#!/bin/bash
# Modified: Benjamin Smee
# Date: Fri Sep 10 11:35:41 BST 2004

# This is the email address reports get mailed to
MAILTO=root@localhost

# Set this to suppress mailings when there's nothing to report
QUIETREPORTS=1

# This parameter defines which aide command to run from the cron script.
# Sensible values are "update" and "check".
# Default is "check", ensuring backwards compatibility.
# Since "update" does not take any longer, it is recommended to use "update",
# so that a new database is created every day. The new database needs to be
# manually copied over the current one, though.
COMMAND=update

# This parameter defines how many lines to return per e-mail. Output longer
# than this value will be truncated in the e-mail sent out.
LINES=1000

# This parameter gives a grep regular expression. If given, all output lines
# that _don't_ match the regexp are listed first in the script's output. This
# allows to easily remove noise from the aide report.
NOISE="(/var/cache/|/var/lib/|/var/tmp)"
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
LOGDIR="/var/log/aide"
LOGFILE="aide.log"
CONFFILE="/etc/aide/aide.conf"
ERRORLOG="aide_error.log"
MAILLOG="aide_mail.log"
ERRORTMP=$(mktemp "${ERRORLOG}.XXXXXX")

[ -f /usr/bin/aide ] || exit 0

DATABASE=$(grep "^database=file:/" $CONFFILE | head -n 1 | cut --delimiter=: --fields=2)
FQDN=$(hostname -f)
DATE=$(date +"at %Y-%m-%d %H:%M")

# default values

DATABASE="${DATABASE:-/var/lib/aide/aide.db}"

AIDEARGS=""

if [ ! -f "$DATABASE" ]; then
	/usr/sbin/sendmail $MAILTO <<EOF
Subject: Daily AIDE report for $FQDN
From: root@${FQDN}
To: ${MAILTO}
Fatal error: The AIDE database does not exist!
This may mean you haven't created it, or it may mean that someone has removed it.
EOF
	exit 0
fi

aide $AIDEARGS --$COMMAND >"$LOGDIR/$LOGFILE" 2>"$ERRORTMP"
RETVAL=$?

if [ -n "$QUIETREPORTS" ] && ! [ -s "$LOGDIR/$LOGFILE" ] && ! [ -s "$ERRORTMP" ] ; then
	# Bail now because there was no output and QUIETREPORTS is set
	exit 0
fi

MAILTMP=$(mktemp "${MAILLOG}.XXXXXX")

(cat << EOF
This is an automated report generated by the Advanced Intrusion Detection
Environment on $FQDN ${DATE}.

EOF

# include error log in daily report e-mail

if [ "$RETVAL" != "0" ]; then
	cat > "$LOGDIR/$ERRORLOG" << EOF

*****************************************************************************
*                    aide returned a non-zero exit value                    *
*****************************************************************************

EOF
	echo "exit value is: $RETVAL" >> "$LOGDIR/$ERRORLOG"
else
	touch "$LOGDIR/$ERRORLOG"
fi
< "$ERRORTMP" cat >> "$LOGDIR/$ERRORLOG"
rm -f "$ERRORTMP"

if [ -s "$LOGDIR/$ERRORLOG" ]; then
	errorlines=$(wc -l "$LOGDIR/$ERRORLOG" | awk '{ print $1 }')
	if [ "${errorlines:=0}" -gt $LINES ]; then
		cat << EOF

****************************************************************************
*                      aide has returned many errors.                      *
*           the error log output has been truncated in this mail           *
****************************************************************************

EOF
		echo "Error output is $errorlines lines, truncated to $LINES."
		head -$LINES "$LOGDIR/$ERRORLOG"
		echo "The full output can be found in $LOGDIR/$ERRORLOG."
	else
		echo "Errors produced  ($errorlines lines):"
		cat "$LOGDIR/$ERRORLOG"
	fi
else
	echo "AIDE produced no errors."
fi

# include de-noised log

if [ -n "$NOISE" ]; then
	NOISETMP=$(mktemp "aidenoise.XXXXXX")
	NOISETMP2=$(mktemp "aidenoise.XXXXXX")
	sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" | \
	grep '^\(changed\|removed\|added\):' | \
	grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" > "$NOISETMP2"

	if [ -n "$NOISE" ]; then
		< "$NOISETMP2" grep -v "^\(changed\|removed\|added\):$NOISE" > "$NOISETMP"
		rm -f "$NOISETMP2"
		echo "De-Noised output removes everything matching $NOISE."
	else
		mv "$NOISETMP2" "$NOISETMP"
		echo "No noise expression was given."
	fi

	if [ -s "$NOISETMP" ]; then
		loglines=$(< "$NOISETMP" wc -l | awk '{ print $1 }')
		if [ "${loglines:=0}" -gt $LINES ]; then
			cat << EOF

****************************************************************************
*   aide has returned long output which has been truncated in this mail    *
****************************************************************************

EOF
			echo "De-Noised output is $loglines lines, truncated to $LINES."
			< "$NOISETMP" head -$LINES
			echo "The full output can be found in $LOGDIR/$LOGFILE."
		else
			echo "De-Noised output of the daily AIDE run ($loglines lines):"
			cat "$NOISETMP"
		fi
	else
		echo "AIDE detected no changes after removing noise."
	fi
	rm -f "$NOISETMP"
	echo "============================================================================"
fi

# include non-de-noised log

if [ -s "$LOGDIR/$LOGFILE" ]; then
	loglines=$(wc -l "$LOGDIR/$LOGFILE" | awk '{ print $1 }')
	if [ "${loglines:=0}" -gt $LINES ]; then
		cat << EOF

****************************************************************************
*   aide has returned long output which has been truncated in this mail    *
****************************************************************************

EOF
		echo "Output is $loglines lines, truncated to $LINES."
		head -$LINES "$LOGDIR/$LOGFILE"
		echo "The full output can be found in $LOGDIR/$LOGFILE."
	else
		echo "Output of the daily AIDE run ($loglines lines):"
		cat "$LOGDIR/$LOGFILE"
	fi
else
	echo "AIDE detected no changes."
fi
) > "${MAILTMP}"

(
cat <<EOF
Subject: Daily AIDE report for $FQDN
From: root@${FQDN}
To: ${MAILTO}
EOF
cat "${MAILTMP}"
) | /usr/sbin/sendmail $MAILTO

rm -f "$MAILTMP"