meta-security: subtree update:ca9264b1e1..baca6133f9
Anton Antonov (1):
gitlab-ci: Move all parsec builds into a separate job
Armin Kuster (12):
kas-security-base: Move some DISTRO_FEATURES around
*-tpm.yml: drop tpms jobs
gitlab-ci: move tpm build
.gitlab-ci: work on pipelime
gitlab-ci: cleanup after_script
gitlab-ci: add new before script
kas: cleanup some kas files
packagegroup-core-security: exclude apparmor in mips64
.gitlab-ci: use kas shell in some cases.
kas-security-base: fix feature namespace for tpm*
ossec-hids: add new pkg
libseccomp: drop recipe. In core now
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: Icef0838533cbc51af188f574d4931ac3d250ba84
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml
index f673ef6..3211025 100644
--- a/meta-security/.gitlab-ci.yml
+++ b/meta-security/.gitlab-ci.yml
@@ -1,33 +1,76 @@
-stages:
- - build
-
-.build:
- stage: build
- image: crops/poky
- before_script:
+.before-my-script: &before-my-script
- echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error
- echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error
- export PATH=~/.local/bin:$PATH
- wget https://bootstrap.pypa.io/get-pip.py
- python3 get-pip.py
- python3 -m pip install kas
- after_script:
+
+.after-my-script: &after-my-script
- cd $CI_PROJECT_DIR/poky
- . ./oe-init-build-env $CI_PROJECT_DIR/build
- for x in `ls $CI_PROJECT_DIR/build/tmp/log/error-report/ | grep error_report_`; do
- send-error-report -y tmp/log/error-report/$x
- done
- - cd $CI_PROJECT_DIR
- - rm -rf build
- cache:
- paths:
- - layers
+ - rm -fr $CI_PROJECT_DIR/build
+
+
+stages:
+ - build
+ - parsec
+ - multi
+ - alt
+ - musl
+ - test
+
+.build:
+ before_script:
+ - *before-my-script
+ stage: build
+ after_script:
+ - *after-my-script
+
+.parsec:
+ before_script:
+ - *before-my-script
+ stage: parsec
+ after_script:
+ - *after-my-script
+
+
+.multi:
+ before_script:
+ - *before-my-script
+ stage: multi
+ after_script:
+ - *after-my-script
+
+.alt:
+ before_script:
+ - *before-my-script
+ stage: alt
+ after_script:
+ - *after-my-script
+
+.musl:
+ before_script:
+ - *before-my-script
+ stage: musl
+ after_script:
+ - *after-my-script
+
+.test:
+ before_script:
+ - *before-my-script
+ stage: test
+ after_script:
+ - *after-my-script
+
qemux86:
extends: .build
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
- kas build --target security-build-image kas/$CI_JOB_NAME-comp.yml
- kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml
- kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
@@ -35,8 +78,7 @@
qemux86-64:
extends: .build
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
+ - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm-image security-tpm2-image"
- kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml
- kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
@@ -44,20 +86,17 @@
extends: .build
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
qemuarm64:
extends: .build
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
+ - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image"
- kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
qemuppc:
extends: .build
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
qemumips64:
extends: .build
@@ -69,61 +108,58 @@
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
-qemux86-64-tpm:
- extends: .build
- script:
- - kas build --target security-tpm-image kas/$CI_JOB_NAME.yml
- - kas build --target security-tpm2-image kas/$CI_JOB_NAME2.yml
-
-qemuarm64-tpm2:
- extends: .build
- script:
- - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml
-
qemuarm64-alt:
- extends: .build
+ extends: .alt
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemuarm64-multi:
- extends: .build
+ extends: .multi
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemumips64-alt:
- extends: .build
+ extends: .alt
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemumips64-multi:
- extends: .build
+ extends: .multi
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemux86-64-alt:
- extends: .build
+ extends: .alt
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemux86-64-multi:
- extends: .build
+ extends: .multi
