Commit message | Author | Age | Files | Lines
* conf/layer.conf: remove bbclass from BBFILES | Robert Yang | 2018-02-06 | 2 | -2/+2
  Adding bbclass to BBFILES doesn't make any sense.

  Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* swtpm/libtpm: update to latest master | Patrick Ohly | 2017-12-10 | 5 | -75/+35
  This allows dropping some patches for issues that were addressed upstream. It also brings in support for connecting swtpm to qemu without relying on CUSE.

  Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain: remove the path for start-stop-daemon | Mingli Yu | 2017-12-10 | 3 | -17/+17
  Remove the absolute path for start-stop-daemon to fix samhain start-up, as start-stop-daemon is sometimes located in /usr/sbin, not the expected /sbin.

  Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap: fix build issue | Armin Kuster | 2017-12-10 | 1 | -0/+2
  | core2-64-oe-linux/openscap/1.2.15-r0/git/src/.libs/libopenscap.so: error: undefined reference to 'dlopen'
  | core2-64-oe-linux/openscap/1.2.15-r0/git/src/.libs/libopenscap.so: error: undefined reference to 'dlsym'
  | core2-64-oe-linux/openscap/1.2.15-r0/git/src/.libs/libopenscap.so: error: undefined reference to 'dlerror'
  | core2-64-oe-linux/openscap/1.2.15-r0/git/src/.libs/libopenscap.so: error: undefined reference to 'dlclose'

  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* trousers: allow overriding localstatedir mandir sysconfdir | André Draszik | 2017-11-06 | 2 | -0/+69
  It is currently impossible to override localstatedir, mandir and sysconfdir during ./configure, because they are being overridden unconditionally.

  With this patch it is now possible to set above locations as needed.

  Signed-off-by: André Draszik <adraszik@tycoint.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* trousers: make initscript more reliable | André Draszik | 2017-11-06 | 1 | -2/+4
  The combination of using start-stop-daemon and pidof is not working reliably in all cases. Sometimes, the tcsd daemon isn't running yet at the time pidof is being invoked. This results in an empty /var/run/tcsd.pid, making it impossible to stop tcsd using the init script.

  To solve this, one could either add a delay before calling pidof, or alternatively use start-stop-daemon's built-in functionality to achieve the same. Let's do the latter.

  Signed-off-by: André Draszik <adraszik@tycoint.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* fscryptctl: add v0.1.0 | André Draszik | 2017-10-24 | 1 | -0/+27
  fscryptctl is a low-level tool written in C that handles raw keys and manages policies for Linux filesystem encryption [1].

  For a tool that presents a higher level interface and manages metadata, key generation, key wrapping, PAM integration, and passphrase hashing, see fscrypt [2].

  [1] https://lwn.net/Articles/639427
  [2] https://github.com/google/fscrypt

  Signed-off-by: André Draszik <adraszik@tycoint.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap: fix ptest compile errors and update | Armin Kuster | 2017-10-15 | 1 | -1/+3
  update to 1.2.15 plus

  ERROR: openscap-1.2.14-r0 do_package_qa: QA Issue: /usr/lib/openscap/ptest/tests/probes/process58/all.sh contained in package openscap-ptest requires /bin/bash, but no providers found in RDEPENDS_openscap-ptest? [file-rdeps]
  ERROR: openscap-1.2.14-r0 do_package_qa: QA Issue: /usr/lib/openscap/ptest/tests/xmldiff.pl contained in package openscap-ptest requires /usr/bin/perl, but no providers found in RDEPENDS_openscap-ptest? [file-rdeps]
  ERROR: openscap-1.2.14-r0 do_package_qa: QA Issue: /usr/lib/openscap/ptest/tests/nist/test_worker.py contained in package openscap-ptest requires /usr/bin/python2, but no providers found in RDEPENDS_openscap-ptest? [file-rdeps]

  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* keynote: update the SRC_URI | Dengke Du | 2017-10-10 | 1 | -3/+6
  The old URL can't be available, give the new URL to keynote.

  The project already moved to:

  https://sourceforge.net/projects/keynote-2-3/

  The difference between old and new tarball was: the old tarball contains doc directory, source codes were same.

  Signed-off-by: Dengke Du <dengke.du@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openssl-tpm-engine: add package | Armin Kuster | 2017-10-10 | 6 | -0/+570
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2-abrmd: add package | Armin Kuster | 2017-10-10 | 3 | -0/+120
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm-quote-tools: Add package | Armin Kuster | 2017-10-10 | 1 | -0/+23
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* pcr-extend: add new package | Armin Kuster | 2017-10-10 | 1 | -0/+25
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* README: update with basic info | Armin Kuster | 2017-10-10 | 1 | -0/+4
  needed to pass yocto-check-layer

  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* swtpm: fix cuse depends | Armin Kuster | 2017-10-10 | 1 | -2/+8
  if cuse is enabled, depend on fuse which is in meta-filesystems
  throw error if layer is missing.

