public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] repo/gentoo:master commit in: app-forensics/aide/files/
@ 2022-03-12  0:12 Sam James
From: Sam James @ 2022-03-12  0:12 UTC
  To: gentoo-commits

commit:     2823ca8dc37d4377400cdd3eaa647827d0120596
Author:     Daniel Hiepler <daniel-gentoo <AT> coderdu <DOT> de>
AuthorDate: Fri Mar 11 12:37:36 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Mar 12 00:11:41 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2823ca8d

app-forensics/aide: create new revision of aide.conf

* verbose option was replaced by log_level & report_level
* database option was renamed to database_in

Signed-off-by: Daniel Hiepler <daniel-gentoo <AT> coderdu.de>
Signed-off-by: Sam James <sam <AT> gentoo.org>

 app-forensics/aide/files/aide.conf-r2 | 136 ++++++++++++++++++++++++++++++++++
 1 file changed, 136 insertions(+)

diff --git a/app-forensics/aide/files/aide.conf-r2 b/app-forensics/aide/files/aide.conf-r2
new file mode 100644
index 000000000000..4bce675f7da3
--- /dev/null
+++ b/app-forensics/aide/files/aide.conf-r2
@@ -0,0 +1,136 @@
+# Example configuration file for AIDE
+# See more: man 5 aide.conf
+
+database_in=file:/var/lib/aide/aide.db
+database_out=file:/var/lib/aide/aide.db.new
+
+# Change this to "no" or remove it to not gzip output
+# (only useful on systems with few CPU cycles to spare)
+gzip_dbout=yes
+
+# Default: warning
+#log_level=info
+
+# Default: changed_attributes
+#report_level=added_removed_attributes
+
+report_url=file:/var/log/aide/aide.log
+report_url=stdout
+#report_url=stderr
+
+# Here are all the things we can check - these are the default rules
+#
+# p:   permissions
+# ftype: file type
+# i:   inode
+# l:   link name
+# n:   number of links
+# u:   user
+# g:   group
+# s:   size
+# b:   block count
+# m:   mtime (modification time)
+# a:   atime (access time)
+# c:   ctime (change time)
+# S:   check for growing size
+# I:   ignore changed filename
+# ANF: allow new files
+# ARF: allow removed files
+# md5: md5 checksum
+# sha1: sha1 checksum
+# sha256: sha256 checksum
+# sha512: sha512 checksum
+# rmd160: rmd160 checksum
+# tiger: tiger checksum
+# crc32:    crc32 checksum
+# R:   p+ftype+i+l+n+u+g+s+m+c+md5+X
+# L:   p+ftype+i+l+n+u+g+X
+# E:   Empty group
+# X:   acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled)
+# >:   Growing file p+ftype+l+u+g+i+n+S+X
+
+# Defines formerly set here have been moved to /etc/default/aide.
+
+# Custom rules
+Binlib = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160
+ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160
+Logs = p+i+n+u+g+S
+Devices = p+i+n+u+g+s+b+c+md5+sha256+rmd160
+Databases = p+n+u+g
+StaticDir = p+i+n+u+g
+ManPages = p+i+n+u+g+s+b+m+c+md5+sha256+rmd160
+
+# Next decide what directories/files you want in the database
+
+# Kernel, system map, etc.
+=/boot$ Binlib
+# Configs
+/etc ConfFiles
+!/etc/mtab
+# Binaries
+/bin Binlib
+/sbin Binlib
+/usr/bin Binlib
+/usr/sbin Binlib
+/usr/libexec Binlib
+/usr/local/bin Binlib
+/usr/local/sbin Binlib
+#/usr/games Binlib
+# Libraries
+/lib(64)? Binlib
+/usr/lib(64)? Binlib
+/usr/local/lib(64)? Binlib
+# Log files
+=/var/log$ StaticDir
+#!/var/log/ksymoops
+/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
+/var/log/aide/error.log(.[0-9])?(.gz)? Databases
+#/var/log/setuid.changes(.[0-9])?(.gz)? Databases
+!/var/log/aide
+/var/log Logs
+# Devices
+!/dev/pts
+# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr,
+# you may uncomment this to get rid of them. They're harmless but sometimes
+# annoying.
+#!/dev/cpu/mtrr
+#!/dev/xconsole
+/dev Devices
+# Other miscellaneous files
+/var/run$ StaticDir
+!/var/run
+# Test only the directory when dealing with /proc
+/proc$ StaticDir
+!/proc
+
+# You can look through these examples to get further ideas
+
+# MD5 sum files - especially useful with debsums -g
+#/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1
+
+# Check crontabs
+#/var/spool/anacron/cron.daily Databases
+#/var/spool/anacron/cron.monthly Databases
+#/var/spool/anacron/cron.weekly Databases
+#/var/spool/cron Databases
+#/var/spool/cron/crontabs Databases
+
+# manpages can be trojaned, especially depending on *roff implementation
+#/usr/man ManPages
+#/usr/share/man ManPages
+#/usr/local/man ManPages
+
+# docs
+#/usr/doc ManPages
+#/usr/share/doc ManPages
+
+# check users' home directories
+#/home Binlib
+
+# check sources for modifications
+#/usr/src L
+#/usr/local/src L
+
+# Check headers for same
+#/usr/include L
+#/usr/local/include L
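Review bot: `report_url=file:/var/log/aide/aide.log` together with `report_url=stdout` collides with the companion aide.cron-r2 in this series, which redirects aide's stdout to the same `$LOGDIR/$LOGFILE` (`/var/log/aide/aide.log`): aide then opens that path itself while the shell already holds it open with `>`, so two writers share one log file. Keep only `report_url=stdout` when the cron script owns the file, or drop the redirect in the script. Two smaller points: the comment `Defines formerly set here have been moved to /etc/default/aide.` names a file nothing else in this series uses (the cron script reads `/etc/aide/aide.conf`), so it should go or point at the real location; and the `.` in `aide.log(.[0-9])?(.gz)?` and `error.log(.[0-9])?(.gz)?` is unescaped, so `.gz` also matches `-gz` or `_gz`, where `\.` is what is meant.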



* [gentoo-commits] repo/gentoo:master commit in: app-forensics/aide/files/
@ 2022-03-12  0:12 Sam James
From: Sam James @ 2022-03-12  0:12 UTC
  To: gentoo-commits

commit:     a1c2babb3bb0ba114b392617cdafd27b3a68e67b
Author:     Daniel Hiepler <daniel-gentoo <AT> coderdu <DOT> de>
AuthorDate: Fri Mar 11 14:51:42 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Mar 12 00:11:39 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a1c2babb

app-forensics/aide: create new revision of aide.cron

* replace tempfile with mktemp (respects $TMPDIR or uses /tmp by default)
* Double quote to prevent globbing and word splitting.
* Use $(...) notation instead of legacy backticks `...`
* Prefer [ p ] && [ q ] as [ p -a q ] is not well defined
* don't check $QUIETREPORTS twice
* (--verbose): option no longer supported, use 'log_level' and 'report_level' options instead
* remove old comment - remaining debianutils dependency (tempfile) is removed now
* remove whitespace

Signed-off-by: Daniel Hiepler <daniel-gentoo <AT> coderdu.de>
Signed-off-by: Sam James <sam <AT> gentoo.org>

 app-forensics/aide/files/aide.cron-r2 | 188 ++++++++++++++++++++++++++++++++++
 1 file changed, 188 insertions(+)

diff --git a/app-forensics/aide/files/aide.cron-r2 b/app-forensics/aide/files/aide.cron-r2
new file mode 100644
index 000000000000..b8a78ba2a856
--- /dev/null
+++ b/app-forensics/aide/files/aide.cron-r2
@@ -0,0 +1,188 @@
+#!/bin/bash
+# Modified: Benjamin Smee
+# Date: Fri Sep 10 11:35:41 BST 2004
+
+# This is the email address reports get mailed to
+MAILTO=root@localhost
+
+# Set this to suppress mailings when there's nothing to report
+QUIETREPORTS=1
+
+# This parameter defines which aide command to run from the cron script.
+# Sensible values are "update" and "check".
+# Default is "check", ensuring backwards compatibility.
+# Since "update" does not take any longer, it is recommended to use "update",
+# so that a new database is created every day. The new database needs to be
+# manually copied over the current one, though.
+COMMAND=update
+
+# This parameter defines how many lines to return per e-mail. Output longer
+# than this value will be truncated in the e-mail sent out.
+LINES=1000
+
+# This parameter gives a grep regular expression. If given, all output lines
+# that _don't_ match the regexp are listed first in the script's output. This
+# allows to easily remove noise from the aide report.
+NOISE="(/var/cache/|/var/lib/|/var/tmp)"
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+LOGDIR="/var/log/aide"
+LOGFILE="aide.log"
+CONFFILE="/etc/aide/aide.conf"
+ERRORLOG="aide_error.log"
+MAILLOG="aide_mail.log"
+ERRORTMP=$(mktemp "${ERRORLOG}.XXXXXX")
+
+[ -f /usr/bin/aide ] || exit 0
+
+DATABASE=$(grep "^database=file:/" $CONFFILE | head -n 1 | cut --delimiter=: --fields=2)
+FQDN=$(hostname -f)
+DATE=$(date +"at %Y-%m-%d %H:%M")
+
+# default values
+
+DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
+
+AIDEARGS=""
+
+if [ ! -f "$DATABASE" ]; then
+	/usr/sbin/sendmail $MAILTO <<EOF
+Subject: Daily AIDE report for $FQDN
+From: root@${FQDN}
+To: ${MAILTO}
+Fatal error: The AIDE database does not exist!
+This may mean you haven't created it, or it may mean that someone has removed it.
+EOF
+	exit 0
+fi
+
+aide $AIDEARGS --$COMMAND >"$LOGDIR/$LOGFILE" 2>"$ERRORTMP"
+RETVAL=$?
+
+if [ -n "$QUIETREPORTS" ] && ! [ -s "$LOGDIR/$LOGFILE" ] && ! [ -s "$ERRORTMP" ] ; then
+	# Bail now because there was no output and QUIETREPORTS is set
+	exit 0
+fi
+
+MAILTMP=$(mktemp "${MAILLOG}.XXXXXX")
+
+(cat << EOF
+This is an automated report generated by the Advanced Intrusion Detection
+Environment on $FQDN ${DATE}.
+
+EOF
+
+# include error log in daily report e-mail
+
+if [ "$RETVAL" != "0" ]; then
+	cat > "$LOGDIR/$ERRORLOG" << EOF
+
+*****************************************************************************
+*                    aide returned a non-zero exit value                    *
+*****************************************************************************
+
+EOF
+	echo "exit value is: $RETVAL" >> "$LOGDIR/$ERRORLOG"
+else
+	touch "$LOGDIR/$ERRORLOG"
+fi
+< "$ERRORTMP" cat >> "$LOGDIR/$ERRORLOG"
+rm -f "$ERRORTMP"
+
+if [ -s "$LOGDIR/$ERRORLOG" ]; then
+	errorlines=$(wc -l "$LOGDIR/$ERRORLOG" | awk '{ print $1 }')
+	if [ "${errorlines:=0}" -gt $LINES ]; then
+		cat << EOF
+
+****************************************************************************
+*                      aide has returned many errors.                      *
+*           the error log output has been truncated in this mail           *
+****************************************************************************
+
+EOF
+		echo "Error output is $errorlines lines, truncated to $LINES."
+		head -$LINES "$LOGDIR/$ERRORLOG"
+		echo "The full output can be found in $LOGDIR/$ERRORLOG."
+	else
+		echo "Errors produced  ($errorlines lines):"
+		cat "$LOGDIR/$ERRORLOG"
+	fi
+else
+	echo "AIDE produced no errors."
+fi
+
+# include de-noised log
+
+if [ -n "$NOISE" ]; then
+	NOISETMP=$(mktemp "aidenoise.XXXXXX")
+	NOISETMP2=$(mktemp "aidenoise.XXXXXX")
+	sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" | \
+	grep '^\(changed\|removed\|added\):' | \
+	grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" > "$NOISETMP2"
+
+	if [ -n "$NOISE" ]; then
+		< "$NOISETMP2" grep -v "^\(changed\|removed\|added\):$NOISE" > "$NOISETMP"
+		rm -f "$NOISETMP2"
+		echo "De-Noised output removes everything matching $NOISE."
+	else
+		mv "$NOISETMP2" "$NOISETMP"
+		echo "No noise expression was given."
+	fi
+
+	if [ -s "$NOISETMP" ]; then
+		loglines=$(< "$NOISETMP" wc -l | awk '{ print $1 }')
+		if [ "${loglines:=0}" -gt $LINES ]; then
+			cat << EOF
+
+****************************************************************************
+*   aide has returned long output which has been truncated in this mail    *
+****************************************************************************
+
+EOF
+			echo "De-Noised output is $loglines lines, truncated to $LINES."
+			< "$NOISETMP" head -$LINES
+			echo "The full output can be found in $LOGDIR/$LOGFILE."
+		else
+			echo "De-Noised output of the daily AIDE run ($loglines lines):"
+			cat "$NOISETMP"
+		fi
+	else
+		echo "AIDE detected no changes after removing noise."
+	fi
+	rm -f "$NOISETMP"
+	echo "============================================================================"
+fi
+
+# include non-de-noised log
+
+if [ -s "$LOGDIR/$LOGFILE" ]; then
+	loglines=$(wc -l "$LOGDIR/$LOGFILE" | awk '{ print $1 }')
+	if [ "${loglines:=0}" -gt $LINES ]; then
+		cat << EOF
+
+****************************************************************************
+*   aide has returned long output which has been truncated in this mail    *
+****************************************************************************
+
+EOF
+		echo "Output is $loglines lines, truncated to $LINES."
+		head -$LINES "$LOGDIR/$LOGFILE"
+		echo "The full output can be found in $LOGDIR/$LOGFILE."
+	else
+		echo "Output of the daily AIDE run ($loglines lines):"
+		cat "$LOGDIR/$LOGFILE"
+	fi
+else
+	echo "AIDE detected no changes."
+fi
+) > "${MAILTMP}"
+
+(
+cat <<EOF
+Subject: Daily AIDE report for $FQDN
+From: root@${FQDN}
+To: ${MAILTO}
+EOF
+cat "${MAILTMP}"
+) | /usr/sbin/sendmail $MAILTO
+
+rm -f "$MAILTMP"
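Review bot: `DATABASE=$(grep "^database=file:/" $CONFFILE ...)` never matches the aide.conf-r2 shipped alongside this change, whose own commit message says `database` was renamed to `database_in`; `DATABASE` is therefore always empty and silently replaced by the `/var/lib/aide/aide.db` default, so the `[ ! -f "$DATABASE" ]` check below tests the wrong file for anyone who changed the path. Use `grep -E "^database(_in)?=file:/" "$CONFFILE"` (quoting `$CONFFILE`, as the other bullets in the message do). Second, `mktemp "${ERRORLOG}.XXXXXX"`, `mktemp "${MAILLOG}.XXXXXX"` and `mktemp "aidenoise.XXXXXX"` pass a bare template, which GNU mktemp creates in the current working directory, not under `$TMPDIR` or `/tmp`; the TMPDIR behaviour the message describes needs `mktemp --tmpdir "${ERRORLOG}.XXXXXX"` (or `-t`). Third, `NOISE="(/var/cache/|/var/lib/|/var/tmp)"` is an extended regex but is fed to basic `grep -v` in `grep -v "^\(changed\|removed\|added\):$NOISE"`, where `(`, `|` and `)` are literal characters, so no noise is ever filtered; use `grep -Ev` there. Minor: the inner `if [ -n "$NOISE" ]` repeats the outer one, so its `else` branch (`No noise expression was given.`) is unreachable; `$ERRORTMP` is created before the `[ -f /usr/bin/aide ] || exit 0` and missing-database exits, which leave it behind; and `head -$LINES` should be `head -n "$LINES"`.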


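The shell points in this commit message (a mktemp that honours $TMPDIR, quoting, a single test of $NOISE) and the database-key and noise-regex lookups from aide.cron-r2, written so they work against the aide.conf-r2 in this series, as an added example; this is not code from the Gentoo aide package or from upstream AIDE. It assumes GNU coreutils (mktemp --tmpdir) and GNU grep, and the `changed:`/`removed:`/`added:` summary-line format the cron script greps for; the aide.conf and report contents it builds are constructed, not real output.

```shell
#!/bin/sh
# Added example, not code from the Gentoo aide package or upstream AIDE.
# Assumes GNU coreutils (mktemp --tmpdir) and GNU grep (-E).

# aide_database_path CONFFILE
# Print the database path from an aide.conf. Accepts the current
# "database_in=file:/..." key and the legacy "database=file:/..." key
# (the cron script only knew the latter); falls back to the default path.
aide_database_path() {
    db=$(grep -E '^database(_in)?=file:/' "$1" 2>/dev/null | head -n 1 | cut -d: -f2-)
    printf '%s\n' "${db:-/var/lib/aide/aide.db}"
}

# aide_mktemp PREFIX
# A bare template ("foo.XXXXXX") makes GNU mktemp create the file in the
# current working directory; --tmpdir places it under $TMPDIR (default /tmp),
# which is what a cron job with an arbitrary working directory needs.
aide_mktemp() {
    mktemp --tmpdir "$1.XXXXXX"
}

# aide_denoise REPORT NOISE_ERE
# Print the summary lines ("changed:", "removed:", "added:") of an AIDE report
# that do not match NOISE_ERE. Every grep uses -E, so a pattern such as
# "(/var/cache/|/var/lib/)" is alternation, not literal text. Returns 0 even
# when nothing survives the filter (grep's "no match" status 1 is accepted).
aide_denoise() {
    sed -n '1,/^Detailed information about changes:/p' "$1" \
        | grep -E '^(changed|removed|added):' \
        | grep -Ev '^added: THERE WERE ALSO [0-9]+ FILES ADDED UNDER THIS DIRECTORY' \
        | if [ -n "$2" ]; then
              grep -Ev "^(changed|removed|added):[[:space:]]*$2"
          else
              cat
          fi || [ $? -eq 1 ]
}

# Stand-alone demonstration on constructed input (not a real config or report).
aide_demo() {
    dir=$(mktemp -d --tmpdir aide-demo.XXXXXX)
    printf '%s\n' '# constructed aide.conf' \
        'database_in=file:/var/lib/aide/aide.db' \
        'database_out=file:/var/lib/aide/aide.db.new' > "$dir/aide.conf"
    printf '%s\n' 'AIDE found differences between database and filesystem!!' \
        'added: /var/cache/man/index.db' \
        'changed: /etc/passwd' \
        'removed: /var/lib/portage/world' \
        'added: THERE WERE ALSO 2 FILES ADDED UNDER THIS DIRECTORY' \
        'Detailed information about changes:' \
        'changed: /etc/shadow' > "$dir/aide.log"
    echo "database: $(aide_database_path "$dir/aide.conf")"
    echo "de-noised report lines:"
    aide_denoise "$dir/aide.log" '(/var/cache/|/var/lib/|/var/tmp)'
    rm -rf "$dir"
}

aide_demo
```

Run as-is it prints the database path parsed from the constructed aide.conf and the one report line that survives the default noise pattern. Because aide_denoise exits 0 whether or not any line is left, callers decide on the output (`[ -s "$NOISETMP" ]`, as the cron script already does) rather than on the exit status.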

* [gentoo-commits] repo/gentoo:master commit in: app-forensics/aide/files/
@ 2023-02-08 17:17 Sam James
From: Sam James @ 2023-02-08 17:17 UTC
  To: gentoo-commits

commit:     f201807494ca1aabd2b9f2a3895d7d896f8a09c9
Author:     Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Wed Feb  8 16:47:21 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Feb  8 17:15:13 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2018074

app-forensics/aide: remove unused patch

Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/29491
Signed-off-by: Sam James <sam <AT> gentoo.org>

 app-forensics/aide/files/aide-0.17.4-bashism.patch | 60 ----------------------
 1 file changed, 60 deletions(-)

diff --git a/app-forensics/aide/files/aide-0.17.4-bashism.patch b/app-forensics/aide/files/aide-0.17.4-bashism.patch
deleted file mode 100644
index e25463dbf772..000000000000
--- a/app-forensics/aide/files/aide-0.17.4-bashism.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-Fixed upstream, so backport to 0.17.4 of
-https://github.com/aide/aide/commit/5161886c49060228811eee6da319844ef62dff6d
-https://github.com/aide/aide/commit/007eb4f32e8874ce457b4f15d9789c2a9d61731b
-
-Fixed in master but not 0.17.x.
---- a/configure.ac
-+++ b/configure.ac
-@@ -329,7 +329,7 @@ fi
- AC_CHECK_HEADERS(syslog.h inttypes.h fcntl.h ctype.h)
- 
- PCRELIB="-lpcre"
--if test "$aide_static_choice" == "yes"; then
-+if test "$aide_static_choice" = "yes"; then
-     PCRELIB="$PCRELIB -pthread"
- fi
- AC_CHECK_LIB(pcre, pcre_exec, [
-@@ -426,14 +426,14 @@ AS_IF([test "x$with_selinux_support" != xno],
-     AC_DEFINE(WITH_SELINUX,1,[use SELinux])
-     [AC_MSG_RESULT(yes)
-     if test "x$PKG_CONFIG" != xno && $PKG_CONFIG --exists libselinux; then
--        if test "$aide_static_choice" == "yes"; then
-+        if test "$aide_static_choice" = "yes"; then
-             SELINUXLIB=$(${PKG_CONFIG} --libs libselinux --static)
-         else
-             SELINUXLIB=$(${PKG_CONFIG} --libs libselinux)
-         fi
-     else
-     SELINUXLIB="-lselinux"
--    if test "$aide_static_choice" == "yes"; then
-+    if test "$aide_static_choice" = "yes"; then
-         saveLIBS=$LIBS
-         LIBS="-static $SELINUXLIB"
-         AC_SEARCH_LIBS([lgetfilecon_raw], [], [], [SELINUXLIB="$SELINUXLIB -lpthread"])
-@@ -555,7 +555,7 @@ AC_ARG_ENABLE([default_db],
-     [do not set default values for database_in and database_out config options]),
-     [enable_default_db=$enableval],[enable_default_db=yes])
- 
--if test "$enable_default_db" == "yes"; then
-+if test "$enable_default_db" = "yes"; then
- 
- if test "x$sysconfdir" != x'${prefix}/etc'; then
- 	evalled_sysconfdir=`eval echo "$sysconfdir"`
-@@ -592,7 +592,7 @@ AC_ARG_WITH([curl],
-   [use curl library for http, https and ftp database backend (default: no)]),
-  [with_curl=$withval], [with_curl=no])
- AS_IF([test "x$with_curl" = "xyes"], [
--       if test "$aide_static_choice" == "yes"; then
-+       if test "$aide_static_choice" = "yes"; then
-            PKG_CHECK_MODULES_STATIC(CURL, [libcurl], , [AC_MSG_RESULT([libcurl not found by pkg-config - Try --without-curl or add directory containing libcurl.pc to PKG_CONFIG_PATH environment variable])])
-         else
-            PKG_CHECK_MODULES(CURL, [libcurl], , [AC_MSG_RESULT([libcurl not found by pkg-config - Try --without-curl or add directory containing libcurl.pc to PKG_CONFIG_PATH environment variable])])
-@@ -671,7 +671,7 @@ AS_IF([test "x$with_audit" != xno],
- 		AC_MSG_ERROR(You don't have libaudit properly installed. Install it if you need it.)
- 	)
- 	AUDITLIB="-laudit"
--	if test "$aide_static_choice" == "yes"; then
-+	if test "$aide_static_choice" = "yes"; then
- 		saveLIBS=$LIBS
- 		LIBS="-static $AUDITLIB"
- 		AC_CHECK_LIB([audit], [audit_log_user_message], [], [
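Review bot: the deleted patch's own header says the `==`-in-`test` fix is in upstream master "but not 0.17.x", so this removal is only safe if no remaining app-forensics/aide ebuild still applies `aide-0.17.4-bashism.patch`; the commit message calls the patch unused but shows no ebuild change, so confirm that before merging (`grep -rn bashism app-forensics/aide/` should come back empty, and the 0.17.4 ebuild should be gone or pointing at a release that carries the upstream commits listed in the header).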


