<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-security.git/recipes-security/buck-security, branch wip_kernel</title>
<subtitle>Mirror of git.yoctoproject.org/meta-security.git</subtitle>
<id>https://git.enea.com/cgit/linux/meta-security.git/atom?h=wip_kernel</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-security.git/atom?h=wip_kernel'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/'/>
<updated>2013-10-24T01:57:20+00:00</updated>
<entry>
<title>meta-security: Bump buck-security to new version and remove patch file.</title>
<updated>2013-10-24T01:57:20+00:00</updated>
<author>
<name>mulhern</name>
<email>mulhern@yoctoproject.org</email>
</author>
<published>2013-10-20T17:51:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=cac0cef10cb7dc66d64c2e403b61457f5ba79bab'/>
<id>urn:sha1:cac0cef10cb7dc66d64c2e403b61457f5ba79bab</id>
<content type='text'>
Since I am maintaining buck-security it has accepted the patch
take_root_dir.patch and the new version (0.7) contains the result of
applying the patch.

Signed-off-by: mulhern &lt;mulhern@yoctoproject.org&gt;
</content>
</entry>
<entry>
<title>buck-security: Parameterize hard-coded file locations.</title>
<updated>2013-10-24T01:57:20+00:00</updated>
<author>
<name>mulhern</name>
<email>mulhern@yoctoproject.org</email>
</author>
<published>2013-09-04T00:30:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=594e95f052d352c4b269a39e994785e4e60ef078'/>
<id>urn:sha1:594e95f052d352c4b269a39e994785e4e60ef078</id>
<content type='text'>
buck-security hard-codes a number of file locations for the target system on
which it operates and also its own dependencies. These hard-coded dependencies
have been parameterized and a few other related changes have been made. The
changes are more fully explained below.

buck-security.bb:

* The RDEPENDS_${PN} variable has been made more orderly in anticipation of
  subsequent changes. It also includes a few other perl modules required by
  the changes to the application.
* The functionality.patch file has been removed and superseded by the
  take_root_dir.patch patch.
* The definition of S is parameterized on BPN not PN; they are different if the
  package has a native option.
* The install step replaces the use directives and an assignment in the
  buck-security script in a more general way than previously.
* The recipes now allows the package to have a native version.

take_root_dir.patch:
  * buck-security

    * An additional flag, sysroot, that specifies the sysroot of the filesystem
      that the buck-security utility inspects is added. If the sysroot can not
      be located the script fails gracefully.
    * An additional flag, no-sudo, which prevents the script from exiting
      if it is not run by root is added.
    * An additional flag, disable-checks, which accepts a comma-separated list
      of checks to be disabled is added.
    * The script checks whether there has been an error in parsing the
      command-line arguments and fails with a usage message if there has.
    * The log flag now optionally takes a log file name.
    * The location of the configuration file is calculated relative to the
      location of the main script and if it can not be found the script fails
      gracefully.
    * The various file locations specified in the buck-security configuration
      file are made relative to the location of the buck-security script or the
      sysroot as appropriate.
    * If a log file has been specified the log is not also printed to stdout.
    * The command actually executed is printed in the log.
    * Some checks for mutually exclusive options are added.
    * Output level 3 is now meaningless, so it has been removed.
    * Various changes have been made to the report format.
    * Results are sorted lexicographically and, if abspath, do not include
      the sysroot.

  * checks/*.pm files
    * Wherever a directory had been hard-coded it is now parameterized on the
      sysroot.
    * In some cases, a test that had previously been run as a bash test was
      converted to a perl test to allow better handling of results and errors.
    * The output parameter is no longer accepted by the check procedure since
      this value is global.
    * All check procedures now accept an output_type parameter.
    * The dangling URLs are removed from the help text.

  * checks/lib/check.pm
    * The CheckBash and CheckPerl functions have been adapted so that the
      the filepaths are not hard-coded and so that the actual command is made
      available to the logging component.
    * A parameter indicating the outcome type is accepted and passed to the
      exception checker.
    * Error output is clearly distinguished from regular output.
    * A failure in a test is clearly distinguished from an insecure result.
    * The output is no longer formatted in the check functions.

  * checks/lib/mkchecksum.pm
    * The command no longer is run on non-existent directories.

  * checks/lib/exceptions.pm
    * The exception file path is located relative to the buck-security script.
    * If the exceptions are pathnames, the sysroot is prepended.
    * Correct wildcard semantics is observed.

  * checks/lib/users.pm
    * The passwd files are located relative to the sysroot.
    * Reading from the password file is made more principle.
    * The test experiences an error if files can not be found rather than
      the script terminating.
    * Some dead code is eliminated.

  * conf/buck-security.conf
    * The checksum_dir variable is a list instead of a string for easier
      manipulation.
    * The new configuration variable sysdir is added and the default is /.
    * The ssh_config variable is added.
    * All tests are included in the checks variable.

  * checks/sshd.pm
    * The ssh config file is set in the buck-security configuration file
      instead of hard-coded here.

  * checks/nopasswd.pm
    * This is a duplicate of emptypasswd, so it is removed.

  * RDEPENDS_${PN}_class-native variable is added as some tasks make no
    sense when run externally. Since they will not be run, there is no point
</content>
</entry>
<entry>
<title>Added missing functionality to buck-security</title>
<updated>2013-08-01T07:52:33+00:00</updated>
<author>
<name>Andrei Dinu</name>
<email>andrei.adrianx.dinu@intel.com</email>
</author>
<published>2013-08-01T07:52:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=9534de459e6d48dd9809710e9ce6bf6712821237'/>
<id>urn:sha1:9534de459e6d48dd9809710e9ce6bf6712821237</id>
<content type='text'>
 * added pinentry recipe needed for buck-security option
 * added missing rdepends to recipe
 * added functionality patch
 * updated README file

Signed-off-by: Andrei Dinu &lt;andrei.adrianx.dinu@intel.com&gt;
</content>
</entry>
<entry>
<title>meta-security-1.0-final</title>
<updated>2013-07-11T14:37:43+00:00</updated>
<author>
<name>Andrei Dinu</name>
<email>andrei.adrianx.dinu@intel.com</email>
</author>
<published>2013-07-11T14:37:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=2d0c61a39f5608fbe2180ccfd067d0858aa12092'/>
<id>urn:sha1:2d0c61a39f5608fbe2180ccfd067d0858aa12092</id>
<content type='text'>
Signed-off-by: Andrei Dinu &lt;andrei.adrianx.dinu@intel.com&gt;
</content>
</entry>
<entry>
<title>security layer updated work</title>
<updated>2013-07-01T13:45:26+00:00</updated>
<author>
<name>Andrei Dinu</name>
<email>andrei.adrianx.dinu@intel.com</email>
</author>
<published>2013-07-01T13:45:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-security.git/commit/?id=f359c35ab250c09e858d88b8b1aa872bb7d2cddd'/>
<id>urn:sha1:f359c35ab250c09e858d88b8b1aa872bb7d2cddd</id>
<content type='text'>
Signed-off-by: Andrei Dinu &lt;andrei.adrianx.dinu@intel.com&gt;
</content>
</entry>
</feed>
