diff options
Diffstat (limited to 'meta-security/recipes-security')
76 files changed, 237 insertions, 6522 deletions
diff --git a/meta-security/recipes-security/AppArmor/apparmor_2.12.bb b/meta-security/recipes-security/AppArmor/apparmor_2.12.bb deleted file mode 100644 index e3f8dc99c..000000000 --- a/meta-security/recipes-security/AppArmor/apparmor_2.12.bb +++ /dev/null @@ -1,159 +0,0 @@ -SUMMARY = "AppArmor another MAC control system" -DESCRIPTION = "user-space parser utility for AppArmor \ - This provides the system initialization scripts needed to use the \ - AppArmor Mandatory Access Control system, including the AppArmor Parser \ - which is required to convert AppArmor text profiles into machine-readable \ - policies that are loaded into the kernel for use with the AppArmor Linux \ - Security Module." -HOMEAPAGE = "http://apparmor.net/" -SECTION = "admin" - -LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+" -LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0" - -DEPENDS = "bison-native apr gettext-native coreutils-native" - -SRC_URI = " \ - http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \ - file://disable_perl_h_check.patch \ - file://crosscompile_perl_bindings.patch \ - file://apparmor.rc \ - file://functions \ - file://apparmor \ - file://apparmor.service \ - file://run-ptest \ - " - -SRC_URI[md5sum] = "49054f58042f8e51ea92cc866575a833" -SRC_URI[sha256sum] = "8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056" - -PARALLEL_MAKE = "" - -inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan -inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)} - -S = "${WORKDIR}/apparmor-${PV}" - -PACKAGECONFIG ?="man python perl" -PACKAGECONFIG[man] = "--enable-man-pages, --disable-man-pages" -PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native" -PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native" -PACKAGECONFIG[apache2] = ",,apache2," - -PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}" -HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}" - - -python() { - if 'apache2' in d.getVar('PACKAGECONFIG').split() and \ - 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split(): - raise bb.parse.SkipRecipe('Requires meta-webserver to be present.') -} - -CONFIGUREOPTS_remove = "--disable-static" -EXTRA_OECONF_append = " --enable-static" - -do_configure() { - cd ${S}/libraries/libapparmor - aclocal - autoconf --force - libtoolize --automake -c --force - automake -ac - ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF} - sed -i -e 's#^YACC.*#YACC := bison#' ${S}/parser/Makefile - sed -i -e 's#^LEX.*#LEX := flex#' ${S}/parser/Makefile -} - -do_compile () { - oe_runmake -C ${B}/libraries/libapparmor - oe_runmake -C ${B}/binutils - oe_runmake -C ${B}/utils - oe_runmake -C ${B}/parser - oe_runmake -C ${B}/profiles - - if test -z "${HTTPD}" ; then - oe_runmake -C ${B}/changehat/mod_apparmor - fi - - if test -z "${PAMLIB}" ; then - oe_runmake -C ${B}/changehat/pam_apparmor - fi -} - -do_install () { - install -d ${D}/${INIT_D_DIR} - install -d ${D}/lib/apparmor - - oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install - oe_runmake -C ${B}/binutils DESTDIR="${D}" install - oe_runmake -C ${B}/utils DESTDIR="${D}" install - oe_runmake -C ${B}/parser DESTDIR="${D}" install - oe_runmake -C ${B}/profiles DESTDIR="${D}" install - - if test -z "${HTTPD}" ; then - oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install - fi - - if test -z "${PAMLIB}" ; then - oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install - fi - - # aa-easyprof is installed by python-tools-setup.py, fix it up - sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof - chmod 0755 ${D}${bindir}/aa-easyprof - - install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor - install ${WORKDIR}/functions ${D}/lib/apparmor - if [ "${VIRTUAL-RUNTIME_init_manager}" = "systemd" ]; then - install -d ${D}${systemd_system_unitdir} - install ${WORKDIR}/apparmor.service \ - ${D}${systemd_system_unitdir} - fi -} - -do_compile_ptest () { - oe_runmake -C ${B}/tests/regression/apparmor - oe_runmake -C ${B}/parser/tst - oe_runmake -C ${B}/libraries/libapparmor -} - -do_install_ptest () { - t=${D}/${PTEST_PATH}/testsuite - install -d ${t} - install -d ${t}/tests/regression/apparmor - cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression - - install -d ${t}/parser/tst - cp -rf ${B}/parser/tst ${t}/parser - cp ${B}/parser/apparmor_parser ${t}/parser - cp ${B}/parser/frob_slack_rc ${t}/parser - - install -d ${t}/libraries/libapparmor - cp -rf ${B}/libraries/libapparmor ${t}/libraries - - install -d ${t}/common - cp -rf ${B}/common ${t} - - install -d ${t}/binutils - cp -rf ${B}/binutils ${t} -} - -INITSCRIPT_PACKAGES = "${PN}" -INITSCRIPT_NAME = "apparmor" -INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." - -SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE_${PN} = "apparmor.service" -SYSTEMD_AUTO_ENABLE = "disable" - -PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'mod-${PN}', '', d)}" - -FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" -FILES_mod-${PN} = "${libdir}/apache2/modules/*" - -ALLOW_EMPTY_${PN} = "1" - -RDEPENDS_${PN} += "bash lsb" -RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}" -RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}" -RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib" diff --git a/meta-security/recipes-security/AppArmor/files/apparmor b/meta-security/recipes-security/AppArmor/files/apparmor deleted file mode 100644 index ac3ab9a4a..000000000 --- a/meta-security/recipes-security/AppArmor/files/apparmor +++ /dev/null @@ -1,227 +0,0 @@ -#!/bin/sh -# ---------------------------------------------------------------------- -# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 -# NOVELL (All rights reserved) -# Copyright (c) 2008, 2009 Canonical, Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, contact Novell, Inc. -# ---------------------------------------------------------------------- -# Authors: -# Steve Beattie <steve.beattie@canonical.com> -# Kees Cook <kees@ubuntu.com> -# -# /etc/init.d/apparmor -# -### BEGIN INIT INFO -# Provides: apparmor -# Required-Start: $local_fs -# Required-Stop: umountfs -# Default-Start: S -# Default-Stop: -# Short-Description: AppArmor initialization -# Description: AppArmor init script. This script loads all AppArmor profiles. -### END INIT INFO - -log_daemon_msg() { - echo $* -} - -log_end_msg () { - retval=$1 - if [ $retval -eq 0 ]; then - echo "." - else - echo " failed!" - fi - return $retval -} - -. /lib/apparmor/functions -. /lib/lsb/init-functions - -usage() { - echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}" -} - -test -x ${PARSER} || exit 0 # by debian policy -# LSM is built-in, so it is either there or not enabled for this boot -test -d /sys/module/apparmor || exit 0 - -securityfs() { - # Need securityfs for any mode - if [ ! -d "${AA_SFS}" ]; then - if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then - log_daemon_msg "AppArmor not available as kernel LSM." - log_end_msg 1 - exit 1 - else - log_daemon_msg "Mounting securityfs on ${SECURITYFS}" - if ! mount -t securityfs none "${SECURITYFS}"; then - log_end_msg 1 - exit 1 - fi - fi - fi - if [ ! -w "$AA_SFS"/.load ]; then - log_daemon_msg "Insufficient privileges to change profiles." - log_end_msg 1 - exit 1 - fi -} - -handle_system_policy_package_updates() { - apparmor_was_updated=0 - - if ! compare_previous_version ; then - # On snappy flavors, if the current and previous versions are - # different then clear the system cache. snappy will handle - # "$PROFILES_CACHE_VAR" itself (on Touch flavors - # compare_previous_version always returns '0' since snappy - # isn't available). - clear_cache_system - apparmor_was_updated=1 - elif ! compare_and_save_debsums apparmor ; then - # If the system policy has been updated since the last time we - # ran, clear the cache to prevent potentially stale binary - # cache files after an Ubuntu image based upgrade (LP: - # #1350673). This can be removed once all system image flavors - # move to snappy (on snappy systems compare_and_save_debsums - # always returns '0' since /var/lib/dpkg doesn't exist). - clear_cache - apparmor_was_updated=1 - fi - - if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then - # If packages for system policy that affect click packages have - # been updated since the last time we ran, run aa-clickhook -f - force_clickhook=0 - force_profile_hook=0 - if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then - force_clickhook=1 - fi - if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then - force_clickhook=1 - fi - if ! compare_and_save_debsums click-apparmor ; then - force_clickhook=1 - force_profile_hook=1 - fi - if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-clickhook -f - fi - if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-profile-hook -f - fi - fi -} - -# Allow "recache" even when running on the liveCD -if [ "$1" = "recache" ]; then - log_daemon_msg "Recaching AppArmor profiles" - recache_profiles - rc=$? - log_end_msg "$rc" - exit $rc -fi - -# do not perform start/stop/reload actions when running from liveCD -test -d /rofs/etc/apparmor.d && exit 0 - -rc=255 -case "$1" in - start) - if test -x /sbin/systemd-detect-virt && \ - systemd-detect-virt --quiet --container && \ - ! is_container_with_internal_policy; then - log_daemon_msg "Not starting AppArmor in container" - log_end_msg 0 - exit 0 - fi - log_daemon_msg "Starting AppArmor profiles" - securityfs - # That is only useful for click, snappy and system images, - # i.e. not in Debian. And it reads and writes to /var, that - # can be remote-mounted, so it would prevent us from using - # Before=sysinit.target without possibly introducing dependency - # loops. - handle_system_policy_package_updates - load_configured_profiles - rc=$? - log_end_msg "$rc" - ;; - stop) - log_daemon_msg "Clearing AppArmor profiles cache" - clear_cache - rc=$? - log_end_msg "$rc" - cat >&2 <<EOM -All profile caches have been cleared, but no profiles have been unloaded. -Unloading profiles will leave already running processes permanently -unconfined, which can lead to unexpected situations. - -To set a process to complain mode, use the command line tool -'aa-complain'. To really tear down all profiles, run the init script -with the 'teardown' option." -EOM - ;; - teardown) - if test -x /sbin/systemd-detect-virt && \ - systemd-detect-virt --quiet --container && \ - ! is_container_with_internal_policy; then - log_daemon_msg "Not tearing down AppArmor in container" - log_end_msg 0 - exit 0 - fi - log_daemon_msg "Unloading AppArmor profiles" - securityfs - running_profile_names | while read profile; do - if ! unload_profile "$profile" ; then - log_end_msg 1 - exit 1 - fi - done - rc=0 - log_end_msg $rc - ;; - restart|reload|force-reload) - if test -x /sbin/systemd-detect-virt && \ - systemd-detect-virt --quiet --container && \ - ! is_container_with_internal_policy; then - log_daemon_msg "Not reloading AppArmor in container" - log_end_msg 0 - exit 0 - fi - log_daemon_msg "Reloading AppArmor profiles" - securityfs - clear_cache - load_configured_profiles - rc=$? - unload_obsolete_profiles - - log_end_msg "$rc" - ;; - status) - securityfs - if [ -x /usr/sbin/aa-status ]; then - aa-status --verbose - else - cat "$AA_SFS"/profiles - fi - rc=$? - ;; - *) - usage - rc=1 - ;; - esac -exit $rc diff --git a/meta-security/recipes-security/AppArmor/files/apparmor.rc b/meta-security/recipes-security/AppArmor/files/apparmor.rc deleted file mode 100644 index 1507d7b5f..000000000 --- a/meta-security/recipes-security/AppArmor/files/apparmor.rc +++ /dev/null @@ -1,98 +0,0 @@ -description "Pre-cache and pre-load apparmor profiles" -author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>" - -task - -start on starting rc-sysinit - -script - [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD - [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor - [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser - - . /lib/apparmor/functions - - systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true - - # Need securityfs for any mode - if [ ! -d /sys/kernel/security/apparmor ]; then - if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then - exit 0 - else - mount -t securityfs none /sys/kernel/security || exit 0 - fi - fi - - [ -w /sys/kernel/security/apparmor/.load ] || exit 0 - - apparmor_was_updated=0 - if ! compare_previous_version ; then - # On snappy flavors, if the current and previous versions are - # different then clear the system cache. snappy will handle - # "$PROFILES_CACHE_VAR" itself (on Touch flavors - # compare_previous_version always returns '0' since snappy - # isn't available). - clear_cache_system - apparmor_was_updated=1 - elif ! compare_and_save_debsums apparmor ; then - # If the system policy has been updated since the last time we - # ran, clear the cache to prevent potentially stale binary - # cache files after an Ubuntu image based upgrade (LP: - # #1350673). This can be removed once all system image flavors - # move to snappy (on snappy systems compare_and_save_debsums - # always returns '0' since /var/lib/dpkg doesn't exist). - clear_cache - apparmor_was_updated=1 - fi - - if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then - # If packages for system policy that affect click packages have - # been updated since the last time we ran, run aa-clickhook -f - force_clickhook=0 - force_profile_hook=0 - if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then - force_clickhook=1 - fi - if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then - force_clickhook=1 - fi - if ! compare_and_save_debsums click-apparmor ; then - force_clickhook=1 - force_profile_hook=1 - fi - if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-clickhook -f - fi - if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then - aa-profile-hook -f - fi - fi - - if [ "$ACTION" = "teardown" ]; then - running_profile_names | while read profile; do - unload_profile "$profile" - done - exit 0 - fi - - if [ "$ACTION" = "clear" ]; then - clear_cache - exit 0 - fi - - if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then - clear_cache - load_configured_profiles - unload_obsolete_profiles - exit 0 - fi - - # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above, - # aa-clickhook will have already compiled the policy, generated the cache - # files and loaded them into the kernel by this point, so reloading click - # policy from cache, while fairly fast (<2 seconds for 250 profiles on - # armhf), is redundant. Fixing this would complicate the logic quite a bit - # and it wouldn't improve the (by far) common case (ie, when - # 'aa-clickhook -f' is not run). - load_configured_profiles -end script diff --git a/meta-security/recipes-security/AppArmor/files/apparmor.service b/meta-security/recipes-security/AppArmor/files/apparmor.service deleted file mode 100644 index e66afe4e1..000000000 --- a/meta-security/recipes-security/AppArmor/files/apparmor.service +++ /dev/null @@ -1,22 +0,0 @@ -[Unit] -Description=AppArmor initialization -After=local-fs.target -Before=sysinit.target -AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load -ConditionSecurity=apparmor -DefaultDependencies=no -Documentation=man:apparmor(7) -Documentation=http://wiki.apparmor.net/ - -# Don't start this unit on the Ubuntu Live CD -ConditionPathExists=!/rofs/etc/apparmor.d - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/etc/init.d/apparmor start -ExecStop=/etc/init.d/apparmor stop -ExecReload=/etc/init.d/apparmor reload - -[Install] -WantedBy=sysinit.target diff --git a/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch b/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch deleted file mode 100644 index ef55de717..000000000 --- a/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch +++ /dev/null @@ -1,25 +0,0 @@ -Upstream-Status: Inappropriate [configuration] - -As we're cross-compiling here we need to override CC/LD that MakeMaker has -stuck in the generated Makefile with our cross tools. In this case, linking is -done via the compiler rather than the linker directly so pass in CC not LD -here. - -Signed-Off-By: Tom Rini <trini@konsulko.com> - ---- a/libraries/libapparmor/swig/perl/Makefile.am.orig 2017-06-13 19:04:43.296676212 -0400 -+++ b/libraries/libapparmor/swig/perl/Makefile.am 2017-06-13 19:05:03.488676693 -0400 -@@ -16,11 +16,11 @@ - - LibAppArmor.so: libapparmor_wrap.c Makefile.perl - if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi -- $(MAKE) -fMakefile.perl -+ $(MAKE) -fMakefile.perl CC='$(CC)' LD='$(CC)' - if test $(top_srcdir) != $(top_builddir) ; then rm -f libapparmor_wrap.c ; fi - - install-exec-local: Makefile.perl -- $(MAKE) -fMakefile.perl install_vendor -+ $(MAKE) -fMakefile.perl install_vendor CC='$(CC)' LD='$(CC)' - - # sadly there is no make uninstall for perl - #uninstall-local: Makefile.perl diff --git a/meta-security/recipes-security/AppArmor/files/disable_pdf.patch b/meta-security/recipes-security/AppArmor/files/disable_pdf.patch deleted file mode 100644 index c6b4bddc2..000000000 --- a/meta-security/recipes-security/AppArmor/files/disable_pdf.patch +++ /dev/null @@ -1,33 +0,0 @@ -Index: apparmor-2.10.95/parser/Makefile -=================================================================== ---- apparmor-2.10.95.orig/parser/Makefile -+++ apparmor-2.10.95/parser/Makefile -@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT - po/${NAME}.pot: ${SRCS} ${HDRS} - $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}" - --techdoc.pdf: techdoc.tex -- timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\ -- while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \ -- grep -q "Label(s) may have changed" techdoc.log; \ -- do :; done -- --techdoc/index.html: techdoc.pdf -- latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT} -- --techdoc.txt: techdoc/index.html -- w3m -dump $< > $@ - - # targets arranged this way so that people who don't want full docs can - # pick specific targets they want. -@@ -159,9 +148,7 @@ manpages: $(MANPAGES) - - htmlmanpages: $(HTMLMANPAGES) - --pdf: techdoc.pdf -- --docs: manpages htmlmanpages pdf -+docs: manpages htmlmanpages - - indep: docs - $(Q)$(MAKE) -C po all diff --git a/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch b/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch deleted file mode 100644 index cf2640fce..000000000 --- a/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch +++ /dev/null @@ -1,19 +0,0 @@ -Upstream-Status: Inappropriate [configuration] - -Remove file check for $perl_includedir/perl.h. AC_CHECK_FILE will fail on -cross compilation. Rather than try and get a compile check to work here, -we know that we have what's required via our metadata so remove only this -check. - -Signed-Off-By: Tom Rini <trini@konsulko.com> - ---- a/libraries/libapparmor/configure.ac.orig 2017-06-13 16:41:38.668471495 -0400 -+++ b/libraries/libapparmor/configure.ac 2017-06-13 16:41:40.708471543 -0400 -@@ -58,7 +58,6 @@ - AC_PATH_PROG(PERL, perl) - test -z "$PERL" && AC_MSG_ERROR([perl is required when enabling perl bindings]) - perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE" -- AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no) - fi - - diff --git a/meta-security/recipes-security/AppArmor/files/functions b/meta-security/recipes-security/AppArmor/files/functions deleted file mode 100644 index cef8cfe7d..000000000 --- a/meta-security/recipes-security/AppArmor/files/functions +++ /dev/null @@ -1,271 +0,0 @@ -# /lib/apparmor/functions for Debian -*- shell-script -*- -# ---------------------------------------------------------------------- -# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 -# NOVELL (All rights reserved) -# Copyright (c) 2008-2010 Canonical, Ltd. -# -# This program is free software; you can redistribute it and/or -# modify it under the terms of version 2 of the GNU General Public -# License published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, contact Novell, Inc. -# ---------------------------------------------------------------------- -# Authors: -# Kees Cook <kees@ubuntu.com> - -PROFILES="/etc/apparmor.d" -PROFILES_CACHE="$PROFILES/cache" -PROFILES_VAR="/var/lib/apparmor/profiles" -PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles" -PROFILES_CACHE_VAR="/var/cache/apparmor" -PARSER="/sbin/apparmor_parser" -SECURITYFS="/sys/kernel/security" -export AA_SFS="$SECURITYFS/apparmor" - -# Suppress warnings when booting in quiet mode -quiet_arg="" -[ "${QUIET:-no}" = yes ] && quiet_arg="-q" -[ "${quiet:-n}" = y ] && quiet_arg="-q" - -foreach_configured_profile() { - rc_all="0" - for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do - if [ ! -d "$pdir" ]; then - continue - fi - num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l` - if [ "$num" = "0" ]; then - continue - fi - - cache_dir="$PROFILES_CACHE" - if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then - cache_dir="$PROFILES_CACHE_VAR" - fi - cache_args="--cache-loc=$cache_dir" - if [ ! -d "$cache_dir" ]; then - cache_args= - fi - - # LP: #1383858 - expr tree simplification is too slow for - # Touch policy on ARM, so disable it for now - cache_extra_args= - if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then - cache_extra_args="-O no-expr-simplify" - fi - - # If need to compile everything, then use -n1 with xargs to - # take advantage of -P. When cache files are in use, omit -n1 - # since it is considerably faster on moderately sized profile - # sets to give the parser all the profiles to load at once - n1_args= - num=`find "$cache_dir" -type f ! -name '.features' | wc -l` - if [ "$num" = "0" ]; then - n1_args="-n1" - fi - - (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \ - while read profile; do - if [ -f "$pdir"/"$profile" ]; then - echo "$pdir"/"$profile" - fi - done) | \ - xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { - rc_all="$?" - # FIXME: when the parser properly handles broken - # profiles (LP: #1377338), remove this if statement. - # For now, if the xargs returns with error, just run - # through everything with -n1. (This could be broken - # out and refactored, but this is temporary so make it - # easy to understand and revert) - if [ "$rc_all" != "0" ]; then - (ls -1 "$pdir" | \ - egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \ - while read profile; do - if [ -f "$pdir"/"$profile" ]; then - echo "$pdir"/"$profile" - fi - done) | \ - xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || { - rc_all="$?" - } - fi - } - done - return $rc_all -} - -load_configured_profiles() { - clear_cache_if_outdated - foreach_configured_profile $quiet_arg --write-cache --replace -} - -load_configured_profiles_without_caching() { - foreach_configured_profile $quiet_arg --replace -} - -recache_profiles() { - clear_cache - foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load -} - -configured_profile_names() { - foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//' -} - -running_profile_names() { - # Output a sorted list of loaded profiles, skipping libvirt's - # dynamically generated files - cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//' -} - -unload_profile() { - echo -n "$1" > "$AA_SFS"/.remove -} - -clear_cache() { - clear_cache_system - clear_cache_var -} - -clear_cache_system() { - find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f -- -} - -clear_cache_var() { - find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f -- -} - -read_features_dir() -{ - for f in `ls -AU "$1"` ; do - if [ -f "$1/$f" ] ; then - read -r KF < "$1/$f" || true - echo -n "$f {$KF } " - elif [ -d "$1/$f" ] ; then - echo -n "$f {" - KF=`read_features_dir "$1/$f"` || true - echo -n "$KF} " - fi - done -} - -clear_cache_if_outdated() { - if [ -r "$PROFILES_CACHE"/.features ]; then - if [ -d "$AA_SFS"/features ]; then - KERN_FEATURES=`read_features_dir "$AA_SFS"/features` - else - read -r KERN_FEATURES < "$AA_SFS"/features - fi - CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features` - if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then - clear_cache - fi - fi -} - -unload_obsolete_profiles() { - # Currently we must re-parse all the profiles to get policy names. :( - aa_configured=$(mktemp -t aa-XXXXXX) - configured_profile_names > "$aa_configured" || true - aa_loaded=$(mktemp -t aa-XXXXXX) - running_profile_names > "$aa_loaded" || true - LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do - unload_profile "$profile" - done - rm -f "$aa_configured" "$aa_loaded" -} - -# If the system debsum differs from the saved debsum, the new system debsum is -# saved and non-zero is returned. Returns 0 if the two debsums matched or if -# the system debsum file does not exist. This can be removed when system image -# flavors all move to snappy. -compare_and_save_debsums() { - pkg="$1" - - if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then - sums="/var/lib/dpkg/info/${pkg}.md5sums" - # store saved md5sums in /var/lib/apparmor/profiles since - # /var/cache/apparmor might be cleared by apparmor - saved_sums="${PROFILES_VAR}/.${pkg}.md5sums" - - if [ -f "$sums" ] && \ - ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then - cp -f "$sums" "$saved_sums" - return 1 - fi - fi - - return 0 -} - -compare_previous_version() { - installed="/usr/share/snappy/security-policy-version" - previous="/var/lib/snappy/security-policy-version" - - # When just $previous doesn't exist, assume this is a new system with - # no cache and don't do anything special. - if [ -f "$installed" ] && [ -f "$previous" ]; then - pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2` - iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2` - if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then - # snappy updates $previous elsewhere, so just return - return 1 - fi - fi - - return 0 -} - -# Checks to see if the current container is capable of having internal AppArmor -# profiles that should be loaded. Callers of this function should have already -# verified that they're running inside of a container environment with -# something like `systemd-detect-virt --container`. -# -# The only known container environments capable of supporting internal policy -# are LXD and LXC environment. -# -# Returns 0 if the container environment is capable of having its own internal -# policy and non-zero otherwise. -# -# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC -# system container technology being nested inside of a LXD/LXC container that -# utilized an AppArmor namespace and profile stacking. The reason 0 will be -# returned is because .ns_stacked will be "yes" and .ns_name will still match -# "lx[dc]-*" since the nested system container technology will not have set up -# a new AppArmor profile namespace. This will result in the nested system -# container's boot process to experience failed policy loads but the boot -# process should continue without any loss of functionality. This is an -# unsupported configuration that cannot be properly handled by this function. -is_container_with_internal_policy() { - local ns_stacked_path="${AA_SFS}/.ns_stacked" - local ns_name_path="${AA_SFS}/.ns_name" - local ns_stacked - local ns_name - - if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then - return 1 - fi - - read -r ns_stacked < "$ns_stacked_path" - if [ "$ns_stacked" != "yes" ]; then - return 1 - fi - - # LXD and LXC set up AppArmor namespaces starting with "lxd-" and - # "lxc-", respectively. Return non-zero for all other namespace - # identifiers. - read -r ns_name < "$ns_name_path" - if [ "${ns_name#lxd-*}" = "$ns_name" ] && \ - [ "${ns_name#lxc-*}" = "$ns_name" ]; then - return 1 - fi - - return 0 -} diff --git a/meta-security/recipes-security/AppArmor/files/run-ptest b/meta-security/recipes-security/AppArmor/files/run-ptest deleted file mode 100644 index 3b8e427eb..000000000 --- a/meta-security/recipes-security/AppArmor/files/run-ptest +++ /dev/null @@ -1,4 +0,0 @@ -#! /bin/sh -cd testsuite - -make -C tests/regression/apparmor tests diff --git a/meta-security/recipes-security/checksec/checksec_1.11.bb b/meta-security/recipes-security/checksec/checksec_1.11.bb new file mode 100644 index 000000000..59a67bd65 --- /dev/null +++ b/meta-security/recipes-security/checksec/checksec_1.11.bb @@ -0,0 +1,19 @@ +SUMMARY = "Linux system security checks" +DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used." +SECTION = "security" +LICENSE = "BSD" +HOMEPAGE="https://github.com/slimm609/checksec.sh" + +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=93fddcca19f6c897871f9b5f9a035f4a" + +SRCREV = "a57e03c4f62dbaca0ec949bbc58491fb0c461447" +SRC_URI = "git://github.com/slimm609/checksec.sh" + +S = "${WORKDIR}/git" + +do_install() { + install -d ${D}${bindir} + install -m 0755 ${S}/checksec ${D}${bindir} +} + +RDEPENDS_${PN} = "bash openssl-bin" diff --git a/meta-security/recipes-security/checksec/checksec_1.5.bb b/meta-security/recipes-security/checksec/checksec_1.5.bb deleted file mode 100644 index 07f0f7c79..000000000 --- a/meta-security/recipes-security/checksec/checksec_1.5.bb +++ /dev/null @@ -1,18 +0,0 @@ -SUMMARY = "Program radominization" -DESCRIPTION = "The checksec.sh script is designed to test what standard Linux OS and PaX security features are being used." -SECTION = "security" -LICENSE = "BSD" -HOMEPAGE="http://www.trapkit.de/tools/checksec.html" - -LIC_FILES_CHKSUM = "file://checksec.sh;md5=075996be339ab16ad7b94d6de3ee07bd" - -SRC_URI = "file://checksec.sh" - -S = "${WORKDIR}" - -do_install() { - install -d ${D}${bindir} - install -m 0755 ${WORKDIR}/checksec.sh ${D}${bindir} -} - -RDEPENDS_${PN} = "bash" diff --git a/meta-security/recipes-security/checksec/files/checksec.sh b/meta-security/recipes-security/checksec/files/checksec.sh deleted file mode 100644 index dd1f72e54..000000000 --- a/meta-security/recipes-security/checksec/files/checksec.sh +++ /dev/null @@ -1,882 +0,0 @@ -#!