blob: c28b78f8e9db10c8bab3ee4a1b9fa443ec888994 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
|
#!/bin/bash
# Modified: Benjamin Smee
# Date: Fri Sep 10 11:35:41 BST 2004
# This is the email address reports get mailed to
MAILTO=root@localhost
# Set this to suppress mailings when there's nothing to report
QUIETREPORTS=1
# This parameter defines which aide command to run from the cron script.
# Sensible values are "update" and "check".
# Default is "check", ensuring backwards compatibility.
# Since "update" does not take any longer, it is recommended to use "update",
# so that a new database is created every day. The new database needs to be
# manually copied over the current one, though.
COMMAND=update
# This parameter defines how many lines to return per e-mail. Output longer
# than this value will be truncated in the e-mail sent out.
LINES=1000
# This parameter gives a grep regular expression. If given, all output lines
# that _don't_ match the regexp are listed first in the script's output. This
# allows to easily remove noise from the aide report.
NOISE="(/var/cache/|/var/lib/|/var/tmp)"
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
LOGDIR="/var/log/aide"
LOGFILE="aide.log"
CONFFILE="/etc/aide/aide.conf"
ERRORLOG="aide_error.log"
MAILLOG="aide_mail.log"
ERRORTMP=`tempfile --directory "/tmp" --prefix "$ERRORLOG"`
[ -f /usr/bin/aide ] || exit 0
DATABASE=`grep "^database=file:/" $CONFFILE | head -n 1 | cut --delimiter=: --fields=2`
FQDN=`hostname -f`
DATE=`date +"at %Y-%m-%d %H:%M"`
# default values
DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
AIDEARGS="-V4"
if [ ! -f $DATABASE ]; then
/usr/sbin/sendmail $MAILTO <<EOF
Subject: Daily AIDE report for $FQDN
From: root@${FQDN}
To: ${MAILTO}
Fatal error: The AIDE database does not exist!
This may mean you haven't created it, or it may mean that someone has removed it.
EOF
exit 0
fi
# Removed so no deps on debianutils - strerror
#[ -f "$LOGDIR/$LOGFILE" ] && savelog -j -t -g adm -m 640 -u root -c 7 "$LOGDIR/$LOGFILE" > /dev/null
#[ -f "$LOGDIR/$ERRORLOG" ] && savelog -j -t -g adm -m 640 -u root -c 7 "$LOGDIR/$ERRORLOG" > /dev/null
aide $AIDEARGS --$COMMAND >"$LOGDIR/$LOGFILE" 2>"$ERRORTMP"
RETVAL=$?
if [ -n "$QUIETREPORTS" ] && [ $QUIETREPORTS -a \! -s $LOGDIR/$LOGFILE -a \! -s $ERRORTMP ]; then
# Bail now because there was no output and QUIETREPORTS is set
exit 0
fi
MAILTMP=`tempfile --directory "/tmp" --prefix "$MAILLOG"`
(cat << EOF
This is an automated report generated by the Advanced Intrusion Detection
Environment on $FQDN ${DATE}.
EOF
# include error log in daily report e-mail
if [ "$RETVAL" != "0" ]; then
cat > "$LOGDIR/$ERRORLOG" << EOF
*****************************************************************************
* aide returned a non-zero exit value *
*****************************************************************************
EOF
echo "exit value is: $RETVAL" >> "$LOGDIR/$ERRORLOG"
else
touch "$LOGDIR/$ERRORLOG"
fi
< "$ERRORTMP" cat >> "$LOGDIR/$ERRORLOG"
rm -f "$ERRORTMP"
if [ -s "$LOGDIR/$ERRORLOG" ]; then
errorlines=`wc -l "$LOGDIR/$ERRORLOG" | awk '{ print $1 }'`
if [ ${errorlines:=0} -gt $LINES ]; then
cat << EOF
****************************************************************************
* aide has returned many errors. *
* the error log output has been truncated in this mail *
****************************************************************************
EOF
echo "Error output is $errorlines lines, truncated to $LINES."
head -$LINES "$LOGDIR/$ERRORLOG"
echo "The full output can be found in $LOGDIR/$ERRORLOG."
else
echo "Errors produced ($errorlines lines):"
cat "$LOGDIR/$ERRORLOG"
fi
else
echo "AIDE produced no errors."
fi
# include de-noised log
if [ -n "$NOISE" ]; then
NOISETMP=`tempfile --directory "/tmp" --prefix "aidenoise"`
NOISETMP2=`tempfile --directory "/tmp" --prefix "aidenoise"`
sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" | \
grep '^\(changed\|removed\|added\):' | \
grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" > $NOISETMP2
if [ -n "$NOISE" ]; then
< $NOISETMP2 grep -v "^\(changed\|removed\|added\):$NOISE" > $NOISETMP
rm -f $NOISETMP2
echo "De-Noised output removes everything matching $NOISE."
else
mv $NOISETMP2 $NOISETMP
echo "No noise expression was given."
fi
if [ -s "$NOISETMP" ]; then
loglines=`< $NOISETMP wc -l | awk '{ print $1 }'`
if [ ${loglines:=0} -gt $LINES ]; then
cat << EOF
****************************************************************************
* aide has returned long output which has been truncated in this mail *
****************************************************************************
EOF
echo "De-Noised output is $loglines lines, truncated to $LINES."
< $NOISETMP head -$LINES
echo "The full output can be found in $LOGDIR/$LOGFILE."
else
echo "De-Noised output of the daily AIDE run ($loglines lines):"
cat $NOISETMP
fi
else
echo "AIDE detected no changes after removing noise."
fi
rm -f $NOISETMP
echo "============================================================================"
fi
# include non-de-noised log
if [ -s "$LOGDIR/$LOGFILE" ]; then
loglines=`wc -l "$LOGDIR/$LOGFILE" | awk '{ print $1 }'`
if [ ${loglines:=0} -gt $LINES ]; then
cat << EOF
****************************************************************************
* aide has returned long output which has been truncated in this mail *
****************************************************************************
EOF
echo "Output is $loglines lines, truncated to $LINES."
head -$LINES "$LOGDIR/$LOGFILE"
echo "The full output can be found in $LOGDIR/$LOGFILE."
else
echo "Output of the daily AIDE run ($loglines lines):"
cat "$LOGDIR/$LOGFILE"
fi
else
echo "AIDE detected no changes."
fi
) > ${MAILTMP}
(
cat <<EOF
Subject: Daily AIDE report for $FQDN
From: root@${FQDN}
To: ${MAILTO}
EOF
cat ${MAILTMP}
) | /usr/sbin/sendmail $MAILTO
rm -f "$MAILTMP"
|