From d159c7fb39550d7348052766f46e51b26d3fd4cc Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Thu, 2 Sep 2021 21:05:58 -0500 Subject: subtree updates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit poky: 94dfcaff64..359e1cb62f: Alexander Kanavin (76): tcf-agent: fetching over git:// no longer works lighttpd: convert from autotools to meson libxcrypt: upgrade 4.4.23 -> 4.4.25 python3-cython: upgrade 0.29.23 -> 0.29.24 python3-numpy: upgrade 1.21.0 -> 1.21.2 systemd: upgrade 249.1 -> 249.3 xeyes: upgrade 1.1.2 -> 1.2.0 btrfs-tools: update 5.13 -> 5.13.1 diffutils: update 3.7 -> 3.8 mc: update 4.8.26 - > 4.8.27 libsdl2: update 2.0.14 -> 2.0.16 vulkan-samples: update to latest revision pulseaudio: update 14.2 -> 15.0 libjitterentropy: update 3.0.2 -> 3.1.0 usbutils: upgrade 013 -> 014 inetutils: upgrade 2.0 -> 2.1 mobile-broadband-provider-info: upgrade 20201225 -> 20210805 glib-networking: upgrade 2.68.1 -> 2.68.2 e2fsprogs: upgrade 1.46.2 -> 1.46.4 help2man: upgrade 1.48.3 -> 1.48.4 libedit: upgrade 20210522-3.1 -> 20210714-3.1 log4cplus: upgrade 2.0.6 -> 2.0.7 mtools: upgrade 4.0.34 -> 4.0.35 patchelf: upgrade 0.12 -> 0.13 pkgconf: upgrade 1.7.4 -> 1.8.0 python3-git: upgrade 3.1.18 -> 3.1.20 python3-pip: upgrade 21.2.1 -> 21.2.4 python3-pygments: upgrade 2.9.0 -> 2.10.0 python3-setuptools: upgrade 57.1.0 -> 57.4.0 squashfs-tools: upgrade 4.4 -> 4.5 acpica: upgrade 20210331 -> 20210730 libidn2: upgrade 2.3.1 -> 2.3.2 stress-ng: upgrade 0.12.12 -> 0.13.00 sudo: upgrade 1.9.7p1 -> 1.9.7p2 epiphany: upgrade 40.2 -> 40.3 libgudev: upgrade 236 -> 237 libjpeg-turbo: upgrade 2.1.0 -> 2.1.1 libepoxy: upgrade 1.5.8 -> 1.5.9 pango: upgrade 1.48.7 -> 1.48.9 mesa: upgrade 21.1.5 -> 21.2.1 libinput: upgrade 1.18.0 -> 1.18.1 libxfont2: upgrade 2.0.4 -> 2.0.5 libxft: upgrade 2.3.3 -> 2.3.4 xserver-xorg: upgrade 1.20.12 -> 1.20.13 linux-firmware: upgrade 20210511 -> 20210818 wireless-regdb: upgrade 2021.04.21 -> 2021.07.14 libwebp: upgrade 1.2.0 -> 1.2.1 webkitgtk: upgrade 2.32.2 -> 2.32.3 boost: upgrade 1.76.0 -> 1.77.0 diffoscope: upgrade 179 -> 181 enchant2: upgrade 2.3.0 -> 2.3.1 re2c: upgrade 2.1.1 -> 2.2 rng-tools: upgrade 6.13 -> 6.14 kea: backport a patch to fix build errors exposed by latest update batch qemu: add a hint on how to enable CPU render nodes when a suitable GPU is absent mc: fix reproducibility libjitterentropy: remove contaminated hashequiv entry binutils: drop target flex/bison from build dependencies gnu-efi: update 3.0.13 -> 3.0.14 glib-2.0: upgrade 2.68.3 -> 2.68.4 util-linux: upgrade 2.37.1 -> 2.37.2 ccache: upgrade 4.3 -> 4.4 git: upgrade 2.32.0 -> 2.33.0 openssh: upgrade 8.6p1 -> 8.7p1 ell: upgrade 0.42 -> 0.43 python3-mako: upgrade 1.1.4 -> 1.1.5 vala: upgrade 0.52.4 -> 0.52.5 libnsl2: upgrade 1.3.0 -> 2.0.0 gi-docgen: upgrade 2021.6 -> 2021.7 json-glib: upgrade 1.6.2 -> 1.6.4 bind: upgrade 9.16.19 -> 9.16.20 harfbuzz: upgrade 2.8.2 -> 2.9.0 qemurunner.py: print output from runqemu/qemu-system in stop() qemurunner.py: handle getOutput() having nothing to read rust: fix upstream version checks mesa: enable crocus driver for older intel graphics Andreas Müller (2): mesa: upgrade 21.1.5 -> 21.1.7 binutils: Apply upstream patch to fix 'too many open files' on qtwebengine Andrej Valek (2): busybox: 1.33.1 -> 1.34.0 vim: add option to disable NLS support Andres Beltran (2): buildhistory: Add output file listing package information buildhistory: Label packages providing per-file dependencies in depends.dot Andrey Zhizhikin (2): lttng-modules: do not search in non-existing folder during install nativesdk-packagegroup-sdk-host: add perl integer module Armin Kuster (2): lz4: Security Fix for CVE-2021-3520 lz4: remove rest of ptest artifacts Bruce Ashfield (21): linux-yocto/5.13: update to v5.13.7 linux-yocto/5.4: update to v5.4.137 linux-yocto/5.10: update to v5.10.55 linux-yocto/5.4: update to v5.4.139 linux-yocto/5.10: update to v5.10.57 linux-yocto/5.13: update to v5.13.9 linux-yocto/5.4: remove recipes conf/machine: bump qemu preferred versions to 5.13 linux-yocto-dev: bump to v5.14+ lttng-modules: update to 2.13.0 kernel-devsrc: 5.14+ updates kernel-devsrc: fix 5.14+ objtool compilation poky/poky-tiny: set default kernel to 5.13 poky: set default kernel to 5.13 yocto-bsp: drop 5.4 bbappend poky-alt: switch default kernel to 5.10 linux-yocto/5.13: update to v5.13.11 linux-yocto/5.10: update to v5.10.59 linux-yocto/5.13: update to v5.13.12 linux-yocto/5.10: update to v5.10.60 parselogs.py: ignore intermittent CD/DVDROM identification failure Chen Qi (1): package_rpm/update-alternatives: fix package's provides Daniel Gomez (2): wic: Add --no-fstab-update part option oeqa: wic: Add tests for --no-fstab-update Denys Dmytriyenko (1): grep: upgrade 3.6 -> 3.7 Enrico Scholz (1): bitbake: fetch2/wget: fix 'no_proxy' handling Hongxu Jia (2): nativesdk-pseudo: Fix to work with glibc 2.34 systems glibc: fix create thread failed in unprivileged process Hsia-Jun Li (1): lib/oe/elf: Add Android OS to machine_dict Jon Mason (8): arch-armv8m-main: missing space conf/machine: move tune files to architecture directories yocto-bsp: update machine confs with new tune locations docs: update docs with new tune locations arch-arm*: add better support for gcc march extensions tune-cortexr*: add support for all Arm Cortex-R processors arch-arm*: Fix bugs with dsp and simd feature include files tune-*: Use more specific DEFAULTTUNE Jose Quaresma (1): sstate.bbclass: get the number of threads from BB_NUMBER_THREADS Joshua Watt (17): bitbake: contrib: vim: Add "remove" override highlighting bitbake.conf: Add lz4c, pzstd and zstd bitbake: bitbake: asyncrpc: Defer all asyncio to child process conf/licenses: Add FreeType SPDX mapping tzdata: Remove BSD License specifier glib-2.0: Use specific BSD license variant e2fsprogs: Use specific BSD license variant shadow: Use specific BSD license variant libcap: Use specific BSD license variant sudo: Use specific BSD license variant libpam: Use specific BSD license variant libxfont2: Use specific BSD license variant libjitterentropy: Use specific BSD license variant libx11: Use specific BSD license variant font-util: Use specific BSD license variant flac: Use specific BSD license variant swig: Use specific BSD license variant Kai Kang (2): libcgroup: fix installed-vs-shipped qa issue rustfmt: fix SRC_URI Kevin Hao (2): meta-yocto-bsp: Set the default kernel to v5.13 meta-yocto-bsp: Bump the kernel to v5.13.11 Khem Raj (2): weston: Re-order gbm destruction at DRM-backend tear down musl: Update to latest tip of trunk Kristian Klausen (1): systemd: Add repart PACKAGECONFIG Marco Felsch (1): bitbake: bitbake: bitbake-layers: add skip reason to output Marek Vasut (1): weston: Add rdp PACKAGECONFIG Marta Rybczynska (1): lzo: add CVE_PRODUCT Martin Jansa (3): bitbake: prserv: handle PRSERV_HOST = "127.0.0.1:0" the same as "localhost:0" bitbake: cooker/process: Fix typos in exiting message rust: remove unused patches Michael Halstead (2): uninative: Upgrade to 3.3, support glibc 2.34 uninative: Upgrade to 3.4 Michael Opdenacker (2): maintainers.inc: maintainer for alsa-*, flac, lame and speex meta: stop using "virtual/" in RPROVIDES and RDEPENDS Mingli Yu (2): shadow: fix default value in SHA_get_salt_rounds() bitbake: prserv: make localhost work Oleksandr Popovych (1): utils: Reduce the number of calls to the "dirname" command Oliver Kranz (1): Allow global override of golang GO_DYNLINK Paul Barker (2): bitbake: prserv: Replace XML RPC with modern asyncrpc implementation bitbake: prserv: Add read-only mode Paul Gortmaker (1): ltp: backport ioctl_ns05 fix from upstream Peter Kjellerstedt (7): lttng-modules: Make it build when CONFIG_TRACEPOINTS is not enabled again poky-floating-revisions.inc: Use new override syntax for commented vars local.conf.sample: Use the new override syntax for a commented variable bitbake.conf: Use the new variable override syntax in a comment buildhistory-collect-srcrevs: Adapt to the new variable override syntax meson.bbclass: Make the default buildtype "debug" if DEBUG_BUILD is 1 bitbake: providers: Use new override syntax when handling pn- "override" Purushottam Choudhary (1): assimp: added patch to fix hardcoded non-existing paths in CMake modules Randy MacLeod (8): openssl: upgrade from 1.1.1k to 1.1.1l rust: initial merge of most of meta-rust rust: mv README.md to recipes-devtools/rust/README-rust.md rust: update the README to conform to being in oe-core cargo/rust/rustfmt: exclude from world maintainers: Add myself as maintainer for rust pkgs cargo_common: remove http_proxy rust: remove Rust version 1.51.0 toolchain Richard Purdie (27): elfutils: Add zstd PACKAGECONFIG for determinism man-db: Add compression PACKAGECONFIG entries oeqa/selftest/glibc: Handle incorrect encoding issuesin glibc test results package/scripts: Fix FILES_INFO handling package: Fix overrides converion issue with PKGSIZE bitbake: bitbake: Make 3.6.0 the minimum python version elfutils: Fix ptest dependencies bsp-guide: Fix reference to bbappend section of dev-manual ref-manual: Fix reference to bbappend section of dev-manual gcc: Fix nativesdk builds and multilib fixes with gcc 11 bitbake: README: Add note about test suite and new tests pseudo: Fix to work with glibc 2.34 systems bitbake: README: Fix typo rust-cross*: Fix OVERRRIDE references in task signature computation rust-cross-canadian-common: Use rust.inc directly, not rust-target cargo: Ensure cargo-cross-canadian doesn't have native/nativesdk versions rust-native: Avoid stripped warning rust-llvm: Add missing HOMEPAGE rust: Skip target recipe since it doesn't work oeqa/selftest/distrodata: Fix up rust maintainer testing rust: Avoid buildtools+uninative issues with glibc symbols mismatches rust-common: Add LDFLAGS to cc wrapper oeqa/selftest/reproducibile: Exclude rust packages kernel: Use unexpanded EXTENDPKGV oeqa/buildtools-cases: Allow bitbake time to shutdown cargo: Apply uninative fix to snapshot as with rust rust-common: Hack around LD_LIBRARY_PATH issues on centos7 Robert P. J. Day (1): scripts/lib/wic/help/py: "Redhat" -> "Red Hat" Ross Burton (11): oeqa/selftest/buildoptions: test buildhistory PKGSIZE and FILELIST fields uninative: Improve glob to handle glibc 2.34 oeqa/sdk: add relocation test for buildtools glibc: package the stub .a libaries into glibc-dev oeqa/sdk: add HTTPS test for buildtools libcgroup: upgrade to 2.0 gcc: also relocate the musl loader local.conf.sample.extended: fix commented-out override syntax cpio: backport fix for CVE-2021-38185 mesa: fix build on Arm V5 with soft float ptest: allow the ptest-packagelists.inc warning to be disabled Sakib Sajal (1): qemu: fix CVE-2021-3682 Scott Murray (2): bitbake: bitbake: asyncrpc: always create new asyncio loops prservice: remove connection caching Stefan Herbrechtsmeier (4): u-boot: Remove redundancy from installed and deployed SPL artifact names u-boot: Remove misplaced configuration type variable u-boot: Make SPL suffix configurable u-boot: Make UBOOT_BINARYNAME configurable Tim Orling (7): python3-importlib-metadata: upgrade 4.6.3 -> 4.6.4 python3-hypothesis: upgrade 6.14.5 -> 6.14.8 python3-hypothesis: upgrade 6.14.8 -> 6.15.0 python3-hypothesis: enable ptest python3-pluggy: upgrade 0.13.1 -> 1.0.0 python3-pytest: allow python3-pluggy >=1.0.0 rust-common.bbclass: export RUST_TARGET_PATH Trevor Gamblin (1): bluez: upgrade 5.60 -> 5.61 Trevor Woerner (1): distro_features_check: expand with IMAGE_FEATURES Vinay Kumar (2): glibc: Fix CVE-2021-38604 rust-common.inc: Fix build failure with qemuppc64. Yi Zhao (2): prelink: add PACKAGECONFIG for selinux shadow: add /etc/default/useradd Zoltán Böszörményi (4): kernel-module-split.bbclass: Support zstd-compressed modules Allow opt-out of split kernel modules kernel.bbclass: Use full versions for inter-package dependencies base/kernel: Support zstd-compressed squashfs and cpio initramfs leimaohui (2): Fix conflict error when enable multilib. wordsize.h: Fix a miss, this file in arm and aarch64 should be the same. meta-raspberrypi: 32921fc9bd..a6fa6b3aec: Khem Raj (4): machines: Use tune files from new location in oe-core linux-raspberrypi: Update to 5.10.59 raspberrypi-firmware: Update to latest raspberrypi4: Use full kms (vc4-kms-v3d) DT overlay Marcus Comstedt (1): pi-bluetooth: Add compatibility with non-systemd builds Tom Rini (1): xserver-xf86-config: Correctly append to FILES:${PN} meta-security: c885d399cd..1f18c623e9: Armin Kuster (10): cryfs: add new package kas-security-bas: bump conf value kas: fix DISTRO appends dm-verity-img.bbclass: more overided fixups krill: Rust is in core now suricata: rust is in core layer.conf: drop dynamic-layer layer.conf: drop meta-rust harden-image-minimal: fix useradd inherit kas: remove rust layers Daiane Angolini (1): meta-integrity: kernel-modsign: Change weak default value George Liu (1): meta: Fix typos Marta Rybczynska (2): README: fix mailing lists README: fix mailing lists and a typo meta-openembedded: a13db91f19..9fdc7960ba: Andreas Müller (6): catch2: upgrade 2.13.6 -> 2.13.7 fltk/CMake: Do not export executable 'fluid' fltk: upgrade 1.3.6 -> 1.3.7 network-manager-applet: upgrade 1.22.0 -> 1.24.0 networkmanager: upgrade 1.32.4 -> 1.32.8 udisks2: upgrade 2.9.2 -> 2.9.3 Anton Blanchard (2): boost-url: Use GNUInstallDirs instead of hard wiring install directories cereal: Use GNUInstallDirs instead of hard wiring install directories Changqing Li (1): linuxptp: upgrade 3.1 -> 3.1.1 Devendra Tewari (1): android-tools: Add flag to enable adbd service (#147) Dmitry Baryshkov (1): image_types_sparse: stop using ext2simg Easwar Hariharan (1): chrony: Fix privdrop packageconfig Joe Slater (1): nginx: fix CVE-2021-3618 Justin Bronder (1): hidapi: add rdep on glibc-gconv-utf-16 Khem Raj (7): layer.conf: Add ttf-ipa to SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS on fontconfig mpich: link explictly with libgcc packagegroup-meta-networking: Add bmon libnss-nisplus: Remove pipewire: Upgrade to 0.3.34 bluealsa: Add recipe apitrace: Enable on glibc >= 2.34 Leon Anavi (21): python3-astroid: Upgrade 2.6.6 -> 2.7.0 python3-ujson: Upgrade 4.0.2 -> 4.1.0 python3-pycurl: Upgrade 7.44.0 -> 7.44.1 python3-websocket-client: Upgrade 1.1.0 -> 1.2.1 python3-bitarray: Upgrade 2.2.5 -> 2.3.0 python3-langtable: Upgrade 0.0.54 -> 0.0.56 python3-pandas: Upgrade 1.3.1 -> 1.3.2 python3-tzlocal: Upgrade 2.1 -> 3.0 python3-zeroconf: Upgrade 0.34.3 -> 0.36.0 python3-dbus-next: Upgrade 0.2.2 -> 0.2.3 python3-astroid: Upgrade 2.7.0 -> 2.7.1 python3-ruamel-yaml: Upgrade 0.17.10 -> 0.17.11 python3-unidiff: Upgrade 0.6.0 -> 0.7.0 python3-qrcode: Upgrade 7.2 -> 7.3 python3-simplejson: Upgrade 3.17.3 -> 3.17.4 python3-regex: Upgrade 2021.7.6 -> 2021.8.3 python3-colorlog: Upgrade 5.0.1 -> 6.4.1 python3-ruamel-yaml: Upgrade 0.17.11 -> 0.17.13 python3-simplejson: Upgrade 3.17.4 -> 3.17.5 python3-bitarray: Upgrade 2.3.0 -> 2.3.2 python3-watchdog: Upgrade 2.1.3 -> 2.1.5 Martin Jansa (1): layer.conf: Add ttf-takao to SIGGEN_EXCLUDE_SAFE_RECIPE_DEPS on fontconfig Matija Tudan (1): gpsd: upgrade 3.20 -> 3.23 Matteo Croce (1): libbpf: bump to 0.4.0 Michael Opdenacker (2): meta-multimedia: stop using "virtual/" in RPROVIDES and RDEPENDS meta-oe: stop using "virtual/" in RPROVIDES and RDEPENDS Mingli Yu (4): polkit: fix CVE-2021-3560 vsftpd: Upgrade to 3.0.5 mariadb: Upgrade to 10.6.4 jemalloc: improve reproducibility Nathan Rossi (1): nginx: Fix off_t size passed in configure Oleksandr Kravchuk (6): font-adobe-100dpi: fix UPSTREAM_CHECK_REGEX font-adobe-utopia-100dpi: fix UPSTREAM_CHECK_REGEX font-bh-100dpi: fix UPSTREAM_CHECK_REGEX font-bh-lucidatypewriter-100dpi: fix UPSTREAM_CHECK_REGEX font-bitstream-100dpi: fix UPSTREAM_CHECK_REGEX xf86-input-tslib: update to 1.1.1 Patrick Areny (2): libConfuse: Add recipe bmon: Add recipe Peter Kjellerstedt (6): gpsd: Let scons install the udev and systemd files gpsd: Move /usr/share/gpsd/doc to the gpsd-doc package poppler: Explicitly enable/disable boost together with splash chrony: Use new override syntax for USERADD_PARAM gpsd: Correct the installation of gpsd.hotplug if systemd is not enabled gpsd: Do not install gpsd.hotplug unconditionally Peter Morrow (1): libbpf: remove stale comment Sakib Sajal (2): lmdb: use libprefix in Makefile to install libraries gd: fix CVE-2021-38115 Sinan Kaya (4): c-ares: remove custom patches grpc: make SHARED library build optional libkcapi: add a hash only packageconfig libkcapi: allow an option to build natively Tim Orling (2): bootchart: drop; unfetchable python3-django_2.2.x: only check upstream 2.2.x Trevor Gamblin (5): python3-click: Add missing ptest artifacts python3-eventlet: add 0.30.2 to meta-python python3-gunicorn: tweak run-ptest, add RDEPENDS python3-license-expression: add ptest artifacts nftables: upgrade 0.9.9 -> 1.0.0 Vesa Jääskeläinen (2): python3-cached-property: Add recipe for version 1.5.2 python3-pkcs11: Add recipe for version 0.7.0 Yi Zhao (2): audit: upgrade 3.0.4 -> 3.0.5 krb5: filtering out -f*-prefix-map from krb5-config Zoltán Böszörményi (1): metacity: Add a patch to create build/src/core before moving generated sources to it leimaohui (3): packagegroup-meta-oe: Update ttf-ipa package name. uim: Dleted takao fonts from DEPENDS. takao-fonts: It should be in ttf-fonts directory as the other ttf fonts. wangmy (14): fetchmail: upgrade 6.4.20 -> 6.4.21 c-ares: upgrade 1.17.1 -> 1.17.2 icewm: upgrade 2.6.0 -> 2.7.0 netplan: upgrade 0.102 -> 0.103 ctags: upgrade 5.9.20210801.0 -> 5.9.20210815.0 live555: upgrade 20210720 -> 20210809 opensc: upgrade 0.21.0 -> 0.22.0 xfsprogs: upgrade 5.12.0 -> 5.13.0 networkmanager: upgrade 1.32.8 -> 1.32.10 can-utils: upgrade 2021.06.0 -> 2021.08.0 doxygen: upgrade 1.9.1 -> 1.9.2 gensio: upgrade 2.2.8 -> 2.2.9 live555: upgrade 20210809 -> 20210824 sedutil: upgrade 1.15.1.01 -> 1.20.0 zangrc (14): python3-flask-migrate: upgrade 3.0.1 -> 3.1.0 python3-flask-socketio: upgrade 5.1.0 -> 5.1.1 python3-google-api-python-client: upgrade 2.15.0 -> 2.17.0 python3-grpcio-tools: upgrade 1.38.1 -> 1.39.0 python3-grpcio: upgrade 1.38.1 -> 1.39.0 python3-wheel: upgrade 0.36.2 -> 0.37.0 libio-socket-ssl-perl: upgrade 2.071 -> 2.072 python3-aiohttp-jinja2: upgrade 1.4.2 -> 1.5 python3-gevent: upgrade 21.1.2 -> 21.8.0 python3-google-api-python-client: upgrade 2.17.0 -> 2.18.0 python3-h5py: upgrade 3.3.0 -> 3.4.0 python3-haversine: upgrade 2.3.1 -> 2.4.0 python3-pyephem: upgrade 3.7.7.1 -> 4.0.0.2 rdma-core: upgrade 35.0 -> 36.0 zhengruoqin (12): libqmi: upgrade 1.28.8 -> 1.30.0 sedutil: upgrade 1.15.1 -> 1.15.1.01 libencode-perl: upgrade 3.11 -> 3.12 python3-pymisp: upgrade 2.4.144 -> 2.4.148 python3-pyzmq: upgrade 22.1.0 -> 22.2.1 python3-tqdm: upgrade 4.62.0 -> 4.62.2 iwd: upgrade 1.16 -> 1.17 xmlsec1: upgrade 1.2.31 -> 1.2.32 xrdb: upgrade 1.2.0 -> 1.2.1 python3-regex: upgrade 2021.8.3 -> 2021.8.27 python3-sqlalchemy: upgrade 1.4.22 -> 1.4.23 python3-stevedore: upgrade 3.3.0 -> 3.4.0 Signed-off-by: Andrew Geissler Change-Id: I2960f1ce53a1e2cde8b03b929829db9a2f105541 --- meta-security/classes/dm-verity-img.bbclass | 4 +- meta-security/classes/sanity-meta-security.bbclass | 2 +- meta-security/conf/layer.conf | 4 - .../recipes-ids/suricata/files/fixup.patch | 32 - .../meta-rust/recipes-ids/suricata/files/run-ptest | 3 - .../recipes-ids/suricata/files/suricata.service | 20 - .../recipes-ids/suricata/files/suricata.yaml | 1326 -------------------- .../recipes-ids/suricata/files/tmpfiles.suricata | 2 - .../suricata/files/volatiles.03_suricata | 2 - .../recipes-ids/suricata/libhtp_0.5.38.bb | 27 - .../meta-rust/recipes-ids/suricata/suricata.inc | 5 - .../recipes-ids/suricata/suricata_6.0.3.bb | 206 --- .../krill/files/panic_workaround.patch | 16 - .../meta-rust/recipes-security/krill/krill.inc | 325 ----- .../recipes-security/krill/krill_0.9.1.bb | 39 - meta-security/kas/kas-security-base.yml | 13 +- meta-security/kas/kas-security-dm.yml | 1 + meta-security/kas/kas-security-parsec.yml | 4 - meta-security/meta-hardening/README | 6 +- .../recipes-core/images/harden-image-minimal.bb | 11 +- .../meta-integrity/classes/kernel-modsign.bbclass | 2 +- meta-security/meta-parsec/conf/layer.conf | 2 +- meta-security/meta-tpm/README | 8 +- .../recipes-ids/suricata/files/fixup.patch | 32 + meta-security/recipes-ids/suricata/files/run-ptest | 3 + .../recipes-ids/suricata/files/suricata.service | 20 + .../recipes-ids/suricata/files/suricata.yaml | 1326 ++++++++++++++++++++ .../recipes-ids/suricata/files/tmpfiles.suricata | 2 + .../suricata/files/volatiles.03_suricata | 2 + .../recipes-ids/suricata/libhtp_0.5.38.bb | 27 + meta-security/recipes-ids/suricata/suricata.inc | 5 + .../recipes-ids/suricata/suricata_6.0.3.bb | 206 +++ .../recipes-security/cryfs/cryfs_0.10.3.bb | 10 + .../krill/files/panic_workaround.patch | 16 + meta-security/recipes-security/krill/krill.inc | 325 +++++ .../recipes-security/krill/krill_0.9.1.bb | 39 + 36 files changed, 2035 insertions(+), 2038 deletions(-) delete mode 100644 meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch delete mode 100644 meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest delete mode 100644 meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service delete mode 100644 meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml delete mode 100644 meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata delete mode 100644 meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata delete mode 100644 meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb delete mode 100644 meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc delete mode 100644 meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb delete mode 100644 meta-security/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch delete mode 100644 meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill.inc delete mode 100644 meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb create mode 100644 meta-security/recipes-ids/suricata/files/fixup.patch create mode 100644 meta-security/recipes-ids/suricata/files/run-ptest create mode 100644 meta-security/recipes-ids/suricata/files/suricata.service create mode 100644 meta-security/recipes-ids/suricata/files/suricata.yaml create mode 100644 meta-security/recipes-ids/suricata/files/tmpfiles.suricata create mode 100644 meta-security/recipes-ids/suricata/files/volatiles.03_suricata create mode 100644 meta-security/recipes-ids/suricata/libhtp_0.5.38.bb create mode 100644 meta-security/recipes-ids/suricata/suricata.inc create mode 100644 meta-security/recipes-ids/suricata/suricata_6.0.3.bb create mode 100644 meta-security/recipes-security/cryfs/cryfs_0.10.3.bb create mode 100644 meta-security/recipes-security/krill/files/panic_workaround.patch create mode 100644 meta-security/recipes-security/krill/krill.inc create mode 100644 meta-security/recipes-security/krill/krill_0.9.1.bb (limited to 'meta-security') diff --git a/meta-security/classes/dm-verity-img.bbclass b/meta-security/classes/dm-verity-img.bbclass index 16d395b557..a0950dabd7 100644 --- a/meta-security/classes/dm-verity-img.bbclass +++ b/meta-security/classes/dm-verity-img.bbclass @@ -63,8 +63,8 @@ verity_setup() { VERITY_TYPES = "ext2.verity ext3.verity ext4.verity btrfs.verity" IMAGE_TYPES += "${VERITY_TYPES}" CONVERSIONTYPES += "verity" -CONVERSION_CMD_verity = "verity_setup ${type}" -CONVERSION_DEPENDS_verity = "cryptsetup-native" +CONVERSION_CMD:verity = "verity_setup ${type}" +CONVERSION_DEPENDS:verity = "cryptsetup-native" python __anonymous() { verity_image = d.getVar('DM_VERITY_IMAGE') diff --git a/meta-security/classes/sanity-meta-security.bbclass b/meta-security/classes/sanity-meta-security.bbclass index b6c6b9cb53..f9e26984f5 100644 --- a/meta-security/classes/sanity-meta-security.bbclass +++ b/meta-security/classes/sanity-meta-security.bbclass @@ -1,7 +1,7 @@ addhandler security_bbappend_distrocheck security_bbappend_distrocheck[eventmask] = "bb.event.SanityCheck" python security_bbappend_distrocheck() { - skip_check = e.data.getVar('SKIP_META_SECUIRTY_SANITY_CHECK') == "1" + skip_check = e.data.getVar('SKIP_META_SECURITY_SANITY_CHECK') == "1" if 'security' not in e.data.getVar('DISTRO_FEATURES').split() and not skip_check: bb.warn("You have included the meta-security layer, but \ 'security' has not been enabled in your DISTRO_FEATURES. Some bbappend files \ diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf index cdcfaeec7a..ad9da560f8 100644 --- a/meta-security/conf/layer.conf +++ b/meta-security/conf/layer.conf @@ -16,7 +16,3 @@ LAYERDEPENDS_security = "core openembedded-layer perl-layer networking-layer met # Sanity check for meta-security layer. # Setting SKIP_META_SECURITY_SANITY_CHECK to "1" would skip the bbappend files check. INHERIT += "sanity-meta-security" - -BBFILES_DYNAMIC += " \ -rust-layer:${LAYERDIR}/dynamic-layers/meta-rust/recipes-*/*/*.bb \ -" diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch deleted file mode 100644 index fc44ce68f5..0000000000 --- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/fixup.patch +++ /dev/null @@ -1,32 +0,0 @@ -Skip pkg Makefile from using its own rust steps - -Upstream-Status: OE Specific - -Signed-off-by: Armin Kuster - -Index: suricata-6.0.2/Makefile.am -=================================================================== ---- suricata-6.0.2.orig/Makefile.am -+++ suricata-6.0.2/Makefile.am -@@ -7,7 +7,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s - $(SURICATA_UPDATE_DIR) \ - lua \ - acsite.m4 --SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \ -+SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \ - $(SURICATA_UPDATE_DIR) - - CLEANFILES = stamp-h[0-9]* -Index: suricata-6.0.2/Makefile.in -=================================================================== ---- suricata-6.0.2.orig/Makefile.in -+++ suricata-6.0.2/Makefile.in -@@ -426,7 +426,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s - lua \ - acsite.m4 - --SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \ -+SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \ - $(SURICATA_UPDATE_DIR) - - CLEANFILES = stamp-h[0-9]* diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest deleted file mode 100644 index 666ba9c954..0000000000 --- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -suricata -u diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service deleted file mode 100644 index a99a76ef86..0000000000 --- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.service +++ /dev/null @@ -1,20 +0,0 @@ -[Unit] -Description=Suricata IDS/IDP daemon -After=network.target -Requires=network.target -Documentation=man:suricata(8) man:suricatasc(8) -Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki - -[Service] -Type=simple -CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW -RestrictAddressFamilies= -ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0 -ExecReload=/bin/kill -HUP $MAINPID -PrivateTmp=yes -ProtectHome=yes -ProtectSystem=yes - -[Install] -WantedBy=multi-user.target - diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml deleted file mode 100644 index 8d06a27449..0000000000 --- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/suricata.yaml +++ /dev/null @@ -1,1326 +0,0 @@ -%YAML 1.1 ---- - -# Suricata configuration file. In addition to the comments describing all -# options in this file, full documentation can be found at: -# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml - - -# Number of packets allowed to be processed simultaneously. Default is a -# conservative 1024. A higher number will make sure CPU's/CPU cores will be -# more easily kept busy, but may negatively impact caching. -# -# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules -# apply. In that case try something like 60000 or more. This is because the CUDA -# pattern matcher buffers and scans as many packets as possible in parallel. -#max-pending-packets: 1024 - -# Runmode the engine should use. Please check --list-runmodes to get the available -# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned -# load balancing). -#runmode: autofp - -# Specifies the kind of flow load balancer used by the flow pinned autofp mode. -# -# Supported schedulers are: -# -# round-robin - Flows assigned to threads in a round robin fashion. -# active-packets - Flows assigned to threads that have the lowest number of -# unprocessed packets (default). -# hash - Flow alloted usihng the address hash. More of a random -# technique. Was the default in Suricata 1.2.1 and older. -# -#autofp-scheduler: active-packets - -# If suricata box is a router for the sniffed networks, set it to 'router'. If -# it is a pure sniffing setup, set it to 'sniffer-only'. -# If set to auto, the variable is internally switch to 'router' in IPS mode -# and 'sniffer-only' in IDS mode. -# This feature is currently only used by the reject* keywords. -host-mode: auto - -# Run suricata as user and group. -#run-as: -# user: suri -# group: suri - -# Default pid file. -# Will use this file if no --pidfile in command options. -#pid-file: /var/run/suricata.pid - -# Daemon working directory -# Suricata will change directory to this one if provided -# Default: "/" -#daemon-directory: "/" - -# Preallocated size for packet. Default is 1514 which is the classical -# size for pcap on ethernet. You should adjust this value to the highest -# packet size (MTU + hardware header) on your system. -#default-packet-size: 1514 - -# The default logging directory. Any log or output file will be -# placed here if its not specified with a full path name. This can be -# overridden with the -l command line parameter. -default-log-dir: /var/log/suricata/ - -# Unix command socket can be used to pass commands to suricata. -# An external tool can then connect to get information from suricata -# or trigger some modifications of the engine. Set enabled to yes -# to activate the feature. You can use the filename variable to set -# the file name of the socket. -unix-command: - enabled: no - #filename: custom.socket - -# Configure the type of alert (and other) logging you would like. -outputs: - - # a line based alerts log similar to Snort's fast.log - - fast: - enabled: yes - filename: fast.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # Extensible Event Format (nicknamed EVE) event log in JSON format - - eve-log: - enabled: yes - type: file #file|syslog|unix_dgram|unix_stream - filename: eve.json - # the following are valid when type: syslog above - #identity: "suricata" - #facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - types: - - alert - - http: - extended: yes # enable this for extended logging information - # custom allows additional http fields to be included in eve-log - # the example below adds three additional fields when uncommented - #custom: [Accept-Encoding, Accept-Language, Authorization] - - dns - - tls: - extended: yes # enable this for extended logging information - - files: - force-magic: no # force logging magic on all logged files - force-md5: no # force logging of md5 checksums - #- drop - - ssh - - # alert output for use with Barnyard2 - - unified2-alert: - enabled: yes - filename: unified2.alert - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - #limit: 32mb - - # Sensor ID field of unified2 alerts. - #sensor-id: 0 - - # HTTP X-Forwarded-For support by adding the unified2 extra header that - # will contain the actual client IP address or by overwriting the source - # IP address (helpful when inspecting traffic that is being reversed - # proxied). - xff: - enabled: no - # Two operation modes are available, "extra-data" and "overwrite". Note - # that in the "overwrite" mode, if the reported IP address in the HTTP - # X-Forwarded-For header is of a different version of the packet - # received, it will fall-back to "extra-data" mode. - mode: extra-data - # Header name were the actual IP address will be reported, if more than - # one IP address is present, the last IP address will be the one taken - # into consideration. - header: X-Forwarded-For - - # a line based log of HTTP requests (no alerts) - - http-log: - enabled: yes - filename: http.log - append: yes - #extended: yes # enable this for extended logging information - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # a line based log of TLS handshake parameters (no alerts) - - tls-log: - enabled: no # Log TLS connections. - filename: tls.log # File to store TLS logs. - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - #extended: yes # Log extended information like fingerprint - certs-log-dir: certs # directory to store the certificates files - - # a line based log of DNS requests and/or replies (no alerts) - - dns-log: - enabled: no - filename: dns.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # a line based log to used with pcap file study. - # this module is dedicated to offline pcap parsing (empty output - # if used with another kind of input). It can interoperate with - # pcap parser like wireshark via the suriwire plugin. - - pcap-info: - enabled: no - - # Packet log... log packets in pcap format. 2 modes of operation: "normal" - # and "sguil". - # - # In normal mode a pcap file "filename" is created in the default-log-dir, - # or are as specified by "dir". In Sguil mode "dir" indicates the base directory. - # In this base dir the pcaps are created in th directory structure Sguil expects: - # - # $sguil-base-dir/YYYY-MM-DD/$filename. - # - # By default all packets are logged except: - # - TCP streams beyond stream.reassembly.depth - # - encrypted streams after the key exchange - # - - pcap-log: - enabled: no - filename: log.pcap - - # File size limit. Can be specified in kb, mb, gb. Just a number - # is parsed as bytes. - limit: 1000mb - - # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" - max-files: 2000 - - mode: normal # normal or sguil. - #sguil-base-dir: /nsm_data/ - #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec - use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets - - # a full alerts log containing much information for signature writers - # or for investigating suspected false positives. - - alert-debug: - enabled: no - filename: alert-debug.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # alert output to prelude (http://www.prelude-technologies.com/) only - # available if Suricata has been compiled with --enable-prelude - - alert-prelude: - enabled: no - profile: suricata - log-packet-content: no - log-packet-header: yes - - # Stats.log contains data from various counters of the suricata engine. - # The interval field (in seconds) tells after how long output will be written - # on the log file. - - stats: - enabled: yes - filename: stats.log - interval: 8 - - # a line based alerts log similar to fast.log into syslog - - syslog: - enabled: no - # reported identity to syslog. If ommited the program name (usually - # suricata) will be used. - #identity: "suricata" - facility: local5 - #level: Info ## possible levels: Emergency, Alert, Critical, - ## Error, Warning, Notice, Info, Debug - - # a line based information for dropped packets in IPS mode - - drop: - enabled: no - filename: drop.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - # output module to store extracted files to disk - # - # The files are stored to the log-dir in a format "file." where is - # an incrementing number starting at 1. For each file "file." a meta - # file "file..meta" is created. - # - # File extraction depends on a lot of things to be fully done: - # - stream reassembly depth. For optimal results, set this to 0 (unlimited) - # - http request / response body sizes. Again set to 0 for optimal results. - # - rules that contain the "filestore" keyword. - - file-store: - enabled: no # set to yes to enable - log-dir: files # directory to store the files - force-magic: no # force logging magic on all stored files - force-md5: no # force logging of md5 checksums - #waldo: file.waldo # waldo file to store the file_id across runs - - # output module to log files tracked in a easily parsable json format - - file-log: - enabled: no - filename: files-json.log - append: yes - #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' - - force-magic: no # force logging magic on all logged files - force-md5: no # force logging of md5 checksums - -# Magic file. The extension .mgc is added to the value here. -#magic-file: /usr/share/file/magic -magic-file: /usr/share/misc/magic.mgc - -# When running in NFQ inline mode, it is possible to use a simulated -# non-terminal NFQUEUE verdict. -# This permit to do send all needed packet to suricata via this a rule: -# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE -# And below, you can have your standard filtering ruleset. To activate -# this mode, you need to set mode to 'repeat' -# If you want packet to be sent to another queue after an ACCEPT decision -# set mode to 'route' and set next-queue value. -# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance -# by processing several packets before sending a verdict (worker runmode only). -# On linux >= 3.6, you can set the fail-open option to yes to have the kernel -# accept the packet if suricata is not able to keep pace. -nfq: -# mode: accept -# repeat-mark: 1 -# repeat-mask: 1 -# route-queue: 2 -# batchcount: 20 -# fail-open: yes - -#nflog support -nflog: - # netlink multicast group - # (the same as the iptables --nflog-group param) - # Group 0 is used by the kernel, so you can't use it - - group: 2 - # netlink buffer size - buffer-size: 18432 - # put default value here - - group: default - # set number of packet to queue inside kernel - qthreshold: 1 - # set the delay before flushing packet in the queue inside kernel - qtimeout: 100 - # netlink max buffer size - max-size: 20000 - -# af-packet support -# Set threads to > 1 to use PACKET_FANOUT support -af-packet: - - interface: eth0 - # Number of receive threads (>1 will enable experimental flow pinned - # runmode) - threads: 1 - # Default clusterid. AF_PACKET will load balance packets based on flow. - # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. - # This is only supported for Linux kernel > 3.1 - # possible value are: - # * cluster_round_robin: round robin load balancing - # * cluster_flow: all packets of a given flow are send to the same socket - # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket - cluster-type: cluster_flow - # In some fragmentation case, the hash can not be computed. If "defrag" is set - # to yes, the kernel will do the needed defragmentation before sending the packets. - defrag: yes - # To use the ring feature of AF_PACKET, set 'use-mmap' to yes - use-mmap: yes - # Ring size will be computed with respect to max_pending_packets and number - # of threads. You can set manually the ring size in number of packets by setting - # the following value. If you are using flow cluster-type and have really network - # intensive single-flow you could want to set the ring-size independantly of the number - # of threads: - #ring-size: 2048 - # On busy system, this could help to set it to yes to recover from a packet drop - # phase. This will result in some packets (at max a ring flush) being non treated. - #use-emergency-flush: yes - # recv buffer size, increase value could improve performance - # buffer-size: 32768 - # Set to yes to disable promiscuous mode - # disable-promisc: no - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - kernel: use indication sent by kernel for each packet (default) - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: kernel - # BPF filter to apply to this interface. The pcap filter syntax apply here. - #bpf-filter: port 80 or udp - # You can use the following variables to activate AF_PACKET tap od IPS mode. - # If copy-mode is set to ips or tap, the traffic coming to the current - # interface will be copied to the copy-iface interface. If 'tap' is set, the - # copy is complete. If 'ips' is set, the packet matching a 'drop' action - # will not be copied. - #copy-mode: ips - #copy-iface: eth1 - - interface: eth1 - threads: 1 - cluster-id: 98 - cluster-type: cluster_flow - defrag: yes - # buffer-size: 32768 - # disable-promisc: no - # Put default values here - - interface: default - #threads: 2 - #use-mmap: yes - -legacy: - uricontent: enabled - -# You can specify a threshold config file by setting "threshold-file" -# to the path of the threshold config file: -# threshold-file: /etc/suricata/threshold.config - -# The detection engine builds internal groups of signatures. The engine -# allow us to specify the profile to use for them, to manage memory on an -# efficient way keeping a good performance. For the profile keyword you -# can use the words "low", "medium", "high" or "custom". If you use custom -# make sure to define the values at "- custom-values" as your convenience. -# Usually you would prefer medium/high/low. -# -# "sgh mpm-context", indicates how the staging should allot mpm contexts for -# the signature groups. "single" indicates the use of a single context for -# all the signature group heads. "full" indicates a mpm-context for each -# group head. "auto" lets the engine decide the distribution of contexts -# based on the information the engine gathers on the patterns from each -# group head. -# -# The option inspection-recursion-limit is used to limit the recursive calls -# in the content inspection code. For certain payload-sig combinations, we -# might end up taking too much time in the content inspection code. -# If the argument specified is 0, the engine uses an internally defined -# default limit. On not specifying a value, we use no limits on the recursion. -detect-engine: - - profile: medium - - custom-values: - toclient-src-groups: 2 - toclient-dst-groups: 2 - toclient-sp-groups: 2 - toclient-dp-groups: 3 - toserver-src-groups: 2 - toserver-dst-groups: 4 - toserver-sp-groups: 2 - toserver-dp-groups: 25 - - sgh-mpm-context: auto - - inspection-recursion-limit: 3000 - # When rule-reload is enabled, sending a USR2 signal to the Suricata process - # will trigger a live rule reload. Experimental feature, use with care. - #- rule-reload: true - # If set to yes, the loading of signatures will be made after the capture - # is started. This will limit the downtime in IPS mode. - #- delayed-detect: yes - -# Suricata is multi-threaded. Here the threading can be influenced. -threading: - # On some cpu's/architectures it is beneficial to tie individual threads - # to specific CPU's/CPU cores. In this case all threads are tied to CPU0, - # and each extra CPU/core has one "detect" thread. - # - # On Intel Core2 and Nehalem CPU's enabling this will degrade performance. - # - set-cpu-affinity: no - # Tune