diff options
| author | Patrick Williams <patrick@stwcx.xyz> | 2023-08-11 17:48:11 +0300 |
|---|---|---|
| committer | Patrick Williams <patrick@stwcx.xyz> | 2023-08-12 18:32:43 +0300 |
| commit | 2a25492c13e2b768f94b864a51f84e82e4238aef (patch) | |
| tree | 64102f707447c221fc7b27788cbed43052ed22a5 /meta-security | |
| parent | 6fddef299932b1270a799e78566e25daa911f742 (diff) | |
| download | openbmc-2a25492c13e2b768f94b864a51f84e82e4238aef.tar.xz | |
subtree updates
meta-openembedded: 0e3f5e5201..491b7592f4:
Alexander Kanavin (1):
libadwaita: move recipe to oe-core
Andrej Valek (1):
cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
Archana Polampalli (1):
yasm: fix CVE-2023-31975
Chase Qi (1):
meta-python: add python3-telnetlib3 package
Chen Qi (3):
iperf3: remove incorrect CVE_PRODUCT setting
open-vm-tools: add CVE_PRODUCT
grpc: fix CVE-2023-32732
Chi Xu (1):
lapack: Add ptest support
Chris Dimich (1):
image_types_sparse: Fix syntax error
Christian Hohnstaedt (1):
android-tools: fix QA warning about buildpaths
Christophe Vu-Brugier (2):
libnvme: add recipe
nvme-cli: upgrade 1.13 -> 2.5
Etienne Cordonnier (1):
uutils-coreutils: upgrade 0.0.19 -> 0.0.20
Gianfranco Costamagna (3):
vbxguestdrivers: upgrade 7.0.8 -> 7.0.10
dlt-daemon: Add patch to fix build with googletest 1.13
gpsd: make sure gps-utils-python runtime-depends on python3-pyserial
JD Schroeder (2):
radvd: Fix groupname gid change warning
cyrus-sasl: Fix groupname gid change warning
Jan Vermaete (1):
openh264: version bump 2.1.1 -> 2.3.1
Jasper Orschulko (1):
yaml-cpp: Fix cmake export
Khem Raj (9):
openwsman: Link with -lm to get floor() definition
portaudio-v19: Update to latest tip of trunk
python3-pyaudio: Fix cross builds
poco: Fix ptests
pcmciautils: Pass LD=CC via Make cmdline
ply: Pass LD via environment to configure
sip: upgrade 6.7.10 -> 6.7.11
nodejs: Upgrade to 18.17.0
python3-m2crypto: Remove __pycache__ files
Marek Vasut (1):
libiio: update to version 0.25
Markus Volk (9):
pipewire: update 0.3.73 -> 0.3.75
libcamera: update 0.0.5 -> 0.1.0
webkitgtk3: add recipe
geary: update 43.0 -> 44.0
webkitgtk3: upgrade 2.40.2 -> 2.40.5
fuse3: update 3.14.1 -> 3.15.1
pipewire: update 0.3.75 -> 0.3.77
pipewire: add support for liblc3
gnome-software: update 44.3 -> 44.4
Martin Jansa (4):
libtommath: add recipe for LibTomMath used by dropbear
libtomcrypt: backport a fix for CVE-2019-17362
libtomcrypt: add PACKAGECONFIG for ltm enabled by default
dlm: Do not use -fcf-protection=full on aarch64 platforms
Michael Opdenacker (7):
remove unused AUTHOR variable
remove unused AUTHOR variable
remove unused AUTHOR variable
remove unused AUTHOR variable
remove unused AUTHOR variable
remove unused AUTHOR variable
meta-python: Remove unused AUTHOR variable
Mingli Yu (2):
dracut: Remove busybox from RRECOMMENDS
mariadb: Upgrade to 10.11.4
Nicolas Marguet (2):
rsyslog: update from 8.2302.0 to 8.2306.0
rsyslog: Fix function inline errors in debug optimization
Peter Marko (1):
cve_check: fix conversion errors
Ramon Fried (1):
bitwise: Upgrade 0.43 -> 0.50
Ross Burton (1):
cherokee: add CVE_PRODUCT
Tim Orling (1):
libmodule-build-tiny-perl: upgrade 0.045 -> 0.046
Trevor Gamblin (31):
python3-django: upgrade 4.2.2 -> 4.2.3
python3-ipython: upgrade 8.12.0 -> 8.14.0
python3-awesomeversion: upgrade 22.9.0 -> 23.5.0
python3-binwalk: upgrade 2.3.3 -> 2.3.4
python3-bitstring: upgrade 3.1.9 -> 4.0.2
python3-bitstring: add python3-io to RDEPENDS, alphabetize
python3-blinker: upgrade 1.5 -> 1.6.2
python3-blinker: add python3-asyncio to RDEPENDS
python3-execnet: upgrade 1.9.0 -> 2.0.2
python3-flask: upgrade 2.2.3 -> 2.3.2
python3-flask: add python3-blinker to RDEPENDS, alphabetize
python3-greenstalk: upgrade 2.0.0 -> 2.0.2
python3-humanize: upgrade 4.4.0 -> 4.7.0
python3-versioneer: add recipe
python3-parse: upgrade 1.19.0 -> 1.19.1
python3-pandas: upgrade 1.5.3 -> 2.0.3
python3-pyperf: upgrade 2.5.0 -> 2.6.1
python3-rdflib: upgrade 6.2.0 -> 6.3.2
python3-semver: upgrade 2.13.0 -> 3.0.1
python3-send2trash: upgrade 1.8.0 -> 1.8.2
python3-sh: upgrade 1.14.3 -> 2.0.4
python3-snagboot: upgrade 1.0 -> 1.1
python3-werkzeug: upgrade 2.2.3 -> 2.3.6
python3-beautifulsoup4: upgrade 4.11.1 -> 4.12.2
python3-fastjsonschema: upgrade 2.16.3 -> 2.18.0
python3-jsonpatch: upgrade 1.32 -> 1.33
python3-m2crypto: upgrade 0.38.0 -> 0.39.0
python3-matplotlib: upgrade 3.6.3 -> 3.7.2
python3-pyaudio: upgrade 0.2.11 -> 0.2.13
python3-pybind11: upgrade 2.10.3 -> 2.11.1
python3-sqlparse: upgrade 0.4.3 -> 0.4.4
Vivien Didelot (1):
libcamera: bump to latest master
Wang Mingyu (83):
c-periphery: upgrade 2.4.1 -> 2.4.2
ctags: upgrade 6.0.20230611.0 -> 6.0.20230716.0
gensio: upgrade 2.6.6 -> 2.6.7
gnome-commander: upgrade 1.16.0 -> 1.16.1
hiredis: upgrade 1.1.0 -> 1.2.0
iperf3: upgrade 3.13 -> 3.14
iwd: upgrade 2.6 -> 2.7
libbytesize: upgrade 2.8 -> 2.9
libinih: upgrade 56 -> 57
libnftnl: upgrade 1.2.5 -> 1.2.6
lvgl: upgrade 8.3.7 -> 8.3.8
bats: upgrade 1.9.0 -> 1.10.0
function2: upgrade 4.2.2 -> 4.2.3
lmdb: upgrade 0.9.29 -> 0.9.31
redis: upgrade 6.2.12 -> 6.2.13
ser2net: upgrade 4.3.12 -> 4.3.13
python3-obd: upgrade 0.7.1 -> 0.7.2
python3-path: upgrade 16.6.0 -> 16.7.1
nginx: upgrade 1.24.0 -> 1.25.1
php: upgrade 8.2.7 -> 8.2.8
python3-charset-normalizer: upgrade 3.1.0 -> 3.2.0
python3-click: upgrade 8.1.3 -> 8.1.5
python3-dnspython: upgrade 2.3.0 -> 2.4.0
python3-engineio: upgrade 4.4.1 -> 4.5.1
python3-eth-utils: upgrade 2.1.1 -> 2.2.0
python3-frozenlist: upgrade 1.3.3 -> 1.4.0
python3-gevent: upgrade 22.10.2 -> 23.7.0
python3-google-api-python-client: upgrade 2.92.0 -> 2.93.0
python3-google-auth: upgrade 2.21.0 -> 2.22.0
python3-mock: upgrade 5.0.2 -> 5.1.0
python3-platformdirs: upgrade 3.8.0 -> 3.9.1
python3-protobuf: upgrade 4.23.3 -> 4.23.4
python3-pymisp: upgrade 2.4.172 -> 2.4.173
python3-pymongo: upgrade 4.4.0 -> 4.4.1
python3-tox: upgrade 4.6.3 -> 4.6.4
python3-virtualenv: upgrade 20.23.1 -> 20.24.0
python3-zeroconf: upgrade 0.70.0 -> 0.71.0
redis-plus-plus: upgrade 1.3.9 -> 1.3.10
redis: upgrade 7.0.11 -> 7.0.12
smemstat: upgrade 0.02.11 -> 0.02.12
tesseract: upgrade 5.3.1 -> 5.3.2
weechat: upgrade 4.0.1 -> 4.0.2
wireshark: upgrade 4.0.6 -> 4.0.7
xterm: upgrade 383 -> 384
lastlog2: add new recipe
wtmpdb: add new recipe
babeld: upgrade 1.12.2 -> 1.13.1
ctags: upgrade 6.0.20230716.0 -> 6.0.20230730.0
gspell: upgrade 1.12.1 -> 1.12.2
libcompress-raw-bzip2-perl: upgrade 2.204 -> 2.206
libcompress-raw-lzma-perl: upgrade 2.204 -> 2.206
libcompress-raw-zlib-perl: upgrade 2.204 -> 2.206
libio-compress-lzma-perl: upgrade 2.204 -> 2.206
libio-compress-perl: upgrade 2.204 -> 2.206
libqb: upgrade 2.0.7 -> 2.0.8
logcheck: upgrade 1.4.2 -> 1.4.3
mdio-tools,mdio-netlink: Upgrade recipes to 1.3.0
python3-dill: upgrade 0.3.6 -> 0.3.7
python3-gunicorn: upgrade 20.1.0 -> 21.2.0
python3-web3: upgrade 6.3.0 -> 6.7.0
python3-aiohttp: upgrade 3.8.4 -> 3.8.5
python3-bitarray: upgrade 2.7.6 -> 2.8.0
python3-click: upgrade 8.1.5 -> 8.1.6
python3-cmake: upgrade 3.26.4 -> 3.27.0
python3-configargparse: upgrade 1.5.5 -> 1.7
python3-cytoolz: upgrade 0.12.1 -> 0.12.2
python3-dnspython: upgrade 2.4.0 -> 2.4.1
python3-elementpath: upgrade 4.1.4 -> 4.1.5
python3-flask-socketio: upgrade 5.3.4 -> 5.3.5
python3-gnupg: upgrade 0.5.0 -> 0.5.1
python3-google-api-python-client: upgrade 2.93.0 -> 2.95.0
python3-grpcio: upgrade 1.56.0 -> 1.56.2
python3-jedi: upgrade 0.18.2 -> 0.19.0
python3-marshmallow: upgrade 3.19.0 -> 3.20.1
python3-portion: upgrade 2.4.0 -> 2.4.1
python3-pymodbus: upgrade 3.3.2 -> 3.4.1
python3-robotframework: upgrade 6.1 -> 6.1.1
python3-tomlkit: upgrade 0.11.8 -> 0.12.1
python3-typeguard: upgrade 4.0.0 -> 4.1.0
python3-virtualenv: upgrade 20.24.0 -> 20.24.2
python3-zeroconf: upgrade 0.71.0 -> 0.71.4
rdma-core: upgrade 46.0 -> 47.0
sip: upgrade 6.7.9 -> 6.7.10
Willy Tu (1):
mstpd: Add initial recipe for mstpd
Yi Zhao (4):
samba: upgrade 4.18.4 -> 4.18.5
libnfnetlink: enable native build
libnetfilter-queue: enable native build
daq: enable nfq module build
meta-raspberrypi: e3f733cadd..5e2f79a6fa:
Jan Vermaete (2):
kas-poky-rpi.yml: renamed ABORT to HALT
rpi-base.inc: add the disable-wifi overlay
Khem Raj (1):
rpi-base: Remove customizing SPLASH var
Martin Jansa (1):
libcamera: update PACKAGECONFIG for libcamera-0.1.0
Vincent Davis Jr (1):
rpidistro-vlc: fix error uint64_t does not name
Vivien Didelot (10):
rpi-libcamera-apps: fix Illegal Instruction
rpi-libcamera-apps: add opencv build dependency
rpi-libcamera-apps: add drm support
rpi-libcamera-apps: replace tensorflow config
rpi-libcamera-apps: don't force COMPATIBLE_MACHINE
rpi-libcamera-apps: rename to libcamera-apps
libcamera-apps: move recipe to dynamic-layers
libcamera-apps: bump to 3d9ac10
libcamera-apps: switch from CMake to meson
libcamera-apps: bump to latest main
meta-arm: b4d50a273d..992c07f7c0:
Abdellatif El Khlifi (2):
arm-bsp/trusted-firmware-a: corstone1000: psci: SMCCC_ARCH_FEATURES discovery through PSCI_FEATURES
arm-bsp/u-boot: corstone1000: upgrade to v2023.07
Adam Johnston (1):
arm-bsp/trusted-firmware-a: Reserve OP-TEE memory from NWd on N1SDP
Emekcan Aras (1):
arm-bsp/u-boot: corstone1000: increase the kernel size
Jon Mason (9):
CI: add defaults for get-binary-toolchains
CI: workaround 32bit timer warning in binary toolchain
arm-bsp/corstone1000: update u-boot preferred version
arm-toolchain/gcc-aarch64-none-elf: upgrade to 12.3.rel1
arm/edk2: move 202211 recipe to meta-arm-bsp
arm-bsp: clean-up patch noise
arm/optee-test: update musl workaround patch
arm-bsp/tc1: remove trusted-firmware-m target
arm/trusted-firmware-m: upgrade to v1.8.0
Robbie Cao (1):
arm/recipes-kernel: Add preempt-rt support for generic-arm64
Ross Burton (5):
arm-toolchain/androidclang: remove
arm-toolchain/arm-binary-toolchain: install to a versioned directory
arm-toolchain/gcc-arm-none-eabi-11.2: add new recipe
arm/trusted-firmware-m: explicitly use Arm GCC 11.2
