meta-security: subtree update:b72cc7f87c..95fe86eb98

André Draszik (1):
      linux-yocto: update the bbappend to 5.x

Armin Kuster (36):
      README: add pull request option
      sssd: drop py2 support
      python3-fail2ban: update to latest
      Apparmor: fix some runtime depends
      linux-yocto-dev: remove "+"
      checksecurity: fix runtime issues
      buck-security: fix rdebends and minor style cleanup
      swtpm: fix configure error
      ecryptfs-utils: search nspr header files in ${STAGING_INCDIR}/nspr directory
      bastille: convert to py3
      tpm2-tools: update to 4.1.1
      tpm2-tcti-uefi: fix build issue for i386 machine
      tpm2-tss: update to 2.3.2
      ibmswtpm2: update to 1563
      python3-fail2ban: add 2-3 conversion changes
      google-authenticator-libpam: install module in pam location
      apparmor: update to tip
      clamav: add bison-native to depend
      meta-security-isafw: import layer from Intel
      isafw: fix to work against master
      layer.conf: add zeus
      README.md: update to new maintainer
      clamav-native: missed bison fix
      secuirty*-image: remove dead var and minor cleanup
      libtpm: fix build issue over pod2man
      sssd: python2 not supported
      libseccomp: update to 2.4.3
      lynis: add missing rdepends
      fail2ban: change hardcoded sysklogd to VIRTUAL-RUNTIME_base-utils-syslog
      chkrootkit: add rootkit recipe
      clamav: move to recipes-scanners
      checksec: move to recipe-scanners
      checksecurity: move to recipes-scanners
      buck-security: move to recipes-scanners
      arpwatch: add new recipe
      buck-security: fix runtime issue with missing per module

Bartosz Golaszewski (3):
      linux: drop the bbappend for linux v4.x series
      classes: provide a class for generating dm-verity meta-data images
      dm-verity: add a working example for BeagleBone Black

Haseeb Ashraf (1):
      samhain: dnmalloc hash fix for aarch64 and mips64

Jan Luebbe (2):
      apparmor: fix wrong executable permission on service file
      apparmor: update to 2.13.4

Jonatan Pålsson (10):
      README: Add meta-python to list of layer deps
      sssd: Add PACKAGECONFIG for python2
      sssd: Fix typo in PACKAGECONFIG. cyrpto -> crypto
      sssd: DEPEND on nss if nothing else is chosen
      sssd: Sort PACKAGECONFIG entries
      sssd: Add autofs PACKAGECONFIG
      sssd: Add sudo PACKAGECONFIG
      sssd: Add missing files to SYSTEMD_SERVICE
      sssd: Add missing DEPENDS on jansson
      sssd: Add infopipe PACKAGECONFIG

Kai Kang (1):
      sssd: fix for ldblibdir and systemd etc

Martin Jansa (1):
      layer.conf: update LAYERSERIES_COMPAT for dunfell

Mingli Yu (1):
      linux-yocto: update the bbappend to 5.x

Pierre-Jean Texier via Lists.Yoctoproject.Org (1):
      google-authenticator-libpam: upgrade 1.07 -> 1.08

Yi Zhao (5):
      samhain: fix build with new version attr
      scap-security-guide: fix xml parsing error when build remediation files
      scap-security-guide: pass the correct schema file path to openscap-native
      openscap-daemon: add missing runtime dependencies
      samhain-server: add volatile file for systemd

