diff options
| author | Andrei Dinu <andrei.adrianx.dinu@intel.com> | 2013-07-24 16:43:29 +0300 |
|---|---|---|
| committer | Andrei Dinu <andrei.adrianx.dinu@intel.com> | 2013-07-24 16:52:28 +0300 |
| commit | a1af92a7edaa4d9032f7a40a6c5002e1080c974c (patch) | |
| tree | 74350d38209e7ec634c6164c750971f38bc269f9 | |
| parent | e1a1986d8e2bb67e81c6318cab22b385a853d53d (diff) | |
| download | meta-security-redhat-security_fix.tar.gz | |
Fixed the issues that prevented redhat-security toolsredhat-security_fix
to run correctly.
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
| -rw-r--r-- | README | 4 | ||||
| -rw-r--r-- | recipes-security/redhat-security/files/find-elf4tmp.sh | 8 | ||||
| -rw-r--r-- | recipes-security/redhat-security/files/rpm-chksec.sh | 2 | ||||
| -rw-r--r-- | recipes-security/redhat-security/redhat-security_1.0.bb | 2 |
4 files changed, 10 insertions, 6 deletions
| @@ -73,6 +73,10 @@ help for each package. | |||
| 73 | In this mode it will only give a summary result for the package. To find which files don't comply, | 73 | In this mode it will only give a summary result for the package. To find which files don't comply, |
| 74 | re-run using just the package name. | 74 | re-run using just the package name. |
| 75 | 75 | ||
| 76 | !!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines: | ||
| 77 | IMAGE_ROOTFS_EXTRA_SPACE = "" - specifying the extra space of the image | ||
| 78 | IMAGE_FEATURES += "package management" - for the correct output of rpm -qa | ||
| 79 | |||
| 76 | - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID | 80 | - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID |
| 77 | and GID without also calling setgroups or initgroups. | 81 | and GID without also calling setgroups or initgroups. |
| 78 | 82 | ||
diff --git a/recipes-security/redhat-security/files/find-elf4tmp.sh b/recipes-security/redhat-security/files/find-elf4tmp.sh index 8f39baa..3118a70 100644 --- a/recipes-security/redhat-security/files/find-elf4tmp.sh +++ b/recipes-security/redhat-security/files/find-elf4tmp.sh | |||
| @@ -19,7 +19,7 @@ if [ $# -ge 2 ] ; then | |||
| 19 | echo "Usage: find_elf4tmp [directory]" 1>&2 | 19 | echo "Usage: find_elf4tmp [directory]" 1>&2 |
| 20 | exit 1 | 20 | exit 1 |
| 21 | fi | 21 | fi |
| 22 | if [ ! -x /usr/bin/eu-strings ] ; then | 22 | if [ ! -x /usr/bin/strings ] ; then |
| 23 | echo "Skipping due to missing /usr/bin/eu-strings utility" | 23 | echo "Skipping due to missing /usr/bin/eu-strings utility" |
| 24 | exit 1 | 24 | exit 1 |
| 25 | fi | 25 | fi |
| @@ -49,7 +49,7 @@ do | |||
| 49 | # Get just the elf executables | 49 | # Get just the elf executables |
| 50 | testf=`echo $f | /usr/bin/file -n -f - 2>/dev/null | grep ELF` | 50 | testf=`echo $f | /usr/bin/file -n -f - 2>/dev/null | grep ELF` |
| 51 | if [ x"$testf" != "x" ] ; then | 51 | if [ x"$testf" != "x" ] ; then |
