samhain: update to 4.2.2master-wip2

* update to version 4.2.2
* Add new recipe for standalone mode
* Add systemd support
* Add patches to fix several issues
* samhain-standalone: add ptest support
* samhain-server: no need to depend on samhain-server-native
* Move common things from the bb to the inc file

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

17 files changed, 763 insertions, 83 deletions

diff --git a/recipes-security/samhain/files/run-ptest b/recipes-security/samhain/files/run-ptest
new file mode 100755
index 0000000..2a4a765
--- /dev/null
+++ b/recipes-security/samhain/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+current_dir=$(dirname $(readlink -f $0))
+$current_dir/cutest
diff --git a/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch b/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch
new file mode 100644
index 0000000..8de0735
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch
@@ -0,0 +1,108 @@
+From 02a143f0068cbc6cea71359169210fbb3606d4bb Mon Sep 17 00:00:00 2001
+From: Jackie Huang <jackie.huang@windriver.com>
+Date: Mon, 18 Jan 2016 00:24:57 -0500
+Subject: [PATCH] configure: add option for ps
+
+The configure searches hardcoded host paths for PSPATH
+and run ps commands to decide PSARG which will fail
+on host without ps:
+| configure: error: Cannot find ps in any of /usr/ucb /bin /usr/bin
+
+So add an option so we can specify the ps at configure
+to avoid host contamination.
+
+Upstream-Status: Inappropriate [cross compile specific]
+
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ aclocal.m4   |  2 +-
+ configure.ac | 60 ++++++++++--------------------------------------------------
+ 2 files changed, 11 insertions(+), 51 deletions(-)
+
+diff --git a/aclocal.m4 b/aclocal.m4
+index a2e59a6..cd20a2f 100644
+--- a/aclocal.m4
++++ b/aclocal.m4
+@@ -409,7 +409,7 @@ x_includes=NONE
+ x_libraries=NONE
+ DESTDIR=
+ SH_ENABLE_OPTS="selinux posix-acl asm ssp db-reload xml-log message-queue login-watch process-check port-check mounts-check logfile-monitor userfiles debug ptrace static network udp nocl stealth micro-stealth install-name identity khide suidcheck base largefile mail external-scripts encrypt srp dnmalloc ipv6 shellexpand suid"
+-SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file"
++SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file ps-path"
+ 
+ # Installation directory options.
+ # These are left unexpanded so users can "make install exec_prefix=/foo"
+diff --git a/configure.ac b/configure.ac
+index 5910b1f..8c3e087 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -730,56 +730,16 @@ then
+ fi
+ AC_CHECK_HEADERS(gmp.h)
+ 
+-AC_MSG_CHECKING([for ps])
+-PS=
+-for ff in /usr/ucb /bin /usr/bin; do
+-    if test -x "$ff/ps"; then
+-       PS="$ff/ps"
+-       AC_MSG_RESULT([$PS])
+-       break
+-    fi
+-done
+-if test x$PS = x
+-then
+-       AC_MSG_RESULT([no])
+-       AC_MSG_ERROR([Cannot find ps in any of /usr/ucb /bin /usr/bin])
+-fi
+-AC_DEFINE_UNQUOTED([PSPATH], _("$PS"), [Path to ps])
+-
+-AC_MSG_CHECKING([how to use ps])
+-$PS ax >/dev/null 2>&1
+-if test $? -eq 0; then
+-   case "$host_os" in
+-   *openbsd*)
+-   one=`$PS akx | wc -l`
+-   ;;
+-   *)
+-   one=`$PS ax | wc -l`
+-   ;;
+-   esac
+-else
+-   one=0
+-fi
+-$PS -e >/dev/null 2>&1
+-if test $? -eq 0; then
+-   two=`$PS -e | wc -l`
+-else
+-   two=0
+-fi
+-if test $one -ge $two 
+-then
+-   case "$host_os" in
+-   *openbsd*)
+-       PSARG="akx"
+-       ;;
+-   *)
+-       PSARG="ax"
+-       ;;
+-   esac
+-else
+-       PSARG="-e"
+-fi
+-AC_DEFINE_UNQUOTED([PSARG], _("$PSARG"), [Argument for ps])
++AC_ARG_WITH(ps-path,
++       [  --with-ps-path=PATH         set path to ps command ],
++       [
++       if test "x${withval}" != xno; then
++               pspath="${withval}"
++               AC_DEFINE_UNQUOTED([PSPATH], _("${pspath}"), [Path to ps])
++               AC_DEFINE_UNQUOTED([PSARG], _("ax"), [Argument for ps])
++       fi
++       ])
++
+ AC_MSG_RESULT([$PS $PSARG])
+ 
+ dnl *****************************************
+-- 
+1.9.1
+
