diff --git a/meta-security/classes/aide-base.bbclass b/meta-security/classes/aide-base.bbclass
new file mode 100644
index 0000000..36cc454
--- /dev/null
+++ b/meta-security/classes/aide-base.bbclass
@@ -0,0 +1,11 @@
+#
+# Copyright 2022 Armin Kuster <akuster808@gmail.com>
+#
+
+STAGING_AIDE_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/aida"
+AIDE_INCLUDE_DIRS ?= "/lib"
+AIDE_SKIP_DIRS ?= "/lib/modules/.\*"
+
+AIDE_SCAN_POSTINIT ?= "0"
+AIDE_RESCAN_POSTINIT ?= "0"
+
diff --git a/meta-security/classes/aide-db-init.bbclass b/meta-security/classes/aide-db-init.bbclass
new file mode 100644
index 0000000..800006f
--- /dev/null
+++ b/meta-security/classes/aide-db-init.bbclass
@@ -0,0 +1,52 @@
+#
+# Copyright 2022 Armin Kuster <akuster808@gmail.com>
+#
+# This class creates the initial aide database durning
+# the build cycle allowing for that set being skipped during boot
+# It has an additional benefit of having not being tamper with
+# after build.
+#
+# To have the aide db created during build
+# 1. Extend local.conf:
+#    INHERIT += "adie-init-db"
+#
+# These are the defaults as defined in aide-base.bbclass
+# They can be overriden in your local.conf or other distro include 
+#
+# To define where the share directory should be.
+#    STAGING_AIDE_DIR = "${TMPDIR}/work-shared/${MACHINE}/aida"
+#
+# To define which directories should be inclued in a scan
+#    AIDE_INCLUDE_DIRS ?= "/lib"
+#
+# To exclude directories and files from being scanned
+#    AIDE_SKIP_DIRS ?= "/lib/modules/.\*"
+#
+# To controll if a db init should happen at postint 
+#    AIDE_SCAN_POSTINIT ?= "0"
+#
+# To cotroll if a db recan should be run at postinit
+#    AIDE_RESCAN_POSTINIT ?= "0"
+
+inherit aide-base 
+
+aide_init_db() {
+    for dir in ${AIDE_INCLUDE_DIRS}; do
+        echo "${IMAGE_ROOTFS}${dir} NORMAL" >> ${STAGING_AIDE_DIR}/aide.conf
+    done
+    for dir in ${AIDE_SKIP_DIRS}; do
+        echo "!${IMAGE_ROOTFS}${dir}" >> ${STAGING_AIDE_DIR}/aide.conf
+    done
+
+
+    ${STAGING_AIDE_DIR}/bin/aide -c ${STAGING_AIDE_DIR}/aide.conf --init
+    gunzip ${STAGING_AIDE_DIR}/lib/aide.db.gz 
+    # strip out native path
+    sed -i -e 's:${IMAGE_ROOTFS}::' ${STAGING_AIDE_DIR}/lib/aide.db
+    gzip -9 ${STAGING_AIDE_DIR}/lib/aide.db 
+    cp -f ${STAGING_AIDE_DIR}/lib/aide.db.gz ${IMAGE_ROOTFS}${libdir}/aide
+}
+
+EXTRA_IMAGEDEPENDS:append = " aide-native"
+
+ROOTFS_POSTPROCESS_COMMAND:append = " aide_init_db;"
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index fa7d79e..470c7f6 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -18,6 +18,8 @@
   perl-layer:${LAYERDIR}/dynamic-layers/meta-perl/recipes-*/*/*.bbappend \
   meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bb \
   meta-python:${LAYERDIR}/dynamic-layers/meta-python/recipes-*/*/*.bbappend \
+  networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/recipes-*/*/*.bb \
+  networking-layer:${LAYERDIR}/dynamic-layers/networking-layer/recipes-*/*/*.bbappend \
 "
 
 # Sanity check for meta-security layer.
diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.6.2.bb b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.6.2.bb
index 40f6d15..8b6af5e 100644
--- a/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.6.2.bb
+++ b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.6.2.bb
@@ -19,7 +19,7 @@
 USERADD_PARAM:${PN} = "--system -g privacyidea -o -r -d /opt/${BPN}  \
     --shell /bin/false privacyidea"
 
-FILES:${PN} += " ${prefix}/etc/privacyidea/* ${datadir}/lib/privacyidea/*"
+FILES:${PN} += " ${prefix}/etc/privacyidea/* ${prefix}/lib/privacyidea/*"
 
 RDEPENDS:${PN} += " bash perl freeradius-mysql freeradius-utils"
 
diff --git a/meta-security/dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend b/meta-security/dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend
new file mode 100644
index 0000000..6bafd9f
--- /dev/null
+++ b/meta-security/dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend
@@ -0,0 +1,4 @@
+
+RDEPENDS:packagegroup-security-utils += "\
+    ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
+"
diff --git a/meta-security/recipes-security/sssd/files/drop_ntpdate_chk.patch b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch
similarity index 100%
rename from meta-security/recipes-security/sssd/files/drop_ntpdate_chk.patch
rename to meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch
diff --git a/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch
similarity index 100%
rename from meta-security/recipes-security/sssd/files/fix-ldblibdir.patch
rename to meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch
diff --git a/meta-security/recipes-security/sssd/files/fix_gid.patch b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
similarity index 87%
rename from meta-security/recipes-security/sssd/files/fix_gid.patch
rename to meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
index 9b481cc..419b83f 100644
--- a/meta-security/recipes-security/sssd/files/fix_gid.patch
+++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
@@ -12,10 +12,10 @@
 Upstream-Status: Pending
 Signed-off-by: Armin Kuster <akuster808@gmail.com>
 
-Index: sssd-2.5.0/src/util/debug.h
+Index: sssd-2.7.1/src/util/debug.h
 ===================================================================
---- sssd-2.5.0.orig/src/util/debug.h
-+++ sssd-2.5.0/src/util/debug.h
+--- sssd-2.7.1.orig/src/util/debug.h
++++ sssd-2.7.1/src/util/debug.h
 @@ -24,6 +24,8 @@
  #include "config.h"
  
@@ -23,5 +23,5 @@
 +#include <unistd.h>
 +#include <sys/types.h>
  #include <stdbool.h>
+ #include <sys/types.h>
  
- #include "util/util_errors.h"
diff --git a/meta-security/recipes-security/sssd/files/musl_fixup.patch b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch
similarity index 100%
rename from meta-security/recipes-security/sssd/files/musl_fixup.patch
rename to meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch
diff --git a/meta-security/recipes-security/sssd/files/no_gen.patch b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
similarity index 72%
rename from meta-security/recipes-security/sssd/files/no_gen.patch
rename to meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
index 5c83777..7d8e80b 100644
--- a/meta-security/recipes-security/sssd/files/no_gen.patch
+++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
@@ -4,11 +4,11 @@
 
 Signed-off-by: Armin Kuster <akuster808@gmail.com>
 
-Index: sssd-2.5.0/Makefile.am
+Index: sssd-2.7.1/Makefile.am
 ===================================================================
---- sssd-2.5.0.orig/Makefile.am
-+++ sssd-2.5.0/Makefile.am
-@@ -1033,8 +1033,6 @@ generate-sbus-code:
+--- sssd-2.7.1.orig/Makefile.am
++++ sssd-2.7.1/Makefile.am
+@@ -1023,8 +1023,6 @@ generate-sbus-code:
  
  .PHONY: generate-sbus-code
  
diff --git a/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
new file mode 100644
index 0000000..1e8b537
--- /dev/null
+++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
@@ -0,0 +1,15 @@
+[sssd]
+services = nss, pam
+domains = shadowutils
+
+[nss]
+
+[pam]
+
+[domain/shadowutils]
+id_provider = files
+
+auth_provider = proxy
+proxy_pam_target = sssd-shadowutils
+
+proxy_fast_alias = True
diff --git a/meta-security/recipes-security/sssd/files/volatiles.99_sssd b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
similarity index 100%
rename from meta-security/recipes-security/sssd/files/volatiles.99_sssd
rename to meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
diff --git a/meta-security/recipes-security/sssd/sssd_2.5.2.bb b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
similarity index 85%
rename from meta-security/recipes-security/sssd/sssd_2.5.2.bb
rename to meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
index 9f1d627..71f14a0 100644
--- a/meta-security/recipes-security/sssd/sssd_2.5.2.bb
+++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.1.bb
@@ -5,8 +5,9 @@
 LICENSE = "GPL-3.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
-DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
-DEPENDS:append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit"
+DEPENDS = "acl attr cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
+DEPENDS:append = " libldb dbus libtalloc libpcre2 glib-2.0 popt e2fsprogs libtevent"
+DEPENDS:append = " openldap bind p11-kit jansson softhsm openssl libunistring"
 
