#!/bin/sh
#
# script to update and rotate the AIDE database files and
# create a detached GPG signature to verify the database file
#
# written by Vincent Danen <vdanen-at-annvix.org>
#
# $Id: aideupdate 6662 2007-01-13 19:06:24Z vdanen $

gpg="/usr/bin/gpg"
aide="/usr/sbin/aide"
fname="aide-`hostname`-`date +%Y%m%d-%H%M%S`"
host="`hostname`"

if [ ! -d /var/lib/aide ]; then
    printf "The AIDE database directory /var/lib/aide does not exist!\n\n"
    exit 1
fi

if [ ! -d /var/lib/aide/reports ]; then
    printf "Creating /var/lib/aide/reports to store reports\n"
    mkdir /var/lib/aide/reports && chmod 0700 /var/lib/aide/reports
fi

pushd /var/lib/aide >/dev/null

# copy the old database
if [ -f aide.db ]; then
    newfile="${fname}.db"
    if [ -f aide.db.sig ]; then
        # do an integrity check
	${gpg} --verify aide.db.sig
	if [ "$?" == "1" ]; then
	    printf "************************************************************\n"
	    printf "GPG signature FAILED!  Your database has been tampered with!\n"
	    printf "************************************************************\n"
	    exit 1
	fi
    else
        printf "**************************************************************\n"
        printf "No GPG signature file found!  Your system may be compromised\n"
        printf "or incorrectly configured!  Please read man afterboot for\n"
        printf "more information on how to correctly configure AIDE on Annvix!\n"
        printf "**************************************************************\n"
        exit 1
    fi
    
    # this function signs the aide.db with gpg
    signfile() {
        unset gpgpass
        printf "\n"
        read -s -e -p "Enter AIDE passphrase for aide@${host}: " gpgpass
        printf "\n"
        echo ${gpgpass} | ${gpg} -u aide@${host} --passphrase-fd stdin --no-tty --detach-sign aide.db
        if [ "$?" == "1" ]; then
            printf "FATAL:  Error occurred when creating the signature file!\n\n"
            exit 1
        fi
    }
    
    cp -a aide.db ${newfile} 
    ${aide} --update -B "database=file:/var/lib/aide/${newfile}" -B "database_out=file:/var/lib/aide/aide.db" \
        -B "report_url=file:/var/lib/aide/reports/${fname}.report"
    # create the signature file
    [[ -f aide.db.sig ]] && rm -f aide.db.sig
    signfile
    [[ ! -f aide.db.sig ]] && {
        printf "No signature was created; bad passphrase?  Try it again.\n\n"
        signfile
    }
    [[ ! -f aide.db.sig ]] && {
        printf "FATAL: Signature was not created twice!  Something is very wrong here.\n\n"
        exit 1
    }
    printf "Database successfully signed.\n\n"
    gzip -9f ${newfile}
else
    printf "The AIDE database does not exist, can't update!\n\n"
    exit 1
fi

popd >/dev/null

exit 0