1
votes

I'm trying to add auditd to Yocto Linux. I added the selinux layer and its dependent layers: openembedded-core and meta-virtualization. I added the layers to bblayers.conf. I added DISTRO_FEATURES_append = " acl xattr pam selinux" and PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls" to the local.conf file.

After building (by using bitbake core-image-base) and running qemu, the kauditd process is running, but the user-space tools are not. The /etc/audit folder does not exist, none of the audit config files exist (audit.rules), and no user-space audit process is running. In the layer's info it is declared as "User space tools for kernel auditing".

What am I missing? Thanks.

2
Did you try to install the audit package to IMAGE_FEATURES? (I didn't see that in the OP above). I usually look (based on the Yocto mega reference manual) on the openembedded site to find recipe names: layers.openembedded.org/layerindex/branch/master/recipes/… - cowboydan
Do you mean to add IMAGE_FEATURES += "package-management" to the audit recipe? - MissRob
I was suggesting adding IMAGE_FEATURES += " audit" to local.conf. - cowboydan
I already tried it, it does not even compile. Do you have any other suggestions? - MissRob
I have the same problem... @MissRob did you find any solution? - msd

2 Answers

0
votes

I think I found something that will answer your question: If you know an example binary or library that you expect to be in the target image, you can find what recipe the executable is in, and then add that package to the image.

  1. Start with the name of a binary or library you expect to be in the image and run the following. For me, I am using a CAN bus executable called candump. I wonder what recipe it's in? To find out, I issue:

    devtool search candump

Which returns:

    can-utils

If nothing is returned, I'd double check your conf/bblayers.conf so that the layer you think it may be in is actually being seen by your build system. If you are unsure, take a look at the link below which points to OpenEmbedded which has a handy search utility for packages.

  2. After you find the recipe, you can then include that recipe into your build.

Here is a good reference in doing what I think you're asking on the OpenEmbedded website: https://wiki.yoctoproject.org/wiki/Cookbook:Example:Adding_packages_to_your_OS_image

0
votes

I just added auditd to my system. This is what I did.

First I got the repository checked out.

    cd /path/to/yocto
    git clone git://git.yoctoproject.org/meta-selinux
    cd meta-selinux
    # checkout the branch matching the Yocto release you are on
    git checkout thud

Then I added auditd to my build.

    cd /path/to/build
    bitbake-layers add-layer /path/to/yocto/meta-selinux
    cat >> conf/local.conf <<'END'
    IMAGE_INSTALL_append = " auditd"
    END
    bitbake my_normal_image_target

Even though the Yocto recipe is called audit, the package name is auditd.

Of course, auditd without selinux is useless but it did attempt to run (journalctl -u auditd) and /etc/audit exists.


FWIW: To get auditd to a point where it reports, say, login success/failure, I had to do a few more things. I'm not just adding it to a standard Yocto image, but to a custom image and custom machine. I'm already using systemd so I didn't have to change that (the layer seems to indicate it's required?). My local.conf looked like this.

    # enable selinux
    DISTRO_FEATURES_append = " acl xattr pam selinux"
    # set the policy
    PREFERRED_PROVIDER_virtual/refpolicy ?= "refpolicy-mls"
    # install selinux packages and auditd
    IMAGE_INSTALL_append = " packagegroup-core-selinux auditd"
    # tell the kernel to enable selinux (non-enforcing) and auditing
    APPEND_append = " selinux=1 enforcing=0 audit=1"

I also had to change linux-yocto_selinux.inc to load selinux.cfg later. Probably layer/recipe ordering could have solved this too?

-SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}"
+SRC_URI_append = "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'file://selinux.cfg', '', d)}"
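Review bot: the string returned on the "+" line has no leading space, and _append concatenates without inserting whitespace, unlike the += it replaces. When the selinux feature is set, 'file://selinux.cfg' is therefore glued onto whatever entry currently ends SRC_URI, which corrupts that entry and can leave selinux.cfg out of the kernel configuration. Return ' file://selinux.cfg' (with the leading space) instead, and consider a one-line comment saying that the append is deferred so the fragment is applied after the other kernel config fragments.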

With all that in place, I see audit logs in my journal.
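
A pre-build check for the local.conf settings listed in the answer above, as an added example that is not part of the original answer. The function names and the sample file are constructed for illustration; the variable names and values it looks for are the ones from the answer.

```shell
#!/bin/sh
# Added example: lint conf/local.conf for the settings from the answer above.
# Function names and the sample file are constructed for illustration.

# conf_values FILE VAR: print every quoted value assigned to VAR, including
# VAR_append (and the newer VAR:append spelling); commented lines are skipped.
conf_values() {
    sed -n "s|^[[:space:]]*$2\([_:]append\)\{0,1\}[[:space:]]*[?+:.]*=[[:space:]]*\"\(.*\)\"[[:space:]]*\$|\2|p" "$1"
}

# has_word FILE VAR WORD: succeed if WORD is a whole token in VAR's values.
has_word() {
    conf_values "$1" "$2" | tr ' \t' '\n\n' | grep -qxF -- "$3"
}

# unspaced_appends FILE: list append assignments whose value does not start
# with a space; BitBake would glue that value onto the previous token.
unspaced_appends() {
    grep -nE '^[[:space:]]*[A-Za-z0-9_/-]+[_:]append[[:space:]]*=[[:space:]]*"[^ "]' "$1"
}

# check_audit_conf FILE: report each problem; exit status = problem count.
check_audit_conf() {
    conf=$1; problems=0
    for f in acl xattr pam selinux; do
        has_word "$conf" DISTRO_FEATURES "$f" ||
            { echo "DISTRO_FEATURES lacks '$f'"; problems=$((problems + 1)); }
    done
    for p in packagegroup-core-selinux auditd; do
        has_word "$conf" IMAGE_INSTALL "$p" ||
            { echo "IMAGE_INSTALL lacks '$p'"; problems=$((problems + 1)); }
    done
    has_word "$conf" APPEND audit=1 ||
        { echo "kernel command line (APPEND) lacks audit=1"; problems=$((problems + 1)); }
    if unspaced_appends "$conf"; then
        echo "append value(s) above lack a leading space"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: audit=1 is commented out and one append lacks its space.
sample=$(mktemp)
cat > "$sample" <<'END'
DISTRO_FEATURES_append = " acl xattr pam selinux"
IMAGE_INSTALL_append = "packagegroup-core-selinux auditd"
# APPEND_append = " selinux=1 enforcing=0 audit=1"
END
check_audit_conf "$sample"; echo "problems found: $?"
rm -f "$sample"
```

It only reads plain quoted assignments in the one file it is given, so settings made in a distro or image recipe are not seen.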