author: Patrick Williams <patrick@stwcx.xyz> 2021-05-19 04:42:15 +0300
committer: Patrick Williams <patrick@stwcx.xyz> 2021-05-19 04:57:23 +0300
commit: d7eca3aaccf58555fa5619465140d3b71204720c
tree: 6a6088979a6e8c3ee0e6e5f18116d7efef935062 /meta-security
parent: 2c4f2cf6b7e6860bdf024da8fdf998b97c66c39b
download: openbmc-d7eca3aaccf58555fa5619465140d3b71204720c.tar.xz

subtree updates (2.10.0-rc1)
meta-raspberrypi: 8cffbf5e85..b601818301: Changqing Li (1): 99-com.rules: fix error invalid substitution type Khem Raj (2): linux-firmware-rpidistro: Update to 20190114-1+rpt11 bluez-firmware-rpidistro: Update to 1.2-4+rpt8 Pierre-Jean Texier (1): rpi-base: make SPLASH overridable from outside SCVready (1): rpi-config: comment updated matt-hammond-bbc (1): libva: Fix for when using `userland` poky: 1203d1f24d..05a8aad57c: Alejandro Enedino Hernandez Samaniego (2): python3: Upgrade 3.9.2 -> 3.9.4 python3: Improve logging, syntax and update deprecated modules to create_manifest Alexander Kanavin (6): scripts/oe-debuginfod: correct several issues oeqa: tear down oeqa decorators if one of them raises an exception in setup meta/lib/oeqa/core/tests/cases/timeout.py: add a testcase for the previous fix Revert "oeqa: Set LD_LIBRARY_PATH when executing native commands" diffoscope: add native libraries to LD_LIBRARY_PATH linux-firmware: upgrade 20210208 -> 20210315 Anders Wallin (2): lttng-tools: Fix missing legacy test files lttng-tools: Fix path for test_python_looging Anthony Bagwell (1): systemd: upgrade 247.4 -> 247.6 Anuj Mittal (2): qemu: fix CVE-2021-3392 lsb-release: fix reproducibility failure Bruce Ashfield (19): linux-yocto/5.4: update to v5.4.109 linux-yocto/5.10: update to v5.10.27 linux-yocto/5.10: BSP configuration fixes linux-yocto/5.10: update to v5.10.29 linux-yocto/5.4: update to v5.4.111 linux-yocto/5.10: update to v5.10.30 linux-yocto-rt/5.10: update to -rt34 linux-yocto/5.4: update to v5.4.112 linux-yocto/5.4: fix arm defconfig warnings linux-yocto/5.10: fix arm defconfig warnings linux-yocto/5.10: aufs fixes linux-yocto/5.10: qemuriscv32.cfg: RV32 only supports 1G physical memory linux-yocto/5.10: update to v5.10.32 perf: fix python-audit RDEPENDS linux-yocto/5.4: update to v5.4.114 linux-yocto/5.10: update to v5.10.34 linux-yocto/5.4: update to v5.4.116 linux-yocto/5.10: qemuppc32: reduce serial shutdown issues linux-yocto/5.4: qemuppc32: reduce 
serial shutdown issues Changqing Li (2): cairo: fix CVE-2020-35492 gdk-pixbuf: fix CVE-2021-20240 Chen Qi (5): busybox: fix CVE-2021-28831 glib-2.0: fix CVE-2021-28153 weston: fix build failure due to race condition rsync: fix CVE-2020-14387 db: update CVE_PRODUCT Christophe Chapuis (1): rootfs.py: find .ko.gz and .ko.xz kernel modules as well Daniel Ammann (1): archiver: Fix typos Douglas Royds (2): Revert "externalsrc: Detect code changes in submodules" externalsrc: Detect code changes in submodules Gavin Li (1): kmod: do not symlink config.guess/config.sub during autoreconf He Zhe (1): linux-yocto-dev: add features/scsi/scsi-debug.scc features/gpio/mockup.scc to KERNEL_FEATURES Jon Mason (1): oeqa/runtime: space needed Jonas Höppner (1): ltp: fix empty ltp-dev package Jose Quaresma (1): ptest-runner: libgcc must be installed for pthread_cancel to work Joshua Watt (1): classes/image: Use xargs to set file timestamps Kai Kang (3): kernel-yocto.bbclass: chdir to ${WORKDIR} for do_kernel_checkout cmake.bbclass: remove ${B} before cmake_do_configure grub2.inc: remove '-O2' from CFLAGS Kevin Hao (3): modutils-initscripts: Bail out when no module is installed sysvinit-inittab/start_getty: Check /sys for the tty device existence Revert "inittab: Add getty launch on hvc0 for qemuppc64" Khairul Rohaizzat Jamaluddin (1): qemu: Fix CVE-2020-35517 Khem Raj (6): ca-certificates: Fix openssl runtime cert dependencies systemd: Fix build on mips/musl go: Use dl.google.com for SRC_URI libjpeg-turbo: Use --reproducible option for nasm busybox: Fix reproducibility webkitgtk: Fix reproducibility in minibrowser Konrad Weihmann (1): cve-update-db-native: skip on empty cpe23Uri Michael Opdenacker (1): sanity.bbclass: mention CONNECTIVITY_CHECK_URIS in network failure message Mikko Rapeli (2): bitbake: bitbake: tests/fetch: fix test execution without .gitconfig bitbake: bitbake: tests/fetch: remove write protected files too Mingli Yu (6): groff: not ship /usr/bin/grap2graph libtool: 
make sure autoheader run before automake packagegroup-core-tools-profile: Remove valgrind for riscv32 packagegroup-core-tools-testapps.bb: Remove kexec for riscv32 libxshmfence: Build fixes for riscv32 rpm: Upgrade to 4.16.1.3 Niels Avonds (1): bitbake: fetch/gitsm: Fix crash when using git LFS and submodules Peter Budny (1): lib/oe/terminal: Fix tmux new-session on older tmux versions (<1.9) Peter Kjellerstedt (1): libcap: Configure Make variables correctly without a horrible hack Randy MacLeod (1): oe-time-dd-test.sh: increase timeout to 15 sec Reto Schneider (2): license_image.bbclass: Detect broken symlinks license_image.bbclass: Fix symlink to generic license files Richard Purdie (22): oeqa/selftest: Hardcode test assumptions about heartbeat event timings bitbake: runqueue: Fix deferred task issues pseudo: Upgrade to add trailing slashes ignore path fix oeqa/selftest: Ensure packages classes are set correctly for maintainers test sanity: Add error check for '%' in build path runqemu: Ensure we cleanup snapshot files after image run yocto-check-layer: Avoid bug when iterating and autoadding dependencies patchelf: Backport fix from upstream for note section overlap error bitbake: runqueue: Fix multiconfig deferred task sstate validity caching issue bitbake: runqueue: Handle deferred task rehashing in multiconfig builds patchelf: Fix note section alignment issues patchelf: Fix alignment patch pybootchart/draw: Avoid divide by zero error yocto-uninative: Update to 3.1 which includes a patchelf fix lib/package_manager: Use shutil.copy instead of bb.utils.copyfile for intercepts oeqa/qemurunner: Improve logging thread exit handling for qemu shutdown test oeqa/qemurunner: Fix binary vs str issue oeqa/qemurunner: Improve handling of run_serial for shutdown commands puzzles: Upstream changed to main branch for development poky.conf: Bump version for 3.3.1 hardknott release build-appliance-image: Update to hardknott head revision documentation: prepare for 3.3.1 release 
Romain Naour (1): dejagnu: needs expect at runtime Ross Burton (4): bitbake: bitbake-server: ensure server timeout is a float insane: clean up some more warning messages glslang: strip whitespace in pkgconfig file oe-buildenv-internal: add BitBake's library to PYTHONPATH Sakib Sajal (10): oe-time-dd-test.sh: make executable oe-time-dd-test.sh: provide more information from "top" qemu: fix CVE-2021-20181 qemu: fix CVE-2020-29443 qemu: fix CVE-2021-20221 qemu: fix CVE-2021-3409 qemu: fix CVE-2021-3416 qemu: fix CVE-2021-20257 qemu: fix CVE-2020-27821 qemu: fix CVE-2021-20263 Saul Wold (1): pango: re-enable ptest Stefan Ghinea (3): wpa-supplicant: fix CVE-2021-30004 libssh2: fix build failure with option no-ecdsa xserver-xorg: fix CVE-2021-3472 Trevor Gamblin (1): nettle: upgrade 3.7.1 -> 3.7.2 Ulrich Ölmann (1): arch-armv6m.inc: fix access rights Vinícius Ossanes Aquino (1): lttng-modules: backport patches to fix build against 5.12+ kernel Wes Lindauer (1): oeqa/runtime/cases: Only disable/enable for current boot Yanfei Xu (1): parselogs: ignore floppy error on qemu-system-x86 at boot stage Yann Dirson (1): linux-firmware: include all relevant files in -bcm4356 Yi Fan Yu (1): libevent: Increase ptest timing tolerance 50 ms -> 100 ms hongxu (1): deb: apply postinstall on sdk wangmy (4): mesa: upgrade 21.0.1 -> 21.0.2 go: update SRC_URI to use https protocol go: upgrade 1.16.2 -> 1.16.3 mesa: upgrade 21.0.2 -> 21.0.3 zhengruoqin (2): wireless-regdb: upgrade 2020.11.20 -> 2021.04.21 ruby: upgrade 3.0.0 -> 3.0.1 meta-openembedded: 98175fd0cc..bbe3855ec7: Aditya.Tayade (1): neon: Add ptest Andreas Müller (17): udisks2: upgrade 2.9.1 -> 2.9.2 / replace '_git' by version in recipe-name poppler: upgrade 21.02.0 -> 21.03.0 xfce4-panel: upgrade 4.16.1 -> 4.16.2 xfce4-cpugraph-plugin: upgrade 1.2.1 -> 1.2.3 xfce4-time-out-plugin: upgrade 1.1.1 -> 1.1.2 mousepad: upgrade 0.5.2 -> 0.5.3 xfce4-panel-profiles: 1.0.12 -> 1.0.13 thunar: upgrade 4.16.2 -> 4.16.4 xfce4-taskmanager: 
upgrade 1.4.0 -> 1.4.2 networkmanager-openvpn: Fix packageing mousepad: upgrade 0.5.3 -> 0.5.4 xfce4-battery-plugin: upgrade 1.1.3 -> 1.1.4 gigolo: upgrade 0.5.1 -> 0.5.2 thunar: upgrade 4.16.4 -> 4.16.6 poppler: upgrade 21.03.0 -> 21.04.0 catfish: add python3-dbus to RDEPENDS fluidsynth: upgrade 2.1.7 -> 2.2.0 Andrei Gherzan (6): python3-pep8: Fix HOMEPAGE python3-mccabe: Fix HOMEPAGE python3-ifaddr: Integrate a dependency of pysonos python3-pysonos: Integrate the SONOS control HomeAssistant module python3-aiohue: Integrate the hue control python module packagegroup-meta-python: Add new modules (aiohue, ifaddr, pysonos) Andrej Valek (1): jsoncpp: Upgrade to 1.9.4 Andrew Geissler (1): nodejs: ppc64le machine support Armin Kuster (3): wireguard: update to v1.0.20210219 +1 nostromo: Blacklist and exclude from world builds packagegroup-meta-webserver: remove nostromo from pkg grp Awais Belal (1): libnet-ssleay-perl: add rdep on perl-module-autoloader Bartosz Golaszewski (11): pystemd: satisfy runtime dependencies python3-pythonping: new package python3-wpa-supplicant: new package python3-txdbus: new package python3-wpa-supplicant: add runtime dependencies python3-wpa-supplicant: fix importing the cli submodule python3-wpa-supplicant: replace DESCRIPTION with SUMMARY libgpiod: update v1.6.2 -> v1.6.3 python3-txdbus: add missing runtime dependencies python3-jmespath: new package python3-docutils: new package Ben Gampe (1): python3-h11: new package Carlos Rafael Giani (1): pipewire: Upgrade to 0.3.24 Changqing Li (2): php: allow php as empty openldap: upgrade 2.4.57 -> 2.4.58 Chen Qi (2): tigervnc: upgrade to 1.11.0 python3-django: upgrade to 2.2.20 Clément Péron (2): grpc: move grpc plugins to a new grpc-compiler package nodejs: 12.20.2 -> 12.21.0 Colin McAllister (1): python3-gpsd-py3: Added recipe Daniel Wagenknecht (1): gnome-keyring: set file capabilities in pkg_postinst Denys Dmytriyenko (1): glmark2: also depend on wayland-protocols when wayland distro feature is 
on Devon Pringle (1): python3-pastedeploy: Add recipe Fabio Berton (1): python3-requests: Support idna version 3.1 Hermes Zhang (1): gpsd: backport d-bus message time patch from upstream Hongxu Jia (1): debootstrap: 1.0.67 -> 1.0.123 INC@Cisco) (2): bpftool: remove recipe from blacklist bpftool: improve reproducibility Jan Kaisrlik (1): abseil-cpp: reorder content of packages Joe Hershberger (1): strongswan: Make PACKAGECONFIG a default value Joshua Watt (1): classes: Add Android sparse image class Kai Kang (9): python3-pillow: 8.1.0 -> 8.1.2 xfce4-cpufreq-plugin: 1.2.2 -> 1.2.5 exo: 4.16.0 -> 4.16.1 xfce4-netload-plugin: 1.3.2 -> 1.4.0 xfce4-genmon-plugin: 4.1.0 -> 4.1.1 xfce4-weather-plugin: 0.10.2 -> 0.11.0 xfce4-systemload-plugin: 1.2.4 -> 1.3.0 xfce4-taskmanager: 1.4.2 -> 1.5.2 freeradius: check existence of openssl's commands in bootstrap Kamil Dziezyk (1): bats: upgrade 1.1.0 -> 1.3.0 Kartikey Rameshbhai Parmar (1): fluidsynth: update SRC_URI to remove non-existing 2.1.x branch Khem Raj (77): nss: Disable Werror open-vm-tools: Do not use volatile qualifier dconf-editor: Fix build with vala 0.50.4 libbacktrace: Add recipe libleak: Add recipe packagegroup-meta-oe: Add libleak to packagegroup-meta-oe-extended mongodb: Upgrade to 4.4.4 packagegroup-meta-python: Add python3-semantic-version python3-grpcio: Upgrade to 1.36.1 python3-grpcio: Fix build on mips and musl mpv: Link libatomic on riscv64 glog: Link with libexecinfo on musl musl-nscd: Make lex syntax posix'y libbpf: Depend on virtual/kernel:do_shared_workdir waf-cross-answers: Add powerpc64le version python3-grpcio,python3-grpcio-tools: Disable for ppc64le openh264: Disable building for ppc64le ufs-utils: Upgrade to 1.9 libhugetlbfs: Fix ARCH setting for ppc64 LE nodejs: Set correct nodejs arch for ppc64le libnma: Disbale vapi xrdp: Upgrade to 0.9.15 ply: upgrade to latest ply: Disable on ppc64 ltrace: Fix build on ppc64le/musl oprofile: Fix build on musl gperftools: Update SRCREV to point to 2.9.1 
release mongodb: Fix cross build on ppc64le abseil-cpp: Fix build on musl and ppc64 mariadb: Fix build on musl/ppc mongodb: Fix build on ppc64le breakpad: Upgrade to latest ssiapi: Disable for ppc64 kexec-tools-klibc: Use SITEINFO_BITS to construct includepath breakpad: Exclude for ppc64 python3-grpcio,python3-grpcio-tools: Enable build on ppc64/glibc breakpad: Do not fallback to android implementation for getcontext/setcontext on musl oprofile: Upgrade to 1.4.0 release vboxguestdrivers: Add __divmoddi4 builtin support links-x11,links: Upgrade to 2.22 layers: Drop gatesgarth from LAYERSERIES_COMPAT xxhash: Remove recipe gsound: Use () instead of {} for makefile variable in gsound_play_VALAFLAGS pipewire: Package systemd unit file for pipewire-media-session packagegroup-meta-python: Add new package python3-pythonping python3-spidev: Remove recipe for 3.2 python3-werkzeug: Clarify BSD license type python3-werkzeug: Delete recipe for 1.0.0 python3-hexdump: Move cleanup_hexfile into install_append cryptsetup: DEPEND on renamed util-linux-libuuid tracker-miners: Check for commercial license to enable ffmpeg gnome-settings-daemon: Do not generate meson.native libb64: Add recipe sysdig: Upgrade to 0.27.1 sysdig: Depend on system libb64 gimp: Disable vector iconn on rv32/musl libcamera: Update the patch to upstreamed one flashrom: Add remaining RISCV support mpd: Check for commercial in LICENSE_FLAGS_WHITELIST mpv: Exclude from world if commercial is not in inclusion list sox: Exclude from world if commercial is not in inclusion list vlc: Exclude from world if commercial is not in inclusion list sox: Remove LICENSE_FLAGS = "commercial" mariadb: Fix build on newer 32bit architectures libmanette: Add recipe pidgin-sipe: Fix build with glib-2.0 >= 2.68 gjs: Fix build with gcc11 poppler: Backport patches to fix build with glib-2.0 2.68+ and GCC11 opencv: Upgrade to 5.4.2 tbb: Fix build with musl core-image-minimal-xfce: Use graphical.target as default vnstat: Disable install 
parallism to fix a potential install race open-vm-tools: Fix build with gcc 11 nss: Re-enable -Werror gimp: Disable vector icon generation on mips/glibc too tbb: Re-introduce PE gimp: Disable vector icons on musl/x86 Leon Anavi (134): python3-elementpath: Upgrade 2.1.4 -> 2.2.0 python3-twisted: Upgrade 20.3.0 -> 21.2.0 python3-ipython: Upgrade 7.20.0 -> 7.21.0 python3-yamlloader: Upgrade 0.5.5 -> 1.0.0 python3-astroid: Upgrade 2.5 -> 2.5.1 python3-portion: Upgrade 2.1.4 -> 2.1.5 python3-pandas: Upgrade 1.2.2 -> 1.2.3 python3-ruamel-yaml: Upgrade 0.16.12 -> 0.16.13 python3-prettytable: Upgrade 2.0.0 -> 2.1.0 python3-huey: Upgrade 2.3.0 -> 2.3.1 python3-pychromecast: Upgrade 8.1.0 -> 9.1.1 python3-incremental: Upgrade 17.5.0 -> 21.3.0 python3-waitress: Upgrade 1.4.4 -> 2.0.0 python3-pako: Upgrade 0.3.0 -> 0.3.1 python3-pyscaffold: Upgrade 3.3.1 -> 4.0 python3-croniter: Upgrade 1.0.6 -> 1.0.8 python3-prompt-toolkit: Upgrade 3.0.16 -> 3.0.17 python3-pymisp: Upgrade 2.4.138 -> 2.4.140 python3-jsonpatch: Upgrade 1.31 -> 1.32 python3-jsonpointer: Upgrade 2.0 -> 2.1 python3-configargparse: Upgrade 1.3 -> 1.4 python3-luma-core: Upgrade 2.2.0 -> 2.3.1 python3-pycodestyle: Upgrade 2.6.0 -> 2.7.0 python3-bitarray: Upgrade 1.7.0 -> 1.7.1 python3-alembic: Upgrade 1.5.5 -> 1.5.7 python3-pyflakes: Upgrade 2.2.0 -> 2.3.0 python3-autobahn: Upgrade 21.2.2 -> 21.3.1 python3-pulsectl: Upgrade 21.2.0 -> 21.3.4 python3-configparser: Upgrade 5.0.1 -> 5.0.2 python3-defusedxml: Upgrade 0.6.0 -> 0.7.1 python3-twine: Upgrade 3.3.0 -> 3.4.0 python3-socketio: Upgrade 5.0.4 -> 5.1.0 python3-soupsieve: Upgrade 2.2 -> 2.2.1 python3-cassandra-driver: Upgrade 3.24.0 -> 3.25.0 python3-urllib3: Upgrade 1.26.3 -> 1.26.4 python3-bitarray: Upgrade 1.7.1 -> 1.8.0 python3-pyscaffold: Upgrade 4.0 -> 4.0.1 python3-flask-migrate: Upgrade 2.6.0 -> 2.7.0 python3-grpcio-tools: Upgrade 1.35.0 -> 1.36.1 python3-humanize: Upgrade 3.2.0 -> 3.3.0 python3-regex: Upgrade 2020.11.13 -> 2021.3.17 python3-twine: Upgrade 
3.4.0 -> 3.4.1 python3-isort: Upgrade 5.7.0 -> 5.8.0 python3-sqlalchemy: Upgrade 1.3.23 -> 1.4.2 python3-scrypt: Upgrade 0.8.6 -> 0.8.17 python3-colorlog: Upgrade 4.7.2 -> 4.8.0 python3-croniter: Upgrade 1.0.8 -> 1.0.9 python3-pyperf: Upgrade 2.1.0 -> 2.2.0 python3-lazy-object-proxy: Upgrade 1.5.2 -> 1.6.0 python3-prompt-toolkit: Upgrade 3.0.17 -> 3.0.18 python3-configshell-fb: Upgrade 1.1.28 -> 1.1.29 python3-backports-functools-lru-cache: Upgrade 1.6.1 -> 1.6.3 python3-pytest-helpers-namespace: Upgrade 2019.1.8 -> 2021.3.24 python3-elementpath: Upgrade 2.2.0 -> 2.2.1 python3-alembic: Upgrade 1.5.7 -> 1.5.8 python3-rfc3339-validator: Upgrade 0.1.2 -> 0.1.3 python3-pyflakes: Upgrade 2.3.0 -> 2.3.1 python3-pint: Upgrade 0.16.1 -> 0.17 python3-flask-sqlalchemy: Upgrade 2.4.4 -> 2.5.1 python3-django: Upgrade 3.1.1 -> 3.1.7 python3-djangorestframework: Upgrade 3.12.2 -> 3.12.3 python3-ruamel-yaml: Upgrade 0.16.13 -> 0.17.0 python3-bitarray: Upgrade 1.8.0 -> 1.8.1 python3-sqlalchemy: Upgrade 1.4.2 -> 1.4.3 python3-xmlschema: Upgrade 1.5.1 -> 1.5.3 python3-croniter: Upgrade 1.0.9 -> 1.0.10 python3-astroid: Upgrade 2.5.1 -> 2.5.2 python3-pyroute2: Upgrade 0.5.14 -> 0.5.15 python3-coverage: Upgrade 5.4 -> 5.5 python3-gunicorn: Upgrade 20.0.4 -> 20.1.0 python3-djangorestframework: Upgrade 3.12.3 -> 3.12.4 python3-ipython: Upgrade 7.21.0 -> 7.22.0 python3-openpyxl: Upgrade 3.0.6 -> 3.0.7 python3-ruamel-yaml: Upgrade 0.17.0 -> 0.17.2 python3-sqlalchemy: Upgrade 1.4.3 -> 1.4.4 python3-bitarray: Upgrade 1.8.1 -> 1.8.2 python3-httplib2: Upgrade 0.19.0 -> 0.19.1 python3-parso: Upgrade 0.8.1 -> 0.8.2 python3-matplotlib: Upgrade 3.3.4 -> 3.4.1 python3-pyroute2: Upgrade 0.5.15 -> 0.5.16 python3-h5py: Upgrade 3.1.0 -> 3.2.1 python3-cheetah: Upgrade 3.2.6 -> 3.2.6.post1 python3-google-api-python-client: Upgrade 2.0.2 -> 2.1.0 python3-xlsxwriter: Upgrade 1.3.7 -> 1.3.8 python3-pymisp: Upgrade 2.4.140 -> 2.4.141 python3-tqdm: Upgrade 4.58.0 -> 4.59.0 python3-contextlib2: Upgrade 0.6.0 
-> 0.6.0.post1 python3-typeguard: Upgrade 2.11.1 -> 2.12.0 python3-decorator: Upgrade 4.4.2 -> 5.0.1 python3-pillow: Upgrade 8.1.2 -> 8.2.0 python3-aiohttp: Upgrade 3.7.4 -> 3.7.4.post0 python3-networkx: Upgrade 2.5 -> 2.5.1 python3-pysonos: Upgrade 0.0.40 -> 0.0.41 python3-docutils: Upgrade 0.16 -> 0.17 python3-bitarray: Upgrade 1.8.2 -> 1.9.0 python3-regex: Upgrade 2021.3.17 -> 2021.4.4 python3-sqlalchemy: Upgrade 1.4.4 -> 1.4.5 python3-pychromecast: Upgrade 9.1.1 -> 9.1.2 python3-decorator: Upgrade 5.0.1 -> 5.0.5 python3-pymisp: Upgrade 2.4.141 -> 2.4.141.1 python3-pyroute2: Upgrade 0.5.16 -> 0.5.17 python3-transitions: Upgrade 0.8.7 -> 0.8.8 python3-sqlalchemy: Upgrade 1.4.5 -> 1.4.6 python3-bitarray: Upgrade 1.9.0 -> 1.9.1 python3-pysonos: Upgrade 0.0.41 -> 0.0.42 python3-django: Upgrade 3.1.7 -> 3.2 python3-tqdm: Upgrade 4.59.0 -> 4.60.0 python3-xmlschema: Upgrade 1.5.3 -> 1.6.0 python3-ruamel-yaml: Upgrade 0.17.2 -> 0.17.4 python3-croniter: Upgrade 1.0.10 -> 1.0.11 python3-decorator: Upgrade 5.0.5 -> 5.0.6 python3-grpcio-tools: Upgrade 1.36.1 -> 1.37.0 python3-speedtest-cli: Upgrade 2.1.2 -> 2.1.3 python3-python-vlc: Upgrade 3.0.11115 -> 3.0.12117 python3-robotframework: Upgrade 4.0 -> 4.0.1 python3-grpcio: Upgrade 1.36.1 -> 1.37.0 python3-cerberus: Upgrade 1.3.2 -> 1.3.3 python3-humanize: Upgrade 3.3.0 -> 3.4.0 python3-monotonic: Upgrade 1.5 -> 1.6 python3-sqlalchemy: Upgrade 1.4.6 -> 1.4.7 python3-typed-ast: Upgrade 1.4.2 -> 1.4.3 python3-backports-functools-lru-cache: Upgrade 1.6.3 -> 1.6.4 python3-xmlschema: Upgrade 1.6.0 -> 1.6.1 python3-pyroute2: Upgrade 0.5.17 -> 0.5.18 python3-sympy: Upgrade 1.7.1 -> 1.8 python3-pandas: Upgrade 1.2.3 -> 1.2.4 python3-humanize: Upgrade 3.4.0 -> 3.4.1 python3-decorator: Upgrade 5.0.6 -> 5.0.7 python3-colorlog: Upgrade 4.8.0 -> 5.0.1 python3-google-api-python-client: Upgrade 2.1.0 -> 2.2.0 python3-croniter: Upgrade 1.0.11 -> 1.0.12 python3-pysonos: Upgrade 0.0.42 -> 0.0.43 python3-asttokens: Upgrade 2.0.4 -> 2.0.5 
python3-hyperframe: Upgrade 6.0.0 -> 6.0.1 Luca Boccassi (3): cryptsetup: depend on new util-linux-uuid to break cycle dbus-broker: upgrade 26 -> 27 dbus-broker: upgrade 27 -> 28 Marius Kriegerowski (1): tmate: add recipe version 2.4.0 Martin Jansa (25): glog: fix searching for Libunwind ceres-solver: prevent fetching git hook during do_configure packagegroup-meta-oe: include abseil-cpp for all architectures packagegroup-meta-oe: include nodejs without meta-python2 conditional packagegroup-meta-oe: move the packages depending on meta-python2 to separate packages mysql-python, lio-utils, openlmi-tools: add conditional PNBLACKLIST like meta-python2 does conf/layer.conf: include .bbappend files in BBFILES_DYNAMIC open-vm-tools: move to meta-networking packagegroup-meta-{oe,multimedia}: move pipewire to the right packagegroup packagegroup-meta-multimedia: include projucer only with x11 in DISTRO_FEATURES packagegroup-meta-multimedia: include vlc only with x11 in DISTRO_FEATURES packagegroup-meta-oe: include glfw, icewm, geis only with x11 in DISTRO_FEATURES phonet-utils: remove packagegroup-meta-oe: use 4 spaces for identation telepathy-glib: respect GI_DATA_ENABLED when enabling vala-bindings uml-utilities: fix installed-vs-shipped with usrmerge libsmi: use /bin/sh instead of ${base_bindir}/sh to silence QA error with usrmerge libyui: switch to libyui-old repo which still has this SRCREV libyui(-ncurses): upgrade to 4.1.1, libyui repo was rewritten completely android-tools: use PN instead of BPN in RDEPENDS pidgin-sipe: fix g_memdup2 changes to be backwards compatible with glib-1.67 pidgin: upgrade to 2.14.2 opencv: fetch wechat_qrcode files used by dnn PACKAGECONFIG opencv: link sfm module with Glog ostree: switch from default master branch to main to fix do_fetch failure Matteo Croce (1): libbpf: use pkg-config Michael Vetter (1): jasper: upgrade 2.0.25 -> 2.0.26 Ming Liu (1): atftp: move atftpd.init from files to atftp subdirectory Mingli Yu (10): geoip: Switch to 
use the main branch geoip-perl: Switch to use the main branch bridge-utils: Switch to use the main branch netkit-telnet: Update SRC_URI quagga: Update SRC_URI hostapd: fix CVE-2019-5061 freeradius: Upgrade to 3.0.21 hostapd: fix CVE-2021-0326 and CVE-2021-27803 php: Upgrade to 7.4.16 python3-cryptography: Upgrade to 3.3.2 Naveen Saini (2): tbb: upgrade 2020.3 -> 2021.2.0 ocl-icd: upgrade 2.2.14 -> 2.3.0 Nisha Parrakat (1): neon: use pkg-config instead of xml2-config to configure Oleksandr Kravchuk (10): ipset: update to 7.11 libnice: update to 0.1.18 nbdkit: update to 1.25.3 python3-bitarray: update to 1.7.0 python3-google-api-python-client: update to 2.0.2 python3-jsonpatch: update to 1.31 python3-websocket-client: update to 0.58.0 python3-robotframework: update to 4.0 python3-sentry-sdk: update to 1.0.0 aom: update to 3.0.0 Peace Lee (2): guider: Upgrade 3.9.7 -> 3.9.8 guider: Upgrade 3.9.7 -> 3.9.8 Persian Prince (1): tinymembench: Correct PV Philip Balister (1): fftw: Add support for ptest. 
Randy MacLeod (8): gperftools: upgrade 2.8.1 -> 2.9.1 zabbix: upgrade 4.4.6 -> 5.2.5 nss: upgrade 3.60.1 -> 3.62 xterm: upgrade 362 -> 366 zstd: remove the recipe since it moved to oe-core tclap: upgrade 1.2.2 -> 1.4.0 doxygen: Upgrade 1.8.20 -> 1.9.1 open-vm-tools: upgrade 11.0.1 -> 11.2.5 Ross Burton (4): libxmlb: upgrade to 0.3.0 flashrom: recipe cleanup openjpeg: add native/nativesdk class extension fwts: upgrade to 21.03.00 Sakib Sajal (1): grpc: upgrade 1.36.1 -> 1.36.2 Sam Van Den Berge (1): libiio: fix build when python bindings are enabled Sana Kazi (1): mdns: Whitelisted CVE-2007-0613 for mdns Sinan Kaya (1): zram: add support for mem_limit Stefan Ghinea (2): hostapd: fix CVE-2021-30004 python3-django: fix CVE-2021-28658 Stefan Schmidt (2): musl-rpmatch_git.bb: add new recipe to provide rpmatch() for musl libc builds plymouth_0.9.5.bb: allow building with musl libc Ulrich Ölmann (1): v4l-utils: fix reproducibility Valentin Longchamp (1): libssh: add gcrypt to PACKAGECONFIG Vinicius Aquino (1): networkmanager: upgrade 1.28.0 -> 1.30.2 Vinícius Ossanes Aquino (2): modemmanager: upgrade 1.14.10 -> 1.16.2 libqmi: upgrade 1.26.6 -> 1.28.2 Wang Mingyu (3): czmq: Conflict resolution for sha1.h python3-lxml: upgrade 4.6.2 -> 4.6.3 python3-zopeinterface: upgrade 5.2.0 -> 5.3.0 Yann Dirson (1): mpv: remove explicit LICENSE_FLAGS Yi Fan Yu (7): librelp: update 1.6.0 -> 1.10.0 rsyslog: Fix rsyslog systemd service not starting rsyslog: fix some of the ptests redis: upgrade 6.0.9 -> 6.2.1 syslog-ng: upgrade 3.24.1 -> 3.31.2 syslog-ng: remove CONFIG_TLS override for arm DEBUG_BUILD syslog-ng: Drop an obsolete patch to add --enable-libnet Yi Zhao (3): quagga: do not set PIDFile in service files tclap: add pkg-config file gvfs: rdepend on gsettings-desktop-schemas Zang Ruochen (1): gtkwave: upgrade 3.3.104 -> 3.3.108 akuster (1): README: updated Maintainers list for Hardknott hasan.men (2): librdkafka: Add initial recipe v1.6.1 libcppkafka: Add initial recipe for cppkafka 
wrapper persianpros (5): PEP8 double aggressive E701, E70 and E502 PEP8 double aggressive E20 and E211 PEP8 double aggressive E22, E224, E241, E242 and E27 PEP8 double aggressive E301 ~ E306 PEP8 double aggressive W291 ~ W293 and W391 wangmy (2): mariadb: upgrade 10.5.8 -> 10.5.9 uftrace: Fix error on aarch64 when binutils update to 2.35.1 zangrc (38): dovecot: upgrade 2.3.13 -> 2.3.14 fetchmail: upgrade 6.4.16 -> 6.4.17 dialog: upgrade 1.3-20210117 -> 1.3-20210306 fio: upgrade 3.25 -> 3.26 xorriso: upgrade 1.5.3 -> 1.5.5 iscsi-initiator-utils: upgrade 2.1.3 -> 2.1.4 mosquitto: upgrade 2.0.8 -> 2.0.9 nbdkit: upgrade 1.25.3 -> 1.25.4 wireguard-tools: upgrade 1.0.20210223 -> 1.0.20210315 wireshark: upgrade 3.4.3 -> 3.4.4 live555: upgrade 20210129 -> 20210322 mg: upgrade 20200723 -> 20210314 nanopb: upgrade 0.4.4 -> 0.4.5 nss: upgrade 3.62 -> 3.63 uriparser: upgrade 0.9.4 -> 0.9.5 gnome-autoar: upgrade 0.2.4 -> 0.3.1 emacs: upgrade 27.1 -> 27.2 fbgrab: upgrade 1.4 -> 1.5 ostree: upgrade 2020.8 -> 2021.1 zabbix: upgrade 5.2.5 -> 5.2.6 libxaw: upgrade 1.0.13 -> 1.0.14 mosquitto: upgrade 2.0.9 -> 2.0.10 nbdkit: upgrade 1.25.4 -> 1.25.5 stunnel: upgrade 5.58 -> 5.59 usbredir: upgrade 0.8.0 -> 0.9.0 hwdata: upgrade 0.345 -> 0.346 live555: upgrade 20210322 -> 20210406 rabbitmq-c: upgrade 0.10.0 -> 0.11.0 xterm: upgrade 366 -> 367 fuse3: upgrade 3.10.2 -> 3.10.3 cifs-utils: upgrade 6.12 -> 6.13 dnsmasq: upgrade 2.84 -> 2.85 nbdkit: upgrade 1.25.5 -> 1.25.6 wolfssl: upgrade 4.7.0 -> 4.7.1 networkmanager: upgrade 1.30.2 -> 1.30.4 libdvdread: upgrade 6.1.1 -> 6.1.2 redis: upgrade 6.2.1 -> 6.2.2 nss: upgrade 3.63 -> 3.64 zhengruoqin (21): phpmyadmin: upgrade 5.0.4 -> 5.1.0 uthash: upgrade 2.2.0 -> 2.3.0 gd: upgrade 2.3.1 -> 2.3.2 openocd: upgrade 0.10 -> 0.11 satyr: upgrade 0.36 -> 0.37 libcrypt-openssl-guess-perl: upgrade 0.11 -> 0.12 cryptsetup: upgrade 2.3.4 -> 2.3.5 glmark2: upgrade 20201114 -> 2021.02 grpc: upgrade 1.36.2 -> 1.36.3 dialog: upgrade 1.3-20210306 -> 
1.3-20210319 grpc: upgrade 1.36.3 -> 1.36.4 libgee: upgrade 0.20.3 -> 0.20.4 fetchmail: upgrade 6.4.17 -> 6.4.18 lldpd: upgrade 1.0.4 -> 1.0.8 networkmanager-openvpn: upgrade 1.8.12 -> 1.8.14 snort: upgrade 2.9.17 -> 2.9.17.1 python3-absl: upgrade 0.10.0 -> 0.12.0 python3-astroid: upgrade 2.5.2 -> 2.5.3 python3-bitarray: upgrade 1.9.1 -> 1.9.2 irssi: upgrade 1.2.2 -> 1.2.3 librsync: upgrade 2.3.1 -> 2.3.2

meta-security: 775870980b..c6b1eec0e5:
  Anton Antonov (5):
        Use libest "main" branch instead of "master".
        Add meta-parsec layer into meta-security.
        Define secure images with parsec-service and parsec-tool included and add the images into gitlab CI
        Clearly define clang toolchain in Parsec recipes
        gitlab-ci: Move all parsec builds into a separate job

  Armin Kuster (25):
        packagegroup-core-security: drop clamav-cvd
        clamav: upgrade 104.0
        python3-privacyidea: upgrade 3.5.1 -> 3.5.2
        clamav: fix systemd service install
        swtpm: now need python-cryptography, pull in layer
        swtpm: file pip3 issue
        swtpm: fix check for tscd deamon on host
        python3-suricata-update: update to 1.2.1
        .gitlab-ci.yml: reorder to speed up builds
        kas-security-base.yml: tweek build vars
        gitlab-ci: fine tune order
        clamav: remove rest of mirror.dat ref
        lkrg-module: Add Linux Kernel Runtime Guard
        kas-security-base: change branch to hardknott
        kas-security-base: add hardknott local dirs
        kas-security-base: Move some DISTRO_FEATURES around
        *-tpm.yml: drop tpms jobs
        gitlab-ci: move tpm build
        .gitlab-ci: work on pipelime
        gitlab-ci: cleanup after_script
        gitlab-ci: add new before script
        kas: cleanup some kas files
        packagegroup-core-security: exclude apparmor in mips64
        .gitlab-ci: use kas shell in some cases.
        kas-security-base: fix feature namespace for tpm*

  Ming Liu (2):
        meta: drop IMA_POLICY from policy recipes
        initramfs-framework-ima: introduce IMA_FORCE

Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I635e69c9d74af0c553cad5eadd972f26830c7add
Diffstat (limited to 'meta-security')
-rw-r--r-- meta-security/.gitlab-ci.yml 116
-rw-r--r-- meta-security/README 27
-rw-r--r-- meta-security/conf/layer.conf 4
-rw-r--r-- meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch 32
-rw-r--r-- meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest 3
-rw-r--r-- meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service 20
-rw-r--r-- meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml 1326
-rw-r--r-- meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata 2
-rw-r--r-- meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata 2
-rw-r--r-- meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb 27
-rw-r--r-- meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc 8
-rw-r--r-- meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb 193
-rw-r--r-- meta-security/kas/kas-security-alt.yml 2
-rw-r--r-- meta-security/kas/kas-security-base.yml 10
-rw-r--r-- meta-security/kas/qemuarm64-tpm2.yml 10
-rw-r--r-- meta-security/kas/qemumips64-alt.yml 6
-rw-r--r-- meta-security/kas/qemux86-64-tpm.yml 10
-rw-r--r-- meta-security/kas/qemux86-64-tpm2.yml 10
-rw-r--r-- meta-security/kas/qemux86-test.yml 5
-rw-r--r-- meta-security/recipes-core/packagegroup/packagegroup-core-security.bb 2
20 files changed, 98 insertions, 1717 deletions
diff --git a/meta-security/.gitlab-ci.yml b/meta-security/.gitlab-ci.yml
index f673ef6988..32110253c4 100644
--- a/meta-security/.gitlab-ci.yml
+++ b/meta-security/.gitlab-ci.yml
@@ -1,33 +1,76 @@
-stages:
- - build
-
-.build:
- stage: build
- image: crops/poky
- before_script:
+.before-my-script: &before-my-script
- echo "$ERR_REPORT_USERNAME" > ~/.oe-send-error
- echo "$ERR_REPORT_EMAIL" >> ~/.oe-send-error
- export PATH=~/.local/bin:$PATH
- wget https://bootstrap.pypa.io/get-pip.py
- python3 get-pip.py
- python3 -m pip install kas
- after_script:
+
+.after-my-script: &after-my-script
- cd $CI_PROJECT_DIR/poky
- . ./oe-init-build-env $CI_PROJECT_DIR/build
- for x in `ls $CI_PROJECT_DIR/build/tmp/log/error-report/ | grep error_report_`; do
- send-error-report -y tmp/log/error-report/$x
- done
- - cd $CI_PROJECT_DIR
- - rm -rf build
- cache:
- paths:
- - layers
+ - rm -fr $CI_PROJECT_DIR/build
+
+
+stages:
+ - build
+ - parsec
+ - multi
+ - alt
+ - musl
+ - test
+
+.build:
+ before_script:
+ - *before-my-script
+ stage: build
+ after_script:
+ - *after-my-script
+
+.parsec:
+ before_script:
+ - *before-my-script
+ stage: parsec
+ after_script:
+ - *after-my-script
+
+
+.multi:
+ before_script:
+ - *before-my-script
+ stage: multi
+ after_script:
+ - *after-my-script
+
+.alt:
+ before_script:
+ - *before-my-script
+ stage: alt
+ after_script:
+ - *after-my-script
+
+.musl:
+ before_script:
+ - *before-my-script
+ stage: musl
+ after_script:
+ - *after-my-script
+
+.test:
+ before_script:
+ - *before-my-script
+ stage: test
+ after_script:
+ - *after-my-script
+
qemux86:
extends: .build
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
- kas build --target security-build-image kas/$CI_JOB_NAME-comp.yml
- kas build --target harden-image-minimal kas/$CI_JOB_NAME-harden.yml
- kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
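Review bot: the rewritten `.build` template drops `image: crops/poky` and the `cache:` of `layers`, and none of the new `.parsec`, `.multi`, `.alt`, `.musl` or `.test` templates set either, so every job now runs in whatever environment the runner provides and fetches its layers from scratch; if that is intended, document it, otherwise keep both keys in a shared template. The six templates differ only in `stage:`, so one base template with a per-job `stage:` would remove the repetition. While this block is being touched, note that the anchored `before_script` still downloads `get-pip.py` and runs `python3 -m pip install kas` with no version pin, which leaves the build environment unreproducible; pinning the `kas` version would be a small fix.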
@@ -35,8 +78,7 @@ qemux86:
qemux86-64:
extends: .build
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
+ - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm-image security-tpm2-image"
- kas build --target dm-verity-image-initramfs kas/$CI_JOB_NAME-dm-verify.yml
- kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
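Review bot: in `qemux86-64`, `security-tpm-image` and `security-tpm2-image` are now built from `kas/$CI_JOB_NAME.yml` in the same run as `security-build-image`, whereas the `qemux86-64-tpm` job removed later in this diff built them from their own kas files; please confirm the base qemux86-64 file carries the settings those files provided. `bitbake -k` also keeps going after the first failed task, so the first error will no longer be at the end of the job log; a short YAML comment saying that this is wanted would help.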
@@ -44,20 +86,17 @@ qemuarm:
extends: .build
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
qemuarm64:
extends: .build
script:
- - kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
+ - kas shell kas/$CI_JOB_NAME.yml -c "bitbake -k security-build-image security-tpm2-image"
- kas build --target integrity-image-minimal kas/$CI_JOB_NAME-ima.yml
qemuppc:
extends: .build
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
- - kas build --target security-build-image kas/$CI_JOB_NAME-parsec.yml
qemumips64:
extends: .build
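Review bot: `qemuarm64` switches to `kas shell ... -c "bitbake -k ..."` while `qemuarm` and `qemuppc` keep `kas build --target`, and nothing in the file says why; a one-line comment on the `kas shell` line explaining that it builds several images in one bitbake run would help the next editor. `security-tpm2-image` is also now built from `kas/$CI_JOB_NAME.yml` rather than from the kas file used by the `qemuarm64-tpm2` job removed later in this diff, so check that the base file carries what that one provided.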
@@ -69,61 +108,58 @@ qemuriscv64:
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
-qemux86-64-tpm:
- extends: .build
- script:
- - kas build --target security-tpm-image kas/$CI_JOB_NAME.yml
- - kas build --target security-tpm2-image kas/$CI_JOB_NAME2.yml
-
-qemuarm64-tpm2:
- extends: .build
- script:
- - kas build --target security-tpm2-image kas/$CI_JOB_NAME.yml
-
qemuarm64-alt:
- extends: .build
+ extends: .alt
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemuarm64-multi:
- extends: .build
+ extends: .multi
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemumips64-alt:
- extends: .build
+ extends: .alt
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemumips64-multi:
- extends: .build
+ extends: .multi
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemux86-64-alt:
- extends: .build
+ extends: .alt
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemux86-64-multi:
- extends: .build
+ extends: .multi
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemux86-musl:
- extends: .build
+ extends: .musl
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemuarm64-musl:
- extends: .build
+ extends: .musl
script:
- kas build --target security-build-image kas/$CI_JOB_NAME.yml
qemux86-test:
- extends: .build
+ extends: .test
allow_failure: true
script:
- kas build --target security-test-image kas/$CI_JOB_NAME.yml
- kas build -c testimage --target security-test-image kas/$CI_JOB_NAME.yml
+parsec:
+ extends: .parsec
+ script:
+ - kas build --target security-build-image kas/qemuarm-$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/qemuarm64-$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/qemux86-$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/qemux86-64-$CI_JOB_NAME.yml
+ - kas build --target security-build-image kas/qemuppc-$CI_JOB_NAME.yml
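Review bot: the `extends:` changes move the `-alt`, `-multi`, `-musl` and `-test` jobs into later stages, and by default GitLab starts a stage only after the previous one has succeeded, so a single failing `build` job now keeps all of them from running; if the stages are meant only to group jobs, consider `needs: []` on those jobs, or state that the gating is intended. The new `parsec` job builds five machines in series and takes its file names from `$CI_JOB_NAME`, so the first failure hides the remaining architectures and renaming the job breaks the paths; writing `parsec` out in the file names, or one job per machine extending `.parsec`, would be more robust.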
diff --git a/meta-security/README b/meta-security/README
index eb15366753..f223feef03 100644
--- a/meta-security/README
+++ b/meta-security/README
@@ -11,19 +11,28 @@ This layer depends on:
URI: git://git.openembedded.org/openembedded-core
branch: master
+ revision: HEAD
+ prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-oe
branch: master
+ revision: HEAD
+ prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-perl
branch: master
+ revision: HEAD
+ prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-python
branch: master
+ revision: HEAD
+ prio: default
URI: git://git.openembedded.org/meta-openembedded/meta-networking
branch: master
-
+ revision: HEAD
+ prio: default
Adding the security layer to your build
========================================
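Review bot: the last layer entry loses the blank line that separated it from the `Adding the security layer to your build` heading, so `prio: default` now runs straight into the section title; keep an empty line after the final `prio: default`. The added `revision: HEAD` lines state that every dependency is tracked unpinned on `master`, which deserves a sentence in the README for readers who need a reproducible build.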
@@ -42,23 +51,11 @@ other layers needed. e.g.:
/path/to/meta-openembedded/meta-perl \
/path/to/meta-openembedded/meta-python \
/path/to/meta-openembedded/meta-networking \
- /path/to/layer/meta-security "
-
-Optional Rust dependancy
-======================================
-If you want to use the latest Suricata that needs rust, you will need to clone
-
- URI: https://github.com/meta-rust/meta-rust.git
- branch: master
-
- BBLAYERS += "/path/to/layer/meta-rust"
-
-This will activate the dynamic-layer mechanism and pull in the newer suricata
-
+ /path/to/layer/meta-security \
Maintenance
-======================================
+-----------
Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org
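Review bot: the replacement line `/path/to/layer/meta-security \` ends in a continuation backslash and the closing `"` carried by the removed line is gone, so the layer list example is now an unterminated string that cannot be pasted as shown; restore `/path/to/layer/meta-security "` and the blank line before `Maintenance`. The `Maintenance` underline also changes from `=` to `-` while the `Adding the security layer to your build` heading in the previous hunk keeps `=`; pick one style.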
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 906e024407..fd21da1eba 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -12,7 +12,3 @@ BBFILE_PRIORITY_security = "8"
LAYERSERIES_COMPAT_security = "hardknott"
LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer meta-python"
-
-BBFILES_DYNAMIC += " \
-rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb \
-"
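Review bot: with the `BBFILES_DYNAMIC` entry for `rust-layer` removed, nothing under `dynamic-layers/meta-rust` is pulled in through this mechanism any more, so this hunk is only correct together with the file deletions that follow; check that no recipe or bbappend is left behind in that directory.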
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch
deleted file mode 100644
index fc44ce68f5..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Skip pkg Makefile from using its own rust steps
-
-Upstream-Status: OE Specific
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: suricata-6.0.2/Makefile.am
-===================================================================
---- suricata-6.0.2.orig/Makefile.am
-+++ suricata-6.0.2/Makefile.am
-@@ -7,7 +7,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
- $(SURICATA_UPDATE_DIR) \
- lua \
- acsite.m4
--SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \
-+SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \
- $(SURICATA_UPDATE_DIR)
-
- CLEANFILES = stamp-h[0-9]*
-Index: suricata-6.0.2/Makefile.in
-===================================================================
---- suricata-6.0.2.orig/Makefile.in
-+++ suricata-6.0.2/Makefile.in
-@@ -426,7 +426,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
- lua \
- acsite.m4
-
--SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \
-+SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \
- $(SURICATA_UPDATE_DIR)
-
- CLEANFILES = stamp-h[0-9]*
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest
deleted file mode 100644
index 666ba9c954..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-suricata -u
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service
deleted file mode 100644
index a99a76ef86..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service
+++ /dev/null
@@ -1,20 +0,0 @@
-[Unit]
-Description=Suricata IDS/IDP daemon
-After=network.target
-Requires=network.target
-Documentation=man:suricata(8) man:suricatasc(8)
-Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
-
-[Service]
-Type=simple
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
-RestrictAddressFamilies=
-ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0
-ExecReload=/bin/kill -HUP $MAINPID
-PrivateTmp=yes
-ProtectHome=yes
-ProtectSystem=yes
-
-[Install]
-WantedBy=multi-user.target
-
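Review bot: the deleted unit is where `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW`, `PrivateTmp=yes`, `ProtectHome=yes` and `ProtectSystem=yes` were set for the daemon; if another Suricata recipe in the layer installs its own service file, check that it keeps the same restrictions so that removing this copy does not loosen the sandbox.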
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml
deleted file mode 100644
index 8d06a27449..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml
+++ /dev/null
@@ -1,1326 +0,0 @@
-%YAML 1.1
----
-
-# Suricata configuration file. In addition to the comments describing all
-# options in this file, full documentation can be found at:
-# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
-
-
-# Number of packets allowed to be processed simultaneously. Default is a
-# conservative 1024. A higher number will make sure CPU's/CPU cores will be
-# more easily kept busy, but may negatively impact caching.
-#
-# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
-# apply. In that case try something like 60000 or more. This is because the CUDA
-# pattern matcher buffers and scans as many packets as possible in parallel.
-#max-pending-packets: 1024
-
-# Runmode the engine should use. Please check --list-runmodes to get the available
-# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
-# load balancing).
-#runmode: autofp
-
-# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
-#
-# Supported schedulers are:
-#
-# round-robin - Flows assigned to threads in a round robin fashion.
-# active-packets - Flows assigned to threads that have the lowest number of
-# unprocessed packets (default).
-# hash - Flow alloted usihng the address hash. More of a random
-# technique. Was the default in Suricata 1.2.1 and older.
-#
-#autofp-scheduler: active-packets
-
-# If suricata box is a router for the sniffed networks, set it to 'router'. If
-# it is a pure sniffing setup, set it to 'sniffer-only'.
-# If set to auto, the variable is internally switch to 'router' in IPS mode
-# and 'sniffer-only' in IDS mode.
-# This feature is currently only used by the reject* keywords.
-host-mode: auto
-
-# Run suricata as user and group.
-#run-as:
-# user: suri
-# group: suri
-
-# Default pid file.
-# Will use this file if no --pidfile in command options.
-#pid-file: /var/run/suricata.pid
-
-# Daemon working directory
-# Suricata will change directory to this one if provided
-# Default: "/"
-#daemon-directory: "/"
-
-# Preallocated size for packet. Default is 1514 which is the classical
-# size for pcap on ethernet. You should adjust this value to the highest
-# packet size (MTU + hardware header) on your system.
-#default-packet-size: 1514
-
-# The default logging directory. Any log or output file will be
-# placed here if its not specified with a full path name. This can be
-# overridden with the -l command line parameter.
-default-log-dir: /var/log/suricata/
-
-# Unix command socket can be used to pass commands to suricata.
-# An external tool can then connect to get information from suricata
-# or trigger some modifications of the engine. Set enabled to yes
-# to activate the feature. You can use the filename variable to set
-# the file name of the socket.
-unix-command:
- enabled: no
- #filename: custom.socket
-
-# Configure the type of alert (and other) logging you would like.
-outputs:
-
- # a line based alerts log similar to Snort's fast.log
- - fast:
- enabled: yes
- filename: fast.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # Extensible Event Format (nicknamed EVE) event log in JSON format
- - eve-log:
- enabled: yes
- type: file #file|syslog|unix_dgram|unix_stream
- filename: eve.json
- # the following are valid when type: syslog above
- #identity: "suricata"
- #facility: local5
- #level: Info ## possible levels: Emergency, Alert, Critical,
- ## Error, Warning, Notice, Info, Debug
- types:
- - alert
- - http:
- extended: yes # enable this for extended logging information
- # custom allows additional http fields to be included in eve-log
- # the example below adds three additional fields when uncommented
- #custom: [Accept-Encoding, Accept-Language, Authorization]
- - dns
- - tls:
- extended: yes # enable this for extended logging information
- - files:
- force-magic: no # force logging magic on all logged files
- force-md5: no # force logging of md5 checksums
- #- drop
- - ssh
-
- # alert output for use with Barnyard2
- - unified2-alert:
- enabled: yes
- filename: unified2.alert
-
- # File size limit. Can be specified in kb, mb, gb. Just a number
- # is parsed as bytes.
- #limit: 32mb
-
- # Sensor ID field of unified2 alerts.
- #sensor-id: 0
-
- # HTTP X-Forwarded-For support by adding the unified2 extra header that
- # will contain the actual client IP address or by overwriting the source
- # IP address (helpful when inspecting traffic that is being reversed
- # proxied).
- xff:
- enabled: no
- # Two operation modes are available, "extra-data" and "overwrite". Note
- # that in the "overwrite" mode, if the reported IP address in the HTTP
- # X-Forwarded-For header is of a different version of the packet
- # received, it will fall-back to "extra-data" mode.
- mode: extra-data
- # Header name were the actual IP address will be reported, if more than
- # one IP address is present, the last IP address will be the one taken
- # into consideration.
- header: X-Forwarded-For
-
- # a line based log of HTTP requests (no alerts)
- - http-log:
- enabled: yes
- filename: http.log
- append: yes
- #extended: yes # enable this for extended logging information
- #custom: yes # enabled the custom logging format (defined by customformat)
- #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # a line based log of TLS handshake parameters (no alerts)
- - tls-log:
- enabled: no # Log TLS connections.
- filename: tls.log # File to store TLS logs.
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
- #extended: yes # Log extended information like fingerprint
- certs-log-dir: certs # directory to store the certificates files
-
- # a line based log of DNS requests and/or replies (no alerts)
- - dns-log:
- enabled: no
- filename: dns.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # a line based log to used with pcap file study.
- # this module is dedicated to offline pcap parsing (empty output
- # if used with another kind of input). It can interoperate with
- # pcap parser like wireshark via the suriwire plugin.
- - pcap-info:
- enabled: no
-
- # Packet log... log packets in pcap format. 2 modes of operation: "normal"
- # and "sguil".
- #
- # In normal mode a pcap file "filename" is created in the default-log-dir,
- # or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
- # In this base dir the pcaps are created in th directory structure Sguil expects:
- #
- # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
- #
- # By default all packets are logged except:
- # - TCP streams beyond stream.reassembly.depth
- # - encrypted streams after the key exchange
- #
- - pcap-log:
- enabled: no
- filename: log.pcap
-
- # File size limit. Can be specified in kb, mb, gb. Just a number
- # is parsed as bytes.
- limit: 1000mb
-
- # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
- max-files: 2000
-
- mode: normal # normal or sguil.
- #sguil-base-dir: /nsm_data/
- #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
- use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
-
- # a full alerts log containing much information for signature writers
- # or for investigating suspected false positives.
- - alert-debug:
- enabled: no
- filename: alert-debug.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # alert output to prelude (http://www.prelude-technologies.com/) only
- # available if Suricata has been compiled with --enable-prelude
- - alert-prelude:
- enabled: no
- profile: suricata
- log-packet-content: no
- log-packet-header: yes
-
- # Stats.log contains data from various counters of the suricata engine.
- # The interval field (in seconds) tells after how long output will be written
- # on the log file.
- - stats:
- enabled: yes
- filename: stats.log
- interval: 8
-
- # a line based alerts log similar to fast.log into syslog
- - syslog:
- enabled: no
- # reported identity to syslog. If ommited the program name (usually
- # suricata) will be used.
- #identity: "suricata"
- facility: local5
- #level: Info ## possible levels: Emergency, Alert, Critical,
- ## Error, Warning, Notice, Info, Debug
-
- # a line based information for dropped packets in IPS mode
- - drop:
- enabled: no
- filename: drop.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # output module to store extracted files to disk
- #
- # The files are stored to the log-dir in a format "file.<id>" where <id> is
- # an incrementing number starting at 1. For each file "file.<id>" a meta
- # file "file.<id>.meta" is created.
- #
- # File extraction depends on a lot of things to be fully done:
- # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
- # - http request / response body sizes. Again set to 0 for optimal results.
- # - rules that contain the "filestore" keyword.
- - file-store:
- enabled: no # set to yes to enable
- log-dir: files # directory to store the files
- force-magic: no # force logging magic on all stored files
- force-md5: no # force logging of md5 checksums
- #waldo: file.waldo # waldo file to store the file_id across runs
-
- # output module to log files tracked in a easily parsable json format
- - file-log:
- enabled: no
- filename: files-json.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- force-magic: no # force logging magic on all logged files
- force-md5: no # force logging of md5 checksums
-
-# Magic file. The extension .mgc is added to the value here.
-#magic-file: /usr/share/file/magic
-magic-file: /usr/share/misc/magic.mgc
-
-# When running in NFQ inline mode, it is possible to use a simulated
-# non-terminal NFQUEUE verdict.
-# This permit to do send all needed packet to suricata via this a rule:
-# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
-# And below, you can have your standard filtering ruleset. To activate
-# this mode, you need to set mode to 'repeat'
-# If you want packet to be sent to another queue after an ACCEPT decision
-# set mode to 'route' and set next-queue value.
-# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
-# by processing several packets before sending a verdict (worker runmode only).
-# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
-# accept the packet if suricata is not able to keep pace.
-nfq:
-# mode: accept
-# repeat-mark: 1
-# repeat-mask: 1
-# route-queue: 2
-# batchcount: 20
-# fail-open: yes
-
-#nflog support
-nflog:
- # netlink multicast group
- # (the same as the iptables --nflog-group param)
- # Group 0 is used by the kernel, so you can't use it
- - group: 2
- # netlink buffer size
- buffer-size: 18432
- # put default value here
- - group: default
- # set number of packet to queue inside kernel
- qthreshold: 1
- # set the delay before flushing packet in the queue inside kernel
- qtimeout: 100
- # netlink max buffer size
- max-size: 20000
-
-# af-packet support
-# Set threads to > 1 to use PACKET_FANOUT support
-af-packet:
- - interface: eth0
- # Number of receive threads (>1 will enable experimental flow pinned
- # runmode)
- threads: 1
- # Default clusterid. AF_PACKET will load balance packets based on flow.
- # All threads/processes that will participate need to have the same
- # clusterid.
- cluster-id: 99
- # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
- # This is only supported for Linux kernel > 3.1
- # possible value are:
- # * cluster_round_robin: round robin load balancing
- # * cluster_flow: all packets of a given flow are send to the same socket
- # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
- cluster-type: cluster_flow
- # In some fragmentation case, the hash can not be computed. If "defrag" is set
- # to yes, the kernel will do the needed defragmentation before sending the packets.
- defrag: yes
- # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
- use-mmap: yes
- # Ring size will be computed with respect to max_pending_packets and number
- # of threads. You can set manually the ring size in number of packets by setting
- # the following value. If you are using flow cluster-type and have really network
- # intensive single-flow you could want to set the ring-size independantly of the number
- # of threads:
- #ring-size: 2048
- # On busy system, this could help to set it to yes to recover from a packet drop
- # phase. This will result in some packets (at max a ring flush) being non treated.
- #use-emergency-flush: yes
- # recv buffer size, increase value could improve performance
- # buffer-size: 32768
- # Set to yes to disable promiscuous mode
- # disable-promisc: no
- # Choose checksum verification mode for the interface. At the moment
- # of the capture, some packets may be with an invalid checksum due to
- # offloading to the network card of the checksum computation.
- # Possible values are:
- # - kernel: use indication sent by kernel for each packet (default)
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used.
- # Warning: 'checksum-validation' must be set to yes to have any validation
- #checksum-checks: kernel
- # BPF filter to apply to this interface. The pcap filter syntax apply here.
- #bpf-filter: port 80 or udp
- # You can use the following variables to activate AF_PACKET tap od IPS mode.
- # If copy-mode is set to ips or tap, the traffic coming to the current
- # interface will be copied to the copy-iface interface. If 'tap' is set, the
- # copy is complete. If 'ips' is set, the packet matching a 'drop' action
- # will not be copied.
- #copy-mode: ips
- #copy-iface: eth1
- - interface: eth1
- threads: 1
- cluster-id: 98
- cluster-type: cluster_flow
- defrag: yes
- # buffer-size: 32768
- # disable-promisc: no
- # Put default values here
- - interface: default
- #threads: 2
- #use-mmap: yes
-
-legacy:
- uricontent: enabled
-
-# You can specify a threshold config file by setting "threshold-file"
-# to the path of the threshold config file:
-# threshold-file: /etc/suricata/threshold.config
-
-# The detection engine builds internal groups of signatures. The engine
-# allow us to specify the profile to use for them, to manage memory on an
-# efficient way keeping a good performance. For the profile keyword you
-# can use the words "low", "medium", "high" or "custom". If you use custom
-# make sure to define the values at "- custom-values" as your convenience.
-# Usually you would prefer medium/high/low.
-#
-# "sgh mpm-context", indicates how the staging should allot mpm contexts for
-# the signature groups. "single" indicates the use of a single context for
-# all the signature group heads. "full" indicates a mpm-context for each
-# group head. "auto" lets the engine decide the distribution of contexts
-# based on the information the engine gathers on the patterns from each
-# group head.
-#
-# The option inspection-recursion-limit is used to limit the recursive calls
-# in the content inspection code. For certain payload-sig combinations, we
-# might end up taking too much time in the content inspection code.
-# If the argument specified is 0, the engine uses an internally defined
-# default limit. On not specifying a value, we use no limits on the recursion.
-detect-engine:
- - profile: medium
- - custom-values:
- toclient-src-groups: 2
- toclient-dst-groups: 2
- toclient-sp-groups: 2
- toclient-dp-groups: 3
- toserver-src-groups: 2
- toserver-dst-groups: 4
- toserver-sp-groups: 2
- toserver-dp-groups: 25
- - sgh-mpm-context: auto
- - inspection-recursion-limit: 3000
- # When rule-reload is enabled, sending a USR2 signal to the Suricata process
- # will trigger a live rule reload. Experimental feature, use with care.
- #- rule-reload: true
- # If set to yes, the loading of signatures will be made after the capture
- # is started. This will limit the downtime in IPS mode.
- #- delayed-detect: yes
-
-# Suricata is multi-threaded. Here the threading can be influenced.
-threading:
- # On some cpu's/architectures it is beneficial to tie individual threads
- # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
- # and each extra CPU/core has one "detect" thread.
- #
- # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
- #
- set-cpu-affinity: no
- # Tune cpu affinity of suricata threads. Each family of threads can be bound
- # on specific CPUs.
- cpu-affinity:
- - management-cpu-set:
- cpu: [ 0 ] # include only these cpus in affinity settings
- - receive-cpu-set:
- cpu: [ 0 ] # include only these cpus in affinity settings
- - decode-cpu-set:
- cpu: [ 0, 1 ]
- mode: "balanced"
- - stream-cpu-set:
- cpu: [ "0-1" ]
- - detect-cpu-set:
- cpu: [ "all" ]
- mode: "exclusive" # run detect threads in these cpus
- # Use explicitely 3 threads and don't compute number by using
- # detect-thread-ratio variable:
- # threads: 3
- prio:
- low: [ 0 ]
- medium: [ "1-2" ]
- high: [ 3 ]
- default: "medium"
- - verdict-cpu-set:
- cpu: [ 0 ]
- prio:
- default: "high"
- - reject-cpu-set:
- cpu: [ 0 ]
- prio:
- default: "low"
- - output-cpu-set:
- cpu: [ "all" ]
- prio:
- default: "medium"
- #
- # By default Suricata creates one "detect" thread per available CPU/CPU core.
- # This setting allows controlling this behaviour. A ratio setting of 2 will
- # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
- # will result in 4 detect threads. If values below 1 are used, less threads
- # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
- # thread being created. Regardless of the setting at a minimum 1 detect
- # thread will always be created.
- #
- detect-thread-ratio: 1.5
-
-# Cuda configuration.
-cuda:
- # The "mpm" profile. On not specifying any of these parameters, the engine's
- # internal default values are used, which are same as the ones specified in
- # in the default conf file.
- mpm:
- # The minimum length required to buffer data to the gpu.
- # Anything below this is MPM'ed on the CPU.
- # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
- # A value of 0 indicates there's no limit.
- data-buffer-size-min-limit: 0
- # The maximum length for data that we would buffer to the gpu.
- # Anything over this is MPM'ed on the CPU.
- # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
- data-buffer-size-max-limit: 1500
- # The ring buffer size used by the CudaBuffer API to buffer data.
- cudabuffer-buffer-size: 500mb
- # The max chunk size that can be sent to the gpu in a single go.
- gpu-transfer-size: 50mb
- # The timeout limit for batching of packets in microseconds.
- batching-timeout: 2000
- # The device to use for the mpm. Currently we don't support load balancing
- # on multiple gpus. In case you have multiple devices on your system, you
- # can specify the device to use, using this conf. By default we hold 0, to
- # specify the first device cuda sees. To find out device-id associated with
- # the card(s) on the system run "suricata --list-cuda-cards".
- device-id: 0
- # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
- # For this option you need a device with Compute Capability > 1.0.
- cuda-streams: 2
-
-# Select the multi pattern algorithm you want to run for scan/search the
-# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
-# ac and ac-gfbs.
-#
-# The mpm you choose also decides the distribution of mpm contexts for
-# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
-# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
-# to be set to "single", because of ac's memory requirements, unless the
-# ruleset is small enough to fit in one's memory, in which case one can
-# use "full" with "ac". Rest of the mpms can be run in "full" mode.
-#
-# There is also a CUDA pattern matcher (only available if Suricata was
-# compiled with --enable-cuda: b2g_cuda. Make sure to update your
-# max-pending-packets setting above as well if you use b2g_cuda.
-
-mpm-algo: ac
-
-# The memory settings for hash size of these algorithms can vary from lowest
-# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
-# (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
-# medium (1024) - high (2048).
-#
-# For B2g/B3g algorithms, there is a support for two different scan/search
-# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
-# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
-# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
-# B3gSearchBNDMq.
-#
-# For B2g the different scan/search algorithms and, hash and bloom
-# filter size settings. For B3g the different scan/search algorithms and, hash
-# and bloom filter size settings. For wumanber the hash and bloom filter size
-# settings.
-
-pattern-matcher:
- - b2gc:
- search-algo: B2gSearchBNDMq
- hash-size: low
- bf-size: medium
- - b2gm:
- search-algo: B2gSearchBNDMq
- hash-size: low
- bf-size: medium
- - b2g:
- search-algo: B2gSearchBNDMq
- hash-size: low
- bf-size: medium
- - b3g:
- search-algo: B3gSearchBNDMq
- hash-size: low
- bf-size: medium
- - wumanber:
- hash-size: low
- bf-size: medium
-
-# Defrag settings:
-
-defrag:
- memcap: 32mb
- hash-size: 65536
- trackers: 65535 # number of defragmented flows to follow
- max-frags: 65535 # number of fragments to keep (higher than trackers)
- prealloc: yes
- timeout: 60
-
-# Enable defrag per host settings
-# host-config:
-#
-# - dmz:
-# timeout: 30
-# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
-#
-# - lan:
-# timeout: 45
-# address:
-# - 192.168.0.0/24
-# - 192.168.10.0/24
-# - 172.16.14.0/24
-
-# Flow settings:
-# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
-# for flow allocation inside the engine. You can change this value to allow
-# more memory usage for flows.
-# The hash-size determine the size of the hash used to identify flows inside
-# the engine, and by default the value is 65536.
-# At the startup, the engine can preallocate a number of flows, to get a better
-# performance. The number of flows preallocated is 10000 by default.
-# emergency-recovery is the percentage of flows that the engine need to
-# prune before unsetting the emergency state. The emergency state is activated
-# when the memcap limit is reached, allowing to create new flows, but
-# prunning them with the emergency timeouts (they are defined below).
-# If the memcap is reached, the engine will try to prune flows
-# with the default timeouts. If it doens't find a flow to prune, it will set
-# the emergency bit and it will try again with more agressive timeouts.
-# If that doesn't work, then it will try to kill the last time seen flows
-# not in use.
-# The memcap can be specified in kb, mb, gb. Just a number indicates it's
-# in bytes.
-
-flow:
- memcap: 64mb
- hash-size: 65536
- prealloc: 10000
- emergency-recovery: 30
-
-# This option controls the use of vlan ids in the flow (and defrag)
-# hashing. Normally this should be enabled, but in some (broken)
-# setups where both sides of a flow are not tagged with the same vlan
-# tag, we can ignore the vlan id's in the flow hashing.
-vlan:
- use-for-tracking: true
-
-# Specific timeouts for flows. Here you can specify the timeouts that the
-# active flows will wait to transit from the current state to another, on each
-# protocol. The value of "new" determine the seconds to wait after a hanshake or
-# stream startup before the engine free the data of that flow it doesn't
-# change the state to established (usually if we don't receive more packets
-# of that flow). The value of "established" is the amount of
-# seconds that the engine will wait to free the flow if it spend that amount
-# without receiving new packets or closing the connection. "closed" is the
-# amount of time to wait after a flow is closed (usually zero).
-#
-# There's an emergency mode that will become active under attack circumstances,
-# making the engine to check flow status faster. This configuration variables
-# use the prefix "emergency-" and work similar as the normal ones.
-# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
-# icmp.
-
-flow-timeouts:
-
- default:
- new: 30
- established: 300
- closed: 0
- emergency-new: 10
- emergency-established: 100
- emergency-closed: 0
- tcp:
- new: 60
- established: 3600
- closed: 120
- emergency-new: 10
- emergency-established: 300
- emergency-closed: 20
- udp:
- new: 30
- established: 300
- emergency-new: 10
- emergency-established: 100
- icmp:
- new: 30
- established: 300
- emergency-new: 10
- emergency-established: 100
-
-# Stream engine settings. Here the TCP stream tracking and reassembly
-# engine is configured.
-#
-# stream:
-# memcap: 32mb # Can be specified in kb, mb, gb. Just a
-# # number indicates it's in bytes.
-# checksum-validation: yes # To validate the checksum of received
-# # packet. If csum validation is specified as
-# # "yes", then packet with invalid csum will not
-# # be processed by the engine stream/app layer.
-# # Warning: locally generated trafic can be
-# # generated without checksum due to hardware offload
-# # of checksum. You can control the handling of checksum
-# # on a per-interface basis via the 'checksum-checks'
-# # option
-# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
-# midstream: false # don't allow midstream session pickups
-# async-oneside: false # don't enable async stream handling
-# inline: no # stream inline mode
-# max-synack-queued: 5 # Max different SYN/ACKs to queue
-#
-# reassembly:
-# memcap: 64mb # Can be specified in kb, mb, gb. Just a number
-# # indicates it's in bytes.
-# depth: 1mb # Can be specified in kb, mb, gb. Just a number
-# # indicates it's in bytes.
-# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
-# # this size. Can be specified in kb, mb,
-# # gb. Just a number indicates it's in bytes.
-# # The max acceptable size is 4024 bytes.
-# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
-# # this size. Can be specified in kb, mb,
-# # gb. Just a number indicates it's in bytes.
-# # The max acceptable size is 4024 bytes.
-# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
-# # This lower the risk of some evasion technics but could lead
-# # detection change between runs. It is set to 'yes' by default.
-# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
-# # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
-# # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
-# # of randomize-chunk-range is 10.
-#
-# raw: yes # 'Raw' reassembly enabled or disabled.
-# # raw is for content inspection by detection
-# # engine.
-#
-# chunk-prealloc: 250 # Number of preallocated stream chunks. These
-# # are used during stream inspection (raw).
-# segments: # Settings for reassembly segment pool.
-# - size: 4 # Size of the (data)segment for a pool
-# prealloc: 256 # Number of segments to prealloc and keep
-# # in the pool.
-#
-stream:
- memcap: 32mb
- checksum-validation: yes # reject wrong csums
- inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
- reassembly:
- memcap: 128mb
- depth: 1mb # reassemble 1mb into a stream
- toserver-chunk-size: 2560
- toclient-chunk-size: 2560
- randomize-chunk-size: yes
- #randomize-chunk-range: 10
- #raw: yes
- #chunk-prealloc: 250
- #segments:
- # - size: 4
- # prealloc: 256
- # - size: 16
- # prealloc: 512
- # - size: 112
- # prealloc: 512
- # - size: 248
- # prealloc: 512
- # - size: 512
- # prealloc: 512
- # - size: 768
- # prealloc: 1024
- # - size: 1448
- # prealloc: 1024
- # - size: 65535
- # prealloc: 128
-
-# Host table:
-#
-# Host table is used by tagging and per host thresholding subsystems.
-#
-host:
- hash-size: 4096
- prealloc: 1000
- memcap: 16777216
-
-# Logging configuration. This is not about logging IDS alerts, but
-# IDS output about what its doing, errors, etc.
-logging:
-
- # The default log level, can be overridden in an output section.
- # Note that debug level logging will only be emitted if Suricata was
- # compiled with the --enable-debug configure option.
- #
- # This value is overriden by the SC_LOG_LEVEL env var.
- default-log-level: notice
-
- # The default output format. Optional parameter, should default to
- # something reasonable if not provided. Can be overriden in an
- # output section. You can leave this out to get the default.
- #
- # This value is overriden by the SC_LOG_FORMAT env var.
- #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
-
- # A regex to filter output. Can be overridden in an output section.
- # Defaults to empty (no filter).
- #
- # This value is overriden by the SC_LOG_OP_FILTER env var.
- default-output-filter:
-
- # Define your logging outputs. If none are defined, or they are all
- # disabled you will get the default - console output.
- outputs:
- - console:
- enabled: yes
- - file:
- enabled: no
- filename: /var/log/suricata.log
- - syslog:
- enabled: yes
- facility: local5
- format: "[%i] <%d> -- "
-
-# Tilera mpipe configuration. for use on Tilera TILE-Gx.
-mpipe:
-
- # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
- load-balance: dynamic
-
- # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
- iqueue-packets: 2048
-
- # List of interfaces we will listen on.
- inputs:
- - interface: xgbe2
- - interface: xgbe3
- - interface: xgbe4
-
-
- # Relative weight of memory for packets of each mPipe buffer size.
- stack:
- size128: 0
- size256: 9
- size512: 0
- size1024: 0
- size1664: 7
- size4096: 0
- size10386: 0
- size16384: 0
-
-# PF_RING configuration. for use with native PF_RING support
-# for more info see http://www.ntop.org/PF_RING.html
-pfring:
- - interface: eth0
- # Number of receive threads (>1 will enable experimental flow pinned
- # runmode)
- threads: 1
-
- # Default clusterid. PF_RING will load balance packets based on flow.
- # All threads/processes that will participate need to have the same
- # clusterid.
- cluster-id: 99
-
- # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
- # This is only supported in versions of PF_RING > 4.1.1.
- cluster-type: cluster_flow
- # bpf filter for this interface
- #bpf-filter: tcp
- # Choose checksum verification mode for the interface. At the moment
- # of the capture, some packets may be with an invalid checksum due to
- # offloading to the network card of the checksum computation.
- # Possible values are:
- # - rxonly: only compute checksum for packets received by network card.
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used. (default)
- # Warning: 'checksum-validation' must be set to yes to have any validation
- #checksum-checks: auto
- # Second interface
- #- interface: eth1
- # threads: 3
- # cluster-id: 93
- # cluster-type: cluster_flow
- # Put default values here
- - interface: default
- #threads: 2
-
-pcap:
- - interface: eth0
- # On Linux, pcap will try to use mmaped capture and will use buffer-size
- # as total of memory used by the ring. So set this to something bigger
- # than 1% of your bandwidth.
- #buffer-size: 16777216
- #bpf-filter: "tcp and port 25"
- # Choose checksum verification mode for the interface. At the moment
- # of the capture, some packets may be with an invalid checksum due to
- # offloading to the network card of the checksum computation.
- # Possible values are:
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used. (default)
- # Warning: 'checksum-validation' must be set to yes to have any validation
- #checksum-checks: auto
- # With some accelerator cards using a modified libpcap (like myricom), you
- # may want to have the same number of capture threads as the number of capture
- # rings. In this case, set up the threads variable to N to start N threads
- # listening on the same interface.
- #threads: 16
- # set to no to disable promiscuous mode:
- #promisc: no
- # set snaplen, if not set it defaults to MTU if MTU can be known
- # via ioctl call and to full capture if not.
- #snaplen: 1518
- # Put default values here
- - interface: default
- #checksum-checks: auto
-
-pcap-file:
- # Possible values are:
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used. (default)
- # Warning: 'checksum-validation' must be set to yes to have checksum tested
- checksum-checks: auto
-
-# For FreeBSD ipfw(8) divert(4) support.
-# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
-# in /etc/loader.conf or kldload'ing the appropriate kernel modules.
-# Additionally, you need to have an ipfw rule for the engine to see
-# the packets from ipfw. For Example:
-#
-# ipfw add 100 divert 8000 ip from any to any
-#
-# The 8000 above should be the same number you passed on the command
-# line, i.e. -d 8000
-#
-ipfw:
-
- # Reinject packets at the specified ipfw rule number. This config
- # option is the ipfw rule number AT WHICH rule processing continues
- # in the ipfw processing system after the engine has finished
- # inspecting the packet for acceptance. If no rule number is specified,
- # accepted packets are reinjected at the divert rule which they entered
- # and IPFW rule processing continues. No check is done to verify
- # this will rule makes sense so care must be taken to avoid loops in ipfw.
- #
- ## The following example tells the engine to reinject packets
- # back into the ipfw firewall AT rule number 5500:
- #
- # ipfw-reinjection-rule-number: 5500
-
-# Set the default rule path here to search for the files.
-# if not set, it will look at the current working dir
-default-rule-path: /etc/suricata/rules
-rule-files:
- - botcc.rules
- - ciarmy.rules
- - compromised.rules
- - drop.rules
- - dshield.rules
- - emerging-activex.rules
- - emerging-attack_response.rules
- - emerging-chat.rules
- - emerging-current_events.rules
- - emerging-dns.rules
- - emerging-dos.rules
- - emerging-exploit.rules
- - emerging-ftp.rules
- - emerging-games.rules
- - emerging-icmp_info.rules
-# - emerging-icmp.rules
- - emerging-imap.rules
- - emerging-inappropriate.rules
- - emerging-malware.rules
- - emerging-misc.rules
- - emerging-mobile_malware.rules
- - emerging-netbios.rules
- - emerging-p2p.rules
- - emerging-policy.rules
- - emerging-pop3.rules
- - emerging-rpc.rules
- - emerging-scada.rules
- - emerging-scan.rules
- - emerging-shellcode.rules
- - emerging-smtp.rules
- - emerging-snmp.rules
- - emerging-sql.rules
- - emerging-telnet.rules
- - emerging-tftp.rules
- - emerging-trojan.rules
- - emerging-user_agents.rules
- - emerging-voip.rules
- - emerging-web_client.rules
- - emerging-web_server.rules
- - emerging-web_specific_apps.rules
- - emerging-worm.rules
- - tor.rules
- - decoder-events.rules # available in suricata sources under rules dir
- - stream-events.rules # available in suricata sources under rules dir
- - http-events.rules # available in suricata sources under rules dir
- - smtp-events.rules # available in suricata sources under rules dir
- - dns-events.rules # available in suricata sources under rules dir
- - tls-events.rules # available in suricata sources under rules dir
-
-classification-file: /etc/suricata/classification.config
-reference-config-file: /etc/suricata/reference.config
-
-# Holds variables that would be used by the engine.
-vars:
-
- # Holds the address group vars that would be passed in a Signature.
- # These would be retrieved during the Signature address parsing stage.
- address-groups:
-
- HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
-
- EXTERNAL_NET: "!$HOME_NET"
-
- HTTP_SERVERS: "$HOME_NET"
-
- SMTP_SERVERS: "$HOME_NET"
-
- SQL_SERVERS: "$HOME_NET"
-
- DNS_SERVERS: "$HOME_NET"
-
- TELNET_SERVERS: "$HOME_NET"
-
- AIM_SERVERS: "$EXTERNAL_NET"
-
- DNP3_SERVER: "$HOME_NET"
-
- DNP3_CLIENT: "$HOME_NET"
-
- MODBUS_CLIENT: "$HOME_NET"
-
- MODBUS_SERVER: "$HOME_NET"
-
- ENIP_CLIENT: "$HOME_NET"
-
- ENIP_SERVER: "$HOME_NET"
-
- # Holds the port group vars that would be passed in a Signature.
- # These would be retrieved during the Signature port parsing stage.
- port-groups:
-
- HTTP_PORTS: "80"
-
- SHELLCODE_PORTS: "!80"
-
- ORACLE_PORTS: 1521
-
- SSH_PORTS: 22
-
- DNP3_PORTS: 20000
-
-# Set the order of alerts bassed on actions
-# The default order is pass, drop, reject, alert
-action-order:
- - pass
- - drop
- - reject
- - alert
-
-# IP Reputation
-#reputation-categories-file: /etc/suricata/iprep/categories.txt
-#default-reputation-path: /etc/suricata/iprep
-#reputation-files:
-# - reputation.list
-
-# Host specific policies for defragmentation and TCP stream
-# reassembly. The host OS lookup is done using a radix tree, just
-# like a routing table so the most specific entry matches.
-host-os-policy:
- # Make the default policy windows.
- windows: [0.0.0.0/0]
- bsd: []
- bsd-right: []
- old-linux: []
- linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
- old-solaris: []
- solaris: ["::1"]
- hpux10: []
- hpux11: []
- irix: []
- macos: []
- vista: []
- windows2k3: []
-
-
-# Limit for the maximum number of asn1 frames to decode (default 256)
-asn1-max-frames: 256
-
-# When run with the option --engine-analysis, the engine will read each of
-# the parameters below, and print reports for each of the enabled sections
-# and exit. The reports are printed to a file in the default log dir
-# given by the parameter "default-log-dir", with engine reporting
-# subsection below printing reports in its own report file.
-engine-analysis:
- # enables printing reports for fast-pattern for every rule.
- rules-fast-pattern: yes
- # enables printing reports for each rule
- rules: yes
-
-#recursion and match limits for PCRE where supported
-pcre:
- match-limit: 3500
- match-limit-recursion: 1500
-
-# Holds details on the app-layer. The protocols section details each protocol.
-# Under each protocol, the default value for detection-enabled and "
-# parsed-enabled is yes, unless specified otherwise.
-# Each protocol covers enabling/disabling parsers for all ipprotos
-# the app-layer protocol runs on. For example "dcerpc" refers to the tcp
-# version of the protocol as well as the udp version of the protocol.
-# The option "enabled" takes 3 values - "yes", "no", "detection-only".
-# "yes" enables both detection and the parser, "no" disables both, and
-# "detection-only" enables detection only(parser disabled).
-app-layer:
- protocols:
- tls:
- enabled: yes
- detection-ports:
- dp: 443
-
- #no-reassemble: yes
- dcerpc:
- enabled: yes
- ftp:
- enabled: yes
- ssh:
- enabled: yes
- smtp:
- enabled: yes
- imap:
- enabled: detection-only
- msn:
- enabled: detection-only
- smb:
- enabled: yes
- detection-ports:
- dp: 139
- # smb2 detection is disabled internally inside the engine.
- #smb2:
- # enabled: yes
- dns:
- # memcaps. Globally and per flow/state.
- #global-memcap: 16mb
- #state-memcap: 512kb
-
- # How many unreplied DNS requests are considered a flood.
- # If the limit is reached, app-layer-event:dns.flooded; will match.
- #request-flood: 500
-
- tcp:
- enabled: yes
- detection-ports:
- dp: 53
- udp:
- enabled: yes
- detection-ports:
- dp: 53
- http:
- enabled: yes
- # memcap: 64mb
-
- ###########################################################################
- # Configure libhtp.
- #
- #
- # default-config: Used when no server-config matches
- # personality: List of personalities used by default
- # request-body-limit: Limit reassembly of request body for inspection
- # by http_client_body & pcre /P option.
- # response-body-limit: Limit reassembly of response body for inspection
- # by file_data, http_server_body & pcre /Q option.
- # double-decode-path: Double decode path section of the URI
- # double-decode-query: Double decode query section of the URI
- #
- # server-config: List of server configurations to use if address matches
- # address: List of ip addresses or networks for this block
- # personalitiy: List of personalities used by this block
- # request-body-limit: Limit reassembly of request body for inspection
- # by http_client_body & pcre /P option.
- # response-body-limit: Limit reassembly of response body for inspection
- # by file_data, http_server_body & pcre /Q option.
- # double-decode-path: Double decode path section of the URI
- # double-decode-query: Double decode query section of the URI
- #
- # uri-include-all: Include all parts of the URI. By default the
- # 'scheme', username/password, hostname and port
- # are excluded. Setting this option to true adds
- # all of them to the normalized uri as inspected
- # by http_uri, urilen, pcre with /U and the other
- # keywords that inspect the normalized uri.
- # Note that this does not affect http_raw_uri.
- # Also, note that including all was the default in
- # 1.4 and 2.0beta1.
- #
- # meta-field-limit: Hard size limit for request and response size
- # limits. Applies to request line and headers,
- # response line and headers. Does not apply to
- # request or response bodies. Default is 18k.
- # If this limit is reached an event is raised.
- #
- # Currently Available Personalities:
- # Minimal
- # Generic
- # IDS (default)
- # IIS_4_0
- # IIS_5_0
- # IIS_5_1
- # IIS_6_0
- # IIS_7_0
- # IIS_7_5
- # Apache_2
- ###########################################################################
- libhtp:
-
- default-config:
- personality: IDS
-
- # Can be specified in kb, mb, gb. Just a number indicates
- # it's in bytes.
- request-body-limit: 3072
- response-body-limit: 3072
-
- # inspection limits
- request-body-minimal-inspect-size: 32kb
- request-body-inspect-window: 4kb
- response-body-minimal-inspect-size: 32kb
- response-body-inspect-window: 4kb
- # Take a random value for inspection sizes around the specified value.
- # This lower the risk of some evasion technics but could lead
- # detection change between runs. It is set to 'yes' by default.
- #randomize-inspection-sizes: yes
- # If randomize-inspection-sizes is active, the value of various
- # inspection size will be choosen in the [1 - range%, 1 + range%]
- # range
- # Default value of randomize-inspection-range is 10.
- #randomize-inspection-range: 10
-
- # decoding
- double-decode-path: no
- double-decode-query: no
-
- server-config:
-
- #- apache:
- # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
- # personality: Apache_2
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
- #- iis7:
- # address:
- # - 192.168.0.0/24
- # - 192.168.10.0/24
- # personality: IIS_7_0
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
-# Profiling settings. Only effective if Suricata has been built with the
-# the --enable-profiling configure flag.
-#
-profiling:
- # Run profiling for every xth packet. The default is 1, which means we
- # profile every packet. If set to 1000, one packet is profiled for every
- # 1000 received.
- #sample-rate: 1000
-
- # rule profiling
- rules:
-
- # Profiling can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: yes
- filename: rule_perf.log
- append: yes
-
- # Sort options: ticks, avgticks, checks, matches, maxticks
- sort: avgticks
-
- # Limit the number of items printed at exit.
- limit: 100
-
- # per keyword profiling
- keywords:
- enabled: yes
- filename: keyword_perf.log
- append: yes
-
- # packet profiling
- packets:
-
- # Profiling can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: yes
- filename: packet_stats.log
- append: yes
-
- # per packet csv output
- csv:
-
- # Output can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: no
- filename: packet_stats.csv
-
- # profiling of locking. Only available when Suricata was built with
- # --enable-profiling-locks.
- locks:
- enabled: no
- filename: lock_stats.log
- append: yes
-
-# Suricata core dump configuration. Limits the size of the core dump file to
-# approximately max-dump. The actual core dump size will be a multiple of the
-# page size. Core dumps that would be larger than max-dump are truncated. On
-# Linux, the actual core dump size may be a few pages larger than max-dump.
-# Setting max-dump to 0 disables core dumping.
-# Setting max-dump to 'unlimited' will give the full core dump file.
-# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
-# to be 'unlimited'.
-
-coredump:
- max-dump: unlimited
-
-napatech:
- # The Host Buffer Allowance for all streams
- # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
- hba: -1
-
- # use_all_streams set to "yes" will query the Napatech service for all configured
- # streams and listen on all of them. When set to "no" the streams config array
- # will be used.
- use-all-streams: yes
-
- # The streams to listen on
- streams: [1, 2, 3]
-
-# Includes. Files included here will be handled as if they were
-# inlined in this configuration file.
-#include: include1.yaml
-#include: include2.yaml
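Review bot: the removed suricata.yaml sets `max-dump: unlimited` under `coredump:` and `enabled: yes` for rule, keyword and packet profiling, which are debug-oriented defaults that can write large files on a storage-constrained target. If this configuration is carried over to a replacement recipe, set `max-dump: 0` (which the file's own comment says disables core dumping) and turn the profiling outputs off. Separately, the `mpipe` comment lists 2028 as a valid `iqueue-packets` size while the value set is 2048, so one of the two is a typo.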
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata
deleted file mode 100644
index fbf37848ee..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata
+++ /dev/null
@@ -1,2 +0,0 @@
-#Type Path Mode UID GID Age Argument
-d /var/log/suricata 0755 root root
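Review bot: `d /var/log/suricata 0755 root root` leaves the IDS log directory listable and traversable by every local account. If this tmpfiles entry is re-added together with the recipe, a mode of 0750 would keep alert and engine logs restricted to root and its group.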
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata
deleted file mode 100644
index 4627bd3b0f..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata
+++ /dev/null
@@ -1,2 +0,0 @@
-# <type> <owner> <group> <mode> <path> <linksource>
-d root root 0755 /var/log/suricata none
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb
deleted file mode 100644
index 34e72e9cb9..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.37.bb
+++ /dev/null
@@ -1,27 +0,0 @@
-SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces."
-
-require suricata.inc
-
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843"
-
-SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x"
-SRCREV = "eaa2db29e65e7f2691c18a9022aeb5fb836ec5f1"
-
-DEPENDS = "zlib"
-
-inherit autotools-brokensep pkgconfig
-
-CFLAGS += "-D_DEFAULT_SOURCE"
-
-#S = "${WORKDIR}/suricata-${VER}/${BPN}"
-
-S = "${WORKDIR}/git"
-
-do_configure () {
- cd ${S}
- ./autogen.sh
- oe_runconf
-}
-
-RDEPENDS_${PN} += "zlib"
-
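Review bot: this recipe takes `LICENSE = "GPLv2"` from `require suricata.inc` and overrides only `LIC_FILES_CHKSUM`, so the package's license metadata is Suricata's rather than one checked against libhtp's own LICENSE file. If the recipe is restored elsewhere, set `LICENSE` explicitly in it; the `require` also pulls in `VER` and the Suricata tarball `SRC_URI[sha256sum]`, neither of which applies to the git fetch used here. `RDEPENDS_${PN} += "zlib"` is redundant alongside `DEPENDS = "zlib"` when the library is linked.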
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
deleted file mode 100644
index 85f419e48a..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc
+++ /dev/null
@@ -1,8 +0,0 @@
-HOMEPAGE = "http://suricata-ids.org/"
-SECTION = "security Monitor/Admin"
-LICENSE = "GPLv2"
-
-VER = "6.0.2"
-SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-
-SRC_URI[sha256sum] = "5e4647a07cb31b5d6d0049972a45375c137de908a964a44e2d6d231fa3ad4b52"
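Review bot: `SRC_URI` fetches the tarball over plain `http://` and `HOMEPAGE` is also `http://`. The pinned `SRC_URI[sha256sum]` protects the content, but if this include is re-added it should use `https://` so the fetch itself is not exposed to tampering or redirection before the checksum step.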
diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb
deleted file mode 100644
index a4255d2476..0000000000
--- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.2.bb
+++ /dev/null
@@ -1,193 +0,0 @@
-SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
-
-require suricata.inc
-
-DEPENDS = "lz4 libhtp"
-
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-
-SRC_URI += " \
- file://volatiles.03_suricata \
- file://tmpfiles.suricata \
- file://suricata.yaml \
- file://suricata.service \
- file://run-ptest \
- file://fixup.patch \
- "
-
-SRC_URI += " \
- crate://crates.io/autocfg/1.0.1 \
- crate://crates.io/semver-parser/0.7.0 \
- crate://crates.io/arrayvec/0.4.12 \
- crate://crates.io/ryu/1.0.5 \
- crate://crates.io/libc/0.2.86 \
- crate://crates.io/bitflags/1.2.1 \
- crate://crates.io/version_check/0.9.2 \
- crate://crates.io/memchr/2.3.4 \
- crate://crates.io/nodrop/0.1.14 \
- crate://crates.io/cfg-if/0.1.9 \
- crate://crates.io/static_assertions/0.3.4 \
- crate://crates.io/getrandom/0.1.16 \
- crate://crates.io/cfg-if/1.0.0 \
- crate://crates.io/siphasher/0.3.3 \
- crate://crates.io/ppv-lite86/0.2.10 \
- crate://crates.io/proc-macro-hack/0.5.19 \
- crate://crates.io/proc-macro2/0.4.30 \
- crate://crates.io/unicode-xid/0.1.0 \
- crate://crates.io/syn/0.15.44 \
- crate://crates.io/build_const/0.2.1 \
- crate://crates.io/num-derive/0.2.5 \
- crate://crates.io/base64/0.11.0 \
- crate://crates.io/widestring/0.4.3 \
- crate://crates.io/md5/0.7.0 \
- crate://crates.io/uuid/0.8.2 \
- crate://crates.io/byteorder/1.4.2 \
- crate://crates.io/semver/0.9.0 \
- crate://crates.io/nom/5.1.1 \
- crate://crates.io/num-traits/0.2.14 \
- crate://crates.io/num-integer/0.1.44 \
- crate://crates.io/num-bigint/0.2.6 \
- crate://crates.io/num-bigint/0.3.1 \
- crate://crates.io/num-rational/0.2.4 \
- crate://crates.io/num-complex/0.2.4 \
- crate://crates.io/num-iter/0.1.42 \
- crate://crates.io/phf_shared/0.8.0 \
- crate://crates.io/crc/1.8.1 \
- crate://crates.io/rustc_version/0.2.3 \
- crate://crates.io/phf/0.8.0 \
- crate://crates.io/lexical-core/0.6.7 \
- crate://crates.io/time/0.1.44 \
- crate://crates.io/quote/0.6.13 \
- crate://crates.io/rand_core/0.5.1 \
- crate://crates.io/rand_chacha/0.2.2 \
- crate://crates.io/rand_pcg/0.2.1 \
- crate://crates.io/num-traits/0.1.43 \
- crate://crates.io/rand/0.7.3 \
- crate://crates.io/enum_primitive/0.1.1 \
- crate://crates.io/phf_generator/0.8.0 \
- crate://crates.io/phf_codegen/0.8.0 \
- crate://crates.io/tls-parser/0.9.4 \
- crate://crates.io/num/0.2.1 \
- crate://crates.io/rusticata-macros/2.1.0 \
- crate://crates.io/ntp-parser/0.4.0 \
- crate://crates.io/der-oid-macro/0.2.0 \
- crate://crates.io/der-parser/3.0.4 \
- crate://crates.io/ipsec-parser/0.5.0 \
- crate://crates.io/x509-parser/0.6.5 \
- crate://crates.io/der-parser/4.1.0 \
- crate://crates.io/snmp-parser/0.6.0 \
- crate://crates.io/kerberos-parser/0.5.0 \
- crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \
- crate://crates.io/winapi/0.3.9 \
- crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \
- crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \
- crate://crates.io/log/0.4.0 \
- crate://crates.io/rand_hc/0.2.0 \
- crate://crates.io/wasi/0.9.0+wasi-snapshot-preview1 \
- "
-
-# test case support
-SRC_URI += " \
- crate://crates.io/test-case/1.0.1 \
- crate://crates.io/proc-macro2/1.0.1 \
- crate://crates.io/quote/1.0.1 \
- crate://crates.io/syn/1.0.1 \
- crate://crates.io/unicode-xid/0.2.0 \
- "
-
-inherit autotools pkgconfig python3native systemd ptest cargo
-
-EXTRA_OECONF += " --disable-debug \
- --disable-gccmarch-native \
- --enable-non-bundled-htp \
- --disable-suricata-update \
- --with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR} \
- "
-
-CARGO_SRC_DIR = "rust"
-
-B = "${S}"
-
-PACKAGECONFIG ??= "jansson file pcre yaml python pcap cap-ng net nfnetlink nss nspr "
-PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
-
-PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ,"
-PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
-PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap"
-PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
-PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet,"
-PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
-PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
-
-PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
-PACKAGECONFIG[file] = ",,file, file"
-PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
-PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core"
-PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
-
-export logdir = "${localstatedir}/log"
-
-CACHED_CONFIGUREVARS = "ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes"
-
-do_configure_prepend () {
- oe_runconf
-}
-
-do_compile () {
- # we do this to bypass the make provided by this pkg
- # patches Makefile to skip the subdir
- cargo_do_compile
-
- # Finish building
- cd ${S}
- make
-}
-
-do_install () {
- install -d ${D}${sysconfdir}/suricata
-
- oe_runmake install DESTDIR=${D}
-
- install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
- install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata
-
- install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
- install -m 0644 ${S}/suricata.yaml ${D}${sysconfdir}/suricata
-
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- install -d ${D}${sysconfdir}/tmpfiles.d
- install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf
-
- install -d ${D}${systemd_unitdir}/system
- sed -e s:/etc:${sysconfdir}:g \
- -e s:/var/run:/run:g \
- -e s:/var:${localstatedir}:g \
- -e s:/usr/bin:${bindir}:g \
- -e s:/bin/kill:${base_bindir}/kill:g \
- -e s:/usr/lib:${libdir}:g \
- ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
- fi
-
- # Remove /var/run as it is created on startup
- rm -rf ${D}${localstatedir}/run
-
- sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatasc
- sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatactl
-}
-
-pkg_postinst_ontarget_${PN} () {
-if command -v systemd-tmpfiles >/dev/null; then
- systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf
-elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
- ${sysconfdir}/init.d/populate-volatile.sh update
-fi
-}
-
-SYSTEMD_PACKAGES = "${PN}"
-
-PACKAGES =+ "${PN}-python"
-FILES_${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
-FILES_${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
-
-CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
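Review bot: if a newer suricata recipe replaces the one removed here, two defects visible in these lines should not be carried over. In PACKAGECONFIG[nss] and PACKAGECONFIG[nspr] the second field, which holds the configure arguments used when the option is off, is the bare word "nss" / "nspr", so disabling either option hands configure a stray argument; that field should be empty or a real --without/--disable flag. In do_compile the final step is a bare "make" after "cd ${S}", which drops EXTRA_OEMAKE and the parallel-make settings that oe_runmake would apply.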
diff --git a/meta-security/kas/kas-security-alt.yml b/meta-security/kas/kas-security-alt.yml
index 309acaa03f..1514524520 100644
--- a/meta-security/kas/kas-security-alt.yml
+++ b/meta-security/kas/kas-security-alt.yml
@@ -5,4 +5,4 @@ header:
local_conf_header:
alt: |
- DISTRO_FEATURES_append = " apparmor pam smack systemd"
+ DISTRO_FEATURES_append = " systemd"
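Review bot: dropping "apparmor pam smack" from the alt append is only safe because kas-security-base.yml gains DISTRO_FEATURES_append = " pam apparmor smack" later in this patch, and the includes of this file are not visible in the hunk. Please confirm that kas-security-alt.yml includes kas-security-base.yml; otherwise every alt build loses PAM and both MAC frameworks without any error. Note also that after this change "alt" differs from the base only by systemd, which is worth stating in the commit message.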
diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml
index aa68336e18..7096d09eb1 100644
--- a/meta-security/kas/kas-security-base.yml
+++ b/meta-security/kas/kas-security-base.yml
@@ -14,7 +14,7 @@ repos:
poky:
url: https://git.yoctoproject.org/git/poky
- refspec: master
+ refspec: hardknott
layers:
meta:
meta-poky:
@@ -22,7 +22,7 @@ repos:
meta-openembedded:
url: http://git.openembedded.org/meta-openembedded
- refspec: master
+ refspec: hardknott
layers:
meta-oe:
meta-perl:
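Review bot: the meta-openembedded url in the context line above the refspec change is still plain http://, while poky is fetched over https in the previous hunk. A layer cloned over an unauthenticated transport can be altered in transit, and its recipes run as part of the build. Since this hunk already touches the repo entry, switch the url to https if the server offers it; the same applies to the http:// SOURCE_MIRROR_URL and SSTATE_MIRRORS values further down in this file.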
@@ -35,14 +35,14 @@ local_conf_header:
CONF_VERSION = "1"
SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/"
SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n"
+ SSTATE_DIR = "/home/build/sstate-cache/hardknott"
+ DL_DIR = "/home/build/downloads/hardknott"
BB_HASHSERVE = "auto"
BB_SIGNATURE_HANDLER = "OEEquivHash"
INHERIT += "buildstats buildstats-summary buildhistory"
INHERIT += "report-error"
INHERIT += "testimage"
INHERIT += "rm_work"
- BB_NUMBER_THREADS="24"
- BB_NUMBER_PARSE_THREADS="12"
BB_TASK_NICE_LEVEL = '5'
BB_TASK_NICE_LEVEL_task-testimage = '0'
BB_TASK_IONICE_LEVEL = '2.7'
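Review bot: the added SSTATE_DIR and DL_DIR lines hard-code /home/build/sstate-cache/hardknott and /home/build/downloads/hardknott into a kas file that every machine config includes, so the configuration now only works on a host with that exact layout. Suggest making the base directory overridable, or at least documenting the expected layout next to these lines. The removal of BB_NUMBER_THREADS and BB_NUMBER_PARSE_THREADS looks fine, since it stops forcing one builder's core count on everyone.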
@@ -51,6 +51,8 @@ local_conf_header:
EXTRA_IMAGE_FEATURES ?= "debug-tweaks"
PACKAGE_CLASSES = "package_ipk"
+ DISTRO_FEATURES_append = " pam apparmor smack"
+ MACHINE_FEATURES_append = " tpm tpm2"
diskmon: |
BB_DISKMON_DIRS = "\
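Review bot: the added MACHINE_FEATURES_append = " tpm tpm2" is not equivalent to what it replaces. The per-machine files deleted later in this patch (qemuarm64-tpm2.yml, qemux86-64-tpm.yml, qemux86-64-tpm2.yml) enabled TPM support with DISTRO_FEATURES_append = " tpm" or " tpm2", so any recipe or packagegroup that tests DISTRO_FEATURES for tpm/tpm2 will no longer see the feature. Please confirm the consumers were switched to MACHINE_FEATURES in the same update. Separately, enabling apparmor and smack for every machine from the base is what forces the mipsarch exception in packagegroup-core-security.bb; a short comment here saying so would help.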
diff --git a/meta-security/kas/qemuarm64-tpm2.yml b/meta-security/kas/qemuarm64-tpm2.yml
deleted file mode 100644
index 3a8d8fc0de..0000000000
--- a/meta-security/kas/qemuarm64-tpm2.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-base.yml
-
-local_conf_header:
- meta-security: |
- DISTRO_FEATURES_append = " tpm2"
-
-machine: qemuarm64
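Review bot: deleting this file removes the only visible kas entry point that builds qemuarm64 with TPM2 enabled. With tpm/tpm2 now set in kas-security-base.yml the feature is covered for whichever machines still have a config, but please check that a qemuarm64 config including the base remains, so this architecture does not drop out of the TPM2 test matrix.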
diff --git a/meta-security/kas/qemumips64-alt.yml b/meta-security/kas/qemumips64-alt.yml
index 923c213700..c5d54d4d4f 100644
--- a/meta-security/kas/qemumips64-alt.yml
+++ b/meta-security/kas/qemumips64-alt.yml
@@ -1,10 +1,6 @@
header:
version: 8
includes:
- - kas-security-base.yml
-
-local_conf_header:
- alt: |
- DISTRO_FEATURES_append = " pam systmed"
+ - kas-security-alt.yml
machine: qemumips64
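Review bot: the removed line read DISTRO_FEATURES_append = " pam systmed", with systemd misspelled, so qemumips64-alt never actually built with systemd before. Switching the include to kas-security-alt.yml fixes that, but it is a behaviour change for this machine rather than a pure cleanup and should be called out in the commit message. This file also no longer includes kas-security-base.yml directly, so it depends on kas-security-alt.yml including the base itself.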
diff --git a/meta-security/kas/qemux86-64-tpm.yml b/meta-security/kas/qemux86-64-tpm.yml
deleted file mode 100644
index 565b423274..0000000000
--- a/meta-security/kas/qemux86-64-tpm.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-base.yml
-
-local_conf_header:
- meta-security: |
- DISTRO_FEATURES_append = " tpm"
-
-machine: qemux86-64
diff --git a/meta-security/kas/qemux86-64-tpm2.yml b/meta-security/kas/qemux86-64-tpm2.yml
deleted file mode 100644
index a43693ee90..0000000000
--- a/meta-security/kas/qemux86-64-tpm2.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-header:
- version: 8
- includes:
- - kas-security-base.yml
-
-local_conf_header:
- meta-security: |
- DISTRO_FEATURES_append = " tpm2"
-
-machine: qemux86-64
diff --git a/meta-security/kas/qemux86-test.yml b/meta-security/kas/qemux86-test.yml
index 7b5f45151c..83a5353e7f 100644
--- a/meta-security/kas/qemux86-test.yml
+++ b/meta-security/kas/qemux86-test.yml
@@ -3,9 +3,4 @@ header:
includes:
- kas-security-base.yml
-
-local_conf_header:
- meta-security: |
- DISTRO_FEATURES_append = " apparmor smack pam"
-
machine: qemux86
diff --git a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
index 9ac0d2c25f..c723badee8 100644
--- a/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/meta-security/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -80,6 +80,8 @@ RDEPENDS_packagegroup-security-mac = " \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
"
+RDEPENDS_packagegroup-security-mac_remove_mipsarch = "apparmor"
+
RDEPENDS_packagegroup-meta-security-ptest-packages = "\
ptest-runner \
samhain-standalone-ptest \
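Review bot: the new RDEPENDS_packagegroup-security-mac_remove_mipsarch = "apparmor" line has no comment explaining why apparmor is excluded on MIPS. A _remove is applied last and cannot be undone by a later append, so anyone who fixes the underlying problem will need to find and delete this line; please add a one-line comment with the reason. Also note that kas-security-base.yml still puts apparmor into DISTRO_FEATURES for MIPS machines, so this only keeps the package out of the packagegroup, not out of the feature set that other recipes test.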