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemux86-musl:
- extends: .build
+ extends: .musl
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemuarm64-musl:
- extends: .build
+ extends: .musl
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemux86-test:
- extends: .build
+ extends: .test
allow_failure: true
script:
- kas build --target security-test-image kas/$CI_JOB_NAME.yml
- kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml
+parsec:
+ extends: .parsec
+ script:
+ - kas build --target security-build-image kas/qemuarm-$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/qemuarm64-$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/qemux86-$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/qemux86-64-$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/qemuppc-$CI_JOB_NAME.yml
diff --git a/meta-security/kas/kas-security-alt.yml b/meta-security/kas/kas-security-alt.yml
index 309acaa..1514524 100644
--- a/meta-security/kas/kas-security-alt.yml
+++ b/meta-security/kas/kas-security-alt.yml
@@ -5,4 +5,4 @@
local_conf_header:
alt: |
- DISTRO_FEATURES_append = " apparmor pam smack systemd"
+ DISTRO_FEATURES_append = " systemd"
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml
index aa68336..487befe 100644
--- a/meta-security/kas/kas-security-base.yml
+++ b/meta-security/kas/kas-security-base.yml
@@ -51,6 +51,8 @@
EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
PACKAGE_CLASSES = "package_ipk"
+ DISTRO_FEATURES_append = " pam apparmor smack"
+ MACHINE_FEATURES_append = " tpm tpm2"
diskmon: |
BB_DISKMON_DIRS = "\
diff --git a/meta-security/kas/qemuarm64-tpm2.yml b/meta-security/kas/qemuarm64-tpm2.yml
deleted file mode 100644
index 3a8d8fc..0000000
--- a/meta-security/kas/qemuarm64-tpm2.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-base.yml
-
-local_conf_header:
- meta-security: |
- DISTRO_FEATURES_append = " tpm2"
-
-machine: qemuarm64
diff --git a/meta-security/kas/qemumips64-alt.yml b/meta-security/kas/qemumips64-alt.yml
index 923c213..c5d54d4 100644
--- a/meta-security/kas/qemumips64-alt.yml
+++ b/meta-security/kas/qemumips64-alt.yml
@@ -1,10 +1,6 @@
header:
version: 8
includes:
- - kas-security-base.yml
-
-local_conf_header:
- alt: |
- DISTRO_FEATURES_append = " pam systmed"
+ - kas-security-alt.yml
machine: qemumips64
diff --git a/meta-security/kas/qemux86-64-tpm.yml b/meta-security/kas/qemux86-64-tpm.yml
deleted file mode 100644
index 565b423..0000000
--- a/meta-security/kas/qemux86-64-tpm.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-base.yml
-
-local_conf_header:
- meta-security: |
- DISTRO_FEATURES_append = " tpm"
-
-machine: qemux86-64
diff --git a/meta-security/kas/qemux86-64-tpm2.yml b/meta-security/kas/qemux86-64-tpm2.yml
deleted file mode 100644
index a43693e..0000000
--- a/meta-security/kas/qemux86-64-tpm2.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-base.yml
-
-local_conf_header:
- meta-security: |
- DISTRO_FEATURES_append = " tpm2"
-
-machine: qemux86-64
diff --git a/meta-security/kas/qemux86-test.yml b/meta-security/kas/qemux86-test.yml
index 7b5f451..83a5353 100644
--- a/meta-security/kas/qemux86-test.yml
+++ b/meta-security/kas/qemux86-test.yml
@@ -3,9 +3,4 @@
includes:
- kas-security-base.yml
-
-local_conf_header:
- meta-security: |
- DISTRO_FEATURES_append = " apparmor smack pam"
-
machine: qemux86
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index 9ac0d2c..a6142a8 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -80,6 +80,9 @@
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
"
+RDEPENDS_packagegroup-security-mac_remove_mips64 = "apparmor"
+RDEPENDS_packagegroup-security-mac_remove_mips64le = "apparmor"
+
RDEPENDS_packagegroup-meta-security-ptest-packages = "\
ptest-runner \
samhain-standalone-ptest \
diff --git a/meta-security/recipes-ids/ossec/files/0001-Makefile-drop-running-scrips-install.patch b/meta-security/recipes-ids/ossec/files/0001-Makefile-drop-running-scrips-install.patch
new file mode 100644
index 0000000..08e018f
--- /dev/null
+++ b/meta-security/recipes-ids/ossec/files/0001-Makefile-drop-running-scrips-install.patch
@@ -0,0 +1,37 @@
