Diffstat (limited to 'configure.ac')
-rw-r--r--configure.ac208
1 files changed, 175 insertions, 33 deletions
diff --git a/configure.ac b/configure.ac
index 1b3e2ac..ffffb3a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -11,7 +11,7 @@ AC_ARG_VAR([LIBS], [libraries to link against, e.g. -lintl])
dnl
dnl start
dnl
-AM_INIT_AUTOMAKE(samhain, 4.1.4)
+AM_INIT_AUTOMAKE(samhain, 4.4.10)
AC_DEFINE([SAMHAIN], 1, [Application is samhain])
AC_CANONICAL_HOST
@@ -38,6 +38,22 @@ if test "x$GCC" = "xyes"; then
SH_GCC_VERSION
fi
+if test "x${gcc_VERSION_MAJOR}" != "x"
+then
+ AC_MSG_CHECKING([for gcc compiler issues])
+ if test ${gcc_VERSION_MAJOR} -ge 11
+ then
+ dnmalloc_ok=no
+ AC_MSG_RESULT([dnmalloc does not work with gcc 11])
+ else
+ dnmalloc_ok=yes
+ AC_MSG_RESULT([ok])
+ fi
+else
+ dnmalloc_ok=yes
+fi
+
+
AC_HEADER_STDC
AC_CHECK_HEADERS([sys/ipc.h sys/sem.h sys/msg.h sys/uio.h fcntl.h])
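Review bot: The added `test ${gcc_VERSION_MAJOR} -ge 11` expands the variable unquoted and assumes it is numeric, so an unexpected value from SH_GCC_VERSION makes `test` fail with a shell error and silently selects the `dnmalloc_ok=yes` branch. Quote it as `if test "${gcc_VERSION_MAJOR}" -ge 11`. The result text says "gcc 11" although the branch covers every major version from 11 upwards, so `AC_MSG_RESULT([dnmalloc does not work with gcc >= 11])` would be accurate. Since `dnmalloc_ok=no` presumably changes which allocator the binary is built with (the code that consumes it is outside this hunk), an additional `AC_MSG_WARN` would make that change visible to whoever builds the package.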
@@ -50,7 +66,6 @@ uid_cast="signed long"
selectconfig=linux
mynetbsd=no
sh_use_lcaps="undef"
-dnmalloc_ok=yes
sh_use_pie=yes
enable_asm_ok=yes
@@ -71,7 +86,8 @@ case "$host_os" in
*)
;;
esac
- ;;
+ LDFLAGS="${LDFLAGS} -Wl,--as-needed"
+ ;;
*osf*)
AC_DEFINE([HOST_IS_OSF], 1, [Define if host OS is OSF])
@@ -242,9 +258,9 @@ AC_HEADER_STAT
AC_DECL_SYS_SIGLIST
AC_CHECK_HEADERS(stddef.h libgen.h sched.h malloc.h sys/uio.h \
- sys/mman.h sys/param.h sys/inotify.h \
+ sys/mman.h sys/param.h sys/inotify.h sys/sysmacros.h \
sys/vfs.h mntent.h \
- sys/select.h sys/socket.h netinet/in.h \
+ sys/select.h sys/socket.h netinet/in.h ifaddrs.h \
regex.h glob.h fnmatch.h \
linux/ext2_fs.h linux/fs.h ext2fs/ext2_fs.h asm/segment.h \
elf.h linux/elf.h auparse.h \
@@ -378,17 +394,18 @@ dnl
dnl *****************************************
AC_FUNC_STRFTIME
AC_CHECK_FUNCS(memcmp memcpy memmove memset getpwent endpwent fpurge \
+ explicit_memset explicit_bzero \
gettimeofday strlcat strlcpy strstr strchr strerror strsignal \
seteuid setreuid setresuid lstat getwd getcwd ptrace \
usleep setpriority getpeereid nanosleep \
strptime basename sched_yield hasmntopt \
inet_aton gethostbyname setutent setrlimit gethostname uname \
- initgroups getpagesize \
+ initgroups getpagesize getutxent \
ttyname fchmod writev mmap tzset \
getsid getpriority getpgid statvfs \
strerror_r getgrgid_r getpwnam_r getpwuid_r \
gmtime_r localtime_r rand_r readdir_r strtok_r \
- mincore posix_fadvise inotify_init1
+ mincore posix_fadvise inotify_init1 scandir
)
AC_CHECK_FUNC(statfs, AC_DEFINE(HAVE_STATFS) statfs="yes", statfs="no")
SL_CHECK_VA_COPY
@@ -671,6 +688,15 @@ if test x$sh_have_SO_PEERCRED = xyes; then
AC_DEFINE(HAVE_SO_PEERCRED,1,[Have SO_PEERCRED define])
fi
+AC_MSG_CHECKING(for union semun)
+AC_TRY_COMPILE([#include <sys/types.h>
+#include <sys/ipc.h>
+#include <sys/sem.h>],[union semun foo;], [sh_have_semun=yes], [sh_have_semun=no])
+AC_MSG_RESULT($sh_have_semun)
+if test x$sh_have_semun = xyes
+then
+ AC_DEFINE(HAVE_UNION_SEMUN, 1, [union semun already defined in sys/ipc.h or sys/sem.h])
+fi
dnl *****************************************
dnl checks for compiler characteristics
@@ -695,8 +721,10 @@ if test "x$GCC" = "xyes"; then
else
GCC_STACK_PROTECT_LIB
GCC_STACK_PROTECT_CC
-dnl GCC_STACK_CHECK_CC
- GCC_PIE_CC
+ GCC_STACK_CHECK_CC
+ GCC_PIE_CC
+ GCC_FLAG_CHECK([-fexceptions])
+ GCC_FLAG_CHECK([-mcet -fcf-protection])
fi
fi
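Review bot: `GCC_FLAG_CHECK([-mcet -fcf-protection])` probes both flags as a single unit, assuming the macro (defined outside this file) passes its argument to the compiler unchanged, so a compiler that accepts `-fcf-protection` but rejects `-mcet` would end up with neither. Checking them separately, `GCC_FLAG_CHECK([-fcf-protection])` followed by `GCC_FLAG_CHECK([-mcet])`, keeps the control-flow protection wherever it is available. A one-line `dnl` comment saying why `-fexceptions` is wanted for a C build would also help the next maintainer. The enclosing `if test "x$GCC" = "xyes"` block starts outside the hunk.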
@@ -969,7 +997,7 @@ dnl [sh_use_lcaps="no"])
elif test "x$enable_network" = xserver; then
mytclient="-DSH_WITH_SERVER"
yulectl_prg="yulectl"
- samhainadmin_prg="scripts/samhainadmin.pl"
+ samhainadmin_prg="scripts/samhainadmin-gpg.pl scripts/samhainadmin-sig.pl"
setpwd_prg="samhain_setpwd"
sh_main_prg="yule"
if test "x${sh_have_gmp}" = xyes
@@ -1027,10 +1055,15 @@ AC_ARG_ENABLE(static,
then
tmp_LIBS=`echo $LIBS | sed 's%\-lauparse%%' `
LIBS="${tmp_LIBS}"
+ AC_MSG_WARN([--enable-static: no support for Linux Auditing System])
fi
if test "x$GCC" = "xyes";
then
+ if test -n "`echo "$CFLAGS" | grep "\-flto" 2> /dev/null`"
+ then
+ AC_MSG_ERROR([--enable-static: not compatible with link-time optimisation])
+ fi
case "$host_os" in
*solaris*)
@@ -1121,7 +1154,7 @@ AC_CHECK_FUNC(pmap_getmaps,
#
# this is from the snort configure.in
#
-AC_DEFUN(FAIL_MESSAGE,[
+AC_DEFUN([FAIL_MESSAGE],[
echo
echo
echo "**********************************************"
@@ -1195,6 +1228,9 @@ dnl AC_CHECK_PROG(HAVE_PRELUDE_CONFIG, libprelude-config, yes, no)
AC_ARG_WITH(database,
[ --with-database=[[mysql|postgresql|oracle|odbc]] database support [[no]]],
[
+ if test x"$enable_static" = xyes; then
+ AC_MSG_WARN([With --enable-static, --with-database may fail to compile.])
+ fi
if test x"$enable_xml_log" != xyes; then
AC_MSG_ERROR([With --with-database, --enable-xml-log is required as well.])
fi
@@ -1674,6 +1710,15 @@ AC_ARG_ENABLE(debug,
mydebugdef="-g"
fi
mydebugit="yes"
+ elif test "x${enable_debug}" = "xmem"; then
+ AC_DEFINE(MEM_DEBUG)
+ AC_DEFINE(SH_ABORT_ON_ERROR, 1, [Use abort])
+ if test "x${myneedg3}" = "xyes"; then
+ mydebugdef="-g3"
+ else
+ mydebugdef="-g"
+ fi
+ mydebugit="yes"
elif test "x${enable_debug}" = "xgdb"; then
AC_DEFINE(SH_ABORT_ON_ERROR, 1, [Use abort])
if test "x${myneedg3}" = "xyes"; then
@@ -1780,7 +1825,7 @@ dnl -W is the older name for -Wextra
CFLAGS="$CFLAGS -Wall -W -Wno-missing-braces "
;;
*)
- CFLAGS="$CFLAGS -Wall -W "
+ CFLAGS="$CFLAGS -Wall -W -Werror=implicit-function-declaration "
;;
esac
fi
@@ -2198,12 +2243,101 @@ AC_SUBST(mykeybase)
dnl
-dnl GPG/PGP options
+dnl Signify/GnuPG options
dnl
+AC_ARG_WITH(signify,
+ [ --with-signify=PATH use OpenBSD signify to verify database/config [[no]]],
+ [
+ if test "x${withval}" != "xno"; then
+ if test "x${cross_compiling}" = xyes; then
+ mysignify="${withval}"
+ else
+ if test -f "${withval}"; then
+ mysignify="${withval}"
+ mychk0=`gpg --load-extension tiger --print-md TIGER192 ${withval} 2>/dev/null`
+ if test "x$?" != "x0"; then
+ mychktest=no
+ for sam_pre in ./samhain ./yule /usr/local/sbin/samhain /usr/local/bin/samhain /usr/bin/samhain /usr/sbin/samhain /usr/local/sbin/yule /usr/local/bin/yule /usr/bin/yule /usr/sbin/yule; do
+ if test x"${mychktest}" = xyes
+ then
+ :
+ else
+ if test -f ${sam_pre}
+ then
+ echo "use existing ${sam_pre} for signify checksum"
+ mychk0=`${sam_pre} -H ${withval} 2>/dev/null`
+ if test "x$?" != "x0"; then
+ if test "x${nocl_code}" != "x"; then
+ mychk0=`echo -H ${withval} | ${sam_pre} ${nocl_code} 2>/dev/null`
+ if test "x$?" != "x0"; then
+ :
+ else
+ mychk="${mychk0}"
+ mychktest=yes
+ fi
+ fi
+ else
+ mychk="${mychk0}"
+ mychktest=yes
+ fi
+ fi
+ fi
+ done
+ if test x${mychktest} = xno; then
+ AC_MSG_WARN([--with-signify: cannot determine TIGER192 checksum of ${withval}])
+ echo "-------------------------------------------------------------"
+ echo " I cannot find an existing GnuPG or samhain binary to use."
+ echo " You can:"
+ echo " (a) run make to compile a samhain binary, then repeat"
+ echo " ./configure and make"
+ echo " (b) ignore the failure. The checksum of the signify binary"
+ echo " will not get compiled in, thus allowing an attacker"
+ echo " to replace signify with a trojan and subverting the"
+ echo " signature verification of configure and database files."
+ echo
+ echo " PLEASE IGNORE THIS MESSAGE IF YOU ALSO USE --with-checksum"
+ echo "-------------------------------------------------------------"
+ fi
+ else
+ mychk="${mychk0}"
+ fi
+ else
+ AC_MSG_ERROR([--with-signify: cannot find signify PATH=${withval}])
+ fi
+ fi
+ AC_DEFINE([WITH_SIG], 1, [Define if signature checking is supported.])
+ AC_DEFINE([WITH_SIGNIFY], 1, [Define if using OpenBSD signify for signature checking.])
+ AC_DEFINE_UNQUOTED([DEFAULT_SIG_PATH], _("${mysignify}"), [Define as path to signing binary])
+ AC_SUBST(mysignify)
+ fi
+ ]
+)
+
+AC_ARG_WITH(pubkey-checksum,
+ [ --with-pubkey-checksum=CHKSUM compile in TIGER192 checksum of signify public key [[no]]],
+ [
+ if test "x${withval}" != "xno"; then
+ if test "x${withval}" == "xyes"; then
+ AC_MSG_ERROR([Option --with-pubkey-checksum=CHKSUM: checksum CHKSUM of signify public key not specified.])
+ else
+ if test "x${withval}" = "x"; then
+ AC_MSG_ERROR([Option --with-checksum=CHKSUM: checksum CHKSUM of the signify public key not specified.])
+ fi
+ fi
+ AC_DEFINE([HAVE_SIG_KEY_HASH], 1, [Define if signing binary checksum available.])
+ AC_DEFINE_UNQUOTED([SIG_KEY_HASH], _("${withval}"), [Define as the signify public key checksum.] )
+ fi
+ ]
+)
+
+
AC_ARG_WITH(gpg,
[ --with-gpg=PATH use GnuPG to verify database/config [[no]]],
[
+ if test "x${mysignify}" != "x"; then
+ AC_MSG_ERROR([--with-gpg: already using --with-signify])
+ fi
if test "x${withval}" != "xno"; then
if test "x${cross_compiling}" = xyes; then
mygpg="${withval}"
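Review bot: In the `--with-pubkey-checksum` block, `test "x${withval}" == "xyes"` uses `==`, which POSIX `test` does not define. Under a shell whose `test` rejects it, the comparison errors out and control falls to the empty-string branch, so a bare `--with-pubkey-checksum` would compile the literal `yes` in as SIG_KEY_HASH; use `if test "x${withval}" = "xyes"; then`. The second error message in that block names `--with-checksum` rather than `--with-pubkey-checksum`, and the HAVE_SIG_KEY_HASH description says "signing binary checksum" where the public key is meant. Separately, `${withval}` and `${sam_pre}` are expanded unquoted inside the backtick commands of the `--with-signify` block, so a path containing whitespace is word-split before it is hashed. The `--with-gpg` block continues past the end of this hunk.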
@@ -2262,8 +2396,9 @@ AC_ARG_WITH(gpg,
AC_MSG_ERROR([--with-gpg: cannot find GnuPG PATH=${withval}])
fi
fi
+ AC_DEFINE([WITH_SIG], 1, [Define if signature checking is supported.])
AC_DEFINE(WITH_GPG)
- AC_DEFINE_UNQUOTED(DEFAULT_GPG_PATH, _("${mygpg}") )
+ AC_DEFINE_UNQUOTED([DEFAULT_SIG_PATH], _("${mygpg}"), [Define as path to signing binary])
AC_SUBST(mygpg)
fi
]
@@ -2290,21 +2425,14 @@ AC_ARG_WITH(keyid,
]
)
-dnl AC_ARG_WITH(pgp,
-dnl [ --with-pgp=PATH Use PGP to verify database/config (no).],
-dnl [myppg="$withval"
-dnl AC_DEFINE(WITH_PGP)
-dnl AC_DEFINE_UNQUOTED(DEFAULT_PGP_PATH, _("${myppg}") )
-dnl ])
-
AC_ARG_WITH(checksum,
- [ --with-checksum=CHKSUM compile in gpg/pgp checksum [[yes]]],
+ [ --with-checksum=CHKSUM compile in checksum of signing binary (e.g. gpg) [[yes]]],
[
if test "x${withval}" != "xno"; then
if test "x${withval}" != "xyes"; then
if test "x${mychk}" != "x"; then
if test "x${mychk}" != "x${withval}"; then
- AC_MSG_WARN([--with-checksum: possible gpg CHKSUM problem])
+ AC_MSG_WARN([--with-checksum: possible signing binary CHKSUM problem])
AC_MSG_WARN([--with-checksum: CHKSUM=${withval}])
AC_MSG_WARN([--with-checksum: autodetected=${mychk}])
fi
@@ -2312,20 +2440,21 @@ AC_ARG_WITH(checksum,
mychk="${withval}"
else
if test "x${mychk}" = "x"; then
- AC_MSG_ERROR([Option --with-checksum=CHKSUM: checksum CHKSUM of the gpg binary not specified.])
+ AC_MSG_ERROR([Option --with-checksum=CHKSUM: checksum CHKSUM of the signing binary not specified.])
fi
fi
- AC_DEFINE(HAVE_GPG_CHECKSUM)
- AC_DEFINE_UNQUOTED(GPG_HASH, _("${mychk}") )
- echo "${mychk}" | sed 's,.*:,,g' | sed 's, ,,g' | sed 's,\(.\),\1:,g' | awk '{ split($0, arr, ":"); m = length($1)/2; print "#ifndef CHKSUM_H"; print "#define CHKSUM_H"; print "char gpgchk[50];"; for (i=1; i <= m; i++) printf "gpgchk[%d] = %c%s%c;\n", i-1, 39, arr[i], 39; printf "gpgchk[48] = %c%c0%c;\n", 39, 92, 39; print "#endif"; }' > sh_gpg_chksum.h
+ AC_DEFINE([HAVE_SIG_CHECKSUM], 1, [Define if signing binary checksum available.])
+ AC_DEFINE_UNQUOTED([SIG_HASH], _("${mychk}"), [Define as the signing binary TIGER192 checksum.] )
+ echo "${mychk}" | sed 's,.*:,,g' | sed 's, ,,g' | sed 's,\(.\),\1:,g' | awk '{ split($0, arr, ":"); m = length($1)/2; print "#ifndef CHKSUM_H"; print "#define CHKSUM_H"; print "char sigchk[50];"; for (i=1; i <= m; i++) printf "sigchk[%d] = %c%s%c;\n", i-1, 39, arr[i], 39; printf "sigchk[48] = %c%c0%c;\n", 39, 92, 39; print "#endif"; }' > sh_sig_chksum.h
fi
],
[
- if test "x${mygpg}" != "x"; then
+ if test "x${mygpg}" != "x" || test "x${mysignify}" != "x"
+ then
if test "x${mychk}" != "x"; then
- AC_DEFINE(HAVE_GPG_CHECKSUM)
- AC_DEFINE_UNQUOTED(GPG_HASH, _("${mychk}") )
- echo "${mychk}" | sed 's,.*:,,g' | sed 's, ,,g' | sed 's,\(.\),\1:,g' | awk '{ split($0, arr, ":"); m = length($1)/2; print "#ifndef CHKSUM_H"; print "#define CHKSUM_H"; print "char gpgchk[50];"; for (i=1; i <= m; i++) printf "gpgchk[%d] = %c%s%c;\n", i-1, 39, arr[i], 39; printf "gpgchk[48] = %c%c0%c;\n", 39, 92, 39; print "#endif"; }' > sh_gpg_chksum.h
+ AC_DEFINE([HAVE_SIG_CHECKSUM], 1, [Define if signing binary checksum available.])
+ AC_DEFINE_UNQUOTED([SIG_HASH], _("${mychk}"), [Define as the signing binary TIGER192 checksum.] )
+ echo "${mychk}" | sed 's,.*:,,g' | sed 's, ,,g' | sed 's,\(.\),\1:,g' | awk '{ split($0, arr, ":"); m = length($1)/2; print "#ifndef CHKSUM_H"; print "#define CHKSUM_H"; print "char sigchk[50];"; for (i=1; i <= m; i++) printf "sigchk[%d] = %c%s%c;\n", i-1, 39, arr[i], 39; printf "sigchk[48] = %c%c0%c;\n", 39, 92, 39; print "#endif"; }' > sh_sig_chksum.h
fi
fi
]
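Review bot: The value that ends up in `SIG_HASH` and `sh_sig_chksum.h` is never checked for shape: `mychk` is taken from `--with-checksum` or from autodetection and piped straight into the sed/awk generator. The awk script emits one `sigchk[i]` assignment per input character and then sets `sigchk[48]`, so a short value leaves entries unassigned and a long one indexes past the 50-byte array in the generated header. Rejecting anything that is not 48 hexadecimal digits after the prefix and spaces are stripped would turn a mistyped checksum into a configure error rather than a binary pinned to a malformed hash. The same generator line appears in both branches of this hunk, so the check belongs before each of them (or in one shared macro).

```m4
dnl … unchanged: mychk chosen from --with-checksum or autodetection …
mychk_hex=`echo "${mychk}" | sed 's,.*:,,g' | sed 's, ,,g'`
mychk_bad=`echo "${mychk_hex}" | tr -d '0-9A-Fa-f'`
mychk_len=`echo "${mychk_hex}" | awk '{ print length($0) }'`
if test "x${mychk_bad}" != "x" || test "x${mychk_len}" != "x48"; then
  AC_MSG_ERROR([--with-checksum: CHKSUM must be 48 hexadecimal digits (TIGER192)])
fi
dnl … unchanged: AC_DEFINE of HAVE_SIG_CHECKSUM / SIG_HASH and header generation …
```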
@@ -2672,6 +2801,7 @@ Makefile
samhain-install.sh
init/samhain.startLSB
init/samhain.startLinux
+init/samhain.startSystemd
init/samhain.startGentoo
init/samhain.startFreeBSD
init/samhain.startSolaris
@@ -2687,7 +2817,8 @@ scripts/samhain.spec
scripts/redhat_i386.client.spec
scripts/samhain.ebuild
scripts/samhain.ebuild-light
-scripts/samhainadmin.pl
+scripts/samhainadmin-gpg.pl
+scripts/samhainadmin-sig.pl
scripts/yuleadmin.pl
scripts/check_samhain.pl
deploy.sh
@@ -2695,7 +2826,8 @@ deploy.sh
[
echo timestamp > stamp-h
chmod +x samhain-install.sh
-chmod +x scripts/samhainadmin.pl
+chmod +x scripts/samhainadmin-gpg.pl
+chmod +x scripts/samhainadmin-sig.pl
chmod +x scripts/yuleadmin.pl
chmod +x scripts/check_samhain.pl
]
@@ -2703,6 +2835,16 @@ chmod +x scripts/check_samhain.pl
chmod +x deploy.sh
+if test "x${mysignify}" != x
+then
+ cp -a scripts/samhainadmin-sig.pl scripts/samhainadmin.pl
+fi
+if test "x${mygpg}" != x
+then
+ cp -a scripts/samhainadmin-gpg.pl scripts/samhainadmin.pl
+fi
+
+
if test "x${cross_compiling}" = xyes
then