diff options
author | V3n3RiX <venerix@koprulu.sector> | 2022-03-20 00:40:44 +0000 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2022-03-20 00:40:44 +0000 |
commit | 4cbcc855382a06088e2f016f62cafdbcb7e40665 (patch) | |
tree | 356496503d52354aa6d9f2d36126302fed5f3a73 /app-forensics/aide/files | |
parent | fcc5224904648a8e6eb528d7603154160a20022f (diff) |
gentoo resync : 20.03.2022
Diffstat (limited to 'app-forensics/aide/files')
-rw-r--r-- | app-forensics/aide/files/aide-0.16-fix-acl-configure-option.patch | 2 | ||||
-rw-r--r-- | app-forensics/aide/files/aide-0.17.4-bashism.patch | 60 | ||||
-rw-r--r-- | app-forensics/aide/files/aide.conf-r2 | 136 | ||||
-rw-r--r-- | app-forensics/aide/files/aide.cron-r2 | 188 |
4 files changed, 386 insertions, 0 deletions
diff --git a/app-forensics/aide/files/aide-0.16-fix-acl-configure-option.patch b/app-forensics/aide/files/aide-0.16-fix-acl-configure-option.patch index a989e379039c..b860b39d73ee 100644 --- a/app-forensics/aide/files/aide-0.16-fix-acl-configure-option.patch +++ b/app-forensics/aide/files/aide-0.16-fix-acl-configure-option.patch @@ -1,3 +1,5 @@ +Fixes upstream in master but not 0.17.x. + commit 3d9746bccbb50809e4c3de90ab5145a17af39aeb Author: Ilya Tumaykin <itumaykin@gmail.com> Date: Thu May 25 14:38:02 2017 +0300 diff --git a/app-forensics/aide/files/aide-0.17.4-bashism.patch b/app-forensics/aide/files/aide-0.17.4-bashism.patch new file mode 100644 index 000000000000..e25463dbf772 --- /dev/null +++ b/app-forensics/aide/files/aide-0.17.4-bashism.patch @@ -0,0 +1,60 @@ +Fixed upstream, so backport to 0.17.4 of +https://github.com/aide/aide/commit/5161886c49060228811eee6da319844ef62dff6d +https://github.com/aide/aide/commit/007eb4f32e8874ce457b4f15d9789c2a9d61731b + +Fixed in master but not 0.17.x. +--- a/configure.ac ++++ b/configure.ac +@@ -329,7 +329,7 @@ fi + AC_CHECK_HEADERS(syslog.h inttypes.h fcntl.h ctype.h) + + PCRELIB="-lpcre" +-if test "$aide_static_choice" == "yes"; then ++if test "$aide_static_choice" = "yes"; then + PCRELIB="$PCRELIB -pthread" + fi + AC_CHECK_LIB(pcre, pcre_exec, [ +@@ -426,14 +426,14 @@ AS_IF([test "x$with_selinux_support" != xno], + AC_DEFINE(WITH_SELINUX,1,[use SELinux]) + [AC_MSG_RESULT(yes) + if test "x$PKG_CONFIG" != xno && $PKG_CONFIG --exists libselinux; then +- if test "$aide_static_choice" == "yes"; then ++ if test "$aide_static_choice" = "yes"; then + SELINUXLIB=$(${PKG_CONFIG} --libs libselinux --static) + else + SELINUXLIB=$(${PKG_CONFIG} --libs libselinux) + fi + else + SELINUXLIB="-lselinux" +- if test "$aide_static_choice" == "yes"; then ++ if test "$aide_static_choice" = "yes"; then + saveLIBS=$LIBS + LIBS="-static $SELINUXLIB" + AC_SEARCH_LIBS([lgetfilecon_raw], [], [], [SELINUXLIB="$SELINUXLIB -lpthread"]) +@@ -555,7 +555,7 @@ AC_ARG_ENABLE([default_db], + [do not set default values for database_in and database_out config options]), + [enable_default_db=$enableval],[enable_default_db=yes]) + +-if test "$enable_default_db" == "yes"; then ++if test "$enable_default_db" = "yes"; then + + if test "x$sysconfdir" != x'${prefix}/etc'; then + evalled_sysconfdir=`eval echo "$sysconfdir"` +@@ -592,7 +592,7 @@ AC_ARG_WITH([curl], + [use curl library for http, https and ftp database backend (default: no)]), + [with_curl=$withval], [with_curl=no]) + AS_IF([test "x$with_curl" = "xyes"], [ +- if test "$aide_static_choice" == "yes"; then ++ if test "$aide_static_choice" = "yes"; then + PKG_CHECK_MODULES_STATIC(CURL, [libcurl], , [AC_MSG_RESULT([libcurl not found by pkg-config - Try --without-curl or add directory containing libcurl.pc to PKG_CONFIG_PATH environment variable])]) + else + PKG_CHECK_MODULES(CURL, [libcurl], , [AC_MSG_RESULT([libcurl not found by pkg-config - Try --without-curl or add directory containing libcurl.pc to PKG_CONFIG_PATH environment variable])]) +@@ -671,7 +671,7 @@ AS_IF([test "x$with_audit" != xno], + AC_MSG_ERROR(You don't have libaudit properly installed. Install it if you need it.) + ) + AUDITLIB="-laudit" +- if test "$aide_static_choice" == "yes"; then ++ if test "$aide_static_choice" = "yes"; then + saveLIBS=$LIBS + LIBS="-static $AUDITLIB" + AC_CHECK_LIB([audit], [audit_log_user_message], [], [ diff --git a/app-forensics/aide/files/aide.conf-r2 b/app-forensics/aide/files/aide.conf-r2 new file mode 100644 index 000000000000..4bce675f7da3 --- /dev/null +++ b/app-forensics/aide/files/aide.conf-r2 @@ -0,0 +1,136 @@ +# Example configuration file for AIDE +# See more: man 5 aide.conf + +database_in=file:/var/lib/aide/aide.db +database_out=file:/var/lib/aide/aide.db.new + +# Change this to "no" or remove it to not gzip output +# (only useful on systems with few CPU cycles to spare) +gzip_dbout=yes + +# Default: warning +#log_level=info + +# Default: changed_attributes +#report_level=added_removed_attributes + +report_url=file:/var/log/aide/aide.log +report_url=stdout +#report_url=stderr + +# Here are all the things we can check - these are the default rules +# +# p: permissions +# ftype: file type +# i: inode +# l: link name +# n: number of links +# u: user +# g: group +# s: size +# b: block count +# m: mtime (modification time) +# a: atime (access time) +# c: ctime (change time) +# S: check for growing size +# I: ignore changed filename +# ANF: allow new files +# ARF: allow removed files +# md5: md5 checksum +# sha1: sha1 checksum +# sha256: sha256 checksum +# sha512: sha512 checksum +# rmd160: rmd160 checksum +# tiger: tiger checksum +# crc32: crc32 checksum +# R: p+ftype+i+l+n+u+g+s+m+c+md5+X +# L: p+ftype+i+l+n+u+g+X +# E: Empty group +# X: acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled) +# >: Growing file p+ftype+l+u+g+i+n+S+X + +# Defines formerly set here have been moved to /etc/default/aide. + +# Custom rules +Binlib = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160 +ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160 +Logs = p+i+n+u+g+S +Devices = p+i+n+u+g+s+b+c+md5+sha256+rmd160 +Databases = p+n+u+g +StaticDir = p+i+n+u+g +ManPages = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160 + +# Next decide what directories/files you want in the database + +# Kernel, system map, etc. +=/boot$ Binlib +# Configs +/etc ConfFiles +!/etc/mtab +# Binaries +/bin Binlib +/sbin Binlib +/usr/bin Binlib +/usr/sbin Binlib +/usr/libexec Binlib +/usr/local/bin Binlib +/usr/local/sbin Binlib +#/usr/games Binlib +# Libraries +/lib(64)? Binlib +/usr/lib(64)? Binlib +/usr/local/lib(64)? Binlib +# Log files +=/var/log$ StaticDir +#!/var/log/ksymoops +/var/log/aide/aide.log(.[0-9])?(.gz)? Databases +/var/log/aide/error.log(.[0-9])?(.gz)? Databases +#/var/log/setuid.changes(.[0-9])?(.gz)? Databases +!/var/log/aide +/var/log Logs +# Devices +!/dev/pts +# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr, +# you may uncomment this to get rid of them. They're harmless but sometimes +# annoying. +#!/dev/cpu/mtrr +#!