linux-yocto%.bbappend: Add audit.cfg

Add audit.cfg configuration fragment. By default it is not appended
to SRC_URI. It allows enabling the audit kernel subsystem which may
help to debug appraisal issues. Boot with "integrity_audit=1" to
capture a more complete set of events in /var/log/audit/.

Previously the same configuration fragment was provided by layer
meta-security-framework but it is no longer maintained therefore it
makes sense to have audit.cfg in layer meta-integrity.

Signed-off-by: Leon Anavi <leon.anavi@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

meta-integrity/README.md

@@ -219,12 +219,16 @@ executing the file is no longer allowed:
     -sh: /usr/bin/rpm: Permission denied
 
 Enabling the audit kernel subsystem may help to debug appraisal
-issues. Enable it by adding the meta-security-framework layer and
+issues. Enable it by adding a kernel configuration fragment and
 changing your local.conf:
     SRC_URI:append:pn-linux-yocto = " file://audit.cfg"
     CORE_IMAGE_EXTRA_INSTALL += "auditd"
 
-Then boot with "ima_appraise=log ima_appraise_tcb".
+Then boot with "ima_appraise=log ima_appraise_tcb integrity_audit=1".
+For example, for QEMU by changing variable QB_KERNEL_CMDLINE_APPEND
+in your local.conf:
+    QB_KERNEL_CMDLINE_APPEND:remove:pn-integrity-image-minimal = "ima_policy=tcb ima_appraise=fix"
+    QB_KERNEL_CMDLINE_APPEND:append:pn-integrity-image-minimal = " ima_appraise=log ima_appraise_tcb integrity_audit=1"
 
 Adding auditd is not strictly necessary but helps to capture a
 more complete set of events in /var/log/audit/ and search in

meta-integrity/recipes-kernel/linux/linux-yocto%.bbappend

@@ -1 +1,3 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/linux:"
+
 require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux_ima.inc', '', d)}

meta-integrity/recipes-kernel/linux/linux/audit.cfg

@@ -0,0 +1,2 @@
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y