+++ /dev/null
-# AIDE conf
-
-database=file:/var/lib/aide/aide.db
-database_out=file:/var/lib/aide/aide.db.new
-
-# Change this to "no" or remove it to not gzip output
-# (only useful on systems with few CPU cycles to spare)
-gzip_dbout=yes
-
-# Here are all the things we can check - these are the default rules
-#
-#p: permissions
-#i: inode
-#n: number of links
-#u: user
-#g: group
-#s: size
-#b: block count
-#m: mtime
-#a: atime
-#c: ctime
-#S: check for growing size
-#md5: md5 checksum
-#sha1: sha1 checksum
-#rmd160: rmd160 checksum
-#tiger: tiger checksum
-#R: p+i+n+u+g+s+m+c+md5
-#L: p+i+n+u+g
-#E: Empty group
-#>: Growing logfile p+u+g+i+n+S
-#haval: haval checksum
-#gost: gost checksum
-#crc32: crc32 checksum
-
-# Defines formerly set here have been moved to /etc/default/aide.
-
-# Custom rules
-Binlib = p+i+n+u+g+s+b+m+c+md5+sha1
-ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1
-Logs = p+i+n+u+g+S
-Devices = p+i+n+u+g+s+b+c+md5+sha1
-Databases = p+n+u+g
-StaticDir = p+i+n+u+g
-ManPages = p+i+n+u+g+s+b+m+c+md5+sha1
-
-# Next decide what directories/files you want in the database
-
-# Kernel, system map, etc.
-=/boot$ Binlib
-# Binaries
-/bin Binlib
-/sbin Binlib
-/usr/bin Binlib
-/usr/sbin Binlib
-/usr/local/bin Binlib
-/usr/local/sbin Binlib
-/usr/games Binlib
-# Libraries
-/lib Binlib
-/usr/lib Binlib
-/usr/local/lib Binlib
-# Log files
-=/var/log$ StaticDir
-!/var/log/ksymoops
-/var/log/aide/aide.log(.[0-9])?(.gz)? Databases
-/var/log/aide/error.log(.[0-9])?(.gz)? Databases
-/var/log/setuid.changes(.[0-9])?(.gz)? Databases
-!/var/log/aide
-/var/log Logs
-# Devices
-!/dev/pts
-# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr,
-# you may uncomment this to get rid of them. They're harmless but sometimes
-# annoying.
-#!/dev/cpu/mtrr
-!/dev/xconsole
-/dev Devices
-# Other miscellaneous files
-/var/run$ StaticDir
-!/var/run
-# Test only the directory when dealing with /proc
-/proc$ StaticDir
-!/proc
-
-# You can look through these examples to get further ideas
-
-# MD5 sum files - especially useful with debsums -g
-#/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1
-
-# Check crontabs
-#/var/spool/anacron/cron.daily Databases
-#/var/spool/anacron/cron.monthly Databases
-#/var/spool/anacron/cron.weekly Databases
-#/var/spool/cron Databases
-#/var/spool/cron/crontabs Databases
-
-# manpages can be trojaned, especially depending on *roff implementation
-#/usr/man ManPages
-#/usr/share/man ManPages
-#/usr/local/man ManPages
-
-# docs
-#/usr/doc ManPages
-#/usr/share/doc ManPages
-
-# check users' home directories
-#/home Binlib
-
-# check sources for modifications
-#/usr/src L
-#/usr/local/src L
-
-# Check headers for same
-#/usr/include L
-#/usr/local/include L
+++ /dev/null
-#!/bin/bash
-
-PATH="/sbin:/usr/sbin:/bin:/usr/bin"
-LOGDIR="/var/log/aide"
-LOGFILE="aide.log"
-CONFFILE="/var/lib/aide/aide.conf.autogenerated"
-ERRORLOG="error.log"
-ERRORTMP=`tempfile --directory "/tmp" --prefix "$ERRORLOG"`
-
-[ -f /usr/bin/aide ] || exit 0
-
-if [ -f /etc/default/aide ]; then
- . /etc/default/aide
-fi
-
-DATABASE=`grep "^database=file:/" $CONFFILE | head -1 | cut --delimiter=: --fields=2`
-FQDN=`hostname -f`
-DATE=`date +"at %Y-%m-%d %H:%M"`
-
-# default values
-
-MAILTO="${MAILTO:-root}"
-DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
-LINES="${LINES:-1000}"
-COMMAND="${COMMAND:-check}"
-
-AIDEARGS="-V4"
-
-if [ ! -f $DATABASE ]; then
- (
- echo "Fatal error: The AIDE database does not exist!"
- echo "This may mean you haven't created it, or it may mean that someone has removed it."
- ) | /usr/bin/mail -s "Daily AIDE report for $FQDN" $MAILTO
- exit 0
-fi
-
-[ -f "$LOGDIR/$LOGFILE" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGDIR/$LOGFILE" > /dev/null
-[ -f "$LOGDIR/$ERRORLOG" ] && savelog -t -g adm -m 640 -u root -c 7 "$LOGDIR/$ERRORLOG" > /dev/null
-
-aide $AIDEARGS --$COMMAND >"$LOGDIR/$LOGFILE" 2>"$ERRORTMP"
-RETVAL=$?
