samhain: update to 4.2.2

* update to version 4.2.2 * Add new recipe for standalone mode * Add systemd support * Add patches to fix several issues * samhain-standalone: add ptest support * samhain-server: no need to depend on samhain-server-native * Move common things from the bb to the inc file Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-06-01 13:10:33 +00:00 · 2017-08-14 08:56:26 +08:00
parent 25b8f02eea
commit 9949776684
17 changed files with 761 additions and 81 deletions
@@ -0,0 +1,3 @@
+#!/bin/sh
+current_dir=$(dirname $(readlink -f $0))
+$current_dir/cutest
@@ -0,0 +1,108 @@
+From 02a143f0068cbc6cea71359169210fbb3606d4bb Mon Sep 17 00:00:00 2001
+From: Jackie Huang <jackie.huang@windriver.com>
+Date: Mon, 18 Jan 2016 00:24:57 -0500
+Subject: [PATCH] configure: add option for ps
+
+The configure searches hardcoded host paths for PSPATH
+and run ps commands to decide PSARG which will fail
+on host without ps:
+| configure: error: Cannot find ps in any of /usr/ucb /bin /usr/bin
+
+So add an option so we can specify the ps at configure
+to avoid host contamination.
+
+Upstream-Status: Inappropriate [cross compile specific]
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ aclocal.m4   |  2 +-
+ configure.ac | 60 ++++++++++--------------------------------------------------
+ 2 files changed, 11 insertions(+), 51 deletions(-)
+
+diff --git a/aclocal.m4 b/aclocal.m4
+index a2e59a6..cd20a2f 100644
+--- a/aclocal.m4
+++ b/aclocal.m4
+@@ -409,7 +409,7 @@ x_includes=NONE
+ x_libraries=NONE
+ DESTDIR=
+ SH_ENABLE_OPTS="selinux posix-acl asm ssp db-reload xml-log message-queue login-watch process-check port-check mounts-check logfile-monitor userfiles debug ptrace static network udp nocl stealth micro-stealth install-name identity khide suidcheck base largefile mail external-scripts encrypt srp dnmalloc ipv6 shellexpand suid"
+-SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file"
+SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file ps-path"
+ 
+ # Installation directory options.
+ # These are left unexpanded so users can "make install exec_prefix=/foo"
+diff --git a/configure.ac b/configure.ac
+index 5910b1f..8c3e087 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -730,56 +730,16 @@ then
+ fi
+ AC_CHECK_HEADERS(gmp.h)
+ 
+-AC_MSG_CHECKING([for ps])
+-PS=
+-for ff in /usr/ucb /bin /usr/bin; do
+-    if test -x "$ff/ps"; then
+-       PS="$ff/ps"
+-       AC_MSG_RESULT([$PS])
+-       break
+-    fi
+-done
+-if test x$PS = x
+-then
+-	AC_MSG_RESULT([no])
+-	AC_MSG_ERROR([Cannot find ps in any of /usr/ucb /bin /usr/bin])
+-fi
+-AC_DEFINE_UNQUOTED([PSPATH], _("$PS"), [Path to ps])
+-
+-AC_MSG_CHECKING([how to use ps])
+-$PS ax >/dev/null 2>&1
+-if test $? -eq 0; then
+-   case "$host_os" in
+-   *openbsd*)
+-   one=`$PS akx | wc -l`
+-   ;;
+-   *)
+-   one=`$PS ax | wc -l`
+-   ;;
+-   esac
+-else
+-   one=0
+-fi
+-$PS -e >/dev/null 2>&1
+-if test $? -eq 0; then
+-   two=`$PS -e | wc -l`
+-else
+-   two=0
+-fi
+-if test $one -ge $two 
+-then
+-   case "$host_os" in
+-   *openbsd*)
+-	PSARG="akx"
+-	;;
+-   *)
+-	PSARG="ax"
+-	;;
+-   esac
+-else
+-	PSARG="-e"
+-fi
+-AC_DEFINE_UNQUOTED([PSARG], _("$PSARG"), [Argument for ps])
+AC_ARG_WITH(ps-path,
+	[  --with-ps-path=PATH         set path to ps command ],
+	[
+	if test "x${withval}" != xno; then
