diff -Nru aide-0.16~b1/ChangeLog aide-0.16/ChangeLog
--- aide-0.16~b1/ChangeLog 2016-04-15 21:31:27.000000000 +0000
+++ aide-0.16/ChangeLog 2016-07-25 20:58:12.000000000 +0000
@@ -1,3 +1,25 @@
+2016-07-25 Hannes von Haugwitz
+ * Release version 0.16
+
+2016-07-11 Hannes von Haugwitz
+ * Fix example aide.conf (xattr -> xattrs)
+ * aide.conf.5: update "SELECTION LINES" section
+ * Released version 0.16rc1
+
+2016-07-10 Hannes von Haugwitz
+ * Fix compilation with latest libaudit
+ * Use AC_PROG_CC_C99 instead of AC_PROG_CC
+ * Add AM_PROG_CC_C_O
+ * aide.conf.in: logfile -> file
+ * Update README
+ * Update manual pages (aide.1 and aide.conf.5)
+
+2016-07-07 Hannes von Haugwitz
+ * Adapt manual to version 0.16
+
+2016-06-08 Hannes von Haugwitz
+ * Add missing break statements
+
 2016-04-15 Hannes von Haugwitz
 * Released version 0.16b1
diff -Nru aide-0.16~b1/config.guess aide-0.16/config.guess
--- aide-0.16~b1/config.guess 2016-04-15 21:37:12.000000000 +0000
+++ aide-0.16/config.guess 2016-07-25 21:09:47.000000000 +0000
@@ -1,8 +1,8 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
-# Copyright 1992-2015 Free Software Foundation, Inc.
+# Copyright 1992-2016 Free Software Foundation, Inc.
-timestamp='2015-08-20'
+timestamp='2016-04-02'
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -27,7 +27,7 @@
 # Originally written by Per Bothner; maintained since 2000 by Ben Elliston.
 #
 # You can get the latest version of this script from:
-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
 #
 # Please send patches to .
@@ -50,7 +50,7 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2015 Free Software Foundation, Inc. +Copyright 1992-2016 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -237,6 +237,10 @@ UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} exit ;; + *:LibertyBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE} + exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; 
@@ -268,42 +272,42 @@ ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case "$ALPHA_CPU_TYPE" in "EV4 (21064)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "EV4.5 (21064)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "LCA4 (21066/21068)") - UNAME_MACHINE="alpha" ;; + UNAME_MACHINE=alpha ;; "EV5 (21164)") - UNAME_MACHINE="alphaev5" ;; + UNAME_MACHINE=alphaev5 ;; "EV5.6 (21164A)") - UNAME_MACHINE="alphaev56" ;; + UNAME_MACHINE=alphaev56 ;; "EV5.6 (21164PC)") - UNAME_MACHINE="alphapca56" ;; + UNAME_MACHINE=alphapca56 ;; "EV5.7 (21164PC)") - UNAME_MACHINE="alphapca57" ;; + UNAME_MACHINE=alphapca57 ;; "EV6 (21264)") - UNAME_MACHINE="alphaev6" ;; + UNAME_MACHINE=alphaev6 ;; "EV6.7 (21264A)") - UNAME_MACHINE="alphaev67" ;; + UNAME_MACHINE=alphaev67 ;; "EV6.8CB (21264C)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.8AL (21264B)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.8CX (21264D)") - UNAME_MACHINE="alphaev68" ;; + UNAME_MACHINE=alphaev68 ;; "EV6.9A (21264/EV69A)") - UNAME_MACHINE="alphaev69" ;; + UNAME_MACHINE=alphaev69 ;; "EV7 (21364)") - UNAME_MACHINE="alphaev7" ;; + UNAME_MACHINE=alphaev7 ;; "EV7.9 (21364A)") - UNAME_MACHINE="alphaev79" ;; + UNAME_MACHINE=alphaev79 ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. - echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? trap '' 0 
@@ -376,16 +380,16 @@ exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) eval $set_cc_for_build - SUN_ARCH="i386" + SUN_ARCH=i386 # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then - SUN_ARCH="x86_64" + SUN_ARCH=x86_64 fi fi echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` @@ -410,7 +414,7 @@ exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` - test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 + test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) echo m68k-sun-sunos${UNAME_RELEASE} @@ -635,13 +639,13 @@ sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case "${sc_cpu_version}" in - 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 - 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 + 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 case "${sc_kernel_bits}" in - 32) HP_ARCH="hppa2.0n" ;; - 64) HP_ARCH="hppa2.0w" ;; - '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 + 32) HP_ARCH=hppa2.0n ;; + 64) HP_ARCH=hppa2.0w ;; + '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 esac ;; esac fi @@ -680,11 +684,11 @@ exit (0); } EOF - (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac - if [ ${HP_ARCH} = "hppa2.0w" ] + if [ ${HP_ARCH} = hppa2.0w ] then eval $set_cc_for_build 
@@ -697,12 +701,12 @@ # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 - if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | + if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then - HP_ARCH="hppa2.0w" + HP_ARCH=hppa2.0w else - HP_ARCH="hppa64" + HP_ARCH=hppa64 fi fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} @@ -807,14 +811,14 @@ echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) - FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) 
@@ -896,7 +900,7 @@ exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland - echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix @@ -919,7 +923,7 @@ EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 - if test "$?" = 0 ; then LIBC="gnulibc1" ; fi + if test "$?" = 0 ; then LIBC=gnulibc1 ; fi echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; arc:Linux:*:* | arceb:Linux:*:*) @@ -965,6 +969,9 @@ ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; + k1om:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; m32r*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-${LIBC} exit ;; @@ -1120,7 +1127,7 @@ # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub - # prints for the "djgpp" host, or else GDB configury will decide that + # prints for the "djgpp" host, or else GDB configure will decide that # this is a cross-build. echo i586-pc-msdosdjgpp exit ;; @@ -1269,6 +1276,9 @@ SX-8R:SUPER-UX:*:*) echo sx8r-nec-superux${UNAME_RELEASE} exit ;; + SX-ACE:SUPER-UX:*:*) + echo sxace-nec-superux${UNAME_RELEASE} + exit ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit ;; 
@@ -1282,9 +1292,9 @@ UNAME_PROCESSOR=powerpc fi if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then - if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then case $UNAME_PROCESSOR in @@ -1306,7 +1316,7 @@ exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` - if test "$UNAME_PROCESSOR" = "x86"; then + if test "$UNAME_PROCESSOR" = x86; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi @@ -1337,7 +1347,7 @@ # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. - if test "$cputype" = "386"; then + if test "$cputype" = 386; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" @@ -1379,7 +1389,7 @@ echo i386-pc-xenix exit ;; i*86:skyos:*:*) - echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' + echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'` exit ;; i*86:rdos:*:*) echo ${UNAME_MACHINE}-pc-rdos @@ -1390,6 +1400,9 @@ x86_64:VMkernel:*:*) echo ${UNAME_MACHINE}-unknown-esx exit ;; + amd64:Isilon\ OneFS:*:*) + echo x86_64-unknown-onefs + exit ;; esac cat >&2 < header file. */ #undef HAVE_INTTYPES_H +/* Define to 1 if you have the `audit' library (-laudit). */ +#undef HAVE_LIBAUDIT + /* Define to 1 if you have the `gcrypt' library (-lgcrypt). */ #undef HAVE_LIBGCRYPT diff -Nru aide-0.16~b1/config.sub aide-0.16/config.sub --- aide-0.16~b1/config.sub 2016-04-15 21:37:12.000000000 +0000 +++ aide-0.16/config.sub 2016-07-25 21:09:47.000000000 +0000 
@@ -1,8 +1,8 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright 1992-2015 Free Software Foundation, Inc. +# Copyright 1992-2016 Free Software Foundation, Inc. -timestamp='2015-08-20' +timestamp='2016-03-30' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -33,7 +33,7 @@ # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases @@ -53,8 +53,7 @@ me=`echo "$0" | sed -e 's,.*/,,'` usage="\ -Usage: $0 [OPTION] CPU-MFR-OPSYS - $0 [OPTION] ALIAS +Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS Canonicalize a configuration name. @@ -68,7 +67,7 @@ version="\ GNU config.sub ($timestamp) -Copyright 1992-2015 Free Software Foundation, Inc. +Copyright 1992-2016 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -521,7 +520,7 @@ basic_machine=i386-pc os=-aros ;; - asmjs) + asmjs) basic_machine=asmjs-unknown ;; aux) @@ -1383,7 +1382,7 @@ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ - | -bitrig* | -openbsd* | -solidbsd* \ + | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ 
@@ -1399,7 +1398,8 @@ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*) + | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \ + | -onefs* | -tirtos*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1531,6 +1531,8 @@ ;; -nacl*) ;; + -ios) + ;; -none) ;; *) diff -Nru aide-0.16~b1/configure aide-0.16/configure --- aide-0.16~b1/configure 2016-04-15 21:37:11.000000000 +0000 +++ aide-0.16/configure 2016-07-25 21:09:47.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for aide 0.16b1. +# Generated by GNU Autoconf 2.69 for aide 0.16. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -577,8 +577,8 @@ # Identity of this package. PACKAGE_NAME='aide' PACKAGE_TARNAME='aide' -PACKAGE_VERSION='0.16b1' -PACKAGE_STRING='aide 0.16b1' +PACKAGE_VERSION='0.16' +PACKAGE_STRING='aide 0.16' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1340,7 +1340,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures aide 0.16b1 to adapt to many kinds of systems. +\`configure' configures aide 0.16 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1412,7 +1412,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of aide 0.16b1:";; + short | recursive ) echo "Configuration of aide 0.16:";; esac cat <<\_ACEOF @@ -1559,7 +1559,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -aide configure 0.16b1 +aide configure 0.16 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2161,7 +2161,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by aide $as_me 0.16b1, which was +It was created by aide $as_me 0.16, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3134,7 +3134,7 @@ # Define the identity of the package. PACKAGE='aide' - VERSION='0.16b1' + VERSION='0.16' cat >>confdefs.h <<_ACEOF @@ -3229,7 +3229,7 @@ cat >>confdefs.h <<_ACEOF -#define AIDEVERSION "0.16b1" +#define AIDEVERSION "0.16" _ACEOF 
@@ -3237,6 +3237,69 @@ ac_config_headers="$ac_config_headers config.h" +DEPDIR="${am__leading_dot}deps" + +ac_config_commands="$ac_config_commands depfiles" + + +am_make=${MAKE-make} +cat > confinc << 'END' +am__doit: + @echo this is the am__doit target +.PHONY: am__doit +END +# If we don't find an include directive, just comment out the code. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for style of include used by $am_make" >&5 +$as_echo_n "checking for style of include used by $am_make... " >&6; } +am__include="#" +am__quote= +_am_result=none +# First try GNU make style include. +echo "include confinc" > confmf +# Ignore all kinds of additional output from 'make'. +case `$am_make -s -f confmf 2> /dev/null` in #( +*the\ am__doit\ target*) + am__include=include + am__quote= + _am_result=GNU + ;; +esac +# Now try BSD make style include. +if test "$am__include" = "#"; then + echo '.include "confinc"' > confmf + case `$am_make -s -f confmf 2> /dev/null` in #( + *the\ am__doit\ target*) + am__include=.include + am__quote="\"" + _am_result=BSD + ;; + esac +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $_am_result" >&5 +$as_echo "$_am_result" >&6; } +rm -f confinc confmf + +# Check whether --enable-dependency-tracking was given. +if test "${enable_dependency_tracking+set}" = set; then : + enableval=$enable_dependency_tracking; +fi + +if test "x$enable_dependency_tracking" != xno; then + am_depcomp="$ac_aux_dir/depcomp" + AMDEPBACKSLASH='\' + am__nodep='_no' +fi + if test "x$enable_dependency_tracking" != xno; then + AMDEP_TRUE= + AMDEP_FALSE='#' +else + AMDEP_TRUE='#' + AMDEP_FALSE= +fi + + ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' 
@@ -4084,69 +4147,6 @@ ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu -DEPDIR="${am__leading_dot}deps" - -ac_config_commands="$ac_config_commands depfiles" - - -am_make=${MAKE-make} -cat > confinc << 'END' -am__doit: - @echo this is the am__doit target -.PHONY: am__doit -END -# If we don't find an include directive, just comment out the code. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for style of include used by $am_make" >&5 -$as_echo_n "checking for style of include used by $am_make... " >&6; } -am__include="#" -am__quote= -_am_result=none -# First try GNU make style include. -echo "include confinc" > confmf -# Ignore all kinds of additional output from 'make'. -case `$am_make -s -f confmf 2> /dev/null` in #( -*the\ am__doit\ target*) - am__include=include - am__quote= - _am_result=GNU - ;; -esac -# Now try BSD make style include. -if test "$am__include" = "#"; then - echo '.include "confinc"' > confmf - case `$am_make -s -f confmf 2> /dev/null` in #( - *the\ am__doit\ target*) - am__include=.include - am__quote="\"" - _am_result=BSD - ;; - esac -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $_am_result" >&5 -$as_echo "$_am_result" >&6; } -rm -f confinc confmf - -# Check whether --enable-dependency-tracking was given. -if test "${enable_dependency_tracking+set}" = set; then : - enableval=$enable_dependency_tracking; -fi - -if test "x$enable_dependency_tracking" != xno; then - am_depcomp="$ac_aux_dir/depcomp" - AMDEPBACKSLASH='\' - am__nodep='_no' -fi - if test "x$enable_dependency_tracking" != xno; then - AMDEP_TRUE= - AMDEP_FALSE='#' -else - AMDEP_TRUE='#' - AMDEP_FALSE= -fi - - depcc="$CC" am_compiler_list= 
@@ -4276,6 +4276,183 @@ fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C99" >&5 +$as_echo_n "checking for $CC option to accept ISO C99... " >&6; } +if ${ac_cv_prog_cc_c99+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_cv_prog_cc_c99=no +ac_save_CC=$CC +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +#include +#include +#include +#include + +// Check varargs macros. These examples are taken from C99 6.10.3.5. +#define debug(...) fprintf (stderr, __VA_ARGS__) +#define showlist(...) puts (#__VA_ARGS__) +#define report(test,...) ((test) ? puts (#test) : printf (__VA_ARGS__)) +static void +test_varargs_macros (void) +{ + int x = 1234; + int y = 5678; + debug ("Flag"); + debug ("X = %d\n", x); + showlist (The first, second, and third items.); + report (x>y, "x is %d but y is %d", x, y); +} + +// Check long long types. +#define BIG64 18446744073709551615ull +#define BIG32 4294967295ul +#define BIG_OK (BIG64 / BIG32 == 4294967297ull && BIG64 % BIG32 == 0) +#if !BIG_OK + your preprocessor is broken; +#endif +#if BIG_OK +#else + your preprocessor is broken; +#endif +static long long int bignum = -9223372036854775807LL; +static unsigned long long int ubignum = BIG64; + +struct incomplete_array +{ + int datasize; + double data[]; +}; + +struct named_init { + int number; + const wchar_t *name; + double average; +}; + +typedef const char *ccp; + +static inline int +test_restrict (ccp restrict text) +{ + // See if C++-style comments work. + // Iterate through items via the restricted pointer. + // Also check for declarations in for loops. + for (unsigned int i = 0; *(text+i) != '\0'; ++i) + continue; + return 0; +} + +// Check varargs and va_copy. +static void +test_varargs (const char *format, ...) 
+{ + va_list args; + va_start (args, format); + va_list args_copy; + va_copy (args_copy, args); + + const char *str; + int number; + float fnumber; + + while (*format) + { + switch (*format++) + { + case 's': // string + str = va_arg (args_copy, const char *); + break; + case 'd': // int + number = va_arg (args_copy, int); + break; + case 'f': // float + fnumber = va_arg (args_copy, double); + break; + default: + break; + } + } + va_end (args_copy); + va_end (args); +} + +int +main () +{ + + // Check bool. + _Bool success = false; + + // Check restrict. + if (test_restrict ("String literal") == 0) + success = true; + char *restrict newvar = "Another string"; + + // Check varargs. + test_varargs ("s, d' f .", "string", 65, 34.234); + test_varargs_macros (); + + // Check flexible array members. + struct incomplete_array *ia = + malloc (sizeof (struct incomplete_array) + (sizeof (double) * 10)); + ia->datasize = 10; + for (int i = 0; i < ia->datasize; ++i) + ia->data[i] = i * 1.234; + + // Check named initializers. 
+ struct named_init ni = { + .number = 34, + .name = L"Test wide string", + .average = 543.34343, + }; + + ni.number = 58; + + int dynamic_array[ni.number]; + dynamic_array[ni.number - 1] = 543; + + // work around unused variable warnings + return (!success || bignum == 0LL || ubignum == 0uLL || newvar[0] == 'x' + || dynamic_array[ni.number - 1] != 543); + + ; + return 0; +} +_ACEOF +for ac_arg in '' -std=gnu99 -std=c99 -c99 -AC99 -D_STDC_C99= -qlanglvl=extc99 +do + CC="$ac_save_CC $ac_arg" + if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_prog_cc_c99=$ac_arg +fi +rm -f core conftest.err conftest.$ac_objext + test "x$ac_cv_prog_cc_c99" != "xno" && break +done +rm -f conftest.$ac_ext +CC=$ac_save_CC + +fi +# AC_CACHE_VAL +case "x$ac_cv_prog_cc_c99" in + x) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 +$as_echo "none needed" >&6; } ;; + xno) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 +$as_echo "unsupported" >&6; } ;; + *) + CC="$CC $ac_cv_prog_cc_c99" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5 +$as_echo "$ac_cv_prog_cc_c99" >&6; } ;; +esac +if test "x$ac_cv_prog_cc_c99" != xno; then : + +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} @@ -4699,6 +4876,7 @@ + # Check whether --with-extra-includes was given. if test "${with_extra_includes+set}" = set; then : withval=$with_extra_includes; CPPFLAGS="$CPPFLAGS $withval" @@ -6714,7 +6892,7 @@ ATTRLIB=-lattr compoptionstring="${compoptionstring}WITH_XATTR\\n" - aideextragroups="${aideextragroups}+xattr" + aideextragroups="${aideextragroups}+xattrs" { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } else 
@@ -7932,6 +8110,103 @@ AUDITLIB="-laudit" + if test "$aide_static_choice" == "yes"; then + saveLIBS=$LIBS + LIBS="-static $AUDITLIB" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for audit_log_user_message in -laudit" >&5 +$as_echo_n "checking for audit_log_user_message in -laudit... " >&6; } +if ${ac_cv_lib_audit_audit_log_user_message+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-laudit $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char audit_log_user_message (); +int +main () +{ +return audit_log_user_message (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_audit_audit_log_user_message=yes +else + ac_cv_lib_audit_audit_log_user_message=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_audit_audit_log_user_message" >&5 +$as_echo "$ac_cv_lib_audit_audit_log_user_message" >&6; } +if test "x$ac_cv_lib_audit_audit_log_user_message" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_LIBAUDIT 1 +_ACEOF + + LIBS="-laudit $LIBS" + +else + + LIBS="$LIBS -lcap-ng" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for audit_log_user_message in -lcap-ng" >&5 +$as_echo_n "checking for audit_log_user_message in -lcap-ng... " >&6; } +if ${ac_cv_lib_cap_ng_audit_log_user_message+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcap-ng $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. 
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char audit_log_user_message ();
+int
+main ()
+{
+return audit_log_user_message ();
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_lib_cap_ng_audit_log_user_message=yes
+else
+ ac_cv_lib_cap_ng_audit_log_user_message=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cap_ng_audit_log_user_message" >&5
+$as_echo "$ac_cv_lib_cap_ng_audit_log_user_message" >&6; }
+if test "x$ac_cv_lib_cap_ng_audit_log_user_message" = xyes; then :
+ AUDITLIB="$AUDITLIB -lcap-ng"
+else
+ as_fn_error $? "You don't have libaudit properly installed. Install it or try --without-audit." "$LINENO" 5
+
+fi
+
+
+fi
+
+ LIBS=$saveLIBS
+ fi
 compoptionstring="${compoptionstring}WITH_AUDIT\\n"
 else
 with_audit=no
@@ -8501,7 +8776,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by aide $as_me 0.16b1, which was
+This file was extended by aide $as_me 0.16, which was
 generated by GNU Autoconf 2.69. Invocation command line was
 CONFIG_FILES = $CONFIG_FILES
@@ -8571,7 +8846,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-aide config.status 0.16b1
+aide config.status 0.16
 configured by $0, generated by GNU Autoconf 2.69,
 with options \\"\$ac_cs_config\\"
diff -Nru aide-0.16~b1/configure.ac aide-0.16/configure.ac
--- aide-0.16~b1/configure.ac 2016-04-15 21:30:16.000000000 +0000
+++ aide-0.16/configure.ac 2016-07-25 20:56:55.000000000 +0000
@@ -12,7 +12,7 @@
 AM_CONFIG_HEADER(config.h)
 dnl Checks for programs.
-AC_PROG_CC
+AC_PROG_CC_C99
 AC_PROG_MAKE_SET
 AC_PROG_RANLIB
 AC_PROG_INSTALL
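Review bot: AC_PROG_CC_C99 only reports when the compiler has no C99 mode; it does not stop configure, so with a non-C99 compiler the build goes on and fails later in the compile step with less obvious errors (the generated configure in this diff expands the macro to an empty `if test "x$ac_cv_prog_cc_c99" != xno; then : fi`). Given that the ChangeLog ties this change to fixing compilation, failing early keeps the failure mode clear: `AS_IF([test "x$ac_cv_prog_cc_c99" = xno], [AC_MSG_ERROR([a C99-capable C compiler is required])])` placed right after the macro. The hunk shows only the program-check list, so if configure.ac already guards this further down the extra check would be redundant.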
@@ -30,6 +30,7 @@
 AC_CHECK_PROGS(LD, ld)
 AC_PATH_PROG(PKG_CONFIG, pkg-config, "")
+AM_PROG_CC_C_O
 dnl AC_ARG_PROGRAM
@@ -537,7 +538,7 @@
 [AC_DEFINE(WITH_XATTR,1,[use xattr])
 ATTRLIB=-lattr
 compoptionstring="${compoptionstring}WITH_XATTR\\n"
- aideextragroups="${aideextragroups}+xattr"
+ aideextragroups="${aideextragroups}+xattrs"
 AC_MSG_RESULT(yes)],
 [AC_MSG_RESULT(no)]
 )
@@ -967,6 +968,17 @@
 AC_MSG_ERROR(You don't have libaudit properly installed. Install it if you need it.)
 )
 AUDITLIB="-laudit"
+ if test "$aide_static_choice" == "yes"; then
+ saveLIBS=$LIBS
+ LIBS="-static $AUDITLIB"
+ AC_CHECK_LIB([audit], [audit_log_user_message], [], [
+ LIBS="$LIBS -lcap-ng"
+ AC_CHECK_LIB([cap-ng], [audit_log_user_message], [AUDITLIB="$AUDITLIB -lcap-ng"],
+ AC_MSG_ERROR([You don't have libaudit properly installed. Install it or try --without-audit.])
+ , [])
+ ], [])
+ LIBS=$saveLIBS
+ fi
 compoptionstring="${compoptionstring}WITH_AUDIT\\n"],
 [with_audit=no]
 )
diff -Nru aide-0.16~b1/debian/changelog aide-0.16/debian/changelog
--- aide-0.16~b1/debian/changelog 2016-04-17 20:17:47.000000000 +0000
+++ aide-0.16/debian/changelog 2016-07-26 20:23:58.000000000 +0000
@@ -1,3 +1,13 @@
+aide (0.16-1) unstable; urgency=medium
+
+ * new upstream version, changes include:
+ - fix compilation with latest libaudit (closes: #829575)
+ * adapt debian/patches/10-manpages.patch
+ * debian/control:
+ - bump to Standards-Version 3.9.8 (no changes necessary)
+
+ -- Hannes von Haugwitz Tue, 26 Jul 2016 21:50:19 +0200
+
 aide (0.16~b1-1) unstable; urgency=medium
 * new beta upstream version, changes include:
diff -Nru aide-0.16~b1/debian/control aide-0.16/debian/control
--- aide-0.16~b1/debian/control 2016-04-17 20:16:31.000000000 +0000
+++ aide-0.16/debian/control 2016-07-26 20:23:58.000000000 +0000
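Review bot: `if test "$aide_static_choice" == "yes"; then` in the new static-link branch relies on a `==` operator that POSIX `test` does not define, and configure runs under /bin/sh, so on a strictly POSIX shell such as Debian's default dash the comparison fails as an unexpected operator and the whole static probe is silently skipped rather than run. The portable spelling is `if test "$aide_static_choice" = "yes"; then`; the same line is reproduced in the generated configure hunk at +8110 and should be regenerated once configure.ac is fixed. A second, inferred point: AC_CHECK_LIB caches its answer in ac_cv_lib_audit_audit_log_user_message, so if the libaudit check just above this hunk (whose AC_MSG_ERROR is the hunk's first context line) already probed audit_log_user_message in -laudit, this second AC_CHECK_LIB will return the cached non-static result and never exercise `-static` linking; clearing the cache variable before the probe, e.g. `AS_UNSET([ac_cv_lib_audit_audit_log_user_message])`, would make the check meaningful. Note also that leaving action-if-found empty makes the macro define HAVE_LIBAUDIT (see the config.h.in and configure hunks) only on the static path, which looks unintended.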
@@ -20,7 +20,7 @@ Vcs-Git: https://anonscm.debian.org/git/pkg-aide/aide.git Vcs-Browser: https://anonscm.debian.org/cgit/pkg-aide/aide.git Homepage: http://aide.sourceforge.net -Standards-Version: 3.9.7 +Standards-Version: 3.9.8 Package: aide Architecture: any diff -Nru aide-0.16~b1/debian/patches/10-manpages.patch aide-0.16/debian/patches/10-manpages.patch --- aide-0.16~b1/debian/patches/10-manpages.patch 2016-04-17 20:16:31.000000000 +0000 +++ aide-0.16/debian/patches/10-manpages.patch 2016-07-26 20:23:58.000000000 +0000 @@ -1,10 +1,10 @@ Author: Marc Haber Description: Adjust manpages to fit debian specific configuration Forwarded: no -Last-Update: 2013-05-05 +Last-Update: 2016-07-26 --- a/doc/aide.1.in +++ b/doc/aide.1.in -@@ -81,19 +81,22 @@ +@@ -101,19 +101,22 @@ .PP .SH FILES @@ -22,7 +22,7 @@ Default aide output database. .SH SEE ALSO .BR aide.conf (5) - .BR http://www.cs.tut.fi/~rammer/aide/manual.html + .BR manual.html .SH BUGS -There are probably bugs in this release. Please report them -at http://sourceforge.net/projects/aide . Bug fixes are more than welcome. diff -Nru aide-0.16~b1/doc/aide.1 aide-0.16/doc/aide.1 --- aide-0.16~b1/doc/aide.1 2016-04-15 21:37:16.000000000 +0000 +++ aide-0.16/doc/aide.1 2016-07-25 21:09:52.000000000 +0000 @@ -1,4 +1,4 @@ -.TH AIDE 1 "Apr 15, 2016" "aide 0.16b1" "User Commands" +.TH AIDE 1 "Jul 25, 2016" "aide 0.16" "User Commands" .SH NAME \fBaide\fP \- Advanced Intrusion Detection Environment .SH SYNOPSIS @@ -6,8 +6,8 @@ \%[\fBparameters\fP] \%\fBcommand\fP .SH DESCRIPTION -\fBaide\fP is an intrusion detection system for checking the integrity -of files. +\fBAIDE\fP is an intrusion detection system for checking the integrity +of files. .SH COMMANDS .PP 
@@ -19,15 +19,15 @@ Initialize the database. You must initialize a database and move it to the appropriate place before you can use the \-\-check command. .IP "--update, -u" -Checks the database and updates the database non-interactively. +Checks the database and updates the database non-interactively. The input and output databases must be different. .IP "--compare, -E" -Compares two databases. They must be defined in configfile with +Compares two databases. They must be defined in config file with database= and database_new=. .IP "--config-check, -D" Stops after reading in the configuration file. Any errors will be reported. If \fBaide\fP was compiled with the \(dq\fB--with-dbhmackey\fR\(dq option, -a hash for the config file will be calculated. See the aide manual for more +a hash for the config file will be calculated. See the AIDE manual for more information. .SH PARAMETERS .IP "--config=\fBconfigfile\fR , -c \fBconfigfile\fR" @@ -35,10 +35,25 @@ .IP "--limit=\fBREGEX\fR , -l \fBREGEX\fR" Limit command to entries matching REGEX. Note that the REGEX only matches at the first position. + +.RS +.B Example +.RS 3 +Only check and update the database entries matching /etc (i.e. the /etc +directory) while leaving all other entries unchecked and unchanged: + +.RS 3 +.nf +aide --update --limit /etc +.fi +.RE +.RE +.RE + .IP "--before=\(dq\fBconfigparameters\fR\(dq , -B \(dq\fBconfigparameters\fR\(dq" These \fBconfigparameters\fR are handled before the reading of the configuration file. See aide.conf (5) for more details on what to put -here. +here. .IP "--after=\(dq\fBconfigparameters\fR\(dq , -A \(dq\fBconfigparameters\fR\(dq" These \fBconfigparameters\fR are handled after the reading of the configuration file. See aide.conf (5) for more details on what to put 
@@ -57,7 +72,7 @@ .PP .SH DIAGNOSTICS Normally, the exit status is 0 if no errors occurred. Except when the -.BR --check, +.BR --check , .BR --compare " or" .B --update command was requested, in which case the exit status is defined as: @@ -94,7 +109,7 @@ Default aide output database. .SH SEE ALSO .BR aide.conf (5) -.BR http://www.cs.tut.fi/~rammer/aide/manual.html +.BR manual.html .SH BUGS There are probably bugs in this release. Please report them at http://sourceforge.net/projects/aide . Bug fixes are more than welcome. diff -Nru aide-0.16~b1/doc/aide.1.in aide-0.16/doc/aide.1.in --- aide-0.16~b1/doc/aide.1.in 2016-04-15 21:31:27.000000000 +0000 +++ aide-0.16/doc/aide.1.in 2016-07-25 20:58:12.000000000 +0000 @@ -1,4 +1,4 @@ -.TH AIDE 1 "Apr 15, 2016" "aide 0.16b1" "User Commands" +.TH AIDE 1 "Jul 25, 2016" "aide 0.16" "User Commands" .SH NAME \fBaide\fP \- Advanced Intrusion Detection Environment .SH SYNOPSIS @@ -6,8 +6,8 @@ \%[\fBparameters\fP] \%\fBcommand\fP .SH DESCRIPTION -\fBaide\fP is an intrusion detection system for checking the integrity -of files. +\fBAIDE\fP is an intrusion detection system for checking the integrity +of files. .SH COMMANDS .PP 
@@ -19,15 +19,15 @@ Initialize the database. You must initialize a database and move it to the appropriate place before you can use the \-\-check command. .IP "--update, -u" -Checks the database and updates the database non-interactively. +Checks the database and updates the database non-interactively. The input and output databases must be different. .IP "--compare, -E" -Compares two databases. They must be defined in configfile with +Compares two databases. They must be defined in config file with database= and database_new=. .IP "--config-check, -D" Stops after reading in the configuration file. Any errors will be reported. If \fBaide\fP was compiled with the \(dq\fB--with-dbhmackey\fR\(dq option, -a hash for the config file will be calculated. See the aide manual for more +a hash for the config file will be calculated. See the AIDE manual for more information. .SH PARAMETERS .IP "--config=\fBconfigfile\fR , -c \fBconfigfile\fR" @@ -35,10 +35,25 @@ .IP "--limit=\fBREGEX\fR , -l \fBREGEX\fR" Limit command to entries matching REGEX. Note that the REGEX only matches at the first position. + +.RS +.B Example +.RS 3 +Only check and update the database entries matching /etc (i.e. the /etc +directory) while leaving all other entries unchecked and unchanged: + +.RS 3 +.nf +aide --update --limit /etc +.fi +.RE +.RE +.RE + .IP "--before=\(dq\fBconfigparameters\fR\(dq , -B \(dq\fBconfigparameters\fR\(dq" These \fBconfigparameters\fR are handled before the reading of the configuration file. See aide.conf (5) for more details on what to put -here. +here. .IP "--after=\(dq\fBconfigparameters\fR\(dq , -A \(dq\fBconfigparameters\fR\(dq" These \fBconfigparameters\fR are handled after the reading of the configuration file. See aide.conf (5) for more details on what to put 
@@ -57,7 +72,7 @@ .PP .SH DIAGNOSTICS Normally, the exit status is 0 if no errors occurred. Except when the -.BR --check, +.BR --check , .BR --compare " or" .B --update command was requested, in which case the exit status is defined as: @@ -94,7 +109,7 @@ Default aide output database. .SH SEE ALSO .BR aide.conf (5) -.BR http://www.cs.tut.fi/~rammer/aide/manual.html +.BR manual.html .SH BUGS There are probably bugs in this release. Please report them at http://sourceforge.net/projects/aide . Bug fixes are more than welcome. diff -Nru aide-0.16~b1/doc/aide.conf.5 aide-0.16/doc/aide.conf.5 --- aide-0.16~b1/doc/aide.conf.5 2016-04-15 21:37:16.000000000 +0000 +++ aide-0.16/doc/aide.conf.5 2016-07-25 21:09:52.000000000 +0000 
@@ -1,31 +1,31 @@ -.TH AIDE.CONF 5 "Apr 15, 2016" "aide 0.16b1" "AIDE" +.TH AIDE.CONF 5 "Jul 25, 2016" "aide 0.16" "AIDE" .SH NAME aide.conf - The configuration file for Advanced Intrusion Detection -Environment +Environment .PP .SH SYNOPSIS \fBaide.conf\fP is the configuration file for Advanced Intrusion Detection Environment. \fBaide.conf\fP contains the runtime -configuration aide uses to initiailize or check the aide database. +configuration aide uses to initialize or check the AIDE database. .PP .SH "FILE FORMAT" \fBaide.conf\fP is similar in to Tripwire(tm)'s configuration -file. With little effort tw.conf can be converted to aide.conf. +file. With little effort tw.conf can be converted to aide.conf. .PP -aide.conf is case-sensitive. Leading and trailing whitespaces are -ignored. +aide.conf is case-sensitive. Leading and trailing white spaces are +ignored. .PP There are three types of lines in \fBaide.conf\fP. First there are the configuration lines which are used to set configuration parameters and -define/undefine variables. Second, there are selection lines that are used -to indicate which files are added to the database. Third, macro lines -define or undefine variables within the config file. Lines beginning -with # are ignored as comments. +define/undefine variables. Second, there are (restricted) selection lines that +are used to indicate which files are added to the database. Third, macro lines +define or undefine variables within the config file. Lines beginning with # +are ignored as comments. .PP .SH "CONFIG LINES" .PP These lines have the format parameter=value. See URLS for a list of -valid urls. +valid urls. .PP .IP "database" The url from which database is read. There can only be one of these 
@@ -47,9 +47,9 @@ .RB ' E '. By default all compiled in checksums are added to the report. .IP "database_add_metadata" -Whether to add the Aide version and the time of database generation as comments +Whether to add the AIDE version and the time of database generation as comments to the database file or not. Valid values are yes, true, no and false. The -default is to add the Aide version and the time of database generation. This +default is to add the AIDE version and the time of database generation. This option may be set to no by default in a future release. .IP "verbose" The level of messages that is output. This value can be 0-255 @@ -60,7 +60,7 @@ .IP "report_url" The url that the output is written to. There can be multiple instances of this parameter. Output is written to all of them. The default is -stdout. +stdout. .IP "report_base16" Whether to base16 encode the checksums in the report or not. Valid values are yes, true, no and false. The default is to report checksums not in base16 but @@ -79,7 +79,7 @@ if zlib support is compiled in. .IP "root_prefix" The prefix to strip from each file name in the file system before applying the -rules and writing to database. Aide removes a trailing slash from the prefix. +rules and writing to database. AIDE removes a trailing slash from the prefix. The default is no (an empty) prefix. This option has no effect in compare mode. .IP "acl_no_symlink_follow" 
@@ -102,17 +102,17 @@ replaced by the file-type (\fBf\fP for a regular file, \fBd\fP for a directory, \fBl\fP for a symbolic link, \fBc\fP for a character device, \fBb\fP for a block device, \fBp\fP for a FIFO, \fBs\fP for a unix -socket, \fBD\fP for a Solaris door, \fBP\fP for a Port, \fB!\fP if file type -has changed and \fB?\fP otherwise). +socket, \fBD\fP for a Solaris door, \fBP\fP for a Solaris event port, \fB!\fP +if file type has changed and \fB?\fP otherwise). The Z is replaced as follows: A \fB=\fP means that the size has not changed, a \fB<\fP reports a shrinked size and a \fB>\fP reports a grown size. -The other letters in the string are the actual letters that will be output +The other letters in the string are the actual letters that will be output if the associated attribute for the item has been changed or a "." for no change, a "+" if the attribute has been added, a "-" if it has been removed, a ":" if the attribute is ignored (but not forced) or a " " if the attribute has -not been checked. The exceptions to this are: (1) a newly created file replaces +not been checked. The exceptions to this are: (1) a newly created file replaces each letter with a "+", and (2) a removed file replaces each letter with a "-". The attribute that is associated with each letter is as follows: @@ -198,17 +198,17 @@ .RE .RE .IP "config_version" -The value of config_version is printed in the report and also printed +The value of config_version is printed in the report and also printed to the database. This is for informational purposes only. It has no other functionality. .IP "Group definitions" If the parameter is not one of the previous parameters then it is regarded as a group definition. Value is then regarded as an -expression. Expression is of the following form. -.IP +expression. Expression is of the following form. +.IP .nf | + - | - + | - .fi .IP See DEFAULT GROUPS for an explanation of default predefined groups. 
@@ -216,19 +216,55 @@ .PP .SH "SELECTION LINES" .PP -aide supports three types of selection lines (regular, negative, equals) -Lines beginning with "/" are regular selection lines. Lines beginning -with "=" are equals selection lines. And lines beginning with "!" -are negative selection lines. The string following the first character -is taken as a regular expression matching to a complete filename, -including the path. In a regular selection rule the "/" is included in the -regular expression. Special characters in your filenames can be escaped -using two-digit URL encoding (for example, %20 to represent a space). -Following the regular expression is a group definition as explained above. +AIDE supports three types of selection lines: + +Regular selection line: +.RS 3 + +.nf +.B +.fi + +Files and directories matching the regular expression are added to the +database. + +.RE + +Negative selection line: +.RS 3 + +.nf +.B ! +.fi + +Files and directories matching the regular expression are ignored and not added +to the database. + +.RE + +Equals selection line: +.RS 3 + +.nf +.B = +.fi + +Files and directories matching the regular expression are added to the +database. The children of directories are only added if the regular expression +ends with a "/". The children of sub-directories are not added at all. + +.RE + +Every regular expression has to start with a "/". An implicit ^ is added in +front of each regular expression. In other words the regular expressions are +matched at the first position against the complete filename (i.e. including the +path). Special characters in your filenames can be escaped using two-digit URL +encoding (for example, %20 to represent a space). + See EXAMPLES and doc/aide.conf for examples. .PP More in-depth discussion of the selection algorithm can be found in -the aide manual. +the AIDE manual. .IP .PP .SH "RESTRICTED SELECTION LINES" 
@@ -250,7 +286,7 @@ \fBp\fP: restrict rule to FIFO files -\fBs\fP: restrict rule to unix sockets +\fBs\fP: restrict rule to UNIX sockets \fBD\fP: restrict rule to Solaris doors @@ -263,7 +299,7 @@ Restricted regular selection line: .RS 3 .nf -.B / +.B .fi .RE @@ -330,9 +366,9 @@ logic of @@ifdef statement but otherwise works similarly. .IP "@@ifhost \fBhostname\fR, @@ifnhost \fBhostname\fR" @@ifhost works like @@ifdef only difference is that it checks whether -\fBhostname\fR equals the name of the host that aide is running on. +\fBhostname\fR equals the name of the host that AIDE is running on. \fBhostname\fR is the name of the host without the domainname -(hostname, not hostname.aide.org). +(hostname, not hostname.example.com). .IP "@@{\fBVAR\fR}" @@{\fBVAR\fR} is replaced with the value of the variable \fBVAR\fR. If variable \fBVAR\fR is not defined an empty string is used. Unlike @@ -343,7 +379,7 @@ .IP "@@endif" Ends an if statement. .IP "@@include \fBVAR\fR" -Includes the file \fBVAR\fR. The content of the file is used as if it +Includes the file \fBVAR\fR. The content of the file is used as if it were inserted in this part of the config file. .PP .SH URLS @@ -356,7 +392,7 @@ Input is read from stdin. .IP "file://\fBfilename\fR" Input is read from \fBfilename\fR or output is written to -\fBfilename\fR. +\fBfilename\fR. .IP "fd:\fBnumber\fR" Input is read from filedescriptor \fBnumber\fR or output is written to \fBnumber\fR. @@ -391,7 +427,7 @@ .IP "L: p+ftype+i+l+n+u+g+X" .IP "E: Empty group" .IP "X: acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled)" -.IP ">: Growing logfile p+ftype+l+u+g+i+n+S+X" +.IP ">: Growing file p+ftype+l+u+g+i+n+S+X" .LP And also the following if you have mhash support enabled .IP "gost: gost checksum" 
@@ -415,21 +451,28 @@ .PP .SH EXAMPLES .IP -.B "/ R" +.B "/ R" .LP -This adds all files on your machine to the database. This is one line +This adds all files on your machine to the database. This one line is a fully qualified configuration file. .IP .B "!/dev" .LP This ignores the /dev directory structure. .IP -.B "=/tmp" +.B "=/foo R" +.LP +Only /foo and /foobar are taken into the database. None of their children are +added. +.IP +.B "=/foo/ R" .LP -Only /tmp is taken into the database. None of its children are added. -.IP +Only /foo and its children (e.g. /foo/file and /foo/directory) are taken into +the database. The children of sub-directories (e.g. /foo/directory/bar) are not +added. +.IP .B "\fBAll\fR=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160" -.LP +.LP This line defines group \fBAll\fR. It has all attributes and all md checksum functions. If you absolutely want all digest functions then you should enable mhash support and add 
@@ -437,32 +480,15 @@ \fBAll\fR. Mhash support can only be enabled at compile-time. .PP .SH HINTS -.IP -.B "=/foo p+i+l+n+u+g+s+m+c+md5" -.IP -.B "/foo/bar p+i+l+n+u+g+s+m+c+md5" -.LP -This config adds all files under /foo because they match to regex /foo, -which is equivalent to /foo.* . What you probably want is: -.IP -.B "=/foo$ p+i+l+n+u+g+s+m+c+md5" -.IP -.B "/foo/bar p+i+l+n+u+g+s+m+c+md5" -.LP -Note that the following still works as expected because =/foo$ stop -recuring of directory /foo. -.IP -.B "=/foo p+i+l+n+u+g+s+m+c+md5" -.LP In the following, the first is not allowed in AIDE. Use the latter instead. .IP .B "/foo epug" -.IP +.IP .B "/foo e+p+u+g" .PP .SH "SEE ALSO" .BR aide (1) -.BR http://www.cs.tut.fi/~rammer/aide/manual.html +.BR manual.html .SH DISCLAIMER All trademarks are the property of their respective owners. No animals were harmed while making this webpage or this piece of diff -Nru aide-0.16~b1/doc/aide.conf.5.in aide-0.16/doc/aide.conf.5.in --- aide-0.16~b1/doc/aide.conf.5.in 2016-04-15 21:31:27.000000000 +0000 +++ aide-0.16/doc/aide.conf.5.in 2016-07-25 20:58:12.000000000 +0000 
@@ -1,31 +1,31 @@ -.TH AIDE.CONF 5 "Apr 15, 2016" "aide 0.16b1" "AIDE" +.TH AIDE.CONF 5 "Jul 25, 2016" "aide 0.16" "AIDE" .SH NAME aide.conf - The configuration file for Advanced Intrusion Detection -Environment +Environment .PP .SH SYNOPSIS \fBaide.conf\fP is the configuration file for Advanced Intrusion Detection Environment. \fBaide.conf\fP contains the runtime -configuration aide uses to initiailize or check the aide database. +configuration aide uses to initialize or check the AIDE database. .PP .SH "FILE FORMAT" \fBaide.conf\fP is similar in to Tripwire(tm)'s configuration -file. With little effort tw.conf can be converted to aide.conf. +file. With little effort tw.conf can be converted to aide.conf. .PP -aide.conf is case-sensitive. Leading and trailing whitespaces are -ignored. +aide.conf is case-sensitive. Leading and trailing white spaces are +ignored. .PP There are three types of lines in \fBaide.conf\fP. First there are the configuration lines which are used to set configuration parameters and -define/undefine variables. Second, there are selection lines that are used -to indicate which files are added to the database. Third, macro lines -define or undefine variables within the config file. Lines beginning -with # are ignored as comments. +define/undefine variables. Second, there are (restricted) selection lines that +are used to indicate which files are added to the database. Third, macro lines +define or undefine variables within the config file. Lines beginning with # +are ignored as comments. .PP .SH "CONFIG LINES" .PP These lines have the format parameter=value. See URLS for a list of -valid urls. +valid urls. .PP .IP "database" The url from which database is read. There can only be one of these 
@@ -47,9 +47,9 @@ .RB ' E '. By default all compiled in checksums are added to the report. .IP "database_add_metadata" -Whether to add the Aide version and the time of database generation as comments +Whether to add the AIDE version and the time of database generation as comments to the database file or not. Valid values are yes, true, no and false. The -default is to add the Aide version and the time of database generation. This +default is to add the AIDE version and the time of database generation. This option may be set to no by default in a future release. .IP "verbose" The level of messages that is output. This value can be 0-255 @@ -60,7 +60,7 @@ .IP "report_url" The url that the output is written to. There can be multiple instances of this parameter. Output is written to all of them. The default is -stdout. +stdout. .IP "report_base16" Whether to base16 encode the checksums in the report or not. Valid values are yes, true, no and false. The default is to report checksums not in base16 but @@ -79,7 +79,7 @@ if zlib support is compiled in. .IP "root_prefix" The prefix to strip from each file name in the file system before applying the -rules and writing to database. Aide removes a trailing slash from the prefix. +rules and writing to database. AIDE removes a trailing slash from the prefix. The default is no (an empty) prefix. This option has no effect in compare mode. .IP "acl_no_symlink_follow" 
@@ -102,17 +102,17 @@ replaced by the file-type (\fBf\fP for a regular file, \fBd\fP for a directory, \fBl\fP for a symbolic link, \fBc\fP for a character device, \fBb\fP for a block device, \fBp\fP for a FIFO, \fBs\fP for a unix -socket, \fBD\fP for a Solaris door, \fBP\fP for a Port, \fB!\fP if file type -has changed and \fB?\fP otherwise). +socket, \fBD\fP for a Solaris door, \fBP\fP for a Solaris event port, \fB!\fP +if file type has changed and \fB?\fP otherwise). The Z is replaced as follows: A \fB=\fP means that the size has not changed, a \fB<\fP reports a shrinked size and a \fB>\fP reports a grown size. -The other letters in the string are the actual letters that will be output +The other letters in the string are the actual letters that will be output if the associated attribute for the item has been changed or a "." for no change, a "+" if the attribute has been added, a "-" if it has been removed, a ":" if the attribute is ignored (but not forced) or a " " if the attribute has -not been checked. The exceptions to this are: (1) a newly created file replaces +not been checked. The exceptions to this are: (1) a newly created file replaces each letter with a "+", and (2) a removed file replaces each letter with a "-". The attribute that is associated with each letter is as follows: @@ -198,17 +198,17 @@ .RE .RE .IP "config_version" -The value of config_version is printed in the report and also printed +The value of config_version is printed in the report and also printed to the database. This is for informational purposes only. It has no other functionality. .IP "Group definitions" If the parameter is not one of the previous parameters then it is regarded as a group definition. Value is then regarded as an -expression. Expression is of the following form. -.IP +expression. Expression is of the following form. +.IP .nf | + - | - + | - .fi .IP See DEFAULT GROUPS for an explanation of default predefined groups. 
@@ -216,19 +216,55 @@ .PP .SH "SELECTION LINES" .PP -aide supports three types of selection lines (regular, negative, equals) -Lines beginning with "/" are regular selection lines. Lines beginning -with "=" are equals selection lines. And lines beginning with "!" -are negative selection lines. The string following the first character -is taken as a regular expression matching to a complete filename, -including the path. In a regular selection rule the "/" is included in the -regular expression. Special characters in your filenames can be escaped -using two-digit URL encoding (for example, %20 to represent a space). -Following the regular expression is a group definition as explained above. +AIDE supports three types of selection lines: + +Regular selection line: +.RS 3 + +.nf +.B +.fi + +Files and directories matching the regular expression are added to the +database. + +.RE + +Negative selection line: +.RS 3 + +.nf +.B ! +.fi + +Files and directories matching the regular expression are ignored and not added +to the database. + +.RE + +Equals selection line: +.RS 3 + +.nf +.B = +.fi + +Files and directories matching the regular expression are added to the +database. The children of directories are only added if the regular expression +ends with a "/". The children of sub-directories are not added at all. + +.RE + +Every regular expression has to start with a "/". An implicit ^ is added in +front of each regular expression. In other words the regular expressions are +matched at the first position against the complete filename (i.e. including the +path). Special characters in your filenames can be escaped using two-digit URL +encoding (for example, %20 to represent a space). + See EXAMPLES and doc/aide.conf for examples. .PP More in-depth discussion of the selection algorithm can be found in -the aide manual. +the AIDE manual. .IP .PP .SH "RESTRICTED SELECTION LINES" 
@@ -250,7 +286,7 @@ \fBp\fP: restrict rule to FIFO files -\fBs\fP: restrict rule to unix sockets +\fBs\fP: restrict rule to UNIX sockets \fBD\fP: restrict rule to Solaris doors @@ -263,7 +299,7 @@ Restricted regular selection line: .RS 3 .nf -.B / +.B .fi .RE @@ -330,9 +366,9 @@ logic of @@ifdef statement but otherwise works similarly. .IP "@@ifhost \fBhostname\fR, @@ifnhost \fBhostname\fR" @@ifhost works like @@ifdef only difference is that it checks whether -\fBhostname\fR equals the name of the host that aide is running on. +\fBhostname\fR equals the name of the host that AIDE is running on. \fBhostname\fR is the name of the host without the domainname -(hostname, not hostname.aide.org). +(hostname, not hostname.example.com). .IP "@@{\fBVAR\fR}" @@{\fBVAR\fR} is replaced with the value of the variable \fBVAR\fR. If variable \fBVAR\fR is not defined an empty string is used. Unlike @@ -343,7 +379,7 @@ .IP "@@endif" Ends an if statement. .IP "@@include \fBVAR\fR" -Includes the file \fBVAR\fR. The content of the file is used as if it +Includes the file \fBVAR\fR. The content of the file is used as if it were inserted in this part of the config file. .PP .SH URLS @@ -356,7 +392,7 @@ Input is read from stdin. .IP "file://\fBfilename\fR" Input is read from \fBfilename\fR or output is written to -\fBfilename\fR. +\fBfilename\fR. .IP "fd:\fBnumber\fR" Input is read from filedescriptor \fBnumber\fR or output is written to \fBnumber\fR. @@ -391,7 +427,7 @@ .IP "L: p+ftype+i+l+n+u+g+X" .IP "E: Empty group" .IP "X: acl+selinux+xattrs+e2fsattrs (if groups are explicitly enabled)" -.IP ">: Growing logfile p+ftype+l+u+g+i+n+S+X" +.IP ">: Growing file p+ftype+l+u+g+i+n+S+X" .LP And also the following if you have mhash support enabled .IP "gost: gost checksum" 
@@ -415,21 +451,28 @@ .PP .SH EXAMPLES .IP -.B "/ R" +.B "/ R" .LP -This adds all files on your machine to the database. This is one line +This adds all files on your machine to the database. This one line is a fully qualified configuration file. .IP .B "!/dev" .LP This ignores the /dev directory structure. .IP -.B "=/tmp" +.B "=/foo R" +.LP +Only /foo and /foobar are taken into the database. None of their children are +added. +.IP +.B "=/foo/ R" .LP -Only /tmp is taken into the database. None of its children are added. -.IP +Only /foo and its children (e.g. /foo/file and /foo/directory) are taken into +the database. The children of sub-directories (e.g. /foo/directory/bar) are not +added. +.IP .B "\fBAll\fR=p+i+n+u+g+s+m+c+a+md5+sha1+tiger+rmd160" -.LP +.LP This line defines group \fBAll\fR. It has all attributes and all md checksum functions. If you absolutely want all digest functions then you should enable mhash support and add 
@@ -437,32 +480,15 @@ \fBAll\fR. Mhash support can only be enabled at compile-time. .PP .SH HINTS -.IP -.B "=/foo p+i+l+n+u+g+s+m+c+md5" -.IP -.B "/foo/bar p+i+l+n+u+g+s+m+c+md5" -.LP -This config adds all files under /foo because they match to regex /foo, -which is equivalent to /foo.* . What you probably want is: -.IP -.B "=/foo$ p+i+l+n+u+g+s+m+c+md5" -.IP -.B "/foo/bar p+i+l+n+u+g+s+m+c+md5" -.LP -Note that the following still works as expected because =/foo$ stop -recuring of directory /foo. -.IP -.B "=/foo p+i+l+n+u+g+s+m+c+md5" -.LP In the following, the first is not allowed in AIDE. Use the latter instead. .IP .B "/foo epug" -.IP +.IP .B "/foo e+p+u+g" .PP .SH "SEE ALSO" .BR aide (1) -.BR http://www.cs.tut.fi/~rammer/aide/manual.html +.BR manual.html .SH DISCLAIMER All trademarks are the property of their respective owners. No animals were harmed while making this webpage or this piece of diff -Nru aide-0.16~b1/doc/aide.conf.in aide-0.16/doc/aide.conf.in --- aide-0.16~b1/doc/aide.conf.in 2016-04-15 21:30:16.000000000 +0000 +++ aide-0.16/doc/aide.conf.in 2016-07-25 20:56:55.000000000 +0000 @@ -91,7 +91,7 @@ #R: p+ftype+i+l+n+u+g+s+m+c+md5 #L: p+ftype+i+l+n+u+g #E: Empty group -#>: Growing logfile p+ftype+l+u+g+i+n+S +#>: Growing file p+ftype+l+u+g+i+n+S #The following are available if you have mhash support enabled: #gost: gost checksum #whirlpool: whirlpool checksum diff -Nru aide-0.16~b1/doc/manual.html aide-0.16/doc/manual.html --- aide-0.16~b1/doc/manual.html 2016-04-15 21:31:27.000000000 +0000 +++ aide-0.16/doc/manual.html 2016-07-25 20:58:12.000000000 +0000 @@ -1,79 +1,82 @@ - -AIDE Manual version 0.16b1 - - + + + +AIDE Manual version 0.16 - +

The AIDE manual

- -

About this document

+

About this document

+

This manual is by no means complete, usable, readable, comprehensible,
-or error free.
+or error free.
+

-If you have any corrections, additions or constructive comments, please
+If you have any corrections, additions or constructive comments, please
report them as bugs, patches or feature requests here.

-This document was originally written by Rami Lehti
-<rammer@cs.tut.fi>
+

+This document was originally written by Rami Lehti
+<rammer@cs.tut.fi>
with additions made by Marc Haber
-<mh+aide-manual@zugschlus.de>
+<mh+aide-manual@zugschlus.de>
+, Richard van den Berg
+<richard@vdberg.org>
+and Hannes von Haugwitz .
+

- -

Table of Contents

+

Table of Contents

    -
  1. About this document -
  2. Table of Contents -
  3. What is AIDE? -
  4. Compiling AIDE -
  5. Configuration -
  6. Usage -
  7. Database and config signing -
  8. General guidelines for security +
  9. About this document
  10. +
  11. Table of Contents
  12. +
  13. What is AIDE?
  14. +
  15. Compiling AIDE
  16. +
  17. Configuration
  18. +
  19. Usage
  20. +
  21. Database and config signing
  22. +
  23. Miscellaneous
  24. +
  25. General guidelines for security
- -

What is AIDE?

+ +

What is AIDE?

AIDE (Advanced Intrusion Detection Environment) is an intrusion detection program. More specifically a file integrity checker.

AIDE constructs a database of the files specified in aide.conf, AIDE's configuration file.
-The AIDE database stores various file attributes including:
-permissions, inode number, user, group, file size, mtime and ctime,
+The AIDE database stores various file attributes including:
+file type, permissions, inode number, user, group, file size, mtime and ctime,
atime, growing size, number of links and link name. AIDE also creates a cryptographic checksum or hash of each file using one or a combination of the following message digest algorithms: sha1,
-sha256, sha512, md5, rmd160, tiger (gost and whirlpool can be compiled
-in if mhash support is available).
-Additionaly, the extended attributes acl, xattr and selinux can be used when
-expliticly enabled during compile time.
+sha256, sha512, md5, rmd160, tiger, haval, crc32 (gost and whirlpool can be
+compiled in if mhash support is available).
+Additionally, the attributes acl, xattr, selinux and e2fsattrs can be used when
+explicitly enabled during compile time.

Typically, a system administrator will create an AIDE database on a new system before it is brought onto the network. This first AIDE database is a snapshot of the system in it's normal state and the yardstick by which all subsequent updates and changes will be measured. The database should contain information about key system
-binaries, libraries, header files, all files
-that are expected to remain the same over time. The database probably
+binaries, libraries, header files, all files
+that are expected to remain the same over time. The database probably
should not contain information about files which change frequently like log files, mail spools, proc filesystems, user's home directories, or temporary directories.

-After a break-in, an administrator may begin by examinining the system
-using system tools like ls, ps, netstat, and who ---
+After a break-in, an administrator may begin by examining the system
+using system tools like ls, ps, netstat, and who ---
the very tools most likely to be trojaned. Imagine that ls has been
-doctored to not show
+doctored to not show
any file named "sniffedpackets.log" and that ps and netstat have been
-rewritten to not show any information for a process named
-"sniffdaemond".
+rewritten to not show any information for a process named
+"sniffdaemond".
Even an administrator who had previously printed out on paper the dates and sizes of these key system files can not be certain by comparison that they have not been modified in some way. File dates

Unfortunately, AIDE can not provide absolute sureness about change in
-files. Like any other system file, AIDE's binary and/or database can
+files. Like any other system file, AIDE's binary and/or database can
also be altered.

- -

Compiling AIDE

-

I'm in a hurry. Bottomline about compilation.

+ +

Compiling AIDE

+

I'm in a hurry. Bottom line about compilation.

-After you have installed all the necessary sofware do
-./configure;make;make install in the main AIDE
+After you have installed all the necessary software do
+./configure;make;make install in the main AIDE
directory of the unpacked source tree. You should carefully think about the configuration and what a possible hacker can do if he/her/they/it has root access.

Getting all that is needed

-Before you can compile AIDE you must have certain things.
+Before you can compile AIDE you must have certain things:
+

-Please check to see if there are mirrors available.

+

Please check to see if there are mirrors available.

Once you have the source code of AIDE you should unpack it. If you have GNU tar then the command is tar zxvf
-aide-version.tar.gz .
+aide-<VERSION_NUMBER>.tar.gz
+

+

Source Code Verification

+

+It is highly recommended to verify the signature of your
+downloaded source code. You can either verify the source tarball or the git
+tag.
+

+

+To check the supplied signature with GnuPG: +

+
+
+$ gpg --verify aide-<VERSION_NUMBER>.tar.gz.asc
+
+
+

+To validate the gpg signature of the git tag: +

+
+
+$ git verify-tag v<VERSION_NUMBER>
+
+
+

The current public key is published on aide.sourceforge.net.

+

+If you do not have that key, you can get it from one of the well known PGP key
+servers.
+

+

+You have to make sure that the key you install is not a faked one. You
+can do this with reasonable assurance by comparing the output of
+

+
+
+$ gpg --fingerprint 0x<KEYID>
+
+
+

+with the fingerprint published elsewhere.

Compile-time configuration

Next you must use the configure script found in AIDE's source code package to configure the compilation process.

There are several options you can select to configure. You can find out -what options are available with ./configure --help +what options are available with ./configure --help command. Most of the time you do not need to give any options. You can just use configure without any parameters.

-If you want to change the directory where AIDE is installed you can +If you want to change the directory where AIDE is installed you can use --prefix option. For example ./configure --prefix=/usr - +

Compilation and installation

The compilation is done by simply typing make. You can now type make install to install the binary and the manual pages. The binary however should be installed on read-only -media or in some other tamperproof place. Also the databases should +media or in some other tamperproof place. Also the databases should be kept somewhere where a possible intruder cannot change them.

- -

Configuration

+ +

Configuration

Next you have to create a configuration file. You can find more documentation for this in aide.conf(5) manual page.

There are three types of lines in aide.conf: +

    -
  • configuration lines - used to set configuration parameters and -define/undefine variables -
  • selection lines - indicate which files will be added to the database -
  • macro lines - define or undefine variables within the the config file +
  • configuration lines - used to set configuration parameters and define/undefine variables
  • +
  • (restricted) selection lines - indicate which files will be added to the database
  • +
  • macro lines - define or undefine variables within the config file
+

Lines beginning with # are ignored as comments.

@@ -169,7 +211,7 @@

 #AIDE conf
 
-   # Here are all the things we can check - these are the default rules 
+   # Here are all the things we can check - these are the default rules
    #
    #p:      permissions
    #ftype:  file type
@@ -196,7 +238,7 @@
    #R:      p+ftupe+i+l+n+u+g+s+m+c+md5
    #L:      p+ftype+i+l+n+u+g
    #E:      Empty group
-   #>:      Growing logfile p+ftype+l+u+g+i+n+S
+   #>:      Growing file p+ftype+l+u+g+i+n+S
    #The following are available if you have mhash support enabled:
    #gost:   gost checksum
    #whirlpool: whirlpool checksum
@@ -207,16 +249,16 @@
    #xattrs:  extended file attributes
    #e2fsattrs: file attributes on a second extended file system
 
-   # You can alse create custom rules - my home made rule definition goes like this 
+   # You can also create custom rules - my home made rule definition goes like this
    #
-   MyRule = p+i+n+u+g+s+b+m+c+md5+sha1 
+   MyRule = p+i+n+u+g+s+b+m+c+md5+sha1
 
    # Next decide what directories/files you want in the database
 
    /etc p+i+u+g     #check only permissions, inode, user and group for etc
-   /bin MyRule      # apply the custom rule to the files in bin 
-   /sbin MyRule     # apply the same custom rule to the files in sbin 
-   /var MyRule		
+   /bin MyRule      # apply the custom rule to the files in bin
+   /sbin MyRule     # apply the same custom rule to the files in sbin
+   /var MyRule
    !/var/log/.*     # ignore the log dir it changes too often
    !/var/spool/.*   # ignore spool dirs as they change too often
    !/var/adm/utmp$  # ignore the file /var/adm/utmp
@@ -226,23 +268,23 @@
 
 
 
-

Here we include files in /etc, /bin and /sbin. We also include -/var but ignore /var/log, /var/spool and a single file /var/adm/utmp. +

Here we include files in /etc, /bin and /sbin. We also include +/var but ignore /var/log, /var/spool and a single file /var/adm/utmp.

It is generally a good idea to ignore directories that frequently -change, unless you want to read long reports. +change, unless you want to read long reports. It is good practice to exclude tmp directories, mail spools, log directories, proc filesystems, user's home directories, web content -directories, anything that changes regularly. It is also good practice to +directories, anything that changes regularly. It is also good practice to include all system binaries, libraries, include files, system source -files. It will also be a good idea to include directories you don't -often look in like /dev /usr/man/.*usr/. Of course you'll want to -include as many files as practical, but think about what you include. +files. It will also be a good idea to include directories you don't +often look in like /dev /usr/man/.*usr/. Of course you'll want to +include as many files as practical, but think about what you include.

One example: If you have a block device whose owner is changing frequently, you can -configure aide to just +configure aide to just check the attributes that do not normally change (inode, number of links, ctime).

@@ -251,59 +293,66 @@ the end of the regexp. This matches to the name of the file exactly and does not include any other files that might have the same beginning. In the example, all filenames beginning with -/var/adm/utmp would be ignored if there were no dollar sign at the +/var/adm/utmp would be ignored if there were no dollar sign at the end of the last line. An intruder could then create a -directory called /var/adm/utmp_root_kit and place all the files +directory called /var/adm/utmp_root_kit and place all the files he/she/they wanted there and they would be ignored by AIDE.

+

Special group definitions

There are several special group definitions to tweak what attributes are printed in the report. First report_force_attrs lists those attributes that are always printed from changed files. For example, if you say +

 report_force_attrs = u+g
 
+

and the size of a file changes, it's user and group id will also be printed -in the report. Secondly, report_ignore_added_attrs, +in the report. Secondly, report_ignore_added_attrs, report_ignore_removed_attrs and report_ignore_changed_attrs define which attributes to ignore from the report. For example, if you define +

 report_ignore_changed_attrs = b
 
-and this size of a file changes, it's block count will not be printed in the +

+and the size of a file changes, it's block count will not be printed in the report, even if it did change as well.

+

+If an attribute is both ignored and forced the attribute is not considered for +file change but printed in the final report if the file has been otherwise +changed. +

Troubleshooting your config

Making a config file is a lot of hard work and must be done on a case -by case bases. Don't give up simply because you don't get it right +by case bases. Don't give up simply because you don't get it right the first time around. This section gives you a few hints on how to debug -your config. +your config.

-You can use aide --verbose=255 to generate a lot of debug -output to help you see which files get added and which are discarded. +You can use aide --verbose=255 to generate a lot of debug +output to help you see which files get added and which are discarded. The following section gives some more information about AIDE's rule matching algorithm.

Understanding AIDE rule matching

Before reading this you should have basic understanding of how regular -expressions work. There are several good books about this. Several -Perl-books also have decent explanations about this subject. Just -remember that Perl has some extensions to the standard regexps. -There are also some differences in how different platforms handle -regexps if you are using your platforms own regexp implementation. -For example GNU regexps have their own extensions. Try reading the -manual page of your system in this case. It might be a pain to read -but it is worth it. +expressions in general and Perl Compatible Regular Expressions in particular +work. There are several good books about this. Several Perl-books also have +decent explanations about this subject.

As you already know, aide has three types of selection lines: +

  • Regular selection lines, beginning with "/".
  • Equals selection lines, beginning with "=".
  • Negative selection lines, beginning with "!".
+

The string following the first character is taken as a regular expression matching to a complete filename, including the path. In a regular selection rule, the slash is included in the regular @@ -331,23 +380,25 @@

The algorithm that aide uses for rule matching is described in the following paragraphs. The pseudocode is an adaption from src/gen_list.c. - +

+
 check_node_for_match(node,filename,first_time)
-	if (first_time)
-        	check(equals list for this node)
+    if (first_time)
+            check(equals list for this node)
 
-	check(regular list for this node)
+    check(regular list for this node)
 
-	if (node is not the root node)
-		check_node_for_match(nodes parent,filename,false)
+    if (node is not the root node)
+        check_node_for_match(nodes parent,filename,false)
 
-	if (this file is about to be added)
-		check(negative list for this node)
+    if (this file is about to be added)
+        check(negative list for this node)
 
-	return (info about whether this file should be added or not and how)
-
+ return (info about whether this file should be added or not and how) +
+

When aide needs to determine whether a file found in the file system is to be checked, it first determines the deepest possible node x to match the current file against (that algorithm is not part of the @@ -364,48 +415,29 @@

There are some side-effects from this algorithm that might seem strange at first. For example if you have the following rules: - -

-/ R
-=/etc R+a
-!/etc/ppp/logs
-
- -The result would be that /etc and all files in it and in /etc/ppp -except /etc/ppp/logs would be added to the database. This is perfectly -normal. This happens because the =/etc matches not only /etc but all -the files under it. Remember that regexps match always just the part -they are referring to. The rest of the line is included by default. -So =/etc$ R+a would be the correct form. If you don't -have the !/etc/ppp/logs you would get the results that -you are looking for because there is no node /etc in the regexp -tree and there for it is not checked when AIDE constructs the list of -files to add to the database. But when you have the negative rules the -nodes /etc and /etc/ppp get created and they get checked when the file -list is generated. So the =/etc is used to find a match in those nodes -and it succeeds.

-

-Consider the following rules: -

+
 / R
 =/var/log/messages$ R+a
 !/var/log/messages.*
-
+ +

This is what you might write if you want to check /var/log/messages but not /var/log/messages.0 and /var/log/messages.1 etc. However since the negative selection rules are checked last and .* can match to an empty string /var/log/messages is not added to the database. The following is a more correct way of doing it. - +

+
 / R
 =/var/log/messages$ R+a
 !/var/log/messages\.[0-9]$
-
+ +

Now only messages files ending in number 0-9 are not included in the database. Note an intruder could disguise a rootkit by creating a directory called messages.9. If messages.9 does not already exist that @@ -413,13 +445,15 @@

Consider the following rules: - +

+
 / n+p+l+i+u+g+s+b+m+c+md5+sha1+rmd160+haval+gost+crc32+tiger
 /etc$ n+p+l+i+u+g
 /etc/resolv.conf$ n+p+l+u+g
-
+ +

This way, changing /etc/resolv.conf will also report /etc as having their mtime and ctime changed, even if /etc is configured not to be checked for mtime and ctime. The reason is that aide only uses a @@ -430,41 +464,43 @@

Rearranging the configuration like this: - +

+
 /etc/resolv.conf$ n+p+l+u+g
 /etc$ n+p+l+i+u+g
 / n+p+l+i+u+g+s+b+m+c+md5+sha1+rmd160+haval+gost+crc32+tiger
-
+ +

will solve the issue. It is generally a good idea to write the most general rules last.

- -

Usage

+ +

Usage

First you must create a database against which future checks are performed. This should be done immediately after the operating system and applications have been installed, before the machine is plugged -into a network. You can do this by giving the command -aide --init. +into a network. You can do this by giving the command +aide --init. This creates a database that contains all of the files that you -selected in your config file. The newly created database should now be +selected in your config file. The newly created database should now be moved to a secure location such as read-only media. You should also place the configuration file and the AIDE binary and preferably the manual pages and this manual on that media also. Please remember to edit the configuration file so that the input database is read from -that read-only media. The config file should not be kept on the +that read-only media. The config file should not be kept on the target machine. The attacker could read the config file and alter it and if he does alter it he could place his rootkit in a place that -AIDE does not check. So the read-only media should be accessible only +AIDE does not check. So the read-only media should be accessible only during the check.

Now you are all set to go. You can now check the integrity of the files. This can be done by giving the command aide --check. AIDE now reads the database and compares it to the files found on the -disk. AIDE may find changes in places that might not expect. For +disk. AIDE may find changes in places that you might not expect. For instance tty devices often change owners and permissions. You may want to read long reports and that is up to you to decide. But most of us do not have the time or the inclination read through tons of garbage @@ -487,7 +523,7 @@ creates a new database. This database should now be placed on that read-only media along with the new config file. The check, trim, update cycle should be repeated as long as necessary. I recommend that -the config file should be reviewed once in a while. The definition of +the config file should be reviewed once in a while. The definition of "a while" depends on your paranoia. Some might want do it daily after each check. Some might want to do it weekly.

@@ -502,16 +538,17 @@

There is also an alternative way of doing this. This method may be preferable for people that have lots of machines that run aide. -You can run -aide --init +You can run +aide --init on all of the hosts and move the generated databases to a central host -where you compare different versions of the databases with +where you compare different versions of the databases with aide --compare This has the benefit of freeing up resources on the monitored machines. +

+ - -

Database and config signing

+

Database and config signing

The security of AIDE can be increased by signing the configuration and/or database. When a database is signed, and it is changed manually, AIDE will @@ -522,6 +559,7 @@

To make use of the signing features, use these options to the configure script: +

--with-confighmactype=TYPE @@ -539,7 +577,7 @@ 31 chars.
- --with-dbhmactype=TYPE + --with-dbhmactype=TYPE
Hash type to use for checking db. Valid values are @@ -550,15 +588,13 @@
HMAC hash key to use for checking db. Must be a base64 - encoded byte stream. Maximum string lentgth is 31 + encoded byte stream. Maximum string length is 31 chars.
- +

The base64 encoding was chosen so that the keys are not limited to printable -characters. You can use a local base64 tool or an -online -base64 encoder +characters. You can use a local base64 tool to convert the keys to the right format. Then run configure, for example:

@@ -572,6 +608,7 @@

To make the presence of a valid signature mandatory, the following configure options can be used: +

@@ -589,6 +626,7 @@
+

It is also possible to edit the config.h file by hand, and changing the values of the FORCEDBMD and FORCECONFIGMD macros. @@ -599,6 +637,7 @@ --init or aide --update. The hash for the aide.conf configuration file can be obtained by running aide --config-check: +

 $ aide --config-check
@@ -609,9 +648,11 @@
 > @@end_config
 
+

The @@begin_config and @@end_config can be added to the aide.conf file manually, or the output of aide --config-check can be directly piped into patch: +

 $ aide --config-check | patch
@@ -625,6 +666,7 @@
 patching file /etc/aide.conf
 
+

Using forced_configmd will make AIDE refuse to use unsigned configuration files. This also disables the --config-check option. This only makes sense if you already have a signed configuration, or @@ -632,22 +674,21 @@ configurations for you.

- -

Miscellaneous

+ +

Miscellaneous

The AIDE database can be used to find the real names and places of files that have been moved to lost+found directory by fsck.

- -

General guidelines for security

+ +

General guidelines for security

    -
  1. Do not assume anything -
  2. Trust no-one,nothing -
  3. Nothing is secure -
  4. Security is a trade-off with usability -
  5. Paranoia is your friend +
  6. Do not assume anything
  7. +
  8. Trust no-one,nothing
  9. +
  10. Nothing is secure
  11. +
  12. Security is a trade-off with usability
  13. +
  14. Paranoia is your friend
-
diff -Nru aide-0.16~b1/NEWS aide-0.16/NEWS
--- aide-0.16~b1/NEWS 2016-04-15 21:30:16.000000000 +0000
+++ aide-0.16/NEWS 2016-07-25 20:56:55.000000000 +0000
@@ -3,7 +3,7 @@
 - Negative selection lines of the form '! ' are no longer supported (use '!' instead) - The switch to Perl 5 Compatible Regular Expressions and the fix of
- '.*'-rule matching may result in different rule matching behaviour.
+ '.*'-rule matching may result in different rule matching behaviour
 * Support restricted selection lines * Switch to PCRE library (drops bundled GNU regexp library) * New config options:
@@ -27,6 +27,7 @@
 - adjust file type letters in summarize_changes output - add numeric timezone to time string - add info about verbose level to report if it differs from standard
+ value
 - add info about number of entries if aide found no changes or the database has been initialized - add run time to report
@@ -45,6 +46,7 @@
 * Sort entries of database file * Compare database entries just once * Add warning if a group is redefined
+ * Update documentation
 * Bug fixes * Code clean up
diff -Nru aide-0.16~b1/README aide-0.16/README
--- aide-0.16~b1/README 2016-04-15 21:31:27.000000000 +0000
+++ aide-0.16/README 2016-07-25 20:58:12.000000000 +0000
@@ -1,7 +1,7 @@
 AIDE - Advanced Intrusion Detection Environment -------------------------------------------------
- Version 0.16b1
+ Version 0.16
 This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without
@@ -62,7 +62,7 @@
 to use --disable-static when configuring AIDE. Please note that dynamic linking introduces a security risk and is not recommended.
- For Mac OS Leopard (10.5) you also need to use --disable-lfs because it
+ Since Mac OS Leopard (10.5) you also need to use --disable-lfs because it
 handles 64 bit file support out of the box. Source Code Verification
@@ -85,7 +85,7 @@
 The current public key needed for signature verification is:
- pub 4096R/68E7B931 2011-06-28 [expires: 2017-06-26]
+ pub 4096R/68E7B931 2011-06-28 [expires: 2021-06-27]
 uid Hannes von Haugwitz
 If you do not have this key, you can get it from one of the well known PGP
diff -Nru aide-0.16~b1/src/gen_list.c aide-0.16/src/gen_list.c
--- aide-0.16~b1/src/gen_list.c 2016-04-15 21:30:16.000000000 +0000
+++ aide-0.16/src/gen_list.c 2016-07-25 20:56:55.000000000 +0000
@@ -635,12 +635,14 @@
 case 0: {
 error(220, "check_node_for_match: equal match for '%s'\n", text);
 retval|=2|4;
+ break;
 }
 case -1: {
 if(S_ISDIR(perm) && get_seltree_node(node,text)==NULL) {
 error(220, "check_node_for_match: creating new seltree node for '%s'\n", text);
 new_seltree_node(node,text,0,NULL);
 }
+ break;
 }
 }
 }
@@ -654,12 +656,14 @@
 case 0: {
 error(220, "check_node_for_match: selective match for '%s'\n", text);
 retval|=1|8;
+ break;
 }
 case -1: {
 if(S_ISDIR(perm) && get_seltree_node(node,text)==NULL) {
 error(220, "check_node_for_match: creating new seltree node for '%s'\n", text);
 new_seltree_node(node,text,0,NULL);
 }
+ break;
 }
 }
 }
diff -Nru aide-0.16~b1/version.m4 aide-0.16/version.m4
--- aide-0.16~b1/version.m4 2016-04-15 21:37:08.000000000 +0000
+++ aide-0.16/version.m4 2016-07-25 21:09:44.000000000 +0000
@@ -1 +1 @@
-m4_define([AIDE_VERSION], [0.16b1])
+m4_define([AIDE_VERSION], [0.16])
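Review bot: The `break;` added after `retval|=2|4;` in the `case 0:` block of the @@ -635 hunk is a behaviour change rather than a tidy-up: before this patch a successful equal match fell through into `case -1:`, which for a directory with no existing seltree node called `new_seltree_node(node,text,0,NULL)`, and after it a matched directory no longer gets a node created at this point (the same holds for the `retval|=1|8;` block in the @@ -654 hunk). Nothing in the hunk records why the matched branch must not create a node, so a one-line comment would spare the next reader from re-deriving it, e.g. `/* matched: do not fall through into the no-match branch, which creates a seltree node */` before each new `break;`. The switch head and the enclosing check_node_for_match() lie outside the hunk, so it is not visible here whether the matcher can return anything other than 0/-1 or whether a `default:` exists; if it can return another value, silently ignoring it in this switch would be worth an `error()` line of its own.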