subtree updates
meta-openembedded: 0e3f5e5201..491b7592f4:
Alexander Kanavin (1):
libadwaita: move recipe to oe-core
Andrej Valek (1):
cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
Archana Polampalli (1):
yasm: fix CVE-2023-31975
Chase Qi (1):
meta-python: add python3-telnetlib3 package
Chen Qi (3):
iperf3: remove incorrect CVE_PRODUCT setting
open-vm-tools: add CVE_PRODUCT
grpc: fix CVE-2023-32732
Chi Xu (1):
lapack: Add ptest support
Chris Dimich (1):
image_types_sparse: Fix syntax error
Christian Hohnstaedt (1):
android-tools: fix QA warning about buildpaths
Christophe Vu-Brugier (2):
libnvme: add recipe
nvme-cli: upgrade 1.13 -> 2.5
Etienne Cordonnier (1):
uutils-coreutils: upgrade 0.0.19 -> 0.0.20
Gianfranco Costamagna (3):
vbxguestdrivers: upgrade 7.0.8 -> 7.0.10
dlt-daemon: Add patch to fix build with googletest 1.13
gpsd: make sure gps-utils-python runtime-depends on python3-pyserial
JD Schroeder (2):
radvd: Fix groupname gid change warning
cyrus-sasl: Fix groupname gid change warning
Jan Vermaete (1):
openh264: version bump 2.1.1 -> 2.3.1
Jasper Orschulko (1):
yaml-cpp: Fix cmake export
Khem Raj (9):
openwsman: Link with -lm to get floor() definition
portaudio-v19: Update to latest tip of trunk
python3-pyaudio: Fix cross builds
poco: Fix ptests
pcmciautils: Pass LD=CC via Make cmdline
ply: Pass LD via environment to configure
sip: upgrade 6.7.10 -> 6.7.11
nodejs: Upgrade to 18.17.0
python3-m2crypto: Remove __pycache__ files
Marek Vasut (1):
libiio: update to version 0.25
Markus Volk (9):
pipewire: update 0.3.73 -> 0.3.75
libcamera: update 0.0.5 -> 0.1.0
webkitgtk3: add recipe
geary: update 43.0 -> 44.0
webkitgtk3: upgrade 2.40.2 -> 2.40.5
fuse3: update 3.14.1 -> 3.15.1
pipewire: update 0.3.75 -> 0.3.77
pipewire: add support for liblc3
gnome-software: update 44.3 -> 44.4
Martin Jansa (4):
libtommath: add recipe for LibTomMath used by dropbear
libtomcrypt: backport a fix for CVE-2019-17362
libtomcrypt: add PACKAGECONFIG for ltm enabled by default
dlm: Do not use -fcf-protection=full on aarch64 platforms
Michael Opdenacker (7):
remove unused AUTHOR variable
remove unused AUTHOR variable
remove unused AUTHOR variable
remove unused AUTHOR variable
remove unused AUTHOR variable
remove unused AUTHOR variable
meta-python: Remove unused AUTHOR variable
Mingli Yu (2):
dracut: Remove busybox from RRECOMMENDS
mariadb: Upgrade to 10.11.4
Nicolas Marguet (2):
rsyslog: update from 8.2302.0 to 8.2306.0
rsyslog: Fix function inline errors in debug optimization
Peter Marko (1):
cve_check: fix conversion errors
Ramon Fried (1):
bitwise: Upgrade 0.43 -> 0.50
Ross Burton (1):
cherokee: add CVE_PRODUCT
Tim Orling (1):
libmodule-build-tiny-perl: upgrade 0.045 -> 0.046
Trevor Gamblin (31):
python3-django: upgrade 4.2.2 -> 4.2.3
python3-ipython: upgrade 8.12.0 -> 8.14.0
python3-awesomeversion: upgrade 22.9.0 -> 23.5.0
python3-binwalk: upgrade 2.3.3 -> 2.3.4
python3-bitstring: upgrade 3.1.9 -> 4.0.2
python3-bitstring: add python3-io to RDEPENDS, alphabetize
python3-blinker: upgrade 1.5 -> 1.6.2
python3-blinker: add python3-asyncio to RDEPENDS
python3-execnet: upgrade 1.9.0 -> 2.0.2
python3-flask: upgrade 2.2.3 -> 2.3.2
python3-flask: add python3-blinker to RDEPENDS, alphabetize
python3-greenstalk: upgrade 2.0.0 -> 2.0.2
python3-humanize: upgrade 4.4.0 -> 4.7.0
python3-versioneer: add recipe
python3-parse: upgrade 1.19.0 -> 1.19.1
python3-pandas: upgrade 1.5.3 -> 2.0.3
python3-pyperf: upgrade 2.5.0 -> 2.6.1
python3-rdflib: upgrade 6.2.0 -> 6.3.2
python3-semver: upgrade 2.13.0 -> 3.0.1
python3-send2trash: upgrade 1.8.0 -> 1.8.2
python3-sh: upgrade 1.14.3 -> 2.0.4
python3-snagboot: upgrade 1.0 -> 1.1
python3-werkzeug: upgrade 2.2.3 -> 2.3.6
python3-beautifulsoup4: upgrade 4.11.1 -> 4.12.2
python3-fastjsonschema: upgrade 2.16.3 -> 2.18.0
python3-jsonpatch: upgrade 1.32 -> 1.33
python3-m2crypto: upgrade 0.38.0 -> 0.39.0
python3-matplotlib: upgrade 3.6.3 -> 3.7.2
python3-pyaudio: upgrade 0.2.11 -> 0.2.13
python3-pybind11: upgrade 2.10.3 -> 2.11.1
python3-sqlparse: upgrade 0.4.3 -> 0.4.4
Vivien Didelot (1):
libcamera: bump to latest master
Wang Mingyu (83):
c-periphery: upgrade 2.4.1 -> 2.4.2
ctags: upgrade 6.0.20230611.0 -> 6.0.20230716.0
gensio: upgrade 2.6.6 -> 2.6.7
gnome-commander: upgrade 1.16.0 -> 1.16.1
hiredis: upgrade 1.1.0 -> 1.2.0
iperf3: upgrade 3.13 -> 3.14
iwd: upgrade 2.6 -> 2.7
libbytesize: upgrade 2.8 -> 2.9
libinih: upgrade 56 -> 57
libnftnl: upgrade 1.2.5 -> 1.2.6
lvgl: upgrade 8.3.7 -> 8.3.8
bats: upgrade 1.9.0 -> 1.10.0
function2: upgrade 4.2.2 -> 4.2.3
lmdb: upgrade 0.9.29 -> 0.9.31
redis: upgrade 6.2.12 -> 6.2.13
ser2net: upgrade 4.3.12 -> 4.3.13
python3-obd: upgrade 0.7.1 -> 0.7.2
python3-path: upgrade 16.6.0 -> 16.7.1
nginx: upgrade 1.24.0 -> 1.25.1
php: upgrade 8.2.7 -> 8.2.8
python3-charset-normalizer: upgrade 3.1.0 -> 3.2.0
python3-click: upgrade 8.1.3 -> 8.1.5
python3-dnspython: upgrade 2.3.0 -> 2.4.0
python3-engineio: upgrade 4.4.1 -> 4.5.1
python3-eth-utils: upgrade 2.1.1 -> 2.2.0
python3-frozenlist: upgrade 1.3.3 -> 1.4.0
python3-gevent: upgrade 22.10.2 -> 23.7.0
python3-google-api-python-client: upgrade 2.92.0 -> 2.93.0
python3-google-auth: upgrade 2.21.0 -> 2.22.0
python3-mock: upgrade 5.0.2 -> 5.1.0
python3-platformdirs: upgrade 3.8.0 -> 3.9.1
python3-protobuf: upgrade 4.23.3 -> 4.23.4
python3-pymisp: upgrade 2.4.172 -> 2.4.173
python3-pymongo: upgrade 4.4.0 -> 4.4.1
python3-tox: upgrade 4.6.3 -> 4.6.4
python3-virtualenv: upgrade 20.23.1 -> 20.24.0
python3-zeroconf: upgrade 0.70.0 -> 0.71.0
redis-plus-plus: upgrade 1.3.9 -> 1.3.10
redis: upgrade 7.0.11 -> 7.0.12
smemstat: upgrade 0.02.11 -> 0.02.12
tesseract: upgrade 5.3.1 -> 5.3.2
weechat: upgrade 4.0.1 -> 4.0.2
wireshark: upgrade 4.0.6 -> 4.0.7
xterm: upgrade 383 -> 384
lastlog2: add new recipe
wtmpdb: add new recipe
babeld: upgrade 1.12.2 -> 1.13.1
ctags: upgrade 6.0.20230716.0 -> 6.0.20230730.0
gspell: upgrade 1.12.1 -> 1.12.2
libcompress-raw-bzip2-perl: upgrade 2.204 -> 2.206
libcompress-raw-lzma-perl: upgrade 2.204 -> 2.206
libcompress-raw-zlib-perl: upgrade 2.204 -> 2.206
libio-compress-lzma-perl: upgrade 2.204 -> 2.206
libio-compress-perl: upgrade 2.204 -> 2.206
libqb: upgrade 2.0.7 -> 2.0.8
logcheck: upgrade 1.4.2 -> 1.4.3
mdio-tools,mdio-netlink: Upgrade recipes to 1.3.0
python3-dill: upgrade 0.3.6 -> 0.3.7
python3-gunicorn: upgrade 20.1.0 -> 21.2.0
python3-web3: upgrade 6.3.0 -> 6.7.0
python3-aiohttp: upgrade 3.8.4 -> 3.8.5
python3-bitarray: upgrade 2.7.6 -> 2.8.0
python3-click: upgrade 8.1.5 -> 8.1.6
python3-cmake: upgrade 3.26.4 -> 3.27.0
python3-configargparse: upgrade 1.5.5 -> 1.7
python3-cytoolz: upgrade 0.12.1 -> 0.12.2
python3-dnspython: upgrade 2.4.0 -> 2.4.1
python3-elementpath: upgrade 4.1.4 -> 4.1.5
python3-flask-socketio: upgrade 5.3.4 -> 5.3.5
python3-gnupg: upgrade 0.5.0 -> 0.5.1
python3-google-api-python-client: upgrade 2.93.0 -> 2.95.0
python3-grpcio: upgrade 1.56.0 -> 1.56.2
python3-jedi: upgrade 0.18.2 -> 0.19.0
python3-marshmallow: upgrade 3.19.0 -> 3.20.1
python3-portion: upgrade 2.4.0 -> 2.4.1
python3-pymodbus: upgrade 3.3.2 -> 3.4.1
python3-robotframework: upgrade 6.1 -> 6.1.1
python3-tomlkit: upgrade 0.11.8 -> 0.12.1
python3-typeguard: upgrade 4.0.0 -> 4.1.0
python3-virtualenv: upgrade 20.24.0 -> 20.24.2