Change-Id: I3d4a4055cb9420e97d3eacf8436d9b048d34733f
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/meta-security/recipes-scanners/arpwatch/arpwatch_3.0.bb b/meta-security/recipes-scanners/arpwatch/arpwatch_3.0.bb
new file mode 100644
index 0000000..9be319a
--- /dev/null
+++ b/meta-security/recipes-scanners/arpwatch/arpwatch_3.0.bb
@@ -0,0 +1,79 @@
+SUMARRY = "The ethernet monitor program; for keeping track of ethernet/ip address pairings"
+LICENSE = "BSD-4-Clause"
+HOME_PAGE = "http://ee.lbl.gov/"
+LIC_FILES_CHKSUM = "file://configure;md5=212742e55562cf47527d31c2a492411a"
+
+DEPENDS += "libpcap postfix"
+
+SRC_URI = "https://ee.lbl.gov/downloads/arpwatch/${BP}.tar.gz \
+           file://arpwatch.conf \
+           file://arpwatch.default \
+           file://arpwatch_init  \
+           file://postfix_workaround.patch \
+           file://host_contam_fix.patch "
+
+SRC_URI[sha256sum] = "82e137e104aca8b1280f5cca0ebe61b978f10eadcbb4c4802c181522ad02b25b"
+
+inherit  autotools-brokensep update-rc.d useradd
+
+ARPWATCH_UID ?= "arpwatch"
+ARPWATCH_GID ?= "arpwatch"
+APRWATCH_FROM ?= "root "
+ARPWATH_REPLY ?= "${ARPWATCH_UID}"
+
+EXTRA_OECONF = " --srcdir=${S} --with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}"
+
+CONFIGUREOPTS = " --build=${BUILD_SYS} \
+          --host=${HOST_SYS} \
+          --target=${TARGET_SYS} \
+          --prefix=${prefix} \
+          --exec_prefix=${exec_prefix} \
+          --bindir=${bindir} \
+          --sbindir=${sbindir} \
+          --libexecdir=${libexecdir} \
+          --datadir=${datadir} \
+          --sysconfdir=${sysconfdir} \
+          --sharedstatedir=${sharedstatedir} \
+          --localstatedir=${localstatedir} \
+          --libdir=${libdir} \
+          --includedir=${includedir} \
+          --oldincludedir=${oldincludedir} \
+          --infodir=${infodir} \
+          --mandir=${mandir} \
+          "
+
+do_configure () {
+    ${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
+}
+
+do_install () {
+    install -d ${D}${bindir}
+    install -d ${D}${sbindir}
+    install -d ${D}${mandir}
+    install -d ${D}${sysconfdir}
+    install -d ${D}${sysconfdir}/default
+    install -d ${D}${sysconfdir}/init.d
+    install -d ${D}${prefix}/etc/rc.d
+    install -d ${D}/var/lib/arpwatch
+
+    oe_runmake install DESTDIR=${D}
+    install -m 644 ${WORKDIR}/arpwatch.conf  ${D}${sysconfdir}
+    install -m 655 ${WORKDIR}/arpwatch_init  ${D}${sysconfdir}/init.d/arpwatch
+    install -m 644 ${WORKDIR}/arpwatch.default  ${D}${sysconfdir}/default
+}
+
+INITSCRIPT_NAME = "arpwatch"
+INITSCRIPT_PARAMS = "start 02 2 3 4 5 . stop 20 0 1 6 ."
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM_${PN} = "--system ${ARPWATCH_UID}"
+USERADD_PARAM_${PN} = "--system -g ${ARPWATCH_GID} --home-dir  \
+    ${localstatedir}/spool/${BPN} \
+    --no-create-home  --shell /bin/false ${BPN}"
+
+CONFFILE_FILES = "${sysconfdir}/${PN}.conf"
+
+FILES_${PN} = "${bindir} ${sbindir} ${prefix}/etc/rc.d \
+               ${sysconfdir} /var/lib/arpwatch"
+
+RDEPENDS_${PN} = "libpcap postfix postfix-cfg"
diff --git a/meta-security/recipes-scanners/arpwatch/files/arpwatch.conf b/meta-security/recipes-scanners/arpwatch/files/arpwatch.conf
new file mode 100644
index 0000000..67213c9
--- /dev/null
+++ b/meta-security/recipes-scanners/arpwatch/files/arpwatch.conf
@@ -0,0 +1,23 @@
+# /etc/arpwatch.conf: Debian-specific way to watch multiple interfaces.
+# Format of this configuration file is:
+#
+#<dev1>	<arpwatch options for dev1>
+#<dev2>	<arpwatch options for dev2>
+#...
+#<devN>	<arpwatch options for devN>
+#
+# You can set global options for all interfaces by editing