+		pspath="${withval}"
+		AC_DEFINE_UNQUOTED([PSPATH], _("${pspath}"), [Path to ps])
+		AC_DEFINE_UNQUOTED([PSARG], _("ax"), [Argument for ps])
+	fi
+	])
+
+ AC_MSG_RESULT([$PS $PSARG])
+ 
+ dnl *****************************************
+-- 
+1.9.1
+
@@ -0,0 +1,51 @@
+From f63908427b2adb1792c59edbe38618e14ef5bc7b Mon Sep 17 00:00:00 2001
+From: Jackie Huang <jackie.huang@windriver.com>
+Date: Fri, 15 Jan 2016 00:48:58 -0500
+Subject: [PATCH] Enable obfuscating binaries natively.
+
+Enable obfuscating binaries natively.
+
+The samhain build process involves an obfuscation step that attempts to
+defeat decompilation or other binary analysis techniques which might reveal
+secret information that should be known only to the system administrator.
+The obfuscation step builds several applications which run on the build host
+and then generate target code, which is then built into target binaries.
+
+This patch creates a basic infrastructure that supports building the
+obfuscation binaries natively then cross-compiling the target code by adding
+a special configure option.  In the absence of this option the old behaviour
+is preserved.
+
+Upstream-Status: Inappropriate [cross compile specific]
+    
+Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ Makefile.in | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 684e92b..fb090e2 100644
+--- a/Makefile.in
+++ b/Makefile.in
+@@ -54,7 +54,7 @@ selectconfig = @selectconfig@
+ top_builddir = .
+ 
+ INSTALL = @INSTALL@
+-INSTALL_PROGRAM = @INSTALL@ -s -m 700
+INSTALL_PROGRAM = @INSTALL@ -m 700
+ INSTALL_SHELL = @INSTALL@ -m 700
+ INSTALL_DATA = @INSTALL@ -m 600
+ INSTALL_MAN = @INSTALL@ -m 644
+@@ -525,8 +525,6 @@ install-program: $(PROGRAMS) sstrip
+ 	      echo " $(INSTALL_PROGRAM) $$p $$target"; \
+ 	      $(INSTALL_PROGRAM) $$p $$target; \
+ 	      chmod 0700 $$target; \
+-	      echo " ./sstrip $$target"; \
+-	      ./sstrip $$target; \
+ 	    else \
+ 	      echo " $(INSTALL_SHELL) $$p $$target"; \
+ 	      $(INSTALL_SHELL) $$p $$target; \
+-- 
+1.9.1
+
@@ -0,0 +1,44 @@
+commit 0f6bdc219e598de08a3f37887efa5dfa50e2b996
+Author: Aws Ismail <aws.ismail@windriver.com>
+Date:   Fri Jun 22 15:47:08 2012 -0400
+
+Hash fix for MIPS64 and AARCH64
+    
+Samhain uses the addresses of local variables in generating hash
+values.  The hashing function is designed only for 32-bit values.
+For MIPS64 when a 64-bit address is passed in the resulting hash
+exceeds the limits of the underlying mechanism and samhain
+ultimately fails.  The solution is to simply take the lower 
+32-bits of the address and use that in generating hash values.
+    
+Signed-off-by: Greg Moffatt <greg.moffatt@windriver.com>
+
+Upstream-Status: Pending
+    
+Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+
+diff --git a/src/dnmalloc.c b/src/dnmalloc.c
+index da9a5c5..fc91400 100644
+--- a/src/dnmalloc.c
+++ b/src/dnmalloc.c
+@@ -2703,11 +2703,19 @@ static void freecilst_add(chunkinfoptr p) {
+ }
+ 
+ /* Calculate the hash table entry for a chunk */
+#if defined(CONFIG_ARCH_MIPS64) || defined(CONFIG_ARCH_AARCH64)
+#ifdef STARTHEAP_IS_ZERO
+#define hash(p)  ((((unsigned long) p) & 0x7fffffff) >> 7)
+#else
+#define hash(p)  ((((unsigned long) p - (unsigned long) startheap) & 0x7fffffff) >> 7)
+#endif
+#else
+ #ifdef STARTHEAP_IS_ZERO
+ #define hash(p)  (((unsigned long) p) >> 7)
