#!/bin/sh # # script to initialize an AIDE database and create a GPG key # specifically for use with the AIDE database # # written by Vincent Danen <vdanen-at-annvix.org> # # $Id: aideinit 6673 2007-01-16 17:40:05Z vdanen $ if [ ! -d /var/lib/aide ]; then printf "The AIDE database directory /var/lib/aide does not exist!\n\n" exit 1 fi host="`hostname`" gpg="/usr/bin/gpg" aide="/usr/sbin/aide" fname="aide-`hostname`-`date +%Y%m%d-%H%M%S`" if [ "`${gpg} --list-secret-key | grep aide@${host} >/dev/null 2>&1; echo $?`" == "1" ]; then # we need to generate a gpg key printf "Generating GPG private key for aide@${host}\n\n" printf "This is done automatically, but you must provide a strong passphrase\nto protect the key.\n\n" getpass() { unset PASS1 unset PASS2 read -s -e -p "Passphrase: " PASS1 printf "\n" read -s -e -p "Re-enter passphrase: " PASS2 printf "\n" if [ "${PASS1}" != "${PASS2}" ]; then printf "FATAL: Passwords do not match!\n\n" unset PASS1 unset PASS2 fi } getpass [[ "${PASS1}" == "" ]] && getpass [[ "${PASS1}" == "" ]] && { printf "FATAL: Password mis-match occurred twice. Aborting.\n\n" exit 1 } printf "Generating GPG key... " tmpfile=`mktemp` || exit 1 echo "Key-Type: DSA" >>${tmpfile} echo "Key-Length: 1024" >>${tmpfile} echo "Subkey-Type: ELG-E" >>${tmpfile} echo "Subkey-Length: 1024" >>${tmpfile} echo "Name-Real: AIDE" >>${tmpfile} echo "Name-Comment: AIDE verification key" >>${tmpfile} echo "Name-Email: aide@${host}" >>${tmpfile} echo "Expire-Date: 0" >>${tmpfile} echo "Passphrase: ${PASS1}" >>${tmpfile} ${gpg} --batch --gen-key ${tmpfile} if [ "$?" == "0" ]; then printf " success!\n\n" rm -f ${tmpfile} else printf " failed!\nAn error occurred; cannot proceed!\n\n" rm -f ${tmpfile} exit 1 fi fi signfile() { echo ${PASS1} | ${gpg} -u aide@${host} --passphrase-fd stdin --no-tty --detach-sign aide.db if [ "$?" == "1" ]; then printf "FATAL: Error occurred when creating the signature file!\n\n" exit 1 fi } printf "Initializing the AIDE database... this may take a minute or two.\n" # set database to a non-existant file to prevent warnings ${aide} --init -B "database=file:/tmp/foo" -B "database_out=file:/var/lib/aide/aide.db" pushd /var/lib/aide >/dev/null 2>&1 # create the signature file; we don't have to ask for the passphrase here, we've already got it [[ -f aide.db.sig ]] && rm -f aide.db.sig signfile [[ ! -f aide.db.sig ]] && { printf "FATAL: Signature was not created! Aborting.\n\n" exit 1 } printf "Database successfully signed.\n\n" popd >/dev/null 2>&1 exit 0