arm-toolchain/gcc-arm-none-eabi: upgrade to 12.3.rel1
Ziad Elhanafy (1):
arm/recipes-devtools,doc: Update FVP version
poky: b398c7653e..71282bbc53:
Alex Kiernan (3):
base-passwd: Add the sgx group
udev: eudev: Revert add group to sgx
poky/poky-tiny: Explicitly exclude `shadow`
Alexander Kanavin (25):
meta: add missing summaries for image recipes
insane.bbclass: add do_recipe_qa task
devtool: do not run recipe_qa task when extracting source
insane.bbclass: add a SUMMARY/HOMEPAGE check (oe-core recipes only)
insane.bbclass: add a RECIPE_MAINTAINER check (oe-core recipes only)
librsvg: fix upstream version check
acpica: tarball and homepage relocated to intel.com
gnu-efi: upgrade 3.0.15 -> 3.0.17
gettext-minimal-native: obtain the needed files directly from gettext source tarball
kbd: upgrade 2.6.0 -> 2.6.1
systemd: upgrade 253.3 -> 253.7
jquery: upgrade 3.6.3 -> 3.7.0
strace: upgrade 6.3 -> 6.4
sudo: update 1.9.13p3 -> 1.9.14p2
libadwaita: add recipe from meta-gnome
epiphany: upgrade 43.1 -> 44.5
glibc-locale: use stricter matching for metapackages' runtime dependencies
uninative-tarball: install the full set of gconv modules
buildtools-extended-tarball: install the full set of gconv modules
procps: address failure with gettext 0.22
util-linux: upgrade 2.38.1 -> 2.39.1
ref-manual: document image-specific variant of INCOMPATIBLE_LICENSE
devtool/upgrade: raise an error if extracting source produces more than one directory
scripts/lib/scriptutils.py: add recipe_qa artifacts to exclusion list in filter_src_subdirs()
curl: ensure all ptest failures are caught
Alexandre Belloni (2):
base-files: bump PR because conf files are now sorted
wic: bootimg-efi: Stop hardcoding VMA offsets
Alexis Lothoré (3):
scripts/resulttool: add mention about new detected tests
scripts/resulttool: allow to replace test raw status with custom string
scripts/resulttool: define custom string for "not found" test results
Andrej Valek (2):
maintainers.inc: Modify email address
ref-manual: document CVE_STATUS and CVE_CHECK_STATUSMAP
Anuj Mittal (4):
glibc/check-test-wrapper: don't emit warnings from ssh
selftest/cases/glibc.py: increase the memory for testing
oeqa/utils/nfs: allow requesting non-udp ports
selftest/cases/glibc.py: switch to using NFS over TCP
BELOUARGA Mohamed (3):
linux-firmware : Add firmware of RTL8822 serie
bitbake: bitbake: fetch2/npmsw: Check if there are dependencies before trying to fetch them
bitbake: fetch2: Check if path is 'None' before calculating checksums
Bruce Ashfield (11):
kernel: make LOCALVERSION consistent between recipes
linux-yocto/6.4: fix CONFIG_LEDS_TRIGGER_GPIO kernel audit warning
linux-yocto/6.4: update to v6.4.6
linux-yocto/6.1: update to v6.1.41
linux-yocto/6.4: update to v6.4.7
linux-yocto-dev: bump to v6.5+
linux-yocto/6.4: update to v6.4.8
linux-yocto/6.1: update to v6.1.43
linux-yocto/6.4: update to v6.4.9
linux-yocto/6.4: fix qemuarm boot failure
linux-yocto-tiny/6.4: fix HID configuration warning
Chen Qi (4):
ncurses: fix CVE-2023-29491
multilib.conf: explicitly make MULTILIB_VARIANTS vardeps on MULTILIBS
gcc-crosssdk: ignore MULTILIB_VARIANTS in signature computation
openssh: sync with upstream's default
Christopher Larson (6):
bitbake: tests.data: add test for inline python calling a def'd function
bitbake: tests.codeparser: add test for exec of builtin from inline python
bitbake: data_smart: check for python builtins directly for context lookup
bitbake: tests.data: add test for builtin preferred over metadata value
bitbake: data_smart: directly check for methodpool functions in context lookup
bitbake: bb.tests.data: don't require the func flag for context functions
Denis OSTERLAND-HEIM (1):
kernel-fitImage: add machine compatible to config section
Dit Kozmaj (1):
bitbake: fetch2: Set maxsplit to match expected variables
Dmitry Baryshkov (5):
kmscube: bump SRCREV to get offscreen rendering to work
linux-firmware: package firmare for Dragonboard 410c
mesa: simplify overriding GALLIUMDRIVERS_LLVM
mesa: enable swrast Vulkan driver if LLVM drivers are enabled
linux-firmware: split platform-specific Adreno shaders to separate packages
Frederic Martinsons (4):
ptest-cargo.bbclass: Support of cargo workspaces
cargo.bbclass: Use --frozen flag for cargo operations
cargo_common.bbclass: Handle Cargo.lock modifications for git dependencies
rust-hello-world: Drop recipe
Jean-Marie Lemetayer (1):
package: always sort the conffiles
Joel Stanley (1):
kernel: don't fail if Modules.symvers doesn't exist
Jose Quaresma (1):
systemd: fix efi stubs
Joshua Watt (1):
bitbake: contrib: vim: Fix up a few errors when reloading
Julien Stephan (1):
libexif: add ptest support
Khem Raj (16):
nfs-utils: Fix host path contamination building locktest
ltp: Use bfd linker when lld is distro linker default
ffmpeg: Use bfd linker on i386 when lld is distro linker default
ltp: Use bfd linker for KVM_LD as well when ld-is-lld
autoconf: Backport upstreamed patches
Revert "site: merged common-glibc from OE"
x32-linux: Do not cache ac_cv_sys_file_offset_bits
gcc: Upgrade to 13.2 release
gnu-efi: Fix build break on riscv64
ffmpeg: Fix wrong code found with gas/2.41
systemd: Point to target binary paths for loadkeys and setfont
systemd: Make 254 work on musl
musl: Upgrade to tip of trunk
binutils: Upgrade to 2.41 release
systemd-boot: Ensure EFI_LD is also passed to compiler driver
pm-utils: Do not require GNU grep at runtime
Lee Chee Yang (2):
migration-guides: add release notes for 4.0.11
migration-guides: add release notes for 4.2.2
Luca Boccassi (2):
systemd: update to v254
systemd: add usrmerge to REQUIRED_DISTRO_FEATURES
Marek Vasut (1):
linux-firmware: Fix mediatek mt7601u firmware path
Mark Hatle (1):
tcf-agent: Update to 1.8.0 release
Markus Volk (4):
gcr3: remove recipe
systemd: add a packageconfig to support colored logs
webkitgtk: upgrade 2.40.2 -> 2.40.5
epiphany: upgrade 44.5 -> 44.6
Martin Jansa (3):
patchelf: add 3 fixes to optimize and fix uninative
alsa-utils: backport a fix to build with glibc-2.38
efivar: drop -fuse-ld=bfd
Michael Halstead (1):
yocto-uninative: Update hashes for uninative 4.1
Michael Opdenacker (4):
ref-manual: releases.svg: updates
ref-manual: LTS releases now supported for 4 years
poky.conf: update SANITY_TESTED_DISTROS to match autobuilder
recipes: remove unused AUTHOR variable
Oleksandr Hnatiuk (2):
file: return wrapper to fix builds when file is in buildtools-tarball
file: fix the way path is written to environment-setup.d
Ovidiu Panait (2):
mdadm: add util-linux-blockdev ptest dependency
mdadm: save ptest logs
Peter Marko (4):
cve-extra-exclusions: fix syntax error
libarchive: ignore CVE-2023-30571
cve-exclusion_6.1: correct typo in exclusion list name
bluez5: correct CVE status of ignored CVEs
Peter Suti (1):
externalsrc: fix dependency chain issues
Quentin Schulz (1):
docs: sdk-manual: appendix-obtain: fix literal block content
Richard Purdie (21):
createrepo-c: Fix 32 bit architecture segfaults with 64 bit time
build-appliance-image: Update to master head revision
oeqa/target/ssh: Ensure EAGAIN doesn't truncate output
createrepo-c: Update patch status
oeqa/runtime/ltp: Increase ltp test output timeout
oeqa/ltp: Show warning for non-zero exit codes
ltp: Add kernel loopback module dependency
target/ssh: Ensure exit code set for commands
autoconf: Upgrade to 2.72c
oeqa/ssh: Further improve process exit handling
oeqa/selftest/rust: Round test execution time to integer
qemuboot/runqemu: Fix 6.2 and later kernel network device naming
bitbake: siggen: Improve runtaskdeps data to fix sstate debugging
sstatesig: Update to match bitbake changes to runtaskdeps
Revert "kea: upgrade to v2.5.0"
selftest/reproducible: Update config to match ongoing changes
gnupg: Fix reproducibility failure
selftest: Ensure usrmerge is enabled with systemd
conf/init-mamager-systemd: Add usrmerge to DISTRO_FEATURES
bitbake.conf: Drop PE and PR from WORKDIR and STAMP
qemuboot: Update hardcoded path to match new layout
Robert Joslyn (2):
curl: Update from 8.1.2 to 8.2.0
curl: Refine ptest perl RDEPENDS
Ross Burton (8):
systemd: set correct paths for kdb binaries
systemd: depend on util-linux's swapon/off
linux-yocto: add script to generate kernel CVE_STATUS entries
ghostscript: backport fix for CVE-2023-38559
ghostscript: ignore CVE-2023-38560
openssh: upgrade to 9.3p2
librsvg: upgrade to 2.56.3
linux-yocto: extract generic kernel CVE_STATUS
Sakib Sajal (1):
go: upgrade 1.20.6 -> 1.20.7
Sudip Mukherjee (3):
libgit2: upgrade to v1.7.0
bind: upgrade to v9.18.17
kea: upgrade to v2.5.0
Tim Orling (10):
python3-urllib3: upgrade 2.0.3 -> 2.0.4
python3-hypothesis: upgrade 6.81.2 -> 6.82.0
python3-pyyaml: upgrade 6.0 -> 6.0.1
python_setuptools3_rust: inherit ...build_meta
python3-sphinx: upgrade 7.0.1 -> 7.1.1
python3-certifi: upgrade 2023.5.7 -> 2023.7.22
python3-more-itertools: upgrade 9.1.0 -> 10.0.0
python3-wheel: upgrade 0.40.0 -> 0.41.0
python3-chardet: upgrade 5.1.0 -> 5.2.0
python3-cryptography{-vectors}: upgrade -> 41.0.3
Trevor Gamblin (7):
python3-dtschema: upgrade 2023.4 -> 2023.6.1
python3-dtc: add from meta-virtualization
python3-dtschema: add python3-dtc to RDEPENDS
nfs-utils: upgrade 2.6.2 -> 2.6.3
iproute2: upgrade 6.3.0 -> 6.4.0
git: upgrade 2.39.3 -> 2.41.0
python3: add additional timing-related test skips
Ulrich Ölmann (3):
ref-manual: classes: kernel-fitimage: fix source of imagetype
ref-manual: classes: kernel-fitimage: fix typos
ref-manual: classes: kernel-fitimage: refine role of INITRAMFS_IMAGE_BUNDLE
Yang Xu (2):
oeqa/selftest/ssate: Add test for find_siginfo
bitbake: server/process: fix sig handle
Yash Shinde (5):
rust: Fix BOOTSTRAP_CARGO failure during Rust Oe-selftest
oeqa/selftest/rust: Add failed test cases to exclude list for Rust Oe-selftest
oeqa/selftest/binutils: Add elapsed time for binutils test report.
oeqa/selftest/gcc: Add elapsed time for gcc test report.
oeqa/selftest/glibc: Add elapsed time for glibc test report.