diff --git a/recipes-security/samhain/files/samhain-cross-compile.patch b/recipes-security/samhain/files/samhain-cross-compile.patch
new file mode 100644
index 0000000..7f80a5c
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-cross-compile.patch
@@ -0,0 +1,51 @@
+From f63908427b2adb1792c59edbe38618e14ef5bc7b Mon Sep 17 00:00:00 2001
+From: Jackie Huang <jackie.huang@windriver.com>
+Date: Fri, 15 Jan 2016 00:48:58 -0500
+Subject: [PATCH] Enable obfuscating binaries natively.
+
+Enable obfuscating binaries natively.
+
+The samhain build process involves an obfuscation step that attempts to
+defeat decompilation or other binary analysis techniques which might reveal
+secret information that should be known only to the system administrator.
+The obfuscation step builds several applications which run on the build host
+and then generate target code, which is then built into target binaries.
+
+This patch creates a basic infrastructure that supports building the
+obfuscation binaries natively then cross-compiling the target code by adding
+a special configure option.  In the absence of this option the old behaviour
+is preserved.
+
+Upstream-Status: Inappropriate [cross compile specific]
+    
+Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ Makefile.in | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 684e92b..fb090e2 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -54,7 +54,7 @@ selectconfig = @selectconfig@
+ top_builddir = .
+ 
+ INSTALL = @INSTALL@
+-INSTALL_PROGRAM = @INSTALL@ -s -m 700
++INSTALL_PROGRAM = @INSTALL@ -m 700
+ INSTALL_SHELL = @INSTALL@ -m 700
+ INSTALL_DATA = @INSTALL@ -m 600
+ INSTALL_MAN = @INSTALL@ -m 644
+@@ -525,8 +525,6 @@ install-program: $(PROGRAMS) sstrip
+              echo " $(INSTALL_PROGRAM) $$p $$target"; \
+              $(INSTALL_PROGRAM) $$p $$target; \
+              chmod 0700 $$target; \
+-             echo " ./sstrip $$target"; \
+-             ./sstrip $$target; \
+            else \
+              echo " $(INSTALL_SHELL) $$p $$target"; \
+              $(INSTALL_SHELL) $$p $$target; \
+-- 
+1.9.1
+
diff --git a/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch b/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
new file mode 100644
index 0000000..0608660
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
@@ -0,0 +1,44 @@
+commit 0f6bdc219e598de08a3f37887efa5dfa50e2b996
+Author: Aws Ismail <aws.ismail@windriver.com>
+Date:   Fri Jun 22 15:47:08 2012 -0400
+
+Hash fix for MIPS64 and AARCH64
+    
+Samhain uses the addresses of local variables in generating hash
+values.  The hashing function is designed only for 32-bit values.
+For MIPS64 when a 64-bit address is passed in the resulting hash
+exceeds the limits of the underlying mechanism and samhain
+ultimately fails.  The solution is to simply take the lower 
+32-bits of the address and use that in generating hash values.
+    
+Signed-off-by: Greg Moffatt <greg.moffatt@windriver.com>
+
+Upstream-Status: Pending
+    
+Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+
+diff --git a/src/dnmalloc.c b/src/dnmalloc.c
+index da9a5c5..fc91400 100644
+--- a/src/dnmalloc.c
++++ b/src/dnmalloc.c
+@@ -2703,11 +2703,19 @@ static void freecilst_add(chunkinfoptr p) {
+ }
+ 
+ /* Calculate the hash table entry for a chunk */
++#if defined(CONFIG_ARCH_MIPS64) || defined(CONFIG_ARCH_AARCH64)
++#ifdef STARTHEAP_IS_ZERO
++#define hash(p)  ((((unsigned long) p) & 0x7fffffff) >> 7)
++#else
++#define hash(p)  ((((unsigned long) p - (unsigned long) startheap) & 0x7fffffff) >> 7)
++#endif
++#else
+ #ifdef STARTHEAP_IS_ZERO
+ #define hash(p)  (((unsigned long) p) >> 7)
+ #else
+ #define hash(p)  (((unsigned long) p - (unsigned long) startheap) >> 7)
+ #endif
++#endif /* CONFIG_ARCH_MIPS64 */ 
+ 
+ static void
+ hashtable_add (chunkinfoptr ci)
diff --git a/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch b/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch
new file mode 100644
index 0000000..5284313
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch
@@ -0,0 +1,24 @@
+not run test on host, since we are doing cross-compile
