From ee32beb0333105ea120420a3556a752079ef5437 Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Wed, 2 Jun 2021 12:48:35 -0700 Subject: meta-security: subtree update:baca6133f9..ab239f1497 Armin Kuster (16): build cleanup: add iam to base depend tripwire: Blacklist pkg, upstream seems abandoned tpm2-pkcs11: Update to 1.6.0 clamav: update to tip. ossec-hids: add UPSTREAM_CHECK_COMMITS python3-scapy: add UPSTREAM_CHECK_COMMITS suricata: 4.1.x add UPSTREAM_CHECK_URI ibmswtpm2: update to 1661 ibmtpm2tss: update to tip packagegroup-core-security: fix typo for mips Apparmor: fix multi config build issue. aide: Add another ids packagegroup-core-security: add aide and ossec .gitlab-ci: drop clean up combine alt w base clamav: fix systemd startup packagegroup-core-security: add clamav-daemon Change-Id: Id941ea16208920cfa31bf6d42f8a01fc9765ec7c
Signed-off-by: William A. Kennington III --- meta-security/.gitlab-ci.yml | 123 ++++----- meta-security/kas/kas-security-base.yml | 2 +- meta-security/kas/qemuarm64-ima.yml | 10 - meta-security/kas/qemux86-64-ima.yml | 10 - meta-security/kas/qemux86-ima.yml | 10 - .../ibmswtpm2/files/fix-wrong-cast.patch | 27 -- .../recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb | 39 --- .../recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb | 37 +++ .../recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb | 4 +- .../recipes-tpm2/tpm2-pkcs11/files/677.patch | 295 +++++++++++++++++++++ .../recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.5.0.bb | 44 --- .../recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb | 55 ++++ .../packagegroup/packagegroup-core-security.bb | 11 +- meta-security/recipes-ids/aide/aide/aide.conf | 94 +++++++ meta-security/recipes-ids/aide/aide_0.17.3.bb | 41 +++ .../recipes-ids/ossec/ossec-hids_3.6.0.bb | 2 + .../recipes-ids/suricata/suricata_4.1.10.bb | 2 + .../recipes-ids/tripwire/tripwire_2.4.3.7.bb | 2 + meta-security/recipes-mac/AppArmor/apparmor_3.0.bb | 3 +- .../recipes-scanners/clamav/clamav_0.104.0.bb | 49 ++-- .../clamav/files/fix_systemd_socket.patch | 25 ++ .../recipes-security/scapy/python3-scapy_2.4.4.bb | 2 + 22 files changed, 655 insertions(+), 232 deletions(-) delete mode 100644 meta-security/kas/qemuarm64-ima.yml delete mode 100644 meta-security/kas/qemux86-64-ima.yml delete mode 100644 meta-security/kas/qemux86-ima.yml delete mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch delete mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch delete mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.5.0.bb create mode 100644 meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb create mode 100644 
meta-security/recipes-ids/aide/aide/aide.conf create mode 100644 meta-security/recipes-ids/aide/aide_0.17.3.bb create mode 100644 meta-security/recipes-scanners/clamav/files/fix_systemd_socket.patch (limited to 'meta-security') diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml index 32110253c..206d7241b 100644 --- a/meta-security/.gitlab-ci.yml +++ b/meta-security/.gitlab-ci.yml @@ -14,19 +14,17 @@ - done - rm -fr $CI_PROJECT_DIR/build - stages: - - build + - base - parsec - multi - - alt - musl - test -.build: +.base: before_script: - *before-my-script - stage: build + stage: base after_script: - *after-my-script @@ -45,13 +43,6 @@ stages: after_script: - *after-my-script -.alt: - before_script: - - *before-my-script - stage: alt - after_script: - - *after-my-script - .musl: before_script: - *before-my-script 
@@ -66,100 +57,110 @@ stages: after_script: - *after-my-script - qemux86: - extends: .build + extends: .base script: - - kas build --target security-build-image kas/$CI_JOB_NAME.yml + - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image integrity-image-minimal" - kas build --target security-build-image kas/$CI_JOB_NAME-comp.yml - kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml - - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml -qemux86-64: - extends: .build +qemux86-musl: + extends: .musl + needs: ['qemux86-parsec'] script: - - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm-image security-tpm2-image" - - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml - - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemuarm: - extends: .build +qemux86-parsec: + extends: .parsec + needs: ['qemux86'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemuarm64: - extends: .build +qemux86-test: + extends: .test + needs: ['qemux86'] + allow_failure: true script: - - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image" - - kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml + - kas build --target security-test-image kas/$CI_JOB_NAME.yml + - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml -qemuppc: - extends: .build +qemux86-64: + extends: .base + script: + - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm-image security-tpm2-image integrity-image-minimal" + - kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml + - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml + +qemux86-64-parsec: + extends: .parsec + needs: ['qemux86-64'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemumips64: - 
extends: .build +qemux86-64-multi: + extends: .multi + needs: ['qemux86-64'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemuriscv64: - extends: .build +qemuarm: + extends: .base script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemuarm64-alt: - extends: .alt +qemuarm-parsec: + extends: .parsec + needs: ['qemuarm'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml +qemuarm64: + extends: .base + script: + - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image integrity-image-minimal" + - kas build --target security-build-image kas/$CI_JOB_NAME-alt.yml + qemuarm64-multi: extends: .multi + needs: ['qemuarm64'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemumips64-alt: - extends: .alt +qemuarm64-musl: + extends: .musl + needs: ['qemuarm64'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemumips64-multi: - extends: .multi +qemuarm64-parsec: + extends: .parsec + needs: ['qemuarm64'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemux86-64-alt: - extends: .alt +qemuppc: + extends: .base script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemux86-64-multi: - extends: .multi +qemuppc-parsec: + extends: .parsec + needs: ['qemuppc'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemux86-musl: - extends: .musl +qemumips64: + extends: .base script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemuarm64-musl: - extends: .musl +qemumips64-multi: + extends: .multi + needs: ['qemumips64'] script: - kas build --target security-build-image kas/$CI_JOB_NAME.yml -qemux86-test: - extends: .test - allow_failure: true - script: - - kas build --target security-test-image kas/$CI_JOB_NAME.yml - - kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml - -parsec: - extends: .parsec +qemuriscv64: + extends: .base script: - - kas 
build --target security-build-image kas/qemuarm-$CI_JOB_NAME.yml - - kas build --target security-build-image kas/qemuarm64-$CI_JOB_NAME.yml - - kas build --target security-build-image kas/qemux86-$CI_JOB_NAME.yml - - kas build --target security-build-image kas/qemux86-64-$CI_JOB_NAME.yml - - kas build --target security-build-image kas/qemuppc-$CI_JOB_NAME.yml + - kas build --target security-build-image kas/$CI_JOB_NAME.yml diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml index 487befe1a..c6cc4fc8e 100644 --- a/meta-security/kas/kas-security-base.yml +++ b/meta-security/kas/kas-security-base.yml @@ -51,7 +51,7 @@ local_conf_header: EXTRA_IMAGE_FEATURES ?= "debug-tweaks" PACKAGE_CLASSES = "package_ipk" - DISTRO_FEATURES_append = " pam apparmor smack" + DISTRO_FEATURES_append = " pam apparmor smack ima" MACHINE_FEATURES_append = " tpm tpm2" diskmon: | diff --git a/meta-security/kas/qemuarm64-ima.yml b/meta-security/kas/qemuarm64-ima.yml deleted file mode 100644 index b4784729b..000000000 --- a/meta-security/kas/qemuarm64-ima.yml +++ /dev/null @@ -1,10 +0,0 @@ -header: - version: 8 - includes: - - kas-security-base.yml - -local_conf_header: - meta-security: | - DISTRO_FEATURES_append = " ima" - -machine: qemuarm64 diff --git a/meta-security/kas/qemux86-64-ima.yml b/meta-security/kas/qemux86-64-ima.yml deleted file mode 100644 index e64931c17..000000000 --- a/meta-security/kas/qemux86-64-ima.yml +++ /dev/null @@ -1,10 +0,0 @@ -header: - version: 8 - includes: - - kas-security-base.yml - -local_conf_header: - meta-security: | - DISTRO_FEATURES_append = " ima" - -machine: qemux86-64 diff --git a/meta-security/kas/qemux86-ima.yml b/meta-security/kas/qemux86-ima.yml deleted file mode 100644 index 6528ba620..000000000 --- a/meta-security/kas/qemux86-ima.yml +++ /dev/null 
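Review bot: `qemux86-musl` is given `needs: ['qemux86-parsec']`, whereas every other `-musl`, `-parsec` and `-multi` job in this hunk depends directly on its base job (for example `qemuarm64-musl` needs `qemuarm64`). If the chain qemux86 → qemux86-parsec → qemux86-musl is meant to serialize the x86 runners, a one-line comment above the job saying so would stop the next edit from "correcting" it; otherwise `needs: ['qemux86']` matches the rest of the file. Note also that `qemux86` and `qemux86-64`/`qemuarm64` now build `integrity-image-minimal` in the base job while `qemuarm`, `qemuppc` and the other targets do not, which looks deliberate but is not mentioned in the commit message.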
@@ -1,10 +0,0 @@ -header: - version: 8 - includes: - - kas-security-base.yml - -local_conf_header: - meta-security: | - DISTRO_FEATURES_append = " ima" - -machine: qemux86 diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch deleted file mode 100644 index f2938e0e0..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/files/fix-wrong-cast.patch +++ /dev/null @@ -1,27 +0,0 @@ -Fix strict aliasing issue of gcc10 - -fixes: - -TpmFail.c: In function 'TpmLogFailure': -TpmFail.c:217:23: error: dereferencing type-punned pointer will break strict-aliasing rules [-Werror=strict-aliasing] - 217 | s_failFunction = *(UINT32 *)&function; /* kgold */ - | ^~~~~~~~~~~~~~~~~~~ -cc1: all warnings being treated as errors - -Upstream-Status: Submitted - -Signed-off-by: Jens Rehsack - -Index: src/TpmFail.c -=================================================================== ---- src.orig/TpmFail.c 2020-09-10 15:43:57.085063875 +0200 -+++ src/TpmFail.c 2020-09-10 15:48:35.563302634 +0200 -@@ -214,7 +214,7 @@ - // On a 64-bit machine, this may truncate the address of the string - // of the function name where the error occurred. - #if FAIL_TRACE -- s_failFunction = *(UINT32 *)&function; /* kgold */ -+ memcpy(&s_failFunction, function, sizeof(uint32_t)); /* kgold */ - s_failLine = line; - #else - s_failFunction = 0; diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb deleted file mode 100644 index 301980dbe..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1637.bb +++ /dev/null 
@@ -1,39 +0,0 @@ -SUMMARY = "IBM's Software TPM 2.0" -DESCRIPTION = "The software TPM 2.0 is targeted toward application development, \ -education, and virtualization. \ -\ -The intent is that an application can be developed using the software TPM. \ -The application should then run using a hardware TPM without changes. \ -Advantages of this approach: \ -* In contrast to a hardware TPM, it runs on many platforms and it's generally faster. \ -* Application software errors are easily reversed by simply removing the TPM state and starting over. \ -* Difficult crypto errors are quickly debugged by looking inside the TPM." -HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmswtpm2.html" -LICENSE = "BSD" -SECTION = "securty/tpm" -LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" - -DEPENDS = "openssl" - -SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \ - file://tune-makefile.patch \ - file://fix-wrong-cast.patch \ - " -SRC_URI[md5sum] = "43b217d87056e9155633925eb6ef749c" -SRC_URI[sha256sum] = "dd3a4c3f7724243bc9ebcd5c39bbf87b82c696d1c1241cb8e5883534f6e2e327" -SRC_URI[sha1sum] = "ab4b94079e57a86996991e8a2b749ce063e4ad3e" -SRC_URI[sha384sum] = "bbef16a934853ce78cba7ddc766aa9d7ef3cde3430a322b1be772bf3ad4bd6d413ae9c4de21bc1a4879d17dfe2aadc1d" -SRC_URI[sha512sum] = "007aa415cccf19a2bcf789c426727dc4032dcb04cc9d11eedc231d2add708c1134d3d5ee5cfbe7de68307c95fff7a30bd306fbd8d53c198a5ef348440440a6ed" - -S = "${WORKDIR}/src" - -CFLAGS += "-Wno-error=maybe-uninitialized -DALG_CAMELLIA=ALG_NO" - -do_compile () { - make CC='${CC}' -} - -do_install () { - install -d ${D}/${bindir} - install -m 0755 tpm_server ${D}/${bindir} -} diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb new file mode 100644 index 000000000..7ea40a8c0 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/ibmswtpm2/ibmswtpm2_1661.bb 
@@ -0,0 +1,37 @@ +SUMMARY = "IBM's Software TPM 2.0" +DESCRIPTION = "The software TPM 2.0 is targeted toward application development, \ +education, and virtualization. \ +\ +The intent is that an application can be developed using the software TPM. \ +The application should then run using a hardware TPM without changes. \ +Advantages of this approach: \ +* In contrast to a hardware TPM, it runs on many platforms and it's generally faster. \ +* Application software errors are easily reversed by simply removing the TPM state and starting over. \ +* Difficult crypto errors are quickly debugged by looking inside the TPM." +HOMEPAGE = "http://ibmswtpm.sourceforge.net/ibmswtpm2.html" +LICENSE = "BSD" +SECTION = "securty/tpm" +LIC_FILES_CHKSUM = "file://../LICENSE;md5=1e023f61454ac828b4aa1bc4293f7d5f" + +DEPENDS = "openssl" + +SRC_URI = "https://sourceforge.net/projects/ibmswtpm2/files/ibmtpm${PV}.tar.gz \ + file://tune-makefile.patch \ + " + +SRC_URI[sha256sum] = "55145928ad2b24f34be6a0eacf9fb492e10e0ea919b8428c721fa970e85d6147" + +UPSTREAM_CHECK_REGEX = "libtpm(?P).tar.gz" + +S = "${WORKDIR}/src" + +CFLAGS += "-Wno-error=maybe-uninitialized -DALG_CAMELLIA=ALG_NO" + +do_compile () { + make CC='${CC}' +} + +do_install () { + install -d ${D}/${bindir} + install -m 0755 tpm_server ${D}/${bindir} +} diff --git a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb index 4d9b5540a..ae8974b6c 100644 --- a/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb +++ b/meta-security/meta-tpm/recipes-tpm2/ibmtpm2tss/ibmtpm2tss_1.6.0.bb 
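Review bot: `UPSTREAM_CHECK_REGEX = "libtpm(?P).tar.gz"` in the new recipe contains an empty named group, which is not a valid regular expression, so the upstream version check would fail; the group name and pattern (the usual form is `(?P<pver>\d+)`) were probably lost when this text was rendered, but the committed line should be checked. The regex also matches a `libtpm...` tarball name while `SRC_URI` still fetches `ibmtpm${PV}.tar.gz`; if upstream renamed the archive, `SRC_URI` needs the same change or the check will never match a real release. `SECTION = "securty/tpm"` carries the typo over from the deleted 1637 recipe and should read `SECTION = "security/tpm"`.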
@@ -17,11 +17,13 @@ DEPENDS = "openssl ibmswtpm2" inherit autotools pkgconfig -SRCREV = "3e736f712ba53c8f06e66751f60fae428fd2e20f" +SRCREV = "c4e131e34ec0ed09411aa3bc76f76129ef881573" SRC_URI = " git://git.code.sf.net/p/ibmtpm20tss/tss;nobranch=1 \ file://0001-utils-12-Makefile.am-expand-wildcards-in-prereqs.patch \ " +UPSTREAM_CHECK_COMMITS = "1" + EXTRA_OECONF = "--disable-tpm-1.2" S = "${WORKDIR}/git" diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch new file mode 100644 index 000000000..5c91a5ec5 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/files/677.patch 
@@ -0,0 +1,295 @@ +From 2b74d3df9b3b6932052ace627b21ff1352aa2932 Mon Sep 17 00:00:00 2001 +From: William Roberts +Date: Wed, 5 May 2021 13:32:05 -0500 +Subject: [PATCH 1/4] test: fix build for gcc11 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fixes 0 size regions by ignoring them. The test code intentionally does +bad things. + +test/unit/test_twist.c: In function ‘test_twistbin_aappend_twist_null’: +test/unit/test_twist.c:327:18: error: ‘twistbin_aappend’ accessing 16 bytes in a region of size 0 [-Werror=stringop-overflow=] + 327 | actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Signed-off-by: William Roberts + +Upstream-Status: Pending +Fix out for merge to offical repo + +Signed-off-by: Armin Kuster + +--- + test/unit/test_twist.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/test/unit/test_twist.c b/test/unit/test_twist.c +index ec66f69f..58d4530a 100644 +--- a/test/unit/test_twist.c ++++ b/test/unit/test_twist.c +@@ -244,15 +244,23 @@ void test_twistbin_create(void **state) { + void test_twistbin_new_overflow_1(void **state) { + (void) state; + ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wpragmas" ++#pragma GCC diagnostic ignored "-Wstringop-overflow" + twist actual = twistbin_new((void *) 0xDEADBEEF, ~0); + assert_null(actual); ++#pragma GCC diagnostic pop + } + + void test_twistbin_new_overflow_2(void **state) { + (void) state; + ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wpragmas" ++#pragma GCC diagnostic ignored "-Wstringop-overflow" + twist actual = twistbin_new((void *) 0xDEADBEEF, ~0 - sizeof(void *)); + assert_null(actual); ++#pragma GCC diagnostic pop + } + + void test_twistbin_new_overflow_3(void **state) { +@@ -318,8 +326,12 @@ void test_twistbin_aappend_twist_null(void **state) { + twist actual = twistbin_aappend(expected, NULL, 42); + 
assert_ptr_equal((void * )actual, (void * )expected); + ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wpragmas" ++#pragma GCC diagnostic ignored "-Wstringop-overflow" + actual = twistbin_aappend(expected, (binarybuffer *) 0xDEADBEEF, 0); + assert_ptr_equal((void * )actual, (void * )expected); ++#pragma GCC diagnostic pop + + twist_free(actual); + } + +From 5bea05613e638375b73e29e5d56a9dabcfd2269d Mon Sep 17 00:00:00 2001 +From: William Roberts +Date: Wed, 5 May 2021 11:52:23 -0500 +Subject: [PATCH 2/4] utils: fix stringop-overread in str_padded_copy + +cc1: all warnings being treated as errors +| make: *** [Makefile:1953: src/lib/slot.lo] Error 1 +| make: *** Waiting for unfinished jobs.... +| In file included from src/lib/mutex.h:10, +| from src/lib/session_ctx.h:6, +| from src/lib/digest.h:13, +| from src/lib/tpm.c:28: +| In function 'str_padded_copy', +| inlined from 'tpm_get_token_info' at src/lib/tpm.c:742:5: +| src/lib/utils.h:42:5: error: 'strnlen' specified bound 32 exceeds source size 5 [-Werror=stringop-overread] +| 42 | memcpy(dst, src, strnlen((char *)(src), dst_len)); +| | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +| src/lib/utils.h: In function 'tpm_get_token_info': +| src/lib/tpm.c:739:19: note: source object declared here +| 739 | unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage +| | ^~~~~~~~~~~~~~ +| cc1: all warnings being treated as errors +| make: *** [Makefile:1953: src/lib/tpm.lo] Error 1 +| WARNING: exit code 1 from a shell command. 
+ +Fixes #676 + +Signed-off-by: William Roberts +--- + src/lib/general.c | 8 ++++---- + src/lib/general.h | 2 +- + src/lib/slot.c | 4 ++-- + src/lib/token.c | 4 ++-- + src/lib/tpm.c | 7 +++---- + src/lib/utils.h | 6 ++++-- + 6 files changed, 16 insertions(+), 15 deletions(-) + +diff --git a/src/lib/general.c b/src/lib/general.c +index 9b7327c1..eaddaf82 100644 +--- a/src/lib/general.c ++++ b/src/lib/general.c +@@ -19,8 +19,8 @@ + #define VERSION "UNKNOWN" + #endif + +-#define LIBRARY_DESCRIPTION (CK_UTF8CHAR_PTR)"TPM2.0 Cryptoki" +-#define LIBRARY_MANUFACTURER (CK_UTF8CHAR_PTR)"tpm2-software.github.io" ++static const CK_UTF8CHAR LIBRARY_DESCRIPTION[] = "TPM2.0 Cryptoki"; ++static const CK_UTF8CHAR LIBRARY_MANUFACTURER[] = "tpm2-software.github.io"; + + #define CRYPTOKI_VERSION { \ + .major = CRYPTOKI_VERSION_MAJOR, \ +@@ -78,8 +78,8 @@ CK_RV general_get_info(CK_INFO *info) { + + static CK_INFO *_info = NULL; + if (!_info) { +- str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER, sizeof(_info_.manufacturerID)); +- str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION, sizeof(_info_.libraryDescription)); ++ str_padded_copy(_info_.manufacturerID, LIBRARY_MANUFACTURER); ++ str_padded_copy(_info_.libraryDescription, LIBRARY_DESCRIPTION); + + parse_lib_version(&_info_.libraryVersion.major, + &_info_.libraryVersion.minor); +diff --git a/src/lib/general.h b/src/lib/general.h +index 14a18e46..356c142d 100644 +--- a/src/lib/general.h ++++ b/src/lib/general.h +@@ -10,7 +10,7 @@ + #define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token" + #define TPM2_TOKEN_MANUFACTURER "Intel" + #define TPM2_TOKEN_MODEL "TPM2 PKCS#11" +-#define TPM2_TOKEN_SERIAL_NUMBER "0000000000000000" ++static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000"; + #define TPM2_TOKEN_HW_VERSION { 0, 0 } + #define TPM2_TOKEN_FW_VERSION { 0, 0 } + +diff --git a/src/lib/slot.c b/src/lib/slot.c +index 548d22b5..6db5bb93 100644 +--- a/src/lib/slot.c ++++ b/src/lib/slot.c +@@ -119,8 +119,8 @@ 
CK_RV slot_get_info (CK_SLOT_ID slot_id, CK_SLOT_INFO *info) { + return CKR_GENERAL_ERROR; + } + +- str_padded_copy(info->manufacturerID, token_info.manufacturerID, sizeof(info->manufacturerID)); +- str_padded_copy(info->slotDescription, token_info.label, sizeof(info->slotDescription)); ++ str_padded_copy(info->manufacturerID, token_info.manufacturerID); ++ str_padded_copy(info->slotDescription, token_info.label); + + info->hardwareVersion = token_info.hardwareVersion; + info->firmwareVersion = token_info.firmwareVersion; +diff --git a/src/lib/token.c b/src/lib/token.c +index 6d7ebd27..c7211296 100644 +--- a/src/lib/token.c ++++ b/src/lib/token.c +@@ -317,8 +317,8 @@ CK_RV token_get_info (token *t, CK_TOKEN_INFO *info) { + } + + // Identification +- str_padded_copy(info->label, t->label, sizeof(info->label)); +- str_padded_copy(info->serialNumber, (unsigned char*) TPM2_TOKEN_SERIAL_NUMBER, sizeof(info->serialNumber)); ++ str_padded_copy(info->label, t->label); ++ str_padded_copy(info->serialNumber, TPM2_TOKEN_SERIAL_NUMBER); + + + // Memory: TODO not sure what memory values should go here, the platform? +diff --git a/src/lib/tpm.c b/src/lib/tpm.c +index 1639df48..7f9f052a 100644 +--- a/src/lib/tpm.c ++++ b/src/lib/tpm.c +@@ -740,15 +740,14 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) { + unsigned char manufacturerID[sizeof(UINT32)+1] = {0}; // 4 bytes + '\0' as temp storage + UINT32 manufacturer = ntohl(tpmProperties[TPM2_PT_MANUFACTURER - TPM2_PT_FIXED].value); + memcpy(manufacturerID, (unsigned char*) &manufacturer, sizeof(uint32_t)); +- str_padded_copy(info->manufacturerID, manufacturerID, sizeof(info->manufacturerID)); ++ str_padded_copy(info->manufacturerID, manufacturerID); + + // Map human readable Manufacturer String, if available, + // otherwise 4 byte ID was already padded and will be used. 
+ for (unsigned int i=0; i < ARRAY_LEN(TPM2_MANUFACTURER_MAP); i++){ + if (!strncasecmp((char *)info->manufacturerID, TPM2_MANUFACTURER_MAP[i][0], 4)) { + str_padded_copy(info->manufacturerID, +- (unsigned char *)TPM2_MANUFACTURER_MAP[i][1], +- sizeof(info->manufacturerID)); ++ (unsigned char *)TPM2_MANUFACTURER_MAP[i][1]); + } + } + +@@ -758,7 +757,7 @@ CK_RV tpm_get_token_info (tpm_ctx *ctx, CK_TOKEN_INFO *info) { + vendor[1] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_2 - TPM2_PT_FIXED].value); + vendor[2] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_3 - TPM2_PT_FIXED].value); + vendor[3] = ntohl(tpmProperties[TPM2_PT_VENDOR_STRING_4 - TPM2_PT_FIXED].value); +- str_padded_copy(info->model, (unsigned char*) &vendor, sizeof(info->model)); ++ str_padded_copy(info->model, (unsigned char*) &vendor); + + return CKR_OK; + } +diff --git a/src/lib/utils.h b/src/lib/utils.h +index 81c61fae..cf357464 100644 +--- a/src/lib/utils.h ++++ b/src/lib/utils.h +@@ -39,9 +39,11 @@ + + int str_to_ul(const char *val, size_t *res); + +-static inline void str_padded_copy(CK_UTF8CHAR_PTR dst, const CK_UTF8CHAR_PTR src, size_t dst_len) { ++#define str_padded_copy(dst, src) _str_padded_copy(dst, sizeof(dst), src, strnlen((const char *)src, sizeof(src))) ++static inline void _str_padded_copy(CK_UTF8CHAR_PTR dst, size_t dst_len, const CK_UTF8CHAR *src, size_t src_len) { + memset(dst, ' ', dst_len); +- memcpy(dst, src, strnlen((char *)(src), dst_len)); ++ memcpy(dst, src, src_len); ++ LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst); + } + + twist utils_hash_pass(const twist pin, const twist salt); + +From afeae8a3846e06152fafb180077fbad4381a124d Mon Sep 17 00:00:00 2001 +From: William Roberts +Date: Wed, 5 May 2021 14:09:27 -0500 +Subject: [PATCH 3/4] general: drop unused macros + +Signed-off-by: William Roberts +--- + src/lib/general.h | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/src/lib/general.h b/src/lib/general.h +index 356c142d..b3089554 100644 +--- 
a/src/lib/general.h ++++ b/src/lib/general.h +@@ -7,17 +7,7 @@ + + #include "pkcs11.h" + +-#define TPM2_TOKEN_LABEL "TPM2 PKCS#11 Token" +-#define TPM2_TOKEN_MANUFACTURER "Intel" +-#define TPM2_TOKEN_MODEL "TPM2 PKCS#11" + static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000"; +-#define TPM2_TOKEN_HW_VERSION { 0, 0 } +-#define TPM2_TOKEN_FW_VERSION { 0, 0 } +- +-#define TPM2_SLOT_DESCRIPTION "Intel TPM2.0 Cryptoki" +-#define TPM2_SLOT_MANUFACTURER TPM2_TOKEN_MANUFACTURER +-#define TPM2_SLOT_HW_VERSION TPM2_TOKEN_HW_VERSION +-#define TPM2_SLOT_FW_VERSION TPM2_TOKEN_FW_VERSION + + CK_RV general_init(void *init_args); + CK_RV general_get_func_list(CK_FUNCTION_LIST **function_list); + +From 8b43a99c5ff604d890bdc23fd2fa5f98aa087d83 Mon Sep 17 00:00:00 2001 +From: William Roberts +Date: Wed, 5 May 2021 14:11:04 -0500 +Subject: [PATCH 4/4] token: move TPM2_TOKEN_SERIAL_NUMBER local to use + +Signed-off-by: William Roberts +--- + src/lib/general.h | 2 -- + src/lib/token.c | 2 ++ + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/lib/general.h b/src/lib/general.h +index b3089554..9afd61ec 100644 +--- a/src/lib/general.h ++++ b/src/lib/general.h +@@ -7,8 +7,6 @@ + + #include "pkcs11.h" + +-static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000"; +- + CK_RV general_init(void *init_args); + CK_RV general_get_func_list(CK_FUNCTION_LIST **function_list); + CK_RV general_get_info(CK_INFO *info); +diff --git a/src/lib/token.c b/src/lib/token.c +index c7211296..63a9a71b 100644 +--- a/src/lib/token.c ++++ b/src/lib/token.c +@@ -20,6 +20,8 @@ + #include "token.h" + #include "utils.h" + ++static const CK_UTF8CHAR TPM2_TOKEN_SERIAL_NUMBER[] = "0000000000000000"; ++ + void pobject_config_free(pobject_config *c) { + + if (c->is_transient) { 
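Review bot: The vendored `677.patch` (PATCH 2/4, `src/lib/utils.h`) leaves a debugging line in the new `_str_padded_copy`, `LOGE("BILL(%zu): %.*s\n", dst_len, dst_len, dst);`, which logs every padded copy at error level and passes a `size_t` where the `%.*s` precision expects an `int`. In the same hunk the `str_padded_copy` macro bounds the source with `sizeof(src)`, which at the two `tpm.c` call sites that pass a cast pointer, `(unsigned char *)TPM2_MANUFACTURER_MAP[i][1]` and `(unsigned char*) &vendor`, evaluates to the size of a pointer rather than of the string, so those copies appear to be truncated to `sizeof(void *)` bytes; the declarations of `vendor` and the map are outside the hunk, so confirm their types before relying on this. The header marks the patch `Upstream-Status: Pending`, so either carry the version that was eventually merged upstream or at least drop the `LOGE` line in the layer's copy before shipping a release with it.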
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.5.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.5.0.bb deleted file mode 100644 index d53d4fa86..000000000 --- a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.5.0.bb +++ /dev/null @@ -1,44 +0,0 @@ -SUMMARY = "A PKCS#11 interface for TPM2 hardware" -DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token." -SECTION = "security/tpm" -LICENSE = "BSD-2-Clause" -LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab" - -DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml python3-setuptools-native" - -SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=1.X \ - file://bootstrap_fixup.patch \ - file://0001-remove-local-binary-checkes.patch" - -SRCREV = "5d583351028eebd470f50ec35db5dcf00533df31" - -S = "${WORKDIR}/git" - -inherit autotools-brokensep pkgconfig python3native - -do_configure_prepend () { - ${S}/bootstrap -} - -do_compile_append() { - cd ${S}/tools - python3 setup.py build -} - -do_install_append() { - cd ${S}/tools - export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}" - ${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build - - sed -i -e "s:${PYTHON}:${USRBINPATH}/env ${PYTHON_PN}:g" "${D}${bindir}"/tpm2_ptool -} - -RDEPNDS_${PN} = "tpm2-tools" - -PACKAGES =+ "${PN}-tools" -RDEPENDS_${PN}-tools += "${PYTHON_PN}-setuptools ${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules" - -FILES_${PN}-tools = "\ - ${bindir}/tpm2_ptool \ - ${libdir}/${PYTHON_DIR}/* \ -" 
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb new file mode 100644 index 000000000..63ec18d94 --- /dev/null +++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.6.0.bb 
@@ -0,0 +1,55 @@ +SUMMARY = "A PKCS#11 interface for TPM2 hardware" +DESCRIPTION = "PKCS #11 is a Public-Key Cryptography Standard that defines a standard method to access cryptographic services from tokens/ devices such as hardware security modules (HSM), smart cards, etc. In this project we intend to use a TPM2 device as the cryptographic token." +SECTION = "security/tpm" +LICENSE = "BSD-2-Clause" +LIC_FILES_CHKSUM = "file://LICENSE;md5=0fc19f620a102768d6dbd1e7166e78ab" + +DEPENDS = "autoconf-archive pkgconfig dstat sqlite3 openssl libtss2-dev tpm2-tools libyaml p11-kit python3-setuptools-native" + +SRC_URI = "git://github.com/tpm2-software/tpm2-pkcs11.git;branch=master \ + file://bootstrap_fixup.patch \ + file://0001-remove-local-binary-checkes.patch \ + file://677.patch \ + " + +SRCREV = "c2d53cc1af6b9df13c832715442853b21048c273" + +S = "${WORKDIR}/git" + +inherit autotools-brokensep pkgconfig python3native + +do_configure_prepend () { + ${S}/bootstrap +} + +do_compile_append() { + cd ${S}/tools + python3 setup.py build +} + +do_install_append() { + install -d ${D}${libdir}/pkcs11 + install -d ${D}${datadir}/p11-kit + rm -f ${D}${libdir}/pkcs11/libtpm2_pkcs11.so + + cd ${S}/tools + export PYTHONPATH="${D}${PYTHON_SITEPACKAGES_DIR}" + ${PYTHON_PN} setup.py install --root="${D}" --prefix="${prefix}" --install-lib="${PYTHON_SITEPACKAGES_DIR}" --optimize=1 --skip-build + + sed -i -e "s:${PYTHON}:${USRBINPATH}/env ${PYTHON_PN}:g" "${D}${bindir}"/tpm2_ptool +} + +PACKAGES =+ "${PN}-tools" + +FILES_${PN}-tools = "\ + ${bindir}/tpm2_ptool \ + ${libdir}/${PYTHON_DIR}/* \ + " + +FILES_${PN} += "\ + ${libdir}/pkcs11/* \ + ${datadir}/p11-kit/* \ + " + +RDEPNDS_${PN} = "tpm2-tools" +RDEPENDS_${PN}-tools += "${PYTHON_PN}-setuptools ${PYTHON_PN}-pyyaml ${PYTHON_PN}-cryptography ${PYTHON_PN}-pyasn1-modules" 
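Review bot: `RDEPNDS_${PN} = "tpm2-tools"` near the end of the new recipe misspells `RDEPENDS`, so the runtime dependency on tpm2-tools is never applied to the main package; the same typo was in the deleted 1.5.0 recipe, and it should read `RDEPENDS_${PN} = "tpm2-tools"`. The three lines added at the top of `do_install_append` create `${D}${libdir}/pkcs11` and `${D}${datadir}/p11-kit` and then delete `libtpm2_pkcs11.so` from the former without saying why; presumably the new p11-kit dependency makes upstream install a second copy of the module there and the intent is to keep only the one in `${libdir}`, but `FILES_${PN}` then packages whatever remains in both directories, so a comment such as `# p11-kit: keep the module descriptor only, the library itself ships from ${libdir}` (worded to match what the 1.6.0 build actually installs) would make this maintainable.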
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb index a6142a8c7..d7349b080 100644 --- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb @@ -51,9 +51,9 @@ RDEPENDS_packagegroup-security-scanners = "\ isic \ nikto \ checksecurity \ - ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-freshclam",d)} \ + ${@bb.utils.contains_any("TUNE_FEATURES", "riscv32 riscv64", "", " clamav clamav-daemon clamav-freshclam",d)} \ " -RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-freshclam" +RDEPENDS_packagegroup-security-scanners_remove_libc-musl = "clamav clamav-daemon clamav-freshclam" SUMMARY_packagegroup-security-audit = "Security Audit tools " RDEPENDS_packagegroup-security-audit = " \ @@ -68,9 +68,10 @@ RDEPENDS_packagegroup-security-hardening = " \ SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems" RDEPENDS_packagegroup-security-ids = " \ - tripwire \ samhain-standalone \ ${@bb.utils.contains_any("TUNE_FEATURES", "ppc7400 riscv32 riscv64", "", " suricata",d)} \ + ossec-hids \ + aide \ " SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems" @@ -80,8 +81,7 @@ RDEPENDS_packagegroup-security-mac = " \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \ " -RDEPENDS_packagegroup-security-mac_remove_mips64 = "apparmor" -RDEPENDS_packagegroup-security-mac_remove_mips64le = "apparmor" +RDEPENDS_packagegroup-security-mac_remove_mipsarch = "apparmor" RDEPENDS_packagegroup-meta-security-ptest-packages = "\ ptest-runner \ @@ -89,7 +89,6 @@ RDEPENDS_packagegroup-meta-security-ptest-packages = "\ libseccomp-ptest \ python3-scapy-ptest \ suricata-ptest \ - tripwire-ptest \ python3-fail2ban-ptest \ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \ " 
diff --git a/meta-security/recipes-ids/aide/aide/aide.conf b/meta-security/recipes-ids/aide/aide/aide.conf new file mode 100644 index 000000000..2c99e0752 --- /dev/null +++ b/meta-security/recipes-ids/aide/aide/aide.conf 
@@ -0,0 +1,94 @@
+# Example configuration file for AIDE.
+
+@@define DBDIR /usr/lib/aide
+@@define LOGDIR /usr/lib/aide/logs
+
+# The location of the database to be read.
+database_in=file:@@{DBDIR}/aide.db.gz
+
+# The location of the database to be written.
+#database_out=sql:host:port:database:login_name:passwd:table
+#database_out=file:aide.db.new
+database_out=file:@@{DBDIR}/aide.db.gz
+
+# Whether to gzip the output to database
+gzip_dbout=yes
+
+# Default.
+log_level=warning
+
+report_url=file:@@{LOGDIR}/aide.log
+report_url=stdout
+#report_url=stderr
+#NOT IMPLEMENTED report_url=mailto:root@foo.com
+#NOT IMPLEMENTED report_url=syslog:LOG_AUTH
+
+# These are the default rules.
+#
+#p: permissions
+#i: inode:
+#n: number of links
+#u: user
+#g: group
+#s: size
+#b: block count
+#m: mtime
+#a: atime
+#c: ctime
+#S: check for growing size
+#acl: Access Control Lists
+#selinux SELinux security context
+#xattrs: Extended file attributes
+#md5: md5 checksum
+#sha1: sha1 checksum
+#sha256: sha256 checksum
+#sha512: sha512 checksum
+#rmd160: rmd160 checksum
+#tiger: tiger checksum
+
+#haval: haval checksum (MHASH only)
+#gost: gost checksum (MHASH only)
+#crc32: crc32 checksum (MHASH only)
+#whirlpool: whirlpool checksum (MHASH only)
+
+FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
+
+#R: p+i+n+u+g+s+m+c+acl+selinux+xattrs+md5
+#L: p+i+n+u+g+acl+selinux+xattrs
+#E: Empty group
+#>: Growing logfile p+u+g+i+n+S+acl+selinux+xattrs
+
+# You can create custom rules like this.
+# With MHASH...
+# ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+# Everything but access time (Ie. all changes)
+EVERYTHING = R+ALLXTRAHASHES
+
+# Sane, with multiple hashes
+# NORMAL = R+rmd160+sha256+whirlpool
+NORMAL = FIPSR+sha512
+
+# For directories, don't bother doing hashes
+DIR = p+i+n+u+g+acl+selinux+xattrs
+
+# Access control only
+PERMS = p+i+u+g+acl+selinux
+
+# Logfile are special, in that they often change
+LOG = >
+
+# Just do sha256 and sha512 hashes
+LSPP = FIPSR+sha512
+
+# Some files get updated automatically, so the inode/ctime/mtime change
+# but we want to know when the data inside them changes
+DATAONLY = p+n+u+g+s+acl+selinux+xattrs+sha256
+
+# Next decide what directories/files you want in the database.
+
+# Check only permissions, inode, user and group for /etc, but
+# cover some important files closely.
+/bin NORMAL
+/sbin NORMAL
+/lib NORMAL
diff --git a/meta-security/recipes-ids/aide/aide_0.17.3.bb b/meta-security/recipes-ids/aide/aide_0.17.3.bb
new file mode 100644
index 000000000..522cd85fe
--- /dev/null
+++ b/meta-security/recipes-ids/aide/aide_0.17.3.bb
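Review bot: `database_out` points at the same file as `database_in` (`file:@@{DBDIR}/aide.db.gz`), so every update run — and the `aide -i` the new recipe runs at first boot — rewrites the reference database in place, and there is never a separate candidate database to inspect before it becomes the baseline; the commented-out line just above shows the usual split, e.g. `database_out=file:@@{DBDIR}/aide.db.new.gz`, with the operator moving it over the baseline deliberately. The closing comment says "for /etc" but the only selection lines are `/bin`, `/sbin` and `/lib`, so /etc, /usr and /boot are not in the database at all, and on a usrmerge image those three paths may be symlinks rather than the directories the comment has in mind. `DBDIR` and `LOGDIR` sit under /usr/lib, which is read-only on many images, while both the database and the log are written at runtime; a location under /var/lib is the common choice for that.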
@@ -0,0 +1,41 @@
+SUMMARY = "Advanced Intrusion Detection Environment"
+HOMEPAGE = "https://aide.github.io"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+LICENSE = "GPL-2.0"
+
+DEPENDS = "bison-native libpcre"
+
+SRC_URI = "https://github.com/aide/aide/releases/download/v${PV}/${BPN}-${PV}.tar.gz \
+ file://aide.conf"
+
+SRC_URI[sha256sum] = "a2eb1883cafaad056fbe43ee1e8ae09fd36caa30a0bc8edfea5d47bd67c464f8"
+
+inherit autotools pkgconfig
+
+PACKAGECONFIG ??=" mhash zlib e2fsattrs \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'xattr', 'xattr', '', d)} \
+ "
+PACKAGECONFIG[selinux] = "--with-selinux, --without-selinux, libselinux, libselinux"
+PACKAGECONFIG[zlib] = "--with-zlib, --without-zlib, zlib, zlib "
+PACKAGECONFIG[xattr] = "--with-xattr, --without-xattr, attr, attr"
+PACKAGECONFIG[curl] = "--with-curl, --without-curl, curl, libcurl"
+PACKAGECONFIG[audit] = "--with-audit, --without-audit,"
+PACKAGECONFIG[gcrypt] = "--with-gcrypt, --without-gcrypt, libgcrypt, libgcrypt"
+PACKAGECONFIG[mhash] = "--with-mhash, --without-mhash, libmhash, libmhash"
+PACKAGECONFIG[e2fsattrs] = "--with-e2fsattrs, --without-e2fsattrs, e2fsprogs, e2fsprogs"
+
+do_install_append () {
+ install -d ${D}${libdir}/${PN}/logs
+ install -d ${D}${sysconfdir}
+ install ${WORKDIR}/aide.conf ${D}${sysconfdir}/
+}
+
+CONF_FILE = "${sysconfdir}/aide.conf"
+
+FILES_${PN} += "${libdir}/${PN} ${sysconfdir}/aide.conf"
+
+pkg_postinst_ontarget_${PN} () {
+ /usr/bin/aide -i
+}
+RDPENDS_${PN} = "bison, libpcre"
diff --git a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
index 10354a7d2..242bbdbe0 100644
--- a/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
+++ b/meta-security/recipes-ids/ossec/ossec-hids_3.6.0.bb
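Review bot: `RDPENDS_${PN}` on the last line is a misspelling of `RDEPENDS_${PN}`, so the assignment is silently ignored; a corrected line would also need to be space-separated and drop `bison`, which is only a build-time tool, and since shlibs tracking normally adds the pcre library on its own the line can most likely be removed rather than fixed. `CONF_FILE` is likewise not a variable the packaging code reads; to mark the file so a package upgrade does not overwrite a locally edited configuration it should be `CONFFILES_${PN} = "${sysconfdir}/aide.conf"`. `install ${WORKDIR}/aide.conf ${D}${sysconfdir}/` uses install's default mode, so the configuration lands executable; `install -m 0644 ${WORKDIR}/aide.conf ${D}${sysconfdir}/` is the usual form.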
@@ -11,6 +11,8 @@ SRC_URI = "git://github.com/ossec/ossec-hids;branch=master \ SRCREV = "1303c78e2c67d7acee0508cb00c3bc63baaa27c2" +UPSTREAM_CHECK_COMMITS = "1" + inherit autotools-brokensep useradd S = "${WORKDIR}/git" diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.10.bb b/meta-security/recipes-ids/suricata/suricata_4.1.10.bb index 3f7beaacf..bf088433a 100644 --- a/meta-security/recipes-ids/suricata/suricata_4.1.10.bb +++ b/meta-security/recipes-ids/suricata/suricata_4.1.10.bb @@ -12,6 +12,8 @@ SRC_URI += " \ file://run-ptest \ " +UPSTREAM_CHECK_URI = "www.openinfosecfoundation.org/download" + inherit autotools-brokensep pkgconfig python3-dir systemd ptest CFLAGS += "-D_DEFAULT_SOURCE -fcommon" diff --git a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb index 4f50bff73..36e5d00b7 100644 --- a/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb +++ b/meta-security/recipes-ids/tripwire/tripwire_2.4.3.7.bb @@ -73,3 +73,5 @@ FILES_${PN}-ptest += "${PTEST_PATH}/tests " RDEPENDS_${PN} += " perl nano msmtp cronie" RDEPENDS_${PN}-ptest = " perl lib-perl perl-modules " + +PNBLACKLIST[tripwire] ?= "Upsteram project appears to be abondoned, fails to build with gcc11" diff --git a/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb index 015205d49..d9c3e4d83 100644 --- a/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb +++ b/meta-security/recipes-mac/AppArmor/apparmor_3.0.bb @@ -177,8 +177,9 @@ SYSTEMD_AUTO_ENABLE ?= "enable" PACKAGES += "mod-${PN}" -FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}" +FILES_${PN} += "/lib/apparmor/ /lib/security/ ${sysconfdir}/apparmor ${nonarch_libdir}/${PYTHON_DIR}/site-packages" FILES_mod-${PN} = "${libdir}/apache2/modules/*" +FILES_${PN}-dbg += "/lib/security/" DEPENDS_append_libc-musl = " fts " RDEPENDS_${PN}_libc-musl += "musl-utils" 
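Review bot: The `PNBLACKLIST[tripwire]` reason string in the tripwire hunk is what users see whenever the recipe is selected, and it carries two typos, "Upsteram" and "abondoned"; `PNBLACKLIST[tripwire] ?= "Upstream project appears to be abandoned, fails to build with gcc11"`. The packagegroup hunk earlier in this commit drops tripwire and tripwire-ptest, so the two changes are consistent with each other.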
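Review bot: `FILES_${PN}-dbg += "/lib/security/"` in the apparmor hunk claims the whole directory for the debug package. Packages are split in PACKAGES order and `${PN}-dbg` precedes `${PN}` in the default ordering, so if that ordering applies to this recipe the PAM module under /lib/security ends up in apparmor-dbg and the `/lib/security/` entry kept in `FILES_${PN}` no longer matches anything. If the intent is only to ship the stripped debug symbols left behind by the split, the narrower `FILES_${PN}-dbg += "/lib/security/.debug"` mirrors what the default `FILES_${PN}-dbg` pattern does for other library directories.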
diff --git a/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb b/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb index 36e498dfb..ce5b0ea4d 100644 --- a/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb +++ b/meta-security/recipes-scanners/clamav/clamav_0.104.0.bb @@ -8,16 +8,17 @@ DEPENDS = "glibc llvm libtool db openssl zlib curl libxml2 bison pcre2 json-c li LIC_FILES_CHKSUM = "file://COPYING.txt;beginline=2;endline=3;md5=f7029fbbc5898b273d5902896f7bbe17" -SRCREV = "5553a5e206ceae5d920368baee7d403f823bcb6f" +# May 2nd +SRCREV = "de0086aa918b79cd22570d0c05977a288b197e23" SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=dev/0.104 \ file://clamd.conf \ file://freshclam.conf \ file://volatiles.03_clamav \ file://tmpfiles.clamav \ - file://${BPN}.service \ file://headers_fixup.patch \ file://oe_cmake_fixup.patch \ + file://fix_systemd_socket.patch \ " S = "${WORKDIR}/git" @@ -28,6 +29,8 @@ BINCONFIG = "${bindir}/clamav-config" inherit cmake chrpath pkgconfig useradd systemd multilib_header multilib_script +UPSTREAM_CHECK_COMMITS = "1" + CLAMAV_UID ?= "clamav" CLAMAV_GID ?= "clamav" 
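Review bot: `# May 2nd` above the new SRCREV records neither a year nor which upstream commit or version the hash corresponds to, so it stops being useful after the next bump; a comment of the form `# tip of dev/0.104 as of <YYYY-MM-DD>` (with the real date filled in) would pin it down. Dropping `file://${BPN}.service` from SRC_URI means the recipe now relies entirely on the units upstream's CMake installs, which the later hunks switch the packaging to; if the layer's own files/clamav.service still exists it is now unreferenced and should go with this change.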
@@ -67,31 +70,29 @@ do_install_append () { rm ${D}/${libdir}/libmspack.so if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then - install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service install -d ${D}${sysconfdir}/tmpfiles.d install -m 0644 ${WORKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf fi oe_multilib_header clamav-types.h } -pkg_postinst_ontarget_${PN} () { - if command -v systemd-tmpfiles >/dev/null; then - systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf - elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then - ${sysconfdir}/init.d/populate-volatile.sh update +pkg_postinst_${PN} () { + if [ -z "$D" ]; then + if command -v systemd-tmpfiles >/dev/null; then + systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf + elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then + ${sysconfdir}/init.d/populate-volatile.sh update + fi + chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav fi - mkdir -p ${localstatedir}/lib/clamav - chown -R ${CLAMAV_UID}:${CLAMAV_GID} ${localstatedir}/lib/clamav } - -PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc \ - ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev" +PACKAGES += "${PN}-daemon ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav" FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit ${sbindir}/clamonacc \ ${bindir}/*sigtool ${mandir}/man1/clambc* ${mandir}/man1/clamscan* \ ${mandir}/man1/sigtool* ${mandir}/man1/clambsubmit* \ - ${docdir}/clamav/* ${libdir}/libmspack* " + ${docdir}/clamav/*" FILES_${PN}-clamdscan = " ${bindir}/clamdscan \ ${docdir}/clamdscan/* \ 
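Review bot: The renamed `pkg_postinst_${PN}` only does its work when `$D` is empty and otherwise exits 0, so during image creation, where `$D` points at the rootfs, the tmpfiles creation and the `chown -R` of ${localstatedir}/lib/clamav are skipped and nothing defers them to first boot; the `pkg_postinst_ontarget_${PN}` it replaces did defer. Either keep the `_ontarget` form, or end the `$D` case with `exit 1` so the package manager re-runs the scriptlet on target, unless tmpfiles.clamav is known to create the directory with the clamav owner at boot. The `mkdir -p ${localstatedir}/lib/clamav` that used to precede the chown was also removed, so the chown now fails when the directory does not exist yet — presumably tmpfiles.clamav covers that, but it is not in the hunk. do_install_append starts outside the hunk.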
@@ -103,11 +104,11 @@ FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \ ${mandir}/man5/clamd* ${mandir}/man8/clamd* \ ${sysconfdir}/clamd.conf* \ /usr/etc/clamd.conf* \ - ${systemd_unitdir}/system/clamav-daemon/* \ + ${systemd_system_unitdir}/clamav-daemon/* \ ${docdir}/clamav-daemon/* ${sysconfdir}/clamav-daemon \ ${sysconfdir}/logcheck/ignore.d.server/clamav-daemon \ - ${systemd_unitdir}/system/clamav-daemon.service \ - ${systemd_unitdir}/system/clamav-clamonacc.service \ + ${systemd_system_unitdir}/clamav-daemon.service \ + ${systemd_system_unitdir}/clamav-clamonacc.service \ " FILES_${PN}-freshclam = "${bindir}/freshclam \ @@ -118,7 +119,7 @@ FILES_${PN}-freshclam = "${bindir}/freshclam \ ${localstatedir}/lib/clamav \ ${docdir}/${PN}-freshclam ${mandir}/man1/freshclam.* \ ${mandir}/man5/freshclam.conf.* \ - ${systemd_unitdir}/system/clamav-freshclam.service" + ${systemd_system_unitdir}/clamav-freshclam.service" FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \ ${libdir}/pkgconfig/*.pc \ @@ -128,7 +129,8 @@ FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \ FILES_${PN}-staticdev = "${libdir}/*.a" FILES_${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libclammspack.so* \ - ${libdir}/libfreshclam.so* ${docdir}/libclamav/* " + ${libdir}/libfreshclam.so* ${docdir}/libclamav/* \ + ${libdir}/libmspack* " FILES_${PN}-doc = "${mandir}/man/* \ ${datadir}/man/* \ 
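Review bot: `FILES_${PN}-daemon` in the first hunk now lists clamav-daemon.service and clamav-clamonacc.service under `${systemd_system_unitdir}`, but not the `clamav-daemon.socket` that fix_systemd_socket.patch, added later in this commit, makes upstream's CMake install into the same directory; unless a FILES entry outside the hunk matches it, that unit is reported as installed but not shipped. Add `${systemd_system_unitdir}/clamav-daemon.socket \` to this list, and consider naming the socket unit in `SYSTEMD_SERVICE_${PN}-daemon` in the following hunk so socket activation is enabled together with the service.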
@@ -137,12 +139,15 @@ FILES_${PN}-doc = "${mandir}/man/* \ USERADD_PACKAGES = "${PN}" GROUPADD_PARAM_${PN} = "--system ${CLAMAV_UID}" USERADD_PARAM_${PN} = "--system -g ${CLAMAV_GID} --home-dir \ - ${localstatedir}/spool/${BPN} \ - --no-create-home --shell /bin/false ${BPN}" + ${localstatedir}/lib/${BPN} \ + --no-create-home --shell /sbin/nologin ${BPN}" RPROVIDES_${PN} += "${PN}-systemd" RREPLACES_${PN} += "${PN}-systemd" RCONFLICTS_${PN} += "${PN}-systemd" -SYSTEMD_SERVICE_${PN} = "${BPN}.service" +SYSTEMD_PACKAGES = "${PN}-daemon ${PN}-freshclam" +SYSTEMD_SERVICE_${PN}-daemon = "clamav-daemon.service" +SYSTEMD_SERVICE_${PN}-freshclam = "clamav-freshclam.service" RDEPENDS_${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-freshclam clamav-libclamav" +RDEPENDS_${PN}-daemon = "clamav" diff --git a/meta-security/recipes-scanners/clamav/files/fix_systemd_socket.patch b/meta-security/recipes-scanners/clamav/files/fix_systemd_socket.patch new file mode 100644 index 000000000..3e9abe236 --- /dev/null +++ b/meta-security/recipes-scanners/clamav/files/fix_systemd_socket.patch 
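Review bot: The clamav user and group (`USERADD_PACKAGES = "${PN}"`) and the postinst that chowns ${localstatedir}/lib/clamav stay in the main package, while this hunk moves the units that run as that user into ${PN}-daemon and ${PN}-freshclam. ${PN}-daemon gains `RDEPENDS_${PN}-daemon = "clamav"` and so pulls the account in, but ${PN}-freshclam has no such dependency, and installing it alone leaves the ${localstatedir}/lib/clamav it packages without the user its service runs as; listing ${PN}-freshclam in USERADD_PACKAGES with the same group/user parameters, or giving it an RDEPENDS on the account-carrying package, closes that gap. The three `RPROVIDES/RREPLACES/RCONFLICTS_${PN} += "${PN}-systemd"` context lines are now stale, since `${PN}` no longer ships any unit after `SYSTEMD_SERVICE_${PN}` was removed.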
@@ -0,0 +1,25 @@
+clamd not installing clamav-daemon.socket
+
+Fixes:
+__main__.SystemdUnitNotFoundError: (PosixPath('../security-build-image/1.0-r0/rootfs'), 'clamav-daemon.socket')
+%post(clamav-daemon-0.104.0-r0.core2_64): waitpid(3587571) rc 3587571 status 100
+warning: %post(clamav-daemon-0.104.0-r0.core2_64) scriptlet failed, exit status 1
+
+Upstream-Status: Pending
+Signed-off-by: Armin Kuster
+
+Index: git/clamd/CMakeLists.txt
+===================================================================
+--- git.orig/clamd/CMakeLists.txt
++++ git/clamd/CMakeLists.txt
+@@ -54,4 +54,10 @@ if(SYSTEMD_FOUND)
+ install(
+ FILES ${CMAKE_CURRENT_BINARY_DIR}/clamav-daemon.service
+ DESTINATION ${SYSTEMD_UNIT_DIR})
++ configure_file(
++ ${CMAKE_CURRENT_SOURCE_DIR}/clamav-daemon.socket.in
++ ${CMAKE_CURRENT_BINARY_DIR}/clamav-daemon.socket @ONLY)
++ install(
++ FILES ${CMAKE_CURRENT_BINARY_DIR}/clamav-daemon.socket
++ DESTINATION ${SYSTEMD_UNIT_DIR})
+ endif()
diff --git a/meta-security/recipes-security/scapy/python3-scapy_2.4.4.bb b/meta-security/recipes-security/scapy/python3-scapy_2.4.4.bb
index 8d81ed15d..23ddfce64 100644
--- a/meta-security/recipes-security/scapy/python3-scapy_2.4.4.bb
+++ b/meta-security/recipes-security/scapy/python3-scapy_2.4.4.bb
@@ -13,6 +13,8 @@ SRC_URI = "git://github.com/secdev/scapy.git \ S = "${WORKDIR}/git" +UPSTREAM_CHECK_COMMITS = "1" + inherit setuptools3 ptest do_install_append() {
-- cgit v1.2.3