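#!/bin/bash
# Daily AIDE (Advanced Intrusion Detection Environment) cron job.
#
# Runs "aide --$COMMAND", keeps its report under $LOGDIR and mails a summary
# to $MAILTO: aide's error output first, then the report with noise lines
# (matching $NOISE) removed, then the full report. Each section is truncated
# to $LINES lines in the mail; the complete files stay in $LOGDIR.
#
# Modified: Benjamin Smee
# Date: Fri Sep 10 11:35:41 BST 2004

# This is the email address reports get mailed to
MAILTO=root@localhost
# Set this to suppress mailings when there's nothing to report
QUIETREPORTS=1
# This parameter defines which aide command to run from the cron script.
# Sensible values are "update" and "check".
# Default is "check", ensuring backwards compatibility.
# Since "update" does not take any longer, it is recommended to use "update",
# so that a new database is created every day. The new database needs to be
# manually copied over the current one, though.
COMMAND=update
# This parameter defines how many lines to return per e-mail. Output longer
# than this value will be truncated in the e-mail sent out.
LINES=1000
# This parameter gives an extended (grep -E) regular expression. If given, all
# output lines that _don't_ match the regexp are listed first in the script's
# output. This allows to easily remove noise from the aide report.
# NB: the default below relies on ERE alternation. With basic-regex grep, as
# the filter used to be invoked, "(" and "|" are literal characters and
# nothing would ever be filtered out.
NOISE="(/var/cache/|/var/lib/|/var/tmp)"

# Cron provides a minimal environment; pin PATH so that only system
# directories are searched for aide and the other tools used below.
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
LOGDIR="/var/log/aide"
LOGFILE="aide.log"
CONFFILE="/etc/aide/aide.conf"
ERRORLOG="aide_error.log"

# Nothing to do on a host without aide installed.
[ -f /usr/bin/aide ] || exit 0

# The stderr capture file is created with mktemp (coreutils) instead of
# tempfile (debianutils, which this script otherwise avoids depending on) and
# is removed on every exit path by the EXIT trap, including the early exits.
ERRORTMP=
cleanup() {
  if [ -n "$ERRORTMP" ]; then
    rm -f -- "$ERRORTMP"
  fi
}
trap cleanup EXIT
ERRORTMP=$(mktemp "/tmp/${ERRORLOG}.XXXXXX") || exit 1

# Database path from the configuration. "-f2-" keeps the whole remainder of
# the line so a path containing ':' is not cut short.
DATABASE=$(grep "^database=file:/" "$CONFFILE" | head -n 1 | cut -d: -f2-)
FQDN=$(hostname -f)
DATE=$(date +"at %Y-%m-%d %H:%M")
# default values
DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
AIDEARGS="-V4"

# Without a database there is nothing to compare against. This is mailed
# unconditionally: a vanished database is itself something to investigate.
# The blank line after the headers separates them from the message body.
if [ ! -f "$DATABASE" ]; then
  /usr/sbin/sendmail "$MAILTO" <<EOF
Subject: Daily AIDE report for $FQDN
From: root@${FQDN}
To: ${MAILTO}

Fatal error: The AIDE database does not exist!
This may mean you haven't created it, or it may mean that someone has removed it.
EOF
  exit 0
fi

# Removed so no deps on debianutils - strerror
#[ -f "$LOGDIR/$LOGFILE" ] && savelog -j -t -g adm -m 640 -u root -c 7 "$LOGDIR/$LOGFILE" > /dev/null
#[ -f "$LOGDIR/$ERRORLOG" ] && savelog -j -t -g adm -m 640 -u root -c 7 "$LOGDIR/$ERRORLOG" > /dev/null

# shellcheck disable=SC2086 -- AIDEARGS may legitimately hold several options
aide $AIDEARGS --"$COMMAND" >"$LOGDIR/$LOGFILE" 2>"$ERRORTMP"
RETVAL=$?

# Bail now because there was no output and QUIETREPORTS is set. A non-zero
# exit status is never silenced, so an aide failure that produced no output
# still results in a report.
if [ -n "$QUIETREPORTS" ] && [ "$RETVAL" -eq 0 ] \
    && [ ! -s "$LOGDIR/$LOGFILE" ] && [ ! -s "$ERRORTMP" ]; then
  exit 0
fi

#######################################
# Print the number of lines in a file.
# Arguments: $1 - path of the file
# Outputs:   the line count on stdout
#######################################
count_lines() {
  wc -l < "$1" | awk '{ print $1 }'
}

#######################################
# Write the body of the report mail.
# Globals:   FQDN DATE RETVAL LINES NOISE LOGDIR LOGFILE ERRORLOG ERRORTMP (read)
# Outputs:   the report body on stdout
# Side effects: (re)writes $LOGDIR/$ERRORLOG for this run
#######################################
report_body() {
  local errorlines loglines noisetmp
  cat <<EOF
This is an automated report generated by the Advanced Intrusion Detection
Environment on $FQDN ${DATE}.
EOF

  # include error log in daily report e-mail
  if [ "$RETVAL" != "0" ]; then
    # NOTE(review): recent aide releases encode the kind of change found
    # (new/removed/changed files) in the exit status, so a non-zero value is
    # not necessarily a failure; confirm against the installed version.
    cat > "$LOGDIR/$ERRORLOG" <<EOF
*****************************************************************************
* aide returned a non-zero exit value *
*****************************************************************************
EOF
    echo "exit value is: $RETVAL" >> "$LOGDIR/$ERRORLOG"
  else
    # Truncate rather than touch: with log rotation removed above, touch would
    # keep yesterday's contents and the appended errors would pile up.
    : > "$LOGDIR/$ERRORLOG"
  fi
  cat "$ERRORTMP" >> "$LOGDIR/$ERRORLOG"

  if [ -s "$LOGDIR/$ERRORLOG" ]; then
    errorlines=$(count_lines "$LOGDIR/$ERRORLOG")
    if [ "${errorlines:-0}" -gt "$LINES" ]; then
      cat <<EOF
****************************************************************************
* aide has returned many errors. *
* the error log output has been truncated in this mail *
****************************************************************************
EOF
      echo "Error output is $errorlines lines, truncated to $LINES."
      head -n "$LINES" "$LOGDIR/$ERRORLOG"
      echo "The full output can be found in $LOGDIR/$ERRORLOG."
    else
      echo "Errors produced ($errorlines lines):"
      cat "$LOGDIR/$ERRORLOG"
    fi
  else
    echo "AIDE produced no errors."
  fi

  # include de-noised log
  if [ -n "$NOISE" ]; then
    noisetmp=$(mktemp /tmp/aidenoise.XXXXXX) || { echo "mktemp failed" >&2; exit 1; }
    # Only the summary (before the per-file details) is filtered, keeping the
    # changed/removed/added lines. All patterns are ERE so the alternation in
    # $NOISE is honoured.
    sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" \
      | grep -E '^(changed|removed|added):' \
      | grep -E -v '^added: THERE WERE ALSO [0-9]+ FILES ADDED UNDER THIS DIRECTORY' \
      | grep -E -v "^(changed|removed|added):$NOISE" > "$noisetmp"
    echo "De-Noised output removes everything matching $NOISE."
    if [ -s "$noisetmp" ]; then
      loglines=$(count_lines "$noisetmp")
      if [ "${loglines:-0}" -gt "$LINES" ]; then
        cat <<EOF
****************************************************************************
* aide has returned long output which has been truncated in this mail *
****************************************************************************
EOF
        echo "De-Noised output is $loglines lines, truncated to $LINES."
        head -n "$LINES" "$noisetmp"
        echo "The full output can be found in $LOGDIR/$LOGFILE."
      else
        echo "De-Noised output of the daily AIDE run ($loglines lines):"
        cat "$noisetmp"
      fi
    else
      echo "AIDE detected no changes after removing noise."
    fi
    rm -f -- "$noisetmp"
    echo "============================================================================"
  fi

  # include non-de-noised log
  if [ -s "$LOGDIR/$LOGFILE" ]; then
    loglines=$(count_lines "$LOGDIR/$LOGFILE")
    if [ "${loglines:-0}" -gt "$LINES" ]; then
      cat <<EOF
****************************************************************************
* aide has returned long output which has been truncated in this mail *
****************************************************************************
EOF
      echo "Output is $loglines lines, truncated to $LINES."
      head -n "$LINES" "$LOGDIR/$LOGFILE"
      echo "The full output can be found in $LOGDIR/$LOGFILE."
    else
      echo "Output of the daily AIDE run ($loglines lines):"
      cat "$LOGDIR/$LOGFILE"
    fi
  else
    echo "AIDE detected no changes."
  fi
}

# Headers, a blank separator line, then the body, straight into sendmail;
# no intermediate mail file is needed.
{
  cat <<EOF
Subject: Daily AIDE report for $FQDN
From: root@${FQDN}
To: ${MAILTO}

EOF
  report_body
} | /usr/sbin/sendmail "$MAILTO"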