#!/bin/sh # # script to update and rotate the AIDE database files and # create a detached GPG signature to verify the database file # # written by Vincent Danen <vdanen-at-annvix.org> # # $Id: aideupdate 6662 2007-01-13 19:06:24Z vdanen $ gpg="/usr/bin/gpg" aide="/usr/sbin/aide" fname="aide-`hostname`-`date +%Y%m%d-%H%M%S`" host="`hostname`" if [ ! -d /var/lib/aide ]; then printf "The AIDE database directory /var/lib/aide does not exist!\n\n" exit 1 fi if [ ! -d /var/lib/aide/reports ]; then printf "Creating /var/lib/aide/reports to store reports\n" mkdir /var/lib/aide/reports && chmod 0700 /var/lib/aide/reports fi pushd /var/lib/aide >/dev/null # copy the old database if [ -f aide.db ]; then newfile="${fname}.db" if [ -f aide.db.sig ]; then # do an integrity check ${gpg} --verify aide.db.sig if [ "$?" == "1" ]; then printf "************************************************************\n" printf "GPG signature FAILED! Your database has been tampered with!\n" printf "************************************************************\n" exit 1 fi else printf "**************************************************************\n" printf "No GPG signature file found! Your system may be compromised\n" printf "or incorrectly configured! Please read man afterboot for\n" printf "more information on how to correctly configure AIDE on Annvix!\n" printf "**************************************************************\n" exit 1 fi # this function signs the aide.db with gpg signfile() { unset gpgpass printf "\n" read -s -e -p "Enter AIDE passphrase for aide@${host}: " gpgpass printf "\n" echo ${gpgpass} | ${gpg} -u aide@${host} --passphrase-fd stdin --no-tty --detach-sign aide.db if [ "$?" == "1" ]; then printf "FATAL: Error occurred when creating the signature file!\n\n" exit 1 fi } cp -a aide.db ${newfile} ${aide} --update -B "database=file:/var/lib/aide/${newfile}" -B "database_out=file:/var/lib/aide/aide.db" \ -B "report_url=file:/var/lib/aide/reports/${fname}.report" # create the signature file [[ -f aide.db.sig ]] && rm -f aide.db.sig signfile [[ ! -f aide.db.sig ]] && { printf "No signature was created; bad passphrase? Try it again.\n\n" signfile } [[ ! -f aide.db.sig ]] && { printf "FATAL: Signature was not created twice! Something is very wrong here.\n\n" exit 1 } printf "Database successfully signed.\n\n" gzip -9f ${newfile} else printf "The AIDE database does not exist, can't update!\n\n" exit 1 fi popd >/dev/null exit 0