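#!/bin/bash
#
# script to initialize an AIDE database and create a GPG key
# specifically for use with the AIDE database
#
# written by Vincent Danen <vdanen-at-annvix.org>
#
# $Id: aideinit 6673 2007-01-16 17:40:05Z vdanen $
#
# NOTE: this script uses bash-only features throughout ([[ ]], read -s/-p,
# $"..." message translation, trap ... ERR), so it must run under bash and
# not a POSIX /bin/sh such as dash; the shebang reflects that.

TEXTDOMAIN=aidescripts

# All AIDE state (database and its signature) lives in /var/lib/aide; refuse
# to go any further if the package layout is not what we expect.
if [ ! -d /var/lib/aide ]; then
    printf $"FATAL: "$"The AIDE database directory %s does not exist!""\n\n" "/var/lib/aide"
    exit 1
fi

host="$(hostname)"

# Prefer gpg2 where both binaries are installed; either one is acceptable.
gpg=""
for candidate in gpg2 gpg; do
    if command -v "${candidate}" >/dev/null 2>&1; then
        gpg="${candidate}"
        break
    fi
done
if [ -z "${gpg}" ]; then
    printf $"FATAL: "$"gpg not found. Aborting.""\n"
    exit 1
fi

# Fail here with a clear message rather than half-way through, after the
# check timer has already been enabled, when "aide --init" cannot be run.
aide="/usr/sbin/aide"
if [ ! -x "${aide}" ]; then
    printf $"FATAL: "$"%s not found or not executable. Aborting.""\n" "${aide}"
    exit 1
fi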

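# Generate a signing key for this host unless one already exists.  Match the
# complete "<aide@host>" user ID with a fixed-string grep so that aide@host
# does not also match aide@host.example and dots in the hostname are taken
# literally; --batch keeps gpg from ever prompting here.
if ! ${gpg} --batch --list-secret-keys 2>/dev/null | grep -qF -- "<aide@${host}>"; then
    # we need to generate a gpg key

    printf $"Generating GPG private key for %s""\n" "aide@${host}"
    printf $"This is done automatically, but you must provide a strong passphrase to protect the key.""\n"

    # Prompt twice for the key passphrase into PASS1/PASS2.  On a mismatch,
    # or on an empty passphrase (which would leave the key unprotected),
    # both variables are cleared so the caller can retry.  -r keeps
    # backslashes in the passphrase intact; -s keeps it off the terminal.
    getpass() {
        unset PASS1 PASS2
        read -r -s -e -p $"Passphrase: " PASS1
        printf "\n"
        read -r -s -e -p $"Re-enter passphrase: " PASS2
        printf "\n"
        if [ -z "${PASS1}" ]; then
            printf $"FATAL: "$"Empty passphrase is not allowed; the key must be protected!""\n"
            unset PASS1 PASS2
        elif [ "${PASS1}" != "${PASS2}" ]; then
            printf $"FATAL: "$"Passwords do not match!""\n"
            unset PASS1 PASS2
        fi
    }

    getpass
    [ -z "${PASS1}" ] && getpass
    if [ -z "${PASS1}" ]; then
        printf $"FATAL: "$"Password mismatch occurred twice. Aborting.""\n"
        exit 1
    fi

    printf $"Generating GPG key..."
    # Feed the unattended-generation parameters to gpg on stdin (gpg reads
    # the parameter file from stdin when no filename is given) instead of
    # writing them to a temp file, so the passphrase never touches disk and
    # there is nothing to clean up on failure.  EdDSA/ed25519 signing key
    # with a cv25519 encryption subkey, no expiry, bound to aide@<host>.
    if ${gpg} --batch --gen-key <<EOF
Key-Type: EDDSA
Key-Curve: ed25519
Subkey-Type: ECDH
Subkey-Curve: cv25519
Name-Real: AIDE
Name-Comment: AIDE verification key
Name-Email: aide@${host}
Expire-Date: 0
Passphrase: ${PASS1}
EOF
    then
        printf " %s!\n" $"success"
    else
        printf " %s!\n%s\n" $"failed" $"An error occurred; cannot proceed!"
        exit 1
    fi
    unset PASS2
fi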

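# Create a detached signature for an AIDE database file with this host's key.
# Arguments: $1 - file to sign (default: aide.db.new); gpg writes the
#            signature next to it as <file>.sig.
# Globals:   gpg, host (read); PASS1 (read, set if it was empty).
# Exits with status 1 if gpg reports any failure.
#
# PASS1 is normally filled in by getpass() while the key is being generated;
# when the key already existed that step is skipped and PASS1 is unset, so
# prompt for it here instead of handing gpg an empty passphrase.  The
# passphrase is passed on stdin (fd 0), never on the command line where ps
# could read it, and via printf rather than echo so a value starting with
# "-" or containing backslashes is not mangled.  Any non-zero gpg status is
# treated as fatal: gpg signals most errors with status 2, which a test for
# "== 1" would silently let through.
signfile() {
    local target="${1:-aide.db.new}"

    if [ -z "${PASS1}" ]; then
        read -r -s -p $"Passphrase: " PASS1
        printf "\n"
    fi

    if ! printf '%s\n' "${PASS1}" | ${gpg} --batch --no-tty -u "aide@${host}" \
            --passphrase-fd 0 --pinentry-mode loopback \
            --detach-sign "${target}"; then
        printf $"FATAL: "$"Error occurred when creating the signature file!""\n"
        exit 1
    fi
}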

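# Create the timer's symlink in /etc/systemd/ before the system state is
# fixated in the AIDE DB.  If anything below fails, the EXIT trap disarms the
# timer again so scheduled checks never run against a missing or unsigned
# database; unlike an ERR trap this also covers the explicit "exit 1" paths.
init_ok=0
trap '[ "${init_ok}" -eq 1 ] || systemctl -q disable aidecheck.timer' EXIT
systemctl -q enable --now aidecheck.timer

printf $"Initializing the AIDE database... This may take a minute or two.""\n"

# A failed --init must not be followed by signing and installing whatever
# aide.db.new a previous run may have left behind.
if ! ${aide} --init; then
    printf $"FATAL: "$"aide --init failed. Aborting.""\n"
    exit 1
fi

cd /var/lib/aide || exit 1

# create the signature file; we don't have to ask for the passphrase here, we've already got it
# (a stale .sig from an earlier attempt must not be mistaken for ours)
rm -f aide.db.new.sig
signfile
if [ ! -f aide.db.new.sig ]; then
    printf $"FATAL: "$"Signature was not created! Aborting.""\n"
    exit 1
fi
printf $"Database successfully signed.""\n"

# Install the database and its signature as a pair; a database without a
# matching signature is useless to the checker, so a failed mv is fatal.
mv aide.db.new aide.db || exit 1
mv aide.db.new.sig aide.db.sig || exit 1

printf $"Scheduled regular integrity checks. Use:""\n"
printf "systemctl status aidecheck.timer""\n"
printf "systemctl status aidecheck.service""\n"
printf "journalctl -u aidecheck.service""\n"

init_ok=1
exit 0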