+ #else
+ #define hash(p)  (((unsigned long) p - (unsigned long) startheap) >> 7)
+ #endif
+#endif /* CONFIG_ARCH_MIPS64 */ 
+ 
+ static void
+ hashtable_add (chunkinfoptr ci)
@@ -0,0 +1,24 @@
+not run test on host, since we are doing cross-compile
+
+Upstream-status: Inappropriate [cross compile specific]
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ Makefile.in |    1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index e1b32a8..74bfdc9 100644
+--- a/Makefile.in
+++ b/Makefile.in
+@@ -1234,7 +1234,6 @@ intcutest: internal.h $(OBJECTS) $(CUTEST_OBJECTS) sh_tiger_i.o $(srcsrc)/CuTest
+ 	rm x_samhain.c; \
+ 	$(LINK) sh_tiger_i.o $(CUTEST_OBJECTS) CuTestMain.o CuTest.o $(OBJECTS) $(LIBS_TRY); \
+ 	test -f ./intcutest && mv ./intcutest ./cutest; \
+-	./cutest
+ 
+ runcutest:
+ 	gdb ./cutest
+-- 
+1.7.10.4
+
@@ -0,0 +1,27 @@
+commit a932b03b65edeb02ccad2fce06bfa68a8f2fbb04
+Author: Aws Ismail <aws.ismail@windriver.com>
+Date:   Thu Jan 10 16:29:05 2013 -0500
+
+    Set the PID Lock path for samhain.pid
+    
+    The explicit path for samhain.pid inorder
+    for samhain to work properly after it initial
+    database build.
+    
+    Upstream-Status: Inappropriate [configuration]
+
+    Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
+
+diff --git a/samhainrc.linux b/samhainrc.linux
+index 10a8176..a7b06e6 100644
+--- a/samhainrc.linux
+++ b/samhainrc.linux
+@@ -639,7 +639,7 @@ SetFileCheckTime = 86400
+ 
+ ## Path to the PID file
+ #
+-# SetLockfilePath = (default: compiled-in)
+SetLockfilePath = /run/samhain.pid
+ 
+ 
+ ## The digest/checksum/hash algorithm
@@ -0,0 +1,61 @@
+From 00fb527e45da42550156197647e01de9a6b1ad52 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Mon, 3 Mar 2014 01:50:01 -0500
+Subject: [PATCH] fix real path for some files/dirs
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ samhainrc.linux |   15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/samhainrc.linux b/samhainrc.linux
+index e9727b4..7775d83 100644
+--- a/samhainrc.linux
+++ b/samhainrc.linux
+@@ -93,7 +93,6 @@ dir = 99/etc
+ ##
+ file = /etc/mtab
+ file = /etc/fstab
+-file = /etc/adjtime
+ file = /etc/motd
+ file = /etc/lvm/lvm.conf
+ 
+@@ -153,11 +152,11 @@ dir = 99/var
+ 
+ [IgnoreAll]
+ dir = -1/var/cache
+-dir = -1/var/lock
+-dir = -1/var/mail
+-dir = -1/var/run
+dir = -1/run/lock
+dir = -1/var/spool/mail
+dir = -1/run
+ dir = -1/var/spool
+-dir = -1/var/tmp
+dir = -1/var/volatile/tmp
+ 
+ 
+ [Attributes]
+@@ -167,7 +166,7 @@ dir = -1/var/tmp
+ file = /var/lib/rpm/__db.00?
+ 
+ file = /var/lib/logrotate.status
+-file = /var/lib/random-seed
+file = /var/lib/urandom/random-seed
+ 
+ 
+ [GrowingLogFiles]
+@@ -176,7 +175,7 @@ file = /var/lib/random-seed
+ ## are ignored. Logfile rotation will cause a report because of shrinking
+ ## size and different inode. 
+ ##
+-dir = 99/var/log
+dir = 99/var/volatile/log
+ 
+ [Attributes]
+ #
+-- 
+1.7.9.5
+
@@ -0,0 +1,158 @@
+commit 4c6658441eb3ffc4e51ed70f78cbdab046957580
+Author: Aws Ismail <aws.ismail@windriver.com>
+Date:   Fri Jun 22 16:38:20 2012 -0400
+
+Make samhainrc OE-friendly.
+
+Patch the samhainrc that will be installed 
+as part of the 'make install' step to more
+accurately reflect what will be found, and
+what will be of concern, on a OE install.
+    
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
