Angstrom Filesystem Analysis using A.I.D.E.

Several list members have expressed frustration with Angstrom's package manager making undocumented changes which invariably break functionality between revisions, so here is a brief synopsis on how to use a System Integrity Verification (SIV) analysis to determine which files have changed between opkg upgrades. The SIV used for this example is the Advanced Intrusion Detection Environment (http://aide.sourceforge.net/).

There are several dependencies for A.I.D.E. which are not met with the stock Angstrom distro, so for simplicity I used my desktop Ubuntu host to perform the SIV scanning and analysis.

On your desktop Linux machine:

# apt-get install aide

Once A.I.D.E. is installed (and before you do an opkg update && opkg upgrade on the BeagleBone), attach the BeagleBone Angstrom SD card to your Linux desktop machine and verify that the SD card has been properly mounted with an assigned mountpoint:

# mount
/dev/mapper/ubuntu-root on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
none on /run/user type tmpfs (rw,noexec,nosuid,nodev,size=104857600,mode=0755)
/dev/sda1 on /boot type ext2 (rw)
gvfsd-fuse on /run/user/gregoryperry/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,user=gregoryperry)
/dev/sdb2 on /media/gregoryperry/Angstrom-Cloud9- type ext4 (rw,nosuid,nodev,uhelper=udisks2)
/dev/sdb1 on /media/gregoryperry/BEAGLE_BONE type vfat (rw,nosuid,nodev,uid=1000,gid=1000,shortname=mixed,dmask=0077,utf8=1,showexec,flush,uhelper=udisks2)
# ls -ald /media/gregoryperry/Angstrom-Cloud9-/
drwxr-xr-x 19 root root 4096 Nov 21 10:40 /media/gregoryperry/Angstrom-Cloud9-/

This directory/mountpoint needs to be added to the A.I.D.E. configuration file so that a database of cryptographic hashes can be built for the Angstrom SD card contents.

# find / -name aide.conf -print
/etc/aide/aide.conf
# vi /etc/aide/aide.conf

(or use pico or whatever...)

Add the following as the last line of the aide.conf file:

/media/gregoryperry/Angstrom-Cloud9-/ Full

The first entry is the fully qualified path to the Angstrom SD card; the "Full" modifier tells A.I.D.E. to use all SIV checks when scanning this directory.

The next step is to initialize the A.I.D.E. database with a full scan of the Angstrom SD card:

# aide --init -c /etc/aide/aide.conf

By default the database that is created is named aide.db.new to prevent overwrites of previous databases, so rename the database you created to the filename expected by A.I.D.E. for subsequent SIV scans:

# mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

Unmount the Angstrom SD card, pop it in your BeagleBone and boot it up, then log in and do an opkg update && opkg upgrade.

Once the opkg update is complete, gracefully shut down the BeagleBone and attach the SD card to your desktop Linux machine again.

On your desktop machine, do a SIV scan with:

# aide --check -c /etc/aide/aide.conf
AIDE 0.15.1 found differences between database and filesystem!!
Start timestamp: 2013-01-09 12:08:28

Summary:
  Total number of files: 80413
  Added files: 0
  Removed files: 0
  Changed files: 33
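
The same baseline-then-compare cycle reduced to content hashes only, as an added example that is not part of the original post and is not A.I.D.E.'s own code. The function names (siv_scan, siv_init, siv_check, siv_demo) and the demo tree are hypothetical, GNU find, sort, xargs and sha256sum are assumed, and only file contents are tracked, not the other attributes A.I.D.E. checks.

```shell
#!/bin/sh
# Added example: content-hash baseline/compare, a simplified stand-in for AIDE.

# Print "<sha256>  <path>" for every regular file under ROOT, in stable path order.
siv_scan() (
    cd "$1" || exit 2
    find . -xdev -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum
)

# Write a new baseline to DB.new; like aide --init, it never overwrites DB itself.
siv_init() { siv_scan "$1" > "$2.new"; }

# Compare ROOT against baseline DB; list differences, return non-zero if any.
siv_check() (
    now=$(mktemp) || exit 2
    siv_scan "$1" > "$now"
    rc=0
    awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }  # path -> hash
        { p = substr($0, 67); seen[p] = 1
          if (!(p in old))       { print "added: " p;   a++ }
          else if (old[p] != $1) { print "changed: " p; c++ } }
        END { for (p in old) if (!(p in seen)) { print "removed: " p; r++ }
              printf "Summary: added=%d removed=%d changed=%d\n", a, r, c
              exit (a + r + c > 0) }
    ' "$2" "$now" || rc=$?
    rm -f "$now"
    exit "$rc"
)

# Constructed demo tree standing in for the mounted SD card (no real data).
siv_demo() (
    work=$(mktemp -d) || exit 2
    mkdir -p "$work/card/etc" "$work/card/usr/bin"
    echo v1   > "$work/card/usr/bin/tool"
    echo keep > "$work/card/etc/keep.conf"
    echo old  > "$work/card/etc/old.conf"
    # The baseline lives outside the scanned tree, as the AIDE database does above.
    siv_init "$work/card" "$work/siv.db" && mv "$work/siv.db.new" "$work/siv.db"
    # Simulate an upgrade: one file rewritten, one removed, one added.
    echo v2  > "$work/card/usr/bin/tool"
    rm "$work/card/etc/old.conf"
    echo new > "$work/card/etc/new.conf"
    siv_check "$work/card" "$work/siv.db" || true
    rm -rf "$work"
)

siv_demo
```

File names containing newlines or backslashes are not handled, because sha256sum escapes them and shifts the path offset.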