authorAndrei Dinu <andrei.adrianx.dinu@intel.com>2013-06-17 17:24:38 +0300
committerAndrei Dinu <andrei.adrianx.dinu@intel.com>2013-06-17 17:24:38 +0300
commit60d90b25631471e8193b3069c6a520ccf7c82008 (patch)
treee413ea3904059ff52a4539aeff358518fa0ae327 /recipes-security/redhat-security
downloadmeta-security-60d90b25631471e8193b3069c6a520ccf7c82008.tar.gz
meta-security : initial commit
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
Diffstat (limited to 'recipes-security/redhat-security')
-rw-r--r--recipes-security/redhat-security/files/find-chroot-py.sh96
-rw-r--r--recipes-security/redhat-security/files/find-chroot.sh93
-rw-r--r--recipes-security/redhat-security/files/find-elf4tmp.sh84
-rw-r--r--recipes-security/redhat-security/files/find-execstack.sh72
-rw-r--r--recipes-security/redhat-security/files/find-hidden-exec.sh21
-rw-r--r--recipes-security/redhat-security/files/find-nodrop-groups.sh85
-rw-r--r--recipes-security/redhat-security/files/find-sh4errors.sh132
-rw-r--r--recipes-security/redhat-security/files/find-sh4tmp.sh116
-rw-r--r--recipes-security/redhat-security/files/lib-bin-check.sh31
-rw-r--r--recipes-security/redhat-security/files/rpm-chksec.sh279
-rw-r--r--recipes-security/redhat-security/files/rpm-drop-groups.sh131
-rw-r--r--recipes-security/redhat-security/files/selinux-check-devices.sh12
-rw-r--r--recipes-security/redhat-security/files/selinux-ls-unconfined.sh19
-rw-r--r--recipes-security/redhat-security/redhat-security_1.0.bb38
14 files changed, 1209 insertions, 0 deletions
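--- /dev/null
+++ b/recipes-security/redhat-security/files/find-chroot-py.sh
@@ -0,0 +1,96 @@
+#!/bin/sh
+#
+# find-chroot-py utility
+# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for python apps that use chroot(2) without using chdir(2)
+#
+# To save to file: ./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt
+
+libdirs="/lib /lib64 /usr/lib /usr/lib64"
+progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
+FOUND=0
+
+# First param is which list to use, second is search pattern
+scan () {
+if [ "$1" = "1" ] ; then
+ dirs=$libdirs
+elif [ "$1" = "2" ] ; then
+ dirs=$progdirs
+elif [ "$1" = "3" ] ; then
+ dirs=$3
+fi
+
+for d in $dirs ; do
+ if [ ! -d $d ] ; then
+ continue
+ fi
+ files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
+ for f in $files
+ do
+ if [ "$1" = "2" ] ; then
+ testf=`/usr/bin/file $f | egrep 'ython'`
+ if [ x"$testf" = "x" ] ; then
+ continue
+ fi
+ fi
+ syms=`egrep ' os.chroot' $f`
+ if [ x"$syms" != "x" ] ; then
+ syms=`egrep ' os.chdir' $f`
+ if [ x"$syms" = "x" ] ; then
+ if [ $FOUND = 0 ] ; then
+ printf "%-44s%s\n" "FILE" " PACKAGE"
+ FOUND=1
+ fi
+ # Red
+ printf "\033[31m%-44s\033[m" $f
+ #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
+ rpm -qf --queryformat " %{SOURCERPM}" $f
+ echo
+ else
+ # One last test to see if chdir is within 4
+ # lines of chroot
+ syms=`cat $f | egrep ' os.chroot' -A3 | egrep ' os.chdir'`
+ if [ x"$syms" = "x" ] ; then
+ if [ $FOUND = 0 ] ; then
+ printf "%-44s%s\n" "FILE" " PACKAGE"
+ FOUND=1
+ fi
+ printf "\033[31m%-44s\033[m" $f
+ rpm -qf --queryformat " %{SOURCERPM}" $f
+ echo
+ fi
+ fi
+ fi
+ done
+done
+}
+
+if [ $# -eq 1 ] ; then
+ if [ -d $1 ] ; then
+ scan 3 '*' $1
+ else
+ echo "Input is not a directory"
+ exit 1
+ fi
+else
+ scan 2 '*'
+ scan 1 '*.py'
+fi
+
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+ echo "No problems found" 1>&2
+ exit 0
+fi
+exit 1
+
+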
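Review bot: The greps at `syms=`egrep ' os.chroot' $f`` and the `os.chdir` counterpart require a leading space, so `os.chroot(` at the start of a line or directly after `(`, `=` or a tab is never examined, and the unescaped dot also matches names like `os_chroot`; `egrep -w 'os\.chroot'` and `egrep -w 'os\.chdir'` express the intent. `$f` is also unquoted in every use inside the loop (`for f in $files`, both egreps, `cat $f`, the `printf` and `rpm -qf`), so a path containing whitespace is split into fragments and silently skipped. The `rpm -qf` and `/usr/bin/file` dependencies come from the Fedora origin of these scripts; on an image without an rpm database each finding line would end in an rpm error instead of a package name — the recipe `redhat-security_1.0.bb` is not visible here, so I cannot tell whether that is handled.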
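--- /dev/null
+++ b/recipes-security/redhat-security/files/find-chroot.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+# find-chroot utility
+# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for apps that use chroot(2) without using chdir(2)
+#
+# To save to file: ./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt
+
+libdirs="/lib /lib64 /usr/lib /usr/lib64"
+progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
+FOUND=0
+
+# First param is which list to use, second is search pattern
+scan () {
+if [ "$1" = "1" ] ; then
+ dirs=$libdirs
+elif [ "$1" = "2" ] ; then
+ dirs=$progdirs
+elif [ "$1" = "3" ] ; then
+ dirs=$3
+fi
+
+for d in $dirs ; do
+ if [ ! -d $d ] ; then
+ continue
+ fi
+ files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
+ for f in $files
+ do
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' chroot@.*GLIBC'`
+ if [ x"$syms" != "x" ] ; then
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' chdir@.*GLIBC'`
+ if [ x"$syms" = "x" ] ; then
+ if [ $FOUND = 0 ] ; then
+ printf "%-44s%s\n" "FILE" " PACKAGE"
+ FOUND=1
+ fi
+ # Red
+ printf "\033[31m%-44s\033[m" $f
+ #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
+ rpm -qf --queryformat " %{SOURCERPM}" $f
+ echo
+ else
+ # One last test to see if chdir is within 3
+ # lines of chroot
+ syms=`objdump -d $f | egrep callq | egrep 'chroot@plt' -A2 | egrep 'chroot|chdir'`
+ if [ x"$syms" = "x" ] ; then
+ syms=`echo $f | egrep -v 'libc-2|libc.so'`
+ if [ x"$syms" != "x" ] ; then
+ if [ $FOUND = 0 ] ; then
+ printf "%-44s%s\n" "FILE" "PACKAGE"
+ FOUND=1
+ fi
+ printf "\033[31m%-44s\033[m" $f
+ rpm -qf --queryformat " %{SOURCERPM}" $f
+ echo
+ fi
+ fi
+ fi
+ fi
+ done
+done
+}
+
+if [ $# -eq 1 ] ; then
+ if [ -d $1 ] ; then
+ scan 3 '*' $1
+ else
+ echo "Input is not a directory"
+ exit 1
+ fi
+else
+ scan 2 '*'
+ scan 1 '*.so'
+fi
+
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+ echo "No problems found" 1>&2
+ exit 0
+fi
+exit 1
+
+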
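Review bot: The proximity test `syms=`objdump -d $f | egrep callq | egrep 'chroot@plt' -A2 | egrep 'chroot|chdir'`` can never fail on x86-64, because the `-A2` output always starts with the `chroot@plt` call line itself, which the final `egrep 'chroot|chdir'` matches — so any binary importing both chroot and chdir passes regardless of where chdir is called. On other targets the `egrep callq` filter drops every line (the mnemonic is `call` or `bl` there), `syms` stays empty, and every non-libc binary with both imports is reported instead, which matters for a layer that scans cross-built images. Something like `objdump -d "$f" 2>/dev/null | egrep -w 'callq?|bl' | grep -A2 'chroot@plt' | grep -v 'chroot@plt' | grep chdir` keeps the intended "chdir within two calls after chroot" check and also silences objdump's stderr on the non-ELF files that `scan 2 '*'` walks in /bin.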
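--- /dev/null
+++ b/recipes-security/redhat-security/files/find-elf4tmp.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+# find_elf4tmp utility
+# Copyright (c) 2010-12 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# This script will search a directory and its subdirectories for all elf
+# executables. It will then search for the use of the tmp directory. If it finds
+# this is true, it will then check to see if XXX is being used which would
+# indicate that the path is going to be randomized.
+
+if [ $# -ge 2 ] ; then
+ echo "Usage: find_elf4tmp [directory]" 1>&2
+ exit 1
+fi
+if [ ! -x /usr/bin/eu-strings ] ; then
+ echo "Skipping due to missing /usr/bin/eu-strings utility"
+ exit 1
+fi
+if [ -h /bin ] ; then
+ DIRS="/usr/bin /usr/sbin /usr/libexec /usr/kerberos /usr/games /usr/lib /usr/lib64 /usr/local"
+else
+ DIRS="/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/kerberos /usr/games /lib /lib64 /usr/lib /usr/lib64 /usr/local"
+fi
+if [ $# -eq 1 ] ; then
+ if [ -d "$1" ] ; then
+ DIRS="$1"
+ else
+ echo "Option passed in was not a directory" 1>&2
+ exit 1
+ fi
+fi
+
+FOUND=0
+for d in $DIRS
+do
+ if [ ! -d $d ] ; then
+ continue
+ fi
+# echo "Scanning files in $d..."
+ for f in `/usr/bin/find $d -type f 2>/dev/null`
+ do
+ # Get just the elf executables
+ testf=`echo $f | /usr/bin/file -n -f - 2>/dev/null | grep ELF`
+ if [ x"$testf" != "x" ] ; then
+ test_res=`/usr/bin/eu-strings $f | /bin/grep '/tmp/' | /bin/egrep -v 'XX|/tmp/$|[ .,:]/tmp/'`
+ if [ x"$test_res" = "x" ] ; then
+ continue
+ fi
+
+ # Do further examination...
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' mkstemp@.*GLIBC| tempnam@.*GLIBC| tmpfile@.*GLIBC'`
+ if [ x"$syms" != "x" ] ; then
+ continue
+ fi
+
+ # Well its a bad one...out with it
+ FOUND=1
+
+ # Get the package
+ RPM=`/bin/rpm -qf --queryformat "%{NAME}-%{VERSION}" $f 2>/dev/null | /bin/grep -v 'not owned' | /bin/sort | /usr/bin/uniq`
+ if [ x"$RPM" = "x" ] ; then
+ RPM="<unowned>"
+ fi
+
+ # For each tmp string, output the line
+ echo $test_res | /usr/bin/tr '\b' '\n' | /bin/awk 'NF >= 1 { printf "%-46s\t%-30s\t%s\n", f, r, $1 }' r=$RPM f=$f
+ fi
+ done
+done
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+ echo "No problems found" 1>&2
+ exit 0
+fi
+exit 1
+
+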
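Review bot: The report line `echo $test_res | /usr/bin/tr '\b' '\n' | /bin/awk ...` only ever prints the first `/tmp/` string of a binary: the unquoted `echo` has already folded eu-strings' multi-line output onto one line, and `'\b'` is a backspace character rather than a word boundary, so the `tr` splits nothing and awk's `$1` is the first word of that single line. `printf '%s\n' "$test_res" | /bin/awk 'NF >= 1 { ... }' r="$RPM" f="$f"` preserves one string per line as the comment above it intends. Separately, the "safe API" list `' mkstemp@.*GLIBC| tempnam@.*GLIBC| tmpfile@.*GLIBC'` omits `mkdtemp`, `mkostemp`, `mkstemps` and `mkostemps`, so binaries that create temporary directories correctly are still reported, while `tempnam` — documented by glibc as unsafe because the returned name is not created atomically — is treated as a pass; add the `mk*temp*` family and consider dropping `tempnam`. The missing-eu-strings path also exits 1, the same code used for "findings", which a caller cannot distinguish.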
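--- /dev/null
+++ b/recipes-security/redhat-security/files/find-execstack.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+#
+# find-execstack utility
+# Copyright (c) 2007 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for executable stacks
+#
+
+libdirs="/lib /lib64 /usr/lib /usr/lib64"
+progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
+FOUND=0
+
+# First param is which list to use, second is search pattern
+scan () {
+if [ "$1" = "1" ] ; then
+ dirs=$libdirs
+elif [ "$1" = "2" ] ; then
+ dirs=$progdirs
+fi
+
+for d in $dirs ; do
+ if [ ! -d $d ] ; then
+ continue
+ fi
+ files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
+ for f in $files
+ do
+ FOUND_ONE=0
+ stacks=`/usr/bin/eu-readelf -l $f 2>/dev/null | grep STACK`
+ if [ x"$stacks" != "x" ] ; then
+ perms=`echo $stacks | /bin/awk '{ print $7 }'`
+ if [ x"$perms" != x -a "$perms" != "RW" ] ; then
+ FOUND_ONE=1
+ fi
+ fi
+ old_stacks=`echo $stacks | /bin/grep -v GNU_STACK`
+ if [ x"$old_stacks" != "x" ] ; then
+ FOUND_ONE=1
+ fi
+ heaps=`/usr/bin/eu-readelf -l $f 2>/dev/null | grep GNU_HEAP`
+ if [ x"$heaps" != "x" ] ; then
+ FOUND_ONE=1
+ fi
+ if [ $FOUND_ONE = 1 ] ; then
+ printf "%-42s" $f
+ rpm -qf --queryformat "%{SOURCERPM}" $f
+ echo
+ FOUND=1
+ fi
+ done
+done
+}
+
+scan 1 '*.so'
+scan 2 '*'
+
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+ echo "No problems found" 1>&2
+ exit 0
+fi
+exit 1
+
+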
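Review bot: A binary with no `PT_GNU_STACK` program header at all is never reported: `stacks` is empty, so the permission test is skipped, `old_stacks` is empty as well, and the file is treated as clean. That is the worrying case — on several architectures (32-bit x86 in particular) the kernel's ELF loader falls back to an executable stack when the header is absent — so after the `stacks=` line add `if [ x"$stacks" = "x" ] && /usr/bin/file "$f" | grep -q ELF ; then FOUND_ONE=1 ; fi`, the `file` check keeping the shell scripts that `scan 2 '*'` also walks out of the report. The `awk '{ print $7 }'` column index presumably matches eu-readelf's `-l` layout; a comment stating that dependency would help, since a format change would silently turn every stack into a finding or none. Unlike its siblings this script also takes no directory argument and leaves `$f` unquoted throughout.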
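--- /dev/null
+++ b/recipes-security/redhat-security/files/find-hidden-exec.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for hidden executables
+
+find / -name '.*' -type f -perm /00111 2>/dev/null
+
+# Also need to find hidden dirs and see if anything below it is hidden
+hidden_dirs=`find / -name '.*' -type d 2>/dev/null`
+for d in $hidden_dirs
+do
+ find $d -name '.*' -type f -perm /00111 2>/dev/null
+done
+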
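Review bot: The second loop only re-reports what the first `find /` already printed: `find / -name '.*' -type f` already descends into hidden directories, while `find $d -name '.*' -type f -perm /00111` still requires the file name itself to start with a dot, so an executable such as `.cache/bin/run` — the case the comment says it wants — is never listed, and every hit that is listed appears twice. Dropping `-name '.*'` in the inner find and quoting the path, `find "$d" -type f -perm /00111 2>/dev/null`, gives the intended result; `for d in $hidden_dirs` will still split on whitespace in directory names. Unlike the sibling scripts this one keeps no FOUND flag and always exits 0, and both finds walk `/proc`, `/sys` and any network mounts; `-xdev` or the SKIP_DIRS list used by find-sh4tmp would avoid that.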
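--- /dev/null
+++ b/recipes-security/redhat-security/files/find-nodrop-groups.sh
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# find-nodrop-groups utility
+# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# This program looks for apps that use setgid(2) without using initgroups(3)
+# or setgroups(2).
+#
+# To save to file: ./find-nodrop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt
+
+libdirs="/lib /lib64 /usr/lib /usr/lib64"
+progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
+FOUND=0
+
+# First param is which list to use, second is search pattern
+scan () {
+if [ "$1" = "1" ] ; then
+ dirs=$libdirs
+elif [ "$1" = "2" ] ; then
+ dirs=$progdirs
+elif [ "$1" = "3" ] ; then
+ dirs=$3
+fi
+
+for d in $dirs ; do
+ if [ ! -d $d ] ; then
+ continue
+ fi
+ files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
+ for f in $files
+ do
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'`
+ if [ x"$syms" != "x" ] ; then
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'`
+ if [ x"$syms" != "x" ] ; then
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'`
+ if [ x"$syms" = "x" ] ; then
+ if [ $FOUND = 0 ] ; then
+ printf "%-44s%s\n" "FILE" "PACKAGE"
+ fi
+ syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print`
+ if [ x"$syms" = "x" ] ; then
+ printf "\033[31m%-44s\033[m" $f
+ rpm -qf --queryformat "%{SOURCERPM}" $f
+ echo
+ FOUND=1
+# else
+# printf "\033[33m%-44s\033[m" $f
+ fi
+ #rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
+ fi
+ fi
+ fi
+ done
+done
+}
+
+if [ $# -eq 1 ] ; then
+ if [ -d $1 ] ; then
+ scan 3 '*' $1
+ else
+ echo "Input is not a directory"
+ exit 1
+ fi
+else
+ scan 1 '*.so'
+ scan 2 '*'
+fi
+
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+ echo "No problems found" 1>&2
+ exit 0
+fi
+exit 1
+
+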
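Review bot: The `FILE PACKAGE` header is printed on the wrong condition: `if [ $FOUND = 0 ] ; then printf "%-44s%s\n" "FILE" "PACKAGE" ; fi` runs before the setuid/setgid `find` filter, but `FOUND=1` is only set inside that filter's reporting branch, so every setuid/setgid candidate met before the first reported file prints another header, and a run whose candidates are all setuid prints headers followed by "No problems found". Move the header into the reporting branch, immediately before `printf "\033[31m%-44s\033[m" $f`, as find-chroot.sh does. The check is also purely static — readelf import symbols — so a program that imports setgroups/initgroups but never calls them on its privilege-drop path still passes; a one-line comment saying the result is a heuristic to be confirmed by review would set expectations.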
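--- /dev/null
+++ b/recipes-security/redhat-security/files/find-sh4errors.sh
@@ -0,0 +1,132 @@
+#!/bin/sh
+# find_sh4errors utility
+# Copyright (c) 2004 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# This script will search a directory and its subdirectories for every shell
+# script. It then runs sh -n to see if bash can determine if there are obvious
+# parsing errors. It does have a bug in that bash -n does not take into
+# account someone may program an unconditional exit and then include man page
+# generation information. It also fails to notice the exec command. When you
+# run across files that do either of the above, add it to the KNOWN_BAD list.
+
+if [ $# -ge 2 ] ; then
+ echo "Usage: find_sh4errors [directory]" 1>&2
+ exit 1
+fi
+INTERPRETERS="wish wishx tclsh guile rep itkwish expect /etc/kde/kdm/Xsession /etc/X11/xdm/Xsession /usr/bin/festival perl hfssh"
+SKIP_DIRS="/opt /home /root"
+KNOWN_BAD="/usr/bin/kde-build /usr/bin/cvsversion samples/copifuncs/copi.sendifm1 bashdb bash_completion_test"
+DIR="/"
+if [ $# -eq 1 ] ; then
+ if [ -d "$1" ] ; then
+ DIR="$1"
+ else
+ echo "Option passed in was not a directory" 1>&2
+ exit 1
+ fi
+fi
+tempfile=`mktemp /tmp/sh4.XXXXXX`
+tempfile2=`mktemp /tmp/sh4.XXXXXX`
+if [ -z "$tempfile" -o -z "$tempfile2" ] ; then
+ echo ; echo "Unable to create tempfiles...aborting." 1>&2 ; echo
+ exit 1
+fi
+trap "rm -f $tempfile; rm -f $tempfile2; exit 2" 1 2 3 5 15
+
+# Get executable files
+#echo "Locating executables..."
+/usr/bin/find $DIR -type f -perm /0111 -print >> $tempfile 2>/dev/null
+FOUND=0
+#echo "Refining list to shell scripts..."
+while read f
+do
+ # Get just the shell scripts
+ testf=`echo $f | /usr/bin/file -n -f - | egrep 'ourne|POSIX shell'`
+ if [ x"$testf" != x ] ; then
+ echo $f >> $tempfile2
+ FOUND=1
+ fi
+done < $tempfile
+/bin/rm -f $tempfile
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+# echo "Examining shell scripts in $DIR"
+# echo "No problems found"
+ /bin/rm -f $tempfile2
+ exit 0
+fi
+#echo "Examining shell scripts in $DIR"
+FOUND=0
+while read i
+do
+ # First see if the script calls an interpreter
+ SKIP=0
+ for lang in $INTERPRETERS
+ do
+ if `/bin/cat "$i" 2>/dev/null | \
+ grep "exec[ \t].*$lang" >/dev/null` ; then
+ SKIP=1
+ break
+ fi
+ done
+
+ if [ $SKIP -eq 1 ] ; then
+ continue
+ fi
+
+ # See if this is in a dir we want to ignore
+ for d in $SKIP_DIRS
+ do
+ if `echo "$i" | /bin/grep "^\$d" >/dev/null`; then
+ SKIP=1
+ break
+ fi
+ done
+
+ if [ $SKIP -eq 1 ] ; then
+ continue
+ fi
+
+ # Don't do the known naughty files
+ for bad in $KNOWN_BAD
+ do
+ if `echo "$i" | /bin/grep "$bad" >/dev/null`; then
+ SKIP=1
+ break
+ fi
+ done
+
+ if [ $SKIP -eq 1 ] ; then
+ continue
+ fi
+
+ # Now examine them for correctness
+ interp=`/usr/bin/head -n 1 "$i" | /bin/awk '{ print $1 }' | \
+ /usr/bin/tr -d '#!'`
+ if [ x"$interp" = "x" -o ! -x "$interp" ] ; then
+ interp="/bin/sh"
+ fi
+ $interp -n "$i" 2>/dev/null
+ if [ $? -ne 0 ] ; then
+ printf "%-44s" "$i"
+ rpm -qf --queryformat "%{NAME}-%{VERSION}" $i
+ echo
+ FOUND=1
+ fi
+done < $tempfile2
+/bin/rm -f $tempfile2
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+# echo "No problems found"
+ exit 0
+fi
+exit 1
+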
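Review bot: `$interp -n "$i" 2>/dev/null` executes whatever the scanned file's `#!` line names, guarded only by `-x "$interp"`, so a scan of `/` run as root will run any executable an unprivileged user can point a shebang at — `/tmp` and `/var/tmp` are not in SKIP_DIRS and the only pre-filter is the executable bit — with `-n <path>` as its arguments. Restrict `interp` to an allow-list of known shells and fall back to `/bin/sh` otherwise, e.g. replace the `-x` test with `case "$interp" in /bin/sh|/bin/bash|/bin/dash|/bin/ksh|/usr/bin/bash) ;; *) interp="/bin/sh" ;; esac`. That also fixes `#!/usr/bin/env bash`, where the awk leaves `interp=/usr/bin/env` and `env -n` is not a syntax check at all. The `rpm -qf ... $i` on the report line is unquoted while the `printf` just above quotes `"$i"`; quote both.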
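--- /dev/null
+++ b/recipes-security/redhat-security/files/find-sh4tmp.sh
@@ -0,0 +1,116 @@
+#!/bin/sh
+# find_sh4tmp utility
+# Copyright (c) 2005 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# This script will search a directory and its subdirectories for all shell
+# scripts. It will then search for the use of the tmp directory. If it finds
+# this is true, it will then try to determine if mktemp or something
+# reasonable was used and exclude it. It has a bug in that it does not handle
+# rm -f /tmp/ or mkdir /tmp/ correctly. If you run across files that do that,
+# add them to the KNOWN_BAD list to ignore them.
+
+if [ $# -ge 2 ] ; then
+ echo "Usage: find_sh4tmp [directory]" 1>&2
+ exit 1
+fi
+INTERPRETERS="wish wishx tclsh guile rep itkwish expect /etc/kde/kdm/Xsession /etc/X11/xdm/Xsession /usr/bin/festival perl hfssh"
+SKIP_DIRS="/opt /home /root /mnt /media /dev /proc /selinux /sys /usr/share/doc"
+KNOWN_BAD="kopete_latexconvert.sh cvs2dist fixfiles mysqlbug build/scripts/package/mkspec py-compile rc.sysinit init.d/xfs diff-jars grub-install mailshar vncserver Xsession sysreport cross-build vpkg rcs-to-cvs debug_check_log cvs2vendor tmpwatch ps2epsi mkdumprd xdg-open xdg-mime xdg-email gzexe"
+DIR="/"
+if [ $# -eq 1 ] ; then
+ if [ -d "$1" ] ; then
+ DIR="$1"
+ else
+ echo "Option passed in was not a directory" 1>&2
+ exit 1
+ fi
+fi
+tempfile=`mktemp /tmp/sh4.XXXXXX`
+tempfile2=`mktemp /tmp/sh4.XXXXXX`
+if [ -z "$tempfile" -o -z "$tempfile2" ] ; then
+ echo ; echo "Unable to create tempfiles...aborting." 1>&2 ; echo
+ exit 1
+fi
+trap "rm -f $tempfile; rm -f $tempfile2; exit 2" 1 2 3 5 15
+
+# Get executable files
+#echo "Scanning shell scripts in $DIR..."
+find $DIR -type f -perm /0111 -print >> $tempfile 2>/dev/null
+FOUND=0
+while read f
+do
+ # Get just the shell scripts
+ testf=`echo $f | file -n -f - | egrep 'ourne|POSIX shell'`
+ if [ x"$testf" != x ] ; then
+# FIXME: need to do something to get rid of echo, rm, or mkdir "/tmp/"
+ test_res=`cat $f 2>/dev/null | grep '\/tmp\/' | grep -v 'mktemp' | grep -v '^#'`
+ if [ x"$test_res" = x ] ; then
+ continue
+ fi
+
+ # Do further examination...
+ # First see if the script calls an interpreter
+ SKIP=0
+ for lang in $INTERPRETERS
+ do
+ if `cat "$f" | grep "exec[ \t].*$lang" >/dev/null` ; then
+ SKIP=1
+ break
+ fi
+ done
+
+ if [ $SKIP -eq 1 ] ; then
+ continue
+ fi
+
+ # See if this is in a dir we want to ignore
+ for d in $SKIP_DIRS
+ do
+ if `echo "$f" | grep "^\$d" >/dev/null`; then
+ SKIP=1
+ break
+ fi
+ done
+
+ if [ $SKIP -eq 1 ] ; then
+ continue
+ fi
+
+ # Don't do the known naughty files
+ for bad in $KNOWN_BAD
+ do
+ if `echo "$f" | grep "$bad" >/dev/null`; then
+ SKIP=1
+ break
+ fi
+ done
+
+ if [ $SKIP -eq 1 ] ; then
+ continue
+ fi
+
+ # Well its a bad one...out with it
+ printf "%-44s" $f
+ rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
+ echo
+ FOUND=1
+ fi
+done < $tempfile
+rm -f $tempfile
+if [ $FOUND -eq 0 ] ; then
+ # Nothing to report, just exit
+# echo "No problems found"
+ rm -f $tempfile2
+ exit 0
+fi
+exit 1
+
+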
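Review bot: `tempfile2` is created by the second `mktemp /tmp/sh4.XXXXXX` but never written to, and on the findings path it is never removed either — `rm -f $tempfile2` only runs inside the `FOUND -eq 0` branch — so every run that reports something leaves a `/tmp/sh4.*` file behind. Either drop it, or install a single `trap 'rm -f "$tempfile" "$tempfile2"' EXIT` in place of the signal-only trap so cleanup covers normal exit too. The SKIP_DIRS test is also applied after `cat $f | grep '\/tmp\/'`, so entries under `/dev`, `/proc` and `/sys` are read in full before being skipped; moving the directory check ahead of the grep avoids that (the `find $DIR -type f` walk itself already includes those trees). `grep -v '^#'` only discards comments at column 0, so an indented `# see /tmp/foo` still counts as a finding.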
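--- /dev/null
+++ b/recipes-security/redhat-security/files/lib-bin-check.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+found=0
+list=`rpm -qa --queryformat "%{NAME}-%{VERSION}.%{ARCH}\n" | grep '^lib' | egrep -v '\-utils\-|\-bin\-|\-tools\-|\-client\-|libreoffice|\-plugin\-'`
+for p in $list
+do
+ bin=`rpm -ql $p | egrep '^/bin|^/sbin|^/usr/bin|^/usr/sbin' | grep -v '\-config'`
+ if [ "x$bin" != "x" ]; then
+ testf=`echo $bin | /usr/bin/file -n -f - 2>/dev/null | grep ELF`
+ if [ x"$testf" != "x" ] ; then
+ found=1
+ echo "$p could be split into a utils package"
+ fi
+ fi
+done
+
+if [ $found = 0 ]; then
+ echo "No problems found"
+ exit 0
+fi
+
+exit 1
+
+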
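Review bot: `testf=`echo $bin | /usr/bin/file -n -f - 2>/dev/null | grep ELF`` hands `file -f -` a single line: the unquoted `$bin` folds rpm's one-path-per-line output into one space-joined line, which `file` then treats as a single (non-existent) file name, so any package shipping more than one binary under /bin or /usr/bin is silently never reported — the 2>/dev/null hides the "cannot open" that would have shown it. `printf '%s\n' "$bin" | /usr/bin/file -n -f - 2>/dev/null | grep ELF` feeds one name per line as `-f` expects. The `%{NAME}-%{VERSION}.%{ARCH}` label passed back to `rpm -ql $p` presumably resolves on the rpm versions this was written against; adding `-%{RELEASE}` would make it an unambiguous NEVRA and avoid a "package not installed" miss on versions that do not accept the shorter form.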
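--- /dev/null
+++ b/recipes-security/redhat-security/files/rpm-chksec.sh
@@ -0,0 +1,279 @@
+#!/bin/sh
+# rpm-chksec
+#
+# Copyright (c) 2011-2013 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# Given an rpm, it will look at each file to check that its compiled with
+# the intended flags to make it more secure. Things that are green are OK.
+# Anything in yellow could be better but is passable. Anything in red needs
+# attention.
+#
+# If the --all option is given, it will generate a list of rpms and then
+# summarize the rpm's state. For yes, then all files are in the expected
+# state. Just one file not compiled with the right flags can turn the
+# answer to no. Re-run passing that package (instead of --all) for the details.
+#
+# To save to file: ./rpm-chksec | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt
+
+VERSION="0.5.2"
+
+usage () {
+ echo "rpm-chksec [--version|--all|<rpmname>...]"
+ if [ ! -x /usr/bin/filecap ] ; then
+ echo "You need to install libcap-ng-utils to test capabilities"
+ fi
+ if [ $EUID != 0 ] ; then
+ echo "You might need to be root to read some files"
+ fi
+ exit 0
+}
+
+if [ "$1" = "--help" -o $# -eq 0 ] ; then
+ usage
+fi
+if [ "$1" = "--version" ] ; then
+ echo "rpm-chksec $VERSION"
+ exit 0
+fi
+if [ "$1" = "--all" ] ; then
+ MODE="all"
+else
+ MODE="single"
+fi
+
+do_one () {
+if ! rpm -q $1 >/dev/null 2>&1 ; then
+ if [ "$MODE" = "single" ] ; then
+ echo "$1 is not installed"
+ exit 1
+ else
+ echo "not installed"
+ return
+ fi
+fi
+files=`rpm -ql $1`
+
+# Look for daemons, need this for later...
+DAEMON=""
+for f in $files
+do
+ if [ ! -f "$f" ] ; then
+ continue
+ fi
+ if [ `echo "$f" | grep '\/etc\/rc.d\/init.d'` ] ; then
+ n=`basename "$f"`
+ t=`which "$n" 2>/dev/null`
+ if [ x"$t" != "x" ] ; then
+ DAEMON="$DAEMON $t"
+ continue
+ fi
+ t=`which "$n"d 2>/dev/null`
+ if [ x"$t" != "x" ] ; then
+ DAEMON="$DAEMON $t"
+ continue
+ fi
+ t=`cat "$f" 2>/dev/null | grep 'bin' | grep 'exit 5' | grep -v '\$'`
+ if [ x"$t" != "x" ] ; then
+ DAEMON="$DAEMON $t"
+ continue
+ fi
+ if [ "$MODE" = "single" ] ; then
+ echo "Can't find the executable in $f but daemon rules would apply"
+ fi
+ elif [ `echo "$f" | grep '\/lib\/systemd\/'` ] ; then
+ t=`cat "$f" | grep -i '^ExecStart=' | tr '=' ' ' | awk '{ print $2 }'`
+ if [ x"$t" != "x" ] ; then
+ DAEMON="$DAEMON $t"
+ continue
+ fi
+ fi
+done
+
+# Prevent garbled output when doing --all.
+skip_current=0
+
+for f in $files
+do
+ if [ ! -f "$f" ] ; then
+ continue
+ fi
+ # Some packages have files with ~ in them. This avoids it.
+ if ! echo "$f" | grep '^/' >/dev/null ; then
+ continue
+ fi
+ if [ ! -r "$f" ] && [ $EUID != 0 ] ; then
+ if [ $MODE = "single" ] ; then
+ echo "Please re-test $f as the root user"
+ else
+ # Don't print results.
+ skip_current=1
+ echo "Please re-test $1 as the root user"
+ fi
+ continue
+ fi
+ if ! file "$f" | grep -qw 'ELF'; then
+ continue
+ fi
+ RELRO="no"
+ if readelf -l "$f" 2>/dev/null | grep -q 'GNU_RELRO'; then
+ RELRO="partial"
+ fi
+ if readelf -d "$f" 2>/dev/null | grep -q 'BIND_NOW'; then
+ RELRO="full"
+ fi
+ PIE="no"
+ if readelf -h "$f" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
+ PIE="DSO"
+ if readelf -d "$f" 2>/dev/null | grep -q '(DEBUG)'; then
+ PIE="yes"
+ fi
+ fi
+ APP=""
+ if [ x"$DAEMON" != "x" ] ; then
+ for d in $DAEMON
+ do
+ if [ "$f" = "$d" ] ; then
+ APP="daemon"
+ break
+ fi
+ done
+ fi
+ if [ x"$APP" = "x" ] ; then
+ # See if this is a library or a setuid app
+ if [ `echo "$f" | grep '\/lib' | grep '\.so'` ] ; then
+ APP="library"
+ elif [ `find "$f" -perm -004000 -type f -print` ] ; then
+ APP="setuid"
+ elif [ `find "$f" -perm -002000 -type f -print` ] ; then
+ APP="setgid"
+ elif [ -x /usr/bin/filecap ] && [ `filecap "$f" 2> /dev/null | wc -w` -gt 0 ] ; then
+ APP="setcap"
+ else
+ syms1=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ' connect@.*GLIBC| listen@.*GLIBC| accept@.*GLIBC|accept4@.*GLIBC'`
+ syms2=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ' getaddrinfo@.*GLIBC| getnameinfo@.*GLIBC| getservent@.*GLIBC| getservbyname@.*GLIBC| getservbyport@.*GLIBC|gethostbyname@.*GLIBC| gethostbyname2@.*GLIBC| gethostbyaddr@.*GLIBC| gethostbyaddr2@.*GLIBC'`
+ if [ x"$syms1" != "x" ] ; then
+ if [ x"$syms2" != "x" ] ; then
+ APP="network-ip"
+ else
+ APP="network-local"
+ fi
+ fi
+ fi
+ fi
+ if [ x"$APP" = "x" ] ; then
+ APP="exec"
+ fi
+
+ # OK, ready for the output
+ if [ "$MODE" = "single" ] ; then
+ printf "%-56s %-10s " "$f" $APP
+ if [ "$APP" = "daemon" -o "$APP" = "setuid" -o "$APP" = "setgid" -o "$APP" = "setcap" -o "$APP" = "network-ip" -o "$APP" = "network-local" ] ; then
+ if [ "$RELRO" = "full" ] ; then
+ printf "\033[32m%-7s\033[m " $RELRO
+ elif [ "$RELRO" = "partial" ] ; then
+ printf "\033[33m%-7s\033[m " $RELRO
+ else
+ printf "\033[31m%-7s\033[m " $RELRO
+ fi
+ if [ "$PIE" = "yes" ] ; then
+ printf "\033[32m%-4s\033[m" $PIE
+ else
+ printf "\033[31m%-4s\033[m" $PIE
+ fi
+ elif [ "$APP" = "library" ] ; then
+ if [ "$RELRO" = "full" -o "$RELRO" = "partial" ] ; then
+ printf "\033[32m%-7s\033[m " $RELRO
+ else
+ printf "\033[31m%-7s\033[m " $RELRO
+ fi
+ printf "\033[32m%-4s\033[m" $PIE
+ else
+ # $APP = exec - we want partial relro
+ if [ "$RELRO" = "no" ] ; then
+ printf "\033[31m%-7s\033[m " $RELRO
+ else
+ printf "\033[32m%-7s\033[m " $RELRO
+ fi
+ printf "\033[32m%-4s\033[m" $PIE
+ fi
+ echo
+ else
+ if [ "$APP" = "daemon" -o "$APP" = "setuid" -o "$APP" = "setgid" -o "$APP" = "setcap" -o "$APP" = "network-ip" -o "$APP" = "network-local" ] ; then
+ if [ "$RELRO" = "no" ] ; then
+ RELRO_SUM="no"
+ APP_SUM="$APP"
+ fi
+ if [ "$PIE" = "no" ] ; then
+ PIE_SUM="no"
+ APP_SUM="$APP"
+ fi
+ elif [ "$APP" = "library" ] ; then
+ if [ "$RELRO" = "no" ] ; then
+ RELRO_SUM="no"
+ APP_SUM="$APP"
+ fi
+ # $APP = exec - must have partial or full relro
+ elif [ "$RELRO" = "no" ] ; then
+ RELRO_SUM="no"
+ APP_SUM="$APP"
+ fi
+ fi
+done
+}
+
+if [ "$MODE" = "single" ] ; then
+ printf "%-56s %-10s %-7s %-4s" "FILE" "TYPE" "RELRO" "PIE"
+ echo
+ for i; do
+ f=$(basename $1)
+ # Strip the .rpm extension, if present.
+ do_one ${f%%.rpm}
+ shift
+ done
+ exit 0
+fi
+
+# Skip the kernel as its special
+packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | egrep -v 'kernel.|debuginfo.|.noarch|gpg-pubkey' | sort`
+printf "%-50s %-5s %-4s %-14s" "PACKAGE" "RELRO" "PIE" "CLASS"
+echo
+for p in $packages
+do
+ RELRO_SUM="yes"
+ PIE_SUM="yes"
+ APP_SUM=""
+ printf "%-50s " $p
+ do_one $p
+ if [[ $skip_current -eq 1 ]] ; then
+ continue
+ fi
+ if [ "$RELRO_SUM" = "yes" ] ; then
+ printf "\033[32m%-5s\033[m " "$RELRO_SUM"
+ else
+ printf "\033[31m%-5s\033[m " "$RELRO_SUM"
+ fi
+ if [ "$PIE_SUM" = "yes" ] ; then
+ printf "\033[32m%-4s\033[m" "$PIE_SUM"
+ if [ "$RELRO_SUM" = "no" ] ; then
+ printf " %-14s" "$APP_SUM"
+ fi
+ else
+ if [ "$APP_SUM" = "network-local" ] ; then
+ printf "\033[33m%-4s\033[m %-14s" "$PIE_SUM" "$APP_SUM"
+ else
+ printf "\033[31m%-4s\033[m %-14s" "$PIE_SUM" "$APP_SUM"
+ fi
+ fi
+ echo
+done
+exit 0
+
+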
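Review bot: The script declares `#!/bin/sh` but depends on bash: `$EUID` (in `usage` and in the `[ ! -r "$f" ] && [ $EUID != 0 ]` test) is a bash variable that dash and BusyBox ash leave unset, so the test degenerates to `[ != 0 ]` and errors out, and `if [[ $skip_current -eq 1 ]] ; then` is a syntax error under a POSIX `/bin/sh` — which is the common `/bin/sh` on the images this layer targets. Either change the shebang to `#!/bin/bash`, or use `[ "$(id -u)" != 0 ]` and `[ "$skip_current" -eq 1 ]` so the file is honest about being POSIX sh. The PIE detection via `readelf -d | grep -q '(DEBUG)'` is a heuristic (presence of a DT_DEBUG entry in a DYN object) rather than a definitive PIE check; a one-line comment saying so would help whoever reads a "DSO" vs "yes" verdict. The `.rpm` stripping at `do_one ${f%%.rpm}` and the `shift` inside `for i; do` work today but pair `$i` with `$1` confusingly; `f=$(basename "$i")` without the shift would be clearer.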
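--- /dev/null
+++ b/recipes-security/redhat-security/files/rpm-drop-groups.sh
@@ -0,0 +1,131 @@
+#!/bin/sh
+# rpm-drop-groups
+#
+# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
+# sgrubb@redhat.com
+#
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+# Given an rpm, it will look at each file to check if it tries to change
+# group and user credentials. If so, it further tries to determine if
+# it also calls setgroups or initgroups. To correctly change groups, the
+# program must drop supplemntal groups. Programs are classified into: n/a
+# meaning no group dropping occurs, yes its done correctly, and no meaning
+# there seems to be a problem.
+#
+# If the --all option is given, it will generate a list of rpms and then
+# summarize the rpm's state. For yes, then all files are in the expected
+# state. Just one program failing can turn the package's summary to no.
+# Re-run passing that package (instead of --all) for the details.
+#
+# To save to file: ./rpm-drop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt
+
+VERSION="0.1"
+
+usage () {
+ echo "rpm-drop-groups [--all|<rpmname>|--version]"
+ exit 0
+}
+
+if [ "$1" = "--help" -o $# -eq 0 ] ; then
+ usage
+fi
+if [ "$1" = "--version" ] ; then
+ echo "rpm-drop-groups $VERSION"
+ exit 0
+fi
+if [ "$1" = "--all" ] ; then
+ MODE="all"
+else
+ MODE="single"
+fi
+
+do_one () {
+if ! rpm -q $1 >/dev/null 2>&1 ; then
+ if [ "$MODE" = "single" ] ; then
+ echo "$1 is not installed"
+ exit 1
+ else
+ echo "not installed"
+ return
+ fi
+fi
+files=`rpm -ql $1`
+
+for f in $files
+do
+ if [ ! -f $f ] ; then
+ continue
+ fi
+ if ! file $f | grep -q 'ELF'; then
+ continue
+ fi
+
+ CORRECT="n/a"
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'`
+ if [ x"$syms" != "x" ] ; then
+ CORRECT="yes"
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'`
+ if [ x"$syms" != "x" ] ; then
+ syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'`
+ if [ x"$syms" = "x" ] ; then
+ syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print`
+ if [ x"$syms" = "x" ] ; then
+ CORRECT="no"
+ fi
+ fi
+ fi
+ fi
+
+ # OK, ready for the output
+ if [ "$MODE" = "single" ] ; then
+ printf "%-60s " $f
+ if [ "$CORRECT" = "yes" ] ; then
+ printf "\033[32m%-7s\033[m " $CORRECT
+ elif [ "$CORRECT" = "no" ] ; then
+ printf "\033[31m%-7s\033[m " $CORRECT
+ else
+ printf "\033[33m%-7s\033[m " $CORRECT
+ fi
+ echo
+ else
+ if [ "$CORRECT" = "no" ] ; then
+ CORRECT_SUM="no"
+ fi
+ fi
+done
+}
+
+if [ "$MODE" = "single" ] ; then
+ printf "%-60s%-7s" "FILE" "CORRECT"
+ echo
+ for i; do
+ do_one $1
+ shift
+ done
+ exit 0
+fi
+
+packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | sort`
+printf "%-50s %-7s" "PACKAGE" "CORRECT"
+echo
+for p in $packages
+do
+ CORRECT_SUM="yes"
+ printf "%-50s " $p
+ do_one $p
+ if [ "$CORRECT_SUM" = "yes" ] ; then
+ printf "\033[32m%-7s\033[m " $CORRECT_SUM
+ else
+ printf "\033[31m%-7s\033[m " $CORRECT_SUM
+ fi
+ echo
+done
+exit 0
+
+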
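Review bot: The three symbol checks at lines 70, 73 and 75 only match imports that carry a `@GLIBC` version suffix, so on a target whose libc does not use symbol versioning (musl, which a Yocto layer may well build against) every binary falls through to `n/a` and the "no" class is never reported — a silent false negative rather than an error. Dropping the version anchor, e.g. `egrep ' (setgid|setegid|setresgid)@'`, and doing the same for the setuid and setgroups patterns keeps the heuristic working there; capturing `readelf -s` once per file would also avoid running it three times. The classification is presence-based: a program that calls setgroups() after setuid(), or ignores its return value, still scores "yes", so the header should carry `# NOTE: checks symbol presence only; call order and error handling are not verified`. The unquoted `$f` in the `file`, `readelf` and `find` invocations (lines 65–77) will misbehave on paths containing spaces or glob characters, though rpm payload paths rarely do.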
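--- /dev/null
+++ b/recipes-security/redhat-security/files/selinux-check-devices.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
+
+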
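Review bot: The `-context *:device_t:*` pattern at line 10 is unquoted, so if the working directory happens to hold a file whose name matches `*:device_t:*` the shell expands it before find sees it and the query silently changes; it should read `-context '*:device_t:*'`. `-context` and `-printf "%Z"` are GNU findutils extensions that only exist when find was built with SELinux support, and busybox find (the default on many Yocto images) has neither, so a guard such as `find --version 2>/dev/null | grep -q GNU || { echo "needs GNU find built with SELinux support" >&2; exit 1; }` would replace a confusing option-parse error with a clear message. The script also has no purpose comment; I would add `# List block/character nodes under /dev still carrying the generic device_t type, i.e. devices the policy has presumably not given a specific label.`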
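--- /dev/null
+++ b/recipes-security/redhat-security/files/selinux-ls-unconfined.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# This software may be freely redistributed under the terms of the GNU
+# public license.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+# This checks for unconfined apps running, initrc and inetd are signs
+# of missing transitions.
+
+pidof xinetd >/dev/null
+if [ $? -eq 0 ] ; then
+ps -eZ | egrep "initrc|inetd" | egrep -v `pidof xinetd` | tr ':' ' ' | awk '{ printf "%s %s\n", $3, $NF }'
+else
+ps -eZ | egrep "initrc" | tr ':' ' ' | awk '{ printf "%s %s\n", $3, $NF }'
+fi
+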
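Review bot: The backtick substitution in `egrep -v \`pidof xinetd\`` at line 15 is unquoted, so when more than one xinetd process exists pidof returns several PIDs and every PID after the first becomes a file operand to egrep, which then ignores the piped ps output and errors out. Even with a single PID, a bare number is used as a regex and excludes any line containing that digit sequence anywhere — inside another PID, a TTY name or a context range — not just xinetd's own row. Anchoring on the PID column fixes both: `xpids=$(pidof xinetd | tr ' ' '|')` before the pipeline and `egrep -v "^[^ ]+ +(${xpids}) "` in place of the current `-v` argument. The `pidof ... >/dev/null` followed by `if [ $? -eq 0 ]` at lines 13–14 can simply be `if pidof xinetd >/dev/null ; then`.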
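--- /dev/null
+++ b/recipes-security/redhat-security/redhat-security_1.0.bb
@@ -0,0 +1,38 @@
+DESCRIPTION = "Tools used by redhat linux distribution for security checks"
+SECTION = "security"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+PR = "r0"
+
+SRC_URI = "file://find-chroot-py.sh \
+ file://find-chroot.sh \
+ file://find-elf4tmp.sh \
+ file://find-execstack.sh \
+ file://find-hidden-exec.sh \
+ file://find-nodrop-groups.sh \
+ file://find-sh4errors.sh \
+ file://find-sh4tmp.sh \
+ file://lib-bin-check.sh \
+ file://rpm-chksec.sh \
+ file://rpm-drop-groups.sh \
+ file://selinux-check-devices.sh \
+ file://selinux-ls-unconfined.sh"
+
+S = "${WORKDIR}"
+
+do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}/find-chroot-py.sh ${D}${bindir}
+ install -m 0755 ${WORKDIR}/find-chroot.sh ${D}${bindir}
+ install -m 0755 ${WORKDIR}/find-elf4tmp.sh ${D}${bindir}
+ install -m 0755 ${WORKDIR}/find-execstack.sh ${D}${bindir}
+ install -m 0755 ${WORKDIR}/find-hidden-exec.sh ${D}${bindir}
+ install -m 0755 ${WORKDIR}/find-nodrop-groups.sh ${D}${bindir}
+ install -m 0755 ${WORKDIR}/find-sh4errors.sh ${D}${bindir}
+ install -m 0755 ${WORKDIR}/find-sh4tmp.sh ${D}${bindir}
+ install -m 0755 ${WORKDIR}/lib-bin-check.sh ${D}${bindir}
+ install -m 0755 ${WORKDIR}/rpm-chksec.sh ${D}${bindir}
+ install -m 0755 ${WORKDIR}/rpm-drop-groups.sh ${D}${bindir}
+ install -m 0755 ${WORKDIR}/selinux-check-devices.sh ${D}${bindir}
+ install -m 0755 ${WORKDIR}/selinux-ls-unconfined.sh ${D}${bindir}
+}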
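Review bot: The recipe declares no `RDEPENDS_${PN}`, yet the installed scripts shell out to `rpm`, `file` and `/usr/bin/readelf` (rpm-drop-groups.sh) and to a SELinux-aware GNU `find` and a `ps` that understands `-eZ` (the two selinux-*.sh scripts), so on a minimal image they install cleanly and then fail at run time; something like `RDEPENDS_${PN} = "rpm file binutils findutils procps"` (package names to be confirmed against the layer's providers) would make the requirement explicit, and the rpm-based checks only make sense when the image is built with `package_rpm`. `LIC_FILES_CHKSUM` points at the generic GPL-2.0 text in `${COMMON_LICENSE_DIR}`, which will never change if a script's own license header changes; pointing it at a header in the sources, e.g. `file://rpm-drop-groups.sh;beginline=7;endline=12;md5=...`, is what the field exists for. The scripts' headers say only "GNU public license" without a version, which the `LICENSE = "GPLv2"` claim presumes rather than documents; worth confirming with upstream or noting in the recipe.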