/bin/bash -# -# The BSD License (http://www.opensource.org/licenses/bsd-license.php) -# specifies the terms and conditions of use for checksec.sh: -# -# Copyright (c) 2009-2011, Tobias Klein. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# * Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in -# the documentation and/or other materials provided with the -# distribution. -# * Neither the name of Tobias Klein nor the name of trapkit.de may be -# used to endorse or promote products derived from this software -# without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, -# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS -# OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED -# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF -# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH -# DAMAGE. -# -# Name : checksec.sh -# Version : 1.5 -# Author : Tobias Klein -# Date : November 2011 -# Download: http://www.trapkit.de/tools/checksec.html -# Changes : http://www.trapkit.de/tools/checksec_changes.txt -# -# Description: -# -# Modern Linux distributions offer some mitigation techniques to make it -# harder to exploit software vulnerabilities reliably. Mitigations such -# as RELRO, NoExecute (NX), Stack Canaries, Address Space Layout -# Randomization (ASLR) and Position Independent Executables (PIE) have -# made reliably exploiting any vulnerabilities that do exist far more -# challenging. The checksec.sh script is designed to test what *standard* -# Linux OS and PaX (http://pax.grsecurity.net/) security features are being -# used. -# -# As of version 1.3 the script also lists the status of various Linux kernel -# protection mechanisms. -# -# Credits: -# -# Thanks to Brad Spengler (grsecurity.net) for the PaX support. -# Thanks to Jon Oberheide (jon.oberheide.org) for the kernel support. -# Thanks to Ollie Whitehouse (Research In Motion) for rpath/runpath support. -# -# Others that contributed to checksec.sh (in no particular order): -# -# Simon Ruderich, Denis Scherbakov, Stefan Kuttler, Radoslaw Madej, -# Anthony G. Basile, Martin Vaeth and Brian Davis. -# - -# global vars -have_readelf=1 -verbose=false - -# FORTIFY_SOURCE vars -FS_end=_chk -FS_cnt_total=0 -FS_cnt_checked=0 -FS_cnt_unchecked=0 -FS_chk_func_libc=0 -FS_functions=0 -FS_libc=0 - -# version information -version() { - echo "checksec v1.5, Tobias Klein, www.trapkit.de, November 2011" - echo -} - -# help -help() { - echo "Usage: checksec [OPTION]" - echo - echo "Options:" - echo - echo " --file <executable-file>" - echo " --dir <directory> [-v]" - echo " --proc <process name>" - echo " --proc-all" - echo " --proc-libs <process ID>" - echo " --kernel" - echo " --fortify-file <executable-file>" - echo " --fortify-proc <process ID>" - echo " --version" - echo " --help" - echo - echo "For more information, see:" - echo " http://www.trapkit.de/tools/checksec.html" - echo -} - -# check if command exists -command_exists () { - type $1 > /dev/null 2>&1; -} - -# check if directory exists -dir_exists () { - if [ -d $1 ] ; then - return 0 - else - return 1 - fi -} - -# check user privileges -root_privs () { - if [ $(/usr/bin/id -u) -eq 0 ] ; then - return 0 - else - return 1 - fi -} - -# check if input is numeric -isNumeric () { - echo "$@" | grep -q -v "[^0-9]" -} - -# check if input is a string -isString () { - echo "$@" | grep -q -v "[^A-Za-z]" -} - -# check file(s) -filecheck() { - # check for RELRO support - if readelf -l $1 2>/dev/null | grep -q 'GNU_RELRO'; then - if readelf -d $1 2>/dev/null | grep -q 'BIND_NOW'; then - echo -n -e '\033[32mFull RELRO \033[m ' - else - echo -n -e '\033[33mPartial RELRO\033[m ' - fi - else - echo -n -e '\033[31mNo RELRO \033[m ' - fi - - # check for stack canary support - if readelf -s $1 2>/dev/null | grep -q '__stack_chk_fail'; then - echo -n -e '\033[32mCanary found \033[m ' - else - echo -n -e '\033[31mNo canary found\033[m ' - fi - - # check for NX support - if readelf -W -l $1 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then - echo -n -e '\033[31mNX disabled\033[m ' - else - echo -n -e '\033[32mNX enabled \033[m ' - fi - - # check for PIE support - if readelf -h $1 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then - echo -n -e '\033[31mNo PIE \033[m ' - elif readelf -h $1 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then - if readelf -d $1 2>/dev/null | grep -q '(DEBUG)'; then - echo -n -e '\033[32mPIE enabled \033[m ' - else - echo -n -e '\033[33mDSO \033[m ' - fi - else - echo -n -e '\033[33mNot an ELF file\033[m ' - fi - - # check for rpath / run path - if readelf -d $1 2>/dev/null | grep -q 'rpath'; then - echo -n -e '\033[31mRPATH \033[m ' - else - echo -n -e '\033[32mNo RPATH \033[m ' - fi - - if readelf -d $1 2>/dev/null | grep -q 'runpath'; then - echo -n -e '\033[31mRUNPATH \033[m ' - else - echo -n -e '\033[32mNo RUNPATH \033[m ' - fi -} - -# check process(es) -proccheck() { - # check for RELRO support - if readelf -l $1/exe 2>/dev/null | grep -q 'Program Headers'; then - if readelf -l $1/exe 2>/dev/null | grep -q 'GNU_RELRO'; then - if readelf -d $1/exe 2>/dev/null | grep -q 'BIND_NOW'; then - echo -n -e '\033[32mFull RELRO \033[m ' - else - echo -n -e '\033[33mPartial RELRO \033[m ' - fi - else - echo -n -e '\033[31mNo RELRO \033[m ' - fi - else - echo -n -e '\033[31mPermission denied (please run as root)\033[m\n' - exit 1 - fi - - # check for stack canary support - if readelf -s $1/exe 2>/dev/null | grep -q 'Symbol table'; then - if readelf -s $1/exe 2>/dev/null | grep -q '__stack_chk_fail'; then - echo -n -e '\033[32mCanary found \033[m ' - else - echo -n -e '\033[31mNo canary found \033[m ' - fi - else - if [ "$1" != "1" ] ; then - echo -n -e '\033[33mPermission denied \033[m ' - else - echo -n -e '\033[33mNo symbol table found\033[m ' - fi - fi - - # first check for PaX support - if cat $1/status 2> /dev/null | grep -q 'PaX:'; then - pageexec=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b6) ) - segmexec=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b10) ) - mprotect=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b8) ) - randmmap=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b9) ) - if [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "M" && "$randmmap" = "R" ]] ; then - echo -n -e '\033[32mPaX enabled\033[m ' - elif [[ "$pageexec" = "p" && "$segmexec" = "s" && "$randmmap" = "R" ]] ; then - echo -n -e '\033[33mPaX ASLR only\033[m ' - elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "m" && "$randmmap" = "R" ]] ; then - echo -n -e '\033[33mPaX mprot off \033[m' - elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "M" && "$randmmap" = "r" ]] ; then - echo -n -e '\033[33mPaX ASLR off\033[m ' - elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "m" && "$randmmap" = "r" ]] ; then - echo -n -e '\033[33mPaX NX only\033[m ' - else - echo -n -e '\033[31mPaX disabled\033[m ' - fi - # fallback check for NX support - elif readelf -W -l $1/exe 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then - echo -n -e '\033[31mNX disabled\033[m ' - else - echo -n -e '\033[32mNX enabled \033[m ' - fi - - # check for PIE support - if readelf -h $1/exe 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then - echo -n -e '\033[31mNo PIE \033[m ' - elif readelf -h $1/exe 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then - if readelf -d $1/exe 2>/dev/null | grep -q '(DEBUG)'; then - echo -n -e '\033[32mPIE enabled \033[m ' - else - echo -n -e '\033[33mDynamic Shared Object\033[m ' - fi - else - echo -n -e '\033[33mNot an ELF file \033[m ' - fi -} - -# check mapped libraries -libcheck() { - libs=( $(awk '{ print $6 }' /proc/$1/maps | grep '/' | sort -u | xargs file | grep ELF | awk '{ print $1 }' | sed 's/:/ /') ) - - printf "\n* Loaded libraries (file information, # of mapped files: ${#libs[@]}):\n\n" - - for element in $(seq 0 $((${#libs[@]} - 1))) - do - echo " ${libs[$element]}:" - echo -n " " - filecheck ${libs[$element]} - printf "\n\n" - done -} - -# check for system-wide ASLR support -aslrcheck() { - # PaX ASLR support - if !(cat /proc/1/status 2> /dev/null | grep -q 'Name:') ; then - echo -n -e ':\033[33m insufficient privileges for PaX ASLR checks\033[m\n' - echo -n -e ' Fallback to standard Linux ASLR check' - fi - - if cat /proc/1/status 2> /dev/null | grep -q 'PaX:'; then - printf ": " - if cat /proc/1/status 2> /dev/null | grep 'PaX:' | grep -q 'R'; then - echo -n -e '\033[32mPaX ASLR enabled\033[m\n\n' - else - echo -n -e '\033[31mPaX ASLR disabled\033[m\n\n' - fi - else - # standard Linux 'kernel.randomize_va_space' ASLR support - # (see the kernel file 'Documentation/sysctl/kernel.txt' for a detailed description) - printf " (kernel.randomize_va_space): " - if /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 1'; then - echo -n -e '\033[33mOn (Setting: 1)\033[m\n\n' - printf " Description - Make the addresses of mmap base, stack and VDSO page randomized.\n" - printf " This, among other things, implies that shared libraries will be loaded to \n" - printf " random addresses. Also for PIE-linked binaries, the location of code start\n" - printf " is randomized. Heap addresses are *not* randomized.\n\n" - elif /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 2'; then - echo -n -e '\033[32mOn (Setting: 2)\033[m\n\n' - printf " Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.\n" - printf " This, among other things, implies that shared libraries will be loaded to random \n" - printf " addresses. Also for PIE-linked binaries, the location of code start is randomized.\n\n" - elif /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 0'; then - echo -n -e '\033[31mOff (Setting: 0)\033[m\n' - else - echo -n -e '\033[31mNot supported\033[m\n' - fi - printf " See the kernel file 'Documentation/sysctl/kernel.txt' for more details.\n\n" - fi -} - -# check cpu nx flag -nxcheck() { - if grep -q nx /proc/cpuinfo; then - echo -n -e '\033[32mYes\033[m\n\n' - else - echo -n -e '\033[31mNo\033[m\n\n' - fi -} - -# check for kernel protection mechanisms -kernelcheck() { - printf " Description - List the status of kernel protection mechanisms. Rather than\n" - printf " inspect kernel mechanisms that may aid in the prevention of exploitation of\n" - printf " userspace processes, this option lists the status of kernel configuration\n" - printf " options that harden the kernel itself against attack.\n\n" - printf " Kernel config: " - - if [ -f /proc/config.gz ] ; then - kconfig="zcat /proc/config.gz" - printf "\033[32m/proc/config.gz\033[m\n\n" - elif [ -f /boot/config-`uname -r` ] ; then - kconfig="cat /boot/config-`uname -r`" - printf "\033[33m/boot/config-`uname -r`\033[m\n\n" - printf " Warning: The config on disk may not represent running kernel config!\n\n"; - elif [ -f "${KBUILD_OUTPUT:-/usr/src/linux}"/.config ] ; then - kconfig="cat ${KBUILD_OUTPUT:-/usr/src/linux}/.config" - printf "\033[33m%s\033[m\n\n" "${KBUILD_OUTPUT:-/usr/src/linux}/.config" - printf " Warning: The config on disk may not represent running kernel config!\n\n"; - else - printf "\033[31mNOT FOUND\033[m\n\n" - exit 0 - fi - - printf " GCC stack protector support: " - if $kconfig | grep -qi 'CONFIG_CC_STACKPROTECTOR=y'; then - printf "\033[32mEnabled\033[m\n" - else - printf "\033[31mDisabled\033[m\n" - fi - - printf " Strict user copy checks: " - if $kconfig | grep -qi 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y'; then - printf "\033[32mEnabled\033[m\n" - else - printf "\033[31mDisabled\033[m\n" - fi - - printf " Enforce read-only kernel data: " - if $kconfig | grep -qi 'CONFIG_DEBUG_RODATA=y'; then - printf "\033[32mEnabled\033[m\n" - else - printf "\033[31mDisabled\033[m\n" - fi - printf " Restrict /dev/mem access: " - if $kconfig | grep -qi 'CONFIG_STRICT_DEVMEM=y'; then - printf "\033[32mEnabled\033[m\n" - else - printf "\033[31mDisabled\033[m\n" - fi - - printf " Restrict /dev/kmem access: " - if $kconfig | grep -qi 'CONFIG_DEVKMEM=y'; then - printf "\033[31mDisabled\033[m\n" - else - printf "\033[32mEnabled\033[m\n" - fi - - printf "\n" - printf "* grsecurity / PaX: " - - if $kconfig | grep -qi 'CONFIG_GRKERNSEC=y'; then - if $kconfig | grep -qi 'CONFIG_GRKERNSEC_HIGH=y'; then - printf "\033[32mHigh GRKERNSEC\033[m\n\n" - elif $kconfig | grep -qi 'CONFIG_GRKERNSEC_MEDIUM=y'; then - printf "\033[33mMedium GRKERNSEC\033[m\n\n" - elif $kconfig | grep -qi 'CONFIG_GRKERNSEC_LOW=y'; then - printf "\033[31mLow GRKERNSEC\033[m\n\n" - else - printf "\033[33mCustom GRKERNSEC\033[m\n\n" - fi - - printf " Non-executable kernel pages: " - if $kconfig | grep -qi 'CONFIG_PAX_KERNEXEC=y'; then - printf "\033[32mEnabled\033[m\n" - else - printf "\033[31mDisabled\033[m\n" - fi - - printf " Prevent userspace pointer deref: " - if $kconfig | grep -qi 'CONFIG_PAX_MEMORY_UDEREF=y'; then - printf "\033[32mEnabled\033[m\n" - else - printf "\033[31mDisabled\033[m\n" - fi - - printf " Prevent kobject refcount overflow: " - if $kconfig | grep -qi 'CONFIG_PAX_REFCOUNT=y'; then - printf "\033[32mEnabled\033[m\n" - else - printf "\033[31mDisabled\033[m\n" - fi - - printf " Bounds check heap object copies: " - if $kconfig | grep -qi 'CONFIG_PAX_USERCOPY=y'; then - printf "\033[32mEnabled\033[m\n" - else - printf "\033[31mDisabled\033[m\n" - fi - - printf " Disable writing to kmem/mem/port: " - if $kconfig | grep -qi 'CONFIG_GRKERNSEC_KMEM=y'; then - printf "\033[32mEnabled\033[m\n" - else - printf "\033[31mDisabled\033[m\n" - fi - - printf " Disable privileged I/O: " - if $kconfig | grep -qi 'CONFIG_GRKERNSEC_IO=y'; then - printf "\033[32mEnabled\033[m\n" - else - printf "\033[31mDisabled\033[m\n" - fi - - printf " Harden module auto-loading: " - if $kconfig | grep -qi 'CONFIG_GRKERNSEC_MODHARDEN=y'; then - printf "\033[32mEnabled\033[m\n" - else - printf "\033[31mDisabled\033[m\n" - fi - - printf " Hide kernel symbols: " - if $kconfig | grep -qi 'CONFIG_GRKERNSEC_HIDESYM=y'; then - printf "\033[32mEnabled\033[m\n" - else - printf "\033[31mDisabled\033[m\n" - fi - else - printf "\033[31mNo GRKERNSEC\033[m\n\n" - printf " The grsecurity / PaX patchset is available here:\n" - printf " http://grsecurity.net/\n" - fi - - printf "\n" - printf "* Kernel Heap Hardening: " - - if $kconfig | grep -qi 'CONFIG_KERNHEAP=y'; then - if $kconfig | grep -qi 'CONFIG_KERNHEAP_FULLPOISON=y'; then - printf "\033[32mFull KERNHEAP\033[m\n\n" - else - printf "\033[33mPartial KERNHEAP\033[m\n\n" - fi - else - printf "\033[31mNo KERNHEAP\033[m\n\n" - printf " The KERNHEAP hardening patchset is available here:\n" - printf " https://www.subreption.com/kernheap/\n\n" - fi -} - -# --- FORTIFY_SOURCE subfunctions (start) --- - -# is FORTIFY_SOURCE supported by libc? -FS_libc_check() { - printf "* FORTIFY_SOURCE support available (libc) : " - - if [ "${#FS_chk_func_libc[@]}" != "0" ] ; then - printf "\033[32mYes\033[m\n" - else - printf "\033[31mNo\033[m\n" - exit 1 - fi -} - -# was the binary compiled with FORTIFY_SOURCE? -FS_binary_check() { - printf "* Binary compiled with FORTIFY_SOURCE support: " - - for FS_elem_functions in $(seq 0 $((${#FS_functions[@]} - 1))) - do - if [[ ${FS_functions[$FS_elem_functions]} =~ _chk ]] ; then - printf "\033[32mYes\033[m\n" - return - fi - done - printf "\033[31mNo\033[m\n" - exit 1 -} - -FS_comparison() { - echo - printf " ------ EXECUTABLE-FILE ------- . -------- LIBC --------\n" - printf " FORTIFY-able library functions | Checked function names\n" - printf " -------------------------------------------------------\n" - - for FS_elem_libc in $(seq 0 $((${#FS_chk_func_libc[@]} - 1))) - do - for FS_elem_functions in $(seq 0 $((${#FS_functions[@]} - 1))) - do - FS_tmp_func=${FS_functions[$FS_elem_functions]} - FS_tmp_libc=${FS_chk_func_libc[$FS_elem_libc]} - - if [[ $FS_tmp_func =~ ^$FS_tmp_libc$ ]] ; then - printf " \033[31m%-30s\033[m | __%s%s\n" $FS_tmp_func $FS_tmp_libc $FS_end - let FS_cnt_total++ - let FS_cnt_unchecked++ - elif [[ $FS_tmp_func =~ ^$FS_tmp_libc(_chk) ]] ; then - printf " \033[32m%-30s\033[m | __%s%s\n" $FS_tmp_func $FS_tmp_libc $FS_end - let FS_cnt_total++ - let FS_cnt_checked++ - fi - - done - done -} - -FS_summary() { - echo - printf "SUMMARY:\n\n" - printf "* Number of checked functions in libc : ${#FS_chk_func_libc[@]}\n" - printf "* Total number of library functions in the executable: ${#FS_functions[@]}\n" - printf "* Number of FORTIFY-able functions in the executable : %s\n" $FS_cnt_total - printf "* Number of checked functions in the executable : \033[32m%s\033[m\n" $FS_cnt_checked - printf "* Number of unchecked functions in the executable : \033[31m%s\033[m\n" $FS_cnt_unchecked - echo -} - -# --- FORTIFY_SOURCE subfunctions (end) --- - -if !(command_exists readelf) ; then - printf "\033[31mWarning: 'readelf' not found! It's required for most checks.\033[m\n\n" - have_readelf=0 -fi - -# parse command-line arguments -case "$1" in - - --version) - version - exit 0 - ;; - - --help) - help - exit 0 - ;; - - --dir) - if [ "$3" = "-v" ] ; then - verbose=true - fi - if [ $have_readelf -eq 0 ] ; then - exit 1 - fi - if [ -z "$2" ] ; then - printf "\033[31mError: Please provide a valid directory.\033[m\n\n" - exit 1 - fi - # remove trailing slashes - tempdir=`echo $2 | sed -e "s/\/*$//"` - if [ ! -d $tempdir ] ; then - printf "\033[31mError: The directory '$tempdir' does not exist.\033[m\n\n" - exit 1 - fi - cd $tempdir - printf "RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\n" - for N in [A-Za-z]*; do - if [ "$N" != "[A-Za-z]*" ]; then - # read permissions? - if [ ! -r $N ]; then - printf "\033[31mError: No read permissions for '$tempdir/$N' (run as root).\033[m\n" - else - # ELF executable? - out=`file $N` - if [[ ! $out =~ ELF ]] ; then - if [ "$verbose" = "true" ] ; then - printf "\033[34m*** Not an ELF file: $tempdir/" - file $N - printf "\033[m" - fi - else - filecheck $N - if [ `find $tempdir/$N \( -perm -004000 -o -perm -002000 \) -type f -print` ]; then - printf "\033[37;41m%s%s\033[m" $2 $N - else - printf "%s%s" $tempdir/ $N - fi - echo - fi - fi - fi - done - exit 0 - ;; - - --file) - if [ $have_readelf -eq 0 ] ; then - exit 1 - fi - if [ -z "$2" ] ; then - printf "\033[31mError: Please provide a valid file.\033[m\n\n" - exit 1 - fi - # does the file exist? - if [ ! -e $2 ] ; then - printf "\033[31mError: The file '$2' does not exist.\033[m\n\n" - exit 1 - fi - # read permissions? - if [ ! -r $2 ] ; then - printf "\033[31mError: No read permissions for '$2' (run as root).\033[m\n\n" - exit 1 - fi - # ELF executable? - out=`file $2` - if [[ ! $out =~ ELF ]] ; then - printf "\033[31mError: Not an ELF file: " - file $2 - printf "\033[m\n" - exit 1 - fi - printf "RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\n" - filecheck $2 - if [ `find $2 \( -perm -004000 -o -perm -002000 \) -type f -print` ] ; then - printf "\033[37;41m%s%s\033[m" $2 $N - else - printf "%s" $2 - fi - echo - exit 0 - ;; - - --proc-all) - if [ $have_readelf -eq 0 ] ; then - exit 1 - fi - cd /proc - printf "* System-wide ASLR" - aslrcheck - printf "* Does the CPU support NX: " - nxcheck - printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n" - for N in [1-9]*; do - if [ $N != $$ ] && readlink -q $N/exe > /dev/null; then - printf "%16s" `head -1 $N/status | cut -b 7-` - printf "%7d " $N - proccheck $N - echo - fi - done - if [ ! -e /usr/bin/id ] ; then - printf "\n\033[33mNote: If you are running 'checksec.sh' as an unprivileged user, you\n" - printf " will not see all processes. Please run the script as root.\033[m\n\n" - else - if !(root_privs) ; then - printf "\n\033[33mNote: You are running 'checksec.sh' as an unprivileged user.\n" - printf " Too see all processes, please run the script as root.\033[m\n\n" - fi - fi - exit 0 - ;; - - --proc) - if [ $have_readelf -eq 0 ] ; then - exit 1 - fi - if [ -z "$2" ] ; then - printf "\033[31mError: Please provide a valid process name.\033[m\n\n" - exit 1 - fi - if !(isString "$2") ; then - printf "\033[31mError: Please provide a valid process name.\033[m\n\n" - exit 1 - fi - cd /proc - printf "* System-wide ASLR" - aslrcheck - printf "* Does the CPU support NX: " - nxcheck - printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n" - for N in `ps -Ao pid,comm | grep $2 | cut -b1-6`; do - if [ -d $N ] ; then - printf "%16s" `head -1 $N/status | cut -b 7-` - printf "%7d " $N - # read permissions? - if [ ! -r $N/exe ] ; then - if !(root_privs) ; then - printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n" - exit 1 - fi - if [ ! `readlink $N/exe` ] ; then - printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n" - exit 1 - fi - exit 1 - fi - proccheck $N - echo - fi - done - exit 0 - ;; - - --proc-libs) - if [ $have_readelf -eq 0 ] ; then - exit 1 - fi - if [ -z "$2" ] ; then - printf "\033[31mError: Please provide a valid process ID.\033[m\n\n" - exit 1 - fi - if !(isNumeric "$2") ; then - printf "\033[31mError: Please provide a valid process ID.\033[m\n\n" - exit 1 - fi - cd /proc - printf "* System-wide ASLR" - aslrcheck - printf "* Does the CPU support NX: " - nxcheck - printf "* Process information:\n\n" - printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n" - N=$2 - if [ -d $N ] ; then - printf "%16s" `head -1 $N/status | cut -b 7-` - printf "%7d " $N - # read permissions? - if [ ! -r $N/exe ] ; then - if !(root_privs) ; then - printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n" - exit 1 - fi - if [ ! `readlink $N/exe` ] ; then - printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n" - exit 1 - fi - exit 1 - fi - proccheck $N - echo - libcheck $N - fi - exit 0 - ;; - - --kernel) - cd /proc - printf "* Kernel protection information:\n\n" - kernelcheck - exit 0 - ;; - - --fortify-file) - if [ $have_readelf -eq 0 ] ; then - exit 1 - fi - if [ -z "$2" ] ; then - printf "\033[31mError: Please provide a valid file.\033[m\n\n" - exit 1 - fi - # does the file exist? - if [ ! -e $2 ] ; then - printf "\033[31mError: The file '$2' does not exist.\033[m\n\n" - exit 1 - fi - # read permissions? - if [ ! -r $2 ] ; then - printf "\033[31mError: No read permissions for '$2' (run as root).\033[m\n\n" - exit 1 - fi - # ELF executable? - out=`file $2` - if [[ ! $out =~ ELF ]] ; then - printf "\033[31mError: Not an ELF file: " - file $2 - printf "\033[m\n" - exit 1 - fi - if [ -e /lib/libc.so.6 ] ; then - FS_libc=/lib/libc.so.6 - elif [ -e /lib64/libc.so.6 ] ; then - FS_libc=/lib64/libc.so.6 - elif [ -e /lib/i386-linux-gnu/libc.so.6 ] ; then - FS_libc=/lib/i386-linux-gnu/libc.so.6 - elif [ -e /lib/x86_64-linux-gnu/libc.so.6 ] ; then - FS_libc=/lib/x86_64-linux-gnu/libc.so.6 - else - printf "\033[31mError: libc not found.\033[m\n\n" - exit 1 - fi - - FS_chk_func_libc=( $(readelf -s $FS_libc | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//') ) - FS_functions=( $(readelf -s $2 | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//') ) - - FS_libc_check - FS_binary_check - FS_comparison - FS_summary - - exit 0 - ;; - - --fortify-proc) - if [ $have_readelf -eq 0 ] ; then - exit 1 - fi - if [ -z "$2" ] ; then - printf "\033[31mError: Please provide a valid process ID.\033[m\n\n" - exit 1 - fi - if !(isNumeric "$2") ; then - printf "\033[31mError: Please provide a valid process ID.\033[m\n\n" - exit 1 - fi - cd /proc - N=$2 - if [ -d $N ] ; then - # read permissions? - if [ ! -r $N/exe ] ; then - if !(root_privs) ; then - printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n" - exit 1 - fi - if [ ! `readlink $N/exe` ] ; then - printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n" - exit 1 - fi - exit 1 - fi - if [ -e /lib/libc.so.6 ] ; then - FS_libc=/lib/libc.so.6 - elif [ -e /lib64/libc.so.6 ] ; then - FS_libc=/lib64/libc.so.6 - elif [ -e /lib/i386-linux-gnu/libc.so.6 ] ; then - FS_libc=/lib/i386-linux-gnu/libc.so.6 - elif [ -e /lib/x86_64-linux-gnu/libc.so.6 ] ; then - FS_libc=/lib/x86_64-linux-gnu/libc.so.6 - else - printf "\033[31mError: libc not found.\033[m\n\n" - exit 1 - fi - printf "* Process name (PID) : %s (%d)\n" `head -1 $N/status | cut -b 7-` $N - FS_chk_func_libc=( $(readelf -s $FS_libc | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//') ) - FS_functions=( $(readelf -s $2/exe | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//') ) - - FS_libc_check - FS_binary_check - FS_comparison - FS_summary - fi - exit 0 - ;; - - *) - if [ "$#" != "0" ] ; then - printf "\033[31mError: Unknown option '$1'.\033[m\n\n" - fi - help - exit 1 - ;; -esac diff --git a/meta-security/recipes-security/clamav/clamav_0.99.4.bb b/meta-security/recipes-security/clamav/clamav_0.99.4.bb index 8c2c2fa2f..6219d9ed2 100644 --- a/meta-security/recipes-security/clamav/clamav_0.99.4.bb +++ b/meta-security/recipes-security/clamav/clamav_0.99.4.bb @@ -31,17 +31,13 @@ GID = "clamav" # Clamav has a built llvm version 2 but does not build with gcc 6.x, # disable the internal one. This is a known issue -# If you want LLVM support, use meta-oe llvm3.3 to build for GCC 6.X, -# as defined below +# If you want LLVM support, use the one in core -CLAMAV_LLVM ?= "oellvm" -CLAMAV_LLVM_RELEASE ?= "6.0" - -PACKAGECONFIG ?= "ncurses openssl bz2 zlib ${CLAMAV_LLVM}" +PACKAGECONFIG ?= "ncurses openssl bz2 zlib llvm" PACKAGECONFIG += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}" PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" -PACKAGECONFIG[oellvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm${CLAMAV_LLVM_RELEASE}" +PACKAGECONFIG[llvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm8.0" PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR}, --without-pcre, libpcre" PACKAGECONFIG[xml] = "--with-xml=${STAGING_LIBDIR}/.., --with-xml=no, libxml2," diff --git a/meta-security/recipes-security/fail2ban/python-fail2ban.inc b/meta-security/recipes-security/fail2ban/python-fail2ban.inc index 9245f17b1..7270ed8ac 100644 --- a/meta-security/recipes-security/fail2ban/python-fail2ban.inc +++ b/meta-security/recipes-security/fail2ban/python-fail2ban.inc @@ -9,7 +9,7 @@ HOMEPAGE = "http://www.fail2ban.org" LICENSE = "GPL-2.0" LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f" -SRCREV ="ac0d441fd68852ffda7b15c71f16b7f4fde1a7ee" +SRCREV ="aa565eb80ec6043317e8430cabcaf9c3f4e61578" SRC_URI = " \ git://github.com/fail2ban/fail2ban.git;branch=0.11 \ file://initd \ diff --git a/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb b/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.4.0.bb index 17a7dd8dd..17a7dd8dd 100644 --- a/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb +++ b/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.4.0.bb diff --git a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb index 5c887e857..5c887e857 100644 --- a/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb +++ b/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb diff --git a/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch b/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch deleted file mode 100644 index dde1af44a..000000000 --- a/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch +++ /dev/null @@ -1,28 +0,0 @@ -Subject: [PATCH] keyutils: use relative path for link - -The absolute path of the symlink will be invalid -when populated in sysroot, so use relative path instead. - -Upstream-Status: Pending - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 824bbbf..8ce3a13 100644 ---- a/Makefile -+++ b/Makefile -@@ -167,7 +167,7 @@ ifeq ($(NO_SOLIB),0) - $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME) - $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME) - mkdir -p $(DESTDIR)$(USRLIBDIR) -- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) -+ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB) - endif - $(INSTALL) -D keyctl $(DESTDIR)$(BINDIR)/keyctl - $(INSTALL) -D request-key $(DESTDIR)$(SBINDIR)/request-key --- -2.11.0 - diff --git a/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb b/meta-security/recipes-security/keyutils/keyutils_1.6.bb index a4222b9e9..c961fa293 100644 --- a/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb +++ b/meta-security/recipes-security/keyutils/keyutils_1.6.bb @@ -16,14 +16,13 @@ LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45 \ inherit siteinfo ptest SRC_URI = "http://people.redhat.com/dhowells/keyutils/${BP}.tar.bz2 \ - file://keyutils-use-relative-path-for-link.patch \ file://keyutils-test-fix-output-format.patch \ file://keyutils-fix-error-report-by-adding-default-message.patch \ file://run-ptest \ " -SRC_URI[md5sum] = "3771676319bc7b84b1549b5c63ff5243" -SRC_URI[sha256sum] = "115c3deae7f181778fd0e0ffaa2dad1bf1fe2f5677cf2e0e348cdb7a1c93afb6" +SRC_URI[md5sum] = "191987b0ab46bb5b50efd70a6e6ce808" +SRC_URI[sha256sum] = "d3aef20cec0005c0fa6b4be40079885567473185b1a57b629b030e67942c7115" EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \ NO_ARLIB=1 \ @@ -36,6 +35,7 @@ EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \ " do_install () { + install -d ${D}/${nonarch_base_libdir}/pkgconfig oe_runmake DESTDIR=${D} install } @@ -44,4 +44,8 @@ do_install_ptest () { sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh } -RDEPENDS_${PN}-ptest += "glibc-utils" +FILES_${PN}-dev += "${nonarch_base_libdir}/pkgconfig/libkeyutils.pc" + +RDEPENDS_${PN}-ptest += "lsb" +RDEPENDS_${PN}-ptest_append_libc-glibc = " glibc-utils" +RDEPENDS_${PN}-ptest_append_libc-musl = " musl-utils" diff --git a/meta-security/recipes-security/libmspack/libmspack_0.5.bb b/meta-security/recipes-security/libmspack/libmspack_0.9.1.bb index 80db23cec..56a8a0770 100644 --- a/meta-security/recipes-security/libmspack/libmspack_0.5.bb +++ b/meta-security/recipes-security/libmspack/libmspack_0.9.1.bb @@ -6,10 +6,10 @@ DEPENDS = "" LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd" -SRC_URI = "${DEBIAN_MIRROR}/main/libm/${BPN}/${BPN}_${PV}.orig.tar.gz\ -" -SRC_URI[md5sum] = "3aa3f6b9ef101463270c085478fda1da" -SRC_URI[sha256sum] = "8967f275525f5067b364cee43b73e44d0433668c39f9376dfff19f653d1c8110" +SRC_URI = "${DEBIAN_MIRROR}/main/libm/${BPN}/${BPN}_${PV}.orig.tar.gz" + +SRC_URI[md5sum] = "9602ae4a6b0468d9aaef6359c1e90657" +SRC_URI[sha256sum] = "62a336d9c798638aaf3dceb43843320061544bbf35547c316b075b99112f2e40" inherit autotools diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb index 9c66db68c..41ffd625c 100644 --- a/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb +++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.0.bb @@ -4,9 +4,9 @@ SECTION = "security" LICENSE = "LGPL-2.1" LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f" -SRCREV = "74b190e1aa05f07da0c61fb9a30dbc9c18ce2c9d" +SRCREV = "4d64011741375bb1a4ba7d71905ca37b97885083" -SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.3 \ +SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \ file://run-ptest \ " diff --git a/meta-security/recipes-security/ncrack/ncrack_0.7.bb b/meta-security/recipes-security/ncrack/ncrack_0.7.bb new file mode 100644 index 000000000..06ba2b6df --- /dev/null +++ b/meta-security/recipes-security/ncrack/ncrack_0.7.bb @@ -0,0 +1,18 @@ +SUMMARY = "Network authentication cracking tool" +DESCRIPTION = "Ncrack is designed for high-speed parallel testing of network devices for poor passwords." +HOMEPAGE = "https://nmap.org/ncrack" +SECTION = "security" + +LICENSE = "GPL-2.0" +LIC_FILES_CHKSUM = "file://COPYING;md5=198fa93d4e80225839e595336f3b5ff0" + +SRCREV = "3a793a21820708466081825beda9fce857f36cb6" +SRC_URI = "git://github.com/nmap/ncrack.git" + +DEPENDS = "openssl zlib" + +inherit autotools-brokensep + +S = "${WORKDIR}/git" + +INSANE_SKIP_${PN} = "already-stripped" diff --git a/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch b/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch deleted file mode 100644 index 5ddb16926..000000000 --- a/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch +++ /dev/null @@ -1,106 +0,0 @@ -From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001 -From: sullo <sullo@cirt.net> -Date: Thu, 31 May 2018 23:30:03 -0400 -Subject: [PATCH] Fix CSV injection issue if server responds with a malicious - Server string & CSV output is opened in Excel or other spreadsheet app. - Potentially malicious cell start characters are now prefaced with a ' mark. - Thanks to Adam (@bytesoverbombs) for letting me know! - -Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split(). - -CVE: CVE-2018-11652 -Upstream-Status: Backport -Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com> ---- - plugins/nikto_outdated.plugin | 2 +- - plugins/nikto_report_csv.plugin | 42 +++++++++++++++++++++++++++++------------ - 2 files changed, 31 insertions(+), 13 deletions(-) - -diff --git a/plugins/nikto_outdated.plugin b/plugins/nikto_outdated.plugin -index 72379cc..eb1d889 100644 ---- a/plugins/nikto_outdated.plugin -+++ b/plugins/nikto_outdated.plugin -@@ -83,7 +83,7 @@ sub nikto_outdated { - $sepr = substr($sepr, (length($sepr) - 1), 1); - - # break up ID string on $sepr -- my @T = split(/$sepr/, $mark->{'banner'}); -+ my @T = split(/\\$sepr/, $mark->{'banner'}); - - # assume last is version... - for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; } -diff --git a/plugins/nikto_report_csv.plugin b/plugins/nikto_report_csv.plugin -index d13acab..b942e78 100644 ---- a/plugins/nikto_report_csv.plugin -+++ b/plugins/nikto_report_csv.plugin -@@ -52,10 +52,12 @@ sub csv_open { - sub csv_host_start { - my ($handle, $mark) = @_; - $mark->{'banner'} =~ s/"/\\"/g; -- print OUT "\"$mark->{'hostname'}\"," -- . "\"$mark->{'ip'}\"," -- . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\"," -- . "\"$mark->{'banner'}\"\n"; -+ print $handle "\"" . csv_safecell($hostname) . "\"," -+ . "\"" . csv_safecell($mark->{'ip'}) . "\"," -+ . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\"," -+ #. "\"" . $mark->{'banner'} . "\"\n"; -+ . "\"" . csv_safecell($mark->{'banner'}) . "\"\n"; -+ - return; - } - -@@ -65,26 +67,42 @@ sub csv_item { - my ($handle, $mark, $item) = @_; - foreach my $uri (split(' ', $item->{'uri'})) { - my $line = ''; -- $line .= "\"$item->{'mark'}->{'hostname'}\","; -- $line .= "\"$item->{'mark'}->{'ip'}\","; -- $line .= "\"$item->{'mark'}->{'port'}\","; -+ $line .= "\"" . csv_safecell($hostname) . "\","; -+ $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \","; -+ $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\","; - - $line .= "\""; - if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; } - $line .= "\","; - - $line .= "\""; -- if ($item->{'method'} ne '') { $line .= $item->{'method'}; } -+ if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); } - $line .= "\","; - - $line .= "\""; -- if ($uri ne '') { $line .= $mark->{'root'} . $uri; } -+ { $line .= csv_safecell($mark->{'root'}) . $uri; } -+ else { $line .= csv_safecell($ur - $line .= "\","; - -- $item->{'message'} =~ s/"/\\"/g; -- $line .= "\"$item->{'message'}\""; -- print $handle "$line\n"; -+ my $msg = $item->{'message'}; -+ $uri=quotemeta($uri); -+ my $root = quotemeta($mark->{'root'}); -+ $msg =~ s/^$uri:\s//; -+ $msg =~ s/^$root$uri:\s//; -+ $msg =~ s/"/\\"/g; -+ $line .= "\"" . csv_safecell($msg) ."\""; -+ print $handle "$line\n"; -+ - } - } - -+############################################################################### -+# prevent CSV injection attacks -+sub csv_safecell { -+ my $celldata = $_[0] || return; -+ if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; } -+ return $celldata; -+} -+ -+ - 1; --- -2.6.4 - diff --git a/meta-security/recipes-security/nikto/files/location.patch b/meta-security/recipes-security/nikto/files/location.patch index a95b0629f..edaa20475 100644 --- a/meta-security/recipes-security/nikto/files/location.patch +++ b/meta-security/recipes-security/nikto/files/location.patch @@ -1,36 +1,36 @@ -From e10b9b1f6704057ace39956ae1dc5c7caca07ff1 Mon Sep 17 00:00:00 2001 -From: Andrei Dinu <andrei.adrianx.dinu@intel.com> -Date: Mon, 8 Jul 2013 11:53:54 +0300 -Subject: [PATCH] Setting the location of nikto on the image +From d1cb702d5147abea0d3208a4d554c61a6f2decd6 Mon Sep 17 00:00:00 2001 +From: Scott Ellis <scott@jumpnowtek.com> +Date: Fri, 28 Dec 2018 11:08:25 -0500 +Subject: [PATCH] Set custom paths -Upstream Status: Inapropriate +Upstream Status: Inappropriate -Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com> +Signed-off-by: Scott Ellis <scott@jumpnowtek.com> --- - nikto.conf | 10 +++++----- + nikto.conf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) -diff --git a/nikto.conf b/nikto.conf -index 25b784d..9577033 100644 +diff --git a/program/nikto.conf b/program/nikto.conf +index bf36c58..8c55415 100644 --- a/nikto.conf +++ b/nikto.conf -@@ -61,11 +61,11 @@ CIRT=174.142.17.165 +@@ -61,11 +61,11 @@ CIRT=107.170.99.251 CHECKMETHODS=HEAD GET # If you want to specify the location of any of the files, specify them here -# EXECDIR=/opt/nikto # Location of Nikto -# PLUGINDIR=/opt/nikto/plugins # Location of plugin dir --# DBDIR=/opt/nikto/databases # Location of plugin dir --# TEMPLATEDIR=/opt/nikto/templates # Location of tempmlate dir +-# DBDIR=/opt/nikto/databases # Location of database dir +-# TEMPLATEDIR=/opt/nikto/templates # Location of template dir -# DOCDIR=/opt/nikto/docs # Location of docs dir +EXECDIR=/usr/bin/nikto # Location of Nikto +PLUGINDIR=/etc/nikto/plugins # Location of plugin dir -+DBDIR=/etc/nikto/databases # Location of plugin dir -+TEMPLATEDIR=/etc/nikto/templates # Location of tempmlate dir ++DBDIR=/etc/nikto/databases # Location of database dir ++TEMPLATEDIR=/etc/nikto/templates # Location of template dir +DOCDIR=/usr/share/doc/nikto # Location of docs dir # Default plugin macros - @@MUTATE=dictionary;subdomain + # Remove plugins designed to be run standalone -- -1.7.9.5 +2.7.4 diff --git a/meta-security/recipes-security/nikto/nikto_2.1.5.bb b/meta-security/recipes-security/nikto/nikto_2.1.5.bb deleted file mode 100644 index 19eb14f3e..000000000 --- a/meta-security/recipes-security/nikto/nikto_2.1.5.bb +++ /dev/null @@ -1,108 +0,0 @@ -SUMMARY = "web server scanner" -DESCRIPTION = "Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous \ - files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers." -SECTION = "security" -LICENSE = "GPLv2" - -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" - -SRC_URI = "http://cirt.net/nikto/${BP}.tar.gz \ - file://location.patch \ - file://CVE-2018-11652.patch" - -SRC_URI[md5sum] = "efcc98a918becb77471ee9a5df0a7b1e" -SRC_URI[sha256sum] = "0e672a6a46bf2abde419a0e8ea846696d7f32e99ad18a6b405736ee6af07509f" - -do_install() { - install -d ${D}${bindir} - install -d ${D}${datadir} - install -d ${D}${datadir}/man/man1 - install -d ${D}${datadir}/doc/nikto - install -d ${D}${sysconfdir}/nikto - install -d ${D}${sysconfdir}/nikto/databases - install -d ${D}${sysconfdir}/nikto/plugins - install -d ${D}${sysconfdir}/nikto/templates - - install -m 0644 databases/db_404_strings ${D}${sysconfdir}/nikto/databases - install -m 0644 databases/db_content_search ${D}${sysconfdir}/nikto/databases - install -m 0644 databases/db_dictionary ${D}${sysconfdir}/nikto/databases - install -m 0644 databases/db_embedded ${D}${sysconfdir}/nikto/databases - install -m 0644 databases/db_favicon ${D}${sysconfdir}/nikto/databases - install -m 0644 databases/db_headers ${D}${sysconfdir}/nikto/databases - install -m 0644 databases/db_httpoptions ${D}${sysconfdir}/nikto/databases - install -m 0644 databases/db_multiple_index ${D}${sysconfdir}/nikto/databases - install -m 0644 databases/db_outdated ${D}${sysconfdir}/nikto/databases - install -m 0644 databases/db_parked_strings ${D}${sysconfdir}/nikto/databases - install -m 0644 databases/db_realms ${D}${sysconfdir}/nikto/databases - install -m 0644 databases/db_server_msgs ${D}${sysconfdir}/nikto/databases - install -m 0644 databases/db_subdomains ${D}${sysconfdir}/nikto/databases - install -m 0644 databases/db_tests ${D}${sysconfdir}/nikto/databases - install -m 0644 databases/db_variables ${D}${sysconfdir}/nikto/databases - - install -m 0644 plugins/JSON-PP.pm ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/LW2.pm ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_apache_expect_xss.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_apacheusers.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_auth.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_cgi.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_clientaccesspolicy.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_content_search.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_cookies.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_core.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_dictionary_attack.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_embedded.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_favicon.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_fileops.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_headers.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_httpoptions.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_msgs.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_multiple_index.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_outdated.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_parked.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_paths.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_put_del_test.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_report_csv.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_report_html.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_report_msf.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_report_nbe.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_report_text.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_report_xml.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_robots.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_siebel.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_ssl.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_subdomain.plugin ${D}${sysconfdir}/nikto/plugins - install -m 0644 plugins/nikto_tests.plugin ${D}${sysconfdir}/nikto/plugins - - install -m 0644 templates/htm_close.tmpl ${D}${sysconfdir}/nikto/templates - install -m 0644 templates/htm_end.tmpl ${D}${sysconfdir}/nikto/templates - install -m 0644 templates/htm_host_head.tmpl ${D}${sysconfdir}/nikto/templates - install -m 0644 templates/htm_host_im.tmpl ${D}${sysconfdir}/nikto/templates - install -m 0644 templates/htm_host_item.tmpl ${D}${sysconfdir}/nikto/templates - install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates - install -m 0644 templates/htm_stop.tmpl ${D}${sysconfdir}/nikto/templates - install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates - install -m 0644 templates/htm_summary.tmpl ${D}${sysconfdir}/nikto/templates - install -m 0644 templates/xml_end.tmpl ${D}${sysconfdir}/nikto/templates - install -m 0644 templates/xml_host_head.tmpl ${D}${sysconfdir}/nikto/templates - install -m 0644 templates/xml_host_im.tmpl ${D}${sysconfdir}/nikto/templates - install -m 0644 templates/xml_host_item.tmpl ${D}${sysconfdir}/nikto/templates - install -m 0644 templates/xml_start.tmpl ${D}${sysconfdir}/nikto/templates - install -m 0644 templates/xml_summary.tmpl ${D}${sysconfdir}/nikto/templates - - install -m 0644 nikto.conf ${D}${sysconfdir} - - install -m 0755 nikto.pl ${D}${bindir}/nikto - install -m 0644 replay.pl ${D}${bindir} - install -m 0644 docs/nikto.1 ${D}${datadir}/man/man1 - - install -m 0644 docs/CHANGES.txt ${D}${datadir}/doc/nikto - install -m 0644 docs/LICENSE.txt ${D}${datadir}/doc/nikto - install -m 0644 docs/nikto.dtd ${D}${datadir}/doc/nikto - install -m 0644 docs/nikto_manual.html ${D}${datadir}/doc/nikto -} - -RDEPENDS_${PN} = "perl libnet-ssleay-perl libwhisker2-perl \ - perl-module-getopt-long perl-module-time-local \ - perl-module-io-socket perl-module-overloading \ - perl-module-base perl-module-b perl-module-bytes \ - nikto-doc" diff --git a/meta-security/recipes-security/nikto/nikto_2.1.6.bb b/meta-security/recipes-security/nikto/nikto_2.1.6.bb new file mode 100644 index 000000000..2d2c46ca1 --- /dev/null +++ b/meta-security/recipes-security/nikto/nikto_2.1.6.bb @@ -0,0 +1,118 @@ +SUMMARY = "web server scanner" +DESCRIPTION = "Nikto is an Open Source web server scanner which performs comprehensive tests against web servers" +SECTION = "security" +HOMEPAGE = "https://cirt.net/Nikto2" + +LICENSE = "GPLv2" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" + +SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79" +SRC_URI = "git://github.com/sullo/nikto.git \ + file://location.patch" + +S = "${WORKDIR}/git/program" + +do_install() { + install -d ${D}${bindir} + install -d ${D}${datadir} + install -d ${D}${datadir}/man/man1 + install -d ${D}${datadir}/doc/nikto + install -d ${D}${sysconfdir}/nikto + install -d ${D}${sysconfdir}/nikto/databases + install -d ${D}${sysconfdir}/nikto/plugins + install -d ${D}${sysconfdir}/nikto/templates + + install -m 0644 databases/db_404_strings ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_content_search ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_dictionary ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_dir_traversal ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_domino ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_drupal ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_embedded ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_favicon ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_headers ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_httpoptions ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_multiple_index ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_outdated ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_parked_strings ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_realms ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_server_msgs ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_tests ${D}${sysconfdir}/nikto/databases + install -m 0644 databases/db_variables ${D}${sysconfdir}/nikto/databases + + install -m 0644 plugins/LW2.pm ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_apache_expect_xss.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_apacheusers.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_auth.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_cgi.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_clientaccesspolicy.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_content_search.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_cookies.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_core.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_dictionary_attack.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_dir_traversal.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_dishwasher.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_docker_registry.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_domino.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_drupal.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_embedded.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_favicon.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_fileops.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_headers.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_httpoptions.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_ms10_070.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_msgs.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_multiple_index.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_negotiate.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_origin_reflection.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_outdated.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_parked.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_paths.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_put_del_test.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_report_csv.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_report_html.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_report_json.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_report_nbe.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_report_sqlg.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_report_text.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_report_xml.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_robots.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_siebel.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_sitefiles.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_ssl.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_strutshock.plugin ${D}${sysconfdir}/nikto/plugins + install -m 0644 plugins/nikto_tests.plugin ${D}${sysconfdir}/nikto/plugins + + install -m 0644 templates/htm_close.tmpl ${D}${sysconfdir}/nikto/templates + install -m 0644 templates/htm_end.tmpl ${D}${sysconfdir}/nikto/templates + install -m 0644 templates/htm_host_head.tmpl ${D}${sysconfdir}/nikto/templates + install -m 0644 templates/htm_host_im.tmpl ${D}${sysconfdir}/nikto/templates + install -m 0644 templates/htm_host_item.tmpl ${D}${sysconfdir}/nikto/templates + install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates + install -m 0644 templates/htm_stop.tmpl ${D}${sysconfdir}/nikto/templates + install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates + install -m 0644 templates/htm_summary.tmpl ${D}${sysconfdir}/nikto/templates + install -m 0644 templates/xml_end.tmpl ${D}${sysconfdir}/nikto/templates + install -m 0644 templates/xml_host_head.tmpl ${D}${sysconfdir}/nikto/templates + install -m 0644 templates/xml_host_im.tmpl ${D}${sysconfdir}/nikto/templates + install -m 0644 templates/xml_host_item.tmpl ${D}${sysconfdir}/nikto/templates + install -m 0644 templates/xml_start.tmpl ${D}${sysconfdir}/nikto/templates + install -m 0644 templates/xml_summary.tmpl ${D}${sysconfdir}/nikto/templates + + install -m 0644 nikto.conf ${D}${sysconfdir} + + install -m 0755 nikto.pl ${D}${bindir}/nikto + install -m 0644 replay.pl ${D}${bindir} + install -m 0644 docs/nikto.1 ${D}${datadir}/man/man1 + + install -m 0644 docs/CHANGES.txt ${D}${datadir}/doc/nikto + install -m 0644 docs/LICENSE.txt ${D}${datadir}/doc/nikto + install -m 0644 docs/nikto.dtd ${D}${datadir}/doc/nikto + install -m 0644 docs/nikto_manual.html ${D}${datadir}/doc/nikto +} + +RDEPENDS_${PN} = "perl libnet-ssleay-perl libwhisker2-perl \ + perl-module-getopt-long perl-module-time-local \ + perl-module-io-socket perl-module-overloading \ + perl-module-base perl-module-b perl-module-bytes" + diff --git a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb index e847847b8..b8ab27df1 100644 --- a/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb @@ -78,7 +78,7 @@ RDEPENDS_packagegroup-security-ptest = " \ python-scapy-ptest \ suricata-ptest \ tripwire-ptest \ - python3-fail2ban-ptest \ + python-fail2ban-ptest \ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ ptest-runner \ diff --git a/meta-security/recipes-security/samhain/files/run-ptest b/meta-security/recipes-security/samhain/files/run-ptest deleted file mode 100755 index 2a4a76530..000000000 --- a/meta-security/recipes-security/samhain/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -current_dir=$(dirname $(readlink -f $0)) -$current_dir/cutest diff --git a/meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch b/meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch deleted file mode 100644 index 088a938e3..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch +++ /dev/null @@ -1,28 +0,0 @@ -From ae79606a6745dbbd429d1d4671dfe3045d735057 Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Thu, 14 Sep 2017 13:26:55 +0800 -Subject: [PATCH] Add LDFLAGS variable for compiling samhain_setpwd - -Upstream-Status: Pending - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - Makefile.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile.in b/Makefile.in -index 01de987..49356cf 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -1128,7 +1128,7 @@ sh_tiger_i.o: $(srcsrc)/$(TIGER_SRC) Makefile config_xor.h - samhain_setpwd: encode config_xor.h $(srcsrc)/samhain_setpwd.c - @echo '$(COMPILE) -o samhain_setpwd $(srcsrc)/samhain_setpwd.c'; \ - ./encode $(XOR_CODE) $(srcsrc)/samhain_setpwd.c; \ -- $(COMPILE) -o samhain_setpwd x_samhain_setpwd.c; \ -+ $(COMPILE) $(LDFLAGS) -o samhain_setpwd x_samhain_setpwd.c; \ - rm x_samhain_setpwd.c - - samhain_stealth: encode config_xor.h $(srcsrc)/samhain_stealth.c --- -2.11.0 - diff --git a/meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch b/meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch deleted file mode 100644 index 6bf67e09b..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch +++ /dev/null @@ -1,134 +0,0 @@ -From 3e2ca7e06b16ceff6d12beb5113312f6525df595 Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Thu, 14 Sep 2017 11:02:12 +0800 -Subject: [PATCH] configure.ac: avoid searching host for postgresql - -Upstream-Status: Inappropriate [cross compile specific] - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - configure.ac | 101 +++-------------------------------------------------------- - 1 file changed, 5 insertions(+), 96 deletions(-) - -diff --git a/configure.ac b/configure.ac -index a224c68..f658d53 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1278,90 +1278,11 @@ AC_ARG_WITH(database, - AC_DEFINE(WITH_POSTGRES) - AC_DEFINE(WITH_DATABASE) - # -- PGCONF="no" -- MY_PATH="${PATH}:/usr/local/bin:/usr/local/pgsql/bin" -- OLD_IFS="$IFS" -- IFS=":" -- for ff in ${MY_PATH} -- do -- if test -f "$ff/pg_config" -- then -- PGCONF="$ff/pg_config" -- fi -- done -- IFS="${OLD_IFS}" -- # -- # -- if test "x${PGCONF}" = "xno" -- then -- AC_MSG_CHECKING(for PostgreSQL in /usr/local/pgsql /usr/pgsql /usr/local /usr PGSQL_HOME) -- pgsql_directory="/usr/local/pgsql /usr/pgsql /usr/local /usr ${PGSQL_HOME}" -- for i in $pgsql_directory; do -- if test -r $i/include/pgsql/libpq-fe.h; then -- PGSQL_INC_DIR=$i/include -- PGSQL_DIR=$i -- # use AC_CHECK_HEADERS to check for pgsql/libpq-fe.h -- fi -- done -- if test -z "$PGSQL_DIR"; then -- for i in $pgsql_directory; do -- if test -r $i/include/postgresql/libpq-fe.h; then -- PGSQL_INC_DIR=$i/include -- PGSQL_DIR=$i -- fi -- done -- fi -- if test -z "$PGSQL_DIR"; then -- for i in $pgsql_directory; do -- if test -r $i/include/libpq-fe.h; then -- PGSQL_INC_DIR=$i/include -- PGSQL_DIR=$i -- fi -- done -- fi -- -- if test -z "$PGSQL_DIR"; then -- tmp="" -- for i in $pgsql_directory; do -- tmp="$tmp $i/include $i/include/pgsql $i/include/postgresql" -- done -- FAIL_MESSAGE("PostgreSQL header file (libpq-fe.h)", $tmp) -- fi -- -- for i in lib lib/pgsql lib/postgresql; do -- str="$PGSQL_DIR/$i/libpq.*" -- for j in `echo $str`; do -- if test -r $j; then -- PGSQL_LIB_DIR="$PGSQL_DIR/$i" -- break 2 -- fi -- done -- done -- -- if test -z "$PGSQL_LIB_DIR"; then -- for ff in $pgsql_directory; do -- for i in lib lib/pgsql lib/postgresql; do -- str="$ff/$i/libpq.*" -- for j in `echo $str`; do -- if test -r $j; then -- PGSQL_LIB_DIR="$ff/$i" -- break 3 -- fi -- done -- done -- done -- fi -- -- if test -z "$PGSQL_LIB_DIR"; then -- tmp="" -- for i in $pgsql_directory; do -- tmp="$i/lib $i/lib/pgsql $i/lib/postgresql" -- done -- FAIL_MESSAGE("postgresql library libpq", $tmp) -- fi -- -- AC_MSG_RESULT(yes) -- -+ if test -z "${PGSQL_LIB_DIR}" ; then -+ FAIL_MESSAGE("PGSQL_LIB_DIR is not set!") -+ elif test -z "${PGSQL_INC_DIR}" ; then -+ FAIL_MESSAGE("PGSQL_INC_DIR is not set!") -+ else - LIBS="$LIBS -L${PGSQL_LIB_DIR} -lpq -lm" - if test x"$enable_static" = xyes; then - LIBS="$LIBS -L${PGSQL_LIB_DIR} -lpq -lcrypt -lm" -@@ -1370,18 +1291,6 @@ AC_ARG_WITH(database, - fi - # CFLAGS="$CFLAGS -I${PGSQL_INC_DIR}" - CPPFLAGS="$CPPFLAGS -I${PGSQL_INC_DIR}" -- AC_CHECK_HEADERS(pgsql/libpq-fe.h) -- AC_CHECK_HEADERS(postgresql/libpq-fe.h) -- else -- pg_lib_dir=`${PGCONF} --libdir` -- if test x"$enable_static" = xyes; then -- LIBS="$LIBS -L${pg_lib_dir} -lpq -lcrypt -lm" -- else -- LIBS="$LIBS -L${pg_lib_dir} -lpq -lm" -- fi -- pg_inc_dir=`${PGCONF} --includedir` -- # CFLAGS="$CFLAGS -I${pg_inc_dir}" -- CPPFLAGS="$CPPFLAGS -I${pg_inc_dir}" - fi - elif test "x${withval}" = "xodbc"; then - AC_MSG_CHECKING(for odbc in /usr /usr/local ODBC_HOME) --- -2.11.0 - diff --git a/meta-security/recipes-security/samhain/files/samhain-client.default b/meta-security/recipes-security/samhain/files/samhain-client.default deleted file mode 100644 index 9899577ae..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-client.default +++ /dev/null @@ -1,3 +0,0 @@ -# Set this to "yes" to start the server, after you configure it, of -# course. -SAMHAIN_CLIENT_START="no"
