Workarounds for config file problems.

[carnet-upgrade.git] / usr / share / carnet-upgrade / files / etc / cron.daily / aide

#!/bin/bash

PATH="/sbin:/usr/sbin:/bin:/usr/bin"
LOGDIR="/var/log/aide"
LOGFILE="aide.log"
CONFFILE="/var/lib/aide/aide.conf.autogenerated"
ERRORLOG="error.log"
ERRORTMP=`tempfile --directory "/tmp" --prefix "$ERRORLOG"`

[ -f /usr/bin/aide ] || exit 0

if [ -f /etc/default/aide ]; then
        . /etc/default/aide
fi

DATABASE=`grep "^database=file:/" $CONFFILE | head -1 | cut --delimiter=: --fields=2`
FQDN=`hostname -f`
DATE=`date +"at %Y-%m-%d %H:%M"`

# default values

MAILTO="${MAILTO:-root}"
DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
LINES="${LINES:-1000}"
COMMAND="${COMMAND:-check}"

AIDEARGS="-V4"

if [ ! -f $DATABASE ]; then
        (
        echo "Fatal error: The AIDE database does not exist!"
        echo "This may mean you haven't created it, or it may mean that someone has removed it."
        ) | /usr/bin/mail -s "Daily AIDE report for $FQDN" $MAILTO
        exit 0
fi

[ -f "$LOGDIR/$LOGFILE" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGDIR/$LOGFILE" > /dev/null
[ -f "$LOGDIR/$ERRORLOG" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGDIR/$ERRORLOG" > /dev/null

aide $AIDEARGS --$COMMAND >"$LOGDIR/$LOGFILE" 2>"$ERRORTMP"
RETVAL=$?

if [ -n "$QUIETREPORTS" ] && [ $QUIETREPORTS -a \! -s $LOGDIR/$LOGFILE -a \! -s $ERRORTMP ]; then
        # Bail now because there was no output and QUIETREPORTS is set
        exit 0
fi

(cat << EOF;
This is an automated report generated by the Advanced Intrusion Detection
Environment on $FQDN ${DATE}.

EOF

# include error log in daily report e-mail

if [ "$RETVAL" != "0" ]; then
        cat > "$LOGDIR/$ERRORLOG" << EOF;
        
*****************************************************************************
*                    aide returned a non-zero exit value                    *
*****************************************************************************

EOF
        echo "exit value is: $RETVAL" >> "$LOGDIR/$ERRORLOG"
else
        touch "$LOGDIR/$ERRORLOG"
fi
< "$ERRORTMP" cat >> "$LOGDIR/$ERRORLOG"
rm -f "$ERRORTMP"

if [ -s "$LOGDIR/$ERRORLOG" ]; then
        errorlines=`wc -l "$LOGDIR/$ERRORLOG" | awk '{ print $1 }'`
        if [ ${errorlines:=0} -gt $LINES ]; then
                cat << EOF;

****************************************************************************
*                      aide has returned many errors.                      *
*           the error log output has been truncated in this mail           *
****************************************************************************

EOF
                echo "Error output is $errorlines lines, truncated to $LINES."
                head -$LINES "$LOGDIR/$ERRORLOG"
                echo "The full output can be found in $LOGDIR/$ERRORLOG."
        else
                echo "Errors produced  ($errorlines lines):"
                cat "$LOGDIR/$ERRORLOG"
        fi
else
        echo "AIDE produced no errors."
fi

# include de-noised log

if [ -n "$NOISE" ]; then
        NOISETMP=`tempfile --directory "/tmp" --prefix "aidenoise"`
        NOISETMP2=`tempfile --directory "/tmp" --prefix "aidenoise"`
        sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" | \
        grep '^\(changed\|removed\|added\):' | \
        grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" > $NOISETMP2
        
        if [ -n "$NOISE" ]; then
                < $NOISETMP2 grep -v "^\(changed\|removed\|added\):$NOISE" > $NOISETMP
                rm -f $NOISETMP2
                echo "De-Noised output removes everything matching $NOISE."
        else
                mv $NOISETMP2 $NOISETMP
                echo "No noise expression was given."
        fi
        
        if [ -s "$NOISETMP" ]; then
                loglines=`< $NOISETMP wc -l | awk '{ print $1 }'`
                if [ ${loglines:=0} -gt $LINES ]; then
                        cat << EOF;

****************************************************************************
*   aide has returned long output which has been truncated in this mail    *
****************************************************************************

EOF
                        echo "De-Noised output is $loglines lines, truncated to $LINES."
                        < $NOISETMP head -$LINES
                        echo "The full output can be found in $LOGDIR/$LOGFILE."
                else
                        echo "De-Noised output of the daily AIDE run ($loglines lines):"
                        cat $NOISETMP
                fi
        else
                echo "AIDE detected no changes after removing noise."
        fi
        rm -f $NOISETMP
        echo "============================================================================"
fi

# include non-de-noised log

if [ -s "$LOGDIR/$LOGFILE" ]; then
        loglines=`wc -l "$LOGDIR/$LOGFILE" | awk '{ print $1 }'`
        if [ ${loglines:=0} -gt $LINES ]; then
                cat << EOF;

****************************************************************************
*   aide has returned long output which has been truncated in this mail    *
****************************************************************************

EOF
                echo "Output is $loglines lines, truncated to $LINES."
                head -$LINES "$LOGDIR/$LOGFILE"
                echo "The full output can be found in $LOGDIR/$LOGFILE."
        else
                echo "Output of the daily AIDE run ($loglines lines):"
                cat "$LOGDIR/$LOGFILE"
        fi
else
        echo "AIDE detected no changes."
fi
) | /usr/bin/mail -s "Daily AIDE report for $FQDN" $MAILTO