progress snapshot

2026-01-21 08:33:09 -05:00
parent 6c96f3c549
commit 1339705f9d
20 changed files with 3387 additions and 46 deletions
--- a/config/aide-init.sh
+++ b/config/aide-init.sh
@@ -0,0 +1,332 @@
+#!/bin/bash
+# Football System AIDE Database Initialization
+# Creates and initializes the file integrity monitoring database
+
+set -e
+
+echo "Initializing AIDE database..."
+
+# Ensure required directories exist
+mkdir -p /var/lib/aide
+mkdir -p /var/log/aide
+mkdir -p /etc/security
+
+# Check if AIDE configuration exists
+if [ ! -f /etc/aide.conf ]; then
+    echo "⚠️  AIDE configuration not found at /etc/aide.conf"
+    echo "Please ensure aide.conf is properly installed before running this script"
+    exit 1
+fi
+
+# Set proper permissions for AIDE directories
+chown root:root /var/lib/aide
+chmod 700 /var/lib/aide
+
+chown root:root /var/log/aide
+chmod 750 /var/log/aide
+
+# Create log files with proper permissions
+touch /var/log/aide/aide.log
+touch /var/log/aide/aide_check.log
+touch /var/log/aide/aide_error.log
+
+chown root:adm /var/log/aide/*.log
+chmod 640 /var/log/aide/*.log
+
+# Check if this is the first run
+FIRST_RUN=false
+if [ ! -f /var/lib/aide/aide.db ]; then
+    echo "First-time AIDE database initialization detected"
+    FIRST_RUN=true
+fi
+
+# Initialize AIDE database
+echo "Creating AIDE database..."
+if aide --init; then
+    echo "✅ AIDE database created successfully"
+else
+    echo "❌ AIDE database initialization failed"
+    exit 1
+fi
+
+# Move new database to active location
+if [ -f /var/lib/aide/aide.db.new ]; then
+    mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
+    echo "✅ AIDE database activated"
+fi
+
+# Set secure permissions on database
+chown root:root /var/lib/aide/aide.db
+chmod 600 /var/lib/aide/aide.db
+
+# Create AIDE check script
+cat > /usr/local/bin/aide-check.sh << 'EOF'
+#!/bin/bash
+# Football System - AIDE Integrity Check
+# Automated file integrity monitoring script
+
+LOGFILE="/var/log/aide/aide_check.log"
+ERRORFILE="/var/log/aide/aide_error.log"
+DBFILE="/var/lib/aide/aide.db"
+REPORTFILE="/var/log/aide/aide_report_$(date +%Y%m%d_%H%M%S).txt"
+
+# Function to log messages
+log_message() {
+    local level=$1
+    local message=$2
+    echo "$(date '+%Y-%m-%d %H:%M:%S') [$level] $message" | tee -a "$LOGFILE"
+}
+
+# Function to send alerts
+send_alert() {
+    local message="$1"
+    # Log to system log for security team monitoring
+    logger -t "aide-check" -p auth.alert "$message"
+    
+    # If email is configured, send alert
+    if command -v mail >/dev/null 2>&1 && [ -n "$SECURITY_EMAIL" ]; then
+        echo "$message" | mail -s "AIDE Integrity Alert - Football System" "$SECURITY_EMAIL"
+    fi
+}
+
+# Check if AIDE database exists
+if [ ! -f "$DBFILE" ]; then
+    log_message "ERROR" "AIDE database not found at $DBFILE"
+    send_alert "CRITICAL: AIDE database missing - File integrity monitoring compromised"
+    exit 1
+fi
+
+log_message "INFO" "Starting AIDE integrity check"
+
+# Run AIDE check
+if aide --check --config /etc/aide.conf > "$REPORTFILE" 2>>"$ERRORFILE"; then
+    log_message "INFO" "AIDE check completed - No changes detected"
+    
+    # Clean up empty report file
+    [ -s "$REPORTFILE" ] || rm -f "$REPORTFILE"
+else
+    local exit_code=$?
+    log_message "WARNING" "AIDE check completed with exit code $exit_code"
+    
+    # Check if report file has content (actual changes detected)
+    if [ -s "$REPORTFILE" ]; then
+        log_message "ALERT" "File integrity changes detected - See report: $REPORTFILE"
+        send_alert "SECURITY ALERT: File integrity changes detected on Football System. Review $REPORTFILE"
+        
+        # Log summary of changes
+        local changed_files=$(grep -c "^changed:" "$REPORTFILE" 2>/dev/null || echo "0")
+        local added_files=$(grep -c "^added:" "$REPORTFILE" 2>/dev/null || echo "0")
+        local removed_files=$(grep -c "^removed:" "$REPORTFILE" 2>/dev/null || echo "0")
+        
+        log_message "ALERT" "Summary: $added_files added, $changed_files changed, $removed_files removed"
+    else
+        log_message "ERROR" "AIDE check failed - See error log: $ERRORFILE"
+        send_alert "ERROR: AIDE integrity check failed on Football System"
+    fi
+fi
+
+# Cleanup old reports (keep last 30 days)
+find /var/log/aide -name "aide_report_*.txt" -mtime +30 -delete 2>/dev/null
+
+log_message "INFO" "AIDE integrity check completed"
+EOF
+
+# Make the check script executable
+chmod 750 /usr/local/bin/aide-check.sh
+chown root:root /usr/local/bin/aide-check.sh
+
+# Create AIDE update script
+cat > /usr/local/bin/aide-update.sh << 'EOF'
+#!/bin/bash
+# Football System - AIDE Database Update
+# Updates AIDE database after legitimate system changes
+
+LOGFILE="/var/log/aide/aide_update.log"
+DBFILE="/var/lib/aide/aide.db"
+NEWDBFILE="/var/lib/aide/aide.db.new"
+
+# Function to log messages
+log_message() {
+    local level=$1
+    local message=$2
+    echo "$(date '+%Y-%m-%d %H:%M:%S') [$level] $message" | tee -a "$LOGFILE"
+}
+
+# Check for valid update reason
+if [ $# -eq 0 ]; then
+    echo "Usage: $0 <reason>"
+    echo "Example: $0 'System package updates'"
+    echo "Example: $0 'Configuration change for service X'"
+    exit 1
+fi
+
+REASON="$1"
+log_message "INFO" "Starting AIDE database update - Reason: $REASON"
+
+# Create backup of current database
+if [ -f "$DBFILE" ]; then
+    cp "$DBFILE" "${DBFILE}.backup_$(date +%Y%m%d_%H%M%S)"
+    log_message "INFO" "Created backup of current database"
+fi
+
+# Run AIDE update
+log_message "INFO" "Updating AIDE database..."
