meta-security: subtree update:b72cc7f87c..95fe86eb98

André Draszik (1):
      linux-yocto: update the bbappend to 5.x

Armin Kuster (36):
      README: add pull request option
      sssd: drop py2 support
      python3-fail2ban: update to latest
      Apparmor: fix some runtime depends
      linux-yocto-dev: remove "+"
      checksecurity: fix runtime issues
      buck-security: fix rdebends and minor style cleanup
      swtpm: fix configure error
      ecryptfs-utils: search nspr header files in ${STAGING_INCDIR}/nspr directory
      bastille: convert to py3
      tpm2-tools: update to 4.1.1
      tpm2-tcti-uefi: fix build issue for i386 machine
      tpm2-tss: update to 2.3.2
      ibmswtpm2: update to 1563
      python3-fail2ban: add 2-3 conversion changes
      google-authenticator-libpam: install module in pam location
      apparmor: update to tip
      clamav: add bison-native to depend
      meta-security-isafw: import layer from Intel
      isafw: fix to work against master
      layer.conf: add zeus
      README.md: update to new maintainer
      clamav-native: missed bison fix
      secuirty*-image: remove dead var and minor cleanup
      libtpm: fix build issue over pod2man
      sssd: python2 not supported
      libseccomp: update to 2.4.3
      lynis: add missing rdepends
      fail2ban: change hardcoded sysklogd to VIRTUAL-RUNTIME_base-utils-syslog
      chkrootkit: add rootkit recipe
      clamav: move to recipes-scanners
      checksec: move to recipe-scanners
      checksecurity: move to recipes-scanners
      buck-security: move to recipes-scanners
      arpwatch: add new recipe
      buck-security: fix runtime issue with missing per module

Bartosz Golaszewski (3):
      linux: drop the bbappend for linux v4.x series
      classes: provide a class for generating dm-verity meta-data images
      dm-verity: add a working example for BeagleBone Black

Haseeb Ashraf (1):
      samhain: dnmalloc hash fix for aarch64 and mips64

Jan Luebbe (2):
      apparmor: fix wrong executable permission on service file
      apparmor: update to 2.13.4

Jonatan Pålsson (10):
      README: Add meta-python to list of layer deps
      sssd: Add PACKAGECONFIG for python2
      sssd: Fix typo in PACKAGECONFIG. cyrpto -> crypto
      sssd: DEPEND on nss if nothing else is chosen
      sssd: Sort PACKAGECONFIG entries
      sssd: Add autofs PACKAGECONFIG
      sssd: Add sudo PACKAGECONFIG
      sssd: Add missing files to SYSTEMD_SERVICE
      sssd: Add missing DEPENDS on jansson
      sssd: Add infopipe PACKAGECONFIG

Kai Kang (1):
      sssd: fix for ldblibdir and systemd etc

Martin Jansa (1):
      layer.conf: update LAYERSERIES_COMPAT for dunfell

Mingli Yu (1):
      linux-yocto: update the bbappend to 5.x

Pierre-Jean Texier via Lists.Yoctoproject.Org (1):
      google-authenticator-libpam: upgrade 1.07 -> 1.08

Yi Zhao (5):
      samhain: fix build with new version attr
      scap-security-guide: fix xml parsing error when build remediation files
      scap-security-guide: pass the correct schema file path to openscap-native
      openscap-daemon: add missing runtime dependencies
      samhain-server: add volatile file for systemd

Change-Id: I3d4a4055cb9420e97d3eacf8436d9b048d34733f
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>

7 files changed, 87 insertions, 4 deletions

diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
index 8572a1fce..965c83797 100644
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ b/meta-security/meta-security-compliance/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "scanners-layer"
 BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_scanners-layer = "10"
 
-LAYERSERIES_COMPAT_scanners-layer = "zeus"
+LAYERSERIES_COMPAT_scanners-layer = "dunfell"
 
 LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
 
diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb
index 21e451794..245761c37 100644
--- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb
+++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb
@@ -38,4 +38,4 @@ do_install () {
 FILES_${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf"
 FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md" 
 
-RDEPENDS_${PN} += "procps"
+RDEPENDS_${PN} += "procps findutils"
diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
index ca6e03079..a77502143 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb
@@ -17,4 +17,7 @@ inherit setuptools3
 