 DEPENDS:append:libc-musl = " musl-nscd"
 
@@ -23,10 +24,9 @@
            file://drop_ntpdate_chk.patch \
            file://fix-ldblibdir.patch \
            file://musl_fixup.patch \
-           file://CVE-2021-3621.patch \
            "
 
-SRC_URI[sha256sum] = "5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"
+SRC_URI[sha256sum] = "8eebd541a640aec95ed4b2da89713f0cbe8e4edf96895fbb972c0b9d570635c3"
 
 inherit autotools pkgconfig gettext python3-dir features_check systemd
 
@@ -39,7 +39,7 @@
     ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
     "
 
-PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
+PACKAGECONFIG ?="nss autofs sudo infopipe"
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
 PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 
@@ -49,8 +49,8 @@
 PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
 PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
 PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
 PACKAGECONFIG[nss] = ", ,nss,"
+PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child"
 PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
 PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
 PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
@@ -65,7 +65,6 @@
     --without-python2-bindings \
     --enable-pammoddir=${base_libdir}/security \
     --without-python2-bindings \
-    --without-secrets \
     --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
     --with-pid-path=/run \
 "
@@ -74,8 +73,8 @@
     mkdir -p ${AUTOTOOLS_AUXDIR}/build
     cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
 
-    # libresove has host path, remove it
-    sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
+    # additional_libdir  defaults to /usr/lib so replace with staging_libdir globally
+    sed -i -e "s#\$additional_libdir#\${STAGING_LIBDIR}#" ${S}/src/build_macros.m4
 }
 
 do_compile:prepend () {
@@ -84,7 +83,11 @@
 do_install () {
     oe_runmake install  DESTDIR="${D}"
     rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
+
     install -d ${D}/${sysconfdir}/${BPN}
+    install -d ${D}/${PYTHON_SITEPACKAGES_DIR}
+    mv ${D}/${BPN}  ${D}/${PYTHON_SITEPACKAGES_DIR}
+
     install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
 
     # /var/log/sssd needs to be created in runtime. Use rmdir to catch if
@@ -106,6 +109,7 @@
     # Remove /run as it is created on startup
     rm -rf ${D}/run
 
+#    rm -fr ${D}/sssd
     rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
 }
 
@@ -116,8 +120,6 @@
     chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
 }
 
-FILES:${PN} += "${nonarch_libdir}/tmpfiles.d"
-
 CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
 
 INITSCRIPT_NAME = "sssd"
@@ -141,10 +143,13 @@
 ALLOW_EMPTY:libsss-sudo = "1"
 
 FILES:${PN} += "${base_libdir}/security/pam_sss*.so  \
+                ${nonarch_libdir}/tmpfiles.d \
                 ${datadir}/dbus-1/system-services/*.service \
                 ${libdir}/krb5/* \
                 ${libdir}/ldb/* \
+                ${PYTHON_SITEPACKAGES_DIR}/sssd \
                 "
+
 FILES:libsss-sudo = "${libdir}/libsss_sudo.so"
 
 RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo"
diff --git a/meta-security/lib/oeqa/runtime/cases/aide.py b/meta-security/lib/oeqa/runtime/cases/aide.py
new file mode 100644
index 0000000..4c7633c
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/aide.py
@@ -0,0 +1,26 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+
+class AideTest(OERuntimeTestCase):
+
+    @OEHasPackage(['aide'])
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    def test_aide_help(self):
+        status, output = self.target.run('aide --help')
+        msg = ('Aide help command does not work as expected. '
+               'Status and output:%s and %s' % (status, output))
+        self.assertEqual(status, 0, msg = msg)
+
+    @OETestDepends(['aide.AideTest.test_aide_help'])
+    def test_aide_dbinit(self):
+        status, output = self.target.run('aide --init')
+        match = re.search('Number of entries:', output)
+        if not match:
+            msg = ('Aide db init failed: output is:\n%s' % output)
+            self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/checksec.py b/meta-security/lib/oeqa/runtime/cases/checksec.py
index e46744c..53e6c1d 100644
--- a/meta-security/lib/oeqa/runtime/cases/checksec.py
+++ b/meta-security/lib/oeqa/runtime/cases/checksec.py
@@ -19,7 +19,7 @@
 
     @OETestDepends(['checksec.CheckSecTest.test_checksec_help'])
     def test_checksec_xml(self):
-        status, output = self.target.run('checksec --format xml --proc-all')
+        status, output = self.target.run('checksec --format=xml --proc=1')
         msg = ('checksec xml failed. Output: %s' % output)
         self.assertEqual(status, 0, msg = msg)
 
diff --git a/meta-security/lib/oeqa/runtime/cases/clamav.py b/meta-security/lib/oeqa/runtime/cases/clamav.py
index cf83937..e0cad8f 100644
--- a/meta-security/lib/oeqa/runtime/cases/clamav.py
+++ b/meta-security/lib/oeqa/runtime/cases/clamav.py
@@ -1,4 +1,4 @@
-# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
+# Copyright (C) 2019 - 2022 Armin Kuster <akuster808@gmail.com>
 #
 import re
 from tempfile import mkstemp
@@ -48,21 +48,8 @@
         self.assertEqual(status, 0, msg = msg)
 
     @OETestDepends(['clamav.ClamavTest.test_ping_clamav_net'])
-    def test_freshclam_check_mirrors(self):
-        status, output = self.target.run('freshclam --list-mirrors')
-        match = re.search('Failures: 0', output)
-        if not match:
-            msg = ('freshclam --list-mirrors: failed. '
-               'Status and output:%s and %s' % (status, output))
-            self.assertEqual(status, 1, msg = msg)
-
-    @OETestDepends(['clamav.ClamavTest.test_freshclam_check_mirrors'])
     def test_freshclam_download(self):
         status, output = self.target.run('freshclam --show-progress')
-        match = re.search('Database updated', output)
-        #match = re.search('main.cvd is up to date', output)
-        if not match:
-            msg = ('freshclam : DB dowbload failed. '
-               'Status and output:%s and %s' % (status, output))
-            self.assertEqual(status, 1, msg = msg)
-
+        msg = ('freshclam : DB dowbload failed. '
+            'Status and output:%s and %s' % (status, output))
+        self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/firejail.py b/meta-security/lib/oeqa/runtime/cases/firejail.py
new file mode 100644
index 0000000..88a8dda
--- /dev/null
+++ b/meta-security/lib/oeqa/runtime/cases/firejail.py
@@ -0,0 +1,18 @@
+# Copyright (C) 2022 Armin Kuster <akuster808@gmail.com>
+#
+import re
+
+from oeqa.runtime.case import OERuntimeTestCase
+from oeqa.core.decorator.depends import OETestDepends
+from oeqa.runtime.decorator.package import OEHasPackage
+
+class FirejailTest(OERuntimeTestCase):
+
+    @OEHasPackage(['firejail'])
+    @OEHasPackage(['libseccomp'])
+    @OETestDepends(['ssh.SSHTest.test_ssh'])
+    def test_firejail_basic(self):
+        status, output = self.target.run('firejail --help')
+        msg = ('Firejail --help command does not work as expected. '
+               'Status and output:%s and %s' % (status, output))
+        self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/lib/oeqa/runtime/cases/smack.py b/meta-security/lib/oeqa/runtime/cases/smack.py
index b8255c7..6b87574 100644
--- a/meta-security/lib/oeqa/runtime/cases/smack.py
+++ b/meta-security/lib/oeqa/runtime/cases/smack.py
@@ -15,17 +15,16 @@
 
     @classmethod
     def setUpClass(cls):
-        cls.smack_path = ""
         cls.current_label  = ""
         cls.uid = 1000
+        status, output = cls.tc.target.run("grep smack /proc/mounts | awk '{print $2}'")
+        cls.smack_path = output
 
