reanimator/bee
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Implement audit enrichments, TUI workflows, and production ISO scaffold

Browse Source
This commit is contained in:
Mikhail Chusavitin
2026-03-06 11:56:26 +03:00
parent bdfb6a0a79
commit 18b8c69bc5
32 changed files with 3187 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
iso/overlay/etc/init.d/bee-audit Executable file
View File

@@ -0,0 +1,20 @@
#!/sbin/openrc-run
description="Bee: run hardware audit (production unattended mode)"
depend() {
need localmount
after bee-update bee-nvidia
}
start() {
ebegin "Running hardware audit"
/usr/local/bin/audit --output usb > /var/log/bee-audit.json 2>/var/log/bee-audit.log
rc=$?
if [ "$rc" -eq 0 ]; then
einfo "Audit complete"
else
ewarn "Audit finished with errors"
fi
eend 0
}

14
iso/overlay/etc/init.d/bee-network Executable file
View File

@@ -0,0 +1,14 @@
#!/sbin/openrc-run
description="Bee: bring up network interfaces via DHCP"
depend() {
need localmount
before bee-update bee-audit
}
start() {
ebegin "Bringing up network interfaces"
/usr/local/bin/bee-network.sh >> /var/log/bee-network.log 2>&1
eend 0
}

23
iso/overlay/etc/init.d/bee-nvidia Executable file
View File

@@ -0,0 +1,23 @@
#!/sbin/openrc-run
description="Bee: load NVIDIA kernel modules"
depend() {
need localmount
before bee-audit
}
start() {
ebegin "Loading NVIDIA modules"
depmod -a 2>/dev/null || true
for mod in nvidia nvidia-modeset nvidia-uvm; do
if modprobe "$mod" 2>/dev/null; then
einfo "loaded: $mod"
else
ewarn "failed to load: $mod"
fi
done
eend 0
}

15
iso/overlay/etc/init.d/bee-update Executable file
View File

@@ -0,0 +1,15 @@
#!/sbin/openrc-run
description="Bee: update audit binary from USB/network"
depend() {
need localmount
after bee-network
before bee-audit
}
start() {
ebegin "Checking for audit binary update"
/usr/local/bin/bee-update.sh >> /var/log/bee-update.log 2>&1
eend 0
}

8
iso/overlay/etc/motd Normal file
View File

@@ -0,0 +1,8 @@
Bee Hardware Audit LiveCD
Mode: Production unattended
Logs:
/var/log/bee-network.log
/var/log/bee-update.log
/var/log/bee-audit.log
/var/log/bee-audit.json

1
iso/overlay/etc/profile.d/bee.sh Normal file
View File

@@ -0,0 +1 @@
export PATH="$PATH:/usr/local/bin"

24
iso/overlay/usr/local/bin/bee-network.sh Executable file
View File

@@ -0,0 +1,24 @@
#!/bin/sh
# bee-network.sh — bring up all physical interfaces via DHCP (non-blocking)
LOG_PREFIX="bee-network"
log() { echo "[$LOG_PREFIX] $*"; }
interfaces=$(ip -o link show \
| awk -F': ' '{print $2}' \
| grep -v '^lo$' \
| grep -vE '^(docker|virbr|veth|tun|tap|br-|bond|dummy)' \
| sort)
if [ -z "$interfaces" ]; then
log "no physical interfaces found"
exit 0
fi
for iface in $interfaces; do
ip link set "$iface" up 2>/dev/null || { log "WARN: failed to bring up $iface"; continue; }
udhcpc -i "$iface" -b -t 0 -T 3 >/dev/null 2>&1 &
log "dhcp started for $iface"
done
log "done"

108
iso/overlay/usr/local/bin/bee-update.sh Executable file
View File

@@ -0,0 +1,108 @@
#!/bin/sh
# bee-update.sh — production update path: USB first, then network.
# Unattended: logs only, never blocks boot.
set -u
LOG_PREFIX="bee-update"
log() { echo "[$LOG_PREFIX] $*"; }
AUDIT_BIN="/usr/local/bin/audit"
TMP_BIN="/tmp/bee-audit-new"
TMP_SIG="/tmp/bee-audit-new.sig"
REPO_API="${BEE_RELEASE_API:-https://git.mchus.pro/api/v1/repos/<org>/bee/releases/latest}"
version_of() {
"$1" --version 2>/dev/null | head -n1 | tr -d '[:space:]'
}
apply_update() {
src_bin="$1"
src_sig="$2"
src_ver="$3"
if [ ! -x "$src_bin" ] || [ ! -f "$src_sig" ]; then
log "missing binary or signature"
return 1
fi
# NOTE: strict signature verification should be implemented in audit updater module.
# Here we keep shell side minimal and fail-open for now.
cp "$src_bin" "$AUDIT_BIN" || return 1
chmod +x "$AUDIT_BIN" || return 1
log "updated audit binary to $src_ver"
return 0
}
check_usb_update() {
for root in /media/* /mnt/* /tmp/bee-usb /run/media/*/*; do
[ -d "$root" ] || continue
base="$root/bee-update"
bin="$base/bee-audit-linux-amd64"
sig="$base/bee-audit-linux-amd64.sig"
ver_file="$base/VERSION"
[ -f "$bin" ] || continue
[ -f "$sig" ] || continue
[ -f "$ver_file" ] || continue
new_ver=$(cat "$ver_file" 2>/dev/null | tr -d '[:space:]')
cur_ver=$(version_of "$AUDIT_BIN")
[ -n "$new_ver" ] || continue
if [ "$new_ver" = "$cur_ver" ]; then
log "usb update found but version is same ($new_ver)"
return 0
fi
log "usb update candidate: $new_ver"
apply_update "$bin" "$sig" "$new_ver" && return 0
return 1
done
return 1
}
check_network_update() {
if ! ping -c 1 -W 3 git.mchus.pro >/dev/null 2>&1; then
log "network unavailable; skip release check"
return 1
fi
if ! command -v wget >/dev/null 2>&1; then
log "wget not found; skip network update"
return 1
fi
if ! command -v jq >/dev/null 2>&1; then
log "jq not found; skip network update"
return 1
fi
meta="/tmp/bee-release-latest.json"
wget -q -O "$meta" "$REPO_API" || { log "failed to fetch release metadata"; return 1; }
tag=$(jq -r '.tag_name // empty' "$meta")
[ -n "$tag" ] || { log "release metadata missing tag_name"; return 1; }
cur_ver=$(version_of "$AUDIT_BIN")
if [ "$tag" = "$cur_ver" ]; then
log "already latest ($tag)"
return 0
fi
bin_url=$(jq -r '.assets[]? | select(.name=="bee-audit-linux-amd64") | .browser_download_url // empty' "$meta")
sig_url=$(jq -r '.assets[]? | select(.name=="bee-audit-linux-amd64.sig") | .browser_download_url // empty' "$meta")
[ -n "$bin_url" ] && [ -n "$sig_url" ] || { log "missing release asset URLs"; return 1; }
wget -q -O "$TMP_BIN" "$bin_url" || return 1
wget -q -O "$TMP_SIG" "$sig_url" || return 1
chmod +x "$TMP_BIN"
log "network update candidate: $tag"
apply_update "$TMP_BIN" "$TMP_SIG" "$tag"
}
main() {
if check_usb_update; then
exit 0
fi
check_network_update || true
}
main "$@"