First

aideCheck.sh

+#!/bin/bash
+#
+# aideCheck.sh - A simple script to filter AIDE check & update cron jonbs
+#
+# - Send an email alert if MAIL recipient is set only if AIDE find something wrong
+# - Return 1 if AIDE find something wrong
+# - Run aide --update after execution, to remove multiple alerts (disabled by default)
+#
+# https://github.com/m33m33/aideCheck.sh
+#
+
+# Who will get the news. Leave empty for silent operation.
+MAIL="infosec@cirad.fr"
+# Set to 1 to get notified for changed files
+CHANGED_ALERT=1
+# Set to 1 to get notified for added files
+ADDED_ALERT=1
+# Set to 1 to run automatic aide update after execution (not recommended)
+AIDE_UPDATE=0
+
+# Nothing to be modified below this line
+########################################################################
+DATE=`date +%Y-%m-%d`
+MYHOST=`hostname`
+MYIP=`hostname -i`
+ALERTRV=0
+TMP=/var/lib/aide/.aideCheck.$$.txt
+
+umask 077
+
+mutt --help 1>/dev/null 2>&1
+if [ $? -ne 0 ]; then
+  echo "Error: you need mutt to send emails (and a working email setup on this machine)"
+  echo "ex: yum install mutt"
+  exit 10
+fi
+
+aide --help 1>/dev/null 2>&1
+if [ $? -ne 0 ]; then  
+  echo "Error: you need AIDE to watch for system changes, and to setup AIDE on first use"       
+  echo "ex: yum install aide"
+  exit 11
+fi
+
+# Prepare a nice mail report
+echo "AIDE check report for: $MYHOST ($MYIP)" > $TMP.mailReport
+
+# Run a diagonstic, this can take some time and CPU, be nice
+nice aide --check > $TMP
+
+# Look for issues, alert if any
+if [ $CHANGED_ALERT -eq 1 ]; then
+  cat $TMP |grep -e "^changed:" > $TMP.aideFail
+fi
+if [ $ADDED_ALERT -eq 1 ]; then
+  echo "============================================================" >> $TMP.aideFail
+  cat $TMP |grep -e "^added:" >> $TMP.aideFail
+fi
+
+touch $TMP.aideFail
+nbLines=`wc -l $TMP.aideFail | awk '{print $1}'`
+if [ $nbLines -ne 0 ]; then  
+  ALERTRV=1
+  echo "You may want to look at this summary, and attached full report:" >> $TMP.mailReport
+  echo "============================================================" >> $TMP.mailReport
+  cat $TMP.aideFail >> $TMP.mailReport
+  echo "============================================================" >> $TMP.mailReport
+  echo " " >> $TMP.mailReport
+  echo " " >> $TMP.mailReport 
+  echo "(In case of flase-positive, remember to update AIDE database (aide --update) to set a new baseline)" >> $TMP.mailReport
+  echo " " >> $TMP.mailReport  
+
+  if [ $AIDE_UPDATE -eq 1 ]; then
+    echo "Running aide --update to refresh the baseline. Warning : you may miss important alerts, you should not use this setting in production" >> $TMP.mailReport
+    nice aide --update 1>>$TMP.mailReport 2>&1
+  fi
+
+  # send the alert if needed
+  if [ "x$MAIL\x" != "x\x" ]; then
+    cat $TMP.mailReport | mutt -a $TMP -s "[aideCheck.sh] Alert for $MYHOST, suspicious changes detected" -- $MAIL
+  fi
+fi
+
+rm -f $TMP $TMP.mailReport $TMP.aideFail
+
+# This script return value may be used to chain scripts
+exit $ALERTRV