| 52 | test_res=`/usr/bin/eu-strings $f | /bin/grep '/tmp/' | /bin/egrep -v 'XX|/tmp/$|[ .,:]/tmp/'` | 52 | test_res=`/usr/bin/strings $f | /bin/grep '/tmp/' | /bin/egrep -v 'XX|/tmp/$|[ .,:]/tmp/'` |
| 53 | if [ x"$test_res" = "x" ] ; then | 53 | if [ x"$test_res" = "x" ] ; then |
| 54 | continue | 54 | continue |
| 55 | fi | 55 | fi |
| @@ -64,13 +64,13 @@ do | |||
| 64 | FOUND=1 | 64 | FOUND=1 |
| 65 | 65 | ||
| 66 | # Get the package | 66 | # Get the package |
| 67 | RPM=`/bin/rpm -qf --queryformat "%{NAME}-%{VERSION}" $f 2>/dev/null | /bin/grep -v 'not owned' | /bin/sort | /usr/bin/uniq` | 67 | RPM=`/bin/rpm -qf --queryformat "%{NAME}-%{VERSION}" $f 2>/dev/null | /bin/grep -v 'not owned' | /usr/bin/sort | /usr/bin/uniq` |
| 68 | if [ x"$RPM" = "x" ] ; then | 68 | if [ x"$RPM" = "x" ] ; then |
| 69 | RPM="<unowned>" | 69 | RPM="<unowned>" |
| 70 | fi | 70 | fi |
| 71 | 71 | ||
| 72 | # For each tmp string, output the line | 72 | # For each tmp string, output the line |
| 73 | echo $test_res | /usr/bin/tr '\b' '\n' | /bin/awk 'NF >= 1 { printf "%-46s\t%-30s\t%s\n", f, r, $1 }' r=$RPM f=$f | 73 | echo $test_res | /usr/bin/tr '\b' '\n' | /usr/bin/awk 'NF >= 1 { printf "%-46s\t%-30s\t%s\n", f, r, $1 }' r=$RPM f=$f |
| 74 | fi | 74 | fi |
| 75 | done | 75 | done |
| 76 | done | 76 | done |
diff --git a/recipes-security/redhat-security/files/rpm-chksec.sh b/recipes-security/redhat-security/files/rpm-chksec.sh index 983c218..a0e8bb1 100644 --- a/recipes-security/redhat-security/files/rpm-chksec.sh +++ b/recipes-security/redhat-security/files/rpm-chksec.sh | |||
| @@ -242,7 +242,7 @@ if [ "$MODE" = "single" ] ; then | |||
| 242 | fi | 242 | fi |
| 243 | 243 | ||
| 244 | # Skip the kernel as its special | 244 | # Skip the kernel as its special |
| 245 | packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | egrep -v 'kernel.|debuginfo.|.noarch|gpg-pubkey' | sort` | 245 | packages=`rpm -qa | egrep -v 'kernel.|debuginfo.|.noarch|gpg-pubkey' | sort` |
| 246 | printf "%-50s %-5s %-4s %-14s" "PACKAGE" "RELRO" "PIE" "CLASS" | 246 | printf "%-50s %-5s %-4s %-14s" "PACKAGE" "RELRO" "PIE" "CLASS" |
| 247 | echo | 247 | echo |
| 248 | for p in $packages | 248 | for p in $packages |
diff --git a/recipes-security/redhat-security/redhat-security_1.0.bb b/recipes-security/redhat-security/redhat-security_1.0.bb index 134cefe..5f92696 100644 --- a/recipes-security/redhat-security/redhat-security_1.0.bb +++ b/recipes-security/redhat-security/redhat-security_1.0.bb | |||
| @@ -5,7 +5,7 @@ LICENSE = "GPLv2" | |||
| 5 | LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" | 5 | LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6" |
| 6 | PR = "r0" | 6 | PR = "r0" |
| 7 | 7 | ||
| 8 | RDEPENDS_${PN} = "file" | 8 | RDEPENDS_${PN} = "file libcap-ng rpm rpmresolve procps findutils" |
| 9 | 9 | ||
| 10 | SRC_URI = "file://find-chroot-py.sh \ | 10 | SRC_URI = "file://find-chroot-py.sh \ |
| 11 | file://find-chroot.sh \ | 11 | file://find-chroot.sh \ |