summaryrefslogtreecommitdiffstats
path: root/recipes-ids
Commit message (Collapse)AuthorAgeFilesLines
* suricata: drop pkg_postinst_ontarget systemd initClayton Casciato10 days1-3/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | /var/log/suricata initialization is handled by systemd-tmpfiles-setup.service, which occurs before services like suricata Work towards resolving: ERROR: [...] do_rootfs: The following packages could not be configured offline and rootfs is read-only: ['100-suricata'] Added in commit 36d656fe7244 ("suricata: add tmpfiles.d config") systemd testing: root@beaglebone-yocto:~# ls -d /var/log/suricata /var/log/suricata root@beaglebone-yocto:~# systemctl enable suricata Created symlink '/etc/systemd/system/multi-user.target.wants/suricata.service' -> '/usr/lib/systemd/system/suricata.service'. root@beaglebone-yocto:~# rmdir /var/log/suricata root@beaglebone-yocto:~# reboot now root@beaglebone-yocto:~# ls -d /var/log/suricata /var/log/suricata root@beaglebone-yocto:~# journalctl -o short-iso-precise -u systemd-tmpfiles-setup -u suricata 2025-05-20T00:45:46.450027+00:00 beaglebone-yocto systemd[1]: Starting Create System Files and Directories... [...] 2025-05-20T00:45:47.041049+00:00 beaglebone-yocto systemd[1]: Finished Create System Files and Directories. 2025-05-20T00:45:47.542976+00:00 beaglebone-yocto systemd[1]: Started Suricata IDS/IDP daemon. [...] Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: resolve TMPDIR QA issues in do_configureClayton Casciato10 days1-5/+2
| | | | | | | | | | | | | | | | | | | | | ERROR: suricata-7.0.0-r0 do_package_qa: QA Issue: File /usr/bin/suricata in package suricata contains reference to TMPDIR [buildpaths] ERROR: suricata-7.0.0-r0 do_package_qa: QA Issue: File /usr/src/debug/suricata/7.0.0/src/build-info.h in package suricata-src contains reference to TMPDIR [buildpaths] Address references when src/build-info.h is being written This is similar to Debian's approach: https://sources.debian.org/patches/suricata/1:7.0.10-1~bpo12%2B1/reproducible.patch/ Restore the "already-stripped" check and CFLAGS info Original resolution in commit c0e3fecc3bea ("suricata: fix QA warnings") Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: fix build error introduced by upstream commitArmin Kuster2025-04-131-0/+12
| | | | | | | | | | 7a2b9acef2 cargo: pass PACKAGECONFIG_CONFARGS to cargo build error: unexpected argument '--with-libcap_ng-includes' found | | Usage: cargo build --verbose... --target [<TRIPLE>] --release --manifest-path <PATH> --offline Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain: upgrade 4.4.10 -> 4.5.2Yi Zhao2025-04-1315-118/+168
| | | | | | | | | | ChangeLog: https://fossies.org/linux/samhain/docs/Changelog * Refresh patches Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libhtp: update to 0.5.50Armin Kuster2025-04-132-152/+2
| | | | | | drop CVE-2024-45797.patch now included Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libhtp: fix CVE-2024-45797Hitendra Prajapati2024-11-242-1/+151
| | | | | | | Upstream-Status: Backport from https://github.com/OISF/libhtp/commit/0d550de551b91d5e57ba23e2b1e2c6430fad6818 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: run whole autotools_do_configure not just oe_runconfMartin Jansa2024-09-091-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | Otherwise Makefile isn't regenerated and do_compile fails with: suricata/7.0.0/suricata-7.0.0/missing: line 81: aclocal-1.16: command not found after automake upgrade from 1.16.5 to 1.17 from: https://git.openembedded.org/openembedded-core/commit/?id=b98328a6ff07119e7ba4f1072090d789e69edef8 Fixes: CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/bash 'TOPDIR/BUILD/work/mach-distro-linux/suricata/7.0.0/suricata-7.0.0/missing' aclocal-1.16 -I m4 TOPDIR/BUILD/work/mach-distro-linux/suricata/7.0.0/suricata-7.0.0/missing: line 81: aclocal-1.16: command not found WARNING: 'aclocal-1.16' is missing on your system. You should only need it if you modified 'acinclude.m4' or 'configure.ac' or m4 files included by 'configure.ac'. The 'aclocal' program is part of the GNU Automake package: <https://www.gnu.org/software/automake> It also requires GNU Autoconf, GNU m4 and Perl in order to run: <https://www.gnu.org/software/autoconf> <https://www.gnu.org/software/m4/> <https://www.perl.org/> make: *** [Makefile:465: aclocal.m4] Error 127 Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* aide: update to latest stable.Armin Kuster2024-08-032-5/+47