cpu affinity of suricata threads. Each family of threads can be bound - # on specific CPUs. - cpu-affinity: - - management-cpu-set: - cpu: [ 0 ] # include only these cpus in affinity settings - - receive-cpu-set: - cpu: [ 0 ] # include only these cpus in affinity settings - - decode-cpu-set: - cpu: [ 0, 1 ] - mode: "balanced" - - stream-cpu-set: - cpu: [ "0-1" ] - - detect-cpu-set: - cpu: [ "all" ] - mode: "exclusive" # run detect threads in these cpus - # Use explicitely 3 threads and don't compute number by using - # detect-thread-ratio variable: - # threads: 3 - prio: - low: [ 0 ] - medium: [ "1-2" ] - high: [ 3 ] - default: "medium" - - verdict-cpu-set: - cpu: [ 0 ] - prio: - default: "high" - - reject-cpu-set: - cpu: [ 0 ] - prio: - default: "low" - - output-cpu-set: - cpu: [ "all" ] - prio: - default: "medium" - # - # By default Suricata creates one "detect" thread per available CPU/CPU core. - # This setting allows controlling this behaviour. A ratio setting of 2 will - # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this - # will result in 4 detect threads. If values below 1 are used, less threads - # are created. So on a dual core CPU a setting of 0.5 results in 1 detect - # thread being created. Regardless of the setting at a minimum 1 detect - # thread will always be created. - # - detect-thread-ratio: 1.5 - -# Cuda configuration. -cuda: - # The "mpm" profile. On not specifying any of these parameters, the engine's - # internal default values are used, which are same as the ones specified in - # in the default conf file. - mpm: - # The minimum length required to buffer data to the gpu. - # Anything below this is MPM'ed on the CPU. - # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. - # A value of 0 indicates there's no limit. - data-buffer-size-min-limit: 0 - # The maximum length for data that we would buffer to the gpu. - # Anything over this is MPM'ed on the CPU. - # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. - data-buffer-size-max-limit: 1500 - # The ring buffer size used by the CudaBuffer API to buffer data. - cudabuffer-buffer-size: 500mb - # The max chunk size that can be sent to the gpu in a single go. - gpu-transfer-size: 50mb - # The timeout limit for batching of packets in microseconds. - batching-timeout: 2000 - # The device to use for the mpm. Currently we don't support load balancing - # on multiple gpus. In case you have multiple devices on your system, you - # can specify the device to use, using this conf. By default we hold 0, to - # specify the first device cuda sees. To find out device-id associated with - # the card(s) on the system run "suricata --list-cuda-cards". - device-id: 0 - # No of Cuda streams used for asynchronous processing. All values > 0 are valid. - # For this option you need a device with Compute Capability > 1.0. - cuda-streams: 2 - -# Select the multi pattern algorithm you want to run for scan/search the -# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber, -# ac and ac-gfbs. -# -# The mpm you choose also decides the distribution of mpm contexts for -# signature groups, specified by the conf - "detect-engine.sgh-mpm-context". -# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context" -# to be set to "single", because of ac's memory requirements, unless the -# ruleset is small enough to fit in one's memory, in which case one can -# use "full" with "ac". Rest of the mpms can be run in "full" mode. -# -# There is also a CUDA pattern matcher (only available if Suricata was -# compiled with --enable-cuda: b2g_cuda. Make sure to update your -# max-pending-packets setting above as well if you use b2g_cuda. - -mpm-algo: ac - -# The memory settings for hash size of these algorithms can vary from lowest -# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max -# (65536). The bloomfilter sizes of these algorithms can vary from low (512) - -# medium (1024) - high (2048). -# -# For B2g/B3g algorithms, there is a support for two different scan/search -# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and -# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms -# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch & -# B3gSearchBNDMq. -# -# For B2g the different scan/search algorithms and, hash and bloom -# filter size settings. For B3g the different scan/search algorithms and, hash -# and bloom filter size settings. For wumanber the hash and bloom filter size -# settings. - -pattern-matcher: - - b2gc: - search-algo: B2gSearchBNDMq - hash-size: low - bf-size: medium - - b2gm: - search-algo: B2gSearchBNDMq - hash-size: low - bf-size: medium - - b2g: - search-algo: B2gSearchBNDMq - hash-size: low - bf-size: medium - - b3g: - search-algo: B3gSearchBNDMq - hash-size: low - bf-size: medium - - wumanber: - hash-size: low - bf-size: medium - -# Defrag settings: - -defrag: - memcap: 32mb - hash-size: 65536 - trackers: 65535 # number of defragmented flows to follow - max-frags: 65535 # number of fragments to keep (higher than trackers) - prealloc: yes - timeout: 60 - -# Enable defrag per host settings -# host-config: -# -# - dmz: -# timeout: 30 -# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] -# -# - lan: -# timeout: 45 -# address: -# - 192.168.0.0/24 -# - 192.168.10.0/24 -# - 172.16.14.0/24 - -# Flow settings: -# By default, the reserved memory (memcap) for flows is 32MB. This is the limit -# for flow allocation inside the engine. You can change this value to allow -# more memory usage for flows. -# The hash-size determine the size of the hash used to identify flows inside -# the engine, and by default the value is 65536. -# At the startup, the engine can preallocate a number of flows, to get a better -# performance. The number of flows preallocated is 10000 by default. -# emergency-recovery is the percentage of flows that the engine need to -# prune before unsetting the emergency state. The emergency state is activated -# when the memcap limit is reached, allowing to create new flows, but -# prunning them with the emergency timeouts (they are defined below). -# If the memcap is reached, the engine will try to prune flows -# with the default timeouts. If it doens't find a flow to prune, it will set -# the emergency bit and it will try again with more agressive timeouts. -# If that doesn't work, then it will try to kill the last time seen flows -# not in use. -# The memcap can be specified in kb, mb, gb. Just a number indicates it's -# in bytes. - -flow: - memcap: 64mb - hash-size: 65536 - prealloc: 10000 - emergency-recovery: 30 - -# This option controls the use of vlan ids in the flow (and defrag) -# hashing. Normally this should be enabled, but in some (broken) -# setups where both sides of a flow are not tagged with the same vlan -# tag, we can ignore the vlan id's in the flow hashing. -vlan: - use-for-tracking: true - -# Specific timeouts for flows. Here you can specify the timeouts that the -# active flows will wait to transit from the current state to another, on each -# protocol. The value of "new" determine the seconds to wait after a hanshake or -# stream startup before the engine free the data of that flow it doesn't -# change the state to established (usually if we don't receive more packets -# of that flow). The value of "established" is the amount of -# seconds that the engine will wait to free the flow if it spend that amount -# without receiving new packets or closing the connection. "closed" is the -# amount of time to wait after a flow is closed (usually zero). -# -# There's an emergency mode that will become active under attack circumstances, -# making the engine to check flow status faster. This configuration variables -# use the prefix "emergency-" and work similar as the normal ones. -# Some timeouts doesn't apply to all the protocols, like "closed", for udp and -# icmp. - -flow-timeouts: - - default: - new: 30 - established: 300 - closed: 0 - emergency-new: 10 - emergency-established: 100 - emergency-closed: 0 - tcp: - new: 60 - established: 3600 - closed: 120 - emergency-new: 10 - emergency-established: 300 - emergency-closed: 20 - udp: - new: 30 - established: 300 - emergency-new: 10 - emergency-established: 100 - icmp: - new: 30 - established: 300 - emergency-new: 10 - emergency-established: 100 - -# Stream engine settings. Here the TCP stream tracking and reassembly -# engine is configured. -# -# stream: -# memcap: 32mb # Can be specified in kb, mb, gb. Just a -# # number indicates it's in bytes. -# checksum-validation: yes # To validate the checksum of received -# # packet. If csum validation is specified as -# # "yes", then packet with invalid csum will not -# # be processed by the engine stream/app layer. -# # Warning: locally generated trafic can be -# # generated without checksum due to hardware offload -# # of checksum. You can control the handling of checksum -# # on a per-interface basis via the 'checksum-checks' -# # option -# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread -# midstream: false # don't allow midstream session pickups -# async-oneside: false # don't enable async stream handling -# inline: no # stream inline mode -# max-synack-queued: 5 # Max different SYN/ACKs to queue -# -# reassembly: -# memcap: 64mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. -# depth: 1mb # Can be specified in kb, mb, gb. Just a number -# # indicates it's in bytes. -# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# # The max acceptable size is 4024 bytes. -# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least -# # this size. Can be specified in kb, mb, -# # gb. Just a number indicates it's in bytes. -# # The max acceptable size is 4024 bytes. -# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. -# # This lower the risk of some evasion technics but could lead -# # detection change between runs. It is set to 'yes' by default. -# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is -# # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size -# # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value -# # of randomize-chunk-range is 10. -# -# raw: yes # 'Raw' reassembly enabled or disabled. -# # raw is for content inspection by detection -# # engine. -# -# chunk-prealloc: 250 # Number of preallocated stream chunks. These -# # are used during stream inspection (raw). -# segments: # Settings for reassembly segment pool. -# - size: 4 # Size of the (data)segment for a pool -# prealloc: 256 # Number of segments to prealloc and keep -# # in the pool. -# -stream: - memcap: 32mb - checksum-validation: yes # reject wrong csums - inline: auto # auto will use inline mode in IPS mode, yes or no set it statically - reassembly: - memcap: 128mb - depth: 1mb # reassemble 1mb into a stream - toserver-chunk-size: 2560 - toclient-chunk-size: 2560 - randomize-chunk-size: yes - #randomize-chunk-range: 10 - #raw: yes - #chunk-prealloc: 250 - #segments: - # - size: 4 - # prealloc: 256 - # - size: 16 - # prealloc: 512 - # - size: 112 - # prealloc: 512 - # - size: 248 - # prealloc: 512 - # - size: 512 - # prealloc: 512 - # - size: 768 - # prealloc: 1024 - # - size: 1448 - # prealloc: 1024 - # - size: 65535 - # prealloc: 128 - -# Host table: -# -# Host table is used by tagging and per host thresholding subsystems. -# -host: - hash-size: 4096 - prealloc: 1000 - memcap: 16777216 - -# Logging configuration. This is not about logging IDS alerts, but -# IDS output about what its doing, errors, etc. -logging: - - # The default log level, can be overridden in an output section. - # Note that debug level logging will only be emitted if Suricata was - # compiled with the --enable-debug configure option. - # - # This value is overriden by the SC_LOG_LEVEL env var. - default-log-level: notice - - # The default output format. Optional parameter, should default to - # something reasonable if not provided. Can be overriden in an - # output section. You can leave this out to get the default. - # - # This value is overriden by the SC_LOG_FORMAT env var. - #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " - - # A regex to filter output. Can be overridden in an output section. - # Defaults to empty (no filter). - # - # This value is overriden by the SC_LOG_OP_FILTER env var. - default-output-filter: - - # Define your logging outputs. If none are defined, or they are all - # disabled you will get the default - console output. - outputs: - - console: - enabled: yes - - file: - enabled: no - filename: /var/log/suricata.log - - syslog: - enabled: yes - facility: local5 - format: "[%i] <%d> -- " - -# Tilera mpipe configuration. for use on Tilera TILE-Gx. -mpipe: - - # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". - load-balance: dynamic - - # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536 - iqueue-packets: 2048 - - # List of interfaces we will listen on. - inputs: - - interface: xgbe2 - - interface: xgbe3 - - interface: xgbe4 - - - # Relative weight of memory for packets of each mPipe buffer size. - stack: - size128: 0 - size256: 9 - size512: 0 - size1024: 0 - size1664: 7 - size4096: 0 - size10386: 0 - size16384: 0 - -# PF_RING configuration. for use with native PF_RING support -# for more info see http://www.ntop.org/PF_RING.html -pfring: - - interface: eth0 - # Number of receive threads (>1 will enable experimental flow pinned - # runmode) - threads: 1 - - # Default clusterid. PF_RING will load balance packets based on flow. - # All threads/processes that will participate need to have the same - # clusterid. - cluster-id: 99 - - # Default PF_RING cluster type. PF_RING can load balance per flow or per hash. - # This is only supported in versions of PF_RING > 4.1.1. - cluster-type: cluster_flow - # bpf filter for this interface - #bpf-filter: tcp - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - rxonly: only compute checksum for packets received by network card. - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # Second interface - #- interface: eth1 - # threads: 3 - # cluster-id: 93 - # cluster-type: cluster_flow - # Put default values here - - interface: default - #threads: 2 - -pcap: - - interface: eth0 - # On Linux, pcap will try to use mmaped capture and will use buffer-size - # as total of memory used by the ring. So set this to something bigger - # than 1% of your bandwidth. - #buffer-size: 16777216 - #bpf-filter: "tcp and port 25" - # Choose checksum verification mode for the interface. At the moment - # of the capture, some packets may be with an invalid checksum due to - # offloading to the network card of the checksum computation. - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have any validation - #checksum-checks: auto - # With some accelerator cards using a modified libpcap (like myricom), you - # may want to have the same number of capture threads as the number of capture - # rings. In this case, set up the threads variable to N to start N threads - # listening on the same interface. - #threads: 16 - # set to no to disable promiscuous mode: - #promisc: no - # set snaplen, if not set it defaults to MTU if MTU can be known - # via ioctl call and to full capture if not. - #snaplen: 1518 - # Put default values here - - interface: default - #checksum-checks: auto - -pcap-file: - # Possible values are: - # - yes: checksum validation is forced - # - no: checksum validation is disabled - # - auto: suricata uses a statistical approach to detect when - # checksum off-loading is used. (default) - # Warning: 'checksum-validation' must be set to yes to have checksum tested - checksum-checks: auto - -# For FreeBSD ipfw(8) divert(4) support. -# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" -# in /etc/loader.conf or kldload'ing the appropriate kernel modules. -# Additionally, you need to have an ipfw rule for the engine to see -# the packets from ipfw. For Example: -# -# ipfw add 100 divert 8000 ip from any to any -# -# The 8000 above should be the same number you passed on the command -# line, i.e. -d 8000 -# -ipfw: - - # Reinject packets at the specified ipfw rule number. This config - # option is the ipfw rule number AT WHICH rule processing continues - # in the ipfw processing system after the engine has finished - # inspecting the packet for acceptance. If no rule number is specified, - # accepted packets are reinjected at the divert rule which they entered - # and IPFW rule processing continues. No check is done to verify - # this will rule makes sense so care must be taken to avoid loops in ipfw. - # - ## The following example tells the engine to reinject packets - # back into the ipfw firewall AT rule number 5500: - # - # ipfw-reinjection-rule-number: 5500 - -# Set the default rule path here to search for the files. -# if not set, it will look at the current working dir -default-rule-path: /etc/suricata/rules -rule-files: - - botcc.rules - - ciarmy.rules - - compromised.rules - - drop.rules - - dshield.rules - - emerging-activex.rules - - emerging-attack_response.rules - - emerging-chat.rules - - emerging-current_events.rules - - emerging-dns.rules - - emerging-dos.rules - - emerging-exploit.rules - - emerging-ftp.rules - - emerging-games.rules - - emerging-icmp_info.rules -# - emerging-icmp.rules - - emerging-imap.rules - - emerging-inappropriate.rules - - emerging-malware.rules - - emerging-misc.rules - - emerging-mobile_malware.rules - - emerging-netbios.rules - - emerging-p2p.rules - - emerging-policy.rules - - emerging-pop3.rules - - emerging-rpc.rules - - emerging-scada.rules - - emerging-scan.rules - - emerging-shellcode.rules - - emerging-smtp.rules - - emerging-snmp.rules - - emerging-sql.rules - - emerging-telnet.rules - - emerging-tftp.rules - - emerging-trojan.rules - - emerging-user_agents.rules - - emerging-voip.rules - - emerging-web_client.rules - - emerging-web_server.rules - - emerging-web_specific_apps.rules - - emerging-worm.rules - - tor.rules - - decoder-events.rules # available in suricata sources under rules dir - - stream-events.rules # available in suricata sources under rules dir - - http-events.rules # available in suricata sources under rules dir - - smtp-events.rules # available in suricata sources under rules dir - - dns-events.rules # available in suricata sources under rules dir - - tls-events.rules # available in suricata sources under rules dir - -classification-file: /etc/suricata/classification.config -reference-config-file: /etc/suricata/reference.config - -# Holds variables that would be used by the engine. -vars: - - # Holds the address group vars that would be passed in a Signature. - # These would be retrieved during the Signature address parsing stage. - address-groups: - - HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" - - EXTERNAL_NET: "!