/dev/xconsole +/dev Devices +# Other miscellaneous files +/var/run$ StaticDir +!/var/run +# Test only the directory when dealing with /proc +/proc$ StaticDir +!/proc + +# You can look through these examples to get further ideas + +# MD5 sum files - especially useful with debsums -g +#/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1 + +# Check crontabs +#/var/spool/anacron/cron.daily Databases +#/var/spool/anacron/cron.monthly Databases +#/var/spool/anacron/cron.weekly Databases +#/var/spool/cron Databases +#/var/spool/cron/crontabs Databases + +# manpages can be trojaned, especially depending on *roff implementation +#/usr/man ManPages +#/usr/share/man ManPages +#/usr/local/man ManPages + +# docs +#/usr/doc ManPages +#/usr/share/doc ManPages + +# check users' home directories +#/home Binlib + +# check sources for modifications +#/usr/src L +#/usr/local/src L + +# Check headers for same +#/usr/include L +#/usr/local/include L diff --git a/app-forensics/aide/files/aide.cron-r2 b/app-forensics/aide/files/aide.cron-r2 new file mode 100644 index 000000000000..b8a78ba2a856 --- /dev/null +++ b/app-forensics/aide/files/aide.cron-r2 @@ -0,0 +1,188 @@ +#!/bin/bash +# Modified: Benjamin Smee +# Date: Fri Sep 10 11:35:41 BST 2004 + +# This is the email address reports get mailed to +MAILTO=root@localhost + +# Set this to suppress mailings when there's nothing to report +QUIETREPORTS=1 + +# This parameter defines which aide command to run from the cron script. +# Sensible values are "update" and "check". +# Default is "check", ensuring backwards compatibility. +# Since "update" does not take any longer, it is recommended to use "update", +# so that a new database is created every day. The new database needs to be +# manually copied over the current one, though. +COMMAND=update + +# This parameter defines how many lines to return per e-mail. Output longer +# than this value will be truncated in the e-mail sent out. +LINES=1000 + +# This parameter gives a grep regular expression. If given, all output lines +# that _don't_ match the regexp are listed first in the script's output. This +# allows to easily remove noise from the aide report. +NOISE="(/var/cache/|/var/lib/|/var/tmp)" +PATH="/bin:/usr/bin:/sbin:/usr/sbin" +LOGDIR="/var/log/aide" +LOGFILE="aide.log" +CONFFILE="/etc/aide/aide.conf" +ERRORLOG="aide_error.log" +MAILLOG="aide_mail.log" +ERRORTMP=$(mktemp "${ERRORLOG}.XXXXXX") + +[ -f /usr/bin/aide ] || exit 0 + +DATABASE=$(grep "^database=file:/" $CONFFILE | head -n 1 | cut --delimiter=: --fields=2) +FQDN=$(hostname -f) +DATE=$(date +"at %Y-%m-%d %H:%M") + +# default values + +DATABASE="${DATABASE:-/var/lib/aide/aide.db}" + +AIDEARGS="" + +if [ ! -f "$DATABASE" ]; then + /usr/sbin/sendmail $MAILTO <<EOF +Subject: Daily AIDE report for $FQDN +From: root@${FQDN} +To: ${MAILTO} +Fatal error: The AIDE database does not exist! +This may mean you haven't created it, or it may mean that someone has removed it. +EOF + exit 0 +fi + +aide $AIDEARGS --$COMMAND >"$LOGDIR/$LOGFILE" 2>"$ERRORTMP" +RETVAL=$? + +if [ -n "$QUIETREPORTS" ] && ! [ -s "$LOGDIR/$LOGFILE" ] && ! [ -s "$ERRORTMP" ] ; then + # Bail now because there was no output and QUIETREPORTS is set + exit 0 +fi + +MAILTMP=$(mktemp "${MAILLOG}.XXXXXX") + +(cat << EOF +This is an automated report generated by the Advanced Intrusion Detection +Environment on $FQDN ${DATE}. + +EOF + +# include error log in daily report