author | Benjamin Smee <strerror@gentoo.org> | 2005-09-30 15:19:38 +0000 |
---|---|---|
committer | Benjamin Smee <strerror@gentoo.org> | 2005-09-30 15:19:38 +0000 |
commit | 5148051a190cebe7cafb395ec6b24af809ee2fa6 (patch) | |
tree | f831c6c355f73bc6fd1412dedf9f16b7d6e866f6 /app-forensics | |
parent | * bump (diff) | |
Added helper script and changed default config
Package-Manager: portage-2.0.51.22-r2
Diffstat (limited to 'app-forensics')
-rw-r--r-- | app-forensics/aide/ChangeLog | 8 | ||||
-rw-r--r-- | app-forensics/aide/Manifest | 15 | ||||
-rw-r--r-- | app-forensics/aide/aide-0.10_p20040917-r1.ebuild | 115 | ||||
-rw-r--r-- | app-forensics/aide/files/aide.conf | 115 | ||||
-rwxr-xr-x | app-forensics/aide/files/aide.cron | 175 | ||||
-rwxr-xr-x | app-forensics/aide/files/aideinit | 145 | ||||
-rw-r--r-- | app-forensics/aide/files/digest-aide-0.10_p20040917-r1 | 1 |
7 files changed, 568 insertions, 6 deletions
diff --git a/app-forensics/aide/ChangeLog b/app-forensics/aide/ChangeLog index b7c4ad4cd9fe..1027a863c828 100644 --- a/app-forensics/aide/ChangeLog +++ b/app-forensics/aide/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for app-forensics/aide # Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-forensics/aide/ChangeLog,v 1.13 2005/04/21 18:46:53 blubb Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-forensics/aide/ChangeLog,v 1.14 2005/09/30 15:19:38 strerror Exp $ + +*aide-0.10_p20040917-r1 (30 Sep 2005) + + 30 Sep 2005; Benjamin Smee <strerror@gentoo.org> +files/aide.conf, + +files/aide.cron, +files/aideinit, +aide-0.10_p20040917-r1.ebuild: + Added helper script and changed default config 21 Apr 2005; Simon Stelling <blubb@gentoo.org> aide-0.10_p20040917.ebuild: stable on amd64 diff --git a/app-forensics/aide/Manifest b/app-forensics/aide/Manifest index 3b8b8338dba5..fa86ae6be098 100644 --- a/app-forensics/aide/Manifest +++ b/app-forensics/aide/Manifest 
@@ -1,11 +1,16 @@ -MD5 349dd99c3d866d14dae100dac9c04ff6 ChangeLog 4515 +MD5 4a0822e3949514e3f02289044fcb65f8 aide-0.9.ebuild 1390 MD5 91b1915d9d4ebc8ceb302db89bd31b77 aide-0.10.ebuild 1418 +MD5 7281a76e068801286ae965927b25c83b aide-0.10_p20040917-r1.ebuild 3081 MD5 f963571827dc97f1cbb03143bfcdbbca aide-0.10_p20040917.ebuild 2595 -MD5 4a0822e3949514e3f02289044fcb65f8 aide-0.9.ebuild 1390 +MD5 2e9a0c3e2235efa3a5e6f3cd43f3fc9e ChangeLog 4745 MD5 20ee07270b7eadc3659cd96a982e460f metadata.xml 230 MD5 4f38a077259ca3be62ae6a55c82d5302 files/aide-0.10-gentoo.diff 2760 -MD5 71915b04e537c8182a7cb3c7f560e04e files/aide-0.10_p20040917-fix-psql.diff 4726 -MD5 f07734c5b540f7a251d3d8139ef0f75f files/aide-0.9-gentoo.diff 2319 -MD5 8c599ad3440b5d4a3244875ff0655225 files/digest-aide-0.10 61 +MD5 9fd564a250e289afba0bf43ef639eae3 files/aideinit 2948 MD5 ff4b62bd8854921c76dd8a59552f3382 files/digest-aide-0.10_p20040917 71 MD5 b26d49d6bcafd39178a0da345cb2985d files/digest-aide-0.9 60 +MD5 ff4b62bd8854921c76dd8a59552f3382 files/digest-aide-0.10_p20040917-r1 71 +MD5 f07734c5b540f7a251d3d8139ef0f75f files/aide-0.9-gentoo.diff 2319 +MD5 8c599ad3440b5d4a3244875ff0655225 files/digest-aide-0.10 61 +MD5 71915b04e537c8182a7cb3c7f560e04e files/aide-0.10_p20040917-fix-psql.diff 4726 +MD5 85ae869c8edee90f3cceb6bf309c6c60 files/aide.conf 2713 +MD5 677202a99eef995fb515577bc4614aa8 files/aide.cron 5775 diff --git a/app-forensics/aide/aide-0.10_p20040917-r1.ebuild b/app-forensics/aide/aide-0.10_p20040917-r1.ebuild new file mode 100644 index 000000000000..45c115b55b46 --- /dev/null +++ b/app-forensics/aide/aide-0.10_p20040917-r1.ebuild 
@@ -0,0 +1,115 @@ +# Copyright 1999-2005 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/app-forensics/aide/aide-0.10_p20040917-r1.ebuild,v 1.1 2005/09/30 15:19:38 strerror Exp $ + +inherit eutils + +DESCRIPTION="AIDE (Advanced Intrusion Detection Environment) is a replacement for Tripwire" +HOMEPAGE="http://aide.sourceforge.net/" +SRC_URI="mirror://gentoo/${P}.tar.gz" + +SLOT="0" +LICENSE="GPL-2" +KEYWORDS="~x86 ~ppc ~sparc ~alpha ~amd64" +IUSE="nls postgres zlib crypt" + +DEPEND="app-arch/gzip + sys-devel/bison + sys-devel/flex + app-crypt/mhash + crypt? ( dev-libs/libgcrypt ) + postgres? ( dev-db/postgresql ) + zlib? ( sys-libs/zlib )" +RDEPEND="nls? ( sys-devel/gettext )" + +MY_PF=${PF%%_*} +S=${WORKDIR}/${PN} + +src_unpack() { + unpack ${A} + cd ${S} + + use postgres && epatch ${FILESDIR}/${PF}-fix-psql.diff + epatch ${FILESDIR}/${MY_PF}-gentoo.diff + + export WANT_AUTOCONF='2.5' + export WANT_AUTOMAKE='1.7' + sh autogen.sh || die "autogen.sh failed" +} + +src_compile() { + # passing --without-psql or --with-psql causes postgres to be enabled ... + # it's a broken configure.in file ... so lets just work around it + local myconf="" + use postgres && myconf="$myconf --with-psql" + use crypt && myconf="$myconf --with-gcrypt" + + econf \ + `use_with zlib` \ + `use_with nls locale` \ + --with-mhash \ + --sysconfdir=/etc/aide \ + --with-extra-lib=/usr/lib \ + ${myconf} \ + || die + emake || die +} + +src_test() { + # aide abort()'s inside the sandbox for some reason + if ! 
has sandbox ${FEATURES}; + then + src/aide --init -c doc/aide.conf -V20 \ + || die "failed to initialise database" + mv aide.db.new doc/aide.db + make check || die "failed self test" + fi +} + +src_install() { + make DESTDIR="${D}" install || die + use nls || rm -rf ${D}/usr/lib/locale + + keepdir /var/lib/aide + keepdir /var/log/aide + + insinto /etc/aide + doins ${FILESDIR}/aide.conf + + exeinto /usr/sbin + newexe ${FILESDIR}/aideinit aideinit + + exeinto /etc/cron.daily + newexe ${FILESDIR}/aide.cron aide.cron + + dodoc ChangeLog AUTHORS NEWS README + dohtml doc/manual.html +} + +pkg_postinst() { + chown root:root /var/lib/aide + chmod 0755 /var/lib/aide + + echo + einfo "A sample configuration file has been installed as" + einfo "/etc/aide/aide.conf. Please edit to meet your needs." + einfo "Read the aide.conf(5) manual page for more information." + einfo "A cron file has been installed in /etc/cron.daily/aide.cron" + einfo "A helper script, aideinit, has been installed and can" + einfo "be used to make AIDE management easier. Please run" + einfo "aideinit --help for more information" + echo + + if use postgres; then + einfo "Due to a bad assumption by aide, you must issue the following" + einfo "command after the database initialization (aide --init ...):" + einfo + einfo 'psql -c "update pg_index set indisunique=false from pg_class \\ ' + einfo " where pg_class.relname='TABLE_pkey' and \ " + einfo ' pg_class.oid=pg_index.indexrelid" -h HOSTNAME -p PORT DBASE USER' + einfo + einfo "where TABLE, HOSTNAME, PORT, DBASE, and USER are the same as" + einfo "your aide.conf." + echo + fi +} diff --git a/app-forensics/aide/files/aide.conf b/app-forensics/aide/files/aide.conf new file mode 100644 index 000000000000..cef1813db9f8 --- /dev/null +++ b/app-forensics/aide/files/aide.conf 
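Review bot: With USE=postgres, `use postgres && epatch ${FILESDIR}/${PF}-fix-psql.diff` in src_unpack expands to files/aide-0.10_p20040917-r1-fix-psql.diff, but the Manifest in this same commit only lists files/aide-0.10_p20040917-fix-psql.diff, so the -r1 revision bump makes that configuration die in epatch; the path should use the unrevisioned version, `use postgres && epatch ${FILESDIR}/${P}-fix-psql.diff`. Separately, pkg_postinst sets /var/lib/aide to 0755, which leaves the directory holding the integrity baseline readable to every local user (the mode aide gives aide.db itself is not visible here, so whether the database contents leak depends on aide's umask); a 0700 directory, set with `fperms 0700 /var/lib/aide` in src_install so it also applies under ${D}, is the safer default. The chown/chmod in pkg_postinst also act on the live / rather than ${ROOT}/var/lib/aide.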
@@ -0,0 +1,115 @@ +# AIDE conf + +database=file:/var/lib/aide/aide.db +database_out=file:/var/lib/aide/aide.db.new + +# Change this to "no" or remove it to not gzip output +# (only useful on systems with few CPU cycles to spare) +gzip_dbout=yes + +# Here are all the things we can check - these are the default rules +# +#p: permissions +#i: inode +#n: number of links +#u: user +#g: group +#s: size +#b: block count +#m: mtime +#a: atime +#c: ctime +#S: check for growing size +#md5: md5 checksum +#sha1: sha1 checksum +#rmd160: rmd160 checksum +#tiger: tiger checksum +#R: p+i+n+u+g+s+m+c+md5 +#L: p+i+n+u+g +#E: Empty group +#>: Growing logfile p+u+g+i+n+S +#haval: haval checksum +#gost: gost checksum +#crc32: crc32 checksum + +# Defines formerly set here have been moved to /etc/default/aide. + +# Custom rules +Binlib = p+i+n+u+g+s+b+m+c+md5+sha1 +ConfFiles = p+i+n+u+g+s+b+m+c+md5+sha1 +Logs = p+i+n+u+g+S +Devices = p+i+n+u+g+s+b+c+md5+sha1 +Databases = p+n+u+g +StaticDir = p+i+n+u+g +ManPages = p+i+n+u+g+s+b+m+c+md5+sha1 + +# Next decide what directories/files you want in the database + +# Kernel, system map, etc. +=/boot$ Binlib +# Binaries +/bin Binlib +/sbin Binlib +/usr/bin Binlib +/usr/sbin Binlib +/usr/local/bin Binlib +/usr/local/sbin Binlib +#/usr/games Binlib +# Libraries +/lib Binlib +/usr/lib Binlib +/usr/local/lib Binlib +# Log files +=/var/log$ StaticDir +#!/var/log/ksymoops +/var/log/aide/aide.log(.[0-9])?(.gz)? Databases +/var/log/aide/error.log(.[0-9])?(.gz)? Databases +#/var/log/setuid.changes(.[0-9])?(.gz)? Databases +!/var/log/aide +/var/log Logs +# Devices +!/dev/pts +# If you get spurious warnings about being unable to mmap() /dev/cpu/mtrr, +# you may uncomment this to get rid of them. They're harmless but sometimes +# annoying. 
+#!/dev/cpu/mtrr +#!/dev/xconsole +/dev Devices +# Other miscellaneous files +/var/run$ StaticDir +!/var/run +# Test only the directory when dealing with /proc +/proc$ StaticDir +!/proc + +# You can look through these examples to get further ideas + +# MD5 sum files - especially useful with debsums -g +#/var/lib/dpkg/info/([^\.]+).md5sums u+g+s+m+md5+sha1 + +# Check crontabs +#/var/spool/anacron/cron.daily Databases +#/var/spool/anacron/cron.monthly Databases +#/var/spool/anacron/cron.weekly Databases +#/var/spool/cron Databases +#/var/spool/cron/crontabs Databases + +# manpages can be trojaned, especially depending on *roff implementation +#/usr/man ManPages +#/usr/share/man ManPages +#/usr/local/man ManPages + +# docs +#/usr/doc ManPages +#/usr/share/doc ManPages + +# check users' home directories +#/home Binlib + +# check sources for modifications +#/usr/src L +#/usr/local/src L + +# Check headers for same +#/usr/include L +#/usr/local/include L diff --git a/app-forensics/aide/files/aide.cron b/app-forensics/aide/files/aide.cron new file mode 100755 index 000000000000..34a24dd25a17 --- /dev/null +++ b/app-forensics/aide/files/aide.cron 
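Review bot: Nothing in the rule list covers /etc/aide or /etc/cron.daily, so a local attacker who edits aide.conf (for example adding a `!/usr/bin` exclusion) or the daily cron job is never reported by the check those files drive; the `ConfFiles` rule is defined and then never used, which suggests such entries were intended. Adding `/etc/aide ConfFiles` and `/etc/cron.daily ConfFiles` next to the binaries entries closes that gap, and the commented-out /var/spool/cron entries are worth enabling on hosts that use cron. The comment `Defines formerly set here have been moved to /etc/default/aide.` refers to a Debian path that this ebuild does not install and should be dropped or reworded.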
@@ -0,0 +1,175 @@ +#!/bin/bash +# Modified: Benjamin Smee +# Date: Fri Sep 10 11:35:41 BST 2004 + +# This is the email address reports get mailed to +MAILTO=root@localhost + +# Set this to suppress mailings when there's nothing to report +QUIETREPORTS=1 + +# This parameter defines which aide command to run from the cron script. +# Sensible values are "update" and "check". +# Default is "check", ensuring backwards compatibility. +# Since "update" does not take any longer, it is recommended to use "update", +# so that a new database is created every day. The new database needs to be +# manually copied over the current one, though. +COMMAND=update + +# This parameter defines how many lines to return per e-mail. Output longer +# than this value will be truncated in the e-mail sent out. +LINES=1000 + +# This parameter gives a grep regular expression. If given, all output lines +# that _don't_ match the regexp are listed first in the script's output. This +# allows to easily remove noise from the aide report. +NOISE="(/var/cache/|/var/lib/|/var/tmp)" +PATH="/bin:/usr/bin:/sbin:/usr/sbin" +LOGDIR="/var/log/aide" +LOGFILE="aide.log" +CONFFILE="/etc/aide/aide.conf" +ERRORLOG="aide_error.log" +ERRORTMP=`tempfile --directory "/tmp" --prefix "$ERRORLOG"` + +[ -f /usr/bin/aide ] || exit 0 + +DATABASE=`grep "^database=file:/" $CONFFILE | head -n 1 | cut --delimiter=: --fields=2` +FQDN=`hostname -f` +DATE=`date +"at %Y-%m-%d %H:%M"` + +# default values + +DATABASE="${DATABASE:-/var/lib/aide/aide.db}" + +AIDEARGS="-V4" + +if [ ! -f $DATABASE ]; then + ( + echo "Fatal error: The AIDE database does not exist!" + echo "This may mean you haven't created it, or it may mean that someone has removed it." 
+ ) | /bin/mail -s "Daily AIDE report for $FQDN" $MAILTO + exit 0 +fi + +# Removed so no deps on debianutils - strerror +#[ -f "$LOGDIR/$LOGFILE" ] && savelog -j -t -g adm -m 640 -u root -c 7 "$LOGDIR/$LOGFILE" > /dev/null +#[ -f "$LOGDIR/$ERRORLOG" ] && savelog -j -t -g adm -m 640 -u root -c 7 "$LOGDIR/$ERRORLOG" > /dev/null + +aide $AIDEARGS --$COMMAND >"$LOGDIR/$LOGFILE" 2>"$ERRORTMP" +RETVAL=$? + +if [ -n "$QUIETREPORTS" ] && [ $QUIETREPORTS -a \! -s $LOGDIR/$LOGFILE -a \! -s $ERRORTMP ]; then + # Bail now because there was no output and QUIETREPORTS is set + exit 0 +fi + +(cat << EOF; +This is an automated report generated by the Advanced Intrusion Detection +Environment on $FQDN ${DATE}. + +EOF + +# include error log in daily report e-mail + +if [ "$RETVAL" != "0" ]; then + cat > "$LOGDIR/$ERRORLOG" << EOF; + +***************************************************************************** +* aide returned a non-zero exit value * +***************************************************************************** + +EOF + echo "exit value is: $RETVAL" >> "$LOGDIR/$ERRORLOG" +else + touch "$LOGDIR/$ERRORLOG" +fi +< "$ERRORTMP" cat >> "$LOGDIR/$ERRORLOG" +rm -f "$ERRORTMP" + +if [ -s "$LOGDIR/$ERRORLOG" ]; then + errorlines=`wc -l "$LOGDIR/$ERRORLOG" | awk '{ print $1 }'` + if [ ${errorlines:=0} -gt $LINES ]; then + cat << EOF; + +**************************************************************************** +* aide has returned many errors. * +* the error log output has been truncated in this mail * +**************************************************************************** + +EOF + echo "Error output is $errorlines lines, truncated to $LINES." + head -$LINES "$LOGDIR/$ERRORLOG" + echo "The full output can be found in $LOGDIR/$ERRORLOG." + else + echo "Errors produced ($errorlines lines):" + cat "$LOGDIR/$ERRORLOG" + fi +else + echo "AIDE produced no errors." 
+fi + +# include de-noised log + +if [ -n "$NOISE" ]; then + NOISETMP=`tempfile --directory "/tmp" --prefix "aidenoise"` + NOISETMP2=`tempfile --directory "/tmp" --prefix "aidenoise"` + sed -n '1,/^Detailed information about changes:/p' "$LOGDIR/$LOGFILE" | \ + grep '^\(changed\|removed\|added\):' | \ + grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" > $NOISETMP2 + + if [ -n "$NOISE" ]; then + < $NOISETMP2 grep -v "^\(changed\|removed\|added\):$NOISE" > $NOISETMP + rm -f $NOISETMP2 + echo "De-Noised output removes everything matching $NOISE." + else + mv $NOISETMP2 $NOISETMP + echo "No noise expression was given." + fi + + if [ -s "$NOISETMP" ]; then + loglines=`< $NOISETMP wc -l | awk '{ print $1 }'` + if [ ${loglines:=0} -gt $LINES ]; then + cat << EOF; + +**************************************************************************** +* aide has returned long output which has been truncated in this mail * +**************************************************************************** + +EOF + echo "De-Noised output is $loglines lines, truncated to $LINES." + < $NOISETMP head -$LINES + echo "The full output can be found in $LOGDIR/$LOGFILE." + else + echo "De-Noised output of the daily AIDE run ($loglines lines):" + cat $NOISETMP + fi + else + echo "AIDE detected no changes after removing noise." + fi + rm -f $NOISETMP + echo "============================================================================" +fi + +# include non-de-noised log + +if [ -s "$LOGDIR/$LOGFILE" ]; then + loglines=`wc -l "$LOGDIR/$LOGFILE" | awk '{ print $1 }'` + if [ ${loglines:=0} -gt $LINES ]; then + cat << EOF; + +**************************************************************************** +* aide has returned long output which has been truncated in this mail * +**************************************************************************** + +EOF + echo "Output is $loglines lines, truncated to $LINES." 
+ head -$LINES "$LOGDIR/$LOGFILE" + echo "The full output can be found in $LOGDIR/$LOGFILE." + else + echo "Output of the daily AIDE run ($loglines lines):" + cat "$LOGDIR/$LOGFILE" + fi +else + echo "AIDE detected no changes." +fi +) | /bin/mail -s "Daily AIDE report for $FQDN" $MAILTO diff --git a/app-forensics/aide/files/aideinit b/app-forensics/aide/files/aideinit new file mode 100755 index 000000000000..e0e933ce4b09 --- /dev/null +++ b/app-forensics/aide/files/aideinit 
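Review bot: The three `tempfile --directory "/tmp" ...` calls depend on debianutils, the very dependency the hunk says it removed when it commented out savelog ("Removed so no deps on debianutils - strerror"); on a host without tempfile(1), `$ERRORTMP` is empty, bash rejects the `2>"$ERRORTMP"` redirect as ambiguous and the `aide $AIDEARGS --$COMMAND` run never happens, so the daily check silently stops. Replace them with `ERRORTMP=$(mktemp "/tmp/${ERRORLOG}.XXXXXX") || exit 1`, `NOISETMP=$(mktemp /tmp/aidenoise.XXXXXX) || exit 1` and `NOISETMP2=$(mktemp /tmp/aidenoise.XXXXXX) || exit 1`, and consider creating them under $LOGDIR (root-only) rather than the shared /tmp. Whether `/bin/mail` exists at that path depends on the mailer installed and is not verifiable here; a `[ -x /bin/mail ] || exit 0` guard next to the `/usr/bin/aide` check would make the failure mode explicit.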
@@ -0,0 +1,145 @@ +#!/bin/sh +# Copyright 2003 Mike Markley <mike@markley.org> +# This script is free for any purpose whatseoever so long as the above +# copyright notice remains in place. +# +# Modified for Gentoo: Benjamin Smee +# Date: Fri Sep 10 11:36:04 BST 2004 + +# This is the email address reports get mailed to +MAILTO=root@localhost + +# Defaults +#MAILTO="${MAILTO:-root}" + +# Options +opt_f=0 +opt_y=0 +opt_c=0 +opt_b=0 +config="/etc/aide/aide.conf" + +aideinit_usage() { + echo "Usage: $0 [options] -- [aide options]" + echo " -y|--yes Overwrite output file" + echo " -f|--force Force overwrite of database" + echo " -c|--config Specify alternate config file" + echo " -o|--output Specify alternate output file" + echo " -d|--database Specify alternate database file" + echo " -b|--background Run in the background" +} + +while [ -n "$1" ]; do + case "$1" in + -h|--help) + aideinit_usage + exit 0 + ;; + -f|--force) + opt_f=1 + shift + ;; + -y|--yes) + opt_y=1 + shift + ;; + -b|--background) + opt_b=1 + shift + ;; + -o|--output) + shift + [ -z "$1" ] && aideinit_usage && exit 1 + outfile=$1 + shift + ;; + -d|--database) + shift + [ -z "$1" ] && aideinit_usage && exit 1 + dbfile=$1 + shift + ;; + -c|--config) + opt_c=1 + shift + [ -z "$1" ] && aideinit_usage && exit 1 + config=$1 + shift + ;; + --) + shift + break 2 + ;; + *) + echo "Unknown option $1 (use -- to delimit aideinit and aide options)" + exit + ;; + esac +done + +if [ ! -f "$config" ]; then + echo "$0: $config: file not found" + exit 1 +fi + +if [ -z "$outfile" ]; then + outfile=`egrep "database_out=file:" $config | cut -d: -f2` + [ -z "$outfile" ] && outfile="/var/lib/aide/aide.db.new" +fi +if [ -z "$dbfile" ]; then + dbfile=`egrep "database=file:" $config | cut -d: -f2` + [ -z "$dbfile" ] && dbfile="/var/lib/aide/aide.db" +fi + +if [ -f $outfile ]; then + if [ $opt_y -eq 0 ]; then + echo -n "Overwrite existing $outfile [Yn]? 
" + read yn + case "$yn" in + [Nn]*) + exit 0 + ;; + esac + fi +fi + +extraflags="" + +if [ $opt_c -eq 1 ]; then + extraflags="$extraflags --config $config" +fi + +if [ $opt_b -eq 1 ]; then + (aide --init $extraflags $@ >/var/log/aide/aideinit.log 2>/var/log/aide/aideinit.errors + if [ -f "$dbfile" -a $opt_f -eq 0 ]; then + echo "$dbfile exists and -f was not specified" >> /var/log/aide/aideinit.errors + fi + lines=`wc -l /var/log/aideinit.errors | awk '{ print $1 }'` + if [ "$lines" -gt 0 ]; then + (echo "AIDE init errors:"; cat /var/log/aide/aideinit.errors) | /usr/bin/mail -s "AIDE initialization problem" $MAILTO + else + cp -f $outfile $dbfile + fi) & + exit 0 +fi + +echo "Running aide --init..." +aide --init $extraflags $@ + +return=$? +if [ $return -ne 0 ]; then + echo "Something didn't quite go right; see $outfile for details" >&2 + exit $return +fi + +if [ -f "$dbfile" -a $opt_f -eq 0 ]; then + echo -n "Overwrite $dbfile [yN]? " + read yn + case "$yn" in + [yY]*) + cp -f $outfile $dbfile + ;; + esac +else + cp -f $outfile $dbfile +fi diff --git a/app-forensics/aide/files/digest-aide-0.10_p20040917-r1 b/app-forensics/aide/files/digest-aide-0.10_p20040917-r1 new file mode 100644 index 000000000000..51418f8e2afb --- /dev/null +++ b/app-forensics/aide/files/digest-aide-0.10_p20040917-r1 @@ -0,0 +1 @@ +MD5 bfea36bd2a4254e212dcc19df54667fb aide-0.10_p20040917.tar.gz 201023 |
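Review bot: In the `-b` branch, `wc -l /var/log/aideinit.errors` reads a path different from the one the errors were just written to (`/var/log/aide/aideinit.errors`), so `lines` is empty, `[ "" -gt 0 ]` fails as a test error, and control falls into `cp -f $outfile $dbfile` — the "-f was not specified" guard and any aide failure are ignored and the baseline database is overwritten unconditionally in the background. The branch also never inspects aide's exit status, and `$@` is unquoted in both invocations so aide options containing spaces are split. The rewrite below fixes the path, captures the exit code and copies only when both are clean; the foreground path after it is unchanged.
```shell
if [ $opt_b -eq 1 ]; then
	(aide --init $extraflags "$@" >/var/log/aide/aideinit.log 2>/var/log/aide/aideinit.errors
	ret=$?
	if [ -f "$dbfile" -a $opt_f -eq 0 ]; then
		echo "$dbfile exists and -f was not specified" >> /var/log/aide/aideinit.errors
	fi
	lines=`wc -l < /var/log/aide/aideinit.errors`
	if [ "$ret" -ne 0 ] || [ "${lines:-0}" -gt 0 ]; then
		(echo "AIDE init errors:"; cat /var/log/aide/aideinit.errors) | /usr/bin/mail -s "AIDE initialization problem" $MAILTO
	else
		cp -f $outfile $dbfile
	fi) &
	exit 0
fi
# … unchanged: foreground "Running aide --init..." path …
```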