$HOME_NET" - - HTTP_SERVERS: "$HOME_NET" - - SMTP_SERVERS: "$HOME_NET" - - SQL_SERVERS: "$HOME_NET" - - DNS_SERVERS: "$HOME_NET" - - TELNET_SERVERS: "$HOME_NET" - - AIM_SERVERS: "$EXTERNAL_NET" - - DNP3_SERVER: "$HOME_NET" - - DNP3_CLIENT: "$HOME_NET" - - MODBUS_CLIENT: "$HOME_NET" - - MODBUS_SERVER: "$HOME_NET" - - ENIP_CLIENT: "$HOME_NET" - - ENIP_SERVER: "$HOME_NET" - - # Holds the port group vars that would be passed in a Signature. - # These would be retrieved during the Signature port parsing stage. - port-groups: - - HTTP_PORTS: "80" - - SHELLCODE_PORTS: "!80" - - ORACLE_PORTS: 1521 - - SSH_PORTS: 22 - - DNP3_PORTS: 20000 - -# Set the order of alerts bassed on actions -# The default order is pass, drop, reject, alert -action-order: - - pass - - drop - - reject - - alert - -# IP Reputation -#reputation-categories-file: /etc/suricata/iprep/categories.txt -#default-reputation-path: /etc/suricata/iprep -#reputation-files: -# - reputation.list - -# Host specific policies for defragmentation and TCP stream -# reassembly. The host OS lookup is done using a radix tree, just -# like a routing table so the most specific entry matches. -host-os-policy: - # Make the default policy windows. - windows: [0.0.0.0/0] - bsd: [] - bsd-right: [] - old-linux: [] - linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"] - old-solaris: [] - solaris: ["::1"] - hpux10: [] - hpux11: [] - irix: [] - macos: [] - vista: [] - windows2k3: [] - - -# Limit for the maximum number of asn1 frames to decode (default 256) -asn1-max-frames: 256 - -# When run with the option --engine-analysis, the engine will read each of -# the parameters below, and print reports for each of the enabled sections -# and exit. The reports are printed to a file in the default log dir -# given by the parameter "default-log-dir", with engine reporting -# subsection below printing reports in its own report file. -engine-analysis: - # enables printing reports for fast-pattern for every rule. - rules-fast-pattern: yes - # enables printing reports for each rule - rules: yes - -#recursion and match limits for PCRE where supported -pcre: - match-limit: 3500 - match-limit-recursion: 1500 - -# Holds details on the app-layer. The protocols section details each protocol. -# Under each protocol, the default value for detection-enabled and " -# parsed-enabled is yes, unless specified otherwise. -# Each protocol covers enabling/disabling parsers for all ipprotos -# the app-layer protocol runs on. For example "dcerpc" refers to the tcp -# version of the protocol as well as the udp version of the protocol. -# The option "enabled" takes 3 values - "yes", "no", "detection-only". -# "yes" enables both detection and the parser, "no" disables both, and -# "detection-only" enables detection only(parser disabled). -app-layer: - protocols: - tls: - enabled: yes - detection-ports: - dp: 443 - - #no-reassemble: yes - dcerpc: - enabled: yes - ftp: - enabled: yes - ssh: - enabled: yes - smtp: - enabled: yes - imap: - enabled: detection-only - msn: - enabled: detection-only - smb: - enabled: yes - detection-ports: - dp: 139 - # smb2 detection is disabled internally inside the engine. - #smb2: - # enabled: yes - dns: - # memcaps. Globally and per flow/state. - #global-memcap: 16mb - #state-memcap: 512kb - - # How many unreplied DNS requests are considered a flood. - # If the limit is reached, app-layer-event:dns.flooded; will match. - #request-flood: 500 - - tcp: - enabled: yes - detection-ports: - dp: 53 - udp: - enabled: yes - detection-ports: - dp: 53 - http: - enabled: yes - # memcap: 64mb - - ########################################################################### - # Configure libhtp. - # - # - # default-config: Used when no server-config matches - # personality: List of personalities used by default - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # double-decode-path: Double decode path section of the URI - # double-decode-query: Double decode query section of the URI - # - # server-config: List of server configurations to use if address matches - # address: List of ip addresses or networks for this block - # personalitiy: List of personalities used by this block - # request-body-limit: Limit reassembly of request body for inspection - # by http_client_body & pcre /P option. - # response-body-limit: Limit reassembly of response body for inspection - # by file_data, http_server_body & pcre /Q option. - # double-decode-path: Double decode path section of the URI - # double-decode-query: Double decode query section of the URI - # - # uri-include-all: Include all parts of the URI. By default the - # 'scheme', username/password, hostname and port - # are excluded. Setting this option to true adds - # all of them to the normalized uri as inspected - # by http_uri, urilen, pcre with /U and the other - # keywords that inspect the normalized uri. - # Note that this does not affect http_raw_uri. - # Also, note that including all was the default in - # 1.4 and 2.0beta1. - # - # meta-field-limit: Hard size limit for request and response size - # limits. Applies to request line and headers, - # response line and headers. Does not apply to - # request or response bodies. Default is 18k. - # If this limit is reached an event is raised. - # - # Currently Available Personalities: - # Minimal - # Generic - # IDS (default) - # IIS_4_0 - # IIS_5_0 - # IIS_5_1 - # IIS_6_0 - # IIS_7_0 - # IIS_7_5 - # Apache_2 - ########################################################################### - libhtp: - - default-config: - personality: IDS - - # Can be specified in kb, mb, gb. Just a number indicates - # it's in bytes. - request-body-limit: 3072 - response-body-limit: 3072 - - # inspection limits - request-body-minimal-inspect-size: 32kb - request-body-inspect-window: 4kb - response-body-minimal-inspect-size: 32kb - response-body-inspect-window: 4kb - # Take a random value for inspection sizes around the specified value. - # This lower the risk of some evasion technics but could lead - # detection change between runs. It is set to 'yes' by default. - #randomize-inspection-sizes: yes - # If randomize-inspection-sizes is active, the value of various - # inspection size will be choosen in the [1 - range%, 1 + range%] - # range - # Default value of randomize-inspection-range is 10. - #randomize-inspection-range: 10 - - # decoding - double-decode-path: no - double-decode-query: no - - server-config: - - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # # Can be specified in kb, mb, gb. Just a number indicates - # # it's in bytes. - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: no - # double-decode-query: no - -# Profiling settings. Only effective if Suricata has been built with the -# the --enable-profiling configure flag. -# -profiling: - # Run profiling for every xth packet. The default is 1, which means we - # profile every packet. If set to 1000, one packet is profiled for every - # 1000 received. - #sample-rate: 1000 - - # rule profiling - rules: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: rule_perf.log - append: yes - - # Sort options: ticks, avgticks, checks, matches, maxticks - sort: avgticks - - # Limit the number of items printed at exit. - limit: 100 - - # per keyword profiling - keywords: - enabled: yes - filename: keyword_perf.log - append: yes - - # packet profiling - packets: - - # Profiling can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: yes - filename: packet_stats.log - append: yes - - # per packet csv output - csv: - - # Output can be disabled here, but it will still have a - # performance impact if compiled in. - enabled: no - filename: packet_stats.csv - - # profiling of locking. Only available when Suricata was built with - # --enable-profiling-locks. - locks: - enabled: no - filename: lock_stats.log - append: yes - -# Suricata core dump configuration. Limits the size of the core dump file to -# approximately max-dump. The actual core dump size will be a multiple of the -# page size. Core dumps that would be larger than max-dump are truncated. On -# Linux, the actual core dump size may be a few pages larger than max-dump. -# Setting max-dump to 0 disables core dumping. -# Setting max-dump to 'unlimited' will give the full core dump file. -# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size -# to be 'unlimited'. - -coredump: - max-dump: unlimited - -napatech: - # The Host Buffer Allowance for all streams - # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) - hba: -1 - - # use_all_streams set to "yes" will query the Napatech service for all configured - # streams and listen on all of them. When set to "no" the streams config array - # will be used. - use-all-streams: yes - - # The streams to listen on - streams: [1, 2, 3] - -# Includes. Files included here will be handled as if they were -# inlined in this configuration file. -#include: include1.yaml -#include: include2.yaml diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata deleted file mode 100644 index fbf37848ee..0000000000 --- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/tmpfiles.suricata +++ /dev/null @@ -1,2 +0,0 @@ -#Type Path Mode UID GID Age Argument -d /var/log/suricata 0755 root root diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata deleted file mode 100644 index 4627bd3b0f..0000000000 --- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/files/volatiles.03_suricata +++ /dev/null @@ -1,2 +0,0 @@ -# -d root root 0755 /var/log/suricata none diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb deleted file mode 100644 index 2a0c93ccc8..0000000000 --- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/libhtp_0.5.38.bb +++ /dev/null @@ -1,27 +0,0 @@ -SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces." - -require suricata.inc - -LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843" - -SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x" -SRCREV = "fca44158911a1642880ea5c774151a33ad33d906" - -DEPENDS = "zlib" - -inherit autotools-brokensep pkgconfig - -CFLAGS += "-D_DEFAULT_SOURCE" - -#S = "${WORKDIR}/suricata-${VER}/${BPN}" - -S = "${WORKDIR}/git" - -do_configure () { - cd ${S} - ./autogen.sh - oe_runconf -} - -RDEPENDS:${PN} += "zlib" - diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc deleted file mode 100644 index 5754617fbd..0000000000 --- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata.inc +++ /dev/null @@ -1,5 +0,0 @@ -HOMEPAGE = "http://suricata-ids.org/" -SECTION = "security Monitor/Admin" -LICENSE = "GPLv2" - -COMPATIBLE_HOST:powerpc = 'null' diff --git a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb b/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb deleted file mode 100644 index ca9e03e325..0000000000 --- a/meta-security/dynamic-layers/meta-rust/recipes-ids/suricata/suricata_6.0.3.bb +++ /dev/null @@ -1,206 +0,0 @@ -SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine" - -require suricata.inc - -LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" - -SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz" -SRC_URI[sha256sum] = "daf134bb2d7c980035e9ae60f7aaf313323a809340009f26e48110ccde81f602" - -DEPENDS = "lz4 libhtp" - -SRC_URI += " \ - file://volatiles.03_suricata \ - file://tmpfiles.suricata \ - file://suricata.yaml \ - file://suricata.service \ - file://run-ptest \ - file://fixup.patch \ - " - -SRC_URI += " \ - crate://crates.io/autocfg/1.0.1 \ - crate://crates.io/semver-parser/0.7.0 \ - crate://crates.io/arrayvec/0.4.12 \ - crate://crates.io/ryu/1.0.5 \ - crate://crates.io/libc/0.2.86 \ - crate://crates.io/bitflags/1.2.1 \ - crate://crates.io/version_check/0.9.2 \ - crate://crates.io/memchr/2.3.4 \ - crate://crates.io/nodrop/0.1.14 \ - crate://crates.io/cfg-if/0.1.9 \ - crate://crates.io/static_assertions/0.3.4 \ - crate://crates.io/getrandom/0.1.16 \ - crate://crates.io/cfg-if/1.0.0 \ - crate://crates.io/siphasher/0.3.3 \ - crate://crates.io/ppv-lite86/0.2.10 \ - crate://crates.io/proc-macro-hack/0.5.19 \ - crate://crates.io/proc-macro2/0.4.30 \ - crate://crates.io/unicode-xid/0.1.0 \ - crate://crates.io/syn/0.15.44 \ - crate://crates.io/build_const/0.2.1 \ - crate://crates.io/num-derive/0.2.5 \ - crate://crates.io/base64/0.11.0 \ - crate://crates.io/widestring/0.4.3 \ - crate://crates.io/md5/0.7.0 \ - crate://crates.io/uuid/0.8.2 \ - crate://crates.io/byteorder/1.4.2 \ - crate://crates.io/semver/0.9.0 \ - crate://crates.io/nom/5.1.1 \ - crate://crates.io/num-traits/0.2.14 \ - crate://crates.io/num-integer/0.1.44 \ - crate://crates.io/num-bigint/0.2.6 \ - crate://crates.io/num-bigint/0.3.1 \ - crate://crates.io/num-rational/0.2.4 \ - crate://crates.io/num-complex/0.2.4 \ - crate://crates.io/num-iter/0.1.42 \ - crate://crates.io/phf_shared/0.8.0 \ - crate://crates.io/crc/1.8.1 \ - crate://crates.io/rustc_version/0.2.3 \ - crate://crates.io/phf/0.8.0 \ - crate://crates.io/lexical-core/0.6.7 \ - crate://crates.io/time/0.1.44 \ - crate://crates.io/quote/0.6.13 \ - crate://crates.io/rand_core/0.5.1 \ - crate://crates.io/rand_chacha/0.2.2 \ - crate://crates.io/rand_pcg/0.2.1 \ - crate://crates.io/num-traits/0.1.43 \ - crate://crates.io/rand/0.7.3 \ - crate://crates.io/enum_primitive/0.1.1 \ - crate://crates.io/phf_generator/0.8.0 \ - crate://crates.io/phf_codegen/0.8.0 \ - crate://crates.io/tls-parser/0.9.4 \ - crate://crates.io/num/0.2.1 \ - crate://crates.io/rusticata-macros/2.1.0 \ - crate://crates.io/ntp-parser/0.4.0 \ - crate://crates.io/der-oid-macro/0.2.0 \ - crate://crates.io/der-parser/3.0.4 \ - crate://crates.io/ipsec-parser/0.5.0 \ - crate://crates.io/x509-parser/0.6.5 \ - crate://crates.io/der-parser/4.1.0 \ - crate://crates.io/snmp-parser/0.6.0 \ - crate://crates.io/kerberos-parser/0.5.0 \ - crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \ - crate://crates.io/winapi/0.3.9 \ - crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ - crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ - crate://crates.io/log/0.4.0 \ - crate://crates.io/rand_hc/0.2.0 \ - crate://crates.io/wasi/0.9.0+wasi-snapshot-preview1 \ - crate://crates.io/sawp/0.5.0 \ - crate://crates.io/sawp-modbus/0.5.0 \ - crate://crates.io/brotli/3.3.0 \ - crate://crates.io/flate2/1.0.20 \ - crate://crates.io/alloc-no-stdlib/2.0.1 \ - crate://crates.io/alloc-stdlib/0.2.1 \ - crate://crates.io/brotli-decompressor/2.3.1 \ - crate://crates.io/crc32fast/1.2.1 \ - crate://crates.io/miniz_oxide/0.4.4 \ - crate://crates.io/adler/1.0.2 \ - " - -# test case support -SRC_URI += " \ - crate://crates.io/test-case/1.0.1 \ - crate://crates.io/proc-macro2/1.0.1 \ - crate://crates.io/quote/1.0.1 \ - crate://crates.io/syn/1.0.1 \ - crate://crates.io/unicode-xid/0.2.0 \ - " - -inherit autotools pkgconfig python3native systemd ptest cargo - -EXTRA_OECONF += " --disable-debug \ - --disable-gccmarch-native \ - --enable-non-bundled-htp \ - --disable-suricata-update \ - --with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR} \ - " - -CARGO_SRC_DIR = "rust" - -B = "${S}" - -PACKAGECONFIG ??= "jansson file pcre yaml python pcap cap-ng net nfnetlink nss nspr " -PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" - -PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," -PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ," -PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap" -PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , " -PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet," -PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ," -PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue," - -PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson" -PACKAGECONFIG[file] = ",,file, file" -PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss," -PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr," -PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core" -PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," - -export logdir = "${localstatedir}/log" - -CACHED_CONFIGUREVARS = "ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes" - -do_configure:prepend () { - oe_runconf -} - -do_compile () { - # we do this to bypass the make provided by this pkg - # patches Makefile to skip the subdir - cargo_do_compile - - # Finish building - cd ${S} - make -} - -do_install () { - install -d ${D}${sysconfdir}/suricata - - oe_runmake install DESTDIR=${D} - - install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles - install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata - - install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata - install -m 0644 ${S}/suricata.yaml ${D}${sysconfdir}/suricata - - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/tmpfiles.d - install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf - - install -d ${D}${systemd_unitdir}/system - sed -e s:/etc:${sysconfdir}:g \ - -e s:/var/run:/run:g \ - -e s:/var:${localstatedir}:g \ - -e s:/usr/bin:${bindir}:g \ - -e s:/bin/kill:${base_bindir}/kill:g \ - -e s:/usr/lib:${libdir}:g \ - ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service - fi - - # Remove /var/run as it is created on startup - rm -rf ${D}${localstatedir}/run - - sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatasc - sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatactl -} - -pkg_postinst_ontarget:${PN} () { -if command -v systemd-tmpfiles >/dev/null; then - systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf -elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then - ${sysconfdir}/init.d/populate-volatile.sh update -fi -} - -SYSTEMD_PACKAGES = "${PN}" - -PACKAGES =+ "${PN}-python" -FILES:${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d" -FILES:${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}" - -CONFFILES:${PN} = "${sysconfdir}/suricata/suricata.yaml" diff --git a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch b/meta-security/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch deleted file mode 100644 index 9b08cb5ce9..0000000000 --- a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/files/panic_workaround.patch +++ /dev/null @@ -1,16 +0,0 @@ -Upstream-Status: OE specific -Signed-off-by: Armin Kuster - -Index: git/Cargo.toml -=================================================================== ---- git.orig/Cargo.toml -+++ git/Cargo.toml -@@ -71,7 +71,7 @@ static-openssl = [ "openssl/vendored" ] - # Make sure that Krill crashes on panics, rather than losing threads and - # limping on in a bad state. - [profile.release] --panic = "abort" -+#panic = "abort" - - [dev-dependencies] - # for user management diff --git a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill.inc b/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill.inc deleted file mode 100644 index f86468b966..0000000000 --- a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill.inc +++ /dev/null @@ -1,325 +0,0 @@ -# please note if you have entries that do not begin with crate:// -# you must change them to how that package can be fetched -SRC_URI += " \ - crate://crates.io/addr2line/0.14.1 \ - crate://crates.io/adler/1.0.2 \ - crate://crates.io/adler32/1.2.0 \ - crate://crates.io/aho-corasick/0.7.15 \ - crate://crates.io/ansi_term/0.11.0 \ - crate://crates.io/ansi_term/0.12.1 \ - crate://crates.io/arrayref/0.3.6 \ - crate://crates.io/arrayvec/0.5.2 \ - crate://crates.io/ascii-canvas/2.0.0 \ - crate://crates.io/ascii/1.0.0 \ - crate://crates.io/atty/0.2.14 \ - crate://crates.io/autocfg/0.1.7 \ - crate://crates.io/autocfg/1.0.1 \ - crate://crates.io/backtrace/0.3.56 \ - crate://crates.io/base64/0.10.1 \ - crate://crates.io/base64/0.12.3 \ - crate://crates.io/base64/0.13.0 \ - crate://crates.io/basic-cookies/0.1.4 \ - crate://crates.io/bcder/0.5.1 \ - crate://crates.io/bit-set/0.5.2 \ - crate://crates.io/bit-vec/0.6.3 \ - crate://crates.io/bitflags/1.2.1 \ - crate://crates.io/blake2b_simd/0.5.11 \ - crate://crates.io/block-buffer/0.9.0 \ - crate://crates.io/bumpalo/3.6.1 \ - crate://crates.io/byteorder/1.4.3 \ - crate://crates.io/bytes/0.4.12 \ - crate://crates.io/bytes/0.5.6 \ - crate://crates.io/bytes/1.0.1 \ - crate://crates.io/cc/1.0.67 \ - crate://crates.io/cfg-if/0.1.10 \ - crate://crates.io/cfg-if/1.0.0 \ - crate://crates.io/chrono/0.4.19 \ - crate://crates.io/chunked_transfer/1.4.0 \ - crate://crates.io/cipher/0.2.5 \ - crate://crates.io/clap/2.33.3 \ - crate://crates.io/clokwerk/0.3.4 \ - crate://crates.io/cloudabi/0.0.3 \ - crate://crates.io/constant_time_eq/0.1.5 \ - crate://crates.io/cookie/0.12.0 \ - crate://crates.io/cookie_store/0.7.0 \ - crate://crates.io/core-foundation-sys/0.8.2 \ - crate://crates.io/core-foundation/0.9.1 \ - crate://crates.io/cpuid-bool/0.1.2 \ - crate://crates.io/crc32fast/1.2.1 \ - crate://crates.io/crossbeam-deque/0.7.3 \ - crate://crates.io/crossbeam-epoch/0.8.2 \ - crate://crates.io/crossbeam-queue/0.2.3 \ - crate://crates.io/crossbeam-utils/0.7.2 \ - crate://crates.io/crossbeam-utils/0.8.3 \ - crate://crates.io/crunchy/0.2.2 \ - crate://crates.io/crypto-mac/0.10.0 \ - crate://crates.io/ctrlc/3.1.9 \ - crate://crates.io/deunicode/0.4.3 \ - crate://crates.io/diff/0.1.12 \ - crate://crates.io/digest/0.9.0 \ - crate://crates.io/dirs/1.0.5 \ - crate://crates.io/dtoa/0.4.8 \ - crate://crates.io/either/1.6.1 \ - crate://crates.io/ena/0.14.0 \ - crate://crates.io/encoding_rs/0.8.28 \ - crate://crates.io/error-chain/0.11.0 \ - crate://crates.io/failure/0.1.8 \ - crate://crates.io/failure_derive/0.1.8 \ - crate://crates.io/fern/0.5.9 \ - crate://crates.io/fixedbitset/0.2.0 \ - crate://crates.io/flate2/1.0.20 \ - crate://crates.io/fnv/1.0.7 \ - crate://crates.io/foreign-types-shared/0.1.1 \ - crate://crates.io/foreign-types/0.3.2 \ - crate://crates.io/form_urlencoded/1.0.1 \ - crate://crates.io/fuchsia-cprng/0.1.1 \ - crate://crates.io/fuchsia-zircon-sys/0.3.3 \ - crate://crates.io/fuchsia-zircon/0.3.3 \ - crate://crates.io/futures-channel/0.3.14 \ - crate://crates.io/futures-core/0.3.14 \ - crate://crates.io/futures-cpupool/0.1.8 \ - crate://crates.io/futures-executor/0.3.14 \ - crate://crates.io/futures-io/0.3.14 \ - crate://crates.io/futures-macro/0.3.14 \ - crate://crates.io/futures-sink/0.3.14 \ - crate://crates.io/futures-task/0.3.14 \ - crate://crates.io/futures-util/0.3.14 \ - crate://crates.io/futures/0.1.31 \ - crate://crates.io/futures/0.3.14 \ - crate://crates.io/generic-array/0.14.4 \ - crate://crates.io/getrandom/0.1.16 \ - crate://crates.io/getrandom/0.2.2 \ - crate://crates.io/gimli/0.23.0 \ - crate://crates.io/h2/0.1.26 \ - crate://crates.io/h2/0.2.7 \ - crate://crates.io/hashbrown/0.9.1 \ - crate://crates.io/hermit-abi/0.1.18 \ - crate://crates.io/hex/0.4.3 \ - crate://crates.io/hmac/0.10.1 \ - crate://crates.io/http-body/0.1.0 \ - crate://crates.io/http-body/0.3.1 \ - crate://crates.io/http/0.1.21 \ - crate://crates.io/http/0.2.4 \ - crate://crates.io/httparse/1.3.6 \ - crate://crates.io/httpdate/0.3.2 \ - crate://crates.io/hyper-tls/0.3.2 \ - crate://crates.io/hyper-tls/0.4.3 \ - crate://crates.io/hyper/0.12.36 \ - crate://crates.io/hyper/0.13.10 \ - crate://crates.io/idna/0.1.5 \ - crate://crates.io/idna/0.2.2 \ - crate://crates.io/impl-trait-for-tuples/0.2.1 \ - crate://crates.io/indexmap/1.6.2 \ - crate://crates.io/intervaltree/0.2.6 \ - crate://crates.io/iovec/0.1.4 \ - crate://crates.io/ipnet/2.3.0 \ - crate://crates.io/itertools/0.10.0 \ - crate://crates.io/itertools/0.9.0 \ - crate://crates.io/itoa/0.4.7 \ - crate://crates.io/jmespatch/0.3.0 \ - crate://crates.io/js-sys/0.3.50 \ - crate://crates.io/kernel32-sys/0.2.2 \ - crate://crates.io/lalrpop-util/0.19.5 \ - crate://crates.io/lalrpop/0.19.5 \ - crate://crates.io/lazy_static/1.4.0 \ - crate://crates.io/libc/0.2.93 \ - crate://crates.io/libflate/1.0.4 \ - crate://crates.io/libflate_lz77/1.0.0 \ - crate://crates.io/lock_api/0.3.4 \ - crate://crates.io/log/0.4.14 \ - crate://crates.io/maplit/1.0.2 \ - crate://crates.io/matchers/0.0.1 \ - crate://crates.io/matches/0.1.8 \ - crate://crates.io/maybe-uninit/2.0.0 \ - crate://crates.io/memchr/2.3.4 \ - crate://crates.io/memoffset/0.5.6 \ - crate://crates.io/mime/0.3.16 \ - crate://crates.io/mime_guess/2.0.3 \ - crate://crates.io/miniz_oxide/0.4.4 \ - crate://crates.io/mio/0.6.23 \ - crate://crates.io/miow/0.2.2 \ - crate://crates.io/native-tls/0.2.7 \ - crate://crates.io/net2/0.2.37 \ - crate://crates.io/new_debug_unreachable/1.0.4 \ - crate://crates.io/nix/0.20.0 \ - crate://crates.io/num-integer/0.1.44 \ - crate://crates.io/num-traits/0.2.14 \ - crate://crates.io/num_cpus/1.13.0 \ - crate://crates.io/oauth2/4.0.0 \ - crate://crates.io/object/0.23.0 \ - crate://crates.io/once_cell/1.7.2 \ - crate://crates.io/opaque-debug/0.3.0 \ - crate://crates.io/openidconnect/2.0.0 \ - crate://crates.io/openssl-probe/0.1.2 \ - crate://crates.io/openssl-src/111.15.0+1.1.1k \ - crate://crates.io/openssl-sys/0.9.61 \ - crate://crates.io/openssl/0.10.33 \ - crate://crates.io/ordered-float/1.1.1 \ - crate://crates.io/oso/0.12.0 \ - crate://crates.io/parking_lot/0.9.0 \ - crate://crates.io/parking_lot_core/0.6.2 \ - crate://crates.io/pbkdf2/0.7.5 \ - crate://crates.io/percent-encoding/1.0.1 \ - crate://crates.io/percent-encoding/2.1.0 \ - crate://crates.io/petgraph/0.5.1 \ - crate://crates.io/phf_shared/0.8.0 \ - crate://crates.io/pico-args/0.4.0 \ - crate://crates.io/pin-project-internal/1.0.6 \ - crate://crates.io/pin-project-lite/0.1.12 \ - crate://crates.io/pin-project-lite/0.2.6 \ - crate://crates.io/pin-project/1.0.6 \ - crate://crates.io/pin-utils/0.1.0 \ - crate://crates.io/pkg-config/0.3.19 \ - crate://crates.io/polar-core/0.12.0 \ - crate://crates.io/ppv-lite86/0.2.10 \ - crate://crates.io/precomputed-hash/0.1.1 \ - crate://crates.io/proc-macro-hack/0.5.19 \ - crate://crates.io/proc-macro-nested/0.1.7 \ - crate://crates.io/proc-macro2/1.0.26 \ - crate://crates.io/publicsuffix/1.5.6 \ - crate://crates.io/quick-xml/0.19.0 \ - crate://crates.io/quote/1.0.9 \ - crate://crates.io/rand/0.6.5 \ - crate://crates.io/rand/0.7.3 \ - crate://crates.io/rand/0.8.3 \ - crate://crates.io/rand_chacha/0.1.1 \ - crate://crates.io/rand_chacha/0.2.2 \ - crate://crates.io/rand_chacha/0.3.0 \ - crate://crates.io/rand_core/0.3.1 \ - crate://crates.io/rand_core/0.4.2 \ - crate://crates.io/rand_core/0.5.1 \ - crate://crates.io/rand_core/0.6.2 \ - crate://crates.io/rand_hc/0.1.0 \ - crate://crates.io/rand_hc/0.2.0 \ - crate://crates.io/rand_hc/0.3.0 \ - crate://crates.io/rand_isaac/0.1.1 \ - crate://crates.io/rand_jitter/0.1.4 \ - crate://crates.io/rand_os/0.1.3 \ - crate://crates.io/rand_pcg/0.1.2 \ - crate://crates.io/rand_xorshift/0.1.1 \ - crate://crates.io/rdrand/0.4.0 \ - crate://crates.io/redox_syscall/0.1.57 \ - crate://crates.io/redox_syscall/0.2.5 \ - crate://crates.io/redox_users/0.3.5 \ - crate://crates.io/regex-automata/0.1.9 \ - crate://crates.io/regex-syntax/0.6.23 \ - crate://crates.io/regex/1.4.5 \ - crate://crates.io/remove_dir_all/0.5.3 \ - crate://crates.io/reqwest/0.10.10 \ - crate://crates.io/reqwest/0.9.24 \ - crate://crates.io/ring/0.16.20 \ - crate://crates.io/rle-decode-fast/1.0.1 \ - crate://crates.io/rpassword/5.0.1 \ - crate://crates.io/rpki/0.10.1 \ - crate://crates.io/rust-argon2/0.8.3 \ - crate://crates.io/rustc-demangle/0.1.18 \ - crate://crates.io/rustc_version/0.2.3 \ - crate://crates.io/rustls/0.18.1 \ - crate://crates.io/ryu/1.0.5 \ - crate://crates.io/salsa20/0.7.2 \ - crate://crates.io/schannel/0.1.19 \ - crate://crates.io/scopeguard/1.1.0 \ - crate://crates.io/scrypt/0.6.5 \ - crate://crates.io/sct/0.6.1 \ - crate://crates.io/security-framework-sys/2.2.0 \ - crate://crates.io/security-framework/2.2.0 \ - crate://crates.io/semver-parser/0.7.0 \ - crate://crates.io/semver/0.9.0 \ - crate://crates.io/serde-value/0.6.0 \ - crate://crates.io/serde/1.0.125 \ - crate://crates.io/serde_derive/1.0.125 \ - crate://crates.io/serde_json/1.0.64 \ - crate://crates.io/serde_path_to_error/0.1.4 \ - crate://crates.io/serde_urlencoded/0.5.5 \ - crate://crates.io/serde_urlencoded/0.7.0 \ - crate://crates.io/sha2/0.9.3 \ - crate://crates.io/sharded-slab/0.1.1 \ - crate://crates.io/siphasher/0.3.5 \ - crate://crates.io/slab/0.4.2 \ - crate://crates.io/slug/0.1.4 \ - crate://crates.io/smallvec/0.6.14 \ - crate://crates.io/smallvec/1.6.1 \ - crate://crates.io/socket2/0.3.19 \ - crate://crates.io/spin/0.5.2 \ - crate://crates.io/string/0.2.1 \ - crate://crates.io/string_cache/0.8.1 \ - crate://crates.io/strsim/0.8.0 \ - crate://crates.io/subtle/2.4.0 \ - crate://crates.io/syn/1.0.69 \ - crate://crates.io/synstructure/0.12.4 \ - crate://crates.io/syslog/4.0.1 \ - crate://crates.io/tempfile/3.2.0 \ - crate://crates.io/term/0.5.2 \ - crate://crates.io/textwrap/0.11.0 \ - crate://crates.io/thiserror-impl/1.0.24 \ - crate://crates.io/thiserror/1.0.24 \ - crate://crates.io/thread_local/1.1.3 \ - crate://crates.io/time/0.1.44 \ - crate://crates.io/tiny-keccak/2.0.2 \ - crate://crates.io/tiny_http/0.8.0 \ - crate://crates.io/tinyvec/1.2.0 \ - crate://crates.io/tinyvec_macros/0.1.0 \ - crate://crates.io/tokio-buf/0.1.1 \ - crate://crates.io/tokio-current-thread/0.1.7 \ - crate://crates.io/tokio-executor/0.1.10 \ - crate://crates.io/tokio-io/0.1.13 \ - crate://crates.io/tokio-macros/0.2.6 \ - crate://crates.io/tokio-reactor/0.1.12 \ - crate://crates.io/tokio-rustls/0.14.1 \ - crate://crates.io/tokio-sync/0.1.8 \ - crate://crates.io/tokio-tcp/0.1.4 \ - crate://crates.io/tokio-threadpool/0.1.18 \ - crate://crates.io/tokio-timer/0.2.13 \ - crate://crates.io/tokio-tls/0.3.1 \ - crate://crates.io/tokio-util/0.3.1 \ - crate://crates.io/tokio/0.1.22 \ - crate://crates.io/tokio/0.2.25 \ - crate://crates.io/toml/0.5.8 \ - crate://crates.io/tower-service/0.3.1 \ - crate://crates.io/tracing-attributes/0.1.15 \ - crate://crates.io/tracing-core/0.1.17 \ - crate://crates.io/tracing-futures/0.2.5 \ - crate://crates.io/tracing-log/0.1.2 \ - crate://crates.io/tracing-serde/0.1.2 \ - crate://crates.io/tracing-subscriber/0.2.17 \ - crate://crates.io/tracing/0.1.25 \ - crate://crates.io/try-lock/0.2.3 \ - crate://crates.io/try_from/0.3.2 \ - crate://crates.io/typenum/1.13.0 \ - crate://crates.io/unicase/2.6.0 \ - crate://crates.io/unicode-bidi/0.3.5 \ - crate://crates.io/unicode-normalization/0.1.17 \ - crate://crates.io/unicode-width/0.1.8 \ - crate://crates.io/unicode-xid/0.2.1 \ - crate://crates.io/untrusted/0.7.1 \ - crate://crates.io/unwrap/1.2.1 \ - crate://crates.io/url/1.7.2 \ - crate://crates.io/url/2.2.1 \ - crate://crates.io/urlparse/0.7.3 \ - crate://crates.io/uuid/0.7.4 \ - crate://crates.io/uuid/0.8.2 \ - crate://crates.io/vcpkg/0.2.11 \ - crate://crates.io/vec_map/0.8.2 \ - crate://crates.io/version_check/0.9.3 \ - crate://crates.io/want/0.2.0 \ - crate://crates.io/want/0.3.0 \ - crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \ - crate://crates.io/wasi/0.9.0+wasi-snapshot-preview1 \ - crate://crates.io/wasm-bindgen-backend/0.2.73 \ - crate://crates.io/wasm-bindgen-futures/0.4.23 \ - crate://crates.io/wasm-bindgen-macro-support/0.2.73 \ - crate://crates.io/wasm-bindgen-macro/0.2.73 \ - crate://crates.io/wasm-bindgen-shared/0.2.73 \ - crate://crates.io/wasm-bindgen/0.2.73 \ - crate://crates.io/web-sys/0.3.50 \ - crate://crates.io/webpki/0.21.4 \ - crate://crates.io/winapi-build/0.1.1 \ - crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ - crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ - crate://crates.io/winapi/0.2.8 \ - crate://crates.io/winapi/0.3.9 \ - crate://crates.io/winreg/0.6.2 \ - crate://crates.io/winreg/0.7.0 \ - crate://crates.io/ws2_32-sys/0.2.1 \ - crate://crates.io/xml-rs/0.8.3 \ -" diff --git a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb b/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb deleted file mode 100644 index 4dc61cfb37..0000000000 --- a/meta-security/dynamic-layers/meta-rust/recipes-security/krill/krill_0.9.1.bb +++ /dev/null @@ -1,39 +0,0 @@ -SUMMARY = "Resource Public Key Infrastructure (RPKI) daemon" -HOMEPAGE = "https://www.nlnetlabs.nl/projects/rpki/krill/" -LICENSE = "MPL-2.0" -LIC_FILES_CHKSUM = "file://LICENSE;md5=9741c346eef56131163e13b9db1241b3" - -DEPENDS = "openssl" - -include krill.inc - -# SRC_URI += "crate://crates.io/krill/0.9.1" -SRC_URI += "git://github.com/NLnetLabs/krill.git;protocol=https;nobranch=1;branch=main" -SRCREV = "d6c03b6f0199b1d10d252750a19a92b84576eb30" - -SRC_URI += "file://panic_workaround.patch" - -S = "${WORKDIR}/git" -CARGO_SRC_DIR = "" - -inherit pkgconfig useradd systemd cargo - - -do_install:append () { - install -d ${D}${sysconfdir} - install -d ${D}${datadir}/krill - - install -m 664 ${S}/defaults/krill.conf ${D}${sysconfdir}/. - install ${S}/defaults/* ${D}${datadir}/krill/. -} - -KRILL_UID ?= "krill" -KRILL_GID ?= "krill" - -USERADD_PACKAGES = "${PN}" -GROUPADD_PARAM:${PN} = "--system ${KRILL_UID}" -USERADD_PARAM:${PN} = "--system -g ${KRILL_GID} --home-dir \ - /var/lib/krill/ --no-create-home \ - --shell /sbin/nologin ${BPN}" - -FILES:${PN} += "{sysconfdir}/defaults ${datadir}" diff --git a/meta-security/kas/kas-security-base.yml b/meta-security/kas/kas-security-base.yml index b9ce493bef..3bf46dbf01 100644 --- a/meta-security/kas/kas-security-base.yml +++ b/meta-security/kas/kas-security-base.yml @@ -1,5 +1,5 @@ header: - version: 8 + version: 9 distro: poky @@ -30,15 +30,9 @@ repos: meta-networking: meta-filesystems: - meta-rust: - url: https://github.com/meta-rust/meta-rust.git - refspec: master - - - local_conf_header: base: | - CONF_VERSION = "1" + CONF_VERSION = "2" SOURCE_MIRROR_URL = "http://downloads.yoctoproject.org/mirror/sources/" SSTATE_MIRRORS = "file://.* http://sstate.yoctoproject.org/dev/PATH;downloadfilename=PATH \n" BB_HASHSERVE = "auto" @@ -57,7 +51,7 @@ local_conf_header: EXTRA_IMAGE_FEATURES ?= "debug-tweaks" PACKAGE_CLASSES = "package_ipk" - DISTRO_FEATURES:append = " pam apparmor smack ima" + DISTRO_FEATURES:append = " security pam apparmor smack ima tpm tpm2" MACHINE_FEATURES:append = " tpm tpm2" diskmon: | @@ -73,7 +67,6 @@ local_conf_header: bblayers_conf_header: base: | - POKY_BBLAYERS_CONF_VERSION = "2" BBPATH = "${TOPDIR}" BBFILES ?= "" diff --git a/meta-security/kas/kas-security-dm.yml b/meta-security/kas/kas-security-dm.yml index 7ce0e9d72a..c03b3361ee 100644 --- a/meta-security/kas/kas-security-dm.yml +++ b/meta-security/kas/kas-security-dm.yml @@ -5,6 +5,7 @@ header: local_conf_header: dm-verify: | + DISTRO_FEATURES:append = " integrity" DM_VERITY_IMAGE = "core-image-minimal" DM_VERITY_IMAGE_TYPE = "ext4" IMAGE_CLASSES += "dm-verity-img" diff --git a/meta-security/kas/kas-security-parsec.yml b/meta-security/kas/kas-security-parsec.yml index 22ef5dd824..9a009be14b 100644 --- a/meta-security/kas/kas-security-parsec.yml +++ b/meta-security/kas/kas-security-parsec.yml @@ -8,10 +8,6 @@ repos: layers: meta-parsec: - meta-rust: - url: https://github.com/meta-rust/meta-rust.git - refspec: master - meta-clang: url: https://github.com/kraj/meta-clang.git refspec: master diff --git a/meta-security/meta-hardening/README b/meta-security/meta-hardening/README index 37a0b7ec85..191253c66a 100644 --- a/meta-security/meta-hardening/README +++ b/meta-security/meta-hardening/README @@ -64,14 +64,14 @@ layers: meta-oe Maintenance ----------- -Send pull requests, patches, comments or questions to yocto@yoctoproject.org +Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org When sending single patches, please using something like: -'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH' +'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-hardening][PATCH' These values can be set as defaults for this repository: -$ git config sendemail.to yocto@yoctoproject.org +$ git config sendemail.to yocto@lists.yoctoproject.org $ git config format.subjectPrefix meta-hardening][PATCH Now you can just do 'git send-email origin/master' to send all local patches. diff --git a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb index c35c2577e5..38771cdfb9 100644 --- a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb +++ b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb @@ -10,7 +10,8 @@ LICENSE = "MIT" IMAGE_ROOTFS_SIZE ?= "8192" -inherit core-image extrausers +inherit core-image +IMAGE_CLASSES:append = " extrausers" ROOT_DEFAULT_PASSWORD ?= "1SimplePw!" DEFAULT_ADMIN_ACCOUNT ?= "myadmin" @@ -19,7 +20,7 @@ DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!" EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}" -EXTRA_USERS_PARAMS += "useradd ${DEFAULT_ADMIN_ACCOUNT};" -EXTRA_USERS_PARAMS += "groupadd ${DEFAULT_ADMIN_GROUP};" -EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" -EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS:append = " useradd ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS:append = " groupadd ${DEFAULT_ADMIN_GROUP};" +EXTRA_USERS_PARAMS:append = " usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS:append = " usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};" diff --git a/meta-security/meta-integrity/classes/kernel-modsign.bbclass b/meta-security/meta-integrity/classes/kernel-modsign.bbclass index cf5d3ebe20..093c3585e1 100644 --- a/meta-security/meta-integrity/classes/kernel-modsign.bbclass +++ b/meta-security/meta-integrity/classes/kernel-modsign.bbclass @@ -2,7 +2,7 @@ # set explicitly in a local.conf before activating kernel-modsign. # To use the insecure (because public) example keys, use # MODSIGN_KEY_DIR = "${INTEGRITY_BASE}/data/debug-keys" -MODSIGN_KEY_DIR ?= "MODSIGN_KEY_DIR_NOT_SET" +MODSIGN_KEY_DIR ??= "MODSIGN_KEY_DIR_NOT_SET" # Private key for modules signing. The default is okay when # using the example key directory. diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf index 86d41b22ba..2eeb71b0f4 100644 --- a/meta-security/meta-parsec/conf/layer.conf +++ b/meta-security/meta-parsec/conf/layer.conf @@ -10,5 +10,5 @@ BBFILE_PRIORITY_parsec-layer = "5" LAYERSERIES_COMPAT_parsec-layer = "honister" -LAYERDEPENDS_parsec-layer = "core rust-layer clang-layer tpm-layer" +LAYERDEPENDS_parsec-layer = "core clang-layer tpm-layer" BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec" diff --git a/meta-security/meta-tpm/README b/meta-security/meta-tpm/README index 4441dd293a..5722a92abb 100644 --- a/meta-security/meta-tpm/README +++ b/meta-security/meta-tpm/README @@ -5,7 +5,7 @@ The bbappend files for some recipes (e.g. linux-yocto) in this layer need to have 'tpm' in DISTRO_FEATURES to have effect. To enable them, add in configuration file the following line. - DISTRO_FEATURES:append = " tmp" + DISTRO_FEATURES:append = " tpm" If meta-tpm is included, but tpm is not enabled as a distro feature a warning is printed at parse time: @@ -57,14 +57,14 @@ other layers needed. e.g.: Maintenance ----------- -Send pull requests, patches, comments or questions to yocto@yoctoproject.org +Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org When sending single patches, please using something like: -'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-security][PATCH' +'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-security][PATCH' These values can be set as defaults for this repository: -$ git config sendemail.to yocto@yoctoproject.org +$ git config sendemail.to yocto@lists.yoctoproject.org $ git config format.subjectPrefix meta-security][PATCH Now you can just do 'git send-email origin/master' to send all local patches. diff --git a/meta-security/recipes-ids/suricata/files/fixup.patch b/meta-security/recipes-ids/suricata/files/fixup.patch new file mode 100644 index 0000000000..fc44ce68f5 --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/fixup.patch @@ -0,0 +1,32 @@ +Skip pkg Makefile from using its own rust steps + +Upstream-Status: OE Specific + +Signed-off-by: Armin Kuster + +Index: suricata-6.0.2/Makefile.am +=================================================================== +--- suricata-6.0.2.orig/Makefile.am ++++ suricata-6.0.2/Makefile.am +@@ -7,7 +7,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s + $(SURICATA_UPDATE_DIR) \ + lua \ + acsite.m4 +-SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \ ++SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \ + $(SURICATA_UPDATE_DIR) + + CLEANFILES = stamp-h[0-9]* +Index: suricata-6.0.2/Makefile.in +=================================================================== +--- suricata-6.0.2.orig/Makefile.in ++++ suricata-6.0.2/Makefile.in +@@ -426,7 +426,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s + lua \ + acsite.m4 + +-SUBDIRS = $(HTP_DIR) rust src qa rules doc contrib etc python ebpf \ ++SUBDIRS = $(HTP_DIR) src qa rules doc contrib etc python ebpf \ + $(SURICATA_UPDATE_DIR) + + CLEANFILES = stamp-h[0-9]* diff --git a/meta-security/recipes-ids/suricata/files/run-ptest b/meta-security/recipes-ids/suricata/files/run-ptest new file mode 100644 index 0000000000..666ba9c954 --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/run-ptest @@ -0,0 +1,3 @@ +#!/bin/sh + +suricata -u diff --git a/meta-security/recipes-ids/suricata/files/suricata.service b/meta-security/recipes-ids/suricata/files/suricata.service new file mode 100644 index 0000000000..a99a76ef86 --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/suricata.service @@ -0,0 +1,20 @@ +[Unit] +Description=Suricata IDS/IDP daemon +After=network.target +Requires=network.target +Documentation=man:suricata(8) man:suricatasc(8) +Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki + +[Service] +Type=simple +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW +RestrictAddressFamilies= +ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0 +ExecReload=/bin/kill -HUP $MAINPID +PrivateTmp=yes +ProtectHome=yes +ProtectSystem=yes + +[Install] +WantedBy=multi-user.target + diff --git a/meta-security/recipes-ids/suricata/files/suricata.yaml b/meta-security/recipes-ids/suricata/files/suricata.yaml new file mode 100644 index 0000000000..8d06a27449 --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/suricata.yaml @@ -0,0 +1,1326 @@ +%YAML 1.1 +--- + +# Suricata configuration file. In addition to the comments describing all +# options in this file, full documentation can be found at: +# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml + + +# Number of packets allowed to be processed simultaneously. Default is a +# conservative 1024. A higher number will make sure CPU's/CPU cores will be +# more easily kept busy, but may negatively impact caching. +# +# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules +# apply. In that case try something like 60000 or more. This is because the CUDA +# pattern matcher buffers and scans as many packets as possible in parallel. +#max-pending-packets: 1024 + +# Runmode the engine should use. Please check --list-runmodes to get the available +# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned +# load balancing). +#runmode: autofp + +# Specifies the kind of flow load balancer used by the flow pinned autofp mode. +# +# Supported schedulers are: +# +# round-robin - Flows assigned to threads in a round robin fashion. +# active-packets - Flows assigned to threads that have the lowest number of +# unprocessed packets (default). +# hash - Flow alloted usihng the address hash. More of a random +# technique. Was the default in Suricata 1.2.1 and older. +# +#autofp-scheduler: active-packets + +# If suricata box is a router for the sniffed networks, set it to 'router'. If +# it is a pure sniffing setup, set it to 'sniffer-only'. +# If set to auto, the variable is internally switch to 'router' in IPS mode +# and 'sniffer-only' in IDS mode. +# This feature is currently only used by the reject* keywords. +host-mode: auto + +# Run suricata as user and group. +#run-as: +# user: suri +# group: suri + +# Default pid file. +# Will use this file if no --pidfile in command options. +#pid-file: /var/run/suricata.pid + +# Daemon working directory +# Suricata will change directory to this one if provided +# Default: "/" +#daemon-directory: "/" + +# Preallocated size for packet. Default is 1514 which is the classical +# size for pcap on ethernet. You should adjust this value to the highest +# packet size (MTU + hardware header) on your system. +#default-packet-size: 1514 + +# The default logging directory. Any log or output file will be +# placed here if its not specified with a full path name. This can be +# overridden with the -l command line parameter. +default-log-dir: /var/log/suricata/ + +# Unix command socket can be used to pass commands to suricata. +# An external tool can then connect to get information from suricata +# or trigger some modifications of the engine. Set enabled to yes +# to activate the feature. You can use the filename variable to set +# the file name of the socket. +unix-command: + enabled: no + #filename: custom.socket + +# Configure the type of alert (and other) logging you would like. +outputs: + + # a line based alerts log similar to Snort's fast.log + - fast: + enabled: yes + filename: fast.