#!/bin/sh # # NAME # sshaide.sh - SSH/AIDE remote integrity monitoring script # # SYNOPSIS # sshaide.sh -check|-init ALL| # # DESCRIPTION # sshaide.sh uses AIDE and SSH to remotely run integrity checks # on ALL configured client systems or those specifically listed on # the command line from a centralized manager station. sshaide.sh # stores all binaries, databases and reports on a secure, centralized # manager station. Database initialization or periodic checks are # run on demand or via cron jobs from the manager stations based on # local policy requirements. # # sshaide.sh requires a valid account on the remote system and uses # SSH RSA authentication with public/private password-less key pairs # to obtain automated, scripted access to a remote system. Naturally # the account(s), sshaide.sh keys and manager system must be heavily # protected from compromise. To minimize potential problems, it is # recommended that sshaide.sh use non-privileged accounts. While # this limits access to verify some files and diretories on remote # systems, we believe it is an acceptable trade-off. Most critical # files and directories can be effectively monitored without having # privileged access. It is recommended that an unprivileged, but # dedicated account on the manager station also be setup to manage # AIDE databases, AIDE reports, remote logins and other sshaide.sh # requirements. # # Remote clients must have the public SSH RSA key that will be used # by the sshaide.sh manager. The sshaide.sh manager must have the # managed client's SSH server RSA public key in known_hosts or # hostkeys file. Refer to your SSH documentation for instructions # on setting up public SSH RSA keys. # # OPTIONS # The option must be given in the proper order and with proper # syntax. # # -init Initialize or re-initialize the AIDE database for the # listed host or hosts. # # -check Run an integrity check on the specified system or systems. # The database for any host being checked must have already # been intialized. # # DIRECTORIES and FILES # ~/ # This is the home directory of the user running sshaide.sh. # By default, this is retrieved from the $HOME environment # variable. # # ~/bin # The directory where the sshaide.sh script and AIDE # binaries are stored. Required. # # ~/bin/sshaide.sh # The sshaide.sh program. This file. Required. # # ~/bin/aide.[platform] # The AIDE binary for a [platform]. For example, a Linux # 2.4 binary may be named aide.linux-2.4. These binaries # will be linked to from the independent client directories # based on their platform requirements. Required. # # ~/configs # The directory where the AIDE configuration files are # stored. Common AIDE configurations are stored here and # can be linked to from the independent client directories # based on policy requirements. Required. # # ~/reports # This directory will store the initialization logs and # integrity check reports. Integrity reports will be # tar.gz'd by year-month-day-hour. Required, but created # automatically by sshaide.sh. # # ~/clients # This is the parent directory for all client hosts being # managed. Required. # # ~/clients/[client-host] # This directory is a specific client host to be managed by # sshaide.sh. [client-host] is a host name. Short host name # is usually sufficient, but a fully qualified domain name # may be used if there may be host name overlap from different # subdomains. Required for each client to be managed by # sshaide.sh. # # ~/clients/[client-host]/aide.db_[client_host] # This file is the AIDE database for the [client-host] being # managed by sshaide.sh. Required, but created automatically # by the -init process. # # ~/clients/[client-host]/aide.db_[client-host].old # This file is the previous AIDE database before the last # -init process. Not required. Created automatically after # the second or additional database initialization. # # ~/clients/[client-host]/sshaide.conf # This file contains client specific configuration information. # Optional. The following three options are available: # # emaillist comma-separated-list-of-addresses # This option specifies the email addresses that # sshaide.sh output should be delivered to. # remote_aidedir full-home-diretory-path-on-client # This option specifies the fully qualified path # used on the client host. This would be equivalanet # to