summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* dm-verity-img.bbclass: filter units from value partwhinlatter-nextwhinlatterStephan Wurm2026-01-181-2/+2
| | | | | | | | | | | | | | | | | | | | | | This is necessary for cryptsetup starting from v2.8.0 which introduced "[units]" in its output breaking the parsing of veritysetup output. VERITY header information for image-poky-20250701085433.squashfs-zst.verity. UUID: 5dc16c55-79b8-4988-9d79-900f8e143f98 Hash type: 1 Data blocks: 40091 Data block size: 4096 [bytes] Hash blocks: 318 Hash block size: 4096 [bytes] Hash algorithm: sha256 Salt: f670bf67a32f4f5a22e052d7bf84830f8d35ea24e2d52f585f6275207899153b Root hash: a7eab55b7933e347650671611e4b2a10571f2a28a1fb0fc8eae409f7a0d86693 This extends the value filter to remove the "[units]" from the .env file, while retaining compatibility to older cryptsetup releases. Signed-off-by: Stephan Wurm <stephan.wurm@a-eberle.de> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: add PACKAGECONFIG[seccomp] - MemoryDenyWriteExecuteClayton Casciato2026-01-182-1/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add option to prevent memory mappings that are both writable and executable. https://www.freedesktop.org/software/systemd/man/255/systemd.exec.html#MemoryDenyWriteExecute= Core Suricata developer: https://github.com/jasonish/suricata-rpms/blob/a606a810325dd0a4f3ee45b2756b96bda28e590b/7.0/suricata-4.1.1-service.patch#L23 Fedora: https://src.fedoraproject.org/rpms/suricata/c/cfb3b996f54d28018cd01f9c6b9ecb77e59f344d Resolve SELinux AVC denial: type=PROCTITLE proctitle=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 type=SYSCALL arch=aarch64 syscall=mprotect success=no exit=EACCES(Permission denied) a0=0x7fffa7d04000 a1=0x4000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x21 items=0 ppid=1 pid=283 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=Suricata-Main exe=/usr/bin/suricata subj=system_u:system_r:initrc_t:s0 key=(null) type=AVC avc: denied { execmem } for pid=283 comm=Suricata-Main scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* lynis: upgrade to 3.1.6Scott Murray2026-01-181-1/+1
| | | | | | | Release notes: https://github.com/CISOfy/lynis/releases/tag/3.1.6 Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* Update CI configuration for whinlatterScott Murray2026-01-071-4/+4
| | | | | | Update kas configuration for CI to use whinlatter branch. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* Update kas configurationScott Murray2026-01-074-12/+12
| | | | | | | | | Changes to catch up with current kas and future-proof a bit: * Update the kas configuration file versions to 19 to match kas 4.8.x. * Change refspec to branch to remove deprecation warnings. * Add quoting around URLs to match upstream examples. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* meta-parsec: Remove meta-clang dependencyScott Murray2026-01-073-9/+3
| | | | | | | | Since clang is in openembedded-core now, meta-parsec no longer needs meta-clang. Also updated maintainers in meta-parsec README.md since it had previously been missed. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: update PACKAGECONFIG[jansson] option to requiredClayton Casciato2025-12-311-3/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | jansson is required as of Suricata 5.0: https://github.com/OISF/suricata/commit/e49c40428e1b9f7e5dcdb5857c3978d5cb859fd9 This is still required in the latest release: https://github.com/OISF/suricata/blob/suricata-8.0.2/configure.ac#L828 On exclusion attempt: [...] | checking for jansson.h... no | checking for json_dump_callback in -ljansson... no | | ERROR: Jansson is now required. | | Go get it from your distribution or from: | http://www.digip.org/jansson/ | | Ubuntu/Debian: apt install libjansson-dev | CentOS: yum install jansson-devel | Fedora: dnf install jansson-devel | | NOTE: The following config.log files may provide further information. | NOTE: [...]/poky-whinlatter/build/tmp/work/cortexa57-poky-linux/suricata/7.0.13/sources/suricata-7.0.13/config.log | ERROR: configure failed | WARNING: exit code 1 from a shell command. ERROR: Task ([...]/poky-whinlatter/layers/meta-security/recipes-ids/suricata/suricata_7.0.13.bb:do_configure) failed with exit code '1' Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: drop trailing whitespaceClayton Casciato2025-12-311-6/+6
| | | | | Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: drop deprecated nss, nspr PACKAGECONFIGsClayton Casciato2025-12-221-3/+1
| | | | | | | | | | | | | Default add in 3f95047ae1e1d ("suricata: package update to 2.0.8") https://docs.suricata.io/en/suricata-8.0.1/upgrade.html#id7 As of 7.0, "NSS is no longer required. File hashing and JA3 can now be used without the NSS compile time dependency." Removed in 8.0: https://github.com/OISF/suricata/blob/suricata-8.0.1/ChangeLog#L647 Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
* openscap: switch to libpcre2hongxu2025-12-221-2/+2
| | | | | | | | The openscap added PCRE2 library since 2023 [1] [1] https://github.com/OpenSCAP/openscap/commit/cd1d4289581fa15527e516ddd07be814af7cba55 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
* scap-security-guide: update branchScott Murray2025-12-221-1/+1
| | | | | | | Switch back to the "stable" branch in SRC_URI now that upstream has changed its branch maintenance model so it is indeed stable. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* scap-security-guide: add UPSTREAM_CHECK_GITTAGREGEXYi Zhao2025-12-221-0/+1
| | | | | | | | | | | | | | | | | | | Add UPSTREAM_CHECK_GITTAGREGEX to check the correct latest stable verison. Before the patch: $ devtool latest-version scap-security-guide INFO: Current version: 0.1.78 INFO: Latest version: 0.5.0 INFO: Latest version's commit: b0a1b1c3db40f5fe8610c43cbc391bde92cc78b6 After the patch: $ devtool latest-version scap-security-guide INFO: Current version: 0.1.78 INFO: Latest version: 0.1.78 INFO: Latest version's commit: f7d794851971087db77d4be8eeb716944a1aae21 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* sssd: inherit github-releases classYi Zhao2025-12-221-3/+1
| | | | | | | | | | | | | | | | | Inherit github-releases class to check the correct latest stable verison. Before the patch: $ devtool latest-version sssd INFO: Current version: 2.10.2 INFO: Latest version: After the patch: $ devtool latest-version sssd INFO: Current version: 2.10.2 INFO: Latest version: 2.11.1 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* libmhash: add UPSTREAM_CHECK_URIYi Zhao2025-12-221-0/+2
| | | | | | | | | | | | | | | | Add UPSTREAM_CHECK_URI to check the correct latest stable verison. Before the patch: $ devtool latest-version libmash INFO: Current version: 0.9.9.9 INFO: Latest version: After the patch: $ devtool latest-version libmash INFO: Current version: 0.9.9.9 INFO: Latest version: 0.9.9.9 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* clamav: Add recipe for version 1.4.3Hemant Jadhav2025-12-229-255/+537
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add modern ClamAV 1.4.3 recipe with comprehensive improvements over the legacy 0.104.4 version. Remove the end-of-life 0.104.4 recipe and associated patches as they are superseded by this version. Major changes in 1.4.3: - Upgraded core engine with improved threat detection capabilities - Added Rust components requiring cross-compilation support - Updated CMake build system replacing legacy autotools - Modernized library dependencies (LLVM, JSON-C, PCre2) - Added comprehensive license compliance for multi-component package - Enhanced cross-compilation support for all target architectures The recipe includes dynamic Cargo configuration using Yocto variables to support cross-compilation to any target architecture supported by the build system. Runtime configuration improvements: - Set APP_CONFIG_DIRECTORY to ${sysconfdir}/clamav for proper config paths - Added volatiles/tmpfiles support for /var/lib/clamav and /var/log/clamav - Added pkg_postinst scripts to ensure correct directory ownership - Implemented CMake cache variables for cross-compilation - Updated all license checksums for compliance - Added Rust toolchain integration with automatic environment setup - Use Cargo vendoring with cargo + cargo-update-recipe-crates classes Security rationale: - ClamAV 0.104.4 reached end-of-life and is no longer maintained - Upstream strongly recommends migration to 1.4.x for security updates Signed-off-by: Hemant Jadhav <hemant.jadhav@emerson.com> (regenerated diff, fixed building with systemd, fixed target Rust configuration, disabled for 32-bit targets) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: update to 7.0.13Scott Murray2025-11-282-705/+734
