From 0c33c3d49cf7c987ee08743e8001f76f1a5b7e6a Mon Sep 17 00:00:00 2001
From: Daniel Kopecek
Date: Nov 22 2012 17:12:23 +0000
Subject: FIPS related fixes - added patch to fix aide in FIPS mode - use only FIPS approved digest algorithms in aide.conf so that aide works by default in FIPS mode
---
diff --git a/aide-0.15.1-fipsfix.patch b/aide-0.15.1-fipsfix.patch
new file mode 100644
index 0000000..2b80c39
--- /dev/null
+++ b/aide-0.15.1-fipsfix.patch
@@ -0,0 +1,103 @@
+diff -up aide-0.15.1/src/aide.c.fipsfix aide-0.15.1/src/aide.c
+--- aide-0.15.1/src/aide.c.fipsfix 2010-08-08 19:39:31.000000000 +0200
++++ aide-0.15.1/src/aide.c 2012-11-22 16:59:45.378713818 +0100
+@@ -484,9 +484,28 @@ int main(int argc,char**argv)
+ #endif
+ umask(0177);
+ init_sighandler();
+-
+ setdefaults_before_config();
+ 
++#if WITH_GCRYPT
++ error(255,"Gcrypt library initialization\n");
++ /*
++ * Initialize libgcrypt as per
++ * http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
++ *
++ *
++ */
++ gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0);
++ gcry_control(GCRYCTL_INIT_SECMEM, 1);
++
++ if(!gcry_check_version(GCRYPT_VERSION)) {
++ error(0,"libgcrypt version mismatch\n");
++ exit(VERSION_MISMATCH_ERROR);
++ }
++
++ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
++#endif /* WITH_GCRYPT */
++
++
+ if(read_param(argc,argv)==RETFAIL){
+ error(0, _("Invalid argument\n") );
+ exit(INVALID_ARGUMENT_ERROR);
+@@ -641,6 +660,9 @@ int main(int argc,char**argv)
+ }
+ #endif
+ }
++#ifdef WITH_GCRYPT
++ gcry_control(GCRYCTL_TERM_SECMEM, 0);
++#endif /* WITH_GCRYPT */
+ return RETOK;
+ }
+ const char* aide_key_3=CONFHMACKEY_03;
+diff -up aide-0.15.1/src/md.c.fipsfix aide-0.15.1/src/md.c
+--- aide-0.15.1/src/md.c.fipsfix 2010-08-08 19:39:31.000000000 +0200
++++ aide-0.15.1/src/md.c 2012-11-22 16:59:33.166673632 +0100
+@@ -201,14 +201,7 @@ int init_md(struct md_container* md) {
+ }
+ #endif
+ #ifdef WITH_GCRYPT
+- error(255,"Gcrypt library initialization\n");
+- if(!gcry_check_version(GCRYPT_VERSION)) {
+- error(0,"libgcrypt version mismatch\n");
+- exit(VERSION_MISMATCH_ERROR);
+- }
+- gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
+- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+- if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){
++ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
+ error(0,"gcrypt_md_open failed\n");
+ exit(IO_ERROR);
+ }
+@@ -299,7 +292,7 @@ int close_md(struct md_container* md) {
+ 
+ /*. There might be more hashes in the library. Add those here.. */
+ 
+- gcry_md_reset(md->mdh);
++ gcry_md_close(md->mdh);
+ #endif
+ 
+ #ifdef WITH_MHASH
+diff -up aide-0.15.1/src/util.c.fipsfix aide-0.15.1/src/util.c
+--- aide-0.15.1/src/util.c.fipsfix 2010-08-08 19:39:31.000000000 +0200
++++ aide-0.15.1/src/util.c 2012-11-22 16:59:33.166673632 +0100
+@@ -494,28 +494,5 @@ int syslog_facility_lookup(char *s)
+ return(AIDE_SYSLOG_FACILITY);
+ }
+ 
+-/* We need these dummy stubs to fool the linker into believing that
+- we do not need them at link time */
+-
+-void* dlopen(char*filename,int flag)
+-{
+- return NULL;
+-}
+-
+-void* dlsym(void*handle,char*symbol)
+-{
+- return NULL;
+-}
+-
+-void* dlclose(void*handle)
+-{
+- return NULL;
+-}
+-
+-const char* dlerror(void)
+-{
+- return NULL;
+-}
+-
+ const char* aide_key_2=CONFHMACKEY_02;
+ const char* db_key_2=DBHMACKEY_02;
diff --git a/aide.conf b/aide.conf
index 0f8c0cd..cd95c01 100644
--- a/aide.conf
+++ b/aide.conf
@@ -51,6 +51,8 @@ report_url=stdout
 #crc32: crc32 checksum (MHASH only)
 #whirlpool: whirlpool checksum (MHASH only)
+FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+
 #R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
 #L: p+i+n+u+g+acl+selinux+xattrs
 #E: Empty group
@@ -65,7 +67,7 @@ EVERYTHING = R+ALLXTRAHASHES
 # Sane, with multiple hashes
 # NORMAL = R+rmd160+sha256+whirlpool
-NORMAL = R+rmd160+sha256
+NORMAL = FIPSR+sha512
 # For directories, don't bother doing hashes
 DIR = p+i+n+u+g+acl+selinux+xattrs
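Review bot: The guards around the new libgcrypt code are inconsistent: the aide.c initialization block opens with `#if WITH_GCRYPT`, while the teardown block in the same file and both md.c hunks use `#ifdef WITH_GCRYPT`, so a build that defines WITH_GCRYPT with no value gets a preprocessor error on the `#if` form, and one that defines it as 0 would compile the GCRYCTL_TERM_SECMEM teardown and the GCRY_MD_FLAG_SECURE open without the matching GCRYCTL_INIT_SECMEM; `#ifdef WITH_GCRYPT` on the initialization block removes the mismatch. The call order also seems to depart from the page the new comment cites, which as I read it has gcry_check_version as the first libgcrypt call apart from the FIPS-flag control, whereas here `gcry_control(GCRYCTL_INIT_SECMEM, 1);` precedes it, so moving the version check directly after the GCRYCTL_SET_ENFORCED_FIPS_FLAG line would match the documented sequence. Because init_md now opens every hash context with GCRY_MD_FLAG_SECURE, gcry_md_open can additionally fail when the secure-memory pool is exhausted, and the unchanged message `gcrypt_md_open failed` does not say which failure occurred; including the returned error code in that message (libgcrypt's gcry_strerror renders it) would make the FIPS-mode failure distinguishable from the others. main, init_md and close_md all begin and end outside this hunk.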
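Review bot: The new FIPSR group is added without a comment stating how it differs from the built-in R group described directly beneath it (`#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5`), and groups in this file that are still defined in terms of R — EVERYTHING, visible in the next hunk's header context — presumably keep requesting md5 and so are not covered by this change. A one-line comment above the definition would record the intent: `# FIPSR: R with sha256 in place of md5 (md5 is not a FIPS-approved digest)`. It is also worth a comment that the DATAONLY change in the later hunk reduces the group from four digests to sha256 alone rather than replacing each removed algorithm with an approved one, since that is a weaker check than before rather than a like-for-like substitution.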
@@ -76,12 +78,12 @@ PERMS = p+i+u+g+acl+selinux
 # Logfile are special, in that they often change
 LOG = >
-# Just do md5 and sha256 hashes
-LSPP = R+sha256
+# Just do sha256 and sha512 hashes
+LSPP = FIPSR+sha512
 # Some files get updated automatically, so the inode/ctime/mtime change
 # but we want to know when the data inside them changes
-DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
+DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
 # Next decide what directories/files you want in the database.
diff --git a/aide.spec b/aide.spec
index f253cbf..0aed33b 100644
--- a/aide.spec
+++ b/aide.spec
@@ -4,7 +4,7 @@ Summary: Intrusion detection environment
 Name: aide
 Version: 0.15.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 URL: http://sourceforge.net/projects/aide
 License: GPLv2+
 Group: Applications/System
@@ -14,6 +14,8 @@ Source2: README.quickstart
 Source3: aide.logrotate
 # Customize the database file location in the man page.
 Patch1: aide-0.14-man.patch
+# fix aide in FIPS mode
+Patch2: aide-0.15.1-fipsfix.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
 BuildRequires: mktemp
 BuildRequires: prelink elfutils-libelf-devel
@@ -36,7 +38,8 @@ checker and intrusion detection program.
 %prep
 %setup -q
-%patch1 -p1
+%patch1 -p1 -b .man
+%patch2 -p1 -b .fipsfix
 %build
 %configure --with-config_file=%{_sysconfdir}/aide.conf \
@@ -85,6 +88,11 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Thu Nov 22 2012 Daniel Kopecek - 0.15.1-4
+- added patch to fix aide in FIPS mode
+- use only FIPS approved digest algorithms in aide.conf so that
+ aide works by default in FIPS mode
+
 * Wed Jul 18 2012 Fedora Release Engineering - 0.15.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild