-
Notifications
You must be signed in to change notification settings - Fork 0
/
aideinit
126 lines (108 loc) · 3.89 KB
/
aideinit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
#!/bin/sh
#
# script to initialize an AIDE database and create a GPG key
# specifically for use with the AIDE database
#
# written by Vincent Danen <vdanen-at-annvix.org>
#
# $Id$
# variables
version="@pkg_version@"
host="`hostname`"
gpg="/usr/bin/gpg"
aide="/usr/sbin/aide"
fname="aide-`hostname`-`date +%Y%m%d-%H%M%S`"
header="AIDE+gpg - GnuPG authenticity for AIDE databases\nversion: ${version} - \$Id$\n\n"
# get the database directory
dbdir=$(egrep '^@@define DBDIR' /etc/aide.conf | awk '{print $3}')
database_file=$(egrep '^database=' /etc/aide.conf | sed "s|file:@@{DBDIR}|${dbdir}|g" | cut -d '=' -f 2)
databasenew_file=$(egrep '^database_out=' /etc/aide.conf | sed "s|file:@@{DBDIR}|${dbdir}|g" | cut -d '=' -f 2)
export GNUPGHOME=/root/.gnupg
printf "${header}"
if [ ! -d ${dbdir} ]; then
printf "The AIDE database directory does not exist!\n\n"
exit 1
fi
if [ "`${gpg} --list-secret-key | grep aide@${host} >/dev/null 2>&1; echo $?`" == "1" ]; then
# we need to generate a gpg key
printf "Generating GPG private key for aide@${host}\n\n"
printf "This is done automatically, but you must provide a strong passphrase\nto protect the key.\n\n"
getpass() {
unset PASS1
unset PASS2
read -s -e -p "Passphrase: " PASS1
printf "\n"
read -s -e -p "Re-enter passphrase: " PASS2
printf "\n"
if [ "${PASS1}" != "${PASS2}" ]; then
printf "FATAL: Passwords do not match!\n\n"
unset PASS1
unset PASS2
fi
}
getpass
[[ "${PASS1}" == "" ]] && getpass
[[ "${PASS1}" == "" ]] && {
printf "FATAL: Password mis-match occurred twice. Aborting.\n\n"
exit 1
}
printf "Generating GPG key... "
tmpfile=`mktemp` || exit 1
echo "Key-Type: DSA" >>${tmpfile}
echo "Key-Length: 1024" >>${tmpfile}
echo "Subkey-Type: ELG-E" >>${tmpfile}
echo "Subkey-Length: 1024" >>${tmpfile}
echo "Name-Real: AIDE" >>${tmpfile}
echo "Name-Comment: AIDE verification key" >>${tmpfile}
echo "Name-Email: aide@${host}" >>${tmpfile}
echo "Expire-Date: 0" >>${tmpfile}
echo "Passphrase: ${PASS1}" >>${tmpfile}
${gpg} --batch --gen-key ${tmpfile}
if [ "$?" == "0" ]; then
printf " success!\n\n"
rm -f ${tmpfile}
else
printf " failed!\nAn error occurred; cannot proceed!\n\n"
rm -f ${tmpfile}
exit 1
fi
else
# a key already exists; we need the passphrase
printf "An AIDE key for aide@${host} already exists. To sign the database\n"
printf "you must provide the passphrase.\n\n"
read -s -e -p "aide@${host} GPG passphrase: " PASS1
fi
signfile() {
[[ -f ${1}.sig ]] && rm -f ${1}.sig
echo ${PASS1} | ${gpg} -u aide@${host} --passphrase-fd stdin --no-tty --batch --detach-sign ${1}
if [ "$?" == "1" ]; then
printf "FATAL: Error occurred when creating the signature file!\n\n"
exit 1
fi
chmod 0600 ${1}.sig
[[ ! -f ${1}.sig ]] && {
printf "FATAL: Signature file ${1}.sig was not created! Aborting.\n\n"
exit 1
}
}
# first we sign the AIDE binary so on subsequent checks, before calling it,
# we can verify the signature
printf "Signing the AIDE binary...\n"
signfile ${aide}
# likewise for the configuration file
printf "Signing the AIDE configuration file...\n"
signfile /etc/aide.conf
printf "Initializing the AIDE database... this may take a minute or two.\n"
# set database to a non-existant file to prevent warnings
${aide} --init
pushd ${dbdir} >/dev/null 2>&1
if [ -f ${databasenew_file} ]; then
# rename the outbound file
mv -f ${databasenew_file} ${database_file}
fi
# create the signature file; we don't have to ask for the passphrase here, we've already got it
[[ -f ${database_file}.sig ]] && rm -f ${database_file}.sig
signfile ${database_file}
printf "Database successfully signed.\n\n"
popd >/dev/null 2>&1
exit 0