Diffstat (limited to 'external/meta-security/recipes-security')
-rw-r--r--external/meta-security/recipes-security/AppArmor/apparmor_2.12.bb159
-rw-r--r--external/meta-security/recipes-security/AppArmor/files/apparmor227
-rw-r--r--external/meta-security/recipes-security/AppArmor/files/apparmor.rc98
-rw-r--r--external/meta-security/recipes-security/AppArmor/files/apparmor.service22
-rw-r--r--external/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch25
-rw-r--r--external/meta-security/recipes-security/AppArmor/files/disable_pdf.patch33
-rw-r--r--external/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch19
-rw-r--r--external/meta-security/recipes-security/AppArmor/files/functions271
-rw-r--r--external/meta-security/recipes-security/AppArmor/files/run-ptest4
-rw-r--r--external/meta-security/recipes-security/bastille/bastille_3.2.1.bb6
-rwxr-xr-xexternal/meta-security/recipes-security/bastille/files/set_required_questions.py4
-rw-r--r--external/meta-security/recipes-security/buck-security/buck-security_0.7.bb63
-rw-r--r--external/meta-security/recipes-security/ccs-tools/README12
-rw-r--r--external/meta-security/recipes-security/ccs-tools/ccs-tools_1.8.4.bb50
-rw-r--r--external/meta-security/recipes-security/checksec/checksec_1.5.bb18
-rw-r--r--external/meta-security/recipes-security/checksec/files/checksec.sh882
-rw-r--r--external/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb20
-rw-r--r--external/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch52
-rw-r--r--external/meta-security/recipes-security/clamav/clamav_0.99.4.bb158
-rw-r--r--external/meta-security/recipes-security/clamav/files/clamav-freshclam.service12
-rw-r--r--external/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample293
-rw-r--r--external/meta-security/recipes-security/clamav/files/clamav.service17
-rw-r--r--external/meta-security/recipes-security/clamav/files/clamd.conf595
-rw-r--r--external/meta-security/recipes-security/clamav/files/freshclam.conf224
-rw-r--r--external/meta-security/recipes-security/clamav/files/volatiles.03_clamav3
-rw-r--r--external/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb5
-rw-r--r--external/meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch32
-rw-r--r--external/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch28
-rw-r--r--external/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch2527
-rwxr-xr-xexternal/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py1
-rw-r--r--external/meta-security/recipes-security/fail2ban/files/initd8
-rw-r--r--external/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb4
-rw-r--r--external/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb4
-rw-r--r--external/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb (renamed from external/meta-security/recipes-security/fail2ban/python-fail2ban.inc)36
-rw-r--r--external/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb (renamed from external/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.05.bb)9
-rw-r--r--external/meta-security/recipes-security/images/security-client-image.bb3
-rw-r--r--external/meta-security/recipes-security/images/security-server-image.bb3
-rw-r--r--external/meta-security/recipes-security/images/security-test-image.bb33
-rw-r--r--external/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch42
-rw-r--r--external/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch41
-rw-r--r--external/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch28
-rwxr-xr-xexternal/meta-security/recipes-security/keyutils/files/run-ptest3
-rw-r--r--external/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb47
-rw-r--r--external/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb (renamed from external/meta-security/recipes-security/libmspack/libmspack_0.5.bb)10
-rw-r--r--external/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb (renamed from external/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb)6
-rw-r--r--external/meta-security/recipes-security/ncrack/ncrack_0.7.bb18
-rw-r--r--external/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch106
-rw-r--r--external/meta-security/recipes-security/nikto/files/location.patch32
-rw-r--r--external/meta-security/recipes-security/nikto/nikto_2.1.5.bb108
-rw-r--r--external/meta-security/recipes-security/nikto/nikto_2.1.6.bb118
-rw-r--r--external/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb28
-rw-r--r--external/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb25
-rwxr-xr-xexternal/meta-security/recipes-security/samhain/files/run-ptest3
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch28
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch134
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-client.default3
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-client.init122
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch108
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-cross-compile.patch51
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch44
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch24
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-pid-path.patch27
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch61
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-samhainrc.patch158
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-server-volatiles1
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-server.default3
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-server.init116
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch22
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-standalone.default3
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain-standalone.init123
-rw-r--r--external/meta-security/recipes-security/samhain/files/samhain.service12
-rw-r--r--external/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb11
-rw-r--r--external/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb20
-rw-r--r--external/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb31
-rw-r--r--external/meta-security/recipes-security/samhain/samhain.inc162
-rw-r--r--[-rwxr-xr-x]external/meta-security/recipes-security/scapy/files/run-ptest2
-rw-r--r--external/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb6
-rw-r--r--external/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb4
-rw-r--r--external/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb (renamed from external/meta-security/recipes-security/scapy/python-scapy.inc)20
-rw-r--r--external/meta-security/recipes-security/smack/files/run-ptest3
-rw-r--r--external/meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch18
-rw-r--r--external/meta-security/recipes-security/smack/smack_1.3.1.bb54
-rw-r--r--external/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch25
-rw-r--r--external/meta-security/recipes-security/sssd/files/volatiles.99_sssd1
-rw-r--r--external/meta-security/recipes-security/sssd/sssd_1.16.3.bb73
-rw-r--r--external/meta-security/recipes-security/sssd/sssd_1.16.4.bb124
-rw-r--r--external/meta-security/recipes-security/suricata/files/emerging.rules.tar.gzbin2252393 -> 0 bytes
-rw-r--r--external/meta-security/recipes-security/suricata/files/no_libhtp_build.patch38
-rw-r--r--external/meta-security/recipes-security/suricata/files/run-ptest3
-rw-r--r--external/meta-security/recipes-security/suricata/files/suricata.service20
-rw-r--r--external/meta-security/recipes-security/suricata/files/suricata.yaml1326
-rw-r--r--external/meta-security/recipes-security/suricata/files/volatiles.03_suricata2
-rw-r--r--external/meta-security/recipes-security/suricata/libhtp_0.5.27.bb15
-rw-r--r--external/meta-security/recipes-security/suricata/suricata.inc9
-rw-r--r--external/meta-security/recipes-security/suricata/suricata_4.0.5.bb96
-rw-r--r--external/meta-security/recipes-security/tripwire/files/add_armeb_arch.patch18
-rw-r--r--external/meta-security/recipes-security/tripwire/files/run-ptest3
-rw-r--r--external/meta-security/recipes-security/tripwire/files/tripwire.cron8
-rw-r--r--external/meta-security/recipes-security/tripwire/files/tripwire.sh9
-rw-r--r--external/meta-security/recipes-security/tripwire/files/tripwire.txt69
-rw-r--r--external/meta-security/recipes-security/tripwire/files/twcfg.txt15
-rw-r--r--external/meta-security/recipes-security/tripwire/files/twinstall.sh320
-rw-r--r--external/meta-security/recipes-security/tripwire/files/twpol-yocto.txt1107
-rw-r--r--external/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb73
-rw-r--r--external/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch67
-rw-r--r--external/meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch26
-rw-r--r--external/meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch40
-rwxr-xr-xexternal/meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest85
-rw-r--r--external/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch30
-rw-r--r--external/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb56
110 files changed, 3016 insertions, 8588 deletions
diff --git a/external/meta-security/recipes-security/AppArmor/apparmor_2.12.bb b/external/meta-security/recipes-security/AppArmor/apparmor_2.12.bb
deleted file mode 100644
index e3f8dc99..00000000
--- a/external/meta-security/recipes-security/AppArmor/apparmor_2.12.bb
+++ /dev/null
@@ -1,159 +0,0 @@
-SUMMARY = "AppArmor another MAC control system"
-DESCRIPTION = "user-space parser utility for AppArmor \
- This provides the system initialization scripts needed to use the \
- AppArmor Mandatory Access Control system, including the AppArmor Parser \
- which is required to convert AppArmor text profiles into machine-readable \
- policies that are loaded into the kernel for use with the AppArmor Linux \
- Security Module."
-HOMEAPAGE = "http://apparmor.net/"
-SECTION = "admin"
-
-LICENSE = "GPLv2 & GPLv2+ & BSD-3-Clause & LGPLv2.1+"
-LIC_FILES_CHKSUM = "file://${S}/LICENSE;md5=fd57a4b0bc782d7b80fd431f10bbf9d0"
-
-DEPENDS = "bison-native apr gettext-native coreutils-native"
-
-SRC_URI = " \
- http://archive.ubuntu.com/ubuntu/pool/main/a/${BPN}/${BPN}_${PV}.orig.tar.gz \
- file://disable_perl_h_check.patch \
- file://crosscompile_perl_bindings.patch \
- file://apparmor.rc \
- file://functions \
- file://apparmor \
- file://apparmor.service \
- file://run-ptest \
- "
-
-SRC_URI[md5sum] = "49054f58042f8e51ea92cc866575a833"
-SRC_URI[sha256sum] = "8a2b0cd083faa4d0640f579024be3a629faa7db3b99540798a1a050e2eaba056"
-
-PARALLEL_MAKE = ""
-
-inherit pkgconfig autotools-brokensep update-rc.d python3native perlnative ptest cpan
-inherit ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
-
-S = "${WORKDIR}/apparmor-${PV}"
-
-PACKAGECONFIG ?="man python perl"
-PACKAGECONFIG[man] = "--enable-man-pages, --disable-man-pages"
-PACKAGECONFIG[python] = "--with-python, --without-python, python3 swig-native"
-PACKAGECONFIG[perl] = "--with-perl, --without-perl, perl perl-native swig-native"
-PACKAGECONFIG[apache2] = ",,apache2,"
-
-PAMLIB="${@bb.utils.contains('DISTRO_FEATURES', 'pam', '1', '0', d)}"
-HTTPD="${@bb.utils.contains('PACKAGECONFIG', 'apache2', '1', '0', d)}"
-
-
-python() {
- if 'apache2' in d.getVar('PACKAGECONFIG').split() and \
- 'webserver' not in d.getVar('BBFILE_COLLECTIONS').split():
- raise bb.parse.SkipRecipe('Requires meta-webserver to be present.')
-}
-
-CONFIGUREOPTS_remove = "--disable-static"
-EXTRA_OECONF_append = " --enable-static"
-
-do_configure() {
- cd ${S}/libraries/libapparmor
- aclocal
- autoconf --force
- libtoolize --automake -c --force
- automake -ac
- ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
- sed -i -e 's#^YACC.*#YACC := bison#' ${S}/parser/Makefile
- sed -i -e 's#^LEX.*#LEX := flex#' ${S}/parser/Makefile
-}
-
-do_compile () {
- oe_runmake -C ${B}/libraries/libapparmor
- oe_runmake -C ${B}/binutils
- oe_runmake -C ${B}/utils
- oe_runmake -C ${B}/parser
- oe_runmake -C ${B}/profiles
-
- if test -z "${HTTPD}" ; then
- oe_runmake -C ${B}/changehat/mod_apparmor
- fi
-
- if test -z "${PAMLIB}" ; then
- oe_runmake -C ${B}/changehat/pam_apparmor
- fi
-}
-
-do_install () {
- install -d ${D}/${INIT_D_DIR}
- install -d ${D}/lib/apparmor
-
- oe_runmake -C ${B}/libraries/libapparmor DESTDIR="${D}" install
- oe_runmake -C ${B}/binutils DESTDIR="${D}" install
- oe_runmake -C ${B}/utils DESTDIR="${D}" install
- oe_runmake -C ${B}/parser DESTDIR="${D}" install
- oe_runmake -C ${B}/profiles DESTDIR="${D}" install
-
- if test -z "${HTTPD}" ; then
- oe_runmake -C ${B}/changehat/mod_apparmor DESTDIR="${D}" install
- fi
-
- if test -z "${PAMLIB}" ; then
- oe_runmake -C ${B}/changehat/pam_apparmor DESTDIR="${D}" install
- fi
-
- # aa-easyprof is installed by python-tools-setup.py, fix it up
- sed -i -e 's:/usr/bin/env.*:/usr/bin/python3:' ${D}${bindir}/aa-easyprof
- chmod 0755 ${D}${bindir}/aa-easyprof
-
- install ${WORKDIR}/apparmor ${D}/${INIT_D_DIR}/apparmor
- install ${WORKDIR}/functions ${D}/lib/apparmor
- if [ "${VIRTUAL-RUNTIME_init_manager}" = "systemd" ]; then
- install -d ${D}${systemd_system_unitdir}
- install ${WORKDIR}/apparmor.service \
- ${D}${systemd_system_unitdir}
- fi
-}
-
-do_compile_ptest () {
- oe_runmake -C ${B}/tests/regression/apparmor
- oe_runmake -C ${B}/parser/tst
- oe_runmake -C ${B}/libraries/libapparmor
-}
-
-do_install_ptest () {
- t=${D}/${PTEST_PATH}/testsuite
- install -d ${t}
- install -d ${t}/tests/regression/apparmor
- cp -rf ${B}/tests/regression/apparmor ${t}/tests/regression
-
- install -d ${t}/parser/tst
- cp -rf ${B}/parser/tst ${t}/parser
- cp ${B}/parser/apparmor_parser ${t}/parser
- cp ${B}/parser/frob_slack_rc ${t}/parser
-
- install -d ${t}/libraries/libapparmor
- cp -rf ${B}/libraries/libapparmor ${t}/libraries
-
- install -d ${t}/common
- cp -rf ${B}/common ${t}
-
- install -d ${t}/binutils
- cp -rf ${B}/binutils ${t}
-}
-
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME = "apparmor"
-INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
-
-SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE_${PN} = "apparmor.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-PACKAGES += "${@bb.utils.contains('PACKAGECONFIG', 'apache2', 'mod-${PN}', '', d)}"
-
-FILES_${PN} += "/lib/apparmor/ ${sysconfdir}/apparmor ${PYTHON_SITEPACKAGES_DIR}"
-FILES_mod-${PN} = "${libdir}/apache2/modules/*"
-
-ALLOW_EMPTY_${PN} = "1"
-
-RDEPENDS_${PN} += "bash lsb"
-RDEPENDS_${PN} += "${@bb.utils.contains('PACKAGECONFIG','python','python3 python3-modules','', d)}"
-RDEPENDS_${PN}_remove += "${@bb.utils.contains('PACKAGECONFIG','perl','','perl', d)}"
-RDEPENDS_${PN}-ptest += "perl coreutils dbus-lib"
diff --git a/external/meta-security/recipes-security/AppArmor/files/apparmor b/external/meta-security/recipes-security/AppArmor/files/apparmor
deleted file mode 100644
index ac3ab9a4..00000000
--- a/external/meta-security/recipes-security/AppArmor/files/apparmor
+++ /dev/null
@@ -1,227 +0,0 @@
-#!/bin/sh
-# ----------------------------------------------------------------------
-# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
-# NOVELL (All rights reserved)
-# Copyright (c) 2008, 2009 Canonical, Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, contact Novell, Inc.
-# ----------------------------------------------------------------------
-# Authors:
-# Steve Beattie <steve.beattie@canonical.com>
-# Kees Cook <kees@ubuntu.com>
-#
-# /etc/init.d/apparmor
-#
-### BEGIN INIT INFO
-# Provides: apparmor
-# Required-Start: $local_fs
-# Required-Stop: umountfs
-# Default-Start: S
-# Default-Stop:
-# Short-Description: AppArmor initialization
-# Description: AppArmor init script. This script loads all AppArmor profiles.
-### END INIT INFO
-
-log_daemon_msg() {
- echo $*
-}
-
-log_end_msg () {
- retval=$1
- if [ $retval -eq 0 ]; then
- echo "."
- else
- echo " failed!"
- fi
- return $retval
-}
-
-. /lib/apparmor/functions
-. /lib/lsb/init-functions
-
-usage() {
- echo "Usage: $0 {start|stop|restart|reload|force-reload|status|recache}"
-}
-
-test -x ${PARSER} || exit 0 # by debian policy
-# LSM is built-in, so it is either there or not enabled for this boot
-test -d /sys/module/apparmor || exit 0
-
-securityfs() {
- # Need securityfs for any mode
- if [ ! -d "${AA_SFS}" ]; then
- if cut -d" " -f2,3 /proc/mounts | grep -q "^${SECURITYFS} securityfs"'$' ; then
- log_daemon_msg "AppArmor not available as kernel LSM."
- log_end_msg 1
- exit 1
- else
- log_daemon_msg "Mounting securityfs on ${SECURITYFS}"
- if ! mount -t securityfs none "${SECURITYFS}"; then
- log_end_msg 1
- exit 1
- fi
- fi
- fi
- if [ ! -w "$AA_SFS"/.load ]; then
- log_daemon_msg "Insufficient privileges to change profiles."
- log_end_msg 1
- exit 1
- fi
-}
-
-handle_system_policy_package_updates() {
- apparmor_was_updated=0
-
- if ! compare_previous_version ; then
- # On snappy flavors, if the current and previous versions are
- # different then clear the system cache. snappy will handle
- # "$PROFILES_CACHE_VAR" itself (on Touch flavors
- # compare_previous_version always returns '0' since snappy
- # isn't available).
- clear_cache_system
- apparmor_was_updated=1
- elif ! compare_and_save_debsums apparmor ; then
- # If the system policy has been updated since the last time we
- # ran, clear the cache to prevent potentially stale binary
- # cache files after an Ubuntu image based upgrade (LP:
- # #1350673). This can be removed once all system image flavors
- # move to snappy (on snappy systems compare_and_save_debsums
- # always returns '0' since /var/lib/dpkg doesn't exist).
- clear_cache
- apparmor_was_updated=1
- fi
-
- if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
- # If packages for system policy that affect click packages have
- # been updated since the last time we ran, run aa-clickhook -f
- force_clickhook=0
- force_profile_hook=0
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums click-apparmor ; then
- force_clickhook=1
- force_profile_hook=1
- fi
- if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-clickhook -f
- fi
- if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-profile-hook -f
- fi
- fi
-}
-
-# Allow "recache" even when running on the liveCD
-if [ "$1" = "recache" ]; then
- log_daemon_msg "Recaching AppArmor profiles"
- recache_profiles
- rc=$?
- log_end_msg "$rc"
- exit $rc
-fi
-
-# do not perform start/stop/reload actions when running from liveCD
-test -d /rofs/etc/apparmor.d && exit 0
-
-rc=255
-case "$1" in
- start)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not starting AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Starting AppArmor profiles"
- securityfs
- # That is only useful for click, snappy and system images,
- # i.e. not in Debian. And it reads and writes to /var, that
- # can be remote-mounted, so it would prevent us from using
- # Before=sysinit.target without possibly introducing dependency
- # loops.
- handle_system_policy_package_updates
- load_configured_profiles
- rc=$?
- log_end_msg "$rc"
- ;;
- stop)
- log_daemon_msg "Clearing AppArmor profiles cache"
- clear_cache
- rc=$?
- log_end_msg "$rc"
- cat >&2 <<EOM
-All profile caches have been cleared, but no profiles have been unloaded.
-Unloading profiles will leave already running processes permanently
-unconfined, which can lead to unexpected situations.
-
-To set a process to complain mode, use the command line tool
-'aa-complain'. To really tear down all profiles, run the init script
-with the 'teardown' option."
-EOM
- ;;
- teardown)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not tearing down AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Unloading AppArmor profiles"
- securityfs
- running_profile_names | while read profile; do
- if ! unload_profile "$profile" ; then
- log_end_msg 1
- exit 1
- fi
- done
- rc=0
- log_end_msg $rc
- ;;
- restart|reload|force-reload)
- if test -x /sbin/systemd-detect-virt && \
- systemd-detect-virt --quiet --container && \
- ! is_container_with_internal_policy; then
- log_daemon_msg "Not reloading AppArmor in container"
- log_end_msg 0
- exit 0
- fi
- log_daemon_msg "Reloading AppArmor profiles"
- securityfs
- clear_cache
- load_configured_profiles
- rc=$?
- unload_obsolete_profiles
-
- log_end_msg "$rc"
- ;;
- status)
- securityfs
- if [ -x /usr/sbin/aa-status ]; then
- aa-status --verbose
- else
- cat "$AA_SFS"/profiles
- fi
- rc=$?
- ;;
- *)
- usage
- rc=1
- ;;
- esac
-exit $rc
diff --git a/external/meta-security/recipes-security/AppArmor/files/apparmor.rc b/external/meta-security/recipes-security/AppArmor/files/apparmor.rc
deleted file mode 100644
index 1507d7b5..00000000
--- a/external/meta-security/recipes-security/AppArmor/files/apparmor.rc
+++ /dev/null
@@ -1,98 +0,0 @@
-description "Pre-cache and pre-load apparmor profiles"
-author "Dimitri John Ledkov <xnox@ubuntu.com> and Jamie Strandboge <jamie@ubuntu.com>"
-
-task
-
-start on starting rc-sysinit
-
-script
- [ -d /rofs/etc/apparmor.d ] && exit 0 # do not load on liveCD
- [ -d /sys/module/apparmor ] || exit 0 # do not load without AppArmor
- [ -x /sbin/apparmor_parser ] || exit 0 # do not load without parser
-
- . /lib/apparmor/functions
-
- systemd-detect-virt --quiet --container && ! is_container_with_internal_policy && exit 0 || true
-
- # Need securityfs for any mode
- if [ ! -d /sys/kernel/security/apparmor ]; then
- if cut -d" " -f2,3 /proc/mounts | grep -q "^/sys/kernel/security securityfs"'$' ; then
- exit 0
- else
- mount -t securityfs none /sys/kernel/security || exit 0
- fi
- fi
-
- [ -w /sys/kernel/security/apparmor/.load ] || exit 0
-
- apparmor_was_updated=0
- if ! compare_previous_version ; then
- # On snappy flavors, if the current and previous versions are
- # different then clear the system cache. snappy will handle
- # "$PROFILES_CACHE_VAR" itself (on Touch flavors
- # compare_previous_version always returns '0' since snappy
- # isn't available).
- clear_cache_system
- apparmor_was_updated=1
- elif ! compare_and_save_debsums apparmor ; then
- # If the system policy has been updated since the last time we
- # ran, clear the cache to prevent potentially stale binary
- # cache files after an Ubuntu image based upgrade (LP:
- # #1350673). This can be removed once all system image flavors
- # move to snappy (on snappy systems compare_and_save_debsums
- # always returns '0' since /var/lib/dpkg doesn't exist).
- clear_cache
- apparmor_was_updated=1
- fi
-
- if [ -x /usr/bin/aa-clickhook ] || [ -x /usr/bin/aa-profile-hook ] ; then
- # If packages for system policy that affect click packages have
- # been updated since the last time we ran, run aa-clickhook -f
- force_clickhook=0
- force_profile_hook=0
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums apparmor-easyprof-ubuntu-snappy ; then
- force_clickhook=1
- fi
- if ! compare_and_save_debsums click-apparmor ; then
- force_clickhook=1
- force_profile_hook=1
- fi
- if [ -x /usr/bin/aa-clickhook ] && ([ $force_clickhook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-clickhook -f
- fi
- if [ -x /usr/bin/aa-profile-hook ] && ([ $force_profile_hook -eq 1 ] || [ $apparmor_was_updated -eq 1 ]) ; then
- aa-profile-hook -f
- fi
- fi
-
- if [ "$ACTION" = "teardown" ]; then
- running_profile_names | while read profile; do
- unload_profile "$profile"
- done
- exit 0
- fi
-
- if [ "$ACTION" = "clear" ]; then
- clear_cache
- exit 0
- fi
-
- if [ "$ACTION" = "reload" ] || [ "$ACTION" = "force-reload" ]; then
- clear_cache
- load_configured_profiles
- unload_obsolete_profiles
- exit 0
- fi
-
- # Note: if apparmor-easyprof-ubuntu md5sums didn't match up above,
- # aa-clickhook will have already compiled the policy, generated the cache
- # files and loaded them into the kernel by this point, so reloading click
- # policy from cache, while fairly fast (<2 seconds for 250 profiles on
- # armhf), is redundant. Fixing this would complicate the logic quite a bit
- # and it wouldn't improve the (by far) common case (ie, when
- # 'aa-clickhook -f' is not run).
- load_configured_profiles
-end script
diff --git a/external/meta-security/recipes-security/AppArmor/files/apparmor.service b/external/meta-security/recipes-security/AppArmor/files/apparmor.service
deleted file mode 100644
index e66afe4e..00000000
--- a/external/meta-security/recipes-security/AppArmor/files/apparmor.service
+++ /dev/null
@@ -1,22 +0,0 @@
-[Unit]
-Description=AppArmor initialization
-After=local-fs.target
-Before=sysinit.target
-AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
-ConditionSecurity=apparmor
-DefaultDependencies=no
-Documentation=man:apparmor(7)
-Documentation=http://wiki.apparmor.net/
-
-# Don't start this unit on the Ubuntu Live CD
-ConditionPathExists=!/rofs/etc/apparmor.d
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/etc/init.d/apparmor start
-ExecStop=/etc/init.d/apparmor stop
-ExecReload=/etc/init.d/apparmor reload
-
-[Install]
-WantedBy=sysinit.target
diff --git a/external/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch b/external/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch
deleted file mode 100644
index ef55de71..00000000
--- a/external/meta-security/recipes-security/AppArmor/files/crosscompile_perl_bindings.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Upstream-Status: Inappropriate [configuration]
-
-As we're cross-compiling here we need to override CC/LD that MakeMaker has
-stuck in the generated Makefile with our cross tools. In this case, linking is
-done via the compiler rather than the linker directly so pass in CC not LD
-here.
-
-Signed-Off-By: Tom Rini <trini@konsulko.com>
-
---- a/libraries/libapparmor/swig/perl/Makefile.am.orig 2017-06-13 19:04:43.296676212 -0400
-+++ b/libraries/libapparmor/swig/perl/Makefile.am 2017-06-13 19:05:03.488676693 -0400
-@@ -16,11 +16,11 @@
-
- LibAppArmor.so: libapparmor_wrap.c Makefile.perl
- if test ! -f libapparmor_wrap.c; then cp $(srcdir)/libapparmor_wrap.c . ; fi
-- $(MAKE) -fMakefile.perl
-+ $(MAKE) -fMakefile.perl CC='$(CC)' LD='$(CC)'
- if test $(top_srcdir) != $(top_builddir) ; then rm -f libapparmor_wrap.c ; fi
-
- install-exec-local: Makefile.perl
-- $(MAKE) -fMakefile.perl install_vendor
-+ $(MAKE) -fMakefile.perl install_vendor CC='$(CC)' LD='$(CC)'
-
- # sadly there is no make uninstall for perl
- #uninstall-local: Makefile.perl
diff --git a/external/meta-security/recipes-security/AppArmor/files/disable_pdf.patch b/external/meta-security/recipes-security/AppArmor/files/disable_pdf.patch
deleted file mode 100644
index c6b4bddc..00000000
--- a/external/meta-security/recipes-security/AppArmor/files/disable_pdf.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-Index: apparmor-2.10.95/parser/Makefile
-===================================================================
---- apparmor-2.10.95.orig/parser/Makefile
-+++ apparmor-2.10.95/parser/Makefile
-@@ -139,17 +139,6 @@ export Q VERBOSE BUILD_OUTPUT
- po/${NAME}.pot: ${SRCS} ${HDRS}
- $(MAKE) -C po ${NAME}.pot NAME=${NAME} SOURCES="${SRCS} ${HDRS}"
-
--techdoc.pdf: techdoc.tex
-- timestamp=$(shell date --utc "+%Y%m%d%H%M%S%z" -r $< );\
-- while pdflatex "\def\fixedpdfdate{$$timestamp}\input $<" ${BUILD_OUTPUT} || exit 1 ; \
-- grep -q "Label(s) may have changed" techdoc.log; \
-- do :; done
--
--techdoc/index.html: techdoc.pdf
-- latex2html -show_section_numbers -split 0 -noinfo -nonavigation -noaddress techdoc.tex ${BUILD_OUTPUT}
--
--techdoc.txt: techdoc/index.html
-- w3m -dump $< > $@
-
- # targets arranged this way so that people who don't want full docs can
- # pick specific targets they want.
-@@ -159,9 +148,7 @@ manpages: $(MANPAGES)
-
- htmlmanpages: $(HTMLMANPAGES)
-
--pdf: techdoc.pdf
--
--docs: manpages htmlmanpages pdf
-+docs: manpages htmlmanpages
-
- indep: docs
- $(Q)$(MAKE) -C po all
diff --git a/external/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch b/external/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch
deleted file mode 100644
index cf2640fc..00000000
--- a/external/meta-security/recipes-security/AppArmor/files/disable_perl_h_check.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Upstream-Status: Inappropriate [configuration]
-
-Remove file check for $perl_includedir/perl.h. AC_CHECK_FILE will fail on
-cross compilation. Rather than try and get a compile check to work here,
-we know that we have what's required via our metadata so remove only this
-check.
-
-Signed-Off-By: Tom Rini <trini@konsulko.com>
-
---- a/libraries/libapparmor/configure.ac.orig 2017-06-13 16:41:38.668471495 -0400
-+++ b/libraries/libapparmor/configure.ac 2017-06-13 16:41:40.708471543 -0400
-@@ -58,7 +58,6 @@
- AC_PATH_PROG(PERL, perl)
- test -z "$PERL" && AC_MSG_ERROR([perl is required when enabling perl bindings])
- perl_includedir="`$PERL -e 'use Config; print $Config{archlib}'`/CORE"
-- AC_CHECK_FILE($perl_includedir/perl.h, enable_perl=yes, enable_perl=no)
- fi
-
-
diff --git a/external/meta-security/recipes-security/AppArmor/files/functions b/external/meta-security/recipes-security/AppArmor/files/functions
deleted file mode 100644
index cef8cfe7..00000000
--- a/external/meta-security/recipes-security/AppArmor/files/functions
+++ /dev/null
@@ -1,271 +0,0 @@
-# /lib/apparmor/functions for Debian -*- shell-script -*-
-# ----------------------------------------------------------------------
-# Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
-# NOVELL (All rights reserved)
-# Copyright (c) 2008-2010 Canonical, Ltd.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of version 2 of the GNU General Public
-# License published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, contact Novell, Inc.
-# ----------------------------------------------------------------------
-# Authors:
-# Kees Cook <kees@ubuntu.com>
-
-PROFILES="/etc/apparmor.d"
-PROFILES_CACHE="$PROFILES/cache"
-PROFILES_VAR="/var/lib/apparmor/profiles"
-PROFILES_SNAPPY="/var/lib/snapd/apparmor/profiles"
-PROFILES_CACHE_VAR="/var/cache/apparmor"
-PARSER="/sbin/apparmor_parser"
-SECURITYFS="/sys/kernel/security"
-export AA_SFS="$SECURITYFS/apparmor"
-
-# Suppress warnings when booting in quiet mode
-quiet_arg=""
-[ "${QUIET:-no}" = yes ] && quiet_arg="-q"
-[ "${quiet:-n}" = y ] && quiet_arg="-q"
-
-foreach_configured_profile() {
- rc_all="0"
- for pdir in "$PROFILES" "$PROFILES_VAR" "$PROFILES_SNAPPY" ; do
- if [ ! -d "$pdir" ]; then
- continue
- fi
- num=`find "$pdir" -type f ! -name '*.md5sums' | wc -l`
- if [ "$num" = "0" ]; then
- continue
- fi
-
- cache_dir="$PROFILES_CACHE"
- if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
- cache_dir="$PROFILES_CACHE_VAR"
- fi
- cache_args="--cache-loc=$cache_dir"
- if [ ! -d "$cache_dir" ]; then
- cache_args=
- fi
-
- # LP: #1383858 - expr tree simplification is too slow for
- # Touch policy on ARM, so disable it for now
- cache_extra_args=
- if [ -d "$PROFILES_CACHE_VAR" ] && [ "$pdir" = "$PROFILES_VAR" ] || [ "$pdir" = "$PROFILES_SNAPPY" ]; then
- cache_extra_args="-O no-expr-simplify"
- fi
-
- # If need to compile everything, then use -n1 with xargs to
- # take advantage of -P. When cache files are in use, omit -n1
- # since it is considerably faster on moderately sized profile
- # sets to give the parser all the profiles to load at once
- n1_args=
- num=`find "$cache_dir" -type f ! -name '.features' | wc -l`
- if [ "$num" = "0" ]; then
- n1_args="-n1"
- fi
-
- (ls -1 "$pdir" | egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
- while read profile; do
- if [ -f "$pdir"/"$profile" ]; then
- echo "$pdir"/"$profile"
- fi
- done) | \
- xargs $n1_args -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
- rc_all="$?"
- # FIXME: when the parser properly handles broken
- # profiles (LP: #1377338), remove this if statement.
- # For now, if the xargs returns with error, just run
- # through everything with -n1. (This could be broken
- # out and refactored, but this is temporary so make it
- # easy to understand and revert)
- if [ "$rc_all" != "0" ]; then
- (ls -1 "$pdir" | \
- egrep -v '(\.dpkg-(new|old|dist|bak)|~)$' | \
- while read profile; do
- if [ -f "$pdir"/"$profile" ]; then
- echo "$pdir"/"$profile"
- fi
- done) | \
- xargs -n1 -d"\n" -P$(getconf _NPROCESSORS_ONLN) "$PARSER" "$@" $cache_args $cache_extra_args -- || {
- rc_all="$?"
- }
- fi
- }
- done
- return $rc_all
-}
-
-load_configured_profiles() {
- clear_cache_if_outdated
- foreach_configured_profile $quiet_arg --write-cache --replace
-}
-
-load_configured_profiles_without_caching() {
- foreach_configured_profile $quiet_arg --replace
-}
-
-recache_profiles() {
- clear_cache
- foreach_configured_profile $quiet_arg --write-cache --skip-kernel-load
-}
-
-configured_profile_names() {
- foreach_configured_profile $quiet_arg -N 2>/dev/null | LC_COLLATE=C sort | grep -v '//'
-}
-
-running_profile_names() {
- # Output a sorted list of loaded profiles, skipping libvirt's
- # dynamically generated files
- cat "$AA_SFS"/profiles | sed -e "s/ (\(enforce\|complain\))$//" | egrep -v '^libvirt-[0-9a-f\-]+$' | LC_COLLATE=C sort | grep -v '//'
-}
-
-unload_profile() {
- echo -n "$1" > "$AA_SFS"/.remove
-}
-
-clear_cache() {
- clear_cache_system
- clear_cache_var
-}
-
-clear_cache_system() {
- find "$PROFILES_CACHE" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
-}
-
-clear_cache_var() {
- find "$PROFILES_CACHE_VAR" -maxdepth 1 -type f -print0 | xargs -0 rm -f --
-}
-
-read_features_dir()
-{
- for f in `ls -AU "$1"` ; do
- if [ -f "$1/$f" ] ; then
- read -r KF < "$1/$f" || true
- echo -n "$f {$KF } "
- elif [ -d "$1/$f" ] ; then
- echo -n "$f {"
- KF=`read_features_dir "$1/$f"` || true
- echo -n "$KF} "
- fi
- done
-}
-
-clear_cache_if_outdated() {
- if [ -r "$PROFILES_CACHE"/.features ]; then
- if [ -d "$AA_SFS"/features ]; then
- KERN_FEATURES=`read_features_dir "$AA_SFS"/features`
- else
- read -r KERN_FEATURES < "$AA_SFS"/features
- fi
- CACHE_FEATURES=`tr '\n' ' ' < "$PROFILES_CACHE"/.features`
- if [ "$KERN_FEATURES" != "$CACHE_FEATURES" ]; then
- clear_cache
- fi
- fi
-}
-
-unload_obsolete_profiles() {
- # Currently we must re-parse all the profiles to get policy names. :(
- aa_configured=$(mktemp -t aa-XXXXXX)
- configured_profile_names > "$aa_configured" || true
- aa_loaded=$(mktemp -t aa-XXXXXX)
- running_profile_names > "$aa_loaded" || true
- LC_COLLATE=C comm -2 -3 "$aa_loaded" "$aa_configured" | while read profile ; do
- unload_profile "$profile"
- done
- rm -f "$aa_configured" "$aa_loaded"
-}
-
-# If the system debsum differs from the saved debsum, the new system debsum is
-# saved and non-zero is returned. Returns 0 if the two debsums matched or if
-# the system debsum file does not exist. This can be removed when system image
-# flavors all move to snappy.
-compare_and_save_debsums() {
- pkg="$1"
-
- if [ -n $pkg ] && [ -d "$PROFILES_VAR" ]; then
- sums="/var/lib/dpkg/info/${pkg}.md5sums"
- # store saved md5sums in /var/lib/apparmor/profiles since
- # /var/cache/apparmor might be cleared by apparmor
- saved_sums="${PROFILES_VAR}/.${pkg}.md5sums"
-
- if [ -f "$sums" ] && \
- ! diff -q "$sums" "$saved_sums" 2>&1 >/dev/null ; then
- cp -f "$sums" "$saved_sums"
- return 1
- fi
- fi
-
- return 0
-}
-
-compare_previous_version() {
- installed="/usr/share/snappy/security-policy-version"
- previous="/var/lib/snappy/security-policy-version"
-
- # When just $previous doesn't exist, assume this is a new system with
- # no cache and don't do anything special.
- if [ -f "$installed" ] && [ -f "$previous" ]; then
- pv=`grep '^apparmor/' "$previous" | cut -d ' ' -f 2`
- iv=`grep '^apparmor/' "$installed" | cut -d ' ' -f 2`
- if [ -n "$iv" ] && [ -n "$pv" ] && [ "$iv" != "$pv" ]; then
- # snappy updates $previous elsewhere, so just return
- return 1
- fi
- fi
-
- return 0
-}
-
-# Checks to see if the current container is capable of having internal AppArmor
-# profiles that should be loaded. Callers of this function should have already
-# verified that they're running inside of a container environment with
-# something like `systemd-detect-virt --container`.
-#
-# The only known container environments capable of supporting internal policy
-# are LXD and LXC environment.
-#
-# Returns 0 if the container environment is capable of having its own internal
-# policy and non-zero otherwise.
-#
-# IMPORTANT: This function will return 0 in the case of a non-LXD/non-LXC
-# system container technology being nested inside of a LXD/LXC container that
-# utilized an AppArmor namespace and profile stacking. The reason 0 will be
-# returned is because .ns_stacked will be "yes" and .ns_name will still match
-# "lx[dc]-*" since the nested system container technology will not have set up
-# a new AppArmor profile namespace. This will result in the nested system
-# container's boot process to experience failed policy loads but the boot
-# process should continue without any loss of functionality. This is an
-# unsupported configuration that cannot be properly handled by this function.
-is_container_with_internal_policy() {
- local ns_stacked_path="${AA_SFS}/.ns_stacked"
- local ns_name_path="${AA_SFS}/.ns_name"
- local ns_stacked
- local ns_name
-
- if ! [ -f "$ns_stacked_path" ] || ! [ -f "$ns_name_path" ]; then
- return 1
- fi
-
- read -r ns_stacked < "$ns_stacked_path"
- if [ "$ns_stacked" != "yes" ]; then
- return 1
- fi
-
- # LXD and LXC set up AppArmor namespaces starting with "lxd-" and
- # "lxc-", respectively. Return non-zero for all other namespace
- # identifiers.
- read -r ns_name < "$ns_name_path"
- if [ "${ns_name#lxd-*}" = "$ns_name" ] && \
- [ "${ns_name#lxc-*}" = "$ns_name" ]; then
- return 1
- fi
-
- return 0
-}
diff --git a/external/meta-security/recipes-security/AppArmor/files/run-ptest b/external/meta-security/recipes-security/AppArmor/files/run-ptest
deleted file mode 100644
index 3b8e427e..00000000
--- a/external/meta-security/recipes-security/AppArmor/files/run-ptest
+++ /dev/null
@@ -1,4 +0,0 @@
-#! /bin/sh
-cd testsuite
-
-make -C tests/regression/apparmor tests
diff --git a/external/meta-security/recipes-security/bastille/bastille_3.2.1.bb b/external/meta-security/recipes-security/bastille/bastille_3.2.1.bb
index 152c03ae..0290cae2 100644
--- a/external/meta-security/recipes-security/bastille/bastille_3.2.1.bb
+++ b/external/meta-security/recipes-security/bastille/bastille_3.2.1.bb
@@ -9,8 +9,6 @@ DEPENDS = "virtual/kernel"
RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils"
FILES_${PN} += "/run/lock/subsys/bastille"
-inherit module-base
-
SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \
file://AccountPermission.pm \
file://FileContent.pm \
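Review bot: The `DEPENDS = "virtual/kernel"` still visible in this hunk's header line looks like a leftover of the same kernel-module plumbing that `inherit module-base` provided; nothing remaining in the hunk references kernel headers or any KERNEL_* variable, and Bastille's RDEPENDS are pure Perl/Tcl/coreutils. Keeping the dependency pulls a full kernel build into this package's dependency graph and ties its rebuild behaviour to the kernel recipe for no visible reason. If nothing outside the hunk uses the kernel, drop the line entirely (or set `DEPENDS = ""`). The rest of the recipe is outside this hunk, so confirm before removing.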
@@ -41,8 +39,7 @@ S = "${WORKDIR}/Bastille"
do_install () {
install -d ${D}${sbindir}
- install -d ${D}${libdir}/perl/site_perl/Curses
- ln -sf perl ${D}/${libdir}/perl5
+ install -d ${D}${libdir}/perl5/site_perl/Curses
install -d ${D}${libdir}/Bastille
install -d ${D}${libdir}/Bastille/API
@@ -51,7 +48,6 @@ do_install () {
install -d ${D}${datadir}/Bastille/OSMap/Modules
install -d ${D}${datadir}/Bastille/Questions
install -d ${D}${datadir}/Bastille/FKL/configs/
- install -d ${D}${localstatedir}/lock/subsys/bastille
install -d ${D}${localstatedir}/log/Bastille
install -d ${D}${sysconfdir}/Bastille
install -m 0755 AutomatedBastille ${D}${sbindir}
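Review bot: With `install -d ${D}${localstatedir}/lock/subsys/bastille` removed, the `FILES_${PN} += "/run/lock/subsys/bastille"` line that survives in this file's first hunk is now orphaned: nothing in do_install creates that path, so the FILES entry matches nothing. Since /run is a volatile tmpfs on the target, an install-time `install -d` never survived the first boot anyway; if Bastille really writes its lock under /run/lock/subsys (inferred from the FILES entry, not visible here), the directory should be declared through `/etc/default/volatiles` or a `tmpfiles.d` snippet so it is recreated at boot with root-only permissions, and otherwise the stale FILES line should be dropped. do_install continues past the end of this hunk.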
diff --git a/external/meta-security/recipes-security/bastille/files/set_required_questions.py b/external/meta-security/recipes-security/bastille/files/set_required_questions.py
index 4a28358c..f306109d 100755
--- a/external/meta-security/recipes-security/bastille/files/set_required_questions.py
+++ b/external/meta-security/recipes-security/bastille/files/set_required_questions.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
#Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
@@ -83,7 +83,7 @@ def xform_file(qfile, distro, qlabel):
@param name qlabel The question label for which the distro is to be added.
"""
questions_in = open(qfile)
- questions_out = tempfile.NamedTemporaryFile(delete=False)
+ questions_out = tempfile.NamedTemporaryFile(mode="w+", delete=False)
for l in add_requires(qlabel, distro, questions_in):
questions_out.write(l)
questions_out.close()
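Review bot: `tempfile.NamedTemporaryFile(mode="w+", delete=False)` on the added line still uses the locale default encoding, as does `open(qfile)` two lines above, so the rewritten question file depends on the build host's locale; with the Python 3 switch both should pin it: `questions_in = open(qfile, encoding="utf-8")` and `tempfile.NamedTemporaryFile(mode="w+", encoding="utf-8", delete=False)`. The temp file is also created in the default temp directory (mode 0600 per the stdlib), so if the rest of xform_file, which continues outside the hunk, moves it over qfile, that is a cross-filesystem copy rather than an atomic rename and the original file's permissions are not preserved — consider `dir=os.path.dirname(qfile)` and restoring the mode, or confirm the caller handles it. `questions_in` is never closed in the visible lines; a `with` block would cover both handles.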
diff --git a/external/meta-security/recipes-security/buck-security/buck-security_0.7.bb b/external/meta-security/recipes-security/buck-security/buck-security_0.7.bb
deleted file mode 100644
index 3733c88b..00000000
--- a/external/meta-security/recipes-security/buck-security/buck-security_0.7.bb
+++ /dev/null
@@ -1,63 +0,0 @@
-SUMMARY = "Linux security scanner"
-DESCRIPTION = "Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux \
-system. This enables you to quickly overview the security status of your Linux system."
-SECTION = "security"
-LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
-RDEPENDS_${PN} = "coreutils \
- gnupg \
- net-tools \
- perl \
- perl-module-data-dumper \
- perl-module-file-basename \
- perl-module-file-spec \
- perl-module-getopt-long \
- perl-module-lib \
- perl-module-posix \
- perl-module-term-ansicolor \
- perl-module-time-localtime \
- pinentry \
- "
-
-RDEPENDS_${PN}_class-native = "coreutils \
- net-tools \
- perl \
- perl-module-data-dumper \
- perl-module-file-basename \
- perl-module-file-spec \
- perl-module-getopt-long \
- perl-module-lib \
- perl-module-posix \
- perl-module-term-ansicolor \
- perl-module-time-localtime \
- "
-
-SRC_URI = "http://sourceforge.net/projects/buck-security/files/buck-security/buck-security_${PV}/${BPN}_${PV}.tar.gz"
-
-SRC_URI[md5sum] = "611a3e9bb7ed8a8270aa15216c321c53"
-SRC_URI[sha256sum] = "c533c6631ec3554dd8d39d2d1c3ed44badbbf50810ebb75469c74639fa294b01"
-
-S = "${WORKDIR}/${BPN}_${PV}"
-
-do_configure() {
- :
-}
-
-do_compile() {
- :
-}
-
-do_install() {
- install -d ${D}${bindir}/buck
- cp -r ${S}/* ${D}${bindir}/buck
- cp -r ${S}/buck-security ${D}${bindir}
- sed -i 's!use lib "checks"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/checks")!' ${D}${bindir}/buck-security
- sed -i 's!use lib "checks/lib"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/checks/lib")!' ${D}${bindir}/buck-security
- sed -i 's!use lib "lib"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/lib")!' ${D}${bindir}/buck-security
- sed -i 's!my $buck_root = "."!my $buck_root = File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck")!' ${D}${bindir}/buck-security
-
-}
-
-FILES_${PN} = "${bindir}/*"
-
-BBCLASSEXTEND = "native"
diff --git a/external/meta-security/recipes-security/ccs-tools/README b/external/meta-security/recipes-security/ccs-tools/README
deleted file mode 100644
index 4a4faa71..00000000
--- a/external/meta-security/recipes-security/ccs-tools/README
+++ /dev/null
@@ -1,12 +0,0 @@
-Documentation:
-http://tomoyo.sourceforge.jp/1.8/index.html.en
-
-
-To start via command line add:
-
-" security=tomoyo TOMOYO_trigger=/usr/lib/systemd/systemd"
-
-To initialize:
-/usr/lib/ccs/init_policy
-
-DISTRO_FEATURES_append = " tomoyo"
diff --git a/external/meta-security/recipes-security/ccs-tools/ccs-tools_1.8.4.bb b/external/meta-security/recipes-security/ccs-tools/ccs-tools_1.8.4.bb
deleted file mode 100644
index 189504a5..00000000
--- a/external/meta-security/recipes-security/ccs-tools/ccs-tools_1.8.4.bb
+++ /dev/null
@@ -1,50 +0,0 @@
-SUMMARY = "Tomoyo"
-DESCRIPTION = "TOMOYO Linux is a Mandatory Access Control (MAC) implementation for Linux that can be used to increase the security of a system, while also being useful purely as a system analysis tool. \nTo start via command line add: \nsecurity=tomoyo TOMOYO_trigger=/usr/lib/systemd/systemd \nTo initialize: \n/usr/lib/ccs/init_policy"
-
-SECTION = "security"
-LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING.ccs;md5=751419260aa954499f7abaabaa882bbe"
-
-DEPENDS = "ncurses"
-
-DS = "20150505"
-SRC_URI = "http://osdn.dl.sourceforge.jp/tomoyo/49693/${BPN}-${PV}-${DS}.tar.gz"
-
-SRC_URI[md5sum] = "eeee8eb96a7680bfa9c8f6de55502c44"
-SRC_URI[sha256sum] = "c358b80a2ea77a9dda79dc2a056dae3acaf3a72fcb8481cfb1cd1f16746324b4"
-
-S = "${WORKDIR}/${PN}"
-
-inherit distro_features_check
-
-do_make(){
- oe_runmake USRLIBDIR=${libdir} all
- cd ${S}/kernel_test
- oe_runmake all
-}
-
-do_install(){
- oe_runmake INSTALLDIR=${D} USRLIBDIR=${libdir} install
-}
-
-PACKAGE="${PN} ${PN}-dbg ${PN}-doc"
-
-FILES_${PN} = "\
- ${sbindir}/* \
- ${base_sbindir}/* \
- ${libdir}/* \
-"
-
-FILES_${PN}-doc = "\
- ${mandir}/man8/* \
-"
-
-FILES_${PN}-dbg = "\
- ${base_sbindir}/.debug/* \
- ${sbindir}/.debug/* \
- ${libdir}/.debug/* \
- ${libdir}/ccs/.debug/* \
- /usr/src/debug/* \
-"
-
-REQUIRED_DISTRO_FEATURES ?=" tomoyo"
diff --git a/external/meta-security/recipes-security/checksec/checksec_1.5.bb b/external/meta-security/recipes-security/checksec/checksec_1.5.bb
deleted file mode 100644
index 07f0f7c7..00000000
--- a/external/meta-security/recipes-security/checksec/checksec_1.5.bb
+++ /dev/null
@@ -1,18 +0,0 @@
-SUMMARY = "Program radominization"
-DESCRIPTION = "The checksec.sh script is designed to test what standard Linux OS and PaX security features are being used."
-SECTION = "security"
-LICENSE = "BSD"
-HOMEPAGE="http://www.trapkit.de/tools/checksec.html"
-
-LIC_FILES_CHKSUM = "file://checksec.sh;md5=075996be339ab16ad7b94d6de3ee07bd"
-
-SRC_URI = "file://checksec.sh"
-
-S = "${WORKDIR}"
-
-do_install() {
- install -d ${D}${bindir}
- install -m 0755 ${WORKDIR}/checksec.sh ${D}${bindir}
-}
-
-RDEPENDS_${PN} = "bash"
diff --git a/external/meta-security/recipes-security/checksec/files/checksec.sh b/external/meta-security/recipes-security/checksec/files/checksec.sh
deleted file mode 100644
index dd1f72e5..00000000
--- a/external/meta-security/recipes-security/checksec/files/checksec.sh
+++ /dev/null
@@ -1,882 +0,0 @@
-#!/bin/bash
-#
-# The BSD License (http://www.opensource.org/licenses/bsd-license.php)
-# specifies the terms and conditions of use for checksec.sh:
-#
-# Copyright (c) 2009-2011, Tobias Klein.
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in
-# the documentation and/or other materials provided with the
-# distribution.
-# * Neither the name of Tobias Klein nor the name of trapkit.de may be
-# used to endorse or promote products derived from this software
-# without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
-# OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
-# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
-# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
-# DAMAGE.
-#
-# Name : checksec.sh
-# Version : 1.5
-# Author : Tobias Klein
-# Date : November 2011
-# Download: http://www.trapkit.de/tools/checksec.html
-# Changes : http://www.trapkit.de/tools/checksec_changes.txt
-#
-# Description:
-#
-# Modern Linux distributions offer some mitigation techniques to make it
-# harder to exploit software vulnerabilities reliably. Mitigations such
-# as RELRO, NoExecute (NX), Stack Canaries, Address Space Layout
-# Randomization (ASLR) and Position Independent Executables (PIE) have
-# made reliably exploiting any vulnerabilities that do exist far more
-# challenging. The checksec.sh script is designed to test what *standard*
-# Linux OS and PaX (http://pax.grsecurity.net/) security features are being
-# used.
-#
-# As of version 1.3 the script also lists the status of various Linux kernel
-# protection mechanisms.
-#
-# Credits:
-#
-# Thanks to Brad Spengler (grsecurity.net) for the PaX support.
-# Thanks to Jon Oberheide (jon.oberheide.org) for the kernel support.
-# Thanks to Ollie Whitehouse (Research In Motion) for rpath/runpath support.
-#
-# Others that contributed to checksec.sh (in no particular order):
-#
-# Simon Ruderich, Denis Scherbakov, Stefan Kuttler, Radoslaw Madej,
-# Anthony G. Basile, Martin Vaeth and Brian Davis.
-#
-
-# global vars
-have_readelf=1
-verbose=false
-
-# FORTIFY_SOURCE vars
-FS_end=_chk
-FS_cnt_total=0
-FS_cnt_checked=0
-FS_cnt_unchecked=0
-FS_chk_func_libc=0
-FS_functions=0
-FS_libc=0
-
-# version information
-version() {
- echo "checksec v1.5, Tobias Klein, www.trapkit.de, November 2011"
- echo
-}
-
-# help
-help() {
- echo "Usage: checksec [OPTION]"
- echo
- echo "Options:"
- echo
- echo " --file <executable-file>"
- echo " --dir <directory> [-v]"
- echo " --proc <process name>"
- echo " --proc-all"
- echo " --proc-libs <process ID>"
- echo " --kernel"
- echo " --fortify-file <executable-file>"
- echo " --fortify-proc <process ID>"
- echo " --version"
- echo " --help"
- echo
- echo "For more information, see:"
- echo " http://www.trapkit.de/tools/checksec.html"
- echo
-}
-
-# check if command exists
-command_exists () {
- type $1 > /dev/null 2>&1;
-}
-
-# check if directory exists
-dir_exists () {
- if [ -d $1 ] ; then
- return 0
- else
- return 1
- fi
-}
-
-# check user privileges
-root_privs () {
- if [ $(/usr/bin/id -u) -eq 0 ] ; then
- return 0
- else
- return 1
- fi
-}
-
-# check if input is numeric
-isNumeric () {
- echo "$@" | grep -q -v "[^0-9]"
-}
-
-# check if input is a string
-isString () {
- echo "$@" | grep -q -v "[^A-Za-z]"
-}
-
-# check file(s)
-filecheck() {
- # check for RELRO support
- if readelf -l $1 2>/dev/null | grep -q 'GNU_RELRO'; then
- if readelf -d $1 2>/dev/null | grep -q 'BIND_NOW'; then
- echo -n -e '\033[32mFull RELRO \033[m '
- else
- echo -n -e '\033[33mPartial RELRO\033[m '
- fi
- else
- echo -n -e '\033[31mNo RELRO \033[m '
- fi
-
- # check for stack canary support
- if readelf -s $1 2>/dev/null | grep -q '__stack_chk_fail'; then
- echo -n -e '\033[32mCanary found \033[m '
- else
- echo -n -e '\033[31mNo canary found\033[m '
- fi
-
- # check for NX support
- if readelf -W -l $1 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
- echo -n -e '\033[31mNX disabled\033[m '
- else
- echo -n -e '\033[32mNX enabled \033[m '
- fi
-
- # check for PIE support
- if readelf -h $1 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then
- echo -n -e '\033[31mNo PIE \033[m '
- elif readelf -h $1 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
- if readelf -d $1 2>/dev/null | grep -q '(DEBUG)'; then
- echo -n -e '\033[32mPIE enabled \033[m '
- else
- echo -n -e '\033[33mDSO \033[m '
- fi
- else
- echo -n -e '\033[33mNot an ELF file\033[m '
- fi
-
- # check for rpath / run path
- if readelf -d $1 2>/dev/null | grep -q 'rpath'; then
- echo -n -e '\033[31mRPATH \033[m '
- else
- echo -n -e '\033[32mNo RPATH \033[m '
- fi
-
- if readelf -d $1 2>/dev/null | grep -q 'runpath'; then
- echo -n -e '\033[31mRUNPATH \033[m '
- else
- echo -n -e '\033[32mNo RUNPATH \033[m '
- fi
-}
-
-# check process(es)
-proccheck() {
- # check for RELRO support
- if readelf -l $1/exe 2>/dev/null | grep -q 'Program Headers'; then
- if readelf -l $1/exe 2>/dev/null | grep -q 'GNU_RELRO'; then
- if readelf -d $1/exe 2>/dev/null | grep -q 'BIND_NOW'; then
- echo -n -e '\033[32mFull RELRO \033[m '
- else
- echo -n -e '\033[33mPartial RELRO \033[m '
- fi
- else
- echo -n -e '\033[31mNo RELRO \033[m '
- fi
- else
- echo -n -e '\033[31mPermission denied (please run as root)\033[m\n'
- exit 1
- fi
-
- # check for stack canary support
- if readelf -s $1/exe 2>/dev/null | grep -q 'Symbol table'; then
- if readelf -s $1/exe 2>/dev/null | grep -q '__stack_chk_fail'; then
- echo -n -e '\033[32mCanary found \033[m '
- else
- echo -n -e '\033[31mNo canary found \033[m '
- fi
- else
- if [ "$1" != "1" ] ; then
- echo -n -e '\033[33mPermission denied \033[m '
- else
- echo -n -e '\033[33mNo symbol table found\033[m '
- fi
- fi
-
- # first check for PaX support
- if cat $1/status 2> /dev/null | grep -q 'PaX:'; then
- pageexec=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b6) )
- segmexec=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b10) )
- mprotect=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b8) )
- randmmap=( $(cat $1/status 2> /dev/null | grep 'PaX:' | cut -b9) )
- if [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "M" && "$randmmap" = "R" ]] ; then
- echo -n -e '\033[32mPaX enabled\033[m '
- elif [[ "$pageexec" = "p" && "$segmexec" = "s" && "$randmmap" = "R" ]] ; then
- echo -n -e '\033[33mPaX ASLR only\033[m '
- elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "m" && "$randmmap" = "R" ]] ; then
- echo -n -e '\033[33mPaX mprot off \033[m'
- elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "M" && "$randmmap" = "r" ]] ; then
- echo -n -e '\033[33mPaX ASLR off\033[m '
- elif [[ "$pageexec" = "P" || "$segmexec" = "S" ]] && [[ "$mprotect" = "m" && "$randmmap" = "r" ]] ; then
- echo -n -e '\033[33mPaX NX only\033[m '
- else
- echo -n -e '\033[31mPaX disabled\033[m '
- fi
- # fallback check for NX support
- elif readelf -W -l $1/exe 2>/dev/null | grep 'GNU_STACK' | grep -q 'RWE'; then
- echo -n -e '\033[31mNX disabled\033[m '
- else
- echo -n -e '\033[32mNX enabled \033[m '
- fi
-
- # check for PIE support
- if readelf -h $1/exe 2>/dev/null | grep -q 'Type:[[:space:]]*EXEC'; then
- echo -n -e '\033[31mNo PIE \033[m '
- elif readelf -h $1/exe 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
- if readelf -d $1/exe 2>/dev/null | grep -q '(DEBUG)'; then
- echo -n -e '\033[32mPIE enabled \033[m '
- else
- echo -n -e '\033[33mDynamic Shared Object\033[m '
- fi
- else
- echo -n -e '\033[33mNot an ELF file \033[m '
- fi
-}
-
-# check mapped libraries
-libcheck() {
- libs=( $(awk '{ print $6 }' /proc/$1/maps | grep '/' | sort -u | xargs file | grep ELF | awk '{ print $1 }' | sed 's/:/ /') )
-
- printf "\n* Loaded libraries (file information, # of mapped files: ${#libs[@]}):\n\n"
-
- for element in $(seq 0 $((${#libs[@]} - 1)))
- do
- echo " ${libs[$element]}:"
- echo -n " "
- filecheck ${libs[$element]}
- printf "\n\n"
- done
-}
-
-# check for system-wide ASLR support
-aslrcheck() {
- # PaX ASLR support
- if !(cat /proc/1/status 2> /dev/null | grep -q 'Name:') ; then
- echo -n -e ':\033[33m insufficient privileges for PaX ASLR checks\033[m\n'
- echo -n -e ' Fallback to standard Linux ASLR check'
- fi
-
- if cat /proc/1/status 2> /dev/null | grep -q 'PaX:'; then
- printf ": "
- if cat /proc/1/status 2> /dev/null | grep 'PaX:' | grep -q 'R'; then
- echo -n -e '\033[32mPaX ASLR enabled\033[m\n\n'
- else
- echo -n -e '\033[31mPaX ASLR disabled\033[m\n\n'
- fi
- else
- # standard Linux 'kernel.randomize_va_space' ASLR support
- # (see the kernel file 'Documentation/sysctl/kernel.txt' for a detailed description)
- printf " (kernel.randomize_va_space): "
- if /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 1'; then
- echo -n -e '\033[33mOn (Setting: 1)\033[m\n\n'
- printf " Description - Make the addresses of mmap base, stack and VDSO page randomized.\n"
- printf " This, among other things, implies that shared libraries will be loaded to \n"
- printf " random addresses. Also for PIE-linked binaries, the location of code start\n"
- printf " is randomized. Heap addresses are *not* randomized.\n\n"
- elif /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 2'; then
- echo -n -e '\033[32mOn (Setting: 2)\033[m\n\n'
- printf " Description - Make the addresses of mmap base, heap, stack and VDSO page randomized.\n"
- printf " This, among other things, implies that shared libraries will be loaded to random \n"
- printf " addresses. Also for PIE-linked binaries, the location of code start is randomized.\n\n"
- elif /sbin/sysctl -a 2>/dev/null | grep -q 'kernel.randomize_va_space = 0'; then
- echo -n -e '\033[31mOff (Setting: 0)\033[m\n'
- else
- echo -n -e '\033[31mNot supported\033[m\n'
- fi
- printf " See the kernel file 'Documentation/sysctl/kernel.txt' for more details.\n\n"
- fi
-}
-
-# check cpu nx flag
-nxcheck() {
- if grep -q nx /proc/cpuinfo; then
- echo -n -e '\033[32mYes\033[m\n\n'
- else
- echo -n -e '\033[31mNo\033[m\n\n'
- fi
-}
-
-# check for kernel protection mechanisms
-kernelcheck() {
- printf " Description - List the status of kernel protection mechanisms. Rather than\n"
- printf " inspect kernel mechanisms that may aid in the prevention of exploitation of\n"
- printf " userspace processes, this option lists the status of kernel configuration\n"
- printf " options that harden the kernel itself against attack.\n\n"
- printf " Kernel config: "
-
- if [ -f /proc/config.gz ] ; then
- kconfig="zcat /proc/config.gz"
- printf "\033[32m/proc/config.gz\033[m\n\n"
- elif [ -f /boot/config-`uname -r` ] ; then
- kconfig="cat /boot/config-`uname -r`"
- printf "\033[33m/boot/config-`uname -r`\033[m\n\n"
- printf " Warning: The config on disk may not represent running kernel config!\n\n";
- elif [ -f "${KBUILD_OUTPUT:-/usr/src/linux}"/.config ] ; then
- kconfig="cat ${KBUILD_OUTPUT:-/usr/src/linux}/.config"
- printf "\033[33m%s\033[m\n\n" "${KBUILD_OUTPUT:-/usr/src/linux}/.config"
- printf " Warning: The config on disk may not represent running kernel config!\n\n";
- else
- printf "\033[31mNOT FOUND\033[m\n\n"
- exit 0
- fi
-
- printf " GCC stack protector support: "
- if $kconfig | grep -qi 'CONFIG_CC_STACKPROTECTOR=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Strict user copy checks: "
- if $kconfig | grep -qi 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Enforce read-only kernel data: "
- if $kconfig | grep -qi 'CONFIG_DEBUG_RODATA=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
- printf " Restrict /dev/mem access: "
- if $kconfig | grep -qi 'CONFIG_STRICT_DEVMEM=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Restrict /dev/kmem access: "
- if $kconfig | grep -qi 'CONFIG_DEVKMEM=y'; then
- printf "\033[31mDisabled\033[m\n"
- else
- printf "\033[32mEnabled\033[m\n"
- fi
-
- printf "\n"
- printf "* grsecurity / PaX: "
-
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC=y'; then
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_HIGH=y'; then
- printf "\033[32mHigh GRKERNSEC\033[m\n\n"
- elif $kconfig | grep -qi 'CONFIG_GRKERNSEC_MEDIUM=y'; then
- printf "\033[33mMedium GRKERNSEC\033[m\n\n"
- elif $kconfig | grep -qi 'CONFIG_GRKERNSEC_LOW=y'; then
- printf "\033[31mLow GRKERNSEC\033[m\n\n"
- else
- printf "\033[33mCustom GRKERNSEC\033[m\n\n"
- fi
-
- printf " Non-executable kernel pages: "
- if $kconfig | grep -qi 'CONFIG_PAX_KERNEXEC=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Prevent userspace pointer deref: "
- if $kconfig | grep -qi 'CONFIG_PAX_MEMORY_UDEREF=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Prevent kobject refcount overflow: "
- if $kconfig | grep -qi 'CONFIG_PAX_REFCOUNT=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Bounds check heap object copies: "
- if $kconfig | grep -qi 'CONFIG_PAX_USERCOPY=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Disable writing to kmem/mem/port: "
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_KMEM=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Disable privileged I/O: "
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_IO=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Harden module auto-loading: "
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_MODHARDEN=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
-
- printf " Hide kernel symbols: "
- if $kconfig | grep -qi 'CONFIG_GRKERNSEC_HIDESYM=y'; then
- printf "\033[32mEnabled\033[m\n"
- else
- printf "\033[31mDisabled\033[m\n"
- fi
- else
- printf "\033[31mNo GRKERNSEC\033[m\n\n"
- printf " The grsecurity / PaX patchset is available here:\n"
- printf " http://grsecurity.net/\n"
- fi
-
- printf "\n"
- printf "* Kernel Heap Hardening: "
-
- if $kconfig | grep -qi 'CONFIG_KERNHEAP=y'; then
- if $kconfig | grep -qi 'CONFIG_KERNHEAP_FULLPOISON=y'; then
- printf "\033[32mFull KERNHEAP\033[m\n\n"
- else
- printf "\033[33mPartial KERNHEAP\033[m\n\n"
- fi
- else
- printf "\033[31mNo KERNHEAP\033[m\n\n"
- printf " The KERNHEAP hardening patchset is available here:\n"
- printf " https://www.subreption.com/kernheap/\n\n"
- fi
-}
-
-# --- FORTIFY_SOURCE subfunctions (start) ---
-
-# is FORTIFY_SOURCE supported by libc?
-FS_libc_check() {
- printf "* FORTIFY_SOURCE support available (libc) : "
-
- if [ "${#FS_chk_func_libc[@]}" != "0" ] ; then
- printf "\033[32mYes\033[m\n"
- else
- printf "\033[31mNo\033[m\n"
- exit 1
- fi
-}
-
-# was the binary compiled with FORTIFY_SOURCE?
-FS_binary_check() {
- printf "* Binary compiled with FORTIFY_SOURCE support: "
-
- for FS_elem_functions in $(seq 0 $((${#FS_functions[@]} - 1)))
- do
- if [[ ${FS_functions[$FS_elem_functions]} =~ _chk ]] ; then
- printf "\033[32mYes\033[m\n"
- return
- fi
- done
- printf "\033[31mNo\033[m\n"
- exit 1
-}
-
-FS_comparison() {
- echo
- printf " ------ EXECUTABLE-FILE ------- . -------- LIBC --------\n"
- printf " FORTIFY-able library functions | Checked function names\n"
- printf " -------------------------------------------------------\n"
-
- for FS_elem_libc in $(seq 0 $((${#FS_chk_func_libc[@]} - 1)))
- do
- for FS_elem_functions in $(seq 0 $((${#FS_functions[@]} - 1)))
- do
- FS_tmp_func=${FS_functions[$FS_elem_functions]}
- FS_tmp_libc=${FS_chk_func_libc[$FS_elem_libc]}
-
- if [[ $FS_tmp_func =~ ^$FS_tmp_libc$ ]] ; then
- printf " \033[31m%-30s\033[m | __%s%s\n" $FS_tmp_func $FS_tmp_libc $FS_end
- let FS_cnt_total++
- let FS_cnt_unchecked++
- elif [[ $FS_tmp_func =~ ^$FS_tmp_libc(_chk) ]] ; then
- printf " \033[32m%-30s\033[m | __%s%s\n" $FS_tmp_func $FS_tmp_libc $FS_end
- let FS_cnt_total++
- let FS_cnt_checked++
- fi
-
- done
- done
-}
-
-FS_summary() {
- echo
- printf "SUMMARY:\n\n"
- printf "* Number of checked functions in libc : ${#FS_chk_func_libc[@]}\n"
- printf "* Total number of library functions in the executable: ${#FS_functions[@]}\n"
- printf "* Number of FORTIFY-able functions in the executable : %s\n" $FS_cnt_total
- printf "* Number of checked functions in the executable : \033[32m%s\033[m\n" $FS_cnt_checked
- printf "* Number of unchecked functions in the executable : \033[31m%s\033[m\n" $FS_cnt_unchecked
- echo
-}
-
-# --- FORTIFY_SOURCE subfunctions (end) ---
-
-if !(command_exists readelf) ; then
- printf "\033[31mWarning: 'readelf' not found! It's required for most checks.\033[m\n\n"
- have_readelf=0
-fi
-
-# parse command-line arguments
-case "$1" in
-
- --version)
- version
- exit 0
- ;;
-
- --help)
- help
- exit 0
- ;;
-
- --dir)
- if [ "$3" = "-v" ] ; then
- verbose=true
- fi
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid directory.\033[m\n\n"
- exit 1
- fi
- # remove trailing slashes
- tempdir=`echo $2 | sed -e "s/\/*$//"`
- if [ ! -d $tempdir ] ; then
- printf "\033[31mError: The directory '$tempdir' does not exist.\033[m\n\n"
- exit 1
- fi
- cd $tempdir
- printf "RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\n"
- for N in [A-Za-z]*; do
- if [ "$N" != "[A-Za-z]*" ]; then
- # read permissions?
- if [ ! -r $N ]; then
- printf "\033[31mError: No read permissions for '$tempdir/$N' (run as root).\033[m\n"
- else
- # ELF executable?
- out=`file $N`
- if [[ ! $out =~ ELF ]] ; then
- if [ "$verbose" = "true" ] ; then
- printf "\033[34m*** Not an ELF file: $tempdir/"
- file $N
- printf "\033[m"
- fi
- else
- filecheck $N
- if [ `find $tempdir/$N \( -perm -004000 -o -perm -002000 \) -type f -print` ]; then
- printf "\033[37;41m%s%s\033[m" $2 $N
- else
- printf "%s%s" $tempdir/ $N
- fi
- echo
- fi
- fi
- fi
- done
- exit 0
- ;;
-
- --file)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid file.\033[m\n\n"
- exit 1
- fi
- # does the file exist?
- if [ ! -e $2 ] ; then
- printf "\033[31mError: The file '$2' does not exist.\033[m\n\n"
- exit 1
- fi
- # read permissions?
- if [ ! -r $2 ] ; then
- printf "\033[31mError: No read permissions for '$2' (run as root).\033[m\n\n"
- exit 1
- fi
- # ELF executable?
- out=`file $2`
- if [[ ! $out =~ ELF ]] ; then
- printf "\033[31mError: Not an ELF file: "
- file $2
- printf "\033[m\n"
- exit 1
- fi
- printf "RELRO STACK CANARY NX PIE RPATH RUNPATH FILE\n"
- filecheck $2
- if [ `find $2 \( -perm -004000 -o -perm -002000 \) -type f -print` ] ; then
- printf "\033[37;41m%s%s\033[m" $2 $N
- else
- printf "%s" $2
- fi
- echo
- exit 0
- ;;
-
- --proc-all)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- cd /proc
- printf "* System-wide ASLR"
- aslrcheck
- printf "* Does the CPU support NX: "
- nxcheck
- printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
- for N in [1-9]*; do
- if [ $N != $$ ] && readlink -q $N/exe > /dev/null; then
- printf "%16s" `head -1 $N/status | cut -b 7-`
- printf "%7d " $N
- proccheck $N
- echo
- fi
- done
- if [ ! -e /usr/bin/id ] ; then
- printf "\n\033[33mNote: If you are running 'checksec.sh' as an unprivileged user, you\n"
- printf " will not see all processes. Please run the script as root.\033[m\n\n"
- else
- if !(root_privs) ; then
- printf "\n\033[33mNote: You are running 'checksec.sh' as an unprivileged user.\n"
- printf " Too see all processes, please run the script as root.\033[m\n\n"
- fi
- fi
- exit 0
- ;;
-
- --proc)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid process name.\033[m\n\n"
- exit 1
- fi
- if !(isString "$2") ; then
- printf "\033[31mError: Please provide a valid process name.\033[m\n\n"
- exit 1
- fi
- cd /proc
- printf "* System-wide ASLR"
- aslrcheck
- printf "* Does the CPU support NX: "
- nxcheck
- printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
- for N in `ps -Ao pid,comm | grep $2 | cut -b1-6`; do
- if [ -d $N ] ; then
- printf "%16s" `head -1 $N/status | cut -b 7-`
- printf "%7d " $N
- # read permissions?
- if [ ! -r $N/exe ] ; then
- if !(root_privs) ; then
- printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
- exit 1
- fi
- if [ ! `readlink $N/exe` ] ; then
- printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
- exit 1
- fi
- exit 1
- fi
- proccheck $N
- echo
- fi
- done
- exit 0
- ;;
-
- --proc-libs)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
- exit 1
- fi
- if !(isNumeric "$2") ; then
- printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
- exit 1
- fi
- cd /proc
- printf "* System-wide ASLR"
- aslrcheck
- printf "* Does the CPU support NX: "
- nxcheck
- printf "* Process information:\n\n"
- printf " COMMAND PID RELRO STACK CANARY NX/PaX PIE\n"
- N=$2
- if [ -d $N ] ; then
- printf "%16s" `head -1 $N/status | cut -b 7-`
- printf "%7d " $N
- # read permissions?
- if [ ! -r $N/exe ] ; then
- if !(root_privs) ; then
- printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
- exit 1
- fi
- if [ ! `readlink $N/exe` ] ; then
- printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
- exit 1
- fi
- exit 1
- fi
- proccheck $N
- echo
- libcheck $N
- fi
- exit 0
- ;;
-
- --kernel)
- cd /proc
- printf "* Kernel protection information:\n\n"
- kernelcheck
- exit 0
- ;;
-
- --fortify-file)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid file.\033[m\n\n"
- exit 1
- fi
- # does the file exist?
- if [ ! -e $2 ] ; then
- printf "\033[31mError: The file '$2' does not exist.\033[m\n\n"
- exit 1
- fi
- # read permissions?
- if [ ! -r $2 ] ; then
- printf "\033[31mError: No read permissions for '$2' (run as root).\033[m\n\n"
- exit 1
- fi
- # ELF executable?
- out=`file $2`
- if [[ ! $out =~ ELF ]] ; then
- printf "\033[31mError: Not an ELF file: "
- file $2
- printf "\033[m\n"
- exit 1
- fi
- if [ -e /lib/libc.so.6 ] ; then
- FS_libc=/lib/libc.so.6
- elif [ -e /lib64/libc.so.6 ] ; then
- FS_libc=/lib64/libc.so.6
- elif [ -e /lib/i386-linux-gnu/libc.so.6 ] ; then
- FS_libc=/lib/i386-linux-gnu/libc.so.6
- elif [ -e /lib/x86_64-linux-gnu/libc.so.6 ] ; then
- FS_libc=/lib/x86_64-linux-gnu/libc.so.6
- else
- printf "\033[31mError: libc not found.\033[m\n\n"
- exit 1
- fi
-
- FS_chk_func_libc=( $(readelf -s $FS_libc | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//') )
- FS_functions=( $(readelf -s $2 | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//') )
-
- FS_libc_check
- FS_binary_check
- FS_comparison
- FS_summary
-
- exit 0
- ;;
-
- --fortify-proc)
- if [ $have_readelf -eq 0 ] ; then
- exit 1
- fi
- if [ -z "$2" ] ; then
- printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
- exit 1
- fi
- if !(isNumeric "$2") ; then
- printf "\033[31mError: Please provide a valid process ID.\033[m\n\n"
- exit 1
- fi
- cd /proc
- N=$2
- if [ -d $N ] ; then
- # read permissions?
- if [ ! -r $N/exe ] ; then
- if !(root_privs) ; then
- printf "\033[31mNo read permissions for '/proc/$N/exe' (run as root).\033[m\n\n"
- exit 1
- fi
- if [ ! `readlink $N/exe` ] ; then
- printf "\033[31mPermission denied. Requested process ID belongs to a kernel thread.\033[m\n\n"
- exit 1
- fi
- exit 1
- fi
- if [ -e /lib/libc.so.6 ] ; then
- FS_libc=/lib/libc.so.6
- elif [ -e /lib64/libc.so.6 ] ; then
- FS_libc=/lib64/libc.so.6
- elif [ -e /lib/i386-linux-gnu/libc.so.6 ] ; then
- FS_libc=/lib/i386-linux-gnu/libc.so.6
- elif [ -e /lib/x86_64-linux-gnu/libc.so.6 ] ; then
- FS_libc=/lib/x86_64-linux-gnu/libc.so.6
- else
- printf "\033[31mError: libc not found.\033[m\n\n"
- exit 1
- fi
- printf "* Process name (PID) : %s (%d)\n" `head -1 $N/status | cut -b 7-` $N
- FS_chk_func_libc=( $(readelf -s $FS_libc | grep _chk@@ | awk '{ print $8 }' | cut -c 3- | sed -e 's/_chk@.*//') )
- FS_functions=( $(readelf -s $2/exe | awk '{ print $8 }' | sed 's/_*//' | sed -e 's/@.*//') )
-
- FS_libc_check
- FS_binary_check
- FS_comparison
- FS_summary
- fi
- exit 0
- ;;
-
- *)
- if [ "$#" != "0" ] ; then
- printf "\033[31mError: Unknown option '$1'.\033[m\n\n"
- fi
- help
- exit 1
- ;;
-esac
diff --git a/external/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb b/external/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb
deleted file mode 100644
index a9616911..00000000
--- a/external/meta-security/recipes-security/checksecurity/checksecurity_2.0.15.bb
+++ /dev/null
@@ -1,20 +0,0 @@
-SUMMARY = "basic system security checks"
-DESCRIPTION = "checksecurity is a simple package which will scan your system for several simple security holes."
-SECTION = "security"
-LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
-
-SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \
- file://setuid-log-folder.patch"
-
-SRC_URI[md5sum] = "a30161c3e24d3be710b2fd13fcd1f32f"
-SRC_URI[sha256sum] = "67abe3d6391c96146e96f376d3fd6eb7a9418b0f7fe205b465219889791dba32"
-
-do_compile() {
-}
-
-do_install() {
- oe_runmake PREFIX=${D}
-}
-
-RDEPENDS_${PN} = "perl libenv-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob util-linux findutils coreutils"
diff --git a/external/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch b/external/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch
deleted file mode 100644
index 540ea9c3..00000000
--- a/external/meta-security/recipes-security/checksecurity/files/setuid-log-folder.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 24dbeec135ff83f2fd35ef12fe9842f02d6fd337 Mon Sep 17 00:00:00 2001
-From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-Date: Thu, 20 Jun 2013 15:14:55 +0300
-Subject: [PATCH] changed log folder for check-setuid
-
-check-setuid was creating logs in /var/log directory,
-which cannot be created persistently. To avoid errors
-the log folder was changed to /etc/checksecurity/.
-
-Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
----
- etc/check-setuid.conf | 2 +-
- plugins/check-setuid | 6 +++---
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/etc/check-setuid.conf b/etc/check-setuid.conf
-index 621336f..e1532c0 100644
---- a/etc/check-setuid.conf
-+++ b/etc/check-setuid.conf
-@@ -116,4 +116,4 @@ CHECKSECURITY_PATHFILTER="-false"
- #
- # Location of setuid file databases.
- #
--LOGDIR=/var/log/setuid
-+LOGDIR=/etc/checksecurity/
-diff --git a/plugins/check-setuid b/plugins/check-setuid
-index 8d6f90b..bdb21c1 100755
---- a/plugins/check-setuid
-+++ b/plugins/check-setuid
-@@ -44,8 +44,8 @@ if [ `/usr/bin/id -u` != 0 ] ; then
- exit 1
- fi
-
--TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp
--TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp
-+TMPSETUID=${LOGDIR:=/etc/checksecurity/}/setuid.new.tmp
-+TMPDIFF=${LOGDIR:=/etc/checksecurity/}/setuid.diff.tmp
-
- #
- # Check for NFS/AFS mounts that are not nosuid/nodev
-@@ -75,7 +75,7 @@ if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then
- fi
-
- # Guard against undefined vars
--[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid
-+[ -z "$LOGDIR" ] && LOGDIR=/etc/checksecurity/
- if [ ! -e "$LOGDIR" ] ; then
- echo "ERROR: Log directory $LOGDIR does not exist"
- exit 1
---
-1.7.9.5
-
diff --git a/external/meta-security/recipes-security/clamav/clamav_0.99.4.bb b/external/meta-security/recipes-security/clamav/clamav_0.99.4.bb
deleted file mode 100644
index 8c2c2fa2..00000000
--- a/external/meta-security/recipes-security/clamav/clamav_0.99.4.bb
+++ /dev/null
@@ -1,158 +0,0 @@
-SUMMARY = "ClamAV anti-virus utility for Unix - command-line interface"
-DESCRIPTION = "ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats."
-HOMEPAGE = "http://www.clamav.net/index.html"
-SECTION = "security"
-LICENSE = "LGPL-2.1"
-
-DEPENDS = "libtool db libmspack chrpath-replacement-native"
-
-LIC_FILES_CHKSUM = "file://COPYING.LGPL;beginline=2;endline=3;md5=4b89c05acc71195e9a06edfa2fa7d092"
-
-SRCREV = "b66e5e27b48c0a07494f9df9b809ed933cede047"
-
-SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.99 \
- file://clamd.conf \
- file://freshclam.conf \
- file://volatiles.03_clamav \
- file://${BPN}.service \
- "
-
-S = "${WORKDIR}/git"
-
-LEAD_SONAME = "libclamav.so"
-SO_VER = "7.1.1"
-
-EXTRANATIVEPATH += "chrpath-native"
-
-inherit autotools-brokensep pkgconfig useradd systemd
-
-UID = "clamav"
-GID = "clamav"
-
-# Clamav has a built llvm version 2 but does not build with gcc 6.x,
-# disable the internal one. This is a known issue
-# If you want LLVM support, use meta-oe llvm3.3 to build for GCC 6.X,
-# as defined below
-
-CLAMAV_LLVM ?= "oellvm"
-CLAMAV_LLVM_RELEASE ?= "6.0"
-
-PACKAGECONFIG ?= "ncurses openssl bz2 zlib ${CLAMAV_LLVM}"
-PACKAGECONFIG += " ${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)}"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
-
-PACKAGECONFIG[oellvm] = "--with-system-llvm --with-llvm-linking=dynamic --disable-llvm, ,llvm${CLAMAV_LLVM_RELEASE}"
-
-PACKAGECONFIG[pcre] = "--with-pcre=${STAGING_LIBDIR}, --without-pcre, libpcre"
-PACKAGECONFIG[xml] = "--with-xml=${STAGING_LIBDIR}/.., --with-xml=no, libxml2,"
-PACKAGECONFIG[json] = "--with-libjson=${STAGING_LIBDIR}, --without-libjson, json,"
-PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_LIBDIR}, --without-libcurl, curl,"
-PACKAGECONFIG[ipv6] = "--enable-ipv6, --disable-ipv6"
-PACKAGECONFIG[openssl] = "--with-openssl=${STAGING_DIR_HOST}/usr, --without-openssl, openssl, openssl"
-PACKAGECONFIG[zlib] = "--with-zlib=${STAGING_DIR_HOST}/usr --disable-zlib-vcheck , --without-zlib, zlib, "
-PACKAGECONFIG[bz2] = "--with-libbz2-prefix=${STAGING_LIBDIR}/.., --without-libbz2-prefix, "
-PACKAGECONFIG[ncurses] = "--with-libncurses-prefix=${STAGING_LIBDIR}/.., --without-libncurses-prefix, ncurses, "
-PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_unitdir}/system/, --without-systemdsystemunitdir, "
-
-EXTRA_OECONF += " --with-user=${UID} --with-group=${GID} \
- --without-libcheck-prefix --disable-unrar \
- --disable-mempool \
- --program-prefix="" \
- --disable-yara \
- --disable-rpath \
- "
-
-do_configure () {
- cd ${S}
- ./configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
-}
-
-do_compile_append() {
- # brute force removing RPATH
- chrpath -d ${B}/libclamav/.libs/libclamav.so.${SO_VER}
- chrpath -d ${B}/sigtool/.libs/sigtool
- chrpath -d ${B}/clambc/.libs/clambc
- chrpath -d ${B}/clamscan/.libs/clamscan
- chrpath -d ${B}/clamconf/.libs/clamconf
- chrpath -d ${B}/clamd/.libs/clamd
- chrpath -d ${B}/freshclam/.libs/freshclam
-}
-
-do_install_append() {
- install -d ${D}/${sysconfdir}
- install -d ${D}/${localstatedir}/lib/clamav
- install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
-
- install -m 644 ${WORKDIR}/clamd.conf ${D}/${sysconfdir}
- install -m 644 ${WORKDIR}/freshclam.conf ${D}/${sysconfdir}
- install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/volatiles.03_clamav
- sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc
- rm ${D}/${libdir}/libclamav.so
- if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
- install -D -m 0644 ${WORKDIR}/clamav.service ${D}${systemd_unitdir}/system/clamav.service
- fi
-}
-
-pkg_postinst_ontarget_${PN} () {
- if [ -e /etc/init.d/populate-volatile.sh ] ; then
- ${sysconfdir}/init.d/populate-volatile.sh update
- fi
- chown ${UID}:${GID} ${localstatedir}/lib/clamav
-}
-
-
-PACKAGES = "${PN} ${PN}-dev ${PN}-dbg ${PN}-daemon ${PN}-doc \
- ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav ${PN}-staticdev"
-
-FILES_${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit \
- ${bindir}/*sigtool ${mandir}/man1/clambc* ${mandir}/man1/clamscan* \
- ${mandir}/man1/sigtool* ${mandir}/man1/clambsubmit* \
- ${docdir}/clamav/* "
-
-FILES_${PN}-clamdscan = " ${bindir}/clamdscan \
- ${docdir}/clamdscan/* \
- ${mandir}/man1/clamdscan* \
- "
-
-FILES_${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \
- ${mandir}/man1/clamconf* ${mandir}/man1/clamdtop* \
- ${mandir}/man5/clamd* ${mandir}/man8/clamd* \
- ${sysconfdir}/clamd.conf* \
- ${systemd_unitdir}/system/clamav-daemon/* \
- ${docdir}/clamav-daemon/* ${sysconfdir}/clamav-daemon \
- ${sysconfdir}/logcheck/ignore.d.server/clamav-daemon "
-
-FILES_${PN}-freshclam = "${bindir}/freshclam \
- ${sysconfdir}/freshclam.conf* \
- ${sysconfdir}/clamav ${sysconfdir}/default/volatiles \
- ${localstatedir}/lib/clamav \
- ${docdir}/${PN}-freshclam ${mandir}/man1/freshclam.* \
- ${mandir}/man5/freshclam.conf.* \
- ${systemd_unitdir}/system/clamav-freshclam.service"
-
-FILES_${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \
- ${libdir}/pkgconfig/*.pc \
- ${mandir}/man1/clamav-config.* \
- ${includedir}/*.h ${docdir}/libclamav* "
-
-FILES_${PN}-staticdev = "${libdir}/*.a"
-
-FILES_${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libmspack.so*\
- ${docdir}/libclamav/* "
-
-FILES_${PN}-doc = "${mandir}/man/* \
- ${datadir}/man/* \
- ${docdir}/* "
-
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "--system ${UID}"
-USERADD_PARAM_${PN} = "--system -g ${GID} --home-dir \
- ${localstatedir}/spool/${BPN} \
- --no-create-home --shell /bin/false ${BPN}"
-
-RPROVIDES_${PN} += "${PN}-systemd"
-RREPLACES_${PN} += "${PN}-systemd"
-RCONFLICTS_${PN} += "${PN}-systemd"
-SYSTEMD_SERVICE_${PN} = "${BPN}.service"
-
-RDEPENDS_${PN} += "openssl ncurses-libncurses libbz2 ncurses-libtinfo clamav-freshclam clamav-libclamav"
diff --git a/external/meta-security/recipes-security/clamav/files/clamav-freshclam.service b/external/meta-security/recipes-security/clamav/files/clamav-freshclam.service
deleted file mode 100644
index 0c909fb3..00000000
--- a/external/meta-security/recipes-security/clamav/files/clamav-freshclam.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=ClamAV virus database updater
-Documentation=man:freshclam(1) man:freshclam.conf(5) http://www.clamav.net/lang/en/doc/
-# If user wants it run from cron, don't start the daemon.
-ConditionPathExists=!/etc/cron.d/clamav-freshclam
-
-[Service]
-ExecStart=/usr/bin/freshclam -d --foreground=true
-StandardOutput=syslog
-
-[Install]
-WantedBy=multi-user.target
diff --git a/external/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample b/external/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample
deleted file mode 100644
index ed0d519f..00000000
--- a/external/meta-security/recipes-security/clamav/files/clamav-milter.conf.sample
+++ /dev/null
@@ -1,293 +0,0 @@
-##
-## Example config file for clamav-milter
-##
-
-# Comment or remove the line below.
-Example
-
-
-##
-## Main options
-##
-
-# Define the interface through which we communicate with sendmail
-# This option is mandatory! Possible formats are:
-# [[unix|local]:]/path/to/file - to specify a unix domain socket
-# inet:port@[hostname|ip-address] - to specify an ipv4 socket
-# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
-#
-# Default: no default
-#MilterSocket /tmp/clamav-milter.socket
-#MilterSocket inet:7357
-
-# Define the group ownership for the (unix) milter socket.
-# Default: disabled (the primary group of the user running clamd)
-#MilterSocketGroup virusgroup
-
-# Sets the permissions on the (unix) milter socket to the specified mode.
-# Default: disabled (obey umask)
-#MilterSocketMode 660
-
-# Remove stale socket after unclean shutdown.
-#
-# Default: yes
-#FixStaleSocket yes
-
-# Run as another user (clamav-milter must be started by root for this option to work)
-#
-# Default: unset (don't drop privileges)
-#User clamav
-
-# Initialize supplementary group access (clamav-milter must be started by root).
-#
-# Default: no
-#AllowSupplementaryGroups no
-
-# Waiting for data from clamd will timeout after this time (seconds).
-# Value of 0 disables the timeout.
-#
-# Default: 120
-#ReadTimeout 300
-
-# Don't fork into background.
-#
-# Default: no
-#Foreground yes
-
-# Chroot to the specified directory.
-# Chrooting is performed just after reading the config file and before dropping privileges.
-#
-# Default: unset (don't chroot)
-#Chroot /newroot
-
-# This option allows you to save a process identifier of the listening
-# daemon (main thread).
-#
-# Default: disabled
-#PidFile /var/run/clamav/clamav-milter.pid
-
-# Optional path to the global temporary directory.
-# Default: system specific (usually /tmp or /var/tmp).
-#
-#TemporaryDirectory /var/tmp
-
-##
-## Clamd options
-##
-
-# Define the clamd socket to connect to for scanning.
-# This option is mandatory! Syntax:
-# ClamdSocket unix:path
-# ClamdSocket tcp:host:port
-# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
-# ClamdSocket unix:/var/run/clamd/clamd.socket
-# The second syntax specifies a tcp local or remote tcp socket: the
-# host can be a hostname or an ip address; the ":port" field is only required
-# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
-# ClamdSocket tcp:192.168.0.1
-#
-# This option can be repeated several times with different sockets or even
-# with the same socket: clamd servers will be selected in a round-robin fashion.
-#
-# Default: no default
-ClamdSocket /var/run/clamav/clamd
-
-
-##
-## Exclusions
-##
-
-# Messages originating from these hosts/networks will not be scanned
-# This option takes a host(name)/mask pair in CIRD notation and can be
-# repeated several times. If "/mask" is omitted, a host is assumed.
-# To specify a locally orignated, non-smtp, email use the keyword "local"
-#
-# Default: unset (scan everything regardless of the origin)
-#LocalNet local
-#LocalNet 192.168.0.0/24
-#LocalNet 1111:2222:3333::/48
-
-# This option specifies a file which contains a list of basic POSIX regular
-# expressions. Addresses (sent to or from - see below) matching these regexes
-# will not be scanned. Optionally each line can start with the string "From:"
-# or "To:" (note: no whitespace after the colon) indicating if it is,
-# respectively, the sender or recipient that is to be whitelisted.
-# If the field is missing, "To:" is assumed.
-# Lines starting with #, : or ! are ignored.
-#
-# Default unset (no exclusion applied)
-#Whitelist /etc/whitelisted_addresses
-
-# Messages from authenticated SMTP users matching this extended POSIX
-# regular expression (egrep-like) will not be scanned.
-# As an alternative, a file containing a plain (not regex) list of names (one
-# per line) can be specified using the prefix "file:".
-# e.g. SkipAuthenticated file:/etc/good_guys
-#
-# Note: this is the AUTH login name!
-#
-# Default: unset (no whitelisting based on SMTP auth)
-#SkipAuthenticated ^(tom|dick|henry)$
-
-# Messages larger than this value won't be scanned.
-# Make sure this value is lower or equal than StreamMaxLength in clamd.conf
-#
-# Default: 25M
-#MaxFileSize 10M
-
-
-##
-## Actions
-##
-
-# The following group of options controls the delievery process under
-# different circumstances.
-# The following actions are available:
-# - Accept
-# The message is accepted for delievery
-# - Reject
-# Immediately refuse delievery (a 5xx error is returned to the peer)
-# - Defer
-# Return a temporary failure message (4xx) to the peer
-# - Blackhole (not available for OnFail)
-# Like Accept but the message is sent to oblivion
-# - Quarantine (not available for OnFail)
-# Like Accept but message is quarantined instead of being delivered
-#
-# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
-# For Postfix this causes the message to be placed on hold
-#
-# Action to be performed on clean messages (mostly useful for testing)
-# Default: Accept
-#OnClean Accept
-
-# Action to be performed on infected messages
-# Default: Quarantine
-#OnInfected Quarantine
-
-# Action to be performed on error conditions (this includes failure to
-# allocate data structures, no scanners available, network timeouts,
-# unknown scanner replies and the like)
-# Default: Defer
-#OnFail Defer
-
-# This option allows to set a specific rejection reason for infected messages
-# and it's therefore only useful together with "OnInfected Reject"
-# The string "%v", if present, will be replaced with the virus name.
-# Default: MTA specific
-#RejectMsg
-
-# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
-# "X-Virus-Status" headers will be attached to each processed message, possibly
-# replacing existing headers.
-# If it is set to Add, the X-Virus headers are added possibly on top of the
-# existing ones.
-# Note that while "Replace" can potentially break DKIM signatures, "Add" may
-# confuse procmail and similar filters.
-# Default: no
-#AddHeader Replace
-
-# When AddHeader is in use, this option allows to arbitrary set the reported
-# hostname. This may be desirable in order to avoid leaking internal names.
-# If unset the real machine name is used.
-# Default: disabled
-#ReportHostname my.mail.server.name
-
-# Execute a command (possibly searching PATH) when an infected message is found.
-# The following parameters are passed to the invoked program in this order:
-# virus name, queue id, sender, destination, subject, message id, message date.
-# Note #1: this requires MTA macroes to be available (see LogInfected below)
-# Note #2: the process is invoked in the context of clamav-milter
-# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
-# avoid unnecessary delays in email delievery
-# Default: disabled
-#VirusAction /usr/local/bin/my_infected_message_handler
-
-##
-## Logging options
-##
-
-# Uncomment this option to enable logging.
-# LogFile must be writable for the user running daemon.
-# A full path is required.
-#
-# Default: disabled
-#LogFile /var/log/clamav/clamav-milter.log
-
-# By default the log file is locked for writing - the lock protects against
-# running clamav-milter multiple times.
-# This option disables log file locking.
-#
-# Default: no
-#LogFileUnlock yes
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
-# rotation (the LogRotate option) will always be enabled.
-#
-# Default: 1M
-#LogFileMaxSize 2M
-
-# Log time with each message.
-#
-# Default: no
-#LogTime yes
-
-# Use system logger (can work together with LogFile).
-#
-# Default: no
-#LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-#
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable verbose logging.
-#
-# Default: no
-#LogVerbose yes
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# This option allows to tune what is logged when a message is infected.
-# Possible values are Off (the default - nothing is logged),
-# Basic (minimal info logged), Full (verbose info logged)
-# Note:
-# For this to work properly in sendmail, make sure the msg_id, mail_addr,
-# rcpt_addr and i macroes are available in eom. In other words add a line like:
-# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
-# to your .cf file. Alternatively use the macro:
-# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
-# Postfix should be working fine with the default settings.
-#
-# Default: disabled
-#LogInfected Basic
-
-# This option allows to tune what is logged when no threat is found in a scanned message.
-# See LogInfected for possible values and caveats.
-# Useful in debugging but drastically increases the log size.
-# Default: disabled
-#LogClean Basic
-
-# This option affects the behaviour of LogInfected, LogClean and VirusAction
-# when a message with multiple recipients is scanned:
-# If SupportMultipleRecipients is off (the default)
-# then one single log entry is generated for the message and, in case the
-# message is determined to be malicious, the command indicated by VirusAction
-# is executed just once. In both cases only the last recipient is reported.
-# If SupportMultipleRecipients is on:
-# then one line is logged for each recipient and the command indicated
-# by VirusAction is also executed once for each recipient.
-#
-# Note: although it's probably a good idea to enable this option, the default value
-# is currently set to off for legacy reasons.
-# Default: no
-#SupportMultipleRecipients yes
-
diff --git a/external/meta-security/recipes-security/clamav/files/clamav.service b/external/meta-security/recipes-security/clamav/files/clamav.service
deleted file mode 100644
index f13191fc..00000000
--- a/external/meta-security/recipes-security/clamav/files/clamav.service
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Description=Clam AntiVirus userspace daemon
-Documentation=man:clamd(8) man:clamd.conf(5) http://www.clamav.net/lang/en/doc/
-Requires=clamav-daemon.socket
-# Check for database existence
-ConditionPathExistsGlob=/usr/share/clamav/main.{c[vl]d,inc}
-ConditionPathExistsGlob=/usr/share/clamav/daily.{c[vl]d,inc}
-
-[Service]
-ExecStart=/usr/sbin/clamd --foreground=true
-# Reload the database
-ExecReload=/bin/kill -USR2 $MAINPID
-StandardOutput=syslog
-
-[Install]
-WantedBy=multi-user.target
-Also=clamav-daemon.socket
diff --git a/external/meta-security/recipes-security/clamav/files/clamd.conf b/external/meta-security/recipes-security/clamav/files/clamd.conf
deleted file mode 100644
index 04577850..00000000
--- a/external/meta-security/recipes-security/clamav/files/clamd.conf
+++ /dev/null
@@ -1,595 +0,0 @@
-# Uncomment this option to enable logging.
-# LogFile must be writable for the user running daemon.
-# A full path is required.
-# Default: disabled
-LogFile /tmp/clamd.log
-
-# By default the log file is locked for writing - the lock protects against
-# running clamd multiple times (if want to run another clamd, please
-# copy the configuration file, change the LogFile variable, and run
-# the daemon with --config-file option).
-# This option disables log file locking.
-# Default: no
-LogFileUnlock yes
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
-# rotation (the LogRotate option) will always be enabled.
-# Default: 1M
-LogFileMaxSize 2M
-
-# Log time with each message.
-# Default: no
-LogTime yes
-
-# Also log clean files. Useful in debugging but drastically increases the
-# log size.
-# Default: no
-#LogClean yes
-
-# Use system logger (can work together with LogFile).
-# Default: no
-#LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable verbose logging.
-# Default: no
-#LogVerbose yes
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# Log additional information about the infected file, such as its
-# size and hash, together with the virus name.
-ExtendedDetectionInfo yes
-
-# This option allows you to save a process identifier of the listening
-# daemon (main thread).
-# Default: disabled
-PidFile /var/run/clamd.pid
-
-# Optional path to the global temporary directory.
-# Default: system specific (usually /tmp or /var/tmp).
-TemporaryDirectory /var/tmp
-
-# Path to the database directory.
-# Default: hardcoded (depends on installation options)
-DatabaseDirectory /var/lib/clamav
-
-# Only load the official signatures published by the ClamAV project.
-# Default: no
-#OfficialDatabaseOnly no
-
-# The daemon can work in local mode, network mode or both.
-# Due to security reasons we recommend the local mode.
-
-# Path to a local socket file the daemon will listen on.
-# Default: disabled (must be specified by a user)
-LocalSocket /tmp/clamd.socket
-
-# Sets the group ownership on the unix socket.
-# Default: disabled (the primary group of the user running clamd)
-#LocalSocketGroup virusgroup
-
-# Sets the permissions on the unix socket to the specified mode.
-# Default: disabled (socket is world accessible)
-#LocalSocketMode 660
-
-# Remove stale socket after unclean shutdown.
-# Default: yes
-#FixStaleSocket yes
-
-# TCP port address.
-# Default: no
-#TCPSocket 3310
-
-# TCP address.
-# By default we bind to INADDR_ANY, probably not wise.
-# Enable the following to provide some degree of protection
-# from the outside world. This option can be specified multiple
-# times if you want to listen on multiple IPs. IPv6 is now supported.
-# Default: no
-#TCPAddr 127.0.0.1
-
-# Maximum length the queue of pending connections may grow to.
-# Default: 200
-#MaxConnectionQueueLength 30
-
-# Clamd uses FTP-like protocol to receive data from remote clients.
-# If you are using clamav-milter to balance load between remote clamd daemons
-# on firewall servers you may need to tune the options below.
-
-# Close the connection when the data size limit is exceeded.
-# The value should match your MTA's limit for a maximum attachment size.
-# Default: 25M
-#StreamMaxLength 10M
-
-# Limit port range.
-# Default: 1024
-#StreamMinPort 30000
-# Default: 2048
-#StreamMaxPort 32000
-
-# Maximum number of threads running at the same time.
-# Default: 10
-#MaxThreads 20
-
-# Waiting for data from a client socket will timeout after this time (seconds).
-# Default: 120
-#ReadTimeout 300
-
-# This option specifies the time (in seconds) after which clamd should
-# timeout if a client doesn't provide any initial command after connecting.
-# Default: 5
-#CommandReadTimeout 5
-
-# This option specifies how long to wait (in miliseconds) if the send buffer is full.
-# Keep this value low to prevent clamd hanging
-#
-# Default: 500
-#SendBufTimeout 200
-
-# Maximum number of queued items (including those being processed by MaxThreads threads)
-# It is recommended to have this value at least twice MaxThreads if possible.
-# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
-# the following condition should hold:
-# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
-#
-# Default: 100
-#MaxQueue 200
-
-# Waiting for a new job will timeout after this time (seconds).
-# Default: 30
-#IdleTimeout 60
-
-# Don't scan files and directories matching regex
-# This directive can be used multiple times
-# Default: scan all
-#ExcludePath ^/proc/
-#ExcludePath ^/sys/
-
-# Maximum depth directories are scanned at.
-# Default: 15
-#MaxDirectoryRecursion 20
-
-# Follow directory symlinks.
-# Default: no
-#FollowDirectorySymlinks yes
-
-# Follow regular file symlinks.
-# Default: no
-#FollowFileSymlinks yes
-
-# Scan files and directories on other filesystems.
-# Default: yes
-#CrossFilesystems yes
-
-# Perform a database check.
-# Default: 600 (10 min)
-#SelfCheck 600
-
-# Execute a command when virus is found. In the command string %v will
-# be replaced with the virus name.
-# Default: no
-#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
-
-# Run as another user (clamd must be started by root for this option to work)
-# Default: don't drop privileges
-User clamav
-
-# Initialize supplementary group access (clamd must be started by root).
-# Default: no
-#AllowSupplementaryGroups no
-
-# Stop daemon when libclamav reports out of memory condition.
-#ExitOnOOM yes
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Do not remove temporary files (for debug purposes).
-# Default: no
-#LeaveTemporaryFiles yes
-
-# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
-# any ALLMATCHSCAN command as invalid.
-# Default: yes
-#AllowAllMatchScan no
-
-# Detect Possibly Unwanted Applications.
-# Default: no
-#DetectPUA yes
-
-# Exclude a specific PUA category. This directive can be used multiple times.
-# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
-# the complete list of PUA categories.
-# Default: Load all categories (if DetectPUA is activated)
-#ExcludePUA NetTool
-#ExcludePUA PWTool
-
-# Only include a specific PUA category. This directive can be used multiple
-# times.
-# Default: Load all categories (if DetectPUA is activated)
-#IncludePUA Spy
-#IncludePUA Scanner
-#IncludePUA RAT
-
-# In some cases (eg. complex malware, exploits in graphic files, and others),
-# ClamAV uses special algorithms to provide accurate detection. This option
-# controls the algorithmic detection.
-# Default: yes
-#AlgorithmicDetection yes
-
-# This option causes memory or nested map scans to dump the content to disk.
-# If you turn on this option, more data is written to disk and is available
-# when the LeaveTemporaryFiles option is enabled.
-#ForceToDisk yes
-
-# This option allows you to disable the caching feature of the engine. By
-# default, the engine will store an MD5 in a cache of any files that are
-# not flagged as virus or that hit limits checks. Disabling the cache will
-# have a negative performance impact on large scans.
-# Default: no
-#DisableCache yes
-
-##
-## Executable files
-##
-
-# PE stands for Portable Executable - it's an executable file format used
-# in all 32 and 64-bit versions of Windows operating systems. This option allows
-# ClamAV to perform a deeper analysis of executable files and it's also
-# required for decompression of popular executable packers such as UPX, FSG,
-# and Petite. If you turn off this option, the original files will still be
-# scanned, but without additional processing.
-# Default: yes
-#ScanPE yes
-
-# Certain PE files contain an authenticode signature. By default, we check
-# the signature chain in the PE file against a database of trusted and
-# revoked certificates if the file being scanned is marked as a virus.
-# If any certificate in the chain validates against any trusted root, but
-# does not match any revoked certificate, the file is marked as whitelisted.
-# If the file does match a revoked certificate, the file is marked as virus.
-# The following setting completely turns off authenticode verification.
-# Default: no
-#DisableCertCheck yes
-
-# Executable and Linking Format is a standard format for UN*X executables.
-# This option allows you to control the scanning of ELF files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanELF yes
-
-# With this option clamav will try to detect broken executables (both PE and
-# ELF) and mark them as Broken.Executable.
-# Default: no
-#DetectBrokenExecutables yes
-
-
-##
-## Documents
-##
-
-# This option enables scanning of OLE2 files, such as Microsoft Office
-# documents and .msi files.
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-# Default: yes
-#ScanOLE2 yes
-
-# With this option enabled OLE2 files with VBA macros, which were not
-# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
-# Default: no
-#OLE2BlockMacros no
-
-# This option enables scanning within PDF files.
-# If you turn off this option, the original files will still be scanned, but
-# without decoding and additional processing.
-# Default: yes
-#ScanPDF yes
-
-# This option enables scanning within SWF files.
-# If you turn off this option, the original files will still be scanned, but
-# without decoding and additional processing.
-# Default: yes
-#ScanSWF yes
-
-
-##
-## Mail files
-##
-
-# Enable internal e-mail scanner.
-# If you turn off this option, the original files will still be scanned, but
-# without parsing individual messages/attachments.
-# Default: yes
-#ScanMail yes
-
-# Scan RFC1341 messages split over many emails.
-# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
-# WARNING: This option may open your system to a DoS attack.
-# Never use it on loaded servers.
-# Default: no
-#ScanPartialMessages yes
-
-# With this option enabled ClamAV will try to detect phishing attempts by using
-# signatures.
-# Default: yes
-#PhishingSignatures yes
-
-# Scan URLs found in mails for phishing attempts using heuristics.
-# Default: yes
-#PhishingScanURLs yes
-
-# Always block SSL mismatches in URLs, even if the URL isn't in the database.
-# This can lead to false positives.
-#
-# Default: no
-#PhishingAlwaysBlockSSLMismatch no
-
-# Always block cloaked URLs, even if URL isn't in database.
-# This can lead to false positives.
-#
-# Default: no
-#PhishingAlwaysBlockCloak no
-
-# Detect partition intersections in raw disk images using heuristics.
-# Default: no
-#PartitionIntersection no
-
-# Allow heuristic match to take precedence.
-# When enabled, if a heuristic scan (such as phishingScan) detects
-# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
-# scan-time.
-# When disabled, virus/phish detected by heuristic scans will be reported only at
-# the end of a scan. If an archive contains both a heuristically detected
-# virus/phish, and a real malware, the real malware will be reported
-#
-# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
-# differently from "real" malware.
-# If a non-heuristically-detected virus (signature-based) is found first,
-# the scan is interrupted immediately, regardless of this config option.
-#
-# Default: no
-#HeuristicScanPrecedence yes
-
-
-##
-## Data Loss Prevention (DLP)
-##
-
-# Enable the DLP module
-# Default: No
-#StructuredDataDetection yes
-
-# This option sets the lowest number of Credit Card numbers found in a file
-# to generate a detect.
-# Default: 3
-#StructuredMinCreditCardCount 5
-
-# This option sets the lowest number of Social Security Numbers found
-# in a file to generate a detect.
-# Default: 3
-#StructuredMinSSNCount 5
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxx-yy-zzzz
-# Default: yes
-#StructuredSSNFormatNormal yes
-
-# With this option enabled the DLP module will search for valid
-# SSNs formatted as xxxyyzzzz
-# Default: no
-#StructuredSSNFormatStripped yes
-
-
-##
-## HTML
-##
-
-# Perform HTML normalisation and decryption of MS Script Encoder code.
-# Default: yes
-# If you turn off this option, the original files will still be scanned, but
-# without additional processing.
-#ScanHTML yes
-
-
-##
-## Archives
-##
-
-# ClamAV can scan within archives and compressed files.
-# If you turn off this option, the original files will still be scanned, but
-# without unpacking and additional processing.
-# Default: yes
-#ScanArchive yes
-
-# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
-# Default: no
-#ArchiveBlockEncrypted no
-
-
-##
-## Limits
-##
-
-# The options below protect your system against Denial of Service attacks
-# using archive bombs.
-
-# This option sets the maximum amount of data to be scanned for each input file.
-# Archives and other containers are recursively extracted and scanned up to this
-# value.
-# Value of 0 disables the limit
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 100M
-#MaxScanSize 150M
-
-# Files larger than this limit won't be scanned. Affects the input file itself
-# as well as files contained inside it (when the input file is an archive, a
-# document or some other kind of container).
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 25M
-#MaxFileSize 30M
-
-# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
-# file, all files within it will also be scanned. This options specifies how
-# deeply the process should be continued.
-# Note: setting this limit too high may result in severe damage to the system.
-# Default: 16
-#MaxRecursion 10
-
-# Number of files to be scanned within an archive, a document, or any other
-# container file.
-# Value of 0 disables the limit.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10000
-#MaxFiles 15000
-
-# Maximum size of a file to check for embedded PE. Files larger than this value
-# will skip the additional analysis step.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10M
-#MaxEmbeddedPE 10M
-
-# Maximum size of a HTML file to normalize. HTML files larger than this value
-# will not be normalized or scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 10M
-#MaxHTMLNormalize 10M
-
-# Maximum size of a normalized HTML file to scan. HTML files larger than this
-# value after normalization will not be scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 2M
-#MaxHTMLNoTags 2M
-
-# Maximum size of a script file to normalize. Script content larger than this
-# value will not be normalized or scanned.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 5M
-#MaxScriptNormalize 5M
-
-# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
-# than this value will skip the step to potentially reanalyze as PE.
-# Note: disabling this limit or setting it too high may result in severe damage
-# to the system.
-# Default: 1M
-#MaxZipTypeRcg 1M
-
-# This option sets the maximum number of partitions of a raw disk image to be scanned.
-# Raw disk images with more partitions than this value will have up to the value number
-# partitions scanned. Negative values are not allowed.
-# Note: setting this limit too high may result in severe damage or impact performance.
-# Default: 50
-#MaxPartitions 128
-
-# This option sets the maximum number of icons within a PE to be scanned.
-# PE files with more icons than this value will have up to the value number icons scanned.
-# Negative values are not allowed.
-# WARNING: setting this limit too high may result in severe damage or impact performance.
-# Default: 100
-#MaxIconsPE 200
-
-##
-## On-access Scan Settings
-##
-
-# Enable on-access scanning. Currently, this is supported via fanotify.
-# Clamuko/Dazuko support has been deprecated.
-# Default: no
-#ScanOnAccess yes
-
-# Don't scan files larger than OnAccessMaxFileSize
-# Value of 0 disables the limit.
-# Default: 5M
-#OnAccessMaxFileSize 10M
-
-# Set the include paths (all files inside them will be scanned). You can have
-# multiple OnAccessIncludePath directives but each directory must be added
-# in a separate line. (On-access scan only)
-# Default: disabled
-#OnAccessIncludePath /home
-#OnAccessIncludePath /students
-
-# Set the exclude paths. All subdirectories are also excluded.
-# (On-access scan only)
-# Default: disabled
-#OnAccessExcludePath /home/bofh
-
-# With this option you can whitelist specific UIDs. Processes with these UIDs
-# will be able to access all files.
-# This option can be used multiple times (one per line).
-# Default: disabled
-#OnAccessExcludeUID 0
-
-
-##
-## Bytecode
-##
-
-# With this option enabled ClamAV will load bytecode from the database.
-# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
-# Default: yes
-#Bytecode yes
-
-# Set bytecode security level.
-# Possible values:
-# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
-# This value is only available if clamav was built with --enable-debug!
-# TrustSigned - trust bytecode loaded from signed .c[lv]d files,
-# insert runtime safety checks for bytecode loaded from other sources
-# Paranoid - don't trust any bytecode, insert runtime checks for all
-# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
-# Note that by default only signed bytecode is loaded, currently you can only
-# load unsigned bytecode in --enable-debug mode.
-#
-# Default: TrustSigned
-#BytecodeSecurity TrustSigned
-
-# Set bytecode timeout in miliseconds.
-#
-# Default: 5000
-# BytecodeTimeout 1000
-
-##
-## Statistics gathering and submitting
-##
-
-# Enable statistical reporting.
-# Default: no
-#StatsEnabled yes
-
-# Disable submission of individual PE sections for files flagged as malware.
-# Default: no
-#StatsPEDisabled yes
-
-# HostID in the form of an UUID to use when submitting statistical information.
-# Default: auto
-#StatsHostID auto
-
-# Time in seconds to wait for the stats server to come back with a response
-# Default: 10
-#StatsTimeout 10
diff --git a/external/meta-security/recipes-security/clamav/files/freshclam.conf b/external/meta-security/recipes-security/clamav/files/freshclam.conf
deleted file mode 100644
index 100724f1..00000000
--- a/external/meta-security/recipes-security/clamav/files/freshclam.conf
+++ /dev/null
@@ -1,224 +0,0 @@
-# Path to the database directory.
-# WARNING: It must match clamd.conf's directive!
-# Default: hardcoded (depends on installation options)
-DatabaseDirectory /var/lib/clamav
-
-# Path to the log file (make sure it has proper permissions)
-# Default: disabled
-UpdateLogFile /var/log/clamav/freshclam.log
-
-# Maximum size of the log file.
-# Value of 0 disables the limit.
-# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
-# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
-# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
-# log rotation (the LogRotate option) will always be enabled.
-# Default: 1M
-LogFileMaxSize 2M
-
-# Log time with each message.
-# Default: no
-LogTime yes
-
-# Enable verbose logging.
-# Default: no
-#LogVerbose yes
-
-# Use system logger (can work together with UpdateLogFile).
-# Default: no
-#LogSyslog yes
-
-# Specify the type of syslog messages - please refer to 'man syslog'
-# for facility names.
-# Default: LOG_LOCAL6
-#LogFacility LOG_MAIL
-
-# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
-# Default: no
-#LogRotate yes
-
-# This option allows you to save the process identifier of the daemon
-# Default: disabled
-PidFile /var/run/freshclam.pid
-
-# By default when started freshclam drops privileges and switches to the
-# "clamav" user. This directive allows you to change the database owner.
-# Default: clamav (may depend on installation options)
-DatabaseOwner clamav
-
-# Initialize supplementary group access (freshclam must be started by root).
-# Default: no
-#AllowSupplementaryGroups yes
-
-# Use DNS to verify virus database version. Freshclam uses DNS TXT records
-# to verify database and software versions. With this directive you can change
-# the database verification domain.
-# WARNING: Do not touch it unless you're configuring freshclam to use your
-# own database verification domain.
-# Default: current.cvd.clamav.net
-#DNSDatabaseInfo current.cvd.clamav.net
-
-# Uncomment the following line and replace XY with your country
-# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
-# You can use db.XY.ipv6.clamav.net for IPv6 connections.
-#DatabaseMirror db.XY.clamav.net
-
-# database.clamav.net is a round-robin record which points to our most
-# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
-# not working. DO NOT TOUCH the following line unless you know what you
-# are doing.
-DatabaseMirror database.clamav.net
-
-# How many attempts to make before giving up.
-# Default: 3 (per mirror)
-#MaxAttempts 5
-
-# With this option you can control scripted updates. It's highly recommended
-# to keep it enabled.
-# Default: yes
-#ScriptedUpdates yes
-
-# By default freshclam will keep the local databases (.cld) uncompressed to
-# make their handling faster. With this option you can enable the compression;
-# the change will take effect with the next database update.
-# Default: no
-#CompressLocalDatabase no
-
-# With this option you can provide custom sources (http:// or file://) for
-# database files. This option can be used multiple times.
-# Default: no custom URLs
-#DatabaseCustomURL http://myserver.com/mysigs.ndb
-#DatabaseCustomURL file:///mnt/nfs/local.hdb
-
-# This option allows you to easily point freshclam to private mirrors.
-# If PrivateMirror is set, freshclam does not attempt to use DNS
-# to determine whether its databases are out-of-date, instead it will
-# use the If-Modified-Since request or directly check the headers of the
-# remote database files. For each database, freshclam first attempts
-# to download the CLD file. If that fails, it tries to download the
-# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
-# and ScriptedUpdates. It can be used multiple times to provide
-# fall-back mirrors.
-# Default: disabled
-#PrivateMirror mirror1.mynetwork.com
-#PrivateMirror mirror2.mynetwork.com
-
-# Number of database checks per day.
-# Default: 12 (every two hours)
-#Checks 24
-
-# Proxy settings
-# Default: disabled
-#HTTPProxyServer myproxy.com
-#HTTPProxyPort 1234
-#HTTPProxyUsername myusername
-#HTTPProxyPassword mypass
-
-# If your servers are behind a firewall/proxy which applies User-Agent
-# filtering you can use this option to force the use of a different
-# User-Agent header.
-# Default: clamav/version_number
-#HTTPUserAgent SomeUserAgentIdString
-
-# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
-# multi-homed systems.
-# Default: Use OS'es default outgoing IP address.
-#LocalIPAddress aaa.bbb.ccc.ddd
-
-# Send the RELOAD command to clamd.
-# Default: no
-#NotifyClamd /path/to/clamd.conf
-
-# Run command after successful database update.
-# Default: disabled
-#OnUpdateExecute command
-
-# Run command when database update process fails.
-# Default: disabled
-#OnErrorExecute command
-
-# Run command when freshclam reports outdated version.
-# In the command string %v will be replaced by the new version number.
-# Default: disabled
-#OnOutdatedExecute command
-
-# Don't fork into background.
-# Default: no
-#Foreground yes
-
-# Enable debug messages in libclamav.
-# Default: no
-#Debug yes
-
-# Timeout in seconds when connecting to database server.
-# Default: 30
-#ConnectTimeout 60
-
-# Timeout in seconds when reading from database server.
-# Default: 30
-#ReceiveTimeout 60
-
-# With this option enabled, freshclam will attempt to load new
-# databases into memory to make sure they are properly handled
-# by libclamav before replacing the old ones.
-# Default: yes
-#TestDatabases yes
-
-# When enabled freshclam will submit statistics to the ClamAV Project about
-# the latest virus detections in your environment. The ClamAV maintainers
-# will then use this data to determine what types of malware are the most
-# detected in the field and in what geographic area they are.
-# Freshclam will connect to clamd in order to get recent statistics.
-# Default: no
-#SubmitDetectionStats /path/to/clamd.conf
-
-# Country of origin of malware/detection statistics (for statistical
-# purposes only). The statistics collector at ClamAV.net will look up
-# your IP address to determine the geographical origin of the malware
-# reported by your installation. If this installation is mainly used to
-# scan data which comes from a different location, please enable this
-# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
-# of the country of origin.
-# Default: disabled
-#DetectionStatsCountry country-code
-
-# This option enables support for our "Personal Statistics" service.
-# When this option is enabled, the information on malware detected by
-# your clamd installation is made available to you through our website.
-# To get your HostID, log on http://www.stats.clamav.net and add a new
-# host to your host list. Once you have the HostID, uncomment this option
-# and paste the HostID here. As soon as your freshclam starts submitting
-# information to our stats collecting service, you will be able to view
-# the statistics of this clamd installation by logging into
-# http://www.stats.clamav.net with the same credentials you used to
-# generate the HostID. For more information refer to:
-# http://www.clamav.net/documentation.html#cctts
-# This feature requires SubmitDetectionStats to be enabled.
-# Default: disabled
-#DetectionStatsHostID unique-id
-
-# This option enables support for Google Safe Browsing. When activated for
-# the first time, freshclam will download a new database file (safebrowsing.cvd)
-# which will be automatically loaded by clamd and clamscan during the next
-# reload, provided that the heuristic phishing detection is turned on. This
-# database includes information about websites that may be phishing sites or
-# possible sources of malware. When using this option, it's mandatory to run
-# freshclam at least every 30 minutes.
-# Freshclam uses the ClamAV's mirror infrastructure to distribute the
-# database and its updates but all the contents are provided under Google's
-# terms of use. See http://www.google.com/transparencyreport/safebrowsing
-# and http://www.clamav.net/documentation.html#safebrowsing
-# for more information.
-# Default: disabled
-#SafeBrowsing yes
-
-# This option enables downloading of bytecode.cvd, which includes additional
-# detection mechanisms and improvements to the ClamAV engine.
-# Default: enabled
-#Bytecode yes
-
-# Download an additional 3rd party signature database distributed through
-# the ClamAV mirrors.
-# This option can be used multiple times.
-#ExtraDatabase dbname1
-#ExtraDatabase dbname2
diff --git a/external/meta-security/recipes-security/clamav/files/volatiles.03_clamav b/external/meta-security/recipes-security/clamav/files/volatiles.03_clamav
deleted file mode 100644
index ee2153ca..00000000
--- a/external/meta-security/recipes-security/clamav/files/volatiles.03_clamav
+++ /dev/null
@@ -1,3 +0,0 @@
-# <type> <owner> <group> <mode> <path> <linksource>
-d clamav clamav 0755 /var/log/clamav none
-f clamav clamav 0655 /var/log/clamav/freshclam.log none
diff --git a/external/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/external/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index 1f780f9e..d8cd06f8 100644
--- a/external/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/external/meta-security/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -14,6 +14,7 @@ DEPENDS = "keyutils libgcrypt intltool-native glib-2.0-native"
SRC_URI = "\
https://launchpad.net/ecryptfs/trunk/${PV}/+download/${BPN}_${PV}.orig.tar.gz \
file://ecryptfs-utils-CVE-2016-6224.patch \
+ file://0001-avoid-race-condition.patch \
file://ecryptfs.service \
"
@@ -30,17 +31,17 @@ EXTRA_OECONF = "\
--disable-pywrap \
--disable-nls \
--with-pamdir=${base_libdir}/security \
+ --disable-openssl \
"
PACKAGECONFIG ??= "nss \
${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)} \
"
PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss,"
-PACKAGECONFIG[openssl] = "--enable-openssl,--disable-openssl,openssl,"
PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,"
do_configure_prepend() {
- export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
+ export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr -I${STAGING_INCDIR}/nss3"
export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3"
export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}"
export KEYUTILS_LIBS="-L${STAGING_LIBDIR} -lkeyutils"
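Review bot: `--disable-openssl \` is now forced in EXTRA_OECONF while the `PACKAGECONFIG[openssl]` flag that used to control it is removed, so a distro that had `openssl` in this recipe's PACKAGECONFIG silently loses the openssl key module (and, as far as I recall, base.bbclass also complains about a PACKAGECONFIG option with no matching flag). The hunk records no reason for dropping the backend; whoever next touches the recipe cannot tell whether it was an ABI breakage, a dependency trim or a deliberate "NSS only" policy. Put the rationale on the line, e.g. `# openssl key module disabled: <reason>; NSS is the only supported key backend` above `--disable-openssl \`, or keep the `PACKAGECONFIG[openssl]` entry and simply leave `openssl` out of the default so the choice stays overridable. The `nspr` include-path fix in do_configure_prepend looks independent of this and could be called out in the commit message.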
diff --git a/external/meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch b/external/meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch
new file mode 100644
index 00000000..af28d581
--- /dev/null
+++ b/external/meta-security/recipes-security/ecryptfs-utils/files/0001-avoid-race-condition.patch
@@ -0,0 +1,32 @@
+From ab671b02e3aaf65dd1fd279789ea933b8140fe52 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Tue, 27 Aug 2019 16:08:00 +0800
+Subject: [PATCH] avoid race condition
+
+The rootsbin directory is self defined. The install-rootsbinPROGRAMS
+is actually treated as part of install-data.
+
+This would avoid race condition which causes install failure.
+
+Upstream-Status: Pending
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ src/utils/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/utils/Makefile.am b/src/utils/Makefile.am
+index 83cf851..344883a 100644
+--- a/src/utils/Makefile.am
++++ b/src/utils/Makefile.am
+@@ -67,6 +67,6 @@ ecryptfs_stat_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
+ test_SOURCES = test.c io.c
+ test_LDADD = $(top_builddir)/src/libecryptfs/libecryptfs.la
+
+-install-exec-hook: install-rootsbinPROGRAMS
++install-data-hook: install-rootsbinPROGRAMS
+ -rm -f "$(DESTDIR)/$(rootsbindir)/umount.ecryptfs_private"
+ $(LN_S) "mount.ecryptfs_private" "$(DESTDIR)/$(rootsbindir)/umount.ecryptfs_private"
+--
+2.17.1
+
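Review bot: The reason the hook moves from `install-exec-hook` to `install-data-hook` lives only in the commit message: if I recall automake's rule correctly, `rootsbin_PROGRAMS` is treated as data because `rootsbindir` has no `exec` in its name, so under `make -j install` the exec hook could run before `mount.ecryptfs_private` has been installed and the symlink would dangle. A one-line comment above the hook in the Makefile.am hunk would keep that visible, e.g. `# rootsbin is a custom dir (no "exec" in its name), so automake installs it in install-data; hook there.` Keeping `install-rootsbinPROGRAMS` as an explicit prerequisite on the hook line is good, since it makes the ordering a declared edge rather than an assumption about hook timing. `Upstream-Status: Pending` should ideally gain a link once the change is sent upstream.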
diff --git a/external/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch b/external/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
new file mode 100644
index 00000000..7f0812c4
--- /dev/null
+++ b/external/meta-security/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
@@ -0,0 +1,28 @@
+From fe3436d65518099d35c643848cba50253abc249c Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@cn.fujitsu.com>
+Date: Thu, 9 May 2019 14:44:51 +0900
+Subject: [PATCH] To fix build error of xrange.
+
+NameError: name 'xrange' is not defined
+
+Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
+---
+ fail2ban/__init__.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fail2ban/__init__.py b/fail2ban/__init__.py
+index fa6dcf7..61789a4 100644
+--- a/fail2ban/__init__.py
++++ b/fail2ban/__init__.py
+@@ -82,7 +82,7 @@ strptime("2012", "%Y")
+
+ # short names for pure numeric log-level ("Level 25" could be truncated by short formats):
+ def _init():
+- for i in xrange(50):
++ for i in range(50):
+ if logging.getLevelName(i).startswith('Level'):
+ logging.addLevelName(i, '#%02d-Lev.' % i)
+ _init()
+--
+2.7.4
+
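Review bot: The new patch header has no `Upstream-Status:` line, unlike the other patches in this layer (for example the ecryptfs-utils one above), so a reader cannot tell whether the `range(50)` change is a local workaround or already accepted upstream; I would add `Upstream-Status: Pending` (or `Backport` with the upstream commit reference, if fail2ban has since made the same change) after the `NameError` description. The code change itself is safe on both interpreters: `range` on Python 2 returns a list of the same fifty values, so the `logging.addLevelName` loop in `_init` behaves identically. `_init` is fully visible in the hunk.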
diff --git a/external/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch b/external/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch
new file mode 100644
index 00000000..ee872ec4
--- /dev/null
+++ b/external/meta-security/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch
@@ -0,0 +1,2527 @@
+From abaa20435bac7decffa69e6f965aac9ce29aff6a Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 12 Feb 2020 17:19:15 +0000
+Subject: [PATCH] python3-fail2ban: 2-3 conversion
+
+Upstream-Status: OE specific.
+
+fail2ban handles py3 via a 2-3 conversion utility.
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+---
+ fail2ban/client/actionreader.py | 4 +-
+ fail2ban/client/configparserinc.py | 10 +-
+ fail2ban/client/configreader.py | 4 +-
+ fail2ban/client/csocket.py | 4 +-
+ fail2ban/client/fail2banclient.py | 4 +-
+ fail2ban/client/fail2banregex.py | 20 +-
+ fail2ban/client/filterreader.py | 2 +-
+ fail2ban/client/jailreader.py | 4 +-
+ fail2ban/helpers.py | 15 +-
+ fail2ban/server/action.py | 19 +-
+ fail2ban/server/actions.py | 24 +-
+ fail2ban/server/asyncserver.py | 4 +-
+ fail2ban/server/banmanager.py | 18 +-
+ fail2ban/server/database.py | 6 +-
+ fail2ban/server/failmanager.py | 8 +-
+ fail2ban/server/failregex.py | 9 +-
+ fail2ban/server/filter.py | 12 +-
+ fail2ban/server/filterpoll.py | 2 +-
+ fail2ban/server/filterpyinotify.py | 6 +-
+ fail2ban/server/ipdns.py | 16 +-
+ fail2ban/server/jail.py | 14 +-
+ fail2ban/server/mytime.py | 2 +-
+ fail2ban/server/server.py | 18 +-
+ fail2ban/server/strptime.py | 6 +-
+ fail2ban/server/ticket.py | 14 +-
+ fail2ban/server/transmitter.py | 2 +-
+ fail2ban/server/utils.py | 6 +-
+ fail2ban/tests/action_d/test_badips.py | 2 +-
+ fail2ban/tests/actiontestcase.py | 4 +-
+ fail2ban/tests/clientreadertestcase.py | 4 +-
+ fail2ban/tests/databasetestcase.py | 16 +-
+ fail2ban/tests/datedetectortestcase.py | 6 +-
+ fail2ban/tests/fail2banclienttestcase.py | 8 +-
+ fail2ban/tests/failmanagertestcase.py | 10 +-
+ .../tests/files/config/apache-auth/digest.py | 20 +-
+ fail2ban/tests/filtertestcase.py | 92 ++---
+ fail2ban/tests/misctestcase.py | 22 +-
+ fail2ban/tests/observertestcase.py | 34 +-
+ fail2ban/tests/samplestestcase.py | 8 +-
+ fail2ban/tests/servertestcase.py | 28 +-
+ fail2ban/tests/sockettestcase.py | 2 +-
+ fail2ban/tests/utils.py | 22 +-
+ setup.py | 326 ------------------
+ 43 files changed, 264 insertions(+), 593 deletions(-)
+ delete mode 100755 setup.py
+
+diff --git a/fail2ban/client/actionreader.py b/fail2ban/client/actionreader.py
+index 80617a50..ecf323c5 100644
+--- a/fail2ban/client/actionreader.py
++++ b/fail2ban/client/actionreader.py
+@@ -90,11 +90,11 @@ class ActionReader(DefinitionInitConfigReader):
+ stream = list()
+ stream.append(head + ["addaction", self._name])
+ multi = []
+- for opt, optval in opts.iteritems():
++ for opt, optval in opts.items():
+ if opt in self._configOpts and not opt.startswith('known/'):
+ multi.append([opt, optval])
+ if self._initOpts:
+- for opt, optval in self._initOpts.iteritems():
++ for opt, optval in self._initOpts.items():
+ if opt not in self._configOpts and not opt.startswith('known/'):
+ multi.append([opt, optval])
+ if len(multi) > 1:
+diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py
+index e0f39579..45c77437 100644
+--- a/fail2ban/client/configparserinc.py
++++ b/fail2ban/client/configparserinc.py
+@@ -62,7 +62,7 @@ if sys.version_info >= (3,2):
+ parser, option, accum, rest, section, map, *args, **kwargs)
+
+ else: # pragma: no cover
+- from ConfigParser import SafeConfigParser, \
++ from configparser import SafeConfigParser, \
+ InterpolationMissingOptionError, NoOptionError, NoSectionError
+
+ # Interpolate missing known/option as option from default section
+@@ -327,7 +327,7 @@ after = 1.conf
+ # mix it with defaults:
+ return set(opts.keys()) | set(self._defaults)
+ # only own option names:
+- return opts.keys()
++ return list(opts.keys())
+
+ def read(self, filenames, get_includes=True):
+ if not isinstance(filenames, list):
+@@ -356,7 +356,7 @@ after = 1.conf
+ ret += i
+ # merge defaults and all sections to self:
+ alld.update(cfg.get_defaults())
+- for n, s in cfg.get_sections().iteritems():
++ for n, s in cfg.get_sections().items():
+ # conditional sections
+ cond = SafeConfigParserWithIncludes.CONDITIONAL_RE.match(n)
+ if cond:
+@@ -366,7 +366,7 @@ after = 1.conf
+ del(s['__name__'])
+ except KeyError:
+ pass
+- for k in s.keys():
++ for k in list(s.keys()):
+ v = s.pop(k)
+ s[k + cond] = v
+ s2 = alls.get(n)
+@@ -399,7 +399,7 @@ after = 1.conf
+ sec.update(options)
+ return
+ sk = {}
+- for k, v in options.iteritems():
++ for k, v in options.items():
+ if not k.startswith(pref) and k != '__name__':
+ sk[pref+k] = v
+ sec.update(sk)
+diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
+index 20709b72..b5167409 100644
+--- a/fail2ban/client/configreader.py
++++ b/fail2ban/client/configreader.py
+@@ -26,7 +26,7 @@ __license__ = "GPL"
+
+ import glob
+ import os
+-from ConfigParser import NoOptionError, NoSectionError
++from configparser import NoOptionError, NoSectionError
+
+ from .configparserinc import sys, SafeConfigParserWithIncludes, logLevel
+ from ..helpers import getLogger, _as_bool, _merge_dicts, substituteRecursiveTags
+@@ -197,7 +197,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
+ config_files += sorted(glob.glob('%s/*.local' % config_dir))
+
+ # choose only existing ones
+- config_files = filter(os.path.exists, config_files)
++ config_files = list(filter(os.path.exists, config_files))
+
+ if len(config_files):
+ # at least one config exists and accessible
+diff --git a/fail2ban/client/csocket.py b/fail2ban/client/csocket.py
+index ab3e294b..9417cde9 100644
+--- a/fail2ban/client/csocket.py
++++ b/fail2ban/client/csocket.py
+@@ -47,7 +47,7 @@ class CSocket:
+
+ def send(self, msg, nonblocking=False, timeout=None):
+ # Convert every list member to string
+- obj = dumps(map(CSocket.convert, msg), HIGHEST_PROTOCOL)
++ obj = dumps(list(map(CSocket.convert, msg)), HIGHEST_PROTOCOL)
+ self.__csock.send(obj + CSPROTO.END)
+ return self.receive(self.__csock, nonblocking, timeout)
+
+@@ -71,7 +71,7 @@ class CSocket:
+ @staticmethod
+ def convert(m):
+ """Convert every "unexpected" member of message to string"""
+- if isinstance(m, (basestring, bool, int, float, list, dict, set)):
++ if isinstance(m, (str, bool, int, float, list, dict, set)):
+ return m
+ else: # pragma: no cover
+ return str(m)
+diff --git a/fail2ban/client/fail2banclient.py b/fail2ban/client/fail2banclient.py
+index 7c90ca40..7eb11684 100755
+--- a/fail2ban/client/fail2banclient.py
++++ b/fail2ban/client/fail2banclient.py
+@@ -45,7 +45,7 @@ def _thread_name():
+ return threading.current_thread().__class__.__name__
+
+ def input_command(): # pragma: no cover
+- return raw_input(PROMPT)
++ return input(PROMPT)
+
+ ##
+ #
+@@ -444,7 +444,7 @@ class Fail2banClient(Fail2banCmdLine, Thread):
+ return False
+ finally:
+ self._alive = False
+- for s, sh in _prev_signals.iteritems():
++ for s, sh in _prev_signals.items():
+ signal.signal(s, sh)
+
+
+diff --git a/fail2ban/client/fail2banregex.py b/fail2ban/client/fail2banregex.py
+index 513b765d..4a71b3c0 100644
+--- a/fail2ban/client/fail2banregex.py
++++ b/fail2ban/client/fail2banregex.py
+@@ -41,10 +41,10 @@ import shlex
+ import sys
+ import time
+ import time
+-import urllib
++import urllib.request, urllib.parse, urllib.error
+ from optparse import OptionParser, Option
+
+-from ConfigParser import NoOptionError, NoSectionError, MissingSectionHeaderError
++from configparser import NoOptionError, NoSectionError, MissingSectionHeaderError
+
+ try: # pragma: no cover
+ from ..server.filtersystemd import FilterSystemd
+@@ -68,7 +68,7 @@ def debuggexURL(sample, regex, multiline=False, useDns="yes"):
+ 'flavor': 'python'
+ }
+ if multiline: args['flags'] = 'm'
+- return 'https://www.debuggex.com/?' + urllib.urlencode(args)
++ return 'https://www.debuggex.com/?' + urllib.parse.urlencode(args)
+
+ def output(args): # pragma: no cover (overriden in test-cases)
+ print(args)
+@@ -244,7 +244,7 @@ class Fail2banRegex(object):
+
+ def __init__(self, opts):
+ # set local protected members from given options:
+- self.__dict__.update(dict(('_'+o,v) for o,v in opts.__dict__.iteritems()))
++ self.__dict__.update(dict(('_'+o,v) for o,v in opts.__dict__.items()))
+ self._opts = opts
+ self._maxlines_set = False # so we allow to override maxlines in cmdline
+ self._datepattern_set = False
+@@ -304,7 +304,7 @@ class Fail2banRegex(object):
+ realopts = {}
+ combopts = reader.getCombined()
+ # output all options that are specified in filter-argument as well as some special (mostly interested):
+- for k in ['logtype', 'datepattern'] + fltOpt.keys():
++ for k in ['logtype', 'datepattern'] + list(fltOpt.keys()):
+ # combined options win, but they contain only a sub-set in filter expected keys,
+ # so get the rest from definition section:
+ try:
+@@ -424,7 +424,7 @@ class Fail2banRegex(object):
+ self.output( "Use %11s line : %s" % (regex, shortstr(value)) )
+ regex_values = {regextype: [RegexStat(value)]}
+
+- for regextype, regex_values in regex_values.iteritems():
++ for regextype, regex_values in regex_values.items():
+ regex = regextype + 'regex'
+ setattr(self, "_" + regex, regex_values)
+ for regex in regex_values:
+@@ -523,10 +523,10 @@ class Fail2banRegex(object):
+ output(ret[1])
+ elif self._opts.out == 'msg':
+ for ret in ret:
+- output('\n'.join(map(lambda v:''.join(v for v in v), ret[3].get('matches'))))
++ output('\n'.join([''.join(v for v in v) for v in ret[3].get('matches')]))
+ elif self._opts.out == 'row':
+ for ret in ret:
+- output('[%r,\t%r,\t%r],' % (ret[1],ret[2],dict((k,v) for k, v in ret[3].iteritems() if k != 'matches')))
++ output('[%r,\t%r,\t%r],' % (ret[1],ret[2],dict((k,v) for k, v in ret[3].items() if k != 'matches')))
+ else:
+ for ret in ret:
+ output(ret[3].get(self._opts.out))
+@@ -565,9 +565,9 @@ class Fail2banRegex(object):
+ ans = [[]]
+ for arg in [l, regexlist]:
+ ans = [ x + [y] for x in ans for y in arg ]
+- b = map(lambda a: a[0] + ' | ' + a[1].getFailRegex() + ' | ' +
++ b = [a[0] + ' | ' + a[1].getFailRegex() + ' | ' +
+ debuggexURL(self.encode_line(a[0]), a[1].getFailRegex(),
+- multiline, self._opts.usedns), ans)
++ multiline, self._opts.usedns) for a in ans]
+ pprint_list([x.rstrip() for x in b], header)
+ else:
+ output( "%s too many to print. Use --print-all-%s " \
+diff --git a/fail2ban/client/filterreader.py b/fail2ban/client/filterreader.py
+index 413f125e..4f0cc4cf 100644
+--- a/fail2ban/client/filterreader.py
++++ b/fail2ban/client/filterreader.py
+@@ -71,7 +71,7 @@ class FilterReader(DefinitionInitConfigReader):
+ @staticmethod
+ def _fillStream(stream, opts, jailName):
+ prio0idx = 0
+- for opt, value in opts.iteritems():
++ for opt, value in opts.items():
+ if opt in ("failregex", "ignoreregex"):
+ if value is None: continue
+ multi = []
+diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py
+index 50c1d047..969d0bc0 100644
+--- a/fail2ban/client/jailreader.py
++++ b/fail2ban/client/jailreader.py
+@@ -117,7 +117,7 @@ class JailReader(ConfigReader):
+ }
+ _configOpts.update(FilterReader._configOpts)
+
+- _ignoreOpts = set(['action', 'filter', 'enabled'] + FilterReader._configOpts.keys())
++ _ignoreOpts = set(['action', 'filter', 'enabled'] + list(FilterReader._configOpts.keys()))
+
+ def getOptions(self):
+
+@@ -236,7 +236,7 @@ class JailReader(ConfigReader):
+ stream.extend(self.__filter.convert())
+ # and using options from jail:
+ FilterReader._fillStream(stream, self.__opts, self.__name)
+- for opt, value in self.__opts.iteritems():
++ for opt, value in self.__opts.items():
+ if opt == "logpath":
+ if self.__opts.get('backend', '').startswith("systemd"): continue
+ found_files = 0
+diff --git a/fail2ban/helpers.py b/fail2ban/helpers.py
+index 6f2bcdd7..7e563696 100644
+--- a/fail2ban/helpers.py
++++ b/fail2ban/helpers.py
+@@ -31,6 +31,7 @@ import traceback
+ from threading import Lock
+
+ from .server.mytime import MyTime
++import importlib
+
+ try:
+ import ctypes
+@@ -63,7 +64,7 @@ if sys.version_info < (3,): # pragma: 3.x no cover
+ from imp import load_dynamic as __ldm
+ _sys = __ldm('_sys', 'sys')
+ except ImportError: # pragma: no cover - only if load_dynamic fails
+- reload(sys)
++ importlib.reload(sys)
+ _sys = sys
+ if hasattr(_sys, "setdefaultencoding"):
+ _sys.setdefaultencoding(encoding)
+@@ -101,7 +102,7 @@ if sys.version_info >= (3,): # pragma: 2.x no cover
+ else: # pragma: 3.x no cover
+ def uni_decode(x, enc=PREFER_ENC, errors='strict'):
+ try:
+- if isinstance(x, unicode):
++ if isinstance(x, str):
+ return x.encode(enc, errors)
+ return x
+ except (UnicodeDecodeError, UnicodeEncodeError): # pragma: no cover - unsure if reachable
+@@ -110,7 +111,7 @@ else: # pragma: 3.x no cover
+ return x.encode(enc, 'replace')
+ if sys.getdefaultencoding().upper() != 'UTF-8': # pragma: no cover - utf-8 is default encoding now
+ def uni_string(x):
+- if not isinstance(x, unicode):
++ if not isinstance(x, str):
+ return str(x)
+ return x.encode(PREFER_ENC, 'replace')
+ else:
+@@ -118,7 +119,7 @@ else: # pragma: 3.x no cover
+
+
+ def _as_bool(val):
+- return bool(val) if not isinstance(val, basestring) \
++ return bool(val) if not isinstance(val, str) \
+ else val.lower() in ('1', 'on', 'true', 'yes')
+
+
+@@ -326,7 +327,7 @@ def splitwords(s):
+ """
+ if not s:
+ return []
+- return filter(bool, map(lambda v: v.strip(), re.split('[ ,\n]+', s)))
++ return list(filter(bool, [v.strip() for v in re.split('[ ,\n]+', s)]))
+
+ if sys.version_info >= (3,5):
+ eval(compile(r'''if 1:
+@@ -436,7 +437,7 @@ def substituteRecursiveTags(inptags, conditional='',
+ while True:
+ repFlag = False
+ # substitute each value:
+- for tag in tags.iterkeys():
++ for tag in tags.keys():
+ # ignore escaped or already done (or in ignore list):
+ if tag in ignore or tag in done: continue
+ # ignore replacing callable items from calling map - should be converted on demand only (by get):
+@@ -476,7 +477,7 @@ def substituteRecursiveTags(inptags, conditional='',
+ m = tre_search(value, m.end())
+ continue
+ # if calling map - be sure we've string:
+- if not isinstance(repl, basestring): repl = uni_string(repl)
++ if not isinstance(repl, str): repl = uni_string(repl)
+ value = value.replace('<%s>' % rtag, repl)
+ #logSys.log(5, 'value now: %s' % value)
+ # increment reference count:
+diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py
+index 5c817fc0..81d50689 100644
+--- a/fail2ban/server/action.py
++++ b/fail2ban/server/action.py
+@@ -111,9 +111,9 @@ class CallingMap(MutableMapping, object):
+ def _asdict(self, calculated=False, checker=None):
+ d = dict(self.data, **self.storage)
+ if not calculated:
+- return dict((n,v) for n,v in d.iteritems() \
++ return dict((n,v) for n,v in d.items() \
+ if not callable(v) or n in self.CM_REPR_ITEMS)
+- for n,v in d.items():
++ for n,v in list(d.items()):
+ if callable(v):
+ try:
+ # calculate:
+@@ -179,7 +179,7 @@ class CallingMap(MutableMapping, object):
+ return self.__class__(_merge_copy_dicts(self.data, self.storage))
+
+
+-class ActionBase(object):
++class ActionBase(object, metaclass=ABCMeta):
+ """An abstract base class for actions in Fail2Ban.
+
+ Action Base is a base definition of what methods need to be in
+@@ -209,7 +209,6 @@ class ActionBase(object):
+ Any additional arguments specified in `jail.conf` or passed
+ via `fail2ban-client` will be passed as keyword arguments.
+ """
+- __metaclass__ = ABCMeta
+
+ @classmethod
+ def __subclasshook__(cls, C):
+@@ -420,7 +419,7 @@ class CommandAction(ActionBase):
+ if not callable(family): # pragma: no cover
+ return self.__substCache.get(key, {}).get(family)
+ # family as expression - use it to filter values:
+- return [v for f, v in self.__substCache.get(key, {}).iteritems() if family(f)]
++ return [v for f, v in self.__substCache.get(key, {}).items() if family(f)]
+ cmd = args[0]
+ if cmd: # set:
+ try:
+@@ -432,7 +431,7 @@ class CommandAction(ActionBase):
+ try:
+ famd = self.__substCache[key]
+ cmd = famd.pop(family)
+- for family, v in famd.items():
++ for family, v in list(famd.items()):
+ if v == cmd:
+ del famd[family]
+ except KeyError: # pragma: no cover
+@@ -448,7 +447,7 @@ class CommandAction(ActionBase):
+ res = True
+ err = 'Script error'
+ if not family: # all started:
+- family = [famoper for (famoper,v) in self.__started.iteritems() if v]
++ family = [famoper for (famoper,v) in self.__started.items() if v]
+ for famoper in family:
+ try:
+ cmd = self._getOperation(tag, famoper)
+@@ -617,7 +616,7 @@ class CommandAction(ActionBase):
+ and executes the resulting command.
+ """
+ # collect started families, may be started on demand (conditional):
+- family = [f for (f,v) in self.__started.iteritems() if v & 3 == 3]; # started and contains items
++ family = [f for (f,v) in self.__started.items() if v & 3 == 3]; # started and contains items
+ # if nothing contains items:
+ if not family: return True
+ # flush:
+@@ -642,7 +641,7 @@ class CommandAction(ActionBase):
+ """
+ # collect started families, if started on demand (conditional):
+ if family is None:
+- family = [f for (f,v) in self.__started.iteritems() if v]
++ family = [f for (f,v) in self.__started.items() if v]
+ # if no started (on demand) actions:
+ if not family: return True
+ self.__started = {}
+@@ -676,7 +675,7 @@ class CommandAction(ActionBase):
+ ret = True
+ # for each started family:
+ if self.actioncheck:
+- for (family, started) in self.__started.items():
++ for (family, started) in list(self.__started.items()):
+ if started and not self._invariantCheck(family, beforeRepair):
+ # reset started flag and command of executed operation:
+ self.__started[family] = 0
+diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py
+index 24fea838..94b9c3ed 100644
+--- a/fail2ban/server/actions.py
++++ b/fail2ban/server/actions.py
+@@ -156,11 +156,11 @@ class Actions(JailThread, Mapping):
+ else:
+ if hasattr(self, '_reload_actions'):
+ # reload actions after all parameters set via stream:
+- for name, initOpts in self._reload_actions.iteritems():
++ for name, initOpts in self._reload_actions.items():
+ if name in self._actions:
+ self._actions[name].reload(**(initOpts if initOpts else {}))
+ # remove obsolete actions (untouched by reload process):
+- delacts = OrderedDict((name, action) for name, action in self._actions.iteritems()
++ delacts = OrderedDict((name, action) for name, action in self._actions.items()
+ if name not in self._reload_actions)
+ if len(delacts):
+ # unban all tickets using removed actions only:
+@@ -289,7 +289,7 @@ class Actions(JailThread, Mapping):
+ """
+ if actions is None:
+ actions = self._actions
+- revactions = actions.items()
++ revactions = list(actions.items())
+ revactions.reverse()
+ for name, action in revactions:
+ try:
+@@ -314,7 +314,7 @@ class Actions(JailThread, Mapping):
+ True when the thread exits nicely.
+ """
+ cnt = 0
+- for name, action in self._actions.iteritems():
++ for name, action in self._actions.items():
+ try:
+ action.start()
+ except Exception as e:
+@@ -474,7 +474,7 @@ class Actions(JailThread, Mapping):
+ Observers.Main.add('banFound', bTicket, self._jail, btime)
+ logSys.notice("[%s] %sBan %s", self._jail.name, ('' if not bTicket.restored else 'Restore '), ip)
+ # do actions :
+- for name, action in self._actions.iteritems():
++ for name, action in self._actions.items():
+ try:
+ if ticket.restored and getattr(action, 'norestored', False):
+ continue
+@@ -511,13 +511,13 @@ class Actions(JailThread, Mapping):
+ if bTicket.banEpoch == self.banEpoch and diftm > 3:
+ # avoid too often checks:
+ if not rebanacts and MyTime.time() > self.__lastConsistencyCheckTM + 3:
+- for action in self._actions.itervalues():
++ for action in self._actions.values():
+ action.consistencyCheck()
+ self.__lastConsistencyCheckTM = MyTime.time()
+ # check epoch in order to reban it:
+ if bTicket.banEpoch < self.banEpoch:
+ if not rebanacts: rebanacts = dict(
+- (name, action) for name, action in self._actions.iteritems()
++ (name, action) for name, action in self._actions.items()
+ if action.banEpoch > bTicket.banEpoch)
+ cnt += self.__reBan(bTicket, actions=rebanacts)
+ else: # pragma: no cover - unexpected: ticket is not banned for some reasons - reban using all actions:
+@@ -542,8 +542,8 @@ class Actions(JailThread, Mapping):
+ ip = ticket.getIP()
+ aInfo = self.__getActionInfo(ticket)
+ if log:
+- logSys.notice("[%s] Reban %s%s", self._jail.name, aInfo["ip"], (', action %r' % actions.keys()[0] if len(actions) == 1 else ''))
+- for name, action in actions.iteritems():
++ logSys.notice("[%s] Reban %s%s", self._jail.name, aInfo["ip"], (', action %r' % list(actions.keys())[0] if len(actions) == 1 else ''))
++ for name, action in actions.items():
+ try:
+ logSys.debug("[%s] action %r: reban %s", self._jail.name, name, ip)
+ if not aInfo.immutable: aInfo.reset()
+@@ -567,7 +567,7 @@ class Actions(JailThread, Mapping):
+ if not self.__banManager._inBanList(ticket): return
+ # do actions :
+ aInfo = None
+- for name, action in self._actions.iteritems():
++ for name, action in self._actions.items():
+ try:
+ if ticket.restored and getattr(action, 'norestored', False):
+ continue
+@@ -616,7 +616,7 @@ class Actions(JailThread, Mapping):
+ cnt = 0
+ # first we'll execute flush for actions supporting this operation:
+ unbactions = {}
+- for name, action in (actions if actions is not None else self._actions).iteritems():
++ for name, action in (actions if actions is not None else self._actions).items():
+ try:
+ if hasattr(action, 'flush') and (not isinstance(action, CommandAction) or action.actionflush):
+ logSys.notice("[%s] Flush ticket(s) with %s", self._jail.name, name)
+@@ -671,7 +671,7 @@ class Actions(JailThread, Mapping):
+ aInfo = self.__getActionInfo(ticket)
+ if log:
+ logSys.notice("[%s] Unban %s", self._jail.name, aInfo["ip"])
+- for name, action in unbactions.iteritems():
++ for name, action in unbactions.items():
+ try:
+ logSys.debug("[%s] action %r: unban %s", self._jail.name, name, ip)
+ if not aInfo.immutable: aInfo.reset()
+diff --git a/fail2ban/server/asyncserver.py b/fail2ban/server/asyncserver.py
+index e3400737..f5f9740b 100644
+--- a/fail2ban/server/asyncserver.py
++++ b/fail2ban/server/asyncserver.py
+@@ -178,7 +178,7 @@ def loop(active, timeout=None, use_poll=False, err_count=None):
+ elif err_count['listen'] > 100: # pragma: no cover - normally unreachable
+ if (
+ e.args[0] == errno.EMFILE # [Errno 24] Too many open files
+- or sum(err_count.itervalues()) > 1000
++ or sum(err_count.values()) > 1000
+ ):
+ logSys.critical("Too many errors - critical count reached %r", err_count)
+ break
+@@ -220,7 +220,7 @@ class AsyncServer(asyncore.dispatcher):
+ elif self.__errCount['accept'] > 100:
+ if (
+ (isinstance(e, socket.error) and e.args[0] == errno.EMFILE) # [Errno 24] Too many open files
+- or sum(self.__errCount.itervalues()) > 1000
++ or sum(self.__errCount.values()) > 1000
+ ):
+ logSys.critical("Too many errors - critical count reached %r", self.__errCount)
+ self.stop()
+diff --git a/fail2ban/server/banmanager.py b/fail2ban/server/banmanager.py
+index 5770bfd7..9bb44971 100644
+--- a/fail2ban/server/banmanager.py
++++ b/fail2ban/server/banmanager.py
+@@ -105,9 +105,9 @@ class BanManager:
+ def getBanList(self, ordered=False, withTime=False):
+ with self.__lock:
+ if not ordered:
+- return self.__banList.keys()
++ return list(self.__banList.keys())
+ lst = []
+- for ticket in self.__banList.itervalues():
++ for ticket in self.__banList.values():
+ eob = ticket.getEndOfBanTime(self.__banTime)
+ lst.append((ticket,eob))
+ lst.sort(key=lambda t: t[1])
+@@ -126,7 +126,7 @@ class BanManager:
+
+ def __iter__(self):
+ with self.__lock:
+- return self.__banList.itervalues()
++ return iter(self.__banList.values())
+
+ ##
+ # Returns normalized value
+@@ -165,7 +165,7 @@ class BanManager:
+ return return_dict
+ # get ips in lock:
+ with self.__lock:
+- banIPs = [banData.getIP() for banData in self.__banList.values()]
++ banIPs = [banData.getIP() for banData in list(self.__banList.values())]
+ # get cymru info:
+ try:
+ for ip in banIPs:
+@@ -341,7 +341,7 @@ class BanManager:
+ # Gets the list of ticket to remove (thereby correct next unban time).
+ unBanList = {}
+ nextUnbanTime = BanTicket.MAX_TIME
+- for fid,ticket in self.__banList.iteritems():
++ for fid,ticket in self.__banList.items():
+ # current time greater as end of ban - timed out:
+ eob = ticket.getEndOfBanTime(self.__banTime)
+ if time > eob:
+@@ -357,15 +357,15 @@ class BanManager:
+ if len(unBanList):
+ if len(unBanList) / 2.0 <= len(self.__banList) / 3.0:
+ # few as 2/3 should be removed - remove particular items:
+- for fid in unBanList.iterkeys():
++ for fid in unBanList.keys():
+ del self.__banList[fid]
+ else:
+ # create new dictionary without items to be deleted:
+- self.__banList = dict((fid,ticket) for fid,ticket in self.__banList.iteritems() \
++ self.__banList = dict((fid,ticket) for fid,ticket in self.__banList.items() \
+ if fid not in unBanList)
+
+ # return list of tickets:
+- return unBanList.values()
++ return list(unBanList.values())
+
+ ##
+ # Flush the ban list.
+@@ -375,7 +375,7 @@ class BanManager:
+
+ def flushBanList(self):
+ with self.__lock:
+- uBList = self.__banList.values()
++ uBList = list(self.__banList.values())
+ self.__banList = dict()
+ return uBList
+
+diff --git a/fail2ban/server/database.py b/fail2ban/server/database.py
+index ed736a7a..0e8c9aec 100644
+--- a/fail2ban/server/database.py
++++ b/fail2ban/server/database.py
+@@ -67,13 +67,13 @@ if sys.version_info >= (3,): # pragma: 2.x no cover
+ else: # pragma: 3.x no cover
+ def _normalize(x):
+ if isinstance(x, dict):
+- return dict((_normalize(k), _normalize(v)) for k, v in x.iteritems())
++ return dict((_normalize(k), _normalize(v)) for k, v in x.items())
+ elif isinstance(x, (list, set)):
+ return [_normalize(element) for element in x]
+- elif isinstance(x, unicode):
++ elif isinstance(x, str):
+ # in 2.x default text_factory is unicode - so return proper unicode here:
+ return x.encode(PREFER_ENC, 'replace').decode(PREFER_ENC)
+- elif isinstance(x, basestring):
++ elif isinstance(x, str):
+ return x.decode(PREFER_ENC, 'replace')
+ return x
+
+diff --git a/fail2ban/server/failmanager.py b/fail2ban/server/failmanager.py
+index 93c028fb..a9c6b5f6 100644
+--- a/fail2ban/server/failmanager.py
++++ b/fail2ban/server/failmanager.py
+@@ -57,7 +57,7 @@ class FailManager:
+ def getFailCount(self):
+ # may be slow on large list of failures, should be used for test purposes only...
+ with self.__lock:
+- return len(self.__failList), sum([f.getRetry() for f in self.__failList.values()])
++ return len(self.__failList), sum([f.getRetry() for f in list(self.__failList.values())])
+
+ def getFailTotal(self):
+ with self.__lock:
+@@ -125,7 +125,7 @@ class FailManager:
+ # in case of having many active failures, it should be ran only
+ # if debug level is "low" enough
+ failures_summary = ', '.join(['%s:%d' % (k, v.getRetry())
+- for k,v in self.__failList.iteritems()])
++ for k,v in self.__failList.items()])
+ logSys.log(logLevel, "Total # of detected failures: %d. Current failures from %d IPs (IP:count): %s"
+ % (self.__failTotal, len(self.__failList), failures_summary))
+
+@@ -138,7 +138,7 @@ class FailManager:
+
+ def cleanup(self, time):
+ with self.__lock:
+- todelete = [fid for fid,item in self.__failList.iteritems() \
++ todelete = [fid for fid,item in self.__failList.items() \
+ if item.getLastTime() + self.__maxTime <= time]
+ if len(todelete) == len(self.__failList):
+ # remove all:
+@@ -152,7 +152,7 @@ class FailManager:
+ del self.__failList[fid]
+ else:
+ # create new dictionary without items to be deleted:
+- self.__failList = dict((fid,item) for fid,item in self.__failList.iteritems() \
++ self.__failList = dict((fid,item) for fid,item in self.__failList.items() \
+ if item.getLastTime() + self.__maxTime > time)
+ self.__bgSvc.service()
+
+diff --git a/fail2ban/server/failregex.py b/fail2ban/server/failregex.py
+index f7dafbef..fb75187d 100644
+--- a/fail2ban/server/failregex.py
++++ b/fail2ban/server/failregex.py
+@@ -128,10 +128,7 @@ class Regex:
+ self._regexObj = re.compile(regex, re.MULTILINE if multiline else 0)
+ self._regex = regex
+ self._altValues = {}
+- for k in filter(
+- lambda k: len(k) > len(ALTNAME_PRE) and k.startswith(ALTNAME_PRE),
+- self._regexObj.groupindex
+- ):
++ for k in [k for k in self._regexObj.groupindex if len(k) > len(ALTNAME_PRE) and k.startswith(ALTNAME_PRE)]:
+ n = ALTNAME_CRE.match(k).group(1)
+ self._altValues[k] = n
+ self._altValues = list(self._altValues.items()) if len(self._altValues) else None
+@@ -211,7 +208,7 @@ class Regex:
+ #
+ @staticmethod
+ def _tupleLinesBuf(tupleLines):
+- return "\n".join(map(lambda v: "".join(v[::2]), tupleLines)) + "\n"
++ return "\n".join(["".join(v[::2]) for v in tupleLines]) + "\n"
+
+ ##
+ # Searches the regular expression.
+@@ -223,7 +220,7 @@ class Regex:
+
+ def search(self, tupleLines, orgLines=None):
+ buf = tupleLines
+- if not isinstance(tupleLines, basestring):
++ if not isinstance(tupleLines, str):
+ buf = Regex._tupleLinesBuf(tupleLines)
+ self._matchCache = self._regexObj.search(buf)
+ if self._matchCache:
+diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py
+index 998fe298..d181fd38 100644
+--- a/fail2ban/server/filter.py
++++ b/fail2ban/server/filter.py
+@@ -292,7 +292,7 @@ class Filter(JailThread):
+ dd = DateDetector()
+ dd.default_tz = self.__logtimezone
+ if not isinstance(pattern, (list, tuple)):
+- pattern = filter(bool, map(str.strip, re.split('\n+', pattern)))
++ pattern = list(filter(bool, list(map(str.strip, re.split('\n+', pattern)))))
+ for pattern in pattern:
+ dd.appendTemplate(pattern)
+ self.dateDetector = dd
+@@ -987,7 +987,7 @@ class FileFilter(Filter):
+ # @return log paths
+
+ def getLogPaths(self):
+- return self.__logs.keys()
++ return list(self.__logs.keys())
+
+ ##
+ # Get the log containers
+@@ -995,7 +995,7 @@ class FileFilter(Filter):
+ # @return log containers
+
+ def getLogs(self):
+- return self.__logs.values()
++ return list(self.__logs.values())
+
+ ##
+ # Get the count of log containers
+@@ -1021,7 +1021,7 @@ class FileFilter(Filter):
+
+ def setLogEncoding(self, encoding):
+ encoding = super(FileFilter, self).setLogEncoding(encoding)
+- for log in self.__logs.itervalues():
++ for log in self.__logs.values():
+ log.setEncoding(encoding)
+
+ def getLog(self, path):
+@@ -1183,7 +1183,7 @@ class FileFilter(Filter):
+ """Status of Filter plus files being monitored.
+ """
+ ret = super(FileFilter, self).status(flavor=flavor)
+- path = self.__logs.keys()
++ path = list(self.__logs.keys())
+ ret.append(("File list", path))
+ return ret
+
+@@ -1191,7 +1191,7 @@ class FileFilter(Filter):
+ """Stop monitoring of log-file(s)
+ """
+ # stop files monitoring:
+- for path in self.__logs.keys():
++ for path in list(self.__logs.keys()):
+ self.delLogPath(path)
+ # stop thread:
+ super(Filter, self).stop()
+diff --git a/fail2ban/server/filterpoll.py b/fail2ban/server/filterpoll.py
+index 228a2c8b..d49315cc 100644
+--- a/fail2ban/server/filterpoll.py
++++ b/fail2ban/server/filterpoll.py
+@@ -176,4 +176,4 @@ class FilterPoll(FileFilter):
+ return False
+
+ def getPendingPaths(self):
+- return self.__file404Cnt.keys()
++ return list(self.__file404Cnt.keys())
+diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py
+index ca6b253f..b683b860 100644
+--- a/fail2ban/server/filterpyinotify.py
++++ b/fail2ban/server/filterpyinotify.py
+@@ -158,7 +158,7 @@ class FilterPyinotify(FileFilter):
+ except KeyError: pass
+
+ def getPendingPaths(self):
+- return self.__pending.keys()
++ return list(self.__pending.keys())
+
+ def _checkPending(self):
+ if not self.__pending:
+@@ -168,7 +168,7 @@ class FilterPyinotify(FileFilter):
+ return
+ found = {}
+ minTime = 60
+- for path, (retardTM, isDir) in self.__pending.iteritems():
++ for path, (retardTM, isDir) in self.__pending.items():
+ if ntm - self.__pendingChkTime < retardTM:
+ if minTime > retardTM: minTime = retardTM
+ continue
+@@ -184,7 +184,7 @@ class FilterPyinotify(FileFilter):
+ self.__pendingChkTime = time.time()
+ self.__pendingMinTime = minTime
+ # process now because we've missed it in monitoring:
+- for path, isDir in found.iteritems():
++ for path, isDir in found.items():
+ self._delPending(path)
+ # refresh monitoring of this:
+ self._refreshWatcher(path, isDir=isDir)
+diff --git a/fail2ban/server/ipdns.py b/fail2ban/server/ipdns.py
+index 6648dac6..fe8f8db8 100644
+--- a/fail2ban/server/ipdns.py
++++ b/fail2ban/server/ipdns.py
+@@ -275,7 +275,7 @@ class IPAddr(object):
+ raise ValueError("invalid ipstr %r, too many plen representation" % (ipstr,))
+ if "." in s[1] or ":" in s[1]: # 255.255.255.0 resp. ffff:: style mask
+ s[1] = IPAddr.masktoplen(s[1])
+- s[1] = long(s[1])
++ s[1] = int(s[1])
+ return s
+
+ def __init(self, ipstr, cidr=CIDR_UNSPEC):
+@@ -309,7 +309,7 @@ class IPAddr(object):
+
+ # mask out host portion if prefix length is supplied
+ if cidr is not None and cidr >= 0:
+- mask = ~(0xFFFFFFFFL >> cidr)
++ mask = ~(0xFFFFFFFF >> cidr)
+ self._addr &= mask
+ self._plen = cidr
+
+@@ -321,13 +321,13 @@ class IPAddr(object):
+
+ # mask out host portion if prefix length is supplied
+ if cidr is not None and cidr >= 0:
+- mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL >> cidr)
++ mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF >> cidr)
+ self._addr &= mask
+ self._plen = cidr
+
+ # if IPv6 address is a IPv4-compatible, make instance a IPv4
+ elif self.isInNet(IPAddr.IP6_4COMPAT):
+- self._addr = lo & 0xFFFFFFFFL
++ self._addr = lo & 0xFFFFFFFF
+ self._family = socket.AF_INET
+ self._plen = 32
+ else:
+@@ -445,7 +445,7 @@ class IPAddr(object):
+ elif self.isIPv6:
+ # convert network to host byte order
+ hi = self._addr >> 64
+- lo = self._addr & 0xFFFFFFFFFFFFFFFFL
++ lo = self._addr & 0xFFFFFFFFFFFFFFFF
+ binary = struct.pack("!QQ", hi, lo)
+ if self._plen and self._plen < 128:
+ add = "/%d" % self._plen
+@@ -503,9 +503,9 @@ class IPAddr(object):
+ if self.family != net.family:
+ return False
+ if self.isIPv4:
+- mask = ~(0xFFFFFFFFL >> net.plen)
++ mask = ~(0xFFFFFFFF >> net.plen)
+ elif self.isIPv6:
+- mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL >> net.plen)
++ mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF >> net.plen)
+ else:
+ return False
+
+@@ -517,7 +517,7 @@ class IPAddr(object):
+ m4 = (1 << 32)-1
+ mmap = {m6: 128, m4: 32, 0: 0}
+ m = 0
+- for i in xrange(0, 128):
++ for i in range(0, 128):
+ m |= 1 << i
+ if i < 32:
+ mmap[m ^ m4] = 32-1-i
+diff --git a/fail2ban/server/jail.py b/fail2ban/server/jail.py
+index ce9968a8..5fa5ef10 100644
+--- a/fail2ban/server/jail.py
++++ b/fail2ban/server/jail.py
+@@ -26,7 +26,7 @@ __license__ = "GPL"
+ import logging
+ import math
+ import random
+-import Queue
++import queue
+
+ from .actions import Actions
+ from ..helpers import getLogger, _as_bool, extractOptions, MyTime
+@@ -76,7 +76,7 @@ class Jail(object):
+ "might not function correctly. Please shorten"
+ % name)
+ self.__name = name
+- self.__queue = Queue.Queue()
++ self.__queue = queue.Queue()
+ self.__filter = None
+ # Extra parameters for increase ban time
+ self._banExtra = {};
+@@ -127,25 +127,25 @@ class Jail(object):
+ "Failed to initialize any backend for Jail %r" % self.name)
+
+ def _initPolling(self, **kwargs):
+- from filterpoll import FilterPoll
++ from .filterpoll import FilterPoll
+ logSys.info("Jail '%s' uses poller %r" % (self.name, kwargs))
+ self.__filter = FilterPoll(self, **kwargs)
+
+ def _initGamin(self, **kwargs):
+ # Try to import gamin
+- from filtergamin import FilterGamin
++ from .filtergamin import FilterGamin
+ logSys.info("Jail '%s' uses Gamin %r" % (self.name, kwargs))
+ self.__filter = FilterGamin(self, **kwargs)
+
+ def _initPyinotify(self, **kwargs):
+ # Try to import pyinotify
+- from filterpyinotify import FilterPyinotify
++ from .filterpyinotify import FilterPyinotify
+ logSys.info("Jail '%s' uses pyinotify %r" % (self.name, kwargs))
+ self.__filter = FilterPyinotify(self, **kwargs)
+
+ def _initSystemd(self, **kwargs): # pragma: systemd no cover
+ # Try to import systemd
+- from filtersystemd import FilterSystemd
++ from .filtersystemd import FilterSystemd
+ logSys.info("Jail '%s' uses systemd %r" % (self.name, kwargs))
+ self.__filter = FilterSystemd(self, **kwargs)
+
+@@ -213,7 +213,7 @@ class Jail(object):
+ try:
+ ticket = self.__queue.get(False)
+ return ticket
+- except Queue.Empty:
++ except queue.Empty:
+ return False
+
+ def setBanTimeExtra(self, opt, value):
+diff --git a/fail2ban/server/mytime.py b/fail2ban/server/mytime.py
+index 98b69bd4..24bba5cf 100644
+--- a/fail2ban/server/mytime.py
++++ b/fail2ban/server/mytime.py
+@@ -162,7 +162,7 @@ class MyTime:
+
+ @returns number (calculated seconds from expression "val")
+ """
+- if isinstance(val, (int, long, float, complex)):
++ if isinstance(val, (int, float, complex)):
+ return val
+ # replace together standing abbreviations, example '1d12h' -> '1d 12h':
+ val = MyTime._str2sec_prep.sub(r" \1", val)
+diff --git a/fail2ban/server/server.py b/fail2ban/server/server.py
+index 159f6506..fc948e8c 100644
+--- a/fail2ban/server/server.py
++++ b/fail2ban/server/server.py
+@@ -97,7 +97,7 @@ class Server:
+
+ def start(self, sock, pidfile, force=False, observer=True, conf={}):
+ # First set the mask to only allow access to owner
+- os.umask(0077)
++ os.umask(0o077)
+ # Second daemonize before logging etc, because it will close all handles:
+ if self.__daemon: # pragma: no cover
+ logSys.info("Starting in daemon mode")
+@@ -190,7 +190,7 @@ class Server:
+
+ # Restore default signal handlers:
+ if _thread_name() == '_MainThread':
+- for s, sh in self.__prev_signals.iteritems():
++ for s, sh in self.__prev_signals.items():
+ signal.signal(s, sh)
+
+ # Give observer a small chance to complete its work before exit
+@@ -268,10 +268,10 @@ class Server:
+ logSys.info("Stopping all jails")
+ with self.__lock:
+ # 1st stop all jails (signal and stop actions/filter thread):
+- for name in self.__jails.keys():
++ for name in list(self.__jails.keys()):
+ self.delJail(name, stop=True, join=False)
+ # 2nd wait for end and delete jails:
+- for name in self.__jails.keys():
++ for name in list(self.__jails.keys()):
+ self.delJail(name, stop=False, join=True)
+
+ def reloadJails(self, name, opts, begin):
+@@ -302,7 +302,7 @@ class Server:
+ if "--restart" in opts:
+ self.stopAllJail()
+ # first set all affected jail(s) to idle and reset filter regex and other lists/dicts:
+- for jn, jail in self.__jails.iteritems():
++ for jn, jail in self.__jails.items():
+ if name == '--all' or jn == name:
+ jail.idle = True
+ self.__reload_state[jn] = jail
+@@ -313,7 +313,7 @@ class Server:
+ # end reload, all affected (or new) jails have already all new parameters (via stream) and (re)started:
+ with self.__lock:
+ deljails = []
+- for jn, jail in self.__jails.iteritems():
++ for jn, jail in self.__jails.items():
+ # still in reload state:
+ if jn in self.__reload_state:
+ # remove jails that are not reloaded (untouched, so not in new configuration)
+@@ -513,7 +513,7 @@ class Server:
+ jails = [self.__jails[name]]
+ else:
+ # in all jails:
+- jails = self.__jails.values()
++ jails = list(self.__jails.values())
+ # unban given or all (if value is None):
+ cnt = 0
+ ifexists |= (name is None)
+@@ -551,7 +551,7 @@ class Server:
+ def isAlive(self, jailnum=None):
+ if jailnum is not None and len(self.__jails) != jailnum:
+ return 0
+- for jail in self.__jails.values():
++ for jail in list(self.__jails.values()):
+ if not jail.isAlive():
+ return 0
+ return 1
+@@ -759,7 +759,7 @@ class Server:
+ return "flushed"
+
+ def setThreadOptions(self, value):
+- for o, v in value.iteritems():
++ for o, v in value.items():
+ if o == 'stacksize':
+ threading.stack_size(int(v)*1024)
+ else: # pragma: no cover
+diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py
+index 498d284b..a5579fdc 100644
+--- a/fail2ban/server/strptime.py
++++ b/fail2ban/server/strptime.py
+@@ -79,7 +79,7 @@ timeRE['ExY'] = r"(?P<Y>%s\d)" % _getYearCentRE(cent=(0,3), distance=3)
+ timeRE['Exy'] = r"(?P<y>%s\d)" % _getYearCentRE(cent=(2,3), distance=3)
+
+ def getTimePatternRE():
+- keys = timeRE.keys()
++ keys = list(timeRE.keys())
+ patt = (r"%%(%%|%s|[%s])" % (
+ "|".join([k for k in keys if len(k) > 1]),
+ "".join([k for k in keys if len(k) == 1]),
+@@ -134,7 +134,7 @@ def zone2offset(tz, dt):
+ """
+ if isinstance(tz, int):
+ return tz
+- if isinstance(tz, basestring):
++ if isinstance(tz, str):
+ return validateTimeZone(tz)
+ tz, tzo = tz
+ if tzo is None or tzo == '': # without offset
+@@ -171,7 +171,7 @@ def reGroupDictStrptime(found_dict, msec=False, default_tz=None):
+ year = month = day = hour = minute = tzoffset = \
+ weekday = julian = week_of_year = None
+ second = fraction = 0
+- for key, val in found_dict.iteritems():
++ for key, val in found_dict.items():
+ if val is None: continue
+ # Directives not explicitly handled below:
+ # c, x, X
+diff --git a/fail2ban/server/ticket.py b/fail2ban/server/ticket.py
+index f67e0d23..f0b727c2 100644
+--- a/fail2ban/server/ticket.py
++++ b/fail2ban/server/ticket.py
+@@ -55,7 +55,7 @@ class Ticket(object):
+ self._time = time if time is not None else MyTime.time()
+ self._data = {'matches': matches or [], 'failures': 0}
+ if data is not None:
+- for k,v in data.iteritems():
++ for k,v in data.items():
+ if v is not None:
+ self._data[k] = v
+ if ticket:
+@@ -89,7 +89,7 @@ class Ticket(object):
+
+ def setIP(self, value):
+ # guarantee using IPAddr instead of unicode, str for the IP
+- if isinstance(value, basestring):
++ if isinstance(value, str):
+ value = IPAddr(value)
+ self._ip = value
+
+@@ -181,7 +181,7 @@ class Ticket(object):
+ if len(args) == 1:
+ # todo: if support >= 2.7 only:
+ # self._data = {k:v for k,v in args[0].iteritems() if v is not None}
+- self._data = dict([(k,v) for k,v in args[0].iteritems() if v is not None])
++ self._data = dict([(k,v) for k,v in args[0].items() if v is not None])
+ # add k,v list or dict (merge):
+ elif len(args) == 2:
+ self._data.update((args,))
+@@ -192,7 +192,7 @@ class Ticket(object):
+ # filter (delete) None values:
+ # todo: if support >= 2.7 only:
+ # self._data = {k:v for k,v in self._data.iteritems() if v is not None}
+- self._data = dict([(k,v) for k,v in self._data.iteritems() if v is not None])
++ self._data = dict([(k,v) for k,v in self._data.items() if v is not None])
+
+ def getData(self, key=None, default=None):
+ # return whole data dict:
+@@ -201,17 +201,17 @@ class Ticket(object):
+ # return default if not exists:
+ if not self._data:
+ return default
+- if not isinstance(key,(str,unicode,type(None),int,float,bool,complex)):
++ if not isinstance(key,(str,type(None),int,float,bool,complex)):
+ # return filtered by lambda/function:
+ if callable(key):
+ # todo: if support >= 2.7 only:
+ # return {k:v for k,v in self._data.iteritems() if key(k)}
+- return dict([(k,v) for k,v in self._data.iteritems() if key(k)])
++ return dict([(k,v) for k,v in self._data.items() if key(k)])
+ # return filtered by keys:
+ if hasattr(key, '__iter__'):
+ # todo: if support >= 2.7 only:
+ # return {k:v for k,v in self._data.iteritems() if k in key}
+- return dict([(k,v) for k,v in self._data.iteritems() if k in key])
++ return dict([(k,v) for k,v in self._data.items() if k in key])
+ # return single value of data:
+ return self._data.get(key, default)
+
+diff --git a/fail2ban/server/transmitter.py b/fail2ban/server/transmitter.py
+index f83e9d5f..80726cb4 100644
+--- a/fail2ban/server/transmitter.py
++++ b/fail2ban/server/transmitter.py
+@@ -475,7 +475,7 @@ class Transmitter:
+ opt = command[1][len("bantime."):]
+ return self.__server.getBanTimeExtra(name, opt)
+ elif command[1] == "actions":
+- return self.__server.getActions(name).keys()
++ return list(self.__server.getActions(name).keys())
+ elif command[1] == "action":
+ actionname = command[2]
+ actionvalue = command[3]
+diff --git a/fail2ban/server/utils.py b/fail2ban/server/utils.py
+index d4461a7d..13c24e76 100644
+--- a/fail2ban/server/utils.py
++++ b/fail2ban/server/utils.py
+@@ -57,7 +57,7 @@ _RETCODE_HINTS = {
+
+ # Dictionary to lookup signal name from number
+ signame = dict((num, name)
+- for name, num in signal.__dict__.iteritems() if name.startswith("SIG"))
++ for name, num in signal.__dict__.items() if name.startswith("SIG"))
+
+ class Utils():
+ """Utilities provide diverse static methods like executes OS shell commands, etc.
+@@ -109,7 +109,7 @@ class Utils():
+ break
+ else: # pragma: 3.x no cover (dict is in 2.6 only)
+ remlst = []
+- for (ck, cv) in cache.iteritems():
++ for (ck, cv) in cache.items():
+ # if expired:
+ if cv[1] <= t:
+ remlst.append(ck)
+@@ -152,7 +152,7 @@ class Utils():
+ if not isinstance(realCmd, list):
+ realCmd = [realCmd]
+ i = len(realCmd)-1
+- for k, v in varsDict.iteritems():
++ for k, v in varsDict.items():
+ varsStat += "%s=$%s " % (k, i)
+ realCmd.append(v)
+ i += 1
+diff --git a/fail2ban/tests/action_d/test_badips.py b/fail2ban/tests/action_d/test_badips.py
+index 013c0fdb..3c35e4d7 100644
+--- a/fail2ban/tests/action_d/test_badips.py
++++ b/fail2ban/tests/action_d/test_badips.py
+@@ -32,7 +32,7 @@ from ..utils import LogCaptureTestCase, CONFIG_DIR
+ if sys.version_info >= (3, ): # pragma: 2.x no cover
+ from urllib.error import HTTPError, URLError
+ else: # pragma: 3.x no cover
+- from urllib2 import HTTPError, URLError
++ from urllib.error import HTTPError, URLError
+
+ def skip_if_not_available(f):
+ """Helper to decorate tests to skip in case of timeout/http-errors like "502 bad gateway".
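Review bot: The `else` branch in this hunk now imports the same `urllib.error` names as the Python 3 branch, so the `sys.version_info` check is dead code and its `# pragma: 3.x no cover` marker is misleading. If Python 2 is no longer supported by this patch, collapse the conditional to a single `from urllib.error import HTTPError, URLError`; if it still is, the `else` branch must keep `from urllib2 import HTTPError, URLError`.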
+diff --git a/fail2ban/tests/actiontestcase.py b/fail2ban/tests/actiontestcase.py
+index 1a00c040..ecd09246 100644
+--- a/fail2ban/tests/actiontestcase.py
++++ b/fail2ban/tests/actiontestcase.py
+@@ -244,14 +244,14 @@ class CommandActionTest(LogCaptureTestCase):
+ setattr(self.__action, 'ab', "<ac>")
+ setattr(self.__action, 'x?family=inet6', "")
+ # produce self-referencing properties except:
+- self.assertRaisesRegexp(ValueError, r"properties contain self referencing definitions",
++ self.assertRaisesRegex(ValueError, r"properties contain self referencing definitions",
+ lambda: self.__action.replaceTag("<a><b>",
+ self.__action._properties, conditional="family=inet4")
+ )
+ # remore self-referencing in props:
+ delattr(self.__action, 'ac')
+ # produce self-referencing query except:
+- self.assertRaisesRegexp(ValueError, r"possible self referencing definitions in query",
++ self.assertRaisesRegex(ValueError, r"possible self referencing definitions in query",
+ lambda: self.__action.replaceTag("<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x>>>>>>>>>>>>>>>>>>>>>",
+ self.__action._properties, conditional="family=inet6")
+ )
+diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
+index 2c1d0a0e..aa7908c4 100644
+--- a/fail2ban/tests/clientreadertestcase.py
++++ b/fail2ban/tests/clientreadertestcase.py
+@@ -390,7 +390,7 @@ class JailReaderTest(LogCaptureTestCase):
+ # And multiple groups (`][` instead of `,`)
+ result = extractOptions(option.replace(',', ']['))
+ expected2 = (expected[0],
+- dict((k, v.replace(',', '][')) for k, v in expected[1].iteritems())
++ dict((k, v.replace(',', '][')) for k, v in expected[1].items())
+ )
+ self.assertEqual(expected2, result)
+
+@@ -975,7 +975,7 @@ filter = testfilter1
+ self.assertEqual(add_actions[-1][-1], "{}")
+
+ def testLogPathFileFilterBackend(self):
+- self.assertRaisesRegexp(ValueError, r"Have not found any log file for .* jail",
++ self.assertRaisesRegex(ValueError, r"Have not found any log file for .* jail",
+ self._testLogPath, backend='polling')
+
+ def testLogPathSystemdBackend(self):
+diff --git a/fail2ban/tests/databasetestcase.py b/fail2ban/tests/databasetestcase.py
+index 9a5e9fa1..562461a6 100644
+--- a/fail2ban/tests/databasetestcase.py
++++ b/fail2ban/tests/databasetestcase.py
+@@ -67,7 +67,7 @@ class DatabaseTest(LogCaptureTestCase):
+
+ @property
+ def db(self):
+- if isinstance(self._db, basestring) and self._db == ':auto-create-in-memory:':
++ if isinstance(self._db, str) and self._db == ':auto-create-in-memory:':
+ self._db = getFail2BanDb(self.dbFilename)
+ return self._db
+ @db.setter
+@@ -159,7 +159,7 @@ class DatabaseTest(LogCaptureTestCase):
+ self.db = Fail2BanDb(self.dbFilename)
+ self.assertEqual(self.db.getJailNames(), set(['DummyJail #29162448 with 0 tickets']))
+ self.assertEqual(self.db.getLogPaths(), set(['/tmp/Fail2BanDb_pUlZJh.log']))
+- ticket = FailTicket("127.0.0.1", 1388009242.26, [u"abc\n"])
++ ticket = FailTicket("127.0.0.1", 1388009242.26, ["abc\n"])
+ self.assertEqual(self.db.getBans()[0], ticket)
+
+ self.assertEqual(self.db.updateDb(Fail2BanDb.__version__), Fail2BanDb.__version__)
+@@ -185,9 +185,9 @@ class DatabaseTest(LogCaptureTestCase):
+ self.assertEqual(len(bans), 2)
+ # compare first ticket completely:
+ ticket = FailTicket("1.2.3.7", 1417595494, [
+- u'Dec 3 09:31:08 f2btest test:auth[27658]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
+- u'Dec 3 09:31:32 f2btest test:auth[27671]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
+- u'Dec 3 09:31:34 f2btest test:auth[27673]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7'
++ 'Dec 3 09:31:08 f2btest test:auth[27658]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
++ 'Dec 3 09:31:32 f2btest test:auth[27671]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
++ 'Dec 3 09:31:34 f2btest test:auth[27673]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7'
+ ])
+ ticket.setAttempt(3)
+ self.assertEqual(bans[0], ticket)
+@@ -286,11 +286,11 @@ class DatabaseTest(LogCaptureTestCase):
+ # invalid + valid, invalid + valid unicode, invalid + valid dual converted (like in filter:readline by fallback) ...
+ tickets = [
+ FailTicket("127.0.0.1", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
+- FailTicket("127.0.0.2", 0, ['user "test"', u'user "\xd1\xe2\xe5\xf2\xe0"', u'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
++ FailTicket("127.0.0.2", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
+ FailTicket("127.0.0.3", 0, ['user "test"', b'user "\xd1\xe2\xe5\xf2\xe0"', b'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
+- FailTicket("127.0.0.4", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', u'user "\xe4\xf6\xfc\xdf"']),
++ FailTicket("127.0.0.4", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xe4\xf6\xfc\xdf"']),
+ FailTicket("127.0.0.5", 0, ['user "test"', 'unterminated \xcf']),
+- FailTicket("127.0.0.6", 0, ['user "test"', u'unterminated \xcf']),
++ FailTicket("127.0.0.6", 0, ['user "test"', 'unterminated \xcf']),
+ FailTicket("127.0.0.7", 0, ['user "test"', b'unterminated \xcf'])
+ ]
+ for ticket in tickets:
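Review bot: Dropping the `u` prefix makes the 127.0.0.2 ticket byte-identical to 127.0.0.1 and 127.0.0.6 identical to 127.0.0.5, so the case the comment above this list calls "invalid + valid unicode" no longer exists as a separate input and the str-versus-unicode mixing this test was written to cover is not exercised any more; under Python 3 only the `b'...'` tickets (127.0.0.3, 127.0.0.7) still reach the undecoded path. Either drop the now-duplicate tickets or update the comment so a reader does not assume the coverage survived, e.g. `# Python 3: str == unicode, so the former u'' tickets duplicate the plain ones; only the bytes tickets carry the undecoded case`. The same collapse happens in `testWrongCharInTupleLine` (`for a1 in ('', '', b'')`) in the filtertestcase hunk and in the journal-test hunk of that file further below.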
+diff --git a/fail2ban/tests/datedetectortestcase.py b/fail2ban/tests/datedetectortestcase.py
+index 458f76ef..49ada60d 100644
+--- a/fail2ban/tests/datedetectortestcase.py
++++ b/fail2ban/tests/datedetectortestcase.py
+@@ -279,7 +279,7 @@ class DateDetectorTest(LogCaptureTestCase):
+ self.assertEqual(logTime, mu)
+ self.assertEqual(logMatch.group(1), '2012/10/11 02:37:17')
+ # confuse it with year being at the end
+- for i in xrange(10):
++ for i in range(10):
+ ( logTime, logMatch ) = self.datedetector.getTime('11/10/2012 02:37:17 [error] 18434#0')
+ self.assertEqual(logTime, mu)
+ self.assertEqual(logMatch.group(1), '11/10/2012 02:37:17')
+@@ -505,7 +505,7 @@ class CustomDateFormatsTest(unittest.TestCase):
+ date = dd.getTime(line)
+ if matched:
+ self.assertTrue(date)
+- if isinstance(matched, basestring):
++ if isinstance(matched, str):
+ self.assertEqual(matched, date[1].group(1))
+ else:
+ self.assertEqual(matched, date[0])
+@@ -537,7 +537,7 @@ class CustomDateFormatsTest(unittest.TestCase):
+ date = dd.getTime(line)
+ if matched:
+ self.assertTrue(date)
+- if isinstance(matched, basestring): # pragma: no cover
++ if isinstance(matched, str): # pragma: no cover
+ self.assertEqual(matched, date[1].group(1))
+ else:
+ self.assertEqual(matched, date[0])
+diff --git a/fail2ban/tests/fail2banclienttestcase.py b/fail2ban/tests/fail2banclienttestcase.py
+index 95f73ed3..bba354fa 100644
+--- a/fail2ban/tests/fail2banclienttestcase.py
++++ b/fail2ban/tests/fail2banclienttestcase.py
+@@ -367,10 +367,10 @@ def with_foreground_server_thread(startextra={}):
+ # several commands to server in body of decorated function:
+ return f(self, tmp, startparams, *args, **kwargs)
+ except Exception as e: # pragma: no cover
+- print('=== Catch an exception: %s' % e)
++ print(('=== Catch an exception: %s' % e))
+ log = self.getLog()
+ if log:
+- print('=== Error of server, log: ===\n%s===' % log)
++ print(('=== Error of server, log: ===\n%s===' % log))
+ self.pruneLog()
+ raise
+ finally:
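Review bot: The added parentheses around the single `%`-formatted argument are a 2to3 artefact with no effect: `print('=== Catch an exception: %s' % e)` prints the same text and is the idiomatic Python 3 form; the same applies to the second `print` in this hunk and to the one in the next hunk of this file. In the digest.py hunks the pattern has a visible consequence: `print((r.status_code,r.headers, r.text))` prints the tuple's repr rather than three space-separated values, which is presumably what the Python 2 `print` statement produced there without `print_function`, so it is behaviour-preserving, but it is worth confirming that tuple-shaped output is what that script's reader expects. The decorated function in this hunk starts before the hunk.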
+@@ -440,7 +440,7 @@ class Fail2banClientServerBase(LogCaptureTestCase):
+ )
+ except: # pragma: no cover
+ if _inherited_log(startparams):
+- print('=== Error by wait fot server, log: ===\n%s===' % self.getLog())
++ print(('=== Error by wait fot server, log: ===\n%s===' % self.getLog()))
+ self.pruneLog()
+ log = pjoin(tmp, "f2b.log")
+ if isfile(log):
+@@ -1610,6 +1610,6 @@ class Fail2banServerTest(Fail2banClientServerBase):
+ self.stopAndWaitForServerEnd(SUCCESS)
+
+ def testServerStartStop(self):
+- for i in xrange(2000):
++ for i in range(2000):
+ self._testServerStartStop()
+
+diff --git a/fail2ban/tests/failmanagertestcase.py b/fail2ban/tests/failmanagertestcase.py
+index a5425286..2a94cc82 100644
+--- a/fail2ban/tests/failmanagertestcase.py
++++ b/fail2ban/tests/failmanagertestcase.py
+@@ -45,11 +45,11 @@ class AddFailure(unittest.TestCase):
+ super(AddFailure, self).tearDown()
+
+ def _addDefItems(self):
+- self.__items = [[u'193.168.0.128', 1167605999.0],
+- [u'193.168.0.128', 1167605999.0],
+- [u'193.168.0.128', 1167605999.0],
+- [u'193.168.0.128', 1167605999.0],
+- [u'193.168.0.128', 1167605999.0],
++ self.__items = [['193.168.0.128', 1167605999.0],
++ ['193.168.0.128', 1167605999.0],
++ ['193.168.0.128', 1167605999.0],
++ ['193.168.0.128', 1167605999.0],
++ ['193.168.0.128', 1167605999.0],
+ ['87.142.124.10', 1167605999.0],
+ ['87.142.124.10', 1167605999.0],
+ ['87.142.124.10', 1167605999.0],
+diff --git a/fail2ban/tests/files/config/apache-auth/digest.py b/fail2ban/tests/files/config/apache-auth/digest.py
+index 03588594..e2297ab3 100755
+--- a/fail2ban/tests/files/config/apache-auth/digest.py
++++ b/fail2ban/tests/files/config/apache-auth/digest.py
+@@ -41,7 +41,7 @@ def auth(v):
+ response="%s"
+ """ % ( username, algorithm, realm, url, nonce, qop, response )
+ # opaque="%s",
+- print(p.method, p.url, p.headers)
++ print((p.method, p.url, p.headers))
+ s = requests.Session()
+ return s.send(p)
+
+@@ -76,18 +76,18 @@ r = auth(v)
+
+ # [Sun Jul 28 21:41:20 2013] [error] [client 127.0.0.1] Digest: unknown algorithm `super funky chicken' received: /digest/
+
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+ v['algorithm'] = algorithm
+
+
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ nonce = v['nonce']
+ v['nonce']=v['nonce'][5:-5]
+
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ # [Sun Jul 28 21:05:31.178340 2013] [auth_digest:error] [pid 24224:tid 139895539455744] [client 127.0.0.1:56906] AH01793: invalid qop `auth' received: /digest/qop_none/
+
+@@ -95,7 +95,7 @@ print(r.status_code,r.headers, r.text)
+ v['nonce']=nonce[0:11] + 'ZZZ' + nonce[14:]
+
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ #[Sun Jul 28 21:18:11.769228 2013] [auth_digest:error] [pid 24752:tid 139895505884928] [client 127.0.0.1:56964] AH01776: invalid nonce b9YAiJDiBAZZZ1b1abe02d20063ea3b16b544ea1b0d981c1bafe received - hash is not d42d824dee7aaf50c3ba0a7c6290bd453e3dd35b
+
+@@ -107,7 +107,7 @@ import time
+ time.sleep(1)
+
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ # Obtained by putting the following code in modules/aaa/mod_auth_digest.c
+ # in the function initialize_secret
+@@ -137,7 +137,7 @@ s = sha.sha(apachesecret)
+
+ v=preauth()
+
+-print(v['nonce'])
++print((v['nonce']))
+ realm = v['Digest realm'][1:-1]
+
+ (t,) = struct.unpack('l',base64.b64decode(v['nonce'][1:13]))
+@@ -156,13 +156,13 @@ print(v)
+
+ r = auth(v)
+ #[Mon Jul 29 02:12:55.539813 2013] [auth_digest:error] [pid 9647:tid 139895522670336] [client 127.0.0.1:58474] AH01777: invalid nonce 59QJppTiBAA=b08983fd166ade9840407df1b0f75b9e6e07d88d received - user attempted time travel
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+
+ url='/digest_onetime/'
+ v=preauth()
+
+ # Need opaque header handling in auth
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+ r = auth(v)
+-print(r.status_code,r.headers, r.text)
++print((r.status_code,r.headers, r.text))
+diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py
+index 35785a58..8eeb6902 100644
+--- a/fail2ban/tests/filtertestcase.py
++++ b/fail2ban/tests/filtertestcase.py
+@@ -22,7 +22,7 @@
+ __copyright__ = "Copyright (c) 2004 Cyril Jaquier; 2012 Yaroslav Halchenko"
+ __license__ = "GPL"
+
+-from __builtin__ import open as fopen
++from builtins import open as fopen
+ import unittest
+ import os
+ import re
+@@ -204,7 +204,7 @@ def _copy_lines_between_files(in_, fout, n=None, skip=0, mode='a', terminal_line
+ else:
+ fin = in_
+ # Skip
+- for i in xrange(skip):
++ for i in range(skip):
+ fin.readline()
+ # Read
+ i = 0
+@@ -244,7 +244,7 @@ def _copy_lines_to_journal(in_, fields={},n=None, skip=0, terminal_line=""): # p
+ # Required for filtering
+ fields.update(TEST_JOURNAL_FIELDS)
+ # Skip
+- for i in xrange(skip):
++ for i in range(skip):
+ fin.readline()
+ # Read/Write
+ i = 0
+@@ -306,18 +306,18 @@ class BasicFilter(unittest.TestCase):
+ def testTest_tm(self):
+ unittest.F2B.SkipIfFast()
+ ## test function "_tm" works correct (returns the same as slow strftime):
+- for i in xrange(1417512352, (1417512352 // 3600 + 3) * 3600):
++ for i in range(1417512352, (1417512352 // 3600 + 3) * 3600):
+ tm = MyTime.time2str(i)
+ if _tm(i) != tm: # pragma: no cover - never reachable
+ self.assertEqual((_tm(i), i), (tm, i))
+
+ def testWrongCharInTupleLine(self):
+ ## line tuple has different types (ascii after ascii / unicode):
+- for a1 in ('', u'', b''):
+- for a2 in ('2016-09-05T20:18:56', u'2016-09-05T20:18:56', b'2016-09-05T20:18:56'):
++ for a1 in ('', '', b''):
++ for a2 in ('2016-09-05T20:18:56', '2016-09-05T20:18:56', b'2016-09-05T20:18:56'):
+ for a3 in (
+ 'Fail for "g\xc3\xb6ran" from 192.0.2.1',
+- u'Fail for "g\xc3\xb6ran" from 192.0.2.1',
++ 'Fail for "g\xc3\xb6ran" from 192.0.2.1',
+ b'Fail for "g\xc3\xb6ran" from 192.0.2.1'
+ ):
+ # join should work if all arguments have the same type:
+@@ -435,7 +435,7 @@ class IgnoreIP(LogCaptureTestCase):
+
+ def testAddAttempt(self):
+ self.filter.setMaxRetry(3)
+- for i in xrange(1, 1+3):
++ for i in range(1, 1+3):
+ self.filter.addAttempt('192.0.2.1')
+ self.assertLogged('Attempt 192.0.2.1', '192.0.2.1:%d' % i, all=True, wait=True)
+ self.jail.actions._Actions__checkBan()
+@@ -472,7 +472,7 @@ class IgnoreIP(LogCaptureTestCase):
+ # like both test-cases above, just cached (so once per key)...
+ self.filter.ignoreCache = {"key":"<ip>"}
+ self.filter.ignoreCommand = 'if [ "<ip>" = "10.0.0.1" ]; then exit 0; fi; exit 1'
+- for i in xrange(5):
++ for i in range(5):
+ self.pruneLog()
+ self.assertTrue(self.filter.inIgnoreIPList("10.0.0.1"))
+ self.assertFalse(self.filter.inIgnoreIPList("10.0.0.0"))
+@@ -483,7 +483,7 @@ class IgnoreIP(LogCaptureTestCase):
+ # by host of IP:
+ self.filter.ignoreCache = {"key":"<ip-host>"}
+ self.filter.ignoreCommand = 'if [ "<ip-host>" = "test-host" ]; then exit 0; fi; exit 1'
+- for i in xrange(5):
++ for i in range(5):
+ self.pruneLog()
+ self.assertTrue(self.filter.inIgnoreIPList(FailTicket("2001:db8::1")))
+ self.assertFalse(self.filter.inIgnoreIPList(FailTicket("2001:db8::ffff")))
+@@ -495,7 +495,7 @@ class IgnoreIP(LogCaptureTestCase):
+ self.filter.ignoreCache = {"key":"<F-USER>", "max-count":"10", "max-time":"1h"}
+ self.assertEqual(self.filter.ignoreCache, ["<F-USER>", 10, 60*60])
+ self.filter.ignoreCommand = 'if [ "<F-USER>" = "tester" ]; then exit 0; fi; exit 1'
+- for i in xrange(5):
++ for i in range(5):
+ self.pruneLog()
+ self.assertTrue(self.filter.inIgnoreIPList(FailTicket("tester", data={'user': 'tester'})))
+ self.assertFalse(self.filter.inIgnoreIPList(FailTicket("root", data={'user': 'root'})))
+@@ -644,7 +644,7 @@ class LogFileFilterPoll(unittest.TestCase):
+ fc = FileContainer(fname, self.filter.getLogEncoding())
+ fc.open()
+ # no time - nothing should be found :
+- for i in xrange(10):
++ for i in range(10):
+ f.write("[sshd] error: PAM: failure len 1\n")
+ f.flush()
+ fc.setPos(0); self.filter.seekToTime(fc, time)
+@@ -718,14 +718,14 @@ class LogFileFilterPoll(unittest.TestCase):
+ # variable length of file (ca 45K or 450K before and hereafter):
+ # write lines with smaller as search time:
+ t = time - count - 1
+- for i in xrange(count):
++ for i in range(count):
+ f.write("%s [sshd] error: PAM: failure\n" % _tm(t))
+ t += 1
+ f.flush()
+ fc.setPos(0); self.filter.seekToTime(fc, time)
+ self.assertEqual(fc.getPos(), 47*count)
+ # write lines with exact search time:
+- for i in xrange(10):
++ for i in range(10):
+ f.write("%s [sshd] error: PAM: failure\n" % _tm(time))
+ f.flush()
+ fc.setPos(0); self.filter.seekToTime(fc, time)
+@@ -734,8 +734,8 @@ class LogFileFilterPoll(unittest.TestCase):
+ self.assertEqual(fc.getPos(), 47*count)
+ # write lines with greater as search time:
+ t = time+1
+- for i in xrange(count//500):
+- for j in xrange(500):
++ for i in range(count//500):
++ for j in range(500):
+ f.write("%s [sshd] error: PAM: failure\n" % _tm(t))
+ t += 1
+ f.flush()
+@@ -1488,10 +1488,10 @@ def get_monitor_failures_journal_testcase(Filter_): # pragma: systemd no cover
+ # Add direct utf, unicode, blob:
+ for l in (
+ "error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
+- u"error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
++ "error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
+ b"error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1".decode('utf-8', 'replace'),
+ "error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
+- u"error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
++ "error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
+ b"error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2".decode('utf-8', 'replace')
+ ):
+ fields = self.journal_fields
+@@ -1520,7 +1520,7 @@ class GetFailures(LogCaptureTestCase):
+
+ # so that they could be reused by other tests
+ FAILURES_01 = ('193.168.0.128', 3, 1124013599.0,
+- [u'Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128']*3)
++ ['Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128']*3)
+
+ def setUp(self):
+ """Call before every test case."""
+@@ -1595,8 +1595,8 @@ class GetFailures(LogCaptureTestCase):
+
+ def testGetFailures02(self):
+ output = ('141.3.81.106', 4, 1124013539.0,
+- [u'Aug 14 11:%d:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:141.3.81.106 port 51332 ssh2'
+- % m for m in 53, 54, 57, 58])
++ ['Aug 14 11:%d:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:141.3.81.106 port 51332 ssh2'
++ % m for m in (53, 54, 57, 58)])
+
+ self.filter.addLogPath(GetFailures.FILENAME_02, autoSeek=0)
+ self.filter.addFailRegex(r"Failed .* from <HOST>")
+@@ -1691,17 +1691,17 @@ class GetFailures(LogCaptureTestCase):
+ # We should still catch failures with usedns = no ;-)
+ output_yes = (
+ ('93.184.216.34', 2, 1124013539.0,
+- [u'Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2',
+- u'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
++ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2',
++ 'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
+ ),
+ ('2606:2800:220:1:248:1893:25c8:1946', 1, 1124013299.0,
+- [u'Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
++ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
+ ),
+ )
+
+ output_no = (
+ ('93.184.216.34', 1, 1124013539.0,
+- [u'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
++ ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
+ )
+ )
+
+@@ -1807,9 +1807,9 @@ class DNSUtilsTests(unittest.TestCase):
+ self.assertTrue(c.get('a') is None)
+ self.assertEqual(c.get('a', 'test'), 'test')
+ # exact 5 elements :
+- for i in xrange(5):
++ for i in range(5):
+ c.set(i, i)
+- for i in xrange(5):
++ for i in range(5):
+ self.assertEqual(c.get(i), i)
+ # remove unavailable key:
+ c.unset('a'); c.unset('a')
+@@ -1817,30 +1817,30 @@ class DNSUtilsTests(unittest.TestCase):
+ def testCacheMaxSize(self):
+ c = Utils.Cache(maxCount=5, maxTime=60)
+ # exact 5 elements :
+- for i in xrange(5):
++ for i in range(5):
+ c.set(i, i)
+- self.assertEqual([c.get(i) for i in xrange(5)], [i for i in xrange(5)])
+- self.assertNotIn(-1, (c.get(i, -1) for i in xrange(5)))
++ self.assertEqual([c.get(i) for i in range(5)], [i for i in range(5)])
++ self.assertNotIn(-1, (c.get(i, -1) for i in range(5)))
+ # add one - too many:
+ c.set(10, i)
+ # one element should be removed :
+- self.assertIn(-1, (c.get(i, -1) for i in xrange(5)))
++ self.assertIn(-1, (c.get(i, -1) for i in range(5)))
+ # test max size (not expired):
+- for i in xrange(10):
++ for i in range(10):
+ c.set(i, 1)
+ self.assertEqual(len(c), 5)
+
+ def testCacheMaxTime(self):
+ # test max time (expired, timeout reached) :
+ c = Utils.Cache(maxCount=5, maxTime=0.0005)
+- for i in xrange(10):
++ for i in range(10):
+ c.set(i, 1)
+ st = time.time()
+ self.assertTrue(Utils.wait_for(lambda: time.time() >= st + 0.0005, 1))
+ # we have still 5 elements (or fewer if too slow test mashine):
+ self.assertTrue(len(c) <= 5)
+ # but all that are expiered also:
+- for i in xrange(10):
++ for i in range(10):
+ self.assertTrue(c.get(i) is None)
+ # here the whole cache should be empty:
+ self.assertEqual(len(c), 0)
+@@ -1861,7 +1861,7 @@ class DNSUtilsTests(unittest.TestCase):
+ c = count
+ while c:
+ c -= 1
+- s = xrange(0, 256, 1) if forw else xrange(255, -1, -1)
++ s = range(0, 256, 1) if forw else range(255, -1, -1)
+ if random: shuffle([i for i in s])
+ for i in s:
+ IPAddr('192.0.2.'+str(i), IPAddr.FAM_IPv4)
+@@ -1983,15 +1983,15 @@ class DNSUtilsNetworkTests(unittest.TestCase):
+
+ def testAddr2bin(self):
+ res = IPAddr('10.0.0.0')
+- self.assertEqual(res.addr, 167772160L)
++ self.assertEqual(res.addr, 167772160)
+ res = IPAddr('10.0.0.0', cidr=None)
+- self.assertEqual(res.addr, 167772160L)
+- res = IPAddr('10.0.0.0', cidr=32L)
+- self.assertEqual(res.addr, 167772160L)
+- res = IPAddr('10.0.0.1', cidr=32L)
+- self.assertEqual(res.addr, 167772161L)
+- res = IPAddr('10.0.0.1', cidr=31L)
+- self.assertEqual(res.addr, 167772160L)
++ self.assertEqual(res.addr, 167772160)
++ res = IPAddr('10.0.0.0', cidr=32)
++ self.assertEqual(res.addr, 167772160)
++ res = IPAddr('10.0.0.1', cidr=32)
++ self.assertEqual(res.addr, 167772161)
++ res = IPAddr('10.0.0.1', cidr=31)
++ self.assertEqual(res.addr, 167772160)
+
+ self.assertEqual(IPAddr('10.0.0.0').hexdump, '0a000000')
+ self.assertEqual(IPAddr('1::2').hexdump, '00010000000000000000000000000002')
+@@ -2067,9 +2067,9 @@ class DNSUtilsNetworkTests(unittest.TestCase):
+ '93.184.216.34': 'ip4-test',
+ '2606:2800:220:1:248:1893:25c8:1946': 'ip6-test'
+ }
+- d2 = dict([(IPAddr(k), v) for k, v in d.iteritems()])
+- self.assertTrue(isinstance(d.keys()[0], basestring))
+- self.assertTrue(isinstance(d2.keys()[0], IPAddr))
++ d2 = dict([(IPAddr(k), v) for k, v in d.items()])
++ self.assertTrue(isinstance(list(d.keys())[0], str))
++ self.assertTrue(isinstance(list(d2.keys())[0], IPAddr))
+ self.assertEqual(d.get(ip4[2], ''), 'ip4-test')
+ self.assertEqual(d.get(ip6[2], ''), 'ip6-test')
+ self.assertEqual(d2.get(str(ip4[2]), ''), 'ip4-test')
+diff --git a/fail2ban/tests/misctestcase.py b/fail2ban/tests/misctestcase.py
+index 9b986f53..94f7a8de 100644
+--- a/fail2ban/tests/misctestcase.py
++++ b/fail2ban/tests/misctestcase.py
+@@ -29,9 +29,9 @@ import tempfile
+ import shutil
+ import fnmatch
+ from glob import glob
+-from StringIO import StringIO
++from io import StringIO
+
+-from utils import LogCaptureTestCase, logSys as DefLogSys
++from .utils import LogCaptureTestCase, logSys as DefLogSys
+
+ from ..helpers import formatExceptionInfo, mbasename, TraceBack, FormatterWithTraceBack, getLogger, \
+ splitwords, uni_decode, uni_string
+@@ -67,7 +67,7 @@ class HelpersTest(unittest.TestCase):
+ self.assertEqual(splitwords(' 1\n 2'), ['1', '2'])
+ self.assertEqual(splitwords(' 1\n 2, 3'), ['1', '2', '3'])
+ # string as unicode:
+- self.assertEqual(splitwords(u' 1\n 2, 3'), ['1', '2', '3'])
++ self.assertEqual(splitwords(' 1\n 2, 3'), ['1', '2', '3'])
+
+
+ if sys.version_info >= (2,7):
+@@ -197,11 +197,11 @@ class TestsUtilsTest(LogCaptureTestCase):
+
+ def testUniConverters(self):
+ self.assertRaises(Exception, uni_decode,
+- (b'test' if sys.version_info >= (3,) else u'test'), 'f2b-test::non-existing-encoding')
+- uni_decode((b'test\xcf' if sys.version_info >= (3,) else u'test\xcf'))
++ (b'test' if sys.version_info >= (3,) else 'test'), 'f2b-test::non-existing-encoding')
++ uni_decode((b'test\xcf' if sys.version_info >= (3,) else 'test\xcf'))
+ uni_string(b'test\xcf')
+ uni_string('test\xcf')
+- uni_string(u'test\xcf')
++ uni_string('test\xcf')
+
+ def testSafeLogging(self):
+ # logging should be exception-safe, to avoid possible errors (concat, str. conversion, representation failures, etc)
+@@ -213,7 +213,7 @@ class TestsUtilsTest(LogCaptureTestCase):
+ if self.err:
+ raise Exception('no represenation for test!')
+ else:
+- return u'conv-error (\xf2\xf0\xe5\xf2\xe8\xe9), unterminated utf \xcf'
++ return 'conv-error (\xf2\xf0\xe5\xf2\xe8\xe9), unterminated utf \xcf'
+ test = Test()
+ logSys.log(logging.NOTICE, "test 1a: %r", test)
+ self.assertLogged("Traceback", "no represenation for test!")
+@@ -261,7 +261,7 @@ class TestsUtilsTest(LogCaptureTestCase):
+ func_raise()
+
+ try:
+- print deep_function(3)
++ print(deep_function(3))
+ except ValueError:
+ s = tb()
+
+@@ -278,7 +278,7 @@ class TestsUtilsTest(LogCaptureTestCase):
+ self.assertIn(':', s)
+
+ def _testAssertionErrorRE(self, regexp, fun, *args, **kwargs):
+- self.assertRaisesRegexp(AssertionError, regexp, fun, *args, **kwargs)
++ self.assertRaisesRegex(AssertionError, regexp, fun, *args, **kwargs)
+
+ def testExtendedAssertRaisesRE(self):
+ ## test _testAssertionErrorRE several fail cases:
+@@ -316,13 +316,13 @@ class TestsUtilsTest(LogCaptureTestCase):
+ self._testAssertionErrorRE(r"'a' unexpectedly found in 'cba'",
+ self.assertNotIn, 'a', 'cba')
+ self._testAssertionErrorRE(r"1 unexpectedly found in \[0, 1, 2\]",
+- self.assertNotIn, 1, xrange(3))
++ self.assertNotIn, 1, range(3))
+ self._testAssertionErrorRE(r"'A' unexpectedly found in \['C', 'A'\]",
+ self.assertNotIn, 'A', (c.upper() for c in 'cba' if c != 'b'))
+ self._testAssertionErrorRE(r"'a' was not found in 'xyz'",
+ self.assertIn, 'a', 'xyz')
+ self._testAssertionErrorRE(r"5 was not found in \[0, 1, 2\]",
+- self.assertIn, 5, xrange(3))
++ self.assertIn, 5, range(3))
+ self._testAssertionErrorRE(r"'A' was not found in \['C', 'B'\]",
+ self.assertIn, 'A', (c.upper() for c in 'cba' if c != 'a'))
+ ## assertLogged, assertNotLogged positive case:
+diff --git a/fail2ban/tests/observertestcase.py b/fail2ban/tests/observertestcase.py
+index 8e944454..ed520286 100644
+--- a/fail2ban/tests/observertestcase.py
++++ b/fail2ban/tests/observertestcase.py
+@@ -69,7 +69,7 @@ class BanTimeIncr(LogCaptureTestCase):
+ a.setBanTimeExtra('multipliers', multipliers)
+ # test algorithm and max time 24 hours :
+ self.assertEqual(
+- [a.calcBanTime(600, i) for i in xrange(1, 11)],
++ [a.calcBanTime(600, i) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400]
+ )
+ # with extra large max time (30 days):
+@@ -81,38 +81,38 @@ class BanTimeIncr(LogCaptureTestCase):
+ if multcnt < 11:
+ arr = arr[0:multcnt-1] + ([arr[multcnt-2]] * (11-multcnt))
+ self.assertEqual(
+- [a.calcBanTime(600, i) for i in xrange(1, 11)],
++ [a.calcBanTime(600, i) for i in range(1, 11)],
+ arr
+ )
+ a.setBanTimeExtra('maxtime', '1d')
+ # change factor :
+ a.setBanTimeExtra('factor', '2');
+ self.assertEqual(
+- [a.calcBanTime(600, i) for i in xrange(1, 11)],
++ [a.calcBanTime(600, i) for i in range(1, 11)],
+ [2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400, 86400]
+ )
+ # factor is float :
+ a.setBanTimeExtra('factor', '1.33');
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1596, 3192, 6384, 12768, 25536, 51072, 86400, 86400, 86400, 86400]
+ )
+ a.setBanTimeExtra('factor', None);
+ # change max time :
+ a.setBanTimeExtra('maxtime', '12h')
+ self.assertEqual(
+- [a.calcBanTime(600, i) for i in xrange(1, 11)],
++ [a.calcBanTime(600, i) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 43200, 43200, 43200, 43200]
+ )
+ a.setBanTimeExtra('maxtime', '24h')
+ ## test randomization - not possibe all 10 times we have random = 0:
+ a.setBanTimeExtra('rndtime', '5m')
+ self.assertTrue(
+- False in [1200 in [a.calcBanTime(600, 1) for i in xrange(10)] for c in xrange(10)]
++ False in [1200 in [a.calcBanTime(600, 1) for i in range(10)] for c in range(10)]
+ )
+ a.setBanTimeExtra('rndtime', None)
+ self.assertFalse(
+- False in [1200 in [a.calcBanTime(600, 1) for i in xrange(10)] for c in xrange(10)]
++ False in [1200 in [a.calcBanTime(600, 1) for i in range(10)] for c in range(10)]
+ )
+ # restore default:
+ a.setBanTimeExtra('multipliers', None)
+@@ -124,7 +124,7 @@ class BanTimeIncr(LogCaptureTestCase):
+ # this multipliers has the same values as default formula, we test stop growing after count 9:
+ self.testDefault('1 2 4 8 16 32 64 128 256')
+ # this multipliers has exactly the same values as default formula, test endless growing (stops by count 31 only):
+- self.testDefault(' '.join([str(1<<i) for i in xrange(31)]))
++ self.testDefault(' '.join([str(1<<i) for i in range(31)]))
+
+ def testFormula(self):
+ a = self.__jail;
+@@ -136,38 +136,38 @@ class BanTimeIncr(LogCaptureTestCase):
+ a.setBanTimeExtra('multipliers', None)
+ # test algorithm and max time 24 hours :
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400]
+ )
+ # with extra large max time (30 days):
+ a.setBanTimeExtra('maxtime', '30d')
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 76800, 153601, 307203, 614407]
+ )
+ a.setBanTimeExtra('maxtime', '24h')
+ # change factor :
+ a.setBanTimeExtra('factor', '1');
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1630, 4433, 12051, 32758, 86400, 86400, 86400, 86400, 86400, 86400]
+ )
+ a.setBanTimeExtra('factor', '2.0 / 2.885385')
+ # change max time :
+ a.setBanTimeExtra('maxtime', '12h')
+ self.assertEqual(
+- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
++ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
+ [1200, 2400, 4800, 9600, 19200, 38400, 43200, 43200, 43200, 43200]
+ )
+ a.setBanTimeExtra('maxtime', '24h')
+ ## test randomization - not possibe all 10 times we have random = 0:
+ a.setBanTimeExtra('rndtime', '5m')
+ self.assertTrue(
+- False in [1200 in [int(a.calcBanTime(600, 1)) for i in xrange(10)] for c in xrange(10)]
++ False in [1200 in [int(a.calcBanTime(600, 1)) for i in range(10)] for c in range(10)]
+ )
+ a.setBanTimeExtra('rndtime', None)
+ self.assertFalse(
+- False in [1200 in [int(a.calcBanTime(600, 1)) for i in xrange(10)] for c in xrange(10)]
++ False in [1200 in [int(a.calcBanTime(600, 1)) for i in range(10)] for c in range(10)]
+ )
+ # restore default:
+ a.setBanTimeExtra('factor', None);
+@@ -230,7 +230,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
+ ticket = FailTicket(ip, stime, [])
+ # test ticket not yet found
+ self.assertEqual(
+- [self.incrBanTime(ticket, 10) for i in xrange(3)],
++ [self.incrBanTime(ticket, 10) for i in range(3)],
+ [10, 10, 10]
+ )
+ # add a ticket banned
+@@ -285,7 +285,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
+ )
+ # increase ban multiple times:
+ lastBanTime = 20
+- for i in xrange(10):
++ for i in range(10):
+ ticket.setTime(stime + lastBanTime + 5)
+ banTime = self.incrBanTime(ticket, 10)
+ self.assertEqual(banTime, lastBanTime * 2)
+@@ -481,7 +481,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
+ ticket = FailTicket(ip, stime-120, [])
+ failManager = FailManager()
+ failManager.setMaxRetry(3)
+- for i in xrange(3):
++ for i in range(3):
+ failManager.addFailure(ticket)
+ obs.add('failureFound', failManager, jail, ticket)
+ obs.wait_empty(5)
+diff --git a/fail2ban/tests/samplestestcase.py b/fail2ban/tests/samplestestcase.py
+index 0bbd05f5..479b564a 100644
+--- a/fail2ban/tests/samplestestcase.py
++++ b/fail2ban/tests/samplestestcase.py
+@@ -138,7 +138,7 @@ class FilterSamplesRegex(unittest.TestCase):
+
+ @staticmethod
+ def _filterOptions(opts):
+- return dict((k, v) for k, v in opts.iteritems() if not k.startswith('test.'))
++ return dict((k, v) for k, v in opts.items() if not k.startswith('test.'))
+
+ def testSampleRegexsFactory(name, basedir):
+ def testFilter(self):
+@@ -249,10 +249,10 @@ def testSampleRegexsFactory(name, basedir):
+ self.assertTrue(faildata.get('match', False),
+ "Line matched when shouldn't have")
+ self.assertEqual(len(ret), 1,
+- "Multiple regexs matched %r" % (map(lambda x: x[0], ret)))
++ "Multiple regexs matched %r" % ([x[0] for x in ret]))
+
+ # Verify match captures (at least fid/host) and timestamp as expected
+- for k, v in faildata.iteritems():
++ for k, v in faildata.items():
+ if k not in ("time", "match", "desc", "filter"):
+ fv = fail.get(k, None)
+ if fv is None:
+@@ -294,7 +294,7 @@ def testSampleRegexsFactory(name, basedir):
+ '\n'.join(pprint.pformat(fail).splitlines())))
+
+ # check missing samples for regex using each filter-options combination:
+- for fltName, flt in self._filters.iteritems():
++ for fltName, flt in self._filters.items():
+ flt, regexsUsedIdx = flt
+ regexList = flt.getFailRegex()
+ for failRegexIndex, failRegex in enumerate(regexList):
+diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
+index 55e72455..7925ab1e 100644
+--- a/fail2ban/tests/servertestcase.py
++++ b/fail2ban/tests/servertestcase.py
+@@ -124,14 +124,14 @@ class TransmitterBase(LogCaptureTestCase):
+ self.transm.proceed(["get", jail, cmd]), (0, []))
+ for n, value in enumerate(values):
+ ret = self.transm.proceed(["set", jail, cmdAdd, value])
+- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[:n+1])), level=2)
++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[:n+1]))), level=2)
+ ret = self.transm.proceed(["get", jail, cmd])
+- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[:n+1])), level=2)
++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[:n+1]))), level=2)
+ for n, value in enumerate(values):
+ ret = self.transm.proceed(["set", jail, cmdDel, value])
+- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[n+1:])), level=2)
++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[n+1:]))), level=2)
+ ret = self.transm.proceed(["get", jail, cmd])
+- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[n+1:])), level=2)
++ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[n+1:]))), level=2)
+
+ def jailAddDelRegexTest(self, cmd, inValues, outValues, jail):
+ cmdAdd = "add" + cmd
+@@ -930,7 +930,7 @@ class TransmitterLogging(TransmitterBase):
+
+ def testLogTarget(self):
+ logTargets = []
+- for _ in xrange(3):
++ for _ in range(3):
+ tmpFile = tempfile.mkstemp("fail2ban", "transmitter")
+ logTargets.append(tmpFile[1])
+ os.close(tmpFile[0])
+@@ -1003,26 +1003,26 @@ class TransmitterLogging(TransmitterBase):
+ self.assertEqual(self.transm.proceed(["flushlogs"]), (0, "rolled over"))
+ l.warning("After flushlogs")
+ with open(fn2,'r') as f:
+- line1 = f.next()
++ line1 = next(f)
+ if line1.find('Changed logging target to') >= 0:
+- line1 = f.next()
++ line1 = next(f)
+ self.assertTrue(line1.endswith("Before file moved\n"))
+- line2 = f.next()
++ line2 = next(f)
+ self.assertTrue(line2.endswith("After file moved\n"))
+ try:
+- n = f.next()
++ n = next(f)
+ if n.find("Command: ['flushlogs']") >=0:
+- self.assertRaises(StopIteration, f.next)
++ self.assertRaises(StopIteration, f.__next__)
+ else:
+ self.fail("Exception StopIteration or Command: ['flushlogs'] expected. Got: %s" % n)
+ except StopIteration:
+ pass # on higher debugging levels this is expected
+ with open(fn,'r') as f:
+- line1 = f.next()
++ line1 = next(f)
+ if line1.find('rollover performed on') >= 0:
+- line1 = f.next()
++ line1 = next(f)
+ self.assertTrue(line1.endswith("After flushlogs\n"))
+- self.assertRaises(StopIteration, f.next)
++ self.assertRaises(StopIteration, f.__next__)
+ f.close()
+ finally:
+ os.remove(fn2)
+@@ -1185,7 +1185,7 @@ class LoggingTests(LogCaptureTestCase):
+ os.remove(f)
+
+
+-from clientreadertestcase import ActionReader, JailsReader, CONFIG_DIR
++from .clientreadertestcase import ActionReader, JailsReader, CONFIG_DIR
+
+ class ServerConfigReaderTests(LogCaptureTestCase):
+
+diff --git a/fail2ban/tests/sockettestcase.py b/fail2ban/tests/sockettestcase.py
+index 69bf8d8b..60f49e57 100644
+--- a/fail2ban/tests/sockettestcase.py
++++ b/fail2ban/tests/sockettestcase.py
+@@ -153,7 +153,7 @@ class Socket(LogCaptureTestCase):
+ org_handler = RequestHandler.found_terminator
+ try:
+ RequestHandler.found_terminator = lambda self: self.close()
+- self.assertRaisesRegexp(RuntimeError, r"socket connection broken",
++ self.assertRaisesRegex(RuntimeError, r"socket connection broken",
+ lambda: client.send(testMessage, timeout=unittest.F2B.maxWaitTime(10)))
+ finally:
+ RequestHandler.found_terminator = org_handler
+diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py
+index fcfddba7..cb234e0d 100644
+--- a/fail2ban/tests/utils.py
++++ b/fail2ban/tests/utils.py
+@@ -35,7 +35,7 @@ import time
+ import threading
+ import unittest
+
+-from cStringIO import StringIO
++from io import StringIO
+ from functools import wraps
+
+ from ..helpers import getLogger, str2LogLevel, getVerbosityFormat, uni_decode
+@@ -174,8 +174,8 @@ def initProcess(opts):
+
+ # Let know the version
+ if opts.verbosity != 0:
+- print("Fail2ban %s test suite. Python %s. Please wait..." \
+- % (version, str(sys.version).replace('\n', '')))
++ print(("Fail2ban %s test suite. Python %s. Please wait..." \
++ % (version, str(sys.version).replace('\n', ''))))
+
+ return opts;
+
+@@ -322,7 +322,7 @@ def initTests(opts):
+ c = DNSUtils.CACHE_ipToName
+ # increase max count and max time (too many entries, long time testing):
+ c.setOptions(maxCount=10000, maxTime=5*60)
+- for i in xrange(256):
++ for i in range(256):
+ c.set('192.0.2.%s' % i, None)
+ c.set('198.51.100.%s' % i, None)
+ c.set('203.0.113.%s' % i, None)
+@@ -541,8 +541,8 @@ def gatherTests(regexps=None, opts=None):
+ import difflib, pprint
+ if not hasattr(unittest.TestCase, 'assertDictEqual'):
+ def assertDictEqual(self, d1, d2, msg=None):
+- self.assert_(isinstance(d1, dict), 'First argument is not a dictionary')
+- self.assert_(isinstance(d2, dict), 'Second argument is not a dictionary')
++ self.assertTrue(isinstance(d1, dict), 'First argument is not a dictionary')
++ self.assertTrue(isinstance(d2, dict), 'Second argument is not a dictionary')
+ if d1 != d2:
+ standardMsg = '%r != %r' % (d1, d2)
+ diff = ('\n' + '\n'.join(difflib.ndiff(
+@@ -560,7 +560,7 @@ def assertSortedEqual(self, a, b, level=1, nestedOnly=True, key=repr, msg=None):
+ # used to recognize having element as nested dict, list or tuple:
+ def _is_nested(v):
+ if isinstance(v, dict):
+- return any(isinstance(v, (dict, list, tuple)) for v in v.itervalues())
++ return any(isinstance(v, (dict, list, tuple)) for v in v.values())
+ return any(isinstance(v, (dict, list, tuple)) for v in v)
+ # level comparison routine:
+ def _assertSortedEqual(a, b, level, nestedOnly, key):
+@@ -573,7 +573,7 @@ def assertSortedEqual(self, a, b, level=1, nestedOnly=True, key=repr, msg=None):
+ return
+ raise ValueError('%r != %r' % (a, b))
+ if isinstance(a, dict) and isinstance(b, dict): # compare dict's:
+- for k, v1 in a.iteritems():
++ for k, v1 in a.items():
+ v2 = b[k]
+ if isinstance(v1, (dict, list, tuple)) and isinstance(v2, (dict, list, tuple)):
+ _assertSortedEqual(v1, v2, level-1 if level != 0 else 0, nestedOnly, key)
+@@ -608,14 +608,14 @@ if not hasattr(unittest.TestCase, 'assertRaisesRegexp'):
+ self.fail('\"%s\" does not match \"%s\"' % (regexp, e))
+ else:
+ self.fail('%s not raised' % getattr(exccls, '__name__'))
+- unittest.TestCase.assertRaisesRegexp = assertRaisesRegexp
++ unittest.TestCase.assertRaisesRegex = assertRaisesRegexp
+
+ # always custom following methods, because we use atm better version of both (support generators)
+ if True: ## if not hasattr(unittest.TestCase, 'assertIn'):
+ def assertIn(self, a, b, msg=None):
+ bb = b
+ wrap = False
+- if msg is None and hasattr(b, '__iter__') and not isinstance(b, basestring):
++ if msg is None and hasattr(b, '__iter__') and not isinstance(b, str):
+ b, bb = itertools.tee(b)
+ wrap = True
+ if a not in b:
+@@ -626,7 +626,7 @@ if True: ## if not hasattr(unittest.TestCase, 'assertIn'):
+ def assertNotIn(self, a, b, msg=None):
+ bb = b
+ wrap = False
+- if msg is None and hasattr(b, '__iter__') and not isinstance(b, basestring):
++ if msg is None and hasattr(b, '__iter__') and not isinstance(b, str):
+ b, bb = itertools.tee(b)
+ wrap = True
+ if a in b:
+diff --git a/setup.py b/setup.py
+deleted file mode 100755
+index ce1eedf6..00000000
+--- a/setup.py
++++ /dev/null
+@@ -1,326 +0,0 @@
+-#!/usr/bin/env python
+-# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
+-# vi: set ft=python sts=4 ts=4 sw=4 noet :
+-
+-# This file is part of Fail2Ban.
+-#
+-# Fail2Ban is free software; you can redistribute it and/or modify
+-# it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation; either version 2 of the License, or
+-# (at your option) any later version.
+-#
+-# Fail2Ban is distributed in the hope that it will be useful,
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-# GNU General Public License for more details.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with Fail2Ban; if not, write to the Free Software
+-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+-
+-__author__ = "Cyril Jaquier, Steven Hiscocks, Yaroslav Halchenko"
+-__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2008-2016 Fail2Ban Contributors"
+-__license__ = "GPL"
+-
+-import platform
+-
+-try:
+- import setuptools
+- from setuptools import setup
+- from setuptools.command.install import install
+- from setuptools.command.install_scripts import install_scripts
+-except ImportError:
+- setuptools = None
+- from distutils.core import setup
+-
+-# all versions
+-from distutils.command.build_py import build_py
+-from distutils.command.build_scripts import build_scripts
+-if setuptools is None:
+- from distutils.command.install import install
+- from distutils.command.install_scripts import install_scripts
+-try:
+- # python 3.x
+- from distutils.command.build_py import build_py_2to3
+- from distutils.command.build_scripts import build_scripts_2to3
+- _2to3 = True
+-except ImportError:
+- # python 2.x
+- _2to3 = False
+-
+-import os
+-from os.path import isfile, join, isdir, realpath
+-import re
+-import sys
+-import warnings
+-from glob import glob
+-
+-from fail2ban.setup import updatePyExec
+-
+-
+-source_dir = os.path.realpath(os.path.dirname(
+- # __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.):
+- sys.argv[0] if os.path.basename(sys.argv[0]) == 'setup.py' else __file__
+-))
+-
+-# Wrapper to install python binding (to current python version):
+-class install_scripts_f2b(install_scripts):
+-
+- def get_outputs(self):
+- outputs = install_scripts.get_outputs(self)
+- # setup.py --dry-run install:
+- dry_run = not outputs
+- self.update_scripts(dry_run)
+- if dry_run:
+- #bindir = self.install_dir
+- bindir = self.build_dir
+- print('creating fail2ban-python binding -> %s (dry-run, real path can be different)' % (bindir,))
+- print('Copying content of %s to %s' % (self.build_dir, self.install_dir));
+- return outputs
+- fn = None
+- for fn in outputs:
+- if os.path.basename(fn) == 'fail2ban-server':
+- break
+- bindir = os.path.dirname(fn)
+- print('creating fail2ban-python binding -> %s' % (bindir,))
+- updatePyExec(bindir)
+- return outputs
+-
+- def update_scripts(self, dry_run=False):
+- buildroot = os.path.dirname(self.build_dir)
+- install_dir = self.install_dir
+- try:
+- # remove root-base from install scripts path:
+- root = self.distribution.command_options['install']['root'][1]
+- if install_dir.startswith(root):
+- install_dir = install_dir[len(root):]
+- except: # pragma: no cover
+- print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service".')
+- print('Creating %s/fail2ban.service (from fail2ban.service.in): @BINDIR@ -> %s' % (buildroot, install_dir))
+- with open(os.path.join(source_dir, 'files/fail2ban.service.in'), 'r') as fn:
+- lines = fn.readlines()
+- fn = None
+- if not dry_run:
+- fn = open(os.path.join(buildroot, 'fail2ban.service'), 'w')
+- try:
+- for ln in lines:
+- ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln)
+- if dry_run:
+- sys.stdout.write(' | ' + ln)
+- continue
+- fn.write(ln)
+- finally:
+- if fn: fn.close()
+- if dry_run:
+- print(' `')
+-
+-
+-# Wrapper to specify fail2ban own options:
+-class install_command_f2b(install):
+- user_options = install.user_options + [
+- ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
+- ('without-tests', None, 'without tests files installation'),
+- ]
+- def initialize_options(self):
+- self.disable_2to3 = None
+- self.without_tests = None
+- install.initialize_options(self)
+- def finalize_options(self):
+- global _2to3
+- ## in the test cases 2to3 should be already done (fail2ban-2to3):
+- if self.disable_2to3:
+- _2to3 = False
+- if _2to3:
+- cmdclass = self.distribution.cmdclass
+- cmdclass['build_py'] = build_py_2to3
+- cmdclass['build_scripts'] = build_scripts_2to3
+- if self.without_tests:
+- self.distribution.scripts.remove('bin/fail2ban-testcases')
+-
+- self.distribution.packages.remove('fail2ban.tests')
+- self.distribution.packages.remove('fail2ban.tests.action_d')
+-
+- del self.distribution.package_data['fail2ban.tests']
+- install.finalize_options(self)
+- def run(self):
+- install.run(self)
+-
+-
+-# Update fail2ban-python env to current python version (where f2b-modules located/installed)
+-updatePyExec(os.path.join(source_dir, 'bin'))
+-
+-if setuptools and "test" in sys.argv:
+- import logging
+- logSys = logging.getLogger("fail2ban")
+- hdlr = logging.StreamHandler(sys.stdout)
+- fmt = logging.Formatter("%(asctime)-15s %(message)s")
+- hdlr.setFormatter(fmt)
+- logSys.addHandler(hdlr)
+- if set(["-q", "--quiet"]) & set(sys.argv):
+- logSys.setLevel(logging.CRITICAL)
+- warnings.simplefilter("ignore")
+- sys.warnoptions.append("ignore")
+- elif set(["-v", "--verbose"]) & set(sys.argv):
+- logSys.setLevel(logging.DEBUG)
+- else:
+- logSys.setLevel(logging.INFO)
+-elif "test" in sys.argv:
+- print("python distribute required to execute fail2ban tests")
+- print("")
+-
+-longdesc = '''
+-Fail2Ban scans log files like /var/log/pwdfail or
+-/var/log/apache/error_log and bans IP that makes
+-too many password failures. It updates firewall rules
+-to reject the IP address or executes user defined
+-commands.'''
+-
+-if setuptools:
+- setup_extra = {
+- 'test_suite': "fail2ban.tests.utils.gatherTests",
+- 'use_2to3': True,
+- }
+-else:
+- setup_extra = {}
+-
+-data_files_extra = []
+-if os.path.exists('/var/run'):
+- # if we are on the system with /var/run -- we are to use it for having fail2ban/
+- # directory there for socket file etc.
+- # realpath is used to possibly resolve /var/run -> /run symlink
+- data_files_extra += [(realpath('/var/run/fail2ban'), '')]
+-
+-# Installing documentation files only under Linux or other GNU/ systems
+-# (e.g. GNU/kFreeBSD), since others might have protective mechanisms forbidding
+-# installation there (see e.g. #1233)
+-platform_system = platform.system().lower()
+-doc_files = ['README.md', 'DEVELOP', 'FILTERS', 'doc/run-rootless.txt']
+-if platform_system in ('solaris', 'sunos'):
+- doc_files.append('README.Solaris')
+-if platform_system in ('linux', 'solaris', 'sunos') or platform_system.startswith('gnu'):
+- data_files_extra.append(
+- ('/usr/share/doc/fail2ban', doc_files)
+- )
+-
+-# Get version number, avoiding importing fail2ban.
+-# This is due to tests not functioning for python3 as 2to3 takes place later
+-exec(open(join("fail2ban", "version.py")).read())
+-
+-setup(
+- name = "fail2ban",
+- version = version,
+- description = "Ban IPs that make too many password failures",
+- long_description = longdesc,
+- author = "Cyril Jaquier & Fail2Ban Contributors",
+- author_email = "cyril.jaquier@fail2ban.org",
+- url = "http://www.fail2ban.org",
+- license = "GPL",
+- platforms = "Posix",
+- cmdclass = {
+- 'build_py': build_py, 'build_scripts': build_scripts,
+- 'install_scripts': install_scripts_f2b, 'install': install_command_f2b
+- },
+- scripts = [
+- 'bin/fail2ban-client',
+- 'bin/fail2ban-server',
+- 'bin/fail2ban-regex',
+- 'bin/fail2ban-testcases',
+- # 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper
+- ],
+- packages = [
+- 'fail2ban',
+- 'fail2ban.client',
+- 'fail2ban.server',
+- 'fail2ban.tests',
+- 'fail2ban.tests.action_d',
+- ],
+- package_data = {
+- 'fail2ban.tests':
+- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
+- for w in os.walk('fail2ban/tests/files')
+- for f in w[2]] +
+- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
+- for w in os.walk('fail2ban/tests/config')
+- for f in w[2]] +
+- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
+- for w in os.walk('fail2ban/tests/action_d')
+- for f in w[2]]
+- },
+- data_files = [
+- ('/etc/fail2ban',
+- glob("config/*.conf")
+- ),
+- ('/etc/fail2ban/filter.d',
+- glob("config/filter.d/*.conf")
+- ),
+- ('/etc/fail2ban/filter.d/ignorecommands',
+- [p for p in glob("config/filter.d/ignorecommands/*") if isfile(p)]
+- ),
+- ('/etc/fail2ban/action.d',
+- glob("config/action.d/*.conf") +
+- glob("config/action.d/*.py")
+- ),
+- ('/etc/fail2ban/fail2ban.d',
+- ''
+- ),
+- ('/etc/fail2ban/jail.d',
+- ''
+- ),
+- ('/var/lib/fail2ban',
+- ''
+- ),
+- ] + data_files_extra,
+- **setup_extra
+-)
+-
+-# Do some checks after installation
+-# Search for obsolete files.
+-obsoleteFiles = []
+-elements = {
+- "/etc/":
+- [
+- "fail2ban.conf"
+- ],
+- "/usr/bin/":
+- [
+- "fail2ban.py"
+- ],
+- "/usr/lib/fail2ban/":
+- [
+- "version.py",
+- "protocol.py"
+- ]
+-}
+-
+-for directory in elements:
+- for f in elements[directory]:
+- path = join(directory, f)
+- if isfile(path):
+- obsoleteFiles.append(path)
+-
+-if obsoleteFiles:
+- print("")
+- print("Obsolete files from previous Fail2Ban versions were found on "
+- "your system.")
+- print("Please delete them:")
+- print("")
+- for f in obsoleteFiles:
+- print("\t" + f)
+- print("")
+-
+-if isdir("/usr/lib/fail2ban"):
+- print("")
+- print("Fail2ban is not installed under /usr/lib anymore. The new "
+- "location is under /usr/share. Please remove the directory "
+- "/usr/lib/fail2ban and everything under this directory.")
+- print("")
+-
+-# Update config file
+-if sys.argv[1] == "install":
+- print("")
+- print("Please do not forget to update your configuration files.")
+- print("They are in \"/etc/fail2ban/\".")
+- print("")
+- print("You can also install systemd service-unit file from \"build/fail2ban.service\"")
+- print("resp. corresponding init script from \"files/*-initd\".")
+- print("")
+--
+2.17.1
+
diff --git a/external/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py b/external/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
index a5d4ed6c..e2319498 100755
--- a/external/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
+++ b/external/meta-security/recipes-security/fail2ban/files/fail2ban_setup.py
@@ -1,4 +1,3 @@
-#!/usr/bin/env python
# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
# vi: set ft=python sts=4 ts=4 sw=4 noet :
diff --git a/external/meta-security/recipes-security/fail2ban/files/initd b/external/meta-security/recipes-security/fail2ban/files/initd
index 4f4b394c..586b3dac 100644
--- a/external/meta-security/recipes-security/fail2ban/files/initd
+++ b/external/meta-security/recipes-security/fail2ban/files/initd
@@ -39,9 +39,9 @@ start() {
RETVAL=$?
if [ $RETVAL = 0 ]; then
touch ${lockfile}
- echo_success
+ success
else
- echo_failure
+ failure
fi
echo
return $RETVAL
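Review bot: The renamed helpers `success` and `failure` in start() (and in stop() in the next hunk) are presumably supplied by the init-functions library the script sources near its top, which is outside both hunks; confirm that sourcing line is still present and that it provides these names, otherwise every start/stop reports "command not found" where it used to print the status marker. If the library is optional on some targets, a fallback such as `type success >/dev/null 2>&1 || success() { echo " OK"; }` after the source line keeps the script usable. start() and stop() both begin before their hunks.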
@@ -53,9 +53,9 @@ stop() {
RETVAL=$?
if [ $RETVAL = 0 ]; then
rm -f ${lockfile} ${pidfile}
- echo_success
+ success
else
- echo_failure
+ failure
fi
echo
return $RETVAL
diff --git a/external/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb b/external/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb
deleted file mode 100644
index 17a7dd8d..00000000
--- a/external/meta-security/recipes-security/fail2ban/python-fail2ban_0.10.3.1.bb
+++ /dev/null
@@ -1,4 +0,0 @@
-inherit setuptools
-require python-fail2ban.inc
-
-RDEPENDS_${PN}-ptest = "python python-modules python-fail2ban"
diff --git a/external/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb b/external/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb
deleted file mode 100644
index 5c887e85..00000000
--- a/external/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.3.1.bb
+++ /dev/null
@@ -1,4 +0,0 @@
-inherit setuptools3
-require python-fail2ban.inc
-
-RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
diff --git a/external/meta-security/recipes-security/fail2ban/python-fail2ban.inc b/external/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
index 9245f17b..e737f502 100644
--- a/external/meta-security/recipes-security/fail2ban/python-fail2ban.inc
+++ b/external/meta-security/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
@@ -9,41 +9,43 @@ HOMEPAGE = "http://www.fail2ban.org"
LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
-SRCREV ="ac0d441fd68852ffda7b15c71f16b7f4fde1a7ee"
-SRC_URI = " \
- git://github.com/fail2ban/fail2ban.git;branch=0.11 \
- file://initd \
+SRCREV ="3befbb177017957869425c81a560edb8e27db75a"
+SRC_URI = " git://github.com/fail2ban/fail2ban.git;branch=0.11 \
+ file://initd \
file://fail2ban_setup.py \
file://run-ptest \
+ file://0001-python3-fail2ban-2-3-conversion.patch \
"
-inherit update-rc.d ptest
+inherit update-rc.d ptest setuptools3
S = "${WORKDIR}/git"
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME = "fail2ban-server"
-INITSCRIPT_PARAMS = "defaults 25"
-
do_compile_prepend () {
cp ${WORKDIR}/fail2ban_setup.py ${S}/setup.py
}
do_install_append () {
- install -d ${D}/${sysconfdir}/fail2ban
- install -d ${D}/${sysconfdir}/init.d
- install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
- chown -R root:root ${D}/${bindir}
+ install -d ${D}/${sysconfdir}/fail2ban
+ install -d ${D}/${sysconfdir}/init.d
+ install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
+ chown -R root:root ${D}/${bindir}
}
do_install_ptest_append () {
- install -d ${D}${PTEST_PATH}
- sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
- install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH}
+ install -d ${D}${PTEST_PATH}
+ sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
+ install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH}
}
FILES_${PN} += "/run"
+INITSCRIPT_PACKAGES = "${PN}"
+INITSCRIPT_NAME = "fail2ban-server"
+INITSCRIPT_PARAMS = "defaults 25"
+
INSANE_SKIP_${PN}_append = "already-stripped"
-RDEPENDS_${PN} = "sysklogd iptables sqlite3 ${PYTHON_PN} ${PYTHON_PN}-pyinotify"
+RDEPENDS_${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables sqlite3 python3-core python3-pyinotify"
+RDEPENDS_${PN} += " python3-logging python3-fcntl python3-json"
+RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
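Review bot: `SRCREV ="3befbb177017957869425c81a560edb8e27db75a"` on the new side drops the space after the variable name; BitBake accepts it, but every other assignment in the file is written `NAME = "..."`, so make it `SRCREV = "3befbb177017957869425c81a560edb8e27db75a"`. The recipe is now versioned 0.10.4.0 by its filename while the unchanged SRC_URI line still tracks `branch=0.11`; if the pinned commit sits on the 0.11 branch, the PV in the filename is misleading, so confirm which upstream release it corresponds to. A one-line comment above `do_compile_prepend` stating why the shipped fail2ban_setup.py replaces upstream's setup.py would also help the next maintainer, since the reason is not visible anywhere in this recipe.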
diff --git a/external/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.05.bb b/external/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
index 73b802fb..f9ca0926 100644
--- a/external/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.05.bb
+++ b/external/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
@@ -4,17 +4,20 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
LICENSE = "Apache-2.0"
SRC_URI = "git://github.com/google/google-authenticator-libpam.git"
-SRCREV = "7365ed10d54393fb4c100cac063ae8edb744eac6"
+SRCREV = "2c7415d950fb0b4a7f779f045910666447b100ef"
DEPENDS = "libpam"
S = "${WORKDIR}/git"
-inherit autotools distro_features_check
+inherit autotools features_check
REQUIRED_DISTRO_FEATURES = "pam"
+# Use the same dir location as PAM
+EXTRA_OECONF = "--libdir=${base_libdir}"
+
PACKAGES += "pam-google-authenticator"
-FILES_pam-google-authenticator = "${libdir}/security/pam_google_authenticator.so"
+FILES_pam-google-authenticator = "${base_libdir}/security/pam_google_authenticator.so"
RDEPNEDS_pam-google-authenticator = "libpam"
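Review bot: The line closing the hunk, `RDEPNEDS_pam-google-authenticator = "libpam"`, is misspelled, so the pam-google-authenticator package declares no runtime dependency on libpam at all and could be installed without the PAM library its module needs. It is untouched context, but this commit is already reworking where that package's module is installed, so fix it here: `RDEPENDS_pam-google-authenticator = "libpam"`. The new `# Use the same dir location as PAM` comment above EXTRA_OECONF is exactly the kind of why-note the file was missing.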
diff --git a/external/meta-security/recipes-security/images/security-client-image.bb b/external/meta-security/recipes-security/images/security-client-image.bb
index 1a924797..f4ebc697 100644
--- a/external/meta-security/recipes-security/images/security-client-image.bb
+++ b/external/meta-security/recipes-security/images/security-client-image.bb
@@ -5,8 +5,7 @@ IMAGE_INSTALL = "\
packagegroup-core-boot \
os-release \
samhain-client \
- ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)} \
- ${ROOTFS_PKGMANAGE_BOOTSTRAP} ${CORE_IMAGE_EXTRA_INSTALL}"
+ ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}"
IMAGE_LINGUAS ?= " "
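Review bot: Dropping `${CORE_IMAGE_EXTRA_INSTALL}` from the tail of IMAGE_INSTALL means packages a user adds through that variable in local.conf no longer reach this image, assuming the recipe inherits core-image (the inherit line is outside the hunk). Removing `${ROOTFS_PKGMANAGE_BOOTSTRAP}` is presumably the intent, since OE-core no longer defines it; if so, keep the extra-install hook and end the list with `${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)} ${CORE_IMAGE_EXTRA_INSTALL}"`. The same applies to the security-server-image.bb hunk that follows.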
diff --git a/external/meta-security/recipes-security/images/security-server-image.bb b/external/meta-security/recipes-security/images/security-server-image.bb
index 502b5c14..4927e0ee 100644
--- a/external/meta-security/recipes-security/images/security-server-image.bb
+++ b/external/meta-security/recipes-security/images/security-server-image.bb
@@ -6,8 +6,7 @@ IMAGE_INSTALL = "\
packagegroup-base \
packagegroup-core-boot \
samhain-server \
- os-release \
- ${ROOTFS_PKGMANAGE_BOOTSTRAP} ${CORE_IMAGE_EXTRA_INSTALL}"
+ os-release "
IMAGE_LINGUAS ?= " "
diff --git a/external/meta-security/recipes-security/images/security-test-image.bb b/external/meta-security/recipes-security/images/security-test-image.bb
new file mode 100644
index 00000000..c71d7267
--- /dev/null
+++ b/external/meta-security/recipes-security/images/security-test-image.bb
@@ -0,0 +1,33 @@
+DESCRIPTION = "A small image for testing meta-security packages"
+
+IMAGE_FEATURES += "ssh-server-openssh"
+
+TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
+
+INSTALL_CLAMAV_CVD = "1"
+
+IMAGE_INSTALL = "\
+ packagegroup-base \
+ packagegroup-core-boot \
+ packagegroup-core-security-ptest \
+ clamav \
+ tripwire \
+ checksec \
+ suricata \
+ samhain-standalone \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
+ os-release \
+ "
+
+
+IMAGE_LINGUAS ?= " "
+
+LICENSE = "MIT"
+
+inherit core-image
+
+export IMAGE_BASENAME = "security-test-image"
+
+IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
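Review bot: TEST_SUITES names the apparmor, smack and sssd suites unconditionally while the matching packages are installed only when the corresponding DISTRO_FEATURE is present, so on a distro without those features the run either fails or relies on each test class skipping itself; make the suite list conditional in the same way, e.g. `TEST_SUITES += "${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "", d)}"` and likewise for smack and sssd. `INSTALL_CLAMAV_CVD = "1"` deserves a comment naming the recipe that reads it and what it puts into the image, since nothing in this file explains it. The two blank lines between the IMAGE_INSTALL block and IMAGE_LINGUAS can be reduced to one.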
diff --git a/external/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch b/external/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch
deleted file mode 100644
index acd91c01..00000000
--- a/external/meta-security/recipes-security/keyutils/files/keyutils-fix-error-report-by-adding-default-message.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-fix keyutils test error report
-
-Upstream-Status: Pending
-
-"Permission denied" may be the reason of EKEYEXPIRED and EKEYREVOKED.
-"Required key not available" may be the reason of EKEYREVOKED.
-EXPIRED and REVOKED are 2 status of kernel security keys features.
-But the userspace keyutils lib will output the error message, which may
-have several reasons.
-
-Signed-off-by: Han Chao <chan@windriver.com>
-
-diff --git a/tests/toolbox.inc.sh b/tests/toolbox.inc.sh
-index bbca00a..739e9d0 100644
---- a/tests/toolbox.inc.sh
-+++ b/tests/toolbox.inc.sh
-@@ -227,11 +227,12 @@ function expect_error ()
- ;;
- EKEYEXPIRED)
- my_err="Key has expired"
-- alt_err="Unknown error 127"
-+ alt_err="Permission denied"
- ;;
- EKEYREVOKED)
- my_err="Key has been revoked"
-- alt_err="Unknown error 128"
-+ alt_err="Permission denied"
-+ alt2_err="Required key not available"
- ;;
- EKEYREJECTED)
- my_err="Key has been rejected"
-@@ -249,6 +250,9 @@ function expect_error ()
- elif [ "x$alt_err" != "x" ] && expr "$my_errmsg" : ".*: $alt_err" >&/dev/null
- then
- :
-+ elif [ "x$alt2_err" != "x" ] && expr "$my_errmsg" : ".*: $alt2_err" >&/dev/null
-+ then
-+ :
- elif [ "x$old_err" != "x" ] && expr "$my_errmsg" : ".*: $old_err" >&/dev/null
- then
- :
-
diff --git a/external/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch b/external/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch
deleted file mode 100644
index a4ffd50c..00000000
--- a/external/meta-security/recipes-security/keyutils/files/keyutils-test-fix-output-format.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 49b6321368e4bd3cd233d045cd09004ddd7968b2 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Mon, 15 May 2017 14:52:00 +0800
-Subject: [PATCH] keyutils: fix output format
-
-keyutils ptest output format is incorrect, according to yocto
-Development Manual
-(http://www.yoctoproject.org/docs/latest/dev-manual/dev-manual.html#testing-packages-with-ptest)
-5.10.6. Testing Packages With ptestThe test generates output in the format used by Automake:
-<result>: <testname>
-where the result can be PASS, FAIL, or SKIP, and the testname can be any
-identifying string.
-So we should change the test result format to match yocto ptest rules.
-
-Upstream-Status: Inappropriate [OE ptest specific]
-
-Signed-off-by: Li Wang <li.wang@windriver.com>
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- tests/runtest.sh | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/tests/runtest.sh b/tests/runtest.sh
-index b6eaa7c..84263fb 100644
---- a/tests/runtest.sh
-+++ b/tests/runtest.sh
-@@ -21,6 +21,11 @@ for i in ${TESTS}; do
- echo "### RUNNING TEST $i"
- if [[ $AUTOMATED != 0 ]] ; then
- bash ./runtest.sh
-+ if [ $? != 0 ]; then
-+ echo "FAIL: $i"
-+ else
-+ echo "PASS: $i"
-+ fi
- else
- bash ./runtest.sh || exit 1
- fi
---
-2.11.0
-
diff --git a/external/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch b/external/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch
deleted file mode 100644
index dde1af44..00000000
--- a/external/meta-security/recipes-security/keyutils/files/keyutils-use-relative-path-for-link.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-Subject: [PATCH] keyutils: use relative path for link
-
-The absolute path of the symlink will be invalid
-when populated in sysroot, so use relative path instead.
-
-Upstream-Status: Pending
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 824bbbf..8ce3a13 100644
---- a/Makefile
-+++ b/Makefile
-@@ -167,7 +167,7 @@ ifeq ($(NO_SOLIB),0)
- $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME)
- $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME)
- mkdir -p $(DESTDIR)$(USRLIBDIR)
-- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
-+ $(LNS) $(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
- endif
- $(INSTALL) -D keyctl $(DESTDIR)$(BINDIR)/keyctl
- $(INSTALL) -D request-key $(DESTDIR)$(SBINDIR)/request-key
---
-2.11.0
-
diff --git a/external/meta-security/recipes-security/keyutils/files/run-ptest b/external/meta-security/recipes-security/keyutils/files/run-ptest
deleted file mode 100755
index 305707f6..00000000
--- a/external/meta-security/recipes-security/keyutils/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-export AUTOMATED=1
-make -C tests run
diff --git a/external/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb b/external/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb
deleted file mode 100644
index a4222b9e..00000000
--- a/external/meta-security/recipes-security/keyutils/keyutils_1.5.10.bb
+++ /dev/null
@@ -1,47 +0,0 @@
-SUMMARY = "Linux Key Management Utilities"
-DESCRIPTION = "\
- Utilities to control the kernel key management facility and to provide \
- a mechanism by which the kernel call back to userspace to get a key \
- instantiated. \
- "
-HOMEPAGE = "http://people.redhat.com/dhowells/keyutils"
-SECTION = "base"
-
-LICENSE = "LGPLv2.1+ & GPLv2.0+"
-
-LIC_FILES_CHKSUM = "file://LICENCE.GPL;md5=5f6e72824f5da505c1f4a7197f004b45 \
- file://LICENCE.LGPL;md5=7d1cacaa3ea752b72ea5e525df54a21f"
-
-
-inherit siteinfo ptest
-
-SRC_URI = "http://people.redhat.com/dhowells/keyutils/${BP}.tar.bz2 \
- file://keyutils-use-relative-path-for-link.patch \
- file://keyutils-test-fix-output-format.patch \
- file://keyutils-fix-error-report-by-adding-default-message.patch \
- file://run-ptest \
- "
-
-SRC_URI[md5sum] = "3771676319bc7b84b1549b5c63ff5243"
-SRC_URI[sha256sum] = "115c3deae7f181778fd0e0ffaa2dad1bf1fe2f5677cf2e0e348cdb7a1c93afb6"
-
-EXTRA_OEMAKE = "'CFLAGS=${CFLAGS} -Wall' \
- NO_ARLIB=1 \
- BINDIR=${base_bindir} \
- SBINDIR=${base_sbindir} \
- LIBDIR=${base_libdir} \
- USRLIBDIR=${base_libdir} \
- BUILDFOR=${SITEINFO_BITS}-bit \
- NO_GLIBC_KEYERR=1 \
- "
-
-do_install () {
- oe_runmake DESTDIR=${D} install
-}
-
-do_install_ptest () {
- cp -r ${S}/tests ${D}${PTEST_PATH}/
- sed -i -e 's/OSDIST=Unknown/OSDIST=${DISTRO}/' ${D}${PTEST_PATH}/tests/prepare.inc.sh
-}
-
-RDEPENDS_${PN}-ptest += "glibc-utils"
diff --git a/external/meta-security/recipes-security/libmspack/libmspack_0.5.bb b/external/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb
index 80db23ce..8c288bee 100644
--- a/external/meta-security/recipes-security/libmspack/libmspack_0.5.bb
+++ b/external/meta-security/recipes-security/libmspack/libmspack_1.9.1.bb
@@ -6,11 +6,11 @@ DEPENDS = ""
LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd"
-SRC_URI = "${DEBIAN_MIRROR}/main/libm/${BPN}/${BPN}_${PV}.orig.tar.gz\
-"
-SRC_URI[md5sum] = "3aa3f6b9ef101463270c085478fda1da"
-SRC_URI[sha256sum] = "8967f275525f5067b364cee43b73e44d0433668c39f9376dfff19f653d1c8110"
+SRCREV = "63d3faf90423a4a6c174539a7d32111a840adadc"
+SRC_URI = "git://github.com/kyz/libmspack.git"
inherit autotools
-S = "${WORKDIR}/${BP}alpha"
+S = "${WORKDIR}/git/${BPN}"
+
+inherit autotools
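Review bot: `inherit autotools` is now stated twice, once on the untouched line before `S` and again on the new last line; the duplicate is harmless but dead, so drop the new `inherit autotools` line together with the blank line added with it. With the fetch moved from a checksummed tarball to git, the pinned SRCREV is the only integrity anchor for the source, which is fine as long as it stays a full commit hash rather than a tag or branch name.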
diff --git a/external/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb b/external/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
index 9c66db68..9ca41e65 100644
--- a/external/meta-security/recipes-security/libseccomp/libseccomp_2.3.3.bb
+++ b/external/meta-security/recipes-security/libseccomp/libseccomp_2.4.3.bb
@@ -4,9 +4,9 @@ SECTION = "security"
LICENSE = "LGPL-2.1"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-SRCREV = "74b190e1aa05f07da0c61fb9a30dbc9c18ce2c9d"
+SRCREV = "1dde9d94e0848e12da20602ca38032b91d521427"
-SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.3 \
+SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
file://run-ptest \
"
@@ -17,6 +17,8 @@ inherit autotools-brokensep pkgconfig ptest
PACKAGECONFIG ??= ""
PACKAGECONFIG[python] = "--enable-python, --disable-python, python"
+DISABLE_STATIC = ""
+
do_compile_ptest() {
oe_runmake -C tests check-build
}
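Review bot: `DISABLE_STATIC = ""` re-enables static archive builds without saying why, and the next person bumping this recipe will be tempted to remove it. If the reason is that `oe_runmake -C tests check-build` links the test binaries against libseccomp.a, say so above the line with something like `# Build static libs too: the ptest binaries in tests/ link against libseccomp.a`; otherwise state the actual reason. The first hunk of this file is a plain version bump and needs nothing.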
diff --git a/external/meta-security/recipes-security/ncrack/ncrack_0.7.bb b/external/meta-security/recipes-security/ncrack/ncrack_0.7.bb
new file mode 100644
index 00000000..ba269657
--- /dev/null
+++ b/external/meta-security/recipes-security/ncrack/ncrack_0.7.bb
@@ -0,0 +1,18 @@
+SUMMARY = "Network authentication cracking tool"
+DESCRIPTION = "Ncrack is designed for high-speed parallel testing of network devices for poor passwords."
+HOMEPAGE = "https://nmap.org/ncrack"
+SECTION = "security"
+
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=66938a7e5b4c118eda78271de14874c2"
+
+SRCREV = "dc570e7e3cec1fb176c0168eaedc723084bd0426"
+SRC_URI = "git://github.com/nmap/ncrack.git"
+
+DEPENDS = "openssl zlib"
+
+inherit autotools-brokensep
+
+S = "${WORKDIR}/git"
+
+INSANE_SKIP_${PN} = "already-stripped"
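Review bot: `INSANE_SKIP_${PN} = "already-stripped"` silences the QA check rather than fixing its cause: upstream's install step evidently strips the binaries itself, so the -dbg package ends up without symbols and the warning that would have told the next maintainer is gone. The preferred fix is to keep the check and stop the install-time strip, for example by overriding whatever strip variable the upstream Makefile uses via EXTRA_OEMAKE or with a small patch to the install rule; if the skip must stay, add a comment above it explaining why. `SRC_URI` also fetches git:// with no `;branch=` parameter, so the SRCREV is the only thing pinning what gets built, which is acceptable only while it remains a full commit hash.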
diff --git a/external/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch b/external/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch
deleted file mode 100644
index 5ddb1692..00000000
--- a/external/meta-security/recipes-security/nikto/files/CVE-2018-11652.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From e759b3300aace5314fe3d30800c8bd83c81c29f7 Mon Sep 17 00:00:00 2001
-From: sullo <sullo@cirt.net>
-Date: Thu, 31 May 2018 23:30:03 -0400
-Subject: [PATCH] Fix CSV injection issue if server responds with a malicious
- Server string & CSV output is opened in Excel or other spreadsheet app.
- Potentially malicious cell start characters are now prefaced with a ' mark.
- Thanks to Adam (@bytesoverbombs) for letting me know!
-
-Also fixed a crash in the outdated plugin if the $sepr field ends up being something that triggers a panic in split().
-
-CVE: CVE-2018-11652
-Upstream-Status: Backport
-Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com>
----
- plugins/nikto_outdated.plugin | 2 +-
- plugins/nikto_report_csv.plugin | 42 +++++++++++++++++++++++++++++------------
- 2 files changed, 31 insertions(+), 13 deletions(-)
-
-diff --git a/plugins/nikto_outdated.plugin b/plugins/nikto_outdated.plugin
-index 72379cc..eb1d889 100644
---- a/plugins/nikto_outdated.plugin
-+++ b/plugins/nikto_outdated.plugin
-@@ -83,7 +83,7 @@ sub nikto_outdated {
- $sepr = substr($sepr, (length($sepr) - 1), 1);
-
- # break up ID string on $sepr
-- my @T = split(/$sepr/, $mark->{'banner'});
-+ my @T = split(/\\$sepr/, $mark->{'banner'});
-
- # assume last is version...
- for ($i = 0 ; $i < $#T ; $i++) { $MATCHSTRING .= "$T[$i] "; }
-diff --git a/plugins/nikto_report_csv.plugin b/plugins/nikto_report_csv.plugin
-index d13acab..b942e78 100644
---- a/plugins/nikto_report_csv.plugin
-+++ b/plugins/nikto_report_csv.plugin
-@@ -52,10 +52,12 @@ sub csv_open {
- sub csv_host_start {
- my ($handle, $mark) = @_;
- $mark->{'banner'} =~ s/"/\\"/g;
-- print OUT "\"$mark->{'hostname'}\","
-- . "\"$mark->{'ip'}\","
-- . "\"$mark->{'port'}\"," . "\"\"," . "\"\"," . "\"\","
-- . "\"$mark->{'banner'}\"\n";
-+ print $handle "\"" . csv_safecell($hostname) . "\","
-+ . "\"" . csv_safecell($mark->{'ip'}) . "\","
-+ . "\"" . csv_safecell($mark->{'port'}) . "\"," . "\"\"," . "\"\"," . "\"\","
-+ #. "\"" . $mark->{'banner'} . "\"\n";
-+ . "\"" . csv_safecell($mark->{'banner'}) . "\"\n";
-+
- return;
- }
-
-@@ -65,26 +67,42 @@ sub csv_item {
- my ($handle, $mark, $item) = @_;
- foreach my $uri (split(' ', $item->{'uri'})) {
- my $line = '';
-- $line .= "\"$item->{'mark'}->{'hostname'}\",";
-- $line .= "\"$item->{'mark'}->{'ip'}\",";
-- $line .= "\"$item->{'mark'}->{'port'}\",";
-+ $line .= "\"" . csv_safecell($hostname) . "\",";
-+ $line .= "\"" . csv_safecell($item->{'mark'}->{'ip'}) . \",";
-+ $line .= "\"" . csv_safecell($item->{'mark'}->{'port'}) . "\",";
-
- $line .= "\"";
- if ($item->{'osvdb'} ne '') { $line .= "OSVDB-" . $item->{'osvdb'}; }
- $line .= "\",";
-
- $line .= "\"";
-- if ($item->{'method'} ne '') { $line .= $item->{'method'}; }
-+ if ($item->{'method'} ne '') { $line .= csv_safecell($item->{'method'}); }
- $line .= "\",";
-
- $line .= "\"";
-- if ($uri ne '') { $line .= $mark->{'root'} . $uri; }
-+ { $line .= csv_safecell($mark->{'root'}) . $uri; }
-+ else { $line .= csv_safecell($ur
- $line .= "\",";
-
-- $item->{'message'} =~ s/"/\\"/g;
-- $line .= "\"$item->{'message'}\"";
-- print $handle "$line\n";
-+ my $msg = $item->{'message'};
-+ $uri=quotemeta($uri);
-+ my $root = quotemeta($mark->{'root'});
-+ $msg =~ s/^$uri:\s//;
-+ $msg =~ s/^$root$uri:\s//;
-+ $msg =~ s/"/\\"/g;
-+ $line .= "\"" . csv_safecell($msg) ."\"";
-+ print $handle "$line\n";
-+
- }
- }
-
-+###############################################################################
-+# prevent CSV injection attacks
-+sub csv_safecell {
-+ my $celldata = $_[0] || return;
-+ if ($celldata =~ /^[=+@-]/) { $celldata = "'" . $celldata; }
-+ return $celldata;
-+}
-+
-+
- 1;
---
-2.6.4
-
diff --git a/external/meta-security/recipes-security/nikto/files/location.patch b/external/meta-security/recipes-security/nikto/files/location.patch
index a95b0629..edaa2047 100644
--- a/external/meta-security/recipes-security/nikto/files/location.patch
+++ b/external/meta-security/recipes-security/nikto/files/location.patch
@@ -1,36 +1,36 @@
-From e10b9b1f6704057ace39956ae1dc5c7caca07ff1 Mon Sep 17 00:00:00 2001
-From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-Date: Mon, 8 Jul 2013 11:53:54 +0300
-Subject: [PATCH] Setting the location of nikto on the image
+From d1cb702d5147abea0d3208a4d554c61a6f2decd6 Mon Sep 17 00:00:00 2001
+From: Scott Ellis <scott@jumpnowtek.com>
+Date: Fri, 28 Dec 2018 11:08:25 -0500
+Subject: [PATCH] Set custom paths
-Upstream Status: Inapropriate
+Upstream Status: Inappropriate
-Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+Signed-off-by: Scott Ellis <scott@jumpnowtek.com>
---
- nikto.conf | 10 +++++-----
+ nikto.conf | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
-diff --git a/nikto.conf b/nikto.conf
-index 25b784d..9577033 100644
+diff --git a/program/nikto.conf b/program/nikto.conf
+index bf36c58..8c55415 100644
--- a/nikto.conf
+++ b/nikto.conf
-@@ -61,11 +61,11 @@ CIRT=174.142.17.165
+@@ -61,11 +61,11 @@ CIRT=107.170.99.251
CHECKMETHODS=HEAD GET
# If you want to specify the location of any of the files, specify them here
-# EXECDIR=/opt/nikto # Location of Nikto
-# PLUGINDIR=/opt/nikto/plugins # Location of plugin dir
--# DBDIR=/opt/nikto/databases # Location of plugin dir
--# TEMPLATEDIR=/opt/nikto/templates # Location of tempmlate dir
+-# DBDIR=/opt/nikto/databases # Location of database dir
+-# TEMPLATEDIR=/opt/nikto/templates # Location of template dir
-# DOCDIR=/opt/nikto/docs # Location of docs dir
+EXECDIR=/usr/bin/nikto # Location of Nikto
+PLUGINDIR=/etc/nikto/plugins # Location of plugin dir
-+DBDIR=/etc/nikto/databases # Location of plugin dir
-+TEMPLATEDIR=/etc/nikto/templates # Location of tempmlate dir
++DBDIR=/etc/nikto/databases # Location of database dir
++TEMPLATEDIR=/etc/nikto/templates # Location of template dir
+DOCDIR=/usr/share/doc/nikto # Location of docs dir
# Default plugin macros
- @@MUTATE=dictionary;subdomain
+ # Remove plugins designed to be run standalone
--
-1.7.9.5
+2.7.4
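Review bot: The rewritten header line `Upstream Status: Inappropriate` still lacks the hyphen, so OE's patch-status QA will not recognise it; write `Upstream-Status: Inappropriate [embedded specific]`. The new `diff --git a/program/nikto.conf b/program/nikto.conf` line also disagrees with the unchanged `--- a/nikto.conf` / `+++ b/nikto.conf` lines; with `-p1` and S pointing into program/ (see the new nikto recipe later in this commit) patch will still find the file, but the three lines should name the same path. Since this commit also drops the CVE-2018-11652 backport for nikto, it is worth confirming that the pinned 2.1.6 SRCREV already carries that upstream fix before the patch removal lands.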
diff --git a/external/meta-security/recipes-security/nikto/nikto_2.1.5.bb b/external/meta-security/recipes-security/nikto/nikto_2.1.5.bb
deleted file mode 100644
index 19eb14f3..00000000
--- a/external/meta-security/recipes-security/nikto/nikto_2.1.5.bb
+++ /dev/null
@@ -1,108 +0,0 @@
-SUMMARY = "web server scanner"
-DESCRIPTION = "Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous \
- files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers."
-SECTION = "security"
-LICENSE = "GPLv2"
-
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
-
-SRC_URI = "http://cirt.net/nikto/${BP}.tar.gz \
- file://location.patch \
- file://CVE-2018-11652.patch"
-
-SRC_URI[md5sum] = "efcc98a918becb77471ee9a5df0a7b1e"
-SRC_URI[sha256sum] = "0e672a6a46bf2abde419a0e8ea846696d7f32e99ad18a6b405736ee6af07509f"
-
-do_install() {
- install -d ${D}${bindir}
- install -d ${D}${datadir}
- install -d ${D}${datadir}/man/man1
- install -d ${D}${datadir}/doc/nikto
- install -d ${D}${sysconfdir}/nikto
- install -d ${D}${sysconfdir}/nikto/databases
- install -d ${D}${sysconfdir}/nikto/plugins
- install -d ${D}${sysconfdir}/nikto/templates
-
- install -m 0644 databases/db_404_strings ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_content_search ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_dictionary ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_embedded ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_favicon ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_headers ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_httpoptions ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_multiple_index ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_outdated ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_parked_strings ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_realms ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_server_msgs ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_subdomains ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_tests ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_variables ${D}${sysconfdir}/nikto/databases
-
- install -m 0644 plugins/JSON-PP.pm ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/LW2.pm ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_apache_expect_xss.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_apacheusers.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_auth.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_cgi.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_clientaccesspolicy.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_content_search.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_cookies.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_core.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_dictionary_attack.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_embedded.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_favicon.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_fileops.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_headers.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_httpoptions.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_msgs.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_multiple_index.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_outdated.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_parked.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_paths.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_put_del_test.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_csv.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_html.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_msf.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_nbe.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_text.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_xml.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_robots.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_siebel.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_ssl.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_subdomain.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_tests.plugin ${D}${sysconfdir}/nikto/plugins
-
- install -m 0644 templates/htm_close.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_end.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_head.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_im.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_item.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_stop.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_summary.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_end.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_head.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_im.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_item.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_summary.tmpl ${D}${sysconfdir}/nikto/templates
-
- install -m 0644 nikto.conf ${D}${sysconfdir}
-
- install -m 0755 nikto.pl ${D}${bindir}/nikto
- install -m 0644 replay.pl ${D}${bindir}
- install -m 0644 docs/nikto.1 ${D}${datadir}/man/man1
-
- install -m 0644 docs/CHANGES.txt ${D}${datadir}/doc/nikto
- install -m 0644 docs/LICENSE.txt ${D}${datadir}/doc/nikto
- install -m 0644 docs/nikto.dtd ${D}${datadir}/doc/nikto
- install -m 0644 docs/nikto_manual.html ${D}${datadir}/doc/nikto
-}
-
-RDEPENDS_${PN} = "perl libnet-ssleay-perl libwhisker2-perl \
- perl-module-getopt-long perl-module-time-local \
- perl-module-io-socket perl-module-overloading \
- perl-module-base perl-module-b perl-module-bytes \
- nikto-doc"
diff --git a/external/meta-security/recipes-security/nikto/nikto_2.1.6.bb b/external/meta-security/recipes-security/nikto/nikto_2.1.6.bb
new file mode 100644
index 00000000..2d2c46ca
--- /dev/null
+++ b/external/meta-security/recipes-security/nikto/nikto_2.1.6.bb
@@ -0,0 +1,118 @@
+SUMMARY = "web server scanner"
+DESCRIPTION = "Nikto is an Open Source web server scanner which performs comprehensive tests against web servers"
+SECTION = "security"
+HOMEPAGE = "https://cirt.net/Nikto2"
+
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79"
+SRC_URI = "git://github.com/sullo/nikto.git \
+ file://location.patch"
+
+S = "${WORKDIR}/git/program"
+
+do_install() {
+ install -d ${D}${bindir}
+ install -d ${D}${datadir}
+ install -d ${D}${datadir}/man/man1
+ install -d ${D}${datadir}/doc/nikto
+ install -d ${D}${sysconfdir}/nikto
+ install -d ${D}${sysconfdir}/nikto/databases
+ install -d ${D}${sysconfdir}/nikto/plugins
+ install -d ${D}${sysconfdir}/nikto/templates
+
+ install -m 0644 databases/db_404_strings ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_content_search ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_dictionary ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_dir_traversal ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_domino ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_drupal ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_embedded ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_favicon ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_headers ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_httpoptions ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_multiple_index ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_outdated ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_parked_strings ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_realms ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_server_msgs ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_tests ${D}${sysconfdir}/nikto/databases
+ install -m 0644 databases/db_variables ${D}${sysconfdir}/nikto/databases
+
+ install -m 0644 plugins/LW2.pm ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_apache_expect_xss.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_apacheusers.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_auth.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_cgi.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_clientaccesspolicy.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_content_search.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_cookies.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_core.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_dictionary_attack.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_dir_traversal.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_dishwasher.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_docker_registry.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_domino.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_drupal.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_embedded.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_favicon.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_fileops.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_headers.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_httpoptions.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_ms10_070.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_msgs.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_multiple_index.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_negotiate.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_origin_reflection.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_outdated.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_parked.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_paths.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_put_del_test.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_csv.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_html.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_json.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_nbe.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_sqlg.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_text.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_report_xml.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_robots.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_siebel.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_sitefiles.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_ssl.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_strutshock.plugin ${D}${sysconfdir}/nikto/plugins
+ install -m 0644 plugins/nikto_tests.plugin ${D}${sysconfdir}/nikto/plugins
+
+ install -m 0644 templates/htm_close.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_end.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_host_head.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_host_im.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_host_item.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_stop.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/htm_summary.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_end.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_host_head.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_host_im.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_host_item.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_start.tmpl ${D}${sysconfdir}/nikto/templates
+ install -m 0644 templates/xml_summary.tmpl ${D}${sysconfdir}/nikto/templates
+
+ install -m 0644 nikto.conf ${D}${sysconfdir}
+
+ install -m 0755 nikto.pl ${D}${bindir}/nikto
+ install -m 0644 replay.pl ${D}${bindir}
+ install -m 0644 docs/nikto.1 ${D}${datadir}/man/man1
+
+ install -m 0644 docs/CHANGES.txt ${D}${datadir}/doc/nikto
+ install -m 0644 docs/LICENSE.txt ${D}${datadir}/doc/nikto
+ install -m 0644 docs/nikto.dtd ${D}${datadir}/doc/nikto
+ install -m 0644 docs/nikto_manual.html ${D}${datadir}/doc/nikto
+}
+
+RDEPENDS_${PN} = "perl libnet-ssleay-perl libwhisker2-perl \
+ perl-module-getopt-long perl-module-time-local \
+ perl-module-io-socket perl-module-overloading \
+ perl-module-base perl-module-b perl-module-bytes"
+
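Review bot: `templates/htm_start.tmpl` is installed twice in do_install (the line after `htm_stop.tmpl` repeats the one two lines above it), so one of the two lines is dead and should be dropped or replaced with whichever template it was meant to be. `replay.pl` is put in `${D}${bindir}` with mode 0644, which leaves a non-executable script on PATH; either `install -m 0755 replay.pl ${D}${bindir}` or move it under `${datadir}/doc/nikto` with the other documentation. `SRC_URI` fetches over plain `git://`, an unauthenticated cleartext transport: SRCREV pins the content, but the recipe should still use `git://github.com/sullo/nikto.git;protocol=https` (newer bitbake also expects an explicit `;branch=` on git URIs). `LIC_FILES_CHKSUM` points at the generic `${COMMON_LICENSE_DIR}/GPL-2.0` rather than the `docs/LICENSE.txt` the recipe itself installs, so an upstream licence change would not trip the checksum; `file://docs/LICENSE.txt;md5=<checksum of upstream file>` is the usual form.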
diff --git a/external/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/external/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
new file mode 100644
index 00000000..83a9ed83
--- /dev/null
+++ b/external/meta-security/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
@@ -0,0 +1,28 @@
+DESCRIPTION = "Security ptest packagegroup"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
+ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+inherit features_check
+
+REQUIRED_DISTRO_FEATURES = "ptest"
+
+PACKAGES = "\
+ ${PN} \
+ "
+
+ALLOW_EMPTY_${PN} = "1"
+
+SUMMARY_${PN} = "Security packages with ptests"
+RDEPENDS_${PN} = " \
+ ptest-runner \
+ samhain-standalone-ptest \
+ keyutils-ptest \
+ libseccomp-ptest \
+ python3-scapy-ptest \
+ suricata-ptest \
+ tripwire-ptest \
+ python-fail2ban-ptest \
+ ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
+ ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
+ "
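Review bot: `python-fail2ban-ptest` in RDEPENDS diverges from the `python3-fail2ban-ptest` that the in-file group being removed from packagegroup-core-security.bb listed, while the same commit moves scapy to `python3-scapy`; if fail2ban is built from the Python 3 recipe in this layer, this entry should read `python3-fail2ban-ptest`, otherwise the old entry was already wrong — worth confirming against the fail2ban recipe before this lands. Since the ptest list now lives in its own file, a comment above RDEPENDS such as `# keep in step with the package list in packagegroup-core-security.bb` would stop the two from drifting apart silently.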
diff --git a/external/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb b/external/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
index e847847b..e0a9d053 100644
--- a/external/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
+++ b/external/meta-security/recipes-security/packagegroup/packagegroup-core-security.bb
@@ -11,8 +11,6 @@ PACKAGES = "\
packagegroup-security-scanners \
packagegroup-security-ids \
packagegroup-security-mac \
- ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \
"
RDEPENDS_packagegroup-core-security = "\
@@ -20,8 +18,6 @@ RDEPENDS_packagegroup-core-security = "\
packagegroup-security-scanners \
packagegroup-security-ids \
packagegroup-security-mac \
- ${@bb.utils.contains("MACHINE_FEATURES", "tpm", "packagegroup-security-tpm", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "ptest", "packagegroup-security-ptest", "", d)} \
"
SUMMARY_packagegroup-security-utils = "Security utilities"
@@ -29,11 +25,11 @@ RDEPENDS_packagegroup-security-utils = "\
checksec \
nmap \
pinentry \
- python-scapy \
+ python3-scapy \
ding-libs \
- xmlsec1 \
keyutils \
libseccomp \
+ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \
"
@@ -42,6 +38,8 @@ RDEPENDS_packagegroup-security-scanners = "\
nikto \
checksecurity \
clamav \
+ clamav-freshclam \
+ clamav-cvd \
"
SUMMARY_packagegroup-security-audit = "Security Audit tools "
@@ -68,18 +66,3 @@ RDEPENDS_packagegroup-security-mac = " \
${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
"
-
-SUMMARY_packagegroup-security-ptest = "Security packages with ptests"
-RDEPENDS_packagegroup-security-ptest = " \
- samhain-standalone-ptest \
- xmlsec1-ptest \
- keyutils-ptest \
- libseccomp-ptest \
- python-scapy-ptest \
- suricata-ptest \
- tripwire-ptest \
- python3-fail2ban-ptest \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
- ptest-runner \
- "
diff --git a/external/meta-security/recipes-security/samhain/files/run-ptest b/external/meta-security/recipes-security/samhain/files/run-ptest
deleted file mode 100755
index 2a4a7653..00000000
--- a/external/meta-security/recipes-security/samhain/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-current_dir=$(dirname $(readlink -f $0))
-$current_dir/cutest
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch b/external/meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch
deleted file mode 100644
index 088a938e..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From ae79606a6745dbbd429d1d4671dfe3045d735057 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Thu, 14 Sep 2017 13:26:55 +0800
-Subject: [PATCH] Add LDFLAGS variable for compiling samhain_setpwd
-
-Upstream-Status: Pending
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- Makefile.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile.in b/Makefile.in
-index 01de987..49356cf 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -1128,7 +1128,7 @@ sh_tiger_i.o: $(srcsrc)/$(TIGER_SRC) Makefile config_xor.h
- samhain_setpwd: encode config_xor.h $(srcsrc)/samhain_setpwd.c
- @echo '$(COMPILE) -o samhain_setpwd $(srcsrc)/samhain_setpwd.c'; \
- ./encode $(XOR_CODE) $(srcsrc)/samhain_setpwd.c; \
-- $(COMPILE) -o samhain_setpwd x_samhain_setpwd.c; \
-+ $(COMPILE) $(LDFLAGS) -o samhain_setpwd x_samhain_setpwd.c; \
- rm x_samhain_setpwd.c
-
- samhain_stealth: encode config_xor.h $(srcsrc)/samhain_stealth.c
---
-2.11.0
-
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch b/external/meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch
deleted file mode 100644
index 6bf67e09..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-avoid-searching-host-for-postgresql.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 3e2ca7e06b16ceff6d12beb5113312f6525df595 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Thu, 14 Sep 2017 11:02:12 +0800
-Subject: [PATCH] configure.ac: avoid searching host for postgresql
-
-Upstream-Status: Inappropriate [cross compile specific]
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- configure.ac | 101 +++--------------------------------------------------------
- 1 file changed, 5 insertions(+), 96 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index a224c68..f658d53 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1278,90 +1278,11 @@ AC_ARG_WITH(database,
- AC_DEFINE(WITH_POSTGRES)
- AC_DEFINE(WITH_DATABASE)
- #
-- PGCONF="no"
-- MY_PATH="${PATH}:/usr/local/bin:/usr/local/pgsql/bin"
-- OLD_IFS="$IFS"
-- IFS=":"
-- for ff in ${MY_PATH}
-- do
-- if test -f "$ff/pg_config"
-- then
-- PGCONF="$ff/pg_config"
-- fi
-- done
-- IFS="${OLD_IFS}"
-- #
-- #
-- if test "x${PGCONF}" = "xno"
-- then
-- AC_MSG_CHECKING(for PostgreSQL in /usr/local/pgsql /usr/pgsql /usr/local /usr PGSQL_HOME)
-- pgsql_directory="/usr/local/pgsql /usr/pgsql /usr/local /usr ${PGSQL_HOME}"
-- for i in $pgsql_directory; do
-- if test -r $i/include/pgsql/libpq-fe.h; then
-- PGSQL_INC_DIR=$i/include
-- PGSQL_DIR=$i
-- # use AC_CHECK_HEADERS to check for pgsql/libpq-fe.h
-- fi
-- done
-- if test -z "$PGSQL_DIR"; then
-- for i in $pgsql_directory; do
-- if test -r $i/include/postgresql/libpq-fe.h; then
-- PGSQL_INC_DIR=$i/include
-- PGSQL_DIR=$i
-- fi
-- done
-- fi
-- if test -z "$PGSQL_DIR"; then
-- for i in $pgsql_directory; do
-- if test -r $i/include/libpq-fe.h; then
-- PGSQL_INC_DIR=$i/include
-- PGSQL_DIR=$i
-- fi
-- done
-- fi
--
-- if test -z "$PGSQL_DIR"; then
-- tmp=""
-- for i in $pgsql_directory; do
-- tmp="$tmp $i/include $i/include/pgsql $i/include/postgresql"
-- done
-- FAIL_MESSAGE("PostgreSQL header file (libpq-fe.h)", $tmp)
-- fi
--
-- for i in lib lib/pgsql lib/postgresql; do
-- str="$PGSQL_DIR/$i/libpq.*"
-- for j in `echo $str`; do
-- if test -r $j; then
-- PGSQL_LIB_DIR="$PGSQL_DIR/$i"
-- break 2
-- fi
-- done
-- done
--
-- if test -z "$PGSQL_LIB_DIR"; then
-- for ff in $pgsql_directory; do
-- for i in lib lib/pgsql lib/postgresql; do
-- str="$ff/$i/libpq.*"
-- for j in `echo $str`; do
-- if test -r $j; then
-- PGSQL_LIB_DIR="$ff/$i"
-- break 3
-- fi
-- done
-- done
-- done
-- fi
--
-- if test -z "$PGSQL_LIB_DIR"; then
-- tmp=""
-- for i in $pgsql_directory; do
-- tmp="$i/lib $i/lib/pgsql $i/lib/postgresql"
-- done
-- FAIL_MESSAGE("postgresql library libpq", $tmp)
-- fi
--
-- AC_MSG_RESULT(yes)
--
-+ if test -z "${PGSQL_LIB_DIR}" ; then
-+ FAIL_MESSAGE("PGSQL_LIB_DIR is not set!")
-+ elif test -z "${PGSQL_INC_DIR}" ; then
-+ FAIL_MESSAGE("PGSQL_INC_DIR is not set!")
-+ else
- LIBS="$LIBS -L${PGSQL_LIB_DIR} -lpq -lm"
- if test x"$enable_static" = xyes; then
- LIBS="$LIBS -L${PGSQL_LIB_DIR} -lpq -lcrypt -lm"
-@@ -1370,18 +1291,6 @@ AC_ARG_WITH(database,
- fi
- # CFLAGS="$CFLAGS -I${PGSQL_INC_DIR}"
- CPPFLAGS="$CPPFLAGS -I${PGSQL_INC_DIR}"
-- AC_CHECK_HEADERS(pgsql/libpq-fe.h)
-- AC_CHECK_HEADERS(postgresql/libpq-fe.h)
-- else
-- pg_lib_dir=`${PGCONF} --libdir`
-- if test x"$enable_static" = xyes; then
-- LIBS="$LIBS -L${pg_lib_dir} -lpq -lcrypt -lm"
-- else
-- LIBS="$LIBS -L${pg_lib_dir} -lpq -lm"
-- fi
-- pg_inc_dir=`${PGCONF} --includedir`
-- # CFLAGS="$CFLAGS -I${pg_inc_dir}"
-- CPPFLAGS="$CPPFLAGS -I${pg_inc_dir}"
- fi
- elif test "x${withval}" = "xodbc"; then
- AC_MSG_CHECKING(for odbc in /usr /usr/local ODBC_HOME)
---
-2.11.0
-
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-client.default b/external/meta-security/recipes-security/samhain/files/samhain-client.default
deleted file mode 100644
index 9899577a..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-client.default
+++ /dev/null
@@ -1,3 +0,0 @@
-# Set this to "yes" to start the server, after you configure it, of
-# course.
-SAMHAIN_CLIENT_START="no" \ No newline at end of file
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-client.init b/external/meta-security/recipes-security/samhain/files/samhain-client.init
deleted file mode 100644
index d5fabede..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-client.init
+++ /dev/null
@@ -1,122 +0,0 @@
-#!/bin/bash
-# chkconfig: 2345 99 10
-# description: File Integrity Checking Daemon
-#
-# processname: samhain
-# config : /etc/samhainrc
-# logfile : /var/log/samhain_log
-# database: /var/lib/samhain/samhain_file
-#
-
-NAME=samhain
-DAEMON=/usr/sbin/samhain
-RETVAL=0
-PIDFILE=/var/run/samhain.pid
-
-. /etc/default/rcS
-
-. /etc/default/samhain-client
-
-if [ "x$SAMHAIN_CLIENT_START" != "xyes" ]; then
- echo "${0}: client disabled in /etc/default/samhain-client"
- exit 0
-fi
-
-if [ -x $DAEMON ]; then
- :
-else
- echo "${0}: executable ${DAEMON} not found"
- exit 1
-fi
-
-if [ ! -e /var/lib/samhain/samhain_file ]; then
- echo "${0}: /var/lib/samhain/samhain_file does not exist. You must"
- echo " run 'samhain -t init' before samhian-client can start."
- exit 1
-fi
-
-samhain_done()
-{
- if [ $RETVAL -eq 0 ]; then
- echo "."
- else
- echo " failed."
- fi
-}
-
-log_stat_msg () {
-case "$1" in
- 0)
- echo "Service $NAME: Running";
- ;;
- 1)
- echo "Service $NAME: Stopped and /var/run pid file exists";
- ;;
- 3)
- echo "Service $NAME: Stopped";
- ;;
- *)
- echo "Service $NAME: Status unknown";
- ;;
-esac
-}
-
-case "$1" in
- start)
- #
- # Remove a stale PID file, if found
- #
- if test -f ${PIDFILE}; then
- /bin/rm -f ${PIDFILE}
- fi
- #
- echo -n "Starting ${NAME}"
- start-stop-daemon --start --quiet --exec $DAEMON
- RETVAL=$?
- samhain_done
- ;;
-
- stop)
- echo -n "Stopping $NAME"
- start-stop-daemon --stop --quiet --exec $DAEMON
- RETVAL=$?
-
- #
- # Remove a stale PID file, if found
- #
- if test -f ${PIDFILE}; then
- /bin/rm -f ${PIDFILE}
- fi
- if test -S /var/run/${NAME}.sock; then
- /bin/rm -f /var/run/${NAME}.sock
- fi
- samhain_done
- ;;
-
- restart)
- $0 stop
- sleep 3
- $0 start
- RETVAL=$?
- ;;
-
- reload|force-reload)
- echo -n "Reloading $NAME configuration files"
- start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
- RETVAL=$?
- samhain_done
- ;;
-
- status)
- $DAEMON status
- RETVAL=$?
- log_stat_msg ${RETVAL}
- ;;
-
- *)
- echo "$0 usage: {start|stop|status|restart|reload}"
- exit 1
- ;;
-esac
-
-exit $RETVAL
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch b/external/meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch
deleted file mode 100644
index 8de0735f..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-configure-add-option-for-ps.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 02a143f0068cbc6cea71359169210fbb3606d4bb Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Mon, 18 Jan 2016 00:24:57 -0500
-Subject: [PATCH] configure: add option for ps
-
-The configure searches hardcoded host paths for PSPATH
-and run ps commands to decide PSARG which will fail
-on host without ps:
-| configure: error: Cannot find ps in any of /usr/ucb /bin /usr/bin
-
-So add an option so we can specify the ps at configure
-to avoid host contamination.
-
-Upstream-Status: Inappropriate [cross compile specific]
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- aclocal.m4 | 2 +-
- configure.ac | 60 ++++++++++--------------------------------------------------
- 2 files changed, 11 insertions(+), 51 deletions(-)
-
-diff --git a/aclocal.m4 b/aclocal.m4
-index a2e59a6..cd20a2f 100644
---- a/aclocal.m4
-+++ b/aclocal.m4
-@@ -409,7 +409,7 @@ x_includes=NONE
- x_libraries=NONE
- DESTDIR=
- SH_ENABLE_OPTS="selinux posix-acl asm ssp db-reload xml-log message-queue login-watch process-check port-check mounts-check logfile-monitor userfiles debug ptrace static network udp nocl stealth micro-stealth install-name identity khide suidcheck base largefile mail external-scripts encrypt srp dnmalloc ipv6 shellexpand suid"
--SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file"
-+SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file ps-path"
-
- # Installation directory options.
- # These are left unexpanded so users can "make install exec_prefix=/foo"
-diff --git a/configure.ac b/configure.ac
-index 5910b1f..8c3e087 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -730,56 +730,16 @@ then
- fi
- AC_CHECK_HEADERS(gmp.h)
-
--AC_MSG_CHECKING([for ps])
--PS=
--for ff in /usr/ucb /bin /usr/bin; do
-- if test -x "$ff/ps"; then
-- PS="$ff/ps"
-- AC_MSG_RESULT([$PS])
-- break
-- fi
--done
--if test x$PS = x
--then
-- AC_MSG_RESULT([no])
-- AC_MSG_ERROR([Cannot find ps in any of /usr/ucb /bin /usr/bin])
--fi
--AC_DEFINE_UNQUOTED([PSPATH], _("$PS"), [Path to ps])
--
--AC_MSG_CHECKING([how to use ps])
--$PS ax >/dev/null 2>&1
--if test $? -eq 0; then
-- case "$host_os" in
-- *openbsd*)
-- one=`$PS akx | wc -l`
-- ;;
-- *)
-- one=`$PS ax | wc -l`
-- ;;
-- esac
--else
-- one=0
--fi
--$PS -e >/dev/null 2>&1
--if test $? -eq 0; then
-- two=`$PS -e | wc -l`
--else
-- two=0
--fi
--if test $one -ge $two
--then
-- case "$host_os" in
-- *openbsd*)
-- PSARG="akx"
-- ;;
-- *)
-- PSARG="ax"
-- ;;
-- esac
--else
-- PSARG="-e"
--fi
--AC_DEFINE_UNQUOTED([PSARG], _("$PSARG"), [Argument for ps])
-+AC_ARG_WITH(ps-path,
-+ [ --with-ps-path=PATH set path to ps command ],
-+ [
-+ if test "x${withval}" != xno; then
-+ pspath="${withval}"
-+ AC_DEFINE_UNQUOTED([PSPATH], _("${pspath}"), [Path to ps])
-+ AC_DEFINE_UNQUOTED([PSARG], _("ax"), [Argument for ps])
-+ fi
-+ ])
-+
- AC_MSG_RESULT([$PS $PSARG])
-
- dnl *****************************************
---
-1.9.1
-
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-cross-compile.patch b/external/meta-security/recipes-security/samhain/files/samhain-cross-compile.patch
deleted file mode 100644
index 7f80a5c6..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-cross-compile.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From f63908427b2adb1792c59edbe38618e14ef5bc7b Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Fri, 15 Jan 2016 00:48:58 -0500
-Subject: [PATCH] Enable obfuscating binaries natively.
-
-Enable obfuscating binaries natively.
-
-The samhain build process involves an obfuscation step that attempts to
-defeat decompilation or other binary analysis techniques which might reveal
-secret information that should be known only to the system administrator.
-The obfuscation step builds several applications which run on the build host
-and then generate target code, which is then built into target binaries.
-
-This patch creates a basic infrastructure that supports building the
-obfuscation binaries natively then cross-compiling the target code by adding
-a special configure option. In the absence of this option the old behaviour
-is preserved.
-
-Upstream-Status: Inappropriate [cross compile specific]
-
-Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
----
- Makefile.in | 4 +---
- 1 file changed, 1 insertion(+), 3 deletions(-)
-
-diff --git a/Makefile.in b/Makefile.in
-index 684e92b..fb090e2 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -54,7 +54,7 @@ selectconfig = @selectconfig@
- top_builddir = .
-
- INSTALL = @INSTALL@
--INSTALL_PROGRAM = @INSTALL@ -s -m 700
-+INSTALL_PROGRAM = @INSTALL@ -m 700
- INSTALL_SHELL = @INSTALL@ -m 700
- INSTALL_DATA = @INSTALL@ -m 600
- INSTALL_MAN = @INSTALL@ -m 644
-@@ -525,8 +525,6 @@ install-program: $(PROGRAMS) sstrip
- echo " $(INSTALL_PROGRAM) $$p $$target"; \
- $(INSTALL_PROGRAM) $$p $$target; \
- chmod 0700 $$target; \
-- echo " ./sstrip $$target"; \
-- ./sstrip $$target; \
- else \
- echo " $(INSTALL_SHELL) $$p $$target"; \
- $(INSTALL_SHELL) $$p $$target; \
---
-1.9.1
-
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch b/external/meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
deleted file mode 100644
index 06086606..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-commit 0f6bdc219e598de08a3f37887efa5dfa50e2b996
-Author: Aws Ismail <aws.ismail@windriver.com>
-Date: Fri Jun 22 15:47:08 2012 -0400
-
-Hash fix for MIPS64 and AARCH64
-
-Samhain uses the addresses of local variables in generating hash
-values. The hashing function is designed only for 32-bit values.
-For MIPS64 when a 64-bit address is passed in the resulting hash
-exceeds the limits of the underlying mechanism and samhain
-ultimately fails. The solution is to simply take the lower
-32-bits of the address and use that in generating hash values.
-
-Signed-off-by: Greg Moffatt <greg.moffatt@windriver.com>
-
-Upstream-Status: Pending
-
-Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-
-diff --git a/src/dnmalloc.c b/src/dnmalloc.c
-index da9a5c5..fc91400 100644
---- a/src/dnmalloc.c
-+++ b/src/dnmalloc.c
-@@ -2703,11 +2703,19 @@ static void freecilst_add(chunkinfoptr p) {
- }
-
- /* Calculate the hash table entry for a chunk */
-+#if defined(CONFIG_ARCH_MIPS64) || defined(CONFIG_ARCH_AARCH64)
-+#ifdef STARTHEAP_IS_ZERO
-+#define hash(p) ((((unsigned long) p) & 0x7fffffff) >> 7)
-+#else
-+#define hash(p) ((((unsigned long) p - (unsigned long) startheap) & 0x7fffffff) >> 7)
-+#endif
-+#else
- #ifdef STARTHEAP_IS_ZERO
- #define hash(p) (((unsigned long) p) >> 7)
- #else
- #define hash(p) (((unsigned long) p - (unsigned long) startheap) >> 7)
- #endif
-+#endif /* CONFIG_ARCH_MIPS64 */
-
- static void
- hashtable_add (chunkinfoptr ci)
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch b/external/meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch
deleted file mode 100644
index 52843131..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-not-run-ptest-on-host.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-not run test on host, since we are doing cross-compile
-
-Upstream-status: Inappropriate [cross compile specific]
-
-Signed-off-by: Roy Li <rongqing.li@windriver.com>
----
- Makefile.in | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/Makefile.in b/Makefile.in
-index e1b32a8..74bfdc9 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -1234,7 +1234,6 @@ intcutest: internal.h $(OBJECTS) $(CUTEST_OBJECTS) sh_tiger_i.o $(srcsrc)/CuTest
- rm x_samhain.c; \
- $(LINK) sh_tiger_i.o $(CUTEST_OBJECTS) CuTestMain.o CuTest.o $(OBJECTS) $(LIBS_TRY); \
- test -f ./intcutest && mv ./intcutest ./cutest; \
-- ./cutest
-
- runcutest:
- gdb ./cutest
---
-1.7.10.4
-
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-pid-path.patch b/external/meta-security/recipes-security/samhain/files/samhain-pid-path.patch
deleted file mode 100644
index 592bd165..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-pid-path.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-commit a932b03b65edeb02ccad2fce06bfa68a8f2fbb04
-Author: Aws Ismail <aws.ismail@windriver.com>
-Date: Thu Jan 10 16:29:05 2013 -0500
-
- Set the PID Lock path for samhain.pid
-
- The explicit path for samhain.pid inorder
- for samhain to work properly after it initial
- database build.
-
- Upstream-Status: Inappropriate [configuration]
-
- Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
-
-diff --git a/samhainrc.linux b/samhainrc.linux
-index 10a8176..a7b06e6 100644
---- a/samhainrc.linux
-+++ b/samhainrc.linux
-@@ -639,7 +639,7 @@ SetFileCheckTime = 86400
-
- ## Path to the PID file
- #
--# SetLockfilePath = (default: compiled-in)
-+SetLockfilePath = /run/samhain.pid
-
-
- ## The digest/checksum/hash algorithm
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch b/external/meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
deleted file mode 100644
index dad6b150..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 00fb527e45da42550156197647e01de9a6b1ad52 Mon Sep 17 00:00:00 2001
-From: Wenzong Fan <wenzong.fan@windriver.com>
-Date: Mon, 3 Mar 2014 01:50:01 -0500
-Subject: [PATCH] fix real path for some files/dirs
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
----
- samhainrc.linux | 15 +++++++--------
- 1 file changed, 7 insertions(+), 8 deletions(-)
-
-diff --git a/samhainrc.linux b/samhainrc.linux
-index e9727b4..7775d83 100644
---- a/samhainrc.linux
-+++ b/samhainrc.linux
-@@ -93,7 +93,6 @@ dir = 99/etc
- ##
- file = /etc/mtab
- file = /etc/fstab
--file = /etc/adjtime
- file = /etc/motd
- file = /etc/lvm/lvm.conf
-
-@@ -153,11 +152,11 @@ dir = 99/var
-
- [IgnoreAll]
- dir = -1/var/cache
--dir = -1/var/lock
--dir = -1/var/mail
--dir = -1/var/run
-+dir = -1/run/lock
-+dir = -1/var/spool/mail
-+dir = -1/run
- dir = -1/var/spool
--dir = -1/var/tmp
-+dir = -1/var/volatile/tmp
-
-
- [Attributes]
-@@ -167,7 +166,7 @@ dir = -1/var/tmp
- file = /var/lib/rpm/__db.00?
-
- file = /var/lib/logrotate.status
--file = /var/lib/random-seed
-+file = /var/lib/urandom/random-seed
-
-
- [GrowingLogFiles]
-@@ -176,7 +175,7 @@ file = /var/lib/random-seed
- ## are ignored. Logfile rotation will cause a report because of shrinking
- ## size and different inode.
- ##
--dir = 99/var/log
-+dir = 99/var/volatile/log
-
- [Attributes]
- #
---
-1.7.9.5
-
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-samhainrc.patch b/external/meta-security/recipes-security/samhain/files/samhain-samhainrc.patch
deleted file mode 100644
index 145700a0..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-samhainrc.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-commit 4c6658441eb3ffc4e51ed70f78cbdab046957580
-Author: Aws Ismail <aws.ismail@windriver.com>
-Date: Fri Jun 22 16:38:20 2012 -0400
-
-Make samhainrc OE-friendly.
-
-Patch the samhainrc that will be installed
-as part of the 'make install' step to more
-accurately reflect what will be found, and
-what will be of concern, on a OE install.
-
-Upstream-Status: Inappropriate [configuration]
-
-Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
-
-diff --git a/samhainrc.linux b/samhainrc.linux
-index 9bc5ca4..10a8176 100644
---- a/samhainrc.linux
-+++ b/samhainrc.linux
-@@ -74,7 +74,6 @@ dir = 0/
- [Attributes]
- file = /tmp
- file = /dev
--file = /media
- file = /proc
- file = /sys
-
-@@ -93,19 +92,10 @@ dir = 99/etc
- ## check permission and ownership
- ##
- file = /etc/mtab
-+file = /etc/fstab
- file = /etc/adjtime
- file = /etc/motd
--file = /etc/lvm/.cache
--
--# On Ubuntu, these are in /var/lib rather than /etc
--file = /etc/cups/certs
--file = /etc/cups/certs/0
--
--# managed by fstab-sync on Fedora Core
--file = /etc/fstab
--
--# modified when booting
--file = /etc/sysconfig/hwconf
-+file = /etc/lvm/lvm.conf
-
- # There are files in /etc that might change, thus changing the directory
- # timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
-@@ -147,10 +137,6 @@ dir = 99/dev
- ##
- dir = -1/dev/pts
-
--# dir = -1/dev/.udevdb
--
--file = /dev/ppp
--
- #
- # --------- /usr -----------
- #
-@@ -167,50 +153,21 @@ dir = 99/var
-
- [IgnoreAll]
- dir = -1/var/cache
--dir = -1/var/backups
--dir = -1/var/games
--dir = -1/var/gdm
- dir = -1/var/lock
- dir = -1/var/mail
- dir = -1/var/run
- dir = -1/var/spool
- dir = -1/var/tmp
--dir = -1/var/lib/texmf
--dir = -1/var/lib/scrollkeeper
-
-
- [Attributes]
-
--dir = /var/lib/nfs
--dir = /var/lib/pcmcia
--
- # /var/lib/rpm changes if packets are installed;
- # /var/lib/rpm/__db.00[123] even more frequently
- file = /var/lib/rpm/__db.00?
-
--file = /var/lib/acpi-support/vbestate
--file = /var/lib/alsa/asound.state
--file = /var/lib/apt/lists/lock
--file = /var/lib/apt/lists/partial
--file = /var/lib/cups/certs
--file = /var/lib/cups/certs/0
--file = /var/lib/dpkg/lock
--file = /var/lib/gdm
--file = /var/lib/gdm/.cookie
--file = /var/lib/gdm/.gdmfifo
--file = /var/lib/gdm/:0.Xauth
--file = /var/lib/gdm/:0.Xservers
--file = /var/lib/logrotate/status
--file = /var/lib/mysql
--file = /var/lib/mysql/ib_logfile0
--file = /var/lib/mysql/ibdata1
--file = /var/lib/slocate
--file = /var/lib/slocate/slocate.db
--file = /var/lib/slocate/slocate.db.tmp
--file = /var/lib/urandom
--file = /var/lib/urandom/random-seed
-+file = /var/lib/logrotate.status
- file = /var/lib/random-seed
--file = /var/lib/xkb
-
-
- [GrowingLogFiles]
-@@ -325,7 +282,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp
-
- ## Console
- ##
--# PrintSeverity=info
-+PrintSeverity=warn
-
- ## Logfile
- ##
-@@ -333,7 +290,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp
-
- ## Syslog
- ##
--# SyslogSeverity=none
-+SyslogSeverity=info
-
- ## Remote server (yule)
- ##
-@@ -556,7 +513,8 @@ ChecksumTest=check
- ## and I/O limit (kilobytes per second; 0 == off)
- ## to reduce load on host.
- #
--# SetNiceLevel = 0
-+# By default we configure samhain to be nice with everything else on the system
-+SetNiceLevel = 10
- # SetIOLimit = 0
-
- ## The version string to embed in file signature databases
-@@ -565,13 +523,14 @@ ChecksumTest=check
-
- ## Interval between time stamp messages
- #
--# SetLoopTime = 60
--SetLoopTime = 600
-+# Log a timestamp every hour
-+SetLoopTime = 3600
-
- ## Interval between file checks
- #
- # SetFileCheckTime = 600
--SetFileCheckTime = 7200
-+# One file system check per day
-+SetFileCheckTime = 86400
-
- ## Alternative: crontab-like schedule
- #
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-server-volatiles b/external/meta-security/recipes-security/samhain/files/samhain-server-volatiles
deleted file mode 100644
index 6b807093..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-server-volatiles
+++ /dev/null
@@ -1 +0,0 @@
-d daemon daemon 0775 /var/log/yule none
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-server.default b/external/meta-security/recipes-security/samhain/files/samhain-server.default
deleted file mode 100644
index bc3d67cd..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-server.default
+++ /dev/null
@@ -1,3 +0,0 @@
-# Set this to "yes" to start the server, after you configure it, of
-# course.
-SAMHAIN_SERVER_START="no" \ No newline at end of file
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-server.init b/external/meta-security/recipes-security/samhain/files/samhain-server.init
deleted file mode 100644
index c456e51c..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-server.init
+++ /dev/null
@@ -1,116 +0,0 @@
-#!/bin/bash
-# chkconfig: 2345 98 11
-# description: File Integrity Checking Daemon
-#
-# processname: yule
-# config : /etc/yulerc
-# logfile : /var/log/yule/yule_log
-# database: /var/lib/yule/yule_file
-#
-
-NAME=yule
-DAEMON=/usr/sbin/yule
-RETVAL=0
-PIDFILE=/var/run/yule.pid
-
-. /etc/default/rcS
-
-. /etc/default/samhain-server
-
-if [ "x$SAMHAIN_SERVER_START" != "xyes" ]; then
- echo "${0}: server disabled in /etc/default/samhain-server"
- exit 0
-fi
-
-if [ -x $DAEMON ]; then
- :
-else
- echo "${0}: executable ${DAEMON} not found"
- exit 1
-fi
-
-samhain_done()
-{
- if [ $RETVAL -eq 0 ]; then
- echo "."
- else
- echo " failed."
- fi
-}
-
-log_stat_msg () {
-case "$1" in
- 0)
- echo "Service $NAME: Running";
- ;;
- 1)
- echo "Service $NAME: Stopped and /var/run pid file exists";
- ;;
- 3)
- echo "Service $NAME: Stopped";
- ;;
- *)
- echo "Service $NAME: Status unknown";
- ;;
-esac
-}
-
-case "$1" in
- start)
- #
- # Remove a stale PID file, if found
- #
- if test -f ${PIDFILE}; then
- /bin/rm -f ${PIDFILE}
- fi
- #
- echo -n "Starting ${NAME}"
- start-stop-daemon --start --quiet --exec $DAEMON
- RETVAL=$?
- samhain_done
- ;;
-
- stop)
- echo -n "Stopping $NAME"
- start-stop-daemon --stop --quiet --exec $DAEMON
- RETVAL=$?
-
- #
- # Remove a stale PID file, if found
- #
- if test -f ${PIDFILE}; then
- /bin/rm -f ${PIDFILE}
- fi
- if test -S /var/run/${NAME}.sock; then
- /bin/rm -f /var/run/${NAME}.sock
- fi
- samhain_done
- ;;
-
- restart)
- $0 stop
- sleep 3
- $0 start
- RETVAL=$?
- ;;
-
- reload|force-reload)
- echo -n "Reloading $NAME configuration files"
- start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
- RETVAL=$?
- samhain_done
- ;;
-
- status)
- $DAEMON status
- RETVAL=$?
- log_stat_msg ${RETVAL}
- ;;
-
- *)
- echo "$0 usage: {start|stop|status|restart|reload}"
- exit 1
- ;;
-esac
-
-exit $RETVAL
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch b/external/meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch
deleted file mode 100644
index 3065c730..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-sha256-big-endian.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-samhain: fix sha256 for big-endian machines
-
-After computing the digest, big-endian machines would
-memset() the digest to the first byte of state instead
-of using memcpy() to transfer it.
-
-Upstream-Status: Pending
-
-Signed-off-by: Joe Slater <jslater@windriver.com>
-
-
---- a/src/sh_checksum.c
-+++ b/src/sh_checksum.c
-@@ -468,7 +468,7 @@ void SHA256_Final(sha2_byte digest[], SH
- }
- }
- #else
-- memset(d, context->state, SHA256_DIGEST_LENGTH);
-+ memcpy(d, context->state, SHA256_DIGEST_LENGTH);
- /* bcopy(context->state, d, SHA256_DIGEST_LENGTH); */
- #endif
- }
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-standalone.default b/external/meta-security/recipes-security/samhain/files/samhain-standalone.default
deleted file mode 100644
index 507a59f2..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-standalone.default
+++ /dev/null
@@ -1,3 +0,0 @@
-# Set this to "yes" to start the server, after you configure it, of
-# course.
-SAMHAIN_STANDALONE_START="no"
diff --git a/external/meta-security/recipes-security/samhain/files/samhain-standalone.init b/external/meta-security/recipes-security/samhain/files/samhain-standalone.init
deleted file mode 100644
index 2f23bffd..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain-standalone.init
+++ /dev/null
@@ -1,123 +0,0 @@
-#!/bin/sh
-# chkconfig: 2345 99 10
-# description: File Integrity Checking Daemon
-#
-# processname: samhain
-# config : /etc/samhainrc
-# logfile : /var/log/samhain_log
-# database: /var/lib/samhain/samhain_file
-#
-
-NAME=samhain
-DAEMON=/usr/sbin/samhain
-RETVAL=0
-VERBOSE=yes
-PIDFILE=/var/run/samhain.pid
-
-. /etc/default/samhain-standalone
-
-if [ "x$SAMHAIN_STANDALONE_START" != "xyes" ]; then
- echo "${0}: samhain disabled in /etc/default/samhain-standalone"
- exit 0
-fi
-
-if [ -x $DAEMON ]; then
- :
-else
- echo "${0}: executable ${DAEMON} not found"
- exit 1
-fi
-
-if [ ! -e /var/lib/samhain/samhain_file ]; then
- echo "${0}: /var/lib/samhain/samhain_file does not exist. You must"
- echo " run 'samhain -t init' before samhian can start."
- exit 1
-fi
-
-samhain_done()
-{
- if [ $RETVAL -eq 0 ]; then
- echo "."
- else
- echo " failed."
- fi
-}
-
-log_stat_msg () {
-case "$1" in
- 0)
- echo "Service $NAME: Running";
- ;;
- 1)
- echo "Service $NAME: Stopped and /var/run pid file exists";
- ;;
- 3)
- echo "Service $NAME: Stopped";
- ;;
- *)
- echo "Service $NAME: Status unknown";
- ;;
-esac
-}
-
-case "$1" in
- start)
- #
- # Remove a stale PID file, if found
- #
- if test -f ${PIDFILE}; then
- /bin/rm -f ${PIDFILE}
- fi
-
- echo -n "Starting ${NAME}"
- start-stop-daemon --start --quiet --exec $DAEMON
- RETVAL=$?
- samhain_done
- exit $RETVAL
- ;;
- stop)
- echo -n "Stopping $NAME"
- start-stop-daemon --stop --quiet --exec $DAEMON
- RETVAL=$?
- samhain_done
- #
- # Remove a stale PID file, if found
- #
- if test -f ${PIDFILE}; then
- /bin/rm -f ${PIDFILE}
- fi
- if test -S /var/run/${NAME}.sock; then
- /bin/rm -f /var/run/${NAME}.sock
- fi
- ;;
-
- restart)
- $0 stop
- sleep 3
- $0 start
- RETVAL=$?
- ;;
-
- reload|force-reload)
- echo -n "Reloading $NAME configuration files"
- start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
- RETVAL=$?
- samhain_done
- ;;
-
- status)
- if pidof -o %PPID $DAEMON > /dev/null; then
- echo "Samhain running"
- RETVAL=0
- else
- echo "Samhain not running"
- RETVAL=1
- fi
- ;;
- *)
- echo "$0 usage: {start|stop|status|restart|reload}"
- exit 1
- ;;
-esac
-
-exit $RETVAL
diff --git a/external/meta-security/recipes-security/samhain/files/samhain.service b/external/meta-security/recipes-security/samhain/files/samhain.service
deleted file mode 100644
index e4f216ab..00000000
--- a/external/meta-security/recipes-security/samhain/files/samhain.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=Samhain @MODE_NAME@ Daemon
-After=syslog.target network.target
-
-[Service]
-Type=forking
-RemainAfterExit=yes
-ExecStart=@LIBDIR@/@SAMHAIN_HELPER@ start
-ExecStop=@LIBDIR@/@SAMHAIN_HELPER@ stop
-
-[Install]
-WantedBy=multi-user.target
diff --git a/external/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb b/external/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb
deleted file mode 100644
index 812408e5..00000000
--- a/external/meta-security/recipes-security/samhain/samhain-client_4.3.0.bb
+++ /dev/null
@@ -1,11 +0,0 @@
-INITSCRIPT_PARAMS = "defaults 15 85"
-
-require samhain.inc
-
-# Let the default Logserver be 127.0.0.1
-EXTRA_OECONF += " \
- --with-logserver=${SAMHAIN_SERVER} \
- --with-port=${SAMHAIN_PORT} \
- "
-
-RDEPENDS_${PN} = "acl zlib attr bash"
diff --git a/external/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb b/external/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb
deleted file mode 100644
index 9341d444..00000000
--- a/external/meta-security/recipes-security/samhain/samhain-server_4.3.0.bb
+++ /dev/null
@@ -1,20 +0,0 @@
-INITSCRIPT_PARAMS = "defaults 14 86"
-
-require samhain.inc
-
-DEPENDS = "gmp"
-
-SRC_URI += "file://samhain-server-volatiles"
-
-TARGET_CC_ARCH += "${LDFLAGS}"
-
-do_install_append() {
- install -d ${D}${sysconfdir}/default/volatiles
- install -m 0644 ${WORKDIR}/samhain-server-volatiles \
- ${D}${sysconfdir}/default/volatiles/samhain-server
-
- install -m 700 samhain-install.sh init/samhain.startLinux \
- init/samhain.startLSB ${D}/var/lib/samhain
-}
-
-RDEPENDS_${PN} += "gmp bash perl"
diff --git a/external/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb b/external/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb
deleted file mode 100644
index 4fed9e9e..00000000
--- a/external/meta-security/recipes-security/samhain/samhain-standalone_4.3.0.bb
+++ /dev/null
@@ -1,31 +0,0 @@
-require samhain.inc
-
-SRC_URI += "file://samhain-not-run-ptest-on-host.patch \
- file://run-ptest \
-"
-
-PROVIDES += "samhain"
-
-SYSTEMD_SERVICE_${PN} = "samhain.service"
-
-inherit ptest
-
-do_compile() {
- if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'yes', 'no', d)}" = "yes" ]; then
- oe_runmake cutest
- rm -f ${S}*.o config_xor.h internal.h
- fi
- oe_runmake "$@"
-}
-
-do_install_append() {
- ln -sf ${INITSCRIPT_NAME} ${D}${sysconfdir}/init.d/samhain
-}
-
-do_install_ptest() {
- mkdir -p ${D}${PTEST_PATH}
- install ${S}/cutest ${D}${PTEST_PATH}
-}
-
-RPROVIDES_${PN} += "samhain"
-RCONFLICTS_${PN} = "samhain-client samhain-server"
diff --git a/external/meta-security/recipes-security/samhain/samhain.inc b/external/meta-security/recipes-security/samhain/samhain.inc
deleted file mode 100644
index 944bf0d0..00000000
--- a/external/meta-security/recipes-security/samhain/samhain.inc
+++ /dev/null
@@ -1,162 +0,0 @@
-DESCRIPTION = "Provides file integrity checking and log file monitoring/analysis"
-HOMEPAGE = "http://www.la-samhna.de/samhain/"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b"
-
-
-SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
- file://samhain-cross-compile.patch \
- file://samhain-mips64-aarch64-dnmalloc-hash-fix.patch \
- file://samhain-samhainrc.patch \
- file://samhain-samhainrc-fix-files-dirs-path.patch \
- file://samhain-pid-path.patch \
- file://samhain-sha256-big-endian.patch \
- file://samhain-configure-add-option-for-ps.patch \
- file://samhain-avoid-searching-host-for-postgresql.patch \
- file://samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch \
- file://${INITSCRIPT_NAME}.init \
- file://${INITSCRIPT_NAME}.default \
- file://samhain.service \
- "
-
-SRC_URI[md5sum] = "a00e99375675fc6e50cca3e208f5207e"
-SRC_URI[sha256sum] = "8551dc3b0851889a2b979097e9c02309b40d48b4659f02efe7fe525ce8361a0d"
-
-UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html"
-UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar"
-
-S = "${WORKDIR}/samhain-${PV}"
-
-inherit autotools-brokensep update-rc.d pkgconfig systemd
-
-SAMHAIN_PORT ??= "49777"
-SAMHAIN_SERVER ??= "NULL"
-
-INITSCRIPT_NAME = "${BPN}"
-INITSCRIPT_PARAMS ?= "defaults"
-
-SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE_${PN} = "${INITSCRIPT_NAME}.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-# mode mapping:
-# BPN MODE_NAME SAMHAIN_MODE
-# samhain-standalone standalone no
-# samhain-client client client
-# samhain-server server server
-MODE_NAME = "${@d.getVar('BPN').split('-')[1]}"
-SAMHAIN_MODE = "${@oe.utils.ifelse(d.getVar('MODE_NAME') == 'standalone', 'no', '${MODE_NAME}')}"
-
-# supports mysql|postgresql|oracle|odbc but postgresql is the only one available
-
-PACKAGECONFIG ??= "postgresql ps \
- ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)} \
- ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \
- ${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)} \
-"
-
-PACKAGECONFIG[postgresql] = "--with-database=postgresql --enable-xml-log PGSQL_INC_DIR=${STAGING_INCDIR} PGSQL_LIB_DIR=${STAGING_LIBDIR}, , postgresql"
-PACKAGECONFIG[suidcheck] = "--enable-suidcheck, , "
-PACKAGECONFIG[logwatch] = "--enable-login-watch, , "
-PACKAGECONFIG[mounts] = "--enable-mounts-check, , "
-PACKAGECONFIG[userfiles] = "--enable-userfiles, , "
-PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
-PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux attr"
-PACKAGECONFIG[acl] = " --enable-posix-acl , --disable-posix-acl, acl"
-PACKAGECONFIG[audit] = "ac_cv_header_auparse_h=yes,ac_cv_header_auparse_h=no,audit"
-PACKAGECONFIG[ps] = "--with-ps-path=${base_bindir}/ps,,,procps"
-
-do_unpack_samhain() {
- cd ${WORKDIR}
- tar -xzvf samhain-${PV}.tar.gz
-}
-
-python do_unpack_append() {
- bb.build.exec_func('do_unpack_samhain', d)
-}
-
-do_configure_prepend_arm() {
- export sh_cv___va_copy=yes
-}
-
-do_configure_prepend_aarch64() {
- export sh_cv___va_copy=yes
-}
-
-# If we use oe_runconf in do_configure() it will by default
-# use the prefix --oldincludedir=/usr/include which is not
-# recognized by Samhain's configure script and would invariably
-# throw back the error "unrecognized option: --oldincludedir=/usr/include"
-do_configure_prepend () {
- cat << EOF > ${S}/config-site.${BP}
-ssp_cv_lib=no
-sh_cv_va_copy=yes
-EOF
- export CONFIG_SITE=${S}/config-site.${BP}
-}
-
-do_configure () {
- autoconf -f
- ./configure \
- --build=${BUILD_SYS} \
- --host=${HOST_SYS} \
- --target=${TARGET_SYS} \
- --prefix=${prefix} \
- --exec_prefix=${exec_prefix} \
- --bindir=${bindir} \
- --sbindir=${sbindir} \
- --libexecdir=${libexecdir} \
- --datadir=${datadir} \
- --sysconfdir=${sysconfdir} \
- --sharedstatedir=${sharedstatedir} \
- --localstatedir=${localstatedir} \
- --libdir=${libdir} \
- --includedir=${includedir} \
- --infodir=${infodir} \
- --mandir=${mandir} \
- --enable-network=${SAMHAIN_MODE} \
- --with-pid-file=${localstatedir}/run/samhain.pid \
- --with-data-file=${localstatedir}/lib/samhain/samhain_file \
- ${EXTRA_OECONF}
-}
-
-do_compile_prepend_libc-musl () {
- sed -i 's/^#define HAVE_MALLOC_H.*//' ${B}/config.h
-}
-
-# Install the init script, it's default file, and the extraneous
-# documentation.
-do_install_append () {
- oe_runmake install DESTDIR='${D}' INSTALL=install-boot
-
- install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.init \
- ${D}${sysconfdir}/init.d/${INITSCRIPT_NAME}
-
- install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.default \
- ${D}${sysconfdir}/default/${INITSCRIPT_NAME}
-
- if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
- if [ "${SAMHAIN_MODE}" = "no" ]; then
- install -D -m 0644 ${WORKDIR}/samhain.service ${D}/${systemd_system_unitdir}/samhain.service
- else
- install -D -m 0644 ${WORKDIR}/samhain.service ${D}/${systemd_system_unitdir}/${BPN}.service
- fi
- install -D -m 0755 ${WORKDIR}/${BPN}.init ${D}/${libexecdir}/${BPN}
- sed -i -e 's,@LIBDIR@,${libexecdir},' \
- -e 's,@SAMHAIN_HELPER@,${BPN},' \
- -e 's,@MODE_NAME@,${MODE_NAME},' \
- ${D}${systemd_system_unitdir}/samhain*.service
- fi
-
- install -d ${D}${docdir}/${BPN}
- cp -r docs/* ${D}${docdir}/${BPN}
- cp -r scripts ${D}${docdir}/${BPN}
- install -d -m 755 ${D}${localstatedir}/samhain
-
- # Prevent QA warnings about installed ${localstatedir}/run
- if [ -d ${D}${localstatedir}/run ]; then
- rmdir ${D}${localstatedir}/run
- fi
-}
-
-FILES_${PN} += "${systemd_system_unitdir}"
diff --git a/external/meta-security/recipes-security/scapy/files/run-ptest b/external/meta-security/recipes-security/scapy/files/run-ptest
index 91b29f90..797d8ecf 100755..100644
--- a/external/meta-security/recipes-security/scapy/files/run-ptest
+++ b/external/meta-security/recipes-security/scapy/files/run-ptest
@@ -1,4 +1,4 @@
#!/bin/sh
-UTscapy -t regression.uts -f text -l -C \
+UTscapy3 -t regression.uts -f text -l -C \
-o @PTEST_PATH@/scapy_ptest_$(date +%Y%m%d-%H%M%S).log \
2>&1 | sed -e 's/^passed None/PASS:/' -e 's/^failed None/FAIL:/'
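Review bot: The index line records a mode change from 100755 to 100644, so the ptest runner loses its executable bit in the tree; if ptest.bbclass installs run-ptest with a plain `install -D` this is restored to 0755 at packaging time, but that is worth confirming, since otherwise ptest-runner cannot execute it. Independently of the rename, the script's exit status is that of the trailing `sed`, so a missing `UTscapy3` (it only exists if the recipe's do_install_append that moves the binary lands together with this change) surfaces as an empty log rather than a failed run. A guard before the pipeline such as `command -v UTscapy3 >/dev/null 2>&1 || { echo "FAIL: UTscapy3 not installed"; exit 1; }` keeps the failure visible without needing bash's pipefail.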
diff --git a/external/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb b/external/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb
deleted file mode 100644
index 98db1fd6..00000000
--- a/external/meta-security/recipes-security/scapy/python-scapy_2.4.0.bb
+++ /dev/null
@@ -1,6 +0,0 @@
-inherit setuptools
-require python-scapy.inc
-
-SRC_URI += "file://run-ptest"
-
-RDEPENDS_${PN} += "${PYTHON_PN}-subprocess"
diff --git a/external/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb b/external/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb
deleted file mode 100644
index 93ca7be8..00000000
--- a/external/meta-security/recipes-security/scapy/python3-scapy_2.4.0.bb
+++ /dev/null
@@ -1,4 +0,0 @@
-inherit setuptools3
-require python-scapy.inc
-
-SRC_URI += "file://run-ptest"
diff --git a/external/meta-security/recipes-security/scapy/python-scapy.inc b/external/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb
index 5abe7db7..925f188c 100644
--- a/external/meta-security/recipes-security/scapy/python-scapy.inc
+++ b/external/meta-security/recipes-security/scapy/python3-scapy_2.4.3.bb
@@ -3,18 +3,28 @@ DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It i
SECTION = "security"
LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://bin/scapy;beginline=9;endline=13;md5=1d5249872cc54cd4ca3d3879262d0c69"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-SRC_URI[md5sum] = "d7d3c4294f5a718e234775d38dbeb7ec"
-SRC_URI[sha256sum] = "452f714f5c2eac6fd0a6146b1dbddfc24dd5f4103f3ed76227995a488cfb2b73"
+S = "${WORKDIR}/git"
-inherit pypi ptest
+SRCREV = "3047580162a9407ef05fe981983cacfa698f1159"
+SRC_URI = "git://github.com/secdev/scapy.git \
+ file://run-ptest"
+
+S = "${WORKDIR}/git"
+
+inherit setuptools3 ptest
+
+do_install_append() {
+ mv ${D}${bindir}/scapy ${D}${bindir}/scapy3
+ mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3
+}
do_install_ptest() {
install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH}
sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest
}
-RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-netclient \
+RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient \
${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \
${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto"
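Review bot: The new SRC_URI fetches over the bare `git://` transport, which is unauthenticated and unencrypted; the pinned SRCREV content-addresses what gets checked out, but the fetch should still go over TLS as `git://github.com/secdev/scapy.git;protocol=https` (GitHub has, to my knowledge, stopped serving git://, and newer bitbake also expects an explicit `;branch=master`). `S = "${WORKDIR}/git"` is assigned twice, once before SRCREV and again after SRC_URI; one of them should go. The runtime dependencies now list both `${PYTHON_PN}-cryptography` and `${PYTHON_PN}-pycrypto`; scapy 2.4.x targets `cryptography` for its crypto layers as far as I can tell, and pycrypto is unmaintained with known CVEs, so confirm whether pycrypto is still exercised and drop it if not.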
diff --git a/external/meta-security/recipes-security/smack/files/run-ptest b/external/meta-security/recipes-security/smack/files/run-ptest
deleted file mode 100644
index 049a9b47..00000000
--- a/external/meta-security/recipes-security/smack/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-./tests/make_policies.bash ./tests/generator
-./tests/make_policies.bash ./tests/generator labels
diff --git a/external/meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch b/external/meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch
deleted file mode 100644
index 4d677e75..00000000
--- a/external/meta-security/recipes-security/smack/files/smack_generator_make_fixup.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Upstream-Status: Pending
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-
-Index: git/tests/Makefile
-===================================================================
---- git.orig/tests/Makefile
-+++ git/tests/Makefile
-@@ -4,7 +4,7 @@ clean:
- rm -rf ./out ./generator
-
- generator: generator.c
-- gcc -Wall -O3 generator.c -o ./generator
-+ ${CC} ${LDFLAGS} generator.c -o ./generator
-
- policies: ./generator ./make_policies.bash
- ./make_policies.bash ./generator
diff --git a/external/meta-security/recipes-security/smack/smack_1.3.1.bb b/external/meta-security/recipes-security/smack/smack_1.3.1.bb
deleted file mode 100644
index 246562af..00000000
--- a/external/meta-security/recipes-security/smack/smack_1.3.1.bb
+++ /dev/null
@@ -1,54 +0,0 @@
-DESCRIPTION = "Selection of tools for developers working with Smack"
-HOMEPAGE = "https://github.com/smack-team/smack"
-SECTION = "Security/Access Control"
-LICENSE = "LGPL-2.1"
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
-
-SRCREV = "4a102c7584b39ce693995ffb65e0918a9df98dd8"
-SRC_URI = " \
- git://github.com/smack-team/smack.git \
- file://smack_generator_make_fixup.patch \
- file://run-ptest"
-
-PV = "1.3.1"
-
-inherit autotools update-rc.d pkgconfig ptest ${@bb.utils.contains('VIRTUAL-RUNTIME_init_manager','systemd','systemd','', d)}
-
-S = "${WORKDIR}/git"
-
-PACKAGECONFIG ??= ""
-PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
-
-PACKAGECONFIG[systemd] = "--with-systemdsystemunitdir=${systemd_system_unitdir}, --without-systemdsystemunitdir, systemd"
-
-do_compile_append () {
- oe_runmake -C ${S}/tests generator
-}
-
-do_install_append () {
- install -d ${D}${sysconfdir}/init.d
- install -d ${D}${sysconfdir}/smack
- install -d ${D}${sysconfdir}/smack/accesses.d
- install -d ${D}${sysconfdir}/smack/cipso.d
- install ${S}/init/smack.rc ${D}/${sysconfdir}/init.d/smack
-}
-
-do_install_ptest () {
- install -d ${D}${PTEST_PATH}/tests
- install ${S}/tests/generator ${D}/${PTEST_PATH}/tests
- install ${S}/tests/generate-rules.sh ${D}${PTEST_PATH}/tests
- install ${S}/tests/make_policies.bash ${D}${PTEST_PATH}/tests
-}
-
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME = "smack"
-INITSCRIPT_PARAMS = "start 16 2 3 4 5 . stop 35 0 1 6 ."
-
-FILES_${PN} += "${sysconfdir}/init.d/smack"
-FILES_${PN}-ptest += "generator"
-
-RDEPENDS_${PN} += "coreutils"
-RDEPENDS_${PN}-ptest += "make bash bc"
-
-BBCLASSEXTEND = "native"
diff --git a/external/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch b/external/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch
new file mode 100644
index 00000000..e350bafc
--- /dev/null
+++ b/external/meta-security/recipes-security/sssd/files/fix-ldblibdir.patch
@@ -0,0 +1,25 @@
+When calculate value of ldblibdir, it checks whether the directory of
+$ldblibdir exists. If not, it assigns ldblibdir with ${libdir}/ldb. It is not
+suitable for cross compile. Fix it that only re-assign ldblibdir when its value
+is empty.
+
+Upstream-Status: Inappropriate [cross compile specific]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+ src/external/libldb.m4 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/external/libldb.m4 b/src/external/libldb.m4
+index c400add..5e5f06d 100644
+--- a/src/external/libldb.m4
++++ b/src/external/libldb.m4
+@@ -19,7 +19,7 @@ if test x"$with_ldb_lib_dir" != x; then
+ ldblibdir=$with_ldb_lib_dir
+ else
+ ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`"
+- if ! test -d $ldblibdir; then
++ if test -z $ldblibdir; then
+ ldblibdir="${libdir}/ldb"
+ fi
+ fi
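Review bot: The replacement test leaves `$ldblibdir` unquoted, so `test -z $ldblibdir` handles the empty case only by accident (a bare `test -z` evaluates true) and misbehaves if pkg-config ever returns a path containing whitespace; write it as `if test -z "$ldblibdir"; then`. Dropping the `-d` check also means a non-empty but wrong modulesdir from a host pkg-config is now accepted silently, which is fine with a sysroot-aware pkg-config but deserves a sentence in the patch header so the next maintainer knows the existence check was removed deliberately.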
diff --git a/external/meta-security/recipes-security/sssd/files/volatiles.99_sssd b/external/meta-security/recipes-security/sssd/files/volatiles.99_sssd
new file mode 100644
index 00000000..2a82413f
--- /dev/null
+++ b/external/meta-security/recipes-security/sssd/files/volatiles.99_sssd
@@ -0,0 +1 @@
+d root root 0750 /var/log/sssd none
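Review bot: The log directory is created as root:root 0750, while the accompanying recipe introduces `SSSD_UID ?= "root"` and `SSSD_GID ?= "root"` as overridable knobs; if a distro sets those to an unprivileged account and this file is installed verbatim (the recipe's do_install is outside this view, so I cannot tell whether it substitutes them), sssd will be unable to write to /var/log/sssd. Either template the owner fields, e.g. `d @SSSD_UID@ @SSSD_GID@ 0750 /var/log/sssd none` with a sed in do_install, or add a comment in the recipe stating that the log directory ownership is fixed to root regardless of SSSD_UID.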
diff --git a/external/meta-security/recipes-security/sssd/sssd_1.16.3.bb b/external/meta-security/recipes-security/sssd/sssd_1.16.3.bb
deleted file mode 100644
index 8f7f805f..00000000
--- a/external/meta-security/recipes-security/sssd/sssd_1.16.3.bb
+++ /dev/null
@@ -1,73 +0,0 @@
-SUMMARY = "system security services daemon"
-DESCRIPTION = "SSSD is a system security services daemon"
-HOMEPAGE = "https://pagure.io/SSSD/sssd/"
-SECTION = "base"
-LICENSE = "GPLv3+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-
-DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
-DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
-
-SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz\
- file://sssd.conf "
-
-SRC_URI[md5sum] = "af4288c9d1f9953e3b3b6e0b165a5ece"
-SRC_URI[sha256sum] = "ee5d17a0c663c09819cbab9364085b9e57faeca02406cc30efe14cc0cfc04ec4"
-
-inherit autotools pkgconfig gettext update-rc.d python-dir distro_features_check
-
-REQUIRED_DISTRO_FEATURES = "pam"
-
-CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
- ac_cv_path_NSUPDATE=${bindir} \
- ac_cv_path_PYTHON2=${PYTHON_DIR} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
- "
-
-PACKAGECONFIG ?="nss nscd"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
-
-PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
-PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
-PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
-PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
-PACKAGECONFIG[python2] = "--with-python2-bindings, --without-python2-bindings"
-PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
-PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
-PACKAGECONFIG[cyrpto] = "--with-crypto=libcrypto, , libcrypto"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
-PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[systemd] = "--with-systemdunitdir=${systemd_unitdir}/system/, --with-systemdunitdir="
-PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
-PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl"
-
-EXTRA_OECONF += "--disable-cifs-idmap-plugin --without-nfsv4-idmapd-plugin --without-ipa-getkeytab"
-
-do_configure_prepend() {
- mkdir -p ${AUTOTOOLS_AUXDIR}/build
- cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
-
- # libresove has host path, remove it
- sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
-}
-
-do_install () {
- oe_runmake install DESTDIR="${D}"
- rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
- install -d ${D}/${sysconfdir}/${BPN}
- install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
-}
-
-CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
-
-INITSCRIPT_NAME = "sssd"
-INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
-SYSTEMD_SERVICE_${PN} = "${BPN}.service"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-FILES_${PN} += "${libdir} ${datadir} /run ${libdir}/*.so* "
-FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
-
-# The package contains symlinks that trip up insane
-INSANE_SKIP_${PN} = "dev-so"
-
-RDEPENDS_${PN} += "bind dbus"
diff --git a/external/meta-security/recipes-security/sssd/sssd_1.16.4.bb b/external/meta-security/recipes-security/sssd/sssd_1.16.4.bb
new file mode 100644
index 00000000..7ea1586b
--- /dev/null
+++ b/external/meta-security/recipes-security/sssd/sssd_1.16.4.bb
@@ -0,0 +1,124 @@
+SUMMARY = "system security services daemon"
+DESCRIPTION = "SSSD is a system security services daemon"
+HOMEPAGE = "https://pagure.io/SSSD/sssd/"
+SECTION = "base"
+LICENSE = "GPLv3+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
+
+DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
+DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
+
+# If no crypto has been selected, default to DEPEND on nss, since that's what
+# sssd will pick if no active choice is made during configure
+DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
+ bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
+
+SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
+ file://sssd.conf \
+ file://volatiles.99_sssd \
+ file://fix-ldblibdir.patch \
+ "
+
+SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
+SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959"
+
+inherit autotools pkgconfig gettext python3-dir features_check systemd
+
+REQUIRED_DISTRO_FEATURES = "pam"
+
+SSSD_UID ?= "root"
+SSSD_GID ?= "root"
+
+CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
+ ac_cv_path_NSUPDATE=${bindir} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
+ "
+
+PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+
+PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
+PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto"
+PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl jansson"
+PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
+PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
+PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
+PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
+PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
+PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
+PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
+PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
+PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
+PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
+PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
+PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv"
+
+EXTRA_OECONF += " \
+ --disable-cifs-idmap-plugin \
+ --without-nfsv4-idmapd-plugin \
+ --without-ipa-getkeytab \
+ --without-python2-bindings \
+ --enable-pammoddir=${base_libdir}/security \
+ --without-python2-bindings \
+"
+
+do_configure_prepend() {
+ mkdir -p ${AUTOTOOLS_AUXDIR}/build
+ cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
+
+ # libresove has host path, remove it
+ sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
+}
+
+do_install () {
+ oe_runmake install DESTDIR="${D}"
+ rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
+ install -d ${D}/${sysconfdir}/${BPN}
+ install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
+ install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ install -d ${D}${sysconfdir}/tmpfiles.d
+ echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
+ fi
+
+ # Remove /var/run as it is created on startup
+ rm -rf ${D}${localstatedir}/run
+
+}
+
+pkg_postinst_ontarget_${PN} () {
+if [ -e /etc/init.d/populate-volatile.sh ] ; then
+ ${sysconfdir}/init.d/populate-volatile.sh update
+fi
+ chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
+}
+
+CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
+
+INITSCRIPT_NAME = "sssd"
+INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
+SYSTEMD_SERVICE_${PN} = " \
+ ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
+ sssd-nss.service \
+ sssd-nss.socket \
+ sssd-pam-priv.socket \
+ sssd-pam.service \
+ sssd-pam.socket \
+ sssd-secrets.service \
+ sssd-secrets.socket \
+ sssd.service \
+"
+SYSTEMD_AUTO_ENABLE = "disable"
+
+FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss.so"
+FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
+
+# The package contains symlinks that trip up insane
+INSANE_SKIP_${PN} = "dev-so"
+
+RDEPENDS_${PN} = "bind dbus libldb libpam"
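Review bot: `SYSTEMD_SERVICE_${PN}` lists `sssd-secrets.service` and `sssd-secrets.socket` unconditionally, yet `--with-secrets` is only passed when the `curl` or `http` PACKAGECONFIG is set, and neither is in the default `PACKAGECONFIG ?= "nss nscd autofs sudo infopipe"`; if upstream only installs those units with secrets support, a default systemd build would trip the unit-existence check in systemd.bbclass, so the two entries should be made conditional like the others, e.g. `${@bb.utils.contains_any('PACKAGECONFIG', 'curl http', 'sssd-secrets.service sssd-secrets.socket', '', d)}`. Separately, `--without-python2-bindings` appears twice in `EXTRA_OECONF`; the second occurrence can be dropped. In `pkg_postinst_ontarget_${PN}` the existence test uses the literal `/etc/init.d/populate-volatile.sh` while the call uses `${sysconfdir}/init.d/populate-volatile.sh`; using `${sysconfdir}` in both keeps the test and the call pointing at the same path.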
diff --git a/external/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz b/external/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz
deleted file mode 100644
index aed37547..00000000
--- a/external/meta-security/recipes-security/suricata/files/emerging.rules.tar.gz
+++ /dev/null
Binary files differ
diff --git a/external/meta-security/recipes-security/suricata/files/no_libhtp_build.patch b/external/meta-security/recipes-security/suricata/files/no_libhtp_build.patch
deleted file mode 100644
index 2ebf021f..00000000
--- a/external/meta-security/recipes-security/suricata/files/no_libhtp_build.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Upstream-Status: Inappropriate [configuration]
-
-Signed-of_by: Armin Kuster <akuster808@gmail.com>
-
-Index: suricata-2.0.5/Makefile.am
-===================================================================
---- suricata-2.0.5.orig/Makefile.am
-+++ suricata-2.0.5/Makefile.am
-@@ -5,7 +5,7 @@ ACLOCAL_AMFLAGS = -I m4
- EXTRA_DIST = ChangeLog COPYING LICENSE suricata.yaml.in \
- classification.config threshold.config \
- reference.config
--SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts
-+SUBDIRS = src qa rules doc contrib scripts
-
- CLEANFILES = stamp-h[0-9]*
-
-Index: suricata-2.0.5/Makefile.in
-===================================================================
---- suricata-2.0.5.orig/Makefile.in
-+++ suricata-2.0.5/Makefile.in
-@@ -229,7 +229,6 @@ HAVE_PCAP_CONFIG = @HAVE_PCAP_CONFIG@
- HAVE_PKG_CONFIG = @HAVE_PKG_CONFIG@
- HAVE_PYTHON_CONFIG = @HAVE_PYTHON_CONFIG@
- HAVE_WGET = @HAVE_WGET@
--HTP_DIR = @HTP_DIR@
- HTP_LDADD = @HTP_LDADD@
- INSTALL = @INSTALL@
- INSTALL_DATA = @INSTALL_DATA@
-@@ -369,7 +368,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
- classification.config threshold.config \
- reference.config
-
--SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts
-+SUBDIRS = src qa rules doc contrib scripts
- CLEANFILES = stamp-h[0-9]*
- all: config.h
- $(MAKE) $(AM_MAKEFLAGS) all-recursive
diff --git a/external/meta-security/recipes-security/suricata/files/run-ptest b/external/meta-security/recipes-security/suricata/files/run-ptest
deleted file mode 100644
index 666ba9c9..00000000
--- a/external/meta-security/recipes-security/suricata/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-suricata -u
diff --git a/external/meta-security/recipes-security/suricata/files/suricata.service b/external/meta-security/recipes-security/suricata/files/suricata.service
deleted file mode 100644
index a99a76ef..00000000
--- a/external/meta-security/recipes-security/suricata/files/suricata.service
+++ /dev/null
@@ -1,20 +0,0 @@
-[Unit]
-Description=Suricata IDS/IDP daemon
-After=network.target
-Requires=network.target
-Documentation=man:suricata(8) man:suricatasc(8)
-Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
-
-[Service]
-Type=simple
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
-RestrictAddressFamilies=
-ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0
-ExecReload=/bin/kill -HUP $MAINPID
-PrivateTmp=yes
-ProtectHome=yes
-ProtectSystem=yes
-
-[Install]
-WantedBy=multi-user.target
-
diff --git a/external/meta-security/recipes-security/suricata/files/suricata.yaml b/external/meta-security/recipes-security/suricata/files/suricata.yaml
deleted file mode 100644
index 8d06a274..00000000
--- a/external/meta-security/recipes-security/suricata/files/suricata.yaml
+++ /dev/null
@@ -1,1326 +0,0 @@
-%YAML 1.1
----
-
-# Suricata configuration file. In addition to the comments describing all
-# options in this file, full documentation can be found at:
-# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
-
-
-# Number of packets allowed to be processed simultaneously. Default is a
-# conservative 1024. A higher number will make sure CPU's/CPU cores will be
-# more easily kept busy, but may negatively impact caching.
-#
-# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
-# apply. In that case try something like 60000 or more. This is because the CUDA
-# pattern matcher buffers and scans as many packets as possible in parallel.
-#max-pending-packets: 1024
-
-# Runmode the engine should use. Please check --list-runmodes to get the available
-# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
-# load balancing).
-#runmode: autofp
-
-# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
-#
-# Supported schedulers are:
-#
-# round-robin - Flows assigned to threads in a round robin fashion.
-# active-packets - Flows assigned to threads that have the lowest number of
-# unprocessed packets (default).
-# hash - Flow alloted usihng the address hash. More of a random
-# technique. Was the default in Suricata 1.2.1 and older.
-#
-#autofp-scheduler: active-packets
-
-# If suricata box is a router for the sniffed networks, set it to 'router'. If
-# it is a pure sniffing setup, set it to 'sniffer-only'.
-# If set to auto, the variable is internally switch to 'router' in IPS mode
-# and 'sniffer-only' in IDS mode.
-# This feature is currently only used by the reject* keywords.
-host-mode: auto
-
-# Run suricata as user and group.
-#run-as:
-# user: suri
-# group: suri
-
-# Default pid file.
-# Will use this file if no --pidfile in command options.
-#pid-file: /var/run/suricata.pid
-
-# Daemon working directory
-# Suricata will change directory to this one if provided
-# Default: "/"
-#daemon-directory: "/"
-
-# Preallocated size for packet. Default is 1514 which is the classical
-# size for pcap on ethernet. You should adjust this value to the highest
-# packet size (MTU + hardware header) on your system.
-#default-packet-size: 1514
-
-# The default logging directory. Any log or output file will be
-# placed here if its not specified with a full path name. This can be
-# overridden with the -l command line parameter.
-default-log-dir: /var/log/suricata/
-
-# Unix command socket can be used to pass commands to suricata.
-# An external tool can then connect to get information from suricata
-# or trigger some modifications of the engine. Set enabled to yes
-# to activate the feature. You can use the filename variable to set
-# the file name of the socket.
-unix-command:
- enabled: no
- #filename: custom.socket
-
-# Configure the type of alert (and other) logging you would like.
-outputs:
-
- # a line based alerts log similar to Snort's fast.log
- - fast:
- enabled: yes
- filename: fast.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # Extensible Event Format (nicknamed EVE) event log in JSON format
- - eve-log:
- enabled: yes
- type: file #file|syslog|unix_dgram|unix_stream
- filename: eve.json
- # the following are valid when type: syslog above
- #identity: "suricata"
- #facility: local5
- #level: Info ## possible levels: Emergency, Alert, Critical,
- ## Error, Warning, Notice, Info, Debug
- types:
- - alert
- - http:
- extended: yes # enable this for extended logging information
- # custom allows additional http fields to be included in eve-log
- # the example below adds three additional fields when uncommented
- #custom: [Accept-Encoding, Accept-Language, Authorization]
- - dns
- - tls:
- extended: yes # enable this for extended logging information
- - files:
- force-magic: no # force logging magic on all logged files
- force-md5: no # force logging of md5 checksums
- #- drop
- - ssh
-
- # alert output for use with Barnyard2
- - unified2-alert:
- enabled: yes
- filename: unified2.alert
-
- # File size limit. Can be specified in kb, mb, gb. Just a number
- # is parsed as bytes.
- #limit: 32mb
-
- # Sensor ID field of unified2 alerts.
- #sensor-id: 0
-
- # HTTP X-Forwarded-For support by adding the unified2 extra header that
- # will contain the actual client IP address or by overwriting the source
- # IP address (helpful when inspecting traffic that is being reversed
- # proxied).
- xff:
- enabled: no
- # Two operation modes are available, "extra-data" and "overwrite". Note
- # that in the "overwrite" mode, if the reported IP address in the HTTP
- # X-Forwarded-For header is of a different version of the packet
- # received, it will fall-back to "extra-data" mode.
- mode: extra-data
- # Header name were the actual IP address will be reported, if more than
- # one IP address is present, the last IP address will be the one taken
- # into consideration.
- header: X-Forwarded-For
-
- # a line based log of HTTP requests (no alerts)
- - http-log:
- enabled: yes
- filename: http.log
- append: yes
- #extended: yes # enable this for extended logging information
- #custom: yes # enabled the custom logging format (defined by customformat)
- #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # a line based log of TLS handshake parameters (no alerts)
- - tls-log:
- enabled: no # Log TLS connections.
- filename: tls.log # File to store TLS logs.
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
- #extended: yes # Log extended information like fingerprint
- certs-log-dir: certs # directory to store the certificates files
-
- # a line based log of DNS requests and/or replies (no alerts)
- - dns-log:
- enabled: no
- filename: dns.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # a line based log to used with pcap file study.
- # this module is dedicated to offline pcap parsing (empty output
- # if used with another kind of input). It can interoperate with
- # pcap parser like wireshark via the suriwire plugin.
- - pcap-info:
- enabled: no
-
- # Packet log... log packets in pcap format. 2 modes of operation: "normal"
- # and "sguil".
- #
- # In normal mode a pcap file "filename" is created in the default-log-dir,
- # or are as specified by "dir". In Sguil mode "dir" indicates the base directory.
- # In this base dir the pcaps are created in th directory structure Sguil expects:
- #
- # $sguil-base-dir/YYYY-MM-DD/$filename.<timestamp>
- #
- # By default all packets are logged except:
- # - TCP streams beyond stream.reassembly.depth
- # - encrypted streams after the key exchange
- #
- - pcap-log:
- enabled: no
- filename: log.pcap
-
- # File size limit. Can be specified in kb, mb, gb. Just a number
- # is parsed as bytes.
- limit: 1000mb
-
- # If set to a value will enable ring buffer mode. Will keep Maximum of "max-files" of size "limit"
- max-files: 2000
-
- mode: normal # normal or sguil.
- #sguil-base-dir: /nsm_data/
- #ts-format: usec # sec or usec second format (default) is filename.sec usec is filename.sec.usec
- use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
-
- # a full alerts log containing much information for signature writers
- # or for investigating suspected false positives.
- - alert-debug:
- enabled: no
- filename: alert-debug.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # alert output to prelude (http://www.prelude-technologies.com/) only
- # available if Suricata has been compiled with --enable-prelude
- - alert-prelude:
- enabled: no
- profile: suricata
- log-packet-content: no
- log-packet-header: yes
-
- # Stats.log contains data from various counters of the suricata engine.
- # The interval field (in seconds) tells after how long output will be written
- # on the log file.
- - stats:
- enabled: yes
- filename: stats.log
- interval: 8
-
- # a line based alerts log similar to fast.log into syslog
- - syslog:
- enabled: no
- # reported identity to syslog. If ommited the program name (usually
- # suricata) will be used.
- #identity: "suricata"
- facility: local5
- #level: Info ## possible levels: Emergency, Alert, Critical,
- ## Error, Warning, Notice, Info, Debug
-
- # a line based information for dropped packets in IPS mode
- - drop:
- enabled: no
- filename: drop.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- # output module to store extracted files to disk
- #
- # The files are stored to the log-dir in a format "file.<id>" where <id> is
- # an incrementing number starting at 1. For each file "file.<id>" a meta
- # file "file.<id>.meta" is created.
- #
- # File extraction depends on a lot of things to be fully done:
- # - stream reassembly depth. For optimal results, set this to 0 (unlimited)
- # - http request / response body sizes. Again set to 0 for optimal results.
- # - rules that contain the "filestore" keyword.
- - file-store:
- enabled: no # set to yes to enable
- log-dir: files # directory to store the files
- force-magic: no # force logging magic on all stored files
- force-md5: no # force logging of md5 checksums
- #waldo: file.waldo # waldo file to store the file_id across runs
-
- # output module to log files tracked in a easily parsable json format
- - file-log:
- enabled: no
- filename: files-json.log
- append: yes
- #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-
- force-magic: no # force logging magic on all logged files
- force-md5: no # force logging of md5 checksums
-
-# Magic file. The extension .mgc is added to the value here.
-#magic-file: /usr/share/file/magic
-magic-file: /usr/share/misc/magic.mgc
-
-# When running in NFQ inline mode, it is possible to use a simulated
-# non-terminal NFQUEUE verdict.
-# This permit to do send all needed packet to suricata via this a rule:
-# iptables -I FORWARD -m mark ! --mark $MARK/$MASK -j NFQUEUE
-# And below, you can have your standard filtering ruleset. To activate
-# this mode, you need to set mode to 'repeat'
-# If you want packet to be sent to another queue after an ACCEPT decision
-# set mode to 'route' and set next-queue value.
-# On linux >= 3.1, you can set batchcount to a value > 1 to improve performance
-# by processing several packets before sending a verdict (worker runmode only).
-# On linux >= 3.6, you can set the fail-open option to yes to have the kernel
-# accept the packet if suricata is not able to keep pace.
-nfq:
-# mode: accept
-# repeat-mark: 1
-# repeat-mask: 1
-# route-queue: 2
-# batchcount: 20
-# fail-open: yes
-
-#nflog support
-nflog:
- # netlink multicast group
- # (the same as the iptables --nflog-group param)
- # Group 0 is used by the kernel, so you can't use it
- - group: 2
- # netlink buffer size
- buffer-size: 18432
- # put default value here
- - group: default
- # set number of packet to queue inside kernel
- qthreshold: 1
- # set the delay before flushing packet in the queue inside kernel
- qtimeout: 100
- # netlink max buffer size
- max-size: 20000
-
-# af-packet support
-# Set threads to > 1 to use PACKET_FANOUT support
-af-packet:
- - interface: eth0
- # Number of receive threads (>1 will enable experimental flow pinned
- # runmode)
- threads: 1
- # Default clusterid. AF_PACKET will load balance packets based on flow.
- # All threads/processes that will participate need to have the same
- # clusterid.
- cluster-id: 99
- # Default AF_PACKET cluster type. AF_PACKET can load balance per flow or per hash.
- # This is only supported for Linux kernel > 3.1
- # possible value are:
- # * cluster_round_robin: round robin load balancing
- # * cluster_flow: all packets of a given flow are send to the same socket
- # * cluster_cpu: all packets treated in kernel by a CPU are send to the same socket
- cluster-type: cluster_flow
- # In some fragmentation case, the hash can not be computed. If "defrag" is set
- # to yes, the kernel will do the needed defragmentation before sending the packets.
- defrag: yes
- # To use the ring feature of AF_PACKET, set 'use-mmap' to yes
- use-mmap: yes
- # Ring size will be computed with respect to max_pending_packets and number
- # of threads. You can set manually the ring size in number of packets by setting
- # the following value. If you are using flow cluster-type and have really network
- # intensive single-flow you could want to set the ring-size independantly of the number
- # of threads:
- #ring-size: 2048
- # On busy system, this could help to set it to yes to recover from a packet drop
- # phase. This will result in some packets (at max a ring flush) being non treated.
- #use-emergency-flush: yes
- # recv buffer size, increase value could improve performance
- # buffer-size: 32768
- # Set to yes to disable promiscuous mode
- # disable-promisc: no
- # Choose checksum verification mode for the interface. At the moment
- # of the capture, some packets may be with an invalid checksum due to
- # offloading to the network card of the checksum computation.
- # Possible values are:
- # - kernel: use indication sent by kernel for each packet (default)
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used.
- # Warning: 'checksum-validation' must be set to yes to have any validation
- #checksum-checks: kernel
- # BPF filter to apply to this interface. The pcap filter syntax apply here.
- #bpf-filter: port 80 or udp
- # You can use the following variables to activate AF_PACKET tap od IPS mode.
- # If copy-mode is set to ips or tap, the traffic coming to the current
- # interface will be copied to the copy-iface interface. If 'tap' is set, the
- # copy is complete. If 'ips' is set, the packet matching a 'drop' action
- # will not be copied.
- #copy-mode: ips
- #copy-iface: eth1
- - interface: eth1
- threads: 1
- cluster-id: 98
- cluster-type: cluster_flow
- defrag: yes
- # buffer-size: 32768
- # disable-promisc: no
- # Put default values here
- - interface: default
- #threads: 2
- #use-mmap: yes
-
-legacy:
- uricontent: enabled
-
-# You can specify a threshold config file by setting "threshold-file"
-# to the path of the threshold config file:
-# threshold-file: /etc/suricata/threshold.config
-
-# The detection engine builds internal groups of signatures. The engine
-# allow us to specify the profile to use for them, to manage memory on an
-# efficient way keeping a good performance. For the profile keyword you
-# can use the words "low", "medium", "high" or "custom". If you use custom
-# make sure to define the values at "- custom-values" as your convenience.
-# Usually you would prefer medium/high/low.
-#
-# "sgh mpm-context", indicates how the staging should allot mpm contexts for
-# the signature groups. "single" indicates the use of a single context for
-# all the signature group heads. "full" indicates a mpm-context for each
-# group head. "auto" lets the engine decide the distribution of contexts
-# based on the information the engine gathers on the patterns from each
-# group head.
-#
-# The option inspection-recursion-limit is used to limit the recursive calls
-# in the content inspection code. For certain payload-sig combinations, we
-# might end up taking too much time in the content inspection code.
-# If the argument specified is 0, the engine uses an internally defined
-# default limit. On not specifying a value, we use no limits on the recursion.
-detect-engine:
- - profile: medium
- - custom-values:
- toclient-src-groups: 2
- toclient-dst-groups: 2
- toclient-sp-groups: 2
- toclient-dp-groups: 3
- toserver-src-groups: 2
- toserver-dst-groups: 4
- toserver-sp-groups: 2
- toserver-dp-groups: 25
- - sgh-mpm-context: auto
- - inspection-recursion-limit: 3000
- # When rule-reload is enabled, sending a USR2 signal to the Suricata process
- # will trigger a live rule reload. Experimental feature, use with care.
- #- rule-reload: true
- # If set to yes, the loading of signatures will be made after the capture
- # is started. This will limit the downtime in IPS mode.
- #- delayed-detect: yes
-
-# Suricata is multi-threaded. Here the threading can be influenced.
-threading:
- # On some cpu's/architectures it is beneficial to tie individual threads
- # to specific CPU's/CPU cores. In this case all threads are tied to CPU0,
- # and each extra CPU/core has one "detect" thread.
- #
- # On Intel Core2 and Nehalem CPU's enabling this will degrade performance.
- #
- set-cpu-affinity: no
- # Tune cpu affinity of suricata threads. Each family of threads can be bound
- # on specific CPUs.
- cpu-affinity:
- - management-cpu-set:
- cpu: [ 0 ] # include only these cpus in affinity settings
- - receive-cpu-set:
- cpu: [ 0 ] # include only these cpus in affinity settings
- - decode-cpu-set:
- cpu: [ 0, 1 ]
- mode: "balanced"
- - stream-cpu-set:
- cpu: [ "0-1" ]
- - detect-cpu-set:
- cpu: [ "all" ]
- mode: "exclusive" # run detect threads in these cpus
- # Use explicitely 3 threads and don't compute number by using
- # detect-thread-ratio variable:
- # threads: 3
- prio:
- low: [ 0 ]
- medium: [ "1-2" ]
- high: [ 3 ]
- default: "medium"
- - verdict-cpu-set:
- cpu: [ 0 ]
- prio:
- default: "high"
- - reject-cpu-set:
- cpu: [ 0 ]
- prio:
- default: "low"
- - output-cpu-set:
- cpu: [ "all" ]
- prio:
- default: "medium"
- #
- # By default Suricata creates one "detect" thread per available CPU/CPU core.
- # This setting allows controlling this behaviour. A ratio setting of 2 will
- # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
- # will result in 4 detect threads. If values below 1 are used, less threads
- # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
- # thread being created. Regardless of the setting at a minimum 1 detect
- # thread will always be created.
- #
- detect-thread-ratio: 1.5
-
-# Cuda configuration.
-cuda:
- # The "mpm" profile. On not specifying any of these parameters, the engine's
- # internal default values are used, which are same as the ones specified in
- # in the default conf file.
- mpm:
- # The minimum length required to buffer data to the gpu.
- # Anything below this is MPM'ed on the CPU.
- # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
- # A value of 0 indicates there's no limit.
- data-buffer-size-min-limit: 0
- # The maximum length for data that we would buffer to the gpu.
- # Anything over this is MPM'ed on the CPU.
- # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
- data-buffer-size-max-limit: 1500
- # The ring buffer size used by the CudaBuffer API to buffer data.
- cudabuffer-buffer-size: 500mb
- # The max chunk size that can be sent to the gpu in a single go.
- gpu-transfer-size: 50mb
- # The timeout limit for batching of packets in microseconds.
- batching-timeout: 2000
- # The device to use for the mpm. Currently we don't support load balancing
- # on multiple gpus. In case you have multiple devices on your system, you
- # can specify the device to use, using this conf. By default we hold 0, to
- # specify the first device cuda sees. To find out device-id associated with
- # the card(s) on the system run "suricata --list-cuda-cards".
- device-id: 0
- # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
- # For this option you need a device with Compute Capability > 1.0.
- cuda-streams: 2
-
-# Select the multi pattern algorithm you want to run for scan/search the
-# in the engine. The supported algorithms are b2g, b2gc, b2gm, b3g, wumanber,
-# ac and ac-gfbs.
-#
-# The mpm you choose also decides the distribution of mpm contexts for
-# signature groups, specified by the conf - "detect-engine.sgh-mpm-context".
-# Selecting "ac" as the mpm would require "detect-engine.sgh-mpm-context"
-# to be set to "single", because of ac's memory requirements, unless the
-# ruleset is small enough to fit in one's memory, in which case one can
-# use "full" with "ac". Rest of the mpms can be run in "full" mode.
-#
-# There is also a CUDA pattern matcher (only available if Suricata was
-# compiled with --enable-cuda: b2g_cuda. Make sure to update your
-# max-pending-packets setting above as well if you use b2g_cuda.
-
-mpm-algo: ac
-
-# The memory settings for hash size of these algorithms can vary from lowest
-# (2048) - low (4096) - medium (8192) - high (16384) - higher (32768) - max
-# (65536). The bloomfilter sizes of these algorithms can vary from low (512) -
-# medium (1024) - high (2048).
-#
-# For B2g/B3g algorithms, there is a support for two different scan/search
-# algorithms. For B2g the scan algorithms are B2gScan & B2gScanBNDMq, and
-# search algorithms are B2gSearch & B2gSearchBNDMq. For B3g scan algorithms
-# are B3gScan & B3gScanBNDMq, and search algorithms are B3gSearch &
-# B3gSearchBNDMq.
-#
-# For B2g the different scan/search algorithms and, hash and bloom
-# filter size settings. For B3g the different scan/search algorithms and, hash
-# and bloom filter size settings. For wumanber the hash and bloom filter size
-# settings.
-
-pattern-matcher:
- - b2gc:
- search-algo: B2gSearchBNDMq
- hash-size: low
- bf-size: medium
- - b2gm:
- search-algo: B2gSearchBNDMq
- hash-size: low
- bf-size: medium
- - b2g:
- search-algo: B2gSearchBNDMq
- hash-size: low
- bf-size: medium
- - b3g:
- search-algo: B3gSearchBNDMq
- hash-size: low
- bf-size: medium
- - wumanber:
- hash-size: low
- bf-size: medium
-
-# Defrag settings:
-
-defrag:
- memcap: 32mb
- hash-size: 65536
- trackers: 65535 # number of defragmented flows to follow
- max-frags: 65535 # number of fragments to keep (higher than trackers)
- prealloc: yes
- timeout: 60
-
-# Enable defrag per host settings
-# host-config:
-#
-# - dmz:
-# timeout: 30
-# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
-#
-# - lan:
-# timeout: 45
-# address:
-# - 192.168.0.0/24
-# - 192.168.10.0/24
-# - 172.16.14.0/24
-
-# Flow settings:
-# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
-# for flow allocation inside the engine. You can change this value to allow
-# more memory usage for flows.
-# The hash-size determine the size of the hash used to identify flows inside
-# the engine, and by default the value is 65536.
-# At the startup, the engine can preallocate a number of flows, to get a better
-# performance. The number of flows preallocated is 10000 by default.
-# emergency-recovery is the percentage of flows that the engine need to
-# prune before unsetting the emergency state. The emergency state is activated
-# when the memcap limit is reached, allowing to create new flows, but
-# prunning them with the emergency timeouts (they are defined below).
-# If the memcap is reached, the engine will try to prune flows
-# with the default timeouts. If it doens't find a flow to prune, it will set
-# the emergency bit and it will try again with more agressive timeouts.
-# If that doesn't work, then it will try to kill the last time seen flows
-# not in use.
-# The memcap can be specified in kb, mb, gb. Just a number indicates it's
-# in bytes.
-
-flow:
- memcap: 64mb
- hash-size: 65536
- prealloc: 10000
- emergency-recovery: 30
-
-# This option controls the use of vlan ids in the flow (and defrag)
-# hashing. Normally this should be enabled, but in some (broken)
-# setups where both sides of a flow are not tagged with the same vlan
-# tag, we can ignore the vlan id's in the flow hashing.
-vlan:
- use-for-tracking: true
-
-# Specific timeouts for flows. Here you can specify the timeouts that the
-# active flows will wait to transit from the current state to another, on each
-# protocol. The value of "new" determine the seconds to wait after a hanshake or
-# stream startup before the engine free the data of that flow it doesn't
-# change the state to established (usually if we don't receive more packets
-# of that flow). The value of "established" is the amount of
-# seconds that the engine will wait to free the flow if it spend that amount
-# without receiving new packets or closing the connection. "closed" is the
-# amount of time to wait after a flow is closed (usually zero).
-#
-# There's an emergency mode that will become active under attack circumstances,
-# making the engine to check flow status faster. This configuration variables
-# use the prefix "emergency-" and work similar as the normal ones.
-# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
-# icmp.
-
-flow-timeouts:
-
- default:
- new: 30
- established: 300
- closed: 0
- emergency-new: 10
- emergency-established: 100
- emergency-closed: 0
- tcp:
- new: 60
- established: 3600
- closed: 120
- emergency-new: 10
- emergency-established: 300
- emergency-closed: 20
- udp:
- new: 30
- established: 300
- emergency-new: 10
- emergency-established: 100
- icmp:
- new: 30
- established: 300
- emergency-new: 10
- emergency-established: 100
-
-# Stream engine settings. Here the TCP stream tracking and reassembly
-# engine is configured.
-#
-# stream:
-# memcap: 32mb # Can be specified in kb, mb, gb. Just a
-# # number indicates it's in bytes.
-# checksum-validation: yes # To validate the checksum of received
-# # packet. If csum validation is specified as
-# # "yes", then packet with invalid csum will not
-# # be processed by the engine stream/app layer.
-# # Warning: locally generated trafic can be
-# # generated without checksum due to hardware offload
-# # of checksum. You can control the handling of checksum
-# # on a per-interface basis via the 'checksum-checks'
-# # option
-# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
-# midstream: false # don't allow midstream session pickups
-# async-oneside: false # don't enable async stream handling
-# inline: no # stream inline mode
-# max-synack-queued: 5 # Max different SYN/ACKs to queue
-#
-# reassembly:
-# memcap: 64mb # Can be specified in kb, mb, gb. Just a number
-# # indicates it's in bytes.
-# depth: 1mb # Can be specified in kb, mb, gb. Just a number
-# # indicates it's in bytes.
-# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
-# # this size. Can be specified in kb, mb,
-# # gb. Just a number indicates it's in bytes.
-# # The max acceptable size is 4024 bytes.
-# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
-# # this size. Can be specified in kb, mb,
-# # gb. Just a number indicates it's in bytes.
-# # The max acceptable size is 4024 bytes.
-# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
-# # This lower the risk of some evasion technics but could lead
-# # detection change between runs. It is set to 'yes' by default.
-# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
-# # a random value between (1 - randomize-chunk-range/100)*randomize-chunk-size
-# # and (1 + randomize-chunk-range/100)*randomize-chunk-size. Default value
-# # of randomize-chunk-range is 10.
-#
-# raw: yes # 'Raw' reassembly enabled or disabled.
-# # raw is for content inspection by detection
-# # engine.
-#
-# chunk-prealloc: 250 # Number of preallocated stream chunks. These
-# # are used during stream inspection (raw).
-# segments: # Settings for reassembly segment pool.
-# - size: 4 # Size of the (data)segment for a pool
-# prealloc: 256 # Number of segments to prealloc and keep
-# # in the pool.
-#
-stream:
- memcap: 32mb
- checksum-validation: yes # reject wrong csums
- inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
- reassembly:
- memcap: 128mb
- depth: 1mb # reassemble 1mb into a stream
- toserver-chunk-size: 2560
- toclient-chunk-size: 2560
- randomize-chunk-size: yes
- #randomize-chunk-range: 10
- #raw: yes
- #chunk-prealloc: 250
- #segments:
- # - size: 4
- # prealloc: 256
- # - size: 16
- # prealloc: 512
- # - size: 112
- # prealloc: 512
- # - size: 248
- # prealloc: 512
- # - size: 512
- # prealloc: 512
- # - size: 768
- # prealloc: 1024
- # - size: 1448
- # prealloc: 1024
- # - size: 65535
- # prealloc: 128
-
-# Host table:
-#
-# Host table is used by tagging and per host thresholding subsystems.
-#
-host:
- hash-size: 4096
- prealloc: 1000
- memcap: 16777216
-
-# Logging configuration. This is not about logging IDS alerts, but
-# IDS output about what its doing, errors, etc.
-logging:
-
- # The default log level, can be overridden in an output section.
- # Note that debug level logging will only be emitted if Suricata was
- # compiled with the --enable-debug configure option.
- #
- # This value is overriden by the SC_LOG_LEVEL env var.
- default-log-level: notice
-
- # The default output format. Optional parameter, should default to
- # something reasonable if not provided. Can be overriden in an
- # output section. You can leave this out to get the default.
- #
- # This value is overriden by the SC_LOG_FORMAT env var.
- #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- "
-
- # A regex to filter output. Can be overridden in an output section.
- # Defaults to empty (no filter).
- #
- # This value is overriden by the SC_LOG_OP_FILTER env var.
- default-output-filter:
-
- # Define your logging outputs. If none are defined, or they are all
- # disabled you will get the default - console output.
- outputs:
- - console:
- enabled: yes
- - file:
- enabled: no
- filename: /var/log/suricata.log
- - syslog:
- enabled: yes
- facility: local5
- format: "[%i] <%d> -- "
-
-# Tilera mpipe configuration. for use on Tilera TILE-Gx.
-mpipe:
-
- # Load balancing modes: "static", "dynamic", "sticky", or "round-robin".
- load-balance: dynamic
-
- # Number of Packets in each ingress packet queue. Must be 128, 512, 2028 or 65536
- iqueue-packets: 2048
-
- # List of interfaces we will listen on.
- inputs:
- - interface: xgbe2
- - interface: xgbe3
- - interface: xgbe4
-
-
- # Relative weight of memory for packets of each mPipe buffer size.
- stack:
- size128: 0
- size256: 9
- size512: 0
- size1024: 0
- size1664: 7
- size4096: 0
- size10386: 0
- size16384: 0
-
-# PF_RING configuration. for use with native PF_RING support
-# for more info see http://www.ntop.org/PF_RING.html
-pfring:
- - interface: eth0
- # Number of receive threads (>1 will enable experimental flow pinned
- # runmode)
- threads: 1
-
- # Default clusterid. PF_RING will load balance packets based on flow.
- # All threads/processes that will participate need to have the same
- # clusterid.
- cluster-id: 99
-
- # Default PF_RING cluster type. PF_RING can load balance per flow or per hash.
- # This is only supported in versions of PF_RING > 4.1.1.
- cluster-type: cluster_flow
- # bpf filter for this interface
- #bpf-filter: tcp
- # Choose checksum verification mode for the interface. At the moment
- # of the capture, some packets may be with an invalid checksum due to
- # offloading to the network card of the checksum computation.
- # Possible values are:
- # - rxonly: only compute checksum for packets received by network card.
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used. (default)
- # Warning: 'checksum-validation' must be set to yes to have any validation
- #checksum-checks: auto
- # Second interface
- #- interface: eth1
- # threads: 3
- # cluster-id: 93
- # cluster-type: cluster_flow
- # Put default values here
- - interface: default
- #threads: 2
-
-pcap:
- - interface: eth0
- # On Linux, pcap will try to use mmaped capture and will use buffer-size
- # as total of memory used by the ring. So set this to something bigger
- # than 1% of your bandwidth.
- #buffer-size: 16777216
- #bpf-filter: "tcp and port 25"
- # Choose checksum verification mode for the interface. At the moment
- # of the capture, some packets may be with an invalid checksum due to
- # offloading to the network card of the checksum computation.
- # Possible values are:
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used. (default)
- # Warning: 'checksum-validation' must be set to yes to have any validation
- #checksum-checks: auto
- # With some accelerator cards using a modified libpcap (like myricom), you
- # may want to have the same number of capture threads as the number of capture
- # rings. In this case, set up the threads variable to N to start N threads
- # listening on the same interface.
- #threads: 16
- # set to no to disable promiscuous mode:
- #promisc: no
- # set snaplen, if not set it defaults to MTU if MTU can be known
- # via ioctl call and to full capture if not.
- #snaplen: 1518
- # Put default values here
- - interface: default
- #checksum-checks: auto
-
-pcap-file:
- # Possible values are:
- # - yes: checksum validation is forced
- # - no: checksum validation is disabled
- # - auto: suricata uses a statistical approach to detect when
- # checksum off-loading is used. (default)
- # Warning: 'checksum-validation' must be set to yes to have checksum tested
- checksum-checks: auto
-
-# For FreeBSD ipfw(8) divert(4) support.
-# Please make sure you have ipfw_load="YES" and ipdivert_load="YES"
-# in /etc/loader.conf or kldload'ing the appropriate kernel modules.
-# Additionally, you need to have an ipfw rule for the engine to see
-# the packets from ipfw. For Example:
-#
-# ipfw add 100 divert 8000 ip from any to any
-#
-# The 8000 above should be the same number you passed on the command
-# line, i.e. -d 8000
-#
-ipfw:
-
- # Reinject packets at the specified ipfw rule number. This config
- # option is the ipfw rule number AT WHICH rule processing continues
- # in the ipfw processing system after the engine has finished
- # inspecting the packet for acceptance. If no rule number is specified,
- # accepted packets are reinjected at the divert rule which they entered
- # and IPFW rule processing continues. No check is done to verify
- # this will rule makes sense so care must be taken to avoid loops in ipfw.
- #
- ## The following example tells the engine to reinject packets
- # back into the ipfw firewall AT rule number 5500:
- #
- # ipfw-reinjection-rule-number: 5500
-
-# Set the default rule path here to search for the files.
-# if not set, it will look at the current working dir
-default-rule-path: /etc/suricata/rules
-rule-files:
- - botcc.rules
- - ciarmy.rules
- - compromised.rules
- - drop.rules
- - dshield.rules
- - emerging-activex.rules
- - emerging-attack_response.rules
- - emerging-chat.rules
- - emerging-current_events.rules
- - emerging-dns.rules
- - emerging-dos.rules
- - emerging-exploit.rules
- - emerging-ftp.rules
- - emerging-games.rules
- - emerging-icmp_info.rules
-# - emerging-icmp.rules
- - emerging-imap.rules
- - emerging-inappropriate.rules
- - emerging-malware.rules
- - emerging-misc.rules
- - emerging-mobile_malware.rules
- - emerging-netbios.rules
- - emerging-p2p.rules
- - emerging-policy.rules
- - emerging-pop3.rules
- - emerging-rpc.rules
- - emerging-scada.rules
- - emerging-scan.rules
- - emerging-shellcode.rules
- - emerging-smtp.rules
- - emerging-snmp.rules
- - emerging-sql.rules
- - emerging-telnet.rules
- - emerging-tftp.rules
- - emerging-trojan.rules
- - emerging-user_agents.rules
- - emerging-voip.rules
- - emerging-web_client.rules
- - emerging-web_server.rules
- - emerging-web_specific_apps.rules
- - emerging-worm.rules
- - tor.rules
- - decoder-events.rules # available in suricata sources under rules dir
- - stream-events.rules # available in suricata sources under rules dir
- - http-events.rules # available in suricata sources under rules dir
- - smtp-events.rules # available in suricata sources under rules dir
- - dns-events.rules # available in suricata sources under rules dir
- - tls-events.rules # available in suricata sources under rules dir
-
-classification-file: /etc/suricata/classification.config
-reference-config-file: /etc/suricata/reference.config
-
-# Holds variables that would be used by the engine.
-vars:
-
- # Holds the address group vars that would be passed in a Signature.
- # These would be retrieved during the Signature address parsing stage.
- address-groups:
-
- HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
-
- EXTERNAL_NET: "!$HOME_NET"
-
- HTTP_SERVERS: "$HOME_NET"
-
- SMTP_SERVERS: "$HOME_NET"
-
- SQL_SERVERS: "$HOME_NET"
-
- DNS_SERVERS: "$HOME_NET"
-
- TELNET_SERVERS: "$HOME_NET"
-
- AIM_SERVERS: "$EXTERNAL_NET"
-
- DNP3_SERVER: "$HOME_NET"
-
- DNP3_CLIENT: "$HOME_NET"
-
- MODBUS_CLIENT: "$HOME_NET"
-
- MODBUS_SERVER: "$HOME_NET"
-
- ENIP_CLIENT: "$HOME_NET"
-
- ENIP_SERVER: "$HOME_NET"
-
- # Holds the port group vars that would be passed in a Signature.
- # These would be retrieved during the Signature port parsing stage.
- port-groups:
-
- HTTP_PORTS: "80"
-
- SHELLCODE_PORTS: "!80"
-
- ORACLE_PORTS: 1521
-
- SSH_PORTS: 22
-
- DNP3_PORTS: 20000
-
-# Set the order of alerts bassed on actions
-# The default order is pass, drop, reject, alert
-action-order:
- - pass
- - drop
- - reject
- - alert
-
-# IP Reputation
-#reputation-categories-file: /etc/suricata/iprep/categories.txt
-#default-reputation-path: /etc/suricata/iprep
-#reputation-files:
-# - reputation.list
-
-# Host specific policies for defragmentation and TCP stream
-# reassembly. The host OS lookup is done using a radix tree, just
-# like a routing table so the most specific entry matches.
-host-os-policy:
- # Make the default policy windows.
- windows: [0.0.0.0/0]
- bsd: []
- bsd-right: []
- old-linux: []
- linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
- old-solaris: []
- solaris: ["::1"]
- hpux10: []
- hpux11: []
- irix: []
- macos: []
- vista: []
- windows2k3: []
-
-
-# Limit for the maximum number of asn1 frames to decode (default 256)
-asn1-max-frames: 256
-
-# When run with the option --engine-analysis, the engine will read each of
-# the parameters below, and print reports for each of the enabled sections
-# and exit. The reports are printed to a file in the default log dir
-# given by the parameter "default-log-dir", with engine reporting
-# subsection below printing reports in its own report file.
-engine-analysis:
- # enables printing reports for fast-pattern for every rule.
- rules-fast-pattern: yes
- # enables printing reports for each rule
- rules: yes
-
-#recursion and match limits for PCRE where supported
-pcre:
- match-limit: 3500
- match-limit-recursion: 1500
-
-# Holds details on the app-layer. The protocols section details each protocol.
-# Under each protocol, the default value for detection-enabled and "
-# parsed-enabled is yes, unless specified otherwise.
-# Each protocol covers enabling/disabling parsers for all ipprotos
-# the app-layer protocol runs on. For example "dcerpc" refers to the tcp
-# version of the protocol as well as the udp version of the protocol.
-# The option "enabled" takes 3 values - "yes", "no", "detection-only".
-# "yes" enables both detection and the parser, "no" disables both, and
-# "detection-only" enables detection only(parser disabled).
-app-layer:
- protocols:
- tls:
- enabled: yes
- detection-ports:
- dp: 443
-
- #no-reassemble: yes
- dcerpc:
- enabled: yes
- ftp:
- enabled: yes
- ssh:
- enabled: yes
- smtp:
- enabled: yes
- imap:
- enabled: detection-only
- msn:
- enabled: detection-only
- smb:
- enabled: yes
- detection-ports:
- dp: 139
- # smb2 detection is disabled internally inside the engine.
- #smb2:
- # enabled: yes
- dns:
- # memcaps. Globally and per flow/state.
- #global-memcap: 16mb
- #state-memcap: 512kb
-
- # How many unreplied DNS requests are considered a flood.
- # If the limit is reached, app-layer-event:dns.flooded; will match.
- #request-flood: 500
-
- tcp:
- enabled: yes
- detection-ports:
- dp: 53
- udp:
- enabled: yes
- detection-ports:
- dp: 53
- http:
- enabled: yes
- # memcap: 64mb
-
- ###########################################################################
- # Configure libhtp.
- #
- #
- # default-config: Used when no server-config matches
- # personality: List of personalities used by default
- # request-body-limit: Limit reassembly of request body for inspection
- # by http_client_body & pcre /P option.
- # response-body-limit: Limit reassembly of response body for inspection
- # by file_data, http_server_body & pcre /Q option.
- # double-decode-path: Double decode path section of the URI
- # double-decode-query: Double decode query section of the URI
- #
- # server-config: List of server configurations to use if address matches
- # address: List of ip addresses or networks for this block
- # personalitiy: List of personalities used by this block
- # request-body-limit: Limit reassembly of request body for inspection
- # by http_client_body & pcre /P option.
- # response-body-limit: Limit reassembly of response body for inspection
- # by file_data, http_server_body & pcre /Q option.
- # double-decode-path: Double decode path section of the URI
- # double-decode-query: Double decode query section of the URI
- #
- # uri-include-all: Include all parts of the URI. By default the
- # 'scheme', username/password, hostname and port
- # are excluded. Setting this option to true adds
- # all of them to the normalized uri as inspected
- # by http_uri, urilen, pcre with /U and the other
- # keywords that inspect the normalized uri.
- # Note that this does not affect http_raw_uri.
- # Also, note that including all was the default in
- # 1.4 and 2.0beta1.
- #
- # meta-field-limit: Hard size limit for request and response size
- # limits. Applies to request line and headers,
- # response line and headers. Does not apply to
- # request or response bodies. Default is 18k.
- # If this limit is reached an event is raised.
- #
- # Currently Available Personalities:
- # Minimal
- # Generic
- # IDS (default)
- # IIS_4_0
- # IIS_5_0
- # IIS_5_1
- # IIS_6_0
- # IIS_7_0
- # IIS_7_5
- # Apache_2
- ###########################################################################
- libhtp:
-
- default-config:
- personality: IDS
-
- # Can be specified in kb, mb, gb. Just a number indicates
- # it's in bytes.
- request-body-limit: 3072
- response-body-limit: 3072
-
- # inspection limits
- request-body-minimal-inspect-size: 32kb
- request-body-inspect-window: 4kb
- response-body-minimal-inspect-size: 32kb
- response-body-inspect-window: 4kb
- # Take a random value for inspection sizes around the specified value.
- # This lower the risk of some evasion technics but could lead
- # detection change between runs. It is set to 'yes' by default.
- #randomize-inspection-sizes: yes
- # If randomize-inspection-sizes is active, the value of various
- # inspection size will be choosen in the [1 - range%, 1 + range%]
- # range
- # Default value of randomize-inspection-range is 10.
- #randomize-inspection-range: 10
-
- # decoding
- double-decode-path: no
- double-decode-query: no
-
- server-config:
-
- #- apache:
- # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
- # personality: Apache_2
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
- #- iis7:
- # address:
- # - 192.168.0.0/24
- # - 192.168.10.0/24
- # personality: IIS_7_0
- # # Can be specified in kb, mb, gb. Just a number indicates
- # # it's in bytes.
- # request-body-limit: 4096
- # response-body-limit: 4096
- # double-decode-path: no
- # double-decode-query: no
-
-# Profiling settings. Only effective if Suricata has been built with the
-# the --enable-profiling configure flag.
-#
-profiling:
- # Run profiling for every xth packet. The default is 1, which means we
- # profile every packet. If set to 1000, one packet is profiled for every
- # 1000 received.
- #sample-rate: 1000
-
- # rule profiling
- rules:
-
- # Profiling can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: yes
- filename: rule_perf.log
- append: yes
-
- # Sort options: ticks, avgticks, checks, matches, maxticks
- sort: avgticks
-
- # Limit the number of items printed at exit.
- limit: 100
-
- # per keyword profiling
- keywords:
- enabled: yes
- filename: keyword_perf.log
- append: yes
-
- # packet profiling
- packets:
-
- # Profiling can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: yes
- filename: packet_stats.log
- append: yes
-
- # per packet csv output
- csv:
-
- # Output can be disabled here, but it will still have a
- # performance impact if compiled in.
- enabled: no
- filename: packet_stats.csv
-
- # profiling of locking. Only available when Suricata was built with
- # --enable-profiling-locks.
- locks:
- enabled: no
- filename: lock_stats.log
- append: yes
-
-# Suricata core dump configuration. Limits the size of the core dump file to
-# approximately max-dump. The actual core dump size will be a multiple of the
-# page size. Core dumps that would be larger than max-dump are truncated. On
-# Linux, the actual core dump size may be a few pages larger than max-dump.
-# Setting max-dump to 0 disables core dumping.
-# Setting max-dump to 'unlimited' will give the full core dump file.
-# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
-# to be 'unlimited'.
-
-coredump:
- max-dump: unlimited
-
-napatech:
- # The Host Buffer Allowance for all streams
- # (-1 = OFF, 1 - 100 = percentage of the host buffer that can be held back)
- hba: -1
-
- # use_all_streams set to "yes" will query the Napatech service for all configured
- # streams and listen on all of them. When set to "no" the streams config array
- # will be used.
- use-all-streams: yes
-
- # The streams to listen on
- streams: [1, 2, 3]
-
-# Includes. Files included here will be handled as if they were
-# inlined in this configuration file.
-#include: include1.yaml
-#include: include2.yaml
diff --git a/external/meta-security/recipes-security/suricata/files/volatiles.03_suricata b/external/meta-security/recipes-security/suricata/files/volatiles.03_suricata
deleted file mode 100644
index 4627bd3b..00000000
--- a/external/meta-security/recipes-security/suricata/files/volatiles.03_suricata
+++ /dev/null
@@ -1,2 +0,0 @@
-# <type> <owner> <group> <mode> <path> <linksource>
-d root root 0755 /var/log/suricata none
diff --git a/external/meta-security/recipes-security/suricata/libhtp_0.5.27.bb b/external/meta-security/recipes-security/suricata/libhtp_0.5.27.bb
deleted file mode 100644
index 8305f701..00000000
--- a/external/meta-security/recipes-security/suricata/libhtp_0.5.27.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces."
-
-require suricata.inc
-
-LIC_FILES_CHKSUM = "file://../LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-
-DEPENDS = "zlib"
-
-inherit autotools pkgconfig
-
-CFLAGS += "-D_DEFAULT_SOURCE"
-
-S = "${WORKDIR}/suricata-${VER}/${BPN}"
-
-RDEPENDS_${PN} += "zlib"
diff --git a/external/meta-security/recipes-security/suricata/suricata.inc b/external/meta-security/recipes-security/suricata/suricata.inc
deleted file mode 100644
index 1f421210..00000000
--- a/external/meta-security/recipes-security/suricata/suricata.inc
+++ /dev/null
@@ -1,9 +0,0 @@
-HOMEPAGE = "http://suricata-ids.org/"
-SECTION = "security Monitor/Admin"
-LICENSE = "GPLv2"
-
-VER = "4.0.5"
-SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
-
-SRC_URI[md5sum] = "ea0cb823d6a86568152f75ade6de442f"
-SRC_URI[sha256sum] = "74dacb4359d57fbd3452e384eeeb1dd77b6ae00f02e9994ad5a7b461d5f4c6c2"
diff --git a/external/meta-security/recipes-security/suricata/suricata_4.0.5.bb b/external/meta-security/recipes-security/suricata/suricata_4.0.5.bb
deleted file mode 100644
index 6c0a109b..00000000
--- a/external/meta-security/recipes-security/suricata/suricata_4.0.5.bb
+++ /dev/null
@@ -1,96 +0,0 @@
-SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
-
-require suricata.inc
-
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
-
-SRC_URI += "file://emerging.rules.tar.gz;name=rules"
-
-SRC_URI += " \
- file://volatiles.03_suricata \
- file://suricata.yaml \
- file://suricata.service \
- file://run-ptest \
- "
-
-SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33"
-SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798"
-
-inherit autotools-brokensep pkgconfig python-dir systemd ptest
-
-CFLAGS += "-D_DEFAULT_SOURCE"
-
-CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \
- ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no "
-
-EXTRA_OECONF += " --disable-debug \
- --enable-non-bundled-htp \
- --disable-gccmarch-native \
- "
-
-PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
-PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
-
-PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp,"
-PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ,"
-PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
-PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ,"
-PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
-PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet,"
-PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
-PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
-
-PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
-PACKAGECONFIG[file] = ",,file, file"
-PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
-PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python, python"
-PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
-
-export logdir = "${localstatedir}/log"
-
-do_install_append () {
-
- install -d ${D}${sysconfdir}/suricata
-
- oe_runmake install-conf DESTDIR=${D}
-
- # mimic move of downloaded rules to e_sysconfrulesdir
- cp -rf ${WORKDIR}/rules ${D}${sysconfdir}/suricata
-
- oe_runmake install-rules DESTDIR=${D}
-
- install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
- install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata
-
- install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
-
- install -d ${D}${systemd_unitdir}/system
- sed -e s:/etc:${sysconfdir}:g \
- -e s:/var/run:/run:g \
- -e s:/var:${localstatedir}:g \
- -e s:/usr/bin:${bindir}:g \
- -e s:/bin/kill:${base_bindir}/kill:g \
- -e s:/usr/lib:${libdir}:g \
- ${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
-
- # Remove /var/run as it is created on startup
- rm -rf ${D}${localstatedir}/run
-
-}
-
-pkg_postinst_ontarget_${PN} () {
-if [ -e /etc/init.d/populate-volatile.sh ] ; then
- ${sysconfdir}/init.d/populate-volatile.sh update
-fi
-}
-
-SYSTEMD_PACKAGES = "${PN}"
-
-PACKAGES =+ "${PN}-socketcontrol"
-FILES_${PN} += "${systemd_unitdir}"
-FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
-
-CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
-
-RDEPENDS_${PN}-python = "python"
diff --git a/external/meta-security/recipes-security/tripwire/files/add_armeb_arch.patch b/external/meta-security/recipes-security/tripwire/files/add_armeb_arch.patch
deleted file mode 100644
index 2379d665..00000000
--- a/external/meta-security/recipes-security/tripwire/files/add_armeb_arch.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-tripwire: Add armeb support
-
-Upstream-Status: Submitted to tripwire-dev
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
-diff -Naurp tripwire-2.4.2.2-src_org/config.sub tripwire-2.4.2.2-src/config.sub
---- tripwire-2.4.2.2-src_org/config.sub 2015-07-20 15:03:04.161452573 +0530
-+++ tripwire-2.4.2.2-src/config.sub 2015-07-20 15:06:07.077673139 +0530
-@@ -268,7 +268,7 @@ case $basic_machine in
- # FIXME: clean up the formatting here.
- vax-* | tahoe-* | i*86-* | i860-* | ia64-* | m32r-* | m68k-* | m68000-* \
- | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | c[123]* | aarch64-* | aarch64be-* \
-- | arm-* | armbe-* | armle-* | armv*-* | strongarm-* | xscale-* \
-+ | arm-* | armeb-* | armbe-* | armle-* | armv*-* | strongarm-* | xscale-* \
- | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \
- | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \
- | xmp-* | ymp-* \
diff --git a/external/meta-security/recipes-security/tripwire/files/run-ptest b/external/meta-security/recipes-security/tripwire/files/run-ptest
deleted file mode 100644
index aedfddc5..00000000
--- a/external/meta-security/recipes-security/tripwire/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-./twtest.pl
diff --git a/external/meta-security/recipes-security/tripwire/files/tripwire.cron b/external/meta-security/recipes-security/tripwire/files/tripwire.cron
deleted file mode 100644
index 2035508d..00000000
--- a/external/meta-security/recipes-security/tripwire/files/tripwire.cron
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-HOST_NAME=`uname -n`
-if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
- echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****"
- echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"
-else
- test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check
-fi
diff --git a/external/meta-security/recipes-security/tripwire/files/tripwire.sh b/external/meta-security/recipes-security/tripwire/files/tripwire.sh
deleted file mode 100644
index 4276d10e..00000000
--- a/external/meta-security/recipes-security/tripwire/files/tripwire.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-HOST_NAME=`uname -n`
-if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
- echo "**** WARNING: Tripwire database for ${HOST_NAME} not found. ****"
- echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"
- # Note: /etc/tripwire/twinstall.sh creates and initializes tripwire
- # database (i.e tripwire --init).
- # Example: . /etc/tripwire/twinstall.sh 2> /dev/null
-fi
diff --git a/external/meta-security/recipes-security/tripwire/files/tripwire.txt b/external/meta-security/recipes-security/tripwire/files/tripwire.txt
deleted file mode 100644
index 332d0042..00000000
--- a/external/meta-security/recipes-security/tripwire/files/tripwire.txt
+++ /dev/null
@@ -1,69 +0,0 @@
-Post-Installation Instructions
-1. Run the configuration script: /etc/tripwire/twinstall.sh to sign these files. This script walks you through the processes of setting passphrases and signing the Tripwire policy and configuration files.
-Note: Once encoded and signed, the configuration file should not be renamed or moved.
-2. Initialize the Tripwire database file. (/usr/sbin/tripwire--init)
-3. Run the first integrity check. (/usr/sbin/tripwire--check)
-4. Edit the configuration file (twcfg.txt) with a text editor, if desired.
-5. Edit the policy file (twpol.txt) with a text editor, if desired.
-
-Note: If you plan to modify the policy file, we recommend you do so before running the configuration script. If you modify the policy file after running the configuration script, you must re-run the configuration file before initializing the database file.
-
-Modifying the Policy File
-You can specify how Tripwire software checks your system in the Tripwire policy file (twpol.txt). A default policy file is included in the Tripwire software installation. We recommend you tailor this policy file to fit your particular system. Tailoring the policy file greatly increases Tripwire software's ability to ensure the integrity of your system.
-
-Locate the default policy file at /etc/tripwire/twpol.txt. An example policy file (located at /usr/doc/tripwire-VER#-REL#/policyguide.txt) is included to help you learn the policy language. Read the sample policy file and the comments in the sample policy file to learn the policy language.
-
-After you modify the policy file, follow the Post-Installation Instructions (run the configuration script). This script signs the modified policy file and renames it to tw.pol. This is the active policy file that runs as part of the Tripwire software.
-
-Selecting Passphrases
-Tripwire files are signed or encrypted using site or local keys. These keys are protected by passphrases. When selecting passphrases, the following recommendations apply:
-Use at least eight alphanumeric and symbolic characters for each passphrase. The maximum length of a passphrase is 1023 characters. Quotes should not be used as passphrase characters.
-
-Assign a unique passphrase for the site key. The site key passphrase protects the site key, which is used to sign Tripwire software configuration and policy files. Assign a unique passphrase for the local key. The local key signs Tripwire database files. The local key may sign the Tripwire report files also.
-
-Store the passphrases in a secure location. There is no way to remove encryption from a signed file if you forget your passphrase. If you forget the passphrases, the files are unusable. In that case you must reinitialize the baseline database.
-
-Initializing the Database
-In Database Initialization mode, Tripwire software builds a database of filesystem objects based on the rules in the policy file. This database serves as the baseline for integrity checks. The syntax for Database Initialization mode is:
-tripwire --init
-
-Running an Integrity Check
-The Integrity Check mode compares the current file system objects with their properties recorded in the Tripwire database. Violations are printed to stdout. The report file is saved and can later be accessed by twprint. An email option enables you to send email. The syntax for Integrity Check mode is:
-tripwire --check
-
-Printing Reports - twprint Print Report Mode
-The twprint --print-report mode prints the contents of a Tripwire report. If you do not specify a report with the --twrfile or -r command-line argument, the default report file specified by the configuration file REPORTFILE variable is used.
-Example: On a machine named LIGHTHOUSE, the command would be:
-./twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr
-
-Updating the Database after an Integrity Check
-Database Update mode enables you to update the Tripwire database after an integrity check if you determine that the violations discovered are valid. This update process saves time by enabling you to update the database without having to re-initialize it. It also enables selective updating, which cannot be done through re-initialization. The syntax for Database Update mode is:
-tripwire --update
-
-Updating the Policy File
-Change the way that Tripwire software scans the system by changing the rules in the policy file. You can then update the database without a complete re-initialization. This saves a significant amount of time and preserves security by keeping the policy file synchronized with the database it uses. The syntax for Policy Update mode is:
-tripwire --update-policy
-
-Testing email functions
-Test mode tests the software's email notification system, using the settings currently specified in the configuration file. The syntax for Email Test Reporting mode is:
-tripwire --test
-
-Tripwire Components
-The policy file begins as a text file containing comments, rules, directives, and variables. These dictate the way Tripwire software checks your system. Each rule in the policy file specifies a system object to be monitored. Rules also describe which changes to the object to report, and which to ignore.
-
-System objects are the files and directories you wish to monitor. Each object is identified by an object name. A property refers to a single characteristic of an object that Tripwire software can monitor. Directives control conditional processing of sets of rules in a policy file. During installation, the text policy file is encrypted and renamed, and becomes the active policy file.
-
-The database file is an important component of Tripwire software. When first installed, Tripwire software uses the policy file rules to create the database file. The database file is a baseline "snapshot" of the system in a known secure state. Tripwire software compares this baseline against the current system to determine what changes have occurred. This is an integrity check.
-
-When you perform an integrity check, Tripwire software produces report files. Report files summarize any changes that violated the policy file rules during the integrity check. You can view the report file in a variety of formats, at varying levels of detail.
-
-The Tripwire configuration file stores system-specific information, such as the location of Tripwire data files. Tripwire software generates some of the configuration file information during installation. The system administrator can change parameters in the configuration file at any time. The configuration file variables POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, and LOCALKEYFILE specify where the policy file, database file, report files, and site and local key files reside. These variables must be defined or the configuration file is invalid. If any of these variables are undefined, an error occurs on execution of Tripwire software and the program exits.
-
-Tripwire Help
-All Tripwire commands support the help arguments. Example: To get help with Create Configuration File mode, type: ./twadmin --help --create-cfgfile
-
--? Display usage and version information
---help Display all command modes
---help all Display help for all command modes
---help [mode] Display help for current command mode
---version Display version information
diff --git a/external/meta-security/recipes-security/tripwire/files/twcfg.txt b/external/meta-security/recipes-security/tripwire/files/twcfg.txt
deleted file mode 100644
index 224e9201..00000000
--- a/external/meta-security/recipes-security/tripwire/files/twcfg.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-ROOT =/usr/sbin
-POLFILE =/etc/tripwire/tw.pol
-DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
-REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
-SITEKEYFILE =/etc/tripwire/site.key
-LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
-EDITOR =/usr/bin/nano
-LATEPROMPTING =false
-LOOSEDIRECTORYCHECKING =false
-MAILNOVIOLATIONS =true
-EMAILREPORTLEVEL =3
-REPORTLEVEL =3
-MAILMETHOD =SENDMAIL
-SYSLOGREPORTING =false
-MAILPROGRAM =/usr/lib/sendmail -t
diff --git a/external/meta-security/recipes-security/tripwire/files/twinstall.sh b/external/meta-security/recipes-security/tripwire/files/twinstall.sh
deleted file mode 100644
index 7d1b63fe..00000000
--- a/external/meta-security/recipes-security/tripwire/files/twinstall.sh
+++ /dev/null
@@ -1,320 +0,0 @@
-#!/bin/sh
-
-########################################################################
-########################################################################
-##
-## Tripwire(R) 2.3 for LINUX(R) Post-RPM installation script
-##
-## Copyleft information contained in footer
-##
-########################################################################
-########################################################################
-
-##=======================================================
-## Setup
-##=======================================================
-
-# We can assume all the correct tools are in place because the
-# RPM installed, didn't it?
-
-##-------------------------------------------------------
-## Set HOST_NAME variable
-##-------------------------------------------------------
-HOST_NAME='localhost'
-if uname -n > /dev/null 2> /dev/null ; then
- HOST_NAME=`uname -n`
-fi
-
-##-------------------------------------------------------
-## Program variables - edited by RPM during initial install
-##-------------------------------------------------------
-
-# Site Passphrase variable
-TW_SITE_PASS="tripwire"
-
-# Complete path to site key
-SITE_KEY="/etc/tripwire/site.key"
-
-# Local Passphrase variable
-TW_LOCAL_PASS="tripwire"
-
-# Complete path to local key
-LOCAL_KEY="/etc/tripwire/${HOST_NAME}-local.key"
-
-# If clobber==true, overwrite files; if false, do not overwrite files.
-CLOBBER="false"
-
-# If prompt==true, ask for confirmation before continuing with install.
-PROMPT="true"
-
-# Name of twadmin executeable
-TWADMIN="twadmin"
-
-# Path to twadmin executeable
-TWADMPATH=/usr/sbin
-
-# Path to configuration directory
-CONF_PATH="/etc/tripwire"
-
-# Name of clear text policy file
-TXT_POL=$CONF_PATH/twpol.txt
-
-# Name of clear text configuration file
-TXT_CFG=$CONF_PATH/twcfg.txt
-
-# Name of encrypted configuration file
-CONFIG_FILE=$CONF_PATH/tw.cfg
-
-# Path of the final Tripwire policy file (signed)
-SIGNED_POL=`grep POLFILE $TXT_CFG | sed -e 's/^.*=\(.*\)/\1/'`
-
-
-##=======================================================
-## Create Key Files
-##=======================================================
-
-##-------------------------------------------------------
-## If user has to enter a passphrase, give some
-## advice about what is appropriate.
-##-------------------------------------------------------
-
-if [ -z "$TW_SITE_PASS" ] || [ -z "$TW_LOCAL_PASS" ]; then
-cat << END_OF_TEXT
-
-----------------------------------------------
-The Tripwire site and local passphrases are used to
-sign a variety of files, such as the configuration,
-policy, and database files.
-
-Passphrases should be at least 8 characters in length
-and contain both letters and numbers.
-
-See the Tripwire manual for more information.
-END_OF_TEXT
-fi
-
-##=======================================================
-## Generate keys.
-##=======================================================
-
-echo
-echo "----------------------------------------------"
-echo "Creating key files..."
-
-##-------------------------------------------------------
-## Site key file.
-##-------------------------------------------------------
-
-# If clobber is true, and prompting is off (unattended operation)
-# and the key file already exists, remove it. Otherwise twadmin
-# will prompt with an "are you sure?" message.
-
-if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$SITE_KEY" ] ; then
- rm -f "$SITE_KEY"
-fi
-
-if [ -f "$SITE_KEY" ] && [ "$CLOBBER" = "false" ] ; then
- echo "The site key file \"$SITE_KEY\""
- echo 'exists and will not be overwritten.'
-else
- cmdargs="--generate-keys --site-keyfile \"$SITE_KEY\""
- if [ -n "$TW_SITE_PASS" ] ; then
- cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
- fi
- eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
- if [ $? -ne 0 ] ; then
- echo "Error: site key generation failed"
- exit 1
- else chmod 640 "$SITE_KEY"
- fi
-fi
-
-##-------------------------------------------------------
-## Local key file.
-##-------------------------------------------------------
-
-# If clobber is true, and prompting is off (unattended operation)
-# and the key file already exists, remove it. Otherwise twadmin
-# will prompt with an "are you sure?" message.
-
-if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$LOCAL_KEY" ] ; then
- rm -f "$LOCAL_KEY"
-fi
-
-if [ -f "$LOCAL_KEY" ] && [ "$CLOBBER" = "false" ] ; then
- echo "The site key file \"$LOCAL_KEY\""
- echo 'exists and will not be overwritten.'
-else
- cmdargs="--generate-keys --local-keyfile \"$LOCAL_KEY\""
- if [ -n "$TW_LOCAL_PASS" ] ; then
- cmdargs="$cmdargs --local-passphrase \"$TW_LOCAL_PASS\""
- fi
- eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
- if [ $? -ne 0 ] ; then
- echo "Error: local key generation failed"
- exit 1
- else chmod 640 "$LOCAL_KEY"
- fi
-fi
-
-##=======================================================
-## Sign the Configuration File
-##=======================================================
-
-echo
-echo "----------------------------------------------"
-echo "Signing configuration file..."
-
-##-------------------------------------------------------
-## If noclobber, then backup any existing config file.
-##-------------------------------------------------------
-
-if [ "$CLOBBER" = "false" ] && [ -s "$CONFIG_FILE" ] ; then
- backup="${CONFIG_FILE}.$$.bak"
- echo "Backing up $CONFIG_FILE"
- echo " to $backup"
- `mv "$CONFIG_FILE" "$backup"`
- if [ $? -ne 0 ] ; then
- echo "Error: backup of configuration file failed."
- exit 1
- fi
-fi
-
-##-------------------------------------------------------
-## Build command line.
-##-------------------------------------------------------
-
-cmdargs="--create-cfgfile"
-cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
-cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
-if [ -n "$TW_SITE_PASS" ] ; then
- cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
-fi
-
-##-------------------------------------------------------
-## Sign the file.
-##-------------------------------------------------------
-
-eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_CFG\""
-if [ $? -ne 0 ] ; then
- echo "Error: signing of configuration file failed."
- exit 1
-fi
-
-# Set the rights properly
-chmod 640 "$CONFIG_FILE"
-
-##-------------------------------------------------------
-## We keep the cleartext version around.
-##-------------------------------------------------------
-
-cat << END_OF_TEXT
-
-A clear-text version of the Tripwire configuration file
-$TXT_CFG
-has been preserved for your inspection. It is recommended
-that you delete this file manually after you have examined it.
-
-END_OF_TEXT
-
-##=======================================================
-## Sign tripwire policy file.
-##=======================================================
-
-echo
-echo "----------------------------------------------"
-echo "Signing policy file..."
-
-##-------------------------------------------------------
-## If noclobber, then backup any existing policy file.
-##-------------------------------------------------------
-
-if [ "$CLOBBER" = "false" ] && [ -s "$POLICY_FILE" ] ; then
- backup="${POLICY_FILE}.$$.bak"
- echo "Backing up $POLICY_FILE"
- echo " to $backup"
- mv "$POLICY_FILE" "$backup"
- if [ $? -ne 0 ] ; then
- echo "Error: backup of policy file failed."
- exit 1
- fi
-fi
-
-##-------------------------------------------------------
-## Build command line.
-##-------------------------------------------------------
-
-cmdargs="--create-polfile"
-cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
-cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
-if [ -n "$TW_SITE_PASS" ] ; then
- cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
-fi
-
-##-------------------------------------------------------
-## Sign the file.
-##-------------------------------------------------------
-
-eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_POL\""
-if [ $? -ne 0 ] ; then
- echo "Error: signing of policy file failed."
- exit 1
-fi
-
-# Set the proper rights on the newly signed policy file.
-chmod 0640 "$SIGNED_POL"
-
-##-------------------------------------------------------
-## We keep the cleartext version around.
-##-------------------------------------------------------
-
-cat << END_OF_TEXT
-
-A clear-text version of the Tripwire policy file
-$TXT_POL
-has been preserved for your inspection. This implements
-a minimal policy, intended only to test essential
-Tripwire functionality. You should edit the policy file
-to describe your system, and then use twadmin to generate
-a new signed copy of the Tripwire policy.
-
-END_OF_TEXT
-
-# Initialize tripwire database
-/usr/sbin/tripwire --init --cfgfile $CONFIG_FILE --site-keyfile $SITE_KEY \
---local-passphrase $TW_LOCAL_PASS 2> /dev/null
-
-########################################################################
-########################################################################
-#
-# TRIPWIRE GPL NOTICES
-#
-# The developer of the original code and/or files is Tripwire, Inc.
-# Portions created by Tripwire, Inc. are copyright 2000 Tripwire, Inc.
-# Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.
-#
-# This program is free software. The contents of this file are subject to
-# the terms of the GNU General Public License as published by the Free
-# Software Foundation; either version 2 of the License, or (at your option)
-# any later version. You may redistribute it and/or modify it only in
-# compliance with the GNU General Public License.
-#
-# This program is distributed in the hope that it will be useful. However,
-# this program is distributed "AS-IS" WITHOUT ANY WARRANTY; INCLUDING THE
-# IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-# Please see the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-# Nothing in the GNU General Public License or any other license to use the
-# code or files shall permit you to use Tripwire's trademarks,
-# service marks, or other intellectual property without Tripwire's
-# prior written consent.
-#
-# If you have any questions, please contact Tripwire, Inc. at either
-# info@tripwire.org or www.tripwire.org.
-#
-########################################################################
-########################################################################
diff --git a/external/meta-security/recipes-security/tripwire/files/twpol-yocto.txt b/external/meta-security/recipes-security/tripwire/files/twpol-yocto.txt
deleted file mode 100644
index 65f5f750..00000000
--- a/external/meta-security/recipes-security/tripwire/files/twpol-yocto.txt
+++ /dev/null
@@ -1,1107 +0,0 @@
- ##############################################################################
- # ##
-############################################################################## #
-# # #
-# Generic Policy file # #
-# V1.2.0rh # #
-# August 9, 2001 # #
-# ##
-##############################################################################
-
-
- ##############################################################################
- # ##
-############################################################################## #
-# # #
-# This is the example Tripwire Policy file. It is intended as a place to # #
-# start creating your own custom Tripwire Policy file. Referring to it as # #
-# well as the Tripwire Policy Guide should give you enough information to # #
-# make a good custom Tripwire Policy file that better covers your # #
-# configuration and security needs. A text version of this policy file is # #
-# called twpol.txt. # #
-# # #
-# Note that this file is tuned to an 'everything' install of Red Hat Linux. # #
-# If run unmodified, this file should create no errors on database # #
-# creation, or violations on a subsiquent integrity check. However, it is # #
-# impossible for there to be one policy file for all machines, so this # #
-# existing one errs on the side of security. Your Linux configuration will # #
-# most likey differ from the one our policy file was tuned to, and will # #
-# therefore require some editing of the default Tripwire Policy file. # #
-# # #
-# The example policy file is best run with 'Loose Directory Checking' # #
-# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # #
-# file. # #
-# # #
-# Email support is not included and must be added to this file. # #
-# Add the 'emailto=' to the rule directive section of each rule (add a comma # #
-# after the 'severity=' line and add an 'emailto=' and include the email # #
-# addresses you want the violation reports to go to). Addresses are # #
-# semi-colon delimited. # #
-# ##
-##############################################################################
-
-
-
- ##############################################################################
- # ##
-############################################################################## #
-# # #
-# Global Variable Definitions # #
-# # #
-# These are defined at install time by the installation script. You may # #
-# Manually edit these if you are using this file directly and not from the # #
-# installation script itself. # #
-# ##
-##############################################################################
-
-@@section GLOBAL
-TWROOT=/usr/sbin;
-TWBIN=/usr/sbin;
-TWPOL="/etc/tripwire";
-TWDB="/var/lib/tripwire";
-TWSKEY="/etc/tripwire";
-TWLKEY="/etc/tripwire";
-TWREPORT="/var/lib/tripwire/report";
-HOSTNAME=localhost;
-
-@@section FS
-SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
-SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
-SEC_BIN = $(ReadOnly) ; # Binaries that should not change
-SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
-SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
-SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
-SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
-SIG_MED = 66 ; # Non-critical files that are of significant security impact
-SIG_HI = 100 ; # Critical files that are significant points of vulnerability
-
-
-# Tripwire Binaries
-(
- rulename = "Tripwire Binaries",
- severity = $(SIG_HI)
-)
-{
- $(TWBIN)/siggen -> $(SEC_BIN) ;
- $(TWBIN)/tripwire -> $(SEC_BIN) ;
- $(TWBIN)/twadmin -> $(SEC_BIN) ;
- $(TWBIN)/twprint -> $(SEC_BIN) ;
-}
-
-# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
-(
- rulename = "Tripwire Data Files",
- severity = $(SIG_HI)
-)
-{
- # NOTE: We remove the inode attribute because when Tripwire creates a backup,
- # it does so by renaming the old file and creating a new one (which will
- # have a new inode number). Inode is left turned on for keys, which shouldn't
- # ever change.
-
- # NOTE: The first integrity check triggers this rule and each integrity check
- # afterward triggers this rule until a database update is run, since the
- # database file does not exist before that point.
-
- $(TWDB) -> $(SEC_CONFIG) -i ;
- $(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
- $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
- $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
- $(TWSKEY)/site.key -> $(SEC_BIN) ;
-
- #don't scan the individual reports
- $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
-}
-
-
-# Tripwire HQ Connector Binaries
-#(
-# rulename = "Tripwire HQ Connector Binaries",
-# severity = $(SIG_HI)
-#)
-#{
-# $(TWBIN)/hqagent -> $(SEC_BIN) ;
-#}
-#
-# Tripwire HQ Connector - Configuration Files, Keys, and Logs
-
- ##############################################################################
- # ##
-############################################################################## #
-# # #
-# Note: File locations here are different than in a stock HQ Connector # #
-# installation. This is because Tripwire 2.3 uses a different path # #
-# structure than Tripwire 2.2.1. # #
-# # #
-# You may need to update your HQ Agent configuation file (or this policy # #
-# file) to correct the paths. We have attempted to support the FHS standard # #
-# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # #
-# places them. # #
-# ##
-##############################################################################
-
-#(
-# rulename = "Tripwire HQ Connector Data Files",
-# severity = $(SIG_HI)
-#)
-#{
-# #############################################################################
-# ##############################################################################
-# # NOTE: Removing the inode attribute because when Tripwire creates a backup ##
-# # it does so by renaming the old file and creating a new one (which will ##
-# # have a new inode number). Leaving inode turned on for keys, which ##
-# # shouldn't ever change. ##
-# #############################################################################
-#
-# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
-# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
-# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
-# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
-#
-# # Uncomment if you have agent logging enabled.
-# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
-#}
-
-
-
-# Commonly accessed directories that should remain static with regards to owner and group
-(
- rulename = "Invariant Directories",
- severity = $(SIG_MED)
-)
-{
- / -> $(SEC_INVARIANT) (recurse = 0) ;
- /home -> $(SEC_INVARIANT) (recurse = 0) ;
- /etc -> $(SEC_INVARIANT) (recurse = 0) ;
-}
- ################################################
- # ##
-################################################ #
-# # #
-# File System and Disk Administration Programs # #
-# ##
-################################################
-
-(
- rulename = "File System and Disk Administraton Programs",
- severity = $(SIG_HI)
-)
-{
- /sbin/accton -> $(SEC_CRIT) ;
- /sbin/badblocks -> $(SEC_CRIT) ;
- /sbin/busybox -> $(SEC_CRIT) ;
- /sbin/busybox.anaconda -> $(SEC_CRIT) ;
- /sbin/convertquota -> $(SEC_CRIT) ;
- /sbin/dosfsck -> $(SEC_CRIT) ;
- /sbin/debugfs -> $(SEC_CRIT) ;
- /sbin/debugreiserfs -> $(SEC_CRIT) ;
- /sbin/dumpe2fs -> $(SEC_CRIT) ;
- /sbin/dump -> $(SEC_CRIT) ;
- /sbin/dump.static -> $(SEC_CRIT) ;
- # /sbin/e2fsadm -> $(SEC_CRIT) ; tune2fs?
- /sbin/e2fsck -> $(SEC_CRIT) ;
- /sbin/e2label -> $(SEC_CRIT) ;
- /sbin/fdisk -> $(SEC_CRIT) ;
- /sbin/fsck -> $(SEC_CRIT) ;
- /sbin/fsck.ext2 -> $(SEC_CRIT) ;
- /sbin/fsck.ext3 -> $(SEC_CRIT) ;
- /sbin/fsck.minix -> $(SEC_CRIT) ;
- /sbin/fsck.msdos -> $(SEC_CRIT) ;
- /sbin/fsck.vfat -> $(SEC_CRIT) ;
- /sbin/ftl_check -> $(SEC_CRIT) ;
- /sbin/ftl_format -> $(SEC_CRIT) ;
- /sbin/hdparm -> $(SEC_CRIT) ;
- #/sbin/lvchange -> $(SEC_CRIT) ;
- #/sbin/lvcreate -> $(SEC_CRIT) ;
- #/sbin/lvdisplay -> $(SEC_CRIT) ;
- #/sbin/lvextend -> $(SEC_CRIT) ;
- #/sbin/lvmchange -> $(SEC_CRIT) ;
- #/sbin/lvmcreate_initrd -> $(SEC_CRIT) ;
- #/sbin/lvmdiskscan -> $(SEC_CRIT) ;
- #/sbin/lvmsadc -> $(SEC_CRIT) ;
- #/sbin/lvmsar -> $(SEC_CRIT) ;
- #/sbin/lvreduce -> $(SEC_CRIT) ;
- #/sbin/lvremove -> $(SEC_CRIT) ;
- #/sbin/lvrename -> $(SEC_CRIT) ;
- #/sbin/lvscan -> $(SEC_CRIT) ;
- /sbin/mkbootdisk -> $(SEC_CRIT) ;
- /sbin/mkdosfs -> $(SEC_CRIT) ;
- /sbin/mke2fs -> $(SEC_CRIT) ;
- /sbin/mkfs -> $(SEC_CRIT) ;
- /sbin/mkfs.bfs -> $(SEC_CRIT) ;
- /sbin/mkfs.ext2 -> $(SEC_CRIT) ;
- /sbin/mkfs.minix -> $(SEC_CRIT) ;
- /sbin/mkfs.msdos -> $(SEC_CRIT) ;
- /sbin/mkfs.vfat -> $(SEC_CRIT) ;
- /sbin/mkinitrd -> $(SEC_CRIT) ;
- #/sbin/mkpv -> $(SEC_CRIT) ;
- /sbin/mkraid -> $(SEC_CRIT) ;
- /sbin/mkreiserfs -> $(SEC_CRIT) ;
- /sbin/mkswap -> $(SEC_CRIT) ;
- #/sbin/mtx -> $(SEC_CRIT) ;
- /sbin/pam_console_apply -> $(SEC_CRIT) ;
- /sbin/parted -> $(SEC_CRIT) ;
- /sbin/pcinitrd -> $(SEC_CRIT) ;
- #/sbin/pvchange -> $(SEC_CRIT) ;
- #/sbin/pvcreate -> $(SEC_CRIT) ;
- #/sbin/pvdata -> $(SEC_CRIT) ;
- #/sbin/pvdisplay -> $(SEC_CRIT) ;
- #/sbin/pvmove -> $(SEC_CRIT) ;
- #/sbin/pvscan -> $(SEC_CRIT) ;
- /sbin/quotacheck -> $(SEC_CRIT) ;
- /sbin/quotaon -> $(SEC_CRIT) ;
- /sbin/raidstart -> $(SEC_CRIT) ;
- /sbin/reiserfsck -> $(SEC_CRIT) ;
- /sbin/resize2fs -> $(SEC_CRIT) ;
- /sbin/resize_reiserfs -> $(SEC_CRIT) ;
- /sbin/restore -> $(SEC_CRIT) ;
- /sbin/restore.static -> $(SEC_CRIT) ;
- /sbin/scsi_info -> $(SEC_CRIT) ;
- /sbin/sfdisk -> $(SEC_CRIT) ;
- /sbin/stinit -> $(SEC_CRIT) ;
- #/sbin/tapeinfo -> $(SEC_CRIT) ;
- /sbin/tune2fs -> $(SEC_CRIT) ;
- /sbin/unpack -> $(SEC_CRIT) ;
- /sbin/update -> $(SEC_CRIT) ;
- #/sbin/vgcfgbackup -> $(SEC_CRIT) ;
- #/sbin/vgcfgrestore -> $(SEC_CRIT) ;
- #/sbin/vgchange -> $(SEC_CRIT) ;
- #/sbin/vgck -> $(SEC_CRIT) ;
- #/sbin/vgcreate -> $(SEC_CRIT) ;
- #/sbin/vgdisplay -> $(SEC_CRIT) ;
- #/sbin/vgexport -> $(SEC_CRIT) ;
- #/sbin/vgextend -> $(SEC_CRIT) ;
- #/sbin/vgimport -> $(SEC_CRIT) ;
- #/sbin/vgmerge -> $(SEC_CRIT) ;
- #/sbin/vgmknodes -> $(SEC_CRIT) ;
- #/sbin/vgreduce -> $(SEC_CRIT) ;
- #/sbin/vgremove -> $(SEC_CRIT) ;
- #/sbin/vgrename -> $(SEC_CRIT) ;
- #/sbin/vgscan -> $(SEC_CRIT) ;
- #/sbin/vgsplit -> $(SEC_CRIT) ;
- /bin/chgrp -> $(SEC_CRIT) ;
- /bin/chmod -> $(SEC_CRIT) ;
- /bin/chown -> $(SEC_CRIT) ;
- /bin/cp -> $(SEC_CRIT) ;
- /bin/cpio -> $(SEC_CRIT) ;
- /bin/mount -> $(SEC_CRIT) ;
- /bin/umount -> $(SEC_CRIT) ;
- /bin/mkdir -> $(SEC_CRIT) ;
- /bin/mknod -> $(SEC_CRIT) ;
- /bin/mktemp -> $(SEC_CRIT) ;
- /bin/rm -> $(SEC_CRIT) ;
- /bin/rmdir -> $(SEC_CRIT) ;
- /bin/touch -> $(SEC_CRIT) ;
-}
-
- ##################################
- # ##
-################################## #
-# # #
-# Kernel Administration Programs # #
-# ##
-##################################
-
-(
- rulename = "Kernel Administration Programs",
- severity = $(SIG_HI)
-)
-{
- /sbin/adjtimex -> $(SEC_CRIT) ;
- /sbin/ctrlaltdel -> $(SEC_CRIT) ;
- /sbin/depmod -> $(SEC_CRIT) ;
- /sbin/insmod -> $(SEC_CRIT) ;
- /sbin/insmod.static -> $(SEC_CRIT) ;
- /sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ;
- /sbin/klogd -> $(SEC_CRIT) ;
- /sbin/ldconfig -> $(SEC_CRIT) ;
- /sbin/minilogd -> $(SEC_CRIT) ;
- /sbin/modinfo -> $(SEC_CRIT) ;
- #/sbin/nuactlun -> $(SEC_CRIT) ;
- #/sbin/nuscsitcpd -> $(SEC_CRIT) ;
- /sbin/pivot_root -> $(SEC_CRIT) ;
- /sbin/sndconfig -> $(SEC_CRIT) ;
- /sbin/sysctl -> $(SEC_CRIT) ;
-}
-
- #######################
- # ##
-####################### #
-# # #
-# Networking Programs # #
-# ##
-#######################
-
-(
- rulename = "Networking Programs",
- severity = $(SIG_HI)
-)
-{
- /etc/sysconfig/network-scripts/ifdown -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifdown-cipcb -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifdown-ippp -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifdown-ipv6 -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifdown-isdn -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifdown-post -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifdown-ppp -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifdown-sit -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifdown-sl -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifup -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifup-aliases -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifup-cipcb -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifup-ippp -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifup-ipv6 -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifup-isdn -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifup-plip -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifup-plusb -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifup-post -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifup-ppp -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifup-routes -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifup-sit -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifup-sl -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/ifup-wireless -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/network-functions -> $(SEC_CRIT) ;
- /etc/sysconfig/network-scripts/network-functions-ipv6 -> $(SEC_CRIT) ;
- /bin/ping -> $(SEC_CRIT) ;
- /sbin/agetty -> $(SEC_CRIT) ;
- /sbin/arp -> $(SEC_CRIT) ;
- /sbin/arping -> $(SEC_CRIT) ;
- /sbin/dhcpcd -> $(SEC_CRIT) ;
- /sbin/ether-wake -> $(SEC_CRIT) ;
- #/sbin/getty -> $(SEC_CRIT) ;
- /sbin/ifcfg -> $(SEC_CRIT) ;
- /sbin/ifconfig -> $(SEC_CRIT) ;
- /sbin/ifdown -> $(SEC_CRIT) ;
- /sbin/ifenslave -> $(SEC_CRIT) ;
- /sbin/ifport -> $(SEC_CRIT) ;
- /sbin/ifup -> $(SEC_CRIT) ;
- /sbin/ifuser -> $(SEC_CRIT) ;
- /sbin/ip -> $(SEC_CRIT) ;
- /sbin/ip6tables -> $(SEC_CRIT) ;
- /sbin/ipchains -> $(SEC_CRIT) ;
- /sbin/ipchains-restore -> $(SEC_CRIT) ;
- /sbin/ipchains-save -> $(SEC_CRIT) ;
- /sbin/ipfwadm -> $(SEC_CRIT) ;
- /sbin/ipmaddr -> $(SEC_CRIT) ;
- /sbin/iptables -> $(SEC_CRIT) ;
- /sbin/iptables-restore -> $(SEC_CRIT) ;
- /sbin/iptables-save -> $(SEC_CRIT) ;
- /sbin/iptunnel -> $(SEC_CRIT) ;
- #/sbin/ipvsadm -> $(SEC_CRIT) ;
- #/sbin/ipvsadm-restore -> $(SEC_CRIT) ;
- #/sbin/ipvsadm-save -> $(SEC_CRIT) ;
- /sbin/ipx_configure -> $(SEC_CRIT) ;
- /sbin/ipx_interface -> $(SEC_CRIT) ;
- /sbin/ipx_internal_net -> $(SEC_CRIT) ;
- /sbin/iwconfig -> $(SEC_CRIT) ;
- /sbin/iwgetid -> $(SEC_CRIT) ;
- /sbin/iwlist -> $(SEC_CRIT) ;
- /sbin/iwpriv -> $(SEC_CRIT) ;
- /sbin/iwspy -> $(SEC_CRIT) ;
- /sbin/mgetty -> $(SEC_CRIT) ;
- /sbin/mingetty -> $(SEC_CRIT) ;
- /sbin/nameif -> $(SEC_CRIT) ;
- /sbin/netreport -> $(SEC_CRIT) ;
- /sbin/plipconfig -> $(SEC_CRIT) ;
- /sbin/portmap -> $(SEC_CRIT) ;
- /sbin/ppp-watch -> $(SEC_CRIT) ;
- #/sbin/rarp -> $(SEC_CRIT) ;
- /sbin/route -> $(SEC_CRIT) ;
- /sbin/slattach -> $(SEC_CRIT) ;
- /sbin/tc -> $(SEC_CRIT) ;
- #/sbin/uugetty -> $(SEC_CRIT) ;
- /sbin/vgetty -> $(SEC_CRIT) ;
- /sbin/ypbind -> $(SEC_CRIT) ;
-}
-
- ##################################
- # ##
-################################## #
-# # #
-# System Administration Programs # #
-# ##
-##################################
-
-(
- rulename = "System Administration Programs",
- severity = $(SIG_HI)
-)
-{
- /sbin/chkconfig -> $(SEC_CRIT) ;
- /sbin/fuser -> $(SEC_CRIT) ;
- /sbin/halt -> $(SEC_CRIT) ;
- /sbin/init -> $(SEC_CRIT) ;
- /sbin/initlog -> $(SEC_CRIT) ;
- /sbin/install-info -> $(SEC_CRIT) ;
- /sbin/killall5 -> $(SEC_CRIT) ;
- #/sbin/linuxconf -> $(SEC_CRIT) ;
- #/sbin/linuxconf-auth -> $(SEC_CRIT) ;
- /sbin/pam_tally -> $(SEC_CRIT) ;
- /sbin/pwdb_chkpwd -> $(SEC_CRIT) ;
- #/sbin/remadmin -> $(SEC_CRIT) ;
- /sbin/rescuept -> $(SEC_CRIT) ;
- /sbin/rmt -> $(SEC_CRIT) ;
- /sbin/rpc.lockd -> $(SEC_CRIT) ;
- /sbin/rpc.statd -> $(SEC_CRIT) ;
- /sbin/rpcdebug -> $(SEC_CRIT) ;
- /sbin/service -> $(SEC_CRIT) ;
- /sbin/setsysfont -> $(SEC_CRIT) ;
- /sbin/shutdown -> $(SEC_CRIT) ;
- /sbin/sulogin -> $(SEC_CRIT) ;
- /sbin/swapon -> $(SEC_CRIT) ;
- /sbin/syslogd -> $(SEC_CRIT) ;
- /sbin/unix_chkpwd -> $(SEC_CRIT) ;
- /bin/pwd -> $(SEC_CRIT) ;
- /bin/uname -> $(SEC_CRIT) ;
-}
-
- ########################################
- # ##
-######################################## #
-# # #
-# Hardware and Device Control Programs # #
-# ##
-########################################
-(
- rulename = "Hardware and Device Control Programs",
- severity = $(SIG_HI)
-)
-{
- /bin/setserial -> $(SEC_CRIT) ;
- /bin/sfxload -> $(SEC_CRIT) ;
- /sbin/blockdev -> $(SEC_CRIT) ;
- /sbin/cardctl -> $(SEC_CRIT) ;
- /sbin/cardmgr -> $(SEC_CRIT) ;
- /sbin/cbq -> $(SEC_CRIT) ;
- /sbin/dump_cis -> $(SEC_CRIT) ;
- /sbin/elvtune -> $(SEC_CRIT) ;
- /sbin/hotplug -> $(SEC_CRIT) ;
- /sbin/hwclock -> $(SEC_CRIT) ;
- /sbin/ide_info -> $(SEC_CRIT) ;
- #/sbin/isapnp -> $(SEC_CRIT) ;
- /sbin/kbdrate -> $(SEC_CRIT) ;
- /sbin/losetup -> $(SEC_CRIT) ;
- /sbin/lspci -> $(SEC_CRIT) ;
- /sbin/lspnp -> $(SEC_CRIT) ;
- /sbin/mii-tool -> $(SEC_CRIT) ;
- /sbin/pack_cis -> $(SEC_CRIT) ;
- #/sbin/pnpdump -> $(SEC_CRIT) ;
- /sbin/probe -> $(SEC_CRIT) ;
- /sbin/pump -> $(SEC_CRIT) ;
- /sbin/setpci -> $(SEC_CRIT) ;
- /sbin/shapecfg -> $(SEC_CRIT) ;
-}
-
- ###############################
- # ##
-############################### #
-# # #
-# System Information Programs # #
-# ##
-###############################
-(
- rulename = "System Information Programs",
- severity = $(SIG_HI)
-)
-{
- /sbin/consoletype -> $(SEC_CRIT) ;
- /sbin/kernelversion -> $(SEC_CRIT) ;
- /sbin/runlevel -> $(SEC_CRIT) ;
-}
-
- ####################################
- # ##
-#################################### #
-# # #
-# Application Information Programs # #
-# ##
-####################################
-
-(
- rulename = "Application Information Programs",
- severity = $(SIG_HI)
-)
-{
- /sbin/genksyms -> $(SEC_CRIT) ;
- #/sbin/genksyms.old -> $(SEC_CRIT) ;
- /sbin/rtmon -> $(SEC_CRIT) ;
-}
-
- ##########################
- # ##
-########################## #
-# # #
-# Shell Related Programs # #
-# ##
-##########################
-(
- rulename = "Shell Related Programs",
- severity = $(SIG_HI)
-)
-{
- /sbin/getkey -> $(SEC_CRIT) ;
- /sbin/nash -> $(SEC_CRIT) ;
- /sbin/sash -> $(SEC_CRIT) ;
-}
-
-
- ################
- # ##
-################ #
-# # #
-# OS Utilities # #
-# ##
-################
-(
- rulename = "Operating System Utilities",
- severity = $(SIG_HI)
-)
-{
- /bin/arch -> $(SEC_CRIT) ;
- /bin/ash -> $(SEC_CRIT) ;
- /bin/ash.static -> $(SEC_CRIT) ;
- /bin/aumix-minimal -> $(SEC_CRIT) ;
- /bin/basename -> $(SEC_CRIT) ;
- /bin/cat -> $(SEC_CRIT) ;
- /bin/consolechars -> $(SEC_CRIT) ;
- /bin/cut -> $(SEC_CRIT) ;
- /bin/date -> $(SEC_CRIT) ;
- /bin/dd -> $(SEC_CRIT) ;
- /bin/df -> $(SEC_CRIT) ;
- /bin/dmesg -> $(SEC_CRIT) ;
- /bin/doexec -> $(SEC_CRIT) ;
- /bin/echo -> $(SEC_CRIT) ;
- /bin/ed -> $(SEC_CRIT) ;
- /bin/egrep -> $(SEC_CRIT) ;
- /bin/false -> $(SEC_CRIT) ;
- /bin/fgrep -> $(SEC_CRIT) ;
- /bin/gawk -> $(SEC_CRIT) ;
- /bin/gawk-3.1.0 -> $(SEC_CRIT) ;
- /bin/gettext -> $(SEC_CRIT) ;
- /bin/grep -> $(SEC_CRIT) ;
- /bin/gunzip -> $(SEC_CRIT) ;
- /bin/gzip -> $(SEC_CRIT) ;
- /bin/hostname -> $(SEC_CRIT) ;
- /bin/igawk -> $(SEC_CRIT) ;
- /bin/ipcalc -> $(SEC_CRIT) ;
- /bin/kill -> $(SEC_CRIT) ;
- /bin/ln -> $(SEC_CRIT) ;
- /bin/loadkeys -> $(SEC_CRIT) ;
- /bin/login -> $(SEC_CRIT) ;
- /bin/ls -> $(SEC_CRIT) ;
- /bin/mail -> $(SEC_CRIT) ;
- /bin/more -> $(SEC_CRIT) ;
- /bin/mt -> $(SEC_CRIT) ;
- /bin/mv -> $(SEC_CRIT) ;
- /bin/netstat -> $(SEC_CRIT) ;
- /bin/nice -> $(SEC_CRIT) ;
- /bin/pgawk -> $(SEC_CRIT) ;
- /bin/ps -> $(SEC_CRIT) ;
- /bin/rpm -> $(SEC_CRIT) ;
- /bin/sed -> $(SEC_CRIT) ;
- /bin/sleep -> $(SEC_CRIT) ;
- /bin/sort -> $(SEC_CRIT) ;
- /bin/stty -> $(SEC_CRIT) ;
- /bin/su -> $(SEC_CRIT) ;
- /bin/sync -> $(SEC_CRIT) ;
- /bin/tar -> $(SEC_CRIT) ;
- /bin/true -> $(SEC_CRIT) ;
- /bin/usleep -> $(SEC_CRIT) ;
- /bin/vi -> $(SEC_CRIT) ;
- /bin/zcat -> $(SEC_CRIT) ;
- /bin/zsh -> $(SEC_CRIT) ;
- #/bin/zsh-4.0.2 -> $(SEC_CRIT) ;
- /sbin/sln -> $(SEC_CRIT) ;
- /usr/bin/vimtutor -> $(SEC_CRIT) ;
-}
-
- ##############################
- # ##
-############################## #
-# # #
-# Critical Utility Sym-Links # #
-# ##
-##############################
-(
- rulename = "Critical Utility Sym-Links",
- severity = $(SIG_HI)
-)
-{
- #/sbin/askrunlevel -> $(SEC_CRIT) ;
- /sbin/clock -> $(SEC_CRIT) ;
- #/sbin/fixperm -> $(SEC_CRIT) ;
- /sbin/fsck.reiserfs -> $(SEC_CRIT) ;
- #/sbin/fsconf -> $(SEC_CRIT) ;
- /sbin/ipfwadm-wrapper -> $(SEC_CRIT) ;
- /sbin/kallsyms -> $(SEC_CRIT) ;
- /sbin/ksyms -> $(SEC_CRIT) ;
- /sbin/lsmod -> $(SEC_CRIT) ;
- #/sbin/mailconf -> $(SEC_CRIT) ;
- /sbin/mkfs.reiserfs -> $(SEC_CRIT) ;
- #/sbin/modemconf -> $(SEC_CRIT) ;
- /sbin/modprobe -> $(SEC_CRIT) ;
- /sbin/mount.ncp -> $(SEC_CRIT) ;
- /sbin/mount.ncpfs -> $(SEC_CRIT) ;
- /sbin/mount.smb -> $(SEC_CRIT) ;
- /sbin/mount.smbfs -> $(SEC_CRIT) ;
- #/sbin/netconf -> $(SEC_CRIT) ;
- /sbin/pidof -> $(SEC_CRIT) ;
- /sbin/poweroff -> $(SEC_CRIT) ;
- /sbin/quotaoff -> $(SEC_CRIT) ;
- /sbin/raid0run -> $(SEC_CRIT) ;
- /sbin/raidhotadd -> $(SEC_CRIT) ;
- /sbin/raidhotgenerateerror -> $(SEC_CRIT) ;
- /sbin/raidhotremove -> $(SEC_CRIT) ;
- /sbin/raidstop -> $(SEC_CRIT) ;
- /sbin/rdump -> $(SEC_CRIT) ;
- /sbin/rdump.static -> $(SEC_CRIT) ;
- /sbin/reboot -> $(SEC_CRIT) ;
- /sbin/rmmod -> $(SEC_CRIT) ;
- /sbin/rrestore -> $(SEC_CRIT) ;
- /sbin/rrestore.static -> $(SEC_CRIT) ;
- /sbin/swapoff -> $(SEC_CRIT) ;
- /sbin/telinit -> $(SEC_CRIT) ;
- #/sbin/userconf -> $(SEC_CRIT) ;
- #/sbin/uucpconf -> $(SEC_CRIT) ;
- #/sbin/vregistry -> $(SEC_CRIT) ;
- /bin/awk -> $(SEC_CRIT) ;
- /bin/bash2 -> $(SEC_CRIT) ;
- /bin/bsh -> $(SEC_CRIT) ;
- /bin/csh -> $(SEC_CRIT) ;
- /bin/dnsdomainname -> $(SEC_CRIT) ;
- /bin/domainname -> $(SEC_CRIT) ;
- /bin/ex -> $(SEC_CRIT) ;
- /bin/gtar -> $(SEC_CRIT) ;
- /bin/nisdomainname -> $(SEC_CRIT) ;
- /bin/red -> $(SEC_CRIT) ;
- /bin/rvi -> $(SEC_CRIT) ;
- /bin/rview -> $(SEC_CRIT) ;
- /bin/view -> $(SEC_CRIT) ;
- /bin/ypdomainname -> $(SEC_CRIT) ;
-}
-
-
- #########################
- # ##
-######################### #
-# # #
-# Temporary directories # #
-# ##
-#########################
-(
- rulename = "Temporary directories",
- recurse = false,
- severity = $(SIG_LOW)
-)
-{
- /usr/tmp -> $(SEC_INVARIANT) ;
- /var/tmp -> $(SEC_INVARIANT) ;
- /tmp -> $(SEC_INVARIANT) ;
-}
-
- ###############
- # ##
-############### #
-# # #
-# Local files # #
-# ##
-###############
-(
- rulename = "User binaries",
- severity = $(SIG_MED)
-)
-{
- /sbin -> $(SEC_BIN) (recurse = 1) ;
- /usr/bin -> $(SEC_BIN) (recurse = 1) ;
- /usr/sbin -> $(SEC_BIN) (recurse = 1) ;
- /usr/local/bin -> $(SEC_BIN) (recurse = 1) ;
-}
-
-(
- rulename = "Shell Binaries",
- severity = $(SIG_HI)
-)
-{
- /bin/bash -> $(SEC_BIN) ;
- /bin/ksh -> $(SEC_BIN) ;
- # /bin/psh -> $(SEC_BIN) ; # No longer used?
- # /bin/Rsh -> $(SEC_BIN) ; # No longer used?
- /bin/sh -> $(SEC_BIN) ;
- # /bin/shell -> $(SEC_SUID) ; # No longer used?
- # /bin/tsh -> $(SEC_BIN) ; # No longer used?
- /bin/tcsh -> $(SEC_BIN) ;
- /sbin/nologin -> $(SEC_BIN) ;
-}
-
-(
- rulename = "Security Control",
- severity = $(SIG_HI)
-)
-{
- /etc/group -> $(SEC_CRIT) ;
- /etc/security -> $(SEC_CRIT) ;
- #/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists
-}
-
-#(
-# rulename = "Boot Scripts",
-# severity = $(SIG_HI)
-#)
-#{
-# /etc/rc -> $(SEC_CONFIG) ;
-# /etc/rc.bsdnet -> $(SEC_CONFIG) ;
-# /etc/rc.dt -> $(SEC_CONFIG) ;
-# /etc/rc.net -> $(SEC_CONFIG) ;
-# /etc/rc.net.serial -> $(SEC_CONFIG) ;
-# /etc/rc.nfs -> $(SEC_CONFIG) ;
-# /etc/rc.powerfail -> $(SEC_CONFIG) ;
-# /etc/rc.tcpip -> $(SEC_CONFIG) ;
-# /etc/trcfmt.Z -> $(SEC_CONFIG) ;
-#}
-
-(
- rulename = "Login Scripts",
- severity = $(SIG_HI)
-)
-{
- /etc/bashrc -> $(SEC_CONFIG) ;
- /etc/csh.cshrc -> $(SEC_CONFIG) ;
- /etc/csh.login -> $(SEC_CONFIG) ;
- /etc/inputrc -> $(SEC_CONFIG) ;
- # /etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists
- /etc/profile -> $(SEC_CONFIG) ;
-}
-
-# Libraries
-(
- rulename = "Libraries",
- severity = $(SIG_MED)
-)
-{
- /usr/lib -> $(SEC_BIN) ;
- /usr/local/lib -> $(SEC_BIN) ;
-}
-
-
- ######################################################
- # ##
-###################################################### #
-# # #
-# Critical System Boot Files # #
-# These files are critical to a correct system boot. # #
-# ##
-######################################################
-
-(
- rulename = "Critical system boot files",
- severity = $(SIG_HI)
-)
-{
- /boot -> $(SEC_CRIT) ;
- #/sbin/devfsd -> $(SEC_CRIT) ;
- /sbin/grub -> $(SEC_CRIT) ;
- /sbin/grub-install -> $(SEC_CRIT) ;
- /sbin/grub-md5-crypt -> $(SEC_CRIT) ;
- /sbin/installkernel -> $(SEC_CRIT) ;
- /sbin/lilo -> $(SEC_CRIT) ;
- /sbin/mkkerneldoth -> $(SEC_CRIT) ;
- !/boot/System.map ;
- !/boot/module-info ;
- /usr/share/grub/i386-redhat/e2fs_stage1_5 -> $(SEC_CRIT) ;
- /usr/share/grub/i386-redhat/fat_stage1_5 -> $(SEC_CRIT) ;
- /usr/share/grub/i386-redhat/ffs_stage1_5 -> $(SEC_CRIT) ;
- /usr/share/grub/i386-redhat/minix_stage1_5 -> $(SEC_CRIT) ;
- /usr/share/grub/i386-redhat/reiserfs_stage1_5 -> $(SEC_CRIT) ;
- /usr/share/grub/i386-redhat/stage1 -> $(SEC_CRIT) ;
- /usr/share/grub/i386-redhat/stage2 -> $(SEC_CRIT) ;
- /usr/share/grub/i386-redhat/vstafs_stage1_5 -> $(SEC_CRIT) ;
- # other boot files may exist. Look for:
- #/ufsboot -> $(SEC_CRIT) ;
-}
- ##################################################
- ###################################################
- # These files change every time the system boots ##
- ##################################################
-(
- rulename = "System boot changes",
- severity = $(SIG_HI)
-)
-{
- !/var/run/ftp.pids-all ; # Comes and goes on reboot.
- !/root/.enlightenment ;
- /dev/log -> $(SEC_CONFIG) ;
- /dev/cua0 -> $(SEC_CONFIG) ;
- # /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device
- /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
- /dev/tty1 -> $(SEC_CONFIG) ; # tty devices
- /dev/tty2 -> $(SEC_CONFIG) ; # tty devices
- /dev/tty3 -> $(SEC_CONFIG) ; # are extremely
- /dev/tty4 -> $(SEC_CONFIG) ; # variable
- /dev/tty5 -> $(SEC_CONFIG) ;
- /dev/tty6 -> $(SEC_CONFIG) ;
- /dev/urandom -> $(SEC_CONFIG) ;
- /dev/initctl -> $(SEC_CONFIG) ;
- /var/lock/subsys -> $(SEC_CONFIG) ;
- #/var/lock/subsys/amd -> $(SEC_CONFIG) ;
- /var/lock/subsys/anacron -> $(SEC_CONFIG) ;
- /var/lock/subsys/apmd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/arpwatch -> $(SEC_CONFIG) ;
- /var/lock/subsys/atd -> $(SEC_CONFIG) ;
- /var/lock/subsys/autofs -> $(SEC_CONFIG) ;
- #/var/lock/subsys/bcm5820 -> $(SEC_CONFIG) ;
- #/var/lock/subsys/bgpd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/bootparamd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/canna -> $(SEC_CONFIG) ;
- /var/lock/subsys/crond -> $(SEC_CONFIG) ;
- #/var/lock/subsys/cWnn -> $(SEC_CONFIG) ;
- #/var/lock/subsys/dhcpd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/firewall -> $(SEC_CONFIG) ;
- #/var/lock/subsys/freeWnn -> $(SEC_CONFIG) ;
- #/var/lock/subsys/gated -> $(SEC_CONFIG) ;
- /var/lock/subsys/gpm -> $(SEC_CONFIG) ;
- #/var/lock/subsys/httpd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/identd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/innd -> $(SEC_CONFIG) ;
- /var/lock/subsys/ipchains -> $(SEC_CONFIG) ;
- #/var/lock/subsys/iptables -> $(SEC_CONFIG) ;
- #/var/lock/subsys/ipvsadm -> $(SEC_CONFIG) ;
- #/var/lock/subsys/irda -> $(SEC_CONFIG) ;
- #/var/lock/subsys/iscsi -> $(SEC_CONFIG) ;
- #/var/lock/subsys/isdn -> $(SEC_CONFIG) ;
- #/var/lock/subsys/junkbuster -> $(SEC_CONFIG) ;
- #/var/lock/subsys/kadmin -> $(SEC_CONFIG) ;
- /var/lock/subsys/keytable -> $(SEC_CONFIG) ;
- #/var/lock/subsys/kprop -> $(SEC_CONFIG) ;
- #/var/lock/subsys/krb524 -> $(SEC_CONFIG) ;
- #/var/lock/subsys/krb5kdc -> $(SEC_CONFIG) ;
- /var/lock/subsys/kudzu -> $(SEC_CONFIG) ;
- #/var/lock/subsys/kWnn -> $(SEC_CONFIG) ;
- #/var/lock/subsys/ldap -> $(SEC_CONFIG) ;
- #/var/lock/subsys/linuxconf -> $(SEC_CONFIG) ;
- #/var/lock/subsys/lpd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ;
- #/var/lock/subsys/mcserv -> $(SEC_CONFIG) ;
- #/var/lock/subsys/mysqld -> $(SEC_CONFIG) ;
- #/var/lock/subsys/named -> $(SEC_CONFIG) ;
- /var/lock/subsys/netfs -> $(SEC_CONFIG) ;
- /var/lock/subsys/network -> $(SEC_CONFIG) ;
- #/var/lock/subsys/nfs -> $(SEC_CONFIG) ;
- /var/lock/subsys/nfslock -> $(SEC_CONFIG) ;
- #/var/lock/subsys/nscd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/ntpd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/ospf6d -> $(SEC_CONFIG) ;
- #/var/lock/subsys/ospfd -> $(SEC_CONFIG) ;
- /var/lock/subsys/pcmcia -> $(SEC_CONFIG) ;
- /var/lock/subsys/portmap -> $(SEC_CONFIG) ;
- #/var/lock/subsys/postgresql -> $(SEC_CONFIG) ;
- #/var/lock/subsys/pxe -> $(SEC_CONFIG) ;
- #/var/lock/subsys/radvd -> $(SEC_CONFIG) ;
- /var/lock/subsys/random -> $(SEC_CONFIG) ;
- #/var/lock/subsys/rarpd -> $(SEC_CONFIG) ;
- /var/lock/subsys/reconfig -> $(SEC_CONFIG) ;
- /var/lock/subsys/rhnsd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/ripd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/ripngd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/routed -> $(SEC_CONFIG) ;
- #/var/lock/subsys/rstatd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/rusersd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/rwalld -> $(SEC_CONFIG) ;
- #/var/lock/subsys/rwhod -> $(SEC_CONFIG) ;
- /var/lock/subsys/sendmail -> $(SEC_CONFIG) ;
- #/var/lock/subsys/smb -> $(SEC_CONFIG) ;
- #/var/lock/subsys/snmpd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/squid -> $(SEC_CONFIG) ;
- /var/lock/subsys/sshd -> $(SEC_CONFIG) ;
- /var/lock/subsys/syslog -> $(SEC_CONFIG) ;
- #/var/lock/subsys/tux -> $(SEC_CONFIG) ;
- #/var/lock/subsys/tWnn -> $(SEC_CONFIG) ;
- #/var/lock/subsys/ups -> $(SEC_CONFIG) ;
- #/var/lock/subsys/vncserver -> $(SEC_CONFIG) ;
- #/var/lock/subsys/wine -> $(SEC_CONFIG) ;
- /var/lock/subsys/xfs -> $(SEC_CONFIG) ;
- /var/lock/subsys/xinetd -> $(SEC_CONFIG) ;
- /var/lock/subsys/ypbind -> $(SEC_CONFIG) ;
- #/var/lock/subsys/yppasswdd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/ypserv -> $(SEC_CONFIG) ;
- #/var/lock/subsys/ypxfrd -> $(SEC_CONFIG) ;
- #/var/lock/subsys/zebra -> $(SEC_CONFIG) ;
- /var/run -> $(SEC_CONFIG) ;
- /var/log -> $(SEC_CONFIG) ;
- /etc/ioctl.save -> $(SEC_CONFIG) ;
- /etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes
- /etc/issue -> $(SEC_CONFIG) ;
- /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
- /lib/modules -> $(SEC_CONFIG) ;
- /etc/.pwd.lock -> $(SEC_CONFIG) ;
- # /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists
-}
-
-# These files change the behavior of the root account
-(
- rulename = "Root config files",
- severity = 100
-)
-{
- /root -> $(SEC_CRIT) ; # Catch all additions to /root
- #/root/.Xresources -> $(SEC_CONFIG) ;
- /root/.bashrc -> $(SEC_CONFIG) ;
- /root/.bash_profile -> $(SEC_CONFIG) ;
- /root/.bash_logout -> $(SEC_CONFIG) ;
- /root/.cshrc -> $(SEC_CONFIG) ;
- /root/.tcshrc -> $(SEC_CONFIG) ;
- /root/Mail -> $(SEC_CONFIG) ;
- #/root/mail -> $(SEC_CONFIG) ;
- #/root/.amandahosts -> $(SEC_CONFIG) ;
- #/root/.addressbook.lu -> $(SEC_CONFIG) ;
- #/root/.addressbook -> $(SEC_CONFIG) ;
- /root/.bash_history -> $(SEC_CONFIG) ;
- /root/.elm -> $(SEC_CONFIG) ;
- #/root/.esd_auth -> $(SEC_CONFIG) ;
- /root/.gnome_private -> $(SEC_CONFIG) ;
- /root/.gnome-desktop -> $(SEC_CONFIG) ;
- /root/.gnome -> $(SEC_CONFIG) ;
- /root/.ICEauthority -> $(SEC_CONFIG) ;
- #/root/.mc -> $(SEC_CONFIG) ;
- #/root/.pinerc -> $(SEC_CONFIG) ;
- /root/.sawfish -> $(SEC_CONFIG) ;
- /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
- #/root/.xauth -> $(SEC_CONFIG) ;
- /root/.xsession-errors -> $(SEC_CONFIG) ;
-}
-
- ################################
- # ##
-################################ #
-# # #
-# Critical configuration files # #
-# ##
-################################
-(
- rulename = "Critical configuration files",
- severity = $(SIG_HI)
-)
-{
- #/etc/conf.linuxconf -> $(SEC_BIN) ;
- /etc/crontab -> $(SEC_BIN) ;
- /etc/cron.hourly -> $(SEC_BIN) ;
- /etc/cron.daily -> $(SEC_BIN) ;
- /etc/cron.weekly -> $(SEC_BIN) ;
- /etc/cron.monthly -> $(SEC_BIN) ;
- /etc/default -> $(SEC_BIN) ;
- /etc/fstab -> $(SEC_BIN) ;
- /etc/exports -> $(SEC_BIN) ;
- /etc/group- -> $(SEC_BIN) ; # changes should be infrequent
- /etc/host.conf -> $(SEC_BIN) ;
- /etc/hosts.allow -> $(SEC_BIN) ;
- /etc/hosts.deny -> $(SEC_BIN) ;
- /etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent
- /etc/protocols -> $(SEC_BIN) ;
- /etc/services -> $(SEC_BIN) ;
- /etc/rc.d/init.d -> $(SEC_BIN) ;
- /etc/rc.d -> $(SEC_BIN) ;
- /etc/mail.rc -> $(SEC_BIN) ;
- /etc/modules.conf -> $(SEC_BIN) ;
- /etc/motd -> $(SEC_BIN) ;
- /etc/named.conf -> $(SEC_BIN) ;
- /etc/passwd -> $(SEC_CONFIG) ;
- /etc/passwd- -> $(SEC_CONFIG) ;
- /etc/profile.d -> $(SEC_BIN) ;
- /var/lib/nfs/rmtab -> $(SEC_BIN) ;
- /usr/sbin/fixrmtab -> $(SEC_BIN) ;
- /etc/rpc -> $(SEC_BIN) ;
- /etc/sysconfig -> $(SEC_BIN) ;
- /etc/samba/smb.conf -> $(SEC_CONFIG) ;
- #/etc/gettydefs -> $(SEC_BIN) ;
- /etc/nsswitch.conf -> $(SEC_BIN) ;
- /etc/yp.conf -> $(SEC_BIN) ;
- /etc/hosts -> $(SEC_CONFIG) ;
- /etc/xinetd.conf -> $(SEC_CONFIG) ;
- /etc/inittab -> $(SEC_CONFIG) ;
- /etc/resolv.conf -> $(SEC_CONFIG) ;
- /etc/syslog.conf -> $(SEC_CONFIG) ;
-}
-
- ####################
- # ##
-#################### #
-# # #
-# Critical devices # #
-# ##
-####################
-(
- rulename = "Critical devices",
- severity = $(SIG_HI),
- recurse = false
-)
-{
- /dev/kmem -> $(Device) ;
- /dev/mem -> $(Device) ;
- /dev/null -> $(Device) ;
- /dev/zero -> $(Device) ;
- /proc/devices -> $(Device) ;
- /proc/net -> $(Device) ;
- /proc/sys -> $(Device) ;
- /proc/cpuinfo -> $(Device) ;
- /proc/modules -> $(Device) ;
- /proc/mounts -> $(Device) ;
- /proc/dma -> $(Device) ;
- /proc/filesystems -> $(Device) ;
- /proc/pci -> $(Device) ;
- /proc/interrupts -> $(Device) ;
- /proc/driver/rtc -> $(Device) ;
- /proc/ioports -> $(Device) ;
- #/proc/scsi -> $(Device) ;
- /proc/kcore -> $(Device) ;
- /proc/self -> $(Device) ;
- /proc/kmsg -> $(Device) ;
- /proc/stat -> $(Device) ;
- /proc/ksyms -> $(Device) ;
- /proc/loadavg -> $(Device) ;
- /proc/uptime -> $(Device) ;
- /proc/locks -> $(Device) ;
- /proc/version -> $(Device) ;
- /proc/mdstat -> $(Device) ;
- /proc/meminfo -> $(Device) ;
- /proc/cmdline -> $(Device) ;
- /proc/misc -> $(Device) ;
-}
-
-# Rest of critical system binaries
-(
- rulename = "OS executables and libraries",
- severity = $(SIG_HI)
-)
-{
- /bin -> $(SEC_BIN) ;
- /lib -> $(SEC_BIN) ;
-}
-
-#=============================================================================
-#
-# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
-# Inc. in the United States and other countries. All rights reserved.
-#
-# Linux is a registered trademark of Linus Torvalds.
-#
-# UNIX is a registered trademark of The Open Group.
-#
-#=============================================================================
-#
-# Permission is granted to make and distribute verbatim copies of this document
-# provided the copyright notice and this permission notice are preserved on all
-# copies.
-#
-# Permission is granted to copy and distribute modified versions of this
-# document under the conditions for verbatim copying, provided that the entire
-# resulting derived work is distributed under the terms of a permission notice
-# identical to this one.
-#
-# Permission is granted to copy and distribute translations of this document
-# into another language, under the above conditions for modified versions,
-# except that this permission notice may be stated in a translation approved by
-# Tripwire, Inc.
-#
-# DCM
-#
-# $Id: twpol-GENERIC.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $
-#
diff --git a/external/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb b/external/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb
deleted file mode 100644
index 59d1f35c..00000000
--- a/external/meta-security/recipes-security/tripwire/tripwire_2.4.3.6.bb
+++ /dev/null
@@ -1,73 +0,0 @@
-SUMMARY = "Tripwire: A system integrity assessment tool (IDS)"
-DESCRIPTION = "Open Source Tripwire® software is a security and data \
-integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems"
-HOMEPAGE="http://sourceforge.net/projects/tripwire"
-SECTION = "security Monitor/Admin"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://COPYING;md5=1c069be8dbbe48e89b580ab4ed86c127"
-
-SRCREV = "80db91b4c1ca4be9efafd2286e3b2ad32ba4c34c"
-
-SRC_URI = "\
- git://github.com/Tripwire/tripwire-open-source.git \
- file://tripwire.cron \
- file://tripwire.sh \
- file://tripwire.txt \
- file://twcfg.txt \
- file://twinstall.sh \
- file://twpol-yocto.txt \
- file://run-ptest \
- "
-
-S = "${WORKDIR}/git"
-
-inherit autotools-brokensep update-rc.d ptest
-
-INITSCRIPT_NAME = "tripwire"
-INITSCRIPT_PARAMS = "start 40 S ."
-TRIPWIRE_HOST = "${HOST_SYS}"
-TRIPWIRE_TARGET = "${TARGET_SYS}"
-
-CXXFLAGS += "-fno-strict-aliasing"
-EXTRA_OECONF = "--disable-openssl --enable-static --sysconfdir=/etc/tripwire"
-
-do_install () {
- install -d ${D}${libdir} ${D}${datadir} ${D}${base_libdir}
- install -d ${D}${sysconfdir} ${D}${mandir} ${D}${sbindir}
- install -d ${D}${sysconfdir}/${PN}
- install -d ${D}${localstatedir}/lib/${PN} ${D}${localstatedir}/lib/${BPN}/report
- install -d ${D}${mandir}/man4 ${D}${mandir}/man5 ${D}${mandir}/man8
- install -d ${D}${docdir}/${BPN} ${D}${docdir}/${BPN}/templates
- install -d ${D}${sysconfdir}/init.d
-
- install -m 0755 ${S}/bin/* ${D}${sbindir}
- install -m 0644 ${S}/lib/* ${D}${base_libdir}
- install -m 0644 ${S}/lib/* ${D}${localstatedir}/lib/${PN}
- install -m 0755 ${WORKDIR}/tripwire.cron ${D}${sysconfdir}
- install -m 0755 ${WORKDIR}/tripwire.sh ${D}${sysconfdir}/init.d/tripwire
- install -m 0755 ${WORKDIR}/twinstall.sh ${D}${sysconfdir}/${PN}
- install -m 0644 ${WORKDIR}/twpol-yocto.txt ${D}${sysconfdir}/${PN}/twpol.txt
- install -m 0644 ${WORKDIR}/twcfg.txt ${D}${sysconfdir}/${PN}
-
- install -m 0644 ${S}/man/man4/* ${D}${mandir}/man4
- install -m 0644 ${S}/man/man5/* ${D}${mandir}/man5
- install -m 0644 ${S}/man/man8/* ${D}${mandir}/man8
- install -m 0644 ${S}/policy/templates/* ${D}${docdir}/${BPN}/templates
- install -m 0644 ${S}/policy/*txt ${D}${docdir}/${BPN}
- install -m 0644 ${S}/COPYING ${D}${docdir}/${BPN}
- install -m 0644 ${S}/TRADEMARK ${D}${docdir}/${BPN}
- install -m 0644 ${WORKDIR}/tripwire.txt ${D}${docdir}/${BPN}
-}
-
-do_install_ptest_append () {
- install -d ${D}${PTEST_PATH}/tests
- cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH}
-}
-
-FILES_${PN} += "${libdir} ${docdir}/${PN}/*"
-FILES_${PN}-dbg += "${sysconfdir}/${PN}/.debug"
-FILES_${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a"
-FILES_${PN}-ptest += "${PTEST_PATH}/tests "
-
-RDEPENDS_${PN} += " perl nano msmtp cronie"
-RDEPENDS_${PN}-ptest = " perl lib-perl"
diff --git a/external/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch b/external/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch
deleted file mode 100644
index 1cec47fc..00000000
--- a/external/meta-security/recipes-security/xmlsec1/xmlsec1/change-finding-path-of-nss.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-From c1c980a95d85bcaf8802524d6148783522b300d7 Mon Sep 17 00:00:00 2001
-From: Yulong Pei <Yulong.pei@windriver.com>
-Date: Wed, 21 Jul 2010 22:33:43 +0800
-Subject: [PATCH] change finding path of nss and nspr
-
-Upstream-Status: Pending
-
-Signed-off-by: Yulong Pei <Yulong.pei@windriver.com>
-Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- configure.ac | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 951b3eb..1fdeb0f 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -866,10 +866,10 @@ MOZILLA_MIN_VERSION="1.4"
- NSS_CRYPTO_LIB="$XMLSEC_PACKAGE-nss"
- NSPR_PACKAGE=mozilla-nspr
- NSS_PACKAGE=mozilla-nss
--NSPR_INCLUDE_MARKER="nspr/nspr.h"
-+NSPR_INCLUDE_MARKER="nspr.h"
- NSPR_LIB_MARKER="libnspr4$shrext"
- NSPR_LIBS_LIST="-lnspr4 -lplds4 -lplc4"
--NSS_INCLUDE_MARKER="nss/nss.h"
-+NSS_INCLUDE_MARKER="nss3/nss.h"
- NSS_LIB_MARKER="libnss3$shrext"
- NSS_LIBS_LIST="-lnss3 -lsmime3"
-
-@@ -898,24 +898,24 @@ fi
- dnl Priority 1: User specifies the path to installation
- if test "z$NSPR_FOUND" = "zno" -a "z$with_nspr" != "z" -a "z$with_nspr" != "zyes" ; then
- AC_MSG_CHECKING(for nspr library installation in "$with_nspr" folder)
-- if test -f "$with_nspr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/lib/$NSPR_LIB_MARKER" ; then
-- NSPR_INCLUDE_PATH="$with_nspr/include"
-- NSPR_LIB_PATH="$with_nspr/lib"
-+ if test -f "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" -a -f "$with_nspr/${libdir}/$NSPR_LIB_MARKER" ; then
-+ NSPR_INCLUDE_PATH="$with_nspr/usr/include"
-+ NSPR_LIB_PATH="$with_nspr/${libdir}"
- NSPR_FOUND="yes"
- AC_MSG_RESULT([yes])
- else
-- AC_MSG_ERROR([not found: "$with_nspr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/lib/$NSPR_LIB_MARKER" files don't exist), typo?])
-+ AC_MSG_ERROR([not found: "$with_nspr/usr/include/$NSPR_INCLUDE_MARKER" and/or "$with_nspr/${libdir}/$NSPR_LIB_MARKER" files don't exist), typo?])
- fi
- fi
- if test "z$NSS_FOUND" = "zno" -a "z$with_nss" != "z" -a "z$with_nss" != "zyes" ; then
- AC_MSG_CHECKING(for nss library installation in "$with_nss" folder)
-- if test -f "$with_nss/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/lib/$NSS_LIB_MARKER" ; then
-- NSS_INCLUDE_PATH="$with_nss/include"
-- NSS_LIB_PATH="$with_nss/lib"
-+ if test -f "$with_nss/usr/include/$NSS_INCLUDE_MARKER" -a -f "$with_nss/${libdir}/$NSS_LIB_MARKER" ; then
-+ NSS_INCLUDE_PATH="$with_nss/usr/include/nss3"
-+ NSS_LIB_PATH="$with_nss/${libdir}"
- NSS_FOUND="yes"
- AC_MSG_RESULT([yes])
- else
-- AC_MSG_ERROR([not found: "$with_nss/include/$NSS_INCLUDE_MARKER" and/or "$with_nss/lib/$NSS_LIB_MARKER" files don't exist), typo?])
-+ AC_MSG_ERROR([not found: "$with_nss/usr/include/$NSS_INCLUDE_MARKER" and/or "$with_nss/${libdir}/$NSS_LIB_MARKER" files don't exist), typo?])
- fi
- fi
-
---
-2.7.4
-
diff --git a/external/meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch b/external/meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch
deleted file mode 100644
index af598fe7..00000000
--- a/external/meta-security/recipes-security/xmlsec1/xmlsec1/fix-ltmain.sh.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 847dc52f5a50e34ee4d6e3dc2c708711747a58ca Mon Sep 17 00:00:00 2001
-From: Yulong Pei <Yulong.pei@windriver.com>
-Date: Thu, 21 Jan 2010 14:11:20 +0800
-Subject: [PATCH] force to use our own libtool
-
-Upstream-Status: Inappropriate [ OE specific ]
-
-Signed-off-by: Yulong Pei <Yulong.pei@windriver.com>
-
----
- ltmain.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ltmain.sh b/ltmain.sh
-index 147d758..a61f16b 100644
---- a/ltmain.sh
-+++ b/ltmain.sh
-@@ -6969,7 +6969,7 @@ func_mode_link ()
- dir=$func_resolve_sysroot_result
- # We need an absolute path.
- case $dir in
-- [\\/]* | [A-Za-z]:[\\/]*) ;;
-+ =* | [\\/]* | [A-Za-z]:[\\/]*) ;;
- *)
- absdir=`cd "$dir" && pwd`
- test -z "$absdir" && \
diff --git a/external/meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch b/external/meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch
deleted file mode 100644
index d4535692..00000000
--- a/external/meta-security/recipes-security/xmlsec1/xmlsec1/makefile-ptest.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 83a1381e1d6bd1b5ec3df6f7c4bc1f4fe4f860b6 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Thu, 15 Jun 2017 14:44:01 +0800
-Subject: [PATCH] xmlsec1: add new recipe
-
-This enables the building of the examples directory
-and it's installed as ptest.
-
-Upstream-Status: Inappropriate [ OE ptest specific ]
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-
----
- examples/Makefile | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/examples/Makefile b/examples/Makefile
-index 89b1d61..c1cbcca 100644
---- a/examples/Makefile
-+++ b/examples/Makefile
-@@ -8,9 +8,17 @@ PROGRAMS = \
- decrypt1 decrypt2 decrypt3 \
- xmldsigverify
-
-+ifndef CC
- CC = gcc
--CFLAGS += -g $(shell xmlsec1-config --cflags) -DUNIX_SOCKETS
--LDLIBS += -g $(shell xmlsec1-config --libs)
-+endif
-+
-+CFLAGS += -I../include -g $(shell PKG_CONFIG_PATH=.. pkg-config --cflags xmlsec1 ) -DUNIX_SOCKETS
-+LDLIBS += -L../src/.libs -g $(shell PKG_CONFIG_PATH=.. pkg-config --libs xmlsec1 )
-+
-+DESTDIR = /usr/share/xmlsec1
-+install-ptest:
-+ if [ ! -d $(DESTDIR) ]; then mkdir -p $(DESTDIR); fi
-+ cp * $(DESTDIR)
-
- all: $(PROGRAMS)
-
diff --git a/external/meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest b/external/meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest
deleted file mode 100755
index a203c38f..00000000
--- a/external/meta-security/recipes-security/xmlsec1/xmlsec1/run-ptest
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/bin/sh
-
-check_return() {
- if [ $? == 0 ]; then
- echo -e "PASS: $1\n"
- else
- echo -e "FAIL: $1\n"
- fi
-}
-
-echo "---------------------------------------------------"
-echo "Signing a template file..."
-./sign1 sign1-tmpl.xml rsakey.pem > sign1-res.xml
-./verify1 sign1-res.xml rsapub.pem
-check_return sign-tmpl
-
-echo "---------------------------------------------------"
-echo "Signing a dynamicaly created template..."
-./sign2 sign2-doc.xml rsakey.pem > sign2-res.xml
-./verify1 sign2-res.xml rsapub.pem
-check_return sign-dynamic-templ
-
-echo "---------------------------------------------------"
-echo "Signing with X509 certificate..."
-./sign3 sign3-doc.xml rsakey.pem rsacert.pem > sign3-res.xml
-./verify3 sign3-res.xml ca2cert.pem cacert.pem
-check_return sign-x509
-
-echo "---------------------------------------------------"
-echo "Verifying a signature with a single key..."
-./verify1 sign1-res.xml rsapub.pem
-./verify1 sign2-res.xml rsapub.pem
-check_return verify-single-key
-
-echo "---------------------------------------------------"
-echo "Verifying a signature with keys manager..."
-./verify2 sign1-res.xml rsapub.pem
-./verify2 sign2-res.xml rsapub.pem
-check_return verify-keys-manager
-
-echo "---------------------------------------------------"
-echo "Verifying a signature with X509 certificates..."
-./verify3 sign3-res.xml ca2cert.pem cacert.pem
-check_return verify-x509
-
-echo "---------------------------------------------------"
-echo "Verifying a signature with additional restrictions..."
-./verify4 verify4-res.xml ca2cert.pem cacert.pem
-check_return verify-res
-
-echo "---------------------------------------------------"
-echo "Encrypting data with a template file..."
-./encrypt1 encrypt1-tmpl.xml deskey.bin > encrypt1-res.xml
-./decrypt1 encrypt1-res.xml deskey.bin
-check_return encrypt-tmpl
-
-echo "---------------------------------------------------"
-echo "Encrypting data with a dynamicaly created template..."
-./encrypt2 encrypt2-doc.xml deskey.bin > encrypt2-res.xml
-./decrypt1 encrypt2-res.xml deskey.bin
-check_return encrypt-dynamic-tmpl
-
-echo "---------------------------------------------------"
-echo "Encrypting data with a session key..."
-./encrypt3 encrypt3-doc.xml rsakey.pem > encrypt3-res.xml
-./decrypt3 encrypt3-res.xml
-check_return encrypt-session-key
-
-echo "---------------------------------------------------"
-echo "Decrypting data with a single key..."
-./decrypt1 encrypt1-res.xml deskey.bin
-./decrypt1 encrypt2-res.xml deskey.bin
-check_return encrypt-single-key
-
-echo "---------------------------------------------------"
-echo "Decrypting data with keys manager..."
-./decrypt2 encrypt1-res.xml deskey.bin
-./decrypt2 encrypt2-res.xml deskey.bin
-check_return encrypt-keys-manager
-
-echo "---------------------------------------------------"
-echo "Writing a custom keys manager..."
-./decrypt3 encrypt1-res.xml
-./decrypt3 encrypt2-res.xml
-check_return write-keys-manager
diff --git a/external/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch b/external/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch
deleted file mode 100644
index 8b2533ed..00000000
--- a/external/meta-security/recipes-security/xmlsec1/xmlsec1/xmlsec1-examples-allow-build-in-separate-dir.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 0c38c6864e7ba8f53a657d87894f24374a6a4932 Mon Sep 17 00:00:00 2001
-From: Jackie Huang <jackie.huang@windriver.com>
-Date: Tue, 30 Dec 2014 11:18:17 +0800
-Subject: [PATCH] examples: allow build in separate dir
-
-Upstream-Status: Inappropriate [ OE specific ]
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-
----
- examples/Makefile | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/examples/Makefile b/examples/Makefile
-index c1cbcca..3f1bd14 100644
---- a/examples/Makefile
-+++ b/examples/Makefile
-@@ -12,8 +12,10 @@ ifndef CC
- CC = gcc
- endif
-
--CFLAGS += -I../include -g $(shell PKG_CONFIG_PATH=.. pkg-config --cflags xmlsec1 ) -DUNIX_SOCKETS
--LDLIBS += -L../src/.libs -g $(shell PKG_CONFIG_PATH=.. pkg-config --libs xmlsec1 )
-+top_srcdir = ..
-+top_builddir = ..
-+CFLAGS += -I$(top_srcdir)/include -g $(shell PKG_CONFIG_PATH=$(top_srcdir) pkg-config --cflags xmlsec1 ) -DUNIX_SOCKETS
-+LDLIBS += -L$(top_builddir)/src/.libs -g $(shell PKG_CONFIG_PATH=$(top_srcdir) pkg-config --libs xmlsec1 )
-
- DESTDIR = /usr/share/xmlsec1
- install-ptest:
diff --git a/external/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb b/external/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb
deleted file mode 100644
index 2dbbf331..00000000
--- a/external/meta-security/recipes-security/xmlsec1/xmlsec1_1.2.26.bb
+++ /dev/null
@@ -1,56 +0,0 @@
-SUMMARY = "XML Security Library is a C library based on LibXML2"
-DESCRIPTION = "\
- XML Security Library is a C library based on \
- LibXML2 and OpenSSL. The library was created with a goal to support major \
- XML security standards "XML Digital Signature" and "XML Encryption". \
- "
-HOMEPAGE = "http://www.aleksey.com/xmlsec/"
-DEPENDS = "libtool libxml2 libxslt openssl zlib libgcrypt gnutls nss nspr libgpg-error"
-
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://COPYING;md5=352791d62092ea8104f085042de7f4d0"
-
-SECTION = "libs"
-
-SRC_URI = "http://www.aleksey.com/xmlsec/download/${BP}.tar.gz \
- file://fix-ltmain.sh.patch \
- file://change-finding-path-of-nss.patch \
- file://makefile-ptest.patch \
- file://xmlsec1-examples-allow-build-in-separate-dir.patch \
- file://run-ptest \
- "
-
-SRC_URI[md5sum] = "9c4aaf9ff615a73921b9e3bf4988d878"
-SRC_URI[sha256sum] = "8d8276c9c720ca42a3b0023df8b7ae41a2d6c5f9aa8d20ed1672d84cc8982d50"
-
-inherit autotools-brokensep ptest pkgconfig
-
-CFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
-CPPFLAGS += "-I${STAGING_INCDIR}/nspr4 -I${STAGING_INCDIR}/nss3"
-
-EXTRA_OECONF = "\
- --with-nss=${STAGING_LIBDIR}/../.. --with-nspr=${STAGING_LIBDIR}/../.. \
- "
-
-FILES_${PN}-dev += "${libdir}/xmlsec1Conf.sh"
-FILES_${PN}-dbg += "${PTEST_PATH}/.debug/*"
-
-RDEPENDS_${PN}-ptest += "${PN}-dev"
-INSANE_SKIP_${PN}-ptest += "dev-deps"
-
-PTEST_EXTRA_ARGS = "top_srcdir=${S} top_builddir=${B}"
-
-do_compile_ptest () {
- oe_runmake -C ${S}/examples ${PTEST_EXTRA_ARGS} all
-}
-
-do_install_append() {
- for i in ${bindir}/xmlsec1-config ${libdir}/xmlsec1Conf.sh \
- ${libdir}/pkgconfig/xmlsec1-openssl.pc; do
- sed -i -e "s@${RECIPE_SYSROOT}@@g" ${D}$i
- done
-}
-
-do_install_ptest () {
- oe_runmake -C ${S}/examples DESTDIR=${D}${PTEST_PATH} ${PTEST_EXTRA_ARGS} install-ptest
-}