or unauthorized - modification of special files). On a compromised system, the - intruder could disable the automated check. Or he could replace the - AIDE binary, config file and database easily when they are not - located on read-only media. - 
diff --git a/aide-0.16b1-fipsfix.patch b/aide-0.16b1-fipsfix.patch
deleted file mode 100644
index 434d74e..0000000
--- a/aide-0.16b1-fipsfix.patch
+++ /dev/null
@@ -1,103 +0,0 @@ -diff -up ./src/aide.c.orig ./aide-0.16b1/src/aide.c ---- ./src/aide.c.orig 2016-07-12 11:10:08.013158385 +0200 -+++ ./src/aide.c 2016-07-12 11:30:54.867833064 +0200 -@@ -511,9 +511,28 @@ int main(int argc,char**argv) - #endif - umask(0177); - init_sighandler(); -- - setdefaults_before_config(); - -+#if WITH_GCRYPT -+ error(255,"Gcrypt library initialization\n"); -+ /* -+ * Initialize libgcrypt as per -+ * http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html -+ * -+ * -+ */ -+ gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0); -+ gcry_control(GCRYCTL_INIT_SECMEM, 1); -+ -+ if(!gcry_check_version(GCRYPT_VERSION)) { -+ error(0,"libgcrypt version mismatch\n"); -+ exit(VERSION_MISMATCH_ERROR); -+ } -+ -+ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); -+#endif /* WITH_GCRYPT */ -+ -+ - if(read_param(argc,argv)==RETFAIL){ - error(0, _("Invalid argument\n") ); - exit(INVALID_ARGUMENT_ERROR); -@@ -646,6 +665,9 @@ int main(int argc,char**argv) - } - #endif - } -+#ifdef WITH_GCRYPT -+ gcry_control(GCRYCTL_TERM_SECMEM, 0); -+#endif /* WITH_GCRYPT */ - return RETOK; - } - const char* aide_key_3=CONFHMACKEY_03; -diff -up ./src/md.c.orig ./aide-0.16b1/src/md.c ---- ./src/md.c.orig 2016-04-15 23:30:16.000000000 +0200 -+++ ./src/md.c 2016-07-12 11:35:04.007675329 +0200 -@@ -201,14 +201,7 @@ int init_md(struct md_container* md) { - } - #endif - #ifdef WITH_GCRYPT -- error(255,"Gcrypt library initialization\n"); -- if(!gcry_check_version(GCRYPT_VERSION)) { -- error(0,"libgcrypt version mismatch\n"); -- exit(VERSION_MISMATCH_ERROR); -- } -- gcry_control(GCRYCTL_DISABLE_SECMEM, 0); -- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); -- if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){ -+ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){ - error(0,"gcrypt_md_open failed\n"); - exit(IO_ERROR); - } -@@ -299,7 +292,7 @@ int close_md(struct md_container* md) { - - /*. There might be more hashes in the library. 
Add those here.. */ - -- gcry_md_reset(md->mdh); -+ gcry_md_close(md->mdh); - #endif - - #ifdef WITH_MHASH -diff -up ./src/util.c.orig ./aide-0.16b1/src/util.c ---- ./src/util.c.orig 2016-07-12 11:39:17.023437355 +0200 -+++ ./src/util.c 2016-07-12 11:39:51.618721157 +0200 -@@ -519,28 +519,5 @@ int syslog_facility_lookup(char *s) - return(AIDE_SYSLOG_FACILITY); - } - --/* We need these dummy stubs to fool the linker into believing that -- we do not need them at link time */ -- --void* dlopen(char*filename,int flag) --{ -- return NULL; --} -- --void* dlsym(void*handle,char*symbol) --{ -- return NULL; --} -- --void* dlclose(void*handle) --{ -- return NULL; --} -- --const char* dlerror(void) --{ -- return NULL; --} -- - const char* aide_key_2=CONFHMACKEY_02; - const char* db_key_2=DBHMACKEY_02; diff --git a/aide-0.16rc1-man.patch b/aide-0.16rc1-man.patch deleted file mode 100644 index 4715552..0000000 --- a/aide-0.16rc1-man.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up ./doc/aide.1.in.orig ./doc/aide.1.in ---- ./doc/aide.1.in.orig 2016-07-12 16:10:01.724595895 +0200 -+++ ./doc/aide.1.in 2016-07-12 16:06:21.968639822 +0200 -@@ -103,9 +103,9 @@ echo | base64 \-d | h - .SH FILES - .IP \fB@sysconfdir@/aide.conf\fR - Default aide configuration file. --.IP \fB@sysconfdir@/aide.db\fR -+.IP \fB@localstatedir@/lib/aide/aide.db\fR - Default aide database. --.IP \fB@sysconfdir@/aide.db.new\fR -+.IP \fB@localstatedir@/lib/aide/aide.db.new\fR - Default aide output database. - .SH SEE ALSO - .BR aide.conf (5) diff --git a/aide.conf b/aide.conf index cd95c01..ef08948 100644 --- a/aide.conf +++ b/aide.conf @@ -7,8 +7,6 @@ database=file:@@{DBDIR}/aide.db.gz # The location of the database to be written. -#database_out=sql:host:port:database:login_name:passwd:table -#database_out=file:aide.db.new database_out=file:@@{DBDIR}/aide.db.new.gz # Whether to gzip the output to database 
@@ -19,54 +17,15 @@ verbose=5 report_url=file:@@{LOGDIR}/aide.log report_url=stdout -#report_url=stderr -#NOT IMPLEMENTED report_url=mailto:root@foo.com -#NOT IMPLEMENTED report_url=syslog:LOG_AUTH - -# These are the default rules. -# -#p: permissions -#i: inode: -#n: number of links -#u: user -#g: group -#s: size -#b: block count -#m: mtime -#a: atime -#c: ctime -#S: check for growing size -#acl: Access Control Lists -#selinux SELinux security context -#xattrs: Extended file attributes -#md5: md5 checksum -#sha1: sha1 checksum -#sha256: sha256 checksum -#sha512: sha512 checksum -#rmd160: rmd160 checksum -#tiger: tiger checksum - -#haval: haval checksum (MHASH only) -#gost: gost checksum (MHASH only) -#crc32: crc32 checksum (MHASH only) -#whirlpool: whirlpool checksum (MHASH only) FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256 -#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5 -#L: p+i+n+u+g+acl+selinux+xattrs -#E: Empty group -#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs - # You can create custom rules like this. -# With MHASH... -# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32 ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger # Everything but access time (Ie. all changes) EVERYTHING = R+ALLXTRAHASHES # Sane, with multiple hashes -# NORMAL = R+rmd160+sha256+whirlpool NORMAL = FIPSR+sha512 # For directories, don't bother doing hashes @@ -155,7 +114,6 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 # LSPP rules... # AIDE produces an audit record, so this becomes perpetual motion. -# /var/log/audit/ LSPP /etc/audit/ LSPP /etc/libaudit.conf LSPP /usr/sbin/stunnel LSPP @@ -210,12 +168,6 @@ DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256 /etc/cups LSPP -# With AIDE's default verbosity level of 5, these would give lots of -# warnings upon tree traversal. It might change with future version. -# -#=/lost\+found DIR -#=/home DIR - # Ditto /var/log/sa reason... !/var/log/and-httpd 
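Review bot: The second aide.conf hunk deletes the legend for the rule letters (`p`, `i`, `n`, `u`, `g`, `s`, `m`, `c`, `S`, `E`, `>` and the hash names) while the `FIPSR`, `ALLXTRAHASHES` and `DATAONLY` definitions that remain are written in exactly those letters, so an administrator editing this file no longer has the meaning of `S`, `E` or `>` in front of them. Since the legend is gone, leave a one-line pointer in its place, e.g. `# Rule letters and the built-in groups R, L, E and > are described in aide.conf(5).`, so the remaining rule definitions stay self-explanatory. The `# /var/log/audit/ LSPP` and `#=/home DIR` removals in the later hunks are commented-out entries and need nothing.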
diff --git a/aide.logrotate b/aide.logrotate
index 614c6a6..8e45f8c 100644
--- a/aide.logrotate
+++ b/aide.logrotate
@@ -1,4 +1,5 @@
 /var/log/aide/*.log {
+ maxage 365
 weekly
 missingok
 rotate 4
diff --git a/aide.spec b/aide.spec
index 2ea2208..e6560c2 100644
--- a/aide.spec
+++ b/aide.spec
@@ -1,19 +1,16 @@
 Name: aide
 Version: 0.16
-Release: 14
+Release: 15
 Summary: Advanced Intrusion Detection Environment
 License: GPLv2+
 URL: http://sourceforge.net/projects/aide
 Source0: http://sourceforge.net/projects/aide/files/aide/%{version}/%{name}-%{version}.tar.gz
 Source1: aide.conf
-Source2: README.quickstart
 Source3: aide.logrotate
 BuildRequires: gcc make bison flex pcre-devel libgpg-error-devel libgcrypt-devel zlib-devel libcurl-devel
 BuildRequires: libacl-devel libselinux-devel libattr-devel e2fsprogs-devel audit-libs-devel git
-Patch1: aide-0.16rc1-man.patch
-Patch2: aide-0.16b1-fipsfix.patch
 Patch6000: aide-define_hash_use_gcrypt.patch
 Patch6001: Fix-short-form-of-limit-parameter.patch
 Patch6002: Fix-root_prefix-option.patch
@@ -39,7 +36,6 @@ make %{?_smp_mflags}
 %install
 %make_install bindir=%{_sbindir}
 install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:1}
-install -Dpm0644 -t %{buildroot}%{_datadir}/doc/aide-help %{S:2}
 install -Dpm0644 -t %{buildroot}%{_sysconfdir}/logrotate.d/aide %{S:3}
 mkdir -p %{buildroot}%{_localstatedir}/log/aide
 mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
@@ -64,10 +60,16 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
 %files help
 %defattr(-,root,root)
-%doc NEWS README doc/manual.html README.quickstart
+%doc NEWS README doc/manual.html
 %{_mandir}/*/*
 %changelog
+* Fri Jan 10 2020 openEuler Buildteam - 0.16-15
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC: clean code
+
 * Wed Oct 9 2019 openEuler Buildteam - 0.16-14
 - Type:enhancement
 - ID:NA
-- Gitee
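Review bot: `maxage 365` on the added line is effectively unreachable next to the existing `weekly` and `rotate 4`, because the fourth weekly rotation already discards the oldest copy after about a month, and logrotate, as far as I recall its manual, only evaluates maxage at the moment a file is being rotated. If a one-year retention of the integrity-check reports is the intent, `rotate 4` is the setting that contradicts it and should be raised; otherwise drop the line or keep it with a comment such as `# maxage is a safety net in case rotate is raised later`.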
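Review bot: Dropping `Patch2: aide-0.16b1-fipsfix.patch` in the first aide.spec hunk is a runtime behaviour change, not a clean-up: the patch deleted earlier in this commit moved libgcrypt initialisation into main() with `GCRYCTL_SET_ENFORCED_FIPS_FLAG` and `GCRYCTL_INIT_SECMEM`, opened digests with `GCRY_MD_FLAG_SECURE`, and replaced `gcry_md_reset` with `gcry_md_close` in close_md, so the unpatched sources fall back to the per-container init in init_md that calls `GCRYCTL_DISABLE_SECMEM`. Unless that initialisation has been carried into Patch6000 (not visible here), the enforced-FIPS flag and secure-memory handling of digest state are silently lost, and the changelog line `- DESC: clean code` should name the dropped patch and the reason. Dropping `Patch1: aide-0.16rc1-man.patch` likewise reverts the man page FILES section to `@sysconfdir@/aide.db` while %install still creates the database directory under `%{_localstatedir}/lib/aide`, so either keep that patch or record the documented-path mismatch in the changelog.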