+
+Upstream-status: Inappropriate [cross compile specific]
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ Makefile.in |    1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index e1b32a8..74bfdc9 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -1234,7 +1234,6 @@ intcutest: internal.h $(OBJECTS) $(CUTEST_OBJECTS) sh_tiger_i.o $(srcsrc)/CuTest
+        rm x_samhain.c; \
+        $(LINK) sh_tiger_i.o $(CUTEST_OBJECTS) CuTestMain.o CuTest.o $(OBJECTS) $(LIBS_TRY); \
+        test -f ./intcutest && mv ./intcutest ./cutest; \
+-       ./cutest
+ 
+ runcutest:
+        gdb ./cutest
+-- 
+1.7.10.4
+
diff --git a/recipes-security/samhain/files/samhain-pid-path.patch b/recipes-security/samhain/files/samhain-pid-path.patch
new file mode 100644
index 0000000..592bd16
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-pid-path.patch
@@ -0,0 +1,27 @@
+commit a932b03b65edeb02ccad2fce06bfa68a8f2fbb04
+Author: Aws Ismail <aws.ismail@windriver.com>
+Date:   Thu Jan 10 16:29:05 2013 -0500
+
+    Set the PID Lock path for samhain.pid
+    
+    The explicit path for samhain.pid inorder
+    for samhain to work properly after it initial
+    database build.
+    
+    Upstream-Status: Inappropriate [configuration]
+
+    Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
+
+diff --git a/samhainrc.linux b/samhainrc.linux
+index 10a8176..a7b06e6 100644
+--- a/samhainrc.linux
++++ b/samhainrc.linux
+@@ -639,7 +639,7 @@ SetFileCheckTime = 86400
+ 
+ ## Path to the PID file
+ #
+-# SetLockfilePath = (default: compiled-in)
++SetLockfilePath = /run/samhain.pid
+ 
+ 
+ ## The digest/checksum/hash algorithm
diff --git a/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch b/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
new file mode 100644
index 0000000..dad6b15
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
@@ -0,0 +1,61 @@
+From 00fb527e45da42550156197647e01de9a6b1ad52 Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Mon, 3 Mar 2014 01:50:01 -0500
+Subject: [PATCH] fix real path for some files/dirs
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+---
+ samhainrc.linux |   15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/samhainrc.linux b/samhainrc.linux
+index e9727b4..7775d83 100644
+--- a/samhainrc.linux
++++ b/samhainrc.linux
+@@ -93,7 +93,6 @@ dir = 99/etc
+ ##
+ file = /etc/mtab
+ file = /etc/fstab
+-file = /etc/adjtime
+ file = /etc/motd
+ file = /etc/lvm/lvm.conf
+ 
+@@ -153,11 +152,11 @@ dir = 99/var
+ 
+ [IgnoreAll]
+ dir = -1/var/cache
+-dir = -1/var/lock
+-dir = -1/var/mail
+-dir = -1/var/run
++dir = -1/run/lock
++dir = -1/var/spool/mail
++dir = -1/run
+ dir = -1/var/spool
+-dir = -1/var/tmp
++dir = -1/var/volatile/tmp
+ 
+ 
+ [Attributes]
+@@ -167,7 +166,7 @@ dir = -1/var/tmp
+ file = /var/lib/rpm/__db.00?
+ 
+ file = /var/lib/logrotate.status
+-file = /var/lib/random-seed
++file = /var/lib/urandom/random-seed
+ 
+ 
+ [GrowingLogFiles]
+@@ -176,7 +175,7 @@ file = /var/lib/random-seed
+ ## are ignored. Logfile rotation will cause a report because of shrinking
+ ## size and different inode. 
+ ##
+-dir = 99/var/log
++dir = 99/var/volatile/log
+ 
+ [Attributes]
+ #
+-- 
+1.7.9.5
+
diff --git a/recipes-security/samhain/files/samhain-samhainrc.patch b/recipes-security/samhain/files/samhain-samhainrc.patch
new file mode 100644
index 0000000..145700a
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-samhainrc.patch
@@ -0,0 +1,158 @@
+commit 4c6658441eb3ffc4e51ed70f78cbdab046957580
+Author: Aws Ismail <aws.ismail@windriver.com>
+Date:   Fri Jun 22 16:38:20 2012 -0400
+
+Make samhainrc OE-friendly.
+
+Patch the samhainrc that will be installed 
+as part of the 'make install' step to more
+accurately reflect what will be found, and
+what will be of concern, on a OE install.
+    
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
+
+diff --git a/samhainrc.linux b/samhainrc.linux
+index 9bc5ca4..10a8176 100644
+--- a/samhainrc.linux
++++ b/samhainrc.linux
+@@ -74,7 +74,6 @@ dir = 0/
+ [Attributes]
+ file = /tmp
+ file = /dev
+-file = /media