| | | | | | | | address new configure error. Enable pthread always mhash is being dropped in the next release so switch to gcrypt for now. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: fix QA warningsArmin Kuster2024-07-291-0/+5
| | | | | | ERROR: suricata-7.0.0-r0 do_package: QA Issue: File '/usr/bin/suricata' from suricata was already stripped, this will prevent future debugging! [already-stripped] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* recipes-*: convert WORKDIR->UNPACKDIRArmin Kuster2024-07-297-17/+17
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Suricata: Security Fix for CVE-2024-37151, CVE-2024-38534, CVE-2024-38535, ↵Siddharth Doshi2024-07-296-0/+491
| | | | | | | | | | | | | | | CVE-2024-38536 Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b, https://github.com/OISF/suricata/commit/a753cdbe84caee3b66d0bf49b2712d29a50d67ae, https://github.com/OISF/suricata/commit/c82fa5ca0d1ce0bd8f936e0b860707a6571373b2, https://github.com/OISF/suricata/commit/2bd3bd0e318f19008e9fe068ab17277c530ffb92] CVE's Fixed: CVE-2024-37151 suricata: suricata: packet reassembly failure, which can lead to policy bypass CVE-2024-38534 suricata: suricata: Crafted modbus traffic can lead to unlimited resource accumulation within a flow CVE-2024-38535 suricata: Suricata: can run out of memory when parsing crafted HTTP/2 traffic CVE-2024-38536 suricata: NULL pointer dereference when http.memcap is reached Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: Start WORKDIR -> UNPACKDIR transitionWang Mingyu2024-06-171-1/+3
| | | | | | | Replace references of WORKDIR with UNPACKDIR where it makes sense to do so in preparation for changing the default value of UNPACKDIR. Signed-off-by: Wang Mingyu <wangmy@fujitsu.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* recipes: WORKDIR -> UNPACKDIR transitionChangqing Li2024-06-172-9/+9
| | | | | | | | | * WORKDIR -> UNPACKDIR transition * Switch away from S = WORKDIR Signed-off-by: Changqing Li <changqing.li@windriver.com> [Fixed up the smack changes due to prior patch] Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security: Drop ${PYTHON_PN}Armin Kuster2024-03-271-3/+3
| | | | | | | Signed-off-by: Armin Kuster <akuster808@gmail.com> --- V2] Fix typo in python3-pyinotify changes
* samhain: remove the buildpathMingli Yu2023-11-081-0/+4
| | | | | | | | | | Fixes: WARNING: samhain-server-4.4.10-r0 do_package_qa: QA Issue: File /var/lib/samhain/samhain-install.sh in package samhain-server contains reference to TMPDIR [buildpaths] WARNING: samhain-server-4.4.10-r0 do_package_qa: QA Issue: File /usr/share/doc/samhain-server/scripts/samhain.ebuild-light in package samhain-server-doc contains reference to TMPDIR File /usr/share/doc/samhain-server/scripts/samhain.ebuild in package samhain-server-doc contains reference to TMPDIR [buildpaths] Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libhtp: update to 0.5.45Armin Kuster2023-09-251-0/+0
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: Update to 7.0.0Armin Kuster2023-09-254-673/+1101
| | | | | | | refersh patches update libhtp Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: fix build issue.Armin Kuster2023-09-121-1/+2
| | | | | | If you want to try to generate the lock file without accessing the network, remove the --frozen flag and use --offline instead. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ossec-hids: Fix usermodArmin Kuster2023-07-311-53/+58
| | | | | | | Use built in USERMOD to set uid and gid properly. convert to using OSSEC_DIR instead of DIR Signed-off-by: Armin Kuster <akuster808@gmail.com>
* .patch: remove probably unused patchesMartin Jansa2023-06-251-18/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There could be some false possitives (the script is far from perfect), so please test it on your QA, I've only double checked with "git grep" (the script looks only in parent directory). @ ~/layers/meta-security $ /OE/extra-layers/meta-ros/scripts/check-patch-files.sh . ./recipes-ids/tripwire/files/add_armeb_arch.patch: not used in any recipe ./dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch: not used in any recipe ./recipes-scanners/clamav/files/fix2_libcurl_check.patch: not used in any recipe ./recipes-scanners/arpwatch/files/postfix_workaround.patch: not used in any recipe ./meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch: not used in any recipe ./meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch: not used in any recipe ./meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch: not used in any recipe ./meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch: not used in any recipe ./meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch: not used in any recipe ./recipes-mac/AppArmor/files/disable_perl_h_check.patch: not used in any recipe @ ~/layers/meta-security $ git grep add_armeb_arch.patch @ ~/layers/meta-security $ git grep 0001-To-fix-build-error-of-xrang.patch @ ~/layers/meta-security $ git grep fix2_libcurl_check.patch @ ~/layers/meta-security $ git grep postfix_workaround.patch @ ~/layers/meta-security $ git grep Use-format-s-for-call-to-dprintf.patch @ ~/layers/meta-security $ git grep fix_signed_issue.patch @ ~/layers/meta-security $ git grep Convert-another-vdprintf-to-dprintf.patch @ ~/layers/meta-security $ git grep fix_lib_search_path.patch @ ~/layers/meta-security $ git grep fix_fcntl_h.patch @ ~/layers/meta-security $ git grep disable_perl_h_check.patch Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* *.patch: fix malformed Upstream-Status and SOB linesMartin Jansa2023-06-253-8/+8
| | | | | | | | | | | | | | | | | | | | | | * as reported by openembedded-core/scripts/contrib/patchreview.py -v . Malformed Signed-off-by 'Signed-Off-By:' (./recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch) Malformed Signed-off-by 'Signed-Off-By:' (./recipes-mac/AppArmor/files/disable_perl_h_check.patch) Missing Upstream-Status tag (./recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch) Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-ids/samhain/files/samhain-pid-path.patch Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-ids/suricata/files/fixup.patch Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-scanners/clamav/files/fix2_libcurl_check.patch Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/isic/files/configure_fix.patch Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/krill/files/panic_workaround.patch Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/opendnssec/files/libdns_conf_fix.patch Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/opendnssec/files/libxml2_conf.patch Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain: Update to 4.4.10Armin Kuster2023-05-221-2/+2
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: update to 6.0.11Armin Kuster2023-05-061-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libhtp: update to 0.5.43Armin Kuster2023-05-061-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* ossec-hids: update to tip of 3.7.0Armin Kuster2023-05-061-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: Missed on crate dependsArmin Kuster2023-04-081-0/+2
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: Fixup to work within the recent crate changes.Armin Kuster2023-04-082-90/+725
| | | | | | | | Had to delete some wonky Cargo.toml files to get update_crates to work. Manually updated one crate to a newer version included by update_crates as it would not compile. Manually applied several crates missed by update_crates. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: update to 6.0.10Armin Kuster2023-03-201-1/+2
| | | | | | fixup another python file to use py3 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* libhtp: update to 0.5.42Armin Kuster2023-03-201-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain: rework due to changed cache handlingMax Krummenacher2023-01-284-8/+9
| | | | | | | | | | | | | | | | | | | | | | | OE-Core changed the cache handling which made the use of ${BPN} no fail. | Parsing recipes...WARNING: .../samhain-standalone.bb: Exception during build_dependencies for do_configure | WARNING: .../samhain-standalone.bb: Error during finalise of .../samhain-standalone.bb | ERROR: ExpansionError during parsing .../samhain-standalone.bb | Traceback (most recent call last): | File "Var <MODE_NAME>", line 1, in <module> | bb.data_smart.ExpansionError: Failure expanding variable MODE_NAME, expression was ${@d.getVar('BPN').split('-')[1]} which triggered exception IndexError: list index out of range | The variable dependency chain for the failure is: MODE_NAME -> SAMHAIN_MODE -> do_configure Simplify the setting of MODE_NAME and SAMHAIN_MODE by setting them in the recipe files where we know their values. bitbake: ee89ade5 cache/codeparser: Switch to a new BB_CACHEDIR variable for cache location oe-core: 7c15e03dd3 bitbake.conf: Add BB_HASH_CODEPARSER_VALS Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: fix compile issueArmin Kuster2022-09-121-0/+2