e-mail + +if [ "$RETVAL" != "0" ]; then + cat > "$LOGDIR/$ERRORLOG" << EOF + +***************************************************************************** +* aide returned a non-zero exit value * +***************************************************************************** + +EOF + echo "exit value is: $RETVAL" >> "$LOGDIR/$ERRORLOG" +else + touch "$LOGDIR/$ERRORLOG" +fi +< "$ERRORTMP" cat >> "$LOGDIR/$ERRORLOG" +rm -f "$ERRORTMP" + +if [ -s "$LOGDIR/$ERRORLOG" ]; then + errorlines=$(wc -l "$LOGDIR/$ERRORLOG" | awk '{ print $1 }') + if [ "${errorlines:=0}" -gt $LINES ]; then + cat << EOF + +**************************************************************************** +* aide has returned many errors. * +* the error log output has been truncated in this mail * +**************************************************************************** + +EOF + echo "Error output is $errorlines lines, truncated to $LINES." + head -$LINES "$LOGDIR/$ERRORLOG" + echo "The full output can be found in $LOGDIR/$ERRORLOG." + else + echo "Errors produced ($errorlines lines):" + cat "$LOGDIR/$ERRORLOG" + fi +else + echo "AIDE produced no errors." +fi + +# include de-noised log + +if [ -n "$NOISE" ]; then + NOISETMP=$(mktemp "aidenoise.XXXXXX") + NOISETMP2=$(mktemp "aidenoise.XXXXXX") + sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" | \ + grep '^\(changed\|removed\|added\):' | \ + grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" > "$NOISETMP2" + + if [ -n "$NOISE" ]; then + < "$NOISETMP2" grep -v "^\(changed\|removed\|added\):$NOISE" > "$NOISETMP" + rm -f "$NOISETMP2" + echo "De-Noised output removes everything matching $NOISE." + else + mv "$NOISETMP2" "$NOISETMP" + echo "No noise expression was given." + fi + + if [ -s "$NOISETMP" ]; then + loglines=$(< "$NOISETMP" wc -l | awk '{ print $1 }') + if [ "${loglines:=0}" -gt $LINES ]; then + cat << EOF + +**************************************************************************** +* aide has returned long output which has been truncated in this mail * +**************************************************************************** + +EOF + echo "De-Noised output is $loglines lines, truncated to $LINES." + < "$NOISETMP" head -$LINES + echo "The full output can be found in $LOGDIR/$LOGFILE." + else + echo "De-Noised output of the daily AIDE run ($loglines lines):" + cat "$NOISETMP" + fi + else + echo "AIDE detected no changes after removing noise." + fi + rm -f "$NOISETMP" + echo "============================================================================" +fi + +# include non-de-noised log + +if [ -s "$LOGDIR/$LOGFILE" ]; then + loglines=$(wc -l "$LOGDIR/$LOGFILE" | awk '{ print $1 }') + if [ "${loglines:=0}" -gt $LINES ]; then + cat << EOF + +**************************************************************************** +* aide has returned long output which has been truncated in this mail * +**************************************************************************** + +EOF + echo "Output is $loglines lines, truncated to $LINES." + head -$LINES "$LOGDIR/$LOGFILE" + echo "The full output can be found in $LOGDIR/$LOGFILE." + else + echo "Output of the daily AIDE run ($loglines lines):" + cat "$LOGDIR/$LOGFILE" + fi +else + echo "AIDE detected no changes." +fi +) > "${MAILTMP}" + +( +cat <<EOF +Subject: Daily AIDE report for $FQDN +From: root@${FQDN} +To: ${MAILTO} +EOF +cat "${MAILTMP}" +) | /usr/sbin/sendmail $MAILTO + +rm -f "$MAILTMP" |