python3-zeroconf: upgrade 0.71.0 -> 0.71.4
rdma-core: upgrade 46.0 -> 47.0
sip: upgrade 6.7.9 -> 6.7.10
Willy Tu (1):
mstpd: Add initial recipe for mstpd
Yi Zhao (4):
samba: upgrade 4.18.4 -> 4.18.5
libnfnetlink: enable native build
libnetfilter-queue: enable native build
daq: enable nfq module build
meta-raspberrypi: e3f733cadd..5e2f79a6fa:
Jan Vermaete (2):
kas-poky-rpi.yml: renamed ABORT to HALT
rpi-base.inc: add the disable-wifi overlay
Khem Raj (1):
rpi-base: Remove customizing SPLASH var
Martin Jansa (1):
libcamera: update PACKAGECONFIG for libcamera-0.1.0
Vincent Davis Jr (1):
rpidistro-vlc: fix error uint64_t does not name
Vivien Didelot (10):
rpi-libcamera-apps: fix Illegal Instruction
rpi-libcamera-apps: add opencv build dependency
rpi-libcamera-apps: add drm support
rpi-libcamera-apps: replace tensorflow config
rpi-libcamera-apps: don't force COMPATIBLE_MACHINE
rpi-libcamera-apps: rename to libcamera-apps
libcamera-apps: move recipe to dynamic-layers
libcamera-apps: bump to 3d9ac10
libcamera-apps: switch from CMake to meson
libcamera-apps: bump to latest main
meta-arm: b4d50a273d..992c07f7c0:
Abdellatif El Khlifi (2):
arm-bsp/trusted-firmware-a: corstone1000: psci: SMCCC_ARCH_FEATURES discovery through PSCI_FEATURES
arm-bsp/u-boot: corstone1000: upgrade to v2023.07
Adam Johnston (1):
arm-bsp/trusted-firmware-a: Reserve OP-TEE memory from NWd on N1SDP
Emekcan Aras (1):
arm-bsp/u-boot: corstone1000: increase the kernel size
Jon Mason (9):
CI: add defaults for get-binary-toolchains
CI: workaround 32bit timer warning in binary toolchain
arm-bsp/corstone1000: update u-boot preferred version
arm-toolchain/gcc-aarch64-none-elf: upgrade to 12.3.rel1
arm/edk2: move 202211 recipe to meta-arm-bsp
arm-bsp: clean-up patch noise
arm/optee-test: update musl workaround patch
arm-bsp/tc1: remove trusted-firmware-m target
arm/trusted-firmware-m: upgrade to v1.8.0
Robbie Cao (1):
arm/recipes-kernel: Add preempt-rt support for generic-arm64
Ross Burton (5):
arm-toolchain/androidclang: remove
arm-toolchain/arm-binary-toolchain: install to a versioned directory
arm-toolchain/gcc-arm-none-eabi-11.2: add new recipe
arm/trusted-firmware-m: explicitly use Arm GCC 11.2
arm-toolchain/gcc-arm-none-eabi: upgrade to 12.3.rel1
Ziad Elhanafy (1):
arm/recipes-devtools,doc: Update FVP version
poky: b398c7653e..71282bbc53:
Alex Kiernan (3):
base-passwd: Add the sgx group
udev: eudev: Revert add group to sgx
poky/poky-tiny: Explicitly exclude `shadow`
Alexander Kanavin (25):
meta: add missing summaries for image recipes
insane.bbclass: add do_recipe_qa task
devtool: do not run recipe_qa task when extracting source
insane.bbclass: add a SUMMARY/HOMEPAGE check (oe-core recipes only)
insane.bbclass: add a RECIPE_MAINTAINER check (oe-core recipes only)
librsvg: fix upstream version check
acpica: tarball and homepage relocated to intel.com
gnu-efi: upgrade 3.0.15 -> 3.0.17
gettext-minimal-native: obtain the needed files directly from gettext source tarball
kbd: upgrade 2.6.0 -> 2.6.1
systemd: upgrade 253.3 -> 253.7
jquery: upgrade 3.6.3 -> 3.7.0
strace: upgrade 6.3 -> 6.4
sudo: update 1.9.13p3 -> 1.9.14p2
libadwaita: add recipe from meta-gnome
epiphany: upgrade 43.1 -> 44.5
glibc-locale: use stricter matching for metapackages' runtime dependencies
uninative-tarball: install the full set of gconv modules
buildtools-extended-tarball: install the full set of gconv modules
procps: address failure with gettext 0.22
util-linux: upgrade 2.38.1 -> 2.39.1
ref-manual: document image-specific variant of INCOMPATIBLE_LICENSE
devtool/upgrade: raise an error if extracting source produces more than one directory
scripts/lib/scriptutils.py: add recipe_qa artifacts to exclusion list in filter_src_subdirs()
curl: ensure all ptest failures are caught
Alexandre Belloni (2):
base-files: bump PR because conf files are now sorted
wic: bootimg-efi: Stop hardcoding VMA offsets
Alexis Lothoré (3):
scripts/resulttool: add mention about new detected tests
scripts/resulttool: allow to replace test raw status with custom string
scripts/resulttool: define custom string for "not found" test results
Andrej Valek (2):
maintainers.inc: Modify email address
ref-manual: document CVE_STATUS and CVE_CHECK_STATUSMAP
Anuj Mittal (4):
glibc/check-test-wrapper: don't emit warnings from ssh
selftest/cases/glibc.py: increase the memory for testing
oeqa/utils/nfs: allow requesting non-udp ports
selftest/cases/glibc.py: switch to using NFS over TCP
BELOUARGA Mohamed (3):
linux-firmware : Add firmware of RTL8822 serie
bitbake: bitbake: fetch2/npmsw: Check if there are dependencies before trying to fetch them
bitbake: fetch2: Check if path is 'None' before calculating checksums
Bruce Ashfield (11):
kernel: make LOCALVERSION consistent between recipes
linux-yocto/6.4: fix CONFIG_LEDS_TRIGGER_GPIO kernel audit warning
linux-yocto/6.4: update to v6.4.6
linux-yocto/6.1: update to v6.1.41
linux-yocto/6.4: update to v6.4.7
linux-yocto-dev: bump to v6.5+
linux-yocto/6.4: update to v6.4.8
linux-yocto/6.1: update to v6.1.43
linux-yocto/6.4: update to v6.4.9
linux-yocto/6.4: fix qemuarm boot failure
linux-yocto-tiny/6.4: fix HID configuration warning
Chen Qi (4):
ncurses: fix CVE-2023-29491
multilib.conf: explicitly make MULTILIB_VARIANTS vardeps on MULTILIBS
gcc-crosssdk: ignore MULTILIB_VARIANTS in signature computation
openssh: sync with upstream's default
Christopher Larson (6):
bitbake: tests.data: add test for inline python calling a def'd function
bitbake: tests.codeparser: add test for exec of builtin from inline python
bitbake: data_smart: check for python builtins directly for context lookup
bitbake: tests.data: add test for builtin preferred over metadata value
bitbake: data_smart: directly check for methodpool functions in context lookup
bitbake: bb.tests.data: don't require the func flag for context functions
Denis OSTERLAND-HEIM (1):
kernel-fitImage: add machine compatible to config section
Dit Kozmaj (1):
bitbake: fetch2: Set maxsplit to match expected variables
Dmitry Baryshkov (5):
kmscube: bump SRCREV to get offscreen rendering to work
linux-firmware: package firmare for Dragonboard 410c
mesa: simplify overriding GALLIUMDRIVERS_LLVM
mesa: enable swrast Vulkan driver if LLVM drivers are enabled
linux-firmware: split platform-specific Adreno shaders to separate packages
Frederic Martinsons (4):
ptest-cargo.bbclass: Support of cargo workspaces
cargo.bbclass: Use --frozen flag for cargo operations
cargo_common.bbclass: Handle Cargo.lock modifications for git dependencies
rust-hello-world: Drop recipe
Jean-Marie Lemetayer (1):
package: always sort the conffiles
Joel Stanley (1):
kernel: don't fail if Modules.symvers doesn't exist
Jose Quaresma (1):
systemd: fix efi stubs
Joshua Watt (1):
bitbake: contrib: vim: Fix up a few errors when reloading
Julien Stephan (1):
libexif: add ptest support
Khem Raj (16):
nfs-utils: Fix host path contamination building locktest
ltp: Use bfd linker when lld is distro linker default
ffmpeg: Use bfd linker on i386 when lld is distro linker default
ltp: Use bfd linker for KVM_LD as well when ld-is-lld
autoconf: Backport upstreamed patches
Revert "site: merged common-glibc from OE"
x32-linux: Do not cache ac_cv_sys_file_offset_bits
