Adding AIDE to HIDS tools

roles/Sharingan/files/aide/base.conf

@@ -0,0 +1,146 @@
+# Example configuration file for AIDE.
+# More information about configuration options available in the aide.conf manpage.
+@@define DBDIR /var/lib/aide
+@@define LOGDIR /var/log/aide
+
+# The location of the database to be read.
+database_in=file:@@{DBDIR}/aide.db.gz
+
+# The location of the database to be written.
+#database_out=sql:host:port:database:login_name:passwd:table
+#database_out=file:aide.db.new
+database_out=file:@@{DBDIR}/aide.db.new.gz
+
+# Whether to gzip the output to database
+gzip_dbout=yes
+
+# Default.
+log_level=warning
+report_level=changed_attributes
+
+report_url=file:@@{LOGDIR}/aide.log
+report_url=stdout
+#report_url=stderr
+#
+# Here are all the attributes we can check
+#p:       permissions
+#i:       inode
+#n:       number of links
+#l:       link name
+#u:       user
+#g:       group
+#s:       size
+###b:        block count
+#m:       mtime
+#a:       atime
+#c:       ctime
+#S:       check for growing size
+#I:       ignore changed filename
+#ANF:     allow new files
+#ARF:     allow removed files
+#
+
+# Here are all the digests we can use
+#md5:           md5 checksum
+#sha1:          sha1 checksum
+#sha256:        sha256 checksum
+#sha512:        sha512 checksum
+#rmd160:        rmd160 checksum
+#tiger:         tiger checksum
+#haval:         haval checksum
+#crc32:         crc32 checksum
+#gost:          gost checksum
+#whirlpool:     whirlpool checksum
+
+# These are the default rules
+#R:             p+i+l+n+u+g+s+m+c+md5
+#L:             p+i+l+n+u+g
+#E:             Empty group
+#>:             Growing logfile p+l+u+g+i+n+S
+
+# You can create custom rules - my home made rule definition goes like this
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+# Everything but access time (Ie. all changes)
+EVERYTHING = R+ALLXTRAHASHES
+
+# Sane, with multiple hashes
+# NORMAL = R+rmd160+sha256+whirlpool
+NORMAL = R+rmd160+sha256
+
+# For directories, don't bother doing hashes
+DIR = p+i+n+u+g+acl+xattrs
+
+# Access control only
+PERMS = p+i+u+g+acl
+
+# Logfile are special, in that they often change
+LOG = >
+
+# Just do md5 and sha256 hashes
+LSPP = R+sha256
+
+# Some files get updated automatically, so the inode/ctime/mtime change
+# but we want to know when the data inside them changes
+DATAONLY =  p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
+
+
+# Next decide what directories/files you want in the database.
+
+/boot   NORMAL
+/bin    NORMAL
+/sbin   NORMAL
+/lib    NORMAL
+/lib64  NORMAL
+/opt    NORMAL
+/usr    NORMAL
+/root   NORMAL
+# These are too volatile
+!/usr/src
+!/usr/tmp
+
+# Check only permissions, inode, user and group for /etc, but
+# cover some important files closely.
+/etc    PERMS
+!/etc/mtab
+# Ignore backup files
+!/etc/.*~
+/etc/exports  NORMAL
+/etc/fstab    NORMAL
+/etc/passwd   NORMAL
+/etc/group    NORMAL
+/etc/gshadow  NORMAL
+/etc/shadow   NORMAL
+/etc/security/opasswd   NORMAL
+
+/etc/hosts.allow   NORMAL
+/etc/hosts.deny    NORMAL
+
+/etc/sudoers NORMAL
+/etc/skel NORMAL
+
+/etc/logrotate.d NORMAL
+
+/etc/resolv.conf DATAONLY
+
+/etc/nscd.conf NORMAL
+/etc/securetty NORMAL
+
+# Shell/X starting files
+/etc/profile NORMAL
+/etc/bashrc NORMAL
+/etc/bash_completion.d/ NORMAL
+/etc/login.defs NORMAL
+/etc/zprofile NORMAL
+/etc/zshrc NORMAL
+/etc/zlogin NORMAL
+/etc/zlogout NORMAL
+/etc/profile.d/ NORMAL
+/etc/X11/ NORMAL
+
+# Ignore logs
+!/var/lib/pacman/.*
+!/var/cache/.*
+!/var/log/.*
+!/var/run/.*
+!/var/spool/.*