| | | | | | | Release notes: https://suricata.io/2025/11/06/suricata-8-0-2-and-7-0-13-released/ Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* libgssglue: add UPSTREAM_CHECK_GITTAGREGEXYi Zhao2025-11-211-0/+2
| | | | | | | | | | | | | | | | | | | | Add UPSTREAM_CHECK_GITTAGREGEX to check the correct latest stable verison. Before the patch: $ devtool latest-version libgssglue INFO: Current version: 0.9 INFO: Latest version: 011 INFO: Latest version's commit: af30789052a8cc5f86b5b0c8fd4758c7ba1505ff After the patch: $ devtool latest-version libgssglue INFO: Current version: 0.9 INFO: Latest version: 0.9 INFO: Latest version's commit: ada76bdaec665f70505f0b3aefe871b873e7c4b6 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* oeqa: openscap testLouis Rannou2025-11-212-1/+49
| | | | | | | | | | | | Add basic openscap test. This looks for an existing profile and run a basic scan. Openscap scans return 1 in case of failure, 0 in case of success and 2 when a vulnerability has been found. As this does not aim to check openscap reports, 2 is considered as a successful test. Signed-off-by: Louis Rannou <louis.rannou@non.se.com> (added to test image) Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* openscap: fixesLouis Rannou2025-11-211-2/+2
| | | | | | | | | Fixes: - typo in the RDEPENDS class-target override ('-' instead of ':') - typo SUMARRY -> SUMMARY Signed-off-by: Louis Rannou <louis.rannou@non.se.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* libgssglue: update HOMEPAGEYi Zhao2025-11-211-1/+1
| | | | | | | The original homepage is outdated. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* scap-security-guide: upgrade 0.1.77 -> 0.1.78Yi Zhao2025-11-211-1/+1
| | | | | | | | ChangeLog: https://github.com/ComplianceAsCode/content/releases/tag/v0.1.78 Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* openscap: upgrade 1.4.1 -> 1.4.2Yi Zhao2025-11-211-1/+3
| | | | | | | | | | ChangeLog: https://github.com/OpenSCAP/openscap/releases/tag/1.4.2 Disable building on musl as scap-security-guide already does. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* ima-evm-utils: remove unnecessary FILESEXTRAPATHS tweakScott Murray2025-11-131-2/+0
| | | | | | | | | It was pointed out that the recipe was wrongly doing FILESEXTRAPATHS:append, but on inspection the recipe does not need it at all, so just remove. Reported-by: Robert P. J. Day <rpjday@crashcourse.ca> Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* suricata: update to 7.0.12Clayton Casciato2025-11-1210-1299/+779
| | | | | | | | | | | | | | | | | | | Also update libhtp to required version 0.5.52. See suricata release notes for more details about changes and CVEs fixed: https://suricata.io/2024/02/08/suricata-7-0-3-and-6-0-16-released/ https://suricata.io/2024/03/19/suricata-7-0-4-and-6-0-17-released/ https://suricata.io/2024/04/23/suricata-7-0-5-and-6-0-19-released/ https://suricata.io/2024/06/27/suricata-7-0-6-and-6-0-20-released/ https://suricata.io/2024/10/01/suricata-7-0-7-released/ https://suricata.io/2024/12/12/suricata-7-0-8-released/ https://suricata.io/2025/03/18/suricata-7-0-9-released/ https://suricata.io/2025/07/08/suricata-7-0-11-released/ https://suricata.io/2025/09/16/suricata-8-0-1-and-7-0-12-released/ Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
* fail2ban: replace fail2ban-python shebang with python3Haixiao Yan2025-11-121-0/+3
| | | | | | | | | | In Yocto, there is only one Python interpreter (python3), and the auto-generated "fail2ban-python" symlink is not used. To ensure all installed scripts can run correctly, replace the shebang line from "#!/usr/bin/env fail2ban-python" to "#!/usr/bin/env python3" during installation. Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
* ecryptfs-utils: Add CVE tag for ecryptfs-utils-CVE-2016-6224.patchhongxu2025-11-121-0/+1
| | | | | | | Follow Yocto policy to add CVE tag to CVE patch Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
* fail2ban: Adapt test output to Automake format for ptest compatibilityHaixiao Yan2025-11-122-1/+51