     @skipIfNotFeature('smack',
         'Test requires smack to be in DISTRO_FEATURES')
     @OEHasPackage(['smack-test'])
     @OETestDepends(['ssh.SSHTest.test_ssh'])
     def test_smack_basic(self):
-        status, output = self.target.run("grep smack /proc/mounts | awk '{print $2}'")
-        self.smack_path = output
         status,output = self.target.run("cat /proc/self/attr/current")
         self.current_label = output.strip()
 
@@ -41,11 +40,11 @@
             "Status and output: %d %s" %(status, output))
         status, output = self.target.run("chsmack %s" %filename)
         self.target.run("rm %s" %filename)
-        m = re.search('(?<=access=")\S+(?=")', output)
+        m = re.search('(access=")\S+(?=")', output)
         if m is None:
             self.fail("Did not find access attribute")
         else:
-            label_retrieved = m .group(0)
+            label_retrieved = re.split("access=\"", output)[1][:-1]
             self.assertEqual(
                 LABEL, label_retrieved,
                 "label not set correctly. expected and gotten: "
@@ -64,11 +63,11 @@
             "Status and output: %d %s" %(status, output))
         status, output = self.target.run("chsmack %s" %filename)
         self.target.run("rm %s" %filename)
-        m= re.search('(?<=execute=")\S+(?=")', output)
+        m= re.search('(execute=")\S+(?=")', output)
         if m is None:
             self.fail("Did not find execute attribute")
         else:
-            label_retrieved = m.group(0)
+            label_retrieved = re.split("execute=\"", output)[1][:-1]
             self.assertEqual(
                 LABEL, label_retrieved,
                 "label not set correctly. expected and gotten: " +
@@ -87,11 +86,11 @@
             "Status and output: %d %s" %(status, output))
         status, output = self.target.run("chsmack %s" %filename)
         self.target.run("rm %s" %filename)
-        m = re.search('(?<=mmap=")\S+(?=")', output)
+        m = re.search('(mmap=")\S+(?=")', output)
         if m is None:
             self.fail("Did not find mmap attribute")
         else:
-            label_retrieved = m.group(0)
+            label_retrieved = re.split("mmap=\"", output)[1][:-1]
             self.assertEqual(
                 LABEL, label_retrieved,
                 "label not set correctly. expected and gotten: " +
@@ -109,11 +108,11 @@
                         "Status and output: %d %s" %(status, output))
         status, output = self.target.run("chsmack %s" %directory)
         self.target.run("rmdir %s" %directory)
-        m = re.search('(?<=transmute=")\S+(?=")', output)
+        m = re.search('(transmute=")\S+(?=")', output)
         if m is None:
             self.fail("Did not find transmute attribute")
         else:
-            label_retrieved = m.group(0)
+            label_retrieved = re.split("transmute=\"", output)[1][:-1]
             self.assertEqual(
                 "TRUE", label_retrieved,
                 "label not set correctly. expected and gotten: " +
@@ -127,10 +126,10 @@
         '''
 
         labelf = "/proc/self/attr/current"
-        command = "/bin/sh -c 'echo PRIVILEGED >%s; cat %s'" %(labelf, labelf)
+        command = "/bin/sh -c 'echo PRIVILEGED >%s'; cat %s" %(labelf, labelf)
 
         status, output = self.target.run(
-            "notroot.py 0 %s %s" %(self.current_label, command))
+            "/usr/sbin/notroot.py 0 %s %s" %(self.current_label, command))
 
         self.assertIn("PRIVILEGED", output,
                     "Privilege process did not change label.Output: %s" %output)
@@ -142,7 +141,7 @@
 
         command = "/bin/sh -c 'echo %s >/proc/self/attr/current'" %LABEL
         status, output = self.target.run(
-            "notroot.py %d %s %s"
+            "/usr/sbin/notroot.py %d %s %s"
             %(self.uid, self.current_label, command) +
             " 2>&1 | grep 'Operation not permitted'" )
 
@@ -160,9 +159,9 @@
         filename = "/tmp/test_unprivileged_change_file_label"
 
         self.target.run("touch %s" % filename)
-        self.target.run("notroot.py %d %s" %(self.uid, self.current_label))
+        self.target.run("/usr/sbin/notroot.py %d %s" %(self.uid, self.current_label))
         status, output = self.target.run(
-            "notroot.py " +
+            "/usr/sbin/notroot.py " +
             "%d unprivileged %s -a %s %s 2>&1 " %(self.uid, chsmack, LABEL, filename) +
             "| grep 'Operation not permitted'"  )
 
@@ -347,78 +346,6 @@
 
 
     @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
-    def test_smack_mmap_enforced(self):
-        '''Test if smack mmap access is enforced'''
-        raise unittest.SkipTest("Depends on mmap_test, which was removed from the layer while investigating its license.")
-
-        #      12345678901234567890123456789012345678901234567890123456
-        delr1="mmap_label              mmap_test_label1        -----"
-        delr2="mmap_label              mmap_test_label2        -----"
-        delr3="mmap_file_label         mmap_test_label1        -----"
-        delr4="mmap_file_label         mmap_test_label2        -----"
-
-        RuleA="mmap_label              mmap_test_label1        rw---"
-        RuleB="mmap_label              mmap_test_label2        r--at"
-        RuleC="mmap_file_label         mmap_test_label1        rw---"
-        RuleD="mmap_file_label         mmap_test_label2        rwxat"
-
-        mmap_label="mmap_label"
-        file_label="mmap_file_label"
-        test_file = "/usr/sbin/smack_test_mmap"
-        mmap_exe = "/tmp/mmap_test"
-        status, echo = self.target.run("which echo")
-        status, output = self.target.run(
-            "notroot.py %d %s %s 'test' > %s" \
-            %(self.uid, self.current_label, echo, test_file))
-        status, output = self.target.run("ls %s" %test_file)
-        self.assertEqual(status, 0, "Could not create mmap test file")
-        self.target.run("chsmack -m %s %s" %(file_label, test_file))
-        self.target.run("chsmack -e %s %s" %(mmap_label, mmap_exe))
-
-        # test with no rules with mmap label or exec label as subject
-        # access should be granted
-        self.target.run('echo -n "%s" > %s/load' %(delr1, self.smack_path))
-        self.target.run('echo -n "%s" > %s/load' %(delr2, self.smack_path))
-        self.target.run('echo -n "%s" > %s/load' %(delr3, self.smack_path))
-        self.target.run('echo -n "%s" > %s/load' %(delr4, self.smack_path))
-        status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
-        self.assertEqual(
-            status, 0,
-            "Should have mmap access without rules. Output: %s" %output)
-
-        # add rules that do not match access required
-        self.target.run('echo -n "%s" > %s/load' %(RuleA, self.smack_path))
-        self.target.run('echo -n "%s" > %s/load' %(RuleB, self.smack_path))
-        status, output = self.target.run("%s %s 0 2" % (mmap_exe, test_file))
-        self.assertNotEqual(
-            status, 0,
-            "Should not have mmap access with unmatching rules. " +
-            "Output: %s" %output)
-        self.assertIn(
-            "Permission denied", output,
-            "Mmap access should be denied with unmatching rules")
-
-        # add rule to match only partially (one way)
-        self.target.run('echo -n "%s" > %s/load' %(RuleC, self.smack_path))
-        status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
-        self.assertNotEqual(
-            status, 0,
-            "Should not have mmap access with partial matching rules. " +
-            "Output: %s" %output)
-        self.assertIn(
-            "Permission denied", output,
-            "Mmap access should be denied with partial matching rules")
-
-        # add rule to match fully
-        self.target.run('echo -n "%s" > %s/load' %(RuleD, self.smack_path))
-        status, output = self.target.run("%s %s 0 2" %(mmap_exe, test_file))
-        self.assertEqual(
-            status, 0,
-            "Should have mmap access with full matching rules." +
-            "Output: %s" %output)
-
-
-    @OETestDepends(['smack.SmackBasicTest.test_smack_basic'])
     def test_smack_transmute_dir(self):
         '''Test if smack transmute attribute works
 
diff --git a/meta-security/lib/oeqa/runtime/cases/sssd.py b/meta-security/lib/oeqa/runtime/cases/sssd.py
index 4644836..1dfdb94 100644
--- a/meta-security/lib/oeqa/runtime/cases/sssd.py
+++ b/meta-security/lib/oeqa/runtime/cases/sssd.py
@@ -28,10 +28,10 @@
 