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: + enabled: yes + type: file #file|syslog|unix_dgram|unix_stream + filename: eve.json + # the following are valid when type: syslog above + #identity: "suricata" + #facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + types: + - alert + - http: + extended: yes # enable this for extended logging information + # custom allows additional http fields to be included in eve-log + # the example below adds three additional fields when uncommented + #custom: [Accept-Encoding, Accept-Language, Authorization] + - dns + - tls: + extended: yes # enable this for extended logging information + - files: + force-magic: no # force logging magic on all logged files + force-md5: no # force logging of md5 checksums + #- drop + - ssh + + # alert output for use with Barnyard2 + - unified2-alert: + enabled: yes + filename: unified2.alert + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + #limit: 32mb + + # Sensor ID field of unified2 alerts. + #sensor-id: 0 + + # HTTP X-Forwarded-For support by adding the unified2 extra header that + # will contain the actual client IP address or by overwriting the source + # IP address (helpful when inspecting traffic that is being reversed + # proxied). + xff: + enabled: no + # Two operation modes are available, "extra-data" and "overwrite". Note + # that in the "overwrite" mode, if the reported IP address in the HTTP + # X-Forwarded-For header is of a different version of the packet + # received, it will fall-back to "extra-data" mode. + mode: extra-data + # Header name were the actual IP address will be reported, if more than + # one IP address is present, the last IP address will be the one taken + # into consideration. + header: X-Forwarded-For + + # a line based log of HTTP requests (no alerts) + - http-log: + enabled: yes + filename: http.log + append: yes + #extended: yes # enable this for extended logging information + #custom: yes # enabled the custom logging format (defined by customformat) + #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # a line based log of TLS handshake parameters (no alerts) + - tls-log: + enabled: no # Log TLS connections. + filename: tls.log # File to store TLS logs. + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + #extended: yes # Log extended information like fingerprint + certs-log-dir: certs # directory to store the certificates files + + # a line based log of DNS requests and/or replies (no alerts) + - dns-log: + enabled: no + filename: dns.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # a line based log to used with pcap file study. + # this module is dedicated to offline pcap parsing (empty output + # if used with another kind of input). It can interoperate with + # pcap parser like wireshark via the suriwire plugin. + - pcap-info: + enabled: no + + # Packet log... log packets in pcap format. 2 modes of operation: "normal" + # and "sguil". + # + # In normal mode a pcap file "filename" is created in the default-log-dir, + # or are as specified by "dir". In Sguil mode "dir" indicates the base directory. + # In this base dir the pcaps are created in th directory structure Sguil expects: + # + # $sguil-base-dir/YYYY-MM-DD/$filename. + # + # By default all packets are logged except: + # - TCP streams beyond stream.reassembly.depth + # - encrypted streams after the key exchange + # + - pcap-log: + enabled: no + filename: log.pcap + + # File size limit. Can be specified in kb, mb, gb. Just a number + # is parsed as bytes. + limit: 1000mb + + # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit" + max-files: 2000 + + mode: normal # normal or sguil. + #sguil-base-dir: /nsm_data/ + #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec + use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets + + # a full alerts log containing much information for signature writers + # or for investigating suspected false positives. + - alert-debug: + enabled: no + filename: alert-debug.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # alert output to prelude (http://www.prelude-technologies.com/) only + # available if Suricata has been compiled with --enable-prelude + - alert-prelude: + enabled: no + profile: suricata + log-packet-content: no + log-packet-header: yes + + # Stats.log contains data from various counters of the suricata engine. + # The interval field (in seconds) tells after how long output will be written + # on the log file. + - stats: + enabled: yes + filename: stats.log + interval: 8 + + # a line based alerts log similar to fast.log into syslog + - syslog: + enabled: no + # reported identity to syslog. If ommited the program name (usually + # suricata) will be used. + #identity: "suricata" + facility: local5 + #level: Info ## possible levels: Emergency, Alert, Critical, + ## Error, Warning, Notice, Info, Debug + + # a line based information for dropped packets in IPS mode + - drop: + enabled: no + filename: drop.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + # output module to store extracted files to disk + # + # The files are stored to the log-dir in a format "file." where is + # an incrementing number starting at 1. For each file "file." a meta + # file "file..meta" is created. + # + # File extraction depends on a lot of things to be fully done: + # - stream reassembly depth. For optimal results, set this to 0 (unlimited) + # - http request / response body sizes. Again set to 0 for optimal results. + # - rules that contain the "filestore" keyword. + - file-store: + enabled: no # set to yes to enable + log-dir: files # directory to store the files + force-magic: no # force logging magic on all stored files + force-md5: no # force logging of md5 checksums + #waldo: file.waldo # waldo file to store the file_id across runs + + # output module to log files tracked in a easily parsable json format + - file-log: + enabled: no + filename: files-json.log + append: yes + #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' + + force-magic: no # force logging magic on all logged files + force-md5: no # force logging of md5 checksums + +# Magic file. The extension .mgc is added to the value here. +#magic-file: /usr/share/file/magic +magic-file: /usr/share/misc/magic.mgc + +# When running in NFQ inline mode, it is possible to use a simulated +# non-terminal NFQUEUE verdict. +# This permit to do send all needed packet to suricata via this a rule: +# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE +# And below, you can have your standard filtering ruleset. To activate +# this mode, you need to set mode to 'repeat' +# If you want packet to be sent to another queue after an ACCEPT decision +# set mode to 'route' and set next-queue value. +# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance +# by processing several packets before sending a verdict (worker runmode only). +# On linux >= 3.6, you can set the fail-open option to yes to have the kernel +# accept the packet if suricata is not able to keep pace. +nfq: +# mode: accept +# repeat-mark: 1 +# repeat-mask: 1 +# route-queue: 2 +# batchcount: 20 +# fail-open: yes + +#nflog support +nflog: + # netlink multicast group + # (the same as the iptables --nflog-group param) + # Group 0 is used by the kernel, so you can't use it + - group: 2 + # netlink buffer size + buffer-size: 18432 + # put default value here + - group: default + # set number of packet to queue inside kernel + qthreshold: 1 + # set the delay before flushing packet in the queue inside kernel + qtimeout: 100 + # netlink max buffer size + max-size: 20000 + +# af-packet support +# Set threads to > 1 to use PACKET_FANOUT support +af-packet: + - interface: eth0 + # Number of receive threads (>1 will enable experimental flow pinned + # runmode) + threads: 1 + # Default clusterid. AF_PACKET will load balance packets based on flow. + # All threads/processes that will participate need to have the same + # clusterid. + cluster-id: 99 + # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash. + # This is only supported for Linux kernel > 3.1 + # possible value are: + # * cluster_round_robin: round robin load balancing + # * cluster_flow: all packets of a given flow are send to the same socket + # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket + cluster-type: cluster_flow + # In some fragmentation case, the hash can not be computed. If "defrag" is set + # to yes, the kernel will do the needed defragmentation before sending the packets. + defrag: yes + # To use the ring feature of AF_PACKET, set 'use-mmap' to yes + use-mmap: yes + # Ring size will be computed with respect to max_pending_packets and number + # of threads. You can set manually the ring size in number of packets by setting + # the following value. If you are using flow cluster-type and have really network + # intensive single-flow you could want to set the ring-size independantly of the number + # of threads: + #ring-size: 2048 + # On busy system, this could help to set it to yes to recover from a packet drop + # phase. This will result in some packets (at max a ring flush) being non treated. + #use-emergency-flush: yes + # recv buffer size, increase value could improve performance + # buffer-size: 32768 + # Set to yes to disable promiscuous mode + # disable-promisc: no + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - kernel: use indication sent by kernel for each packet (default) + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: kernel + # BPF filter to apply to this interface. The pcap filter syntax apply here. + #bpf-filter: port 80 or udp + # You can use the following variables to activate AF_PACKET tap od IPS mode. + # If copy-mode is set to ips or tap, the traffic coming to the current + # interface will be copied to the copy-iface interface. If 'tap' is set, the + # copy is complete. If 'ips' is set, the packet matching a 'drop' action + # will not be copied. + #copy-mode: ips + #copy-iface: eth1 + - interface: eth1 + threads: 1 + cluster-id: 98 + cluster-type: cluster_flow + defrag: yes + # buffer-size: 32768 + # disable-promisc: no + # Put default values here + - interface: default + #threads: 2 + #use-mmap: yes + +legacy: + uricontent: enabled + +# You can specify a threshold config file by setting "threshold-file" +# to the path of the threshold config file: +# threshold-file: /etc/suricata/threshold.config + +# The detection engine builds internal groups of signatures. The engine +# allow us to specify the profile to use for them, to manage memory on an +# efficient way keeping a good performance. For the profile keyword you +# can use the words "low", "medium", "high" or "custom". If you use custom +# make sure to define the values at "- custom-values" as your convenience. +# Usually you would prefer medium/high/low. +# +# "sgh mpm-context", indicates how the staging should allot mpm contexts for +# the signature groups. "single" indicates the use of a single context for +# all the signature group heads. "full" indicates a mpm-context for each +# group head. "auto" lets the engine decide the distribution of contexts +# based on the information the engine gathers on the patterns from each +# group head. +# +# The option inspection-recursion-limit is used to limit the recursive calls +# in the content inspection code. For certain payload-sig combinations, we +# might end up taking too much time in the content inspection code. +# If the argument specified is 0, the engine uses an internally defined +# default limit. On not specifying a value, we use no limits on the recursion. +detect-engine: + - profile: medium + - custom-values: + toclient-src-groups: 2 + toclient-dst-groups: 2 + toclient-sp-groups: 2 + toclient-dp-groups: 3 + toserver-src-groups: 2 + toserver-dst-groups: 4 + toserver-sp-groups: 2 + toserver-dp-groups: 25 + - sgh-mpm-context: auto + - inspection-recursion-limit: 3000 + # When rule-reload is enabled, sending a USR2 signal to the Suricata process + # will trigger a live rule reload. Experimental feature, use with care. + #- rule-reload: true + # If set to yes, the loading of signatures will be made after the capture + # is started. This will limit the downtime in IPS mode. + #- delayed-detect: yes + +# Suricata is multi-threaded. Here the threading can be influenced. +threading: + # On some cpu's/architectures it is beneficial to tie individual threads + # to specific CPU's/CPU cores. In this case all threads are tied to CPU0, + # and each extra CPU/core has one "detect" thread. + # + # On Intel Core2 and Nehalem CPU's enabling this will degrade performance. + # + set-cpu-affinity: no + # Tune cpu affinity of suricata threads. Each family of threads can be bound + # on specific CPUs. + cpu-affinity: + - management-cpu-set: + cpu: [ 0 ] # include only these cpus in affinity settings + - receive-cpu-set: + cpu: [ 0 ] # include only these cpus in affinity settings + - decode-cpu-set: + cpu: [ 0, 1 ] + mode: "balanced" + - stream-cpu-set: + cpu: [ "0-1" ] + - detect-cpu-set: + cpu: [ "all" ] + mode: "exclusive" # run detect threads in these cpus + # Use explicitely 3 threads and don't compute number by using + # detect-thread-ratio variable: + # threads: 3 + prio: + low: [ 0 ] + medium: [ "1-2" ] + high: [ 3 ] + default: "medium" + - verdict-cpu-set: + cpu: [ 0 ] + prio: + default: "high" + - reject-cpu-set: + cpu: [ 0 ] + prio: + default: "low" + - output-cpu-set: + cpu: [ "all" ] + prio: + default: "medium" + # + # By default Suricata creates one "detect" thread per available CPU/CPU core. + # This setting allows controlling this behaviour. A ratio setting of 2 will + # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this + # will result in 4 detect threads. If values below 1 are used, less threads + # are created. So on a dual core CPU a setting of 0.5 results in 1 detect + # thread being created. Regardless of the setting at a minimum 1 detect + # thread will always be created. + # + detect-thread-ratio: 1.5 + +# Cuda configuration. +cuda: + # The "mpm" profile. On not specifying any of these parameters, the engine's + # internal default values are used, which are same as the ones specified in + # in the default conf file. + mpm: + # The minimum length required to buffer data to the gpu. + # Anything below this is MPM'ed on the CPU. + # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. + # A value of 0 indicates there's no limit. + data-buffer-size-min-limit: 0 + # The maximum length for data that we would buffer to the gpu. + # Anything over this is MPM'ed on the CPU. + # Can be specified in kb, mb, gb. Just a number indicates it's in bytes. + data-buffer-size-max-limit: 1500 + # The ring buffer size used by the CudaBuffer API to buffer data. + cudabuffer-buffer-size: 500mb + # The max chunk size that can be sent to the gpu in a single go. + gpu-transfer-size: 50mb + # The timeout limit for batching of packets in microseconds. + batching-timeout: 2000 + # The device to use for the mpm. Currently we don't support load balancing + # on multiple gpus. In case you have multiple devices on your system, you + # can specify the device to use, using this conf. By default we hold 0, to + # specify the first device cuda sees. To find out device-id associated with + # the card(s) on the system run "suricata --list-cuda-cards". + device-id: 0 + # No of Cuda streams used for asynchronous processing. All values > 0 are valid. + # For this option you need a device with Compute Capability > 1.0. + cuda-streams: 2 + +# Select the multi pattern algorithm you want to run for scan/search the +# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber, +# ac and ac-gfbs. +# +# The mpm you choose also decides the distribution of mpm contexts for +# signature groups, specified by the conf - "detect-engine.sgh-mpm-context". +# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context" +# to be set to "single", because of ac's memory requirements, unless the +# ruleset is small enough to fit in one's memory, in which case one can +# use "full" with "ac". Rest of the mpms can be run in "full" mode. +# +# There is also a CUDA pattern matcher (only available if Suricata was +# compiled with --enable-cuda: b2g_cuda. Make sure to update your +# max-pending-packets setting above as well if you use b2g_cuda. + +mpm-algo: ac + +# The memory settings for hash size of these algorithms can vary from lowest +# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max +# (65536). The bloomfilter sizes of these algorithms can vary from low (512) - +# medium (1024) - high (2048). +# +# For B2g/B3g algorithms, there is a support for two different scan/search +# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and +# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms +# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch & +# B3gSearchBNDMq. +# +# For B2g the different scan/search algorithms and, hash and bloom +# filter size settings. For B3g the different scan/search algorithms and, hash +# and bloom filter size settings. For wumanber the hash and bloom filter size +# settings. + +pattern-matcher: + - b2gc: + search-algo: B2gSearchBNDMq + hash-size: low + bf-size: medium + - b2gm: + search-algo: B2gSearchBNDMq + hash-size: low + bf-size: medium + - b2g: + search-algo: B2gSearchBNDMq + hash-size: low + bf-size: medium + - b3g: + search-algo: B3gSearchBNDMq + hash-size: low + bf-size: medium + - wumanber: + hash-size: low + bf-size: medium + +# Defrag settings: + +defrag: + memcap: 32mb + hash-size: 65536 + trackers: 65535 # number of defragmented flows to follow + max-frags: 65535 # number of fragments to keep (higher than trackers) + prealloc: yes + timeout: 60 + +# Enable defrag per host settings +# host-config: +# +# - dmz: +# timeout: 30 +# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"] +# +# - lan: +# timeout: 45 +# address: +# - 192.168.0.0/24 +# - 192.168.10.0/24 +# - 172.16.14.0/24 + +# Flow settings: +# By default, the reserved memory (memcap) for flows is 32MB. This is the limit +# for flow allocation inside the engine. You can change this value to allow +# more memory usage for flows. +# The hash-size determine the size of the hash used to identify flows inside +# the engine, and by default the value is 65536. +# At the startup, the engine can preallocate a number of flows, to get a better +# performance. The number of flows preallocated is 10000 by default. +# emergency-recovery is the percentage of flows that the engine need to +# prune before unsetting the emergency state. The emergency state is activated +# when the memcap limit is reached, allowing to create new flows, but +# prunning them with the emergency timeouts (they are defined below). +# If the memcap is reached, the engine will try to prune flows +# with the default timeouts. If it doens't find a flow to prune, it will set +# the emergency bit and it will try again with more agressive timeouts. +# If that doesn't work, then it will try to kill the last time seen flows +# not in use. +# The memcap can be specified in kb, mb, gb. Just a number indicates it's +# in bytes. + +flow: + memcap: 64mb + hash-size: 65536 + prealloc: 10000 + emergency-recovery: 30 + +# This option controls the use of vlan ids in the flow (and defrag) +# hashing. Normally this should be enabled, but in some (broken) +# setups where both sides of a flow are not tagged with the same vlan +# tag, we can ignore the vlan id's in the flow hashing. +vlan: + use-for-tracking: true + +# Specific timeouts for flows. Here you can specify the timeouts that the +# active flows will wait to transit from the current state to another, on each +# protocol. The value of "new" determine the seconds to wait after a hanshake or +# stream startup before the engine free the data of that flow it doesn't +# change the state to established (usually if we don't receive more packets +# of that flow). The value of "established" is the amount of +# seconds that the engine will wait to free the flow if it spend that amount +# without receiving new packets or closing the connection. "closed" is the +# amount of time to wait after a flow is closed (usually zero). +# +# There's an emergency mode that will become active under attack circumstances, +# making the engine to check flow status faster. This configuration variables +# use the prefix "emergency-" and work similar as the normal ones. +# Some timeouts doesn't apply to all the protocols, like "closed", for udp and +# icmp. + +flow-timeouts: + + default: + new: 30 + established: 300 + closed: 0 + emergency-new: 10 + emergency-established: 100 + emergency-closed: 0 + tcp: + new: 60 + established: 3600 + closed: 120 + emergency-new: 10 + emergency-established: 300 + emergency-closed: 20 + udp: + new: 30 + established: 300 + emergency-new: 10 + emergency-established: 100 + icmp: + new: 30 + established: 300 + emergency-new: 10 + emergency-established: 100 + +# Stream engine settings. Here the TCP stream tracking and reassembly +# engine is configured. +# +# stream: +# memcap: 32mb # Can be specified in kb, mb, gb. Just a +# # number indicates it's in bytes. +# checksum-validation: yes # To validate the checksum of received +# # packet. If csum validation is specified as +# # "yes", then packet with invalid csum will not +# # be processed by the engine stream/app layer. +# # Warning: locally generated trafic can be +# # generated without checksum due to hardware offload +# # of checksum. You can control the handling of checksum +# # on a per-interface basis via the 'checksum-checks' +# # option +# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread +# midstream: false # don't allow midstream session pickups +# async-oneside: false # don't enable async stream handling +# inline: no # stream inline mode +# max-synack-queued: 5 # Max different SYN/ACKs to queue +# +# reassembly: +# memcap: 64mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# depth: 1mb # Can be specified in