+ file = /proc
+ file = /sys
+ 
+@@ -93,19 +92,10 @@ dir = 99/etc
+ ## check permission and ownership
+ ##
+ file = /etc/mtab
++file = /etc/fstab
+ file = /etc/adjtime
+ file = /etc/motd
+-file = /etc/lvm/.cache
+-
+-# On Ubuntu, these are in /var/lib rather than /etc
+-file = /etc/cups/certs
+-file = /etc/cups/certs/0
+-
+-# managed by fstab-sync on Fedora Core
+-file = /etc/fstab
+-
+-# modified when booting 
+-file = /etc/sysconfig/hwconf
++file = /etc/lvm/lvm.conf
+ 
+ # There are files in /etc that might change, thus changing the directory
+ # timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
+@@ -147,10 +137,6 @@ dir = 99/dev
+ ##
+ dir = -1/dev/pts
+ 
+-# dir = -1/dev/.udevdb
+-
+-file = /dev/ppp
+-
+ #
+ # --------- /usr -----------
+ #
+@@ -167,50 +153,21 @@ dir = 99/var
+ 
+ [IgnoreAll]
+ dir = -1/var/cache
+-dir = -1/var/backups
+-dir = -1/var/games
+-dir = -1/var/gdm
+ dir = -1/var/lock
+ dir = -1/var/mail
+ dir = -1/var/run
+ dir = -1/var/spool
+ dir = -1/var/tmp
+-dir = -1/var/lib/texmf
+-dir = -1/var/lib/scrollkeeper
+ 
+ 
+ [Attributes]
+ 
+-dir = /var/lib/nfs
+-dir = /var/lib/pcmcia
+-
+ # /var/lib/rpm changes if packets are installed;
+ # /var/lib/rpm/__db.00[123] even more frequently
+ file = /var/lib/rpm/__db.00?
+ 
+-file = /var/lib/acpi-support/vbestate
+-file = /var/lib/alsa/asound.state
+-file = /var/lib/apt/lists/lock
+-file = /var/lib/apt/lists/partial
+-file = /var/lib/cups/certs
+-file = /var/lib/cups/certs/0
+-file = /var/lib/dpkg/lock
+-file = /var/lib/gdm
+-file = /var/lib/gdm/.cookie
+-file = /var/lib/gdm/.gdmfifo
+-file = /var/lib/gdm/:0.Xauth
+-file = /var/lib/gdm/:0.Xservers
+-file = /var/lib/logrotate/status
+-file = /var/lib/mysql
+-file = /var/lib/mysql/ib_logfile0
+-file = /var/lib/mysql/ibdata1
+-file = /var/lib/slocate
+-file = /var/lib/slocate/slocate.db
+-file = /var/lib/slocate/slocate.db.tmp
+-file = /var/lib/urandom
+-file = /var/lib/urandom/random-seed
++file = /var/lib/logrotate.status
+ file = /var/lib/random-seed
+-file = /var/lib/xkb
+ 
+ 
+ [GrowingLogFiles]
+@@ -325,7 +282,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp
+ 
+ ## Console
+ ##
+-# PrintSeverity=info
++PrintSeverity=warn
+ 
+ ## Logfile
+ ##
+@@ -333,7 +290,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp
+ 
+ ## Syslog
+ ##
+-# SyslogSeverity=none
++SyslogSeverity=info
+ 
+ ## Remote server (yule)
+ ##
+@@ -556,7 +513,8 @@ ChecksumTest=check
+ ## and I/O limit (kilobytes per second; 0 == off)
+ ## to reduce load on host.
+ #
+-# SetNiceLevel = 0
++# By default we configure samhain to be nice with everything else on the system
++SetNiceLevel = 10
+ # SetIOLimit = 0
+ 
+ ## The version string to embed in file signature databases
+@@ -565,13 +523,14 @@ ChecksumTest=check
+ 
+ ## Interval between time stamp messages
+ #
+-# SetLoopTime = 60
+-SetLoopTime = 600
++# Log a timestamp every hour
++SetLoopTime = 3600
+ 
+ ## Interval between file checks 
+ #
+ # SetFileCheckTime = 600
+-SetFileCheckTime = 7200
++# One file system check per day
++SetFileCheckTime = 86400
+ 
+ ## Alternative: crontab-like schedule
+ #
diff --git a/recipes-security/samhain/files/samhain-sha256-big-endian.patch b/recipes-security/samhain/files/samhain-sha256-big-endian.patch
new file mode 100644
index 0000000..3065c73
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-sha256-big-endian.patch
@@ -0,0 +1,22 @@
+samhain: fix sha256 for big-endian machines
+
+After computing the digest, big-endian machines would
+memset() the digest to the first byte of state instead
+of using memcpy() to transfer it.
+
+Upstream-Status: Pending
+
+Signed-off-by: Joe Slater <jslater@windriver.com>
+
+
+--- a/src/sh_checksum.c
++++ b/src/sh_checksum.c
+@@ -468,7 +468,7 @@ void SHA256_Final(sha2_byte digest[], SH
+       }
+     }
+ #else
+-    memset(d, context->state, SHA256_DIGEST_LENGTH);
++    memcpy(d, context->state, SHA256_DIGEST_LENGTH);
+     /* bcopy(context->state, d, SHA256_DIGEST_LENGTH); */
+ #endif
+   }
diff --git a/recipes-security/samhain/files/samhain-standalone.default b/recipes-security/samhain/files/samhain-standalone.default