| | | | | | make[2]: *** No rule to make target '../rust/target/arm-poky-linux-gnueabi/release/libsuricata.a', needed by 'suricata' Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain-standalone: fix buildpaths issueMingli Yu2022-08-252-0/+45
| | | | | | | | | Fixes: WARNING: samhain-standalone-4.4.9-r0 do_package_qa: QA Issue: File /usr/share/doc/samhain-standalone/scripts/samhain.ebuild-light in package samhain-standalone-doc contains reference to TMPDIR File /usr/share/doc/samhain-standalone/scripts/samhain.ebuild in package samhain-standalone-doc contains reference to TMPDIR [buildpaths] Signed-off-by: Mingli Yu <mingli.yu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* aide: add UPSTREAM_CHECK_URIArmin Kuster2022-08-021-0/+2
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: update to 6.0.5Armin Kuster2022-07-301-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* aide.conf: adjust to allow for build time db creationArmin Kuster2022-06-231-7/+4
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* aide: add native support for build time db creationArmin Kuster2022-06-231-2/+30
| | | | | | | | | | | This will help create a aide db during build that is then installed on the rootfs for verification at boot time. This work was inspired by: Marco Cavallini Yocto Project Ambassador Signed-off-by: Armin Kuster <akuster808@gmail.com>
* aide: add a few more config optionsArmin Kuster2022-06-231-1/+3
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* aide: fix typoYi Zhao2022-06-181-1/+2
| | | | | | | | Fix typo: RDPENDS_${PN} -> RDEPENDS:${PN} Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain: update to 4.4.9Armin Kuster2022-05-231-2/+2
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: update to 5.0.5Armin Kuster2022-05-232-2/+2
| | | | libhtp rolls with it
* ossec-hids: update to 3.7.0Armin Kuster2022-05-231-1/+1
| | | | | | See https://github.com/ossec/ossec-hids/releases/tag/3.7.0 Signed-off-by: Armin Kuster <akuster808@gmail.com>
* aide: Update 01.17.4Armin Kuster2022-05-231-1/+1
| | | | | | Precalculate buffer size in base64 functions (CVE-2021-45417) Signed-off-by: Armin Kuster <akuster808@gmail.com>
* aide: Add depend on audit when audit is enabled.Jeremy A. Puhlman2022-05-231-1/+1
| | | | | | | | | | checking for libaudit.h... no | configure: error: You don't have libaudit properly installed. Install it if you need it. | NOTE: The following config.log files may provide further information. Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: drop nfnetlink from pkg configArmin Kuster2022-05-141-1/+2
| | | | | | nfnetlink has a layer dependancy to meta-networking. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* LICENSE: update to SPDX standard namesJoe Slater2022-04-133-3/+3
| | | | | | | Use convert-spdx-licenses.py to update LICENSE in recipes. Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain.inc: Correct LICENSE to GPL-2.0-onlyRanjitsinh Rathod2022-04-131-1/+1
| | | | | | | | | It seems below change done manually and so LICENSE variable modified from GPLv2 to GPL-2.0-or-later. But it should be GPL-2.0-only Link: https://git.yoctoproject.org/meta-security/commit/?id=c56ae450c93a1383a1ce800a32a6ef2c3fbbae1c Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* samhain: update to 4.4.7Armin Kuster2022-04-071-2/+2
| | | | | | This fixes musl builds too. Signed-off-by: Armin Kuster <akuster808@gmail.com>
* meta-security : Use SPDX style licensing formatAshish Sharma2022-04-022-2/+2
| | | | | | | | | | | | | | WARNING: selinux-sandbox-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \ WARNING: selinux-gui-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \ WARNING: semodule-utils-3.3-r0.1 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \ WARNING: selinux-dbus-3.3-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2+ [obsolete-license] \ WARNING: libwhisker2-perl-2.5-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPL-1.0+ [obsolete-license] \ WARNING: lib-perl-0.63-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPL-1.0+ [obsolete-license] \ WARNING: libhtp-0.5.39-r0 do_package_qa: QA Issue: Recipe LICENSE includes obsolete licenses GPLv2 [obsolete-license] \ ... Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
* recipes: Use renamed SKIP_RECIPE varFlagArmin Kuster2022-02-221-1/+1
| | | | Signed-off-by: Armin Kuster <akuster808@gmail.com>
* suricata: update to 6.0.4Armin Kuster2022-02-042-3/+3
| | | | | | bump lexical-core to 0.6.8 Signed-off-by: Armin Kuster <akuster808@gmail.com>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-07-03 15:55:42 +0000