aide: clean code

2020-01-10 15:46:55 +08:00 · 2020-01-10 15:46:55 +08:00 · 50f90c5410
commit 50f90c5410
parent 099799f1fe
6 changed files with 9 additions and 212 deletions
--- a/README.quickstart
+++ b/README.quickstart
@ -1,40 +0,0 @@
 1) Customize /etc/aide.conf to your liking. In particular, add
   important directories and files which you would like to be
   covered by integrity checks. Avoid files which are expected
   to change frequently or which don't affect the safety of your
   system.
 2) Run "/usr/sbin/aide --init" to build the initial database.
   With the default setup, that creates /var/lib/aide/aide.db.new.gz
 3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
   in a secure location, e.g. on separate read-only media (such as
   CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures
   of those files in a secure location, so you have means to verify
   that nobody modified those files.
 4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
   which is the location of the input database.
 5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
   compared with the AIDE database. Prior to running a check manually,
   ensure that the AIDE binary and database have not been modified
   without your knowledge.
   Caution! 
   With the default setup, an AIDE check is not run periodically as a
   cron job. It cannot be guaranteed that the AIDE binaries, config
   file and database are intact. It is not recommended that you run
   automated AIDE checks without verifying AIDE yourself frequently.
   In addition to that, AIDE does not implement any password or
   encryption protection for its own files.
   It is up to you how to put a file integrity checker to good effect
   and how to set up automated checks if you think it adds a level of
   safety (e.g. detecting failed/incomplete compromises or unauthorized
   modification of special files). On a compromised system, the
   intruder could disable the automated check. Or he could replace the
   AIDE binary, config file and database easily when they are not
   located on read-only media. 
--- a/aide-0.16b1-fipsfix.patch
+++ b/aide-0.16b1-fipsfix.patch
@ -1,103 +0,0 @@
 diff -up ./src/aide.c.orig ./aide-0.16b1/src/aide.c
 --- ./src/aide.c.orig	2016-07-12 11:10:08.013158385 +0200
 +++ ./src/aide.c	2016-07-12 11:30:54.867833064 +0200
@@ -511,9 +511,28 @@ int main(int argc,char**argv)
 #endif
   umask(0177);
   init_sighandler();
 -
   setdefaults_before_config();
 +#if WITH_GCRYPT
 +  error(255,"Gcrypt library initialization\n");
 +  /*
 +   *  Initialize libgcrypt as per
 +   *  http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
 +   *
 +   *
 +   */
 +  gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0);
 +  gcry_control(GCRYCTL_INIT_SECMEM, 1);
 +
 +  if(!gcry_check_version(GCRYPT_VERSION)) {
 +      error(0,"libgcrypt version mismatch\n");
 +      exit(VERSION_MISMATCH_ERROR);
 +  }
 +
 +  gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
 +#endif /* WITH_GCRYPT */
 +
 +
   if(read_param(argc,argv)==RETFAIL){
     error(0, _("Invalid argument\n") );
     exit(INVALID_ARGUMENT_ERROR);
@@ -646,6 +665,9 @@ int main(int argc,char**argv)
     }
 #endif
   }
 +#ifdef WITH_GCRYPT
 +  gcry_control(GCRYCTL_TERM_SECMEM, 0);
 +#endif /* WITH_GCRYPT */
   return RETOK;
 }
 const char* aide_key_3=CONFHMACKEY_03;
 diff -up ./src/md.c.orig ./aide-0.16b1/src/md.c
 --- ./src/md.c.orig	2016-04-15 23:30:16.000000000 +0200
 +++ ./src/md.c	2016-07-12 11:35:04.007675329 +0200
@@ -201,14 +201,7 @@ int init_md(struct md_container* md) {
   }
 #endif 
 #ifdef WITH_GCRYPT
 -  error(255,"Gcrypt library initialization\n");
 -  	if(!gcry_check_version(GCRYPT_VERSION)) {
 -		error(0,"libgcrypt version mismatch\n");
 -		exit(VERSION_MISMATCH_ERROR);
 -	}
 -	gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
 -	gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
 -	if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){
 +        if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
 		error(0,"gcrypt_md_open failed\n");
 		exit(IO_ERROR);
 	}
@@ -299,7 +292,7 @@ int close_md(struct md_container* md) {
   /*.    There might be more hashes in the library. Add those here..   */
 -  gcry_md_reset(md->mdh);
 +  gcry_md_close(md->mdh);
 #endif  
 #ifdef WITH_MHASH
 diff -up ./src/util.c.orig ./aide-0.16b1/src/util.c
 --- ./src/util.c.orig	2016-07-12 11:39:17.023437355 +0200
 +++ ./src/util.c	2016-07-12 11:39:51.618721157 +0200
@@ -519,28 +519,5 @@ int syslog_facility_lookup(char *s)
 	return(AIDE_SYSLOG_FACILITY);
 }
 -/* We need these dummy stubs to fool the linker into believing that
 -   we do not need them at link time */
 -
 -void* dlopen(char*filename,int flag)
 -{
 -  return NULL;
 -}
 -
 -void* dlsym(void*handle,char*symbol)
 -{
 -  return NULL;
 -}
 -
 -void* dlclose(void*handle)
 -{
 -  return NULL;
 -}
 -
 -const char* dlerror(void)
 -{
 -  return NULL;
 -}
 -
 const char* aide_key_2=CONFHMACKEY_02;
 const char* db_key_2=DBHMACKEY_02;
--- a/aide-0.16rc1-man.patch
+++ b/aide-0.16rc1-man.patch
@ -1,15 +0,0 @@
 diff -up ./doc/aide.1.in.orig ./doc/aide.1.in
 --- ./doc/aide.1.in.orig	2016-07-12 16:10:01.724595895 +0200
 +++ ./doc/aide.1.in	2016-07-12 16:06:21.968639822 +0200
@@ -103,9 +103,9 @@ echo <encoded_checksum> | base64 \-d | h
 .SH FILES
 .IP \fB@sysconfdir@/aide.conf\fR
 Default aide configuration file.