  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linux-yocto/4.12: update path version | Armin Kuster | 2017-10-02 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* bastille: fix QA issue | Armin Kuster | 2017-10-02 | 1 | -1/+1
  WARNING: bastille-3.2.1-r0 do_package_qa: QA Issue: Symlink /usr/sbin/UndoBastille in bastille points to TMPDIR [symlink-to-sysroot]

  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lynis: move recipe to correct layer | Armin Kuster | 2017-10-02 | 1 | -0/+0
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap-daemon: fix QA issue | Armin Kuster | 2017-10-02 | 1 | -0/+2
  ERROR: openscap-daemon-0.1.6+gitAUTOINC+3fd5c75a08-r0 do_package_qa: QA Issue: /usr/bin/oscapd-cli contained in package openscap-daemon requires /usr/bin/python, but no providers found in RDEPENDS_openscap-daemon? [file-rdeps]

  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: update to 4.0.0 | Armin Kuster | 2017-10-02 | 3 | -6/+6
  libhtp updated in // as suricata contains the sources

  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* redhat-security: remove PR and fix style | Armin Kuster | 2017-10-02 | 1 | -3/+2
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* checksecurity: fix recipe style | Armin Kuster | 2017-10-02 | 1 | -1/+2
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libenv-perl: add recipe removed from core | Armin Kuster | 2017-10-02 | 1 | -0/+21
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* layer.conf: update layer depends | Armin Kuster | 2017-10-02 | 1 | -2/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libewf: fix build issue | Armin Kuster | 2017-10-02 | 1 | -1/+1
  ERROR: gettext-native required but not in DEPENDS for file /build/build_artifacts/master/tmp-glibc/work/i586-oe-linux/libewf/20140608-r0/libewf-20140608/configure.ac.
  Missing inherit gettext?

  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* oe-release: add oe-release file for openscap | Armin Kuster | 2017-09-30 | 1 | -0/+32
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* os-release: needed by openscap | Armin Kuster | 2017-09-30 | 1 | -0/+4
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap: Add oe specific files | Armin Kuster | 2017-09-30 | 6 | -0/+215
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap: add daemon | Armin Kuster | 2017-09-30 | 1 | -0/+18
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap: add scap-security-guide | Armin Kuster | 2017-09-30 | 1 | -0/+57
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* openscap: add package | Armin Kuster | 2017-09-30 | 5 | -0/+140
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* lynis: add auditing tool | Armin Kuster | 2017-09-30 | 1 | -0/+41
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security-compliance: add new layer for compliance and audit applications | Armin Kuster | 2017-09-30 | 2 | -0/+54
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* clamav: update llvm to use 5.0 to match version in core | Armin Kuster | 2017-09-30 | 1 | -1/+1
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* packagegroups: fix invalid license file | Jackie Huang | 2017-09-15 | 5 | -5/+5
  Use '${COMMON_LICENSE_DIR}/MIT' for MIT License to fix the warning:
  | WARNING: packagegroup-core-security do_populate_lic: ${COREBASE}/LICENSE is not a valid license file, please use '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in LIC_FILES_CHKSUM. This will become an error in the future

  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain: fix QA issue for GNU_HASH | Jackie Huang | 2017-09-15 | 2 | -0/+29
  Add LDFLAGS variable to fix QA issue for GNU_HASH:
  | ERROR: samhain-client-4.2.2-r0 do_package_qa: QA Issue: No GNU_HASH in the elf binary: '/builddir/usr/sbin/samhain_setpwd' [ldflags]

  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain: avoid searching host dir for postgresql | Jackie Huang | 2017-09-15 | 2 | -1/+136
  Add a patch to avoid searching host dir for postgresql, and set PGSQL_INC_DIR and PGSQL_LIB_DIR instead.

  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain: fix for the PACKAGECONFIG | Jackie Huang | 2017-09-15 | 1 | -11/+13
  * The "??=" assignment for PACKAGECONFIG is overridden by the following "+=" assignments, which is not expected, so combine them into one assignment with multiple lines.
  * Fix a typo for postgresql.
  * Remove unneeded quotation marks.
  * run autoconf to regenerate the configure, or the patch for ps option doesn't work:
    | configure: error: unrecognized option: --with-ps-path=/bin/ps

  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain: depends on attr when selinux is enabled | Jackie Huang | 2017-09-15 | 1 | -1/+1
  The extended attribute is required by selinux feature, so add the dependency when selinux is enabled.