\ No newline at end of file diff --git a/meta-security/recipes-security/samhain/files/samhain-client.init b/meta-security/recipes-security/samhain/files/samhain-client.init deleted file mode 100644 index d5fabeded..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-client.init +++ /dev/null @@ -1,122 +0,0 @@ -#!/bin/bash -# chkconfig: 2345 99 10 -# description: File Integrity Checking Daemon -# -# processname: samhain -# config : /etc/samhainrc -# logfile : /var/log/samhain_log -# database: /var/lib/samhain/samhain_file -# - -NAME=samhain -DAEMON=/usr/sbin/samhain -RETVAL=0 -PIDFILE=/var/run/samhain.pid - -. /etc/default/rcS - -. /etc/default/samhain-client - -if [ "x$SAMHAIN_CLIENT_START" != "xyes" ]; then - echo "${0}: client disabled in /etc/default/samhain-client" - exit 0 -fi - -if [ -x $DAEMON ]; then - : -else - echo "${0}: executable ${DAEMON} not found" - exit 1 -fi - -if [ ! -e /var/lib/samhain/samhain_file ]; then - echo "${0}: /var/lib/samhain/samhain_file does not exist. You must" - echo " run 'samhain -t init' before samhian-client can start." - exit 1 -fi - -samhain_done() -{ - if [ $RETVAL -eq 0 ]; then - echo "." - else - echo " failed." - fi -} - -log_stat_msg () { -case "$1" in - 0) - echo "Service $NAME: Running"; - ;; - 1) - echo "Service $NAME: Stopped and /var/run pid file exists"; - ;; - 3) - echo "Service $NAME: Stopped"; - ;; - *) - echo "Service $NAME: Status unknown"; - ;; -esac -} - -case "$1" in - start) - # - # Remove a stale PID file, if found - # - if test -f ${PIDFILE}; then - /bin/rm -f ${PIDFILE} - fi - # - echo -n "Starting ${NAME}" - start-stop-daemon --start --quiet --exec $DAEMON - RETVAL=$? - samhain_done - ;; - - stop) - echo -n "Stopping $NAME" - start-stop-daemon --stop --quiet --exec $DAEMON - RETVAL=$? - - # - # Remove a stale PID file, if found - # - if test -f ${PIDFILE}; then - /bin/rm -f ${PIDFILE} - fi - if test -S /var/run/${NAME}.sock; then - /bin/rm -f /var/run/${NAME}.sock - fi - samhain_done - ;; - - restart) - $0 stop - sleep 3 - $0 start - RETVAL=$? - ;; - - reload|force-reload) - echo -n "Reloading $NAME configuration files" - start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON - RETVAL=$? - samhain_done - ;; - - status) - $DAEMON status - RETVAL=$? - log_stat_msg ${RETVAL} - ;; - - *) - echo "$0 usage: {start|stop|status|restart|reload}" - exit 1 - ;; -esac - -exit $RETVAL diff --git a/meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch b/meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch deleted file mode 100644 index 8de0735fc..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch +++ /dev/null @@ -1,108 +0,0 @@ -From 02a143f0068cbc6cea71359169210fbb3606d4bb Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Mon, 18 Jan 2016 00:24:57 -0500 -Subject: [PATCH] configure: add option for ps - -The configure searches hardcoded host paths for PSPATH -and run ps commands to decide PSARG which will fail -on host without ps: -| configure: error: Cannot find ps in any of /usr/ucb /bin /usr/bin - -So add an option so we can specify the ps at configure -to avoid host contamination. - -Upstream-Status: Inappropriate [cross compile specific] - -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - aclocal.m4 | 2 +- - configure.ac | 60 ++++++++++-------------------------------------------------- - 2 files changed, 11 insertions(+), 51 deletions(-) - -diff --git a/aclocal.m4 b/aclocal.m4 -index a2e59a6..cd20a2f 100644 ---- a/aclocal.m4 -+++ b/aclocal.m4 -@@ -409,7 +409,7 @@ x_includes=NONE - x_libraries=NONE - DESTDIR= - SH_ENABLE_OPTS="selinux posix-acl asm ssp db-reload xml-log message-queue login-watch process-check port-check mounts-check logfile-monitor userfiles debug ptrace static network udp nocl stealth micro-stealth install-name identity khide suidcheck base largefile mail external-scripts encrypt srp dnmalloc ipv6 shellexpand suid" --SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file" -+SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file ps-path" - - # Installation directory options. - # These are left unexpanded so users can "make install exec_prefix=/foo" -diff --git a/configure.ac b/configure.ac -index 5910b1f..8c3e087 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -730,56 +730,16 @@ then - fi - AC_CHECK_HEADERS(gmp.h) - --AC_MSG_CHECKING([for ps]) --PS= --for ff in /usr/ucb /bin /usr/bin; do -- if test -x "$ff/ps"; then -- PS="$ff/ps" -- AC_MSG_RESULT([$PS]) -- break -- fi --done --if test x$PS = x --then -- AC_MSG_RESULT([no]) -- AC_MSG_ERROR([Cannot find ps in any of /usr/ucb /bin /usr/bin]) --fi --AC_DEFINE_UNQUOTED([PSPATH], _("$PS"), [Path to ps]) -- --AC_MSG_CHECKING([how to use ps]) --$PS ax >/dev/null 2>&1 --if test $? -eq 0; then -- case "$host_os" in -- *openbsd*) -- one=`$PS akx | wc -l` -- ;; -- *) -- one=`$PS ax | wc -l` -- ;; -- esac --else -- one=0 --fi --$PS -e >/dev/null 2>&1 --if test $? -eq 0; then -- two=`$PS -e | wc -l` --else -- two=0 --fi --if test $one -ge $two --then -- case "$host_os" in -- *openbsd*) -- PSARG="akx" -- ;; -- *) -- PSARG="ax" -- ;; -- esac --else -- PSARG="-e" --fi --AC_DEFINE_UNQUOTED([PSARG], _("$PSARG"), [Argument for ps]) -+AC_ARG_WITH(ps-path, -+ [ --with-ps-path=PATH set path to ps command ], -+ [ -+ if test "x${withval}" != xno; then -+ pspath="${withval}" -+ AC_DEFINE_UNQUOTED([PSPATH], _("${pspath}"), [Path to ps]) -+ AC_DEFINE_UNQUOTED([PSARG], _("ax"), [Argument for ps]) -+ fi -+ ]) -+ - AC_MSG_RESULT([$PS $PSARG]) - - dnl ***************************************** --- -1.9.1 - diff --git a/meta-security/recipes-security/samhain/files/samhain-cross-compile.patch b/meta-security/recipes-security/samhain/files/samhain-cross-compile.patch deleted file mode 100644 index 7f80a5c61..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-cross-compile.patch +++ /dev/null @@ -1,51 +0,0 @@ -From f63908427b2adb1792c59edbe38618e14ef5bc7b Mon Sep 17 00:00:00 2001 -From: Jackie Huang <jackie.huang@windriver.com> -Date: Fri, 15 Jan 2016 00:48:58 -0500 -Subject: [PATCH] Enable obfuscating binaries natively. - -Enable obfuscating binaries natively. - -The samhain build process involves an obfuscation step that attempts to -defeat decompilation or other binary analysis techniques which might reveal -secret information that should be known only to the system administrator. -The obfuscation step builds several applications which run on the build host -and then generate target code, which is then built into target binaries. - -This patch creates a basic infrastructure that supports building the -obfuscation binaries natively then cross-compiling the target code by adding -a special configure option. In the absence of this option the old behaviour -is preserved. - -Upstream-Status: Inappropriate [cross compile specific] - -Signed-off-by: Aws Ismail <aws.ismail@windriver.com> -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> ---- - Makefile.in | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/Makefile.in b/Makefile.in -index 684e92b..fb090e2 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -54,7 +54,7 @@ selectconfig = @selectconfig@ - top_builddir = . - - INSTALL = @INSTALL@ --INSTALL_PROGRAM = @INSTALL@ -s -m 700 -+INSTALL_PROGRAM = @INSTALL@ -m 700 - INSTALL_SHELL = @INSTALL@ -m 700 - INSTALL_DATA = @INSTALL@ -m 600 - INSTALL_MAN = @INSTALL@ -m 644 -@@ -525,8 +525,6 @@ install-program: $(PROGRAMS) sstrip - echo " $(INSTALL_PROGRAM) $$p $$target"; \ - $(INSTALL_PROGRAM) $$p $$target; \ - chmod 0700 $$target; \ -- echo " ./sstrip $$target"; \ -- ./sstrip $$target; \ - else \ - echo " $(INSTALL_SHELL) $$p $$target"; \ - $(INSTALL_SHELL) $$p $$target; \ --- -1.9.1 - diff --git a/meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch b/meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch deleted file mode 100644 index 060866068..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch +++ /dev/null @@ -1,44 +0,0 @@ -commit 0f6bdc219e598de08a3f37887efa5dfa50e2b996 -Author: Aws Ismail <aws.ismail@windriver.com> -Date: Fri Jun 22 15:47:08 2012 -0400 - -Hash fix for MIPS64 and AARCH64 - -Samhain uses the addresses of local variables in generating hash -values. The hashing function is designed only for 32-bit values. -For MIPS64 when a 64-bit address is passed in the resulting hash -exceeds the limits of the underlying mechanism and samhain -ultimately fails. The solution is to simply take the lower -32-bits of the address and use that in generating hash values. - -Signed-off-by: Greg Moffatt <greg.moffatt@windriver.com> - -Upstream-Status: Pending - -Signed-off-by: Aws Ismail <aws.ismail@windriver.com> -Signed-off-by: Jackie Huang <jackie.huang@windriver.com> - -diff --git a/src/dnmalloc.c b/src/dnmalloc.c -index da9a5c5..fc91400 100644 ---- a/src/dnmalloc.c -+++ b/src/dnmalloc.c -@@ -2703,11 +2703,19 @@ static void freecilst_add(chunkinfoptr p) { - } - - /* Calculate the hash table entry for a chunk */ -+#if defined(CONFIG_ARCH_MIPS64) || defined(CONFIG_ARCH_AARCH64) -+#ifdef STARTHEAP_IS_ZERO -+#define hash(p) ((((unsigned long) p) & 0x7fffffff) >> 7) -+#else -+#define hash(p) ((((unsigned long) p - (unsigned long) startheap) & 0x7fffffff) >> 7) -+#endif -+#else - #ifdef STARTHEAP_IS_ZERO - #define hash(p) (((unsigned long) p) >> 7) - #else - #define hash(p) (((unsigned long) p - (unsigned long) startheap) >> 7) - #endif -+#endif /* CONFIG_ARCH_MIPS64 */ - - static void - hashtable_add (chunkinfoptr ci) diff --git a/meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch b/meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch deleted file mode 100644 index 528431311..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch +++ /dev/null @@ -1,24 +0,0 @@ -not run test on host, since we are doing cross-compile - -Upstream-status: Inappropriate [cross compile specific] - -Signed-off-by: Roy Li <rongqing.li@windriver.com> ---- - Makefile.in | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/Makefile.in b/Makefile.in -index e1b32a8..74bfdc9 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -1234,7 +1234,6 @@ intcutest: internal.h $(OBJECTS) $(CUTEST_OBJECTS) sh_tiger_i.o $(srcsrc)/CuTest - rm x_samhain.c; \ - $(LINK) sh_tiger_i.o $(CUTEST_OBJECTS) CuTestMain.o CuTest.o $(OBJECTS) $(LIBS_TRY); \ - test -f ./intcutest && mv ./intcutest ./cutest; \ -- ./cutest - - runcutest: - gdb ./cutest --- -1.7.10.4 - diff --git a/meta-security/recipes-security/samhain/files/samhain-pid-path.patch b/meta-security/recipes-security/samhain/files/samhain-pid-path.patch deleted file mode 100644 index 592bd165f..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-pid-path.patch +++ /dev/null @@ -1,27 +0,0 @@ -commit a932b03b65edeb02ccad2fce06bfa68a8f2fbb04 -Author: Aws Ismail <aws.ismail@windriver.com> -Date: Thu Jan 10 16:29:05 2013 -0500 - - Set the PID Lock path for samhain.pid - - The explicit path for samhain.pid inorder - for samhain to work properly after it initial - database build. - - Upstream-Status: Inappropriate [configuration] - - Signed-off-by: Aws Ismail <aws.ismail@windriver.com> - -diff --git a/samhainrc.linux b/samhainrc.linux -index 10a8176..a7b06e6 100644 ---- a/samhainrc.linux -+++ b/samhainrc.linux -@@ -639,7 +639,7 @@ SetFileCheckTime = 86400 - - ## Path to the PID file - # --# SetLockfilePath = (default: compiled-in) -+SetLockfilePath = /run/samhain.pid - - - ## The digest/checksum/hash algorithm diff --git a/meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch b/meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch deleted file mode 100644 index dad6b150e..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 00fb527e45da42550156197647e01de9a6b1ad52 Mon Sep 17 00:00:00 2001 -From: Wenzong Fan <wenzong.fan@windriver.com> -Date: Mon, 3 Mar 2014 01:50:01 -0500 -Subject: [PATCH] fix real path for some files/dirs - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> ---- - samhainrc.linux | 15 +++++++-------- - 1 file changed, 7 insertions(+), 8 deletions(-) - -diff --git a/samhainrc.linux b/samhainrc.linux -index e9727b4..7775d83 100644 ---- a/samhainrc.linux -+++ b/samhainrc.linux -@@ -93,7 +93,6 @@ dir = 99/etc - ## - file = /etc/mtab - file = /etc/fstab --file = /etc/adjtime - file = /etc/motd - file = /etc/lvm/lvm.conf - -@@ -153,11 +152,11 @@ dir = 99/var - - [IgnoreAll] - dir = -1/var/cache --dir = -1/var/lock --dir = -1/var/mail --dir = -1/var/run -+dir = -1/run/lock -+dir = -1/var/spool/mail -+dir = -1/run - dir = -1/var/spool --dir = -1/var/tmp -+dir = -1/var/volatile/tmp - - - [Attributes] -@@ -167,7 +166,7 @@ dir = -1/var/tmp - file = /var/lib/rpm/__db.00? - - file = /var/lib/logrotate.status --file = /var/lib/random-seed -+file = /var/lib/urandom/random-seed - - - [GrowingLogFiles] -@@ -176,7 +175,7 @@ file = /var/lib/random-seed - ## are ignored. Logfile rotation will cause a report because of shrinking - ## size and different inode. - ## --dir = 99/var/log -+dir = 99/var/volatile/log - - [Attributes] - # --- -1.7.9.5 - diff --git a/meta-security/recipes-security/samhain/files/samhain-samhainrc.patch b/meta-security/recipes-security/samhain/files/samhain-samhainrc.patch deleted file mode 100644 index 145700a0e..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-samhainrc.patch +++ /dev/null @@ -1,158 +0,0 @@ -commit 4c6658441eb3ffc4e51ed70f78cbdab046957580 -Author: Aws Ismail <aws.ismail@windriver.com> -Date: Fri Jun 22 16:38:20 2012 -0400 - -Make samhainrc OE-friendly. - -Patch the samhainrc that will be installed -as part of the 'make install' step to more -accurately reflect what will be found, and -what will be of concern, on a OE install. - -Upstream-Status: Inappropriate [configuration] - -Signed-off-by: Aws Ismail <aws.ismail@windriver.com> - -diff --git a/samhainrc.linux b/samhainrc.linux -index 9bc5ca4..10a8176 100644 ---- a/samhainrc.linux -+++ b/samhainrc.linux -@@ -74,7 +74,6 @@ dir = 0/ - [Attributes] - file = /tmp - file = /dev --file = /media - file = /proc - file = /sys - -@@ -93,19 +92,10 @@ dir = 99/etc - ## check permission and ownership - ## - file = /etc/mtab -+file = /etc/fstab - file = /etc/adjtime - file = /etc/motd --file = /etc/lvm/.cache -- --# On Ubuntu, these are in /var/lib rather than /etc --file = /etc/cups/certs --file = /etc/cups/certs/0 -- --# managed by fstab-sync on Fedora Core --file = /etc/fstab -- --# modified when booting --file = /etc/sysconfig/hwconf -+file = /etc/lvm/lvm.conf - - # There are files in /etc that might change, thus changing the directory - # timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'. -@@ -147,10 +137,6 @@ dir = 99/dev - ## - dir = -1/dev/pts - --# dir = -1/dev/.udevdb -- --file = /dev/ppp -- - # - # --------- /usr ----------- - # -@@ -167,50 +153,21 @@ dir = 99/var - - [IgnoreAll] - dir = -1/var/cache --dir = -1/var/backups --dir = -1/var/games --dir = -1/var/gdm - dir = -1/var/lock - dir = -1/var/mail - dir = -1/var/run - dir = -1/var/spool - dir = -1/var/tmp --dir = -1/var/lib/texmf --dir = -1/var/lib/scrollkeeper - - - [Attributes] - --dir = /var/lib/nfs --dir = /var/lib/pcmcia -- - # /var/lib/rpm changes if packets are installed; - # /var/lib/rpm/__db.00[123] even more frequently - file = /var/lib/rpm/__db.00? - --file = /var/lib/acpi-support/vbestate --file = /var/lib/alsa/asound.state --file = /var/lib/apt/lists/lock --file = /var/lib/apt/lists/partial --file = /var/lib/cups/certs --file = /var/lib/cups/certs/0 --file = /var/lib/dpkg/lock --file = /var/lib/gdm --file = /var/lib/gdm/.cookie --file = /var/lib/gdm/.gdmfifo --file = /var/lib/gdm/:0.Xauth --file = /var/lib/gdm/:0.Xservers --file = /var/lib/logrotate/status --file = /var/lib/mysql --file = /var/lib/mysql/ib_logfile0 --file = /var/lib/mysql/ibdata1 --file = /var/lib/slocate --file = /var/lib/slocate/slocate.db --file = /var/lib/slocate/slocate.db.tmp --file = /var/lib/urandom --file = /var/lib/urandom/random-seed -+file = /var/lib/logrotate.status - file = /var/lib/random-seed --file = /var/lib/xkb - - - [GrowingLogFiles] -@@ -325,7 +282,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp - - ## Console - ## --# PrintSeverity=info -+PrintSeverity=warn - - ## Logfile - ## -@@ -333,7 +290,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp - - ## Syslog - ## --# SyslogSeverity=none -+SyslogSeverity=info - - ## Remote server (yule) - ## -@@ -556,7 +513,8 @@ ChecksumTest=check - ## and I/O limit (kilobytes per second; 0 == off) - ## to reduce load on host. - # --# SetNiceLevel = 0 -+# By default we configure samhain to be nice with everything else on the system -+SetNiceLevel = 10 - # SetIOLimit = 0 - - ## The version string to embed in file signature databases -@@ -565,13 +523,14 @@ ChecksumTest=check - - ## Interval between time stamp messages - # --# SetLoopTime = 60 --SetLoopTime = 600 -+# Log a timestamp every hour -+SetLoopTime = 3600 - - ## Interval between file checks - # - # SetFileCheckTime = 600 --SetFileCheckTime = 7200 -+# One file system check per day -+SetFileCheckTime = 86400 - - ## Alternative: crontab-like schedule - # diff --git a/meta-security/recipes-security/samhain/files/samhain-server-volatiles b/meta-security/recipes-security/samhain/files/samhain-server-volatiles deleted file mode 100644 index 6b8070936..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-server-volatiles +++ /dev/null @@ -1 +0,0 @@ -d daemon daemon 0775 /var/log/yule none diff --git a/meta-security/recipes-security/samhain/files/samhain-server.default b/meta-security/recipes-security/samhain/files/samhain-server.default deleted file mode 100644 index bc3d67cde..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-server.default +++ /dev/null @@ -1,3 +0,0 @@ -# Set this to "yes" to start the server, after you configure it, of -# course. -SAMHAIN_SERVER_START="no"
\ No newline at end of file diff --git a/meta-security/recipes-security/samhain/files/samhain-server.init b/meta-security/recipes-security/samhain/files/samhain-server.init deleted file mode 100644 index c456e51c9..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-server.init +++ /dev/null @@ -1,116 +0,0 @@ -#!/bin/bash -# chkconfig: 2345 98 11 -# description: File Integrity Checking Daemon -# -# processname: yule -# config : /etc/yulerc -# logfile : /var/log/yule/yule_log -# database: /var/lib/yule/yule_file -# - -NAME=yule -DAEMON=/usr/sbin/yule -RETVAL=0 -PIDFILE=/var/run/yule.pid - -. /etc/default/rcS - -. /etc/default/samhain-server - -if [ "x$SAMHAIN_SERVER_START" != "xyes" ]; then - echo "${0}: server disabled in /etc/default/samhain-server" - exit 0 -fi - -if [ -x $DAEMON ]; then - : -else - echo "${0}: executable ${DAEMON} not found" - exit 1 -fi - -samhain_done() -{ - if [ $RETVAL -eq 0 ]; then - echo "." - else - echo " failed." - fi -} - -log_stat_msg () { -case "$1" in - 0) - echo "Service $NAME: Running"; - ;; - 1) - echo "Service $NAME: Stopped and /var/run pid file exists"; - ;; - 3) - echo "Service $NAME: Stopped"; - ;; - *) - echo "Service $NAME: Status unknown"; - ;; -esac -} - -case "$1" in - start) - # - # Remove a stale PID file, if found - # - if test -f ${PIDFILE}; then - /bin/rm -f ${PIDFILE} - fi - # - echo -n "Starting ${NAME}" - start-stop-daemon --start --quiet --exec $DAEMON - RETVAL=$? - samhain_done - ;; - - stop) - echo -n "Stopping $NAME" - start-stop-daemon --stop --quiet --exec $DAEMON - RETVAL=$? - - # - # Remove a stale PID file, if found - # - if test -f ${PIDFILE}; then - /bin/rm -f ${PIDFILE} - fi - if test -S /var/run/${NAME}.sock; then - /bin/rm -f /var/run/${NAME}.sock - fi - samhain_done - ;; - - restart) - $0 stop - sleep 3 - $0 start - RETVAL=$? - ;; - - reload|force-reload) - echo -n "Reloading $NAME configuration files" - start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON - RETVAL=$? - samhain_done - ;; - - status) - $DAEMON status - RETVAL=$? - log_stat_msg ${RETVAL} - ;; - - *) - echo "$0 usage: {start|stop|status|restart|reload}" - exit 1 - ;; -esac - -exit $RETVAL diff --git a/meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch b/meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch deleted file mode 100644 index 3065c7309..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch +++ /dev/null @@ -1,22 +0,0 @@ -samhain: fix sha256 for big-endian machines - -After computing the digest, big-endian machines would -memset() the digest to the first byte of state instead -of using memcpy() to transfer it. - -Upstream-Status: Pending - -Signed-off-by: Joe Slater <jslater@windriver.com> - - ---- a/src/sh_checksum.c -+++ b/src/sh_checksum.c -@@ -468,7 +468,7 @@ void SHA256_Final(sha2_byte digest[], SH - } - } - #else -- memset(d, context->state, SHA256_DIGEST_LENGTH); -+ memcpy(d, context->state, SHA256_DIGEST_LENGTH); - /* bcopy(context->state, d, SHA256_DIGEST_LENGTH); */ - #endif - } diff --git a/meta-security/recipes-security/samhain/files/samhain-standalone.default b/meta-security/recipes-security/samhain/files/samhain-standalone.default deleted file mode 100644 index 507a59f29..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-standalone.default +++ /dev/null @@ -1,3 +0,0 @@ -# Set this to "yes" to start the server, after you configure it, of -# course. -SAMHAIN_STANDALONE_START="no" diff --git a/meta-security/recipes-security/samhain/files/samhain-standalone.init b/meta-security/recipes-security/samhain/files/samhain-standalone.init deleted file mode 100644 index 2f23bffd9..000000000 --- a/meta-security/recipes-security/samhain/files/samhain-standalone.init +++ /dev/null @@ -1,123 +0,0 @@ -#!/bin/sh -# chkconfig: 2345 99 10 -# description: File Integrity Checking Daemon -# -# processname: samhain -# config : /etc/samhainrc -# logfile : /var/log/samhain_log -# database: /var/lib/samhain/samhain_file -# - -NAME=samhain -DAEMON=/usr/sbin/samhain -RETVAL=0 -VERBOSE=yes -PIDFILE=/var/run/samhain.pid - -. /etc/default/samhain-standalone - -if [ "x$SAMHAIN_STANDALONE_START" != "xyes" ]; then - echo "${0}: samhain disabled in /etc/default/samhain-standalone" - exit 0 -fi - -if [ -x $DAEMON ]; then - : -else - echo "${0}: executable ${DAEMON} not found" - exit 1 -fi - -if [ ! -e /var/lib/samhain/samhain_file ]; then - echo "${0}: /var/lib/samhain/samhain_file does not exist. You must" - echo " run 'samhain -t init' before samhian can start." - exit 1 -fi - -samhain_done() -{ - if [ $RETVAL -eq 0 ]; then - echo "." - else - echo " failed." - fi -} - -log_stat_msg () { -case "$1" in - 0) - echo "Service $NAME: Running"; - ;; - 1) - echo "Service $NAME: Stopped and /var/run pid file exists"; - ;; - 3) - echo "Service $NAME: Stopped"; - ;; - *) - echo "Service $NAME: Status unknown"; - ;; -esac -} - -case "$1" in - start) - # - # Remove a stale PID file, if found - # - if test -f ${PIDFILE}; then - /bin/rm -f ${PIDFILE} - fi - - echo -n "Starting ${NAME}" - start-stop-daemon --start --quiet --exec $DAEMON - RETVAL=$? - samhain_done - exit $RETVAL - ;; - stop) - echo -n "Stopping $NAME" - start-stop-daemon --stop --quiet --exec $DAEMON - RETVAL=$? - samhain_done - # - # Remove a stale PID file, if found - # - if test -f ${PIDFILE}; then - /bin/rm -f ${PIDFILE} - fi - if test -S /var/run/${NAME}.sock; then - /bin/rm -f /var/run/${NAME}.sock - fi - ;; - - restart) - $0 stop - sleep 3 - $0 start - RETVAL=$? - ;; - - reload|force-reload) - echo -n "Reloading $NAME configuration files" - start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON - RETVAL=$? - samhain_done - ;; - - status) - if pidof -o %PPID $DAEMON > /dev/null; then - echo "Samhain running" - RETVAL=0 - else - echo "Samhain not running" - RETVAL=1 - fi - ;; - *) - echo "$0 usage: {start|stop|status|restart|reload}" - exit 1 - ;; -esac - -exit $RETVAL diff --git a/meta-security/recipes-security/samhain/files/samhain.service b/meta-security/recipes-security/samhain/files/samhain.service deleted file mode 100644 index e4f216ab4..000000000 --- a/meta-security/recipes-security/samhain/files/samhain.service +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=Samhain @MODE_NAME@ Daemon -After=syslog.target network.target - -[Service] -Type=forking -RemainAfterExit=yes -ExecStart=@LIBDIR@/@SAMHAIN_HELPER@ start -ExecStop=@LIBDIR@/@SAMHAIN_HELPER@ stop - -[Install] -WantedBy=multi-user.target diff --git a/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb b/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb deleted file mode 100644 index 812408e5e..000000000 --- a/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb +++ /dev/null @@ -1,11 +0,0 @@ -INITSCRIPT_PARAMS = "defaults 15 85" - -require samhain.inc - -# Let the default Logserver be 127.0.0.1 -EXTRA_OECONF += " \ - --with-logserver=${SAMHAIN_SERVER} \ - --with-port=${SAMHAIN_PORT} \ - " - -RDEPENDS_${PN} = "acl zlib attr bash" diff --git a/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb b/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb deleted file mode 100644 index 9341d4440..000000000 --- a/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb +++ /dev/null @@ -1,20 +0,0 @@ -INITSCRIPT_PARAMS = "defaults 14 86" - -require samhain.inc - -DEPENDS = "gmp" - -SRC_URI += "file://samhain-server-volatiles" - -TARGET_CC_ARCH += "${LDFLAGS}" - -do_install_append() { - install -d ${D}${sysconfdir}/default/volatiles - install -m 0644 ${WORKDIR}/samhain-server-volatiles \ - ${D}${sysconfdir}/default/volatiles/samhain-server - - install -m 700 samhain-install.sh init/samhain.startLinux \ - init/samhain.startLSB ${D}/var/lib/samhain -} - -RDEPENDS_${PN} += "gmp bash perl" diff --git a/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb b/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb deleted file mode 100644 index 4fed9e9e9..000000000 --- a/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb +++ /dev/null @@ -1,31 +0,0 @@ -require samhain.inc - -SRC_URI += "file://samhain-not-run-ptest-on-host.patch \ - file://run-ptest \ -" - -PROVIDES += "samhain" - -SYSTEMD_SERVICE_${PN} = "samhain.service" - -inherit ptest - -do_compile() { - if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'yes', 'no', d)}" = "yes" ]; then - oe_runmake cutest - rm -f ${S}*.o config_xor.h internal.h - fi - oe_runmake "$@" -} - -do_install_append() { - ln -sf ${INITSCRIPT_NAME} ${D}${sysconfdir}/init.d/samhain -} - -do_install_ptest() { - mkdir -p ${D}${PTEST_PATH} - install ${S}/cutest ${D}${PTEST_PATH} -} - -RPROVIDES_${PN} += "samhain" -RCONFLICTS_${PN} = "samhain-client samhain-server" diff --git a/meta-security/recipes-security/samhain/samhain.inc b/meta-security/recipes-security/samhain/samhain.inc deleted file mode 100644 index 944bf0d0b..000000000 --- a/meta-security/recipes-security/samhain/samhain.inc +++ /dev/null @@ -1,162 +0,0 @@ -DESCRIPTION = "Provides file integrity checking and log file monitoring/analysis" -HOMEPAGE = "http://www.la-samhna.de/samhain/" -LICENSE = "GPLv2" -LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b" - - -SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \ - file://samhain-cross-compile.patch \ - file://samhain-mips64-aarch64-dnmalloc-hash-fix.patch \ - file://samhain-samhainrc.patch \ - file://samhain-samhainrc-fix-files-dirs-path.patch \ - file://samhain-pid-path.patch \ - file://samhain-sha256-big-endian.patch \ - file://samhain-configure-add-option-for-ps.patch \ - file://samhain-avoid-searching-host-for-postgresql.patch \ - file://samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch \ - file://${INITSCRIPT_NAME}.init \ - file://${INITSCRIPT_NAME}.default \ - file://samhain.service \ - " - -SRC_URI[md5sum] = "a00e99375675fc6e50cca3e208f5207e" -SRC_URI[sha256sum] = "8551dc3b0851889a2b979097e9c02309b40d48b4659f02efe7fe525ce8361a0d" - -UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html" -UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar" - -S = "${WORKDIR}/samhain-${PV}" - -inherit autotools-brokensep update-rc.d pkgconfig systemd - -SAMHAIN_PORT ??= "49777" -SAMHAIN_SERVER ??= "NULL" - -INITSCRIPT_NAME = "${BPN}" -INITSCRIPT_PARAMS ?= "defaults" - -SYSTEMD_PACKAGES = "${PN}" -SYSTEMD_SERVICE_${PN} = "${INITSCRIPT_NAME}.service" -SYSTEMD_AUTO_ENABLE = "disable" - -# mode mapping: -# BPN MODE_NAME SAMHAIN_MODE -# samhain-standalone standalone no -# samhain-client client client -# samhain-server server server -MODE_NAME = "${@d.getVar('BPN').split('-')[1]}" -SAMHAIN_MODE = "${@oe.utils.ifelse(d.getVar('MODE_NAME') == 'standalone', 'no', '${MODE_NAME}')}" - -# supports mysql|postgresql|oracle|odbc but postgresql is the only one available - -PACKAGECONFIG ??= "postgresql ps \ - ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \ - ${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)} \ -" - -PACKAGECONFIG[postgresql] = "--with-database=postgresql --enable-xml-log PGSQL_INC_DIR=${STAGING_INCDIR} PGSQL_LIB_DIR=${STAGING_LIBDIR}, , postgresql" -PACKAGECONFIG[suidcheck] = "--enable-suidcheck, , " -PACKAGECONFIG[logwatch] = "--enable-login-watch, , " -PACKAGECONFIG[mounts] = "--enable-mounts-check, , " -PACKAGECONFIG[userfiles] = "--enable-userfiles, , " -PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6," -PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux attr" -PACKAGECONFIG[acl] = " --enable-posix-acl , --disable-posix-acl, acl" -PACKAGECONFIG[audit] = "ac_cv_header_auparse_h=yes,ac_cv_header_auparse_h=no,audit" -PACKAGECONFIG[ps] = "--with-ps-path=${base_bindir}/ps,,,procps" - -do_unpack_samhain() { - cd ${WORKDIR} - tar -xzvf samhain-${PV}.tar.gz -} - -python do_unpack_append() { - bb.build.exec_func('do_unpack_samhain', d) -} - -do_configure_prepend_arm() { - export sh_cv___va_copy=yes -} - -do_configure_prepend_aarch64() { - export sh_cv___va_copy=yes -} - -# If we use oe_runconf in do_configure() it will by default -# use the prefix --oldincludedir=/usr/include which is not -# recognized by Samhain's configure script and would invariably -# throw back the error "unrecognized option: --oldincludedir=/usr/include" -do_configure_prepend () { - cat << EOF > ${S}/config-site.${BP} -ssp_cv_lib=no -sh_cv_va_copy=yes -EOF - export CONFIG_SITE=${S}/config-site.${BP} -} - -do_configure () { - autoconf -f - ./configure \ - --build=${BUILD_SYS} \ - --host=${HOST_SYS} \ - --target=${TARGET_SYS} \ - --prefix=${prefix} \ - --exec_prefix=${exec_prefix} \ - --bindir=${bindir} \ - --sbindir=${sbindir} \ - --libexecdir=${libexecdir} \ - --datadir=${datadir} \ - --sysconfdir=${sysconfdir} \ - --sharedstatedir=${sharedstatedir} \ - --localstatedir=${localstatedir} \ - --libdir=${libdir} \ - --includedir=${includedir} \ - --infodir=${infodir} \ - --mandir=${mandir} \ - --enable-network=${SAMHAIN_MODE} \ - --with-pid-file=${localstatedir}/run/samhain.pid \ - --with-data-file=${localstatedir}/lib/samhain/samhain_file \ - ${EXTRA_OECONF} -} - -do_compile_prepend_libc-musl () { - sed -i 's/^#define HAVE_MALLOC_H.