+From b948d36a8ca8e04794381f0f6eba29daf7e3fd01 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 21 Apr 2021 00:56:53 +0000
+Subject: [PATCH 1/2] Makefile: drop running scrips @ install
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ src/Makefile | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index 06a7094c..dfb8cb58 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -409,7 +409,6 @@ install-hybrid: install-server-generic
+ install-server: install-server-generic
+
+ install-common: build
+- ./init/adduser.sh ${OSSEC_USER} ${OSSEC_USER_MAIL} ${OSSEC_USER_REM} ${OSSEC_GROUP} ${PREFIX}
+ $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/
+ $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs
+ $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/ossec.log
+@@ -485,9 +484,6 @@ endif
+ $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/var
+ $(call INSTALL_CMD,0770,root,${OSSEC_GROUP}) -d ${PREFIX}/var/run
+
+- ./init/fw-check.sh execute
+-
+-
+
+ install-server-generic: install-common
+ $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/active-responses.log
+--
+2.25.1
+
diff --git a/meta-security/recipes-ids/ossec/files/0002-Makefile-don-t-set-uid-gid.patch b/meta-security/recipes-ids/ossec/files/0002-Makefile-don-t-set-uid-gid.patch
new file mode 100644
index 0000000..d5e3403
--- /dev/null
+++ b/meta-security/recipes-ids/ossec/files/0002-Makefile-don-t-set-uid-gid.patch
@@ -0,0 +1,251 @@
+From d9ec907881b72d42b4918f7cfb46516ce8e77772 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Sat, 24 Apr 2021 23:07:29 +0000
+Subject: [PATCH 2/2] Makefile: don't set uid/gid
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ src/Makefile | 166 +++++++++++++++++++++++++--------------------------
+ 1 file changed, 83 insertions(+), 83 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index dfb8cb58..a4d69ef6 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -21,7 +21,7 @@ OSSEC_USER?=ossec
+ OSSEC_USER_MAIL?=ossecm
+ OSSEC_USER_REM?=ossecr
+
+-INSTALL_CMD?=install -m $(1) -o $(2) -g $(3)
++INSTALL_CMD?=install -m $(1)
+ INSTALL_LOCALTIME?=yes
+ INSTALL_RESOLVCONF?=yes
+
+@@ -397,10 +397,10 @@ endif
+ install: install-${TARGET}
+
+ install-agent: install-common
+- $(call INSTALL_CMD,0550,root,0) ossec-agentd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) agent-auth ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-agentd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) agent-auth ${PREFIX}/bin
+
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/rids
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/rids
+
+ install-local: install-server-generic
+
+@@ -409,129 +409,129 @@ install-hybrid: install-server-generic
+ install-server: install-server-generic
+
+ install-common: build
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs
+- $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/ossec.log
+-
+- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-logcollector ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-syscheckd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-execd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) manage_agents ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ../contrib/util.sh ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) ${OSSEC_CONTROL_SRC} ${PREFIX}/bin/ossec-control
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/logs
++ $(call INSTALL_CMD,0660) /dev/null ${PREFIX}/logs/ossec.log
++
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-logcollector ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-syscheckd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-execd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) manage_agents ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ../contrib/util.sh ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) ${OSSEC_CONTROL_SRC} ${PREFIX}/bin/ossec-control
+
+ ifeq (${LUA_ENABLE},yes)
+- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua
+- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua/native
+- $(call INSTALL_CMD,0550,root,0) -d ${PREFIX}/lua/compiled
+- $(call INSTALL_CMD,0550,root,0) ${EXTERNAL_LUA}src/ossec-lua ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) ${EXTERNAL_LUA}src/ossec-luac ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/lua
