diff mbox series

[meta-security,7/9] classes: add aide routines

Message ID 20220618134435.2370878-7-akuster808@gmail.com
State Accepted, archived
Delegated to: Armin Kuster
Headers show
Series [meta-security,1/9] security-test-image: auto include layers if present. | expand

Commit Message

akuster808 June 18, 2022, 1:44 p.m. UTC 
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 classes/aide-base.bbclass    | 11 ++++++++
 classes/aide-db-init.bbclass | 52 ++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 classes/aide-base.bbclass
 create mode 100644 classes/aide-db-init.bbclass
diff mbox series

Patch

diff --git a/classes/aide-base.bbclass b/classes/aide-base.bbclass
new file mode 100644
index 0000000..36cc454
--- /dev/null
+++ b/classes/aide-base.bbclass
@@ -0,0 +1,11 @@ 
+#
+# Copyright 2022 Armin Kuster <akuster808@gmail.com>
+#
+
+STAGING_AIDE_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/aida"
+AIDE_INCLUDE_DIRS ?= "/lib"
+AIDE_SKIP_DIRS ?= "/lib/modules/.\*"
+
+AIDE_SCAN_POSTINIT ?= "0"
+AIDE_RESCAN_POSTINIT ?= "0"
+
diff --git a/classes/aide-db-init.bbclass b/classes/aide-db-init.bbclass
new file mode 100644
index 0000000..800006f
--- /dev/null
+++ b/classes/aide-db-init.bbclass
@@ -0,0 +1,52 @@ 
+#
+# Copyright 2022 Armin Kuster <akuster808@gmail.com>
+#
+# This class creates the initial aide database durning
+# the build cycle allowing for that set being skipped during boot
+# It has an additional benefit of having not being tamper with
+# after build.
+#
+# To have the aide db created during build
+# 1. Extend local.conf:
+#    INHERIT += "adie-init-db"
+#
+# These are the defaults as defined in aide-base.bbclass
+# They can be overriden in your local.conf or other distro include 
+#
+# To define where the share directory should be.
+#    STAGING_AIDE_DIR = "${TMPDIR}/work-shared/${MACHINE}/aida"
+#
+# To define which directories should be inclued in a scan
+#    AIDE_INCLUDE_DIRS ?= "/lib"
+#
+# To exclude directories and files from being scanned
+#    AIDE_SKIP_DIRS ?= "/lib/modules/.\*"
+#
+# To controll if a db init should happen at postint 
+#    AIDE_SCAN_POSTINIT ?= "0"
+#
+# To cotroll if a db recan should be run at postinit
+#    AIDE_RESCAN_POSTINIT ?= "0"
+
+inherit aide-base 
+
+aide_init_db() {
+    for dir in ${AIDE_INCLUDE_DIRS}; do
+        echo "${IMAGE_ROOTFS}${dir} NORMAL" >> ${STAGING_AIDE_DIR}/aide.conf
+    done
+    for dir in ${AIDE_SKIP_DIRS}; do
+        echo "!${IMAGE_ROOTFS}${dir}" >> ${STAGING_AIDE_DIR}/aide.conf
+    done
+
+
+    ${STAGING_AIDE_DIR}/bin/aide -c ${STAGING_AIDE_DIR}/aide.conf --init
+    gunzip ${STAGING_AIDE_DIR}/lib/aide.db.gz 
+    # strip out native path
+    sed -i -e 's:${IMAGE_ROOTFS}::' ${STAGING_AIDE_DIR}/lib/aide.db
+    gzip -9 ${STAGING_AIDE_DIR}/lib/aide.db 
+    cp -f ${STAGING_AIDE_DIR}/lib/aide.db.gz ${IMAGE_ROOTFS}${libdir}/aide
+}
+
+EXTRA_IMAGEDEPENDS:append = " aide-native"
+
+ROOTFS_POSTPROCESS_COMMAND:append = " aide_init_db;"