meta-security: subtree update:b72cc7f87c..95fe86eb98
André Draszik (1):
linux-yocto: update the bbappend to 5.x
Armin Kuster (36):
README: add pull request option
sssd: drop py2 support
python3-fail2ban: update to latest
Apparmor: fix some runtime depends
linux-yocto-dev: remove "+"
checksecurity: fix runtime issues
buck-security: fix rdebends and minor style cleanup
swtpm: fix configure error
ecryptfs-utils: search nspr header files in ${STAGING_INCDIR}/nspr directory
bastille: convert to py3
tpm2-tools: update to 4.1.1
tpm2-tcti-uefi: fix build issue for i386 machine
tpm2-tss: update to 2.3.2
ibmswtpm2: update to 1563
python3-fail2ban: add 2-3 conversion changes
google-authenticator-libpam: install module in pam location
apparmor: update to tip
clamav: add bison-native to depend
meta-security-isafw: import layer from Intel
isafw: fix to work against master
layer.conf: add zeus
README.md: update to new maintainer
clamav-native: missed bison fix
secuirty*-image: remove dead var and minor cleanup
libtpm: fix build issue over pod2man
sssd: python2 not supported
libseccomp: update to 2.4.3
lynis: add missing rdepends
fail2ban: change hardcoded sysklogd to VIRTUAL-RUNTIME_base-utils-syslog
chkrootkit: add rootkit recipe
clamav: move to recipes-scanners
checksec: move to recipe-scanners
checksecurity: move to recipes-scanners
buck-security: move to recipes-scanners
arpwatch: add new recipe
buck-security: fix runtime issue with missing per module
Bartosz Golaszewski (3):
linux: drop the bbappend for linux v4.x series
classes: provide a class for generating dm-verity meta-data images
dm-verity: add a working example for BeagleBone Black
Haseeb Ashraf (1):
samhain: dnmalloc hash fix for aarch64 and mips64
Jan Luebbe (2):
apparmor: fix wrong executable permission on service file
apparmor: update to 2.13.4
Jonatan Pålsson (10):
README: Add meta-python to list of layer deps
sssd: Add PACKAGECONFIG for python2
sssd: Fix typo in PACKAGECONFIG. cyrpto -> crypto
sssd: DEPEND on nss if nothing else is chosen
sssd: Sort PACKAGECONFIG entries
sssd: Add autofs PACKAGECONFIG
sssd: Add sudo PACKAGECONFIG
sssd: Add missing files to SYSTEMD_SERVICE
sssd: Add missing DEPENDS on jansson
sssd: Add infopipe PACKAGECONFIG
Kai Kang (1):
sssd: fix for ldblibdir and systemd etc
Martin Jansa (1):
layer.conf: update LAYERSERIES_COMPAT for dunfell
Mingli Yu (1):
linux-yocto: update the bbappend to 5.x
Pierre-Jean Texier via Lists.Yoctoproject.Org (1):
google-authenticator-libpam: upgrade 1.07 -> 1.08
Yi Zhao (5):
samhain: fix build with new version attr
scap-security-guide: fix xml parsing error when build remediation files
scap-security-guide: pass the correct schema file path to openscap-native
openscap-daemon: add missing runtime dependencies
samhain-server: add volatile file for systemd
Change-Id: I3d4a4055cb9420e97d3eacf8436d9b048d34733f
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb b/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb
new file mode 100644
index 0000000..204123d
--- /dev/null
+++ b/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb
@@ -0,0 +1,21 @@
+SUMMARY = "basic system security checks"
+DESCRIPTION = "checksecurity is a simple package which will scan your system for several simple security holes."
