| # |
| # Copyright 2023 Google LLC |
| # |
| # This program is free software; you can redistribute it and/or |
| # modify it under the terms of the GNU General Public License |
| # version 2 as published by the Free Software Foundation. |
| # |
| # This program is distributed in the hope that it will be useful, |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| # GNU General Public License for more details. |
| # |
| |
| EAPI=7 |
| |
| # go-module: offline module build from ${P}-deps.tar.xz; systemd: unit helpers |
| # used in src_install. NOTE(review): src_compile also relies on tc-getGO |
| # (toolchain-funcs) and on protoc / protoc-gen-go being on PATH; neither is |
| # declared via inherit or BDEPEND here — presumably supplied by the SDK or the |
| # go-module eclass, confirm before relying on a clean chroot. |
| inherit go-module systemd |
| |
| DESCRIPTION="Google CIS Scanner" |
| HOMEPAGE="https://github.com/google/localtoast" |
| |
| # Besides the upstream source, two bare distfile names with no URL are listed: |
| # the grafeas proto tree pinned to a specific commit (its Go code is generated |
| # in src_compile, not pulled through go.sum) and the Go module bundle. Both |
| # must be present on the local distfiles mirror. The grafeas commit hash here |
| # must match the one used in src_compile when it is bumped. |
| SRC_URI="https://github.com/google/localtoast/archive/${PV}.tar.gz -> ${P}.tar.gz |
| grafeas-0163b5bb2ff5afbf059ddf472fb4d128faae85e3.tar.gz |
| ${P}-deps.tar.xz" |
| |
| # In order to list licenses of dependencies, build the package and run |
| # `go-licenses csv "github.com/google/localtoast"` |
| LICENSE="Apache-2.0 BSD MPL-2.0" |
| SLOT="0" |
| KEYWORDS="*" |
| IUSE="" |
| DEPEND="" |
| # Runtime: the scanner binary is driven by the cis-compliance units/config |
| # installed below, hence the hard dependency. |
| RDEPEND="${DEPEND} |
| app-admin/cis-compliance |
| " |
| |
| |
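| # src_compile: graft the pinned grafeas protos into the localtoast tree, |
| # regenerate the Go proto bindings and build a static scanner binary. |
| # Every step now dies on failure; previously a failed mv/sed/protoc was |
| # silently ignored and only the final go build was checked. |
| src_compile() { |
| 	# GOTRACEBACK=crash makes a Go runtime panic dump all goroutines and abort |
| 	# with a core, which is the most useful output if the build tooling fails. |
| 	export GOTRACEBACK="crash" |
| 	GO=$(tc-getGO) |
| 	export GO |
| |
| 	# grafeas does not ship compiled Go protos that could be pulled through |
| 	# go.sum, so its proto/v1 tree is fetched as a separate commit-pinned |
| 	# tarball (see SRC_URI) and grafted in as scannerlib/proto/v1. When |
| 	# bumping localtoast, take the grafeas revision from its build_protos.sh, |
| 	# add that tarball to the local mirror and update the hash here and in |
| 	# SRC_URI accordingly. |
| 	local grafeas_dir="${WORKDIR}/grafeas-0163b5bb2ff5afbf059ddf472fb4d128faae85e3" |
| 	mv "${grafeas_dir}"/proto/v1 scannerlib/proto || die "grafting grafeas protos failed" |
| 	# The old cleanup removed "${WORKDIR}/<hash>", a path that never existed; |
| 	# the unpacked directory carries the "grafeas-" prefix. |
| 	rm -rf "${grafeas_dir}" |
| |
| 	# Point the generated Go packages at localtoast's in-tree import paths so |
| 	# protoc-gen-go emits them next to the rest of scannerlib/proto. |
| 	sed -i \ |
| 		's#option go_package = ".*";#option go_package = "github.com/google/localtoast/scannerlib/proto/compliance_go_proto";#g' \ |
| 		scannerlib/proto/v1/compliance.proto || die "patching compliance.proto failed" |
| 	sed -i \ |
| 		's#option go_package = ".*";#option go_package = "github.com/google/localtoast/scannerlib/proto/severity_go_proto";#g' \ |
| 		scannerlib/proto/v1/severity.proto || die "patching severity.proto failed" |
| |
| 	# Compile protos. --go_out lays the output out under the full import path, |
| 	# so the generated tree is hoisted back into scannerlib/proto afterwards. |
| 	protoc -I=scannerlib --go_out=scannerlib/proto \ |
| 		scannerlib/proto/*.proto \ |
| 		scannerlib/proto/v1/compliance.proto \ |
| 		scannerlib/proto/v1/severity.proto || die "protoc failed" |
| 	mv scannerlib/proto/github.com/google/localtoast/scannerlib/proto/* scannerlib/proto/ \ |
| 		|| die "relocating generated protos failed" |
| 	rm -r scannerlib/proto/github.com || die |
| |
| 	# Build the CIS Scanner. CGO_ENABLED=0 forces a pure-Go build with no cgo |
| 	# and therefore no libc linkage in the resulting binary. |
| 	CGO_ENABLED=0 "${GO}" build localtoast.go || die "go build failed" |
| } |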
| |
| |
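| # src_install: install the scanner binary, the merged COS benchmark config, |
| # the per-architecture environment file and systemd units, and enable the |
| # level-1 service at boot. The arm64/amd64 branches only differed in the |
| # "${ARCH}" suffix of the files they installed, so they are collapsed into |
| # one path behind an explicit architecture check. |
| src_install() { |
| 	# einfo instead of the previous ebegin, which had no matching eend. |
| 	einfo "Installing CIS Scanner" |
| 	newbin localtoast cis_scanner |
| |
| 	# The benchmark configs are split into general_linux and cos-specific |
| 	# parts; the `configs` make target merges them into one full config per |
| 	# COS branch. |
| 	emake configs |
| 	# Keep the install path local to this function rather than leaking a |
| 	# global into the ebuild environment. |
| 	local config_path=/usr/share/google/security/cis-compliance/ |
| 	insinto "${config_path}" |
| 	# cos_97 is the latest branch at the time of writing; this may need to |
| 	# change when the scanner is updated. |
| 	newins configs/full/cos_97/instance_scanning.textproto cis_config.textproto |
| |
| 	# Environment variables used by the cis-compliance-scanner services. |
| 	insinto /etc/cis-scanner |
| |
| 	# Only architectures that have matching files/ entries are supported. |
| 	case "${ARCH}" in |
| 	arm64|amd64) ;; |
| 	*) die "unsupported architecture: ${ARCH}" ;; |
| 	esac |
| 	newins "${FILESDIR}/env_vars_${ARCH}" env_vars |
| 	systemd_newunit "${FILESDIR}/cis-compliance-scanner-${ARCH}.service" cis-compliance-scanner.service |
| 	systemd_newunit "${FILESDIR}/cis-level1-${ARCH}.service" cis-level1.service |
| 	systemd_newunit "${FILESDIR}/cis-level2-${ARCH}.service" cis-level2.service |
| 	systemd_dounit "${FILESDIR}"/cis-compliance-scanner.timer |
| |
| 	# Start cis-level1.service at bootup time. cis-level2.service and the |
| 	# timer are installed but not enabled here. |
| 	systemd_enable_service multi-user.target cis-level1.service |
| } |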