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Convert fail2ban-testcases output to follow Automake-compatible format (PASS:/FAIL:) so that ptest-runner can correctly parse and report test results. root@intel-x86-64:~# ptest-runner python3-fail2ban -t 300 START: ptest-runner 2025-09-22T07:57 BEGIN: /usr/lib64/python3-fail2ban/ptest Fail2ban 1.1.1.dev1 test suite. Python 3.12.11 (main, Jun 3 2025, 15:41:47) [GCC 13.4.0]. Please wait... I: Skipping smtp tests: No module named 'smtpd' I: Skipping SSL smtp tests: No module named 'aiosmtpd' PASS: fail2ban.tests.servertestcase.Transmitter.testAction PASS: fail2ban.tests.servertestcase.Transmitter.testAddJail PASS: fail2ban.tests.servertestcase.Transmitter.testDatabase PASS: fail2ban.tests.servertestcase.Transmitter.testDatePattern PASS: fail2ban.tests.servertestcase.Transmitter.testGetNOK PASS: fail2ban.tests.servertestcase.Transmitter.testJailAttemptIP PASS: fail2ban.tests.servertestcase.Transmitter.testJailBanIP ... PASS: fail2ban.tests.servertestcase.TransmitterLogging.testBanTimeIncr PASS: fail2ban.tests.servertestcase.TransmitterLogging.testFlushLogs PASS: fail2ban.tests.servertestcase.TransmitterLogging.testLogLevel PASS: fail2ban.tests.servertestcase.TransmitterLogging.testLogTarget PASS: fail2ban.tests.servertestcase.TransmitterLogging.testLogTargetSYSLOG PASS: fail2ban.tests.servertestcase.TransmitterLogging.testSyslogSocket PASS: fail2ban.tests.servertestcase.TransmitterLogging.testSyslogSocketNOK ============================================================================ Testsuite summary DURATION: 48 END: /usr/lib64/python3-fail2ban/ptest 2025-09-22T07:58 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
* Update kas configuration for poky obsolescenceScott Murray2025-11-121-2/+13
| | | | | | | Replace poky repository configuration with separate bitbake, openembedded-core, and meta-poky repository configurations. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* meta-tpm: Small maintainers fixScott Murray2025-10-081-1/+0
| | | | | | | To avoid confusion, remove stray aircrack-ng entry as it is actually in the main layer and not meta-tpm. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* packagegroup-core-security: update for recent changesScott Murray2025-10-081-5/+10
| | | | | | | | | | | | Changes: - Add libmhash and libgssglue so they will get tested by CI. - Switch to MACHINE_ARCH to facilitate the above, but it makes sense anyway due to all the machine overrides used in the packagegroup definition. - Add the recently added python3-suricata-update so it will get tested by CI. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* paxctl: Remove recipeScott Murray2025-10-085-95/+0
| | | | | | | | Remove the paxctl recipe since it has seemingly been broken for a while without anyone noticing, and there likely have been no actual users since grsecurity stopped doing public releases in 2017. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* libest: Remove recipeScott Murray2025-10-081-28/+0
| | | | | | | Remove the libest recipe since it has been disabled since November 2021, and upstream has shown no activity since 2022. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* tripwire: Remove recipeScott Murray2025-10-0810-1654/+0
| | | | | | | Remove the tripwire recipe since it has been disabled since May 2021, and upstream has shown no activity since 2018. Signed-off-by: Scott Murray <scott.murray@konsulko.com>
* libmhash: fix build with gcc 15Yi Zhao2025-10-081-0/+2
| | | | | | | GCC 15 switched to C23 by default, which libmhash does not yet support. So keep using C17. Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* suricata-update: add package to pull filesClayton Casciato2025-10-081-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | suricata has "--disable-suricata-update" Original add: caaeb67863a6 ("suricata-update: add package to pull rules") Suricata dropped: 7a1691c03726 ("suricata: Drop 4.1.x its EOL") Not readded: 818a8646a689 ("suricata: rust is in core") *Changes* 1.2.1 -> 1.3.6 Drop period and trailing space in SUMMARY value Drop now-redundant "S" Use HTTPS protocol for SRC_URI LICENSE "GPLv2" -> "GPL-2.0-only" Add "python3-shell" RDEPENDS to resolve: ModuleNotFoundError: No module named 'shlex' Basic target testing: root@beaglebone-yocto:~# suricata-update 22/9/2025 -- 04:06:23 - <Info> -- Using data-directory /var/lib/suricata. 