[aide] FIPS related fixes
Daniel Kopeček
mildew at fedoraproject.org
Thu Nov 22 17:12:47 UTC 2012
commit 0c33c3d49cf7c987ee08743e8001f76f1a5b7e6a
Author: Daniel Kopecek <dkopecek at redhat.com>
Date: Thu Nov 22 18:11:53 2012 +0100
FIPS related fixes
- added patch to fix aide in FIPS mode
- use only FIPS approved digest algorithms in aide.conf so that
aide works by default in FIPS mode
aide-0.15.1-fipsfix.patch | 103 +++++++++++++++++++++++++++++++++++++++++++++
aide.conf | 10 +++--
aide.spec | 12 ++++-
3 files changed, 119 insertions(+), 6 deletions(-)
---
diff --git a/aide-0.15.1-fipsfix.patch b/aide-0.15.1-fipsfix.patch
new file mode 100644
index 0000000..2b80c39
--- /dev/null
+++ b/aide-0.15.1-fipsfix.patch
@@ -0,0 +1,103 @@
+diff -up aide-0.15.1/src/aide.c.fipsfix aide-0.15.1/src/aide.c
+--- aide-0.15.1/src/aide.c.fipsfix 2010-08-08 19:39:31.000000000 +0200
++++ aide-0.15.1/src/aide.c 2012-11-22 16:59:45.378713818 +0100
+@@ -484,9 +484,28 @@ int main(int argc,char**argv)
+ #endif
+ umask(0177);
+ init_sighandler();
+-
+ setdefaults_before_config();
+
++#if WITH_GCRYPT
++ error(255,"Gcrypt library initialization\n");
++ /*
++ * Initialize libgcrypt as per
++ * http://www.gnupg.org/documentation/manuals/gcrypt/Initializing-the-library.html
++ *
++ *
++ */
++ gcry_control(GCRYCTL_SET_ENFORCED_FIPS_FLAG, 0);
++ gcry_control(GCRYCTL_INIT_SECMEM, 1);
++
++ if(!gcry_check_version(GCRYPT_VERSION)) {
++ error(0,"libgcrypt version mismatch\n");
++ exit(VERSION_MISMATCH_ERROR);
++ }
++
++ gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
++#endif /* WITH_GCRYPT */
++
++
+ if(read_param(argc,argv)==RETFAIL){
+ error(0, _("Invalid argument\n") );
+ exit(INVALID_ARGUMENT_ERROR);
+@@ -641,6 +660,9 @@ int main(int argc,char**argv)
+ }
+ #endif
+ }
++#ifdef WITH_GCRYPT
++ gcry_control(GCRYCTL_TERM_SECMEM, 0);
++#endif /* WITH_GCRYPT */
+ return RETOK;
+ }
+ const char* aide_key_3=CONFHMACKEY_03;
+diff -up aide-0.15.1/src/md.c.fipsfix aide-0.15.1/src/md.c
+--- aide-0.15.1/src/md.c.fipsfix 2010-08-08 19:39:31.000000000 +0200
++++ aide-0.15.1/src/md.c 2012-11-22 16:59:33.166673632 +0100
+@@ -201,14 +201,7 @@ int init_md(struct md_container* md) {
+ }
+ #endif
+ #ifdef WITH_GCRYPT
+- error(255,"Gcrypt library initialization\n");
+- if(!gcry_check_version(GCRYPT_VERSION)) {
+- error(0,"libgcrypt version mismatch\n");
+- exit(VERSION_MISMATCH_ERROR);
+- }
+- gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
+- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
+- if(gcry_md_open(&md->mdh,0,0)!=GPG_ERR_NO_ERROR){
++ if(gcry_md_open(&md->mdh,0,GCRY_MD_FLAG_SECURE)!=GPG_ERR_NO_ERROR){
+ error(0,"gcrypt_md_open failed\n");
+ exit(IO_ERROR);
+ }
+@@ -299,7 +292,7 @@ int close_md(struct md_container* md) {
+
+ /*. There might be more hashes in the library. Add those here.. */
+
+- gcry_md_reset(md->mdh);
++ gcry_md_close(md->mdh);
+ #endif
+
+ #ifdef WITH_MHASH
+diff -up aide-0.15.1/src/util.c.fipsfix aide-0.15.1/src/util.c
+--- aide-0.15.1/src/util.c.fipsfix 2010-08-08 19:39:31.000000000 +0200
++++ aide-0.15.1/src/util.c 2012-11-22 16:59:33.166673632 +0100
+@@ -494,28 +494,5 @@ int syslog_facility_lookup(char *s)
+ return(AIDE_SYSLOG_FACILITY);
+ }
+
+-/* We need these dummy stubs to fool the linker into believing that
+- we do not need them at link time */
+-
+-void* dlopen(char*filename,int flag)
+-{
+- return NULL;
+-}
+-
+-void* dlsym(void*handle,char*symbol)
+-{
+- return NULL;
+-}
+-
+-void* dlclose(void*handle)
+-{
+- return NULL;
+-}
+-
+-const char* dlerror(void)
+-{
+- return NULL;
+-}
+-
+ const char* aide_key_2=CONFHMACKEY_02;
+ const char* db_key_2=DBHMACKEY_02;
diff --git a/aide.conf b/aide.conf
index 0f8c0cd..cd95c01 100644
--- a/aide.conf
+++ b/aide.conf
@@ -51,6 +51,8 @@ report_url=stdout
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
+FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+
#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
#L: p+i+n+u+g+acl+selinux+xattrs
#E: Empty group
@@ -65,7 +67,7 @@ EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
-NORMAL = R+rmd160+sha256
+NORMAL = FIPSR+sha512
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+selinux+xattrs
@@ -76,12 +78,12 @@ PERMS = p+i+u+g+acl+selinux
# Logfile are special, in that they often change
LOG = >
-# Just do md5 and sha256 hashes
-LSPP = R+sha256
+# Just do sha256 and sha512 hashes
+LSPP = FIPSR+sha512
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
-DATAONLY = p+n+u+g+s+acl+selinux+xattrs+md5+sha256+rmd160+tiger
+DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
# Next decide what directories/files you want in the database.
diff --git a/aide.spec b/aide.spec
index f253cbf..0aed33b 100644
--- a/aide.spec
+++ b/aide.spec
@@ -4,7 +4,7 @@
Summary: Intrusion detection environment
Name: aide
Version: 0.15.1
-Release: 3%{?dist}
+Release: 4%{?dist}
URL: http://sourceforge.net/projects/aide
License: GPLv2+
Group: Applications/System
@@ -14,6 +14,8 @@ Source2: README.quickstart
Source3: aide.logrotate
# Customize the database file location in the man page.
Patch1: aide-0.14-man.patch
+# fix aide in FIPS mode
+Patch2: aide-0.15.1-fipsfix.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
BuildRequires: mktemp
BuildRequires: prelink elfutils-libelf-devel
@@ -36,7 +38,8 @@ checker and intrusion detection program.
%prep
%setup -q
-%patch1 -p1
+%patch1 -p1 -b .man
+%patch2 -p1 -b .fipsfix
%build
%configure --with-config_file=%{_sysconfdir}/aide.conf \
@@ -85,6 +88,11 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Thu Nov 22 2012 Daniel Kopecek <dkopecek at redhat.com> - 0.15.1-4
+- added patch to fix aide in FIPS mode
+- use only FIPS approved digest algorithms in aide.conf so that
+ aide works by default in FIPS mode
+
* Wed Jul 18 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.15.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
More information about the scm-commits
mailing list