[yocto] [meta-security][PATCH 1/3] samhain: New ISD package

Armin Kuster akuster808 at gmail.com
Sun Aug 17 19:42:17 PDT 2014


These are the base files needed by both
client and server recipes.

Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 .../samhain/files/samhain-client.default           |   3 +
 recipes-security/samhain/files/samhain-client.init | 122 +++++++++++++++++++++
 .../samhain/files/samhain-server-volatiles         |   1 +
 .../samhain/files/samhain-server.default           |   3 +
 recipes-security/samhain/files/samhain-server.init | 116 ++++++++++++++++++++
 recipes-security/samhain/samhain.inc               |  82 ++++++++++++++
 6 files changed, 327 insertions(+)
 create mode 100644 recipes-security/samhain/files/samhain-client.default
 create mode 100644 recipes-security/samhain/files/samhain-client.init
 create mode 100644 recipes-security/samhain/files/samhain-server-volatiles
 create mode 100644 recipes-security/samhain/files/samhain-server.default
 create mode 100644 recipes-security/samhain/files/samhain-server.init
 create mode 100644 recipes-security/samhain/samhain.inc

diff --git a/recipes-security/samhain/files/samhain-client.default b/recipes-security/samhain/files/samhain-client.default
new file mode 100644
index 0000000..9899577
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-client.default
@@ -0,0 +1,3 @@
+# Set this to "yes" to start the server, after you configure it, of
+# course.
+SAMHAIN_CLIENT_START="no"
\ No newline at end of file
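Review bot: The comment on the first two lines of samhain-client.default says "start the server", but this file only sets SAMHAIN_CLIENT_START, which samhain-client.init reads from /etc/default/samhain-client to decide whether the client runs. Suggest `# Set this to "yes" to start the client, after you configure it, of` so an administrator editing the file is not led to believe it controls yule. The file also ends without a trailing newline, which is harmless when sourced but worth fixing while the file is new.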
diff --git a/recipes-security/samhain/files/samhain-client.init b/recipes-security/samhain/files/samhain-client.init
new file mode 100644
index 0000000..730e1c4
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-client.init
@@ -0,0 +1,122 @@
+#!/bin/bash
+# chkconfig: 2345 99 10
+# description: File Integrity Checking Daemon
+#
+# processname: samhain
+# config  : /etc/samhainrc
+# logfile : /var/log/samhain_log
+# database: /var/lib/samhain/samhain_file
+#
+
+NAME=samhain
+DAEMON=/usr/sbin/samhain
+RETVAL=0
+PIDFILE=/var/run/samhain.pid
+
+. /etc/default/rcS
+
+. /etc/default/samhain-client
+
+if [ "x$SAMHAIN_CLIENT_START" != "xyes" ]; then
+	echo "${0}: client disabled in /etc/default/samhain-client"
+	exit 0
+fi
+
+if [ -x $DAEMON ]; then
+	:
+else
+	echo "${0}: executable ${DAEMON} not found"
+	exit 1
+fi
+
+if [ ! -e /var/lib/samhain/samhain_file ]; then
+	echo "${0}: /var/lib/samhain/samhain_file does not exist.  You must"
+	echo "  run 'samhain -t init' before samhian-client can start."
+	exit 1
+fi
+
+samhain_done()
+{
+	if [ $RETVAL -eq 0 ]; then
+		echo "."
+	else
+		echo " failed."
+	fi
+}
+
+log_stat_msg () {
+case "$1" in
+	0)
+	echo "Service $NAME: Running";
+	;;
+	1)
+	echo "Service $NAME: Stopped and /var/run pid file exists";
+	;;
+	3)
+	echo "Service $NAME: Stopped";
+	;;
+	*)
+	echo "Service $NAME: Status unknown";
+	;;
+esac
+}
+
+case "$1" in
+  start)
+	#
+	# Remove a stale PID file, if found
+	#
+	if test -f ${PIDFILE}; then
+	    /bin/rm -f ${PIDFILE}
+	fi
+	#
+	echo -n "Starting ${NAME}"
+	/sbin/start-stop-daemon --start --quiet --exec $DAEMON
+	RETVAL=$?
+	samhain_done
+	;;
+
+  stop)
+	echo -n "Stopping $NAME"
+        ( /sbin/start-stop-daemon --stop --quiet --exec $DAEMON )
+	RETVAL=$? 
+
+	#
+	# Remove a stale PID file, if found
+	#
+	if test -f ${PIDFILE}; then
+	    /bin/rm -f ${PIDFILE}
+	fi
+        if test -S /var/run/${NAME}.sock; then
+            /bin/rm -f /var/run/${NAME}.sock
+        fi
+	samhain_done
+	;;
+
+  restart)
+	$0 stop
+	sleep 3
+	$0 start
+	RETVAL=$?
+	;;
+
+  reload|force-reload)
+       	echo -n "Reloading $NAME configuration files"
+       	/sbin/start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
+	RETVAL=$?
+	samhain_done
+	;;
+
+  status)
+	$DAEMON status
+	RETVAL=$?
+	log_stat_msg ${RETVAL}
+	;;
+
+  *)
+	echo "$0 usage: {start|stop|status|restart|reload}"
+	exit 1
+	;;
+esac
+
+exit $RETVAL
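Review bot: PIDFILE is set at the top of samhain-client.init but never passed to start-stop-daemon, so `--stop --quiet --exec $DAEMON` acts on every process whose executable is /usr/sbin/samhain rather than the instance recorded in the PID file, and the start branch removes `${PIDFILE}` unconditionally (the "stale" check is only `test -f`) before start-stop-daemon could use it to detect an already-running instance. Assuming the daemon writes the file named in PIDFILE, the usual fix is to hand it to both calls and let start-stop-daemon judge staleness: `/sbin/start-stop-daemon --start --quiet --pidfile "$PIDFILE" --exec "$DAEMON"` and `/sbin/start-stop-daemon --stop --quiet --pidfile "$PIDFILE" --exec "$DAEMON"`. `$DAEMON` should also be quoted in `[ -x $DAEMON ]`, and the message "before samhian-client can start." misspells samhain-client. The samhain-server.init hunk below has the same PID-file handling and the same unquoted test.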
diff --git a/recipes-security/samhain/files/samhain-server-volatiles b/recipes-security/samhain/files/samhain-server-volatiles
new file mode 100644
index 0000000..6b80709
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-server-volatiles
@@ -0,0 +1 @@
+d daemon daemon 0775 /var/log/yule none
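Review bot: The directory that holds the integrity server's log (/var/log/yule/yule_log per the samhain-server.init header) is created group-writable with `0775`, so any process running in group daemon can create, rename or remove entries in the audit log directory. Nothing in this series shows a second writer for it, so `d daemon daemon 0755 /var/log/yule none` is the safer default; if yule genuinely needs the group bit, a comment in the recipe saying why would make that explicit.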
diff --git a/recipes-security/samhain/files/samhain-server.default b/recipes-security/samhain/files/samhain-server.default
new file mode 100644
index 0000000..bc3d67c
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-server.default
@@ -0,0 +1,3 @@
+# Set this to "yes" to start the server, after you configure it, of
+# course.
+SAMHAIN_SERVER_START="no"
\ No newline at end of file
diff --git a/recipes-security/samhain/files/samhain-server.init b/recipes-security/samhain/files/samhain-server.init
new file mode 100644
index 0000000..89bd0aa
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-server.init
@@ -0,0 +1,116 @@
+#!/bin/bash
+# chkconfig: 2345 98 11
+# description: File Integrity Checking Daemon
+#
+# processname: yule
+# config  : /etc/yulerc
+# logfile : /var/log/yule/yule_log
+# database: /var/lib/yule/yule_file
+#
+
+NAME=yule
+DAEMON=/usr/sbin/yule
+RETVAL=0
+PIDFILE=/var/run/yule.pid
+
+. /etc/default/rcS
+
+. /etc/default/samhain-server
+
+if [ "x$SAMHAIN_SERVER_START" != "xyes" ]; then
+	echo "${0}: server disabled in /etc/default/samhain-server"
+	exit 0
+fi
+
+if [ -x $DAEMON ]; then
+	:
+else
+	echo "${0}: executable ${DAEMON} not found"
+	exit 1
+fi
+
+samhain_done()
+{
+	if [ $RETVAL -eq 0 ]; then
+		echo "."
+	else
+		echo " failed."
+	fi
+}
+
+log_stat_msg () {
+case "$1" in
+	0)
+	echo "Service $NAME: Running";
+	;;
+	1)
+	echo "Service $NAME: Stopped and /var/run pid file exists";
+	;;
+	3)
+	echo "Service $NAME: Stopped";
+	;;
+	*)
+	echo "Service $NAME: Status unknown";
+	;;
+esac
+}
+
+case "$1" in
+  start)
+	#
+	# Remove a stale PID file, if found
+	#
+	if test -f ${PIDFILE}; then
+	    /bin/rm -f ${PIDFILE}
+	fi
+	#
+	echo -n "Starting ${NAME}"
+	/sbin/start-stop-daemon --start --quiet --exec $DAEMON
+	RETVAL=$?
+	samhain_done
+	;;
+
+  stop)
+	echo -n "Stopping $NAME"
+        ( /sbin/start-stop-daemon --stop --quiet --exec $DAEMON )
+	RETVAL=$? 
+
+	#
+	# Remove a stale PID file, if found
+	#
+	if test -f ${PIDFILE}; then
+	    /bin/rm -f ${PIDFILE}
+	fi
+        if test -S /var/run/${NAME}.sock; then
+            /bin/rm -f /var/run/${NAME}.sock
+        fi
+	samhain_done
+	;;
+
+  restart)
+	$0 stop
+	sleep 3
+	$0 start
+	RETVAL=$?
+	;;
+
+  reload|force-reload)
+       	echo -n "Reloading $NAME configuration files"
+       	/sbin/start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
+	RETVAL=$?
+	samhain_done
+	;;
+
+  status)
+	$DAEMON status
+	RETVAL=$?
+	log_stat_msg ${RETVAL}
+	;;
+
+  *)
+	echo "$0 usage: {start|stop|status|restart|reload}"
+	exit 1
+	;;
+esac
+
+exit $RETVAL
diff --git a/recipes-security/samhain/samhain.inc b/recipes-security/samhain/samhain.inc
new file mode 100644
index 0000000..d6f9f82
--- /dev/null
+++ b/recipes-security/samhain/samhain.inc
@@ -0,0 +1,82 @@
+DESCRIPTION = "Provides file integrity checking and log file monitoring/analysis"
+HOMEPAGE    = "http://www.la-samhna.de/samhain/"
+LICENSE     = "GPLv2"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b"
+
+
+SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
+	   file://${INITSCRIPT_NAME}.init \
+	   file://${INITSCRIPT_NAME}.default \
+	  "
+
+SRC_URI[md5sum] = "f7fff913d016241eec6829bd5f740513"
+SRC_URI[sha256sum] = "844e8e22c0e259b4c12cd0ccacdb3d5569a2a1746b0aa1aa285febb266cbcf31"
+
+S = "${WORKDIR}/samhain-${PV}"
+
+inherit autotools-brokensep update-rc.d pkgconfig
+
+SAMHAIN_PORT ??= "49777"
+SAMHAIN_SERVER ??= "NULL"
+
+INITSCRIPT_NAME = "samhain-${SAMHAIN_MODE}"
+INITSCRIPT_PARAMS ?= "defaults"
+
+
+PACKAGECONFIG ??= ""
+
+# We have to unpack the tar ball twice to get to the source.
+# Also as soon as OE gets the tar ball it unpacks and
+# proceeds to apply the patches. But what you still have after
+# the first unpack is another tar ball. So we do a do_unpack_extra()
+# and tell OE to do the second unpack before do_patch(), otherwise
+# do_patch() will fail when trying to apply the patches.
+do_unpack_extra () {
+	cd ${WORKDIR}
+	tar -xzvf samhain-${PV}.tar.gz
+}
+addtask unpack_extra after do_unpack before do_patch
+
+# If we use oe_runconf in do_configure() it will by default
+# use the prefix --oldincludedir=/usr/include which is not
+# recognized by Samhain's configure script and would invariably
+# throw back the error "unrecognized option: --oldincludedir=/usr/include"
+do_configure () {
+    cd ${S}
+	./configure \
+	    --build=${BUILD_SYS} \
+	    --host=${HOST_SYS} \
+	    --target=${TARGET_SYS} \
+	    --prefix=${prefix} \
+	    --exec_prefix=${exec_prefix} \
+	    --bindir=${bindir} \
+	    --sbindir=${sbindir} \
+	    --libexecdir=${libexecdir} \
+	    --datadir=${datadir} \
+	    --sysconfdir=${sysconfdir} \
+	    --sharedstatedir=${sharedstatedir} \
+	    --localstatedir=${localstatedir} \
+	    --libdir=${libdir} \
+	    --includedir=${includedir} \
+	    --infodir=${infodir} \
+	    --mandir=${mandir} \
+	    ${EXTRA_OECONF}
+}
+
+# Install the init script, it's default file, and the extraneous
+# documentation.
+do_install_append () {
+    cd ${S}
+	oe_runmake install DESTDIR='${D}' INSTALL=install-boot
+	install -d ${D}${sysconfdir}/init.d
+	install -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.init \
+		${D}${sysconfdir}/init.d/${INITSCRIPT_NAME}
+
+	install -d ${D}${sysconfdir}/default
+	install -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.default \
+		${D}${sysconfdir}/default/${INITSCRIPT_NAME}
+
+	install -d ${D}${docdir}/${PN}
+	cp -r docs/* ${D}${docdir}/${PN}
+	cp -r scripts ${D}${docdir}/${PN}
+}
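Review bot: The default file is installed executable at `install -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.default \`, but /etc/default/${INITSCRIPT_NAME} is a shell fragment that the init script sources, not a program, so it should be `install -m 644 ${WORKDIR}/${INITSCRIPT_NAME}.default \` like the other files under /etc/default. Separately, do_unpack_extra extracts samhain-${PV}.tar.gz out of the "signed" bundle without checking any signature the bundle may carry, as its name suggests it does; the sha256sum on SRC_URI pins the download, so this is a documentation point rather than a gap, but a comment above do_unpack_extra stating that the inner archive's signature is not verified and that the outer checksum is the trust anchor would make that decision explicit. SAMHAIN_PORT and SAMHAIN_SERVER are declared here but nothing in this hunk consumes them; presumably the client and server recipes do, and a one-line comment naming their consumer would help the next reader.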
-- 
1.9.1