+
+diff --git a/samhainrc.linux b/samhainrc.linux
+index 9bc5ca4..10a8176 100644
+--- a/samhainrc.linux
+++ b/samhainrc.linux
+@@ -74,7 +74,6 @@ dir = 0/
+ [Attributes]
+ file = /tmp
+ file = /dev
+-file = /media
+ file = /proc
+ file = /sys
+ 
+@@ -93,19 +92,10 @@ dir = 99/etc
+ ## check permission and ownership
+ ##
+ file = /etc/mtab
+file = /etc/fstab
+ file = /etc/adjtime
+ file = /etc/motd
+-file = /etc/lvm/.cache
+-
+-# On Ubuntu, these are in /var/lib rather than /etc
+-file = /etc/cups/certs
+-file = /etc/cups/certs/0
+-
+-# managed by fstab-sync on Fedora Core
+-file = /etc/fstab
+-
+-# modified when booting 
+-file = /etc/sysconfig/hwconf
+file = /etc/lvm/lvm.conf
+ 
+ # There are files in /etc that might change, thus changing the directory
+ # timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
+@@ -147,10 +137,6 @@ dir = 99/dev
+ ##
+ dir = -1/dev/pts
+ 
+-# dir = -1/dev/.udevdb
+-
+-file = /dev/ppp
+-
+ #
+ # --------- /usr -----------
+ #
+@@ -167,50 +153,21 @@ dir = 99/var
+ 
+ [IgnoreAll]
+ dir = -1/var/cache
+-dir = -1/var/backups
+-dir = -1/var/games
+-dir = -1/var/gdm
+ dir = -1/var/lock
+ dir = -1/var/mail
+ dir = -1/var/run
+ dir = -1/var/spool
+ dir = -1/var/tmp
+-dir = -1/var/lib/texmf
+-dir = -1/var/lib/scrollkeeper
+ 
+ 
+ [Attributes]
+ 
+-dir = /var/lib/nfs
+-dir = /var/lib/pcmcia
+-
+ # /var/lib/rpm changes if packets are installed;
+ # /var/lib/rpm/__db.00[123] even more frequently
+ file = /var/lib/rpm/__db.00?
+ 
+-file = /var/lib/acpi-support/vbestate
+-file = /var/lib/alsa/asound.state
+-file = /var/lib/apt/lists/lock
+-file = /var/lib/apt/lists/partial
+-file = /var/lib/cups/certs
+-file = /var/lib/cups/certs/0
+-file = /var/lib/dpkg/lock
+-file = /var/lib/gdm
+-file = /var/lib/gdm/.cookie
+-file = /var/lib/gdm/.gdmfifo
+-file = /var/lib/gdm/:0.Xauth
+-file = /var/lib/gdm/:0.Xservers
+-file = /var/lib/logrotate/status
+-file = /var/lib/mysql
+-file = /var/lib/mysql/ib_logfile0
+-file = /var/lib/mysql/ibdata1
+-file = /var/lib/slocate
+-file = /var/lib/slocate/slocate.db
+-file = /var/lib/slocate/slocate.db.tmp
+-file = /var/lib/urandom
+-file = /var/lib/urandom/random-seed
+file = /var/lib/logrotate.status
+ file = /var/lib/random-seed
+-file = /var/lib/xkb
+ 
+ 
+ [GrowingLogFiles]
+@@ -325,7 +282,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp
+ 
+ ## Console
+ ##
+-# PrintSeverity=info
+PrintSeverity=warn
+ 
+ ## Logfile
+ ##
+@@ -333,7 +290,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp
+ 
+ ## Syslog
+ ##
+-# SyslogSeverity=none
+SyslogSeverity=info
+ 
+ ## Remote server (yule)
+ ##
+@@ -556,7 +513,8 @@ ChecksumTest=check
+ ## and I/O limit (kilobytes per second; 0 == off)
+ ## to reduce load on host.
+ #
+-# SetNiceLevel = 0
+# By default we configure samhain to be nice with everything else on the system
+SetNiceLevel = 10
+ # SetIOLimit = 0
+ 
+ ## The version string to embed in file signature databases
+@@ -565,13 +523,14 @@ ChecksumTest=check
+ 
+ ## Interval between time stamp messages
+ #
+-# SetLoopTime = 60
+-SetLoopTime = 600
+# Log a timestamp every hour
+SetLoopTime = 3600
+ 
+ ## Interval between file checks 
+ #
+ # SetFileCheckTime = 600
+-SetFileCheckTime = 7200
+# One file system check per day
+SetFileCheckTime = 86400
+ 
+ ## Alternative: crontab-like schedule
+ #
@@ -0,0 +1,22 @@