the $HOME environment variable on the client # system. # userid remote-user-id # This option specifies the remote login id with # which to login to the remote system with. # # All configuration options are optional, but if present, # they must be begin in column 1 with whitespace separting # the desired value(s). # # ~/clients/[client-host]/reinit # The existence of this file indicates that the AIDE database # for this client host should be reinitialized through the # -init process on the next run. Simply `touch` this file # whenever you want to reinitialize the client host database. # This file will be automaticaly removed after the next -init # process. Optional. # # ~/clients/[client-host]/aide.conf # This is a soft link to the appropriate AIDE configuration # file in ~/configs. The following two lines are required # for each configuration file: # # database=file:./aide.db # database_out=file:./aide.newdb # # ~/clients/[client-host]/aide # This is a soft link to the appropriate AIDE binary for # the client host platform in ~/bin. Required. # # ~/tmp # This is a temporary work directory for sshaide.sh. # Required. # # Original concept and coding from: # Judith A Freeman # University of Chicago # Network Security Center # # 28 June 1998 to 16 May 2000 # # Updates by: # John Kristoff # # Northwestern University # Telecommunications and Network Services # # 2003-12-03,jtk: updated for AIDE v0.10 and Linux # newly packaged as sshaide.sh # adjusted default path to something more reasonable for linux # replaced tripwire references with aide naming conventions # replaced hard coded root user id with $userid variable from whoami # added LC_ALL=C for grep to work with traditional [] interpretations # added a cd to remote_aidedir on remote machine # forced remote_aidedir directory creation (with 'mkdir -p') # added quotes to ssh commands # changed the email subject and header format # changed mail delivery and email creation handling # minor commenting edits # adjusted wordlist for Linux and Solaris, exiting if file not found # removed $1 for wordlist # implemented config file for remote_aidedir and emaillist per machine # changed reinit check from read (-r) to write (-w) check # fixed tar/gzip'ing of reports only on -check mode # removed unncessary root directory variable, use just aidedir # 2003-12-06,jtk:minor configuration updates # added userid option to config and created $useriddefault # set default remote home directory with $homedefault # 2003-12-16,jtk: fixed sshaide.conf usage # added doc about userid config in sshaide.conf # changed order of sshaide.conf config options so remote_aidedir works # 2004-02-12,jtk: minor doc editing ### ### Basic setup ### # Get a limited path PATH=/bin:/usr/bin:/usr/local/bin:/usr/ucb # For debugging only # set -x ### ### Local variable declarations ### # set the remote username to login and run aide as useriddefault=`whoami` # Who gets the mail if not set in client dir? maildefault=root@localhost # remote home directory homedefault=/home/${useriddefault} # $date in the form year-month-day-hour date=`date +%Y-%m-%d-%H` # Where are we running out of aidedir=${HOME} # Setup local directories and files for use clientdir=${aidedir}/clients tmpdir=${aidedir}/tmp progname=`basename $0` ### ### Functions ### # Give usage statement usage () { echo "" echo "Usage: `${progname}` ALL|" echo " run-mode: -init | -check" echo " machine-list: space separated list in quotes" echo "" } ## gen_rand_word - returns a semi-random word ## only returns words that are all lowercase letters gen_rand_word () { # Set the word list if test -r "/usr/share/dict/words" ; then # For Linux _wordlist="/usr/share/dict/words" elif test -r "/usr/dict/words" ; then # For Solaris _wordlist="/usr/dict/words" else echo ERROR: words file not found! Exiting... exit 0 fi _randnum=`date +%H%S%Y%m%H%d%S%S` _listlines=`cat ${_wordlist} | wc -l` _linenum=`expr ${_randnum} % ${_listlines}` # If we picked line 0, change it to 1 'cause line 0 doesn't exist if test ${_linenum} -eq 0 ; then _linenum=1 fi _randword=`grep -n . ${_wordlist} | grep "^${_linenum}:" | cut -d: -f2` # If $_randword has anything other than lower-case chars, try again (echo ${_randword} | LC_ALL=C grep '[^a-z]' 2>&1 >> /dev/null \ && gen_rand_word ) || \ # Return the word echo ${_randword} } init_cmds () { if