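#!/bin/sh
#
# audit_trail.sh - file-integrity check for a set of configuration directories.
#
# Each run hashes every regular file below WATCH_DIRS (minus the exclusions),
# compares the result with the baseline recorded by the previous run and
# reports every file whose content changed, appeared or disappeared, both to
# $LOGFILE and to syslog (facility local5, level notice, tag "[AUDIT-TRAIL]").
# The new listing then becomes the baseline, so each change is reported once.
#
# Meant to run periodically (e.g. from cron) as a user that can read
# WATCH_DIRS and write SNAPSHOT_DIR and LOGFILE. No arguments.
#
# Limitations a reader should know about:
#   * The baseline lives on the same host, in SNAPSHOT_DIR. Whoever can write
#     there can rewrite it and hide a change. The directory is kept 0700, but
#     a root-level attacker can still edit the baseline or the log; forward
#     syslog off-box if tamper evidence matters.
#   * Only file content is checked; owner, mode and timestamps are not.
#   * Names in EXCLUDE_FILES / EXCLUDE_EXTENSIONS are never checked at all.
#   * A file the hash tool cannot read is absent from the listing and is
#     therefore reported as removed (the tool's own error goes to stderr).

set -u

# Directories to watch (whitespace separated, so no blanks in these paths)
WATCH_DIRS="/etc/stacfg"

# Where snapshots and logs are stored
SNAPSHOT_DIR="/var/lib/audit_trail_snapshots"
LOGFILE="/var/log/audit_trail.log"

# Files (exact basenames) and extensions to exclude
EXCLUDE_FILES="restartReason scanlist scanlistopts.cfg isa11.rtn registration.txt ports.config"
EXCLUDE_EXTENSIONS="6dl"

# Hash tool. MD5 is collision-broken, so a replacement file with the same
# digest can be crafted; prefer SHA-256 and fall back to md5sum only where
# it is not installed. Both print "<hex digest>  <path>" per file.
HASH_CMD="sha256sum"
command -v "$HASH_CMD" >/dev/null 2>&1 || HASH_CMD="md5sum"

# Snapshot files
SNAPSHOT_FILE="$SNAPSHOT_DIR/audit_trail.snapshot"
CURRENT_FILE=""   # per-run temporary listing, created in main()

# Send one line to syslog under the local5 facility.
# $1 - message text
log_to_syslog() {
    logger -p local5.notice "[AUDIT-TRAIL] $1"
}

# Append a timestamped event to $LOGFILE and mirror it to syslog.
# $1 - event text, e.g. "File modified: /etc/stacfg/foo"
log_event() {
    _ts=$(date '+%Y-%m-%d %H:%M:%S')
    printf '%s\n' "[$_ts] $1" >> "$LOGFILE"
    log_to_syslog "[$_ts] $1"
}

# Succeed (return 0) when basename $1 must not be checked: either an exact
# match in EXCLUDE_FILES or an extension listed in EXCLUDE_EXTENSIONS.
is_excluded() {
    for _name in $EXCLUDE_FILES; do
        [ "$1" = "$_name" ] && return 0
    done
    for _ext in $EXCLUDE_EXTENSIONS; do
        case "$1" in
            *."$_ext") return 0 ;;
        esac
    done
    return 1
}

# Print one "<digest>  <path>" line for every regular file below the watched
# directories that is not excluded, sorted bytewise so the listing is stable.
# A missing directory is logged and skipped rather than silently treated as
# empty.
take_snapshot() {
    for _dir in $WATCH_DIRS; do
        if [ ! -d "$_dir" ]; then
            log_to_syslog "Watched directory missing: $_dir"
            continue
        fi
        # IFS= and -r keep leading blanks and backslashes in names intact.
        find "$_dir" -type f | while IFS= read -r _path; do
            is_excluded "${_path##*/}" || "$HASH_CMD" "$_path"
        done
    done | LC_ALL=C sort
}

# Compare baseline listing $1 with current listing $2 and print one event per
# line: "M <path>" content changed, "A <path>" new file, "D <path>" file gone,
# "H -" once if the digest length differs between the two (hash tool changed).
# Entries are joined on the exact path text, not on a grep of the path used
# as a regular expression, so "." or "[" in a filename cannot cause a wrong
# match. When the digest length differs, content is not compared for that
# file - otherwise every file would be reported as modified on the first run
# after switching hash tools.
diff_snapshots() {
    awk '
        # Strip "<digest>  " (or "<digest> *"), plus the leading "\" the hash
        # tools add for names containing a backslash or newline. Both listings
        # come from the same tool, so the escaped form is a consistent key.
        function path_of(line) {
            sub(/^\\/, "", line)
            sub(/^[0-9a-fA-F]+ [ *]/, "", line)
            return line
        }
        FILENAME == ARGV[1] { old[path_of($0)] = $1; next }
        {
            p = path_of($0)
            if (!(p in old)) { print "A " p; next }
            seen[p] = 1
            if (old[p] == $1) next
            if (length(old[p]) == length($1)) print "M " p
            else algo_changed = 1
        }
        END {
            for (p in old) if (!(p in seen)) print "D " p
            if (algo_changed) print "H -"
        }
    ' "$1" "$2"
}

main() {
    if ! mkdir -p "$SNAPSHOT_DIR"; then
        log_to_syslog "Cannot create $SNAPSHOT_DIR; aborting."
        exit 1
    fi
    # The baseline is the trust anchor for every later check; keep it out of
    # reach of other local users.
    chmod 700 "$SNAPSHOT_DIR"

    # Step 1: no baseline yet -> record one and stop; there is nothing to
    # compare it with.
    if [ ! -f "$SNAPSHOT_FILE" ]; then
        take_snapshot > "$SNAPSHOT_FILE"
        log_to_syslog "Initial checksum snapshot created for $WATCH_DIRS."
        exit 0
    fi

    # Step 2: write the current listing to a per-run temp file so two
    # overlapping runs (e.g. a slow cron job) cannot clobber each other.
    CURRENT_FILE=$(mktemp "$SNAPSHOT_DIR/audit_trail.current.XXXXXX") || {
        log_to_syslog "Cannot create temp file in $SNAPSHOT_DIR; aborting."
        exit 1
    }
    trap 'rm -f -- "$CURRENT_FILE"' EXIT
    take_snapshot > "$CURRENT_FILE"

    # Step 3: report every difference against the baseline.
    diff_snapshots "$SNAPSHOT_FILE" "$CURRENT_FILE" | while IFS= read -r _event; do
        _path=${_event#? }
        case "$_event" in
            "M "*) log_event "File modified: $_path" ;;
            "A "*) log_event "File added: $_path" ;;
            "D "*) log_event "File removed: $_path" ;;
            "H "*) log_event "Checksum tool changed to $HASH_CMD; baseline re-seeded without comparing content" ;;
        esac
    done

    # Step 4: the current listing becomes the baseline for the next run.
    # rename(2) inside one directory is atomic, so no reader ever sees a
    # half-written baseline; the EXIT trap's rm is a no-op after a successful
    # move and cleans up if the move fails.
    mv "$CURRENT_FILE" "$SNAPSHOT_FILE"
}

main "$@"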