roles/Sharingan/files/aide/yggdrasil.conf

@@ -0,0 +1,89 @@
+# Example configuration file for AIDE.
+# More information about configuration options available in the aide.conf manpage.
+@@define DBDIR /home/yggdrasil/.aide
+@@define LOGDIR @@{DBDIR}
+
+# The location of the database to be read.
+database_in=file:@@{DBDIR}/aide.db.gz
+database_out=file:@@{DBDIR}/aide.new.db.gz
+
+# The location of the database to be written.
+#database_out=sql:host:port:database:login_name:passwd:table
+#database_out=file:aide.db.new
+# Whether to gzip the output to database
+gzip_dbout=yes
+
+# Default.
+log_level=warning
+report_level=changed_attributes
+
+report_url=file:@@{LOGDIR}/aide.log
+report_url=stdout
+#report_url=stderr
+#
+# Here are all the attributes we can check
+#p:       permissions
+#i:       inode
+#n:       number of links
+#l:       link name
+#u:       user
+#g:       group
+#s:       size
+###b:        block count
+#m:       mtime
+#a:       atime
+#c:       ctime
+#S:       check for growing size
+#I:       ignore changed filename
+#ANF:     allow new files
+#ARF:     allow removed files
+#
+
+# Here are all the digests we can use
+#md5:           md5 checksum
+#sha1:          sha1 checksum
+#sha256:        sha256 checksum
+#sha512:        sha512 checksum
+#rmd160:        rmd160 checksum
+#tiger:         tiger checksum
+#haval:         haval checksum
+#crc32:         crc32 checksum
+#gost:          gost checksum
+#whirlpool:     whirlpool checksum
+
+# These are the default rules
+#R:             p+i+l+n+u+g+s+m+c+md5
+#L:             p+i+l+n+u+g
+#E:             Empty group
+#>:             Growing logfile p+l+u+g+i+n+S
+
+# You can create custom rules - my home made rule definition goes like this
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+# Everything but access time (Ie. all changes)
+EVERYTHING = R+ALLXTRAHASHES
+
+# Sane, with multiple hashes
+# NORMAL = R+rmd160+sha256+whirlpool
+NORMAL = R+rmd160+sha256
+
+# For directories, don't bother doing hashes
+DIR = p+i+n+u+g+acl+xattrs
+
+# Access control only
+PERMS = p+i+u+g+acl
+
+# Logfile are special, in that they often change
+LOG = >
+
+# Just do md5 and sha256 hashes
+LSPP = R+sha256
+
+# Some files get updated automatically, so the inode/ctime/mtime change
+# but we want to know when the data inside them changes
+DATAONLY =  p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
+
+
+# Next decide what directories/files you want in the database.
+/home/yggdrasil/ NORMAL
+!/home/yggdrasil/.aide$

roles/Sharingan/package/LICENSE

@@ -0,0 +1,31 @@
+# http://www.wtfpl.net/about/
+
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+                    Version 2, December 2004
+
+ Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
+
+ Everyone is permitted to copy and distribute verbatim or modified
+ copies of this license document, and changing it is allowed as long
+ as the name is changed.
+
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. You just DO WHAT THE FUCK YOU WANT TO.
+
+                        ANINIX ADDENDUM
+
+ Trademark 2017 (https://aninix.net/)
+
+ The "AniNIX" name and |> logo are trademarked as of 2017/11/21.
+ AniNIX materials may be reproduced and re-used (though you must
+ contact the admins of the network to get written permission to use
+ the AniNIX name or logo) so long as such reproduction or re-use
+ does not inhibit the original AniNIX use of the same.
+
+ Attribution is appreciated for other materials but not legally
+ required or necessary.
+
+ "AniNIX" trademark serial: 87177883
+ |> Logo trademark serial: 87177887

roles/Sharingan/package/Makefile

@@ -0,0 +1,22 @@
+compile:
+	@echo Nothing to do
+
+install:
+	mkdir -p ${pkgdir}/usr/local/sbin/
+	for i in aidecheck aideinit; do install -m 0750 -o root -g http $$i ${pkgdir}/usr/local/sbin/; done
+
+test: compile
+	@echo Nothing to do
+
+clean:
+	git clean -fX
+	git clean -fd
+
+diff:
+	@echo Nothing to do.
+
+reverse:
+	@echo Nothing to do.
+
+checkperm:
+	@echo Nothing to do.

roles/Sharingan/package/PKGBUILD

@@ -0,0 +1,46 @@
+depends=('bash>=4.4' 'aide')
+makedepends=('make>=4.2')
+checkdepends=()
+optdepends=()
+pkgname="sharingan-scripts"
+pkgver="$(git describe --tag --abbrev=0)"."$(git rev-parse --short HEAD)"
+pkgrel=1
+pkgrel() {
+    echo $(( `git log "$(git describe --tag --abbrev=0)"..HEAD | grep -c commit` + 1 ))
+}
+epoch="$(git log | grep -c commit)"
+pkgdesc="$(head -n 1 README.md)"
+arch=("x86_64")
+url="$(git config remote.origin.url | sed 's/.git$//')"
+license=('custom')
+groups=()
+provides=("${pkgname}")
+conflicts=()
+replaces=("${pkgname,,}", "aninix-${pkgname,,}")
+backup=()
+options=()
+install=
+changelog=
+source=()
+noextract=()
+md5sums=()
+validpgpkeys=()
+
+prepare() {
+    git pull
+}
+
+build() {
+    make -C ..
+}
+
+check() {
+    chmod -R u+r ../pkg
+	make -C .. test
+}
+
+package() {
+    export pkgdir="${pkgdir}"
+	make -C .. install
+    install -D -m644 ../../../../LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+}