  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* apparmor: fix a few build issues | Armin Kuster | 2017-09-15 | 1 | -2/+5
  configure.ac:8: http://www.gnu.org/software/automake/manual/automake.html#Modernize-AM_005fINIT_005fAUTOMAKE-invocation
  | configure.ac:8: error: version mismatch. This is Automake 1.15.1,
  | configure.ac:8: but the definition used by this AM_INIT_AUTOMAKE

  add aclocal

  and

  make: Entering directory '/home/akuster/oss/clean/poky/build/tmp/work/mips64-poky-linux/apparmor/2.11.0-r0/apparmor-2.11.0/binutils'
  | error: ../libraries/libapparmor//src/.libs/libapparmor.a is missing. Pick one of these possible solutions:

  remove --disable-static

  and

  ERROR: apparmor-2.11.0-r0 do_package_qa: QA Issue: /usr/lib/apparmor/ptest/testsuite/parser/tst/gen-dbus.pl contained in package apparmor-ptest requires /usr/bin/perl, but no providers found in RDEPENDS_apparmor-ptest? [file-rdeps]

  add perl to ptest RDEPENDS

  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Apparmor: add apache2 to PACKAGECONF and check for webserver layer | Armin Kuster | 2017-09-15 | 1 | -4/+22
  Don't want to add layer depends for one package unless needed.

  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tpm2.0-tss: fix systemd package list | Patrick Ohly | 2017-09-15 | 1 | -1/+1
  Commit 4c4fa8c "tpm2.0-tss: install resourcemgr service" introduced systemd support for the resourcemgr package, but left the default ${PN} in SYSTEMD_PACKAGES, leading to an apparently harmless (?) build error, emitted by systemd.bbclass via bb.error() because tpm2.0-tss does not have a package of that name:

  ERROR: tpm2.0-tss-git-r0 do_package: tpm2.0-tss does not appear in package list, please add it

  Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* nmap: update to 7.60 | Armin Kuster | 2017-09-13 | 1 | -3/+5
  LIC_CHKSUM_FILES changed due to yr update.

  add a few more PACKCONFIG

  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* fail2Ban: Add new package | Armin Kuster | 2017-09-01 | 3 | -0/+314
  Fail2Ban scans log files like /var/log/auth.log and bans IP addresses having too many failed login attempts. It does this by updating system firewall rules to reject new connections from those IP addresses, for a configurable amount of time. Fail2Ban comes out-of-the-box ready to read many standard log files, such as those for sshd and Apache, and is easy to configure to read any log file you choose, for any error you choose.

  Though Fail2Ban is able to reduce the rate of incorrect authentication attempts, it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.

  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* sleuthkit: fix No GNU_HASH in the elf binary | Armin Kuster | 2017-08-31 | 1 | -0/+3
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linux-yocto: drop all 4.1 content | Mikko Ylinen | 2017-08-31 | 7 | -20627/+0
  linux-yocto_4.1.bb recipe has been removed from oe-core master and that triggers a bitbake error due to orphan bbappends maintained in meta-security.

  To fix the error, drop linux-yocto_4.1.bbappend plus the patches and the config fragments for it.

  Signed-off-by: Mikko Ylinen <mikko.ylinen@linux.intel.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* linux-yocto: add 4.12 bbappends | Armin Kuster | 2017-08-31 | 4 | -0/+33
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* tripwire: update to 2.4.3.5 | Armin Kuster | 2017-08-31 | 1 | -2/+2
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain: update to 4.2.2 | Jackie Huang | 2017-08-31 | 17 | -83/+763
  * update to version 4.2.2
  * Add new recipe for standalone mode
  * Add systemd support
  * Add patches to fix several issues
  * samhain-standalone: add ptest support
  * samhain-server: no need to depend on samhain-server-native
  * Move common things from the bb to the inc file

  Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
* apparmor: Additional runtime fixes | Tom Rini | 2017-08-13 | 2 | -8/+28
  - We need various python3 modules and we can only really solve this problem by including all python3-modules.
  - aa-easyprof needs to have its shebang corrected, do so.
  - The apparmor initscript depends on functions that LSB does not require so we must provide them. In some cases it's using non-standard function, so we just use more appropriate names.
  - The apparmor sysvinit-style initscript assumes that systemd-detect-virt will exist on the filesystem. Change this to check that it does before trying to execute it.

  [for aa-easyprof:]
  Reported-by: Anders Montonen <Anders.Montonen@iki.fi>
  Signed-off-by: Tom Rini <trini@konsulko.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>
  Signed-off-by: Armin Kuster <akuster808@gmail.com>