     @OETestDepends(['sssd.SSSDTest.test_sssd_sssctl_conf_perms_chk'])
     def test_sssd_sssctl_deamon(self):
-        status, output = self.target.run('sssctl domain-status')
+        status, output = self.target.run('sssctl domain-list')
         match = re.search('No domains configured, fatal error!', output)
         if match:
-            msg = ('sssctl domain-status failed, sssd.conf not setup correctly. '
+            msg = ('sssctl domain-list failed, sssd.conf not setup correctly. '
                'Status and output:%s and %s' % (status, output))
             self.assertEqual(status, 0, msg = msg)
 
diff --git a/meta-security/meta-integrity/classes/kernel-modsign.bbclass b/meta-security/meta-integrity/classes/kernel-modsign.bbclass
index 093c358..d3aa7fb 100644
--- a/meta-security/meta-integrity/classes/kernel-modsign.bbclass
+++ b/meta-security/meta-integrity/classes/kernel-modsign.bbclass
@@ -13,7 +13,9 @@
 MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
 
 # If this class is enabled, disable stripping signatures from modules
+# as well disable the debug symbols split
 INHIBIT_PACKAGE_STRIP = "1"
+INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
 
 kernel_do_configure:prepend() {
     if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
diff --git a/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py b/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py
index d3d3f2e..11e5572 100644
--- a/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py
+++ b/meta-security/meta-parsec/lib/oeqa/runtime/cases/parsec.py
@@ -12,8 +12,13 @@
 class ParsecTest(OERuntimeTestCase):
     @classmethod
     def setUpClass(cls):
+        cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
         cls.toml_file = '/etc/parsec/config.toml'
 
+    @classmethod
+    def tearDownClass(cls):
+        cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
+
     def setUp(self):
         super(ParsecTest, self).setUp()
         if 'systemd' in self.tc.td['DISTRO_FEATURES']:
diff --git a/meta-security/meta-security-compliance/README b/meta-security/meta-security-compliance/README
index 320f856..3311d05 100644
--- a/meta-security/meta-security-compliance/README
+++ b/meta-security/meta-security-compliance/README
@@ -28,7 +28,7 @@
 Send pull requests, patches, comments or questions to yocto@yoctoproject.org
 
 When sending single patches, please using something like:
-'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security-compliance][PATCH'
+'git send-email -1 --to yocto@lists.yoctoproject.org  --subject-prefix=meta-security-compliance][PATCH'
 
 Layer Maintainer: Armin Kuster <akuster808@gmail.com>
 
diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb
similarity index 92%
rename from meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb
rename to meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb
index f665e29..d38c17a 100644
--- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.0.bb
+++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_3.0.8.bb
@@ -8,7 +8,7 @@
 
 SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz"
 
-SRC_URI[sha256sum] = "3cc165f9007ba41de6d0b693a1167dbaf0179085f9506dcba64b4b8e37e1bda2"
+SRC_URI[sha256sum] = "98373a4cc9d0471ab9bebb249e442fcf94b6bf6d4e9c6fc0b22bca1506646c63"
 
 S = "${WORKDIR}/${BPN}"
 
diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
index df47b35..0be5c59 100644
--- a/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
+++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/swtpm.py
@@ -8,11 +8,13 @@
 class SwTpmTest(OERuntimeTestCase):
     @classmethod
     def setUpClass(cls):
+        cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
         cls.tc.target.run('mkdir /tmp/myvtpm2')
         cls.tc.target.run('chown tss:root /tmp/myvtpm2')
 
     @classmethod
     def tearDownClass(cls):
+        cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
         cls.tc.target.run('rm -fr /tmp/myvtpm2')
 
     @skipIfNotFeature('tpm2','Test tpm2_swtpm_socket requires tpm2 to be in DISTRO_FEATURES')
diff --git a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
index e64d19d..8e90dc9 100644
--- a/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
+++ b/meta-security/meta-tpm/lib/oeqa/runtime/cases/tpm2.py
@@ -8,10 +8,12 @@
 class Tpm2Test(OERuntimeTestCase):
     @classmethod
     def setUpClass(cls):
+        cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
         cls.tc.target.run('mkdir /tmp/myvtpm2')
 
     @classmethod
     def tearDownClass(cls):
+        cls.tc.target.run('swtpm_ioctl -s --tcp :2322')
         cls.tc.target.run('rm -fr /tmp/myvtpm2')
 
     def check_endlines(self, results,  expected_endlines): 
diff --git a/meta-security/recipes-core/images/security-build-image.bb b/meta-security/recipes-core/images/security-build-image.bb
index a8757f9..411cd20 100644
--- a/meta-security/recipes-core/images/security-build-image.bb
+++ b/meta-security/recipes-core/images/security-build-image.bb
@@ -3,6 +3,7 @@
 IMAGE_FEATURES += "ssh-server-openssh"
 
 IMAGE_INSTALL = "\
+    ${@bb.utils.contains("DISTRO_FEATURES", "lkrg", "lkrg-module", "",d)} \
     packagegroup-base \
     packagegroup-core-boot \
     packagegroup-core-security \
diff --git a/meta-security/recipes-core/images/security-test-image.bb b/meta-security/recipes-core/images/security-test-image.bb
index 54d8978..81f69dd 100644
--- a/meta-security/recipes-core/images/security-test-image.bb
+++ b/meta-security/recipes-core/images/security-test-image.bb
@@ -4,7 +4,16 @@
 
 IMAGE_FEATURES += "ssh-server-openssh"
 
-TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
+IMAGE_INSTALL:append = "\
+    ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
+    ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm","", d)} \
+    ${@bb.utils.contains("BBFILE_COLLECTIONS", "tpm-layer", "packagegroup-security-tpm2","", d)} \
+    ${@bb.utils.contains("BBFILE_COLLECTIONS", "parsec-layer", "packagegroup-security-parsec","", d)} \
+    ${@bb.utils.contains("BBFILE_COLLECTIONS", "integrity", "packagegroup-ima-evm-utils","", d)} \
+"
+
+TEST_SUITES = "ssh ping apparmor clamav samhain sssd checksec smack suricata aide firejail"
+TEST_SUITES:append = " parsec tpm2 swtpm ima"
 
 INSTALL_CLAMAV_CVD = "1"
 
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index f381d91..05951da 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -35,11 +35,14 @@
     pinentry \
     softhsm \
     sshguard \
+    firejail \
     ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \
-    ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd google-authenticator-libpam", "",d)} \
+    ${@bb.utils.contains("DISTRO_FEATURES", "pam", "google-authenticator-libpam", "",d)} \
     ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
     "
 
+RDEPENDS:packagegroup-security-utils:remove:mipsarch = "firejail"
+
 SUMMARY:packagegroup-security-scanners = "Security scanners"
 RDEPENDS:packagegroup-security-scanners = "\
     ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " arpwatch",d)} \
diff --git a/meta-security/recipes-ids/aide/aide/aide.conf b/meta-security/recipes-ids/aide/aide/aide.conf
index 2c99e07..c4b917e 100644
--- a/meta-security/recipes-ids/aide/aide/aide.conf
+++ b/meta-security/recipes-ids/aide/aide/aide.conf
@@ -51,7 +51,7 @@
 #crc32:  crc32 checksum (MHASH only)
 #whirlpool:     whirlpool checksum (MHASH only)
 
-FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+FIPSR = p+u+g+s+acl+xattrs+sha256
 
 #R:             p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
 #L:             p+i+n+u+g+acl+selinux+xattrs
@@ -70,10 +70,10 @@
 NORMAL = FIPSR+sha512
 
 # For directories, don't bother doing hashes
-DIR = p+i+n+u+g+acl+selinux+xattrs
+DIR = p+u+g+acl+xattrs
 
 # Access control only
-PERMS = p+i+u+g+acl+selinux
+PERMS = p+u+g+acl
 
 # Logfile are special, in that they often change
 LOG = >
@@ -83,12 +83,9 @@
 
 # Some files get updated automatically, so the inode/ctime/mtime change
 # but we want to know when the data inside them changes
-DATAONLY =  p+n+u+g+s+acl+selinux+xattrs+sha256
+DATAONLY =  p+u+g+s+acl+xattrs+sha256
 