new file mode 100644
index 0000000..507a59f
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-standalone.default
@@ -0,0 +1,3 @@
+# Set this to "yes" to start the server, after you configure it, of
+# course.
+SAMHAIN_STANDALONE_START="no"
diff --git a/recipes-security/samhain/files/samhain-standalone.init b/recipes-security/samhain/files/samhain-standalone.init
new file mode 100644
index 0000000..ac28efd
--- /dev/null
+++ b/recipes-security/samhain/files/samhain-standalone.init
@@ -0,0 +1,123 @@
+#!/bin/sh
+# chkconfig: 2345 99 10
+# description: File Integrity Checking Daemon
+#
+# processname: samhain
+# config  : /etc/samhainrc
+# logfile : /var/log/samhain_log
+# database: /var/lib/samhain/samhain_file
+#
+
+NAME=samhain
+DAEMON=/usr/sbin/samhain
+RETVAL=0
+VERBOSE=yes
+PIDFILE=/var/run/samhain.pid
+
+. /etc/default/samhain-standalone
+
+if [ "x$SAMHAIN_STANDALONE_START" != "xyes" ]; then
+        echo "${0}: samhain disabled in /etc/default/samhain-standalone"
+        exit 0
+fi
+
+if [ -x $DAEMON ]; then
+        :
+else
+        echo "${0}: executable ${DAEMON} not found"
+        exit 1
+fi
+
+if [ ! -e /var/lib/samhain/samhain_file ]; then
+        echo "${0}: /var/lib/samhain/samhain_file does not exist.  You must"
+        echo "  run 'samhain -t init' before samhian can start."
+        exit 1
+fi
+
+samhain_done()
+{
+        if [ $RETVAL -eq 0 ]; then
+                echo "."
+        else
+                echo " failed."
+        fi
+}
+
+log_stat_msg () {
+case "$1" in
+        0)
+        echo "Service $NAME: Running";
+        ;;
+        1)
+        echo "Service $NAME: Stopped and /var/run pid file exists";
+        ;;
+        3)
+        echo "Service $NAME: Stopped";
+        ;;
+        *)
+        echo "Service $NAME: Status unknown";
+        ;;
+esac
+}
+
+case "$1" in
+  start)
+        #
+        # Remove a stale PID file, if found
+        #
+        if test -f ${PIDFILE}; then
+            /bin/rm -f ${PIDFILE}
+        fi
+
+        echo -n "Starting ${NAME}"
+        ( /sbin/start-stop-daemon --start --quiet --exec $DAEMON )
+        RETVAL=$?
+        samhain_done
+        exit $RETVAL
+        ;;
+  stop)
+    echo -n "Stopping $NAME"
+    ( /sbin/start-stop-daemon --stop --quiet --exec $DAEMON )
+        RETVAL=$?
+        samhain_done
+        #
+        # Remove a stale PID file, if found
+        #
+        if test -f ${PIDFILE}; then
+            /bin/rm -f ${PIDFILE}
+        fi
+        if test -S /var/run/${NAME}.sock; then
+            /bin/rm -f /var/run/${NAME}.sock
+        fi
+        ;;
+
+  restart)
+        $0 stop
+        sleep 3
+        $0 start
+        RETVAL=$?
+        ;;
+
+  reload|force-reload)
+    echo -n "Reloading $NAME configuration files"
+    ( /sbin/start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON )
+    RETVAL=$?
+        samhain_done
+    ;;
+
+  status)
+        if pidof -o %PPID $DAEMON > /dev/null; then
+            echo "Samhain running"
+            RETVAL=0
+        else
+            echo "Samhain not running"
+            RETVAL=1
+        fi
+        ;;
+  *)
+        echo "$0 usage: {start|stop|status|restart|reload}"
+        exit 1
+        ;;
+esac
+
+exit $RETVAL
diff --git a/recipes-security/samhain/files/samhain.service b/recipes-security/samhain/files/samhain.service
new file mode 100644
index 0000000..e6dc3b9
--- /dev/null
+++ b/recipes-security/samhain/files/samhain.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Samhain @MODE_NAME@ Daemon
+After=syslog.target network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=@LIBDIR@/@SAMHAIN_HELPER@ start
+ExecStop=@LIBDIR@/@SAMHAIN_HELPER@ stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/recipes-security/samhain/samhain-client_4.2.1.bb b/recipes-security/samhain/samhain-client_4.2.2.bb
index 4b04326..812408e 100644
--- a/recipes-security/samhain/samhain-client_4.2.1.bb
+++ b/recipes-security/samhain/samhain-client_4.2.2.bb
@@ -1,15 +1,11 @@
-SAMHAIN_MODE="client"
 INITSCRIPT_PARAMS = "defaults 15 85"
 