*//' ${B}/config.h -} - -# Install the init script, it's default file, and the extraneous -# documentation. -do_install_append () { - oe_runmake install DESTDIR='${D}' INSTALL=install-boot - - install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.init \ - ${D}${sysconfdir}/init.d/${INITSCRIPT_NAME} - - install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.default \ - ${D}${sysconfdir}/default/${INITSCRIPT_NAME} - - if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then - if [ "${SAMHAIN_MODE}" = "no" ]; then - install -D -m 0644 ${WORKDIR}/samhain.service ${D}/${systemd_system_unitdir}/samhain.service - else - install -D -m 0644 ${WORKDIR}/samhain.service ${D}/${systemd_system_unitdir}/${BPN}.service - fi - install -D -m 0755 ${WORKDIR}/${BPN}.init ${D}/${libexecdir}/${BPN} - sed -i -e 's,@LIBDIR@,${libexecdir},' \ - -e 's,@SAMHAIN_HELPER@,${BPN},' \ - -e 's,@MODE_NAME@,${MODE_NAME},' \ - ${D}${systemd_system_unitdir}/samhain*.service - fi - - install -d ${D}${docdir}/${BPN} - cp -r docs/* ${D}${docdir}/${BPN} - cp -r scripts ${D}${docdir}/${BPN} - install -d -m 755 ${D}${localstatedir}/samhain - - # Prevent QA warnings about installed ${localstatedir}/run - if [ -d ${D}${localstatedir}/run ]; then - rmdir ${D}${localstatedir}/run - fi -} - -FILES_${PN} += "${systemd_system_unitdir}" diff --git a/meta-security/recipes-security/scapy/files/run-ptest b/meta-security/recipes-security/scapy/files/run-ptest index 91b29f907..91b29f907 100755..100644 --- a/meta-security/recipes-security/scapy/files/run-ptest +++ b/meta-security/recipes-security/scapy/files/run-ptest diff --git a/meta-security/recipes-security/scapy/python-scapy.inc b/meta-security/recipes-security/scapy/python-scapy.inc index 5abe7db76..99f30a7bf 100644 --- a/meta-security/recipes-security/scapy/python-scapy.inc +++ b/meta-security/recipes-security/scapy/python-scapy.inc @@ -5,16 +5,25 @@ LICENSE = "GPLv2" LIC_FILES_CHKSUM = "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69" -SRC_URI[md5sum] = "d7d3c4294f5a718e234775d38dbeb7ec" -SRC_URI[sha256sum] = "452f714f5c2eac6fd0a6146b1dbddfc24dd5f4103f3ed76227995a488cfb2b73" +S = "${WORKDIR}/git" -inherit pypi ptest +SRCREV = "bad14cb1a5aee29f8107fbe8ad008d4645f14da7" +SRC_URI = "git://github.com/secdev/scapy.git" + +inherit ptest + +do_install_append() { + if [ "${PYTHON_PN}" = "python3" ]; then + sed -i -e 's/python/python3/' ${D}${bindir}/scapy + sed -i -e 's/python/python3/' ${D}${bindir}/UTscapy + fi +} do_install_ptest() { install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH} sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest } -RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-netclient \ +RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient \ ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \ ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto" diff --git a/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb b/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb index 98db1fd6d..98db1fd6d 100644 --- a/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb +++ b/meta-security/recipes-security/scapy/python-scapy_2.4.2.bb diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb index 93ca7be8a..83c79f484 100644 --- a/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb +++ b/meta-security/recipes-security/scapy/python3-scapy_2.4.2.bb @@ -2,3 +2,4 @@ inherit setuptools3 require python-scapy.inc SRC_URI += "file://run-ptest" + diff --git a/meta-security/recipes-security/smack/files/run-ptest b/meta-security/recipes-security/smack/files/run-ptest deleted file mode 100644 index 049a9b47a..000000000 --- a/meta-security/recipes-security/smack/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -./tests/make_policies.bash ./tests/generator -./tests/make_policies.bash ./tests/generator labels diff --git a/meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch b/meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch deleted file mode 100644 index 4d677e751..000000000 --- a/meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch +++ /dev/null @@ -1,18 +0,0 @@ -Upstream-Status: Pending - -Signed-off-by: Armin Kuster <akuster808@gmail.com> - - -Index: git/tests/Makefile -=================================================================== ---- git.orig/tests/Makefile -+++ git/tests/Makefile -@@ -4,7 +4,7 @@ clean: - rm -rf ./out ./generator - - generator: generator.c -- gcc -Wall -O3 generator.c -o ./generator -+ ${CC} ${LDFLAGS} generator.c -o ./generator - - policies: ./generator ./make_policies.bash - ./make_policies.bash ./generator diff --git a/meta-security/recipes-security/smack/smack_1.3.1.bb b/meta-security/recipes-security/smack/smack_1.3.1.bb deleted file mode 100644 index 246562afe..000000000 --- a/meta-security/recipes-security/smack/smack_1.3.1.bb +++ /dev/null @@ -1,54 +0,0 @@ -DESCRIPTION = "Selection of tools for developers working with Smack" -HOMEPAGE = "https://github.com/smack-team/smack" -SECTION = "Security/Access Control" -LICENSE = "LGPL-2.1" - -LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c" - -SRCREV = "4a102c7584b39ce693995ffb65e0918a9df98dd8" -SRC_URI = " \ - git://github.com/smack-team/smack.git \ - file://smack_generator_make_fixup.patch \ - file://run-ptest" - -PV = "1.3.1" - -inherit autotools update-rc.d pkgconfig ptest ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)} - -S = "${WORKDIR}/git" - -PACKAGECONFIG ??= "" -PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" - -PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --without-systemdsystemunitdir, systemd" - -do_compile_append () { - oe_runmake -C ${S}/tests generator -} - -do_install_append () { - install -d ${D}${sysconfdir}/init.d - install -d ${D}${sysconfdir}/smack - install -d ${D}${sysconfdir}/smack/accesses.d - install -d ${D}${sysconfdir}/smack/cipso.d - install ${S}/init/smack.rc ${D}/${sysconfdir}/init.d/smack -} - -do_install_ptest () { - install -d ${D}${PTEST_PATH}/tests - install ${S}/tests/generator ${D}/${PTEST_PATH}/tests - install ${S}/tests/generate-rules.sh ${D}${PTEST_PATH}/tests - install ${S}/tests/make_policies.bash ${D}${PTEST_PATH}/tests -} - -INITSCRIPT_PACKAGES = "${PN}" -INITSCRIPT_NAME = "smack" -INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ." - -FILES_${PN} += "${sysconfdir}/init.d/smack" -FILES_${PN}-ptest += "generator" - -RDEPENDS_${PN} += "coreutils" -RDEPENDS_${PN}-ptest += "make bash bc" - -BBCLASSEXTEND = "native" diff --git a/meta-security/recipes-security/sssd/sssd_1.16.3.bb b/meta-security/recipes-security/sssd/sssd_1.16.4.bb index 8f7f805fd..34bc8c804 100644 --- a/meta-security/recipes-security/sssd/sssd_1.16.3.bb +++ b/meta-security/recipes-security/sssd/sssd_1.16.4.bb @@ -11,13 +11,16 @@ DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent" SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\ file://sssd.conf " -SRC_URI[md5sum] = "af4288c9d1f9953e3b3b6e0b165a5ece" -SRC_URI[sha256sum] = "ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4" +SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50" +SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959" -inherit autotools pkgconfig gettext update-rc.d python-dir distro_features_check +inherit autotools pkgconfig gettext python-dir distro_features_check REQUIRED_DISTRO_FEATURES = "pam" +SSSD_UID ?= "root" +SSSD_GID ?= "root" + CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \ ac_cv_path_NSUPDATE=${bindir} \ ac_cv_path_PYTHON2=${PYTHON_DIR} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \ @@ -25,6 +28,7 @@ CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \ PACKAGECONFIG ?="nss nscd" PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}" PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, " PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba" @@ -55,6 +59,17 @@ do_install () { rmdir --ignore-fail-on-non-empty "${D}/${bindir}" install -d ${D}/${sysconfdir}/${BPN} install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN} + + # Remove /var/run as it is created on startup + rm -rf ${D}${localstatedir}/run + +} + +pkg_postinst_ontarget_${PN} () { +if [ -e /etc/init.d/populate-volatile.sh ] ; then + ${sysconfdir}/init.d/populate-volatile.sh update +fi + chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf } CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf" @@ -70,4 +85,4 @@ FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la" # The package contains symlinks that trip up insane INSANE_SKIP_${PN} = "dev-so" -RDEPENDS_${PN} += "bind dbus" +RDEPENDS_${PN} = "bind dbus libldb libpam" diff --git a/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz b/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz Binary files differdeleted file mode 100644 index aed375474..000000000 --- a/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz +++ /dev/null diff --git a/meta-security/recipes-security/suricata/files/no_libhtp_build.patch b/meta-security/recipes-security/suricata/files/no_libhtp_build.patch deleted file mode 100644 index 2ebf021fc..000000000 --- a/meta-security/recipes-security/suricata/files/no_libhtp_build.patch +++ /dev/null @@ -1,38 +0,0 @@ -Upstream-Status: Inappropriate [configuration] - -Signed-of_by: Armin Kuster <akuster808@gmail.com> - -Index: suricata-2.0.5/Makefile.am -=================================================================== ---- suricata-2.0.5.orig/Makefile.am -+++ suricata-2.0.5/Makefile.am -@@ -5,7 +5,7 @@ ACLOCAL_AMFLAGS = -I m4 - EXTRA_DIST = ChangeLog COPYING LICENSE suricata.yaml.in \ - classification.config threshold.config \ - reference.config --SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts -+SUBDIRS = src qa rules doc contrib scripts - - CLEANFILES = stamp-h[0-9]* - -Index: suricata-2.0.5/Makefile.in -=================================================================== ---- suricata-2.0.5.orig/Makefile.in -+++ suricata-2.0.5/Makefile.in -@@ -229,7 +229,6 @@ HAVE_PCAP_CONFIG = @HAVE_PCAP_CONFIG@ - HAVE_PKG_CONFIG = @HAVE_PKG_CONFIG@ - HAVE_PYTHON_CONFIG = @HAVE_PYTHON_CONFIG@ - HAVE_WGET = @HAVE_WGET@ --HTP_DIR = @HTP_DIR@ - HTP_LDADD = @HTP_LDADD@ - INSTALL = @INSTALL@ - INSTALL_DATA = @INSTALL_DATA@ -@@ -369,7 +368,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s - classification.config threshold.config \ - reference.config - --SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts -+SUBDIRS = src qa rules doc contrib scripts - CLEANFILES = stamp-h[0-9]* - all: config.h - $(MAKE) $(AM_MAKEFLAGS) all-recursive diff --git a/meta-security/recipes-security/suricata/files/run-ptest b/meta-security/recipes-security/suricata/files/run-ptest deleted file mode 100644 index 666ba9c95..000000000 --- a/meta-security/recipes-security/suricata/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -suricata -u diff --git a/meta-security/recipes-security/suricata/files/suricata.service b/meta-security/recipes-security/suricata/files/suricata.service deleted file mode 100644 index a99a76ef8..000000000 --- a/meta-security/recipes-security/suricata/files/suricata.service +++ /dev/null @@ -1,20 +0,0 @@ -[Unit] -Description=Suricata IDS/IDP daemon -After=network.target -Requires=network.target -Documentation=man:suricata(8) man:suricatasc(8) -Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki - -[Service] -Type=simple -CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW -RestrictAddressFamilies= -ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0 -ExecReload=/bin/kill -HUP $MAINPID -PrivateTmp=yes -ProtectHome=yes -ProtectSystem=yes - -[Install] -WantedBy=multi-user.target - diff --git a/meta-security/recipes-security/suricata/files/suricata.yaml b/meta-security/recipes-security/suricata/files/suricata.yaml deleted file mode 100644 index 8d06a2744..000000000 --- a/meta-security/recipes-security/suricata/files/suricata.yaml +++ /dev/null @@ -1,1326 +0,0 @@ -%YAML 1.1 ---- - -# Suricata configuration file. In addition to the comments describing all -# options in this file, full documentation can be found at: -# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml - - -# Number of packets allowed to be processed simultaneously. Default is a -# conservative 1024. A higher number will make sure CPU's/CPU cores will be -# more easily kept busy, but may negatively impact caching. -# -# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules -# apply. In that case try something like 60000 or more. This is because the CUDA -# pattern matcher buffers and scans as many packets as possible in parallel. -#max-pending-packets: 1024 - -# Runmode the engine should use. Please check --list-runmodes to get the available -# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned -# load balancing). -#runmode: autofp - -# Specifies the kind of flow load balancer used by the flow pinned autofp mode. -# -# Supported schedulers are: -# -# round-robin - Flows assigned to threads in a round robin fashion. -# active-packets - Flows assigned to threads that have the lowest number of -# unprocessed packets (default). -# hash - Flow alloted usihng the address hash. More of a random -# technique. Was the default in Suricata 1.2.1 and older. -# -#autofp-scheduler: active-packets - -# If suricata box is a router for the sniffed networks, set it to 'router'. If -# it is a pure sniffing setup, set it to 'sniffer-only'. -# If set to auto, the variable is internally switch to 'router' in IPS mode -# and 'sniffer-only' in IDS mode. -# This feature is currently only used by the reject* keywords. -host-mode: auto - -# Run suricata as user and group. -#run-as: -# user: suri -# group: suri - -# Default pid file. -# Will use this file if no --pidfile in command options. -#pid-file: /var/run/suricata.pid - -# Daemon working directory -# Suricata will change directory to this one if provided -# Default: "/" -#daemon-directory: "/" - -# Preallocated size for packet. Default is 1514 which is the classical -# size for pcap on ethernet. You should adjust this value to the highest -# packet size (MTU + hardware header) on your system. -#default-packet-size: 1514 - -# The default logging directory. Any log or output file will be -# placed here if its not specified with a full path name. This can be -# overridden with the -l command line parameter. -default-log-dir: /var/log/suricata/ - -# Unix command socket can be used to pass commands to suricata. -# An external tool can then connect to get information from suricata -# or trigger some modifications of the engine. Set enabled to yes -# to activate the feature. You can use the filename variable to set -# the file name of the socket. -unix-command: - enabled: no - #filename: custom.socket - -# Configure the type of alert (and other) logging you would like. -outputs: - - # a line based alerts log similar to Snort's fast.log - - fast: - enabled: yes - filename: fast.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # Extensible Event Format (nicknamed EVE) event log in JSON format - - eve-log: - enabled: yes - type: file #file|syslog|unix_dgram|unix_stream - filename: eve.json - # the following are valid when type: syslog above - #identity: "suricata" - #facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - types: - - alert - - http: - extended: yes # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - - dns - - tls: - extended: yes # enable this for extended logging information - - files: - force-magic: no # force logging magic on all logged files - force-md5: no # force logging of md5 checksums - #- drop - - ssh - - # alert output for use with Barnyard2 - - unified2-alert: - enabled: yes - filename: unified2.alert - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - #limit: 32mb - - # Sensor ID field of unified2 alerts. - #sensor-id: 0 - - # HTTP X-Forwarded-For support by adding the unified2 extra header that - # will contain the actual client IP address or by overwriting the source - # IP address (helpful when inspecting traffic that is being reversed - # proxied). - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". Note - # that in the "overwrite" mode, if the reported IP address in the HTTP - # X-Forwarded-For header is of a different version of the packet - # received, it will fall-back to "extra-data" mode. - mode: extra-data - # Header name were the actual IP address will be reported, if more than - # one IP address is present, the last IP address will be the one taken - # into consideration. - header: X-Forwarded-For - - # a line based log of HTTP requests (no alerts) - - http-log: - enabled: yes - filename: http.log - append: yes - #extended: yes # enable this for extended logging information - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # a line based log of TLS handshake parameters (no alerts) - - tls-log: - enabled: no # Log TLS connections. - filename: tls.log # File to store TLS logs. - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - #extended: yes # Log extended information like fingerprint - certs-log-dir: certs # directory to store the certificates files - - # a line based log of DNS requests and/or replies (no alerts) - - dns-log: - enabled: no - filename: dns.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # a line based log to used with pcap file study. - # this module is dedicated to offline pcap parsing (empty output - # if used with another kind of input). It can interoperate with - # pcap parser like wireshark via the suriwire plugin. - - pcap-info: - enabled: no - - # Packet log... log packets in pcap format. 2 modes of operation: "normal" - # and "sguil". - # - # In normal mode a pcap file "filename" is created in the default-log-dir, - # or are as specified by "dir". In Sguil mode "dir" indicates the base directory. - # In this base dir the pcaps are created in th directory structure Sguil expects: - # - # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp> - # - # By default all packets are logged except: - # - TCP streams beyond stream.reassembly.depth - # - encrypted streams after the key exchange - # - - pcap-log: - enabled: no - filename: log.pcap - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - limit: 1000mb - - # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" - max-files: 2000 - - mode: normal # normal or sguil. - #sguil-base-dir: /nsm_data/ - #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec - use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets - - # a full alerts log containing much information for signature writers - # or for investigating suspected false positives. - - alert-debug: - enabled: no - filename: alert-debug.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # alert output to prelude (http://www.prelude-technologies.com/) only - # available if Suricata has been compiled with --enable-prelude - - alert-prelude: - enabled: no - profile: suricata - log-packet-content: no - log-packet-header: yes - - # Stats.log contains data from various counters of the suricata engine. - # The interval field (in seconds) tells after how long output will be written - # on the log file. - - stats: - enabled: yes - filename: stats.log - interval: 8 - - # a line based alerts log similar to fast.log into syslog - - syslog: - enabled: no - # reported identity to syslog. If ommited the program name (usually - # suricata) will be used. - #identity: "suricata" - facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - - # a line based information for dropped packets in IPS mode - - drop: - enabled: no - filename: drop.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # output module to store extracted files to disk - # - # The files are stored to the log-dir in a format "file.<id>" where <id> is - # an incrementing number starting at 1. For each file "file.<id>" a meta - # file "file.<id>.meta" is created. - # - # File extraction depends on a lot of things to be fully done: - # - stream reassembly depth. For optimal results, set this to 0 (unlimited) - # - http request / response body sizes. Again set to 0 for optimal results. - # - rules that contain the "filestore" keyword. - - file-store: - enabled: no # set to yes to enable - log-dir: files # directory to store the files - force-magic: no # force logging magic on all stored files - force-md5: no # force logging of md5 checksums - #waldo: file.waldo # waldo file to store the file_id across runs - - # output module to log files tracked in a easily parsable json format - - file-log: - enabled: no - filename: files-json.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - force-magic: no # force logging magic on all logged files - force-md5: no # force logging of md5 checksums - -# Magic file. The extension .mgc is added to the value here. -#magic-file: /usr/share/file/magic -magic-file: /usr/share/misc/magic.mgc - -# When running in NFQ inline mode, it is possible to use a simulated -# non-terminal NFQUEUE verdict. -# This permit to do send all needed packet to suricata via this a rule: -# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE -# And below, you can have your standard filtering ruleset. To activate -# this mode, you need to set mode to 'repeat' -# If you want packet to be sent to another queue after an ACCEPT decision -# set mode to 'route' and set next-queue value. -# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance -# by processing several packets before sending a verdict (worker runmode only). -# On linux >= 3.6, you can set the fail-open option to yes to have the kernel -# accept the packet if suricata is not able to keep pace. -nfq: -# mode: accept -# repeat-mark: 1 -# repeat-mask: 1 -# route-queue: 2 -# batchcount: 20 -# fail-open: yes - -#nflog support -nflog: - # netlink multicast group - # (the same as the iptables --nflog-group param) - # Group 0 is used by the kernel, so you can't use it - - group: 2 - # netlink buffer size - buffer-size: 18432 - # put default value here - - group: default - # set number of packet to queue inside kernel - qthreshold: 1 - # set the delay before flushing packet in the queue inside kernel - qtimeout: 100 - # netlink max buffer size - max-size: 20000 - -# af-packet support -# Set threads to > 1 to use PACKET_FANOUT support -af-packet: - - interface: eth0 - # Number of receive threads (>1 will enable experimental flow pinned - # runmode) - threads: 1 - # Default clusterid. AF_PACKET will load balance packets based on flow. - # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. - # This is only supported for Linux kernel > 3.1 - # possible value are: - # * cluster_round_robin: round robin load balancing - # * cluster_flow: all packets of a given flow are send to the same socket - # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket - cluster-type: cluster_flow - # In some fragmentation case, the hash can not be computed. If "defrag" is set - # to yes, the kernel will do the needed defragmentation before sending the packets. - defrag: yes - # To use the ring feature of AF_PACKET, set 'use-mmap' to yes - use-mmap: yes - # Ring size will be computed with respect to max_pending_packets and number - # of threads. You can set manually the ring size in number of packets by setting - # the following value. If you are using flow cluster-type and have really network - # intensive single-flow you could want to set the ring-size independantly of the number - # of threads: - #ring-size: 2048 - # On busy system, this could help to set it to yes to recover from a packet drop - # phase. This will result in some packets (at max a ring flush) being non treated. - #use-emergency-flush: yes - # recv buffer size, increase value could improve performance - # buffer-size: 32768 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - kernel: use indication sent by kernel for each packet (default) - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: kernel - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - # You can use the following variables to activate AF_PACKET tap od IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - #copy-mode: ips - #copy-iface: eth1 - - interface: eth1 - threads: 1 - cluster-id: 98 - cluster-type: cluster_flow - defrag: yes - # buffer-size: 32768 - # disable-promisc: no - # Put default values here - - interface: default - #threads: 2 - #use-mmap: yes - -legacy: - uricontent: enabled - -# You can specify a threshold config file by setting "threshold-file" -# to the path of the threshold config file: -# threshold-file: /etc/suricata/threshold.config - -# The detection engine builds internal groups of signatures. The engine -# allow us to specify the profile to use for them, to manage memory on an -# efficient way keeping a good performance. For the profile keyword you -# can use the words "low", "medium", "high" or "custom". If you use custom -# make sure to define the values at "- custom-values" as your convenience. -# Usually you would prefer medium/high/low. -# -# "sgh mpm-context", indicates how the staging should allot mpm contexts for -# the signature groups. "single" indicates the use of a single context for -# all the signature group heads. "full" indicates a mpm-context for each -# group head. "auto" lets the engine decide the distribution of contexts -# based on the information the engine gathers on the patterns from each -# group head. -# -# The option inspection-recursion-limit is used to limit the recursive calls -# in the content inspection code. For certain payload-sig combinations, we -# might end up taking too much time in the content inspection code. -# If the argument specified is 0, the engine uses an internally defined -# default limit. On not specifying a value, we use no limits on the recursion. -detect-engine: - - profile: medium - - custom-values: - toclient-src-groups: 2 - toclient-dst-groups: 2 - toclient-sp-groups: 2 - toclient-dp-groups: 3 - toserver-src-groups: 2 - toserver-dst-groups: 4 - toserver-sp-groups: 2 - toserver-dp-groups: 25 - - sgh-mpm-context: auto - - inspection-recursion-limit: 3000 - # When rule-reload is enabled, sending a USR2 signal to the Suricata process - # will trigger a live rule reload. Experimental feature, use with care. - #- rule-reload: true - # If set to yes, the loading of signatures will be made after the capture - # is started. This will limit the downtime in IPS mode. - #- delayed-detect: yes - -# Suricata is multi-threaded. Here the threading can be influenced. -threading: - # On some cpu's/architectures it is beneficial to tie individual threads - # to specific CPU's/CPU cores. In this case all threads are tied to CPU0, - # and each extra CPU/core has one "detect" thread. - # - # On Intel Core2 and Nehalem CPU's enabling this will degrade performance. - # - set-cpu-affinity: no - # Tune cpu affinity of suricata threads. Each family of threads can be bound - # on specific CPUs. - cpu-affinity: - - management-cpu-set: - cpu: [ 0 ] # include only these cpus in affinity settings - - receive-cpu-set: - cpu: [ 0 ] # include only these cpus in affinity settings - - decode-cpu-set: - cpu: [ 0, 1 ] - mode: "balanced" - - stream-cpu-set: - cpu: [ "0-1" ] - - detect-cpu-set: - cpu: [ "all" ] - mode: "exclusive" # run detect threads in these cpus - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - # threads: 3 - prio: - low: [ 0 ] - medium: [ "1-2" ] - high: [ 3 ] - default: "medium" - - verdict-cpu-set: - cpu: [ 0 ] - prio: - default: "high" - - reject-cpu-set: - cpu: [ 0 ] - prio: - default: "low" - - output-cpu-set: - cpu: [ "all" ] - prio: - default: "medium" - # - # By default Suricata creates one "detect" thread per available CPU/CPU core. - # This setting allows controlling this behaviour. A ratio setting of 2 will - # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this - # will result in 4 detect threads. If values below 1 are used, less threads - # are created. So on a dual core CPU a setting of 0.5 results in 1 detect - # thread being created. Regardless of the setting at a minimum 1 detect - # thread will always be created. - # - detect-thread-ratio: 1.5 - -# Cuda configuration. -cuda: - # The "mpm" profile. On not specifying any of these parameters, the engine's - # internal default values are used, which are same as the ones specified in - # in the default conf file. - mpm: - # The minimum length required to buffer data to the gpu. - # Anything below this is MPM'ed on the CPU. - # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. - # A value of 0 indicates there's no limit. - data-buffer-size-min-limit: 0 - # The maximum length for data that we would buffer to the gpu. - # Anything over this is MPM'ed on the CPU. - # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. - data-buffer-size-max-limit: 1500 - # The ring buffer size used by the CudaBuffer API to buffer data. - cudabuffer-buffer-size: 500mb - # The max chunk size that can be sent to the gpu in a single go. - gpu-transfer-size: 50mb - # The timeout limit for batching of packets in microseconds. - batching-timeout: 2000 - # The device to use for the mpm. Currently we don't support load balancing - # on multiple gpus. In case you have multiple devices on your system, you - # can specify the device to use, using this conf. By default we hold 0, to - # specify the first device cuda sees. To find out device-id associated with - # the card(s) on the system run "suricata --list-cuda-cards". - device-id: 0 - # No of Cuda streams used for asynchronous processing. All values > 0 are valid. - # For this option you need a device with Compute Capability > 1.0. - cuda-streams: 2 - -# Select the multi pattern algorithm you want to run for scan/search the -# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber, -# ac and ac-gfbs. -# -# The mpm you choose also decides the distribution of mpm contexts for -# signature groups, specified by the conf - "detect-engine.sgh-mpm-context". -# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context" -# to be set to "single", because of ac's memory requirements, unless the -# ruleset is small enough to fit in one's memory, in which case one can -# use "full" with "ac". Rest of the mpms can be run in "full" mode. -# -# There is also a CUDA pattern matcher (only available if Suricata was -# compiled with --enable-cuda: b2g_cuda. Make sure to update your -# max-pending-packets setting above as well if you use b2g_cuda. - -mpm-algo: ac - -# The memory settings for hash size of these algorithms can vary from lowest -# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max -# (65536). The bloomfilter sizes of these algorithms can vary from low (512) - -# medium (1024) - high (2048). -# -# For B2g/B3g algorithms, there is a support for two different scan/search -# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and -# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms -# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch & -# B3gSearchBNDMq. -# -# For B2g the different scan/search algorithms and, hash and bloom -# filter size settings. For B3g the different scan/search algorithms and, hash -# and bloom filter size settings. For wumanber the hash and bloom filter size -# settings. - -pattern-matcher: - - b2gc: - search-algo: B2gSearchBNDMq - hash-size: low - bf-size: medium - - b2gm: - search-algo: B2gSearchBNDMq - hash-size: low - bf-size: medium - - b2g: - search-algo: B2gSearchBNDMq - hash-size: low - bf-size: medium - - b3g: - search-algo: B3gSearchBNDMq - hash-size: low - bf-size: medium - - wumanber: - hash-size: low - bf-size: medium - -# Defrag settings: - -defrag: - memcap: 32mb - hash-size: 65536 - trackers: 65535 # number of defragmented flows to follow - max-frags: 65535 # number of fragments to keep (higher than trackers) - prealloc: yes - timeout: 60 - -# Enable defrag per host settings -# host-config: -# -# - dmz: -# timeout: 30 -# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] -# -# - lan: -# timeout: 45 -# address: -# - 192.168.0.0/24 -# - 192.168.10.0/24 -# - 172.16.14.0/24 - -# Flow settings: -# By default, the reserved memory (memcap) for flows is 32MB. This is the limit -# for flow allocation inside the engine. You can change this value to allow -# more memory usage for flows. -# The hash-size determine the size of the hash used to identify flows inside -# the engine, and by default the value is 65536. -# At the startup, the engine can preallocate a number of flows, to get a better -# performance. The number of flows preallocated is 10000 by default. -# emergency-recovery is the percentage of flows that the engine need to -# prune before unsetting the emergency state. The emergency state is activated -# when the memcap limit is reached, allowing to create new flows, but -# prunning them with the emergency timeouts (they are defined below). -# If the memcap is reached, the engine will try to prune flows -# with the default timeouts. If it doens't find a flow to prune, it will set -# the emergency bit and it will try again with more agressive timeouts. -# If that doesn't work, then it will try to kill the last time seen flows -# not in use. -# The memcap can be specified in kb, mb, gb. Just a number indicates it's -# in bytes. - -flow: - memcap: 64mb - hash-size: 65536 - prealloc: 10000 - emergency-recovery: 30 - -# This option controls the use of vlan ids in the flow (and defrag) -# hashing. Normally this should be enabled, but in some (broken) -# setups where both sides of a flow are not tagged with the same vlan -# tag, we can ignore the vlan id's in the flow hashing. -vlan: - use-for-tracking: true - -# Specific timeouts for flows. Here you can specify the timeouts that the -# active flows will wait to transit from the current state to another, on each -# protocol. The value of "new" determine the seconds to wait after a hanshake or -# stream startup before the engine free the data of that flow it doesn't -# change the state to established (usually if we don't receive more packets -# of that flow). The value of "established" is the amount of -# seconds that the engine will wait to free the flow if it spend that amount -# without receiving new packets or closing the connection. "closed" is the -# amount of time to wait after a flow is closed (usually zero). -# -# There's an emergency mode that will become active under attack circumstances, -# making the engine to check flow status faster. This configuration variables -# use the prefix "emergency-" and work similar as the normal ones. -# Some timeouts doesn't apply to all the protocols, like "closed", for udp and -# icmp. - -flow-timeouts: - - default: - new: 30 - established: 300 - closed: 0 - emergency-new: 10 - emergency-established: 100 - emergency-closed: 0 - tcp: - new: 60 - established: 3600 - closed: 120 - emergency-new: 10 - emergency-established: 300 - emergency-closed: 20 - udp: - new: 30 - established: 300 - emergency-new: 10 - emergency-established: 100 - icmp: - new: 30 - established: 300 - emergency-new: 10 - emergency-established: 100 - -# Stream engine settings. Here the TCP stream tracking and reassembly -# engine is configured. -# -# stream: -# memcap: 32mb # Can be specified in kb, mb, gb. Just a -# # number indicates it's in bytes. -# checksum-validation: yes # To validate the checksum of received -# # packet. If csum validation is specified as -# # "yes", then packet with invalid csum will not -# # be processed by the engine stream/app layer. -# # Warning: locally generated trafic can be -# # generated without checksum due to hardware offload -# # of checksum. You can control the handling of checksum -# # on a per-interface basis via the 'checksum-checks' -# # option -# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread -# midstream: false # don't allow midstream session pickups -# async-oneside: false # don't enable async stream handling -# inline: no # stream inline mode -# max-synack-queued: 5 # Max different SYN/ACKs to queue -# -# reassembly: -# memcap: 64mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. -# depth: 1mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. -# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# # The max acceptable size is 4024 bytes. -# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# # The max acceptable size is 4024 bytes. -# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. -# # This lower the risk of some evasion technics but could lead -# # detection change between runs. It is set to 'yes' by default. -# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is -# # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size -# # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value -# # of randomize-chunk-range is 10. -# -# raw: yes # 'Raw' reassembly enabled or disabled. -# # raw is for content inspection by detection -# # engine. -# -# chunk-prealloc: 250 # Number of preallocated stream chunks. These -# # are used during stream inspection (raw). -# segments: # Settings for reassembly segment pool. -# - size: 4 # Size of the (data)segment for a pool -# prealloc: 256 # Number of segments to prealloc and keep -# # in the pool. -# -stream: - memcap: 32mb - checksum-validation: yes # reject wrong csums - inline: auto # auto will use inline mode in IPS mode, yes or no set it statically - reassembly: - memcap: 128mb - depth: 1mb # reassemble 1mb into a stream - toserver-chunk-size: 2560 - toclient-chunk-size: 2560 - randomize-chunk-size: yes - #randomize-chunk-range: 10 - #raw: yes - #chunk-prealloc: 250 - #segments: - # - size: 4 - # prealloc: 256 - # - size: 16 - # prealloc: 512 - # - size: 112 - # prealloc: 512 - # - size: 248 - # prealloc: 512 - # - size: 512 - # prealloc: 512 - # - size: 768 - # prealloc: 1024 - # - size: 1448 - # prealloc: 1024 - # - size: 65535 - # prealloc: 128 - -# Host table: -# -# Host table is used by tagging and per host thresholding subsystems. -# -host: - hash-size: 4096 - prealloc: 1000 - memcap: 16777216 - -# Logging configuration. This is not about logging IDS alerts, but -# IDS output about what its doing, errors, etc. -logging: - - # The default log level, can be overridden in an output section. - # Note that debug level logging will only be emitted if Suricata was - # compiled with the --enable-debug configure option. - # - # This value is overriden by the SC_LOG_LEVEL env var. - default-log-level: notice - - # The default output format. Optional parameter, should default to - # something reasonable if not provided. Can be overriden in an - # output section. You can leave this out to get the default. - # - # This value is overriden by the SC_LOG_FORMAT env var. - #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " - - # A regex to filter output. Can be overridden in an output section. - # Defaults to empty (no filter). - # - # This value is overriden by the SC_LOG_OP_FILTER env var. - default-output-filter: - - # Define your logging outputs. If none are defined, or they are all - # disabled you will get the default - console output. - outputs: - - console: - enabled: yes - - file: - enabled: no - filename: /var/log/suricata.log - - syslog: - enabled: yes - facility: local5 - format: "[%i] <%d> -- " - -# Tilera mpipe configuration. for use on Tilera TILE-Gx. -mpipe: - - # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". - load-balance: dynamic - - # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536 - iqueue-packets: 2048 - - # List of interfaces we will listen on. - inputs: - - interface: xgbe2 - - interface: xgbe3 - - interface: xgbe4 - - - # Relative weight of memory for packets of each mPipe buffer size. - stack: - size128: 0 - size256: 9 - size512: 0 - size1024: 0 - size1664: 7 - size4096: 0 - size10386: 0 - size16384: 0 - -# PF_RING configuration. for use with native PF_RING support -# for more info see http://www.ntop.org/PF_RING.html -pfring: - - interface: eth0 - # Number of receive threads (>1 will enable experimental flow pinned - # runmode) - threads: 1 - - # Default clusterid. PF_RING will load balance packets based on flow. - # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - - # Default PF_RING cluster type. PF_RING can load balance per flow or per hash. - # This is only supported in versions of PF_RING > 4.1.1. - cluster-type: cluster_flow - # bpf filter for this interface - #bpf-filter: tcp - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - rxonly: only compute checksum for packets received by network card. - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # Second interface - #- interface: eth1 - # threads: 3 - # cluster-id: 93 - # cluster-type: cluster_flow - # Put default values here - - interface: default - #threads: 2 - -pcap: - - interface: eth0 - # On Linux, pcap will try to use mmaped capture and will use buffer-size - # as total of memory used by the ring. So set this to something bigger - # than 1% of your bandwidth. - #buffer-size: 16777216 - #bpf-filter: "tcp and port 25" - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # With some accelerator cards using a modified libpcap (like myricom), you - # may want to have the same number of capture threads as the number of capture - # rings. In this case, set up the threads variable to N to start N threads - # listening on the same interface. - #threads: 16 - # set to no to disable promiscuous mode: - #promisc: no - # set snaplen, if not set it defaults to MTU if MTU can be known - # via ioctl call and to full capture if not. - #snaplen: 1518 - # Put default values here - - interface: default - #checksum-checks: auto - -pcap-file: - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have checksum tested - checksum-checks: auto - -# For FreeBSD ipfw(8) divert(4) support. -# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" -# in /etc/loader.conf or kldload'ing the appropriate kernel modules. -# Additionally, you need to have an ipfw rule for the engine to see -# the packets from ipfw. For Example: -# -# ipfw add 100 divert 8000 ip from any to any -# -# The 8000 above should be the same number you passed on the command -# line, i.e. -d 8000 -# -ipfw: - - # Reinject packets at the specified ipfw rule number. This config - # option is the ipfw rule number AT WHICH rule processing continues - # in the ipfw processing system after the engine has finished - # inspecting the packet for acceptance. If no rule number is specified, - # accepted packets are reinjected at the divert rule which they entered - # and IPFW rule processing continues. No check is done to verify - # this will rule makes sense so care must be taken to avoid loops in ipfw. - # - ## The following example tells the engine to reinject packets - # back into the ipfw firewall AT rule number 5500: - # - # ipfw-reinjection-rule-number: 5500 - -# Set the default rule path here to search for the files. -# if not set, it will look at the current working dir -default-rule-path: /etc/suricata/rules -rule-files: - - botcc.rules - - ciarmy.rules - - compromised.rules - - drop.rules - - dshield.rules - - emerging-activex.rules - - emerging-attack_response.rules - - emerging-chat.rules - - emerging-current_events.rules - - emerging-dns.rules - - emerging-dos.rules - - emerging-exploit.rules - - emerging-ftp.rules - - emerging-games.rules - - emerging-icmp_info.rules -# - emerging-icmp.rules - - emerging-imap.rules - - emerging-inappropriate.rules - - emerging-malware.rules - - emerging-misc.rules - - emerging-mobile_malware.rules - - emerging-netbios.rules - - emerging-p2p.rules - - emerging-policy.rules - - emerging-pop3.rules - - emerging-rpc.rules - - emerging-scada.rules - - emerging-scan.rules - - emerging-shellcode.rules - - emerging-smtp.rules - - emerging-snmp.rules - - emerging-sql.rules - - emerging-telnet.rules - - emerging-tftp.rules - - emerging-trojan.rules - - emerging-user_agents.rules - - emerging-voip.rules - - emerging-web_client.rules - - emerging-web_server.rules - - emerging-web_specific_apps.rules - - emerging-worm.rules - - tor.rules - - decoder-events.rules # available in suricata sources under rules dir - - stream-events.rules # available in suricata sources under rules dir - - http-events.rules # available in suricata sources under rules dir - - smtp-events.rules # available in suricata sources under rules dir - - dns-events.rules # available in suricata sources under rules dir - - tls-events.rules # available in suricata sources under rules dir - -classification-file: /etc/suricata/classification.config -reference-config-file: /etc/suricata/reference.config - -# Holds variables that would be used by the engine. -vars: - - # Holds the address group vars that would be passed in a Signature. - # These would be retrieved during the Signature address parsing stage. - address-groups: - - HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" - - EXTERNAL_NET: "!$HOME_NET" - - HTTP_SERVERS: "$HOME_NET" - - SMTP_SERVERS: "$HOME_NET" - - SQL_SERVERS: "$HOME_NET" - - DNS_SERVERS: "$HOME_NET" - - TELNET_SERVERS: "$HOME_NET" - - AIM_SERVERS: "$EXTERNAL_NET" - - DNP3_SERVER: "$HOME_NET" - - DNP3_CLIENT: "$HOME_NET" - - MODBUS_CLIENT: "$HOME_NET" - - MODBUS_SERVER: "$HOME_NET" - - ENIP_CLIENT: "$HOME_NET" - - ENIP_SERVER: "$HOME_NET" - - # Holds the port group vars that would be passed in a Signature. - # These would be retrieved during the Signature port parsing stage. - port-groups: - - HTTP_PORTS: "80" - - SHELLCODE_PORTS: "!80" - - ORACLE_PORTS: 1521 - - SSH_PORTS: 22 - - DNP3_PORTS: 20000 - -# Set the order of alerts bassed on actions -# The default order is pass, drop, reject, alert -action-order: - - pass - - drop - - reject - - alert - -# IP Reputation -#reputation-categories-file: /etc/suricata/iprep/categories.txt -#default-reputation-path: /etc/suricata/iprep -#reputation-files: -# - reputation.list - -# Host specific policies for defragmentation and TCP stream -# reassembly. The host OS lookup is done using a radix tree, just -# like a routing table so the most specific entry matches. -host-os-policy: - # Make the default policy windows. - windows: [0.0.0.0/0] - bsd: [] - bsd-right: [] - old-linux: [] - linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"] - old-solaris: [] - solaris: ["::1"] - hpux10: [] - hpux11: [] - irix: [] - macos: [] - vista: [] - windows2k3: [] - - -# Limit for the maximum number of asn1 frames to decode (default 256) -asn1-max-frames: 256 - -# When run with the option --engine-analysis, the engine will read each of -# the parameters below, and print reports for each of the enabled sections -# and exit. The reports are printed to a file in the default log dir -# given by the parameter "default-log-dir", with engine reporting -# subsection below printing reports in its own report file. -engine-analysis: - # enables printing reports for fast-pattern for every rule. - rules-fast-pattern: yes - # enables printing reports for each rule - rules: yes - -#recursion and match limits for PCRE where supported -pcre: - match-limit: 3500 - match-limit-recursion: 1500 - -# Holds details on the app-layer. The protocols section details each protocol. -# Under each protocol, the default value for detection-enabled and " -# parsed-enabled is yes, unless specified otherwise. -# Each protocol covers enabling/disabling parsers for all ipprotos -# the app-layer protocol runs on. For example "dcerpc" refers to the tcp -# version of the protocol as well as the udp version of the protocol. -# The option "enabled" takes 3 values - "yes", "no", "detection-only". -# "yes" enables both detection and the parser, "no" disables both, and -# "detection-only" enables detection only(parser disabled). -app-layer: - protocols: - tls: - enabled: yes - detection-ports: - dp: 443 - - #no-reassemble: yes - dcerpc: - enabled: yes - ftp: - enabled: yes - ssh: - enabled: yes - smtp: - enabled: yes - imap: - enabled: detection-only - msn: - enabled: detection-only - smb: - enabled: yes - detection-ports: - dp: 139 - # smb2 detection is disabled internally inside the engine. - #smb2: - # enabled: yes - dns: - # memcaps. Globally and per flow/state. - #global-memcap: 16mb - #state-memcap: 512kb - - # How many unreplied DNS requests are considered a flood. - # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 500 - - tcp: - enabled: yes - detection-ports: - dp: 53 - udp: - enabled: yes - detection-ports: - dp: 53 - http: - enabled: yes - # memcap: 64mb - - ########################################################################### - # Configure libhtp. - # - # - # default-config: Used when no server-config matches - # personality: List of personalities used by default - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # double-decode-path: Double decode path section of the URI - # double-decode-query: Double decode query section of the URI - # - # server-config: List of server configurations to use if address matches - # address: List of ip addresses or networks for this block - # personalitiy: List of personalities used by this block - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # double-decode-path: Double decode path section of the URI - # double-decode-query: Double decode query section of the URI - # - # uri-include-all: Include all parts of the URI. By default the - # 'scheme', username/password, hostname and port - # are excluded. Setting this option to true adds - # all of them to the normalized uri as inspected - # by http_uri, urilen, pcre with /U and the other - # keywords that inspect the normalized uri. - # Note that this does not affect http_raw_uri. - # Also, note that including all was the default in - # 1.4 and 2.0beta1. - # - # meta-field-limit: Hard size limit for request and response size - # limits. Applies to request line and headers, - # response line and headers. Does not apply to - # request or response bodies. Default is 18k. - # If this limit is reached an event is raised. - # - # Currently Available Personalities: - # Minimal - # Generic - # IDS (default) - # IIS_4_0 - # IIS_5_0 - # IIS_5_1 - # IIS_6_0 - # IIS_7_0 - # IIS_7_5 - # Apache_2 - ########################################################################### - libhtp: - - default-config: - personality: IDS - - # Can be specified in kb, mb, gb. Just a number indicates - # it's in bytes. - request-body-limit: 3072 - response-body-limit: 3072 - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 32kb - response-body-inspect-window: 4kb - # Take a random value for inspection sizes around the specified value. - # This lower the risk of some evasion technics but could lead - # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes - # If randomize-inspection-sizes is active, the value of various - # inspection size will be choosen in the [1 - range%, 1 + range%] - # range - # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 - - # decoding - double-decode-path: no - double-decode-query: no - - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - -# Profiling settings. Only effective if Suricata has been built with the -# the --enable-profiling configure flag. -# -profiling: - # Run profiling for every xth packet. The default is 1, which means we - # profile every packet. If set to 1000, one packet is profiled for every - # 1000 received. - #sample-rate: 1000 - - # rule profiling - rules: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: rule_perf.log - append: yes - - # Sort options: ticks, avgticks, checks, matches, maxticks - sort: avgticks - - # Limit the number of items printed at exit. - limit: 100 - - # per keyword profiling - keywords: - enabled: yes - filename: keyword_perf.log - append: yes - - # packet profiling - packets: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: packet_stats.log - append: yes - - # per packet csv output - csv: - - # Output can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: no - filename: packet_stats.csv - - # profiling of locking. Only available when Suricata was built with - # --enable-profiling-locks. - locks: - enabled: no - filename: lock_stats.log - append: yes - -# Suricata core dump configuration. Limits the size of the core dump file to -# approximately max-dump. The actual core dump size will be a multiple of the -# page size. Core dumps that would be larger than max-dump are truncated. On -# Linux, the actual core dump size may be a few pages larger than max-dump. -# Setting max-dump to 0 disables core dumping. -# Setting max-dump to 'unlimited' will give the full core dump file. -# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size -# to be 'unlimited'. - -coredump: - max-dump: unlimited - -napatech: - # The Host Buffer Allowance for all streams - # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) - hba: -1 - - # use_all_streams set to "yes" will query the Napatech service for all configured - # streams and listen on all of them. When set to "no" the streams config array - # will be used. - use-all-streams: yes - - # The streams to listen on - streams: [1, 2, 3] - -# Includes. Files included here will be handled as if they were -# inlined in this configuration file. -#include: include1.yaml -#include: include2.yaml diff --git a/meta-security/recipes-security/suricata/files/volatiles.03_suricata b/meta-security/recipes-security/suricata/files/volatiles.03_suricata deleted file mode 100644 index 4627bd3b0..000000000 --- a/meta-security/recipes-security/suricata/files/volatiles.03_suricata +++ /dev/null @@ -1,2 +0,0 @@ -# <type> <owner> <group> <mode> <path> <linksource> -d root root 0755 /var/log/suricata none diff --git a/meta-security/recipes-security/suricata/libhtp_0.5.27.bb b/meta-security/recipes-security/suricata/libhtp_0.5.27.bb deleted file mode 100644 index 8305f7010..000000000 --- a/meta-security/recipes-security/suricata/libhtp_0.5.27.bb +++ /dev/null @@ -1,15 +0,0 @@ -SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces." - -require suricata.inc - -LIC_FILES_CHKSUM = "file://../LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" - -DEPENDS = "zlib" - -inherit autotools pkgconfig - -CFLAGS += "-D_DEFAULT_SOURCE" - -S = "${WORKDIR}/suricata-${VER}/${BPN}" - -RDEPENDS_${PN} += "zlib" diff --git a/meta-security/recipes-security/suricata/suricata.inc b/meta-security/recipes-security/suricata/suricata.inc deleted file mode 100644 index 1f421210d..000000000 --- a/meta-security/recipes-security/suricata/suricata.inc +++ /dev/null @@ -1,9 +0,0 @@ -HOMEPAGE = "http://suricata-ids.org/" -SECTION = "security Monitor/Admin" -LICENSE = "GPLv2" - -VER = "4.0.5" -SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz" - -SRC_URI[md5sum] = "ea0cb823d6a86568152f75ade6de442f" -SRC_URI[sha256sum] = "74dacb4359d57fbd3452e384eeeb1dd77b6ae00f02e9994ad5a7b461d5f4c6c2" diff --git a/meta-security/recipes-security/suricata/suricata_4.0.5.bb b/meta-security/recipes-security/suricata/suricata_4.0.5.bb deleted file mode 100644 index 6c0a109be..000000000 --- a/meta-security/recipes-security/suricata/suricata_4.0.5.bb +++ /dev/null @@ -1,96 +0,0 @@ -SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine" - -require suricata.inc - -LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" - -SRC_URI += "file://emerging.rules.tar.gz;name=rules" - -SRC_URI += " \ - file://volatiles.03_suricata \ - file://suricata.yaml \ - file://suricata.service \ - file://run-ptest \ - " - -SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33" -SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798" - -inherit autotools-brokensep pkgconfig python-dir systemd ptest - -CFLAGS += "-D_DEFAULT_SOURCE" - -CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \ - ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no " - -EXTRA_OECONF += " --disable-debug \ - --enable-non-bundled-htp \ - --disable-gccmarch-native \ - " - -PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr" -PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" - -PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp," -PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," -PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ," -PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ," -PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , " -PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet," -PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ," -PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue," - -PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson" -PACKAGECONFIG[file] = ",,file, file" -PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss," -PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr," -PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python" -PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," - -export logdir = "${localstatedir}/log" - -do_install_append () { - - install -d ${D}${sysconfdir}/suricata - - oe_runmake install-conf DESTDIR=${D} - - # mimic move of downloaded rules to e_sysconfrulesdir - cp -rf ${WORKDIR}/rules ${D}${sysconfdir}/suricata - - oe_runmake install-rules DESTDIR=${D} - - install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles - install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata - - install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata - - install -d ${D}${systemd_unitdir}/system - sed -e s:/etc:${sysconfdir}:g \ - -e s:/var/run:/run:g \ - -e s:/var:${localstatedir}:g \ - -e s:/usr/bin:${bindir}:g \ - -e s:/bin/kill:${base_bindir}/kill:g \ - -e s:/usr/lib:${libdir}:g \ - ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service - - # Remove /var/run as it is created on startup - rm -rf ${D}${localstatedir}/run - -} - -pkg_postinst_ontarget_${PN} () { -if [ -e /etc/init.d/populate-volatile.sh ] ; then - ${sysconfdir}/init.d/populate-volatile.sh update -fi -} - -SYSTEMD_PACKAGES = "${PN}" - -PACKAGES =+ "${PN}-socketcontrol" -FILES_${PN} += "${systemd_unitdir}" -FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}" - -CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml" - -RDEPENDS_${PN}-python = "python" diff --git a/meta-security/recipes-security/tripwire/files/add_armeb_arch.patch b/meta-security/recipes-security/tripwire/files/add_armeb_arch.patch deleted file mode 100644 index 2379d6654..000000000 --- a/meta-security/recipes-security/tripwire/files/add_armeb_arch.patch +++ /dev/null @@ -1,18 +0,0 @@ -tripwire: Add armeb support - -Upstream-Status: Submitted to tripwire-dev - -Signed-off-by: Armin Kuster <akuster@mvista.com> - -diff -Naurp tripwire-2.4.2.2-src_org/config.sub tripwire-2.4.2.2-src/config.sub ---- tripwire-2.4.2.2-src_org/config.sub 2015-07-20 15:03:04.161452573 +0530 -+++ tripwire-2.4.2.2-src/config.sub 2015-07-20 15:06:07.077673139 +0530 -@@ -268,7 +268,7 @@ case $basic_machine in - # FIXME: clean up the formatting here. - vax-* | tahoe-* | i*86-* | i860-* | ia64-* | m32r-* | m68k-* | m68000-* \ - | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | c[123]* | aarch64-* | aarch64be-* \ -- | arm-* | armbe-* | armle-* | armv*-* | strongarm-* | xscale-* \ -+ | arm-* | armeb-* | armbe-* | armle-* | armv*-* | strongarm-* | xscale-* \ - | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \ - | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \ - | xmp-* | ymp-* \ diff --git a/meta-security/recipes-security/tripwire/files/run-ptest b/meta-security/recipes-security/tripwire/files/run-ptest deleted file mode 100644 index aedfddc59..000000000 --- a/meta-security/recipes-security/tripwire/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -./twtest.pl diff --git a/meta-security/recipes-security/tripwire/files/tripwire.cron b/meta-security/recipes-security/tripwire/files/tripwire.cron deleted file mode 100644 index 2035508d7..000000000 --- a/meta-security/recipes-security/tripwire/files/tripwire.cron +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh -HOST_NAME=`uname -n` -if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then - echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****" - echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****" -else - test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check -fi diff --git a/meta-security/recipes-security/tripwire/files/tripwire.sh b/meta-security/recipes-security/tripwire/files/tripwire.sh deleted file mode 100644 index 4276d10eb..000000000 --- a/meta-security/recipes-security/tripwire/files/tripwire.