 # Next decide what directories/files you want in the database.
 
 # Check only permissions, inode, user and group for /etc, but
 # cover some important files closely.
-/bin NORMAL
-/sbin NORMAL
-/lib NORMAL
diff --git a/meta-security/recipes-ids/aide/aide_0.17.4.bb b/meta-security/recipes-ids/aide/aide_0.17.4.bb
index 6bc2bfe..7ce0729 100644
--- a/meta-security/recipes-ids/aide/aide_0.17.4.bb
+++ b/meta-security/recipes-ids/aide/aide_0.17.4.bb
@@ -10,9 +10,9 @@
 
 SRC_URI[sha256sum] = "c81505246f3ffc2e76036d43a77212ae82895b5881d9b9e25c1361b1a9b7a846"
 
-inherit autotools pkgconfig
+inherit autotools pkgconfig aide-base
 
-PACKAGECONFIG ??=" mhash zlib e2fsattrs \
+PACKAGECONFIG ??=" mhash zlib e2fsattrs posix capabilities curl \
                  ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \
                  ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'xattr', '', d)} \
                  "
@@ -24,11 +24,34 @@
 PACKAGECONFIG[gcrypt] = "--with-gcrypt, --without-gcrypt, libgcrypt, libgcrypt"
 PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash"
 PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2fsprogs"
+PACKAGECONFIG[capabilities] = "--with-capabilities, --without-capabilities, libcap, libcap"
+PACKAGECONFIG[posix] = "--with-posix-acl, --without-posix-acl, acl, acl"
+
+
+do_install[nostamp] = "1"
 
 do_install:append () {
     install -d ${D}${libdir}/${PN}/logs   
     install -d ${D}${sysconfdir}   
     install ${WORKDIR}/aide.conf ${D}${sysconfdir}/
+
+    for dir in ${AIDE_INCLUDE_DIRS}; do
+        echo "${dir} NORMAL" >> ${D}${sysconfdir}/aide.conf
+    done
+    for dir in ${AIDE_SKIP_DIRS}; do
+        echo "!${dir}" >> ${D}${sysconfdir}/aide.conf
+    done
+}
+
+do_install:class-native () {
+    install -d ${STAGING_AIDE_DIR}/bin
+    install -d ${STAGING_AIDE_DIR}/lib/logs
+
+    install ${B}/aide ${STAGING_AIDE_DIR}/bin
+    install ${WORKDIR}/aide.conf ${STAGING_AIDE_DIR}/
+
+    sed -i -s "s:\@\@define DBDIR.*:\@\@define DBDIR ${STAGING_AIDE_DIR}/lib:" ${STAGING_AIDE_DIR}/aide.conf
+    sed -i -e "s:\@\@define LOGDIR.*:\@\@define LOGDIR ${STAGING_AIDE_DIR}/lib/logs:" ${STAGING_AIDE_DIR}/aide.conf
 }
 
 CONF_FILE = "${sysconfdir}/aide.conf"
@@ -36,6 +59,14 @@
 FILES:${PN} += "${libdir}/${PN} ${sysconfdir}/aide.conf"
 
 pkg_postinst_ontarget:${PN} () {
-    /usr/bin/aide -i
+    if [ ${AIDE_SCAN_POSTINIT} ]; then
+        ${bindir}/aide -i
+    fi
+    if [ ${AIDE_RESCAN_POSTINIT}  && -e ${libdir}/aide/aide.db.gz ]; then
+        ${bindir}/aide -C
+    fi
 }
-RDPENDS_${PN} = "bison, libpcre"
+
+RDEPENDS:${PN} = "bison libpcre"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch b/meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch
index 799b1a6..f29afbe 100644
--- a/meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch
+++ b/meta-security/recipes-kernel/lkrg/files/makefile_cleanup.patch
@@ -1,73 +1,53 @@
-Upstream-Status: Pending
-
-This needs more work. Its my starting point.
-
+Upstream-Status: Inappropriate [embedded specific]
+  
 Signed-off-by: Armin Kuster <akuster808@gmail.com>
 
+
 Index: git/Makefile
 ===================================================================
 --- git.orig/Makefile
 +++ git/Makefile
-@@ -4,28 +4,10 @@
- # Author:
- #  - Adam 'pi3' Zabrocki (http://pi3.com.pl)
- ##
--
--P_OUTPUT = output
+@@ -7,15 +7,8 @@
+ 
+ P_OUTPUT = output
  P_PWD ?= $(shell pwd)
 -P_KVER ?= $(shell uname -r)
--P_BOOTUP_SCRIPT ?= scripts/bootup/lkrg-bootup.sh
--TARGET := p_lkrg
+ P_BOOTUP_SCRIPT ?= scripts/bootup/lkrg-bootup.sh
+ TARGET := p_lkrg
 -ifneq ($(KERNELRELEASE),)
 -    KERNEL := /lib/modules/$(KERNELRELEASE)/build
 -else
 -    ## KERNELRELEASE not set.
 -    KERNEL := /lib/modules/$(P_KVER)/build
 -endif
--
--#
--# Uncomment for debug compilation
--#
--# ccflags-m := -ggdb -DP_LKRG_DEBUG_BUILD -finstrument-functions
--# ccflags-y := ${ccflags-m}
--# p_lkrg-objs += src/modules/print_log/p_lkrg_debug_log.o
  
--obj-m += $(TARGET).o
--$(TARGET)-objs += src/modules/ksyms/p_resolve_ksym.o \
-+obj-m := p_lkrg.o
-+p_lkrg-y := src/modules/ksyms/p_resolve_ksym.o \
-                   src/modules/hashing/p_lkrg_fast_hash.o \
-                   src/modules/comm_channel/p_comm_channel.o \
-                   src/modules/integrity_timer/p_integrity_timer.o \
-@@ -92,23 +74,14 @@ $(TARGET)-objs += src/modules/ksyms/p_re
+ #
+ # Use DEBUG=on for debug build.
+@@ -94,14 +87,13 @@ $(TARGET)-objs += src/modules/ksyms/p_re
                    src/p_lkrg_main.o
  
  
 -all:
 -#	$(MAKE) -C $(KERNEL) M=$(P_PWD) modules CONFIG_DEBUG_SECTION_MISMATCH=y
 -	$(MAKE) -C $(KERNEL) M=$(P_PWD) modules
--	mkdir -p $(P_OUTPUT)
--	cp $(P_PWD)/$(TARGET).ko $(P_OUTPUT)
--
--install:
--	$(MAKE) -C $(KERNEL) M=$(P_PWD) modules_install
--	depmod -a
--	$(P_PWD)/$(P_BOOTUP_SCRIPT) install
- 
--uninstall:
--	$(P_PWD)/$(P_BOOTUP_SCRIPT) uninstall
 +modules:
 +	$(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules
-+
-+modules_install:
+ 	mkdir -p $(P_OUTPUT)
+ 	cp $(P_PWD)/$(TARGET).ko $(P_OUTPUT)
+ 
+-install:
+-	$(MAKE) -C $(KERNEL) M=$(P_PWD) modules_install
++moduled_install:
 +	$(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) modules_install
+ 	depmod -a
+ 	$(P_PWD)/$(P_BOOTUP_SCRIPT) install
+ 
+@@ -109,7 +101,7 @@ uninstall:
+ 	$(P_PWD)/$(P_BOOTUP_SCRIPT) uninstall
  
  clean:
 -	$(MAKE) -C $(KERNEL) M=$(P_PWD) clean
--	$(RM) Module.markers modules.order
--	$(RM) $(P_PWD)/src/modules/kmod/client/kmod/Module.markers
--	$(RM) $(P_PWD)/src/modules/kmod/client/kmod/modules.order
--	$(RM) -rf $(P_OUTPUT)
-+	rm -f *.o *~ core .depend .*.cmd *.ko *.mod.c
-+	rm -f Module.markers Module.symvers modules.order
-+	rm -rf .tmp_versions Modules.symvers
++	$(MAKE) -C $(KERNEL_SRC) M=$(P_PWD) clean
+ 	$(RM) Module.markers modules.order
+ 	$(RM) $(P_PWD)/src/modules/kmod/client/kmod/Module.markers
+ 	$(RM) $(P_PWD)/src/modules/kmod/client/kmod/modules.order
diff --git a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.2.bb b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.3.bb
similarity index 90%
rename from meta-security/recipes-kernel/lkrg/lkrg-module_0.9.2.bb
rename to meta-security/recipes-kernel/lkrg/lkrg-module_0.9.3.bb
index 85f7d44..2553974 100644
--- a/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.2.bb
+++ b/meta-security/recipes-kernel/lkrg/lkrg-module_0.9.3.bb
@@ -9,10 +9,11 @@
 