 require samhain.inc
 
-#Let the default Logserver be 127.0.0.1
+# Let the default Logserver be 127.0.0.1
 EXTRA_OECONF += " \
         --with-logserver=${SAMHAIN_SERVER} \
         --with-port=${SAMHAIN_PORT} \
-        --with-config-file=/etc/samhainrc \
-        --with-data-file=/var/samhain/samhain.data \
-        --with-pid-file=/var/samhain/samhain.pid \
         "
 
 RDEPENDS_${PN} = "acl zlib attr bash"
diff --git a/recipes-security/samhain/samhain-server_4.2.1.bb b/recipes-security/samhain/samhain-server_4.2.1.bb
deleted file mode 100644
index 7ef84db..0000000
--- a/recipes-security/samhain/samhain-server_4.2.1.bb
+++ /dev/null
@@ -1,54 +0,0 @@
-SAMHAIN_MODE="server"
-INITSCRIPT_PARAMS = "defaults 14 86"
-
-require samhain.inc
-
-DEPENDS = "gmp samhain-server-native"
-
-EXTRA_OECONF += "--enable-network=${SAMHAIN_MODE} "
-
-# supports mysql|postgresql|oracle|odbc but postgresql is the only one available
-
-PACKAGECONFIG ??= "postgresql"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)}"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)}"
-
-PACKAGECONFIG[postgres]  = "--with-database=postgresql --enable-xml-log, "", postgresql"
-PACKAGECONFIG[suidcheck]  = "--enable-suidcheck","" , "
-PACKAGECONFIG[logwatch]  = "--enable-login-watch,"" , "
-PACKAGECONFIG[mounts]  = "--enable-mounts-check","" , "
-PACKAGECONFIG[userfiles]  = "--enable-userfiles","" , "
-PACKAGECONFIG[ipv6]  = "--enable-ipv6,"--disable-ipv6","
-PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux"
-PACKAGECONFIG[acl] = " --enable-posix-acl , --disable-posix-acl, acl"
-
-SRC_URI += "file://samhain-server-volatiles"
-
-TARGET_CC_ARCH += "${LDFLAGS}"
-
-EXTRA_OECONF += " \
-    --with-config-file=REQ_FROM_SERVER/etc/samhainrc \
-    --with-data-file=REQ_FROM_SERVER/var/lib/samhain/samhain_file \
-    "
-
-do_install_append() {
-    cd ${S}
-    install -d ${D}${sysconfdir}/default/volatiles
-    install -m 0644 ${WORKDIR}/samhain-server-volatiles \
-        ${D}${sysconfdir}/default/volatiles/samhain-server
-
-    install -m 700 samhain-install.sh init/samhain.startLinux \
-        init/samhain.startLSB ${D}/var/lib/samhain
-}
-
-PACKAGES = "${PN} ${PN}-doc ${PN}-dbg"
-
-FILES_${PN} += "${sbindir}/*"
-
-FILES_${PN}-dbg += " \
-    ${sbindir}/.debug/* \
-    "
-
-RDEPENDS_${PN} += "gmp bash perl"
-BBCLASSEXTEND = "native"
diff --git a/recipes-security/samhain/samhain-server_4.2.2.bb b/recipes-security/samhain/samhain-server_4.2.2.bb
new file mode 100644
index 0000000..67f1ec5
--- /dev/null
+++ b/recipes-security/samhain/samhain-server_4.2.2.bb
@@ -0,0 +1,21 @@
+INITSCRIPT_PARAMS = "defaults 14 86"
+
+require samhain.inc
+
+DEPENDS = "gmp"
+
+SRC_URI += "file://samhain-server-volatiles"
+
+TARGET_CC_ARCH += "${LDFLAGS}"
+
+do_install_append() {