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -HOST_NAME=`uname -n` -if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then - echo "**** WARNING: Tripwire database for ${HOST_NAME} not found. ****" - echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****" - # Note: /etc/tripwire/twinstall.sh creates and initializes tripwire - # database (i.e tripwire --init). - # Example: . /etc/tripwire/twinstall.sh 2> /dev/null -fi diff --git a/meta-security/recipes-security/tripwire/files/tripwire.txt b/meta-security/recipes-security/tripwire/files/tripwire.txt deleted file mode 100644 index 332d00420..000000000 --- a/meta-security/recipes-security/tripwire/files/tripwire.txt +++ /dev/null @@ -1,69 +0,0 @@ -Post-Installation Instructions -1. Run the configuration script: /etc/tripwire/twinstall.sh to sign these files. This script walks you through the processes of setting passphrases and signing the Tripwire policy and configuration files. -Note: Once encoded and signed, the configuration file should not be renamed or moved. -2. Initialize the Tripwire database file. (/usr/sbin/tripwire--init) -3. Run the first integrity check. (/usr/sbin/tripwire--check) -4. Edit the configuration file (twcfg.txt) with a text editor, if desired. -5. Edit the policy file (twpol.txt) with a text editor, if desired. - -Note: If you plan to modify the policy file, we recommend you do so before running the configuration script. If you modify the policy file after running the configuration script, you must re-run the configuration file before initializing the database file. - -Modifying the Policy File -You can specify how Tripwire software checks your system in the Tripwire policy file (twpol.txt). A default policy file is included in the Tripwire software installation. We recommend you tailor this policy file to fit your particular system. Tailoring the policy file greatly increases Tripwire software's ability to ensure the integrity of your system. - -Locate the default policy file at /etc/tripwire/twpol.txt. An example policy file (located at /usr/doc/tripwire-VER#-REL#/policyguide.txt) is included to help you learn the policy language. Read the sample policy file and the comments in the sample policy file to learn the policy language. - -After you modify the policy file, follow the Post-Installation Instructions (run the configuration script). This script signs the modified policy file and renames it to tw.pol. This is the active policy file that runs as part of the Tripwire software. - -Selecting Passphrases -Tripwire files are signed or encrypted using site or local keys. These keys are protected by passphrases. When selecting passphrases, the following recommendations apply: -Use at least eight alphanumeric and symbolic characters for each passphrase. The maximum length of a passphrase is 1023 characters. Quotes should not be used as passphrase characters. - -Assign a unique passphrase for the site key. The site key passphrase protects the site key, which is used to sign Tripwire software configuration and policy files. Assign a unique passphrase for the local key. The local key signs Tripwire database files. The local key may sign the Tripwire report files also. - -Store the passphrases in a secure location. There is no way to remove encryption from a signed file if you forget your passphrase. If you forget the passphrases, the files are unusable. In that case you must reinitialize the baseline database. - -Initializing the Database -In Database Initialization mode, Tripwire software builds a database of filesystem objects based on the rules in the policy file. This database serves as the baseline for integrity checks. The syntax for Database Initialization mode is: -tripwire --init - -Running an Integrity Check -The Integrity Check mode compares the current file system objects with their properties recorded in the Tripwire database. Violations are printed to stdout. The report file is saved and can later be accessed by twprint. An email option enables you to send email. The syntax for Integrity Check mode is: -tripwire --check - -Printing Reports - twprint Print Report Mode -The twprint --print-report mode prints the contents of a Tripwire report. If you do not specify a report with the --twrfile or -r command-line argument, the default report file specified by the configuration file REPORTFILE variable is used. -Example: On a machine named LIGHTHOUSE, the command would be: -./twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr - -Updating the Database after an Integrity Check -Database Update mode enables you to update the Tripwire database after an integrity check if you determine that the violations discovered are valid. This update process saves time by enabling you to update the database without having to re-initialize it. It also enables selective updating, which cannot be done through re-initialization. The syntax for Database Update mode is: -tripwire --update - -Updating the Policy File -Change the way that Tripwire software scans the system by changing the rules in the policy file. You can then update the database without a complete re-initialization. This saves a significant amount of time and preserves security by keeping the policy file synchronized with the database it uses. The syntax for Policy Update mode is: -tripwire --update-policy - -Testing email functions -Test mode tests the software's email notification system, using the settings currently specified in the configuration file. The syntax for Email Test Reporting mode is: -tripwire --test - -Tripwire Components -The policy file begins as a text file containing comments, rules, directives, and variables. These dictate the way Tripwire software checks your system. Each rule in the policy file specifies a system object to be monitored. Rules also describe which changes to the object to report, and which to ignore. - -System objects are the files and directories you wish to monitor. Each object is identified by an object name. A property refers to a single characteristic of an object that Tripwire software can monitor. Directives control conditional processing of sets of rules in a policy file. During installation, the text policy file is encrypted and renamed, and becomes the active policy file. - -The database file is an important component of Tripwire software. When first installed, Tripwire software uses the policy file rules to create the database file. The database file is a baseline "snapshot" of the system in a known secure state. Tripwire software compares this baseline against the current system to determine what changes have occurred. This is an integrity check. - -When you perform an integrity check, Tripwire software produces report files. Report files summarize any changes that violated the policy file rules during the integrity check. You can view the report file in a variety of formats, at varying levels of detail. - -The Tripwire configuration file stores system-specific information, such as the location of Tripwire data files. Tripwire software generates some of the configuration file information during installation. The system administrator can change parameters in the configuration file at any time. The configuration file variables POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, and LOCALKEYFILE specify where the policy file, database file, report files, and site and local key files reside. These variables must be defined or the configuration file is invalid. If any of these variables are undefined, an error occurs on execution of Tripwire software and the program exits. - -Tripwire Help -All Tripwire commands support the help arguments. Example: To get help with Create Configuration File mode, type: ./twadmin --help --create-cfgfile - --? Display usage and version information ---help Display all command modes ---help all Display help for all command modes ---help [mode] Display help for current command mode ---version Display version information diff --git a/meta-security/recipes-security/tripwire/files/twcfg.txt b/meta-security/recipes-security/tripwire/files/twcfg.txt deleted file mode 100644 index 224e9201e..000000000 --- a/meta-security/recipes-security/tripwire/files/twcfg.txt +++ /dev/null @@ -1,15 +0,0 @@ -ROOT =/usr/sbin -POLFILE =/etc/tripwire/tw.pol -DBFILE =/var/lib/tripwire/$(HOSTNAME).twd -REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr -SITEKEYFILE =/etc/tripwire/site.key -LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key -EDITOR =/usr/bin/nano -LATEPROMPTING =false -LOOSEDIRECTORYCHECKING =false -MAILNOVIOLATIONS =true -EMAILREPORTLEVEL =3 -REPORTLEVEL =3 -MAILMETHOD =SENDMAIL -SYSLOGREPORTING =false -MAILPROGRAM =/usr/lib/sendmail -t diff --git a/meta-security/recipes-security/tripwire/files/twinstall.sh b/meta-security/recipes-security/tripwire/files/twinstall.sh deleted file mode 100644 index 7d1b63fe5..000000000 --- a/meta-security/recipes-security/tripwire/files/twinstall.sh +++ /dev/null @@ -1,320 +0,0 @@ -#!/bin/sh - -######################################################################## -######################################################################## -## -## Tripwire(R) 2.3 for LINUX(R) Post-RPM installation script -## -## Copyleft information contained in footer -## -######################################################################## -######################################################################## - -##======================================================= -## Setup -##======================================================= - -# We can assume all the correct tools are in place because the -# RPM installed, didn't it? - -##------------------------------------------------------- -## Set HOST_NAME variable -##------------------------------------------------------- -HOST_NAME='localhost' -if uname -n > /dev/null 2> /dev/null ; then - HOST_NAME=`uname -n` -fi - -##------------------------------------------------------- -## Program variables - edited by RPM during initial install -##------------------------------------------------------- - -# Site Passphrase variable -TW_SITE_PASS="tripwire" - -# Complete path to site key -SITE_KEY="/etc/tripwire/site.key" - -# Local Passphrase variable -TW_LOCAL_PASS="tripwire" - -# Complete path to local key -LOCAL_KEY="/etc/tripwire/${HOST_NAME}-local.key" - -# If clobber==true, overwrite files; if false, do not overwrite files. -CLOBBER="false" - -# If prompt==true, ask for confirmation before continuing with install. -PROMPT="true" - -# Name of twadmin executeable -TWADMIN="twadmin" - -# Path to twadmin executeable -TWADMPATH=/usr/sbin - -# Path to configuration directory -CONF_PATH="/etc/tripwire" - -# Name of clear text policy file -TXT_POL=$CONF_PATH/twpol.txt - -# Name of clear text configuration file -TXT_CFG=$CONF_PATH/twcfg.txt - -# Name of encrypted configuration file -CONFIG_FILE=$CONF_PATH/tw.cfg - -# Path of the final Tripwire policy file (signed) -SIGNED_POL=`grep POLFILE $TXT_CFG | sed -e 's/^.*=\(.*\)/\1/'` - - -##======================================================= -## Create Key Files -##======================================================= - -##------------------------------------------------------- -## If user has to enter a passphrase, give some -## advice about what is appropriate. -##------------------------------------------------------- - -if [ -z "$TW_SITE_PASS" ] || [ -z "$TW_LOCAL_PASS" ]; then -cat << END_OF_TEXT - ----------------------------------------------- -The Tripwire site and local passphrases are used to -sign a variety of files, such as the configuration, -policy, and database files. - -Passphrases should be at least 8 characters in length -and contain both letters and numbers. - -See the Tripwire manual for more information. -END_OF_TEXT -fi - -##======================================================= -## Generate keys. -##======================================================= - -echo -echo "----------------------------------------------" -echo "Creating key files..." - -##------------------------------------------------------- -## Site key file. -##------------------------------------------------------- - -# If clobber is true, and prompting is off (unattended operation) -# and the key file already exists, remove it. Otherwise twadmin -# will prompt with an "are you sure?" message. - -if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$SITE_KEY" ] ; then - rm -f "$SITE_KEY" -fi - -if [ -f "$SITE_KEY" ] && [ "$CLOBBER" = "false" ] ; then - echo "The site key file \"$SITE_KEY\"" - echo 'exists and will not be overwritten.' -else - cmdargs="--generate-keys --site-keyfile \"$SITE_KEY\"" - if [ -n "$TW_SITE_PASS" ] ; then - cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\"" - fi - eval "\"$TWADMPATH/$TWADMIN\" $cmdargs" - if [ $? -ne 0 ] ; then - echo "Error: site key generation failed" - exit 1 - else chmod 640 "$SITE_KEY" - fi -fi - -##------------------------------------------------------- -## Local key file. -##------------------------------------------------------- - -# If clobber is true, and prompting is off (unattended operation) -# and the key file already exists, remove it. Otherwise twadmin -# will prompt with an "are you sure?" message. - -if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$LOCAL_KEY" ] ; then - rm -f "$LOCAL_KEY" -fi - -if [ -f "$LOCAL_KEY" ] && [ "$CLOBBER" = "false" ] ; then - echo "The site key file \"$LOCAL_KEY\"" - echo 'exists and will not be overwritten.' -else - cmdargs="--generate-keys --local-keyfile \"$LOCAL_KEY\"" - if [ -n "$TW_LOCAL_PASS" ] ; then - cmdargs="$cmdargs --local-passphrase \"$TW_LOCAL_PASS\"" - fi - eval "\"$TWADMPATH/$TWADMIN\" $cmdargs" - if [ $? -ne 0 ] ; then - echo "Error: local key generation failed" - exit 1 - else chmod 640 "$LOCAL_KEY" - fi -fi - -##======================================================= -## Sign the Configuration File -##======================================================= - -echo -echo "----------------------------------------------" -echo "Signing configuration file..." - -##------------------------------------------------------- -## If noclobber, then backup any existing config file. -##------------------------------------------------------- - -if [ "$CLOBBER" = "false" ] && [ -s "$CONFIG_FILE" ] ; then - backup="${CONFIG_FILE}.$$.bak" - echo "Backing up $CONFIG_FILE" - echo " to $backup" - `mv "$CONFIG_FILE" "$backup"` - if [ $? -ne 0 ] ; then - echo "Error: backup of configuration file failed." - exit 1 - fi -fi - -##------------------------------------------------------- -## Build command line. -##------------------------------------------------------- - -cmdargs="--create-cfgfile" -cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\"" -cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\"" -if [ -n "$TW_SITE_PASS" ] ; then - cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\"" -fi - -##------------------------------------------------------- -## Sign the file. -##------------------------------------------------------- - -eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_CFG\"" -if [ $? -ne 0 ] ; then - echo "Error: signing of configuration file failed." - exit 1 -fi - -# Set the rights properly -chmod 640 "$CONFIG_FILE" - -##------------------------------------------------------- -## We keep the cleartext version around. -##------------------------------------------------------- - -cat << END_OF_TEXT - -A clear-text version of the Tripwire configuration file -$TXT_CFG -has been preserved for your inspection. It is recommended -that you delete this file manually after you have examined it. - -END_OF_TEXT - -##======================================================= -## Sign tripwire policy file. -##======================================================= - -echo -echo "----------------------------------------------" -echo "Signing policy file..." - -##------------------------------------------------------- -## If noclobber, then backup any existing policy file. -##------------------------------------------------------- - -if [ "$CLOBBER" = "false" ] && [ -s "$POLICY_FILE" ] ; then - backup="${POLICY_FILE}.$$.bak" - echo "Backing up $POLICY_FILE" - echo " to $backup" - mv "$POLICY_FILE" "$backup" - if [ $? -ne 0 ] ; then - echo "Error: backup of policy file failed." - exit 1 - fi -fi - -##------------------------------------------------------- -## Build command line. -##------------------------------------------------------- - -cmdargs="--create-polfile" -cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\"" -cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\"" -if [ -n "$TW_SITE_PASS" ] ; then - cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\"" -fi - -##------------------------------------------------------- -## Sign the file. -##------------------------------------------------------- - -eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_POL\"" -if [ $? -ne 0 ] ; then - echo "Error: signing of policy file failed." - exit 1 -fi - -# Set the proper rights on the newly signed policy file. -chmod 0640 "$SIGNED_POL" - -##------------------------------------------------------- -## We keep the cleartext version around. -##------------------------------------------------------- - -cat << END_OF_TEXT - -A clear-text version of the Tripwire policy file -$TXT_POL -has been preserved for your inspection. This implements -a minimal policy, intended only to test essential -Tripwire functionality. You should edit the policy file -to describe your system, and then use twadmin to generate -a new signed copy of the Tripwire policy. - -END_OF_TEXT - -# Initialize tripwire database -/usr/sbin/tripwire --init --cfgfile $CONFIG_FILE --site-keyfile $SITE_KEY \ ---local-passphrase $TW_LOCAL_PASS 2> /dev/null - -######################################################################## -######################################################################## -# -# TRIPWIRE GPL NOTICES -# -# The developer of the original code and/or files is Tripwire, Inc. -# Portions created by Tripwire, Inc. are copyright 2000 Tripwire, Inc. -# Tripwire is a registered trademark of Tripwire, Inc. All rights reserved. -# -# This program is free software. The contents of this file are subject to -# the terms of the GNU General Public License as published by the Free -# Software Foundation; either version 2 of the License, or (at your option) -# any later version. You may redistribute it and/or modify it only in -# compliance with the GNU General Public License. -# -# This program is distributed in the hope that it will be useful. However, -# this program is distributed "AS-IS" WITHOUT ANY WARRANTY; INCLUDING THE -# IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. -# Please see the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# Nothing in the GNU General Public License or any other license to use the -# code or files shall permit you to use Tripwire's trademarks, -# service marks, or other intellectual property without Tripwire's -# prior written consent. -# -# If you have any questions, please contact Tripwire, Inc. at either -# info@tripwire.org or www.tripwire.org. -# -######################################################################## -######################################################################## diff --git a/meta-security/recipes-security/tripwire/files/twpol-yocto.txt b/meta-security/recipes-security/tripwire/files/twpol-yocto.txt deleted file mode 100644 index 65f5f7500..000000000 --- a/meta-security/recipes-security/tripwire/files/twpol-yocto.txt +++ /dev/null @@ -1,1107 +0,0 @@ - ############################################################################## - # ## -############################################################################## # -# # # -# Generic Policy file # # -# V1.2.0rh # # -# August 9, 2001 # # -# ## -############################################################################## - - - ############################################################################## - # ## -############################################################################## # -# # # -# This is the example Tripwire Policy file. It is intended as a place to # # -# start creating your own custom Tripwire Policy file. Referring to it as # # -# well as the Tripwire Policy Guide should give you enough information to # # -# make a good custom Tripwire Policy file that better covers your # # -# configuration and security needs. A text version of this policy file is # # -# called twpol.txt. # # -# # # -# Note that this file is tuned to an 'everything' install of Red Hat Linux. # # -# If run unmodified, this file should create no errors on database # # -# creation, or violations on a subsiquent integrity check. However, it is # # -# impossible for there to be one policy file for all machines, so this # # -# existing one errs on the side of security. Your Linux configuration will # # -# most likey differ from the one our policy file was tuned to, and will # # -# therefore require some editing of the default Tripwire Policy file. # # -# # # -# The example policy file is best run with 'Loose Directory Checking' # # -# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # # -# file. # # -# # # -# Email support is not included and must be added to this file. # # -# Add the 'emailto=' to the rule directive section of each rule (add a comma # # -# after the 'severity=' line and add an 'emailto=' and include the email # # -# addresses you want the violation reports to go to). Addresses are # # -# semi-colon delimited. # # -# ## -############################################################################## - - - - ############################################################################## - # ## -############################################################################## # -# # # -# Global Variable Definitions # # -# # # -# These are defined at install time by the installation script. You may # # -# Manually edit these if you are using this file directly and not from the # # -# installation script itself. # # -# ## -############################################################################## - -@@section GLOBAL -TWROOT=/usr/sbin; -TWBIN=/usr/sbin; -TWPOL="/etc/tripwire"; -TWDB="/var/lib/tripwire"; -TWSKEY="/etc/tripwire"; -TWLKEY="/etc/tripwire"; -TWREPORT="/var/lib/tripwire/report"; -HOSTNAME=localhost; - -@@section FS -SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change -SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set -SEC_BIN = $(ReadOnly) ; # Binaries that should not change -SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often -SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership -SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership -SIG_LOW = 33 ; # Non-critical files that are of minimal security impact -SIG_MED = 66 ; # Non-critical files that are of significant security impact -SIG_HI = 100 ; # Critical files that are significant points of vulnerability - - -# Tripwire Binaries -( - rulename = "Tripwire Binaries", - severity = $(SIG_HI) -) -{ - $(TWBIN)/siggen -> $(SEC_BIN) ; - $(TWBIN)/tripwire -> $(SEC_BIN) ; - $(TWBIN)/twadmin -> $(SEC_BIN) ; - $(TWBIN)/twprint -> $(SEC_BIN) ; -} - -# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases -( - rulename = "Tripwire Data Files", - severity = $(SIG_HI) -) -{ - # NOTE: We remove the inode attribute because when Tripwire creates a backup, - # it does so by renaming the old file and creating a new one (which will - # have a new inode number). Inode is left turned on for keys, which shouldn't - # ever change. - - # NOTE: The first integrity check triggers this rule and each integrity check - # afterward triggers this rule until a database update is run, since the - # database file does not exist before that point. - - $(TWDB) -> $(SEC_CONFIG) -i ; - $(TWPOL)/tw.pol -> $(SEC_BIN) -i ; - $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; - $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; - $(TWSKEY)/site.key -> $(SEC_BIN) ; - - #don't scan the individual reports - $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; -} - - -# Tripwire HQ Connector Binaries -#( -# rulename = "Tripwire HQ Connector Binaries", -# severity = $(SIG_HI) -#) -#{ -# $(TWBIN)/hqagent -> $(SEC_BIN) ; -#} -# -# Tripwire HQ Connector - Configuration Files, Keys, and Logs - - ############################################################################## - # ## -############################################################################## # -# # # -# Note: File locations here are different than in a stock HQ Connector # # -# installation. This is because Tripwire 2.3 uses a different path # # -# structure than Tripwire 2.2.1. # # -# # # -# You may need to update your HQ Agent configuation file (or this policy # # -# file) to correct the paths. We have attempted to support the FHS standard # # -# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # # -# places them. # # -# ## -############################################################################## - -#( -# rulename = "Tripwire HQ Connector Data Files", -# severity = $(SIG_HI) -#) -#{ -# ############################################################################# -# ############################################################################## -# # NOTE: Removing the inode attribute because when Tripwire creates a backup ## -# # it does so by renaming the old file and creating a new one (which will ## -# # have a new inode number). Leaving inode turned on for keys, which ## -# # shouldn't ever change. ## -# ############################################################################# -# -# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; -# $(TWLKEY)/authentication.key -> $(SEC_BIN) ; -# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; -# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; -# -# # Uncomment if you have agent logging enabled. -# #/var/log/tripwire/agent.log -> $(SEC_LOG) ; -#} - - - -# Commonly accessed directories that should remain static with regards to owner and group -( - rulename = "Invariant Directories", - severity = $(SIG_MED) -) -{ - / -> $(SEC_INVARIANT) (recurse = 0) ; - /home -> $(SEC_INVARIANT) (recurse = 0) ; - /etc -> $(SEC_INVARIANT) (recurse = 0) ; -} - ################################################ - # ## -################################################ # -# # # -# File System and Disk Administration Programs # # -# ## -################################################ - -( - rulename = "File System and Disk Administraton Programs", - severity = $(SIG_HI) -) -{ - /sbin/accton -> $(SEC_CRIT) ; - /sbin/badblocks -> $(SEC_CRIT) ; - /sbin/busybox -> $(SEC_CRIT) ; - /sbin/busybox.anaconda -> $(SEC_CRIT) ; - /sbin/convertquota -> $(SEC_CRIT) ; - /sbin/dosfsck -> $(SEC_CRIT) ; - /sbin/debugfs -> $(SEC_CRIT) ; - /sbin/debugreiserfs -> $(SEC_CRIT) ; - /sbin/dumpe2fs -> $(SEC_CRIT) ; - /sbin/dump -> $(SEC_CRIT) ; - /sbin/dump.static -> $(SEC_CRIT) ; - # /sbin/e2fsadm -> $(SEC_CRIT) ; tune2fs? - /sbin/e2fsck -> $(SEC_CRIT) ; - /sbin/e2label -> $(SEC_CRIT) ; - /sbin/fdisk -> $(SEC_CRIT) ; - /sbin/fsck -> $(SEC_CRIT) ; - /sbin/fsck.ext2 -> $(SEC_CRIT) ; - /sbin/fsck.ext3 -> $(SEC_CRIT) ; - /sbin/fsck.minix -> $(SEC_CRIT) ; - /sbin/fsck.msdos -> $(SEC_CRIT) ; - /sbin/fsck.vfat -> $(SEC_CRIT) ; - /sbin/ftl_check -> $(SEC_CRIT) ; - /sbin/ftl_format -> $(SEC_CRIT) ; - /sbin/hdparm -> $(SEC_CRIT) ; - #/sbin/lvchange -> $(SEC_CRIT) ; - #/sbin/lvcreate -> $(SEC_CRIT) ; - #/sbin/lvdisplay -> $(SEC_CRIT) ; - #/sbin/lvextend -> $(SEC_CRIT) ; - #/sbin/lvmchange -> $(SEC_CRIT) ; - #/sbin/lvmcreate_initrd -> $(SEC_CRIT) ; - #/sbin/lvmdiskscan -> $(SEC_CRIT) ; - #/sbin/lvmsadc -> $(SEC_CRIT) ; - #/sbin/lvmsar -> $(SEC_CRIT) ; - #/sbin/lvreduce -> $(SEC_CRIT) ; - #/sbin/lvremove -> $(SEC_CRIT) ; - #/sbin/lvrename -> $(SEC_CRIT) ; - #/sbin/lvscan -> $(SEC_CRIT) ; - /sbin/mkbootdisk -> $(SEC_CRIT) ; - /sbin/mkdosfs -> $(SEC_CRIT) ; - /sbin/mke2fs -> $(SEC_CRIT) ; - /sbin/mkfs -> $(SEC_CRIT) ; - /sbin/mkfs.bfs -> $(SEC_CRIT) ; - /sbin/mkfs.ext2 -> $(SEC_CRIT) ; - /sbin/mkfs.minix -> $(SEC_CRIT) ; - /sbin/mkfs.msdos -> $(SEC_CRIT) ; - /sbin/mkfs.vfat -> $(SEC_CRIT) ; - /sbin/mkinitrd -> $(SEC_CRIT) ; - #/sbin/mkpv -> $(SEC_CRIT) ; - /sbin/mkraid -> $(SEC_CRIT) ; - /sbin/mkreiserfs -> $(SEC_CRIT) ; - /sbin/mkswap -> $(SEC_CRIT) ; - #/sbin/mtx -> $(SEC_CRIT) ; - /sbin/pam_console_apply -> $(SEC_CRIT) ; - /sbin/parted -> $(SEC_CRIT) ; - /sbin/pcinitrd -> $(SEC_CRIT) ; - #/sbin/pvchange -> $(SEC_CRIT) ; - #/sbin/pvcreate -> $(SEC_CRIT) ; - #/sbin/pvdata -> $(SEC_CRIT) ; - #/sbin/pvdisplay -> $(SEC_CRIT) ; - #/sbin/pvmove -> $(SEC_CRIT) ; - #/sbin/pvscan -> $(SEC_CRIT) ; - /sbin/quotacheck -> $(SEC_CRIT) ; - /sbin/quotaon -> $(SEC_CRIT) ; - /sbin/raidstart -> $(SEC_CRIT) ; - /sbin/reiserfsck -> $(SEC_CRIT) ; - /sbin/resize2fs -> $(SEC_CRIT) ; - /sbin/resize_reiserfs -> $(SEC_CRIT) ; - /sbin/restore -> $(SEC_CRIT) ; - /sbin/restore.static -> $(SEC_CRIT) ; - /sbin/scsi_info -> $(SEC_CRIT) ; - /sbin/sfdisk -> $(SEC_CRIT) ; - /sbin/stinit -> $(SEC_CRIT) ; - #/sbin/tapeinfo -> $(SEC_CRIT) ; - /sbin/tune2fs -> $(SEC_CRIT) ; - /sbin/unpack -> $(SEC_CRIT) ; - /sbin/update -> $(SEC_CRIT) ; - #/sbin/vgcfgbackup -> $(SEC_CRIT) ; - #/sbin/vgcfgrestore -> $(SEC_CRIT) ; - #/sbin/vgchange -> $(SEC_CRIT) ; - #/sbin/vgck -> $(SEC_CRIT) ; - #/sbin/vgcreate -> $(SEC_CRIT) ; - #/sbin/vgdisplay -> $(SEC_CRIT) ; - #/sbin/vgexport -> $(SEC_CRIT) ; - #/sbin/vgextend -> $(SEC_CRIT) ; - #/sbin/vgimport -> $(SEC_CRIT) ; - #/sbin/vgmerge -> $(SEC_CRIT) ; - #/sbin/vgmknodes -> $(SEC_CRIT) ; - #/sbin/vgreduce -> $(SEC_CRIT) ; - #/sbin/vgremove -> $(SEC_CRIT) ; - #/sbin/vgrename -> $(SEC_CRIT) ; - #/sbin/vgscan -> $(SEC_CRIT) ; - #/sbin/vgsplit -> $(SEC_CRIT) ; - /bin/chgrp -> $(SEC_CRIT) ; - /bin/chmod -> $(SEC_CRIT) ; - /bin/chown -> $(SEC_CRIT) ; - /bin/cp -> $(SEC_CRIT) ; - /bin/cpio -> $(SEC_CRIT) ; - /bin/mount -> $(SEC_CRIT) ; - /bin/umount -> $(SEC_CRIT) ; - /bin/mkdir -> $(SEC_CRIT) ; - /bin/mknod -> $(SEC_CRIT) ; - /bin/mktemp -> $(SEC_CRIT) ; - /bin/rm -> $(SEC_CRIT) ; - /bin/rmdir -> $(SEC_CRIT) ; - /bin/touch -> $(SEC_CRIT) ; -} - - ################################## - # ## -################################## # -# # # -# Kernel Administration Programs # # -# ## -################################## - -( - rulename = "Kernel Administration Programs", - severity = $(SIG_HI) -) -{ - /sbin/adjtimex -> $(SEC_CRIT) ; - /sbin/ctrlaltdel -> $(SEC_CRIT) ; - /sbin/depmod -> $(SEC_CRIT) ; - /sbin/insmod -> $(SEC_CRIT) ; - /sbin/insmod.static -> $(SEC_CRIT) ; - /sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ; - /sbin/klogd -> $(SEC_CRIT) ; - /sbin/ldconfig -> $(SEC_CRIT) ; - /sbin/minilogd -> $(SEC_CRIT) ; - /sbin/modinfo -> $(SEC_CRIT) ; - #/sbin/nuactlun -> $(SEC_CRIT) ; - #/sbin/nuscsitcpd -> $(SEC_CRIT) ; - /sbin/pivot_root -> $(SEC_CRIT) ; - /sbin/sndconfig -> $(SEC_CRIT) ; - /sbin/sysctl -> $(SEC_CRIT) ; -} - - ####################### - # ## -####################### # -# # # -# Networking Programs # # -# ## -####################### - -( - rulename = "Networking Programs", - severity = $(SIG_HI) -) -{ - /etc/sysconfig/network-scripts/ifdown -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-cipcb -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-ippp -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-ipv6 -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-isdn -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-post -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-ppp -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-sit -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-sl -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-aliases -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-cipcb -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-ippp -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-ipv6 -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-isdn -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-plip -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-plusb -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-post -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-ppp -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-routes -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-sit -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-sl -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-wireless -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/network-functions -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/network-functions-ipv6 -> $(SEC_CRIT) ; - /bin/ping -> $(SEC_CRIT) ; - /sbin/agetty -> $(SEC_CRIT) ; - /sbin/arp -> $(SEC_CRIT) ; - /sbin/arping -> $(SEC_CRIT) ; - /sbin/dhcpcd -> $(SEC_CRIT) ; - /sbin/ether-wake -> $(SEC_CRIT) ; - #/sbin/getty -> $(SEC_CRIT) ; - /sbin/ifcfg -> $(SEC_CRIT) ; - /sbin/ifconfig -> $(SEC_CRIT) ; - /sbin/ifdown -> $(SEC_CRIT) ; - /sbin/ifenslave -> $(SEC_CRIT) ; - /sbin/ifport -> $(SEC_CRIT) ; - /sbin/ifup -> $(SEC_CRIT) ; - /sbin/ifuser -> $(SEC_CRIT) ; - /sbin/ip -> $(SEC_CRIT) ; - /sbin/ip6tables -> $(SEC_CRIT) ; - /sbin/ipchains -> $(SEC_CRIT) ; - /sbin/ipchains-restore -> $(SEC_CRIT) ; - /sbin/ipchains-save -> $(SEC_CRIT) ; - /sbin/ipfwadm -> $(SEC_CRIT) ; - /sbin/ipmaddr -> $(SEC_CRIT) ; - /sbin/iptables -> $(SEC_CRIT) ; - /sbin/iptables-restore -> $(SEC_CRIT) ; - /sbin/iptables-save -> $(SEC_CRIT) ; - /sbin/iptunnel -> $(SEC_CRIT) ; - #/sbin/ipvsadm -> $(SEC_CRIT) ; - #/sbin/ipvsadm-restore -> $(SEC_CRIT) ; - #/sbin/ipvsadm-save -> $(SEC_CRIT) ; - /sbin/ipx_configure -> $(SEC_CRIT) ; - /sbin/ipx_interface -> $(SEC_CRIT) ; - /sbin/ipx_internal_net -> $(SEC_CRIT) ; - /sbin/iwconfig -> $(SEC_CRIT) ; - /sbin/iwgetid -> $(SEC_CRIT) ; - /sbin/iwlist -> $(SEC_CRIT) ; - /sbin/iwpriv -> $(SEC_CRIT) ; - /sbin/iwspy -> $(SEC_CRIT) ; - /sbin/mgetty -> $(SEC_CRIT) ; - /sbin/mingetty -> $(SEC_CRIT) ; - /sbin/nameif -> $(SEC_CRIT) ; - /sbin/netreport -> $(SEC_CRIT) ; - /sbin/plipconfig -> $(SEC_CRIT) ; - /sbin/portmap -> $(SEC_CRIT) ; - /sbin/ppp-watch -> $(SEC_CRIT) ; - #/sbin/rarp -> $(SEC_CRIT) ; - /sbin/route -> $(SEC_CRIT) ; - /sbin/slattach -> $(SEC_CRIT) ; - /sbin/tc -> $(SEC_CRIT) ; - #/sbin/uugetty -> $(SEC_CRIT) ; - /sbin/vgetty -> $(SEC_CRIT) ; - /sbin/ypbind -> $(SEC_CRIT) ; -} - - ################################## - # ## -################################## # -# # # -# System Administration Programs # # -# ## -################################## - -( - rulename = "System Administration Programs", - severity = $(SIG_HI) -) -{ - /sbin/chkconfig -> $(SEC_CRIT) ; - /sbin/fuser -> $(SEC_CRIT) ; - /sbin/halt -> $(SEC_CRIT) ; - /sbin/init -> $(SEC_CRIT) ; - /sbin/initlog -> $(SEC_CRIT) ; - /sbin/install-info -> $(SEC_CRIT) ; - /sbin/killall5 -> $(SEC_CRIT) ; - #/sbin/linuxconf -> $(SEC_CRIT) ; - #/sbin/linuxconf-auth -> $(SEC_CRIT) ; - /sbin/pam_tally -> $(SEC_CRIT) ; - /sbin/pwdb_chkpwd -> $(SEC_CRIT) ; - #/sbin/remadmin -> $(SEC_CRIT) ; - /sbin/rescuept -> $(SEC_CRIT) ; - /sbin/rmt -> $(SEC_CRIT) ; - /sbin/rpc.lockd -> $(SEC_CRIT) ; - /sbin/rpc.statd -> $(SEC_CRIT) ; - /sbin/rpcdebug -> $(SEC_CRIT) ; - /sbin/service -> $(SEC_CRIT) ; - /sbin/setsysfont -> $(SEC_CRIT) ; - /sbin/shutdown -> $(SEC_CRIT) ; - /sbin/sulogin -> $(SEC_CRIT) ; - /sbin/swapon -> $(SEC_CRIT) ; - /sbin/syslogd -> $(SEC_CRIT) ; - /sbin/unix_chkpwd -> $(SEC_CRIT) ; - /bin/pwd -> $(SEC_CRIT) ; - /bin/uname -> $(SEC_CRIT) ; -} - - ######################################## - # ## -######################################## # -# # # -# Hardware and Device Control Programs # # -# ## -######################################## -( - rulename = "Hardware and Device Control Programs", - severity = $(SIG_HI) -) -{ - /bin/setserial -> $(SEC_CRIT) ; - /bin/sfxload -> $(SEC_CRIT) ; - /sbin/blockdev -> $(SEC_CRIT) ; - /sbin/cardctl -> $(SEC_CRIT) ; - /sbin/cardmgr -> $(SEC_CRIT) ; - /sbin/cbq -> $(SEC_CRIT) ; - /sbin/dump_cis -> $(SEC_CRIT) ; - /sbin/elvtune -> $(SEC_CRIT) ; - /sbin/hotplug -> $(SEC_CRIT) ; - /sbin/hwclock -> $(SEC_CRIT) ; - /sbin/ide_info -> $(SEC_CRIT) ; - #/sbin/isapnp -> $(SEC_CRIT) ; - /sbin/kbdrate -> $(SEC_CRIT) ; - /sbin/losetup -> $(SEC_CRIT) ; - /sbin/lspci -> $(SEC_CRIT) ; - /sbin/lspnp -> $(SEC_CRIT) ; - /sbin/mii-tool -> $(SEC_CRIT) ; - /sbin/pack_cis -> $(SEC_CRIT) ; - #/sbin/pnpdump -> $(SEC_CRIT) ; - /sbin/probe -> $(SEC_CRIT) ; - /sbin/pump -> $(SEC_CRIT) ; - /sbin/setpci -> $(SEC_CRIT) ; - /sbin/shapecfg -> $(SEC_CRIT) ; -} - - ############################### - # ## -############################### # -# # # -# System Information Programs # # -# ## -############################### -( - rulename = "System Information Programs", - severity = $(SIG_HI) -) -{ - /sbin/consoletype -> $(SEC_CRIT) ; - /sbin/kernelversion -> $(SEC_CRIT) ; - /sbin/runlevel -> $(SEC_CRIT) ; -} - - #################################### - # ## -#################################### # -# # # -# Application Information Programs # # -# ## -#################################### - -( - rulename = "Application Information Programs", - severity = $(SIG_HI) -) -{ - /sbin/genksyms -> $(SEC_CRIT) ; - #/sbin/genksyms.old -> $(SEC_CRIT) ; - /sbin/rtmon -> $(SEC_CRIT) ; -} - - ########################## - # ## -########################## # -# # # -# Shell Related Programs # # -# ## -########################## -( - rulename = "Shell Related Programs", - severity = $(SIG_HI) -) -{ - /sbin/getkey -> $(SEC_CRIT) ; - /sbin/nash -> $(SEC_CRIT) ; - /sbin/sash -> $(SEC_CRIT) ; -} - - - ################ - # ## -################ # -# # # -# OS Utilities # # -# ## -################ -( - rulename = "Operating System Utilities", - severity = $(SIG_HI) -) -{ - /bin/arch -> $(SEC_CRIT) ; - /bin/ash -> $(SEC_CRIT) ; - /bin/ash.static -> $(SEC_CRIT) ; - /bin/aumix-minimal -> $(SEC_CRIT) ; - /bin/basename -> $(SEC_CRIT) ; - /bin/cat -> $(SEC_CRIT) ; - /bin/consolechars -> $(SEC_CRIT) ; - /bin/cut -> $(SEC_CRIT) ; - /bin/date -> $(SEC_CRIT) ; - /bin/dd -> $(SEC_CRIT) ; - /bin/df -> $(SEC_CRIT) ; - /bin/dmesg -> $(SEC_CRIT) ; - /bin/doexec -> $(SEC_CRIT) ; - /bin/echo -> $(SEC_CRIT) ; - /bin/ed -> $(SEC_CRIT) ; - /bin/egrep -> $(SEC_CRIT) ; - /bin/false -> $(SEC_CRIT) ; - /bin/fgrep -> $(SEC_CRIT) ; - /bin/gawk -> $(SEC_CRIT) ; - /bin/gawk-3.1.0 -> $(SEC_CRIT) ; - /bin/gettext -> $(SEC_CRIT) ; - /bin/grep -> $(SEC_CRIT) ; - /bin/gunzip -> $(SEC_CRIT) ; - /bin/gzip -> $(SEC_CRIT) ; - /bin/hostname -> $(SEC_CRIT) ; - /bin/igawk -> $(SEC_CRIT) ; - /bin/ipcalc -> $(SEC_CRIT) ; - /bin/kill -> $(SEC_CRIT) ; - /bin/ln -> $(SEC_CRIT) ; - /bin/loadkeys -> $(SEC_CRIT) ; - /bin/login -> $(SEC_CRIT) ; - /bin/ls -> $(SEC_CRIT) ; - /bin/mail -> $(SEC_CRIT) ; - /bin/more -> $(SEC_CRIT) ; - /bin/mt -> $(SEC_CRIT) ; - /bin/mv -> $(SEC_CRIT) ; - /bin/netstat -> $(SEC_CRIT) ; - /bin/nice -> $(SEC_CRIT) ; - /bin/pgawk -> $(SEC_CRIT) ; - /bin/ps -> $(SEC_CRIT) ; - /bin/rpm -> $(SEC_CRIT) ; - /bin/sed -> $(SEC_CRIT) ; - /bin/sleep -> $(SEC_CRIT) ; - /bin/sort -> $(SEC_CRIT) ; - /bin/stty -> $(SEC_CRIT) ; - /bin/su -> $(SEC_CRIT) ; - /bin/sync -> $(SEC_CRIT) ; - /bin/tar -> $(SEC_CRIT) ; - /bin/true -> $(SEC_CRIT) ; - /bin/usleep -> $(SEC_CRIT) ; - /bin/vi -> $(SEC_CRIT) ; - /bin/zcat -> $(SEC_CRIT) ; - /bin/zsh -> $(SEC_CRIT) ; - #/bin/zsh-4.0.2 -> $(SEC_CRIT) ; - /sbin/sln -> $(SEC_CRIT) ; - /usr/bin/vimtutor -> $(SEC_CRIT) ; -} - - ############################## - # ## -############################## # -# # # -# Critical Utility Sym-Links # # -# ## -############################## -( - rulename = "Critical Utility Sym-Links", - severity = $(SIG_HI) -) -{ - #/sbin/askrunlevel -> $(SEC_CRIT) ; - /sbin/clock -> $(SEC_CRIT) ; - #/sbin/fixperm -> $(SEC_CRIT) ; - /sbin/fsck.reiserfs -> $(SEC_CRIT) ; - #/sbin/fsconf -> $(SEC_CRIT) ; - /sbin/ipfwadm-wrapper -> $(SEC_CRIT) ; - /sbin/kallsyms -> $(SEC_CRIT) ; - /sbin/ksyms -> $(SEC_CRIT) ; - /sbin/lsmod -> $(SEC_CRIT) ; - #/sbin/mailconf -> $(SEC_CRIT) ; - /sbin/mkfs.reiserfs -> $(SEC_CRIT) ; - #/sbin/modemconf -> $(SEC_CRIT) ; - /sbin/modprobe -> $(SEC_CRIT) ; - /sbin/mount.ncp -> $(SEC_CRIT) ; - /sbin/mount.ncpfs -> $(SEC_CRIT) ; - /sbin/mount.smb -> $(SEC_CRIT) ; - /sbin/mount.smbfs -> $(SEC_CRIT) ; - #/sbin/netconf -> $(SEC_CRIT) ; - /sbin/pidof -> $(SEC_CRIT) ; - /sbin/poweroff -> $(SEC_CRIT) ; - /sbin/quotaoff -> $(SEC_CRIT) ; - /sbin/raid0run -> $(SEC_CRIT) ; - /sbin/raidhotadd -> $(SEC_CRIT) ; - /sbin/raidhotgenerateerror -> $(SEC_CRIT) ; - /sbin/raidhotremove -> $(SEC_CRIT) ; - /sbin/raidstop -> $(SEC_CRIT) ; - /sbin/rdump -> $(SEC_CRIT) ; - /sbin/rdump.static -> $(SEC_CRIT) ; - /sbin/reboot -> $(SEC_CRIT) ; - /sbin/rmmod -> $(SEC_CRIT) ; - /sbin/rrestore -> $(SEC_CRIT) ; - /sbin/rrestore.static -> $(SEC_CRIT) ; - /sbin/swapoff -> $(SEC_CRIT) ; - /sbin/telinit -> $(SEC_CRIT) ; - #/sbin/userconf -> $(SEC_CRIT) ; - #/sbin/uucpconf -> $(SEC_CRIT) ; - #/sbin/vregistry -> $(SEC_CRIT) ; - /bin/awk -> $(SEC_CRIT) ; - /bin/bash2 -> $(SEC_CRIT) ; - /bin/bsh -> $(SEC_CRIT) ; - /bin/csh -> $(SEC_CRIT) ; - /bin/dnsdomainname -> $(SEC_CRIT) ; - /bin/domainname -> $(SEC_CRIT) ; - /bin/ex -> $(SEC_CRIT) ; - /bin/gtar -> $(SEC_CRIT) ; - /bin/nisdomainname -> $(SEC_CRIT) ; - /bin/red -> $(SEC_CRIT) ; - /bin/rvi -> $(SEC_CRIT) ; - /bin/rview -> $(SEC_CRIT) ; - /bin/view -> $(SEC_CRIT) ; - /bin/ypdomainname -> $(SEC_CRIT) ; -} - - - ######################### - # ## -######################### # -# # # -# Temporary directories # # -# ## -######################### -( - rulename = "Temporary directories", - recurse = false, - severity = $(SIG_LOW) -) -{ - /usr/tmp -> $(SEC_INVARIANT) ; - /var/tmp -> $(SEC_INVARIANT) ; - /tmp -> $(SEC_INVARIANT) ; -} - - ############### - # ## -############### # -# # # -# Local files # # -# ## -############### -( - rulename = "User binaries", - severity = $(SIG_MED) -) -{ - /sbin -> $(SEC_BIN) (recurse = 1) ; - /usr/bin -> $(SEC_BIN) (recurse = 1) ; - /usr/sbin -> $(SEC_BIN) (recurse = 1) ; - /usr/local/bin -> $(SEC_BIN) (recurse = 1) ; -} - -( - rulename = "Shell Binaries", - severity = $(SIG_HI) -) -{ - /bin/bash -> $(SEC_BIN) ; - /bin/ksh -> $(SEC_BIN) ; - # /bin/psh -> $(SEC_BIN) ; # No longer used? - # /bin/Rsh -> $(SEC_BIN) ; # No longer used? - /bin/sh -> $(SEC_BIN) ; - # /bin/shell -> $(SEC_SUID) ; # No longer used? - # /bin/tsh -> $(SEC_BIN) ; # No longer used? - /bin/tcsh -> $(SEC_BIN) ; - /sbin/nologin -> $(SEC_BIN) ; -} - -( - rulename = "Security Control", - severity = $(SIG_HI) -) -{ - /etc/group -> $(SEC_CRIT) ; - /etc/security -> $(SEC_CRIT) ; - #/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists -} - -#( -# rulename = "Boot Scripts", -# severity = $(SIG_HI) -#) -#{ -# /etc/rc -> $(SEC_CONFIG) ; -# /etc/rc.bsdnet -> $(SEC_CONFIG) ; -# /etc/rc.dt -> $(SEC_CONFIG) ; -# /etc/rc.net -> $(SEC_CONFIG) ; -# /etc/rc.net.serial -> $(SEC_CONFIG) ; -# /etc/rc.nfs -> $(SEC_CONFIG) ; -# /etc/rc.powerfail -> $(SEC_CONFIG) ; -# /etc/rc.tcpip -> $(SEC_CONFIG) ; -# /etc/trcfmt.Z -> $(SEC_CONFIG) ; -#} - -( - rulename = "Login Scripts", - severity = $(SIG_HI) -) -{ - /etc/bashrc -> $(SEC_CONFIG) ; - /etc/csh.cshrc -> $(SEC_CONFIG) ; - /etc/csh.login -> $(SEC_CONFIG) ; - /etc/inputrc -> $(SEC_CONFIG) ; - # /etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists - /etc/profile -> $(SEC_CONFIG) ; -} - -# Libraries -( - rulename = "Libraries", - severity = $(SIG_MED) -) -{ - /usr/lib -> $(SEC_BIN) ; - /usr/local/lib -> $(SEC_BIN) ; -} - - - ###################################################### - # ## -###################################################### # -# # # -# Critical System Boot Files # # -# These files are critical to a correct system boot. # # -# ## -###################################################### - -( - rulename = "Critical system boot files", - severity = $(SIG_HI) -) -{ - /boot -> $(SEC_CRIT) ; - #/sbin/devfsd -> $(SEC_CRIT) ; - /sbin/grub -> $(SEC_CRIT) ; - /sbin/grub-install -> $(SEC_CRIT) ; - /sbin/grub-md5-crypt -> $(SEC_CRIT) ; - /sbin/installkernel -> $(SEC_CRIT) ; - /sbin/lilo -> $(SEC_CRIT) ; - /sbin/mkkerneldoth -> $(SEC_CRIT) ; - !/boot/System.map ; - !/boot/module-info ; - /usr/share/grub/i386-redhat/e2fs_stage1_5 -> $(SEC_CRIT) ; - /usr/share/grub/i386-redhat/fat_stage1_5 -> $(SEC_CRIT) ; - /usr/share/grub/i386-redhat/ffs_stage1_5 -> $(SEC_CRIT) ; - /usr/share/grub/i386-redhat/minix_stage1_5 -> $(SEC_CRIT) ; - /usr/share/grub/i386-redhat/reiserfs_stage1_5 -> $(SEC_CRIT) ; - /usr/share/grub/i386-redhat/stage1 -> $(SEC_CRIT) ; - /usr/share/grub/i386-redhat/stage2 -> $(SEC_CRIT) ; - /usr/share/grub/i386-redhat/vstafs_stage1_5 -> $(SEC_CRIT) ; - # other boot files may exist. Look for: - #/ufsboot -> $(SEC_CRIT) ; -} - ################################################## - ################################################### - # These files change every time the system boots ## - ################################################## -( - rulename = "System boot changes", - severity = $(SIG_HI) -) -{ - !/var/run/ftp.pids-all ; # Comes and goes on reboot. - !/root/.enlightenment ; - /dev/log -> $(SEC_CONFIG) ; - /dev/cua0 -> $(SEC_CONFIG) ; - # /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device - /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout. - /dev/tty1 -> $(SEC_CONFIG) ; # tty devices - /dev/tty2 -> $(SEC_CONFIG) ; # tty devices - /dev/tty3 -> $(SEC_CONFIG) ; # are extremely - /dev/tty4 -> $(SEC_CONFIG) ; # variable - /dev/tty5 -> $(SEC_CONFIG) ; - /dev/tty6 -> $(SEC_CONFIG) ; - /dev/urandom -> $(SEC_CONFIG) ; - /dev/initctl -> $(SEC_CONFIG) ; - /var/lock/subsys -> $(SEC_CONFIG) ; - #/var/lock/subsys/amd -> $(SEC_CONFIG) ; - /var/lock/subsys/anacron -> $(SEC_CONFIG) ; - /var/lock/subsys/apmd -> $(SEC_CONFIG) ; - #/var/lock/subsys/arpwatch -> $(SEC_CONFIG) ; - /var/lock/subsys/atd -> $(SEC_CONFIG) ; - /var/lock/subsys/autofs -> $(SEC_CONFIG) ; - #/var/lock/subsys/bcm5820 -> $(SEC_CONFIG) ; - #/var/lock/subsys/bgpd -> $(SEC_CONFIG) ; - #/var/lock/subsys/bootparamd -> $(SEC_CONFIG) ; - #/var/lock/subsys/canna -> $(SEC_CONFIG) ; - /var/lock/subsys/crond -> $(SEC_CONFIG) ; - #/var/lock/subsys/cWnn -> $(SEC_CONFIG) ; - #/var/lock/subsys/dhcpd -> $(SEC_CONFIG) ; - #/var/lock/subsys/firewall -> $(SEC_CONFIG) ; - #/var/lock/subsys/freeWnn -> $(SEC_CONFIG) ; - #/var/lock/subsys/gated -> $(SEC_CONFIG) ; - /var/lock/subsys/gpm -> $(SEC_CONFIG) ; - #/var/lock/subsys/httpd -> $(SEC_CONFIG) ; - #/var/lock/subsys/identd -> $(SEC_CONFIG) ; - #/var/lock/subsys/innd -> $(SEC_CONFIG) ; - /var/lock/subsys/ipchains -> $(SEC_CONFIG) ; - #/var/lock/subsys/iptables -> $(SEC_CONFIG) ; - #/var/lock/subsys/ipvsadm -> $(SEC_CONFIG) ; - #/var/lock/subsys/irda -> $(SEC_CONFIG) ; - #/var/lock/subsys/iscsi -> $(SEC_CONFIG) ; - #/var/lock/subsys/isdn -> $(SEC_CONFIG) ; - #/var/lock/subsys/junkbuster -> $(SEC_CONFIG) ; - #/var/lock/subsys/kadmin -> $(SEC_CONFIG) ; - /var/lock/subsys/keytable -> $(SEC_CONFIG) ; - #/var/lock/subsys/kprop -> $(SEC_CONFIG) ; - #/var/lock/subsys/krb524 -> $(SEC_CONFIG) ; - #/var/lock/subsys/krb5kdc -> $(SEC_CONFIG) ; - /var/lock/subsys/kudzu -> $(SEC_CONFIG) ; - #/var/lock/subsys/kWnn -> $(SEC_CONFIG) ; - #/var/lock/subsys/ldap -> $(SEC_CONFIG) ; - #/var/lock/subsys/linuxconf -> $(SEC_CONFIG) ; - #/var/lock/subsys/lpd -> $(SEC_CONFIG) ; - #/var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ; - #/var/lock/subsys/mcserv -> $(SEC_CONFIG) ; - #/var/lock/subsys/mysqld -> $(SEC_CONFIG) ; - #/var/lock/subsys/named -> $(SEC_CONFIG) ; - /var/lock/subsys/netfs -> $(SEC_CONFIG) ; - /var/lock/subsys/network -> $(SEC_CONFIG) ; - #/var/lock/subsys/nfs -> $(SEC_CONFIG) ; - /var/lock/subsys/nfslock -> $(SEC_CONFIG) ; - #/var/lock/subsys/nscd -> $(SEC_CONFIG) ; - #/var/lock/subsys/ntpd -> $(SEC_CONFIG) ; - #/var/lock/subsys/ospf6d -> $(SEC_CONFIG) ; - #/var/lock/subsys/ospfd -> $(SEC_CONFIG) ; - /var/lock/subsys/pcmcia -> $(SEC_CONFIG) ; - /var/lock/subsys/portmap -> $(SEC_CONFIG) ; - #/var/lock/subsys/postgresql -> $(SEC_CONFIG) ; - #/var/lock/subsys/pxe -> $(SEC_CONFIG) ; - #/var/lock/subsys/radvd -> $(SEC_CONFIG) ; - /var/lock/subsys/random -> $(SEC_CONFIG) ; - #/var/lock/subsys/rarpd -> $(SEC_CONFIG) ; - /var/lock/subsys/reconfig -> $(SEC_CONFIG) ; - /var/lock/subsys/rhnsd -> $(SEC_CONFIG) ; - #/var/lock/subsys/ripd -> $(SEC_CONFIG) ; - #/var/lock/subsys/ripngd -> $(SEC_CONFIG) ; - #/var/lock/subsys/routed -> $(SEC_CONFIG) ; - #/var/lock/subsys/rstatd -> $(SEC_CONFIG) ; - #/var/lock/subsys/rusersd -> $(SEC_CONFIG) ; - #/var/lock/subsys/rwalld -> $(SEC_CONFIG) ; - #/var/lock/subsys/rwhod -> $(SEC_CONFIG) ; - /var/lock/subsys/sendmail -> $(SEC_CONFIG) ; - #/var/lock/subsys/smb -> $(SEC_CONFIG) ; - #/var/lock/subsys/snmpd -> $(SEC_CONFIG) ; - #/var/lock/subsys/squid -> $(SEC_CONFIG) ; - /var/lock/subsys/sshd -> $(SEC_CONFIG) ; - /var/lock/subsys/syslog -> $(SEC_CONFIG) ; - #/var/lock/subsys/tux -> $(SEC_CONFIG) ; - #/var/lock/subsys/tWnn -> $(SEC_CONFIG) ; - #/var/lock/subsys/ups -> $(SEC_CONFIG) ; - #/var/lock/subsys/vncserver -> $(SEC_CONFIG) ; - #/var/lock/subsys/wine -> $(SEC_CONFIG) ; - /var/lock/subsys/xfs -> $(SEC_CONFIG) ; - /var/lock/subsys/xinetd -> $(SEC_CONFIG) ; - /var/lock/subsys/ypbind -> $(SEC_CONFIG) ; - #/var/lock/subsys/yppasswdd -> $(SEC_CONFIG) ; - #/var/lock/subsys/ypserv -> $(SEC_CONFIG) ; - #/var/lock/subsys/ypxfrd -> $(SEC_CONFIG) ; - #/var/lock/subsys/zebra -> $(SEC_CONFIG) ; - /var/run -> $(SEC_CONFIG) ; - /var/log -> $(SEC_CONFIG) ; - /etc/ioctl.save -> $(SEC_CONFIG) ; - /etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes - /etc/issue -> $(SEC_CONFIG) ; - /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount - /lib/modules -> $(SEC_CONFIG) ; - /etc/.pwd.lock -> $(SEC_CONFIG) ; - # /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists -} - -# These files change the behavior of the root account -( - rulename = "Root config files", - severity = 100 -) -{ - /root -> $(SEC_CRIT) ; # Catch all additions to /root - #/root/.Xresources -> $(SEC_CONFIG) ; - /root/.bashrc -> $(SEC_CONFIG) ; - /root/.bash_profile -> $(SEC_CONFIG) ; - /root/.bash_logout -> $(SEC_CONFIG) ; - /root/.cshrc -> $(SEC_CONFIG) ; - /root/.tcshrc -> $(SEC_CONFIG) ; - /root/Mail -> $(SEC_CONFIG) ; - #/root/mail -> $(SEC_CONFIG) ; - #/root/.amandahosts -> $(SEC_CONFIG) ; - #/root/.addressbook.lu -> $(SEC_CONFIG) ; - #/root/.addressbook -> $(SEC_CONFIG) ; - /root/.bash_history -> $(SEC_CONFIG) ; - /root/.elm -> $(SEC_CONFIG) ; - #/root/.esd_auth -> $(SEC_CONFIG) ; - /root/.gnome_private -> $(SEC_CONFIG) ; - /root/.gnome-desktop -> $(SEC_CONFIG) ; - /root/.gnome -> $(SEC_CONFIG) ; - /root/.ICEauthority -> $(SEC_CONFIG) ; - #/root/.mc -> $(SEC_CONFIG) ; - #/root/.pinerc -> $(SEC_CONFIG) ; - /root/.sawfish -> $(SEC_CONFIG) ; - /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login - #/root/.xauth -> $(SEC_CONFIG) ; - /root/.xsession-errors -> $(SEC_CONFIG) ; -} - - ################################ - # ## -################################ # -# # # -# Critical configuration files # # -# ## -################################ -( - rulename = "Critical configuration files", - severity = $(SIG_HI) -) -{ - #/etc/conf.linuxconf -> $(SEC_BIN) ; - /etc/crontab -> $(SEC_BIN) ; - /etc/cron.hourly -> $(SEC_BIN) ; - /etc/cron.daily -> $(SEC_BIN) ; - /etc/cron.weekly -> $(SEC_BIN) ; - /etc/cron.monthly -> $(SEC_BIN) ; - /etc/default -> $(SEC_BIN) ; - /etc/fstab -> $(SEC_BIN) ; - /etc/exports -> $(SEC_BIN) ; - /etc/group- -> $(SEC_BIN) ; # changes should be infrequent - /etc/host.conf -> $(SEC_BIN) ; - /etc/hosts.allow -> $(SEC_BIN) ; - /etc/hosts.deny -> $(SEC_BIN) ; - /etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent - /etc/protocols -> $(SEC_BIN) ; - /etc/services -> $(SEC_BIN) ; - /etc/rc.d/init.d -> $(SEC_BIN) ; - /etc/rc.d -> $(SEC_BIN) ; - /etc/mail.rc -> $(SEC_BIN) ; - /etc/modules.conf -> $(SEC_BIN) ; - /etc/motd -> $(SEC_BIN) ; - /etc/named.conf -> $(SEC_BIN) ; - /etc/passwd -> $(SEC_CONFIG) ; - /etc/passwd- -> $(SEC_CONFIG) ; - /etc/profile.d -> $(SEC_BIN) ; - /var/lib/nfs/rmtab -> $(SEC_BIN) ; - /usr/sbin/fixrmtab -> $(SEC_BIN) ; - /etc/rpc -> $(SEC_BIN) ; - /etc/sysconfig -> $(SEC_BIN) ; - /etc/samba/smb.conf -> $(SEC_CONFIG) ; - #/etc/gettydefs -> $(SEC_BIN) ; - /etc/nsswitch.conf -> $(SEC_BIN) ; - /etc/yp.conf -> $(SEC_BIN) ; - /etc/hosts -> $(SEC_CONFIG) ; - /etc/xinetd.conf -> $(SEC_CONFIG) ; - /etc/inittab -> $(SEC_CONFIG) ; - /etc/resolv.conf -> $(SEC_CONFIG) ; - /etc/syslog.conf -> $(SEC_CONFIG) ; -} - - #################### - # ## -#################### # -# # # -# Critical devices # # -# ## -#################### -( - rulename = "Critical devices", - severity = $(SIG_HI), - recurse = false -) -{ - /dev/kmem -> $(Device) ; - /dev/mem -> $(Device) ; - /dev/null -> $(Device) ; - /dev/zero -> $(Device) ; - /proc/devices -> $(Device) ; - /proc/net -> $(Device) ; - /proc/sys -> $(Device) ; - /proc/cpuinfo -> $(Device) ; - /proc/modules -> $(Device) ; - /proc/mounts -> $(Device) ; - /proc/dma -> $(Device) ; - /proc/filesystems -> $(Device) ; - /proc/pci -> $(Device) ; - /proc/interrupts -> $(Device) ; - /proc/driver/rtc -> $(Device) ; - /proc/ioports -> $(Device) ; - #/proc/scsi -> $(Device) ; - /proc/kcore -> $(Device) ; - /proc/self -> $(Device) ; - /proc/kmsg -> $(Device) ; - /proc/stat -> $(Device) ; - /proc/ksyms -> $(Device) ; - /proc/loadavg -> $(Device) ; - /proc/uptime -> $(Device) ; - /proc/locks -> $(Device) ; - /proc/version -> $(Device) ; - /proc/mdstat -> $(Device) ; - /proc/meminfo -> $(Device) ; - /proc/cmdline -> $(Device) ; - /proc/misc -> $(Device) ; -} - -# Rest of critical system binaries -( - rulename = "OS executables and libraries", - severity = $(SIG_HI) -) -{ - /bin -> $(SEC_BIN) ; - /lib -> $(SEC_BIN) ; -} - -#============================================================================= -# -# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, -# Inc. in the United States and other countries. All rights reserved. -# -# Linux is a registered trademark of Linus Torvalds. -# -# UNIX is a registered trademark of The Open Group. -# -#============================================================================= -# -# Permission is granted to make and distribute verbatim copies of this document -# provided the copyright notice and this permission notice are preserved on all -# copies. -# -# Permission is granted to copy and distribute modified versions of this -# document under the conditions for verbatim copying, provided that the entire -# resulting derived work is distributed under the terms of a permission notice -# identical to this one. -# -# Permission is granted to copy and distribute translations of this document -# into another language, under the above conditions for modified versions, -# except that this permission notice may be stated in a translation approved by -# Tripwire, Inc. -# -# DCM -# -# $Id: twpol-GENERIC.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $ -# diff --git a/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb b/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb deleted file mode 100644 index 59d1f35c5..000000000 --- a/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb +++ /dev/null @@ -1,73 +0,0 @@ -SUMMARY = "Tripwire: A system integrity assessment tool (IDS)" -DESCRIPTION = "Open Source Tripwire® software is a security and data \ -integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems" -HOMEPAGE="http://sourceforge.net/projects/tripwire" -SECTION = "security Monitor/Admin" -LICENSE = "GPLv2" -LIC_FILES_CHKSUM = "file://COPYING;md5=1c069be8dbbe48e89b580ab4ed86c127" - -SRCREV = "80db91b4c1ca4be9efafd2286e3b2ad32ba4c34c" - -SRC_URI = "\ - git://github.com/Tripwire/tripwire-open-source.git \ - file://tripwire.cron \ - file://tripwire.sh \ - file://tripwire.txt \ - file://twcfg.txt \ - file://twinstall.sh \ - file://twpol-yocto.txt \ - file://run-ptest \ - " - -S = "${WORKDIR}/git" - -inherit autotools-brokensep update-rc.d ptest - -INITSCRIPT_NAME = "tripwire" -INITSCRIPT_PARAMS = "start 40 S ." -TRIPWIRE_HOST = "${HOST_SYS}" -TRIPWIRE_TARGET = "${TARGET_SYS}" - -CXXFLAGS += "-fno-strict-aliasing" -EXTRA_OECONF = "--disable-openssl --enable-static --sysconfdir=/etc/tripwire" - -do_install () { - install -d ${D}${libdir} ${D}${datadir} ${D}${base_libdir} - install -d ${D}${sysconfdir} ${D}${mandir} ${D}${sbindir} - install -d ${D}${sysconfdir}/${PN} - install -d ${D}${localstatedir}/lib/${PN} ${D}${localstatedir}/lib/${BPN}/report - install -d ${D}${mandir}/man4 ${D}${mandir}/man5 ${D}${mandir}/man8 - install -d ${D}${docdir}/${BPN} ${D}${docdir}/${BPN}/templates - install -d ${D}${sysconfdir}/init.d - - install -m 0755 ${S}/bin/* ${D}${sbindir} - install -m 0644 ${S}/lib/* ${D}${base_libdir} - install -m 0644 ${S}/lib/* ${D}${localstatedir}/lib/${PN} - install -m 0755 ${WORKDIR}/tripwire.cron ${D}${sysconfdir} - install -m 0755 ${WORKDIR}/tripwire.sh ${D}${sysconfdir}/init.d/tripwire - install -m 0755 ${WORKDIR}/twinstall.sh ${D}${sysconfdir}/${PN} - install -m 0644 ${WORKDIR}/twpol-yocto.txt ${D}${sysconfdir}/${PN}/twpol.txt - install -m 0644 ${WORKDIR}/twcfg.txt ${D}${sysconfdir}/${PN} - - install -m 0644 ${S}/man/man4/* ${D}${mandir}/man4 - install -m 0644 ${S}/man/man5/* ${D}${mandir}/man5 - install -m 0644 ${S}/man/man8/* ${D}${mandir}/man8 - install -m 0644 ${S}/policy/templates/* ${D}${docdir}/${BPN}/templates - install -m 0644 ${S}/policy/*txt ${D}${docdir}/${BPN} - install -m 0644 ${S}/COPYING ${D}${docdir}/${BPN} - install -m 0644 ${S}/TRADEMARK ${D}${docdir}/${BPN} - install -m 0644 ${WORKDIR}/tripwire.txt ${D}${docdir}/${BPN} -} - -do_install_ptest_append () { - install -d ${D}${PTEST_PATH}/tests - cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH} -} - -FILES_${PN} += "${libdir} ${docdir}/${PN}/*" -FILES_${PN}-dbg += "${sysconfdir}/${PN}/.debug" -FILES_${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a" -FILES_${PN}-ptest += "${PTEST_PATH}/tests " - -RDEPENDS_${PN} += " perl nano msmtp cronie" -RDEPENDS_${PN}-ptest = " perl lib-perl" diff --git a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb index 2dbbf331e..eac8d6bd4 100644 --- a/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb +++ b/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.27.bb @@ -5,7 +5,7 @@ DESCRIPTION = "\ XML security standards "XML Digital Signature" and "XML Encryption". \ " HOMEPAGE = "http://www.aleksey.com/xmlsec/" -DEPENDS = "libtool libxml2 libxslt openssl zlib libgcrypt gnutls nss nspr libgpg-error" +DEPENDS = "libtool libxml2 libxslt zlib" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://COPYING;md5=352791d62092ea8104f085042de7f4d0" @@ -20,17 +20,25 @@ SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \ file://run-ptest \ " -SRC_URI[md5sum] = "9c4aaf9ff615a73921b9e3bf4988d878" -SRC_URI[sha256sum] = "8d8276c9c720ca42a3b0023df8b7ae41a2d6c5f9aa8d20ed1672d84cc8982d50" +SRC_URI[md5sum] = "508bee7e4f1b99f2d50aaa7d38ede56e" +SRC_URI[sha256sum] = "97d756bad8e92588e6997d2227797eaa900d05e34a426829b149f65d87118eb6" inherit autotools-brokensep ptest pkgconfig CFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3" CPPFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3" -EXTRA_OECONF = "\ - --with-nss=${STAGING_LIBDIR}/../.. --with-nspr=${STAGING_LIBDIR}/../.. \ - " +PACKAGECONFIG ??= "gnutls libgcrypt nss openssl des" +PACKAGECONFIG[gnutls] = ",,gnutls" +PACKAGECONFIG[libgcrypt] = ",,libgcrypt" +PACKAGECONFIG[nss] = "--with-nss=${STAGING_LIBDIR}/../.. --with-nspr=${STAGING_LIBDIR}/../..,,nss nspr" +PACKAGECONFIG[openssl] = ",,openssl" +PACKAGECONFIG[des] = ",--disable-des,," + +# these can be dynamically loaded with xmlSecCryptoDLLoadLibrary() +FILES_SOLIBSDEV = "${libdir}/libxmlsec1.so" +FILES_${PN} += "${libdir}/libxmlsec1-*.so" +INSANE_SKIP_${PN} = "dev-so" FILES_${PN}-dev += "${libdir}/xmlsec1Conf.sh" FILES_${PN}-dbg += "${PTEST_PATH}/.debug/*" |