kb, mb, gb. Just a number +# # indicates it's in bytes. +# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# # The max acceptable size is 4024 bytes. +# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least +# # this size. Can be specified in kb, mb, +# # gb. Just a number indicates it's in bytes. +# # The max acceptable size is 4024 bytes. +# randomize-chunk-size: yes # Take a random value for chunk size around the specified value. +# # This lower the risk of some evasion technics but could lead +# # detection change between runs. It is set to 'yes' by default. +# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is +# # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size +# # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value +# # of randomize-chunk-range is 10. +# +# raw: yes # 'Raw' reassembly enabled or disabled. +# # raw is for content inspection by detection +# # engine. +# +# chunk-prealloc: 250 # Number of preallocated stream chunks. These +# # are used during stream inspection (raw). +# segments: # Settings for reassembly segment pool. +# - size: 4 # Size of the (data)segment for a pool +# prealloc: 256 # Number of segments to prealloc and keep +# # in the pool. +# +stream: + memcap: 32mb + checksum-validation: yes # reject wrong csums + inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + reassembly: + memcap: 128mb + depth: 1mb # reassemble 1mb into a stream + toserver-chunk-size: 2560 + toclient-chunk-size: 2560 + randomize-chunk-size: yes + #randomize-chunk-range: 10 + #raw: yes + #chunk-prealloc: 250 + #segments: + # - size: 4 + # prealloc: 256 + # - size: 16 + # prealloc: 512 + # - size: 112 + # prealloc: 512 + # - size: 248 + # prealloc: 512 + # - size: 512 + # prealloc: 512 + # - size: 768 + # prealloc: 1024 + # - size: 1448 + # prealloc: 1024 + # - size: 65535 + # prealloc: 128 + +# Host table: +# +# Host table is used by tagging and per host thresholding subsystems. +# +host: + hash-size: 4096 + prealloc: 1000 + memcap: 16777216 + +# Logging configuration. This is not about logging IDS alerts, but +# IDS output about what its doing, errors, etc. +logging: + + # The default log level, can be overridden in an output section. + # Note that debug level logging will only be emitted if Suricata was + # compiled with the --enable-debug configure option. + # + # This value is overriden by the SC_LOG_LEVEL env var. + default-log-level: notice + + # The default output format. Optional parameter, should default to + # something reasonable if not provided. Can be overriden in an + # output section. You can leave this out to get the default. + # + # This value is overriden by the SC_LOG_FORMAT env var. + #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " + + # A regex to filter output. Can be overridden in an output section. + # Defaults to empty (no filter). + # + # This value is overriden by the SC_LOG_OP_FILTER env var. + default-output-filter: + + # Define your logging outputs. If none are defined, or they are all + # disabled you will get the default - console output. + outputs: + - console: + enabled: yes + - file: + enabled: no + filename: /var/log/suricata.log + - syslog: + enabled: yes + facility: local5 + format: "[%i] <%d> -- " + +# Tilera mpipe configuration. for use on Tilera TILE-Gx. +mpipe: + + # Load balancing modes: "static", "dynamic", "sticky", or "round-robin". + load-balance: dynamic + + # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536 + iqueue-packets: 2048 + + # List of interfaces we will listen on. + inputs: + - interface: xgbe2 + - interface: xgbe3 + - interface: xgbe4 + + + # Relative weight of memory for packets of each mPipe buffer size. + stack: + size128: 0 + size256: 9 + size512: 0 + size1024: 0 + size1664: 7 + size4096: 0 + size10386: 0 + size16384: 0 + +# PF_RING configuration. for use with native PF_RING support +# for more info see http://www.ntop.org/PF_RING.html +pfring: + - interface: eth0 + # Number of receive threads (>1 will enable experimental flow pinned + # runmode) + threads: 1 + + # Default clusterid. PF_RING will load balance packets based on flow. + # All threads/processes that will participate need to have the same + # clusterid. + cluster-id: 99 + + # Default PF_RING cluster type. PF_RING can load balance per flow or per hash. + # This is only supported in versions of PF_RING > 4.1.1. + cluster-type: cluster_flow + # bpf filter for this interface + #bpf-filter: tcp + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - rxonly: only compute checksum for packets received by network card. + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # Second interface + #- interface: eth1 + # threads: 3 + # cluster-id: 93 + # cluster-type: cluster_flow + # Put default values here + - interface: default + #threads: 2 + +pcap: + - interface: eth0 + # On Linux, pcap will try to use mmaped capture and will use buffer-size + # as total of memory used by the ring. So set this to something bigger + # than 1% of your bandwidth. + #buffer-size: 16777216 + #bpf-filter: "tcp and port 25" + # Choose checksum verification mode for the interface. At the moment + # of the capture, some packets may be with an invalid checksum due to + # offloading to the network card of the checksum computation. + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have any validation + #checksum-checks: auto + # With some accelerator cards using a modified libpcap (like myricom), you + # may want to have the same number of capture threads as the number of capture + # rings. In this case, set up the threads variable to N to start N threads + # listening on the same interface. + #threads: 16 + # set to no to disable promiscuous mode: + #promisc: no + # set snaplen, if not set it defaults to MTU if MTU can be known + # via ioctl call and to full capture if not. + #snaplen: 1518 + # Put default values here + - interface: default + #checksum-checks: auto + +pcap-file: + # Possible values are: + # - yes: checksum validation is forced + # - no: checksum validation is disabled + # - auto: suricata uses a statistical approach to detect when + # checksum off-loading is used. (default) + # Warning: 'checksum-validation' must be set to yes to have checksum tested + checksum-checks: auto + +# For FreeBSD ipfw(8) divert(4) support. +# Please make sure you have ipfw_load="YES" and ipdivert_load="YES" +# in /etc/loader.conf or kldload'ing the appropriate kernel modules. +# Additionally, you need to have an ipfw rule for the engine to see +# the packets from ipfw. For Example: +# +# ipfw add 100 divert 8000 ip from any to any +# +# The 8000 above should be the same number you passed on the command +# line, i.e. -d 8000 +# +ipfw: + + # Reinject packets at the specified ipfw rule number. This config + # option is the ipfw rule number AT WHICH rule processing continues + # in the ipfw processing system after the engine has finished + # inspecting the packet for acceptance. If no rule number is specified, + # accepted packets are reinjected at the divert rule which they entered + # and IPFW rule processing continues. No check is done to verify + # this will rule makes sense so care must be taken to avoid loops in ipfw. + # + ## The following example tells the engine to reinject packets + # back into the ipfw firewall AT rule number 5500: + # + # ipfw-reinjection-rule-number: 5500 + +# Set the default rule path here to search for the files. +# if not set, it will look at the current working dir +default-rule-path: /etc/suricata/rules +rule-files: + - botcc.rules + - ciarmy.rules + - compromised.rules + - drop.rules + - dshield.rules + - emerging-activex.rules + - emerging-attack_response.rules + - emerging-chat.rules + - emerging-current_events.rules + - emerging-dns.rules + - emerging-dos.rules + - emerging-exploit.rules + - emerging-ftp.rules + - emerging-games.rules + - emerging-icmp_info.rules +# - emerging-icmp.rules + - emerging-imap.rules + - emerging-inappropriate.rules + - emerging-malware.rules + - emerging-misc.rules + - emerging-mobile_malware.rules + - emerging-netbios.rules + - emerging-p2p.rules + - emerging-policy.rules + - emerging-pop3.rules + - emerging-rpc.rules + - emerging-scada.rules + - emerging-scan.rules + - emerging-shellcode.rules + - emerging-smtp.rules + - emerging-snmp.rules + - emerging-sql.rules + - emerging-telnet.rules + - emerging-tftp.rules + - emerging-trojan.rules + - emerging-user_agents.rules + - emerging-voip.rules + - emerging-web_client.rules + - emerging-web_server.rules + - emerging-web_specific_apps.rules + - emerging-worm.rules + - tor.rules + - decoder-events.rules # available in suricata sources under rules dir + - stream-events.rules # available in suricata sources under rules dir + - http-events.rules # available in suricata sources under rules dir + - smtp-events.rules # available in suricata sources under rules dir + - dns-events.rules # available in suricata sources under rules dir + - tls-events.rules # available in suricata sources under rules dir + +classification-file: /etc/suricata/classification.config +reference-config-file: /etc/suricata/reference.config + +# Holds variables that would be used by the engine. +vars: + + # Holds the address group vars that would be passed in a Signature. + # These would be retrieved during the Signature address parsing stage. + address-groups: + + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + + EXTERNAL_NET: "!$HOME_NET" + + HTTP_SERVERS: "$HOME_NET" + + SMTP_SERVERS: "$HOME_NET" + + SQL_SERVERS: "$HOME_NET" + + DNS_SERVERS: "$HOME_NET" + + TELNET_SERVERS: "$HOME_NET" + + AIM_SERVERS: "$EXTERNAL_NET" + + DNP3_SERVER: "$HOME_NET" + + DNP3_CLIENT: "$HOME_NET" + + MODBUS_CLIENT: "$HOME_NET" + + MODBUS_SERVER: "$HOME_NET" + + ENIP_CLIENT: "$HOME_NET" + + ENIP_SERVER: "$HOME_NET" + + # Holds the port group vars that would be passed in a Signature. + # These would be retrieved during the Signature port parsing stage. + port-groups: + + HTTP_PORTS: "80" + + SHELLCODE_PORTS: "!80" + + ORACLE_PORTS: 1521 + + SSH_PORTS: 22 + + DNP3_PORTS: 20000 + +# Set the order of alerts bassed on actions +# The default order is pass, drop, reject, alert +action-order: + - pass + - drop + - reject + - alert + +# IP Reputation +#reputation-categories-file: /etc/suricata/iprep/categories.txt +#default-reputation-path: /etc/suricata/iprep +#reputation-files: +# - reputation.list + +# Host specific policies for defragmentation and TCP stream +# reassembly. The host OS lookup is done using a radix tree, just +# like a routing table so the most specific entry matches. +host-os-policy: + # Make the default policy windows. + windows: [0.0.0.0/0] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"] + old-solaris: [] + solaris: ["::1"] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + + +# Limit for the maximum number of asn1 frames to decode (default 256) +asn1-max-frames: 256 + +# When run with the option --engine-analysis, the engine will read each of +# the parameters below, and print reports for each of the enabled sections +# and exit. The reports are printed to a file in the default log dir +# given by the parameter "default-log-dir", with engine reporting +# subsection below printing reports in its own report file. +engine-analysis: + # enables printing reports for fast-pattern for every rule. + rules-fast-pattern: yes + # enables printing reports for each rule + rules: yes + +#recursion and match limits for PCRE where supported +pcre: + match-limit: 3500 + match-limit-recursion: 1500 + +# Holds details on the app-layer. The protocols section details each protocol. +# Under each protocol, the default value for detection-enabled and " +# parsed-enabled is yes, unless specified otherwise. +# Each protocol covers enabling/disabling parsers for all ipprotos +# the app-layer protocol runs on. For example "dcerpc" refers to the tcp +# version of the protocol as well as the udp version of the protocol. +# The option "enabled" takes 3 values - "yes", "no", "detection-only". +# "yes" enables both detection and the parser, "no" disables both, and +# "detection-only" enables detection only(parser disabled). +app-layer: + protocols: + tls: + enabled: yes + detection-ports: + dp: 443 + + #no-reassemble: yes + dcerpc: + enabled: yes + ftp: + enabled: yes + ssh: + enabled: yes + smtp: + enabled: yes + imap: + enabled: detection-only + msn: + enabled: detection-only + smb: + enabled: yes + detection-ports: + dp: 139 + # smb2 detection is disabled internally inside the engine. + #smb2: + # enabled: yes + dns: + # memcaps. Globally and per flow/state. + #global-memcap: 16mb + #state-memcap: 512kb + + # How many unreplied DNS requests are considered a flood. + # If the limit is reached, app-layer-event:dns.flooded; will match. + #request-flood: 500 + + tcp: + enabled: yes + detection-ports: + dp: 53 + udp: + enabled: yes + detection-ports: + dp: 53 + http: + enabled: yes + # memcap: 64mb + + ########################################################################### + # Configure libhtp. + # + # + # default-config: Used when no server-config matches + # personality: List of personalities used by default + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # + # server-config: List of server configurations to use if address matches + # address: List of ip addresses or networks for this block + # personalitiy: List of personalities used by this block + # request-body-limit: Limit reassembly of request body for inspection + # by http_client_body & pcre /P option. + # response-body-limit: Limit reassembly of response body for inspection + # by file_data, http_server_body & pcre /Q option. + # double-decode-path: Double decode path section of the URI + # double-decode-query: Double decode query section of the URI + # + # uri-include-all: Include all parts of the URI. By default the + # 'scheme', username/password, hostname and port + # are excluded. Setting this option to true adds + # all of them to the normalized uri as inspected + # by http_uri, urilen, pcre with /U and the other + # keywords that inspect the normalized uri. + # Note that this does not affect http_raw_uri. + # Also, note that including all was the default in + # 1.4 and 2.0beta1. + # + # meta-field-limit: Hard size limit for request and response size + # limits. Applies to request line and headers, + # response line and headers. Does not apply to + # request or response bodies. Default is 18k. + # If this limit is reached an event is raised. + # + # Currently Available Personalities: + # Minimal + # Generic + # IDS (default) + # IIS_4_0 + # IIS_5_0 + # IIS_5_1 + # IIS_6_0 + # IIS_7_0 + # IIS_7_5 + # Apache_2 + ########################################################################### + libhtp: + + default-config: + personality: IDS + + # Can be specified in kb, mb, gb. Just a number indicates + # it's in bytes. + request-body-limit: 3072 + response-body-limit: 3072 + + # inspection limits + request-body-minimal-inspect-size: 32kb + request-body-inspect-window: 4kb + response-body-minimal-inspect-size: 32kb + response-body-inspect-window: 4kb + # Take a random value for inspection sizes around the specified value. + # This lower the risk of some evasion technics but could lead + # detection change between runs. It is set to 'yes' by default. + #randomize-inspection-sizes: yes + # If randomize-inspection-sizes is active, the value of various + # inspection size will be choosen in the [1 - range%, 1 + range%] + # range + # Default value of randomize-inspection-range is 10. + #randomize-inspection-range: 10 + + # decoding + double-decode-path: no + double-decode-query: no + + server-config: + + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + +# Profiling settings. Only effective if Suricata has been built with the +# the --enable-profiling configure flag. +# +profiling: + # Run profiling for every xth packet. The default is 1, which means we + # profile every packet. If set to 1000, one packet is profiled for every + # 1000 received. + #sample-rate: 1000 + + # rule profiling + rules: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: rule_perf.log + append: yes + + # Sort options: ticks, avgticks, checks, matches, maxticks + sort: avgticks + + # Limit the number of items printed at exit. + limit: 100 + + # per keyword profiling + keywords: + enabled: yes + filename: keyword_perf.log + append: yes + + # packet profiling + packets: + + # Profiling can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: yes + filename: packet_stats.log + append: yes + + # per packet csv output + csv: + + # Output can be disabled here, but it will still have a + # performance impact if compiled in. + enabled: no + filename: packet_stats.csv + + # profiling of locking. Only available when Suricata was built with + # --enable-profiling-locks. + locks: + enabled: no + filename: lock_stats.log + append: yes + +# Suricata core dump configuration. Limits the size of the core dump file to +# approximately max-dump. The actual core dump size will be a multiple of the +# page size. Core dumps that would be larger than max-dump are truncated. On +# Linux, the actual core dump size may be a few pages larger than max-dump. +# Setting max-dump to 0 disables core dumping. +# Setting max-dump to 'unlimited' will give the full core dump file. +# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size +# to be 'unlimited'. + +coredump: + max-dump: unlimited + +napatech: + # The Host Buffer Allowance for all streams + # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back) + hba: -1 + + # use_all_streams set to "yes" will query the Napatech service for all configured + # streams and listen on all of them. When set to "no" the streams config array + # will be used. + use-all-streams: yes + + # The streams to listen on + streams: [1, 2, 3] + +# Includes. Files included here will be handled as if they were +# inlined in this configuration file. +#include: include1.yaml +#include: include2.yaml diff --git a/meta-security/recipes-ids/suricata/files/tmpfiles.suricata b/meta-security/recipes-ids/suricata/files/tmpfiles.suricata new file mode 100644 index 0000000000..fbf37848ee --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/tmpfiles.suricata @@ -0,0 +1,2 @@ +#Type Path Mode UID GID Age Argument +d /var/log/suricata 0755 root root diff --git a/meta-security/recipes-ids/suricata/files/volatiles.03_suricata b/meta-security/recipes-ids/suricata/files/volatiles.03_suricata new file mode 100644 index 0000000000..4627bd3b0f --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/volatiles.03_suricata @@ -0,0 +1,2 @@ +# +d root root 0755 /var/log/suricata none diff --git a/meta-security/recipes-ids/suricata/libhtp_0.5.38.bb b/meta-security/recipes-ids/suricata/libhtp_0.5.38.bb new file mode 100644 index 0000000000..2a0c93ccc8 --- /dev/null +++ b/meta-security/recipes-ids/suricata/libhtp_0.5.38.bb @@ -0,0 +1,27 @@ +SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces." + +require suricata.inc + +LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=596ab7963a1a0e5198e5a1c4aa621843" + +SRC_URI = "git://github.com/OISF/libhtp.git;protocol=https;branch=0.5.x" +SRCREV = "fca44158911a1642880ea5c774151a33ad33d906" + +DEPENDS = "zlib" + +inherit autotools-brokensep pkgconfig + +CFLAGS += "-D_DEFAULT_SOURCE" + +#S = "${WORKDIR}/suricata-${VER}/${BPN}" + +S = "${WORKDIR}/git" + +do_configure () { + cd ${S} + ./autogen.sh + oe_runconf +} + +RDEPENDS:${PN} += "zlib" + diff --git a/meta-security/recipes-ids/suricata/suricata.inc b/meta-security/recipes-ids/suricata/suricata.inc new file mode 100644 index 0000000000..5754617fbd --- /dev/null +++ b/meta-security/recipes-ids/suricata/suricata.inc @@ -0,0 +1,5 @@ +HOMEPAGE = "http://suricata-ids.org/" +SECTION = "security Monitor/Admin" +LICENSE = "GPLv2" + +COMPATIBLE_HOST:powerpc = 'null' diff --git a/meta-security/recipes-ids/suricata/suricata_6.0.3.bb b/meta-security/recipes-ids/suricata/suricata_6.0.3.bb new file mode 100644 index 0000000000..ca9e03e325 --- /dev/null +++ b/meta-security/recipes-ids/suricata/suricata_6.0.3.bb @@ -0,0 +1,206 @@ +SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine" + +require suricata.inc + +LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" + +SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${PV}.tar.gz" +SRC_URI[sha256sum] = "daf134bb2d7c980035e9ae60f7aaf313323a809340009f26e48110ccde81f602" + +DEPENDS = "lz4 libhtp" + +SRC_URI += " \ + file://volatiles.03_suricata \ + file://tmpfiles.suricata \ + file://suricata.yaml \ + file://suricata.service \ + file://run-ptest \ + file://fixup.patch \ + " + +SRC_URI += " \ + crate://crates.io/autocfg/1.0.1 \ + crate://crates.io/semver-parser/0.7.0 \ + crate://crates.io/arrayvec/0.4.12 \ + crate://crates.io/ryu/1.0.5 \ + crate://crates.io/libc/0.2.86 \ + crate://crates.io/bitflags/1.2.1 \ + crate://crates.io/version_check/0.9.2 \ + crate://crates.io/memchr/2.3.4 \ + crate://crates.io/nodrop/0.1.14 \ + crate://crates.io/cfg-if/0.1.9 \ + crate://crates.io/static_assertions/0.3.4 \ + crate://crates.io/getrandom/0.1.16 \ + crate://crates.io/cfg-if/1.0.0 \ + crate://crates.io/siphasher/0.3.3 \ + crate://crates.io/ppv-lite86/0.2.10 \ + crate://crates.io/proc-macro-hack/0.5.19 \ + crate://crates.io/proc-macro2/0.4.30 \ + crate://crates.io/unicode-xid/0.1.0 \ + crate://crates.io/syn/0.15.44 \ + crate://crates.io/build_const/0.2.1 \ + crate://crates.io/num-derive/0.2.5 \ + crate://crates.io/base64/0.11.0 \ + crate://crates.io/widestring/0.4.3 \ + crate://crates.io/md5/0.7.0 \ + crate://crates.io/uuid/0.8.2 \ + crate://crates.io/byteorder/1.4.2 \ + crate://crates.io/semver/0.9.0 \ + crate://crates.io/nom/5.1.1 \ + crate://crates.io/num-traits/0.2.14 \ + crate://crates.io/num-integer/0.1.44 \ + crate://crates.io/num-bigint/0.2.6 \ + crate://crates.io/num-bigint/0.3.1 \ + crate://crates.io/num-rational/0.2.4 \ + crate://crates.io/num-complex/0.2.4 \ + crate://crates.io/num-iter/0.1.42 \ + crate://crates.io/phf_shared/0.8.0 \ + crate://crates.io/crc/1.8.1 \ + crate://crates.io/rustc_version/0.2.3 \ + crate://crates.io/phf/0.8.0 \ + crate://crates.io/lexical-core/0.6.7 \ + crate://crates.io/time/0.1.44 \ + crate://crates.io/quote/0.6.13 \ + crate://crates.io/rand_core/0.5.1 \ + crate://crates.io/rand_chacha/0.2.2 \ + crate://crates.io/rand_pcg/0.2.1 \ + crate://crates.io/num-traits/0.1.43 \ + crate://crates.io/rand/0.7.3 \ + crate://crates.io/enum_primitive/0.1.1 \ + crate://crates.io/phf_generator/0.8.0 \ + crate://crates.io/phf_codegen/0.8.0 \ + crate://crates.io/tls-parser/0.9.4 \ + crate://crates.io/num/0.2.1 \ + crate://crates.io/rusticata-macros/2.1.0 \ + crate://crates.io/ntp-parser/0.4.0 \ + crate://crates.io/der-oid-macro/0.2.0 \ + crate://crates.io/der-parser/3.0.4 \ + crate://crates.io/ipsec-parser/0.5.0 \ + crate://crates.io/x509-parser/0.6.5 \ + crate://crates.io/der-parser/4.1.0 \ + crate://crates.io/snmp-parser/0.6.0 \ + crate://crates.io/kerberos-parser/0.5.0 \ + crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \ + crate://crates.io/winapi/0.3.9 \ + crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ + crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ + crate://crates.io/log/0.4.0 \ + crate://crates.io/rand_hc/0.2.0 \ + crate://crates.io/wasi/0.9.0+wasi-snapshot-preview1 \ + crate://crates.io/sawp/0.5.0 \ + crate://crates.io/sawp-modbus/0.5.0 \ + crate://crates.io/brotli/3.3.0 \ + crate://crates.io/flate2/1.0.20 \ + crate://crates.io/alloc-no-stdlib/2.0.1 \ + crate://crates.io/alloc-stdlib/0.2.1 \ + crate://crates.io/brotli-decompressor/2.3.1 \ + crate://crates.io/crc32fast/1.2.1 \ + crate://crates.io/miniz_oxide/0.4.4 \ + crate://crates.io/adler/1.0.2 \ + " + +# test case support +SRC_URI += " \ + crate://crates.io/test-case/1.0.1 \ + crate://crates.io/proc-macro2/1.0.1 \ + crate://crates.io/quote/1.0.1 \ + crate://crates.io/syn/1.0.1 \ + crate://crates.io/unicode-xid/0.2.0 \ + " + +inherit autotools pkgconfig python3native systemd ptest cargo + +EXTRA_OECONF += " --disable-debug \ + --disable-gccmarch-native \ + --enable-non-bundled-htp \ + --disable-suricata-update \ + --with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR} \ + " + +CARGO_SRC_DIR = "rust" + +B = "${S}" + +PACKAGECONFIG ??