22/9/2025 -- 04:06:23 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml 22/9/2025 -- 04:06:23 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules. 22/9/2025 -- 04:06:23 - <Info> -- Found Suricata version 7.0.0 at /bin/suricata. 22/9/2025 -- 04:06:23 - <Info> -- Loading /etc/suricata/suricata.yaml 22/9/2025 -- 04:06:23 - <Info> -- Disabling rules for protocol pgsql 22/9/2025 -- 04:06:23 - <Info> -- Disabling rules for protocol modbus 22/9/2025 -- 04:06:23 - <Info> -- Disabling rules for protocol dnp3 22/9/2025 -- 04:06:23 - <Info> -- Disabling rules for protocol enip 22/9/2025 -- 04:06:23 - <Info> -- No sources configured, will use Emerging Threats Open 22/9/2025 -- 04:06:23 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-7.0.0/emerging.rules.tar.gz. 100% - 5102134/5102134 22/9/2025 -- 04:06:24 - <Info> -- Done. 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http2-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/mqtt-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/quic-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/rfb-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ssh-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules 22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules 22/9/2025 -- 04:06:27 - <Info> -- Ignoring file ba1345f233851ca2df4d905ea4b386d2/rules/emerging-deleted.rules 22/9/2025 -- 04:06:57 - <Info> -- Loaded 61205 rules. 22/9/2025 -- 04:07:02 - <Info> -- Disabled 14 rules. 22/9/2025 -- 04:07:02 - <Info> -- Enabled 0 rules. 22/9/2025 -- 04:07:02 - <Info> -- Modified 0 rules. 22/9/2025 -- 04:07:02 - <Info> -- Dropped 0 rules. 22/9/2025 -- 04:07:03 - <Info> -- Enabled 136 rules for flowbit dependencies. 22/9/2025 -- 04:07:03 - <Info> -- Creating directory /var/lib/suricata/rules. 22/9/2025 -- 04:07:03 - <Info> -- Backing up current rules. 22/9/2025 -- 04:07:03 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 61205; enabled: 45406; added: 61205; removed 0; modified: 0 22/9/2025 -- 04:07:06 - <Info> -- Writing /var/lib/suricata/rules/classification.config 22/9/2025 -- 04:07:07 - <Info> -- Testing with suricata -T. 22/9/2025 -- 04:07:57 - <Info> -- Done. Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
* suricata: populate SYSTEMD_SERVICE for service autostartClayton Casciato2025-10-081-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://docs.yoctoproject.org/dev/ref-manual/variables.html#term-SYSTEMD_SERVICE Before: root@beaglebone-yocto:~# systemctl status suricata * suricata.service - Suricata IDS/IDP daemon Loaded: loaded (/usr/lib/systemd/system/suricata.service; disabled; preset: disabled) Active: inactive (dead) Docs: man:suricata(8) man:suricatasc(8) https://redmine.openinfosecfoundation.org/projects/suricata/wiki After: root@beaglebone-yocto:~# systemctl status suricata * suricata.service - Suricata IDS/IDP daemon Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: enabled) Active: active (running) since Mon 2025-09-22 04:05:08 UTC; 20s ago Invocation: 8cfeb29631f443f0830bffeb00975931 Docs: man:suricata(8) man:suricatasc(8) https://redmine.openinfosecfoundation.org/projects/suricata/wiki Main PID: 268 (Suricata-Main) Tasks: 7 (limit: 4915) Memory: 36.8M (peak: 37M) CPU: 2.222s CGroup: /system.slice/suricata.service `-268 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 Sep 22 04:05:08 beaglebone-yocto systemd[1]: Started Suricata IDS/IDP daemon. Sep 22 04:05:09 beaglebone-yocto suricata[268]: i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode Sep 22 04:05:10 beaglebone-yocto suricata[268]: W: detect: No rule files match the pattern /var/lib/suricata/rules/suricata.rules Sep 22 04:05:10 beaglebone-yocto suricata[268]: W: detect: 1 rule files specified, but no rules were loaded! Sep 22 04:05:10 beaglebone-yocto suricata[268]: i: threads: Threads created -> W: 1 FM: 1 FR: 1 Engine started. Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
* python3-fail2ban: update to latest git revYi Zhao2025-10-083-248/+1