gcc: Upgrade to 13.2 release
gnu-efi: Fix build break on riscv64
ffmpeg: Fix wrong code found with gas/2.41
systemd: Point to target binary paths for loadkeys and setfont
systemd: Make 254 work on musl
musl: Upgrade to tip of trunk
binutils: Upgrade to 2.41 release
systemd-boot: Ensure EFI_LD is also passed to compiler driver
pm-utils: Do not require GNU grep at runtime
Lee Chee Yang (2):
migration-guides: add release notes for 4.0.11
migration-guides: add release notes for 4.2.2
Luca Boccassi (2):
systemd: update to v254
systemd: add usrmerge to REQUIRED_DISTRO_FEATURES
Marek Vasut (1):
linux-firmware: Fix mediatek mt7601u firmware path
Mark Hatle (1):
tcf-agent: Update to 1.8.0 release
Markus Volk (4):
gcr3: remove recipe
systemd: add a packageconfig to support colored logs
webkitgtk: upgrade 2.40.2 -> 2.40.5
epiphany: upgrade 44.5 -> 44.6
Martin Jansa (3):
patchelf: add 3 fixes to optimize and fix uninative
alsa-utils: backport a fix to build with glibc-2.38
efivar: drop -fuse-ld=bfd
Michael Halstead (1):
yocto-uninative: Update hashes for uninative 4.1
Michael Opdenacker (4):
ref-manual: releases.svg: updates
ref-manual: LTS releases now supported for 4 years
poky.conf: update SANITY_TESTED_DISTROS to match autobuilder
recipes: remove unused AUTHOR variable
Oleksandr Hnatiuk (2):
file: return wrapper to fix builds when file is in buildtools-tarball
file: fix the way path is written to environment-setup.d
Ovidiu Panait (2):
mdadm: add util-linux-blockdev ptest dependency
mdadm: save ptest logs
Peter Marko (4):
cve-extra-exclusions: fix syntax error
libarchive: ignore CVE-2023-30571
cve-exclusion_6.1: correct typo in exclusion list name
bluez5: correct CVE status of ignored CVEs
Peter Suti (1):
externalsrc: fix dependency chain issues
Quentin Schulz (1):
docs: sdk-manual: appendix-obtain: fix literal block content
Richard Purdie (21):
createrepo-c: Fix 32 bit architecture segfaults with 64 bit time
build-appliance-image: Update to master head revision
oeqa/target/ssh: Ensure EAGAIN doesn't truncate output
createrepo-c: Update patch status
oeqa/runtime/ltp: Increase ltp test output timeout
oeqa/ltp: Show warning for non-zero exit codes
ltp: Add kernel loopback module dependency
target/ssh: Ensure exit code set for commands
autoconf: Upgrade to 2.72c
oeqa/ssh: Further improve process exit handling
oeqa/selftest/rust: Round test execution time to integer
qemuboot/runqemu: Fix 6.2 and later kernel network device naming
bitbake: siggen: Improve runtaskdeps data to fix sstate debugging
sstatesig: Update to match bitbake changes to runtaskdeps
Revert "kea: upgrade to v2.5.0"
selftest/reproducible: Update config to match ongoing changes
gnupg: Fix reproducibility failure
selftest: Ensure usrmerge is enabled with systemd
conf/init-mamager-systemd: Add usrmerge to DISTRO_FEATURES
bitbake.conf: Drop PE and PR from WORKDIR and STAMP
qemuboot: Update hardcoded path to match new layout
Robert Joslyn (2):
curl: Update from 8.1.2 to 8.2.0
curl: Refine ptest perl RDEPENDS
Ross Burton (8):
systemd: set correct paths for kdb binaries
systemd: depend on util-linux's swapon/off
linux-yocto: add script to generate kernel CVE_STATUS entries
ghostscript: backport fix for CVE-2023-38559
ghostscript: ignore CVE-2023-38560
openssh: upgrade to 9.3p2
librsvg: upgrade to 2.56.3
linux-yocto: extract generic kernel CVE_STATUS
Sakib Sajal (1):
go: upgrade 1.20.6 -> 1.20.7
Sudip Mukherjee (3):
libgit2: upgrade to v1.7.0
bind: upgrade to v9.18.17
kea: upgrade to v2.5.0
Tim Orling (10):
python3-urllib3: upgrade 2.0.3 -> 2.0.4
python3-hypothesis: upgrade 6.81.2 -> 6.82.0
python3-pyyaml: upgrade 6.0 -> 6.0.1
python_setuptools3_rust: inherit ...build_meta
python3-sphinx: upgrade 7.0.1 -> 7.1.1
python3-certifi: upgrade 2023.5.7 -> 2023.7.22
python3-more-itertools: upgrade 9.1.0 -> 10.0.0
python3-wheel: upgrade 0.40.0 -> 0.41.0
python3-chardet: upgrade 5.1.0 -> 5.2.0
python3-cryptography{-vectors}: upgrade -> 41.0.3
Trevor Gamblin (7):
python3-dtschema: upgrade 2023.4 -> 2023.6.1
python3-dtc: add from meta-virtualization
python3-dtschema: add python3-dtc to RDEPENDS
nfs-utils: upgrade 2.6.2 -> 2.6.3
iproute2: upgrade 6.3.0 -> 6.4.0
git: upgrade 2.39.3 -> 2.41.0
python3: add additional timing-related test skips
Ulrich Ölmann (3):
ref-manual: classes: kernel-fitimage: fix source of imagetype
ref-manual: classes: kernel-fitimage: fix typos
ref-manual: classes: kernel-fitimage: refine role of INITRAMFS_IMAGE_BUNDLE
Yang Xu (2):
oeqa/selftest/ssate: Add test for find_siginfo
bitbake: server/process: fix sig handle
Yash Shinde (5):
rust: Fix BOOTSTRAP_CARGO failure during Rust Oe-selftest
oeqa/selftest/rust: Add failed test cases to exclude list for Rust Oe-selftest
oeqa/selftest/binutils: Add elapsed time for binutils test report.
oeqa/selftest/gcc: Add elapsed time for gcc test report.
oeqa/selftest/glibc: Add elapsed time for glibc test report.
Yoann Congal (1):
bitbake: fetch2/gitsm: Document that we won't support propagating user parameter
meta-security: 405cca4028..b9bc938785:
Armin Kuster (21):
bastille: bastille/config should not be world writeable.
ossec-hids: Fix usermod
python3-flask-script: add package
python3-segno: add new package
python3-privacyidea: fixup REDPENDS
qemu: move qemu setting to image and out of layer.conf
packagegroup-core-security: only include firejail x86-64 and arch64
firejail: only allow x86-64 and arm64 to build
python3-tpm2-pytss: add python tss2 support
packagegroup: add python3-tpm2-pytss
clamav: update SRC_URI
scap-security-guide: refactor patches
packagegroup-security-tpm2: add more pkgs
scap-security-guide: enable ptest
python3-yamlpath: Add new pkg
python3-json2html: add new pkg
python3-json2html: add new pkg
meta-integrity: drop ima.cfg in favor of new k-cache
sshguard: Update to 2.4.3
meta-tpm linux-yocto-rt: Add the bbappend for rt kernel
layer: add QA_WARNINGS to all layers
Kai Kang (2):
openscap: fix buildpaths issue
sssd: 2.7.4 -> 2.9.1
Kevin Hao (1):
linux-yocto-rt: Add the bbappend for rt kernel
Luke Granger-Brown (1):
glome: update to tip
Wurm, Stephan (1):
dm-verity-image-initramfs: Allow compressed image types
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Icf1ba0c270d53f4c3c3838d4305116e5d6f794de
diff --git a/meta-security/recipes-compliance/openscap/files/0003-CMakeLists.txt-make-2-variables-configurable.patch b/meta-security/recipes-compliance/openscap/files/0003-CMakeLists.txt-make-2-variables-configurable.patch
new file mode 100644
index 0000000..953b0d9
--- /dev/null
+++ b/meta-security/recipes-compliance/openscap/files/0003-CMakeLists.txt-make-2-variables-configurable.patch
@@ -0,0 +1,37 @@
+From f99c3f1f516a84d33794f8e3da59adea1a12ef54 Mon Sep 17 00:00:00 2001
+From: Kai Kang <kai.kang@windriver.com>
+Date: Tue, 20 Jun 2023 22:42:51 +0800
+Subject: [PATCH] CMakeLists.txt: make 2 variables configurable
+
+Variables PREFERRED_PYTHON_PATH and PYTHON3_PATH are set with
+${PYTHON_EXECUTABLE}. For cross compile, ${PYTHON_EXECUTABLE} may point
+to other path rather than standard dir such as /usr/bin. Then the
+generated library file contains such path which should NOT. Update to
+make variables PREFERRED_PYTHON_PATH and PYTHON3_PATH configurable to
+avoid such issue.
