!1 aide: clean code

Merge pull request !1 from guoxiaoqi/local
2020-01-11 17:37:59 +08:00 · 2020-01-11 17:37:59 +08:00 · 934d7870f8
commit 934d7870f8
parent 099799f1fe 50f90c5410
6 changed files with 9 additions and 212 deletions
--- a/README.quickstart
+++ b/README.quickstart
@ -1,40 +0,0 @@
-1) Customize /etc/aide.conf to your liking. In particular, add
-   important directories and files which you would like to be
-   covered by integrity checks. Avoid files which are expected
-   to change frequently or which don't affect the safety of your
-   system.
-
-2) Run "/usr/sbin/aide --init" to build the initial database.
-   With the default setup, that creates /var/lib/aide/aide.db.new.gz
-
-3) Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz
-   in a secure location, e.g. on separate read-only media (such as
-   CD-ROM). Alternatively, keep MD5 fingerprints or GPG signatures
-   of those files in a secure location, so you have means to verify
-   that nobody modified those files.
-
-4) Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
-   which is the location of the input database.
-
-5) Run "/usr/sbin/aide --check" to check your system for inconsistencies
-   compared with the AIDE database. Prior to running a check manually,
-   ensure that the AIDE binary and database have not been modified
-   without your knowledge.
-   
-   Caution! 
-   
-   With the default setup, an AIDE check is not run periodically as a
-   cron job. It cannot be guaranteed that the AIDE binaries, config
-   file and database are intact. It is not recommended that you run
-   automated AIDE checks without verifying AIDE yourself frequently.
-   In addition to that, AIDE does not implement any password or
-   encryption protection for its own files.
-   
-   It is up to you how to put a file integrity checker to good effect
-   and how to set up automated checks if you think it adds a level of
-   safety (e.g. detecting failed/incomplete compromises or unauthorized
-   modification of special files). On a compromised system, the
-   intruder could disable the automated check. Or he could replace the
-   AIDE binary, config file and database easily when they are not
-   located on read-only media. 
-
--- a/aide-0.16b1-fipsfix.patch
+++ b/aide-0.16b1-fipsfix.patch
@ -1,103 +0,0 @@
-diff -up ./src/aide.c.orig ./aide-0.16b1/src/aide.c
--- ./src/aide.c.orig	2016-07-12 11:10:08.013158385 +0200
-+++ ./src/aide.c	2016-07-12 11:30:54.867833064 +0200
-@@ -511,9 +511,28 @@ int main(int argc,char**argv)
- #endif
-   umask(0177);
-   init_sighandler();
-
-   setdefaults_before_config();
- 
-+#if WITH_GCRYPT
-+  error(255,"Gcrypt library initialization\n");
-+  /*
-+   *  Initialize libgcrypt as per
-+   *  http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
-+   *
-+   *
-+   */
-+  gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0);
-+  gcry_control(GCRYCTL_INIT_SECMEM, 1);
-+
-+  if(!gcry_check_version(GCRYPT_VERSION)) {
-+      error(0,"libgcrypt version mismatch\n");
-+      exit(VERSION_MISMATCH_ERROR);
-+  }
-+
-+  gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
-+#endif /* WITH_GCRYPT */
-+
-+
-   if(read_param(argc,argv)==RETFAIL){
-     error(0, _("Invalid argument\n") );
-     exit(INVALID_ARGUMENT_ERROR);
-@@ -646,6 +665,9 @@ int main(int argc,char**argv)
-     }
- #endif
-   }
-+#ifdef WITH_GCRYPT
-+  gcry_control(GCRYCTL_TERM_SECMEM, 0);
-+#endif /* WITH_GCRYPT */
-   return RETOK;
- }
- const char* aide_key_3=CONFHMACKEY_03;
-diff -up ./src/md.c.orig ./aide-0.16b1/src/md.c
--- ./src/md.c.orig	2016-04-15 23:30:16.000000000 +0200
-+++ ./src/md.c	2016-07-12 11:35:04.007675329 +0200
-@@ -201,14 +201,7 @@ int init_md(struct md_container* md) {
-   }
- #endif 
- #ifdef WITH_GCRYPT
-  error(255,"Gcrypt library initialization\n");
-  	if(!gcry_check_version(GCRYPT_VERSION)) {
-		error(0,"libgcrypt version mismatch\n");
-		exit(VERSION_MISMATCH_ERROR);
-	}
-	gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
-	gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
-	if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){
-+        if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
- 		error(0,"gcrypt_md_open failed\n");
- 		exit(IO_ERROR);
- 	}
-@@ -299,7 +292,7 @@ int close_md(struct md_container* md) {
-   
-   /*.    There might be more hashes in the library. Add those here..   */
-   
-  gcry_md_reset(md->mdh);
-+  gcry_md_close(md->mdh);
- #endif  
- 
- #ifdef WITH_MHASH
-diff -up ./src/util.c.orig ./aide-0.16b1/src/util.c
--- ./src/util.c.orig	2016-07-12 11:39:17.023437355 +0200
-+++ ./src/util.c	2016-07-12 11:39:51.618721157 +0200
-@@ -519,28 +519,5 @@ int syslog_facility_lookup(char *s)
- 	return(AIDE_SYSLOG_FACILITY);
- }
- 
-/* We need these dummy stubs to fool the linker into believing that
-   we do not need them at link time */
-
-void* dlopen(char*filename,int flag)
-{
-  return NULL;
-}
-
-void* dlsym(void*handle,char*symbol)
-{
-  return NULL;
-}
-
-void* dlclose(void*handle)
-{
-  return NULL;
-}
-
-const char* dlerror(void)
-{
-  return NULL;
-}
-
- const char* aide_key_2=CONFHMACKEY_02;
- const char* db_key_2=DBHMACKEY_02;
--- a/aide-0.16rc1-man.patch
+++ b/aide-0.16rc1-man.patch
@ -1,15 +0,0 @@
-diff -up ./doc/aide.1.in.orig ./doc/aide.1.in
--- ./doc/aide.1.in.orig	2016-07-12 16:10:01.724595895 +0200
-+++ ./doc/aide.1.in	2016-07-12 16:06:21.968639822 +0200
-@@ -103,9 +103,9 @@ echo <encoded_checksum> | base64 \-d | h
- .SH FILES
- .IP \fB@sysconfdir@/aide.conf\fR
- Default aide configuration file.
-.IP \fB@sysconfdir@/aide.db\fR
-+.IP \fB@localstatedir@/lib/aide/aide.db\fR
- Default aide database.
-.IP \fB@sysconfdir@/aide.db.new\fR
-+.IP \fB@localstatedir@/lib/aide/aide.db.new\fR
- Default aide output database.
- .SH SEE ALSO
- .BR aide.conf (5)
--- a/aide.conf
+++ b/aide.conf
@ -7,8 +7,6 @@
 database=file:@@{DBDIR}/aide.db.gz

