diff options
Diffstat (limited to 'meta-security/meta-security-compliance')
7 files changed, 87 insertions, 4 deletions
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf index 8572a1fce..965c83797 100644 --- a/meta-security/meta-security-compliance/conf/layer.conf +++ b/meta-security/meta-security-compliance/conf/layer.conf @@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "scanners-layer" BBFILE_PATTERN_scanners-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_scanners-layer = "10" -LAYERSERIES_COMPAT_scanners-layer = "zeus" +LAYERSERIES_COMPAT_scanners-layer = "dunfell" LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python" diff --git a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb index 21e451794..245761c37 100644 --- a/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb +++ b/meta-security/meta-security-compliance/recipes-auditors/lynis/lynis_2.7.5.bb @@ -38,4 +38,4 @@ do_install () { FILES_${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf" FILES_${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md" -RDEPENDS_${PN} += "procps" +RDEPENDS_${PN} += "procps findutils" diff --git a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb index ca6e03079..a77502143 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb +++ b/meta-security/meta-security-compliance/recipes-openscap/openscap-daemon/openscap-daemon_0.1.10.bb @@ -17,4 +17,7 @@ inherit setuptools3 S = "${WORKDIR}/git" -RDEPENDS_${PN} = "python" +RDEPENDS_${PN} = "openscap scap-security-guide \ + python3-core python3-dbus \ + python3-pygobject \ + " diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch new file mode 100644 index 000000000..c0b93e410 --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0001-Fix-XML-parsing-of-the-remediation-functions-file.patch @@ -0,0 +1,39 @@ +From 174293162e5840684d967e36840fc1f9f57c90be Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com> +Date: Thu, 5 Dec 2019 15:02:05 +0100 +Subject: [PATCH] Fix XML "parsing" of the remediation functions file. + +A proper fix is not worth the effort, as we aim to kill shared Bash remediation +with Jinja2 macros. + +Upstream-Status: Backport +[https://github.com/ComplianceAsCode/content/commit/174293162e5840684d967e36840fc1f9f57c90be] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + ssg/build_remediations.py | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 7da807bd6..13e90f732 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -56,11 +56,11 @@ def get_available_functions(build_dir): + remediation_functions = [] + with codecs.open(xmlfilepath, "r", encoding="utf-8") as xmlfile: + filestring = xmlfile.read() +- # This regex looks implementation dependent but we can rely on +- # ElementTree sorting XML attrs alphabetically. Hidden is guaranteed +- # to be the first attr and ID is guaranteed to be second. ++ # This regex looks implementation dependent but we can rely on the element attributes ++ # being present on one line. ++ # We can't rely on ElementTree sorting XML attrs in any way since Python 3.7. + remediation_functions = re.findall( +- r'<Value hidden=\"true\" id=\"function_(\S+)\"', ++ r'<Value.*id=\"function_(\S+)\"', + filestring, re.DOTALL + ) + +-- +2.17.1 + diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch new file mode 100644 index 000000000..f0c9909c3 --- /dev/null +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/files/0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch @@ -0,0 +1,35 @@ +From 28a35d63a0cc6b7beb51c77d93bb30778e6960cd Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com> +Date: Mon, 9 Dec 2019 13:41:47 +0100 +Subject: [PATCH] Fixed the broken fix, when greedy regex ate the whole file. + +We want to match attributes in an XML element, not in the whole file. + +Upstream-Status: Backport +[https://github.com/ComplianceAsCode/content/commit/28a35d63a0cc6b7beb51c77d93bb30778e6960cd] + +Signed-off-by: Yi Zhao <yi.zhao@windriver.com> +--- + ssg/build_remediations.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ssg/build_remediations.py b/ssg/build_remediations.py +index 13e90f732..edf31c0cf 100644 +--- a/ssg/build_remediations.py ++++ b/ssg/build_remediations.py +@@ -57,10 +57,10 @@ def get_available_functions(build_dir): + with codecs.open(xmlfilepath, "r", encoding="utf-8") as xmlfile: + filestring = xmlfile.read() + # This regex looks implementation dependent but we can rely on the element attributes +- # being present on one line. ++ # being present. Beware, DOTALL means we go through the whole file at once. + # We can't rely on ElementTree sorting XML attrs in any way since Python 3.7. + remediation_functions = re.findall( +- r'<Value.*id=\"function_(\S+)\"', ++ r'<Value[^>]+id=\"function_(\S+)\"', + filestring, re.DOTALL + ) + +-- +2.17.1 + diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc index 3212310fb..66c262302 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide.inc @@ -13,6 +13,9 @@ S = "${WORKDIR}/git" inherit cmake pkgconfig python3native STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" +export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe" +export OSCAP_SCHEMA_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas" +export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl" OECMAKE_GENERATOR = "Unix Makefiles" diff --git a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb index d9238c03f..f35d7691b 100644 --- a/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb +++ b/meta-security/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_git.bb @@ -1,7 +1,10 @@ SUMARRY = "SCAP content for various platforms, OE changes" SRCREV = "5fdfdcb2e95afbd86ace555beca5d20cbf1043ed" -SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44;" +SRC_URI = "git://github.com/akuster/scap-security-guide.git;branch=oe-0.1.44; \ + file://0001-Fix-XML-parsing-of-the-remediation-functions-file.patch \ + file://0002-Fixed-the-broken-fix-when-greedy-regex-ate-the-whole.patch \ + " PV = "0.1.44+git${SRCPV}" require scap-security-guide.inc |