+
+Upstream-Status: Submitted [https://github.com/OpenSCAP/openscap/pull/1990]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ CMakeLists.txt | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 5db014e77..74628cdd4 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -125,8 +125,8 @@ endif()
+ find_package(PythonInterp 3)
+ find_package(PythonLibs 3)
+
+-set(PREFERRED_PYTHON_PATH "${PYTHON_EXECUTABLE}")
+-set(PYTHON3_PATH "${PYTHON_EXECUTABLE}")
++set(PREFERRED_PYTHON_PATH "${PYTHON_EXECUTABLE}" CACHE PATH "Path to preferred Python")
++set(PYTHON3_PATH "${PYTHON_EXECUTABLE}" CACHE PATH "Path to Python3")
+
+ find_package(RPM)
+ if(RPM_FOUND)
+--
+2.34.1
+
diff --git a/meta-security/recipes-compliance/openscap/openscap_1.3.8.bb b/meta-security/recipes-compliance/openscap/openscap_1.3.8.bb
index ecc347c..5abd5a6 100644
--- a/meta-security/recipes-compliance/openscap/openscap_1.3.8.bb
+++ b/meta-security/recipes-compliance/openscap/openscap_1.3.8.bb
@@ -12,6 +12,7 @@
#Jun 22th, 2023
SRCREV = "a81c66d9bc36612dd1ca83a8c959a59e172eb4b9"
SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3;protocol=https \
+ file://0003-CMakeLists.txt-make-2-variables-configurable.patch \
"
S = "${WORKDIR}/git"
@@ -35,7 +36,9 @@
-DENABLE_PROBES_WINDOWS=OFF -DENABLE_VALGRIND=OFF \
-DENABLE_SCE=ON -DENABLE_MITRE=OFF -DENABLE_TESTS=OFF \
-DCMAKE_SKIP_INSTALL_RPATH=ON -DCMAKE_SKIP_RPATH=ON \
- "
+ -DPREFERRED_PYTHON_PATH=${bindir}/python3 \
+ -DPYTHON3_PATH=${bindir}/python3 \
+ "
STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source"
STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch
deleted file mode 100644
index 355f954..0000000
--- a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 23a224203a73688567f500380644e5cf30c8ed99 Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Thu, 22 Jun 2023 06:19:26 -0400
-Subject: [PATCH] scap-security-guide: add Poky support
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- products/openembedded/product.yml | 7 +++-
- .../openembedded/transforms/constants.xslt | 4 +--
- shared/checks/oval/installed_OS_is_poky.xml | 33 +++++++++++++++++++
- 3 files changed, 41 insertions(+), 3 deletions(-)
- create mode 100644 shared/checks/oval/installed_OS_is_poky.xml
-
-diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml
-index 9f2f12d737..a495e197c0 100644
---- a/products/openembedded/product.yml
-+++ b/products/openembedded/product.yml
-@@ -14,6 +14,11 @@ init_system: "systemd"
- cpes_root: "../../shared/applicability"
- cpes:
- - openembedded:
-- name: "cpe:/o:openembedded"
-+ name: "cpe:/o:openembedded:nodistro:"
- title: "OpenEmbedded nodistro"
- check_id: installed_OS_is_openembedded
-+
-+ - poky:
-+ name: "cpe:/o:openembedded:poky:"
-+ title: "OpenEmbedded Poky reference distribution"
-+ check_id: installed_OS_is_poky
-diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt
-index 85e812a7c1..8901def2f9 100644
---- a/products/openembedded/transforms/constants.xslt
-+++ b/products/openembedded/transforms/constants.xslt
-@@ -2,8 +2,8 @@
-
- <xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
-
--<xsl:variable name="product_long_name">OpenEmbedded nodistro</xsl:variable>
--<xsl:variable name="product_short_name">OE nodistro</xsl:variable>
-+<xsl:variable name="product_long_name">OpenEmbedded based distribution</xsl:variable>
-+<xsl:variable name="product_short_name">OE distros</xsl:variable>
- <xsl:variable name="product_stig_id_name">empty</xsl:variable>
- <xsl:variable name="prod_type">openembedded</xsl:variable>
-
-diff --git a/shared/checks/oval/installed_OS_is_poky.xml b/shared/checks/oval/installed_OS_is_poky.xml
-new file mode 100644
-index 0000000000..9c41acd786
---- /dev/null
-+++ b/shared/checks/oval/installed_OS_is_poky.xml
-@@ -0,0 +1,33 @@
-+<def-group>
-+ <definition class="inventory" id="installed_OS_is_poky" version="1">
-+ <metadata>
-+ <title>Poky</title>
-+ <affected family="unix">
-+ <platform>multi_platform_all</platform>
-+ </affected>
-+ <description>The operating system installed is a Poky referenece based System</description>
-+ </metadata>
-+ <criteria comment="System is Poky reference distribution" operator="AND">
-+ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
-+ <criterion comment="Poky based distro" test_ref="test_os_release_poky" />
-+ <criterion comment="Poky referenece distribution is installed" test_ref="test_poky" />
-+ </criteria>
-+ </definition>
-+
-+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_release_poky" version="1">
-+ <unix:object object_ref="obj_os_release_poky" />
-+ </unix:file_test>
-+ <unix:file_object comment="check /etc/os-release file" id="obj_os_release_poky" version="1">
-+ <unix:filepath>/etc/os-release</unix:filepath>
-+ </unix:file_object>
-+
-+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded" id="test_poky" version="1">
-+ <ind:object object_ref="obj_poky" />
-+ </ind:textfilecontent54_test>
-+ <ind:textfilecontent54_object id="obj_poky" version="1" comment="Check Poky">
-+ <ind:filepath>/etc/os-release</ind:filepath>
-+ <ind:pattern operation="pattern match">^ID=poky$</ind:pattern>
-+ <ind:instance datatype="int">1</ind:instance>
-+ </ind:textfilecontent54_object>
-+
-+</def-group>
---
-2.34.1
-
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch
new file mode 100644
index 0000000..0db2b12
--- /dev/null
+++ b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch
@@ -0,0 +1,388 @@
+From 826dd5b109f79270819703a23cc8066895d68042 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 14 Jun 2023 07:46:55 -0400
+Subject: [PATCH 1/2] scap-security-guide: add openembedded distro support
+
+includes a standard profile for out-of-the-box checks
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Upstream-Status: Pending
+https://github.com/ComplianceAsCode/content/pull/10793
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ CMakeLists.txt | 5 +
+ build_product | 1 +
+ products/openembedded/CMakeLists.txt | 6 +
+ products/openembedded/product.yml | 19 ++
+ .../openembedded/profiles/standard.profile | 166 ++++++++++++++++++
+ .../openembedded/transforms/constants.xslt | 10 ++
+ .../oval/installed_OS_is_openembedded.xml | 33 ++++
+ .../oval/sysctl_kernel_ipv6_disable.xml | 1 +
+ ssg/constants.py | 5 +-
+ 9 files changed, 245 insertions(+), 1 deletion(-)
+ create mode 100644 products/openembedded/CMakeLists.txt
+ create mode 100644 products/openembedded/product.yml
+ create mode 100644 products/openembedded/profiles/standard.profile
+ create mode 100644 products/openembedded/transforms/constants.xslt
+ create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 6b1ac00ff9..e4191f2cef 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -97,6 +97,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be
+ option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
++option(SSG_PRODUCT_OE "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+
+
+ option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
+@@ -291,6 +292,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
+ message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
+ message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}")
+ message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}")
++message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OE}")
+
+
+ message(STATUS " ")
+@@ -409,6 +411,9 @@ endif()
+ if(SSG_PRODUCT_UOS20)
+ add_subdirectory("products/uos20" "uos20")
+ endif()
++if (SSG_PRODUCT_OE)
++ add_subdirectory("products/openembedded" "openembedded")
++endif()
+
+ # ZIP only contains source datastreams and kickstarts, people who
+ # want sources to build from should get the tarball instead.