| | | | | | | | | | | | | | | | | | | | | | | Update to latest git rev as the current version doesn't work with OpenSSH 9.8+[1]. Ptest result: $ ptest-runner python3-fail2ban START: ptest-runner 2025-09-21T12:45 BEGIN: /usr/lib64/python3-fail2ban/ptest Ran 538 tests in 13.045s OK (skipped=3) DURATION: 14 END: /usr/lib64/python3-fail2ban/ptest 2025-09-21T12:46 STOP: ptest-runner TOTAL: 1 FAIL: 0 [1] https://github.com/fail2ban/fail2ban/commit/2fed408c05ac5206b490368d94599869bd6a056d Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* python3-fail2ban: fix ptest failuresYi Zhao2025-10-083-1/+256
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix ptest failures by backporting patches and updating test case config files. Before the patch: $ ptest-runner python3-fail2ban START: ptest-runner 2025-09-11T15:42 BEGIN: /usr/lib64/python3-fail2ban/ptest <snip> Ran 524 tests in 23.023s FAILED (failures=5, errors=7, skipped=3) DURATION: 24 END: /usr/lib64/python3-fail2ban/ptest 2025-09-11T15:42 STOP: ptest-runner TOTAL: 1 FAIL: 1 After the patch: $ ptest-runner python3-fail2ban START: ptest-runner 2025-09-11T15:59 BEGIN: /usr/lib64/python3-fail2ban/ptest <snip> Ran 524 tests in 25.982s OK (skipped=3) DURATION: 27 END: /usr/lib64/python3-fail2ban/ptest 2025-09-11T15:59 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
* test: allow root login for test imagesMarta Rybczynska2025-10-081-0/+1
| | | | Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
* chipsec: disable until 6.16 support is fixedMarta Rybczynska2025-10-082-2/+4
| | | | | | | | | | The 1.13.16 version does not work on the kernel 6.16 for now [1]. Disable when waiting for the fix. [1] https://github.com/chipsec/chipsec/issues/2563 Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
* chipsec: update to 1.13.16Marta Rybczynska2025-10-081-1/+1
| | | | | | | | Update from 1.9.1 (October 2022) to the latest 1.x release, 1.13.16. Changelog: https://github.com/chipsec/chipsec/releases Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
* lynis: move to GitHub fetchingMarta Rybczynska2025-10-081-4/+2
| | | | | | | Move to fetching from GitHub hashes to avoid issues at releases, when the last-recent release changes place. Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
* lynis: update to 3.1.5Michael Opdenacker2025-09-101-1/+1
| | | | | | | | | | | | | | | | | | | Tested on master (whinlatter) with beaglebone-yocto New in version 3.1.5 (2025-07-29): https://cisofy.com/changelog/lynis/#315 Added: - Support for OpenWrt - Bitdefender detection on Linux - Detection of openSUSE Tumbleweed-Slowroll Changed: - Corrected detection of service manager SMF - Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt - Check modules also under /usr/lib/modules.d Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
* lynis: homepage updateMichael Opdenacker2025-09-101-1/+1
| | | | Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
* tpm2-tss-engine: remove libgcrypt dependencyPatrick Wicki2025-09-101-1/+1
| | | | | | | There is no hint of libgcrypt in the upstream code and distro packages like Debian and Fedora do not have this dependency either. Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>
* suricata: install classification, reference configsClayton Casciato2025-08-281-0/+2
| | | | | | | | | | | | | suricata.yaml references these configs Resolve: <Warning> -- could not open: "/etc/suricata/classification.config": No such file or directory <Error> -- please check the "classification-file" option in your suricata.yaml file Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
* lib-perl: add a HOMEPAGE. Use CPAN_MIRRORJ. S.2025-08-281-1/+2
| | | | Signed-off-by: Jason Schonberg <schonm@gmail.com>
* kas: add whitespaces around assignementMarta Rybczynska2025-07-231-2/+2
| | | | | | | | | | Add whitespaces when assigning variables in kas cofiguration. We were getting: WARNING: ... has a lack of whitespace around the assignment: 'BB_NUMBER_THREADS="24"' WARNING: ... has a lack of whitespace around the assignment: 'BB_NUMBER_PARSE_THREADS="12"' Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
* aide: remove for muslMarta Rybczynska2025-07-231-0/+1
| | | | | | | Aide currently doesn't compile with musl because of copied getopt prototypes and implementation. Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
* kas: add common dldir/sstateMarta Rybczynska2025-07-231-0/+4
| | | | Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>