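#!/bin/bash
# Football System AIDE Database Initialization
#
# Creates and initializes the file integrity monitoring database, installs the
# check/update helper scripts and wires up the systemd timer, the cron fallback
# and log rotation.
#
# Usage: run as root, after /etc/aide.conf has been installed.
#
# Re-running this script re-baselines the database: the current state of the
# filesystem becomes the new reference. Review any open integrity findings
# before doing that, otherwise they are silently accepted.
set -euo pipefail

readonly AIDE_CONF="/etc/aide.conf"
readonly AIDE_DB_DIR="/var/lib/aide"
readonly AIDE_LOG_DIR="/var/log/aide"
readonly AIDE_DB="${AIDE_DB_DIR}/aide.db"
readonly CHECK_SCRIPT="/usr/local/bin/aide-check.sh"
readonly UPDATE_SCRIPT="/usr/local/bin/aide-update.sh"

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Create the database/log directories with restrictive ownership and modes, and
# pre-create the log files so they get 640 root:adm regardless of umask.
prepare_directories() {
  mkdir -p "$AIDE_DB_DIR" "$AIDE_LOG_DIR" /etc/security

  # Nobody but root may read the database directory: the database reveals
  # exactly which files are monitored, and write access would let an attacker
  # silence the monitor.
  chown root:root "$AIDE_DB_DIR"
  chmod 700 "$AIDE_DB_DIR"
  chown root:root "$AIDE_LOG_DIR"
  chmod 750 "$AIDE_LOG_DIR"

  # aide_update.log is written by aide-update.sh; create it here so it gets the
  # same mode as the other logs instead of whatever umask applies at first use.
  local log
  for log in aide.log aide_check.log aide_error.log aide_update.log; do
    touch "${AIDE_LOG_DIR}/${log}"
  done
  chown root:adm "$AIDE_LOG_DIR"/*.log
  chmod 640 "$AIDE_LOG_DIR"/*.log
}

# Write the scheduled integrity check script.
install_check_script() {
  cat > "$CHECK_SCRIPT" << 'EOF'
#!/bin/bash
# Football System - AIDE Integrity Check
# Automated file integrity monitoring script.
#
# Writes a timestamped report to /var/log/aide when aide reports differences,
# logs a one-line summary and raises an alert via syslog (and via mail when
# SECURITY_EMAIL is set in the environment of the invoking cron job or systemd
# unit - neither sets it by default).
#
# Exit status: 0 when no changes were found (or another check already held the
# lock), 1 when changes were found or the check itself failed.

# New files (reports, lock file) must not be world-readable: a report is a list
# of exactly which files changed.
umask 027

LOGFILE="/var/log/aide/aide_check.log"
ERRORFILE="/var/log/aide/aide_error.log"
DBFILE="/var/lib/aide/aide.db"
CONFIG="/etc/aide.conf"
# Lives under /var/log/aide because that is the only writable path the systemd
# unit grants.
LOCKFILE="/var/log/aide/.aide-check.lock"
REPORTFILE="/var/log/aide/aide_report_$(date +%Y%m%d_%H%M%S).txt"

# Log a timestamped message to the check log and to stdout.
# Arguments: $1 - level (INFO/WARNING/ALERT/ERROR), $2 - message
log_message() {
  local level="$1"
  local message="$2"
  printf '%s [%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$level" "$message" | tee -a "$LOGFILE"
}

# Raise an alert: always to syslog (auth.alert, for the security team's log
# collector), and by mail when both mail(1) and SECURITY_EMAIL are available.
# Arguments: $1 - alert text
send_alert() {
  local message="$1"
  logger -t "aide-check" -p auth.alert "$message"
  if command -v mail >/dev/null 2>&1 && [[ -n "${SECURITY_EMAIL:-}" ]]; then
    printf '%s\n' "$message" | mail -s "AIDE Integrity Alert - Football System" "$SECURITY_EMAIL"
  fi
}

# The systemd timer and the cron fallback fire at the same minute; make sure
# only one aide process walks the filesystem at a time. If flock(1) is not
# installed the check simply runs unlocked.
exec 9>"$LOCKFILE"
if command -v flock >/dev/null 2>&1 && ! flock -n 9; then
  log_message "WARNING" "Another AIDE check is already running - skipping this run"
  exit 0
fi

if [[ ! -f "$DBFILE" ]]; then
  log_message "ERROR" "AIDE database not found at $DBFILE"
  send_alert "CRITICAL: AIDE database missing - File integrity monitoring compromised"
  exit 1
fi

log_message "INFO" "Starting AIDE integrity check"

# Capture aide's status explicitly (a 'local' at top level, as before, fails and
# leaves the code unset); it is needed for the log line and the exit status.
aide --check --config "$CONFIG" > "$REPORTFILE" 2>>"$ERRORFILE"
exit_code=$?

if [[ "$exit_code" -eq 0 ]]; then
  log_message "INFO" "AIDE check completed - No changes detected"
  # Nothing worth keeping when the report is empty
  [[ -s "$REPORTFILE" ]] || rm -f "$REPORTFILE"
else
  log_message "WARNING" "AIDE check completed with exit code $exit_code"
  if [[ -s "$REPORTFILE" ]]; then
    log_message "ALERT" "File integrity changes detected - See report: $REPORTFILE"
    send_alert "SECURITY ALERT: File integrity changes detected on Football System. Review $REPORTFILE"
    # grep -c prints 0 itself on no match (exit 1), so appending an extra "0"
    # via '|| echo' would corrupt the count; only an unreadable file leaves it
    # empty, which is defaulted below.
    # NOTE(review): these patterns match the "added:/removed:/changed:" report
    # lines; confirm against the report format of the installed aide version.
    added_files=$(grep -c "^added:" "$REPORTFILE" 2>/dev/null || true)
    changed_files=$(grep -c "^changed:" "$REPORTFILE" 2>/dev/null || true)
    removed_files=$(grep -c "^removed:" "$REPORTFILE" 2>/dev/null || true)
    log_message "ALERT" "Summary: ${added_files:-0} added, ${changed_files:-0} changed, ${removed_files:-0} removed"
  else
    log_message "ERROR" "AIDE check failed - See error log: $ERRORFILE"
    send_alert "ERROR: AIDE integrity check failed on Football System"
  fi
fi

# Cleanup old reports (keep last 30 days)
find /var/log/aide -name "aide_report_*.txt" -mtime +30 -delete 2>/dev/null

log_message "INFO" "AIDE integrity check completed"

# Propagate a non-zero status so systemd marks the unit failed when something
# was found or went wrong; this is visible in systemctl status.
if [[ "$exit_code" -eq 0 ]]; then
  exit 0
fi
exit 1
EOF
  chmod 750 "$CHECK_SCRIPT"
  chown root:root "$CHECK_SCRIPT"
}

# Write the manual database re-baseline script.
install_update_script() {
  cat > "$UPDATE_SCRIPT" << 'EOF'
#!/bin/bash
# Football System - AIDE Database Update
# Re-baselines the AIDE database after legitimate system changes.
#
# Everything currently on disk becomes the new reference, including any
# unauthorised change that has not yet been reviewed: run aide-check.sh and read
# its report before updating. The previous database is kept as a timestamped
# aide.db.backup_* file so the two can be compared afterwards.
#
# Usage: aide-update.sh <reason>

# Backups of the database must stay root-only.
umask 077

LOGFILE="/var/log/aide/aide_update.log"
DBFILE="/var/lib/aide/aide.db"
NEWDBFILE="/var/lib/aide/aide.db.new"
CONFIG="/etc/aide.conf"

# Log a timestamped message to the update log and to stdout.
# Arguments: $1 - level, $2 - message
log_message() {
  local level="$1"
  local message="$2"
  printf '%s [%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$level" "$message" | tee -a "$LOGFILE"
}

# A reason is mandatory so the update log doubles as a change record.
if [[ $# -eq 0 || -z "$1" ]]; then
  echo "Usage: $0 <reason>" >&2
  echo "Example: $0 'System package updates'" >&2
  echo "Example: $0 'Configuration change for service X'" >&2
  exit 1
fi

REASON="$1"
log_message "INFO" "Starting AIDE database update - Reason: $REASON"

# Keep the old database for later comparison / forensics
if [[ -f "$DBFILE" ]]; then
  BACKUP="${DBFILE}.backup_$(date +%Y%m%d_%H%M%S)"
  # -p keeps the 600 root:root mode of the original on the copy
  cp -p "$DBFILE" "$BACKUP"
  log_message "INFO" "Created backup of current database at $BACKUP"
fi

log_message "INFO" "Updating AIDE database..."
# Per aide(1) EXIT STATUS, --update returns 1-7 when it found differences - the
# normal case for a re-baseline - and larger codes for real errors. Treating any
# non-zero status as failure (as before) aborted exactly the updates that were
# needed.
aide --update --config "$CONFIG"
update_rc=$?
if [[ "$update_rc" -gt 7 ]]; then
  log_message "ERROR" "AIDE database update failed (exit code $update_rc)"
  exit 1
elif [[ "$update_rc" -ne 0 ]]; then
  log_message "INFO" "AIDE reported differences while rebuilding the database (exit code $update_rc)"
fi

if [[ ! -f "$NEWDBFILE" ]]; then
  log_message "ERROR" "AIDE update completed but new database not found at $NEWDBFILE"
  exit 1
fi

# Lock the new file down before it becomes the active database so there is no
# window in which the live database has loose permissions.
chmod 600 "$NEWDBFILE"
chown root:root "$NEWDBFILE"
mv -f "$NEWDBFILE" "$DBFILE"
log_message "INFO" "AIDE database updated and activated successfully"
log_message "INFO" "Database update completed - Reason: $REASON"

# A check against the freshly written database should be clean; anything else
# means files changed in between or the wrong database was activated.
log_message "INFO" "Verifying updated database..."
if aide --check --config "$CONFIG" >/dev/null 2>&1; then
  log_message "INFO" "Database verification successful"
else
  log_message "WARNING" "Database verification reported differences right after the update - run aide-check.sh and review the report"
fi

log_message "INFO" "AIDE database update process completed"
EOF
  chmod 750 "$UPDATE_SCRIPT"
  chown root:root "$UPDATE_SCRIPT"
}

# Write the cron fallback for hosts where the systemd timer is not running.
install_cron() {
  cat > /etc/cron.d/aide-check << 'EOF'
# Football System - AIDE Integrity Monitoring
#
# Fallback for the aide-check.timer systemd unit. Both fire at :05; the check
# script takes a lock so only one aide process runs at a time.
# Set SECURITY_EMAIL here to enable mail alerts from the cron runs, e.g.
#SECURITY_EMAIL=<security-team-address>

# Full integrity check every 6 hours (4 times daily). The check script has no
# reduced "critical files only" mode, so there is no separate hourly run.
5 0,6,12,18 * * * root /usr/local/bin/aide-check.sh >/dev/null 2>&1

# Weekly re-baseline. NOTE: this accepts every change made during the week as
# the new reference without review; comment it out if findings must be reviewed
# before the baseline moves.
5 3 * * 0 root /usr/local/bin/aide-update.sh "Scheduled weekly maintenance" >/dev/null 2>&1
EOF
  chmod 644 /etc/cron.d/aide-check
  chown root:root /etc/cron.d/aide-check
}

# Write the systemd service and timer that drive the scheduled checks.
install_systemd_units() {
  cat > /etc/systemd/system/aide-check.service << 'EOF'
[Unit]
Description=AIDE File Integrity Check
Documentation=man:aide(8)
After=auditd.service
Wants=auditd.service

[Service]
Type=oneshot
ExecStart=/usr/local/bin/aide-check.sh
StandardOutput=journal
StandardError=journal
# Add an Environment=SECURITY_EMAIL=... line (or a drop-in) to enable mail
# alerts; note that mail(1) may be unable to spool under ProtectSystem=strict.

# Security settings - the checker only needs to read the filesystem.
NoNewPrivileges=yes
ProtectSystem=strict
# read-only rather than yes: with ProtectHome=yes, /home and /root appear empty
# to aide and every monitored file there would be reported as removed.
ProtectHome=read-only
# Reports, the check log and the lock file live here; nothing else is written.
ReadWritePaths=/var/log/aide
# /tmp is not visible to aide under PrivateTmp - keep it excluded in aide.conf.
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF

  cat > /etc/systemd/system/aide-check.timer << 'EOF'
[Unit]
Description=Run AIDE integrity checks every 6 hours
Requires=aide-check.service

[Timer]
# Same schedule as the cron fallback in /etc/cron.d/aide-check
OnCalendar=*-*-* 0,6,12,18:05:00
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# Write the logrotate policy for the AIDE logs.
install_logrotate() {
  cat > /etc/logrotate.d/aide << 'EOF'
# Football System - AIDE Log Rotation
#
# The scripts append with tee, so no process holds these files open and no
# postrotate reload is needed. Report files (aide_report_*.txt) are written once
# and pruned by aide-check.sh after 30 days; they are deliberately not rotated,
# as rotation would rename them (breaking the paths quoted in alerts) and leave
# empty placeholder files behind.
/var/log/aide/*.log {
    daily
    rotate 90
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
}
EOF
  chmod 644 /etc/logrotate.d/aide
  chown root:root /etc/logrotate.d/aide
}

# Run aide --init and move the resulting database into the active location.
# Called after the helper files are installed so they are part of the baseline.
build_database() {
  echo "Creating AIDE database..."
  # Same config file the helper scripts use, so baseline and checks agree.
  if ! aide --init --config "$AIDE_CONF"; then
    die "❌ AIDE database initialization failed"
  fi
  echo "✅ AIDE database created successfully"

  if [[ -f "${AIDE_DB}.new" ]]; then
    # Lock the file down before it becomes the active database
    chown root:root "${AIDE_DB}.new"
    chmod 600 "${AIDE_DB}.new"
    mv -f "${AIDE_DB}.new" "$AIDE_DB"
    echo "✅ AIDE database activated"
  elif [[ ! -f "$AIDE_DB" ]]; then
    die "❌ aide --init reported success but ${AIDE_DB}.new was not written - check database_out in ${AIDE_CONF}"
  fi

  chown root:root "$AIDE_DB"
  chmod 600 "$AIDE_DB"
}

# Print where everything was installed and how to operate it.
print_summary() {
  echo ""
  echo "AIDE Configuration Summary:"
  echo "- Database location: ${AIDE_DB}"
  echo "- Log directory: ${AIDE_LOG_DIR}/"
  echo "- Check script: ${CHECK_SCRIPT}"
  echo "- Update script: ${UPDATE_SCRIPT}"
  echo "- Systemd timer: aide-check.timer (runs every 6 hours)"
  echo "- Cron backup: /etc/cron.d/aide-check"
  echo ""
  echo "Manual commands:"
  echo "- Run integrity check: aide-check.sh"
  echo "- Update database: aide-update.sh '<reason>'"
  echo "- Check service status: systemctl status aide-check.timer"
  echo "- View logs: journalctl -u aide-check.service"
  echo ""
  echo "✅ AIDE initialization and configuration completed"
}

main() {
  echo "Initializing AIDE database..."

  # Everything below writes root-owned files under /etc, /usr/local and /var.
  [[ "$(id -u)" -eq 0 ]] || die "❌ This script must be run as root"
  command -v aide >/dev/null 2>&1 || die "❌ aide is not installed or not in PATH"
  if [[ ! -f "$AIDE_CONF" ]]; then
    echo "⚠️ AIDE configuration not found at ${AIDE_CONF}" >&2
    die "Please ensure aide.conf is properly installed before running this script"
  fi

  FIRST_RUN=false
  if [[ ! -f "$AIDE_DB" ]]; then
    echo "First-time AIDE database initialization detected"
    FIRST_RUN=true
  fi

  prepare_directories
  install_check_script
  install_update_script
  install_cron
  install_systemd_units
  install_logrotate

  # The baseline is built after the helper files exist so that the first check
  # does not report them as additions.
  build_database

  systemctl daemon-reload
  systemctl enable aide-check.timer
  systemctl start aide-check.timer

  if [[ "$FIRST_RUN" == "true" ]]; then
    echo "Running initial AIDE integrity check..."
    if "$CHECK_SCRIPT"; then
      echo "✅ Initial AIDE check completed successfully"
    else
      echo "⚠️ Initial AIDE check reported findings - review the latest report in ${AIDE_LOG_DIR}/"
    fi
  else
    echo "✅ AIDE database updated successfully"
  fi

  print_summary
}

main "$@"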