roles/Sharingan/package/README.md

@@ -0,0 +1,4 @@
+This is a collection of scripts we use for managing HIDS data.
+
+1. aideinit: Initialize, record, and sign a database
+1. aidecheck: Verify there are no discrepancies from a database

roles/Sharingan/package/aidecheck

@@ -0,0 +1,59 @@
+#!/usr/bin/bash
+
+# File: aidecheck
+#
+# Description: This script checks a signed AIDE DB.
+#
+# Package: AniNIX/Sharingan
+# Copyright: WTFPL
+#
+# Author: DarkFeather <ircs://aninix.net:6697/DarkFeather>
+
+function usage() {
+    echo "Usage: $0 [ config reference ]"
+    exit $1
+}
+
+function main() {
+    ### Initialize the DB
+    base="$1"
+    dbdir="$(grep -m 1 -E '^@@define DBDIR' "$base" | cut -f 3 -d ' ')"
+    dbin="$(grep -m 1 -E '^database_in' "$base" | cut -f 2 -d '=' | sed "s#file:...DBDIR.#${dbdir}#")"
+    dbout="$(grep -m 1 -E '^database_out' "$base" | cut -f 2 -d '=' | sed "s#file:...DBDIR.#${dbdir}#")"
+
+    set -x
+
+    if ! gpg --verify "$dbin".sig "$dbin"; then
+        echo "$dbin doesn't match signature."
+        exit 1
+    fi
+
+    sudo aide -c "$base" -C
+
+}
+
+### MAIN
+if [ `basename "$0"` == "aidecheck" ]; then
+
+    # Allow -h for helptext
+    if [ "$1" == '-h' ]; then
+        echo "Checks an AIDE DB"
+        usage 0
+    else
+
+        # Find the config
+        if [ -z "${1}" ]; then
+            base='/etc/aide.conf'
+        else
+            base="/etc/aide/${1}.conf"
+        fi
+        if [ -f "$base" ]; then
+            main "$base"
+        else
+
+            # If it doesn't, explain and exit.
+            echo "$base does not exist"
+            usage 1
+        fi
+    fi
+fi

roles/Sharingan/package/aideinit

@@ -0,0 +1,59 @@
+#!/usr/bin/bash
+
+# File: aideinit
+#
+# Description: This script initializes an AIDE DB and signs it
+#
+# Package: AniNIX/Sharingan
+# Copyright: WTFPL
+#
+# Author: DarkFeather <ircs://aninix.net:6697/DarkFeather>
+
+function usage() {
+    echo "Usage: $0 [ config reference ]"
+    exit $1
+}
+
+function main() {
+    ### Initialize the DB
+    base="$1"
+    dbdir="$(grep -m 1 -E '^@@define DBDIR' "$base" | cut -f 3 -d ' ')"
+    dbin="$(grep -m 1 -E '^database_in' "$base" | cut -f 2 -d '=' | sed "s#file:...DBDIR.#${dbdir}#")"
+    dbout="$(grep -m 1 -E '^database_out' "$base" | cut -f 2 -d '=' | sed "s#file:...DBDIR.#${dbdir}#")"
+
+    # sudo chattr -i "$dbin"*
+
+    sudo aide -c "$base" -i 2>&1 | sudo tee "$dbin".out
+    sudo mv "$dbout" "$dbin"
+    sudo chmod 0644 "$dbin"
+    gpg -bs --output - "$dbin" | sudo tee "$dbin".sig &>/dev/null
+    sudo chown root: "$dbin"*
+    sudo chmod 0755 "$dbin"*
+    # sudo chattr +i "$dbin"*
+}
+
+### MAIN
+if [ `basename "$0"` == "aideinit" ]; then
+
+    # Allow -h for helptext
+    if [ "$1" == '-h' ]; then
+        echo "Initializes an AIDE DB"
+        usage 0
+    else
+
+        # Find the config
+        if [ -z "${1}" ]; then
+            base='/etc/aide.conf'
+        else
+            base="/etc/aide/${1}.conf"
+        fi
+        if [ -f "$base" ]; then
+            main "$base"
+        else
+
+            # If it doesn't, explain and exit.
+            echo "$base does not exist"
+            usage 1
+        fi
+    fi
+fi

roles/Sharingan/tasks/ids.yml

@@ -5,6 +5,7 @@
    register: package_install
    package:
      name:
+       - aide
        - sshguard
        - suricata
        - oinkmaster
@@ -73,6 +74,15 @@
      group: root
      mode: 0644
 
+ - name: Create aide conf folder
+   become: yes
+   copy:
+     src: "aide/"
+     dest: /etc/aide
+     owner: root
+     group: root
+     mode: 0755
+
  # Network IDS
  - name: Copy oinkmaster conf
    register: oinkmaster_conf