# Daily AIDE integrity-check job (Debian-style /etc/cron.daily/aide):
# rotate the previous logs, run `aide --$COMMAND`, then build a report
# (errors, de-noised changes, raw changes) and mail it to $MAILTO.
# This is an excerpt: the leading number on each line is the original
# file's line number and several lines are not shown (the `(` that opens
# the report subshell, the RETVAL assignment, heredoc terminators, ...).
#
# Pin PATH so the job does not depend on whatever environment cron hands
# us; every external tool below (aide, mail, savelog, tempfile, grep, ...)
# is resolved through this list.
3 PATH="/sbin:/usr/sbin:/bin:/usr/bin"
# Config generated from /etc/aide/aide.conf.d; read below only to discover
# the database path.
6 CONFFILE="/var/lib/aide/aide.conf.autogenerated"
# Scratch file for aide's stderr. tempfile (debianutils) creates it in the
# world-writable /tmp; the helper is deprecated in favour of mktemp.
# NOTE(review): $ERRORLOG is used as the prefix here but is not assigned in
# the lines shown — presumably set earlier or in /etc/default/aide; confirm,
# otherwise tempfile silently falls back to its default prefix.
8 ERRORTMP=`tempfile --directory "/tmp" --prefix "$ERRORLOG"`
# Nothing to do if the aide binary is gone (package removed, not purged).
10 [ -f /usr/bin/aide ] || exit 0
# Admin-supplied settings (MAILTO, LINES, COMMAND, QUIETREPORTS, NOISE,
# AIDEARGS are referenced below). Body of this block is not shown.
12 if [ -f /etc/default/aide ]; then
# Database path = everything after the first ':' of the first
# `database=file:/...` line. Because cut keeps only field 2, a path that
# itself contains ':' is truncated here. $CONFFILE is unquoted.
16 DATABASE=`grep "^database=file:/" $CONFFILE | head -1 | cut --delimiter=: --fields=2`
# Timestamp embedded in the report header.
18 DATE=`date +"at %Y-%m-%d %H:%M"`
# Fallbacks, applied only when /etc/default/aide left the value empty.
22 MAILTO="${MAILTO:-root}"
23 DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
24 LINES="${LINES:-1000}"
25 COMMAND="${COMMAND:-check}"
# A missing database is reported as fatal: it may be an install problem or
# deliberate removal by an intruder. The `(` opening the subshell that feeds
# mail is not shown; presumably the script exits after this mail — confirm.
# $DATABASE is unquoted, so a path with whitespace breaks the test.
29 if [ ! -f $DATABASE ]; then
31 echo "Fatal error: The AIDE database does not exist!"
32 echo "This may mean you haven't created it, or it may mean that someone has removed it."
33 ) | /usr/bin/mail -s "Daily AIDE report for $FQDN" $MAILTO
# Rotate yesterday's output/error logs: root:adm, mode 0640, keep 7 copies.
# The logs list changed/added/removed files, so keeping them unreadable to
# ordinary users is deliberate.
37 [ -f "$LOGDIR/$LOGFILE" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGDIR/$LOGFILE" > /dev/null
38 [ -f "$LOGDIR/$ERRORLOG" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGDIR/$ERRORLOG" > /dev/null
# Run the check. $AIDEARGS and $COMMAND come from /etc/default/aide;
# AIDEARGS is presumably left unquoted on purpose so it can carry several
# arguments. stdout goes to the daily log, stderr to the scratch file.
# NOTE(review): $RETVAL, tested below, is presumably captured from this
# command on a line not shown — confirm it is `$?` of this exact command.
40 aide $AIDEARGS --$COMMAND >"$LOGDIR/$LOGFILE" 2>"$ERRORTMP"
