From 1fe918a07084c878d72cf8a7d1707f6598cc438f Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Fri, 15 May 2020 14:16:47 -0500 Subject: meta-security: subtree update:b72cc7f87c..95fe86eb98 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit André Draszik (1): linux-yocto: update the bbappend to 5.x Armin Kuster (36): README: add pull request option sssd: drop py2 support python3-fail2ban: update to latest Apparmor: fix some runtime depends linux-yocto-dev: remove "+" checksecurity: fix runtime issues buck-security: fix rdebends and minor style cleanup swtpm: fix configure error ecryptfs-utils: search nspr header files in ${STAGING_INCDIR}/nspr directory bastille: convert to py3 tpm2-tools: update to 4.1.1 tpm2-tcti-uefi: fix build issue for i386 machine tpm2-tss: update to 2.3.2 ibmswtpm2: update to 1563 python3-fail2ban: add 2-3 conversion changes google-authenticator-libpam: install module in pam location apparmor: update to tip clamav: add bison-native to depend meta-security-isafw: import layer from Intel isafw: fix to work against master layer.conf: add zeus README.md: update to new maintainer clamav-native: missed bison fix secuirty*-image: remove dead var and minor cleanup libtpm: fix build issue over pod2man sssd: python2 not supported libseccomp: update to 2.4.3 lynis: add missing rdepends fail2ban: change hardcoded sysklogd to VIRTUAL-RUNTIME_base-utils-syslog chkrootkit: add rootkit recipe clamav: move to recipes-scanners checksec: move to recipe-scanners checksecurity: move to recipes-scanners buck-security: move to recipes-scanners arpwatch: add new recipe buck-security: fix runtime issue with missing per module Bartosz Golaszewski (3): linux: drop the bbappend for linux v4.x series classes: provide a class for generating dm-verity meta-data images dm-verity: add a working example for BeagleBone Black Haseeb Ashraf (1): samhain: dnmalloc hash fix for aarch64 and mips64 Jan Luebbe (2): apparmor: fix wrong executable permission on service file apparmor: update to 2.13.4 Jonatan Pålsson (10): README: Add meta-python to list of layer deps sssd: Add PACKAGECONFIG for python2 sssd: Fix typo in PACKAGECONFIG. cyrpto -> crypto sssd: DEPEND on nss if nothing else is chosen sssd: Sort PACKAGECONFIG entries sssd: Add autofs PACKAGECONFIG sssd: Add sudo PACKAGECONFIG sssd: Add missing files to SYSTEMD_SERVICE sssd: Add missing DEPENDS on jansson sssd: Add infopipe PACKAGECONFIG Kai Kang (1): sssd: fix for ldblibdir and systemd etc Martin Jansa (1): layer.conf: update LAYERSERIES_COMPAT for dunfell Mingli Yu (1): linux-yocto: update the bbappend to 5.x Pierre-Jean Texier via Lists.Yoctoproject.Org (1): google-authenticator-libpam: upgrade 1.07 -> 1.08 Yi Zhao (5): samhain: fix build with new version attr scap-security-guide: fix xml parsing error when build remediation files scap-security-guide: pass the correct schema file path to openscap-native openscap-daemon: add missing runtime dependencies samhain-server: add volatile file for systemd Change-Id: I3d4a4055cb9420e97d3eacf8436d9b048d34733f Signed-off-by: Andrew Geissler --- .../checksecurity/checksecurity_2.0.15.bb | 21 +++++++++ .../check-setuid-use-more-portable-find-args.patch | 23 ++++++++++ .../checksecurity/files/setuid-log-folder.patch | 52 ++++++++++++++++++++++ 3 files changed, 96 insertions(+) create mode 100644 meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb create mode 100644 meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch create mode 100644 meta-security/recipes-scanners/checksecurity/files/setuid-log-folder.patch (limited to 'meta-security/recipes-scanners/checksecurity') diff --git a/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb b/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb new file mode 100644 index 000000000..204123d84 --- /dev/null +++ b/meta-security/recipes-scanners/checksecurity/checksecurity_2.0.15.bb @@ -0,0 +1,21 @@ +SUMMARY = "basic system security checks" +DESCRIPTION = "checksecurity is a simple package which will scan your system for several simple security holes." +SECTION = "security" +LICENSE = "GPL-2.0" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" + +SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \ + file://setuid-log-folder.patch \ + file://check-setuid-use-more-portable-find-args.patch" + +SRC_URI[md5sum] = "a30161c3e24d3be710b2fd13fcd1f32f" +SRC_URI[sha256sum] = "67abe3d6391c96146e96f376d3fd6eb7a9418b0f7fe205b465219889791dba32" + +do_compile() { +} + +do_install() { + oe_runmake PREFIX=${D} +} + +RDEPENDS_${PN} = "perl libenv-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob perl-module-carp perl-module-env perl-module-tap-parser-iterator-array util-linux findutils coreutils" diff --git a/meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch b/meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch new file mode 100644 index 000000000..f1fe8edce --- /dev/null +++ b/meta-security/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch @@ -0,0 +1,23 @@ +From f3073b8e06a607677d47ad9a19533b2e33408a4f Mon Sep 17 00:00:00 2001 +From: Christopher Larson +Date: Wed, 5 Sep 2018 23:21:43 +0500 +Subject: [PATCH] check-setuid: use more portable find args + +Signed-off-by: Christopher Larson +--- + plugins/check-setuid | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +Index: checksecurity-2.0.15/plugins/check-setuid +=================================================================== +--- checksecurity-2.0.15.orig/plugins/check-setuid 2018-09-06 00:49:23.930934294 +0500 ++++ checksecurity-2.0.15/plugins/check-setuid 2018-09-06 00:49:49.694934757 +0500 +@@ -99,7 +99,7 @@ + ionice -t -c3 \ + find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \ + -xdev $PATHCHK \ +- \( -type f -perm +06000 -o \( \( -type b -o -type c \) \ ++ \( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \ + $DEVCHK \) \) \ + -ignore_readdir_race \ + -printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" | diff --git a/meta-security/recipes-scanners/checksecurity/files/setuid-log-folder.patch b/meta-security/recipes-scanners/checksecurity/files/setuid-log-folder.patch new file mode 100644 index 000000000..540ea9c31 --- /dev/null +++ b/meta-security/recipes-scanners/checksecurity/files/setuid-log-folder.patch @@ -0,0 +1,52 @@ +From 24dbeec135ff83f2fd35ef12fe9842f02d6fd337 Mon Sep 17 00:00:00 2001 +From: Andrei Dinu +Date: Thu, 20 Jun 2013 15:14:55 +0300 +Subject: [PATCH] changed log folder for check-setuid + +check-setuid was creating logs in /var/log directory, +which cannot be created persistently. To avoid errors +the log folder was changed to /etc/checksecurity/. + +Signed-off-by: Andrei Dinu +--- + etc/check-setuid.conf | 2 +- + plugins/check-setuid | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/etc/check-setuid.conf b/etc/check-setuid.conf +index 621336f..e1532c0 100644 +--- a/etc/check-setuid.conf ++++ b/etc/check-setuid.conf +@@ -116,4 +116,4 @@ CHECKSECURITY_PATHFILTER="-false" + # + # Location of setuid file databases. + # +-LOGDIR=/var/log/setuid ++LOGDIR=/etc/checksecurity/ +diff --git a/plugins/check-setuid b/plugins/check-setuid +index 8d6f90b..bdb21c1 100755 +--- a/plugins/check-setuid ++++ b/plugins/check-setuid +@@ -44,8 +44,8 @@ if [ `/usr/bin/id -u` != 0 ] ; then + exit 1 + fi + +-TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp +-TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp ++TMPSETUID=${LOGDIR:=/etc/checksecurity/}/setuid.new.tmp ++TMPDIFF=${LOGDIR:=/etc/checksecurity/}/setuid.diff.tmp + + # + # Check for NFS/AFS mounts that are not nosuid/nodev +@@ -75,7 +75,7 @@ if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then + fi + + # Guard against undefined vars +-[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid ++[ -z "$LOGDIR" ] && LOGDIR=/etc/checksecurity/ + if [ ! -e "$LOGDIR" ] ; then + echo "ERROR: Log directory $LOGDIR does not exist" + exit 1 +-- +1.7.9.5 + -- cgit v1.2.3