diff options
Diffstat (limited to 'app-forensics/aide/files/aide.cron')
| -rwxr-xr-x | app-forensics/aide/files/aide.cron | 192 |
1 files changed, 192 insertions, 0 deletions
diff --git a/app-forensics/aide/files/aide.cron b/app-forensics/aide/files/aide.cron new file mode 100755 index 000000000000..c28b78f8e9db --- /dev/null +++ b/app-forensics/aide/files/aide.cron @@ -0,0 +1,192 @@ +#!/bin/bash +# Modified: Benjamin Smee +# Date: Fri Sep 10 11:35:41 BST 2004 + +# This is the email address reports get mailed to +MAILTO=root@localhost + +# Set this to suppress mailings when there's nothing to report +QUIETREPORTS=1 + +# This parameter defines which aide command to run from the cron script. +# Sensible values are "update" and "check". +# Default is "check", ensuring backwards compatibility. +# Since "update" does not take any longer, it is recommended to use "update", +# so that a new database is created every day. The new database needs to be +# manually copied over the current one, though. +COMMAND=update + +# This parameter defines how many lines to return per e-mail. Output longer +# than this value will be truncated in the e-mail sent out. +LINES=1000 + +# This parameter gives a grep regular expression. If given, all output lines +# that _don't_ match the regexp are listed first in the script's output. This +# allows to easily remove noise from the aide report. +NOISE="(/var/cache/|/var/lib/|/var/tmp)" +PATH="/bin:/usr/bin:/sbin:/usr/sbin" +LOGDIR="/var/log/aide" +LOGFILE="aide.log" +CONFFILE="/etc/aide/aide.conf" +ERRORLOG="aide_error.log" +MAILLOG="aide_mail.log" +ERRORTMP=`tempfile --directory "/tmp" --prefix "$ERRORLOG"` + +[ -f /usr/bin/aide ] || exit 0 + +DATABASE=`grep "^database=file:/" $CONFFILE | head -n 1 | cut --delimiter=: --fields=2` +FQDN=`hostname -f` +DATE=`date +"at %Y-%m-%d %H:%M"` + +# default values + +DATABASE="${DATABASE:-/var/lib/aide/aide.db}" + +AIDEARGS="-V4" + +if [ ! -f $DATABASE ]; then + /usr/sbin/sendmail $MAILTO <<EOF +Subject: Daily AIDE report for $FQDN +From: root@${FQDN} +To: ${MAILTO} +Fatal error: The AIDE database does not exist! +This may mean you haven't created it, or it may mean that someone has removed it. +EOF + exit 0 +fi + +# Removed so no deps on debianutils - strerror +#[ -f "$LOGDIR/$LOGFILE" ] && savelog -j -t -g adm -m 640 -u root -c 7 "$LOGDIR/$LOGFILE" > /dev/null +#[ -f "$LOGDIR/$ERRORLOG" ] && savelog -j -t -g adm -m 640 -u root -c 7 "$LOGDIR/$ERRORLOG" > /dev/null + +aide $AIDEARGS --$COMMAND >"$LOGDIR/$LOGFILE" 2>"$ERRORTMP" +RETVAL=$? + +if [ -n "$QUIETREPORTS" ] && [ $QUIETREPORTS -a \! -s $LOGDIR/$LOGFILE -a \! -s $ERRORTMP ]; then + # Bail now because there was no output and QUIETREPORTS is set + exit 0 +fi + +MAILTMP=`tempfile --directory "/tmp" --prefix "$MAILLOG"` + +(cat << EOF +This is an automated report generated by the Advanced Intrusion Detection +Environment on $FQDN ${DATE}. + +EOF + +# include error log in daily report e-mail + +if [ "$RETVAL" != "0" ]; then + cat > "$LOGDIR/$ERRORLOG" << EOF + +***************************************************************************** +* aide returned a non-zero exit value * +***************************************************************************** + +EOF + echo "exit value is: $RETVAL" >> "$LOGDIR/$ERRORLOG" +else + touch "$LOGDIR/$ERRORLOG" +fi +< "$ERRORTMP" cat >> "$LOGDIR/$ERRORLOG" +rm -f "$ERRORTMP" + +if [ -s "$LOGDIR/$ERRORLOG" ]; then + errorlines=`wc -l "$LOGDIR/$ERRORLOG" | awk '{ print $1 }'` + if [ ${errorlines:=0} -gt $LINES ]; then + cat << EOF + +**************************************************************************** +* aide has returned many errors. * +* the error log output has been truncated in this mail * +**************************************************************************** + +EOF + echo "Error output is $errorlines lines, truncated to $LINES." + head -$LINES "$LOGDIR/$ERRORLOG" + echo "The full output can be found in $LOGDIR/$ERRORLOG." + else + echo "Errors produced ($errorlines lines):" + cat "$LOGDIR/$ERRORLOG" + fi +else + echo "AIDE produced no errors." +fi + +# include de-noised log + +if [ -n "$NOISE" ]; then + NOISETMP=`tempfile --directory "/tmp" --prefix "aidenoise"` + NOISETMP2=`tempfile --directory "/tmp" --prefix "aidenoise"` + sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" | \ + grep '^\(changed\|removed\|added\):' | \ + grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" > $NOISETMP2 + + if [ -n "$NOISE" ]; then + < $NOISETMP2 grep -v "^\(changed\|removed\|added\):$NOISE" > $NOISETMP + rm -f $NOISETMP2 + echo "De-Noised output removes everything matching $NOISE." + else + mv $NOISETMP2 $NOISETMP + echo "No noise expression was given." + fi + + if [ -s "$NOISETMP" ]; then + loglines=`< $NOISETMP wc -l | awk '{ print $1 }'` + if [ ${loglines:=0} -gt $LINES ]; then + cat << EOF + +**************************************************************************** +* aide has returned long output which has been truncated in this mail * +**************************************************************************** + +EOF + echo "De-Noised output is $loglines lines, truncated to $LINES." + < $NOISETMP head -$LINES + echo "The full output can be found in $LOGDIR/$LOGFILE." + else + echo "De-Noised output of the daily AIDE run ($loglines lines):" + cat $NOISETMP + fi + else + echo "AIDE detected no changes after removing noise." + fi + rm -f $NOISETMP + echo "============================================================================" +fi + +# include non-de-noised log + +if [ -s "$LOGDIR/$LOGFILE" ]; then + loglines=`wc -l "$LOGDIR/$LOGFILE" | awk '{ print $1 }'` + if [ ${loglines:=0} -gt $LINES ]; then + cat << EOF + +**************************************************************************** +* aide has returned long output which has been truncated in this mail * +**************************************************************************** + +EOF + echo "Output is $loglines lines, truncated to $LINES." + head -$LINES "$LOGDIR/$LOGFILE" + echo "The full output can be found in $LOGDIR/$LOGFILE." + else + echo "Output of the daily AIDE run ($loglines lines):" + cat "$LOGDIR/$LOGFILE" + fi +else + echo "AIDE detected no changes." +fi +) > ${MAILTMP} + +( +cat <<EOF +Subject: Daily AIDE report for $FQDN +From: root@${FQDN} +To: ${MAILTO} +EOF +cat ${MAILTMP} +) | /usr/sbin/sendmail $MAILTO + +rm -f "$MAILTMP" |