+# /etc/default/arpwatch
+
+# For example:
+
+eth0	
+#eth0	-m root
+#eth1	-m root
+#eth2	-m root
+
+# or, if you have an MTA configured for plussed addressing:
+#
+#eth0	-m root+eth0
+#eth1	-m root+eth1
+#eth2	-m root+eth2
diff --git a/meta-security/recipes-scanners/arpwatch/files/arpwatch.default b/meta-security/recipes-scanners/arpwatch/files/arpwatch.default
new file mode 100644
index 0000000..b0a7d8f
--- /dev/null
+++ b/meta-security/recipes-scanners/arpwatch/files/arpwatch.default
@@ -0,0 +1,7 @@
+# Global options for arpwatch(8).
+
+# Debian: don't report bogons, don't use PROMISC.
+ARGS="-N -p"
+
+# Debian: run as `arpwatch' user.  Empty this to run as root.
+RUNAS="arpwatch"
diff --git a/meta-security/recipes-scanners/arpwatch/files/arpwatch_init b/meta-security/recipes-scanners/arpwatch/files/arpwatch_init
new file mode 100644
index 0000000..9860c65
--- /dev/null
+++ b/meta-security/recipes-scanners/arpwatch/files/arpwatch_init
@@ -0,0 +1,123 @@
+#!/bin/sh
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+NAME=arpwatch
+DAEMON=/usr/sbin/$NAME
+DESC="Ethernet/FDDI station monitor daemon"
+DATADIR=/var/lib/$NAME
+RETVAL=0
+
+. /etc/init.d/functions
+
+### You shouldn't touch anything below unless you know what you are doing.
+
+[ -f /etc/default/arpwatch ] && . /etc/default/arpwatch
+
+# Decide whether we have to deal with multiple interfaces.
+CONF=/etc/arpwatch.conf
+MULTIPLE=0
+if [ -r $CONF ]; then
+	grep -c '^[a-z]' $CONF 2>&1 >/dev/null && MULTIPLE=1
+fi
+
+# Check whether we have to drop privileges.
+if [ -n "$RUNAS" ]; then
+	if getent passwd "$RUNAS" >/dev/null; then
+		ARGS="-u ${RUNAS} $ARGS"
+	else
+		RUNAS=""
+	fi
+fi
+
+start_instance () {
+	IFACE=$1
+	INSTANCE=${NAME}-${IFACE}
+	DATAFILE=$DATADIR/${IFACE}.dat
+	IFACE_OPTS="-P /var/run/${INSTANCE}.pid -i ${IFACE} -f ${DATAFILE} $2"
+
+	echo -n "Starting $DESC: "
+	if [ ! -f $DATAFILE ]; then
+		echo -n "(creating $DATAFILE) " :> $DATAFILE
+	fi
+	if [ -n "$RUNAS" ]; then
+		echo -n "(chown $RUNAS $DATAFILE) "
+		chown $RUNAS $DATAFILE
+	fi
+	start-stop-daemon --start --quiet \
+		--pidfile /var/run/${INSTANCE}.pid \
+		--exec $DAEMON -- $IFACE_OPTS $ARGS
+	echo "${INSTANCE}."
+	ps h -C $NAME -o pid,args | \
+		awk "/$IFACE/ { print \$1 }" > /var/run/${INSTANCE}.pid
+}
+
+stop_instance () {
+	IFACE=$1
+	INSTANCE=${NAME}-${IFACE}
+	[ -f /var/run/${INSTANCE}.pid ] || return 0
+	echo -n "Stopping $DESC: "
+	start-stop-daemon --stop --quiet --oknodo \
+		--pidfile /var/run/${INSTANCE}.pid
+	echo "${INSTANCE}."
+	rm -f /var/run/${INSTANCE}.pid
+}
+
+process_loop_break_line () {
+	__IFACE=$1
+	shift
+	__IOPTS="$@"
+}
+
+process_loop () {
+	OPERATION=$1
+	grep '^[a-z]' $CONF 2>/dev/null | \
+	while read LINE
+	do
+		process_loop_break_line $LINE
+		I=$__IFACE
+		I_OPTS="$__IOPTS"
+		$OPERATION $I "$I_OPTS"
+	done
+}
+
+startup () {
+  	process_loop start_instance
+}
+
+shutdown () {
+	process_loop stop_instance
+}
+
+case "$1" in
+  start)
+  	startup
+	;;
+  stop)
+  	shutdown
+	;;
+  reload)
+  	echo "Reload operation not supported -- use restart."
+	RETVAL=2
+	;;
+  restart|force-reload)
+	#
+	#	If the "reload" option is implemented, move the "force-reload"
+	#	option to the "reload" entry above. If not, "force-reload" is
+	#	just the same as "restart".
+	#
+	shutdown
+	sleep 1
+	startup
+	;;
+  status)
+      status_of_proc $DAEMON $NAME
+      ;;
+  *)
+	N=/etc/init.d/$NAME
+	# echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
+	echo "Usage: $N {start|stop|restart|force-reload}" >&2
+	RETVAL=2
+	;;
+esac
+
+exit $RETVAL
diff --git a/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch b/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch
new file mode 100644
index 0000000..7d7ffac
--- /dev/null
+++ b/meta-security/recipes-scanners/arpwatch/files/host_contam_fix.patch
@@ -0,0 +1,21 @@
+This removes the host contamination
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: arpwatch-3.0/configure
+===================================================================
+--- arpwatch-3.0.orig/configure
++++ arpwatch-3.0/configure
+@@ -4349,8 +4349,8 @@ fi
+ 	    CC=cc
+ 	    export CC
+     fi
+-    V_INCLS="$V_INCLS -I/usr/local/include"
+-    LDFLAGS="$LDFLAGS -L/usr/local/lib"
++    V_INCLS="$V_INCLS "
++    LDFLAGS="$LDFLAGS "
+     if test "$GCC" != yes ; then
+ 	    { $as_echo "$as_me:${as_lineno-$LINENO}: checking that $CC handles ansi prototypes" >&5
+ $as_echo_n "checking that $CC handles ansi prototypes... " >&6; }
diff --git a/meta-security/recipes-scanners/arpwatch/files/postfix_workaround.patch b/meta-security/recipes-scanners/arpwatch/files/postfix_workaround.patch
new file mode 100644
index 0000000..95213f2
--- /dev/null
+++ b/meta-security/recipes-scanners/arpwatch/files/postfix_workaround.patch
@@ -0,0 +1,91 @@
+Sendmail exists after the system boots. We are using postfix
+so no need to check if it exists. 
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: arpwatch-3.0/configure
+===================================================================
+--- arpwatch-3.0.orig/configure
++++ arpwatch-3.0/configure
+@@ -636,7 +636,6 @@ LBL_LIBS
+ HAVE_FREEBSD_TRUE
+ HAVE_FREEBSD_FALSE
+ PYTHON
+-V_SENDMAIL
+ LIBOBJS
+ INSTALL_DATA
+ INSTALL_SCRIPT
+@@ -5573,53 +5572,6 @@ fi
+ done
+ 
+ 
+-# Extract the first word of "sendmail", so it can be a program name with args.
+-set dummy sendmail; ac_word=$2
+-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+-$as_echo_n "checking for $ac_word... " >&6; }
+-if ${ac_cv_path_V_SENDMAIL+:} false; then :
+-  $as_echo_n "(cached) " >&6
+-else
+-  case $V_SENDMAIL in
+-  [\\/]* | ?:[\\/]*)
+-  ac_cv_path_V_SENDMAIL="$V_SENDMAIL" # Let the user override the test with a path.
+-  ;;
+-  *)
+-  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+-as_dummy="$PATH:/usr/sbin:/usr/lib:/usr/bin:/usr/ucblib:/usr/local/etc"
+-for as_dir in $as_dummy
+-do
+-  IFS=$as_save_IFS
+-  test -z "$as_dir" && as_dir=.
+-    for ac_exec_ext in '' $ac_executable_extensions; do
+-  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+-    ac_cv_path_V_SENDMAIL="$as_dir/$ac_word$ac_exec_ext"
+-    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+-    break 2
+-  fi
+-done
+-  done
+-IFS=$as_save_IFS
+-
+-  ;;
+-esac
+-fi
+-V_SENDMAIL=$ac_cv_path_V_SENDMAIL
+-if test -n "$V_SENDMAIL"; then
+-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $V_SENDMAIL" >&5
+-$as_echo "$V_SENDMAIL" >&6; }
+-else
+-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+-$as_echo "no" >&6; }
+-fi
+-
+-
+-
+-if test -z "${V_SENDMAIL}" ; then
+-	as_fn_error $? "Can't find sendmail" "$LINENO" 5
+-fi
+-
+-
+ python=${PYTHON:-python}
+ # Extract the first word of "${python}", so it can be a program name with args.
+ set dummy ${python}; ac_word=$2
+Index: arpwatch-3.0/configure.in
+===================================================================
+--- arpwatch-3.0.orig/configure.in
++++ arpwatch-3.0/configure.in
+@@ -76,13 +76,6 @@ AC_LBL_UNION_WAIT
+ AC_CHECK_LIB(resolv, res_query)
+ AC_LBL_LIBPCAP(V_PCAPDEP, V_INCLS)
+ 
+-AC_PATH_PROG(V_SENDMAIL, sendmail,,
+-    $PATH:/usr/sbin:/usr/lib:/usr/bin:/usr/ucblib:/usr/local/etc)
+-
+-if test -z "${V_SENDMAIL}" ; then
+-	AC_MSG_ERROR([Can't find sendmail])
+-fi
+-
+ dnl AC_LBL_CHECK_TYPE(int32_t, int)
+ dnl AC_LBL_CHECK_TYPE(u_int32_t, u_int)
+