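#!/bin/bash
#
# Daily AIDE cron job: run "aide --$COMMAND", keep its output under $LOGDIR
# and mail a report (error log, de-noised change list, full change list)
# to $MAILTO.
#
# Modified: Benjamin Smee
# Date: Fri Sep 10 11:35:41 BST 2004
#
# Log rotation with savelog was removed to avoid a dependency on debianutils;
# for the same reason temporary files are created with mktemp (coreutils)
# instead of tempfile. $LOGDIR/$LOGFILE and $LOGDIR/$ERRORLOG are rewritten
# on every run, and all temporary files are removed by an EXIT trap on every
# exit path.

# This is the email address reports get mailed to
MAILTO=root@localhost

# Set this to a non-empty value to suppress mailings when there's nothing to
# report. A run that exits non-zero is always reported, even without output,
# so a broken aide installation does not go unnoticed.
QUIETREPORTS=1

# This parameter defines which aide command to run from the cron script.
# Sensible values are "update" and "check".
# Default is "check", ensuring backwards compatibility.
# Since "update" does not take any longer, it is recommended to use "update",
# so that a new database is created every day. The new database needs to be
# manually copied over the current one, though.
COMMAND=update

# This parameter defines how many lines to return per e-mail. Output longer
# than this value will be truncated in the e-mail sent out.
LINES=1000

# This parameter gives an extended (grep -E) regular expression. If given,
# all change lines that _don't_ match the regexp are listed first in the
# script's output. This allows to easily remove noise from the aide report.
# Leave it empty to skip the de-noised section.
NOISE="(/var/cache/|/var/lib/|/var/tmp)"

PATH="/bin:/usr/bin:/sbin:/usr/sbin"
LOGDIR="/var/log/aide"
LOGFILE="aide.log"
CONFFILE="/etc/aide/aide.conf"
ERRORLOG="aide_error.log"
MAILLOG="aide_mail.log"
AIDEARGS="-V4"

# Temporary files registered by make_temp; removed by cleanup on exit.
TMPFILES=()

#######################################
# Remove every registered temporary file. Runs from the EXIT trap.
# Globals:   TMPFILES (read)
#######################################
cleanup() {
  [ "${#TMPFILES[@]}" -eq 0 ] || rm -f -- "${TMPFILES[@]}"
}
trap cleanup EXIT

#######################################
# Create a temporary file in /tmp and register it for removal on exit.
# Arguments: $1 - name of the variable that receives the path
#            $2 - name prefix for the temporary file
# Globals:   TMPFILES (written)
# Returns:   non-zero if mktemp fails
#######################################
make_temp() {
  local __mt_path
  __mt_path=$(mktemp "/tmp/$2.XXXXXX") || return 1
  TMPFILES+=("$__mt_path")
  # printf -v assigns in the caller's scope, so the registration above is
  # not lost in a command-substitution subshell.
  printf -v "$1" '%s' "$__mt_path"
}

#######################################
# Mail the report headers followed by the body read from standard input.
# Globals:   MAILTO, FQDN (read)
#######################################
send_report() {
  {
    printf 'Subject: Daily AIDE report for %s\n' "$FQDN"
    printf 'From: root@%s\n' "$FQDN"
    printf 'To: %s\n' "$MAILTO"
    # An empty line must separate the headers from the body (RFC 5322);
    # without it the first body line is parsed as a header.
    printf '\n'
    cat
  } | /usr/sbin/sendmail "$MAILTO"
}

#######################################
# Banner written to the error log when aide exits non-zero.
#######################################
banner_nonzero_exit() {
  cat <<'EOF'

*****************************************************************************
* aide returned a non-zero exit value *
*****************************************************************************

EOF
}

#######################################
# Banner shown when the error log is truncated in the mail.
#######################################
banner_many_errors() {
  cat <<'EOF'

****************************************************************************
* aide has returned many errors. *
* the error log output has been truncated in this mail *
****************************************************************************

EOF
}

#######################################
# Banner shown when a change listing is truncated in the mail.
#######################################
banner_long_output() {
  cat <<'EOF'

****************************************************************************
* aide has returned long output which has been truncated in this mail *
****************************************************************************

EOF
}

#######################################
# Print a log file to stdout, truncated to $LINES lines.
# Arguments: $1 - file to print
#            $2 - function printing the banner shown when truncating
#            $3 - noun used in the "... is N lines" message
#            $4 - heading used when the file fits in the mail
#            $5 - path to name as the location of the full output
# Globals:   LINES (read)
#######################################
print_log() {
  local file=$1 banner=$2 noun=$3 heading=$4 fullpath=$5
  local count
  # wc -l pads its count with spaces on some systems; strip them.
  count=$(wc -l < "$file" | tr -d '[:space:]')
  [ -n "$count" ] || count=0
  if [ "$count" -gt "$LINES" ]; then
    "$banner"
    printf '%s is %s lines, truncated to %s.\n' "$noun" "$count" "$LINES"
    head -n "$LINES" -- "$file"
    printf 'The full output can be found in %s.\n' "$fullpath"
  else
    printf '%s (%s lines):\n' "$heading" "$count"
    cat -- "$file"
  fi
}

#######################################
# Rewrite $LOGDIR/$ERRORLOG from aide's exit status and captured stderr,
# then print it to stdout.
# Globals:   LOGDIR, ERRORLOG, ERRORTMP, RETVAL (read)
#######################################
report_errors() {
  local errorlog="$LOGDIR/$ERRORLOG"
  # Start from an empty file: with log rotation gone, appending to the
  # previous day's log would report stale errors as if they were new.
  if [ "$RETVAL" != "0" ]; then
    {
      banner_nonzero_exit
      printf 'exit value is: %s\n' "$RETVAL"
    } > "$errorlog"
  else
    : > "$errorlog"
  fi
  cat -- "$ERRORTMP" >> "$errorlog"

  if [ -s "$errorlog" ]; then
    print_log "$errorlog" banner_many_errors "Error output" \
      "Errors produced" "$errorlog"
  else
    echo "AIDE produced no errors."
  fi
}

#######################################
# Print the change lines of the aide log that do not match $NOISE.
# Does nothing when $NOISE is empty.
# Globals:   NOISE, LOGDIR, LOGFILE (read)
#######################################
report_denoised() {
  [ -n "$NOISE" ] || return 0
  local noisetmp
  make_temp noisetmp aidenoise || return 1
  # Only the summary part of the log (before the detailed listing) holds one
  # "changed:/removed:/added:" line per path. $NOISE is an extended regular
  # expression, so the last filter needs grep -E; with plain grep (BRE) the
  # '(' and '|' in the default expression are literal and nothing is removed.
  sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" \
    | grep '^\(changed\|removed\|added\):' \
    | grep -v '^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY' \
    | grep -E -v "^(changed|removed|added):$NOISE" > "$noisetmp"
  printf 'De-Noised output removes everything matching %s.\n' "$NOISE"
  if [ -s "$noisetmp" ]; then
    print_log "$noisetmp" banner_long_output "De-Noised output" \
      "De-Noised output of the daily AIDE run" "$LOGDIR/$LOGFILE"
  else
    echo "AIDE detected no changes after removing noise."
  fi
  rm -f -- "$noisetmp"
  echo "============================================================================"
}

#######################################
# Print the complete aide log.
# Globals:   LOGDIR, LOGFILE (read)
#######################################
report_full() {
  local logfile="$LOGDIR/$LOGFILE"
  if [ -s "$logfile" ]; then
    print_log "$logfile" banner_long_output "Output" \
      "Output of the daily AIDE run" "$logfile"
  else
    echo "AIDE detected no changes."
  fi
}

#######################################
# Print the whole report body to stdout.
# Globals:   FQDN, DATE (read)
#######################################
build_report() {
  cat <<EOF
This is an automated report generated by the Advanced Intrusion Detection
Environment on $FQDN ${DATE}.

EOF
  report_errors
  report_denoised
  report_full
}

#######################################
# Run aide and mail the report.
# Globals:   DATABASE, FQDN, DATE, ERRORTMP, RETVAL, MAILTMP (written)
#######################################
main() {
  # Nothing to do on hosts where aide is not installed.
  [ -x /usr/bin/aide ] || exit 0

  # First "database=file:..." entry; -f2- keeps any ':' inside the path.
  DATABASE=$(grep '^database=file:/' "$CONFFILE" | head -n 1 | cut -d: -f2-)
  DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
  FQDN=$(hostname -f)
  DATE=$(date +"at %Y-%m-%d %H:%M")

  if [ ! -f "$DATABASE" ]; then
    send_report <<EOF
Fatal error: The AIDE database does not exist!
This may mean you haven't created it, or it may mean that someone has removed it.
EOF
    exit 0
  fi

  make_temp ERRORTMP "$ERRORLOG" || exit 1
  # $AIDEARGS is intentionally unquoted: it may hold several options.
  # shellcheck disable=SC2086
  aide $AIDEARGS --"$COMMAND" > "$LOGDIR/$LOGFILE" 2> "$ERRORTMP"
  RETVAL=$?

  # Bail now because there was no output and QUIETREPORTS is set; a failed
  # run is reported regardless so that silent breakage is noticed.
  if [ -n "${QUIETREPORTS:-}" ] && [ "$RETVAL" = "0" ] \
     && [ ! -s "$LOGDIR/$LOGFILE" ] && [ ! -s "$ERRORTMP" ]; then
    exit 0
  fi

  # Build the complete report before invoking sendmail.
  make_temp MAILTMP "$MAILLOG" || exit 1
  build_report > "$MAILTMP"
  send_report < "$MAILTMP"
}

main "$@"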