test ! -d ${aidedir}/reports/initlogs/ ; then mkdir -p ${aidedir}/reports/initlogs/ fi ssh -l $userid $machine "(umask 077 ; cd ${remote_aidedir}; ${remote_aidedir}/aide --init --config=${remote_aidedir}/aide.conf 2>&1 | tee ${remote_aidedir}/initoutput >> /dev/null)" # Copy output back to file mkdir -p ${tmpdir}/initoutput/${date} scp -q ${userid}@${machine}:${remote_aidedir}/initoutput ${inittmp}/${machine} # backup old database if it exists if test -r ${clientdir}/${machine}/aide.db_${machine} ; then mv ${clientdir}/${machine}/aide.db_${machine} ${clientdir}/${machine}/aide.db_${machine}.old fi scp -q ${userid}@${machine}:${remote_aidedir}/aide.newdb ${clientdir}/${machine}/aide.db_${machine} } check_cmds () { scp -q $db ${userid}@${machine}:${remote_aidedir}/aide.db ssh -l $userid $machine "umask 077 && cd ${remote_aidedir} && ${remote_aidedir}/aide --config=${remote_aidedir}/aide.conf 2>&1 | tee ${remote_aidedir}/report >> /dev/null" # Copy output back to file if test ! -d ${aidedir}/reports/${date} ; then mkdir ${aidedir}/reports/${date} fi scp -q ${userid}@${machine}:${remote_aidedir}/report $reports/${machine} } ### ### The program ### # From the commandline case $# in 2) mode=$1; thehosts=$2 ;; *) usage; exit 1 ;; esac # Set mode specific variables case $mode in -init) initlogs=${aidedir}/reports/initlogs inittmp=${tmpdir}/initoutput/${date} mail_fordir=${inittmp} ;; -check) reports=${aidedir}/reports/${date} mail_fordir=${reports} ;; esac # case $thehosts in ALL) forcmd=`ls ${clientdir}` ;; *) forcmd=$thehosts ;; esac for machine in $forcmd ; do sleep 2 # so we get a different random word ( ## background it (this is so it runs in parellel) # Set up local directories and files for use config=${clientdir}/${machine}/aide.conf db=${clientdir}/${machine}/aide.db_${machine} binary=${clientdir}/${machine}/aide log=${clientdir}/${machine}/log sshaide_conf=${clientdir}/${machine}/sshaide.conf # Set up temporary directory name for remote machine rand_word=`gen_rand_word` # Apply client host configuration options if test ! -r ${sshaide_conf} ; then remote_aidedir=${homedefault}/${rand_word}.$$ mailrcpts=${maildefault} userid=${useriddefault} else # Get the email addresses to send reports to grep '^emaillist' ${sshaide_conf} if [ $? != 0 ] ; then mailrcpts=${maildefault} else mailrcpts=`grep -m1 '^emaillist' ${sshaide_conf} | \ awk '{print $2}'` fi # Get the remote user id grep '^userid' ${sshaide_conf} if [ $? != 0 ] ; then userid=${useriddefault} else userid=`grep -m1 '^userid' ${sshaide_conf} | \ awk '{print $2}'` fi # Get home directory to use on remote machine grep '^homedir' ${sshaide_conf} if [ $? != 0 ] ; then remote_aidedir=/home/${userid}/${rand_word}.$$ else remote_aidedir=`grep -m1 '^homedir' ${sshaide_conf} | \ awk '{print $2}'`/${rand_word}.$$ fi fi # Do the dirty work ssh -l $userid $machine "mkdir -p $remote_aidedir" scp -q $config ${userid}@${machine}:${remote_aidedir} scp -q $binary ${userid}@${machine}:${remote_aidedir} case $mode in -init) init_cmds ;; -check) check_cmds ;; esac # Delete remote directory ssh -l $userid $machine "rm -rf $remote_aidedir" # If $mail_fordir doesn't exist, don't continue if test ! -d "${mail_fordir}" ; then echo "${progname}:${mail_fordir} doesn't exist," echo "exiting now, not sending mail" exit 1 fi ### ### Mail reports out ### cat ${mail_fordir}/${machine} \ | mail -s "### AIDE ${mode} ${machine} ${date}" ${mailrcpts} ) done # Wait for all bg processes to finish before continuing wait # Tar and compress the reports if test $mode = -check ; then tar cf ${reports}.tar ${reports} rm -rf ${reports} gzip -9 ${reports}.tar fi # If mode is check, examine clientdir for reinit file, and # reinitialize if it exists if test $mode = -check ; then for host in $forcmd ; do if test -w ${clientdir}/${host}/reinit ; then ${aidedir}/bin/${progname} -init ${host} & rm ${clientdir}/${host}/reinit fi done fi ### ### Clean up init stuff ### if test $mode = -init ; then # Concatenate inittmp directories into initlogs for host in `ls -A ${mail_fordir}` ; do ( echo "********************************************" echo ${host} $date ${mode} echo "********************************************" echo "" cat ${mail_fordir}/${host} echo "" )| tee -a $initlogs/`date +%Y-%m` >> /dev/null done # Delete inittmp directory rm -rf ${tmpdir}/initoutput fi