+    install -d ${D}${sysconfdir}/default/volatiles
+    install -m 0644 ${WORKDIR}/samhain-server-volatiles \
+        ${D}${sysconfdir}/default/volatiles/samhain-server
+
+    install -m 700 samhain-install.sh init/samhain.startLinux \
+        init/samhain.startLSB ${D}/var/lib/samhain
+}
+
+RDEPENDS_${PN} += "gmp bash perl"
+BBCLASSEXTEND = "native"
diff --git a/recipes-security/samhain/samhain-standalone_4.2.2.bb b/recipes-security/samhain/samhain-standalone_4.2.2.bb
new file mode 100644
index 0000000..4fed9e9
--- /dev/null
+++ b/recipes-security/samhain/samhain-standalone_4.2.2.bb
@@ -0,0 +1,31 @@
+require samhain.inc
+
+SRC_URI += "file://samhain-not-run-ptest-on-host.patch \
+            file://run-ptest \
+"
+
+PROVIDES += "samhain"
+
+SYSTEMD_SERVICE_${PN} = "samhain.service"
+
+inherit ptest
+
+do_compile() {
+        if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'yes', 'no', d)}" = "yes" ]; then
+                oe_runmake cutest
+                rm -f ${S}*.o config_xor.h internal.h
+        fi
+        oe_runmake "$@"
+}
+
+do_install_append() {
+    ln -sf ${INITSCRIPT_NAME} ${D}${sysconfdir}/init.d/samhain
+}
+
+do_install_ptest() {
+        mkdir -p ${D}${PTEST_PATH}
+        install ${S}/cutest ${D}${PTEST_PATH}
+}
+
+RPROVIDES_${PN} += "samhain"
+RCONFLICTS_${PN} = "samhain-client samhain-server"
diff --git a/recipes-security/samhain/samhain.inc b/recipes-security/samhain/samhain.inc
index 007264d..83b2db2 100644
--- a/recipes-security/samhain/samhain.inc
+++ b/recipes-security/samhain/samhain.inc
@@ -5,25 +5,60 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b"
 
 
 SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
-           file://${INITSCRIPT_NAME}.init \
-           file://${INITSCRIPT_NAME}.default \
-          "
-
-SRC_URI[md5sum] = "6de1060d6e79c4893d8d89d5cbd3c1b0"
-SRC_URI[sha256sum] = "93beabb19ac68fb5336a3d8f6b5414de05a460ff6982c41a4e3fb2082e769791"
+           file://samhain-cross-compile.patch \
+           file://samhain-mips64-aarch64-dnmalloc-hash-fix.patch \
+           file://samhain-samhainrc.patch \
+           file://samhain-samhainrc-fix-files-dirs-path.patch \
+           file://samhain-pid-path.patch \
+           file://samhain-sha256-big-endian.patch \
+           file://samhain-configure-add-option-for-ps.patch \
+           file://${INITSCRIPT_NAME}.init \
+           file://${INITSCRIPT_NAME}.default \
+           file://samhain.service \
+           "
+
+SRC_URI[md5sum] = "f499d5d06bfd1d787073a45bf28dd60f"
+SRC_URI[sha256sum] = "0f3e64afb3f00064c9b136d34a72d580cd41248c5941eba0452f364a109003c7"
 
 S = "${WORKDIR}/samhain-${PV}"
 
-inherit autotools-brokensep update-rc.d pkgconfig
+inherit autotools-brokensep update-rc.d pkgconfig systemd
 
 SAMHAIN_PORT ??= "49777"
 SAMHAIN_SERVER ??= "NULL"
 
