| Summary: | app-forensics/aide-0.15.1 hash signing does not work | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | darin hensley <coolio> |
| Component: | Current packages | Assignee: | Forensics Herd [disbanded] <forensics+obsolete> |
| Status: | RESOLVED CANTFIX | | |
| Severity: | normal | CC: | coolio, gentoo, itumaykin+gentoo, proxy-maint |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
darin hensley
2011-04-29 11:52:04 UTC
(In reply to comment #0)
> according to the man page, If aide was compiled with the "--with-dbhmackey"
> option, a hash for the config file will be calculated. Aide was compiled with
> USE="acl mhash nls (selinux) xattr zlib -audit -curl -postgres -prelink
> -static"
>
> After aide --init && aide --config-check I am given no hash signature.
>
> I do not get hash signatures for the databases either.

According to the manual, aide had to be compiled with the "--with-confighmac*" and/or "--with-dbhmac*" configure options. The hmac key must be configured during the compilation and is not related to the mhash USE flag (not directly).

But the option is very interesting. Is it possible to add an option to the ebuild to add this feature? Use a variable like some other ebuilds (SANE_BACKENDS, LIRC_DEVICES ...) for the key?

Forget my previous comment, there is already a variable to add configure options:

EXTRA_ECONF="--with-confighmactype=sha1 --with-confighmackey=YWlkZSBhaWRlIGFpZGUgYWlkZQo= --with-dbhmactype=sha1 --with-dbhmackey=YWlkZSBhaWRlIGFpZGUgYWlkZQo=" emerge -a aide

Thanks for the idea, but there is no good way to supply your keys during build automatically. This is an advanced feature and you can enable it yourself with EXTRA_ECONF. It would be great to have your instructions in the Gentoo wiki for other users to learn.

Please note that since aide-0.16 we already pass --with-confighmactype="sha512" and --with-dbhmackey="sha512" options. You can just supply your keys.
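
The EXTRA_ECONF approach from the thread, made persistent with random keys instead of a readable phrase. This is an added example, not code from the bug report or the ebuild; the file name `aide-hmac.conf` and the helper function names are hypothetical, and it assumes `package.env` is a plain file rather than a directory.

```sh
# Added example (not from the bug thread). The file name aide-hmac.conf and
# these function names are hypothetical; env/ and package.env are Portage's
# own per-package override mechanism.

# 20 random bytes -> 28 base64 characters: the same length as the sample
# key quoted in the thread, but not derived from a guessable phrase.
gen_hmac_key() {
    head -c 20 /dev/urandom | base64
}

# Build the EXTRA_ECONF assignment.
# $1 = hmac type, $2 = config-file key, $3 = database key (both base64).
aide_extra_econf() {
    printf 'EXTRA_ECONF="--with-confighmactype=%s --with-confighmackey=%s --with-dbhmactype=%s --with-dbhmackey=%s"\n' \
        "$1" "$2" "$1" "$3"
}

# Write the override below a Portage config root.
# $1 = config root (e.g. /etc/portage), $2 = hmac type (default sha1).
# Config and database get separate keys, and the env file is created
# owner-only: anyone who can read a key can produce a valid signature.
# The keys are also passed on the configure command line, so restrict
# access to the build logs as well.
write_aide_env() {
    (
        root=$1
        hmac=${2:-sha1}
        umask 077
        mkdir -p "$root/env" &&
        aide_extra_econf "$hmac" "$(gen_hmac_key)" "$(gen_hmac_key)" \
            > "$root/env/aide-hmac.conf" &&
        echo 'app-forensics/aide aide-hmac.conf' >> "$root/package.env"
    )
}

# Usage, as root:
#   write_aide_env /etc/portage && emerge -a aide
```

Because the keys are fixed at compile time, rebuilding with new keys invalidates signatures made with the old ones.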