[gentoo-commits] repo/gentoo:master commit in: app-forensics/aide/files/

["Sam James" <sam@gentoo.org>]

commit:     a1c2babb3bb0ba114b392617cdafd27b3a68e67b
Author:     Daniel Hiepler <daniel-gentoo <AT> coderdu <DOT> de>
AuthorDate: Fri Mar 11 14:51:42 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Mar 12 00:11:39 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a1c2babb

app-forensics/aide: create new revision of aide.cron

* replace tempfile with mktemp (respects $TMPDIR or uses /tmp by default)
* Double quote to prevent globbing and word splitting.
* Use $(...) notation instead of legacy backticks `...`
* Prefer [ p ] && [ q ] as [ p -a q ] is not well defined
* don't check $QUIETREPORTS twice
* (--verbose): option no longer supported, use 'log_level' and 'report_level' options instead
* remove old comment - remaining debianutils dependency (tempfile) is removed now
* remove whitespace

Signed-off-by: Daniel Hiepler <daniel-gentoo <AT> coderdu.de>
Signed-off-by: Sam James <sam <AT> gentoo.org>

 app-forensics/aide/files/aide.cron-r2 | 188 ++++++++++++++++++++++++++++++++++
 1 file changed, 188 insertions(+)

diff --git a/app-forensics/aide/files/aide.cron-r2 b/app-forensics/aide/files/aide.cron-r2
new file mode 100644
index 000000000000..b8a78ba2a856
--- /dev/null
+++ b/app-forensics/aide/files/aide.cron-r2
@@ -0,0 +1,188 @@
+#!/bin/bash
+# Modified: Benjamin Smee
+# Date: Fri Sep 10 11:35:41 BST 2004
+
+# This is the email address reports get mailed to
+MAILTO=root@localhost
+
+# Set this to suppress mailings when there's nothing to report
+QUIETREPORTS=1
+
+# This parameter defines which aide command to run from the cron script.
+# Sensible values are "update" and "check".
+# Default is "check", ensuring backwards compatibility.
+# Since "update" does not take any longer, it is recommended to use "update",
+# so that a new database is created every day. The new database needs to be
+# manually copied over the current one, though.
+COMMAND=update
+
+# This parameter defines how many lines to return per e-mail. Output longer
+# than this value will be truncated in the e-mail sent out.
+LINES=1000
+
+# This parameter gives a grep regular expression. If given, all output lines
+# that _don't_ match the regexp are listed first in the script's output. This
+# allows to easily remove noise from the aide report.
+NOISE="(/var/cache/|/var/lib/|/var/tmp)"
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+LOGDIR="/var/log/aide"
+LOGFILE="aide.log"
+CONFFILE="/etc/aide/aide.conf"
+ERRORLOG="aide_error.log"
+MAILLOG="aide_mail.log"
+ERRORTMP=$(mktemp "${ERRORLOG}.XXXXXX")
+
+[ -f /usr/bin/aide ] || exit 0
+
+DATABASE=$(grep "^database=file:/" $CONFFILE | head -n 1 | cut --delimiter=: --fields=2)
+FQDN=$(hostname -f)
+DATE=$(date +"at %Y-%m-%d %H:%M")
+
+# default values
+
+DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
+
+AIDEARGS=""
+
+if [ ! -f "$DATABASE" ]; then
+	/usr/sbin/sendmail $MAILTO <<EOF
+Subject: Daily AIDE report for $FQDN
+From: root@${FQDN}
+To: ${MAILTO}
+Fatal error: The AIDE database does not exist!
+This may mean you haven't created it, or it may mean that someone has removed it.
+EOF
+	exit 0
+fi
+
+aide $AIDEARGS --$COMMAND >"$LOGDIR/$LOGFILE" 2>"$ERRORTMP"
+RETVAL=$?
+
+if [ -n "$QUIETREPORTS" ] && ! [ -s "$LOGDIR/$LOGFILE" ] && ! [ -s "$ERRORTMP" ] ; then
+	# Bail now because there was no output and QUIETREPORTS is set
+	exit 0
+fi
+
+MAILTMP=$(mktemp "${MAILLOG}.XXXXXX")
+
+(cat << EOF
+This is an automated report generated by the Advanced Intrusion Detection
+Environment on $FQDN ${DATE}.
+
+EOF
+