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/lua/native
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/lua/compiled
++ $(call INSTALL_CMD,0550) ${EXTERNAL_LUA}src/ossec-lua ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) ${EXTERNAL_LUA}src/ossec-luac ${PREFIX}/bin/
+ endif
+
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/queue
+- $(call INSTALL_CMD,0770,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/alerts
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/ossec
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/syscheck
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/diff
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/queue
++ $(call INSTALL_CMD,0770) -d ${PREFIX}/queue/alerts
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/ossec
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/syscheck
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/diff
+
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/etc
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/etc
+ ifeq (${INSTALL_LOCALTIME},yes)
+- $(call INSTALL_CMD,0440,root,${OSSEC_GROUP}) /etc/localtime ${PREFIX}/etc
++ $(call INSTALL_CMD,0440) /etc/localtime ${PREFIX}/etc
+ endif
+ ifeq (${INSTALL_RESOLVCONF},yes)
+- $(call INSTALL_CMD,0440,root,${OSSEC_GROUP}) /etc/resolv.conf ${PREFIX}/etc
++ $(call INSTALL_CMD,0440) /etc/resolv.conf ${PREFIX}/etc
+ endif
+
+- $(call INSTALL_CMD,1550,root,${OSSEC_GROUP}) -d ${PREFIX}/tmp
++ $(call INSTALL_CMD,1550) -d ${PREFIX}/tmp
+
+ ifneq (,$(wildcard /etc/TIMEZONE))
+- $(call INSTALL_CMD,440,root,${OSSEC_GROUP}) /etc/TIMEZONE ${PREFIX}/etc/
++ $(call INSTALL_CMD,440) /etc/TIMEZONE ${PREFIX}/etc/
+ endif
+ # Solaris Needs some extra files
+ ifeq (${uname_S},SunOS)
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/usr/share/lib/zoneinfo/
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/usr/share/lib/zoneinfo/
+ cp -r /usr/share/lib/zoneinfo/* ${PREFIX}/usr/share/lib/zoneinfo/
+ endif
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/internal_options.conf ${PREFIX}/etc/
++ $(call INSTALL_CMD,0640) -b ../etc/internal_options.conf ${PREFIX}/etc/
+ ifeq (,$(wildcard ${PREFIX}/etc/local_internal_options.conf))
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/local_internal_options.conf ${PREFIX}/etc/local_internal_options.conf
++ $(call INSTALL_CMD,0640) ../etc/local_internal_options.conf ${PREFIX}/etc/local_internal_options.conf
+ endif
+ ifeq (,$(wildcard ${PREFIX}/etc/client.keys))
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) /dev/null ${PREFIX}/etc/client.keys
++ $(call INSTALL_CMD,0640) /dev/null ${PREFIX}/etc/client.keys
+ endif
+ ifeq (,$(wildcard ${PREFIX}/etc/ossec.conf))
+ ifneq (,$(wildcard ../etc/ossec.mc))
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/ossec.mc ${PREFIX}/etc/ossec.conf
++ $(call INSTALL_CMD,0640) ../etc/ossec.mc ${PREFIX}/etc/ossec.conf
+ else
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ${OSSEC_CONF_SRC} ${PREFIX}/etc/ossec.conf
++ $(call INSTALL_CMD,0640) ${OSSEC_CONF_SRC} ${PREFIX}/etc/ossec.conf
+ endif
+ endif
+
+- $(call INSTALL_CMD,0770,root,${OSSEC_GROUP}) -d ${PREFIX}/etc/shared
+- $(call INSTALL_CMD,0640,${OSSEC_USER},${OSSEC_GROUP}) rootcheck/db/*.txt ${PREFIX}/etc/shared/
++ $(call INSTALL_CMD,0770) -d ${PREFIX}/etc/shared
++ $(call INSTALL_CMD,0640) rootcheck/db/*.txt ${PREFIX}/etc/shared/
+
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/active-response
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/active-response/bin
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/agentless
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) agentlessd/scripts/* ${PREFIX}/agentless/
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/active-response
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/active-response/bin
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/agentless
++ $(call INSTALL_CMD,0550) agentlessd/scripts/* ${PREFIX}/agentless/
+
+- $(call INSTALL_CMD,0700,root,${OSSEC_GROUP}) -d ${PREFIX}/.ssh
++ $(call INSTALL_CMD,0700) -d ${PREFIX}/.ssh
