[meta-security][PATCH 7/9] classes: add aide routines


Armin Kuster
 

Signed-off-by: Armin Kuster <akuster808@...>
---
classes/aide-base.bbclass | 11 ++++++++
classes/aide-db-init.bbclass | 52 ++++++++++++++++++++++++++++++++++++
2 files changed, 63 insertions(+)
create mode 100644 classes/aide-base.bbclass
create mode 100644 classes/aide-db-init.bbclass

diff --git a/classes/aide-base.bbclass b/classes/aide-base.bbclass
new file mode 100644
index 0000000..36cc454
--- /dev/null
+++ b/classes/aide-base.bbclass
@@ -0,0 +1,11 @@
+#
+# Copyright 2022 Armin Kuster <akuster808@...>
+#
+
+STAGING_AIDE_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/aida"
+AIDE_INCLUDE_DIRS ?= "/lib"
+AIDE_SKIP_DIRS ?= "/lib/modules/.\*"
+
+AIDE_SCAN_POSTINIT ?= "0"
+AIDE_RESCAN_POSTINIT ?= "0"
+
diff --git a/classes/aide-db-init.bbclass b/classes/aide-db-init.bbclass
new file mode 100644
index 0000000..800006f
--- /dev/null
+++ b/classes/aide-db-init.bbclass
@@ -0,0 +1,52 @@
+#
+# Copyright 2022 Armin Kuster <akuster808@...>
+#
+# This class creates the initial aide database durning
+# the build cycle allowing for that set being skipped during boot
+# It has an additional benefit of having not being tamper with
+# after build.
+#
+# To have the aide db created during build
+# 1. Extend local.conf:
+# INHERIT += "adie-init-db"
+#
+# These are the defaults as defined in aide-base.bbclass
+# They can be overriden in your local.conf or other distro include
+#
+# To define where the share directory should be.
+# STAGING_AIDE_DIR = "${TMPDIR}/work-shared/${MACHINE}/aida"
+#
+# To define which directories should be inclued in a scan
+# AIDE_INCLUDE_DIRS ?= "/lib"
+#
+# To exclude directories and files from being scanned
+# AIDE_SKIP_DIRS ?= "/lib/modules/.\*"
+#
+# To controll if a db init should happen at postint
+# AIDE_SCAN_POSTINIT ?= "0"
+#
+# To cotroll if a db recan should be run at postinit
+# AIDE_RESCAN_POSTINIT ?= "0"
+
+inherit aide-base
+
+aide_init_db() {
+ for dir in ${AIDE_INCLUDE_DIRS}; do
+ echo "${IMAGE_ROOTFS}${dir} NORMAL" >> ${STAGING_AIDE_DIR}/aide.conf
+ done
+ for dir in ${AIDE_SKIP_DIRS}; do
+ echo "!${IMAGE_ROOTFS}${dir}" >> ${STAGING_AIDE_DIR}/aide.conf
+ done
+
+
+ ${STAGING_AIDE_DIR}/bin/aide -c ${STAGING_AIDE_DIR}/aide.conf --init
+ gunzip ${STAGING_AIDE_DIR}/lib/aide.db.gz
+ # strip out native path
+ sed -i -e 's:${IMAGE_ROOTFS}::' ${STAGING_AIDE_DIR}/lib/aide.db
+ gzip -9 ${STAGING_AIDE_DIR}/lib/aide.db
+ cp -f ${STAGING_AIDE_DIR}/lib/aide.db.gz ${IMAGE_ROOTFS}${libdir}/aide
+}
+
+EXTRA_IMAGEDEPENDS:append = " aide-native"
+
+ROOTFS_POSTPROCESS_COMMAND:append = " aide_init_db;"
--
2.25.1

Join yocto@lists.yoctoproject.org to automatically receive all group messages.