-
-if [ -n "$QUIETREPORTS" ] && [ $QUIETREPORTS -a \! -s $LOGDIR/$LOGFILE -a \! -s $ERRORTMP ]; then
- # Bail now because there was no output and QUIETREPORTS is set
- exit 0
-fi
-
-(cat << EOF;
-This is an automated report generated by the Advanced Intrusion Detection
-Environment on $FQDN ${DATE}.
-
-EOF
-
-# include error log in daily report e-mail
-
-if [ "$RETVAL" != "0" ]; then
- cat > "$LOGDIR/$ERRORLOG" << EOF;
-
-*****************************************************************************
-* aide returned a non-zero exit value *
-*****************************************************************************
-
-EOF
- echo "exit value is: $RETVAL" >> "$LOGDIR/$ERRORLOG"
-else
- touch "$LOGDIR/$ERRORLOG"
-fi
-< "$ERRORTMP" cat >> "$LOGDIR/$ERRORLOG"
-rm -f "$ERRORTMP"
-
-if [ -s "$LOGDIR/$ERRORLOG" ]; then
- errorlines=`wc -l "$LOGDIR/$ERRORLOG" | awk '{ print $1 }'`
- if [ ${errorlines:=0} -gt $LINES ]; then
- cat << EOF;
-
-****************************************************************************
-* aide has returned many errors. *
-* the error log output has been truncated in this mail *
-****************************************************************************
-
-EOF
- echo "Error output is $errorlines lines, truncated to $LINES."
- head -$LINES "$LOGDIR/$ERRORLOG"
- echo "The full output can be found in $LOGDIR/$ERRORLOG."
- else
- echo "Errors produced ($errorlines lines):"
- cat "$LOGDIR/$ERRORLOG"
- fi
-else
- echo "AIDE produced no errors."
-fi
-
-# include de-noised log
-
-if [ -n "$NOISE" ]; then
- NOISETMP=`tempfile --directory "/tmp" --prefix "aidenoise"`
- NOISETMP2=`tempfile --directory "/tmp" --prefix "aidenoise"`
- sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" | \
- grep '^\(changed\|removed\|added\):' | \
- grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" > $NOISETMP2
-
- if [ -n "$NOISE" ]; then
- < $NOISETMP2 grep -v "^\(changed\|removed\|added\):$NOISE" > $NOISETMP
- rm -f $NOISETMP2
- echo "De-Noised output removes everything matching $NOISE."
- else
- mv $NOISETMP2 $NOISETMP
- echo "No noise expression was given."
- fi
-
- if [ -s "$NOISETMP" ]; then
- loglines=`< $NOISETMP wc -l | awk '{ print $1 }'`
- if [ ${loglines:=0} -gt $LINES ]; then
- cat << EOF;
-
-****************************************************************************
-* aide has returned long output which has been truncated in this mail *
-****************************************************************************
-
-EOF
- echo "De-Noised output is $loglines lines, truncated to $LINES."
- < $NOISETMP head -$LINES
- echo "The full output can be found in $LOGDIR/$LOGFILE."
- else
- echo "De-Noised output of the daily AIDE run ($loglines lines):"
- cat $NOISETMP
- fi
- else
- echo "AIDE detected no changes after removing noise."
- fi
- rm -f $NOISETMP
- echo "============================================================================"
-fi
-
-# include non-de-noised log
-
-if [ -s "$LOGDIR/$LOGFILE" ]; then
- loglines=`wc -l "$LOGDIR/$LOGFILE" | awk '{ print $1 }'`
- if [ ${loglines:=0} -gt $LINES ]; then
- cat << EOF;
-
-****************************************************************************
-* aide has returned long output which has been truncated in this mail *
-****************************************************************************
-
-EOF
- echo "Output is $loglines lines, truncated to $LINES."
- head -$LINES "$LOGDIR/$LOGFILE"
- echo "The full output can be found in $LOGDIR/$LOGFILE."
- else
- echo "Output of the daily AIDE run ($loglines lines):"
- cat "$LOGDIR/$LOGFILE"
- fi
-else
- echo "AIDE detected no changes."
-fi
-) | /usr/bin/mail -s "Daily AIDE report for $FQDN" $MAILTO
+++ /dev/null
-# These settings are mainly for the wrapper scripts around aide,
-# such as aideinit and /etc/cron.daily/aide
-
-# This is the email address reports get mailed to
-MAILTO=root
-
-# Set this to suppress mailings when there's nothing to report
-#QUIETREPORTS=1
-
-# This parameter defines which aide command to run from the cron script.
-# Sensible values are "update" and "check".
-# Default is "check", ensuring backwards compatibility.
-# Since "update" does not take any longer, it is recommended to use "update",
-# so that a new database is created every day. The new database needs to be
-# manually copied over the current one, though.
-COMMAND=update
-
-# This parameter defines how many lines to return per e-mail. Output longer
-# than this value will be truncated in the e-mail sent out.
-LINES=1000
-
-# This parameter gives a grep regular expression. If given, all output lines
-# that _don't_ match the regexp are listed first in the script's output. This
-# allows to easily remove noise from the aide report.
-NOISE="(/var/cache/dwww|/var/backups|/var/lib/dwww/html)"
projects / carnet-upgrade.git / commitdiff