+
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) ../active-response/*.sh ${PREFIX}/active-response/bin/
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) ../active-response/firewalls/*.sh ${PREFIX}/active-response/bin/
++ $(call INSTALL_CMD,0550) ../active-response/*.sh ${PREFIX}/active-response/bin/
++ $(call INSTALL_CMD,0550) ../active-response/firewalls/*.sh ${PREFIX}/active-response/bin/
+
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/var
+- $(call INSTALL_CMD,0770,root,${OSSEC_GROUP}) -d ${PREFIX}/var/run
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/var
++ $(call INSTALL_CMD,0770) -d ${PREFIX}/var/run
+
+
+ install-server-generic: install-common
+- $(call INSTALL_CMD,0660,${OSSEC_USER},${OSSEC_GROUP}) /dev/null ${PREFIX}/logs/active-responses.log
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/archives
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/alerts
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/logs/firewall
+-
+- $(call INSTALL_CMD,0550,root,0) ossec-agentlessd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-analysisd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-monitord ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-reportd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-maild ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-remoted ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-logtest ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-csyslogd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-authd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-dbd ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) ossec-makelists ${PREFIX}/bin
+- $(call INSTALL_CMD,0550,root,0) verify-agent-conf ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) clear_stats ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) list_agents ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) ossec-regex ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) syscheck_update ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) agent_control ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) syscheck_control ${PREFIX}/bin/
+- $(call INSTALL_CMD,0550,root,0) rootcheck_control ${PREFIX}/bin/
+-
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/stats
+- $(call INSTALL_CMD,0550,root,${OSSEC_GROUP}) -d ${PREFIX}/rules
++ $(call INSTALL_CMD,0660) /dev/null ${PREFIX}/logs/active-responses.log
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/logs/archives
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/logs/alerts
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/logs/firewall
++
++ $(call INSTALL_CMD,0550) ossec-agentlessd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-analysisd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-monitord ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-reportd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-maild ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-remoted ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-logtest ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-csyslogd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-authd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-dbd ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) ossec-makelists ${PREFIX}/bin
++ $(call INSTALL_CMD,0550) verify-agent-conf ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) clear_stats ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) list_agents ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) ossec-regex ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) syscheck_update ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) agent_control ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) syscheck_control ${PREFIX}/bin/
++ $(call INSTALL_CMD,0550) rootcheck_control ${PREFIX}/bin/
++
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/stats
++ $(call INSTALL_CMD,0550) -d ${PREFIX}/rules
+ ifneq (,$(wildcard ${PREFIX}/rules/local_rules.xml))
+ cp ${PREFIX}/rules/local_rules.xml ${PREFIX}/rules/local_rules.xml.installbackup
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/rules/*.xml ${PREFIX}/rules
