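#!/bin/bash
# Modified: Benjamin Smee
# Date: Fri Sep 10 11:35:41 BST 2004
#
# Daily AIDE cron wrapper.  Runs "aide --$COMMAND", keeps the report and the
# error output under $LOGDIR, and mails a summary (error log, de-noised change
# list, full change list; each truncated to $LINES lines) to $MAILTO.
# Intended to run as root from cron; it exits 0 whenever there is nothing to
# do so that cron itself stays quiet.
#
# "set -e" is deliberately not used: aide exits non-zero by design when it
# finds changes, and grep exits 1 when it filters every line away.  Both are
# normal here and are handled explicitly.  Unset variables are still an error.
set -u

# This is the email address reports get mailed to
MAILTO=root@localhost

# Set this to suppress mailings when there's nothing to report
QUIETREPORTS=1

# This parameter defines which aide command to run from the cron script.
# Sensible values are "update" and "check".
# Default is "check", ensuring backwards compatibility.
# Since "update" does not take any longer, it is recommended to use "update",
# so that a new database is created every day. The new database needs to be
# manually copied over the current one, though.
COMMAND=update

# This parameter defines how many lines to return per e-mail. Output longer
# than this value will be truncated in the e-mail sent out.
LINES=1000

# This parameter gives a grep -E (extended) regular expression. If given, all
# output lines that _don't_ match the regexp are listed first in the script's
# output. This allows to easily remove noise from the aide report.
NOISE="(/var/cache/|/var/lib/|/var/tmp)"

# Fixed PATH: cron's environment is minimal and must not be trusted to locate
# the aide and sendmail binaries.
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
LOGDIR="/var/log/aide"
LOGFILE="aide.log"
CONFFILE="/etc/aide/aide.conf"
ERRORLOG="aide_error.log"
MAILLOG="aide_mail.log"
# Extra arguments passed to aide (word-split on purpose, like a command line).
AIDEARGS="-V4"

# Nothing to do on a host where aide is not installed.
[ -x /usr/bin/aide ] || exit 0

# COMMAND is spliced into an option name below; accept only the two documented
# values so a typo in the config cannot turn into an arbitrary aide option.
case "$COMMAND" in
  check|update) ;;
  *)
    printf 'aide cron: COMMAND must be "check" or "update", not "%s"\n' "$COMMAND" >&2
    exit 1
    ;;
esac

# The report names every system file that changed; keep the logs readable by
# root (and its group) only.  The savelog rotation this script used to run
# created them with mode 640 for the same reason.
umask 027

# All temporary files are tracked here and removed on every exit path,
# including the early "nothing to report" exits that previously left the
# error capture file behind in /tmp.
ERRORTMP=""
MAILTMP=""
NOISETMP=""
cleanup() {
  local f
  for f in "$ERRORTMP" "$MAILTMP" "$NOISETMP"; do
    [ -n "$f" ] && rm -f -- "$f"
  done
  return 0
}
trap cleanup EXIT

FQDN=$(hostname -f 2>/dev/null) || FQDN=$(hostname)
DATE=$(date +"at %Y-%m-%d %H:%M")

#######################################
# Mail stdin as the body of the daily report.
# Globals:   FQDN, MAILTO (read)
# Outputs:   nothing on stdout; the message is handed to sendmail
#######################################
send_mail() {
  # shellcheck disable=SC2086 -- MAILTO may hold several space-separated addresses
  {
    printf 'Subject: Daily AIDE report for %s\n' "$FQDN"
    printf 'From: root@%s\n' "$FQDN"
    printf 'To: %s\n' "$MAILTO"
    # The empty line separates headers from body; without it the first body
    # line is read by the MTA as a (malformed) header.
    printf '\n'
    cat
  } | /usr/sbin/sendmail $MAILTO
}

# Database path: the first "database=file:..." line of aide.conf, everything
# after "file:" (cut -f2 on ':' would have truncated a path containing ':').
DATABASE=""
if [ -r "$CONFFILE" ]; then
  dbline=$(grep '^database=file:/' -- "$CONFFILE" | head -n 1)
  DATABASE=${dbline#database=file:}
fi
DATABASE="${DATABASE:-/var/lib/aide/aide.db}"

if [ ! -f "$DATABASE" ]; then
  send_mail <<EOF
Fatal error: The AIDE database does not exist!
This may mean you haven't created it, or it may mean that someone has removed it.
EOF
  exit 0
fi

ERRORTMP=$(mktemp "/tmp/${ERRORLOG}.XXXXXX") || exit 1

# Run aide.  A non-zero status is expected whenever changes are found, so it
# is captured and reported rather than treated as a script failure.
RETVAL=0
# shellcheck disable=SC2086 -- AIDEARGS is a word list by design
aide $AIDEARGS "--$COMMAND" >"$LOGDIR/$LOGFILE" 2>"$ERRORTMP" || RETVAL=$?

# Nothing to report: aide succeeded and neither the report nor the error
# output has any content.  A non-zero status with no output is still mailed,
# so a silent failure of aide is not mistaken for a clean run.
if [ -n "$QUIETREPORTS" ] && [ "$RETVAL" -eq 0 ] \
    && [ ! -s "$LOGDIR/$LOGFILE" ] && [ ! -s "$ERRORTMP" ]; then
  exit 0
fi

# Build this run's error log.  It is truncated on every run: the savelog
# rotation was removed, and a bare "touch" kept appending today's errors to
# whatever previous runs had left in the file.
if [ "$RETVAL" -ne 0 ]; then
  {
    cat <<EOF

*****************************************************************************
*                    aide returned a non-zero exit value                    *
*****************************************************************************

EOF
    printf 'exit value is: %s\n' "$RETVAL"
  } > "$LOGDIR/$ERRORLOG"
else
  : > "$LOGDIR/$ERRORLOG"
fi
cat -- "$ERRORTMP" >> "$LOGDIR/$ERRORLOG"
rm -f -- "$ERRORTMP"
ERRORTMP=""

readonly BANNER_ERRORS='****************************************************************************
*                      aide has returned many errors.                      *
*           the error log output has been truncated in this mail           *
****************************************************************************'
readonly BANNER_LONG='****************************************************************************
*   aide has returned long output which has been truncated in this mail    *
****************************************************************************'

#######################################
# Print one log file for the mail, truncated to LINES lines if it is longer.
# Globals:   LINES (read)
# Arguments:
#   $1 - file to print
#   $2 - path named in the "full output can be found in" hint
#   $3 - banner shown above a truncated file
#   $4 - label for the "... is N lines, truncated to M." message
#   $5 - label for the "... (N lines):" heading
#   $6 - message printed when the file is empty
# Outputs:   the section, on stdout
#######################################
print_section() {
  local file=$1 fullpath=$2 banner=$3 over=$4 under=$5 empty=$6
  local count
  if [ ! -s "$file" ]; then
    printf '%s\n' "$empty"
    return 0
  fi
  count=$(wc -l < "$file")
  count=$((count + 0))   # strip the padding some wc builds emit
  if [ "$count" -gt "$LINES" ]; then
    printf '\n%s\n\n' "$banner"
    printf '%s is %s lines, truncated to %s.\n' "$over" "$count" "$LINES"
    head -n "$LINES" -- "$file"
    printf 'The full output can be found in %s.\n' "$fullpath"
  else
    printf '%s (%s lines):\n' "$under" "$count"
    cat -- "$file"
  fi
}

#######################################
# Print the de-noised change list: the summary "changed:/removed:/added:"
# lines of the report, minus the per-directory "THERE WERE ALSO" summaries,
# minus everything matching NOISE.
# grep -E is used throughout: NOISE relies on ERE grouping "( | )", which the
# basic-regex grep used before took literally, so the noise filter never
# removed anything.  The summary lines carry a space after the colon (the
# "THERE WERE ALSO" filter already assumes "added: "), hence the optional
# space in front of the noise expression.
# Globals:   LOGDIR, LOGFILE, NOISE, BANNER_LONG (read), NOISETMP (written)
# Outputs:   the section, on stdout
#######################################
print_denoised() {
  NOISETMP=$(mktemp /tmp/aidenoise.XXXXXX) || {
    printf 'De-Noised output skipped: could not create a temporary file.\n'
    return 1
  }
  sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" \
    | grep -E '^(changed|removed|added):' \
    | grep -Ev '^added: THERE WERE ALSO [0-9]+ FILES ADDED UNDER THIS DIRECTORY' \
    | grep -Ev "^(changed|removed|added): ?$NOISE" > "$NOISETMP"
  printf 'De-Noised output removes everything matching %s.\n' "$NOISE"
  print_section "$NOISETMP" "$LOGDIR/$LOGFILE" "$BANNER_LONG" \
    "De-Noised output" "De-Noised output of the daily AIDE run" \
    "AIDE detected no changes after removing noise."
  rm -f -- "$NOISETMP"
  NOISETMP=""
  printf '%s\n' "============================================================================"
}

MAILTMP=$(mktemp "/tmp/${MAILLOG}.XXXXXX") || exit 1

{
  cat <<EOF
This is an automated report generated by the Advanced Intrusion Detection
Environment on $FQDN ${DATE}.

EOF

  # include error log in daily report e-mail
  print_section "$LOGDIR/$ERRORLOG" "$LOGDIR/$ERRORLOG" "$BANNER_ERRORS" \
    "Error output" "Errors produced" "AIDE produced no errors."

  # include de-noised log
  if [ -n "$NOISE" ]; then
    print_denoised
  fi

  # include non-de-noised log
  print_section "$LOGDIR/$LOGFILE" "$LOGDIR/$LOGFILE" "$BANNER_LONG" \
    "Output" "Output of the daily AIDE run" "AIDE detected no changes."
} > "$MAILTMP"

send_mail < "$MAILTMP"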