+diff --git a/build_product b/build_product
+index fc793cbe70..7bdc03edfe 100755
+--- a/build_product
++++ b/build_product
+@@ -333,6 +333,7 @@ all_cmake_products=(
+ UBUNTU2204
+ UOS20
+ MACOS1015
++ OPENEMBEDDED
+ )
+
+ DEFAULT_OVAL_MAJOR_VERSION=5
+diff --git a/products/openembedded/CMakeLists.txt b/products/openembedded/CMakeLists.txt
+new file mode 100644
+index 0000000000..1981adf53e
+--- /dev/null
++++ b/products/openembedded/CMakeLists.txt
+@@ -0,0 +1,6 @@
++# Sometimes our users will try to do: "cd openembedded; cmake ." That needs to error in a nice way.
++if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
++ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
++endif()
++
++ssg_build_product("openembedded")
+diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml
+new file mode 100644
+index 0000000000..debf6870ef
+--- /dev/null
++++ b/products/openembedded/product.yml
+@@ -0,0 +1,19 @@
++product: openembedded
++full_name: OpemEmbedded
++type: platform
++
++benchmark_id: OPENEMBEDDED
++benchmark_root: "../../linux_os/guide"
++
++profiles_root: "./profiles"
++
++pkg_manager: "dnf"
++
++init_system: "systemd"
++
++cpes_root: "../../shared/applicability"
++cpes:
++ - openembedded:
++ name: "cpe:/o:openembedded:nodistro:"
++ title: "OpenEmbedded nodistro"
++ check_id: installed_OS_is_openembedded
+diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
+new file mode 100644
+index 0000000000..fcb9e0e5c2
+--- /dev/null
++++ b/products/openembedded/profiles/standard.profile
+@@ -0,0 +1,166 @@
++documentation_complete: true
++
++title: 'Sample Security Profile for OpenEmbedded Distros'
++
++description: |-
++ This profile is an sample for use in documentation and example content.
++ The selected rules are standard and should pass quickly on most systems.
++
++selections:
++ - file_owner_etc_passwd
++ - file_groupowner_etc_passwd
++ - service_crond_enabled
++ - file_groupowner_crontab
++ - file_owner_crontab
++ - file_permissions_crontab
++ - file_groupowner_cron_hourly
++ - file_owner_cron_hourly
++ - file_permissions_cron_hourly
++ - file_groupowner_cron_daily
++ - file_owner_cron_daily
++ - file_permissions_cron_daily
++ - file_groupowner_cron_weekly
++ - file_owner_cron_weekly
++ - file_permissions_cron_weekly
++ - file_groupowner_cron_monthly
++ - file_owner_cron_monthly
++ - file_permissions_cron_monthly
++ - file_groupowner_cron_d
++ - file_owner_cron_d
++ - file_permissions_cron_d
++ - file_groupowner_cron_allow
++ - file_owner_cron_allow
++ - file_cron_deny_not_exist
++ - file_groupowner_at_allow
++ - file_owner_at_allow
++ - file_at_deny_not_exist
++ - file_permissions_at_allow
++ - file_permissions_cron_allow
++ - file_groupowner_sshd_config
++ - file_owner_sshd_config
++ - file_permissions_sshd_config
++ - file_permissions_sshd_private_key
++ - file_permissions_sshd_pub_key
++ - sshd_set_loglevel_verbose
++ - sshd_set_loglevel_info
++ - sshd_max_auth_tries_value=4
++ - sshd_set_max_auth_tries
++ - sshd_disable_rhosts
++ - disable_host_auth
++ - sshd_disable_root_login
++ - sshd_disable_empty_passwords
++ - sshd_do_not_permit_user_env
++ - sshd_idle_timeout_value=15_minutes
++ - sshd_set_idle_timeout
++ - sshd_set_keepalive
++ - var_sshd_set_keepalive=0
++ - sshd_set_login_grace_time
++ - var_sshd_set_login_grace_time=60
++ - sshd_enable_warning_banner
++ - sshd_enable_pam
++ - sshd_set_maxstartups
++ - var_sshd_set_maxstartups=10:30:60
++ - sshd_set_max_sessions
++ - var_sshd_max_sessions=10
++ - accounts_password_pam_minclass
++ - accounts_password_pam_minlen
++ - accounts_password_pam_retry
++ - var_password_pam_minclass=4
++ - var_password_pam_minlen=14
++ - locking_out_password_attempts
++ - accounts_password_pam_pwhistory_remember_password_auth
++ - accounts_password_pam_pwhistory_remember_system_auth
++ - var_password_pam_remember_control_flag=required
++ - var_password_pam_remember=5
++ - set_password_hashing_algorithm_systemauth
++ - var_accounts_maximum_age_login_defs=365
++ - accounts_password_set_max_life_existing
++ - var_accounts_minimum_age_login_defs=7
++ - accounts_password_set_min_life_existing
++ - var_accounts_password_warn_age_login_defs=7
++ - account_disable_post_pw_expiration
++ - var_account_disable_post_pw_expiration=30
++ - no_shelllogin_for_systemaccounts
++ - accounts_tmout
++ - var_accounts_tmout=15_min
++ - accounts_root_gid_zero
++ - accounts_umask_etc_bashrc
++ - use_pam_wheel_for_su
++ - sshd_allow_only_protocol2
++ - journald_forward_to_syslog
++ - journald_compress
++ - journald_storage
++ - service_auditd_enabled
++ - service_httpd_disabled
++ - service_vsftpd_disabled
++ - service_named_disabled
++ - service_nfs_disabled
++ - service_rpcbind_disabled
++ - service_slapd_disabled
++ - service_dhcpd_disabled
++ - service_cups_disabled
++ - service_ypserv_disabled
++ - service_rsyncd_disabled
++ - service_avahi-daemon_disabled
++ - service_snmpd_disabled
++ - service_squid_disabled
++ - service_smb_disabled
++ - service_dovecot_disabled
++ - banner_etc_motd
++ - login_banner_text=cis_banners
++ - banner_etc_issue
++ - login_banner_text=cis_banners
++ - file_groupowner_etc_motd
++ - file_owner_etc_motd
++ - file_permissions_etc_motd
++ - file_groupowner_etc_issue
++ - file_owner_etc_issue
++ - file_permissions_etc_issue
++ - ensure_gpgcheck_globally_activated
++ - package_aide_installed
++ - aide_periodic_cron_checking
++ - grub2_password
++ - file_groupowner_grub2_cfg
++ - file_owner_grub2_cfg
++ - file_permissions_grub2_cfg
++ - require_singleuser_auth
++ - require_emergency_target_auth
++ - disable_users_coredumps
++ - configure_crypto_policy
++ - var_system_crypto_policy=default_policy
++ - dir_perms_world_writable_sticky_bits
++ - file_permissions_etc_passwd
++ - file_owner_etc_shadow
++ - file_groupowner_etc_shadow
++ - file_groupowner_etc_group
++ - file_owner_etc_group
++ - file_permissions_etc_group
++ - file_groupowner_etc_gshadow
++ - file_owner_etc_gshadow
++ - file_groupowner_backup_etc_passwd
++ - file_owner_backup_etc_passwd
++ - file_permissions_backup_etc_passwd
++ - file_groupowner_backup_etc_shadow
++ - file_owner_backup_etc_shadow
++ - file_permissions_backup_etc_shadow
++ - file_groupowner_backup_etc_group
++ - file_owner_backup_etc_group
++ - file_permissions_backup_etc_group
++ - file_groupowner_backup_etc_gshadow
++ - file_owner_backup_etc_gshadow
++ - file_permissions_unauthorized_world_writable
++ - file_permissions_ungroupowned
++ - accounts_root_path_dirs_no_write
++ - root_path_no_dot
++ - accounts_no_uid_except_zero
++ - file_ownership_home_directories
++ - file_groupownership_home_directories
++ - no_netrc_files
++ - no_rsh_trust_files
++ - account_unique_id
++ - group_unique_id
++ - group_unique_name
++ - wireless_disable_interfaces
++ - package_firewalld_installed
++ - service_firewalld_enabled
++ - package_iptables_installed
+diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt
+new file mode 100644
+index 0000000000..152571e8bb
+--- /dev/null
++++ b/products/openembedded/transforms/constants.xslt
+@@ -0,0 +1,10 @@
++<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
++
++<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
++
++<xsl:variable name="product_long_name">OpenEmbedded</xsl:variable>
++<xsl:variable name="product_short_name">openembedded</xsl:variable>
++<xsl:variable name="product_stig_id_name">empty</xsl:variable>
++<xsl:variable name="prod_type">openembedded</xsl:variable>
++
++</xsl:stylesheet>
+diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml