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ${PREFIX}/rules/local_rules.xml.installbackup ${PREFIX}/rules/local_rules.xml
++ $(call INSTALL_CMD,0640) -b ../etc/rules/*.xml ${PREFIX}/rules
++ $(call INSTALL_CMD,0640) ${PREFIX}/rules/local_rules.xml.installbackup ${PREFIX}/rules/local_rules.xml
+ rm ${PREFIX}/rules/local_rules.xml.installbackup
+ else
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) -b ../etc/rules/*.xml ${PREFIX}/rules
++ $(call INSTALL_CMD,0640) -b ../etc/rules/*.xml ${PREFIX}/rules
+ endif
+
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/fts
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/fts
+
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/rootcheck
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/rootcheck
+
+- $(call INSTALL_CMD,0750,${OSSEC_USER_REM},${OSSEC_GROUP}) -d ${PREFIX}/queue/agent-info
+- $(call INSTALL_CMD,0750,${OSSEC_USER},${OSSEC_GROUP}) -d ${PREFIX}/queue/agentless
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/agent-info
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/agentless
+
+- $(call INSTALL_CMD,0750,${OSSEC_USER_REM},${OSSEC_GROUP}) -d ${PREFIX}/queue/rids
++ $(call INSTALL_CMD,0750) -d ${PREFIX}/queue/rids
+
+- $(call INSTALL_CMD,0640,root,${OSSEC_GROUP}) ../etc/decoder.xml ${PREFIX}/etc/
++ $(call INSTALL_CMD,0640) ../etc/decoder.xml ${PREFIX}/etc/
+
+ rm -f ${PREFIX}/etc/shared/merged.mg
+
+--
+2.25.1
+
diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
new file mode 100644
index 0000000..10354a7
--- /dev/null
+++ b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
@@ -0,0 +1,161 @@
+SUMMARY = "A full platform to monitor and control your systems"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d625d1520b5e38faefb81cf9772badc9"
+
+
+DEPENDS = "openssl libpcre2 zlib libevent"
+SRC_URI = "git://github.com/ossec/ossec-hids;branch=master \
+ file://0001-Makefile-drop-running-scrips-install.patch \
+ file://0002-Makefile-don-t-set-uid-gid.patch \
+ "
+
+SRCREV = "1303c78e2c67d7acee0508cb00c3bc63baaa27c2"
+
+inherit autotools-brokensep useradd
+
+S = "${WORKDIR}/git"
+
+OSSEC_UID ?= "ossec"
+OSSEC_RUID ?= "ossecr"
+OSSEC_GID ?= "ossec"
+OSSEC_EMAIL ?= "ossecm"
+
+do_configure[noexec] = "1"
+
+do_compile() {
+ cd ${S}/src
+ make PREFIX=${prefix} TARGET=local USE_SYSTEMD=No build
+}
+
+do_install(){
+ install -d ${D}${sysconfdir}
+ install -d ${D}/var/ossec/${sysconfdir}
+
+ cd ${S}/src
+ make TARGET=local PREFIX=${D}/var/ossec install
+
+ echo "DIRECTORY=\"/var/ossec\"" > ${D}/${sysconfdir}/ossec-init.conf
+ echo "VERSION=\"${PV}\"" >> ${D}/${sysconfdir}/ossec-init.conf
+ echo "DATE=\"`date`\"" >> ${D}/${sysconfdir}/ossec-init.conf
+ echo "TYPE=\"local\"" >> ${D}/${sysconfdir}/ossec-init.conf
+ chmod 600 ${D}/${sysconfdir}/ossec-init.conf
+ install -m 640 ${D}/${sysconfdir}/ossec-init.conf ${D}/var/ossec/${sysconfdir}/ossec-init.conf
+}
+
+pkg_postinst_ontarget_${PN} () {
+ DIR="/var/ossec"
+
+ usermod -g ossec -G ossec -a root
+
+ # Default for all directories
+ chmod -R 550 ${DIR}
+ chown -R root:${OSSEC_GID} ${DIR}
+
+ # To the ossec queue (default for agentd to read)
+ chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/queue/ossec
+ chmod -R 770 ${DIR}/queue/ossec
+
+ # For the logging user
+ chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/logs
+ chmod -R 750 ${DIR}/logs
+ chmod -R 775 ${DIR}/queue/rids
+ touch ${DIR}/logs/ossec.log
+ chown ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/logs/ossec.log
+ chmod 664 ${DIR}/logs/ossec.log
+
+ chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/queue/diff
+ chmod -R 750 ${DIR}/queue/diff
+ chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1 || true
+
+ # For the etc dir
+ chmod 550 ${DIR}/etc
+ chown -R root:${OSSEC_GID} ${DIR}/etc
+ if [ -f /etc/localtime ]; then
+ cp -pL /etc/localtime ${DIR}/etc/;
+ chmod 555 ${DIR}/etc/localtime
+ chown root:${OSSEC_GID} ${DIR}/etc/localtime
+ fi
+
+ if [ -f /etc/TIMEZONE ]; then
+ cp -p /etc/TIMEZONE ${DIR}/etc/;
+ chmod 555 ${DIR}/etc/TIMEZONE
+ fi
+
+ # More files
+ chown root:${OSSEC_GID} ${DIR}/etc/internal_options.conf