+if aide --update --config /etc/aide.conf; then
+    # Activate new database
+    if [ -f "$NEWDBFILE" ]; then
+        mv "$NEWDBFILE" "$DBFILE"
+        log_message "INFO" "AIDE database updated and activated successfully"
+        
+        # Set proper permissions
+        chmod 600 "$DBFILE"
+        chown root:root "$DBFILE"
+        
+        log_message "INFO" "Database update completed - Reason: $REASON"
+    else
+        log_message "ERROR" "AIDE update completed but new database not found"
+        exit 1
+    fi
+else
+    log_message "ERROR" "AIDE database update failed"
+    exit 1
+fi
+
+# Run a quick check to verify database
+log_message "INFO" "Verifying updated database..."
+if aide --check --config /etc/aide.conf >/dev/null 2>&1; then
+    log_message "INFO" "Database verification successful"
+else
+    log_message "WARNING" "Database verification shows differences (expected after update)"
+fi
+
+log_message "INFO" "AIDE database update process completed"
+EOF
+
+# Make the update script executable
+chmod 750 /usr/local/bin/aide-update.sh
+chown root:root /usr/local/bin/aide-update.sh
+
+# Create AIDE cron configuration
+cat > /etc/cron.d/aide-check << 'EOF'
+# Football System - AIDE Integrity Monitoring
+# Run AIDE checks every 6 hours (4 times daily)
+
+# Hourly quick check (only critical files)
+5 * * * * root /usr/local/bin/aide-check.sh --critical >/dev/null 2>&1
+
+# Full integrity check every 6 hours
+5 0,6,12,18 * * * root /usr/local/bin/aide-check.sh >/dev/null 2>&1
+
+# Weekly database maintenance
+5 3 * * 0 root /usr/local/bin/aide-update.sh "Scheduled weekly maintenance" >/dev/null 2>&1
+EOF
+
+# Set proper permissions on cron configuration
+chmod 644 /etc/cron.d/aide-check
+chown root:root /etc/cron.d/aide-check
+
+# Create systemd service for AIDE monitoring
+cat > /etc/systemd/system/aide-check.service << 'EOF'
+[Unit]
+Description=AIDE File Integrity Check
+Documentation=man:aide(8)
+After=auditd.service
+Wants=auditd.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/aide-check.sh
+StandardOutput=journal
+StandardError=journal
+
+# Security settings
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=/var/log/aide
+PrivateTmp=yes
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Create systemd timer for periodic checks
+cat > /etc/systemd/system/aide-check.timer << 'EOF'
+[Unit]
+Description=Run AIDE integrity checks every 6 hours
+Requires=aide-check.service
+
+[Timer]
+OnCalendar=*-*-* 0,6,12,18:05:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
+EOF
+
+# Enable and start the timer
+systemctl daemon-reload
+systemctl enable aide-check.timer
+systemctl start aide-check.timer
+
+# Create AIDE log rotation configuration
+cat > /etc/logrotate.d/aide << 'EOF'
+# Football System - AIDE Log Rotation
+
+/var/log/aide/*.log {
+    daily
+    rotate 90
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+    sharedscripts
+    postrotate
+        systemctl reload rsyslog >/dev/null 2>&1 || true
+    endscript
+}
+
+/var/log/aide/aide_report_*.txt {
+    daily
+    rotate 30
+    compress
+    delaycompress
+    missingok
+    notifempty
+    create 0640 root adm
+}
+EOF
+
+# Set proper permissions
+chmod 644 /etc/logrotate.d/aide
+chown root:root /etc/logrotate.d/aide
+
+# Run initial AIDE check
+if [ "$FIRST_RUN" = "true" ]; then
+    echo "Running initial AIDE integrity check..."
+    if /usr/local/bin/aide-check.sh; then
+        echo "✅ Initial AIDE check completed successfully"
+    else
+        echo "⚠️  Initial AIDE check completed with warnings (expected for new system)"
+    fi
+else
+    echo "✅ AIDE database updated successfully"
+fi
+
+echo ""
+echo "AIDE Configuration Summary:"
+echo "- Database location: /var/lib/aide/aide.db"
+echo "- Log directory: /var/log/aide/"
+echo "- Check script: /usr/local/bin/aide-check.sh"
+echo "- Update script: /usr/local/bin/aide-update.sh"
+echo "- Systemd timer: aide-check.timer (runs every 6 hours)"
+echo "- Cron backup: /etc/cron.d/aide-check"
+echo ""
+echo "Manual commands:"
+echo "- Run integrity check: aide-check.sh"
+echo "- Update database: aide-update.sh '<reason>'"
+echo "- Check service status: systemctl status aide-check.timer"
+echo "- View logs: journalctl -u aide-check.service"
+echo ""
+echo "✅ AIDE initialization and configuration completed"