 S = "${WORKDIR}/git"
 
-RDEPENDS_${PN} = "python"
+RDEPENDS_${PN} = "openscap scap-security-guide \
+                  python3-core python3-dbus \
+                  python3-pygobject \
+                 "
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch
new file mode 100644
index 000000000..c0b93e410
--- /dev/null
+++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch
@@ -0,0 +1,39 @@
+From 174293162e5840684d967e36840fc1f9f57c90be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Thu, 5 Dec 2019 15:02:05 +0100
+Subject: [PATCH] Fix XML "parsing" of the remediation functions file.
+
+A proper fix is not worth the effort, as we aim to kill shared Bash remediation
+with Jinja2 macros.
+
+Upstream-Status: Backport
+[https://github.com/ComplianceAsCode/content/commit/174293162e5840684d967e36840fc1f9f57c90be]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ssg/build_remediations.py | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 7da807bd6..13e90f732 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -56,11 +56,11 @@ def get_available_functions(build_dir):
+     remediation_functions = []
+     with codecs.open(xmlfilepath, "r", encoding="utf-8") as xmlfile:
+         filestring = xmlfile.read()
+-        # This regex looks implementation dependent but we can rely on
+-        # ElementTree sorting XML attrs alphabetically. Hidden is guaranteed
+-        # to be the first attr and ID is guaranteed to be second.
++        # This regex looks implementation dependent but we can rely on the element attributes
++        # being present on one line.
++        # We can't rely on ElementTree sorting XML attrs in any way since Python 3.7.
+         remediation_functions = re.findall(
+-            r'<Value hidden=\"true\" id=\"function_(\S+)\"',
++            r'<Value.*id=\"function_(\S+)\"',
+             filestring, re.DOTALL
+         )
+ 
+-- 
+2.17.1
+
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch
new file mode 100644
index 000000000..f0c9909c3
--- /dev/null
+++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch
@@ -0,0 +1,35 @@
+From 28a35d63a0cc6b7beb51c77d93bb30778e6960cd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
+Date: Mon, 9 Dec 2019 13:41:47 +0100
+Subject: [PATCH] Fixed the broken fix, when greedy regex ate the whole file.
+
+We want to match attributes in an XML element, not in the whole file.
+
+Upstream-Status: Backport
+[https://github.com/ComplianceAsCode/content/commit/28a35d63a0cc6b7beb51c77d93bb30778e6960cd]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ ssg/build_remediations.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py
+index 13e90f732..edf31c0cf 100644
+--- a/ssg/build_remediations.py
++++ b/ssg/build_remediations.py
+@@ -57,10 +57,10 @@ def get_available_functions(build_dir):
+     with codecs.open(xmlfilepath, "r", encoding="utf-8") as xmlfile:
+         filestring = xmlfile.read()
+         # This regex looks implementation dependent but we can rely on the element attributes
+-        # being present on one line.
++        # being present. Beware, DOTALL means we go through the whole file at once.
+         # We can't rely on ElementTree sorting XML attrs in any way since Python 3.7.
+         remediation_functions = re.findall(
+-            r'<Value.*id=\"function_(\S+)\"',
++            r'<Value[^>]+id=\"function_(\S+)\"',
+             filestring, re.DOTALL
+         )
+ 
+-- 
+2.17.1
+
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
index 3212310fb..66c262302 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
+++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc
@@ -13,6 +13,9 @@ S = "${WORKDIR}/git"
 inherit cmake pkgconfig python3native
 
 STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
+export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe"
+export OSCAP_SCHEMA_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas"
+export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl"
 
 OECMAKE_GENERATOR = "Unix Makefiles"
 
diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
index d9238c03f..f35d7691b 100644
--- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
+++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb
@@ -1,7 +1,10 @@
 SUMARRY = "SCAP content for various platforms, OE changes"
 
 SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed"
-SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44;"
+SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44; \
+           file://0001-Fix-XML-parsing-of-the-remediation-functions-file.patch \
+           file://0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch \
+          "
 PV = "0.1.44+git${SRCPV}"
 
 require scap-security-guide.inc