Squashed 'import-layers/meta-security/' content from commit 4d139b9

Subtree from git://git.yoctoproject.org/meta-security

Change-Id: I14bb13faa3f2b2dc1f5d81b339dd48ffedf8562f
git-subtree-dir: import-layers/meta-security
git-subtree-split: 4d139b95c4f152d132592f515c5151f4dd6269c1
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
diff --git a/import-layers/meta-security/COPYING.MIT b/import-layers/meta-security/COPYING.MIT
new file mode 100644
index 0000000..89de354
--- /dev/null
+++ b/import-layers/meta-security/COPYING.MIT
@@ -0,0 +1,17 @@
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/import-layers/meta-security/README b/import-layers/meta-security/README
new file mode 100644
index 0000000..ef80f2b
--- /dev/null
+++ b/import-layers/meta-security/README
@@ -0,0 +1,272 @@
+Meta-security
+=============
+
+This layer provides security tools, hardening tools for Linux kernels
+and libraries for implementing security mechanisms.
+
+Dependencies
+============
+
+This layer depends on:
+
+  URI: git://git.openembedded.org/openembedded-core
+  branch: master
+  revision: HEAD
+  prio: default
+
+  URI: git://git.openembedded.org/meta-openembedded/meta-oe
+  branch: master
+  revision: HEAD
+  prio: default
+
+  URI: git://git.openembedded.org/meta-openembedded/meta-perl
+  branch: master
+  revision: HEAD
+  prio: default
+
+  URI: git://git.openembedded.org/meta-openembedded/meta-networking
+  branch: master
+  revision: HEAD
+  prio: default
+
+Adding the security layer to your build
+========================================
+
+In order to use this layer, you need to make the build system aware of
+it.
+
+Assuming the security layer exists at the top-level of your
+yocto build tree, you can add it to the build system by adding the
+location of the security layer to bblayers.conf, along with any
+other layers needed. e.g.:
+
+  BBLAYERS ?= " \
+    /path/to/oe-core/meta \
+    /path/to/meta-openembedded/meta-oe \
+    /path/to/meta-openembedded/meta-perl \
+    /path/to/meta-openembedded/meta-python \
+    /path/to/meta-openembedded/meta-networking \
+    /path/to/layer/meta-security \
+
+Contents and Help
+=================
+
+In this section the contents of the layer is listed, along with a short
+help for each package.
+
+         == bastille ==
+
+        Bastille  is  a  system hardening / lockdown program which enhances the
+        security of a Unix host.  It configures daemons, system settings and
+        firewalls to be more secure.  It can shut off unneeded services
+        like rcp and rlogin, and helps create "chroot jails" that help limit the
+        vulnerability of common Internet services like Web services and DNS.
+
+        usage : The functionality of Bastille which is available is
+                restricted to a purely informational one. The command:
+                bastille -c --os Yocto
+                will cause a series of menus containing security questions
+                about the system to be displayed to the user. For each
+                question, a default response, specified in the configuration
+                file which is installed with Bastille, will be selected.
+                The user may select an alternate response. When the user
+                has completed the sequence of menus Bastille saves the
+                responses to the configuration file.
+
+                The command:
+                bastille -l lists the configuration files that Bastille
+                is able to locate.
+
+                The other functionality which Bastille is intended to provide
+                is actually unavailable. This is not due to errors in poky
+                installation or configuration of the application. The Bastille
+                distribution is no longer supported. Significant modifications
+                would be required to make it possible to make use of the
+                functionality which is currently unavailable.
+
+
+        Additional information about Bastille can be found in the package
+        README file and other documentation.
+
+        Alternatives to Bastille include buck-security and checksecurity,
+        described elsewhere in this file.
+
+
+        == redhat-security ==
+
+        Sometimes you want to check different aspects of a distribution for security problems.
+        This can be anything from file permissions to correctness of code. This is a collection of those tools.
+        Depending on what information the tool has to access, it may need to be run as root.
+
+        - rpm-chksec.sh : This will take an rpm name as input and verify each ELF file to see if its compiled with the intended flags
+                          to most effectively use PIE and RELRO. Green is good, Orange could use work but is acceptable, and Red needs fixing.
+                          It has a mode --all that is the equivalent of using rpm -qa and feeding the packages to it.
+                          In this mode it will only give a summary result for the package. To find which files don't comply,
+                          re-run using just the package name.
+
+		!!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines:
+						IMAGE_ROOTFS_EXTRA_SPACE = ""  - specifying the extra space of the image
+						IMAGE_FEATURES += "package management" - for the correct output of rpm -qa
+
+        - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID
+                                  and GID without also calling setgroups or initgroups.
+
+        - rpm-drop-groups.sh : Same as above, but takes an rpm name instead.
+
+        - find-chroot.sh : This script scans the whole file system looking for ELF files that calls chroot(2) that also do not include a call to chdir.
+                           Programs that fail to do this do not have the cwd inside the chroot. This means the app can escape the protection that was intended.
+
+        - find-chroot-py.sh : This test is like the one above except it examines python scripts for the same problem.
+
+        - find-execstack.sh : This program scans the whole file system for ELF programs that have marked the stack as being executable.
+                              This means that if the program has another vulnerablity such as stack buffer overflow,
+                              any code the attacker places there is executable. Any program found must be fixed.
+
+        - find-hidden-exec.sh : This program scans the whole file system looking for excutables that are hidden.
+                                Anything found must be investigated since its highly unusual for executables to be hidden.
+
+        - find-sh4errors.sh : This program scans the whole file system looking for shell scripts.
+                              It then does a sh -n on the script which causes bash to parse the file to see if there are any mistakes.
+
+        - selinux-check-devices.sh : This script checks the /dev directory to see if there are any devices that are not correctly labeled.
+                                     Anything found by this test should be reported so that selinux policy can be fixed.
+                                     This test is very hardware specific, so to be effective a lot of people with different hardware
+                                     should run this test each upstream kernel version release.
+
+        - selinux-ls-unconfined.sh :  This script scans the running processes and looks for anything labeled with initrc_t or inetd.
+                                      These both mean that there are daemons that do not have policy and are therefore running unconfined.
+                                      These should be reported as SE Linux policy problems. Because it checks currently running daemons,
+                                      the more you have running, the better the test is.
+
+        - find-sh4tmp.sh : This script scans the whole filesystem to check if shell scripts are using well known tmp file names
+                           instead of obscure ones created by something like mktemp.
+
+        - find-elf4tmp.sh : This script scans the whole file system for ELF files using /tmp. When it finds this,
+                            it also looks to see if any of the known good random name generator functions is called by looking
+                            at the symbol table. If not, it will output the string.
+
+        - lib-bin-check.sh : This will check all installed library packages to see if an application is also part of the package.
+                             The relationship to security is that the SHA256 hash check will fail if a 32 bit version overwrites it.
+                             Also, the less binaries on a system, the more secure it is by virtue of removing the chance for an exploitable bug.
+
+
+                usage : simply invoke the script name in the terminal.
+
+
+        == pax-utils ==
+
+		( This package can be found in oe-core )
+
+        pax-utils is a small set of various PaX aware and related utilities for
+        ELF binaries.
+
+        - scanelf : With this application you can print out information specific to the ELF structure of a binary.
+                    For more help please consult the man pages or the readme file.
+
+        - pspax : is a user-space utility that scans the proc directory and list
+                  ELF types, as well as their respective PaX flags and filenames and
+                  attributes. Depending on build options, it may additionaly display the
+                  process running set of capabilities.
+
+        - scanmacho : is a user-space utility to quickly scan given
+                      Mach-Os, directories, or common system paths for different information. This
+                      may include Mach-O types, their install_names, etc.
+
+        - dumpelf : is a user-space utility to dump all of the internal
+                    ELF structures into the equivalent C structures for fun debugging and/or
+                    reference purposes.
+
+
+                usage : simply invoke the script name in the terminal.
+
+
+        == buck-security ==
+
+        Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux
+        system. This enables you to quickly overview the security status of your Linux system.
+
+                usage :	!!! before starting to use this tool please run the following command: !!!
+
+						export GPG_TTY=`tty`
+
+						This command is needed for the usage of the comand --make-checksum, which creates
+						a checksum for the files in the system.
+
+						switch to directory /usr/local/buck-security.
+                        before running the script, you should check the activated checks in conf/buck-security.conf file.
+                        after altering the changes, save the file and simply run :
+
+                        ./buck-security
+
+                        you can choose between different outputs : 1, 2(default) or 3.
+
+                        More detailed usage can be found typing ./buck-security --help
+
+
+        == libseccomp ==
+
+        The libseccomp library provides and easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism: seccomp.
+        The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional
+        function-call based filtering interface that should be familiar to, and easily adopted by application developers.
+
+                usage : More detailed usage can be found in the man pages and README file of the package.
+
+
+
+        == checksecurity ==
+
+        checksecurity is a simple package which will scan your system for several simple security holes.
+        It uses a simple collection of plugins, all of which are shell scripts which are configured by environmental variables.
+
+
+                usage : To start checksecurity simply write in the terminal :
+
+                        checksecurity
+
+        More detailed usage can be found in the man pages and README file of the package.
+
+
+        == nikto ==
+
+        Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items,
+        including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific
+        problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files,
+        HTTP server options, and will attempt to identify installed web servers and software.
+
+                usage : To start nikto simply write in the terminal :
+
+                        nikto
+
+        More detailed usage can be found in the man pages and README file of the package.
+
+
+        == nmap ==
+
+        Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing.
+        Many systems and network administrators also find it useful for tasks such as network inventory,
+        managing service upgrade schedules, and monitoring host or service uptime.
+
+                usage : To start nikto simply write in the terminal :
+
+                        nmap
+
+        More detailed usage can be found in the man pages and README file of the package.
+
+Maintenance
+-----------
+
+Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+
+Maintainers:    Saul Wold <sgw@linux.intel.com>
+                Armin Kuster <akuster@mvista.com>
+
+
+License
+=======
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
diff --git a/import-layers/meta-security/classes/check_security.bbclass b/import-layers/meta-security/classes/check_security.bbclass
new file mode 100644
index 0000000..6d6682e
--- /dev/null
+++ b/import-layers/meta-security/classes/check_security.bbclass
@@ -0,0 +1,7 @@
+check_security () {
+    ${STAGING_BINDIR_NATIVE}/buck-security -sysroot ${IMAGE_ROOTFS} -log ${T}/log.do_checksecurity.${PID} -disable-checks "checksum,firewall,packages_problematic,services,sshd,usermask" -no-sudo > /dev/null
+}
+
+EXTRA_IMAGEDEPENDS += "buck-security-native"
+
+ROOTFS_POSTPROCESS_COMMAND += "check_security;"
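Review bot: The `> /dev/null` redirect on the buck-security line discards the scanner's report and nothing in the class reads the log afterwards, so a finding never reaches the build output; the only thing that would surface is a non-zero exit from buck-security, and then only because BitBake runs shell tasks with `set -e` (I believe), which does not look intended here. Consider `|| bbwarn "buck-security reported findings, see ${T}/log.do_checksecurity.${PID}"` in place of the redirect, and a one-line comment above `check_security` explaining why the six checks in `-disable-checks` (sshd, firewall and services among them, the ones most relevant to a hardened image) are skipped, presumably because they need a running target rather than a staged rootfs. `${PID}` is not a BitBake variable I recognise; if it expands empty the log lands in `${T}/log.do_checksecurity.`, so confirm it is defined or use a fixed log name.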
diff --git a/import-layers/meta-security/conf/layer.conf b/import-layers/meta-security/conf/layer.conf
new file mode 100644
index 0000000..efc426e
--- /dev/null
+++ b/import-layers/meta-security/conf/layer.conf
@@ -0,0 +1,14 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+	${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "security"
+BBFILE_PATTERN_security = "^${LAYERDIR}/"
+BBFILE_PRIORITY_security = "6"
+
+LAYERSERIES_COMPAT_security = "sumo"
+
+LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
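Review bot: `LAYERDEPENDS_security` requires `meta-python`, but the Dependencies section of the layer README added in this same commit lists only oe-core, meta-oe, meta-perl and meta-networking, so a user following it will hit a layer-dependency error at parse time. Either drop `meta-python` here if nothing in the layer needs it, or add a `meta-python` entry to the README's dependency list; the README's BBLAYERS example already includes it, which suggests the dependency is real. `LAYERSERIES_COMPAT_security = "sumo"` pins the layer to one release series while the README points at `master`/`HEAD`; a short comment naming the OE-Core release this was tested against would help.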
diff --git a/import-layers/meta-security/meta-security-compliance/README b/import-layers/meta-security/meta-security-compliance/README
new file mode 100644
index 0000000..b29c143
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/README
@@ -0,0 +1,41 @@
+# Meta-security-compliance
+
+This layer is meant to contain programs to help in security compliance and auditing
+
+
+Dependencies
+============
+
+This layer depends on:
+
+  URI: git://git.openembedded.org/bitbake
+  branch: master
+
+  URI: git://git.openembedded.org/openembedded-core
+  layers: meta
+  branch: master
+
+or
+
+  URI: git://git.yoctoproject.org/poky
+  branch: master
+
+
+
+Maintenance
+-----------
+
+Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH'
+
+Layer Maintainer: Armin Kuster <akuster@mvista.com>
+
+
+License
+=======
+
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
diff --git a/import-layers/meta-security/meta-security-compliance/conf/layer.conf b/import-layers/meta-security/meta-security-compliance/conf/layer.conf
new file mode 100644
index 0000000..31716d6
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/conf/layer.conf
@@ -0,0 +1,15 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have a recipes directory, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "scanners-layer"
+BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
+BBFILE_PRIORITY_scanners-layer = "6"
+
+LAYERSERIES_COMPAT_scanners-layer = "sumo"
+
+LAYERDEPENDS_scanners-layer = " \
+    core \
+"
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.5.1.bb b/import-layers/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.5.1.bb
new file mode 100644
index 0000000..c25b804
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.5.1.bb
@@ -0,0 +1,41 @@
+# Copyright (C) 2017 Armin Kuster  <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMMARY = "Lynis is a free and open source security and auditing tool."
+HOMEDIR = "https://cisofy.com/"
+LICENSE = "GPL-3.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
+
+SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"
+
+SRC_URI[md5sum] = "5b9da89c616344bbc73cbc5688a4a0bd"
+SRC_URI[sha256sum] = "7a09c6fc71c65d572ca702df7b4394d71f9037484062ef71b76f59a2c498b029"
+
+S = "${WORKDIR}/${BPN}"
+
+inherit autotools-brokensep
+
+do_compile[noexec] = "1"
+do_configure[noexec] = "1"
+
+do_install () {
+	install -d ${D}/${bindir}
+	install -d ${D}/${sysconfdir}/lynis
+	install -m 555 ${S}/lynis ${D}/${bindir}
+
+	install -d ${D}/${datadir}/lynis/db
+	install -d ${D}/${datadir}/lynis/plugins
+	install -d ${D}/${datadir}/lynis/include
+	install -d ${D}/${datadir}/lynis/extras
+
+	cp -r ${S}/db/* ${D}/${datadir}/lynis/db/.
+	cp -r ${S}/plugins/*  ${D}/${datadir}/lynis/plugins/.
+	cp -r ${S}/include/* ${D}/${datadir}/lynis/include/.
+	cp -r ${S}/extras/*  ${D}/${datadir}/lynis/extras/.
+        cp ${S}/*.prf ${D}/${sysconfdir}/lynis
+}
+
+FILES_${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf"
+FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md" 
+
+RDEPENDS_${PN} += "procps"
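Review bot: `HOMEDIR = "https://cisofy.com/"` is not a variable the build system uses; the metadata key is `HOMEPAGE`, so the upstream URL silently drops out of the package metadata. `FILES_${PN}` points at `${sysconfdir}/developer.prf` and `${sysconfdir}/default.prf`, but do_install copies the profiles into `${sysconfdir}/lynis/`, and `FILES_${PN}-doc` lists bare names (`lynis.8`, `FAQ`, `README`, ...) that do_install never installs, so neither line matches anything; the profiles still ship only because `${sysconfdir}` is packaged by default. I would change them to `HOMEPAGE = "https://cisofy.com/"` and `FILES_${PN} += "${sysconfdir}/lynis"`, and either install the man page under `${mandir}/man8` or drop the `-doc` line. Marking the profiles as configuration (`CONFFILES_${PN} = "${sysconfdir}/lynis/default.prf"`) would also keep local hardening-profile edits from being overwritten on upgrade, and `inherit autotools-brokensep` pulls in the autotools toolchain for a recipe whose configure and compile are noexec.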
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-core/openembedded-release/openembedded-release_1.0.bb b/import-layers/meta-security/meta-security-compliance/recipes-core/openembedded-release/openembedded-release_1.0.bb
new file mode 100644
index 0000000..0ad427d
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-core/openembedded-release/openembedded-release_1.0.bb
@@ -0,0 +1,32 @@
+inherit allarch
+
+SUMMARY = "Operating release identification"
+DESCRIPTION = "The /etc/openembedded-release file contains operating system identification data."
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+INHIBIT_DEFAULT_DEPS = "1"
+
+do_fetch[noexec] = "1"
+do_unpack[noexec] = "1"
+do_patch[noexec] = "1"
+do_configure[noexec] = "1"
+
+VERSION = "0"
+RELEASE_NAME = "${DISTRO_NAME} ${DISTRO} ${VERSION}"
+
+def sanitise_version(ver):
+    ret = ver.replace('+', '-').replace(' ','_')
+    return ret.lower()
+
+python do_compile () {
+    import shutil
+    release_name = d.getVar('RELEASE_NAME')		 
+    with open(d.expand('${B}/openemebedded-release'), 'w') as f:
+        f.write('%s\n' % release_name)
+}
+do_compile[vardeps] += "${RELEASE_NAME}"
+
+do_install () {
+    install -d ${D}${sysconfdir}
+    install -m 0644 openemebedded-release ${D}${sysconfdir}/
+}
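Review bot: The file written in do_compile and installed in do_install is named `openemebedded-release` (transposed letters), while DESCRIPTION promises `/etc/openembedded-release` and the OVAL content in this commit identifies the platform through the `openembedded-release` package, so the on-disk path should be `${B}/openembedded-release` and `install -m 0644 openembedded-release ${D}${sysconfdir}/`. `do_compile[vardeps] += "${RELEASE_NAME}"` expands the value instead of naming the variable, so the task signature does not track RELEASE_NAME as intended; it should be `do_compile[vardeps] += "RELEASE_NAME"`. `import shutil` is unused and can go. `VERSION = "0"` is hard-coded rather than derived from DISTRO_VERSION, so every image reports release 0 regardless of distro; a comment saying this is deliberate, and that the OVAL state matches the package version rather than this string, would avoid confusion.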
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend b/import-layers/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend
new file mode 100644
index 0000000..e9fd44a
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-core/os-release/os-release.bbappend
@@ -0,0 +1,4 @@
+OS_RELEASE_FIELDS += "CPE_NAME"
+
+CPE_NAME="cpe:/o:openembedded:nodistro:0"
+
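Review bot: `CPE_NAME` is a fixed string, so every distro that includes this layer advertises itself as `cpe:/o:openembedded:nodistro:0` in /etc/os-release, and SCAP content keyed on that CPE (the OVAL file in this commit lists exactly this value in its affected_cpe_list) will apply regardless of what DISTRO and DISTRO_VERSION actually are. Deriving it, e.g. `CPE_NAME = "cpe:/o:openembedded:${DISTRO}:${DISTRO_VERSION}"` with the version sanitised for CPE-safe characters, or at least a comment stating that the value must be kept in sync with the OVAL content, would make the coupling explicit. Writing it as `CPE_NAME = "..."` with spaces around `=` would match the rest of the layer.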
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xccdf.xml b/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xccdf.xml
new file mode 100644
index 0000000..d3b2c9a
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xccdf.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" id="generated-xccdf" resolved="1">
+  <xccdf:status>incomplete</xccdf:status>
+  <xccdf:title>Automatically generated XCCDF from OVAL file: OpenEmbedded_nodistro_0.xml</xccdf:title>
+  <xccdf:description>This file has been generated automatically from oval definitions file.</xccdf:description>
+  <xccdf:version time="2017-06-07T04:05:05">None, generated from OVAL file.</xccdf:version>
+  <xccdf:Rule selected="true" id="oval-com.redhat.rhsa-def-20171365">
+    <xccdf:title>CPE-2017:1365: nss security and bug fix update (Important)</xccdf:title>
+    <xccdf:ident system="http://cve.mitre.org">CVE-2017-7502</xccdf:ident>
+    <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+      <xccdf:check-content-ref href="OpenEmbedded_nodistro_0.xml" name="oval:com.redhat.rhsa:def:20171365"/>
+    </xccdf:check>
+  </xccdf:Rule>
+</xccdf:Benchmark>
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xml b/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xml
new file mode 100644
index 0000000..a9bf2a0
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/OpenEmbedded_nodistro_0.xml
@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="utf-8"?>
+<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:red-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
+  <generator>
+    <oval:product_name>OpenEmbedded Errata Test System</oval:product_name>
+    <oval:schema_version>5.10.1</oval:schema_version>
+    <oval:timestamp>2017-06-07T04:05:05</oval:timestamp>
+  </generator>
+
+  <definitions>
+    <definition class="patch" id="oval:com.redhat.rhsa:def:20171365" version="604">
+      <metadata>
+        <title>CPE-2017:1365: nss security and bug fix update (Important)</title>
+    <affected family="unix">
+      <platform>OpenEmbedded Nodistro</platform>
+    </affected>
+    <reference ref_id="RHSA-2017:1365-03" ref_url="https://access.redhat.com/errata/RHSA-2017:1365" source="RHSA"/>
+      <reference ref_id="CVE-2017-7502" ref_url="https://access.redhat.com/security/cve/CVE-2017-7502" source="CVE"/>
+    <description>Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.
+
+Security Fix(es):
+
+* A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library. (CVE-2017-7502)
+
+Bug Fix(es):
+
+* The Network Security Services (NSS) code and Certificate Authority (CA) list have been updated to meet the recommendations as published with the latest Mozilla Firefox Extended Support Release (ESR). The updated CA list improves compatibility with the certificates that are used in the Internet Public Key Infrastructure (PKI). To avoid certificate validation refusals, Red Hat recommends installing the updated CA list on June 12, 2017. (BZ#1451421)</description>
+
+<!-- ~~~~~~~~~~~~~~~~~~~~   advisory details   ~~~~~~~~~~~~~~~~~~~ -->
+
+<advisory from="example.com">
+        <severity>Important</severity>
+        <rights>NA</rights>
+        <issued date="2017-05-30"/>
+        <updated date="2017-05-30"/>
+        <cve cvss3="7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" cwe="CWE-476" href="https://access.redhat.com/security/cve/CVE-2017-7502">CVE-2017-7502</cve>
+        <bugzilla href="https://bugzilla.redhat.com/1446631" id="1446631">CVE-2017-7502 nss: Null pointer dereference when handling empty SSLv2 messages</bugzilla>
+    <affected_cpe_list>
+        <cpe>cpe:/o:openembedded:nodistro:0</cpe>
+    </affected_cpe_list>
+</advisory>
+      </metadata>
+
+<criteria operator="AND">
+  <criterion comment="Red Hat Enterprise Linux 7 Client is installed" test_ref="oval:com.redhat.rhsa:tst:20171365001"/>
+  <criterion comment="nss is earlier than 0:3.28.4-r0" test_ref="oval:com.redhat.rhsa:tst:20171365007"/>
+</criteria>
+
+    </definition>
+  </definitions>
+  <tests>
+    <!-- ~~~~~~~~~~~~~~~~~~~~~   rpminfo tests   ~~~~~~~~~~~~~~~~~~~~~ -->
+    <rpminfo_test check="at least one" comment="Red Hat Enterprise Linux 7 Client is installed" id="oval:com.redhat.rhsa:tst:20171365001" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+  <object object_ref="oval:com.redhat.rhsa:obj:20171365001"/>
+  <state state_ref="oval:com.redhat.rhsa:ste:20171365002"/>
+</rpminfo_test>
+<rpminfo_test check="at least one" comment="nss is earlier than 0:3.31.4-r0" id="oval:com.redhat.rhsa:tst:20171365007" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+  <object object_ref="oval:com.redhat.rhsa:obj:20171365006"/>
+  <state state_ref="oval:com.redhat.rhsa:ste:20171365003"/>
+</rpminfo_test>
+
+  </tests>
+
+  <objects>
+    <!-- ~~~~~~~~~~~~~~~~~~~~   rpminfo objects   ~~~~~~~~~~~~~~~~~~~~ -->
+    <rpminfo_object id="oval:com.redhat.rhsa:obj:20171365006" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+  <name>nss</name>
+</rpminfo_object>
+<rpminfo_object id="oval:com.redhat.rhsa:obj:20171365001" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+  <name>openembedded-release</name>
+</rpminfo_object>
+
+  </objects>
+  <states>
+    <!-- ~~~~~~~~~~~~~~~~~~~~   rpminfo states   ~~~~~~~~~~~~~~~~~~~~~ -->
+<rpminfo_state id="oval:com.redhat.rhsa:ste:20171365002" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+  <version operation="pattern match">^1[^\d]</version>
+</rpminfo_state>
+<rpminfo_state id="oval:com.redhat.rhsa:ste:20171365003" version="604" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
+  <evr datatype="evr_string" operation="less than">0:3.31.4-r0</evr>
+</rpminfo_state>
+
+  </states>
+</oval_definitions>
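Review bot: The criterion for the nss test says `nss is earlier than 0:3.28.4-r0`, but the rpminfo_test it references and the evr state it evaluates both say `0:3.31.4-r0`, so the human-readable comment and the enforced threshold disagree; the `<criterion>` comment should read `nss is earlier than 0:3.31.4-r0` (or the state changed, if 3.28.4 was the intended fix version; the commit gives no source for either number). The first criterion is still described as `Red Hat Enterprise Linux 7 Client is installed` although the object it tests is the `openembedded-release` package, so a report reader is misled about what was checked. Both tests are `rpminfo_test`, which means this content can only evaluate on images built with rpm package management and an rpm database; a sentence to that effect in the description would save debugging time. `<advisory from="example.com">` is a placeholder and should name the actual issuer or be removed.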
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/oval-to-xccdf.xslt b/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/oval-to-xccdf.xslt
new file mode 100644
index 0000000..2243ac4
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/oval-to-xccdf.xslt
@@ -0,0 +1,72 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright 2012 Red Hat Inc., Durham, North Carolina. All Rights Reserved.
+
+This transformation is free software; you can redistribute it and/or modify
+it under the terms of the GNU Lesser General Public License as published by
+the Free Software Foundation; either version 2.1 of the License.
+
+This transformation is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+for more details.
+
+You should have received a copy of the GNU Lesser General Public License along
+with this library; if not, write to the Free Software Foundation, Inc., 59
+Temple Place, Suite 330, Boston, MA  02111-1307 USA
+
+Authors:
+     Šimon Lukašík <slukasik@redhat.com>
+-->
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"
+    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.1"
+    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
+    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <xsl:output method="xml" encoding="UTF-8"/>
+
+    <xsl:template match="/">
+        <xccdf:Benchmark id="generated-xccdf" resolved="1">
+            <xccdf:status>incomplete</xccdf:status>
+            <xccdf:title>
+                <xsl:text>Automatically generated XCCDF from OVAL file: </xsl:text>
+                <xsl:value-of select="$ovalfile"/>
+            </xccdf:title>
+            <xccdf:description>This file has been generated automatically from oval definitions file.</xccdf:description>
+            <xccdf:version>
+                <xsl:attribute name="time">
+                    <xsl:value-of select="normalize-space(oval-def:oval_definitions/oval-def:generator/oval:timestamp[1]/text())"/>
+                </xsl:attribute>
+                <xsl:text>None, generated from OVAL file.</xsl:text>
+            </xccdf:version>
+            <xsl:apply-templates select="oval-def:oval_definitions/oval-def:definitions/oval-def:definition"/>
+        </xccdf:Benchmark>
+    </xsl:template>
+
+    <xsl:template match="oval-def:definition">
+        <xccdf:Rule selected="true">
+            <xsl:attribute name="id">
+                <xsl:value-of select="translate(@id,':','-')"/>
+            </xsl:attribute>
+            <xccdf:title>
+                <xsl:copy-of select="oval-def:metadata/oval-def:title/text()"/>
+            </xccdf:title>
+            <xsl:apply-templates select="oval-def:metadata/oval-def:advisory/oval-def:cve"/>
+                <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+                    <xccdf:check-content-ref href="file">
+                        <xsl:attribute name="name">
+                            <xsl:value-of select="@id"/>
+                        </xsl:attribute>
+                        <xsl:attribute name="href">
+                            <xsl:value-of select="$ovalfile"/>
+                        </xsl:attribute>
+                    </xccdf:check-content-ref>
+                </xccdf:check>
+        </xccdf:Rule>
+    </xsl:template>
+
+    <xsl:template match="oval-def:cve">
+        <xccdf:ident system="http://cve.mitre.org">
+            <xsl:copy-of select="text()"/>
+        </xccdf:ident>
+    </xsl:template>
+</xsl:stylesheet>
+
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/run_cve.sh b/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/run_cve.sh
new file mode 100644
index 0000000..48a7485
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/run_cve.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+oscap oval eval \
+--report oval.html \
+--verbose-log-file filedevel.log \
+--verbose DEVEL \
+/usr/share/xml/scap/ssg/content/ssg-openembedded-ds.xml
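Review bot: The output paths `oval.html` and `filedevel.log` are relative, so the report and the DEVEL-level log land in whatever directory the caller happens to be in, and the run fails late if that directory is read-only; the recipe later in this commit installs this script under `${datadir}/oe-scap`, which is not where results should accumulate. The data stream path is hard-coded with no existence check, so a missing scap-security-guide package only surfaces as an oscap error. A guard such as `[ -r /usr/share/xml/scap/ssg/content/ssg-openembedded-ds.xml ] || { echo "SSG data stream not installed" >&2; exit 1; }` before the oscap call makes that failure explicit.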
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/run_test.sh b/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/run_test.sh
new file mode 100644
index 0000000..70cd82c
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/files/run_test.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+#oscap oval eval --result-file ./myresults.xml ./OpenEmbedded_nodistro_0.xml
+
+oscap xccdf eval --results results.xml --report report.html OpenEmbedded_nodistro_0.xccdf.xml
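Review bot: `OpenEmbedded_nodistro_0.xccdf.xml` is referenced by a bare relative name, so the script only works when invoked from the directory the recipe installs it into (`${datadir}/oe-scap`) and fails with a file-not-found from oscap anywhere else, while `results.xml` and `report.html` are likewise written to the caller's cwd. Changing to the script's own directory first, `cd "$(dirname "$0")" || exit 1`, keeps the installed layout self-contained. The commented-out oval invocation above it is dead text; either drop it or turn it into a comment saying when it should be used instead.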
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb b/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
new file mode 100644
index 0000000..5b61375
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-openscap/oe-scap/oe-scap_1.0.bb
@@ -0,0 +1,34 @@
+# Copyright (C) 2017 Armin Kuster  <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "OE SCAP files"
+LIC_FILES_CHKSUM = "file://README.md;md5=46dec9f167b6e05986cb4023df6d92f4"
+LICENSE = "MIT"
+
+SRCREV = "7147871d7f37d408c0dd7720ef0fd3ec1b54ad98"
+SRC_URI = "git://github.com/akuster/oe-scap.git"
+SRC_URI += " \
+	file://run_cve.sh \
+	file://run_test.sh \
+	file://OpenEmbedded_nodistro_0.xml \
+        file://OpenEmbedded_nodistro_0.xccdf.xml \
+"
+	
+
+S = "${WORKDIR}/git"
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
+
+do_install () {
+	install -d ${D}/${datadir}/oe-scap
+	install ${WORKDIR}/run_cve.sh ${D}/${datadir}/oe-scap/.
+	install ${WORKDIR}/run_test.sh ${D}/${datadir}/oe-scap/.
+	install ${WORKDIR}/OpenEmbedded_nodistro_0.xml ${D}/${datadir}/oe-scap/.
+	install ${WORKDIR}/OpenEmbedded_nodistro_0.xccdf.xml ${D}/${datadir}/oe-scap/.
+	cp ${S}/* ${D}/${datadir}/oe-scap/.
+}
+
+FILES_${PN} += "${datadir}/oe-scap"
+
+RDEPENDS_${PN} = "openscap"
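Review bot: `SUMARRY` is a typo of `SUMMARY`, so BitBake silently creates an unrelated variable and the package keeps the default summary; the same typo is in openscap-daemon_0.1.6.bb, openscap_1.2.15.bb and scap-security-guide_0.1.33.bb, and those three also use `HOME_URL` where the recognised variable is `HOMEPAGE`. `LIC_FILES_CHKSUM` points at `README.md` rather than a license text, so the license check only detects edits to the README; if the repository has no LICENSE file, a comment saying so would explain the choice. `cp ${S}/* ${D}/${datadir}/oe-scap/.` ships the whole checkout with whatever modes the files have, unlike the explicit `install` lines above it, so an explicit file list or `install -m 0644` for the XML content would be more predictable.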
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.6.bb b/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.6.bb
new file mode 100644
index 0000000..fb01a11
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.6.bb
@@ -0,0 +1,20 @@
+# Copyright (C) 2017 Armin Kuster  <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "The OpenSCAP Daemon is a service that runs in the background."
+HOME_URL = "https://www.open-scap.org/tools/openscap-daemon/"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=40d2542b8c43a3ec2b7f5da31a697b88"
+LICENSE = "LGPL-2.1"
+
+DEPENDS = "python3-dbus"
+
+SRCREV = "3fd5c75a08223de35a865d026d2a6980ec9c1d74"
+SRC_URI = "git://github.com/OpenSCAP/openscap-daemon.git"
+
+PV = "0.1.6+git${SRCPV}"
+
+inherit setuptools3
+
+S = "${WORKDIR}/git"
+
+RDEPENDS_${PN} = "python"
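Review bot: `RDEPENDS_${PN} = "python"` names the Python 2 runtime, while the recipe builds with `inherit setuptools3` and depends on `python3-dbus`, so the installed daemon presumably needs `python3` at runtime and also `python3-dbus`, which is currently only a build-time `DEPENDS`; confirm against the daemon's entry point and change the line to `RDEPENDS_${PN} = "python3 python3-dbus"` if so.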
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch b/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch
new file mode 100644
index 0000000..2d70855
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/files/crypto_pkgconfig.patch
@@ -0,0 +1,36 @@
+Index: git/configure.ac
+===================================================================
+--- git.orig/configure.ac
++++ git/configure.ac
+@@ -360,25 +360,13 @@ case "${with_crypto}" in
+         AC_DEFINE([HAVE_NSS3], [1], [Define to 1 if you have 'NSS' library.])
+         ;;
+     gcrypt)
+-	SAVE_LIBS=$LIBS
+-        AC_CHECK_LIB([gcrypt], [gcry_check_version],
+-                     [crapi_CFLAGS=`libgcrypt-config --cflags`;
+-                      crapi_LIBS=`libgcrypt-config --libs`;
+-                      crapi_libname="GCrypt";],
+-                     [AC_MSG_ERROR([library 'gcrypt' is required for GCrypt.])],
+-                     [])
+-        AC_DEFINE([HAVE_GCRYPT], [1], [Define to 1 if you have 'gcrypt' library.])
+-	AC_CACHE_CHECK([for GCRYCTL_SET_ENFORCED_FIPS_FLAG],
+-                    [ac_cv_gcryctl_set_enforced_fips_flag],
+-                    [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([#include<gcrypt.h>],
+-                                                        [return GCRYCTL_SET_ENFORCED_FIPS_FLAG;])],
+-                                       [ac_cv_gcryctl_set_enforced_fips_flag=yes],
+-                                       [ac_cv_gcryctl_set_enforced_fips_flag=no])])
++	PKG_CHECK_MODULES([libgcrypt], [libgcrypt >= 1.7.9],[],
++			  AC_MSG_FAILURE([libgcrypt devel support is missing]))
+ 
+-	if test "${ac_cv_gcryctl_set_enforced_fips_flag}" == "yes"; then
+-	   AC_DEFINE([HAVE_GCRYCTL_SET_ENFORCED_FIPS_FLAG], [1], [Define to 1 if you have 'gcrypt' library with GCRYCTL_SET_ENFORCED_FIPS_FLAG.])
+-	fi
+-	LIBS=$SAVE_LIBS
++	crapi_libname="libgcrypt"
++	crapi_CFLAGS=$libgcrypt_CFLAGS
++	crapi_LIBS=$libgcrypt_LIBS
++        AC_DEFINE([HAVE_GCRYPT], [1], [Define to 1 if you have 'libgcrypt' library.])
+         ;;
+          *)
+           AC_MSG_ERROR([unknown crypto backend])
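Review bot: Besides switching to pkg-config, the patch deletes the `AC_CACHE_CHECK` for `GCRYCTL_SET_ENFORCED_FIPS_FLAG` together with the `AC_DEFINE([HAVE_GCRYCTL_SET_ENFORCED_FIPS_FLAG])` it fed, so any openscap code guarded by that macro is silently compiled out for the gcrypt backend and enforced-FIPS handling disappears without the patch saying so. If dropping it is intentional the patch header should state that; otherwise the compile check can be kept after the `PKG_CHECK_MODULES` call, with `$libgcrypt_CFLAGS` added to `CPPFLAGS` for the duration of the test so `gcrypt.h` is found. The patch also lacks the `Upstream-Status:` and `Signed-off-by:` header lines that the other patches in this commit carry.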
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch b/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
new file mode 100644
index 0000000..ecbe602
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/files/probe_dir_fixup.patch
@@ -0,0 +1,17 @@
+Index: git/configure.ac
+===================================================================
+--- git.orig/configure.ac
++++ git/configure.ac
+@@ -1109,11 +1109,7 @@ AC_ARG_WITH([crypto],
+      [],
+      [crypto=gcrypt])
+ 
+-if test "x${libexecdir}" = xNONE; then
+-	probe_dir="/usr/local/libexec/openscap"
+-else
+-	EXPAND_DIR(probe_dir,"${libexecdir}/openscap")
+-fi
++probe_dir="/usr/local/libexec/openscap"
+ 
+ AC_SUBST(probe_dir)
+ 
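Review bot: The patch replaces the `${libexecdir}`-derived `probe_dir` with an unconditional `/usr/local/libexec/openscap`, and since that value goes through `AC_SUBST(probe_dir)` it is presumably the compiled-in location from which `oscap` runs its probe helpers; unless the recipe installs the probes to exactly that path, the target binary will look for executables in a directory nothing populates. If this is only needed for the native build, say so in a patch header and apply it conditionally rather than for every configuration. The patch is also missing the `Upstream-Status:` line, and nothing in this commit's openscap_1.2.15.bb lists it in `SRC_URI`.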
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest b/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest
new file mode 100644
index 0000000..454a6a3
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/files/run-ptest
@@ -0,0 +1,3 @@
+#!/bin/sh
+cd tests
+make -k check
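Review bot: `cd tests` is unchecked, so if the directory is missing the script runs `make -k check` in `${PTEST_PATH}` itself and reports whatever that Makefile does instead of a clear failure; `cd tests || exit 1` fixes it. `make -k` keeps going past failing tests, which suits ptest output, but the script's exit status is then make's and the harness presumably expects PASS/FAIL lines from the test Makefile — confirm that `buildtest-TESTS` output is in that form.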
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc b/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
new file mode 100644
index 0000000..e9589b6
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap.inc
@@ -0,0 +1,2 @@
+STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source"
+STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.15.bb b/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.15.bb
new file mode 100644
index 0000000..7cbb1e2
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-openscap/openscap/openscap_1.2.15.bb
@@ -0,0 +1,86 @@
+# Copyright (C) 2017 Armin Kuster  <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "NIST Certified SCAP 1.2 toolkit"
+HOME_URL = "https://www.open-scap.org/tools/openscap-base/"
+LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24"
+LICENSE = "LGPL-2.1"
+
+DEPENDS = "autoconf-archive pkgconfig gconf procps curl libxml2 rpm \
+          libxslt libcap swig swig-native"
+
+DEPENDS_class-native = "autoconf-archive-native pkgconfig-native swig-native curl-native libxml2-native libxslt-native dpkg-native libgcrypt-native nss-native"
+
+SRCREV = "240930d42611983c65ecae16dbca3248ce130921"
+SRC_URI = "git://github.com/akuster/openscap.git;branch=oe \
+           file://crypto_pkgconfig.patch \
+           file://run-ptest \
+"
+
+inherit autotools-brokensep pkgconfig python3native perlnative ptest
+
+S = "${WORKDIR}/git"
+
+PACKAGECONFIG ?= "nss3 pcre rpm"
+PACKAGECONFIG[pcre] = ",--enable-regex-posix, libpcre"
+PACKAGECONFIG[gcrypt] = "--with-crypto=gcrypt,, libgcrypt "
+PACKAGECONFIG[nss3] = "--with-crypto=nss3,, nss"
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python"
+PACKAGECONFIG[python3] = "--enable-python3, --disable-python3, python3, python3"
+PACKAGECONFIG[perl] = "--enable-perl, --disable-perl, perl, perl"
+PACKAGECONFIG[rpm] = " --enable-util-scap-as-rpm, --disable-util-scap-as-rpm, rpm, rpm"
+
+export LDFLAGS += " -ldl"
+
+EXTRA_OECONF += "--enable-probes-independent --enable-probes-linux \
+		--enable-probes-solaris --enable-probes-unix  --disable-util-oscap-docker\
+		--enable-util-oscap-ssh --enable-util-oscap --enable-ssp --enable-sce \
+"
+
+EXTRA_OECONF_class-native += "--disable-probes-independent --enable-probes-linux \
+		--disable-probes-solaris --disable-probes-unix \
+		--enable-util-oscap \
+"
+
+do_configure_prepend () {
+	sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/perl/Makefile.am
+	sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python3/Makefile.am
+	sed -i 's:-I/usr/include:-I${STAGING_INCDIR}:' ${S}/swig/python2/Makefile.am
+}
+
+
+include openscap.inc
+
+do_configure_append_class-native () {
+	sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${S}/config.h
+	sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${S}/config.h
+	sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${S}/config.h
+}
+
+do_clean[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}"
+
+do_install_append_class-native () {
+	oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native}
+	install -d $oscapdir	
+	cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir
+}
+
+TESTDIR = "tests"
+
+do_compile_ptest() {
+    sed -i 's:python2:python:' ${S}/${TESTDIR}/nist/test_worker.py
+    echo 'buildtest-TESTS: $(check)' >> ${TESTDIR}/Makefile
+    oe_runmake -C ${TESTDIR} buildtest-TESTS
+}
+
+do_install_ptest() {
+    # install the tests
+    cp -rf ${B}/${TESTDIR} ${D}${PTEST_PATH}
+}
+
+FILES_${PN} += "${PYTHON_SITEPACKAGES_DIR}"
+
+RDEPENDS_${PN} += "libxml2 python libgcc"
+RDEPENDS_${PN}-ptest = "bash perl python"
+
+BBCLASSEXTEND = "native"
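Review bot: `probe_dir_fixup.patch` is added in this commit alongside `crypto_pkgconfig.patch`, but only the latter appears in `SRC_URI`, so the probe-directory patch is never applied unless a bbappend outside this view adds it. `PACKAGECONFIG[gcrypt]` and `PACKAGECONFIG[nss3]` both emit `--with-crypto=`, so enabling both produces conflicting configure flags with whichever comes last winning; a comment `# gcrypt and nss3 are mutually exclusive: both set --with-crypto` above the default would prevent that. `do_install_append_class-native` copies the native data into `${STAGING_OSCAP_BUILDDIR}`, a shared directory outside the sysroot that sstate presumably does not track, so a build that restores openscap-native from sstate will not recreate it — confirm against how scap-security-guide's `do_configure_prepend` consumes that path.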
diff --git a/import-layers/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb b/import-layers/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
new file mode 100644
index 0000000..7fa417d
--- /dev/null
+++ b/import-layers/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.33.bb
@@ -0,0 +1,57 @@
+# Copyright (C) 2017 Armin Kuster  <akuster808@gmail.com>
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+SUMARRY = "SCAP content for various platforms"
+HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=236e81befc8154d18c93c848185d7e52"
+LICENSE = "LGPL-2.1"
+
+DEPENDS = "openscap-native"
+
+SRCREV = "423d9f40021a03abd018bef7818a3a9fe91a083c"
+SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe;"
+
+inherit cmake
+
+PARALLEL_MAKE = ""
+
+S = "${WORKDIR}/git"
+
+STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
+
+EXTRA_OECMAKE += "-DSSG_PRODUCT_CHROMIUM:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_DEBIAN8:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_FEDORA:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_FIREFOX:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_JBOSS_EAP5:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_JBOSS_FUSE6:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_JRE:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_OPENSUSE:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_OSP7:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL5:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL6:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEL7:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_RHEV3:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_SUSE11:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_SUSE12:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_UBUNTU1404:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_UBUNTU1604:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_WRLINUX:BOOL=OFF"
+EXTRA_OECMAKE += "-DSSG_PRODUCT_WEBMIN:BOOL=OFF"
+
+do_configure_prepend () {
+	sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g'   ${S}/CMakeLists.txt
+        sed -i 's:/usr/share/openscap/:${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/:g' ${S}/cmake/SSGCommon.cmake
+}
+
+do_compile () {
+	cd ${B}
+	make openembedded 
+}
+
+do_install () {
+	cd ${B}
+	make DESTDIR=${D} install
+}
+FILES_${PN} += "${datadir}/xml"
+RDEPNEDS_${PN} = "openscap"
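Review bot: `RDEPNEDS_${PN} = "openscap"` on the last line is a typo of `RDEPENDS_${PN}`, so BitBake assigns an unrelated variable and the runtime dependency on openscap is silently dropped; it should read `RDEPENDS_${PN} = "openscap"`. `STAGING_OSCAP_BUILDDIR` is redefined here verbatim instead of coming from the openscap.inc added in the same commit, so the two definitions can drift apart; a `require` of that file would keep one source of truth. `do_compile` and `do_install` call `make` directly rather than `oe_runmake`, so `PARALLEL_MAKE = ""` has no effect here and `EXTRA_OEMAKE` is ignored.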
diff --git a/import-layers/meta-security/meta-tpm/README b/import-layers/meta-security/meta-tpm/README
new file mode 100644
index 0000000..bbc70bb
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/README
@@ -0,0 +1,4 @@
+meta-tpm layer
+==============
+
+This layer contains base TPM recipes.
diff --git a/import-layers/meta-security/meta-tpm/conf/layer.conf b/import-layers/meta-security/meta-tpm/conf/layer.conf
new file mode 100644
index 0000000..a2f0cab
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/conf/layer.conf
@@ -0,0 +1,15 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+
+# We have a recipes directory, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "tpm-layer"
+BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
+BBFILE_PRIORITY_tpm-layer = "6"
+
+LAYERSERIES_COMPAT_tpm-layer = "sumo"
+
+LAYERDEPENDS_tpm-layer = " \
+    core \
+"
diff --git a/import-layers/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb b/import-layers/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb
new file mode 100644
index 0000000..a337076
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-core/images/security-tpm-image.bb
@@ -0,0 +1,19 @@
+DESCRIPTION = "A small image for building meta-security packages"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+IMAGE_INSTALL = "\
+    packagegroup-base \
+    packagegroup-core-boot \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm',  'packagegroup-security-tpm',  '', d)} \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'packagegroup-security-tpm2', '', d)} \
+    os-release \
+    ${CORE_IMAGE_EXTRA_INSTALL}"
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-tpm-image"
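Review bot: `DESCRIPTION = "A small image for building meta-security packages"` does not describe this image, whose `IMAGE_INSTALL` pulls in the TPM and TPM 2.0 packagegroups; `DESCRIPTION = "A small image for testing meta-tpm TPM support"` would. Since `IMAGE_FEATURES += "ssh-server-openssh"` enables sshd in every build of this image, the description should also make clear it is a test image rather than a production base. The same copy-pasted `DESCRIPTION = "Security packagegroup for Poky"` appears on packagegroup-security-tpm, packagegroup-security-tpm2 and packagegroup-security-vtpm later in this commit.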
diff --git a/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb
new file mode 100644
index 0000000..3b9d271
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm-i2c.bb
@@ -0,0 +1,19 @@
+DESCRIPTION = "Security packagegroup for TPM i2c support"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit packagegroup
+
+PACKAGES = "packagegroup-security-tpm-i2c"
+
+SUMMARY_packagegroup-security-tpm-i2c = "Security TPM i2c support"
+RDEPENDS_packagegroup-security-tpm-i2c = " \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'packagegroup-security-tpm', '', d)} \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'packagegroup-security-tpm2', '', d)} \
+    kernel-module-tpm-i2c-atmel \
+    kernel-module-tpm-i2c-infineon \
+    kernel-module-tpm-i2c-nuvoton \
+    kernel-module-tpm-st33zp24 \
+    kernel-module-tpm-st33zp24-i2c \
+    "
diff --git a/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb
new file mode 100644
index 0000000..25126ef
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm.bb
@@ -0,0 +1,29 @@
+DESCRIPTION = "Security packagegroup for Poky"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit packagegroup
+
+PACKAGES = "packagegroup-security-tpm"
+
+SUMMARY_packagegroup-security-tpm = "Security TPM support"
+RDEPENDS_packagegroup-security-tpm = " \
+    tpm-tools \
+    trousers \
+    ${X86_TPM_MODULES} \
+    "
+
+X86_TPM_MODULES ?= ""
+
+X86_TPM_MODULES_x86 = " \
+    kernel-module-tpm-atmel \
+    kernel-module-tpm-infineon \
+    kernel-module-tpm-nsc \
+    "
+
+X86_TPM_MODULES_x86-64 = " \
+    kernel-module-tpm-atmel \
+    kernel-module-tpm-infineon \
+    kernel-module-tpm-nsc \
+    "
diff --git a/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
new file mode 100644
index 0000000..13b505f
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb
@@ -0,0 +1,18 @@
+DESCRIPTION = "Security packagegroup for Poky"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit packagegroup
+
+PACKAGES = "packagegroup-security-tpm2"
+
+SUMMARY_packagegroup-security-tpm2 = "Security TPM 2.0 support"
+RDEPENDS_packagegroup-security-tpm2 = " \
+    tpm2.0-tools \
+    trousers \
+    libtss2 \
+    libtctidevice \
+    libtctisocket \
+    resourcemgr \
+    "
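Review bot: `trousers` is a TPM 1.2 TSS stack, whereas the rest of this list (`tpm2.0-tools`, `libtss2`, the TCTI libraries and `resourcemgr`) is the TPM 2.0 stack, so if nothing in this group needs it the entry pulls a second, unrelated TSS daemon into TPM 2.0 images — confirm against tpm2.0-tools' runtime dependencies and drop it if unused. If it is intentional, a comment such as `# trousers: required by <consumer> -- TODO name it` keeps the next reader from removing it.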
diff --git a/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb
new file mode 100644
index 0000000..2e9394f
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-vtpm.bb
@@ -0,0 +1,14 @@
+DESCRIPTION = "Security packagegroup for Poky"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+                    file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit packagegroup
+
+PACKAGES = "packagegroup-security-vtpm"
+
+SUMMARY_packagegroup-security-vtpm = "Security Software vTPM support"
+RDEPENDS_packagegroup-security-vtpm = " \
+    libtpm \
+    swtpm \
+    "		
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.cfg b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.cfg
new file mode 100644
index 0000000..8782823
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.cfg
@@ -0,0 +1,8 @@
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TPM=y
+CONFIG_TCG_TIS_CORE=y
+CONFIG_TCG_TIS=y
+CONFIG_SECURITYFS=y
+CONFIG_TCG_NSC=m
+CONFIG_TCG_ATMEL=m
+CONFIG_TCG_INFINEON=m
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.scc b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.scc
new file mode 100644
index 0000000..2949ed4
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm.scc
@@ -0,0 +1,3 @@
+define KFEATURE_DESCRIPTION "Enable TPM"
+
+kconf hardware tpm.cfg
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.cfg b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.cfg
new file mode 100644
index 0000000..a81b54d
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.cfg
@@ -0,0 +1,6 @@
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TPM=y
+CONFIG_TCG_TIS_CORE=y
+CONFIG_TCG_TIS=y
+CONFIG_TCG_CRB=y
+CONFIG_SECURITYFS=y
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.scc b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.scc
new file mode 100644
index 0000000..088148f
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm2.scc
@@ -0,0 +1,3 @@
+define KFEATURE_DESCRIPTION "Enable TPM 2.0"
+
+kconf hardware tpm2.cfg
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.cfg b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.cfg
new file mode 100644
index 0000000..59993f9
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.cfg
@@ -0,0 +1,15 @@
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TPM=y
+CONFIG_TCG_TIS_CORE=y
+CONFIG_TCG_TIS=y
+CONFIG_SECURITYFS=y
+
+CONFIG_REGMAP_I2C=y
+CONFIG_I2C_BOARDINFO=y
+CONFIG_I2C_COMPAT=y
+CONFIG_RTC_I2C_AND_SPI=y
+
+CONFIG_TCG_TIS_I2C_ATMEL=m
+CONFIG_TCG_TIS_I2C_INFINEON=m
+CONFIG_TCG_TIS_I2C_NUVOTON=m
+CONFIG_TCG_TIS_ST33ZP24_I2C=m
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.scc b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.scc
new file mode 100644
index 0000000..0e4eedb
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_i2c.scc
@@ -0,0 +1,6 @@
+define KFEATURE_DESCRIPTION "Enable TPM i2c"
+
+include features/i2c/i2c.scc
+
+kconf hardware tpm_i2c.cfg
+
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_x86.cfg b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_x86.cfg
new file mode 100644
index 0000000..8be331a
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/tpm_x86.cfg
@@ -0,0 +1,4 @@
+CONFIG_TCG_NSC=m
+CONFIG_TCG_ATMEL=m
+CONFIG_TCG_INFINEON=m
+CONFIG_TCG_TIS_ST33ZP24=m
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.cfg b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.cfg
new file mode 100644
index 0000000..a8b3758
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.cfg
@@ -0,0 +1,5 @@
+CONFIG_HW_RANDOM_TPM=y
+CONFIG_TCG_TPM=y
+CONFIG_TCG_VTPM_PROXY=y
+CONFIG_SECURITYFS=y
+~                    
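Review bot: The last line of vtpm.cfg is a stray `~` followed by trailing spaces, which looks like an editor filler line pasted into the file rather than configuration; kernel fragment merging will not recognise it as a `CONFIG_` option and it should be deleted. Unlike the other fragments in this commit, this one enables no `CONFIG_TCG_TIS*` driver, which is presumably deliberate for the vTPM proxy; a comment `# vtpm proxy only: no hardware TIS driver needed` would make that visible.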
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.scc b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.scc
new file mode 100644
index 0000000..e842da6
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto/vtpm.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable vTPM"
+
+kconf hardware vtpm.cfg
+
diff --git a/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_4.%.bbappend b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_4.%.bbappend
new file mode 100644
index 0000000..cea8b1b
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -0,0 +1,17 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/linux-yocto:"
+
+# Enable tpm in kernel 
+SRC_URI_append_x86 = " \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
+    "
+
+SRC_URI_append_x86-64 = " \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm', 'file://tpm.scc', '', d)} \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm2', 'file://tpm2.scc', '', d)} \
+    "
+
+SRC_URI += " \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'tpm_i2c', 'file://tpm_i2c.scc', '', d)} \
+    ${@bb.utils.contains('MACHINE_FEATURES', 'vtpm', 'file://vtpm.scc', '', d)} \
+    "
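Review bot: `tpm_x86.cfg` is added in this commit but no `.scc` feature references it and this bbappend only pulls in tpm.scc, tpm2.scc, tpm_i2c.scc and vtpm.scc, so its `CONFIG_TCG_TIS_ST33ZP24=m` line never reaches the kernel, while tpm.cfg already duplicates its NSC/ATMEL/INFINEON entries; either hook it in from tpm.scc with `kconf hardware tpm_x86.cfg` or remove the file. The `SRC_URI_append_x86` and `SRC_URI_append_x86-64` blocks are identical, so a comment noting they must be kept in sync would help the next edit.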
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch
new file mode 100644
index 0000000..9e1021a
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch
@@ -0,0 +1,26 @@
+From 09e7dd42e5201d079bad70e9f7cc6033ce1c7cad Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Fri, 3 Feb 2017 10:58:22 -0500
+Subject: [PATCH] Convert another vdprintf to dprintf
+
+Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Upstream-Status: Backport
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/tpm_library.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: git/src/tpm_library.c
+===================================================================
+--- git.orig/src/tpm_library.c
++++ git/src/tpm_library.c
+@@ -427,7 +427,7 @@ void TPMLIB_LogPrintfA(unsigned int inde
+             indent = sizeof(spaces) - 1;
+         memset(spaces, ' ', indent);
+         spaces[indent] = 0;
+-        vdprintf(debug_fd, spaces, NULL);
++        dprintf(debug_fd, "%s", spaces);
+     }
+ 
+     va_start(args, format);
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch
new file mode 100644
index 0000000..a71b5c1
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch
@@ -0,0 +1,33 @@
+From 6a9b4e5d70f770aa9ca31e3e6d3b1ae72c192070 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.vnet.ibm.com>
+Date: Tue, 31 Jan 2017 20:10:51 -0500
+Subject: [PATCH] Use format '%s' for call to dprintf
+
+Fix the dprintf call to use a format parameter that otherwise causes
+errors with gcc on certain platforms.
+
+Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+replaces local patch
+Signed-off-by: Armin Kuster <akuster@mvsita.com>
+
+---
+ src/tpm_library.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: git/src/tpm_library.c
+===================================================================
+--- git.orig/src/tpm_library.c
++++ git/src/tpm_library.c
+@@ -405,8 +405,8 @@ int TPMLIB_LogPrintf(const char *format,
+     }
+ 
+     if (debug_prefix)
+-        dprintf(debug_fd, debug_prefix);
+-    dprintf(debug_fd, buffer);
++        dprintf(debug_fd, "%s", debug_prefix);
++    dprintf(debug_fd, "%s", buffer);
+ 
+     return i;
+ }
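Review bot: The `Signed-off-by:` trailer in this patch header gives `akuster@mvsita.com`, which looks like a transposition of the `akuster@mvista.com` address used in Convert-another-vdprintf-to-dprintf.patch and is worth correcting before the patch travels further. The code change itself is the right fix: passing `debug_prefix` and `buffer` as the format argument would let any `%` in the logged text be interpreted as a conversion.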
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch
new file mode 100644
index 0000000..fc13aa5
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch
@@ -0,0 +1,48 @@
+Upstream-Status: Pending
+Signed-off-by: Armin kuster <akuster808@gmail.com>
+
+Index: git/src/swtpm/ctrlchannel.c
+===================================================================
+--- git.orig/src/swtpm/ctrlchannel.c
++++ git/src/swtpm/ctrlchannel.c
+@@ -152,7 +152,8 @@ static int ctrlchannel_receive_state(ptm
+     uint32_t tpm_number = 0;
+     unsigned char *blob = NULL;
+     uint32_t blob_length = be32toh(pss->u.req.length);
+-    uint32_t remain = blob_length, offset = 0;
++    ssize_t remain = (ssize_t) blob_length;
++    uint32_t offset = 0;
+     TPM_RESULT res;
+     uint32_t flags = be32toh(pss->u.req.state_flags);
+     TPM_BOOL is_encrypted = (flags & PTM_STATE_FLAG_ENCRYPTED) != 0;
+Index: git/src/swtpm_ioctl/tpm_ioctl.c
+===================================================================
+--- git.orig/src/swtpm_ioctl/tpm_ioctl.c
++++ git/src/swtpm_ioctl/tpm_ioctl.c
+@@ -303,7 +303,7 @@ static int do_save_state_blob(int fd, bo
+         numbytes = write(file_fd, pgs.u.resp.data,
+                          devtoh32(is_chardev, pgs.u.resp.length));
+ 
+-        if (numbytes != devtoh32(is_chardev, pgs.u.resp.length)) {
++        if (numbytes != (ssize_t) devtoh32(is_chardev, pgs.u.resp.length)) {
+             fprintf(stderr,
+                     "Could not write to file '%s': %s\n",
+                     filename, strerror(errno));
+@@ -420,7 +420,7 @@ static int do_load_state_blob(int fd, bo
+                had_error = true;
+                break;
+             }
+-            pss.u.req.length = htodev32(is_chardev, numbytes);
++            pss.u.req.length = htodev32(is_chardev, (uint32_t) numbytes);
+ 
+             /* the returnsize is zero on all intermediate packets */
+             returnsize = ((size_t)numbytes < sizeof(pss.u.req.data))
+@@ -863,7 +863,7 @@ int main(int argc, char *argv[])
+             return EXIT_FAILURE;
+         }
+         /* no tpm_result here */
+-        printf("ptm capability is 0x%lx\n", (uint64_t)devtoh64(is_chardev, cap));
++        printf("ptm capability is 0x%llx\n", (uint64_t)devtoh64(is_chardev, cap));
+ 
+     } else if (!strcmp(command, "-i")) {
+         init.u.req.init_flags = htodev32(is_chardev, PTM_INIT_FLAG_DELETE_VOLATILE);
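Review bot: The `%lx` to `%llx` change in the last hunk trades one non-portable format for another: `uint64_t` is `unsigned long` on LP64 targets and `unsigned long long` on 32-bit ones, so `-Wformat` complains on one side or the other. The portable form is `printf("ptm capability is 0x%" PRIx64 "\n", (uint64_t)devtoh64(is_chardev, cap));` with `<inttypes.h>` included if it is not already. The `(ssize_t) blob_length` conversion in ctrlchannel.c makes `remain` signed, but the loop that consumes it is outside the hunk, so confirm its comparisons against `offset` and the read lengths were updated to match.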
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb
new file mode 100644
index 0000000..b29ec6b
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/libtpm/libtpm_1.0.bb
@@ -0,0 +1,18 @@
+SUMMARY = "LIBPM - Software TPM Library"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=97e5eea8d700d76b3ddfd35c4c96485f"
+
+SRCREV = "3388d45082bdc588c6fc0672f44d6d7d0aaa86ff"
+SRC_URI = " \
+	git://github.com/stefanberger/libtpms.git \
+	"
+
+S = "${WORKDIR}/git"
+inherit autotools-brokensep pkgconfig
+
+PACKAGECONFIG ?= "openssl"
+PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
+
+PV = "1.0+git${SRCPV}"
+
+BBCLASSEXTEND = "native"
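Review bot: None of the three patches added under recipes-tpm/libtpm/files in this commit (Convert-another-vdprintf-to-dprintf.patch, Use-format-s-for-call-to-dprintf.patch, fix_signed_issue.patch) is listed in `SRC_URI`, so the format-string fixes are not applied and the build presumably hits the gcc errors the second patch describes; add `file://Use-format-s-for-call-to-dprintf.patch \` and `file://Convert-another-vdprintf-to-dprintf.patch \` to `SRC_URI`. fix_signed_issue.patch touches `src/swtpm/ctrlchannel.c` and `src/swtpm_ioctl/tpm_ioctl.c`, which are swtpm sources rather than libtpms, so it looks misplaced in this recipe's files directory. `SUMMARY = "LIBPM - Software TPM Library"` also does not match the project name libtpms in the git URL.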
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
new file mode 100644
index 0000000..67071b6
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0001-create-tpm-key-support-well-known-key-option.patch
@@ -0,0 +1,99 @@
+commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
+Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
+Date:   Wed Jun 19 18:57:13 2013 +0800
+
+support well-known password in openssl-tpm-engine.
+
+Add "-z" option to select well known password in create_tpm_key tool.
+
+Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
+
+diff --git a/create_tpm_key.c b/create_tpm_key.c
+index fee917f..7b94d62 100644
+--- a/create_tpm_key.c
++++ b/create_tpm_key.c
+@@ -46,6 +46,8 @@
+ #include <trousers/tss.h>
+ #include <trousers/trousers.h>
+ 
++#define TPM_WELL_KNOWN_KEY_LEN 20   /*well know key length is 20 bytes zero*/
++
+ #define print_error(a,b) \
+ 	fprintf(stderr, "%s:%d %s result: 0x%x (%s)\n", __FILE__, __LINE__, \
+ 		a, b, Trspi_Error_String(b))
+@@ -70,6 +72,7 @@ usage(char *argv0)
+ 		"\t\t-e|--enc-scheme  encryption scheme to use [PKCSV15] or OAEP\n"
+ 		"\t\t-q|--sig-scheme  signature scheme to use [DER] or SHA1\n"
+ 		"\t\t-s|--key-size    key size in bits [2048]\n"
++		"\t\t-z|--zerokey     use well known 20 bytes zero as SRK password.\n"
+ 		"\t\t-a|--auth        require a password for the key [NO]\n"
+ 		"\t\t-p|--popup       use TSS GUI popup dialogs to get the password "
+ 		"for the\n\t\t\t\t key [NO] (implies --auth)\n"
+@@ -147,6 +150,7 @@ int main(int argc, char **argv)
+ 	int		asn1_len;
+ 	char		*filename, c, *openssl_key = NULL;
+ 	int		option_index, auth = 0, popup = 0, wrap = 0;
++	int		wellknownkey = 0;
+ 	UINT32		enc_scheme = TSS_ES_RSAESPKCSV15;
+ 	UINT32		sig_scheme = TSS_SS_RSASSAPKCS1V15_DER;
+ 	UINT32		key_size = 2048;
+@@ -154,12 +158,15 @@ int main(int argc, char **argv)
+ 
+ 	while (1) {
+ 		option_index = 0;
+-		c = getopt_long(argc, argv, "pe:q:s:ahw:",
++		c = getopt_long(argc, argv, "pe:q:s:zahw:",
+ 				long_options, &option_index);
+ 		if (c == -1)
+ 			break;
+ 
+ 		switch (c) {
++			case 'z':
++				wellknownkey = 1;
++				break;
+ 			case 'a':
+ 				initFlags |= TSS_KEY_AUTHORIZATION;
+ 				auth = 1;
+@@ -293,6 +300,8 @@ int main(int argc, char **argv)
+ 
+ 	if (srk_authusage) {
+ 		char *authdata = calloc(1, 128);
++		TSS_FLAG secretMode = TSS_SECRET_MODE_PLAIN;
++		int authlen = 0;
+ 
+ 		if (!authdata) {
+ 			fprintf(stderr, "malloc failed.\n");
+@@ -309,17 +318,26 @@ int main(int argc, char **argv)
+ 			exit(result);
+ 		}
+ 
+-		if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
+-			Tspi_Context_CloseObject(hContext, hKey);
+-			Tspi_Context_Close(hContext);
+-			free(authdata);
+-			exit(result);
++		if (wellknownkey) {
++			memset(authdata, 0, TPM_WELL_KNOWN_KEY_LEN);
++			secretMode = TSS_SECRET_MODE_SHA1;
++			authlen = TPM_WELL_KNOWN_KEY_LEN;
++		}
++		else {
++			if (EVP_read_pw_string(authdata, 128, "SRK Password: ", 0)) {
++				Tspi_Context_CloseObject(hContext, hKey);
++				Tspi_Context_Close(hContext);
++				free(authdata);
++				exit(result);
++			}
++			secretMode = TSS_SECRET_MODE_PLAIN;
++			authlen = strlen(authdata);
+ 		}
+ 
+ 		//Set Secret
+ 		if ((result = Tspi_Policy_SetSecret(srkUsagePolicy,
+-						    TSS_SECRET_MODE_PLAIN,
+-						    strlen(authdata),
++						    secretMode,
++						    authlen,
+ 						    (BYTE *)authdata))) {
+ 			print_error("Tspi_Policy_SetSecret", result);
+ 			free(authdata);
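Review bot: The help text added in the `usage()` hunk advertises `-z|--zerokey`, but no `{"zerokey", 0, NULL, 'z'}` entry is added to `long_options` anywhere in this 99-line patch, so `--zerokey` is rejected by `getopt_long` while `-z` works; either add the long_options entry or drop `--zerokey` from the usage string. Separately, `authdata` holds the SRK secret (or the 20-byte well-known value) and is handed to `free(authdata)` on every path without being cleared first; `OPENSSL_cleanse(authdata, 128);` before each free keeps the secret out of freed heap. `main()` continues outside the hunk and `long_options` is defined above the visible range, so the missing entry is inferred from the patch touching no other hunk.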
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
new file mode 100644
index 0000000..f718f2e
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0002-libtpm-support-env-TPM_SRK_PW.patch
@@ -0,0 +1,80 @@
+commit 16dac0cb7b73b8a7088300e45b98ac20819b03ed
+Author: Junxian.Xiao <Junxian.Xiao@windriver.com>
+Date:   Wed Jun 19 18:57:13 2013 +0800
+
+support reading SRK password from env TPM_SRK_PW
+
+Add "env TPM_SRK_PW=xxxx" to set password for libtpm.so. Specially,
+use "env TPM_SRK_PW=#WELLKNOWN#" to set well known password.
+
+Signed-off-by: Junxian.Xiao <Junxian.Xiao@windriver.com>
+
+diff --git a/e_tpm.c b/e_tpm.c
+index f3e8bcf..7dcb75a 100644
+--- a/e_tpm.c
++++ b/e_tpm.c
+@@ -38,6 +38,8 @@
+ 
+ #include "e_tpm.h"
+ 
++#define TPM_WELL_KNOWN_KEY_LEN 20   /*well know key length is 20 bytes zero*/
++
+ //#define DLOPEN_TSPI
+ 
+ #ifndef OPENSSL_NO_HW
+@@ -248,6 +250,10 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ 	TSS_RESULT result;
+ 	UINT32 authusage;
+ 	BYTE *auth;
++	char *srkPasswd = NULL;
++	TSS_FLAG secretMode = secret_mode;
++	int authlen = 0;
++
+ 
+ 	if (hSRK != NULL_HKEY) {
+ 		DBGFN("SRK is already loaded.");
+@@ -299,18 +305,36 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ 		return 0;
+ 	}
+ 
+-	if (!tpm_engine_get_auth(ui, (char *)auth, 128, "SRK authorization: ",
+-				cb_data)) {
+-		Tspi_Context_CloseObject(hContext, hSRK);
+-		free(auth);
+-		TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
+-		return 0;
++	srkPasswd = getenv("TPM_SRK_PW");
++	if (NULL != srkPasswd) {
++		if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
++			memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
++			secretMode = TSS_SECRET_MODE_SHA1;
++			authlen = TPM_WELL_KNOWN_KEY_LEN;
++		} else {
++			int authbuflen = 128;
++			memset(auth, 0, authbuflen);
++			strncpy(auth, srkPasswd, authbuflen-1);
++			secretMode = TSS_SECRET_MODE_PLAIN;
++			authlen = strlen(auth);
++		}
++	}
++	else {
++		if (!tpm_engine_get_auth(ui, (char *)auth, 128,
++				"SRK authorization: ", cb_data)) {
++			Tspi_Context_CloseObject(hContext, hSRK);
++			free(auth);
++			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++			return 0;
++		}
++		secretMode = secret_mode;
++		authlen = strlen(auth);
+ 	}
+ 
+ 	/* secret_mode is a global that may be set by engine ctrl
+ 	 * commands.  By default, its set to TSS_SECRET_MODE_PLAIN */
+-	if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secret_mode,
+-					      strlen((char *)auth), auth))) {
++	if ((result = Tspi_Policy_SetSecret(hSRKPolicy, secretMode,
++					      authlen, auth))) {
+ 		Tspi_Context_CloseObject(hContext, hSRK);
+ 		free(auth);
+ 		TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
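Review bot: The new `TPM_SRK_PW` path reads the SRK secret from the process environment, which is readable by any process of the same user and is inherited by every child the host process spawns; the `getenv` call should at least carry a comment such as `/* NOTE: TPM_SRK_PW is visible to this process's children and same-user processes; development use only */`, and the later 0003-…parse-an-encrypted-tpm-SRK-pa.patch in this commit fences it behind TPM_SRK_PLAIN_PW for that reason. The `strncpy(auth, srkPasswd, authbuflen-1)` branch silently truncates a password longer than 127 bytes, producing a wrong secret instead of an error; rejecting `strlen(srkPasswd) >= authbuflen` is safer. The comment `/* secret_mode is a global that may be set ... */` above the `Tspi_Policy_SetSecret` call is now stale, since the call uses the local `secretMode`. The patch header reuses the commit id, author and date of 0001-…patch verbatim, which looks like a copy-paste rather than the real metadata. `tpm_load_srk` continues beyond the hunk.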
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch
new file mode 100644
index 0000000..d24a150
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-Fix-not-building-libtpm.la.patch
@@ -0,0 +1,25 @@
+From 7848445a1f4c750ef73bf96f5e89d402f87a1756 Mon Sep 17 00:00:00 2001
+From: Lans Zhang <jia.zhang@windriver.com>
+Date: Mon, 19 Jun 2017 14:54:28 +0800
+Subject: [PATCH] Fix not building libtpm.la
+
+Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
+---
+ Makefile.am | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 6695656..634a7e6 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -10,4 +10,6 @@ libtpm_la_LIBADD=-lcrypto -lc -ltspi
+ libtpm_la_SOURCES=e_tpm.c e_tpm.h e_tpm_err.c
+ 
+ create_tpm_key_SOURCES=create_tpm_key.c
+-create_tpm_key_LDADD=-ltspi
++create_tpm_key_LDFLAGS=-ltspi
++
++LDADD=libtpm.la
+-- 
+2.7.5
+
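Review bot: `create_tpm_key_LDFLAGS=-ltspi` moves a library into LDFLAGS, which automake places before the objects on the link line, so a toolchain using `--as-needed` drops it and the link fails; a library belongs in LDADD. The reason for the move is presumably that a per-target `create_tpm_key_LDADD` overrides the new global `LDADD=libtpm.la`, which is what makes libtpm.la get built; the direct way to express that is `create_tpm_key_LDADD=libtpm.la -ltspi` and no global `LDADD`, which also stops every other program in the Makefile from being linked against the engine.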
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
new file mode 100644
index 0000000..a88148f
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch
@@ -0,0 +1,254 @@
+From eb28ad92a2722fd30f8114840cf2b1ade26b80ee Mon Sep 17 00:00:00 2001
+From: Limeng <Meng.Li@windriver.com>
+Date: Fri, 23 Jun 2017 11:39:04 +0800
+Subject: [PATCH] tpm:openssl-tpm-engine:parse an encrypted tpm SRK password 
+ from env
+
+Before, we support reading SRK password from env TPM_SRK_PW,
+but it is a plain password and not secure.
+So, we improve it and support to get an encrypted (AES algorithm)
+SRK password from env, and then parse it. The default decrypting
+AES password and salt is set in bb file.
+When we initialize TPM, and set a SRK pw, and then we need to
+encrypt it with the same AES password and salt by AES algorithm.
+At last, we set a env as below:
+export TPM_SRK_ENC_PW=xxxxxxxx
+"xxxxxxxx" is the encrypted SRK password for libtpm.so.
+
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ e_tpm.c     | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ e_tpm.h     |   4 ++
+ e_tpm_err.c |   4 ++
+ 3 files changed, 164 insertions(+), 1 deletion(-)
+
+diff --git a/e_tpm.c b/e_tpm.c
+index 7dcb75a..11bf74b 100644
+--- a/e_tpm.c
++++ b/e_tpm.c
+@@ -245,6 +245,118 @@ void ENGINE_load_tpm(void)
+ 	ERR_clear_error();
+ }
+ 
++static int tpm_decode_base64(unsigned char *indata,
++				int in_len,
++				unsigned char *outdata,
++				int *out_len)
++{
++	int total_len, len, ret;
++	EVP_ENCODE_CTX dctx;
++
++	EVP_DecodeInit(&dctx);
++
++	total_len = 0;
++	ret = EVP_DecodeUpdate(&dctx, outdata, &len, indata, in_len);
++	if (ret < 0) {
++		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
++		return 1;
++	}
++
++	total_len += len;
++	ret = EVP_DecodeFinal(&dctx, outdata, &len);
++	if (ret < 0) {
++		TSSerr(TPM_F_TPM_DECODE_BASE64, TPM_R_DECODE_BASE64_FAILED);
++		return 1;
++	}
++	total_len += len;
++
++	*out_len = total_len;
++
++	return 0;
++}
++
++static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len,
++				unsigned char *outdata,
++				int *out_len)
++{
++	int dec_data_len, dec_data_lenfinal;
++	unsigned char dec_data[256];
++	unsigned char *aes_pw;
++	unsigned char aes_salt[PKCS5_SALT_LEN];
++	unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
++	const EVP_CIPHER *cipher = NULL;
++	const EVP_MD *dgst = NULL;
++	EVP_CIPHER_CTX *ctx = NULL;
++
++	if (sizeof(SRK_DEC_SALT) - 1 > PKCS5_SALT_LEN) {
++		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++		return 1;
++	}
++
++	aes_pw = malloc(sizeof(SRK_DEC_PW) - 1);
++	if (aes_pw == NULL) {
++		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++		return 1;
++	}
++
++	memset(aes_salt, 0x00, sizeof(aes_salt));
++	memcpy(aes_pw, SRK_DEC_PW, sizeof(SRK_DEC_PW) - 1);
++	memcpy(aes_salt, SRK_DEC_SALT, sizeof(SRK_DEC_SALT) - 1);
++
++	cipher = EVP_get_cipherbyname("aes-128-cbc");
++	if (cipher == NULL) {
++		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++		free(aes_pw);
++		return 1;
++	}
++	dgst = EVP_sha256();
++
++	EVP_BytesToKey(cipher, dgst, aes_salt, (unsigned char *)aes_pw, sizeof(SRK_DEC_PW) - 1, 1, key, iv);
++
++	ctx = EVP_CIPHER_CTX_new();
++	/* Don't set key or IV right away; we want to check lengths */
++	if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, 0)) {
++		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++		free(aes_pw);
++		return 1;
++	}
++
++	OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
++	OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
++
++	if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 0)) {
++		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++		free(aes_pw);
++		return 1;
++	}
++
++	if (!EVP_CipherUpdate(ctx, dec_data, &dec_data_len, indata, in_len)) {
++		/* Error */
++		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++		free(aes_pw);
++		EVP_CIPHER_CTX_free(ctx);
++		return 1;
++	}
++
++	if (!EVP_CipherFinal_ex(ctx, dec_data + dec_data_len, &dec_data_lenfinal)) {
++		/* Error */
++		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
++		free(aes_pw);
++		EVP_CIPHER_CTX_free(ctx);
++		return 1;
++	}
++
++	dec_data_len = dec_data_len + dec_data_lenfinal;
++
++	memcpy(outdata, dec_data, dec_data_len);
++	*out_len = dec_data_len;
++
++	free(aes_pw);
++	EVP_CIPHER_CTX_free(ctx);
++
++	return 0;
++}
++
+ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ {
+ 	TSS_RESULT result;
+@@ -305,8 +417,50 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ 		return 0;
+ 	}
+ 
+-	srkPasswd = getenv("TPM_SRK_PW");
++	srkPasswd = getenv("TPM_SRK_ENC_PW");
+ 	if (NULL != srkPasswd) {
++		int in_len = strlen(srkPasswd);
++		int out_len;
++		unsigned char *out_buf;
++
++		if (!in_len || in_len % 4) {
++			Tspi_Context_CloseObject(hContext, hSRK);
++			free(auth);
++			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++			return 0;
++		}
++
++		out_len = in_len * 3 / 4;
++		out_buf = malloc(out_len);
++		if (NULL == out_buf) {
++			Tspi_Context_CloseObject(hContext, hSRK);
++			free(auth);
++			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++			return 0;
++		}
++
++		if (tpm_decode_base64(srkPasswd, strlen(srkPasswd),
++					out_buf, &out_len)) {
++			Tspi_Context_CloseObject(hContext, hSRK);
++			free(auth);
++			free(out_buf);
++			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++			return 0;
++		}
++
++		if (tpm_decrypt_srk_pw(out_buf, out_len,
++							auth, &authlen)) {
++			Tspi_Context_CloseObject(hContext, hSRK);
++			free(auth);
++			free(out_buf);
++			TSSerr(TPM_F_TPM_LOAD_SRK, TPM_R_REQUEST_FAILED);
++			return 0;
++		}
++		secretMode = TSS_SECRET_MODE_PLAIN;
++		free(out_buf);
++	}
++#ifdef TPM_SRK_PLAIN_PW
++	else if (NULL != (srkPasswd = getenv("TPM_SRK_PW")) {
+ 		if (0 == strcmp(srkPasswd, "#WELLKNOWN#")) {
+ 			memset(auth, 0, TPM_WELL_KNOWN_KEY_LEN);
+ 			secretMode = TSS_SECRET_MODE_SHA1;
+@@ -319,6 +473,7 @@ int tpm_load_srk(UI_METHOD *ui, void *cb_data)
+ 			authlen = strlen(auth);
+ 		}
+ 	}
++#endif
+ 	else {
+ 		if (!tpm_engine_get_auth(ui, (char *)auth, 128,
+ 				"SRK authorization: ", cb_data)) {
+diff --git a/e_tpm.h b/e_tpm.h
+index 6316e0b..56ff202 100644
+--- a/e_tpm.h
++++ b/e_tpm.h
+@@ -66,6 +66,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
+ #define TPM_F_TPM_FILL_RSA_OBJECT		116
+ #define TPM_F_TPM_ENGINE_GET_AUTH		117
+ #define TPM_F_TPM_CREATE_SRK_POLICY		118
++#define TPM_F_TPM_DECODE_BASE64			119
++#define TPM_F_TPM_DECRYPT_SRK_PW		120
+ 
+ /* Reason codes. */
+ #define TPM_R_ALREADY_LOADED			100
+@@ -96,6 +98,8 @@ void ERR_TSS_error(int function, int reason, char *file, int line);
+ #define TPM_R_ID_INVALID			125
+ #define TPM_R_UI_METHOD_FAILED			126
+ #define TPM_R_UNKNOWN_SECRET_MODE		127
++#define TPM_R_DECODE_BASE64_FAILED		128
++#define TPM_R_DECRYPT_SRK_PW_FAILED		129
+ 
+ /* structure pointed to by the RSA object's app_data pointer */
+ struct rsa_app_data
+diff --git a/e_tpm_err.c b/e_tpm_err.c
+index 25a5d0f..439e267 100644
+--- a/e_tpm_err.c
++++ b/e_tpm_err.c
+@@ -235,6 +235,8 @@ static ERR_STRING_DATA TPM_str_functs[] = {
+ 	{ERR_PACK(0, TPM_F_TPM_BIND_FN, 0), "TPM_BIND_FN"},
+ 	{ERR_PACK(0, TPM_F_TPM_FILL_RSA_OBJECT, 0), "TPM_FILL_RSA_OBJECT"},
+ 	{ERR_PACK(0, TPM_F_TPM_ENGINE_GET_AUTH, 0), "TPM_ENGINE_GET_AUTH"},
++	{ERR_PACK(0, TPM_F_TPM_DECODE_BASE64, 0), "TPM_DECODE_BASE64"},
++	{ERR_PACK(0, TPM_F_TPM_DECRYPT_SRK_PW, 0), "TPM_DECRYPT_SRK_PW"},
+ 	{0, NULL}
+ };
+ 
+@@ -265,6 +267,8 @@ static ERR_STRING_DATA TPM_str_reasons[] = {
+ 	{TPM_R_FILE_READ_FAILED, "failed reading the key file"},
+ 	{TPM_R_ID_INVALID, "engine id doesn't match"},
+ 	{TPM_R_UI_METHOD_FAILED, "ui function failed"},
++	{TPM_R_DECODE_BASE64_FAILED, "decode base64 failed"},
++	{TPM_R_DECRYPT_SRK_PW_FAILED, "decrypt srk password failed"},
+ 	{0, NULL}
+ };
+ 
+-- 
+2.9.3
+
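Review bot: `tpm_decrypt_srk_pw` never bounds `in_len` against `dec_data[256]` before `EVP_CipherUpdate`, and then `memcpy`s `dec_data_len` bytes into `outdata` — the caller's `auth`, which the `tpm_engine_get_auth` call below describes as 128 bytes — with no capacity check, so a long `TPM_SRK_ENC_PW` value overflows first the stack buffer and then the heap buffer; the caller's `!in_len || in_len % 4` test does not help because `out_len = in_len * 3 / 4` is unbounded. The fix below adds a length check and an explicit output capacity, checks `EVP_CIPHER_CTX_new` for NULL, frees `ctx` on the two `EVP_CipherInit_ex` failure paths that currently leak it, and cleanses `dec_data`/`key`/`iv`, which hold secret material and are otherwise left on the stack. `SRK_DEC_PW`/`SRK_DEC_SALT` are compiled into libtpm.so and fed through `EVP_BytesToKey` with a count of 1, so anyone who can read the library can decrypt the value; this obfuscates the SRK password rather than protecting it, and the commit message's "not secure"/"improve" framing should say so. In `tpm_decode_base64`, `EVP_DecodeFinal(&dctx, outdata, &len)` writes at `outdata` instead of `outdata + total_len`, overwriting the start of the decoded data whenever the final call emits bytes. The caller-side `128` in the fence is taken from the `tpm_engine_get_auth` call and should be confirmed against the `auth` allocation above the hunk.
```c
static int tpm_decrypt_srk_pw(unsigned char *indata, int in_len,
				unsigned char *outdata, int out_cap,
				int *out_len)
{
	/* … unchanged: locals, SRK_DEC_PW/SRK_DEC_SALT setup, EVP_BytesToKey … */

	/* CipherUpdate may emit in_len plus one block; keep that inside dec_data */
	if (in_len <= 0 ||
	    in_len > (int)sizeof(dec_data) - EVP_MAX_BLOCK_LENGTH) {
		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
		free(aes_pw);
		return 1;
	}

	ctx = EVP_CIPHER_CTX_new();
	if (ctx == NULL) {
		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
		free(aes_pw);
		return 1;
	}
	/* … unchanged: both EVP_CipherInit_ex calls, each failure path now also doing EVP_CIPHER_CTX_free(ctx) … */
	/* … unchanged: EVP_CipherUpdate / EVP_CipherFinal_ex … */

	dec_data_len = dec_data_len + dec_data_lenfinal;

	/* outdata is the caller's fixed-size auth buffer; never write past it */
	if (dec_data_len > out_cap) {
		TSSerr(TPM_F_TPM_DECRYPT_SRK_PW, TPM_R_DECRYPT_SRK_PW_FAILED);
		OPENSSL_cleanse(dec_data, sizeof(dec_data));
		free(aes_pw);
		EVP_CIPHER_CTX_free(ctx);
		return 1;
	}

	memcpy(outdata, dec_data, dec_data_len);
	*out_len = dec_data_len;

	/* plaintext and key material must not linger on the stack */
	OPENSSL_cleanse(dec_data, sizeof(dec_data));
	OPENSSL_cleanse(key, sizeof(key));
	OPENSSL_cleanse(iv, sizeof(iv));
	free(aes_pw);
	EVP_CIPHER_CTX_free(ctx);

	return 0;
}

/* … unchanged: tpm_load_srk up to the decrypt call … */
		/* 128: size of auth as passed to tpm_engine_get_auth — confirm against the allocation above */
		if (tpm_decrypt_srk_pw(out_buf, out_len,
							auth, 128, &authlen)) {
```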
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
new file mode 100644
index 0000000..076704d
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/files/0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch
@@ -0,0 +1,34 @@
+From fb44e2814fd819c086f9a4c925427f89c0e8cec6 Mon Sep 17 00:00:00 2001
+From: Limeng <Meng.Li@windriver.com>
+Date: Fri, 21 Jul 2017 16:32:02 +0800
+Subject: [PATCH] tpm:openssl-tpm-engine: change variable c type from char
+ into int
+
+refer to getopt_long() function definition, its return value type is
+int. So, change variable c type from char into int.
+On arm platform, when getopt_long() calling fails, if we define c as
+char type, its value will be 255, not -1. This will cause code enter
+wrong case.
+
+Signed-off-by: Meng Li <Meng.Li@windriver.com>
+---
+ create_tpm_key.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/create_tpm_key.c b/create_tpm_key.c
+index 7b94d62..f30af90 100644
+--- a/create_tpm_key.c
++++ b/create_tpm_key.c
+@@ -148,7 +148,8 @@ int main(int argc, char **argv)
+ 	ASN1_OCTET_STRING *blob_str;
+ 	unsigned char	*blob_asn1 = NULL;
+ 	int		asn1_len;
+-	char		*filename, c, *openssl_key = NULL;
++	char		*filename, *openssl_key = NULL;
++	int		c;
+ 	int		option_index, auth = 0, popup = 0, wrap = 0;
+ 	int		wellknownkey = 0;
+ 	UINT32		enc_scheme = TSS_ES_RSAESPKCSV15;
+-- 
+1.7.9.5
+
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
new file mode 100644
index 0000000..4854f70
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/openssl-tpm-engine/openssl-tpm-engine_0.4.2.bb
@@ -0,0 +1,78 @@
+DESCRIPTION = "OpenSSL secure engine based on TPM hardware"
+HOMEPAGE = "https://sourceforge.net/projects/trousers/"
+SECTION = "security/tpm"
+
+LICENSE = "openssl"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=11f0ee3af475c85b907426e285c9bb52"
+
+DEPENDS += "openssl trousers"
+
+SRC_URI = "\
+    git://git.code.sf.net/p/trousers/openssl_tpm_engine \
+    file://0001-create-tpm-key-support-well-known-key-option.patch \
+    file://0002-libtpm-support-env-TPM_SRK_PW.patch \
+    file://0003-Fix-not-building-libtpm.la.patch \
+    file://0003-tpm-openssl-tpm-engine-parse-an-encrypted-tpm-SRK-pa.patch \
+    file://0004-tpm-openssl-tpm-engine-change-variable-c-type-from-c.patch \
+"
+SRCREV = "bbc2b1af809f20686e0d3553a62f0175742c0d60"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep
+
+# The definitions below are used to decrypt the srk password.
+# It is allowed to define the values in 3 forms: string, hex number and
+# the hybrid, e.g,
+# srk_dec_pw = "incendia"
+# srk_dec_pw = "\x69\x6e\x63\x65\x6e\x64\x69\x61"
+# srk_dec_pw = "\x1""nc""\x3""nd""\x1""a"
+#
+# Due to the limit of escape character, the hybrid must be written in
+# above style. The actual values defined below in C code style are:
+# srk_dec_pw[] = { 0x01, 'n', 'c', 0x03, 'n', 'd', 0x01, 'a' };
+# srk_dec_salt[] = { 'r', 0x00, 0x00, 't' };
+srk_dec_pw ?= "\\"\\\x1\\"\\"nc\\"\\"\\\x3\\"\\"nd\\"\\"\\\x1\\"\\"a\\""
+srk_dec_salt ?= "\\"r\\"\\"\\\x00\\\x00\\"\\"t\\""
+
+CFLAGS_append += "-DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"
+
+# Uncomment below line if using the plain srk password for development
+#CFLAGS_append += "-DTPM_SRK_PLAIN_PW"
+
+do_configure_prepend() {
+    cd "${S}"
+    cp LICENSE COPYING
+    touch NEWS AUTHORS ChangeLog
+}
+
+do_install_append() {
+    install -m 0755 -d "${D}${libdir}/engines"
+    install -m 0755 -d "${D}${prefix}/local/ssl/lib/engines"
+    install -m 0755 -d "${D}${libdir}/ssl/engines"
+
+    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/libtpm.so.0"
+    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/engines/libtpm.so"
+    cp -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${prefix}/local/ssl/lib/engines/libtpm.so"
+    mv -f "${D}${libdir}/openssl/engines/libtpm.so.0.0.0" "${D}${libdir}/ssl/engines/libtpm.so"
+    mv -f "${D}${libdir}/openssl/engines/libtpm.la" "${D}${libdir}/ssl/engines/libtpm.la"
+    rm -rf "${D}${libdir}/openssl"
+}
+
+FILES_${PN}-staticdev += "${libdir}/ssl/engines/libtpm.la"
+FILES_${PN}-dbg += "\
+    ${libdir}/ssl/engines/.debug \
+    ${libdir}/engines/.debug \
+    ${prefix}/local/ssl/lib/engines/.debug \
+"
+FILES_${PN} += "\
+    ${libdir}/ssl/engines/libtpm.so* \
+    ${libdir}/engines/libtpm.so* \
+    ${libdir}/libtpm.so* \
+    ${prefix}/local/ssl/lib/engines/libtpm.so* \
+"
+
+RDEPENDS_${PN} += "libcrypto libtspi"
+
+INSANE_SKIP_${PN} = "libdir"
+INSANE_SKIP_${PN}-dbg = "libdir"
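Review bot: The default `srk_dec_pw` and `srk_dec_salt` values are checked into a public layer and compiled straight into libtpm.so via `CFLAGS_append`, so every image built without overriding them shares one publicly known key and an "encrypted" `TPM_SRK_ENC_PW` value is recoverable by anyone who can read the library or this layer. The comment block above them should say so and tell integrators to override both, e.g. `# NOTE: these defaults are public; set srk_dec_pw/srk_dec_salt in your distro config, otherwise TPM_SRK_ENC_PW is only obfuscated.`, and an anonymous python function that warns when the defaults are still in effect would enforce it. `srk_dec_salt` also expands to 4 bytes while e_tpm.c zero-fills a `PKCS5_SALT_LEN` (8 in OpenSSL) salt, so half of the salt is padding. Separately, `CFLAGS_append += "..."` mixes the `_append` override with `+=`; the conventional form is `CFLAGS_append = " -DSRK_DEC_PW=${srk_dec_pw} -DSRK_DEC_SALT=${srk_dec_salt}"` with a leading space.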
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
new file mode 100644
index 0000000..0cc4f63
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/pcr-extend/pcr-extend_git.bb
@@ -0,0 +1,25 @@
+SUMMARY = "Command line utility to extend hash of arbitrary data into a TPMs PCR."
+HOMEPAGE = "https://github.com/flihp/pcr-extend"
+SECTION = "security/tpm"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+
+DEPENDS = "libtspi"
+
+PV = "0.1+git${SRCPV}"
+SRCREV = "c02ad8f628b3d99f6d4c087b402fe31a40ee6316"
+
+SRC_URI = "git://github.com/flihp/pcr-extend.git "
+
+inherit autotools
+
+S = "${WORKDIR}/git"
+
+do_compile() {
+    oe_runmake -C ${S}/src
+}
+
+do_install() {
+    install -d ${D}${bindir}
+    oe_runmake -C ${S}/src DESTDIR="${D}" install 
+}
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch
new file mode 100644
index 0000000..3d16431
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch
@@ -0,0 +1,31 @@
+From 8750a6c3f0b4d9e7e45b4079150d29eb44774e9c Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Tue, 14 Mar 2017 22:59:36 -0700
+Subject: [PATCH 2/4] logging: Fix musl build issue with fcntl
+
+ error: #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.h> [-Werror=cpp]
+ #warning redirecting incorrect #include <sys/fcntl.h> to <fcntl.
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/swtpm/logging.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/swtpm/logging.c b/src/swtpm/logging.c
+index f16cab6..7da8606 100644
+--- a/src/swtpm/logging.c
++++ b/src/swtpm/logging.c
+@@ -45,7 +45,7 @@
+ #include <errno.h>
+ #include <string.h>
+ #include <sys/types.h>
+-#include <sys/fcntl.h>
++#include <fcntl.h>
+ #include <sys/stat.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+-- 
+2.11.0
+
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch
new file mode 100644
index 0000000..60958f7
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch
@@ -0,0 +1,66 @@
+From 672bb4ee625da3141ba6cecb0601c7563de4c483 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Thu, 13 Oct 2016 02:03:56 -0700
+Subject: [PATCH 1/4] swtpm: add new package
+
+Upstream-Status: Inappropriate [OE config]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Rebased to current tip.
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
+---
+ configure.ac | 34 ++++++++++------------------------
+ 1 file changed, 10 insertions(+), 24 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index abf5be1..85ed6ac 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -395,31 +395,17 @@ CFLAGS="$CFLAGS -Wformat -Wformat-security"
+ dnl We have to make sure libtpms is using the same crypto library
+ dnl to avoid problems
+ AC_MSG_CHECKING([the crypto library libtpms is using])
+-dirs=$($CC $CFLAGS -Xlinker --verbose 2>/dev/null | \
+-       sed -n '/SEARCH_DIR/p' | \
+-       sed 's/SEARCH_DIR("\(@<:@^"@:>@*\)"); */\1 /g' | \
+-       sed 's|=/|/|g')
+-for dir in $dirs $LIBRARY_PATH; do
+-  if test -r $dir/libtpms.so; then
+-    if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
+-      libtpms_cryptolib="openssl"
+-      break
+-    fi
+-    if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
+-      libtpms_cryptolib="freebl"
+-      break
+-    fi
++dir="$SEARCH_DIR"
++if test -r $dir/libtpms.so; then
++  if test -n "`ldd $dir/libtpms.so | grep libcrypto.so`"; then
++    libtpms_cryptolib="openssl"
++    break
+   fi
+-  case $host_os in
+-  cygwin|openbsd*)
+-    if test -r $dir/libtpms.a; then
+-      if test -n "$(nm $dir/libtpms.a | grep "U AES_encrypt")"; then
+-        libtpms_cryptolib="openssl"
+-      fi
+-    fi
+-    ;;
+-  esac
+-done
++  if test -n "`ldd $dir/libtpms.so | grep libnss3.so`"; then
++    libtpms_cryptolib="freebl"
++    break
++  fi
++fi
+ 
+ if test -z "$libtpms_cryptolib"; then
+   AC_MSG_ERROR([Could not determine libtpms crypto library.])
+-- 
+2.11.0
+
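Review bot: The two `break` statements inside the new `if test -r $dir/libtpms.so` block are left over from the removed `for` loop and now sit outside any loop, where the shell reports that `break` is only meaningful in a loop and otherwise ignores them; drop both lines, and consider `elif` for the libnss3 test so only one crypto library is ever recorded. `$dir` is also expanded unquoted and comes straight from the `SEARCH_DIR` variable the recipe exports; when it is empty the test looks at `/libtpms.so`, so `if test -n "$dir" && test -r "$dir/libtpms.so"; then` is safer. The check still relies on running `ldd` on the library found under `SEARCH_DIR`, which only works when that library is loadable on the build host — presumably why swtpm_1.0.bb points `SEARCH_DIR` at the native sysroot; that constraint belongs in the patch header.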
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch
new file mode 100644
index 0000000..d736bc6
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/files/ioctl_h.patch
@@ -0,0 +1,22 @@
+tpm_ioctl: fix musl for missing ioctl
+
+tpm_ioctl.c: In function 'ioctl_to_cmd':
+tpm_ioctl.c:86:26: error: '_IOC_NRSHIFT' undeclared (first use in this function)
+     return ((ioctlnum >> _IOC_NRSHIFT) & _IOC_NRMASK) + 1;
+
+
+Upstream-status:
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: git/src/swtpm_ioctl/tpm_ioctl.c
+===================================================================
+--- git.orig/src/swtpm_ioctl/tpm_ioctl.c
++++ git/src/swtpm_ioctl/tpm_ioctl.c
+@@ -58,6 +58,7 @@
+ #include <fcntl.h>
+ #include <unistd.h>
+ #include <sys/ioctl.h>
++#include <asm/ioctl.h>
+ #include <getopt.h>
+ #include <sys/un.h>
+ #include <sys/types.h>
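Review bot: The `Upstream-status:` trailer is left empty (and the OE convention spells it `Upstream-Status:`), so the patch cannot be triaged for upstreaming; fill it in, e.g. `Upstream-Status: Pending`. Including `<asm/ioctl.h>` directly ties tpm_ioctl.c to Linux kernel headers, which is acceptable for a musl-on-Linux fix but should be stated in the description so a later portability cleanup knows why it is there.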
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
new file mode 100644
index 0000000..644f3ac
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm-wrappers-native.bb
@@ -0,0 +1,53 @@
+SUMMARY = "SWTPM - OpenEmbedded wrapper scripts for native swtpm tools"
+LICENSE = "MIT"
+DEPENDS = "swtpm-native tpm-tools-native net-tools-native"
+
+inherit native
+
+# The whole point of the recipe is to make files available
+# for use after the build is done, so don't clean up...
+RM_WORK_EXCLUDE += "${PN}"
+
+do_create_wrapper () {
+    # Wrap (almost) all swtpm binaries. Some get special wrappers and some
+    # are not needed.
+    for i in `find ${bindir} ${base_bindir} ${sbindir} ${base_sbindir} -name 'swtpm*' -perm /+x -type f`; do
+        exe=`basename $i`
+        case $exe in
+            swtpm_setup.sh)
+                cat >${WORKDIR}/swtpm_setup_oe.sh <<EOF
+#! /bin/sh
+#
+# Wrapper around swtpm_setup.sh which adds parameters required to
+# run the setup as non-root directly from the native sysroot.
+
+PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
+export PATH
+
+# tcsd only allows to be run as root or tss. Pretend to be root...
+exec env ${FAKEROOTENV} ${FAKEROOTCMD} swtpm_setup.sh --config ${STAGING_DIR_NATIVE}/etc/swtpm_setup.conf "\$@"
+EOF
+                ;;
+            swtpm_setup)
+                true
+                ;;
+            *)
+                cat >${WORKDIR}/${exe}_oe.sh <<EOF
+#! /bin/sh
+#
+# Wrapper around $exe which makes it easier to invoke
+# the right binary.
+
+PATH="${bindir}:${base_bindir}:${sbindir}:${base_sbindir}:\$PATH"
+export PATH
+
+exec ${exe} "\$@"
+EOF
+                ;;
+        esac
+    done
+
+    chmod a+rx ${WORKDIR}/*.sh
+}
+
+addtask do_create_wrapper before do_build after do_prepare_recipe_sysroot
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
new file mode 100644
index 0000000..7476020
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/swtpm/swtpm_1.0.bb
@@ -0,0 +1,61 @@
+SUMMARY = "SWTPM - Software TPM Emulator"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=fe8092c832b71ef20dfe4c6d3decb3a8"
+SECTION = "apps"
+
+DEPENDS = "libtasn1 expect socat glib-2.0 libtpm libtpm-native"
+
+# configure checks for the tools already during compilation and
+# then swtpm_setup needs them at runtime
+DEPENDS += "tpm-tools-native expect-native socat-native"
+RDEPENDS_${PN} += "tpm-tools"
+
+SRCREV = "4f4f2f0a7e3195f6df8d235d58630a08e69403d8"
+SRC_URI = "git://github.com/stefanberger/swtpm.git \
+           file://fix_lib_search_path.patch \
+           file://fix_fcntl_h.patch \
+           file://ioctl_h.patch \
+           "
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig
+PARALLEL_MAKE = ""
+
+TSS_USER="tss"
+TSS_GROUP="tss"
+
+PACKAGECONFIG ?= "openssl cuse"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl, openssl"
+PACKAGECONFIG[gnutls] = "--with-gnutls, --without-gnutls, gnutls"
+PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux"
+PACKAGECONFIG[cuse] = "--with-cuse, --without-cuse, fuse"
+
+EXTRA_OECONF += "--with-tss-user=${TSS_USER} --with-tss-group=${TSS_GROUP}"
+
+export SEARCH_DIR = "${STAGING_LIBDIR_NATIVE}"
+
+# dup bootstrap 
+do_configure_prepend () {
+	libtoolize --force --copy
+	autoheader
+	aclocal
+	automake --add-missing -c
+	autoconf
+}
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "--system ${TSS_USER}"
+USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir  \
+    --no-create-home  --shell /bin/false ${BPN}"
+
+RDEPENDS_${PN} = "libtpm expect socat bash"
+
+BBCLASSEXTEND = "native nativesdk"
+
+python() {
+    if 'cuse' in d.getVar('PACKAGECONFIG') and \
+        'filesystems-layer' not in d.getVar('BBFILE_COLLECTIONS').split():
+        raise bb.parse.SkipRecipe('Cuse enabled which requires meta-filesystems to be present.')
+}
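Review bot: `USERADD_PARAM_${PN}` passes `--home-dir` with no value, so useradd takes the following `--no-create-home` token as the home directory, and the account it creates is `${BPN}` (swtpm) while configure is told `--with-tss-user=tss` and `GROUPADD_PARAM_${PN}` creates only the `tss` group — the `tss` user that the configure option presumably refers to is never created. The intended line is likely `USERADD_PARAM_${PN} = "--system -g ${TSS_GROUP} --home-dir /var/lib/${TSS_USER} --no-create-home --shell /bin/false ${TSS_USER}"` (home directory constructed as an example), and `GROUPADD_PARAM_${PN}` should use `${TSS_GROUP}` rather than `${TSS_USER}`. Separately, `RDEPENDS_${PN} += "tpm-tools"` near the top is overwritten by the later `RDEPENDS_${PN} = "libtpm expect socat bash"`, so tpm-tools drops out of the runtime dependencies; make the second assignment `+=`.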
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
new file mode 100644
index 0000000..8486d00
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-quote-tools/tpm-quote-tools_1.0.4.bb
@@ -0,0 +1,23 @@
+SUMMARY = "The TPM Quote Tools is a collection of programs that provide support \
+  for TPM based attestation using the TPM quote mechanism. \
+  "
+DESCRIPTION = "The TPM Quote Tools is a collection of programs that provide support \
+  for TPM based attestation using the TPM quote mechanism.  The manual \
+  page for tpm_quote_tools provides a usage overview. \
+  \
+  TPM Quote Tools has been tested with TrouSerS on Linux and NTRU on \
+  Windows XP.  It was ported to Windows using MinGW and MSYS. \
+  "
+HOMEPAGE = "https://sourceforge.net/projects/tpmquotetools/"
+SECTION = "security/tpm"
+LICENSE = "BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://COPYING;md5=8ec30b01163d242ecf07d9cd84e3611f"
+
+DEPENDS = "libtspi tpm-tools"
+
+SRC_URI = "${SOURCEFORGE_MIRROR}/tpmquotetools/${PV}/${BP}.tar.gz"
+
+SRC_URI[md5sum] = "6e194f5bc534301bbaef53dc6d22c233"
+SRC_URI[sha256sum] = "10dc4eade02635557a9496b388360844cd18e7864e2eb882f5e45ab2fa405ae2"
+
+inherit autotools
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
new file mode 100644
index 0000000..ab5e683
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-tools/files/tpm-tools-extendpcr.patch
@@ -0,0 +1,244 @@
+Index: tpm-tools-1.3.8/include/tpm_tspi.h
+===================================================================
+--- tpm-tools-1.3.8.orig/include/tpm_tspi.h	2011-08-17 08:20:35.000000000 -0400
++++ tpm-tools-1.3.8/include/tpm_tspi.h	2013-01-05 23:26:31.571598217 -0500
+@@ -117,6 +117,10 @@
+ 			UINT32 *a_PcrSize, BYTE **a_PcrValue);
+ TSS_RESULT pcrcompositeSetPcrValue(TSS_HPCRS a_hPcrs, UINT32 a_Idx,
+ 					UINT32 a_PcrSize, BYTE *a_PcrValue);
++TSS_RESULT tpmPcrExtend(TSS_HTPM a_hTpm, UINT32 a_Idx,
++			UINT32 a_DataSize, BYTE *a_Data,
++			TSS_PCR_EVENT *a_Event,
++			UINT32 *a_PcrSize, BYTE **a_PcrValue);
+ #ifdef TSS_LIB_IS_12
+ TSS_RESULT unloadVersionInfo(UINT64 *offset, BYTE *blob, TPM_CAP_VERSION_INFO *v);
+ TSS_RESULT pcrcompositeSetPcrLocality(TSS_HPCRS a_hPcrs, UINT32 localityValue);
+Index: tpm-tools-1.3.8/lib/tpm_tspi.c
+===================================================================
+--- tpm-tools-1.3.8.orig/lib/tpm_tspi.c	2011-08-17 08:20:35.000000000 -0400
++++ tpm-tools-1.3.8/lib/tpm_tspi.c	2013-01-05 23:27:37.731593490 -0500
+@@ -594,6 +594,20 @@
+ 	return result;
+ }
+ 
++TSS_RESULT
++tpmPcrExtend(TSS_HTPM a_hTpm, UINT32 a_Idx,
++		UINT32 a_DataSize, BYTE *a_Data,
++		TSS_PCR_EVENT *a_Event,
++		UINT32 *a_PcrSize, BYTE **a_PcrValue)
++{
++	TSS_RESULT result =
++		Tspi_TPM_PcrExtend(a_hTpm, a_Idx, a_DataSize, a_Data, a_Event,
++				   a_PcrSize, a_PcrValue);
++	tspiResult("Tspi_TPM_PcrExtend", result);
++
++	return result;
++}
++
+ #ifdef TSS_LIB_IS_12
+ /*
+  * These getPasswd functions will wrap calls to the other functions and check to see if the TSS
+Index: tpm-tools-1.3.8/src/cmds/Makefile.am
+===================================================================
+--- tpm-tools-1.3.8.orig/src/cmds/Makefile.am	2011-08-15 13:52:08.000000000 -0400
++++ tpm-tools-1.3.8/src/cmds/Makefile.am	2013-01-05 23:30:46.223593698 -0500
+@@ -22,6 +22,7 @@
+ #
+ 
+ bin_PROGRAMS 	=	tpm_sealdata \
++			tpm_extendpcr \
+ 			tpm_unsealdata
+ 
+ if TSS_LIB_IS_12
+@@ -33,4 +34,5 @@
+ LDADD		=	$(top_builddir)/lib/libtpm_tspi.la -ltspi $(top_builddir)/lib/libtpm_unseal.la -ltpm_unseal -lcrypto
+ 
+ tpm_sealdata_SOURCES = tpm_sealdata.c
++tpm_extendpcr_SOURCES = tpm_extendpcr.c
+ tpm_unsealdata_SOURCES = tpm_unsealdata.c
+Index: tpm-tools-1.3.8/src/cmds/tpm_extendpcr.c
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ tpm-tools-1.3.8/src/cmds/tpm_extendpcr.c	2013-01-05 23:37:43.403585514 -0500
+@@ -0,0 +1,181 @@
++/*
++ * The Initial Developer of the Original Code is International
++ * Business Machines Corporation. Portions created by IBM
++ * Corporation are Copyright (C) 2005, 2006 International Business
++ * Machines Corporation. All Rights Reserved.
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the Common Public License as published by
++ * IBM Corporation; either version 1 of the License, or (at your option)
++ * any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * Common Public License for more details.
++ *
++ * You should have received a copy of the Common Public License
++ * along with this program; if not, a copy can be viewed at
++ * http://www.opensource.org/licenses/cpl1.0.php.
++ */
++#include <openssl/evp.h>
++#include <openssl/sha.h>
++#include <limits.h>
++#include "tpm_tspi.h"
++#include "tpm_utils.h"
++#include "tpm_seal.h"
++
++// #define TPM_EXTENDPCR_DEBUG
++
++static void help(const char *aCmd)
++{
++	logCmdHelp(aCmd);
++	logCmdOption("-i, --infile FILE",
++		     _
++		     ("Filename containing data to extend PCRs with. Default is STDIN."));
++	logCmdOption("-p, --pcr NUMBER",
++		     _("PCR to extend."));
++
++}
++
++static char in_filename[PATH_MAX] = "";
++static TSS_HPCRS hPcrs = NULL_HPCRS;
++static TSS_HTPM hTpm;
++static UINT32 selectedPcrs[24];
++static UINT32 selectedPcrsLen = 0;
++TSS_HCONTEXT hContext = 0;
++
++static int parse(const int aOpt, const char *aArg)
++{
++	int rc = -1;
++
++	switch (aOpt) {
++	case 'i':
++		if (aArg) {
++			strncpy(in_filename, aArg, PATH_MAX);
++			rc = 0;
++		}
++		break;
++	case 'p':
++		if (aArg) {
++			selectedPcrs[selectedPcrsLen++] = atoi(aArg);
++			rc = 0;
++		}
++		break;
++	default:
++		break;
++	}
++	return rc;
++
++}
++
++int main(int argc, char **argv)
++{
++
++	int iRc = -1;
++	struct option opts[] = {
++		{"infile", required_argument, NULL, 'i'},
++		{"pcr", required_argument, NULL, 'p'},
++	};
++	unsigned char line[EVP_MD_block_size(EVP_sha1()) * 16];
++	int lineLen;
++	UINT32 i;
++
++	BIO *bin = NULL;
++
++	initIntlSys();
++
++	if (genericOptHandler(argc, argv, "i:p:", opts,
++			      sizeof(opts) / sizeof(struct option), parse,
++			      help) != 0)
++		goto out;
++
++	if (contextCreate(&hContext) != TSS_SUCCESS)
++		goto out;
++
++	if (contextConnect(hContext) != TSS_SUCCESS)
++		goto out_close;
++
++	if (contextGetTpm(hContext, &hTpm) != TSS_SUCCESS)
++		goto out_close;
++
++	/* Create a BIO for the input file */
++	if ((bin = BIO_new(BIO_s_file())) == NULL) {
++		logError(_("Unable to open input BIO\n"));
++		goto out_close;
++	}
++
++	/* Assign the input file to the BIO */
++	if (strlen(in_filename) == 0) 
++		BIO_set_fp(bin, stdin, BIO_NOCLOSE);
++	else if (!BIO_read_filename(bin, in_filename)) {
++		logError(_("Unable to open input file: %s\n"),
++			 in_filename);
++		goto out_close;
++	}
++
++	/* Create the PCRs object. If any PCRs above 15 are selected, this will need to be
++	 * a 1.2 TSS/TPM */
++	if (selectedPcrsLen) {
++		TSS_FLAG initFlag = 0;
++		UINT32 pcrSize;
++		BYTE *pcrValue;
++
++		for (i = 0; i < selectedPcrsLen; i++) {
++			if (selectedPcrs[i] > 15) {
++#ifdef TSS_LIB_IS_12
++				initFlag |= TSS_PCRS_STRUCT_INFO_LONG;
++#else
++				logError(_("This version of %s was compiled for a v1.1 TSS, which "
++					 "can only seal\n data to PCRs 0-15. PCR %u is out of range"
++					 "\n"), argv[0], selectedPcrs[i]);
++				goto out_close;
++#endif
++			}
++		}
++
++		unsigned char msg[EVP_MAX_MD_SIZE];
++		unsigned int msglen;
++		EVP_MD_CTX ctx;
++		EVP_DigestInit(&ctx, EVP_sha1());
++		while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0)
++			EVP_DigestUpdate(&ctx, line, lineLen);
++		EVP_DigestFinal(&ctx, msg, &msglen);
++
++		if (contextCreateObject(hContext, TSS_OBJECT_TYPE_PCRS, initFlag,
++					&hPcrs) != TSS_SUCCESS)
++			goto out_close;
++
++		for (i = 0; i < selectedPcrsLen; i++) {
++#ifdef TPM_EXTENDPCR_DEBUG
++			if (tpmPcrRead(hTpm, selectedPcrs[i], &pcrSize, &pcrValue) != TSS_SUCCESS)
++				goto out_close;
++
++			unsigned int j;
++			for (j = 0; j < pcrSize; j++)
++			  printf("%02X ", pcrValue[j]);
++			printf("\n");
++#endif
++			
++			if (tpmPcrExtend(hTpm, selectedPcrs[i], msglen, msg, NULL, &pcrSize, &pcrValue) != TSS_SUCCESS)
++			  goto out_close;
++
++#ifdef TPM_EXTENDPCR_DEBUG
++			for (j = 0; j < pcrSize; j++)
++			  printf("%02X ", pcrValue[j]);
++			printf("\n");
++#endif
++		}
++	}
++
++	iRc = 0;
++	logSuccess(argv[0]);
++
++out_close:
++	contextClose(hContext);
++
++out:
++	if (bin)
++		BIO_free(bin);
++	return iRc;
++}
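Review bot: The option parser in the new `src/cmds/tpm_extendpcr.c` has two unbounded writes: `selectedPcrs[selectedPcrsLen++] = atoi(aArg);` fills a 24-entry static array with no length check, so a 25th `-p` option overflows it, and `strncpy(in_filename, aArg, PATH_MAX);` leaves `in_filename` unterminated when the argument is PATH_MAX bytes or longer, after which `strlen(in_filename)` and `BIO_read_filename` read past the buffer. Input comes only from argv, so this is local robustness rather than a remote issue, but a TPM utility should reject such input rather than corrupt its own state; the rewrite below bounds both cases, rejects negative or non-numeric PCR numbers (which `atoi` currently wraps into the `UINT32` array and the later `> 15` check then treats as a high PCR), and keeps `rc = -1` for rejected input (what `genericOptHandler` does with that is outside this file). Smaller points: the error text `"can only seal\n data to PCRs 0-15"` was carried over from tpm_sealdata and should say extend, `hPcrs` is created and never used, and the `pcrValue` returned by each `tpmPcrExtend` is never released. The patch file itself also lacks the `Upstream-Status:` and `Signed-off-by:` header that the layer's other patches (e.g. fix_musl_select_include.patch) carry.
```c
static int parse(const int aOpt, const char *aArg)
{
	int rc = -1;

	switch (aOpt) {
	case 'i':
		/* reject names that would not fit together with a terminator */
		if (aArg && strlen(aArg) < sizeof(in_filename)) {
			strncpy(in_filename, aArg, sizeof(in_filename) - 1);
			in_filename[sizeof(in_filename) - 1] = '\0';
			rc = 0;
		}
		break;
	case 'p':
		/* selectedPcrs has a fixed capacity; never write past it */
		if (aArg && selectedPcrsLen <
		    sizeof(selectedPcrs) / sizeof(selectedPcrs[0])) {
			char *end = NULL;
			long pcr = strtol(aArg, &end, 10);
			/* require a complete, non-negative number; the TSS
			 * still decides whether the index exists on this TPM */
			if (end != aArg && *end == '\0' && pcr >= 0) {
				selectedPcrs[selectedPcrsLen++] = (UINT32)pcr;
				rc = 0;
			}
		}
		break;
	/* … unchanged: default case and return … */
```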
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb
new file mode 100644
index 0000000..f670bff
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm-tools/tpm-tools_git.bb
@@ -0,0 +1,35 @@
+SUMMARY = "The tpm-tools package contains commands to allow the platform administrator the ability to manage and diagnose the platform's TPM."
+DESCRIPTION = " \
+  The tpm-tools package contains commands to allow the platform administrator \
+  the ability to manage and diagnose the platform's TPM.  Additionally, the \
+  package contains commands to utilize some of the capabilities available \
+  in the TPM PKCS#11 interface implemented in the openCryptoki project. \
+  "
+SECTION = "tpm"
+LICENSE = "CPL-1.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=059e8cd6165cb4c31e351f2b69388fd9"
+
+DEPENDS = "libtspi openssl"
+DEPENDS_class-native = "trousers-native"
+
+SRCREV = "5c5126bedf2da97906358adcfb8c43c86e7dd0ee"
+SRC_URI = " \
+	git://git.code.sf.net/p/trousers/tpm-tools \
+	file://tpm-tools-extendpcr.patch \
+	"
+
+PV = "1.3.9.1+git${SRCPV}"
+
+inherit autotools-brokensep gettext
+
+S = "${WORKDIR}/git"
+
+do_configure_prepend () {
+	mkdir -p po
+	mkdir -p m4
+	cp -R po_/* po/
+	touch po/Makefile.in.in
+	touch m4/Makefile.am
+}
+
+BBCLASSEXTEND = "native"
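Review bot: `DEPENDS_class-native = "trousers-native"` replaces the whole dependency list for the native variant instead of extending it, so `openssl` (which the `native` class would otherwise map to openssl-native) is dropped even though the patched `src/cmds/Makefile.am` links `-lcrypto`; unless openssl-native happens to be staged by something else, the native build either fails or silently picks up the host library. Presumably the override exists because `libtspi` is a provider name with no native counterpart, so the safe form keeps the override but lists both: `DEPENDS_class-native = "trousers-native openssl-native"`, with a one-line comment saying why the target list is not reused. Separately, `git://git.code.sf.net/p/trousers/tpm-tools` fetches over the unauthenticated git:// transport; the full SRCREV hash does pin the content, but `;protocol=https` costs nothing and avoids relying on that alone.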
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh
new file mode 100644
index 0000000..c8dfb7d
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd-init.sh
@@ -0,0 +1,65 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides:		tpm2-abrmd
+# Required-Start:	$local_fs $remote_fs $network
+# Required-Stop:	$local_fs $remote_fs $network
+# Should-Start:
+# Should-Stop:
+# Default-Start:	2 3 4 5
+# Default-Stop:		0 1 6
+# Short-Description:	starts tpm2-abrmd
+# Description:		tpm2-abrmd implements the TCG resource manager
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/tpm2-abrmd
+NAME=tpm2-abrmd
+DESC="TCG TSS2 Access Broker and Resource Management daemon"
+USER="tss"
+
+test -x "${DAEMON}" || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+case "${1}" in
+	start)
+		echo -n "Starting $DESC: "
+
+		if [ ! -e /dev/tpm* ]
+		then
+			echo "device driver not loaded, skipping."
+			exit 0
+		fi
+
+		start-stop-daemon --start --quiet --oknodo --background --pidfile /var/run/${NAME}.pid --user ${USER} --chuid ${USER} --exec ${DAEMON} -- ${DAEMON_OPTS}
+		RETVAL="$?"
+		echo "$NAME."
+		[ "$RETVAL" = 0 ] && pidof $DAEMON > /var/run/${NAME}.pid
+		exit $RETVAL
+		;;
+
+	stop)
+		echo -n "Stopping $DESC: "
+
+		start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --exec ${DAEMON}
+		RETVAL="$?"
+                echo  "$NAME."
+		rm -f /var/run/${NAME}.pid
+		exit $RETVAL
+		;;
+
+	restart|force-reload)
+		"${0}" stop
+		sleep 1
+		"${0}" start
+		exit $?
+		;;
+	*)
+		echo "Usage: ${NAME} {start|stop|restart|force-reload|status}" >&2
+		exit 3
+		;;
+esac
+
+exit 0
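Review bot: The device probe `if [ ! -e /dev/tpm* ]` relies on the glob expanding to exactly one name: with no match it tests the literal string and correctly skips, but on a kernel that also exposes `/dev/tpmrm0` next to `/dev/tpm0` the test becomes `[ ! -e /dev/tpm0 /dev/tpmrm0 ]`, a syntax error that only starts the daemon by accident of `[` failing; `set -- /dev/tpm*; if [ ! -e "$1" ]; then` tests the first match deterministically. The usage line advertises `status` but no `status)` case exists, so it falls through to the usage error with exit 3; either add one (`status) pidof $DAEMON >/dev/null && echo "$NAME running" || echo "$NAME not running" ;;`) or drop it from the usage text. Writing the pidfile with `pidof $DAEMON` after `--background` also races with a daemon that exits shortly after forking; if the start-stop-daemon on the target supports it, `--make-pidfile` records the pid it forked itself and makes the later `--stop --pidfile` unambiguous.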
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default
new file mode 100644
index 0000000..987978a
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/files/tpm2-abrmd.default
@@ -0,0 +1 @@
+DAEMON_OPTS="--tcti=device --logger=syslog --max-connections=20 --max-transient-objects=20 --fail-on-loaded-trans"
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb
new file mode 100644
index 0000000..a5d6843
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2-abrmd/tpm2-abrmd_1.2.0.bb
@@ -0,0 +1,54 @@
+SUMMARY = "TPM2 Access Broker & Resource Manager"
+DESCRIPTION = "This is a system daemon implementing the TPM2 access \
+broker (TAB) & Resource Manager (RM) spec from the TCG. The daemon (tpm2-abrmd) \
+is implemented using Glib and the GObject system. In this documentation and \
+in the code we use `tpm2-abrmd` and `tabrmd` interchangeably. \
+"
+SECTION = "security/tpm"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
+
+DEPENDS += "autoconf-archive dbus glib-2.0 pkgconfig tpm2.0-tss glib-2.0-native"
+
+SRC_URI = "\
+    git://github.com/01org/tpm2-abrmd.git \
+    file://tpm2-abrmd-init.sh \
+    file://tpm2-abrmd.default \
+"
+SRCREV = "59ce1008e5fa3bd5a143437b0f7390851fd25bd8"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig systemd update-rc.d useradd
+
+SYSTEMD_PACKAGES += "${PN}"
+SYSTEMD_SERVICE_${PN} = "tpm2-abrmd.service"
+SYSTEMD_AUTO_ENABLE_${PN} = "disable"
+
+INITSCRIPT_NAME = "${PN}"
+INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "tss"
+USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
+
+PACKAGECONFIG ?="udev"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES','systemd','systemd', '', d)}"
+
+PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --with-systemdsystemunitdir=no"
+PACKAGECONFIG[udev] = "--with-udevrulesdir=${sysconfdir}/udev/rules.d, --without-udevrulesdir"
+
+do_install_append() {
+    install -d "${D}${sysconfdir}/init.d"
+    install -m 0755 "${WORKDIR}/tpm2-abrmd-init.sh" "${D}${sysconfdir}/init.d/tpm2-abrmd"
+
+    install -d "${D}${sysconfdir}/default"
+    install -m 0644 "${WORKDIR}/tpm2-abrmd.default" "${D}${sysconfdir}/default/tpm2-abrmd"
+}
+
+FILES_${PN} += "${libdir}/systemd/system-preset"
+
+RDEPENDS_${PN} += "libgcc dbus-glib libtss2 libtctidevice libtctisocket"
+
+BBCLASSEXTEND = "native"
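Review bot: The two init integrations disagree on whether the broker starts by default: `SYSTEMD_AUTO_ENABLE_${PN} = "disable"` while `INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."` enables the sysvinit script unconditionally, so the same image boots with or without a resource manager depending on the init system; pick one policy and record it in a comment next to these lines. Related, the sibling tpm2.0-tss recipe in this layer auto-enables its own `resourcemgr.service`, and if both packages land in one image two resource managers will contend for the TPM device (which the kernel typically allows only one process to hold open) — presumably only one is meant to be installed, but nothing expresses that; `RCONFLICTS_${PN} = "resourcemgr"` would. The GitHub fetch `git://github.com/01org/tpm2-abrmd.git` uses the unauthenticated git:// transport; the SRCREV pin protects content integrity, but `;protocol=https` is the usual hardening.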
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb
new file mode 100644
index 0000000..7ec12fc
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tools/tpm2.0-tools_git.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Tools for TPM2."
+DESCRIPTION = "tpm2.0-tools"
+LICENSE = "BSD"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=91b7c548d73ea16537799e8060cea819"
+SECTION = "tpm"
+
+DEPENDS = "pkgconfig tpm2.0-tss openssl curl autoconf-archive"
+
+# July 10, 2017
+SRCREV = "26c0557040c1cf8107fa3ebbcf2a5b07cc84b881"
+
+SRC_URI = "git://github.com/01org/tpm2.0-tools.git;name=tpm2.0-tools;destsuffix=tpm2.0-tools"
+
+S = "${WORKDIR}/tpm2.0-tools"
+
+PV = "2.0.0+git${SRCPV}"
+
+inherit autotools pkgconfig
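Review bot: `LICENSE = "BSD"` is the generic family name rather than a specific identifier; the sibling recipes in this layer use `BSD-2-Clause`/`BSD-3-Clause`, and `LIC_FILES_CHKSUM` already pins a LICENSE file, so the exact variant should be stated (I cannot tell from here which one it is). `DESCRIPTION = "tpm2.0-tools"` only restates the name; one sentence on what the tools do, and a note on why `curl` is in DEPENDS, would be more useful to whoever updates this recipe next.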
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4 b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4
new file mode 100644
index 0000000..d383ad5
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/ax_pthread.m4
@@ -0,0 +1,332 @@
+# ===========================================================================
+#        http://www.gnu.org/software/autoconf-archive/ax_pthread.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]])
+#
+# DESCRIPTION
+#
+#   This macro figures out how to build C programs using POSIX threads. It
+#   sets the PTHREAD_LIBS output variable to the threads library and linker
+#   flags, and the PTHREAD_CFLAGS output variable to any special C compiler
+#   flags that are needed. (The user can also force certain compiler
+#   flags/libs to be tested by setting these environment variables.)
+#
+#   Also sets PTHREAD_CC to any special C compiler that is needed for
+#   multi-threaded programs (defaults to the value of CC otherwise). (This
+#   is necessary on AIX to use the special cc_r compiler alias.)
+#
+#   NOTE: You are assumed to not only compile your program with these flags,
+#   but also link it with them as well. e.g. you should link with
+#   $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS
+#
+#   If you are only building threads programs, you may wish to use these
+#   variables in your default LIBS, CFLAGS, and CC:
+#
+#     LIBS="$PTHREAD_LIBS $LIBS"
+#     CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+#     CC="$PTHREAD_CC"
+#
+#   In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant
+#   has a nonstandard name, defines PTHREAD_CREATE_JOINABLE to that name
+#   (e.g. PTHREAD_CREATE_UNDETACHED on AIX).
+#
+#   Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the
+#   PTHREAD_PRIO_INHERIT symbol is defined when compiling with
+#   PTHREAD_CFLAGS.
+#
+#   ACTION-IF-FOUND is a list of shell commands to run if a threads library
+#   is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it
+#   is not found. If ACTION-IF-FOUND is not specified, the default action
+#   will define HAVE_PTHREAD.
+#
+#   Please let the authors know if this macro fails on any platform, or if
+#   you have any other suggestions or comments. This macro was based on work
+#   by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help
+#   from M. Frigo), as well as ac_pthread and hb_pthread macros posted by
+#   Alejandro Forero Cuervo to the autoconf macro repository. We are also
+#   grateful for the helpful feedback of numerous users.
+#
+#   Updated for Autoconf 2.68 by Daniel Richard G.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Steven G. Johnson <stevenj@alum.mit.edu>
+#   Copyright (c) 2011 Daniel Richard G. <skunk@iSKUNK.ORG>
+#
+#   This program is free software: you can redistribute it and/or modify it
+#   under the terms of the GNU General Public License as published by the
+#   Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   This program is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+#   Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License along
+#   with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#   As a special exception, the respective Autoconf Macro's copyright owner
+#   gives unlimited permission to copy, distribute and modify the configure
+#   scripts that are the output of Autoconf when processing the Macro. You
+#   need not follow the terms of the GNU General Public License when using
+#   or distributing such scripts, even though portions of the text of the
+#   Macro appear in them. The GNU General Public License (GPL) does govern
+#   all other use of the material that constitutes the Autoconf Macro.
+#
+#   This special exception to the GPL applies to versions of the Autoconf
+#   Macro released by the Autoconf Archive. When you make and distribute a
+#   modified version of the Autoconf Macro, you may extend this special
+#   exception to the GPL to apply to your modified version as well.
+
+#serial 21
+
+AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD])
+AC_DEFUN([AX_PTHREAD], [
+AC_REQUIRE([AC_CANONICAL_HOST])
+AC_LANG_PUSH([C])
+ax_pthread_ok=no
+
+# We used to check for pthread.h first, but this fails if pthread.h
+# requires special compiler flags (e.g. on True64 or Sequent).
+# It gets checked for in the link test anyway.
+
+# First of all, check if the user has set any of the PTHREAD_LIBS,
+# etcetera environment variables, and if threads linking works using
+# them:
+if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then
+        save_CFLAGS="$CFLAGS"
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        save_LIBS="$LIBS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+        AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS])
+        AC_TRY_LINK_FUNC([pthread_join], [ax_pthread_ok=yes])
+        AC_MSG_RESULT([$ax_pthread_ok])
+        if test x"$ax_pthread_ok" = xno; then
+                PTHREAD_LIBS=""
+                PTHREAD_CFLAGS=""
+        fi
+        LIBS="$save_LIBS"
+        CFLAGS="$save_CFLAGS"
+fi
+
+# We must check for the threads library under a number of different
+# names; the ordering is very important because some systems
+# (e.g. DEC) have both -lpthread and -lpthreads, where one of the
+# libraries is broken (non-POSIX).
+
+# Create a list of thread flags to try.  Items starting with a "-" are
+# C compiler flags, and other items are library names, except for "none"
+# which indicates that we try without any flags at all, and "pthread-config"
+# which is a program returning the flags for the Pth emulation library.
+
+ax_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
+
+# The ordering *is* (sometimes) important.  Some notes on the
+# individual items follow:
+
+# pthreads: AIX (must check this before -lpthread)
+# none: in case threads are in libc; should be tried before -Kthread and
+#       other compiler flags to prevent continual compiler warnings
+# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h)
+# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
+# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
+# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads)
+# -pthreads: Solaris/gcc
+# -mthreads: Mingw32/gcc, Lynx/gcc
+# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it
+#      doesn't hurt to check since this sometimes defines pthreads too;
+#      also defines -D_REENTRANT)
+#      ... -mt is also the pthreads flag for HP/aCC
+# pthread: Linux, etcetera
+# --thread-safe: KAI C++
+# pthread-config: use pthread-config program (for GNU Pth library)
+
+case ${host_os} in
+        solaris*)
+
+        # On Solaris (at least, for some versions), libc contains stubbed
+        # (non-functional) versions of the pthreads routines, so link-based
+        # tests will erroneously succeed.  (We need to link with -pthreads/-mt/
+        # -lpthread.)  (The stubs are missing pthread_cleanup_push, or rather
+        # a function called by this macro, so we could check for that, but
+        # who knows whether they'll stub that too in a future libc.)  So,
+        # we'll just look for -pthreads and -lpthread first:
+
+        ax_pthread_flags="-pthreads pthread -mt -pthread $ax_pthread_flags"
+        ;;
+
+        darwin*)
+        ax_pthread_flags="-pthread $ax_pthread_flags"
+        ;;
+esac
+
+# Clang doesn't consider unrecognized options an error unless we specify
+# -Werror. We throw in some extra Clang-specific options to ensure that
+# this doesn't happen for GCC, which also accepts -Werror.
+
+AC_MSG_CHECKING([if compiler needs -Werror to reject unknown flags])
+save_CFLAGS="$CFLAGS"
+ax_pthread_extra_flags="-Werror"
+CFLAGS="$CFLAGS $ax_pthread_extra_flags -Wunknown-warning-option -Wsizeof-array-argument"
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([int foo(void);],[foo()])],
+                  [AC_MSG_RESULT([yes])],
+                  [ax_pthread_extra_flags=
+                   AC_MSG_RESULT([no])])
+CFLAGS="$save_CFLAGS"
+
+if test x"$ax_pthread_ok" = xno; then
+for flag in $ax_pthread_flags; do
+
+        case $flag in
+                none)
+                AC_MSG_CHECKING([whether pthreads work without any flags])
+                ;;
+
+                -*)
+                AC_MSG_CHECKING([whether pthreads work with $flag])
+                PTHREAD_CFLAGS="$flag"
+                ;;
+
+                pthread-config)
+                AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no])
+                if test x"$ax_pthread_config" = xno; then continue; fi
+                PTHREAD_CFLAGS="`pthread-config --cflags`"
+                PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
+                ;;
+
+                *)
+                AC_MSG_CHECKING([for the pthreads library -l$flag])
+                PTHREAD_LIBS="-l$flag"
+                ;;
+        esac
+
+        save_LIBS="$LIBS"
+        save_CFLAGS="$CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS $ax_pthread_extra_flags"
+
+        # Check for various functions.  We must include pthread.h,
+        # since some functions may be macros.  (On the Sequent, we
+        # need a special flag -Kthread to make this header compile.)
+        # We check for pthread_join because it is in -lpthread on IRIX
+        # while pthread_create is in libc.  We check for pthread_attr_init
+        # due to DEC craziness with -lpthreads.  We check for
+        # pthread_cleanup_push because it is one of the few pthread
+        # functions on Solaris that doesn't have a non-functional libc stub.
+        # We try pthread_create on general principles.
+        AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>
+                        static void routine(void *a) { a = 0; }
+                        static void *start_routine(void *a) { return a; }],
+                       [pthread_t th; pthread_attr_t attr;
+                        pthread_create(&th, 0, start_routine, 0);
+                        pthread_join(th, 0);
+                        pthread_attr_init(&attr);
+                        pthread_cleanup_push(routine, 0);
+                        pthread_cleanup_pop(0) /* ; */])],
+                [ax_pthread_ok=yes],
+                [])
+
+        LIBS="$save_LIBS"
+        CFLAGS="$save_CFLAGS"
+
+        AC_MSG_RESULT([$ax_pthread_ok])
+        if test "x$ax_pthread_ok" = xyes; then
+                break;
+        fi
+
+        PTHREAD_LIBS=""
+        PTHREAD_CFLAGS=""
+done
+fi
+
+# Various other checks:
+if test "x$ax_pthread_ok" = xyes; then
+        save_LIBS="$LIBS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+        save_CFLAGS="$CFLAGS"
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+
+        # Detect AIX lossage: JOINABLE attribute is called UNDETACHED.
+        AC_MSG_CHECKING([for joinable pthread attribute])
+        attr_name=unknown
+        for attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do
+            AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>],
+                           [int attr = $attr; return attr /* ; */])],
+                [attr_name=$attr; break],
+                [])
+        done
+        AC_MSG_RESULT([$attr_name])
+        if test "$attr_name" != PTHREAD_CREATE_JOINABLE; then
+            AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], [$attr_name],
+                               [Define to necessary symbol if this constant
+                                uses a non-standard name on your system.])
+        fi
+
+        AC_MSG_CHECKING([if more special flags are required for pthreads])
+        flag=no
+        case ${host_os} in
+            aix* | freebsd* | darwin*) flag="-D_THREAD_SAFE";;
+            osf* | hpux*) flag="-D_REENTRANT";;
+            solaris*)
+            if test "$GCC" = "yes"; then
+                flag="-D_REENTRANT"
+            else
+                # TODO: What about Clang on Solaris?
+                flag="-mt -D_REENTRANT"
+            fi
+            ;;
+        esac
+        AC_MSG_RESULT([$flag])
+        if test "x$flag" != xno; then
+            PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS"
+        fi
+
+        AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT],
+            [ax_cv_PTHREAD_PRIO_INHERIT], [
+                AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]],
+                                                [[int i = PTHREAD_PRIO_INHERIT;]])],
+                    [ax_cv_PTHREAD_PRIO_INHERIT=yes],
+                    [ax_cv_PTHREAD_PRIO_INHERIT=no])
+            ])
+        AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes"],
+            [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])])
+
+        LIBS="$save_LIBS"
+        CFLAGS="$save_CFLAGS"
+
+        # More AIX lossage: compile with *_r variant
+        if test "x$GCC" != xyes; then
+            case $host_os in
+                aix*)
+                AS_CASE(["x/$CC"],
+                  [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6],
+                  [#handle absolute path differently from PATH based program lookup
+                   AS_CASE(["x$CC"],
+                     [x/*],
+                     [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])],
+                     [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])])
+                ;;
+            esac
+        fi
+fi
+
+test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
+
+AC_SUBST([PTHREAD_LIBS])
+AC_SUBST([PTHREAD_CFLAGS])
+AC_SUBST([PTHREAD_CC])
+
+# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
+if test x"$ax_pthread_ok" = xyes; then
+        ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1])
+        :
+else
+        ax_pthread_ok=no
+        $2
+fi
+AC_LANG_POP
+])dnl AX_PTHREAD
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch
new file mode 100644
index 0000000..ecaca6e
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss/fix_musl_select_include.patch
@@ -0,0 +1,31 @@
+This fixes musl build issue do to missing FD_* defines.
+Add sys/select.h
+
+Upstream-Status: Pending
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: TPM2.0-TSS/tcti/tcti_socket.cpp
+===================================================================
+--- TPM2.0-TSS.orig/tcti/tcti_socket.cpp
++++ TPM2.0-TSS/tcti/tcti_socket.cpp
+@@ -28,6 +28,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>   // Needed for _wtoi
+ 
++#include "sys/select.h"
+ #include <sapi/tpm20.h>
+ #include <tcti/tcti_socket.h>
+ #include "sysapi_util.h"
+Index: TPM2.0-TSS/resourcemgr/resourcemgr.c
+===================================================================
+--- TPM2.0-TSS.orig/resourcemgr/resourcemgr.c
++++ TPM2.0-TSS/resourcemgr/resourcemgr.c
+@@ -28,6 +28,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>   // Needed for _wtoi
+ 
++#include "sys/select.h"
+ #include <sapi/tpm20.h>
+ #include <tcti/tcti_device.h>
+ #include <tcti/tcti_socket.h>
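Review bot: The added line `#include "sys/select.h"` names a system header in quote form, which searches the including file's directory first and reads as a local header; the conventional `#include <sys/select.h>` matches how both files include their other system headers on the adjacent lines. Minor, but since the patch is marked `Upstream-Status: Pending` it is worth fixing before submission. The description's `do to` should read `due to`.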
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb
new file mode 100644
index 0000000..b673c2b
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2.0-tss/tpm2.0-tss_1.3.0.bb
@@ -0,0 +1,99 @@
+SUMMARY = "Software stack for TPM2."
+DESCRIPTION = "tpm2.0-tss like woah."
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da"
+SECTION = "tpm"
+
+DEPENDS = "autoconf-archive pkgconfig"
+
+SRCREV = "b1d9ece8c6bea2e3043943b2edfaebcdca330c38"
+
+SRC_URI = " \
+    git://github.com/tpm2-software/tpm2-tss.git;branch=1.x \
+    file://ax_pthread.m4 \
+"
+
+inherit autotools pkgconfig systemd
+
+S = "${WORKDIR}/git"
+
+do_configure_prepend () {
+	mkdir -p ${S}/m4
+	cp ${WORKDIR}/ax_pthread.m4 ${S}/m4
+	# execute the bootstrap script
+	currentdir=$(pwd)
+	cd ${S}
+	ACLOCAL="aclocal --system-acdir=${STAGING_DATADIR}/aclocal" ./bootstrap
+	cd $currentdir
+}
+
+INHERIT += "extrausers"
+EXTRA_USERS_PARAMS = "\
+	useradd -p '' tss; \
+	groupadd tss; \
+	"
+
+SYSTEMD_PACKAGES = "resourcemgr"
+SYSTEMD_SERVICE_resourcemgr = "resourcemgr.service"
+SYSTEMD_AUTO_ENABLE_resourcemgr = "enable"
+
+do_patch[postfuncs] += "${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','fix_systemd_unit','', d)}"
+fix_systemd_unit () {
+    sed -i -e 's;^ExecStart=.*/resourcemgr;ExecStart=${sbindir}/resourcemgr;' ${S}/contrib/resourcemgr.service
+}
+
+do_install_append() {
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        install -d ${D}${systemd_system_unitdir}
+        install -m0644 ${S}/contrib/resourcemgr.service ${D}${systemd_system_unitdir}/resourcemgr.service
+    fi
+}
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = " \
+    ${PN}-dbg \
+    ${PN}-doc \
+    libtss2 \
+    libtss2-dev \
+    libtss2-staticdev \
+    libtctidevice \
+    libtctidevice-dev \
+    libtctidevice-staticdev \
+    libtctisocket \
+    libtctisocket-dev \
+    libtctisocket-staticdev \
+    resourcemgr \
+"
+
+FILES_libtss2 = " \
+	${libdir}/libsapi.so.0.0.0 \
+	${libdir}/libmarshal.so.0.0.0 \
+"
+FILES_libtss2-dev = " \
+    ${includedir}/sapi \
+    ${includedir}/tcti/common.h \
+    ${libdir}/libsapi.so* \
+    ${libdir}/libmarshal.so* \
+    ${libdir}/pkgconfig/sapi.pc \
+"
+FILES_libtss2-staticdev = " \
+    ${libdir}/libsapi.a \
+    ${libdir}/libsapi.la \
+    ${libdir}/libmarshal.a \
+    ${libdir}/libmarshal.la \
+"
+FILES_libtctidevice = "${libdir}/libtcti-device.so.0.0.0"
+FILES_libtctidevice-dev = " \
+    ${includedir}/tcti/tcti_device.h \
+    ${libdir}/libtcti-device.so* \
+    ${libdir}/pkgconfig/tcti-device.pc \
+"
+FILES_libtctidevice-staticdev = "${libdir}/libtcti-device.*a"
+FILES_libtctisocket = "${libdir}/libtcti-socket.so.0.0.0"
+FILES_libtctisocket-dev = " \
+    ${includedir}/tcti/tcti_socket.h \
+    ${libdir}/libtcti-socket.so* \
+    ${libdir}/pkgconfig/tcti-socket.pc \
+"
+FILES_libtctisocket-staticdev = "${libdir}/libtcti-socket.*a"
+FILES_resourcemgr = "${sbindir}/resourcemgr ${systemd_system_unitdir}/resourcemgr.service"
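Review bot: The account creation `useradd -p '' tss;` under `EXTRA_USERS_PARAMS` gives the `tss` user an empty password field and leaves the default login shell, so on a rootfs whose login stack accepts empty passwords it is a passwordless login, and it contradicts how the sibling tpm2-abrmd recipe creates the same account (`--system -M -d /var/lib/tpm -s /bin/false -g tss tss`). `INHERIT += "extrausers"` is also a global configuration directive rather than a recipe-level `inherit`, and `EXTRA_USERS_PARAMS` is consumed by the extrausers class at image rootfs time, so I doubt this block takes effect from a recipe at all (and `groupadd tss` after `useradd tss` would presumably fail because useradd already created that group) — either way the `resourcemgr` package has no guaranteed unprivileged account. The useradd class, as tpm2-abrmd already does, is the per-package way to do this; rewrite below. If a single `tss` account is intended across the layer, the two recipes should at least use identical parameters so whichever installs first does not leave the weaker account behind.
```bitbake
inherit autotools pkgconfig systemd useradd

# … unchanged: S, do_configure_prepend …

# tss account for the resourcemgr package; same parameters as tpm2-abrmd so
# the two recipes agree on the account whichever one creates it first.
USERADD_PACKAGES = "resourcemgr"
GROUPADD_PARAM_resourcemgr = "--system tss"
USERADD_PARAM_resourcemgr = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
```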
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb
new file mode 100644
index 0000000..866791c
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/tpm2simulator/tpm2simulator-native_138.bb
@@ -0,0 +1,22 @@
+SUMMARY = "TPM 2.0 Simulator Extraction Script"
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1415f7be284540b81d9d28c67c1a6b8b"
+
+DEPENDS = "python"
+
+SRCREV = "e45324eba268723d39856111e7933c5c76238481"
+SRC_URI = "git://github.com/stwagnr/tpm2simulator.git"
+
+S = "${WORKDIR}/git"
+OECMAKE_SOURCEPATH = "${S}/cmake"
+
+inherit native lib_package cmake
+
+EXTRA_OECMAKE = " \
+	-DCMAKE_BUILD_TYPE=Debug \
+	-DSPEC_VERSION=138 \
+"
+
+do_configure_prepend () {
+	sed -i 's/^SET = False/SET = True/' ${S}/scripts/settings.py 
+}
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
new file mode 100644
index 0000000..7b3cc77
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch
@@ -0,0 +1,68 @@
+From 3396fc7a184293c23135161f034802062f7f3816 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <adraszik@tycoint.com>
+Date: Wed, 1 Nov 2017 11:41:48 +0000
+Subject: [PATCH] build: don't override --localstatedir --mandir --sysconfdir
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It is currently impossible to override localstatedir,
+mandir and sysconfdir during ./configure, because they
+are being overriden unconditionally because of they
+way trousers is built using rpmbuild.
+
+If they need massaging for rpmbuild, the values should
+be specified inside the spec file, not in ./configure
+and thereby overriding user-requested values.
+
+With this patch it is now possible to set above
+locations as needed. The .spec file is being modified
+as well so as to restore previous behaviour.
+
+Signed-off-by: André Draszik <adraszik@tycoint.com>
+---
+Upstream-Status: Submitted [https://sourceforge.net/p/trousers/mailman/message/36099290/]
+Signed-off-by: André Draszik <adraszik@tycoint.com>
+ configure.ac          | 11 ++---------
+ dist/trousers.spec.in |  2 +-
+ 2 files changed, 3 insertions(+), 10 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index b9626af..7fe5f8e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -376,16 +376,9 @@ CFLAGS="$CFLAGS -I../include \
+ KERNEL_VERSION=`uname -r`
+ AC_SUBST(CFLAGS)
+ 
+-# When we build the rpms, prefix will be /usr. This'll do some things that make sense,
+-# like put our sbin stuff in /usr/sbin and our library in /usr/lib. It'll do some other
+-# things that don't make sense like put our config file in /usr/etc. So, I'll just hack
+-# it here. If the --prefix option isn't specified during configure, let it all go to
++# If the --prefix option isn't specified during configure, let it all go to
+ # /usr/local, even /usr/local/etc. :-P
+-if test x"${prefix}" = x"/usr"; then
+-	sysconfdir="/etc"
+-	localstatedir="/var"
+-	mandir="/usr/share/man"
+-elif test x"${prefix}" = x"NONE"; then
++if test x"${prefix}" = x"NONE"; then
+ 	localstatedir="/usr/local/var"
+ fi
+ 
+diff --git a/dist/trousers.spec.in b/dist/trousers.spec.in
+index b298b0e..10ef178 100644
+--- a/dist/trousers.spec.in
++++ b/dist/trousers.spec.in
+@@ -45,7 +45,7 @@ applications.
+ 
+ %build
+ %{?arch64:export PKG_CONFIG_PATH=%{pkgconfig_path}:$PKG_CONFIG_PATH}
+-./configure --prefix=/usr --libdir=%{_libdir}
++./configure --prefix=/usr --libdir=%{_libdir} --sysconfdir=/etc --localstatedir=/var --mandir=/usr/share/man
+ make
+ 
+ %clean
+-- 
+2.15.0.rc1
+
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
new file mode 100644
index 0000000..3f5a144
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch
@@ -0,0 +1,49 @@
+trousers: fix compiling with musl
+
+use POSIX getpwent instead of getpwent_r
+
+Upstream-Status: Submitted
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: git/src/tspi/ps/tspps.c
+===================================================================
+--- git.orig/src/tspi/ps/tspps.c
++++ git/src/tspi/ps/tspps.c
+@@ -66,9 +66,6 @@ get_user_ps_path(char **file)
+ 	TSS_RESULT result;
+ 	char *file_name = NULL, *home_dir = NULL;
+ 	struct passwd *pwp;
+-#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
+-	struct passwd pw;
+-#endif
+ 	struct stat stat_buf;
+ 	char buf[PASSWD_BUFSIZE];
+ 	uid_t euid;
+@@ -96,24 +93,15 @@ get_user_ps_path(char **file)
+ #else
+ 	setpwent();
+ 	while (1) {
+-#if (defined (__linux) || defined (linux) || defined(__GLIBC__))
+-		rc = getpwent_r(&pw, buf, PASSWD_BUFSIZE, &pwp);
+-		if (rc) {
+-			LogDebugFn("USER PS: Error getting path to home directory: getpwent_r: %s",
+-				   strerror(rc));
+-			endpwent();
+-			return TSPERR(TSS_E_INTERNAL_ERROR);
+-		}
+-
+-#elif (defined (__FreeBSD__) || defined (__OpenBSD__))
+ 		if ((pwp = getpwent()) == NULL) {
+ 			LogDebugFn("USER PS: Error getting path to home directory: getpwent: %s",
+                                    strerror(rc));
+ 			endpwent();
++#if (defined (__FreeBSD__) || defined (__OpenBSD__))
+ 			MUTEX_UNLOCK(user_ps_path);
++#endif
+ 			return TSPERR(TSS_E_INTERNAL_ERROR);
+ 		}
+-#endif
+ 		if (euid == pwp->pw_uid) {
+                         home_dir = strdup(pwp->pw_dir);
+                         break;
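Review bot: The new `getpwent()` branch logs `strerror(rc)`, but `rc` is never assigned by `getpwent()` (the only assignment was the removed `getpwent_r` call), so the message carries a stale value; `getpwent()` signals errors through errno and returns NULL both at end-of-list and on error, so errno must be cleared before the call and read after it. The bigger concern is that `getpwent()` is not reentrant and the enumeration cursor is process-global, while the remaining `MUTEX_UNLOCK(user_ps_path)` is now guarded by a BSD-only `#if`, which suggests the lock is BSD-only too, so on Linux/musl two threads using libtspi can race on libc's static passwd buffer. Since the function already has `euid` and `char buf[PASSWD_BUFSIZE]` in scope, `getpwuid_r(euid, &pw, buf, PASSWD_BUFSIZE, &pwp)` (POSIX, available in musl) replaces the whole enumeration loop, is reentrant, and removes the `rc` misuse in one step. get_user_ps_path continues outside the hunk, so the lock handling around the BSD branch should be checked there as well.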
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service
new file mode 100644
index 0000000..787d4e9
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/tcsd.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=TCG Core Services Daemon
+After=syslog.target
+
+[Service]
+Type=forking
+ExecStart=@SBINDIR@/tcsd
+
+[Install]
+WantedBy=multi-user.target
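Review bot: The [Service] section has no `User=`/`Group=`, so under systemd tcsd is started as root, whereas the sysvinit script in the same series passes `--user tss --chuid tss` and the udev rule makes the device 0600 tss:tss; unless tcsd drops privileges itself (not visible here), add `User=tss` and `Group=tss` so both init systems run the daemon with the same identity. With the daemon confined to the tss user the usual hardening lines also become cheap: `NoNewPrivileges=yes`, `ProtectSystem=full`, `PrivateTmp=yes`, and `DeviceAllow=/dev/tpm0 rw` would limit what a compromised tcsd can touch. `After=syslog.target` is an obsolete target; the init script's "device driver not loaded, skipping" check has no equivalent here, and `ConditionPathExistsGlob=/dev/tpm*` would give the same behaviour.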
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules
new file mode 100644
index 0000000..256babd
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers-udev.rules
@@ -0,0 +1,2 @@
+# trousers daemon expects tpm device to be owned by tss user & group
+KERNEL=="tpm[0-9]*", MODE="0600", OWNER="tss", GROUP="tss"
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh
new file mode 100644
index 0000000..d0d6cb3
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/files/trousers.init.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides:		tcsd trousers
+# Required-Start:	$local_fs $remote_fs $network
+# Required-Stop:	$local_fs $remote_fs $network
+# Should-Start:
+# Should-Stop:
+# Default-Start:	2 3 4 5
+# Default-Stop:		0 1 6
+# Short-Description:	starts tcsd
+# Description:		tcsd belongs to the TrouSerS TCG Software Stack
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+DAEMON=/usr/sbin/tcsd
+NAME=tcsd
+DESC="Trusted Computing daemon"
+USER="tss"
+
+test -x "${DAEMON}" || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+case "${1}" in
+	start)
+		echo "Starting $DESC: "
+
+		if [ ! -e /dev/tpm* ]
+		then
+			echo "device driver not loaded, skipping."
+			exit 0
+		fi
+
+		start-stop-daemon --start --quiet --oknodo \
+			--pidfile /var/run/${NAME}.pid --make-pidfile --background \
+			--user ${USER} --chuid ${USER} \
+			--exec ${DAEMON} -- ${DAEMON_OPTS} --foreground
+		RETVAL="$?"
+		echo "$NAME."
+		exit $RETVAL
+		;;
+
+	stop)
+		echo "Stopping $DESC: "
+
+		start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --exec ${DAEMON}
+		RETVAL="$?"
+                echo  "$NAME."
+		rm -f /var/run/${NAME}.pid
+		exit $RETVAL
+		;;
+
+	restart|force-reload)
+		"${0}" stop
+		sleep 1
+		"${0}" start
+		exit $?
+		;;
+	*)
+		echo "Usage: ${NAME} {start|stop|restart|force-reload|status}" >&2
+		exit 3
+		;;
+esac
+
+exit 0
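Review bot: The device check `if [ ! -e /dev/tpm* ]` expands the glob in place, so with two TPM nodes `test` receives an extra argument and fails with "too many arguments" instead of taking the start path; use `set -- /dev/tpm[0-9]*; if [ ! -e "$1" ]; then` so only the first match is tested. The usage line advertises `status` but there is no `status)` arm, so `trousers status` exits 3 as an unknown command; a `status)` arm around `start-stop-daemon --status --pidfile /var/run/${NAME}.pid --exec ${DAEMON}` (or a pidfile/kill -0 check) closes that gap. `/etc/default/$NAME` is sourced unconditionally, so anything in `DAEMON_OPTS` ends up on the tcsd command line unquoted; that is the usual Debian pattern, but it is worth a comment that the file is trusted configuration.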
diff --git a/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
new file mode 100644
index 0000000..fe8f557
--- /dev/null
+++ b/import-layers/meta-security/meta-tpm/recipes-tpm/trousers/trousers_git.bb
@@ -0,0 +1,118 @@
+SUMMARY = "TrouSerS - An open-source TCG Software Stack implementation."
+LICENSE = "BSD"
+HOMEPAGE = "http://sourceforge.net/projects/trousers/"
+LIC_FILES_CHKSUM = "file://README;startline=3;endline=4;md5=2af28fbed0832e4d83a9e6dd68bb4413"
+SECTION = "security/tpm"
+
+DEPENDS = "openssl"
+
+SRCREV = "4b9a70d5789b0b74f43957a6c19ab2156a72d3e0"
+PV = "0.3.14+git${SRCPV}"
+
+SRC_URI = " \
+	git://git.code.sf.net/p/trousers/trousers \
+    	file://trousers.init.sh \
+    	file://trousers-udev.rules \
+    	file://tcsd.service \
+        file://get-user-ps-path-use-POSIX-getpwent-instead-of-getpwe.patch \
+        file://0001-build-don-t-override-localstatedir-mandir-sysconfdir.patch \
+    	"
+
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig useradd update-rc.d ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+
+PACKAGECONFIG ?= "gmp "
+PACKAGECONFIG[gmp] = "--with-gmp, --with-gmp=no, gmp"
+PACKAGECONFIG[gtk] = "--with-gui=gtk, --with-gui=none, gtk+"
+
+do_install () {
+    oe_runmake DESTDIR=${D} install
+}
+
+do_install_append() {
+    install -d ${D}${sysconfdir}/init.d
+    install -m 0755 ${WORKDIR}/trousers.init.sh ${D}${sysconfdir}/init.d/trousers
+    install -d ${D}${sysconfdir}/udev/rules.d
+    install -m 0644 ${WORKDIR}/trousers-udev.rules ${D}${sysconfdir}/udev/rules.d/45-trousers.rules
+
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        install -d ${D}${systemd_unitdir}/system
+        install -m 0644 ${WORKDIR}/tcsd.service ${D}${systemd_unitdir}/system/
+        sed -i -e 's#@SBINDIR@#${sbindir}#g' ${D}${systemd_unitdir}/system/tcsd.service
+    fi        
+}
+
+CONFFILES_${PN} += "${sysconfig}/tcsd.conf"
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = " \
+	libtspi \
+	libtspi-dbg \
+	libtspi-dev \
+	libtspi-doc \
+	libtspi-staticdev \
+	trousers \
+	trousers-dbg \
+	trousers-doc \
+	"
+
+# libtspi needs tcsd for most (all?) operations, so suggest to
+# install that.
+RRECOMMENDS_libtspi = "${PN}"
+
+FILES_libtspi = " \
+	${libdir}/*.so.1 \
+	${libdir}/*.so.1.2.0 \
+	"
+FILES_libtspi-dbg = " \
+	${libdir}/.debug \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tspi \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trspi \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/*.h \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/tss \
+	"
+FILES_libtspi-dev = " \
+	${includedir} \
+	${libdir}/*.so \
+	"
+FILES_libtspi-doc = " \
+	${mandir}/man3 \
+	"
+FILES_libtspi-staticdev = " \
+	${libdir}/*.la \
+	${libdir}/*.a \
+	"
+FILES_${PN} = " \
+	${sbindir}/tcsd \
+	${sysconfdir} \
+	${localstatedir} \
+	"
+
+FILES_${PN}-dev += "${libdir}/trousers"
+
+FILES_${PN}-dbg = " \
+	${sbindir}/.debug \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcs \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tcsd \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/tddl \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/trousers \
+	${prefix}/src/debug/${PN}/${PV}-${PR}/git/src/include/trousers \
+	"
+FILES_${PN}-doc = " \
+	${mandir}/man5 \
+	${mandir}/man8 \
+	"
+
+INITSCRIPT_NAME = "trousers"
+INITSCRIPT_PARAMS = "start 99 2 3 4 5 . stop 19 0 1 6 ."
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "--system tss"
+USERADD_PARAM_${PN} = "--system -M -d /var/lib/tpm -s /bin/false -g tss tss"
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "tcsd.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+BBCLASSEXTEND = "native"
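Review bot: `CONFFILES_${PN} += "${sysconfig}/tcsd.conf"` references `${sysconfig}`, which is not a bitbake variable (the correct one is `${sysconfdir}`), so it expands to `/tcsd.conf` and the daemon's real configuration file is never registered as a conffile, meaning a package upgrade silently overwrites any locally edited access-control settings in /etc/tcsd.conf; change it to `CONFFILES_${PN} += "${sysconfdir}/tcsd.conf"`. The recipe also enables the service by default for sysvinit via INITSCRIPT_PARAMS but sets `SYSTEMD_AUTO_ENABLE = "disable"`, so the two init systems ship with opposite defaults for a daemon that has network-listening options; the intended default should be stated in a comment and applied to both. As with the other git recipes, `git://git.code.sf.net/p/trousers/trousers` could carry `;protocol=https` so the pinned SRCREV is fetched over an authenticated transport.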
diff --git a/import-layers/meta-security/recipes-browers/tor/tor_6.5.2.bb b/import-layers/meta-security/recipes-browers/tor/tor_6.5.2.bb
new file mode 100644
index 0000000..1e3a812
--- /dev/null
+++ b/import-layers/meta-security/recipes-browers/tor/tor_6.5.2.bb
@@ -0,0 +1,7 @@
+SUMMARY = "Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security."
+
+HOMEPAGE = "https://www.torproject.org/"
+
+LICENSE = "GPV-v2"
+
+SRC_URI = "https://github.com/TheTorProject/gettorbrowser/archive/v6.5.2.tar.gz"
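Review bot: The SRC_URI tarball has no `SRC_URI[sha256sum]` (or md5sum) entry and there is no `LIC_FILES_CHKSUM`, so nothing pins what is fetched from GitHub for a tool whose whole purpose is user privacy; bitbake will refuse the fetch under the default strict checksum policy, and with it relaxed the build accepts whatever the URL returns. Add `SRC_URI[sha256sum] = "<digest of the v6.5.2 archive>"` and a matching `LIC_FILES_CHKSUM` (the values have to be taken from the archive itself, I cannot supply them from here). `LICENSE = "GPV-v2"` is not a recognised identifier, and the recipe defines no `S`, no do_install and no FILES, so as written it packages nothing; the summary also describes Tor itself while the archive is the gettorbrowser project, so the description or the source should be reconciled.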
diff --git a/import-layers/meta-security/recipes-core/busybox/busybox/head.cfg b/import-layers/meta-security/recipes-core/busybox/busybox/head.cfg
new file mode 100644
index 0000000..16017ea
--- /dev/null
+++ b/import-layers/meta-security/recipes-core/busybox/busybox/head.cfg
@@ -0,0 +1 @@
+CONFIG_FEATURE_FANCY_HEAD=y
diff --git a/import-layers/meta-security/recipes-core/busybox/busybox_%.bbappend b/import-layers/meta-security/recipes-core/busybox/busybox_%.bbappend
new file mode 100644
index 0000000..8bb0706
--- /dev/null
+++ b/import-layers/meta-security/recipes-core/busybox/busybox_%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "file://head.cfg"
diff --git a/import-layers/meta-security/recipes-forensic/afflib/afflib_3.6.6.bb b/import-layers/meta-security/recipes-forensic/afflib/afflib_3.6.6.bb
new file mode 100644
index 0000000..a826d1d
--- /dev/null
+++ b/import-layers/meta-security/recipes-forensic/afflib/afflib_3.6.6.bb
@@ -0,0 +1,30 @@
+SUMMARY = "The Advanced Forensic Format (AFF) is on-disk format for storing computer forensic information."
+HOMEPAGE = "http://www.afflib.org/"
+LICENSE = " BSD-4-Clause  & CPL-1.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d1b2c6d0d6908f45d143ef6380727828"
+
+DEPENDS = " zlib ncurses readline openssl libgcrypt"
+
+SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/a/${BPN}/${BPN}_${PV}.orig.tar.gz;name=orig \
+        http://archive.ubuntu.com/ubuntu/pool/universe/a/${BPN}/${BPN}_${PV}-1.1.diff.gz;name=dpatch \
+        file://configure_rm_ms_flags.patch \
+        "
+
+SRC_URI[orig.md5sum] = "b7ff4d2945882018eb1536cad182ad01"
+SRC_URI[orig.sha256sum] = "19cacfd558dc00e11975e820e3c4383b52aabbd5ca081d27bb7994a035d2f4ad"
+SRC_URI[dpatch.md5sum] = "171e871024545b487589e6c85290576f"
+SRC_URI[dpatch.sha256sum] = "db632e254ee51a1e4328cd4449d414eff4795053d4e36bfa8e0020fcb4085cdd"
+
+inherit autotools-brokensep pkgconfig
+
+CPPFLAGS = "-I${STAGING_INCDIR}"
+LDFLAGS = "-L${STAGING_LIBDIR}"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[curl] = "--with-curl=${STAGING_LIBDIR}, --without-curl, curl"
+PACKAGECONFIG[expat] = "--with-expat=${STAGING_LIBDIR}, --without-expat, expat"
+PACKAGECONFIG[fuse] = "--enable-fuse=yes, --enable-fuse=no, fuse"
+PACKAGECONFIG[python] = "--enable-python=yes, --enable-python=no, python"
+
+EXTRA_OECONF += "--enable-s3=no CPPFLAGS=-I${STAGING_INCDIR} LDFLAGS=-L${STAGING_LIBDIR}"
+EXTRA_OEMAKE += "CPPFLAGS='${CPPFLAGS}' LDFLAGS='-L${STAGING_LIBDIR} -I${STAGING_INCDIR}'"
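Review bot: `LDFLAGS = "-L${STAGING_LIBDIR}"` (and `CPPFLAGS = ...`) use plain assignment at recipe scope, which discards the distro-provided TARGET_LDFLAGS/CPPFLAGS; those typically carry `-Wl,--hash-style=gnu` and the security hardening link flags, so the resulting binaries lose them silently. Append instead, `LDFLAGS_append = " -L${STAGING_LIBDIR}"` and `CPPFLAGS_append = " -I${STAGING_INCDIR}"`, and drop the duplicated `CPPFLAGS=... LDFLAGS=...` from EXTRA_OECONF. In EXTRA_OEMAKE the `-I${STAGING_INCDIR}` is passed inside `LDFLAGS=`, where it is at best ignored; it belongs in CPPFLAGS.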
diff --git a/import-layers/meta-security/recipes-forensic/afflib/files/configure_rm_ms_flags.patch b/import-layers/meta-security/recipes-forensic/afflib/files/configure_rm_ms_flags.patch
new file mode 100644
index 0000000..ac33500
--- /dev/null
+++ b/import-layers/meta-security/recipes-forensic/afflib/files/configure_rm_ms_flags.patch
@@ -0,0 +1,18 @@
+Upstream-Status: Inappropriate [configuration]
+
+remove ms lib options when cross compiling
+
+Signed-Off-By: Armin Kuster <akuster808@gmail.com>
+
+Index: configure.ac
+===================================================================
+--- a.orig/configure.ac
++++ a/configure.ac
+@@ -47,7 +47,6 @@ if test x"${cross_compiling}" = "xno" ;
+   AC_MSG_NOTICE([ LDFLAGS = ${LDFLAGS} ])
+ else
+   AC_MSG_NOTICE([Cross Compiling --- will not update CPPFALGS or LDFLAGS with /usr/local, /opt/local or /sw])
+-  LIBS="$LIBS -lws2_32 -lgdi32"
+ fi
+ 
+ if test -r /bin/uname.exe ; then
diff --git a/import-layers/meta-security/recipes-forensic/libewf/files/gcc5_fix.patch b/import-layers/meta-security/recipes-forensic/libewf/files/gcc5_fix.patch
new file mode 100644
index 0000000..0881f25
--- /dev/null
+++ b/import-layers/meta-security/recipes-forensic/libewf/files/gcc5_fix.patch
@@ -0,0 +1,22 @@
+Upstream Status: pending
+
+Don't use inline with gcc 5.0
+
+fixes:
+undefined reference to `libuna_unicode_character_size_to_utf8'
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: libuna/libuna_inline.h
+===================================================================
+--- a/libuna/libuna_inline.h
++++ b/libuna/libuna_inline.h
+@@ -27,7 +27,7 @@
+ #if defined( _MSC_VER )
+ #define LIBUNA_INLINE _inline
+ 
+-#elif defined( __BORLANDC__ ) || defined( __clang__ )
++#elif defined( __BORLANDC__ ) || defined( __clang__ ) || ( __GNUC__ > 4 )
+ #define LIBUNA_INLINE /* inline */
+ 
+ #else
diff --git a/import-layers/meta-security/recipes-forensic/libewf/libewf_20140608.bb b/import-layers/meta-security/recipes-forensic/libewf/libewf_20140608.bb
new file mode 100644
index 0000000..f7dce12
--- /dev/null
+++ b/import-layers/meta-security/recipes-forensic/libewf/libewf_20140608.bb
@@ -0,0 +1,24 @@
+SUMMARY = "library with support for Expert Witness Compression Format"
+LICENSE = "LGPLv3+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=58c39b26c0549f8e1bb4122173f474cd"
+
+DEPENDS = "virtual/gettext libtool"
+
+SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/libe/${BPN}/${BPN}_${PV}.orig.tar.gz;name=orig \
+        file://gcc5_fix.patch \
+        "
+SRC_URI[orig.md5sum] = "fdf615f23937fad8e02b60b9e3e5fb35"
+SRC_URI[orig.sha256sum] = "d14030ce6122727935fbd676d0876808da1e112721f3cb108564a4d9bf73da71"
+
+inherit autotools-brokensep pkgconfig gettext
+
+PACKAGECONFIG ??= "zlib ssl bz2"
+PACKAGECONFIG[zlib] = "--with-zlib, --without-zlib, zlib, zlib"
+PACKAGECONFIG[bz2] = "--with-bzip2, --without-bzip2, bzip2, bzip2"
+PACKAGECONFIG[ssl] = "--with-openssl, --without-openssl, openssl, openssl"
+PACKAGECONFIG[fuse] = "--with-libfuse, --without-libfuse, fuse"
+PACKAGECONFIG[python] = "--enable-python, --disable-python, python"
+
+EXTRA_OECONF += "--with-gnu-ld --disable-rpath"
+
+RDEPENDS_${PN} += " util-linux-libuuid"
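Review bot: `RDEPENDS_${PN} += " util-linux-libuuid"` declares a runtime dependency on libuuid, but `DEPENDS = "virtual/gettext libtool"` does not build-depend on util-linux, so if libewf's configure probes for libuuid (presumably, given the RDEPENDS) the result depends on what happens to be in the sysroot from other recipes and the build is not reproducible; add `DEPENDS += "util-linux"` so the link is deterministic. A short comment on the RDEPENDS line saying which feature needs libuuid would make the pairing obvious to the next maintainer.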
diff --git a/import-layers/meta-security/recipes-forensic/sleuth/files/fix_host_poison.patch b/import-layers/meta-security/recipes-forensic/sleuth/files/fix_host_poison.patch
new file mode 100644
index 0000000..03b1fb9
--- /dev/null
+++ b/import-layers/meta-security/recipes-forensic/sleuth/files/fix_host_poison.patch
@@ -0,0 +1,23 @@
+Upstream-Status: Inappropriate [configuration]
+
+Don't use host include or lib paths in *FLAGS
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: configure.ac
+===================================================================
+--- a/configure.ac
++++ b/configure.ac
+@@ -84,12 +84,6 @@ AX_PTHREAD([
+     LDFLAGS="$LDFLAGS $PTHREAD_CFLAGS"
+     CC="$PTHREAD_CC"],[])
+ 
+-dnl Not all compilers include /usr/local in the include and link path
+-if test -d /usr/local/include; then
+-    CPPFLAGS="$CPPFLAGS -I/usr/local/include"
+-    LDFLAGS="$LDFLAGS -L/usr/local/lib"
+-fi
+-
+ dnl Add enable/disable option
+ AC_ARG_ENABLE([java],
+     [AS_HELP_STRING([--disable-java], [Do not build the java bindings or jar file])])
diff --git a/import-layers/meta-security/recipes-forensic/sleuth/sleuthkit_4.1.3.bb b/import-layers/meta-security/recipes-forensic/sleuth/sleuthkit_4.1.3.bb
new file mode 100644
index 0000000..ba335f3
--- /dev/null
+++ b/import-layers/meta-security/recipes-forensic/sleuth/sleuthkit_4.1.3.bb
@@ -0,0 +1,31 @@
+SUMMARY = "The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate disk images."
+HOMEPAGE = "http://www.sleuthkit.org/sleuthkit/"
+LICENSE = "IPL-1.0 & GPLv2 & CPL-1.0"
+LIC_FILES_CHKSUM = "file://licenses/GNU-COPYING;startline=4;endline=5;md5=475b4784903850b579dc6e6310bd5f08\
+    file://licenses/IBM-LICENSE;startline=1;endline=2;md5=1fc3300388b0d6e6216825dd89c2e3a2\
+    file://licenses/cpl1.0.txt;startline=1;endline=2;md5=9e58c878202c73a4e3ed4be72598fb92"
+
+DEPENDS = "libtool"
+
+SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/s/${BPN}/${BPN}_${PV}.orig.tar.gz;name=orig \
+            file://fix_host_poison.patch \
+        "
+SRC_URI[orig.md5sum] = "139a12f06952d8a40bbe07884994cf5d"
+SRC_URI[orig.sha256sum] = "67f9d2a31a8884d58698d6122fc1a1bfa9bf238582bde2b49228ec9b899f0327"
+
+inherit autotools-brokensep pkgconfig gettext
+
+PACKAGECONFIG ??= "aff zlib ewf"
+PACKAGECONFIG[aff] = "--with-afflib=${STAGING_DIR_HOST}/usr, --without-afflib, afflib"
+PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_DIR_HOST}/usr, --without-zlib, zlib"
+PACKAGECONFIG[ewf] = "--with-libewf=${STAGING_DIR_HOST}/usr, --without-libewf, libewf"
+
+#--with-gnu-ld
+EXTRA_OECONF += "--enable-static=no --disable-java LIBS='-L${STAGING_LIBDIR}' LDFLAGS='-L${STAGING_LIBDIR}' CPPFLAGS='-I${STAGING_INCDIR}'"
+
+# Avoid QA Issue: No GNU_HASH in the elf binary
+INSANE_SKIP_${PN} = "ldflags" 
+
+FILES_${PN} += " ${datadir}/tsk"
+
+RDEPENDS_${PN} += " perl"
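Review bot: `INSANE_SKIP_${PN} = "ldflags"` silences the "No GNU_HASH" QA error, but that error is the symptom of `LDFLAGS='-L${STAGING_LIBDIR}'` in EXTRA_OECONF replacing the distro LDFLAGS (which carry `-Wl,--hash-style=gnu` and typically the hardening link flags), so the skip hides binaries built without those flags rather than fixing them. Pass the distro flags through, `LDFLAGS='${LDFLAGS} -L${STAGING_LIBDIR}' CPPFLAGS='${CPPFLAGS} -I${STAGING_INCDIR}'`, and remove the INSANE_SKIP line; the QA check should then pass on its own. The commented-out `#--with-gnu-ld` and the stray `LIBS='-L...'` (LIBS is for -l entries, not search paths) look like leftovers and deserve either a reason or removal.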
diff --git a/import-layers/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg b/import-layers/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg
new file mode 100644
index 0000000..1dc4168
--- /dev/null
+++ b/import-layers/meta-security/recipes-kernel/linux/linux-yocto/apparmor.cfg
@@ -0,0 +1,13 @@
+CONFIG_AUDIT=y
+CONFIG_AUDITSYSCALL=y
+CONFIG_AUDIT_WATCH=y
+CONFIG_AUDIT_TREE=y
+# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
+CONFIG_SECURITY_PATH=y
+# CONFIG_SECURITY_SELINUX is not set
+CONFIG_SECURITY_APPARMOR=y
+CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
+CONFIG_SECURITY_APPARMOR_HASH=y
+CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
+CONFIG_INTEGRITY_AUDIT=y
+# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
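Review bot: The fragment builds AppArmor in but leaves `# CONFIG_DEFAULT_SECURITY_APPARMOR is not set`, so on a 4.x kernel (one major LSM selected by CONFIG_DEFAULT_SECURITY) AppArmor is compiled but inactive unless the kernel command line carries `security=apparmor`; `CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1` only matters once AppArmor is the selected LSM. The smack fragments in the same series do set the default (`CONFIG_DEFAULT_SECURITY="smack"`), so either add `CONFIG_DEFAULT_SECURITY="apparmor"` and `CONFIG_DEFAULT_SECURITY_APPARMOR=y` here, or add a comment stating that the boot parameter is required and where the layer sets it. A comment noting that `CONFIG_SECURITY=y` and `CONFIG_SECURITY_NETWORK` are expected from the base config would also help, since this fragment does not enable them itself.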
diff --git a/import-layers/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg b/import-layers/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg
new file mode 100644
index 0000000..b5c4845
--- /dev/null
+++ b/import-layers/meta-security/recipes-kernel/linux/linux-yocto/smack-default-lsm.cfg
@@ -0,0 +1,2 @@
+CONFIG_DEFAULT_SECURITY="smack"
+CONFIG_DEFAULT_SECURITY_SMACK=y
diff --git a/import-layers/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg b/import-layers/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg
new file mode 100644
index 0000000..62f465a
--- /dev/null
+++ b/import-layers/meta-security/recipes-kernel/linux/linux-yocto/smack.cfg
@@ -0,0 +1,8 @@
+CONFIG_IP_NF_SECURITY=m
+CONFIG_IP6_NF_SECURITY=m
+CONFIG_EXT2_FS_SECURITY=y
+CONFIG_EXT3_FS_SECURITY=y
+CONFIG_EXT4_FS_SECURITY=y
+CONFIG_SECURITY=y
+CONFIG_SECURITY_SMACK=y
+CONFIG_TMPFS_XATTR=y
diff --git a/import-layers/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend b/import-layers/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend
new file mode 100644
index 0000000..067be8f
--- /dev/null
+++ b/import-layers/meta-security/recipes-kernel/linux/linux-yocto_4.%.bbappend
@@ -0,0 +1,10 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+SRC_URI += "\
+        ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', ' file://apparmor.cfg', '', d)} \
+"
+
+SRC_URI += "\
+        ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack.cfg', '', d)} \
+        ${@bb.utils.contains('DISTRO_FEATURES', 'smack', ' file://smack-default-lsm.cfg', '', d)} \
+"
diff --git a/import-layers/meta-security/recipes-perl/perl/files/libwhisker2.patch b/import-layers/meta-security/recipes-perl/perl/files/libwhisker2.patch
new file mode 100644
index 0000000..c066366
--- /dev/null
+++ b/import-layers/meta-security/recipes-perl/perl/files/libwhisker2.patch
@@ -0,0 +1,73 @@
+From 34698c7f561fb575293a1c991a71e1b4ddc5ae73 Mon Sep 17 00:00:00 2001
+From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+Date: Fri, 5 Jul 2013 11:56:58 +0300
+Subject: [PATCH] Mandir and perl install dir were overwritten with faulty
+ information in the Makefile. Now the Mandir and perl
+ install dir are sent via paramters from the recipe.
+
+Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+---
+ Makefile.pl |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/Makefile.pl b/Makefile.pl
+index 9ca5602..8776e18 100644
+--- a/Makefile.pl
++++ b/Makefile.pl
+@@ -131,6 +131,8 @@ foreach (keys %MODULES){
+ 
+ # adjust DESTDIR, if needed
+ $DESTDIR = $ENV{DESTDIR} if(defined $ENV{DESTDIR});
++$MANDIR = $ENV{MANDIR} if(defined $ENV{MANDIR});
++$INSTALLDIR = $ENV{INSTALLDIR} if(defined $ENV{INSTALLDIR});
+ 
+ # parse command line build options
+ while($COMMAND = shift @ARGV){
+@@ -171,7 +173,7 @@ sub command_install_pod {
+ 	command_build() if(!-e $TARGET);
+ 	die("Can not install without Config.pm") if($MODULES{Config}==0);
+ 	$CWD=&cwd if($MODULES{Cwd}>0);
+-	my $where=$DESTDIR . $Config{'man3direxp'};
++	my $where=$DESTDIR . $MANDIR;
+ 	my $t = $TARGET;
+ 	if($LIBRARY){
+ 		$t="$PACKAGE.3pm";
+@@ -219,7 +221,7 @@ sub command_install_pod {
+ sub command_uninstall_pod {
+ 	die("Can not uninstall without Config.pm") if($MODULES{Config}==0);
+ 	$CWD=&cwd if($MODULES{Cwd}>0);
+-	my $where=$DESTDIR . $Config{'man3direxp'};
++	my $where=$DESTDIR . $MANDIR;
+ 	my $t = $TARGET;
+ 	if($LIBRARY){
+ 		$t="$PACKAGE.3pm";
+@@ -243,7 +245,7 @@ sub command_install_library {
+ 	command_build() if(!-e $TARGET);
+ 	die("Can not install without Config.pm") if($MODULES{Config}==0);
+ 	$CWD=&cwd if($MODULES{Cwd}>0);
+-	my $where=$DESTDIR . $Config{'installsitelib'};
++	my $where=$DESTDIR . $INSTALLDIR;
+ 	if(!-e $where){
+ 	  print STDOUT "WARNING!\n\n",
+ 		"The local perl site directory does not exist:\n",
+@@ -271,7 +273,7 @@ sub command_install_library {
+ sub command_uninstall_library {
+ 	die("Can not uninstall without Config.pm") if($MODULES{Config}==0);
+ 	$CWD=&cwd if($MODULES{Cwd}>0);
+-	my $where=$DESTDIR . $Config{'installsitelib'};
++	my $where=$DESTDIR . $INSTALLDIR;
+ 	chdir($where);
+ 	if(-e $TARGET){
+ 		unlink $TARGET;
+@@ -401,7 +403,7 @@ sub command_socket_diag {
+ sub command_install_compat {
+ 	die("Can not install without Config.pm") if($MODULES{Config}==0);
+ 	$CWD=&cwd if($MODULES{Cwd}>0);
+-	my $where=$DESTDIR . $Config{'installsitelib'};
++	my $where=$DESTDIR . $INSTALLDIR;
+ 	if(!-e $where){
+ 	  print STDOUT "WARNING!\n\n",
+ 		"The local perl site directory does not exist:\n",
+-- 
+1.7.9.5
+
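Review bot: The patch replaces `$Config{'man3direxp'}` and `$Config{'installsitelib'}` with `$MANDIR`/`$INSTALLDIR`, but only assigns those when the environment variables are present, so a build without MANDIR/INSTALLDIR set now computes `$where = $DESTDIR . undef` and installs into the DESTDIR root instead of the perl site directory; keep the Config values as the fallback, `$MANDIR = defined $ENV{MANDIR} ? $ENV{MANDIR} : $Config{'man3direxp'};` and `$INSTALLDIR = defined $ENV{INSTALLDIR} ? $ENV{INSTALLDIR} : $Config{'installsitelib'};`. Neither variable is declared with `my`/`our` in the hunk; if Makefile.pl runs under `use strict` (not visible here) that is a compile error, and the declarations should sit next to `$DESTDIR`'s. Since an environment variable now decides the install path, a one-line comment that MANDIR/INSTALLDIR are build-time overrides from the recipe would make the trust boundary explicit.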
diff --git a/import-layers/meta-security/recipes-perl/perl/lib-perl_0.63.bb b/import-layers/meta-security/recipes-perl/perl/lib-perl_0.63.bb
new file mode 100644
index 0000000..7895864
--- /dev/null
+++ b/import-layers/meta-security/recipes-perl/perl/lib-perl_0.63.bb
@@ -0,0 +1,28 @@
+DESCRIPTION = "This is a small simple module which simplifies the \
+manipulation of @INC at compile time. It is typically used to add extra \
+directories to Perl's search path so that later 'use' or 'require' statements \
+will find modules which are not located in the default search path."
+
+SECTION = "libs"
+LICENSE = "Artistic-1.0 | GPL-1.0+"
+PR = "r0"
+
+LIC_FILES_CHKSUM = "file://README;beginline=26;endline=30;md5=94b119f1a7b8d611efc89b5d562a1a50"
+
+DEPENDS += "perl"
+
+SRC_URI = "http://www.cpan.org/authors/id/S/SM/SMUELLER/lib-${PV}.tar.gz"
+
+SRC_URI[md5sum] = "8607ac4e0d9d43585ec28312f52df67c"
+SRC_URI[sha256sum] = "72f63db9220098e834d7a38231626bd0c9b802c1ec54a628e2df35f3818e5a00"
+
+S = "${WORKDIR}/lib-${PV}"
+
+EXTRA_CPANFLAGS = "EXPATLIBPATH=${STAGING_LIBDIR} EXPATINCPATH=${STAGING_INCDIR}"
+
+inherit cpan
+
+do_compile() {
+	export LIBC="$(find ${STAGING_DIR_TARGET}/${base_libdir}/ -name 'libc-*.so')"
+	cpan_do_compile
+}
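Review bot: `EXTRA_CPANFLAGS = "EXPATLIBPATH=... EXPATINCPATH=..."` and the `export LIBC=$(find ... libc-*.so)` in do_compile look copy-pasted from an XML::Parser-style recipe; the `lib` module manipulates @INC only and presumably has no expat or libc lookup in its Makefile.PL, so these lines add a silent dependency on sysroot contents for no effect. Drop both and let the plain `cpan` class drive the build, or add a comment explaining which part of lib-0.63's build actually consumes them. `PR = "r0"` is the default and can go as well.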
diff --git a/import-layers/meta-security/recipes-perl/perl/libenv-perl_1.04.bb b/import-layers/meta-security/recipes-perl/perl/libenv-perl_1.04.bb
new file mode 100644
index 0000000..dd8e115
--- /dev/null
+++ b/import-layers/meta-security/recipes-perl/perl/libenv-perl_1.04.bb
@@ -0,0 +1,21 @@
+SUMMARY = "Perl module that imports environment variables as scalars or arrays"
+DESCRIPTION = "Perl maintains environment variables in a special hash named %ENV. \
+For when this access method is inconvenient, the Perl module Env allows environment \
+variables to be treated as scalar or array variables."
+
+HOMEPAGE = "http://search.cpan.org/~flora/Env/"
+SECTION = "libs"
+LICENSE = "Artistic-1.0 | GPL-1.0+"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=76c1cbf18db56b3340d91cb947943bd3"
+
+SRC_URI = "http://search.cpan.org/CPAN/authors/id/F/FL/FLORA/Env-${PV}.tar.gz"
+
+SRC_URI[md5sum] = "fdba5c0690e66972c96fee112cf5f25c"
+SRC_URI[sha256sum] = "d94a3d412df246afdc31a2199cbd8ae915167a3f4684f7b7014ce1200251ebb0"
+
+S = "${WORKDIR}/Env-${PV}"
+
+inherit cpan
+
+BBCLASSEXTEND = "native"
diff --git a/import-layers/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb b/import-layers/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb
new file mode 100644
index 0000000..d9af430
--- /dev/null
+++ b/import-layers/meta-security/recipes-perl/perl/libwhisker2-perl_2.5.bb
@@ -0,0 +1,27 @@
+DESCRIPTION = "Libwhisker is a Perl module geared specificly for HTTP testing."
+
+SECTION = "libs"
+LICENSE = "Artistic-1.0 | GPL-1.0+"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=254b8e29606fce6d1c1a4c9e32354573"
+
+SRC_URI = "http://sourceforge.net/projects/whisker/files/libwhisker/${PV}/libwhisker2-${PV}.tar.gz \
+           file://libwhisker2.patch"
+
+SRC_URI[md5sum] = "7cc1718dddde8f9a439d5622ae2f37eb"
+SRC_URI[sha256sum] = "f45a1cf2ad2637b29dd1b13d7221ea12e3923ea09d107ced446400f19070a42f"
+
+S = "${WORKDIR}/libwhisker2-2.5"
+
+inherit cpan-base
+
+PACKAGEGROUP ??=""
+PACKAGEGROUP[ssl] = ", , libnet-ssleay-perl, libnet-ssleay-perl"
+
+do_install() {
+    install -d 755 ${D}${PERLLIBDIRS}/vendor_perl/${PERLVERSION}
+    install -d 755 ${D}${datadir}/perl/${PERLVERSION}
+    oe_runmake install DESTDIR=${D} INSTALLDIR=${PERLLIBDIRS}/vendor_perl/${PERLVERSION} MANDIR=${datadir}/perl/${PERLVERSION}
+}
+
+BBCLASSEXTEND = "native"
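Review bot: `install -d 755 ${D}${PERLLIBDIRS}/...` and `install -d 755 ${D}${datadir}/...` are missing `-m`, so `755` is taken as a directory name and a stray `755` directory is created in the build cwd while the intended directories get the umask default; write `install -d -m 755 ${D}${PERLLIBDIRS}/vendor_perl/${PERLVERSION}` and `install -d -m 755 ${D}${datadir}/perl/${PERLVERSION}`. `PACKAGEGROUP ??=""` / `PACKAGEGROUP[ssl]` is not a recognised mechanism (the variable is `PACKAGECONFIG`), so the `libnet-ssleay-perl` runtime dependency is never pulled in and HTTPS testing in libwhisker silently degrades; rename both lines to `PACKAGECONFIG`. `S = "${WORKDIR}/libwhisker2-2.5"` hard-codes the version that `${PV}` already carries.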
diff --git a/import-layers/meta-security/recipes-security/AppArmor/apparmor_2.11.0.bb b/import-layers/meta-security/recipes-security/AppArmor/apparmor_2.11.0.bb
new file mode 100644
index 0000000..fc9b614
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/AppArmor/apparmor_2.11.0.bb
@@ -0,0 +1,159 @@
+SUMMARY = "AppArmor another MAC control system"
+DESCRIPTION = "user-space parser utility for AppArmor \
+ This provides the system initialization scripts needed to use the \
+ AppArmor Mandatory Access Control system, including the AppArmor Parser \
+ which is required to convert AppArmor text profiles into machine-readable \
+ policies that are loaded into the kernel for use with the AppArmor Linux \
+ Security Module."
+HOMEAPAGE = "http://apparmor.net/"
+SECTION = "admin"
+
+LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
+
+DEPENDS = "bison-native apr gettext-native coreutils-native"
+
+SRC_URI = " \
+	http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \
+	file://disable_perl_h_check.patch \
+	file://crosscompile_perl_bindings.patch \
+	file://apparmor.rc \
+	file://functions \
+	file://apparmor \
+	file://apparmor.service \
+        file://run-ptest \
+	"
+
+SRC_URI[md5sum] = "899fd834dc5c8ebf2d52b97e4a174af7"
+SRC_URI[sha256sum] = "b1c489ea11e7771b8e6b181532cafbf9ebe6603e3cb00e2558f21b7a5bdd739a"
+
+PARALLEL_MAKE = ""
+
+inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan
+inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
+
+S = "${WORKDIR}/apparmor-${PV}"
+
+PACKAGECONFIG ?="man python perl"
+PACKAGECONFIG[man] = "--enable-man-pages, --disable-man-pages"
+PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native"
+PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native"
+PACKAGECONFIG[apache2] = ",,apache2,"
+
+PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}"
+HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}"
+
+
+python() {
+    if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
+	'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
+        raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
+}
+
+CONFIGUREOPTS_remove = "--disable-static"
+EXTRA_OECONF_append = " --enable-static"
+
+do_configure() {
+	cd ${S}/libraries/libapparmor
+	aclocal
+	autoconf --force
+	libtoolize --automake -c --force
+	automake -ac
+	./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+	sed -i -e 's#^YACC.*#YACC := bison#' ${S}/parser/Makefile
+	sed -i -e 's#^LEX.*#LEX := flex#' ${S}/parser/Makefile
+}
+
+do_compile () {
+	oe_runmake -C ${B}/libraries/libapparmor
+        oe_runmake -C ${B}/binutils
+        oe_runmake -C ${B}/utils
+        oe_runmake -C ${B}/parser
+        oe_runmake -C ${B}/profiles
+
+	if test -z "${HTTPD}" ; then
+        	oe_runmake -C ${B}/changehat/mod_apparmor
+	fi	
+
+	if test -z "${PAMLIB}" ; then
+        	oe_runmake -C ${B}/changehat/pam_apparmor
+	fi
+}
+
+do_install () {
+	install -d ${D}/${INIT_D_DIR}
+	install -d ${D}/lib/apparmor
+		
+	oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
+	oe_runmake -C ${B}/binutils DESTDIR="${D}" install
+	oe_runmake -C ${B}/utils DESTDIR="${D}" install
+	oe_runmake -C ${B}/parser DESTDIR="${D}" install
+	oe_runmake -C ${B}/profiles DESTDIR="${D}" install
+
+	if test -z "${HTTPD}" ; then
+		oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
+	fi
+
+	if test -z "${PAMLIB}" ; then
+		oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
+	fi
+
+	# aa-easyprof is installed by python-tools-setup.py, fix it up
+	sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
+	chmod 0755 ${D}${bindir}/aa-easyprof
+
+	install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
+	install ${WORKDIR}/functions ${D}/lib/apparmor
+	if [ "${VIRTUAL-RUNTIME_init_manager}" = "systemd" ]; then
+		install -d ${D}${systemd_system_unitdir}
+		install ${WORKDIR}/apparmor.service \
+			${D}${systemd_system_unitdir}
+	fi
+}
+
+do_compile_ptest () {
+        oe_runmake -C ${B}/tests/regression/apparmor
+        oe_runmake -C ${B}/parser/tst
+        oe_runmake -C ${B}/libraries/libapparmor
+}
+
+do_install_ptest () {
+	t=${D}/${PTEST_PATH}/testsuite
+	install -d ${t}
+	install -d ${t}/tests/regression/apparmor
+	cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
+
+	install -d ${t}/parser/tst
+	cp -rf ${B}/parser/tst ${t}/parser
+	cp ${B}/parser/apparmor_parser ${t}/parser
+	cp ${B}/parser/frob_slack_rc ${t}/parser
+
+	install -d ${t}/libraries/libapparmor
+	cp -rf ${B}/libraries/libapparmor ${t}/libraries
+
+	install -d ${t}/common
+	cp -rf ${B}/common ${t}
+
+	install -d ${t}/binutils
+	cp -rf ${B}/binutils ${t}
+}
+
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "apparmor"
+INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE_${PN} = "apparmor.service"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'mod-${PN}', '', d)}"
+
+FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
+FILES_mod-${PN} = "${libdir}/apache2/modules/*"
+
+ALLOW_EMPTY_${PN} = "1"
+
+RDEPENDS_${PN} += "bash lsb"
+RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}"
+RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
+RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib"
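Review bot: The `test -z "${HTTPD}"` and `test -z "${PAMLIB}"` guards in do_compile and do_install can never be true, because PAMLIB and HTTPD are set to the strings `'1'` or `'0'` (both non-empty), so mod_apparmor and pam_apparmor are silently never built or installed even when the pam distro feature or the apache2 PACKAGECONFIG is enabled — the `mod-${PN}` package declared below will always be empty. Replace the four guards with `if [ "${HTTPD}" = "1" ]; then` and `if [ "${PAMLIB}" = "1" ]; then`. Two smaller issues in the same hunk: `HOMEAPAGE` is a typo for `HOMEPAGE`, and `RDEPENDS_${PN}_remove += ...` mixes the `_remove` override with `+=`, which is not how BitBake removal works; `RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','perl','perl','', d)}"` expresses the intent directly. Note also that `SYSTEMD_AUTO_ENABLE = "disable"` leaves the MAC system off by default on systemd images, which is worth a comment so integrators know they must enable apparmor.service explicitly.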
diff --git a/import-layers/meta-security/recipes-security/AppArmor/files/apparmor b/import-layers/meta-security/recipes-security/AppArmor/files/apparmor
new file mode 100644
index 0000000..ac3ab9a
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/AppArmor/files/apparmor
@@ -0,0 +1,227 @@
+#!/bin/sh
+# ----------------------------------------------------------------------
+#    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+#     NOVELL (All rights reserved)
+#    Copyright (c) 2008, 2009 Canonical, Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+# Authors:
+#  Steve Beattie <steve.beattie@canonical.com>
+#  Kees Cook <kees@ubuntu.com>
+#
+# /etc/init.d/apparmor
+#
+### BEGIN INIT INFO
+# Provides: apparmor
+# Required-Start: $local_fs
+# Required-Stop: umountfs
+# Default-Start: S
+# Default-Stop:
+# Short-Description: AppArmor initialization
+# Description: AppArmor init script. This script loads all AppArmor profiles.
+### END INIT INFO
+
+log_daemon_msg() {
+    echo $*
+}
+
+log_end_msg () {
+    retval=$1
+    if [ $retval -eq 0 ]; then
+        echo "."
+    else
+        echo " failed!"
+    fi
+    return $retval
+}
+
+. /lib/apparmor/functions
+. /lib/lsb/init-functions
+
+usage() {
+    echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
+}
+
+test -x ${PARSER} || exit 0 # by debian policy
+# LSM is built-in, so it is either there or not enabled for this boot
+test -d /sys/module/apparmor || exit 0
+
+securityfs() {
+	# Need securityfs for any mode
+	if [ ! -d "${AA_SFS}" ]; then
+		if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
+			log_daemon_msg "AppArmor not available as kernel LSM."
+			log_end_msg 1
+			exit 1
+		else
+			log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
+			if ! mount -t securityfs none "${SECURITYFS}"; then
+				log_end_msg 1
+				exit 1
+			fi
+		fi
+	fi
+	if [ ! -w "$AA_SFS"/.load ]; then
+		log_daemon_msg "Insufficient privileges to change profiles."
+		log_end_msg 1
+		exit 1
+	fi
+}
+
+handle_system_policy_package_updates() {
+	apparmor_was_updated=0
+
+	if ! compare_previous_version ; then
+		# On snappy flavors, if the current and previous versions are
+		# different then clear the system cache. snappy will handle
+		# "$PROFILES_CACHE_VAR" itself (on Touch flavors
+		# compare_previous_version always returns '0' since snappy
+		# isn't available).
+		clear_cache_system
+		apparmor_was_updated=1
+	elif ! compare_and_save_debsums apparmor ; then
+		# If the system policy has been updated since the last time we
+		# ran, clear the cache to prevent potentially stale binary
+		# cache files after an Ubuntu image based upgrade (LP:
+		# #1350673). This can be removed once all system image flavors
+		# move to snappy (on snappy systems compare_and_save_debsums
+		# always returns '0' since /var/lib/dpkg doesn't exist).
+		clear_cache
+		apparmor_was_updated=1
+	fi
+
+	if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
+		# If packages for system policy that affect click packages have
+		# been updated since the last time we ran, run aa-clickhook -f
+                force_clickhook=0
+                force_profile_hook=0
+                if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
+                        force_clickhook=1
+                fi
+                if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
+                        force_clickhook=1
+                fi
+                if ! compare_and_save_debsums click-apparmor ; then
+                        force_clickhook=1
+                        force_profile_hook=1
+                fi
+                if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+                        aa-clickhook -f
+                fi
+                if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+                        aa-profile-hook -f
+                fi
+	fi
+}
+
+# Allow "recache" even when running on the liveCD
+if [ "$1" = "recache" ]; then
+	log_daemon_msg "Recaching AppArmor profiles"
+	recache_profiles
+	rc=$?
+	log_end_msg "$rc"
+	exit $rc
+fi
+
+# do not perform start/stop/reload actions when running from liveCD
+test -d /rofs/etc/apparmor.d && exit 0
+
+rc=255
+case "$1" in
+	start)
+		if test -x /sbin/systemd-detect-virt && \
+		   systemd-detect-virt --quiet --container && \
+		   ! is_container_with_internal_policy; then
+			log_daemon_msg "Not starting AppArmor in container"
+			log_end_msg 0
+			exit 0
+		fi
+		log_daemon_msg "Starting AppArmor profiles"
+		securityfs
+		# That is only useful for click, snappy and system images,
+		# i.e. not in Debian. And it reads and writes to /var, that
+		# can be remote-mounted, so it would prevent us from using
+		# Before=sysinit.target without possibly introducing dependency
+		# loops.
+		handle_system_policy_package_updates
+		load_configured_profiles
+		rc=$?
+		log_end_msg "$rc"
+		;;
+	stop)
+		log_daemon_msg "Clearing AppArmor profiles cache"
+		clear_cache
+		rc=$?
+		log_end_msg "$rc"
+		cat >&2 <<EOM
+All profile caches have been cleared, but no profiles have been unloaded.
+Unloading profiles will leave already running processes permanently
+unconfined, which can lead to unexpected situations.
+
+To set a process to complain mode, use the command line tool
+'aa-complain'. To really tear down all profiles, run the init script
+with the 'teardown' option."
+EOM
+		;;
+	teardown)
+		if test -x /sbin/systemd-detect-virt && \
+		   systemd-detect-virt --quiet --container && \
+		   ! is_container_with_internal_policy; then
+			log_daemon_msg "Not tearing down AppArmor in container"
+			log_end_msg 0
+			exit 0
+		fi
+		log_daemon_msg "Unloading AppArmor profiles"
+		securityfs
+		running_profile_names | while read profile; do
+			if ! unload_profile "$profile" ; then
+				log_end_msg 1
+				exit 1
+			fi
+		done
+		rc=0
+		log_end_msg $rc
+		;;
+	restart|reload|force-reload)
+		if test -x /sbin/systemd-detect-virt && \
+		   systemd-detect-virt --quiet --container && \
+		   ! is_container_with_internal_policy; then
+			log_daemon_msg "Not reloading AppArmor in container"
+			log_end_msg 0
+			exit 0
+		fi
+		log_daemon_msg "Reloading AppArmor profiles"
+		securityfs
+		clear_cache
+		load_configured_profiles
+		rc=$?
+		unload_obsolete_profiles
+
+		log_end_msg "$rc"
+		;;
+	status)
+		securityfs
+		if [ -x /usr/sbin/aa-status ]; then
+			aa-status --verbose
+		else
+			cat "$AA_SFS"/profiles
+		fi
+		rc=$?
+		;;
+	*)
+		usage
+		rc=1
+		;;
+	esac
+exit $rc
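Review bot: The script exits 0 silently when `${PARSER}` is missing or `/sys/module/apparmor` is absent (the two early `exit 0` lines after the sourcing), so a boot with no AppArmor confinement at all is indistinguishable from a successful profile load for the init system and for anyone reading the console; at minimum log before leaving, e.g. `test -x ${PARSER} || { log_daemon_msg "AppArmor parser ${PARSER} missing, no profiles loaded"; log_end_msg 0; exit 0; }` and the same for the LSM check. The local `log_daemon_msg`/`log_end_msg` definitions are overridden when `/lib/lsb/init-functions` is sourced afterwards, so they only act as fallbacks if the sourcing fails. Two cosmetic points: `usage()` omits the `teardown` action that the case statement accepts, and the heredoc in the `stop` branch ends with a stray `"` after `option.` that is printed verbatim to stderr.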
diff --git a/import-layers/meta-security/recipes-security/AppArmor/files/apparmor.rc b/import-layers/meta-security/recipes-security/AppArmor/files/apparmor.rc
new file mode 100644
index 0000000..1507d7b
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/AppArmor/files/apparmor.rc
@@ -0,0 +1,98 @@
+description "Pre-cache and pre-load apparmor profiles"
+author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>"
+
+task
+
+start on starting rc-sysinit
+
+script
+    [ -d /rofs/etc/apparmor.d ]  && exit 0 # do not load on liveCD
+    [ -d /sys/module/apparmor ]  || exit 0 # do not load without AppArmor
+    [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
+
+    . /lib/apparmor/functions
+
+    systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
+
+    # Need securityfs for any mode
+    if [ ! -d /sys/kernel/security/apparmor ]; then
+        if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then
+            exit 0
+        else
+            mount -t securityfs none /sys/kernel/security || exit 0
+        fi
+    fi
+
+    [ -w /sys/kernel/security/apparmor/.load ] || exit 0
+
+    apparmor_was_updated=0
+    if ! compare_previous_version ; then
+        # On snappy flavors, if the current and previous versions are
+        # different then clear the system cache. snappy will handle
+        # "$PROFILES_CACHE_VAR" itself  (on Touch flavors
+        # compare_previous_version  always returns '0' since snappy
+        # isn't available).
+        clear_cache_system
+        apparmor_was_updated=1
+    elif ! compare_and_save_debsums apparmor ; then
+        # If the system policy has been updated since the last time we
+        # ran, clear the cache to prevent potentially stale binary
+        # cache files after an Ubuntu image based upgrade (LP:
+        # #1350673). This can be removed once all system image flavors
+        # move to snappy (on snappy systems compare_and_save_debsums
+        # always returns '0' since /var/lib/dpkg doesn't exist).
+        clear_cache
+        apparmor_was_updated=1
+    fi
+
+    if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
+        # If packages for system policy that affect click packages have
+        # been updated since the last time we ran, run aa-clickhook -f
+        force_clickhook=0
+        force_profile_hook=0
+        if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
+            force_clickhook=1
+        fi
+        if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
+            force_clickhook=1
+        fi
+        if ! compare_and_save_debsums click-apparmor ; then
+            force_clickhook=1
+            force_profile_hook=1
+        fi
+        if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+            aa-clickhook -f
+        fi
+        if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
+            aa-profile-hook -f
+        fi
+    fi
+
+    if [ "$ACTION" = "teardown" ]; then
+        running_profile_names | while read profile; do
+            unload_profile "$profile"
+        done
+        exit 0
+    fi
+
+    if [ "$ACTION" = "clear" ]; then
+        clear_cache
+        exit 0
+    fi
+
+    if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
+        clear_cache
+        load_configured_profiles
+	unload_obsolete_profiles
+        exit 0
+    fi
+
+    # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above,
+    # aa-clickhook will have already compiled the policy, generated the cache
+    # files and loaded them into the kernel by this point, so reloading click
+    # policy from cache, while fairly fast (<2 seconds for 250 profiles on
+    # armhf), is redundant. Fixing this would complicate the logic quite a bit
+    # and it wouldn't improve the (by far) common case (ie, when
+    # 'aa-clickhook -f' is not run).
+    load_configured_profiles
+end script
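Review bot: This Upstart job appears to be dead weight in this layer: it is listed in the recipe's SRC_URI earlier in this diff, but the recipe's do_install never installs it, and it references `$ACTION` without that variable being set anywhere in the file. It also duplicates the logic of the sysvinit script and `functions` (securityfs mount, debsum comparison, click hooks), so the two will drift; either drop it from SRC_URI and the layer or add an `# Unused on OE: Ubuntu Upstart job kept for reference only` header so nobody mistakes it for live boot code. As in the init script, every failure path here is a silent `exit 0`, so a missing parser or an unmounted securityfs leaves the system unconfined without a message.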
diff --git a/import-layers/meta-security/recipes-security/AppArmor/files/apparmor.service b/import-layers/meta-security/recipes-security/AppArmor/files/apparmor.service
new file mode 100644
index 0000000..e66afe4
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/AppArmor/files/apparmor.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=AppArmor initialization
+After=local-fs.target
+Before=sysinit.target
+AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
+ConditionSecurity=apparmor
+DefaultDependencies=no
+Documentation=man:apparmor(7)
+Documentation=http://wiki.apparmor.net/
+
+# Don't start this unit on the Ubuntu Live CD
+ConditionPathExists=!/rofs/etc/apparmor.d
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/etc/init.d/apparmor start
+ExecStop=/etc/init.d/apparmor stop
+ExecReload=/etc/init.d/apparmor reload
+
+[Install]
+WantedBy=sysinit.target
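Review bot: The unit orders itself only `After=local-fs.target` with `DefaultDependencies=no`, yet `ExecStart` runs the sysvinit script's `start` path, which reads and writes `/var/lib/apparmor` and `/var/cache/apparmor` (see `handle_system_policy_package_updates` and the cache helpers in `functions`); on an image where `/var` is a separate or remote mount those paths may not be up yet, which the init script's own comment calls out as the reason `Before=sysinit.target` is risky. If the image keeps `/var` local, a comment saying so (`# /var must be on the root fs: profile cache handling runs before sysinit.target`) would save the next integrator the investigation; otherwise consider `RequiresMountsFor=/etc/apparmor.d /var/lib/apparmor /var/cache/apparmor`. Note too that the recipe sets `SYSTEMD_AUTO_ENABLE = "disable"`, so the `WantedBy=sysinit.target` line has no effect until the unit is enabled explicitly.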
diff --git a/import-layers/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch b/import-layers/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch
new file mode 100644
index 0000000..ef55de7
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch
@@ -0,0 +1,25 @@
+Upstream-Status: Inappropriate [configuration]
+
+As we're cross-compiling here we need to override CC/LD that MakeMaker has
+stuck in the generated Makefile with our cross tools.  In this case, linking is
+done via the compiler rather than the linker directly so pass in CC not LD
+here.
+
+Signed-Off-By: Tom Rini <trini@konsulko.com>
+
+--- a/libraries/libapparmor/swig/perl/Makefile.am.orig	2017-06-13 19:04:43.296676212 -0400
++++ b/libraries/libapparmor/swig/perl/Makefile.am	2017-06-13 19:05:03.488676693 -0400
+@@ -16,11 +16,11 @@
+ 
+ LibAppArmor.so: libapparmor_wrap.c Makefile.perl
+ 	if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
+-	$(MAKE) -fMakefile.perl
++	$(MAKE) -fMakefile.perl CC='$(CC)' LD='$(CC)'
+ 	if test $(top_srcdir) != $(top_builddir) ; then rm -f libapparmor_wrap.c ; fi
+ 
+ install-exec-local: Makefile.perl
+-	$(MAKE) -fMakefile.perl install_vendor
++	$(MAKE) -fMakefile.perl install_vendor CC='$(CC)' LD='$(CC)'
+ 
+ # sadly there is no make uninstall for perl
+ #uninstall-local: Makefile.perl
diff --git a/import-layers/meta-security/recipes-security/AppArmor/files/disable_pdf.patch b/import-layers/meta-security/recipes-security/AppArmor/files/disable_pdf.patch
new file mode 100644
index 0000000..c6b4bdd
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/AppArmor/files/disable_pdf.patch
@@ -0,0 +1,33 @@
+Index: apparmor-2.10.95/parser/Makefile
+===================================================================
+--- apparmor-2.10.95.orig/parser/Makefile
++++ apparmor-2.10.95/parser/Makefile
+@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT
+ po/${NAME}.pot: ${SRCS} ${HDRS}
+ 	$(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
+ 
+-techdoc.pdf: techdoc.tex
+-	timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\
+-	while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \
+-		grep -q "Label(s) may have changed" techdoc.log; \
+-	do :; done
+-
+-techdoc/index.html: techdoc.pdf
+-	latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT}
+-
+-techdoc.txt: techdoc/index.html
+-	w3m -dump $< > $@
+ 
+ # targets arranged this way so that people who don't want full docs can
+ # pick specific targets they want.
+@@ -159,9 +148,7 @@ manpages:	$(MANPAGES)
+ 
+ htmlmanpages:	$(HTMLMANPAGES)
+ 
+-pdf:	techdoc.pdf
+-
+-docs:	manpages htmlmanpages pdf
++docs:	manpages htmlmanpages 
+ 
+ indep: docs
+ 	$(Q)$(MAKE) -C po all
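Review bot: This patch is not referenced by the apparmor recipe's SRC_URI earlier in this diff and targets `apparmor-2.10.95` while the recipe builds 2.11.0, so it is an orphaned file that will silently rot; either wire it in (it removes the pdflatex/latex2html dependency from the `docs` target, which is plausibly wanted for cross builds) or delete it. It also lacks the `Upstream-Status:` and `Signed-off-by:` header that the other patches in this layer carry; add `Upstream-Status: Inappropriate [configuration]` at the top so the patch's provenance and intent are auditable.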
diff --git a/import-layers/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch b/import-layers/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch
new file mode 100644
index 0000000..cf2640f
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch
@@ -0,0 +1,19 @@
+Upstream-Status: Inappropriate [configuration]
+
+Remove file check for $perl_includedir/perl.h.  AC_CHECK_FILE will fail on
+cross compilation.  Rather than try and get a compile check to work here,
+we know that we have what's required via our metadata so remove only this
+check.
+
+Signed-Off-By: Tom Rini <trini@konsulko.com>
+
+--- a/libraries/libapparmor/configure.ac.orig	2017-06-13 16:41:38.668471495 -0400
++++ b/libraries/libapparmor/configure.ac	2017-06-13 16:41:40.708471543 -0400
+@@ -58,7 +58,6 @@
+    AC_PATH_PROG(PERL, perl)
+    test -z "$PERL" && AC_MSG_ERROR([perl is required when enabling perl bindings])
+    perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE"
+-   AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no)
+ fi
+ 
+ 
diff --git a/import-layers/meta-security/recipes-security/AppArmor/files/functions b/import-layers/meta-security/recipes-security/AppArmor/files/functions
new file mode 100644
index 0000000..cef8cfe
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/AppArmor/files/functions
@@ -0,0 +1,271 @@
+# /lib/apparmor/functions for Debian -*- shell-script -*-
+# ----------------------------------------------------------------------
+#    Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
+#     NOVELL (All rights reserved)
+#    Copyright (c) 2008-2010 Canonical, Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, contact Novell, Inc.
+# ----------------------------------------------------------------------
+# Authors:
+#  Kees Cook <kees@ubuntu.com>
+
+PROFILES="/etc/apparmor.d"
+PROFILES_CACHE="$PROFILES/cache"
+PROFILES_VAR="/var/lib/apparmor/profiles"
+PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles"
+PROFILES_CACHE_VAR="/var/cache/apparmor"
+PARSER="/sbin/apparmor_parser"
+SECURITYFS="/sys/kernel/security"
+export AA_SFS="$SECURITYFS/apparmor"
+
+# Suppress warnings when booting in quiet mode
+quiet_arg=""
+[ "${QUIET:-no}" = yes ] && quiet_arg="-q"
+[ "${quiet:-n}" = y ] && quiet_arg="-q"
+
+foreach_configured_profile() {
+	rc_all="0"
+	for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do
+		if [ ! -d "$pdir" ]; then
+			continue
+		fi
+		num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l`
+		if [ "$num" = "0" ]; then
+			continue
+		fi
+
+		cache_dir="$PROFILES_CACHE"
+		if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
+			cache_dir="$PROFILES_CACHE_VAR"
+		fi
+		cache_args="--cache-loc=$cache_dir"
+		if [ ! -d "$cache_dir" ]; then
+			cache_args=
+		fi
+
+		# LP: #1383858 - expr tree simplification is too slow for
+		# Touch policy on ARM, so disable it for now
+		cache_extra_args=
+		if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
+			cache_extra_args="-O no-expr-simplify"
+		fi
+
+		# If need to compile everything, then use -n1 with xargs to
+		# take advantage of -P. When cache files are in use, omit -n1
+		# since it is considerably faster on moderately sized profile
+		# sets to give the parser all the profiles to load at once
+		n1_args=
+		num=`find "$cache_dir" -type f ! -name '.features' | wc -l`
+		if [ "$num" = "0" ]; then
+			n1_args="-n1"
+		fi
+
+		(ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
+		while read profile; do
+			if [ -f "$pdir"/"$profile" ]; then
+				echo "$pdir"/"$profile"
+			fi
+		done) | \
+		xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
+			rc_all="$?"
+			# FIXME: when the parser properly handles broken
+			# profiles (LP: #1377338), remove this if statement.
+			# For now, if the xargs returns with error, just run
+			# through everything with -n1. (This could be broken
+			# out and refactored, but this is temporary so make it
+			# easy to understand and revert)
+			if [ "$rc_all" != "0" ]; then
+				(ls -1 "$pdir" | \
+				egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
+				while read profile; do
+					if [ -f "$pdir"/"$profile" ]; then
+						echo "$pdir"/"$profile"
+					fi
+				done) | \
+				xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
+					rc_all="$?"
+				}
+			fi
+		}
+	done
+	return $rc_all
+}
+
+load_configured_profiles() {
+	clear_cache_if_outdated
+	foreach_configured_profile $quiet_arg --write-cache --replace
+}
+
+load_configured_profiles_without_caching() {
+	foreach_configured_profile $quiet_arg --replace
+}
+
+recache_profiles() {
+	clear_cache
+	foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load
+}
+
+configured_profile_names() {
+	foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//'
+}
+
+running_profile_names() {
+	# Output a sorted list of loaded profiles, skipping libvirt's
+	# dynamically generated files
+	cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//'
+}
+
+unload_profile() {
+	echo -n "$1" > "$AA_SFS"/.remove
+}
+
+clear_cache() {
+	clear_cache_system
+	clear_cache_var
+}
+
+clear_cache_system() {
+	find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
+}
+
+clear_cache_var() {
+	find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
+}
+
+read_features_dir()
+{
+	for f in `ls -AU "$1"` ; do
+		if [ -f "$1/$f" ] ; then
+			read -r KF < "$1/$f" || true
+			echo -n "$f {$KF } "
+		elif [ -d "$1/$f" ] ; then
+			echo -n "$f {"
+			KF=`read_features_dir "$1/$f"` || true
+			echo -n "$KF} "
+		fi
+	done
+}
+
+clear_cache_if_outdated() {
+	if [ -r "$PROFILES_CACHE"/.features ]; then
+		if [ -d "$AA_SFS"/features ]; then
+			KERN_FEATURES=`read_features_dir "$AA_SFS"/features`
+		else
+			read -r KERN_FEATURES < "$AA_SFS"/features
+		fi
+		CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features`
+		if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then
+			clear_cache
+		fi
+	fi
+}
+
+unload_obsolete_profiles() {
+	# Currently we must re-parse all the profiles to get policy names.  :(
+	aa_configured=$(mktemp -t aa-XXXXXX)
+	configured_profile_names > "$aa_configured" || true
+	aa_loaded=$(mktemp -t aa-XXXXXX)
+	running_profile_names > "$aa_loaded" || true
+	LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
+		unload_profile "$profile"
+        done
+	rm -f "$aa_configured" "$aa_loaded"
+}
+
+# If the system debsum differs from the saved debsum, the new system debsum is
+# saved and non-zero is returned. Returns 0 if the two debsums matched or if
+# the system debsum file does not exist. This can be removed when system image
+# flavors all move to snappy.
+compare_and_save_debsums() {
+	pkg="$1"
+
+	if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then
+		sums="/var/lib/dpkg/info/${pkg}.md5sums"
+		# store saved md5sums in /var/lib/apparmor/profiles since
+		# /var/cache/apparmor might be cleared by apparmor
+		saved_sums="${PROFILES_VAR}/.${pkg}.md5sums"
+
+		if [ -f "$sums" ] && \
+		   ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then
+			cp -f "$sums" "$saved_sums"
+			return 1
+		fi
+	fi
+
+	return 0
+}
+
+compare_previous_version() {
+	installed="/usr/share/snappy/security-policy-version"
+	previous="/var/lib/snappy/security-policy-version"
+
+	# When just $previous doesn't exist, assume this is a new system with
+	# no cache and don't do anything special.
+	if [ -f "$installed" ] && [ -f "$previous" ]; then
+		pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2`
+		iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2`
+		if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then
+			# snappy updates $previous elsewhere, so just return
+			return 1
+		fi
+	fi
+
+	return 0
+}
+
+# Checks to see if the current container is capable of having internal AppArmor
+# profiles that should be loaded. Callers of this function should have already
+# verified that they're running inside of a container environment with
+# something like `systemd-detect-virt --container`.
+#
+# The only known container environments capable of supporting internal policy
+# are LXD and LXC environment.
+#
+# Returns 0 if the container environment is capable of having its own internal
+# policy and non-zero otherwise.
+#
+# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
+# system container technology being nested inside of a LXD/LXC container that
+# utilized an AppArmor namespace and profile stacking. The reason 0 will be
+# returned is because .ns_stacked will be "yes" and .ns_name will still match
+# "lx[dc]-*" since the nested system container technology will not have set up
+# a new AppArmor profile namespace. This will result in the nested system
+# container's boot process to experience failed policy loads but the boot
+# process should continue without any loss of functionality. This is an
+# unsupported configuration that cannot be properly handled by this function.
+is_container_with_internal_policy() {
+	local ns_stacked_path="${AA_SFS}/.ns_stacked"
+	local ns_name_path="${AA_SFS}/.ns_name"
+	local ns_stacked
+	local ns_name
+
+	if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
+		return 1
+	fi
+
+	read -r ns_stacked < "$ns_stacked_path"
+	if [ "$ns_stacked" != "yes" ]; then
+		return 1
+	fi
+
+	# LXD and LXC set up AppArmor namespaces starting with "lxd-" and
+	# "lxc-", respectively. Return non-zero for all other namespace
+	# identifiers.
+	read -r ns_name < "$ns_name_path"
+	if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
+	   [ "${ns_name#lxc-*}" = "$ns_name" ]; then
+		return 1
+	fi
+
+	return 0
+}
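Review bot: The condition `[ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]`, used twice in `foreach_configured_profile`, parses as `(A && B) || C`, so for the snappy directory `cache_dir` and `-O no-expr-simplify` are selected regardless of whether `$PROFILES_CACHE_VAR` exists, and the later `find "$cache_dir"` then errors on a missing path; group it as `[ -d "$PROFILES_CACHE_VAR" ] && { [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; }`. In `compare_and_save_debsums`, `[ -n $pkg ]` is unquoted, so an empty argument collapses to `[ -n ]`, which is true; quote it as `[ -n "$pkg" ]`. From a policy-integrity standpoint it is worth a comment that every regular file under `/etc/apparmor.d`, `/var/lib/apparmor/profiles` and `/var/lib/snapd/apparmor/profiles` is compiled and loaded with `--replace` at boot, so the ownership and mode of those directories (especially the `/var` ones, which exist for Ubuntu click/snappy and may be unused on this layer) are part of the trusted computing base.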
diff --git a/import-layers/meta-security/recipes-security/AppArmor/files/run-ptest b/import-layers/meta-security/recipes-security/AppArmor/files/run-ptest
new file mode 100644
index 0000000..3b8e427
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/AppArmor/files/run-ptest
@@ -0,0 +1,4 @@
+#! /bin/sh
+cd testsuite
+
+make -C  tests/regression/apparmor tests
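Review bot: `cd testsuite` is unchecked, so if the directory is missing the `make` on the next line runs in the ptest root and fails with a confusing error; write `cd testsuite || exit 1`. The regression suite exercises the live LSM, so a one-line comment that it must run as root on a kernel booted with AppArmor enabled (`# needs root and an AppArmor-enabled kernel; see tests/regression/apparmor`) would help anyone reading ptest failures, though I am inferring the requirement from what the tests do rather than from this file.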
diff --git a/import-layers/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.2.bb b/import-layers/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.2.bb
new file mode 100644
index 0000000..4df072e
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/aircrack-ng/aircrack-ng_1.2.bb
@@ -0,0 +1,37 @@
+SUMMARY = "Aircrack-ng is a set of tools for auditing wireless networks"
+DESCRIPTION = "Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools."
+SECTION = "security"
+LICENSE = "GPL-2.0"
+
+LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=1fbd81241fe252ec0f5658a521ab7dd8"
+
+DEPENDS = "libnl openssl sqlite3 libpcre libpcap"
+RC = "rc2"
+SRC_URI = "http://download.aircrack-ng.org/${BP}-${RC}.tar.gz \
+            file://fixup_cflags.patch"
+
+SRC_URI[md5sum] = "ebe9d537f06f4d6956213af09c4476da"
+SRC_URI[sha256sum] = "ba5b3eda44254efc5b7c9f776eb756f7cc323ad5d0813c101e92edb483d157e9"
+
+inherit autotools-brokensep pkgconfig
+
+S = "${WORKDIR}/${BP}-rc2"
+
+PACKAGECONFIG ?= ""
+CFLAGS += " -I${S}/src/include"
+
+OEMAKE_EXTRA = "sqlite=true experimental=true pcre=true \
+                prefix=${prefix} \
+                "
+
+do_compile () {
+    make ${OEMAKE_EXTRA} TOOL_PREFIX=${TARGET_SYS}-
+}
+
+do_install () {
+    make DESTDIR=${D} ${OEMAKE_EXTRA} ext_scripts=true install
+}
+
+FILES_${PN} += "/usr/local/"
+
+RDEPENDS_${PN} = "libpcap"
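Review bot: `S = "${WORKDIR}/${BP}-rc2"` hard-codes the release candidate that the line above already names in `RC`, so bumping `RC` without touching `S` silently points the build at a directory that no longer exists; use `S = "${WORKDIR}/${BP}-${RC}"`. The `do_compile` and `do_install` tasks call bare `make` rather than `oe_runmake`, which presumably means `EXTRA_OEMAKE` and `PARALLEL_MAKE` are not honoured for this recipe — worth confirming, as the surrounding bitbake recipes in this layer are likely to rely on that. The tarball is fetched over plain http, which is acceptable here only because `SRC_URI[sha256sum]` pins the content; a comment noting that the checksums are the integrity control would make that intent explicit.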
diff --git a/import-layers/meta-security/recipes-security/aircrack-ng/files/fixup_cflags.patch b/import-layers/meta-security/recipes-security/aircrack-ng/files/fixup_cflags.patch
new file mode 100644
index 0000000..e13dd24
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/aircrack-ng/files/fixup_cflags.patch
@@ -0,0 +1,28 @@
+Upstream Status: Iinappropriate
+
+Issues do to build env.
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: aircrack-ng-1.2-rc2/src/Makefile
+===================================================================
+--- aircrack-ng-1.2-rc2.orig/src/Makefile
++++ aircrack-ng-1.2-rc2/src/Makefile
+@@ -3,8 +3,6 @@ include $(AC_ROOT)/common.mak
+ 
+ TEST_DIR	= $(AC_ROOT)/test
+ 
+-CFLAGS		+= -Iinclude
+-
+ iCC             = $(shell find /opt/intel/cc/*/bin/icc)
+ iCFLAGS         = -w -mcpu=pentiumpro -march=pentiumpro $(COMMON_CFLAGS)
+ iOPTFLAGS       = -O3 -ip -ipo -D_FILE_OFFSET_BITS=64
+@@ -102,7 +100,7 @@ endif
+ 
+ 
+ ifeq ($(subst TRUE,true,$(filter TRUE true,$(sqlite) $(SQLITE))),true)
+-	LIBSQL		= -L/usr/local/lib -lsqlite3
++	LIBSQL		= -lsqlite3
+ else
+ 	LIBSQL		=
+ endif
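Review bot: The header line `Upstream Status: Iinappropriate` misspells both halves of the tag; the convention the layer's other patches and the usual patch-checking tooling look for is the hyphenated `Upstream-Status: Inappropriate [reason]`, so this patch would presumably be reported as missing its status. Replace it with `Upstream-Status: Inappropriate [configuration]` and fix the next line to `Issues due to build env.`, ideally saying what those issues are: the dropped `-Iinclude` is replaced by the recipe's `CFLAGS += -I${S}/src/include`, and dropping `-L/usr/local/lib` keeps the cross build from linking against host libraries.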
diff --git a/import-layers/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/import-layers/meta-security/recipes-security/bastille/bastille_3.2.1.bb
new file mode 100644
index 0000000..eee1a38
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/bastille_3.2.1.bb
@@ -0,0 +1,157 @@
+#The functionality of Bastille that is actually available is restricted. Please
+#consult the README file for the meta-security layer for additional information.
+SUMMARY = "Linux hardening tool"
+DESCRIPTION = "Bastille Linux is a Hardening and Reporting/Auditing Program which enhances the security of a Linux box, by configuring daemons, system settings and firewalling."
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b"
+# Bash is needed for set +o privileged (check busybox), might also need ncurses
+DEPENDS = "virtual/kernel"
+RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils"
+FILES_${PN} += "/run/lock/subsys/bastille"
+
+inherit allarch module-base
+
+SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \
+           file://AccountPermission.pm \
+           file://FileContent.pm \
+           file://HPSpecific.pm \
+           file://Miscellaneous.pm \
+           file://ServiceAdmin.pm \
+           file://config \
+           file://fix_version_parse.patch \
+           file://fixed_defined_warnings.patch \
+           file://call_output_config.patch \
+           file://fix_missing_use_directives.patch \
+           file://fix_number_of_modules.patch \
+           file://remove_questions_text_file_references.patch \
+           file://simplify_B_place.patch \
+           file://find_existing_config.patch \
+           file://upgrade_options_processing.patch \
+           file://accept_os_flag_in_backend.patch \
+           file://allow_os_with_assess.patch \
+           file://edit_usage_message.patch \
+           file://organize_distro_discovery.patch \
+           file://do_not_apply_config.patch \
+           "
+
+SRC_URI[md5sum] = "df803f7e38085aa5da79f85d0539f91b"
+SRC_URI[sha256sum] = "0ea25191b1dc1c8f91e1b6f8cb5436a3aa1e57418809ef902293448efed5021a"
+
+S = "${WORKDIR}/Bastille"
+
+do_install () {
+	install -d ${D}${sbindir}
+	install -d ${D}${libdir}/perl/site_perl/Curses
+	ln -sf perl ${D}/${libdir}/perl5
+
+	install -d ${D}${libdir}/Bastille
+	install -d ${D}${libdir}/Bastille/API
+	install -d ${D}${datadir}/Bastille
+	install -d ${D}${datadir}/Bastille/OSMap
+	install -d ${D}${datadir}/Bastille/OSMap/Modules
+	install -d ${D}${datadir}/Bastille/Questions
+	install -d ${D}${datadir}/Bastille/FKL/configs/
+	install -d ${D}${localstatedir}/lock/subsys/bastille
+	install -d ${D}${localstatedir}/log/Bastille
+	install -d ${D}${sysconfdir}/Bastille
+	install -m 0755 AutomatedBastille  ${D}${sbindir}
+	install -m 0755 BastilleBackEnd    ${D}${sbindir}
+	install -m 0755 InteractiveBastille    ${D}${sbindir}
+	install -m 0644 Modules.txt    ${D}${datadir}/Bastille
+	# New Weights file(s).
+	install -m 0644 Weights.txt    ${D}${datadir}/Bastille
+	# Castle graphic
+	install -m 0644 bastille.jpg    ${D}${datadir}/Bastille/
+	# Javascript file
+	install -m 0644 wz_tooltip.js    ${D}${datadir}/Bastille/
+	install -m 0644 Credits    ${D}${datadir}/Bastille
+	install -m 0644 FKL/configs/fkl_config_redhat.cfg    ${D}${datadir}/Bastille/FKL/configs/
+	install -m 0755 RevertBastille    ${D}${sbindir}
+	install -m 0755 bin/bastille    ${D}${sbindir}
+	install -m 0644 bastille-firewall    ${D}${datadir}/Bastille
+	install -m 0644 bastille-firewall-reset    ${D}${datadir}/Bastille
+	install -m 0644 bastille-firewall-schedule    ${D}${datadir}/Bastille
+	install -m 0644 bastille-tmpdir-defense.sh    ${D}${datadir}/Bastille
+	install -m 0644 bastille-tmpdir.csh    ${D}${datadir}/Bastille
+	install -m 0644 bastille-tmpdir.sh    ${D}${datadir}/Bastille
+	install -m 0644 bastille-firewall.cfg    ${D}${datadir}/Bastille
+	install -m 0644 bastille-ipchains    ${D}${datadir}/Bastille
+	install -m 0644 bastille-netfilter    ${D}${datadir}/Bastille
+	install -m 0644 bastille-firewall-early.sh    ${D}${datadir}/Bastille
+	install -m 0644 bastille-firewall-pre-audit.sh    ${D}${datadir}/Bastille
+	install -m 0644 complete.xbm    ${D}${datadir}/Bastille
+	install -m 0644 incomplete.xbm    ${D}${datadir}/Bastille
+	install -m 0644 disabled.xpm    ${D}${datadir}/Bastille
+	install -m 0644 ifup-local    ${D}${datadir}/Bastille
+	install -m 0644 hosts.allow    ${D}${datadir}/Bastille
+
+	install -m 0644 Bastille/AccountSecurity.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/Apache.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/API.pm    ${D}${libdir}/Bastille
+	install -m 0644 ${WORKDIR}/AccountPermission.pm    ${D}${libdir}/Bastille/API
+	install -m 0644 ${WORKDIR}/FileContent.pm    ${D}${libdir}/Bastille/API
+	install -m 0644 ${WORKDIR}/HPSpecific.pm    ${D}${libdir}/Bastille/API
+	install -m 0644 ${WORKDIR}/ServiceAdmin.pm    ${D}${libdir}/Bastille/API
+	install -m 0644 ${WORKDIR}/Miscellaneous.pm    ${D}${libdir}/Bastille/API
+	install -m 0644 Bastille/BootSecurity.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/ConfigureMiscPAM.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/DisableUserTools.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/DNS.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/FilePermissions.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/FTP.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/Firewall.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/OSX_API.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/LogAPI.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/HP_UX.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/IOLoader.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/Patches.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/Logging.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/MiscellaneousDaemons.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/PatchDownload.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/Printing.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/PSAD.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/RemoteAccess.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/SecureInetd.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/Sendmail.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/TestDriver.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/TMPDIR.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/test_AccountSecurity.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/test_Apache.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/test_DNS.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/test_FTP.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/test_HP_UX.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/test_MiscellaneousDaemons.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/test_Patches.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/test_SecureInetd.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/test_Sendmail.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/test_BootSecurity.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/test_DisableUserTools.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/test_FilePermissions.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/test_Logging.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/test_Printing.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille/IPFilter.pm    ${D}${libdir}/Bastille
+	install -m 0644 Bastille_Curses.pm    ${D}${libdir}/perl5/site_perl
+	install -m 0644 Bastille_Tk.pm    ${D}${libdir}/perl5/site_perl
+	install -m 0644 Curses/Widgets.pm    ${D}${libdir}/perl5/site_perl/Curses
+
+	install -m 0644 OSMap/LINUX.bastille    ${D}${datadir}/Bastille/OSMap
+	install -m 0644 OSMap/LINUX.system    ${D}${datadir}/Bastille/OSMap
+	install -m 0644 OSMap/LINUX.service    ${D}${datadir}/Bastille/OSMap
+	install -m 0644 OSMap/HP-UX.bastille    ${D}${datadir}/Bastille/OSMap
+	install -m 0644 OSMap/HP-UX.system    ${D}${datadir}/Bastille/OSMap
+	install -m 0644 OSMap/HP-UX.service    ${D}${datadir}/Bastille/OSMap
+	install -m 0644 OSMap/OSX.bastille    ${D}${datadir}/Bastille/OSMap
+	install -m 0644 OSMap/OSX.system    ${D}${datadir}/Bastille/OSMap
+
+	install -m 0777 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config
+
+	for file in `cat Modules.txt` ; do
+		install -m 0644 Questions/$file.txt ${D}${datadir}/Bastille/Questions
+	done
+
+	${THISDIR}/files/set_required_questions.py ${D}${sysconfdir}/Bastille/config ${D}${datadir}/Bastille/Questions
+
+	ln -s RevertBastille ${D}${sbindir}/UndoBastille
+}
+
+FILES_${PN} += "${datadir}/Bastille ${libdir}/Bastille ${libdir}/perl* ${sysconfdir}/*"
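Review bot: `install -m 0777 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config` ships a world-writable file under `${sysconfdir}`; every other file in this `do_install` is 0644 or 0755, and this one is the saved answer set that the tool applies to the system (the usage text elsewhere in this commit describes `-b` as "use a saved config file to apply changes directly to system"), so any local user could rewrite the hardening configuration that root later applies. Change it to `install -m 0644 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config` (0600 if the answers are considered sensitive). Separately, `install -d ${D}${localstatedir}/lock/subsys/bastille` creates the lock directory under `${localstatedir}` while `FILES_${PN}` on the fourth line of the recipe lists `/run/lock/subsys/bastille`; unless `${localstatedir}/lock` resolves to `/run/lock` in this distro the two paths do not match and one of them is either unpackaged or packaged empty — worth confirming.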
diff --git a/import-layers/meta-security/recipes-security/bastille/files/API.pm b/import-layers/meta-security/recipes-security/bastille/files/API.pm
new file mode 100644
index 0000000..5060f52
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/API.pm
@@ -0,0 +1,2528 @@
+# Copyright (C) 1999-2007 Jay Beale
+# Copyright (C) 2001-2008 Hewlett-Packard Development Company, L.P.
+# Licensed under the GNU General Public License, version 2
+
+package Bastille::API;
+
+## TO DO:
+#
+#
+#   1) Look for more places to insert error handling...
+#
+#   2) Document this module more
+#
+#
+
+
+##########################################################################
+#
+# This module forms the basis for the v1.1 API.
+#
+ ##########################################################################
+
+#
+# This module forms the initial basis for the Bastille Engine, implemented
+# presently via a Perl API for Perl modules.
+#
+# This is still under construction -- it is very usable, but not very well
+# documented, yet.
+#
+
+##########################################################################
+#
+#                          API Function Listing
+#
+##########################################################################
+# The routines which should be called by Bastille modules are listed here,
+# though they are better documented throughout this file.
+#
+# Distro Specific Stuff:
+#
+#  &GetDistro     - figures out what distro we're running, if it knows it...
+#  &ConfigureForDistro - sets global variables based on the distro
+#  &GetGlobal - returns hash values defined in ConfigureForDistro
+#
+#  &getGlobalConfig - returns value of hash set up by ReadConfig
+#
+# Logging Specific Stuff has moved to LogAPI.pm:
+#
+#  &B_log(type,msg) -- takes care of all logging
+#
+#
+# Input functions for the old input method...
+#
+# File open/close/backup functions
+#
+#  &B_open     * -- opens a file handle and logs the action/error (OLD WAY!)
+#  &B_open_plus  -- opens a pair of file handles for the old and new version
+#                   of a file; respects logonly flag.  (NEW WAY)
+#  &B_close    * -- closes a file handle and logs the action/error (OLD WAY!)
+#  &B_close_plus -- closes a pair of file handles opened by B_open_plus,
+#                   backing up one file and renaming the new file to the
+#                   old one's name, logging actions/errors.  Respects the
+#                   logonly flag -- needs B_backup file.  Finally, sets
+#                   new file's mode,uid,gid to old file's...  (NEW WAY)
+#  &B_backup_file - backs up a file that is being changed/deleted into the
+#                   $GLOBAL_BDIR{"backup"} directory.
+#
+# Non-content file modification functions
+#
+#  &B_delete_file - deletes the named file, backing up a copy
+#  &B_create_file - creates the named file, if it doesn't exist
+#
+#  &B_symlink     	- create a symlink to a file, recording the revert rm
+#
+# More stuff
+#
+#  &B_createdir     - make a directory, if it doesn't exist, record revert rmdir
+#  &B_cp            - copy a file, respecting LOGONLY and revert func.
+#  &B_mknod         - wrap mknod with revert and logonly and prefix functionality
+#
+#  &B_read_sums     - reads sum.csv file and parses input into the GLOBAL_SUM hash
+#  &B_write_sums    - writes sum.csv file from GLOBAL_SUM hash
+#  &B_check_sum($)  - take a file name and compares the stored cksum with the current
+#                     cksum of said file
+#  &B_set_sum($)    - takes a file name and gets that files current cksum then sets
+#                     that sum in the GLOBAL_SUM hash
+#  &B_revert_log - create entry in shell script, executed later by bastille -r
+#  &showDisclaimer  - Print the disclaimer and wait for 5 minutes for acceptance
+###########################################################################
+# Note:  GLOBAL_VERBOSE
+#
+# All logging functions now check GLOBAL_VERBOSE and, if set, will print
+# all the information sent to log files to STDOUT/STDERR as well.
+#
+
+#
+# Note:  GLOBAL_LOGONLY
+#
+# All Bastille API functions now check for the existence of a GLOBAL_LOGONLY
+# variable.  When said variable is set, no function actually modifies the
+# system.
+#
+# Note:  GLOBAL_DEBUG
+#
+# The B_log("DEBUG",...) function now checks GLOBAL_DEBUG and, if set, it will
+# print all the information to a new debug-log file. If GLOBAL_VERBOSE is
+# set it might log to STDOUT/STDERR as well (not yet implemented, pending
+# discussion). Developers should populate appropriate places with &B_log(DEBUG)
+# in order to be able to tell users to use this options and send the logs
+# for inspection and debugging.
+#
+#
+
+
+# Libraries for the Backup_file routine: Cwd and File::Path
+use Cwd;
+use Bastille::OSX_API;
+use Bastille::LogAPI;
+use File::Path;
+use File::Basename;
+
+# Export the API functions listed below for use by the modules.
+
+use Exporter;
+@ISA = qw ( Exporter );
+@EXPORT = qw(
+    setOptions  GetDistro ConfigureForDistro B_log B_revert_log
+    SanitizeEnv
+    B_open B_close B_symlink StopLogging
+    B_open_plus B_close_plus
+    B_isFileinSumDB
+    B_create_file B_read_sums B_check_sum  B_set_sum isSumDifferent listModifiedFiles
+    B_create_dir B_create_log_file
+    B_delete_file
+    B_cp B_place B_mknod
+    showDisclaimer 
+    getSupportedOSHash 
+    B_Backtick
+    B_System
+    isProcessRunning
+    checkProcsForService
+    
+    
+    $GLOBAL_OS $GLOBAL_ACTUAL_OS $CLI
+    $GLOBAL_LOGONLY $GLOBAL_VERBOSE $GLOBAL_DEBUG $GLOBAL_AUDITONLY $GLOBAL_AUDIT_NO_BROWSER $errorFlag
+    %GLOBAL_BIN %GLOBAL_DIR %GLOBAL_FILE
+    %GLOBAL_BDIR %GLOBAL_BFILE
+    %GLOBAL_CONFIG %GLOBAL_SUM
+
+    %GLOBAL_SERVICE %GLOBAL_SERVTYPE %GLOBAL_PROCESS %GLOBAL_RC_CONFIG
+    %GLOBAL_TEST
+    
+    getGlobal setGlobal getGlobalConfig
+    
+    
+    B_parse_fstab
+    B_parse_mtab B_is_rpm_up_to_date 
+    
+    NOTSECURE_CAN_CHANGE SECURE_CANT_CHANGE  
+    NOT_INSTALLED  INCONSISTENT MANUAL NOTEST SECURE_CAN_CHANGE
+    STRING_NOT_DEFINED NOT_INSTALLED_NOTSECURE DONT_KNOW
+    RELEVANT_HEADERQ NOTRELEVANT_HEADERQ
+);
+
+
+
+######################################################
+###Testing Functions
+##################################################################
+
+#Define "Constants" for test functions.  Note these constants sometimes get
+#interpreted as literal strings when used as hash references, so you may
+# have to use CONSTANT() to disambiguate, like below.  Sorry, it was either
+# that or create even *more* global variables.
+# See TestDriver.pm for definitions, and test design doc for full explaination
+use constant {
+    NOTSECURE_CAN_CHANGE => 0,
+    SECURE_CANT_CHANGE     => 1,
+    NOT_INSTALLED => 2, # (where the lack makes the system secure, eg telnet)
+    INCONSISTENT => 3,
+    MANUAL => 4,
+    NOTEST => 5,
+    SECURE_CAN_CHANGE => 6,
+    STRING_NOT_DEFINED => 7,
+    NOT_INSTALLED_NOTSECURE => 8, #(Where the missing s/w makes the system less secure eg IPFilter)
+    #Intentional duplicates follow
+    DONT_KNOW => 5,
+    RELEVANT_HEADERQ => 6,
+    NOTRELEVANT_HEADERQ => 0
+};
+
+&SanitizeEnv;
+
+# Set up some common error messages.  These are independent of
+# operating system
+
+# These will allow us to line up the warnings and error messages
+my $err ="ERROR:  ";
+my $spc ="        ";
+my $GLOBAL_OS="None";
+my $GLOBAL_ACTUAL_OS="None";
+my %GLOBAL_SUMS=();
+my $CLI='';
+
+#OS independent Error Messages Follow, normally "bastille" script filters
+#options before interactive or Bastille runs, so this check is often redundant
+$GLOBAL_ERROR{"usage"}="\n".
+    "$spc Usage: bastille [ -b | -c | -x ] [ --os <version> ] [ -f <alternate config> ]\n".
+    "$spc        bastille [ -r | --assess | --assessnobowser ]\n\n".
+    "$spc --assess : check status of system and report in browser\n".
+    "$spc --assessnobrowser : check status of system and list report locations\n".
+    "$spc -b : use a saved config file to apply changes\n".
+    "$spc      directly to system\n".
+    "$spc -c : use the Curses (non-X11) TUI\n".
+    "$spc -f <alternate config>: populate answers with a different config file\n".
+    "$spc -r : revert all Bastille changes to-date\n".
+    "$spc -x : use the Perl/Tk (X11) GUI\n" .
+    "$spc --os <version> : ask all questions for the given operating system\n" .
+    "$spc                version.  e.g. --os RH6.0\n";
+
+# These options don't work universally, so it's best not to
+# document them here (yet).  Hopefully, we'll get them
+# straightened out soon.
+#"$spc --log : log-only option\n".
+#"$spc -v : verbose mode\n".
+#"$spc --debug : debug mode\n";
+
+
+##############################################################################
+#
+#  Directory structure for Bastille Linux v1.2 and up
+#
+##############################################################################
+#
+#  /usr/sbin/          -- location of Bastille binaries
+#  /usr/lib/Bastille   -- location of Bastille modules
+#  /usr/share/Bastille -- location of Bastille data files
+#  /etc/Bastille       -- location of Bastille config files
+#
+#  /var/log/Bastille      -- location of Bastille log files
+#  /var/log/Bastille/revert -- directory holding all Bastille-created revert scripts
+#  /var/log/Bastille/revert/backup -- directory holding the original files that
+#                                   Bastille modifies, with permissions intact
+#
+##############################################################################
+
+##############################################################################
+#
+#  Directory structure for HP-UX Bastille v2.0 and up
+#
+##############################################################################
+#
+#  /opt/sec_mgmt/bastille/bin/  -- location of Bastille binaries
+#  /opt/sec_mgmt/bastille/lib/  -- location of Bastille modules
+#  /etc/opt/sec_mgmt/bastille/  -- location of Bastille data and config files
+#
+#  /var/opt/sec_mgmt/bastille/log/   -- location of Bastille log files
+#  /var/opt/sec_mgmt/bastille/revert -- directory holding all Bastille-created
+#                                       revert scripts and save files
+#
+##############################################################################
+
+
+##############################################################################
+##############################################################################
+##################  Actual functions start here... ###########################
+##############################################################################
+##############################################################################
+
+###########################################################################
+# setOptions takes six arguments, $GLOBAL_DEBUG, $GLOBAL_LOGONLY,
+# $GLOBAL_VERBOSE, $GLOBAL_AUDITONLY, $GLOBAL_AUDIT_NO_BROWSER, and GLOBAL_OS;
+###########################################################################
+sub setOptions($$$$$$) {
+    ($GLOBAL_DEBUG,$GLOBAL_LOGONLY,$GLOBAL_VERBOSE,$GLOBAL_AUDITONLY,
+     $GLOBAL_AUDIT_NO_BROWSER,$GLOBAL_OS) = @_;
+    if ($GLOBAL_AUDIT_NO_BROWSER) {
+	$GLOBAL_AUDITONLY = 1;
+    }
+    if (not(defined($GLOBAL_OS))){
+        $GLOBAL_OS="None";
+    }
+}
+###########################################################################
+#
+# SanitizeEnv load a proper environment so Bastille cannot be tricked
+# and Perl modules work correctly.
+#
+###########################################################################
+sub SanitizeEnv {
+	 delete @ENV{'IFS','CDPATH','ENV','BASH_ENV'};
+	 $ENV{CDPATH}=".";
+	 $ENV{BASH_ENV}= "";
+	 # Bin is needed here or else  /usr/lib/perl5/5.005/Cwd.pm
+	 # will not find `pwd`
+	 # Detected while testing with -w, jfs
+	 $ENV{PATH} = "/bin:/usr/bin";
+	 # Giorgi, is /usr/local/bin needed? (jfs)
+}
+
+###########################################################################
+#
+# GetDistro checks to see if the target is a known distribution and reports
+# said distribution.
+#
+# This is used throughout the script, but also by ConfigureForDistro.
+#
+#
+###########################################################################
+
+sub GetDistro() {
+
+    my ($release,$distro);
+
+    # Only read files for the distro once.
+    # if the --os option was used then
+    if ($GLOBAL_OS eq "None") {
+	if ( -e "/etc/mandrake-release" ) {
+	    open(MANDRAKE_RELEASE,"/etc/mandrake-release");
+	    $release=<MANDRAKE_RELEASE>;
+
+	    if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
+		$distro="MN$1";
+	    }
+	    elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
+                $distro="MN$1";
+            }
+            else {
+		print STDERR "$err Couldn't determine Mandrake/Mandriva version! Setting to 10.1!\n";
+		$distro="MN10.1";
+	    }
+
+	    close(MANDRAKE_RELEASE);
+	}
+	elsif ( -e "/etc/immunix-release" ) {
+	    open(IMMUNIX_RELEASE,"/etc/immunix-release");
+	    $release=<IMMUNIX_RELEASE>;
+	    unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
+		print STDERR "$err Couldn't determine Immunix version! Setting to 6.2!\n";
+		$distro="RH6.2";
+	    }
+	    else {
+		$distro="RH$1";
+	    }
+	    close(*IMMUNIX_RELEASE);
+	}
+	elsif ( -e '/etc/fedora-release' ) {
+            open(FEDORA_RELEASE,'/etc/fedora-release');
+            $release=<FEDORA_RELEASE>;
+            close FEDORA_RELEASE;
+            if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
+                $distro = "RHFC$1";
+            }
+	    elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
+                $distro = "RHFC$1";
+            } 
+            else {
+                print STDERR "$err Could not determine Fedora version! Setting to Fedora Core 8\n";
+                $distro='RHFC8';
+            }
+	}
+	elsif ( -e "/etc/redhat-release" ) {
+	    open(*REDHAT_RELEASE,"/etc/redhat-release");
+	    $release=<REDHAT_RELEASE>;
+	    if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
+		$distro="RH$1";
+	    }
+            elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
+                $distro="RHEL$1$2";
+            }
+	    elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
+		$distro="RHEL$2$1";
+	    }
+	    elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
+		my $version = $1;
+		if ($version =~ /^4\./) {
+		    $distro='RHEL4AS';
+		}
+		elsif ($version =~ /^3\./) {
+		    $distro='RHEL3AS';
+		}
+		else {
+		    print STDERR "$err Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
+		    $distro='RHEL4AS';
+                 }
+	    }
+ 	    else {
+		# JJB/HP - Should this be B_log?
+		print STDERR "$err Couldn't determine Red Hat version! Setting to 9!\n";
+		$distro="RH9";
+	    }
+	    close(REDHAT_RELEASE);
+
+	}
+	elsif ( -e "/etc/debian_version" ) {
+	    $stable="3.1"; #Change this when Debian stable changes
+	    open(*DEBIAN_RELEASE,"/etc/debian_version");
+	    $release=<DEBIAN_RELEASE>;
+	    unless ($release =~ /^(\d+\.\d+\w*)/) {
+		print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
+		$distro="DB$stable";
+	    }
+	    else {
+		$distro="DB$1";
+	    }
+	    close(DEBIAN_RELEASE);
+	}
+	elsif ( -e "/etc/SuSE-release" ) {
+	    open(*SUSE_RELEASE,"/etc/SuSE-release");
+	    $release=<SUSE_RELEASE>;
+	    if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
+		$distro="SE$1";
+	    }
+	    elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
+		$distro="SESLES$1";
+	    }
+	    elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
+		$distro="SESLES$1";
+	    }
+            elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
+                $distro="SE$1";
+            }
+	    else {
+		print STDERR "$err Couldn't determine SuSE version! Setting to 10.3!\n";
+		$distro="SE10.3";
+	    }
+	    close(SUSE_RELEASE);
+	}
+	elsif ( -e "/etc/turbolinux-release") {
+	    open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
+	    $release=<TURBOLINUX_RELEASE>;
+	    unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
+		print STDERR "$err Couldn't determine TurboLinux version! Setting to 7.0!\n";
+		$distro="TB7.0";
+	    }
+	    else {
+		$distro="TB$1";
+	    }
+	    close(TURBOLINUX_RELEASE);
+	}
+	else {
+	    # We're either on Mac OS X, HP-UX or an unsupported O/S.
+            if ( -x '/usr/bin/uname') {
+		# uname is in /usr/bin on Mac OS X and HP-UX
+		$release=`/usr/bin/uname -sr`;
+	    }
+	    else {
+	 	print STDERR "$err Could not determine operating system version!\n";
+		$distro="unknown";
+            }
+
+	    # Figure out what kind of system we're on.
+	    if ($release ne "") {
+		if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
+		    if ($1 == 6 ) {
+			$distro = "OSX10.2";
+		    }
+		    elsif ($1 == 7) {
+			$distro = "OSX10.3";
+		    }
+                    elsif ($1 == 8) {
+                        $distro = "OSX10.3";
+                    }
+		    else {
+		        $distro = "unknown";
+		    }
+		}
+	        elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
+		   $distro="$1$2";
+		}
+		else {
+		   print STDERR "$err Could not determine operating system version!\n";
+	           $distro="unknown";
+		}
+	    }
+	}
+
+	$GLOBAL_OS=$distro;
+    } elsif (not (defined $GLOBAL_OS)) {
+        print "ERROR: GLOBAL OS Scoping Issue\n";
+    } else {
+        $distro = $GLOBAL_OS;
+    }
+
+    return $distro;
+}
+
+###################################################################################
+#   &getActualDistro;                                                             #
+#                                                                                 #
+#    This subroutine returns the actual os version in which is running on.  This  #
+#    os version is independent of the --os switch feed to bastille.               #
+#                                                                                 #
+###################################################################################
+sub getActualDistro {
+    # set local variable to $GLOBAL_OS
+
+    if ($GLOBAL_ACTUAL_OS eq "None") {
+        my $os = $GLOBAL_OS;
+        # undef GLOBAL_OS so that the GetDistro routine will return
+        # the actualDistro, it might otherwise return the distro set
+        # by the --os switch.
+        $GLOBAL_OS = "None";
+        $GLOBAL_ACTUAL_OS = &GetDistro;
+        # reset the GLOBAL_OS variable
+        $GLOBAL_OS = $os;
+    }
+    return $GLOBAL_ACTUAL_OS;
+}
+# These are helper routines which used to be included inside GetDistro
+sub is_OS_supported($) {
+   my $os=$_[0];
+   my $supported=0;
+   my %supportedOSHash = &getSupportedOSHash;
+
+   foreach my $oSType (keys %supportedOSHash) {
+       foreach my $supported_os ( @{$supportedOSHash{$oSType}} ) {
+	   if ( $supported_os eq $os ) {
+	       $supported=1;
+	   }
+       }
+   }
+
+   return $supported;
+}
+
+###############################################################################
+#   getSupportedOSHash
+#
+#   This subrountine returns a hash of supported OSTypes, which point to a
+#   a list of supported distros.  When porting to a new distro, add the
+#   distro id to the hash in its appropriate list.
+###############################################################################
+sub getSupportedOSHash () {
+
+    my %osHash = ("LINUX" => [
+			      "DB2.2", "DB3.0",
+			      "RH6.0","RH6.1","RH6.2","RH7.0",
+			      "RH7.1","RH7.2","RH7.3","RH8.0",
+			      "RH9",
+                              "RHEL5",
+			      "RHEL4AS","RHEL4ES","RHEL4WS",
+			      "RHEL3AS","RHEL3ES","RHEL3WS",
+			      "RHEL2AS","RHEL2ES","RHEL2WS",
+			      "RHFC1","RHFC2","RHFC3","RHFC4",
+			      "RHFC5","RHFC6","RHFC7","RHFC8",
+			      "MN6.0","MN6.1 ","MN7.0","MN7.1",
+			      "MN7.2","MN8.0","MN8.1","MN8.2",
+			      "MN10.1",
+			      "SE7.2","SE7.3", "SE8.0","SE8.1","SE9.0","SE9.1",
+			      "SE9.2","SE9.3","SE10.0","SE10.1","SE10.2","SE10.3",
+			      "SESLES8","SESLES9","SESLES10",
+			      "TB7.0"
+			      ],
+
+		  "HP-UX" => [
+			      "HP-UX11.00","HP-UX11.11",
+			      "HP-UX11.22", "HP-UX11.23",
+			      "HP-UX11.31"
+			      ],
+
+		  "OSX" => [
+			    'OSX10.2','OSX10.3','OSX10.4'
+			    ]
+		  );
+
+  return %osHash;
+
+}
+
+
+###############################################################################
+#  setFileLocations(OSMapFile, currentDistro);
+#
+#  Given a file map location this subroutine will create the GLOBAL_*
+#  hash entries specified within this file.
+###############################################################################
+sub setFileLocations($$) {
+
+    my ($fileInfoFile,$currentDistro) = @_;
+
+    # define a mapping from the first argument to the proper hash
+    my %map = ("BIN"   => \%GLOBAL_BIN,
+	       "FILE"  => \%GLOBAL_FILE,
+	       "BFILE" => \%GLOBAL_BFILE,
+	       "DIR"   => \%GLOBAL_DIR,
+	       "BDIR"  => \%GLOBAL_BDIR
+	       );
+    my @fileInfo = ();
+
+    #  File containing file location information
+    if(open(FILEINFO, "<$fileInfoFile" )) {
+
+	@fileInfo = <FILEINFO>;
+
+	close(FILEINFO);
+
+    }
+    else {
+	print STDERR "$err Unable to find file location information for '$distro'.\n" .
+	    "$spc Contact the Bastille support list for details.\n";
+	exit(1);
+    }
+
+    # Each line of the file map follows the pattern below:
+    # bdir,init.d,'/etc/rc.d/init.d',RH7.2,RH7.3
+    # if the distro information is not available, e.g.
+    # bdir,init.d,'/etc/rc.d/init.d'
+    # then the line applies to all distros under the OSType
+    foreach my $file (@fileInfo) {
+	# Perl comments are allowed within the file but only entire line comments
+	if($file !~ /^\s+\#|^\s+$/) {
+	    chomp $file;
+	    # type relates to the map above, type bin will map to GLOBAL_BIN
+	    # id is the identifier used as the hash key by the GLOBAL hash
+	    # fileLocation is the full path to the file
+	    # distroList is an optional list of distros that this particular
+	    #   file location, if no distro list is presented the file location
+	    #   is considered to apply to all distros
+	    my ($type,$id,$fileLocation,@distroList) = split /\s*,\s*/, $file;
+	    $fileLocation =~ s/^\'(.*)\'$/$1/;
+	    if($#distroList == -1) {
+		$map{uc($type)}->{$id}=$fileLocation;
+	    }
+	    else {
+		foreach my $distro (@distroList) {
+		    # if the current distro matches the distro listed then
+		    # this file location applies
+		    if($currentDistro =~ /$distro/) {
+			$map{uc($type)}->{$id}=$fileLocation;
+		    }
+		}
+	    }
+	}
+    }
+    unless(defined($map{uc("BFILE")}->{"current_config"})) {
+        &setGlobal("BFILE","current_config",&getGlobal("BFILE","config"));
+    }
+}
+
+###############################################################################
+#  setServiceInfo($OSServiceMapFile, $currentDistro
+#
+#  Given the location of an OS Service map file, which describes
+#  a service in terms of configurables, processes and a service type.
+#  The subroutine fills out the GLOBAL_SERVICE, $GLOBAL_RC_CONFIG, GLOBAL_SERVTYPE, and
+#  GLOBAL_PROCESS hashes for a given service ID.
+###############################################################################
+sub setServiceInfo($$) {
+    my ($serviceInfoFile,$currentDistro) = @_;
+    my @serviceInfo = ();
+
+    if(open(SERVICEINFO, "<$serviceInfoFile" )) {
+
+	@serviceInfo = <SERVICEINFO>;
+
+	close(SERVICEINFO);
+
+    }
+    else {
+	print STDERR "$err Unable to find service, service type, and process information\n" .
+	             "$spc for '$distro'.\n" .
+	             "$spc Contact the Bastille support list for details.\n";
+	exit(1);
+    }
+
+
+    # The following loop, parses the entire (YOUR OS).service file
+    # to provide service information for YOUR OS.
+    # The files format is as follows:
+    # serviceID,servType,('service' 'configuration' 'list'),('process' 'list')[,DISTROS]*
+    # if distros are not present then the service is assumed to be
+    # relevant the the current distro
+
+
+#
+# More specifically, this file's format for rc-based daemons is:
+#
+# script_name,rc,(rc-config-file rc-config-file ...),(rc-variable1 rc-variable2 ...),('program_name1 program_name2 ...')
+#
+# ...where script_name is a file in /etc/init.d/ and
+# ...program_nameN is a program launced by the script.
+#
+# This file's format for inet-based daemons is:
+#
+# identifier, inet, line name/file name, program name
+#
+# label,inet,(port1 port2 ...),(daemon1 daemon2 ...)
+#
+# ...where label is arbitrary, portN is one of the ports
+# ...this one listens on, and daemonN is a program launched
+# ...in response to a connection on a port.
+
+    foreach my $service (@serviceInfo) {
+	# This file accepts simple whole line comments perl style
+	if($service !~ /^\s+\#|^\s+$/) {
+	    chomp $service;
+	    my ($serviceID,$servType,$strConfigList,$strServiceList,
+		$strProcessList,@distroList) = split /\s*,\s*/, $service;
+            
+            sub MakeArrayFromString($){
+                my $entryString = $_[0];
+                my @destArray = ();
+                if ($entryString =~ /\'\S+\'/) { #Make sure we have something to extract before we try
+                    @destArray = split /\'\s+\'/, $entryString;
+                    $destArray[0] =~ s/^\(\'(.+)$/$1/; # Remove leading quotation mark
+                    $destArray[$#destArray] =~ s/^(.*)\'\)$/$1/; #Remove trailing quotation mark
+                }
+                return @destArray;
+            }
+
+	    # produce a list of configuration files from the files
+	    # format ('configuration' 'files')
+	    my @configList = MakeArrayFromString($strConfigList);
+
+	    # produce a list of service configurables from the files
+	    # format ('service' 'configurable')
+	    my @serviceList = MakeArrayFromString($strServiceList);
+
+	    # produce a list of process names from the files format
+	    # ('my' 'process' 'list')
+	    my @processList = MakeArrayFromString($strProcessList);
+
+	    # if distros were not specified then accept the service information
+	    if($#distroList == -1) {
+		@{$GLOBAL_SERVICE{$serviceID}} = @serviceList;
+		$GLOBAL_SERVTYPE{$serviceID} = $servType;
+		@{$GLOBAL_PROCESS{$serviceID}} = @processList;
+                @{$GLOBAL_RC_CONFIG{$serviceID}} = @configList;
+	    }
+	    else {
+		# only if the current distro matches one of the listed distros
+		# include the service information.
+		foreach my $distro (@distroList) {
+		    if($currentDistro =~ /$distro/) {
+			@{$GLOBAL_SERVICE{$serviceID}} = @serviceList;
+			$GLOBAL_SERVTYPE{$serviceID} = $servType;
+			@{$GLOBAL_PROCESS{$serviceID}} = @processList;
+                        @{$GLOBAL_RC_CONFIG{$serviceID}} = @configList;
+		    }
+		}
+	    }
+	}
+    }
+}
+
+
+
+###############################################################################
+#  getFileAndServiceInfo($distro,$actualDistro)
+#
+#  This subrountine, given distribution information, will import system file
+#  and service information into the GLOBA_* hashes.
+#
+#  NOTE: $distro and $actualDistro will only differ when the --os switch is
+#        used to generate a configuration file for an arbitrary operating
+#        system.
+#
+###############################################################################
+sub getFileAndServiceInfo($$) {
+
+    my ($distro,$actualDistro) = @_;
+
+    # defines the path to the OS map information for any supported OS type.
+    # OS map information is used to determine file locations for a given
+    # distribution.
+    my %oSInfoPath = (
+		       "LINUX" => "/usr/share/Bastille/OSMap/",
+		       "HP-UX" => "/etc/opt/sec_mgmt/bastille/OSMap/",
+		       "OSX" => "/usr/share/Bastille/OSMap/"
+		       );
+
+    # returns the OS, LINUX,  HP-UX, or OSX, associated with this
+    # distribution
+    my $actualOS = &getOSType($actualDistro);
+    my $oS = &getOSType($distro);
+
+    if(defined $actualOS && defined $oS) {
+	my $bastilleInfoFile = $oSInfoPath{$actualOS} . "${actualOS}.bastille";
+	my $systemInfoFile =  $oSInfoPath{$actualOS} . "${oS}.system";
+	my $serviceInfoFile = $oSInfoPath{$actualOS} . "${oS}.service";
+
+	if(-f $bastilleInfoFile) {
+	    &setFileLocations($bastilleInfoFile,$actualDistro);
+	}
+	else {
+	    print STDERR "$err Unable to find bastille file information.\n" .
+		         "$spc $bastilleInfoFile does not exist on the system";
+	    exit(1);
+	}
+
+	if(-f $systemInfoFile) {
+	    &setFileLocations($systemInfoFile,$distro);
+	}
+	else {
+	    print STDERR "$err Unable to find system file information.\n" .
+		         "$spc $systemInfoFile does not exist on the system";
+	    exit(1);
+	}
+	# Service info File is optional
+	if(-f $serviceInfoFile) {
+	    &setServiceInfo($serviceInfoFile,$distro);
+	}
+    }
+    else {
+	print STDERR "$err Unable to determine operating system type\n" .
+	             "$spc for $actualDistro or $distro\n";
+	exit(1);
+    }
+
+}
+
+
+# returns the Operating System type associated with the specified
+# distribution.
+sub getOSType($) {
+
+    my $distro = $_[0];
+
+    my %supportedOSHash = &getSupportedOSHash;
+    foreach my $oSType (keys %supportedOSHash) {
+	foreach my $oSDistro (@{$supportedOSHash{$oSType}}) {
+	    if($distro eq $oSDistro) {
+		return $oSType;
+	    }
+	}
+    }
+
+    return undef;
+
+}
+
+
+# Test subroutine used to debug file location info for new Distributions as
+# they are ported.
+sub dumpFileInfo {
+    print "Dumping File Information\n";
+    foreach my $hashref (\%GLOBAL_BIN,\%GLOBAL_DIR,\%GLOBAL_FILE,\%GLOBAL_BFILE,\%GLOBAL_BDIR) {
+	foreach my $id (keys %{$hashref}) {
+	    print "$id: ${$hashref}{$id}\n";
+	}
+	print "-----------------------\n\n";
+    }
+}
+
+# Test subroutine used to debug service info for new Distributions as
+# they are ported.
+sub dumpServiceInfo {
+    print "Dumping Service Information\n";
+    foreach my $serviceId (keys %GLOBAL_SERVICE) {
+	print "$serviceId:\n";
+	print "Type - $GLOBAL_SERVTYPE{$serviceId}\n";
+	print "Service List:\n";
+	foreach my $service (@{$GLOBAL_SERVICE{$serviceId}}) {
+	    print "$service ";
+	}
+	print "\nProcess List:\n";
+	foreach my $process (@{$GLOBAL_PROCESS{$serviceId}}) {
+	    print "$process ";
+	}
+	print "\n----------------------\n";
+    }
+}
+
+
+###########################################################################
+#
+# &ConfigureForDistro configures the API for a given distribution.  This
+# includes setting global variables that tell the Bastille API about
+# given binaries and directories.
+#
+# WARNING: If a distro is not covered here, Bastille may not be 100%
+#          compatible with it, though 1.1 is written to be much smarter
+#          about unknown distros...
+#
+###########################################################################
+sub ConfigureForDistro {
+
+    my $retval=1;
+
+    # checking to see if the os version given is in fact supported
+    my $distro = &GetDistro;
+
+    # checking to see if the actual os version is in fact supported
+    my $actualDistro = &getActualDistro;
+    $ENV{'LOCALE'}=''; # So that test cases checking for english results work ok.
+    if ((! &is_OS_supported($distro)) or (! &is_OS_supported($actualDistro))  ) {
+	# if either is not supported then print out a list of supported versions
+	if (! &is_OS_supported($distro)) {
+	    print STDERR "$err '$distro' is not a supported operating system.\n";
+	}
+	else {
+	    print STDERR "$err Bastille is unable to operate correctly on this\n";
+	    print STDERR "$spc $distro operating system.\n";
+	}
+	my %supportedOSHash = &getSupportedOSHash;
+	print STDERR "$spc Valid operating system versions are as follows:\n";
+
+	foreach my $oSType (keys %supportedOSHash) {
+
+	    print STDERR "$spc $oSType:\n$spc ";
+
+	    my $os_number = 1;
+	    foreach my $os (@{$supportedOSHash{$oSType}}) {
+		print STDERR "'$os' ";
+		if ($os_number == 5){
+		    print STDERR "\n$spc ";
+		    $os_number = 1;
+		}
+		else {
+		    $os_number++;
+		}
+
+	    }
+	    print STDERR "\n";
+	}
+
+	print "\n" . $GLOBAL_ERROR{"usage"};
+	exit(1);
+    }
+
+    # First, let's make sure that we do not create any files or
+    # directories with more permissive permissions than we
+    # intend via setting the Perl umask
+    umask(077);
+
+    &getFileAndServiceInfo($distro,$actualDistro);
+
+#    &dumpFileInfo;  # great for debuging file location issues
+#    &dumpServiceInfo; # great for debuging service information issues
+
+   # OS dependent error messages (after configuring file locations)
+    my $nodisclaim_file = &getGlobal('BFILE', "nodisclaimer");
+
+    $GLOBAL_ERROR{"disclaimer"}="$err Unable to touch $nodisclaim_file:" .
+	    "$spc You must use Bastille\'s -n flag (for example:\n" .
+	    "$spc bastille -f -n) or \'touch $nodisclaim_file \'\n";
+
+    return $retval;
+}
+
+
+###########################################################################
+###########################################################################
+#                                                                         #
+# The B_<perl_function> file utilities are replacements for their Perl    #
+# counterparts.  These replacements log their actions and their errors,   #
+# but are very similar to said counterparts.                              #
+#                                                                         #
+###########################################################################
+###########################################################################
+
+
+###########################################################################
+# B_open is used for opening a file for reading.  B_open_plus is the preferred
+# function for writing, since it saves a backup copy of the file for
+# later restoration.
+#
+# B_open opens the given file handle, associated with the given filename
+# and logs appropriately.
+#
+###########################################################################
+
+sub B_open {
+   my $retval=1;
+   my ($handle,$filename)=@_;
+
+   unless ($GLOBAL_LOGONLY) {
+       $retval = open $handle,$filename;
+   }
+
+   ($handle) = "$_[0]" =~ /[^:]+::[^:]+::([^:]+)/;
+   &B_log("ACTION","open $handle,\"$filename\";\n");
+   unless ($retval) {
+      &B_log("ERROR","open $handle, $filename failed...\n");
+   }
+
+   return $retval;
+}
+
+###########################################################################
+# B_open_plus is the v1.1 open command.
+#
+# &B_open_plus($handle_file,$handle_original,$file) opens the file $file
+# for reading and opens the file ${file}.bastille for writing.  It is the
+# counterpart to B_close_plus, which will move the original file to
+# $GLOBAL_BDIR{"backup"} and will place the new file ${file}.bastille in its
+# place.
+#
+# &B_open_plus makes the appropriate log entries in the action and error
+# logs.
+###########################################################################
+
+sub B_open_plus {
+
+    my ($handle_file,$handle_original,$file)=@_;
+    my $retval=1;
+    my $return_file=1;
+    my $return_old=1;
+
+    my $original_file = $file;
+
+    # Open the original file and open a copy for writing.
+    unless ($GLOBAL_LOGONLY) {
+	# if the temporary filename already exists then the open operation will fail.
+        if ( $file eq "" ){
+            &B_log("ERROR","Internal Error - Attempt Made to Open Blank Filename");
+            $return_old=0;
+	    $return_file=0;
+            return 0; #False
+        } elsif (-e "${file}.bastille") {
+            &B_log("ERROR","Unable to open $file as the swap file ".
+                   "${file}.bastille\" already exists.  Rename the swap ".
+                   "file to allow Bastille to make desired file modifications.");
+	    $return_old=0;
+	    $return_file=0;
+	}
+	else {
+	    $return_old = open $handle_original,"$file";
+	    $return_file = open $handle_file,("> $file.bastille");
+	}
+    }
+
+    # Error handling/logging here...
+    #&B_log("ACTION","# Modifying file $original_file via temporary file $original_file.bastille\n");
+    unless ($return_file) {
+	$retval=0;
+	&B_log("ERROR","open file: \"$original_file.bastille\" failed...\n");
+    }
+    unless ($return_old) {
+	$retval=0;
+	&B_log("ERROR","open file: \"$original_file\" failed.\n");
+    }
+
+    return $retval;
+
+}
+
+###########################################################################
+# B_close was the v1.0 close command.  It is still used in places in the
+# code.
+# However the use of B _close_plus, which implements a new, smarter,
+# backup scheme is preferred.
+#
+# B_close closes the given file handle, associated with the given filename
+# and logs appropriately.
+###########################################################################
+
+
+sub B_close {
+   my $retval=1;
+
+   unless ($GLOBAL_LOGONLY) {
+       $retval = close $_[0];
+   }
+
+   &B_log("ACTION", "close $_[0];\n");
+   unless ($retval) {
+      &B_log("ERROR", "close $_[0] failed...\n");
+   }
+
+   return $retval;
+}
+
+
+###########################################################################
+# B_close_plus is the v1.1 close command.
+#
+# &B_close_plus($handle_file,$handle_original,$file) closes the files
+# $file and ${file}.bastille, backs up $file to $GLOBAL_BDIR{"backup"} and
+# renames ${file}.bastille to $file.  This backup is made using the
+# internal API function &B_backup_file.  Further, it sets the new file's
+# permissions and uid/gid to the same as the old file.
+#
+# B_close_plus is the counterpart to B_open_plus, which opened $file and
+# $file.bastille with the file handles $handle_original and $handle_file,
+# respectively.
+#
+# &B_close_plus makes the appropriate log entries in the action and error
+# logs.
+###########################################################################
+
+sub B_close_plus {
+    my ($handle_file,$handle_original,$file)=@_;
+    my ($mode,$uid,$gid);
+    my @junk;
+
+    my $original_file;
+
+    my $retval=1;
+    my $return_file=1;
+    my $return_old=1;
+
+    # Append the global prefix, but save the original for B_backup_file b/c
+    # it appends the prefix on its own...
+
+    $original_file=$file;
+
+    #
+    # Close the files and prepare for the rename
+    #
+
+    if (($file eq "") or (not(-e $file ))) {
+        &B_log("ERROR","Internal Error, attempted to close a blank filename ".
+               "or nonexistent file.");
+        return 0; #False
+    }
+
+    unless ($GLOBAL_LOGONLY) {
+	$return_file = close $handle_file;
+	$return_old = close $handle_original;
+    }
+
+    # Error handling/logging here...
+    #&B_log("ACTION","#Closing $original_file and backing up to " . &getGlobal('BDIR', "backup"));
+    #&B_log("ACTION","/$original_file\n");
+
+    unless ($return_file) {
+	$retval=0;
+	&B_log("ERROR","close $original_file failed...\n");
+    }
+    unless ($return_old) {
+	$retval=0;
+	&B_log("ERROR","close $original_file.bastille failed.\n");
+    }
+
+    #
+    # If we've had no errors, backup the old file and put the new one
+    # in its place, with the Right permissions.
+    #
+
+    unless ( ($retval == 0) or $GLOBAL_LOGONLY) {
+
+	# Read the permissions/owners on the old file
+
+	@junk=stat ($file);
+	$mode=$junk[2];
+	$uid=$junk[4];
+	$gid=$junk[5];
+
+	# Set the permissions/owners on the new file
+
+	chmod $mode, "$file.bastille" or &B_log("ERROR","Not able to retain permissions on $original_file!!!\n");
+	chown $uid, $gid, "$file.bastille" or &B_log("ERROR","Not able to retain owners on $original_file!!!\n");
+
+	# Backup the old file and put a new one in place.
+
+	&B_backup_file($original_file);
+	rename "$file.bastille", $file or
+        &B_log("ERROR","B_close_plus: not able to move $original_file.bastille to $original_file\n");
+
+        # We add the file to the GLOBAL_SUMS hash if it is not already present
+	&B_set_sum($file);
+
+    }
+
+    return $retval;
+}
+
+###########################################################################
+# &B_backup_file ($file) makes a backup copy of the file $file in
+# &getGlobal('BDIR', "backup").  Note that this routine is intended for internal
+# use only -- only Bastille API functions should call B_backup_file.
+#
+###########################################################################
+
+sub B_backup_file {
+
+    my $file=$_[0];
+    my $complain = 1;
+    my $original_file = $file;
+
+    my $backup_dir = &getGlobal('BDIR', "backup");
+    my $backup_file = $backup_dir . $original_file;
+
+    my $retval=1;
+
+    # First, separate the file into the directory and the relative filename
+
+    my $directory ="";
+    if ($file =~ /^(.*)\/([^\/]+)$/) {
+	#$relative_file=$2;
+	$directory = $1;
+    } else {
+        $directory=cwd;
+    }
+
+    # Now, if the directory does not exist, create it.
+    # Later:
+    #   Try to set the same permissions on the patch directory that the
+    #   original had...?
+
+    unless ( -d ($backup_dir . $directory) ) {
+	mkpath(( $backup_dir . $directory),0,0700);
+
+    }
+
+    # Now we backup the file.  If there is already a backup file there,
+    # we will leave it alone, since it exists from a previous run and
+    # should be the _original_ (possibly user-modified) distro's version
+    # of the file.
+
+    if ( -e $file ) {
+
+	unless ( -e $backup_file ) {
+	    my $command=&getGlobal("BIN","cp");
+            &B_Backtick("$command -p $file $backup_file");
+	    &B_revert_log (&getGlobal("BIN","mv"). " $backup_file $file");
+	}
+
+    } else {
+	# The file we were trying to backup doesn't exist.
+
+	$retval=0;
+	# This is a non-fatal error, not worth complaining about
+	$complain = 0;
+	#&ErrorLog ("# Failed trying to backup file $file -- it doesn't exist!\n");
+    }
+
+    # Check to make sure that the file does exist in the backup location.
+
+    unless ( -e $backup_file ) {
+	$retval=0;
+	if ( $complain == 1 ) {
+	    &B_log("ERROR","Failed trying to backup $file -- the copy was not created.\n");
+	}
+    }
+
+    return $retval;
+}
+
+
+###########################################################################
+# &B_read_sums reads in the sum.csv file which contains information
+#   about Bastille modified files. The file structure is as follows:
+#
+#     filename,filesize,cksum
+#
+#   It reads the information into the GLOBAL_SUM hash i.e.
+#      $GLOBAL_SUM{$file}{sum} = $cksum
+#      $GLOBAL_SUM{$file}{filesize} = $size
+#   For the first run of Bastille on a given system this subroutine
+#   is a no-op, and returns "undefined."
+###########################################################################
+
+sub B_read_sums {
+
+    my $sumFile = &getGlobal('BFILE',"sum.csv");
+
+    if ( -e $sumFile ) {
+
+	open( SUM, "< $sumFile") or &B_log("ERROR","Unable to open $sumFile for read.\n$!\n");
+
+	while( my $line = <SUM> ) {
+	    chomp $line;
+	    my ($file,$filesize,$sum,$flag) = split /,/, $line;
+	    if(-e $file) {
+		$GLOBAL_SUM{"$file"}{filesize} = $filesize;
+		$GLOBAL_SUM{"$file"}{sum} = $sum;
+	    }
+	}
+
+	close(SUM);
+    } else {
+        return undef;
+    }
+}
+
+
+###########################################################################
+# &B_write_sums writes out the sum.csv file which contains information
+#   about Bastille modified files. The file structure is as follows:
+#
+#     filename,filesize,cksum
+#
+#   It writes the information from the GLOBAL_SUM hash i.e.
+#
+#      $file,$GLOBAL_SUM{$file}{sum},$GLOBAL_SUM{$file}{filesize}
+#
+#   This subroutine requires access to the GLOBAL_SUM hash.
+###########################################################################
+
+sub B_write_sums {
+
+    my $sumFile = &getGlobal('BFILE',"sum.csv");
+
+    if ( %GLOBAL_SUM ) {
+
+	open( SUM, "> $sumFile") or &B_log("ERROR","Unable to open $sumFile for write.\n$!\n");
+
+	for my $file (sort keys %GLOBAL_SUM) {
+	    if( -e $file) {
+		print SUM "$file,$GLOBAL_SUM{\"$file\"}{filesize},$GLOBAL_SUM{\"$file\"}{sum}\n";
+	    }
+	}
+
+	close(SUM);
+    }
+
+}
+
+
+###########################################################################
+# &B_check_sum($file) compares the stored cksum and filesize of the given
+#   file compared to the current cksum and filesize respectively.
+#   This subroutine also keeps the state of the sum check by setting the
+#   checked flag which tells the subroutine that on this run this file
+#   has already been checked.
+#
+#     $GLOBAL_SUM{$file}{checked} = 1;
+#
+#   This subroutine requires access to the GLOBAL_SUM hash.
+#
+#  Returns 1 if sum checks out and 0 if not
+###########################################################################
+
+sub B_check_sum($) {
+    my $file = $_[0];
+    my $cksum = &getGlobal('BIN',"cksum");
+
+    if (not(%GLOBAL_SUM)) {
+        &B_read_sums;
+    }
+
+    if(-e $file) {
+	my ($sum,$size,$ckfile) = split(/\s+/, `$cksum $file`);
+        my $commandRetVal = ($? >> 8);  # find the command's return value
+
+	if($commandRetVal != 0) {
+	    &B_log("ERROR","$cksum reported the following error:\n$!\n");
+            return 0;
+	} else {
+            if ( exists $GLOBAL_SUM{$file} ) {
+                # if the file size or file sum differ from those recorded.
+                if (( $GLOBAL_SUM{$file}{filesize} == $size) and
+                    ($GLOBAL_SUM{$file}{sum} == $sum )) {
+                    return 1; #True, since saved state matches up, all is well.
+                } else {
+                    return 0; #False, since saved state doesn't match
+                }
+            } else {
+                &B_log("ERROR","File: $file does not exist in sums database.");
+                return 0;
+            }
+        }
+    } else {
+        &B_log("ERROR","The file: $file does not exist for comparison in B_check_sum.");
+        return 0;
+    }
+}
+
+# Don't think we need this anymore as function now check_sums returns
+# results directly
+#sub isSumDifferent($) {
+#    my $file = $_[0];
+#    if(exists $GLOBAL_SUM{$file}) {
+#	return $GLOBAL_SUM{$file}{flag}
+#    }
+#}
+
+sub listModifiedFiles {
+    my @listModifiedFiles=sort keys %GLOBAL_SUM;
+    return @listModifiedFiles;
+}
+
+###########################################################################
+# &B_isFileinSumDB($file) checks to see if a given file's sum was saved.
+#
+#     $GLOBAL_SUM{$file}{filesize} = $size;
+#     $GLOBAL_SUM{$file}{sum} = $cksum;
+#
+#   This subroutine requires access to the GLOBAL_SUM hash.
+###########################################################################
+
+sub B_isFileinSumDB($) {
+    my $file = $_[0];
+
+    if (not(%GLOBAL_SUM)) {
+        &B_log("DEBUG","Reading in DB from B_isFileinSumDB");
+        &B_read_sums;
+    }
+    if (exists($GLOBAL_SUM{"$file"})){
+        &B_log("DEBUG","$file is in sum database");
+        return 1; #true
+    } else {
+        &B_log("DEBUG","$file is not in sum database");
+        return 0; #false
+    }
+}
+
+###########################################################################
+# &B_set_sum($file) sets the current cksum and filesize of the given
+#   file into the GLOBAL_SUM hash.
+#
+#     $GLOBAL_SUM{$file}{filesize} = $size;
+#     $GLOBAL_SUM{$file}{sum} = $cksum;
+#
+#   This subroutine requires access to the GLOBAL_SUM hash.
+###########################################################################
+
+sub B_set_sum($) {
+
+    my $file = $_[0];
+    my $cksum = &getGlobal('BIN',"cksum");
+    if( -e $file) {
+
+	my ($sum,$size,$ckfile) = split(/\s+/, `$cksum $file`);
+        my $commandRetVal = ($? >> 8);  # find the command's return value
+
+	if($commandRetVal != 0) {
+
+	    &B_log("ERROR","$cksum reported the following error:\n$!\n");
+
+	}
+	else {
+
+	    # new file size and sum are added to the hash
+	    $GLOBAL_SUM{$file}{filesize} = $size;
+	    $GLOBAL_SUM{$file}{sum} = $sum;
+	    &B_write_sums;
+
+	}
+    } else {
+        &B_log("ERROR","Can not save chksum for file: $file since it does not exist");
+    }
+}
+
+
+###########################################################################
+#
+# &B_delete_file ($file)  deletes the file $file and makes a backup to
+# the backup directory.
+#
+##########################################################################
+
+
+sub B_delete_file($) { #Currently Linux only (TMPDIR)
+    #consideration: should create clear_sum routine if this is ever used to remove
+    #               A Bastille-generated file.
+
+    #
+    # This API routine deletes the named file, backing it up first to the
+    # backup directory.
+    #
+
+    my $filename=shift @_;
+    my $retval=1;
+
+    # We have to append the prefix ourselves since we don't use B_open_plus
+
+    my $original_filename=$filename;
+
+    &B_log("ACTION","Deleting (and backing-up) file $original_filename\n");
+    &B_log("ACTION","rm $original_filename\n");
+
+    unless ($filename) {
+	&B_log("ERROR","B_delete_file called with no arguments!\n");
+    }
+
+    unless ($GLOBAL_LOGONLY) {
+	if ( B_backup_file($original_filename) ) {
+	    unless ( unlink $filename ) {
+		&B_log("ERROR","Couldn't unlink file $original_filename");
+		$retval=0;
+	    }
+	}
+	else {
+	    $retval=0;
+	    &B_log("ERROR","B_delete_file did not delete $original_filename since it could not back it up\n");
+	}
+    }
+
+    $retval;
+
+}
+
+
+###########################################################################
+# &B_create_file ($file) creates the file $file, if it doesn't already
+# exist.
+# It will set a default mode of 0700 and a default uid/gid or 0/0.
+#
+# &B_create_file, to support Bastille's revert functionality, writes an
+# rm $file command to the end of the file &getGlobal('BFILE', "created-files").
+#
+##########################################################################
+
+
+sub B_create_file($) {
+
+    my $file = $_[0];
+    my $retval=1;
+
+    # We have to create the file ourselves since we don't use B_open_plus
+
+    my $original_file = $file;
+
+    if ($file eq ""){
+        &B_log("ERROR","Internal Error, attempt made to create blank filename");
+        return 0; #False
+    }
+
+    unless ( -e $file ) {
+
+	unless ($GLOBAL_LOGONLY) {
+
+	    # find the directory in which the file is to reside.
+	    my $dirName = dirname($file);
+	    # if the directory does not exist then
+	    if(! -d $dirName) {
+		# create it.
+		mkpath ($dirName,0,0700);
+	    }
+
+	    $retval=open CREATE_FILE,">$file";
+
+	    if ($retval) {
+		close CREATE_FILE;
+		chmod 0700,$file;
+		# Make the revert functionality
+		&B_revert_log( &getGlobal('BIN','rm') . " $original_file \n");
+	    } else {
+		&B_log("ERROR","Couldn't create file $original_file even though " .
+			  "it didn't already exist!\n");
+	    }
+	}
+	&B_log("ACTION","Created file $original_file\n");
+    } else {
+	&B_log("DEBUG","Didn't create file $original_file since it already existed.\n");
+	$retval=0;
+    }
+
+    $retval;
+}
+
+
+###########################################################################
+# &B_create_dir ($dir) creates the directory $dir, if it doesn't already
+# exist.
+# It will set a default mode of 0700 and a default uid/gid or 0/0.
+#
+##########################################################################
+
+
+sub B_create_dir($) {
+
+    my $dir = $_[0];
+    my $retval=1;
+
+    # We have to append the prefix ourselves since we don't use B_open_plus
+
+    my $original_dir=$dir;
+
+    unless ( -d $dir ) {
+	unless ($GLOBAL_LOGONLY) {
+	    $retval=mkdir $dir,0700;
+
+	    if ($retval) {
+		# Make the revert functionality
+		&B_revert_log (&getGlobal('BIN','rmdir') . " $original_dir\n");
+	    }
+	    else {
+		&B_log("ERROR","Couldn't create dir $original_dir even though it didn't already exist!");
+	    }
+
+	}
+	&B_log("ACTION","Created directory $original_dir\n");
+    }
+    else {
+	&B_log("ACTION","Didn't create directory $original_dir since it already existed.\n");
+	$retval=0;
+    }
+
+    $retval;
+}
+
+
+
+###########################################################################
+# &B_symlink ($original_file,$new_symlink) creates a symbolic link from
+# $original_file to $new_symlink.
+#
+# &B_symlink respects $GLOBAL_LOGONLY.  It supports
+# the revert functionality that you've come to know and love by adding every
+# symbolic link it creates to &getGlobal('BFILE', "created-symlinks"), currently set to:
+#
+#         /root/Bastille/revert/revert-created-symlinks
+#
+# The revert script, if it works like I think it should, will run this file,
+# which should be a script or rm's...
+#
+##########################################################################
+
+sub B_symlink($$) {
+    my ($source_file,$new_symlink)=@_;
+    my $retval=1;
+    my $original_source = $source_file;
+    my $original_symlink = $new_symlink;
+
+    unless ($GLOBAL_LOGONLY) {
+	$retval=symlink $source_file,$new_symlink;
+	if ($retval) {
+	    &B_revert_log (&getGlobal('BIN',"rm") .  " $original_symlink\n");
+	}
+    }
+
+    &B_log("ACTION", "Created a symbolic link called $original_symlink from $original_source\n");
+    &B_log("ACTION", "symlink \"$original_source\",\"$original_symlink\";\n");
+    unless ($retval) {
+	&B_log("ERROR","Couldn't symlink $original_symlink -> $original_source\n");
+    }
+
+    $retval;
+
+}
+
+
+sub B_cp($$) {
+
+    my ($source,$target)=@_;
+    my $retval=0;
+
+    my $had_to_backup_target=0;
+
+    use File::Copy;
+
+    my $original_source=$source;
+    my $original_target=$target;
+
+    if( -e $target and -f $target ) {
+	&B_backup_file($original_target);
+	&B_log("ACTION","About to copy $original_source to $original_target -- had to backup target\n");
+	$had_to_backup_target=1;
+    }
+
+    $retval=copy($source,$target);
+    if ($retval) {
+	&B_log("ACTION","cp $original_source $original_target\n");
+
+	#
+	# We want to add a line to the &getGlobal('BFILE', "created-files") so that the
+	# file we just put at $original_target gets deleted.
+	#
+	&B_revert_log(&getGlobal('BIN',"rm") . " $original_target\n");
+    } else {
+	&B_log("ERROR","Failed to copy $original_source to $original_target\n");
+    }
+    # We add the file to the GLOBAL_SUMS hash if it is not already present
+    &B_set_sum($target);
+    $retval;
+}
+
+
+
+############################################################################
+# &B_place puts a file in place, using Perl's File::cp.  This file is taken
+# from &getGlobal('BDIR', "share") and is used to place a file that came with
+# Bastille.
+#
+# This should be DEPRECATED in favor of &B_cp, since the only reason it exists
+# is because of GLOBAL_PREFIX, which has been broken for quite some time.
+# Otherwise, the two routines are identical.
+#
+# It respects $GLOBAL_LOGONLY.
+# If $target is an already-existing file, it is backed up.
+#
+# revert either appends another "rm $target" to &getGlobal('BFILE', "revert-actions")  or
+# backs up the file that _was_ there into the &getGlobal('BDIR', "backup"),
+# appending a "mv" to revert-actions to put it back.
+#
+############################################################################
+
+sub B_place { # Only Linux references left (Firewall / TMPDIR)
+
+    my ($source,$target)=@_;
+    my $retval=0;
+
+    my $had_to_backup_target=0;
+
+    use File::Copy;
+
+    my $original_source=$source;
+    $source  = &getGlobal('BDIR', "share") . $source;
+    my $original_target=$target;
+
+    if ( -e $target and -f $target ) {
+	&B_backup_file($original_target);
+	&B_log("ACTION","About to copy $original_source to $original_target -- had to backup target\n");
+	$had_to_backup_target=1;
+    }
+    $retval=copy($source,$target);
+    if ($retval) {
+	&B_log("ACTION","placed file $original_source  as  $original_target\n");
+	#
+	# We want to add a line to the &getGlobal('BFILE', "created-files") so that the
+	# file we just put at $original_target gets deleted.
+	&B_revert_log(&getGlobal('BIN',"rm") . " $original_target\n");
+    } else {
+	&B_log("ERROR","Failed to place $original_source as $original_target\n");
+    }
+
+    # We add the file to the GLOBAL_SUMS hash if it is not already present
+    &B_set_sum($target);
+
+    $retval;
+}
+
+
+
+
+
+#############################################################################
+#############################################################################
+#############################################################################
+
+###########################################################################
+# &B_mknod ($file) creates the node $file, if it doesn't already
+# exist.  It uses the prefix and suffix, like this:
+#
+#            mknod $prefix $file $suffix
+#
+# This is just a wrapper to the mknod program, which tries to introduce
+# revert functionality, by writing    rm $file     to the end of the
+# file &getGlobal('BFILE', "created-files").
+#
+##########################################################################
+
+
+sub B_mknod($$$) {
+
+    my ($prefix,$file,$suffix) = @_;
+    my $retval=1;
+
+    # We have to create the filename ourselves since we don't use B_open_plus
+
+    my $original_file = $file;
+
+    unless ( -e $file ) {
+	my $command = &getGlobal("BIN","mknod") . " $prefix $file $suffix";
+
+	if ( system($command) == 0) {
+	    # Since system will return 0 on success, invert the error code
+	    $retval=1;
+	}
+	else {
+	    $retval=0;
+	}
+
+	if ($retval) {
+
+	    # Make the revert functionality
+	    &B_revert_log(&getGlobal('BIN',"rm") . " $original_file\n");
+	} else {
+	    &B_log("ERROR","Couldn't mknod $prefix $original_file $suffix even though it didn't already exist!\n");
+	}
+
+
+	&B_log("ACTION","mknod $prefix $original_file $suffix\n");
+    }
+    else {
+	&B_log("ACTION","Didn't mknod $prefix $original_file $suffix since $original_file already existed.\n");
+	$retval=0;
+    }
+
+    $retval;
+}
+
+###########################################################################
+# &B_revert_log("reverse_command") prepends a command to a shell script.  This
+# shell script is intended to be run by bastille -r to reverse the changes that
+# Bastille made, returning the files which Bastille changed to their original
+# state.
+###########################################################################
+
+sub B_revert_log($) {
+
+    my $revert_command = $_[0];
+    my $revert_actions = &getGlobal('BFILE', "revert-actions");
+    my $revertdir= &getGlobal('BDIR', "revert");
+    my @lines;
+
+
+    if (! (-e $revert_actions)) {
+        mkpath($revertdir); #if this doesn't work next line catches
+	if (open REVERT_ACTIONS,">" . $revert_actions){ # create revert file
+	    close REVERT_ACTIONS; # chown to root, rwx------
+	    chmod 0700,$revert_actions;
+	    chown 0,0,$revert_actions;
+	}
+	else {
+	    &B_log("FATAL","Can not create revert-actions file: $revert_actions.\n" .
+		       "         Unable to add the following command to the revert\n" .
+		       "         actions script: $revert_command\n");
+	}
+
+    }
+
+    &B_open_plus (*REVERT_NEW, *REVERT_OLD, $revert_actions);
+
+    while (my $line=<REVERT_OLD>) { #copy file into @lines
+	push (@lines,$line);
+    }
+    print REVERT_NEW $revert_command .  "\n";  #make the revert command first in the new file
+    while (my $line = shift @lines) { #write the rest of the lines of the file
+	print REVERT_NEW $line;
+    }
+    close REVERT_OLD;
+    close REVERT_NEW;
+    if (rename "${revert_actions}.bastille", $revert_actions) { #replace the old file with the new file we
+	chmod 0700,$revert_actions;                # just made / mirrors B_close_plus logic
+	chown 0,0,$revert_actions;
+    } else {
+	&B_log("ERROR","B_revert_log: not able to move ${revert_actions}.bastille to ${revert_actions}!!! $!) !!!\n");
+    }
+}
+
+
+###########################################################################
+# &getGlobalConfig($$)
+#
+# returns the requested GLOBAL_CONFIG hash value, ignoring the error
+# if the value does not exist (because every module uses this to find
+# out if the question was answered "Y")
+###########################################################################
+sub getGlobalConfig ($$) {
+  my $module = $_[0];
+  my $key = $_[1];
+  if (exists $GLOBAL_CONFIG{$module}{$key}) {
+    my $answer=$GLOBAL_CONFIG{$module}{$key};
+    &B_log("ACTION","Answer to question $module.$key is \"$answer\".\n");
+    return $answer;
+  } else {
+    &B_log("ACTION","Answer to question $module.$key is undefined.");
+    return undef;
+  }
+}
+
+###########################################################################
+# &getGlobal($$)
+#
+# returns the requested GLOBAL_* hash value, and logs an error
+# if the variable does not exist.
+###########################################################################
+sub getGlobal ($$) {
+  my $type = uc($_[0]);
+  my $key = $_[1];
+
+  # define a mapping from the first argument to the proper hash
+  my %map = ("BIN"   => \%GLOBAL_BIN,
+             "FILE"  => \%GLOBAL_FILE,
+             "BFILE" => \%GLOBAL_BFILE,
+             "DIR"   => \%GLOBAL_DIR,
+             "BDIR"  => \%GLOBAL_BDIR,
+	     "ERROR" => \%GLOBAL_ERROR,
+	     "SERVICE" => \%GLOBAL_SERVICE,
+	     "SERVTYPE" => \%GLOBAL_SERVTYPE,
+	     "PROCESS" => \%GLOBAL_PROCESS,
+             "RCCONFIG" => \%GLOBAL_RC_CONFIG
+            );
+
+  # check to see if the desired key is in the desired hash
+  if (exists $map{$type}->{$key}) {
+    # get the value from the right hash with the key
+    return $map{$type}->{$key};
+  } else {
+    # i.e. Bastille tried to use $GLOBAL_BIN{'cp'} but it does not exist.
+    # Note that we can't use B_log, since it uses getGlobal ... recursive before
+    # configureForDistro is run.
+    print STDERR "ERROR:   Bastille tried to use \$GLOBAL_${type}\{\'$key\'} but it does not exist.\n";
+    return undef;
+  }
+}
+
+###########################################################################
+# &getGlobal($$)
+#
+# sets the requested GLOBAL_* hash value
+###########################################################################
+sub setGlobal ($$$) {
+  my $type = uc($_[0]);
+  my $key = $_[1];
+  my $input_value = $_[2];
+
+  # define a mapping from the first argument to the proper hash
+  my %map = ("BIN"   => \%GLOBAL_BIN,
+             "FILE"  => \%GLOBAL_FILE,
+             "BFILE" => \%GLOBAL_BFILE,
+             "DIR"   => \%GLOBAL_DIR,
+             "BDIR"  => \%GLOBAL_BDIR,
+	     "ERROR" => \%GLOBAL_ERROR,
+	     "SERVICE" => \%GLOBAL_SERVICE,
+	     "SERVTYPE" => \%GLOBAL_SERVTYPE,
+	     "PROCESS" => \%GLOBAL_PROCESS,
+            );
+
+  if ($map{$type}->{$key} = $input_value) {
+    return 1;
+  } else {
+    &B_log('ERROR','Internal Error, Unable to set global config value:' . $type . ", " .$key);
+    return 0;
+  }
+}
+
+
+###########################################################################
+# &showDisclaimer:
+# Print the disclaimer and wait for 2 minutes for acceptance
+# Do NOT do so if any of the following conditions hold
+# 1. the -n option was used
+# 2. the file ~/.bastille_disclaimer exists
+###########################################################################
+
+sub showDisclaimer($) {
+
+    my $nodisclaim = $_[0];
+    my $nodisclaim_file = &getGlobal('BFILE', "nodisclaimer");
+    my $response;
+    my $WAIT_TIME = 300; # we'll wait for 5 minutes
+    my $developersAnd;
+    my $developersOr;
+    if ($GLOBAL_OS =~ "^HP-UX") {
+	$developersAnd ="HP AND ITS";
+	$developersOr ="HP OR ITS";
+    }else{
+	$developersAnd ="JAY BEALE, THE BASTILLE DEVELOPERS, AND THEIR";
+	$developersOr ="JAY BEALE, THE BASTILLE DEVELOPERS, OR THEIR";
+    }
+    my $DISCLAIMER =
+	"\n" .
+        "Copyright (C) 1999-2006 Jay Beale\n" .
+        "Copyright (C) 1999-2001 Peter Watkins\n" .
+        "Copyright (C) 2000 Paul L. Allen\n" .
+        "Copyright (C) 2001-2007 Hewlett-Packard Development Company, L.P.\n" .
+        "Bastille is free software; you are welcome to redistribute it under\n" .
+        "certain conditions.  See the \'COPYING\' file in your distribution for terms.\n\n" .
+	"DISCLAIMER.  Use of Bastille can help optimize system security, but does not\n" .
+	"guarantee system security. Information about security obtained through use of\n" .
+	"Bastille is provided on an AS-IS basis only and is subject to change without\n" .
+	"notice. Customer acknowledges they are responsible for their system\'s security.\n" .
+	"TO THE EXTENT ALLOWED BY LOCAL LAW, Bastille (\"SOFTWARE\") IS PROVIDED TO YOU \n" .
+	"\"AS IS\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN,\n" .
+	"EXPRESS OR IMPLIED.  $developersAnd SUPPLIERS\n" .
+	"DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE \n" .
+	"IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.\n" .
+	"Some countries, states and provinces do not allow exclusions of implied\n" .
+	"warranties or conditions, so the above exclusion may not apply to you. You may\n" .
+	"have other rights that vary from country to country, state to state, or province\n" .
+	"to province.  EXCEPT TO THE EXTENT PROHIBITED BY LOCAL LAW, IN NO EVENT WILL\n" .
+	"$developersOr SUBSIDIARIES, AFFILIATES OR\n" .
+	"SUPPLIERS BE LIABLE FOR DIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR OTHER\n" .
+	"DAMAGES (INCLUDING LOST PROFIT, LOST DATA, OR DOWNTIME COSTS), ARISING OUT OF\n" .
+	"THE USE, INABILITY TO USE, OR THE RESULTS OF USE OF THE SOFTWARE, WHETHER BASED\n" .
+	"IN WARRANTY, CONTRACT, TORT OR OTHER LEGAL THEORY, AND WHETHER OR NOT ADVISED\n" .
+	"OF THE POSSIBILITY OF SUCH DAMAGES. Your use of the Software is entirely at your\n" .
+	"own risk. Should the Software prove defective, you assume the entire cost of all\n" .
+	"service, repair or correction. Some countries, states and provinces do not allow\n" .
+	"the exclusion or limitation of liability for incidental or consequential \n" .
+	"damages, so the above limitation may not apply to you.  This notice will only \n".
+        "display on the first run on a given system.\n".
+        "To suppress the disclaimer on other machines, use Bastille\'s -n flag (example: bastille -n).\n";
+
+
+# If the user has specified not to show the disclaimer, or
+# the .bastille_disclaimer file already exists, then return
+    if( ( $nodisclaim ) || -e $nodisclaim_file ) { return 1; }
+
+# otherwise, show the disclaimer
+    print ($DISCLAIMER);
+
+# there is a response
+	my $touch = &getGlobal('BIN', "touch");
+	my $retVal = system("$touch $nodisclaim_file");
+	if( $retVal != 0 ) {
+	    &ErrorLog ( &getGlobal('ERROR','disclaimer'));
+	}
+} # showDisclaimer
+
+
+
+
+################################################################
+# &systemCall
+#Function used by exported methods B_Backtick and B_system
+#to handle the mechanics of system calls.
+# This function also manages error handling.
+# Input: a system call
+# Output: a list containing the status, sstdout and stderr
+# of the the system call
+#
+################################################################
+sub systemCall ($){
+    no strict;
+    local $command=$_[0];  # changed scoping so eval below can read it
+
+    local $SIG{'ALRM'} = sub {  die "timeout" }; # This subroutine exits the "eval" below.  The program
+    # can then move on to the next operation.  Used "local"
+    # to avoid name space collision with disclaim alarm.
+    local $WAIT_TIME=120; # Wait X seconds for system commands
+    local $commandOutput = '';
+    my $errOutput = '';
+    eval{
+        $errorFile = &getGlobal('BFILE','stderrfile');
+        unlink($errorFile); #To make sure we don't mix output
+	alarm($WAIT_TIME); # start a time-out for command to complete.  Some commands hang, and we want to
+	                   # fail gracefully.  When we call "die" it exits this eval statement
+	                   # with a value we use below
+	$commandOutput = `$command 2> $errorFile`; # run the command and gather its output
+	my $commandRetVal = ($? >> 8);  # find the commands return value
+	if ($commandRetVal == 0) {
+	    &B_log("ACTION","Executed Command: " . $command . "\n");
+	    &B_log("ACTION","Command Output: " . $commandOutput . "\n");
+	    die "success";
+	} else {
+	    die "failure";
+	};
+    };
+
+    my $exitcode=$@;
+    alarm(0);  # End of the timed operation
+
+    my $cat = &getGlobal("BIN","cat");
+    if ( -e $errorFile ) {
+        $errOutput = `$cat $errorFile`;
+    }
+
+    if ($exitcode) {  # The eval command above will exit with one of the 3 values below
+	if ($exitcode =~ /timeout/) {
+	    &B_log("WARNING","No response received from $command after $WAIT_TIME seconds.\n" .
+		   "Command Output: " . $commandOutput . "\n");
+	    return (0,'','');
+	} elsif ($exitcode =~ /success/) {
+	    return (1,$commandOutput,$errOutput);
+	} elsif ($exitcode =~ /failure/) {
+	    return (0,$commandOutput,$errOutput);
+	} else {
+	    &B_log("FATAL","Unexpected return state from command execution: $command\n" .
+		   "Command Output: " . $commandOutput . "\n");
+	}
+    }
+}
+
+#############################################
+# Use this **only** for commands used that are
+# intended to test system state and
+# not make any system change.  Use this in place of the
+# prior use of "backticks throughout Bastille
+# Handles basic output redirection, but not for stdin
+# Input: Command
+# Output: Results
+#############################################
+
+sub B_Backtick($) {
+    my $command=$_[0];
+    my $combineOutput=0;
+    my $stdoutRedir = "";
+    my $stderrRedir = "";
+    my $echo = &getGlobal('BIN','echo');
+
+    if (($command =~ s/2>&1//) or
+        (s/>&2//)){
+        $combineOutput=1;
+    }
+    if ($command =~ s/>\s*([^>\s])+// ) {
+        $stdoutRedir = $1;
+    }
+    if ($command =~ s/2>\s*([^>\s])+// ) {
+        $stderrRedir = $1;
+    }
+
+    my ($ranFine, $stdout, $stderr) = &systemCall($command);
+    if ($ranFine) {
+        &B_log("DEBUG","Command: $command succeeded for test with output: $stdout , ".
+               "and stderr: $stderr");
+    } else {
+        &B_log("DEBUG","Command: $command failed for test with output: $stdout , ".
+               "and stderr: $stderr");
+    }
+    if ($combineOutput) {
+        $stdout .= $stderr;
+        $stderr = $stdout; #these should be the same
+    }
+    if ($stdoutRedir ne "") {
+        system("$echo \'$stdout\' > $stdoutRedir");
+    }
+    if ($stderrRedir ne "") {
+        system("$echo \'$stderr\' > $stderrRedir");
+    }
+    return $stdout;
+}
+
+####################################################################
+#  &B_System($command,$revertcommand);
+#    This function executes a command, then places the associated
+#    revert command in revert file. It takes two parameters, the
+#    command and the command that reverts that command.
+#
+#   uses ActionLog and ErrorLog for logging purposes.
+###################################################################
+sub B_System ($$) {
+    my ($command,$revertcmd)=@_;
+
+    my ($ranFine, $stdout, $stderr) = &systemCall($command);
+    if ($ranFine) {
+        &B_revert_log ("$revertcmd \n");
+        if ($stderr ne '' ) {
+                &B_log("ACTION",$command . "suceeded with STDERR: " .
+                       $stderr . "\n");
+        }
+        return 1;
+    } else {
+        my $warningString = "Command Failed: " . $command . "\n" .
+                            "Command Output: " . $stdout . "\n";
+        if ($stderr ne '') {
+            $warningString .= "Error message: " . $stderr;
+        }
+        &B_log("WARNING", $warningString);
+        return 0;
+    }
+}
+
+
+###########################################################################
+# &isProcessRunning($procPattern);
+#
+# If called in scalar context this subroutine will return a 1 if the
+# pattern specified can be matched against the process table.  It will
+# return a 0 otherwise.
+# If called in the list context this subroutine will return the list
+# of processes which matched the pattern supplied
+#
+# scalar return values:
+# 0:     pattern not in process table
+# 1:     pattern is in process table
+#
+# list return values:
+# proc lines from the process table if they are found
+###########################################################################
+sub isProcessRunning($) {
+
+    my $procPattern= $_[0];
+    my $ps = &getGlobal('BIN',"ps");
+
+    my $isRunning=0;
+    # process table.
+    my @psTable = `$ps -elf`;
+    # list of processes that match the $procPattern
+    my @procList;
+    foreach my $process (@psTable) {
+        if($process =~ $procPattern) {
+            $isRunning = 1;
+            push @procList, $process . "\n";
+        }
+    }
+    
+    &B_log("DEBUG","$procPattern search yielded $isRunning\n\n");
+    # if this subroutine was called in scalar context
+    if( ! wantarray ) {
+        return $isRunning;
+    }
+
+    return @procList;
+}
+
+
+###########################################################################
+# &checkProcsForService($service);
+#
+# Checks if the given service is running by analyzing the process table.
+# This is a helper function to checkServiceOnLinux and checkServiceOnHP
+#
+# Return values:
+# SECURE_CANT_CHANGE() if the service is off
+# INCONSISTENT() if the state of the service cannot be determined
+#
+# Mostly used in  "check service" direct-return context, but added option use.
+# to ignore warning if a check for a service ... where a found service doesn't
+# have direct security problems.
+#
+###########################################################################
+sub checkProcsForService ($;$) {
+  my $service=$_[0];
+  my $ignore_warning=$_[1];
+
+  my @psnames=@{ &getGlobal('PROCESS',$service)};
+
+  my @processes;
+  # inetd services don't have a separate process
+  foreach my $psname (@psnames) {
+    my @procList = &isProcessRunning($psname);
+    if(@procList >= 0){
+      splice @processes,$#processes+1,0,@procList;
+    }
+  }
+
+  if($#processes >= 0){
+    if ((defined($ignore_warning)) and ($ignore_warning eq "ignore_warning")) {
+      &B_log("WARNING","The following processes were still running even though " .
+           "the corresponding service appears to be turned off.  Bastille " .
+           "question and action will be skipped.\n\n" .
+           "@processes\n\n");
+      # processes were still running, service is not off, but we don't know how
+      # to configure it so we skip the question
+    return INCONSISTENT();
+    } else {
+      return NOTSECURE_CAN_CHANGE(); # In the case we're ignoring the warning,
+                                     # ie: checking to make *sure* a process
+                                     # is running, the answer isn't inconsistent
+    }
+  } else {
+    &B_log("DEBUG","$service is off.  Found no processes running on the system.");
+    # no processes, so service is off
+    return SECURE_CANT_CHANGE();
+  }
+  # Can't determine the state of the service by looking at the processes,
+  # so return INCONSISTENT().
+  return INCONSISTENT();
+}
+
+###########################################################################
+# B_parse_fstab()
+#
+# Search the filesystem table for a specific mount point.
+#
+# scalar return value:
+# The line form the table that matched the mount point, or the null string
+# if no match was found.
+#
+# list return value:
+# A list of parsed values from the line of the table that matched, with
+# element [3] containing a reference to a hash of the mount options.  The
+# keys are: acl, dev, exec, rw, suid, sync, or user.  The value of each key
+# can be either 0 or 1.  To access the hash, use code similar to this:
+# %HashResult = %{(&B_parse_fstab($MountPoint))[3]};
+#
+###########################################################################
+
+sub B_parse_fstab($)
+{
+    my $name = shift;
+    my $file = &getGlobal('FILE','fstab');
+    my ($enable, $disable, $infile);
+    my @lineopt;
+    my $retline = "";
+    my @retlist = ();
+
+    unless (open FH, $file) {
+	&B_log('ERROR',"B_parse_fstab couldn't open fstab file at path $file.\n");
+	return 0;
+    }
+    while (<FH>) {
+        s/\#.*//;
+        next unless /\S/;
+        @retlist = split;
+        next unless $retlist[1] eq $name;
+        $retline  .= $_;
+        if (wantarray) {
+            my $option = {		# initialize to defaults
+            acl    =>  0,		# for ext2, etx3, reiserfs
+            dev    =>  1,
+            exec   =>  1,
+            rw     =>  1,
+            suid   =>  1,
+            sync   =>  0,
+            user   =>  0,
+            };
+
+            my @lineopt = split(',',$retlist[3]);
+            foreach my $entry (@lineopt) {
+                if ($entry eq 'acl') {
+                    $option->{'acl'} = 1;
+                }
+                elsif ($entry eq 'nodev') {
+                    $option->{'dev'} = 0;
+                }
+                elsif ($entry eq 'noexec') {
+                    $option->{'exec'} = 0;
+                }
+                elsif ($entry eq 'ro') {
+                    $option->{'rw'} = 0;
+                }
+                elsif ($entry eq 'nosuid') {
+                    $option->{'suid'} = 0;
+                }
+                elsif ($entry eq 'sync') {
+                    $option->{'sync'} = 1;
+                }
+                elsif ($entry eq 'user') {
+                    $option->{'user'} = 1;
+                }
+            }
+            $retlist[3]= $option;
+        }
+        last;
+    }
+
+    if (wantarray)
+    {
+        return @retlist;
+    }
+    else
+    {
+        return $retline;
+    }
+
+}
+
+
+###########################################################################
+# B_parse_mtab()
+#
+# This routine returns a hash of devices and their mount points from mtab,
+# simply so you can get a list of mounted filesystems.
+#
+###########################################################################
+
+sub B_parse_mtab
+{
+    my $mountpoints;
+    open(MTAB,&getGlobal('FILE','mtab'));
+    while(my $mtab_line = <MTAB>) {
+        #test if it's a device
+        if ($mtab_line =~ /^\//)
+        {
+           #parse out device and mount point
+           $mtab_line =~ /^(\S+)\s+(\S+)/;
+           $mountpoints->{$1} = $2;
+        }
+     }
+     return $mountpoints;
+}
+
+
+###########################################################################
+# B_is_rpm_up_to_date()
+#
+#
+###########################################################################
+
+sub B_is_rpm_up_to_date(@)
+{
+    my($nameB,$verB,$relB,$epochB) = @_;
+    my $installedpkg = $nameB;
+
+    if ($epochB =~ /(none)/) {
+	$epochB = 0;
+    }
+
+    my $rpmA   = `rpm -q --qf '%{VERSION}-%{RELEASE}-%{EPOCH}\n' $installedpkg`;
+    my $nameA  = $nameB;
+    my ($verA,$relA,$epochA);
+
+    my $retval;
+
+    # First, if the RPM isn't installed, let's handle that.
+    if ($rpmA =~ /is not installed/) {
+	$retval = -1;
+	return $retval;
+    }
+    else {
+	# Next, let's try to parse the EVR information without as few
+	# calls as possible to rpm.
+	if ($rpmA =~ /([^-]+)-([^-]+)-([^-]+)$/) {
+	    $verA = $1;
+	    $relA = $2;
+	    $epochA = $3;
+	}
+	else {
+	    $nameA  = `rpm -q --qf '%{NAME}' $installedpkg`;
+	    $verA  = `rpm -q --qf '%{VERSION}' $installedpkg`;
+	    $relA  = `rpm -q --qf '%{RELEASE}' $installedpkg`;
+	    $epochA  = `rpm -q --qf '%{EPOCH}' $installedpkg`;
+	}
+    }
+
+    # Parse "none" as 0.
+    if ($epochA =~ /(none)/) {
+	$epochA = 0;
+    }
+
+    # Handle the case where only one of them is zero.
+    if ($epochA == 0 xor $epochB == 0)
+    {
+	if ($epochA != 0)
+	{
+	    $retval = 1;
+	}
+	else
+	{
+	    $retval = 0;
+	}
+    }
+    else
+    {
+	# ...otherwise they are either both 0 or both non-zero and
+	# so the situation isn't trivial.
+
+	# Check epoch first - highest epoch wins.
+	my $rpmcmp = &cmp_vers_part($epochA, $epochB);
+	#print "epoch rpmcmp is $rpmcmp\n";
+	if ($rpmcmp > 0)
+	{
+	    $retval = 1;
+	}
+	elsif ($rpmcmp < 0)
+	{
+	    $retval = 0;
+	}
+	else
+	{
+	    # Epochs were the same.  Check Version now.
+	    $rpmcmp = &cmp_vers_part($verA, $verB);
+	    #print "epoch rpmcmp is $rpmcmp\n";
+	    if ($rpmcmp > 0)
+	    {
+		$retval = 1;
+	    }
+	    elsif ($rpmcmp < 0)
+	    {
+		$retval = 0;
+	    }
+	    else
+	    {
+		# Versions were the same.  Check Release now.
+		my $rpmcmp = &cmp_vers_part($relA, $relB);
+		#print "epoch rpmcmp is $rpmcmp\n";
+		if ($rpmcmp >= 0)
+		{
+		    $retval = 1;
+		}
+		elsif ($rpmcmp < 0)
+		{
+		    $retval = 0;
+		}
+	    }
+	}
+    }
+    return $retval;
+}
+
+#################################################
+#  Helper function for B_is_rpm_up_to_date()
+#################################################
+
+#This cmp_vers_part function taken from Kirk Bauer's Autorpm.
+# This version comparison code was sent in by Robert Mitchell and, although
+# not yet perfect, is better than the original one I had. He took the code
+# from freshrpms and did some mods to it. Further mods by Simon Liddington
+# <sjl96v@ecs.soton.ac.uk>.
+#
+# Splits string into minors on . and change from numeric to non-numeric
+# characters. Minors are compared from the beginning of the string. If the
+# minors are both numeric then they are numerically compared. If both minors
+# are non-numeric and a single character they are alphabetically compared, if
+# they are not a single character they are checked to be the same if the are not
+# the result is unknown (currently we say the first is newer so that we have
+# a choice to upgrade). If one minor is numeric and one non-numeric then the
+# numeric one is newer as it has a longer version string.
+# We also assume that (for example) .15 is equivalent to 0.15
+
+sub cmp_vers_part($$) {
+   my($va, $vb) = @_;
+   my(@va_dots, @vb_dots);
+   my($a, $b);
+   my($i);
+
+   if ($vb !~ /^pre/ and $va =~ s/^pre(\d+.*)$/$1/) {
+      if ($va eq $vb) { return -1; }
+   } elsif ($va !~ /^pre/ and $vb =~ s/^pre(\d+.*)$/$1/) {
+      if ($va eq $vb) { return 1; }
+   }
+
+   @va_dots = split(/\./, $va);
+   @vb_dots = split(/\./, $vb);
+
+   $a = shift(@va_dots);
+   $b = shift(@vb_dots);
+   # We also assume that (for example) .15 is equivalent to 0.15
+   if ($a eq '' && $va ne '') { $a = "0"; }
+   if ($b eq '' && $vb ne '') { $b = "0"; }
+   while ((defined($a) && $a ne '') || (defined($b) && $b ne '')) {
+      # compare each minor from left to right
+      if ((not defined($a)) || ($a eq '')) { return -1; } # the longer version is newer
+      if ((not defined($b)) || ($b eq '')) { return  1; }
+      if ($a =~ /^\d+$/ && $b =~ /^\d+$/) {
+         # I have changed this so that when the two strings are numeric, but one or both
+         # of them start with a 0, then do a string compare - Kirk Bauer - 5/28/99
+         if ($a =~ /^0/ or $b =~ /^0/) {
+            # We better string-compare so that netscape-4.6 is newer than netscape-4.08
+            if ($a ne $b) {return ($a cmp $b);}
+         }
+         # numeric compare
+         if ($a != $b) { return $a <=> $b; }
+      } elsif ($a =~ /^\D+$/ && $b =~ /^\D+$/) {
+         # string compare
+         if (length($a) == 1 && length($b) == 1) {
+            # only minors with one letter seem to be useful for versioning
+            if ($a ne $b) { return $a cmp $b; }
+         } elsif (($a cmp $b) != 0) {
+            # otherwise we should at least check they are the same and if not say unknown
+            # say newer for now so at least we get choice whether to upgrade or not
+            return -1;
+         }
+      } elsif ( ($a =~ /^\D+$/ && $b =~ /^\d+$/) || ($a =~ /^\d+$/ && $b =~ /^\D+$/) ) {
+         # if we get a number in one and a word in another the one with a number
+         # has a longer version string
+         if ($a =~ /^\d+$/) { return 1; }
+         if ($b =~ /^\d+$/) { return -1; }
+      } else {
+         # minor needs splitting
+         $a =~ /\d+/ || $a =~ /\D+/;
+         # split the $a minor into numbers and non-numbers
+         my @va_bits = ($`, $&, $');
+         $b =~ /\d+/ || $b =~ /\D+/;
+         # split the $b minor into numbers and non-numbers
+         my @vb_bits = ($`, $&, $');
+         for ( my $j=2; $j >= 0; $j--) {
+            if ($va_bits[$j] ne '') { unshift(@va_dots,$va_bits[$j]); }
+            if ($vb_bits[$j] ne '') { unshift(@vb_dots,$vb_bits[$j]); }
+         }
+      }
+      $a = shift(@va_dots);
+      $b = shift(@vb_dots);
+   }
+   return 0;
+}
+
+1;
+
diff --git a/import-layers/meta-security/recipes-security/bastille/files/AccountPermission.pm b/import-layers/meta-security/recipes-security/bastille/files/AccountPermission.pm
new file mode 100644
index 0000000..cfbaab1
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/AccountPermission.pm
@@ -0,0 +1,1060 @@
+package Bastille::API::AccountPermission;
+use strict;
+
+use Bastille::API;
+
+use Bastille::API::HPSpecific;
+
+require Exporter;
+our @ISA = qw(Exporter);
+our @EXPORT_OK = qw(
+B_chmod
+B_chmod_if_exists
+B_chown
+B_chown_link
+B_chgrp
+B_chgrp_link
+B_userdel
+B_groupdel
+B_remove_user_from_group
+B_check_owner_group
+B_is_unowned_file
+B_is_ungrouped_file
+B_check_permissions
+B_permission_test
+B_find_homes
+B_is_executable
+B_is_suid
+B_is_sgid
+B_get_user_list
+B_get_group_list
+B_remove_suid
+);
+our @EXPORT = @EXPORT_OK;
+
+###########################################################################
+# &B_chmod ($mode, $file) sets the mode of $file to $mode.  $mode must
+# be stored in octal, so if you want to give mode 700 to /etc/aliases,
+# you need to use:
+#
+#                 &B_chmod ( 0700 , "/etc/aliases");
+#
+# where the 0700 denotes "octal 7-0-0".
+#
+# &B_chmod ($mode_changes,$file) also respects the symbolic methods of
+# changing file permissions, which are often what question authors are
+# really seeking.
+#
+#                 &B_chmod ("u-s" , "/bin/mount")
+# or
+#                 &B_chmod ("go-rwx", "/bin/mount")
+#
+#
+# &B_chmod respects GLOBAL_LOGONLY and uses
+# &B_revert_log used to insert a shell command that will return
+#         the permissions to the pre-Bastille state.
+#
+# B_chmod allow for globbing now, as of 1.2.0.  JJB
+#
+##########################################################################
+
+
+sub B_chmod($$) {
+   my ($new_perm,$file_expr)=@_;
+   my $old_perm;
+   my $old_perm_raw;
+   my $new_perm_formatted;
+   my $old_perm_formatted;
+
+   my $retval=1;
+
+   my $symbolic = 0;
+   my ($chmod_noun,$add_remove,$capability) = ();
+   # Handle symbolic possibilities too
+   if ($new_perm =~ /([ugo]+)([+-]{1})([rwxst]+)/) {
+       $symbolic = 1;
+       $chmod_noun = $1;
+       $add_remove = $2;
+       $capability = $3;
+   }
+
+   my $file;
+   my @files = glob ($file_expr);
+
+   foreach $file (@files) {
+
+       # Prepend global prefix, but save the original filename for B_backup_file
+       my $original_file=$file;
+
+       # Store the old permissions so that we can log them.
+       unless (stat $file) {
+           &B_log("ERROR","Couldn't stat $original_file from $old_perm to change permissions\n");
+           next;
+       }
+
+       $old_perm_raw=(stat(_))[2];
+       $old_perm= (($old_perm_raw/512) % 8) .
+           (($old_perm_raw/64) % 8) .
+               (($old_perm_raw/8) % 8) .
+                   ($old_perm_raw % 8);
+
+       # If we've gone symbolic, calculate the new permissions in octal.
+       if ($symbolic) {
+           #
+           # We calculate the new permissions by applying a bitmask to
+           # the current permissions, by OR-ing (for +) or XOR-ing (for -).
+           #
+           # We create this mask by first calculating a perm_mask that forms
+           # the right side of this, then multiplying it by 8 raised to the
+           # appropriate power to affect the correct digit of the octal mask.
+           # This means that we raise 8 to the power of 0,1,2, or 3, based on
+           # the noun of "other","group","user", or "suid/sgid/sticky".
+           #
+           # Actually, we handle multiple nouns by summing powers of 8.
+           #
+           # The only tough part is that we have to handle suid/sgid/sticky
+           # differently.
+           #
+
+           # We're going to calculate a mask to OR or XOR with the current
+           # file mode.  This mask is $mask.  We calculate this by calculating
+           # a sum of powers of 8, corresponding to user/group/other,
+           # multiplied with a $premask.  The $premask is simply the
+           # corresponding bitwise expression of the rwx bits.
+           #
+           # To handle SUID, SGID or sticky in the simplest way possible, we
+           # simply add their values to the $mask first.
+
+           my $perm_mask = 00;
+           my $mask = 00;
+
+           # Check for SUID, SGID or sticky as these are exceptional.
+           if ($capability =~ /s/) {
+               if ($chmod_noun =~ /u/) {
+                   $mask += 04000;
+               }
+               if ($chmod_noun =~ /g/) {
+                   $mask += 02000;
+               }
+           }
+           if ($capability =~ /t/) {
+               $mask += 01000;
+           }
+
+           # Now handle the normal attributes
+           if ($capability =~ /[rwx]/) {
+               if ($capability =~ /r/) {
+                   $perm_mask |= 04;
+               }
+               if ($capability =~ /w/) {
+                   $perm_mask |= 02;
+               }
+               if ($capability =~ /x/) {
+                   $perm_mask |= 01;
+               }
+
+               # Now figure out which 3 bit octal digit we're affecting.
+               my $power = 0;
+               if ($chmod_noun =~ /u/) {
+                   $mask += $perm_mask * 64;
+               }
+               if ($chmod_noun =~ /g/) {
+                   $mask += $perm_mask * 8;
+               }
+               if ($chmod_noun =~ /o/) {
+                   $mask += $perm_mask * 1;
+               }
+           }
+           # Now apply the mask to get the new permissions
+           if ($add_remove eq '+') {
+               $new_perm = $old_perm_raw | $mask;
+           }
+           elsif ($add_remove eq '-') {
+               $new_perm = $old_perm_raw & ( ~($mask) );
+           }
+       }
+
+       # formating for simple long octal output of the permissions in string form
+       $new_perm_formatted=sprintf "%5lo",$new_perm;
+       $old_perm_formatted=sprintf "%5lo",$old_perm_raw;
+
+       &B_log("ACTION","change permissions on $original_file from $old_perm_formatted to $new_perm_formatted\n");
+
+       &B_log("ACTION", "chmod $new_perm_formatted,\"$original_file\";\n");
+
+       # Change the permissions on the file
+
+       if ( -e $file ) {
+           unless ($GLOBAL_LOGONLY) {
+               $retval=chmod $new_perm,$file;
+               if($retval){
+                   # if the distribution is HP-UX then the modifications should
+                   # also be made to the IPD (installed product database)
+                   if(&GetDistro =~ "^HP-UX"){
+                       &B_swmodify($file);
+                   }
+                   # making changes revert-able
+                   &B_revert_log(&getGlobal('BIN', "chmod") . " $old_perm $file\n");
+               }
+           }
+           unless ($retval) {
+               &B_log("ERROR","Couldn't change permissions on $original_file from $old_perm_formatted to $new_perm_formatted\n");
+               $retval=0;
+           }
+       }
+       else {
+           &B_log("ERROR", "chmod: File $original_file doesn't exist!\n");
+           $retval=0;
+       }
+   }
+
+   $retval;
+
+}
+
+###########################################################################
+# &B_chmod_if_exists ($mode, $file) sets the mode of $file to $mode *if*
+# $file exists.  $mode must be stored in octal, so if you want to give
+# mode 700 to /etc/aliases, you need to use:
+#
+#                 &B_chmod_if_exists ( 0700 , "/etc/aliases");
+#
+# where the 0700 denotes "octal 7-0-0".
+#
+# &B_chmod_if_exists respects GLOBAL_LOGONLY and uses
+# &B_revert_log to reset the permissions of the file.
+#
+# B_chmod_if_exists allow for globbing now, as of 1.2.0.  JJB
+#
+##########################################################################
+
+
+sub B_chmod_if_exists($$) {
+   my ($new_perm,$file_expr)=@_;
+   # If $file_expr has a glob character, pass it on (B_chmod won't complain
+   # about nonexistent files if given a glob pattern)
+   if ( $file_expr =~ /[\*\[\{]/ ) {   # } just to match open brace for vi
+       &B_log("ACTION","Running chmod $new_perm $file_expr");
+       return(&B_chmod($new_perm,$file_expr));
+   }
+   # otherwise, test for file existence
+   if ( -e $file_expr ) {
+       &B_log("ACTION","File exists, running chmod $new_perm $file_expr");
+       return(&B_chmod($new_perm,$file_expr));
+   }
+}
+
+###########################################################################
+# &B_chown ($uid, $file) sets the owner of $file to $uid, like this:
+#
+#                 &B_chown ( 0 , "/etc/aliases");
+#
+# &B_chown respects $GLOBAL_LOGONLY  and uses
+# &B_revert_log to insert a shell command that will return
+#         the file/directory owner to the pre-Bastille state.
+#
+# Unlike Perl, we've broken the chown function into B_chown/B_chgrp to
+# make error checking simpler.
+#
+# As of 1.2.0, this now supports file globbing. JJB
+#
+##########################################################################
+
+
+sub B_chown($$) {
+   my ($newown,$file_expr)=@_;
+   my $oldown;
+   my $oldgown;
+
+   my $retval=1;
+
+   my $file;
+   my @files = glob($file_expr);
+
+   foreach $file (@files) {
+
+       # Prepend prefix, but save original filename
+       my $original_file=$file;
+
+       $oldown=(stat $file)[4];
+       $oldgown=(stat $file)[5];
+
+       &B_log("ACTION","change ownership on $original_file from $oldown to $newown\n");
+       &B_log("ACTION","chown $newown,$oldgown,\"$original_file\";\n");
+       if ( -e $file ) {
+           unless ($GLOBAL_LOGONLY) {
+               # changing the files owner using perl chown function
+               $retval = chown $newown,$oldgown,$file;
+               if($retval){
+                   # if the distribution is HP-UX then the modifications should
+                   # also be made to the IPD (installed product database)
+                   if(&GetDistro =~ "^HP-UX"){
+                       &B_swmodify($file);
+                   }
+                   # making ownership change revert-able
+                   &B_revert_log(&getGlobal('BIN', "chown") . " $oldown $file\n");
+               }
+           }
+           unless ($retval) {
+               &B_log("ERROR","Couldn't change ownership to $newown on file $original_file\n");
+           }
+       }
+       else {
+           &B_log("ERROR","chown: File $original_file doesn't exist!\n");
+           $retval=0;
+       }
+   }
+
+   $retval;
+}
+
+###########################################################################
+# &B_chown_link just like &B_chown but one exception:
+# if the input file is a link  it will not change the target's ownship, it only change the link itself's ownship
+###########################################################################
+sub B_chown_link($$){
+    my ($newown,$file_expr)=@_;
+    my $chown = &getGlobal("BIN","chown");
+    my @files = glob($file_expr);
+    my $retval = 1;
+
+    foreach my $file (@files) {
+        # Prepend prefix, but save original filename
+        my $original_file=$file;
+        my $oldown=(stat $file)[4];
+        my $oldgown=(stat $file)[5];
+
+        &B_log("ACTION","change ownership on $original_file from $oldown to $newown\n");
+        &B_log("ACTION","chown -h $newown,\"$original_file\";\n");
+        if ( -e $file ) {
+            unless ($GLOBAL_LOGONLY) {
+                `$chown -h $newown $file`;
+                $retval = ($? >> 8);
+                if($retval == 0 ){
+                    # if the distribution is HP-UX then the modifications should
+                    # also be made to the IPD (installed product database)
+                    if(&GetDistro =~ "^HP-UX"){
+                        &B_swmodify($file);
+                    }
+                    # making ownership change revert-able
+                    &B_revert_log("$chown -h $oldown $file\n");
+                }
+            }
+            unless ( ! $retval) {
+                &B_log("ERROR","Couldn't change ownership to $newown on file $original_file\n");
+            }
+        }
+        else {
+            &B_log("ERROR","chown: File $original_file doesn't exist!\n");
+            $retval=0;
+        }
+    }
+}
+
+
+###########################################################################
+# &B_chgrp ($gid, $file) sets the group owner of $file to $gid, like this:
+#
+#                 &B_chgrp ( 0 , "/etc/aliases");
+#
+# &B_chgrp respects $GLOBAL_LOGONLY  and uses
+# &B_revert_log to insert a shell command that will return
+#         the file/directory group to the pre-Bastille state.
+#
+# Unlike Perl, we've broken the chown function into B_chown/B_chgrp to
+# make error checking simpler.
+#
+# As of 1.2.0, this now supports file globbing.  JJB
+#
+##########################################################################
+
+
+sub B_chgrp($$) {
+   my ($newgown,$file_expr)=@_;
+   my $oldown;
+   my $oldgown;
+
+   my $retval=1;
+
+   my $file;
+   my @files = glob($file_expr);
+
+   foreach $file (@files) {
+
+       # Prepend global prefix, but save original filename for &B_backup_file
+       my $original_file=$file;
+
+       $oldown=(stat $file)[4];
+       $oldgown=(stat $file)[5];
+
+       &B_log("ACTION", "Change group ownership on $original_file from $oldgown to $newgown\n");
+       &B_log("ACTION", "chown $oldown,$newgown,\"$original_file\";\n");
+       if ( -e $file ) {
+           unless ($GLOBAL_LOGONLY) {
+               # changing the group for the file/directory
+               $retval = chown $oldown,$newgown,$file;
+               if($retval){
+                   # if the distribution is HP-UX then the modifications should
+                   # also be made to the IPD (installed product database)
+                   if(&GetDistro =~ "^HP-UX"){
+                       &B_swmodify($file);
+                   }
+                   &B_revert_log(&getGlobal('BIN', "chgrp") . " $oldgown $file\n");
+               }
+           }
+           unless ($retval) {
+               &B_log("ERROR","Couldn't change ownership to $newgown on file $original_file\n");
+           }
+       }
+       else {
+           &B_log("ERROR","chgrp: File $original_file doesn't exist!\n");
+           $retval=0;
+       }
+   }
+
+   $retval;
+}
+
+###########################################################################
+# &B_chgrp_link just like &B_chgrp but one exception:
+# if the input file is a link
+# it will not change the target's ownship, it only change the link itself's ownship
+###########################################################################
+sub B_chgrp_link($$) {
+    my ($newgown,$file_expr)=@_;
+    my $chgrp = &getGlobal("BIN","chgrp");
+    my @files = glob($file_expr);
+    my $retval=1;
+
+    foreach my $file (@files) {
+        # Prepend prefix, but save original filename
+        my $original_file=$file;
+        my $oldgown=(stat $file)[5];
+
+        &B_log("ACTION","change group ownership on $original_file from $oldgown to $newgown\n");
+        &B_log("ACTION","chgrp -h  $newgown \"$original_file\";\n");
+        if ( -e $file ) {
+            unless ($GLOBAL_LOGONLY) {
+                # do not follow link with option -h
+                `$chgrp -h $newgown $file`;
+                $retval = ($? >> 8);
+                if($retval == 0 ){
+                    # if the distribution is HP-UX then the modifications should
+                    # also be made to the IPD (installed product database)
+                    if(&GetDistro =~ "^HP-UX"){
+                        &B_swmodify($file);
+                    }
+                    # making ownership change revert-able
+                    &B_revert_log("$chgrp" . " -h $oldgown $file\n");
+                }
+            }
+            unless (! $retval) {
+                &B_log("ERROR","Couldn't change group ownership to $newgown on file $original_file\n");
+            }
+        }
+        else {
+            &B_log("ERROR","chgrp: File $original_file doesn't exist!\n");
+            $retval=0;
+        }
+    }
+}
+
+###########################################################################
+# B_userdel($user) removes $user from the system, chmoding her home
+# directory to 000, root:root owned, and removes the user from all
+# /etc/passwd, /etc/shadow and /etc/group lines.
+#
+# In the future, we may also choose to make a B_lock_account routine.
+#
+# This routine depends on B_remove_user_from_group.
+###########################################################################
+
+sub B_userdel($) {
+
+    my $user_to_remove = $_[0];
+
+    if (&GetDistro =~ /^HP-UX/) {
+        return 0;
+
+        # Not yet suported on HP-UX, where we'd need to support
+        # the TCB files and such.
+    }
+
+    #
+    # First, let's chmod/chown/chgrp the user's home directory.
+    #
+
+    # Get the user's home directory from /etc/passwd
+    if (open PASSWD,&getGlobal('FILE','passwd')) {
+        my @lines=<PASSWD>;
+        close PASSWD;
+
+        # Get the home directory
+        my $user_line = grep '^\s*$user_to_remove\s*:',@lines;
+        my $home_directory = (split /\s*:\s*/,$user_line)[5];
+
+        # Chmod that home dir to 0000,owned by uid 0, gid 0.
+        if (&B_chmod_if_exists(0000,$home_directory)) {
+            &B_chown(0,$home_directory);
+            &B_chgrp(0,$home_directory);
+        }
+    }
+    else {
+        &B_log('ERROR',"B_userdel couldn't open the passwd file to remove a user.");
+        return 0;
+    }
+
+    #
+    # Next find out what groups the user is in, so we can call
+    # B_remove_user_from_group($user,$group)
+    #
+    # TODO: add this to the helper functions for the test suite.
+    #
+
+    my @groups = ();
+
+    # Parse /etc/group, looking for our user.
+    if (open GROUP,&getGlobal('FILE','group')) {
+        my @lines = <GROUP>;
+        close GROUP;
+
+        foreach my $line (@lines) {
+
+            # Parse the line -- first field is group, last is users in group.
+            if ($line =~ /([^\#^:]+):[^:]+:[^:]+:(.*)/) {
+                my $group = $1;
+                my $users_section = $2;
+
+                # Get the user list and check if our user is in it.
+                my @users = split /\s*,\s*/,$users_section;
+                foreach my $user (@users) {
+                    if ($user_to_remove eq $user) {
+                        push @groups,$group;
+                        last;
+                    }
+                }
+            }
+        }
+    }
+
+    # Now remove the user from each of those groups.
+    foreach my $group (@groups) {
+        &B_remove_user_from_group($user_to_remove,$group);
+    }
+
+    # Remove the user's /etc/passwd and /etc/shadow lines
+    &B_delete_line(&getGlobal('FILE','passwd'),"^$user_to_remove\\s*:");
+    &B_delete_line(&getGlobal('FILE','shadow'),"^$user_to_remove\\s*:");
+
+
+    #
+    # We should delete the user's group as well, if it's a single-user group.
+    #
+    if (open ETCGROUP,&getGlobal('FILE','group')) {
+        my @group_lines = <ETCGROUP>;
+        close ETCGROUP;
+        chomp @group_lines;
+
+        if (grep /^$user_to_remove\s*:[^:]*:[^:]*:\s*$/,@group_lines > 0) {
+           &B_groupdel($user_to_remove);
+        }
+    }
+
+}
+
+###########################################################################
+# B_groupdel($group) removes $group from /etc/group.
+###########################################################################
+
+sub B_groupdel($) {
+
+    my $group = $_[0];
+
+    # First read /etc/group to make sure the group is in there.
+    if (open GROUP,&getGlobal('FILE','group')) {
+        my @lines=<GROUP>;
+        close GROUP;
+
+        # Delete the line in /etc/group if present
+        if (grep /^$group:/,@lines > 0) {
+            # The group is named in /etc/group
+            &B_delete_line(&getGlobal('FILE','group'),"^$group:/");
+        }
+    }
+
+}
+
+
+###########################################################################
+# B_remove_user_from_group($user,$group) removes $user from $group,
+# by modifying $group's /etc/group line, pulling the user out.  This
+# uses B_chunk_replace thrice to replace these patterns:
+#
+#   ":\s*$user\s*," --> ":"
+#   ",\s*$user" -> ""
+#
+###########################################################################
+
+sub B_remove_user_from_group($$) {
+
+    my ($user_to_remove,$group) = @_;
+
+    #
+    # We need to find the line from /etc/group that defines the group, parse
+    # it, and put it back together without this user.
+    #
+
+    # Open the group file
+    unless (open GROUP,&getGlobal('FILE','group')) {
+        &B_log('ERROR',"&B_remove_user_from_group couldn't read /etc/group to remove $user_to_remove from $group.\n");
+        return 0;
+    }
+    my @lines = <GROUP>;
+    close GROUP;
+    chomp @lines;
+
+    #
+    # Read through the lines to find the one we care about.  We'll construct a
+    # replacement and then use B_replace_line to make the switch.
+    #
+
+    foreach my $line (@lines) {
+
+        if ($line =~ /^\s*$group\s*:/) {
+
+            # Parse this line.
+            my @group_entries = split ':',$line;
+            my @users = split ',',($group_entries[3]);
+
+            # Now, recreate it.
+            my $first_user = 1;
+            my $group_line = $group_entries[0] . ':' . $group_entries[1] . ':' . $group_entries[2] . ':';
+
+            # Add every user except the one we're removing.
+            foreach my $user (@users) {
+
+                # Remove whitespace.
+                $user =~ s/\s+//g;
+
+                if ($user ne $user_to_remove) {
+                    # Add the user to the end of the line, prefacing
+                    # it with a comma if it's not the first user.
+
+                    if ($first_user) {
+                        $group_line .= "$user";
+                        $first_user = 0;
+                    }
+                    else {
+                        $group_line .= ",$user";
+                    }
+                }
+            }
+
+            # The line is now finished.  Replace the original line.
+            $group_line .= "\n";
+            &B_replace_line(&getGlobal('FILE','group'),"^\\s*$group\\s*:",$group_line);
+        }
+
+    }
+    return 1;
+}
+
+###########################################################################
+# &B_check_owner_group($$$)
+#
+# Checks if the given file has the given owner and/or group.
+# If the given owner is "", checks group only.
+# If the given group is "", checks owner only.
+#
+# return values:
+# 1: file has the given owner and/or group
+#    or file exists, and both the given owner and group are ""
+# 0: file does not has the given owner or group
+#    or file does not exists
+############################################################################
+
+sub B_check_owner_group ($$$){
+  my ($fileName, $owner, $group) = @_;
+
+  if (-e $fileName) {
+      my @junk=stat ($fileName);
+      my $uid=$junk[4];
+      my $gid=$junk[5];
+
+      # Check file owner
+      if ($owner ne "") {
+          if (getpwnam($owner) != $uid) {
+              return 0;
+          }
+      }
+
+      # Check file group
+      if ($group ne "") {
+          if (getgrnam($group) != $gid) {
+              return 0;
+          }
+      }
+
+      return 1;
+  }
+  else {
+      # Something is wrong if the file not exist
+      return 0;
+  }
+}
+
+##########################################################################
+# this subroutine will test whether the given file is unowned
+##########################################################################
+sub B_is_unowned_file($) {
+    my $file =$_;
+    my $uid = (stat($file))[4];
+    my $uname = (getpwuid($uid))[0];
+    if ( $uname =~ /.+/ ) {
+        return 1;
+    }
+    return 0;
+}
+
+##########################################################################
+# this subroutine will test whether the given file is ungrouped
+##########################################################################
+sub B_is_ungrouped_file($){
+    my $file =$_;
+    my $gid = (stat($file))[5];
+    my $gname = (getgrgid($gid))[0];
+    if ( $gname =~ /.+/ ) {
+        return 1;
+    }
+    return 0;
+}
+
+
+
+
+###########################################################################
+# &B_check_permissions($$)
+#
+# Checks if the given file has the given permissions or stronger, where we
+# define stronger as "less accessible."  The file argument must be fully
+# qualified, i.e. contain the absolute path.
+#
+# return values:
+# 1: file has the given permissions or better
+# 0:  file does not have the given permsssions
+# undef: file permissions cannot be determined
+###########################################################################
+
+sub B_check_permissions ($$){
+  my ($fileName, $reqdPerms) = @_;
+  my $filePerms;                        # actual permissions
+
+
+  if (-e $fileName) {
+    if (stat($fileName)) {
+      $filePerms = (stat($fileName))[2] & 07777;
+    }
+    else {
+      &B_log ("ERROR", "Can't stat $fileName.\n");
+      return undef;
+    }
+  }
+  else {
+    # If the file does not exist, permissions are as good as they can get.
+    return 1;
+  }
+
+  #
+  # We can check whether the $filePerms are as strong by
+  # bitwise ANDing them with $reqdPerms and checking if the
+  # result is still equal to $filePerms.  If it is, the
+  # $filePerms are strong enough.
+  #
+  if ( ($filePerms & $reqdPerms) == $filePerms ) {
+      return 1;
+  }
+  else {
+      return 0;
+  }
+
+}
+
+##########################################################################
+# B_permission_test($user, $previlege,$file)
+# $user can be
+# "owner"
+# "group"
+# "other"
+# $previlege can be:
+# "r"
+# "w"
+# "x"
+# "suid"
+# "sgid"
+# "sticky"
+# if previlege is set to suid or sgid or sticky, then $user can be empty
+# this sub routine test whether the $user has the specified previlige to $file
+##########################################################################
+
+sub B_permission_test($$$){
+    my ($user, $previlege, $file) = @_;
+
+    if (-e $file ) {
+        my $mode = (stat($file))[2];
+        my $bitpos;
+        # bitmap is | suid sgid sticky | rwx | rwx | rwx
+        if ($previlege =~ /suid/ ) {
+            $bitpos = 11;
+        }
+        elsif ($previlege =~ /sgid/ ) {
+            $bitpos = 10;
+        }
+        elsif ($previlege =~ /sticky/ )  {
+            $bitpos = 9;
+        }
+        else {
+            if ( $user =~ /owner/) {
+                if ($previlege =~ /r/) {
+                    $bitpos = 8;
+                }
+                elsif ($previlege =~ /w/) {
+                    $bitpos =7;
+                }
+                elsif ($previlege =~ /x/) {
+                    $bitpos =6;
+                }
+                else {
+                    return 0;
+                }
+            }
+            elsif ( $user =~ /group/) {
+                if ($previlege =~ /r/) {
+                    $bitpos =5;
+                }
+                elsif ($previlege =~ /w/) {
+                    $bitpos =4;
+                }
+                elsif ($previlege =~ /x/) {
+                    $bitpos =3;
+                }
+                else {
+                    return 0;
+                }
+            }
+            elsif ( $user =~ /other/) {
+                if ($previlege =~ /r/) {
+                    $bitpos =2;
+                }
+                elsif ($previlege =~ /w/) {
+                    $bitpos =1;
+                }
+                elsif ($previlege =~ /x/) {
+                    $bitpos =0;
+                }
+                else {
+                    return 0;
+                }
+            }
+            else {
+                return 0;
+            }
+        }
+        $mode /= 2**$bitpos;
+        if ($mode % 2) {
+            return 1;
+        }
+        return 0;
+    }
+}
+
+##########################################################################
+# this subroutine will return a list of home directory
+##########################################################################
+sub B_find_homes(){
+    # find loginable homes
+    my $logins = &getGlobal("BIN","logins");
+    my @lines = `$logins -ox`;
+    my @homes;
+    foreach my $line (@lines) {
+        chomp $line;
+        my @data = split /:/, $line;
+        if ($data[7] =~ /PS/ && $data[5] =~ /home/) {
+            push @homes, $data[5];
+        }
+    }
+    return @homes;
+}
+
+
+###########################################################################
+# B_is_executable($)
+#
+# This routine reports on whether a file is executable by the current
+# process' effective UID.
+#
+# scalar return values:
+# 0:     file is not executable
+# 1:     file is executable
+#
+###########################################################################
+
+sub B_is_executable($)
+{
+    my $name = shift;
+    my $executable = 0;
+
+    if (-x $name) {
+        $executable = 1;
+    }
+    return $executable;
+}
+
+###########################################################################
+# B_is_suid($)
+#
+# This routine reports on whether a file is Set-UID and owned by root.
+#
+# scalar return values:
+# 0:     file is not SUID root
+# 1:     file is SUID root
+#
+###########################################################################
+
+sub B_is_suid($)
+{
+    my $name = shift;
+
+    my @FileStatus = stat($name);
+    my $IsSuid = 0;
+
+    if (-u $name) #Checks existence and suid
+    {
+        if($FileStatus[4] == 0) {
+            $IsSuid = 1;
+        }
+    }
+
+    return $IsSuid;
+}
+
+###########################################################################
+# B_is_sgid($)
+#
+# This routine reports on whether a file is SGID and group owned by
+# group root (gid 0).
+#
+# scalar return values:
+# 0:     file is not SGID root
+# 1:     file is SGID root
+#
+###########################################################################
+
+sub B_is_sgid($)
+{
+    my $name = shift;
+
+    my @FileStatus = stat($name);
+    my $IsSgid = 0;
+
+    if (-g $name) #checks existence and sgid
+    {
+        if($FileStatus[5] == 0) {
+            $IsSgid = 1;
+        }
+    }
+
+    return $IsSgid;
+}
+
+###########################################################################
+# B_get_user_list()
+#
+# This routine outputs a list of users on the system.
+#
+###########################################################################
+
+sub B_get_user_list()
+{
+    my @users;
+    open(PASSWD,&getGlobal('FILE','passwd'));
+    while(<PASSWD>) {
+        #Get the users
+        if (/^([^:]+):/)
+        {
+            push (@users,$1);
+        }
+    }
+     return @users;
+}
+
+###########################################################################
+# B_get_group_list()
+#
+# This routine outputs a list of groups on the system.
+#
+###########################################################################
+
+sub B_get_group_list()
+{
+    my @groups;
+    open(GROUP,&getGlobal('FILE','group'));
+    while(my $group_line = <GROUP>) {
+        #Get the groups
+        if ($group_line =~ /^([^:]+):/)
+        {
+            push (@groups,$1);
+        }
+    }
+     return @groups;
+}
+
+
+###########################################################################
+# &B_remove_suid ($file) removes the suid bit from $file if it
+# is set and the file exist. If you would like to remove the suid bit
+# from /bin/ping then you need to use:
+#
+#                 &B_remove_suid("/bin/ping");
+#
+# &B_remove_suid respects GLOBAL_LOGONLY.
+# &B_remove_suid uses &B_chmod to make the permission changes
+# &B_remove_suid allows for globbing.  tyler_e
+#
+###########################################################################
+
+sub B_remove_suid($) {
+   my $file_expr = $_[0];
+
+   &B_log("ACTION","Removing SUID bit from \"$file_expr\".");
+   unless ($GLOBAL_LOGONLY) {
+       my @files = glob($file_expr);
+
+     foreach my $file (@files) {
+         # check file existence
+         if(-e $file){
+            # stat current file to get raw permissions
+            my $old_perm_raw = (stat $file)[2];
+            # test to see if suidbit is set
+            my $suid_bit = (($old_perm_raw/2048) % 2);
+            if($suid_bit == 1){
+                # new permission without the suid bit
+                my $new_perm = ((($old_perm_raw/512) % 8 ) - 4) .
+                    (($old_perm_raw/64) % 8 ) .
+                        (($old_perm_raw/8) % 8 ) .
+                            (($old_perm_raw) % 8 );
+                if(&B_chmod(oct($new_perm), $file)){
+                    &B_log("ACTION","Removed SUID bit from \"$file\".");
+                }
+                else {
+                    &B_log("ERROR","Could not remove SUID bit from \"$file\".");
+                }
+            } # No action if SUID bit is not set
+        }# No action if file does not exist
+      }# Repeat for each file in the file glob
+    } # unless Global_log
+}
+
+
+
+1;
+
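Review bot: B_chown_link and B_chgrp_link run `$chown -h $newown $file` and `$chgrp -h $newgown $file` in backticks, so a filename returned by glob() that contains shell metacharacters is handed to /bin/sh by a tool that runs as root; the list form `system($chown, '-h', $newown, $file); $retval = ($? >> 8);` bypasses the shell with the same exit-code handling, and the B_revert_log entries in both subs embed the same unquoted filename. Neither sub returns `$retval` (the foreach is the last statement) and in GLOBAL_LOGONLY mode `$retval` stays 1 so the error branch logs a failure that never happened, which also makes their success convention the inverse of B_chown/B_chgrp. Separately, B_is_unowned_file and B_is_ungrouped_file read `$_` instead of `$_[0]` and return 1 when getpwuid/getgrgid does resolve a name, the opposite of "unowned"/"ungrouped"; the fix is `my $file = $_[0];` and returning 1 only when the lookup yields no name. The existence checks in B_userdel and B_groupdel, written `grep /.../,@lines > 0`, bind `@lines > 0` before grep and so are true whenever the file is non-empty, and B_userdel's `grep '^\s*$user_to_remove\s*:',@lines` evaluates a constant string rather than a pattern, leaving `$home_directory` undefined.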
diff --git a/import-layers/meta-security/recipes-security/bastille/files/FileContent.pm b/import-layers/meta-security/recipes-security/bastille/files/FileContent.pm
new file mode 100644
index 0000000..0a5d609
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/FileContent.pm
@@ -0,0 +1,1153 @@
+package Bastille::API::FileContent;
+use strict;
+
+use Bastille::API;
+
+require Exporter;
+our @ISA = qw(Exporter);
+our @EXPORT_OK = qw(
+B_blank_file
+B_insert_line_after
+B_insert_line_before
+B_insert_line
+B_append_line
+B_prepend_line
+B_replace_line
+B_replace_lines
+B_replace_pattern
+B_match_line
+B_match_line_only
+B_match_chunk
+B_return_matched_lines
+B_hash_comment_line
+B_hash_uncomment_line
+B_delete_line
+B_chunk_replace
+B_print
+B_getValueFromFile
+B_getValueFromString
+
+B_TODO
+B_TODOFlags
+);
+our @EXPORT = @EXPORT_OK;
+
+
+
+###########################################################################
+# &B_blank_file ($filename,$pattern) blanks the file $filename, unless the
+# pattern $pattern is present in the file.  This lets us completely redo
+# a file, if it isn't the one we put in place on a previous run...
+#
+# B_blank_file respects $GLOBAL_LOGONLY and uses B_open_plus and B_close_plus
+# so that it makes backups and only modifies files when we're not in "-v"
+# mode...
+#
+# If the file does not exist, the function does nothing, and gives an error
+# to the Error Log
+#
+###########################################################################
+
+sub B_blank_file($$) {
+
+    my ($filename,$pattern) = @_;
+    my $retval;
+
+    # If this variable is true, we won't blank the file...
+
+    my $found_pattern=0;
+
+    if ($retval=&B_open_plus (*BLANK_NEW,*BLANK_OLD,$filename) ) {
+
+        my @lines;
+
+        while (my $line = <BLANK_OLD>) {
+
+            push @lines,$line;
+            if ($line =~ $pattern) {
+                $found_pattern=1;
+            }
+        }
+
+        # Only copy the old file if the new one didn't match.
+        if ($found_pattern) {
+            while ( my $line = shift @lines ) {
+                &B_print(*BLANK_NEW,$line);
+            }
+        }
+        else {
+            &B_log("ACTION","Blanked file $filename\n");
+        }
+        &B_close_plus(*BLANK_NEW,*BLANK_OLD,$filename);
+    }
+    else {
+        &B_log("ERROR","Couldn't blank file $filename since we couldn't open it or its replacement\n");
+    }
+
+    return $retval;
+
+}
+
+###########################################################################
+# &B_insert_line_after ($filename,$pattern,$line_to_insert,$line_to_follow)
+# modifies $filename, inserting $line_to_insert unless one or more lines
+# in the file matches $pattern.  The $line_to_insert will be placed
+# immediately after $line_to_follow, if it exists.  If said line does not
+# exist, the line will not be inserted and this routine will return 0.
+#
+# B_insert_line uses B_open_plus and B_close_plus, so that the file
+# modified is backed up...
+#
+# Here's examples of where you might use this:
+#
+# You'd like to insert a line in Apache's configuration file, in a
+# particular section.
+#
+###########################################################################
+
+sub B_insert_line_after($$$$) {
+
+    my ($filename,$pattern,$line_to_insert,$line_to_follow) = @_;
+
+    my @lines;
+    my $found_pattern=0;
+    my $found_line_to_follow=0;
+
+    my $retval=1;
+
+    if ( &B_open_plus (*INSERT_NEW,*INSERT_OLD,$filename) ) {
+
+        # Read through the file looking for a match both on the $pattern
+        # and the line we are supposed to be inserting after...
+
+        my $ctr=1;
+        while (my $line=<INSERT_OLD>) {
+            push (@lines,$line);
+            if ($line =~ $pattern) {
+                $found_pattern=1;
+            }
+            if ( ($found_line_to_follow < 1) and ($line =~ $line_to_follow)) {
+                $found_line_to_follow=$ctr;
+            }
+            $ctr++;
+        }
+
+        # Log an error if we never found the line we were to insert after
+        unless ($found_line_to_follow ) {
+            $retval=0;
+            &B_log("ERROR","Never found the line that we were supposed to insert after in $filename\n");
+        }
+
+        # Now print the file back out, inserting our line if we should...
+
+        $ctr=1;
+        while (my $line = shift @lines) {
+            &B_print(*INSERT_NEW,$line);
+            if ( ($ctr == $found_line_to_follow) and ($found_pattern == 0) ) {
+                &B_print(*INSERT_NEW,$line_to_insert);
+                &B_log("ACTION","Inserted the following line in $filename:\n");
+                &B_log("ACTION","$line_to_insert");
+            }
+            $ctr++;
+        }
+
+        &B_close_plus (*INSERT_NEW,*INSERT_OLD,$filename);
+
+    }
+    else {
+        $retval=0;
+        &B_log("ERROR","Couldn't insert line to $filename, since open failed.");
+    }
+
+    return $retval;
+
+}
+###########################################################################
+# &B_insert_line_before ($filename,$pattern,$line_to_insert,$line_to_preceed)
+# modifies $filename, inserting $line_to_insert unless one or more lines
+# in the file matches $pattern.  The $line_to_insert will be placed
+# immediately before $line_to_preceed, if it exists.  If said line does not
+# exist, the line will not be inserted and this routine will return 0.
+#
+# B_insert_line uses B_open_plus and B_close_plus, so that the file
+# modified is backed up...
+#
+# Here's examples of where you might use this:
+#
+# You'd like to insert a line in Apache's configuration file, in a
+# particular section.
+#
+###########################################################################
+
+sub B_insert_line_before($$$$) {
+
+    my ($filename,$pattern,$line_to_insert,$line_to_preceed) = @_;
+
+    my @lines;
+    my $found_pattern=0;
+    my $found_line_to_preceed=0;
+
+    my $retval=1;
+
+    if ( &B_open_plus (*INSERT_NEW,*INSERT_OLD,$filename) ) {
+
+        # Read through the file looking for a match both on the $pattern
+        # and the line we are supposed to be inserting after...
+
+        my $ctr=1;
+        while (my $line=<INSERT_OLD>) {
+            push (@lines,$line);
+            if ($line =~ $pattern) {
+                $found_pattern=1;
+            }
+            if ( ($found_line_to_preceed < 1) and ($line =~ $line_to_preceed)) {
+                $found_line_to_preceed=$ctr;
+            }
+            $ctr++;
+        }
+
+        # Log an error if we never found the line we were to preceed
+        unless ($found_line_to_preceed ) {
+            $retval=0;
+            &B_log("ERROR","Never found the line that we were supposed to insert before in $filename\n");
+        }
+
+        # Now print the file back out, inserting our line if we should...
+
+        $ctr=1;
+        while (my $line = shift @lines) {
+            if ( ($ctr == $found_line_to_preceed) and ($found_pattern == 0) ) {
+                &B_print(*INSERT_NEW,$line_to_insert);
+                &B_log("ACTION","Inserted the following line in $filename:\n");
+                &B_log("ACTION","$line_to_insert");
+            }
+            &B_print(*INSERT_NEW,$line);
+            $ctr++;
+        }
+
+        &B_close_plus (*INSERT_NEW,*INSERT_OLD,$filename);
+
+    }
+    else {
+        $retval=0;
+        &B_log("ERROR","Couldn't insert line to $filename, since open failed.");
+    }
+
+    return $retval;
+
+}
+
+###########################################################################
+# &B_insert_line ($filename,$pattern,$line_to_insert,$line_to_follow)
+#
+#   has been renamed to B_insert_line_after()
+#
+# This name will continue to work, as a shim for code that has not been
+# transitioned.
+###########################################################################
+
+sub B_insert_line($$$$) {
+
+    my $rtn_value = &B_insert_line_after(@_);
+
+    return ($rtn_value);
+}
+
+
+###########################################################################
+# &B_append_line ($filename,$pattern,$line_to_append)  modifies $filename,
+# appending $line_to_append unless one or more lines in the file matches
+# $pattern.  This is an enhancement to the append_line_if_no_such_line_exists
+# idea.
+#
+# Additionally, if $pattern is set equal to "", the line is always appended.
+#
+# B_append_line uses B_open_plus and B_close_plus, so that the file
+# modified is backed up...
+#
+# Here's examples of where you might use this:
+#
+# You'd like to add a   root   line to /etc/ftpusers if none exists.
+# You'd like to add a   Options Indexes  line to Apache's config. file,
+# after you delete all Options lines from said config file.
+#
+###########################################################################
+
+sub B_append_line($$$) {
+
+    my ($filename,$pattern,$line_to_append) = @_;
+
+    my $found_pattern=0;
+    my $retval=1;
+
+    if ( &B_open_plus (*APPEND_NEW,*APPEND_OLD,$filename) ) {
+        while (my $line=<APPEND_OLD>) {
+            &B_print(*APPEND_NEW,$line);
+            if ($line =~ $pattern) {
+                $found_pattern=1;
+            }
+        }
+        # Changed != 0 to $pattern so that "" works instead of 0 and perl
+        # does not give the annoying
+        # Argument "XX" isn't numeric in ne at ...
+        if ( $pattern eq "" or ! $found_pattern ) {
+            &B_print(*APPEND_NEW,$line_to_append);
+            &B_log("ACTION","Appended the following line to $filename:\n");
+            &B_log("ACTION","$line_to_append");
+        }
+        &B_close_plus (*APPEND_NEW,*APPEND_OLD,$filename);
+    }
+    else {
+        $retval=0;
+        &B_log("ERROR","# Couldn't append line to $filename, since open failed.");
+    }
+
+    return $retval;
+
+}
+
+###########################################################################
+# &B_prepend_line ($filename,$pattern,$line_to_prepend)  modifies $filename,
+# pre-pending $line_to_prepend unless one or more lines in the file matches
+# $pattern.  This is an enhancement to the prepend_line_if_no_such_line_exists
+# idea.
+#
+# B_prepend_line uses B_open_plus and B_close_plus, so that the file
+# modified is backed up...
+#
+# Here's examples of where you might use this:
+#
+# You'd like to insert the line "auth   required   pam_deny.so" to the top
+# of the PAM stack file /etc/pam.d/rsh to totally deactivate rsh.
+#
+###########################################################################
+
+sub B_prepend_line($$$) {
+
+    my ($filename,$pattern,$line_to_prepend) = @_;
+
+    my @lines;
+    my $found_pattern=0;
+    my $retval=1;
+
+    if ( &B_open_plus (*PREPEND_NEW,*PREPEND_OLD,$filename) ) {
+        while (my $line=<PREPEND_OLD>) {
+            push (@lines,$line);
+            if ($line =~ $pattern) {
+                $found_pattern=1;
+            }
+        }
+        unless ($found_pattern) {
+            &B_print(*PREPEND_NEW,$line_to_prepend);
+        }
+        while (my $line = shift @lines) {
+            &B_print(*PREPEND_NEW,$line);
+        }
+
+        &B_close_plus (*PREPEND_NEW,*PREPEND_OLD,$filename);
+
+        # Log the action
+        &B_log("ACTION","Pre-pended the following line to $filename:\n");
+        &B_log("ACTION","$line_to_prepend");
+    }
+    else {
+        $retval=0;
+        &B_log("ERROR","Couldn't prepend line to $filename, since open failed.\n");
+    }
+
+    return $retval;
+
+}
+
+
+###########################################################################
+# &B_replace_line ($filename,$pattern,$line_to_switch_in) modifies $filename,
+# replacing any lines matching $pattern with $line_to_switch_in.
+#
+# It returns the number of lines it replaced (or would have replaced, if
+# LOGONLY mode wasn't on...)
+#
+# B_replace_line uses B_open_plus and B_close_plus, so that the file
+# modified is backed up...
+#
+# Here an example of where you might use this:
+#
+# You'd like to replace any Options lines in Apache's config file with:
+#            Options Indexes FollowSymLinks
+#
+###########################################################################
+
+sub B_replace_line($$$) {
+
+    my ($filename,$pattern,$line_to_switch_in) = @_;
+    my $retval=0;
+
+    if ( &B_open_plus (*REPLACE_NEW,*REPLACE_OLD,$filename) ) {
+        while (my $line=<REPLACE_OLD>) {
+            unless ($line =~ $pattern) {
+                &B_print(*REPLACE_NEW,$line);
+            }
+            else {
+                # Don't replace the line if it's already there.
+                unless ($line eq $line_to_switch_in) {
+                    &B_print(*REPLACE_NEW,$line_to_switch_in);
+
+                    $retval++;
+                    &B_log("ACTION","File modification in $filename -- replaced line\n" .
+                           "$line\n" .
+                           "with:\n" .
+                           "$line_to_switch_in");
+                }
+                # But if it is there, make sure it stays there! (by Paul Allen)
+                else {
+                    &B_print(*REPLACE_NEW,$line);
+                }
+            }
+        }
+        &B_close_plus (*REPLACE_NEW,*REPLACE_OLD,$filename);
+    }
+    else {
+        $retval=0;
+        &B_log("ERROR","Couldn't replace line(s) in $filename because open failed.\n");
+    }
+
+    return $retval;
+}
+
+###########################################################################
+# &B_replace_lines ($filename,$patterns_and_substitutes) modifies $filename,
+# replacing the line matching the nth $pattern specified in $patterns_and_substitutes->[n]->[0]
+# with the corresponding substitutes in $patterns_and_substitutes->[n]->-[1]
+#
+# It returns the number of lines it replaced (or would have replaced, if
+# LOGONLY mode wasn't on...)
+#
+# B_replace_lines uses B_open_plus and B_close_plus, so that the file
+# modified is backed up...
+#
+# Here an example of where you might use this:
+#
+# You'd like to replace /etc/opt/ssh/sshd_config file
+# (^#|^)Protocol\s+(.*)\s*$                             ==>                Protocol 2
+# (^#|^)X11Forwarding\s+(.*)\s*$                  ==>                X11Forwarding yes
+# (^#|^)IgnoreRhosts\s+(.*)\s*$                     ==>                gnoreRhosts yes
+# (^#|^)RhostsAuthentication\s+(.*)\s*$         ==>                RhostsAuthentication no
+# (^#|^)RhostsRSAAuthentication\s+(.*)\s*$   ==>               RhostsRSAAuthentication no
+# (^#|^)PermitRootLogin\s+(.*)\s*$                 ==>              PermitRootLogin no
+# (^#|^)PermitEmptyPasswords\s+(.*)\s*$      ==>              PermitEmptyPasswords no
+# my $patterns_and_substitutes = [
+#           [ '(^#|^)Protocol\s+(.*)\s*$'                             =>                'Protocol 2'],
+#           ['(^#|^)X11Forwarding\s+(.*)\s*$'                  =>                'X11Forwarding yes'],
+#           ['(^#|^)IgnoreRhosts\s+(.*)\s*$'                     =>                'gnoreRhosts yes'],
+#           ['(^#|^)RhostsAuthentication\s+(.*)\s*$'         =>                'RhostsAuthentication no'],
+#           ['(^#|^)RhostsRSAAuthentication\s+(.*)\s*$'   =>               'RhostsRSAAuthentication no'],
+#           ['(^#|^)PermitRootLogin\s+(.*)\s*$'                 =>              'PermitRootLogin no'],
+#          ['(^#|^)PermitEmptyPasswords\s+(.*)\s*$'      =>              'PermitEmptyPasswords no']
+#]
+# B_replaces_lines($sshd_config,$patterns_and_substitutes);
+###########################################################################
+
+sub B_replace_lines($$){
+    my ($filename, $pairs) = @_;
+    my $retval = 0;
+    if ( &B_open_plus (*REPLACE_NEW,*REPLACE_OLD,$filename) ) {
+        while (my $line = <REPLACE_OLD>) {
+            my $switch;
+            my $switch_before = $line;
+            chomp($line);
+            foreach my $pair (@$pairs) {
+                $switch = 0;
+               
+                my $pattern = $pair->[0] ;
+                my $replace = $pair->[1];
+                my $evalstr = '$line'  . "=~ s/$pattern/$replace/";
+                eval $evalstr;
+                if ($@) {
+                    &B_log("ERROR", "eval $evalstr failed.\n");
+                }
+                #if ( $line =~ s/$pair->[0]/$pair->[1]/) {
+                #    $switch = 1;
+                #    last;
+                #}
+            }
+            &B_print(*REPLACE_NEW,"$line\n");
+            if ($switch) {
+                $retval++;
+                B_log("ACTION","File modification in $filename -- replaced line\n" .
+                      "$switch_before\n" .
+                      "with:\n" .
+                      "$line\n");
+            }
+        }
+        &B_close_plus (*REPLACE_NEW,*REPLACE_OLD,$filename);
+        return 1;
+    }
+    else {
+        $retval=0;
+        &B_log("ERROR","Couldn't replace line(s) in $filename because open failed.\n");
+    }
+}
+
+################################################################################################
+# &B_replace_pattern ($filename,$pattern,$pattern_to_remove,$text_to_switch_in)
+# modifies $filename, acting on only lines that match $pattern, replacing a
+# string that matches $pattern_to_remove with $text_to_switch_in.
+#
+# Ex:
+#  B_replace_pattern('/etc/httpd.conf','^\s*Options.*\bIncludes\b','Includes','IncludesNoExec')
+#
+#   replaces all "Includes" with "IncludesNoExec" on Apache Options lines.
+#
+# It returns the number of lines it altered (or would have replaced, if
+# LOGONLY mode wasn't on...)
+#
+# B_replace_pattern uses B_open_plus and B_close_plus, so that the file
+# modified is backed up...
+#
+#################################################################################################
+
+sub B_replace_pattern($$$$) {
+
+    my ($filename,$pattern,$pattern_to_remove,$text_to_switch_in) = @_;
+    my $retval=0;
+
+    if ( &B_open_plus (*REPLACE_NEW,*REPLACE_OLD,$filename) ) {
+        while (my $line=<REPLACE_OLD>) {
+            unless ($line =~ $pattern) {
+                &B_print(*REPLACE_NEW,$line);
+            }
+            else {
+                my $orig_line =$line;
+                $line =~ s/$pattern_to_remove/$text_to_switch_in/;
+
+                &B_print(*REPLACE_NEW,$line);
+
+                $retval++;
+                &B_log("ACTION","File modification in $filename -- replaced line\n" .
+                       "$orig_line\n" .
+                       "via pattern with:\n" .
+                       "$line\n\n");
+            }
+        }
+        &B_close_plus (*REPLACE_NEW,*REPLACE_OLD,$filename);
+    }
+    else {
+        $retval=0;
+        &B_log("ERROR","Couldn't pattern-replace line(s) in $filename because open failed.\n");
+    }
+
+    return $retval;
+}
+
+
+###########################################################################
+# &B_match_line($file,$pattern);
+#
+# This subroutine will return a 1 if the pattern specified can be matched
+# against the file specified.  It will return a 0 otherwise.
+#
+# return values:
+# 0:     pattern not in file or the file is not readable
+# 1:     pattern is in file
+###########################################################################
+sub B_match_line($$) {
+    # file to be checked and pattern to check for.
+    my ($file,$pattern) = @_;
+    # if the file is readable then
+    if(-r $file) {
+        # if the file can be opened then
+        if(open FILE,"<$file") {
+            # look at each line in the file
+            while (my $line = <FILE>) {
+                # if a line matches the pattern provided then
+                if($line =~ $pattern) {
+                    # return the pattern was found
+                    B_log('DEBUG','Pattern: ' . $pattern . ' matched in file: ' .
+                    $file . "\n");
+                    return 1;
+                }
+            }
+        }
+        # if the file cann't be opened then
+        else {
+            # send a note to that affect to the errorlog
+            &B_log("ERROR","Unable to open file for read.\n$file\n$!\n");
+        }
+    }
+    B_log('DEBUG','Pattern: ' . $pattern . ' not matched in file: ' .
+          $file . "\n");
+    # the provided pattern was not matched against a line in the file
+    return 0;
+}
+
+###########################################################################
+# &B_match_line_only($file,$pattern);
+#
+# This subroutine checks if the specified pattern can be matched and if
+# it's the only content in the file. The only content means it's only but
+# may have several copies in the file.
+#
+# return values:
+# 0:     pattern not in file or pattern is not the only content
+#        or the file is not readable
+# 1:     pattern is in file and it's the only content
+############################################################################
+sub B_match_line_only($$) {
+    my ($file,$pattern) = @_;
+
+    # if matched, set to 1 later
+    my $retval = 0;
+
+    # if the file is readable then
+    if(-r $file) {
+        # if the file can be opened then
+        if(&B_open(*FILED, $file)) {
+            # pattern should be matched at least once
+            # pattern can not be mismatched
+            while (my $line = <FILED>) {
+                if ($line =~ $pattern) {
+                    $retval = 1;
+                }
+                else {
+                    &B_close(*FILED);
+                    return 0;
+                }
+            }
+        }
+        &B_close(*FILED);
+    }
+
+    return $retval;
+}
+
+###########################################################################
+# &B_return_matched_lines($file,$pattern);
+#
+# This subroutine returns lines in a file matching a given regular
+# expression, when called in the default list mode.  When called in scalar
+# mode, returns the number of elements found.
+###########################################################################
+sub B_return_matched_lines($$)
+{
+    my ($filename,$pattern) = @_;
+    my @lines = ();
+
+    open(READFILE, $filename);
+    while (<READFILE>) {
+        chomp;
+        next unless /$pattern/;
+        push(@lines, $_);
+    }
+    if (wantarray)
+    {
+        return @lines;
+    }
+    else
+    {
+        return scalar (@lines);
+    }
+}
+
+###########################################################################
+# &B_match_chunk($file,$pattern);
+#
+# This subroutine will return a 1 if the pattern specified can be matched
+# against the file specified on a line-agnostic form.  This allows for
+# patterns which by necessity must match against a multi-line pattern.
+# This is the natural analogue to B_replace_chunk, which was created to
+# provide multi-line capability not provided by B_replace_line.
+#
+# return values:
+# 0:     pattern not in file or the file is not readable
+# 1:     pattern is in file
+###########################################################################
+
+sub B_match_chunk($$) {
+
+    my ($file,$pattern) = @_;
+    my @lines;
+    my $big_long_line;
+    my $retval=1;
+
+    open CHUNK_FILE,$file;
+
+    # Read all lines into one scalar.
+    @lines = <CHUNK_FILE>;
+    close CHUNK_FILE;
+
+    foreach my $line ( @lines ) {
+        $big_long_line .= $line;
+    }
+
+    # Substitution routines get weird unless last line is terminated with \n
+    chomp $big_long_line;
+    $big_long_line .= "\n";
+
+    # Exit if we don't find a match
+    unless ($big_long_line =~ $pattern) {
+        $retval = 0;
+    }
+
+    return $retval;
+}
+
+###########################################################################
+# &B_hash_comment_line ($filename,$pattern) modifies $filename, replacing
+# any lines matching $pattern with a "hash-commented" version, like this:
+#
+#
+#        finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
+# becomes:
+#        #finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
+#
+# Also:
+#       tftp        dgram  udp wait   root /usr/lbin/tftpd    tftpd\
+#        /opt/ignite\
+#        /var/opt/ignite
+# becomes:
+#       #tftp        dgram  udp wait   root /usr/lbin/tftpd    tftpd\
+#       # /opt/ignite\
+#       # /var/opt/ignite
+#
+#
+# B_hash_comment_line uses B_open_plus and B_close_plus, so that the file
+# modified is backed up...
+#
+###########################################################################
+
+sub B_hash_comment_line($$) {
+
+    my ($filename,$pattern) = @_;
+    my $retval=1;
+
+    if ( &B_open_plus (*HASH_NEW,*HASH_OLD,$filename) ) {
+        my $line;
+        while ($line=<HASH_OLD>) {
+            unless ( ($line =~ $pattern) and ($line !~ /^\s*\#/) ) {
+                &B_print(*HASH_NEW,$line);
+            }
+            else {
+                &B_print(*HASH_NEW,"#$line");
+                &B_log("ACTION","File modification in $filename -- hash commented line\n" .
+                       "$line\n" .
+                       "like this:\n" .
+                       "#$line\n\n");
+                # while the line has a trailing \ then we should also comment out the line below
+                while($line =~ m/\\\n$/) {
+                    if($line=<HASH_OLD>) {
+                        &B_print(*HASH_NEW,"#$line");
+                        &B_log("ACTION","File modification in $filename -- hash commented line\n" .
+                               "$line\n" .
+                               "like this:\n" .
+                               "#$line\n\n");
+                    }
+                    else {
+                        $line = "";
+                    }
+                }
+
+            }
+        }
+        &B_close_plus (*HASH_NEW,*HASH_OLD,$filename);
+    }
+    else {
+        $retval=0;
+        &B_log("ERROR","Couldn't hash-comment line(s) in $filename because open failed.\n");
+    }
+
+    return $retval;
+}
+
+
+###########################################################################
+# &B_hash_uncomment_line ($filename,$pattern) modifies $filename,
+# removing any commenting from lines that match $pattern.
+#
+#        #finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
+# becomes:
+#        finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
+#
+#
+# B_hash_uncomment_line uses B_open_plus and B_close_plus, so that the file
+# modified is backed up...
+#
+###########################################################################
+
+sub B_hash_uncomment_line($$) {
+
+    my ($filename,$pattern) = @_;
+    my $retval=1;
+
+    if ( &B_open_plus (*HASH_NEW,*HASH_OLD,$filename) ) {
+      my $line;
+        while ($line=<HASH_OLD>) {
+            unless ( ($line =~ $pattern) and ($line =~ /^\s*\#/) ) {
+                &B_print(*HASH_NEW,$line);
+            }
+            else {
+                $line =~ /^\s*\#+(.*)$/;
+                $line = "$1\n";
+
+                &B_print(*HASH_NEW,"$line");
+                &B_log("ACTION","File modification in $filename -- hash uncommented line\n");
+                &B_log("ACTION",$line);
+                # while the line has a trailing \ then we should also uncomment out the line below
+                while($line =~ m/\\\n$/) {
+                    if($line=<HASH_OLD>) {
+                        $line =~ /^\s*\#+(.*)$/;
+                        $line = "$1\n";
+                        &B_print(*HASH_NEW,"$line");
+                        &B_log("ACTION","File modification in $filename -- hash uncommented line\n");
+                        &B_log("ACTION","#$line");
+                        &B_log("ACTION","like this:\n");
+                        &B_log("ACTION","$line");
+                    }
+                    else {
+                        $line = "";
+                    }
+                }
+            }
+        }
+        &B_close_plus (*HASH_NEW,*HASH_OLD,$filename);
+    }
+    else {
+        $retval=0;
+        &B_log("ERROR","Couldn't hash-uncomment line(s) in $filename because open failed.\n");
+    }
+
+    return $retval;
+}
+
+
+
+###########################################################################
+# &B_delete_line ($filename,$pattern) modifies $filename, deleting any
+# lines matching $pattern.  It uses B_replace_line to do this.
+#
+# B_replace_line uses B_open_plus and B_close_plus, so that the file
+# modified is backed up...
+#
+# Here an example of where you might use this:
+#
+# You'd like to remove any timeout=  lines in /etc/lilo.conf, so that your
+# delay=1 modification will work.
+
+#
+###########################################################################
+
+
+sub B_delete_line($$) {
+
+    my ($filename,$pattern)=@_;
+    my $retval=&B_replace_line($filename,$pattern,"");
+
+    return $retval;
+}
+
+
+###########################################################################
+# &B_chunk_replace ($file,$pattern,$replacement) reads $file replacing the
+# first occurrence of $pattern with $replacement.
+#
+###########################################################################
+
+sub B_chunk_replace($$$) {
+
+    my ($file,$pattern,$replacement) = @_;
+
+    my @lines;
+    my $big_long_line;
+    my $retval=1;
+
+    &B_open (*OLDFILE,$file);
+
+    # Read all lines into one scalar.
+    @lines = <OLDFILE>;
+    &B_close (*OLDFILE);
+    foreach my $line ( @lines ) {
+        $big_long_line .= $line;
+    }
+
+    # Substitution routines get weird unless last line is terminated with \n
+    chomp $big_long_line;
+    $big_long_line .= "\n";
+
+    # Exit if we don't find a match
+    unless ($big_long_line =~ $pattern) {
+        return 0;
+    }
+
+    $big_long_line =~ s/$pattern/$replacement/s;
+
+    $retval=&B_open_plus (*NEWFILE,*OLDFILE,$file);
+    if ($retval) {
+        &B_print (*NEWFILE,$big_long_line);
+        &B_close_plus (*NEWFILE,*OLDFILE,$file);
+    }
+
+    return $retval;
+}
+
+###########################################################################
+# &B_print ($handle,@list) prints the items of @list to the file handle
+# $handle.  It logs the action and respects the $GLOBAL_LOGONLY variable.
+#
+###########################################################################
+
+sub B_print {
+   my $handle=shift @_;
+
+   my $result=1;
+
+   unless ($GLOBAL_LOGONLY) {
+       $result=print $handle @_;
+   }
+
+   ($handle) = "$handle" =~ /[^:]+::[^:]+::([^:]+)/;
+
+   $result;
+}
+
+
+##########################################################################
+# &B_getValueFromFile($regex,$file);
+# Takes a regex with a single group "()" and returns the unique value
+# on any non-commented lines
+# This (and B_return_matched_lines are only used in this file, though are
+# probably more generally useful.  For now, leaving these here serve the following
+#functions:
+# a) still gets exported/associated as part of the Test_API package, and
+# is still availble for a couple operations that can't be deferred to the
+# main test loop, as they save values so that individual tests don't have to
+# recreate  (copy / paste) the logic to get them.
+#
+# It also avoids the circular "use" if we incldued "use Test API" at the top
+# of this file (Test API "uses" this file.
+# Returns the uncommented, unique values of a param=value pair.
+#
+# Return values:
+# 'Not Defined' if the value is not present or not uniquely defined.
+# $value if the value is present and unique
+#
+###########################################################################
+sub B_getValueFromFile ($$){
+  my $inputRegex=$_[0];
+  my $file=$_[1];
+  my ($lastvalue,$value)='';
+
+  my @lines=&B_return_matched_lines($file, $inputRegex);
+
+  return &B_getValueFromString($inputRegex,join('/n',@lines));
+}
+
+##########################################################################
+# &B_getValueFromString($param,$string);
+# Takes a regex with a single group "()" and returns the unique value
+# on any non-commented lines
+# This (and B_return_matched_lines are only used in this file, though are
+# probably more generally useful.  For now, leaving these here serve the following
+#functions:
+# a) still gets exported/associated as part of the Test_API package, and
+# is still availble for a couple operations that can't be deferred to the
+# main test loop, as they save values so that individual tests don't have to
+# recreate  (copy / paste) the logic to get them.
+#
+# It also avoids the circular "use" if we incldued "use Test API" at the top
+# of this file (Test API "uses" this file.
+# Returns the uncommented, unique values of a param=value pair.
+#
+# Return values:
+# 'Not Unique' if the value is not uniquely defined.
+# undef if the value isn't defined at all
+# $value if the value is present and unique
+#
+###########################################################################
+sub B_getValueFromString ($$){
+  my $inputRegex=$_[0];
+  my $inputString=$_[1];
+  my $lastValue='';
+  my $value='';
+
+  my @lines=split(/\n/,$inputString);
+
+  &B_log("DEBUG","B_getvaluefromstring called with regex: $inputRegex and input: " .
+         $inputString);
+  foreach my $line (grep(/$inputRegex/,@lines)) {
+    $line =~ /$inputRegex/;
+    $value=$1;
+    if (($lastValue eq '') and ($value ne '')) {
+        $lastValue = $value;
+    } elsif (($lastValue ne $value) and ($value ne '')) {
+        B_log("DEBUG","getvaluefromstring returned Not Unique");
+        return 'Not Unique';
+    }
+  }
+  if ((not(defined($value))) or ($value eq '')) {
+    &B_log("DEBUG","Could not find regex match in string");
+    return undef;
+  } else {
+    &B_log("DEBUG","B_getValueFromString Found: $value ; using:  $inputRegex");
+    return $value;
+  }
+}
+
+###############################################################
+# This function adds something to the To Do List.
+# Arguments:
+# 1) The string you want to add to the To Do List.
+# 2) Optional: Question whose TODOFlag should be set to indicate
+#    A pending manual action in subsequent reports.  Only skip this
+#    If there's no security-audit relevant action you need the user to
+#    accomplish
+# Ex:
+# &B_TODO("------\nInstalling IPFilter\n----\nGo get Ipfilter","IPFilter.install_ipfilter");
+#
+#
+# Returns:
+# 0 - If error condition
+# True, if sucess, specifically:
+#   "appended" if the append operation was successful
+#   "exists" if no change was made since the entry was already present
+###############################################################
+sub B_TODO ($;$) {
+    my $text = $_[0];
+    my $FlaggedQuestion = $_[1];
+    my $multilineString = "";
+
+    # trim off any leading and trailing new lines, regexes separated for "clarity"
+    $text =~ s/^\n+(.*)/$1/;
+    $text =~ s/(.*)\n+$/$1/;
+
+    if ( ! -e &getGlobal('BFILE',"TODO") ) {
+	# Make the TODO list file for HP-UX Distro
+	&B_create_file(&getGlobal('BFILE', "TODO"));
+	&B_append_line(&getGlobal('BFILE', "TODO"),'a$b',
+          "Please take the steps below to make your system more secure,\n".
+          "then delete the item from this file and record what you did along\n".
+          "with the date and time in your system administration log.  You\n".
+          "will need that information in case you ever need to revert your\n".
+          "changes.\n\n");
+    }
+
+
+    if (open(TODO,"<" . &getGlobal('BFILE', "TODO"))) {
+	while (my $line = <TODO>) {
+	    # getting rid of all meta characters.
+	    $line =~ s/(\\|\||\(|\)|\[|\]|\{|\}|\^|\$|\*|\+|\?|\.)//g;
+	    $multilineString .= $line;
+	}
+	chomp $multilineString;
+        $multilineString .= "\n";
+
+	close(TODO);
+    }
+    else {
+	&B_log("ERROR","Unable to read TODO.txt file.\n" .
+		  "The following text could not be appended to the TODO list:\n" .
+		  $text .
+		  "End of TODO text\n");
+        return 0; #False
+    }
+
+    my $textPattern = $text;
+
+    # getting rid of all meta characters.
+    $textPattern =~ s/(\\|\||\(|\)|\[|\]|\{|\}|\^|\$|\*|\+|\?|\.)//g;
+
+    if( $multilineString !~  "$textPattern") {
+	my $datestamp = "{" . localtime() . "}";
+	unless ( &B_append_line(&getGlobal('BFILE', "TODO"), "", $datestamp . "\n" . $text . "\n\n\n") ) {
+	    &B_log("ERROR","TODO Failed for text: " . $text );
+	}
+        #Note that we only set the flag on the *initial* entry in the TODO File
+        #Not on subsequent detection.  This is to avoid the case where Bastille
+        #complains on a subsequent Bastille run of an already-performed manual
+        #action that the user neglected to delete from the TODO file.
+        # It does, however lead to a report of "nonsecure" when the user
+        #asked for the TODO item, performed it, Bastille detected that and cleared the
+        # Item, and then the user unperformed the action.  I think this is proper behavior.
+        # rwf 06/06
+
+        if (defined($FlaggedQuestion)) {
+            &B_TODOFlags("set",$FlaggedQuestion);
+        }
+        return "appended"; #evals to true, and also notes what happened
+    } else {
+        return "exists"; #evals to true, and also
+    }
+
+}
+
+
+#####################################################################
+# &B_TODOFlags()
+#
+# This is the interface to the TODO flags.  Test functions set these when they
+# require a TODO item to be completed to get to a "secure" state.
+# The prune/reporting function checks these to ensure no flags are set before
+# reporting an item "secure"
+# "Methods" are load | save | isSet <Question> | set <Question> | unset <Question>
+#
+######################################################################
+
+sub B_TODOFlags($;$) {
+    my $action = $_[0];
+    my $module = $_[1];
+
+    use File::Spec;
+
+    my $todo_flag = &getGlobal("BFILE","TODOFlag");
+
+    &B_log("DEBUG","B_TODOFlags action: $action , module: $module");
+
+    if ($action eq "load") {
+	if (-e $todo_flag ) {
+	    &B_open(*TODO_FLAGS, $todo_flag);
+	    my @lines = <TODO_FLAGS>;
+	    foreach my $line (@lines) {
+                chomp($line);
+		$GLOBAL_CONFIG{"$line"}{"TODOFlag"}="yes";
+	    }
+	    return (&B_close(*TODO_FLAGS)); #return success of final close
+	} else {
+            return 1; #No-op is okay
+        }
+    } elsif ($action eq "save") {
+	# Make sure the file exists, else create
+        #Note we use open_plus and and create file, so if Bastille is
+        #reverted, all the flags will self-clear (file deleted)
+        my $flagNumber = 0;
+        my $flagData = '';
+        foreach my $key (keys %GLOBAL_CONFIG) {
+            if ($GLOBAL_CONFIG{$key}{"TODOFlag"} eq "yes") {
+                ++$flagNumber;
+                $flagData .= "$key\n";
+	    }
+	}
+        if (not( -e $todo_flag)) {
+                &B_log("DEBUG","Initializing TODO Flag file: $todo_flag");
+                &B_create_file($todo_flag); # Make sure it exists
+        }
+        &B_blank_file($todo_flag,
+                          "This will not appear in the file; ensures blanking");
+        return &B_append_line($todo_flag, "", "$flagData"); #return success of save
+    } elsif (($action eq "isSet") and ($module ne "")) {
+	if ($GLOBAL_CONFIG{"$module"}{"TODOFlag"} eq "yes") {
+	    return 1; #TRUE
+	} else {
+	    return 0; #FALSE
+        }
+    } elsif (($action eq "set") and ($module ne "")) {
+        $GLOBAL_CONFIG{"$module"}{"TODOFlag"} = "yes";
+    } elsif (($action eq "clear") and ($module ne "")) {
+        $GLOBAL_CONFIG{"$module"}{"TODOFlag"} = "";
+    } else {
+	&B_log("ERROR","TODO_Flag Called with invalid parameters: $action , $module".
+	       "audit report may be incorrect.");
+	return 0; #FALSE
+    }
+}
+
+1;
+
+
diff --git a/import-layers/meta-security/recipes-security/bastille/files/HPSpecific.pm b/import-layers/meta-security/recipes-security/bastille/files/HPSpecific.pm
new file mode 100644
index 0000000..7e7d709
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/HPSpecific.pm
@@ -0,0 +1,1983 @@
+package Bastille::API::HPSpecific;
+
+use strict;
+use Bastille::API;
+use Bastille::API::FileContent;
+
+require Exporter;
+our @ISA = qw(Exporter);
+our @EXPORT_OK = qw(
+getIPFLocation
+getGlobalSwlist
+B_check_system
+B_swmodify
+B_load_ipf_rules
+B_Schedule
+B_ch_rc
+B_set_value
+B_chperm
+B_install_jail
+B_list_processes
+B_list_full_processes
+B_deactivate_inetd_service
+B_get_rc
+B_set_rc
+B_chrootHPapache
+isSystemTrusted
+isTrustedMigrationAvailable
+checkServiceOnHPUX
+B_get_path
+convertToTrusted
+isOKtoConvert
+convertToShadow
+getSupportedSettings
+B_get_sec_value
+secureIfNoNameService
+isUsingRemoteNameService
+remoteServiceCheck
+remoteNISPlusServiceCheck
+B_create_nsswitch_file
+B_combine_service_results
+
+%priorBastilleNDD
+%newNDD
+);
+our @EXPORT = @EXPORT_OK;
+
+
+
+# "Constants" for use both in testing and in lock-down
+our %priorBastilleNDD = (
+   "ip_forward_directed_broadcasts" =>["ip",   "0"],
+   "ip_forward_src_routed"          =>["ip",   "0"],
+   "ip_forwarding"                  =>["ip",   "0"],
+   "ip_ire_gw_probe"                =>["ip",   "0"],
+   "ip_pmtu_strategy"               =>["ip",   "1"],
+   "ip_respond_to_echo_broadcast"   =>["ip",   "0"],
+   "ip_send_redirects"              =>["ip",   "0"],
+   "ip_send_source_quench"          =>["ip",   "0"],
+   "tcp_syn_rcvd_max"               =>["tcp","1000"],
+   "tcp_conn_request_max"           =>["tcp","4096"] );
+
+our %newNDD = (
+   "ip_forward_directed_broadcasts" =>["ip",    "0"],
+   "ip_forward_src_routed"          =>["ip",    "0"],
+   "ip_forwarding"                  =>["ip",    "0"],
+   "ip_ire_gw_probe"                =>["ip",    "0"],
+   "ip_pmtu_strategy"               =>["ip",    "1"],
+   "ip_respond_to_echo_broadcast"   =>["ip",    "0"],
+   "ip_send_redirects"              =>["ip",    "0"],
+   "ip_send_source_quench"          =>["ip",    "0"],
+   "tcp_syn_rcvd_max"               =>["tcp","4096"],
+   "tcp_conn_request_max"           =>["tcp","4096"],
+   "arp_cleanup_interval"           =>["arp","60000"],
+   "ip_respond_to_timestamp"        =>["ip",    "0"],
+   "ip_respond_to_timestamp_broadcast" => ["ip","0"] );
+
+
+####################################################################
+#
+#  This module makes up the HP-UX specific API routines.
+#
+####################################################################
+#
+#  Subroutine Listing:
+#     &HP_ConfigureForDistro: adds all used file names to global
+#                             hashes and generates a global IPD
+#                             hash for SD modification lookup.
+#
+#     &getGlobalSwlist($):    Takes a fully qualified file name
+#                             and returns product:filset info
+#                             for that file.  returns undef if
+#                             the file is not present in the IPD
+#
+#     &B_check_system:        Runs a series of system queries to
+#                             determine if Bastille can be safely
+#                             ran on the current system.
+#
+#     &B_swmodify($):         Takes a file name and runs the
+#                             swmodify command on it so that the
+#                             IPD is updated after changes
+#
+#     &B_System($$):          Takes a system command and the system
+#                             command that should be used to revert
+#                             whatever was done. Returns 1 on
+#                             success and 0 on failure
+#
+#     &B_Backtick($)          Takes a command to run and returns its stdout
+#                             to be used in place of the prior prevelent use
+#                             of un-error-handled backticks
+#
+#     &B_load_ipf_rules($):   Loads a set of ipfrules into ipf, storing
+#                             current rules for later reversion.
+#
+#     &B_Schedule($$):        Takes a pattern and a crontab line.
+#                             Adds or replaces the crontab line to
+#                             the crontab file, depending on if a
+#                             line matches the pattern
+#
+#     &B_ch_rc($$):           Takes a the rc.config.d flag name and
+#                             new value as well as the init script
+#                             location. This will stop a services
+#                             and set the service so that it will
+#                             not be restarted.
+#
+#     &B_set_value($$$):      Takes a param, value, and a filename
+#                             and sets the given value in the file.
+#                             Uses ch_rc, but could be rewritten using
+#                             Bastille API calls to make it work on Linux
+#
+#     &B_TODO($):             Appends the give string to the TODO.txt
+#                             file.
+#
+#     &B_chperm($$$$):        Takes new perm owner and group of given
+#                             file.  TO BE DEPRECATED!!!
+#
+#     &B_install_jail($$):    Takes the jail name and the jail config
+#                             script location for a give jail...
+#                             These scripts can be found in the main
+#                             directory e.g. jail.bind.hpux
+#
+#####################################################################
+
+##############################################################################
+#
+#                     HP-UX Bastille directory structure
+#
+##############################################################################
+#
+#  /opt/sec_mgmt/bastille/bin/   -- location of Bastille binaries
+#  /opt/sec_mgmt/bastille/lib/   -- location of Bastille modules
+#  /opt/sec_mgmt/bastille/doc/   -- location of Bastille doc files
+#
+#  /etc/opt/sec_mgmt/bastille/   -- location of Bastille config files
+#
+#  /var/opt/sec_mgmt/bastille/log         -- location of Bastille log files
+#  /var/opt/sec_mgmt/bastille/revert        -- directory holding all Bastille-
+#                                            created revert scripts
+#  /var/opt/sec_mgmt/bastille/revert/backup -- directory holding the original
+#                                            files that Bastille modifies,
+#                                            with permissions intact
+#
+##############################################################################
+
+sub getIPFLocation () { # Temporary until we get defined search space support
+    my $ipf=&getGlobal('BIN','ipf_new');
+    my $ipfstat=&getGlobal('BIN','ipfstat_new');
+    if (not(-e $ipf)) { # Detect if the binaries moved
+        $ipf = &getGlobal('BIN','ipf');
+        $ipfstat=&getGlobal('BIN','ipfstat');
+    }
+    return ($ipf, $ipfstat);
+}
+
+##############################################
+# Given a combination of service results, provided
+# in an array, this function combines the result into
+# a reasonable aggregate result
+##############################################
+
+sub B_combine_service_results(@){
+    my @results = @_;
+    
+    #TODO: Consider greater sophistication wrt inconsistent, or not installed.
+    
+    foreach my $result (@results) {
+        if (not(($result ==  SECURE_CAN_CHANGE) or
+            ($result ==  SECURE_CANT_CHANGE) or
+            ($result == NOT_INSTALLED()))) {
+            return NOTSECURE_CAN_CHANGE();
+        }
+    }
+    return SECURE_CANT_CHANGE();
+}
+
+####################################################################
+# &getGlobalSwlist ($file);
+#   This function returns the product and fileset information for
+#   a given file or directory if it exists in the IPD otherwise
+#   it returns undefined "undef"
+#
+#   uses $GLOBAL_SWLIST{"$FILE"}
+####################################################################
+sub getGlobalSwlist($){
+    no strict;
+    my $file = $_[0];
+
+
+    if(! %GLOBAL_SWLIST) {
+	# Generating swlist database for swmodify changes that will be required
+	# The database will be a hash of fully qualified file names that reference
+	# the files product name and fileset.  These values are required to use
+	# swmodify...
+
+	# Files tagged 'is_volatile' in the IPD are not entered in the swlist database
+	# in order to avoid invoking swmodify if the file is changed later.  Attempting to 
+	# swmodify 'volatile' files is both unneccessary and complicated since swverify will 
+	# not evaluate volatile files anyway, and adding another value to the swlist database
+	# would require complex code changes.
+
+	# temp variable to keep swlist command /usr/sbin/swlist
+	my $swlist = &getGlobal('BIN',"swlist");
+
+	# listing of each directory and file that was installed by SD on the target machine
+	my @fileList = `$swlist -a is_volatile -l file`;
+
+	# listing of each patch and the patches that supersede each.
+	# hash which is indexed by patch.fileset on the system
+	my %patchSuperseded;
+
+	my @patchList = `${swlist} -l fileset -a superseded_by *.*,c=patch 2>&1`;
+	# check to see if any patches are present on the system
+	if(($? >> 8) == 0) {
+
+	    # determining patch suppression for swmodify.
+	    foreach my $patchState (@patchList) {
+		# removing empty lines and commented lines.
+		if($patchState !~ /^\s*\#/ && $patchState !~ /^\s*$/) {
+
+		    # removing leading white space
+		    $patchState =~ s/^\s+//;
+		    my @patches = split /\s+/, $patchState;
+		    if($#patches == 0){
+			# patch is not superseded
+			$patchSuperseded{$patches[0]} = 0;
+		    }
+		    else {
+			# patch is superseded
+			$patchSuperseded{$patches[0]} = 1;
+		    }
+		}
+	    }
+	}
+	else {
+	    &B_log("DEBUG","No patches found on the system.\n");
+	}
+
+	if($#fileList >= 0){
+	    # foreach line of swlist output
+	    foreach my $fileEntry ( @fileList ){
+		#filter out commented portions
+		if( $fileEntry !~ /^\s*\#/ ){
+		    chomp $fileEntry;
+		    # split the output into three fields: product.fileset, filename, flag_isvolatile
+		    my( $productInfo, $file, $is_volatile ) = $fileEntry =~ /^\s*(\S+): (\S+)\t(\S+)/ ;
+		    # do not register volatile files
+		    next if ($is_volatile =~ /true/);  # skip to next file entry
+		    $productInfo =~ s/\s+//;
+		    $file =~ s/\s+//;
+		    # if the product is a patch
+		    if($productInfo =~ /PH(CO|KL|NE|SS)/){
+			# if the patch is not superseded by another patch
+			if($patchSuperseded{$productInfo} == 0){
+			    # add the patch to the list of owner for this file
+			    push @{$GLOBAL_SWLIST{"$file"}}, $productInfo;
+			}
+		    }
+		    # not a patch.
+		    else {
+			# add the product to the list of owners for this file
+			push @{$GLOBAL_SWLIST{"$file"}}, $productInfo;
+		    }
+
+		}
+	    }
+	}
+	else{
+	    # defining GLOBAL_SWLIST in error state.
+	    $GLOBAL_SWLIST{"ERROR"} = "ERROR";
+	    &B_log("ERROR","Could not execute swlist.  Swmodifys will not be attempted");
+	}
+    }
+
+    if(exists $GLOBAL_SWLIST{"$file"}){
+	return $GLOBAL_SWLIST{"$file"};
+    }
+    else {
+	return undef;
+    }
+}
+
+###################################################################
+#  &B_check_system;
+#    This subroutine is called to validate that bastille may be
+#    safely run on the current system.  It will check to insure
+#    that there is enough file system space, mounts are rw, nfs
+#    mounts are not mounted noroot, and swinstall, swremove and
+#    swmodify are not running
+#
+#    uses ErrorLog
+#
+##################################################################
+sub B_check_system {
+    # exitFlag is one if a conflict with the successful execution
+    # of bastille is found.
+    my $exitFlag = 0;
+
+    my $ignoreCheck = &getGlobal("BDIR","config") . "/.no_system_check";
+    if( -e $ignoreCheck ) {
+	return $exitFlag;
+    }
+
+    # first check for swinstall, swmodify, or swremove processes
+    my $ps = &getGlobal('BIN',"ps") . " -el";
+    my @processTable = `$ps`;
+    foreach my $process (@processTable) {
+	if($process =~ /swinstall/ ) {
+	    &B_log("ERROR","Bastille cannot run while a swinstall is in progress.\n" .
+		      "Complete the swinstall operation and then run Bastille.\n\n");
+	    $exitFlag = 1;
+	}
+
+	if($process =~ /swremove/ ) {
+	    &B_log("ERROR","Bastille cannot run while a swremove is in progress.\n" .
+		      "Complete the swremove operation and then run Bastille.\n\n");
+	    $exitFlag = 1;
+	}
+
+	if($process =~ /swmodify/ ) {
+	    &B_log("ERROR","Bastille cannot run while a swmodify is in progress.\n" .
+		      "Complete the swmodify operation and then run Bastille.\n\n");
+	    $exitFlag = 1;
+	}
+
+    }
+
+    # check for root read only mounts for /var /etc /stand /
+    # Bastille is required to make changes to these file systems.
+    my $mount = &getGlobal('BIN',"mount");
+    my $rm = &getGlobal('BIN',"rm");
+    my $touch = &getGlobal('BIN',"touch");
+
+    my @mnttab = `$mount`;
+
+    if(($? >> 8) != 0) {
+	&B_log("WARNING","Unable to use $mount to determine if needed partitions\n" .
+		  "are root writable, based on disk mount options.\n" .
+		  "Bastille will continue but note that disk\n" .
+		  "mount checks were skipped.\n\n");
+    }
+    else {
+	foreach my $record (@mnttab) {
+	    my @fields = split /\s+/, $record;
+	    if ((defined $fields[0]) && (defined $fields[2]) && (defined $fields[3])) {
+		my $mountPoint = $fields[0];
+		my $mountType =  $fields[2];
+		my $mountOptions = $fields[3];
+
+		# checks for /stand and /var/* removed 
+		if($mountPoint =~ /^\/$|^\/etc|^\/var$/) {
+
+		    if($mountOptions =~ /^ro,|,ro,|,ro$/) {
+			&B_log("ERROR","$mountPoint is mounted read-only.  Bastille needs to make\n" .
+				  "modifications to this file system.  Please remount\n" .
+				  "$mountPoint read-write and then run Bastille again.\n\n");
+			$exitFlag = 1;
+		    }
+		    # looking for an nfs mounted file system
+		    if($mountType =~/.+:\//){
+			my $fileExisted=0;
+			if(-e "$mountPoint/.bastille") {
+			    $fileExisted=1;
+			}
+
+			`$touch $mountPoint/.bastille 1>/dev/null 2>&1`;
+
+			if( (! -e "$mountPoint/.bastille") || (($? >> 8) != 0) ) {
+			    &B_log("ERROR","$mountPoint is an nfs mounted file system that does\n" .
+				   "not allow root to write to.  Bastille needs to make\n" .
+				   "modifications to this file system.  Please remount\n" .
+				   "$mountPoint giving root access and then run Bastille\n" .
+				   "again.\n\n");
+
+			    $exitFlag = 1;
+			}
+			# if the file did not exist befor the touch then remove the generated file
+			if(! $fileExisted) {
+			    `$rm -f $mountPoint/.bastille 1>/dev/null 2>&1`;
+			}
+		    }
+		}
+	    }
+	    else {
+		&B_log("WARNING","Unable to use $mount to determine if needed partitions\n" .
+			  "are root writable, based on disk mount options.\n" .
+			  "Bastille will continue but note that disk\n" .
+			  "mount checks were skipped.\n\n");
+	    }
+	}
+
+    }
+
+    # checks for enough disk space in directories that Bastille writes to.
+    my $bdf = &getGlobal('BIN',"bdf");
+    #directories that Bastille writes to => required space in kilobytes.
+    my %bastilleDirs = ( "/etc/opt/sec_mgmt/bastille" => "4", "/var/opt/sec_mgmt/bastille"=> "1000");
+    for my $directory (sort keys %bastilleDirs) {
+	my @diskUsage = `$bdf $directory`;
+
+	if(($? >> 8) != 0) {
+	    &B_log("WARNING","Unable to use $bdf to determine disk usage for\n" .
+		   "$directory\n" .
+		   "Bastille will continue but note that disk\n" .
+		   "usage checks were skipped.\n\n");
+
+	}
+	else {
+	    # removing bdf header line from usage information.
+	    shift @diskUsage;
+	    my $usageString= "";
+
+	    foreach my $usageRecord (@diskUsage) {
+		chomp $usageRecord;
+	        $usageString .= $usageRecord;
+	    }
+
+	    $usageString =~ s/^\s+//;
+
+	    my @fields = split /\s+/, $usageString;
+	    if($#fields != 5) {
+		&B_log("WARNING","Unable to use $bdf to determine disk usage for\n" .
+		       "$directory\n" .
+		       "Bastille will continue but note that disk\n" .
+		       "usage checks were skipped.\n\n");
+	    }
+	    else {
+
+		my $mountPoint = $fields[5];
+		my $diskAvail = $fields[3];
+
+		if($diskAvail <= $bastilleDirs{"$directory"}) {
+		    &B_log("ERROR","$mountPoint does not contain enough available space\n" .
+			      "for Bastille to run properly.  $directory needs\n" .
+			      "at least $bastilleDirs{$directory} kilobytes of space.\n" .
+			      "Please clear at least that amount of space from\n" .
+			      "$mountPoint and run Bastille again.\n" .
+			      "Current Free Space available = ${diskAvail} k\n\n");
+ 		    $exitFlag = 1;
+		}
+	    }
+	}
+    }
+
+    # check to make sure that we are in at least run level 2 before we attempt to run
+    my $who = &getGlobal('BIN', "who") . " -r";
+    my $levelInfo = `$who`;
+    if(($? >> 8) != 0 ) {
+	&B_log("WARNING","Unable to use \"$who\" to determine system run.\n" .
+		  "level Bastille will continue but note that the run\n" .
+		  "level check was skipped.\n\n");
+    }
+    else {
+	chomp $levelInfo;
+	my @runlevel = split /\s+/, $levelInfo;
+	if ((! defined $runlevel[3]) or ($runlevel[3] < 2)) {
+	    &B_log("WARNING","Bastille requires a run-level of 2 or more to run properly.\n" .
+		      "Please move your system to a higher run level and then\n" .
+		      "run 'bastille -b'.\n\n");
+	    if(defined $runlevel[3]) {
+		&B_log("ERROR","Current run-level is '$runlevel[3]'.\n\n");
+		$exitFlag=1;
+	    }
+	    else {
+		&B_log("WARNING","Unable to use \"$who\" to determine system run.\n" .
+			  "level Bastille will continue but note that the run\n" .
+			  "level check was skipped.\n\n");
+	    }
+	}
+	else {
+	    &B_log("DEBUG","System run-level is $runlevel[3]\n");
+	}
+    }
+
+    if($exitFlag) {
+	exit(1);
+    }
+
+}
+
+###################################################################
+#  &B_swmodify($file);
+#    This subroutine is called after a file is modified.  It will
+#    redefine the file in the IPD with it's new properties.  If
+#    the file is not in the IPD it does nothing.
+#
+#    uses B_System to make the swmodifications.
+##################################################################
+sub B_swmodify($){
+    my $file = $_[0];
+    if(defined &getGlobalSwlist($file)){
+	my $swmodify = &getGlobal('BIN',"swmodify");
+	my @productsInfo = @{&getGlobalSwlist($file)};
+	# running swmodify on files that were altered by this function but
+	# were created and maintained by SD
+	foreach my $productInfo (@productsInfo) {
+	    &B_System("$swmodify -x files='$file' $productInfo",
+		      "$swmodify -x files='$file' $productInfo");
+	}
+    }
+}
+
+####################################################################
+#  &B_load_ipf_rules($ipfruleset);
+#    This function enables an ipfruleset.  It's a little more
+#    specific than most API functions, but necessary because
+#    ipf doesn't return correct exit codes (syntax error results
+#    in a 0 exit code)
+#
+#   uses ActionLog and ErrorLog to log
+#   calls crontab directly (to list and to read in new jobs)
+###################################################################
+sub B_load_ipf_rules ($) {
+   my $ipfruleset=$_[0];
+
+   &B_log("DEBUG","# sub B_load_ipf_rules");
+
+   # TODO: grab ipf.conf dynamically from the rc.config.d files
+   my $ipfconf = &getGlobal('FILE','ipf.conf');
+
+   # file system changes - these are straightforward, and the API
+   # will take care of the revert
+   &B_create_file($ipfconf);
+   &B_blank_file($ipfconf, 'a$b');
+   &B_append_line($ipfconf, 'a$b', $ipfruleset);
+
+   # runtime changes
+
+   # define binaries
+   my $grep = &getGlobal('BIN', 'grep');
+   my ($ipf, $ipfstat) = &getIPFLocation;
+   # create backup rules
+   # This will exit with a non-zero exit code because of the grep
+   my @oldrules = `$ipfstat -io 2>&1 | $grep -v empty`;
+
+   my @errors=`$ipf -I -Fa -f $ipfconf 2>&1`;
+
+   if(($? >> 8) == 0) {
+
+      &B_set_rc("IPF_START","1");
+      &B_set_rc("IPF_CONF","$ipfconf");
+
+      # swap the rules in
+      &B_System("$ipf -s","$ipf -s");
+
+      # now create a "here" document with the previous version of
+      # the rules and put it into the revert-actions script
+      &B_revert_log("$ipf -I -Fa -f - <<EOF\n@{oldrules}EOF");
+
+      if (@errors) {
+        &B_log("ERROR","ipfilter produced the following errors when\n" .
+                  "        loading $ipfconf.  You probably had an invalid\n" .
+                  "        rule in ". &getGlobal('FILE','customipfrules') ."\n".
+                  "@errors\n");
+      }
+
+   } else {
+     &B_log("ERROR","Unable to run $ipf\n");
+   }
+
+}
+
+
+
+####################################################################
+#  &B_Schedule($pattern,$cronjob);
+#    This function schedules a cronjob.  If $pattern exists in the
+#    crontab file, that job will be replaced.  Otherwise, the job
+#    will be appended.
+#
+#   uses ActionLog and ErrorLog to log
+#   calls crontab directly (to list and to read in new jobs)
+###################################################################
+sub B_Schedule ($$) {
+   my ($pattern,$cronjob)=@_;
+   $cronjob .= "\n";
+
+   &B_log("DEBUG","# sub B_Schedule");
+   my $crontab = &getGlobal('BIN','crontab');
+
+   my @oldjobs = `$crontab -l 2>/dev/null`;
+   my @newjobs;
+   my $patternfound=0;
+
+   foreach my $oldjob (@oldjobs) {
+       if (($oldjob =~ m/$pattern/ ) and (not($patternfound))) {
+	   push @newjobs, $cronjob;
+	   $patternfound=1;
+	   &B_log("ACTION","changing existing cron job which matches $pattern with\n" .
+		  "$cronjob");
+       } elsif ($oldjob !~ m/$pattern/ ) {
+       	&B_log("ACTION","keeping existing cron job $oldjob");
+      	push @newjobs, $oldjob;
+       } #implied: else if pattern matches, but we've
+          #already replaced one, then toss the others.
+   }
+
+   unless ($patternfound) {
+     &B_log("ACTION","adding cron job\n$cronjob\n");
+     push @newjobs, $cronjob;
+   }
+
+   if(open(CRONTAB, "|$crontab - 2> /dev/null")) {
+     print CRONTAB @newjobs;
+
+     # now create a "here" document with the previous version of
+     # the crontab file and put it into the revert-actions script
+     &B_revert_log("$crontab <<EOF\n" . "@oldjobs" . "EOF");
+     close CRONTAB;
+   }
+
+   # Now check to make sure it happened, since cron will exit happily
+   # (retval 0) with no changes if there are any syntax errors
+   my @editedjobs = `$crontab -l 2>/dev/null`;
+
+   if (@editedjobs ne @newjobs) {
+     &B_log("ERROR","failed to add cron job:\n$cronjob\n" .
+               "         You probably had an invalid crontab file to start with.");
+   }
+
+}
+
+
+#This function turns off a service, given a service name defined in HP-UX.service
+
+sub B_ch_rc($) {
+
+    my ($service_name)=@_;
+
+    if (&GetDistro != "^HP-UX") {
+       &B_log("ERROR","Tried to call ch_rc $service_name on a non-HP-UX\n".
+                 "         system!  Internal Bastille error.");
+       return undef;
+    }
+    my $configfile="";
+    my $command = &getGlobal('BIN', 'ch_rc');
+    
+    my $startup_script=&getGlobal('DIR','initd') . "/". $service_name;
+    my @rc_parameters= @{ &getGlobal('SERVICE',$service_name) };
+    my @rcFiles=@{ &getGlobal('RCCONFIG',$service_name) };
+    my $rcFile='';
+    if (@rcFiles == 1){
+        $rcFile=$rcFiles[0];
+    } else {
+        &B_log("FATAL","Multiple RC Files not yet supported... internal error.");
+    }
+    
+    # if the service-related process is not run, and the control variable is stilll 1
+    # there is a inconsistency.  in this case we only need to change the control variable
+    my @psnames=@{ &getGlobal('PROCESS',$service_name)};
+    my @processes;
+    foreach my $psname (@psnames) {
+        $psname .= '\b'; # avoid embedded match; anchor search pattern to trailing word boundry
+        my @procList = &isProcessRunning($psname);
+        if(@procList >= 0){
+          splice @processes,$#processes+1,0,@procList;
+        }
+    }
+#Actually set the rc variable
+  foreach my $rcVariable (@rc_parameters){
+    my $orig_value = &B_get_rc($rcVariable);
+    if ($orig_value eq "" ) { #If variable not set, used the defined file
+        $configfile=&getGlobal("DIR","rc.config.d") . "/" . $rcFile;
+        if (not( -f $configfile )) {
+            &B_create_file($configfile);
+        }
+    }
+    &B_log("DEBUG","In B_ch_rc (no procs), setting $rcVariable to 0 in $configfile" .
+           ", with an original value of $orig_value with rcfile: $rcFile");
+    if ( ! @processes) { # IF there are no processes we don't neet to perform a "stop"
+            &B_set_rc($rcVariable, "0", $configfile);
+    } else {
+        if ( $orig_value !~ "1" ) { #If param is not already 1, the "stop" script won't work
+            &B_set_rc($rcVariable, "1",$configfile);
+        }
+        &B_System ($startup_script  . " stop", #stop service, then restart if the user runs bastille -r
+                   $startup_script . " start");
+        # set parameter, so that service will stay off after reboots
+        &B_set_rc($rcVariable, "0", $configfile);
+    }
+  }
+}
+
+
+# This routine sets a value in a given file
+sub B_set_value($$$) {
+    my ($param, $value, $file)=@_;
+
+    &B_log("DEBUG","B_set_value: $param, $value, $file");
+    if (! -e $file ) {
+	&B_create_file("$file");
+    }
+
+    # If a value is already set to something other than $value then reset it.
+    #Note that though this tests for "$value ="the whole line gets replaced, so
+    #any pre-existing values are also replaced.
+    &B_replace_line($file,"^$param\\s*=\\s*","$param=$value\n");
+    # If the value is not already set to something then set it.
+    &B_append_line($file,"^$param\\s*=\\s*$value","$param=$value\n");
+
+}
+
+
+##################################################################################
+# &B_chperm($owner,$group,$mode,$filename(s))
+#   This function changes ownership and mode of a list of files. Takes four
+#   arguments first the owner next the group and third the new mode in oct and
+#   last a list of files that the permissions changes should take affect on.
+#
+#   uses: &swmodify and &B_revert_log
+##################################################################################
+sub B_chperm($$$$) {
+    my ($newown, $newgrp, $newmode, $file_expr) = @_;
+    my @files = glob($file_expr);
+
+    my $return = 1;
+
+    foreach my $file (@files){
+	my @filestat = stat $file;
+	my $oldmode = (($filestat[2]/512) % 8) .
+	    (($filestat[2]/64) % 8) .
+		(($filestat[2]/8) % 8) .
+		    (($filestat[2]) % 8);
+
+	if((chown $newown, $newgrp, $file) != 1 ){
+	    &B_log("ERROR","Could not change ownership of $file to $newown:$newgrp\n");
+	    $return = 0;
+	}
+	else{
+	    &B_log("ACTION","Changed ownership of $file to $newown:$newgrp\n");
+	    # swmodifying file if possible...
+	    &B_swmodify($file);
+	    &B_revert_log(&getGlobal('BIN',"chown") . " $filestat[4]:$filestat[5] $file\n");
+	}
+
+        my $newmode_formatted=sprintf "%5lo",$newmode;
+
+	if((chmod $newmode, $file) != 1){
+	    &B_log("ERROR","Could not change mode of $file to $newmode_formatted\n");
+	    $return = 0;
+	}
+	else{
+	    &B_log("ACTION","Changed mode of $file to $newmode_formatted\n");
+	    &B_revert_log(&getGlobal('BIN',"chmod") . " $oldmode $file\n");
+	}
+
+
+    }
+    return $return;
+}
+
+############################################################################
+# &B_install_jail($jailname, $jailconfigfile);
+# This function takes two arguments ( jail_name, jail_config )
+# It's purpose is to take read in config files that define a
+# chroot jail and then generate it bases on that specification
+############################################################################
+sub B_install_jail($$) {
+
+    my $jailName = $_[0];  # Name of the jail e.g bind
+    my $jailConfig = $_[1]; # Name of the jails configuration file
+    # create the root directory of the jail if it does not exist
+    &B_create_dir( &getGlobal('BDIR','jail'));
+    &B_chperm(0,0,0555,&getGlobal('BDIR','jail'));
+
+    # create the Jail dir if it does not exist
+    &B_create_dir( &getGlobal('BDIR','jail') . "/" . $jailName);
+    &B_chperm(0,0,0555,&getGlobal('BDIR','jail') . "/". $jailName);
+
+
+    my $jailPath = &getGlobal('BDIR','jail') . "/" . $jailName;
+    my @lines; # used to store no commented no empty config file lines
+    # open configuration file for desired jail and parse in commands
+    if(open(JAILCONFIG,"< $jailConfig")) {
+	while(my $line=<JAILCONFIG>){
+	    if($line !~ /^\s*\#|^\s*$/){
+		chomp $line;
+		push(@lines,$line);
+	    }
+	}
+        close JAILCONFIG;
+    }
+    else{
+	&B_log("ERROR","Open Failed on filename: $jailConfig\n");
+	return 0;
+    }
+    # read through commands and execute
+    foreach my $line (@lines){
+        &B_log("ACTION","Install jail: $line\n");
+	my @confCmd = split /\s+/,$line;
+	if($confCmd[0] =~ /dir/){ # if the command say to add a directory
+	    if($#confCmd == 4) { # checking dir Cmd form
+		if(! (-d  $jailPath . "/" . $confCmd[1])){
+		    #add a directory and change its permissions according
+                    #to the conf file
+		    &B_create_dir( $jailPath . "/" . $confCmd[1]);
+                    &B_chperm((getpwnam($confCmd[3]))[2],
+                              (getgrnam($confCmd[4]))[2],
+                               oct($confCmd[2]),
+                               $jailPath . "/" . $confCmd[1]);
+		}
+	    }
+	    else {
+		&B_log("ERROR","Badly Formed Configuration Line:\n$line\n\n");
+	    }
+	}
+	elsif($confCmd[0] =~ /file/) {
+	    if($#confCmd == 5) { # checking file cmd form
+		if(&B_cp($confCmd[1],$jailPath . "/" . $confCmd[2])){
+		    # for copy command cp file and change perms
+		    &B_chperm($confCmd[4],$confCmd[5],oct($confCmd[3]),$jailPath . "/" . $confCmd[2]);
+		}
+		else {
+		    &B_log("ERROR","Could not complete copy on specified files:\n" .
+			   "$line\n");
+		}
+	    }
+	    else {
+		&B_log("ERROR","Badly Formed Configuration Line:\n" .
+		       "$line\n\n");
+	    }
+	}
+	elsif($confCmd[0] =~ /slink/) {
+	    if($#confCmd == 2) { # checking file cmd form
+		if(!(-e $jailPath . "/" . $confCmd[2])){
+		    #for symlink command create the symlink
+		    &B_symlink($jailPath . "/" . $confCmd[1], $confCmd[2]);
+		}
+	    }
+	    else {
+		&B_log("ERROR","Badly Formed Configuration Line:\n" .
+		       "$line\n\n");
+	    }
+	}
+	else {
+	    &B_log("ERROR","Unrecognized Configuration Line:\n" .
+		   "$line\n\n");
+	}
+    }
+    return 1;
+}
+
+
+
+###########################################################################
+#  &B_list_processes($service)                                            #
+#                                                                         #
+#  This subroutine uses the GLOBAL_PROCESS hash to determine if a         #
+#  service's corresponding processes are running on the system.           #
+#  If any of the processes are found to be running then the process       #
+#  name(s) is/are returned by this subroutine in the form of an list      #
+#  If none of the processes that correspond to the service are running    #
+#  then an empty list is returned.                                        #
+###########################################################################
+sub B_list_processes($) {
+
+    # service name
+    my $service = $_[0];
+    # list of processes related to the service
+    my @processes=@{ &getGlobal('PROCESS',$service)};
+
+    # current systems process information
+    my $ps = &getGlobal('BIN',"ps");
+    my $psTable = `$ps -elf`;
+
+    # the list to be returned from the function
+    my @running_processes;
+
+    # for every process associated with the service
+    foreach my $process (@processes) {
+	# if the process is in the process table then
+	if($psTable =~ m/$process/) {
+	    # add the process to the list, which will be returned
+	    push @running_processes, $process;
+	}
+
+    }
+
+    # return the list of running processes
+    return @running_processes;
+
+}
+
+#############################################################################
+#  &B_list_full_processes($service)                                         #
+#                                                                           #
+#  This subroutine simply grep through the process table for those matching #
+#  the input argument  TODO: Allow B_list process to levereage this code    #
+#  ... Not done this cycle to avoid release risk (late in cycle)            #
+#############################################################################
+sub B_list_full_processes($) {
+
+    # service name
+    my $procName = $_[0];
+    my $ps = &getGlobal('BIN',"ps");
+    my @psTable = split(/\n/,`$ps -elf`);
+
+    # for every process associated with the service
+    my @runningProcessLines = grep(/$procName/ , @psTable);
+    # return the list of running processes
+    return @runningProcessLines;
+}
+
+################################################################################
+#  &B_deactivate_inetd_service($service);                                      #
+#                                                                              #
+#  This subroutine will disable all inetd services associated with the input   #
+#  service name.  Service name must be a reference to the following hashes     #
+#  GLOBAL_SERVICE GLOBAL_SERVTYPE and GLOBAL_PROCESSES.  If processes are left #
+#  running it will note these services in the TODO list as well as instruct the#
+#  user in how they remaining processes can be disabled.                       #
+################################################################################
+sub B_deactivate_inetd_service($) {
+    my $service = $_[0];
+    my $servtype = &getGlobal('SERVTYPE',"$service");
+    my $inetd_conf = &getGlobal('FILE',"inetd.conf");
+
+    # check the service type to ensure that it can be configured by this subroutine.
+    if($servtype ne 'inet') {
+	&B_log("ACTION","The service \"$service\" is not an inet service so it cannot be\n" .
+		   "configured by this subroutine\n");
+	return 0;
+    }
+
+    # check for the inetd configuration files existence so it may be configured by
+    # this subroutine.
+    if(! -e $inetd_conf ) {
+	&B_log("ACTION","The file \"$inetd_conf\" cannot be located.\n" .
+		   "Unable to configure inetd\n");
+	return 0;
+    }
+
+    # list of service identifiers present in inetd.conf file.
+    my @inetd_entries = @{ &getGlobal('SERVICE',"$service") };
+
+    foreach my $inetd_entry (@inetd_entries) {
+	&B_hash_comment_line($inetd_conf, "^\\s*$inetd_entry");
+    }
+
+    # list of processes associated with this service which are still running
+    # on the system
+    my @running_processes = &B_list_processes($service);
+
+    if($#running_processes >= 0) {
+        my $todoString = "\n" .
+	                 "---------------------------------------\n" .
+	                 "Deactivating Inetd Service: $service\n" .
+			 "---------------------------------------\n" .
+			 "The following process(es) are associated with the inetd service \"$service\".\n" .
+			 "They are most likely associated with a session which was initiated prior to\n" .
+			 "running Bastille.  To disable a process see \"kill(1)\" man pages or reboot\n" .
+			 "the system\n" .
+			 "Active Processes:\n" .
+			 "###################################\n";
+	foreach my $running_process (@running_processes) {
+	    $todoString .= "\t$running_process\n";
+	}
+	$todoString .= 	 "###################################\n";
+
+	&B_TODO($todoString);
+    }
+
+}
+
+
+################################################################################
+# B_get_rc($key);                                                              #
+#                                                                              #
+#  This subroutine will use the ch_rc binary to get rc.config.d variables      #
+#  values properly escaped and quoted.                                         #
+################################################################################
+sub B_get_rc($) {
+    
+    my $key=$_[0];
+    my $ch_rc = &getGlobal('BIN',"ch_rc");
+
+    # get the current value of the given parameter.
+    my $currentValue=`$ch_rc -l -p $key`;
+    chomp $currentValue;
+    
+    if(($? >> 8) == 0 ) {
+        # escape all meta characters.
+	# $currentValue =~ s/([\"\`\$\\])/\\$1/g; 
+        # $currentValue = '"' . $currentValue . '"';
+    }
+    else {
+	return undef;
+    }
+
+    return $currentValue;
+}
+
+
+
+################################################################################
+# B_set_rc($key,$value);                                                       #
+#                                                                              #
+#  This subroutine will use the ch_rc binary to set rc.config.d variables.  As #
+#  well as setting the variable this subroutine will set revert strings.       #
+#                                                                              #
+################################################################################
+sub B_set_rc($$;$) {
+
+    my ($key,$value,$configfile)=@_;
+    my $ch_rc = &getGlobal('BIN',"ch_rc");
+
+    # get the current value of the given parameter.
+    my $currentValue=&B_get_rc($key);
+    if(defined $currentValue ) {
+        if ($currentValue =~ /^\"(.*)\"$/ ) {
+            $currentValue = '"\"' . $1 . '\""';
+        }
+        if ($value =~ /^\"(.*)\"$/ ) {
+            $value = '"\"' . $1 . '\""';
+        }
+	if ( &B_System("$ch_rc -a -p $key=$value $configfile",
+		       "$ch_rc -a -p $key=$currentValue $configfile") ) {
+	    #ch_rc success
+	    return 1;
+	}
+	else {
+	    #ch_rc failure.
+	    return 0;
+	}
+    }
+    else {
+	&B_log("ERROR","ch_rc was unable to lookup $key\n");
+	return 0;
+    }
+
+}
+
+
+################################################################################
+#  &ChrootHPApache($chrootScript,$httpd_conf,$httpd_bin,
+#                  $apachectl,$apacheJailDir,$serverString);
+#
+#     This subroutine given an chroot script, supplied by the vendor, a
+#     httpd.conf file, the binary location of httpd, the control script,
+#     the jail directory, and the servers identification string, descriptive
+#     string for TODO etc.  It makes modifications to httpd.conf so that when
+#     Apache starts it will chroot itself into the jail that the above
+#     mentions script creates.
+#
+#     uses B_replace_line B_create_dir B_System B_TODO
+#
+###############################################################################
+sub B_chrootHPapache($$$$$$) {
+
+    my ($chrootScript,$httpd_conf,$httpd_bin,$apachectl,$apacheJailDir,$serverString)= @_;
+
+    my $exportpath = "export PATH=/usr/bin;";
+    my $ps = &getGlobal('BIN',"ps");
+    my $isRunning = 0;
+    my $todo_header = 0;
+
+    # checking for a 2.0 version of the apache chroot script.
+    if(-e $chrootScript ) {
+
+	if(open HTTPD, $httpd_conf) {
+	    while (my $line = <HTTPD>){
+		if($line =~ /^\s*Chroot/) {
+		    &B_log("DEBUG","Apache is already running in a chroot as specified by the following line:\n$line\n" .
+			   "which appears in the httpd.conf file.  No Apache Chroot action was taken.\n");
+		    return;
+		}
+	    }
+	    close(HTTPD);
+	}
+
+	if(`$ps -ef` =~ $httpd_bin ) {
+	    $isRunning=1;
+	    &B_System("$exportpath " . $apachectl . " stop","$exportpath " . $apachectl . " start");
+	}
+	&B_replace_line($httpd_conf, '^\s*#\s*Chroot' ,
+			"Chroot " . $apacheJailDir);
+	if(-d &getGlobal('BDIR',"jail")){
+	    &B_log("DEBUG","Jail directory already exists. No action taken.\n");
+	}
+	else{
+	    &B_log("ACTION","Jail directory was created.\n");
+	    &B_create_dir( &getGlobal('BDIR','jail'));
+	}
+
+	if(-d $apacheJailDir){
+	    &B_log("DEBUG","$serverString jail already exists. No action taken.\n");
+	}
+	else{
+	    &B_System(&getGlobal('BIN',"umask") . " 022; $exportpath " . $chrootScript,
+		      &getGlobal('BIN',"echo") . " \"Your $serverString is now running outside of it's\\n" .
+		      "chroot jail.  You must manually migrate your web applications\\n" .
+		      "back to your Apache server's httpd.conf defined location(s).\\n".
+		      "After you have completed this, feel free to remove the jail directories\\n" .
+		      "from your machine.  Your apache jail directory is located in\\n" .
+		      &getGlobal('BDIR',"jail") . "\\n\" >> " . &getGlobal('BFILE',"TOREVERT"));
+
+	}
+	if($isRunning){
+	    &B_System("$exportpath " . $apachectl . " start","$exportpath " . $apachectl . " stop");
+	    &B_log("ACTION","$serverString is now running in an chroot jail.\n");
+	}
+
+	&B_log("ACTION","The jail is located in " . $apacheJailDir . "\n");
+
+	if ($todo_header !=1){
+	    &B_TODO("\n---------------------------------\nApache Chroot:\n" .
+		    "---------------------------------\n");
+	}
+	&B_TODO("$serverString Chroot Jail:\n" .
+		"httpd.conf contains the Apache dependencies.  You should\n" .
+		"review this file to ensure that the dependencies made it\n" .
+		"into the jail.  Otherwise, you run a risk of your Apache server\n" .
+		"not having access to all its modules and functionality.\n");
+
+
+    }
+
+}
+
+
+sub isSystemTrusted {
+        my $getprdef = &getGlobal('BIN',"getprdef");
+        my $definition = &B_Backtick("$getprdef -t 2>&1");
+        if($definition =~ "System is not trusted.") {
+            return 0;
+        } else {
+            return 1;
+        }
+}
+
+
+sub isTrustedMigrationAvailable {
+    my $distroVersion='';
+
+    if (&GetDistro =~ '^HP-UX11.(\d*)') {
+	$distroVersion=$1;
+	if ($distroVersion < 23) { # Not available before 11.23
+	    return 0; #FALSE
+	} elsif ($distroVersion >= 31) { #Bundled with 11.31 and after
+	    &B_log('DEBUG','isTrustedMigrationAvailable: HP-UX 11.31 always has trusted mode extensions');
+	    return 1;
+	} elsif ($distroVersion == 23) { # Optional on 11.23 if filesets installed
+	    if ( -x &getGlobal('BIN',"userdbget") ) {
+		&B_log('DEBUG','isTrustedMigrationAvailable: Trusted Extensions Installed');
+		return 1;
+	    } else {
+		&B_log('DEBUG','isTrustedMigrationAvailable: Trusted Extensions Not Installed');
+		return 0; #FALSE
+	    }
+	} else {
+	    &B_log('DEBUG','isTrustedMigrationAvailable: ' . &GetDistro .
+		   ' not currently supported for trusted extentions.');
+	    return 0; #FALSE
+	}
+    } else {
+	&B_log('WARNING','isTrustedMigrationAvailable: HP-UX routine called on Linux system');
+	return 0; #FALSE
+    }
+}
+
+
+
+###########################################################################
+# &checkServiceOnHPUX($service);
+#
+# Checks if the given service is running on an HP/UX system.  This is
+# called by B_is_Service_Off(), which is the function that Bastille
+# modules should call.
+#
+# Return values:
+# NOTSECURE_CAN_CHANGE() if the service is on
+# SECURE_CANT_CHANGE() if the service is off
+# INCONSISTENT() if the state of the service cannot be determined
+# NOT_INSTALLED() if the s/w isn't insalled
+#
+###########################################################################
+sub checkServiceOnHPUX($) {
+  my $service=$_[0];
+
+  # get the list of parameters which could be used to initiate the service
+  # (could be in /etc/rc.config.d, /etc/inetd.conf, or /etc/inittab, so we
+  # check all of them)
+  my @params= @{ &getGlobal('SERVICE',$service) };
+  my $grep =&getGlobal('BIN', 'grep');
+  my $inetd=&getGlobal('FILE', 'inetd.conf');
+  my $inittab=&getGlobal('FILE', 'inittab');
+  my $retVals;
+  my $startup=&getGlobal('DIR','initd') ;
+  my @inet_bins= @{ &getGlobal('PROCESS',$service) };
+  
+  my $entry_found = 0;
+
+  &B_log("DEBUG","CheckHPUXservice: $service");
+  my $full_initd_path = $startup . "/" . $service;
+  if ($GLOBAL_SERVTYPE{$service} eq "rc") { # look for the init script in /sbin/init.d
+    if (not(-e $full_initd_path )) {
+        return NOT_INSTALLED();
+    }
+  } else { #inet-based service, so look for inetd.conf entries.
+    &B_log("DEBUG","Checking inet service $service");
+    my @inet_entries= @{ &getGlobal('SERVICE',$service) };
+    foreach my $service (@inet_entries) {
+        &B_log('DEBUG',"Checking for inetd.conf entry of $service in checkService on HPUX");
+        my $service_regex = '^[#\s]*' . $service . '\s+';
+        if ( &B_match_line($inetd, $service_regex) ) { # inet entry search
+            &B_log('DEBUG',"$service present, entry exists");
+            $entry_found = 1 ;
+        }
+    }
+    if ($entry_found == 0 ) {
+       return NOT_INSTALLED();
+    }
+  }
+
+ foreach my $param (@params) {
+    &B_log("DEBUG","Checking to see if service $service is off.\n");
+    if (&getGlobal('SERVTYPE', $service) =~ /rc/) {
+      my $ch_rc=&getGlobal('BIN', 'ch_rc');
+      my $on=&B_Backtick("$ch_rc -l -p $param");
+
+      $on =~ s/\s*\#.*$//; # remove end-of-line comments
+      $on =~ s/^\s*\"(.+)\"\s*$/$1/; # remove surrounding double quotes
+      $on =~ s/^\s*\'(.+)\'\s*$/$1/; # remove surrounding single quotes
+      $on =~ s/^\s*\"(.+)\"\s*$/$1/; # just in case someone did '"blah blah"'
+
+      chomp $on;
+      &B_log("DEBUG","ch_rc returned: $param=$on in checkServiceOnHPUX");
+
+      if ($on =~ /^\d+$/ && $on != 0) {
+        # service is on
+        &B_log("DEBUG","CheckService found $param service is set to \'on\' in scripts.");
+        return NOTSECURE_CAN_CHANGE();
+      }
+      elsif($on =~ /^\s*$/) {
+        # if the value returned is an empty string return
+        # INCONSISTENT(), since we don't know what the hard-coded default is.
+        return INCONSISTENT();
+      }
+    } else {
+      # those files which rely on comments to determine what gets
+      # turned on, such as inetd.conf and inittab
+      my $inettabs=&B_Backtick("$grep -e '^[[:space:]]*$param' $inetd $inittab");
+      if ($inettabs =~ /.+/) {  # . matches anything except newlines
+        # service is not off
+        &B_log("DEBUG","Checking inetd.conf and inittab; found $inettabs");
+        ###########################   BREAK out, don't skip question
+        return NOTSECURE_CAN_CHANGE();
+      }
+    }
+  } # foreach $param
+
+  # boot-time parameters are not set; check processes
+  # checkprocs for services returns INCONSISTENT() if a service is found
+  # since a found-service is inconsistent with the above checks.
+  B_log("DEBUG","Boot-Parameters not set, checking processes.");
+  if (&runlevel < 2) { # Below runlevel 2, it is unlikely that
+                      #services will be running, so just check "on-disk" state
+    &B_log("NOTE","Running during boot sequence, so skipping process checks");
+    return SECURE_CANT_CHANGE();
+  } else {
+    return &checkProcsForService($service);
+  }
+}
+
+sub runlevel {
+    my $who = &getGlobal("BIN", "who");
+    my $runlevel = &B_Backtick("$who -r");
+    if ($runlevel =~ s/.* run-level (\S).*/$1/) {
+        &B_log("DEBUG","Runlevel is: $runlevel");
+        return $runlevel;
+    } else {
+        &B_log("WARNING","Can not determine runlevel, assuming runlevel 3");
+        &B_log("DEBUG","Runlevel command output: $runlevel");
+        return "3"; #safer since the who command didn't work, we'll assume
+                # runlevel 3 since that provides more checks.
+    }
+}
+
+#
+# given a profile file, it will return a PATH array set by the file.
+#
+sub B_get_path($) {
+    my $file = $_[0];
+    my $sh = &getGlobal("BIN", "sh");
+    # use (``)[0] is becuase, signal 0 maybe trapped which will produce some stdout
+    my $path = (`$sh -c '. $file 1>/dev/null 2>&1 < /dev/null ;  echo \$PATH'`)[0];
+    my @path_arr = split(":", $path);
+    my %tmp_path;
+    my %path;
+    for my $tmpdir (@path_arr) {
+        chomp $tmpdir;
+        if ($tmpdir ne ""  && ! $tmp_path{$tmpdir}) {
+            $tmp_path{$tmpdir}++;
+        }
+    }
+    return keys %tmp_path;
+}
+
+# Convert to trusted mode if it's not already
+sub convertToTrusted {
+   &B_log("DEBUG","# sub convertToTrusted \n");
+   if( ! &isSystemTrusted) {
+
+      my ($ok, $message) = &isOKtoConvert;
+
+      my $ts_header="\n---------------------------------\nTrusted Systems:\n" .
+                    "---------------------------------\n";
+
+      if ($ok) {
+	# actually do the conversion
+        if(&B_System(&getGlobal('BIN','tsconvert'), &getGlobal('BIN','tsconvert') . " -r")){
+	  # adjust change times for user passwords to keep them valid
+	  # default is to expire them when converting to a trusted system,
+	  # which can be problematic, especially since some older versions of
+	  # SecureShell do not allow the user to change the password
+	  &B_System(&getGlobal('BIN','modprpw') . " -V", "");
+
+	  my $getprdef = &getGlobal('BIN','getprdef');
+	  my $oldsettings = &B_Backtick("$getprdef -m lftm,exptm,mintm,expwarn,umaxlntr");
+	  $oldsettings =~ s/ //g;
+
+	  # remove password lifetime and increasing login tries so they
+	  # don't lock themselves out of the system entirely.
+	  # set default expiration time and the like.
+	  my $newsettings="lftm=0,exptm=0,mintm=0,expwarn=0,umaxlntr=10";
+
+	  &B_System(&getGlobal('BIN','modprdef') . " -m $newsettings",
+		    &getGlobal('BIN','modprdef') . " -m $oldsettings");
+
+          &B_TODO($ts_header .
+                  "Your system has been converted to a trusted system.\n" .
+                  "You should review the security settings available on a trusted system.\n".
+                  "$message");
+
+          # to get rid of "Cron: Your job did not contain a valid audit ID."
+          # error, we re-read the crontab file after converting to trusted mode
+          # Nothing is necessary in "revert" since we won't be in trusted mode
+          # at that time.
+          # crontab's errors can be spurious, and this will report an 'error'
+          # of the crontab file is missing, so we send stderr to the bit bucket
+          my $crontab = &getGlobal('BIN',"crontab");
+	  &B_System("$crontab -l 2>/dev/null | $crontab","");
+        }
+
+      } else {
+          &B_TODO($ts_header . $message);
+          return 0; # not ok to convert, so we didn't
+      }
+   }
+   else {
+      &B_log("DEBUG","System is already in trusted mode, no action taken.\n");
+      return 1;
+   }
+
+   # just to make sure
+   if( &isSystemTrusted ) {
+      return 1;
+   } else {
+      &B_log("ERROR","Trusted system conversion was unsuccessful for an unknown reason.\n" .
+                "         You may try using SAM/SMH to do the conversion instead of Bastille.\n");
+      return 0;
+   }
+}
+
+# isOKtoConvert - check for conflicts between current system state and trusted
+# mode
+#
+# Return values
+# 0 - conflict found, see message for details
+# 1 - no conflicts, see message for further instructions
+#
+sub isOKtoConvert {
+    &B_log("DEBUG","# sub isOKtoConvert \n");
+    # initialize text for TODO instructions
+    my $specialinstructions="  - convert to trusted mode\n";
+
+    # These are somewhat out-of-place, but only affect the text of the message.
+    # Each of these messages is repeated in a separate TODO item in the
+    # appropriate subroutine.
+    if (&getGlobalConfig("AccountSecurity","single_user_password") eq "Y") {
+	if (&GetDistro =~ "^HP-UX11.(.*)" and $1<23 ) {
+	    $specialinstructions .= "  - set a single user password\n";
+	}
+    }
+
+    if (&getGlobalConfig("AccountSecurity","passwordpolicies") eq "Y") {
+	    $specialinstructions .= "  - set trusted mode password policies\n";
+    }
+
+    if (&getGlobalConfig("AccountSecurity", "PASSWORD_HISTORY_DEPTHyn") eq "Y") {
+       $specialinstructions .= "  - set a password history depth\n";
+    }
+
+    if (&getGlobalConfig("AccountSecurity","system_auditing") eq "Y") {
+       $specialinstructions .= "  - enable auditing\n";
+    }
+
+    my $saminstructions=
+	   "The security settings can be modified by running SAM as follows:\n" .
+	   "# sam\n" .
+	   "Next, go to the \"Auditing and Security Area\" and review\n" .
+	   "each sub-section.  Make sure that you review all of your\n" .
+	   "settings, as some policies may seem restrictive.\n\n" .
+           "On systems using the System Management Homepage, you can\n".
+           "change your settings via the Tools:Security Attributes Configuration\n".
+           "section.  On some systems, you may also have the option of using SMH.\n\n";
+
+    # First, check for possible conflicts and corner cases
+
+    # check nsswitch for possible conflicts
+    my $nsswitch = &getGlobal('FILE', 'nsswitch.conf');
+    if ( -e $nsswitch) {
+        open(FILE, $nsswitch);
+        while (<FILE>) {
+            if (/nis/ or /compat/ or /ldap/) {
+              my $message = "Bastille found a possible conflict between trusted mode and\n" .
+		            "$nsswitch.  Please remove all references to\n" .
+                            "\"compat\", \"nis\" and \"ldap\" in $nsswitch\n" .
+                            "and rerun Bastille, or use SAM/SMH to\n" .
+                            "$specialinstructions\n".
+                            "$saminstructions";
+              close(FILE);
+	      return (0,$message);
+            }
+        }
+        close(FILE);
+    }
+
+    # check the namesvrs config file for possible NIS conflicts
+    #Changed to unless "Y AND Y" since question can be skipped when nis is off
+    # but corner cases can still exist, so check then too.
+    unless ( &getGlobalConfig('MiscellaneousDaemons','nis_client') eq "Y" and
+         &getGlobalConfig('MiscellaneousDaemons','nis_server') eq "Y" ) {
+	my $namesvrs = &getGlobal('FILE', 'namesvrs');
+	if (open(FILE, $namesvrs)) {
+	    while (<FILE>) {
+		if (/^NIS.*=["]?1["]?$/) {
+		    my $message= "Possible conflict between trusted mode and NIS found.\n".
+			"Please use SAM/SMH to\n" .
+			"  - turn off NIS\n" .
+			"$specialinstructions\n".
+			"$saminstructions";
+		    close(FILE);
+		    return (0,$message);
+		}
+	    }
+	    close(FILE);
+	} else {
+            &B_log("ERROR","Unable to open $namesvrs for reading.");
+            my $message= "Possible conflict between trusted mode and NIS found.\n".
+		"Please use SAM/SMH to\n" .
+		"  - turn off NIS\n" .
+		"$specialinstructions\n".
+		"$saminstructions";
+	    return (0,$message);
+	}
+	if ( &B_match_line (&getGlobal("FILE","passwd"),"^\+:.*")) {
+	    my $message= '"+" entry found in passwd file.  These are not\n' .
+	    "compatible with Trusted Mode.  Either remove the entries\n" .
+	    "and re-run Bastille, or re-run Bastille, and direct it to\n" .
+	    "disable NIS client and server.\n";
+	    return (0,$message);
+	    }
+
+    }
+
+
+    # check for conflicts with DCE integrated login
+    my $authcmd = &getGlobal('BIN','auth.adm');
+    if ( -e $authcmd ) {
+         my $retval = system("PATH=/usr/bin $authcmd -q 1>/dev/null 2>&1");
+         if ($retval != 0 and $retval != 1) {
+             my $message="It appears that DCE integrated login is configured on this system.\n" .
+		      "DCE integrated login is incompatible with trusted systems and\n" .
+		      "auditing.  Bastille is unable to\n" .
+		      "$specialinstructions" .
+		      "You will need to configure auditing and password policies using DCE.\n\n";
+	     return (0,$message);
+         }
+    }
+
+    if ( -e &getGlobal('FILE','shadow') ) {
+       my $message="This system has already been converted to shadow passwords.\n" .
+                   "Shadow passwords are incompatible with trusted mode.\n" .
+		   "Bastille is unable to\n" .
+		   "$specialinstructions" .
+                   "If you desire these features, you should use\n".
+                   "\'pwunconv\' to change back to standard passwords,\n".
+                   "and then rerun Bastille.\n\n";
+       return (0,$message);
+   }
+
+    return (1,$saminstructions);
+}
+
+# This routine allows Bastille to determine trusted-mode extension availability
+
+sub convertToShadow {
+
+        if (&isSystemTrusted) {
+            # This is an internal error...Bastille should not call this routine
+            # in this case.  Error is here for robustness against future changes.
+            &B_log("ERROR","This system is already converted to trusted mode.\n" .
+                      "         Converting to shadow passwords will not be attempted.\n");
+            return 0;
+        }
+
+	# configuration files on which shadowed passwords depend
+        my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf");
+
+	# binaries used to convert to a shadowed password
+	my $pwconv = &getGlobal('BIN',"pwconv");
+	my $echo = &getGlobal('BIN','echo'); # the echo is used to pipe a yes into the pwconv program as
+	                                     # pwconv requires user interaction.
+
+	# the binary used in a system revert.
+	my $pwunconv = &getGlobal('BIN',"pwunconv");
+	#check the password file for nis usage and if the nis client
+	#or server is running.
+	if(-e $nsswitch_conf) {
+	    # check the file for nis, nis+, compat, or dce usage.
+	    if(&B_match_line($nsswitch_conf, '^\s*passwd:.+(nis|nisplus|dce|compat)')) {
+		my $shadowTODO = "\n---------------------------------\nHide encrypted passwords:\n" .
+		                 "---------------------------------\n" .
+		                 "This version of password shadowing does not support any repository other\n" .
+		                 "than files. In order to convert your password database to shadowed passwords\n" .
+				 "there can be no mention of nis, nisplus, compat, or dce in the passwd\n" .
+				 "field of the \"$nsswitch_conf\" file.  Please make the necessary edits to\n" .
+				 "the $nsswitch_conf file and run Bastille again using the command:\n" .
+				 "\"bastille -b\"\n";
+		# Adding the shadowTODO comment to the TODO list.
+		&B_TODO("$shadowTODO");
+		# Notifing the user that the shadowed password coversion has failed.
+		&B_log("ERROR","Password Shadowing Conversion Failed\n" .
+			  "$shadowTODO");
+		# exiting the subroutine.
+		return 0;
+	    }
+
+	}
+
+	# convert the password file to a shadowed repository.
+        if (( -e $pwconv ) and ( -e $pwunconv ) and
+            ( &B_System("$echo \"yes\" | $pwconv","$pwunconv") ) ){
+	    &B_TODO( "\n---------------------------------\nShadowing Password File:\n" .
+		     "---------------------------------\n" .
+		     "Your password file has been converted to use password shadowing.\n" .
+		     "This version of password shadowing does not support any repository other\n" .
+		     "than files. There can be no mention of nis, nisplus, compat, or dce\n" .
+		     "in the passwd field of the \"$nsswitch_conf\" file.\n\n" );
+	} else {
+            &B_log("ERROR","Conversion to shadow mode failed.  The system may require ".
+                   "a patch to be capable of switching to shadow mode, or the ".
+                   "system my be in a state where conversion is not possible.");
+        }
+}
+
+
+
+##########################################################################
+# &getSupportedSettings();
+# Manipulates %trustedParameter and %isSupportedSetting, file-scoped variables
+#
+# Reads the password policy support matrix, which in-turn gives Bastille the
+# places it should look for a given password policy setting.
+
+# Note the file was created like this so if could be maintained in an Excel(tm)
+# spreadsheet, to optimize reviewability.  TODO: consider other formats
+
+#  File Format:
+#  HEADERS:<comment>,[<OS Version> <Mode> <Extensions>,]...
+#  [
+#  :<label>:<trusted equivalent>,,,,,,,,,,,,<comment>
+#  <action> (comment), [<test value>,]...
+#  ] ...
+# Example;
+# HEADERS:Information Source (trusted equiv),11.11 Standard no-SMSE,11.11 Trusted no-SMSE,11.11 Shadow no-SMSE,11.23 Standard no-SMSE,11.23 Trusted no-SMSE,11.23 Shadow no-SMSE,11.23 Standard SMSE,11.23 Shadow SMSE,11.23 Trusted SMSE,11.31 Trusted SMSE,11.31 Shadow SMSE,11.31 Standard SMSE,Other Exceptions
+#:ABORT_LOGIN_ON_MISSING_HOMEDIR,,,,,,,,,,,,,root
+#/etc/security.dsc (search),x,,xx,x,x,x,!,!,!,!,!,!,
+#/etc/default/security(search),y,y,y,y,y,y,y,y,y,y,y,y,
+#getprdef (execute with <Trusted Equiv> argument),x,x,x,x,x,x,x,x,x,x,x,x,
+
+###########################################################################
+our %trustedParameter = ();
+our %isSupportedSetting = ();
+
+sub getSupportedSettings() {
+
+    my $line; # For a config file line
+    my $linecount = 0;
+    my $currentsetting = "";
+    my @fields; # Fields in a given line
+    my @columns; #Column Definitions
+
+
+    &B_open(*SETTINGSFILE,&getGlobal('BFILE','AccountSecSupport'));
+    my @settingLines=<SETTINGSFILE>;
+    &B_close(*SETTINGSFILE);
+
+    #Remove blank-lines and comments
+    @settingLines = grep(!/^#/,@settingLines);
+    @settingLines = grep(!/^(\s*,+)*$/,@settingLines);
+
+    foreach $line (@settingLines) {
+	++$linecount;
+	@fields = split(/,/,$line);
+	if ($line =~ /^Information Source:/) { #Sets up colums
+	    my $fieldcount = 1; #Skipping first field
+	    while ((defined($fields[$fieldcount])) and
+                   ($fields[$fieldcount] =~ /\d+\.\d+/)){
+		my @subfields = split(/ /,$fields[$fieldcount]);
+                my $fieldsCount = @subfields;
+                if ($fieldsCount != 3){
+                    &B_log("ERROR","Invalid subfield count: $fieldsCount in:".
+                           &getGlobal('BFILE','AccountSecSupport') .
+                           " line: $linecount and field: $fieldcount");
+                }
+		$columns[$fieldcount] = {OSVersion => $subfields[0],
+                                         Mode => $subfields[1],
+                                         Extension => $subfields[2] };
+                &B_log("DEBUG","Found Header Column, $columns[$fieldcount]{'OSVersion'}, ".
+                       $columns[$fieldcount]{'Mode'} ." , " .
+                       $columns[$fieldcount]{'Extension'});
+		++$fieldcount;
+		}                                      # New Account Seting ex:
+	} elsif ($line =~ /^:([^,:]+)(?::([^,]+))?/) { # :PASSWORD_WARNDAYS:expwarn,,,,,,,,,,,,
+	    $currentsetting = $1;
+	    if (defined($2)) {
+		$trustedParameter{"$currentsetting"}=$2;
+	    }
+            &B_log("DEBUG","Found Current Setting: ". $currentsetting .
+                   "/" . $trustedParameter{"$currentsetting"});
+	} elsif (($line =~ /(^[^, :\)\(]+)[^,]*,((?:(?:[!y?nx]|!!),)+)/) and #normal line w/ in setting ex:
+		 ($currentsetting ne "")){ # security.dsc (search),x,x,x,x,x,!,!!,!,!,!,!,
+	    my $placeToLook = $1;
+	    my $fieldcount = 1; #Skip the first one, which we used in last line
+	    while (defined($fields[$fieldcount])) {
+		&B_log("DEBUG","Setting $currentsetting : $columns[$fieldcount]{OSVersion} , ".
+		       "$columns[$fieldcount]{Mode} , ".
+		       "$columns[$fieldcount]{Extension} , ".
+		       "$placeToLook, to $fields[$fieldcount]");
+		$isSupportedSetting{"$currentsetting"}
+		    {"$columns[$fieldcount]{OSVersion}"}
+		    {"$columns[$fieldcount]{Mode}"}
+		    {"$columns[$fieldcount]{Extension}"}
+		    {"$placeToLook"} =
+		    $fields[$fieldcount];
+                    ++$fieldcount;
+	    }
+	} else {
+	    if ($line !~ /^,*/) {
+                &B_log("ERROR","Incorrectly Formatted Line at ".
+                       &getGlobal('BFILE','AccountSecSupport') . ": $linecount");
+            }
+	}
+    }
+}
+
+##########################################################################
+# &B_get_sec_value($param);
+# This subroutine finds the value for a given user policy parameter.
+# Specifically, it supports the parameters listed in the internal data structure
+
+# Return values:
+# 'Not Defined' if the value is not present or not uniquely defined.
+# $value if the value is present and unique
+#
+###########################################################################
+sub B_get_sec_value($) {
+    my $param=$_[0];
+
+    my $os_version;
+    if (&GetDistro =~ /^HP-UX\D*(\d+\.\d+)/ ){
+	$os_version=$1;
+    } else {
+	&B_log("ERROR","B_get_sec_value only supported on HP-UX");
+	return undef;
+    }
+#    my $sec_dsc =  &getGlobal('FILE', 'security.dsc');
+    my $sec_file = &getGlobal('FILE', 'security');
+    my $getprdef = &getGlobal('BIN','getprdef');
+    my $getprpw = &getGlobal('BIN','getprpw');
+    my $userdbget = &getGlobal('BIN','userdbget');
+    my $passwd = &getGlobal('BIN','passwd');
+
+    my $sec_flags = "";
+    my @sec_settings=();
+    my $user_sec_setting="";
+
+    my $security_mode="Standard";
+    my $security_extension="no-SMSE";
+
+    &B_log("DEBUG","Entering get_sec_value for: $param");
+
+    sub isok ($) { # Locally-scoped subroutine, takes supported-matrix entry as argument
+	my $supportedMatrixEntry = $_[0];
+
+	if ($supportedMatrixEntry =~ /!/) { #Matrix Entry for "Documented and/or tested"
+           &B_log("DEBUG","isOk TRUE: $supportedMatrixEntry");
+	    return 1;
+	} else {
+            &B_log("DEBUG","isOk FALSE: $supportedMatrixEntry");
+	    return 0; #FALSE
+	}
+    } #end local subroutine
+
+    #Get Top Array item non-destructively
+    sub getTop (@) {
+        my @incomingArray = @_;
+        my $topval = pop(@incomingArray);
+        push(@incomingArray,$topval); #Probably redundant, but left in just in case.
+        return $topval;
+    }
+
+    sub ifExistsPushOnSecSettings($$) {
+        my $sec_settings = $_[0];
+        my $pushval = $_[1];
+
+        if ($pushval ne ""){
+            push (@$sec_settings, $pushval);
+        }
+    }
+
+    #prpw and prdef both use "YES" instead of "1" like the other settings.
+    sub normalizePolicy($){
+        my $setting = $_[0];
+
+        $setting =~ s/YES/1/;
+        $setting =~ s/NO/1/;
+
+        return $setting;
+    }
+
+
+
+    if ((%trustedParameter == ()) or (%isSupportedSetting == ())) {
+	# Manipulates %trustedParameter and %isSupportedSetting
+	&getSupportedSettings;
+    }
+
+    #First determine the security mode
+    my $shadowFile = &getGlobal("FILE","shadow");
+    my $passwdFile = &getGlobal("FILE","passwd");
+
+    if (&isSystemTrusted) {
+	$security_mode = 'Trusted';
+    } elsif ((-e $shadowFile) and #check file exist, and that passwd has no non-"locked" accounts
+             (not(&B_match_line($passwdFile,'^[^\:]+:[^:]*[^:*x]')))) {
+	    $security_mode = 'Shadow';
+    } else {
+	$security_mode = 'Standard';
+    }
+    if (&isTrustedMigrationAvailable) {
+	$security_extension = 'SMSE';
+	} else {
+	$security_extension = 'no-SMSE';
+    }
+    &B_log("DEBUG","Security mode: $security_mode extension: $security_extension");
+    # Now look up the value from each applicable database, from highest precedence
+    # to lowest:
+    &B_log("DEBUG","Checking $param in userdbget");
+    if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
+              {$security_extension}{"userdbget_-a"})) {
+	&ifExistsPushOnSecSettings(\@sec_settings,
+                                   &B_getValueFromString('\w+\s+\w+=(\S+)',
+                                                         &B_Backtick("$userdbget -a $param")));
+        &B_log("DEBUG", $param . ":userdbget setting: ". &getTop(@sec_settings));
+    }
+    &B_log("DEBUG","Checking $param in passwd");
+    if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
+              {$security_extension}{"passwd_-sa"})) {
+	if ($param eq "PASSWORD_MINDAYS") {
+	    &ifExistsPushOnSecSettings(\@sec_settings,
+                                       &B_getValueFromString('(?:\w+\s+){2}[\d\/]+\s+(\d+)\s+\d+',
+                                                             &B_Backtick("$passwd -s -a")));
+	} elsif ($param eq "PASSWORD_MAXDAYS") {
+	    &ifExistsPushOnSecSettings(\@sec_settings,
+                                       &B_getValueFromString('(?:\w+\s+){2}[\d\/]+\s+\d+\s+(\d+)',
+                                                             &B_Backtick("$passwd -s -a")));
+	} elsif ($param eq "PASSWORD_WARNDAYS") {
+	    &ifExistsPushOnSecSettings(\@sec_settings,
+                                       &B_getValueFromString('(?:\w+\s+){2}[\d\/]+(?:\s+\d+){2}\s+(\d+)',
+                                                             &B_Backtick("$passwd -s -a")));
+	}
+        &B_log("DEBUG", $param . ":passwd -sa setting: ". &getTop(@sec_settings));
+    }
+    &B_log("DEBUG","Checking $param in get prpw");
+    if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
+              {$security_extension}{"getprpw"})) {
+        my $logins = &getGlobal("BIN","logins");
+	my @userArray = split(/\n/,`$logins`);
+	my $userParamVals = '';
+	foreach my $rawuser (@userArray) {
+            $rawuser =~ /^(\S+)/;
+	    my $user = $1;
+            my $nextParamVal=&B_Backtick("$getprpw -l -m $trustedParameter{$param} $user");
+            $nextParamVal =~ s/\w*=(-*[\w\d]*)/$1/;
+	    if ($nextParamVal != -1) { #Don't count users for which the local DB is undefined
+                $userParamVals .= $user . "::::" . $nextParamVal ."\n";
+            }
+	} #Note getValueFromStrings deals with duplicates, returning "Not Unigue"
+        my $policySetting = &B_getValueFromString('::::(\S+)',"$userParamVals");
+	&ifExistsPushOnSecSettings (\@sec_settings, &normalizePolicy($policySetting));
+        &B_log("DEBUG", $param . ":prpw setting: ". &getTop(@sec_settings));
+    }
+    &B_log("DEBUG","Checking $param in get prdef");
+    if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
+              {$security_extension}{"getprdef"})) {
+	$_ = &B_Backtick ("$getprdef -m " . $trustedParameter{$param});
+	/\S+=(\S+)/;
+        my $policySetting = $1;
+	&ifExistsPushOnSecSettings(\@sec_settings, &normalizePolicy($policySetting));
+        &B_log("DEBUG", $param . ":prdef setting: ". &getTop(@sec_settings));
+
+    }
+    &B_log("DEBUG","Checking $param in default security");
+    if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
+              {$security_extension}{"/etc/default/security"})) {
+	&ifExistsPushOnSecSettings(\@sec_settings,&B_getValueFromFile('^\s*'. $param .
+                                               '\s*=\s*([^\s#]+)\s*$', $sec_file));
+        &B_log("DEBUG", $param . ":default setting: ". &getTop(@sec_settings));
+    }
+    #Commented below code in 3.0 release to avoid implication that bastille
+    #had ever set these values explicitly, and the implications to runnable
+    #config files where Bastille would then apply the defaults as actual policy
+    #with possible conversion to shadow or similar side-effect.
+
+#    &B_log("DEBUG","Checking $param in security.dsc");
+    #security.dsc, only added in if valid for OS/mode/Extension, and nothing else
+    #is defined (ie: @sec_settings=0)
+#    if ((&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
+#              {$security_extension}{"/etc/security.dsc"})) and (@sec_settings == 0)) {
+#	&ifExistsPushOnSecSettings(\@sec_settings, &B_getValueFromFile('^' . $param .
+#                                                ';(?:[-\w/]*;){2}([-\w/]+);', $sec_dsc));
+#        &B_log("DEBUG", $param . ":security.dsc: ". &getTop(@sec_settings));
+#    }
+
+    # Return what we found
+    my $last_setting=undef;
+    my $current_setting=undef;
+    while (@sec_settings > 0) {
+	$current_setting = pop(@sec_settings);
+        &B_log("DEBUG","Comparing $param configuration for identity: " .
+               $current_setting);
+	if ((defined($current_setting)) and ($current_setting ne '')) {
+	    if (not(defined($last_setting))){
+		$last_setting=$current_setting;
+	    } elsif (($last_setting ne $current_setting) or
+                     ($current_setting eq 'Not Unique')){
+                &B_log("DEBUG","$param setting not unique.");
+		return 'Not Unique';  # Inconsistent state found, return 'Not Unique'
+	    }
+	}
+    }
+    if ((not(defined($last_setting))) or ($last_setting eq '')) {
+        return undef;
+    } else {
+        return $last_setting;
+    }
+
+} #End B_get_sec_value
+
+sub secureIfNoNameService($){
+    my $retval = $_[0];
+    
+    if (&isUsingRemoteNameService) {
+        return MANUAL();
+    } else {
+        return $retval;
+    }
+}
+
+#Specifically for cleartext protocols like NIS, which are not "secure"
+sub isUsingRemoteNameService(){
+    
+    if (&remoteServiceCheck('nis|nisplus|dce') == SECURE_CAN_CHANGE()){
+        return 0; #false
+    } else {
+        return 1;
+    }
+}
+
+
+
+###########################################
+## This is a wrapper for two functions that
+## test the existence of nis-like configurations
+## It is used by both the front end test and the back-end run
+##############################################
+sub remoteServiceCheck($){
+        my $regex = $_[0];
+        
+        my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf");
+        my $passwd = &getGlobal('FILE',"passwd");
+        
+        # check the file for nis usage.
+        if (-e $nsswitch_conf) {
+            if (&B_match_line($nsswitch_conf, '^\s*passwd:.*('. $regex . ')')) {
+                    return NOTSECURE_CAN_CHANGE();
+            } elsif ((&B_match_line($nsswitch_conf, '^\s*passwd:.*(compat)')) and
+            (&B_match_line($passwd, '^\s*\+'))) {
+                    return NOTSECURE_CAN_CHANGE(); # true
+            }
+        } elsif ((&B_match_line($passwd, '^\s*\+'))) {
+                return NOTSECURE_CAN_CHANGE();
+        }
+        
+        my $oldnisdomain=&B_get_rc("NIS_DOMAIN");
+        if ((($oldnisdomain eq "") or ($oldnisdomain eq '""')) and (&checkServiceOnHPUX('nis.client'))){
+            return SECURE_CAN_CHANGE();
+        }
+        return NOTSECURE_CAN_CHANGE();
+}
+
+#############################################
+# remoteNISPlusServiceCheck
+# test the existence of nis+ configuration
+#############################################
+sub remoteNISPlusServiceCheck () {
+
+    my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf");
+
+    # check the file for nis+ usage.
+    if (-e $nsswitch_conf) {
+        if (&B_match_line($nsswitch_conf, 'nisplus')) {
+            return NOTSECURE_CAN_CHANGE();
+        }
+    }
+
+    return &checkServiceOnHPUX('nisp.client');
+}
+
+
+##########################################################################
+# This subroutine creates nsswitch.conf file if the file not exists,
+# and then append serveral services into the file if the service not
+# exists in the file.
+##########################################################################
+sub B_create_nsswitch_file ($) {
+    my $regex = $_[0];
+
+    my $nsswitch = &getGlobal('FILE',"nsswitch.conf");
+
+    if( ! -f $nsswitch ) {
+        &B_create_file($nsswitch);
+        # we don't need to revert the permissions change because we just
+        # created the file
+        chmod(0444, $nsswitch);
+
+        &B_append_line($nsswitch,'\s*passwd:', "passwd:       $regex\n");
+        &B_append_line($nsswitch,'\s*group:', "group:        $regex\n");
+        &B_append_line($nsswitch,'\s*hosts:', "hosts:        $regex\n");
+        &B_append_line($nsswitch,'\s*networks:', "networks:     $regex\n");
+        &B_append_line($nsswitch,'\s*protocols:', "protocols:    $regex\n");
+        &B_append_line($nsswitch,'\s*rpc:', "rpc:          $regex\n");
+        &B_append_line($nsswitch,'\s*publickey:', "publickey:    $regex\n");
+        &B_append_line($nsswitch,'\s*netgroup:', "netgroup:     $regex\n");
+        &B_append_line($nsswitch,'\s*automount:', "automount:    $regex\n");
+        &B_append_line($nsswitch,'\s*aliases:', "aliases:      $regex\n");
+        &B_append_line($nsswitch,'\s*services:', "services:     $regex\n");
+    }
+}
+
+1;
+
diff --git a/import-layers/meta-security/recipes-security/bastille/files/Miscellaneous.pm b/import-layers/meta-security/recipes-security/bastille/files/Miscellaneous.pm
new file mode 100644
index 0000000..b3bdf10
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/Miscellaneous.pm
@@ -0,0 +1,166 @@
+package Bastille::API::Miscellaneous;
+use strict;
+
+use File::Path;
+use Bastille::API;
+use Bastille::API::HPSpecific;
+use Bastille::API::FileContent;
+
+require Exporter;
+our @ISA = qw(Exporter);
+our @EXPORT_OK = qw(
+PrepareToRun
+B_is_package_installed
+);
+our @EXPORT = @EXPORT_OK;
+
+
+###########################################################################
+#
+# PrepareToRun sets up Bastille to run.  It checks the ARGV array for
+# special options and runs ConfigureForDistro to set necessary file
+# locations and other global variables.
+#
+###########################################################################
+
+sub PrepareToRun {
+
+    # Make sure we're root!
+    if ( $> != 0 ) {
+	&B_log("ERROR","Bastille must run as root!\n");
+        exit(1);
+    }
+
+
+    # Make any directories that don't exist...
+    foreach my $dir (keys %GLOBAL_BDIR) {
+        my $BdirPath = $GLOBAL_BDIR{$dir};
+        if ( $BdirPath =~ /^\s*\// ) { #Don't make relative directories
+            mkpath ($BdirPath,0,0700);
+        }
+    }
+
+    if(&GetDistro =~ "^HP-UX") {
+	&B_check_system;
+    }
+
+    &B_log("ACTION","\n########################################################\n" .
+	       "#  Begin Bastille Run                                  #\n" .
+	       "########################################################\n\n");
+
+    #read sum file if it exists.
+    &B_read_sums;
+
+
+# No longer necessary as flags are no longer in sum file, and sums are
+# are now checked "real time"
+
+    # check the integrity of the files listed
+#    for my $file (sort keys %GLOBAL_SUM) {
+#	&B_check_sum($file);
+#    }
+    # write out the newly flagged sums
+#    &B_write_sums;
+
+
+}
+
+
+
+###########################################################################
+# &B_is_package_installed($package);
+#
+# This function checks for the existence of the package named.
+#
+# TODO: Allow $package to be an expression.
+# TODO: Allow optional $version, $release, $epoch arguments so we can
+#       make sure that the given package is at least as recent as some
+#       given version number.
+#
+# scalar return values:
+# 0:    $package is not installed
+# 1:    $package is installed
+###########################################################################
+
+sub B_is_package_installed($) {
+    no strict;
+    my $package = $_[0];
+# Create a "global" variable with values scoped to this function
+# We do this to avoid having to repeatedly swlist/rpm
+# when we run B_is_package_installed
+local %INSTALLED_PACKAGE_LIST;
+
+    my $distro = &GetDistro;
+    if ($distro =~ /^HP-UX/) {
+        if (&checkProcsForService('swagent','ignore_warning') == SECURE_CANT_CHANGE()) {
+            &B_log("WARNING","Software Distributor Agent(swagent) is not running.  Can not tell ".
+                   "if package: $package is installed or not.  Bastille will assume not.  ".
+                   "If the package is actually installed, Bastille may report or configure incorrectly.".
+                   "To use Bastille-results as-is, please check to ensure $package is not installed, ".
+                   "or re-run with the swagent running to get correct results.");
+            return 0; #FALSE
+        }
+	my $swlist=&getGlobal('BIN','swlist');
+        if (%INSTALLED_PACKAGE_LIST == () ) { # re-use prior results
+          if (open(SWLIST, "$swlist -a state -l fileset |")) {
+            while (my $line = <SWLIST>){
+              if ($line =~ /^ {2}\S+\.(\S+)\s*(\w+)/) {
+                $INSTALLED_PACKAGE_LIST{$1} = $2;
+              }
+            }
+          close SWLIST;
+          } else {
+            &B_log("ERROR","B_is_package_installed was unable to run the swlist command: $swlist,\n");
+            return FALSE;
+          }
+        }
+        # Now find the entry
+        if ($INSTALLED_PACKAGE_LIST{$package} == 'configured') {
+            return TRUE;
+        } else {
+            return FALSE;
+        }
+    } #End HP-UX Section
+    # This routine only works on RPM-based distros: Red Hat, Fedora, Mandrake and SuSE
+    elsif ( ($distro !~ /^RH/) and ($distro !~ /^MN/) and($distro !~ /^SE/) ) {
+        return 0;
+    } else { #This is a RPM-based distro
+        # Run an rpm command -- librpm is extremely messy, dynamic and not
+        # so much a perl thing.  It's actually barely a C/C++ thing...
+        if (open RPM,"rpm -q $package") {
+            # We should get only one line back, but let's parse a few
+            # just in case.
+            my @lines = <RPM>;
+            close RPM;
+            #
+            # This is what we're trying to parse:
+            # $ rpm -q jay
+            # package jay is not installed
+            # $ rpm -q bash
+            # bash-2.05b-305.1
+            #
+
+            foreach $line (@lines) {
+                if ($line =~ /^package\s$package\sis\snot\sinstalled/) {
+            	return 0;
+                }
+                elsif ($line =~ /^$package\-/) {
+            	return 1;
+                }
+            }
+
+            # If we've read every line without finding one of these, then
+            # our parsing is broken
+            &B_log("ERROR","B_is_package_installed was unable to find a definitive RPM present or not present line.\n");
+            return 0;
+        } else {
+            &B_log("ERROR","B_is_package_installed was unable to run the RPM command,\n");
+            return 0;
+        }
+    }
+}
+
+
+
+1;
+
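Review bot: `B_is_package_installed` in Miscellaneous.pm tests the swlist state with a numeric operator, `if ($INSTALLED_PACKAGE_LIST{$package} == 'configured')`, so an absent or non-numeric entry compares as 0 == 0 and every package queried on HP-UX is reported as installed; it needs `eq` behind a `defined` guard. The RPM branch uses two-argument `open RPM,"rpm -q $package"` with no trailing `|`, which opens a file of that name rather than running a command, and a two-argument open over an interpolated value is also the form in which a `|` inside `$package` would be treated as a command; the list-form pipe open `open(my $rpm_fh, '-|', 'rpm', '-q', $package)` runs the command and never involves a shell. The two `return FALSE;` statements return the bareword string `"FALSE"`, which is true under `no strict`, so the swlist failure path and the not-installed path both read as success to callers; return `0` (and `1` for `TRUE`). `local %INSTALLED_PACKAGE_LIST;` also resets the hash on every call, so the "re-use prior results" comment above it does not hold unless the hash is populated elsewhere, which the hunk does not show; a file-scoped `my %INSTALLED_PACKAGE_LIST;` outside the sub would give the intended cache.
```perl
sub B_is_package_installed($) {
    my $package = $_[0];
    # … unchanged: GetDistro lookup, swagent check …
        if (%INSTALLED_PACKAGE_LIST == () ) { # re-use prior results
          if (open(my $swlist_fh, '-|', $swlist, '-a', 'state', '-l', 'fileset')) {
            while (my $line = <$swlist_fh>){
              if ($line =~ /^ {2}\S+\.(\S+)\s*(\w+)/) {
                $INSTALLED_PACKAGE_LIST{$1} = $2;
              }
            }
            close $swlist_fh;
          } else {
            &B_log("ERROR","B_is_package_installed was unable to run the swlist command: $swlist,\n");
            return 0;
          }
        }
        # Now find the entry; swlist reports a state string, so compare as a string
        if (defined $INSTALLED_PACKAGE_LIST{$package}
            and $INSTALLED_PACKAGE_LIST{$package} eq 'configured') {
            return 1;
        } else {
            return 0;
        }
    # … unchanged: non-RPM distro early return …
        # List-form pipe open: runs rpm directly, no shell, no file-vs-pipe ambiguity
        if (open(my $rpm_fh, '-|', 'rpm', '-q', $package)) {
            my @lines = <$rpm_fh>;
            close $rpm_fh;
            # … unchanged: rpm output parsing and error logging …
```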
diff --git a/import-layers/meta-security/recipes-security/bastille/files/ServiceAdmin.pm b/import-layers/meta-security/recipes-security/bastille/files/ServiceAdmin.pm
new file mode 100644
index 0000000..879223a
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/ServiceAdmin.pm
@@ -0,0 +1,690 @@
+package Bastille::API::ServiceAdmin;
+use strict;
+
+use Bastille::API;
+
+use Bastille::API::HPSpecific;
+use Bastille::API::FileContent;
+
+require Exporter;
+our @ISA = qw(Exporter);
+our @EXPORT_OK = qw(
+B_chkconfig_on
+B_chkconfig_off
+B_service_start
+B_service_stop
+B_service_restart
+B_is_service_off
+checkServiceOnLinux
+remoteServiceCheck
+remoteNISPlusServiceCheck
+B_create_nsswitch_file
+);
+our @EXPORT = @EXPORT_OK;
+
+
+#######
+# &B_chkconfig_on and &B_chkconfig_off() are great for systems that didn't use
+# a more modern init system.  This is a bit of a problem on Fedora, though,
+# which used upstart from Fedora 9 to Fedora 14, then switched to a new
+# Red Hat-created system called systemd for Fedora 15 and 16 (so far).
+# OpenSUSE also moved to systemd, starting with 12.1.  Version 11.4 did not
+# use systemd.
+# It is also a problem on Ubuntu, starting at version 6.10, where they also
+# used upstart.
+#####
+
+
+
+
+###########################################################################
+# &B_chkconfig_on ($daemon_name) creates the symbolic links that are
+# named in the "# chkconfig: ___ _ _ " portion of the init.d files.  We
+# need this utility, in place of the distro's chkconfig, because of both
+# our need to add revert functionality and our need to harden distros that
+# are not mounted on /.
+#
+# It uses the following global variables to find the links and the init
+# scripts, respectively:
+#
+#   &getGlobal('DIR', "rcd")    -- directory where the rc_.d subdirs can be found
+#   &getGlobal('DIR', "initd")  -- directory the rc_.d directories link to
+#
+# Here an example of where you might use this:
+#
+# You'd like to tell the system to run the firewall at boot:
+#       B_chkconfig_on("bastille-firewall")
+#
+###########################################################################
+
+# PW: Blech. Copied B_chkconfig_off() and changed a few things,
+#               then changed a few more things....
+
+sub B_chkconfig_on {
+
+    my $startup_script=$_[0];
+    my $retval=1;
+
+    my $chkconfig_line;
+    my ($runlevelinfo,@runlevels);
+    my ($start_order,$stop_order,$filetolink);
+
+    &B_log("ACTION","# chkconfig_on enabling $startup_script\n");
+
+    # In Debian system there is no chkconfig script, run levels are checked
+    # one by one (jfs)
+    if (&GetDistro =~/^DB.*/) {
+            $filetolink = &getGlobal('DIR', "initd") . "/$startup_script";
+            if (-x $filetolink)
+            {
+                    foreach my $level ("0","1","2","3","4","5","6" ) {
+                            my $link = '';
+                            $link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K50" . "$startup_script";
+                            $retval=symlink($filetolink,$link);
+                    }
+            }
+            return $retval;
+    }
+    #
+    # On SUSE, chkconfig-based rc scripts have been replaced with a whole different
+    # system.  chkconfig on SUSE is actually a shell script that does some stuff and then
+    # calls insserv, their replacement.
+    #
+
+    if (&GetDistro =~ /^SE/) {
+        # only try to chkconfig on if init script is found
+        if ( -e (&getGlobal('DIR', "initd") . "/$startup_script") ) {
+            $chkconfig_line=&getGlobal('BIN','chkconfig');
+            &B_System("$chkconfig_line $startup_script on", "$chkconfig_line $startup_script off");
+            # chkconfig doesn't take affect until reboot, need to restart service also
+            B_service_restart("$startup_script");
+            return 1; #success
+        }
+        return 0; #failure
+    }
+
+    #
+    # Run through the init script looking for the chkconfig line...
+    #
+    $retval = open CHKCONFIG,&getGlobal('DIR', "initd") . "/$startup_script";
+    unless ($retval) {
+        &B_log("ACTION","# Didn't chkconfig_on $startup_script because we couldn't open " . &getGlobal('DIR', "initd") . "/$startup_script\n");
+    }
+    else {
+
+      READ_LOOP:
+        while (my $line=<CHKCONFIG>) {
+
+            # We're looking for lines like this one:
+            #      # chkconfig: 2345 10 90
+            # OR this
+            #      # chkconfig: - 10 90
+
+            if ($line =~ /^#\s*chkconfig:\s*([-\d]+)\s*(\d+)\s*(\d+)/ ) {
+                $runlevelinfo = $1;
+                $start_order = $2;
+                $stop_order = $3;
+                # handle a run levels arg of '-'
+                if ( $runlevelinfo eq '-' ) {
+                    &B_log("ACTION","chkconfig_on saw '-' for run levels for \"$startup_script\", is defaulting to levels 3,4,5\n");
+                    $runlevelinfo = '345';
+                }
+                @runlevels = split(//,$runlevelinfo);
+                # make sure the orders have 2 digits
+                $start_order =~ s/^(\d)$/0$1/;
+                $stop_order =~ s/^(\d)$/0$1/;
+                last READ_LOOP;
+            }
+        }
+        close CHKCONFIG;
+
+        # Do we have what we need?
+        if ( (scalar(@runlevels) < 1) || (! $start_order =~ /^\d{2}$/) || (! $stop_order =~ /^\d{2}$/) ) {
+                # problem
+                &B_log("ERROR","# B_chkconfig_on $startup_script failed -- no valid run level/start/stop info found\n");
+                return(-1);
+        }
+
+        # Now, run through creating symlinks...
+        &B_log("ACTION","# chkconfig_on will use run levels ".join(",",@runlevels)." for \"$startup_script\" with S order $start_order and K order $stop_order\n");
+
+        $retval=0;
+        # BUG: we really ought to readdir() on &getGlobal('DIR', "rcd") to get all levels
+        foreach my $level ( "0","1","2","3","4","5","6" ) {
+                my $link = '';
+                # we make K links in run levels not specified in the chkconfig line
+                $link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/K$stop_order" . $startup_script;
+                my $klink = $link;
+                # now we see if this is a specified run level; if so, make an S link
+                foreach my $markedlevel ( @runlevels ) {
+                        if ( $level == $markedlevel) {
+                                $link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/S$start_order" . $startup_script;
+                        }
+                }
+                my $target = &getGlobal('DIR', "initd") ."/" . $startup_script;
+                my $local_return;
+
+                if ( (-e "$klink") && ($klink ne $link) ) {
+                    # there's a K link, but this level needs an S link
+                    unless ($GLOBAL_LOGONLY) {
+                        $local_return = unlink("$klink");
+                        if ( ! $local_return ) {
+                            # unlinking old, bad $klink failed
+                            &B_log("ERROR","Unlinking $klink failed\n");
+                        } else {
+                            &B_log("ACTION","Removed link $klink\n");
+                            # If we removed the link, add a link command to the revert file
+                            &B_revert_log (&getGlobal('BIN','ln') . " -s $target $klink\n");
+                        } # close what to do if unlink works
+                    }   # if not GLOBAL_LOGONLY
+                }       # if $klink exists and ne $link
+
+                # OK, we've disposed of any old K links, make what we need
+                if ( (! ( -e "$link" )) && ($link ne '') ) {
+                    # link doesn't exist and the start/stop number is OK; make it
+                    unless ($GLOBAL_LOGONLY) {
+                        # create the link
+                        $local_return = &B_symlink($target,$link);
+                        if ($local_return) {
+                            $retval++;
+                            &B_log("ACTION","Created link $link\n");
+                        } else {
+                            &B_log("ERROR","Couldn't create $link when trying to chkconfig on $startup_script\n");
+                        }
+                    }
+
+                } # link doesn't exist
+            } # foreach level
+
+    }
+
+    if ($retval < @runlevels) {
+        $retval=0;
+    }
+
+    $retval;
+
+}
+
+
+###########################################################################
+# &B_chkconfig_off ($daemon_name) deletes the symbolic links that are
+# named in the "# chkconfig: ___ _ _ " portion of the init.d files.  We
+# need this utility, in place of the distro's chkconfig, because of both
+# our need to add revert functionality and our need to harden distros that
+# are not mounted on /.
+#
+# chkconfig allows for a REVERT of its work by writing to an executable
+# file &getGlobal('BFILE', "removed-symlinks").
+#
+# It uses the following global variables to find the links and the init
+# scripts, respectively:
+#
+#   &getGlobal('DIR', "rcd")    -- directory where the rc_.d subdirs can be found
+#   &getGlobal('DIR', "initd")  -- directory the rc_.d directories link to
+#
+# Here an example of where you might use this:
+#
+# You'd like to tell stop running sendmail in daemon mode on boot:
+#       B_chkconfig_off("sendmail")
+#
+###########################################################################
+
+
+
+sub B_chkconfig_off {
+
+    my $startup_script=$_[0];
+    my $retval=1;
+
+    my $chkconfig_line;
+    my @runlevels;
+    my ($start_order,$stop_order,$filetolink);
+
+    if (&GetDistro =~/^DB.*/) {
+            $filetolink = &getGlobal('DIR', "initd") . "/$startup_script";
+            if (-x $filetolink)
+            {
+                    # Three ways to do this in Debian:
+                    # 1.- have the initd script set to 600 mode
+                    # 2.- Remove the links in rcd (re-installing the package
+                    # will break it)
+                    # 3.- Use update-rc.d --remove (same as 2.)
+                    # (jfs)
+                    &B_chmod(0600,$filetolink);
+                    $retval=6;
+
+                    # The second option
+                    #foreach my $level ("0","1","2","3","4","5","6" ) {
+                    #my $link = '';
+                    #$link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K50" . "$startup_script";
+                    #unlink($link);
+                    #}
+            }
+    }
+
+    #
+    # On SUSE, chkconfig-based rc scripts have been replaced with a whole different
+    # system.  chkconfig on SUSE is actually a shell script that does some stuff and then
+    # calls insserv, their replacement.
+    #
+    elsif (&GetDistro =~ /^SE/) {
+        # only try to chkconfig off if init script is found
+        if ( -e (&getGlobal('DIR', "initd") . "/$startup_script") ) {
+            $chkconfig_line=&getGlobal('BIN','chkconfig');
+            &B_System("$chkconfig_line $startup_script on", "$chkconfig_line $startup_script off");
+            # chkconfig doesn't take affect until reboot, need to stop service
+            # since expectation is that the daemons are disabled even without a reboot
+            B_service_stop("$startup_script");
+            return 1; #success
+        }
+        return 0; #failure
+    }
+    else {
+
+            # Run through the init script looking for the chkconfig line...
+
+
+            $retval = open CHKCONFIG,&getGlobal('DIR', "initd") . "/$startup_script";
+            unless ($retval) {
+                    &B_log("ACTION","Didn't chkconfig_off $startup_script because we couldn't open " . &getGlobal('DIR', "initd") . "/$startup_script\n");
+            }
+            else {
+
+                    READ_LOOP:
+                    while (my $line=<CHKCONFIG>) {
+
+                            # We're looking for lines like this one:
+                            #      # chkconfig: 2345 10 90
+
+                            if ($line =~ /^#\s*chkconfig:\s*([-\d]+)\s*(\d+)\s*(\d+)/ ) {
+                                    @runlevels=split //,$1;
+                                    $start_order=$2;
+                                    $stop_order=$3;
+
+
+                                    # Change single digit run levels to double digit -- otherwise,
+                                    # the alphabetic ordering chkconfig depends on fails.
+                                    if ($start_order =~ /^\d$/ ) {
+                                            $start_order = "0" . $start_order;
+                                            &B_log("ACTION","chkconfig_off converted start order to $start_order\n");
+                                    }
+                                    if ($stop_order =~ /^\d$/ ) {
+                                            $stop_order = "0" . $stop_order;
+                                            &B_log("ACTION","chkconfig_off converted stop order to $stop_order\n");
+                                    }
+
+                                    last READ_LOOP;
+                            }
+                    }
+                    close CHKCONFIG;
+
+                    # If we never found a chkconfig line, can we just run through all 5
+                    # rcX.d dirs from 1 to 5...?
+
+                    # unless ( $start_order and $stop_order ) {
+                    #    @runlevels=("1","2","3","4","5");
+                    #    $start_order = "*"; $stop_order="*";
+                    # }
+
+                    # Now, run through removing symlinks...
+
+
+
+                    $retval=0;
+
+                    # Handle the special case that the run level specified is solely "-"
+                    if ($runlevels[0] =~ /-/) {
+                            @runlevels = ( "0","1","2","3","4","5","6" );
+                    }
+
+                    foreach my $level ( @runlevels ) {
+                            my $link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/S$start_order" . $startup_script;
+                            my $new_link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/K$stop_order" . $startup_script;
+                            my $target = &getGlobal('DIR', "initd") ."/" . $startup_script;
+                            my $local_return;
+
+
+                            # Replace the S__ link in this level with a K__ link.
+                            if ( -e $link ) {
+                                    unless ($GLOBAL_LOGONLY) {
+                                            $local_return=unlink $link;
+                                            if ($local_return) {
+                                                    $local_return=symlink $target,$new_link;
+                                                    unless ($local_return) {
+                                                            &B_log("ERROR","Linking $target to $new_link failed.\n");
+                                                    }
+                                            }
+                                            else {  # unlinking failed
+                                                    &B_log("ERROR","Unlinking $link failed\n");
+                                            }
+
+                                    }
+                                    if ($local_return) {
+                                            $retval++;
+                                            &B_log("ACTION","Removed link $link\n");
+
+                                            #
+                                            # If we removed the link, add a link command to the revert file
+                                            # Write out the revert information for recreating the S__
+                                            # symlink and deleting the K__ symlink.
+                                            &B_revert_log(&getGlobal('BIN',"ln") . " -s $target $link\n");
+                                            &B_revert_log(&getGlobal('BIN',"rm") . " -f $new_link\n");
+                                    }
+                                    else {
+                                            &B_log("ERROR","B_chkconfig_off $startup_script failed\n");
+                                    }
+
+                            }
+                    } # foreach
+
+            } # else-unless
+
+    } # else-DB
+    if ($retval < @runlevels) {
+            $retval=0;
+    }
+
+    $retval;
+
+}
+
+
+###########################################################################
+# &B_service_start ($daemon_name)
+# Starts service on RedHat/SUSE-based Linux distributions which have the
+# service command:
+#
+#       service $daemon_name start
+#
+# Other Linux distros that also support this method of starting
+# services can be added to use this function.
+#
+# Here an example of where you might use this:
+#
+# You'd like to tell the system to start the vsftpd daemon:
+#       &B_service_start("vsftpd")
+#
+# Uses &B_System in HP_API.pm
+# To match how the &B_System command works this method:
+# returns 1 on success
+# returns 0 on failure
+###########################################################################
+
+sub B_service_start {
+
+    my $daemon=$_[0];
+
+    if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
+        (&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
+        &B_log("ERROR","Tried to call service_start on a system lacking a service command! Internal Bastille error.");
+       return undef;
+    }
+
+    # only start service if init script is found
+    if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
+        &B_log("ACTION","# service_start enabling $daemon\n");
+
+        my $service_cmd=&getGlobal('BIN', 'service');
+        if ($service_cmd) {
+            # Start the service,
+            # Also provide &B_System revert command
+
+            return (&B_System("$service_cmd $daemon start",
+                              "$service_cmd $daemon stop"));
+        }
+    }
+
+    # init script not found, do not try to start, return failure
+    return 0;
+}
+
+###########################################################################
+# &B_service_stop ($daemon_name)
+# Stops service on RedHat/SUSE-based Linux distributions which have the
+# service command:
+#
+#       service $daemon_name stop
+#
+# Other Linux distros that also support this method of starting
+# services can be added to use this function.
+# Stops service.
+#
+#
+# Here an example of where you might use this:
+#
+# You'd like to tell the system to stop the vsftpd daemon:
+#       &B_service_stop("vsftpd")
+#
+# Uses &B_System in HP_API.pm
+# To match how the &B_System command works this method:
+# returns 1 on success
+# returns 0 on failure
+###########################################################################
+
+sub B_service_stop {
+
+    my $daemon=$_[0];
+
+    if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
+        (&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
+        &B_log("ERROR","Tried to call service_stop on a system lacking a service command! Internal Bastille error.");
+       return undef;
+    }
+
+    # only stop service if init script is found
+    if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
+        &B_log("ACTION","# service_stop disabling $daemon\n");
+
+        my $service_cmd=&getGlobal('BIN', 'service');
+        if ($service_cmd) {
+
+        # Stop the service,
+        # Also provide &B_System revert command
+
+           return (&B_System("$service_cmd $daemon stop",
+                             "$service_cmd $daemon start"));
+        }
+    }
+
+    # init script not found, do not try to stop, return failure
+    return 0;
+}
+
+
+###########################################################################
+# &B_service_restart ($daemon_name)
+# Restarts service on RedHat/SUSE-based Linux distributions which have the
+# service command:
+#
+#       service $daemon_name restart
+#
+# Other Linux distros that also support this method of starting
+# services can be added to use this function.
+#
+# Here an example of where you might use this:
+#
+# You'd like to tell the system to restart the vsftpd daemon:
+#       &B_service_restart("vsftpd")
+#
+# Uses &B_System in HP_API.pm
+# To match how the &B_System command works this method:
+# returns 1 on success
+# returns 0 on failure
+###########################################################################
+
+sub B_service_restart {
+
+    my $daemon=$_[0];
+
+    if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
+        (&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
+        &B_log("ERROR","Tried to call service_restart on a system lacking a service command! Internal Bastille error.");
+       return undef;
+    }
+
+    # only restart service if init script is found
+    if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
+        &B_log("ACTION","# service_restart re-enabling $daemon\n");
+
+        my $service_cmd=&getGlobal('BIN', 'service');
+        if ($service_cmd) {
+
+            # Restart the service
+            return (&B_System("$service_cmd $daemon restart",
+                              "$service_cmd $daemon restart"));
+        }
+    }
+
+    # init script not found, do not try to restart, return failure
+    return 0;
+}
+
+###########################################################################
+# &B_is_service_off($;$)
+#
+# Runs the specified test to determine whether or not the question should
+# be answered.
+#
+# return values:
+# NOTSECURE_CAN_CHANGE()/0:     service is on
+# SECURE_CANT_CHANGE()/1:     service is off
+# undef: test is not defined
+###########################################################################
+
+sub B_is_service_off ($){
+   my $service=$_[0];
+
+   if(&GetDistro =~ "^HP-UX"){
+     #die "Why do I think I'm on HPUX?!\n";
+     return &checkServiceOnHPUX($service);
+   }
+   elsif ( (&GetDistro =~ "^RH") || (&GetDistro =~ "^SE") ) {
+     return &checkServiceOnLinux($service);
+   }
+   else {
+    &B_log("DEBUG","B_is_service off called for unsupported OS");
+     # not yet implemented for other distributions of Linux
+     # when GLOBAL_SERVICE, GLOBAL_SERVTYPE and GLOBAL_PROCESS are filled
+     # in for Linux, then
+     # at least inetd and inittab services should be similar to the above,
+     # whereas chkconfig would be used on some Linux distros to determine
+     # if non-inetd/inittab services are running at boot time.  Looking at
+     # processes should be similar.
+     return undef;
+   }
+}
+
+###########################################################################
+# &checkServiceOnLinux($service);
+#
+# Checks if the given service is running on a Linux system.  This is
+# called by B_is_Service_Off(), which is the function that Bastille
+# modules should call.
+#
+# Return values:
+# NOTSECURE_CAN_CHANGE() if the service is on
+# SECURE_CANT_CHANGE() if the service is off
+# undef if the state of the service cannot be determined
+#
+###########################################################################
+sub checkServiceOnLinux($) {
+  my $service=$_[0];
+
+  # get the list of parameters which could be used to initiate the service
+  # (could be in /etc/rc.d/rc?.d, /etc/inetd.conf, or /etc/inittab, so we
+  # check all of them)
+  
+  my @params = @{ &getGlobal('SERVICE', $service) };
+  my $chkconfig = &getGlobal('BIN', 'chkconfig');
+  my $grep = &getGlobal('BIN', 'grep');
+  my $inittab = &getGlobal('FILE', 'inittab');
+  my $serviceType = &getGlobal('SERVTYPE', $service);;
+
+  # A kludge to get things running because &getGlobal('SERVICE' doesn't
+  # return the expected values.
+  @params = ();
+  push (@params, $service);
+
+  foreach my $param (@params) {
+    &B_log("DEBUG","Checking to see if service $service is off.\n");
+
+    if ($serviceType =~ /rc/) {
+      my $on = &B_Backtick("$chkconfig --list $param 2>&1");
+      if ($on =~ /^$param:\s+unknown/) {
+          # This service isn't installed on the system
+          return NOT_INSTALLED();
+      }
+      if ($on =~ /^error reading information on service $param: No such file or directory/) {
+          # This service isn't installed on the system
+          return NOT_INSTALLED();
+      }
+      if ($on =~ /^error/) {
+          # This probably
+          &B_log("DEBUG","chkconfig returned: $param=$on\n");
+          return undef;
+      }
+      $on =~ s/^$param\s+//;            # remove the service name and spaces
+      $on =~ s/[0-6]:off\s*//g;         # remove any runlevel:off entries
+      $on =~ s/:on\s*//g;               # remove the :on from the runlevels
+      # what remains is a list of runlevels in which the service is on,
+      # or a null string if it is never turned on
+      chomp $on;                        # newline should be gone already (\s)
+      &B_log("DEBUG","chkconfig returned: $param=$on\n");
+
+      if ($on =~ /^\d+$/) {
+        # service is not off
+        ###########################   BREAK out, don't skip question
+        return NOTSECURE_CAN_CHANGE();
+      }
+  }
+    elsif ($serviceType =~ /inet/) {
+        my $on = &B_Backtick("$chkconfig --list $param 2>&1");
+        if ($on =~ /^$param:\s+unknown/) {
+            # This service isn't installed on the system
+            return NOT_INSTALLED();
+        }
+        if ($on =~ /^error reading information on service $param: No such file or directory/) {
+            # This service isn't installed on the system
+            return NOT_INSTALLED();
+        }
+        if ($on =~ /^error/ ) {
+         # Something else is wrong?
+         # return undef
+         return undef;
+     }
+      if ($on =~ tr/\n// > 1) {
+        $on =~ s/^xinetd.+\n//;
+      }
+      $on =~ s/^\s*$param:?\s+//;       # remove the service name and spaces
+      chomp $on;                        # newline should be gone already (\s)
+      &B_log("DEBUG","chkconfig returned: $param=$on\n");
+
+      if ($on =~ /^on$/) {
+        # service is not off
+        ###########################   BREAK out, don't skip question
+        return NOTSECURE_CAN_CHANGE();
+      }
+    }
+    else {
+      # perhaps the service is started by inittab
+      my $inittabline = &B_Backtick("$grep -E '^[^#].{0,3}:.*:.+:.*$param' $inittab");
+      if ($inittabline =~ /.+/) {  # . matches anything except newlines
+        # service is not off
+        &B_log("DEBUG","Checking inittab; found $inittabline\n");
+        ###########################   BREAK out, don't skip question
+        return NOTSECURE_CAN_CHANGE();
+      }
+    }
+  }  # foreach my $param
+
+
+  # boot-time parameters are not set; check processes
+  # Note the checkProcsforService returns INCONSISTENT() if a process is found
+  # assuming the checks above
+  return &checkProcsForService($service);
+}
+
+1;
+
+
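Review bot: On the SUSE branch of B_chkconfig_off (the `elsif (&GetDistro =~ /^SE/)` block), the command handed to &B_System is `$chkconfig_line $startup_script on` with `off` as the revert — a verbatim copy of the line in B_chkconfig_on — so "disabling" a service on SUSE actually enables it at boot and only the following `B_service_stop` call takes effect until the next reboot; the line should read `&B_System("$chkconfig_line $startup_script off", "$chkconfig_line $startup_script on");`. In B_chkconfig_on the sanity check `(! $start_order =~ /^\d{2}$/)` negates the scalar before matching (`!` binds tighter than `=~`), so the start/stop-order validation can never fail; write it as `(! ($start_order =~ /^\d{2}$/))` and likewise for `$stop_order`. In checkServiceOnLinux, `$param` (a copy of `$service`) is interpolated unescaped into the `$chkconfig --list $param 2>&1` and grep command strings as well as into the patterns `/^$param:\s+unknown/` and `s/^$param\s+//`; if &B_Backtick runs these through a shell, a service name containing metacharacters alters both the command and the match, so `\Q$param\E` in the regexes and quoting (or list-form execution) for the commands would be safer. Both chkconfig routines also use the two-argument `open CHKCONFIG, &getGlobal('DIR', "initd") . "/$startup_script"` on a bareword handle, where a script name beginning with `>` or `|` changes the open mode; the three-argument form `open my $fh, '<', $path or ...` avoids that.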
diff --git a/import-layers/meta-security/recipes-security/bastille/files/accept_os_flag_in_backend.patch b/import-layers/meta-security/recipes-security/bastille/files/accept_os_flag_in_backend.patch
new file mode 100644
index 0000000..4a438e4
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/accept_os_flag_in_backend.patch
@@ -0,0 +1,34 @@
+Upstream Status: Inappropriate [No upstream maintenance]
+
+Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
+
+---
+
+Index: Bastille/BastilleBackEnd
+===================================================================
+--- Bastille.orig/BastilleBackEnd	2013-08-21 12:40:54.000000000 -0400
++++ Bastille/BastilleBackEnd	2013-08-21 12:43:21.895950001 -0400
+@@ -52,11 +52,13 @@
+ my $force = 0;
+ my $debug = 0;
+ my $alternate_config=undef;
++my $os_version=undef;
+ 
+ if( Getopt::Long::GetOptions( "n"     => \$nodisclaim,
+                               "v"     => \$verbose,
+                               "force" => \$force,
+ 			      "f=s"   => \$alternate_config,
++                              "os=s"  => \$os_version,
+ 			      "debug" => \$debug) ) {
+     $error = 0; # no parse error
+ 
+@@ -66,7 +68,8 @@
+ 
+ &setOptions(
+   debug => $debug,
+-  verbose => $verbose);
++  verbose => $verbose,
++  os => $os_version);
+ &ConfigureForDistro;
+ 
+ if ( $error ) { # GetOptions couldn't parse all of the args
diff --git a/import-layers/meta-security/recipes-security/bastille/files/allow_os_with_assess.patch b/import-layers/meta-security/recipes-security/bastille/files/allow_os_with_assess.patch
new file mode 100644
index 0000000..e112f90
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/allow_os_with_assess.patch
@@ -0,0 +1,43 @@
+Upstream Status: Inappropriate [No upstream maintenance]
+
+Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
+
+---
+
+Index: Bastille/bin/bastille
+===================================================================
+--- Bastille.orig/bin/bastille	2013-08-21 08:59:06.647950000 -0400
++++ Bastille/bin/bastille	2013-08-21 15:55:53.193631711 -0400
+@@ -195,7 +195,6 @@
+ systemFileLocations
+ 
+ isAssessing='no'
+-nonXArg='no'
+ 
+ if [ $PERL_V_MAJ -eq $MIN_V_MAJ  -a  $PERL_V_MIN -lt $MIN_V_MIN -o $PERL_V_MAJ -lt  $MIN_V_MAJ ]; then # invalid Perl
+     printErr
+@@ -316,12 +315,10 @@
+ 	  '--os')
+ 	      options_left="$options_left --os"
+               optarg='yes'
+-              nonXArg='yes'
+ 	      ;;
+           '-f')
+               options_left="$options_left -f"
+               optarg='yes'
+-              nonXArg='yes'
+               ;;
+ #  Non-exclusive (undocumented and unsupported) options follow:
+ #  There is no validity/combination checking done with these.
+@@ -345,11 +342,6 @@
+       fi
+     done
+ 
+-#Detect case where -f or --os attempted use with --assess
+-    if [ \( x$nonXArg = xyes \) -a  \( x$isAssessing = xyes \) ]; then
+-      printUsage
+-      exit 2
+-    fi
+ 
+ # We have a valid version of perl! Verify that all the required
+ # modules can be found.
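Review bot: The patch header gives no rationale for dropping the exclusivity check between `-f`/`--os` and `--assess` at the end of the hunk, and "Upstream Status: Inappropriate" alone does not explain why combining an alternate config or OS override with assessment mode is now considered valid. A sentence such as `Allow --os and -f together with --assess so that assessment can be run against an explicitly selected OS profile` above the `---` separator would let a future maintainer judge whether the guard can be restored. The removal of the `nonXArg='no'` initialisation and of both `nonXArg='yes'` assignments is consistent with deleting the check, so no stray references appear to remain in the visible lines.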
diff --git a/import-layers/meta-security/recipes-security/bastille/files/call_output_config.patch b/import-layers/meta-security/recipes-security/bastille/files/call_output_config.patch
new file mode 100644
index 0000000..1e898b1
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/call_output_config.patch
@@ -0,0 +1,19 @@
+Upstream Status: Inappropriate [No upstream maintenance]
+
+Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
+
+---
+
+Index: Bastille/Bastille_Curses.pm
+===================================================================
+--- Bastille.orig/Bastille_Curses.pm	2013-08-21 08:58:53.899950000 -0400
++++ Bastille/Bastille_Curses.pm	2013-08-21 09:20:20.295950005 -0400
+@@ -84,7 +84,7 @@
+     }
+ 
+     # Output answers to the script and display
+-    &checkAndSaveConfig(&getGlobal('BFILE', "config"));
++    &outputConfig;
+ 
+     # Run Bastille
+ 
diff --git a/import-layers/meta-security/recipes-security/bastille/files/config b/import-layers/meta-security/recipes-security/bastille/files/config
new file mode 100755
index 0000000..9e5e206
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/config
@@ -0,0 +1,106 @@
+# Q:  Would you like to enforce password aging? [Y]
+AccountSecurity.passwdage="Y"
+# Q:  Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
+AccountSecurity.protectrhost="Y"
+# Q:  Should we disallow root login on tty's 1-6? [N]
+AccountSecurity.rootttylogins="Y"
+# Q:  What umask would you like to set for users on the system? [077]
+AccountSecurity.umask="077"
+# Q:  Do you want to set the default umask? [Y]
+AccountSecurity.umaskyn="Y"
+# Q:  Would you like to deactivate the Apache web server? [Y]
+Apache.apacheoff="Y"
+# Q:  Would you like to password protect single-user mode? [Y]
+BootSecurity.passsum="Y"
+# Q:  Should we restrict console access to a small group of user accounts? [N]
+ConfigureMiscPAM.consolelogin="Y"
+# Q:  Which accounts should be able to login at console? [root]
+ConfigureMiscPAM.consolelogin_accounts="root"
+# Q:  Would you like to put limits on system resource usage? [N]
+ConfigureMiscPAM.limitsconf="Y"
+# Q:  Would you like to set more restrictive permissions on the administration utilities? [N]
+FilePermissions.generalperms_1_1="Y"
+# Q:  Would you like to disable SUID status for mount/umount?
+FilePermissions.suidmount="Y"
+# Q:  Would you like to disable SUID status for ping? [Y]
+FilePermissions.suidping="Y"
+# Q:  Would you like to disable SUID status for traceroute? [Y]
+FilePermissions.suidtrace="Y"
+# Q:  Do you need the advanced networking options?
+Firewall.ip_advnetwork="Y"
+# Q:  Should Bastille run the firewall and enable it at boot time? [N]
+Firewall.ip_enable_firewall="Y"
+# Q:  Would you like to run the packet filtering script? [N]
+Firewall.ip_intro="Y"
+# Q:  Interfaces for DHCP queries: [ ]
+Firewall.ip_s_dhcpiface=" "
+# Q:  DNS servers: [0.0.0.0/0]
+Firewall.ip_s_dns="10.184.9.1"
+# Q:  ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
+Firewall.ip_s_icmpallowed="destination-unreachable echo-reply time-exceeded"
+# Q:  ICMP services to audit: [ ]
+Firewall.ip_s_icmpaudit=" "
+# Q:  ICMP types to disallow outbound: [destination-unreachable time-exceeded]
+Firewall.ip_s_icmpout="destination-unreachable time-exceeded"
+# Q:  Internal interfaces: [ ]
+Firewall.ip_s_internaliface=" "
+# Q:  TCP service names or port numbers to allow on private interfaces: [ ]
+Firewall.ip_s_internaltcp=" "
+# Q:  UDP service names or port numbers to allow on private interfaces: [ ]
+Firewall.ip_s_internaludp=" "
+# Q:  Masqueraded networks: [ ]
+Firewall.ip_s_ipmasq=" "
+# Q:  Kernel modules to masquerade: [ftp raudio vdolive]
+Firewall.ip_s_kernelmasq="ftp raudio vdolive"
+# Q:  NTP servers to query: [ ]
+Firewall.ip_s_ntpsrv=" "
+# Q:  Force passive mode? [N]
+Firewall.ip_s_passiveftp="N"
+# Q:  Public interfaces: [eth+ ppp+ slip+]
+Firewall.ip_s_publiciface="eth+ ppp+ slip+"
+# Q:  TCP service names or port numbers to allow on public interfaces:[ ]
+Firewall.ip_s_publictcp=" "
+# Q:  UDP service names or port numbers to allow on public interfaces:[ ]
+Firewall.ip_s_publicudp=" "
+# Q:  Reject method: [DENY]
+Firewall.ip_s_rejectmethod="DENY"
+# Q:  Enable source address verification? [Y]
+Firewall.ip_s_srcaddr="Y"
+# Q:  TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
+Firewall.ip_s_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
+# Q:  TCP services to block: [2049 2065:2090 6000:6020 7100]
+Firewall.ip_s_tcpblock="2049 2065:2090 6000:6020 7100"
+# Q:  Trusted interface names: [lo]
+Firewall.ip_s_trustiface="lo"
+# Q:  UDP services to audit: [31337]
+Firewall.ip_s_udpaudit="31337"
+# Q:  UDP services to block: [2049 6770]
+Firewall.ip_s_udpblock="2049 6770"
+# Q:  Would you like to add additional logging? [Y]
+Logging.morelogging="Y"
+# Q:  Would you like to set up process accounting? [N]
+Logging.pacct="N"
+# Q:  Do you have a remote logging host? [N]
+Logging.remotelog="N"
+# Q:  Would you like to disable acpid and/or apmd? [Y]
+MiscellaneousDaemons.apmd="Y"
+# Q:  Would you like to deactivate NFS and Samba? [Y]
+MiscellaneousDaemons.remotefs="Y"
+# Q:  Would you like to disable printing? [N]
+Printing.printing="Y"
+# Q:  Would you like to disable printing? [N]
+Printing.printing_cups="Y"
+# Q:  Would you like to display "Authorized Use" messages at log-in time? [Y]
+SecureInetd.banners="Y"
+# Q:  Should Bastille ensure inetd's FTP service does not run on this system? [y]
+SecureInetd.deactivate_ftp="Y"
+# Q:  Should Bastille ensure the telnet service does not run on this system? [y]
+SecureInetd.deactivate_telnet="Y"
+# Q:  Who is responsible for granting authorization to use this machine?
+SecureInetd.owner="its owner"
+# Q:  Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
+SecureInetd.tcpd_default_deny="Y"
+# Q:  Do you want to stop sendmail from running in daemon mode? [Y]
+Sendmail.sendmaildaemon="Y"
+# Q:  Would you like to install TMPDIR/TMP scripts? [N]
+TMPDIR.tmpdir="N"
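Review bot: `Firewall.ip_s_dns="10.184.9.1"` on the DNS-servers line is a site-specific address committed to a layer-wide config where the prompt's own default is `0.0.0.0/0`; together with `Firewall.ip_enable_firewall="Y"` this presumably confines DNS traffic on every image built from this layer to that one host, which looks like a leftover from a test network. Unless it is intentional, `Firewall.ip_s_dns="0.0.0.0/0"` restores the default. Several other answers also diverge from their bracketed defaults (`AccountSecurity.rootttylogins="Y"`, `ConfigureMiscPAM.consolelogin="Y"`, `SecureInetd.tcpd_default_deny="Y"`), and a short header comment naming the target image and the rationale for the non-default choices would help the next reader. On an image where root is the only account, disallowing root on tty1-6 while restricting console login to root may leave no local login path at all, so that pairing in particular is worth confirming.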
diff --git a/import-layers/meta-security/recipes-security/bastille/files/do_not_apply_config.patch b/import-layers/meta-security/recipes-security/bastille/files/do_not_apply_config.patch
new file mode 100644
index 0000000..574aa98
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/do_not_apply_config.patch
@@ -0,0 +1,40 @@
+Upstream Status: Inappropriate [No upstream maintenance]
+
+Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
+
+---
+
+Index: Bastille/Bastille_Curses.pm
+===================================================================
+--- Bastille.orig/Bastille_Curses.pm	2013-08-27 16:43:39.130959000 -0400
++++ Bastille/Bastille_Curses.pm	2013-08-27 16:43:39.794959000 -0400
+@@ -83,11 +83,6 @@
+     # Output answers to the script and display
+     &outputConfig;
+ 
+-    # Run Bastille
+-
+-    &Run_Bastille_with_Config;
+-
+-
+     # Display Credits
+ 
+     open CREDITS,"/usr/share/Bastille/Credits";
+Index: Bastille/InteractiveBastille
+===================================================================
+--- Bastille.orig/InteractiveBastille	2013-08-27 16:43:39.434959000 -0400
++++ Bastille/InteractiveBastille	2013-08-27 17:18:55.758959000 -0400
+@@ -531,10 +531,10 @@
+     "       Please address bug reports and suggestions to jay\@bastille-linux.org\n" .
+     "\n";
+ 
+-    $InterfaceEndScreenDescription = "We will now implement the choices you have made here.\n\n" .
++    $InterfaceEndScreenDescription = "We will now record the choices you have made here.\n\n" .
+ 	"Answer NO if you want to go back and make changes!\n";
+-    $InterfaceEndScreenQuestion = "Are you finished answering the questions, i.e. may we make the changes?";
+-    $InterfaceEndScreenNoEpilogue = "Please use Back/Next buttons to move among the questions you wish to\nchange.\n\nChoose YES on this question later to implement your choices.\n";
++    $InterfaceEndScreenQuestion = "Are you finished answering the questions, i.e. may we record the answers and exit?";
++    $InterfaceEndScreenNoEpilogue = "Please use Back/Next buttons to move among the questions you wish to\nchange.\n\nChoose YES on this question later to record your choices.\n";
+     require Bastille_Curses;
+ } elsif ($GLOBAL_AUDITONLY) {
+ 
diff --git a/import-layers/meta-security/recipes-security/bastille/files/edit_usage_message.patch b/import-layers/meta-security/recipes-security/bastille/files/edit_usage_message.patch
new file mode 100644
index 0000000..72cdc2f
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/edit_usage_message.patch
@@ -0,0 +1,32 @@
+Upstream Status: Inappropriate [No upstream maintenance]
+
+Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
+
+---
+
+Index: Bastille/bin/bastille
+===================================================================
+--- Bastille.orig/bin/bastille	2013-08-25 14:16:35.614779001 -0400
++++ Bastille/bin/bastille	2013-08-25 14:16:38.674779000 -0400
+@@ -60,7 +60,7 @@
+ printUsage () {
+   cat >&2 << EOF
+ $ERRSPACES Usage: bastille [ -b  | -c | -x ] [ --os <version>] [ -f <alternate config> ]
+-$ERRSPACES        bastille [-r | -l | -h | --assess | --assessnobrowser ]
++$ERRSPACES        bastille [-r | -l | -h | --assess | --assessnobrowser ] [ --os <version> ]
+ $ERRSPACES -b : use a saved config file to apply changes
+ $ERRSPACES      directly to system
+ $ERRSPACES -c : use the Curses (non-X11) GUI, not available on HP-UX
+Index: Bastille/Bastille/API.pm
+===================================================================
+--- Bastille.orig/Bastille/API.pm	2013-08-25 08:15:40.266779002 -0400
++++ Bastille/Bastille/API.pm	2013-08-25 14:18:22.750778811 -0400
+@@ -206,7 +206,7 @@
+ #options before interactive or Bastille runs, so this check is often redundant
+ $GLOBAL_ERROR{"usage"}="\n".
+     "$spc Usage: bastille [ -b | -c | -x ] [ --os <version> ] [ -f <alternate config> ]\n".
+-    "$spc        bastille [ -r | --assess | --assessnobowser ]\n\n".
++    "$spc        bastille [ -r | --assess | --assessnobowser ] [ --os <version> ]\n\n".
+     "$spc --assess : check status of system and report in browser\n".
+     "$spc --assessnobrowser : check status of system and list report locations\n".
+     "$spc -b : use a saved config file to apply changes\n".
diff --git a/import-layers/meta-security/recipes-security/bastille/files/find_existing_config.patch b/import-layers/meta-security/recipes-security/bastille/files/find_existing_config.patch
new file mode 100644
index 0000000..c075875
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/find_existing_config.patch
@@ -0,0 +1,64 @@
+Upstream Status: Inappropriate [No upstream maintenance]
+
+Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
+
+---
+
+Index: Bastille/bin/bastille
+===================================================================
+--- Bastille.orig/bin/bastille	2013-06-20 14:58:01.065796000 -0400
++++ Bastille/bin/bastille	2013-08-20 15:16:18.472378000 -0400
+@@ -102,8 +102,9 @@
+     # defines OS specific file locations based on uname
+     systemFileLocations
+ 
++    config_files=`find $config_repository -type f -name \*config 2>/dev/null`
++
+     if [ -f $last_config ]; then
+-        config_files=`find $config_repository -type f -name \*config 2>/dev/null`
+ 	for config_cursor in `echo $config_files`
+ 	  do
+ 	  if /usr/bin/diff $last_config $config_cursor >/dev/null 2>&1
+@@ -112,8 +113,8 @@
+ 	  fi
+ 	done
+ 	if [ -n "$match" ]; then
+-	    echo "The last bastille run corresponds to the following profiles:"
+-	    echo "$match"
++	    printf "The last Bastille run corresponds to the following profiles:\n"
++	    printf "$match"
+ 	else
+             cat >&2 << EOF
+ NOTE:    The last config file applied,
+@@ -122,18 +123,28 @@
+ $ERRSPACES $config_repository.
+ $ERRSPACES This probably means that Bastille was last run interactively and
+ $ERRSPACES changes were made to the config file, but they have not yet been
+-$ERRSPACES applied, or that the source config file was moved.  If you do have pending 
++$ERRSPACES applied, or that the source config file was moved.  If you do have pending
+ $ERRSPACES changes in a config file, you can apply them by running
+ $ERRSPACES 'bastille -b -f <config file>.'
+ EOF
+ 
+ 	fi
+     else
+-	echo "NOTE:    The system is in its pre-bastilled state.\n"
++	for config_cursor in `echo $config_files`
++	  do
++	  match="$match   $config_cursor\n"
++	done
++        if [ -n "$match" ]; then
++            printf "The following Bastille profiles were located:\n"
++            printf "$match"
++        else
++            printf "No Bastille profiles were located.\n"
++        fi
++        printf "No log files of profiles from previous executions of Bastille have been found. It is likely that Bastille has not been run on this machine.\n"
+     fi
+-
+ }
+ 
++
+ # First, make sure we're root
+ if [ `PATH="/usr/bin:/bin"; id -u` -ne 0 ]; then
+     echo "ERROR:   Bastille must be run as root user" >&2
diff --git a/import-layers/meta-security/recipes-security/bastille/files/fix_missing_use_directives.patch b/import-layers/meta-security/recipes-security/bastille/files/fix_missing_use_directives.patch
new file mode 100644
index 0000000..05f145a
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/fix_missing_use_directives.patch
@@ -0,0 +1,54 @@
+Upstream Status: Inappropriate [No upstream maintenance]
+
+Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
+
+---
+
+Index: Bastille/Bastille/Firewall.pm
+===================================================================
+--- Bastille.orig/Bastille/Firewall.pm	2008-09-14 19:56:54.000000000 -0400
++++ Bastille/Bastille/Firewall.pm	2013-08-20 16:28:44.588378000 -0400
+@@ -21,6 +21,7 @@
+ package Bastille::Firewall;
+ 
+ use Bastille::API;
++use Bastille::API::AccountPermission;
+ use Bastille::API::FileContent;
+ use Bastille::API::ServiceAdmin;
+ 
+Index: Bastille/Bastille/SecureInetd.pm
+===================================================================
+--- Bastille.orig/Bastille/SecureInetd.pm	2008-09-14 19:56:58.000000000 -0400
++++ Bastille/Bastille/SecureInetd.pm	2013-08-20 16:45:02.252378001 -0400
+@@ -12,6 +12,7 @@
+ use lib "/usr/lib";
+ 
+ use Bastille::API;
++use Bastille::API::AccountPermission;
+ use Bastille::API::HPSpecific;
+ use Bastille::API::ServiceAdmin;
+ use Bastille::API::FileContent;
+Index: Bastille/Bastille/ConfigureMiscPAM.pm
+===================================================================
+--- Bastille.orig/Bastille/ConfigureMiscPAM.pm	2005-09-12 23:47:28.000000000 -0400
++++ Bastille/Bastille/ConfigureMiscPAM.pm	2013-08-20 18:36:07.340378001 -0400
+@@ -5,6 +5,7 @@
+ use lib "/usr/lib";
+ 
+ use Bastille::API;
++use Bastille::API::FileContent;
+ 
+ # To DO:
+ #
+Index: Bastille/Bastille/Printing.pm
+===================================================================
+--- Bastille.orig/Bastille/Printing.pm	2008-09-14 19:56:58.000000000 -0400
++++ Bastille/Bastille/Printing.pm	2013-08-20 19:05:01.532378002 -0400
+@@ -5,6 +5,7 @@
+ use lib "/usr/lib";
+ 
+ use Bastille::API;
++use Bastille::API::AccountPermission;
+ use Bastille::API::HPSpecific;
+ use Bastille::API::ServiceAdmin;
+ use Bastille::API::FileContent;
diff --git a/import-layers/meta-security/recipes-security/bastille/files/fix_number_of_modules.patch b/import-layers/meta-security/recipes-security/bastille/files/fix_number_of_modules.patch
new file mode 100644
index 0000000..743e549
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/fix_number_of_modules.patch
@@ -0,0 +1,38 @@
+Upstream Status: Inappropriate [No upstream maintenance]
+
+Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
+
+---
+
+Index: Bastille/Bastille_Curses.pm
+===================================================================
+--- Bastille.orig/Bastille_Curses.pm	2013-08-24 18:21:54.445288000 -0400
++++ Bastille/Bastille_Curses.pm	2013-08-24 18:29:16.981288000 -0400
+@@ -36,9 +36,6 @@
+     use Curses;
+     use Curses::Widgets;
+ 
+-    # Number_Modules is the number of modules loaded in by Load_Questions
+-    $Number_Modules=0;
+-
+     #
+     # Highlighted button is the button currently chosen in the button bar
+     #     We preserve this from question to question...
+@@ -397,7 +394,7 @@
+     my $title;
+ 
+     if ($module) {
+-	$title=$module . " of $Number_Modules";
++	$title=$module;
+     }
+ 
+     txt_field( 'window'       => $window,
+@@ -488,7 +485,7 @@
+     my $title;
+ 
+     if ($module) {
+-	$title=$module . " of $Number_Modules";
++	$title=$module;
+     }
+ 
+     noecho;
diff --git a/import-layers/meta-security/recipes-security/bastille/files/fix_version_parse.patch b/import-layers/meta-security/recipes-security/bastille/files/fix_version_parse.patch
new file mode 100644
index 0000000..5923c04
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/fix_version_parse.patch
@@ -0,0 +1,27 @@
+Upstream Status: Inappropriate [No upstream maintenance]
+
+Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
+
+---
+
+Index: Bastille/bin/bastille
+===================================================================
+--- Bastille.orig/bin/bastille
++++ Bastille/bin/bastille
+@@ -162,11 +162,12 @@ fi
+ # We check that the version is at least the minimum
+ 
+ PERL_VERSION=`${CURRENT_PERL_PATH}/perl -version |
+-                head -2 |            # the second line contains the version
++                head -n 2 |            # the second line contains the version
+                 tr " "  "\n" |       # split words into separate lines
+-                sed -e "s/^v//" |    # to get rid of the v in v5.6.0
+-                grep "^[1-9]\." |    # find a "word" that starts with number dot
+-                sed -e "s/_/./"`     # substitute _patchlevel with .patchlevel
++                grep "^(v" |         # find a "word" that starts with '(v'
++                sed -e "s/^(v//" -e "s/)//" -e "s/_/./"`
++                                     # to get rid of the (v in v5.6.0
++                                     # substitute _patchlevel with .patchlevel
+                                      #   (used in 5.005_03 and prior)
+ 
+ # everything before the first .
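Review bot: The comment `# to get rid of the (v in v5.6.0` was carried over from the removed `sed -e "s/^v//"` step and no longer describes the new expressions, which strip both a `(v` prefix and a `)` suffix from a token of the form `(v5.6.0)`. Something like `# strip the "(v" prefix and ")" suffix from a token like (v5.6.0)` reads accurately. These trailing comments also now sit after the closing backtick rather than inside the pipeline, which is fine for the shell but worth a glance since they visually belong to the `sed` line above.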
diff --git a/import-layers/meta-security/recipes-security/bastille/files/fixed_defined_warnings.patch b/import-layers/meta-security/recipes-security/bastille/files/fixed_defined_warnings.patch
new file mode 100644
index 0000000..e7996e3
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/fixed_defined_warnings.patch
@@ -0,0 +1,65 @@
+From c59b84ca3bda8e4244d47901b6966f28dd675434 Mon Sep 17 00:00:00 2001
+From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+Date: Thu, 23 May 2013 15:12:23 +0300
+Subject: [PATCH] added yocto-standard to bastille
+
+In order to make Bastille functional and avoid errors
+regarding distros, if not any given distro is identified,
+yocto-standard distro is added to the distro variable
+in Bastille.
+
+Fixed also some warnings regarding defined statements
+in API.pm.
+
+Upstream Status: Inappropriate [No upstream maintenance]
+
+Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+
+Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
+
+---
+ Bastille/API.pm |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+Index: Bastille/Bastille/API.pm
+===================================================================
+--- Bastille.orig/Bastille/API.pm	2008-09-14 19:56:53.000000000 -0400
++++ Bastille/Bastille/API.pm	2013-08-21 08:55:26.715950001 -0400
+@@ -445,8 +445,8 @@
+ 		$release=`/usr/bin/uname -sr`;
+ 	    }
+ 	    else {
+-	 	print STDERR "$err Could not determine operating system version!\n";
+-		$distro="unknown";
++                print STDERR "$err Could not determine operating system version!\n";
++		$distro="unknown"
+             }
+ 
+ 	    # Figure out what kind of system we're on.
+@@ -1284,7 +1284,7 @@
+ 
+     my $sumFile = &getGlobal('BFILE',"sum.csv");
+ 
+-    if ( defined %GLOBAL_SUM ) {
++    if ( %GLOBAL_SUM ) {
+ 
+ 	open( SUM, "> $sumFile") or &B_log("ERROR","Unable to open $sumFile for write.\n$!\n");
+ 
+@@ -1318,7 +1318,7 @@
+     my $file = $_[0];
+     my $cksum = &getGlobal('BIN',"cksum");
+ 
+-    if (not(defined(%GLOBAL_SUM))) {
++    if (not(%GLOBAL_SUM)) {
+         &B_read_sums;
+     }
+ 
+@@ -1375,7 +1375,7 @@
+ sub B_isFileinSumDB($) {
+     my $file = $_[0];
+ 
+-    if (not(defined(%GLOBAL_SUM))) {
++    if (not(%GLOBAL_SUM)) {
+         &B_log("DEBUG","Reading in DB from B_isFileinSumDB");
+         &B_read_sums;
+     }
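Review bot: The first hunk in API.pm rewrites the two lines in the `else` branch but only changes their whitespace and drops the trailing semicolon from `$distro="unknown"`; the result is legal as the last statement in a block, but it is unrelated to the `defined %GLOBAL_SUM` fixes this patch exists for and makes the hunk read as noise. Keeping `$distro="unknown";` with its original indentation would reduce the patch to the three `defined`-on-hash removals. The preface subject also says "added yocto-standard to bastille", yet no hunk in this file touches a distro list, so it appears the patch was split and the description not updated; hedged, but worth aligning the text with what the hunks do.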
diff --git a/import-layers/meta-security/recipes-security/bastille/files/organize_distro_discovery.patch b/import-layers/meta-security/recipes-security/bastille/files/organize_distro_discovery.patch
new file mode 100644
index 0000000..d64d1e2
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/organize_distro_discovery.patch
@@ -0,0 +1,476 @@
+Upstream Status: Inappropriate [No upstream maintenance]
+
+Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
+
+---
+
+Index: Bastille/Bastille/API.pm
+===================================================================
+--- Bastille.orig/Bastille/API.pm	2013-08-22 04:32:38.269968002 -0400
++++ Bastille/Bastille/API.pm	2013-08-22 11:29:53.137968002 -0400
+@@ -141,7 +141,7 @@
+     checkProcsForService
+     
+     
+-    $GLOBAL_OS $GLOBAL_ACTUAL_OS $CLI
++    $CLI
+     $GLOBAL_LOGONLY $GLOBAL_VERBOSE $GLOBAL_DEBUG $GLOBAL_AUDITONLY $GLOBAL_AUDIT_NO_BROWSER $errorFlag
+     %GLOBAL_BIN %GLOBAL_DIR %GLOBAL_FILE
+     %GLOBAL_BDIR %GLOBAL_BFILE
+@@ -198,7 +198,7 @@
+ my $err ="ERROR:  ";
+ my $spc ="        ";
+ my $GLOBAL_OS="None";
+-my $GLOBAL_ACTUAL_OS="None";
++my $GLOBAL_INFERRED_OS="None";
+ my %GLOBAL_SUMS=();
+ my $CLI='';
+ 
+@@ -306,7 +306,7 @@
+ 
+ ###########################################################################
+ #
+-# GetDistro checks to see if the target is a known distribution and reports
++# InferDistro checks to see if the target is a known distribution and reports
+ # said distribution.
+ #
+ # This is used throughout the script, but also by ConfigureForDistro.
+@@ -314,205 +314,194 @@
+ #
+ ###########################################################################
+ 
+-sub GetDistro() {
++sub InferDistro() {
+ 
+     my ($release,$distro);
+ 
+-    # Only read files for the distro once.
+-    # if the --os option was used then
+-    if ($GLOBAL_OS eq "None") {
+-	if ( -e "/etc/mandrake-release" ) {
+-	    open(MANDRAKE_RELEASE,"/etc/mandrake-release");
+-	    $release=<MANDRAKE_RELEASE>;
+-
+-	    if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
+-		$distro="MN$1";
+-	    }
+-	    elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
+-                $distro="MN$1";
+-            }
+-            else {
+-		print STDERR "$err Couldn't determine Mandrake/Mandriva version! Setting to 10.1!\n";
+-		$distro="MN10.1";
+-	    }
+-
+-	    close(MANDRAKE_RELEASE);
+-	}
+-	elsif ( -e "/etc/immunix-release" ) {
+-	    open(IMMUNIX_RELEASE,"/etc/immunix-release");
+-	    $release=<IMMUNIX_RELEASE>;
+-	    unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
+-		print STDERR "$err Couldn't determine Immunix version! Setting to 6.2!\n";
+-		$distro="RH6.2";
+-	    }
+-	    else {
+-		$distro="RH$1";
+-	    }
+-	    close(*IMMUNIX_RELEASE);
+-	}
+-	elsif ( -e '/etc/fedora-release' ) {
+-            open(FEDORA_RELEASE,'/etc/fedora-release');
+-            $release=<FEDORA_RELEASE>;
+-            close FEDORA_RELEASE;
+-            if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
+-                $distro = "RHFC$1";
+-            }
+-	    elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
+-                $distro = "RHFC$1";
+-            } 
+-            else {
+-                print STDERR "$err Could not determine Fedora version! Setting to Fedora Core 8\n";
+-                $distro='RHFC8';
+-            }
++    if ( -e "/etc/mandrake-release" ) {
++        open(MANDRAKE_RELEASE,"/etc/mandrake-release");
++        $release=<MANDRAKE_RELEASE>;
++
++        if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
++	    $distro="MN$1";
++	}
++	elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
++            $distro="MN$1";
++        }
++        else {
++            print STDERR "$err Could not infer Mandrake/Mandriva version! Setting to 10.1!\n";
++	    $distro="MN10.1";
++	}
++
++        close(MANDRAKE_RELEASE);
++    }
++    elsif ( -e "/etc/immunix-release" ) {
++        open(IMMUNIX_RELEASE,"/etc/immunix-release");
++        $release=<IMMUNIX_RELEASE>;
++        unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
++            print STDERR "$err Could not infer Immunix version! Setting to 6.2!\n";
++	    $distro="RH6.2";
++        }
++	else {
++	    $distro="RH$1";
+ 	}
+-	elsif ( -e "/etc/redhat-release" ) {
+-	    open(*REDHAT_RELEASE,"/etc/redhat-release");
+-	    $release=<REDHAT_RELEASE>;
+-	    if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
+-		$distro="RH$1";
+-	    }
+-            elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
+-                $distro="RHEL$1$2";
+-            }
+-	    elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
+-		$distro="RHEL$2$1";
++	close(*IMMUNIX_RELEASE);
++    }
++    elsif ( -e '/etc/fedora-release' ) {
++        open(FEDORA_RELEASE,'/etc/fedora-release');
++        $release=<FEDORA_RELEASE>;
++        close FEDORA_RELEASE;
++        if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
++            $distro = "RHFC$1";
++        }
++	elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
++            $distro = "RHFC$1";
++        }
++        else {
++            print STDERR "$err Could not infer Fedora version! Setting to Fedora Core 8\n";
++            $distro='RHFC8';
++        }
++    }
++    elsif ( -e "/etc/redhat-release" ) {
++        open(*REDHAT_RELEASE,"/etc/redhat-release");
++        $release=<REDHAT_RELEASE>;
++        if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
++	    $distro="RH$1";
++	}
++        elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
++            $distro="RHEL$1$2";
++        }
++	elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
++	    $distro="RHEL$2$1";
++	}
++	elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
++	    my $version = $1;
++	    if ($version =~ /^4\./) {
++	        $distro='RHEL4AS';
+ 	    }
+-	    elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
+-		my $version = $1;
+-		if ($version =~ /^4\./) {
+-		    $distro='RHEL4AS';
+-		}
+-		elsif ($version =~ /^3\./) {
+-		    $distro='RHEL3AS';
+-		}
+-		else {
+-		    print STDERR "$err Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
+-		    $distro='RHEL4AS';
+-                 }
+-	    }
+- 	    else {
+-		# JJB/HP - Should this be B_log?
+-		print STDERR "$err Couldn't determine Red Hat version! Setting to 9!\n";
+-		$distro="RH9";
+-	    }
+-	    close(REDHAT_RELEASE);
+-
+-	}
+-	elsif ( -e "/etc/debian_version" ) {
+-	    $stable="3.1"; #Change this when Debian stable changes
+-	    open(*DEBIAN_RELEASE,"/etc/debian_version");
+-	    $release=<DEBIAN_RELEASE>;
+-	    unless ($release =~ /^(\d+\.\d+\w*)/) {
+-		print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
+-		$distro="DB$stable";
++	    elsif ($version =~ /^3\./) {
++	        $distro='RHEL3AS';
+ 	    }
+ 	    else {
+-		$distro="DB$1";
+-	    }
+-	    close(DEBIAN_RELEASE);
+-	}
+-	elsif ( -e "/etc/SuSE-release" ) {
+-	    open(*SUSE_RELEASE,"/etc/SuSE-release");
+-	    $release=<SUSE_RELEASE>;
+-	    if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
+-		$distro="SE$1";
+-	    }
+-	    elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
+-		$distro="SESLES$1";
+-	    }
+-	    elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
+-		$distro="SESLES$1";
+-	    }
+-            elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
+-                $distro="SE$1";
++	        print STDERR "$err Could not infer CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
++	        $distro='RHEL4AS';
+             }
+-	    else {
+-		print STDERR "$err Couldn't determine SuSE version! Setting to 10.3!\n";
+-		$distro="SE10.3";
+-	    }
+-	    close(SUSE_RELEASE);
+-	}
+-	elsif ( -e "/etc/turbolinux-release") {
+-	    open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
+-	    $release=<TURBOLINUX_RELEASE>;
+-	    unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
+-		print STDERR "$err Couldn't determine TurboLinux version! Setting to 7.0!\n";
+-		$distro="TB7.0";
+-	    }
+-	    else {
+-		$distro="TB$1";
+-	    }
+-	    close(TURBOLINUX_RELEASE);
++        }
++ 	else {
++	    # JJB/HP - Should this be B_log?
++	    print STDERR "$err Could not infer Red Hat version! Setting to 9!\n";
++	    $distro="RH9";
++	}
++	close(REDHAT_RELEASE);
++
++    }
++    elsif ( -e "/etc/debian_version" ) {
++        $stable="3.1"; #Change this when Debian stable changes
++        open(*DEBIAN_RELEASE,"/etc/debian_version");
++        $release=<DEBIAN_RELEASE>;
++        unless ($release =~ /^(\d+\.\d+\w*)/) {
++  	    print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
++	    $distro="DB$stable";
++        }
++        else {
++	    $distro="DB$1";
++	}
++	close(DEBIAN_RELEASE);
++    }
++    elsif ( -e "/etc/SuSE-release" ) {
++        open(*SUSE_RELEASE,"/etc/SuSE-release");
++        $release=<SUSE_RELEASE>;
++        if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
++	    $distro="SE$1";
++        }
++        elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
++	    $distro="SESLES$1";
++        }
++	elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
++	    $distro="SESLES$1";
++	}
++        elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
++            $distro="SE$1";
++        }
++	else {
++	    print STDERR "$err Could not infer SuSE version! Setting to 10.3!\n";
++	    $distro="SE10.3";
+ 	}
++	close(SUSE_RELEASE);
++    }
++    elsif ( -e "/etc/turbolinux-release") {
++        open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
++        $release=<TURBOLINUX_RELEASE>;
++        unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
++	    print STDERR "$err Could not infer TurboLinux version! Setting to 7.0!\n";
++	    $distro="TB7.0";
++        }
+ 	else {
+-	    # We're either on Mac OS X, HP-UX or an unsupported O/S.
+-            if ( -x '/usr/bin/uname') {
++	    $distro="TB$1";
++	}
++	close(TURBOLINUX_RELEASE);
++    }
++    else {
++        # We're either on Mac OS X, HP-UX or an unsupported O/S.
++        if ( -x '/usr/bin/uname') {
+ 		# uname is in /usr/bin on Mac OS X and HP-UX
+-		$release=`/usr/bin/uname -sr`;
+-	    }
+-	    else {
+-                print STDERR "$err Could not determine operating system version!\n";
+-		$distro="unknown"
+-            }
+-
+-	    # Figure out what kind of system we're on.
+-	    if ($release ne "") {
+-		if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
+-		    if ($1 == 6 ) {
+-			$distro = "OSX10.2";
+-		    }
+-		    elsif ($1 == 7) {
+-			$distro = "OSX10.3";
+-		    }
+-                    elsif ($1 == 8) {
+-                        $distro = "OSX10.3";
+-                    }
+-		    else {
+-		        $distro = "unknown";
+-		    }
++	    $release=`/usr/bin/uname -sr`;
++	}
++	else {
++            print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
++	    $distro="unknown";
++        }
++
++	# Figure out what kind of system we're on.
++	if ($release ne "") {
++	    if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
++	        if ($1 == 6 ) {
++		    $distro = "OSX10.2";
+ 		}
+-	        elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
+-		   $distro="$1$2";
++		elsif ($1 == 7) {
++		    $distro = "OSX10.3";
+ 		}
++                elsif ($1 == 8) {
++                    $distro = "OSX10.3";
++                }
+ 		else {
+-		   print STDERR "$err Could not determine operating system version!\n";
+-	           $distro="unknown";
++                    print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
++		    $distro = "unknown";
+ 		}
+ 	    }
++	    elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
++	        $distro="$1$2";
++	    }
++	    else {
++                print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
++	        $distro="unknown";
++	    }
+ 	}
+-
+-	$GLOBAL_OS=$distro;
+-    } elsif (not (defined $GLOBAL_OS)) {
+-        print "ERROR: GLOBAL OS Scoping Issue\n";
+-    } else {
+-        $distro = $GLOBAL_OS;
+     }
+-
+     return $distro;
+ }
+ 
+ ###################################################################################
+-#   &getActualDistro;                                                             #
++#   &getInferredDistro;                                                             #
+ #                                                                                 #
+ #    This subroutine returns the actual os version in which is running on.  This  #
+ #    os version is independent of the --os switch feed to bastille.               #
+ #                                                                                 #
+ ###################################################################################
+-sub getActualDistro {
+-    # set local variable to $GLOBAL_OS
++sub getInferredDistro {
++    if ($GLOBAL_INFERRED_OS eq "None") {
++        $GLOBAL_INFERRED_OS = &InferDistro;
++    }
++    return $GLOBAL_INFERRED_OS;
++}
+ 
+-    if ($GLOBAL_ACTUAL_OS eq "None") {
+-        my $os = $GLOBAL_OS;
+-        # undef GLOBAL_OS so that the GetDistro routine will return
+-        # the actualDistro, it might otherwise return the distro set
+-        # by the --os switch.
+-        $GLOBAL_OS = "None";
+-        $GLOBAL_ACTUAL_OS = &GetDistro;
+-        # reset the GLOBAL_OS variable
+-        $GLOBAL_OS = $os;
++sub GetDistro {
++    if ($GLOBAL_OS eq "None") {
++        return &getInferredDistro;
+     }
+-    return $GLOBAL_ACTUAL_OS;
++    return $GLOBAL_OS;
+ }
++
+ # These are helper routines which used to be included inside GetDistro
+ sub is_OS_supported($) {
+    my $os=$_[0];
+@@ -556,7 +545,8 @@
+ 			      "SE7.2","SE7.3", "SE8.0","SE8.1","SE9.0","SE9.1",
+ 			      "SE9.2","SE9.3","SE10.0","SE10.1","SE10.2","SE10.3",
+ 			      "SESLES8","SESLES9","SESLES10",
+-			      "TB7.0"
++			      "TB7.0",
++                              "Yocto"
+ 			      ],
+ 
+ 		  "HP-UX" => [
+@@ -882,23 +872,19 @@
+ ###########################################################################
+ sub ConfigureForDistro {
+ 
+-    my $retval=1;
+-
+-    # checking to see if the os version given is in fact supported
+     my $distro = &GetDistro;
+ 
+-    # checking to see if the actual os version is in fact supported
+-    my $actualDistro = &getActualDistro;
++    my $inferredDistro = &getInferredDistro;
++
++    if (! ($inferredDistro eq $distro) ) {
++        print STDERR "WARNING: Inferred distro $inferredDistro is not the same as specified distro $distro. Using specified distro.\n";
++    }
++
+     $ENV{'LOCALE'}=''; # So that test cases checking for english results work ok.
+-    if ((! &is_OS_supported($distro)) or (! &is_OS_supported($actualDistro))  ) {
+-	# if either is not supported then print out a list of supported versions
+-	if (! &is_OS_supported($distro)) {
+-	    print STDERR "$err '$distro' is not a supported operating system.\n";
+-	}
+-	else {
+-	    print STDERR "$err Bastille is unable to operate correctly on this\n";
+-	    print STDERR "$spc $distro operating system.\n";
+-	}
++
++    if (! &is_OS_supported($distro)) {
++	print STDERR "$err '$distro' is not a supported operating system.\n";
++
+ 	my %supportedOSHash = &getSupportedOSHash;
+ 	print STDERR "$spc Valid operating system versions are as follows:\n";
+ 
+@@ -930,7 +916,7 @@
+     # intend via setting the Perl umask
+     umask(077);
+ 
+-    &getFileAndServiceInfo($distro,$actualDistro);
++    &getFileAndServiceInfo($distro,$distro);
+ 
+ #    &dumpFileInfo;  # great for debuging file location issues
+ #    &dumpServiceInfo; # great for debuging service information issues
+@@ -942,7 +928,7 @@
+ 	    "$spc You must use Bastille\'s -n flag (for example:\n" .
+ 	    "$spc bastille -f -n) or \'touch $nodisclaim_file \'\n";
+ 
+-    return $retval;
++    return 1;
+ }
+ 
+ 
+Index: Bastille/Bastille/LogAPI.pm
+===================================================================
+--- Bastille.orig/Bastille/LogAPI.pm	2013-08-22 04:32:38.269968002 -0400
++++ Bastille/Bastille/LogAPI.pm	2013-08-22 04:32:47.509968002 -0400
+@@ -111,7 +111,7 @@
+    # do this here to prevent bootstrapping problem, where we need to
+    # write an error that the errorlog location isn't defined.
+    my $logdir="/var/log/Bastille";
+-   if(&getActualDistro =~ "^HP-UX"){
++   if(&getInferredDistro =~ "^HP-UX"){
+        $logdir = "/var/opt/sec_mgmt/bastille/log/";
+    }
+ 
diff --git a/import-layers/meta-security/recipes-security/bastille/files/remove_questions_text_file_references.patch b/import-layers/meta-security/recipes-security/bastille/files/remove_questions_text_file_references.patch
new file mode 100644
index 0000000..bd094ee
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/remove_questions_text_file_references.patch
@@ -0,0 +1,30 @@
+Upstream Status: Inappropriate [No upstream maintenance]
+
+Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
+
+---
+
+Index: Bastille/OSMap/LINUX.bastille
+===================================================================
+--- Bastille.orig/OSMap/LINUX.bastille	2008-01-25 18:31:35.000000000 -0500
++++ Bastille/OSMap/LINUX.bastille	2013-08-22 04:48:32.677968002 -0400
+@@ -12,7 +12,6 @@
+ 
+ bfile,InteractiveBastille,'/usr/sbin/InteractiveBastille'
+ bfile,BastilleBackEnd,'/usr/sbin/BastilleBackEnd'
+-bfile,Questions,'/usr/share/Bastille/Questions.txt'
+ bfile,QuestionsModules,'/usr/share/Bastille/Modules.txt'
+ bfile,TODO,'/var/log/Bastille/TODO'
+ bfile,TODOFlag,'/var/log/Bastille/TODOFlag.txt'
+Index: Bastille/OSMap/OSX.bastille
+===================================================================
+--- Bastille.orig/OSMap/OSX.bastille	2007-09-11 18:09:26.000000000 -0400
++++ Bastille/OSMap/OSX.bastille	2013-08-22 04:48:47.245968001 -0400
+@@ -10,7 +10,6 @@
+ bdir,share,'/usr/share/Bastille'
+ 
+ bfile,BastilleBackEnd,'/var/root/Bastille/BastilleBackEnd'
+-bfile,Questions,'/usr/share/Bastille/Questions.txt'
+ bfile,QuestionsModules,'/usr/share/Bastille/Modules.txt'
+ bfile,TODO,'/var/log/Bastille/TODO'
+ bfile,TODOFlag,'/var/log/Bastille/TODOFlag.txt'
diff --git a/import-layers/meta-security/recipes-security/bastille/files/set_required_questions.py b/import-layers/meta-security/recipes-security/bastille/files/set_required_questions.py
new file mode 100755
index 0000000..4a28358
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/set_required_questions.py
@@ -0,0 +1,157 @@
+#!/usr/bin/env python
+
+#Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
+
+import argparse, os, shutil, sys, tempfile, traceback
+from os import path
+
+
+
+def get_config(lines):
+  """
+  From a sequence of lines retrieve the question file name, question identifier
+  pairs.
+  """
+  for l in lines:
+    if not l.startswith("#"):
+      try:
+        (coord, value) = l.split("=")
+        try:
+          (fname, ident) = coord.split(".")
+          yield fname, ident
+        except ValueError as e:
+          raise ValueError("Badly formatted coordinates %s in line %s." % (coord, l.strip()))
+      except ValueError as e:
+        raise ValueError("Skipping badly formatted line %s, %s" % (l.strip(), e))
+
+
+
+def check_contains(line, name):
+  """
+  Check if the value field for REQUIRE_DISTRO contains the given name.
+  @param name line The REQUIRE_DISTRO line
+  @param name name The name to look for in the value field of the line.
+  """
+  try:
+    (label, distros) = line.split(":")
+    return name in distros.split()
+  except ValueError as e:
+    raise ValueError("Error splitting REQUIRE_DISTRO line: %s" % e)
+
+
+
+def add_requires(the_ident, distro, lines):
+
+  """
+  Yield a sequence of lines the same as lines except that where
+  the_ident matches a question identifier change the REQUIRE_DISTRO so that
+  it includes the specified distro.
+
+  @param name the_ident The question identifier to be matched.
+  @param name distro The distribution to added to the questions REQUIRE_DISTRO
+                     field.
+  @param lines The sequence to be processed.
+  """
+  for l in lines:
+    yield l
+    if l.startswith("LABEL:"):
+      try:
+        (label, ident) = l.split(":")
+        if ident.strip() == the_ident:
+          break
+      except ValueError as e:
+        raise ValueError("Unexpected line %s in questions file." % l.strip())
+  for l in lines:
+    if l.startswith("REQUIRE_DISTRO"):
+      if not check_contains(l, distro):
+        yield l.rstrip() + " " + distro + "\n"
+      else:
+        yield l
+      break;
+    else:
+      yield l
+  for l in lines:
+    yield l
+
+
+
+def xform_file(qfile, distro, qlabel):
+  """
+  Transform a Questions file.
+  @param name qfile The designated questions file.
+  @param name distro The distribution to add to the required distributions.
+  @param name qlabel The question label for which the distro is to be added.
+  """
+  questions_in = open(qfile)
+  questions_out = tempfile.NamedTemporaryFile(delete=False)
+  for l in add_requires(qlabel, distro, questions_in):
+    questions_out.write(l)
+  questions_out.close()
+  questions_in.close()
+  shutil.copystat(qfile, questions_out.name)
+  os.remove(qfile)
+  shutil.move(questions_out.name, qfile)
+
+
+
+def handle_args(parser):
+  parser.add_argument('config_file',
+                      help = "Configuration file path.")
+  parser.add_argument('questions_dir',
+                      help = "Directory containing Questions files.")
+  parser.add_argument('--distro', '-d',
+                      help = "The distribution, the default is Yocto.",
+                      default = "Yocto")
+  parser.add_argument('--debug', '-b',
+                      help = "Print debug information.",
+                      action = 'store_true')
+  return parser.parse_args()
+
+
+
+def check_args(args):
+  args.config_file = os.path.abspath(args.config_file)
+  args.questions_dir = os.path.abspath(args.questions_dir)
+
+  if not os.path.isdir(args.questions_dir):
+    raise ValueError("Specified Questions directory %s does not exist or is not a directory." % args.questions_dir)
+
+  if not os.path.isfile(args.config_file):
+    raise ValueError("Specified configuration file %s not found." % args.config_file)
+
+
+
+def main():
+  opts = handle_args(argparse.ArgumentParser(description="A simple script that sets required questions based on the question/answer pairs in a configuration file."))
+
+  try:
+    check_args(opts)
+  except ValueError as e:
+    if opts.debug:
+      traceback.print_exc()
+    else:
+      sys.exit("Fatal error:\n%s" % e)
+
+
+  try:
+    config_in = open(opts.config_file)
+    for qfile, qlabel in get_config(config_in):
+      questions_file = os.path.join(opts.questions_dir, qfile + ".txt")
+      xform_file(questions_file, opts.distro, qlabel)
+    config_in.close()
+
+  except IOError as e:
+    if opts.debug:
+      traceback.print_exc()
+    else:
+      sys.exit("Fatal error reading or writing file:\n%s" % e)
+  except ValueError as e:
+    if opts.debug:
+      traceback.print_exc()
+    else:
+      sys.exit("Fatal error:\n%s" % e)
+
+
+
+if __name__ == "__main__":
+  main()
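Review bot: `xform_file` deletes the original with `os.remove(qfile)` before `shutil.move` brings the rewritten copy in from the default temp directory, so a failure or interruption between those two calls (a cross-filesystem copy is the usual case) leaves the questions file missing, and neither handle is closed if `add_requires` raises midway. Creating the temporary file next to the original with `dir=os.path.dirname(qfile)` and swapping it in with a single `os.rename` keeps a questions file present at every point, as sketched below. Separately, `main()` carries on after `check_args` fails when `--debug` is set, because only the non-debug branch calls `sys.exit`; the debug branch should exit as well after `traceback.print_exc()`. The error raised from `get_config` says `Skipping badly formatted line` although the exception aborts the whole run (a blank line in the config file is enough to trigger it); either skip such lines with `continue` or reword the message to say the run is aborted.
```python
def xform_file(qfile, distro, qlabel):
  # … unchanged: docstring …
  # Build the replacement beside the original so the final rename is atomic
  # and the questions file is never absent from the directory.
  with open(qfile) as questions_in:
    questions_out = tempfile.NamedTemporaryFile(mode='w', dir=os.path.dirname(qfile), delete=False)
    try:
      with questions_out:
        for l in add_requires(qlabel, distro, questions_in):
          questions_out.write(l)
      shutil.copystat(qfile, questions_out.name)
      os.rename(questions_out.name, qfile)
    except Exception:
      os.remove(questions_out.name)
      raise
```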
diff --git a/import-layers/meta-security/recipes-security/bastille/files/simplify_B_place.patch b/import-layers/meta-security/recipes-security/bastille/files/simplify_B_place.patch
new file mode 100644
index 0000000..307fdca
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/simplify_B_place.patch
@@ -0,0 +1,40 @@
+Upstream Status: Inappropriate [No upstream maintenance]
+
+Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
+
+---
+
+Index: Bastille/Bastille/API.pm
+===================================================================
+--- Bastille.orig/Bastille/API.pm	2013-08-21 08:59:17.939950001 -0400
++++ Bastille/Bastille/API.pm	2013-08-21 08:59:30.983950001 -0400
+@@ -1679,24 +1679,22 @@
+ 
+     use File::Copy;
+ 
+-    my $original_source=$source;
+     $source  = &getGlobal('BDIR', "share") . $source;
+-    my $original_target=$target;
+ 
+     if ( -e $target and -f $target ) {
+-	&B_backup_file($original_target);
+-	&B_log("ACTION","About to copy $original_source to $original_target -- had to backup target\n");
++	&B_backup_file($target);
++	&B_log("ACTION","About to copy $source to $target -- had to backup target\n");
+ 	$had_to_backup_target=1;
+     }
+     $retval=copy($source,$target);
+     if ($retval) {
+-	&B_log("ACTION","placed file $original_source  as  $original_target\n");
++	&B_log("ACTION","placed file $source  as  $target\n");
+ 	#
+ 	# We want to add a line to the &getGlobal('BFILE', "created-files") so that the
+ 	# file we just put at $original_target gets deleted.
+-	&B_revert_log(&getGlobal('BIN',"rm") . " $original_target\n");
++	&B_revert_log(&getGlobal('BIN',"rm") . " $target\n");
+     } else {
+-	&B_log("ERROR","Failed to place $original_source as $original_target\n");
++	&B_log("ERROR","Failed to place $source as $target\n");
+     }
+ 
+     # We add the file to the GLOBAL_SUMS hash if it is not already present
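Review bot: The comment `# file we just put at $original_target gets deleted.` on the new side still names `$original_target`, a variable this hunk removes; it should read `# file we just put at $target gets deleted.` so the comment matches the code it describes. Because `$source` now carries the share-directory prefix by the time it is logged, the ACTION and ERROR lines record the resolved path rather than the caller's relative argument; that looks intended, but a one-line comment above `$source  = &getGlobal('BDIR', "share") . $source;` such as `# $source is resolved against the share dir; log lines below use the resolved paths` would make the change in log content explicit. The enclosing sub begins before this hunk.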
diff --git a/import-layers/meta-security/recipes-security/bastille/files/upgrade_options_processing.patch b/import-layers/meta-security/recipes-security/bastille/files/upgrade_options_processing.patch
new file mode 100644
index 0000000..4093867
--- /dev/null
+++ b/import-layers/meta-security/recipes-security/bastille/files/upgrade_options_processing.patch