+samhain: fix sha256 for big-endian machines
+
+After computing the digest, big-endian machines would
+memset() the digest to the first byte of state instead
+of using memcpy() to transfer it.
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe Slater <jslater@windriver.com>
+
+
+--- a/src/sh_checksum.c
+++ b/src/sh_checksum.c
+@@ -468,7 +468,7 @@ void SHA256_Final(sha2_byte digest[], SH
+       }
+     }
+ #else
+-    memset(d, context->state, SHA256_DIGEST_LENGTH);
+    memcpy(d, context->state, SHA256_DIGEST_LENGTH);
+     /* bcopy(context->state, d, SHA256_DIGEST_LENGTH); */
+ #endif
+   }
@@ -0,0 +1,3 @@
+# Set this to "yes" to start the server, after you configure it, of
+# course.
+SAMHAIN_STANDALONE_START="no"
@@ -0,0 +1,123 @@
+#!/bin/sh
+# chkconfig: 2345 99 10
+# description: File Integrity Checking Daemon
+#
+# processname: samhain
+# config  : /etc/samhainrc
+# logfile : /var/log/samhain_log
+# database: /var/lib/samhain/samhain_file
+#
+
+NAME=samhain
+DAEMON=/usr/sbin/samhain
+RETVAL=0
+VERBOSE=yes
+PIDFILE=/var/run/samhain.pid
+
+. /etc/default/samhain-standalone
+
+if [ "x$SAMHAIN_STANDALONE_START" != "xyes" ]; then
+	echo "${0}: samhain disabled in /etc/default/samhain-standalone"
+	exit 0
+fi
+
+if [ -x $DAEMON ]; then
+	:
+else
+	echo "${0}: executable ${DAEMON} not found"
+	exit 1
+fi
+
+if [ ! -e /var/lib/samhain/samhain_file ]; then
+	echo "${0}: /var/lib/samhain/samhain_file does not exist.  You must"
+	echo "  run 'samhain -t init' before samhian can start."
+	exit 1
+fi
+
+samhain_done()
+{
+	if [ $RETVAL -eq 0 ]; then
+		echo "."
+	else
+		echo " failed."
+	fi
+}
+
+log_stat_msg () {
+case "$1" in
+	0)
+	echo "Service $NAME: Running";
+	;;
+	1)
+	echo "Service $NAME: Stopped and /var/run pid file exists";
+	;;
+	3)
+	echo "Service $NAME: Stopped";
+	;;
+	*)
+	echo "Service $NAME: Status unknown";
+	;;
+esac
+}
+
+case "$1" in
+  start)
+	#
+	# Remove a stale PID file, if found
+	#
+	if test -f ${PIDFILE}; then
+	    /bin/rm -f ${PIDFILE}
+	fi
+
+	echo -n "Starting ${NAME}"
+	( /sbin/start-stop-daemon --start --quiet --exec $DAEMON )
+	RETVAL=$?
+	samhain_done
+	exit $RETVAL
+	;;
+  stop)
+    echo -n "Stopping $NAME"
+    ( /sbin/start-stop-daemon --stop --quiet --exec $DAEMON )
+	RETVAL=$?
+	samhain_done
+	#
+	# Remove a stale PID file, if found
+	#
+	if test -f ${PIDFILE}; then
+	    /bin/rm -f ${PIDFILE}
+	fi
+        if test -S /var/run/${NAME}.sock; then
+            /bin/rm -f /var/run/${NAME}.sock
+        fi
+	;;
+
+  restart)
+	$0 stop
+	sleep 3
+	$0 start
+	RETVAL=$?
+	;;
+
+  reload|force-reload)
+    echo -n "Reloading $NAME configuration files"
+    ( /sbin/start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON )
+    RETVAL=$?
+	samhain_done
+    ;;
+
+  status)
+	if pidof -o %PPID $DAEMON > /dev/null; then
+	    echo "Samhain running"
+	    RETVAL=0
+	else
+	    echo "Samhain not running"
+	    RETVAL=1
+	fi
+	;;
+  *)
+	echo "$0 usage: {start|stop|status|restart|reload}"
+	exit 1
+	;;
+esac
+
+exit $RETVAL
@@ -0,0 +1,12 @@
+[Unit]
+Description=Samhain @MODE_NAME@ Daemon
+After=syslog.target network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=@LIBDIR@/@SAMHAIN_HELPER@ start
+ExecStop=@LIBDIR@/@SAMHAIN_HELPER@ stop
+
+[Install]
+WantedBy=multi-user.target
@@ -1,15 +1,11 @@
-SAMHAIN_MODE="client"
 INITSCRIPT_PARAMS = "defaults 15 85"

