PURPOSE

This program uses AIDE to check a filesystem for any changes since the last time it was run. If there are any changes then it sends an email to the system administrator with a report of those changes and another email with a copy of the database of the files checked. A copy of the database and reports is kept on the local disk for a configurable number of days.

REQUIREMENTS

* AIDE version 0.10 or later, preferably version 0.13.
* Linux. It may work on other UNIX operating systems such as Mac OS X and Solaris, but may need some modification.
* BASH, the standard shell on Linux (and Mac OS X and now Solaris as well).
* The programs find, gzip, sed, awk and grep, preferably the GNU versions. These are installed on almost all Linux systems.
* The programs md5sum and sha1sum, which are used only in the emails to the system administrator and are not needed by AIDE itself. These are part of the GNU coreutils and are installed on almost all Linux systems.
* A hostname program capable of displaying the system's hostname. Almost all Linux or UNIX systems will have one installed.
* The mutt email client to send the emails with attachments. It is not usually installed by default on most Linux distributions, though many will have it available as a package ready to install.
* A sendmail-compatible SMTP program, preferably Postfix or Exim. This is used by mutt to deliver the emails. Almost all Linux distributions will have one available, though not all install it by default. If you don't want to run a full SMTP server like Postfix then you can use a send-only SMTP system such as msmtp, which passes the emails on to another SMTP server for delivery.

INSTALL

This program is mainly a shell script and its configuration file.
If you have the Stow package management system then installation is easy:

    mkdir -p /usr/local/stow/adelaide
    cp -ai bin etc var /usr/local/stow/adelaide
    stow -v -d /usr/local/stow adelaide

Stow will create symbolic links in /usr/local to the real files in /usr/local/stow/adelaide. This means that you know which package the files belong to and can add or remove them easily. Stow is a single Perl script that will run on most versions of UNIX or Linux.

If you don't want to use Stow then you can copy the script and its configuration file anywhere, though I would recommend against /usr/ as that will probably interfere with your OS package manager. When you run adelaide you will need to tell it where the config file is, eg:

    adelaide --config /opt/adelaide/etc/adelaide.conf

This script will probably need to be run as the root user as there may be areas that only root can read. A cron job should be used to run this script at the desired times.

CONFIGURATION

The adelaide.conf is the configuration file for this script. Important values to check and change before running are:

    aide_bin                       - location of the AIDE program
    aide_auto_dir                  - base directory where you installed adelaide
    warning_email_to & db_email_to - where to send the emails
    report_lifetime & db_lifetime  - how long to keep report and database files

You will also need a working aide.conf, the configuration file for AIDE itself. Some settings will need to match the file locations you entered in the adelaide.conf file, such as:

    @@define TOPDIR /usr/local/stow/adelaide
    database=file://@@{TOPDIR}/var/aide/aide.db
    database_out=file://@@{TOPDIR}/var/aide/aide.db.out
    database_new=file://@@{TOPDIR}/var/aide/aide.db.new
    report_url=stdout
    gzip_dbout=no
    verbose=20

The rest of the file will be a list of files to check and what properties to check them for (eg contents, timestamps, ownership). It may need some tweaking over time to get it checking what you want (eg some hosts may use DHCP and have /etc/resolv.conf changing).
Some example aide.conf files have been included in the examples directory.

FUTURE DEVELOPMENTS

1) Use GPG or PGP to sign the database and reports to make sure that they have really been generated by the machine they claim to come from. This won't stop fake emails being sent from that machine by the root user, as we would have to include the passphrase in plain text in the script so that the secret key can be unlocked. Alternatively the gpg-agent could be used to unlock the secret key.
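The following is an added illustration, not adelaide's own script, of the housekeeping half of the cycle the PURPOSE and CONFIGURATION sections describe: a copy of the AIDE database is archived with md5sum/sha1sum checksum files (so the administrator can verify the emailed attachment), and reports and databases older than the configured lifetime are pruned from the local disk. The function names, the housekeep.sh file name and the directory layout are assumptions; the report_lifetime and db_lifetime variable names mirror the adelaide.conf settings named above. It uses only the tools listed under REQUIREMENTS (find, gzip, md5sum, sha1sum).

```shell
#!/bin/bash
# Added example (not adelaide's own code): archive the AIDE database with
# checksums and prune old reports/databases after a configurable lifetime.
# Assumed names: archive_db, prune_old_files, count_files, housekeep and the
# directory arguments; $report_lifetime / $db_lifetime follow adelaide.conf.

# Archive DB as DEST_DIR/NAME.TIMESTAMP.gz alongside .md5 and .sha1 checksum
# files, and print the archive path. The checksum files let the administrator
# verify the emailed attachment with "md5sum -c" / "sha1sum -c" from DEST_DIR.
archive_db() {
    local db="$1" dest="$2" stamp out name
    stamp=$(date +%Y%m%d-%H%M%S)
    name="$(basename "$db").$stamp.gz"
    out="$dest/$name"
    mkdir -p "$dest"
    gzip -c "$db" > "$out" || return 1
    # Written from inside $dest so the checksum files contain a bare file name.
    ( cd "$dest" && md5sum "$name" > "$name.md5" \
                 && sha1sum "$name" > "$name.sha1" ) || return 1
    printf '%s\n' "$out"
}

# Delete regular files under DIR last modified more than DAYS full days ago
# (find's -mtime +N counts whole 24-hour periods, so +30 means 31 days or older).
prune_old_files() {
    local dir="$1" days="$2"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -mtime +"$days" -exec rm -f {} +
}

# Count regular files under DIR, e.g. to report what remains after pruning.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# One housekeeping pass: archive the current database, then prune both the
# report directory and the database archive directory by their lifetimes.
housekeep() {
    local db="$1" db_dir="$2" report_dir="$3"
    report_lifetime="${report_lifetime:-30}"   # days, as set in adelaide.conf
    db_lifetime="${db_lifetime:-90}"           # days, as set in adelaide.conf
    archive_db "$db" "$db_dir" || return 1
    prune_old_files "$report_dir" "$report_lifetime"
    prune_old_files "$db_dir" "$db_lifetime"
}

# Usage (paths assumed from the Stow layout above):
#   ./housekeep.sh /usr/local/stow/adelaide/var/aide/aide.db \
#       /usr/local/stow/adelaide/var/db /usr/local/stow/adelaide/var/reports
if [ $# -eq 3 ]; then
    housekeep "$@"
fi
```

Run as root from the same cron job that runs the AIDE check, after the report and database emails have been sent, so that the copy kept on disk matches what the administrator received.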