+SECTION = "security"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \
+ file://setuid-log-folder.patch \
+ file://check-setuid-use-more-portable-find-args.patch"
+
+SRC_URI[md5sum] = "a30161c3e24d3be710b2fd13fcd1f32f"
+SRC_URI[sha256sum] = "67abe3d6391c96146e96f376d3fd6eb7a9418b0f7fe205b465219889791dba32"
+
+do_compile() {
+}
+
+do_install() {
+ oe_runmake PREFIX=${D}
+}
+
+RDEPENDS_${PN} = "perl libenv-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob perl-module-carp perl-module-env perl-module-tap-parser-iterator-array util-linux findutils coreutils"
diff --git a/meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
new file mode 100644
index 0000000..f1fe8ed
--- /dev/null
+++ b/meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
@@ -0,0 +1,23 @@
+From f3073b8e06a607677d47ad9a19533b2e33408a4f Mon Sep 17 00:00:00 2001
+From: Christopher Larson <chris_larson@mentor.com>
+Date: Wed, 5 Sep 2018 23:21:43 +0500
+Subject: [PATCH] check-setuid: use more portable find args
+
+Signed-off-by: Christopher Larson <chris_larson@mentor.com>
+---
+ plugins/check-setuid | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: checksecurity-2.0.15/plugins/check-setuid
+===================================================================
+--- checksecurity-2.0.15.orig/plugins/check-setuid 2018-09-06 00:49:23.930934294 +0500
++++ checksecurity-2.0.15/plugins/check-setuid 2018-09-06 00:49:49.694934757 +0500
+@@ -99,7 +99,7 @@
+ ionice -t -c3 \
+ find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \
+ -xdev $PATHCHK \
+- \( -type f -perm +06000 -o \( \( -type b -o -type c \) \
++ \( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \
+ $DEVCHK \) \) \
+ -ignore_readdir_race \
+ -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" |
diff --git a/meta-security/recipes-scanners/checksecurity/files/setuid-log-folder.patch b/meta-security/recipes-scanners/checksecurity/files/setuid-log-folder.patch
new file mode 100644
index 0000000..540ea9c
--- /dev/null
+++ b/meta-security/recipes-scanners/checksecurity/files/setuid-log-folder.patch
@@ -0,0 +1,52 @@
+From 24dbeec135ff83f2fd35ef12fe9842f02d6fd337 Mon Sep 17 00:00:00 2001
+From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+Date: Thu, 20 Jun 2013 15:14:55 +0300
+Subject: [PATCH] changed log folder for check-setuid
+
+check-setuid was creating logs in /var/log directory,
+which cannot be created persistently. To avoid errors
+the log folder was changed to /etc/checksecurity/.
+
+Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+---
+ etc/check-setuid.conf | 2 +-
+ plugins/check-setuid | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/etc/check-setuid.conf b/etc/check-setuid.conf
+index 621336f..e1532c0 100644
+--- a/etc/check-setuid.conf
++++ b/etc/check-setuid.conf
+@@ -116,4 +116,4 @@ CHECKSECURITY_PATHFILTER="-false"
+ #
+ # Location of setuid file databases.
+ #
+-LOGDIR=/var/log/setuid
++LOGDIR=/etc/checksecurity/
+diff --git a/plugins/check-setuid b/plugins/check-setuid
+index 8d6f90b..bdb21c1 100755
+--- a/plugins/check-setuid
++++ b/plugins/check-setuid
+@@ -44,8 +44,8 @@ if [ `/usr/bin/id -u` != 0 ] ; then
+ exit 1
+ fi
+
+-TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp
+-TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp
++TMPSETUID=${LOGDIR:=/etc/checksecurity/}/setuid.new.tmp
++TMPDIFF=${LOGDIR:=/etc/checksecurity/}/setuid.diff.tmp
+
+ #
+ # Check for NFS/AFS mounts that are not nosuid/nodev
+@@ -75,7 +75,7 @@ if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then
+ fi
+
+ # Guard against undefined vars
+-[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid
++[ -z "$LOGDIR" ] && LOGDIR=/etc/checksecurity/
+ if [ ! -e "$LOGDIR" ] ; then
+ echo "ERROR: Log directory $LOGDIR does not exist"
+ exit 1
+--
+1.7.9.5
+