+new file mode 100644
+index 0000000000..11ebdca913
+--- /dev/null
++++ b/shared/checks/oval/installed_OS_is_openembedded.xml
+@@ -0,0 +1,33 @@
++<def-group>
++ <definition class="inventory" id="installed_OS_is_openembedded" version="1">
++ <metadata>
++ <title>OpenEmbedded</title>
++ <affected family="unix">
++ <platform>multi_platform_all</platform>
++ </affected>
++ <description>The operating system installed is an OpenEmbedded based system</description>
++ </metadata>
++ <criteria comment="System is OpenEmbedded based" operator="AND">
++ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
++ <criterion comment="OpenEmbedded distro" test_ref="test_os_openembedded" />
++ <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" />
++ </criteria>
++ </definition>
++
++ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_openembedded" version="1">
++ <unix:object object_ref="obj_os_openembedded" />
++ </unix:file_test>
++ <unix:file_object comment="check /etc/os-release file" id="obj_os_openembedded" version="1">
++ <unix:filepath>/etc/os-release</unix:filepath>
++ </unix:file_object>
++
++ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded" id="test_openembedded" version="1">
++ <ind:object object_ref="obj_openembedded" />
++ </ind:textfilecontent54_test>
++ <ind:textfilecontent54_object id="obj_openembedded" version="1" comment="Check OpenEmbedded">
++ <ind:filepath>/etc/os-release</ind:filepath>
++ <ind:pattern operation="pattern match">^ID=nodistro$</ind:pattern>
++ <ind:instance datatype="int">1</ind:instance>
++ </ind:textfilecontent54_object>
++
++</def-group>
+diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+index affb9770cb..4f22df262c 100644
+--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
++++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+@@ -8,6 +8,7 @@
+ <platform>multi_platform_debian</platform>
+ <platform>multi_platform_example</platform>
+ <platform>multi_platform_fedora</platform>
++ <platform>multi_platform_openembedded</platform>
+ <platform>multi_platform_opensuse</platform>
+ <platform>multi_platform_ol</platform>
+ <platform>multi_platform_rhcos</platform>
+diff --git a/ssg/constants.py b/ssg/constants.py
+index f66ba008fa..630fbdfcb9 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -219,6 +219,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
+ "Ubuntu 20.04": "ubuntu2004",
+ "Ubuntu 22.04": "ubuntu2204",
+ "UnionTech OS Server 20": "uos20",
++ "OpenEmbedded": "openembedded",
+ "Not Applicable" : "example"
+ }
+
+@@ -267,7 +268,7 @@ REFERENCES = dict(
+
+ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
+ "opensuse", "sle", "ol", "ocp", "rhcos",
+- "example", "eks", "alinux", "uos", "anolis"]
++ "example", "eks", "alinux", "uos", "anolis", "openembedded"]
+
+ MULTI_PLATFORM_MAPPING = {
+ "multi_platform_alinux": ["alinux2", "alinux3"],
+@@ -285,6 +286,7 @@ MULTI_PLATFORM_MAPPING = {
+ "multi_platform_sle": ["sle12", "sle15"],
+ "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"],
+ "multi_platform_uos": ["uos20"],
++ "multi_platform_openembedded": ["openembedded"],
+ }
+
+ RHEL_CENTOS_CPE_MAPPING = {
+@@ -454,6 +456,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
+ 'ocp': 'Red Hat OpenShift Container Platform',
+ 'rhcos': 'Red Hat Enterprise Linux CoreOS',
+ 'eks': 'Amazon Elastic Kubernetes Service',
++ 'openembedded': 'OpenEmbedded',
+ }
+
+ # References that can not be used with product-qualifiers
+--
+2.34.1
+
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch
deleted file mode 100644
index f003f72..0000000
--- a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch
+++ /dev/null
@@ -1,231 +0,0 @@
-From f6287d146762b8360bd7099f4724a58eedba7d2a Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Wed, 14 Jun 2023 07:46:55 -0400
-Subject: [PATCH] scap-security-guide: add openembedded
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
----
- CMakeLists.txt | 5 +++
- build_product | 1 +
- products/openembedded/CMakeLists.txt | 6 ++++
- products/openembedded/product.yml | 19 +++++++++++
- .../openembedded/profiles/standard.profile | 12 +++++++
- .../openembedded/transforms/constants.xslt | 10 ++++++
- .../oval/installed_OS_is_openembedded.xml | 33 +++++++++++++++++++
- .../oval/sysctl_kernel_ipv6_disable.xml | 1 +
- ssg/constants.py | 5 ++-
- 9 files changed, 91 insertions(+), 1 deletion(-)
- create mode 100644 products/openembedded/CMakeLists.txt
- create mode 100644 products/openembedded/product.yml
- create mode 100644 products/openembedded/profiles/standard.profile
- create mode 100644 products/openembedded/transforms/constants.xslt
- create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 85ec289644..09ac96784e 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -95,6 +95,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be
- option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
- option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-+option(SSG_PRODUCT_OE "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
-
-
- option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
-@@ -289,6 +290,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
- message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
- message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}")
- message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}")
-+message(STATUS "OpenEmbedded nodistro: ${SSG_PRODUCT_OE}")
-
-
-
-@@ -410,6 +412,9 @@ endif()
- if (SSG_PRODUCT_UOS20)
- add_subdirectory("products/uos20" "uos20")
- endif()
-+if (SSG_PRODUCT_OE)
-+ add_subdirectory("products/openembedded" "openembedded")
-+endif()
-
- # ZIP only contains source datastreams and kickstarts, people who
- # want sources to build from should get the tarball instead.
-diff --git a/build_product b/build_product
-index fc793cbe70..197d925b7e 100755
---- a/build_product
-+++ b/build_product
-@@ -333,6 +333,7 @@ all_cmake_products=(
- UBUNTU2204
- UOS20
- MACOS1015
-+ OPENEMBEDDED
- )
-
- DEFAULT_OVAL_MAJOR_VERSION=5
-diff --git a/products/openembedded/CMakeLists.txt b/products/openembedded/CMakeLists.txt
-new file mode 100644
-index 0000000000..1981adf53e
---- /dev/null
-+++ b/products/openembedded/CMakeLists.txt
-@@ -0,0 +1,6 @@
-+# Sometimes our users will try to do: "cd openembedded; cmake ." That needs to error in a nice way.
-+if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
-+ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
-+endif()
-+
-+ssg_build_product("openembedded")
-diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml
-new file mode 100644
-index 0000000000..9f2f12d737
---- /dev/null
-+++ b/products/openembedded/product.yml
-@@ -0,0 +1,19 @@
-+product: openembedded
-+full_name: OpemEmbedded
-+type: platform
-+
-+benchmark_id: OPENEMBEDDED
-+benchmark_root: "../../linux_os/guide"
-+
-+profiles_root: "./profiles"
-+
-+pkg_manager: "dnf"
-+
-+init_system: "systemd"
-+
-+cpes_root: "../../shared/applicability"
-+cpes:
-+ - openembedded:
-+ name: "cpe:/o:openembedded"
-+ title: "OpenEmbedded nodistro"
-+ check_id: installed_OS_is_openembedded
-diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
-new file mode 100644
-index 0000000000..44339d716c
---- /dev/null
-+++ b/products/openembedded/profiles/standard.profile
-@@ -0,0 +1,12 @@
-+documentation_complete: true
-+
-+title: 'Sample Security Profile for OpenEmbedded Distros'
-+
-+description: |-
-+ This profile is an sample for use in documentation and example content.
-+ The selected rules are standard and should pass quickly on most systems.