+ chown root:${OSSEC_GID} ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true
+ chown root:${OSSEC_GID} ${DIR}/etc/client.keys >/dev/null 2>&1 || true
+ chown root:${OSSEC_GID} ${DIR}/agentless/*
+ chown ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/.ssh
+ chown root:${OSSEC_GID} ${DIR}/etc/shared/*
+
+ chmod 550 ${DIR}/etc
+ chmod 440 ${DIR}/etc/internal_options.conf
+ chmod 660 ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true
+ chmod 440 ${DIR}/etc/client.keys >/dev/null 2>&1 || true
+ chmod 550 ${DIR}/agentless/*
+ chmod 700 ${DIR}/.ssh
+ chmod 770 ${DIR}/etc/shared
+ chmod 660 ${DIR}/etc/shared/*
+
+ # For the /var/run
+ chmod 770 ${DIR}/var/run
+ chown root:${OSSEC_GID} ${DIR}/var/run
+
+ # For util.sh
+ chown root:${OSSEC_GID} ${DIR}/bin/util.sh
+ chmod +x ${DIR}/bin/util.sh
+
+ # For binaries and active response
+ chmod 755 ${DIR}/active-response/bin/*
+ chown root:${OSSEC_GID} ${DIR}/active-response/bin/*
+ chown root:${OSSEC_GID} ${DIR}/bin/*
+ chmod 550 ${DIR}/bin/*
+
+ # For ossec.conf
+ chown root:${OSSEC_GID} ${DIR}/etc/ossec.conf
+ chmod 660 ${DIR}/etc/ossec.conf
+
+ # Debconf
+ . /usr/share/debconf/confmodule
+ db_input high ossec-hids-agent/server-ip || true
+ db_go
+
+ db_get ossec-hids-agent/server-ip
+ SERVER_IP=$RET
+
+ sed -i "s/<server-ip>[^<]\+<\/server-ip>/<server-ip>${SERVER_IP}<\/server-ip>/" ${DIR}/etc/ossec.conf
+ db_stop
+
+ # ossec-init.conf
+ if [ -e ${DIR}/etc/ossec-init.conf ] && [ -d /etc/ ]; then
+ if [ -e /etc/ossec-init.conf ]; then
+ rm -f /etc/ossec-init.conf
+ fi
+ ln -s ${DIR}/etc/ossec-init.conf /etc/ossec-init.conf
+ fi
+
+ # init.d/ossec file
+ if [ -x ${DIR}/etc/init.d/ossec ] && [ -d /etc/init.d/ ]; then
+ if [ -e /etc/init.d/ossec ]; then
+ rm -f /etc/init.d/ossec
+ fi
+ ln -s ${DIR}/etc/init.d/ossec /etc/init.d/ossec
+ fi
+
+ # Service
+ if [ -x /etc/init.d/ossec ]; then
+ update-rc.d -f ossec defaults
+ fi
+
+ # Delete tmp directory
+ if [ -d ${OSSEC_HIDS_TMP_DIR} ]; then
+ rm -r ${OSSEC_HIDS_TMP_DIR}
+ fi
+}
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM_${PN} = "--system --home-dir /var/ossec -g ossec --shell /bin/false ossec"
+GROUPADD_PARAM_${PN} = "--system ossec"
+
+RDEPENDS_${PN} = "openssl bash"
diff --git a/meta-security/recipes-security/libseccomp/files/run-ptest b/meta-security/recipes-security/libseccomp/files/run-ptest
deleted file mode 100644
index 54b4a63..0000000
--- a/meta-security/recipes-security/libseccomp/files/run-ptest
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-cd tests
-./regression -a
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.5.1.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.5.1.bb
deleted file mode 100644
index 40ac1a8..0000000
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.5.1.bb
+++ /dev/null
@@ -1,47 +0,0 @@
-SUMMARY = "interface to seccomp filtering mechanism"
-DESCRIPTION = "The libseccomp library provides and easy to use, platform independent,interface to the Linux Kernel's syscall filtering mechanism: seccomp."
-SECTION = "security"
-LICENSE = "LGPL-2.1"
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-
-DEPENDS += "gperf-native"
-
-SRCREV = "4bf70431a339a2886ab8c82e9a45378f30c6e6c7"
-
-SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.5 \
- file://run-ptest \
- "
-
-COMPATIBLE_HOST_riscv32 = "null"
-
-S = "${WORKDIR}/git"
-
-inherit autotools-brokensep pkgconfig ptest
-
-PACKAGECONFIG ??= ""
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python3"
-
-DISABLE_STATIC = ""
-
-do_compile_ptest() {
- oe_runmake -C tests check-build
-}
-
-do_install_ptest() {
- install -d ${D}${PTEST_PATH}/tests
- install -d ${D}${PTEST_PATH}/tools
- for file in $(find tests/* -executable -type f); do
- install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests
- done
- for file in $(find tests/*.tests -type f); do
- install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests
- done
- for file in $(find tools/* -executable -type f); do
- install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tools
- done
-}
-
-FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*"
-FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug"
-
-RDEPENDS_${PN}-ptest = "coreutils bash"