| author | Patrick Williams <patrick@stwcx.xyz> | 2023-06-26 00:20:36 +0300 |
|---|---|---|
| committer | Patrick Williams <patrick@stwcx.xyz> | 2023-07-05 23:14:51 +0300 |
| commit | 520786cc6f5e5078825972134b1ec6fd81a6022a | |
| tree | 07d3f525ee77fa94f7cd8792291b2d102be649a6 /meta-security/recipes-compliance | |
| parent | 92a3faaa54f016e7e4f49961dc8c6d777b4bffd4 | |
| download | openbmc-520786cc6f5e5078825972134b1ec6fd81a6022a.tar.xz | |
subtree updates
meta-arm: 3fcafa3a94..d6fac49541:
Abdellatif El Khlifi (1):
arm-bsp/u-boot: corstone1000: upgrade NVMXIP support
Denys Dmytriyenko (1):
optee-os: do not explicitly set CFG_MAP_EXT_DT_SECURE=y
Emekcan Aras (8):
arm-bsp/u-boot: corstone1000: Fix EFI multiple protocol install failure
arm-bsp/u-boot: corstone1000: Enable EFI set/get time services
arm-bsp/trusted-services: corstone1000: GetNextVariableName Fix
arm-bsp/optee-os:corstone1000: Drop SPMC non secure interrupt patches
arm-bsp/u-boot: corstone1000: Fix u-boot compilation warnings
arm-bsp/trusted-services: corstone1000: Fix PSA_RAW_KEY agreement test
arm-bsp/trusted-services: corstone1000: Fix Capsule Update
arm-bsp/trusted-firmware-a: corstone1000: Fix Trusted-Firmware-A version for corstone1000
Jon Mason (3):
trusted-firmware-a: update to the latest TF-A LTS
arm-bsp/tc1: update to use the latest tf-a
arm/scp-firmware: update to v2.12.0
Khem Raj (2):
gn: update to latest
gn: Fix build with gcc13
Ross Burton (8):
arm/trusted-firmware-m: remove -fcanon-prefix-map from DEBUG_PREFIX_MAP
arm-bsp/external-system: remove -fcanon-prefix-map from DEBUG_PREFIX_MAP
arm-toolchain/external-arm: remove -fcanon-prefix-map from DEBUG_PREFIX_MAP
arm/scp-firmware: use concerete toolchain
arm-toolchain/gcc-arm-12.2: remove
arm/gn: fix build with GCC <13
CI: always put the build logs in an artifact
CI: print the name of the documentation when building
Sumit Garg (1):
external-arm-toolchain: Enforce absolute path check
meta-openembedded: def4759e95..2638d458a5:
Adrian Zaharia (2):
meta-python: Add stopit
python3-stopit: add missing run-time dependencies
Alex Kiernan (1):
ostree: Upgrade 2023.3 -> 2023.4
Bartosz Golaszewski (55):
python3-pywbemtools: remove build-time dependencies
python3-pywbem: drop unneeded class from RDEPENDS
python3-pywbem: don't use PYTHON_PN
python3-pywbem: order RDEPENDS alphabetically
python3-pywbem: add missing run-time dependencies
python3-padatious: add missing run-time dependencies
python3-pako: add missing run-time dependencies
python3-paramiko: stop using PYTHON_PN
python3-paramiko: add missing run-time dependencies
python3-path: fix coding style
python3-path: add missing run-time dependencies
python3-ecdsa: don't install tests
python3-et-xmlfile: fix coding style
python3-et-xmlfile: add missing run-time dependencies
python3-flask-user: fix coding style
python3-flask-user: add missing run-time dependencies
python3-isort: fix coding style
python3-isort: add missing run-time dependencies
python3-isodate: stop using PYTHON_PN
python3-isodate: add missing run-time dependencies
python-idna-ssl: add missing run-time dependencies
python3-hpack: add missing run-time dependencies
python3-h11: add missing run-time dependencies
python3-gsocketpool: drop unneeded DEPENDS
python3-gsocketpool: stop using PYTHON_PN
python3-gsocketpool: add missing run-time dependencies
python3-flask-mail: stop using PYTHON_PN
python3-flask-mail: add missing run-time dependencies
python3-flask-sijax: stop using PYTHON_PN
python3-flask-sijax: add missing run-time dependencies
python3-flask-script: remove recipe
python3-aioserial: fix coding style
python3-aioserial: add missing run-time dependencies
python3-aspectlib: add missing run-time dependencies
python3-asyncio-throttle: add missing run-time dependencies
python3-attrdict3: add missing run-time dependencies
python3-betamax: add missing run-time dependencies
python3-binwalk: add missing run-time dependencies
python3-can: fix coding style
python3-can: add missing run-time dependencies
python3-click-spinner: add missing run-time dependencies
python3-colorlog: add missing run-time dependencies
python3-colorzero: add missing run-time dependencies
python3-configobj: fix coding style
python3-configobj: add missing run-time dependencies
python3-configshell-fb: add missing run-time dependencies
python3-coverage: fix coding style and RDEPENDS
python3-custom-inherit: add missing run-time dependencies
python3-dateparser: fix coding style
python3-dateparser: add missing run-time dependencies
python3-tzlocal: fix coding style
python3-tzlocal: add missing run-time dependencies
python3-dbus-next: add missing run-time dependencies
python3-defusedxml: add missing run-time dependencies
python3-setuptools-scm-git-archive: add missing run-time dependencies
Beniamin Sandu (5):
lmsensors: do not pull in unneeded perl modules for run-time dependencies
mdns: remove unneeded headers
mbedtls: add support for v3.x
rasdaemon: upgrade to 0.8.0
unbound: add option to build with libevent
Chen Qi (1):
redis: use the files path correctly
Denys Dmytriyenko (1):
grpc: point to the native protobuf compiler binary
Enguerrand de Ribaucourt (4):
cukinia: remove trailing whitespaces
cukinia: upgrade 0.6.1 -> 0.6.2
cukinia: inherit allarch
cukinia: add libgpiod-tools to RRECOMMENDS
Etienne Cordonnier (1):
uutils-coreutils: upgrade 0.0.18 -> 0.0.19
Joe Slater (2):
libgpiod: modify test 'gpioset: toggle (continuous)'
python3-sqlparse: fix CVE-2023-30608
Johannes Kauffmann (3):
open62541: add multithreading PACKAGECONFIG option
open62541: allow disabling subscriptions
ntpd: switch service type from forking to simple
Khem Raj (16):
ply: Demand BFD linker explicitly
crucible: Upgrade to 2023.04.12 release
schroedinger: Fix building tests
fwts: Fix build issues found with lld linker
xfce4-sensors-plugin: Use bfd linker instead of lld
ostree: Fix build errors found with lld linker
spice-gtk: Fix build with lld linker
sblim-sfcb: Fix build with lld linker
libtracefs: Fix build with clang+musl
gosu: Upgrade to 1.16 release
layers: Move READMEs to markdown format
xdg-desktop-portal-wlr: Fix build with older mesa
geary: Fix build with vala >= 0.56.8
libforms: Replace hardcoded dep on mesa with virtual/libgl
syzkaller: Upgrade to latest tip of trunk
ristretto: Upgrade to 0.13.1 release
Markus Volk (1):
gnome-software: upgrade 44.1 -> 44.2
Martin Jansa (5):
asio: fix malformed Upstream-Status
libgpiod: fix malformed Upstream-Status
postfix: fix malformed Upstream-Status
*.patch: add Upstream-Status to all patches
postfix: remove 2nd Upstream-Status
Michael Heimpold (1):
php: drop explicite ARM_INSTRUCTION_SET
Patrick Williams (1):
libplist_2.3.0: compile fix for version
Peter Kjellerstedt (1):
glog: Correct the packaging of /usr/share/glog/cmake/FindUnwind.cmake
Peter Marko (1):
python3-stopit: fix override syntax
Randolph Sapp (1):
opengl-es-cts: 3.2.8.0 -> 3.2.9.3
Remi Peuvergne (2):
zeromq: consider license exception over LGPL-3.0
zeromq: consider license exception over LGPL-3.0
Sandeep Gundlupet Raju (1):
opencv: Revert fix runtime dependencies
Soumya (1):
opencv: Fix for CVE-2023-2617
Wang Mingyu (57):
ctags: upgrade 6.0.20230604.0 -> 6.0.20230611.0
gjs: upgrade 1.76.0 -> 1.76.1
ipcalc: upgrade 1.0.2 -> 1.0.3
libadwaita: upgrade 1.3.2 -> 1.3.3
libjcat: upgrade 0.1.13 -> 0.1.14
libqb: upgrade 2.0.6 -> 2.0.7
mbpoll: upgrade 1.5.0 -> 1.5.2
mpich: upgrade 4.1.1 -> 4.1.2
nautilus: upgrade 44.2 -> 44.2.1
ntp: upgrade 4.2.8p16 -> 4.2.8p17
python3-eth-account: upgrade 0.8.0 -> 0.9.0
python3-eth-hash: upgrade 0.5.1 -> 0.5.2
python3-eth-typing: upgrade 3.3.0 -> 3.4.0
python3-eth-utils: upgrade 2.1.0 -> 2.1.1
python3-platformdirs: upgrade 3.5.1 -> 3.5.3
pcsc-lite: upgrade 1.9.9 -> 2.0.0
php: upgrade 8.2.6 -> 8.2.7
python3-argcomplete: upgrade 3.0.8 -> 3.1.0
python3-autobahn: upgrade 23.1.2 -> 23.6.1
python3-cassandra-driver: upgrade 3.27.0 -> 3.28.0
python3-cmake: upgrade 3.26.3 -> 3.26.4
python3-django: upgrade 4.2.1 -> 4.2.2
python3-hexbytes: upgrade 0.3.0 -> 0.3.1
python3-imageio: upgrade 2.30.0 -> 2.31.0
python3-pykickstart: upgrade 3.47 -> 3.48
python3-pymisp: upgrade 2.4.171 -> 2.4.172
python3-pymodbus: upgrade 3.3.0 -> 3.3.1
python3-sentry-sdk: upgrade 1.25.0 -> 1.25.1
python3-websocket-client: upgrade 1.5.2 -> 1.5.3
python3-zeroconf: upgrade 0.63.0 -> 0.64.1
remmina: upgrade 1.4.30 -> 1.4.31
tio: upgrade 2.5 -> 2.6
libtracefs: upgrade 1.6.4 -> 1.7.0
adw-gtk3: upgrade 4.7 -> 4.8
evince: upgrade 44.1 -> 44.2
gensio: upgrade 2.6.5 -> 2.6.6
redis-plus-plus: upgrade 1.3.8 -> 1.3.9
python3-click-repl: upgrade 0.2.0 -> 0.3.0
python3-platformdirs: upgrade 3.5.3 -> 3.6.0
python3-pytest-mock: upgrade 3.10.0 -> 3.11.1
python3-croniter: upgrade 1.3.15 -> 1.4.1
python3-elementpath: upgrade 4.1.2 -> 4.1.3
python3-google-api-core: upgrade 2.11.0 -> 2.11.1
python3-google-api-python-client: upgrade 2.88.0 -> 2.89.0
python3-googleapis-common-protos: upgrade 1.59.0 -> 1.59.1
python3-google-auth: upgrade 2.19.1 -> 2.20.0
python3-imageio: upgrade 2.31.0 -> 2.31.1
python3-protobuf: upgrade 4.23.2 -> 4.23.3
python3-pyproj: upgrade 3.5.0 -> 3.6.0
python3-rich: upgrade 13.4.1 -> 13.4.2
python3-robotframework: upgrade 6.0.2 -> 6.1
python3-ujson: upgrade 5.7.0 -> 5.8.0
python3-xmlschema: upgrade 2.3.0 -> 2.3.1
python3-xmodem: upgrade 0.4.6 -> 0.4.7
python3-zeroconf: upgrade 0.64.1 -> 0.68.0
strongswan: upgrade 5.9.10 -> 5.9.11
rdfind: upgrade 1.5.0 -> 1.6.0
Xiangyu Chen (1):
meta-oe: add pahole to NON_MULTILIB_RECIPES
Zoltán Böszörményi (3):
mpich: Upgrade to 4.1.1
python3-meson-python: New recipe
python_mesonpy: New class
poky: 00f3d58064..13b646c0e1:
Adrian Freihofer (9):
runqemu-ifup: remove uid parameter
runqemu-ifup: configurable tap names
runqemu-ifup: fix tap index
runqemu-ifup: remove only our taps
runqemu-gen-tapdevs: remove staging dir parameter
runqemu-gen-tapdevs: remove uid parameter
runqemu-gen-tapdevs: configurable tap names
runqemu-gen-tapdevs: remove only our taps
runqemu: configurable tap names
Alberto Planas (2):
bitbake.conf: add unzstd in HOSTTOOLS
rpm2cpio.sh: update to the last 4.x version
Alejandro Hernandez Samaniego (2):
baremetal-helloworld: Update SRCREV to fix entry addresses for ARM architectures
runqemu: Stop passing bindir to the runqemu-ifup call
Alex Kiernan (1):
eudev: Upgrade 3.2.11 -> 3.2.12
Alexander Kanavin (60):
scripts/runqemu: split lock dir creation into a reusable function
scripts/runqemu: allocate unfsd ports in a way that doesn't race or clash with unrelated processes
apmd: remove recipe and apm MACHINE_FEATURE
qemu: a pending patch was submitted and accepted upstream
maintainers.inc: unassign Adrian Bunk from wireless-regdb
maintainers.inc: unassign Alistair Francis from opensbi
maintainers.inc: unassign Chase Qi from libc-test
maintainers.inc: unassign Oleksandr Kravchuk from python3 and all other items
maintainers.inc: unassign Ricardo Neri from ovmf
grub: submit determinism.patch upstream
apr: upgrade 1.7.3 -> 1.7.4
at-spi2-core: upgrade 2.48.0 -> 2.48.3
btrfs-tools: upgrade 6.3 -> 6.3.1
attr: package /etc/xattr.conf with the library that consumes it
glib-2.0: backport a patch to address ptest fails caused by coreutils 9.2+
diffoscope: upgrade 236 -> 242
dnf: upgrade 4.14.0 -> 4.16.1
ethtool: upgrade 6.2 -> 6.3
gawk: upgrade 5.2.1 -> 5.2.2
strace: upgrade 6.2 -> 6.3
coreutils: upgrade 9.1 -> 9.3
gnupg: upgrade 2.4.0 -> 2.4.2
gobject-introspection: upgrade 1.74.0 -> 1.76.1
kmscube: upgrade to latest revision
libmodulemd: upgrade 2.14.0 -> 2.15.0
libuv: license file was split in two in the 1.45.0 version update
libx11: upgrade 1.8.4 -> 1.8.5
libxslt: upgrade 1.1.37 -> 1.1.38
linux-firmware: upgrade 20230404 -> 20230515
ltp: upgrade 20230127 -> 20230516
mesa: upgrade 23.0.3 -> 23.1.1
meson: upgrade 1.1.0 -> 1.1.1
mmc-utils: upgrade to latest revision
nettle: upgrade 3.8.1 -> 3.9
nghttp2: upgrade 1.52.0 -> 1.53.0
parted: upgrade 3.5 -> 3.6
puzzles: upgrade to latest revision
python3: upgrade 3.11.2 -> 3.11.3
python3-certifi: upgrade 2022.12.7 -> 2023.5.7
python3-docutils: upgrade 0.19 -> 0.20.1
python3-flit-core: upgrade 3.8.0 -> 3.9.0
python3-importlib-metadata: upgrade 6.2.0 -> 6.6.0
python3-pyasn1: upgrade 0.4.8 -> 0.5.0
python3-pyopenssl: upgrade 23.1.1 -> 23.2.0
python3-sphinx: remove BSD-3-Clause from LICENSE
serf: upgrade 1.3.9 -> 1.3.10
shaderc: upgrade 2023.2 -> 2023.4
squashfs-tools: upgrade 4.5.1 -> 4.6.1
vala: upgrade 0.56.6 -> 0.56.8
vulkan: upgrade 1.3.243.0 -> 1.3.250.0
wget: upgrade 1.21.3 -> 1.21.4
wireless-regdb: upgrade 2023.02.13 -> 2023.05.03
xf86-input-libinput: upgrade 1.2.1 -> 1.3.0
xf86-input-mouse: upgrade 1.9.4 -> 1.9.5
zstd: upgrade 1.5.4 -> 1.5.5
gdb: upgrade 13.1 -> 13.2
libxcrypt: upgrade 4.4.33 -> 4.4.34
zstd: fix a reproducibility issue in 1.5.5
sysfsutils: fetch a supported fork from github
sysfsutils: update 2.1.0 -> 2.1.1
Alexandre Belloni (1):
base-passwd: fix patchreview warning
Alexis Lothoré (3):
oeqa/core/runner: add helper to know about expected failures
oeqa/target/ssh: update options for SCP
testimage: implement test artifacts retriever for failing tests
Anuj Mittal (1):
glib-2.0: upgrade 2.76.2 -> 2.76.3
BELOUARGA Mohamed (1):
meta: lib: oe: npm_registry: Add more safe caracters
Bruce Ashfield (4):
linux-yocto/6.1: update to v6.1.33
linux-yocto/6.1: fix intermittent x86 boot hangs
linux-yocto/6.1: update to v6.1.34
linux-yocto/6.1: update to v6.1.35
Charlie Wu (1):
devtool: Fix the wrong variable in srcuri_entry
Chen Qi (7):
sdk.py: error out when moving file fails
sdk.py: fix moving dnf contents
rpm: write macros under libdir
zip: fix configure check by using _Static_assert
zip: remove unnecessary LARGE_FILE_SUPPORT CLFAGS
unzip: fix configure check for cross compilation
unzip: remove hardcoded LARGE_FILE_SUPPORT
Denys Dmytriyenko (1):
binutils: move packaging of gprofng static lib into common .inc
Ed Beroset (1):
Add clarification for SRCREV
Fabien Mahot (2):
useradd-example: package typo correction
oeqa/selftest/bbtests: add non-existent prefile/postfile tests
Hannu Lounento (1):
profile-manual: fix blktrace remote usage instructions
Ian Ray (1):
systemd-systemctl: support instance expansion in WantedBy
Jermain Horsman (1):
logrotate: Do not create logrotate.status file
Jose Quaresma (1):
selftest/reproducible: Allow chose the package manager
Jörg Sommer (2):
runqemu-gen-tapdevs: Refactoring
runqemu-ifupdown/get-tapdevs: Add support for ip tuntap
Khem Raj (12):
llvm: Upgrade to 16.0.5
glibc: Pass linker choice via compiler flags
libgcc: Always use BFD linker
efivar: Upgrade to tip of trunk
babeltrace2: Always use BFD linker when building tests with ld-is-lld distro feature
parted: Add missing libuuid to linker cmdline for libparted-fs-resize.so
kernel: Add kernel specific STRIP variable
libxml2: Do not use lld linker when building with tests on rv64
llvm: Bump to 16.0.6
go-helloworld: Upgrade to tip of trunk
rpcsvc-proto: Upgrade to 1.4.4
python3-bcrypt: Use BFD linker when building tests
Louis Rannou (3):
rootfs-postcommands: change sysusers.d command
systemd: replace the sysusers.d basic configuration
base-passwd: add the wheel group
Luca Ceresoli (1):
ref-manual: classes: devicetree: fix sentence saying the same thing twice
Markus Volk (2):
gtk4: upgrade 4.10.3 -> 4.10.4
gstreamer1.0-plugins-bad: use oneVPL instead of intel-mediasdk for msdk
Martin Jansa (1):
libstd-rs, rust: use bfd linker instead of gold
Michael Opdenacker (5):
psplash: replace Yocto .h by .png splashscreen
migration-guides: release-notes-4.3: update documentation notes
bitbake: bitbake-user-manual: explicit variables taking a colon separated list
bitbake: bitbake-user-manual: revert change about PREFERRED_PROVIDERS
ref-manual: variables.rst: explicit variables accepting colon separated lists
Mikko Rapeli (4):
useradd-staticids.bbclass: improve error message
selftest reproducible.py: support different build targets
variables.rst: document OEQA_REPRODUCIBLE_TEST_TARGET and OEQA_REPRODUCIBLE_TEST_SSTATE_TARGETS
reproducible-builds.rst: document OEQA_REPRODUCIBLE_TEST_TARGET and OEQA_REPRODUCIBLE_TEST_SSTATE_TARGETS
Ming Liu (2):
weston-init: introduce xwayland PACKAGECONFIG
meta: introduce KCONFIG_CONFIG_ENABLE_MENUCONFIG
Mingli Yu (2):
qemu: Split the qemu package
u-boot-tools: Use PATH_MAX for path length
Petr Gotthard (1):
lighttpd: upgrade 1.4.69 -> 1.4.71
Quentin Schulz (5):
bitbake: docs: bitbake-user-manual: bitbake-user-manual-hello: add links and highlights for variables
docs: bsp-guide: bsp: fix typo
docs: ref-manual: terms: fix typos in SPDX term
docs: fix unnecessary double white space
docs: ref-manual: terms: fix incorrect note directive
Randolph Sapp (6):
weston-init: make sure the render group exists
weston-init: add weston user to the render group
weston-init: add the weston user to the wayland group
weston-init: fix the mixed indentation
weston-init: guard against systemd configs
weston-init: add profile to point users to global socket
Remi Peuvergne (1):
common-licenses: Add LGPL-3.0-with-zeromq-exception
Richard Purdie (18):
runqemu/qemu-helper: Drop tunctl
runqemu-if*: Rename confusing variable name
oeqa/selftest/oescripts: Fix qemu-helper selftest
oeqa/logparser: Fix ptest No-section exception
strace: Disable failing test
strace: Merge two similar patches
testimage: Only note missing target directories, don't warn
ptest-runner: Pull in sync fix to improve log warnings
scripts/runqemu-ifup: Fix extra parameter issue
scripts/runqemu-ifup: Fix 10 or more tap devices
bitbake: runqueue: Fix handling of virtual files in layername calculation
ptest-runner: Ensure data writes don't race
bitbake.conf: Add layer-<layername> override support
insane: Improve patch-status layer filtering
genericx86: Drop gma500-gfx-check
bitbake: doc: Document FILE_LAYERNAME
migration-guides: add notes on FILE_LAYERNAME
migration-guides: add notes on systemd/usrmerge changes
Ross Burton (15):
nettle: rewrite ptest integration
nettle: inherit lib_package
cve-extra-exclusions: add more ignores for 2023 kernel CVEs
cve-extra-exclusions: remove 2019 blanket ignores
poky-altconfig: enable usrmerge DISTRO_FEATURE
gi-docgen: correct comment
gobject-introspection: remove obsolete DEPENDS
coreutils: fix build when the host has fr_FR.
cve-extra-exclusions: call out an Ubuntu-specific issue explicitly
cve-extra-exclusions: CVE-2023-3141 was backported in Linux 6.1.30
erofs-utils: backport fixes for CVE-2023-33551 and CVE-2023-33552
ghostscript: mostly rewrite recipe
python3-dbusmock: only recommend python3-pygobject
sysfsutils: don't install to base_libdir
base: improve LICENSE_FLAGS_DETAILS output
Sakib Sajal (1):
go: Upgrade 1.20.4 -> 1.20.5
Soumya (1):
perl: fix CVE-2023-31484
Stefano Babic (2):
libubootenv: upgrade 0.3.3 -> 0.3.4
mtd-utils: export headers and libraries for MTD and UBI
Sudip Mukherjee (2):
dpkg: upgrade to v1.21.22
cmake: upgrade to v3.26.4
Tan Wen Yan (1):
linux-yocto/6.1: update genericx86* machines to v6.1.30
Tom Hochstein (1):
weston: Cleanup and fix x11 and xwayland dependencies
Trevor Gamblin (2):
runqemu-gen-tapdevs: fix missing variable quote
glib-networking: use correct error code in ptest
Vincent Davis Jr (4):
spirv-tools: fix INTERFACE_LINK_LIBRARIES cmake prop
vulkan-validation-layers: add new recipe v1.3.243.0
spirv-tools: Use baselib instead of base_libdir
vulkan-validation-layers: cleanup recipe
Xiangyu Chen (1):
dbus: upgrade 1.14.6 -> 1.14.8
nikhil (1):
libwebp: Fix CVE-2023-1999
schitrod=cisco.com@lists.openembedded.org (1):
cups: Fix CVE-2023-32324
meta-security: 180dac9aec..405cca4028:
Ahmed Abdelfattah (1):
swtpm: fix parser error when using USERADDEXTENSION="useradd-staticids"
Armin Kuster (25):
scap-security-guide: update to 0.1.67
scap-security-guide: update to tip
scap-security-guide_git: drop oe version
openscap-daemon: This is now obsolete
oe-scap: Not maintained nor upstreamed
openscap: Fix native build missing depends
openscap: Drop OE specific recipe
lynis: move to main meta-security layer
openscap: move to main meta-security layer
meta-security-compliance: remove layer
openscap: add support for OpenEmbedded nodistro and Poky
scap-security-guide: add OE support
packagegroup-core-security: add compliance pkg group
kas: ci changes do to meta-security-compliance being removed
meta-security-isafw: drop layer isafw project archived
openscap: Update to tip to get OE/Poky support
scap-security-guide: bump the number of test that pass
clamav: drop unused patch
isic: fine tune Upstream-Status
scap-security-guide: Add Poky
arpwatch: Fix typo in COMPATIBLE_HOST:libc-musl = "null"
scap-security-guide: add Upstream-Status
scap-security-guide: Does not build for musl
openscap: update to 1.3.8
packagegroup-core-security: add os-release
Chen Qi (1):
complicance/isafw: remove oeqa addpylib
Kevin Hao (1):
dmverity: Suppress the realpath errors
Martin Jansa (5):
*.patch: add Upstream-Status to all patches
meta-tpm: *.patch: fix malformed Upstream-Status lines
dynamic-layers: *.patch: fix malformed and missing Upstream-Status lines
*.patch: fix malformed Upstream-Status and SOB lines
.patch: remove probably unused patches
Paul Gortmaker (7):
dm-verity: add descriptive strings for "wic list images"
dm-verity: restructure the veritysetup arg parsing
dm-verity: save veritysetup args beside runtime environment
dm-verity: add support for hash storage on separate partition
dm-verity: add wks.in fragment with dynamic build hash data
dm-verity: hook separate hash into initramfs framework
dm-verity: add sample systemd separate hash example and doc
Samantha Jalabert (1):
buck-security: fix missing dependencies to perl modules
meta-raspberrypi: 8e07f0d328..dff85b9a9f:
Khem Raj (1):
linux-raspberrypi-6.1: Update to 6.1.34 release
Martin Jansa (1):
*.patch: add Upstream-Status to all patches
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: If34dfa008a81d778c7bc02627388238f5125d85c
Diffstat (limited to 'meta-security/recipes-compliance')
8 files changed, 769 insertions, 0 deletions
diff --git a/meta-security/recipes-compliance/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch b/meta-security/recipes-compliance/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch new file mode 100644 index 0000000000..d365ec11b8 --- /dev/null +++ b/meta-security/recipes-compliance/lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch 
@@ -0,0 +1,51 @@ +From 4b1de197ee0dd259cc05d5faf7fd38b580d841d2 Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Tue, 2 May 2023 16:22:13 -0400 +Subject: [PATCH] osdetection: add OpenEmbedded and Poky + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Upstream-Status: Pending +https://github.com/CISOfy/lynis/pull/1390 + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +--- + include/osdetection | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/include/osdetection b/include/osdetection +index 989b1b3..e5974e5 100644 +--- a/include/osdetection ++++ b/include/osdetection +@@ -308,6 +308,12 @@ + OS_REDHAT_OR_CLONE=1 + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; ++ "nodistro") ++ LINUX_VERSION="openembedded" ++ OS_NAME="OpenEmbedded" ++ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ++ OS_VERSION_FULL=$(grep "^VERSION=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ++ ;; + "opensuse-tumbleweed") + LINUX_VERSION="openSUSE Tumbleweed" + # It's rolling release but has a snapshot version (the date of the snapshot) +@@ -330,6 +336,14 @@ + OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') + ;; ++ "poky") ++ LINUX_VERSION="Poky" ++ OS_NAME="openembedded" ++ LINUX_VERSION_LIKE="openembedded" ++ OS_VERSION=$(grep "^VERSION_ID=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ++ OS_VERSION_FULL=$(grep "^PRETTY_NAME=" /etc/os-release | awk -F= '{print $2}' | tr -d '"') ++ ++ ;; + "pop") + LINUX_VERSION="Pop!_OS" + LINUX_VERSION_LIKE="Ubuntu" +-- +2.25.1 + diff --git a/meta-security/recipes-compliance/lynis/lynis_3.0.8.bb b/meta-security/recipes-compliance/lynis/lynis_3.0.8.bb new file mode 100644 index 0000000000..0a4981245c --- /dev/null +++ b/meta-security/recipes-compliance/lynis/lynis_3.0.8.bb 
@@ -0,0 +1,42 @@ +# Copyright (C) 2017 Armin Kuster <akuster808@gmail.com> +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMMARY = "Lynis is a free and open source security and auditing tool." +HOMEDIR = "https://cisofy.com/" +LICENSE = "GPL-3.0-only" +LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" + +SRC_URI = "https://cisofy.com/files/${BPN}-${PV}.tar.gz \ + file://0001-osdetection-add-OpenEmbedded-and-Poky.patch \ + " + +SRC_URI[sha256sum] = "98373a4cc9d0471ab9bebb249e442fcf94b6bf6d4e9c6fc0b22bca1506646c63" + +S = "${WORKDIR}/${BPN}" + +inherit autotools-brokensep + +do_compile[noexec] = "1" +do_configure[noexec] = "1" + +do_install () { + install -d ${D}/${bindir} + install -d ${D}/${sysconfdir}/lynis + install -m 555 ${S}/lynis ${D}/${bindir} + + install -d ${D}/${datadir}/lynis/db + install -d ${D}/${datadir}/lynis/plugins + install -d ${D}/${datadir}/lynis/include + install -d ${D}/${datadir}/lynis/extras + + cp -r ${S}/db/* ${D}/${datadir}/lynis/db/. + cp -r ${S}/plugins/* ${D}/${datadir}/lynis/plugins/. + cp -r ${S}/include/* ${D}/${datadir}/lynis/include/. + cp -r ${S}/extras/* ${D}/${datadir}/lynis/extras/. + cp ${S}/*.prf ${D}/${sysconfdir}/lynis +} + +FILES:${PN} += "${sysconfdir}/developer.prf ${sysconfdir}/default.prf" +FILES:${PN}-doc += "lynis.8 FAQ README CHANGELOG.md CONTRIBUTIONS.md CONTRIBUTORS.md" + +RDEPENDS:${PN} += "procps findutils" diff --git a/meta-security/recipes-compliance/openscap/openscap_1.3.8.bb b/meta-security/recipes-compliance/openscap/openscap_1.3.8.bb new file mode 100644 index 0000000000..ecc347c699 --- /dev/null +++ b/meta-security/recipes-compliance/openscap/openscap_1.3.8.bb 
@@ -0,0 +1,75 @@ +# Copyright (C) 2017 - 2023 Armin Kuster <akuster808@gmail.com> +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMARRY = "NIST Certified SCAP 1.2 toolkit" +HOME_URL = "https://www.open-scap.org/tools/openscap-base/" +LIC_FILES_CHKSUM = "file://COPYING;md5=fbc093901857fcd118f065f900982c24" +LICENSE = "LGPL-2.1-only" + +DEPENDS = "dbus acl bzip2 pkgconfig gconf procps curl libxml2 libxslt libcap swig libpcre xmlsec1" +DEPENDS:class-native = "pkgconfig-native swig-native curl-native libxml2-native libxslt-native libcap-native libpcre-native xmlsec1-native" + +#Jun 22th, 2023 +SRCREV = "a81c66d9bc36612dd1ca83a8c959a59e172eb4b9" +SRC_URI = "git://github.com/OpenSCAP/openscap.git;branch=maint-1.3;protocol=https \ + " + +S = "${WORKDIR}/git" + +inherit cmake pkgconfig python3native python3targetconfig perlnative systemd + +PACKAGECONFIG ?= "python3 rpm perl gcrypt ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG[python3] = "-DENABLE_PYTHON3=ON, ,python3, python3" +PACKAGECONFIG[perl] = "-DENABLE_PERL=ON, ,perl, perl" +PACKAGECONFIG[rpm] = "-DENABLE_OSCAP_UTIL_AS_RPM=ON, ,rpm, rpm" +PACKAGECONFIG[gcrypt] = "-DWITH_CRYPTO=gcrypt, ,libgcrypt" +PACKAGECONFIG[nss3] = "-DWITH_CRYPTO=nss3, ,nss" +PACKAGECONFIG[selinux] = ", ,libselinux" +PACKAGECONFIG[remdediate_service] = "-DENABLE_OSCAP_REMEDIATE_SERVICE=ON,-DENABLE_OSCAP_REMEDIATE_SERVICE=NO," + +EXTRA_OECMAKE += "-DENABLE_PROBES_LINUX=ON -DENABLE_PROBES_UNIX=ON \ + -DENABLE_PROBES_SOLARIS=OFF -DENABLE_PROBES_INDEPENDENT=ON \ + -DENABLE_OSCAP_UTIL=ON -DENABLE_OSCAP_UTIL_SSH=ON \ + -DENABLE_OSCAP_UTIL_DOCKER=OFF -DENABLE_OSCAP_UTIL_CHROOT=OFF \ + -DENABLE_OSCAP_UTIL_PODMAN=OFF -DENABLE_OSCAP_UTIL_VM=OFF \ + -DENABLE_PROBES_WINDOWS=OFF -DENABLE_VALGRIND=OFF \ + -DENABLE_SCE=ON -DENABLE_MITRE=OFF -DENABLE_TESTS=OFF \ + -DCMAKE_SKIP_INSTALL_RPATH=ON -DCMAKE_SKIP_RPATH=ON \ + " + +STAGING_OSCAP_DIR = "${TMPDIR}/work-shared/${MACHINE}/oscap-source" 
+STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts" + +do_configure:append:class-native () { + sed -i 's:OSCAP_DEFAULT_CPE_PATH.*$:OSCAP_DEFAULT_CPE_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe":' ${B}/config.h + sed -i 's:OSCAP_DEFAULT_SCHEMA_PATH.*$:OSCAP_DEFAULT_SCHEMA_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas":' ${B}/config.h + sed -i 's:OSCAP_DEFAULT_XSLT_PATH.*$:OSCAP_DEFAULT_XSLT_PATH "${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl":' ${B}/config.h +} + +do_install:append () { + if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then + if ${@bb.utils.contains('PACKAGECONFIG','remdediate_service','true','false',d)}; then + install -D -m 0644 ${B}/oscap-remediate.service ${D}${systemd_system_unitdir}/oscap-remediate.service + fi + fi +} + +do_install:class-native[cleandirs] += " ${STAGING_OSCAP_BUILDDIR}" +do_install:append:class-native () { + oscapdir=${STAGING_OSCAP_BUILDDIR}/${datadir_native} + install -d $oscapdir + cp -a ${D}/${STAGING_DATADIR_NATIVE}/openscap $oscapdir +} + + +SYSTEMD_PACKAGES = "${PN}" +SYSTEMD_SERVICE:${PN} = "${@bb.utils.contains('PACKAGECONFIG','remdediate_service', 'oscap-remediate.service', '',d)}" +SYSTEMD_AUTO_ENABLE = "disable" + + +FILES:${PN} += "${PYTHON_SITEPACKAGES_DIR}" + + +RDEPENDS:${PN} = "libxml2 python3-core libgcc bash" +RDEPENDS:${PN}-class-target = "libxml2 python3-core libgcc bash os-release" +BBCLASSEXTEND = "native" diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch new file mode 100644 index 0000000000..355f954290 --- /dev/null +++ b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky-support.patch 
@@ -0,0 +1,91 @@ +From 23a224203a73688567f500380644e5cf30c8ed99 Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Thu, 22 Jun 2023 06:19:26 -0400 +Subject: [PATCH] scap-security-guide: add Poky support + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Upstream-Status: Pending +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +--- + products/openembedded/product.yml | 7 +++- + .../openembedded/transforms/constants.xslt | 4 +-- + shared/checks/oval/installed_OS_is_poky.xml | 33 +++++++++++++++++++ + 3 files changed, 41 insertions(+), 3 deletions(-) + create mode 100644 shared/checks/oval/installed_OS_is_poky.xml + +diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml +index 9f2f12d737..a495e197c0 100644 +--- a/products/openembedded/product.yml ++++ b/products/openembedded/product.yml +@@ -14,6 +14,11 @@ init_system: "systemd" + cpes_root: "../../shared/applicability" + cpes: + - openembedded: +- name: "cpe:/o:openembedded" ++ name: "cpe:/o:openembedded:nodistro:" + title: "OpenEmbedded nodistro" + check_id: installed_OS_is_openembedded ++ ++ - poky: ++ name: "cpe:/o:openembedded:poky:" ++ title: "OpenEmbedded Poky reference distribution" ++ check_id: installed_OS_is_poky +diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt +index 85e812a7c1..8901def2f9 100644 +--- a/products/openembedded/transforms/constants.xslt ++++ b/products/openembedded/transforms/constants.xslt +@@ -2,8 +2,8 @@ + + <xsl:include href="../../../shared/transforms/shared_constants.xslt"/> + +-<xsl:variable name="product_long_name">OpenEmbedded nodistro</xsl:variable> +-<xsl:variable name="product_short_name">OE nodistro</xsl:variable> ++<xsl:variable name="product_long_name">OpenEmbedded based distribution</xsl:variable> ++<xsl:variable name="product_short_name">OE distros</xsl:variable> + <xsl:variable name="product_stig_id_name">empty</xsl:variable> + <xsl:variable 
name="prod_type">openembedded</xsl:variable> + +diff --git a/shared/checks/oval/installed_OS_is_poky.xml b/shared/checks/oval/installed_OS_is_poky.xml +new file mode 100644 +index 0000000000..9c41acd786 +--- /dev/null ++++ b/shared/checks/oval/installed_OS_is_poky.xml +@@ -0,0 +1,33 @@ ++<def-group> ++ <definition class="inventory" id="installed_OS_is_poky" version="1"> ++ <metadata> ++ <title>Poky</title> ++ <affected family="unix"> ++ <platform>multi_platform_all</platform> ++ </affected> ++ <description>The operating system installed is a Poky referenece based System</description> ++ </metadata> ++ <criteria comment="System is Poky reference distribution" operator="AND"> ++ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" /> ++ <criterion comment="Poky based distro" test_ref="test_os_release_poky" /> ++ <criterion comment="Poky referenece distribution is installed" test_ref="test_poky" /> ++ </criteria> ++ </definition> ++ ++ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_release_poky" version="1"> ++ <unix:object object_ref="obj_os_release_poky" /> ++ </unix:file_test> ++ <unix:file_object comment="check /etc/os-release file" id="obj_os_release_poky" version="1"> ++ <unix:filepath>/etc/os-release</unix:filepath> ++ </unix:file_object> ++ ++ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded" id="test_poky" version="1"> ++ <ind:object object_ref="obj_poky" /> ++ </ind:textfilecontent54_test> ++ <ind:textfilecontent54_object id="obj_poky" version="1" comment="Check Poky"> ++ <ind:filepath>/etc/os-release</ind:filepath> ++ <ind:pattern operation="pattern match">^ID=poky$</ind:pattern> ++ <ind:instance datatype="int">1</ind:instance> ++ </ind:textfilecontent54_object> ++ ++</def-group> +-- +2.34.1 + 
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch new file mode 100644 index 0000000000..f003f72a6d --- /dev/null +++ b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded.patch 
@@ -0,0 +1,231 @@ +From f6287d146762b8360bd7099f4724a58eedba7d2a Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Wed, 14 Jun 2023 07:46:55 -0400 +Subject: [PATCH] scap-security-guide: add openembedded + +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Upstream-Status: Pending +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +--- + CMakeLists.txt | 5 +++ + build_product | 1 + + products/openembedded/CMakeLists.txt | 6 ++++ + products/openembedded/product.yml | 19 +++++++++++ + .../openembedded/profiles/standard.profile | 12 +++++++ + .../openembedded/transforms/constants.xslt | 10 ++++++ + .../oval/installed_OS_is_openembedded.xml | 33 +++++++++++++++++++ + .../oval/sysctl_kernel_ipv6_disable.xml | 1 + + ssg/constants.py | 5 ++- + 9 files changed, 91 insertions(+), 1 deletion(-) + create mode 100644 products/openembedded/CMakeLists.txt + create mode 100644 products/openembedded/product.yml + create mode 100644 products/openembedded/profiles/standard.profile + create mode 100644 products/openembedded/transforms/constants.xslt + create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 85ec289644..09ac96784e 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -95,6 +95,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be + option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) + option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) + option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) ++option(SSG_PRODUCT_OE "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT}) + + + option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE) +@@ -289,6 +290,7 @@ message(STATUS "Ubuntu 18.04: 
${SSG_PRODUCT_UBUNTU1804}") + message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}") + message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}") + message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}") ++message(STATUS "OpenEmbedded nodistro: ${SSG_PRODUCT_OE}") + + + +@@ -410,6 +412,9 @@ endif() + if (SSG_PRODUCT_UOS20) + add_subdirectory("products/uos20" "uos20") + endif() ++if (SSG_PRODUCT_OE) ++ add_subdirectory("products/openembedded" "openembedded") ++endif() + + # ZIP only contains source datastreams and kickstarts, people who + # want sources to build from should get the tarball instead. +diff --git a/build_product b/build_product +index fc793cbe70..197d925b7e 100755 +--- a/build_product ++++ b/build_product +@@ -333,6 +333,7 @@ all_cmake_products=( + UBUNTU2204 + UOS20 + MACOS1015 ++ OPENEMBEDDED + ) + + DEFAULT_OVAL_MAJOR_VERSION=5 +diff --git a/products/openembedded/CMakeLists.txt b/products/openembedded/CMakeLists.txt +new file mode 100644 +index 0000000000..1981adf53e +--- /dev/null ++++ b/products/openembedded/CMakeLists.txt +@@ -0,0 +1,6 @@ ++# Sometimes our users will try to do: "cd openembedded; cmake ." That needs to error in a nice way. 
++if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}") ++ message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!") ++endif() ++ ++ssg_build_product("openembedded") +diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml +new file mode 100644 +index 0000000000..9f2f12d737 +--- /dev/null ++++ b/products/openembedded/product.yml +@@ -0,0 +1,19 @@ ++product: openembedded ++full_name: OpemEmbedded ++type: platform ++ ++benchmark_id: OPENEMBEDDED ++benchmark_root: "../../linux_os/guide" ++ ++profiles_root: "./profiles" ++ ++pkg_manager: "dnf" ++ ++init_system: "systemd" ++ ++cpes_root: "../../shared/applicability" ++cpes: ++ - openembedded: ++ name: "cpe:/o:openembedded" ++ title: "OpenEmbedded nodistro" ++ check_id: installed_OS_is_openembedded +diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile +new file mode 100644 +index 0000000000..44339d716c +--- /dev/null ++++ b/products/openembedded/profiles/standard.profile +@@ -0,0 +1,12 @@ ++documentation_complete: true ++ ++title: 'Sample Security Profile for OpenEmbedded Distros' ++ ++description: |- ++ This profile is an sample for use in documentation and example content. ++ The selected rules are standard and should pass quickly on most systems. 
++ ++selections: ++ - file_owner_etc_passwd ++ - file_groupowner_etc_passwd ++ - file_permissions_etc_passwd +diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt +new file mode 100644 +index 0000000000..85e812a7c1 +--- /dev/null ++++ b/products/openembedded/transforms/constants.xslt +@@ -0,0 +1,10 @@ ++<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> ++ ++<xsl:include href="../../../shared/transforms/shared_constants.xslt"/> ++ ++<xsl:variable name="product_long_name">OpenEmbedded nodistro</xsl:variable> ++<xsl:variable name="product_short_name">OE nodistro</xsl:variable> ++<xsl:variable name="product_stig_id_name">empty</xsl:variable> ++<xsl:variable name="prod_type">openembedded</xsl:variable> ++ ++</xsl:stylesheet> +diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml +new file mode 100644 +index 0000000000..17c2873686 +--- /dev/null ++++ b/shared/checks/oval/installed_OS_is_openembedded.xml +@@ -0,0 +1,33 @@ ++<def-group> ++ <definition class="inventory" id="installed_OS_is_openembedded" version="1"> ++ <metadata> ++ <title>OpenEmbedded</title> ++ <affected family="unix"> ++ <platform>multi_platform_all</platform> ++ </affected> ++ <description>The operating system installed is an OpenEmbedded System</description> ++ </metadata> ++ <criteria comment="System is OpenEmbedded" operator="AND"> ++ <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" /> ++ <criterion comment="OpenEmbedded distro" test_ref="test_os_release" /> ++ <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" /> ++ </criteria> ++ </definition> ++ ++ <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_release" version="1"> ++ <unix:object object_ref="obj_os_release" /> ++ </unix:file_test> ++ 
<unix:file_object comment="check /etc/os-release file" id="obj_os_release" version="1"> ++ <unix:filepath>/etc/os-release</unix:filepath> ++ </unix:file_object> ++ ++ <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded" id="test_openembedded" version="1"> ++ <ind:object object_ref="obj_openembedded" /> ++ </ind:textfilecontent54_test> ++ <ind:textfilecontent54_object id="obj_openembedded" version="1" comment="Check OpenEmbedded"> ++ <ind:filepath>/etc/os-release</ind:filepath> ++ <ind:pattern operation="pattern match">^ID=nodistro$</ind:pattern> ++ <ind:instance datatype="int">1</ind:instance> ++ </ind:textfilecontent54_object> ++ ++</def-group> +diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +index affb9770cb..4f22df262c 100644 +--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml ++++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml +@@ -8,6 +8,7 @@ + <platform>multi_platform_debian</platform> + <platform>multi_platform_example</platform> + <platform>multi_platform_fedora</platform> ++ <platform>multi_platform_openembedded</platform> + <platform>multi_platform_opensuse</platform> + <platform>multi_platform_ol</platform> + <platform>multi_platform_rhcos</platform> +diff --git a/ssg/constants.py b/ssg/constants.py +index f66ba008fa..630fbdfcb9 100644 +--- a/ssg/constants.py ++++ b/ssg/constants.py +@@ -219,6 +219,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = { + "Ubuntu 20.04": "ubuntu2004", + "Ubuntu 22.04": "ubuntu2204", + "UnionTech OS Server 20": "uos20", ++ "OpenEmbedded": "openembedded", + "Not Applicable" : "example" + } + +@@ -267,7 +268,7 @@ REFERENCES = dict( + + MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu", + "opensuse", "sle", "ol", "ocp", "rhcos", +- "example", "eks", "alinux", "uos", "anolis"] ++ "example", "eks", "alinux", "uos", "anolis", "openembedded"] + + MULTI_PLATFORM_MAPPING = { + "multi_platform_alinux": 
["alinux2", "alinux3"], +@@ -285,6 +286,7 @@ MULTI_PLATFORM_MAPPING = { + "multi_platform_sle": ["sle12", "sle15"], + "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"], + "multi_platform_uos": ["uos20"], ++ "multi_platform_openembedded": ["openembedded"], + } + + RHEL_CENTOS_CPE_MAPPING = { +@@ -454,6 +456,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = { + 'ocp': 'Red Hat OpenShift Container Platform', + 'rhcos': 'Red Hat Enterprise Linux CoreOS', + 'eks': 'Amazon Elastic Kubernetes Service', ++ 'openembedded': 'OpenEmbedded', + } + + # References that can not be used with product-qualifiers +-- +2.34.1 + diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch new file mode 100644 index 0000000000..061c5f00a2 --- /dev/null +++ b/meta-security/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch 
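Review bot: `full_name: OpemEmbedded` in products/openembedded/product.yml is misspelled and does not match the `"OpenEmbedded": "openembedded"` entry this same patch adds to FULL_NAME_TO_PRODUCT_MAPPING in ssg/constants.py; the two must agree, so fix the spelling in product.yml. The product identifier is likewise inconsistent between build_product, which appends `OPENEMBEDDED` to all_cmake_products, and CMakeLists.txt, which defines the option as `SSG_PRODUCT_OE`; the other products in those hunks (e.g. `UOS20` and `SSG_PRODUCT_UOS20`) use the same name in both places, so pick one identifier here too. `pkg_manager: "dnf"` is only correct for images built with package_rpm; OpenEmbedded images commonly use opkg or dpkg, and every rule that templates on pkg_manager will generate dnf-specific checks and remediations for them. The OVAL pattern `^ID=nodistro$` in installed_OS_is_openembedded.xml has the same quoting problem as the Poky check: os-release allows `ID="nodistro"`, so accept optional quotes. Minor: "This profile is an sample" in standard.profile should read "a sample", and the commit message repeats Signed-off-by.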
@@ -0,0 +1,231 @@ +From 7af2da3bbe1d5b4cba89c6dae9ea267717b865ea Mon Sep 17 00:00:00 2001 +From: Armin Kuster <akuster808@gmail.com> +Date: Wed, 21 Jun 2023 07:46:38 -0400 +Subject: [PATCH] standard.profile: expand checks + +Upstream-Status: Pending +Signed-off-by: Armin Kuster <akuster808@gmail.com> + +Upstream-status: Pending +--- + .../openembedded/profiles/standard.profile | 206 ++++++++++++++++++ + 1 file changed, 206 insertions(+) + +diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile +index 44339d716c..877d1a3971 100644 +--- a/products/openembedded/profiles/standard.profile ++++ b/products/openembedded/profiles/standard.profile +@@ -9,4 +9,210 @@ description: |- + selections: + - file_owner_etc_passwd + - file_groupowner_etc_passwd ++ - service_crond_enabled ++ - file_groupowner_crontab ++ - file_owner_crontab ++ - file_permissions_crontab ++ - file_groupowner_cron_hourly ++ - file_owner_cron_hourly ++ - file_permissions_cron_hourly ++ - file_groupowner_cron_daily ++ - file_owner_cron_daily ++ - file_permissions_cron_daily ++ - file_groupowner_cron_weekly ++ - file_owner_cron_weekly ++ - file_permissions_cron_weekly ++ - file_groupowner_cron_monthly ++ - file_owner_cron_monthly ++ - file_permissions_cron_monthly ++ - file_groupowner_cron_d ++ - file_owner_cron_d ++ - file_permissions_cron_d ++ - file_groupowner_cron_allow ++ - file_owner_cron_allow ++ - file_cron_deny_not_exist ++ - file_groupowner_at_allow ++ - file_owner_at_allow ++ - file_at_deny_not_exist ++ - file_permissions_at_allow ++ - file_permissions_cron_allow ++ - file_groupowner_sshd_config ++ - file_owner_sshd_config ++ - file_permissions_sshd_config ++ - file_permissions_sshd_private_key ++ - file_permissions_sshd_pub_key ++ - sshd_set_loglevel_verbose ++ - sshd_set_loglevel_info ++ - sshd_max_auth_tries_value=4 ++ - sshd_set_max_auth_tries ++ - sshd_disable_rhosts ++ - disable_host_auth ++ - sshd_disable_root_login ++ - 
sshd_disable_empty_passwords ++ - sshd_do_not_permit_user_env ++ - sshd_idle_timeout_value=15_minutes ++ - sshd_set_idle_timeout ++ - sshd_set_keepalive ++ - var_sshd_set_keepalive=0 ++ - sshd_set_login_grace_time ++ - var_sshd_set_login_grace_time=60 ++ - sshd_enable_warning_banner ++ - sshd_enable_pam ++ - sshd_set_maxstartups ++ - var_sshd_set_maxstartups=10:30:60 ++ - sshd_set_max_sessions ++ - var_sshd_max_sessions=10 ++ - accounts_password_pam_minclass ++ - accounts_password_pam_minlen ++ - accounts_password_pam_retry ++ - var_password_pam_minclass=4 ++ - var_password_pam_minlen=14 ++ - locking_out_password_attempts ++ - accounts_password_pam_pwhistory_remember_password_auth ++ - accounts_password_pam_pwhistory_remember_system_auth ++ - var_password_pam_remember_control_flag=required ++ - var_password_pam_remember=5 ++ - set_password_hashing_algorithm_systemauth ++ - accounts_maximum_age_login_defs ++ - var_accounts_maximum_age_login_defs=365 ++ - accounts_password_set_max_life_existing ++ - accounts_minimum_age_login_defs ++ - var_accounts_minimum_age_login_defs=7 ++ - accounts_password_set_min_life_existing ++ - accounts_password_warn_age_login_defs ++ - var_accounts_password_warn_age_login_defs=7 ++ - account_disable_post_pw_expiration ++ - var_account_disable_post_pw_expiration=30 ++ - no_shelllogin_for_systemaccounts ++ - accounts_tmout ++ - var_accounts_tmout=15_min ++ - accounts_root_gid_zero ++ - accounts_umask_etc_bashrc ++ - accounts_umask_etc_login_defs ++ - use_pam_wheel_for_su ++ - sshd_allow_only_protocol2 ++ - journald_forward_to_syslog ++ - journald_compress ++ - journald_storage ++ - service_auditd_enabled ++ - service_httpd_disabled ++ - service_vsftpd_disabled ++ - service_named_disabled ++ - service_nfs_disabled ++ - service_rpcbind_disabled ++ - service_slapd_disabled ++ - service_dhcpd_disabled ++ - service_cups_disabled ++ - service_ypserv_disabled ++ - service_rsyncd_disabled ++ - service_avahi-daemon_disabled ++ - 
service_snmpd_disabled ++ - service_squid_disabled ++ - service_smb_disabled ++ - service_dovecot_disabled ++ - banner_etc_motd ++ - login_banner_text=cis_banners ++ - banner_etc_issue ++ - login_banner_text=cis_banners ++ - file_groupowner_etc_motd ++ - file_owner_etc_motd ++ - file_permissions_etc_motd ++ - file_groupowner_etc_issue ++ - file_owner_etc_issue ++ - file_permissions_etc_issue ++ - ensure_gpgcheck_globally_activated ++ - package_aide_installed ++ - aide_periodic_cron_checking ++ - grub2_password ++ - file_groupowner_grub2_cfg ++ - file_owner_grub2_cfg ++ - file_permissions_grub2_cfg ++ - require_singleuser_auth ++ - require_emergency_target_auth ++ - disable_users_coredumps ++ - coredump_disable_backtraces ++ - coredump_disable_storage ++ - configure_crypto_policy ++ - var_system_crypto_policy=default_policy ++ - dir_perms_world_writable_sticky_bits + - file_permissions_etc_passwd ++ - file_owner_etc_shadow ++ - file_groupowner_etc_shadow ++ - file_groupowner_etc_group ++ - file_owner_etc_group ++ - file_permissions_etc_group ++ - file_groupowner_etc_gshadow ++ - file_owner_etc_gshadow ++ - file_groupowner_backup_etc_passwd ++ - file_owner_backup_etc_passwd ++ - file_permissions_backup_etc_passwd ++ - file_groupowner_backup_etc_shadow ++ - file_owner_backup_etc_shadow ++ - file_permissions_backup_etc_shadow ++ - file_groupowner_backup_etc_group ++ - file_owner_backup_etc_group ++ - file_permissions_backup_etc_group ++ - file_groupowner_backup_etc_gshadow ++ - file_owner_backup_etc_gshadow ++ - file_permissions_backup_etc_gshadow ++ - file_permissions_unauthorized_world_writable ++ - file_permissions_ungroupowned ++ - accounts_root_path_dirs_no_write ++ - root_path_no_dot ++ - accounts_no_uid_except_zero ++ - file_ownership_home_directories ++ - file_groupownership_home_directories ++ - no_netrc_files ++ - no_rsh_trust_files ++ - account_unique_id ++ - group_unique_id ++ - group_unique_name ++ - kernel_module_sctp_disabled ++ - 
kernel_module_dccp_disabled ++ - wireless_disable_interfaces ++ - sysctl_net_ipv4_ip_forward ++ - sysctl_net_ipv6_conf_all_forwarding ++ - sysctl_net_ipv6_conf_all_forwarding_value=disabled ++ - sysctl_net_ipv4_conf_all_send_redirects ++ - sysctl_net_ipv4_conf_default_send_redirects ++ - sysctl_net_ipv4_conf_all_accept_source_route ++ - sysctl_net_ipv4_conf_all_accept_source_route_value=disabled ++ - sysctl_net_ipv4_conf_default_accept_source_route ++ - sysctl_net_ipv4_conf_default_accept_source_route_value=disabled ++ - sysctl_net_ipv6_conf_all_accept_source_route ++ - sysctl_net_ipv6_conf_all_accept_source_route_value=disabled ++ - sysctl_net_ipv6_conf_default_accept_source_route ++ - sysctl_net_ipv6_conf_default_accept_source_route_value=disabled ++ - sysctl_net_ipv4_conf_all_accept_redirects ++ - sysctl_net_ipv4_conf_all_accept_redirects_value=disabled ++ - sysctl_net_ipv4_conf_default_accept_redirects ++ - sysctl_net_ipv4_conf_default_accept_redirects_value=disabled ++ - sysctl_net_ipv6_conf_all_accept_redirects ++ - sysctl_net_ipv6_conf_all_accept_redirects_value=disabled ++ - sysctl_net_ipv6_conf_default_accept_redirects ++ - sysctl_net_ipv6_conf_default_accept_redirects_value=disabled ++ - sysctl_net_ipv4_conf_all_secure_redirects ++ - sysctl_net_ipv4_conf_all_secure_redirects_value=disabled ++ - sysctl_net_ipv4_conf_default_secure_redirects ++ - sysctl_net_ipv4_conf_default_secure_redirects_value=disabled ++ - sysctl_net_ipv4_conf_all_log_martians ++ - sysctl_net_ipv4_conf_all_log_martians_value=enabled ++ - sysctl_net_ipv4_conf_default_log_martians ++ - sysctl_net_ipv4_conf_default_log_martians_value=enabled ++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts ++ - sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value=enabled ++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses ++ - sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value=enabled ++ - sysctl_net_ipv4_conf_all_rp_filter ++ - sysctl_net_ipv4_conf_all_rp_filter_value=enabled ++ - 
sysctl_net_ipv4_conf_default_rp_filter ++ - sysctl_net_ipv4_conf_default_rp_filter_value=enabled ++ - sysctl_net_ipv4_tcp_syncookies ++ - sysctl_net_ipv4_tcp_syncookies_value=enabled ++ - sysctl_net_ipv6_conf_all_accept_ra ++ - sysctl_net_ipv6_conf_all_accept_ra_value=disabled ++ - sysctl_net_ipv6_conf_default_accept_ra ++ - sysctl_net_ipv6_conf_default_accept_ra_value=disabled ++ - package_firewalld_installed ++ - service_firewalld_enabled ++ - package_iptables_installed +-- +2.34.1 + diff --git a/meta-security/recipes-compliance/scap-security-guide/files/run_eval.sh b/meta-security/recipes-compliance/scap-security-guide/files/run_eval.sh new file mode 100644 index 0000000000..cc79bac9a1 --- /dev/null +++ b/meta-security/recipes-compliance/scap-security-guide/files/run_eval.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +oscap xccdf eval --results results.xml --report report.html --profile xccdf_org.ssgproject.content_profile_standard /usr/share/xml/scap/ssg/content/ssg-openembedded-ds.xml diff --git a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb new file mode 100644 index 0000000000..31ab96e526 --- /dev/null +++ b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb 
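Review bot: the expanded selection list in standard.profile contains rules that conflict or duplicate: `sshd_set_loglevel_verbose` and `sshd_set_loglevel_info` require different LogLevel values, so one of them will always fail, and `login_banner_text=cis_banners` is listed twice. Many of the added rules also assume a RHEL-style system that an OpenEmbedded image need not have (`configure_crypto_policy` with `var_system_crypto_policy` needs crypto-policies, `ensure_gpgcheck_globally_activated` needs yum/dnf, `set_password_hashing_algorithm_systemauth` needs /etc/pam.d/system-auth, `grub2_password` and the grub2_cfg ownership and permission rules need GRUB 2, `package_firewalld_installed` and `service_firewalld_enabled` need firewalld), while the unchanged description still promises rules that "should pass quickly on most systems"; either drop those selections or update the description. The commit message has both `Upstream-Status: Pending` and `Upstream-status: Pending`; keep a single `Upstream-Status:` line, which is the spelling the OE patch checks look for. In run_eval.sh, `results.xml` and `report.html` are written relative to whatever directory the caller is in and the profile id is hard-coded; taking the output directory and profile as arguments, and adding `set -e`, would make the helper usable from an init script or CI job.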
@@ -0,0 +1,45 @@ +# Copyright (C) 2017 - 2023 Armin Kuster <akuster808@gmail.com> +# Released under the MIT license (see COPYING.MIT for the terms) + +SUMARRY = "SCAP content for various platforms, upstream version" +HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/" +LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820" +LICENSE = "BSD-3-Clause" + +SRCREV = "dad85502ce8da722a6afc391346c41cee61e90a9" +SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \ + file://0001-scap-security-guide-add-openembedded.patch \ + file://0001-standard.profile-expand-checks.patch \ + file://0001-scap-security-guide-add-Poky-support.patch \ + file://run_eval.sh \ + " + + +DEPENDS = "openscap-native python3-pyyaml-native python3-jinja2-native libxml2-native expat-native coreutils-native" + +S = "${WORKDIR}/git" +B = "${S}/build" + +inherit cmake pkgconfig python3native python3targetconfig + +OECMAKE_GENERATOR = "Unix Makefiles" + +EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OE=ON" + +do_configure[depends] += "openscap-native:do_install" + +do_configure:prepend () { + sed -i -e 's:NAMES\ sed:NAMES\ ${HOSTTOOLS_DIR}/sed:g' ${S}/CMakeLists.txt + sed -i -e 's:NAMES\ grep:NAMES\ ${HOSTTOOLS_DIR}/grep:g' ${S}/CMakeLists.txt +} + +do_install:append() { + install -d ${D}${datadir}/openscap + install ${WORKDIR}/run_eval.sh ${D}${datadir}/openscap/. +} + +FILES:${PN} += "${datadir}/xml ${datadir}/openscap" + +RDEPENDS:${PN} = "openscap" + +COMPATIBLE_HOST:libc-musl = "null" |
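Review bot: `SUMARRY` and `HOME_URL` in scap-security-guide_0.1.67.bb are not BitBake variables; they should be `SUMMARY` and `HOMEPAGE`, otherwise the metadata is silently dropped. `do_configure[depends] += "openscap-native:do_install"` is redundant because `openscap-native` is already in DEPENDS. The two `sed -i` rewrites of `NAMES sed` and `NAMES grep` in do_configure:prepend edit the checked-out CMakeLists.txt at configure time; carrying that change as a .patch next to the other three, or passing the tool locations through EXTRA_OECMAKE, would keep it visible in review and reproducible. PV is 0.1.67 but SRC_URI fetches a fixed SRCREV from `branch=master`; if the intent is the 0.1.67 release, pin to its tag, otherwise make PV reflect that this is a git snapshot.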