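#!/bin/bash
# Modified: Benjamin Smee
# Date: Fri Sep 10 11:35:41 BST 2004
#
# Daily AIDE cron wrapper.  Runs aide, keeps its output and error output under
# $LOGDIR and mails a three-part report (errors, de-noised change list, full
# change list) to $MAILTO.  Only bash, GNU coreutils/grep/sed, aide and
# sendmail are needed; the debianutils helpers (savelog, tempfile) are not
# used so the script also works where they are absent.

# This is the email address reports get mailed to
MAILTO=root@localhost

# Set this to any non-empty value to suppress mailings when there's nothing to
# report, i.e. both the aide output and its error output are empty.  Leave it
# empty (QUIETREPORTS=) to always get a mail, which also proves the job ran.
QUIETREPORTS=1

# This parameter defines which aide command to run from the cron script.
# Sensible values are "update" and "check".
# Default is "check", ensuring backwards compatibility.
# Since "update" does not take any longer, it is recommended to use "update",
# so that a new database is created every day. The new database needs to be
# manually copied over the current one, though.
COMMAND=update

# This parameter defines how many lines to return per e-mail. Output longer
# than this value will be truncated in the e-mail sent out.
LINES=1000

# This parameter gives an extended (grep -E) regular expression. If given, all
# change lines whose path matches it are removed from the de-noised section of
# the report; the full, unfiltered output still follows further down.  Keep it
# narrow: whatever it matches is hidden from the first thing the reader sees.
NOISE="(/var/cache/|/var/lib/|/var/tmp)"
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
LOGDIR="/var/log/aide"
LOGFILE="aide.log"
CONFFILE="/etc/aide/aide.conf"
ERRORLOG="aide_error.log"
MAILLOG="aide_mail.log"
AIDE="/usr/bin/aide"
AIDEARGS="-V4"

# The logs list which system files changed; don't leave them world-readable.
# (The former savelog rotation, dropped to avoid debianutils, installed them
# as 0640 root:adm; this keeps that intent for newly created files.)
umask 027

# Nothing to do on a host without aide.
[ -x "$AIDE" ] || exit 0

# Every temporary file is recorded in one of these so that a single trap
# removes it on every exit path, including early exits.
ERRORTMP=
MAILTMP=
NOISETMP=

#######################################
# Remove all temporary files created so far.
# Globals:   ERRORTMP, MAILTMP, NOISETMP (read)
#######################################
cleanup() {
  local f
  for f in "$ERRORTMP" "$MAILTMP" "$NOISETMP"; do
    [ -n "$f" ] && rm -f -- "$f"
  done
  return 0
}
trap cleanup EXIT

# mktemp (coreutils) creates the file with mode 0600 and an unpredictable
# name, replacing the Debian-only tempfile(1).
ERRORTMP=$(mktemp "/tmp/${ERRORLOG}.XXXXXX") || exit 1

# Database location from aide.conf: first "database=file:<path>" line.
# Stripping the prefix (instead of cut -d:) keeps paths that contain ':'.
DATABASE=
if [ -r "$CONFFILE" ]; then
  dbline=$(grep '^database=file:/' "$CONFFILE" | head -n 1)
  DATABASE=${dbline#database=file:}
fi
FQDN=$(hostname -f)
DATE=$(date +"at %Y-%m-%d %H:%M")

# default values

DATABASE="${DATABASE:-/var/lib/aide/aide.db}"

# Banners used when a section of the report had to be truncated.
BANNER_RETVAL=$(cat <<'EOF'
*****************************************************************************
* aide returned a non-zero exit value *
*****************************************************************************
EOF
)
BANNER_ERRORS=$(cat <<'EOF'
****************************************************************************
* aide has returned many errors. *
* the error log output has been truncated in this mail *
****************************************************************************
EOF
)
BANNER_LONG=$(cat <<'EOF'
****************************************************************************
* aide has returned long output which has been truncated in this mail *
****************************************************************************
EOF
)

#######################################
# Print the mail headers shared by every mail this script sends.
# Globals:   FQDN, MAILTO (read)
# Outputs:   RFC 822 headers on stdout (no trailing blank line)
#######################################
mail_header() {
  cat <<EOF
Subject: Daily AIDE report for $FQDN
From: root@${FQDN}
To: ${MAILTO}
EOF
}

#######################################
# Count the lines of a file, always yielding a plain integer (0 for empty).
# Arguments: $1 - file
# Outputs:   the line count on stdout
#######################################
line_count() {
  local n
  n=$(wc -l < "$1")
  echo $(( n + 0 ))
}

#######################################
# Append one log file to the report, truncated to $LINES lines if needed.
# Globals:   LINES (read)
# Arguments: $1 - file to include
#            $2 - subject used in "<subject> is N lines, truncated to ..."
#            $3 - heading used when the file fits: "<heading> (N lines):"
#            $4 - path named as the place where the full output can be found
#            $5 - banner printed before the truncated output
# Outputs:   report text on stdout
#######################################
report_section() {
  local file=$1 what=$2 heading=$3 fullpath=$4 banner=$5
  local n
  n=$(line_count "$file")
  if [ "$n" -gt "$LINES" ]; then
    printf '\n%s\n\n' "$banner"
    echo "$what is $n lines, truncated to $LINES."
    head -n "$LINES" -- "$file"
    echo "The full output can be found in $fullpath."
  else
    echo "$heading ($n lines):"
    cat -- "$file"
  fi
}

#######################################
# Write the body of the daily report to stdout.
# Globals:   FQDN, DATE, RETVAL, ERRORTMP, LOGDIR, LOGFILE, ERRORLOG,
#            NOISE, BANNER_* (read); NOISETMP (written, for the trap)
# Outputs:   report body on stdout
# Returns:   0, or 1 if a temporary file could not be created
#######################################
build_report() {
  cat <<EOF
This is an automated report generated by the Advanced Intrusion Detection
Environment on $FQDN ${DATE}.

EOF

  # include error log in daily report e-mail

  # The error log is rewritten from scratch on every run.  The old code only
  # touched it when aide exited 0, so stale error text from earlier days was
  # appended to and re-mailed day after day once log rotation was removed.
  if [ "$RETVAL" != "0" ]; then
    # aide exits non-zero whenever it detected changes, not only on errors, so
    # this block is expected on most days that have something to report.
    {
      printf '\n%s\n\n' "$BANNER_RETVAL"
      echo "exit value is: $RETVAL"
    } > "$LOGDIR/$ERRORLOG"
  else
    : > "$LOGDIR/$ERRORLOG"
  fi
  cat -- "$ERRORTMP" >> "$LOGDIR/$ERRORLOG"

  if [ -s "$LOGDIR/$ERRORLOG" ]; then
    report_section "$LOGDIR/$ERRORLOG" "Error output" "Errors produced" \
      "$LOGDIR/$ERRORLOG" "$BANNER_ERRORS"
  else
    echo "AIDE produced no errors."
  fi

  # include de-noised log

  # (The "No noise expression was given" branch of the old code was
  # unreachable: it sat inside this same test.)
  if [ -n "$NOISE" ]; then
    NOISETMP=$(mktemp "/tmp/aidenoise.XXXXXX") || return 1
    # Only the summary part of the log (everything before the detailed
    # section) has the one-line-per-file entries we filter here.  NOISE is
    # an ERE, so all stages use grep -E; with plain grep the default NOISE
    # value's "(...|...)" was taken literally and never matched anything.
    sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" \
      | grep -E '^(changed|removed|added):' \
      | grep -E -v '^added: THERE WERE ALSO [0-9]+ FILES ADDED UNDER THIS DIRECTORY' \
      | grep -E -v "^(changed|removed|added):$NOISE" > "$NOISETMP"
    # grep exits 2 on a bad pattern; say so instead of silently reporting
    # "no changes" because the last stage produced nothing.
    if [ "${PIPESTATUS[3]}" -eq 2 ]; then
      echo "WARNING: the noise expression could not be applied (invalid regular expression?); see the full output below."
    fi
    echo "De-Noised output removes everything matching $NOISE."

    if [ -s "$NOISETMP" ]; then
      report_section "$NOISETMP" "De-Noised output" \
        "De-Noised output of the daily AIDE run" "$LOGDIR/$LOGFILE" "$BANNER_LONG"
    else
      echo "AIDE detected no changes after removing noise."
    fi
    rm -f -- "$NOISETMP"
    NOISETMP=
    echo "============================================================================"
  fi

  # include non-de-noised log

  if [ -s "$LOGDIR/$LOGFILE" ]; then
    report_section "$LOGDIR/$LOGFILE" "Output" "Output of the daily AIDE run" \
      "$LOGDIR/$LOGFILE" "$BANNER_LONG"
  else
    echo "AIDE detected no changes."
  fi
  return 0
}

# A missing database is itself worth a mail: it may never have been created,
# or someone may have removed it to blind the check.
if [ ! -f "$DATABASE" ]; then
  {
    mail_header
    cat <<EOF
Fatal error: The AIDE database does not exist!
This may mean you haven't created it, or it may mean that someone has removed it.
EOF
  } | /usr/sbin/sendmail "$MAILTO"
  exit 0
fi

# Removed so no deps on debianutils - strerror
#[ -f "$LOGDIR/$LOGFILE" ] && savelog -j -t -g adm -m 640 -u root -c 7 "$LOGDIR/$LOGFILE" > /dev/null
#[ -f "$LOGDIR/$ERRORLOG" ] && savelog -j -t -g adm -m 640 -u root -c 7 "$LOGDIR/$ERRORLOG" > /dev/null

# AIDEARGS is deliberately unquoted: it may hold several options.
# shellcheck disable=SC2086
"$AIDE" $AIDEARGS --"$COMMAND" > "$LOGDIR/$LOGFILE" 2> "$ERRORTMP"
RETVAL=$?

# Bail now if there was no output at all and QUIETREPORTS is set
if [ -n "$QUIETREPORTS" ] && [ ! -s "$LOGDIR/$LOGFILE" ] && [ ! -s "$ERRORTMP" ]; then
  exit 0
fi

MAILTMP=$(mktemp "/tmp/${MAILLOG}.XXXXXX") || exit 1

build_report > "$MAILTMP"

{
  mail_header
  cat -- "$MAILTMP"
} | /usr/sbin/sendmail "$MAILTO"

# The EXIT trap would remove these anyway; do it explicitly for clarity.
rm -f -- "$MAILTMP" "$ERRORTMP"
MAILTMP=
ERRORTMP=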