Bug 365299 - app-forensics/aide-0.15.1 hash signing does not work
Summary: app-forensics/aide-0.15.1 hash signing does not work
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Forensics Herd [disbanded]
Depends on:
Reported: 2011-04-29 11:52 UTC by darin hensley
Modified: 2017-05-28 17:15 UTC

See Also:
Package list:
Runtime testing required: ---


Description darin hensley 2011-04-29 11:52:04 UTC
According to the man page, if aide was compiled with the "--with-dbhmackey" option, a hash for the config file will be calculated. Aide was compiled with USE="acl mhash nls (selinux) xattr zlib -audit -curl -postgres -prelink -static"

After aide --init && aide --config-check I am given no hash signature.

I do not get hash signatures for the databases either.

This makes me also wonder if the md5 and sha1 checks are truly working when aide is scanning files and comparing the filesystems. 

aide-0.15.1 is deemed stable according to the developer. 

Reproducible: Always

Steps to Reproduce:
1. aide --init
2. aide --check-config
Actual Results:  
no signature given after aide --check-config.

Expected Results:  
$ aide --config-check
Config checked. Use the following to patch your config file.
> @@begin_config 27GF0+oKj1CvP4tltuibhu8YGIU=
> @@end_config

I am worried that the md5 and sha1 algorithms are also not working for the file systems checks.  

localhost / # emerge --info output
Portage (selinux/v2refpolicy/amd64/hardened, gcc-4.4.5, glibc-2.13-r2, 2.6.36-hardened-r6 x86_64)
Comment 1 Marc Perrudin 2011-08-11 12:28:23 UTC
(In reply to comment #0)
> According to the man page, if aide was compiled with the "--with-dbhmackey"
> option, a hash for the config file will be calculated. Aide was compiled with
> USE="acl mhash nls (selinux) xattr zlib -audit -curl -postgres -prelink
> -static"
> After aide --init && aide --config-check I am given no hash signature. 
> I do not get hash signatures for the databases ether. 

According to the manual, aide has to be compiled with the "--with-confighmac*" and/or "--with-dbhmac*" configure options. The hmac key must be configured at compile time and is not related to the mhash use flag (not directly).

But the option is very interesting; is it possible to add an option to the ebuild to enable this feature? Use a variable like some other ebuilds do (SANE_BACKENDS, LIRC_DEVICES ...) for the key?
Comment 2 Marc Perrudin 2011-08-11 13:24:46 UTC
Forget my previous comment, there is already a variable to add configure options:

EXTRA_ECONF="--with-confighmactype=sha1 --with-confighmackey=YWlkZSBhaWRlIGFpZGUgYWlkZQo= --with-dbhmactype=sha1 --with-dbhmackey=YWlkZSBhaWRlIGFpZGUgYWlkZQo=" emerge -a aide
Comment 3 Coacher 2017-05-28 17:15:07 UTC
Thanks for the idea, but there is no good way to supply your keys during build automatically. This is an advanced feature and you can enable it yourself with EXTRA_ECONF. It would be great to have your instructions in the Gentoo wiki for other users to learn from.

Please note that since aide-0.16 we already pass --with-confighmactype="sha512" and --with-dbhmackey="sha512" options. You can just supply your keys.
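Added example, not from the bug report or the aide project: a small wrapper around the EXTRA_ECONF approach of comment 2, using comment 3's note that aide-0.16 and later already pass the *hmactype options so only the keys are needed. It assumes configure takes the keys base64-encoded (as comment 2's sample key is), and that keeping the keys in root-only files lets later rebuilds reuse them; the emerge call is wrapped in a function and is not run here.

```shell
#!/bin/sh
# Build app-forensics/aide on Gentoo with compile-time HMAC keys for the config
# file and the database. Assumption: keys are passed to configure as base64.
set -eu

# Generate a fresh 32-byte random key, base64-encoded on a single line.
gen_hmac_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# A key that is not valid base64 would break ./configure or yield a useless
# HMAC, so refuse it early. Empty input is rejected as well.
is_base64() {
    [ -n "$1" ] && printf '%s' "$1" | base64 -d >/dev/null 2>&1
}

# Compose the EXTRA_ECONF string. $1 = config key, $2 = db key,
# $3 = "old" for aide-0.15.x (hmac types must be given explicitly, as in
# comment 2) or "new" (default) for aide >= 0.16, where the ebuild already
# passes the types (comment 3) and only the keys are supplied.
aide_econf() {
    ckey=$1; dkey=$2; gen=${3:-new}
    is_base64 "$ckey" || { echo "config key is not base64" >&2; return 1; }
    is_base64 "$dkey" || { echo "db key is not base64" >&2; return 1; }
    if [ "$gen" = old ]; then
        printf '%s' "--with-confighmactype=sha1 --with-confighmackey=$ckey --with-dbhmactype=sha1 --with-dbhmackey=$dkey"
    else
        printf '%s' "--with-confighmackey=$ckey --with-dbhmackey=$dkey"
    fi
}

# Keep the keys in a root-only directory (hypothetical default path) so the
# same keys are reused when aide is rebuilt; otherwise the existing database
# and signed config no longer verify. $1 = key directory, $2 = old|new.
build_aide() {
    keydir=${1:-/root/aide-keys}
    umask 077; mkdir -p "$keydir"
    [ -s "$keydir/config.key" ] || gen_hmac_key > "$keydir/config.key"
    [ -s "$keydir/db.key" ] || gen_hmac_key > "$keydir/db.key"
    EXTRA_ECONF=$(aide_econf "$(cat "$keydir/config.key")" \
                             "$(cat "$keydir/db.key")" "${2:-new}") \
        emerge -a app-forensics/aide
}
```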