From 81dcc109a47b0589abf6fc4ea4bd545bc22216d8 Mon Sep 17 00:00:00 2001
From: mgrimesix <126630154+mgrimesix@users.noreply.github.com>
Date: Wed, 19 Feb 2025 10:45:16 -0800
Subject: [PATCH] NAS-133968 / 25.10 / Update mtree to better support
 cryptographic verification for STIG (#824)

* Fixup list of file system object to remove or ignore.
Added a 'fixup' list to handle objects that get their permission changed on install.

* Update comment.
---
 scale_build/image/mtree.py | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/scale_build/image/mtree.py b/scale_build/image/mtree.py
index 6e28f68..7ab6914 100644
--- a/scale_build/image/mtree.py
+++ b/scale_build/image/mtree.py
@@ -17,6 +17,7 @@ MTREE_DIRS = ['boot', 'etc', 'usr', 'opt', 'var', 'conf/audit_rules']
 # eliminate files being flagged as changed rather than simply added to our
 # base install.
 ETC_FILES_TO_REMOVE = [
+    'etc/audit/rules.d/audit.rules',  # Not used by TrueNAS
     'etc/exports',
     'etc/ftpusers',
     'etc/idmapd.conf',
@@ -40,6 +41,18 @@ ETC_FILES_TO_REMOVE = [
     'etc/snmp/snmpd.conf',
     'etc/ssh/sshd_config',
     'etc/syslog-ng/syslog-ng.conf',
+    'etc/rc2.d/K01ssh',             # systemd removes these symlinks on ssh start
+    'etc/rc3.d/K01ssh',
+    'etc/rc4.d/K01ssh',
+    'etc/rc5.d/K01ssh',
+    'etc/initramfs-tools/modules',  # These two are not used by systemd
+    'etc/modules',
+]
+
+# Some files or directories get the permission mode changed on install.
+# The following is a list of tuples (files, mode).
+# Preemptively change the mode before generating the mtree.
+OBJS_TO_FIXUP = [
 ]
 
 
@@ -67,6 +80,13 @@ def _do_mtree_impl(mtree_file_path, version):
             '/usr/bin/bsdtar',
             '-f', f.name,
             '-c', '--format=mtree',
+            '--exclude', './boot/initrd.img*',
+            '--exclude', './etc/aliases',
+            '--exclude', './etc/audit/audit.rules',  # TrueNAS managed and audited
+            '--exclude', './etc/console-setup/cached_setup_*',
+            '--exclude', './etc/default/keyboard',
+            '--exclude', './etc/default/kdump-tools',
+            '--exclude', './etc/default/zfs',        # Modifed in usr/local/bin/truenas-initrd.py
             '--exclude', './etc/fstab',
             '--exclude', './etc/group',
             '--exclude', './etc/machine-id',
@@ -90,6 +110,7 @@ def _do_mtree_impl(mtree_file_path, version):
             '--exclude', './var/log/*',
             '--exclude', './var/lib/dbus/machine-id',
             '--exclude', './var/lib/certmonger/cas/*',
+            '--exclude', './var/lib/smartmontools/*',
             '--options', '!all,mode,uid,gid,type,link,size,sha256',
         ]
         run(cmd + MTREE_DIRS)
@@ -110,6 +131,12 @@ def generate_mtree(target_root_dir, version):
     for file in ETC_FILES_TO_REMOVE:
         os.unlink(os.path.join(target_root_dir, file))
 
+    # Some files and/or directories get their permission mode changed
+    # after install.  We preemptively make those mode changes here
+    # to avoid unnecessary reporting.
+    for fs_obj, mode in OBJS_TO_FIXUP:
+        os.chmod(os.path.join(target_root_dir, fs_obj), mode)
+
     mtree_file_path = os.path.realpath(MTREE_UPDATE_FILE)
 
     with chdir(target_root_dir):