Yoann Congal (1):
bitbake: fetch2/gitsm: Document that we won't support propagating user parameter
meta-security: 405cca4028..b9bc938785:
Armin Kuster (21):
bastille: bastille/config should not be world writeable.
ossec-hids: Fix usermod
python3-flask-script: add package
python3-segno: add new package
python3-privacyidea: fixup REDPENDS
qemu: move qemu setting to image and out of layer.conf
packagegroup-core-security: only include firejail x86-64 and arch64
firejail: only allow x86-64 and arm64 to build
python3-tpm2-pytss: add python tss2 support
packagegroup: add python3-tpm2-pytss
clamav: update SRC_URI
scap-security-guide: refactor patches
packagegroup-security-tpm2: add more pkgs
scap-security-guide: enable ptest
python3-yamlpath: Add new pkg
python3-json2html: add new pkg
python3-json2html: add new pkg
meta-integrity: drop ima.cfg in favor of new k-cache
sshguard: Update to 2.4.3
meta-tpm linux-yocto-rt: Add the bbappend for rt kernel
layer: add QA_WARNINGS to all layers
Kai Kang (2):
openscap: fix buildpaths issue
sssd: 2.7.4 -> 2.9.1
Kevin Hao (1):
linux-yocto-rt: Add the bbappend for rt kernel
Luke Granger-Brown (1):
glome: update to tip
Wurm, Stephan (1):
dm-verity-image-initramfs: Allow compressed image types
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Icf1ba0c270d53f4c3c3838d4305116e5d6f794de
Diffstat (limited to 'meta-security')
36 files changed, 796 insertions, 435 deletions
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index 334a9459cc..a436f97e87 100644 --- a/meta-security/conf/layer.conf +++ b/meta-security/conf/layer.conf @@ -26,6 +26,6 @@ BBFILES_DYNAMIC += " \ # Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check. INHERIT += "sanity-meta-security" -QB_KERNEL_CMDLINE_APPEND = " ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', 'apparmor=1 security=apparmor', '', d)}" - addpylib ${LAYERDIR}/lib oeqa + +WARN_QA:append:security = " patch-status missing-metadata" diff --git a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb index e7852d9f58..f2ef335b13 100644 --- a/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb +++ b/meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb @@ -138,7 +138,7 @@ do_install () { install -m 0644 OSMap/OSX.bastille ${D}${datadir}/Bastille/OSMap install -m 0644 OSMap/OSX.system ${D}${datadir}/Bastille/OSMap - install -m 0777 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config + install -m 0644 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config for file in `cat Modules.txt` ; do install -m 0644 Questions/$file.txt ${D}${datadir}/Bastille/Questions diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb new file mode 100644 index 0000000000..377ad02fe7 --- /dev/null +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb @@ -0,0 +1,14 @@ +DESCRIPTION = "Scripting support for flask" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=e686048adb69341fc8a08caeda528b41" + +SRC_URI[md5sum] = "3fbd91fe13cebedfb2431331f6eabb68" +SRC_URI[sha256sum] = "6425963d91054cfcc185807141c7314a9c5ad46325911bd24dcb489bd0161c65" + +PYPI_PACKAGE = "Flask-Script" + +inherit pypi setuptools3 + +RDEPENDS:${PN} += "\ + ${PYTHON_PN}-flask \ + " diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb new file mode 100644 index 0000000000..638c56fc27 --- /dev/null +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb @@ -0,0 +1,9 @@ +DESCRIPTION="Python wrapper to convert JSON into a human readable HTML Table representation." +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=8065590663ea0c10aa131841ea806767" + +SRC_URI[sha256sum] = "8951a53662ae9cfd812685facdba693fc950ffc1c1fd1a8a2d3cf4c34600689c" + +PYPI_PACKAGE = "json2html" + +inherit pypi setuptools3 diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb new file mode 100644 index 0000000000..f8a6552ad4 --- /dev/null +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb @@ -0,0 +1,9 @@ +DESCRIPTION = "QR Code and Micro QR Code generator for Python 2 and Python 3" +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=8e8db3765a57bcb968140e0a353c1a35" + +SRC_URI[sha256sum] = "983424b296e62189d70fc73460cd946cf56dcbe82b9bda18c066fc1b24371cdc" + +#PYPI_PACKAGE = "Flask-Script" + +inherit pypi setuptools3 diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb new file mode 100644 index 0000000000..517ed87f3a --- /dev/null +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb @@ -0,0 +1,9 @@ +DESCRIPTION="Creates diffs of XML files" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=0d0e9e3949e163c3edd1e097b8b0ed62" + +SRC_URI[sha256sum] = "19b030b3fa37d1f0b5c5ad9ada9059884c3bf2c751c5dd8f1eb4ed49cfe3fc60" + +PYPI_PACKAGE = "xmldiff" + +inherit pypi setuptools3 diff --git a/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb new file mode 100644 index 0000000000..5d88951658 --- /dev/null +++ b/meta-security/dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb @@ -0,0 +1,9 @@ +DESCRIPTION="YAML Path and Command-Line Tools" +LICENSE = "ISC" +LIC_FILES_CHKSUM = "file://LICENSE;md5=5abda174c5040dd12ed2b225e3a096f0" + +SRC_URI[sha256sum] = "81d5b8baba60c255b519ccd31a691f9bc064223ff196709d41119bde81bba49e" + +PYPI_PACKAGE = "yamlpath" + +inherit pypi setuptools3 diff --git a/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.8.1.bb b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.8.1.bb index 8bb88f1d1c..aa7bafaedf 100644 --- a/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.8.1.bb +++ b/meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.8.1.bb @@ -21,8 +21,7 @@ USERADD_PARAM:${PN} = "--system -g privacyidea -o -r -d /opt/${BPN} \ FILES:${PN} += " ${prefix}/etc/privacyidea/* ${prefix}/lib/privacyidea/*" -RDEPENDS:${PN} += " bash perl freeradius-mysql freeradius-utils" - +RDEPENDS:${PN} = " bash perl freeradius-mysql freeradius-utils" RDEPENDS:${PN} += "python3 python3-alembic python3-babel python3-bcrypt" RDEPENDS:${PN} += "python3-beautifulsoup4 python3-cbor2 python3-certifi python3-cffi python3-chardet" RDEPENDS:${PN} += "python3-click python3-configobj python3-croniter python3-cryptography python3-defusedxml" @@ -34,5 +33,5 @@ RDEPENDS:${PN} += "python3-markupsafe python3-netaddr python3-oauth2client pytho RDEPENDS:${PN} += "python3-pyasn1 python3-pyasn1-modules python3-pycparser python3-pyjwt python3-pymysql" RDEPENDS:${PN} += "python3-pyopenssl python3-pyrad python3-dateutil python3-editor python3-gnupg" RDEPENDS:${PN} += "python3-pytz python3-pyyaml python3-qrcode python3-redis python3-requests python3-rsa" -RDEPENDS:${PN} += "python3-six python3-smpplib python3-soupsieve python3-soupsieve " -RDEPENDS:${PN} += "python3-sqlalchemy python3-sqlsoup python3-urllib3 python3-werkzeug" +RDEPENDS:${PN} += "python3-smpplib python3-soupsieve python3-segno python3-importlib-metadata" +RDEPENDS:${PN} += "python3-sqlalchemy python3-urllib3 python3-werkzeug" diff --git a/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch new file mode 100644 index 0000000000..6880405d8d --- /dev/null +++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/0001-sssctl-add-error-analyzer.patch @@ -0,0 +1,318 @@ +Backport patch to fix interpreter of sss_analyze. + +Upstream-Status: Backport [https://github.com/SSSD/sssd/commit/ed3726c] + +Signed-off-by: Kai Kang <kai.kang@windriver.com> + +From ed3726c37fe07aab788404bfa2f9003db15f4210 Mon Sep 17 00:00:00 2001 +From: roy214 <abroy@redhat.com> +Date: Tue, 25 Apr 2023 20:01:24 +0530 +Subject: [PATCH] sssctl: add error analyzer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Also removing unused variable and import. + +Reviewed-by: Justin Stephenson <jstephen@redhat.com> +Reviewed-by: Tomáš Halman <thalman@redhat.com> +--- + src/tools/analyzer/Makefile.am | 2 + + src/tools/analyzer/modules/error.py | 61 +++++++++++++++++++++++++++ + src/tools/analyzer/modules/request.py | 54 +++++------------------- + src/tools/analyzer/sss_analyze | 2 +- + src/tools/analyzer/sss_analyze.py | 3 ++ + src/tools/analyzer/util.py | 44 +++++++++++++++++++ + 6 files changed, 121 insertions(+), 45 deletions(-) + create mode 100644 src/tools/analyzer/modules/error.py + create mode 100644 src/tools/analyzer/util.py + +diff --git a/src/tools/analyzer/Makefile.am b/src/tools/analyzer/Makefile.am +index b40043d043..7692af8528 100644 +--- a/src/tools/analyzer/Makefile.am ++++ b/src/tools/analyzer/Makefile.am +@@ -13,10 +13,12 @@ dist_pkgpython_DATA = \ + source_reader.py \ + parser.py \ + sss_analyze.py \ ++ util.py \ + $(NULL) + + modulesdir = $(pkgpythondir)/modules + dist_modules_DATA = \ + modules/__init__.py \ + modules/request.py \ ++ modules/error.py \ + $(NULL) +diff --git a/src/tools/analyzer/modules/error.py b/src/tools/analyzer/modules/error.py +new file mode 100644 +index 0000000000..71173670c5 +--- /dev/null ++++ b/src/tools/analyzer/modules/error.py +@@ -0,0 +1,61 @@ ++from sssd import util ++from sssd.parser import SubparsersAction ++from sssd import sss_analyze ++ ++class ErrorAnalyzer: ++ """ ++ An error analyzer module, list if there is any error reported by sssd_be ++ """ ++ module_parser = None ++ print_opts = [] ++ ++ def print_module_help(self, args): ++ """ ++ Print the module parser help output ++ ++ Args: ++ args (Namespace): argparse parsed arguments ++ """ ++ self.module_parser.print_help() ++ ++ def setup_args(self, parser_grp, cli): ++ """ ++ Setup module parser, subcommands, and options ++ ++ Args: ++ parser_grp (argparse.Action): Parser group to nest ++ module and subcommands under ++ """ ++ desc = "Analyze error check module" ++ self.module_parser = parser_grp.add_parser('error', ++ description=desc, ++ help='Error checker') ++ ++ subparser = self.module_parser.add_subparsers(title=None, ++ dest='subparser', ++ action=SubparsersAction, ++ metavar='COMMANDS') ++ ++ subcmd_grp = subparser.add_parser_group('Operation Modes') ++ cli.add_subcommand(subcmd_grp, 'list', 'Print error messages found in backend', ++ self.print_error, self.print_opts) ++ ++ self.module_parser.set_defaults(func=self.print_module_help) ++ ++ return self.module_parser ++ ++ def print_error(self, args): ++ err = 0 ++ utl = util.Utils() ++ source = utl.load(args) ++ component = source.Component.BE ++ source.set_component(component, False) ++ patterns = ['sdap_async_sys_connect request failed', 'terminated by own WATCHDOG', ++ 'ldap_sasl_interactive_bind_s failed', 'Communication with KDC timed out', 'SSSD is offline', 'Backend is offline', ++ 'tsig verify failure', 'ldap_install_tls failed', 's2n exop request failed'] ++ for line in utl.matched_line(source, patterns): ++ err +=1 ++ print(line) ++ if err > 0: ++ print("For possible solutions please refer to https://sssd.io/troubleshooting/errors.html") ++ return +diff --git a/src/tools/analyzer/modules/request.py b/src/tools/analyzer/modules/request.py +index d661dddb84..e4d5f060c7 100644 +--- a/src/tools/analyzer/modules/request.py ++++ b/src/tools/analyzer/modules/request.py +@@ -1,6 +1,6 @@ + import re + import logging +- ++from sssd import util + from sssd.parser import SubparsersAction + from sssd.parser import Option + +@@ -38,7 +38,6 @@ def print_module_help(self, args): + def