+# include error log in daily report e-mail
+
+if [ "$RETVAL" != "0" ]; then
+	cat > "$LOGDIR/$ERRORLOG" << EOF
+
+*****************************************************************************
+*                    aide returned a non-zero exit value                    *
+*****************************************************************************
+
+EOF
+	echo "exit value is: $RETVAL" >> "$LOGDIR/$ERRORLOG"
+else
+	touch "$LOGDIR/$ERRORLOG"
+fi
+< "$ERRORTMP" cat >> "$LOGDIR/$ERRORLOG"
+rm -f "$ERRORTMP"
+
+if [ -s "$LOGDIR/$ERRORLOG" ]; then
+	errorlines=$(wc -l "$LOGDIR/$ERRORLOG" | awk '{ print $1 }')
+	if [ "${errorlines:=0}" -gt $LINES ]; then
+		cat << EOF
+
+****************************************************************************
+*                      aide has returned many errors.                      *
+*           the error log output has been truncated in this mail           *
+****************************************************************************
+
+EOF
+		echo "Error output is $errorlines lines, truncated to $LINES."
+		head -$LINES "$LOGDIR/$ERRORLOG"
+		echo "The full output can be found in $LOGDIR/$ERRORLOG."
+	else
+		echo "Errors produced  ($errorlines lines):"
+		cat "$LOGDIR/$ERRORLOG"
+	fi
+else
+	echo "AIDE produced no errors."
+fi
+
+# include de-noised log
+
+if [ -n "$NOISE" ]; then
+	NOISETMP=$(mktemp "aidenoise.XXXXXX")
+	NOISETMP2=$(mktemp "aidenoise.XXXXXX")
+	sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" | \
+	grep '^\(changed\|removed\|added\):' | \
+	grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" > "$NOISETMP2"
+
+	if [ -n "$NOISE" ]; then
+		< "$NOISETMP2" grep -v "^\(changed\|removed\|added\):$NOISE" > "$NOISETMP"
+		rm -f "$NOISETMP2"
+		echo "De-Noised output removes everything matching $NOISE."
+	else
+		mv "$NOISETMP2" "$NOISETMP"
+		echo "No noise expression was given."
+	fi
+
+	if [ -s "$NOISETMP" ]; then
+		loglines=$(< "$NOISETMP" wc -l | awk '{ print $1 }')
+		if [ "${loglines:=0}" -gt $LINES ]; then
+			cat << EOF
+
+****************************************************************************
+*   aide has returned long output which has been truncated in this mail    *
+****************************************************************************
+
+EOF
+			echo "De-Noised output is $loglines lines, truncated to $LINES."
+			< "$NOISETMP" head -$LINES
+			echo "The full output can be found in $LOGDIR/$LOGFILE."
+		else
+			echo "De-Noised output of the daily AIDE run ($loglines lines):"
+			cat "$NOISETMP"
+		fi
+	else
+		echo "AIDE detected no changes after removing noise."
+	fi
+	rm -f "$NOISETMP"
+	echo "============================================================================"
+fi
+
+# include non-de-noised log
+
+if [ -s "$LOGDIR/$LOGFILE" ]; then
+	loglines=$(wc -l "$LOGDIR/$LOGFILE" | awk '{ print $1 }')
+	if [ "${loglines:=0}" -gt $LINES ]; then
+		cat << EOF
+
+****************************************************************************
+*   aide has returned long output which has been truncated in this mail    *
+****************************************************************************
+
+EOF
+		echo "Output is $loglines lines, truncated to $LINES."
+		head -$LINES "$LOGDIR/$LOGFILE"
+		echo "The full output can be found in $LOGDIR/$LOGFILE."
+	else
+		echo "Output of the daily AIDE run ($loglines lines):"
+		cat "$LOGDIR/$LOGFILE"
+	fi
+else
+	echo "AIDE detected no changes."
+fi
+) > "${MAILTMP}"
+
+(
+cat <<EOF
+Subject: Daily AIDE report for $FQDN
+From: root@${FQDN}
+To: ${MAILTO}
+EOF
+cat "${MAILTMP}"
+) | /usr/sbin/sendmail $MAILTO
+
+rm -f "$MAILTMP"