 require samhain.inc

-#Let the default Logserver be 127.0.0.1
+# Let the default Logserver be 127.0.0.1
 EXTRA_OECONF += " \
        --with-logserver=${SAMHAIN_SERVER} \
        --with-port=${SAMHAIN_PORT} \
-        --with-config-file=/etc/samhainrc \
-        --with-data-file=/var/samhain/samhain.data \
-        --with-pid-file=/var/samhain/samhain.pid \
        "

 RDEPENDS_${PN} = "acl zlib attr bash"
@@ -1,54 +0,0 @@
-SAMHAIN_MODE="server"
-INITSCRIPT_PARAMS = "defaults 14 86"
-
-require samhain.inc
-
-DEPENDS = "gmp samhain-server-native"
-
-EXTRA_OECONF += "--enable-network=${SAMHAIN_MODE} "
-
-# supports mysql|postgresql|oracle|odbc but postgresql is the only one available
-
-PACKAGECONFIG ??= "postgresql"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)}"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)}"
-
-PACKAGECONFIG[postgres]  = "--with-database=postgresql --enable-xml-log, "", postgresql"
-PACKAGECONFIG[suidcheck]  = "--enable-suidcheck","" , "
-PACKAGECONFIG[logwatch]  = "--enable-login-watch,"" , "
-PACKAGECONFIG[mounts]  = "--enable-mounts-check","" , "
-PACKAGECONFIG[userfiles]  = "--enable-userfiles","" , "
-PACKAGECONFIG[ipv6]  = "--enable-ipv6,"--disable-ipv6","
-PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux"
-PACKAGECONFIG[acl] = " --enable-posix-acl , --disable-posix-acl, acl"
-
-SRC_URI += "file://samhain-server-volatiles"
-
-TARGET_CC_ARCH += "${LDFLAGS}"
-
-EXTRA_OECONF += " \
-    --with-config-file=REQ_FROM_SERVER/etc/samhainrc \
-    --with-data-file=REQ_FROM_SERVER/var/lib/samhain/samhain_file \
-    "
-
-do_install_append() {
-    cd ${S}
-    install -d ${D}${sysconfdir}/default/volatiles
-    install -m 0644 ${WORKDIR}/samhain-server-volatiles \
-        ${D}${sysconfdir}/default/volatiles/samhain-server
-
-    install -m 700 samhain-install.sh init/samhain.startLinux \
-        init/samhain.startLSB ${D}/var/lib/samhain
-}
-
-PACKAGES = "${PN} ${PN}-doc ${PN}-dbg"
-
-FILES_${PN} += "${sbindir}/*"
-
-FILES_${PN}-dbg += " \
-    ${sbindir}/.debug/* \
-    "
-
-RDEPENDS_${PN} += "gmp bash perl"
-BBCLASSEXTEND = "native"
@@ -0,0 +1,21 @@
+INITSCRIPT_PARAMS = "defaults 14 86"
+
+require samhain.inc
+
+DEPENDS = "gmp"
+
+SRC_URI += "file://samhain-server-volatiles"
+
+TARGET_CC_ARCH += "${LDFLAGS}"
+
+do_install_append() {
+    install -d ${D}${sysconfdir}/default/volatiles
+    install -m 0644 ${WORKDIR}/samhain-server-volatiles \