# Quiet mode: send no mail when both outputs are empty. Caveats: `-a` is a
# deprecated test operator and $QUIETREPORTS is unquoted, so a value with
# whitespace breaks the test; more importantly this bail-out runs BEFORE
# the exit-status check below, so in quiet mode an aide run that failed
# without writing anything produces no mail at all — a silent failure path
# for an integrity checker. Consider also requiring RETVAL to be 0 here.
43 if [ -n "$QUIETREPORTS" ] && [ $QUIETREPORTS -a \! -s $LOGDIR/$LOGFILE -a \! -s $ERRORTMP ]; then
44 # Bail now because there was no output and QUIETREPORTS is set
49 This is an automated report generated by the Advanced Intrusion Detection
50 Environment on $FQDN ${DATE}.
54 # include error log in daily report e-mail
# Non-zero exit: write a banner plus the numeric status into the error log
# before appending aide's stderr.
56 if [ "$RETVAL" != "0" ]; then
57 cat > "$LOGDIR/$ERRORLOG" << EOF;
59 *****************************************************************************
60 * aide returned a non-zero exit value *
61 *****************************************************************************
64 echo "exit value is: $RETVAL" >> "$LOGDIR/$ERRORLOG"
# Make sure the error log exists even on a clean exit, so the append and the
# `-s` test below behave.
66 touch "$LOGDIR/$ERRORLOG"
# Append whatever aide wrote to stderr.
68 < "$ERRORTMP" cat >> "$LOGDIR/$ERRORLOG"
# Error section of the mail, truncated to $LINES lines with a pointer to the
# full file. A non-numeric LINES (from /etc/default/aide) makes `-gt` fail.
71 if [ -s "$LOGDIR/$ERRORLOG" ]; then
72 errorlines=`wc -l "$LOGDIR/$ERRORLOG" | awk '{ print $1 }'`
73 if [ ${errorlines:=0} -gt $LINES ]; then
76 ****************************************************************************
77 * aide has returned many errors. *
78 * the error log output has been truncated in this mail *
79 ****************************************************************************
82 echo "Error output is $errorlines lines, truncated to $LINES."
83 head -$LINES "$LOGDIR/$ERRORLOG"
84 echo "The full output can be found in $LOGDIR/$ERRORLOG."
86 echo "Errors produced ($errorlines lines):"
87 cat "$LOGDIR/$ERRORLOG"
90 echo "AIDE produced no errors."
93 # include de-noised log
# De-noised section: keep only the changed/removed/added lines from the
# summary part of the log (before "Detailed information about changes:"),
# then drop those matching the admin's $NOISE regex. Two more /tmp scratch
# files are created; their removal is not in the lines shown — confirm it
# happens on every exit path.
# NOTE(review): $NOISE is interpolated straight into the grep pattern. It is
# admin-controlled, so not an injection, but if it is not a valid regex grep
# fails and writes nothing to $NOISETMP, and this section then claims "no
# changes after removing noise" — only the raw section further down still
# shows them.
95 if [ -n "$NOISE" ]; then
96 NOISETMP=`tempfile --directory "/tmp" --prefix "aidenoise"`
97 NOISETMP2=`tempfile --directory "/tmp" --prefix "aidenoise"`
98 sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" | \
99 grep '^\(changed\|removed\|added\):' | \
100 grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" > $NOISETMP2
# This repeats the `-n "$NOISE"` test that guards the whole section, so the
# else branch below (mv + "No noise expression was given.") is unreachable
# from here.
102 if [ -n "$NOISE" ]; then
103 < $NOISETMP2 grep -v "^\(changed\|removed\|added\):$NOISE" > $NOISETMP
105 echo "De-Noised output removes everything matching $NOISE."
107 mv $NOISETMP2 $NOISETMP
108 echo "No noise expression was given."
# Same truncation logic as the error section, applied to the de-noised list.
111 if [ -s "$NOISETMP" ]; then
112 loglines=`< $NOISETMP wc -l | awk '{ print $1 }'`
113 if [ ${loglines:=0} -gt $LINES ]; then
116 ****************************************************************************
117 * aide has returned long output which has been truncated in this mail *
118 ****************************************************************************
121 echo "De-Noised output is $loglines lines, truncated to $LINES."
122 < $NOISETMP head -$LINES
123 echo "The full output can be found in $LOGDIR/$LOGFILE."
125 echo "De-Noised output of the daily AIDE run ($loglines lines):"
129 echo "AIDE detected no changes after removing noise."
132 echo "============================================================================"
135 # include non-de-noised log
# Raw section: the full aide stdout, again capped at $LINES lines. This is
# the part that still shows changes hidden by a bad $NOISE expression.
137 if [ -s "$LOGDIR/$LOGFILE" ]; then
138 loglines=`wc -l "$LOGDIR/$LOGFILE" | awk '{ print $1 }'`
139 if [ ${loglines:=0} -gt $LINES ]; then
142 ****************************************************************************
143 * aide has returned long output which has been truncated in this mail *
144 ****************************************************************************
147 echo "Output is $loglines lines, truncated to $LINES."
148 head -$LINES "$LOGDIR/$LOGFILE"
149 echo "The full output can be found in $LOGDIR/$LOGFILE."
151 echo "Output of the daily AIDE run ($loglines lines):"
152 cat "$LOGDIR/$LOGFILE"
155 echo "AIDE detected no changes."
# End of the report subshell (its `(` is not shown); everything above is
# piped to mail. $MAILTO is unquoted — presumably so a space-separated
# recipient list splits into separate arguments — which also exposes it to
# glob expansion; confirm that is intended.
157 ) | /usr/bin/mail -s "Daily AIDE report for $FQDN" $MAILTO