From e23a63699b9e8e487bb0b50409e528876e92b4e5 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Mon, 22 Oct 2018 13:52:29 +0200
Subject: [PATCH] firmware: finish mtree for base/kernel
---
 src/opnsense/scripts/firmware/health.sh | 34 ++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 4 deletions(-)
diff --git a/src/opnsense/scripts/firmware/health.sh b/src/opnsense/scripts/firmware/health.sh
index 1d180c92a..adeb0299a 100755
--- a/src/opnsense/scripts/firmware/health.sh
+++ b/src/opnsense/scripts/firmware/health.sh
@@ -32,6 +32,29 @@ PKG_PROGRESS_FILE=/tmp/pkg_upgrade.progress
 # Truncate upgrade progress file
 : > ${PKG_PROGRESS_FILE}
+MTREE_PATTERNS="
+./etc/group
+./etc/hosts
+./etc/master.passwd
+./etc/motd
+./etc/newsyslog.conf
+./etc/passwd
+./etc/pwd.db
+./etc/rc
+./etc/rc.shutdown
+./etc/shells
+./etc/spwd.db
+./etc/ttys
+./var/*
+"
+
+GREP_PATTERNS=
+
+for PATTERN in ${MTREE_PATTERNS}; do
+ GREP_PATTERNS="$(echo "${GREP_PATTERNS}${PATTERN} missing")
+"
+done
+
 set_check()
 {
 SET=${1}
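Review bot: The `for PATTERN in ${MTREE_PATTERNS}` loop expands the list unquoted, so the `./var/*` entry is subject to pathname expansion against whatever directory the script is started from, and the contents of GREP_PATTERNS then depend on the working directory. Wrapping the loop in `set -f` and `set +f` keeps that entry literal. The list also needs a comment saying what it means for the audit: the second hunk passes it to `mtree -X` and filters the matching "missing" lines, so these paths, which include `./etc/master.passwd`, `./etc/spwd.db` and `./etc/rc`, appear not to be verified at all. Something like `# locally modified files: excluded from the mtree audit, changes to them are NOT reported` above `MTREE_PATTERNS=` would keep a reader of the report from assuming they were checked.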
@@ -42,16 +65,19 @@ set_check()
 return
 fi
- echo "Detect installed ${SET} files with invalid checksums" >> ${PKG_PROGRESS_FILE}
+ echo ">>> Check for missing or altered ${SET} files" >> ${PKG_PROGRESS_FILE}
- ${MTREE} < ${FILE} >> ${PKG_PROGRESS_FILE} 2>&1
+ echo "${MTREE_PATTERNS}" > /tmp/mtree.${1}
+ ${MTREE} -X /tmp/mtree.${1} < ${FILE} | grep -Fvx "${GREP_PATTERNS}" \
+ | grep -v '^\./var/.* missing$' >> ${PKG_PROGRESS_FILE} 2>&1
+ rm /tmp/mtree.${1}
 }
 echo "***GOT REQUEST TO AUDIT HEALTH***" >> ${PKG_PROGRESS_FILE}
 set_check base ${BASE_MTREE}
 set_check kernel ${KERNEL_MTREE}
-echo "Check for and install missing package dependencies" >> ${PKG_PROGRESS_FILE}
+echo ">>> Check for and install missing package dependencies" >> ${PKG_PROGRESS_FILE}
 pkg check -da >> ${PKG_PROGRESS_FILE} 2>&1
-echo "Detect installed package files with invalid checksums" >> ${PKG_PROGRESS_FILE}
+echo ">>> Check for missing or altered package files" >> ${PKG_PROGRESS_FILE}
 pkg check -sa >> ${PKG_PROGRESS_FILE} 2>&1
 echo '***DONE***' >> ${PKG_PROGRESS_FILE}
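Review bot: `/tmp/mtree.${1}` is a fixed, predictable name in a shared temporary directory, and the redirect on the added `echo` line writes through whatever already exists at that path, so an integrity check that presumably runs with elevated rights depends on a file another local account could have put there first. The exclude file should be created with `mktemp`, and that name used for the `-X` argument and the `rm`, as sketched below. Separately, the trailing `2>&1` now binds only to the last `grep`, so mtree's own diagnostics no longer reach the progress file as they did on the removed line; if that is not intended, the redirect belongs on the mtree command as well. set_check() begins above this hunk.

```shell
	# … unchanged: progress-file header echo …
	EXCLUDES=$(mktemp -q /tmp/mtree.XXXXXX) || return
	echo "${MTREE_PATTERNS}" > "${EXCLUDES}"
	${MTREE} -X "${EXCLUDES}" < ${FILE} | grep -Fvx "${GREP_PATTERNS}" \
	    | grep -v '^\./var/.* missing$' >> ${PKG_PROGRESS_FILE} 2>&1
	rm -f "${EXCLUDES}"
```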