 # The location of the database to be written.
-#database_out=sql:host:port:database:login_name:passwd:table
-#database_out=file:aide.db.new
 database_out=file:@@{DBDIR}/aide.db.new.gz

 # Whether to gzip the output to database
@ -19,54 +17,15 @@ verbose=5

 report_url=file:@@{LOGDIR}/aide.log
 report_url=stdout
-#report_url=stderr
-#NOT IMPLEMENTED report_url=mailto:root@foo.com
-#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
-
-# These are the default rules.
-#
-#p:      permissions
-#i:      inode:
-#n:      number of links
-#u:      user
-#g:      group
-#s:      size
-#b:      block count
-#m:      mtime
-#a:      atime
-#c:      ctime
-#S:      check for growing size
-#acl:           Access Control Lists
-#selinux        SELinux security context
-#xattrs:        Extended file attributes
-#md5:    md5 checksum
-#sha1:   sha1 checksum
-#sha256:        sha256 checksum
-#sha512:        sha512 checksum
-#rmd160: rmd160 checksum
-#tiger:  tiger checksum
-
-#haval:  haval checksum (MHASH only)
-#gost:   gost checksum (MHASH only)
-#crc32:  crc32 checksum (MHASH only)
-#whirlpool:     whirlpool checksum (MHASH only)

 FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256

-#R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
-#L:             p+i+n+u+g+acl+selinux+xattrs
-#E:             Empty group
-#>:             Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
-
 # You can create custom rules like this.
-# With MHASH...
-# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
 ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
 # Everything but access time (Ie. all changes)
 EVERYTHING = R+ALLXTRAHASHES

 # Sane, with multiple hashes
-# NORMAL = R+rmd160+sha256+whirlpool
 NORMAL = FIPSR+sha512

 # For directories, don't bother doing hashes
@ -155,7 +114,6 @@ DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256

 # LSPP rules...
 # AIDE produces an audit record, so this becomes perpetual motion.
-# /var/log/audit/ LSPP
 /etc/audit/ LSPP
 /etc/libaudit.conf LSPP
 /usr/sbin/stunnel LSPP
@ -210,12 +168,6 @@ DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256

 /etc/cups LSPP

-# With AIDE's default verbosity level of 5, these would give lots of
-# warnings upon tree traversal. It might change with future version.
-#
-#=/lost\+found    DIR
-#=/home           DIR
-
 # Ditto /var/log/sa reason...
 !/var/log/and-httpd

--- a/aide.logrotate
+++ b/aide.logrotate
@ -1,4 +1,5 @@
 /var/log/aide/*.log {
+	maxage 365
        weekly
        missingok
        rotate 4
--- a/aide.spec
+++ b/aide.spec
@ -1,19 +1,16 @@
 Name:       aide
 Version:    0.16
-Release:    14
+Release:    15
 Summary:    Advanced Intrusion Detection Environment
 License:    GPLv2+
 URL:        http://sourceforge.net/projects/aide
 Source0:    http://sourceforge.net/projects/aide/files/aide/%{version}/%{name}-%{version}.tar.gz
 Source1:    aide.conf
-Source2:    README.quickstart
 Source3:    aide.logrotate

 BuildRequires:  gcc make bison flex pcre-devel libgpg-error-devel libgcrypt-devel zlib-devel libcurl-devel
 BuildRequires:  libacl-devel libselinux-devel libattr-devel e2fsprogs-devel audit-libs-devel git

-Patch1:  aide-0.16rc1-man.patch
-Patch2:  aide-0.16b1-fipsfix.patch
 Patch6000:  aide-define_hash_use_gcrypt.patch
 Patch6001:  Fix-short-form-of-limit-parameter.patch
 Patch6002:  Fix-root_prefix-option.patch
@ -39,7 +36,6 @@ make %{?_smp_mflags}
 %install
 %make_install bindir=%{_sbindir}
 install -Dpm0644 -t %{buildroot}%{_sysconfdir} %{S:1}
-install -Dpm0644 -t %{buildroot}%{_datadir}/doc/aide-help %{S:2}
 install -Dpm0644 -t %{buildroot}%{_sysconfdir}/logrotate.d/aide %{S:3}
 mkdir -p %{buildroot}%{_localstatedir}/log/aide
 mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide
@ -64,10 +60,16 @@ mkdir -p -m0700 %{buildroot}%{_localstatedir}/lib/aide

 %files help
 %defattr(-,root,root)
-%doc NEWS README doc/manual.html README.quickstart
+%doc NEWS README doc/manual.html
 %{_mandir}/*/*

 %changelog
+* Fri Jan 10 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.16-15
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC: clean code
+
 * Wed Oct 9 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.16-14
 - Type:enhancement
 - ID:NA