+        ${D}${sysconfdir}/default/volatiles/samhain-server
+
+    install -m 700 samhain-install.sh init/samhain.startLinux \
+        init/samhain.startLSB ${D}/var/lib/samhain
+}
+
+RDEPENDS_${PN} += "gmp bash perl"
+BBCLASSEXTEND = "native"
@@ -0,0 +1,31 @@
+require samhain.inc
+
+SRC_URI += "file://samhain-not-run-ptest-on-host.patch \
+            file://run-ptest \
+"
+
+PROVIDES += "samhain"
+
+SYSTEMD_SERVICE_${PN} = "samhain.service"
+
+inherit ptest
+
+do_compile() {
+	if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'yes', 'no', d)}" = "yes" ]; then
+		oe_runmake cutest
+		rm -f ${S}*.o config_xor.h internal.h
+	fi
+	oe_runmake "$@"
+}
+
+do_install_append() {
+    ln -sf ${INITSCRIPT_NAME} ${D}${sysconfdir}/init.d/samhain
+}
+
+do_install_ptest() {
+	mkdir -p ${D}${PTEST_PATH}
+	install ${S}/cutest ${D}${PTEST_PATH}
+}
+
+RPROVIDES_${PN} += "samhain"
+RCONFLICTS_${PN} = "samhain-client samhain-server"
@@ -5,25 +5,60 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b"


 SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
-	   file://${INITSCRIPT_NAME}.init \
-	   file://${INITSCRIPT_NAME}.default \
-	  "
+           file://samhain-cross-compile.patch \
+           file://samhain-mips64-aarch64-dnmalloc-hash-fix.patch \
+           file://samhain-samhainrc.patch \
+           file://samhain-samhainrc-fix-files-dirs-path.patch \
+           file://samhain-pid-path.patch \
+           file://samhain-sha256-big-endian.patch \
+           file://samhain-configure-add-option-for-ps.patch \
+           file://${INITSCRIPT_NAME}.init \
+           file://${INITSCRIPT_NAME}.default \
+           file://samhain.service \
+           "

-SRC_URI[md5sum] = "6de1060d6e79c4893d8d89d5cbd3c1b0"
-SRC_URI[sha256sum] = "93beabb19ac68fb5336a3d8f6b5414de05a460ff6982c41a4e3fb2082e769791"
+SRC_URI[md5sum] = "f499d5d06bfd1d787073a45bf28dd60f"
+SRC_URI[sha256sum] = "0f3e64afb3f00064c9b136d34a72d580cd41248c5941eba0452f364a109003c7"

 S = "${WORKDIR}/samhain-${PV}"

-inherit autotools-brokensep update-rc.d pkgconfig
+inherit autotools-brokensep update-rc.d pkgconfig systemd

 SAMHAIN_PORT ??= "49777"
 SAMHAIN_SERVER ??= "NULL"

-INITSCRIPT_NAME = "samhain-${SAMHAIN_MODE}"
+INITSCRIPT_NAME = "${BPN}"
 INITSCRIPT_PARAMS ?= "defaults"

+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "${INITSCRIPT_NAME}.service"
+SYSTEMD_AUTO_ENABLE = "disable"