 DEPENDS = "virtual/kernel elfutils"
 
-SRCREV = "43db5f19fca259feb1962f6db33382348cbc8320"
-
 SRC_URI = "git://github.com/lkrg-org/lkrg.git;protocol=https;branch=main \
-           file://makefile_cleanup.patch "
+           file://makefile_cleanup.patch \
+"
+
+SRCREV = "c578e9f786299b67ffd62057b4534b0bf4fb7ece"
 
 S = "${WORKDIR}/git"
 
diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.4.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.4.bb
index 046a3a0..896abfe 100644
--- a/meta-security/recipes-mac/AppArmor/apparmor_3.0.4.bb
+++ b/meta-security/recipes-mac/AppArmor/apparmor_3.0.4.bb
@@ -101,6 +101,8 @@
     if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
         oe_runmake -C ${B}/parser DESTDIR="${D}" install-systemd
     fi
+    chown root:root -R ${D}/${sysconfdir}/apparmor.d
+    chown root:root -R ${D}/${datadir}/apparmor
 }
 
 #Building ptest on arm fails.
diff --git a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
similarity index 87%
rename from meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb
rename to meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
index 8d148bb..ff800ce 100644
--- a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.4.bb
+++ b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
@@ -7,11 +7,10 @@
 
 DEPENDS = "ncurses"
 
-DS = "20150505"
+DS = "20210910"
 SRC_URI = "http://osdn.dl.sourceforge.jp/tomoyo/49693/${BPN}-${PV}-${DS}.tar.gz"
 
-SRC_URI[md5sum] = "eeee8eb96a7680bfa9c8f6de55502c44"
-SRC_URI[sha256sum] = "c358b80a2ea77a9dda79dc2a056dae3acaf3a72fcb8481cfb1cd1f16746324b4"
+SRC_URI[sha256sum] = "7900126cf2dd8706c42c2c1ef7a37fd8b50f1505abd7d9c3d653dc390fb4d620"
 
 S = "${WORKDIR}/${BPN}"
 
diff --git a/meta-security/recipes-mac/smack/smack-test/notroot.py b/meta-security/recipes-mac/smack/smack-test/notroot.py
index f0eb0b5..89f83f4 100644
--- a/meta-security/recipes-mac/smack/smack-test/notroot.py
+++ b/meta-security/recipes-mac/smack/smack-test/notroot.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 #
 # Script used for running executables with custom labels, as well as custom uid/gid
 # Process label is changed by writing to /proc/self/attr/curent
@@ -9,8 +9,8 @@
 # """By  default,  each  user  in Debian GNU/Linux is given a corresponding group 
 # with the same name. """
 #
-# Usage: root@desk:~# python notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
-# eg: python notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
+# Usage: root@desk:~# python3 notroot.py <uid> <label> <full_path_to_executable> [arguments ..]
+# eg: python3 notroot.py 1000 User::Label /bin/ping -c 3 192.168.1.1
 #
 # Author: Alexandru Cornea <alexandru.cornea@intel.com>
 import os
@@ -28,6 +28,6 @@
 	os.setuid(uid)	
 	os.execv(path,sys.argv)
 
-except Exception,e:
-	print e.message
-	sys.exit(1)
+except Exception as e:
+	print(e.strerror)
+	sys.exit(-1)
diff --git a/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh b/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh
index 5a0ce84..598f1df 100644
--- a/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh
+++ b/meta-security/recipes-mac/smack/smack-test/smack_test_file_access.sh
@@ -8,7 +8,7 @@
 ECHO=`which echo`
 uid=1000
 initial_label=`cat /proc/self/attr/current`
-python $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
+python3 $TMP/notroot.py $uid "TheOther" $ECHO 'TEST' > $test_file
 chsmack -a "TheOther" $test_file
 
 #        12345678901234567890123456789012345678901234567890123456
@@ -17,7 +17,7 @@
 
 # Remove pre-existent rules for "TheOne TheOther <access>"
 echo -n "$delrule" > $SMACK_PATH/load
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
+python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file 2>&1 1>/dev/null | grep -q "Permission denied" || RC=$?
 if [ $RC -ne 0 ]; then
 	echo "Process with different label than the test file and no read access on it can read it"
 	exit $RC
@@ -25,7 +25,7 @@
 
 # adding read access
 echo -n "$rule_ro" > $SMACK_PATH/load
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
 if [ $RC -ne 0 ]; then
 	echo "Process with different label than the test file but with read access on it cannot read it"
 	exit $RC
@@ -36,7 +36,7 @@
 # changing label of test file to *
 # according to SMACK documentation, read access on a * object is always permitted
 chsmack -a '*' $test_file
-python $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
+python3 $TMP/notroot.py $uid "TheOne" $CAT $test_file | grep -q "TEST" || RC=$?
 if [ $RC -ne 0 ]; then
 	echo  "Process cannot read file with * label"
 	exit $RC
@@ -45,7 +45,7 @@
 # changing subject label to *
 # according to SMACK documentation, every access requested by a star labeled subject is rejected
 TOUCH=`which touch`
-python $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
+python3 $TMP/notroot.py $uid '*' $TOUCH $TMP/test_file_2
 ls -la $TMP/test_file_2 2>&1 | grep -q 'No such file or directory' || RC=$?
 if [ $RC -ne 0 ];then
 	echo "Process with label '*' should not have any access"
diff --git a/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb b/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb
index 3bcb5eb..18e8329 100644
--- a/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb
+++ b/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -56,7 +56,7 @@
 
 do_install:append () {
     install -d ${D}/${sysconfdir}
-    install -d -o ${CLAMAV_UID} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav
+    install -d -o ${PN} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav
     install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
 
