maybe chmod 0755 'acpi'
maybe chmod 0755 'acpi/events'
maybe chmod 0644 'adduser.conf'
+maybe chmod 0755 'aide'
+maybe chmod 0644 'aide/aide.conf'
+maybe chmod 0755 'aide/aide.conf.d'
+maybe chmod 0644 'aide/aide.conf.d/10_aide_constants'
+maybe chmod 0755 'aide/aide.conf.d/10_aide_distribution'
+maybe chmod 0755 'aide/aide.conf.d/10_aide_hostname'
+maybe chmod 0755 'aide/aide.conf.d/10_aide_prevyear'
+maybe chmod 0644 'aide/aide.conf.d/10_aide_run'
+maybe chmod 0755 'aide/aide.conf.d/10_aide_year'
+maybe chmod 0755 'aide/aide.conf.d/30_aide_apache2'
+maybe chmod 0755 'aide/aide.conf.d/30_aide_bind9'
+maybe chmod 0755 'aide/aide.conf.d/30_inn2_vars'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_acpid'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_adjtime'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_aide'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_alsa'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_amanda-client'
+maybe chmod 0755 'aide/aide.conf.d/31_aide_amanda-server'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_amavisd-new'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_anacron'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_anubis'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_apache'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_apache2'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_apcupsd'
+maybe chmod 0755 'aide/aide.conf.d/31_aide_apt'
+maybe chmod 0755 'aide/aide.conf.d/31_aide_apt-file'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_apt-listbugs'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_apt-listchanges'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_apt-show-versions'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_apt_frqchg'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_aptitude'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_aptitude_frqchg'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_at'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_atop'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_bind9'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_btmp'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_cereal'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_checksecurity'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_clamav'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_clamav-freshclam'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_console-log'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_cracklib-runtime'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_cron'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_cron-apt'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_cups'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_dbus'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_ddclient'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_debconf'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_debsecan'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_dlocate'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_dokuwiki'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_dovecot'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_dpkg'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_etckeeper'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_exim4'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_exim4_logs'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_fail2ban'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_fcron'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_findutils'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_gnupg'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_hald'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_hapsd'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_ifplugd'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_ifupdown'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_inetd'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_initramfs-tools'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_initscripts'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_inn2'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_ippl'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_isc-dhcp-client'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_isc-dhcp-server'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_kerberos'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_laptop-mode-tools'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_lastlog'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_lib-init-rw'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_libapache2-mod-fastcgi'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_libvirt-bin'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_lighttpd'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_logcheck'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_logrotate'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_lvm2'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_mail'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_mailman'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_man'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_mdadm'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_mlocate'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_modules'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_mtab'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_munin'
+maybe chmod 0755 'aide/aide.conf.d/31_aide_munin-nodes'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_mysql-server'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_nagios2'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_nagios3'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_network'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_nfs'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_nrpe'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_nscd'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_nslcd'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_ntp-server'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_openvpn'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_opie-server'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_pam_motd'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_pcscd'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_php-common'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_php7'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_pm-utils'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_portmap'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_postfix'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_postgresql'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_postgrey'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_privoxy'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_proftpd'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_resolvconf'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_rkhunter'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_rngd'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_root-dotfiles'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_rsnapshot'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_rsyslog'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_run_systemd_netif'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_run_systemd_resolve'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_runuser'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_samba'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_screen'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_slapd'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_slrn'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_smartmontools'
+maybe chmod 0755 'aide/aide.conf.d/31_aide_smokeping'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_snmpd'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_spamassassin'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_squid'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_ssh-agent'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_ssh-server'
+maybe chmod 0755 'aide/aide.conf.d/31_aide_sudo'
+maybe chmod 0755 'aide/aide.conf.d/31_aide_svn-server'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_systemd_journal'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_systemd_sessions'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_tetex-bin'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_tiger'
+maybe chmod 0755 'aide/aide.conf.d/31_aide_torrus'
+maybe chmod 0755 'aide/aide.conf.d/31_aide_trac'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_tt-rss'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_udev'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_util-linux'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_utmp'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_vpnc'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_webalizer'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_wpasupplicant'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_wtmp'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_x11-common'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_x11-xkb-utils'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_xdm'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_xfree86-common'
+maybe chmod 0644 'aide/aide.conf.d/31_aide_xinetd'
+maybe chmod 0644 'aide/aide.conf.d/70_aide_dev'
+maybe chmod 0644 'aide/aide.conf.d/70_aide_etc'
+maybe chmod 0644 'aide/aide.conf.d/70_aide_proc_sys'
+maybe chmod 0644 'aide/aide.conf.d/70_aide_run'
+maybe chmod 0644 'aide/aide.conf.d/70_aide_tmp'
+maybe chmod 0644 'aide/aide.conf.d/70_aide_var'
+maybe chmod 0644 'aide/aide.conf.d/99_aide_root'
+maybe chmod 0755 'aide/aide.settings.d'
+maybe chmod 0755 'aide/aide.settings.d/10_aide_sourceslist'
+maybe chmod 0644 'aide/aide.settings.d/31_aide_apt_settings'
+maybe chmod 0644 'aide/aide.settings.d/31_aide_svn-server_settings'
+maybe chmod 0644 'aide/aide.settings.d/31_aide_trac_settings'
maybe chmod 0644 'aliases'
maybe chmod 0644 'aliases.db'
maybe chmod 0755 'alternatives'
maybe chmod 0644 'cron.d/sync'
maybe chmod 0755 'cron.daily'
maybe chmod 0644 'cron.daily/.placeholder'
+maybe chmod 0755 'cron.daily/aide'
maybe chmod 0755 'cron.daily/apache2'
maybe chmod 0755 'cron.daily/apt-compat'
maybe chmod 0755 'cron.daily/apt-show-versions'
maybe chmod 0644 'debian_version'
maybe chmod 0755 'default'
maybe chmod 0644 'default/acpid'
+maybe chmod 0644 'default/aide'
maybe chmod 0644 'default/amavis-mc'
maybe chmod 0644 'default/amavisd-milter'
maybe chmod 0644 'default/amavisd-snmp-subagent'
--- /dev/null
+# AIDE conf
+
+# The daily cron job depends on these paths
+database=file:/var/lib/aide/aide.db
+database_out=file:/var/lib/aide/aide.db.new
+database_new=file:/var/lib/aide/aide.db.new
+gzip_dbout=yes
+
+# Set to no to disable summarize_changes option.
+summarize_changes=yes
+
+# Set to no to disable grouping of files in report.
+grouped=yes
+
+# standard verbose level
+verbose = 6
+
+# Set to yes to print the checksums in the report in hex format
+report_base16 = no
+
+# if you want to sacrifice security for speed, remove some of these
+# checksums. Whirlpool is broken on sparc and sparc64 (see #429180,
+# #420547, #152203).
+Checksums = sha256+sha512+rmd160+haval+gost+crc32+tiger
+
+# The checksums of the databases to be printed in the report
+# Set to 'E' to disable.
+database_attrs = Checksums
+
+# check permissions, owner, group and file type
+OwnerMode = p+u+g+ftype
+
+# Check size and block count
+Size = s+b
+
+# Files that stay static
+InodeData = OwnerMode+n+i+Size+l+X
+StaticFile = m+c+Checksums
+
+# Files that stay static but are copied to a ram disk on startup
+# (causing different inode)
+RamdiskData = InodeData-i
+
+# Check everything
+Full = InodeData+StaticFile
+
+# Files that change their mtimes or ctimes but not their contents
+VarTime = InodeData+Checksums
+
+# Files that are recreated regularly but do not change their contents
+VarInode = VarTime-i
+
+# Files that change their contents during system operation
+VarFile = OwnerMode+n+l+X
+
+# Directories that change their contents during system operation
+VarDir = OwnerMode+n+i+X
+
+# Directories that are recreated regularly and change their contents
+VarDirInode = OwnerMode+n+X
+
+# Directories that change their mtimes or ctimes but not their contents
+VarDirTime = InodeData
+
+# Logs are special: they are continously written to, may be compressed
+# have their file name changed in different, mutually incompatibly ways
+# and apprear and vanish at will. Handling this is a a complex and error-
+# prone issue.
+#
+# This is best broken down in a number of small tasks:
+#
+#
+# (A)
+# While a live log is being written to, it doesn't change its mode and
+# inode and its size only increases.
+#
+# (B)
+# When a live log is rotated for the first time, it should not change
+# its mode, may change its inode, and its size decreases. The size
+# decrease may not be noticed by aide if the file had size x at the last
+# aide run, was rotated in the mean time and was written to so that it
+# had a size > x at the next aide run.
+#
+# (C)
+# When a log is compressed, this looks to aide like the uncompressed
+# file vanished (or was replaced by another file) and the compressed
+# file appeared out of the blue. There is (currently) no way to
+# associate the (gone) uncompressed file's contents with the (new)
+# compressed file's contents
+#
+# (D)
+# The actual log rotation may rename foo.{x}.bar to foo.{x+1}.bar without
+# changing the other properties of the file
+#
+# (E)
+# If only a given number of log generations is to be kept, foo.{y}.bar may
+# vanish, but usually only when no foo.{z}.bar exists for z>y.
+#
+# (F)
+# The set of files foo.{x}.bar to foo.{y}.bar is called a "log series"
+# in aide terms, with the lowest x being called the "LoSerMember" element
+# and the highest y being called the "HiSerMember" element, and the z
+# with x<z<y simple called "SerMember". The Lo and Hi members need to
+# be special cased in aide configuration.
+#
+#
+# This is an example of the normal life of a log named foo in a logrotate
+# configuration using a configuration at it is commonly used in Debian
+# (from old to new):
+# 1 logrotate deletes HiSerMember foo.{y}.gz
+# 2 logrotate rotates SerMember foo.{z-1}.gz to foo.{z}.gz for all
+# z with 3<z<=y. This includes rotation of foo.{y-1}.gz to
+# foo.{y}.gz and foo.2.gz to foo.3.gz
+# 3 logrotate compresses foo.1 to foo.2.gz, creating LoSerMember foo.2.gz
+# 4 logrotate rotates foo to foo.1 (a simple rename)
+# 5 logrotate creates new, empty foo
+# 6 foo daemon logs to foo - foo grows in size
+#
+# we need the following rules:
+# /var/log/foo$ Log
+# /var/log/foo$ FreqRotLog
+# this takes care of the growing live log (step 7). The "Log" rule
+# is appropriate for logs that are not rotated daily as rotation
+# might be reported (if the file size has decreased since the last
+# aide run). For daily rotated logs, the "FreqRotLog" may be more
+# appropriate.
+# /var/log/foo\.1$ LowLog
+# this takes care of step 5.
+# /var/log/foo\.2\.gz$ LoSerMemberLog
+# this allows yet unknown new files to appear with a \.2\.gz extension,
+# covering step 3.
+# /var/log/foo\.[3..y-1]\.gz$ SerMemberLog
+# this watches the log files as they wander through the Series,
+# changing only their file name but not their contents or metadata,
+# covering step 2.
+# Please note that [3..y-1] needs to be a manually crafted regexp covering
+# all numbers between 3 and y-1.
+# /var/log/foo\.y\.gz$ HiSerMemberLog
+# finally, the last element of the Series is allowed to vanish without
+# being reported, covering step 1.
+#
+# Please note that these example rules need to be adapted to the logrotate
+# configuration for the log. Compression may be disabled or lead to a different
+# extension, the dateext option may be used, old logs might be held in a
+# different place, a log series does not necessarily need to be compressed etc.
+#
+# Please note that savelog rotates the live log to .0 and not to .1 as it
+# is logrotates (changeable) default.
+
+
+# Logs grow in size. Log rotation of these logs will be reported, so
+# this should only be used for logs that are not rotated daily.
+Log = OwnerMode+n+S+X
+
+# Logs that are frequently rotated
+FreqRotLog = Log-S
+
+# The first instance of a rotated log: After the log has stopped being
+# written to, but before rotation
+LowLog = Log-S
+
+# Rotated logs change their file name but retain all their other properties
+SerMemberLog = Full+I
+
+# The first instance of a compressed, rotated log: After a LowLog was
+# compressed.
+LoSerMemberLog = SerMemberLog+ANF
+
+# The last instance of a compressed, rotated log: After this name, a log
+# will be removed
+HiSerMemberLog = SerMemberLog+ARF
+
+# Not-yet-compressed log created by logrotate's dateext option:
+# These files appear one rotation (renamed from the live log) and are gone
+# the next rotation (being compressed)
+LowDELog = SerMemberLog+ANF+ARF
+
+# Compressed log created by logrotate's dateext option: These files appear
+# once and are not touched any more.
+SerMemberDELog = Full+ANF
+
+# For daemons that log to a variable file name and have the live log
+# hardlinked to a static file name
+LinkedLog = Log-n
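Review bot: The step references in the "we need the following rules" comment do not match the numbered list above it. The list has six steps, yet the `/var/log/foo$` rule is said to cover "step 7". The `foo\.1$ LowLog` rule cites "step 5", although the rename of foo to foo.1 is step 4. I would change these to `(step 6)` and `this takes care of step 4.`, so that someone adapting the rules to a different logrotate setup can follow which rule covers which transition.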
--- /dev/null
+@@define IP4ADDRESS (25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}
+@@define IP6ADDRESS ((:(:[0-9A-Fa-f]{1,4}){1,7}|::|[0-9A-Fa-f]{1,4}(:(:[0-9A-Fa-f]{1,4}){1,6}|::|:[0-9A-Fa-f]{1,4}(:(:[0-9A-Fa-f]{1,4}){1,5}|::|:[0-9A-Fa-f]{1,4}(:(:[0-9A-Fa-f]{1,4}){1,4}|::|:[0-9A-Fa-f]{1,4}(:(:[0-9A-Fa-f]{1,4}){1,3}|::|:[0-9A-Fa-f]{1,4}(:(:[0-9A-Fa-f]{1,4}){1,2}|::|:[0-9A-Fa-f]{1,4}(::[0-9A-Fa-f]{1,4}|::|:[0-9A-Fa-f]{1,4}(::|:[0-9A-Fa-f]{1,4}))))))))|(:(:[0-9A-Fa-f]{1,4}){0,5}|[0-9A-Fa-f]{1,4}(:(:[0-9A-Fa-f]{1,4}){0,4}|:[0-9A-Fa-f]{1,4}(:(:[0-9A-Fa-f]{1,4}){0,3}|:[0-9A-Fa-f]{1,4}(:(:[0-9A-Fa-f]{1,4}){0,2}|:[0-9A-Fa-f]{1,4}(:(:[0-9A-Fa-f]{1,4})?|:[0-9A-Fa-f]{1,4}(:|:[0-9A-Fa-f]{1,4})))))):(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3})
--- /dev/null
+#!/bin/sh
+
+if [ -e "/etc/debian_version" ]; then
+ echo "@@ifndef DEBIANVERSION"
+ echo "@@define DEBIANVERSION Debian/$(head -n 1 /etc/debian_version | sed 's/[^-\/()a-zA-Z0-9]/_/g')"
+ echo "@@endif"
+fi
+if [ -x "/usr/bin/lsb_release" ]; then
+ for parm in id description release codename; do
+ PARM="$LSB_$(echo $parm | tr 'a-z' 'A-Z')"
+ echo "@@ifndef $PARM"
+ echo "@@define $PARM $(/usr/bin/lsb_release --short --$parm | sed 's/[^-\/a-z()A-Z0-9]/_/g')"
+ echo "@@endif"
+ done
+fi
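Review bot: In the lsb_release loop, `PARM="$LSB_$(...)"` expands a shell variable named `LSB_`, because the underscore is a valid name character, rather than emitting the literal prefix. Unless `LSB_` happens to be set in the environment, the macros come out as `ID`, `DESCRIPTION`, `RELEASE` and `CODENAME`, not `LSB_ID` and so on. These generic names can collide with other definitions, and the `@@ifndef` guard then tests the wrong name. If the prefix is intended, the line should read `PARM="LSB_$(echo "$parm" | tr 'a-z' 'A-Z')"`.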
--- /dev/null
+#!/bin/sh
+
+escapere()
+{
+ sed 's/\./\\./g'
+}
+
+if [ -n "$(hostname --fqdn)" ]; then
+ echo "@@define FQDN $(hostname --fqdn | escapere)"
+fi
+if [ -n "$(hostname)" ]; then
+ echo "@@define HOSTNAME $(hostname | escapere)"
+fi
+if [ -n "$(dnsdomainname)" ]; then
+ echo "@@define DNSDOMAINNAME $(dnsdomainname | escapere)"
+fi
+if [ -n "$(dpkg --print-architecture)" ]; then
+ echo "@@define ARCH $(dpkg --print-architecture)"
+fi
+if [ -n "$(dpkg --print-foreign-architectures)" ]; then
+ if [ "$(dpkg --print-foreign-architectures | wc -l)" -gt 1 ]; then
+ echo "@@define FOREIGN_ARCHES $(dpkg --print-foreign-architectures | tr '\n' '|' | sed 's/^/(/; s/|$/)/')"
+ else
+ echo "@@define FOREIGN_ARCHES $(dpkg --print-foreign-architectures)"
+ fi
+fi
--- /dev/null
+#!/bin/sh
+
+echo "@@define PREVYEAR4D $(date +%Y --date="last year")"
--- /dev/null
+# Please note: always remove leading and trailing slashes in path macros
+# var/run -> run
+@@ifndef RUN
+@@define RUN run
+@@endif
+# var/lock -> run/lock
+@@ifndef RUNLOCK
+@@define RUNLOCK run/lock
+@@endif
+# lib/init/rw -> run
+@@ifndef LIBINITRW
+@@define LIBINITRW run
+@@endif
+
+
+# Please note: mind the trailing slash after transition
+# dev/\. -> run/
+@@ifndef DEVDOT
+@@define DEVDOT run/
+@@endif
--- /dev/null
+#!/bin/sh
+
+echo "@@define YEAR4D $(date +%Y)"
--- /dev/null
+#!/bin/bash
+
+if [ -e /etc/apache2/mods-enabled/suexec.load ]; then
+ echo "@@define APACHE2_SUEXEC 1"
+fi
--- /dev/null
+#! /bin/bash
+# this script automatically sets the BINDCHROOT variable to the
+# directory that bind chroots to via configuration in
+# /etc/default/bind9. This is only going to work if your /etc/default/bind9
+# is not too modified.
+#
+# If you want to use this magic, just uncomment it.
+# You can also manually set the chroot directory in a non-executable
+# file: @@define BINDCHROOT /var/cache/bind
+
+# # Automagically extract chroot directory
+# . /etc/default/bind9
+# set $OPTIONS
+# for i in $@;do
+# if [ "$1" == "-t" ]
+# then echo "@@define BINDCHROOT $2"; break
+# else shift
+# fi
+# done
--- /dev/null
+#!/bin/bash
+
+if [ -e /etc/news/innfeed.conf ]; then
+ echo -n "@@define INN2_INNFEED_OUTFEEDS ("
+< /etc/news/innfeed.conf \
+ sed -n '/^[[:space:]]*peer[[:space:]]/{s/^[[:space:]]*peer[[:space:]]\+\([-\.a-z0-9]\+\).*/\1/;p;}' | \
+ tr '\n' '|' |\
+ sed 's/|$/)/'
+ echo
+fi
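Review bot: When `/etc/news/innfeed.conf` exists but contains no `peer` lines, the pipeline prints nothing after the opening `echo -n`, so the emitted line is `@@define INN2_INNFEED_OUTFEEDS (` with an unbalanced parenthesis. Any rule that expands this macro would then contain a broken regular expression. I would collect the peer list into a variable first and emit the define only when it is non-empty, for example `[ -n "$peers" ] && echo "@@define INN2_INNFEED_OUTFEEDS ($peers)"`. The peer names are also inserted with their dots unescaped, so each dot matches any character.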
--- /dev/null
+/var/log/acpid$ Log
+/var/log/acpid\.1$ LowLog
+/var/log/acpid\.2\.gz$ LoSerMemberLog
+/var/log/acpid\.3\.gz$ SerMemberLog
+/var/log/acpid\.4\.gz$ HiSerMemberLog
+/@@{RUN}/acpid\.(socket|pid)$ VarFile
--- /dev/null
+/etc/adjtime$ VarFile
--- /dev/null
+/var/lib/aide/aide\.db(\.new)?$ VarFile
+!/var/lib/aide/aide\.conf\.autogenerated$
+/var/lib/aide$ VarDir
+/var/log/aide/aide\.log(\.0)?$ LowLog
+/var/log/aide/aide\.log\.1\.gz$ LoSerMemberLog
+/var/log/aide/aide\.log\.[2-5]\.gz$ SerMemberLog
+/var/log/aide/aide\.log\.6\.gz$ HiSerMemberLog
+/var/log/aide$ VarDir
+!/@@{RUN}/aide$
+!/@@{RUN}/aide\.lock$
+!/@@{RUN}/aide/cron\.daily\.lock$
+!/@@{RUN}/aide/cron\.daily$
+!/@@{RUN}/aide/cron\.daily/((error|a(run|err))log|mailfile)$
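Review bot: The baseline database is covered only by `/var/lib/aide/aide\.db(\.new)?$ VarFile`, and aide.conf defines VarFile as `OwnerMode+n+l+X`, which has no checksum or size attribute. A database rewritten on this host would therefore not be reported by these rules, and a check is only as trustworthy as the local copy it compares against. I would add a comment above the rule such as `# aide.db is not checksummed here; keep a reference copy on read-only or off-host storage and verify against it`.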
--- /dev/null
+/var/lib/alsa/asound\.state$ VarFile
--- /dev/null
+@@define AMANDALOG var/log/amanda
+
+/var/lib/dumpdates$ VarFile
+!/@@{AMANDALOG}/amandad/amandad\.@@{YEAR4D}[0-9]{10}\.debug$
+/@@{AMANDALOG}/(amandad|client)$ VarDir
+@@ifdef AMANDABACKUPSET
+/@@{AMANDALOG}/client/@@{AMANDABACKUPSET}$ VarDir
+@@endif
+!/@@{AMANDALOG}/client/[^/]+/(sendsize|killpgrp|sendbackup|selfcheck)\.@@{YEAR4D}[0-9]{10}\.debug$
--- /dev/null
+#!/bin/bash
+
+MULTILINEDLE=0
+
+skip_multiline_dle() {
+ if [ "$MULTILINEDLE" = "0" ]; then
+ if echo "$rest" | grep -q '{'; then
+ MULTILINEDLE=1
+ fi
+ return 1
+ elif echo "$host $dev $rest" | grep -q '}'; then
+ MULTILINEDLE=0
+ fi
+ return 0
+}
+
+if ! [ -d /etc/amanda ]; then
+ exit 0
+fi
+for configfile in $(find /etc/amanda -name amanda.conf ! -path '/etc/amanda/template.d*' | tr '
+' ' '); do
+ config="$(dirname $configfile)"
+ cd $config
+ CONF="${config##*/}"
+ AMANDA_TAPEDEV="$(amgetconf $CONF tapedev)"
+ AMANDA_TAPEDEV="${AMANDA_TAPEDEV#file:}"
+ if [ -d "$AMANDA_TAPEDEV" ]; then
+ echo "@@define AMANDA_TAPEDEV $AMANDA_TAPEDEV"
+ for slot in $(find $AMANDA_TAPEDEV -type d -regex '.*/slot[0-9]+' -printf "%P\n"); do
+ if [ -f "disklist" ]; then
+ while read host dev rest; do
+ if echo $host | grep -q '^\(#.*\)\?$'; then continue; fi
+ dev="$(echo $dev | sed 's|/|_|g')"
+ if ! skip_multiline_dle; then
+ echo "!@@{AMANDA_TAPEDEV}/$slot/[0-9]{5}[-\.]$host\.$dev\.[0123]$"
+ fi
+ done < disklist
+ MULTILINEDLE=0
+ fi
+ cat <<EOF
+@@{AMANDA_TAPEDEV}/$slot/00000[-\.]$CONF-$(printf "%03d" ${slot#slot})$ VarFile
+!@@{AMANDA_TAPEDEV}/$slot/[0-9]{5}[-\.]TAPEEND$
+@@{AMANDA_TAPEDEV}/$slot$ VarDir
+EOF
+ done
+ cat <<EOF
+@@{AMANDA_TAPEDEV}/(data|info)$ VarFile
+@@{AMANDA_TAPEDEV}$ VarDir
+EOF
+ fi
+ AMANDA_LOGDIR="$(amgetconf $CONF logdir)"
+ if [ -n "$AMANDA_LOGDIR" ]; then
+ cat <<EOF
+@@define AMANDA_LOGDIR $AMANDA_LOGDIR
+@@{AMANDA_LOGDIR}/log\.@@{YEAR4D}[0-9]{4}\.0$ LowDELog
+@@{AMANDA_LOGDIR}/oldlog/log\.@@{YEAR4D}[0-9]{4}\.0$ SerMemberDELog
+@@{AMANDA_LOGDIR}/amdump\.1$ LoSerMemberLog
+@@{AMANDA_LOGDIR}/amdump\.[2-8]$ SerMemberLog
+@@{AMANDA_LOGDIR}/amdump\.9$ HiSerMemberLog
+@@{AMANDA_LOGDIR}(/oldlog)?$ VarDir
+EOF
+ fi
+ AMANDA_INDEXDIR="$(amgetconf $CONF indexdir)"
+ if [ -n "$AMANDA_INDEXDIR" ]; then
+ echo "@@define AMANDA_INDEXDIR $AMANDA_INDEXDIR"
+ if [ -f "disklist" ]; then
+ while read host dev rest; do
+ if echo $host | grep -q '^\(#.*\)\?$'; then continue; fi
+ dev="$(echo $dev | sed 's|[/:]|_|g
+s|\"||g')"
+ if ! skip_multiline_dle; then
+ echo "!@@{AMANDA_INDEXDIR}/$host/$dev/@@{YEAR4D}[0-9]{4}_[0123]\.gz$"
+ echo "@@{AMANDA_INDEXDIR}/$host/$dev$ VarDir"
+ fi
+ done < disklist
+ MULTILINEDLE=0
+ fi
+ fi
+ AMANDA_CHANGERFILE="$(amgetconf $CONF changerfile)"
+ AMANDA_CHANGERDIR="${AMANDA_CHANGERFILE%changer}"
+ if [ -n "$AMANDA_CHANGERDIR" ]; then
+ echo "@@define AMANDA_CHANGERDIR $AMANDA_CHANGERDIR"
+ echo "@@{AMANDA_CHANGERDIR}/(changer-(access|clean|slot)|tapelist(\.yesterday)?)$ VarFile"
+ echo "@@{AMANDA_CHANGERDIR}$ VarDir"
+ fi
+ AMANDA_INFOFILE="$(amgetconf $CONF infofile)"
+ if [ -n "$AMANDA_INFOFILE" ]; then
+ echo "@@define AMANDA_INFOFILE $AMANDA_INFOFILE"
+ if [ -f "disklist" ]; then
+ while read host dev rest; do
+ if echo $host | grep -q '^\(#.*\)\?$'; then continue; fi
+ dev="$(echo $dev | sed 's|[/:]|_|g
+s|\"||g')"
+ if ! skip_multiline_dle; then
+ echo "@@{AMANDA_INFOFILE}/$host/$dev/info$ VarFile"
+ echo "@@{AMANDA_INFOFILE}/$host/$dev$ VarDir"
+ fi
+ done < disklist
+ MULTILINEDLE=0
+ fi
+ fi
+ # this is hardcoded since amgetconf refuses to deliver diskdir
+ AMANDA_HOLDING="/srv/amanda/holding"
+ if [ -n "$AMANDA_HOLDING" ]; then
+ echo "$AMANDA_HOLDING$ VarDir"
+ fi
+ echo "@@define AMANDALOG /var/log/amanda/server/$CONF"
+ cat <<EOF
+!@@{AMANDALOG}/(amcheck|amlogroll|amreport|amtrm(idx|log)|chunker|driver|dumper|planner|taper)\.@@{YEAR4D}[0-9]{10}\.debug$
+!@@{AMANDALOG}/(chunker|dumper)\.@@{YEAR4D}[0-9]{13}\.debug$
+@@{AMANDALOG}$ VarDir
+/var/log/amanda/server$ VarDir
+EOF
+done
+
+cat <<EOF
+@@define AMANDALOG /var/log/amanda/amandad
+!@@{AMANDALOG}/(amandad)\.@@{YEAR4D}[0-9]{10}\.debug$
+@@{AMANDALOG}$ VarDir
+/tmp/amanda$ VarDir
+EOF
+
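Review bot: The `!` ignore rules generated from `disklist` interpolate `$host` and `$dev` into regular expressions without escaping metacharacters. Only `/`, and in two of the loops `:` and `"`, are rewritten, so a dot in a host name matches any character and the exclusion is wider than the files it is meant for. Escaping at least the dots before use, e.g. `host="$(echo "$host" | sed 's/\./\\./g')"`, keeps each ignore pattern tied to its file. Separately, `cd $config` is unquoted and unchecked, so if it fails `disklist` is read from whatever the current directory is; `cd "$config" || continue` avoids that. The unquoted `$(find ...)`, `$configfile` and `$AMANDA_TAPEDEV` expansions will also split on whitespace in paths.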
--- /dev/null
+/@@{RUN}/amavis/amavisd.lock$ VarFile
+/var/lib/amavis/tmp$ VarDir
+!/var/lib/amavis/tmp/amavis-[0-9]{8}T[0-9]{6}-[0-9]{5}$
+!/var/lib/amavis/tmp/amavis-[0-9]{8}T[0-9]{6}-[0-9]{5}/(email\.txt|parts)$
+/var/lib/amavis/db/__db.[0-9]{3} VarFile
+/var/lib/amavis/db/(cache(-expiry)?|snmp|nanny)\.db$ VarFile
+/var/lib/amavis/.spamassassin$ VarDir
+/var/lib/amavis/.spamassassin/bayes_(toks|seen)$ VarFile
+/var/lib/amavis/.spamassassin/auto-whitelist$ VarFile
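Review bot: Several patterns here leave dots unescaped (`amavisd.lock`, `__db.[0-9]{3}`, `.spamassassin`), and the `__db.[0-9]{3} VarFile` rule has no trailing `$`. Each rule therefore matches more paths than the single file it names, and the unanchored one also matches anything whose path merely starts with that prefix. I would write `amavisd\.lock$`, `__db\.[0-9]{3}$` and `\.spamassassin`. The same applies elsewhere in this diff: the `setuid.changes` and `setuid.(today|yesterday)` rules, `index.db` in the apt-listbugs rule, the unanchored `@@{BINDCHROOT}/dev VarDir` and `@@{BINDCHROOT}/var/log/bind VarDir` lines, and the cereal `!.../log/main(...)?` rule. That last one is a negative rule, so without `$` it silently excludes everything below that prefix.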
--- /dev/null
+/var/spool/anacron/cron\.(monthly|weekly|daily)$ VarFile
--- /dev/null
+/@@{RUN}/anubis\.pid$ VarFile
--- /dev/null
+/var/log/apache/(access|error)\.log$ Log
+/var/log/apache/(access|error)\.log\.1$ LowLog
+/var/log/apache/(access|error)\.log\.2\.gz$ LoSerMemberLog
+/var/log/apache/(access|error)\.log\.[0-9]+\.gz$ SerMemberLog
+/var/log/apache$ VarDir
+/@@{RUN}/apache\.pid$ VarFile
--- /dev/null
+@@ifdef APACHE2_SUEXEC
+@@define APACHE2_LOGS (access|error|suexec)
+@@else
+@@define APACHE2_LOGS (access|error)
+@@endif
+/var/log/apache2/@@{APACHE2_LOGS}\.log$ Log
+/var/log/apache2/@@{APACHE2_LOGS}\.log\.1$ LowLog
+/var/log/apache2/@@{APACHE2_LOGS}\.log\.2\.gz$ LoSerMemberLog
+/var/log/apache2/@@{APACHE2_LOGS}\.log\.([3-9]|[1-4][0-9]|5[0-1])\.gz$ SerMemberLog
+/var/log/apache2/@@{APACHE2_LOGS}\.log\.52\.gz$ HiSerMemberLog
+
+/@@{RUN}/apache2\.pid$ VarFile
+/@@{RUN}/apache2/ssl_scache$ VarFile
+/var/log/apache2$ VarDir
+/@@{RUN}/apache2$ VarDirInode
--- /dev/null
+/var/log/apcupsd\.events$ Log
+/@@{RUN}/apcupsd\.pid$ VarFile
+/@@{RUNLOCK}/LCK\.\.$ VarFile
--- /dev/null
+#!/bin/bash
+
+. "$UPAC_settingsd/10_aide_sourceslist"
+VARDIR="/var/lib/apt"
+LISTSDIR="$VARDIR/lists"
+CACHEDIR="/var/cache/apt"
+ARCHIVESDIR="$CACHEDIR/archives"
+SYSTEMDDIR="/var/lib/systemd/timers"
+LOGDIR="/var/log/apt"
+IGNORE_ARCHIVES=""
+IGNORE_FRQCHG=""
+APT_VERS=""
+
+if [ -x "$UPAC_confd/31_local_apt_settings" ]; then
+ . "$UPAC_confd/31_local_apt_settings"
+ echo "WARNING: usage of $UPAC_confd/31_local_apt_settings is deprecated, please use $UPAC_settingsd/31_aide_apt_settings" >&2
+elif [ -r "$UPAC_settingsd/31_aide_apt_settings" ]; then
+ # pull in configuration
+ . "$UPAC_settingsd/31_aide_apt_settings"
+fi
+
+echo '@@define TRANSLATIONS (ca|cs|da|de|de_DE|en|eo|es|eu|fi|fr|hr|hu|id|it|ja|km|ko|nb|nl|pl|pt|pt_BR|ro|ru|sk|sr|sv|uk|vi|zh|zh_CN|zh_TW)'
+
+cat $SOURCESLIST /dev/null | sed 's/ #.*$//' | while read deb uri dist comp; do
+ PROTOCOL="$(echo $uri | sed 's|\([^:]\+\).*|\1|')"
+ if [ "$PROTOCOL" = "http" ] || [ "$PROTOCOL" = "ftp" ]; then
+ HOST="$(echo $uri | sed -e 's|.*//\([^/[:space:]]\+\).*|\1|' -e 's|\.|\\\.|g')"
+ HOSTPATH="$(echo $uri | sed -e 's|.*//[^/[:space:]]\+/\?||;s|/$||;s|/|_|g;s|^\(.\+\)$|_\1|' -e 's|\.|\\\.|g')"
+ dist="${dist//\//_}"
+ if [ -n "$DEBUG" ]; then
+ echo "uri $uri"
+ echo "HOST $HOST"
+ echo "HOSTPATH $HOSTPATH"
+ fi
+ if [ "$deb" = "deb" ]; then
+ for c in $comp; do
+ echo "$LISTSDIR/${HOST}${HOSTPATH}_dists_${dist}_${c}_binary-@@{ARCH}_Packages(\.IndexDiff)?$ VarFile"
+ echo "@@ifdef FOREIGN_ARCHES"
+ echo "$LISTSDIR/${HOST}${HOSTPATH}_dists_${dist}_${c}_binary-@@{FOREIGN_ARCHES}_Packages(\.IndexDiff)?$ VarFile"
+ echo "@@endif"
+ echo "$LISTSDIR/${HOST}${HOSTPATH}_dists_${dist}_(InRelease|Release(\.gpg)?)$ VarFile"
+ echo "$LISTSDIR/${HOST}${HOSTPATH}_dists_${dist}_${c}_i18n_Translation-@@{TRANSLATIONS}(\.IndexDiff)?$ VarFile"
+ done
+ echo "!${LISTSDIR}/partial/${HOST}${HOSTPATH}_dists_${dist}_Release\.gpg\.reverify$"
+ elif [ "$deb" = "deb-src" ]; then
+ for c in $comp; do
+ echo "$LISTSDIR/${HOST}${HOSTPATH}_dists_${dist}_${c}_source_Sources(\.IndexDiff)?$ VarFile"
+ echo "$LISTSDIR/${HOST}${HOSTPATH}_dists_${dist}_(InRelease|Release(\.gpg)?)$ VarFile"
+ done
+ fi
+ else
+ : # other protocols are not supported. If you feel like they should
+ : # please give a good reason and probably a patch.
+ fi
+ echo -e "\n\n"
+done
+
+echo "${LISTSDIR}(/partial)?$ VarDir"
+echo "${LISTSDIR}/lock$ VarFile"
+echo "${VARDIR}/periodic/(download-upgradeable|update)-stamp$ VarTime"
+echo "${VARDIR}/(daily_lock|extended_states)$ VarFile"
+echo "${VARDIR}$ VarDir"
+
+echo "${SYSTEMDDIR}/stamp-apt-daily(-upgrade)?\.timer$ VarFile"
+
+echo "${LOGDIR}/(term|history)\.log$ Log"
+echo "${LOGDIR}/(term|history)\.log\.1\.gz$ LoSerMemberLog"
+echo "${LOGDIR}/(term|history)\.log\.([2-9]|1[0-1])\.gz$ SerMemberLog"
+echo "${LOGDIR}/(term|history)\.log\.12\.gz$ HiSerMemberLog"
+echo "${LOGDIR}$ VarDir"
+
+echo "/var/backups/apt\.extended_states\.0$ LowLog"
+echo "/var/backups/apt\.extended_states\.1\.gz$ LoSerMemberLog"
+echo "/var/backups/apt\.extended_states\.[2345]\.gz$ SerMemberLog"
+echo "/var/backups/apt\.extended_states\.6\.gz$ HiSerMemberLog"
+
+if [ "$IGNORE_ARCHIVES" = "yes" ]; then
+ echo "!$ARCHIVESDIR/[-a-zA-Z0-9%\.~_+]+_(@@{ARCH}|all)\.deb$"
+ echo "@@ifdef FOREIGN_ARCHES"
+ echo "!$ARCHIVESDIR/[-a-zA-Z0-9%\.~_+]+_@@{FOREIGN_ARCHES}\.deb$"
+ echo "@@endif"
+fi
+
+if [ "$IGNORE_FRQCHG" = "yes" ]; then
+ echo "$ARCHIVESDIR(/partial|/lock)?$ VarDir"
+ echo "!$CACHEDIR/(src)?pkgcache\.bin$"
+ echo "$CACHEDIR$ VarDir"
+fi
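Review bot: The protocol test `[ "$PROTOCOL" = "http" ] || [ "$PROTOCOL" = "ftp" ]` skips `https` sources, so a mirror served over TLS gets no list-file rules from this script. Those files would presumably be caught by a broader rule and reported as changed after every apt update, which is the kind of recurring noise that hides real findings. As far as I know apt names list files the same way regardless of scheme, so adding `|| [ "$PROTOCOL" = "https" ]` should be enough. The same test appears in the apt-file script that follows. Note also that `read deb uri dist comp` does not account for a bracketed option block after `deb`, which would shift every field by one.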
--- /dev/null
+#!/usr/bin/env bash
+
+. "$UPAC_settingsd/10_aide_sourceslist"
+
+cat $SOURCESLIST /dev/null | sed 's/ #.*$//' | while read deb uri dist comp; do
+ PROTOCOL="$(echo $uri | sed 's|\([^:]\+\).*|\1|')"
+ HOST="$(echo $uri | sed -e 's|.*//\([^/[:space:]]\+\).*|\1|' -e 's|\.|\\\.|g')"
+ HOSTPATH="$(echo $uri | sed -e 's|.*//[^/[:space:]]\+/\?||;s|/$||;s|/|_|g;s|^\(.\+\)$|_\1|' -e 's|\.|\\\.|g')"
+ if [ "$PROTOCOL" = "http" ] || [ "$PROTOCOL" = "ftp" ]; then
+ for c in $comp; do
+ echo "/var/cache/apt/apt-file/"${HOST//\./\\\.}${HOSTPATH}"_dists_"${dist//\//_}"_"${c}"_Contents-@@{ARCH}\.(gz|IndexDiff)$ VarFile"
+ echo "@@ifdef FOREIGN_ARCHES"
+ echo "/var/cache/apt/apt-file/"${HOST//\./\\\.}${HOSTPATH}"_dists_"${dist//\//_}"_"${c}"_Contents-@@{FOREIGN_ARCHES}\.(gz|IndexDiff)$ VarFile"
+ echo "@@endif"
+ done
+ fi
+done
+
+echo "/var/cache/apt/apt-file$ VarDir"
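Review bot: `HOST` looks to be escaped twice in the two `echo` lines inside the component loop. The `sed` that sets `HOST` already turns each dot into `\.`, and `${HOST//\./\\\.}` then rewrites the dot again, which would yield `\\.` (a literal backslash followed by any character), a pattern that cannot match a real cache file name. Using plain `${HOST}` would avoid this, as the sibling apt rule script does. The expansions also sit outside the double quotes, so they are subject to word splitting and globbing; I would keep the whole pattern in one quoted string, e.g. `echo "/var/cache/apt/apt-file/${HOST}${HOSTPATH}_dists_${dist//\//_}_${c}_Contents-@@{ARCH}\.(gz|IndexDiff)$ VarFile"`.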
--- /dev/null
+!/var/cache/apt-listbugs/%2Findices%2Findex.db-(critical|grave|serious)\.gz$
+/var/cache/apt-listbugs$ VarDir
--- /dev/null
+/var/lib/apt/listchanges\.db$ VarFile
--- /dev/null
+/var/cache/apt-show-versions/(files|ipackages|apackages)$ VarFile
+/var/cache/apt-show-versions$ VarDir
--- /dev/null
+# this has been replaced by the scripted rule file 31_aide_apt
+# this file can be removed
--- /dev/null
+/var/log/aptitude$ Log
+/var/log/aptitude\.1\.gz$ LoSerMemberLog
+/var/log/aptitude\.[2-5]\.gz$ SerMemberLog
+/var/log/aptitude\.6\.gz$ HiSerMemberLog
+/var/backups/aptitude\.pkgstates\.0$ LowLog
+/var/backups/aptitude\.pkgstates\.1\.gz$ LoSerMemberLog
+/var/backups/aptitude\.pkgstates\.[2345]\.gz$ SerMemberLog
+/var/backups/aptitude\.pkgstates\.6\.gz$ HiSerMemberLog
+/var/lib/aptitude/pkgstates(\.old)?$ VarFile
+/var/lib/aptitude$ VarDir
+!/@@{RUNLOCK}/aptitude$
+/root/\.(aptitude|debtags)$ VarDir
+/root/\.aptitude/config$ VarFile
--- /dev/null
+# removed, rules are contained in 31_aide_aptitude
--- /dev/null
+/var/spool/cron/at(spool|jobs)$ VarDir
+/@@{RUN}/atd\.pid$ VarFile
--- /dev/null
+/var/log/atop$ VarDirInode
+!/var/log/atop/(atop_@@{YEAR4D}[[:digit:]]{4}|daily\.log)$
+/var/log/atop/dummy_(after|before)$ VarFile
+/@@{RUN}/(pacct_shadow\.d|atop)$ VarDir
+/@@{RUN}/atop/atop\.acct$ VarFile
+/@@{RUN}/atop\.pid$ VarFile
+!/@@{RUN}/pacct_shadow\.d/[0-9]{10}\.paf$
+/@@{RUN}/pacct_shadow\.d/current$ VarFile
+/@@{RUN}/pacct_source$ VarFile
--- /dev/null
+@@ifdef BINDCHROOT
+@@{BINDCHROOT}/dev/log$ LowLog
+@@{BINDCHROOT}/dev VarDir
+@@endif
+@@{BINDCHROOT}/var/log/bind/queries\.log$ Log
+@@{BINDCHROOT}/var/log/bind/queries\.log\.0$ LoSerMemberLog
+@@{BINDCHROOT}/var/log/bind/queries\.log\.[1-8]$ SerMemberLog
+@@{BINDCHROOT}/var/log/bind/queries\.log\.9$ HiSerMemberLog
+@@{BINDCHROOT}/var/log/bind VarDir
+@@{BINDCHROOT}/@@{RUN}/named/(session\.key|named\.pid)$ VarFile
+@@{BINDCHROOT}/@@{RUN}/named$ VarDirInode
+@@{BINDCHROOT}/var/cache/bind$ VarDir
+@@{BINDCHROOT}/var/cache/bind/[-[:alnum:].]+$ VarFile
--- /dev/null
+/var/log/btmp$ Log
+/var/log/btmp\.1$ LowLog
--- /dev/null
+# replace CEREALSESS with a regexp matching your session names
+#@@define CEREALSESS (session|session)
+@@ifdef CEREALSESS
+!/@@{RUN}/screen/S-@@{CEREALSESS}(/[0-9]+\.cereal:@@{CEREALSESS})?$
+!/var/lib/cereal/sessions/@@{CEREALSESS}/log/main(/@[0-9a-f]{24}\.s)?
+/var/lib/cereal/sessions/@@{CEREALSESS}/socket$ VarFile
+/var/lib/cereal/sessions/@@{CEREALSESS}/supervise$ VarDir
+/var/lib/cereal/sessions/@@{CEREALSESS}/supervise/(pid|stat|status)$ VarFile
+@@endif
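Review bot: The log exclusion `!/var/lib/cereal/sessions/@@{CEREALSESS}/log/main(/@[0-9a-f]{24}\.s)?` has no trailing `$`, unlike the other rules in this file. Assuming AIDE's usual matching (implicit `^`, no implicit `$`), it excludes every path that merely begins with `…/log/main`, not just the directory and its rotated files; appending `$` keeps it as narrow as its neighbours. The same missing anchor appears in later rule files of this commit: the ntpstats `peerstats`/`loopstats` exclusions and the squid cache-object exclusion ending in `[0-9A-F]{8}`. The systemd `sessions/[0-9](\.ref)?` exclusion only covers multi-digit session ids because it is unanchored, so `[0-9]+(\.ref)?$` would state the intent explicitly.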
--- /dev/null
+/var/log/setuid/setuid.changes$ Log
+/var/log/setuid/setuid.changes\.1$ LoSerMemberLog
+/var/log/setuid/setuid.changes\.[2-9]$ SerMemberLog
+/var/log/setuid/setuid.changes\.10$ HiSerMemberLog
+/var/log/setuid/setuid.(today|yesterday)$ VarFile
+/var/log/setuid$ VarDir
--- /dev/null
+/var/log/clamav/clamav\.log$ Log
+/var/log/clamav/clamav\.log\.1$ LowLog
+/var/log/clamav/clamav\.log\.2\.gz$ LoSerMemberLog
+/var/log/clamav/clamav\.log\.([3-9]|1[0-1])\.gz$ SerMemberLog
+/var/log/clamav/clamav\.log\.12\.gz$ HiSerMemberLog
+/@@{RUN}/clamav/clamd\.(ctl|pid)$ VarFile
+/var/log/clamav$ VarDir
+/@@{RUN}/clamav$ VarDirInode
--- /dev/null
+/var/log/clamav/freshclam\.log$ Log
+/var/log/clamav/freshclam\.log\.1$ LowLog
+/var/log/clamav/freshclam\.log\.2\.gz$ LoSerMemberLog
+/var/log/clamav/freshclam\.log\.([3-9]|1[0-1])\.gz$ SerMemberLog
+/var/log/clamav/freshclam\.log\.12\.gz$ HiSerMemberLog
+/var/lib/clamav/(daily|main)\.inc$ VarDir
+/var/lib/clamav/bytecode\.cld$ VarFile
+/var/lib/clamav/daily\.inc/daily\.(info|[nmhp]db)$ VarFile
+/var/lib/clamav/mirrors.dat$ VarFile
+/@@{RUN}/clamav/freshclam\.pid$ VarFile
--- /dev/null
+/@@{RUN}/console-log(/Debian-console-log)?$ VarFile
+/@@{RUN}/console-log/Debian-console-log/(8-_-_var_-_log_-_exim4_-_mainlog|9-_-_var_-_log_-_syslog_-_syslog)$ VarFile
--- /dev/null
+/var/cache/cracklib/cracklib_dict\.(hwm|pw(d|i))$ VarFile
--- /dev/null
+/@@{RUN}/crond\.(pid|reboot)$ VarFile
--- /dev/null
+/var/lib/cron-apt/_-_etc_-_cron-apt_-_config/mailchanges/(0-update-|3-download-)[0-9a-f]{32}$ VarFile
+!/var/lib/cron-apt/lockfile$
+/var/lib/cron-apt$ VarDir
+!/tmp/cron-apt\.[a-zA-Z0-9]{6}$
+!/tmp/cron-apt\.[a-zA-Z0-9]{6}/initlog$
+/var/log/cron-apt/log$ Log
+/var/log/cron-apt/log\.1\.gz$ LoSerMemberLog
+/var/log/cron-apt/log\.[23]\.gz$ SerMemberLog
+/var/log/cron-apt/log\.4\.gz$ HiSerMemberLog
+/var/log/cron-apt$ VarDir
--- /dev/null
+@@define CUPS_LOGS (access|error|page|cups-pdf)
+/var/log/cups/@@{CUPS_LOGS}_log$ Log
+/var/log/cups/@@{CUPS_LOGS}_log\.1\.gz$ LoSerMemberLog
+/var/log/cups/@@{CUPS_LOGS}_log\.[2-6]\.gz$ SerMemberLog
+/var/log/cups/@@{CUPS_LOGS}_log\.7\.gz$ HiSerMemberLog
+/var/log/cups$ VarDir
+
+/var/cache/cups$ VarDir
+/var/cache/cups/(job|remote)\.cache$ VarFile
+/var/cache/cups/job\.cache\.O$ VarFile
+/var/cache/cups/(([0-9]|([1-9]|1[0-9]|2[0-4])[0-9]|25[0-5])\.){3}([0-9]|([1-9]|1[0-9]|2[0-4])[0-9]|25[0-5])\.snmp$ VarTime
+
+!/var/spool/cups/(c[0-9]{5}|d[0-9]{5}-[0-9]{3})$
+!/var/spool/cups/tmp/cups-dbus-notifier-lockfile$
+/var/spool/cups(/tmp)?$ VarDir
+
+!/@@{RUN}/cups/certs/0$
+/@@{RUN}/cups/(printcap|cups(d\.pid|\.sock))$ VarFile
+/@@{RUN}/cups(/certs)?$ VarDirInode
+
+/etc/cups$ VarDir
+/etc/cups/(printers|subscriptions)\.conf(\.O)?$ VarFile
--- /dev/null
+/@@{RUN}/dbus/(pid|system_bus_socket)$ VarFile
+/@@{RUN}/dbus$ VarDirInode
--- /dev/null
+/var/cache/ddclient/ddclient\.cache$ VarFile
+/@@{RUN}/ddclient\.pid$ VarFile
--- /dev/null
+/var/cache/debconf/(config|templates)\.dat(-old)?$ VarFile
+/var/cache/debconf$ VarDir
--- /dev/null
+/var/lib/debsecan/history$ VarFile
+/var/lib/debsecan$ VarDir
--- /dev/null
+/var/lib/dlocate/(dpkg-list|dlocatedb(|\.stamps|\.old))$ VarFile
+/var/lib/dlocate$ VarDir
--- /dev/null
+/var/lib/dokuwiki/data/cache/[0-9a-f]/[0-9a-f]{32}\.(feed|i|xhtml)$ VarFile
+/var/lib/dokuwiki/data/(changes\.log|(index|word)\.idx)$ VarFile
+/var/lib/dokuwiki/data/meta/([a-z]+\.indexed|_dokuwiki\.changes)$ VarFile
+/var/lib/dokuwiki/data/meta$ VarDir
+/var/lib/dokuwiki/data/pages/[a-z]+\.txt$ VarFile
+/var/lib/dokuwiki/data/(attic|cache|locks|pages)$ VarDir
--- /dev/null
+/var/lib/dovecot/ssl-parameters\.dat$ VarFile
+/var/lib/dovecot$ VarDir
+/@@{RUN}/dovecot/(auth-worker\.[0-9]{4}|master\.pid)$ VarFile
+/@@{RUN}/dovecot/login/(default|ssl-parameters\.dat)$ VarFile
+/@@{RUN}/dovecot(/login)?$ VarDirInode
--- /dev/null
+/var/lib/dpkg/(available|status)(-old)?$ VarFile
+/var/lib/dpkg/status\.yesterday(\.[0-9]*)?(\.gz)?$ VarFile
+/var/lib/dpkg/triggers/Lock$ VarFile
+/var/lib/dpkg/(info|updates|lock)$ VarDir
+/var/lib/dpkg$ VarDir
+/var/log/(alternatives|dpkg)\.log$ Log
+/var/log/(alternatives|dpkg)\.log\.1$ LowLog
+/var/log/(alternatives|dpkg)\.log\.2\.gz$ LoSerMemberLog
+/var/log/(alternatives|dpkg)\.log\.([3-9]|1[0-1])\.gz$ SerMemberLog
+/var/log/(alternatives|dpkg)\.log\.12\.gz$ HiSerMemberLog
+/var/backups/(alternatives\.tar|dpkg\.(status|diversions|statoverride))\.0$ LowLog
+/var/backups/(alternatives\.tar|dpkg\.(status|diversions|statoverride))\.1\.gz$ LoSerMemberLog
+/var/backups/(alternatives\.tar|dpkg\.(status|diversions|statoverride))\.[2345]\.gz$ SerMemberLog
+/var/backups/(alternatives\.tar|dpkg\.(status|diversions|statoverride))\.6\.gz$ HiSerMemberLog
--- /dev/null
+/etc/\.git/index$ VarInode
+/etc/\.git$ VarDirTime
--- /dev/null
+/var/spool/exim4/gnutls-params$ VarFile
+/var/spool/exim4/db/(wait-remote_smtp(_smarthost)?|retry|callout)$ VarFile
+!/var/spool/exim4/input/[a-zA-Z0-9]{6}-[a-zA-Z0-9]{6}-[a-zA-Z0-9]{2}-[DHJ]$
+!/var/spool/exim4/msglog/[a-zA-Z0-9]{6}-[a-zA-Z0-9]{6}-[a-zA-Z0-9]{2}$
+!/var/spool/exim4/gnutls-params$
+!/var/spool/exim4/.rnd$
+/var/spool/exim4(/(input|msglog|scan))?$ VarDir
+/var/lib/exim4/config.autogenerated$ VarFile
+/@@{RUN}/exim4/exim.pid$ VarFile
+/var/lib/exim4$ VarDir
+/@@{RUN}/exim4$ VarDirInode
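Review bot: `/var/spool/exim4/gnutls-params$` is listed twice with opposite meaning, once as `VarFile` on the first line and again as the exclusion `!/var/spool/exim4/gnutls-params$`. Only one of the two can take effect, so the file should keep whichever is intended and drop the other; if the file is meant to be tracked, the `!` line silently removes it from the database. The dots in `!/var/spool/exim4/.rnd$`, `config.autogenerated` and `exim.pid` are also unescaped, unlike most rules in this commit, and so match any character in that position.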
--- /dev/null
+# if your host frequently produces paniclog entries (this happens if
+# spam or virus scanners are in use), set
+# @@define EXIM4_LOGS (main|reject|panic)
+@@define EXIM4_LOGS (main|reject)
+/var/log/exim4/@@{EXIM4_LOGS}log$ Log
+/var/log/exim4/@@{EXIM4_LOGS}log\.1$ LowLog
+/var/log/exim4/@@{EXIM4_LOGS}log\.2\.gz$ LoSerMemberLog
+/var/log/exim4/@@{EXIM4_LOGS}log\.[3-9]\.gz$ SerMemberLog
+/var/log/exim4/@@{EXIM4_LOGS}log\.10\.gz$ HiSerMemberLog
+/var/log/exim4$ VarDir
--- /dev/null
+/var/log/fail2ban\.log$ Log
+/var/log/fail2ban\.log\.1$ LowLog
+/var/log/fail2ban\.log\.2\.gz$ LoSerMemberLog
+/var/log/fail2ban\.log\.3\.gz$ SerMemberLog
+/var/log/fail2ban\.log\.4\.gz$ HiSerMemberLog
+/@@{RUN}/fail2ban/fail2ban\.(sock|pid)$ VarFile
+/@@{RUN}/fail2ban$ VarDirInode
--- /dev/null
+/@@{RUN}/fcron\.(pid|fifo)$ VarFile
+/var/spool/fcron/systab$ VarFile
+/var/spool/fcron$ VarDir
--- /dev/null
+/var/cache/locate/locatedb$ VarFile
+/var/cache/locate$ VarDir
--- /dev/null
+!/@@{RUN}/user/[0-9]+/gnupg(/S.(dirmngr|gpg-agent(\.(browser|extra|ssh))?))?$
--- /dev/null
+/@@{RUN}/hald/hald\.pid$ VarFile
+/@@{RUN}/hald$ VarDirInode
--- /dev/null
+/@@{RUN}/hdapsd\.pid$ VarFile
--- /dev/null
+@@define INTERFACES eth0
+/@@{RUN}/ifplugd\.@@{INTERFACES}\.pid$ VarFile
--- /dev/null
+/@@{RUN}/network/ifstate$ VarFile
--- /dev/null
+/@@{RUN}/inetd\.pid$ VarFile
--- /dev/null
+/@@{DEVDOT}initramfs$ VarDirInode
--- /dev/null
+/var/lib/urandom/random-seed$ VarFile
+/var/lib/(urandom|initscripts)$ VarDir
+/var/log/dmesg$ Log
+/var/log/dmesg\.0$ LowLog
+/var/log/dmesg\.1\.gz$ LoSerMemberLog
+/var/log/dmesg\.[23]\.gz$ SerMemberLog
+/var/log/dmesg\.4\.gz$ HiSerMemberLog
+/var/log/fsck/check(root|fs)$ VarFile
+/@@{RUN}/motd$ VarFile
--- /dev/null
+@@define NEWSLOGS (errlog|expire\.log|news(\.crit|\.err|\.notice)?|rc\.news|sendsys\.log|unwanted\.log|inn_status\.html|innfeed\.status|expire\.(lastlowmark|list))
+@@define OLDLOGS (active|errlog|expire\.log|news(\.crit|\.err|\.notice)?|sendsys\.log|unwanted\.log)
+
+!/var/lib/news/history(\.(dir|hash|index))?$
+/var/lib/news/(active(\.old)?|newsgroups|\.news\.daily)$ VarFile
+
+!/var/spool/news/articles(/[-a-z0-9+]+)+$
+/var/spool/news/overview/group\.index$ VarFile
+!/var/spool/news/overview(/[a-z0-9])+/[-\.a-z0-9+]+\.(IDX|DAT)$
+/var/spool/news/overview(/[a-z0-9])+$ VarDir
+!/var/spool/news/articles/control/(newgroup|checkgroups|rmgroup)/[0-9]*$
+/var/spool/news/innfeed/@@{INN2_INNFEED_OUTFEEDS}\.(lock|output|input)$ VarFile
+!/var/spool/news/innfeed/innfeed-dropped\.A[0-9]{6}$
+/var/spool/news/innfeed$ VarDir
+/var/spool/news/incoming(/tmp)?$ VarDir
+
+/@@{RUN}/news/(control|(innd|innfeed|innwatch)\.pid|innwatch\.time|LOCK\.innwatch|nntpin)$ VarFile
+/@@{RUN}/news$ VarDirInode
+
+/var/log/news/path/inpaths\.[0-9]{10}$ VarFile+ANF
+/var/log/news/@@{NEWSLOGS}$ VarFile
+/var/log/news/OLD/(expire\.log\.0|unwanted\.log)$ VarFile
+/var/log/news/OLD/@@{OLDLOGS}\.1\.gz$ LoSerMemberLog
+/var/log/news/OLD/@@{OLDLOGS}\.[0-9]+\.gz$ SerMemberLog
+/var/log/news(/(path|OLD))?$ VarDir
--- /dev/null
+/@@{RUN}/ippl/ippl.(pid|conf)$ VarFile
+/@@{RUN}/ippl$ VarDirInode
--- /dev/null
+# @@define ISCDHCLIENTIFACE eth0
+@@ifdef ISCDHCLIENTIFACE
+/@@{RUN}/dhclient\.@@{ISCDHCLIENTIFACE}\.pid$ VarFile
+/var/lib/dhcp/dhclient\.@@{ISCDHCLIENTIFACE}\.leases$ VarFile
+@@endif
--- /dev/null
+/@@{RUN}/dhcpd\.pid$ VarFile
+/var/lib/dhcp/dhcpd6?.leases~?$ VarFile
+/var/lib/dhcp$ VarDir
--- /dev/null
+/var/tmp/krb5kdc_rcache$ VarFile
+/var/tmp/(nfs|host)_[0-9]+$ VarFile
+/tmp/krb5cc_machine_[A-Z.]+$ VarFile
+!/tmp/krb5cc_[0-9]+_[[:alnum:]]+$
+/var/lib/krb5kdc/principal$ VarFile+s+b+i
+/var/lib/krb5kdc/principal\.ok$ VarTime
--- /dev/null
+/@@{RUN}/laptop-mode-tools/(state(-brightness-command)?|enabled|start-stop-undo-actions|nolm-mountopts)$ VarFile
+/@@{RUN}/laptop-mode-tools$ VarDirInode
+/@@{RUNLOCK}/lmt-(req|invoc)\.lock$ VarInode
--- /dev/null
+/var/log/lastlog$ Log
--- /dev/null
+# removed, Debian migrated to /run
--- /dev/null
+/var/lib/apache2/fcgid/sock$ VarDir
+!/var/lib/apache2/fcgid/sock/[0-9]{5}\.[0-9]$
--- /dev/null
+/var/(lib|cache)/libvirt/qemu$ VarDir
+/@@{RUN}/libvirtd\.pid$ VarFile
+/@@{RUN}/libvirt/libvirt-sock(-ro)?$ VarFile
+/var/lib/libvirt/qemu/[-[:alnum:]]+\.monitor$ VarInode
+/var/lib/libvirt/qemu/(save|snapshot)$ VarDir
+/var/lib/libvirt$ VarDir
+/@@{RUNLOCK}/libvirt-guests$ VarDirInode
+/@@{RUN}/libvirt/qemu/[-[:alnum:]]+\.(pid|xml)$ VarFile
+/@@{RUN}/libvirt(/(qemu|uml-guest))?$ VarDirInode
--- /dev/null
+@@define LIGHTTP_LOGS (access|error)
+/var/log/lighttpd/@@{LIGHTTP_LOGS}\.log$ Log
+/var/log/lighttpd/@@{LIGHTTP_LOGS}\.log\.1$ LowLog
+/var/log/lighttpd/@@{LIGHTTP_LOGS}\.log\.2\.gz$ LoSerMemberLog
+/var/log/lighttpd/@@{LIGHTTP_LOGS}\.log\.([3-9]|10|11)\.gz$ SerMemberLog
+/var/log/lighttpd/@@{LIGHTTP_LOGS}\.log\.12\.gz$ HiSerMemberLog
+
+/@@{RUN}/lighttpd\.pid$ VarFile
+/@@{RUN}/lighttpd$ VarDirInode
+
+/tmp/php\.socket-[0-9]$ VarFile
--- /dev/null
+/var/lib/logcheck/offset\.var\.log\.(syslog|auth\.log)$ VarFile
+/var/lib/logcheck$ VarDir
+/@@{RUNLOCK}/logcheck$ VarDirInode
--- /dev/null
+/var/lib/logrotate$ VarDir
+/var/lib/logrotate/status$ VarFile
--- /dev/null
+/etc/lvm/cache/\.cache$ VarInode
+/etc/lvm/cache$ VarDir
+/@@{RUNLOCK}/lvm$ VarDirInode
--- /dev/null
+/var/mail/[a-z0-9]+$ VarFile
+/var/mail$ VarDir
--- /dev/null
+# maintained on q
+!/var/lib/mailman/data/(bounce-events|heldmsg-[-[:alnum:]]+)-[[:digit:]]+\.pck$
+/var/lib/mailman/data$ VarDir
+!/var/lib/mailman/archives/private/[-[:alnum:]]+/database/@@{YEAR4D}-[[:alnum:]]+-(author|subject|thread|article|date)$
+!/var/lib/mailman/archives/private/[-[:alnum:]]+/@@{YEAR4D}-[[:alnum:]]+/(author|subject|thread|date|index|[[:digit:]]{5,6})\.html$
+!/var/lib/mailman/archives/private/[-[:alnum:]]+/@@{YEAR4D}-[[:alnum:]]\.txt(\.gz)?$
+!/var/lib/mailman/archives/private/[-[:alnum:]]+/attachments/[[:digit:]]{8}/[[:digit:]]{8}/[[:alnum:]\.]+$
+
+/var/lib/mailman/lists/[-[:alnum:]]+/(config|request|pending)\.pck$ VarFile
+/var/lib/mailman/lists/[-[:alnum:]]+/(config)\.pck\.last$ VarFile
+/var/lib/mailman/lists/[-[:alnum:]]+$ VarDir
+
+/var/lib/mailman/qfiles/(in|archive|bounces|retry|out|virgin)$ VarFile
+
+/@@{RUNLOCK}/mailman/master-qrunner(\.[[:alnum:]]+\.[[:digit:]]+)?$ VarFile
+/@@{RUNLOCK}/mailman$ VarDirInode
+
+@@define LOGFILES4 (vette|error|bounce|digest)
+/var/log/mailman/@@{LOGFILES4}$ Log
+/var/log/mailman/@@{LOGFILES4}\.1$ LowLog
+/var/log/mailman/@@{LOGFILES4}\.2\.gz$ LoSerMemberLog
+/var/log/mailman/@@{LOGFILES4}\.3\.gz$ SerMemberLog
+/var/log/mailman/@@{LOGFILES4}\.4\.gz$ HiSerMemberLog
+
+@@define LOGFILES12 (subscribe|post)
+/var/log/mailman/@@{LOGFILES12}$ Log
+/var/log/mailman/@@{LOGFILES12}\.1$ LowLog
+/var/log/mailman/@@{LOGFILES12}\.2\.gz$ LoSerMemberLog
+/var/log/mailman/@@{LOGFILES12}\.([3-9]|1[0-1])\.gz$ SerMemberLog
+/var/log/mailman/@@{LOGFILES12}\.12\.gz$ HiSerMemberLog
+
+@@define LOGFILES7 (qrunner|fromusenet|locks|smtp(-failure)?)
+/var/log/mailman/@@{LOGFILES7}$ Log
+/var/log/mailman/@@{LOGFILES7}\.1$ LowLog
+/var/log/mailman/@@{LOGFILES7}\.2\.gz$ LoSerMemberLog
+/var/log/mailman/@@{LOGFILES7}\.[3-6]\.gz$ SerMemberLog
+/var/log/mailman/@@{LOGFILES7}\.7\.gz$ HiSerMemberLog
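Review bot: The archive exclusion `…/@@{YEAR4D}-[[:alnum:]]\.txt(\.gz)?$` is missing the `+` that the two rules above it carry after `[[:alnum:]]`. As written it only matches a one-character month component, so the monthly `.txt` archives are not excluded the way the sibling `.html` and `database` entries are. `@@{YEAR4D}-[[:alnum:]]+\.txt(\.gz)?$` brings it in line. The `qfiles/(in|archive|bounces|retry|out|virgin)$` entries are tagged `VarFile` although they look like queue directories; worth confirming that group is the intended one.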
--- /dev/null
+/var/cache/man/(cat[123456789]|local|opt|fsstnd|oldlocal|X11R6)$ VarDir
+
+@@define LANGS (ca|cs|da|de(\.UTF-8)?|en|es(\.UTF-8)?|fi|fr(\.(ISO8859-1|UTF-8))?|gl|hr|hu|id|it(\.(ISO8859-1|UTF-8))?|ja(\.UTF-8)?|jp|ko|nl|pl(\.(UTF-8|ISO8859-2))?|pt(_BR)?|ro|ru|sv|sk|sl|tr|vi|zh(_(CH|CN|TW))?)
+
+/var/cache/man(/@@{LANGS})?/(CACHEDIR\.TAG|index\.db)$ VarFile
+/var/cache/man(/@@{LANGS})?$ VarDir
--- /dev/null
+/@@{RUN}/mdadm/(monitor|autorebuild)\.pid$ VarFile
+/run/mdadm/m(ap|d[0-9]+-uevent)$ VarInode
+/@@{RUN}/mdadm$ VarDirInode
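Review bot: The `m(ap|d[0-9]+-uevent)` rule hard-codes `/run/mdadm`, while the two neighbouring rules use `/@@{RUN}/mdadm`. `RUN` is defined outside this view, but if it ever expands to something other than `run`, the three lines stop describing the same directory. `/@@{RUN}/mdadm/m(ap|d[0-9]+-uevent)$ VarInode` follows the file's own convention. The mlocate rule file added next has the same literal prefix in `!/run/mlocate\.daily\.lock$`.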
--- /dev/null
+/var/lib/mlocate/mlocate\.db$ VarFile
+/var/lib/mlocate$ VarDir
+!/run/mlocate\.daily\.lock$
--- /dev/null
+/lib/modules/[-0-9\.]*/modules\.dep$ VarFile
--- /dev/null
+# removed, /etc/mtab is now a symlink
--- /dev/null
+/var/cache/munin/www/index\.html$ VarFile
+@@ifdef DNSDOMAINNAME
+@@ifdef FQDN
+/var/cache/munin/www/@@{DNSDOMAINNAME}/(index\.html|@@{FQDN}/[-_[:alnum:]]+\.(png|html))$ VarFile
+/var/lib/munin/@@{DNSDOMAINNAME}/@@{FQDN}-.*\.rrd$ VarFile
+/@@{RUN}/munin/munin-@@{DNSDOMAINNAME}-@@{FQDN}\.lock$ VarFile
+@@endif
+/var/cache/munin/www/@@{DNSDOMAINNAME}/comparison-(month|day|year|week)\.html$ VarFile
+@@endif
+!/@@{RUN}/munin/munin-(update|datafile|graph|limits|html)\.lock$
+/var/lib/munin/(limits|datafiles|munin-(update|graph)\.stats)$ VarFile
+!/var/lib/munin/munin-(update|graph)\.stats\.tmp$
+/var/lib/munin/plugin-state/(exim_mailstats(-(([0-9]|([1-9]|1[0-9]|2[0-4])[0-9]|25[0-5])\.){3}([0-9]|([1-9]|1[0-9]|2[0-4])[0-9]|25[0-5]))?|(smart-[sh]d[a-z]|munin-cupsys-pages)\.state)$ VarFile
+/var/lib/munin/plugin-state/(postfix_mailvolume|_proc_net_tcp[6]?)$ VarFile
+/var/lib/munin/datafile$ VarFile
+/var/lib/munin$ VarDir
+@@define LOGFILES (node|graph|update|html|limits)
+/var/log/munin/munin-@@{LOGFILES}\.log$ Log
+/var/log/munin/munin-@@{LOGFILES}\.log\.1\.gz$ LoSerMemberLog
+/var/log/munin/munin-@@{LOGFILES}\.log\.[2-6]\.gz$ SerMemberLog
+/var/log/munin/munin-@@{LOGFILES}\.log\.7\.gz$ HiSerMemberLog
+/var/log/munin$ VarDir
+!/@@{RUN}/munin/munin-server-socket\.[0-9]+$
+/@@{RUN}/munin/munin-node\.pid$ VarFile
+/@@{RUN}/munin$ VarDirInode
--- /dev/null
+#!/bin/sh
+#
+# generate aide exclude patterns for all nodes listed in $MUNINCONF
+
+MUNINCONF=/etc/munin/munin.conf
+
+[ -e $MUNINCONF ] || exit 0
+
+HOSTS=$(grep '^\[[[:alnum:]:.]\+\]' $MUNINCONF | tr -d '[]')
+
+escape_dots()
+{
+ echo $1 | sed 's/\./\\\./g'
+}
+
+for HOST in $HOSTS; do
+ DOMAIN=$(escape_dots ${HOST#*.})
+ DHOST=$(escape_dots $HOST)
+
+ echo "/var/cache/munin/www/$DOMAIN/(index\.html|$DHOST/[-_[:alnum:]]+\.(png|html))$ VarFile"
+ echo "/var/lib/munin/$DOMAIN/$DHOST-.*\.rrd$ VarFile"
+ echo "/@@{RUN}/munin/munin-(update|datafile|$DOMAIN-$DHOST|limits)\.lock$ VarFile"
+done
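Review bot: The node-name pattern `^\[[[:alnum:]:.]\+\]` leaves `-` out of the bracket expression, so a node named like `[web-1.example.org]` (constructed example) gets no generated rules. Its rrd and html files then fall under whatever broader rule applies and show up as noise in the report. `grep '^\[[-[:alnum:]:.]\+\]' "$MUNINCONF"` covers hyphenated names. In `escape_dots`, `echo $1` is unquoted and subject to word splitting and globbing; `printf '%s\n' "$1"` avoids that.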
--- /dev/null
+/var/lib/mysql$ VarDir
+/var/lib/mysql/(ibdata1|ib_logfile0)$ VarFile
+/var/log/mysql$ VarDir
+/var/log/mysql/mysql-bin\.index$ VarFile
+!/var/log/mysql/mysql-bin\.[0-9]{3}$
+!/var/log/mysql/mysql-bin\.[0-9]{6}$
+/@@{RUN}/mysqld/mysqld\.(sock|pid)$ VarFile
+/@@{RUN}/mysqld$ VarDirInode
--- /dev/null
+/var/cache/nagios2/(objects\.cache|status\.dat)$ VarFile
+/var/lib/nagios2/(comments|retention)\.dat$ VarFile
+/var/lib/nagios2/rw/nagios\.cmd$ VarFile
+/var/lib/nagios2/rw$ VarDir
+/var/log/nagios2/nagios\.log$ LowLog
+/var/log/nagios2/archives/nagios-[01][0-9]-[0123][0-9]-@@{YEAR4D}-00\.log$ SerMemberDELog
+/@@{RUN}/nagios2/nagios2\.pid$ VarFile
+/var/(cache|lib|log)/nagios2$ VarDir
+/@@{RUN}/nagios2$ VarDirInode
+/var/log/nagios2/archives$ VarDir
--- /dev/null
+!/var/lib/nagios3/spool/checkresults/[a-zA-Z0-9]{7}(\.ok)?$
+/var/lib/nagios3/spool/checkresults$ VarDir
+/var/lib/nagios3/retention\.dat$ VarFile
+/var/lib/nagios3$ VarDir
+
+/var/log/nagios3/archives/nagios-[0-9]{2}-[0-9]{2}-[0-9]{4}-[0-9]{2}\.log$ LoSerMemberLog
+/var/log/nagios3/archives$ VarDir
+/var/log/nagios3/nagios\.log$ LowLog
+/var/log/nagios3$ VarDir
+
+/var/cache/nagios3/(status\.dat|objects\.cache)$ VarFile
+/var/cache/nagios3$ VarDir
+
+/@@{RUN}/nagios3/nagios3\.pid$ VarFile
+/@@{RUN}/nagios3$ VarDirInode
--- /dev/null
+/@@{RUN}/network$ VarDirInode
--- /dev/null
+/@@{RUN}/(rpc\.statd|sm-notify)\.pid$ VarFile
+/var/lib/nfs/state$ VarFile
+/var/lib/nfs/etab$ VarInode
+/var/lib/nfs/rpc_pipefs/nfs/clnt[0-9]/(info|krb5|idmap)$ VarTime
+/var/lib/nfs/rpc_pipefs/nfs/clnt[0-9]$ VarDir
+/var/lib/nfs/rpc_pipefs/(statd|portmap|nfs|mount|lockd)$ VarDir
+/var/lib/nfs/rpc_pipefs$ VarDirInode
+/var/lib/nfs(/v4recovery)?$ VarDir
--- /dev/null
+/@@{RUN}/nagios/nrpe\.pid$ VarFile
+/@@{RUN}/nagios$ VarDirInode
--- /dev/null
+/var/cache/nscd/(passwd|group|services)$ VarFile
+/@@{RUN}/nscd/(socket|nscd\.pid)$ VarFile
+/@@{RUN}/nscd$ VarDirInode
--- /dev/null
+/@@{RUN}/nslcd/(socket|nslcd\.pid)$ VarFile
+/@@{RUN}/nslcd$ VarDirInode
--- /dev/null
+/var/lib/ntp/ntp\.drift$ VarFile
+/var/lib/ntp$ VarDir
+!/var/log/ntpstats/peerstats(\.[0-9]{8})?
+!/var/log/ntpstats/loopstats(\.[0-9]{8})?
+/var/log/ntpstats$ VarDir
+/@@{RUN}/ntpd\.pid$ VarFile
--- /dev/null
+/@@{RUN}/openvpn\.client\.status$ VarFile
--- /dev/null
+/etc/opiekeys$ VarFile
--- /dev/null
+!/@@{RUN}/motd\.dynamic$
--- /dev/null
+/@@{RUN}/pcscd/pcscd\.(pub|comm|pid)$ VarFile
+/@@{RUN}/pcscd(/pcscd\.events)?$ VarDirInode
--- /dev/null
+/var/lib/systemd/timers/stamp-phpsessionclean\.timer$ VarFile
--- /dev/null
+/var/lib/php/sessions$ VarDir
+/var/lib/php/sessions/sess_[0-9a-z]{26}$ VarFile+ANF+ARF
+/var/lib/php/sessions/sess_[0-9a-z]{32}$ VarFile+ANF+ARF
--- /dev/null
+/@@{RUN}/pm-utils/(pm-(suspend|powersave)(/storage)?|locks)$ VarDirInode
--- /dev/null
+/@@{RUN}/portmap(\.pid|_mapping)$ VarFile
+/@@{LIBINITRW}/sendsigs\.omit\.d/portmap$ VarInode
--- /dev/null
+/var/lib/postfix/prng_exch$ VarFile
+/var/spool/postfix/(active|incoming|maildrop)$ VarDir
+/var/spool/postfix/public/(pickup|qmgr)$ VarTime
--- /dev/null
+/var/log/postgresql/postgresql-[0-9]\.[0-9]-main\.log$ Log
+/var/log/postgresql/postgresql-[0-9]\.[0-9]-main\.log\.1$ LowLog
+/var/log/postgresql/postgresql-[0-9]\.[0-9]-main\.log\.2\.gz$ LoSerMemberLog
+/var/log/postgresql/postgresql-[0-9]\.[0-9]-main\.log\.[3-9]\.gz$ SerMemberLog
+/var/log/postgresql/postgresql-[0-9]\.[0-9]-main\.log\.10\.gz$ HiSerMemberLog
+/var/log/postgresql$ VarDir
+
+/@@{RUN}/postgresql/[0-9]\.[0-9]-main\.pid$ VarFile
+/@@{RUN}/postgresql$ VarDirInode
+
+@@define PORT 5432
+/@@{RUN}/postgresql/\.s\.PGSQL\.@@{PORT}(\.lock)?$ VarFile
+/var/lib/postgresql/[0-9]\.[0-9]/main/pg_stat_tmp/pgstat\.stat$ VarFile
+/var/lib/postgresql/[0-9]\.[0-9]/main/pg_stat_tmp$ VarDir
--- /dev/null
+/var/lib/postgrey$ VarDir
+/var/lib/postgrey/postgrey(|lock)\.db$ VarFile
+/var/lib/postgrey/log\.[0-9]{10}$ VarFile
+/var/lib/postgrey/__db\.[0-9]{3}$ VarFile
--- /dev/null
+/var/log/privoxy/logfile$ Log
--- /dev/null
+/var/log/proftpd/proftpd(_(access|auth|xfer))?\.log$ Log
+/@@{RUN}/proftpd/proftpd\.(delay|pid|scoreboard)$ VarFile
+/var/log/proftpd$ VarDir
+/@@{RUN}/proftpd$ VarDirInode
+
--- /dev/null
+/etc/resolv\.conf$ VarFile
+/@@{LIBINITRW}/resolvconf/interface/(wlan|eth)[0-9]+(\.(dhclient|inet))?$ VarFile
+/@@{LIBINITRW}/resolvconf/enable-updates$ VarFile
+/@@{LIBINITRW}/resolvconf/resolv\.conf$ VarFile
+/@@{LIBINITRW}/resolvconf(/interface)?$ VarDirInode
--- /dev/null
+/var/lib/rkhunter/db/(mirrors|rkhunter_prop_list)\.dat$ VarTime
+/var/lib/rkhunter/tmp/(group|passwd)$ VarFile
+/var/lib/rkhunter/(db|tmp)$ VarDir
+/var/log/rkhunter\.log$ Log
+/var/log/rkhunter\.log\.1$ LowLog
+/var/log/rkhunter\.log\.2\.gz$ LoSerMemberLog
+/var/log/rkhunter\.log\.3\.gz$ SerMemberLog
+/var/log/rkhunter\.log\.4\.gz$ HiSerMemberLog
--- /dev/null
+/@@{RUN}/rngd\.pid$ VarFile
--- /dev/null
+#/root/\.bash_history$ VarFile
+#/root/\.lesshst$ VarFile
+#/root/\.viminfo$ VarFile
+#/root$ VarDir
--- /dev/null
+/var/log/rsnapshot\.log$ Log
+/var/log/rsnapshot\.log\.1\.gz$ LoSerMemberLog
+/var/log/rsnapshot\.log\.[2-5]\.gz$ SerMemberLog
+/var/log/rsnapshot\.log\.6\.gz$ HiSerMemberLog
--- /dev/null
+@@define LOGFILES7R (syslog)
+/var/log/@@{LOGFILES7R}$ Log
+/var/log/@@{LOGFILES7R}\.1$ LowLog
+/var/log/@@{LOGFILES7R}\.2\.gz$ LoSerMemberLog
+/var/log/@@{LOGFILES7R}\.[3-6]\.gz$ SerMemberLog
+/var/log/@@{LOGFILES7R}\.7\.gz$ HiSerMemberLog
+@@define LOGFILES4R (messages|debug|(cron|lpr|auth|daemon|kern|user)\.log|mail\.(log|err|warn|info))
+/var/log/@@{LOGFILES4R}$ Log
+/var/log/@@{LOGFILES4R}\.1$ LowLog
+/var/log/@@{LOGFILES4R}\.2\.gz$ LoSerMemberLog
+/var/log/@@{LOGFILES4R}\.3\.gz$ SerMemberLog
+/var/log/@@{LOGFILES4R}\.4\.gz$ HiSerMemberLog
+/var/log$ VarDir
+/@@{RUN}/rsyslogd.pid$ VarFile
+/@@{LIBINITRW}/sendsigs\.omit\.d/rsyslog$ VarInode
--- /dev/null
+/@@{RUN}/systemd/netif(/(links|lldp|leases))?$ VarDir
+/@@{RUN}/systemd/netif/state$ VarFile
+/@@{RUN}/systemd/netif/(links|lldp|leases)/[0-9]{1,2}$ VarFile
--- /dev/null
+/@@{RUN}/systemd/resolve$ VarDir
+/@@{RUN}/systemd/resolve/resolv\.conf$ VarFile
--- /dev/null
+!/@@{RUN}/user(/[0-9]+(/systemd(/(notify|private|transient))?)?)?$
--- /dev/null
+/etc/samba/passdb\.tdb$ VarFile
+
+/var/log/samba/log\.(smbd|nmbd)$ Log
+/var/log/samba/log\.(smbd|nmbd)\.1\.gz$ LoSerMemberLog
+/var/log/samba/log\.(smbd|nmbd)\.[2-6]\.gz$ SerMemberLog
+/var/log/samba/log\.(smbd|nmbd)\.7\.gz$ HiSerMemberLog
+
+/var/log/samba/log\.[[:alnum:]._]+$ FreqRotLog
+/var/log/samba/log\.[[:alnum:]._]+\.old$ LowLog
+
+/var/log/samba/cores/[sn]mbd$ VarDir
+
+/@@{RUN}/samba/[sn]mbd\.pid$ VarFile
+/@@{RUN}/samba/(gencache(_notrans)?|messages|sessionid|connections|brlock|locking|notify(_onelevel)?|unexpected)\.tdb$ VarFile
+!/@@{RUN}/samba/namelist\.debug$
+
+/var/cache/samba/browse\.dat$ VarFile
+
+/var/lib/samba/(wins\.dat|(group_mapping\.l|(wins|registry|ntprinters|schannel_store)\.t)db)$ VarFile
+/var/lib/samba/private/msg\.sock$ VarFile
+
+/var/(log|cache|lib)/samba$ VarDir
+/@@{RUN}/samba(/msg\.lock)?$ VarDirInode
+!/@@{RUN}/samba/msg\.lock/[0-9]+$
+
--- /dev/null
+/@@{RUN}/screen/S-[0-9a-z]+$ VarDirInode
+@@ifdef HOSTNAME
+!/@@{RUN}/screen/S-[0-9a-z]+/[0-9]{1,5}\.pts-[0-9]\.@@{HOSTNAME}$
+@@endif
+/@@{RUN}/screen$ VarDirInode
--- /dev/null
+/var/lib/ldap/[[:alnum:]]+\.bdb$ VarTime
+/var/lib/ldap/__db\.00[1-5]+$ VarFile
+/var/lib/ldap/log\.0000000001$ VarFile
+/var/lib/ldap/alock$ VarFile
+/var/lib/ldap$ VarDir
+
+/@@{RUN}/ldapi$ VarInode
+/@@{RUN}/slapd/slapd\.args$ VarInode
+/@@{RUN}/slapd/slapd\.pid$ VarFile
+/@@{RUN}/slapd$ VarDirInode
--- /dev/null
+/var/lib/slrn/newsgroups\.dsc$ VarFile
--- /dev/null
+/@@{RUN}/smartd\.pid$ VarFile
+/var/lib/smartmontools/smartd\.[-_[:alnum:]]+\.ata\.state~?$ VarFile
+/var/lib/smartmontools/attrlog\.[-_[:alnum:]]+\.ata\.csv$ VarFile
+/var/lib/smartmontools$ VarDir
--- /dev/null
+#!/bin/bash
+
+if [ -d "/var/lib/smokeping" ]; then
+ find /var/lib/smokeping -type f -name '*.rrd' | \
+ sed 's/^\(.*\)/\1$ VarFile/'
+fi
+if [ -d "/var/www/smokeping" ]; then
+ find /var/www/smokeping -type f -name '*.png' | \
+ sed 's/^\(.*\)/\1$ VarFile/'
+ find /var/www/smokeping -type f -name '*.maxhight' | \
+ sed 's/^\(.*\)/\1$ VarFile/'
+fi
+
+cat <<EOF
+/@@{RUN}/smokeping/smokeping\.pid$ VarFile
+/@@{RUN}/smokeping$ VarDirInode
+!/tmp/speedy\.6\.21\.F$
+EOF
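Review bot: The paths printed by `find` are pasted into the rule set as regular expressions without any escaping. The `.` in `.rrd`, `.png` and `.maxhight` therefore matches any character, and a file name containing a space or a regex metacharacter produces a malformed or overly broad rule. Since these names come from a directory the monitoring daemon writes to, the generator should escape them first, for example `sed -e 's/[][\.*^$+?(){}|]/\\&/g' -e 's/$/$ VarFile/'`. The torrus script later in this commit feeds `find /var/lib/torrus/collector_rrd` through the same unescaped `sed` and needs the same change.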
--- /dev/null
+/var/lib/snmp/snmpd\.conf$ VarFile
+/var/lib/snmp$ VarDir
+/@@{RUN}/snmpd\.pid$ VarFile
--- /dev/null
+/var/spool/spamassassin/bayes/(bayes_(journal|toks|seen)|auto-whitelist)$ VarFile
+/var/spool/spamassassin/bayes$ VarDir
+/@@{RUN}/spamd\.pid$ VarFile
+
+# enable this if you run automatic rule updates
+# !/var/lib/spamassassin/3\.002001/updates_spamassassin_org/[0-9][0-9]_[a-z]\.cf$
--- /dev/null
+!/var/spool/squid/[0-9A-F]{2}/[0-9A-F]{2}/[0-9A-F]{8}
+/var/spool/squid/(netdb_state|swap.state(.last-clean)?) VarFile
+/var/spool/squid/[0-9A-F]{2}(/[0-9A-F]{2})?$ VarDir
+/var/log/squid/(access|store)\.log$ Log
--- /dev/null
+!/tmp/ssh-[a-zA-Z0-9]{10}$
+!/tmp/ssh-[a-zA-Z0-9]{10}/agent.[0-9]{1,5}$
--- /dev/null
+/@@{RUN}/sshd.pid$ VarFile
--- /dev/null
+#!/bin/bash
+
+for dir in /run/sudo /var/lib/sudo; do
+ if [ -d "$dir" ]; then
+ printf "%s/ts/[a-z0-9]+$ VarFile\n" "$dir"
+ break;
+ fi
+done
+
--- /dev/null
+#!/bin/bash
+
+REPOSITORIES=""
+
+if [ -r "$UPAC_settingsd/31_aide_svn-server_settings" ]; then
+ # pull in configuration
+ . "$UPAC_settingsd/31_aide_svn-server_settings"
+fi
+
+for svnpath in $REPOSITORIES; do
+ [ -d $svnpath ] || exit 1
+ echo ${svnpath//\./\\\.}"db/(txn-)?current$ VarFile"
+ echo ${svnpath//\./\\\.}"db/rev(prop)?s/0/[0-9]+$ Full+ANF"
+ echo ${svnpath//\./\\\.}"(db(/(txn-protorevs|transactions|rev(prop)?s/0))?|dav/activities\.d)$ VarDir"
+done
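Review bot: Each `REPOSITORIES` entry is concatenated directly with `db/…`, so a path given without a trailing slash yields rules for `…repodb/…` that match nothing, and neither this script nor the settings file documents that requirement. Either add a comment such as `# entries in REPOSITORIES must be absolute paths ending in /`, or normalise with `p="${svnpath%/}/"` before the `echo` lines. `[ -d $svnpath ] || exit 1` should quote the variable, and as written one missing repository aborts rule generation for all the remaining ones. The trac script added later in this commit repeats the same pattern.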
--- /dev/null
+/run/systemd/journal/kernel-seqnum$ VarFile
+/run/systemd/journal/streams$ VarDir
+/run/systemd/journal/streams/[0-9]:[0-9]{4,7}$ VarFile+ANF+ARF
+!/run/log/journal/[0-9a-f]{32}$
+!/run/log/journal/[0-9a-f]{32}/system(@[0-9a-f]{32}-[0-9a-f]{16}-[0-9a-f]{16})?\.journal$
--- /dev/null
+/@@{RUN}/systemd/(sessions|transient|users)$ VarDir
+!/@@{RUN}/systemd/sessions/[0-9](\.ref)?
+!/@@{RUN}/systemd/transient/session-[0-9]+\.scope$
+!/@@{RUN}/systemd/users/[0-9]+$
+
--- /dev/null
+/var/lib/texmf/ls-R(-TEXMFMAIN|-TEXMFDIST-TETEX)? VarFile
--- /dev/null
+@@define TIGER_LOGS (check_(accounts|group|netrc|passwdformat|passwd|perms|rhosts|system|aliases|exports|inetd|printcap|anonftp|path|crontabs|tcpd|services|ftpusers|umask|exrc|embedded|devices)|find_files)
+/var/log/tiger/@@{TIGER_LOGS}\.out\.1$ LoSerMemberLog
+/var/log/tiger/@@{TIGER_LOGS}\.out\.[2-9]$ SerMemberLog
+/var/log/tiger/@@{TIGER_LOGS}\.out\.10$ HiSerMemberLog
+
+@@define TIGER_8LOGS (logfiles|rootkit|root|rootdir|runprocs|known)
+/var/log/tiger/check_@@{TIGER_8LOGS}\.out\.[123]$ LoSerMemberLog
+/var/log/tiger/check_@@{TIGER_8LOGS}\.out\.[4-7]$ SerMemberLog
+/var/log/tiger/check_@@{TIGER_8LOGS}\.out\.(8|9|10)$ HiSerMemberLog
+
+/var/log/tiger/check_listeningprocs\.out\.([1-9]|10)$ FreqRotLog
+
+/var/log/tiger$ VarDir
+
+/var/lib/tiger/work$ VarDir
--- /dev/null
+#!/bin/bash
+
+if ! [ -d /var/lib/torrus ]; then
+ exit 0
+fi
+
+find /var/lib/torrus/collector_rrd -name '*.rrd' | \
+ sed 's/^\(.*\)/\1$ VarFile/'
+
+TORRUS_TREES=""
+
+for tree in $TORRUS_TREES; do
+ cat <<EOF
+@@define TORRUS_TREE $tree
+/var/lib/torrus/db/sub/@@{TORRUS_TREE}/(config_readers|nodepcache_1|scheduler_stats)\.db$ VarFile
+/var/log/torrus/collector\.@@{TORRUS_TREE}_0\.log$ Log
+/@@{RUN}/torrus/collector\.@@{TORRUS_TREE}_0\.pid$ VarFile
+EOF
+done
+
+cat <<EOF
+!/var/cache/torrus/[0-9a-f]{32}_[0-9]{5}$
+/var/lib/torrus/db/__db\.00[1234]$ VarFile
+/var/lib/torrus/db/render_cache\.db$ VarFile
+!/var/lib/torrus/session_data/store/[0-9a-f]{32}$
+!/var/lib/torrus/session_data/lock/Apache-Session-[0-9a-f]{32}\.lock$
+/var/lib/torrus/session_data/(store|lock)$ VarDir
+!/var/log/torrus/dbenv_errlog_$(pidof collector)$
+/var/log/torrus$ VarDir
+/@@{RUN}/torrus$ VarDirInode
+EOF
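Review bot: `$(pidof collector)` in the last here-document is expanded when the configuration is generated. The `dbenv_errlog_` exclusion is therefore pinned to whatever PID existed at that moment (or a space-separated list of PIDs, or nothing) and stops matching once the collector restarts. A pattern is more robust: `!/var/log/torrus/dbenv_errlog_[0-9]+$`. `TORRUS_TREES` is also hard-coded empty and no settings file is sourced, so the per-tree loop emits nothing unless this script itself is edited; a comment saying so would help.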
--- /dev/null
+#!/bin/bash
+
+REPOSITORIES=""
+
+if [ -r "$UPAC_settingsd/31_aide_trac_settings" ]; then
+ # pull in configuration
+ . "$UPAC_settingsd/31_aide_trac_settings"
+fi
+
+for tracpath in $REPOSITORIES; do
+ [ -d $tracpath ] || exit 1
+ echo ${tracpath//\./\\\.}"db/trac\.db$ VarFile"
+ echo ${tracpath//\./\\\.}"db$ VarDir"
+done
--- /dev/null
+/var/lib/tt-rss/update_daemon.(stamp|lock)$ VarFile
+/var/lib/tt-rss$ VarDirTime
+
+/var/log/tt-rss\.log$ Log
+/var/log/tt-rss\.log\.1\.gz$ LoSerMemberLog
+/var/log/tt-rss\.log\.[2-6]\.gz$ SerMemberLog
+/var/log/tt-rss\.log\.7\.gz$ HiSerMemberLog
--- /dev/null
+# always assume that we have udev
+# Making this any more paranoid would probably mean to implementing most
+# of udev. Please feel free to submit patches ;)
+/@@{DEVDOT}udev/queue\.bin$ RamdiskData-s
+/@@{DEVDOT}udev/ RamdiskData
+/@@{DEVDOT}udev$ VarDirInode
--- /dev/null
+/@@{DEVDOT}mount/utab$ VarInode
+/@@{DEVDOT}mount$ VarDirInode
--- /dev/null
+/@@{RUN}/utmp$ VarFile
--- /dev/null
+/@@{RUN}/vpnc$ VarDirInode
--- /dev/null
+#@@define LOC_WEBSITES (www\.a\.example|www\.b\.example)
+@@ifdef LOC_WEBSITES
+@@define LOC_WEBALIZERFILES (index\.html|usage\.png|webalizer\.(hist|current)|(ctry|daily|hourly)_usage_@@{YEAR4D}(0[1-9]|1[0-2])\.png|usage_@@YEAR4D(0[1-9]|1[0-2])\.html)
+
+/var/www/@@{LOC_WEBSITES}/stats/@@{LOC_WEBALIZERFILES}$ VarFile
+@@endif
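Review bot: Inside `LOC_WEBALIZERFILES` the last alternative reads `usage_@@YEAR4D(0[1-9]|1[0-2])\.html`, without the braces used for `@@{YEAR4D}` earlier in the same definition. The macro is presumably not expanded there, so the monthly `usage_YYYYMM.html` pages will not match once `LOC_WEBSITES` is defined. It should read `usage_@@{YEAR4D}(0[1-9]|1[0-2])\.html`.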
--- /dev/null
+@@define INTERFACES wlan0
+/@@{LIBINITRW}/sendsigs\.omit\.d/wpasupplicant\.wpa_(supplicant|action)\.@@{INTERFACES}\.pid$ VarFile
+
+/@@{RUN}/wpa_action\.@@{INTERFACES}\.(pid|timestamp)$ VarFile
+/@@{RUN}/wpa_supplicant\.@@{INTERFACES}\.pid$ VarFile
+/@@{RUN}/wpa_supplicant/@@{INTERFACES}$ VarFile
+/@@{RUN}/wpa_supplicant$ VarDirInode
+
+@@define WPA_LOGS wpa_(action|supplicant)\.@@{INTERFACES}
+/var/log/@@{WPA_LOGS}\.log$ Log
+/var/log/@@{WPA_LOGS}\.log\.1\.gz$ LoSerMemberLog
+/var/log/@@{WPA_LOGS}\.log\.[2-4]\.gz$ SerMemberLog
+/var/log/@@{WPA_LOGS}\.log\.5\.gz$ HiSerMemberLog
--- /dev/null
+/var/log/wtmp$ Log
+/var/log/wtmp\.1$ LowLog
--- /dev/null
+/tmp/\.(X11|ICE)-unix$ VarDirInode
--- /dev/null
+/var/lib/xkb$ VarDirTime
--- /dev/null
+!/var/lib/xdm/authdir/authfiles/A:[0-9]-[A-Za-z0-9]{6}$
+/var/lib/xdm/authdir/authfiles$ VarDir
+/@@{RUN}/xdm\.pid$ VarFile
--- /dev/null
+# removed, replaced by 31_aide_x11-common
--- /dev/null
+/@@{RUN}/xinetd.pid$ VarFile
--- /dev/null
+!/dev/pts/[0-9]{1,2}$
+/dev/pts$ VarDir
+
+/dev RamdiskData
--- /dev/null
+/etc$ VarDir
--- /dev/null
+!/proc
+!/sys
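Review bot: `!/proc` and `!/sys` are anchored only at the start. Besides the two pseudo-filesystems they also exclude any other top-level path whose name merely begins with those strings, such as `/sysroot` or `/procdata`, together with everything below it. Writing them as `!/proc(/|$)` and `!/sys(/|$)` keeps the exclusion on the two directories and their contents. This assumes AIDE's documented implicit `^` and no implicit `$`, so confirm it against the installed version.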
--- /dev/null
+/@@{LIBINITRW}/sendsigs\.omit\.d$ VarDirInode
+/@@{LIBINITRW}/\.ramfs$ VarFile
+/@@{LIBINITRW}$ VarDirInode
+
+/@@{RUNLOCK}/\.ramfs$ VarFile
+/@@{RUNLOCK}$ VarDirInode
+/@@{RUN}$ VarDirInode-n
--- /dev/null
+/tmp$ OwnerMode+i
--- /dev/null
+/var/(backups|log|tmp)$ VarDir
--- /dev/null
+#!/bin/sh
+
+SOURCESLIST=""
+if [ -e "/etc/apt/sources.list" ]; then
+ SOURCESLIST="/etc/apt/sources.list"
+fi
+
+for file in /etc/apt/sources.list.d/*; do
+ if [ -e "$file" ]; then
+ SOURCESLIST="$SOURCESLIST $file"
+ fi
+done
--- /dev/null
+IGNORE_ARCHIVES=""
+IGNORE_FRQCHG=""
--- /dev/null
+REPOSITORIES=""
--- /dev/null
+REPOSITORIES=""
--- /dev/null
+#!/bin/bash
+
+set -e
+set -C
+
+# trap handler
+
+FQDN="$(hostname -f)"
+if [ -z "$FQDN" ]; then
+ echo >&2 "error determining FQDN: hostname -f does not give output"
+ hostname -f >&2
+ exit 1
+fi
+
+traphandler() {
+ trap - INT ERR
+ if [ -n "${LOCKED:-}" ]; then
+ # we have the lock,
+ pidof aide | xargs --no-run-if-empty kill -9
+ fi
+ onexit signal $1
+ return 0
+}
+trap ' traphandler INT; trap - INT ERR' INT
+trap ' traphandler ERR; trap - INT ERR' ERR
+
+# bail if no aide binary found
+
+if ! [ -f "/usr/bin/aide" ] && ! [ -f "/usr/sbin/aide" ]; then
+ exit 0
+fi
+
+# default variables
+
+PATH="/sbin:/usr/sbin:/bin:/usr/bin"
+LOGDIR="/var/log/aide"
+# LOGFILE: /var/log/aide/aide.log - all logs untruncated (not temp)
+LOGFILE="$LOGDIR/aide.log"
+CONFFILE="/var/lib/aide/aide.conf.autogenerated"
+PREFIX="aide"
+TMPBASE="/run/aide"
+LOCKFILE="$TMPBASE/cron.daily.lock"
+TMPDIRIN="$TMPBASE/cron.daily"
+USE_SAVELOG=""
+if command -v savelog > /dev/null; then
+ USE_SAVELOG="1"
+fi
+
+AIDEARGS="-V4"
+MAILSUBJ="Daily AIDE report for $FQDN"
+
+DATE="$(date +"%Y-%m-%d %H:%M")"
+BEGINSTAMP="$(date +"%Y-%m-%d %H:%M:%S")"
+
+# make sure $TMPBASE exists
+
+if ! [ -d "$TMPBASE" ]; then
+ mkdir -p $TMPBASE
+ chown root:root $TMPBASE
+ chmod 600 $TMPBASE
+fi
+
+# have /etc/default/aide override variables
+
+if [ -f "/etc/default/aide" ]; then
+ . "/etc/default/aide"
+fi
+
+# from here on, we're going to bail on unbound variables
+
+set -u
+
+# umask
+
+umask 077
+
+# grep aide configuration data from aide config
+
+update-aide.conf
+DATABASE="$(< "$CONFFILE" grep "^database[[:space:]]*=[[:space:]]*file:/" | head -n 1 | cut --delimiter=: --fields=2)"
+DATABASE_OUT="$(< "$CONFFILE" grep "^database_out[[:space:]]*=[[:space:]]*file:/" | head -n 1 | cut --delimiter=: --fields=2)"
+
+< "$CONFFILE" grep -qE "^grouped[[:space:]]*=[[:space:]]*(no|false)[[:space:]]*$" && GROUPED="false" || GROUPED="true"
+
+# default values
+
+CRON_DAILY_RUN="${CRON_DAILY_RUN:-yes}"
+MAILTO="${MAILTO:-root}"
+eval MAILTO="$MAILTO"
+DATABASE="${DATABASE:-/var/lib/aide/aide.db}"
+LINES="${LINES:-1000}"
+COMMAND="${COMMAND:-check}"
+COPYNEWDB="${COPYNEWDB:-no}"
+QUIETREPORTS="${QUIETREPORTS:-no}"
+SILENTREPORTS="${SILENTREPORTS:-no}"
+TRUNCATEDETAILS="${TRUNCATEDETAILS:-no}"
+FILTERUPDATES="${FILTERUPDATES:-no}"
+FILTERINSTALLATIONS="${FILTERINSTALLATIONS:-no}"
+CRONEXITHOOK="${CRONEXITHOOK:-}"
+ONEXIT=""
+
+# silent implies quiet
+if [ "$SILENTREPORTS" = "yes" ]; then
+ QUIETREPORTS="yes"
+fi
+
+# Get the database's date
+DATABASEDATE=""
+if [ -f $DATABASE ]; then
+ DATABASEDATE="$(stat -c %y $DATABASE | sed -e "s/\..*//")"
+fi
+
+# Force TRUNCATEDETAILS when filter updates/installations
+if [ "$FILTERUPDATES" = "yes" ] || [ "$FILTERINSTALLATIONS" = "yes" ] ; then
+ TRUNCATEDETAILS="yes"
+fi
+
+# functions
+
+mytempfile() {
+ NAME="$1"
+ echo "$TMPDIR/$NAME"
+ touch "$TMPDIR/$NAME"
+}
+
+frame() {
+ WIDTH=78
+ STARS="*******************************************************************************"
+ SPACES=" "
+ printf "%s\n" "${STARS:1:$WIDTH}"
+ while read line ; do
+ HALF="${SPACES:1:$((($WIDTH-${#line})/2))}"
+ LINE="$HALF$line$SPACES"
+ printf "*%s*\n" "${LINE:1:$(($WIDTH-2))}"
+ done
+ printf "%s\n" "${STARS:1:$WIDTH}"
+}
+
+onexit() {
+ if [ "$ONEXIT" = "running" ]; then
+ return 1
+ fi
+
+ ONEXIT="running"
+
+ local LOGHEAD
+ local MAILHEAD
+
+ CRONEXITHOOKPARM="$1"
+ case "$1" in
+ signal)
+ LOGHEAD="$(printf "terminated with signal %s" "$2")"
+ MAILHEAD="$(printf "The cron job was terminated with signal %s" "$2")"
+ ;;
+ fatal)
+ LOGHEAD="$(printf "terminated by fatal error.")"
+ MAILHEAD="$(printf "The cron job was terminated by a fatal error.")"
+ ;;
+ nolock)
+ LOGHEAD="$(printf "terminated because lock %s could not be obtained." "$LOCKFILE")"
+ MAILHEAD="$(printf "The cron job was terminated because lock %s could not be obtained." "$LOCKFILE")"
+ ;;
+ cantmovetmp)
+ LOGHEAD="$(printf "terminated: Cannot move away %s." "$TMPDIRIN")"
+ MAILHEAD="$(printf "The cron job was terminated: Cannot move away %s." "$TMPDIRIN")"
+ ;;
+ nohook)
+ LOGHEAD="$(printf "terminated: CRONEXITHOOK set to %s which is not executeable." "$CRONEXITHOOK")"
+ MAILHEAD="$(printf "The cron job was terminated: CRONEXITHOOK set to %s which is not executeable." "$CRONEXITHOOK")"
+ ;;
+ cantcreatetmp)
+ LOGHEAD="$(printf "terminated: Cannot create temporary directory %s." "$TMPDIRIN")"
+ MAILHEAD="$(printf "The cron job was terminated: Cannot create temporary directory %s." "$TMPDIRIN")"
+ ;;
+ success)
+ ;;
+ *)
+ LOGHEAD="$(printf "wrong parameter (\"%s\") to onexit." "$1")"
+ MAILHEAD="$(printf "The cron job was terminated for unknown reasons, and a wrong parameter (\"%s\")was given to onexit." "$1")"
+ CRONEXITHOOKPARM="unknown"
+ ;;
+ esac
+
+ if [ -z "${TMPDIR:-}" ] || [ -z "${MAILFILE:-}" ]; then
+ # we are being called so early that we are not yet fully initialized
+ # LOGHEAD goes to syslog instead of LOGFILE since we do not know
+ # what's up with LOGFILE
+ logger -t aide-cron-daily "$LOGHEAD"
+ if [ "$SILENTREPORTS" != "yes" ]; then
+ echo "$MAILHEAD" | mail -s "premature termination - $MAILSUBJ" "$MAILTO"
+ fi
+ CRONEXITHOOKPARM="early-$CRONEXITHOOKPARM"
+ else
+ # we are being called after the cron job was properly set up.
+ # Do the full works.
+
+ if [ "$USE_SAVELOG" = "1" ] || [ "$USE_SAVELOG" = "yes" ]; then
+ savelog -t -g adm -m 640 -u root -c 7 "$LOGFILE" > /dev/null
+ else
+ LOGFILEWDATE="${LOGFILE}-$(date +%Y%m%d-%H%M%S)"
+ ln -sf $LOGFILEWDATE $LOGFILE
+ LOGFILE="${LOGFILEWDATE}"
+ fi
+
+ printf >> "$MAILFILE" \
+"This is an automated report generated by the Advanced Intrusion Detection
+Environment on %s started at %s.\n\n" "$FQDN" "$BEGINSTAMP"
+
+ printf >> "$LOGFILE" \
+"aide run on %s started at %s.\n" "$FQDN" "$BEGINSTAMP"
+
+ if [ -n "${LOGHEAD:-}" ]; then
+ printf "$LOGHEAD\n" | frame >> "$LOGFILE"
+ printf "\n" >> "$LOGFILE"
+ fi
+ if [ -n "${MAILHEAD:-}" ]; then
+ printf "$MAILHEAD\n" | frame >> "$MAILFILE"
+ printf "\n\n" >> "$MAILFILE"
+ fi
+
+ # report about AIDE's return value
+
+ if [ -n "${ARETVAL:-}" ]; then
+ ARETEXPL=""
+ ARETERR=""
+ PREFIX="$(printf "AIDE returned with exit code %d." "$ARETVAL")"
+ case "$ARETVAL" in
+ -1)
+ PREFIX=""
+ ARETERR="the cron job was interrupted before AIDE could return an exit code.";;
+ 0)
+ PREFIX="AIDE returned with a zero exit code."
+ ARETEXPL="No changes detected!";;
+ 1)
+ ARETEXPL="Added entries detected!";;
+ 2)
+ ARETEXPL="Removed entries detected!";;
+ 3)
+ ARETEXPL="Added and removed entries detected!";;
+ 4)
+ ARETEXPL="Changed entries detected!";;
+ 5)
+ ARETEXPL="Added and changed entries detected!";;
+ 6)
+ ARETEXPL="Removed and changed entries detected!";;
+ 7)
+ ARETEXPL="Added, removed and changed entries detected!";;
+ 14)
+ ARETERR="Error writing!";;
+ 15)
+ ARETERR="Invalid Argument!";;
+ 16)
+ ARETERR="Unimplemented function!";;
+ 17)
+ ARETERR="Invalid configuration!";;
+ 18)
+ ARETERR="Input/Output error!";;
+ *)
+ ARETERR="$(printf "AIDE returned an unknown non-zero exit value\nexit value is %d\n\n" "$ARETVAL")";;
+ esac
+ if [ -n "$ARETEXPL" ]; then
+ echo "$PREFIX $ARETEXPL" >> "$MAILFILE"
+ echo "$PREFIX $ARETEXPL" >> "$LOGFILE"
+ fi
+ if [ -n "$ARETERR" ]; then
+ echo "$PREFIX $ARETERR" | frame >> "$MAILFILE"
+ echo "$PREFIX $ARETERR" | frame >> "$LOGFILE"
+ fi
+ unset ARETEXPL
+ unset ARETERR
+ unset PREFIX
+ else
+ ARETEXPL="ARETVAL not initialized. cron job was aborted prematurely."
+ ARETVAL=255
+ echo $ARETEXPL | frame >> "$LOGFILE"
+ echo $ARETEXPL | frame >> "$MAILFILE"
+ unset ARETEXPL
+ printf "\n" >> "$LOGFILE"
+ printf "\n\n" >> "$MAILFILE"
+ fi
+
+ # script errors
+
+ if [ -n "${ERRORLOG:-}" ] && [ -s "$ERRORLOG" ]; then
+ printf "script errors\n" | frame >> "$MAILFILE"
+ < "$ERRORLOG" cat >> "$MAILFILE"
+ printf "End of script errors\n\n" >> "$MAILFILE"
+
+ printf "script errors\n" | frame >> "$LOGFILE"
+ < "$ERRORLOG" cat >> "$LOGFILE"
+ printf "End of script errors\n" >> "$LOGFILE"
+ fi
+
+ # aide post run information
+
+ if [ -n "${POSTRUNLOG:-}" ] && [ -s "$POSTRUNLOG" ]; then
+ printf "AIDE post run information\n" >> "$MAILFILE"
+ < "$POSTRUNLOG" cat >> "$MAILFILE"
+ printf "End of AIDE post run information\n\n" >> "$MAILFILE"
+
+ printf "AIDE post run information\n" >> "$LOGFILE"
+ < "$POSTRUNLOG" cat >> "$LOGFILE"
+ printf "End of AIDE post run information\n" >> "$LOGFILE"
+ fi
+
+ # include error log in daily report e-mail
+
+ if [ -n "${AERRLOG:-}" ] && [ -s "$AERRLOG" ]; then
+ errorlines="$(wc -l "$AERRLOG" | awk '{ print $1 }')"
+ if [ "$LINES" -gt "0" ] && [ "${errorlines:=0}" -gt "$LINES" ]; then
+ printf "AIDE has returned many errors.\nthe error log output has been truncated in this mail\n" | \
+ frame >> "$MAILFILE"
+ printf >> "$MAILFILE" "Error output is %d lines, truncated to %d.\n" "$errorlines" "$LINES"
+ < "$AERRLOG" head -n "$LINES" >> "$MAILFILE"
+ printf >> "$MAILFILE" "\nEnd of truncated AIDE error output. The full output can be found in %s.\n\n" "$LOGFILE"
+ else
+ printf >> "$MAILFILE" "Errors produced (%d lines):\n" "$errorlines"
+ < "$AERRLOG" cat >> "$MAILFILE"
+ printf >> "$MAILFILE" "\nEnd of AIDE error output.\n\n"
+ fi
+ printf >> "$LOGFILE" "AIDE error output (%d lines):\n" "$errorlines"
+ < "$AERRLOG" cat >> "$LOGFILE"
+ printf >> "$LOGFILE" "End of AIDE error output\n"
+ else
+ printf >> "$MAILFILE" "AIDE produced no errors.\n\n"
+ printf >> "$LOGFILE" "AIDE produced no errors.\n"
+ fi
+
+
+ # finish log file
+ if [ -n "${ARUNLOG:-}" ] && [ -s "$ARUNLOG" ]; then
+ printf >> "$LOGFILE" "AIDE output (%d lines):\n" "$(wc -l "$ARUNLOG" | awk '{ print $1 }')"
+ < "$ARUNLOG" cat >> "$LOGFILE"
+ printf >> "$LOGFILE" "End of AIDE output.\n\n"
+ else
+ printf >> "$LOGFILE" "AIDE detected no changes.\n\n"
+ fi
+
+ if [ -n "${DBCHECKLOG:-}" ] && [ -s "$DBCHECKLOG" ]; then
+ < "$DBCHECKLOG" cat >> "$LOGFILE"
+ fi
+
+ ENDTIME="$(date +%s)"
+
+ printf >> "$LOGFILE" "End of AIDE daily cron job at %s, run time %d seconds\n" "$(date +"%Y-%m-%d %H:%M" -d@$ENDTIME)" "$(( $ENDTIME - $BEGINTIME ))"
+
+ LOGFILE_CHECKSUM="$(sha256sum $LOGFILE)"
+
+ # include de-noised log into mail
+
+ if [ -n "${ARUNLOG:-}" ] && [ -s "$ARUNLOG" ]; then
+
+ MAIL_MODE=0
+
+ # truncate details
+ if [ "$TRUNCATEDETAILS" = "yes" ] ; then
+ case "$ARETVAL" in
+ 4|5|6|7)
+ MAILTMP="$(mytempfile aidemail)"
+ < $ARUNLOG sed '/^Detailed information about changes:$/,/^The attributes of the (uncompressed) database(s):$/{/^The attributes of the (uncompressed) database(s):$/!d}' >> "$MAILTMP"
+ MAIL_MODE=1
+ ;;
+ *)
+ MAILTMP="$ARUNLOG"
+ ;;
+ esac
+
+ # Filter package upgrades/installations
+
+ # Figure out where the dpkg log file is
+ DPKGLOG="$(< /etc/dpkg/dpkg.cfg grep "^log" | head -n 1 | cut -d ' ' -f 2)"
+
+ if ( [ "$FILTERUPDATES" = "yes" ] || [ "$FILTERINSTALLATIONS" = "yes" ] ) && [ -s "$DPKGLOG" ]; then
+
+ # Create a list of files modified by system updates
+ if ( [ "$FILTERUPDATES" = "yes" ] && [ "$FILTERINSTALLATIONS" = "yes" ] ) ; then FILTER="install|upgrade"
+ elif [ "$FILTERUPDATES" = "yes" ]; then FILTER="upgrade"
+ else FILTER="install"
+ fi
+ PKG_FILE_LIST="$(mytempfile pkg_file_list)"
+ REGEX="^([^ ]+ [^ ]+) ("$FILTER") ([^ ]+) [^ ]+ [^ ]+$"
+ pkgs=
+ while read line; do
+ if [[ $line =~ $REGEX ]] && [[ "$DATABASEDATE" < ${BASH_REMATCH[1]} ]]; then
+ if dpkg-query -L ${BASH_REMATCH[3]} > /dev/null 2>&1; then
+ pkgs+="${BASH_REMATCH[3]} (${BASH_REMATCH[2]})\n"
+ dpkg-query -L ${BASH_REMATCH[3]} | sed -e "/^$/d" -e "/\/\./d" >> "$PKG_FILE_LIST"
+ if ! ls /var/lib/dpkg/info/${BASH_REMATCH[3]}.* >> "$PKG_FILE_LIST" 2>/dev/null; then
+ ls /var/lib/dpkg/info/${BASH_REMATCH[3]%:*}.* >> "$PKG_FILE_LIST"
+ fi
+ fi
+ fi
+ done < "$DPKGLOG"
+
+ if [ -n "$pkgs" ]; then
+ FILTEREDMAIL=$(mytempfile filteredmail)
+ let MAIL_MODE=MAIL_MODE+2
+ ADD=0; REM=0; CHG=0
+ N_ADD=0; N_REM=0; N_CHG=0
+ declare -a NF_ADD NF_REM NF_CHG
+ NF_ADD=()
+ NF_REM=()
+ NF_CHG=()
+ REGEX="^(changed|removed|added|[fdLDBFs?!][ :l<>=bpugamcinCAXSE.+-]{16}): (.*)"
+ BACKUPIFS="$IFS"
+ IFS=""
+ while read -r line; do
+ if [[ $line =~ $REGEX ]] ; then
+ [ -z "$(grep -xF "${BASH_REMATCH[2]}" "$PKG_FILE_LIST")" ] && DONTFILTER_FILE=true || DONTFILTER_FILE=false
+ case "${BASH_REMATCH[1]}" in
+ added|[fdLDBFs?]++++++++++++++++)
+ ((ADD++)) || true
+ if $DONTFILTER_FILE; then
+ ((N_ADD++)) || true
+ if $GROUPED; then
+ NF_ADD[${#NF_ADD[*]}]="$line"
+ else
+ NF_CHG[${#NF_CHG[*]}]="$line"
+ fi
+ fi
+ ;;
+ removed|[fdLDBFs?]----------------)
+ ((REM++)) || true
+ if $DONTFILTER_FILE; then
+ ((N_REM++)) || true
+ if $GROUPED; then
+ NF_REM[${#NF_REM[*]}]="$line"
+ else
+ NF_CHG[${#NF_CHG[*]}]="$line"
+ fi
+ fi
+ ;;
+ changed|[fdLDBFs?!]*)
+ ((CHG++)) || true
+ if $DONTFILTER_FILE; then
+ ((N_CHG++)) || true
+ NF_CHG[${#NF_CHG[*]}]="$line"
+ fi
+ ;;
+ *)
+ printf >> "$FILTEREDMAIL" "error: '%s' could not be matched, mail report is incomplete (full output can be found in %s)!! Please file a bug report against the aide-common package and include this error message.\n" "${BASH_REMATCH[1]}" "$LOGFILE"
+ ;;
+ esac
+ fi
+ done < "$MAILTMP"
+ IFS=$BACKUPIFS
+ let F_ADD=$ADD-$N_ADD || true
+ let F_REM=$REM-$N_REM || true
+ let F_CHG=$CHG-$N_CHG || true
+ < $MAILTMP sed -n '0,/^ Total number of entries:/{p;}' >> "$FILTEREDMAIL"
+ SEPERATOR_TEMPLATE="\n---------------------------------------------------\n%s entries (filtered: %s):\n---------------------------------------------------\n\n"
+ NUM_FILES_TEMPLATE=" %s entries:\t\t%s\t(filtered: %s)\n"
+ printf >> "$FILTEREDMAIL" "$NUM_FILES_TEMPLATE" "Added" "$N_ADD" "$F_ADD"
+ printf >> "$FILTEREDMAIL" "$NUM_FILES_TEMPLATE" "Removed" "$N_REM" "$F_REM"
+ printf >> "$FILTEREDMAIL" "$NUM_FILES_TEMPLATE" "Changed" "$N_CHG" "$F_CHG"
+ printf >> "$FILTEREDMAIL" "\nThe following package changes were detected and were filtered from this mail:\n"
+ printf >> "$FILTEREDMAIL" "$pkgs"
+ if [ "$N_ADD" -eq "0" ] && [ "$N_REM" -eq "0" ] && [ "$N_CHG" -eq "0" ] ; then
+ printf >> "$FILTEREDMAIL" "\nAIDE detected no changes after filtering package changes.\n\n"
+ else
+ if [ "${#NF_ADD[@]}" -gt "0" ]; then
+ printf >> "$FILTEREDMAIL" "$SEPERATOR_TEMPLATE" "Added" "$F_ADD"
+ for ((i=0;i<${#NF_ADD[@]};i++)); do echo "${NF_ADD[$i]}" >> "$FILTEREDMAIL"; done
+ fi
+ if [ "${#NF_REM[@]}" -gt "0" ]; then
+ printf >> "$FILTEREDMAIL" "$SEPERATOR_TEMPLATE" "Removed" "$F_REM"
+ for ((i=0;i<${#NF_REM[@]};i++)); do echo "${NF_REM[$i]}" >> "$FILTEREDMAIL"; done
+ fi
+ if [ "${#NF_CHG[@]}" -gt "0" ]; then
+ if $GROUPED; then
+ printf >> "$FILTEREDMAIL" "$SEPERATOR_TEMPLATE" "Changed" "$F_CHG"
+ else
+ if [ "$N_ADD" -gt "0" ] && [ "$N_REM" -gt "0" ] && [ "$N_CHG" -gt "0" ]; then
+ HEAD="Added, removed and changed"
+ elif [ "$N_ADD" -gt "0" ] && [ "$N_REM" -gt "0" ]; then
+ HEAD="Added and removed"
+ elif [ "$N_ADD" -gt "0" ] && [ "$N_CHG" -gt "0" ]; then
+ HEAD="Added and changed"
+ elif [ "$N_REM" -gt "0" ] && [ "$N_CHG" -gt "0" ]; then
+ HEAD="Removed and changed"
+ elif [ "$N_ADD" -gt "0" ]; then
+ HEAD="Added"
+ elif [ "$N_REM" -gt "0" ]; then
+ HEAD="Removed"
+ elif [ "$N_CHG" -gt "0" ]; then
+ HEAD="Changed"
+ fi
+ printf >> "$FILTEREDMAIL" "$SEPERATOR_TEMPLATE" "$HEAD" "$((F_ADD+F_REM+F_CHG))"
+ fi
+ for ((i=0;i<${#NF_CHG[@]};i++)); do echo "${NF_CHG[$i]}" >> "$FILTEREDMAIL"; done
+ fi
+ fi
+ printf >> "$FILTEREDMAIL" "\n---------------------------------------------------\n"
+ < $MAILTMP sed -n '/^The attributes of the (uncompressed) database(s):$/,$ {p;}' >> "$FILTEREDMAIL"
+ MAILTMP="$FILTEREDMAIL"
+ fi
+ fi
+ else
+ MAILTMP="$ARUNLOG"
+ fi
+
+ if [ -n "${NOISE:-}" ]; then
+ NOISETMP="$(mytempfile aidenoise1)"
+ NOISETMP2="$(mytempfile aidenoise2)"
+ < "$MAILTMP" sed -n '1,/^Detailed information about changes:/p' | \
+ grep '^\(changed\|removed\|added\|[fdLDBFs?!][ :l<>=bpugamcinCAXSE.+-]\{16\}\):' | \
+ grep -v "^added: THERE WERE ALSO [0-9]\+ FILES ADDED UNDER THIS DIRECTORY" >> "$NOISETMP2"
+
+ if [ -n "$NOISE" ]; then
+ < "$NOISETMP2" grep -v "^\(changed\|removed\|added\|[fdLDBFs?!][ :l<>=bpugamcinCAXSE.+-]\{16\}\): $NOISE" >> "$NOISETMP" || true
+ printf >> "$MAILFILE" "De-Noised output removes everything matching %s.\n" "$NOISE"
+ fi
+
+ if [ -s "$NOISETMP" ]; then
+ loglines="$(< $NOISETMP wc -l | awk '{ print $1 }')"
+ if [ "$LINES" -gt "0" ] && [ "${loglines:=0}" -gt "$LINES" ]; then
+ printf "AIDE has returned long output which has been truncated in this mail\n" | \
+ frame >> "$MAILFILE"
+ printf >> "$MAILFILE" \
+ "De-Noised output is %d lines, truncated to %d.\n" "$loglines" "$LINES"
+ < "$NOISETMP" head -n "$LINES" >> "$MAILFILE"
+ printf >> "$MAILFILE" "\nEnd of truncated De-Noised AIDE output. The full output can be found in %s.\nsha256sum: %s\n\n" "$LOGFILE" "$LOGFILE_CHECKSUM"
+ else
+ printf >> "$MAILFILE" "De-Noised output of the daily AIDE run (%d lines):\n" "$loglines"
+ < "$NOISETMP" cat >> "$MAILFILE"
+ printf >> "$MAILFILE" "\nEnd of De-Noised AIDE output.\n\n"
+ fi
+ else
+ printf >> "$MAILFILE" "AIDE detected no changes after removing noise.\n\n"
+ fi
+ printf >> "$MAILFILE" "============================================================================\n"
+ fi
+
+ # include non-de-noised log into mail
+
+ if [ -n "${MAILTMP:-}" ] && [ -s "$MAILTMP" ]; then
+ loglines="$(wc -l "$MAILTMP" | awk '{ print $1 }')"
+ if [ "$LINES" -gt "0" ] && [ "${loglines:=0}" -gt "$LINES" ]; then
+ printf "AIDE has returned long output which has been truncated in this mail\n" | \
+ frame >> "$MAILFILE"
+ printf >> "$MAILFILE" \
+ "Output is %d lines, truncated to %d.\n" "$loglines" "$LINES"
+ < "$MAILTMP" head -n "$LINES" >> "$MAILFILE"
+ printf >> "$MAILFILE" "\nEnd of truncated AIDE output. The full output can be found in %s.\nsha256sum: %s\n\n" "$LOGFILE" "$LOGFILE_CHECKSUM"
+ else
+ printf >> "$MAILFILE" "Output of the daily AIDE run (%d lines):\n" "$loglines"
+ < "$MAILTMP" cat >> "$MAILFILE"
+ if [ "$MAIL_MODE" -gt "0" ] ; then
+ case "$MAIL_MODE" in
+ 1) AIDE_OUTPUT="truncated" ;;
+ 2) AIDE_OUTPUT="filtered" ;;
+ 3) AIDE_OUTPUT="truncated and filtered" ;;
+ esac
+ printf >> "$MAILFILE" "\nEnd of %s AIDE output.\n\nThe full output can be found in %s.\nsha256sum: %s\n\n" "$AIDE_OUTPUT" "$LOGFILE" "$LOGFILE_CHECKSUM"
+ else
+ printf >> "$MAILFILE" "\nEnd of AIDE output.\n\n"
+ fi
+ fi
+ else
+ printf >> "$MAILFILE" "AIDE detected no changes.\n\n"
+ fi
+ else
+ printf >> "$MAILFILE" "funny, AIDE did not leave a log.\n\n"
+ printf >> "$LOGFILE" "funny, AIDE did not leave a log.\n"
+ fi
+
+ if [ -n "${DBCHECKLOG:-}" ] && [ -s "$DBCHECKLOG" ]; then
+ < "$DBCHECKLOG" cat >> "$MAILFILE"
+ printf >> "$MAILFILE" "\n"
+ fi
+
+ printf >> "$MAILFILE" "End of AIDE daily cron job at %s, run time %d seconds\n" "$(date +"%Y-%m-%d %H:%M" -d@$ENDTIME)" "$(( $ENDTIME - $BEGINTIME ))"
+
+ # send mail if changes or errors were detected or quiet reports not requested
+ if [ "$QUIETREPORTS" != "yes" ] || [ "$ARETVAL" != "0" ] || [ $(< "$ERRORLOG" wc -l) -ne 0 ]; then
+ # do not send anything (not even error messages) if silence is requested
+ if [ "$SILENTREPORTS" != "yes" ]; then
+ < "$MAILFILE" mail -s "$MAILSUBJ" "$MAILTO"
+ fi
+ fi
+
+ # clean up temp files
+ rm -rf $TMPDIR
+ fi
+
+ if [ -n "$CRONEXITHOOK" ] && [ -x "$CRONEXITHOOK" ]; then
+ $CRONEXITHOOK $CRONEXITHOOKPARM
+ fi
+
+ # clear lock
+ if [ -n "${LOCKED:-}" ] && command -v dotlockfile >/dev/null 2>&1; then
+ dotlockfile -u "$LOCKFILE" || true
+ fi
+ unset LOCKED
+
+ return 0
+}
+
+BEGINTIME="$(date +%s)"
+
+if [ "$CRON_DAILY_RUN" != "yes" ] && ! tty -s; then
+ exit 0
+fi
+
+if command -v dotlockfile >/dev/null 2>&1; then
+ if ! dotlockfile -p -l "$LOCKFILE"; then
+ onexit nolock
+ exit 1
+ fi
+else
+ PREERRLOG="no dotlockfile binary in path, not checking for already running aide cron job\n"
+fi
+LOCKED=yes
+
+# prepare temp dir
+if [ -e "$TMPDIRIN" ]; then
+ if ! NEWNAME="$(mktemp -d $TMPBASE/cron.daily.old.XXXXXXXXXX)"; then
+ onexit cantmovetmp
+ exit 1
+ fi
+ mv "$TMPDIRIN" "$NEWNAME"
+ unset NEWNAME
+ OLDTMPDIRFOUND="yes"
+fi
+
+if ! mkdir -p $TMPDIRIN; then
+ onexit cantcreatetmp
+ exit 1
+fi
+
+# handle the case that CRONEXITHOOK does not exist or is not executeable
+if [ -n "$CRONEXITHOOK" ]; then
+ if ! [ -x "$CRONEXITHOOK" ]; then
+ onexit nohook
+ exit 1
+ fi
+fi
+
+# we can now directly use file names inside $TMPDIR: It is only
+# writeable for us (umask 077), so we're safe against symlink attacks.
+# We use invariant file names here since our work files need to be
+# excluded from aide.
+TMPDIR="$TMPDIRIN"
+
+# now, with $TMPDIR having been created, we can use onexit.
+
+# ERRORLOG: Error messages from script. Gets written to $LOGFILE first
+ERRORLOG="$(mytempfile errorlog)"
+
+if [ -n "${PREERRORLOG:-}" ]; then
+ printf >> "$ERRORLOG" "$PREERRORLOG"
+fi
+unset PREERRORLOG
+
+# MAILFILE: Contents gets mailed. Built and handled from inside onexit()
+MAILFILE="$(mytempfile mailfile)"
+
+# aide return value
+ARETVAL=-1
+
+if [ ! -f "$DATABASE" ]; then
+ printf >> "$ERRORLOG" "Fatal error: The AIDE database '%s' does not exist!\n" "$DATABASE"
+ printf >> "$ERRORLOG" "This may mean you haven't created it or that the initialization process is still running, or it may mean that someone has removed it.\n"
+ onexit fatal
+ exit 1
+fi
+
+# code
+
+# re-assign current time to be more accurate about aide's real start time
+BEGINSTAMP="$(date +"%Y-%m-%d %H:%M:%S")"
+
+# ARUNLOG: standard output of aide run
+ARUNLOG="$(mytempfile arunlog)"
+
+# AERRLOG: standard error of aide run
+AERRLOG="$(mytempfile aerrlog)"
+
+printf "begin timestamp %s\n" "$BEGINSTAMP" >> "$ARUNLOG"
+
+aide.wrapper $AIDEARGS "--$COMMAND" >|"$ARUNLOG" 2>|"$AERRLOG" && ARETVAL="$?"
+ARETVAL="$?"
+
+# POSTRUNLOG: summary of aide execution and cron job log
+POSTRUNLOG="$(mytempfile postrunlog)"
+
+# DBCHECKLOG: Output of the database checksums
+DBCHECKLOG="$(mytempfile dbchecklog)"
+
+# NOISETMP: completely de-noised log
+# NOISETMP2: pre-filtered ARUNLOG, containing only changed, removed and added lines
+NOISETMP="$(mytempfile noisetmp)"
+NOISETMP2="$(mytempfile noisetmp2)"
+
+# find out whether we neeed to copy the new database over the old one
+
+COPYDB="0"
+if [ "$COPYNEWDB" = "ifnochange" ] && [ "$ARETVAL" = "0" ]; then
+ COPYDB="1"
+ printf >> "$POSTRUNLOG" "no significant changes detected.\n"
+fi
+
+if [ "$COPYNEWDB" = "yes" ]; then
+ COPYDB=1
+fi
+
+if [ "$COPYDB" = "1" ] && [ "$COMMAND" = "update" ]; then
+ cp -f "$DATABASE_OUT" "$DATABASE"
+ printf >> "$POSTRUNLOG" "output database %s was copied to %s as requested by cron job configuration\n" "$DATABASE_OUT" "$DATABASE"
+fi
+
+onexit success
+exit 0
+
+# end of file
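Review bot: The fallback branch of the dotlockfile check assigns `PREERRLOG`, but the later block that copies the message into `$ERRORLOG` tests `PREERRORLOG`, so the warning that no lock is being taken is silently dropped from the report. `LOCKED=yes` is then set even though nothing was locked, which lets `traphandler` run `pidof aide | xargs --no-run-if-empty kill -9` against aide processes this job may not own. Rename the variable in that assignment to `PREERRORLOG`, and set `LOCKED=yes` only on the path where dotlockfile exists and `dotlockfile -p -l "$LOCKFILE"` succeeded. Separately, `chmod 600 $TMPBASE` leaves the work directory without a search bit; `chmod 700 "$TMPBASE"` is the usual mode for a root-only directory, and quoting it matches the quoted uses elsewhere in the script.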
--- /dev/null
+# These settings are mainly for the wrapper scripts around aide,
+# such as aideinit and /etc/cron.daily/aide
+
+# Set this to no to disable daily aide runs
+#CRON_DAILY_RUN=yes
+
+# This is used as the host name in the AIDE reports that are sent out
+# via e-mail. It defaults to the output of $(hostname --fqdn), but can
+# be set to arbitrary values.
+# FQDN=
+
+# This is used as the subject for the e-mail reports.
+# If your mail system only threads by subject, you might want to add
+# some variable content here (for example $(date +%Y-%m-%d)).
+MAILSUBJ="Daily AIDE report for $FQDN"
+
+# This is the email address reports get mailed to
+# default is root
+# This variable is expanded before it is used, so you can use variables
+# here. For example, MAILTO=$FQDN-aide@domain.example will send the
+# report to host.name.example-aide@domain.example is the local FQDN is
+# host.name.example.
+MAILTO=root
+
+# Set this to yes to suppress mailings when no changes have been
+# detected during the AIDE run and no error output was given.
+#QUIETREPORTS=no
+
+# Set this to yes to suppress mailings under all circumstances
+# This option implies QUIETREPORTS=yes
+#SILENTREPORTS=no
+
+# This parameter defines which AIDE command to run from the cron script.
+# Sensible values are "update" and "check".
+# Default is "check", ensuring backwards compatibility.
+# Since "update" does not take any longer, it is recommended to use "update",
+# so that a new database is created every day. The new database needs to be
+# manually copied over the current one, though.
+COMMAND=update
+
+# This parameter defines what to do with a new database created by
+# COMMAND=update. It is ignored if COMMAND!=update.
+# no: Do not copy new database to old database. This is the default.
+# yes: Copy new database to old database. This means that changes to the
+# file system are only reported once. Possibly dangerous.
+# ifnochange: Copy new database to old database if no changes have
+# been reported. This is needed for ANF/ARF to work reliably.
+COPYNEWDB=no
+
+# Set this to yes to truncate the detailed changes part in the mail. The full
+# output will still be listed in the log file.
+TRUNCATEDETAILS=no
+
+# Set this to yes to suppress file changes by package and security
+# updates from appearing in the e-mail report. Filtered file changes will
+# still be listed in the log file. This option parses the /var/log/dpkg.log
+# file and implies TRUNCATEDETAILS=yes
+FILTERUPDATES=no
+
+# Set this to yes to suppress file changes by package installations
+# from appearing in the e-mail report. Filtered file changes will still
+# be listed in the log file. This option parses the /var/log/dpkg.log file and
+# implies TRUNCATEDETAILS=yes.
+FILTERINSTALLATIONS=no
+
+# This parameter defines how many lines to return per e-mail. Output longer
+# than this value will be truncated in the e-mail sent out.
+# Set value to "0" to disable this option.
+LINES=1000
+
+# This parameter gives a grep regular expression. If given, all output lines
+# that _don't_ match the regexp are listed first in the script's output. This
+# allows to easily remove noise from the AIDE report.
+NOISE=""
+
+# This parameter defines which options are given to aide in the daily
+# cron job. The default is "-V4".
+AIDEARGS=""
+
+# These parameters control update-aide.conf and give the defaults for
+# the --confdir, --confd and --settingsd options
+# UPAC_CONFDIR="/etc/aide"
+# UPAC_CONFD="$UPAC_CONFDIR/aide.conf.d"
+# UPAC_SETTINGSD="$UPAC_CONFDIR/aide.settings.d"
+
+# Set this to a command that will be executed before the cron job
+# exits. This can be used to postprocess the generated report.
+# If the command is not in /sbin:/usr/sbin:/bin:/usr/bin (see PATH
+# setting in the daily cron job), you need to give a fully qualified
+# path. The script is executed before the aide lock is released.
+# The hook is called with a single parameter meaning:
+# signal: The cron job was terminated by a signal
+# fatal: There was a fatal error
+# nolock: The lock could not be obtained
+# cantmovetmp: It was not possible to move away the temporary directory
+# cantcreatetmp: It was not possible to create the temporary directory
+# success: aide finished successfully and gave meaningful results
+# unknown: onexit was called with an illegal reason (should not happen)
+# If the cron job aborted before the cron job was fully set up,
+# "early-" is prepended to the reason.
+CRONEXITHOOK=""