= "jansson file pcre yaml python pcap cap-ng net nfnetlink nss nspr " +PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" + +PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ," +PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ," +PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap" +PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , " +PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet," +PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ," +PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue," + +PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson" +PACKAGECONFIG[file] = ",,file, file" +PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss," +PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr," +PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core" +PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," + +export logdir = "${localstatedir}/log" + +CACHED_CONFIGUREVARS = "ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes" + +do_configure:prepend () { + oe_runconf +} + +do_compile () { + # we do this to bypass the make provided by this pkg + # patches Makefile to skip the subdir + cargo_do_compile + + # Finish building + cd ${S} + make +} + +do_install () { + install -d ${D}${sysconfdir}/suricata + + oe_runmake install DESTDIR=${D} + + install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles + install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/03_suricata + + install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata + install -m 0644 ${S}/suricata.yaml ${D}${sysconfdir}/suricata + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d + install -m 0644 ${WORKDIR}/tmpfiles.suricata ${D}${sysconfdir}/tmpfiles.d/suricata.conf + + install -d ${D}${systemd_unitdir}/system + sed -e s:/etc:${sysconfdir}:g \ + -e s:/var/run:/run:g \ + -e s:/var:${localstatedir}:g \ + -e s:/usr/bin:${bindir}:g \ + -e s:/bin/kill:${base_bindir}/kill:g \ + -e s:/usr/lib:${libdir}:g \ + ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service + fi + + # Remove /var/run as it is created on startup + rm -rf ${D}${localstatedir}/run + + sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatasc + sed -i -e "s:#!.*$:#!${USRBINPATH}/env ${PYTHON_PN}:g" ${D}${bindir}/suricatactl +} + +pkg_postinst_ontarget:${PN} () { +if command -v systemd-tmpfiles >/dev/null; then + systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/suricata.conf +elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then + ${sysconfdir}/init.d/populate-volatile.sh update +fi +} + +SYSTEMD_PACKAGES = "${PN}" + +PACKAGES =+ "${PN}-python" +FILES:${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d" +FILES:${PN}-python = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}" + +CONFFILES:${PN} = "${sysconfdir}/suricata/suricata.yaml" diff --git a/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb b/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb new file mode 100644 index 0000000000..74f32a495f --- /dev/null +++ b/meta-security/recipes-security/cryfs/cryfs_0.10.3.bb @@ -0,0 +1,10 @@ +SUMMARY = "CryFS encrypts your files, so you can safely store them anywhere." +HOMEDIR = "https://www.cryfs.org" + +LICENSE = "LGPL-3.0" +FILE_CHK_SUM = "file://;md5=12345" + +SRC_URI = "https://github.com/${BPN}/${BPN}.git" +SRCREV = "0f83a1ab7e5ca9f37f97bc57b20d3fab0f351d11" + +inherit cmake diff --git a/meta-security/recipes-security/krill/files/panic_workaround.patch b/meta-security/recipes-security/krill/files/panic_workaround.patch new file mode 100644 index 0000000000..9b08cb5ce9 --- /dev/null +++ b/meta-security/recipes-security/krill/files/panic_workaround.patch @@ -0,0 +1,16 @@ +Upstream-Status: OE specific +Signed-off-by: Armin Kuster + +Index: git/Cargo.toml +=================================================================== +--- git.orig/Cargo.toml ++++ git/Cargo.toml +@@ -71,7 +71,7 @@ static-openssl = [ "openssl/vendored" ] + # Make sure that Krill crashes on panics, rather than losing threads and + # limping on in a bad state. + [profile.release] +-panic = "abort" ++#panic = "abort" + + [dev-dependencies] + # for user management diff --git a/meta-security/recipes-security/krill/krill.inc b/meta-security/recipes-security/krill/krill.inc new file mode 100644 index 0000000000..f86468b966 --- /dev/null +++ b/meta-security/recipes-security/krill/krill.inc @@ -0,0 +1,325 @@ +# please note if you have entries that do not begin with crate:// +# you must change them to how that package can be fetched +SRC_URI += " \ + crate://crates.io/addr2line/0.14.1 \ + crate://crates.io/adler/1.0.2 \ + crate://crates.io/adler32/1.2.0 \ + crate://crates.io/aho-corasick/0.7.15 \ + crate://crates.io/ansi_term/0.11.0 \ + crate://crates.io/ansi_term/0.12.1 \ + crate://crates.io/arrayref/0.3.6 \ + crate://crates.io/arrayvec/0.5.2 \ + crate://crates.io/ascii-canvas/2.0.0 \ + crate://crates.io/ascii/1.0.0 \ + crate://crates.io/atty/0.2.14 \ + crate://crates.io/autocfg/0.1.7 \ + crate://crates.io/autocfg/1.0.1 \ + crate://crates.io/backtrace/0.3.56 \ + crate://crates.io/base64/0.10.1 \ + crate://crates.io/base64/0.12.3 \ + crate://crates.io/base64/0.13.0 \ + crate://crates.io/basic-cookies/0.1.4 \ + crate://crates.io/bcder/0.5.1 \ + crate://crates.io/bit-set/0.5.2 \ + crate://crates.io/bit-vec/0.6.3 \ + crate://crates.io/bitflags/1.2.1 \ + crate://crates.io/blake2b_simd/0.5.11 \ + crate://crates.io/block-buffer/0.9.0 \ + crate://crates.io/bumpalo/3.6.1 \ + crate://crates.io/byteorder/1.4.3 \ + crate://crates.io/bytes/0.4.12 \ + crate://crates.io/bytes/0.5.6 \ + crate://crates.io/bytes/1.0.1 \ + crate://crates.io/cc/1.0.67 \ + crate://crates.io/cfg-if/0.1.10 \ + crate://crates.io/cfg-if/1.0.0 \ + crate://crates.io/chrono/0.4.19 \ + crate://crates.io/chunked_transfer/1.4.0 \ + crate://crates.io/cipher/0.2.5 \ + crate://crates.io/clap/2.33.3 \ + crate://crates.io/clokwerk/0.3.4 \ + crate://crates.io/cloudabi/0.0.3 \ + crate://crates.io/constant_time_eq/0.1.5 \ + crate://crates.io/cookie/0.12.0 \ + crate://crates.io/cookie_store/0.7.0 \ + crate://crates.io/core-foundation-sys/0.8.2 \ + crate://crates.io/core-foundation/0.9.1 \ + crate://crates.io/cpuid-bool/0.1.2 \ + crate://crates.io/crc32fast/1.2.1 \ + crate://crates.io/crossbeam-deque/0.7.3 \ + crate://crates.io/crossbeam-epoch/0.8.2 \ + crate://crates.io/crossbeam-queue/0.2.3 \ + crate://crates.io/crossbeam-utils/0.7.2 \ + crate://crates.io/crossbeam-utils/0.8.3 \ + crate://crates.io/crunchy/0.2.2 \ + crate://crates.io/crypto-mac/0.10.0 \ + crate://crates.io/ctrlc/3.1.9 \ + crate://crates.io/deunicode/0.4.3 \ + crate://crates.io/diff/0.1.12 \ + crate://crates.io/digest/0.9.0 \ + crate://crates.io/dirs/1.0.5 \ + crate://crates.io/dtoa/0.4.8 \ + crate://crates.io/either/1.6.1 \ + crate://crates.io/ena/0.14.0 \ + crate://crates.io/encoding_rs/0.8.28 \ + crate://crates.io/error-chain/0.11.0 \ + crate://crates.io/failure/0.1.8 \ + crate://crates.io/failure_derive/0.1.8 \ + crate://crates.io/fern/0.5.9 \ + crate://crates.io/fixedbitset/0.2.0 \ + crate://crates.io/flate2/1.0.20 \ + crate://crates.io/fnv/1.0.7 \ + crate://crates.io/foreign-types-shared/0.1.1 \ + crate://crates.io/foreign-types/0.3.2 \ + crate://crates.io/form_urlencoded/1.0.1 \ + crate://crates.io/fuchsia-cprng/0.1.1 \ + crate://crates.io/fuchsia-zircon-sys/0.3.3 \ + crate://crates.io/fuchsia-zircon/0.3.3 \ + crate://crates.io/futures-channel/0.3.14 \ + crate://crates.io/futures-core/0.3.14 \ + crate://crates.io/futures-cpupool/0.1.8 \ + crate://crates.io/futures-executor/0.3.14 \ + crate://crates.io/futures-io/0.3.14 \ + crate://crates.io/futures-macro/0.3.14 \ + crate://crates.io/futures-sink/0.3.14 \ + crate://crates.io/futures-task/0.3.14 \ + crate://crates.io/futures-util/0.3.14 \ + crate://crates.io/futures/0.1.31 \ + crate://crates.io/futures/0.3.14 \ + crate://crates.io/generic-array/0.14.4 \ + crate://crates.io/getrandom/0.1.16 \ + crate://crates.io/getrandom/0.2.2 \ + crate://crates.io/gimli/0.23.0 \ + crate://crates.io/h2/0.1.26 \ + crate://crates.io/h2/0.2.7 \ + crate://crates.io/hashbrown/0.9.1 \ + crate://crates.io/hermit-abi/0.1.18 \ + crate://crates.io/hex/0.4.3 \ + crate://crates.io/hmac/0.10.1 \ + crate://crates.io/http-body/0.1.0 \ + crate://crates.io/http-body/0.3.1 \ + crate://crates.io/http/0.1.21 \ + crate://crates.io/http/0.2.4 \ + crate://crates.io/httparse/1.3.6 \ + crate://crates.io/httpdate/0.3.2 \ + crate://crates.io/hyper-tls/0.3.2 \ + crate://crates.io/hyper-tls/0.4.3 \ + crate://crates.io/hyper/0.12.36 \ + crate://crates.io/hyper/0.13.10 \ + crate://crates.io/idna/0.1.5 \ + crate://crates.io/idna/0.2.2 \ + crate://crates.io/impl-trait-for-tuples/0.2.1 \ + crate://crates.io/indexmap/1.6.2 \ + crate://crates.io/intervaltree/0.2.6 \ + crate://crates.io/iovec/0.1.4 \ + crate://crates.io/ipnet/2.3.0 \ + crate://crates.io/itertools/0.10.0 \ + crate://crates.io/itertools/0.9.0 \ + crate://crates.io/itoa/0.4.7 \ + crate://crates.io/jmespatch/0.3.0 \ + crate://crates.io/js-sys/0.3.50 \ + crate://crates.io/kernel32-sys/0.2.2 \ + crate://crates.io/lalrpop-util/0.19.5 \ + crate://crates.io/lalrpop/0.19.5 \ + crate://crates.io/lazy_static/1.4.0 \ + crate://crates.io/libc/0.2.93 \ + crate://crates.io/libflate/1.0.4 \ + crate://crates.io/libflate_lz77/1.0.0 \ + crate://crates.io/lock_api/0.3.4 \ + crate://crates.io/log/0.4.14 \ + crate://crates.io/maplit/1.0.2 \ + crate://crates.io/matchers/0.0.1 \ + crate://crates.io/matches/0.1.8 \ + crate://crates.io/maybe-uninit/2.0.0 \ + crate://crates.io/memchr/2.3.4 \ + crate://crates.io/memoffset/0.5.6 \ + crate://crates.io/mime/0.3.16 \ + crate://crates.io/mime_guess/2.0.3 \ + crate://crates.io/miniz_oxide/0.4.4 \ + crate://crates.io/mio/0.6.23 \ + crate://crates.io/miow/0.2.2 \ + crate://crates.io/native-tls/0.2.7 \ + crate://crates.io/net2/0.2.37 \ + crate://crates.io/new_debug_unreachable/1.0.4 \ + crate://crates.io/nix/0.20.0 \ + crate://crates.io/num-integer/0.1.44 \ + crate://crates.io/num-traits/0.2.14 \ + crate://crates.io/num_cpus/1.13.0 \ + crate://crates.io/oauth2/4.0.0 \ + crate://crates.io/object/0.23.0 \ + crate://crates.io/once_cell/1.7.2 \ + crate://crates.io/opaque-debug/0.3.0 \ + crate://crates.io/openidconnect/2.0.0 \ + crate://crates.io/openssl-probe/0.1.2 \ + crate://crates.io/openssl-src/111.15.0+1.1.1k \ + crate://crates.io/openssl-sys/0.9.61 \ + crate://crates.io/openssl/0.10.33 \ + crate://crates.io/ordered-float/1.1.1 \ + crate://crates.io/oso/0.12.0 \ + crate://crates.io/parking_lot/0.9.0 \ + crate://crates.io/parking_lot_core/0.6.2 \ + crate://crates.io/pbkdf2/0.7.5 \ + crate://crates.io/percent-encoding/1.0.1 \ + crate://crates.io/percent-encoding/2.1.0 \ + crate://crates.io/petgraph/0.5.1 \ + crate://crates.io/phf_shared/0.8.0 \ + crate://crates.io/pico-args/0.4.0 \ + crate://crates.io/pin-project-internal/1.0.6 \ + crate://crates.io/pin-project-lite/0.1.12 \ + crate://crates.io/pin-project-lite/0.2.6 \ + crate://crates.io/pin-project/1.0.6 \ + crate://crates.io/pin-utils/0.1.0 \ + crate://crates.io/pkg-config/0.3.19 \ + crate://crates.io/polar-core/0.12.0 \ + crate://crates.io/ppv-lite86/0.2.10 \ + crate://crates.io/precomputed-hash/0.1.1 \ + crate://crates.io/proc-macro-hack/0.5.19 \ + crate://crates.io/proc-macro-nested/0.1.7 \ + crate://crates.io/proc-macro2/1.0.26 \ + crate://crates.io/publicsuffix/1.5.6 \ + crate://crates.io/quick-xml/0.19.0 \ + crate://crates.io/quote/1.0.9 \ + crate://crates.io/rand/0.6.5 \ + crate://crates.io/rand/0.7.3 \ + crate://crates.io/rand/0.8.3 \ + crate://crates.io/rand_chacha/0.1.1 \ + crate://crates.io/rand_chacha/0.2.2 \ + crate://crates.io/rand_chacha/0.3.0 \ + crate://crates.io/rand_core/0.3.1 \ + crate://crates.io/rand_core/0.4.2 \ + crate://crates.io/rand_core/0.5.1 \ + crate://crates.io/rand_core/0.6.2 \ + crate://crates.io/rand_hc/0.1.0 \ + crate://crates.io/rand_hc/0.2.0 \ + crate://crates.io/rand_hc/0.3.0 \ + crate://crates.io/rand_isaac/0.1.1 \ + crate://crates.io/rand_jitter/0.1.4 \ + crate://crates.io/rand_os/0.1.3 \ + crate://crates.io/rand_pcg/0.1.2 \ + crate://crates.io/rand_xorshift/0.1.1 \ + crate://crates.io/rdrand/0.4.0 \ + crate://crates.io/redox_syscall/0.1.57 \ + crate://crates.io/redox_syscall/0.2.5 \ + crate://crates.io/redox_users/0.3.5 \ + crate://crates.io/regex-automata/0.1.9 \ + crate://crates.io/regex-syntax/0.6.23 \ + crate://crates.io/regex/1.4.5 \ + crate://crates.io/remove_dir_all/0.5.3 \ + crate://crates.io/reqwest/0.10.10 \ + crate://crates.io/reqwest/0.9.24 \ + crate://crates.io/ring/0.16.20 \ + crate://crates.io/rle-decode-fast/1.0.1 \ + crate://crates.io/rpassword/5.0.1 \ + crate://crates.io/rpki/0.10.1 \ + crate://crates.io/rust-argon2/0.8.3 \ + crate://crates.io/rustc-demangle/0.1.18 \ + crate://crates.io/rustc_version/0.2.3 \ + crate://crates.io/rustls/0.18.1 \ + crate://crates.io/ryu/1.0.5 \ + crate://crates.io/salsa20/0.7.2 \ + crate://crates.io/schannel/0.1.19 \ + crate://crates.io/scopeguard/1.1.0 \ + crate://crates.io/scrypt/0.6.5 \ + crate://crates.io/sct/0.6.1 \ + crate://crates.io/security-framework-sys/2.2.0 \ + crate://crates.io/security-framework/2.2.0 \ + crate://crates.io/semver-parser/0.7.0 \ + crate://crates.io/semver/0.9.0 \ + crate://crates.io/serde-value/0.6.0 \ + crate://crates.io/serde/1.0.125 \ + crate://crates.io/serde_derive/1.0.125 \ + crate://crates.io/serde_json/1.0.64 \ + crate://crates.io/serde_path_to_error/0.1.4 \ + crate://crates.io/serde_urlencoded/0.5.5 \ + crate://crates.io/serde_urlencoded/0.7.0 \ + crate://crates.io/sha2/0.9.3 \ + crate://crates.io/sharded-slab/0.1.1 \ + crate://crates.io/siphasher/0.3.5 \ + crate://crates.io/slab/0.4.2 \ + crate://crates.io/slug/0.1.4 \ + crate://crates.io/smallvec/0.6.14 \ + crate://crates.io/smallvec/1.6.1 \ + crate://crates.io/socket2/0.3.19 \ + crate://crates.io/spin/0.5.2 \ + crate://crates.io/string/0.2.1 \ + crate://crates.io/string_cache/0.8.1 \ + crate://crates.io/strsim/0.8.0 \ + crate://crates.io/subtle/2.4.0 \ + crate://crates.io/syn/1.0.69 \ + crate://crates.io/synstructure/0.12.4 \ + crate://crates.io/syslog/4.0.1 \ + crate://crates.io/tempfile/3.2.0 \ + crate://crates.io/term/0.5.2 \ + crate://crates.io/textwrap/0.11.0 \ + crate://crates.io/thiserror-impl/1.0.24 \ + crate://crates.io/thiserror/1.0.24 \ + crate://crates.io/thread_local/1.1.3 \ + crate://crates.io/time/0.1.44 \ + crate://crates.io/tiny-keccak/2.0.2 \ + crate://crates.io/tiny_http/0.8.0 \ + crate://crates.io/tinyvec/1.2.0 \ + crate://crates.io/tinyvec_macros/0.1.0 \ + crate://crates.io/tokio-buf/0.1.1 \ + crate://crates.io/tokio-current-thread/0.1.7 \ + crate://crates.io/tokio-executor/0.1.10 \ + crate://crates.io/tokio-io/0.1.13 \ + crate://crates.io/tokio-macros/0.2.6 \ + crate://crates.io/tokio-reactor/0.1.12 \ + crate://crates.io/tokio-rustls/0.14.1 \ + crate://crates.io/tokio-sync/0.1.8 \ + crate://crates.io/tokio-tcp/0.1.4 \ + crate://crates.io/tokio-threadpool/0.1.18 \ + crate://crates.io/tokio-timer/0.2.13 \ + crate://crates.io/tokio-tls/0.3.1 \ + crate://crates.io/tokio-util/0.3.1 \ + crate://crates.io/tokio/0.1.22 \ + crate://crates.io/tokio/0.2.25 \ + crate://crates.io/toml/0.5.8 \ + crate://crates.io/tower-service/0.3.1 \ + crate://crates.io/tracing-attributes/0.1.15 \ + crate://crates.io/tracing-core/0.1.17 \ + crate://crates.io/tracing-futures/0.2.5 \ + crate://crates.io/tracing-log/0.1.2 \ + crate://crates.io/tracing-serde/0.1.2 \ + crate://crates.io/tracing-subscriber/0.2.17 \ + crate://crates.io/tracing/0.1.25 \ + crate://crates.io/try-lock/0.2.3 \ + crate://crates.io/try_from/0.3.2 \ + crate://crates.io/typenum/1.13.0 \ + crate://crates.io/unicase/2.6.0 \ + crate://crates.io/unicode-bidi/0.3.5 \ + crate://crates.io/unicode-normalization/0.1.17 \ + crate://crates.io/unicode-width/0.1.8 \ + crate://crates.io/unicode-xid/0.2.1 \ + crate://crates.io/untrusted/0.7.1 \ + crate://crates.io/unwrap/1.2.1 \ + crate://crates.io/url/1.7.2 \ + crate://crates.io/url/2.2.1 \ + crate://crates.io/urlparse/0.7.3 \ + crate://crates.io/uuid/0.7.4 \ + crate://crates.io/uuid/0.8.2 \ + crate://crates.io/vcpkg/0.2.11 \ + crate://crates.io/vec_map/0.8.2 \ + crate://crates.io/version_check/0.9.3 \ + crate://crates.io/want/0.2.0 \ + crate://crates.io/want/0.3.0 \ + crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1 \ + crate://crates.io/wasi/0.9.0+wasi-snapshot-preview1 \ + crate://crates.io/wasm-bindgen-backend/0.2.73 \ + crate://crates.io/wasm-bindgen-futures/0.4.23 \ + crate://crates.io/wasm-bindgen-macro-support/0.2.73 \ + crate://crates.io/wasm-bindgen-macro/0.2.73 \ + crate://crates.io/wasm-bindgen-shared/0.2.73 \ + crate://crates.io/wasm-bindgen/0.2.73 \ + crate://crates.io/web-sys/0.3.50 \ + crate://crates.io/webpki/0.21.4 \ + crate://crates.io/winapi-build/0.1.1 \ + crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0 \ + crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0 \ + crate://crates.io/winapi/0.2.8 \ + crate://crates.io/winapi/0.3.9 \ + crate://crates.io/winreg/0.6.2 \ + crate://crates.io/winreg/0.7.0 \ + crate://crates.io/ws2_32-sys/0.2.1 \ + crate://crates.io/xml-rs/0.8.3 \ +" diff --git a/meta-security/recipes-security/krill/krill_0.9.1.bb b/meta-security/recipes-security/krill/krill_0.9.1.bb new file mode 100644 index 0000000000..4dc61cfb37 --- /dev/null +++ b/meta-security/recipes-security/krill/krill_0.9.1.bb @@ -0,0 +1,39 @@ +SUMMARY = "Resource Public Key Infrastructure (RPKI) daemon" +HOMEPAGE = "https://www.nlnetlabs.nl/projects/rpki/krill/" +LICENSE = "MPL-2.0" +LIC_FILES_CHKSUM = "file://LICENSE;md5=9741c346eef56131163e13b9db1241b3" + +DEPENDS = "openssl" + +include krill.inc + +# SRC_URI += "crate://crates.io/krill/0.9.1" +SRC_URI += "git://github.com/NLnetLabs/krill.git;protocol=https;nobranch=1;branch=main" +SRCREV = "d6c03b6f0199b1d10d252750a19a92b84576eb30" + +SRC_URI += "file://panic_workaround.patch" + +S = "${WORKDIR}/git" +CARGO_SRC_DIR = "" + +inherit pkgconfig useradd systemd cargo + + +do_install:append () { + install -d ${D}${sysconfdir} + install -d ${D}${datadir}/krill + + install -m 664 ${S}/defaults/krill.conf ${D}${sysconfdir}/. + install ${S}/defaults/* ${D}${datadir}/krill/. +} + +KRILL_UID ?= "krill" +KRILL_GID ?= "krill" + +USERADD_PACKAGES = "${PN}" +GROUPADD_PARAM:${PN} = "--system ${KRILL_UID}" +USERADD_PARAM:${PN} = "--system -g ${KRILL_GID} --home-dir \ + /var/lib/krill/ --no-create-home \ + --shell /sbin/nologin ${BPN}" + +FILES:${PN} += "{sysconfdir}/defaults ${datadir}" -- cgit v1.2.3