 -.IP \fB@sysconfdir@/aide.db\fR
 +.IP \fB@localstatedir@/lib/aide/aide.db\fR
 Default aide database.
 -.IP \fB@sysconfdir@/aide.db.new\fR
 +.IP \fB@localstatedir@/lib/aide/aide.db.new\fR
 Default aide output database.
 .SH SEE ALSO
 .BR aide.conf (5)
--- a/aide.conf
+++ b/aide.conf
@ -7,8 +7,6 @@
 database=file:@@{DBDIR}/aide.db.gz
 # The location of the database to be written.
 #database_out=sql:host:port:database:login_name:passwd:table
 #database_out=file:aide.db.new
 database_out=file:@@{DBDIR}/aide.db.new.gz
 # Whether to gzip the output to database
@ -19,54 +17,15 @@ verbose=5
 report_url=file:@@{LOGDIR}/aide.log
 report_url=stdout
 #report_url=stderr
 #NOT IMPLEMENTED report_url=mailto:root@foo.com
 #NOT IMPLEMENTED report_url=syslog:LOG_AUTH
 # These are the default rules.
 #
 #p:      permissions
 #i:      inode:
 #n:      number of links
 #u:      user
 #g:      group
 #s:      size
 #b:      block count
 #m:      mtime
 #a:      atime
 #c:      ctime
 #S:      check for growing size
 #acl:           Access Control Lists
 #selinux        SELinux security context
 #xattrs:        Extended file attributes
 #md5:    md5 checksum
 #sha1:   sha1 checksum
 #sha256:        sha256 checksum
 #sha512:        sha512 checksum
 #rmd160: rmd160 checksum
 #tiger:  tiger checksum
 #haval:  haval checksum (MHASH only)
 #gost:   gost checksum (MHASH only)
 #crc32:  crc32 checksum (MHASH only)
 #whirlpool:     whirlpool checksum (MHASH only)
 FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
 #R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
 #L:             p+i+n+u+g+acl+selinux+xattrs
 #E:             Empty group
 #>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
 # You can create custom rules like this.
 # With MHASH...
 # ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
 ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
 # Everything but access time (Ie. all changes)
 EVERYTHING = R+ALLXTRAHASHES
 # Sane, with multiple hashes
 # NORMAL = R+rmd160+sha256+whirlpool
 NORMAL = FIPSR+sha512
 # For directories, don't bother doing hashes
@ -155,7 +114,6 @@ DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
 # LSPP rules...
 # AIDE produces an audit record, so this becomes perpetual motion.
 # /var/log/audit/ LSPP
 /etc/audit/ LSPP
 /etc/libaudit.conf LSPP
 /usr/sbin/stunnel LSPP
@ -210,12 +168,6 @@ DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
 /etc/cups LSPP
 # With AIDE's default verbosity level of 5, these would give lots of
 # warnings upon tree traversal. It might change with future version.
 #
 #=/lost\+found    DIR
 #=/home           DIR
 # Ditto /var/log/sa reason...
 !/var/log/and-httpd
--- a/aide.logrotate
+++ b/aide.logrotate
@ -1,4 +1,5 @@
 /var/log/aide/*.log {
 	maxage 365
        weekly
        missingok
        rotate 4
--- a/aide.spec
+++ b/aide.spec
@ -1,19 +1,16 @@
 Name:       aide
 Version:    0.16
-Release:    14
+Release:    15
 Summary:    Advanced Intrusion Detection Environment
 License:    GPLv2+
 URL:        http://sourceforge.net/projects/aide
 Source0:    http://sourceforge.net/projects/aide/files/aide/%{version}/%{name}-%{version}.tar.gz
 Source1:    aide.conf
 Source2:    README.quickstart
 Source3:    aide.logrotate
 BuildRequires:  gcc make bison flex pcre-devel libgpg-error-devel libgcrypt-devel zlib-devel libcurl-devel
 BuildRequires:  libacl-devel libselinux-devel libattr-devel e2fsprogs-devel audit-libs-devel git
 Patch1:  aide-0.16rc1-man.patch
 Patch2:  aide-0.16b1-fipsfix.patch
 Patch6000:  aide-define_hash_use_gcrypt.patch
 Patch6001:  Fix-short-form-of-limit-parameter.patch
 Patch6002:  Fix-root_prefix-option.patch
@ -39,7 +36,6 @@ make %{?_smp_mflags}
 %install
 %make_install bindir=%{_sbindir}
 install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:1}
 install -Dpm0644 -t %{buildroot}%{_datadir}/doc/aide-help %{S:2}
 install -Dpm0644 -t %{buildroot}%{_sysconfdir}/logrotate.d/aide %{S:3}
 mkdir -p %{buildroot}%{_localstatedir}/log/aide
 mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
@ -64,10 +60,16 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
 %files help
 %defattr(-,root,root)
-%doc NEWS README doc/manual.html README.quickstart
+%doc NEWS README doc/manual.html
 %{_mandir}/*/*
 %changelog
 * Fri Jan 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.16-15
 - Type:enhancement
 - ID:NA
 - SUG:NA
 - DESC: clean code
 * Wed Oct 9 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.16-14
 - Type:enhancement
 - ID:NA