12 files changed, 115 insertions, 16 deletions
diff --git a/meta-security/lib/oeqa/runtime/cases/suricata.py b/meta-security/lib/oeqa/runtime/cases/suricata.py
index 17fc8c5086..7f052ecd76 100644
--- a/meta-security/lib/oeqa/runtime/cases/suricata.py
+++ b/meta-security/lib/oeqa/runtime/cases/suricata.py
@@ -1,6 +1,7 @@
 # Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
 #
 import re
+from tempfile import mkstemp
 from oeqa.runtime.case import OERuntimeTestCase
 from oeqa.core.decorator.depends import OETestDepends
@@ -9,6 +10,22 @@ from oeqa.runtime.decorator.package import OEHasPackage
 class SuricataTest(OERuntimeTestCase):
+ @classmethod
+ def setUpClass(cls):
+ cls.tmp_fd, cls.tmp_path = mkstemp()
+ with os.fdopen(cls.tmp_fd, 'w') as f:
+ # use google public dns
+ f.write("nameserver 8.8.8.8")
+ f.write(os.linesep)
+ f.write("nameserver 8.8.4.4")
+ f.write(os.linesep)
+ f.write("nameserver 127.0.0.1")
+ f.write(os.linesep)
+
+ @classmethod
+ def tearDownClass(cls):
+ os.remove(cls.tmp_path)
+
 @OEHasPackage(['suricata'])
 @OETestDepends(['ssh.SSHTest.test_ssh'])
 def test_suricata_help(self):
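Review bot: The `setUpClass`/`tearDownClass` added in the next hunk call `os.fdopen`, `os.linesep` and `os.remove`, but this import hunk only adds `from tempfile import mkstemp`; unless `os` is imported on a line outside both hunks, class setup raises NameError before any Suricata test runs and the whole class errors out. Add `import os` beside `import re`. Keeping the stdlib imports together (`import os`, `import re`, `from tempfile import mkstemp`) ahead of the oeqa imports also matches the grouping the file already uses.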
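Review bot: `tearDownClass` only deletes the host-side temp file; the target's `/etc/resolv.conf`, which `test_ping_openinfosecfoundation_org` in the next hunk removes and replaces with this file, is never put back as far as these hunks show, so the image under test keeps the hard-coded public resolvers after the suite finishes. Save the original before it is overwritten and restore it here, e.g. `cls.tc.target.run('mv -f /etc/resolv.conf.oeqa-orig /etc/resolv.conf')` (assuming `tc` is reachable on the class the same way `self.tc` is in the tests). The comment above the `f.write` calls should also state why the resolver list is replaced at all, e.g. `# the suricata-update tests need working DNS on the target; replace its resolver config for the duration of this class`, rather than just naming the provider.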
@@ -18,10 +35,42 @@ class SuricataTest(OERuntimeTestCase):
 self.assertEqual(status, 1, msg = msg)
 @OETestDepends(['suricata.SuricataTest.test_suricata_help'])
- def test_suricata_unittest(self):
- status, output = self.target.run('suricata -u')
- match = re.search('FAILED: 0 ', output)
- if not match:
- msg = ('suricata unittest had an unexpected failure. '
- 'Status and output:%s and %s' % (status, output))
- self.assertEqual(status, 0, msg = msg)
+ def test_ping_openinfosecfoundation_org(self):
+ dst = '/etc/resolv.conf'
+ self.tc.target.run('rm -f %s' % dst)
+ (status, output) = self.tc.target.copyTo(self.tmp_path, dst)
+ msg = 'File could not be copied. Output: %s' % output
+ self.assertEqual(status, 0, msg=msg)
+
+ status, output = self.target.run('ping -c 1 openinfosecfoundation.org')
+ msg = ('ping openinfosecfoundation.org failed: output is:\n%s' % output)
+ self.assertEqual(status, 0, msg = msg)
+
+ @OEHasPackage(['python3-suricata-update'])
+ @OETestDepends(['suricata.SuricataTest.test_ping_openinfosecfoundation_org'])
+ def test_suricata_update(self):
+ status, output = self.tc.target.run('suricata-update')
+ msg = ('suricata-update had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['suricata.SuricataTest.test_suricata_update'])
+ def test_suricata_update_sources_list(self):
+ status, output = self.tc.target.run('suricata-update list-sources')
+ msg = ('suricata-update list-sources had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['suricata.SuricataTest.test_suricata_update_sources_list'])
+ def test_suricata_update_sources(self):
+ status, output = self.tc.target.run('suricata-update update-sources')
+ msg = ('suricata-update update-sources had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
+
+ @OETestDepends(['suricata.SuricataTest.test_suricata_update_sources'])
+ def test_suricata_update_enable_source(self):
+ status, output = self.tc.target.run('suricata-update enable-source oisf/trafficid')
+ msg = ('suricata-update enable-source oisf/trafficid had an unexpected failure. '
+ 'Status and output:%s and %s' % (status, output))
+ self.assertEqual(status, 0, msg = msg)
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index 962424ccbe..bfc9c6ff16 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -24,3 +24,5 @@ OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
 LAYERSERIES_COMPAT_integrity = "zeus"
 # ima-evm-utils depends on keyutils from meta-oe
 LAYERDEPENDS_integrity = "core openembedded-layer"
+
+BBLAYERS_LAYERINDEX_NAME_integrity = "meta-integrity"
diff --git a/meta-security/meta-security-compliance/conf/layer.conf b/meta-security/meta-security-compliance/conf/layer.conf
index 0e93bd0e8e..8572a1fcea 100644
--- a/meta-security/meta-security-compliance/conf/layer.conf
+++ b/meta-security/meta-security-compliance/conf/layer.conf
@@ -11,3 +11,5 @@ BBFILE_PRIORITY_scanners-layer = "10"
 LAYERSERIES_COMPAT_scanners-layer = "zeus"
 LAYERDEPENDS_scanners-layer = "core openembedded-layer meta-python"
+
+BBLAYERS_LAYERINDEX_NAME_scanners-layer = "meta-security-compliance"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 3af2d95171..175eba84ef 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -14,3 +14,4 @@ LAYERDEPENDS_tpm-layer = " \
 core \
 openembedded-layer \
 "
+BBLAYERS_LAYERINDEX_NAME_tpm-layer = "meta-tpm"
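Review bot: `test_ping_openinfosecfoundation_org` deletes the target's `/etc/resolv.conf` with `rm -f` before the copy, so a failed `copyTo` leaves the image with no resolver config at all, and nothing in the hunk records the original file for later restoration; copy it aside first, e.g. `self.tc.target.run('cp -f %s %s.oeqa-orig' % (dst, dst))` ahead of the `rm -f`. The same method mixes `self.tc.target.run`/`copyTo` with `self.target.run`, and the assert calls alternate between `msg=msg` and `msg = msg`; presumably both attribute paths reach the same target object, so pick one form and use it throughout the five new tests. Note that the four `suricata-update` tests chain through `OETestDepends` on this ping, so a single blocked ICMP echo or missing outbound DNS on the test network skips all rule-update coverage, and with `suricata -u` gone there is no network-independent check left in this class.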
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
index c8dfb7de34..9bb7da9720 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd-init.sh
@@ -27,7 +27,7 @@ case "${1}" in
 start)
 echo -n "Starting $DESC: "
- if [ ! -e /dev/tpm* ]
+ if [ ! -e /dev/tpm? ]
 then
 echo "device driver not loaded, skipping."
 exit 0
diff --git a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
index 987978a665..b4b3c2072a 100644
--- a/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
+++ b/meta-security/meta-tpm/recipes-tpm2/tpm2-abrmd/files/tpm2-abrmd.default
@@ -1 +1 @@
-DAEMON_OPTS="--tcti=device --logger=syslog --max-connections=20 --max-transient-objects=20 --fail-on-loaded-trans"
+DAEMON_OPTS="--tcti=device --logger=syslog --max-connections=20 --max-transients=20 --flush-all"
diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.31.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.32.bb
index 8305f70105..8305f70105 100644
--- a/meta-security/recipes-ids/suricata/libhtp_0.5.31.bb
+++ b/meta-security/recipes-ids/suricata/libhtp_0.5.32.bb
diff --git a/meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb b/meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
index 63f75e0968..0070b5bcfc 100644
--- a/meta-security/recipes-ids/suricata/python3-suricata-update_1.0.5.bb
+++ b/meta-security/recipes-ids/suricata/python3-suricata-update_1.1.1.bb
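Review bot: `[ ! -e /dev/tpm? ]` is still an unquoted glob inside `test`: with no match the pattern stays literal and the skip works, but with two or more matching nodes (`/dev/tpm0` and `/dev/tpm1`) the shell expands it to several words, `[` fails with a "too many arguments" error and the daemon is never started. Expand the glob into positional parameters and test the first one, `set -- /dev/tpm?` then `if [ ! -e "$1" ]`, which handles zero, one and many matches; this is safe if nothing later in the `start)` branch reads `$1`, which has already been consumed by the `case`. The switch from `*` to `?` presumably exists to stop `/dev/tpmrm0` from matching; a one-line comment saying so would spare the next reader the guess. The enclosing `case` statement begins and ends outside the hunk.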
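Review bot: Replacing `--fail-on-loaded-trans` with `--flush-all` changes the shipped startup policy from refusing to run while another TPM user has transient objects loaded to discarding those objects and sessions at start, if I read the option names correctly; that is a behaviour change worth explaining in the file itself. Add a comment line above `DAEMON_OPTS`, e.g. `# --flush-all clears leftover transient objects/sessions at startup (was --fail-on-loaded-trans)`. If the `--max-transients` spelling tracks a particular tpm2-abrmd release, naming it in the same comment would tell a maintainer when the old spelling can no longer be used.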
@@ -5,8 +5,8 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-SRCREV = "dcd0f630e13463750efb1593ad3ccae1ae6c27d4"
-SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.0.x'"
+SRCREV = "9630630ffc493ca26299d174ee2066aa1405b2d4"
+SRC_URI = "git://github.com/OISF/suricata-update;branch='master-1.1.x'"
 S = "${WORKDIR}/git"
diff --git a/meta-security/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc
index 1f4baffcc5..3adbcf6d49 100644
--- a/meta-security/recipes-ids/suricata/suricata.inc
+++ b/meta-security/recipes-ids/suricata/suricata.inc
@@ -2,8 +2,8 @@ HOMEPAGE = "http://suricata-ids.org/"
 SECTION = "security Monitor/Admin"
 LICENSE = "GPLv2"
-VER = "4.1.5"
+VER = "4.1.6"
 SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-SRC_URI[md5sum] = "0dfd68f6f4314c5c2eed7128112eff3b"
-SRC_URI[sha256sum] = "cee5f6535cd7fe63fddceab62eb3bc66a63fc464466c88ec7a41b7a1331ac74b"
+SRC_URI[md5sum] = "da5de1e8053f05cbd295793210117d34"
+SRC_URI[sha256sum] = "8441ac89016106459ade2112fcde58b3f789e4beb2fd8bfa081ffb75eec75fe0"
diff --git a/meta-security/recipes-ids/suricata/suricata_4.1.5.bb b/meta-security/recipes-ids/suricata/suricata_4.1.6.bb
index b2700d63fa..9b7122b9e5 100644
--- a/meta-security/recipes-ids/suricata/suricata_4.1.5.bb
+++ b/meta-security/recipes-ids/suricata/suricata_4.1.6.bb
@@ -10,7 +10,6 @@ SRC_URI += " \
 file://suricata.yaml \
 file://suricata.service \
 file://run-ptest \
- file://0001-af-packet-fix-build-on-recent-Linux-kernels.patch \
 "
 inherit autotools-brokensep pkgconfig python3-dir systemd ptest
diff --git a/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch b/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
new file mode 100644
index 0000000000..a53433fe57
--- /dev/null
+++ b/meta-security/recipes-security/libseccomp/files/0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch
@@ -0,0 +1,45 @@
+From 1ecdddb2a5b61cf527d1f238f88a9d129239f87a Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Tue, 5 Nov 2019 15:11:11 -0500
+Subject: [PATCH] tests: rely on __SNR_xxx instead of __NR_xxx for syscalls
+
+We recently changed how libseccomp handles syscall numbers that are
+not defined natively, but we missed test #15.
+
+Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+
+Upstream-Status: Backport
+[https://github.com/seccomp/libseccomp/commit/1ecdddb2a5b61cf527d1f238f88a9d129239f87a]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ tests/15-basic-resolver.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/tests/15-basic-resolver.c b/tests/15-basic-resolver.c
+index 6badef1..0c1eefe 100644
+--- a/tests/15-basic-resolver.c
++++ b/tests/15-basic-resolver.c
+@@ -55,15 +55,15 @@ int main(int argc, char *argv[])
+ unsigned int arch;
+ char *name = NULL;
+
+- if (seccomp_syscall_resolve_name("open") != __NR_open)
++ if (seccomp_syscall_resolve_name("open") != __SNR_open)
+ goto fail;
+- if (seccomp_syscall_resolve_name("read") != __NR_read)
++ if (seccomp_syscall_resolve_name("read") != __SNR_read)
+ goto fail;
+ if (seccomp_syscall_resolve_name("INVALID") != __NR_SCMP_ERROR)
+ goto fail;
+
+ rc = seccomp_syscall_resolve_name_rewrite(SCMP_ARCH_NATIVE, "openat");
+- if (rc != __NR_openat)
++ if (rc != __SNR_openat)
+ goto fail;
+
+ while ((arch = arch_list[iter++]) != -1) {
+--
+2.17.1
+
diff --git a/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb b/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb
index 37a79829f7..07db82a605 100644
--- a/meta-security/recipes-security/libseccomp/libseccomp_2.4.1.bb
+++ b/meta-security/recipes-security/libseccomp/libseccomp_2.4.2.bb
@@ -4,9 +4,10 @@ SECTION = "security"
 LICENSE = "LGPL-2.1"
 LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-SRCREV = "fb43972ea1aab24f2a70193fb7445c2674f594e3"
+SRCREV = "1b6cfd1fc0b7499a28c24299a93a80bd18619563"
 SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
+ file://0001-tests-rely-on-__SNR_xxx-instead-of-__NR_xxx-for-sysc.patch \
 file://run-ptest \
 " |