-PACKAGECONFIG ??= ""
+# mode mapping:
+# BPN                MODE_NAME   SAMHAIN_MODE
+# samhain-standalone standalone  no
+# samhain-client     client      client
+# samhain-server     server      server
+MODE_NAME = "${@d.getVar('BPN').split('-')[1]}"
+SAMHAIN_MODE = "${@oe.utils.ifelse(d.getVar('MODE_NAME') == 'standalone', 'no', '${MODE_NAME}')}"
+
+# supports mysql|postgresql|oracle|odbc but postgresql is the only one available
+
+PACKAGECONFIG ??= "postgresql ps"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)}"
+
+PACKAGECONFIG[postgres]  = "--with-database=postgresql --enable-xml-log, "", postgresql"
+PACKAGECONFIG[suidcheck]  = "--enable-suidcheck","" , "
+PACKAGECONFIG[logwatch]  = "--enable-login-watch,"" , "
+PACKAGECONFIG[mounts]  = "--enable-mounts-check","" , "
+PACKAGECONFIG[userfiles]  = "--enable-userfiles","" , "
+PACKAGECONFIG[ipv6]  = "--enable-ipv6,"--disable-ipv6","
+PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux"
+PACKAGECONFIG[acl] = " --enable-posix-acl , --disable-posix-acl, acl"
+PACKAGECONFIG[audit] = "ac_cv_header_auparse_h=yes,ac_cv_header_auparse_h=no,audit"
+PACKAGECONFIG[ps] = "--with-ps-path=${base_bindir}/ps,,,procps"

 do_unpack_samhain() {
    cd ${WORKDIR}
@@ -72,6 +107,9 @@ do_configure () {
 	--includedir=${includedir} \
 	--infodir=${infodir} \
 	--mandir=${mandir} \
+	--enable-network=${SAMHAIN_MODE} \
+	--with-pid-file=${localstatedir}/run/samhain.pid \
+	--with-data-file=${localstatedir}/lib/samhain/samhain_file \
 	${EXTRA_OECONF}
 }

@@ -82,24 +120,36 @@ do_compile_prepend_libc-musl () {
 # Install the init script, it's default file, and the extraneous
 # documentation.
 do_install_append () {
-	cd ${S}
 	oe_runmake install DESTDIR='${D}' INSTALL=install-boot
-	install -d ${D}${sysconfdir}/init.d
-	install -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.init \
+
+	install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.init \
 		${D}${sysconfdir}/init.d/${INITSCRIPT_NAME}

-	install -d ${D}${sysconfdir}/default
-	install -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.default \
+	install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.default \
 		${D}${sysconfdir}/default/${INITSCRIPT_NAME}

-	install -d ${D}${docdir}/${PN}
-	cp -r docs/* ${D}${docdir}/${PN}
-	cp -r scripts ${D}${docdir}/${PN}
-	install -d -m 755 ${D}/var/samhain
+	if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+		if [ "${SAMHAIN_MODE}" = "no" ]; then
+		    install -D -m 0644 ${WORKDIR}/samhain.service ${D}/${systemd_system_unitdir}/samhain.service
+		else
+		    install -D -m 0644 ${WORKDIR}/samhain.service ${D}/${systemd_system_unitdir}/${BPN}.service
+		fi
+		install -D -m 0755 ${WORKDIR}/${BPN}.init ${D}/${libexecdir}/${BPN}
+		sed -i -e 's,@LIBDIR@,${libexecdir},' \
+		       -e 's,@SAMHAIN_HELPER@,${BPN},' \
+		       -e 's,@MODE_NAME@,${MODE_NAME},' \
+		       ${D}${systemd_system_unitdir}/samhain*.service
+    fi
+
+	install -d ${D}${docdir}/${BPN}
+	cp -r docs/* ${D}${docdir}/${BPN}
+	cp -r scripts ${D}${docdir}/${BPN}
+	install -d -m 755 ${D}${localstatedir}/samhain
+
+	# Prevent QA warnings about installed ${localstatedir}/run
+	if [ -d ${D}${localstatedir}/run ]; then
+		rmdir ${D}${localstatedir}/run
+	fi
 }

-FILES_${PN} += "\
-    /run \
-    "
-
-INSANE_SKIP_${PN} = "already-stripped"
+FILES_${PN} += "${systemd_system_unitdir}"