-INITSCRIPT_NAME = "samhain-${SAMHAIN_MODE}"
+INITSCRIPT_NAME = "${BPN}"
 INITSCRIPT_PARAMS ?= "defaults"
 
-
-PACKAGECONFIG ??= ""
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "${INITSCRIPT_NAME}.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+# mode mapping:
+# BPN                MODE_NAME   SAMHAIN_MODE
+# samhain-standalone standalone  no
+# samhain-client     client      client
+# samhain-server     server      server
+MODE_NAME = "${@d.getVar('BPN').split('-')[1]}"
+SAMHAIN_MODE = "${@oe.utils.ifelse(d.getVar('MODE_NAME') == 'standalone', 'no', '${MODE_NAME}')}"
+
+# supports mysql|postgresql|oracle|odbc but postgresql is the only one available
+
+PACKAGECONFIG ??= "postgresql ps"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)}"
+
+PACKAGECONFIG[postgres]  = "--with-database=postgresql --enable-xml-log, "", postgresql"
+PACKAGECONFIG[suidcheck]  = "--enable-suidcheck","" , "
+PACKAGECONFIG[logwatch]  = "--enable-login-watch,"" , "
+PACKAGECONFIG[mounts]  = "--enable-mounts-check","" , "
+PACKAGECONFIG[userfiles]  = "--enable-userfiles","" , "
+PACKAGECONFIG[ipv6]  = "--enable-ipv6,"--disable-ipv6","
+PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux"
+PACKAGECONFIG[acl] = " --enable-posix-acl , --disable-posix-acl, acl"
+PACKAGECONFIG[audit] = "ac_cv_header_auparse_h=yes,ac_cv_header_auparse_h=no,audit"
+PACKAGECONFIG[ps] = "--with-ps-path=${base_bindir}/ps,,,procps"
 
 do_unpack_samhain() {
     cd ${WORKDIR}
@@ -72,6 +107,9 @@ do_configure () {
         --includedir=${includedir} \
         --infodir=${infodir} \
         --mandir=${mandir} \
+        --enable-network=${SAMHAIN_MODE} \
+        --with-pid-file=${localstatedir}/run/samhain.pid \
+        --with-data-file=${localstatedir}/lib/samhain/samhain_file \
         ${EXTRA_OECONF}
 }
 
@@ -82,24 +120,36 @@ do_compile_prepend_libc-musl () {
 # Install the init script, it's default file, and the extraneous
 # documentation.
 do_install_append () {
-        cd ${S}
         oe_runmake install DESTDIR='${D}' INSTALL=install-boot
-        install -d ${D}${sysconfdir}/init.d
-        install -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.init \
+
+        install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.init \
                 ${D}${sysconfdir}/init.d/${INITSCRIPT_NAME}
 
-        install -d ${D}${sysconfdir}/default
-        install -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.default \
+        install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.default \
                 ${D}${sysconfdir}/default/${INITSCRIPT_NAME}
 
-        install -d ${D}${docdir}/${PN}
-        cp -r docs/* ${D}${docdir}/${PN}
-        cp -r scripts ${D}${docdir}/${PN}
-        install -d -m 755 ${D}/var/samhain
+        if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+                if [ "${SAMHAIN_MODE}" = "no" ]; then
+                    install -D -m 0644 ${WORKDIR}/samhain.service ${D}/${systemd_system_unitdir}/samhain.service
+                else
+                    install -D -m 0644 ${WORKDIR}/samhain.service ${D}/${systemd_system_unitdir}/${BPN}.service
+                fi
+                install -D -m 0755 ${WORKDIR}/${BPN}.init ${D}/${libexecdir}/${BPN}
+                sed -i -e 's,@LIBDIR@,${libexecdir},' \
+                       -e 's,@SAMHAIN_HELPER@,${BPN},' \
+                       -e 's,@MODE_NAME@,${MODE_NAME},' \
+                       ${D}${systemd_system_unitdir}/samhain*.service
+    fi
+
+        install -d ${D}${docdir}/${BPN}
+        cp -r docs/* ${D}${docdir}/${BPN}
+        cp -r scripts ${D}${docdir}/${BPN}
+        install -d -m 755 ${D}${localstatedir}/samhain
+
+        # Prevent QA warnings about installed ${localstatedir}/run
+        if [ -d ${D}${localstatedir}/run ]; then
+                rmdir ${D}${localstatedir}/run
+        fi
 }
 
-FILES_${PN} += "\
-    /run \
-    "
-
-INSANE_SKIP_${PN} = "already-stripped"
+FILES_${PN} += "${systemd_system_unitdir}"