     install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir}
diff --git a/meta-security/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch b/meta-security/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch
new file mode 100644
index 0000000..a32720a
--- /dev/null
+++ b/meta-security/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch
@@ -0,0 +1,45 @@
+Exclude all the seccomp files to run during build.
+
+Upstream-Status: Inappropriate [embedded specific]
+There are some files that need to run to generate the appropriate files
+we are currently doing this on the target. 
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/Makefile.in
+===================================================================
+--- git.orig/Makefile.in
++++ git/Makefile.in
+@@ -34,7 +34,6 @@ MYDIRS = src/lib $(MAN_SRC) $(COMPLETION
+ MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
+ COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
+ MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
+-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+ ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
+ 
+ .PHONY: all_items $(ALL_ITEMS)
+@@ -52,7 +51,7 @@ $(MANPAGES): src/man
+ 
+ man: $(MANPAGES)
+ 
+-filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
++filters: $(SBOX_APPS_NON_DUMPABLE)
+ seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
+ 	src/fseccomp/fseccomp default seccomp
+ 	src/fsec-optimize/fsec-optimize seccomp
+@@ -81,7 +80,6 @@ clean:
+ 	done
+ 	$(MAKE) -C test clean
+ 	rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+-	rm -f $(SECCOMP_FILTERS)
+ 	rm -f test/utils/index.html*
+ 	rm -f test/utils/wget-log
+ 	rm -f test/utils/firejail-test-file*
+@@ -119,7 +117,7 @@ endif
+ 	# libraries and plugins
+ 	install -m 0755 -d $(DESTDIR)$(libdir)/firejail
+ 	install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh
+-	install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
++	install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) 
+ 	install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
+ 	install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
+ 	# plugins w/o read permission (non-dumpable)
diff --git a/meta-security/recipes-security/Firejail/firejail_0.9.70.bb b/meta-security/recipes-security/Firejail/firejail_0.9.70.bb
new file mode 100644
index 0000000..35f7b07
--- /dev/null
+++ b/meta-security/recipes-security/Firejail/firejail_0.9.70.bb
@@ -0,0 +1,63 @@
+#
+# Copyright 2022 Armin Kuster <akuster808@gmail.com>
+#
+SUMMARY = "Linux namespaces and seccomp-bpf sandbox"
+DESCRIPTION = "Firejail is a SUID sandbox program that reduces the risk of security breaches \
+by restricting the running environment of untrusted applications using Linux namespaces, \
+seccomp-bpf and Linux capabilities."
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+LICENSE = "GPL-2.0-only"
+
+SRCREV = "b4b08d21cd95725c9d55dfdb6987fcc6d7893247"
+SRC_URI = "git://github.com/netblue30/firejail.git;protocol=https;branch=master \
+           file://exclude_seccomp_util_compiles.patch \
+           "
+
+DEPENDS = "libseccomp"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig bash-completion features_check
+
+REQUIRED_DISTRO_FEATURES = "seccomp"
+
+PACKAGECONFIG ?= ""
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', 'apparmor', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}"
+
+PACKAGECONFIG[apparmor] = "--enable-apparmor, --disable-apparmor, apparmor, apparmor"
+PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux"
+PACKAGECONFIG[x11] = " --enable-x11, --disable-x11, "
+PACKAGECONFIG[dbusproxy] = ", --disable-dbusproxy, "
+PACKAGECONFIG[notmpfs] = ", --disable-usertmpfs  ,"
+PACKAGECONFIG[nofiretunnel] = ", --disable-firetunnel , "
+PACKAGECONFIG[noprivatehome] = ", --disable-private-home, "
+PACKAGECONFIG[nochroot] = ", --disable-chroot, "
+PACKAGECONFIG[nonetwork] = ", --disable-network, "
+PACKAGECONFIG[nouserns] = ", --disable-userns, "
+PACKAGECONFIG[nofiletransfer] = ", --disable-file-transfer, "
+PACKAGECONFIG[nosuid] = ", --disable-suid, "
+
+EXTRA_OECONF = "--disable-man --enable-busybox-workaround"
+
+PACKAGES:append = " ${PN}-vim ${PN}-zsh"
+
+FILES:${PN}-vim = "${datadir}/vim/"
+FILES:${PN}-zsh = "${datadir}/zsh/"
+
+pkg_postinst_ontarget:${PN} () {
+    ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp
+    ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp
+    ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp.debug allow-debuggers
+    ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp.debug
+    ${libdir}/${BPN}/fseccomp secondary 32 ${libdir}/${BPN}/seccomp.32
+    ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp.32
+    ${libdir}/${BPN}/fseccomp secondary block ${libdir}/${BPN}/seccomp.block_secondary
+    ${libdir}/${BPN}/fseccomp memory-deny-write-execute ${libdir}/${BPN}/seccomp.mdwx
+}
+
+COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*"
+
+RDEPENDS:${PN} = "bash"
diff --git a/meta-security/recipes-security/chipsec/chipsec_git.bb b/meta-security/recipes-security/chipsec/chipsec_1.8.5.bb
similarity index 71%
rename from meta-security/recipes-security/chipsec/chipsec_git.bb
rename to meta-security/recipes-security/chipsec/chipsec_1.8.5.bb
index d6c3ff2..48dfe45 100644
--- a/meta-security/recipes-security/chipsec/chipsec_git.bb
+++ b/meta-security/recipes-security/chipsec/chipsec_1.8.5.bb
@@ -7,21 +7,17 @@
 LICENSE = "GPL-2.0-only"
 LIC_FILES_CHKSUM = "file://COPYING;md5=bc2d1f9b427be5fb63f6af9da56f7c5d"
 
-SRC_URI = "git://github.com/chipsec/chipsec.git;branch=master;protocol=https \
-          "
+DEPENDS = "virtual/kernel nasm-native"
 
-SRCREV = "b2a61684826dc8b9f622a844a40efea579cd7e7d"
-
-COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+SRC_URI = "git://github.com/chipsec/chipsec.git;branch=main;protocol=https"
+SRCREV = "07a532aac9f6c3d94b8895cf89336b6a2e60c0d9"
 
 S = "${WORKDIR}/git"
-EXTRA_OEMAKE = "CC='${CC}' LDFLAGS='${LDFLAGS}' CFLAGS='${CFLAGS}'"
-
-DEPENDS = "virtual/kernel nasm-native python3-setuptools-native"
-RDEPENDS:${PN} += "python3 python3-modules"
 
 inherit module setuptools3
 
+EXTRA_OEMAKE = "CC='${CC}' LDFLAGS='${LDFLAGS}' CFLAGS='${CFLAGS}'"
+
 do_compile:append() {
 	cd ${S}/drivers/linux
 	oe_runmake  KSRC=${STAGING_KERNEL_BUILDDIR}
@@ -31,5 +27,8 @@
 	install -m 0644 ${S}/drivers/linux/chipsec.ko ${D}${PYTHON_SITEPACKAGES_DIR}/chipsec/helper/linux
 }
 