setup_args(self, parser_grp, cli): + """ + Setup module parser, subcommands, and options +- + Args: + parser_grp (argparse.Action): Parser group to nest + module and subcommands under +@@ -63,42 +62,6 @@ def setup_args(self, parser_grp, cli): + + return self.module_parser + +- def load(self, args): +- """ +- Load the appropriate source reader. +- +- Args: +- args (Namespace): argparse parsed arguments +- +- Returns: +- Instantiated source object +- """ +- if args.source == "journald": +- from sssd.source_journald import Journald +- source = Journald() +- else: +- from sssd.source_files import Files +- source = Files(args.logdir) +- return source +- +- def matched_line(self, source, patterns): +- """ +- Yield lines which match any number of patterns (OR) in +- provided patterns list. +- +- Args: +- source (Reader): source Reader object +- Yields: +- lines matching the provided pattern(s) +- """ +- for line in source: +- for pattern in patterns: +- re_obj = re.compile(pattern) +- if re_obj.search(line): +- if line.startswith(' * '): +- continue +- yield line +- + def get_linked_ids(self, source, pattern, regex): + """ + Retrieve list of associated REQ_TRACE ids. Filter +@@ -114,8 +77,9 @@ def get_linked_ids(self, source, pattern, regex): + Returns: + List of linked ids discovered + """ ++ utl = util.Utils() + linked_ids = [] +- for match in self.matched_line(source, pattern): ++ for match in utl.matched_line(source, pattern): + id_re = re.compile(regex) + match = id_re.search(match) + if match: +@@ -250,7 +214,8 @@ def list_requests(self, args): + Args: + args (Namespace): populated argparse namespace + """ +- source = self.load(args) ++ utl = util.Utils() ++ source = utl.load(args) + component = source.Component.NSS + resp = "nss" + # Log messages matching the following regex patterns contain +@@ -266,7 +231,7 @@ def list_requests(self, args): + if args.verbose: + self.print_formatted_verbose(source) + else: +- for line in self.matched_line(source, patterns): ++ for line in utl.matched_line(source, patterns): + if type(source).__name__ == 'Journald': + print(line) + else: +@@ -279,7 +244,8 @@ def track_request(self, args): + Args: + args (Namespace): populated argparse namespace + """ +- source = self.load(args) ++ utl = util.Utils() ++ source = utl.load(args) + cid = args.cid + resp_results = False + be_results = False +@@ -294,7 +260,7 @@ def track_request(self, args): + logger.info(f"******** Checking {resp} responder for Client ID" + f" {cid} *******") + source.set_component(component, args.child) +- for match in self.matched_line(source, pattern): ++ for match in utl.matched_line(source, pattern): + resp_results = self.consume_line(match, source, args.merge) + + logger.info(f"********* Checking Backend for Client ID {cid} ********") +@@ -307,7 +273,7 @@ def track_request(self, args): + pattern.clear() + [pattern.append(f'\\{id}') for id in be_ids] + +- for match in self.matched_line(source, pattern): ++ for match in utl.matched_line(source, pattern): + be_results = self.consume_line(match, source, args.merge) + + if args.merge: +diff --git a/src/tools/analyzer/sss_analyze b/src/tools/analyzer/sss_analyze +index 3f1beaf38b..6d4b5b30c6 100755 +--- a/src/tools/analyzer/sss_analyze ++++ b/src/tools/analyzer/sss_analyze +@@ -1,4 +1,4 @@ +-#!/usr/bin/env python ++#!/usr/bin/env python3 + + from sssd import sss_analyze + +diff --git a/src/tools/analyzer/sss_analyze.py b/src/tools/analyzer/sss_analyze.py +index 18b998f380..dafc84fc03 100644 +--- a/src/tools/analyzer/sss_analyze.py ++++ b/src/tools/analyzer/sss_analyze.py +@@ -1,6 +1,7 @@ + import argparse + + from sssd.modules import request ++from sssd.modules import error + from sssd.parser import SubparsersAction + + +@@ -55,9 +56,11 @@ def load_modules(self, parser, parser_grp): + """ + # Currently only the 'request' module exists + req = request.RequestAnalyzer() ++ err = error.ErrorAnalyzer() + cli = Analyzer() + + req.setup_args(parser_grp, cli) ++ err.setup_args(parser_grp, cli) + + def setup_args(self): + """ +diff --git a/src/tools/analyzer/util.py b/src/tools/analyzer/util.py +new file mode 100644 +index 0000000000..2a8d153a71 +--- /dev/null ++++ b/src/tools/analyzer/util.py +@@ -0,0 +1,44 @@ ++import re ++import logging ++ ++from sssd.source_files import Files ++from sssd.source_journald import Journald ++ ++logger = logging.getLogger() ++ ++ ++class Utils: ++ ++ def load(self, args): ++ """ ++ Load the appropriate source reader. ++ ++ Args: ++ args (Namespace): argparse parsed arguments ++ ++ Returns: ++ Instantiated source object ++ """ ++ if args.source == "journald": ++ source = Journald() ++ else: ++ source = Files(args.logdir) ++ return source ++ ++ def matched_line(self, source, patterns): ++ """ ++ Yield lines which match any number of patterns (OR) in ++ provided patterns list. ++ ++ Args: ++ source (Reader): source Reader object ++ Yields: ++ lines matching the provided pattern(s) ++ """ ++ for line in source: ++ for pattern in patterns: ++ re_obj = re.compile(pattern) ++ if re_obj.search(line): ++ if line.startswith(' * '): ++ continue ++ yield line diff --git a/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.4.bb b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.1.bb index 78d29c3efd..9fa9d3b0f6 100644 --- a/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.4.bb +++ b/meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.9.1.bb @@ -16,7 +16,7 @@ DEPENDS:append:libc-musl = " musl-nscd" DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \ bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}" -SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.gz \ +SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/${BP}.tar.gz \ file://sssd.conf \ file://volatiles.99_sssd \ file://no_gen.patch \ @@ -24,9 +24,10 @@ SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g file://drop_ntpdate_chk.patch \ file://fix-ldblibdir.patch \ file://musl_fixup.patch \ + file://0001-sssctl-add-error-analyzer.patch \ " -SRC_URI[sha256sum] = "10ef90c63fdbfda905145077679035bd5ad16b24daad13160de8d0ff82ea9950" +SRC_URI[sha256sum] = "97703d38159994a869aad1c852de4582c76f189cf044f51e15ba26e1e4b75298" UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases" @@ -58,7 +59,7 @@ PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba" PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux" PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, " PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, " -PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv" +PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv,,python3-systemd" EXTRA_OECONF += " \ --disable-cifs-idmap-plugin \ @@ -146,6 +147,7 @@ ALLOW_EMPTY:libsss-sudo = "1" FILES:${PN} += "${base_libdir}/security/pam_sss*.so \ ${nonarch_libdir}/tmpfiles.d \ + ${datadir}/dbus-1/system.d/*.conf \ ${datadir}/dbus-1/system-services/*.service \ ${libdir}/krb5/* \ ${libdir}/ldb/* \ diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf index 1dbc5372f0..4bc1cac2f0 100644 --- a/meta-security/meta-hardening/conf/layer.conf +++ b/meta-security/meta-hardening/conf/layer.conf @@ -11,3 +11,5 @@ BBFILE_PRIORITY_harden-layer = "6" LAYERSERIES_COMPAT_harden-layer = "mickledore" LAYERDEPENDS_harden-layer = "core openembedded-layer" + +WARN_QA:append:harden-layer = " patch-status missing-metadata" diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf index 0622a5f93c..7a9c1d188c 100644 --- a/meta-security/meta-integrity/conf/layer.conf +++ b/meta-security/meta-integrity/conf/layer.conf @@ -35,3 +35,5 @@ networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappe " addpylib ${LAYERDIR}/lib oeqa + +WARN_QA:append:integrity = " patch-status missing-metadata" diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg deleted file mode 100644 index d7d80a62aa..0000000000 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.cfg +++ /dev/null @@ -1,45 +0,0 @@ -CONFIG_KEYS=y -CONFIG_ASYMMETRIC_KEY_TYPE=y -CONFIG_SYSTEM_TRUSTED_KEYRING=y -CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}" -CONFIG_SECONDARY_TRUSTED_KEYRING=y -CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y -CONFIG_X509_CERTIFICATE_PARSER=y -CONFIG_PKCS8_PRIVATE_KEY_PARSER=y -CONFIG_CRYPTO_ECDSA=y -CONFIG_SECURITY=y -CONFIG_SECURITYFS=y -CONFIG_INTEGRITY=y -CONFIG_INTEGRITY_SIGNATURE=y -CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y -CONFIG_INTEGRITY_TRUSTED_KEYRING=y -CONFIG_IMA=y -CONFIG_IMA_MEASURE_PCR_IDX=10 -CONFIG_IMA_LSM_RULES=y -# CONFIG_IMA_TEMPLATE is not set -# CONFIG_IMA_NG_TEMPLATE is not set -CONFIG_IMA_SIG_TEMPLATE=y -CONFIG_IMA_DEFAULT_TEMPLATE="ima-sig" -# CONFIG_IMA_DEFAULT_HASH_SHA1 is not set -CONFIG_IMA_DEFAULT_HASH_SHA256=y -# CONFIG_IMA_DEFAULT_HASH_SHA512 is not set -CONFIG_IMA_DEFAULT_HASH="sha256" -CONFIG_IMA_WRITE_POLICY=y -CONFIG_IMA_READ_POLICY=y -CONFIG_IMA_APPRAISE=y -CONFIG_IMA_ARCH_POLICY=y -CONFIG_IMA_APPRAISE_BUILD_POLICY=y -CONFIG_IMA_APPRAISE_REQUIRE_POLICY_SIGS=y -# CONFIG_IMA_APPRAISE_BOOTPARAM is not set -# CONFIG_IMA_APPRAISE_MODSIG is not set -CONFIG_IMA_TRUSTED_KEYRING=y -CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y -# CONFIG_IMA_BLACKLIST_KEYRING is not set -# CONFIG_IMA_LOAD_X509 is not set -CONFIG_IMA_APPRAISE_SIGNED_INIT=y -CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y -CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS=y -CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y -# CONFIG_IMA_DISABLE_HTABLE is not set -CONFIG_EVM=y -# CONFIG_EVM_LOAD_X509 is not set diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.scc b/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.scc deleted file mode 100644 index 6eb84b06dd..0000000000 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux/ima.scc +++ /dev/null @@ -1,4 +0,0 @@ -define KFEATURE_DESCRIPTION "Enable IMA" - -kconf non-hardware ima.cfg - diff --git a/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc index 701680014f..415476a04a 100644 --- a/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc +++ b/meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc @@ -1,8 +1,3 @@ -FILESEXTRAPATHS:append := "${THISDIR}/linux:" - -SRC_URI += " \ - ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'file://ima.scc', '', d)} \ -" do_configure:append() { if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then @@ -11,5 +6,6 @@ do_configure:append() { } KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}" +KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' features/ima/ima.scc', '', d)}" inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)} diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf index 7d272a2858..b162289748 100644 --- a/meta-security/meta-parsec/conf/layer.conf +++ b/meta-security/meta-parsec/conf/layer.conf @@ -14,3 +14,5 @@ LAYERDEPENDS_parsec-layer = "core clang-layer" BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec" addpylib ${LAYERDIR}/lib oeqa + +WARN_QA:append:parsec-layer = " patch-status missing-metadata" diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf index 3b199f7cf9..1f270317cc 100644 --- a/meta-security/meta-tpm/conf/layer.conf +++ b/meta-security/meta-tpm/conf/layer.conf @@ -26,3 +26,5 @@ networking-layer:${LAYERDIR}/dynamic-layers/meta-networking/recipes-*/*/*.bbappe " addpylib ${LAYERDIR}/lib oeqa + +WARN_QA:append:tmp-layer = " patch-status missing-metadata" diff --git a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index fb0105e29d..b986097fb9 100644 --- a/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb +++ b/meta-security/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb @@ -20,4 +20,8 @@ RDEPENDS:packagegroup-security-tpm2 = " \ libtss2 \ tpm2-abrmd \ tpm2-pkcs11 \ + tpm2-openssl \ + tpm2-tss-engine \ + tpm2-tss-engine-engines \ + python3-tpm2-pytss \ " diff --git a/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto-rt_%.bbappend b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto-rt_%.bbappend new file mode 100644 index 0000000000..e8027ff38d --- /dev/null +++ b/meta-security/meta-tpm/recipes-kernel/linux/linux-yocto-rt_%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains_any('DISTRO_FEATURES', 'tpm tpm2', 'linux-yocto_tpm.inc', '', d)} diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb new file mode 100644 index 0000000000..c98d4abf7f --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb @@ -0,0 +1,15 @@ +DESCRIPTION = "TPM2 TSS Python bindings for Enhanced System API (ESYS), Feature API (FAPI), Marshaling (MU), TCTI Loader (TCTILdr), TCTIs, policy, and RC Decoding (rcdecode) libraries" +HOMEPAGE = "https://github.com/tpm2-software/tpm2-pytss" +LICENSE = "BSD-2-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=500b2e742befc3da00684d8a1d5fd9da" + +SRC_URI[sha256sum] = "5b5b4b1456fdc1aeef3d2c3970beaa078c8f7f2648c97a69bcf60c5a2f95c897" + +PYPI_PACKAGE = "tpm2-pytss" + +DEPENDS = "python3-pkgconfig-native python3-pycparser-native python3-asn1crypto-native" +DEPENDS:append = " python3-cryptography-native tpm2-tss" + +inherit autotools pkgconfig pypi setuptools3_legacy + +RDEPENDS:${PN} = "libtss2" diff --git a/meta-security/recipes-compliance/openscap/files/0003-CMakeLists.txt-make-2-variables-configurable.patch b/meta-security/recipes-compliance/openscap/files/0003-CMakeLists.txt-make-2-variables-configurable.patch new file mode 100644 index 0000000000..953b0d9e8e --- /dev/null +++ b/meta-security/recipes-compliance/openscap/files/0003-CMakeLists.txt-make-2-variables-configurable.patch @@ -0,0 +1,37 @@ +From f99c3f1f516a84d33794f8e3da59adea1a12ef54 Mon Sep 17 00:00:00 2001 +From: Kai Kang <kai.kang@windriver.com> +Date: Tue, 20 Jun 2023 22:42:51 +0800 +Subject: [PATCH] CMakeLists.txt: make 2 variables configurable + +Variables PREFERRED_PYTHON_PATH and PYTHON3_PATH are set with +${PYTHON_EXECUTABLE}. For cross compile, ${PYTHON_EXECUTABLE} may point +to other path rather than standard dir such as /usr/bin. Then the +generated library file contains such path which should NOT. Update to +make variables PREFERRED_PYTHON_PATH and PYTHON3_PATH configurable to +avoid such issue. + +Upstream-Status: Submitted [https://github.com/OpenSCAP/openscap/pull/1990] + +Signed-off-by: Kai Kang <kai.kang@windriver.com> +--- + CMakeLists.txt | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 5db014e77..74628cdd4 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -125,8 +125,8 @@ endif() + find_package(PythonInterp 3) + find_package(PythonLibs 3) + +-set(PREFERRED_PYTHON_PATH "${PYTHON_EXECUTABLE}") +-set(PYTHON3_PATH "${PYTHON_EXECUTABLE}") ++set(PREFERRED_PYTHON_PATH "${PYTHON_EXECUTABLE}" CACHE PATH "Path to preferred Python") ++set(PYTHON3_PATH "${PYTHON_EXECUTABLE}" CACHE PATH "Path to Python3") + + find_package(RPM) + if(RPM_FOUND) +-- +2.34.1 + diff --git a/meta-security/recipes-compliance/openscap/openscap_1.3.8.bb b/meta-security/recipes-compliance/openscap/openscap_1.3.8.bb index ecc347c699..5abd5a69a8 100644 --- a/meta-security/recipes-compliance/openscap/openscap_1.3.8.bb +++ b/meta-security/recipes-compliance/openscap/openscap_1.3.8.bb @@ -12,6 +12,7 @@ DEPENDS:class-native = "pkgconfig-native swig-native curl-native libxml2-native #Jun 22th, 2023 SRCREV = "a81c66d9bc36612dd1ca83a8c959a59e172eb4b9" SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3;protocol=https \ + file://0003-CMakeLists.txt-make-2-variables-configurable.patch \ " S = "${WORKDIR}/git" @@ -35,7 +36,9 @@ EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \ -DENABLE_PROBES_WINDOWS=OFF -DENABLE_VALGRIND=OFF \ -DENABLE_SCE=ON -DENABLE_MITRE=OFF -DENABLE_TESTS=OFF \ -DCMAKE_SKIP_INSTALL_RPATH=ON -DCMAKE_SKIP_RPATH=ON \ - " + -DPREFERRED_PYTHON_PATH=${bindir}/python3 \ + -DPYTHON3_PATH=${bindir}/python3 \ + " STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source" STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch index f003f72a6d..0db2b1203c 100644 --- a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch +++ b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch @@ -1,24 +1,27 @@ -From f6287d146762b8360bd7099f4724a58eedba7d2a Mon Sep 17 00:00:00 2001 +From 826dd5b109f79270819703a23cc8066895d68042 Mon Sep 17 00:00:00 2001 From: Armin Kuster <akuster808@gmail.com> Date: Wed, 14 Jun 2023 07:46:55 -0400 -Subject: [PATCH] scap-security-guide: add openembedded +Subject: [PATCH 1/2] scap-security-guide: add openembedded distro support + +includes a standard profile for out-of-the-box checks Signed-off-by: Armin Kuster <akuster808@gmail.com> Upstream-Status: Pending +https://github.com/ComplianceAsCode/content/pull/10793 Signed-off-by: Armin Kuster <akuster808@gmail.com> --- - CMakeLists.txt | 5 +++ - build_product | 1 + - products/openembedded/CMakeLists.txt | 6 ++++ - products/openembedded/product.yml | 19 +++++++++++ - .../openembedded/profiles/standard.profile | 12 +++++++ - .../openembedded/transforms/constants.xslt | 10 ++++++ - .../oval/installed_OS_is_openembedded.xml | 33 +++++++++++++++++++ - .../oval/sysctl_kernel_ipv6_disable.xml | 1 + - ssg/constants.py | 5 ++- - 9 files changed, 91 insertions(+), 1 deletion(-) + CMakeLists.txt | 5 + + build_product | 1 + + products/openembedded/CMakeLists.txt | 6 + + products/openembedded/product.yml | 19 ++ + .../openembedded/profiles/standard.profile | 166 ++++++++++++++++++ + .../openembedded/transforms/constants.xslt | 10 ++ + .../oval/installed_OS_is_openembedded.xml | 33 ++++ + .../oval/sysctl_kernel_ipv6_disable.xml | 1 + + ssg/constants.py | 5 +- + 9 files changed, 245 insertions(+), 1 deletion(-) create mode 100644 products/openembedded/CMakeLists.txt create mode 100644 products/openembedded/product.yml create mode 100644 products/openembedded/profiles/standard.profile @@ -26,10 +29,10 @@ Signed-off-by: Armin Kuster <akuster808@gmail.com> create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml diff --git a/CMakeLists.txt b/CMakeLists.txt -index 85ec289644..09ac96784e 100644 +index 6b1ac00ff9..e4191f2cef 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt -@@ -95,6 +95,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be +@@ -97,6 +97,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) @@ -37,16 +40,16 @@ index 85ec289644..09ac96784e 100644 option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE) -@@ -289,6 +290,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}") +@@ -291,6 +292,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}") message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}") message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}") message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}") -+message(STATUS "OpenEmbedded nodistro: ${SSG_PRODUCT_OE}") - ++message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OE}") -@@ -410,6 +412,9 @@ endif() - if (SSG_PRODUCT_UOS20) + message(STATUS " ") +@@ -409,6 +411,9 @@ endif() + if(SSG_PRODUCT_UOS20) add_subdirectory("products/uos20" "uos20") endif() +if (SSG_PRODUCT_OE) @@ -56,14 +59,14 @@ index 85ec289644..09ac96784e 100644 # ZIP only contains source datastreams and kickstarts, people who # want sources to build from should get the tarball instead. diff --git a/build_product b/build_product -index fc793cbe70..197d925b7e 100755 +index fc793cbe70..7bdc03edfe 100755 --- a/build_product +++ b/build_product @@ -333,6 +333,7 @@ all_cmake_products=( UBUNTU2204 UOS20 MACOS1015 -+ OPENEMBEDDED ++ OPENEMBEDDED ) DEFAULT_OVAL_MAJOR_VERSION=5 @@ -81,7 +84,7 @@ index 0000000000..1981adf53e +ssg_build_product("openembedded") diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml new file mode 100644 -index 0000000000..9f2f12d737 +index 0000000000..debf6870ef --- /dev/null +++ b/products/openembedded/product.yml @@ -0,0 +1,19 @@ @@ -101,15 +104,15 @@ index 0000000000..9f2f12d737 +cpes_root: "../../shared/applicability" +cpes: + - openembedded: -+ name: "cpe:/o:openembedded" ++ name: "cpe:/o:openembedded:nodistro:" + title: "OpenEmbedded nodistro" + check_id: installed_OS_is_openembedded diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile new file mode 100644 -index 0000000000..44339d716c +index 0000000000..fcb9e0e5c2 --- /dev/null +++ b/products/openembedded/profiles/standard.profile -@@ -0,0 +1,12 @@ +@@ -0,0 +1,166 @@ +documentation_complete: true + +title: 'Sample Security Profile for OpenEmbedded Distros' @@ -121,10 +124,164 @@ index 0000000000..44339d716c +selections: + - file_owner_etc_passwd + - file_groupowner_etc_passwd ++ - service_crond_enabled ++ - file_groupowner_crontab ++ - file_owner_crontab ++ - file_permissions_crontab ++ - file_groupowner_cron_hourly ++ - file_owner_cron_hourly ++ - file_permissions_cron_hourly ++ - file_groupowner_cron_daily ++ - file_owner_cron_daily ++ - file_permissions_cron_daily ++ - file_groupowner_cron_weekly ++ - file_owner_cron_weekly ++ - file_permissions_cron_weekly ++ - file_groupowner_cron_monthly ++ - file_owner_cron_monthly ++ - file_permissions_cron_monthly ++ - file_groupowner_cron_d ++ - file_owner_cron_d ++ - file_permissions_cron_d ++ - file_groupowner_cron_allow ++ - file_owner_cron_allow ++ - file_cron_deny_not_exist ++ - file_groupowner_at_allow ++ - file_owner_at_allow ++ - file_at_deny_not_exist ++ - file_permissions_at_allow ++ - file_permissions_cron_allow ++ - file_groupowner_sshd_config ++ - file_owner_sshd_config ++ - file_permissions_sshd_config ++ - file_permissions_sshd_private_key ++ - file_permissions_sshd_pub_key ++ - sshd_set_loglevel_verbose ++ - sshd_set_loglevel_info ++ - sshd_max_auth_tries_value=4 ++ - sshd_set_max_auth_tries ++ - sshd_disable_rhosts ++ - disable_host_auth ++ - sshd_disable_root_login ++ - sshd_disable_empty_passwords ++ - sshd_do_not_permit_user_env ++ - sshd_idle_timeout_value=15_minutes ++ - sshd_set_idle_timeout ++ - sshd_set_keepalive ++ - var_sshd_set_keepalive=0 ++ - sshd_set_login_grace_time ++ - var_sshd_set_login_grace_time=60 ++ - sshd_enable_warning_banner ++ - sshd_enable_pam ++ - sshd_set_maxstartups ++ - var_sshd_set_maxstartups=10:30:60 ++ - sshd_set_max_sessions ++ - var_sshd_max_sessions=10 ++ - accounts_password_pam_minclass ++ - accounts_password_pam_minlen ++ - accounts_password_pam_retry ++ - var_password_pam_minclass=4 ++ - var_password_pam_minlen=14 ++ - locking_out_password_attempts ++ - accounts_password_pam_pwhistory_remember_password_auth ++ - accounts_password_pam_pwhistory_remember_system_auth ++ - var_password_pam_remember_control_flag=required ++ - var_password_pam_remember=5 ++ - set_password_hashing_algorithm_systemauth ++ - var_accounts_maximum_age_login_defs=365 ++ - accounts_password_set_max_life_existing ++ - var_accounts_minimum_age_login_defs=7 ++ - accounts_password_set_min_life_existing ++ - var_accounts_password_warn_age_login_defs=7 ++ - account_disable_post_pw_expiration ++ - var_account_disable_post_pw_expiration=30 ++ - no_shelllogin_for_systemaccounts ++ - accounts_tmout ++ - var_accounts_tmout=15_min ++ - accounts_root_gid_zero ++ - accounts_umask_etc_bashrc ++ - use_pam_wheel_for_su ++ - sshd_allow_only_protocol2 ++ - journald_forward_to_syslog ++ - journald_compress ++ - journald_storage ++ - service_auditd_enabled ++ - service_httpd_disabled ++ - service_vsftpd_disabled ++ - service_named_disabled ++ - service_nfs_disabled ++ - service_rpcbind_disabled ++ - service_slapd_disabled ++ - service_dhcpd_disabled ++ - service_cups_disabled ++ - service_ypserv_disabled ++ - service_rsyncd_disabled ++ - service_avahi-daemon_disabled ++ - service_snmpd_disabled ++ - service_squid_disabled ++ - service_smb_disabled ++ - service_dovecot_disabled ++ - banner_etc_motd ++ - login_banner_text=cis_banners ++ - banner_etc_issue ++ - login_banner_text=cis_banners ++ - file_groupowner_etc_motd ++ - file_owner_etc_motd ++ - file_permissions_etc_motd ++ - file_groupowner_etc_issue ++ - file_owner_etc_issue ++ - file_permissions_etc_issue ++ - ensure_gpgcheck_globally_activated ++ - package_aide_installed ++ - aide_periodic_cron_checking ++ - grub2_password ++ - file_groupowner_grub2_cfg ++ - file_owner_grub2_cfg ++ - file_permissions_grub2_cfg ++ - require_singleuser_auth ++ - require_emergency_target_auth ++ - disable_users_coredumps ++ - configure_crypto_policy ++ - var_system_crypto_policy=default_policy ++ - dir_perms_world_writable_sticky_bits + - file_permissions_etc_passwd ++ - file_owner_etc_shadow ++ - file_groupowner_etc_shadow ++ - file_groupowner_etc_group ++ - file_owner_etc_group ++ - file_permissions_etc_group ++ - file_groupowner_etc_gshadow ++ - file_owner_etc_gshadow ++ - file_groupowner_backup_etc_passwd ++ - file_owner_backup_etc_passwd ++ - file_permissions_backup_etc_passwd ++ - file_groupowner_backup_etc_shadow ++ - file_owner_backup_etc_shadow ++ - file_permissions_backup_etc_shadow ++ - file_groupowner_backup_etc_group ++ - file_owner_backup_etc_group ++ - file_permissions_backup_etc_group ++ - file_groupowner_backup_etc_gshadow ++ - file_owner_backup_etc_gshadow ++ - file_permissions_unauthorized_world_writable ++ - file_permissions_ungroupowned ++ - accounts_root_path_dirs_no_write ++ - root_path_no_dot ++ - accounts_no_uid_except_zero ++ - file_ownership_home_directories ++ - file_groupownership_home_directories ++ - no_netrc_files ++ - no_rsh_trust_files ++ - account_unique_id ++ - group_unique_id ++ - group_unique_name ++ - wireless_disable_interfaces ++ - package_firewalld_installed ++ - service_firewalld_enabled ++ - package_iptables_installed diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt new file mode 100644 -index 0000000000..85e812a7c1 +index 0000000000..152571e8bb --- /dev/null +++ b/products/openembedded/transforms/constants.xslt @@ -0,0 +1,10 @@ @@ -132,15 +289,15 @@ index 0000000000..85e812a7c1 + +<xsl:include href="../../../shared/transforms/shared_constants.xslt"/> + -+<xsl:variable name="product_long_name">OpenEmbedded nodistro</xsl:variable> -+<xsl:variable name="product_short_name">OE nodistro</xsl:variable> ++<xsl:variable name="product_long_name">OpenEmbedded</xsl:variable> ++<xsl:variable name="product_short_name">openembedded</xsl:variable> +<xsl:variable name="product_stig_id_name">empty</xsl:variable> +<xsl:variable name="prod_type">openembedded</xsl:variable> + +</xsl:stylesheet> diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml new file mode 100644 -index 0000000000..17c2873686 +index 0000000000..11ebdca913 --- /dev/null +++ b/shared/checks/oval/installed_OS_is_openembedded.xml @@ -0,0 +1,33 @@ @@ -151,19 +308,19 @@ index 0000000000..17c2873686 + <affected family="unix"> + <platform>multi_platform_all</platform> + </affected> -+ <description>The operating system installed is an OpenEmbedded System</description> ++ <description>The operating system installed is an OpenEmbedded based system</description> + </metadata> -+ <criteria comment="System is OpenEmbedded" operator="AND"> ++ <criteria comment="System is OpenEmbedded based" operator="AND"> + <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" /> -+ <criterion comment="OpenEmbedded distro" test_ref="test_os_release" /> ++ <criterion comment="OpenEmbedded distro" test_ref="test_os_openembedded" /> + <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" /> + </criteria> + </definition> + -+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_release" version="1"> -+ <unix:object object_ref="obj_os_release" /> ++ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_openembedded" version="1"> ++ <unix:object object_ref="obj_os_openembedded" /> + </unix:file_test> -+ <unix:file_object comment="check /etc/os-release file" id="obj_os_release" version="1"> ++ <unix:file_object comment="check /etc/os-release file" id="obj_os_openembedded" version="1"> + <unix:filepath>/etc/os-release</unix:filepath> + </unix:file_object> + diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch deleted file mode 100644 index 061c5f00a2..0000000000 --- a/meta-security/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch +++ /dev/null @@ -1,231 +0,0 @@ -From 7af2da3bbe1d5b4cba89c6dae9ea267717b865ea Mon Sep 17 00:00:00 2001 -From: Armin Kuster <akuster808@gmail.com> -Date: Wed, 21 Jun 2023 07:46:38 -0400 -Subject: [PATCH] standard.profile: expand checks - -Upstream-Status: Pending -Signed-off-by: Armin Kuster <akuster808@gmail.com> - -Upstream-status: Pending ---- - .../openembedded/profiles/standard.profile | 206 ++++++++++++++++++ - 1 file changed, 206 insertions(+) - -diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile -index 44339d716c..877d1a3971 100644 ---- a/products/openembedded/profiles/standard.profile -+++ b/products/openembedded/profiles/standard.profile -@@ -9,4 +9,210 @@ description: |- - selections: - - file_owner_etc_passwd - - file_groupowner_etc_passwd -+ - service_crond_enabled -+ - file_groupowner_crontab -+ - file_owner_crontab -+ - file_permissions_crontab -+ - file_groupowner_cron_hourly -+ - file_owner_cron_hourly -+ - file_permissions_cron_hourly -+ - file_groupowner_cron_daily -+ - file_owner_cron_daily -+ - file_permissions_cron_daily -+ - file_groupowner_cron_weekly -+ - file_owner_cron_weekly -+ - file_permissions_cron_weekly -+ - file_groupowner_cron_monthly -+ - file_owner_cron_monthly -+ - file_permissions_cron_monthly -+ - file_groupowner_cron_d -+ - file_owner_cron_d -+ - file_permissions_cron_d -+ - file_groupowner_cron_allow -+ - file_owner_cron_allow -+ - file_cron_deny_not_exist -+ - file_groupowner_at_allow -+ - file_owner_at_allow -+ - file_at_deny_not_exist -+ - file_permissions_at_allow -+ - file_permissions_cron_allow -+ - file_groupowner_sshd_config -+ - file_owner_sshd_config -+ - file_permissions_sshd_config -+ - file_permissions_sshd_private_key -+ - file_permissions_sshd_pub_key -+ - sshd_set_loglevel_verbose -+ - sshd_set_loglevel_info -+ - sshd_max_auth_tries_value=4 -+ - sshd_set_max_auth_tries -+ - sshd_disable_rhosts -+ - disable_host_auth -+ - sshd_disable_root_login -+ - sshd_disable_empty_passwords -+ - sshd_do_not_permit_user_env -+ - sshd_idle_timeout_value=15_minutes -+ - sshd_set_idle_timeout -+ - sshd_set_keepalive -+ - var_sshd_set_keepalive=0 -+ - sshd_set_login_grace_time -+ - var_sshd_set_login_grace_time=60 -+ - sshd_enable_warning_banner -+ - sshd_enable_pam -+ - sshd_set_maxstartups -+ - var_sshd_set_maxstartups=10:30:60 -+ - sshd_set_max_sessions -+ - var_sshd_max_sessions=10 -+ - accounts_password_pam_minclass -+ - accounts_password_pam_minlen -+ - accounts_password_pam_retry -+ - var_password_pam_minclass=4 -+ - var_password_pam_minlen=14 -+ - locking_out_password_attempts -+ - accounts_password_pam_pwhistory_remember_password_auth -+ - accounts_password_pam_pwhistory_remember_system_auth -+ - var_password_pam_remember_control_flag=required -+ - var_password_pam_remember=5 -+ - set_password_hashing_algorithm_systemauth -+ - accounts_maximum_age_login_defs -+ - var_accounts_maximum_age_login_defs=365 -+ - accounts_password_set_max_life_existing -+ - accounts_minimum_age_login_defs -+ - var_accounts_minimum_age_login_defs=7 -+ - accounts_password_set_min_life_existing -+ - accounts_password_warn_age_login_defs -+ - var_accounts_password_warn_age_login_defs=7 -+ - account_disable_post_pw_expiration -+ - var_account_disable_post_pw_expiration=30 -+ - no_shelllogin_for_systemaccounts -+ - accounts_tmout -+ - var_accounts_tmout=15_min -+ - accounts_root_gid_zero -+ - accounts_umask_etc_bashrc -+ - accounts_umask_etc_login_defs -+ - use_pam_wheel_for_su -+ - sshd_allow_only_protocol2 -+ - journald_forward_to_syslog -+ - journald_compress -+ - journald_storage -+ - service_auditd_enabled -+ - service_httpd_disabled -+ - service_vsftpd_disabled -+ - service_named_disabled -+ - service_nfs_disabled -+ - service_rpcbind_disabled -+ - service_slapd_disabled -+ - service_dhcpd_disabled -+ - service_cups_disabled -+ - service_ypserv_disabled -+ - service_rsyncd_disabled -+ - service_avahi-daemon_disabled -+ - service_snmpd_disabled -+ - service_squid_disabled -+ - service_smb_disabled -+ - service_dovecot_disabled -+ - banner_etc_motd -+ - login_banner_text=cis_banners -+ - banner_etc_issue -+ - login_banner_text=cis_banners -+ - file_groupowner_etc_motd -+ - file_owner_etc_motd -+ - file_permissions_etc_motd -+ - file_groupowner_etc_issue -+ - file_owner_etc_issue -+ - file_permissions_etc_issue -+ - ensure_gpgcheck_globally_activated -+ - package_aide_installed -+ - aide_periodic_cron_checking -+ - grub2_password -+ - file_groupowner_grub2_cfg -+ - file_owner_grub2_cfg -+ - file_permissions_grub2_cfg -+ - require_singleuser_auth -+ - require_emergency_target_auth -+ - disable_users_coredumps -+ - coredump_disable_backtraces -+ - coredump_disable_storage -+ - configure_crypto_policy -+ - var_system_crypto_policy=default_policy -+ - dir_perms_world_writable_sticky_bits - - file_permissions_etc_passwd -+ - file_owner_etc_shadow -+ - file_groupowner_etc_shadow -+ - file_groupowner_etc_group -+ - file_owner_etc_group -+ - file_permissions_etc_group -+ - file_groupowner_etc_gshadow -+ - file_owner_etc_gshadow -+ - file_groupowner_backup_etc_passwd -+ - file_owner_backup_etc_passwd -+ - file_permissions_backup_etc_passwd -+ - file_groupowner_backup_etc_shadow -+ - file_owner_backup_etc_shadow -+ - file_permissions_backup_etc_shadow -+ - file_groupowner_backup_etc_group -+ - file_owner_backup_etc_group -+ - file_permissions_backup_etc_group -+ - file_groupowner_backup_etc_gshadow -+ - file_owner_backup_etc_gshadow -+ - file_permissions_backup_etc_gshadow -+ - file_permissions_unauthorized_world_writable -+ - file_permissions_ungroupowned -+ - accounts_root_path_dirs_no_write -+ - root_path_no_dot -+ - accounts_no_uid_except_zero -+ - file_ownership_home_directories -+ - file_groupownership_home_directories -+ - no_netrc_files -+ - no_rsh_trust_files -+ - account_unique_id -+ - group_unique_id -+ - group_unique_name -+ - kernel_module_sctp_disabled -+ - kernel_module_dccp_disabled -+ - wireless_disable_interfaces -+ - sysctl_net_ipv4_ip_forward -+ - sysctl_net_ipv6_conf_all_forwarding -+ - sysctl_net_ipv6_conf_all_forwarding_value=disabled -+ - sysctl_net_ipv4_conf_all_send_redirects -+ - sysctl_net_ipv4_conf_default_send_redirects -+ - sysctl_net_ipv4_conf_all_accept_source_route -+ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled -+ - sysctl_net_ipv4_conf_default_accept_source_route -+ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled -+ - sysctl_net_ipv6_conf_all_accept_source_route -+ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled -+ - sysctl_net_ipv6_conf_default_accept_source_route -+ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled -+ - sysctl_net_ipv4_conf_all_accept_redirects -+ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled -+ - sysctl_net_ipv4_conf_default_accept_redirects -+ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled -+ - sysctl_net_ipv6_conf_all_accept_redirects -+ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled -+ - sysctl_net_ipv6_conf_default_accept_redirects -+ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled -+ - sysctl_net_ipv4_conf_all_secure_redirects -+ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled -+ - sysctl_net_ipv4_conf_default_secure_redirects -+ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled -+ - sysctl_net_ipv4_conf_all_log_martians -+ - sysctl_net_ipv4_conf_all_log_martians_value=enabled -+ - sysctl_net_ipv4_conf_default_log_martians -+ - sysctl_net_ipv4_conf_default_log_martians_value=enabled -+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts -+ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled -+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses -+ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled -+ - sysctl_net_ipv4_conf_all_rp_filter -+ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled -+ - sysctl_net_ipv4_conf_default_rp_filter -+ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled -+ - sysctl_net_ipv4_tcp_syncookies -+ - sysctl_net_ipv4_tcp_syncookies_value=enabled -+ - sysctl_net_ipv6_conf_all_accept_ra -+ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled -+ - sysctl_net_ipv6_conf_default_accept_ra -+ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled -+ - package_firewalld_installed -+ - service_firewalld_enabled -+ - package_iptables_installed --- -2.34.1 - diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch b/meta-security/recipes-compliance/scap-security-guide/files/0002-scap-security-guide-Add-Poky-support.patch index 355f954290..1639264136 100644 --- a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch +++ b/meta-security/recipes-compliance/scap-security-guide/files/0002-scap-security-guide-Add-Poky-support.patch @@ -1,30 +1,27 @@ -From 23a224203a73688567f500380644e5cf30c8ed99 Mon Sep 17 00:00:00 2001 +From 2be977a60c944a54594d5786b2d8869ed72a9a06 Mon Sep 17 00:00:00 2001 From: Armin Kuster <akuster808@gmail.com> -Date: Thu, 22 Jun 2023 06:19:26 -0400 -Subject: [PATCH] scap-security-guide: add Poky support +Date: Wed, 5 Jul 2023 12:57:52 -0400 +Subject: [PATCH 2/2] scap-security-guide: Add Poky support Signed-off-by: Armin Kuster <akuster808@gmail.com> Upstream-Status: Pending +Waiting to see if OE changes get merged. Signed-off-by: Armin Kuster <akuster808@gmail.com> + --- - products/openembedded/product.yml | 7 +++- - .../openembedded/transforms/constants.xslt | 4 +-- - shared/checks/oval/installed_OS_is_poky.xml | 33 +++++++++++++++++++ - 3 files changed, 41 insertions(+), 3 deletions(-) + products/openembedded/product.yml | 6 ++++ + shared/checks/oval/installed_OS_is_poky.xml | 33 +++++++++++++++++++++ + 2 files changed, 39 insertions(+) create mode 100644 shared/checks/oval/installed_OS_is_poky.xml diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml -index 9f2f12d737..a495e197c0 100644 +index debf6870ef..d63479d5d3 100644 --- a/products/openembedded/product.yml +++ b/products/openembedded/product.yml -@@ -14,6 +14,11 @@ init_system: "systemd" - cpes_root: "../../shared/applicability" - cpes: - - openembedded: -- name: "cpe:/o:openembedded" -+ name: "cpe:/o:openembedded:nodistro:" +@@ -17,3 +17,9 @@ cpes: + name: "cpe:/o:openembedded:nodistro:" title: "OpenEmbedded nodistro" check_id: installed_OS_is_openembedded + @@ -32,24 +29,10 @@ index 9f2f12d737..a495e197c0 100644 + name: "cpe:/o:openembedded:poky:" + title: "OpenEmbedded Poky reference distribution" + check_id: installed_OS_is_poky -diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt -index 85e812a7c1..8901def2f9 100644 ---- a/products/openembedded/transforms/constants.xslt -+++ b/products/openembedded/transforms/constants.xslt -@@ -2,8 +2,8 @@ - - <xsl:include href="../../../shared/transforms/shared_constants.xslt"/> - --<xsl:variable name="product_long_name">OpenEmbedded nodistro</xsl:variable> --<xsl:variable name="product_short_name">OE nodistro</xsl:variable> -+<xsl:variable name="product_long_name">OpenEmbedded based distribution</xsl:variable> -+<xsl:variable name="product_short_name">OE distros</xsl:variable> - <xsl:variable name="product_stig_id_name">empty</xsl:variable> - <xsl:variable name="prod_type">openembedded</xsl:variable> - ++ diff --git a/shared/checks/oval/installed_OS_is_poky.xml b/shared/checks/oval/installed_OS_is_poky.xml new file mode 100644 -index 0000000000..9c41acd786 +index 0000000000..b8805cf31b --- /dev/null +++ b/shared/checks/oval/installed_OS_is_poky.xml @@ -0,0 +1,33 @@ @@ -60,19 +43,19 @@ index 0000000000..9c41acd786 + <affected family="unix"> + <platform>multi_platform_all</platform> + </affected> -+ <description>The operating system installed is a Poky referenece based System</description> ++ <description>The operating system installed is a Poky based System</description> + </metadata> -+ <criteria comment="System is Poky reference distribution" operator="AND"> ++ <criteria comment="System is Poky based distribution" operator="AND"> + <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" /> -+ <criterion comment="Poky based distro" test_ref="test_os_release_poky" /> -+ <criterion comment="Poky referenece distribution is installed" test_ref="test_poky" /> ++ <criterion comment="Poky based distro" test_ref="test_os_poky" /> ++ <criterion comment="Poky based distribution is installed" test_ref="test_poky" /> + </criteria> + </definition> + -+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_release_poky" version="1"> -+ <unix:object object_ref="obj_os_release_poky" /> ++ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_poky" version="1"> ++ <unix:object object_ref="obj_os_poky" /> + </unix:file_test> -+ <unix:file_object comment="check /etc/os-release file" id="obj_os_release_poky" version="1"> ++ <unix:file_object comment="check /etc/os-release file" id="obj_os_poky" version="1"> + <unix:filepath>/etc/os-release</unix:filepath> + </unix:file_object> + diff --git a/meta-security/recipes-compliance/scap-security-guide/files/run-ptest b/meta-security/recipes-compliance/scap-security-guide/files/run-ptest new file mode 100644 index 0000000000..e8d270f396 --- /dev/null +++ b/meta-security/recipes-compliance/scap-security-guide/files/run-ptest @@ -0,0 +1,7 @@ +#!/bin/sh + +export PYTHONPATH="/usr/lib/scap-security-guide/ptest/git:$PYTHONPATH" + +cd git/build + +ctest --output-on-failure -E unique-stigids diff --git a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb index 31ab96e526..988e48bd81 100644 --- a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb +++ b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb @@ -6,12 +6,12 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/" LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820" LICENSE = "BSD-3-Clause" -SRCREV = "dad85502ce8da722a6afc391346c41cee61e90a9" +SRCREV = "3a1012bc9ec2b01b3b71c6feefd3cff0f52bd64d" SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \ - file://0001-scap-security-guide-add-openembedded.patch \ - file://0001-standard.profile-expand-checks.patch \ - file://0001-scap-security-guide-add-Poky-support.patch \ file://run_eval.sh \ + file://run-ptest \ + file://0001-scap-security-guide-add-openembedded-distro-support.patch \ + file://0002-scap-security-guide-Add-Poky-support.patch \ " @@ -20,7 +20,7 @@ DEPENDS = "openscap-native python3-pyyaml-native python3-jinja2-native libxml2-n S = "${WORKDIR}/git" B = "${S}/build" -inherit cmake pkgconfig python3native python3targetconfig +inherit cmake pkgconfig python3native python3targetconfig ptest OECMAKE_GENERATOR = "Unix Makefiles" @@ -38,8 +38,52 @@ do_install:append() { install ${WORKDIR}/run_eval.sh ${D}${datadir}/openscap/. } +do_compile_ptest() { + cd ${S}/build + cmake ../ + make +} + +do_install_ptest() { + + # remove host & work dir from tests + for x in $(find ${S}/build -type f) ; + do + sed -e 's#${HOSTTOOLS_DIR}/##g' \ + -e 's#${RECIPE_SYSROOT_NATIVE}##g' \ + -e 's#${WORKDIR}#${PTEST_PATH}#g' \ + -e 's#/.*/xmllint#/usr/bin/xmllint#g' \ + -e 's#/.*/oscap#/usr/bin/oscap#g' \ + -e 's#/python3-native##g' \ + -i ${x} + done + + for x in $(find ${S}/build-scripts -type f) ; + do + sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' ${x} + done + + for x in $(find ${S}/tests -type f) ; + do + sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' ${x} + done + + for x in $(find ${S}/utils -type f) ; + do + sed -i -e '1s|^#!.*|#!