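#!/bin/bash
#
# Daily AIDE cron job: rotate the previous run's logs, run `aide --check`
# (or the COMMAND configured in /etc/default/aide), and mail a report.
#
# Settings read from /etc/default/aide (a root-owned file; everything in it
# is trusted and several values end up unquoted or inside grep patterns):
#   MAILTO        recipient(s) of the report; deliberately word-split so
#                 "root admin" sends to both.  Default: root
#   LINES         maximum number of log lines quoted in the mail.  Default: 1000
#   COMMAND       aide sub-command to run (passed as --$COMMAND).  Default: check
#   QUIETREPORTS  if non-empty, send no mail at all when aide wrote nothing
#                 to stdout or stderr
#   NOISE         grep basic-regex; summary lines matching
#                 ^(changed|removed|added):$NOISE are dropped from the
#                 "de-noised" section of the report
#
# Security notes:
#   * PATH is pinned before anything else runs, so neither the environment
#     cron hands us nor the sourced config can redirect which binaries run.
#   * Temporary files are created with mktemp(1) (tempfile(1) is deprecated)
#     and removed by an EXIT trap, so the QUIETREPORTS early exit no longer
#     leaves the stderr capture behind in /tmp.
#   * Only the *existence* of the AIDE database is checked here; nothing
#     verifies the database's own integrity.  If an attacker can write to
#     /var/lib/aide the check result cannot be trusted -- keep the database
#     on read-only or offline storage if that matters to you.
#   * The report lists changed paths on this host and goes out through
#     local mail in clear text; keep MAILTO pointed at a trusted mailbox.

PATH="/sbin:/usr/sbin:/bin:/usr/bin"
LOGDIR="/var/log/aide"
LOGFILE="aide.log"
CONFFILE="/var/lib/aide/aide.conf.autogenerated"
ERRORLOG="error.log"

# Nothing to do when aide is not installed (package removed but not purged).
[ -f /usr/bin/aide ] || exit 0

if [ -f /etc/default/aide ]; then
  . /etc/default/aide
fi

# Capture of aide's stderr.  mktemp creates the file atomically with mode
# 0600, so its contents cannot be pre-planted or read by other users.
ERRORTMP=$(mktemp "/tmp/${ERRORLOG}.XXXXXX") || exit 1

# Runs on every exit path of the main shell (normal end, the QUIETREPORTS
# early exit, signals).  Note that bash resets traps inside the report
# subshell below, so temporaries created there are removed explicitly.
cleanup() {
  [ -n "$ERRORTMP" ] && rm -f -- "$ERRORTMP"
}
trap cleanup EXIT

# "database=file:/path" in the generated config -> /path
DATABASE=$(grep "^database=file:/" "$CONFFILE" | head -n 1 | cut --delimiter=: --fields=2)
FQDN=$(hostname -f)
DATE=$(date +"at %Y-%m-%d %H:%M")

# Defaults for anything /etc/default/aide did not set.
MAILTO="${MAILTO:-root}"
DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
LINES="${LINES:-1000}"
COMMAND="${COMMAND:-check}"
# Set unconditionally after sourcing the config, i.e. the config cannot
# override the verbosity level.
AIDEARGS="-V4"

if [ ! -f "$DATABASE" ]; then
  (
    echo "Fatal error: The AIDE database does not exist!"
    echo "This may mean you haven't created it, or it may mean that someone has removed it."
  ) | /usr/bin/mail -s "Daily AIDE report for $FQDN" $MAILTO  # MAILTO: intentional word-splitting
  exit 0
fi

# Rotate the previous run's logs: 7 generations, root:adm, mode 0640.
[ -f "$LOGDIR/$LOGFILE" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGDIR/$LOGFILE" > /dev/null
[ -f "$LOGDIR/$ERRORLOG" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGDIR/$ERRORLOG" > /dev/null

# $AIDEARGS is intentionally unquoted: it may expand to several arguments.
aide $AIDEARGS --"$COMMAND" > "$LOGDIR/$LOGFILE" 2> "$ERRORTMP"
RETVAL=$?

# Bail out silently when the admin asked for quiet reports and aide produced
# no output at all; the EXIT trap removes $ERRORTMP.
if [ -n "$QUIETREPORTS" ] && [ ! -s "$LOGDIR/$LOGFILE" ] && [ ! -s "$ERRORTMP" ]; then
  exit 0
fi

# Everything printed inside this subshell becomes the body of the report.
(
  cat << EOF
This is an automated report generated by the Advanced Intrusion Detection
Environment on $FQDN ${DATE}.

EOF

  # --- error log ---------------------------------------------------------
  # Build this run's error.log: an exit-status banner when aide failed,
  # followed by whatever aide wrote to stderr.
  if [ "$RETVAL" != "0" ]; then
    cat > "$LOGDIR/$ERRORLOG" << EOF
*****************************************************************************
*                   aide returned a non-zero exit value                     *
*****************************************************************************
EOF
    echo "exit value is: $RETVAL" >> "$LOGDIR/$ERRORLOG"
  else
    touch "$LOGDIR/$ERRORLOG"
  fi
  cat "$ERRORTMP" >> "$LOGDIR/$ERRORLOG"
  rm -f -- "$ERRORTMP"

  if [ -s "$LOGDIR/$ERRORLOG" ]; then
    errorlines=$(wc -l < "$LOGDIR/$ERRORLOG" | tr -d ' ')
    if [ "${errorlines:-0}" -gt "$LINES" ]; then
      cat << EOF
****************************************************************************
*                      aide has returned many errors.                      *
*            the error log output has been truncated in this mail          *
****************************************************************************
EOF
      echo "Error output is $errorlines lines, truncated to $LINES."
      head -n "$LINES" "$LOGDIR/$ERRORLOG"
      echo "The full output can be found in $LOGDIR/$ERRORLOG."
    else
      echo "Errors produced ($errorlines lines):"
      cat "$LOGDIR/$ERRORLOG"
    fi
  else
    echo "AIDE produced no errors."
  fi

  # --- de-noised log -----------------------------------------------------
  # Only produced when a NOISE expression is configured.  (The original
  # script re-tested $NOISE inside this branch, which left its "No noise
  # expression was given." path unreachable; that dead branch is gone.)
  if [ -n "$NOISE" ]; then
    if NOISETMP=$(mktemp "/tmp/aidenoise.XXXXXX"); then
      # Take the summary part of the log (everything before the detailed
      # per-file section), keep only changed/removed/added lines, drop aide's
      # "THERE WERE ALSO N FILES ADDED" roll-ups, then drop whatever the
      # NOISE regex matches.  NOISE is interpolated into a grep BRE verbatim
      # from the root-owned config -- it is a pattern, not a literal.
      sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" \
        | grep '^\(changed\|removed\|added\):' \
        | grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" \
        | grep -v "^\(changed\|removed\|added\):$NOISE" > "$NOISETMP"
      echo "De-Noised output removes everything matching $NOISE."

      if [ -s "$NOISETMP" ]; then
        loglines=$(wc -l < "$NOISETMP" | tr -d ' ')
        if [ "${loglines:-0}" -gt "$LINES" ]; then
          cat << EOF
****************************************************************************
*   aide has returned long output which has been truncated in this mail    *
****************************************************************************
EOF
          echo "De-Noised output is $loglines lines, truncated to $LINES."
          head -n "$LINES" "$NOISETMP"
          echo "The full output can be found in $LOGDIR/$LOGFILE."
        else
          echo "De-Noised output of the daily AIDE run ($loglines lines):"
          cat "$NOISETMP"
        fi
      else
        echo "AIDE detected no changes after removing noise."
      fi
      # Explicit removal: the parent's EXIT trap does not run in this subshell.
      rm -f -- "$NOISETMP"
    else
      echo "Could not create a temporary file; de-noised output skipped."
    fi
    echo "============================================================================"
  fi

  # --- full log ----------------------------------------------------------
  if [ -s "$LOGDIR/$LOGFILE" ]; then
    loglines=$(wc -l < "$LOGDIR/$LOGFILE" | tr -d ' ')
    if [ "${loglines:-0}" -gt "$LINES" ]; then
      cat << EOF
****************************************************************************
*   aide has returned long output which has been truncated in this mail    *
****************************************************************************
EOF
      echo "Output is $loglines lines, truncated to $LINES."
      head -n "$LINES" "$LOGDIR/$LOGFILE"
      echo "The full output can be found in $LOGDIR/$LOGFILE."
    else
      echo "Output of the daily AIDE run ($loglines lines):"
      cat "$LOGDIR/$LOGFILE"
    fi
  else
    echo "AIDE detected no changes."
  fi
) | /usr/bin/mail -s "Daily AIDE report for $FQDN" $MAILTO  # MAILTO: intentional word-splitting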