-FILES:${PN} += "${exec_prefix} \
-"
+COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+
+FILES:${PN} += "${exec_prefix}"
+
+RDEPENDS:${PN} = "python3 python3-modules"
diff --git a/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb b/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb
index 35c5ff8..4d1f584 100644
--- a/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb
+++ b/meta-security/recipes-security/libmhash/libmhash_0.9.9.9.bb
@@ -35,3 +35,5 @@
 do_install_ptest() {
     install -m 0755 ${S}/demo/mhash ${D}${PTEST_PATH}
 }
+
+BBCLASSEXTEND = "native"
diff --git a/meta-security/recipes-security/sssd/files/CVE-2021-3621.patch b/meta-security/recipes-security/sssd/files/CVE-2021-3621.patch
deleted file mode 100644
index 7a59df9..0000000
--- a/meta-security/recipes-security/sssd/files/CVE-2021-3621.patch
+++ /dev/null
@@ -1,288 +0,0 @@
-Backport patch to fix CVE-2021-3621.
-
-Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/7ab83f9]
-CVE: CVE-2021-3621
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-
-From 7ab83f97e1cbefb78ece17232185bdd2985f0bbe Mon Sep 17 00:00:00 2001
-From: Alexey Tikhonov <atikhono@redhat.com>
-Date: Fri, 18 Jun 2021 13:17:19 +0200
-Subject: [PATCH] TOOLS: replace system() with execvp() to avoid execution of
- user supplied command
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-:relnote: A flaw was found in SSSD, where the sssctl command was
-vulnerable to shell command injection via the logs-fetch and
-cache-expire subcommands. This flaw allows an attacker to trick
-the root user into running a specially crafted sssctl command,
-such as via sudo, to gain root access. The highest threat from this
-vulnerability is to confidentiality, integrity, as well as system
-availability.
-This patch fixes a flaw by replacing system() with execvp().
-
-:fixes: CVE-2021-3621
-
-Reviewed-by: Pavel Březina <pbrezina@redhat.com>
----
- src/tools/sssctl/sssctl.c      | 39 ++++++++++++++++-------
- src/tools/sssctl/sssctl.h      |  2 +-
- src/tools/sssctl/sssctl_data.c | 57 +++++++++++-----------------------
- src/tools/sssctl/sssctl_logs.c | 32 +++++++++++++++----
- 4 files changed, 73 insertions(+), 57 deletions(-)
-
-diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c
-index 2997dbf968..8adaf30910 100644
---- a/src/tools/sssctl/sssctl.c
-+++ b/src/tools/sssctl/sssctl.c
-@@ -97,22 +97,36 @@ sssctl_prompt(const char *message,
-     return SSSCTL_PROMPT_ERROR;
- }
- 
--errno_t sssctl_run_command(const char *command)
-+errno_t sssctl_run_command(const char *const argv[])
- {
-     int ret;
-+    int wstatus;
- 
--    DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command);
-+    DEBUG(SSSDBG_TRACE_FUNC, "Running '%s'\n", argv[0]);
- 
--    ret = system(command);
-+    ret = fork();
-     if (ret == -1) {
--        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command);
-         ERROR("Error while executing external command\n");
-         return EFAULT;
--    } else if (WEXITSTATUS(ret) != 0) {
--        DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n",
--              command, WEXITSTATUS(ret));
-+    }
-+
-+    if (ret == 0) {
-+        /* cast is safe - see
-+        https://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
-+        "The statement about argv[] and envp[] being constants ... "
-+        */
-+        execvp(argv[0], discard_const_p(char * const, argv));
-         ERROR("Error while executing external command\n");
--        return EIO;
-+        _exit(1);
-+    } else {
-+        if (waitpid(ret, &wstatus, 0) == -1) {
-+            ERROR("Error while executing external command '%s'\n", argv[0]);
-+            return EFAULT;
-+        } else if (WEXITSTATUS(wstatus) != 0) {
-+            ERROR("Command '%s' failed with [%d]\n",
-+                  argv[0], WEXITSTATUS(wstatus));
-+            return EIO;
-+        }
-     }
- 
-     return EOK;
-@@ -132,11 +146,14 @@ static errno_t sssctl_manage_service(enum sssctl_svc_action action)
- #elif defined(HAVE_SERVICE)
-     switch (action) {
-     case SSSCTL_SVC_START:
--        return sssctl_run_command(SERVICE_PATH" sssd start");
-+        return sssctl_run_command(
-+                      (const char *[]){SERVICE_PATH, "sssd", "start", NULL});
-     case SSSCTL_SVC_STOP:
--        return sssctl_run_command(SERVICE_PATH" sssd stop");
-+        return sssctl_run_command(
-+                      (const char *[]){SERVICE_PATH, "sssd", "stop", NULL});
-     case SSSCTL_SVC_RESTART:
--        return sssctl_run_command(SERVICE_PATH" sssd restart");
-+        return sssctl_run_command(
-+                      (const char *[]){SERVICE_PATH, "sssd", "restart", NULL});
-     }
- #endif
- 
-diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h
-index 0115b2457c..599ef65196 100644
---- a/src/tools/sssctl/sssctl.h
-+++ b/src/tools/sssctl/sssctl.h
-@@ -47,7 +47,7 @@ enum sssctl_prompt_result
- sssctl_prompt(const char *message,
-               enum sssctl_prompt_result defval);
- 
--errno_t sssctl_run_command(const char *command);
-+errno_t sssctl_run_command(const char *const argv[]); /* argv[0] - command */
- bool sssctl_start_sssd(bool force);
- bool sssctl_stop_sssd(bool force);
- bool sssctl_restart_sssd(bool force);
-diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
-index 8d79b977fd..bf22913416 100644
---- a/src/tools/sssctl/sssctl_data.c
-+++ b/src/tools/sssctl/sssctl_data.c
-@@ -105,15 +105,15 @@ static errno_t sssctl_backup(bool force)
-         }
-     }
- 
--    ret = sssctl_run_command("sss_override user-export "
--                             SSS_BACKUP_USER_OVERRIDES);
-+    ret = sssctl_run_command((const char *[]){"sss_override", "user-export",
-+                                              SSS_BACKUP_USER_OVERRIDES, NULL});
-     if (ret != EOK) {
-         ERROR("Unable to export user overrides\n");
-         return ret;
-     }
- 
--    ret = sssctl_run_command("sss_override group-export "
--                             SSS_BACKUP_GROUP_OVERRIDES);
-+    ret = sssctl_run_command((const char *[]){"sss_override", "group-export",
-+                                              SSS_BACKUP_GROUP_OVERRIDES, NULL});
-     if (ret != EOK) {
-         ERROR("Unable to export group overrides\n");
-         return ret;
-@@ -158,8 +158,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
-     }
- 
-     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
--        ret = sssctl_run_command("sss_override user-import "
--                                 SSS_BACKUP_USER_OVERRIDES);
-+        ret = sssctl_run_command((const char *[]){"sss_override", "user-import",
-+                                                  SSS_BACKUP_USER_OVERRIDES, NULL});
-         if (ret != EOK) {
-             ERROR("Unable to import user overrides\n");
-             return ret;
-@@ -167,8 +167,8 @@ static errno_t sssctl_restore(bool force_start, bool force_restart)
-     }
- 
-     if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
--        ret = sssctl_run_command("sss_override group-import "
--                                 SSS_BACKUP_GROUP_OVERRIDES);
-+        ret = sssctl_run_command((const char *[]){"sss_override", "group-import",
-+                                                  SSS_BACKUP_GROUP_OVERRIDES, NULL});
-         if (ret != EOK) {
-             ERROR("Unable to import group overrides\n");
-             return ret;
-@@ -296,40 +296,19 @@ errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
-                             void *pvt)
- {
-     errno_t ret;
--    char *cmd_args = NULL;
--    const char *cachecmd = SSS_CACHE;
--    char *cmd = NULL;
--    int i;
--
--    if (cmdline->argc == 0) {
--        ret = sssctl_run_command(cachecmd);
--        goto done;
--    }
- 
--    cmd_args = talloc_strdup(tool_ctx, "");
--    if (cmd_args == NULL) {
--        ret = ENOMEM;
--        goto done;
-+    const char **args = talloc_array_size(tool_ctx,
-+                                          sizeof(char *),
-+                                          cmdline->argc + 2);
-+    if (!args) {
-+        return ENOMEM;
-     }
-+    memcpy(&args[1], cmdline->argv, sizeof(char *) * cmdline->argc);
-+    args[0] = SSS_CACHE;
-+    args[cmdline->argc + 1] = NULL;
- 
--    for (i = 0; i < cmdline->argc; i++) {
--        cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
--        if (i != cmdline->argc - 1) {
--            cmd_args = talloc_strdup_append(cmd_args, " ");
--        }
--    }
--
--    cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
--    if (cmd == NULL) {
--        ret = ENOMEM;
--        goto done;
--    }
--
--    ret = sssctl_run_command(cmd);
--
--done:
--    talloc_free(cmd_args);
--    talloc_free(cmd);
-+    ret = sssctl_run_command(args);
- 
-+    talloc_free(args);
-     return ret;
- }
-diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
-index 9ff2be05b6..ebb2c4571c 100644
---- a/src/tools/sssctl/sssctl_logs.c
-+++ b/src/tools/sssctl/sssctl_logs.c
-@@ -31,6 +31,7 @@
- #include <ldb.h>
- #include <popt.h>
- #include <stdio.h>
-+#include <glob.h>
- 
- #include "util/util.h"
- #include "tools/common/sss_process.h"
-@@ -230,6 +231,7 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
- {
-     struct sssctl_logs_opts opts = {0};
-     errno_t ret;
-+    glob_t globbuf;
- 
-     /* Parse command line. */
-     struct poptOption options[] = {
-@@ -253,8 +255,20 @@ errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
- 
-         sss_signal(SIGHUP);
-     } else {
-+        globbuf.gl_offs = 4;
-+        ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
-+        if (ret != 0) {
-+            DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
-+            return ret;
-+        }
-+        globbuf.gl_pathv[0] = discard_const_p(char, "truncate");
-+        globbuf.gl_pathv[1] = discard_const_p(char, "--no-create");
-+        globbuf.gl_pathv[2] = discard_const_p(char, "--size");
-+        globbuf.gl_pathv[3] = discard_const_p(char, "0");
-+
-         PRINT("Truncating log files...\n");
--        ret = sssctl_run_command("truncate --no-create --size 0 " LOG_FILES);
-+        ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
-+        globfree(&globbuf);
-         if (ret != EOK) {
-             ERROR("Unable to truncate log files\n");
-             return ret;
-@@ -269,8 +283,8 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
-                           void *pvt)
- {
-     const char *file;
--    const char *cmd;
-     errno_t ret;
-+    glob_t globbuf;
- 
-     /* Parse command line. */
-     ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
-@@ -280,13 +294,19 @@ errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
-         return ret;
-     }
- 
--    cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
--    if (cmd == NULL) {
--        ERROR("Out of memory!");
-+    globbuf.gl_offs = 3;
-+    ret = glob(LOG_PATH"/*.log", GLOB_ERR|GLOB_DOOFFS, NULL, &globbuf);
-+    if (ret != 0) {
-+        DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand log files list\n");
-+        return ret;
-     }
-+    globbuf.gl_pathv[0] = discard_const_p(char, "tar");
-+    globbuf.gl_pathv[1] = discard_const_p(char, "-czf");
-+    globbuf.gl_pathv[2] = discard_const_p(char, file);
- 
-     PRINT("Archiving log files into %s...\n", file);
--    ret = sssctl_run_command(cmd);
-+    ret = sssctl_run_command((const char * const*)globbuf.gl_pathv);
-+    globfree(&globbuf);
-     if (ret != EOK) {
-         ERROR("Unable to archive log files\n");
-         return ret;
diff --git a/meta-security/recipes-security/sssd/files/sssd.conf b/meta-security/recipes-security/sssd/files/sssd.conf
deleted file mode 100644
index 1709a7a..0000000
--- a/meta-security/recipes-security/sssd/files/sssd.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[sssd]
-services = nss, pam
-config_file_version = 2
-
-[nss]
-
-[pam]
-