-+
-+selections:
-+ - file_owner_etc_passwd
-+ - file_groupowner_etc_passwd
-+ - file_permissions_etc_passwd
-diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt
-new file mode 100644
-index 0000000000..85e812a7c1
---- /dev/null
-+++ b/products/openembedded/transforms/constants.xslt
-@@ -0,0 +1,10 @@
-+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-+
-+<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
-+
-+<xsl:variable name="product_long_name">OpenEmbedded nodistro</xsl:variable>
-+<xsl:variable name="product_short_name">OE nodistro</xsl:variable>
-+<xsl:variable name="product_stig_id_name">empty</xsl:variable>
-+<xsl:variable name="prod_type">openembedded</xsl:variable>
-+
-+</xsl:stylesheet>
-diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml
-new file mode 100644
-index 0000000000..17c2873686
---- /dev/null
-+++ b/shared/checks/oval/installed_OS_is_openembedded.xml
-@@ -0,0 +1,33 @@
-+<def-group>
-+ <definition class="inventory" id="installed_OS_is_openembedded" version="1">
-+ <metadata>
-+ <title>OpenEmbedded</title>
-+ <affected family="unix">
-+ <platform>multi_platform_all</platform>
-+ </affected>
-+ <description>The operating system installed is an OpenEmbedded System</description>
-+ </metadata>
-+ <criteria comment="System is OpenEmbedded" operator="AND">
-+ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
-+ <criterion comment="OpenEmbedded distro" test_ref="test_os_release" />
-+ <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" />
-+ </criteria>
-+ </definition>
-+
-+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_release" version="1">
-+ <unix:object object_ref="obj_os_release" />
-+ </unix:file_test>
-+ <unix:file_object comment="check /etc/os-release file" id="obj_os_release" version="1">
-+ <unix:filepath>/etc/os-release</unix:filepath>
-+ </unix:file_object>
-+
-+ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded" id="test_openembedded" version="1">
-+ <ind:object object_ref="obj_openembedded" />
-+ </ind:textfilecontent54_test>
-+ <ind:textfilecontent54_object id="obj_openembedded" version="1" comment="Check OpenEmbedded">
-+ <ind:filepath>/etc/os-release</ind:filepath>
-+ <ind:pattern operation="pattern match">^ID=nodistro$</ind:pattern>
-+ <ind:instance datatype="int">1</ind:instance>
-+ </ind:textfilecontent54_object>
-+
-+</def-group>
-diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-index affb9770cb..4f22df262c 100644
---- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-+++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
-@@ -8,6 +8,7 @@
- <platform>multi_platform_debian</platform>
- <platform>multi_platform_example</platform>
- <platform>multi_platform_fedora</platform>
-+ <platform>multi_platform_openembedded</platform>
- <platform>multi_platform_opensuse</platform>
- <platform>multi_platform_ol</platform>
- <platform>multi_platform_rhcos</platform>
-diff --git a/ssg/constants.py b/ssg/constants.py
-index f66ba008fa..630fbdfcb9 100644
---- a/ssg/constants.py
-+++ b/ssg/constants.py
-@@ -219,6 +219,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
- "Ubuntu 20.04": "ubuntu2004",
- "Ubuntu 22.04": "ubuntu2204",
- "UnionTech OS Server 20": "uos20",
-+ "OpenEmbedded": "openembedded",
- "Not Applicable" : "example"
- }
-
-@@ -267,7 +268,7 @@ REFERENCES = dict(
-
- MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
- "opensuse", "sle", "ol", "ocp", "rhcos",
-- "example", "eks", "alinux", "uos", "anolis"]
-+ "example", "eks", "alinux", "uos", "anolis", "openembedded"]
-
- MULTI_PLATFORM_MAPPING = {
- "multi_platform_alinux": ["alinux2", "alinux3"],
-@@ -285,6 +286,7 @@ MULTI_PLATFORM_MAPPING = {
- "multi_platform_sle": ["sle12", "sle15"],
- "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"],
- "multi_platform_uos": ["uos20"],
-+ "multi_platform_openembedded": ["openembedded"],
- }
-
- RHEL_CENTOS_CPE_MAPPING = {
-@@ -454,6 +456,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
- 'ocp': 'Red Hat OpenShift Container Platform',
- 'rhcos': 'Red Hat Enterprise Linux CoreOS',
- 'eks': 'Amazon Elastic Kubernetes Service',
-+ 'openembedded': 'OpenEmbedded',
- }
-
- # References that can not be used with product-qualifiers
---
-2.34.1
-
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch
deleted file mode 100644
index 061c5f0..0000000
--- a/meta-security/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch
+++ /dev/null
@@ -1,231 +0,0 @@
-From 7af2da3bbe1d5b4cba89c6dae9ea267717b865ea Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Wed, 21 Jun 2023 07:46:38 -0400
-Subject: [PATCH] standard.profile: expand checks
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Upstream-status: Pending
----
- .../openembedded/profiles/standard.profile | 206 ++++++++++++++++++
- 1 file changed, 206 insertions(+)
-
-diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
-index 44339d716c..877d1a3971 100644
---- a/products/openembedded/profiles/standard.profile
-+++ b/products/openembedded/profiles/standard.profile
-@@ -9,4 +9,210 @@ description: |-
- selections:
- - file_owner_etc_passwd
- - file_groupowner_etc_passwd
-+ - service_crond_enabled
-+ - file_groupowner_crontab
-+ - file_owner_crontab
-+ - file_permissions_crontab
-+ - file_groupowner_cron_hourly
-+ - file_owner_cron_hourly
-+ - file_permissions_cron_hourly
-+ - file_groupowner_cron_daily
-+ - file_owner_cron_daily
-+ - file_permissions_cron_daily
-+ - file_groupowner_cron_weekly
-+ - file_owner_cron_weekly
-+ - file_permissions_cron_weekly
-+ - file_groupowner_cron_monthly
-+ - file_owner_cron_monthly
-+ - file_permissions_cron_monthly
-+ - file_groupowner_cron_d
-+ - file_owner_cron_d
-+ - file_permissions_cron_d
-+ - file_groupowner_cron_allow
-+ - file_owner_cron_allow
-+ - file_cron_deny_not_exist
-+ - file_groupowner_at_allow
-+ - file_owner_at_allow
-+ - file_at_deny_not_exist
-+ - file_permissions_at_allow
-+ - file_permissions_cron_allow
-+ - file_groupowner_sshd_config
-+ - file_owner_sshd_config
-+ - file_permissions_sshd_config
-+ - file_permissions_sshd_private_key
-+ - file_permissions_sshd_pub_key
-+ - sshd_set_loglevel_verbose
-+ - sshd_set_loglevel_info
-+ - sshd_max_auth_tries_value=4
-+ - sshd_set_max_auth_tries
-+ - sshd_disable_rhosts
-+ - disable_host_auth
-+ - sshd_disable_root_login
-+ - sshd_disable_empty_passwords
-+ - sshd_do_not_permit_user_env
-+ - sshd_idle_timeout_value=15_minutes
-+ - sshd_set_idle_timeout
-+ - sshd_set_keepalive
-+ - var_sshd_set_keepalive=0
-+ - sshd_set_login_grace_time
-+ - var_sshd_set_login_grace_time=60
-+ - sshd_enable_warning_banner
-+ - sshd_enable_pam
-+ - sshd_set_maxstartups
-+ - var_sshd_set_maxstartups=10:30:60
-+ - sshd_set_max_sessions
-+ - var_sshd_max_sessions=10
-+ - accounts_password_pam_minclass
-+ - accounts_password_pam_minlen
-+ - accounts_password_pam_retry
-+ - var_password_pam_minclass=4
-+ - var_password_pam_minlen=14
-+ - locking_out_password_attempts
-+ - accounts_password_pam_pwhistory_remember_password_auth
-+ - accounts_password_pam_pwhistory_remember_system_auth
-+ - var_password_pam_remember_control_flag=required
-+ - var_password_pam_remember=5
-+ - set_password_hashing_algorithm_systemauth
-+ - accounts_maximum_age_login_defs
-+ - var_accounts_maximum_age_login_defs=365
-+ - accounts_password_set_max_life_existing
-+ - accounts_minimum_age_login_defs
-+ - var_accounts_minimum_age_login_defs=7
-+ - accounts_password_set_min_life_existing
-+ - accounts_password_warn_age_login_defs
-+ - var_accounts_password_warn_age_login_defs=7
-+ - account_disable_post_pw_expiration
-+ - var_account_disable_post_pw_expiration=30
-+ - no_shelllogin_for_systemaccounts
-+ - accounts_tmout
-+ - var_accounts_tmout=15_min
-+ - accounts_root_gid_zero
-+ - accounts_umask_etc_bashrc
-+ - accounts_umask_etc_login_defs
-+ - use_pam_wheel_for_su
-+ - sshd_allow_only_protocol2
-+ - journald_forward_to_syslog
-+ - journald_compress
-+ - journald_storage
-+ - service_auditd_enabled
-+ - service_httpd_disabled
-+ - service_vsftpd_disabled
-+ - service_named_disabled
-+ - service_nfs_disabled
-+ - service_rpcbind_disabled
-+ - service_slapd_disabled
-+ - service_dhcpd_disabled
-+ - service_cups_disabled
-+ - service_ypserv_disabled
-+ - service_rsyncd_disabled
-+ - service_avahi-daemon_disabled
-+ - service_snmpd_disabled
-+ - service_squid_disabled
-+ - service_smb_disabled
-+ - service_dovecot_disabled
-+ - banner_etc_motd
-+ - login_banner_text=cis_banners
-+ - banner_etc_issue
-+ - login_banner_text=cis_banners
-+ - file_groupowner_etc_motd
-+ - file_owner_etc_motd
-+ - file_permissions_etc_motd
-+ - file_groupowner_etc_issue
-+ - file_owner_etc_issue
-+ - file_permissions_etc_issue
-+ - ensure_gpgcheck_globally_activated
-+ - package_aide_installed
-+ - aide_periodic_cron_checking
-+ - grub2_password
-+ - file_groupowner_grub2_cfg
-+ - file_owner_grub2_cfg
-+ - file_permissions_grub2_cfg
-+ - require_singleuser_auth
-+ - require_emergency_target_auth
-+ - disable_users_coredumps
-+ - coredump_disable_backtraces
-+ - coredump_disable_storage
-+ - configure_crypto_policy
-+ - var_system_crypto_policy=default_policy
-+ - dir_perms_world_writable_sticky_bits
- - file_permissions_etc_passwd
-+ - file_owner_etc_shadow
-+ - file_groupowner_etc_shadow
-+ - file_groupowner_etc_group
-+ - file_owner_etc_group
