#!/bin/sh
#
# /secure/aide.sh
#
# Function: Call AIDE to check system integrity and report changes.
#           System must be initialised with "aide --init" first.
#
# History:
#     27.Jul.01 P. Etienne Version 0.1
#     24.Aug.01 Sean Boran Make it general, one summary email, improve.
#     02.Oct.01 Michael Semling, too lazy to write all the config stuff
#               added init, help, update to the script
##############################################################


#
# configuration
#
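#
# configuration
#
user="root"                      # recipient of every mail this script sends
aide="/usr/local/bin/aide"
aide_conf="/etc/aide.conf"
echo="/bin/echo -e"              # an echo that interprets the \n in the messages below

#
# paranoia settings
#
umask 077                        # every file this script (and mktemp) creates is private to root

#
# paths and misc
#
AIDE=/aide                       # directory holding aide.db and the aide.db.new written by --init/--update
MAIL=/usr/bin/mailx
GREP=/usr/bin/grep
WC=/usr/bin/wc
HOSTNAME=$(/bin/hostname)
DATE=$(/bin/date +%m/%d/%y:%H.%M)
changes=0                        # set to 1 by check_integrity when aide reports any difference

#
# Names of the report files.
# NOTE: TMPDIR is also the standard environment variable that mktemp(1) and
# many other programs consult for their own scratch files; as it is exported
# here, aide and mailx inherit it, so it must name a directory that exists
# and is private to root by the time they run.
#
TMPDIR=/tmp/aide_tmp
TMPEMAIL=aide_email
TMPFILE=aide_grep
TMPRESULT=aide_result
export TMPDIR TMPEMAIL TMPFILE TMPRESULT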

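#
# check_integrity: run "aide -C" against the current database, build a
# summary of modified / added / removed files and mail it to $user.
#
# Globals read:  aide aide_conf user HOSTNAME MAIL GREP TMPDIR TMPEMAIL TMPRESULT
# Globals set:   changes (1 if any difference was reported, else left at 0)
#                TMPDIR  (re-pointed at the private work directory, see below)
# Exits 1 if the private work directory cannot be created.
#
# Fixes against the original: the three report files lived in the fixed,
# world-guessable path /tmp/aide_tmp created with "mkdir; chmod 700" and
# "rm -f; touch" -- any local user could pre-create that directory (or plant
# a symlink) and have root truncate a file of the attacker's choosing or
# read the report.  The "removed:" block was also pasted twice, the first
# copy re-reporting the list of ADDED files, and one error message named
# the undefined $TMPEFILE.
#
check_integrity ()
{
	#date | $MAIL -s "Integrity check of `uname -n` server started" $user

	# Fresh, unpredictably named, mode-0700 directory created atomically
	# by mktemp (umask 077 is already in force).
	workdir=$(mktemp -d "${TMPDIR}.XXXXXX") || {
	    printf '\nSecurity problem, cannot create a private work directory %s.XXXXXX,\n' "$TMPDIR" >&2
	    printf 'it is better to abort. Good Luck.\n\n' >&2
	    exit 1
	}
	# TMPDIR is exported, so point it at the private directory as well:
	# aide and mailx then keep their own scratch files private too.
	TMPDIR=$workdir
	export TMPDIR
	# Nothing in the work directory is needed once the summary is mailed;
	# uncomment the "full report" mail below if the raw aide output is wanted.
	trap 'rm -rf -- "${workdir:?}"' EXIT

	email="$workdir/$TMPEMAIL"
	result="$workdir/$TMPRESULT"

	#
	# Start the check
	#
	printf 'Start aide integrity check on %s\n\n' "$(date)" > "$email"
	# The summary below is derived from aide's report text, so its exit
	# status (a change bit-mask in current releases) is deliberately unused.
	"$aide" --config="$aide_conf" -C > "$result" 2>> "$email"

	## Send full report if debugging:
	#$MAIL -s "$HOSTNAME AIDE integrity check: full report" $user < "$result"

	# Modified files: aide prints an "MD5" line for every file whose
	# checksum no longer matches the database.
	if "$GREP" -q MD5 "$result"; then
		changes=1
		{
		    printf '>>>>>>> WARNING, files have been modified!\n'
		    printf 'Number of changed files: %s\n' "$("$GREP" -c MD5 "$result")"
		    # print each report paragraph that carries File, Ctime and MD5 lines
		    sed -e '/./{H;$!d;}' -e 'x;/File/!d;/Ctime/!d;/MD5/!d' "$result"
		} >> "$email"
	fi

	if "$GREP" -q 'added:/' "$result"; then
		changes=1
		{
		    printf '\n\n>>>>> Number of NEW files detected: %s\n' "$("$GREP" -c 'added:/' "$result")"
		    "$GREP" 'added:/' "$result"
		} >> "$email"
	fi

	if "$GREP" -q 'removed:/' "$result"; then
		changes=1
		{
		    printf '\n\n>>>>> Number of files removed: %s\n' "$("$GREP" -c 'removed:/' "$result")"
		    "$GREP" 'removed:/' "$result"
		} >> "$email"
	fi

	printf '\nFinished aide integrity check on %s\n\n' "$(date)" >> "$email"
	printf "\nTo reinitialise the Aide database, run 'aide.sh init' or 'aide.sh update'\n" >> "$email"

	if [ "$changes" -eq 1 ]; then
	    subject="$HOSTNAME AIDE integrity check"
	else
	    subject="$HOSTNAME AIDE integrity check (no changes)"
	fi
	"$MAIL" -s "$subject" "$user" < "$email"

	#date | $MAIL -s "Integrity check of `uname -n` server finished" $user
}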


# Check for optional parameters, allowed help, init, update and no parameter for check.
case "$1" in
    -?)
        $echo "This is the AIDE (Advanced Intrusion Detection)script."
        $echo "Usage for aide script"
        $echo "      ./aide.sh help   -> shows this help."
        $echo "      ./aide.sh init   -> initiates the database."
        $echo "      ./aide.sh update -> updates an existing database."
        $echo "      ./aide.sh        -> (nothing) compares the files with the signatures in the database."
        exit 0
    ;;
    help)
        echo "This is the AIDE (Advanced Intrusion Detection)script."
        echo "Usage for aide script"
        echo "      ./aide.sh help   -> shows this help."
        echo "      ./aide.sh init   -> initiates the database."                                                       
        echo "      ./aide.sh update -> updates an existing database."                                                 
        echo "      ./aide.sh        -> (nothing) compares the files with the signatures in the database."  
        exit 0
    ;;
    init)
         echo "DATABASE INIT MESSAGE" | $MAIL -s "$HOSTNAME, $DATE AIDE INFO: DATABASE has been INITIALISED!" $user
         $aide --config=$aide_conf --init 
         cp $AIDE/aide.db.new $AIDE/aide.db 
         exit 0 
    ;;
    update)
         echo "DATABASE UPDATE MESSAGE" | $MAIL -s "$HOSTNAME, $DATE AIDE INFO: DATABASE has been UPDATED!" $user 
         $aide --config=$aide_conf --update
         cp $AIDE/aide.db.new $AIDE/aide.db
         exit 0             
    ;;
    *)                                                                                                                     
    check_integrity ;
    exit 1                                                                                                                 
esac                           


