meta-security: subtree update:baca6133f9..ab239f1497
Armin Kuster (16):
build cleanup: add iam to base depend
tripwire: Blacklist pkg, upstream seems abandond
tpm2-pkcs11: Update to 1.6.0
clamav: update to tip.
ossec-hids: add UPSTREAM_CHECK_COMMITS
python3-scapy: add UPSTREAM_CHECK_COMMITS
suricata: 4.1.x add UPSTREAM_CHECK_URI
ibmswtpm2: update to 1661
ibmtpm2tss: update to tip
packagegroup-core-security: fix typo for mips
Apparmor: fix multi config build issue.
aide: Add another ids
packagegroup-core-security: add aide and ossec
.gitlab-ci: drop clean up combine alt w base
clamav: fix systemd startup
packagegroup-core-security: add clamav-daemon
Change-Id: Id941ea16208920cfa31bf6d42f8a01fc9765ec7c
Signed-off-by: William A. Kennington III <wak@google.com>
diff --git a/meta-security/recipes-ids/aide/aide/aide.conf b/meta-security/recipes-ids/aide/aide/aide.conf
new file mode 100644
index 0000000..2c99e07
--- /dev/null
+++ b/meta-security/recipes-ids/aide/aide/aide.conf
@@ -0,0 +1,94 @@
+# Example configuration file for AIDE.
+
+@@define DBDIR /usr/lib/aide
+@@define LOGDIR /usr/lib/aide/logs
+
+# The location of the database to be read.
+database_in=file:@@{DBDIR}/aide.db.gz
+
+# The location of the database to be written.
+#database_out=sql:host:port:database:login_name:passwd:table
+#database_out=file:aide.db.new
+database_out=file:@@{DBDIR}/aide.db.gz
+
+# Whether to gzip the output to database
+gzip_dbout=yes
+
+# Default.
+log_level=warning
+
+report_url=file:@@{LOGDIR}/aide.log
+report_url=stdout
+#report_url=stderr
+#NOT IMPLEMENTED report_url=mailto:root@foo.com
+#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
+
+# These are the default rules.
+#
+#p: permissions
+#i: inode:
+#n: number of links
+#u: user
+#g: group
+#s: size
+#b: block count
+#m: mtime
+#a: atime
+#c: ctime
+#S: check for growing size
+#acl: Access Control Lists
+#selinux SELinux security context
+#xattrs: Extended file attributes
+#md5: md5 checksum
+#sha1: sha1 checksum
+#sha256: sha256 checksum
+#sha512: sha512 checksum
+#rmd160: rmd160 checksum
+#tiger: tiger checksum
+
+#haval: haval checksum (MHASH only)
+#gost: gost checksum (MHASH only)
+#crc32: crc32 checksum (MHASH only)
+#whirlpool: whirlpool checksum (MHASH only)
+
+FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+
+#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
+#L: p+i+n+u+g+acl+selinux+xattrs
+#E: Empty group
+#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
+
+# You can create custom rules like this.
+# With MHASH...
+# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+# Everything but access time (Ie. all changes)
+EVERYTHING = R+ALLXTRAHASHES
+
+# Sane, with multiple hashes
+# NORMAL = R+rmd160+sha256+whirlpool
+NORMAL = FIPSR+sha512
+
+# For directories, don't bother doing hashes
+DIR = p+i+n+u+g+acl+selinux+xattrs
+
+# Access control only
+PERMS = p+i+u+g+acl+selinux
+
+# Logfile are special, in that they often change
+LOG = >
+
+# Just do sha256 and sha512 hashes
+LSPP = FIPSR+sha512
+
+# Some files get updated automatically, so the inode/ctime/mtime change
+# but we want to know when the data inside them changes
+DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
+
+# Next decide what directories/files you want in the database.
+
+# Check only permissions, inode, user and group for /etc, but
+# cover some important files closely.
+/bin NORMAL
+/sbin NORMAL
+/lib NORMAL
diff --git a/meta-security/recipes-ids/aide/aide_0.17.3.bb b/meta-security/recipes-ids/aide/aide_0.17.3.bb
new file mode 100644
index 0000000..522cd85
--- /dev/null
+++ b/meta-security/recipes-ids/aide/aide_0.17.3.bb
@@ -0,0 +1,41 @@
+SUMMARY = "Advanced Intrusion Detection Environment"
+HOMEPAGE = "https://aide.github.io"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+LICENSE = "GPL-2.0"
+
+DEPENDS = "bison-native libpcre"
+
+SRC_URI = "https://github.com/aide/aide/releases/download/v${PV}/${BPN}-${PV}.tar.gz \
+ file://aide.conf"
+
+SRC_URI[sha256sum] = "a2eb1883cafaad056fbe43ee1e8ae09fd36caa30a0bc8edfea5d47bd67c464f8"
+
+inherit autotools pkgconfig
+
+PACKAGECONFIG ??=" mhash zlib e2fsattrs \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'xattr', '', d)} \
+ "
+PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux, libselinux"
+PACKAGECONFIG[zlib] = "--with-zlib, --without-zlib, zlib, zlib "
+PACKAGECONFIG[xattr] = "--with-xattr, --without-xattr, attr, attr"
+PACKAGECONFIG[curl] = "--with-curl, --without-curl, curl, libcurl"
+PACKAGECONFIG[audit] = "--with-audit, --without-audit,"
+PACKAGECONFIG[gcrypt] = "--with-gcrypt, --without-gcrypt, libgcrypt, libgcrypt"
+PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash"
+PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2fsprogs"
+
+do_install_append () {
+ install -d ${D}${libdir}/${PN}/logs
+ install -d ${D}${sysconfdir}
+ install ${WORKDIR}/aide.conf ${D}${sysconfdir}/
+}
+
+CONF_FILE = "${sysconfdir}/aide.conf"
+
+FILES_${PN} += "${libdir}/${PN} ${sysconfdir}/aide.conf"
+
+pkg_postinst_ontarget_${PN} () {
+ /usr/bin/aide -i
+}
+RDPENDS_${PN} = "bison, libpcre"
diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
index 10354a7..242bbdb 100644
--- a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
+++ b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
@@ -11,6 +11,8 @@
SRCREV = "1303c78e2c67d7acee0508cb00c3bc63baaa27c2"
+UPSTREAM_CHECK_COMMITS = "1"
+
inherit autotools-brokensep useradd
S = "${WORKDIR}/git"
diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.10.bb b/meta-security/recipes-ids/suricata/suricata_4.1.10.bb
index 3f7beaa..bf08843 100644
--- a/meta-security/recipes-ids/suricata/suricata_4.1.10.bb
+++ b/meta-security/recipes-ids/suricata/suricata_4.1.10.bb
@@ -12,6 +12,8 @@
file://run-ptest \
"
+UPSTREAM_CHECK_URI = "www.openinfosecfoundation.org/download"
+
inherit autotools-brokensep pkgconfig python3-dir systemd ptest
CFLAGS += "-D_DEFAULT_SOURCE -fcommon"
diff --git a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
index 4f50bff..36e5d00 100644
--- a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
+++ b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb
@@ -73,3 +73,5 @@
RDEPENDS_${PN} += " perl nano msmtp cronie"
RDEPENDS_${PN}-ptest = " perl lib-perl perl-modules "
+
+PNBLACKLIST[tripwire] ?= "Upsteram project appears to be abondoned, fails to build with gcc11"