author | William A. Kennington III <wak@google.com> | 2021-06-02 22:48:35 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2021-06-07 18:15:22 +0300 |
commit | ee32beb0333105ea120420a3556a752079ef5437 (patch) | |
tree | f16a7a13fad542ab1069569568b4c8a053e5be84 /meta-security/recipes-ids | |
parent | a99e9b62f0adc374f48844dc94b4bb41d6a04c90 (diff) | |
download | openbmc-ee32beb0333105ea120420a3556a752079ef5437.tar.xz |
meta-security: subtree update:baca6133f9..ab239f1497
Armin Kuster (16):
build cleanup: add iam to base depend
tripwire: Blacklist pkg, upstream seems abandond
tpm2-pkcs11: Update to 1.6.0
clamav: update to tip.
ossec-hids: add UPSTREAM_CHECK_COMMITS
python3-scapy: add UPSTREAM_CHECK_COMMITS
suricata: 4.1.x add UPSTREAM_CHECK_URI
ibmswtpm2: update to 1661
ibmtpm2tss: update to tip
packagegroup-core-security: fix typo for mips
Apparmor: fix multi config build issue.
aide: Add another ids
packagegroup-core-security: add aide and ossec
.gitlab-ci: drop clean up combine alt w base
clamav: fix systemd startup
packagegroup-core-security: add clamav-daemon
Change-Id: Id941ea16208920cfa31bf6d42f8a01fc9765ec7c
Signed-off-by: William A. Kennington III <wak@google.com>
Diffstat (limited to 'meta-security/recipes-ids')
5 files changed, 141 insertions, 0 deletions
diff --git a/meta-security/recipes-ids/aide/aide/aide.conf b/meta-security/recipes-ids/aide/aide/aide.conf
new file mode 100644
index 000000000..2c99e0752
--- /dev/null
+++ b/meta-security/recipes-ids/aide/aide/aide.conf
@@ -0,0 +1,94 @@
+# Example configuration file for AIDE.
+
+@@define DBDIR /usr/lib/aide
+@@define LOGDIR /usr/lib/aide/logs
+
+# The location of the database to be read.
+database_in=file:@@{DBDIR}/aide.db.gz
+
+# The location of the database to be written.
+#database_out=sql:host:port:database:login_name:passwd:table
+#database_out=file:aide.db.new
+database_out=file:@@{DBDIR}/aide.db.gz
+
+# Whether to gzip the output to database
+gzip_dbout=yes
+
+# Default.
+log_level=warning
+
+report_url=file:@@{LOGDIR}/aide.log
+report_url=stdout
+#report_url=stderr
+#NOT IMPLEMENTED report_url=mailto:root@foo.com
+#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
+
+# These are the default rules.
+#
+#p: permissions
+#i: inode:
+#n: number of links
+#u: user
+#g: group
+#s: size
+#b: block count
+#m: mtime
+#a: atime
+#c: ctime
+#S: check for growing size
+#acl: Access Control Lists
+#selinux SELinux security context
+#xattrs: Extended file attributes
+#md5: md5 checksum
+#sha1: sha1 checksum
+#sha256: sha256 checksum
+#sha512: sha512 checksum
+#rmd160: rmd160 checksum
+#tiger: tiger checksum
+
+#haval: haval checksum (MHASH only)
+#gost: gost checksum (MHASH only)
+#crc32: crc32 checksum (MHASH only)
+#whirlpool: whirlpool checksum (MHASH only)
+
+FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+
+#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
+#L: p+i+n+u+g+acl+selinux+xattrs
+#E: Empty group
+#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
+
+# You can create custom rules like this.
+# With MHASH...
+# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+# Everything but access time (Ie. all changes)
+EVERYTHING = R+ALLXTRAHASHES
+
+# Sane, with multiple hashes
+# NORMAL = R+rmd160+sha256+whirlpool
+NORMAL = FIPSR+sha512
+
+# For directories, don't bother doing hashes
+DIR = p+i+n+u+g+acl+selinux+xattrs
+
+# Access control only
+PERMS = p+i+u+g+acl+selinux
+
+# Logfile are special, in that they often change
+LOG = >
+
+# Just do sha256 and sha512 hashes
+LSPP = FIPSR+sha512
+
+# Some files get updated automatically, so the inode/ctime/mtime change
+# but we want to know when the data inside them changes
+DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
+
+# Next decide what directories/files you want in the database.
+
+# Check only permissions, inode, user and group for /etc, but
+# cover some important files closely.
+/bin NORMAL
+/sbin NORMAL
+/lib NORMAL
diff --git a/meta-security/recipes-ids/aide/aide_0.17.3.bb b/meta-security/recipes-ids/aide/aide_0.17.3.bb
new file mode 100644
index 000000000..522cd85fe
--- /dev/null
+++ b/meta-security/recipes-ids/aide/aide_0.17.3.bb
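Review bot: In aide.conf, `database_in` and `database_out` both resolve to `@@{DBDIR}/aide.db.gz`, so any later `--init` or `--update` run overwrites the reference baseline in place and a modified tree can be re-baselined without anyone promoting the new database. Writing to a separate file, e.g. `database_out=file:@@{DBDIR}/aide.db.new.gz`, keeps promotion an explicit step; the `aide -i` postinst in the recipe would then have to move the file into place. The selection rules at the end cover only `/bin`, `/sbin` and `/lib`, although the comment above them talks about `/etc`; nothing here watches `/etc`, `/usr`, or the AIDE database and configuration themselves, so either add those rules or correct the comment. The database and log also live under `/usr/lib/aide` on the monitored root filesystem, which deserves a comment for integrators who mount it read-only or want the baseline kept off-device.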
@@ -0,0 +1,41 @@
+SUMMARY = "Advanced Intrusion Detection Environment"
+HOMEPAGE = "https://aide.github.io"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+LICENSE = "GPL-2.0"
+
+DEPENDS = "bison-native libpcre"
+
+SRC_URI = "https://github.com/aide/aide/releases/download/v${PV}/${BPN}-${PV}.tar.gz \
+ file://aide.conf"
+
+SRC_URI[sha256sum] = "a2eb1883cafaad056fbe43ee1e8ae09fd36caa30a0bc8edfea5d47bd67c464f8"
+
+inherit autotools pkgconfig
+
+PACKAGECONFIG ??=" mhash zlib e2fsattrs \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'xattr', '', d)} \
+ "
+PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux, libselinux"
+PACKAGECONFIG[zlib] = "--with-zlib, --without-zlib, zlib, zlib "
+PACKAGECONFIG[xattr] = "--with-xattr, --without-xattr, attr, attr"
+PACKAGECONFIG[curl] = "--with-curl, --without-curl, curl, libcurl"
+PACKAGECONFIG[audit] = "--with-audit, --without-audit,"
+PACKAGECONFIG[gcrypt] = "--with-gcrypt, --without-gcrypt, libgcrypt, libgcrypt"
+PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash"
+PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2fsprogs"
+
+do_install_append () {
+ install -d ${D}${libdir}/${PN}/logs
+ install -d ${D}${sysconfdir}
+ install ${WORKDIR}/aide.conf ${D}${sysconfdir}/
+}
+
+CONF_FILE = "${sysconfdir}/aide.conf"
+
+FILES_${PN} += "${libdir}/${PN} ${sysconfdir}/aide.conf"
+
+pkg_postinst_ontarget_${PN} () {
+ /usr/bin/aide -i
+}
+RDPENDS_${PN} = "bison, libpcre"
diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
index 10354a7d2..242bbdbe0 100644
--- a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
+++ b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
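Review bot: The last line of aide_0.17.3.bb sets `RDPENDS_${PN}`, a misspelling that bitbake treats as an unrelated variable, so no runtime dependency is declared; the value is also comma-separated and names `bison`, which is only a build-time tool here. Something like `RDEPENDS_${PN} = "libpcre"`, or dropping the line and relying on the automatic shared-library dependencies, would match the apparent intent. In `do_install_append`, `install ${WORKDIR}/aide.conf ${D}${sysconfdir}/` uses install's default mode, which leaves the IDS configuration executable and world-readable; `install -m 0600 ${WORKDIR}/aide.conf ${D}${sysconfdir}/` is the usual choice, with an explicit mode on the `${libdir}/${PN}` directories as well. `PACKAGECONFIG[audit]` declares no build dependency, so enabling it through the `selinux` distro feature relies on audit already being present in the sysroot.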
@@ -11,6 +11,8 @@ SRC_URI = "git://github.com/ossec/ossec-hids;branch=master \ SRCREV = "1303c78e2c67d7acee0508cb00c3bc63baaa27c2" +UPSTREAM_CHECK_COMMITS = "1" + inherit autotools-brokensep useradd S = "${WORKDIR}/git" diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.10.bb b/meta-security/recipes-ids/suricata/suricata_4.1.10.bb index 3f7beaacf..bf088433a 100644 --- a/meta-security/recipes-ids/suricata/suricata_4.1.10.bb +++ b/meta-security/recipes-ids/suricata/suricata_4.1.10.bb @@ -12,6 +12,8 @@ SRC_URI += " \ file://run-ptest \ " +UPSTREAM_CHECK_URI = "www.openinfosecfoundation.org/download" + inherit autotools-brokensep pkgconfig python3-dir systemd ptest CFLAGS += "-D_DEFAULT_SOURCE -fcommon" diff --git a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb index 4f50bff73..36e5d00b7 100644 --- a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb +++ b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb @@ -73,3 +73,5 @@ FILES_${PN}-ptest += "${PTEST_PATH}/tests " RDEPENDS_${PN} += " perl nano msmtp cronie" RDEPENDS_${PN}-ptest = " perl lib-perl perl-modules " + +PNBLACKLIST[tripwire] ?= "Upsteram project appears to be abondoned, fails to build with gcc11" |
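Review bot: `UPSTREAM_CHECK_URI = "www.openinfosecfoundation.org/download"` in the suricata hunk has no URL scheme, and the upstream-version check hands this value to the fetcher as a URL, so the check will probably fail rather than report newer releases. `UPSTREAM_CHECK_URI = "https://www.openinfosecfoundation.org/download"` is presumably what was meant. For an IDS recipe a working version check matters, since it is how maintainers notice upstream security releases.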
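Review bot: The `PNBLACKLIST[tripwire]` reason string is what bitbake prints when the recipe is skipped, and it contains two typos; `"Upstream project appears to be abandoned, fails to build with gcc11"` reads better. The diffstat shown here is limited to recipes-ids, so it is not visible whether anything still pulls tripwire in at runtime; if a package group does, it should drop it in the same change.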