-+ - file_permissions_etc_group
-+ - file_groupowner_etc_gshadow
-+ - file_owner_etc_gshadow
-+ - file_groupowner_backup_etc_passwd
-+ - file_owner_backup_etc_passwd
-+ - file_permissions_backup_etc_passwd
-+ - file_groupowner_backup_etc_shadow
-+ - file_owner_backup_etc_shadow
-+ - file_permissions_backup_etc_shadow
-+ - file_groupowner_backup_etc_group
-+ - file_owner_backup_etc_group
-+ - file_permissions_backup_etc_group
-+ - file_groupowner_backup_etc_gshadow
-+ - file_owner_backup_etc_gshadow
-+ - file_permissions_backup_etc_gshadow
-+ - file_permissions_unauthorized_world_writable
-+ - file_permissions_ungroupowned
-+ - accounts_root_path_dirs_no_write
-+ - root_path_no_dot
-+ - accounts_no_uid_except_zero
-+ - file_ownership_home_directories
-+ - file_groupownership_home_directories
-+ - no_netrc_files
-+ - no_rsh_trust_files
-+ - account_unique_id
-+ - group_unique_id
-+ - group_unique_name
-+ - kernel_module_sctp_disabled
-+ - kernel_module_dccp_disabled
-+ - wireless_disable_interfaces
-+ - sysctl_net_ipv4_ip_forward
-+ - sysctl_net_ipv6_conf_all_forwarding
-+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled
-+ - sysctl_net_ipv4_conf_all_send_redirects
-+ - sysctl_net_ipv4_conf_default_send_redirects
-+ - sysctl_net_ipv4_conf_all_accept_source_route
-+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled
-+ - sysctl_net_ipv4_conf_default_accept_source_route
-+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled
-+ - sysctl_net_ipv6_conf_all_accept_source_route
-+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled
-+ - sysctl_net_ipv6_conf_default_accept_source_route
-+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled
-+ - sysctl_net_ipv4_conf_all_accept_redirects
-+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled
-+ - sysctl_net_ipv4_conf_default_accept_redirects
-+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled
-+ - sysctl_net_ipv6_conf_all_accept_redirects
-+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled
-+ - sysctl_net_ipv6_conf_default_accept_redirects
-+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled
-+ - sysctl_net_ipv4_conf_all_secure_redirects
-+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled
-+ - sysctl_net_ipv4_conf_default_secure_redirects
-+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled
-+ - sysctl_net_ipv4_conf_all_log_martians
-+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled
-+ - sysctl_net_ipv4_conf_default_log_martians
-+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled
-+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled
-+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled
-+ - sysctl_net_ipv4_conf_all_rp_filter
-+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled
-+ - sysctl_net_ipv4_conf_default_rp_filter
-+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled
-+ - sysctl_net_ipv4_tcp_syncookies
-+ - sysctl_net_ipv4_tcp_syncookies_value=enabled
-+ - sysctl_net_ipv6_conf_all_accept_ra
-+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled
-+ - sysctl_net_ipv6_conf_default_accept_ra
-+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled
-+ - package_firewalld_installed
-+ - service_firewalld_enabled
-+ - package_iptables_installed
---
-2.34.1
-
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0002-scap-security-guide-Add-Poky-support.patch b/meta-security/recipes-compliance/scap-security-guide/files/0002-scap-security-guide-Add-Poky-support.patch
new file mode 100644
index 0000000..1639264
--- /dev/null
+++ b/meta-security/recipes-compliance/scap-security-guide/files/0002-scap-security-guide-Add-Poky-support.patch
@@ -0,0 +1,74 @@
+From 2be977a60c944a54594d5786b2d8869ed72a9a06 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 5 Jul 2023 12:57:52 -0400
+Subject: [PATCH 2/2] scap-security-guide: Add Poky support
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Upstream-Status: Pending
+Waiting to see if OE changes get merged.
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+
+---
+ products/openembedded/product.yml | 6 ++++
+ shared/checks/oval/installed_OS_is_poky.xml | 33 +++++++++++++++++++++
+ 2 files changed, 39 insertions(+)
+ create mode 100644 shared/checks/oval/installed_OS_is_poky.xml
+
+diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml
+index debf6870ef..d63479d5d3 100644
+--- a/products/openembedded/product.yml
++++ b/products/openembedded/product.yml
+@@ -17,3 +17,9 @@ cpes:
+ name: "cpe:/o:openembedded:nodistro:"
+ title: "OpenEmbedded nodistro"
+ check_id: installed_OS_is_openembedded
++
++ - poky:
++ name: "cpe:/o:openembedded:poky:"
++ title: "OpenEmbedded Poky reference distribution"
++ check_id: installed_OS_is_poky
++
+diff --git a/shared/checks/oval/installed_OS_is_poky.xml b/shared/checks/oval/installed_OS_is_poky.xml
+new file mode 100644
+index 0000000000..b8805cf31b
+--- /dev/null
++++ b/shared/checks/oval/installed_OS_is_poky.xml
+@@ -0,0 +1,33 @@
++<def-group>
++ <definition class="inventory" id="installed_OS_is_poky" version="1">
++ <metadata>
++ <title>Poky</title>
++ <affected family="unix">
++ <platform>multi_platform_all</platform>
++ </affected>
++ <description>The operating system installed is a Poky based System</description>
++ </metadata>
++ <criteria comment="System is Poky based distribution" operator="AND">
++ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
++ <criterion comment="Poky based distro" test_ref="test_os_poky" />
++ <criterion comment="Poky based distribution is installed" test_ref="test_poky" />
++ </criteria>
++ </definition>
++
++ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_poky" version="1">
++ <unix:object object_ref="obj_os_poky" />
++ </unix:file_test>
++ <unix:file_object comment="check /etc/os-release file" id="obj_os_poky" version="1">
++ <unix:filepath>/etc/os-release</unix:filepath>
++ </unix:file_object>
++
++ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded" id="test_poky" version="1">
++ <ind:object object_ref="obj_poky" />
++ </ind:textfilecontent54_test>
++ <ind:textfilecontent54_object id="obj_poky" version="1" comment="Check Poky">
++ <ind:filepath>/etc/os-release</ind:filepath>
++ <ind:pattern operation="pattern match">^ID=poky$</ind:pattern>
++ <ind:instance datatype="int">1</ind:instance>
++ </ind:textfilecontent54_object>
++
++</def-group>
+--
+2.34.1
+
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/run-ptest b/meta-security/recipes-compliance/scap-security-guide/files/run-ptest
new file mode 100644
index 0000000..e8d270f
--- /dev/null
+++ b/meta-security/recipes-compliance/scap-security-guide/files/run-ptest
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+export PYTHONPATH="/usr/lib/scap-security-guide/ptest/git:$PYTHONPATH"
+
+cd git/build
+
+ctest --output-on-failure -E unique-stigids
diff --git a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
index 31ab96e..988e48b 100644
--- a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
+++ b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
@@ -6,12 +6,12 @@
LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
LICENSE = "BSD-3-Clause"
-SRCREV = "dad85502ce8da722a6afc391346c41cee61e90a9"
+SRCREV = "3a1012bc9ec2b01b3b71c6feefd3cff0f52bd64d"
SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \
- file://0001-scap-security-guide-add-openembedded.patch \
- file://0001-standard.profile-expand-checks.patch \
- file://0001-scap-security-guide-add-Poky-support.patch \
file://run_eval.sh \
+ file://run-ptest \
+ file://0001-scap-security-guide-add-openembedded-distro-support.patch \
+ file://0002-scap-security-guide-Add-Poky-support.patch \
"
@@ -20,7 +20,7 @@
S = "${WORKDIR}/git"
B = "${S}/build"
-inherit cmake pkgconfig python3native python3targetconfig
+inherit cmake pkgconfig python3native python3targetconfig ptest
OECMAKE_GENERATOR = "Unix Makefiles"
@@ -38,8 +38,52 @@
install ${WORKDIR}/run_eval.sh ${D}${datadir}/openscap/.
}
+do_compile_ptest() {
+ cd ${S}/build
+ cmake ../
+ make
+}
+
+do_install_ptest() {
+
+ # remove host & work dir from tests
+ for x in $(find ${S}/build -type f) ;
+ do
+ sed -e 's#${HOSTTOOLS_DIR}/##g' \
+ -e 's#${RECIPE_SYSROOT_NATIVE}##g' \
+ -e 's#${WORKDIR}#${PTEST_PATH}#g' \
+ -e 's#/.*/xmllint#/usr/bin/xmllint#g' \
+ -e 's#/.*/oscap#/usr/bin/oscap#g' \
+ -e 's#/python3-native##g' \
+ -i ${x}
+ done
+
+ for x in $(find ${S}/build-scripts -type f) ;
+ do
+ sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' ${x}
+ done
+
+ for x in $(find ${S}/tests -type f) ;
+ do
+ sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' ${x}
+ done
+
+ for x in $(find ${S}/utils -type f) ;
+ do
+ sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' ${x}
+ done
+
+ PDIRS="apple_os build controls products shared components applications linux_os ocp-resources tests utils ssg build-scripts"
+ t=${D}/${PTEST_PATH}/git
+ for d in ${PDIRS}; do
+ install -d ${t}/$d
+ cp -fr ${S}/$d/* ${t}/$d/.
+ done
+}
+
FILES:${PN} += "${datadir}/xml ${datadir}/openscap"
RDEPENDS:${PN} = "openscap"
+RDEPENDS:${PN}-ptest = "cmake grep sed bash git python3 python3-modules python3-mypy python3-pyyaml python3-yamlpath python3-xmldiff python3-json2html python3-pandas python3-openpyxl python3-pytest libxml2-utils libxslt-bin"
COMPATIBLE_HOST:libc-musl = "null"