/usr/bin/env python3|' ${x} + done + + PDIRS="apple_os build controls products shared components applications linux_os ocp-resources tests utils ssg build-scripts" + t=${D}/${PTEST_PATH}/git + for d in ${PDIRS}; do + install -d ${t}/$d + cp -fr ${S}/$d/* ${t}/$d/. + done +} + FILES:${PN} += "${datadir}/xml ${datadir}/openscap" RDEPENDS:${PN} = "openscap" +RDEPENDS:${PN}-ptest = "cmake grep sed bash git python3 python3-modules python3-mypy python3-pyyaml python3-yamlpath python3-xmldiff python3-json2html python3-pandas python3-openpyxl python3-pytest libxml2-utils libxslt-bin" COMPATIBLE_HOST:libc-musl = "null" diff --git a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb index 187aeaee29..78f7b49b27 100644 --- a/meta-security/recipes-core/images/dm-verity-image-initramfs.bb +++ b/meta-security/recipes-core/images/dm-verity-image-initramfs.bb @@ -19,7 +19,14 @@ IMAGE_FEATURES = "" IMAGE_LINGUAS = "" # Can we somehow inspect reverse dependencies to avoid these variables? -do_image[depends] += "${DM_VERITY_IMAGE}:do_image_${DM_VERITY_IMAGE_TYPE}" +python __anonymous() { + verity_image = d.getVar('DM_VERITY_IMAGE') + verity_type = d.getVar('DM_VERITY_IMAGE_TYPE') + + if verity_image and verity_type: + dep = ' %s:do_image_%s' % (verity_image, verity_type.replace('-', '_')) + d.appendVarFlag('do_image', 'depends', dep) +} # Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE do_image[nostamp] = "1" diff --git a/meta-security/recipes-core/images/security-build-image.bb b/meta-security/recipes-core/images/security-build-image.bb index 411cd20ef2..9c820495f4 100644 --- a/meta-security/recipes-core/images/security-build-image.bb +++ b/meta-security/recipes-core/images/security-build-image.bb @@ -18,3 +18,8 @@ inherit core-image export IMAGE_BASENAME = "security-build-image" IMAGE_ROOTFS_EXTRA_SPACE = "5242880" + +QB_KERNEL_CMDLINE_APPEND = " ${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', 'apparmor=1 security=apparmor', '', d)}" + +# We need more mem to run many apps in this layer +QB_MEM = "-m 2048" diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb index 494745b17b..3ef77e5ac9 100644 --- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -40,7 +40,6 @@ RDEPENDS:packagegroup-security-utils = "\ pinentry \ softhsm \ sshguard \ - firejail \ ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 ", "", " libseccomp",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "google-authenticator-libpam", "",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \ @@ -48,9 +47,8 @@ RDEPENDS:packagegroup-security-utils = "\ have_krill = "${@bb.utils.contains("DISTRO_FEATURES", "pam", "krill", "",d)}" RDEPENDS:packagegroup-security-utils:append:x86 = " chipsec ${have_krill}" -RDEPENDS:packagegroup-security-utils:append:x86-64 = " chipsec ${have_krill}" -RDEPENDS:packagegroup-security-utils:append:aarch64 = " ${have_krill}" -RDEPENDS:packagegroup-security-utils:remove:mipsarch = "firejail" +RDEPENDS:packagegroup-security-utils:append:x86-64 = " firejail chipsec ${have_krill}" +RDEPENDS:packagegroup-security-utils:append:aarch64 = " firejail ${have_krill}" RDEPENDS:packagegroup-security-utils:remove:libc-musl = "krill" SUMMARY:packagegroup-security-scanners = "Security scanners" diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb index 55c10fa1a9..829715bc29 100644 --- a/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb +++ b/meta-security/recipes-ids/ossec/ossec-hids_3.7.0.bb @@ -17,11 +17,19 @@ inherit autotools-brokensep useradd S = "${WORKDIR}/git" + +OSSEC_DIR="/var/ossec" OSSEC_UID ?= "ossec" OSSEC_RUID ?= "ossecr" OSSEC_GID ?= "ossec" OSSEC_EMAIL ?= "ossecm" +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM:${PN} = "--system ${OSSEC_UID}" +USERADD_PARAM:${PN} = "--system -g ${OSSEC_GID} --home-dir \ + ${OSSEC_DIR} --no-create-home \ + --shell /sbin/nologin ${BPN}" + do_configure[noexec] = "1" do_compile() { @@ -45,78 +53,75 @@ do_install(){ } pkg_postinst_ontarget:${PN} () { - DIR="/var/ossec" - - usermod -g ossec -G ossec -a root # Default for all directories - chmod -R 550 ${DIR} - chown -R root:${OSSEC_GID} ${DIR} + chmod -R 550 ${OSSEC_DIR} + chown -R root:${OSSEC_GID} ${OSSEC_DIR} # To the ossec queue (default for agentd to read) - chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/queue/ossec - chmod -R 770 ${DIR}/queue/ossec + chown -R ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/queue/ossec + chmod -R 770 ${OSSEC_DIR}/queue/ossec # For the logging user - chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/logs - chmod -R 750 ${DIR}/logs - chmod -R 775 ${DIR}/queue/rids - touch ${DIR}/logs/ossec.log - chown ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/logs/ossec.log - chmod 664 ${DIR}/logs/ossec.log + chown -R ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/logs + chmod -R 750 ${OSSEC_DIR}/logs + chmod -R 775 ${OSSEC_DIR}/queue/rids + touch ${OSSEC_DIR}/logs/ossec.log + chown ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/logs/ossec.log + chmod 664 ${OSSEC_DIR}/logs/ossec.log - chown -R ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/queue/diff - chmod -R 750 ${DIR}/queue/diff - chmod 740 ${DIR}/queue/diff/* > /dev/null 2>&1 || true + chown -R ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/queue/diff + chmod -R 750 ${OSSEC_DIR}/queue/diff + chmod 740 ${OSSEC_DIR}/queue/diff/* > /dev/null 2>&1 || true # For the etc dir - chmod 550 ${DIR}/etc - chown -R root:${OSSEC_GID} ${DIR}/etc + chmod 550 ${OSSEC_DIR}/etc + chown -R root:${OSSEC_GID} ${OSSEC_DIR}/etc if [ -f /etc/localtime ]; then - cp -pL /etc/localtime ${DIR}/etc/; - chmod 555 ${DIR}/etc/localtime - chown root:${OSSEC_GID} ${DIR}/etc/localtime + cp -pL /etc/localtime ${OSSEC_DIR}/etc/; + chmod 555 ${OSSEC_DIR}/etc/localtime + chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/localtime fi if [ -f /etc/TIMEZONE ]; then - cp -p /etc/TIMEZONE ${DIR}/etc/; - chmod 555 ${DIR}/etc/TIMEZONE + cp -p /etc/TIMEZONE ${OSSEC_DIR}/etc/; + chmod 555 ${OSSEC_DIR}/etc/TIMEZONE fi # More files - chown root:${OSSEC_GID} ${DIR}/etc/internal_options.conf - chown root:${OSSEC_GID} ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true - chown root:${OSSEC_GID} ${DIR}/etc/client.keys >/dev/null 2>&1 || true - chown root:${OSSEC_GID} ${DIR}/agentless/* - chown ${OSSEC_UUID}:${OSSEC_GID} ${DIR}/.ssh - chown root:${OSSEC_GID} ${DIR}/etc/shared/* - - chmod 550 ${DIR}/etc - chmod 440 ${DIR}/etc/internal_options.conf - chmod 660 ${DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true - chmod 440 ${DIR}/etc/client.keys >/dev/null 2>&1 || true - chmod 550 ${DIR}/agentless/* - chmod 700 ${DIR}/.ssh - chmod 770 ${DIR}/etc/shared - chmod 660 ${DIR}/etc/shared/* + chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/internal_options.conf + chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true + chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/client.keys >/dev/null 2>&1 || true + chown root:${OSSEC_GID} ${OSSEC_DIR}/agentless/* + chown ${OSSEC_UUID}:${OSSEC_GID} ${OSSEC_DIR}/.ssh + chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/shared/* + + chmod 550 ${OSSEC_DIR}/etc + chmod 440 ${OSSEC_DIR}/etc/internal_options.conf + chmod 660 ${OSSEC_DIR}/etc/local_internal_options.conf >/dev/null 2>&1 || true + chmod 440 ${OSSEC_DIR}/etc/client.keys >/dev/null 2>&1 || true + chmod 550 ${OSSEC_DIR}/agentless/* + chmod 700 ${OSSEC_DIR}/.ssh + chmod 770 ${OSSEC_DIR}/etc/shared + chmod 660 ${OSSEC_DIR}/etc/shared/* # For the /var/run - chmod 770 ${DIR}/var/run - chown root:${OSSEC_GID} ${DIR}/var/run + chmod 770 ${OSSEC_DIR}/var/run + chown root:${OSSEC_GID} ${OSSEC_DIR}/var/run # For util.sh - chown root:${OSSEC_GID} ${DIR}/bin/util.sh - chmod +x ${DIR}/bin/util.sh + chown root:${OSSEC_GID} ${OSSEC_DIR}/bin/util.sh + chmod +x ${OSSEC_DIR}/bin/util.sh # For binaries and active response - chmod 755 ${DIR}/active-response/bin/* - chown root:${OSSEC_GID} ${DIR}/active-response/bin/* - chown root:${OSSEC_GID} ${DIR}/bin/* - chmod 550 ${DIR}/bin/* + chmod 755 ${OSSEC_DIR}/active-response/bin/* + chown root:${OSSEC_GID} ${OSSEC_DIR}/active-response/bin/* + chown root:${OSSEC_GID} ${OSSEC_DIR}/bin/* + chmod 550 ${OSSEC_DIR}/bin/* # For ossec.conf - chown root:${OSSEC_GID} ${DIR}/etc/ossec.conf - chmod 660 ${DIR}/etc/ossec.conf + chown root:${OSSEC_GID} ${OSSEC_DIR}/etc/ossec.conf + chmod 660 ${OSSEC_DIR}/etc/ossec.conf # Debconf . /usr/share/debconf/confmodule @@ -126,23 +131,23 @@ pkg_postinst_ontarget:${PN} () { db_get ossec-hids-agent/server-ip SERVER_IP=$RET - sed -i "s/<server-ip>[^<]\+<\/server-ip>/<server-ip>${SERVER_IP}<\/server-ip>/" ${DIR}/etc/ossec.conf + sed -i "s/<server-ip>[^<]\+<\/server-ip>/<server-ip>${SERVER_IP}<\/server-ip>/" ${OSSEC_DIR}/etc/ossec.conf db_stop # ossec-init.conf - if [ -e ${DIR}/etc/ossec-init.conf ] && [ -d /etc/ ]; then + if [ -e ${OSSEC_DIR}/etc/ossec-init.conf ] && [ -d /etc/ ]; then if [ -e /etc/ossec-init.conf ]; then rm -f /etc/ossec-init.conf fi - ln -s ${DIR}/etc/ossec-init.conf /etc/ossec-init.conf + ln -s ${OSSEC_DIR}/etc/ossec-init.conf /etc/ossec-init.conf fi # init.d/ossec file - if [ -x ${DIR}/etc/init.d/ossec ] && [ -d /etc/init.d/ ]; then + if [ -x ${OSSEC_DIR}/etc/init.d/ossec ] && [ -d /etc/init.d/ ]; then if [ -e /etc/init.d/ossec ]; then rm -f /etc/init.d/ossec fi - ln -s ${DIR}/etc/init.d/ossec /etc/init.d/ossec + ln -s ${OSSEC_DIR}/etc/init.d/ossec /etc/init.d/ossec fi # Service diff --git a/meta-security/recipes-kernel/linux/linux-yocto-rt_%.bbappend b/meta-security/recipes-kernel/linux/linux-yocto-rt_%.bbappend new file mode 100644 index 0000000000..79dfeacf8b --- /dev/null +++ b/meta-security/recipes-kernel/linux/linux-yocto-rt_%.bbappend @@ -0,0 +1 @@ +require ${@bb.utils.contains('DISTRO_FEATURES', 'security', 'linux-yocto_security.inc', '', d)} diff --git a/meta-security/recipes-scanners/clamav/clamav_0.104.4.bb b/meta-security/recipes-scanners/clamav/clamav_0.104.4.bb index 68a7d1ff2f..102f26790a 100644 --- a/meta-security/recipes-scanners/clamav/clamav_0.104.4.bb +++ b/meta-security/recipes-scanners/clamav/clamav_0.104.4.bb @@ -13,7 +13,7 @@ LIC_FILES_CHKSUM = "file://COPYING.txt;beginline=2;endline=3;md5=f7029fbbc5898b2 # July 30th, 2022 SRCREV = "563ba93052f3b7b46fb8725a65ee6299a9c332cf" -SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.104;protocol=https \ +SRC_URI = "git://github.com/Cisco-Talos/clamav;branch=rel/0.104;protocol=https \ file://clamd.conf \ file://freshclam.conf \ file://volatiles.03_clamav \ diff --git a/meta-security/recipes-security/Firejail/firejail_0.9.72.bb b/meta-security/recipes-security/Firejail/firejail_0.9.72.bb index 12a3105c68..5713f466b4 100644 --- a/meta-security/recipes-security/Firejail/firejail_0.9.72.bb +++ b/meta-security/recipes-security/Firejail/firejail_0.9.72.bb @@ -59,6 +59,7 @@ pkg_postinst_ontarget:${PN} () { ${libdir}/${BPN}/fseccomp memory-deny-write-execute ${libdir}/${BPN}/seccomp.mdwx } -COMPATIBLE_MACHINE:mips64 = "(!.*mips64).*" +COMPATIBLE_MACHINE:x86_64 = "x86_64" +COMPATIBLE_MACHINE:arm64 = "arch64" RDEPENDS:${PN} = "bash" diff --git a/meta-security/recipes-security/glome/glome_git.bb b/meta-security/recipes-security/glome/glome_git.bb index 12d6d5ffa3..8787ddc359 100644 --- a/meta-security/recipes-security/glome/glome_git.bb +++ b/meta-security/recipes-security/glome/glome_git.bb @@ -12,7 +12,7 @@ DEPENDS += "openssl" S = "${WORKDIR}/git" SRC_URI = "git://github.com/google/glome.git;branch=master;protocol=https" -SRCREV = "978ad9fb165f1e382c875f2ce08a1fc4f2ddcf1b" +SRCREV = "48d28f82bd51ae4bccc84fbbee93c375b026596b" FILES:${PN} += "${libdir}/security" diff --git a/meta-security/recipes-security/sshguard/sshguard_2.4.2.bb b/meta-security/recipes-security/sshguard/sshguard_2.4.3.bb index bd7f979276..37b414e936 100644 --- a/meta-security/recipes-security/sshguard/sshguard_2.4.2.bb +++ b/meta-security/recipes-security/sshguard/sshguard_2.4.3.bb @@ -6,6 +6,6 @@ LICENSE = "BSD-1-Clause" SRC_URI="https://sourceforge.net/projects/sshguard/files/sshguard/${PV}/sshguard-${PV}.tar.gz" -SRC_URI[sha256sum] = "2770b776e5ea70a9bedfec4fd84d57400afa927f0f7522870d2dcbbe1ace37e8" +SRC_URI[sha256sum] = "64029deff6de90fdeefb1f497d414f0e4045076693a91da1a70eb7595e97efeb" inherit autotools-brokensep |