Diffstat (limited to 'recipes-security')
-rw-r--r--recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch45
-rw-r--r--recipes-security/Firejail/firejail_0.9.72.bb65
-rw-r--r--recipes-security/aircrack-ng/aircrack-ng_1.6.bb (renamed from recipes-security/aircrack-ng/aircrack-ng_1.3.bb)12
-rw-r--r--recipes-security/bastille/bastille_3.2.1.bb155
-rw-r--r--recipes-security/bastille/files/API.pm2528
-rw-r--r--recipes-security/bastille/files/AccountPermission.pm1060
-rw-r--r--recipes-security/bastille/files/FileContent.pm1153
-rw-r--r--recipes-security/bastille/files/HPSpecific.pm1983
-rw-r--r--recipes-security/bastille/files/Miscellaneous.pm166
-rw-r--r--recipes-security/bastille/files/ServiceAdmin.pm690
-rw-r--r--recipes-security/bastille/files/accept_os_flag_in_backend.patch34
-rw-r--r--recipes-security/bastille/files/allow_os_with_assess.patch43
-rw-r--r--recipes-security/bastille/files/call_output_config.patch19
-rwxr-xr-xrecipes-security/bastille/files/config106
-rw-r--r--recipes-security/bastille/files/do_not_apply_config.patch40
-rw-r--r--recipes-security/bastille/files/edit_usage_message.patch32
-rw-r--r--recipes-security/bastille/files/find_existing_config.patch64
-rw-r--r--recipes-security/bastille/files/fix_missing_use_directives.patch54
-rw-r--r--recipes-security/bastille/files/fix_number_of_modules.patch38
-rw-r--r--recipes-security/bastille/files/fix_version_parse.patch27
-rw-r--r--recipes-security/bastille/files/fixed_defined_warnings.patch65
-rw-r--r--recipes-security/bastille/files/organize_distro_discovery.patch476
-rw-r--r--recipes-security/bastille/files/remove_questions_text_file_references.patch30
-rwxr-xr-xrecipes-security/bastille/files/set_required_questions.py157
-rw-r--r--recipes-security/bastille/files/simplify_B_place.patch40
-rw-r--r--recipes-security/bastille/files/upgrade_options_processing.patch91
-rw-r--r--recipes-security/chipsec/chipsec_1.9.1.bb34
-rw-r--r--recipes-security/cryptmount/cryptmount_6.2.0.bb36
-rw-r--r--recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb17
-rw-r--r--recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch17
-rw-r--r--recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch2
-rw-r--r--recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch28
-rw-r--r--recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch2527
-rwxr-xr-xrecipes-security/fail2ban/files/fail2ban_setup.py174
-rw-r--r--recipes-security/fail2ban/files/initd98
-rw-r--r--recipes-security/fail2ban/files/run-ptest3
-rw-r--r--recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb51
-rw-r--r--recipes-security/fscrypt/fscrypt_1.1.0.bb51
-rw-r--r--recipes-security/fscryptctl/fscryptctl_1.1.0.bb (renamed from recipes-security/fscryptctl/fscryptctl_0.1.0.bb)13
-rw-r--r--recipes-security/glome/glome_git.bb24
-rw-r--r--recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb (renamed from recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb)6
-rw-r--r--recipes-security/images/security-build-image.bb19
-rw-r--r--recipes-security/images/security-client-image.bb16
-rw-r--r--recipes-security/images/security-server-image.bb19
-rw-r--r--recipes-security/images/security-test-image.bb33
-rw-r--r--recipes-security/isic/files/configure_fix.patch3
-rw-r--r--recipes-security/isic/files/isic-0.07-make.patch2
-rw-r--r--recipes-security/isic/files/isic-0.07-netinet.patch2
-rw-r--r--recipes-security/isic/isic_0.07.bb2
-rw-r--r--recipes-security/krill/files/panic_workaround.patch16
-rw-r--r--recipes-security/krill/krill-crates.inc550
-rw-r--r--recipes-security/krill/krill_0.12.3.bb42
-rw-r--r--recipes-security/libdhash/ding-libs_0.6.1.bb (renamed from recipes-security/libdhash/ding-libs_0.5.0.bb)5
-rw-r--r--recipes-security/libest/libest_3.2.0.bb30
-rw-r--r--recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch43
-rw-r--r--recipes-security/libgssglue/files/libgssglue-g-initialize.patch21
-rw-r--r--recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch27
-rw-r--r--recipes-security/libgssglue/files/libgssglue-mglueP.patch21
-rw-r--r--recipes-security/libgssglue/libgssglue_0.8.bb (renamed from recipes-security/libgssglue/libgssglue_0.4.bb)28
-rw-r--r--recipes-security/libmhash/libmhash_0.9.9.9.bb10
-rw-r--r--recipes-security/libmspack/libmspack_1.11.bb (renamed from recipes-security/libmspack/libmspack_1.9.1.bb)6
-rw-r--r--recipes-security/libseccomp/files/run-ptest4
-rw-r--r--recipes-security/libseccomp/libseccomp_2.4.3.bb43
-rw-r--r--recipes-security/ncrack/ncrack_0.7.bb6
-rw-r--r--recipes-security/nikto/files/location.patch36
-rw-r--r--recipes-security/nikto/nikto_2.1.6.bb118
-rw-r--r--recipes-security/opendnssec/files/libdns_conf_fix.patch216
-rw-r--r--recipes-security/opendnssec/files/libxml2_conf.patch112
-rw-r--r--recipes-security/opendnssec/opendnssec_2.1.10.bb36
-rw-r--r--recipes-security/packagegroup/packagegroup-core-security-ptest.bb28
-rw-r--r--recipes-security/packagegroup/packagegroup-core-security.bb68
-rw-r--r--recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch26
-rw-r--r--recipes-security/paxctl/paxctl_0.9.bb10
-rw-r--r--recipes-security/redhat-security/redhat-security_1.0.bb6
-rw-r--r--recipes-security/scapy/files/run-ptest4
-rw-r--r--recipes-security/scapy/python3-scapy_2.4.3.bb30
-rw-r--r--recipes-security/sshguard/sshguard_2.4.3.bb11
-rw-r--r--recipes-security/sssd/files/fix-ldblibdir.patch25
-rw-r--r--recipes-security/sssd/files/sssd.conf8
-rw-r--r--recipes-security/sssd/files/volatiles.99_sssd1
-rw-r--r--recipes-security/sssd/sssd_1.16.4.bb124
81 files changed, 1385 insertions, 12676 deletions
diff --git a/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch b/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch
new file mode 100644
index 0000000..7e70692
--- /dev/null
+++ b/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch
@@ -0,0 +1,45 @@
+Exclude all the seccomp files to run during build.
+
+Upstream-Status: Inappropriate [embedded specific]
+There are some files that need to run to generate the appropriate files
+we are currently doing this on the target.
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/Makefile
+===================================================================
+--- git.orig/Makefile
++++ git/Makefile
+@@ -18,7 +18,6 @@ MYDIRS = src/lib $(MAN_SRC) $(COMPLETION
+ MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
+ COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
+ MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
+-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+ ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
+
+ .PHONY: all
+@@ -43,7 +42,7 @@ $(MANPAGES): src/man config.mk
+
+ man: $(MANPAGES)
+
+-filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
++filters: $(SBOX_APPS_NON_DUMPABLE)
+ seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
+ src/fseccomp/fseccomp default seccomp
+ src/fsec-optimize/fsec-optimize seccomp
+@@ -72,7 +71,6 @@ clean:
+ done
+ $(MAKE) -C test clean
+ rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+- rm -f $(SECCOMP_FILTERS)
+ rm -f test/utils/index.html*
+ rm -f test/utils/wget-log
+ rm -f test/utils/firejail-test-file*
+@@ -110,7 +108,7 @@ endif
+ # libraries and plugins
+ install -m 0755 -d $(DESTDIR)$(libdir)/firejail
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh
+- install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
++ install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS)
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
+ # plugins w/o read permission (non-dumpable)
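Review bot: The patch header explains only that "we are currently doing this on the target", which leaves the reader to guess why the `SECCOMP_FILTERS` rules are cut out of `filters`, `clean` and `install`; presumably it is because `fseccomp`/`fsec-optimize` are target binaries that cannot run on the build host during cross-compilation, but the header should say so and point at where the filters are produced instead. I would replace the two explanatory lines with `The seccomp filters are produced by fseccomp/fsec-optimize, which are target binaries and cannot run on the build host; the recipe generates them at first boot via pkg_postinst_ontarget instead.` The `seccomp:` target and its `fseccomp`/`fsec-optimize` commands are kept in the Makefile even though nothing depends on them any more, which is fine but worth one sentence in the header so a future rebase does not "fix" it.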
diff --git a/recipes-security/Firejail/firejail_0.9.72.bb b/recipes-security/Firejail/firejail_0.9.72.bb
new file mode 100644
index 0000000..5713f46
--- /dev/null
+++ b/recipes-security/Firejail/firejail_0.9.72.bb
@@ -0,0 +1,65 @@
+#
+# Copyright 2022 Armin Kuster <akuster808@gmail.com>
+#
+SUMMARY = "Linux namespaces and seccomp-bpf sandbox"
+DESCRIPTION = "Firejail is a SUID sandbox program that reduces the risk of security breaches \
+by restricting the running environment of untrusted applications using Linux namespaces, \
+seccomp-bpf and Linux capabilities."
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+LICENSE = "GPL-2.0-only"
+
+SRCREV = "2551bc71f14052344666f3ca2ad67f5b798020b9"
+SRC_URI = "git://github.com/netblue30/firejail.git;protocol=https;branch=master \
+ file://exclude_seccomp_util_compiles.patch \
+ "
+
+DEPENDS = "libseccomp"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig bash-completion features_check
+
+REQUIRED_DISTRO_FEATURES = "seccomp"
+
+PACKAGECONFIG ?= ""
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', 'apparmor', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}"
+
+PACKAGECONFIG[apparmor] = "--enable-apparmor, --disable-apparmor, apparmor, apparmor"
+PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux"
+PACKAGECONFIG[x11] = " --enable-x11, --disable-x11, "
+PACKAGECONFIG[dbusproxy] = ", --disable-dbusproxy, "
+PACKAGECONFIG[notmpfs] = ", --disable-usertmpfs ,"
+PACKAGECONFIG[nofiretunnel] = ", --disable-firetunnel , "
+PACKAGECONFIG[noprivatehome] = ", --disable-private-home, "
+PACKAGECONFIG[nochroot] = ", --disable-chroot, "
+PACKAGECONFIG[nonetwork] = ", --disable-network, "
+PACKAGECONFIG[nouserns] = ", --disable-userns, "
+PACKAGECONFIG[nofiletransfer] = ", --disable-file-transfer, "
+PACKAGECONFIG[nosuid] = ", --disable-suid, "
+
+EXTRA_OECONF = "--disable-man --enable-busybox-workaround"
+
+PACKAGES:append = " ${PN}-vim ${PN}-zsh"
+
+FILES:${PN}-vim = "${datadir}/vim/"
+FILES:${PN}-zsh = "${datadir}/zsh/"
+FILES:${PN}-dev = "${datadir}/gtksourceview-5/"
+
+pkg_postinst_ontarget:${PN} () {
+ ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp
+ ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp
+ ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp.debug allow-debuggers
+ ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp.debug
+ ${libdir}/${BPN}/fseccomp secondary 32 ${libdir}/${BPN}/seccomp.32
+ ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp.32
+ ${libdir}/${BPN}/fseccomp secondary block ${libdir}/${BPN}/seccomp.block_secondary
+ ${libdir}/${BPN}/fseccomp memory-deny-write-execute ${libdir}/${BPN}/seccomp.mdwx
+}
+
+COMPATIBLE_MACHINE:x86_64 = "x86_64"
+COMPATIBLE_MACHINE:arm64 = "arch64"
+
+RDEPENDS:${PN} = "bash"
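Review bot: `pkg_postinst_ontarget:${PN}` does not generate `seccomp.mdwx.32`, although that file is in the `SECCOMP_FILTERS` list the accompanying patch removes from the upstream Makefile, so on this build a profile that requests memory-deny-write-execute for the 32-bit secondary arch will find its filter missing at runtime while every other filter is present. Add the missing invocation after the `seccomp.mdwx` line, copied from the upstream Makefile's `seccomp.mdwx.32` rule (I believe that rule uses the `memory-deny-write-execute.32` command, but confirm against the source). The script also has no error handling, so a failing `fseccomp` or `fsec-optimize` leaves a partial filter set silently and the package still counts as configured; start the body with `set -e` so the postinst is reported as failed instead. Separately, `COMPATIBLE_MACHINE:arm64 = "arch64"` looks like a typo — the override and the value are normally spelled `aarch64`, and as written the line matches nothing.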
diff --git a/recipes-security/aircrack-ng/aircrack-ng_1.3.bb b/recipes-security/aircrack-ng/aircrack-ng_1.6.bb
index d739227..d3722c0 100644
--- a/recipes-security/aircrack-ng/aircrack-ng_1.3.bb
+++ b/recipes-security/aircrack-ng/aircrack-ng_1.6.bb
@@ -1,7 +1,7 @@
SUMMARY = "Aircrack-ng is a set of tools for auditing wireless networks"
DESCRIPTION = "Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools."
SECTION = "security"
-LICENSE = "GPL-2.0"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=1fbd81241fe252ec0f5658a521ab7dd8"
@@ -9,8 +9,8 @@ DEPENDS = "libnl openssl sqlite3 libpcre libpcap"
SRC_URI = "http://download.aircrack-ng.org/${BP}.tar.gz"
-SRC_URI[md5sum] = "c7c5b076dee0c25ee580b0f56f455623"
-SRC_URI[sha256sum] = "8ae08a7c28741f6ace2769267112053366550e7f746477081188ad38410383ca"
+SRC_URI[md5sum] = "22ddc85549b51ed0da0931d01ef215e5"
+SRC_URI[sha256sum] = "4f0bfd486efc6ea7229f7fbc54340ff8b2094a0d73e9f617e0a39f878999a247"
inherit autotools-brokensep pkgconfig
@@ -29,6 +29,8 @@ do_install () {
make DESTDIR=${D} ${OEMAKE_EXTRA} ext_scripts=true install
}
-FILES_${PN} += "/usr/local/"
+FILES:${PN} += "${libdir}/*.so"
+FILES_SOLIBSDEV = ""
+INSANE_SKIP:${PN} += "dev-so"
-RDEPENDS_${PN} = "libpcap"
+RDEPENDS:${PN} = "libpcap"
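Review bot: The combination of `FILES:${PN} += "${libdir}/*.so"`, `FILES_SOLIBSDEV = ""` and `INSANE_SKIP:${PN} += "dev-so"` ships unversioned shared objects in the runtime package and switches off the QA check that exists to catch exactly that, with no comment saying why. Add one line above them, e.g. `# aircrack-ng installs unversioned .so files that are private runtime libraries, not a development interface`, so the skip is not removed as dead configuration later; whether they are in fact private libraries is my inference from the packaging choice and should be confirmed against the installed tree. `do_install` begins outside this hunk; only its closing brace is visible here.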
diff --git a/recipes-security/bastille/bastille_3.2.1.bb b/recipes-security/bastille/bastille_3.2.1.bb
deleted file mode 100644
index e9accb5..0000000
--- a/recipes-security/bastille/bastille_3.2.1.bb
+++ /dev/null
@@ -1,155 +0,0 @@
-#The functionality of Bastille that is actually available is restricted. Please
-#consult the README file for the meta-security layer for additional information.
-SUMMARY = "Linux hardening tool"
-DESCRIPTION = "Bastille Linux is a Hardening and Reporting/Auditing Program which enhances the security of a Linux box, by configuring daemons, system settings and firewalling."
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b"
-# Bash is needed for set +o privileged (check busybox), might also need ncurses
-DEPENDS = "virtual/kernel"
-RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils"
-FILES_${PN} += "/run/lock/subsys/bastille"
-
-inherit module-base
-
-SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \
- file://AccountPermission.pm \
- file://FileContent.pm \
- file://HPSpecific.pm \
- file://Miscellaneous.pm \
- file://ServiceAdmin.pm \
- file://config \
- file://fix_version_parse.patch \
- file://fixed_defined_warnings.patch \
- file://call_output_config.patch \
- file://fix_missing_use_directives.patch \
- file://fix_number_of_modules.patch \
- file://remove_questions_text_file_references.patch \
- file://simplify_B_place.patch \
- file://find_existing_config.patch \
- file://upgrade_options_processing.patch \
- file://accept_os_flag_in_backend.patch \
- file://allow_os_with_assess.patch \
- file://edit_usage_message.patch \
- file://organize_distro_discovery.patch \
- file://do_not_apply_config.patch \
- "
-
-SRC_URI[md5sum] = "df803f7e38085aa5da79f85d0539f91b"
-SRC_URI[sha256sum] = "0ea25191b1dc1c8f91e1b6f8cb5436a3aa1e57418809ef902293448efed5021a"
-
-S = "${WORKDIR}/Bastille"
-
-do_install () {
- install -d ${D}${sbindir}
- install -d ${D}${libdir}/perl5/site_perl/Curses
-
- install -d ${D}${libdir}/Bastille
- install -d ${D}${libdir}/Bastille/API
- install -d ${D}${datadir}/Bastille
- install -d ${D}${datadir}/Bastille/OSMap
- install -d ${D}${datadir}/Bastille/OSMap/Modules
- install -d ${D}${datadir}/Bastille/Questions
- install -d ${D}${datadir}/Bastille/FKL/configs/
- install -d ${D}${localstatedir}/log/Bastille
- install -d ${D}${sysconfdir}/Bastille
- install -m 0755 AutomatedBastille ${D}${sbindir}
- install -m 0755 BastilleBackEnd ${D}${sbindir}
- install -m 0755 InteractiveBastille ${D}${sbindir}
- install -m 0644 Modules.txt ${D}${datadir}/Bastille
- # New Weights file(s).
- install -m 0644 Weights.txt ${D}${datadir}/Bastille
- # Castle graphic
- install -m 0644 bastille.jpg ${D}${datadir}/Bastille/
- # Javascript file
- install -m 0644 wz_tooltip.js ${D}${datadir}/Bastille/
- install -m 0644 Credits ${D}${datadir}/Bastille
- install -m 0644 FKL/configs/fkl_config_redhat.cfg ${D}${datadir}/Bastille/FKL/configs/
- install -m 0755 RevertBastille ${D}${sbindir}
- install -m 0755 bin/bastille ${D}${sbindir}
- install -m 0644 bastille-firewall ${D}${datadir}/Bastille
- install -m 0644 bastille-firewall-reset ${D}${datadir}/Bastille
- install -m 0644 bastille-firewall-schedule ${D}${datadir}/Bastille
- install -m 0644 bastille-tmpdir-defense.sh ${D}${datadir}/Bastille
- install -m 0644 bastille-tmpdir.csh ${D}${datadir}/Bastille
- install -m 0644 bastille-tmpdir.sh ${D}${datadir}/Bastille
- install -m 0644 bastille-firewall.cfg ${D}${datadir}/Bastille
- install -m 0644 bastille-ipchains ${D}${datadir}/Bastille
- install -m 0644 bastille-netfilter ${D}${datadir}/Bastille
- install -m 0644 bastille-firewall-early.sh ${D}${datadir}/Bastille
- install -m 0644 bastille-firewall-pre-audit.sh ${D}${datadir}/Bastille
- install -m 0644 complete.xbm ${D}${datadir}/Bastille
- install -m 0644 incomplete.xbm ${D}${datadir}/Bastille
- install -m 0644 disabled.xpm ${D}${datadir}/Bastille
- install -m 0644 ifup-local ${D}${datadir}/Bastille
- install -m 0644 hosts.allow ${D}${datadir}/Bastille
-
- install -m 0644 Bastille/AccountSecurity.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/Apache.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/API.pm ${D}${libdir}/Bastille
- install -m 0644 ${WORKDIR}/AccountPermission.pm ${D}${libdir}/Bastille/API
- install -m 0644 ${WORKDIR}/FileContent.pm ${D}${libdir}/Bastille/API
- install -m 0644 ${WORKDIR}/HPSpecific.pm ${D}${libdir}/Bastille/API
- install -m 0644 ${WORKDIR}/ServiceAdmin.pm ${D}${libdir}/Bastille/API
- install -m 0644 ${WORKDIR}/Miscellaneous.pm ${D}${libdir}/Bastille/API
- install -m 0644 Bastille/BootSecurity.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/ConfigureMiscPAM.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/DisableUserTools.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/DNS.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/FilePermissions.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/FTP.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/Firewall.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/OSX_API.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/LogAPI.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/HP_UX.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/IOLoader.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/Patches.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/Logging.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/MiscellaneousDaemons.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/PatchDownload.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/Printing.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/PSAD.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/RemoteAccess.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/SecureInetd.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/Sendmail.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/TestDriver.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/TMPDIR.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_AccountSecurity.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_Apache.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_DNS.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_FTP.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_HP_UX.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_MiscellaneousDaemons.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_Patches.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_SecureInetd.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_Sendmail.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_BootSecurity.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_DisableUserTools.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_FilePermissions.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_Logging.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_Printing.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/IPFilter.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille_Curses.pm ${D}${libdir}/perl5/site_perl
- install -m 0644 Bastille_Tk.pm ${D}${libdir}/perl5/site_perl
- install -m 0644 Curses/Widgets.pm ${D}${libdir}/perl5/site_perl/Curses
-
- install -m 0644 OSMap/LINUX.bastille ${D}${datadir}/Bastille/OSMap
- install -m 0644 OSMap/LINUX.system ${D}${datadir}/Bastille/OSMap
- install -m 0644 OSMap/LINUX.service ${D}${datadir}/Bastille/OSMap
- install -m 0644 OSMap/HP-UX.bastille ${D}${datadir}/Bastille/OSMap
- install -m 0644 OSMap/HP-UX.system ${D}${datadir}/Bastille/OSMap
- install -m 0644 OSMap/HP-UX.service ${D}${datadir}/Bastille/OSMap
- install -m 0644 OSMap/OSX.bastille ${D}${datadir}/Bastille/OSMap
- install -m 0644 OSMap/OSX.system ${D}${datadir}/Bastille/OSMap
-
- install -m 0777 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config
-
- for file in `cat Modules.txt` ; do
- install -m 0644 Questions/$file.txt ${D}${datadir}/Bastille/Questions
- done
-
- ${THISDIR}/files/set_required_questions.py ${D}${sysconfdir}/Bastille/config ${D}${datadir}/Bastille/Questions
-
- ln -s RevertBastille ${D}${sbindir}/UndoBastille
-}
-
-FILES_${PN} += "${datadir}/Bastille ${libdir}/Bastille ${libdir}/perl* ${sysconfdir}/*"
diff --git a/recipes-security/bastille/files/API.pm b/recipes-security/bastille/files/API.pm
deleted file mode 100644
index 5060f52..0000000
--- a/recipes-security/bastille/files/API.pm
+++ /dev/null
@@ -1,2528 +0,0 @@
-# Copyright (C) 1999-2007 Jay Beale
-# Copyright (C) 2001-2008 Hewlett-Packard Development Company, L.P.
-# Licensed under the GNU General Public License, version 2
-
-package Bastille::API;
-
-## TO DO:
-#
-#
-# 1) Look for more places to insert error handling...
-#
-# 2) Document this module more
-#
-#
-
-
-##########################################################################
-#
-# This module forms the basis for the v1.1 API.
-#
- ##########################################################################
-
-#
-# This module forms the initial basis for the Bastille Engine, implemented
-# presently via a Perl API for Perl modules.
-#
-# This is still under construction -- it is very usable, but not very well
-# documented, yet.
-#
-
-##########################################################################
-#
-# API Function Listing
-#
-##########################################################################
-# The routines which should be called by Bastille modules are listed here,
-# though they are better documented throughout this file.
-#
-# Distro Specific Stuff:
-#
-# &GetDistro - figures out what distro we're running, if it knows it...
-# &ConfigureForDistro - sets global variables based on the distro
-# &GetGlobal - returns hash values defined in ConfigureForDistro
-#
-# &getGlobalConfig - returns value of hash set up by ReadConfig
-#
-# Logging Specific Stuff has moved to LogAPI.pm:
-#
-# &B_log(type,msg) -- takes care of all logging
-#
-#
-# Input functions for the old input method...
-#
-# File open/close/backup functions
-#
-# &B_open * -- opens a file handle and logs the action/error (OLD WAY!)
-# &B_open_plus -- opens a pair of file handles for the old and new version
-# of a file; respects logonly flag. (NEW WAY)
-# &B_close * -- closes a file handle and logs the action/error (OLD WAY!)
-# &B_close_plus -- closes a pair of file handles opened by B_open_plus,
-# backing up one file and renaming the new file to the
-# old one's name, logging actions/errors. Respects the
-# logonly flag -- needs B_backup file. Finally, sets
-# new file's mode,uid,gid to old file's... (NEW WAY)
-# &B_backup_file - backs up a file that is being changed/deleted into the
-# $GLOBAL_BDIR{"backup"} directory.
-#
-# Non-content file modification functions
-#
-# &B_delete_file - deletes the named file, backing up a copy
-# &B_create_file - creates the named file, if it doesn't exist
-#
-# &B_symlink - create a symlink to a file, recording the revert rm
-#
-# More stuff
-#
-# &B_createdir - make a directory, if it doesn't exist, record revert rmdir
-# &B_cp - copy a file, respecting LOGONLY and revert func.
-# &B_mknod - wrap mknod with revert and logonly and prefix functionality
-#
-# &B_read_sums - reads sum.csv file and parses input into the GLOBAL_SUM hash
-# &B_write_sums - writes sum.csv file from GLOBAL_SUM hash
-# &B_check_sum($) - take a file name and compares the stored cksum with the current
-# cksum of said file
-# &B_set_sum($) - takes a file name and gets that files current cksum then sets
-# that sum in the GLOBAL_SUM hash
-# &B_revert_log - create entry in shell script, executed later by bastille -r
-# &showDisclaimer - Print the disclaimer and wait for 5 minutes for acceptance
-###########################################################################
-# Note: GLOBAL_VERBOSE
-#
-# All logging functions now check GLOBAL_VERBOSE and, if set, will print
-# all the information sent to log files to STDOUT/STDERR as well.
-#
-
-#
-# Note: GLOBAL_LOGONLY
-#
-# All Bastille API functions now check for the existence of a GLOBAL_LOGONLY
-# variable. When said variable is set, no function actually modifies the
-# system.
-#
-# Note: GLOBAL_DEBUG
-#
-# The B_log("DEBUG",...) function now checks GLOBAL_DEBUG and, if set, it will
-# print all the information to a new debug-log file. If GLOBAL_VERBOSE is
-# set it might log to STDOUT/STDERR as well (not yet implemented, pending
-# discussion). Developers should populate appropriate places with &B_log(DEBUG)
-# in order to be able to tell users to use this options and send the logs
-# for inspection and debugging.
-#
-#
-
-
-# Libraries for the Backup_file routine: Cwd and File::Path
-use Cwd;
-use Bastille::OSX_API;
-use Bastille::LogAPI;
-use File::Path;
-use File::Basename;
-
-# Export the API functions listed below for use by the modules.
-
-use Exporter;
-@ISA = qw ( Exporter );
-@EXPORT = qw(
- setOptions GetDistro ConfigureForDistro B_log B_revert_log
- SanitizeEnv
- B_open B_close B_symlink StopLogging
- B_open_plus B_close_plus
- B_isFileinSumDB
- B_create_file B_read_sums B_check_sum B_set_sum isSumDifferent listModifiedFiles
- B_create_dir B_create_log_file
- B_delete_file
- B_cp B_place B_mknod
- showDisclaimer
- getSupportedOSHash
- B_Backtick
- B_System
- isProcessRunning
- checkProcsForService
-
-
- $GLOBAL_OS $GLOBAL_ACTUAL_OS $CLI
- $GLOBAL_LOGONLY $GLOBAL_VERBOSE $GLOBAL_DEBUG $GLOBAL_AUDITONLY $GLOBAL_AUDIT_NO_BROWSER $errorFlag
- %GLOBAL_BIN %GLOBAL_DIR %GLOBAL_FILE
- %GLOBAL_BDIR %GLOBAL_BFILE
- %GLOBAL_CONFIG %GLOBAL_SUM
-
- %GLOBAL_SERVICE %GLOBAL_SERVTYPE %GLOBAL_PROCESS %GLOBAL_RC_CONFIG
- %GLOBAL_TEST
-
- getGlobal setGlobal getGlobalConfig
-
-
- B_parse_fstab
- B_parse_mtab B_is_rpm_up_to_date
-
- NOTSECURE_CAN_CHANGE SECURE_CANT_CHANGE
- NOT_INSTALLED INCONSISTENT MANUAL NOTEST SECURE_CAN_CHANGE
- STRING_NOT_DEFINED NOT_INSTALLED_NOTSECURE DONT_KNOW
- RELEVANT_HEADERQ NOTRELEVANT_HEADERQ
-);
-
-
-
-######################################################
-###Testing Functions
-##################################################################
-
-#Define "Constants" for test functions. Note these constants sometimes get
-#interpreted as literal strings when used as hash references, so you may
-# have to use CONSTANT() to disambiguate, like below. Sorry, it was either
-# that or create even *more* global variables.
-# See TestDriver.pm for definitions, and test design doc for full explaination
-use constant {
- NOTSECURE_CAN_CHANGE => 0,
- SECURE_CANT_CHANGE => 1,
- NOT_INSTALLED => 2, # (where the lack makes the system secure, eg telnet)
- INCONSISTENT => 3,
- MANUAL => 4,
- NOTEST => 5,
- SECURE_CAN_CHANGE => 6,
- STRING_NOT_DEFINED => 7,
- NOT_INSTALLED_NOTSECURE => 8, #(Where the missing s/w makes the system less secure eg IPFilter)
- #Intentional duplicates follow
- DONT_KNOW => 5,
- RELEVANT_HEADERQ => 6,
- NOTRELEVANT_HEADERQ => 0
-};
-
-&SanitizeEnv;
-
-# Set up some common error messages. These are independent of
-# operating system
-
-# These will allow us to line up the warnings and error messages
-my $err ="ERROR: ";
-my $spc =" ";
-my $GLOBAL_OS="None";
-my $GLOBAL_ACTUAL_OS="None";
-my %GLOBAL_SUMS=();
-my $CLI='';
-
-#OS independent Error Messages Follow, normally "bastille" script filters
-#options before interactive or Bastille runs, so this check is often redundant
-$GLOBAL_ERROR{"usage"}="\n".
- "$spc Usage: bastille [ -b | -c | -x ] [ --os <version> ] [ -f <alternate config> ]\n".
- "$spc bastille [ -r | --assess | --assessnobowser ]\n\n".
- "$spc --assess : check status of system and report in browser\n".
- "$spc --assessnobrowser : check status of system and list report locations\n".
- "$spc -b : use a saved config file to apply changes\n".
- "$spc directly to system\n".
- "$spc -c : use the Curses (non-X11) TUI\n".
- "$spc -f <alternate config>: populate answers with a different config file\n".
- "$spc -r : revert all Bastille changes to-date\n".
- "$spc -x : use the Perl/Tk (X11) GUI\n" .
- "$spc --os <version> : ask all questions for the given operating system\n" .
- "$spc version. e.g. --os RH6.0\n";
-
-# These options don't work universally, so it's best not to
-# document them here (yet). Hopefully, we'll get them
-# straightened out soon.
-#"$spc --log : log-only option\n".
-#"$spc -v : verbose mode\n".
-#"$spc --debug : debug mode\n";
-
-
-##############################################################################
-#
-# Directory structure for Bastille Linux v1.2 and up
-#
-##############################################################################
-#
-# /usr/sbin/ -- location of Bastille binaries
-# /usr/lib/Bastille -- location of Bastille modules
-# /usr/share/Bastille -- location of Bastille data files
-# /etc/Bastille -- location of Bastille config files
-#
-# /var/log/Bastille -- location of Bastille log files
-# /var/log/Bastille/revert -- directory holding all Bastille-created revert scripts
-# /var/log/Bastille/revert/backup -- directory holding the original files that
-# Bastille modifies, with permissions intact
-#
-##############################################################################
-
-##############################################################################
-#
-# Directory structure for HP-UX Bastille v2.0 and up
-#
-##############################################################################
-#
-# /opt/sec_mgmt/bastille/bin/ -- location of Bastille binaries
-# /opt/sec_mgmt/bastille/lib/ -- location of Bastille modules
-# /etc/opt/sec_mgmt/bastille/ -- location of Bastille data and config files
-#
-# /var/opt/sec_mgmt/bastille/log/ -- location of Bastille log files
-# /var/opt/sec_mgmt/bastille/revert -- directory holding all Bastille-created
-# revert scripts and save files
-#
-##############################################################################
-
-
-##############################################################################
-##############################################################################
-################## Actual functions start here... ###########################
-##############################################################################
-##############################################################################
-
-###########################################################################
-# setOptions takes six arguments, $GLOBAL_DEBUG, $GLOBAL_LOGONLY,
-# $GLOBAL_VERBOSE, $GLOBAL_AUDITONLY, $GLOBAL_AUDIT_NO_BROWSER, and GLOBAL_OS;
-###########################################################################
-sub setOptions($$$$$$) {
- ($GLOBAL_DEBUG,$GLOBAL_LOGONLY,$GLOBAL_VERBOSE,$GLOBAL_AUDITONLY,
- $GLOBAL_AUDIT_NO_BROWSER,$GLOBAL_OS) = @_;
- if ($GLOBAL_AUDIT_NO_BROWSER) {
- $GLOBAL_AUDITONLY = 1;
- }
- if (not(defined($GLOBAL_OS))){
- $GLOBAL_OS="None";
- }
-}
-###########################################################################
-#
-# SanitizeEnv load a proper environment so Bastille cannot be tricked
-# and Perl modules work correctly.
-#
-###########################################################################
-sub SanitizeEnv {
- delete @ENV{'IFS','CDPATH','ENV','BASH_ENV'};
- $ENV{CDPATH}=".";
- $ENV{BASH_ENV}= "";
- # Bin is needed here or else /usr/lib/perl5/5.005/Cwd.pm
- # will not find `pwd`
- # Detected while testing with -w, jfs
- $ENV{PATH} = "/bin:/usr/bin";
- # Giorgi, is /usr/local/bin needed? (jfs)
-}
-
-###########################################################################
-#
-# GetDistro checks to see if the target is a known distribution and reports
-# said distribution.
-#
-# This is used throughout the script, but also by ConfigureForDistro.
-#
-#
-###########################################################################
-
-sub GetDistro() {
-
- my ($release,$distro);
-
- # Only read files for the distro once.
- # if the --os option was used then
- if ($GLOBAL_OS eq "None") {
- if ( -e "/etc/mandrake-release" ) {
- open(MANDRAKE_RELEASE,"/etc/mandrake-release");
- $release=<MANDRAKE_RELEASE>;
-
- if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
- $distro="MN$1";
- }
- elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
- $distro="MN$1";
- }
- else {
- print STDERR "$err Couldn't determine Mandrake/Mandriva version! Setting to 10.1!\n";
- $distro="MN10.1";
- }
-
- close(MANDRAKE_RELEASE);
- }
- elsif ( -e "/etc/immunix-release" ) {
- open(IMMUNIX_RELEASE,"/etc/immunix-release");
- $release=<IMMUNIX_RELEASE>;
- unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
- print STDERR "$err Couldn't determine Immunix version! Setting to 6.2!\n";
- $distro="RH6.2";
- }
- else {
- $distro="RH$1";
- }
- close(*IMMUNIX_RELEASE);
- }
- elsif ( -e '/etc/fedora-release' ) {
- open(FEDORA_RELEASE,'/etc/fedora-release');
- $release=<FEDORA_RELEASE>;
- close FEDORA_RELEASE;
- if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
- $distro = "RHFC$1";
- }
- elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
- $distro = "RHFC$1";
- }
- else {
- print STDERR "$err Could not determine Fedora version! Setting to Fedora Core 8\n";
- $distro='RHFC8';
- }
- }
- elsif ( -e "/etc/redhat-release" ) {
- open(*REDHAT_RELEASE,"/etc/redhat-release");
- $release=<REDHAT_RELEASE>;
- if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
- $distro="RH$1";
- }
- elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
- $distro="RHEL$1$2";
- }
- elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
- $distro="RHEL$2$1";
- }
- elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
- my $version = $1;
- if ($version =~ /^4\./) {
- $distro='RHEL4AS';
- }
- elsif ($version =~ /^3\./) {
- $distro='RHEL3AS';
- }
- else {
- print STDERR "$err Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
- $distro='RHEL4AS';
- }
- }
- else {
- # JJB/HP - Should this be B_log?
- print STDERR "$err Couldn't determine Red Hat version! Setting to 9!\n";
- $distro="RH9";
- }
- close(REDHAT_RELEASE);
-
- }
- elsif ( -e "/etc/debian_version" ) {
- $stable="3.1"; #Change this when Debian stable changes
- open(*DEBIAN_RELEASE,"/etc/debian_version");
- $release=<DEBIAN_RELEASE>;
- unless ($release =~ /^(\d+\.\d+\w*)/) {
- print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
- $distro="DB$stable";
- }
- else {
- $distro="DB$1";
- }
- close(DEBIAN_RELEASE);
- }
- elsif ( -e "/etc/SuSE-release" ) {
- open(*SUSE_RELEASE,"/etc/SuSE-release");
- $release=<SUSE_RELEASE>;
- if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
- $distro="SE$1";
- }
- elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
- $distro="SESLES$1";
- }
- elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
- $distro="SESLES$1";
- }
- elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
- $distro="SE$1";
- }
- else {
- print STDERR "$err Couldn't determine SuSE version! Setting to 10.3!\n";
- $distro="SE10.3";
- }
- close(SUSE_RELEASE);
- }
- elsif ( -e "/etc/turbolinux-release") {
- open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
- $release=<TURBOLINUX_RELEASE>;
- unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
- print STDERR "$err Couldn't determine TurboLinux version! Setting to 7.0!\n";
- $distro="TB7.0";
- }
- else {
- $distro="TB$1";
- }
- close(TURBOLINUX_RELEASE);
- }
- else {
- # We're either on Mac OS X, HP-UX or an unsupported O/S.
- if ( -x '/usr/bin/uname') {
- # uname is in /usr/bin on Mac OS X and HP-UX
- $release=`/usr/bin/uname -sr`;
- }
- else {
- print STDERR "$err Could not determine operating system version!\n";
- $distro="unknown";
- }
-
- # Figure out what kind of system we're on.
- if ($release ne "") {
- if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
- if ($1 == 6 ) {
- $distro = "OSX10.2";
- }
- elsif ($1 == 7) {
- $distro = "OSX10.3";
- }
- elsif ($1 == 8) {
- $distro = "OSX10.3";
- }
- else {
- $distro = "unknown";
- }
- }
- elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
- $distro="$1$2";
- }
- else {
- print STDERR "$err Could not determine operating system version!\n";
- $distro="unknown";
- }
- }
- }
-
- $GLOBAL_OS=$distro;
- } elsif (not (defined $GLOBAL_OS)) {
- print "ERROR: GLOBAL OS Scoping Issue\n";
- } else {
- $distro = $GLOBAL_OS;
- }
-
- return $distro;
-}
-
-###################################################################################
-# &getActualDistro; #
-# #
-# This subroutine returns the actual os version in which is running on. This #
-# os version is independent of the --os switch feed to bastille. #
-# #
-###################################################################################
-sub getActualDistro {
- # set local variable to $GLOBAL_OS
-
- if ($GLOBAL_ACTUAL_OS eq "None") {
- my $os = $GLOBAL_OS;
- # undef GLOBAL_OS so that the GetDistro routine will return
- # the actualDistro, it might otherwise return the distro set
- # by the --os switch.
- $GLOBAL_OS = "None";
- $GLOBAL_ACTUAL_OS = &GetDistro;
- # reset the GLOBAL_OS variable
- $GLOBAL_OS = $os;
- }
- return $GLOBAL_ACTUAL_OS;
-}
-# These are helper routines which used to be included inside GetDistro
-sub is_OS_supported($) {
- my $os=$_[0];
- my $supported=0;
- my %supportedOSHash = &getSupportedOSHash;
-
- foreach my $oSType (keys %supportedOSHash) {
- foreach my $supported_os ( @{$supportedOSHash{$oSType}} ) {
- if ( $supported_os eq $os ) {
- $supported=1;
- }
- }
- }
-
- return $supported;
-}
-
-###############################################################################
-# getSupportedOSHash
-#
-# This subrountine returns a hash of supported OSTypes, which point to a
-# a list of supported distros. When porting to a new distro, add the
-# distro id to the hash in its appropriate list.
-###############################################################################
-sub getSupportedOSHash () {
-
- my %osHash = ("LINUX" => [
- "DB2.2", "DB3.0",
- "RH6.0","RH6.1","RH6.2","RH7.0",
- "RH7.1","RH7.2","RH7.3","RH8.0",
- "RH9",
- "RHEL5",
- "RHEL4AS","RHEL4ES","RHEL4WS",
- "RHEL3AS","RHEL3ES","RHEL3WS",
- "RHEL2AS","RHEL2ES","RHEL2WS",
- "RHFC1","RHFC2","RHFC3","RHFC4",
- "RHFC5","RHFC6","RHFC7","RHFC8",
- "MN6.0","MN6.1 ","MN7.0","MN7.1",
- "MN7.2","MN8.0","MN8.1","MN8.2",
- "MN10.1",
- "SE7.2","SE7.3", "SE8.0","SE8.1","SE9.0","SE9.1",
- "SE9.2","SE9.3","SE10.0","SE10.1","SE10.2","SE10.3",
- "SESLES8","SESLES9","SESLES10",
- "TB7.0"
- ],
-
- "HP-UX" => [
- "HP-UX11.00","HP-UX11.11",
- "HP-UX11.22", "HP-UX11.23",
- "HP-UX11.31"
- ],
-
- "OSX" => [
- 'OSX10.2','OSX10.3','OSX10.4'
- ]
- );
-
- return %osHash;
-
-}
-
-
-###############################################################################
-# setFileLocations(OSMapFile, currentDistro);
-#
-# Given a file map location this subroutine will create the GLOBAL_*
-# hash entries specified within this file.
-###############################################################################
-sub setFileLocations($$) {
-
- my ($fileInfoFile,$currentDistro) = @_;
-
- # define a mapping from the first argument to the proper hash
- my %map = ("BIN" => \%GLOBAL_BIN,
- "FILE" => \%GLOBAL_FILE,
- "BFILE" => \%GLOBAL_BFILE,
- "DIR" => \%GLOBAL_DIR,
- "BDIR" => \%GLOBAL_BDIR
- );
- my @fileInfo = ();
-
- # File containing file location information
- if(open(FILEINFO, "<$fileInfoFile" )) {
-
- @fileInfo = <FILEINFO>;
-
- close(FILEINFO);
-
- }
- else {
- print STDERR "$err Unable to find file location information for '$distro'.\n" .
- "$spc Contact the Bastille support list for details.\n";
- exit(1);
- }
-
- # Each line of the file map follows the pattern below:
- # bdir,init.d,'/etc/rc.d/init.d',RH7.2,RH7.3
- # if the distro information is not available, e.g.
- # bdir,init.d,'/etc/rc.d/init.d'
- # then the line applies to all distros under the OSType
- foreach my $file (@fileInfo) {
- # Perl comments are allowed within the file but only entire line comments
- if($file !~ /^\s+\#|^\s+$/) {
- chomp $file;
- # type relates to the map above, type bin will map to GLOBAL_BIN
- # id is the identifier used as the hash key by the GLOBAL hash
- # fileLocation is the full path to the file
- # distroList is an optional list of distros that this particular
- # file location, if no distro list is presented the file location
- # is considered to apply to all distros
- my ($type,$id,$fileLocation,@distroList) = split /\s*,\s*/, $file;
- $fileLocation =~ s/^\'(.*)\'$/$1/;
- if($#distroList == -1) {
- $map{uc($type)}->{$id}=$fileLocation;
- }
- else {
- foreach my $distro (@distroList) {
- # if the current distro matches the distro listed then
- # this file location applies
- if($currentDistro =~ /$distro/) {
- $map{uc($type)}->{$id}=$fileLocation;
- }
- }
- }
- }
- }
- unless(defined($map{uc("BFILE")}->{"current_config"})) {
- &setGlobal("BFILE","current_config",&getGlobal("BFILE","config"));
- }
-}
-
-###############################################################################
-# setServiceInfo($OSServiceMapFile, $currentDistro
-#
-# Given the location of an OS Service map file, which describes
-# a service in terms of configurables, processes and a service type.
-# The subroutine fills out the GLOBAL_SERVICE, $GLOBAL_RC_CONFIG, GLOBAL_SERVTYPE, and
-# GLOBAL_PROCESS hashes for a given service ID.
-###############################################################################
-sub setServiceInfo($$) {
- my ($serviceInfoFile,$currentDistro) = @_;
- my @serviceInfo = ();
-
- if(open(SERVICEINFO, "<$serviceInfoFile" )) {
-
- @serviceInfo = <SERVICEINFO>;
-
- close(SERVICEINFO);
-
- }
- else {
- print STDERR "$err Unable to find service, service type, and process information\n" .
- "$spc for '$distro'.\n" .
- "$spc Contact the Bastille support list for details.\n";
- exit(1);
- }
-
-
- # The following loop, parses the entire (YOUR OS).service file
- # to provide service information for YOUR OS.
- # The files format is as follows:
- # serviceID,servType,('service' 'configuration' 'list'),('process' 'list')[,DISTROS]*
- # if distros are not present then the service is assumed to be
- # relevant the the current distro
-
-
-#
-# More specifically, this file's format for rc-based daemons is:
-#
-# script_name,rc,(rc-config-file rc-config-file ...),(rc-variable1 rc-variable2 ...),('program_name1 program_name2 ...')
-#
-# ...where script_name is a file in /etc/init.d/ and
-# ...program_nameN is a program launced by the script.
-#
-# This file's format for inet-based daemons is:
-#
-# identifier, inet, line name/file name, program name
-#
-# label,inet,(port1 port2 ...),(daemon1 daemon2 ...)
-#
-# ...where label is arbitrary, portN is one of the ports
-# ...this one listens on, and daemonN is a program launched
-# ...in response to a connection on a port.
-
- foreach my $service (@serviceInfo) {
- # This file accepts simple whole line comments perl style
- if($service !~ /^\s+\#|^\s+$/) {
- chomp $service;
- my ($serviceID,$servType,$strConfigList,$strServiceList,
- $strProcessList,@distroList) = split /\s*,\s*/, $service;
-
- sub MakeArrayFromString($){
- my $entryString = $_[0];
- my @destArray = ();
- if ($entryString =~ /\'\S+\'/) { #Make sure we have something to extract before we try
- @destArray = split /\'\s+\'/, $entryString;
- $destArray[0] =~ s/^\(\'(.+)$/$1/; # Remove leading quotation mark
- $destArray[$#destArray] =~ s/^(.*)\'\)$/$1/; #Remove trailing quotation mark
- }
- return @destArray;
- }
-
- # produce a list of configuration files from the files
- # format ('configuration' 'files')
- my @configList = MakeArrayFromString($strConfigList);
-
- # produce a list of service configurables from the files
- # format ('service' 'configurable')
- my @serviceList = MakeArrayFromString($strServiceList);
-
- # produce a list of process names from the files format
- # ('my' 'process' 'list')
- my @processList = MakeArrayFromString($strProcessList);
-
- # if distros were not specified then accept the service information
- if($#distroList == -1) {
- @{$GLOBAL_SERVICE{$serviceID}} = @serviceList;
- $GLOBAL_SERVTYPE{$serviceID} = $servType;
- @{$GLOBAL_PROCESS{$serviceID}} = @processList;
- @{$GLOBAL_RC_CONFIG{$serviceID}} = @configList;
- }
- else {
- # only if the current distro matches one of the listed distros
- # include the service information.
- foreach my $distro (@distroList) {
- if($currentDistro =~ /$distro/) {
- @{$GLOBAL_SERVICE{$serviceID}} = @serviceList;
- $GLOBAL_SERVTYPE{$serviceID} = $servType;
- @{$GLOBAL_PROCESS{$serviceID}} = @processList;
- @{$GLOBAL_RC_CONFIG{$serviceID}} = @configList;
- }
- }
- }
- }
- }
-}
-
-
-
-###############################################################################
-# getFileAndServiceInfo($distro,$actualDistro)
-#
-# This subrountine, given distribution information, will import system file
-# and service information into the GLOBA_* hashes.
-#
-# NOTE: $distro and $actualDistro will only differ when the --os switch is
-# used to generate a configuration file for an arbitrary operating
-# system.
-#
-###############################################################################
-sub getFileAndServiceInfo($$) {
-
- my ($distro,$actualDistro) = @_;
-
- # defines the path to the OS map information for any supported OS type.
- # OS map information is used to determine file locations for a given
- # distribution.
- my %oSInfoPath = (
- "LINUX" => "/usr/share/Bastille/OSMap/",
- "HP-UX" => "/etc/opt/sec_mgmt/bastille/OSMap/",
- "OSX" => "/usr/share/Bastille/OSMap/"
- );
-
- # returns the OS, LINUX, HP-UX, or OSX, associated with this
- # distribution
- my $actualOS = &getOSType($actualDistro);
- my $oS = &getOSType($distro);
-
- if(defined $actualOS && defined $oS) {
- my $bastilleInfoFile = $oSInfoPath{$actualOS} . "${actualOS}.bastille";
- my $systemInfoFile = $oSInfoPath{$actualOS} . "${oS}.system";
- my $serviceInfoFile = $oSInfoPath{$actualOS} . "${oS}.service";
-
- if(-f $bastilleInfoFile) {
- &setFileLocations($bastilleInfoFile,$actualDistro);
- }
- else {
- print STDERR "$err Unable to find bastille file information.\n" .
- "$spc $bastilleInfoFile does not exist on the system";
- exit(1);
- }
-
- if(-f $systemInfoFile) {
- &setFileLocations($systemInfoFile,$distro);
- }
- else {
- print STDERR "$err Unable to find system file information.\n" .
- "$spc $systemInfoFile does not exist on the system";
- exit(1);
- }
- # Service info File is optional
- if(-f $serviceInfoFile) {
- &setServiceInfo($serviceInfoFile,$distro);
- }
- }
- else {
- print STDERR "$err Unable to determine operating system type\n" .
- "$spc for $actualDistro or $distro\n";
- exit(1);
- }
-
-}
-
-
-# returns the Operating System type associated with the specified
-# distribution.
-sub getOSType($) {
-
- my $distro = $_[0];
-
- my %supportedOSHash = &getSupportedOSHash;
- foreach my $oSType (keys %supportedOSHash) {
- foreach my $oSDistro (@{$supportedOSHash{$oSType}}) {
- if($distro eq $oSDistro) {
- return $oSType;
- }
- }
- }
-
- return undef;
-
-}
-
-
-# Test subroutine used to debug file location info for new Distributions as
-# they are ported.
-sub dumpFileInfo {
- print "Dumping File Information\n";
- foreach my $hashref (\%GLOBAL_BIN,\%GLOBAL_DIR,\%GLOBAL_FILE,\%GLOBAL_BFILE,\%GLOBAL_BDIR) {
- foreach my $id (keys %{$hashref}) {
- print "$id: ${$hashref}{$id}\n";
- }
- print "-----------------------\n\n";
- }
-}
-
-# Test subroutine used to debug service info for new Distributions as
-# they are ported.
-sub dumpServiceInfo {
- print "Dumping Service Information\n";
- foreach my $serviceId (keys %GLOBAL_SERVICE) {
- print "$serviceId:\n";
- print "Type - $GLOBAL_SERVTYPE{$serviceId}\n";
- print "Service List:\n";
- foreach my $service (@{$GLOBAL_SERVICE{$serviceId}}) {
- print "$service ";
- }
- print "\nProcess List:\n";
- foreach my $process (@{$GLOBAL_PROCESS{$serviceId}}) {
- print "$process ";
- }
- print "\n----------------------\n";
- }
-}
-
-
-###########################################################################
-#
-# &ConfigureForDistro configures the API for a given distribution. This
-# includes setting global variables that tell the Bastille API about
-# given binaries and directories.
-#
-# WARNING: If a distro is not covered here, Bastille may not be 100%
-# compatible with it, though 1.1 is written to be much smarter
-# about unknown distros...
-#
-###########################################################################
-sub ConfigureForDistro {
-
- my $retval=1;
-
- # checking to see if the os version given is in fact supported
- my $distro = &GetDistro;
-
- # checking to see if the actual os version is in fact supported
- my $actualDistro = &getActualDistro;
- $ENV{'LOCALE'}=''; # So that test cases checking for english results work ok.
- if ((! &is_OS_supported($distro)) or (! &is_OS_supported($actualDistro)) ) {
- # if either is not supported then print out a list of supported versions
- if (! &is_OS_supported($distro)) {
- print STDERR "$err '$distro' is not a supported operating system.\n";
- }
- else {
- print STDERR "$err Bastille is unable to operate correctly on this\n";
- print STDERR "$spc $distro operating system.\n";
- }
- my %supportedOSHash = &getSupportedOSHash;
- print STDERR "$spc Valid operating system versions are as follows:\n";
-
- foreach my $oSType (keys %supportedOSHash) {
-
- print STDERR "$spc $oSType:\n$spc ";
-
- my $os_number = 1;
- foreach my $os (@{$supportedOSHash{$oSType}}) {
- print STDERR "'$os' ";
- if ($os_number == 5){
- print STDERR "\n$spc ";
- $os_number = 1;
- }
- else {
- $os_number++;
- }
-
- }
- print STDERR "\n";
- }
-
- print "\n" . $GLOBAL_ERROR{"usage"};
- exit(1);
- }
-
- # First, let's make sure that we do not create any files or
- # directories with more permissive permissions than we
- # intend via setting the Perl umask
- umask(077);
-
- &getFileAndServiceInfo($distro,$actualDistro);
-
-# &dumpFileInfo; # great for debuging file location issues
-# &dumpServiceInfo; # great for debuging service information issues
-
- # OS dependent error messages (after configuring file locations)
- my $nodisclaim_file = &getGlobal('BFILE', "nodisclaimer");
-
- $GLOBAL_ERROR{"disclaimer"}="$err Unable to touch $nodisclaim_file:" .
- "$spc You must use Bastille\'s -n flag (for example:\n" .
- "$spc bastille -f -n) or \'touch $nodisclaim_file \'\n";
-
- return $retval;
-}
-
-
-###########################################################################
-###########################################################################
-# #
-# The B_<perl_function> file utilities are replacements for their Perl #
-# counterparts. These replacements log their actions and their errors, #
-# but are very similar to said counterparts. #
-# #
-###########################################################################
-###########################################################################
-
-
-###########################################################################
-# B_open is used for opening a file for reading. B_open_plus is the preferred
-# function for writing, since it saves a backup copy of the file for
-# later restoration.
-#
-# B_open opens the given file handle, associated with the given filename
-# and logs appropriately.
-#
-###########################################################################
-
-sub B_open {
- my $retval=1;
- my ($handle,$filename)=@_;
-
- unless ($GLOBAL_LOGONLY) {
- $retval = open $handle,$filename;
- }
-
- ($handle) = "$_[0]" =~ /[^:]+::[^:]+::([^:]+)/;
- &B_log("ACTION","open $handle,\"$filename\";\n");
- unless ($retval) {
- &B_log("ERROR","open $handle, $filename failed...\n");
- }
-
- return $retval;
-}
-
-###########################################################################
-# B_open_plus is the v1.1 open command.
-#
-# &B_open_plus($handle_file,$handle_original,$file) opens the file $file
-# for reading and opens the file ${file}.bastille for writing. It is the
-# counterpart to B_close_plus, which will move the original file to
-# $GLOBAL_BDIR{"backup"} and will place the new file ${file}.bastille in its
-# place.
-#
-# &B_open_plus makes the appropriate log entries in the action and error
-# logs.
-###########################################################################
-
-sub B_open_plus {
-
- my ($handle_file,$handle_original,$file)=@_;
- my $retval=1;
- my $return_file=1;
- my $return_old=1;
-
- my $original_file = $file;
-
- # Open the original file and open a copy for writing.
- unless ($GLOBAL_LOGONLY) {
- # if the temporary filename already exists then the open operation will fail.
- if ( $file eq "" ){
- &B_log("ERROR","Internal Error - Attempt Made to Open Blank Filename");
- $return_old=0;
- $return_file=0;
- return 0; #False
- } elsif (-e "${file}.bastille") {
- &B_log("ERROR","Unable to open $file as the swap file ".
- "${file}.bastille\" already exists. Rename the swap ".
- "file to allow Bastille to make desired file modifications.");
- $return_old=0;
- $return_file=0;
- }
- else {
- $return_old = open $handle_original,"$file";
- $return_file = open $handle_file,("> $file.bastille");
- }
- }
-
- # Error handling/logging here...
- #&B_log("ACTION","# Modifying file $original_file via temporary file $original_file.bastille\n");
- unless ($return_file) {
- $retval=0;
- &B_log("ERROR","open file: \"$original_file.bastille\" failed...\n");
- }
- unless ($return_old) {
- $retval=0;
- &B_log("ERROR","open file: \"$original_file\" failed.\n");
- }
-
- return $retval;
-
-}
-
-###########################################################################
-# B_close was the v1.0 close command. It is still used in places in the
-# code.
-# However the use of B _close_plus, which implements a new, smarter,
-# backup scheme is preferred.
-#
-# B_close closes the given file handle, associated with the given filename
-# and logs appropriately.
-###########################################################################
-
-
-sub B_close {
- my $retval=1;
-
- unless ($GLOBAL_LOGONLY) {
- $retval = close $_[0];
- }
-
- &B_log("ACTION", "close $_[0];\n");
- unless ($retval) {
- &B_log("ERROR", "close $_[0] failed...\n");
- }
-
- return $retval;
-}
-
-
-###########################################################################
-# B_close_plus is the v1.1 close command.
-#
-# &B_close_plus($handle_file,$handle_original,$file) closes the files
-# $file and ${file}.bastille, backs up $file to $GLOBAL_BDIR{"backup"} and
-# renames ${file}.bastille to $file. This backup is made using the
-# internal API function &B_backup_file. Further, it sets the new file's
-# permissions and uid/gid to the same as the old file.
-#
-# B_close_plus is the counterpart to B_open_plus, which opened $file and
-# $file.bastille with the file handles $handle_original and $handle_file,
-# respectively.
-#
-# &B_close_plus makes the appropriate log entries in the action and error
-# logs.
-###########################################################################
-
-sub B_close_plus {
- my ($handle_file,$handle_original,$file)=@_;
- my ($mode,$uid,$gid);
- my @junk;
-
- my $original_file;
-
- my $retval=1;
- my $return_file=1;
- my $return_old=1;
-
- # Append the global prefix, but save the original for B_backup_file b/c
- # it appends the prefix on its own...
-
- $original_file=$file;
-
- #
- # Close the files and prepare for the rename
- #
-
- if (($file eq "") or (not(-e $file ))) {
- &B_log("ERROR","Internal Error, attempted to close a blank filename ".
- "or nonexistent file.");
- return 0; #False
- }
-
- unless ($GLOBAL_LOGONLY) {
- $return_file = close $handle_file;
- $return_old = close $handle_original;
- }
-
- # Error handling/logging here...
- #&B_log("ACTION","#Closing $original_file and backing up to " . &getGlobal('BDIR', "backup"));
- #&B_log("ACTION","/$original_file\n");
-
- unless ($return_file) {
- $retval=0;
- &B_log("ERROR","close $original_file failed...\n");
- }
- unless ($return_old) {
- $retval=0;
- &B_log("ERROR","close $original_file.bastille failed.\n");
- }
-
- #
- # If we've had no errors, backup the old file and put the new one
- # in its place, with the Right permissions.
- #
-
- unless ( ($retval == 0) or $GLOBAL_LOGONLY) {
-
- # Read the permissions/owners on the old file
-
- @junk=stat ($file);
- $mode=$junk[2];
- $uid=$junk[4];
- $gid=$junk[5];
-
- # Set the permissions/owners on the new file
-
- chmod $mode, "$file.bastille" or &B_log("ERROR","Not able to retain permissions on $original_file!!!\n");
- chown $uid, $gid, "$file.bastille" or &B_log("ERROR","Not able to retain owners on $original_file!!!\n");
-
- # Backup the old file and put a new one in place.
-
- &B_backup_file($original_file);
- rename "$file.bastille", $file or
- &B_log("ERROR","B_close_plus: not able to move $original_file.bastille to $original_file\n");
-
- # We add the file to the GLOBAL_SUMS hash if it is not already present
- &B_set_sum($file);
-
- }
-
- return $retval;
-}
-
-###########################################################################
-# &B_backup_file ($file) makes a backup copy of the file $file in
-# &getGlobal('BDIR', "backup"). Note that this routine is intended for internal
-# use only -- only Bastille API functions should call B_backup_file.
-#
-###########################################################################
-
-sub B_backup_file {
-
- my $file=$_[0];
- my $complain = 1;
- my $original_file = $file;
-
- my $backup_dir = &getGlobal('BDIR', "backup");
- my $backup_file = $backup_dir . $original_file;
-
- my $retval=1;
-
- # First, separate the file into the directory and the relative filename
-
- my $directory ="";
- if ($file =~ /^(.*)\/([^\/]+)$/) {
- #$relative_file=$2;
- $directory = $1;
- } else {
- $directory=cwd;
- }
-
- # Now, if the directory does not exist, create it.
- # Later:
- # Try to set the same permissions on the patch directory that the
- # original had...?
-
- unless ( -d ($backup_dir . $directory) ) {
- mkpath(( $backup_dir . $directory),0,0700);
-
- }
-
- # Now we backup the file. If there is already a backup file there,
- # we will leave it alone, since it exists from a previous run and
- # should be the _original_ (possibly user-modified) distro's version
- # of the file.
-
- if ( -e $file ) {
-
- unless ( -e $backup_file ) {
- my $command=&getGlobal("BIN","cp");
- &B_Backtick("$command -p $file $backup_file");
- &B_revert_log (&getGlobal("BIN","mv"). " $backup_file $file");
- }
-
- } else {
- # The file we were trying to backup doesn't exist.
-
- $retval=0;
- # This is a non-fatal error, not worth complaining about
- $complain = 0;
- #&ErrorLog ("# Failed trying to backup file $file -- it doesn't exist!\n");
- }
-
- # Check to make sure that the file does exist in the backup location.
-
- unless ( -e $backup_file ) {
- $retval=0;
- if ( $complain == 1 ) {
- &B_log("ERROR","Failed trying to backup $file -- the copy was not created.\n");
- }
- }
-
- return $retval;
-}
-
-
-###########################################################################
-# &B_read_sums reads in the sum.csv file which contains information
-# about Bastille modified files. The file structure is as follows:
-#
-# filename,filesize,cksum
-#
-# It reads the information into the GLOBAL_SUM hash i.e.
-# $GLOBAL_SUM{$file}{sum} = $cksum
-# $GLOBAL_SUM{$file}{filesize} = $size
-# For the first run of Bastille on a given system this subroutine
-# is a no-op, and returns "undefined."
-###########################################################################
-
-sub B_read_sums {
-
- my $sumFile = &getGlobal('BFILE',"sum.csv");
-
- if ( -e $sumFile ) {
-
- open( SUM, "< $sumFile") or &B_log("ERROR","Unable to open $sumFile for read.\n$!\n");
-
- while( my $line = <SUM> ) {
- chomp $line;
- my ($file,$filesize,$sum,$flag) = split /,/, $line;
- if(-e $file) {
- $GLOBAL_SUM{"$file"}{filesize} = $filesize;
- $GLOBAL_SUM{"$file"}{sum} = $sum;
- }
- }
-
- close(SUM);
- } else {
- return undef;
- }
-}
-
-
-###########################################################################
-# &B_write_sums writes out the sum.csv file which contains information
-# about Bastille modified files. The file structure is as follows:
-#
-# filename,filesize,cksum
-#
-# It writes the information from the GLOBAL_SUM hash i.e.
-#
-# $file,$GLOBAL_SUM{$file}{sum},$GLOBAL_SUM{$file}{filesize}
-#
-# This subroutine requires access to the GLOBAL_SUM hash.
-###########################################################################
-
-sub B_write_sums {
-
- my $sumFile = &getGlobal('BFILE',"sum.csv");
-
- if ( %GLOBAL_SUM ) {
-
- open( SUM, "> $sumFile") or &B_log("ERROR","Unable to open $sumFile for write.\n$!\n");
-
- for my $file (sort keys %GLOBAL_SUM) {
- if( -e $file) {
- print SUM "$file,$GLOBAL_SUM{\"$file\"}{filesize},$GLOBAL_SUM{\"$file\"}{sum}\n";
- }
- }
-
- close(SUM);
- }
-
-}
-
-
-###########################################################################
-# &B_check_sum($file) compares the stored cksum and filesize of the given
-# file compared to the current cksum and filesize respectively.
-# This subroutine also keeps the state of the sum check by setting the
-# checked flag which tells the subroutine that on this run this file
-# has already been checked.
-#
-# $GLOBAL_SUM{$file}{checked} = 1;
-#
-# This subroutine requires access to the GLOBAL_SUM hash.
-#
-# Returns 1 if sum checks out and 0 if not
-###########################################################################
-
-sub B_check_sum($) {
- my $file = $_[0];
- my $cksum = &getGlobal('BIN',"cksum");
-
- if (not(%GLOBAL_SUM)) {
- &B_read_sums;
- }
-
- if(-e $file) {
- my ($sum,$size,$ckfile) = split(/\s+/, `$cksum $file`);
- my $commandRetVal = ($? >> 8); # find the command's return value
-
- if($commandRetVal != 0) {
- &B_log("ERROR","$cksum reported the following error:\n$!\n");
- return 0;
- } else {
- if ( exists $GLOBAL_SUM{$file} ) {
- # if the file size or file sum differ from those recorded.
- if (( $GLOBAL_SUM{$file}{filesize} == $size) and
- ($GLOBAL_SUM{$file}{sum} == $sum )) {
- return 1; #True, since saved state matches up, all is well.
- } else {
- return 0; #False, since saved state doesn't match
- }
- } else {
- &B_log("ERROR","File: $file does not exist in sums database.");
- return 0;
- }
- }
- } else {
- &B_log("ERROR","The file: $file does not exist for comparison in B_check_sum.");
- return 0;
- }
-}
-
-# Don't think we need this anymore as function now check_sums returns
-# results directly
-#sub isSumDifferent($) {
-# my $file = $_[0];
-# if(exists $GLOBAL_SUM{$file}) {
-# return $GLOBAL_SUM{$file}{flag}
-# }
-#}
-
-sub listModifiedFiles {
- my @listModifiedFiles=sort keys %GLOBAL_SUM;
- return @listModifiedFiles;
-}
-
-###########################################################################
-# &B_isFileinSumDB($file) checks to see if a given file's sum was saved.
-#
-# $GLOBAL_SUM{$file}{filesize} = $size;
-# $GLOBAL_SUM{$file}{sum} = $cksum;
-#
-# This subroutine requires access to the GLOBAL_SUM hash.
-###########################################################################
-
-sub B_isFileinSumDB($) {
- my $file = $_[0];
-
- if (not(%GLOBAL_SUM)) {
- &B_log("DEBUG","Reading in DB from B_isFileinSumDB");
- &B_read_sums;
- }
- if (exists($GLOBAL_SUM{"$file"})){
- &B_log("DEBUG","$file is in sum database");
- return 1; #true
- } else {
- &B_log("DEBUG","$file is not in sum database");
- return 0; #false
- }
-}
-
-###########################################################################
-# &B_set_sum($file) sets the current cksum and filesize of the given
-# file into the GLOBAL_SUM hash.
-#
-# $GLOBAL_SUM{$file}{filesize} = $size;
-# $GLOBAL_SUM{$file}{sum} = $cksum;
-#
-# This subroutine requires access to the GLOBAL_SUM hash.
-###########################################################################
-
-sub B_set_sum($) {
-
- my $file = $_[0];
- my $cksum = &getGlobal('BIN',"cksum");
- if( -e $file) {
-
- my ($sum,$size,$ckfile) = split(/\s+/, `$cksum $file`);
- my $commandRetVal = ($? >> 8); # find the command's return value
-
- if($commandRetVal != 0) {
-
- &B_log("ERROR","$cksum reported the following error:\n$!\n");
-
- }
- else {
-
- # new file size and sum are added to the hash
- $GLOBAL_SUM{$file}{filesize} = $size;
- $GLOBAL_SUM{$file}{sum} = $sum;
- &B_write_sums;
-
- }
- } else {
- &B_log("ERROR","Can not save chksum for file: $file since it does not exist");
- }
-}
-
-
-###########################################################################
-#
-# &B_delete_file ($file) deletes the file $file and makes a backup to
-# the backup directory.
-#
-##########################################################################
-
-
-sub B_delete_file($) { #Currently Linux only (TMPDIR)
- #consideration: should create clear_sum routine if this is ever used to remove
- # A Bastille-generated file.
-
- #
- # This API routine deletes the named file, backing it up first to the
- # backup directory.
- #
-
- my $filename=shift @_;
- my $retval=1;
-
- # We have to append the prefix ourselves since we don't use B_open_plus
-
- my $original_filename=$filename;
-
- &B_log("ACTION","Deleting (and backing-up) file $original_filename\n");
- &B_log("ACTION","rm $original_filename\n");
-
- unless ($filename) {
- &B_log("ERROR","B_delete_file called with no arguments!\n");
- }
-
- unless ($GLOBAL_LOGONLY) {
- if ( B_backup_file($original_filename) ) {
- unless ( unlink $filename ) {
- &B_log("ERROR","Couldn't unlink file $original_filename");
- $retval=0;
- }
- }
- else {
- $retval=0;
- &B_log("ERROR","B_delete_file did not delete $original_filename since it could not back it up\n");
- }
- }
-
- $retval;
-
-}
-
-
-###########################################################################
-# &B_create_file ($file) creates the file $file, if it doesn't already
-# exist.
-# It will set a default mode of 0700 and a default uid/gid or 0/0.
-#
-# &B_create_file, to support Bastille's revert functionality, writes an
-# rm $file command to the end of the file &getGlobal('BFILE', "created-files").
-#
-##########################################################################
-
-
-sub B_create_file($) {
-
- my $file = $_[0];
- my $retval=1;
-
- # We have to create the file ourselves since we don't use B_open_plus
-
- my $original_file = $file;
-
- if ($file eq ""){
- &B_log("ERROR","Internal Error, attempt made to create blank filename");
- return 0; #False
- }
-
- unless ( -e $file ) {
-
- unless ($GLOBAL_LOGONLY) {
-
- # find the directory in which the file is to reside.
- my $dirName = dirname($file);
- # if the directory does not exist then
- if(! -d $dirName) {
- # create it.
- mkpath ($dirName,0,0700);
- }
-
- $retval=open CREATE_FILE,">$file";
-
- if ($retval) {
- close CREATE_FILE;
- chmod 0700,$file;
- # Make the revert functionality
- &B_revert_log( &getGlobal('BIN','rm') . " $original_file \n");
- } else {
- &B_log("ERROR","Couldn't create file $original_file even though " .
- "it didn't already exist!\n");
- }
- }
- &B_log("ACTION","Created file $original_file\n");
- } else {
- &B_log("DEBUG","Didn't create file $original_file since it already existed.\n");
- $retval=0;
- }
-
- $retval;
-}
-
-
-###########################################################################
-# &B_create_dir ($dir) creates the directory $dir, if it doesn't already
-# exist.
-# It will set a default mode of 0700 and a default uid/gid or 0/0.
-#
-##########################################################################
-
-
-sub B_create_dir($) {
-
- my $dir = $_[0];
- my $retval=1;
-
- # We have to append the prefix ourselves since we don't use B_open_plus
-
- my $original_dir=$dir;
-
- unless ( -d $dir ) {
- unless ($GLOBAL_LOGONLY) {
- $retval=mkdir $dir,0700;
-
- if ($retval) {
- # Make the revert functionality
- &B_revert_log (&getGlobal('BIN','rmdir') . " $original_dir\n");
- }
- else {
- &B_log("ERROR","Couldn't create dir $original_dir even though it didn't already exist!");
- }
-
- }
- &B_log("ACTION","Created directory $original_dir\n");
- }
- else {
- &B_log("ACTION","Didn't create directory $original_dir since it already existed.\n");
- $retval=0;
- }
-
- $retval;
-}
-
-
-
-###########################################################################
-# &B_symlink ($original_file,$new_symlink) creates a symbolic link from
-# $original_file to $new_symlink.
-#
-# &B_symlink respects $GLOBAL_LOGONLY. It supports
-# the revert functionality that you've come to know and love by adding every
-# symbolic link it creates to &getGlobal('BFILE', "created-symlinks"), currently set to:
-#
-# /root/Bastille/revert/revert-created-symlinks
-#
-# The revert script, if it works like I think it should, will run this file,
-# which should be a script or rm's...
-#
-##########################################################################
-
-sub B_symlink($$) {
- my ($source_file,$new_symlink)=@_;
- my $retval=1;
- my $original_source = $source_file;
- my $original_symlink = $new_symlink;
-
- unless ($GLOBAL_LOGONLY) {
- $retval=symlink $source_file,$new_symlink;
- if ($retval) {
- &B_revert_log (&getGlobal('BIN',"rm") . " $original_symlink\n");
- }
- }
-
- &B_log("ACTION", "Created a symbolic link called $original_symlink from $original_source\n");
- &B_log("ACTION", "symlink \"$original_source\",\"$original_symlink\";\n");
- unless ($retval) {
- &B_log("ERROR","Couldn't symlink $original_symlink -> $original_source\n");
- }
-
- $retval;
-
-}
-
-
-sub B_cp($$) {
-
- my ($source,$target)=@_;
- my $retval=0;
-
- my $had_to_backup_target=0;
-
- use File::Copy;
-
- my $original_source=$source;
- my $original_target=$target;
-
- if( -e $target and -f $target ) {
- &B_backup_file($original_target);
- &B_log("ACTION","About to copy $original_source to $original_target -- had to backup target\n");
- $had_to_backup_target=1;
- }
-
- $retval=copy($source,$target);
- if ($retval) {
- &B_log("ACTION","cp $original_source $original_target\n");
-
- #
- # We want to add a line to the &getGlobal('BFILE', "created-files") so that the
- # file we just put at $original_target gets deleted.
- #
- &B_revert_log(&getGlobal('BIN',"rm") . " $original_target\n");
- } else {
- &B_log("ERROR","Failed to copy $original_source to $original_target\n");
- }
- # We add the file to the GLOBAL_SUMS hash if it is not already present
- &B_set_sum($target);
- $retval;
-}
-
-
-
-############################################################################
-# &B_place puts a file in place, using Perl's File::cp. This file is taken
-# from &getGlobal('BDIR', "share") and is used to place a file that came with
-# Bastille.
-#
-# This should be DEPRECATED in favor of &B_cp, since the only reason it exists
-# is because of GLOBAL_PREFIX, which has been broken for quite some time.
-# Otherwise, the two routines are identical.
-#
-# It respects $GLOBAL_LOGONLY.
-# If $target is an already-existing file, it is backed up.
-#
-# revert either appends another "rm $target" to &getGlobal('BFILE', "revert-actions") or
-# backs up the file that _was_ there into the &getGlobal('BDIR', "backup"),
-# appending a "mv" to revert-actions to put it back.
-#
-############################################################################
-
-sub B_place { # Only Linux references left (Firewall / TMPDIR)
-
- my ($source,$target)=@_;
- my $retval=0;
-
- my $had_to_backup_target=0;
-
- use File::Copy;
-
- my $original_source=$source;
- $source = &getGlobal('BDIR', "share") . $source;
- my $original_target=$target;
-
- if ( -e $target and -f $target ) {
- &B_backup_file($original_target);
- &B_log("ACTION","About to copy $original_source to $original_target -- had to backup target\n");
- $had_to_backup_target=1;
- }
- $retval=copy($source,$target);
- if ($retval) {
- &B_log("ACTION","placed file $original_source as $original_target\n");
- #
- # We want to add a line to the &getGlobal('BFILE', "created-files") so that the
- # file we just put at $original_target gets deleted.
- &B_revert_log(&getGlobal('BIN',"rm") . " $original_target\n");
- } else {
- &B_log("ERROR","Failed to place $original_source as $original_target\n");
- }
-
- # We add the file to the GLOBAL_SUMS hash if it is not already present
- &B_set_sum($target);
-
- $retval;
-}
-
-
-
-
-
-#############################################################################
-#############################################################################
-#############################################################################
-
-###########################################################################
-# &B_mknod ($file) creates the node $file, if it doesn't already
-# exist. It uses the prefix and suffix, like this:
-#
-# mknod $prefix $file $suffix
-#
-# This is just a wrapper to the mknod program, which tries to introduce
-# revert functionality, by writing rm $file to the end of the
-# file &getGlobal('BFILE', "created-files").
-#
-##########################################################################
-
-
-sub B_mknod($$$) {
-
- my ($prefix,$file,$suffix) = @_;
- my $retval=1;
-
- # We have to create the filename ourselves since we don't use B_open_plus
-
- my $original_file = $file;
-
- unless ( -e $file ) {
- my $command = &getGlobal("BIN","mknod") . " $prefix $file $suffix";
-
- if ( system($command) == 0) {
- # Since system will return 0 on success, invert the error code
- $retval=1;
- }
- else {
- $retval=0;
- }
-
- if ($retval) {
-
- # Make the revert functionality
- &B_revert_log(&getGlobal('BIN',"rm") . " $original_file\n");
- } else {
- &B_log("ERROR","Couldn't mknod $prefix $original_file $suffix even though it didn't already exist!\n");
- }
-
-
- &B_log("ACTION","mknod $prefix $original_file $suffix\n");
- }
- else {
- &B_log("ACTION","Didn't mknod $prefix $original_file $suffix since $original_file already existed.\n");
- $retval=0;
- }
-
- $retval;
-}
-
-###########################################################################
-# &B_revert_log("reverse_command") prepends a command to a shell script. This
-# shell script is intended to be run by bastille -r to reverse the changes that
-# Bastille made, returning the files which Bastille changed to their original
-# state.
-###########################################################################
-
-sub B_revert_log($) {
-
- my $revert_command = $_[0];
- my $revert_actions = &getGlobal('BFILE', "revert-actions");
- my $revertdir= &getGlobal('BDIR', "revert");
- my @lines;
-
-
- if (! (-e $revert_actions)) {
- mkpath($revertdir); #if this doesn't work next line catches
- if (open REVERT_ACTIONS,">" . $revert_actions){ # create revert file
- close REVERT_ACTIONS; # chown to root, rwx------
- chmod 0700,$revert_actions;
- chown 0,0,$revert_actions;
- }
- else {
- &B_log("FATAL","Can not create revert-actions file: $revert_actions.\n" .
- " Unable to add the following command to the revert\n" .
- " actions script: $revert_command\n");
- }
-
- }
-
- &B_open_plus (*REVERT_NEW, *REVERT_OLD, $revert_actions);
-
- while (my $line=<REVERT_OLD>) { #copy file into @lines
- push (@lines,$line);
- }
- print REVERT_NEW $revert_command . "\n"; #make the revert command first in the new file
- while (my $line = shift @lines) { #write the rest of the lines of the file
- print REVERT_NEW $line;
- }
- close REVERT_OLD;
- close REVERT_NEW;
- if (rename "${revert_actions}.bastille", $revert_actions) { #replace the old file with the new file we
- chmod 0700,$revert_actions; # just made / mirrors B_close_plus logic
- chown 0,0,$revert_actions;
- } else {
- &B_log("ERROR","B_revert_log: not able to move ${revert_actions}.bastille to ${revert_actions}!!! $!) !!!\n");
- }
-}
-
-
-###########################################################################
-# &getGlobalConfig($$)
-#
-# returns the requested GLOBAL_CONFIG hash value, ignoring the error
-# if the value does not exist (because every module uses this to find
-# out if the question was answered "Y")
-###########################################################################
-sub getGlobalConfig ($$) {
- my $module = $_[0];
- my $key = $_[1];
- if (exists $GLOBAL_CONFIG{$module}{$key}) {
- my $answer=$GLOBAL_CONFIG{$module}{$key};
- &B_log("ACTION","Answer to question $module.$key is \"$answer\".\n");
- return $answer;
- } else {
- &B_log("ACTION","Answer to question $module.$key is undefined.");
- return undef;
- }
-}
-
-###########################################################################
-# &getGlobal($$)
-#
-# returns the requested GLOBAL_* hash value, and logs an error
-# if the variable does not exist.
-###########################################################################
-sub getGlobal ($$) {
- my $type = uc($_[0]);
- my $key = $_[1];
-
- # define a mapping from the first argument to the proper hash
- my %map = ("BIN" => \%GLOBAL_BIN,
- "FILE" => \%GLOBAL_FILE,
- "BFILE" => \%GLOBAL_BFILE,
- "DIR" => \%GLOBAL_DIR,
- "BDIR" => \%GLOBAL_BDIR,
- "ERROR" => \%GLOBAL_ERROR,
- "SERVICE" => \%GLOBAL_SERVICE,
- "SERVTYPE" => \%GLOBAL_SERVTYPE,
- "PROCESS" => \%GLOBAL_PROCESS,
- "RCCONFIG" => \%GLOBAL_RC_CONFIG
- );
-
- # check to see if the desired key is in the desired hash
- if (exists $map{$type}->{$key}) {
- # get the value from the right hash with the key
- return $map{$type}->{$key};
- } else {
- # i.e. Bastille tried to use $GLOBAL_BIN{'cp'} but it does not exist.
- # Note that we can't use B_log, since it uses getGlobal ... recursive before
- # configureForDistro is run.
- print STDERR "ERROR: Bastille tried to use \$GLOBAL_${type}\{\'$key\'} but it does not exist.\n";
- return undef;
- }
-}
-
-###########################################################################
-# &getGlobal($$)
-#
-# sets the requested GLOBAL_* hash value
-###########################################################################
-sub setGlobal ($$$) {
- my $type = uc($_[0]);
- my $key = $_[1];
- my $input_value = $_[2];
-
- # define a mapping from the first argument to the proper hash
- my %map = ("BIN" => \%GLOBAL_BIN,
- "FILE" => \%GLOBAL_FILE,
- "BFILE" => \%GLOBAL_BFILE,
- "DIR" => \%GLOBAL_DIR,
- "BDIR" => \%GLOBAL_BDIR,
- "ERROR" => \%GLOBAL_ERROR,
- "SERVICE" => \%GLOBAL_SERVICE,
- "SERVTYPE" => \%GLOBAL_SERVTYPE,
- "PROCESS" => \%GLOBAL_PROCESS,
- );
-
- if ($map{$type}->{$key} = $input_value) {
- return 1;
- } else {
- &B_log('ERROR','Internal Error, Unable to set global config value:' . $type . ", " .$key);
- return 0;
- }
-}
-
-
-###########################################################################
-# &showDisclaimer:
-# Print the disclaimer and wait for 2 minutes for acceptance
-# Do NOT do so if any of the following conditions hold
-# 1. the -n option was used
-# 2. the file ~/.bastille_disclaimer exists
-###########################################################################
-
-sub showDisclaimer($) {
-
- my $nodisclaim = $_[0];
- my $nodisclaim_file = &getGlobal('BFILE', "nodisclaimer");
- my $response;
- my $WAIT_TIME = 300; # we'll wait for 5 minutes
- my $developersAnd;
- my $developersOr;
- if ($GLOBAL_OS =~ "^HP-UX") {
- $developersAnd ="HP AND ITS";
- $developersOr ="HP OR ITS";
- }else{
- $developersAnd ="JAY BEALE, THE BASTILLE DEVELOPERS, AND THEIR";
- $developersOr ="JAY BEALE, THE BASTILLE DEVELOPERS, OR THEIR";
- }
- my $DISCLAIMER =
- "\n" .
- "Copyright (C) 1999-2006 Jay Beale\n" .
- "Copyright (C) 1999-2001 Peter Watkins\n" .
- "Copyright (C) 2000 Paul L. Allen\n" .
- "Copyright (C) 2001-2007 Hewlett-Packard Development Company, L.P.\n" .
- "Bastille is free software; you are welcome to redistribute it under\n" .
- "certain conditions. See the \'COPYING\' file in your distribution for terms.\n\n" .
- "DISCLAIMER. Use of Bastille can help optimize system security, but does not\n" .
- "guarantee system security. Information about security obtained through use of\n" .
- "Bastille is provided on an AS-IS basis only and is subject to change without\n" .
- "notice. Customer acknowledges they are responsible for their system\'s security.\n" .
- "TO THE EXTENT ALLOWED BY LOCAL LAW, Bastille (\"SOFTWARE\") IS PROVIDED TO YOU \n" .
- "\"AS IS\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN,\n" .
- "EXPRESS OR IMPLIED. $developersAnd SUPPLIERS\n" .
- "DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE \n" .
- "IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.\n" .
- "Some countries, states and provinces do not allow exclusions of implied\n" .
- "warranties or conditions, so the above exclusion may not apply to you. You may\n" .
- "have other rights that vary from country to country, state to state, or province\n" .
- "to province. EXCEPT TO THE EXTENT PROHIBITED BY LOCAL LAW, IN NO EVENT WILL\n" .
- "$developersOr SUBSIDIARIES, AFFILIATES OR\n" .
- "SUPPLIERS BE LIABLE FOR DIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR OTHER\n" .
- "DAMAGES (INCLUDING LOST PROFIT, LOST DATA, OR DOWNTIME COSTS), ARISING OUT OF\n" .
- "THE USE, INABILITY TO USE, OR THE RESULTS OF USE OF THE SOFTWARE, WHETHER BASED\n" .
- "IN WARRANTY, CONTRACT, TORT OR OTHER LEGAL THEORY, AND WHETHER OR NOT ADVISED\n" .
- "OF THE POSSIBILITY OF SUCH DAMAGES. Your use of the Software is entirely at your\n" .
- "own risk. Should the Software prove defective, you assume the entire cost of all\n" .
- "service, repair or correction. Some countries, states and provinces do not allow\n" .
- "the exclusion or limitation of liability for incidental or consequential \n" .
- "damages, so the above limitation may not apply to you. This notice will only \n".
- "display on the first run on a given system.\n".
- "To suppress the disclaimer on other machines, use Bastille\'s -n flag (example: bastille -n).\n";
-
-
-# If the user has specified not to show the disclaimer, or
-# the .bastille_disclaimer file already exists, then return
- if( ( $nodisclaim ) || -e $nodisclaim_file ) { return 1; }
-
-# otherwise, show the disclaimer
- print ($DISCLAIMER);
-
-# there is a response
- my $touch = &getGlobal('BIN', "touch");
- my $retVal = system("$touch $nodisclaim_file");
- if( $retVal != 0 ) {
- &ErrorLog ( &getGlobal('ERROR','disclaimer'));
- }
-} # showDisclaimer
-
-
-
-
-################################################################
-# &systemCall
-#Function used by exported methods B_Backtick and B_system
-#to handle the mechanics of system calls.
-# This function also manages error handling.
-# Input: a system call
-# Output: a list containing the status, sstdout and stderr
-# of the the system call
-#
-################################################################
-sub systemCall ($){
- no strict;
- local $command=$_[0]; # changed scoping so eval below can read it
-
- local $SIG{'ALRM'} = sub { die "timeout" }; # This subroutine exits the "eval" below. The program
- # can then move on to the next operation. Used "local"
- # to avoid name space collision with disclaim alarm.
- local $WAIT_TIME=120; # Wait X seconds for system commands
- local $commandOutput = '';
- my $errOutput = '';
- eval{
- $errorFile = &getGlobal('BFILE','stderrfile');
- unlink($errorFile); #To make sure we don't mix output
- alarm($WAIT_TIME); # start a time-out for command to complete. Some commands hang, and we want to
- # fail gracefully. When we call "die" it exits this eval statement
- # with a value we use below
- $commandOutput = `$command 2> $errorFile`; # run the command and gather its output
- my $commandRetVal = ($? >> 8); # find the commands return value
- if ($commandRetVal == 0) {
- &B_log("ACTION","Executed Command: " . $command . "\n");
- &B_log("ACTION","Command Output: " . $commandOutput . "\n");
- die "success";
- } else {
- die "failure";
- };
- };
-
- my $exitcode=$@;
- alarm(0); # End of the timed operation
-
- my $cat = &getGlobal("BIN","cat");
- if ( -e $errorFile ) {
- $errOutput = `$cat $errorFile`;
- }
-
- if ($exitcode) { # The eval command above will exit with one of the 3 values below
- if ($exitcode =~ /timeout/) {
- &B_log("WARNING","No response received from $command after $WAIT_TIME seconds.\n" .
- "Command Output: " . $commandOutput . "\n");
- return (0,'','');
- } elsif ($exitcode =~ /success/) {
- return (1,$commandOutput,$errOutput);
- } elsif ($exitcode =~ /failure/) {
- return (0,$commandOutput,$errOutput);
- } else {
- &B_log("FATAL","Unexpected return state from command execution: $command\n" .
- "Command Output: " . $commandOutput . "\n");
- }
- }
-}
-
-#############################################
-# Use this **only** for commands used that are
-# intended to test system state and
-# not make any system change. Use this in place of the
-# prior use of "backticks throughout Bastille
-# Handles basic output redirection, but not for stdin
-# Input: Command
-# Output: Results
-#############################################
-
-sub B_Backtick($) {
- my $command=$_[0];
- my $combineOutput=0;
- my $stdoutRedir = "";
- my $stderrRedir = "";
- my $echo = &getGlobal('BIN','echo');
-
- if (($command =~ s/2>&1//) or
- (s/>&2//)){
- $combineOutput=1;
- }
- if ($command =~ s/>\s*([^>\s])+// ) {
- $stdoutRedir = $1;
- }
- if ($command =~ s/2>\s*([^>\s])+// ) {
- $stderrRedir = $1;
- }
-
- my ($ranFine, $stdout, $stderr) = &systemCall($command);
- if ($ranFine) {
- &B_log("DEBUG","Command: $command succeeded for test with output: $stdout , ".
- "and stderr: $stderr");
- } else {
- &B_log("DEBUG","Command: $command failed for test with output: $stdout , ".
- "and stderr: $stderr");
- }
- if ($combineOutput) {
- $stdout .= $stderr;
- $stderr = $stdout; #these should be the same
- }
- if ($stdoutRedir ne "") {
- system("$echo \'$stdout\' > $stdoutRedir");
- }
- if ($stderrRedir ne "") {
- system("$echo \'$stderr\' > $stderrRedir");
- }
- return $stdout;
-}
-
-####################################################################
-# &B_System($command,$revertcommand);
-# This function executes a command, then places the associated
-# revert command in revert file. It takes two parameters, the
-# command and the command that reverts that command.
-#
-# uses ActionLog and ErrorLog for logging purposes.
-###################################################################
-sub B_System ($$) {
- my ($command,$revertcmd)=@_;
-
- my ($ranFine, $stdout, $stderr) = &systemCall($command);
- if ($ranFine) {
- &B_revert_log ("$revertcmd \n");
- if ($stderr ne '' ) {
- &B_log("ACTION",$command . "suceeded with STDERR: " .
- $stderr . "\n");
- }
- return 1;
- } else {
- my $warningString = "Command Failed: " . $command . "\n" .
- "Command Output: " . $stdout . "\n";
- if ($stderr ne '') {
- $warningString .= "Error message: " . $stderr;
- }
- &B_log("WARNING", $warningString);
- return 0;
- }
-}
-
-
-###########################################################################
-# &isProcessRunning($procPattern);
-#
-# If called in scalar context this subroutine will return a 1 if the
-# pattern specified can be matched against the process table. It will
-# return a 0 otherwise.
-# If called in the list context this subroutine will return the list
-# of processes which matched the pattern supplied
-#
-# scalar return values:
-# 0: pattern not in process table
-# 1: pattern is in process table
-#
-# list return values:
-# proc lines from the process table if they are found
-###########################################################################
-sub isProcessRunning($) {
-
- my $procPattern= $_[0];
- my $ps = &getGlobal('BIN',"ps");
-
- my $isRunning=0;
- # process table.
- my @psTable = `$ps -elf`;
- # list of processes that match the $procPattern
- my @procList;
- foreach my $process (@psTable) {
- if($process =~ $procPattern) {
- $isRunning = 1;
- push @procList, $process . "\n";
- }
- }
-
- &B_log("DEBUG","$procPattern search yielded $isRunning\n\n");
- # if this subroutine was called in scalar context
- if( ! wantarray ) {
- return $isRunning;
- }
-
- return @procList;
-}
-
-
-###########################################################################
-# &checkProcsForService($service);
-#
-# Checks if the given service is running by analyzing the process table.
-# This is a helper function to checkServiceOnLinux and checkServiceOnHP
-#
-# Return values:
-# SECURE_CANT_CHANGE() if the service is off
-# INCONSISTENT() if the state of the service cannot be determined
-#
-# Mostly used in "check service" direct-return context, but added option use.
-# to ignore warning if a check for a service ... where a found service doesn't
-# have direct security problems.
-#
-###########################################################################
-sub checkProcsForService ($;$) {
- my $service=$_[0];
- my $ignore_warning=$_[1];
-
- my @psnames=@{ &getGlobal('PROCESS',$service)};
-
- my @processes;
- # inetd services don't have a separate process
- foreach my $psname (@psnames) {
- my @procList = &isProcessRunning($psname);
- if(@procList >= 0){
- splice @processes,$#processes+1,0,@procList;
- }
- }
-
- if($#processes >= 0){
- if ((defined($ignore_warning)) and ($ignore_warning eq "ignore_warning")) {
- &B_log("WARNING","The following processes were still running even though " .
- "the corresponding service appears to be turned off. Bastille " .
- "question and action will be skipped.\n\n" .
- "@processes\n\n");
- # processes were still running, service is not off, but we don't know how
- # to configure it so we skip the question
- return INCONSISTENT();
- } else {
- return NOTSECURE_CAN_CHANGE(); # In the case we're ignoring the warning,
- # ie: checking to make *sure* a process
- # is running, the answer isn't inconsistent
- }
- } else {
- &B_log("DEBUG","$service is off. Found no processes running on the system.");
- # no processes, so service is off
- return SECURE_CANT_CHANGE();
- }
- # Can't determine the state of the service by looking at the processes,
- # so return INCONSISTENT().
- return INCONSISTENT();
-}
-
-###########################################################################
-# B_parse_fstab()
-#
-# Search the filesystem table for a specific mount point.
-#
-# scalar return value:
-# The line form the table that matched the mount point, or the null string
-# if no match was found.
-#
-# list return value:
-# A list of parsed values from the line of the table that matched, with
-# element [3] containing a reference to a hash of the mount options. The
-# keys are: acl, dev, exec, rw, suid, sync, or user. The value of each key
-# can be either 0 or 1. To access the hash, use code similar to this:
-# %HashResult = %{(&B_parse_fstab($MountPoint))[3]};
-#
-###########################################################################
-
-sub B_parse_fstab($)
-{
- my $name = shift;
- my $file = &getGlobal('FILE','fstab');
- my ($enable, $disable, $infile);
- my @lineopt;
- my $retline = "";
- my @retlist = ();
-
- unless (open FH, $file) {
- &B_log('ERROR',"B_parse_fstab couldn't open fstab file at path $file.\n");
- return 0;
- }
- while (<FH>) {
- s/\#.*//;
- next unless /\S/;
- @retlist = split;
- next unless $retlist[1] eq $name;
- $retline .= $_;
- if (wantarray) {
- my $option = { # initialize to defaults
- acl => 0, # for ext2, etx3, reiserfs
- dev => 1,
- exec => 1,
- rw => 1,
- suid => 1,
- sync => 0,
- user => 0,
- };
-
- my @lineopt = split(',',$retlist[3]);
- foreach my $entry (@lineopt) {
- if ($entry eq 'acl') {
- $option->{'acl'} = 1;
- }
- elsif ($entry eq 'nodev') {
- $option->{'dev'} = 0;
- }
- elsif ($entry eq 'noexec') {
- $option->{'exec'} = 0;
- }
- elsif ($entry eq 'ro') {
- $option->{'rw'} = 0;
- }
- elsif ($entry eq 'nosuid') {
- $option->{'suid'} = 0;
- }
- elsif ($entry eq 'sync') {
- $option->{'sync'} = 1;
- }
- elsif ($entry eq 'user') {
- $option->{'user'} = 1;
- }
- }
- $retlist[3]= $option;
- }
- last;
- }
-
- if (wantarray)
- {
- return @retlist;
- }
- else
- {
- return $retline;
- }
-
-}
-
-
-###########################################################################
-# B_parse_mtab()
-#
-# This routine returns a hash of devices and their mount points from mtab,
-# simply so you can get a list of mounted filesystems.
-#
-###########################################################################
-
-sub B_parse_mtab
-{
- my $mountpoints;
- open(MTAB,&getGlobal('FILE','mtab'));
- while(my $mtab_line = <MTAB>) {
- #test if it's a device
- if ($mtab_line =~ /^\//)
- {
- #parse out device and mount point
- $mtab_line =~ /^(\S+)\s+(\S+)/;
- $mountpoints->{$1} = $2;
- }
- }
- return $mountpoints;
-}
-
-
-###########################################################################
-# B_is_rpm_up_to_date()
-#
-#
-###########################################################################
-
-sub B_is_rpm_up_to_date(@)
-{
- my($nameB,$verB,$relB,$epochB) = @_;
- my $installedpkg = $nameB;
-
- if ($epochB =~ /(none)/) {
- $epochB = 0;
- }
-
- my $rpmA = `rpm -q --qf '%{VERSION}-%{RELEASE}-%{EPOCH}\n' $installedpkg`;
- my $nameA = $nameB;
- my ($verA,$relA,$epochA);
-
- my $retval;
-
- # First, if the RPM isn't installed, let's handle that.
- if ($rpmA =~ /is not installed/) {
- $retval = -1;
- return $retval;
- }
- else {
- # Next, let's try to parse the EVR information without as few
- # calls as possible to rpm.
- if ($rpmA =~ /([^-]+)-([^-]+)-([^-]+)$/) {
- $verA = $1;
- $relA = $2;
- $epochA = $3;
- }
- else {
- $nameA = `rpm -q --qf '%{NAME}' $installedpkg`;
- $verA = `rpm -q --qf '%{VERSION}' $installedpkg`;
- $relA = `rpm -q --qf '%{RELEASE}' $installedpkg`;
- $epochA = `rpm -q --qf '%{EPOCH}' $installedpkg`;
- }
- }
-
- # Parse "none" as 0.
- if ($epochA =~ /(none)/) {
- $epochA = 0;
- }
-
- # Handle the case where only one of them is zero.
- if ($epochA == 0 xor $epochB == 0)
- {
- if ($epochA != 0)
- {
- $retval = 1;
- }
- else
- {
- $retval = 0;
- }
- }
- else
- {
- # ...otherwise they are either both 0 or both non-zero and
- # so the situation isn't trivial.
-
- # Check epoch first - highest epoch wins.
- my $rpmcmp = &cmp_vers_part($epochA, $epochB);
- #print "epoch rpmcmp is $rpmcmp\n";
- if ($rpmcmp > 0)
- {
- $retval = 1;
- }
- elsif ($rpmcmp < 0)
- {
- $retval = 0;
- }
- else
- {
- # Epochs were the same. Check Version now.
- $rpmcmp = &cmp_vers_part($verA, $verB);
- #print "epoch rpmcmp is $rpmcmp\n";
- if ($rpmcmp > 0)
- {
- $retval = 1;
- }
- elsif ($rpmcmp < 0)
- {
- $retval = 0;
- }
- else
- {
- # Versions were the same. Check Release now.
- my $rpmcmp = &cmp_vers_part($relA, $relB);
- #print "epoch rpmcmp is $rpmcmp\n";
- if ($rpmcmp >= 0)
- {
- $retval = 1;
- }
- elsif ($rpmcmp < 0)
- {
- $retval = 0;
- }
- }
- }
- }
- return $retval;
-}
-
-#################################################
-# Helper function for B_is_rpm_up_to_date()
-#################################################
-
-#This cmp_vers_part function taken from Kirk Bauer's Autorpm.
-# This version comparison code was sent in by Robert Mitchell and, although
-# not yet perfect, is better than the original one I had. He took the code
-# from freshrpms and did some mods to it. Further mods by Simon Liddington
-# <sjl96v@ecs.soton.ac.uk>.
-#
-# Splits string into minors on . and change from numeric to non-numeric
-# characters. Minors are compared from the beginning of the string. If the
-# minors are both numeric then they are numerically compared. If both minors
-# are non-numeric and a single character they are alphabetically compared, if
-# they are not a single character they are checked to be the same if the are not
-# the result is unknown (currently we say the first is newer so that we have
-# a choice to upgrade). If one minor is numeric and one non-numeric then the
-# numeric one is newer as it has a longer version string.
-# We also assume that (for example) .15 is equivalent to 0.15
-
-sub cmp_vers_part($$) {
- my($va, $vb) = @_;
- my(@va_dots, @vb_dots);
- my($a, $b);
- my($i);
-
- if ($vb !~ /^pre/ and $va =~ s/^pre(\d+.*)$/$1/) {
- if ($va eq $vb) { return -1; }
- } elsif ($va !~ /^pre/ and $vb =~ s/^pre(\d+.*)$/$1/) {
- if ($va eq $vb) { return 1; }
- }
-
- @va_dots = split(/\./, $va);
- @vb_dots = split(/\./, $vb);
-
- $a = shift(@va_dots);
- $b = shift(@vb_dots);
- # We also assume that (for example) .15 is equivalent to 0.15
- if ($a eq '' && $va ne '') { $a = "0"; }
- if ($b eq '' && $vb ne '') { $b = "0"; }
- while ((defined($a) && $a ne '') || (defined($b) && $b ne '')) {
- # compare each minor from left to right
- if ((not defined($a)) || ($a eq '')) { return -1; } # the longer version is newer
- if ((not defined($b)) || ($b eq '')) { return 1; }
- if ($a =~ /^\d+$/ && $b =~ /^\d+$/) {
- # I have changed this so that when the two strings are numeric, but one or both
- # of them start with a 0, then do a string compare - Kirk Bauer - 5/28/99
- if ($a =~ /^0/ or $b =~ /^0/) {
- # We better string-compare so that netscape-4.6 is newer than netscape-4.08
- if ($a ne $b) {return ($a cmp $b);}
- }
- # numeric compare
- if ($a != $b) { return $a <=> $b; }
- } elsif ($a =~ /^\D+$/ && $b =~ /^\D+$/) {
- # string compare
- if (length($a) == 1 && length($b) == 1) {
- # only minors with one letter seem to be useful for versioning
- if ($a ne $b) { return $a cmp $b; }
- } elsif (($a cmp $b) != 0) {
- # otherwise we should at least check they are the same and if not say unknown
- # say newer for now so at least we get choice whether to upgrade or not
- return -1;
- }
- } elsif ( ($a =~ /^\D+$/ && $b =~ /^\d+$/) || ($a =~ /^\d+$/ && $b =~ /^\D+$/) ) {
- # if we get a number in one and a word in another the one with a number
- # has a longer version string
- if ($a =~ /^\d+$/) { return 1; }
- if ($b =~ /^\d+$/) { return -1; }
- } else {
- # minor needs splitting
- $a =~ /\d+/ || $a =~ /\D+/;
- # split the $a minor into numbers and non-numbers
- my @va_bits = ($`, $&, $');
- $b =~ /\d+/ || $b =~ /\D+/;
- # split the $b minor into numbers and non-numbers
- my @vb_bits = ($`, $&, $');
- for ( my $j=2; $j >= 0; $j--) {
- if ($va_bits[$j] ne '') { unshift(@va_dots,$va_bits[$j]); }
- if ($vb_bits[$j] ne '') { unshift(@vb_dots,$vb_bits[$j]); }
- }
- }
- $a = shift(@va_dots);
- $b = shift(@vb_dots);
- }
- return 0;
-}
-
-1;
-
diff --git a/recipes-security/bastille/files/AccountPermission.pm b/recipes-security/bastille/files/AccountPermission.pm
deleted file mode 100644
index cfbaab1..0000000
--- a/recipes-security/bastille/files/AccountPermission.pm
+++ /dev/null
@@ -1,1060 +0,0 @@
-package Bastille::API::AccountPermission;
-use strict;
-
-use Bastille::API;
-
-use Bastille::API::HPSpecific;
-
-require Exporter;
-our @ISA = qw(Exporter);
-our @EXPORT_OK = qw(
-B_chmod
-B_chmod_if_exists
-B_chown
-B_chown_link
-B_chgrp
-B_chgrp_link
-B_userdel
-B_groupdel
-B_remove_user_from_group
-B_check_owner_group
-B_is_unowned_file
-B_is_ungrouped_file
-B_check_permissions
-B_permission_test
-B_find_homes
-B_is_executable
-B_is_suid
-B_is_sgid
-B_get_user_list
-B_get_group_list
-B_remove_suid
-);
-our @EXPORT = @EXPORT_OK;
-
-###########################################################################
-# &B_chmod ($mode, $file) sets the mode of $file to $mode. $mode must
-# be stored in octal, so if you want to give mode 700 to /etc/aliases,
-# you need to use:
-#
-# &B_chmod ( 0700 , "/etc/aliases");
-#
-# where the 0700 denotes "octal 7-0-0".
-#
-# &B_chmod ($mode_changes,$file) also respects the symbolic methods of
-# changing file permissions, which are often what question authors are
-# really seeking.
-#
-# &B_chmod ("u-s" , "/bin/mount")
-# or
-# &B_chmod ("go-rwx", "/bin/mount")
-#
-#
-# &B_chmod respects GLOBAL_LOGONLY and uses
-# &B_revert_log used to insert a shell command that will return
-# the permissions to the pre-Bastille state.
-#
-# B_chmod allow for globbing now, as of 1.2.0. JJB
-#
-##########################################################################
-
-
-sub B_chmod($$) {
- my ($new_perm,$file_expr)=@_;
- my $old_perm;
- my $old_perm_raw;
- my $new_perm_formatted;
- my $old_perm_formatted;
-
- my $retval=1;
-
- my $symbolic = 0;
- my ($chmod_noun,$add_remove,$capability) = ();
- # Handle symbolic possibilities too
- if ($new_perm =~ /([ugo]+)([+-]{1})([rwxst]+)/) {
- $symbolic = 1;
- $chmod_noun = $1;
- $add_remove = $2;
- $capability = $3;
- }
-
- my $file;
- my @files = glob ($file_expr);
-
- foreach $file (@files) {
-
- # Prepend global prefix, but save the original filename for B_backup_file
- my $original_file=$file;
-
- # Store the old permissions so that we can log them.
- unless (stat $file) {
- &B_log("ERROR","Couldn't stat $original_file from $old_perm to change permissions\n");
- next;
- }
-
- $old_perm_raw=(stat(_))[2];
- $old_perm= (($old_perm_raw/512) % 8) .
- (($old_perm_raw/64) % 8) .
- (($old_perm_raw/8) % 8) .
- ($old_perm_raw % 8);
-
- # If we've gone symbolic, calculate the new permissions in octal.
- if ($symbolic) {
- #
- # We calculate the new permissions by applying a bitmask to
- # the current permissions, by OR-ing (for +) or XOR-ing (for -).
- #
- # We create this mask by first calculating a perm_mask that forms
- # the right side of this, then multiplying it by 8 raised to the
- # appropriate power to affect the correct digit of the octal mask.
- # This means that we raise 8 to the power of 0,1,2, or 3, based on
- # the noun of "other","group","user", or "suid/sgid/sticky".
- #
- # Actually, we handle multiple nouns by summing powers of 8.
- #
- # The only tough part is that we have to handle suid/sgid/sticky
- # differently.
- #
-
- # We're going to calculate a mask to OR or XOR with the current
- # file mode. This mask is $mask. We calculate this by calculating
- # a sum of powers of 8, corresponding to user/group/other,
- # multiplied with a $premask. The $premask is simply the
- # corresponding bitwise expression of the rwx bits.
- #
- # To handle SUID, SGID or sticky in the simplest way possible, we
- # simply add their values to the $mask first.
-
- my $perm_mask = 00;
- my $mask = 00;
-
- # Check for SUID, SGID or sticky as these are exceptional.
- if ($capability =~ /s/) {
- if ($chmod_noun =~ /u/) {
- $mask += 04000;
- }
- if ($chmod_noun =~ /g/) {
- $mask += 02000;
- }
- }
- if ($capability =~ /t/) {
- $mask += 01000;
- }
-
- # Now handle the normal attributes
- if ($capability =~ /[rwx]/) {
- if ($capability =~ /r/) {
- $perm_mask |= 04;
- }
- if ($capability =~ /w/) {
- $perm_mask |= 02;
- }
- if ($capability =~ /x/) {
- $perm_mask |= 01;
- }
-
- # Now figure out which 3 bit octal digit we're affecting.
- my $power = 0;
- if ($chmod_noun =~ /u/) {
- $mask += $perm_mask * 64;
- }
- if ($chmod_noun =~ /g/) {
- $mask += $perm_mask * 8;
- }
- if ($chmod_noun =~ /o/) {
- $mask += $perm_mask * 1;
- }
- }
- # Now apply the mask to get the new permissions
- if ($add_remove eq '+') {
- $new_perm = $old_perm_raw | $mask;
- }
- elsif ($add_remove eq '-') {
- $new_perm = $old_perm_raw & ( ~($mask) );
- }
- }
-
- # formating for simple long octal output of the permissions in string form
- $new_perm_formatted=sprintf "%5lo",$new_perm;
- $old_perm_formatted=sprintf "%5lo",$old_perm_raw;
-
- &B_log("ACTION","change permissions on $original_file from $old_perm_formatted to $new_perm_formatted\n");
-
- &B_log("ACTION", "chmod $new_perm_formatted,\"$original_file\";\n");
-
- # Change the permissions on the file
-
- if ( -e $file ) {
- unless ($GLOBAL_LOGONLY) {
- $retval=chmod $new_perm,$file;
- if($retval){
- # if the distribution is HP-UX then the modifications should
- # also be made to the IPD (installed product database)
- if(&GetDistro =~ "^HP-UX"){
- &B_swmodify($file);
- }
- # making changes revert-able
- &B_revert_log(&getGlobal('BIN', "chmod") . " $old_perm $file\n");
- }
- }
- unless ($retval) {
- &B_log("ERROR","Couldn't change permissions on $original_file from $old_perm_formatted to $new_perm_formatted\n");
- $retval=0;
- }
- }
- else {
- &B_log("ERROR", "chmod: File $original_file doesn't exist!\n");
- $retval=0;
- }
- }
-
- $retval;
-
-}
-
-###########################################################################
-# &B_chmod_if_exists ($mode, $file) sets the mode of $file to $mode *if*
-# $file exists. $mode must be stored in octal, so if you want to give
-# mode 700 to /etc/aliases, you need to use:
-#
-# &B_chmod_if_exists ( 0700 , "/etc/aliases");
-#
-# where the 0700 denotes "octal 7-0-0".
-#
-# &B_chmod_if_exists respects GLOBAL_LOGONLY and uses
-# &B_revert_log to reset the permissions of the file.
-#
-# B_chmod_if_exists allow for globbing now, as of 1.2.0. JJB
-#
-##########################################################################
-
-
-sub B_chmod_if_exists($$) {
- my ($new_perm,$file_expr)=@_;
- # If $file_expr has a glob character, pass it on (B_chmod won't complain
- # about nonexistent files if given a glob pattern)
- if ( $file_expr =~ /[\*\[\{]/ ) { # } just to match open brace for vi
- &B_log("ACTION","Running chmod $new_perm $file_expr");
- return(&B_chmod($new_perm,$file_expr));
- }
- # otherwise, test for file existence
- if ( -e $file_expr ) {
- &B_log("ACTION","File exists, running chmod $new_perm $file_expr");
- return(&B_chmod($new_perm,$file_expr));
- }
-}
-
-###########################################################################
-# &B_chown ($uid, $file) sets the owner of $file to $uid, like this:
-#
-# &B_chown ( 0 , "/etc/aliases");
-#
-# &B_chown respects $GLOBAL_LOGONLY and uses
-# &B_revert_log to insert a shell command that will return
-# the file/directory owner to the pre-Bastille state.
-#
-# Unlike Perl, we've broken the chown function into B_chown/B_chgrp to
-# make error checking simpler.
-#
-# As of 1.2.0, this now supports file globbing. JJB
-#
-##########################################################################
-
-
-sub B_chown($$) {
- my ($newown,$file_expr)=@_;
- my $oldown;
- my $oldgown;
-
- my $retval=1;
-
- my $file;
- my @files = glob($file_expr);
-
- foreach $file (@files) {
-
- # Prepend prefix, but save original filename
- my $original_file=$file;
-
- $oldown=(stat $file)[4];
- $oldgown=(stat $file)[5];
-
- &B_log("ACTION","change ownership on $original_file from $oldown to $newown\n");
- &B_log("ACTION","chown $newown,$oldgown,\"$original_file\";\n");
- if ( -e $file ) {
- unless ($GLOBAL_LOGONLY) {
- # changing the files owner using perl chown function
- $retval = chown $newown,$oldgown,$file;
- if($retval){
- # if the distribution is HP-UX then the modifications should
- # also be made to the IPD (installed product database)
- if(&GetDistro =~ "^HP-UX"){
- &B_swmodify($file);
- }
- # making ownership change revert-able
- &B_revert_log(&getGlobal('BIN', "chown") . " $oldown $file\n");
- }
- }
- unless ($retval) {
- &B_log("ERROR","Couldn't change ownership to $newown on file $original_file\n");
- }
- }
- else {
- &B_log("ERROR","chown: File $original_file doesn't exist!\n");
- $retval=0;
- }
- }
-
- $retval;
-}
-
-###########################################################################
-# &B_chown_link just like &B_chown but one exception:
-# if the input file is a link it will not change the target's ownship, it only change the link itself's ownship
-###########################################################################
-sub B_chown_link($$){
- my ($newown,$file_expr)=@_;
- my $chown = &getGlobal("BIN","chown");
- my @files = glob($file_expr);
- my $retval = 1;
-
- foreach my $file (@files) {
- # Prepend prefix, but save original filename
- my $original_file=$file;
- my $oldown=(stat $file)[4];
- my $oldgown=(stat $file)[5];
-
- &B_log("ACTION","change ownership on $original_file from $oldown to $newown\n");
- &B_log("ACTION","chown -h $newown,\"$original_file\";\n");
- if ( -e $file ) {
- unless ($GLOBAL_LOGONLY) {
- `$chown -h $newown $file`;
- $retval = ($? >> 8);
- if($retval == 0 ){
- # if the distribution is HP-UX then the modifications should
- # also be made to the IPD (installed product database)
- if(&GetDistro =~ "^HP-UX"){
- &B_swmodify($file);
- }
- # making ownership change revert-able
- &B_revert_log("$chown -h $oldown $file\n");
- }
- }
- unless ( ! $retval) {
- &B_log("ERROR","Couldn't change ownership to $newown on file $original_file\n");
- }
- }
- else {
- &B_log("ERROR","chown: File $original_file doesn't exist!\n");
- $retval=0;
- }
- }
-}
-
-
-###########################################################################
-# &B_chgrp ($gid, $file) sets the group owner of $file to $gid, like this:
-#
-# &B_chgrp ( 0 , "/etc/aliases");
-#
-# &B_chgrp respects $GLOBAL_LOGONLY and uses
-# &B_revert_log to insert a shell command that will return
-# the file/directory group to the pre-Bastille state.
-#
-# Unlike Perl, we've broken the chown function into B_chown/B_chgrp to
-# make error checking simpler.
-#
-# As of 1.2.0, this now supports file globbing. JJB
-#
-##########################################################################
-
-
-sub B_chgrp($$) {
- my ($newgown,$file_expr)=@_;
- my $oldown;
- my $oldgown;
-
- my $retval=1;
-
- my $file;
- my @files = glob($file_expr);
-
- foreach $file (@files) {
-
- # Prepend global prefix, but save original filename for &B_backup_file
- my $original_file=$file;
-
- $oldown=(stat $file)[4];
- $oldgown=(stat $file)[5];
-
- &B_log("ACTION", "Change group ownership on $original_file from $oldgown to $newgown\n");
- &B_log("ACTION", "chown $oldown,$newgown,\"$original_file\";\n");
- if ( -e $file ) {
- unless ($GLOBAL_LOGONLY) {
- # changing the group for the file/directory
- $retval = chown $oldown,$newgown,$file;
- if($retval){
- # if the distribution is HP-UX then the modifications should
- # also be made to the IPD (installed product database)
- if(&GetDistro =~ "^HP-UX"){
- &B_swmodify($file);
- }
- &B_revert_log(&getGlobal('BIN', "chgrp") . " $oldgown $file\n");
- }
- }
- unless ($retval) {
- &B_log("ERROR","Couldn't change ownership to $newgown on file $original_file\n");
- }
- }
- else {
- &B_log("ERROR","chgrp: File $original_file doesn't exist!\n");
- $retval=0;
- }
- }
-
- $retval;
-}
-
-###########################################################################
-# &B_chgrp_link just like &B_chgrp but one exception:
-# if the input file is a link
-# it will not change the target's ownship, it only change the link itself's ownship
-###########################################################################
-sub B_chgrp_link($$) {
- my ($newgown,$file_expr)=@_;
- my $chgrp = &getGlobal("BIN","chgrp");
- my @files = glob($file_expr);
- my $retval=1;
-
- foreach my $file (@files) {
- # Prepend prefix, but save original filename
- my $original_file=$file;
- my $oldgown=(stat $file)[5];
-
- &B_log("ACTION","change group ownership on $original_file from $oldgown to $newgown\n");
- &B_log("ACTION","chgrp -h $newgown \"$original_file\";\n");
- if ( -e $file ) {
- unless ($GLOBAL_LOGONLY) {
- # do not follow link with option -h
- `$chgrp -h $newgown $file`;
- $retval = ($? >> 8);
- if($retval == 0 ){
- # if the distribution is HP-UX then the modifications should
- # also be made to the IPD (installed product database)
- if(&GetDistro =~ "^HP-UX"){
- &B_swmodify($file);
- }
- # making ownership change revert-able
- &B_revert_log("$chgrp" . " -h $oldgown $file\n");
- }
- }
- unless (! $retval) {
- &B_log("ERROR","Couldn't change group ownership to $newgown on file $original_file\n");
- }
- }
- else {
- &B_log("ERROR","chgrp: File $original_file doesn't exist!\n");
- $retval=0;
- }
- }
-}
-
-###########################################################################
-# B_userdel($user) removes $user from the system, chmoding her home
-# directory to 000, root:root owned, and removes the user from all
-# /etc/passwd, /etc/shadow and /etc/group lines.
-#
-# In the future, we may also choose to make a B_lock_account routine.
-#
-# This routine depends on B_remove_user_from_group.
-###########################################################################
-
-sub B_userdel($) {
-
- my $user_to_remove = $_[0];
-
- if (&GetDistro =~ /^HP-UX/) {
- return 0;
-
- # Not yet suported on HP-UX, where we'd need to support
- # the TCB files and such.
- }
-
- #
- # First, let's chmod/chown/chgrp the user's home directory.
- #
-
- # Get the user's home directory from /etc/passwd
- if (open PASSWD,&getGlobal('FILE','passwd')) {
- my @lines=<PASSWD>;
- close PASSWD;
-
- # Get the home directory
- my $user_line = grep '^\s*$user_to_remove\s*:',@lines;
- my $home_directory = (split /\s*:\s*/,$user_line)[5];
-
- # Chmod that home dir to 0000,owned by uid 0, gid 0.
- if (&B_chmod_if_exists(0000,$home_directory)) {
- &B_chown(0,$home_directory);
- &B_chgrp(0,$home_directory);
- }
- }
- else {
- &B_log('ERROR',"B_userdel couldn't open the passwd file to remove a user.");
- return 0;
- }
-
- #
- # Next find out what groups the user is in, so we can call
- # B_remove_user_from_group($user,$group)
- #
- # TODO: add this to the helper functions for the test suite.
- #
-
- my @groups = ();
-
- # Parse /etc/group, looking for our user.
- if (open GROUP,&getGlobal('FILE','group')) {
- my @lines = <GROUP>;
- close GROUP;
-
- foreach my $line (@lines) {
-
- # Parse the line -- first field is group, last is users in group.
- if ($line =~ /([^\#^:]+):[^:]+:[^:]+:(.*)/) {
- my $group = $1;
- my $users_section = $2;
-
- # Get the user list and check if our user is in it.
- my @users = split /\s*,\s*/,$users_section;
- foreach my $user (@users) {
- if ($user_to_remove eq $user) {
- push @groups,$group;
- last;
- }
- }
- }
- }
- }
-
- # Now remove the user from each of those groups.
- foreach my $group (@groups) {
- &B_remove_user_from_group($user_to_remove,$group);
- }
-
- # Remove the user's /etc/passwd and /etc/shadow lines
- &B_delete_line(&getGlobal('FILE','passwd'),"^$user_to_remove\\s*:");
- &B_delete_line(&getGlobal('FILE','shadow'),"^$user_to_remove\\s*:");
-
-
- #
- # We should delete the user's group as well, if it's a single-user group.
- #
- if (open ETCGROUP,&getGlobal('FILE','group')) {
- my @group_lines = <ETCGROUP>;
- close ETCGROUP;
- chomp @group_lines;
-
- if (grep /^$user_to_remove\s*:[^:]*:[^:]*:\s*$/,@group_lines > 0) {
- &B_groupdel($user_to_remove);
- }
- }
-
-}
-
-###########################################################################
-# B_groupdel($group) removes $group from /etc/group.
-###########################################################################
-
-sub B_groupdel($) {
-
- my $group = $_[0];
-
- # First read /etc/group to make sure the group is in there.
- if (open GROUP,&getGlobal('FILE','group')) {
- my @lines=<GROUP>;
- close GROUP;
-
- # Delete the line in /etc/group if present
- if (grep /^$group:/,@lines > 0) {
- # The group is named in /etc/group
- &B_delete_line(&getGlobal('FILE','group'),"^$group:/");
- }
- }
-
-}
-
-
-###########################################################################
-# B_remove_user_from_group($user,$group) removes $user from $group,
-# by modifying $group's /etc/group line, pulling the user out. This
-# uses B_chunk_replace thrice to replace these patterns:
-#
-# ":\s*$user\s*," --> ":"
-# ",\s*$user" -> ""
-#
-###########################################################################
-
-sub B_remove_user_from_group($$) {
-
- my ($user_to_remove,$group) = @_;
-
- #
- # We need to find the line from /etc/group that defines the group, parse
- # it, and put it back together without this user.
- #
-
- # Open the group file
- unless (open GROUP,&getGlobal('FILE','group')) {
- &B_log('ERROR',"&B_remove_user_from_group couldn't read /etc/group to remove $user_to_remove from $group.\n");
- return 0;
- }
- my @lines = <GROUP>;
- close GROUP;
- chomp @lines;
-
- #
- # Read through the lines to find the one we care about. We'll construct a
- # replacement and then use B_replace_line to make the switch.
- #
-
- foreach my $line (@lines) {
-
- if ($line =~ /^\s*$group\s*:/) {
-
- # Parse this line.
- my @group_entries = split ':',$line;
- my @users = split ',',($group_entries[3]);
-
- # Now, recreate it.
- my $first_user = 1;
- my $group_line = $group_entries[0] . ':' . $group_entries[1] . ':' . $group_entries[2] . ':';
-
- # Add every user except the one we're removing.
- foreach my $user (@users) {
-
- # Remove whitespace.
- $user =~ s/\s+//g;
-
- if ($user ne $user_to_remove) {
- # Add the user to the end of the line, prefacing
- # it with a comma if it's not the first user.
-
- if ($first_user) {
- $group_line .= "$user";
- $first_user = 0;
- }
- else {
- $group_line .= ",$user";
- }
- }
- }
-
- # The line is now finished. Replace the original line.
- $group_line .= "\n";
- &B_replace_line(&getGlobal('FILE','group'),"^\\s*$group\\s*:",$group_line);
- }
-
- }
- return 1;
-}
-
-###########################################################################
-# &B_check_owner_group($$$)
-#
-# Checks if the given file has the given owner and/or group.
-# If the given owner is "", checks group only.
-# If the given group is "", checks owner only.
-#
-# return values:
-# 1: file has the given owner and/or group
-# or file exists, and both the given owner and group are ""
-# 0: file does not has the given owner or group
-# or file does not exists
-############################################################################
-
-sub B_check_owner_group ($$$){
- my ($fileName, $owner, $group) = @_;
-
- if (-e $fileName) {
- my @junk=stat ($fileName);
- my $uid=$junk[4];
- my $gid=$junk[5];
-
- # Check file owner
- if ($owner ne "") {
- if (getpwnam($owner) != $uid) {
- return 0;
- }
- }
-
- # Check file group
- if ($group ne "") {
- if (getgrnam($group) != $gid) {
- return 0;
- }
- }
-
- return 1;
- }
- else {
- # Something is wrong if the file not exist
- return 0;
- }
-}
-
-##########################################################################
-# this subroutine will test whether the given file is unowned
-##########################################################################
-sub B_is_unowned_file($) {
- my $file =$_;
- my $uid = (stat($file))[4];
- my $uname = (getpwuid($uid))[0];
- if ( $uname =~ /.+/ ) {
- return 1;
- }
- return 0;
-}
-
-##########################################################################
-# this subroutine will test whether the given file is ungrouped
-##########################################################################
-sub B_is_ungrouped_file($){
- my $file =$_;
- my $gid = (stat($file))[5];
- my $gname = (getgrgid($gid))[0];
- if ( $gname =~ /.+/ ) {
- return 1;
- }
- return 0;
-}
-
-
-
-
-###########################################################################
-# &B_check_permissions($$)
-#
-# Checks if the given file has the given permissions or stronger, where we
-# define stronger as "less accessible." The file argument must be fully
-# qualified, i.e. contain the absolute path.
-#
-# return values:
-# 1: file has the given permissions or better
-# 0: file does not have the given permsssions
-# undef: file permissions cannot be determined
-###########################################################################
-
-sub B_check_permissions ($$){
- my ($fileName, $reqdPerms) = @_;
- my $filePerms; # actual permissions
-
-
- if (-e $fileName) {
- if (stat($fileName)) {
- $filePerms = (stat($fileName))[2] & 07777;
- }
- else {
- &B_log ("ERROR", "Can't stat $fileName.\n");
- return undef;
- }
- }
- else {
- # If the file does not exist, permissions are as good as they can get.
- return 1;
- }
-
- #
- # We can check whether the $filePerms are as strong by
- # bitwise ANDing them with $reqdPerms and checking if the
- # result is still equal to $filePerms. If it is, the
- # $filePerms are strong enough.
- #
- if ( ($filePerms & $reqdPerms) == $filePerms ) {
- return 1;
- }
- else {
- return 0;
- }
-
-}
-
-##########################################################################
-# B_permission_test($user, $previlege,$file)
-# $user can be
-# "owner"
-# "group"
-# "other"
-# $previlege can be:
-# "r"
-# "w"
-# "x"
-# "suid"
-# "sgid"
-# "sticky"
-# if previlege is set to suid or sgid or sticky, then $user can be empty
-# this sub routine test whether the $user has the specified previlige to $file
-##########################################################################
-
-sub B_permission_test($$$){
- my ($user, $previlege, $file) = @_;
-
- if (-e $file ) {
- my $mode = (stat($file))[2];
- my $bitpos;
- # bitmap is | suid sgid sticky | rwx | rwx | rwx
- if ($previlege =~ /suid/ ) {
- $bitpos = 11;
- }
- elsif ($previlege =~ /sgid/ ) {
- $bitpos = 10;
- }
- elsif ($previlege =~ /sticky/ ) {
- $bitpos = 9;
- }
- else {
- if ( $user =~ /owner/) {
- if ($previlege =~ /r/) {
- $bitpos = 8;
- }
- elsif ($previlege =~ /w/) {
- $bitpos =7;
- }
- elsif ($previlege =~ /x/) {
- $bitpos =6;
- }
- else {
- return 0;
- }
- }
- elsif ( $user =~ /group/) {
- if ($previlege =~ /r/) {
- $bitpos =5;
- }
- elsif ($previlege =~ /w/) {
- $bitpos =4;
- }
- elsif ($previlege =~ /x/) {
- $bitpos =3;
- }
- else {
- return 0;
- }
- }
- elsif ( $user =~ /other/) {
- if ($previlege =~ /r/) {
- $bitpos =2;
- }
- elsif ($previlege =~ /w/) {
- $bitpos =1;
- }
- elsif ($previlege =~ /x/) {
- $bitpos =0;
- }
- else {
- return 0;
- }
- }
- else {
- return 0;
- }
- }
- $mode /= 2**$bitpos;
- if ($mode % 2) {
- return 1;
- }
- return 0;
- }
-}
-
-##########################################################################
-# this subroutine will return a list of home directory
-##########################################################################
-sub B_find_homes(){
- # find loginable homes
- my $logins = &getGlobal("BIN","logins");
- my @lines = `$logins -ox`;
- my @homes;
- foreach my $line (@lines) {
- chomp $line;
- my @data = split /:/, $line;
- if ($data[7] =~ /PS/ && $data[5] =~ /home/) {
- push @homes, $data[5];
- }
- }
- return @homes;
-}
-
-
-###########################################################################
-# B_is_executable($)
-#
-# This routine reports on whether a file is executable by the current
-# process' effective UID.
-#
-# scalar return values:
-# 0: file is not executable
-# 1: file is executable
-#
-###########################################################################
-
-sub B_is_executable($)
-{
- my $name = shift;
- my $executable = 0;
-
- if (-x $name) {
- $executable = 1;
- }
- return $executable;
-}
-
-###########################################################################
-# B_is_suid($)
-#
-# This routine reports on whether a file is Set-UID and owned by root.
-#
-# scalar return values:
-# 0: file is not SUID root
-# 1: file is SUID root
-#
-###########################################################################
-
-sub B_is_suid($)
-{
- my $name = shift;
-
- my @FileStatus = stat($name);
- my $IsSuid = 0;
-
- if (-u $name) #Checks existence and suid
- {
- if($FileStatus[4] == 0) {
- $IsSuid = 1;
- }
- }
-
- return $IsSuid;
-}
-
-###########################################################################
-# B_is_sgid($)
-#
-# This routine reports on whether a file is SGID and group owned by
-# group root (gid 0).
-#
-# scalar return values:
-# 0: file is not SGID root
-# 1: file is SGID root
-#
-###########################################################################
-
-sub B_is_sgid($)
-{
- my $name = shift;
-
- my @FileStatus = stat($name);
- my $IsSgid = 0;
-
- if (-g $name) #checks existence and sgid
- {
- if($FileStatus[5] == 0) {
- $IsSgid = 1;
- }
- }
-
- return $IsSgid;
-}
-
-###########################################################################
-# B_get_user_list()
-#
-# This routine outputs a list of users on the system.
-#
-###########################################################################
-
-sub B_get_user_list()
-{
- my @users;
- open(PASSWD,&getGlobal('FILE','passwd'));
- while(<PASSWD>) {
- #Get the users
- if (/^([^:]+):/)
- {
- push (@users,$1);
- }
- }
- return @users;
-}
-
-###########################################################################
-# B_get_group_list()
-#
-# This routine outputs a list of groups on the system.
-#
-###########################################################################
-
-sub B_get_group_list()
-{
- my @groups;
- open(GROUP,&getGlobal('FILE','group'));
- while(my $group_line = <GROUP>) {
- #Get the groups
- if ($group_line =~ /^([^:]+):/)
- {
- push (@groups,$1);
- }
- }
- return @groups;
-}
-
-
-###########################################################################
-# &B_remove_suid ($file) removes the suid bit from $file if it
-# is set and the file exist. If you would like to remove the suid bit
-# from /bin/ping then you need to use:
-#
-# &B_remove_suid("/bin/ping");
-#
-# &B_remove_suid respects GLOBAL_LOGONLY.
-# &B_remove_suid uses &B_chmod to make the permission changes
-# &B_remove_suid allows for globbing. tyler_e
-#
-###########################################################################
-
-sub B_remove_suid($) {
- my $file_expr = $_[0];
-
- &B_log("ACTION","Removing SUID bit from \"$file_expr\".");
- unless ($GLOBAL_LOGONLY) {
- my @files = glob($file_expr);
-
- foreach my $file (@files) {
- # check file existence
- if(-e $file){
- # stat current file to get raw permissions
- my $old_perm_raw = (stat $file)[2];
- # test to see if suidbit is set
- my $suid_bit = (($old_perm_raw/2048) % 2);
- if($suid_bit == 1){
- # new permission without the suid bit
- my $new_perm = ((($old_perm_raw/512) % 8 ) - 4) .
- (($old_perm_raw/64) % 8 ) .
- (($old_perm_raw/8) % 8 ) .
- (($old_perm_raw) % 8 );
- if(&B_chmod(oct($new_perm), $file)){
- &B_log("ACTION","Removed SUID bit from \"$file\".");
- }
- else {
- &B_log("ERROR","Could not remove SUID bit from \"$file\".");
- }
- } # No action if SUID bit is not set
- }# No action if file does not exist
- }# Repeat for each file in the file glob
- } # unless Global_log
-}
-
-
-
-1;
-
diff --git a/recipes-security/bastille/files/FileContent.pm b/recipes-security/bastille/files/FileContent.pm
deleted file mode 100644
index 0a5d609..0000000
--- a/recipes-security/bastille/files/FileContent.pm
+++ /dev/null
@@ -1,1153 +0,0 @@
-package Bastille::API::FileContent;
-use strict;
-
-use Bastille::API;
-
-require Exporter;
-our @ISA = qw(Exporter);
-our @EXPORT_OK = qw(
-B_blank_file
-B_insert_line_after
-B_insert_line_before
-B_insert_line
-B_append_line
-B_prepend_line
-B_replace_line
-B_replace_lines
-B_replace_pattern
-B_match_line
-B_match_line_only
-B_match_chunk
-B_return_matched_lines
-B_hash_comment_line
-B_hash_uncomment_line
-B_delete_line
-B_chunk_replace
-B_print
-B_getValueFromFile
-B_getValueFromString
-
-B_TODO
-B_TODOFlags
-);
-our @EXPORT = @EXPORT_OK;
-
-
-
-###########################################################################
-# &B_blank_file ($filename,$pattern) blanks the file $filename, unless the
-# pattern $pattern is present in the file. This lets us completely redo
-# a file, if it isn't the one we put in place on a previous run...
-#
-# B_blank_file respects $GLOBAL_LOGONLY and uses B_open_plus and B_close_plus
-# so that it makes backups and only modifies files when we're not in "-v"
-# mode...
-#
-# If the file does not exist, the function does nothing, and gives an error
-# to the Error Log
-#
-###########################################################################
-
-sub B_blank_file($$) {
-
- my ($filename,$pattern) = @_;
- my $retval;
-
- # If this variable is true, we won't blank the file...
-
- my $found_pattern=0;
-
- if ($retval=&B_open_plus (*BLANK_NEW,*BLANK_OLD,$filename) ) {
-
- my @lines;
-
- while (my $line = <BLANK_OLD>) {
-
- push @lines,$line;
- if ($line =~ $pattern) {
- $found_pattern=1;
- }
- }
-
- # Only copy the old file if the new one didn't match.
- if ($found_pattern) {
- while ( my $line = shift @lines ) {
- &B_print(*BLANK_NEW,$line);
- }
- }
- else {
- &B_log("ACTION","Blanked file $filename\n");
- }
- &B_close_plus(*BLANK_NEW,*BLANK_OLD,$filename);
- }
- else {
- &B_log("ERROR","Couldn't blank file $filename since we couldn't open it or its replacement\n");
- }
-
- return $retval;
-
-}
-
-###########################################################################
-# &B_insert_line_after ($filename,$pattern,$line_to_insert,$line_to_follow)
-# modifies $filename, inserting $line_to_insert unless one or more lines
-# in the file matches $pattern. The $line_to_insert will be placed
-# immediately after $line_to_follow, if it exists. If said line does not
-# exist, the line will not be inserted and this routine will return 0.
-#
-# B_insert_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-# Here's examples of where you might use this:
-#
-# You'd like to insert a line in Apache's configuration file, in a
-# particular section.
-#
-###########################################################################
-
-sub B_insert_line_after($$$$) {
-
- my ($filename,$pattern,$line_to_insert,$line_to_follow) = @_;
-
- my @lines;
- my $found_pattern=0;
- my $found_line_to_follow=0;
-
- my $retval=1;
-
- if ( &B_open_plus (*INSERT_NEW,*INSERT_OLD,$filename) ) {
-
- # Read through the file looking for a match both on the $pattern
- # and the line we are supposed to be inserting after...
-
- my $ctr=1;
- while (my $line=<INSERT_OLD>) {
- push (@lines,$line);
- if ($line =~ $pattern) {
- $found_pattern=1;
- }
- if ( ($found_line_to_follow < 1) and ($line =~ $line_to_follow)) {
- $found_line_to_follow=$ctr;
- }
- $ctr++;
- }
-
- # Log an error if we never found the line we were to insert after
- unless ($found_line_to_follow ) {
- $retval=0;
- &B_log("ERROR","Never found the line that we were supposed to insert after in $filename\n");
- }
-
- # Now print the file back out, inserting our line if we should...
-
- $ctr=1;
- while (my $line = shift @lines) {
- &B_print(*INSERT_NEW,$line);
- if ( ($ctr == $found_line_to_follow) and ($found_pattern == 0) ) {
- &B_print(*INSERT_NEW,$line_to_insert);
- &B_log("ACTION","Inserted the following line in $filename:\n");
- &B_log("ACTION","$line_to_insert");
- }
- $ctr++;
- }
-
- &B_close_plus (*INSERT_NEW,*INSERT_OLD,$filename);
-
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't insert line to $filename, since open failed.");
- }
-
- return $retval;
-
-}
-###########################################################################
-# &B_insert_line_before ($filename,$pattern,$line_to_insert,$line_to_preceed)
-# modifies $filename, inserting $line_to_insert unless one or more lines
-# in the file matches $pattern. The $line_to_insert will be placed
-# immediately before $line_to_preceed, if it exists. If said line does not
-# exist, the line will not be inserted and this routine will return 0.
-#
-# B_insert_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-# Here's examples of where you might use this:
-#
-# You'd like to insert a line in Apache's configuration file, in a
-# particular section.
-#
-###########################################################################
-
-sub B_insert_line_before($$$$) {
-
- my ($filename,$pattern,$line_to_insert,$line_to_preceed) = @_;
-
- my @lines;
- my $found_pattern=0;
- my $found_line_to_preceed=0;
-
- my $retval=1;
-
- if ( &B_open_plus (*INSERT_NEW,*INSERT_OLD,$filename) ) {
-
- # Read through the file looking for a match both on the $pattern
- # and the line we are supposed to be inserting after...
-
- my $ctr=1;
- while (my $line=<INSERT_OLD>) {
- push (@lines,$line);
- if ($line =~ $pattern) {
- $found_pattern=1;
- }
- if ( ($found_line_to_preceed < 1) and ($line =~ $line_to_preceed)) {
- $found_line_to_preceed=$ctr;
- }
- $ctr++;
- }
-
- # Log an error if we never found the line we were to preceed
- unless ($found_line_to_preceed ) {
- $retval=0;
- &B_log("ERROR","Never found the line that we were supposed to insert before in $filename\n");
- }
-
- # Now print the file back out, inserting our line if we should...
-
- $ctr=1;
- while (my $line = shift @lines) {
- if ( ($ctr == $found_line_to_preceed) and ($found_pattern == 0) ) {
- &B_print(*INSERT_NEW,$line_to_insert);
- &B_log("ACTION","Inserted the following line in $filename:\n");
- &B_log("ACTION","$line_to_insert");
- }
- &B_print(*INSERT_NEW,$line);
- $ctr++;
- }
-
- &B_close_plus (*INSERT_NEW,*INSERT_OLD,$filename);
-
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't insert line to $filename, since open failed.");
- }
-
- return $retval;
-
-}
-
-###########################################################################
-# &B_insert_line ($filename,$pattern,$line_to_insert,$line_to_follow)
-#
-# has been renamed to B_insert_line_after()
-#
-# This name will continue to work, as a shim for code that has not been
-# transitioned.
-###########################################################################
-
-sub B_insert_line($$$$) {
-
- my $rtn_value = &B_insert_line_after(@_);
-
- return ($rtn_value);
-}
-
-
-###########################################################################
-# &B_append_line ($filename,$pattern,$line_to_append) modifies $filename,
-# appending $line_to_append unless one or more lines in the file matches
-# $pattern. This is an enhancement to the append_line_if_no_such_line_exists
-# idea.
-#
-# Additionally, if $pattern is set equal to "", the line is always appended.
-#
-# B_append_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-# Here's examples of where you might use this:
-#
-# You'd like to add a root line to /etc/ftpusers if none exists.
-# You'd like to add a Options Indexes line to Apache's config. file,
-# after you delete all Options lines from said config file.
-#
-###########################################################################
-
-sub B_append_line($$$) {
-
- my ($filename,$pattern,$line_to_append) = @_;
-
- my $found_pattern=0;
- my $retval=1;
-
- if ( &B_open_plus (*APPEND_NEW,*APPEND_OLD,$filename) ) {
- while (my $line=<APPEND_OLD>) {
- &B_print(*APPEND_NEW,$line);
- if ($line =~ $pattern) {
- $found_pattern=1;
- }
- }
- # Changed != 0 to $pattern so that "" works instead of 0 and perl
- # does not give the annoying
- # Argument "XX" isn't numeric in ne at ...
- if ( $pattern eq "" or ! $found_pattern ) {
- &B_print(*APPEND_NEW,$line_to_append);
- &B_log("ACTION","Appended the following line to $filename:\n");
- &B_log("ACTION","$line_to_append");
- }
- &B_close_plus (*APPEND_NEW,*APPEND_OLD,$filename);
- }
- else {
- $retval=0;
- &B_log("ERROR","# Couldn't append line to $filename, since open failed.");
- }
-
- return $retval;
-
-}
-
-###########################################################################
-# &B_prepend_line ($filename,$pattern,$line_to_prepend) modifies $filename,
-# pre-pending $line_to_prepend unless one or more lines in the file matches
-# $pattern. This is an enhancement to the prepend_line_if_no_such_line_exists
-# idea.
-#
-# B_prepend_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-# Here's examples of where you might use this:
-#
-# You'd like to insert the line "auth required pam_deny.so" to the top
-# of the PAM stack file /etc/pam.d/rsh to totally deactivate rsh.
-#
-###########################################################################
-
-sub B_prepend_line($$$) {
-
- my ($filename,$pattern,$line_to_prepend) = @_;
-
- my @lines;
- my $found_pattern=0;
- my $retval=1;
-
- if ( &B_open_plus (*PREPEND_NEW,*PREPEND_OLD,$filename) ) {
- while (my $line=<PREPEND_OLD>) {
- push (@lines,$line);
- if ($line =~ $pattern) {
- $found_pattern=1;
- }
- }
- unless ($found_pattern) {
- &B_print(*PREPEND_NEW,$line_to_prepend);
- }
- while (my $line = shift @lines) {
- &B_print(*PREPEND_NEW,$line);
- }
-
- &B_close_plus (*PREPEND_NEW,*PREPEND_OLD,$filename);
-
- # Log the action
- &B_log("ACTION","Pre-pended the following line to $filename:\n");
- &B_log("ACTION","$line_to_prepend");
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't prepend line to $filename, since open failed.\n");
- }
-
- return $retval;
-
-}
-
-
-###########################################################################
-# &B_replace_line ($filename,$pattern,$line_to_switch_in) modifies $filename,
-# replacing any lines matching $pattern with $line_to_switch_in.
-#
-# It returns the number of lines it replaced (or would have replaced, if
-# LOGONLY mode wasn't on...)
-#
-# B_replace_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-# Here an example of where you might use this:
-#
-# You'd like to replace any Options lines in Apache's config file with:
-# Options Indexes FollowSymLinks
-#
-###########################################################################
-
-sub B_replace_line($$$) {
-
- my ($filename,$pattern,$line_to_switch_in) = @_;
- my $retval=0;
-
- if ( &B_open_plus (*REPLACE_NEW,*REPLACE_OLD,$filename) ) {
- while (my $line=<REPLACE_OLD>) {
- unless ($line =~ $pattern) {
- &B_print(*REPLACE_NEW,$line);
- }
- else {
- # Don't replace the line if it's already there.
- unless ($line eq $line_to_switch_in) {
- &B_print(*REPLACE_NEW,$line_to_switch_in);
-
- $retval++;
- &B_log("ACTION","File modification in $filename -- replaced line\n" .
- "$line\n" .
- "with:\n" .
- "$line_to_switch_in");
- }
- # But if it is there, make sure it stays there! (by Paul Allen)
- else {
- &B_print(*REPLACE_NEW,$line);
- }
- }
- }
- &B_close_plus (*REPLACE_NEW,*REPLACE_OLD,$filename);
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't replace line(s) in $filename because open failed.\n");
- }
-
- return $retval;
-}
-
-###########################################################################
-# &B_replace_lines ($filename,$patterns_and_substitutes) modifies $filename,
-# replacing the line matching the nth $pattern specified in $patterns_and_substitutes->[n]->[0]
-# with the corresponding substitutes in $patterns_and_substitutes->[n]->-[1]
-#
-# It returns the number of lines it replaced (or would have replaced, if
-# LOGONLY mode wasn't on...)
-#
-# B_replace_lines uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-# Here an example of where you might use this:
-#
-# You'd like to replace /etc/opt/ssh/sshd_config file
-# (^#|^)Protocol\s+(.*)\s*$ ==> Protocol 2
-# (^#|^)X11Forwarding\s+(.*)\s*$ ==> X11Forwarding yes
-# (^#|^)IgnoreRhosts\s+(.*)\s*$ ==> gnoreRhosts yes
-# (^#|^)RhostsAuthentication\s+(.*)\s*$ ==> RhostsAuthentication no
-# (^#|^)RhostsRSAAuthentication\s+(.*)\s*$ ==> RhostsRSAAuthentication no
-# (^#|^)PermitRootLogin\s+(.*)\s*$ ==> PermitRootLogin no
-# (^#|^)PermitEmptyPasswords\s+(.*)\s*$ ==> PermitEmptyPasswords no
-# my $patterns_and_substitutes = [
-# [ '(^#|^)Protocol\s+(.*)\s*$' => 'Protocol 2'],
-# ['(^#|^)X11Forwarding\s+(.*)\s*$' => 'X11Forwarding yes'],
-# ['(^#|^)IgnoreRhosts\s+(.*)\s*$' => 'gnoreRhosts yes'],
-# ['(^#|^)RhostsAuthentication\s+(.*)\s*$' => 'RhostsAuthentication no'],
-# ['(^#|^)RhostsRSAAuthentication\s+(.*)\s*$' => 'RhostsRSAAuthentication no'],
-# ['(^#|^)PermitRootLogin\s+(.*)\s*$' => 'PermitRootLogin no'],
-# ['(^#|^)PermitEmptyPasswords\s+(.*)\s*$' => 'PermitEmptyPasswords no']
-#]
-# B_replaces_lines($sshd_config,$patterns_and_substitutes);
-###########################################################################
-
-sub B_replace_lines($$){
- my ($filename, $pairs) = @_;
- my $retval = 0;
- if ( &B_open_plus (*REPLACE_NEW,*REPLACE_OLD,$filename) ) {
- while (my $line = <REPLACE_OLD>) {
- my $switch;
- my $switch_before = $line;
- chomp($line);
- foreach my $pair (@$pairs) {
- $switch = 0;
-
- my $pattern = $pair->[0] ;
- my $replace = $pair->[1];
- my $evalstr = '$line' . "=~ s/$pattern/$replace/";
- eval $evalstr;
- if ($@) {
- &B_log("ERROR", "eval $evalstr failed.\n");
- }
- #if ( $line =~ s/$pair->[0]/$pair->[1]/) {
- # $switch = 1;
- # last;
- #}
- }
- &B_print(*REPLACE_NEW,"$line\n");
- if ($switch) {
- $retval++;
- B_log("ACTION","File modification in $filename -- replaced line\n" .
- "$switch_before\n" .
- "with:\n" .
- "$line\n");
- }
- }
- &B_close_plus (*REPLACE_NEW,*REPLACE_OLD,$filename);
- return 1;
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't replace line(s) in $filename because open failed.\n");
- }
-}
-
-################################################################################################
-# &B_replace_pattern ($filename,$pattern,$pattern_to_remove,$text_to_switch_in)
-# modifies $filename, acting on only lines that match $pattern, replacing a
-# string that matches $pattern_to_remove with $text_to_switch_in.
-#
-# Ex:
-# B_replace_pattern('/etc/httpd.conf','^\s*Options.*\bIncludes\b','Includes','IncludesNoExec')
-#
-# replaces all "Includes" with "IncludesNoExec" on Apache Options lines.
-#
-# It returns the number of lines it altered (or would have replaced, if
-# LOGONLY mode wasn't on...)
-#
-# B_replace_pattern uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-#################################################################################################
-
-sub B_replace_pattern($$$$) {
-
- my ($filename,$pattern,$pattern_to_remove,$text_to_switch_in) = @_;
- my $retval=0;
-
- if ( &B_open_plus (*REPLACE_NEW,*REPLACE_OLD,$filename) ) {
- while (my $line=<REPLACE_OLD>) {
- unless ($line =~ $pattern) {
- &B_print(*REPLACE_NEW,$line);
- }
- else {
- my $orig_line =$line;
- $line =~ s/$pattern_to_remove/$text_to_switch_in/;
-
- &B_print(*REPLACE_NEW,$line);
-
- $retval++;
- &B_log("ACTION","File modification in $filename -- replaced line\n" .
- "$orig_line\n" .
- "via pattern with:\n" .
- "$line\n\n");
- }
- }
- &B_close_plus (*REPLACE_NEW,*REPLACE_OLD,$filename);
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't pattern-replace line(s) in $filename because open failed.\n");
- }
-
- return $retval;
-}
-
-
-###########################################################################
-# &B_match_line($file,$pattern);
-#
-# This subroutine will return a 1 if the pattern specified can be matched
-# against the file specified. It will return a 0 otherwise.
-#
-# return values:
-# 0: pattern not in file or the file is not readable
-# 1: pattern is in file
-###########################################################################
-sub B_match_line($$) {
- # file to be checked and pattern to check for.
- my ($file,$pattern) = @_;
- # if the file is readable then
- if(-r $file) {
- # if the file can be opened then
- if(open FILE,"<$file") {
- # look at each line in the file
- while (my $line = <FILE>) {
- # if a line matches the pattern provided then
- if($line =~ $pattern) {
- # return the pattern was found
- B_log('DEBUG','Pattern: ' . $pattern . ' matched in file: ' .
- $file . "\n");
- return 1;
- }
- }
- }
- # if the file cann't be opened then
- else {
- # send a note to that affect to the errorlog
- &B_log("ERROR","Unable to open file for read.\n$file\n$!\n");
- }
- }
- B_log('DEBUG','Pattern: ' . $pattern . ' not matched in file: ' .
- $file . "\n");
- # the provided pattern was not matched against a line in the file
- return 0;
-}
-
-###########################################################################
-# &B_match_line_only($file,$pattern);
-#
-# This subroutine checks if the specified pattern can be matched and if
-# it's the only content in the file. The only content means it's only but
-# may have several copies in the file.
-#
-# return values:
-# 0: pattern not in file or pattern is not the only content
-# or the file is not readable
-# 1: pattern is in file and it's the only content
-############################################################################
-sub B_match_line_only($$) {
- my ($file,$pattern) = @_;
-
- # if matched, set to 1 later
- my $retval = 0;
-
- # if the file is readable then
- if(-r $file) {
- # if the file can be opened then
- if(&B_open(*FILED, $file)) {
- # pattern should be matched at least once
- # pattern can not be mismatched
- while (my $line = <FILED>) {
- if ($line =~ $pattern) {
- $retval = 1;
- }
- else {
- &B_close(*FILED);
- return 0;
- }
- }
- }
- &B_close(*FILED);
- }
-
- return $retval;
-}
-
-###########################################################################
-# &B_return_matched_lines($file,$pattern);
-#
-# This subroutine returns lines in a file matching a given regular
-# expression, when called in the default list mode. When called in scalar
-# mode, returns the number of elements found.
-###########################################################################
-sub B_return_matched_lines($$)
-{
- my ($filename,$pattern) = @_;
- my @lines = ();
-
- open(READFILE, $filename);
- while (<READFILE>) {
- chomp;
- next unless /$pattern/;
- push(@lines, $_);
- }
- if (wantarray)
- {
- return @lines;
- }
- else
- {
- return scalar (@lines);
- }
-}
-
-###########################################################################
-# &B_match_chunk($file,$pattern);
-#
-# This subroutine will return a 1 if the pattern specified can be matched
-# against the file specified on a line-agnostic form. This allows for
-# patterns which by necessity must match against a multi-line pattern.
-# This is the natural analogue to B_replace_chunk, which was created to
-# provide multi-line capability not provided by B_replace_line.
-#
-# return values:
-# 0: pattern not in file or the file is not readable
-# 1: pattern is in file
-###########################################################################
-
-sub B_match_chunk($$) {
-
- my ($file,$pattern) = @_;
- my @lines;
- my $big_long_line;
- my $retval=1;
-
- open CHUNK_FILE,$file;
-
- # Read all lines into one scalar.
- @lines = <CHUNK_FILE>;
- close CHUNK_FILE;
-
- foreach my $line ( @lines ) {
- $big_long_line .= $line;
- }
-
- # Substitution routines get weird unless last line is terminated with \n
- chomp $big_long_line;
- $big_long_line .= "\n";
-
- # Exit if we don't find a match
- unless ($big_long_line =~ $pattern) {
- $retval = 0;
- }
-
- return $retval;
-}
-
-###########################################################################
-# &B_hash_comment_line ($filename,$pattern) modifies $filename, replacing
-# any lines matching $pattern with a "hash-commented" version, like this:
-#
-#
-# finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
-# becomes:
-# #finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
-#
-# Also:
-# tftp dgram udp wait root /usr/lbin/tftpd tftpd\
-# /opt/ignite\
-# /var/opt/ignite
-# becomes:
-# #tftp dgram udp wait root /usr/lbin/tftpd tftpd\
-# # /opt/ignite\
-# # /var/opt/ignite
-#
-#
-# B_hash_comment_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-###########################################################################
-
-sub B_hash_comment_line($$) {
-
- my ($filename,$pattern) = @_;
- my $retval=1;
-
- if ( &B_open_plus (*HASH_NEW,*HASH_OLD,$filename) ) {
- my $line;
- while ($line=<HASH_OLD>) {
- unless ( ($line =~ $pattern) and ($line !~ /^\s*\#/) ) {
- &B_print(*HASH_NEW,$line);
- }
- else {
- &B_print(*HASH_NEW,"#$line");
- &B_log("ACTION","File modification in $filename -- hash commented line\n" .
- "$line\n" .
- "like this:\n" .
- "#$line\n\n");
- # while the line has a trailing \ then we should also comment out the line below
- while($line =~ m/\\\n$/) {
- if($line=<HASH_OLD>) {
- &B_print(*HASH_NEW,"#$line");
- &B_log("ACTION","File modification in $filename -- hash commented line\n" .
- "$line\n" .
- "like this:\n" .
- "#$line\n\n");
- }
- else {
- $line = "";
- }
- }
-
- }
- }
- &B_close_plus (*HASH_NEW,*HASH_OLD,$filename);
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't hash-comment line(s) in $filename because open failed.\n");
- }
-
- return $retval;
-}
-
-
-###########################################################################
-# &B_hash_uncomment_line ($filename,$pattern) modifies $filename,
-# removing any commenting from lines that match $pattern.
-#
-# #finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
-# becomes:
-# finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
-#
-#
-# B_hash_uncomment_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-###########################################################################
-
-sub B_hash_uncomment_line($$) {
-
- my ($filename,$pattern) = @_;
- my $retval=1;
-
- if ( &B_open_plus (*HASH_NEW,*HASH_OLD,$filename) ) {
- my $line;
- while ($line=<HASH_OLD>) {
- unless ( ($line =~ $pattern) and ($line =~ /^\s*\#/) ) {
- &B_print(*HASH_NEW,$line);
- }
- else {
- $line =~ /^\s*\#+(.*)$/;
- $line = "$1\n";
-
- &B_print(*HASH_NEW,"$line");
- &B_log("ACTION","File modification in $filename -- hash uncommented line\n");
- &B_log("ACTION",$line);
- # while the line has a trailing \ then we should also uncomment out the line below
- while($line =~ m/\\\n$/) {
- if($line=<HASH_OLD>) {
- $line =~ /^\s*\#+(.*)$/;
- $line = "$1\n";
- &B_print(*HASH_NEW,"$line");
- &B_log("ACTION","File modification in $filename -- hash uncommented line\n");
- &B_log("ACTION","#$line");
- &B_log("ACTION","like this:\n");
- &B_log("ACTION","$line");
- }
- else {
- $line = "";
- }
- }
- }
- }
- &B_close_plus (*HASH_NEW,*HASH_OLD,$filename);
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't hash-uncomment line(s) in $filename because open failed.\n");
- }
-
- return $retval;
-}
-
-
-
-###########################################################################
-# &B_delete_line ($filename,$pattern) modifies $filename, deleting any
-# lines matching $pattern. It uses B_replace_line to do this.
-#
-# B_replace_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-# Here an example of where you might use this:
-#
-# You'd like to remove any timeout= lines in /etc/lilo.conf, so that your
-# delay=1 modification will work.
-
-#
-###########################################################################
-
-
-sub B_delete_line($$) {
-
- my ($filename,$pattern)=@_;
- my $retval=&B_replace_line($filename,$pattern,"");
-
- return $retval;
-}
-
-
-###########################################################################
-# &B_chunk_replace ($file,$pattern,$replacement) reads $file replacing the
-# first occurrence of $pattern with $replacement.
-#
-###########################################################################
-
-sub B_chunk_replace($$$) {
-
- my ($file,$pattern,$replacement) = @_;
-
- my @lines;
- my $big_long_line;
- my $retval=1;
-
- &B_open (*OLDFILE,$file);
-
- # Read all lines into one scalar.
- @lines = <OLDFILE>;
- &B_close (*OLDFILE);
- foreach my $line ( @lines ) {
- $big_long_line .= $line;
- }
-
- # Substitution routines get weird unless last line is terminated with \n
- chomp $big_long_line;
- $big_long_line .= "\n";
-
- # Exit if we don't find a match
- unless ($big_long_line =~ $pattern) {
- return 0;
- }
-
- $big_long_line =~ s/$pattern/$replacement/s;
-
- $retval=&B_open_plus (*NEWFILE,*OLDFILE,$file);
- if ($retval) {
- &B_print (*NEWFILE,$big_long_line);
- &B_close_plus (*NEWFILE,*OLDFILE,$file);
- }
-
- return $retval;
-}
-
-###########################################################################
-# &B_print ($handle,@list) prints the items of @list to the file handle
-# $handle. It logs the action and respects the $GLOBAL_LOGONLY variable.
-#
-###########################################################################
-
-sub B_print {
- my $handle=shift @_;
-
- my $result=1;
-
- unless ($GLOBAL_LOGONLY) {
- $result=print $handle @_;
- }
-
- ($handle) = "$handle" =~ /[^:]+::[^:]+::([^:]+)/;
-
- $result;
-}
-
-
-##########################################################################
-# &B_getValueFromFile($regex,$file);
-# Takes a regex with a single group "()" and returns the unique value
-# on any non-commented lines
-# This (and B_return_matched_lines are only used in this file, though are
-# probably more generally useful. For now, leaving these here serve the following
-#functions:
-# a) still gets exported/associated as part of the Test_API package, and
-# is still availble for a couple operations that can't be deferred to the
-# main test loop, as they save values so that individual tests don't have to
-# recreate (copy / paste) the logic to get them.
-#
-# It also avoids the circular "use" if we incldued "use Test API" at the top
-# of this file (Test API "uses" this file.
-# Returns the uncommented, unique values of a param=value pair.
-#
-# Return values:
-# 'Not Defined' if the value is not present or not uniquely defined.
-# $value if the value is present and unique
-#
-###########################################################################
-sub B_getValueFromFile ($$){
- my $inputRegex=$_[0];
- my $file=$_[1];
- my ($lastvalue,$value)='';
-
- my @lines=&B_return_matched_lines($file, $inputRegex);
-
- return &B_getValueFromString($inputRegex,join('/n',@lines));
-}
-
-##########################################################################
-# &B_getValueFromString($param,$string);
-# Takes a regex with a single group "()" and returns the unique value
-# on any non-commented lines
-# This (and B_return_matched_lines are only used in this file, though are
-# probably more generally useful. For now, leaving these here serve the following
-#functions:
-# a) still gets exported/associated as part of the Test_API package, and
-# is still availble for a couple operations that can't be deferred to the
-# main test loop, as they save values so that individual tests don't have to
-# recreate (copy / paste) the logic to get them.
-#
-# It also avoids the circular "use" if we incldued "use Test API" at the top
-# of this file (Test API "uses" this file.
-# Returns the uncommented, unique values of a param=value pair.
-#
-# Return values:
-# 'Not Unique' if the value is not uniquely defined.
-# undef if the value isn't defined at all
-# $value if the value is present and unique
-#
-###########################################################################
-sub B_getValueFromString ($$){
- my $inputRegex=$_[0];
- my $inputString=$_[1];
- my $lastValue='';
- my $value='';
-
- my @lines=split(/\n/,$inputString);
-
- &B_log("DEBUG","B_getvaluefromstring called with regex: $inputRegex and input: " .
- $inputString);
- foreach my $line (grep(/$inputRegex/,@lines)) {
- $line =~ /$inputRegex/;
- $value=$1;
- if (($lastValue eq '') and ($value ne '')) {
- $lastValue = $value;
- } elsif (($lastValue ne $value) and ($value ne '')) {
- B_log("DEBUG","getvaluefromstring returned Not Unique");
- return 'Not Unique';
- }
- }
- if ((not(defined($value))) or ($value eq '')) {
- &B_log("DEBUG","Could not find regex match in string");
- return undef;
- } else {
- &B_log("DEBUG","B_getValueFromString Found: $value ; using: $inputRegex");
- return $value;
- }
-}
-
-###############################################################
-# This function adds something to the To Do List.
-# Arguments:
-# 1) The string you want to add to the To Do List.
-# 2) Optional: Question whose TODOFlag should be set to indicate
-# A pending manual action in subsequent reports. Only skip this
-# If there's no security-audit relevant action you need the user to
-# accomplish
-# Ex:
-# &B_TODO("------\nInstalling IPFilter\n----\nGo get Ipfilter","IPFilter.install_ipfilter");
-#
-#
-# Returns:
-# 0 - If error condition
-# True, if sucess, specifically:
-# "appended" if the append operation was successful
-# "exists" if no change was made since the entry was already present
-###############################################################
-sub B_TODO ($;$) {
- my $text = $_[0];
- my $FlaggedQuestion = $_[1];
- my $multilineString = "";
-
- # trim off any leading and trailing new lines, regexes separated for "clarity"
- $text =~ s/^\n+(.*)/$1/;
- $text =~ s/(.*)\n+$/$1/;
-
- if ( ! -e &getGlobal('BFILE',"TODO") ) {
- # Make the TODO list file for HP-UX Distro
- &B_create_file(&getGlobal('BFILE', "TODO"));
- &B_append_line(&getGlobal('BFILE', "TODO"),'a$b',
- "Please take the steps below to make your system more secure,\n".
- "then delete the item from this file and record what you did along\n".
- "with the date and time in your system administration log. You\n".
- "will need that information in case you ever need to revert your\n".
- "changes.\n\n");
- }
-
-
- if (open(TODO,"<" . &getGlobal('BFILE', "TODO"))) {
- while (my $line = <TODO>) {
- # getting rid of all meta characters.
- $line =~ s/(\\|\||\(|\)|\[|\]|\{|\}|\^|\$|\*|\+|\?|\.)//g;
- $multilineString .= $line;
- }
- chomp $multilineString;
- $multilineString .= "\n";
-
- close(TODO);
- }
- else {
- &B_log("ERROR","Unable to read TODO.txt file.\n" .
- "The following text could not be appended to the TODO list:\n" .
- $text .
- "End of TODO text\n");
- return 0; #False
- }
-
- my $textPattern = $text;
-
- # getting rid of all meta characters.
- $textPattern =~ s/(\\|\||\(|\)|\[|\]|\{|\}|\^|\$|\*|\+|\?|\.)//g;
-
- if( $multilineString !~ "$textPattern") {
- my $datestamp = "{" . localtime() . "}";
- unless ( &B_append_line(&getGlobal('BFILE', "TODO"), "", $datestamp . "\n" . $text . "\n\n\n") ) {
- &B_log("ERROR","TODO Failed for text: " . $text );
- }
- #Note that we only set the flag on the *initial* entry in the TODO File
- #Not on subsequent detection. This is to avoid the case where Bastille
- #complains on a subsequent Bastille run of an already-performed manual
- #action that the user neglected to delete from the TODO file.
- # It does, however lead to a report of "nonsecure" when the user
- #asked for the TODO item, performed it, Bastille detected that and cleared the
- # Item, and then the user unperformed the action. I think this is proper behavior.
- # rwf 06/06
-
- if (defined($FlaggedQuestion)) {
- &B_TODOFlags("set",$FlaggedQuestion);
- }
- return "appended"; #evals to true, and also notes what happened
- } else {
- return "exists"; #evals to true, and also
- }
-
-}
-
-
-#####################################################################
-# &B_TODOFlags()
-#
-# This is the interface to the TODO flags. Test functions set these when they
-# require a TODO item to be completed to get to a "secure" state.
-# The prune/reporting function checks these to ensure no flags are set before
-# reporting an item "secure"
-# "Methods" are load | save | isSet <Question> | set <Question> | unset <Question>
-#
-######################################################################
-
-sub B_TODOFlags($;$) {
- my $action = $_[0];
- my $module = $_[1];
-
- use File::Spec;
-
- my $todo_flag = &getGlobal("BFILE","TODOFlag");
-
- &B_log("DEBUG","B_TODOFlags action: $action , module: $module");
-
- if ($action eq "load") {
- if (-e $todo_flag ) {
- &B_open(*TODO_FLAGS, $todo_flag);
- my @lines = <TODO_FLAGS>;
- foreach my $line (@lines) {
- chomp($line);
- $GLOBAL_CONFIG{"$line"}{"TODOFlag"}="yes";
- }
- return (&B_close(*TODO_FLAGS)); #return success of final close
- } else {
- return 1; #No-op is okay
- }
- } elsif ($action eq "save") {
- # Make sure the file exists, else create
- #Note we use open_plus and and create file, so if Bastille is
- #reverted, all the flags will self-clear (file deleted)
- my $flagNumber = 0;
- my $flagData = '';
- foreach my $key (keys %GLOBAL_CONFIG) {
- if ($GLOBAL_CONFIG{$key}{"TODOFlag"} eq "yes") {
- ++$flagNumber;
- $flagData .= "$key\n";
- }
- }
- if (not( -e $todo_flag)) {
- &B_log("DEBUG","Initializing TODO Flag file: $todo_flag");
- &B_create_file($todo_flag); # Make sure it exists
- }
- &B_blank_file($todo_flag,
- "This will not appear in the file; ensures blanking");
- return &B_append_line($todo_flag, "", "$flagData"); #return success of save
- } elsif (($action eq "isSet") and ($module ne "")) {
- if ($GLOBAL_CONFIG{"$module"}{"TODOFlag"} eq "yes") {
- return 1; #TRUE
- } else {
- return 0; #FALSE
- }
- } elsif (($action eq "set") and ($module ne "")) {
- $GLOBAL_CONFIG{"$module"}{"TODOFlag"} = "yes";
- } elsif (($action eq "clear") and ($module ne "")) {
- $GLOBAL_CONFIG{"$module"}{"TODOFlag"} = "";
- } else {
- &B_log("ERROR","TODO_Flag Called with invalid parameters: $action , $module".
- "audit report may be incorrect.");
- return 0; #FALSE
- }
-}
-
-1;
-
-
diff --git a/recipes-security/bastille/files/HPSpecific.pm b/recipes-security/bastille/files/HPSpecific.pm
deleted file mode 100644
index 7e7d709..0000000
--- a/recipes-security/bastille/files/HPSpecific.pm
+++ /dev/null
@@ -1,1983 +0,0 @@
-package Bastille::API::HPSpecific;
-
-use strict;
-use Bastille::API;
-use Bastille::API::FileContent;
-
-require Exporter;
-our @ISA = qw(Exporter);
-our @EXPORT_OK = qw(
-getIPFLocation
-getGlobalSwlist
-B_check_system
-B_swmodify
-B_load_ipf_rules
-B_Schedule
-B_ch_rc
-B_set_value
-B_chperm
-B_install_jail
-B_list_processes
-B_list_full_processes
-B_deactivate_inetd_service
-B_get_rc
-B_set_rc
-B_chrootHPapache
-isSystemTrusted
-isTrustedMigrationAvailable
-checkServiceOnHPUX
-B_get_path
-convertToTrusted
-isOKtoConvert
-convertToShadow
-getSupportedSettings
-B_get_sec_value
-secureIfNoNameService
-isUsingRemoteNameService
-remoteServiceCheck
-remoteNISPlusServiceCheck
-B_create_nsswitch_file
-B_combine_service_results
-
-%priorBastilleNDD
-%newNDD
-);
-our @EXPORT = @EXPORT_OK;
-
-
-
-# "Constants" for use both in testing and in lock-down
-our %priorBastilleNDD = (
- "ip_forward_directed_broadcasts" =>["ip", "0"],
- "ip_forward_src_routed" =>["ip", "0"],
- "ip_forwarding" =>["ip", "0"],
- "ip_ire_gw_probe" =>["ip", "0"],
- "ip_pmtu_strategy" =>["ip", "1"],
- "ip_respond_to_echo_broadcast" =>["ip", "0"],
- "ip_send_redirects" =>["ip", "0"],
- "ip_send_source_quench" =>["ip", "0"],
- "tcp_syn_rcvd_max" =>["tcp","1000"],
- "tcp_conn_request_max" =>["tcp","4096"] );
-
-our %newNDD = (
- "ip_forward_directed_broadcasts" =>["ip", "0"],
- "ip_forward_src_routed" =>["ip", "0"],
- "ip_forwarding" =>["ip", "0"],
- "ip_ire_gw_probe" =>["ip", "0"],
- "ip_pmtu_strategy" =>["ip", "1"],
- "ip_respond_to_echo_broadcast" =>["ip", "0"],
- "ip_send_redirects" =>["ip", "0"],
- "ip_send_source_quench" =>["ip", "0"],
- "tcp_syn_rcvd_max" =>["tcp","4096"],
- "tcp_conn_request_max" =>["tcp","4096"],
- "arp_cleanup_interval" =>["arp","60000"],
- "ip_respond_to_timestamp" =>["ip", "0"],
- "ip_respond_to_timestamp_broadcast" => ["ip","0"] );
-
-
-####################################################################
-#
-# This module makes up the HP-UX specific API routines.
-#
-####################################################################
-#
-# Subroutine Listing:
-# &HP_ConfigureForDistro: adds all used file names to global
-# hashes and generates a global IPD
-# hash for SD modification lookup.
-#
-# &getGlobalSwlist($): Takes a fully qualified file name
-# and returns product:filset info
-# for that file. returns undef if
-# the file is not present in the IPD
-#
-# &B_check_system: Runs a series of system queries to
-# determine if Bastille can be safely
-# ran on the current system.
-#
-# &B_swmodify($): Takes a file name and runs the
-# swmodify command on it so that the
-# IPD is updated after changes
-#
-# &B_System($$): Takes a system command and the system
-# command that should be used to revert
-# whatever was done. Returns 1 on
-# success and 0 on failure
-#
-# &B_Backtick($) Takes a command to run and returns its stdout
-# to be used in place of the prior prevelent use
-# of un-error-handled backticks
-#
-# &B_load_ipf_rules($): Loads a set of ipfrules into ipf, storing
-# current rules for later reversion.
-#
-# &B_Schedule($$): Takes a pattern and a crontab line.
-# Adds or replaces the crontab line to
-# the crontab file, depending on if a
-# line matches the pattern
-#
-# &B_ch_rc($$): Takes a the rc.config.d flag name and
-# new value as well as the init script
-# location. This will stop a services
-# and set the service so that it will
-# not be restarted.
-#
-# &B_set_value($$$): Takes a param, value, and a filename
-# and sets the given value in the file.
-# Uses ch_rc, but could be rewritten using
-# Bastille API calls to make it work on Linux
-#
-# &B_TODO($): Appends the give string to the TODO.txt
-# file.
-#
-# &B_chperm($$$$): Takes new perm owner and group of given
-# file. TO BE DEPRECATED!!!
-#
-# &B_install_jail($$): Takes the jail name and the jail config
-# script location for a give jail...
-# These scripts can be found in the main
-# directory e.g. jail.bind.hpux
-#
-#####################################################################
-
-##############################################################################
-#
-# HP-UX Bastille directory structure
-#
-##############################################################################
-#
-# /opt/sec_mgmt/bastille/bin/ -- location of Bastille binaries
-# /opt/sec_mgmt/bastille/lib/ -- location of Bastille modules
-# /opt/sec_mgmt/bastille/doc/ -- location of Bastille doc files
-#
-# /etc/opt/sec_mgmt/bastille/ -- location of Bastille config files
-#
-# /var/opt/sec_mgmt/bastille/log -- location of Bastille log files
-# /var/opt/sec_mgmt/bastille/revert -- directory holding all Bastille-
-# created revert scripts
-# /var/opt/sec_mgmt/bastille/revert/backup -- directory holding the original
-# files that Bastille modifies,
-# with permissions intact
-#
-##############################################################################
-
-sub getIPFLocation () { # Temporary until we get defined search space support
- my $ipf=&getGlobal('BIN','ipf_new');
- my $ipfstat=&getGlobal('BIN','ipfstat_new');
- if (not(-e $ipf)) { # Detect if the binaries moved
- $ipf = &getGlobal('BIN','ipf');
- $ipfstat=&getGlobal('BIN','ipfstat');
- }
- return ($ipf, $ipfstat);
-}
-
-##############################################
-# Given a combination of service results, provided
-# in an array, this function combines the result into
-# a reasonable aggregate result
-##############################################
-
-sub B_combine_service_results(@){
- my @results = @_;
-
- #TODO: Consider greater sophistication wrt inconsistent, or not installed.
-
- foreach my $result (@results) {
- if (not(($result == SECURE_CAN_CHANGE) or
- ($result == SECURE_CANT_CHANGE) or
- ($result == NOT_INSTALLED()))) {
- return NOTSECURE_CAN_CHANGE();
- }
- }
- return SECURE_CANT_CHANGE();
-}
-
-####################################################################
-# &getGlobalSwlist ($file);
-# This function returns the product and fileset information for
-# a given file or directory if it exists in the IPD otherwise
-# it returns undefined "undef"
-#
-# uses $GLOBAL_SWLIST{"$FILE"}
-####################################################################
-sub getGlobalSwlist($){
- no strict;
- my $file = $_[0];
-
-
- if(! %GLOBAL_SWLIST) {
- # Generating swlist database for swmodify changes that will be required
- # The database will be a hash of fully qualified file names that reference
- # the files product name and fileset. These values are required to use
- # swmodify...
-
- # Files tagged 'is_volatile' in the IPD are not entered in the swlist database
- # in order to avoid invoking swmodify if the file is changed later. Attempting to
- # swmodify 'volatile' files is both unneccessary and complicated since swverify will
- # not evaluate volatile files anyway, and adding another value to the swlist database
- # would require complex code changes.
-
- # temp variable to keep swlist command /usr/sbin/swlist
- my $swlist = &getGlobal('BIN',"swlist");
-
- # listing of each directory and file that was installed by SD on the target machine
- my @fileList = `$swlist -a is_volatile -l file`;
-
- # listing of each patch and the patches that supersede each.
- # hash which is indexed by patch.fileset on the system
- my %patchSuperseded;
-
- my @patchList = `${swlist} -l fileset -a superseded_by *.*,c=patch 2>&1`;
- # check to see if any patches are present on the system
- if(($? >> 8) == 0) {
-
- # determining patch suppression for swmodify.
- foreach my $patchState (@patchList) {
- # removing empty lines and commented lines.
- if($patchState !~ /^\s*\#/ && $patchState !~ /^\s*$/) {
-
- # removing leading white space
- $patchState =~ s/^\s+//;
- my @patches = split /\s+/, $patchState;
- if($#patches == 0){
- # patch is not superseded
- $patchSuperseded{$patches[0]} = 0;
- }
- else {
- # patch is superseded
- $patchSuperseded{$patches[0]} = 1;
- }
- }
- }
- }
- else {
- &B_log("DEBUG","No patches found on the system.\n");
- }
-
- if($#fileList >= 0){
- # foreach line of swlist output
- foreach my $fileEntry ( @fileList ){
- #filter out commented portions
- if( $fileEntry !~ /^\s*\#/ ){
- chomp $fileEntry;
- # split the output into three fields: product.fileset, filename, flag_isvolatile
- my( $productInfo, $file, $is_volatile ) = $fileEntry =~ /^\s*(\S+): (\S+)\t(\S+)/ ;
- # do not register volatile files
- next if ($is_volatile =~ /true/); # skip to next file entry
- $productInfo =~ s/\s+//;
- $file =~ s/\s+//;
- # if the product is a patch
- if($productInfo =~ /PH(CO|KL|NE|SS)/){
- # if the patch is not superseded by another patch
- if($patchSuperseded{$productInfo} == 0){
- # add the patch to the list of owner for this file
- push @{$GLOBAL_SWLIST{"$file"}}, $productInfo;
- }
- }
- # not a patch.
- else {
- # add the product to the list of owners for this file
- push @{$GLOBAL_SWLIST{"$file"}}, $productInfo;
- }
-
- }
- }
- }
- else{
- # defining GLOBAL_SWLIST in error state.
- $GLOBAL_SWLIST{"ERROR"} = "ERROR";
- &B_log("ERROR","Could not execute swlist. Swmodifys will not be attempted");
- }
- }
-
- if(exists $GLOBAL_SWLIST{"$file"}){
- return $GLOBAL_SWLIST{"$file"};
- }
- else {
- return undef;
- }
-}
-
-###################################################################
-# &B_check_system;
-# This subroutine is called to validate that bastille may be
-# safely run on the current system. It will check to insure
-# that there is enough file system space, mounts are rw, nfs
-# mounts are not mounted noroot, and swinstall, swremove and
-# swmodify are not running
-#
-# uses ErrorLog
-#
-##################################################################
-sub B_check_system {
- # exitFlag is one if a conflict with the successful execution
- # of bastille is found.
- my $exitFlag = 0;
-
- my $ignoreCheck = &getGlobal("BDIR","config") . "/.no_system_check";
- if( -e $ignoreCheck ) {
- return $exitFlag;
- }
-
- # first check for swinstall, swmodify, or swremove processes
- my $ps = &getGlobal('BIN',"ps") . " -el";
- my @processTable = `$ps`;
- foreach my $process (@processTable) {
- if($process =~ /swinstall/ ) {
- &B_log("ERROR","Bastille cannot run while a swinstall is in progress.\n" .
- "Complete the swinstall operation and then run Bastille.\n\n");
- $exitFlag = 1;
- }
-
- if($process =~ /swremove/ ) {
- &B_log("ERROR","Bastille cannot run while a swremove is in progress.\n" .
- "Complete the swremove operation and then run Bastille.\n\n");
- $exitFlag = 1;
- }
-
- if($process =~ /swmodify/ ) {
- &B_log("ERROR","Bastille cannot run while a swmodify is in progress.\n" .
- "Complete the swmodify operation and then run Bastille.\n\n");
- $exitFlag = 1;
- }
-
- }
-
- # check for root read only mounts for /var /etc /stand /
- # Bastille is required to make changes to these file systems.
- my $mount = &getGlobal('BIN',"mount");
- my $rm = &getGlobal('BIN',"rm");
- my $touch = &getGlobal('BIN',"touch");
-
- my @mnttab = `$mount`;
-
- if(($? >> 8) != 0) {
- &B_log("WARNING","Unable to use $mount to determine if needed partitions\n" .
- "are root writable, based on disk mount options.\n" .
- "Bastille will continue but note that disk\n" .
- "mount checks were skipped.\n\n");
- }
- else {
- foreach my $record (@mnttab) {
- my @fields = split /\s+/, $record;
- if ((defined $fields[0]) && (defined $fields[2]) && (defined $fields[3])) {
- my $mountPoint = $fields[0];
- my $mountType = $fields[2];
- my $mountOptions = $fields[3];
-
- # checks for /stand and /var/* removed
- if($mountPoint =~ /^\/$|^\/etc|^\/var$/) {
-
- if($mountOptions =~ /^ro,|,ro,|,ro$/) {
- &B_log("ERROR","$mountPoint is mounted read-only. Bastille needs to make\n" .
- "modifications to this file system. Please remount\n" .
- "$mountPoint read-write and then run Bastille again.\n\n");
- $exitFlag = 1;
- }
- # looking for an nfs mounted file system
- if($mountType =~/.+:\//){
- my $fileExisted=0;
- if(-e "$mountPoint/.bastille") {
- $fileExisted=1;
- }
-
- `$touch $mountPoint/.bastille 1>/dev/null 2>&1`;
-
- if( (! -e "$mountPoint/.bastille") || (($? >> 8) != 0) ) {
- &B_log("ERROR","$mountPoint is an nfs mounted file system that does\n" .
- "not allow root to write to. Bastille needs to make\n" .
- "modifications to this file system. Please remount\n" .
- "$mountPoint giving root access and then run Bastille\n" .
- "again.\n\n");
-
- $exitFlag = 1;
- }
- # if the file did not exist befor the touch then remove the generated file
- if(! $fileExisted) {
- `$rm -f $mountPoint/.bastille 1>/dev/null 2>&1`;
- }
- }
- }
- }
- else {
- &B_log("WARNING","Unable to use $mount to determine if needed partitions\n" .
- "are root writable, based on disk mount options.\n" .
- "Bastille will continue but note that disk\n" .
- "mount checks were skipped.\n\n");
- }
- }
-
- }
-
- # checks for enough disk space in directories that Bastille writes to.
- my $bdf = &getGlobal('BIN',"bdf");
- #directories that Bastille writes to => required space in kilobytes.
- my %bastilleDirs = ( "/etc/opt/sec_mgmt/bastille" => "4", "/var/opt/sec_mgmt/bastille"=> "1000");
- for my $directory (sort keys %bastilleDirs) {
- my @diskUsage = `$bdf $directory`;
-
- if(($? >> 8) != 0) {
- &B_log("WARNING","Unable to use $bdf to determine disk usage for\n" .
- "$directory\n" .
- "Bastille will continue but note that disk\n" .
- "usage checks were skipped.\n\n");
-
- }
- else {
- # removing bdf header line from usage information.
- shift @diskUsage;
- my $usageString= "";
-
- foreach my $usageRecord (@diskUsage) {
- chomp $usageRecord;
- $usageString .= $usageRecord;
- }
-
- $usageString =~ s/^\s+//;
-
- my @fields = split /\s+/, $usageString;
- if($#fields != 5) {
- &B_log("WARNING","Unable to use $bdf to determine disk usage for\n" .
- "$directory\n" .
- "Bastille will continue but note that disk\n" .
- "usage checks were skipped.\n\n");
- }
- else {
-
- my $mountPoint = $fields[5];
- my $diskAvail = $fields[3];
-
- if($diskAvail <= $bastilleDirs{"$directory"}) {
- &B_log("ERROR","$mountPoint does not contain enough available space\n" .
- "for Bastille to run properly. $directory needs\n" .
- "at least $bastilleDirs{$directory} kilobytes of space.\n" .
- "Please clear at least that amount of space from\n" .
- "$mountPoint and run Bastille again.\n" .
- "Current Free Space available = ${diskAvail} k\n\n");
- $exitFlag = 1;
- }
- }
- }
- }
-
- # check to make sure that we are in at least run level 2 before we attempt to run
- my $who = &getGlobal('BIN', "who") . " -r";
- my $levelInfo = `$who`;
- if(($? >> 8) != 0 ) {
- &B_log("WARNING","Unable to use \"$who\" to determine system run.\n" .
- "level Bastille will continue but note that the run\n" .
- "level check was skipped.\n\n");
- }
- else {
- chomp $levelInfo;
- my @runlevel = split /\s+/, $levelInfo;
- if ((! defined $runlevel[3]) or ($runlevel[3] < 2)) {
- &B_log("WARNING","Bastille requires a run-level of 2 or more to run properly.\n" .
- "Please move your system to a higher run level and then\n" .
- "run 'bastille -b'.\n\n");
- if(defined $runlevel[3]) {
- &B_log("ERROR","Current run-level is '$runlevel[3]'.\n\n");
- $exitFlag=1;
- }
- else {
- &B_log("WARNING","Unable to use \"$who\" to determine system run.\n" .
- "level Bastille will continue but note that the run\n" .
- "level check was skipped.\n\n");
- }
- }
- else {
- &B_log("DEBUG","System run-level is $runlevel[3]\n");
- }
- }
-
- if($exitFlag) {
- exit(1);
- }
-
-}
-
-###################################################################
-# &B_swmodify($file);
-# This subroutine is called after a file is modified. It will
-# redefine the file in the IPD with it's new properties. If
-# the file is not in the IPD it does nothing.
-#
-# uses B_System to make the swmodifications.
-##################################################################
-sub B_swmodify($){
- my $file = $_[0];
- if(defined &getGlobalSwlist($file)){
- my $swmodify = &getGlobal('BIN',"swmodify");
- my @productsInfo = @{&getGlobalSwlist($file)};
- # running swmodify on files that were altered by this function but
- # were created and maintained by SD
- foreach my $productInfo (@productsInfo) {
- &B_System("$swmodify -x files='$file' $productInfo",
- "$swmodify -x files='$file' $productInfo");
- }
- }
-}
-
-####################################################################
-# &B_load_ipf_rules($ipfruleset);
-# This function enables an ipfruleset. It's a little more
-# specific than most API functions, but necessary because
-# ipf doesn't return correct exit codes (syntax error results
-# in a 0 exit code)
-#
-# uses ActionLog and ErrorLog to log
-# calls crontab directly (to list and to read in new jobs)
-###################################################################
-sub B_load_ipf_rules ($) {
- my $ipfruleset=$_[0];
-
- &B_log("DEBUG","# sub B_load_ipf_rules");
-
- # TODO: grab ipf.conf dynamically from the rc.config.d files
- my $ipfconf = &getGlobal('FILE','ipf.conf');
-
- # file system changes - these are straightforward, and the API
- # will take care of the revert
- &B_create_file($ipfconf);
- &B_blank_file($ipfconf, 'a$b');
- &B_append_line($ipfconf, 'a$b', $ipfruleset);
-
- # runtime changes
-
- # define binaries
- my $grep = &getGlobal('BIN', 'grep');
- my ($ipf, $ipfstat) = &getIPFLocation;
- # create backup rules
- # This will exit with a non-zero exit code because of the grep
- my @oldrules = `$ipfstat -io 2>&1 | $grep -v empty`;
-
- my @errors=`$ipf -I -Fa -f $ipfconf 2>&1`;
-
- if(($? >> 8) == 0) {
-
- &B_set_rc("IPF_START","1");
- &B_set_rc("IPF_CONF","$ipfconf");
-
- # swap the rules in
- &B_System("$ipf -s","$ipf -s");
-
- # now create a "here" document with the previous version of
- # the rules and put it into the revert-actions script
- &B_revert_log("$ipf -I -Fa -f - <<EOF\n@{oldrules}EOF");
-
- if (@errors) {
- &B_log("ERROR","ipfilter produced the following errors when\n" .
- " loading $ipfconf. You probably had an invalid\n" .
- " rule in ". &getGlobal('FILE','customipfrules') ."\n".
- "@errors\n");
- }
-
- } else {
- &B_log("ERROR","Unable to run $ipf\n");
- }
-
-}
-
-
-
-####################################################################
-# &B_Schedule($pattern,$cronjob);
-# This function schedules a cronjob. If $pattern exists in the
-# crontab file, that job will be replaced. Otherwise, the job
-# will be appended.
-#
-# uses ActionLog and ErrorLog to log
-# calls crontab directly (to list and to read in new jobs)
-###################################################################
-sub B_Schedule ($$) {
- my ($pattern,$cronjob)=@_;
- $cronjob .= "\n";
-
- &B_log("DEBUG","# sub B_Schedule");
- my $crontab = &getGlobal('BIN','crontab');
-
- my @oldjobs = `$crontab -l 2>/dev/null`;
- my @newjobs;
- my $patternfound=0;
-
- foreach my $oldjob (@oldjobs) {
- if (($oldjob =~ m/$pattern/ ) and (not($patternfound))) {
- push @newjobs, $cronjob;
- $patternfound=1;
- &B_log("ACTION","changing existing cron job which matches $pattern with\n" .
- "$cronjob");
- } elsif ($oldjob !~ m/$pattern/ ) {
- &B_log("ACTION","keeping existing cron job $oldjob");
- push @newjobs, $oldjob;
- } #implied: else if pattern matches, but we've
- #already replaced one, then toss the others.
- }
-
- unless ($patternfound) {
- &B_log("ACTION","adding cron job\n$cronjob\n");
- push @newjobs, $cronjob;
- }
-
- if(open(CRONTAB, "|$crontab - 2> /dev/null")) {
- print CRONTAB @newjobs;
-
- # now create a "here" document with the previous version of
- # the crontab file and put it into the revert-actions script
- &B_revert_log("$crontab <<EOF\n" . "@oldjobs" . "EOF");
- close CRONTAB;
- }
-
- # Now check to make sure it happened, since cron will exit happily
- # (retval 0) with no changes if there are any syntax errors
- my @editedjobs = `$crontab -l 2>/dev/null`;
-
- if (@editedjobs ne @newjobs) {
- &B_log("ERROR","failed to add cron job:\n$cronjob\n" .
- " You probably had an invalid crontab file to start with.");
- }
-
-}
-
-
-#This function turns off a service, given a service name defined in HP-UX.service
-
-sub B_ch_rc($) {
-
- my ($service_name)=@_;
-
- if (&GetDistro != "^HP-UX") {
- &B_log("ERROR","Tried to call ch_rc $service_name on a non-HP-UX\n".
- " system! Internal Bastille error.");
- return undef;
- }
- my $configfile="";
- my $command = &getGlobal('BIN', 'ch_rc');
-
- my $startup_script=&getGlobal('DIR','initd') . "/". $service_name;
- my @rc_parameters= @{ &getGlobal('SERVICE',$service_name) };
- my @rcFiles=@{ &getGlobal('RCCONFIG',$service_name) };
- my $rcFile='';
- if (@rcFiles == 1){
- $rcFile=$rcFiles[0];
- } else {
- &B_log("FATAL","Multiple RC Files not yet supported... internal error.");
- }
-
- # if the service-related process is not run, and the control variable is stilll 1
- # there is a inconsistency. in this case we only need to change the control variable
- my @psnames=@{ &getGlobal('PROCESS',$service_name)};
- my @processes;
- foreach my $psname (@psnames) {
- $psname .= '\b'; # avoid embedded match; anchor search pattern to trailing word boundry
- my @procList = &isProcessRunning($psname);
- if(@procList >= 0){
- splice @processes,$#processes+1,0,@procList;
- }
- }
-#Actually set the rc variable
- foreach my $rcVariable (@rc_parameters){
- my $orig_value = &B_get_rc($rcVariable);
- if ($orig_value eq "" ) { #If variable not set, used the defined file
- $configfile=&getGlobal("DIR","rc.config.d") . "/" . $rcFile;
- if (not( -f $configfile )) {
- &B_create_file($configfile);
- }
- }
- &B_log("DEBUG","In B_ch_rc (no procs), setting $rcVariable to 0 in $configfile" .
- ", with an original value of $orig_value with rcfile: $rcFile");
- if ( ! @processes) { # IF there are no processes we don't neet to perform a "stop"
- &B_set_rc($rcVariable, "0", $configfile);
- } else {
- if ( $orig_value !~ "1" ) { #If param is not already 1, the "stop" script won't work
- &B_set_rc($rcVariable, "1",$configfile);
- }
- &B_System ($startup_script . " stop", #stop service, then restart if the user runs bastille -r
- $startup_script . " start");
- # set parameter, so that service will stay off after reboots
- &B_set_rc($rcVariable, "0", $configfile);
- }
- }
-}
-
-
-# This routine sets a value in a given file
-sub B_set_value($$$) {
- my ($param, $value, $file)=@_;
-
- &B_log("DEBUG","B_set_value: $param, $value, $file");
- if (! -e $file ) {
- &B_create_file("$file");
- }
-
- # If a value is already set to something other than $value then reset it.
- #Note that though this tests for "$value ="the whole line gets replaced, so
- #any pre-existing values are also replaced.
- &B_replace_line($file,"^$param\\s*=\\s*","$param=$value\n");
- # If the value is not already set to something then set it.
- &B_append_line($file,"^$param\\s*=\\s*$value","$param=$value\n");
-
-}
-
-
-##################################################################################
-# &B_chperm($owner,$group,$mode,$filename(s))
-# This function changes ownership and mode of a list of files. Takes four
-# arguments first the owner next the group and third the new mode in oct and
-# last a list of files that the permissions changes should take affect on.
-#
-# uses: &swmodify and &B_revert_log
-##################################################################################
-sub B_chperm($$$$) {
- my ($newown, $newgrp, $newmode, $file_expr) = @_;
- my @files = glob($file_expr);
-
- my $return = 1;
-
- foreach my $file (@files){
- my @filestat = stat $file;
- my $oldmode = (($filestat[2]/512) % 8) .
- (($filestat[2]/64) % 8) .
- (($filestat[2]/8) % 8) .
- (($filestat[2]) % 8);
-
- if((chown $newown, $newgrp, $file) != 1 ){
- &B_log("ERROR","Could not change ownership of $file to $newown:$newgrp\n");
- $return = 0;
- }
- else{
- &B_log("ACTION","Changed ownership of $file to $newown:$newgrp\n");
- # swmodifying file if possible...
- &B_swmodify($file);
- &B_revert_log(&getGlobal('BIN',"chown") . " $filestat[4]:$filestat[5] $file\n");
- }
-
- my $newmode_formatted=sprintf "%5lo",$newmode;
-
- if((chmod $newmode, $file) != 1){
- &B_log("ERROR","Could not change mode of $file to $newmode_formatted\n");
- $return = 0;
- }
- else{
- &B_log("ACTION","Changed mode of $file to $newmode_formatted\n");
- &B_revert_log(&getGlobal('BIN',"chmod") . " $oldmode $file\n");
- }
-
-
- }
- return $return;
-}
-
-############################################################################
-# &B_install_jail($jailname, $jailconfigfile);
-# This function takes two arguments ( jail_name, jail_config )
-# It's purpose is to take read in config files that define a
-# chroot jail and then generate it bases on that specification
-############################################################################
-sub B_install_jail($$) {
-
- my $jailName = $_[0]; # Name of the jail e.g bind
- my $jailConfig = $_[1]; # Name of the jails configuration file
- # create the root directory of the jail if it does not exist
- &B_create_dir( &getGlobal('BDIR','jail'));
- &B_chperm(0,0,0555,&getGlobal('BDIR','jail'));
-
- # create the Jail dir if it does not exist
- &B_create_dir( &getGlobal('BDIR','jail') . "/" . $jailName);
- &B_chperm(0,0,0555,&getGlobal('BDIR','jail') . "/". $jailName);
-
-
- my $jailPath = &getGlobal('BDIR','jail') . "/" . $jailName;
- my @lines; # used to store no commented no empty config file lines
- # open configuration file for desired jail and parse in commands
- if(open(JAILCONFIG,"< $jailConfig")) {
- while(my $line=<JAILCONFIG>){
- if($line !~ /^\s*\#|^\s*$/){
- chomp $line;
- push(@lines,$line);
- }
- }
- close JAILCONFIG;
- }
- else{
- &B_log("ERROR","Open Failed on filename: $jailConfig\n");
- return 0;
- }
- # read through commands and execute
- foreach my $line (@lines){
- &B_log("ACTION","Install jail: $line\n");
- my @confCmd = split /\s+/,$line;
- if($confCmd[0] =~ /dir/){ # if the command say to add a directory
- if($#confCmd == 4) { # checking dir Cmd form
- if(! (-d $jailPath . "/" . $confCmd[1])){
- #add a directory and change its permissions according
- #to the conf file
- &B_create_dir( $jailPath . "/" . $confCmd[1]);
- &B_chperm((getpwnam($confCmd[3]))[2],
- (getgrnam($confCmd[4]))[2],
- oct($confCmd[2]),
- $jailPath . "/" . $confCmd[1]);
- }
- }
- else {
- &B_log("ERROR","Badly Formed Configuration Line:\n$line\n\n");
- }
- }
- elsif($confCmd[0] =~ /file/) {
- if($#confCmd == 5) { # checking file cmd form
- if(&B_cp($confCmd[1],$jailPath . "/" . $confCmd[2])){
- # for copy command cp file and change perms
- &B_chperm($confCmd[4],$confCmd[5],oct($confCmd[3]),$jailPath . "/" . $confCmd[2]);
- }
- else {
- &B_log("ERROR","Could not complete copy on specified files:\n" .
- "$line\n");
- }
- }
- else {
- &B_log("ERROR","Badly Formed Configuration Line:\n" .
- "$line\n\n");
- }
- }
- elsif($confCmd[0] =~ /slink/) {
- if($#confCmd == 2) { # checking file cmd form
- if(!(-e $jailPath . "/" . $confCmd[2])){
- #for symlink command create the symlink
- &B_symlink($jailPath . "/" . $confCmd[1], $confCmd[2]);
- }
- }
- else {
- &B_log("ERROR","Badly Formed Configuration Line:\n" .
- "$line\n\n");
- }
- }
- else {
- &B_log("ERROR","Unrecognized Configuration Line:\n" .
- "$line\n\n");
- }
- }
- return 1;
-}
-
-
-
-###########################################################################
-# &B_list_processes($service) #
-# #
-# This subroutine uses the GLOBAL_PROCESS hash to determine if a #
-# service's corresponding processes are running on the system. #
-# If any of the processes are found to be running then the process #
-# name(s) is/are returned by this subroutine in the form of an list #
-# If none of the processes that correspond to the service are running #
-# then an empty list is returned. #
-###########################################################################
-sub B_list_processes($) {
-
- # service name
- my $service = $_[0];
- # list of processes related to the service
- my @processes=@{ &getGlobal('PROCESS',$service)};
-
- # current systems process information
- my $ps = &getGlobal('BIN',"ps");
- my $psTable = `$ps -elf`;
-
- # the list to be returned from the function
- my @running_processes;
-
- # for every process associated with the service
- foreach my $process (@processes) {
- # if the process is in the process table then
- if($psTable =~ m/$process/) {
- # add the process to the list, which will be returned
- push @running_processes, $process;
- }
-
- }
-
- # return the list of running processes
- return @running_processes;
-
-}
-
-#############################################################################
-# &B_list_full_processes($service) #
-# #
-# This subroutine simply grep through the process table for those matching #
-# the input argument TODO: Allow B_list process to levereage this code #
-# ... Not done this cycle to avoid release risk (late in cycle) #
-#############################################################################
-sub B_list_full_processes($) {
-
- # service name
- my $procName = $_[0];
- my $ps = &getGlobal('BIN',"ps");
- my @psTable = split(/\n/,`$ps -elf`);
-
- # for every process associated with the service
- my @runningProcessLines = grep(/$procName/ , @psTable);
- # return the list of running processes
- return @runningProcessLines;
-}
-
-################################################################################
-# &B_deactivate_inetd_service($service); #
-# #
-# This subroutine will disable all inetd services associated with the input #
-# service name. Service name must be a reference to the following hashes #
-# GLOBAL_SERVICE GLOBAL_SERVTYPE and GLOBAL_PROCESSES. If processes are left #
-# running it will note these services in the TODO list as well as instruct the#
-# user in how they remaining processes can be disabled. #
-################################################################################
-sub B_deactivate_inetd_service($) {
- my $service = $_[0];
- my $servtype = &getGlobal('SERVTYPE',"$service");
- my $inetd_conf = &getGlobal('FILE',"inetd.conf");
-
- # check the service type to ensure that it can be configured by this subroutine.
- if($servtype ne 'inet') {
- &B_log("ACTION","The service \"$service\" is not an inet service so it cannot be\n" .
- "configured by this subroutine\n");
- return 0;
- }
-
- # check for the inetd configuration files existence so it may be configured by
- # this subroutine.
- if(! -e $inetd_conf ) {
- &B_log("ACTION","The file \"$inetd_conf\" cannot be located.\n" .
- "Unable to configure inetd\n");
- return 0;
- }
-
- # list of service identifiers present in inetd.conf file.
- my @inetd_entries = @{ &getGlobal('SERVICE',"$service") };
-
- foreach my $inetd_entry (@inetd_entries) {
- &B_hash_comment_line($inetd_conf, "^\\s*$inetd_entry");
- }
-
- # list of processes associated with this service which are still running
- # on the system
- my @running_processes = &B_list_processes($service);
-
- if($#running_processes >= 0) {
- my $todoString = "\n" .
- "---------------------------------------\n" .
- "Deactivating Inetd Service: $service\n" .
- "---------------------------------------\n" .
- "The following process(es) are associated with the inetd service \"$service\".\n" .
- "They are most likely associated with a session which was initiated prior to\n" .
- "running Bastille. To disable a process see \"kill(1)\" man pages or reboot\n" .
- "the system\n" .
- "Active Processes:\n" .
- "###################################\n";
- foreach my $running_process (@running_processes) {
- $todoString .= "\t$running_process\n";
- }
- $todoString .= "###################################\n";
-
- &B_TODO($todoString);
- }
-
-}
-
-
-################################################################################
-# B_get_rc($key); #
-# #
-# This subroutine will use the ch_rc binary to get rc.config.d variables #
-# values properly escaped and quoted. #
-################################################################################
-sub B_get_rc($) {
-
- my $key=$_[0];
- my $ch_rc = &getGlobal('BIN',"ch_rc");
-
- # get the current value of the given parameter.
- my $currentValue=`$ch_rc -l -p $key`;
- chomp $currentValue;
-
- if(($? >> 8) == 0 ) {
- # escape all meta characters.
- # $currentValue =~ s/([\"\`\$\\])/\\$1/g;
- # $currentValue = '"' . $currentValue . '"';
- }
- else {
- return undef;
- }
-
- return $currentValue;
-}
-
-
-
-################################################################################
-# B_set_rc($key,$value); #
-# #
-# This subroutine will use the ch_rc binary to set rc.config.d variables. As #
-# well as setting the variable this subroutine will set revert strings. #
-# #
-################################################################################
-sub B_set_rc($$;$) {
-
- my ($key,$value,$configfile)=@_;
- my $ch_rc = &getGlobal('BIN',"ch_rc");
-
- # get the current value of the given parameter.
- my $currentValue=&B_get_rc($key);
- if(defined $currentValue ) {
- if ($currentValue =~ /^\"(.*)\"$/ ) {
- $currentValue = '"\"' . $1 . '\""';
- }
- if ($value =~ /^\"(.*)\"$/ ) {
- $value = '"\"' . $1 . '\""';
- }
- if ( &B_System("$ch_rc -a -p $key=$value $configfile",
- "$ch_rc -a -p $key=$currentValue $configfile") ) {
- #ch_rc success
- return 1;
- }
- else {
- #ch_rc failure.
- return 0;
- }
- }
- else {
- &B_log("ERROR","ch_rc was unable to lookup $key\n");
- return 0;
- }
-
-}
-
-
-################################################################################
-# &ChrootHPApache($chrootScript,$httpd_conf,$httpd_bin,
-# $apachectl,$apacheJailDir,$serverString);
-#
-# This subroutine given an chroot script, supplied by the vendor, a
-# httpd.conf file, the binary location of httpd, the control script,
-# the jail directory, and the servers identification string, descriptive
-# string for TODO etc. It makes modifications to httpd.conf so that when
-# Apache starts it will chroot itself into the jail that the above
-# mentions script creates.
-#
-# uses B_replace_line B_create_dir B_System B_TODO
-#
-###############################################################################
-sub B_chrootHPapache($$$$$$) {
-
- my ($chrootScript,$httpd_conf,$httpd_bin,$apachectl,$apacheJailDir,$serverString)= @_;
-
- my $exportpath = "export PATH=/usr/bin;";
- my $ps = &getGlobal('BIN',"ps");
- my $isRunning = 0;
- my $todo_header = 0;
-
- # checking for a 2.0 version of the apache chroot script.
- if(-e $chrootScript ) {
-
- if(open HTTPD, $httpd_conf) {
- while (my $line = <HTTPD>){
- if($line =~ /^\s*Chroot/) {
- &B_log("DEBUG","Apache is already running in a chroot as specified by the following line:\n$line\n" .
- "which appears in the httpd.conf file. No Apache Chroot action was taken.\n");
- return;
- }
- }
- close(HTTPD);
- }
-
- if(`$ps -ef` =~ $httpd_bin ) {
- $isRunning=1;
- &B_System("$exportpath " . $apachectl . " stop","$exportpath " . $apachectl . " start");
- }
- &B_replace_line($httpd_conf, '^\s*#\s*Chroot' ,
- "Chroot " . $apacheJailDir);
- if(-d &getGlobal('BDIR',"jail")){
- &B_log("DEBUG","Jail directory already exists. No action taken.\n");
- }
- else{
- &B_log("ACTION","Jail directory was created.\n");
- &B_create_dir( &getGlobal('BDIR','jail'));
- }
-
- if(-d $apacheJailDir){
- &B_log("DEBUG","$serverString jail already exists. No action taken.\n");
- }
- else{
- &B_System(&getGlobal('BIN',"umask") . " 022; $exportpath " . $chrootScript,
- &getGlobal('BIN',"echo") . " \"Your $serverString is now running outside of it's\\n" .
- "chroot jail. You must manually migrate your web applications\\n" .
- "back to your Apache server's httpd.conf defined location(s).\\n".
- "After you have completed this, feel free to remove the jail directories\\n" .
- "from your machine. Your apache jail directory is located in\\n" .
- &getGlobal('BDIR',"jail") . "\\n\" >> " . &getGlobal('BFILE',"TOREVERT"));
-
- }
- if($isRunning){
- &B_System("$exportpath " . $apachectl . " start","$exportpath " . $apachectl . " stop");
- &B_log("ACTION","$serverString is now running in an chroot jail.\n");
- }
-
- &B_log("ACTION","The jail is located in " . $apacheJailDir . "\n");
-
- if ($todo_header !=1){
- &B_TODO("\n---------------------------------\nApache Chroot:\n" .
- "---------------------------------\n");
- }
- &B_TODO("$serverString Chroot Jail:\n" .
- "httpd.conf contains the Apache dependencies. You should\n" .
- "review this file to ensure that the dependencies made it\n" .
- "into the jail. Otherwise, you run a risk of your Apache server\n" .
- "not having access to all its modules and functionality.\n");
-
-
- }
-
-}
-
-
-sub isSystemTrusted {
- my $getprdef = &getGlobal('BIN',"getprdef");
- my $definition = &B_Backtick("$getprdef -t 2>&1");
- if($definition =~ "System is not trusted.") {
- return 0;
- } else {
- return 1;
- }
-}
-
-
-sub isTrustedMigrationAvailable {
- my $distroVersion='';
-
- if (&GetDistro =~ '^HP-UX11.(\d*)') {
- $distroVersion=$1;
- if ($distroVersion < 23) { # Not available before 11.23
- return 0; #FALSE
- } elsif ($distroVersion >= 31) { #Bundled with 11.31 and after
- &B_log('DEBUG','isTrustedMigrationAvailable: HP-UX 11.31 always has trusted mode extensions');
- return 1;
- } elsif ($distroVersion == 23) { # Optional on 11.23 if filesets installed
- if ( -x &getGlobal('BIN',"userdbget") ) {
- &B_log('DEBUG','isTrustedMigrationAvailable: Trusted Extensions Installed');
- return 1;
- } else {
- &B_log('DEBUG','isTrustedMigrationAvailable: Trusted Extensions Not Installed');
- return 0; #FALSE
- }
- } else {
- &B_log('DEBUG','isTrustedMigrationAvailable: ' . &GetDistro .
- ' not currently supported for trusted extentions.');
- return 0; #FALSE
- }
- } else {
- &B_log('WARNING','isTrustedMigrationAvailable: HP-UX routine called on Linux system');
- return 0; #FALSE
- }
-}
-
-
-
-###########################################################################
-# &checkServiceOnHPUX($service);
-#
-# Checks if the given service is running on an HP/UX system. This is
-# called by B_is_Service_Off(), which is the function that Bastille
-# modules should call.
-#
-# Return values:
-# NOTSECURE_CAN_CHANGE() if the service is on
-# SECURE_CANT_CHANGE() if the service is off
-# INCONSISTENT() if the state of the service cannot be determined
-# NOT_INSTALLED() if the s/w isn't insalled
-#
-###########################################################################
-sub checkServiceOnHPUX($) {
- my $service=$_[0];
-
- # get the list of parameters which could be used to initiate the service
- # (could be in /etc/rc.config.d, /etc/inetd.conf, or /etc/inittab, so we
- # check all of them)
- my @params= @{ &getGlobal('SERVICE',$service) };
- my $grep =&getGlobal('BIN', 'grep');
- my $inetd=&getGlobal('FILE', 'inetd.conf');
- my $inittab=&getGlobal('FILE', 'inittab');
- my $retVals;
- my $startup=&getGlobal('DIR','initd') ;
- my @inet_bins= @{ &getGlobal('PROCESS',$service) };
-
- my $entry_found = 0;
-
- &B_log("DEBUG","CheckHPUXservice: $service");
- my $full_initd_path = $startup . "/" . $service;
- if ($GLOBAL_SERVTYPE{$service} eq "rc") { # look for the init script in /sbin/init.d
- if (not(-e $full_initd_path )) {
- return NOT_INSTALLED();
- }
- } else { #inet-based service, so look for inetd.conf entries.
- &B_log("DEBUG","Checking inet service $service");
- my @inet_entries= @{ &getGlobal('SERVICE',$service) };
- foreach my $service (@inet_entries) {
- &B_log('DEBUG',"Checking for inetd.conf entry of $service in checkService on HPUX");
- my $service_regex = '^[#\s]*' . $service . '\s+';
- if ( &B_match_line($inetd, $service_regex) ) { # inet entry search
- &B_log('DEBUG',"$service present, entry exists");
- $entry_found = 1 ;
- }
- }
- if ($entry_found == 0 ) {
- return NOT_INSTALLED();
- }
- }
-
- foreach my $param (@params) {
- &B_log("DEBUG","Checking to see if service $service is off.\n");
- if (&getGlobal('SERVTYPE', $service) =~ /rc/) {
- my $ch_rc=&getGlobal('BIN', 'ch_rc');
- my $on=&B_Backtick("$ch_rc -l -p $param");
-
- $on =~ s/\s*\#.*$//; # remove end-of-line comments
- $on =~ s/^\s*\"(.+)\"\s*$/$1/; # remove surrounding double quotes
- $on =~ s/^\s*\'(.+)\'\s*$/$1/; # remove surrounding single quotes
- $on =~ s/^\s*\"(.+)\"\s*$/$1/; # just in case someone did '"blah blah"'
-
- chomp $on;
- &B_log("DEBUG","ch_rc returned: $param=$on in checkServiceOnHPUX");
-
- if ($on =~ /^\d+$/ && $on != 0) {
- # service is on
- &B_log("DEBUG","CheckService found $param service is set to \'on\' in scripts.");
- return NOTSECURE_CAN_CHANGE();
- }
- elsif($on =~ /^\s*$/) {
- # if the value returned is an empty string return
- # INCONSISTENT(), since we don't know what the hard-coded default is.
- return INCONSISTENT();
- }
- } else {
- # those files which rely on comments to determine what gets
- # turned on, such as inetd.conf and inittab
- my $inettabs=&B_Backtick("$grep -e '^[[:space:]]*$param' $inetd $inittab");
- if ($inettabs =~ /.+/) { # . matches anything except newlines
- # service is not off
- &B_log("DEBUG","Checking inetd.conf and inittab; found $inettabs");
- ########################### BREAK out, don't skip question
- return NOTSECURE_CAN_CHANGE();
- }
- }
- } # foreach $param
-
- # boot-time parameters are not set; check processes
- # checkprocs for services returns INCONSISTENT() if a service is found
- # since a found-service is inconsistent with the above checks.
- B_log("DEBUG","Boot-Parameters not set, checking processes.");
- if (&runlevel < 2) { # Below runlevel 2, it is unlikely that
- #services will be running, so just check "on-disk" state
- &B_log("NOTE","Running during boot sequence, so skipping process checks");
- return SECURE_CANT_CHANGE();
- } else {
- return &checkProcsForService($service);
- }
-}
-
-sub runlevel {
- my $who = &getGlobal("BIN", "who");
- my $runlevel = &B_Backtick("$who -r");
- if ($runlevel =~ s/.* run-level (\S).*/$1/) {
- &B_log("DEBUG","Runlevel is: $runlevel");
- return $runlevel;
- } else {
- &B_log("WARNING","Can not determine runlevel, assuming runlevel 3");
- &B_log("DEBUG","Runlevel command output: $runlevel");
- return "3"; #safer since the who command didn't work, we'll assume
- # runlevel 3 since that provides more checks.
- }
-}
-
-#
-# given a profile file, it will return a PATH array set by the file.
-#
-sub B_get_path($) {
- my $file = $_[0];
- my $sh = &getGlobal("BIN", "sh");
- # use (``)[0] is becuase, signal 0 maybe trapped which will produce some stdout
- my $path = (`$sh -c '. $file 1>/dev/null 2>&1 < /dev/null ; echo \$PATH'`)[0];
- my @path_arr = split(":", $path);
- my %tmp_path;
- my %path;
- for my $tmpdir (@path_arr) {
- chomp $tmpdir;
- if ($tmpdir ne "" && ! $tmp_path{$tmpdir}) {
- $tmp_path{$tmpdir}++;
- }
- }
- return keys %tmp_path;
-}
-
-# Convert to trusted mode if it's not already
-sub convertToTrusted {
- &B_log("DEBUG","# sub convertToTrusted \n");
- if( ! &isSystemTrusted) {
-
- my ($ok, $message) = &isOKtoConvert;
-
- my $ts_header="\n---------------------------------\nTrusted Systems:\n" .
- "---------------------------------\n";
-
- if ($ok) {
- # actually do the conversion
- if(&B_System(&getGlobal('BIN','tsconvert'), &getGlobal('BIN','tsconvert') . " -r")){
- # adjust change times for user passwords to keep them valid
- # default is to expire them when converting to a trusted system,
- # which can be problematic, especially since some older versions of
- # SecureShell do not allow the user to change the password
- &B_System(&getGlobal('BIN','modprpw') . " -V", "");
-
- my $getprdef = &getGlobal('BIN','getprdef');
- my $oldsettings = &B_Backtick("$getprdef -m lftm,exptm,mintm,expwarn,umaxlntr");
- $oldsettings =~ s/ //g;
-
- # remove password lifetime and increasing login tries so they
- # don't lock themselves out of the system entirely.
- # set default expiration time and the like.
- my $newsettings="lftm=0,exptm=0,mintm=0,expwarn=0,umaxlntr=10";
-
- &B_System(&getGlobal('BIN','modprdef') . " -m $newsettings",
- &getGlobal('BIN','modprdef') . " -m $oldsettings");
-
- &B_TODO($ts_header .
- "Your system has been converted to a trusted system.\n" .
- "You should review the security settings available on a trusted system.\n".
- "$message");
-
- # to get rid of "Cron: Your job did not contain a valid audit ID."
- # error, we re-read the crontab file after converting to trusted mode
- # Nothing is necessary in "revert" since we won't be in trusted mode
- # at that time.
- # crontab's errors can be spurious, and this will report an 'error'
- # of the crontab file is missing, so we send stderr to the bit bucket
- my $crontab = &getGlobal('BIN',"crontab");
- &B_System("$crontab -l 2>/dev/null | $crontab","");
- }
-
- } else {
- &B_TODO($ts_header . $message);
- return 0; # not ok to convert, so we didn't
- }
- }
- else {
- &B_log("DEBUG","System is already in trusted mode, no action taken.\n");
- return 1;
- }
-
- # just to make sure
- if( &isSystemTrusted ) {
- return 1;
- } else {
- &B_log("ERROR","Trusted system conversion was unsuccessful for an unknown reason.\n" .
- " You may try using SAM/SMH to do the conversion instead of Bastille.\n");
- return 0;
- }
-}
-
-# isOKtoConvert - check for conflicts between current system state and trusted
-# mode
-#
-# Return values
-# 0 - conflict found, see message for details
-# 1 - no conflicts, see message for further instructions
-#
-sub isOKtoConvert {
- &B_log("DEBUG","# sub isOKtoConvert \n");
- # initialize text for TODO instructions
- my $specialinstructions=" - convert to trusted mode\n";
-
- # These are somewhat out-of-place, but only affect the text of the message.
- # Each of these messages is repeated in a separate TODO item in the
- # appropriate subroutine.
- if (&getGlobalConfig("AccountSecurity","single_user_password") eq "Y") {
- if (&GetDistro =~ "^HP-UX11.(.*)" and $1<23 ) {
- $specialinstructions .= " - set a single user password\n";
- }
- }
-
- if (&getGlobalConfig("AccountSecurity","passwordpolicies") eq "Y") {
- $specialinstructions .= " - set trusted mode password policies\n";
- }
-
- if (&getGlobalConfig("AccountSecurity", "PASSWORD_HISTORY_DEPTHyn") eq "Y") {
- $specialinstructions .= " - set a password history depth\n";
- }
-
- if (&getGlobalConfig("AccountSecurity","system_auditing") eq "Y") {
- $specialinstructions .= " - enable auditing\n";
- }
-
- my $saminstructions=
- "The security settings can be modified by running SAM as follows:\n" .
- "# sam\n" .
- "Next, go to the \"Auditing and Security Area\" and review\n" .
- "each sub-section. Make sure that you review all of your\n" .
- "settings, as some policies may seem restrictive.\n\n" .
- "On systems using the System Management Homepage, you can\n".
- "change your settings via the Tools:Security Attributes Configuration\n".
- "section. On some systems, you may also have the option of using SMH.\n\n";
-
- # First, check for possible conflicts and corner cases
-
- # check nsswitch for possible conflicts
- my $nsswitch = &getGlobal('FILE', 'nsswitch.conf');
- if ( -e $nsswitch) {
- open(FILE, $nsswitch);
- while (<FILE>) {
- if (/nis/ or /compat/ or /ldap/) {
- my $message = "Bastille found a possible conflict between trusted mode and\n" .
- "$nsswitch. Please remove all references to\n" .
- "\"compat\", \"nis\" and \"ldap\" in $nsswitch\n" .
- "and rerun Bastille, or use SAM/SMH to\n" .
- "$specialinstructions\n".
- "$saminstructions";
- close(FILE);
- return (0,$message);
- }
- }
- close(FILE);
- }
-
- # check the namesvrs config file for possible NIS conflicts
- #Changed to unless "Y AND Y" since question can be skipped when nis is off
- # but corner cases can still exist, so check then too.
- unless ( &getGlobalConfig('MiscellaneousDaemons','nis_client') eq "Y" and
- &getGlobalConfig('MiscellaneousDaemons','nis_server') eq "Y" ) {
- my $namesvrs = &getGlobal('FILE', 'namesvrs');
- if (open(FILE, $namesvrs)) {
- while (<FILE>) {
- if (/^NIS.*=["]?1["]?$/) {
- my $message= "Possible conflict between trusted mode and NIS found.\n".
- "Please use SAM/SMH to\n" .
- " - turn off NIS\n" .
- "$specialinstructions\n".
- "$saminstructions";
- close(FILE);
- return (0,$message);
- }
- }
- close(FILE);
- } else {
- &B_log("ERROR","Unable to open $namesvrs for reading.");
- my $message= "Possible conflict between trusted mode and NIS found.\n".
- "Please use SAM/SMH to\n" .
- " - turn off NIS\n" .
- "$specialinstructions\n".
- "$saminstructions";
- return (0,$message);
- }
- if ( &B_match_line (&getGlobal("FILE","passwd"),"^\+:.*")) {
- my $message= '"+" entry found in passwd file. These are not\n' .
- "compatible with Trusted Mode. Either remove the entries\n" .
- "and re-run Bastille, or re-run Bastille, and direct it to\n" .
- "disable NIS client and server.\n";
- return (0,$message);
- }
-
- }
-
-
- # check for conflicts with DCE integrated login
- my $authcmd = &getGlobal('BIN','auth.adm');
- if ( -e $authcmd ) {
- my $retval = system("PATH=/usr/bin $authcmd -q 1>/dev/null 2>&1");
- if ($retval != 0 and $retval != 1) {
- my $message="It appears that DCE integrated login is configured on this system.\n" .
- "DCE integrated login is incompatible with trusted systems and\n" .
- "auditing. Bastille is unable to\n" .
- "$specialinstructions" .
- "You will need to configure auditing and password policies using DCE.\n\n";
- return (0,$message);
- }
- }
-
- if ( -e &getGlobal('FILE','shadow') ) {
- my $message="This system has already been converted to shadow passwords.\n" .
- "Shadow passwords are incompatible with trusted mode.\n" .
- "Bastille is unable to\n" .
- "$specialinstructions" .
- "If you desire these features, you should use\n".
- "\'pwunconv\' to change back to standard passwords,\n".
- "and then rerun Bastille.\n\n";
- return (0,$message);
- }
-
- return (1,$saminstructions);
-}
-
-# This routine allows Bastille to determine trusted-mode extension availability
-
-sub convertToShadow {
-
- if (&isSystemTrusted) {
- # This is an internal error...Bastille should not call this routine
- # in this case. Error is here for robustness against future changes.
- &B_log("ERROR","This system is already converted to trusted mode.\n" .
- " Converting to shadow passwords will not be attempted.\n");
- return 0;
- }
-
- # configuration files on which shadowed passwords depend
- my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf");
-
- # binaries used to convert to a shadowed password
- my $pwconv = &getGlobal('BIN',"pwconv");
- my $echo = &getGlobal('BIN','echo'); # the echo is used to pipe a yes into the pwconv program as
- # pwconv requires user interaction.
-
- # the binary used in a system revert.
- my $pwunconv = &getGlobal('BIN',"pwunconv");
- #check the password file for nis usage and if the nis client
- #or server is running.
- if(-e $nsswitch_conf) {
- # check the file for nis, nis+, compat, or dce usage.
- if(&B_match_line($nsswitch_conf, '^\s*passwd:.+(nis|nisplus|dce|compat)')) {
- my $shadowTODO = "\n---------------------------------\nHide encrypted passwords:\n" .
- "---------------------------------\n" .
- "This version of password shadowing does not support any repository other\n" .
- "than files. In order to convert your password database to shadowed passwords\n" .
- "there can be no mention of nis, nisplus, compat, or dce in the passwd\n" .
- "field of the \"$nsswitch_conf\" file. Please make the necessary edits to\n" .
- "the $nsswitch_conf file and run Bastille again using the command:\n" .
- "\"bastille -b\"\n";
- # Adding the shadowTODO comment to the TODO list.
- &B_TODO("$shadowTODO");
- # Notifing the user that the shadowed password coversion has failed.
- &B_log("ERROR","Password Shadowing Conversion Failed\n" .
- "$shadowTODO");
- # exiting the subroutine.
- return 0;
- }
-
- }
-
- # convert the password file to a shadowed repository.
- if (( -e $pwconv ) and ( -e $pwunconv ) and
- ( &B_System("$echo \"yes\" | $pwconv","$pwunconv") ) ){
- &B_TODO( "\n---------------------------------\nShadowing Password File:\n" .
- "---------------------------------\n" .
- "Your password file has been converted to use password shadowing.\n" .
- "This version of password shadowing does not support any repository other\n" .
- "than files. There can be no mention of nis, nisplus, compat, or dce\n" .
- "in the passwd field of the \"$nsswitch_conf\" file.\n\n" );
- } else {
- &B_log("ERROR","Conversion to shadow mode failed. The system may require ".
- "a patch to be capable of switching to shadow mode, or the ".
- "system my be in a state where conversion is not possible.");
- }
-}
-
-
-
-##########################################################################
-# &getSupportedSettings();
-# Manipulates %trustedParameter and %isSupportedSetting, file-scoped variables
-#
-# Reads the password policy support matrix, which in-turn gives Bastille the
-# places it should look for a given password policy setting.
-
-# Note the file was created like this so if could be maintained in an Excel(tm)
-# spreadsheet, to optimize reviewability. TODO: consider other formats
-
-# File Format:
-# HEADERS:<comment>,[<OS Version> <Mode> <Extensions>,]...
-# [
-# :<label>:<trusted equivalent>,,,,,,,,,,,,<comment>
-# <action> (comment), [<test value>,]...
-# ] ...
-# Example;
-# HEADERS:Information Source (trusted equiv),11.11 Standard no-SMSE,11.11 Trusted no-SMSE,11.11 Shadow no-SMSE,11.23 Standard no-SMSE,11.23 Trusted no-SMSE,11.23 Shadow no-SMSE,11.23 Standard SMSE,11.23 Shadow SMSE,11.23 Trusted SMSE,11.31 Trusted SMSE,11.31 Shadow SMSE,11.31 Standard SMSE,Other Exceptions
-#:ABORT_LOGIN_ON_MISSING_HOMEDIR,,,,,,,,,,,,,root
-#/etc/security.dsc (search),x,,xx,x,x,x,!,!,!,!,!,!,
-#/etc/default/security(search),y,y,y,y,y,y,y,y,y,y,y,y,
-#getprdef (execute with <Trusted Equiv> argument),x,x,x,x,x,x,x,x,x,x,x,x,
-
-###########################################################################
-our %trustedParameter = ();
-our %isSupportedSetting = ();
-
-sub getSupportedSettings() {
-
- my $line; # For a config file line
- my $linecount = 0;
- my $currentsetting = "";
- my @fields; # Fields in a given line
- my @columns; #Column Definitions
-
-
- &B_open(*SETTINGSFILE,&getGlobal('BFILE','AccountSecSupport'));
- my @settingLines=<SETTINGSFILE>;
- &B_close(*SETTINGSFILE);
-
- #Remove blank-lines and comments
- @settingLines = grep(!/^#/,@settingLines);
- @settingLines = grep(!/^(\s*,+)*$/,@settingLines);
-
- foreach $line (@settingLines) {
- ++$linecount;
- @fields = split(/,/,$line);
- if ($line =~ /^Information Source:/) { #Sets up colums
- my $fieldcount = 1; #Skipping first field
- while ((defined($fields[$fieldcount])) and
- ($fields[$fieldcount] =~ /\d+\.\d+/)){
- my @subfields = split(/ /,$fields[$fieldcount]);
- my $fieldsCount = @subfields;
- if ($fieldsCount != 3){
- &B_log("ERROR","Invalid subfield count: $fieldsCount in:".
- &getGlobal('BFILE','AccountSecSupport') .
- " line: $linecount and field: $fieldcount");
- }
- $columns[$fieldcount] = {OSVersion => $subfields[0],
- Mode => $subfields[1],
- Extension => $subfields[2] };
- &B_log("DEBUG","Found Header Column, $columns[$fieldcount]{'OSVersion'}, ".
- $columns[$fieldcount]{'Mode'} ." , " .
- $columns[$fieldcount]{'Extension'});
- ++$fieldcount;
- } # New Account Seting ex:
- } elsif ($line =~ /^:([^,:]+)(?::([^,]+))?/) { # :PASSWORD_WARNDAYS:expwarn,,,,,,,,,,,,
- $currentsetting = $1;
- if (defined($2)) {
- $trustedParameter{"$currentsetting"}=$2;
- }
- &B_log("DEBUG","Found Current Setting: ". $currentsetting .
- "/" . $trustedParameter{"$currentsetting"});
- } elsif (($line =~ /(^[^, :\)\(]+)[^,]*,((?:(?:[!y?nx]|!!),)+)/) and #normal line w/ in setting ex:
- ($currentsetting ne "")){ # security.dsc (search),x,x,x,x,x,!,!!,!,!,!,!,
- my $placeToLook = $1;
- my $fieldcount = 1; #Skip the first one, which we used in last line
- while (defined($fields[$fieldcount])) {
- &B_log("DEBUG","Setting $currentsetting : $columns[$fieldcount]{OSVersion} , ".
- "$columns[$fieldcount]{Mode} , ".
- "$columns[$fieldcount]{Extension} , ".
- "$placeToLook, to $fields[$fieldcount]");
- $isSupportedSetting{"$currentsetting"}
- {"$columns[$fieldcount]{OSVersion}"}
- {"$columns[$fieldcount]{Mode}"}
- {"$columns[$fieldcount]{Extension}"}
- {"$placeToLook"} =
- $fields[$fieldcount];
- ++$fieldcount;
- }
- } else {
- if ($line !~ /^,*/) {
- &B_log("ERROR","Incorrectly Formatted Line at ".
- &getGlobal('BFILE','AccountSecSupport') . ": $linecount");
- }
- }
- }
-}
-
-##########################################################################
-# &B_get_sec_value($param);
-# This subroutine finds the value for a given user policy parameter.
-# Specifically, it supports the parameters listed in the internal data structure
-
-# Return values:
-# 'Not Defined' if the value is not present or not uniquely defined.
-# $value if the value is present and unique
-#
-###########################################################################
-sub B_get_sec_value($) {
- my $param=$_[0];
-
- my $os_version;
- if (&GetDistro =~ /^HP-UX\D*(\d+\.\d+)/ ){
- $os_version=$1;
- } else {
- &B_log("ERROR","B_get_sec_value only supported on HP-UX");
- return undef;
- }
-# my $sec_dsc = &getGlobal('FILE', 'security.dsc');
- my $sec_file = &getGlobal('FILE', 'security');
- my $getprdef = &getGlobal('BIN','getprdef');
- my $getprpw = &getGlobal('BIN','getprpw');
- my $userdbget = &getGlobal('BIN','userdbget');
- my $passwd = &getGlobal('BIN','passwd');
-
- my $sec_flags = "";
- my @sec_settings=();
- my $user_sec_setting="";
-
- my $security_mode="Standard";
- my $security_extension="no-SMSE";
-
- &B_log("DEBUG","Entering get_sec_value for: $param");
-
- sub isok ($) { # Locally-scoped subroutine, takes supported-matrix entry as argument
- my $supportedMatrixEntry = $_[0];
-
- if ($supportedMatrixEntry =~ /!/) { #Matrix Entry for "Documented and/or tested"
- &B_log("DEBUG","isOk TRUE: $supportedMatrixEntry");
- return 1;
- } else {
- &B_log("DEBUG","isOk FALSE: $supportedMatrixEntry");
- return 0; #FALSE
- }
- } #end local subroutine
-
- #Get Top Array item non-destructively
- sub getTop (@) {
- my @incomingArray = @_;
- my $topval = pop(@incomingArray);
- push(@incomingArray,$topval); #Probably redundant, but left in just in case.
- return $topval;
- }
-
- sub ifExistsPushOnSecSettings($$) {
- my $sec_settings = $_[0];
- my $pushval = $_[1];
-
- if ($pushval ne ""){
- push (@$sec_settings, $pushval);
- }
- }
-
- #prpw and prdef both use "YES" instead of "1" like the other settings.
- sub normalizePolicy($){
- my $setting = $_[0];
-
- $setting =~ s/YES/1/;
- $setting =~ s/NO/1/;
-
- return $setting;
- }
-
-
-
- if ((%trustedParameter == ()) or (%isSupportedSetting == ())) {
- # Manipulates %trustedParameter and %isSupportedSetting
- &getSupportedSettings;
- }
-
- #First determine the security mode
- my $shadowFile = &getGlobal("FILE","shadow");
- my $passwdFile = &getGlobal("FILE","passwd");
-
- if (&isSystemTrusted) {
- $security_mode = 'Trusted';
- } elsif ((-e $shadowFile) and #check file exist, and that passwd has no non-"locked" accounts
- (not(&B_match_line($passwdFile,'^[^\:]+:[^:]*[^:*x]')))) {
- $security_mode = 'Shadow';
- } else {
- $security_mode = 'Standard';
- }
- if (&isTrustedMigrationAvailable) {
- $security_extension = 'SMSE';
- } else {
- $security_extension = 'no-SMSE';
- }
- &B_log("DEBUG","Security mode: $security_mode extension: $security_extension");
- # Now look up the value from each applicable database, from highest precedence
- # to lowest:
- &B_log("DEBUG","Checking $param in userdbget");
- if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
- {$security_extension}{"userdbget_-a"})) {
- &ifExistsPushOnSecSettings(\@sec_settings,
- &B_getValueFromString('\w+\s+\w+=(\S+)',
- &B_Backtick("$userdbget -a $param")));
- &B_log("DEBUG", $param . ":userdbget setting: ". &getTop(@sec_settings));
- }
- &B_log("DEBUG","Checking $param in passwd");
- if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
- {$security_extension}{"passwd_-sa"})) {
- if ($param eq "PASSWORD_MINDAYS") {
- &ifExistsPushOnSecSettings(\@sec_settings,
- &B_getValueFromString('(?:\w+\s+){2}[\d\/]+\s+(\d+)\s+\d+',
- &B_Backtick("$passwd -s -a")));
- } elsif ($param eq "PASSWORD_MAXDAYS") {
- &ifExistsPushOnSecSettings(\@sec_settings,
- &B_getValueFromString('(?:\w+\s+){2}[\d\/]+\s+\d+\s+(\d+)',
- &B_Backtick("$passwd -s -a")));
- } elsif ($param eq "PASSWORD_WARNDAYS") {
- &ifExistsPushOnSecSettings(\@sec_settings,
- &B_getValueFromString('(?:\w+\s+){2}[\d\/]+(?:\s+\d+){2}\s+(\d+)',
- &B_Backtick("$passwd -s -a")));
- }
- &B_log("DEBUG", $param . ":passwd -sa setting: ". &getTop(@sec_settings));
- }
- &B_log("DEBUG","Checking $param in get prpw");
- if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
- {$security_extension}{"getprpw"})) {
- my $logins = &getGlobal("BIN","logins");
- my @userArray = split(/\n/,`$logins`);
- my $userParamVals = '';
- foreach my $rawuser (@userArray) {
- $rawuser =~ /^(\S+)/;
- my $user = $1;
- my $nextParamVal=&B_Backtick("$getprpw -l -m $trustedParameter{$param} $user");
- $nextParamVal =~ s/\w*=(-*[\w\d]*)/$1/;
- if ($nextParamVal != -1) { #Don't count users for which the local DB is undefined
- $userParamVals .= $user . "::::" . $nextParamVal ."\n";
- }
- } #Note getValueFromStrings deals with duplicates, returning "Not Unigue"
- my $policySetting = &B_getValueFromString('::::(\S+)',"$userParamVals");
- &ifExistsPushOnSecSettings (\@sec_settings, &normalizePolicy($policySetting));
- &B_log("DEBUG", $param . ":prpw setting: ". &getTop(@sec_settings));
- }
- &B_log("DEBUG","Checking $param in get prdef");
- if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
- {$security_extension}{"getprdef"})) {
- $_ = &B_Backtick ("$getprdef -m " . $trustedParameter{$param});
- /\S+=(\S+)/;
- my $policySetting = $1;
- &ifExistsPushOnSecSettings(\@sec_settings, &normalizePolicy($policySetting));
- &B_log("DEBUG", $param . ":prdef setting: ". &getTop(@sec_settings));
-
- }
- &B_log("DEBUG","Checking $param in default security");
- if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
- {$security_extension}{"/etc/default/security"})) {
- &ifExistsPushOnSecSettings(\@sec_settings,&B_getValueFromFile('^\s*'. $param .
- '\s*=\s*([^\s#]+)\s*$', $sec_file));
- &B_log("DEBUG", $param . ":default setting: ". &getTop(@sec_settings));
- }
- #Commented below code in 3.0 release to avoid implication that bastille
- #had ever set these values explicitly, and the implications to runnable
- #config files where Bastille would then apply the defaults as actual policy
- #with possible conversion to shadow or similar side-effect.
-
-# &B_log("DEBUG","Checking $param in security.dsc");
- #security.dsc, only added in if valid for OS/mode/Extension, and nothing else
- #is defined (ie: @sec_settings=0)
-# if ((&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
-# {$security_extension}{"/etc/security.dsc"})) and (@sec_settings == 0)) {
-# &ifExistsPushOnSecSettings(\@sec_settings, &B_getValueFromFile('^' . $param .
-# ';(?:[-\w/]*;){2}([-\w/]+);', $sec_dsc));
-# &B_log("DEBUG", $param . ":security.dsc: ". &getTop(@sec_settings));
-# }
-
- # Return what we found
- my $last_setting=undef;
- my $current_setting=undef;
- while (@sec_settings > 0) {
- $current_setting = pop(@sec_settings);
- &B_log("DEBUG","Comparing $param configuration for identity: " .
- $current_setting);
- if ((defined($current_setting)) and ($current_setting ne '')) {
- if (not(defined($last_setting))){
- $last_setting=$current_setting;
- } elsif (($last_setting ne $current_setting) or
- ($current_setting eq 'Not Unique')){
- &B_log("DEBUG","$param setting not unique.");
- return 'Not Unique'; # Inconsistent state found, return 'Not Unique'
- }
- }
- }
- if ((not(defined($last_setting))) or ($last_setting eq '')) {
- return undef;
- } else {
- return $last_setting;
- }
-
-} #End B_get_sec_value
-
-sub secureIfNoNameService($){
- my $retval = $_[0];
-
- if (&isUsingRemoteNameService) {
- return MANUAL();
- } else {
- return $retval;
- }
-}
-
-#Specifically for cleartext protocols like NIS, which are not "secure"
-sub isUsingRemoteNameService(){
-
- if (&remoteServiceCheck('nis|nisplus|dce') == SECURE_CAN_CHANGE()){
- return 0; #false
- } else {
- return 1;
- }
-}
-
-
-
-###########################################
-## This is a wrapper for two functions that
-## test the existence of nis-like configurations
-## It is used by both the front end test and the back-end run
-##############################################
-sub remoteServiceCheck($){
- my $regex = $_[0];
-
- my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf");
- my $passwd = &getGlobal('FILE',"passwd");
-
- # check the file for nis usage.
- if (-e $nsswitch_conf) {
- if (&B_match_line($nsswitch_conf, '^\s*passwd:.*('. $regex . ')')) {
- return NOTSECURE_CAN_CHANGE();
- } elsif ((&B_match_line($nsswitch_conf, '^\s*passwd:.*(compat)')) and
- (&B_match_line($passwd, '^\s*\+'))) {
- return NOTSECURE_CAN_CHANGE(); # true
- }
- } elsif ((&B_match_line($passwd, '^\s*\+'))) {
- return NOTSECURE_CAN_CHANGE();
- }
-
- my $oldnisdomain=&B_get_rc("NIS_DOMAIN");
- if ((($oldnisdomain eq "") or ($oldnisdomain eq '""')) and (&checkServiceOnHPUX('nis.client'))){
- return SECURE_CAN_CHANGE();
- }
- return NOTSECURE_CAN_CHANGE();
-}
-
-#############################################
-# remoteNISPlusServiceCheck
-# test the existence of nis+ configuration
-#############################################
-sub remoteNISPlusServiceCheck () {
-
- my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf");
-
- # check the file for nis+ usage.
- if (-e $nsswitch_conf) {
- if (&B_match_line($nsswitch_conf, 'nisplus')) {
- return NOTSECURE_CAN_CHANGE();
- }
- }
-
- return &checkServiceOnHPUX('nisp.client');
-}
-
-
-##########################################################################
-# This subroutine creates nsswitch.conf file if the file not exists,
-# and then append serveral services into the file if the service not
-# exists in the file.
-##########################################################################
-sub B_create_nsswitch_file ($) {
- my $regex = $_[0];
-
- my $nsswitch = &getGlobal('FILE',"nsswitch.conf");
-
- if( ! -f $nsswitch ) {
- &B_create_file($nsswitch);
- # we don't need to revert the permissions change because we just
- # created the file
- chmod(0444, $nsswitch);
-
- &B_append_line($nsswitch,'\s*passwd:', "passwd: $regex\n");
- &B_append_line($nsswitch,'\s*group:', "group: $regex\n");
- &B_append_line($nsswitch,'\s*hosts:', "hosts: $regex\n");
- &B_append_line($nsswitch,'\s*networks:', "networks: $regex\n");
- &B_append_line($nsswitch,'\s*protocols:', "protocols: $regex\n");
- &B_append_line($nsswitch,'\s*rpc:', "rpc: $regex\n");
- &B_append_line($nsswitch,'\s*publickey:', "publickey: $regex\n");
- &B_append_line($nsswitch,'\s*netgroup:', "netgroup: $regex\n");
- &B_append_line($nsswitch,'\s*automount:', "automount: $regex\n");
- &B_append_line($nsswitch,'\s*aliases:', "aliases: $regex\n");
- &B_append_line($nsswitch,'\s*services:', "services: $regex\n");
- }
-}
-
-1;
-
diff --git a/recipes-security/bastille/files/Miscellaneous.pm b/recipes-security/bastille/files/Miscellaneous.pm
deleted file mode 100644
index b3bdf10..0000000
--- a/recipes-security/bastille/files/Miscellaneous.pm
+++ /dev/null
@@ -1,166 +0,0 @@
-package Bastille::API::Miscellaneous;
-use strict;
-
-use File::Path;
-use Bastille::API;
-use Bastille::API::HPSpecific;
-use Bastille::API::FileContent;
-
-require Exporter;
-our @ISA = qw(Exporter);
-our @EXPORT_OK = qw(
-PrepareToRun
-B_is_package_installed
-);
-our @EXPORT = @EXPORT_OK;
-
-
-###########################################################################
-#
-# PrepareToRun sets up Bastille to run. It checks the ARGV array for
-# special options and runs ConfigureForDistro to set necessary file
-# locations and other global variables.
-#
-###########################################################################
-
-sub PrepareToRun {
-
- # Make sure we're root!
- if ( $> != 0 ) {
- &B_log("ERROR","Bastille must run as root!\n");
- exit(1);
- }
-
-
- # Make any directories that don't exist...
- foreach my $dir (keys %GLOBAL_BDIR) {
- my $BdirPath = $GLOBAL_BDIR{$dir};
- if ( $BdirPath =~ /^\s*\// ) { #Don't make relative directories
- mkpath ($BdirPath,0,0700);
- }
- }
-
- if(&GetDistro =~ "^HP-UX") {
- &B_check_system;
- }
-
- &B_log("ACTION","\n########################################################\n" .
- "# Begin Bastille Run #\n" .
- "########################################################\n\n");
-
- #read sum file if it exists.
- &B_read_sums;
-
-
-# No longer necessary as flags are no longer in sum file, and sums are
-# are now checked "real time"
-
- # check the integrity of the files listed
-# for my $file (sort keys %GLOBAL_SUM) {
-# &B_check_sum($file);
-# }
- # write out the newly flagged sums
-# &B_write_sums;
-
-
-}
-
-
-
-###########################################################################
-# &B_is_package_installed($package);
-#
-# This function checks for the existence of the package named.
-#
-# TODO: Allow $package to be an expression.
-# TODO: Allow optional $version, $release, $epoch arguments so we can
-# make sure that the given package is at least as recent as some
-# given version number.
-#
-# scalar return values:
-# 0: $package is not installed
-# 1: $package is installed
-###########################################################################
-
-sub B_is_package_installed($) {
- no strict;
- my $package = $_[0];
-# Create a "global" variable with values scoped to this function
-# We do this to avoid having to repeatedly swlist/rpm
-# when we run B_is_package_installed
-local %INSTALLED_PACKAGE_LIST;
-
- my $distro = &GetDistro;
- if ($distro =~ /^HP-UX/) {
- if (&checkProcsForService('swagent','ignore_warning') == SECURE_CANT_CHANGE()) {
- &B_log("WARNING","Software Distributor Agent(swagent) is not running. Can not tell ".
- "if package: $package is installed or not. Bastille will assume not. ".
- "If the package is actually installed, Bastille may report or configure incorrectly.".
- "To use Bastille-results as-is, please check to ensure $package is not installed, ".
- "or re-run with the swagent running to get correct results.");
- return 0; #FALSE
- }
- my $swlist=&getGlobal('BIN','swlist');
- if (%INSTALLED_PACKAGE_LIST == () ) { # re-use prior results
- if (open(SWLIST, "$swlist -a state -l fileset |")) {
- while (my $line = <SWLIST>){
- if ($line =~ /^ {2}\S+\.(\S+)\s*(\w+)/) {
- $INSTALLED_PACKAGE_LIST{$1} = $2;
- }
- }
- close SWLIST;
- } else {
- &B_log("ERROR","B_is_package_installed was unable to run the swlist command: $swlist,\n");
- return FALSE;
- }
- }
- # Now find the entry
- if ($INSTALLED_PACKAGE_LIST{$package} == 'configured') {
- return TRUE;
- } else {
- return FALSE;
- }
- } #End HP-UX Section
- # This routine only works on RPM-based distros: Red Hat, Fedora, Mandrake and SuSE
- elsif ( ($distro !~ /^RH/) and ($distro !~ /^MN/) and($distro !~ /^SE/) ) {
- return 0;
- } else { #This is a RPM-based distro
- # Run an rpm command -- librpm is extremely messy, dynamic and not
- # so much a perl thing. It's actually barely a C/C++ thing...
- if (open RPM,"rpm -q $package") {
- # We should get only one line back, but let's parse a few
- # just in case.
- my @lines = <RPM>;
- close RPM;
- #
- # This is what we're trying to parse:
- # $ rpm -q jay
- # package jay is not installed
- # $ rpm -q bash
- # bash-2.05b-305.1
- #
-
- foreach $line (@lines) {
- if ($line =~ /^package\s$package\sis\snot\sinstalled/) {
- return 0;
- }
- elsif ($line =~ /^$package\-/) {
- return 1;
- }
- }
-
- # If we've read every line without finding one of these, then
- # our parsing is broken
- &B_log("ERROR","B_is_package_installed was unable to find a definitive RPM present or not present line.\n");
- return 0;
- } else {
- &B_log("ERROR","B_is_package_installed was unable to run the RPM command,\n");
- return 0;
- }
- }
-}
-
-
-
-1;
-
diff --git a/recipes-security/bastille/files/ServiceAdmin.pm b/recipes-security/bastille/files/ServiceAdmin.pm
deleted file mode 100644
index 879223a..0000000
--- a/recipes-security/bastille/files/ServiceAdmin.pm
+++ /dev/null
@@ -1,690 +0,0 @@
-package Bastille::API::ServiceAdmin;
-use strict;
-
-use Bastille::API;
-
-use Bastille::API::HPSpecific;
-use Bastille::API::FileContent;
-
-require Exporter;
-our @ISA = qw(Exporter);
-our @EXPORT_OK = qw(
-B_chkconfig_on
-B_chkconfig_off
-B_service_start
-B_service_stop
-B_service_restart
-B_is_service_off
-checkServiceOnLinux
-remoteServiceCheck
-remoteNISPlusServiceCheck
-B_create_nsswitch_file
-);
-our @EXPORT = @EXPORT_OK;
-
-
-#######
-# &B_chkconfig_on and &B_chkconfig_off() are great for systems that didn't use
-# a more modern init system. This is a bit of a problem on Fedora, though,
-# which used upstart from Fedora 9 to Fedora 14, then switched to a new
-# Red Hat-created system called systemd for Fedora 15 and 16 (so far).
-# OpenSUSE also moved to systemd, starting with 12.1. Version 11.4 did not
-# use systemd.
-# It is also a problem on Ubuntu, starting at version 6.10, where they also
-# used upstart.
-#####
-
-
-
-
-###########################################################################
-# &B_chkconfig_on ($daemon_name) creates the symbolic links that are
-# named in the "# chkconfig: ___ _ _ " portion of the init.d files. We
-# need this utility, in place of the distro's chkconfig, because of both
-# our need to add revert functionality and our need to harden distros that
-# are not mounted on /.
-#
-# It uses the following global variables to find the links and the init
-# scripts, respectively:
-#
-# &getGlobal('DIR', "rcd") -- directory where the rc_.d subdirs can be found
-# &getGlobal('DIR', "initd") -- directory the rc_.d directories link to
-#
-# Here an example of where you might use this:
-#
-# You'd like to tell the system to run the firewall at boot:
-# B_chkconfig_on("bastille-firewall")
-#
-###########################################################################
-
-# PW: Blech. Copied B_chkconfig_off() and changed a few things,
-# then changed a few more things....
-
-sub B_chkconfig_on {
-
- my $startup_script=$_[0];
- my $retval=1;
-
- my $chkconfig_line;
- my ($runlevelinfo,@runlevels);
- my ($start_order,$stop_order,$filetolink);
-
- &B_log("ACTION","# chkconfig_on enabling $startup_script\n");
-
- # In Debian system there is no chkconfig script, run levels are checked
- # one by one (jfs)
- if (&GetDistro =~/^DB.*/) {
- $filetolink = &getGlobal('DIR', "initd") . "/$startup_script";
- if (-x $filetolink)
- {
- foreach my $level ("0","1","2","3","4","5","6" ) {
- my $link = '';
- $link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K50" . "$startup_script";
- $retval=symlink($filetolink,$link);
- }
- }
- return $retval;
- }
- #
- # On SUSE, chkconfig-based rc scripts have been replaced with a whole different
- # system. chkconfig on SUSE is actually a shell script that does some stuff and then
- # calls insserv, their replacement.
- #
-
- if (&GetDistro =~ /^SE/) {
- # only try to chkconfig on if init script is found
- if ( -e (&getGlobal('DIR', "initd") . "/$startup_script") ) {
- $chkconfig_line=&getGlobal('BIN','chkconfig');
- &B_System("$chkconfig_line $startup_script on", "$chkconfig_line $startup_script off");
- # chkconfig doesn't take affect until reboot, need to restart service also
- B_service_restart("$startup_script");
- return 1; #success
- }
- return 0; #failure
- }
-
- #
- # Run through the init script looking for the chkconfig line...
- #
- $retval = open CHKCONFIG,&getGlobal('DIR', "initd") . "/$startup_script";
- unless ($retval) {
- &B_log("ACTION","# Didn't chkconfig_on $startup_script because we couldn't open " . &getGlobal('DIR', "initd") . "/$startup_script\n");
- }
- else {
-
- READ_LOOP:
- while (my $line=<CHKCONFIG>) {
-
- # We're looking for lines like this one:
- # # chkconfig: 2345 10 90
- # OR this
- # # chkconfig: - 10 90
-
- if ($line =~ /^#\s*chkconfig:\s*([-\d]+)\s*(\d+)\s*(\d+)/ ) {
- $runlevelinfo = $1;
- $start_order = $2;
- $stop_order = $3;
- # handle a run levels arg of '-'
- if ( $runlevelinfo eq '-' ) {
- &B_log("ACTION","chkconfig_on saw '-' for run levels for \"$startup_script\", is defaulting to levels 3,4,5\n");
- $runlevelinfo = '345';
- }
- @runlevels = split(//,$runlevelinfo);
- # make sure the orders have 2 digits
- $start_order =~ s/^(\d)$/0$1/;
- $stop_order =~ s/^(\d)$/0$1/;
- last READ_LOOP;
- }
- }
- close CHKCONFIG;
-
- # Do we have what we need?
- if ( (scalar(@runlevels) < 1) || (! $start_order =~ /^\d{2}$/) || (! $stop_order =~ /^\d{2}$/) ) {
- # problem
- &B_log("ERROR","# B_chkconfig_on $startup_script failed -- no valid run level/start/stop info found\n");
- return(-1);
- }
-
- # Now, run through creating symlinks...
- &B_log("ACTION","# chkconfig_on will use run levels ".join(",",@runlevels)." for \"$startup_script\" with S order $start_order and K order $stop_order\n");
-
- $retval=0;
- # BUG: we really ought to readdir() on &getGlobal('DIR', "rcd") to get all levels
- foreach my $level ( "0","1","2","3","4","5","6" ) {
- my $link = '';
- # we make K links in run levels not specified in the chkconfig line
- $link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/K$stop_order" . $startup_script;
- my $klink = $link;
- # now we see if this is a specified run level; if so, make an S link
- foreach my $markedlevel ( @runlevels ) {
- if ( $level == $markedlevel) {
- $link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/S$start_order" . $startup_script;
- }
- }
- my $target = &getGlobal('DIR', "initd") ."/" . $startup_script;
- my $local_return;
-
- if ( (-e "$klink") && ($klink ne $link) ) {
- # there's a K link, but this level needs an S link
- unless ($GLOBAL_LOGONLY) {
- $local_return = unlink("$klink");
- if ( ! $local_return ) {
- # unlinking old, bad $klink failed
- &B_log("ERROR","Unlinking $klink failed\n");
- } else {
- &B_log("ACTION","Removed link $klink\n");
- # If we removed the link, add a link command to the revert file
- &B_revert_log (&getGlobal('BIN','ln') . " -s $target $klink\n");
- } # close what to do if unlink works
- } # if not GLOBAL_LOGONLY
- } # if $klink exists and ne $link
-
- # OK, we've disposed of any old K links, make what we need
- if ( (! ( -e "$link" )) && ($link ne '') ) {
- # link doesn't exist and the start/stop number is OK; make it
- unless ($GLOBAL_LOGONLY) {
- # create the link
- $local_return = &B_symlink($target,$link);
- if ($local_return) {
- $retval++;
- &B_log("ACTION","Created link $link\n");
- } else {
- &B_log("ERROR","Couldn't create $link when trying to chkconfig on $startup_script\n");
- }
- }
-
- } # link doesn't exist
- } # foreach level
-
- }
-
- if ($retval < @runlevels) {
- $retval=0;
- }
-
- $retval;
-
-}
-
-
-###########################################################################
-# &B_chkconfig_off ($daemon_name) deletes the symbolic links that are
-# named in the "# chkconfig: ___ _ _ " portion of the init.d files. We
-# need this utility, in place of the distro's chkconfig, because of both
-# our need to add revert functionality and our need to harden distros that
-# are not mounted on /.
-#
-# chkconfig allows for a REVERT of its work by writing to an executable
-# file &getGlobal('BFILE', "removed-symlinks").
-#
-# It uses the following global variables to find the links and the init
-# scripts, respectively:
-#
-# &getGlobal('DIR', "rcd") -- directory where the rc_.d subdirs can be found
-# &getGlobal('DIR', "initd") -- directory the rc_.d directories link to
-#
-# Here an example of where you might use this:
-#
-# You'd like to tell stop running sendmail in daemon mode on boot:
-# B_chkconfig_off("sendmail")
-#
-###########################################################################
-
-
-
-sub B_chkconfig_off {
-
- my $startup_script=$_[0];
- my $retval=1;
-
- my $chkconfig_line;
- my @runlevels;
- my ($start_order,$stop_order,$filetolink);
-
- if (&GetDistro =~/^DB.*/) {
- $filetolink = &getGlobal('DIR', "initd") . "/$startup_script";
- if (-x $filetolink)
- {
- # Three ways to do this in Debian:
- # 1.- have the initd script set to 600 mode
- # 2.- Remove the links in rcd (re-installing the package
- # will break it)
- # 3.- Use update-rc.d --remove (same as 2.)
- # (jfs)
- &B_chmod(0600,$filetolink);
- $retval=6;
-
- # The second option
- #foreach my $level ("0","1","2","3","4","5","6" ) {
- #my $link = '';
- #$link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K50" . "$startup_script";
- #unlink($link);
- #}
- }
- }
-
- #
- # On SUSE, chkconfig-based rc scripts have been replaced with a whole different
- # system. chkconfig on SUSE is actually a shell script that does some stuff and then
- # calls insserv, their replacement.
- #
- elsif (&GetDistro =~ /^SE/) {
- # only try to chkconfig off if init script is found
- if ( -e (&getGlobal('DIR', "initd") . "/$startup_script") ) {
- $chkconfig_line=&getGlobal('BIN','chkconfig');
- &B_System("$chkconfig_line $startup_script on", "$chkconfig_line $startup_script off");
- # chkconfig doesn't take affect until reboot, need to stop service
- # since expectation is that the daemons are disabled even without a reboot
- B_service_stop("$startup_script");
- return 1; #success
- }
- return 0; #failure
- }
- else {
-
- # Run through the init script looking for the chkconfig line...
-
-
- $retval = open CHKCONFIG,&getGlobal('DIR', "initd") . "/$startup_script";
- unless ($retval) {
- &B_log("ACTION","Didn't chkconfig_off $startup_script because we couldn't open " . &getGlobal('DIR', "initd") . "/$startup_script\n");
- }
- else {
-
- READ_LOOP:
- while (my $line=<CHKCONFIG>) {
-
- # We're looking for lines like this one:
- # # chkconfig: 2345 10 90
-
- if ($line =~ /^#\s*chkconfig:\s*([-\d]+)\s*(\d+)\s*(\d+)/ ) {
- @runlevels=split //,$1;
- $start_order=$2;
- $stop_order=$3;
-
-
- # Change single digit run levels to double digit -- otherwise,
- # the alphabetic ordering chkconfig depends on fails.
- if ($start_order =~ /^\d$/ ) {
- $start_order = "0" . $start_order;
- &B_log("ACTION","chkconfig_off converted start order to $start_order\n");
- }
- if ($stop_order =~ /^\d$/ ) {
- $stop_order = "0" . $stop_order;
- &B_log("ACTION","chkconfig_off converted stop order to $stop_order\n");
- }
-
- last READ_LOOP;
- }
- }
- close CHKCONFIG;
-
- # If we never found a chkconfig line, can we just run through all 5
- # rcX.d dirs from 1 to 5...?
-
- # unless ( $start_order and $stop_order ) {
- # @runlevels=("1","2","3","4","5");
- # $start_order = "*"; $stop_order="*";
- # }
-
- # Now, run through removing symlinks...
-
-
-
- $retval=0;
-
- # Handle the special case that the run level specified is solely "-"
- if ($runlevels[0] =~ /-/) {
- @runlevels = ( "0","1","2","3","4","5","6" );
- }
-
- foreach my $level ( @runlevels ) {
- my $link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/S$start_order" . $startup_script;
- my $new_link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/K$stop_order" . $startup_script;
- my $target = &getGlobal('DIR', "initd") ."/" . $startup_script;
- my $local_return;
-
-
- # Replace the S__ link in this level with a K__ link.
- if ( -e $link ) {
- unless ($GLOBAL_LOGONLY) {
- $local_return=unlink $link;
- if ($local_return) {
- $local_return=symlink $target,$new_link;
- unless ($local_return) {
- &B_log("ERROR","Linking $target to $new_link failed.\n");
- }
- }
- else { # unlinking failed
- &B_log("ERROR","Unlinking $link failed\n");
- }
-
- }
- if ($local_return) {
- $retval++;
- &B_log("ACTION","Removed link $link\n");
-
- #
- # If we removed the link, add a link command to the revert file
- # Write out the revert information for recreating the S__
- # symlink and deleting the K__ symlink.
- &B_revert_log(&getGlobal('BIN',"ln") . " -s $target $link\n");
- &B_revert_log(&getGlobal('BIN',"rm") . " -f $new_link\n");
- }
- else {
- &B_log("ERROR","B_chkconfig_off $startup_script failed\n");
- }
-
- }
- } # foreach
-
- } # else-unless
-
- } # else-DB
- if ($retval < @runlevels) {
- $retval=0;
- }
-
- $retval;
-
-}
-
-
-###########################################################################
-# &B_service_start ($daemon_name)
-# Starts service on RedHat/SUSE-based Linux distributions which have the
-# service command:
-#
-# service $daemon_name start
-#
-# Other Linux distros that also support this method of starting
-# services can be added to use this function.
-#
-# Here an example of where you might use this:
-#
-# You'd like to tell the system to start the vsftpd daemon:
-# &B_service_start("vsftpd")
-#
-# Uses &B_System in HP_API.pm
-# To match how the &B_System command works this method:
-# returns 1 on success
-# returns 0 on failure
-###########################################################################
-
-sub B_service_start {
-
- my $daemon=$_[0];
-
- if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
- (&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
- &B_log("ERROR","Tried to call service_start on a system lacking a service command! Internal Bastille error.");
- return undef;
- }
-
- # only start service if init script is found
- if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
- &B_log("ACTION","# service_start enabling $daemon\n");
-
- my $service_cmd=&getGlobal('BIN', 'service');
- if ($service_cmd) {
- # Start the service,
- # Also provide &B_System revert command
-
- return (&B_System("$service_cmd $daemon start",
- "$service_cmd $daemon stop"));
- }
- }
-
- # init script not found, do not try to start, return failure
- return 0;
-}
-
-###########################################################################
-# &B_service_stop ($daemon_name)
-# Stops service on RedHat/SUSE-based Linux distributions which have the
-# service command:
-#
-# service $daemon_name stop
-#
-# Other Linux distros that also support this method of starting
-# services can be added to use this function.
-# Stops service.
-#
-#
-# Here an example of where you might use this:
-#
-# You'd like to tell the system to stop the vsftpd daemon:
-# &B_service_stop("vsftpd")
-#
-# Uses &B_System in HP_API.pm
-# To match how the &B_System command works this method:
-# returns 1 on success
-# returns 0 on failure
-###########################################################################
-
-sub B_service_stop {
-
- my $daemon=$_[0];
-
- if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
- (&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
- &B_log("ERROR","Tried to call service_stop on a system lacking a service command! Internal Bastille error.");
- return undef;
- }
-
- # only stop service if init script is found
- if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
- &B_log("ACTION","# service_stop disabling $daemon\n");
-
- my $service_cmd=&getGlobal('BIN', 'service');
- if ($service_cmd) {
-
- # Stop the service,
- # Also provide &B_System revert command
-
- return (&B_System("$service_cmd $daemon stop",
- "$service_cmd $daemon start"));
- }
- }
-
- # init script not found, do not try to stop, return failure
- return 0;
-}
-
-
-###########################################################################
-# &B_service_restart ($daemon_name)
-# Restarts service on RedHat/SUSE-based Linux distributions which have the
-# service command:
-#
-# service $daemon_name restart
-#
-# Other Linux distros that also support this method of starting
-# services can be added to use this function.
-#
-# Here an example of where you might use this:
-#
-# You'd like to tell the system to restart the vsftpd daemon:
-# &B_service_restart("vsftpd")
-#
-# Uses &B_System in HP_API.pm
-# To match how the &B_System command works this method:
-# returns 1 on success
-# returns 0 on failure
-###########################################################################
-
-sub B_service_restart {
-
- my $daemon=$_[0];
-
- if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
- (&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
- &B_log("ERROR","Tried to call service_restart on a system lacking a service command! Internal Bastille error.");
- return undef;
- }
-
- # only restart service if init script is found
- if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
- &B_log("ACTION","# service_restart re-enabling $daemon\n");
-
- my $service_cmd=&getGlobal('BIN', 'service');
- if ($service_cmd) {
-
- # Restart the service
- return (&B_System("$service_cmd $daemon restart",
- "$service_cmd $daemon restart"));
- }
- }
-
- # init script not found, do not try to restart, return failure
- return 0;
-}
-
-###########################################################################
-# &B_is_service_off($;$)
-#
-# Runs the specified test to determine whether or not the question should
-# be answered.
-#
-# return values:
-# NOTSECURE_CAN_CHANGE()/0: service is on
-# SECURE_CANT_CHANGE()/1: service is off
-# undef: test is not defined
-###########################################################################
-
-sub B_is_service_off ($){
- my $service=$_[0];
-
- if(&GetDistro =~ "^HP-UX"){
- #die "Why do I think I'm on HPUX?!\n";
- return &checkServiceOnHPUX($service);
- }
- elsif ( (&GetDistro =~ "^RH") || (&GetDistro =~ "^SE") ) {
- return &checkServiceOnLinux($service);
- }
- else {
- &B_log("DEBUG","B_is_service off called for unsupported OS");
- # not yet implemented for other distributions of Linux
- # when GLOBAL_SERVICE, GLOBAL_SERVTYPE and GLOBAL_PROCESS are filled
- # in for Linux, then
- # at least inetd and inittab services should be similar to the above,
- # whereas chkconfig would be used on some Linux distros to determine
- # if non-inetd/inittab services are running at boot time. Looking at
- # processes should be similar.
- return undef;
- }
-}
-
-###########################################################################
-# &checkServiceOnLinux($service);
-#
-# Checks if the given service is running on a Linux system. This is
-# called by B_is_Service_Off(), which is the function that Bastille
-# modules should call.
-#
-# Return values:
-# NOTSECURE_CAN_CHANGE() if the service is on
-# SECURE_CANT_CHANGE() if the service is off
-# undef if the state of the service cannot be determined
-#
-###########################################################################
-sub checkServiceOnLinux($) {
- my $service=$_[0];
-
- # get the list of parameters which could be used to initiate the service
- # (could be in /etc/rc.d/rc?.d, /etc/inetd.conf, or /etc/inittab, so we
- # check all of them)
-
- my @params = @{ &getGlobal('SERVICE', $service) };
- my $chkconfig = &getGlobal('BIN', 'chkconfig');
- my $grep = &getGlobal('BIN', 'grep');
- my $inittab = &getGlobal('FILE', 'inittab');
- my $serviceType = &getGlobal('SERVTYPE', $service);;
-
- # A kludge to get things running because &getGlobal('SERVICE' doesn't
- # return the expected values.
- @params = ();
- push (@params, $service);
-
- foreach my $param (@params) {
- &B_log("DEBUG","Checking to see if service $service is off.\n");
-
- if ($serviceType =~ /rc/) {
- my $on = &B_Backtick("$chkconfig --list $param 2>&1");
- if ($on =~ /^$param:\s+unknown/) {
- # This service isn't installed on the system
- return NOT_INSTALLED();
- }
- if ($on =~ /^error reading information on service $param: No such file or directory/) {
- # This service isn't installed on the system
- return NOT_INSTALLED();
- }
- if ($on =~ /^error/) {
- # This probably
- &B_log("DEBUG","chkconfig returned: $param=$on\n");
- return undef;
- }
- $on =~ s/^$param\s+//; # remove the service name and spaces
- $on =~ s/[0-6]:off\s*//g; # remove any runlevel:off entries
- $on =~ s/:on\s*//g; # remove the :on from the runlevels
- # what remains is a list of runlevels in which the service is on,
- # or a null string if it is never turned on
- chomp $on; # newline should be gone already (\s)
- &B_log("DEBUG","chkconfig returned: $param=$on\n");
-
- if ($on =~ /^\d+$/) {
- # service is not off
- ########################### BREAK out, don't skip question
- return NOTSECURE_CAN_CHANGE();
- }
- }
- elsif ($serviceType =~ /inet/) {
- my $on = &B_Backtick("$chkconfig --list $param 2>&1");
- if ($on =~ /^$param:\s+unknown/) {
- # This service isn't installed on the system
- return NOT_INSTALLED();
- }
- if ($on =~ /^error reading information on service $param: No such file or directory/) {
- # This service isn't installed on the system
- return NOT_INSTALLED();
- }
- if ($on =~ /^error/ ) {
- # Something else is wrong?
- # return undef
- return undef;
- }
- if ($on =~ tr/\n// > 1) {
- $on =~ s/^xinetd.+\n//;
- }
- $on =~ s/^\s*$param:?\s+//; # remove the service name and spaces
- chomp $on; # newline should be gone already (\s)
- &B_log("DEBUG","chkconfig returned: $param=$on\n");
-
- if ($on =~ /^on$/) {
- # service is not off
- ########################### BREAK out, don't skip question
- return NOTSECURE_CAN_CHANGE();
- }
- }
- else {
- # perhaps the service is started by inittab
- my $inittabline = &B_Backtick("$grep -E '^[^#].{0,3}:.*:.+:.*$param' $inittab");
- if ($inittabline =~ /.+/) { # . matches anything except newlines
- # service is not off
- &B_log("DEBUG","Checking inittab; found $inittabline\n");
- ########################### BREAK out, don't skip question
- return NOTSECURE_CAN_CHANGE();
- }
- }
- } # foreach my $param
-
-
- # boot-time parameters are not set; check processes
- # Note the checkProcsforService returns INCONSISTENT() if a process is found
- # assuming the checks above
- return &checkProcsForService($service);
-}
-
-1;
-
-
diff --git a/recipes-security/bastille/files/accept_os_flag_in_backend.patch b/recipes-security/bastille/files/accept_os_flag_in_backend.patch
deleted file mode 100644
index 4a438e4..0000000
--- a/recipes-security/bastille/files/accept_os_flag_in_backend.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/BastilleBackEnd
-===================================================================
---- Bastille.orig/BastilleBackEnd 2013-08-21 12:40:54.000000000 -0400
-+++ Bastille/BastilleBackEnd 2013-08-21 12:43:21.895950001 -0400
-@@ -52,11 +52,13 @@
- my $force = 0;
- my $debug = 0;
- my $alternate_config=undef;
-+my $os_version=undef;
-
- if( Getopt::Long::GetOptions( "n" => \$nodisclaim,
- "v" => \$verbose,
- "force" => \$force,
- "f=s" => \$alternate_config,
-+ "os=s" => \$os_version,
- "debug" => \$debug) ) {
- $error = 0; # no parse error
-
-@@ -66,7 +68,8 @@
-
- &setOptions(
- debug => $debug,
-- verbose => $verbose);
-+ verbose => $verbose,
-+ os => $os_version);
- &ConfigureForDistro;
-
- if ( $error ) { # GetOptions couldn't parse all of the args
diff --git a/recipes-security/bastille/files/allow_os_with_assess.patch b/recipes-security/bastille/files/allow_os_with_assess.patch
deleted file mode 100644
index e112f90..0000000
--- a/recipes-security/bastille/files/allow_os_with_assess.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/bin/bastille
-===================================================================
---- Bastille.orig/bin/bastille 2013-08-21 08:59:06.647950000 -0400
-+++ Bastille/bin/bastille 2013-08-21 15:55:53.193631711 -0400
-@@ -195,7 +195,6 @@
- systemFileLocations
-
- isAssessing='no'
--nonXArg='no'
-
- if [ $PERL_V_MAJ -eq $MIN_V_MAJ -a $PERL_V_MIN -lt $MIN_V_MIN -o $PERL_V_MAJ -lt $MIN_V_MAJ ]; then # invalid Perl
- printErr
-@@ -316,12 +315,10 @@
- '--os')
- options_left="$options_left --os"
- optarg='yes'
-- nonXArg='yes'
- ;;
- '-f')
- options_left="$options_left -f"
- optarg='yes'
-- nonXArg='yes'
- ;;
- # Non-exclusive (undocumented and unsupported) options follow:
- # There is no validity/combination checking done with these.
-@@ -345,11 +342,6 @@
- fi
- done
-
--#Detect case where -f or --os attempted use with --assess
-- if [ \( x$nonXArg = xyes \) -a \( x$isAssessing = xyes \) ]; then
-- printUsage
-- exit 2
-- fi
-
- # We have a valid version of perl! Verify that all the required
- # modules can be found.
diff --git a/recipes-security/bastille/files/call_output_config.patch b/recipes-security/bastille/files/call_output_config.patch
deleted file mode 100644
index 1e898b1..0000000
--- a/recipes-security/bastille/files/call_output_config.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/Bastille_Curses.pm
-===================================================================
---- Bastille.orig/Bastille_Curses.pm 2013-08-21 08:58:53.899950000 -0400
-+++ Bastille/Bastille_Curses.pm 2013-08-21 09:20:20.295950005 -0400
-@@ -84,7 +84,7 @@
- }
-
- # Output answers to the script and display
-- &checkAndSaveConfig(&getGlobal('BFILE', "config"));
-+ &outputConfig;
-
- # Run Bastille
-
diff --git a/recipes-security/bastille/files/config b/recipes-security/bastille/files/config
deleted file mode 100755
index 9e5e206..0000000
--- a/recipes-security/bastille/files/config
+++ /dev/null
@@ -1,106 +0,0 @@
-# Q: Would you like to enforce password aging? [Y]
-AccountSecurity.passwdage="Y"
-# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
-AccountSecurity.protectrhost="Y"
-# Q: Should we disallow root login on tty's 1-6? [N]
-AccountSecurity.rootttylogins="Y"
-# Q: What umask would you like to set for users on the system? [077]
-AccountSecurity.umask="077"
-# Q: Do you want to set the default umask? [Y]
-AccountSecurity.umaskyn="Y"
-# Q: Would you like to deactivate the Apache web server? [Y]
-Apache.apacheoff="Y"
-# Q: Would you like to password protect single-user mode? [Y]
-BootSecurity.passsum="Y"
-# Q: Should we restrict console access to a small group of user accounts? [N]
-ConfigureMiscPAM.consolelogin="Y"
-# Q: Which accounts should be able to login at console? [root]
-ConfigureMiscPAM.consolelogin_accounts="root"
-# Q: Would you like to put limits on system resource usage? [N]
-ConfigureMiscPAM.limitsconf="Y"
-# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
-FilePermissions.generalperms_1_1="Y"
-# Q: Would you like to disable SUID status for mount/umount?
-FilePermissions.suidmount="Y"
-# Q: Would you like to disable SUID status for ping? [Y]
-FilePermissions.suidping="Y"
-# Q: Would you like to disable SUID status for traceroute? [Y]
-FilePermissions.suidtrace="Y"
-# Q: Do you need the advanced networking options?
-Firewall.ip_advnetwork="Y"
-# Q: Should Bastille run the firewall and enable it at boot time? [N]
-Firewall.ip_enable_firewall="Y"
-# Q: Would you like to run the packet filtering script? [N]
-Firewall.ip_intro="Y"
-# Q: Interfaces for DHCP queries: [ ]
-Firewall.ip_s_dhcpiface=" "
-# Q: DNS servers: [0.0.0.0/0]
-Firewall.ip_s_dns="10.184.9.1"
-# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
-Firewall.ip_s_icmpallowed="destination-unreachable echo-reply time-exceeded"
-# Q: ICMP services to audit: [ ]
-Firewall.ip_s_icmpaudit=" "
-# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
-Firewall.ip_s_icmpout="destination-unreachable time-exceeded"
-# Q: Internal interfaces: [ ]
-Firewall.ip_s_internaliface=" "
-# Q: TCP service names or port numbers to allow on private interfaces: [ ]
-Firewall.ip_s_internaltcp=" "
-# Q: UDP service names or port numbers to allow on private interfaces: [ ]
-Firewall.ip_s_internaludp=" "
-# Q: Masqueraded networks: [ ]
-Firewall.ip_s_ipmasq=" "
-# Q: Kernel modules to masquerade: [ftp raudio vdolive]
-Firewall.ip_s_kernelmasq="ftp raudio vdolive"
-# Q: NTP servers to query: [ ]
-Firewall.ip_s_ntpsrv=" "
-# Q: Force passive mode? [N]
-Firewall.ip_s_passiveftp="N"
-# Q: Public interfaces: [eth+ ppp+ slip+]
-Firewall.ip_s_publiciface="eth+ ppp+ slip+"
-# Q: TCP service names or port numbers to allow on public interfaces:[ ]
-Firewall.ip_s_publictcp=" "
-# Q: UDP service names or port numbers to allow on public interfaces:[ ]
-Firewall.ip_s_publicudp=" "
-# Q: Reject method: [DENY]
-Firewall.ip_s_rejectmethod="DENY"
-# Q: Enable source address verification? [Y]
-Firewall.ip_s_srcaddr="Y"
-# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
-Firewall.ip_s_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
-# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
-Firewall.ip_s_tcpblock="2049 2065:2090 6000:6020 7100"
-# Q: Trusted interface names: [lo]
-Firewall.ip_s_trustiface="lo"
-# Q: UDP services to audit: [31337]
-Firewall.ip_s_udpaudit="31337"
-# Q: UDP services to block: [2049 6770]
-Firewall.ip_s_udpblock="2049 6770"
-# Q: Would you like to add additional logging? [Y]
-Logging.morelogging="Y"
-# Q: Would you like to set up process accounting? [N]
-Logging.pacct="N"
-# Q: Do you have a remote logging host? [N]
-Logging.remotelog="N"
-# Q: Would you like to disable acpid and/or apmd? [Y]
-MiscellaneousDaemons.apmd="Y"
-# Q: Would you like to deactivate NFS and Samba? [Y]
-MiscellaneousDaemons.remotefs="Y"
-# Q: Would you like to disable printing? [N]
-Printing.printing="Y"
-# Q: Would you like to disable printing? [N]
-Printing.printing_cups="Y"
-# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
-SecureInetd.banners="Y"
-# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
-SecureInetd.deactivate_ftp="Y"
-# Q: Should Bastille ensure the telnet service does not run on this system? [y]
-SecureInetd.deactivate_telnet="Y"
-# Q: Who is responsible for granting authorization to use this machine?
-SecureInetd.owner="its owner"
-# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
-SecureInetd.tcpd_default_deny="Y"
-# Q: Do you want to stop sendmail from running in daemon mode? [Y]
-Sendmail.sendmaildaemon="Y"
-# Q: Would you like to install TMPDIR/TMP scripts? [N]
-TMPDIR.tmpdir="N"
diff --git a/recipes-security/bastille/files/do_not_apply_config.patch b/recipes-security/bastille/files/do_not_apply_config.patch
deleted file mode 100644
index 574aa98..0000000
--- a/recipes-security/bastille/files/do_not_apply_config.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/Bastille_Curses.pm
-===================================================================
---- Bastille.orig/Bastille_Curses.pm 2013-08-27 16:43:39.130959000 -0400
-+++ Bastille/Bastille_Curses.pm 2013-08-27 16:43:39.794959000 -0400
-@@ -83,11 +83,6 @@
- # Output answers to the script and display
- &outputConfig;
-
-- # Run Bastille
--
-- &Run_Bastille_with_Config;
--
--
- # Display Credits
-
- open CREDITS,"/usr/share/Bastille/Credits";
-Index: Bastille/InteractiveBastille
-===================================================================
---- Bastille.orig/InteractiveBastille 2013-08-27 16:43:39.434959000 -0400
-+++ Bastille/InteractiveBastille 2013-08-27 17:18:55.758959000 -0400
-@@ -531,10 +531,10 @@
- " Please address bug reports and suggestions to jay\@bastille-linux.org\n" .
- "\n";
-
-- $InterfaceEndScreenDescription = "We will now implement the choices you have made here.\n\n" .
-+ $InterfaceEndScreenDescription = "We will now record the choices you have made here.\n\n" .
- "Answer NO if you want to go back and make changes!\n";
-- $InterfaceEndScreenQuestion = "Are you finished answering the questions, i.e. may we make the changes?";
-- $InterfaceEndScreenNoEpilogue = "Please use Back/Next buttons to move among the questions you wish to\nchange.\n\nChoose YES on this question later to implement your choices.\n";
-+ $InterfaceEndScreenQuestion = "Are you finished answering the questions, i.e. may we record the answers and exit?";
-+ $InterfaceEndScreenNoEpilogue = "Please use Back/Next buttons to move among the questions you wish to\nchange.\n\nChoose YES on this question later to record your choices.\n";
- require Bastille_Curses;
- } elsif ($GLOBAL_AUDITONLY) {
-
diff --git a/recipes-security/bastille/files/edit_usage_message.patch b/recipes-security/bastille/files/edit_usage_message.patch
deleted file mode 100644
index 72cdc2f..0000000
--- a/recipes-security/bastille/files/edit_usage_message.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/bin/bastille
-===================================================================
---- Bastille.orig/bin/bastille 2013-08-25 14:16:35.614779001 -0400
-+++ Bastille/bin/bastille 2013-08-25 14:16:38.674779000 -0400
-@@ -60,7 +60,7 @@
- printUsage () {
- cat >&2 << EOF
- $ERRSPACES Usage: bastille [ -b | -c | -x ] [ --os <version>] [ -f <alternate config> ]
--$ERRSPACES bastille [-r | -l | -h | --assess | --assessnobrowser ]
-+$ERRSPACES bastille [-r | -l | -h | --assess | --assessnobrowser ] [ --os <version> ]
- $ERRSPACES -b : use a saved config file to apply changes
- $ERRSPACES directly to system
- $ERRSPACES -c : use the Curses (non-X11) GUI, not available on HP-UX
-Index: Bastille/Bastille/API.pm
-===================================================================
---- Bastille.orig/Bastille/API.pm 2013-08-25 08:15:40.266779002 -0400
-+++ Bastille/Bastille/API.pm 2013-08-25 14:18:22.750778811 -0400
-@@ -206,7 +206,7 @@
- #options before interactive or Bastille runs, so this check is often redundant
- $GLOBAL_ERROR{"usage"}="\n".
- "$spc Usage: bastille [ -b | -c | -x ] [ --os <version> ] [ -f <alternate config> ]\n".
-- "$spc bastille [ -r | --assess | --assessnobowser ]\n\n".
-+ "$spc bastille [ -r | --assess | --assessnobowser ] [ --os <version> ]\n\n".
- "$spc --assess : check status of system and report in browser\n".
- "$spc --assessnobrowser : check status of system and list report locations\n".
- "$spc -b : use a saved config file to apply changes\n".
diff --git a/recipes-security/bastille/files/find_existing_config.patch b/recipes-security/bastille/files/find_existing_config.patch
deleted file mode 100644
index c075875..0000000
--- a/recipes-security/bastille/files/find_existing_config.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/bin/bastille
-===================================================================
---- Bastille.orig/bin/bastille 2013-06-20 14:58:01.065796000 -0400
-+++ Bastille/bin/bastille 2013-08-20 15:16:18.472378000 -0400
-@@ -102,8 +102,9 @@
- # defines OS specific file locations based on uname
- systemFileLocations
-
-+ config_files=`find $config_repository -type f -name \*config 2>/dev/null`
-+
- if [ -f $last_config ]; then
-- config_files=`find $config_repository -type f -name \*config 2>/dev/null`
- for config_cursor in `echo $config_files`
- do
- if /usr/bin/diff $last_config $config_cursor >/dev/null 2>&1
-@@ -112,8 +113,8 @@
- fi
- done
- if [ -n "$match" ]; then
-- echo "The last bastille run corresponds to the following profiles:"
-- echo "$match"
-+ printf "The last Bastille run corresponds to the following profiles:\n"
-+ printf "$match"
- else
- cat >&2 << EOF
- NOTE: The last config file applied,
-@@ -122,18 +123,28 @@
- $ERRSPACES $config_repository.
- $ERRSPACES This probably means that Bastille was last run interactively and
- $ERRSPACES changes were made to the config file, but they have not yet been
--$ERRSPACES applied, or that the source config file was moved. If you do have pending
-+$ERRSPACES applied, or that the source config file was moved. If you do have pending
- $ERRSPACES changes in a config file, you can apply them by running
- $ERRSPACES 'bastille -b -f <config file>.'
- EOF
-
- fi
- else
-- echo "NOTE: The system is in its pre-bastilled state.\n"
-+ for config_cursor in `echo $config_files`
-+ do
-+ match="$match $config_cursor\n"
-+ done
-+ if [ -n "$match" ]; then
-+ printf "The following Bastille profiles were located:\n"
-+ printf "$match"
-+ else
-+ printf "No Bastille profiles were located.\n"
-+ fi
-+ printf "No log files of profiles from previous executions of Bastille have been found. It is likely that Bastille has not been run on this machine.\n"
- fi
--
- }
-
-+
- # First, make sure we're root
- if [ `PATH="/usr/bin:/bin"; id -u` -ne 0 ]; then
- echo "ERROR: Bastille must be run as root user" >&2
diff --git a/recipes-security/bastille/files/fix_missing_use_directives.patch b/recipes-security/bastille/files/fix_missing_use_directives.patch
deleted file mode 100644
index 05f145a..0000000
--- a/recipes-security/bastille/files/fix_missing_use_directives.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/Bastille/Firewall.pm
-===================================================================
---- Bastille.orig/Bastille/Firewall.pm 2008-09-14 19:56:54.000000000 -0400
-+++ Bastille/Bastille/Firewall.pm 2013-08-20 16:28:44.588378000 -0400
-@@ -21,6 +21,7 @@
- package Bastille::Firewall;
-
- use Bastille::API;
-+use Bastille::API::AccountPermission;
- use Bastille::API::FileContent;
- use Bastille::API::ServiceAdmin;
-
-Index: Bastille/Bastille/SecureInetd.pm
-===================================================================
---- Bastille.orig/Bastille/SecureInetd.pm 2008-09-14 19:56:58.000000000 -0400
-+++ Bastille/Bastille/SecureInetd.pm 2013-08-20 16:45:02.252378001 -0400
-@@ -12,6 +12,7 @@
- use lib "/usr/lib";
-
- use Bastille::API;
-+use Bastille::API::AccountPermission;
- use Bastille::API::HPSpecific;
- use Bastille::API::ServiceAdmin;
- use Bastille::API::FileContent;
-Index: Bastille/Bastille/ConfigureMiscPAM.pm
-===================================================================
---- Bastille.orig/Bastille/ConfigureMiscPAM.pm 2005-09-12 23:47:28.000000000 -0400
-+++ Bastille/Bastille/ConfigureMiscPAM.pm 2013-08-20 18:36:07.340378001 -0400
-@@ -5,6 +5,7 @@
- use lib "/usr/lib";
-
- use Bastille::API;
-+use Bastille::API::FileContent;
-
- # To DO:
- #
-Index: Bastille/Bastille/Printing.pm
-===================================================================
---- Bastille.orig/Bastille/Printing.pm 2008-09-14 19:56:58.000000000 -0400
-+++ Bastille/Bastille/Printing.pm 2013-08-20 19:05:01.532378002 -0400
-@@ -5,6 +5,7 @@
- use lib "/usr/lib";
-
- use Bastille::API;
-+use Bastille::API::AccountPermission;
- use Bastille::API::HPSpecific;
- use Bastille::API::ServiceAdmin;
- use Bastille::API::FileContent;
diff --git a/recipes-security/bastille/files/fix_number_of_modules.patch b/recipes-security/bastille/files/fix_number_of_modules.patch
deleted file mode 100644
index 743e549..0000000
--- a/recipes-security/bastille/files/fix_number_of_modules.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/Bastille_Curses.pm
-===================================================================
---- Bastille.orig/Bastille_Curses.pm 2013-08-24 18:21:54.445288000 -0400
-+++ Bastille/Bastille_Curses.pm 2013-08-24 18:29:16.981288000 -0400
-@@ -36,9 +36,6 @@
- use Curses;
- use Curses::Widgets;
-
-- # Number_Modules is the number of modules loaded in by Load_Questions
-- $Number_Modules=0;
--
- #
- # Highlighted button is the button currently chosen in the button bar
- # We preserve this from question to question...
-@@ -397,7 +394,7 @@
- my $title;
-
- if ($module) {
-- $title=$module . " of $Number_Modules";
-+ $title=$module;
- }
-
- txt_field( 'window' => $window,
-@@ -488,7 +485,7 @@
- my $title;
-
- if ($module) {
-- $title=$module . " of $Number_Modules";
-+ $title=$module;
- }
-
- noecho;
diff --git a/recipes-security/bastille/files/fix_version_parse.patch b/recipes-security/bastille/files/fix_version_parse.patch
deleted file mode 100644
index 5923c04..0000000
--- a/recipes-security/bastille/files/fix_version_parse.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/bin/bastille
-===================================================================
---- Bastille.orig/bin/bastille
-+++ Bastille/bin/bastille
-@@ -162,11 +162,12 @@ fi
- # We check that the version is at least the minimum
-
- PERL_VERSION=`${CURRENT_PERL_PATH}/perl -version |
-- head -2 | # the second line contains the version
-+ head -n 2 | # the second line contains the version
- tr " " "\n" | # split words into separate lines
-- sed -e "s/^v//" | # to get rid of the v in v5.6.0
-- grep "^[1-9]\." | # find a "word" that starts with number dot
-- sed -e "s/_/./"` # substitute _patchlevel with .patchlevel
-+ grep "^(v" | # find a "word" that starts with '(v'
-+ sed -e "s/^(v//" -e "s/)//" -e "s/_/./"`
-+ # to get rid of the (v in v5.6.0
-+ # substitute _patchlevel with .patchlevel
- # (used in 5.005_03 and prior)
-
- # everything before the first .
diff --git a/recipes-security/bastille/files/fixed_defined_warnings.patch b/recipes-security/bastille/files/fixed_defined_warnings.patch
deleted file mode 100644
index e7996e3..0000000
--- a/recipes-security/bastille/files/fixed_defined_warnings.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From c59b84ca3bda8e4244d47901b6966f28dd675434 Mon Sep 17 00:00:00 2001
-From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-Date: Thu, 23 May 2013 15:12:23 +0300
-Subject: [PATCH] added yocto-standard to bastille
-
-In order to make Bastille functional and avoid errors
-regarding distros, if not any given distro is identified,
-yocto-standard distro is added to the distro variable
-in Bastille.
-
-Fixed also some warnings regarding defined statements
-in API.pm.
-
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
- Bastille/API.pm | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-Index: Bastille/Bastille/API.pm
-===================================================================
---- Bastille.orig/Bastille/API.pm 2008-09-14 19:56:53.000000000 -0400
-+++ Bastille/Bastille/API.pm 2013-08-21 08:55:26.715950001 -0400
-@@ -445,8 +445,8 @@
- $release=`/usr/bin/uname -sr`;
- }
- else {
-- print STDERR "$err Could not determine operating system version!\n";
-- $distro="unknown";
-+ print STDERR "$err Could not determine operating system version!\n";
-+ $distro="unknown"
- }
-
- # Figure out what kind of system we're on.
-@@ -1284,7 +1284,7 @@
-
- my $sumFile = &getGlobal('BFILE',"sum.csv");
-
-- if ( defined %GLOBAL_SUM ) {
-+ if ( %GLOBAL_SUM ) {
-
- open( SUM, "> $sumFile") or &B_log("ERROR","Unable to open $sumFile for write.\n$!\n");
-
-@@ -1318,7 +1318,7 @@
- my $file = $_[0];
- my $cksum = &getGlobal('BIN',"cksum");
-
-- if (not(defined(%GLOBAL_SUM))) {
-+ if (not(%GLOBAL_SUM)) {
- &B_read_sums;
- }
-
-@@ -1375,7 +1375,7 @@
- sub B_isFileinSumDB($) {
- my $file = $_[0];
-
-- if (not(defined(%GLOBAL_SUM))) {
-+ if (not(%GLOBAL_SUM)) {
- &B_log("DEBUG","Reading in DB from B_isFileinSumDB");
- &B_read_sums;
- }
diff --git a/recipes-security/bastille/files/organize_distro_discovery.patch b/recipes-security/bastille/files/organize_distro_discovery.patch
deleted file mode 100644
index d64d1e2..0000000
--- a/recipes-security/bastille/files/organize_distro_discovery.patch
+++ /dev/null
@@ -1,476 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/Bastille/API.pm
-===================================================================
---- Bastille.orig/Bastille/API.pm 2013-08-22 04:32:38.269968002 -0400
-+++ Bastille/Bastille/API.pm 2013-08-22 11:29:53.137968002 -0400
-@@ -141,7 +141,7 @@
- checkProcsForService
-
-
-- $GLOBAL_OS $GLOBAL_ACTUAL_OS $CLI
-+ $CLI
- $GLOBAL_LOGONLY $GLOBAL_VERBOSE $GLOBAL_DEBUG $GLOBAL_AUDITONLY $GLOBAL_AUDIT_NO_BROWSER $errorFlag
- %GLOBAL_BIN %GLOBAL_DIR %GLOBAL_FILE
- %GLOBAL_BDIR %GLOBAL_BFILE
-@@ -198,7 +198,7 @@
- my $err ="ERROR: ";
- my $spc =" ";
- my $GLOBAL_OS="None";
--my $GLOBAL_ACTUAL_OS="None";
-+my $GLOBAL_INFERRED_OS="None";
- my %GLOBAL_SUMS=();
- my $CLI='';
-
-@@ -306,7 +306,7 @@
-
- ###########################################################################
- #
--# GetDistro checks to see if the target is a known distribution and reports
-+# InferDistro checks to see if the target is a known distribution and reports
- # said distribution.
- #
- # This is used throughout the script, but also by ConfigureForDistro.
-@@ -314,205 +314,194 @@
- #
- ###########################################################################
-
--sub GetDistro() {
-+sub InferDistro() {
-
- my ($release,$distro);
-
-- # Only read files for the distro once.
-- # if the --os option was used then
-- if ($GLOBAL_OS eq "None") {
-- if ( -e "/etc/mandrake-release" ) {
-- open(MANDRAKE_RELEASE,"/etc/mandrake-release");
-- $release=<MANDRAKE_RELEASE>;
--
-- if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
-- $distro="MN$1";
-- }
-- elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
-- $distro="MN$1";
-- }
-- else {
-- print STDERR "$err Couldn't determine Mandrake/Mandriva version! Setting to 10.1!\n";
-- $distro="MN10.1";
-- }
--
-- close(MANDRAKE_RELEASE);
-- }
-- elsif ( -e "/etc/immunix-release" ) {
-- open(IMMUNIX_RELEASE,"/etc/immunix-release");
-- $release=<IMMUNIX_RELEASE>;
-- unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
-- print STDERR "$err Couldn't determine Immunix version! Setting to 6.2!\n";
-- $distro="RH6.2";
-- }
-- else {
-- $distro="RH$1";
-- }
-- close(*IMMUNIX_RELEASE);
-- }
-- elsif ( -e '/etc/fedora-release' ) {
-- open(FEDORA_RELEASE,'/etc/fedora-release');
-- $release=<FEDORA_RELEASE>;
-- close FEDORA_RELEASE;
-- if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
-- $distro = "RHFC$1";
-- }
-- elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
-- $distro = "RHFC$1";
-- }
-- else {
-- print STDERR "$err Could not determine Fedora version! Setting to Fedora Core 8\n";
-- $distro='RHFC8';
-- }
-+ if ( -e "/etc/mandrake-release" ) {
-+ open(MANDRAKE_RELEASE,"/etc/mandrake-release");
-+ $release=<MANDRAKE_RELEASE>;
-+
-+ if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
-+ $distro="MN$1";
-+ }
-+ elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
-+ $distro="MN$1";
-+ }
-+ else {
-+ print STDERR "$err Could not infer Mandrake/Mandriva version! Setting to 10.1!\n";
-+ $distro="MN10.1";
-+ }
-+
-+ close(MANDRAKE_RELEASE);
-+ }
-+ elsif ( -e "/etc/immunix-release" ) {
-+ open(IMMUNIX_RELEASE,"/etc/immunix-release");
-+ $release=<IMMUNIX_RELEASE>;
-+ unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
-+ print STDERR "$err Could not infer Immunix version! Setting to 6.2!\n";
-+ $distro="RH6.2";
-+ }
-+ else {
-+ $distro="RH$1";
- }
-- elsif ( -e "/etc/redhat-release" ) {
-- open(*REDHAT_RELEASE,"/etc/redhat-release");
-- $release=<REDHAT_RELEASE>;
-- if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
-- $distro="RH$1";
-- }
-- elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
-- $distro="RHEL$1$2";
-- }
-- elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
-- $distro="RHEL$2$1";
-+ close(*IMMUNIX_RELEASE);
-+ }
-+ elsif ( -e '/etc/fedora-release' ) {
-+ open(FEDORA_RELEASE,'/etc/fedora-release');
-+ $release=<FEDORA_RELEASE>;
-+ close FEDORA_RELEASE;
-+ if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
-+ $distro = "RHFC$1";
-+ }
-+ elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
-+ $distro = "RHFC$1";
-+ }
-+ else {
-+ print STDERR "$err Could not infer Fedora version! Setting to Fedora Core 8\n";
-+ $distro='RHFC8';
-+ }
-+ }
-+ elsif ( -e "/etc/redhat-release" ) {
-+ open(*REDHAT_RELEASE,"/etc/redhat-release");
-+ $release=<REDHAT_RELEASE>;
-+ if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
-+ $distro="RH$1";
-+ }
-+ elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
-+ $distro="RHEL$1$2";
-+ }
-+ elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
-+ $distro="RHEL$2$1";
-+ }
-+ elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
-+ my $version = $1;
-+ if ($version =~ /^4\./) {
-+ $distro='RHEL4AS';
- }
-- elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
-- my $version = $1;
-- if ($version =~ /^4\./) {
-- $distro='RHEL4AS';
-- }
-- elsif ($version =~ /^3\./) {
-- $distro='RHEL3AS';
-- }
-- else {
-- print STDERR "$err Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
-- $distro='RHEL4AS';
-- }
-- }
-- else {
-- # JJB/HP - Should this be B_log?
-- print STDERR "$err Couldn't determine Red Hat version! Setting to 9!\n";
-- $distro="RH9";
-- }
-- close(REDHAT_RELEASE);
--
-- }
-- elsif ( -e "/etc/debian_version" ) {
-- $stable="3.1"; #Change this when Debian stable changes
-- open(*DEBIAN_RELEASE,"/etc/debian_version");
-- $release=<DEBIAN_RELEASE>;
-- unless ($release =~ /^(\d+\.\d+\w*)/) {
-- print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
-- $distro="DB$stable";
-+ elsif ($version =~ /^3\./) {
-+ $distro='RHEL3AS';
- }
- else {
-- $distro="DB$1";
-- }
-- close(DEBIAN_RELEASE);
-- }
-- elsif ( -e "/etc/SuSE-release" ) {
-- open(*SUSE_RELEASE,"/etc/SuSE-release");
-- $release=<SUSE_RELEASE>;
-- if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
-- $distro="SE$1";
-- }
-- elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
-- $distro="SESLES$1";
-- }
-- elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
-- $distro="SESLES$1";
-- }
-- elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
-- $distro="SE$1";
-+ print STDERR "$err Could not infer CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
-+ $distro='RHEL4AS';
- }
-- else {
-- print STDERR "$err Couldn't determine SuSE version! Setting to 10.3!\n";
-- $distro="SE10.3";
-- }
-- close(SUSE_RELEASE);
-- }
-- elsif ( -e "/etc/turbolinux-release") {
-- open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
-- $release=<TURBOLINUX_RELEASE>;
-- unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
-- print STDERR "$err Couldn't determine TurboLinux version! Setting to 7.0!\n";
-- $distro="TB7.0";
-- }
-- else {
-- $distro="TB$1";
-- }
-- close(TURBOLINUX_RELEASE);
-+ }
-+ else {
-+ # JJB/HP - Should this be B_log?
-+ print STDERR "$err Could not infer Red Hat version! Setting to 9!\n";
-+ $distro="RH9";
-+ }
-+ close(REDHAT_RELEASE);
-+
-+ }
-+ elsif ( -e "/etc/debian_version" ) {
-+ $stable="3.1"; #Change this when Debian stable changes
-+ open(*DEBIAN_RELEASE,"/etc/debian_version");
-+ $release=<DEBIAN_RELEASE>;
-+ unless ($release =~ /^(\d+\.\d+\w*)/) {
-+ print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
-+ $distro="DB$stable";
-+ }
-+ else {
-+ $distro="DB$1";
-+ }
-+ close(DEBIAN_RELEASE);
-+ }
-+ elsif ( -e "/etc/SuSE-release" ) {
-+ open(*SUSE_RELEASE,"/etc/SuSE-release");
-+ $release=<SUSE_RELEASE>;
-+ if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
-+ $distro="SE$1";
-+ }
-+ elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
-+ $distro="SESLES$1";
-+ }
-+ elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
-+ $distro="SESLES$1";
-+ }
-+ elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
-+ $distro="SE$1";
-+ }
-+ else {
-+ print STDERR "$err Could not infer SuSE version! Setting to 10.3!\n";
-+ $distro="SE10.3";
- }
-+ close(SUSE_RELEASE);
-+ }
-+ elsif ( -e "/etc/turbolinux-release") {
-+ open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
-+ $release=<TURBOLINUX_RELEASE>;
-+ unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
-+ print STDERR "$err Could not infer TurboLinux version! Setting to 7.0!\n";
-+ $distro="TB7.0";
-+ }
- else {
-- # We're either on Mac OS X, HP-UX or an unsupported O/S.
-- if ( -x '/usr/bin/uname') {
-+ $distro="TB$1";
-+ }
-+ close(TURBOLINUX_RELEASE);
-+ }
-+ else {
-+ # We're either on Mac OS X, HP-UX or an unsupported O/S.
-+ if ( -x '/usr/bin/uname') {
- # uname is in /usr/bin on Mac OS X and HP-UX
-- $release=`/usr/bin/uname -sr`;
-- }
-- else {
-- print STDERR "$err Could not determine operating system version!\n";
-- $distro="unknown"
-- }
--
-- # Figure out what kind of system we're on.
-- if ($release ne "") {
-- if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
-- if ($1 == 6 ) {
-- $distro = "OSX10.2";
-- }
-- elsif ($1 == 7) {
-- $distro = "OSX10.3";
-- }
-- elsif ($1 == 8) {
-- $distro = "OSX10.3";
-- }
-- else {
-- $distro = "unknown";
-- }
-+ $release=`/usr/bin/uname -sr`;
-+ }
-+ else {
-+ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
-+ $distro="unknown";
-+ }
-+
-+ # Figure out what kind of system we're on.
-+ if ($release ne "") {
-+ if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
-+ if ($1 == 6 ) {
-+ $distro = "OSX10.2";
- }
-- elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
-- $distro="$1$2";
-+ elsif ($1 == 7) {
-+ $distro = "OSX10.3";
- }
-+ elsif ($1 == 8) {
-+ $distro = "OSX10.3";
-+ }
- else {
-- print STDERR "$err Could not determine operating system version!\n";
-- $distro="unknown";
-+ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
-+ $distro = "unknown";
- }
- }
-+ elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
-+ $distro="$1$2";
-+ }
-+ else {
-+ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
-+ $distro="unknown";
-+ }
- }
--
-- $GLOBAL_OS=$distro;
-- } elsif (not (defined $GLOBAL_OS)) {
-- print "ERROR: GLOBAL OS Scoping Issue\n";
-- } else {
-- $distro = $GLOBAL_OS;
- }
--
- return $distro;
- }
-
- ###################################################################################
--# &getActualDistro; #
-+# &getInferredDistro; #
- # #
- # This subroutine returns the actual os version in which is running on. This #
- # os version is independent of the --os switch feed to bastille. #
- # #
- ###################################################################################
--sub getActualDistro {
-- # set local variable to $GLOBAL_OS
-+sub getInferredDistro {
-+ if ($GLOBAL_INFERRED_OS eq "None") {
-+ $GLOBAL_INFERRED_OS = &InferDistro;
-+ }
-+ return $GLOBAL_INFERRED_OS;
-+}
-
-- if ($GLOBAL_ACTUAL_OS eq "None") {
-- my $os = $GLOBAL_OS;
-- # undef GLOBAL_OS so that the GetDistro routine will return
-- # the actualDistro, it might otherwise return the distro set
-- # by the --os switch.
-- $GLOBAL_OS = "None";
-- $GLOBAL_ACTUAL_OS = &GetDistro;
-- # reset the GLOBAL_OS variable
-- $GLOBAL_OS = $os;
-+sub GetDistro {
-+ if ($GLOBAL_OS eq "None") {
-+ return &getInferredDistro;
- }
-- return $GLOBAL_ACTUAL_OS;
-+ return $GLOBAL_OS;
- }
-+
- # These are helper routines which used to be included inside GetDistro
- sub is_OS_supported($) {
- my $os=$_[0];
-@@ -556,7 +545,8 @@
- "SE7.2","SE7.3", "SE8.0","SE8.1","SE9.0","SE9.1",
- "SE9.2","SE9.3","SE10.0","SE10.1","SE10.2","SE10.3",
- "SESLES8","SESLES9","SESLES10",
-- "TB7.0"
-+ "TB7.0",
-+ "Yocto"
- ],
-
- "HP-UX" => [
-@@ -882,23 +872,19 @@
- ###########################################################################
- sub ConfigureForDistro {
-
-- my $retval=1;
--
-- # checking to see if the os version given is in fact supported
- my $distro = &GetDistro;
-
-- # checking to see if the actual os version is in fact supported
-- my $actualDistro = &getActualDistro;
-+ my $inferredDistro = &getInferredDistro;
-+
-+ if (! ($inferredDistro eq $distro) ) {
-+ print STDERR "WARNING: Inferred distro $inferredDistro is not the same as specified distro $distro. Using specified distro.\n";
-+ }
-+
- $ENV{'LOCALE'}=''; # So that test cases checking for english results work ok.
-- if ((! &is_OS_supported($distro)) or (! &is_OS_supported($actualDistro)) ) {
-- # if either is not supported then print out a list of supported versions
-- if (! &is_OS_supported($distro)) {
-- print STDERR "$err '$distro' is not a supported operating system.\n";
-- }
-- else {
-- print STDERR "$err Bastille is unable to operate correctly on this\n";
-- print STDERR "$spc $distro operating system.\n";
-- }
-+
-+ if (! &is_OS_supported($distro)) {
-+ print STDERR "$err '$distro' is not a supported operating system.\n";
-+
- my %supportedOSHash = &getSupportedOSHash;
- print STDERR "$spc Valid operating system versions are as follows:\n";
-
-@@ -930,7 +916,7 @@
- # intend via setting the Perl umask
- umask(077);
-
-- &getFileAndServiceInfo($distro,$actualDistro);
-+ &getFileAndServiceInfo($distro,$distro);
-
- # &dumpFileInfo; # great for debuging file location issues
- # &dumpServiceInfo; # great for debuging service information issues
-@@ -942,7 +928,7 @@
- "$spc You must use Bastille\'s -n flag (for example:\n" .
- "$spc bastille -f -n) or \'touch $nodisclaim_file \'\n";
-
-- return $retval;
-+ return 1;
- }
-
-
-Index: Bastille/Bastille/LogAPI.pm
-===================================================================
---- Bastille.orig/Bastille/LogAPI.pm 2013-08-22 04:32:38.269968002 -0400
-+++ Bastille/Bastille/LogAPI.pm 2013-08-22 04:32:47.509968002 -0400
-@@ -111,7 +111,7 @@
- # do this here to prevent bootstrapping problem, where we need to
- # write an error that the errorlog location isn't defined.
- my $logdir="/var/log/Bastille";
-- if(&getActualDistro =~ "^HP-UX"){
-+ if(&getInferredDistro =~ "^HP-UX"){
- $logdir = "/var/opt/sec_mgmt/bastille/log/";
- }
-
diff --git a/recipes-security/bastille/files/remove_questions_text_file_references.patch b/recipes-security/bastille/files/remove_questions_text_file_references.patch
deleted file mode 100644
index bd094ee..0000000
--- a/recipes-security/bastille/files/remove_questions_text_file_references.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/OSMap/LINUX.bastille
-===================================================================
---- Bastille.orig/OSMap/LINUX.bastille 2008-01-25 18:31:35.000000000 -0500
-+++ Bastille/OSMap/LINUX.bastille 2013-08-22 04:48:32.677968002 -0400
-@@ -12,7 +12,6 @@
-
- bfile,InteractiveBastille,'/usr/sbin/InteractiveBastille'
- bfile,BastilleBackEnd,'/usr/sbin/BastilleBackEnd'
--bfile,Questions,'/usr/share/Bastille/Questions.txt'
- bfile,QuestionsModules,'/usr/share/Bastille/Modules.txt'
- bfile,TODO,'/var/log/Bastille/TODO'
- bfile,TODOFlag,'/var/log/Bastille/TODOFlag.txt'
-Index: Bastille/OSMap/OSX.bastille
-===================================================================
---- Bastille.orig/OSMap/OSX.bastille 2007-09-11 18:09:26.000000000 -0400
-+++ Bastille/OSMap/OSX.bastille 2013-08-22 04:48:47.245968001 -0400
-@@ -10,7 +10,6 @@
- bdir,share,'/usr/share/Bastille'
-
- bfile,BastilleBackEnd,'/var/root/Bastille/BastilleBackEnd'
--bfile,Questions,'/usr/share/Bastille/Questions.txt'
- bfile,QuestionsModules,'/usr/share/Bastille/Modules.txt'
- bfile,TODO,'/var/log/Bastille/TODO'
- bfile,TODOFlag,'/var/log/Bastille/TODOFlag.txt'
diff --git a/recipes-security/bastille/files/set_required_questions.py b/recipes-security/bastille/files/set_required_questions.py
deleted file mode 100755
index f306109..0000000
--- a/recipes-security/bastille/files/set_required_questions.py
+++ /dev/null
@@ -1,157 +0,0 @@
-#!/usr/bin/env python3
-
-#Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
-import argparse, os, shutil, sys, tempfile, traceback
-from os import path
-
-
-
-def get_config(lines):
- """
- From a sequence of lines retrieve the question file name, question identifier
- pairs.
- """
- for l in lines:
- if not l.startswith("#"):
- try:
- (coord, value) = l.split("=")
- try:
- (fname, ident) = coord.split(".")
- yield fname, ident
- except ValueError as e:
- raise ValueError("Badly formatted coordinates %s in line %s." % (coord, l.strip()))
- except ValueError as e:
- raise ValueError("Skipping badly formatted line %s, %s" % (l.strip(), e))
-
-
-
-def check_contains(line, name):
- """
- Check if the value field for REQUIRE_DISTRO contains the given name.
- @param name line The REQUIRE_DISTRO line
- @param name name The name to look for in the value field of the line.
- """
- try:
- (label, distros) = line.split(":")
- return name in distros.split()
- except ValueError as e:
- raise ValueError("Error splitting REQUIRE_DISTRO line: %s" % e)
-
-
-
-def add_requires(the_ident, distro, lines):
-
- """
- Yield a sequence of lines the same as lines except that where
- the_ident matches a question identifier change the REQUIRE_DISTRO so that
- it includes the specified distro.
-
- @param name the_ident The question identifier to be matched.
- @param name distro The distribution to added to the questions REQUIRE_DISTRO
- field.
- @param lines The sequence to be processed.
- """
- for l in lines:
- yield l
- if l.startswith("LABEL:"):
- try:
- (label, ident) = l.split(":")
- if ident.strip() == the_ident:
- break
- except ValueError as e:
- raise ValueError("Unexpected line %s in questions file." % l.strip())
- for l in lines:
- if l.startswith("REQUIRE_DISTRO"):
- if not check_contains(l, distro):
- yield l.rstrip() + " " + distro + "\n"
- else:
- yield l
- break;
- else:
- yield l
- for l in lines:
- yield l
-
-
-
-def xform_file(qfile, distro, qlabel):
- """
- Transform a Questions file.
- @param name qfile The designated questions file.
- @param name distro The distribution to add to the required distributions.
- @param name qlabel The question label for which the distro is to be added.
- """
- questions_in = open(qfile)
- questions_out = tempfile.NamedTemporaryFile(mode="w+", delete=False)
- for l in add_requires(qlabel, distro, questions_in):
- questions_out.write(l)
- questions_out.close()
- questions_in.close()
- shutil.copystat(qfile, questions_out.name)
- os.remove(qfile)
- shutil.move(questions_out.name, qfile)
-
-
-
-def handle_args(parser):
- parser.add_argument('config_file',
- help = "Configuration file path.")
- parser.add_argument('questions_dir',
- help = "Directory containing Questions files.")
- parser.add_argument('--distro', '-d',
- help = "The distribution, the default is Yocto.",
- default = "Yocto")
- parser.add_argument('--debug', '-b',
- help = "Print debug information.",
- action = 'store_true')
- return parser.parse_args()
-
-
-
-def check_args(args):
- args.config_file = os.path.abspath(args.config_file)
- args.questions_dir = os.path.abspath(args.questions_dir)
-
- if not os.path.isdir(args.questions_dir):
- raise ValueError("Specified Questions directory %s does not exist or is not a directory." % args.questions_dir)
-
- if not os.path.isfile(args.config_file):
- raise ValueError("Specified configuration file %s not found." % args.config_file)
-
-
-
-def main():
- opts = handle_args(argparse.ArgumentParser(description="A simple script that sets required questions based on the question/answer pairs in a configuration file."))
-
- try:
- check_args(opts)
- except ValueError as e:
- if opts.debug:
- traceback.print_exc()
- else:
- sys.exit("Fatal error:\n%s" % e)
-
-
- try:
- config_in = open(opts.config_file)
- for qfile, qlabel in get_config(config_in):
- questions_file = os.path.join(opts.questions_dir, qfile + ".txt")
- xform_file(questions_file, opts.distro, qlabel)
- config_in.close()
-
- except IOError as e:
- if opts.debug:
- traceback.print_exc()
- else:
- sys.exit("Fatal error reading or writing file:\n%s" % e)
- except ValueError as e:
- if opts.debug:
- traceback.print_exc()
- else:
- sys.exit("Fatal error:\n%s" % e)
-
-
-
-if __name__ == "__main__":
- main()
diff --git a/recipes-security/bastille/files/simplify_B_place.patch b/recipes-security/bastille/files/simplify_B_place.patch
deleted file mode 100644
index 307fdca..0000000
--- a/recipes-security/bastille/files/simplify_B_place.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/Bastille/API.pm
-===================================================================
---- Bastille.orig/Bastille/API.pm 2013-08-21 08:59:17.939950001 -0400
-+++ Bastille/Bastille/API.pm 2013-08-21 08:59:30.983950001 -0400
-@@ -1679,24 +1679,22 @@
-
- use File::Copy;
-
-- my $original_source=$source;
- $source = &getGlobal('BDIR', "share") . $source;
-- my $original_target=$target;
-
- if ( -e $target and -f $target ) {
-- &B_backup_file($original_target);
-- &B_log("ACTION","About to copy $original_source to $original_target -- had to backup target\n");
-+ &B_backup_file($target);
-+ &B_log("ACTION","About to copy $source to $target -- had to backup target\n");
- $had_to_backup_target=1;
- }
- $retval=copy($source,$target);
- if ($retval) {
-- &B_log("ACTION","placed file $original_source as $original_target\n");
-+ &B_log("ACTION","placed file $source as $target\n");
- #
- # We want to add a line to the &getGlobal('BFILE', "created-files") so that the
- # file we just put at $original_target gets deleted.
-- &B_revert_log(&getGlobal('BIN',"rm") . " $original_target\n");
-+ &B_revert_log(&getGlobal('BIN',"rm") . " $target\n");
- } else {
-- &B_log("ERROR","Failed to place $original_source as $original_target\n");
-+ &B_log("ERROR","Failed to place $source as $target\n");
- }
-
- # We add the file to the GLOBAL_SUMS hash if it is not already present
diff --git a/recipes-security/bastille/files/upgrade_options_processing.patch b/recipes-security/bastille/files/upgrade_options_processing.patch
deleted file mode 100644
index 4093867..0000000
--- a/recipes-security/bastille/files/upgrade_options_processing.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/Bastille/API.pm
-===================================================================
---- Bastille.orig/Bastille/API.pm 2013-08-21 11:41:09.235950000 -0400
-+++ Bastille/Bastille/API.pm 2013-08-21 11:41:16.183950000 -0400
-@@ -271,9 +271,15 @@
- # setOptions takes six arguments, $GLOBAL_DEBUG, $GLOBAL_LOGONLY,
- # $GLOBAL_VERBOSE, $GLOBAL_AUDITONLY, $GLOBAL_AUDIT_NO_BROWSER, and GLOBAL_OS;
- ###########################################################################
--sub setOptions($$$$$$) {
-- ($GLOBAL_DEBUG,$GLOBAL_LOGONLY,$GLOBAL_VERBOSE,$GLOBAL_AUDITONLY,
-- $GLOBAL_AUDIT_NO_BROWSER,$GLOBAL_OS) = @_;
-+sub setOptions {
-+ my %opts = @_;
-+
-+ $GLOBAL_DEBUG = $opts{debug};
-+ $GLOBAL_LOGONLY = $opts{logonly};
-+ $GLOBAL_VERBOSE = $opts{verbose};
-+ $GLOBAL_AUDITONLY = $opts{auditonly};
-+ $GLOBAL_AUDIT_NO_BROWSER = $opts{audit_no_browser};
-+ $GLOBAL_OS = $opts{os};
- if ($GLOBAL_AUDIT_NO_BROWSER) {
- $GLOBAL_AUDITONLY = 1;
- }
-Index: Bastille/BastilleBackEnd
-===================================================================
---- Bastille.orig/BastilleBackEnd 2013-08-21 11:41:09.235950000 -0400
-+++ Bastille/BastilleBackEnd 2013-08-21 12:40:54.055950001 -0400
-@@ -50,15 +50,13 @@
- my $nodisclaim = 0;
- my $verbose = 0;
- my $force = 0;
--my $log_only = 0;
- my $debug = 0;
- my $alternate_config=undef;
-
- if( Getopt::Long::GetOptions( "n" => \$nodisclaim,
- "v" => \$verbose,
- "force" => \$force,
--# "log" => \$log_only, # broken
-- "f:s" => \$alternate_config,
-+ "f=s" => \$alternate_config,
- "debug" => \$debug) ) {
- $error = 0; # no parse error
-
-@@ -66,7 +64,9 @@
- $error = 1; # parse error
- }
-
--&setOptions($debug,$log_only,$verbose);
-+&setOptions(
-+ debug => $debug,
-+ verbose => $verbose);
- &ConfigureForDistro;
-
- if ( $error ) { # GetOptions couldn't parse all of the args
-Index: Bastille/InteractiveBastille
-===================================================================
---- Bastille.orig/InteractiveBastille 2013-08-21 11:41:09.235950000 -0400
-+++ Bastille/InteractiveBastille 2013-08-21 12:40:30.531950001 -0400
-@@ -234,8 +234,8 @@
- "a" => \$audit,
- "force" => \$force,
- "log" => \$log_only,
-- "os:s" => \$os_version,
-- "f:s" => \$alternate_config,
-+ "os=s" => \$os_version,
-+ "f=s" => \$alternate_config,
- "debug" => \$debug) ) {
- $error = 0; # no parse error
- } else {
-@@ -293,7 +293,13 @@
- $UseRequiresRules = 'N';
- }
-
--&setOptions($debug,$log_only,$verbose,$audit,$auditnobrowser,$os_version);
-+&setOptions(
-+ debug => $debug,
-+ logonly => $log_only,
-+ verbose => $verbose,
-+ auditonly => $audit,
-+ audit_no_browser => $auditnobrowser,
-+ os => $os_version);
- &ConfigureForDistro;
-
- # ensuring mutually exclusive options are exclusive
diff --git a/recipes-security/chipsec/chipsec_1.9.1.bb b/recipes-security/chipsec/chipsec_1.9.1.bb
new file mode 100644
index 0000000..9fbdaa7
--- /dev/null
+++ b/recipes-security/chipsec/chipsec_1.9.1.bb
@@ -0,0 +1,34 @@
+SUMMARY = "CHIPSEC: Platform Security Assessment Framework"
+
+DESCRIPTION = "CHIPSEC is a framework for analyzing the security \
+ of PC platforms including hardware, system firmware \
+ (BIOS/UEFI), and platform components."
+
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=bc2d1f9b427be5fb63f6af9da56f7c5d"
+
+DEPENDS = "virtual/kernel nasm-native"
+
+SRC_URI = "git://github.com/chipsec/chipsec.git;branch=main;protocol=https"
+SRCREV = "d8c2a606bf440c32196c6289a7a458f3ae3107cc"
+
+S = "${WORKDIR}/git"
+
+inherit module setuptools3
+
+EXTRA_OEMAKE = "CC='${CC}' LDFLAGS='${LDFLAGS}' CFLAGS='${CFLAGS}'"
+
+do_compile:append() {
+ cd ${S}/drivers/linux
+ oe_runmake KSRC=${STAGING_KERNEL_BUILDDIR}
+}
+
+do_install:append() {
+ install -m 0644 ${S}/drivers/linux/chipsec.ko ${D}${PYTHON_SITEPACKAGES_DIR}/chipsec/helper/linux
+}
+
+COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+
+FILES:${PN} += "${exec_prefix}"
+
+RDEPENDS:${PN} = "python3 python3-modules"
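Review bot: `do_install:append` copies `chipsec.ko` into `${PYTHON_SITEPACKAGES_DIR}/chipsec/helper/linux` instead of under `${nonarch_base_libdir}/modules/${KERNEL_VERSION}`, so the usual kernel-module packaging appears not to see it and the package carries no dependency on the kernel it was built against via `KSRC=${STAGING_KERNEL_BUILDDIR}`; after a kernel bump an image can ship a `.ko` that no longer loads. Whether chipsec's Linux helper requires that layout cannot be confirmed from this hunk; if it does, a comment such as `# chipsec's helper loads the .ko from its own package dir; outside module packaging, so rebuild on every kernel change` would spare the next reader the investigation. Since that helper driver is what gives the userspace tool direct access to platform hardware, a comment next to `SUMMARY` stating that this package is meant for assessment or development images rather than production ones would also be worth adding. Passing userland `CFLAGS`/`LDFLAGS` into the module build through `EXTRA_OEMAKE` is unusual; confirm the driver Makefile does not forward them to Kbuild.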
diff --git a/recipes-security/cryptmount/cryptmount_6.2.0.bb b/recipes-security/cryptmount/cryptmount_6.2.0.bb
new file mode 100644
index 0000000..d69d88b
--- /dev/null
+++ b/recipes-security/cryptmount/cryptmount_6.2.0.bb
@@ -0,0 +1,36 @@
+SUMMARY = "Linux encrypted filesystem management tool"
+HOMEPAGE = "http://cryptmount.sourceforge.net/"
+LIC_FILES_CHKSUM = "file://COPYING;beginline=1;endline=4;md5=6e69c425bf32ecf9b1e11d29d146d03d"
+LICENSE = "GPL-2.0-only"
+SRC_URI = "https://sourceforge.net/projects/cryptmount/files/${BPN}/${BPN}-6.2/${BPN}-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "90cc49fd598d636929c70479b1305f12b011edadf4a54578ace6c0fca8cb5ed2"
+
+inherit autotools-brokensep gettext pkgconfig systemd
+
+EXTRA_OECONF = " --enable-cswap --enable-fsck --enable-argv0switch"
+
+PACKAGECONFIG ?="intl luks gcrypt nls"
+PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+
+PACKAGECONFIG[systemd] = "--with-systemd, --without-systemd, systemd"
+PACKAGECONFIG[intl] = "--with-libintl-prefix, --without-libintl-prefix"
+PACKAGECONFIG[gcrypt] = "--with-libgcrypt, --without-libgcrypt, libgcrypt"
+PACKAGECONFIG[luks] = "--enable-luks, --disable-luks, cryptsetup"
+PACKAGECONFIG[nls] = "--enable-nls, --disable-nls, "
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE:${PN} = "cryptmount.service"
+
+do_install:append () {
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ install -D -m 0644 ${S}/sysinit/cryptmount.service ${D}${systemd_system_unitdir}/cryptmount.service
+ if ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','false','true',d)}; then
+ rm -fr ${D}/usr/lib
+ fi
+ fi
+}
+
+FILES:${PN} += "${systemd_system_unitdir}"
+
+RDEPENDS:${PN} = "libdevmapper"
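Review bot: The `rm -fr ${D}/usr/lib` in `do_install:append` deletes a hard-coded path wholesale rather than the one file the branch is meant to drop, so anything else upstream installs under `/usr/lib` is silently removed on non-usrmerge distros, and the inverted `'false','true'` selector makes the intent hard to read. Presumably upstream's install places a unit under `/usr/lib/systemd/system` that would duplicate the one installed into `${systemd_system_unitdir}` on the line before; if so, prefer `rm -f ${D}/usr/lib/systemd/system/cryptmount.service` (or at most `rm -rf ${D}${libdir}/systemd`) with a comment like `# upstream installs its unit under /usr/lib; without usrmerge that path is not packaged, so drop it`. Using `${libdir}` instead of the literal `/usr/lib` would also keep the recipe correct when libdir is overridden.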
diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index d8cd06f..00e8997 100644
--- a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -6,7 +6,7 @@ DESCRIPTION = "eCryptfs is a stacked cryptographic filesystem \
HOMEPAGE = "https://launchpad.net/ecryptfs"
SECTION = "base"
-LICENSE = "GPL-2.0"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
DEPENDS = "keyutils libgcrypt intltool-native glib-2.0-native"
@@ -16,15 +16,18 @@ SRC_URI = "\
file://ecryptfs-utils-CVE-2016-6224.patch \
file://0001-avoid-race-condition.patch \
file://ecryptfs.service \
+ file://define_musl_sword_type.patch \
"
SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd"
SRC_URI[sha256sum] = "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f"
+UPSTREAM_CHECK_URI = "https://launchpad.net/ecryptfs/+download"
+
inherit autotools pkgconfig systemd
SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE_${PN} = "ecryptfs.service"
+SYSTEMD_SERVICE:${PN} = "ecryptfs.service"
EXTRA_OECONF = "\
--libdir=${base_libdir} \
@@ -40,7 +43,7 @@ PACKAGECONFIG ??= "nss \
PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss,"
PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,"
-do_configure_prepend() {
+do_configure:prepend() {
export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr -I${STAGING_INCDIR}/nss3"
export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3"
export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}"
@@ -48,7 +51,7 @@ do_configure_prepend() {
sed -i -e "s;rootsbindir=\"/sbin\";rootsbindir=\"\${base_sbindir}\";g" ${S}/configure.ac
}
-do_install_append() {
+do_install:append() {
chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private
# ${base_libdir} is identical to ${libdir} when usrmerge enabled
if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then
@@ -63,7 +66,7 @@ do_install_append() {
fi
}
-FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"
+FILES:${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"
-RDEPENDS_${PN} += "cryptsetup"
-RRECOMMENDS_${PN} = "gettext-runtime"
+RDEPENDS:${PN} += "cryptsetup"
+RRECOMMENDS:${PN} = "gettext-runtime"
diff --git a/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch b/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
new file mode 100644
index 0000000..01b7dd8
--- /dev/null
+++ b/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
@@ -0,0 +1,17 @@
+Upstream-Status: Pending
+
+Index: ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
+===================================================================
+--- ecryptfs-utils-111.orig/src/utils/mount.ecryptfs_private.c
++++ ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
+@@ -45,6 +45,10 @@
+ #include <values.h>
+ #include "../include/ecryptfs.h"
+
++#ifndef __SWORD_TYPE
++typedef __typeof__( ((struct statfs *)0)->f_type ) __SWORD_TYPE;
++#endif
++
+ /* Perhaps a future version of this program will allow these to be configurable
+ * by the system administrator (or user?) at run time. For now, these are set
+ * to reasonable values to reduce the burden of input validation.
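Review bot: The patch header carries only `Upstream-Status: Pending`, with no description of why `__SWORD_TYPE` is missing and no `Signed-off-by:` line, which the OE patch-header convention asks for; a one-line rationale such as `__SWORD_TYPE is a glibc-internal typedef that musl does not provide; derive it from the type of statfs.f_type` would make the `#ifndef` guard self-explanatory and justify applying the patch unconditionally on glibc too. The `__typeof__` on `((struct statfs *)0)->f_type` also requires `struct statfs` to be complete at that point, and the hunk shows only `<values.h>` and `ecryptfs.h` above the insertion; if `<sys/statfs.h>` or `<sys/vfs.h>` is included earlier in the file this is fine, otherwise the typedef fails on an incomplete type. The enclosing include block starts outside the hunk.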
diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
index 4252f97..a457d79 100644
--- a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
+++ b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
@@ -14,7 +14,7 @@ the patch comes from:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882
-Upstream-Status: backport
+Upstream-Status: Backport
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
diff --git a/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch b/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
deleted file mode 100644
index 7f0812c..0000000
--- a/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From fe3436d65518099d35c643848cba50253abc249c Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Thu, 9 May 2019 14:44:51 +0900
-Subject: [PATCH] To fix build error of xrange.
-
-NameError: name 'xrange' is not defined
-
-Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
----
- fail2ban/__init__.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fail2ban/__init__.py b/fail2ban/__init__.py
-index fa6dcf7..61789a4 100644
---- a/fail2ban/__init__.py
-+++ b/fail2ban/__init__.py
-@@ -82,7 +82,7 @@ strptime("2012", "%Y")
-
- # short names for pure numeric log-level ("Level 25" could be truncated by short formats):
- def _init():
-- for i in xrange(50):
-+ for i in range(50):
- if logging.getLevelName(i).startswith('Level'):
- logging.addLevelName(i, '#%02d-Lev.' % i)
- _init()
---
-2.7.4
-
diff --git a/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch b/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch
deleted file mode 100644
index ee872ec..0000000
--- a/recipes-security/fail2ban/files/0001-python3-fail2ban-2-3-conversion.patch
+++ /dev/null
@@ -1,2527 +0,0 @@
-From abaa20435bac7decffa69e6f965aac9ce29aff6a Mon Sep 17 00:00:00 2001
-From: Armin Kuster <akuster808@gmail.com>
-Date: Wed, 12 Feb 2020 17:19:15 +0000
-Subject: [PATCH] python3-fail2ban: 2-3 conversion
-
-Upstream-Status: OE specific.
-
-fail2ban handles py3 via a 2-3 conversion utility.
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
----
- fail2ban/client/actionreader.py | 4 +-
- fail2ban/client/configparserinc.py | 10 +-
- fail2ban/client/configreader.py | 4 +-
- fail2ban/client/csocket.py | 4 +-
- fail2ban/client/fail2banclient.py | 4 +-
- fail2ban/client/fail2banregex.py | 20 +-
- fail2ban/client/filterreader.py | 2 +-
- fail2ban/client/jailreader.py | 4 +-
- fail2ban/helpers.py | 15 +-
- fail2ban/server/action.py | 19 +-
- fail2ban/server/actions.py | 24 +-
- fail2ban/server/asyncserver.py | 4 +-
- fail2ban/server/banmanager.py | 18 +-
- fail2ban/server/database.py | 6 +-
- fail2ban/server/failmanager.py | 8 +-
- fail2ban/server/failregex.py | 9 +-
- fail2ban/server/filter.py | 12 +-
- fail2ban/server/filterpoll.py | 2 +-
- fail2ban/server/filterpyinotify.py | 6 +-
- fail2ban/server/ipdns.py | 16 +-
- fail2ban/server/jail.py | 14 +-
- fail2ban/server/mytime.py | 2 +-
- fail2ban/server/server.py | 18 +-
- fail2ban/server/strptime.py | 6 +-
- fail2ban/server/ticket.py | 14 +-
- fail2ban/server/transmitter.py | 2 +-
- fail2ban/server/utils.py | 6 +-
- fail2ban/tests/action_d/test_badips.py | 2 +-
- fail2ban/tests/actiontestcase.py | 4 +-
- fail2ban/tests/clientreadertestcase.py | 4 +-
- fail2ban/tests/databasetestcase.py | 16 +-
- fail2ban/tests/datedetectortestcase.py | 6 +-
- fail2ban/tests/fail2banclienttestcase.py | 8 +-
- fail2ban/tests/failmanagertestcase.py | 10 +-
- .../tests/files/config/apache-auth/digest.py | 20 +-
- fail2ban/tests/filtertestcase.py | 92 ++---
- fail2ban/tests/misctestcase.py | 22 +-
- fail2ban/tests/observertestcase.py | 34 +-
- fail2ban/tests/samplestestcase.py | 8 +-
- fail2ban/tests/servertestcase.py | 28 +-
- fail2ban/tests/sockettestcase.py | 2 +-
- fail2ban/tests/utils.py | 22 +-
- setup.py | 326 ------------------
- 43 files changed, 264 insertions(+), 593 deletions(-)
- delete mode 100755 setup.py
-
-diff --git a/fail2ban/client/actionreader.py b/fail2ban/client/actionreader.py
-index 80617a50..ecf323c5 100644
---- a/fail2ban/client/actionreader.py
-+++ b/fail2ban/client/actionreader.py
-@@ -90,11 +90,11 @@ class ActionReader(DefinitionInitConfigReader):
- stream = list()
- stream.append(head + ["addaction", self._name])
- multi = []
-- for opt, optval in opts.iteritems():
-+ for opt, optval in opts.items():
- if opt in self._configOpts and not opt.startswith('known/'):
- multi.append([opt, optval])
- if self._initOpts:
-- for opt, optval in self._initOpts.iteritems():
-+ for opt, optval in self._initOpts.items():
- if opt not in self._configOpts and not opt.startswith('known/'):
- multi.append([opt, optval])
- if len(multi) > 1:
-diff --git a/fail2ban/client/configparserinc.py b/fail2ban/client/configparserinc.py
-index e0f39579..45c77437 100644
---- a/fail2ban/client/configparserinc.py
-+++ b/fail2ban/client/configparserinc.py
-@@ -62,7 +62,7 @@ if sys.version_info >= (3,2):
- parser, option, accum, rest, section, map, *args, **kwargs)
-
- else: # pragma: no cover
-- from ConfigParser import SafeConfigParser, \
-+ from configparser import SafeConfigParser, \
- InterpolationMissingOptionError, NoOptionError, NoSectionError
-
- # Interpolate missing known/option as option from default section
-@@ -327,7 +327,7 @@ after = 1.conf
- # mix it with defaults:
- return set(opts.keys()) | set(self._defaults)
- # only own option names:
-- return opts.keys()
-+ return list(opts.keys())
-
- def read(self, filenames, get_includes=True):
- if not isinstance(filenames, list):
-@@ -356,7 +356,7 @@ after = 1.conf
- ret += i
- # merge defaults and all sections to self:
- alld.update(cfg.get_defaults())
-- for n, s in cfg.get_sections().iteritems():
-+ for n, s in cfg.get_sections().items():
- # conditional sections
- cond = SafeConfigParserWithIncludes.CONDITIONAL_RE.match(n)
- if cond:
-@@ -366,7 +366,7 @@ after = 1.conf
- del(s['__name__'])
- except KeyError:
- pass
-- for k in s.keys():
-+ for k in list(s.keys()):
- v = s.pop(k)
- s[k + cond] = v
- s2 = alls.get(n)
-@@ -399,7 +399,7 @@ after = 1.conf
- sec.update(options)
- return
- sk = {}
-- for k, v in options.iteritems():
-+ for k, v in options.items():
- if not k.startswith(pref) and k != '__name__':
- sk[pref+k] = v
- sec.update(sk)
-diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py
-index 20709b72..b5167409 100644
---- a/fail2ban/client/configreader.py
-+++ b/fail2ban/client/configreader.py
-@@ -26,7 +26,7 @@ __license__ = "GPL"
-
- import glob
- import os
--from ConfigParser import NoOptionError, NoSectionError
-+from configparser import NoOptionError, NoSectionError
-
- from .configparserinc import sys, SafeConfigParserWithIncludes, logLevel
- from ..helpers import getLogger, _as_bool, _merge_dicts, substituteRecursiveTags
-@@ -197,7 +197,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
- config_files += sorted(glob.glob('%s/*.local' % config_dir))
-
- # choose only existing ones
-- config_files = filter(os.path.exists, config_files)
-+ config_files = list(filter(os.path.exists, config_files))
-
- if len(config_files):
- # at least one config exists and accessible
-diff --git a/fail2ban/client/csocket.py b/fail2ban/client/csocket.py
-index ab3e294b..9417cde9 100644
---- a/fail2ban/client/csocket.py
-+++ b/fail2ban/client/csocket.py
-@@ -47,7 +47,7 @@ class CSocket:
-
- def send(self, msg, nonblocking=False, timeout=None):
- # Convert every list member to string
-- obj = dumps(map(CSocket.convert, msg), HIGHEST_PROTOCOL)
-+ obj = dumps(list(map(CSocket.convert, msg)), HIGHEST_PROTOCOL)
- self.__csock.send(obj + CSPROTO.END)
- return self.receive(self.__csock, nonblocking, timeout)
-
-@@ -71,7 +71,7 @@ class CSocket:
- @staticmethod
- def convert(m):
- """Convert every "unexpected" member of message to string"""
-- if isinstance(m, (basestring, bool, int, float, list, dict, set)):
-+ if isinstance(m, (str, bool, int, float, list, dict, set)):
- return m
- else: # pragma: no cover
- return str(m)
-diff --git a/fail2ban/client/fail2banclient.py b/fail2ban/client/fail2banclient.py
-index 7c90ca40..7eb11684 100755
---- a/fail2ban/client/fail2banclient.py
-+++ b/fail2ban/client/fail2banclient.py
-@@ -45,7 +45,7 @@ def _thread_name():
- return threading.current_thread().__class__.__name__
-
- def input_command(): # pragma: no cover
-- return raw_input(PROMPT)
-+ return input(PROMPT)
-
- ##
- #
-@@ -444,7 +444,7 @@ class Fail2banClient(Fail2banCmdLine, Thread):
- return False
- finally:
- self._alive = False
-- for s, sh in _prev_signals.iteritems():
-+ for s, sh in _prev_signals.items():
- signal.signal(s, sh)
-
-
-diff --git a/fail2ban/client/fail2banregex.py b/fail2ban/client/fail2banregex.py
-index 513b765d..4a71b3c0 100644
---- a/fail2ban/client/fail2banregex.py
-+++ b/fail2ban/client/fail2banregex.py
-@@ -41,10 +41,10 @@ import shlex
- import sys
- import time
- import time
--import urllib
-+import urllib.request, urllib.parse, urllib.error
- from optparse import OptionParser, Option
-
--from ConfigParser import NoOptionError, NoSectionError, MissingSectionHeaderError
-+from configparser import NoOptionError, NoSectionError, MissingSectionHeaderError
-
- try: # pragma: no cover
- from ..server.filtersystemd import FilterSystemd
-@@ -68,7 +68,7 @@ def debuggexURL(sample, regex, multiline=False, useDns="yes"):
- 'flavor': 'python'
- }
- if multiline: args['flags'] = 'm'
-- return 'https://www.debuggex.com/?' + urllib.urlencode(args)
-+ return 'https://www.debuggex.com/?' + urllib.parse.urlencode(args)
-
- def output(args): # pragma: no cover (overriden in test-cases)
- print(args)
-@@ -244,7 +244,7 @@ class Fail2banRegex(object):
-
- def __init__(self, opts):
- # set local protected members from given options:
-- self.__dict__.update(dict(('_'+o,v) for o,v in opts.__dict__.iteritems()))
-+ self.__dict__.update(dict(('_'+o,v) for o,v in opts.__dict__.items()))
- self._opts = opts
- self._maxlines_set = False # so we allow to override maxlines in cmdline
- self._datepattern_set = False
-@@ -304,7 +304,7 @@ class Fail2banRegex(object):
- realopts = {}
- combopts = reader.getCombined()
- # output all options that are specified in filter-argument as well as some special (mostly interested):
-- for k in ['logtype', 'datepattern'] + fltOpt.keys():
-+ for k in ['logtype', 'datepattern'] + list(fltOpt.keys()):
- # combined options win, but they contain only a sub-set in filter expected keys,
- # so get the rest from definition section:
- try:
-@@ -424,7 +424,7 @@ class Fail2banRegex(object):
- self.output( "Use %11s line : %s" % (regex, shortstr(value)) )
- regex_values = {regextype: [RegexStat(value)]}
-
-- for regextype, regex_values in regex_values.iteritems():
-+ for regextype, regex_values in regex_values.items():
- regex = regextype + 'regex'
- setattr(self, "_" + regex, regex_values)
- for regex in regex_values:
-@@ -523,10 +523,10 @@ class Fail2banRegex(object):
- output(ret[1])
- elif self._opts.out == 'msg':
- for ret in ret:
-- output('\n'.join(map(lambda v:''.join(v for v in v), ret[3].get('matches'))))
-+ output('\n'.join([''.join(v for v in v) for v in ret[3].get('matches')]))
- elif self._opts.out == 'row':
- for ret in ret:
-- output('[%r,\t%r,\t%r],' % (ret[1],ret[2],dict((k,v) for k, v in ret[3].iteritems() if k != 'matches')))
-+ output('[%r,\t%r,\t%r],' % (ret[1],ret[2],dict((k,v) for k, v in ret[3].items() if k != 'matches')))
- else:
- for ret in ret:
- output(ret[3].get(self._opts.out))
-@@ -565,9 +565,9 @@ class Fail2banRegex(object):
- ans = [[]]
- for arg in [l, regexlist]:
- ans = [ x + [y] for x in ans for y in arg ]
-- b = map(lambda a: a[0] + ' | ' + a[1].getFailRegex() + ' | ' +
-+ b = [a[0] + ' | ' + a[1].getFailRegex() + ' | ' +
- debuggexURL(self.encode_line(a[0]), a[1].getFailRegex(),
-- multiline, self._opts.usedns), ans)
-+ multiline, self._opts.usedns) for a in ans]
- pprint_list([x.rstrip() for x in b], header)
- else:
- output( "%s too many to print. Use --print-all-%s " \
-diff --git a/fail2ban/client/filterreader.py b/fail2ban/client/filterreader.py
-index 413f125e..4f0cc4cf 100644
---- a/fail2ban/client/filterreader.py
-+++ b/fail2ban/client/filterreader.py
-@@ -71,7 +71,7 @@ class FilterReader(DefinitionInitConfigReader):
- @staticmethod
- def _fillStream(stream, opts, jailName):
- prio0idx = 0
-- for opt, value in opts.iteritems():
-+ for opt, value in opts.items():
- if opt in ("failregex", "ignoreregex"):
- if value is None: continue
- multi = []
-diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py
-index 50c1d047..969d0bc0 100644
---- a/fail2ban/client/jailreader.py
-+++ b/fail2ban/client/jailreader.py
-@@ -117,7 +117,7 @@ class JailReader(ConfigReader):
- }
- _configOpts.update(FilterReader._configOpts)
-
-- _ignoreOpts = set(['action', 'filter', 'enabled'] + FilterReader._configOpts.keys())
-+ _ignoreOpts = set(['action', 'filter', 'enabled'] + list(FilterReader._configOpts.keys()))
-
- def getOptions(self):
-
-@@ -236,7 +236,7 @@ class JailReader(ConfigReader):
- stream.extend(self.__filter.convert())
- # and using options from jail:
- FilterReader._fillStream(stream, self.__opts, self.__name)
-- for opt, value in self.__opts.iteritems():
-+ for opt, value in self.__opts.items():
- if opt == "logpath":
- if self.__opts.get('backend', '').startswith("systemd"): continue
- found_files = 0
-diff --git a/fail2ban/helpers.py b/fail2ban/helpers.py
-index 6f2bcdd7..7e563696 100644
---- a/fail2ban/helpers.py
-+++ b/fail2ban/helpers.py
-@@ -31,6 +31,7 @@ import traceback
- from threading import Lock
-
- from .server.mytime import MyTime
-+import importlib
-
- try:
- import ctypes
-@@ -63,7 +64,7 @@ if sys.version_info < (3,): # pragma: 3.x no cover
- from imp import load_dynamic as __ldm
- _sys = __ldm('_sys', 'sys')
- except ImportError: # pragma: no cover - only if load_dynamic fails
-- reload(sys)
-+ importlib.reload(sys)
- _sys = sys
- if hasattr(_sys, "setdefaultencoding"):
- _sys.setdefaultencoding(encoding)
-@@ -101,7 +102,7 @@ if sys.version_info >= (3,): # pragma: 2.x no cover
- else: # pragma: 3.x no cover
- def uni_decode(x, enc=PREFER_ENC, errors='strict'):
- try:
-- if isinstance(x, unicode):
-+ if isinstance(x, str):
- return x.encode(enc, errors)
- return x
- except (UnicodeDecodeError, UnicodeEncodeError): # pragma: no cover - unsure if reachable
-@@ -110,7 +111,7 @@ else: # pragma: 3.x no cover
- return x.encode(enc, 'replace')
- if sys.getdefaultencoding().upper() != 'UTF-8': # pragma: no cover - utf-8 is default encoding now
- def uni_string(x):
-- if not isinstance(x, unicode):
-+ if not isinstance(x, str):
- return str(x)
- return x.encode(PREFER_ENC, 'replace')
- else:
-@@ -118,7 +119,7 @@ else: # pragma: 3.x no cover
-
-
- def _as_bool(val):
-- return bool(val) if not isinstance(val, basestring) \
-+ return bool(val) if not isinstance(val, str) \
- else val.lower() in ('1', 'on', 'true', 'yes')
-
-
-@@ -326,7 +327,7 @@ def splitwords(s):
- """
- if not s:
- return []
-- return filter(bool, map(lambda v: v.strip(), re.split('[ ,\n]+', s)))
-+ return list(filter(bool, [v.strip() for v in re.split('[ ,\n]+', s)]))
-
- if sys.version_info >= (3,5):
- eval(compile(r'''if 1:
-@@ -436,7 +437,7 @@ def substituteRecursiveTags(inptags, conditional='',
- while True:
- repFlag = False
- # substitute each value:
-- for tag in tags.iterkeys():
-+ for tag in tags.keys():
- # ignore escaped or already done (or in ignore list):
- if tag in ignore or tag in done: continue
- # ignore replacing callable items from calling map - should be converted on demand only (by get):
-@@ -476,7 +477,7 @@ def substituteRecursiveTags(inptags, conditional='',
- m = tre_search(value, m.end())
- continue
- # if calling map - be sure we've string:
-- if not isinstance(repl, basestring): repl = uni_string(repl)
-+ if not isinstance(repl, str): repl = uni_string(repl)
- value = value.replace('<%s>' % rtag, repl)
- #logSys.log(5, 'value now: %s' % value)
- # increment reference count:
-diff --git a/fail2ban/server/action.py b/fail2ban/server/action.py
-index 5c817fc0..81d50689 100644
---- a/fail2ban/server/action.py
-+++ b/fail2ban/server/action.py
-@@ -111,9 +111,9 @@ class CallingMap(MutableMapping, object):
- def _asdict(self, calculated=False, checker=None):
- d = dict(self.data, **self.storage)
- if not calculated:
-- return dict((n,v) for n,v in d.iteritems() \
-+ return dict((n,v) for n,v in d.items() \
- if not callable(v) or n in self.CM_REPR_ITEMS)
-- for n,v in d.items():
-+ for n,v in list(d.items()):
- if callable(v):
- try:
- # calculate:
-@@ -179,7 +179,7 @@ class CallingMap(MutableMapping, object):
- return self.__class__(_merge_copy_dicts(self.data, self.storage))
-
-
--class ActionBase(object):
-+class ActionBase(object, metaclass=ABCMeta):
- """An abstract base class for actions in Fail2Ban.
-
- Action Base is a base definition of what methods need to be in
-@@ -209,7 +209,6 @@ class ActionBase(object):
- Any additional arguments specified in `jail.conf` or passed
- via `fail2ban-client` will be passed as keyword arguments.
- """
-- __metaclass__ = ABCMeta
-
- @classmethod
- def __subclasshook__(cls, C):
-@@ -420,7 +419,7 @@ class CommandAction(ActionBase):
- if not callable(family): # pragma: no cover
- return self.__substCache.get(key, {}).get(family)
- # family as expression - use it to filter values:
-- return [v for f, v in self.__substCache.get(key, {}).iteritems() if family(f)]
-+ return [v for f, v in self.__substCache.get(key, {}).items() if family(f)]
- cmd = args[0]
- if cmd: # set:
- try:
-@@ -432,7 +431,7 @@ class CommandAction(ActionBase):
- try:
- famd = self.__substCache[key]
- cmd = famd.pop(family)
-- for family, v in famd.items():
-+ for family, v in list(famd.items()):
- if v == cmd:
- del famd[family]
- except KeyError: # pragma: no cover
-@@ -448,7 +447,7 @@ class CommandAction(ActionBase):
- res = True
- err = 'Script error'
- if not family: # all started:
-- family = [famoper for (famoper,v) in self.__started.iteritems() if v]
-+ family = [famoper for (famoper,v) in self.__started.items() if v]
- for famoper in family:
- try:
- cmd = self._getOperation(tag, famoper)
-@@ -617,7 +616,7 @@ class CommandAction(ActionBase):
- and executes the resulting command.
- """
- # collect started families, may be started on demand (conditional):
-- family = [f for (f,v) in self.__started.iteritems() if v & 3 == 3]; # started and contains items
-+ family = [f for (f,v) in self.__started.items() if v & 3 == 3]; # started and contains items
- # if nothing contains items:
- if not family: return True
- # flush:
-@@ -642,7 +641,7 @@ class CommandAction(ActionBase):
- """
- # collect started families, if started on demand (conditional):
- if family is None:
-- family = [f for (f,v) in self.__started.iteritems() if v]
-+ family = [f for (f,v) in self.__started.items() if v]
- # if no started (on demand) actions:
- if not family: return True
- self.__started = {}
-@@ -676,7 +675,7 @@ class CommandAction(ActionBase):
- ret = True
- # for each started family:
- if self.actioncheck:
-- for (family, started) in self.__started.items():
-+ for (family, started) in list(self.__started.items()):
- if started and not self._invariantCheck(family, beforeRepair):
- # reset started flag and command of executed operation:
- self.__started[family] = 0
-diff --git a/fail2ban/server/actions.py b/fail2ban/server/actions.py
-index 24fea838..94b9c3ed 100644
---- a/fail2ban/server/actions.py
-+++ b/fail2ban/server/actions.py
-@@ -156,11 +156,11 @@ class Actions(JailThread, Mapping):
- else:
- if hasattr(self, '_reload_actions'):
- # reload actions after all parameters set via stream:
-- for name, initOpts in self._reload_actions.iteritems():
-+ for name, initOpts in self._reload_actions.items():
- if name in self._actions:
- self._actions[name].reload(**(initOpts if initOpts else {}))
- # remove obsolete actions (untouched by reload process):
-- delacts = OrderedDict((name, action) for name, action in self._actions.iteritems()
-+ delacts = OrderedDict((name, action) for name, action in self._actions.items()
- if name not in self._reload_actions)
- if len(delacts):
- # unban all tickets using removed actions only:
-@@ -289,7 +289,7 @@ class Actions(JailThread, Mapping):
- """
- if actions is None:
- actions = self._actions
-- revactions = actions.items()
-+ revactions = list(actions.items())
- revactions.reverse()
- for name, action in revactions:
- try:
-@@ -314,7 +314,7 @@ class Actions(JailThread, Mapping):
- True when the thread exits nicely.
- """
- cnt = 0
-- for name, action in self._actions.iteritems():
-+ for name, action in self._actions.items():
- try:
- action.start()
- except Exception as e:
-@@ -474,7 +474,7 @@ class Actions(JailThread, Mapping):
- Observers.Main.add('banFound', bTicket, self._jail, btime)
- logSys.notice("[%s] %sBan %s", self._jail.name, ('' if not bTicket.restored else 'Restore '), ip)
- # do actions :
-- for name, action in self._actions.iteritems():
-+ for name, action in self._actions.items():
- try:
- if ticket.restored and getattr(action, 'norestored', False):
- continue
-@@ -511,13 +511,13 @@ class Actions(JailThread, Mapping):
- if bTicket.banEpoch == self.banEpoch and diftm > 3:
- # avoid too often checks:
- if not rebanacts and MyTime.time() > self.__lastConsistencyCheckTM + 3:
-- for action in self._actions.itervalues():
-+ for action in self._actions.values():
- action.consistencyCheck()
- self.__lastConsistencyCheckTM = MyTime.time()
- # check epoch in order to reban it:
- if bTicket.banEpoch < self.banEpoch:
- if not rebanacts: rebanacts = dict(
-- (name, action) for name, action in self._actions.iteritems()
-+ (name, action) for name, action in self._actions.items()
- if action.banEpoch > bTicket.banEpoch)
- cnt += self.__reBan(bTicket, actions=rebanacts)
- else: # pragma: no cover - unexpected: ticket is not banned for some reasons - reban using all actions:
-@@ -542,8 +542,8 @@ class Actions(JailThread, Mapping):
- ip = ticket.getIP()
- aInfo = self.__getActionInfo(ticket)
- if log:
-- logSys.notice("[%s] Reban %s%s", self._jail.name, aInfo["ip"], (', action %r' % actions.keys()[0] if len(actions) == 1 else ''))
-- for name, action in actions.iteritems():
-+ logSys.notice("[%s] Reban %s%s", self._jail.name, aInfo["ip"], (', action %r' % list(actions.keys())[0] if len(actions) == 1 else ''))
-+ for name, action in actions.items():
- try:
- logSys.debug("[%s] action %r: reban %s", self._jail.name, name, ip)
- if not aInfo.immutable: aInfo.reset()
-@@ -567,7 +567,7 @@ class Actions(JailThread, Mapping):
- if not self.__banManager._inBanList(ticket): return
- # do actions :
- aInfo = None
-- for name, action in self._actions.iteritems():
-+ for name, action in self._actions.items():
- try:
- if ticket.restored and getattr(action, 'norestored', False):
- continue
-@@ -616,7 +616,7 @@ class Actions(JailThread, Mapping):
- cnt = 0
- # first we'll execute flush for actions supporting this operation:
- unbactions = {}
-- for name, action in (actions if actions is not None else self._actions).iteritems():
-+ for name, action in (actions if actions is not None else self._actions).items():
- try:
- if hasattr(action, 'flush') and (not isinstance(action, CommandAction) or action.actionflush):
- logSys.notice("[%s] Flush ticket(s) with %s", self._jail.name, name)
-@@ -671,7 +671,7 @@ class Actions(JailThread, Mapping):
- aInfo = self.__getActionInfo(ticket)
- if log:
- logSys.notice("[%s] Unban %s", self._jail.name, aInfo["ip"])
-- for name, action in unbactions.iteritems():
-+ for name, action in unbactions.items():
- try:
- logSys.debug("[%s] action %r: unban %s", self._jail.name, name, ip)
- if not aInfo.immutable: aInfo.reset()
-diff --git a/fail2ban/server/asyncserver.py b/fail2ban/server/asyncserver.py
-index e3400737..f5f9740b 100644
---- a/fail2ban/server/asyncserver.py
-+++ b/fail2ban/server/asyncserver.py
-@@ -178,7 +178,7 @@ def loop(active, timeout=None, use_poll=False, err_count=None):
- elif err_count['listen'] > 100: # pragma: no cover - normally unreachable
- if (
- e.args[0] == errno.EMFILE # [Errno 24] Too many open files
-- or sum(err_count.itervalues()) > 1000
-+ or sum(err_count.values()) > 1000
- ):
- logSys.critical("Too many errors - critical count reached %r", err_count)
- break
-@@ -220,7 +220,7 @@ class AsyncServer(asyncore.dispatcher):
- elif self.__errCount['accept'] > 100:
- if (
- (isinstance(e, socket.error) and e.args[0] == errno.EMFILE) # [Errno 24] Too many open files
-- or sum(self.__errCount.itervalues()) > 1000
-+ or sum(self.__errCount.values()) > 1000
- ):
- logSys.critical("Too many errors - critical count reached %r", self.__errCount)
- self.stop()
-diff --git a/fail2ban/server/banmanager.py b/fail2ban/server/banmanager.py
-index 5770bfd7..9bb44971 100644
---- a/fail2ban/server/banmanager.py
-+++ b/fail2ban/server/banmanager.py
-@@ -105,9 +105,9 @@ class BanManager:
- def getBanList(self, ordered=False, withTime=False):
- with self.__lock:
- if not ordered:
-- return self.__banList.keys()
-+ return list(self.__banList.keys())
- lst = []
-- for ticket in self.__banList.itervalues():
-+ for ticket in self.__banList.values():
- eob = ticket.getEndOfBanTime(self.__banTime)
- lst.append((ticket,eob))
- lst.sort(key=lambda t: t[1])
-@@ -126,7 +126,7 @@ class BanManager:
-
- def __iter__(self):
- with self.__lock:
-- return self.__banList.itervalues()
-+ return iter(self.__banList.values())
-
- ##
- # Returns normalized value
-@@ -165,7 +165,7 @@ class BanManager:
- return return_dict
- # get ips in lock:
- with self.__lock:
-- banIPs = [banData.getIP() for banData in self.__banList.values()]
-+ banIPs = [banData.getIP() for banData in list(self.__banList.values())]
- # get cymru info:
- try:
- for ip in banIPs:
-@@ -341,7 +341,7 @@ class BanManager:
- # Gets the list of ticket to remove (thereby correct next unban time).
- unBanList = {}
- nextUnbanTime = BanTicket.MAX_TIME
-- for fid,ticket in self.__banList.iteritems():
-+ for fid,ticket in self.__banList.items():
- # current time greater as end of ban - timed out:
- eob = ticket.getEndOfBanTime(self.__banTime)
- if time > eob:
-@@ -357,15 +357,15 @@ class BanManager:
- if len(unBanList):
- if len(unBanList) / 2.0 <= len(self.__banList) / 3.0:
- # few as 2/3 should be removed - remove particular items:
-- for fid in unBanList.iterkeys():
-+ for fid in unBanList.keys():
- del self.__banList[fid]
- else:
- # create new dictionary without items to be deleted:
-- self.__banList = dict((fid,ticket) for fid,ticket in self.__banList.iteritems() \
-+ self.__banList = dict((fid,ticket) for fid,ticket in self.__banList.items() \
- if fid not in unBanList)
-
- # return list of tickets:
-- return unBanList.values()
-+ return list(unBanList.values())
-
- ##
- # Flush the ban list.
-@@ -375,7 +375,7 @@ class BanManager:
-
- def flushBanList(self):
- with self.__lock:
-- uBList = self.__banList.values()
-+ uBList = list(self.__banList.values())
- self.__banList = dict()
- return uBList
-
-diff --git a/fail2ban/server/database.py b/fail2ban/server/database.py
-index ed736a7a..0e8c9aec 100644
---- a/fail2ban/server/database.py
-+++ b/fail2ban/server/database.py
-@@ -67,13 +67,13 @@ if sys.version_info >= (3,): # pragma: 2.x no cover
- else: # pragma: 3.x no cover
- def _normalize(x):
- if isinstance(x, dict):
-- return dict((_normalize(k), _normalize(v)) for k, v in x.iteritems())
-+ return dict((_normalize(k), _normalize(v)) for k, v in x.items())
- elif isinstance(x, (list, set)):
- return [_normalize(element) for element in x]
-- elif isinstance(x, unicode):
-+ elif isinstance(x, str):
- # in 2.x default text_factory is unicode - so return proper unicode here:
- return x.encode(PREFER_ENC, 'replace').decode(PREFER_ENC)
-- elif isinstance(x, basestring):
-+ elif isinstance(x, str):
- return x.decode(PREFER_ENC, 'replace')
- return x
-
-diff --git a/fail2ban/server/failmanager.py b/fail2ban/server/failmanager.py
-index 93c028fb..a9c6b5f6 100644
---- a/fail2ban/server/failmanager.py
-+++ b/fail2ban/server/failmanager.py
-@@ -57,7 +57,7 @@ class FailManager:
- def getFailCount(self):
- # may be slow on large list of failures, should be used for test purposes only...
- with self.__lock:
-- return len(self.__failList), sum([f.getRetry() for f in self.__failList.values()])
-+ return len(self.__failList), sum([f.getRetry() for f in list(self.__failList.values())])
-
- def getFailTotal(self):
- with self.__lock:
-@@ -125,7 +125,7 @@ class FailManager:
- # in case of having many active failures, it should be ran only
- # if debug level is "low" enough
- failures_summary = ', '.join(['%s:%d' % (k, v.getRetry())
-- for k,v in self.__failList.iteritems()])
-+ for k,v in self.__failList.items()])
- logSys.log(logLevel, "Total # of detected failures: %d. Current failures from %d IPs (IP:count): %s"
- % (self.__failTotal, len(self.__failList), failures_summary))
-
-@@ -138,7 +138,7 @@ class FailManager:
-
- def cleanup(self, time):
- with self.__lock:
-- todelete = [fid for fid,item in self.__failList.iteritems() \
-+ todelete = [fid for fid,item in self.__failList.items() \
- if item.getLastTime() + self.__maxTime <= time]
- if len(todelete) == len(self.__failList):
- # remove all:
-@@ -152,7 +152,7 @@ class FailManager:
- del self.__failList[fid]
- else:
- # create new dictionary without items to be deleted:
-- self.__failList = dict((fid,item) for fid,item in self.__failList.iteritems() \
-+ self.__failList = dict((fid,item) for fid,item in self.__failList.items() \
- if item.getLastTime() + self.__maxTime > time)
- self.__bgSvc.service()
-
-diff --git a/fail2ban/server/failregex.py b/fail2ban/server/failregex.py
-index f7dafbef..fb75187d 100644
---- a/fail2ban/server/failregex.py
-+++ b/fail2ban/server/failregex.py
-@@ -128,10 +128,7 @@ class Regex:
- self._regexObj = re.compile(regex, re.MULTILINE if multiline else 0)
- self._regex = regex
- self._altValues = {}
-- for k in filter(
-- lambda k: len(k) > len(ALTNAME_PRE) and k.startswith(ALTNAME_PRE),
-- self._regexObj.groupindex
-- ):
-+ for k in [k for k in self._regexObj.groupindex if len(k) > len(ALTNAME_PRE) and k.startswith(ALTNAME_PRE)]:
- n = ALTNAME_CRE.match(k).group(1)
- self._altValues[k] = n
- self._altValues = list(self._altValues.items()) if len(self._altValues) else None
-@@ -211,7 +208,7 @@ class Regex:
- #
- @staticmethod
- def _tupleLinesBuf(tupleLines):
-- return "\n".join(map(lambda v: "".join(v[::2]), tupleLines)) + "\n"
-+ return "\n".join(["".join(v[::2]) for v in tupleLines]) + "\n"
-
- ##
- # Searches the regular expression.
-@@ -223,7 +220,7 @@ class Regex:
-
- def search(self, tupleLines, orgLines=None):
- buf = tupleLines
-- if not isinstance(tupleLines, basestring):
-+ if not isinstance(tupleLines, str):
- buf = Regex._tupleLinesBuf(tupleLines)
- self._matchCache = self._regexObj.search(buf)
- if self._matchCache:
-diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py
-index 998fe298..d181fd38 100644
---- a/fail2ban/server/filter.py
-+++ b/fail2ban/server/filter.py
-@@ -292,7 +292,7 @@ class Filter(JailThread):
- dd = DateDetector()
- dd.default_tz = self.__logtimezone
- if not isinstance(pattern, (list, tuple)):
-- pattern = filter(bool, map(str.strip, re.split('\n+', pattern)))
-+ pattern = list(filter(bool, list(map(str.strip, re.split('\n+', pattern)))))
- for pattern in pattern:
- dd.appendTemplate(pattern)
- self.dateDetector = dd
-@@ -987,7 +987,7 @@ class FileFilter(Filter):
- # @return log paths
-
- def getLogPaths(self):
-- return self.__logs.keys()
-+ return list(self.__logs.keys())
-
- ##
- # Get the log containers
-@@ -995,7 +995,7 @@ class FileFilter(Filter):
- # @return log containers
-
- def getLogs(self):
-- return self.__logs.values()
-+ return list(self.__logs.values())
-
- ##
- # Get the count of log containers
-@@ -1021,7 +1021,7 @@ class FileFilter(Filter):
-
- def setLogEncoding(self, encoding):
- encoding = super(FileFilter, self).setLogEncoding(encoding)
-- for log in self.__logs.itervalues():
-+ for log in self.__logs.values():
- log.setEncoding(encoding)
-
- def getLog(self, path):
-@@ -1183,7 +1183,7 @@ class FileFilter(Filter):
- """Status of Filter plus files being monitored.
- """
- ret = super(FileFilter, self).status(flavor=flavor)
-- path = self.__logs.keys()
-+ path = list(self.__logs.keys())
- ret.append(("File list", path))
- return ret
-
-@@ -1191,7 +1191,7 @@ class FileFilter(Filter):
- """Stop monitoring of log-file(s)
- """
- # stop files monitoring:
-- for path in self.__logs.keys():
-+ for path in list(self.__logs.keys()):
- self.delLogPath(path)
- # stop thread:
- super(Filter, self).stop()
-diff --git a/fail2ban/server/filterpoll.py b/fail2ban/server/filterpoll.py
-index 228a2c8b..d49315cc 100644
---- a/fail2ban/server/filterpoll.py
-+++ b/fail2ban/server/filterpoll.py
-@@ -176,4 +176,4 @@ class FilterPoll(FileFilter):
- return False
-
- def getPendingPaths(self):
-- return self.__file404Cnt.keys()
-+ return list(self.__file404Cnt.keys())
-diff --git a/fail2ban/server/filterpyinotify.py b/fail2ban/server/filterpyinotify.py
-index ca6b253f..b683b860 100644
---- a/fail2ban/server/filterpyinotify.py
-+++ b/fail2ban/server/filterpyinotify.py
-@@ -158,7 +158,7 @@ class FilterPyinotify(FileFilter):
- except KeyError: pass
-
- def getPendingPaths(self):
-- return self.__pending.keys()
-+ return list(self.__pending.keys())
-
- def _checkPending(self):
- if not self.__pending:
-@@ -168,7 +168,7 @@ class FilterPyinotify(FileFilter):
- return
- found = {}
- minTime = 60
-- for path, (retardTM, isDir) in self.__pending.iteritems():
-+ for path, (retardTM, isDir) in self.__pending.items():
- if ntm - self.__pendingChkTime < retardTM:
- if minTime > retardTM: minTime = retardTM
- continue
-@@ -184,7 +184,7 @@ class FilterPyinotify(FileFilter):
- self.__pendingChkTime = time.time()
- self.__pendingMinTime = minTime
- # process now because we've missed it in monitoring:
-- for path, isDir in found.iteritems():
-+ for path, isDir in found.items():
- self._delPending(path)
- # refresh monitoring of this:
- self._refreshWatcher(path, isDir=isDir)
-diff --git a/fail2ban/server/ipdns.py b/fail2ban/server/ipdns.py
-index 6648dac6..fe8f8db8 100644
---- a/fail2ban/server/ipdns.py
-+++ b/fail2ban/server/ipdns.py
-@@ -275,7 +275,7 @@ class IPAddr(object):
- raise ValueError("invalid ipstr %r, too many plen representation" % (ipstr,))
- if "." in s[1] or ":" in s[1]: # 255.255.255.0 resp. ffff:: style mask
- s[1] = IPAddr.masktoplen(s[1])
-- s[1] = long(s[1])
-+ s[1] = int(s[1])
- return s
-
- def __init(self, ipstr, cidr=CIDR_UNSPEC):
-@@ -309,7 +309,7 @@ class IPAddr(object):
-
- # mask out host portion if prefix length is supplied
- if cidr is not None and cidr >= 0:
-- mask = ~(0xFFFFFFFFL >> cidr)
-+ mask = ~(0xFFFFFFFF >> cidr)
- self._addr &= mask
- self._plen = cidr
-
-@@ -321,13 +321,13 @@ class IPAddr(object):
-
- # mask out host portion if prefix length is supplied
- if cidr is not None and cidr >= 0:
-- mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL >> cidr)
-+ mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF >> cidr)
- self._addr &= mask
- self._plen = cidr
-
- # if IPv6 address is a IPv4-compatible, make instance a IPv4
- elif self.isInNet(IPAddr.IP6_4COMPAT):
-- self._addr = lo & 0xFFFFFFFFL
-+ self._addr = lo & 0xFFFFFFFF
- self._family = socket.AF_INET
- self._plen = 32
- else:
-@@ -445,7 +445,7 @@ class IPAddr(object):
- elif self.isIPv6:
- # convert network to host byte order
- hi = self._addr >> 64
-- lo = self._addr & 0xFFFFFFFFFFFFFFFFL
-+ lo = self._addr & 0xFFFFFFFFFFFFFFFF
- binary = struct.pack("!QQ", hi, lo)
- if self._plen and self._plen < 128:
- add = "/%d" % self._plen
-@@ -503,9 +503,9 @@ class IPAddr(object):
- if self.family != net.family:
- return False
- if self.isIPv4:
-- mask = ~(0xFFFFFFFFL >> net.plen)
-+ mask = ~(0xFFFFFFFF >> net.plen)
- elif self.isIPv6:
-- mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL >> net.plen)
-+ mask = ~(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF >> net.plen)
- else:
- return False
-
-@@ -517,7 +517,7 @@ class IPAddr(object):
- m4 = (1 << 32)-1
- mmap = {m6: 128, m4: 32, 0: 0}
- m = 0
-- for i in xrange(0, 128):
-+ for i in range(0, 128):
- m |= 1 << i
- if i < 32:
- mmap[m ^ m4] = 32-1-i
-diff --git a/fail2ban/server/jail.py b/fail2ban/server/jail.py
-index ce9968a8..5fa5ef10 100644
---- a/fail2ban/server/jail.py
-+++ b/fail2ban/server/jail.py
-@@ -26,7 +26,7 @@ __license__ = "GPL"
- import logging
- import math
- import random
--import Queue
-+import queue
-
- from .actions import Actions
- from ..helpers import getLogger, _as_bool, extractOptions, MyTime
-@@ -76,7 +76,7 @@ class Jail(object):
- "might not function correctly. Please shorten"
- % name)
- self.__name = name
-- self.__queue = Queue.Queue()
-+ self.__queue = queue.Queue()
- self.__filter = None
- # Extra parameters for increase ban time
- self._banExtra = {};
-@@ -127,25 +127,25 @@ class Jail(object):
- "Failed to initialize any backend for Jail %r" % self.name)
-
- def _initPolling(self, **kwargs):
-- from filterpoll import FilterPoll
-+ from .filterpoll import FilterPoll
- logSys.info("Jail '%s' uses poller %r" % (self.name, kwargs))
- self.__filter = FilterPoll(self, **kwargs)
-
- def _initGamin(self, **kwargs):
- # Try to import gamin
-- from filtergamin import FilterGamin
-+ from .filtergamin import FilterGamin
- logSys.info("Jail '%s' uses Gamin %r" % (self.name, kwargs))
- self.__filter = FilterGamin(self, **kwargs)
-
- def _initPyinotify(self, **kwargs):
- # Try to import pyinotify
-- from filterpyinotify import FilterPyinotify
-+ from .filterpyinotify import FilterPyinotify
- logSys.info("Jail '%s' uses pyinotify %r" % (self.name, kwargs))
- self.__filter = FilterPyinotify(self, **kwargs)
-
- def _initSystemd(self, **kwargs): # pragma: systemd no cover
- # Try to import systemd
-- from filtersystemd import FilterSystemd
-+ from .filtersystemd import FilterSystemd
- logSys.info("Jail '%s' uses systemd %r" % (self.name, kwargs))
- self.__filter = FilterSystemd(self, **kwargs)
-
-@@ -213,7 +213,7 @@ class Jail(object):
- try:
- ticket = self.__queue.get(False)
- return ticket
-- except Queue.Empty:
-+ except queue.Empty:
- return False
-
- def setBanTimeExtra(self, opt, value):
-diff --git a/fail2ban/server/mytime.py b/fail2ban/server/mytime.py
-index 98b69bd4..24bba5cf 100644
---- a/fail2ban/server/mytime.py
-+++ b/fail2ban/server/mytime.py
-@@ -162,7 +162,7 @@ class MyTime:
-
- @returns number (calculated seconds from expression "val")
- """
-- if isinstance(val, (int, long, float, complex)):
-+ if isinstance(val, (int, float, complex)):
- return val
- # replace together standing abbreviations, example '1d12h' -> '1d 12h':
- val = MyTime._str2sec_prep.sub(r" \1", val)
-diff --git a/fail2ban/server/server.py b/fail2ban/server/server.py
-index 159f6506..fc948e8c 100644
---- a/fail2ban/server/server.py
-+++ b/fail2ban/server/server.py
-@@ -97,7 +97,7 @@ class Server:
-
- def start(self, sock, pidfile, force=False, observer=True, conf={}):
- # First set the mask to only allow access to owner
-- os.umask(0077)
-+ os.umask(0o077)
- # Second daemonize before logging etc, because it will close all handles:
- if self.__daemon: # pragma: no cover
- logSys.info("Starting in daemon mode")
-@@ -190,7 +190,7 @@ class Server:
-
- # Restore default signal handlers:
- if _thread_name() == '_MainThread':
-- for s, sh in self.__prev_signals.iteritems():
-+ for s, sh in self.__prev_signals.items():
- signal.signal(s, sh)
-
- # Give observer a small chance to complete its work before exit
-@@ -268,10 +268,10 @@ class Server:
- logSys.info("Stopping all jails")
- with self.__lock:
- # 1st stop all jails (signal and stop actions/filter thread):
-- for name in self.__jails.keys():
-+ for name in list(self.__jails.keys()):
- self.delJail(name, stop=True, join=False)
- # 2nd wait for end and delete jails:
-- for name in self.__jails.keys():
-+ for name in list(self.__jails.keys()):
- self.delJail(name, stop=False, join=True)
-
- def reloadJails(self, name, opts, begin):
-@@ -302,7 +302,7 @@ class Server:
- if "--restart" in opts:
- self.stopAllJail()
- # first set all affected jail(s) to idle and reset filter regex and other lists/dicts:
-- for jn, jail in self.__jails.iteritems():
-+ for jn, jail in self.__jails.items():
- if name == '--all' or jn == name:
- jail.idle = True
- self.__reload_state[jn] = jail
-@@ -313,7 +313,7 @@ class Server:
- # end reload, all affected (or new) jails have already all new parameters (via stream) and (re)started:
- with self.__lock:
- deljails = []
-- for jn, jail in self.__jails.iteritems():
-+ for jn, jail in self.__jails.items():
- # still in reload state:
- if jn in self.__reload_state:
- # remove jails that are not reloaded (untouched, so not in new configuration)
-@@ -513,7 +513,7 @@ class Server:
- jails = [self.__jails[name]]
- else:
- # in all jails:
-- jails = self.__jails.values()
-+ jails = list(self.__jails.values())
- # unban given or all (if value is None):
- cnt = 0
- ifexists |= (name is None)
-@@ -551,7 +551,7 @@ class Server:
- def isAlive(self, jailnum=None):
- if jailnum is not None and len(self.__jails) != jailnum:
- return 0
-- for jail in self.__jails.values():
-+ for jail in list(self.__jails.values()):
- if not jail.isAlive():
- return 0
- return 1
-@@ -759,7 +759,7 @@ class Server:
- return "flushed"
-
- def setThreadOptions(self, value):
-- for o, v in value.iteritems():
-+ for o, v in value.items():
- if o == 'stacksize':
- threading.stack_size(int(v)*1024)
- else: # pragma: no cover
-diff --git a/fail2ban/server/strptime.py b/fail2ban/server/strptime.py
-index 498d284b..a5579fdc 100644
---- a/fail2ban/server/strptime.py
-+++ b/fail2ban/server/strptime.py
-@@ -79,7 +79,7 @@ timeRE['ExY'] = r"(?P<Y>%s\d)" % _getYearCentRE(cent=(0,3), distance=3)
- timeRE['Exy'] = r"(?P<y>%s\d)" % _getYearCentRE(cent=(2,3), distance=3)
-
- def getTimePatternRE():
-- keys = timeRE.keys()
-+ keys = list(timeRE.keys())
- patt = (r"%%(%%|%s|[%s])" % (
- "|".join([k for k in keys if len(k) > 1]),
- "".join([k for k in keys if len(k) == 1]),
-@@ -134,7 +134,7 @@ def zone2offset(tz, dt):
- """
- if isinstance(tz, int):
- return tz
-- if isinstance(tz, basestring):
-+ if isinstance(tz, str):
- return validateTimeZone(tz)
- tz, tzo = tz
- if tzo is None or tzo == '': # without offset
-@@ -171,7 +171,7 @@ def reGroupDictStrptime(found_dict, msec=False, default_tz=None):
- year = month = day = hour = minute = tzoffset = \
- weekday = julian = week_of_year = None
- second = fraction = 0
-- for key, val in found_dict.iteritems():
-+ for key, val in found_dict.items():
- if val is None: continue
- # Directives not explicitly handled below:
- # c, x, X
-diff --git a/fail2ban/server/ticket.py b/fail2ban/server/ticket.py
-index f67e0d23..f0b727c2 100644
---- a/fail2ban/server/ticket.py
-+++ b/fail2ban/server/ticket.py
-@@ -55,7 +55,7 @@ class Ticket(object):
- self._time = time if time is not None else MyTime.time()
- self._data = {'matches': matches or [], 'failures': 0}
- if data is not None:
-- for k,v in data.iteritems():
-+ for k,v in data.items():
- if v is not None:
- self._data[k] = v
- if ticket:
-@@ -89,7 +89,7 @@ class Ticket(object):
-
- def setIP(self, value):
- # guarantee using IPAddr instead of unicode, str for the IP
-- if isinstance(value, basestring):
-+ if isinstance(value, str):
- value = IPAddr(value)
- self._ip = value
-
-@@ -181,7 +181,7 @@ class Ticket(object):
- if len(args) == 1:
- # todo: if support >= 2.7 only:
- # self._data = {k:v for k,v in args[0].iteritems() if v is not None}
-- self._data = dict([(k,v) for k,v in args[0].iteritems() if v is not None])
-+ self._data = dict([(k,v) for k,v in args[0].items() if v is not None])
- # add k,v list or dict (merge):
- elif len(args) == 2:
- self._data.update((args,))
-@@ -192,7 +192,7 @@ class Ticket(object):
- # filter (delete) None values:
- # todo: if support >= 2.7 only:
- # self._data = {k:v for k,v in self._data.iteritems() if v is not None}
-- self._data = dict([(k,v) for k,v in self._data.iteritems() if v is not None])
-+ self._data = dict([(k,v) for k,v in self._data.items() if v is not None])
-
- def getData(self, key=None, default=None):
- # return whole data dict:
-@@ -201,17 +201,17 @@ class Ticket(object):
- # return default if not exists:
- if not self._data:
- return default
-- if not isinstance(key,(str,unicode,type(None),int,float,bool,complex)):
-+ if not isinstance(key,(str,type(None),int,float,bool,complex)):
- # return filtered by lambda/function:
- if callable(key):
- # todo: if support >= 2.7 only:
- # return {k:v for k,v in self._data.iteritems() if key(k)}
-- return dict([(k,v) for k,v in self._data.iteritems() if key(k)])
-+ return dict([(k,v) for k,v in self._data.items() if key(k)])
- # return filtered by keys:
- if hasattr(key, '__iter__'):
- # todo: if support >= 2.7 only:
- # return {k:v for k,v in self._data.iteritems() if k in key}
-- return dict([(k,v) for k,v in self._data.iteritems() if k in key])
-+ return dict([(k,v) for k,v in self._data.items() if k in key])
- # return single value of data:
- return self._data.get(key, default)
-
-diff --git a/fail2ban/server/transmitter.py b/fail2ban/server/transmitter.py
-index f83e9d5f..80726cb4 100644
---- a/fail2ban/server/transmitter.py
-+++ b/fail2ban/server/transmitter.py
-@@ -475,7 +475,7 @@ class Transmitter:
- opt = command[1][len("bantime."):]
- return self.__server.getBanTimeExtra(name, opt)
- elif command[1] == "actions":
-- return self.__server.getActions(name).keys()
-+ return list(self.__server.getActions(name).keys())
- elif command[1] == "action":
- actionname = command[2]
- actionvalue = command[3]
-diff --git a/fail2ban/server/utils.py b/fail2ban/server/utils.py
-index d4461a7d..13c24e76 100644
---- a/fail2ban/server/utils.py
-+++ b/fail2ban/server/utils.py
-@@ -57,7 +57,7 @@ _RETCODE_HINTS = {
-
- # Dictionary to lookup signal name from number
- signame = dict((num, name)
-- for name, num in signal.__dict__.iteritems() if name.startswith("SIG"))
-+ for name, num in signal.__dict__.items() if name.startswith("SIG"))
-
- class Utils():
- """Utilities provide diverse static methods like executes OS shell commands, etc.
-@@ -109,7 +109,7 @@ class Utils():
- break
- else: # pragma: 3.x no cover (dict is in 2.6 only)
- remlst = []
-- for (ck, cv) in cache.iteritems():
-+ for (ck, cv) in cache.items():
- # if expired:
- if cv[1] <= t:
- remlst.append(ck)
-@@ -152,7 +152,7 @@ class Utils():
- if not isinstance(realCmd, list):
- realCmd = [realCmd]
- i = len(realCmd)-1
-- for k, v in varsDict.iteritems():
-+ for k, v in varsDict.items():
- varsStat += "%s=$%s " % (k, i)
- realCmd.append(v)
- i += 1
-diff --git a/fail2ban/tests/action_d/test_badips.py b/fail2ban/tests/action_d/test_badips.py
-index 013c0fdb..3c35e4d7 100644
---- a/fail2ban/tests/action_d/test_badips.py
-+++ b/fail2ban/tests/action_d/test_badips.py
-@@ -32,7 +32,7 @@ from ..utils import LogCaptureTestCase, CONFIG_DIR
- if sys.version_info >= (3, ): # pragma: 2.x no cover
- from urllib.error import HTTPError, URLError
- else: # pragma: 3.x no cover
-- from urllib2 import HTTPError, URLError
-+ from urllib.error import HTTPError, URLError
-
- def skip_if_not_available(f):
- """Helper to decorate tests to skip in case of timeout/http-errors like "502 bad gateway".
-diff --git a/fail2ban/tests/actiontestcase.py b/fail2ban/tests/actiontestcase.py
-index 1a00c040..ecd09246 100644
---- a/fail2ban/tests/actiontestcase.py
-+++ b/fail2ban/tests/actiontestcase.py
-@@ -244,14 +244,14 @@ class CommandActionTest(LogCaptureTestCase):
- setattr(self.__action, 'ab', "<ac>")
- setattr(self.__action, 'x?family=inet6', "")
- # produce self-referencing properties except:
-- self.assertRaisesRegexp(ValueError, r"properties contain self referencing definitions",
-+ self.assertRaisesRegex(ValueError, r"properties contain self referencing definitions",
- lambda: self.__action.replaceTag("<a><b>",
- self.__action._properties, conditional="family=inet4")
- )
- # remore self-referencing in props:
- delattr(self.__action, 'ac')
- # produce self-referencing query except:
-- self.assertRaisesRegexp(ValueError, r"possible self referencing definitions in query",
-+ self.assertRaisesRegex(ValueError, r"possible self referencing definitions in query",
- lambda: self.__action.replaceTag("<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x<x>>>>>>>>>>>>>>>>>>>>>",
- self.__action._properties, conditional="family=inet6")
- )
-diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
-index 2c1d0a0e..aa7908c4 100644
---- a/fail2ban/tests/clientreadertestcase.py
-+++ b/fail2ban/tests/clientreadertestcase.py
-@@ -390,7 +390,7 @@ class JailReaderTest(LogCaptureTestCase):
- # And multiple groups (`][` instead of `,`)
- result = extractOptions(option.replace(',', ']['))
- expected2 = (expected[0],
-- dict((k, v.replace(',', '][')) for k, v in expected[1].iteritems())
-+ dict((k, v.replace(',', '][')) for k, v in expected[1].items())
- )
- self.assertEqual(expected2, result)
-
-@@ -975,7 +975,7 @@ filter = testfilter1
- self.assertEqual(add_actions[-1][-1], "{}")
-
- def testLogPathFileFilterBackend(self):
-- self.assertRaisesRegexp(ValueError, r"Have not found any log file for .* jail",
-+ self.assertRaisesRegex(ValueError, r"Have not found any log file for .* jail",
- self._testLogPath, backend='polling')
-
- def testLogPathSystemdBackend(self):
-diff --git a/fail2ban/tests/databasetestcase.py b/fail2ban/tests/databasetestcase.py
-index 9a5e9fa1..562461a6 100644
---- a/fail2ban/tests/databasetestcase.py
-+++ b/fail2ban/tests/databasetestcase.py
-@@ -67,7 +67,7 @@ class DatabaseTest(LogCaptureTestCase):
-
- @property
- def db(self):
-- if isinstance(self._db, basestring) and self._db == ':auto-create-in-memory:':
-+ if isinstance(self._db, str) and self._db == ':auto-create-in-memory:':
- self._db = getFail2BanDb(self.dbFilename)
- return self._db
- @db.setter
-@@ -159,7 +159,7 @@ class DatabaseTest(LogCaptureTestCase):
- self.db = Fail2BanDb(self.dbFilename)
- self.assertEqual(self.db.getJailNames(), set(['DummyJail #29162448 with 0 tickets']))
- self.assertEqual(self.db.getLogPaths(), set(['/tmp/Fail2BanDb_pUlZJh.log']))
-- ticket = FailTicket("127.0.0.1", 1388009242.26, [u"abc\n"])
-+ ticket = FailTicket("127.0.0.1", 1388009242.26, ["abc\n"])
- self.assertEqual(self.db.getBans()[0], ticket)
-
- self.assertEqual(self.db.updateDb(Fail2BanDb.__version__), Fail2BanDb.__version__)
-@@ -185,9 +185,9 @@ class DatabaseTest(LogCaptureTestCase):
- self.assertEqual(len(bans), 2)
- # compare first ticket completely:
- ticket = FailTicket("1.2.3.7", 1417595494, [
-- u'Dec 3 09:31:08 f2btest test:auth[27658]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
-- u'Dec 3 09:31:32 f2btest test:auth[27671]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
-- u'Dec 3 09:31:34 f2btest test:auth[27673]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7'
-+ 'Dec 3 09:31:08 f2btest test:auth[27658]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
-+ 'Dec 3 09:31:32 f2btest test:auth[27671]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7',
-+ 'Dec 3 09:31:34 f2btest test:auth[27673]: pam_unix(test:auth): authentication failure; logname= uid=0 euid=0 tty=test ruser= rhost=1.2.3.7'
- ])
- ticket.setAttempt(3)
- self.assertEqual(bans[0], ticket)
-@@ -286,11 +286,11 @@ class DatabaseTest(LogCaptureTestCase):
- # invalid + valid, invalid + valid unicode, invalid + valid dual converted (like in filter:readline by fallback) ...
- tickets = [
- FailTicket("127.0.0.1", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
-- FailTicket("127.0.0.2", 0, ['user "test"', u'user "\xd1\xe2\xe5\xf2\xe0"', u'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
-+ FailTicket("127.0.0.2", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
- FailTicket("127.0.0.3", 0, ['user "test"', b'user "\xd1\xe2\xe5\xf2\xe0"', b'user "\xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f"']),
-- FailTicket("127.0.0.4", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', u'user "\xe4\xf6\xfc\xdf"']),
-+ FailTicket("127.0.0.4", 0, ['user "test"', 'user "\xd1\xe2\xe5\xf2\xe0"', 'user "\xe4\xf6\xfc\xdf"']),
- FailTicket("127.0.0.5", 0, ['user "test"', 'unterminated \xcf']),
-- FailTicket("127.0.0.6", 0, ['user "test"', u'unterminated \xcf']),
-+ FailTicket("127.0.0.6", 0, ['user "test"', 'unterminated \xcf']),
- FailTicket("127.0.0.7", 0, ['user "test"', b'unterminated \xcf'])
- ]
- for ticket in tickets:
-diff --git a/fail2ban/tests/datedetectortestcase.py b/fail2ban/tests/datedetectortestcase.py
-index 458f76ef..49ada60d 100644
---- a/fail2ban/tests/datedetectortestcase.py
-+++ b/fail2ban/tests/datedetectortestcase.py
-@@ -279,7 +279,7 @@ class DateDetectorTest(LogCaptureTestCase):
- self.assertEqual(logTime, mu)
- self.assertEqual(logMatch.group(1), '2012/10/11 02:37:17')
- # confuse it with year being at the end
-- for i in xrange(10):
-+ for i in range(10):
- ( logTime, logMatch ) = self.datedetector.getTime('11/10/2012 02:37:17 [error] 18434#0')
- self.assertEqual(logTime, mu)
- self.assertEqual(logMatch.group(1), '11/10/2012 02:37:17')
-@@ -505,7 +505,7 @@ class CustomDateFormatsTest(unittest.TestCase):
- date = dd.getTime(line)
- if matched:
- self.assertTrue(date)
-- if isinstance(matched, basestring):
-+ if isinstance(matched, str):
- self.assertEqual(matched, date[1].group(1))
- else:
- self.assertEqual(matched, date[0])
-@@ -537,7 +537,7 @@ class CustomDateFormatsTest(unittest.TestCase):
- date = dd.getTime(line)
- if matched:
- self.assertTrue(date)
-- if isinstance(matched, basestring): # pragma: no cover
-+ if isinstance(matched, str): # pragma: no cover
- self.assertEqual(matched, date[1].group(1))
- else:
- self.assertEqual(matched, date[0])
-diff --git a/fail2ban/tests/fail2banclienttestcase.py b/fail2ban/tests/fail2banclienttestcase.py
-index 95f73ed3..bba354fa 100644
---- a/fail2ban/tests/fail2banclienttestcase.py
-+++ b/fail2ban/tests/fail2banclienttestcase.py
-@@ -367,10 +367,10 @@ def with_foreground_server_thread(startextra={}):
- # several commands to server in body of decorated function:
- return f(self, tmp, startparams, *args, **kwargs)
- except Exception as e: # pragma: no cover
-- print('=== Catch an exception: %s' % e)
-+ print(('=== Catch an exception: %s' % e))
- log = self.getLog()
- if log:
-- print('=== Error of server, log: ===\n%s===' % log)
-+ print(('=== Error of server, log: ===\n%s===' % log))
- self.pruneLog()
- raise
- finally:
-@@ -440,7 +440,7 @@ class Fail2banClientServerBase(LogCaptureTestCase):
- )
- except: # pragma: no cover
- if _inherited_log(startparams):
-- print('=== Error by wait fot server, log: ===\n%s===' % self.getLog())
-+ print(('=== Error by wait fot server, log: ===\n%s===' % self.getLog()))
- self.pruneLog()
- log = pjoin(tmp, "f2b.log")
- if isfile(log):
-@@ -1610,6 +1610,6 @@ class Fail2banServerTest(Fail2banClientServerBase):
- self.stopAndWaitForServerEnd(SUCCESS)
-
- def testServerStartStop(self):
-- for i in xrange(2000):
-+ for i in range(2000):
- self._testServerStartStop()
-
-diff --git a/fail2ban/tests/failmanagertestcase.py b/fail2ban/tests/failmanagertestcase.py
-index a5425286..2a94cc82 100644
---- a/fail2ban/tests/failmanagertestcase.py
-+++ b/fail2ban/tests/failmanagertestcase.py
-@@ -45,11 +45,11 @@ class AddFailure(unittest.TestCase):
- super(AddFailure, self).tearDown()
-
- def _addDefItems(self):
-- self.__items = [[u'193.168.0.128', 1167605999.0],
-- [u'193.168.0.128', 1167605999.0],
-- [u'193.168.0.128', 1167605999.0],
-- [u'193.168.0.128', 1167605999.0],
-- [u'193.168.0.128', 1167605999.0],
-+ self.__items = [['193.168.0.128', 1167605999.0],
-+ ['193.168.0.128', 1167605999.0],
-+ ['193.168.0.128', 1167605999.0],
-+ ['193.168.0.128', 1167605999.0],
-+ ['193.168.0.128', 1167605999.0],
- ['87.142.124.10', 1167605999.0],
- ['87.142.124.10', 1167605999.0],
- ['87.142.124.10', 1167605999.0],
-diff --git a/fail2ban/tests/files/config/apache-auth/digest.py b/fail2ban/tests/files/config/apache-auth/digest.py
-index 03588594..e2297ab3 100755
---- a/fail2ban/tests/files/config/apache-auth/digest.py
-+++ b/fail2ban/tests/files/config/apache-auth/digest.py
-@@ -41,7 +41,7 @@ def auth(v):
- response="%s"
- """ % ( username, algorithm, realm, url, nonce, qop, response )
- # opaque="%s",
-- print(p.method, p.url, p.headers)
-+ print((p.method, p.url, p.headers))
- s = requests.Session()
- return s.send(p)
-
-@@ -76,18 +76,18 @@ r = auth(v)
-
- # [Sun Jul 28 21:41:20 2013] [error] [client 127.0.0.1] Digest: unknown algorithm `super funky chicken' received: /digest/
-
--print(r.status_code,r.headers, r.text)
-+print((r.status_code,r.headers, r.text))
- v['algorithm'] = algorithm
-
-
- r = auth(v)
--print(r.status_code,r.headers, r.text)
-+print((r.status_code,r.headers, r.text))
-
- nonce = v['nonce']
- v['nonce']=v['nonce'][5:-5]
-
- r = auth(v)
--print(r.status_code,r.headers, r.text)
-+print((r.status_code,r.headers, r.text))
-
- # [Sun Jul 28 21:05:31.178340 2013] [auth_digest:error] [pid 24224:tid 139895539455744] [client 127.0.0.1:56906] AH01793: invalid qop `auth' received: /digest/qop_none/
-
-@@ -95,7 +95,7 @@ print(r.status_code,r.headers, r.text)
- v['nonce']=nonce[0:11] + 'ZZZ' + nonce[14:]
-
- r = auth(v)
--print(r.status_code,r.headers, r.text)
-+print((r.status_code,r.headers, r.text))
-
- #[Sun Jul 28 21:18:11.769228 2013] [auth_digest:error] [pid 24752:tid 139895505884928] [client 127.0.0.1:56964] AH01776: invalid nonce b9YAiJDiBAZZZ1b1abe02d20063ea3b16b544ea1b0d981c1bafe received - hash is not d42d824dee7aaf50c3ba0a7c6290bd453e3dd35b
-
-@@ -107,7 +107,7 @@ import time
- time.sleep(1)
-
- r = auth(v)
--print(r.status_code,r.headers, r.text)
-+print((r.status_code,r.headers, r.text))
-
- # Obtained by putting the following code in modules/aaa/mod_auth_digest.c
- # in the function initialize_secret
-@@ -137,7 +137,7 @@ s = sha.sha(apachesecret)
-
- v=preauth()
-
--print(v['nonce'])
-+print((v['nonce']))
- realm = v['Digest realm'][1:-1]
-
- (t,) = struct.unpack('l',base64.b64decode(v['nonce'][1:13]))
-@@ -156,13 +156,13 @@ print(v)
-
- r = auth(v)
- #[Mon Jul 29 02:12:55.539813 2013] [auth_digest:error] [pid 9647:tid 139895522670336] [client 127.0.0.1:58474] AH01777: invalid nonce 59QJppTiBAA=b08983fd166ade9840407df1b0f75b9e6e07d88d received - user attempted time travel
--print(r.status_code,r.headers, r.text)
-+print((r.status_code,r.headers, r.text))
-
- url='/digest_onetime/'
- v=preauth()
-
- # Need opaque header handling in auth
- r = auth(v)
--print(r.status_code,r.headers, r.text)
-+print((r.status_code,r.headers, r.text))
- r = auth(v)
--print(r.status_code,r.headers, r.text)
-+print((r.status_code,r.headers, r.text))
-diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py
-index 35785a58..8eeb6902 100644
---- a/fail2ban/tests/filtertestcase.py
-+++ b/fail2ban/tests/filtertestcase.py
-@@ -22,7 +22,7 @@
- __copyright__ = "Copyright (c) 2004 Cyril Jaquier; 2012 Yaroslav Halchenko"
- __license__ = "GPL"
-
--from __builtin__ import open as fopen
-+from builtins import open as fopen
- import unittest
- import os
- import re
-@@ -204,7 +204,7 @@ def _copy_lines_between_files(in_, fout, n=None, skip=0, mode='a', terminal_line
- else:
- fin = in_
- # Skip
-- for i in xrange(skip):
-+ for i in range(skip):
- fin.readline()
- # Read
- i = 0
-@@ -244,7 +244,7 @@ def _copy_lines_to_journal(in_, fields={},n=None, skip=0, terminal_line=""): # p
- # Required for filtering
- fields.update(TEST_JOURNAL_FIELDS)
- # Skip
-- for i in xrange(skip):
-+ for i in range(skip):
- fin.readline()
- # Read/Write
- i = 0
-@@ -306,18 +306,18 @@ class BasicFilter(unittest.TestCase):
- def testTest_tm(self):
- unittest.F2B.SkipIfFast()
- ## test function "_tm" works correct (returns the same as slow strftime):
-- for i in xrange(1417512352, (1417512352 // 3600 + 3) * 3600):
-+ for i in range(1417512352, (1417512352 // 3600 + 3) * 3600):
- tm = MyTime.time2str(i)
- if _tm(i) != tm: # pragma: no cover - never reachable
- self.assertEqual((_tm(i), i), (tm, i))
-
- def testWrongCharInTupleLine(self):
- ## line tuple has different types (ascii after ascii / unicode):
-- for a1 in ('', u'', b''):
-- for a2 in ('2016-09-05T20:18:56', u'2016-09-05T20:18:56', b'2016-09-05T20:18:56'):
-+ for a1 in ('', '', b''):
-+ for a2 in ('2016-09-05T20:18:56', '2016-09-05T20:18:56', b'2016-09-05T20:18:56'):
- for a3 in (
- 'Fail for "g\xc3\xb6ran" from 192.0.2.1',
-- u'Fail for "g\xc3\xb6ran" from 192.0.2.1',
-+ 'Fail for "g\xc3\xb6ran" from 192.0.2.1',
- b'Fail for "g\xc3\xb6ran" from 192.0.2.1'
- ):
- # join should work if all arguments have the same type:
-@@ -435,7 +435,7 @@ class IgnoreIP(LogCaptureTestCase):
-
- def testAddAttempt(self):
- self.filter.setMaxRetry(3)
-- for i in xrange(1, 1+3):
-+ for i in range(1, 1+3):
- self.filter.addAttempt('192.0.2.1')
- self.assertLogged('Attempt 192.0.2.1', '192.0.2.1:%d' % i, all=True, wait=True)
- self.jail.actions._Actions__checkBan()
-@@ -472,7 +472,7 @@ class IgnoreIP(LogCaptureTestCase):
- # like both test-cases above, just cached (so once per key)...
- self.filter.ignoreCache = {"key":"<ip>"}
- self.filter.ignoreCommand = 'if [ "<ip>" = "10.0.0.1" ]; then exit 0; fi; exit 1'
-- for i in xrange(5):
-+ for i in range(5):
- self.pruneLog()
- self.assertTrue(self.filter.inIgnoreIPList("10.0.0.1"))
- self.assertFalse(self.filter.inIgnoreIPList("10.0.0.0"))
-@@ -483,7 +483,7 @@ class IgnoreIP(LogCaptureTestCase):
- # by host of IP:
- self.filter.ignoreCache = {"key":"<ip-host>"}
- self.filter.ignoreCommand = 'if [ "<ip-host>" = "test-host" ]; then exit 0; fi; exit 1'
-- for i in xrange(5):
-+ for i in range(5):
- self.pruneLog()
- self.assertTrue(self.filter.inIgnoreIPList(FailTicket("2001:db8::1")))
- self.assertFalse(self.filter.inIgnoreIPList(FailTicket("2001:db8::ffff")))
-@@ -495,7 +495,7 @@ class IgnoreIP(LogCaptureTestCase):
- self.filter.ignoreCache = {"key":"<F-USER>", "max-count":"10", "max-time":"1h"}
- self.assertEqual(self.filter.ignoreCache, ["<F-USER>", 10, 60*60])
- self.filter.ignoreCommand = 'if [ "<F-USER>" = "tester" ]; then exit 0; fi; exit 1'
-- for i in xrange(5):
-+ for i in range(5):
- self.pruneLog()
- self.assertTrue(self.filter.inIgnoreIPList(FailTicket("tester", data={'user': 'tester'})))
- self.assertFalse(self.filter.inIgnoreIPList(FailTicket("root", data={'user': 'root'})))
-@@ -644,7 +644,7 @@ class LogFileFilterPoll(unittest.TestCase):
- fc = FileContainer(fname, self.filter.getLogEncoding())
- fc.open()
- # no time - nothing should be found :
-- for i in xrange(10):
-+ for i in range(10):
- f.write("[sshd] error: PAM: failure len 1\n")
- f.flush()
- fc.setPos(0); self.filter.seekToTime(fc, time)
-@@ -718,14 +718,14 @@ class LogFileFilterPoll(unittest.TestCase):
- # variable length of file (ca 45K or 450K before and hereafter):
- # write lines with smaller as search time:
- t = time - count - 1
-- for i in xrange(count):
-+ for i in range(count):
- f.write("%s [sshd] error: PAM: failure\n" % _tm(t))
- t += 1
- f.flush()
- fc.setPos(0); self.filter.seekToTime(fc, time)
- self.assertEqual(fc.getPos(), 47*count)
- # write lines with exact search time:
-- for i in xrange(10):
-+ for i in range(10):
- f.write("%s [sshd] error: PAM: failure\n" % _tm(time))
- f.flush()
- fc.setPos(0); self.filter.seekToTime(fc, time)
-@@ -734,8 +734,8 @@ class LogFileFilterPoll(unittest.TestCase):
- self.assertEqual(fc.getPos(), 47*count)
- # write lines with greater as search time:
- t = time+1
-- for i in xrange(count//500):
-- for j in xrange(500):
-+ for i in range(count//500):
-+ for j in range(500):
- f.write("%s [sshd] error: PAM: failure\n" % _tm(t))
- t += 1
- f.flush()
-@@ -1488,10 +1488,10 @@ def get_monitor_failures_journal_testcase(Filter_): # pragma: systemd no cover
- # Add direct utf, unicode, blob:
- for l in (
- "error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
-- u"error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
-+ "error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1",
- b"error: PAM: Authentication failure for \xe4\xf6\xfc\xdf from 192.0.2.1".decode('utf-8', 'replace'),
- "error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
-- u"error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
-+ "error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2",
- b"error: PAM: Authentication failure for \xc3\xa4\xc3\xb6\xc3\xbc\xc3\x9f from 192.0.2.2".decode('utf-8', 'replace')
- ):
- fields = self.journal_fields
-@@ -1520,7 +1520,7 @@ class GetFailures(LogCaptureTestCase):
-
- # so that they could be reused by other tests
- FAILURES_01 = ('193.168.0.128', 3, 1124013599.0,
-- [u'Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128']*3)
-+ ['Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128']*3)
-
- def setUp(self):
- """Call before every test case."""
-@@ -1595,8 +1595,8 @@ class GetFailures(LogCaptureTestCase):
-
- def testGetFailures02(self):
- output = ('141.3.81.106', 4, 1124013539.0,
-- [u'Aug 14 11:%d:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:141.3.81.106 port 51332 ssh2'
-- % m for m in 53, 54, 57, 58])
-+ ['Aug 14 11:%d:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:141.3.81.106 port 51332 ssh2'
-+ % m for m in (53, 54, 57, 58)])
-
- self.filter.addLogPath(GetFailures.FILENAME_02, autoSeek=0)
- self.filter.addFailRegex(r"Failed .* from <HOST>")
-@@ -1691,17 +1691,17 @@ class GetFailures(LogCaptureTestCase):
- # We should still catch failures with usedns = no ;-)
- output_yes = (
- ('93.184.216.34', 2, 1124013539.0,
-- [u'Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2',
-- u'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
-+ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2',
-+ 'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
- ),
- ('2606:2800:220:1:248:1893:25c8:1946', 1, 1124013299.0,
-- [u'Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
-+ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
- ),
- )
-
- output_no = (
- ('93.184.216.34', 1, 1124013539.0,
-- [u'Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
-+ ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.216.34 port 51332 ssh2']
- )
- )
-
-@@ -1807,9 +1807,9 @@ class DNSUtilsTests(unittest.TestCase):
- self.assertTrue(c.get('a') is None)
- self.assertEqual(c.get('a', 'test'), 'test')
- # exact 5 elements :
-- for i in xrange(5):
-+ for i in range(5):
- c.set(i, i)
-- for i in xrange(5):
-+ for i in range(5):
- self.assertEqual(c.get(i), i)
- # remove unavailable key:
- c.unset('a'); c.unset('a')
-@@ -1817,30 +1817,30 @@ class DNSUtilsTests(unittest.TestCase):
- def testCacheMaxSize(self):
- c = Utils.Cache(maxCount=5, maxTime=60)
- # exact 5 elements :
-- for i in xrange(5):
-+ for i in range(5):
- c.set(i, i)
-- self.assertEqual([c.get(i) for i in xrange(5)], [i for i in xrange(5)])
-- self.assertNotIn(-1, (c.get(i, -1) for i in xrange(5)))
-+ self.assertEqual([c.get(i) for i in range(5)], [i for i in range(5)])
-+ self.assertNotIn(-1, (c.get(i, -1) for i in range(5)))
- # add one - too many:
- c.set(10, i)
- # one element should be removed :
-- self.assertIn(-1, (c.get(i, -1) for i in xrange(5)))
-+ self.assertIn(-1, (c.get(i, -1) for i in range(5)))
- # test max size (not expired):
-- for i in xrange(10):
-+ for i in range(10):
- c.set(i, 1)
- self.assertEqual(len(c), 5)
-
- def testCacheMaxTime(self):
- # test max time (expired, timeout reached) :
- c = Utils.Cache(maxCount=5, maxTime=0.0005)
-- for i in xrange(10):
-+ for i in range(10):
- c.set(i, 1)
- st = time.time()
- self.assertTrue(Utils.wait_for(lambda: time.time() >= st + 0.0005, 1))
- # we have still 5 elements (or fewer if too slow test mashine):
- self.assertTrue(len(c) <= 5)
- # but all that are expiered also:
-- for i in xrange(10):
-+ for i in range(10):
- self.assertTrue(c.get(i) is None)
- # here the whole cache should be empty:
- self.assertEqual(len(c), 0)
-@@ -1861,7 +1861,7 @@ class DNSUtilsTests(unittest.TestCase):
- c = count
- while c:
- c -= 1
-- s = xrange(0, 256, 1) if forw else xrange(255, -1, -1)
-+ s = range(0, 256, 1) if forw else range(255, -1, -1)
- if random: shuffle([i for i in s])
- for i in s:
- IPAddr('192.0.2.'+str(i), IPAddr.FAM_IPv4)
-@@ -1983,15 +1983,15 @@ class DNSUtilsNetworkTests(unittest.TestCase):
-
- def testAddr2bin(self):
- res = IPAddr('10.0.0.0')
-- self.assertEqual(res.addr, 167772160L)
-+ self.assertEqual(res.addr, 167772160)
- res = IPAddr('10.0.0.0', cidr=None)
-- self.assertEqual(res.addr, 167772160L)
-- res = IPAddr('10.0.0.0', cidr=32L)
-- self.assertEqual(res.addr, 167772160L)
-- res = IPAddr('10.0.0.1', cidr=32L)
-- self.assertEqual(res.addr, 167772161L)
-- res = IPAddr('10.0.0.1', cidr=31L)
-- self.assertEqual(res.addr, 167772160L)
-+ self.assertEqual(res.addr, 167772160)
-+ res = IPAddr('10.0.0.0', cidr=32)
-+ self.assertEqual(res.addr, 167772160)
-+ res = IPAddr('10.0.0.1', cidr=32)
-+ self.assertEqual(res.addr, 167772161)
-+ res = IPAddr('10.0.0.1', cidr=31)
-+ self.assertEqual(res.addr, 167772160)
-
- self.assertEqual(IPAddr('10.0.0.0').hexdump, '0a000000')
- self.assertEqual(IPAddr('1::2').hexdump, '00010000000000000000000000000002')
-@@ -2067,9 +2067,9 @@ class DNSUtilsNetworkTests(unittest.TestCase):
- '93.184.216.34': 'ip4-test',
- '2606:2800:220:1:248:1893:25c8:1946': 'ip6-test'
- }
-- d2 = dict([(IPAddr(k), v) for k, v in d.iteritems()])
-- self.assertTrue(isinstance(d.keys()[0], basestring))
-- self.assertTrue(isinstance(d2.keys()[0], IPAddr))
-+ d2 = dict([(IPAddr(k), v) for k, v in d.items()])
-+ self.assertTrue(isinstance(list(d.keys())[0], str))
-+ self.assertTrue(isinstance(list(d2.keys())[0], IPAddr))
- self.assertEqual(d.get(ip4[2], ''), 'ip4-test')
- self.assertEqual(d.get(ip6[2], ''), 'ip6-test')
- self.assertEqual(d2.get(str(ip4[2]), ''), 'ip4-test')
-diff --git a/fail2ban/tests/misctestcase.py b/fail2ban/tests/misctestcase.py
-index 9b986f53..94f7a8de 100644
---- a/fail2ban/tests/misctestcase.py
-+++ b/fail2ban/tests/misctestcase.py
-@@ -29,9 +29,9 @@ import tempfile
- import shutil
- import fnmatch
- from glob import glob
--from StringIO import StringIO
-+from io import StringIO
-
--from utils import LogCaptureTestCase, logSys as DefLogSys
-+from .utils import LogCaptureTestCase, logSys as DefLogSys
-
- from ..helpers import formatExceptionInfo, mbasename, TraceBack, FormatterWithTraceBack, getLogger, \
- splitwords, uni_decode, uni_string
-@@ -67,7 +67,7 @@ class HelpersTest(unittest.TestCase):
- self.assertEqual(splitwords(' 1\n 2'), ['1', '2'])
- self.assertEqual(splitwords(' 1\n 2, 3'), ['1', '2', '3'])
- # string as unicode:
-- self.assertEqual(splitwords(u' 1\n 2, 3'), ['1', '2', '3'])
-+ self.assertEqual(splitwords(' 1\n 2, 3'), ['1', '2', '3'])
-
-
- if sys.version_info >= (2,7):
-@@ -197,11 +197,11 @@ class TestsUtilsTest(LogCaptureTestCase):
-
- def testUniConverters(self):
- self.assertRaises(Exception, uni_decode,
-- (b'test' if sys.version_info >= (3,) else u'test'), 'f2b-test::non-existing-encoding')
-- uni_decode((b'test\xcf' if sys.version_info >= (3,) else u'test\xcf'))
-+ (b'test' if sys.version_info >= (3,) else 'test'), 'f2b-test::non-existing-encoding')
-+ uni_decode((b'test\xcf' if sys.version_info >= (3,) else 'test\xcf'))
- uni_string(b'test\xcf')
- uni_string('test\xcf')
-- uni_string(u'test\xcf')
-+ uni_string('test\xcf')
-
- def testSafeLogging(self):
- # logging should be exception-safe, to avoid possible errors (concat, str. conversion, representation failures, etc)
-@@ -213,7 +213,7 @@ class TestsUtilsTest(LogCaptureTestCase):
- if self.err:
- raise Exception('no represenation for test!')
- else:
-- return u'conv-error (\xf2\xf0\xe5\xf2\xe8\xe9), unterminated utf \xcf'
-+ return 'conv-error (\xf2\xf0\xe5\xf2\xe8\xe9), unterminated utf \xcf'
- test = Test()
- logSys.log(logging.NOTICE, "test 1a: %r", test)
- self.assertLogged("Traceback", "no represenation for test!")
-@@ -261,7 +261,7 @@ class TestsUtilsTest(LogCaptureTestCase):
- func_raise()
-
- try:
-- print deep_function(3)
-+ print(deep_function(3))
- except ValueError:
- s = tb()
-
-@@ -278,7 +278,7 @@ class TestsUtilsTest(LogCaptureTestCase):
- self.assertIn(':', s)
-
- def _testAssertionErrorRE(self, regexp, fun, *args, **kwargs):
-- self.assertRaisesRegexp(AssertionError, regexp, fun, *args, **kwargs)
-+ self.assertRaisesRegex(AssertionError, regexp, fun, *args, **kwargs)
-
- def testExtendedAssertRaisesRE(self):
- ## test _testAssertionErrorRE several fail cases:
-@@ -316,13 +316,13 @@ class TestsUtilsTest(LogCaptureTestCase):
- self._testAssertionErrorRE(r"'a' unexpectedly found in 'cba'",
- self.assertNotIn, 'a', 'cba')
- self._testAssertionErrorRE(r"1 unexpectedly found in \[0, 1, 2\]",
-- self.assertNotIn, 1, xrange(3))
-+ self.assertNotIn, 1, range(3))
- self._testAssertionErrorRE(r"'A' unexpectedly found in \['C', 'A'\]",
- self.assertNotIn, 'A', (c.upper() for c in 'cba' if c != 'b'))
- self._testAssertionErrorRE(r"'a' was not found in 'xyz'",
- self.assertIn, 'a', 'xyz')
- self._testAssertionErrorRE(r"5 was not found in \[0, 1, 2\]",
-- self.assertIn, 5, xrange(3))
-+ self.assertIn, 5, range(3))
- self._testAssertionErrorRE(r"'A' was not found in \['C', 'B'\]",
- self.assertIn, 'A', (c.upper() for c in 'cba' if c != 'a'))
- ## assertLogged, assertNotLogged positive case:
-diff --git a/fail2ban/tests/observertestcase.py b/fail2ban/tests/observertestcase.py
-index 8e944454..ed520286 100644
---- a/fail2ban/tests/observertestcase.py
-+++ b/fail2ban/tests/observertestcase.py
-@@ -69,7 +69,7 @@ class BanTimeIncr(LogCaptureTestCase):
- a.setBanTimeExtra('multipliers', multipliers)
- # test algorithm and max time 24 hours :
- self.assertEqual(
-- [a.calcBanTime(600, i) for i in xrange(1, 11)],
-+ [a.calcBanTime(600, i) for i in range(1, 11)],
- [1200, 2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400]
- )
- # with extra large max time (30 days):
-@@ -81,38 +81,38 @@ class BanTimeIncr(LogCaptureTestCase):
- if multcnt < 11:
- arr = arr[0:multcnt-1] + ([arr[multcnt-2]] * (11-multcnt))
- self.assertEqual(
-- [a.calcBanTime(600, i) for i in xrange(1, 11)],
-+ [a.calcBanTime(600, i) for i in range(1, 11)],
- arr
- )
- a.setBanTimeExtra('maxtime', '1d')
- # change factor :
- a.setBanTimeExtra('factor', '2');
- self.assertEqual(
-- [a.calcBanTime(600, i) for i in xrange(1, 11)],
-+ [a.calcBanTime(600, i) for i in range(1, 11)],
- [2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400, 86400]
- )
- # factor is float :
- a.setBanTimeExtra('factor', '1.33');
- self.assertEqual(
-- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
-+ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
- [1596, 3192, 6384, 12768, 25536, 51072, 86400, 86400, 86400, 86400]
- )
- a.setBanTimeExtra('factor', None);
- # change max time :
- a.setBanTimeExtra('maxtime', '12h')
- self.assertEqual(
-- [a.calcBanTime(600, i) for i in xrange(1, 11)],
-+ [a.calcBanTime(600, i) for i in range(1, 11)],
- [1200, 2400, 4800, 9600, 19200, 38400, 43200, 43200, 43200, 43200]
- )
- a.setBanTimeExtra('maxtime', '24h')
- ## test randomization - not possibe all 10 times we have random = 0:
- a.setBanTimeExtra('rndtime', '5m')
- self.assertTrue(
-- False in [1200 in [a.calcBanTime(600, 1) for i in xrange(10)] for c in xrange(10)]
-+ False in [1200 in [a.calcBanTime(600, 1) for i in range(10)] for c in range(10)]
- )
- a.setBanTimeExtra('rndtime', None)
- self.assertFalse(
-- False in [1200 in [a.calcBanTime(600, 1) for i in xrange(10)] for c in xrange(10)]
-+ False in [1200 in [a.calcBanTime(600, 1) for i in range(10)] for c in range(10)]
- )
- # restore default:
- a.setBanTimeExtra('multipliers', None)
-@@ -124,7 +124,7 @@ class BanTimeIncr(LogCaptureTestCase):
- # this multipliers has the same values as default formula, we test stop growing after count 9:
- self.testDefault('1 2 4 8 16 32 64 128 256')
- # this multipliers has exactly the same values as default formula, test endless growing (stops by count 31 only):
-- self.testDefault(' '.join([str(1<<i) for i in xrange(31)]))
-+ self.testDefault(' '.join([str(1<<i) for i in range(31)]))
-
- def testFormula(self):
- a = self.__jail;
-@@ -136,38 +136,38 @@ class BanTimeIncr(LogCaptureTestCase):
- a.setBanTimeExtra('multipliers', None)
- # test algorithm and max time 24 hours :
- self.assertEqual(
-- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
-+ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
- [1200, 2400, 4800, 9600, 19200, 38400, 76800, 86400, 86400, 86400]
- )
- # with extra large max time (30 days):
- a.setBanTimeExtra('maxtime', '30d')
- self.assertEqual(
-- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
-+ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
- [1200, 2400, 4800, 9600, 19200, 38400, 76800, 153601, 307203, 614407]
- )
- a.setBanTimeExtra('maxtime', '24h')
- # change factor :
- a.setBanTimeExtra('factor', '1');
- self.assertEqual(
-- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
-+ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
- [1630, 4433, 12051, 32758, 86400, 86400, 86400, 86400, 86400, 86400]
- )
- a.setBanTimeExtra('factor', '2.0 / 2.885385')
- # change max time :
- a.setBanTimeExtra('maxtime', '12h')
- self.assertEqual(
-- [int(a.calcBanTime(600, i)) for i in xrange(1, 11)],
-+ [int(a.calcBanTime(600, i)) for i in range(1, 11)],
- [1200, 2400, 4800, 9600, 19200, 38400, 43200, 43200, 43200, 43200]
- )
- a.setBanTimeExtra('maxtime', '24h')
- ## test randomization - not possibe all 10 times we have random = 0:
- a.setBanTimeExtra('rndtime', '5m')
- self.assertTrue(
-- False in [1200 in [int(a.calcBanTime(600, 1)) for i in xrange(10)] for c in xrange(10)]
-+ False in [1200 in [int(a.calcBanTime(600, 1)) for i in range(10)] for c in range(10)]
- )
- a.setBanTimeExtra('rndtime', None)
- self.assertFalse(
-- False in [1200 in [int(a.calcBanTime(600, 1)) for i in xrange(10)] for c in xrange(10)]
-+ False in [1200 in [int(a.calcBanTime(600, 1)) for i in range(10)] for c in range(10)]
- )
- # restore default:
- a.setBanTimeExtra('factor', None);
-@@ -230,7 +230,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
- ticket = FailTicket(ip, stime, [])
- # test ticket not yet found
- self.assertEqual(
-- [self.incrBanTime(ticket, 10) for i in xrange(3)],
-+ [self.incrBanTime(ticket, 10) for i in range(3)],
- [10, 10, 10]
- )
- # add a ticket banned
-@@ -285,7 +285,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
- )
- # increase ban multiple times:
- lastBanTime = 20
-- for i in xrange(10):
-+ for i in range(10):
- ticket.setTime(stime + lastBanTime + 5)
- banTime = self.incrBanTime(ticket, 10)
- self.assertEqual(banTime, lastBanTime * 2)
-@@ -481,7 +481,7 @@ class BanTimeIncrDB(LogCaptureTestCase):
- ticket = FailTicket(ip, stime-120, [])
- failManager = FailManager()
- failManager.setMaxRetry(3)
-- for i in xrange(3):
-+ for i in range(3):
- failManager.addFailure(ticket)
- obs.add('failureFound', failManager, jail, ticket)
- obs.wait_empty(5)
-diff --git a/fail2ban/tests/samplestestcase.py b/fail2ban/tests/samplestestcase.py
-index 0bbd05f5..479b564a 100644
---- a/fail2ban/tests/samplestestcase.py
-+++ b/fail2ban/tests/samplestestcase.py
-@@ -138,7 +138,7 @@ class FilterSamplesRegex(unittest.TestCase):
-
- @staticmethod
- def _filterOptions(opts):
-- return dict((k, v) for k, v in opts.iteritems() if not k.startswith('test.'))
-+ return dict((k, v) for k, v in opts.items() if not k.startswith('test.'))
-
- def testSampleRegexsFactory(name, basedir):
- def testFilter(self):
-@@ -249,10 +249,10 @@ def testSampleRegexsFactory(name, basedir):
- self.assertTrue(faildata.get('match', False),
- "Line matched when shouldn't have")
- self.assertEqual(len(ret), 1,
-- "Multiple regexs matched %r" % (map(lambda x: x[0], ret)))
-+ "Multiple regexs matched %r" % ([x[0] for x in ret]))
-
- # Verify match captures (at least fid/host) and timestamp as expected
-- for k, v in faildata.iteritems():
-+ for k, v in faildata.items():
- if k not in ("time", "match", "desc", "filter"):
- fv = fail.get(k, None)
- if fv is None:
-@@ -294,7 +294,7 @@ def testSampleRegexsFactory(name, basedir):
- '\n'.join(pprint.pformat(fail).splitlines())))
-
- # check missing samples for regex using each filter-options combination:
-- for fltName, flt in self._filters.iteritems():
-+ for fltName, flt in self._filters.items():
- flt, regexsUsedIdx = flt
- regexList = flt.getFailRegex()
- for failRegexIndex, failRegex in enumerate(regexList):
-diff --git a/fail2ban/tests/servertestcase.py b/fail2ban/tests/servertestcase.py
-index 55e72455..7925ab1e 100644
---- a/fail2ban/tests/servertestcase.py
-+++ b/fail2ban/tests/servertestcase.py
-@@ -124,14 +124,14 @@ class TransmitterBase(LogCaptureTestCase):
- self.transm.proceed(["get", jail, cmd]), (0, []))
- for n, value in enumerate(values):
- ret = self.transm.proceed(["set", jail, cmdAdd, value])
-- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[:n+1])), level=2)
-+ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[:n+1]))), level=2)
- ret = self.transm.proceed(["get", jail, cmd])
-- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[:n+1])), level=2)
-+ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[:n+1]))), level=2)
- for n, value in enumerate(values):
- ret = self.transm.proceed(["set", jail, cmdDel, value])
-- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[n+1:])), level=2)
-+ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[n+1:]))), level=2)
- ret = self.transm.proceed(["get", jail, cmd])
-- self.assertSortedEqual((ret[0], map(str, ret[1])), (0, map(str, values[n+1:])), level=2)
-+ self.assertSortedEqual((ret[0], list(map(str, ret[1]))), (0, list(map(str, values[n+1:]))), level=2)
-
- def jailAddDelRegexTest(self, cmd, inValues, outValues, jail):
- cmdAdd = "add" + cmd
-@@ -930,7 +930,7 @@ class TransmitterLogging(TransmitterBase):
-
- def testLogTarget(self):
- logTargets = []
-- for _ in xrange(3):
-+ for _ in range(3):
- tmpFile = tempfile.mkstemp("fail2ban", "transmitter")
- logTargets.append(tmpFile[1])
- os.close(tmpFile[0])
-@@ -1003,26 +1003,26 @@ class TransmitterLogging(TransmitterBase):
- self.assertEqual(self.transm.proceed(["flushlogs"]), (0, "rolled over"))
- l.warning("After flushlogs")
- with open(fn2,'r') as f:
-- line1 = f.next()
-+ line1 = next(f)
- if line1.find('Changed logging target to') >= 0:
-- line1 = f.next()
-+ line1 = next(f)
- self.assertTrue(line1.endswith("Before file moved\n"))
-- line2 = f.next()
-+ line2 = next(f)
- self.assertTrue(line2.endswith("After file moved\n"))
- try:
-- n = f.next()
-+ n = next(f)
- if n.find("Command: ['flushlogs']") >=0:
-- self.assertRaises(StopIteration, f.next)
-+ self.assertRaises(StopIteration, f.__next__)
- else:
- self.fail("Exception StopIteration or Command: ['flushlogs'] expected. Got: %s" % n)
- except StopIteration:
- pass # on higher debugging levels this is expected
- with open(fn,'r') as f:
-- line1 = f.next()
-+ line1 = next(f)
- if line1.find('rollover performed on') >= 0:
-- line1 = f.next()
-+ line1 = next(f)
- self.assertTrue(line1.endswith("After flushlogs\n"))
-- self.assertRaises(StopIteration, f.next)
-+ self.assertRaises(StopIteration, f.__next__)
- f.close()
- finally:
- os.remove(fn2)
-@@ -1185,7 +1185,7 @@ class LoggingTests(LogCaptureTestCase):
- os.remove(f)
-
-
--from clientreadertestcase import ActionReader, JailsReader, CONFIG_DIR
-+from .clientreadertestcase import ActionReader, JailsReader, CONFIG_DIR
-
- class ServerConfigReaderTests(LogCaptureTestCase):
-
-diff --git a/fail2ban/tests/sockettestcase.py b/fail2ban/tests/sockettestcase.py
-index 69bf8d8b..60f49e57 100644
---- a/fail2ban/tests/sockettestcase.py
-+++ b/fail2ban/tests/sockettestcase.py
-@@ -153,7 +153,7 @@ class Socket(LogCaptureTestCase):
- org_handler = RequestHandler.found_terminator
- try:
- RequestHandler.found_terminator = lambda self: self.close()
-- self.assertRaisesRegexp(RuntimeError, r"socket connection broken",
-+ self.assertRaisesRegex(RuntimeError, r"socket connection broken",
- lambda: client.send(testMessage, timeout=unittest.F2B.maxWaitTime(10)))
- finally:
- RequestHandler.found_terminator = org_handler
-diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py
-index fcfddba7..cb234e0d 100644
---- a/fail2ban/tests/utils.py
-+++ b/fail2ban/tests/utils.py
-@@ -35,7 +35,7 @@ import time
- import threading
- import unittest
-
--from cStringIO import StringIO
-+from io import StringIO
- from functools import wraps
-
- from ..helpers import getLogger, str2LogLevel, getVerbosityFormat, uni_decode
-@@ -174,8 +174,8 @@ def initProcess(opts):
-
- # Let know the version
- if opts.verbosity != 0:
-- print("Fail2ban %s test suite. Python %s. Please wait..." \
-- % (version, str(sys.version).replace('\n', '')))
-+ print(("Fail2ban %s test suite. Python %s. Please wait..." \
-+ % (version, str(sys.version).replace('\n', ''))))
-
- return opts;
-
-@@ -322,7 +322,7 @@ def initTests(opts):
- c = DNSUtils.CACHE_ipToName
- # increase max count and max time (too many entries, long time testing):
- c.setOptions(maxCount=10000, maxTime=5*60)
-- for i in xrange(256):
-+ for i in range(256):
- c.set('192.0.2.%s' % i, None)
- c.set('198.51.100.%s' % i, None)
- c.set('203.0.113.%s' % i, None)
-@@ -541,8 +541,8 @@ def gatherTests(regexps=None, opts=None):
- import difflib, pprint
- if not hasattr(unittest.TestCase, 'assertDictEqual'):
- def assertDictEqual(self, d1, d2, msg=None):
-- self.assert_(isinstance(d1, dict), 'First argument is not a dictionary')
-- self.assert_(isinstance(d2, dict), 'Second argument is not a dictionary')
-+ self.assertTrue(isinstance(d1, dict), 'First argument is not a dictionary')
-+ self.assertTrue(isinstance(d2, dict), 'Second argument is not a dictionary')
- if d1 != d2:
- standardMsg = '%r != %r' % (d1, d2)
- diff = ('\n' + '\n'.join(difflib.ndiff(
-@@ -560,7 +560,7 @@ def assertSortedEqual(self, a, b, level=1, nestedOnly=True, key=repr, msg=None):
- # used to recognize having element as nested dict, list or tuple:
- def _is_nested(v):
- if isinstance(v, dict):
-- return any(isinstance(v, (dict, list, tuple)) for v in v.itervalues())
-+ return any(isinstance(v, (dict, list, tuple)) for v in v.values())
- return any(isinstance(v, (dict, list, tuple)) for v in v)
- # level comparison routine:
- def _assertSortedEqual(a, b, level, nestedOnly, key):
-@@ -573,7 +573,7 @@ def assertSortedEqual(self, a, b, level=1, nestedOnly=True, key=repr, msg=None):
- return
- raise ValueError('%r != %r' % (a, b))
- if isinstance(a, dict) and isinstance(b, dict): # compare dict's:
-- for k, v1 in a.iteritems():
-+ for k, v1 in a.items():
- v2 = b[k]
- if isinstance(v1, (dict, list, tuple)) and isinstance(v2, (dict, list, tuple)):
- _assertSortedEqual(v1, v2, level-1 if level != 0 else 0, nestedOnly, key)
-@@ -608,14 +608,14 @@ if not hasattr(unittest.TestCase, 'assertRaisesRegexp'):
- self.fail('\"%s\" does not match \"%s\"' % (regexp, e))
- else:
- self.fail('%s not raised' % getattr(exccls, '__name__'))
-- unittest.TestCase.assertRaisesRegexp = assertRaisesRegexp
-+ unittest.TestCase.assertRaisesRegex = assertRaisesRegexp
-
- # always custom following methods, because we use atm better version of both (support generators)
- if True: ## if not hasattr(unittest.TestCase, 'assertIn'):
- def assertIn(self, a, b, msg=None):
- bb = b
- wrap = False
-- if msg is None and hasattr(b, '__iter__') and not isinstance(b, basestring):
-+ if msg is None and hasattr(b, '__iter__') and not isinstance(b, str):
- b, bb = itertools.tee(b)
- wrap = True
- if a not in b:
-@@ -626,7 +626,7 @@ if True: ## if not hasattr(unittest.TestCase, 'assertIn'):
- def assertNotIn(self, a, b, msg=None):
- bb = b
- wrap = False
-- if msg is None and hasattr(b, '__iter__') and not isinstance(b, basestring):
-+ if msg is None and hasattr(b, '__iter__') and not isinstance(b, str):
- b, bb = itertools.tee(b)
- wrap = True
- if a in b:
-diff --git a/setup.py b/setup.py
-deleted file mode 100755
-index ce1eedf6..00000000
---- a/setup.py
-+++ /dev/null
-@@ -1,326 +0,0 @@
--#!/usr/bin/env python
--# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
--# vi: set ft=python sts=4 ts=4 sw=4 noet :
--
--# This file is part of Fail2Ban.
--#
--# Fail2Ban is free software; you can redistribute it and/or modify
--# it under the terms of the GNU General Public License as published by
--# the Free Software Foundation; either version 2 of the License, or
--# (at your option) any later version.
--#
--# Fail2Ban is distributed in the hope that it will be useful,
--# but WITHOUT ANY WARRANTY; without even the implied warranty of
--# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
--# GNU General Public License for more details.
--#
--# You should have received a copy of the GNU General Public License
--# along with Fail2Ban; if not, write to the Free Software
--# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
--
--__author__ = "Cyril Jaquier, Steven Hiscocks, Yaroslav Halchenko"
--__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2008-2016 Fail2Ban Contributors"
--__license__ = "GPL"
--
--import platform
--
--try:
-- import setuptools
-- from setuptools import setup
-- from setuptools.command.install import install
-- from setuptools.command.install_scripts import install_scripts
--except ImportError:
-- setuptools = None
-- from distutils.core import setup
--
--# all versions
--from distutils.command.build_py import build_py
--from distutils.command.build_scripts import build_scripts
--if setuptools is None:
-- from distutils.command.install import install
-- from distutils.command.install_scripts import install_scripts
--try:
-- # python 3.x
-- from distutils.command.build_py import build_py_2to3
-- from distutils.command.build_scripts import build_scripts_2to3
-- _2to3 = True
--except ImportError:
-- # python 2.x
-- _2to3 = False
--
--import os
--from os.path import isfile, join, isdir, realpath
--import re
--import sys
--import warnings
--from glob import glob
--
--from fail2ban.setup import updatePyExec
--
--
--source_dir = os.path.realpath(os.path.dirname(
-- # __file__ seems to be overwritten sometimes on some python versions (e.g. bug of 2.6 by running under cProfile, etc.):
-- sys.argv[0] if os.path.basename(sys.argv[0]) == 'setup.py' else __file__
--))
--
--# Wrapper to install python binding (to current python version):
--class install_scripts_f2b(install_scripts):
--
-- def get_outputs(self):
-- outputs = install_scripts.get_outputs(self)
-- # setup.py --dry-run install:
-- dry_run = not outputs
-- self.update_scripts(dry_run)
-- if dry_run:
-- #bindir = self.install_dir
-- bindir = self.build_dir
-- print('creating fail2ban-python binding -> %s (dry-run, real path can be different)' % (bindir,))
-- print('Copying content of %s to %s' % (self.build_dir, self.install_dir));
-- return outputs
-- fn = None
-- for fn in outputs:
-- if os.path.basename(fn) == 'fail2ban-server':
-- break
-- bindir = os.path.dirname(fn)
-- print('creating fail2ban-python binding -> %s' % (bindir,))
-- updatePyExec(bindir)
-- return outputs
--
-- def update_scripts(self, dry_run=False):
-- buildroot = os.path.dirname(self.build_dir)
-- install_dir = self.install_dir
-- try:
-- # remove root-base from install scripts path:
-- root = self.distribution.command_options['install']['root'][1]
-- if install_dir.startswith(root):
-- install_dir = install_dir[len(root):]
-- except: # pragma: no cover
-- print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service".')
-- print('Creating %s/fail2ban.service (from fail2ban.service.in): @BINDIR@ -> %s' % (buildroot, install_dir))
-- with open(os.path.join(source_dir, 'files/fail2ban.service.in'), 'r') as fn:
-- lines = fn.readlines()
-- fn = None
-- if not dry_run:
-- fn = open(os.path.join(buildroot, 'fail2ban.service'), 'w')
-- try:
-- for ln in lines:
-- ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln)
-- if dry_run:
-- sys.stdout.write(' | ' + ln)
-- continue
-- fn.write(ln)
-- finally:
-- if fn: fn.close()
-- if dry_run:
-- print(' `')
--
--
--# Wrapper to specify fail2ban own options:
--class install_command_f2b(install):
-- user_options = install.user_options + [
-- ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
-- ('without-tests', None, 'without tests files installation'),
-- ]
-- def initialize_options(self):
-- self.disable_2to3 = None
-- self.without_tests = None
-- install.initialize_options(self)
-- def finalize_options(self):
-- global _2to3
-- ## in the test cases 2to3 should be already done (fail2ban-2to3):
-- if self.disable_2to3:
-- _2to3 = False
-- if _2to3:
-- cmdclass = self.distribution.cmdclass
-- cmdclass['build_py'] = build_py_2to3
-- cmdclass['build_scripts'] = build_scripts_2to3
-- if self.without_tests:
-- self.distribution.scripts.remove('bin/fail2ban-testcases')
--
-- self.distribution.packages.remove('fail2ban.tests')
-- self.distribution.packages.remove('fail2ban.tests.action_d')
--
-- del self.distribution.package_data['fail2ban.tests']
-- install.finalize_options(self)
-- def run(self):
-- install.run(self)
--
--
--# Update fail2ban-python env to current python version (where f2b-modules located/installed)
--updatePyExec(os.path.join(source_dir, 'bin'))
--
--if setuptools and "test" in sys.argv:
-- import logging
-- logSys = logging.getLogger("fail2ban")
-- hdlr = logging.StreamHandler(sys.stdout)
-- fmt = logging.Formatter("%(asctime)-15s %(message)s")
-- hdlr.setFormatter(fmt)
-- logSys.addHandler(hdlr)
-- if set(["-q", "--quiet"]) & set(sys.argv):
-- logSys.setLevel(logging.CRITICAL)
-- warnings.simplefilter("ignore")
-- sys.warnoptions.append("ignore")
-- elif set(["-v", "--verbose"]) & set(sys.argv):
-- logSys.setLevel(logging.DEBUG)
-- else:
-- logSys.setLevel(logging.INFO)
--elif "test" in sys.argv:
-- print("python distribute required to execute fail2ban tests")
-- print("")
--
--longdesc = '''
--Fail2Ban scans log files like /var/log/pwdfail or
--/var/log/apache/error_log and bans IP that makes
--too many password failures. It updates firewall rules
--to reject the IP address or executes user defined
--commands.'''
--
--if setuptools:
-- setup_extra = {
-- 'test_suite': "fail2ban.tests.utils.gatherTests",
-- 'use_2to3': True,
-- }
--else:
-- setup_extra = {}
--
--data_files_extra = []
--if os.path.exists('/var/run'):
-- # if we are on the system with /var/run -- we are to use it for having fail2ban/
-- # directory there for socket file etc.
-- # realpath is used to possibly resolve /var/run -> /run symlink
-- data_files_extra += [(realpath('/var/run/fail2ban'), '')]
--
--# Installing documentation files only under Linux or other GNU/ systems
--# (e.g. GNU/kFreeBSD), since others might have protective mechanisms forbidding
--# installation there (see e.g. #1233)
--platform_system = platform.system().lower()
--doc_files = ['README.md', 'DEVELOP', 'FILTERS', 'doc/run-rootless.txt']
--if platform_system in ('solaris', 'sunos'):
-- doc_files.append('README.Solaris')
--if platform_system in ('linux', 'solaris', 'sunos') or platform_system.startswith('gnu'):
-- data_files_extra.append(
-- ('/usr/share/doc/fail2ban', doc_files)
-- )
--
--# Get version number, avoiding importing fail2ban.
--# This is due to tests not functioning for python3 as 2to3 takes place later
--exec(open(join("fail2ban", "version.py")).read())
--
--setup(
-- name = "fail2ban",
-- version = version,
-- description = "Ban IPs that make too many password failures",
-- long_description = longdesc,
-- author = "Cyril Jaquier & Fail2Ban Contributors",
-- author_email = "cyril.jaquier@fail2ban.org",
-- url = "http://www.fail2ban.org",
-- license = "GPL",
-- platforms = "Posix",
-- cmdclass = {
-- 'build_py': build_py, 'build_scripts': build_scripts,
-- 'install_scripts': install_scripts_f2b, 'install': install_command_f2b
-- },
-- scripts = [
-- 'bin/fail2ban-client',
-- 'bin/fail2ban-server',
-- 'bin/fail2ban-regex',
-- 'bin/fail2ban-testcases',
-- # 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper
-- ],
-- packages = [
-- 'fail2ban',
-- 'fail2ban.client',
-- 'fail2ban.server',
-- 'fail2ban.tests',
-- 'fail2ban.tests.action_d',
-- ],
-- package_data = {
-- 'fail2ban.tests':
-- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
-- for w in os.walk('fail2ban/tests/files')
-- for f in w[2]] +
-- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
-- for w in os.walk('fail2ban/tests/config')
-- for f in w[2]] +
-- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
-- for w in os.walk('fail2ban/tests/action_d')
-- for f in w[2]]
-- },
-- data_files = [
-- ('/etc/fail2ban',
-- glob("config/*.conf")
-- ),
-- ('/etc/fail2ban/filter.d',
-- glob("config/filter.d/*.conf")
-- ),
-- ('/etc/fail2ban/filter.d/ignorecommands',
-- [p for p in glob("config/filter.d/ignorecommands/*") if isfile(p)]
-- ),
-- ('/etc/fail2ban/action.d',
-- glob("config/action.d/*.conf") +
-- glob("config/action.d/*.py")
-- ),
-- ('/etc/fail2ban/fail2ban.d',
-- ''
-- ),
-- ('/etc/fail2ban/jail.d',
-- ''
-- ),
-- ('/var/lib/fail2ban',
-- ''
-- ),
-- ] + data_files_extra,
-- **setup_extra
--)
--
--# Do some checks after installation
--# Search for obsolete files.
--obsoleteFiles = []
--elements = {
-- "/etc/":
-- [
-- "fail2ban.conf"
-- ],
-- "/usr/bin/":
-- [
-- "fail2ban.py"
-- ],
-- "/usr/lib/fail2ban/":
-- [
-- "version.py",
-- "protocol.py"
-- ]
--}
--
--for directory in elements:
-- for f in elements[directory]:
-- path = join(directory, f)
-- if isfile(path):
-- obsoleteFiles.append(path)
--
--if obsoleteFiles:
-- print("")
-- print("Obsolete files from previous Fail2Ban versions were found on "
-- "your system.")
-- print("Please delete them:")
-- print("")
-- for f in obsoleteFiles:
-- print("\t" + f)
-- print("")
--
--if isdir("/usr/lib/fail2ban"):
-- print("")
-- print("Fail2ban is not installed under /usr/lib anymore. The new "
-- "location is under /usr/share. Please remove the directory "
-- "/usr/lib/fail2ban and everything under this directory.")
-- print("")
--
--# Update config file
--if sys.argv[1] == "install":
-- print("")
-- print("Please do not forget to update your configuration files.")
-- print("They are in \"/etc/fail2ban/\".")
-- print("")
-- print("You can also install systemd service-unit file from \"build/fail2ban.service\"")
-- print("resp. corresponding init script from \"files/*-initd\".")
-- print("")
---
-2.17.1
-
diff --git a/recipes-security/fail2ban/files/fail2ban_setup.py b/recipes-security/fail2ban/files/fail2ban_setup.py
deleted file mode 100755
index e231949..0000000
--- a/recipes-security/fail2ban/files/fail2ban_setup.py
+++ /dev/null
@@ -1,174 +0,0 @@
-# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
-# vi: set ft=python sts=4 ts=4 sw=4 noet :
-
-# This file is part of Fail2Ban.
-#
-# Fail2Ban is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# Fail2Ban is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Fail2Ban; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-
-__author__ = "Cyril Jaquier, Steven Hiscocks, Yaroslav Halchenko"
-__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2008-2016 Fail2Ban Contributors"
-__license__ = "GPL"
-
-import platform
-
-try:
- import setuptools
- from setuptools import setup
- from setuptools.command.install import install
- from setuptools.command.install_scripts import install_scripts
-except ImportError:
- setuptools = None
- from distutils.core import setup
-
-# all versions
-from distutils.command.build_py import build_py
-from distutils.command.build_scripts import build_scripts
-if setuptools is None:
- from distutils.command.install import install
- from distutils.command.install_scripts import install_scripts
-try:
- # python 3.x
- from distutils.command.build_py import build_py_2to3
- from distutils.command.build_scripts import build_scripts_2to3
- _2to3 = True
-except ImportError:
- # python 2.x
- _2to3 = False
-
-import os
-from os.path import isfile, join, isdir, realpath
-import sys
-import warnings
-from glob import glob
-
-from fail2ban.setup import updatePyExec
-
-if setuptools and "test" in sys.argv:
- import logging
- logSys = logging.getLogger("fail2ban")
- hdlr = logging.StreamHandler(sys.stdout)
- fmt = logging.Formatter("%(asctime)-15s %(message)s")
- hdlr.setFormatter(fmt)
- logSys.addHandler(hdlr)
- if set(["-q", "--quiet"]) & set(sys.argv):
- logSys.setLevel(logging.CRITICAL)
- warnings.simplefilter("ignore")
- sys.warnoptions.append("ignore")
- elif set(["-v", "--verbose"]) & set(sys.argv):
- logSys.setLevel(logging.DEBUG)
- else:
- logSys.setLevel(logging.INFO)
-elif "test" in sys.argv:
- print("python distribute required to execute fail2ban tests")
- print("")
-
-longdesc = '''
-Fail2Ban scans log files like /var/log/pwdfail or
-/var/log/apache/error_log and bans IP that makes
-too many password failures. It updates firewall rules
-to reject the IP address or executes user defined
-commands.'''
-
-if setuptools:
- setup_extra = {
- 'test_suite': "fail2ban.tests.utils.gatherTests",
- 'use_2to3': True,
- }
-else:
- setup_extra = {}
-
-data_files_extra = []
-
-# Installing documentation files only under Linux or other GNU/ systems
-# (e.g. GNU/kFreeBSD), since others might have protective mechanisms forbidding
-# installation there (see e.g. #1233)
-platform_system = platform.system().lower()
-doc_files = ['README.md', 'DEVELOP', 'FILTERS', 'doc/run-rootless.txt']
-if platform_system in ('solaris', 'sunos'):
- doc_files.append('README.Solaris')
-if platform_system in ('linux', 'solaris', 'sunos') or platform_system.startswith('gnu'):
- data_files_extra.append(
- ('/usr/share/doc/fail2ban', doc_files)
- )
-
-# Get version number, avoiding importing fail2ban.
-# This is due to tests not functioning for python3 as 2to3 takes place later
-exec(open(join("fail2ban", "version.py")).read())
-
-setup(
- name = "fail2ban",
- version = version,
- description = "Ban IPs that make too many password failures",
- long_description = longdesc,
- author = "Cyril Jaquier & Fail2Ban Contributors",
- author_email = "cyril.jaquier@fail2ban.org",
- url = "http://www.fail2ban.org",
- license = "GPL",
- platforms = "Posix",
- cmdclass = {
- 'build_py': build_py, 'build_scripts': build_scripts,
- },
- scripts = [
- 'bin/fail2ban-client',
- 'bin/fail2ban-server',
- 'bin/fail2ban-regex',
- 'bin/fail2ban-testcases',
- # 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper
- ],
- packages = [
- 'fail2ban',
- 'fail2ban.client',
- 'fail2ban.server',
- 'fail2ban.tests',
- 'fail2ban.tests.action_d',
- ],
- package_data = {
- 'fail2ban.tests':
- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
- for w in os.walk('fail2ban/tests/files')
- for f in w[2]] +
- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
- for w in os.walk('fail2ban/tests/config')
- for f in w[2]] +
- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
- for w in os.walk('fail2ban/tests/action_d')
- for f in w[2]]
- },
- data_files = [
- ('/etc/fail2ban',
- glob("config/*.conf")
- ),
- ('/etc/fail2ban/filter.d',
- glob("config/filter.d/*.conf")
- ),
- ('/etc/fail2ban/filter.d/ignorecommands',
- [p for p in glob("config/filter.d/ignorecommands/*") if isfile(p)]
- ),
- ('/etc/fail2ban/action.d',
- glob("config/action.d/*.conf") +
- glob("config/action.d/*.py")
- ),
- ('/etc/fail2ban/fail2ban.d',
- ''
- ),
- ('/etc/fail2ban/jail.d',
- ''
- ),
- ('/var/lib/fail2ban',
- ''
- ),
- ] + data_files_extra,
- **setup_extra
-)
diff --git a/recipes-security/fail2ban/files/initd b/recipes-security/fail2ban/files/initd
deleted file mode 100644
index 586b3da..0000000
--- a/recipes-security/fail2ban/files/initd
+++ /dev/null
@@ -1,98 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides: fail2ban
-# Required-Start: $local_fs $remote_fs
-# Required-Stop: $local_fs $remote_fs
-# Should-Start: $time $network $syslog iptables firehol shorewall ferm
-# Should-Stop: $network $syslog iptables firehol shorewall ferm
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Start/Stop fail2ban
-# Description: Start/Stop fail2ban, a daemon to ban hosts that cause multiple authentication errors
-### END INIT INFO
-
-# Source function library.
-. /etc/init.d/functions
-
-# Check that the config file exists
-[ -f /etc/fail2ban/fail2ban.conf ] || exit 0
-
-check_privsep_dir() {
- # Create the PrivSep empty dir if necessary
- if [ ! -d /var/run/fail2ban ]; then
- mkdir /var/run/fail2ban
- chmod 0755 /var/run/fail2ban
- fi
-}
-
-FAIL2BAN="/usr/bin/fail2ban-client"
-prog=fail2ban-server
-lockfile=${LOCKFILE-/var/lock/subsys/fail2ban}
-socket=${SOCKET-/var/run/fail2ban/fail2ban.sock}
-pidfile=${PIDFILE-/var/run/fail2ban/fail2ban.pid}
-RETVAL=0
-
-start() {
- echo -n $"Starting fail2ban: "
- check_privsep_dir
- ${FAIL2BAN} -x start > /dev/null
- RETVAL=$?
- if [ $RETVAL = 0 ]; then
- touch ${lockfile}
- success
- else
- failure
- fi
- echo
- return $RETVAL
-}
-
-stop() {
- echo -n $"Stopping fail2ban: "
- ${FAIL2BAN} stop > /dev/null
- RETVAL=$?
- if [ $RETVAL = 0 ]; then
- rm -f ${lockfile} ${pidfile}
- success
- else
- failure
- fi
- echo
- return $RETVAL
-}
-
-reload() {
- echo "Reloading fail2ban: "
- ${FAIL2BAN} reload
- RETVAL=$?
- echo
- return $RETVAL
-}
-
-# See how we were called.
-case "$1" in
- start)
- status -p ${pidfile} ${prog} >/dev/null 2>&1 && exit 0
- start
- ;;
- stop)
- stop
- ;;
- reload)
- reload
- ;;
- restart)
- stop
- start
- ;;
- status)
- status -p ${pidfile} ${prog}
- RETVAL=$?
- [ $RETVAL = 0 ] && ${FAIL2BAN} status
- ;;
- *)
- echo $"Usage: fail2ban {start|stop|restart|reload|status}"
- RETVAL=2
-esac
-
-exit $RETVAL
diff --git a/recipes-security/fail2ban/files/run-ptest b/recipes-security/fail2ban/files/run-ptest
deleted file mode 100644
index 9f6aebe..0000000
--- a/recipes-security/fail2ban/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-##PYTHON## fail2ban-testcases
diff --git a/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb b/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
deleted file mode 100644
index e737f50..0000000
--- a/recipes-security/fail2ban/python3-fail2ban_0.10.4.0.bb
+++ /dev/null
@@ -1,51 +0,0 @@
-SUMMARY = "Daemon to ban hosts that cause multiple authentication errors."
-DESCRIPTION = "Fail2Ban scans log files like /var/log/auth.log and bans IP addresses having too \
-many failed login attempts. It does this by updating system firewall rules to reject new \
-connections from those IP addresses, for a configurable amount of time. Fail2Ban comes \
-out-of-the-box ready to read many standard log files, such as those for sshd and Apache, \
-and is easy to configure to read any log file you choose, for any error you choose."
-HOMEPAGE = "http://www.fail2ban.org"
-
-LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
-
-SRCREV ="3befbb177017957869425c81a560edb8e27db75a"
-SRC_URI = " git://github.com/fail2ban/fail2ban.git;branch=0.11 \
- file://initd \
- file://fail2ban_setup.py \
- file://run-ptest \
- file://0001-python3-fail2ban-2-3-conversion.patch \
-"
-
-inherit update-rc.d ptest setuptools3
-
-S = "${WORKDIR}/git"
-
-do_compile_prepend () {
- cp ${WORKDIR}/fail2ban_setup.py ${S}/setup.py
-}
-
-do_install_append () {
- install -d ${D}/${sysconfdir}/fail2ban
- install -d ${D}/${sysconfdir}/init.d
- install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
- chown -R root:root ${D}/${bindir}
-}
-
-do_install_ptest_append () {
- install -d ${D}${PTEST_PATH}
- sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
- install -D ${S}/bin/fail2ban-testcases ${D}${PTEST_PATH}
-}
-
-FILES_${PN} += "/run"
-
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME = "fail2ban-server"
-INITSCRIPT_PARAMS = "defaults 25"
-
-INSANE_SKIP_${PN}_append = "already-stripped"
-
-RDEPENDS_${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables sqlite3 python3-core python3-pyinotify"
-RDEPENDS_${PN} += " python3-logging python3-fcntl python3-json"
-RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
diff --git a/recipes-security/fscrypt/fscrypt_1.1.0.bb b/recipes-security/fscrypt/fscrypt_1.1.0.bb
new file mode 100644
index 0000000..ea9593b
--- /dev/null
+++ b/recipes-security/fscrypt/fscrypt_1.1.0.bb
@@ -0,0 +1,51 @@
+SUMMARY = "fscrypt is a high-level tool for the management of Linux filesystem encryption"
+DESCIPTION = "fscrypt manages metadata, key generation, key wrapping, PAM integration, \
+and provides a uniform interface for creating and modifying encrypted directories. For \
+a small, low-level tool that directly sets policies, see fscryptctl \
+(https://github.com/google/fscryptcl)."
+HOMEPAGE = "https://github.com/google/fscrypt"
+SECTION = "base"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+# fscrypt depends on go and libpam
+DEPENDS += "go-native libpam"
+
+SRCREV = "7c80c73c084ce9ea49a03b814dac7a82fd7b4c23"
+SRC_URI = "git://github.com/google/fscrypt.git;branch=master;protocol=https"
+
+GO_IMPORT = "import"
+
+inherit go goarch features_check
+
+REQUIRED_DISTRO_FEATURES = "pam"
+
+S = "${WORKDIR}/git"
+
+do_compile() {
+ export GOARCH=${TARGET_GOARCH}
+ export GOROOT="${STAGING_LIBDIR_NATIVE}/${TARGET_SYS}/go"
+ export GOPATH="${WORKDIR}/git"
+
+ # Pass the needed cflags/ldflags so that cgo
+ # can find the needed headers files and libraries
+ export CGO_ENABLED="1"
+ export CGO_CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+ export CGO_LDFLAGS="${LDFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+
+ cd ${S}/src/${GO_IMPORT}
+ oe_runmake
+
+ # Golang forces permissions to 0500 on directories and 0400 on files in
+ # the module cache which prevents us from easily cleaning up the build
+ # directory. Let's just fix the permissions here so we don't have to
+ # hack the clean tasks.
+ chmod -R u+w ${S}/pkg/mod
+}
+
+do_install() {
+ install -d ${D}/${bindir}
+ install ${S}/src/${GO_IMPORT}/bin/fscrypt ${D}/${bindir}/fscrypt
+}
+
+BBCLASSEXTEND = "native nativesdk"
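Review bot: The SRCREV on L12532, `7c80c73c084ce9ea49a03b814dac7a82fd7b4c23`, is byte-for-byte the commit id the fscryptctl recipe is pinned to in this same commit (L12579); two distinct repositories sharing one commit hash is very unlikely, so one of the two pins probably does not exist in its repository (fetch fails) or does not correspond to the 1.1.0 release it claims to be. Please verify each SRCREV against its own repository's release tag before merging; a tag-derived pin is also easier to audit later. Separately, L12520 spells the variable `DESCIPTION`, which BitBake treats as an unrelated variable, so the recipe ends up with no DESCRIPTION at all; it should read `DESCRIPTION = "fscrypt manages metadata, key generation, key wrapping, PAM integration, \`. The link at the end of that text reads `fscryptcl` where `fscryptctl` is meant.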
diff --git a/recipes-security/fscryptctl/fscryptctl_0.1.0.bb b/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
index 8847a0f..3de2bfa 100644
--- a/recipes-security/fscryptctl/fscryptctl_0.1.0.bb
+++ b/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
@@ -9,16 +9,21 @@ SECTION = "base"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-SRCREV = "142326810eb19d6794793db6d24d0775a15aa8e5"
-SRC_URI = "git://github.com/google/fscryptctl.git"
+SRCREV = "7c80c73c084ce9ea49a03b814dac7a82fd7b4c23"
+SRC_URI = "git://github.com/google/fscryptctl.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
+do_compile:prepend() {
+ sed -i 's/fscryptctl\.1//g' ${S}/Makefile
+ sed -i 's/install-man//g' ${S}/Makefile
+}
+
do_install() {
- oe_runmake DESTDIR=${D}${bindir} install
+ oe_runmake DESTDIR=${D} PREFIX=/usr install
}
-RRECOMMENDS_${PN} += "\
+RRECOMMENDS:${PN} += "\
keyutils \
kernel-module-cbc \
kernel-module-cts \
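Review bot: The new install line on L12589 hard-codes the prefix with `PREFIX=/usr` instead of following the recipe's configured layout; `oe_runmake DESTDIR=${D} PREFIX=${prefix} install` keeps it consistent with the `${bindir}`-based variables used elsewhere in the file. The two `sed -i` edits in `do_compile:prepend` (L12583-L12584) exit 0 whether or not their pattern matches, so an upstream Makefile change would silently reinstate the man-page targets they are meant to remove; a small patch file with an Upstream-Status header, as the isic patches in this commit use, records the intent and fails loudly when it no longer applies.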
diff --git a/recipes-security/glome/glome_git.bb b/recipes-security/glome/glome_git.bb
new file mode 100644
index 0000000..8787ddc
--- /dev/null
+++ b/recipes-security/glome/glome_git.bb
@@ -0,0 +1,24 @@
+SUMMARY = "GLOME Login Client"
+HOME_PAGE = "https://github.com/google/glome"
+DESCRIPTION = "GLOME is used to authorize serial console access to Linux machines"
+PV = "0.1+git${SRCPV}"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+inherit meson pkgconfig
+
+DEPENDS += "openssl"
+
+S = "${WORKDIR}/git"
+SRC_URI = "git://github.com/google/glome.git;branch=master;protocol=https"
+SRCREV = "48d28f82bd51ae4bccc84fbbee93c375b026596b"
+
+FILES:${PN} += "${libdir}/security"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[glome-cli] = "-Dglome-cli=true,-Dglome-cli=false"
+PACKAGECONFIG[pam-glome] = "-Dpam-glome=true,-Dpam-glome=false,libpam"
+
+EXTRA_OEMESON = "-Dtests=false"
+
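Review bot: L12603 sets `HOME_PAGE`, a variable BitBake does not know, so the recipe's HOMEPAGE is left empty; the line should be `HOMEPAGE = "https://github.com/google/glome"`. The same misspelling is visible as context in the google-authenticator-libpam recipe this commit also touches (L12630). With `PACKAGECONFIG ??= ""` on L12620 both options default to their disable flags, so the `${libdir}/security` entry on L12618 only has an effect when pam-glome is enabled; a one-line comment such as `# the PAM module is only built and packaged when the pam-glome PACKAGECONFIG is enabled` would spare the next reader a trip through the meson options.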
diff --git a/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb b/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
index f9ca092..8a0b1ee 100644
--- a/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
+++ b/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
@@ -3,8 +3,8 @@ HOME_PAGE = "https://github.com/google/google-authenticator-libpam"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
LICENSE = "Apache-2.0"
-SRC_URI = "git://github.com/google/google-authenticator-libpam.git"
-SRCREV = "2c7415d950fb0b4a7f779f045910666447b100ef"
+SRC_URI = "git://github.com/google/google-authenticator-libpam.git;branch=master;protocol=https"
+SRCREV = "962f353aac6cfc7b804547319db40f8b804f0b6c"
DEPENDS = "libpam"
@@ -18,6 +18,6 @@ REQUIRED_DISTRO_FEATURES = "pam"
EXTRA_OECONF = "--libdir=${base_libdir}"
PACKAGES += "pam-google-authenticator"
-FILES_pam-google-authenticator = "${base_libdir}/security/pam_google_authenticator.so"
+FILES:pam-google-authenticator = "${base_libdir}/security/pam_google_authenticator.so"
RDEPNEDS_pam-google-authenticator = "libpam"
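Review bot: L12643 still reads `RDEPNEDS_pam-google-authenticator = "libpam"`: the variable name is misspelled and it keeps the old `_` override separator that the line directly above was just migrated away from, so the runtime dependency on libpam is never attached to the pam-google-authenticator package. Since the commit converts `FILES_` to `FILES:` on L12642, the adjacent line belongs in the same pass: `RDEPENDS:pam-google-authenticator = "libpam"`. The `HOME_PAGE` misspelling shown in the hunk-header context on L12630 leaves HOMEPAGE unset in the same way.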
diff --git a/recipes-security/images/security-build-image.bb b/recipes-security/images/security-build-image.bb
deleted file mode 100644
index a8757f9..0000000
--- a/recipes-security/images/security-build-image.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-DESCRIPTION = "A small image for building meta-security packages"
-
-IMAGE_FEATURES += "ssh-server-openssh"
-
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- packagegroup-core-security \
- os-release"
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
-
-export IMAGE_BASENAME = "security-build-image"
-
-IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
diff --git a/recipes-security/images/security-client-image.bb b/recipes-security/images/security-client-image.bb
deleted file mode 100644
index f4ebc69..0000000
--- a/recipes-security/images/security-client-image.bb
+++ /dev/null
@@ -1,16 +0,0 @@
-DESCRIPTION = "A Client side Security example"
-
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- os-release \
- samhain-client \
- ${@bb.utils.contains("DISTRO_FEATURES", "x11", "packagegroup-xfce-base", "", d)}"
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
-
-export IMAGE_BASENAME = "security-client-image"
diff --git a/recipes-security/images/security-server-image.bb b/recipes-security/images/security-server-image.bb
deleted file mode 100644
index 4927e0e..0000000
--- a/recipes-security/images/security-server-image.bb
+++ /dev/null
@@ -1,19 +0,0 @@
-DESCRIPTION = "A Serve side image for Security example "
-
-IMAGE_FEATURES += "ssh-server-openssh"
-
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- samhain-server \
- os-release "
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
-
-export IMAGE_BASENAME = "security-server-image"
-
-IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
diff --git a/recipes-security/images/security-test-image.bb b/recipes-security/images/security-test-image.bb
deleted file mode 100644
index c71d726..0000000
--- a/recipes-security/images/security-test-image.bb
+++ /dev/null
@@ -1,33 +0,0 @@
-DESCRIPTION = "A small image for testing meta-security packages"
-
-IMAGE_FEATURES += "ssh-server-openssh"
-
-TEST_SUITES = "ssh ping ptest apparmor clamav samhain sssd tripwire checksec smack suricata"
-
-INSTALL_CLAMAV_CVD = "1"
-
-IMAGE_INSTALL = "\
- packagegroup-base \
- packagegroup-core-boot \
- packagegroup-core-security-ptest \
- clamav \
- tripwire \
- checksec \
- suricata \
- samhain-standalone \
- ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-test", "",d)} \
- os-release \
- "
-
-
-IMAGE_LINGUAS ?= " "
-
-LICENSE = "MIT"
-
-inherit core-image
-
-export IMAGE_BASENAME = "security-test-image"
-
-IMAGE_ROOTFS_EXTRA_SPACE = "5242880"
diff --git a/recipes-security/isic/files/configure_fix.patch b/recipes-security/isic/files/configure_fix.patch
index fc2a774..ed2bf7a 100644
--- a/recipes-security/isic/files/configure_fix.patch
+++ b/recipes-security/isic/files/configure_fix.patch
@@ -1,6 +1,7 @@
isic: add with-libnet remove libnet test
-Inappropriate - builds fine on non-oe systems. We need to exlude
+Upstream-Status: Inappropriate [embedded specific]
+builds fine on non-oe systems. We need to exlude
cross compile libnet test. Pass in the location for libnet.a. Path
did not support mulitlib either.
diff --git a/recipes-security/isic/files/isic-0.07-make.patch b/recipes-security/isic/files/isic-0.07-make.patch
index 9cffa8a..94349ce 100644
--- a/recipes-security/isic/files/isic-0.07-make.patch
+++ b/recipes-security/isic/files/isic-0.07-make.patch
@@ -1,6 +1,6 @@
isic: Fixup makefile to support destination
-Backport:
+Upstream-Status: Backport
http://pkgs.fedoraproject.org/cgit/isic.git/tree/isic-0.07-make.patch
Signed-off-by: Armin Kuster <akuser808@gmail.com>
diff --git a/recipes-security/isic/files/isic-0.07-netinet.patch b/recipes-security/isic/files/isic-0.07-netinet.patch
index c4ea74e..448ba68 100644
--- a/recipes-security/isic/files/isic-0.07-netinet.patch
+++ b/recipes-security/isic/files/isic-0.07-netinet.patch
@@ -1,6 +1,6 @@
isic: add missing header file
-Backport:
+Upstream-Status: Backport
http://pkgs.fedoraproject.org/cgit/isic.git/tree/isic-0.07-netinet.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
diff --git a/recipes-security/isic/isic_0.07.bb b/recipes-security/isic/isic_0.07.bb
index fb6e904..28153e3 100644
--- a/recipes-security/isic/isic_0.07.bb
+++ b/recipes-security/isic/isic_0.07.bb
@@ -2,7 +2,7 @@ SUMMARY = "ISIC -- IP Stack Integrity Checker"
DESCRIPTION = "ISIC is a suite of utilities to exercise the stability of an IP Stack and its component stacks (TCP, UDP, ICMP et. al.)"
HOMEPAGE = "http://isic.sourceforge.net/"
SECTION = "security"
-LICENSE = "BSD"
+LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=d41d8cd98f00b204e9800998ecf8427e"
DEPENDS = "libnet"
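Review bot: The LICENSE change to `BSD-2-Clause` on L12795 is not backed by the checksum on L12796: `d41d8cd98f00b204e9800998ecf8427e` is the MD5 of empty input, so the LICENSE file being verified is empty and the build would accept any license text, or none, without noticing. Point LIC_FILES_CHKSUM at something that actually carries the BSD-2-Clause terms — a source-file header in the isic tree, or `file://${COMMON_LICENSE_DIR}/BSD-2-Clause;md5=<md5 of that file>` — and record that file's checksum so the license claim is checked rather than asserted.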
diff --git a/recipes-security/krill/files/panic_workaround.patch b/recipes-security/krill/files/panic_workaround.patch
new file mode 100644
index 0000000..f63169f
--- /dev/null
+++ b/recipes-security/krill/files/panic_workaround.patch
@@ -0,0 +1,16 @@
+Upstream-Status: Inappropriate [OE specific]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/Cargo.toml
+===================================================================
+--- git.orig/Cargo.toml
++++ git/Cargo.toml
+@@ -91,7 +91,7 @@ hsm-tests-pkcs11 = [ "hsm" ]
+ # Make sure that Krill crashes on panics, rather than losing threads and
+ # limping on in a bad state.
+ [profile.release]
+-panic = "abort"
++#panic = "abort"
+
+ [dev-dependencies]
+ regex = "1.5.5"
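Review bot: The patch header on L12804-L12805 gives no reason for commenting out `panic = "abort"` (L12815-L12816), while the upstream comment it leaves in place (L12812-L12813) says the setting exists precisely so that Krill crashes on a panic instead of continuing in a bad state; the OE build therefore changes how the binary behaves after a panic with no record of why. Add a sentence to the header naming the concrete build or runtime problem the workaround addresses and when it can be dropped, e.g. `Disabling panic=abort because <problem observed in the OE build>; revisit once <condition>.` so the next person bumping krill can decide whether it is still needed.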
diff --git a/recipes-security/krill/krill-crates.inc b/recipes-security/krill/krill-crates.inc
new file mode 100644
index 0000000..85830ec
--- /dev/null
+++ b/recipes-security/krill/krill-crates.inc
@@ -0,0 +1,550 @@
+# Autogenerated with 'bitbake -c update_crates krill'
+
+# from Cargo.lock
+SRC_URI += " \
+ crate://crates.io/addr2line/0.17.0;name=addr2line-0.17.0 \
+ crate://crates.io/adler/1.0.2;name=adler-1.0.2 \
+ crate://crates.io/adler32/1.2.0;name=adler32-1.2.0 \
+ crate://crates.io/aho-corasick/0.7.18;name=aho-corasick-0.7.18 \
+ crate://crates.io/android_system_properties/0.1.5;name=android_system_properties-0.1.5 \
+ crate://crates.io/ansi_term/0.12.1;name=ansi_term-0.12.1 \
+ crate://crates.io/ascii/1.0.0;name=ascii-1.0.0 \
+ crate://crates.io/ascii-canvas/3.0.0;name=ascii-canvas-3.0.0 \
+ crate://crates.io/atty/0.2.14;name=atty-0.2.14 \
+ crate://crates.io/autocfg/1.1.0;name=autocfg-1.1.0 \
+ crate://crates.io/backoff/0.3.0;name=backoff-0.3.0 \
+ crate://crates.io/backtrace/0.3.66;name=backtrace-0.3.66 \
+ crate://crates.io/base64/0.13.0;name=base64-0.13.0 \
+ crate://crates.io/basic-cookies/0.1.4;name=basic-cookies-0.1.4 \
+ crate://crates.io/bcder/0.7.0;name=bcder-0.7.0 \
+ crate://crates.io/bit-set/0.5.2;name=bit-set-0.5.2 \
+ crate://crates.io/bit-vec/0.6.3;name=bit-vec-0.6.3 \
+ crate://crates.io/bitflags/1.3.2;name=bitflags-1.3.2 \
+ crate://crates.io/block-buffer/0.9.0;name=block-buffer-0.9.0 \
+ crate://crates.io/block-buffer/0.10.2;name=block-buffer-0.10.2 \
+ crate://crates.io/bumpalo/3.10.0;name=bumpalo-3.10.0 \
+ crate://crates.io/bytes/1.1.0;name=bytes-1.1.0 \
+ crate://crates.io/cc/1.0.73;name=cc-1.0.73 \
+ crate://crates.io/cfg-if/1.0.0;name=cfg-if-1.0.0 \
+ crate://crates.io/chrono/0.4.22;name=chrono-0.4.22 \
+ crate://crates.io/chunked_transfer/1.4.0;name=chunked_transfer-1.4.0 \
+ crate://crates.io/cipher/0.2.5;name=cipher-0.2.5 \
+ crate://crates.io/clap/2.34.0;name=clap-2.34.0 \
+ crate://crates.io/codespan-reporting/0.11.1;name=codespan-reporting-0.11.1 \
+ crate://crates.io/core-foundation/0.9.3;name=core-foundation-0.9.3 \
+ crate://crates.io/core-foundation-sys/0.8.3;name=core-foundation-sys-0.8.3 \
+ crate://crates.io/cpufeatures/0.2.2;name=cpufeatures-0.2.2 \
+ crate://crates.io/crc32fast/1.3.2;name=crc32fast-1.3.2 \
+ crate://crates.io/crunchy/0.2.2;name=crunchy-0.2.2 \
+ crate://crates.io/crypto-common/0.1.6;name=crypto-common-0.1.6 \
+ crate://crates.io/crypto-mac/0.10.1;name=crypto-mac-0.10.1 \
+ crate://crates.io/cryptoki/0.3.0;name=cryptoki-0.3.0 \
+ crate://crates.io/cryptoki-sys/0.1.4;name=cryptoki-sys-0.1.4 \
+ crate://crates.io/ctrlc/3.2.2;name=ctrlc-3.2.2 \
+ crate://crates.io/cxx/1.0.79;name=cxx-1.0.79 \
+ crate://crates.io/cxx-build/1.0.79;name=cxx-build-1.0.79 \
+ crate://crates.io/cxxbridge-flags/1.0.79;name=cxxbridge-flags-1.0.79 \
+ crate://crates.io/cxxbridge-macro/1.0.79;name=cxxbridge-macro-1.0.79 \
+ crate://crates.io/derivative/2.2.0;name=derivative-2.2.0 \
+ crate://crates.io/deunicode/0.4.3;name=deunicode-0.4.3 \
+ crate://crates.io/diff/0.1.13;name=diff-0.1.13 \
+ crate://crates.io/digest/0.9.0;name=digest-0.9.0 \
+ crate://crates.io/digest/0.10.3;name=digest-0.10.3 \
+ crate://crates.io/dirs-next/2.0.0;name=dirs-next-2.0.0 \
+ crate://crates.io/dirs-sys-next/0.1.2;name=dirs-sys-next-0.1.2 \
+ crate://crates.io/either/1.7.0;name=either-1.7.0 \
+ crate://crates.io/ena/0.14.0;name=ena-0.14.0 \
+ crate://crates.io/encoding_rs/0.8.31;name=encoding_rs-0.8.31 \
+ crate://crates.io/enum-display-derive/0.1.1;name=enum-display-derive-0.1.1 \
+ crate://crates.io/enum-flags/0.1.8;name=enum-flags-0.1.8 \
+ crate://crates.io/error-chain/0.11.0;name=error-chain-0.11.0 \
+ crate://crates.io/fastrand/1.7.0;name=fastrand-1.7.0 \
+ crate://crates.io/fern/0.5.9;name=fern-0.5.9 \
+ crate://crates.io/fixedbitset/0.4.2;name=fixedbitset-0.4.2 \
+ crate://crates.io/fnv/1.0.7;name=fnv-1.0.7 \
+ crate://crates.io/foreign-types/0.3.2;name=foreign-types-0.3.2 \
+ crate://crates.io/foreign-types-shared/0.1.1;name=foreign-types-shared-0.1.1 \
+ crate://crates.io/form_urlencoded/1.0.1;name=form_urlencoded-1.0.1 \
+ crate://crates.io/fslock/0.2.1;name=fslock-0.2.1 \
+ crate://crates.io/futures/0.3.21;name=futures-0.3.21 \
+ crate://crates.io/futures-channel/0.3.21;name=futures-channel-0.3.21 \
+ crate://crates.io/futures-core/0.3.21;name=futures-core-0.3.21 \
+ crate://crates.io/futures-executor/0.3.21;name=futures-executor-0.3.21 \
+ crate://crates.io/futures-io/0.3.21;name=futures-io-0.3.21 \
+ crate://crates.io/futures-macro/0.3.21;name=futures-macro-0.3.21 \
+ crate://crates.io/futures-sink/0.3.21;name=futures-sink-0.3.21 \
+ crate://crates.io/futures-task/0.3.21;name=futures-task-0.3.21 \
+ crate://crates.io/futures-util/0.3.21;name=futures-util-0.3.21 \
+ crate://crates.io/generic-array/0.14.5;name=generic-array-0.14.5 \
+ crate://crates.io/getrandom/0.2.7;name=getrandom-0.2.7 \
+ crate://crates.io/gimli/0.26.2;name=gimli-0.26.2 \
+ crate://crates.io/h2/0.3.13;name=h2-0.3.13 \
+ crate://crates.io/hashbrown/0.12.3;name=hashbrown-0.12.3 \
+ crate://crates.io/hermit-abi/0.1.19;name=hermit-abi-0.1.19 \
+ crate://crates.io/hex/0.4.3;name=hex-0.4.3 \
+ crate://crates.io/hmac/0.10.1;name=hmac-0.10.1 \
+ crate://crates.io/http/0.2.8;name=http-0.2.8 \
+ crate://crates.io/http-body/0.4.5;name=http-body-0.4.5 \
+ crate://crates.io/httparse/1.7.1;name=httparse-1.7.1 \
+ crate://crates.io/httpdate/1.0.2;name=httpdate-1.0.2 \
+ crate://crates.io/hyper/0.14.20;name=hyper-0.14.20 \
+ crate://crates.io/hyper-tls/0.5.0;name=hyper-tls-0.5.0 \
+ crate://crates.io/iana-time-zone/0.1.51;name=iana-time-zone-0.1.51 \
+ crate://crates.io/iana-time-zone-haiku/0.1.1;name=iana-time-zone-haiku-0.1.1 \
+ crate://crates.io/idna/0.2.3;name=idna-0.2.3 \
+ crate://crates.io/impl-trait-for-tuples/0.2.2;name=impl-trait-for-tuples-0.2.2 \
+ crate://crates.io/indexmap/1.9.1;name=indexmap-1.9.1 \
+ crate://crates.io/instant/0.1.12;name=instant-0.1.12 \
+ crate://crates.io/intervaltree/0.2.7;name=intervaltree-0.2.7 \
+ crate://crates.io/ipnet/2.5.0;name=ipnet-2.5.0 \
+ crate://crates.io/itertools/0.10.3;name=itertools-0.10.3 \
+ crate://crates.io/itoa/1.0.2;name=itoa-1.0.2 \
+ crate://crates.io/jmespatch/0.3.0;name=jmespatch-0.3.0 \
+ crate://crates.io/js-sys/0.3.58;name=js-sys-0.3.58 \
+ crate://crates.io/kmip-protocol/0.4.2;name=kmip-protocol-0.4.2 \
+ crate://crates.io/kmip-ttlv/0.3.3;name=kmip-ttlv-0.3.3 \
+ crate://crates.io/lalrpop/0.19.8;name=lalrpop-0.19.8 \
+ crate://crates.io/lalrpop-util/0.19.8;name=lalrpop-util-0.19.8 \
+ crate://crates.io/lazy_static/1.4.0;name=lazy_static-1.4.0 \
+ crate://crates.io/libc/0.2.126;name=libc-0.2.126 \
+ crate://crates.io/libflate/1.2.0;name=libflate-1.2.0 \
+ crate://crates.io/libflate_lz77/1.1.0;name=libflate_lz77-1.1.0 \
+ crate://crates.io/libloading/0.7.3;name=libloading-0.7.3 \
+ crate://crates.io/link-cplusplus/1.0.7;name=link-cplusplus-1.0.7 \
+ crate://crates.io/lock_api/0.4.7;name=lock_api-0.4.7 \
+ crate://crates.io/log/0.4.17;name=log-0.4.17 \
+ crate://crates.io/maplit/1.0.2;name=maplit-1.0.2 \
+ crate://crates.io/matchers/0.0.1;name=matchers-0.0.1 \
+ crate://crates.io/matches/0.1.9;name=matches-0.1.9 \
+ crate://crates.io/maybe-async/0.2.6;name=maybe-async-0.2.6 \
+ crate://crates.io/memchr/2.5.0;name=memchr-2.5.0 \
+ crate://crates.io/mime/0.3.16;name=mime-0.3.16 \
+ crate://crates.io/miniz_oxide/0.5.3;name=miniz_oxide-0.5.3 \
+ crate://crates.io/mio/0.8.4;name=mio-0.8.4 \
+ crate://crates.io/native-tls/0.2.10;name=native-tls-0.2.10 \
+ crate://crates.io/new_debug_unreachable/1.0.4;name=new_debug_unreachable-1.0.4 \
+ crate://crates.io/nix/0.24.2;name=nix-0.24.2 \
+ crate://crates.io/num-bigint/0.4.3;name=num-bigint-0.4.3 \
+ crate://crates.io/num-integer/0.1.45;name=num-integer-0.1.45 \
+ crate://crates.io/num-traits/0.2.15;name=num-traits-0.2.15 \
+ crate://crates.io/num_cpus/1.13.1;name=num_cpus-1.13.1 \
+ crate://crates.io/oauth2/4.2.3;name=oauth2-4.2.3 \
+ crate://crates.io/object/0.29.0;name=object-0.29.0 \
+ crate://crates.io/once_cell/1.13.0;name=once_cell-1.13.0 \
+ crate://crates.io/opaque-debug/0.3.0;name=opaque-debug-0.3.0 \
+ crate://crates.io/openidconnect/2.3.2;name=openidconnect-2.3.2 \
+ crate://crates.io/openssl/0.10.41;name=openssl-0.10.41 \
+ crate://crates.io/openssl-macros/0.1.0;name=openssl-macros-0.1.0 \
+ crate://crates.io/openssl-probe/0.1.5;name=openssl-probe-0.1.5 \
+ crate://crates.io/openssl-src/111.25.0+1.1.1t;name=openssl-src-111.25.0+1.1.1t \
+ crate://crates.io/openssl-sys/0.9.75;name=openssl-sys-0.9.75 \
+ crate://crates.io/ordered-float/2.10.0;name=ordered-float-2.10.0 \
+ crate://crates.io/oso/0.12.4;name=oso-0.12.4 \
+ crate://crates.io/parking_lot/0.12.1;name=parking_lot-0.12.1 \
+ crate://crates.io/parking_lot_core/0.9.3;name=parking_lot_core-0.9.3 \
+ crate://crates.io/pbkdf2/0.7.5;name=pbkdf2-0.7.5 \
+ crate://crates.io/percent-encoding/2.1.0;name=percent-encoding-2.1.0 \
+ crate://crates.io/petgraph/0.6.2;name=petgraph-0.6.2 \
+ crate://crates.io/phf_shared/0.10.0;name=phf_shared-0.10.0 \
+ crate://crates.io/pico-args/0.4.2;name=pico-args-0.4.2 \
+ crate://crates.io/pin-project-lite/0.2.9;name=pin-project-lite-0.2.9 \
+ crate://crates.io/pin-utils/0.1.0;name=pin-utils-0.1.0 \
+ crate://crates.io/pkg-config/0.3.25;name=pkg-config-0.3.25 \
+ crate://crates.io/polar-core/0.12.4;name=polar-core-0.12.4 \
+ crate://crates.io/ppv-lite86/0.2.16;name=ppv-lite86-0.2.16 \
+ crate://crates.io/precomputed-hash/0.1.1;name=precomputed-hash-0.1.1 \
+ crate://crates.io/priority-queue/1.2.2;name=priority-queue-1.2.2 \
+ crate://crates.io/proc-macro2/1.0.40;name=proc-macro2-1.0.40 \
+ crate://crates.io/quick-xml/0.23.0;name=quick-xml-0.23.0 \
+ crate://crates.io/quote/1.0.20;name=quote-1.0.20 \
+ crate://crates.io/r2d2/0.8.10;name=r2d2-0.8.10 \
+ crate://crates.io/rand/0.8.5;name=rand-0.8.5 \
+ crate://crates.io/rand_chacha/0.3.1;name=rand_chacha-0.3.1 \
+ crate://crates.io/rand_core/0.6.3;name=rand_core-0.6.3 \
+ crate://crates.io/redox_syscall/0.2.13;name=redox_syscall-0.2.13 \
+ crate://crates.io/redox_users/0.4.3;name=redox_users-0.4.3 \
+ crate://crates.io/regex/1.6.0;name=regex-1.6.0 \
+ crate://crates.io/regex-automata/0.1.10;name=regex-automata-0.1.10 \
+ crate://crates.io/regex-syntax/0.6.27;name=regex-syntax-0.6.27 \
+ crate://crates.io/remove_dir_all/0.5.3;name=remove_dir_all-0.5.3 \
+ crate://crates.io/reqwest/0.11.11;name=reqwest-0.11.11 \
+ crate://crates.io/ring/0.16.20;name=ring-0.16.20 \
+ crate://crates.io/rle-decode-fast/1.0.3;name=rle-decode-fast-1.0.3 \
+ crate://crates.io/routecore/0.2.0;name=routecore-0.2.0 \
+ crate://crates.io/rpassword/5.0.1;name=rpassword-5.0.1 \
+ crate://crates.io/rpki/0.15.8;name=rpki-0.15.8 \
+ crate://crates.io/rustc-demangle/0.1.21;name=rustc-demangle-0.1.21 \
+ crate://crates.io/rustc_version/0.4.0;name=rustc_version-0.4.0 \
+ crate://crates.io/rustls/0.19.1;name=rustls-0.19.1 \
+ crate://crates.io/rustversion/1.0.8;name=rustversion-1.0.8 \
+ crate://crates.io/ryu/1.0.10;name=ryu-1.0.10 \
+ crate://crates.io/salsa20/0.7.2;name=salsa20-0.7.2 \
+ crate://crates.io/schannel/0.1.20;name=schannel-0.1.20 \
+ crate://crates.io/scheduled-thread-pool/0.2.6;name=scheduled-thread-pool-0.2.6 \
+ crate://crates.io/scopeguard/1.1.0;name=scopeguard-1.1.0 \
+ crate://crates.io/scratch/1.0.2;name=scratch-1.0.2 \
+ crate://crates.io/scrypt/0.6.5;name=scrypt-0.6.5 \
+ crate://crates.io/sct/0.6.1;name=sct-0.6.1 \
+ crate://crates.io/security-framework/2.6.1;name=security-framework-2.6.1 \
+ crate://crates.io/security-framework-sys/2.6.1;name=security-framework-sys-2.6.1 \
+ crate://crates.io/semver/1.0.12;name=semver-1.0.12 \
+ crate://crates.io/serde/1.0.139;name=serde-1.0.139 \
+ crate://crates.io/serde-value/0.7.0;name=serde-value-0.7.0 \
+ crate://crates.io/serde_bytes/0.11.6;name=serde_bytes-0.11.6 \
+ crate://crates.io/serde_derive/1.0.139;name=serde_derive-1.0.139 \
+ crate://crates.io/serde_json/1.0.82;name=serde_json-1.0.82 \
+ crate://crates.io/serde_path_to_error/0.1.7;name=serde_path_to_error-0.1.7 \
+ crate://crates.io/serde_urlencoded/0.7.1;name=serde_urlencoded-0.7.1 \
+ crate://crates.io/sha2/0.9.9;name=sha2-0.9.9 \
+ crate://crates.io/sha2/0.10.2;name=sha2-0.10.2 \
+ crate://crates.io/sharded-slab/0.1.4;name=sharded-slab-0.1.4 \
+ crate://crates.io/signal-hook-registry/1.4.0;name=signal-hook-registry-1.4.0 \
+ crate://crates.io/siphasher/0.3.10;name=siphasher-0.3.10 \
+ crate://crates.io/slab/0.4.6;name=slab-0.4.6 \
+ crate://crates.io/slug/0.1.4;name=slug-0.1.4 \
+ crate://crates.io/smallvec/1.9.0;name=smallvec-1.9.0 \
+ crate://crates.io/socket2/0.4.4;name=socket2-0.4.4 \
+ crate://crates.io/spin/0.5.2;name=spin-0.5.2 \
+ crate://crates.io/string_cache/0.8.4;name=string_cache-0.8.4 \
+ crate://crates.io/strsim/0.8.0;name=strsim-0.8.0 \
+ crate://crates.io/subtle/2.4.1;name=subtle-2.4.1 \
+ crate://crates.io/syn/1.0.98;name=syn-1.0.98 \
+ crate://crates.io/syslog/4.0.1;name=syslog-4.0.1 \
+ crate://crates.io/target-lexicon/0.12.4;name=target-lexicon-0.12.4 \
+ crate://crates.io/tempfile/3.3.0;name=tempfile-3.3.0 \
+ crate://crates.io/term/0.7.0;name=term-0.7.0 \
+ crate://crates.io/termcolor/1.1.3;name=termcolor-1.1.3 \
+ crate://crates.io/textwrap/0.11.0;name=textwrap-0.11.0 \
+ crate://crates.io/thiserror/1.0.31;name=thiserror-1.0.31 \
+ crate://crates.io/thiserror-impl/1.0.31;name=thiserror-impl-1.0.31 \
+ crate://crates.io/thread_local/1.1.4;name=thread_local-1.1.4 \
+ crate://crates.io/time/0.1.44;name=time-0.1.44 \
+ crate://crates.io/tiny-keccak/2.0.2;name=tiny-keccak-2.0.2 \
+ crate://crates.io/tiny_http/0.8.2;name=tiny_http-0.8.2 \
+ crate://crates.io/tinyvec/1.6.0;name=tinyvec-1.6.0 \
+ crate://crates.io/tinyvec_macros/0.1.0;name=tinyvec_macros-0.1.0 \
+ crate://crates.io/tokio/1.20.4;name=tokio-1.20.4 \
+ crate://crates.io/tokio-macros/1.8.0;name=tokio-macros-1.8.0 \
+ crate://crates.io/tokio-native-tls/0.3.0;name=tokio-native-tls-0.3.0 \
+ crate://crates.io/tokio-rustls/0.22.0;name=tokio-rustls-0.22.0 \
+ crate://crates.io/tokio-util/0.7.3;name=tokio-util-0.7.3 \
+ crate://crates.io/toml/0.5.9;name=toml-0.5.9 \
+ crate://crates.io/tower-service/0.3.2;name=tower-service-0.3.2 \
+ crate://crates.io/tracing/0.1.35;name=tracing-0.1.35 \
+ crate://crates.io/tracing-attributes/0.1.22;name=tracing-attributes-0.1.22 \
+ crate://crates.io/tracing-core/0.1.28;name=tracing-core-0.1.28 \
+ crate://crates.io/tracing-log/0.1.3;name=tracing-log-0.1.3 \
+ crate://crates.io/tracing-serde/0.1.3;name=tracing-serde-0.1.3 \
+ crate://crates.io/tracing-subscriber/0.2.25;name=tracing-subscriber-0.2.25 \
+ crate://crates.io/trait-set/0.2.0;name=trait-set-0.2.0 \
+ crate://crates.io/try-lock/0.2.3;name=try-lock-0.2.3 \
+ crate://crates.io/typenum/1.15.0;name=typenum-1.15.0 \
+ crate://crates.io/unicode-bidi/0.3.8;name=unicode-bidi-0.3.8 \
+ crate://crates.io/unicode-ident/1.0.2;name=unicode-ident-1.0.2 \
+ crate://crates.io/unicode-normalization/0.1.21;name=unicode-normalization-0.1.21 \
+ crate://crates.io/unicode-width/0.1.9;name=unicode-width-0.1.9 \
+ crate://crates.io/unicode-xid/0.2.3;name=unicode-xid-0.2.3 \
+ crate://crates.io/untrusted/0.7.1;name=untrusted-0.7.1 \
+ crate://crates.io/url/2.2.2;name=url-2.2.2 \
+ crate://crates.io/urlparse/0.7.3;name=urlparse-0.7.3 \
+ crate://crates.io/uuid/1.1.2;name=uuid-1.1.2 \
+ crate://crates.io/valuable/0.1.0;name=valuable-0.1.0 \
+ crate://crates.io/vcpkg/0.2.15;name=vcpkg-0.2.15 \
+ crate://crates.io/vec_map/0.8.2;name=vec_map-0.8.2 \
+ crate://crates.io/version_check/0.9.4;name=version_check-0.9.4 \
+ crate://crates.io/want/0.3.0;name=want-0.3.0 \
+ crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1;name=wasi-0.10.0+wasi-snapshot-preview1 \
+ crate://crates.io/wasi/0.11.0+wasi-snapshot-preview1;name=wasi-0.11.0+wasi-snapshot-preview1 \
+ crate://crates.io/wasm-bindgen/0.2.81;name=wasm-bindgen-0.2.81 \
+ crate://crates.io/wasm-bindgen-backend/0.2.81;name=wasm-bindgen-backend-0.2.81 \
+ crate://crates.io/wasm-bindgen-futures/0.4.31;name=wasm-bindgen-futures-0.4.31 \
+ crate://crates.io/wasm-bindgen-macro/0.2.81;name=wasm-bindgen-macro-0.2.81 \
+ crate://crates.io/wasm-bindgen-macro-support/0.2.81;name=wasm-bindgen-macro-support-0.2.81 \
+ crate://crates.io/wasm-bindgen-shared/0.2.81;name=wasm-bindgen-shared-0.2.81 \
+ crate://crates.io/web-sys/0.3.58;name=web-sys-0.3.58 \
+ crate://crates.io/webpki/0.21.4;name=webpki-0.21.4 \
+ crate://crates.io/winapi/0.3.9;name=winapi-0.3.9 \
+ crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0;name=winapi-i686-pc-windows-gnu-0.4.0 \
+ crate://crates.io/winapi-util/0.1.5;name=winapi-util-0.1.5 \
+ crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0;name=winapi-x86_64-pc-windows-gnu-0.4.0 \
+ crate://crates.io/windows-sys/0.36.1;name=windows-sys-0.36.1 \
+ crate://crates.io/windows_aarch64_msvc/0.36.1;name=windows_aarch64_msvc-0.36.1 \
+ crate://crates.io/windows_i686_gnu/0.36.1;name=windows_i686_gnu-0.36.1 \
+ crate://crates.io/windows_i686_msvc/0.36.1;name=windows_i686_msvc-0.36.1 \
+ crate://crates.io/windows_x86_64_gnu/0.36.1;name=windows_x86_64_gnu-0.36.1 \
+ crate://crates.io/windows_x86_64_msvc/0.36.1;name=windows_x86_64_msvc-0.36.1 \
+ crate://crates.io/winreg/0.10.1;name=winreg-0.10.1 \
+"
+
+SRC_URI[addr2line-0.17.0.sha256sum] = "b9ecd88a8c8378ca913a680cd98f0f13ac67383d35993f86c90a70e3f137816b"
+SRC_URI[adler-1.0.2.sha256sum] = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
+SRC_URI[adler32-1.2.0.sha256sum] = "aae1277d39aeec15cb388266ecc24b11c80469deae6067e17a1a7aa9e5c1f234"
+SRC_URI[aho-corasick-0.7.18.sha256sum] = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f"
+SRC_URI[android_system_properties-0.1.5.sha256sum] = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
+SRC_URI[ansi_term-0.12.1.sha256sum] = "d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2"
+SRC_URI[ascii-1.0.0.sha256sum] = "bbf56136a5198c7b01a49e3afcbef6cf84597273d298f54432926024107b0109"
+SRC_URI[ascii-canvas-3.0.0.sha256sum] = "8824ecca2e851cec16968d54a01dd372ef8f95b244fb84b84e70128be347c3c6"
+SRC_URI[atty-0.2.14.sha256sum] = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
+SRC_URI[autocfg-1.1.0.sha256sum] = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+SRC_URI[backoff-0.3.0.sha256sum] = "9fe17f59a06fe8b87a6fc8bf53bb70b3aba76d7685f432487a68cd5552853625"
+SRC_URI[backtrace-0.3.66.sha256sum] = "cab84319d616cfb654d03394f38ab7e6f0919e181b1b57e1fd15e7fb4077d9a7"
+SRC_URI[base64-0.13.0.sha256sum] = "904dfeac50f3cdaba28fc6f57fdcddb75f49ed61346676a78c4ffe55877802fd"
+SRC_URI[basic-cookies-0.1.4.sha256sum] = "cb53b6b315f924c7f113b162e53b3901c05fc9966baf84d201dfcc7432a4bb38"
+SRC_URI[bcder-0.7.0.sha256sum] = "f007d8acfb8ef7d219911c7164c025a6d3504735120fc5df59c3c479ab84ea51"
+SRC_URI[bit-set-0.5.2.sha256sum] = "6e11e16035ea35e4e5997b393eacbf6f63983188f7a2ad25bfb13465f5ad59de"
+SRC_URI[bit-vec-0.6.3.sha256sum] = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
+SRC_URI[bitflags-1.3.2.sha256sum] = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+SRC_URI[block-buffer-0.9.0.sha256sum] = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4"
+SRC_URI[block-buffer-0.10.2.sha256sum] = "0bf7fe51849ea569fd452f37822f606a5cabb684dc918707a0193fd4664ff324"
+SRC_URI[bumpalo-3.10.0.sha256sum] = "37ccbd214614c6783386c1af30caf03192f17891059cecc394b4fb119e363de3"
+SRC_URI[bytes-1.1.0.sha256sum] = "c4872d67bab6358e59559027aa3b9157c53d9358c51423c17554809a8858e0f8"
+SRC_URI[cc-1.0.73.sha256sum] = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[chrono-0.4.22.sha256sum] = "bfd4d1b31faaa3a89d7934dbded3111da0d2ef28e3ebccdb4f0179f5929d1ef1"
+SRC_URI[chunked_transfer-1.4.0.sha256sum] = "fff857943da45f546682664a79488be82e69e43c1a7a2307679ab9afb3a66d2e"
+SRC_URI[cipher-0.2.5.sha256sum] = "12f8e7987cbd042a63249497f41aed09f8e65add917ea6566effbc56578d6801"
+SRC_URI[clap-2.34.0.sha256sum] = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c"
+SRC_URI[codespan-reporting-0.11.1.sha256sum] = "3538270d33cc669650c4b093848450d380def10c331d38c768e34cac80576e6e"
+SRC_URI[core-foundation-0.9.3.sha256sum] = "194a7a9e6de53fa55116934067c844d9d749312f75c6f6d0980e8c252f8c2146"
+SRC_URI[core-foundation-sys-0.8.3.sha256sum] = "5827cebf4670468b8772dd191856768aedcb1b0278a04f989f7766351917b9dc"
+SRC_URI[cpufeatures-0.2.2.sha256sum] = "59a6001667ab124aebae2a495118e11d30984c3a653e99d86d58971708cf5e4b"
+SRC_URI[crc32fast-1.3.2.sha256sum] = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d"
+SRC_URI[crunchy-0.2.2.sha256sum] = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7"
+SRC_URI[crypto-common-0.1.6.sha256sum] = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+SRC_URI[crypto-mac-0.10.1.sha256sum] = "bff07008ec701e8028e2ceb8f83f0e4274ee62bd2dbdc4fefff2e9a91824081a"
+SRC_URI[cryptoki-0.3.0.sha256sum] = "503aa2bd88796da9bc6baf2c47696da40f135721b3d6680c7c6cee0b7d1f7a59"
+SRC_URI[cryptoki-sys-0.1.4.sha256sum] = "1e4895bb04269df9a14f2692c6499dc2769e9a93caa33ef37c4df134f76956d2"
+SRC_URI[ctrlc-3.2.2.sha256sum] = "b37feaa84e6861e00a1f5e5aa8da3ee56d605c9992d33e082786754828e20865"
+SRC_URI[cxx-1.0.79.sha256sum] = "3f83d0ebf42c6eafb8d7c52f7e5f2d3003b89c7aa4fd2b79229209459a849af8"
+SRC_URI[cxx-build-1.0.79.sha256sum] = "07d050484b55975889284352b0ffc2ecbda25c0c55978017c132b29ba0818a86"
+SRC_URI[cxxbridge-flags-1.0.79.sha256sum] = "99d2199b00553eda8012dfec8d3b1c75fce747cf27c169a270b3b99e3448ab78"
+SRC_URI[cxxbridge-macro-1.0.79.sha256sum] = "dcb67a6de1f602736dd7eaead0080cf3435df806c61b24b13328db128c58868f"
+SRC_URI[derivative-2.2.0.sha256sum] = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b"
+SRC_URI[deunicode-0.4.3.sha256sum] = "850878694b7933ca4c9569d30a34b55031b9b139ee1fc7b94a527c4ef960d690"
+SRC_URI[diff-0.1.13.sha256sum] = "56254986775e3233ffa9c4d7d3faaf6d36a2c09d30b20687e9f88bc8bafc16c8"
+SRC_URI[digest-0.9.0.sha256sum] = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
+SRC_URI[digest-0.10.3.sha256sum] = "f2fb860ca6fafa5552fb6d0e816a69c8e49f0908bf524e30a90d97c85892d506"
+SRC_URI[dirs-next-2.0.0.sha256sum] = "b98cf8ebf19c3d1b223e151f99a4f9f0690dca41414773390fc824184ac833e1"
+SRC_URI[dirs-sys-next-0.1.2.sha256sum] = "4ebda144c4fe02d1f7ea1a7d9641b6fc6b580adcfa024ae48797ecdeb6825b4d"
+SRC_URI[either-1.7.0.sha256sum] = "3f107b87b6afc2a64fd13cac55fe06d6c8859f12d4b14cbcdd2c67d0976781be"
+SRC_URI[ena-0.14.0.sha256sum] = "d7402b94a93c24e742487327a7cd839dc9d36fec9de9fb25b09f2dae459f36c3"
+SRC_URI[encoding_rs-0.8.31.sha256sum] = "9852635589dc9f9ea1b6fe9f05b50ef208c85c834a562f0c6abb1c475736ec2b"
+SRC_URI[enum-display-derive-0.1.1.sha256sum] = "f16ef37b2a9b242295d61a154ee91ae884afff6b8b933b486b12481cc58310ca"
+SRC_URI[enum-flags-0.1.8.sha256sum] = "3682d2328e61f5529088a02cd20bb0a9aeaeeeb2f26597436dd7d75d1340f8f5"
+SRC_URI[error-chain-0.11.0.sha256sum] = "ff511d5dc435d703f4971bc399647c9bc38e20cb41452e3b9feb4765419ed3f3"
+SRC_URI[fastrand-1.7.0.sha256sum] = "c3fcf0cee53519c866c09b5de1f6c56ff9d647101f81c1964fa632e148896cdf"
+SRC_URI[fern-0.5.9.sha256sum] = "e69ab0d5aca163e388c3a49d284fed6c3d0810700e77c5ae2756a50ec1a4daaa"
+SRC_URI[fixedbitset-0.4.2.sha256sum] = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80"
+SRC_URI[fnv-1.0.7.sha256sum] = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+SRC_URI[foreign-types-0.3.2.sha256sum] = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+SRC_URI[foreign-types-shared-0.1.1.sha256sum] = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+SRC_URI[form_urlencoded-1.0.1.sha256sum] = "5fc25a87fa4fd2094bffb06925852034d90a17f0d1e05197d4956d3555752191"
+SRC_URI[fslock-0.2.1.sha256sum] = "04412b8935272e3a9bae6f48c7bfff74c2911f60525404edfdd28e49884c3bfb"
+SRC_URI[futures-0.3.21.sha256sum] = "f73fe65f54d1e12b726f517d3e2135ca3125a437b6d998caf1962961f7172d9e"
+SRC_URI[futures-channel-0.3.21.sha256sum] = "c3083ce4b914124575708913bca19bfe887522d6e2e6d0952943f5eac4a74010"
+SRC_URI[futures-core-0.3.21.sha256sum] = "0c09fd04b7e4073ac7156a9539b57a484a8ea920f79c7c675d05d289ab6110d3"
+SRC_URI[futures-executor-0.3.21.sha256sum] = "9420b90cfa29e327d0429f19be13e7ddb68fa1cccb09d65e5706b8c7a749b8a6"
+SRC_URI[futures-io-0.3.21.sha256sum] = "fc4045962a5a5e935ee2fdedaa4e08284547402885ab326734432bed5d12966b"
+SRC_URI[futures-macro-0.3.21.sha256sum] = "33c1e13800337f4d4d7a316bf45a567dbcb6ffe087f16424852d97e97a91f512"
+SRC_URI[futures-sink-0.3.21.sha256sum] = "21163e139fa306126e6eedaf49ecdb4588f939600f0b1e770f4205ee4b7fa868"
+SRC_URI[futures-task-0.3.21.sha256sum] = "57c66a976bf5909d801bbef33416c41372779507e7a6b3a5e25e4749c58f776a"
+SRC_URI[futures-util-0.3.21.sha256sum] = "d8b7abd5d659d9b90c8cba917f6ec750a74e2dc23902ef9cd4cc8c8b22e6036a"
+SRC_URI[generic-array-0.14.5.sha256sum] = "fd48d33ec7f05fbfa152300fdad764757cbded343c1aa1cff2fbaf4134851803"
+SRC_URI[getrandom-0.2.7.sha256sum] = "4eb1a864a501629691edf6c15a593b7a51eebaa1e8468e9ddc623de7c9b58ec6"
+SRC_URI[gimli-0.26.2.sha256sum] = "22030e2c5a68ec659fde1e949a745124b48e6fa8b045b7ed5bd1fe4ccc5c4e5d"
+SRC_URI[h2-0.3.13.sha256sum] = "37a82c6d637fc9515a4694bbf1cb2457b79d81ce52b3108bdeea58b07dd34a57"
+SRC_URI[hashbrown-0.12.3.sha256sum] = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
+SRC_URI[hermit-abi-0.1.19.sha256sum] = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
+SRC_URI[hex-0.4.3.sha256sum] = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+SRC_URI[hmac-0.10.1.sha256sum] = "c1441c6b1e930e2817404b5046f1f989899143a12bf92de603b69f4e0aee1e15"
+SRC_URI[http-0.2.8.sha256sum] = "75f43d41e26995c17e71ee126451dd3941010b0514a81a9d11f3b341debc2399"
+SRC_URI[http-body-0.4.5.sha256sum] = "d5f38f16d184e36f2408a55281cd658ecbd3ca05cce6d6510a176eca393e26d1"
+SRC_URI[httparse-1.7.1.sha256sum] = "496ce29bb5a52785b44e0f7ca2847ae0bb839c9bd28f69acac9b99d461c0c04c"
+SRC_URI[httpdate-1.0.2.sha256sum] = "c4a1e36c821dbe04574f602848a19f742f4fb3c98d40449f11bcad18d6b17421"
+SRC_URI[hyper-0.14.20.sha256sum] = "02c929dc5c39e335a03c405292728118860721b10190d98c2a0f0efd5baafbac"
+SRC_URI[hyper-tls-0.5.0.sha256sum] = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905"
+SRC_URI[iana-time-zone-0.1.51.sha256sum] = "f5a6ef98976b22b3b7f2f3a806f858cb862044cfa66805aa3ad84cb3d3b785ed"
+SRC_URI[iana-time-zone-haiku-0.1.1.sha256sum] = "0703ae284fc167426161c2e3f1da3ea71d94b21bedbcc9494e92b28e334e3dca"
+SRC_URI[idna-0.2.3.sha256sum] = "418a0a6fab821475f634efe3ccc45c013f742efe03d853e8d3355d5cb850ecf8"
+SRC_URI[impl-trait-for-tuples-0.2.2.sha256sum] = "11d7a9f6330b71fea57921c9b61c47ee6e84f72d394754eff6163ae67e7395eb"
+SRC_URI[indexmap-1.9.1.sha256sum] = "10a35a97730320ffe8e2d410b5d3b69279b98d2c14bdb8b70ea89ecf7888d41e"
+SRC_URI[instant-0.1.12.sha256sum] = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c"
+SRC_URI[intervaltree-0.2.7.sha256sum] = "270bc34e57047cab801a8c871c124d9dc7132f6473c6401f645524f4e6edd111"
+SRC_URI[ipnet-2.5.0.sha256sum] = "879d54834c8c76457ef4293a689b2a8c59b076067ad77b15efafbb05f92a592b"
+SRC_URI[itertools-0.10.3.sha256sum] = "a9a9d19fa1e79b6215ff29b9d6880b706147f16e9b1dbb1e4e5947b5b02bc5e3"
+SRC_URI[itoa-1.0.2.sha256sum] = "112c678d4050afce233f4f2852bb2eb519230b3cf12f33585275537d7e41578d"
+SRC_URI[jmespatch-0.3.0.sha256sum] = "7acf91a732ade34d8eda2dee9500a051833f14f0d3d10d77c149845d6ac6a5f0"
+SRC_URI[js-sys-0.3.58.sha256sum] = "c3fac17f7123a73ca62df411b1bf727ccc805daa070338fda671c86dac1bdc27"
+SRC_URI[kmip-protocol-0.4.2.sha256sum] = "396744d490b405f4ff293057bae5625e03dcf8be70fd4ba8c6346a54e78fd837"
+SRC_URI[kmip-ttlv-0.3.3.sha256sum] = "1aa943fd7166db2cc2deaea17bd5c2862ccf68eef9ce15576bcee9e4b494685c"
+SRC_URI[lalrpop-0.19.8.sha256sum] = "b30455341b0e18f276fa64540aff54deafb54c589de6aca68659c63dd2d5d823"
+SRC_URI[lalrpop-util-0.19.8.sha256sum] = "bcf796c978e9b4d983414f4caedc9273aa33ee214c5b887bd55fde84c85d2dc4"
+SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+SRC_URI[libc-0.2.126.sha256sum] = "349d5a591cd28b49e1d1037471617a32ddcda5731b99419008085f72d5a53836"
+SRC_URI[libflate-1.2.0.sha256sum] = "05605ab2bce11bcfc0e9c635ff29ef8b2ea83f29be257ee7d730cac3ee373093"
+SRC_URI[libflate_lz77-1.1.0.sha256sum] = "39a734c0493409afcd49deee13c006a04e3586b9761a03543c6272c9c51f2f5a"
+SRC_URI[libloading-0.7.3.sha256sum] = "efbc0f03f9a775e9f6aed295c6a1ba2253c5757a9e03d55c6caa46a681abcddd"
+SRC_URI[link-cplusplus-1.0.7.sha256sum] = "9272ab7b96c9046fbc5bc56c06c117cb639fe2d509df0c421cad82d2915cf369"
+SRC_URI[lock_api-0.4.7.sha256sum] = "327fa5b6a6940e4699ec49a9beae1ea4845c6bab9314e4f84ac68742139d8c53"
+SRC_URI[log-0.4.17.sha256sum] = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e"
+SRC_URI[maplit-1.0.2.sha256sum] = "3e2e65a1a2e43cfcb47a895c4c8b10d1f4a61097f9f254f183aee60cad9c651d"
+SRC_URI[matchers-0.0.1.sha256sum] = "f099785f7595cc4b4553a174ce30dd7589ef93391ff414dbb67f62392b9e0ce1"
+SRC_URI[matches-0.1.9.sha256sum] = "a3e378b66a060d48947b590737b30a1be76706c8dd7b8ba0f2fe3989c68a853f"
+SRC_URI[maybe-async-0.2.6.sha256sum] = "6007f9dad048e0a224f27ca599d669fca8cfa0dac804725aab542b2eb032bce6"
+SRC_URI[memchr-2.5.0.sha256sum] = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"
+SRC_URI[mime-0.3.16.sha256sum] = "2a60c7ce501c71e03a9c9c0d35b861413ae925bd979cc7a4e30d060069aaac8d"
+SRC_URI[miniz_oxide-0.5.3.sha256sum] = "6f5c75688da582b8ffc1f1799e9db273f32133c49e048f614d22ec3256773ccc"
+SRC_URI[mio-0.8.4.sha256sum] = "57ee1c23c7c63b0c9250c339ffdc69255f110b298b901b9f6c82547b7b87caaf"
+SRC_URI[native-tls-0.2.10.sha256sum] = "fd7e2f3618557f980e0b17e8856252eee3c97fa12c54dff0ca290fb6266ca4a9"
+SRC_URI[new_debug_unreachable-1.0.4.sha256sum] = "e4a24736216ec316047a1fc4252e27dabb04218aa4a3f37c6e7ddbf1f9782b54"
+SRC_URI[nix-0.24.2.sha256sum] = "195cdbc1741b8134346d515b3a56a1c94b0912758009cfd53f99ea0f57b065fc"
+SRC_URI[num-bigint-0.4.3.sha256sum] = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f"
+SRC_URI[num-integer-0.1.45.sha256sum] = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
+SRC_URI[num-traits-0.2.15.sha256sum] = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
+SRC_URI[num_cpus-1.13.1.sha256sum] = "19e64526ebdee182341572e50e9ad03965aa510cd94427a4549448f285e957a1"
+SRC_URI[oauth2-4.2.3.sha256sum] = "6d62c436394991641b970a92e23e8eeb4eb9bca74af4f5badc53bcd568daadbd"
+SRC_URI[object-0.29.0.sha256sum] = "21158b2c33aa6d4561f1c0a6ea283ca92bc54802a93b263e910746d679a7eb53"
+SRC_URI[once_cell-1.13.0.sha256sum] = "18a6dbe30758c9f83eb00cbea4ac95966305f5a7772f3f42ebfc7fc7eddbd8e1"
+SRC_URI[opaque-debug-0.3.0.sha256sum] = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
+SRC_URI[openidconnect-2.3.2.sha256sum] = "e26afc60b2bf11b9a039db1f3a3c0d5fe201eebdbe646a8ecb8342c8240e3271"
+SRC_URI[openssl-0.10.41.sha256sum] = "618febf65336490dfcf20b73f885f5651a0c89c64c2d4a8c3662585a70bf5bd0"
+SRC_URI[openssl-macros-0.1.0.sha256sum] = "b501e44f11665960c7e7fcf062c7d96a14ade4aa98116c004b2e37b5be7d736c"
+SRC_URI[openssl-probe-0.1.5.sha256sum] = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
+SRC_URI[openssl-src-111.25.0+1.1.1t.sha256sum] = "3173cd3626c43e3854b1b727422a276e568d9ec5fe8cec197822cf52cfb743d6"
+SRC_URI[openssl-sys-0.9.75.sha256sum] = "e5f9bd0c2710541a3cda73d6f9ac4f1b240de4ae261065d309dbe73d9dceb42f"
+SRC_URI[ordered-float-2.10.0.sha256sum] = "7940cf2ca942593318d07fcf2596cdca60a85c9e7fab408a5e21a4f9dcd40d87"
+SRC_URI[oso-0.12.4.sha256sum] = "aec41e2da1ce3a82eb807396f802c172f08aa03e1be31e5df49592a04e12c8c7"
+SRC_URI[parking_lot-0.12.1.sha256sum] = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f"
+SRC_URI[parking_lot_core-0.9.3.sha256sum] = "09a279cbf25cb0757810394fbc1e359949b59e348145c643a939a525692e6929"
+SRC_URI[pbkdf2-0.7.5.sha256sum] = "bf916dd32dd26297907890d99dc2740e33f6bd9073965af4ccff2967962f5508"
+SRC_URI[percent-encoding-2.1.0.sha256sum] = "d4fd5641d01c8f18a23da7b6fe29298ff4b55afcccdf78973b24cf3175fee32e"
+SRC_URI[petgraph-0.6.2.sha256sum] = "e6d5014253a1331579ce62aa67443b4a658c5e7dd03d4bc6d302b94474888143"
+SRC_URI[phf_shared-0.10.0.sha256sum] = "b6796ad771acdc0123d2a88dc428b5e38ef24456743ddb1744ed628f9815c096"
+SRC_URI[pico-args-0.4.2.sha256sum] = "db8bcd96cb740d03149cbad5518db9fd87126a10ab519c011893b1754134c468"
+SRC_URI[pin-project-lite-0.2.9.sha256sum] = "e0a7ae3ac2f1173085d398531c705756c94a4c56843785df85a60c1a0afac116"
+SRC_URI[pin-utils-0.1.0.sha256sum] = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+SRC_URI[pkg-config-0.3.25.sha256sum] = "1df8c4ec4b0627e53bdf214615ad287367e482558cf84b109250b37464dc03ae"
+SRC_URI[polar-core-0.12.4.sha256sum] = "53d2b6ee5b5ff6312ca55e2ba75fbd438c72bc041c799055388d815726eca69b"
+SRC_URI[ppv-lite86-0.2.16.sha256sum] = "eb9f9e6e233e5c4a35559a617bf40a4ec447db2e84c20b55a6f83167b7e57872"
+SRC_URI[precomputed-hash-0.1.1.sha256sum] = "925383efa346730478fb4838dbe9137d2a47675ad789c546d150a6e1dd4ab31c"
+SRC_URI[priority-queue-1.2.2.sha256sum] = "de9cde7493f5f5d2d163b174be9f9a72d756b79b0f6ed85654128d238c347c1e"
+SRC_URI[proc-macro2-1.0.40.sha256sum] = "dd96a1e8ed2596c337f8eae5f24924ec83f5ad5ab21ea8e455d3566c69fbcaf7"
+SRC_URI[quick-xml-0.23.0.sha256sum] = "9279fbdacaad3baf559d8cabe0acc3d06e30ea14931af31af79578ac0946decc"
+SRC_URI[quote-1.0.20.sha256sum] = "3bcdf212e9776fbcb2d23ab029360416bb1706b1aea2d1a5ba002727cbcab804"
+SRC_URI[r2d2-0.8.10.sha256sum] = "51de85fb3fb6524929c8a2eb85e6b6d363de4e8c48f9e2c2eac4944abc181c93"
+SRC_URI[rand-0.8.5.sha256sum] = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+SRC_URI[rand_chacha-0.3.1.sha256sum] = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+SRC_URI[rand_core-0.6.3.sha256sum] = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7"
+SRC_URI[redox_syscall-0.2.13.sha256sum] = "62f25bc4c7e55e0b0b7a1d43fb893f4fa1361d0abe38b9ce4f323c2adfe6ef42"
+SRC_URI[redox_users-0.4.3.sha256sum] = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b"
+SRC_URI[regex-1.6.0.sha256sum] = "4c4eb3267174b8c6c2f654116623910a0fef09c4753f8dd83db29c48a0df988b"
+SRC_URI[regex-automata-0.1.10.sha256sum] = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
+SRC_URI[regex-syntax-0.6.27.sha256sum] = "a3f87b73ce11b1619a3c6332f45341e0047173771e8b8b73f87bfeefb7b56244"
+SRC_URI[remove_dir_all-0.5.3.sha256sum] = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7"
+SRC_URI[reqwest-0.11.11.sha256sum] = "b75aa69a3f06bbcc66ede33af2af253c6f7a86b1ca0033f60c580a27074fbf92"
+SRC_URI[ring-0.16.20.sha256sum] = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
+SRC_URI[rle-decode-fast-1.0.3.sha256sum] = "3582f63211428f83597b51b2ddb88e2a91a9d52d12831f9d08f5e624e8977422"
+SRC_URI[routecore-0.2.0.sha256sum] = "9afd872857e85411c0ba7d18dfe650fc4864b292c02cde997e86c511314fdfc3"
+SRC_URI[rpassword-5.0.1.sha256sum] = "ffc936cf8a7ea60c58f030fd36a612a48f440610214dc54bc36431f9ea0c3efb"
+SRC_URI[rpki-0.15.8.sha256sum] = "46970b82ec6bfec47c88addaaef3d345cec2a5cf9cb89039ef904123e65ba41a"
+SRC_URI[rustc-demangle-0.1.21.sha256sum] = "7ef03e0a2b150c7a90d01faf6254c9c48a41e95fb2a8c2ac1c6f0d2b9aefc342"
+SRC_URI[rustc_version-0.4.0.sha256sum] = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366"
+SRC_URI[rustls-0.19.1.sha256sum] = "35edb675feee39aec9c99fa5ff985081995a06d594114ae14cbe797ad7b7a6d7"
+SRC_URI[rustversion-1.0.8.sha256sum] = "24c8ad4f0c00e1eb5bc7614d236a7f1300e3dbd76b68cac8e06fb00b015ad8d8"
+SRC_URI[ryu-1.0.10.sha256sum] = "f3f6f92acf49d1b98f7a81226834412ada05458b7364277387724a237f062695"
+SRC_URI[salsa20-0.7.2.sha256sum] = "399f290ffc409596022fce5ea5d4138184be4784f2b28c62c59f0d8389059a15"
+SRC_URI[schannel-0.1.20.sha256sum] = "88d6731146462ea25d9244b2ed5fd1d716d25c52e4d54aa4fb0f3c4e9854dbe2"
+SRC_URI[scheduled-thread-pool-0.2.6.sha256sum] = "977a7519bff143a44f842fd07e80ad1329295bd71686457f18e496736f4bf9bf"
+SRC_URI[scopeguard-1.1.0.sha256sum] = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
+SRC_URI[scratch-1.0.2.sha256sum] = "9c8132065adcfd6e02db789d9285a0deb2f3fcb04002865ab67d5fb103533898"
+SRC_URI[scrypt-0.6.5.sha256sum] = "19230d10daad7f163d8c1fc8edf84fbe52ac71c2ebe5adf3f763aa1557b843e3"
+SRC_URI[sct-0.6.1.sha256sum] = "b362b83898e0e69f38515b82ee15aa80636befe47c3b6d3d89a911e78fc228ce"
+SRC_URI[security-framework-2.6.1.sha256sum] = "2dc14f172faf8a0194a3aded622712b0de276821addc574fa54fc0a1167e10dc"
+SRC_URI[security-framework-sys-2.6.1.sha256sum] = "0160a13a177a45bfb43ce71c01580998474f556ad854dcbca936dd2841a5c556"
+SRC_URI[semver-1.0.12.sha256sum] = "a2333e6df6d6598f2b1974829f853c2b4c5f4a6e503c10af918081aa6f8564e1"
+SRC_URI[serde-1.0.139.sha256sum] = "0171ebb889e45aa68b44aee0859b3eede84c6f5f5c228e6f140c0b2a0a46cad6"
+SRC_URI[serde-value-0.7.0.sha256sum] = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c"
+SRC_URI[serde_bytes-0.11.6.sha256sum] = "212e73464ebcde48d723aa02eb270ba62eff38a9b732df31f33f1b4e145f3a54"
+SRC_URI[serde_derive-1.0.139.sha256sum] = "dc1d3230c1de7932af58ad8ffbe1d784bd55efd5a9d84ac24f69c72d83543dfb"
+SRC_URI[serde_json-1.0.82.sha256sum] = "82c2c1fdcd807d1098552c5b9a36e425e42e9fbd7c6a37a8425f390f781f7fa7"
+SRC_URI[serde_path_to_error-0.1.7.sha256sum] = "d7868ad3b8196a8a0aea99a8220b124278ee5320a55e4fde97794b6f85b1a377"
+SRC_URI[serde_urlencoded-0.7.1.sha256sum] = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
+SRC_URI[sha2-0.9.9.sha256sum] = "4d58a1e1bf39749807d89cf2d98ac2dfa0ff1cb3faa38fbb64dd88ac8013d800"
+SRC_URI[sha2-0.10.2.sha256sum] = "55deaec60f81eefe3cce0dc50bda92d6d8e88f2a27df7c5033b42afeb1ed2676"
+SRC_URI[sharded-slab-0.1.4.sha256sum] = "900fba806f70c630b0a382d0d825e17a0f19fcd059a2ade1ff237bcddf446b31"
+SRC_URI[signal-hook-registry-1.4.0.sha256sum] = "e51e73328dc4ac0c7ccbda3a494dfa03df1de2f46018127f60c693f2648455b0"
+SRC_URI[siphasher-0.3.10.sha256sum] = "7bd3e3206899af3f8b12af284fafc038cc1dc2b41d1b89dd17297221c5d225de"
+SRC_URI[slab-0.4.6.sha256sum] = "eb703cfe953bccee95685111adeedb76fabe4e97549a58d16f03ea7b9367bb32"
+SRC_URI[slug-0.1.4.sha256sum] = "b3bc762e6a4b6c6fcaade73e77f9ebc6991b676f88bb2358bddb56560f073373"
+SRC_URI[smallvec-1.9.0.sha256sum] = "2fd0db749597d91ff862fd1d55ea87f7855a744a8425a64695b6fca237d1dad1"
+SRC_URI[socket2-0.4.4.sha256sum] = "66d72b759436ae32898a2af0a14218dbf55efde3feeb170eb623637db85ee1e0"
+SRC_URI[spin-0.5.2.sha256sum] = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
+SRC_URI[string_cache-0.8.4.sha256sum] = "213494b7a2b503146286049378ce02b482200519accc31872ee8be91fa820a08"
+SRC_URI[strsim-0.8.0.sha256sum] = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a"
+SRC_URI[subtle-2.4.1.sha256sum] = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
+SRC_URI[syn-1.0.98.sha256sum] = "c50aef8a904de4c23c788f104b7dddc7d6f79c647c7c8ce4cc8f73eb0ca773dd"
+SRC_URI[syslog-4.0.1.sha256sum] = "a0641142b4081d3d44beffa4eefd7346a228cdf91ed70186db2ca2cef762d327"
+SRC_URI[target-lexicon-0.12.4.sha256sum] = "c02424087780c9b71cc96799eaeddff35af2bc513278cda5c99fc1f5d026d3c1"
+SRC_URI[tempfile-3.3.0.sha256sum] = "5cdb1ef4eaeeaddc8fbd371e5017057064af0911902ef36b39801f67cc6d79e4"
+SRC_URI[term-0.7.0.sha256sum] = "c59df8ac95d96ff9bede18eb7300b0fda5e5d8d90960e76f8e14ae765eedbf1f"
+SRC_URI[termcolor-1.1.3.sha256sum] = "bab24d30b911b2376f3a13cc2cd443142f0c81dda04c118693e35b3835757755"
+SRC_URI[textwrap-0.11.0.sha256sum] = "d326610f408c7a4eb6f51c37c330e496b08506c9457c9d34287ecc38809fb060"
+SRC_URI[thiserror-1.0.31.sha256sum] = "bd829fe32373d27f76265620b5309d0340cb8550f523c1dda251d6298069069a"
+SRC_URI[thiserror-impl-1.0.31.sha256sum] = "0396bc89e626244658bef819e22d0cc459e795a5ebe878e6ec336d1674a8d79a"
+SRC_URI[thread_local-1.1.4.sha256sum] = "5516c27b78311c50bf42c071425c560ac799b11c30b31f87e3081965fe5e0180"
+SRC_URI[time-0.1.44.sha256sum] = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255"
+SRC_URI[tiny-keccak-2.0.2.sha256sum] = "2c9d3793400a45f954c52e73d068316d76b6f4e36977e3fcebb13a2721e80237"
+SRC_URI[tiny_http-0.8.2.sha256sum] = "9ce51b50006056f590c9b7c3808c3bd70f0d1101666629713866c227d6e58d39"
+SRC_URI[tinyvec-1.6.0.sha256sum] = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50"
+SRC_URI[tinyvec_macros-0.1.0.sha256sum] = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c"
+SRC_URI[tokio-1.20.4.sha256sum] = "eb78f30e4b41e98ca4cce5acb51168a033839a7af9e42b380355808e14e98ee0"
+SRC_URI[tokio-macros-1.8.0.sha256sum] = "9724f9a975fb987ef7a3cd9be0350edcbe130698af5b8f7a631e23d42d052484"
+SRC_URI[tokio-native-tls-0.3.0.sha256sum] = "f7d995660bd2b7f8c1568414c1126076c13fbb725c40112dc0120b78eb9b717b"
+SRC_URI[tokio-rustls-0.22.0.sha256sum] = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6"
+SRC_URI[tokio-util-0.7.3.sha256sum] = "cc463cd8deddc3770d20f9852143d50bf6094e640b485cb2e189a2099085ff45"
+SRC_URI[toml-0.5.9.sha256sum] = "8d82e1a7758622a465f8cee077614c73484dac5b836c02ff6a40d5d1010324d7"
+SRC_URI[tower-service-0.3.2.sha256sum] = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52"
+SRC_URI[tracing-0.1.35.sha256sum] = "a400e31aa60b9d44a52a8ee0343b5b18566b03a8321e0d321f695cf56e940160"
+SRC_URI[tracing-attributes-0.1.22.sha256sum] = "11c75893af559bc8e10716548bdef5cb2b983f8e637db9d0e15126b61b484ee2"
+SRC_URI[tracing-core-0.1.28.sha256sum] = "7b7358be39f2f274f322d2aaed611acc57f382e8eb1e5b48cb9ae30933495ce7"
+SRC_URI[tracing-log-0.1.3.sha256sum] = "78ddad33d2d10b1ed7eb9d1f518a5674713876e97e5bb9b7345a7984fbb4f922"
+SRC_URI[tracing-serde-0.1.3.sha256sum] = "bc6b213177105856957181934e4920de57730fc69bf42c37ee5bb664d406d9e1"
+SRC_URI[tracing-subscriber-0.2.25.sha256sum] = "0e0d2eaa99c3c2e41547cfa109e910a68ea03823cccad4a0525dcbc9b01e8c71"
+SRC_URI[trait-set-0.2.0.sha256sum] = "875c4c873cc824e362fa9a9419ffa59807244824275a44ad06fec9684fff08f2"
+SRC_URI[try-lock-0.2.3.sha256sum] = "59547bce71d9c38b83d9c0e92b6066c4253371f15005def0c30d9657f50c7642"
+SRC_URI[typenum-1.15.0.sha256sum] = "dcf81ac59edc17cc8697ff311e8f5ef2d99fcbd9817b34cec66f90b6c3dfd987"
+SRC_URI[unicode-bidi-0.3.8.sha256sum] = "099b7128301d285f79ddd55b9a83d5e6b9e97c92e0ea0daebee7263e932de992"
+SRC_URI[unicode-ident-1.0.2.sha256sum] = "15c61ba63f9235225a22310255a29b806b907c9b8c964bcbd0a2c70f3f2deea7"
+SRC_URI[unicode-normalization-0.1.21.sha256sum] = "854cbdc4f7bc6ae19c820d44abdc3277ac3e1b2b93db20a636825d9322fb60e6"
+SRC_URI[unicode-width-0.1.9.sha256sum] = "3ed742d4ea2bd1176e236172c8429aaf54486e7ac098db29ffe6529e0ce50973"
+SRC_URI[unicode-xid-0.2.3.sha256sum] = "957e51f3646910546462e67d5f7599b9e4fb8acdd304b087a6494730f9eebf04"
+SRC_URI[untrusted-0.7.1.sha256sum] = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+SRC_URI[url-2.2.2.sha256sum] = "a507c383b2d33b5fc35d1861e77e6b383d158b2da5e14fe51b83dfedf6fd578c"
+SRC_URI[urlparse-0.7.3.sha256sum] = "110352d4e9076c67839003c7788d8604e24dcded13e0b375af3efaa8cf468517"
+SRC_URI[uuid-1.1.2.sha256sum] = "dd6469f4314d5f1ffec476e05f17cc9a78bc7a27a6a857842170bdf8d6f98d2f"
+SRC_URI[valuable-0.1.0.sha256sum] = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d"
+SRC_URI[vcpkg-0.2.15.sha256sum] = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+SRC_URI[vec_map-0.8.2.sha256sum] = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
+SRC_URI[version_check-0.9.4.sha256sum] = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+SRC_URI[want-0.3.0.sha256sum] = "1ce8a968cb1cd110d136ff8b819a556d6fb6d919363c61534f6860c7eb172ba0"
+SRC_URI[wasi-0.10.0+wasi-snapshot-preview1.sha256sum] = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
+SRC_URI[wasi-0.11.0+wasi-snapshot-preview1.sha256sum] = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+SRC_URI[wasm-bindgen-0.2.81.sha256sum] = "7c53b543413a17a202f4be280a7e5c62a1c69345f5de525ee64f8cfdbc954994"
+SRC_URI[wasm-bindgen-backend-0.2.81.sha256sum] = "5491a68ab4500fa6b4d726bd67408630c3dbe9c4fe7bda16d5c82a1fd8c7340a"
+SRC_URI[wasm-bindgen-futures-0.4.31.sha256sum] = "de9a9cec1733468a8c657e57fa2413d2ae2c0129b95e87c5b72b8ace4d13f31f"
+SRC_URI[wasm-bindgen-macro-0.2.81.sha256sum] = "c441e177922bc58f1e12c022624b6216378e5febc2f0533e41ba443d505b80aa"
+SRC_URI[wasm-bindgen-macro-support-0.2.81.sha256sum] = "7d94ac45fcf608c1f45ef53e748d35660f168490c10b23704c7779ab8f5c3048"
+SRC_URI[wasm-bindgen-shared-0.2.81.sha256sum] = "6a89911bd99e5f3659ec4acf9c4d93b0a90fe4a2a11f15328472058edc5261be"
+SRC_URI[web-sys-0.3.58.sha256sum] = "2fed94beee57daf8dd7d51f2b15dc2bcde92d7a72304cdf662a4371008b71b90"
+SRC_URI[webpki-0.21.4.sha256sum] = "b8e38c0608262c46d4a56202ebabdeb094cef7e560ca7a226c6bf055188aa4ea"
+SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+SRC_URI[winapi-util-0.1.5.sha256sum] = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
+SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+SRC_URI[windows-sys-0.36.1.sha256sum] = "ea04155a16a59f9eab786fe12a4a450e75cdb175f9e0d80da1e17db09f55b8d2"
+SRC_URI[windows_aarch64_msvc-0.36.1.sha256sum] = "9bb8c3fd39ade2d67e9874ac4f3db21f0d710bee00fe7cab16949ec184eeaa47"
+SRC_URI[windows_i686_gnu-0.36.1.sha256sum] = "180e6ccf01daf4c426b846dfc66db1fc518f074baa793aa7d9b9aaeffad6a3b6"
+SRC_URI[windows_i686_msvc-0.36.1.sha256sum] = "e2e7917148b2812d1eeafaeb22a97e4813dfa60a3f8f78ebe204bcc88f12f024"
+SRC_URI[windows_x86_64_gnu-0.36.1.sha256sum] = "4dcd171b8776c41b97521e5da127a2d86ad280114807d0b2ab1e462bc764d9e1"
+SRC_URI[windows_x86_64_msvc-0.36.1.sha256sum] = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680"
+SRC_URI[winreg-0.10.1.sha256sum] = "80d0f4e272c85def139476380b12f9ac60926689dd2e01d4923222f40580869d"
diff --git a/recipes-security/krill/krill_0.12.3.bb b/recipes-security/krill/krill_0.12.3.bb
new file mode 100644
index 0000000..ee959c2
--- /dev/null
+++ b/recipes-security/krill/krill_0.12.3.bb
@@ -0,0 +1,42 @@
+SUMMARY = "Resource Public Key Infrastructure (RPKI) daemon"
+HOMEPAGE = "https://www.nlnetlabs.nl/projects/rpki/krill/"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=9741c346eef56131163e13b9db1241b3"
+
+DEPENDS = "openssl"
+
+# SRC_URI += "crate://crates.io/krill/0.9.1"
+SRC_URI = "git://github.com/NLnetLabs/krill.git;protocol=https;branch=main"
+SRCREV = "e92098419c7ad82939e0483bc76df21eff705b80"
+SRC_URI += "file://panic_workaround.patch"
+
+include krill-crates.inc
+
+UPSTREAM_CHECK_URI = "https://github.com/NLnetLabs/${BPN}/releases"
+UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
+
+S = "${WORKDIR}/git"
+CARGO_SRC_DIR = ""
+
+inherit pkgconfig useradd systemd cargo cargo-update-recipe-crates
+
+do_install:append () {
+ install -d ${D}${sysconfdir}
+ install -d ${D}${datadir}/krill
+
+ install -m 664 ${S}/defaults/krill.conf ${D}${sysconfdir}/.
+ install ${S}/defaults/* ${D}${datadir}/krill/.
+}
+
+KRILL_UID ?= "krill"
+KRILL_GID ?= "krill"
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system ${KRILL_UID}"
+USERADD_PARAM:${PN} = "--system -g ${KRILL_GID} --home-dir \
+ /var/lib/krill/ --no-create-home \
+ --shell /sbin/nologin ${BPN}"
+
+FILES:${PN} += "{sysconfdir}/defaults ${datadir}"
+
+COMPATIBLE_HOST = "(i.86|x86_64|aarch64).*-linux"
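Review bot: `install -m 664 ${S}/defaults/krill.conf ${D}${sysconfdir}/.` ships the daemon's configuration group-writable, and since upstream's default krill.conf is where the HTTPS listener and (presumably) the API admin token are set, a writable-by-group file lets any member of the installing group redirect or take over the RPKI CA; `install -m 0640 ${S}/defaults/krill.conf ${D}${sysconfdir}/krill.conf` (owned root with group `${KRILL_GID}`, or 0600 if the daemon runs as root) is the safer default. The second `install ${S}/defaults/* ${D}${datadir}/krill/.` has no `-m`, so plain data files land as 0755; `install -m 0644` is what they need. The packaging line `FILES:${PN} += "{sysconfdir}/defaults ${datadir}"` is missing the `$` on `{sysconfdir}` (it is a literal path) and `${datadir}` is broader than what do_install creates; `FILES:${PN} += "${sysconfdir}/krill.conf ${datadir}/krill"` matches the installed files. The recipe inherits `systemd` and adds a `krill` user with `--home-dir /var/lib/krill/`, but no SYSTEMD_SERVICE nor that directory is created here — worth confirming that is intentional.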
diff --git a/recipes-security/libdhash/ding-libs_0.5.0.bb b/recipes-security/libdhash/ding-libs_0.6.1.bb
index 9db66e8..843850f 100644
--- a/recipes-security/libdhash/ding-libs_0.5.0.bb
+++ b/recipes-security/libdhash/ding-libs_0.6.1.bb
@@ -2,12 +2,11 @@ SUMMARY = "Dynamic hash table implementation"
DESCRIPTION = "Dynamic hash table implementation"
HOMEPAGE = "https://fedorahosted.org/released/ding-libs"
SECTION = "base"
-LICENSE = "GPLv3+"
+LICENSE = "GPL-3.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
SRC_URI = "https://fedorahosted.org/released/${BPN}/${BP}.tar.gz"
inherit autotools pkgconfig
-SRC_URI[md5sum] = "786f2880d30136a61df02e5d740ddc6e"
-SRC_URI[sha256sum] = "dab937537a05d7a7cbe605fdb9b3809080d67b124ac97eb321255b35f5b172fd"
+SRC_URI[sha256sum] = "a319a327deb81f2dfab9ce4a4926e80e1dac5dcfc89f4c7e548cec2645af27c1"
diff --git a/recipes-security/libest/libest_3.2.0.bb b/recipes-security/libest/libest_3.2.0.bb
new file mode 100644
index 0000000..b4c6165
--- /dev/null
+++ b/recipes-security/libest/libest_3.2.0.bb
@@ -0,0 +1,30 @@
+SUMMARY = "EST is used for secure certificate \
+enrollment and is compatible with Suite B certs (as well as RSA \
+and DSA certificates)"
+
+LICENSE = "OpenSSL"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=ecb78acde8e3b795de8ef6b61aed5885"
+
+SRCREV = "4ca02c6d7540f2b1bcea278a4fbe373daac7103b"
+SRC_URI = "git://github.com/cisco/libest;branch=main;protocol=https"
+
+DEPENDS = "openssl"
+
+#fatal error: execinfo.h: No such file or directory
+DEPENDS:append:libc-musl = " libexecinfo"
+
+inherit autotools-brokensep
+
+EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}"
+
+CFLAGS += "-fcommon"
+LDFLAGS:append:libc-musl = " -lexecinfo"
+
+S = "${WORKDIR}/git"
+
+PACKAGES = "${PN} ${PN}-dbg ${PN}-dev"
+
+FILES:${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so"
+
+# https://github.com/cisco/libest/issues/104
+SKIP_RECIPE[libest] ?= "Needs porting to openssl 3.x"
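Review bot: `FILES:${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so"` hard-codes the library version that `PV` already carries, so the next bump will silently leave the shared object unpackaged (QA will flag it as installed-but-not-shipped); `FILES:${PN} = "${bindir}/* ${libdir}/libest-${PV}p.so"` keeps it in step. The `p` suffix and the non-standard soname are presumably libest's own naming — worth a one-line comment above the FILES line, e.g. `# libest installs an unversioned-soname library named libest-<ver>p.so`. `--with-ssl-dir=${STAGING_LIBDIR}` hands configure a lib directory where it would normally expect the OpenSSL install prefix; since the recipe is skipped pending the OpenSSL 3.x port anyway, it would help to note in the SKIP_RECIPE comment that this and `-fcommon` were only validated against the 1.1.x series.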
diff --git a/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch b/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch
deleted file mode 100644
index 6aa1a65..0000000
--- a/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-Use secure_getenv instead of getenv for setuid programs
-
-(bnc#694598 CVE-2011-2709 bnc#831805)
-
-import from:
-https://build.opensuse.org/package/view_file/openSUSE:Factory/libgssglue/secure-getenv.patch
-
-Upstream-Status: Pending
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-
-diff --git a/src/g_initialize.c b/src/g_initialize.c
-index 200f173..935a9fa 100644
---- a/src/g_initialize.c
-+++ b/src/g_initialize.c
-@@ -26,6 +26,7 @@
- * This function will initialize the gssapi mechglue library
- */
-
-+#define _GNU_SOURCE
- #include "mglueP.h"
- #include <stdlib.h>
-
-@@ -197,8 +198,7 @@ static void solaris_initialize ()
- void *dl;
- gss_mechanism (*sym)(void), mech;
-
-- if ((getuid() != geteuid()) ||
-- ((filename = getenv("GSSAPI_MECH_CONF")) == NULL))
-+ if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL)
- filename = MECH_CONF;
-
- if ((conffile = fopen(filename, "r")) == NULL) {
-@@ -274,8 +274,7 @@ static void linux_initialize ()
- void *dl;
- gss_mechanism (*sym)(void), mech;
-
-- if ((getuid() != geteuid()) ||
-- ((filename = getenv("GSSAPI_MECH_CONF")) == NULL))
-+ if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL)
- filename = MECH_CONF;
-
- if ((conffile = fopen(filename, "r")) == NULL) {
diff --git a/recipes-security/libgssglue/files/libgssglue-g-initialize.patch b/recipes-security/libgssglue/files/libgssglue-g-initialize.patch
deleted file mode 100644
index 4a9ba33..0000000
--- a/recipes-security/libgssglue/files/libgssglue-g-initialize.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Fix the warning for getuid, geteuid
-g_initialize.c: In function 'linux_initialize':
-g_initialize.c:275:5: warning: implicit declaration of function 'getuid' [-Wimplicit-function-declaration]
-g_initialize.c:275:5: warning: implicit declaration of function 'geteuid' [-Wimplicit-function-declaration]
-
-Upstream-Status: Pending
-Signed-off-by: Yao Zhao <yao.zhao@windriver.com>
-
-diff --git a/src/g_initialize.c b/src1/g_initialize.c
-index 82fcce1..200f173 100644
---- a/src/g_initialize.c
-+++ b/src/g_initialize.c
-@@ -29,6 +29,8 @@
- #include "mglueP.h"
- #include <stdlib.h>
-
-+#include <unistd.h> /*getuid, geteuid */
-+#include <sys/types.h>
- #include <stdio.h>
- #include <string.h>
- #include <ctype.h>
diff --git a/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch b/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch
deleted file mode 100644
index 6dce3e7..0000000
--- a/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-1) add free if malloc failed for (*mechanisms)->elements
-2) g_inq_cred.c: In function 'gss_inquire_cred':
-g_inq_cred.c:161:8: warning: passing argument 3 of 'generic_gss_copy_oid' from incompatible pointer type [enabled by default]
-
-Upstream-Status: Pending
-Signed-off-by: Yao Zhao <yao.zhao@windriver.com>
-
---- a/src/g_inq_cred.c
-+++ b/src/g_inq_cred.c
-@@ -152,13 +152,15 @@ gss_OID_set * mechanisms;
- union_cred->count);
- if ((*mechanisms)->elements == NULL) {
- *minor_status = ENOMEM;
-+ free(*mechanisms);
-+ *mechanisms = GSS_C_NO_OID_SET;
- return (GSS_S_FAILURE);
- }
-
- for (i=0; i < union_cred->count; i++) {
-- status = generic_gss_copy_oid(minor_status,
-+ status = generic_gss_add_oid_set_member(minor_status,
- &union_cred->mechs_array[i],
-- &((*mechanisms)->elements[i]));
-+ mechanisms);
- if (status != GSS_S_COMPLETE)
- break;
- }
diff --git a/recipes-security/libgssglue/files/libgssglue-mglueP.patch b/recipes-security/libgssglue/files/libgssglue-mglueP.patch
deleted file mode 100644
index 6c9ebf0..0000000
--- a/recipes-security/libgssglue/files/libgssglue-mglueP.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-fix the warning:
-warning: implicit declaration of function 'generic_gss_copy_oid_set' [-Wimplicit-function-declaration]
-
-Upstream-Status: Pending
-Signed-off-by: Yao Zhao <yao.zhao@windriver.com>
-
---- a/src/mglueP.h
-+++ b/src/mglueP.h
-@@ -447,6 +447,12 @@ OM_uint32 generic_gss_copy_oid
- gss_OID * /* new_oid */
- );
-
-+OM_uint32 generic_gss_copy_oid_set
-+ (OM_uint32 *minor_status, /* minor_status */
-+ const gss_OID_set_desc * const oidset, /* oid */
-+ gss_OID_set *new_oidset /* new_oid */
-+ );
-+
- OM_uint32 generic_gss_create_empty_oid_set
- (OM_uint32 *, /* minor_status */
- gss_OID_set * /* oid_set */
diff --git a/recipes-security/libgssglue/libgssglue_0.4.bb b/recipes-security/libgssglue/libgssglue_0.8.bb
index f7859a7..9d01964 100644
--- a/recipes-security/libgssglue/libgssglue_0.4.bb
+++ b/recipes-security/libgssglue/libgssglue_0.8.bb
@@ -15,29 +15,26 @@ LICENSE = "BSD-3-Clause | HPND"
#Copyright 1995 by the Massachusetts Institute of Technology. HPND without Disclaimer
#Copyright 1993 by OpenVision Technologies, Inc. HPND
LIC_FILES_CHKSUM = "file://COPYING;md5=56871e72a5c475289c0d5e4ba3f2ee3a \
- file://src/g_accept_sec_context.c;beginline=3;endline=23;md5=8a7f4017cb7f4be49f8981cb8c472690 \
+ file://src/g_accept_sec_context.c;beginline=3;endline=23;md5=da8ca7a37bd26e576c23874d453751d2\
file://src/g_ccache_name.c;beginline=1;endline=32;md5=208d4de05d5c8273963a8332f084faa7 \
- file://src/oid_ops.c;beginline=1;endline=26;md5=1f194d148b396972da26759a8ec399f0 \
- file://src/oid_ops.c;beginline=378;endline=398;md5=e02c165cb8383e950214baca2fbd664b \
+ file://src/oid_ops.c;beginline=1;endline=26;md5=1f194d148b396972da26759a8ec399f0\
+ file://src/oid_ops.c;beginline=378;endline=398;md5=72457a5cdc0354cb5c25c8b150326364\
"
-SRC_URI = "http://www.citi.umich.edu/projects/nfsv4/linux/${BPN}/${BP}.tar.gz \
+SRC_URI = "${DEBIAN_MIRROR}/main/libg/${BPN}/${BPN}_${PV}.orig.tar.gz \
file://libgssglue-canon-name.patch \
- file://libgssglue-gss-inq-cred.patch \
- file://libgssglue-mglueP.patch \
- file://libgssglue-g-initialize.patch \
- file://libgssglue-fix-CVE-2011-2709.patch \
"
-SRC_URI[md5sum] = "088797f3180702fa54e786496b32e750"
-SRC_URI[sha256sum] = "3f791a75502ba723e5e85e41e5e0c711bb89e2716b7c0ec6e74bd1df6739043a"
+SRC_URI[sha256sum] = "a2bb183e946f6e30562a2a856950a2916c9b6d42c34d67a8400e4efc28917746"
-# gssglue can use krb5, spkm3... as gssapi library, configurable
-RRECOMMENDS_${PN} += "krb5"
+inherit autotools-brokensep
-inherit autotools
+do_configure:prepend() {
+ cd ${S}
+ ./bootstrap
+}
-do_install_append() {
+do_install:append() {
# install some docs
install -d -m 0755 ${D}${docdir}/${BPN}
install -m 0644 ${S}/AUTHORS ${S}/ChangeLog ${S}/NEWS ${S}/README ${D}${docdir}/${BPN}
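Review bot: Dropping `libgssglue-fix-CVE-2011-2709.patch` from SRC_URI leaves no trace in the recipe of why that fix is no longer carried; if the 0.8 tarball contains the fix upstream, a one-line comment such as `# CVE-2011-2709 fix is in the 0.8 sources; the 0.4-era backport was dropped` records that for the next cve-check review, and if it does not, the patch needs rebasing rather than removal. Separately, the new `do_configure:prepend` does a bare `cd ${S}` that persists for the rest of do_configure; it is harmless here only because autotools-brokensep sets B to S, so `( cd ${S} && ./bootstrap )` makes the intent explicit and keeps the rest of the task in its own directory. I cannot tell from the hunk whether 0.8's `bootstrap` script needs network access (gnulib-style bootstraps do); if it does, it will fail under the build's network sandbox, so a comment on what the script does at configure time would help.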
@@ -49,3 +46,6 @@ do_install_append() {
# change the libgssapi_krb5.so path and name(it is .so.2)
sed -i -e "s:/usr/lib/libgssapi_krb5.so:libgssapi_krb5.so.2:" ${D}${sysconfdir}/gssapi_mech.conf
}
+
+# gssglue can use krb5, spkm3... as gssapi library, configurable
+RRECOMMENDS:${PN} += "krb5"
diff --git a/recipes-security/libmhash/libmhash_0.9.9.9.bb b/recipes-security/libmhash/libmhash_0.9.9.9.bb
index 9b34cb1..49139d2 100644
--- a/recipes-security/libmhash/libmhash_0.9.9.9.bb
+++ b/recipes-security/libmhash/libmhash_0.9.9.9.bb
@@ -7,7 +7,7 @@ DESCRIPTION = "\
"
HOMEPAGE = "http://mhash.sourceforge.net/"
-LICENSE = "LGPLv2.0"
+LICENSE = "LGPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=3bf50002aefd002f49e7bb854063f7e7"
S = "${WORKDIR}/mhash-${PV}"
@@ -23,7 +23,11 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mhash/mhash-${PV}.tar.bz2 \
SRC_URI[md5sum] = "f91c74f9ccab2b574a98be5bc31eb280"
SRC_URI[sha256sum] = "56521c52a9033779154432d0ae47ad7198914785265e1f570cee21ab248dfef0"
-inherit autotools-brokensep ptest
+inherit autotools-brokensep ptest multilib_header
+
+do_install:append() {
+ oe_multilib_header mutils/mhash_config.h
+}
do_compile_ptest() {
if [ ! -d ${S}/demo ]; then mkdir ${S}/demo; fi
@@ -35,3 +39,5 @@ do_compile_ptest() {
do_install_ptest() {
install -m 0755 ${S}/demo/mhash ${D}${PTEST_PATH}
}
+
+BBCLASSEXTEND = "native"
diff --git a/recipes-security/libmspack/libmspack_1.9.1.bb b/recipes-security/libmspack/libmspack_1.11.bb
index 8c288be..59df84b 100644
--- a/recipes-security/libmspack/libmspack_1.9.1.bb
+++ b/recipes-security/libmspack/libmspack_1.11.bb
@@ -1,13 +1,13 @@
SUMMARY = "A library for Microsoft compression formats"
HOMEPAGE = "http://www.cabextract.org.uk/libmspack/"
SECTION = "lib"
-LICENSE = "LGPL-2.1"
+LICENSE = "LGPL-2.1-only"
DEPENDS = ""
LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd"
-SRCREV = "63d3faf90423a4a6c174539a7d32111a840adadc"
-SRC_URI = "git://github.com/kyz/libmspack.git"
+SRCREV = "305907723a4e7ab2018e58040059ffb5e77db837"
+SRC_URI = "git://github.com/kyz/libmspack.git;branch=master;protocol=https"
inherit autotools
diff --git a/recipes-security/libseccomp/files/run-ptest b/recipes-security/libseccomp/files/run-ptest
deleted file mode 100644
index 54b4a63..0000000
--- a/recipes-security/libseccomp/files/run-ptest
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-
-cd tests
-./regression -a
diff --git a/recipes-security/libseccomp/libseccomp_2.4.3.bb b/recipes-security/libseccomp/libseccomp_2.4.3.bb
deleted file mode 100644
index 9ca41e6..0000000
--- a/recipes-security/libseccomp/libseccomp_2.4.3.bb
+++ /dev/null
@@ -1,43 +0,0 @@
-SUMMARY = "interface to seccomp filtering mechanism"
-DESCRIPTION = "The libseccomp library provides and easy to use, platform independent,interface to the Linux Kernel's syscall filtering mechanism: seccomp."
-SECTION = "security"
-LICENSE = "LGPL-2.1"
-LIC_FILES_CHKSUM = "file://LICENSE;beginline=0;endline=1;md5=8eac08d22113880357ceb8e7c37f989f"
-
-SRCREV = "1dde9d94e0848e12da20602ca38032b91d521427"
-
-SRC_URI = "git://github.com/seccomp/libseccomp.git;branch=release-2.4 \
- file://run-ptest \
-"
-
-S = "${WORKDIR}/git"
-
-inherit autotools-brokensep pkgconfig ptest
-
-PACKAGECONFIG ??= ""
-PACKAGECONFIG[python] = "--enable-python, --disable-python, python"
-
-DISABLE_STATIC = ""
-
-do_compile_ptest() {
- oe_runmake -C tests check-build
-}
-
-do_install_ptest() {
- install -d ${D}${PTEST_PATH}/tests
- install -d ${D}${PTEST_PATH}/tools
- for file in $(find tests/* -executable -type f); do
- install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests
- done
- for file in $(find tests/*.tests -type f); do
- install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tests
- done
- for file in $(find tools/* -executable -type f); do
- install -m 744 ${S}/${file} ${D}/${PTEST_PATH}/tools
- done
-}
-
-FILES_${PN} = "${bindir} ${libdir}/${BPN}.so*"
-FILES_${PN}-dbg += "${libdir}/${PN}/tests/.debug/* ${libdir}/${PN}/tools/.debug"
-
-RDEPENDS_${PN}-ptest = "bash"
diff --git a/recipes-security/ncrack/ncrack_0.7.bb b/recipes-security/ncrack/ncrack_0.7.bb
index ba26965..8e6b444 100644
--- a/recipes-security/ncrack/ncrack_0.7.bb
+++ b/recipes-security/ncrack/ncrack_0.7.bb
@@ -3,11 +3,11 @@ DESCRIPTION = "Ncrack is designed for high-speed parallel testing of network dev
HOMEPAGE = "https://nmap.org/ncrack"
SECTION = "security"
-LICENSE = "GPL-2.0"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=66938a7e5b4c118eda78271de14874c2"
SRCREV = "dc570e7e3cec1fb176c0168eaedc723084bd0426"
-SRC_URI = "git://github.com/nmap/ncrack.git"
+SRC_URI = "git://github.com/nmap/ncrack.git;branch=master;protocol=https"
DEPENDS = "openssl zlib"
@@ -15,4 +15,4 @@ inherit autotools-brokensep
S = "${WORKDIR}/git"
-INSANE_SKIP_${PN} = "already-stripped"
+INSANE_SKIP:${PN} = "already-stripped"
diff --git a/recipes-security/nikto/files/location.patch b/recipes-security/nikto/files/location.patch
deleted file mode 100644
index edaa204..0000000
--- a/recipes-security/nikto/files/location.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From d1cb702d5147abea0d3208a4d554c61a6f2decd6 Mon Sep 17 00:00:00 2001
-From: Scott Ellis <scott@jumpnowtek.com>
-Date: Fri, 28 Dec 2018 11:08:25 -0500
-Subject: [PATCH] Set custom paths
-
-Upstream Status: Inappropriate
-
-Signed-off-by: Scott Ellis <scott@jumpnowtek.com>
----
- nikto.conf | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/program/nikto.conf b/program/nikto.conf
-index bf36c58..8c55415 100644
---- a/nikto.conf
-+++ b/nikto.conf
-@@ -61,11 +61,11 @@ CIRT=107.170.99.251
- CHECKMETHODS=HEAD GET
-
- # If you want to specify the location of any of the files, specify them here
--# EXECDIR=/opt/nikto # Location of Nikto
--# PLUGINDIR=/opt/nikto/plugins # Location of plugin dir
--# DBDIR=/opt/nikto/databases # Location of database dir
--# TEMPLATEDIR=/opt/nikto/templates # Location of template dir
--# DOCDIR=/opt/nikto/docs # Location of docs dir
-+EXECDIR=/usr/bin/nikto # Location of Nikto
-+PLUGINDIR=/etc/nikto/plugins # Location of plugin dir
-+DBDIR=/etc/nikto/databases # Location of database dir
-+TEMPLATEDIR=/etc/nikto/templates # Location of template dir
-+DOCDIR=/usr/share/doc/nikto # Location of docs dir
-
- # Default plugin macros
- # Remove plugins designed to be run standalone
---
-2.7.4
-
diff --git a/recipes-security/nikto/nikto_2.1.6.bb b/recipes-security/nikto/nikto_2.1.6.bb
deleted file mode 100644
index 2d2c46c..0000000
--- a/recipes-security/nikto/nikto_2.1.6.bb
+++ /dev/null
@@ -1,118 +0,0 @@
-SUMMARY = "web server scanner"
-DESCRIPTION = "Nikto is an Open Source web server scanner which performs comprehensive tests against web servers"
-SECTION = "security"
-HOMEPAGE = "https://cirt.net/Nikto2"
-
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
-
-SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79"
-SRC_URI = "git://github.com/sullo/nikto.git \
- file://location.patch"
-
-S = "${WORKDIR}/git/program"
-
-do_install() {
- install -d ${D}${bindir}
- install -d ${D}${datadir}
- install -d ${D}${datadir}/man/man1
- install -d ${D}${datadir}/doc/nikto
- install -d ${D}${sysconfdir}/nikto
- install -d ${D}${sysconfdir}/nikto/databases
- install -d ${D}${sysconfdir}/nikto/plugins
- install -d ${D}${sysconfdir}/nikto/templates
-
- install -m 0644 databases/db_404_strings ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_content_search ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_dictionary ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_dir_traversal ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_domino ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_drupal ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_embedded ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_favicon ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_headers ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_httpoptions ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_multiple_index ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_outdated ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_parked_strings ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_realms ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_server_msgs ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_tests ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_variables ${D}${sysconfdir}/nikto/databases
-
- install -m 0644 plugins/LW2.pm ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_apache_expect_xss.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_apacheusers.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_auth.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_cgi.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_clientaccesspolicy.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_content_search.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_cookies.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_core.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_dictionary_attack.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_dir_traversal.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_dishwasher.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_docker_registry.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_domino.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_drupal.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_embedded.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_favicon.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_fileops.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_headers.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_httpoptions.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_ms10_070.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_msgs.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_multiple_index.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_negotiate.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_origin_reflection.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_outdated.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_parked.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_paths.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_put_del_test.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_csv.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_html.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_json.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_nbe.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_sqlg.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_text.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_xml.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_robots.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_siebel.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_sitefiles.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_ssl.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_strutshock.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_tests.plugin ${D}${sysconfdir}/nikto/plugins
-
- install -m 0644 templates/htm_close.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_end.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_head.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_im.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_item.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_stop.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_summary.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_end.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_head.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_im.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_item.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_summary.tmpl ${D}${sysconfdir}/nikto/templates
-
- install -m 0644 nikto.conf ${D}${sysconfdir}
-
- install -m 0755 nikto.pl ${D}${bindir}/nikto
- install -m 0644 replay.pl ${D}${bindir}
- install -m 0644 docs/nikto.1 ${D}${datadir}/man/man1
-
- install -m 0644 docs/CHANGES.txt ${D}${datadir}/doc/nikto
- install -m 0644 docs/LICENSE.txt ${D}${datadir}/doc/nikto
- install -m 0644 docs/nikto.dtd ${D}${datadir}/doc/nikto
- install -m 0644 docs/nikto_manual.html ${D}${datadir}/doc/nikto
-}
-
-RDEPENDS_${PN} = "perl libnet-ssleay-perl libwhisker2-perl \
- perl-module-getopt-long perl-module-time-local \
- perl-module-io-socket perl-module-overloading \
- perl-module-base perl-module-b perl-module-bytes"
-
diff --git a/recipes-security/opendnssec/files/libdns_conf_fix.patch b/recipes-security/opendnssec/files/libdns_conf_fix.patch
new file mode 100644
index 0000000..220a2b8
--- /dev/null
+++ b/recipes-security/opendnssec/files/libdns_conf_fix.patch
@@ -0,0 +1,216 @@
+Configure does not work with OE pkg-config for the ldns option
+
+Upstream-Status: Inappropriate [OE specific]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: opendnssec-2.1.8/configure.ac
+===================================================================
+--- opendnssec-2.1.8.orig/configure.ac
++++ opendnssec-2.1.8/configure.ac
+@@ -133,9 +133,7 @@ AC_CHECK_MEMBER([struct sockaddr_un.sun_
+
+ # common dependencies
+ ACX_LIBXML2
+-ACX_LDNS(1,6,17)
+-ACX_LDNS_NOT(1,6,14, [binary incompatibility, see http://open.nlnetlabs.nl/pipermail/ldns-users/2012-October/000564.html])
+-ACX_LDNS_NOT(1,6,15, [fail to create NSEC3 bitmap for empty non-terminals, see http://www.nlnetlabs.nl/pipermail/ldns-users/2012-November/000565.html])
++ACX_LDNS(1.6.17)
+ ACX_PKCS11_MODULES
+ ACX_RT
+ ACX_LIBC
+Index: opendnssec-2.1.8/m4/acx_ldns.m4
+===================================================================
+--- opendnssec-2.1.8.orig/m4/acx_ldns.m4
++++ opendnssec-2.1.8/m4/acx_ldns.m4
+@@ -1,128 +1,63 @@
+-AC_DEFUN([ACX_LDNS],[
+- AC_ARG_WITH(ldns,
+- [AS_HELP_STRING([--with-ldns=PATH],[specify prefix of path of ldns library to use])],
+- [
+- LDNS_PATH="$withval"
+- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $LDNS_PATH/bin)
+- ],[
+- LDNS_PATH="/usr/local"
+- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $PATH)
+- ])
+-
+- if test -x "$LDNS_CONFIG"
+- then
+- AC_MSG_CHECKING(what are the ldns includes)
+- LDNS_INCLUDES="`$LDNS_CONFIG --cflags`"
+- AC_MSG_RESULT($LDNS_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the ldns libs)
+- LDNS_LIBS="`$LDNS_CONFIG --libs`"
+- AC_MSG_RESULT($LDNS_LIBS)
+- else
+- AC_MSG_CHECKING(what are the ldns includes)
+- LDNS_INCLUDES="-I$LDNS_PATH/include"
+- AC_MSG_RESULT($LDNS_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the ldns libs)
+- LDNS_LIBS="-L$LDNS_PATH/lib -lldns"
+- AC_MSG_RESULT($LDNS_LIBS)
+- fi
+-
+- tmp_CPPFLAGS=$CPPFLAGS
+- tmp_LIBS=$LIBS
+-
+- CPPFLAGS="$CPPFLAGS $LDNS_INCLUDES"
+- LIBS="$LIBS $LDNS_LIBS"
+-
+- AC_CHECK_LIB(ldns, ldns_rr_new,,[AC_MSG_ERROR([Can't find ldns library])])
+- LIBS=$tmp_LIBS
+-
+- AC_MSG_CHECKING([for ldns version])
+- CHECK_LDNS_VERSION=m4_format(0x%02x%02x%02x, $1, $2, $3)
+- AC_LANG_PUSH([C])
+- AC_RUN_IFELSE([
+- AC_LANG_SOURCE([[
+- #include <ldns/ldns.h>
+- int main()
+- {
+- #ifdef LDNS_REVISION
+- if (LDNS_REVISION >= $CHECK_LDNS_VERSION)
+- return 0;
+- #endif
+- return 1;
+- }
+- ]])
+- ],[
+- AC_MSG_RESULT([>= $1.$2.$3])
+- ],[
+- AC_MSG_RESULT([< $1.$2.$3])
+- AC_MSG_ERROR([ldns library too old ($1.$2.$3 or later required)])
+- ],[])
+- AC_LANG_POP([C])
+-
+- CPPFLAGS=$tmp_CPPFLAGS
+-
+- AC_SUBST(LDNS_INCLUDES)
+- AC_SUBST(LDNS_LIBS)
+-])
+-
+-
+-AC_DEFUN([ACX_LDNS_NOT],[
+- AC_ARG_WITH(ldns,
+- [AS_HELP_STRING([--with-ldns=PATH],[specify prefix of path of ldns library to use])],
+- [
+- LDNS_PATH="$withval"
+- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $LDNS_PATH/bin)
+- ],[
+- LDNS_PATH="/usr/local"
+- AC_PATH_PROGS(LDNS_CONFIG, ldns-config, ldns-config, $PATH)
+- ])
+-
+- if test -x "$LDNS_CONFIG"
+- then
+- AC_MSG_CHECKING(what are the ldns includes)
+- LDNS_INCLUDES="`$LDNS_CONFIG --cflags`"
+- AC_MSG_RESULT($LDNS_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the ldns libs)
+- LDNS_LIBS="`$LDNS_CONFIG --libs`"
+- AC_MSG_RESULT($LDNS_LIBS)
+- else
+- AC_MSG_CHECKING(what are the ldns includes)
+- LDNS_INCLUDES="-I$LDNS_PATH/include"
+- AC_MSG_RESULT($LDNS_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the ldns libs)
+- LDNS_LIBS="-L$LDNS_PATH/lib -lldns"
+- AC_MSG_RESULT($LDNS_LIBS)
+- fi
+-
+- tmp_CPPFLAGS=$CPPFLAGS
+-
+- CPPFLAGS="$CPPFLAGS $LDNS_INCLUDES"
+-
+- AC_MSG_CHECKING([for ldns version not $1.$2.$3])
+- CHECK_LDNS_VERSION=m4_format(0x%02x%02x%02x, $1, $2, $3)
+- AC_LANG_PUSH([C])
+- AC_RUN_IFELSE([
+- AC_LANG_SOURCE([[
+- #include <ldns/ldns.h>
+- int main()
+- {
+- #ifdef LDNS_REVISION
+- if (LDNS_REVISION != $CHECK_LDNS_VERSION)
+- return 0;
+- #endif
+- return 1;
+- }
+- ]])
+- ],[
+- AC_MSG_RESULT([ok])
+- ],[
+- AC_MSG_RESULT([no])
+- AC_MSG_ERROR([ldns version $1.$2.$3 is not compatible due to $4])
+- ],[])
+- AC_LANG_POP([C])
+-
+- CPPFLAGS=$tmp_CPPFLAGS
++AU_ALIAS([CHECK_LDNS], [ACX_LDNS])
++AC_DEFUN([ACX_LDNS], [
++ found=false
++ AC_ARG_WITH([ldns],
++ [AS_HELP_STRING([--with-ldns=DIR],
++ [root of the lnds directory])],
++ [
++ case "$withval" in
++ "" | y | ye | yes | n | no)
++ AC_MSG_ERROR([Invalid --with-lnds value])
++ ;;
++ *) ldnsdirs="$withval"
++ ;;
++ esac
++ ], [
++ # if pkg-config is installed and lnds has installed a .pc file,
++ # then use that information and don't search ldnsdirs
++ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
++ if test x"$PKG_CONFIG" != x""; then
++ OPENSSL_LDFLAGS=`$PKG_CONFIG ldns --libs-only-L 2>/dev/null`
++ if test $? = 0; then
++ LDNS_LIBS=`$PKG_CONFIG ldns --libs-only-l 2>/dev/null`
++ LDNS_INCLUDES=`$PKG_CONFIG ldns --cflags-only-I 2>/dev/null`
++ found=true
++ fi
++ fi
++
++ # no such luck; use some default ldnsdirs
++ if ! $found; then
++ ldnsdirs="/usr/local/ldns /usr/lib/ldns /usr/ldns /usr/local /usr"
++ fi
++ ]
++ )
++
++
++ if ! $found; then
++ LDNS_INCLUDES=
++ for ldnsdir in $ldnsdirs; do
++ AC_MSG_CHECKING([for LDNS in $ldnsdir])
++ if test -f "$ldnsdir/include/ldns/dnssec.h"; then
++ LDNS_INCLUDES="-I$ldnsdir/include"
++ LDNS_LDFLAGS="-L$ldnsdir/lib"
++ LDNS_LIBS="-lldns"
++ found=true
++ AC_MSG_RESULT([yes])
++ break
++ else
++ AC_MSG_RESULT([no])
++ fi
++ done
++
++ # if the file wasn't found, well, go ahead and try the link anyway -- maybe
++ # it will just work!
++ fi
++
++ LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
++ LIBS="$LDNS_LIBS $LIBS"
++ CPPFLAGS="$LDNS_INCLUDES $CPPFLAGS"
++
++ AC_SUBST([LDNS_INCLUDES])
++ AC_SUBST([LDNS_LIBS])
++ AC_SUBST([LDNS_LDFLAGS])
+ ])
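Review bot: The pkg-config branch of the new ACX_LDNS stores the -L flags in `OPENSSL_LDFLAGS` (a leftover from the OpenSSL macro this was copied from) and never sets `LDNS_LDFLAGS`, so the `AC_SUBST([LDNS_LDFLAGS])` at the end exports an empty value whenever pkg-config succeeds; rename to `LDNS_LDFLAGS=\`$PKG_CONFIG ldns --libs-only-L 2>/dev/null\`` and `LDFLAGS="$LDFLAGS $LDNS_LDFLAGS"`. The rewrite also silently drops the version policy: `ACX_LDNS(1.6.17)` in configure.ac passes an argument the new macro ignores, and the removed `ACX_LDNS_NOT` exclusions (1.6.14 binary incompatibility, 1.6.15 "fail to create NSEC3 bitmap for empty non-terminals") are not re-expressed anywhere, which matters for a zone signer; a guard like `$PKG_CONFIG --atleast-version=1.6.17 ldns || AC_MSG_ERROR([ldns >= 1.6.17 required])` keeps at least the floor. There is no longer any AC_CHECK_LIB either, so a missing ldns is only noticed at link time, as the "try the link anyway" comment admits. The help and error strings misspell ldns as "lnds".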
diff --git a/recipes-security/opendnssec/files/libxml2_conf.patch b/recipes-security/opendnssec/files/libxml2_conf.patch
new file mode 100644
index 0000000..c20d5d2
--- /dev/null
+++ b/recipes-security/opendnssec/files/libxml2_conf.patch
@@ -0,0 +1,112 @@
+configure does not work with OE pkg-config for the libxml2 option
+
+Upstream-Status: Inappropriate [OE specific]
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: opendnssec-2.1.6/m4/acx_libxml2.m4
+===================================================================
+--- opendnssec-2.1.6.orig/m4/acx_libxml2.m4
++++ opendnssec-2.1.6/m4/acx_libxml2.m4
+@@ -1,37 +1,67 @@
++#serial 11
++AU_ALIAS([CHECK_XML2], [ACX_LIBXML2])
+ AC_DEFUN([ACX_LIBXML2],[
+- AC_ARG_WITH(libxml2,
+- [AS_HELP_STRING([--with-libxml2=DIR],[look for libxml2 in this dir])],
+- [
+- XML2_PATH="$withval"
+- AC_PATH_PROGS(XML2_CONFIG, xml2-config, xml2-config, $XML2_PATH/bin)
+- ],[
+- XML2_PATH="/usr/local"
+- AC_PATH_PROGS(XML2_CONFIG, xml2-config, xml2-config, $PATH)
+- ])
+- if test -x "$XML2_CONFIG"
+- then
+- AC_MSG_CHECKING(what are the xml2 includes)
+- XML2_INCLUDES="`$XML2_CONFIG --cflags`"
+- AC_MSG_RESULT($XML2_INCLUDES)
+-
+- AC_MSG_CHECKING(what are the xml2 libs)
+- XML2_LIBS="`$XML2_CONFIG --libs`"
+- AC_MSG_RESULT($XML2_LIBS)
+-
+- tmp_CPPFLAGS=$CPPFLAGS
+- tmp_LIBS=$LIBS
+-
+- CPPFLAGS="$CPPFLAGS $XML2_INCLUDES"
+- LIBS="$LIBS $XML2_LIBS"
+-
+- AC_CHECK_LIB(xml2, xmlDocGetRootElement,,[AC_MSG_ERROR([Can't find libxml2 library])])
+-
+- CPPFLAGS=$tmp_CPPFLAGS
+- LIBS=$tmp_LIBS
+- else
+- AC_MSG_ERROR([libxml2 required, but not found.])
+- fi
++ found=false
++ AC_ARG_WITH([libxml2],
++ [AS_HELP_STRING([--with-libxml2=DIR],
++ [root of the libxml directory])],
++ [
++ case "$withval" in
++ "" | y | ye | yes | n | no)
++ AC_MSG_ERROR([Invalid --with-libxml2 value])
++ ;;
++ *) xml2dirs="$withval"
++ ;;
++ esac
++ ], [
++ # if pkg-config is installed and openssl has installed a .pc file,
++ # then use that information and don't search ssldirs
++ AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
++ if test x"$PKG_CONFIG" != x""; then
++ XML2_LDFLAGS=`$PKG_CONFIG libxml-2.0 --libs-only-L 2>/dev/null`
++ if test $? = 0; then
++ XML2_LIBS=`$PKG_CONFIG libxml-2.0 --libs-only-l 2>/dev/null`
++ XML2_INCLUDES=`$PKG_CONFIG libxml-2.0 --cflags-only-I 2>/dev/null`
++ found=true
++ fi
++ fi
+
+- AC_SUBST(XML2_INCLUDES)
+- AC_SUBST(XML2_LIBS)
++ # no such luck; use some default ssldirs
++ if ! $found; then
++ xml2dirs="/usr/local/libxml /usr/lib/libxml /usr/libxml /usr/pkg /usr/local /usr"
++ fi
++ ]
++ )
++
++
++ # note that we #include <libxml/tree.h>, so the libxml2 headers have to be in
++ # an 'libxml' subdirectory
++
++ if ! $found; then
++ XML2_INCLUDES=
++ for xml2dir in $xml2dirs; do
++ AC_MSG_CHECKING([for XML2 in $xml2dir])
++ if test -f "$xml2dir/include/libxml2/libxml/tree.h"; then
++ XML2_INCLUDES="-I$xml2dir/include/libxml2"
++ XML2_LDFLAGS="-L$xml2dir/lib"
++ XML2_LIBS="-lxml2"
++ found=true
++ AC_MSG_RESULT([yes])
++ break
++ else
++ AC_MSG_RESULT([no])
++ fi
++ done
++
++ # if the file wasn't found, well, go ahead and try the link anyway -- maybe
++ # it will just work!
++ fi
++
++ LDFLAGS="$LDFLAGS $XML2_LDFLAGS"
++ LIBS="$XML2_LIBS $LIBS"
++ CPPFLAGS="$XML2_INCLUDES $CPPFLAGS"
++
++ AC_SUBST(XML2_INCLUDES)
++ AC_SUBST(XML2_LIBS)
++ AC_SUBST(XML2_LDFLAGS)
+ ])
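Review bot: The new ACX_LIBXML2 drops both the `AC_CHECK_LIB(xml2, xmlDocGetRootElement, ...)` probe and the hard `AC_MSG_ERROR([libxml2 required, but not found.])`, so when neither pkg-config nor the directory scan finds libxml2, configure continues with empty XML2_* variables and the failure surfaces only at link time; adding `AC_CHECK_LIB([xml2], [xmlDocGetRootElement], [], [AC_MSG_ERROR([libxml2 required, but not found.])])` after the LIBS/CPPFLAGS assignments restores the configure-time check. The comments still talk about openssl and ssldirs from the macro this was modelled on; `# if pkg-config is installed and libxml2 has installed a .pc file` and `# no such luck; use some default xml2dirs` describe what the code actually does. The patch header names opendnssec-2.1.6 while the recipe builds 2.1.10; that does not affect application (the path prefix is stripped), but refreshing it avoids suggesting the patch was never re-tested against 2.1.10.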
diff --git a/recipes-security/opendnssec/opendnssec_2.1.10.bb b/recipes-security/opendnssec/opendnssec_2.1.10.bb
new file mode 100644
index 0000000..64bacf1
--- /dev/null
+++ b/recipes-security/opendnssec/opendnssec_2.1.10.bb
@@ -0,0 +1,36 @@
+SUMMARY = "OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones"
+
+LICENSE = "BSD-2-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=b041dbe2da80d4efd951393fbba90937"
+
+DEPENDS = "libxml2 openssl ldns libmicrohttpd jansson libyaml "
+
+SRC_URI = "https://dist.opendnssec.org/source/opendnssec-${PV}.tar.gz \
+ file://libxml2_conf.patch \
+ file://libdns_conf_fix.patch \
+ "
+
+SRC_URI[sha256sum] = "c0a8427de241118dccbf7abc508e4dd53fb75b45e9f386addbadae7ecc092756"
+
+inherit autotools pkgconfig perlnative
+
+EXTRA_OECONF = " --with-libxml2=${STAGING_DIR_HOST}/usr --with-ldns=${STAGING_DIR_HOST}/usr \
+ --with-ssl=${STAGING_DIR_HOST}/usr "
+
+CFLAGS += "-fcommon"
+
+PACKAGECONFIG ?= "sqlite3"
+
+PACKAGECONFIG[cunit] = "--with-cunit=${STAGING_DIR_HOST}/usr, --without-cunit,"
+PACKAGECONFIG[sqlite3] = "--with-sqlite3=${STAGING_DIR_HOST}/usr, ,sqlite3, sqlite3"
+PACKAGECONFIG[mysql] = "--with-mysql=yes, , mariadb, mariadb"
+PACKAGECONFIG[readline] = "--with-readline, --without-readline, readline"
+PACKAGECONFIG[unwind] = "--with-libunwind, --without-libunwind"
+
+do_install:append () {
+ rm -rf ${D}${localstatedir}/run
+}
+
+RDEPENDS:${PN} = "softhsm"
+
+SKIP_RECIPE[opendnssec] ?= "Needs porting to openssl 3.x"
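Review bot: The `PACKAGECONFIG[sqlite3]` and `PACKAGECONFIG[mysql]` entries leave the disable slot empty, so when an option is off nothing tells configure not to pick it up and the result depends on what happens to be in the sysroot, a classic source of non-reproducible builds; filling the second field, e.g. `PACKAGECONFIG[mysql] = "--with-mysql=yes, --without-mysql, mariadb, mariadb"`, pins the choice, assuming opendnssec's configure accepts the --without form, which is worth confirming. `CFLAGS += "-fcommon"` is a workaround with no explanation; a comment such as `# -fcommon: the sources appear to rely on tentative definitions that GCC 10+ rejects by default; drop once fixed upstream` tells the next maintainer when it can go. `RDEPENDS:${PN} = "softhsm"` hard-wires one PKCS#11 provider even though any PKCS#11 module (including a hardware HSM) can back OpenDNSSEC, so `RRECOMMENDS` may be the better fit; since `SKIP_RECIPE` marks the recipe as not buildable against OpenSSL 3 yet, none of this is exercised today, which makes the comments all the more useful.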
diff --git a/recipes-security/packagegroup/packagegroup-core-security-ptest.bb b/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
deleted file mode 100644
index 83a9ed8..0000000
--- a/recipes-security/packagegroup/packagegroup-core-security-ptest.bb
+++ /dev/null
@@ -1,28 +0,0 @@
-DESCRIPTION = "Security ptest packagegroup"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
- file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-inherit features_check
-
-REQUIRED_DISTRO_FEATURES = "ptest"
-
-PACKAGES = "\
- ${PN} \
- "
-
-ALLOW_EMPTY_${PN} = "1"
-
-SUMMARY_${PN} = "Security packages with ptests"
-RDEPENDS_${PN} = " \
- ptest-runner \
- samhain-standalone-ptest \
- keyutils-ptest \
- libseccomp-ptest \
- python3-scapy-ptest \
- suricata-ptest \
- tripwire-ptest \
- python-fail2ban-ptest \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor-ptest", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack-ptest", "",d)} \
- "
diff --git a/recipes-security/packagegroup/packagegroup-core-security.bb b/recipes-security/packagegroup/packagegroup-core-security.bb
deleted file mode 100644
index e0a9d05..0000000
--- a/recipes-security/packagegroup/packagegroup-core-security.bb
+++ /dev/null
@@ -1,68 +0,0 @@
-DESCRIPTION = "Security packagegroup for Poky"
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
- file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
-
-inherit packagegroup
-
-PACKAGES = "\
- packagegroup-core-security \
- packagegroup-security-utils \
- packagegroup-security-scanners \
- packagegroup-security-ids \
- packagegroup-security-mac \
- "
-
-RDEPENDS_packagegroup-core-security = "\
- packagegroup-security-utils \
- packagegroup-security-scanners \
- packagegroup-security-ids \
- packagegroup-security-mac \
- "
-
-SUMMARY_packagegroup-security-utils = "Security utilities"
-RDEPENDS_packagegroup-security-utils = "\
- checksec \
- nmap \
- pinentry \
- python3-scapy \
- ding-libs \
- keyutils \
- libseccomp \
- ${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils", "",d)} \
- "
-
-SUMMARY_packagegroup-security-scanners = "Security scanners"
-RDEPENDS_packagegroup-security-scanners = "\
- nikto \
- checksecurity \
- clamav \
- clamav-freshclam \
- clamav-cvd \
- "
-
-SUMMARY_packagegroup-security-audit = "Security Audit tools "
-RDEPENDS_packagegroup-security-audit = " \
- buck-security \
- redhat-security \
- "
-
-SUMMARY_packagegroup-security-hardening = "Security Hardening tools"
-RDEPENDS_packagegroup-security-hardening = " \
- bastille \
- "
-
-SUMMARY_packagegroup-security-ids = "Security Intrusion Detection systems"
-RDEPENDS_packagegroup-security-ids = " \
- tripwire \
- samhain-standalone \
- suricata \
- "
-
-SUMMARY_packagegroup-security-mac = "Security Mandatory Access Control systems"
-RDEPENDS_packagegroup-security-mac = " \
- ${@bb.utils.contains("DISTRO_FEATURES", "tomoyo", "ccs-tools", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "apparmor", "apparmor", "",d)} \
- ${@bb.utils.contains("DISTRO_FEATURES", "smack", "smack", "",d)} \
- "
diff --git a/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch b/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
new file mode 100644
index 0000000..451cb7f
--- /dev/null
+++ b/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
@@ -0,0 +1,26 @@
+From 824c5d7b96aeef1b4e182f657ac002bed6e14cd5 Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@fujitsu.com>
+Date: Thu, 31 Aug 2023 08:20:56 +0000
+Subject: [PATCH] To fix package error if DESTDIR is set to /usr.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 0d7bc0c..46fd664 100644
+--- a/Makefile
++++ b/Makefile
+@@ -19,7 +19,7 @@ $(PROG).o: $(PROG).c $(PROG).h $(PROG)-elf.c
+
+ install: $(PROG)
+ # $(MKDIR) $(DESTDIR)/sbin $(DESTDIR)$(MANDIR)
+- $(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/sbin/$(PROG)
++ $(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/usr/sbin/$(PROG)
+ $(INSTALL) -D --owner 0 --group 0 --mode a=r $(PROG).1 $(DESTDIR)/$(MANDIR)/$(PROG).1
+
+ clean:
+--
+2.34.1
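Review bot: The patch hard-codes `$(DESTDIR)/usr/sbin/$(PROG)` while the neighbouring man-page line is driven by `$(MANDIR)`; a `SBINDIR ?= /usr/sbin` default with `$(DESTDIR)$(SBINDIR)/$(PROG)` keeps the install path overridable from the recipe instead of baked into a patch (the recipe's native install, which places the binary under `${base_sbindir}`, could then use the same knob). The `Upstream-Status: Inappropriate` trailer lacks the bracketed reason OE convention expects, e.g. `Upstream-Status: Inappropriate [oe specific install layout]`. The subject "if DESTDIR is set to /usr" does not describe what the diff does, which is to move the binary from /sbin to /usr/sbin, presumably for a usrmerge layout; saying so in the description makes the intent reviewable.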
diff --git a/recipes-security/paxctl/paxctl_0.9.bb b/recipes-security/paxctl/paxctl_0.9.bb
index 3c04141..3d2f2a3 100644
--- a/recipes-security/paxctl/paxctl_0.9.bb
+++ b/recipes-security/paxctl/paxctl_0.9.bb
@@ -3,12 +3,14 @@ DESCRIPTION = "paxctl is a tool that allows PaX flags to be modified on a \
kernel patches and secure distributions, such as \
GrSecurity or Adamantix and Hardened Gen-too, respectively."
HOMEPAGE = "https://pax.grsecurity.net/"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://paxctl.c;beginline=1;endline=5;md5=0ddd065c61020dda79729e6bedaed2c7 \
file://paxctl-elf.c;beginline=1;endline=5;md5=99f453ce7f6d1687ee808982e2924813 \
"
-SRC_URI = "http://pax.grsecurity.net/${BP}.tar.gz"
+SRC_URI = "http://pax.grsecurity.net/${BP}.tar.gz \
+ file://0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch \
+"
SRC_URI[md5sum] = "9bea59b1987dc4e16c2d22d745374e64"
SRC_URI[sha256sum] = "a330ddd812688169802a3ba29e5e3b19956376b8f6f73b8d7e9586eb04423c2e"
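Review bot: The rewritten `SRC_URI` keeps fetching the tarball over plain `http://` even though `HOMEPAGE` in the same hunk is `https://pax.grsecurity.net/`; the pinned `sha256sum` protects integrity, but the fetch itself is still in the clear, and `SRC_URI = "https://pax.grsecurity.net/${BP}.tar.gz \` costs nothing if the server serves it. The `SRC_URI[md5sum]` line is legacy alongside the sha256 entry and can be dropped when this block is touched again. The added patch filename matches the file introduced earlier in this commit.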
@@ -24,7 +26,7 @@ do_install() {
# install: cannot change ownership of '.../sbin/paxctl': \
# Operation not permitted
# Drop '--owner 0 --group 0' to fix the issue.
-do_install_class-native() {
+do_install:class-native() {
local PROG=paxctl
install -d ${D}${base_sbindir}
install -d ${D}${mandir}/man1
@@ -33,6 +35,6 @@ do_install_class-native() {
}
# Avoid QA Issue: No GNU_HASH in the elf binary
-INSANE_SKIP_${PN} = "ldflags"
+INSANE_SKIP:${PN} = "ldflags"
BBCLASSEXTEND = "native"
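Review bot: `INSANE_SKIP:${PN} = "ldflags"` only renames the override syntax and keeps silencing the QA check instead of fixing its cause; per the context comment, the missing GNU_HASH means the distro `LDFLAGS` (which carry `--hash-style=gnu` and, where `security_flags` is in use, the hardening link options) are not reaching paxctl's link step. If the Makefile's link rule honours `$(LDFLAGS)` (not visible in this hunk), `EXTRA_OEMAKE = "LDFLAGS='${LDFLAGS}'"` would let the check pass and the skip be removed, so the binary is linked with the same flags as the rest of the image. If the rule cannot take `LDFLAGS`, a comment stating that next to the skip would stop the next reviewer re-asking.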
diff --git a/recipes-security/redhat-security/redhat-security_1.0.bb b/recipes-security/redhat-security/redhat-security_1.0.bb
index 56f734c..c47688f 100644
--- a/recipes-security/redhat-security/redhat-security_1.0.bb
+++ b/recipes-security/redhat-security/redhat-security_1.0.bb
@@ -1,8 +1,8 @@
SUMMARY = "redhat security tools"
DESCRIPTION = "Tools used by redhat linux distribution for security checks"
SECTION = "security"
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
SRC_URI = "file://find-chroot-py.sh \
file://find-chroot.sh \
@@ -37,4 +37,4 @@ do_install() {
install -m 0755 ${WORKDIR}/selinux-ls-unconfined.sh ${D}${bindir}
}
-RDEPENDS_${PN} = "file libcap-ng procps findutils"
+RDEPENDS:${PN} = "file libcap-ng procps findutils"
diff --git a/recipes-security/scapy/files/run-ptest b/recipes-security/scapy/files/run-ptest
deleted file mode 100644
index 797d8ec..0000000
--- a/recipes-security/scapy/files/run-ptest
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-UTscapy3 -t regression.uts -f text -l -C \
- -o @PTEST_PATH@/scapy_ptest_$(date +%Y%m%d-%H%M%S).log \
- 2>&1 | sed -e 's/^passed None/PASS:/' -e 's/^failed None/FAIL:/'
diff --git a/recipes-security/scapy/python3-scapy_2.4.3.bb b/recipes-security/scapy/python3-scapy_2.4.3.bb
deleted file mode 100644
index 925f188..0000000
--- a/recipes-security/scapy/python3-scapy_2.4.3.bb
+++ /dev/null
@@ -1,30 +0,0 @@
-SUMMARY = "Network scanning and manipulation tool"
-DESCRIPTION = "Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc."
-SECTION = "security"
-LICENSE = "GPLv2"
-
-LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-
-S = "${WORKDIR}/git"
-
-SRCREV = "3047580162a9407ef05fe981983cacfa698f1159"
-SRC_URI = "git://github.com/secdev/scapy.git \
- file://run-ptest"
-
-S = "${WORKDIR}/git"
-
-inherit setuptools3 ptest
-
-do_install_append() {
- mv ${D}${bindir}/scapy ${D}${bindir}/scapy3
- mv ${D}${bindir}/UTscapy ${D}${bindir}/UTscapy3
-}
-
-do_install_ptest() {
- install -m 0644 ${S}/test/regression.uts ${D}${PTEST_PATH}
- sed -i 's,@PTEST_PATH@,${PTEST_PATH},' ${D}${PTEST_PATH}/run-ptest
-}
-
-RDEPENDS_${PN} = "tcpdump ${PYTHON_PN}-compression ${PYTHON_PN}-cryptography ${PYTHON_PN}-netclient \
- ${PYTHON_PN}-netserver ${PYTHON_PN}-pydoc ${PYTHON_PN}-pkgutil ${PYTHON_PN}-shell \
- ${PYTHON_PN}-threading ${PYTHON_PN}-numbers ${PYTHON_PN}-pycrypto"
diff --git a/recipes-security/sshguard/sshguard_2.4.3.bb b/recipes-security/sshguard/sshguard_2.4.3.bb
new file mode 100644
index 0000000..37b414e
--- /dev/null
+++ b/recipes-security/sshguard/sshguard_2.4.3.bb
@@ -0,0 +1,11 @@
+SUMARRY=" Intelligently block brute-force attacks by aggregating system logs "
+HOMEPAGE = "https://www.sshguard.net/"
+LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
+LICENSE = "BSD-1-Clause"
+
+
+SRC_URI="https://sourceforge.net/projects/sshguard/files/sshguard/${PV}/sshguard-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "64029deff6de90fdeefb1f497d414f0e4045076693a91da1a70eb7595e97efeb"
+
+inherit autotools-brokensep
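Review bot: The first line of the new recipe assigns `SUMARRY`, which BitBake never reads, so the package ships with no summary; it should be `SUMMARY = "Intelligently block brute-force attacks by aggregating system logs"` (also dropping the stray spaces inside the quotes). `SRC_URI="..."` on the seventh line works but is the only assignment in the file without spaces around `=`; `SRC_URI = "https://sourceforge.net/projects/sshguard/files/sshguard/${PV}/sshguard-${PV}.tar.gz"` matches the rest. The recipe declares no `SECTION` or `DESCRIPTION` and no `RDEPENDS:${PN}`; sshguard acts on logs only through a firewall backend at runtime, so if the target's backend (iptables or nftables) is not otherwise guaranteed, an `RDEPENDS:${PN}` entry or a comment naming the expected backend would make the recipe self-describing.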
diff --git a/recipes-security/sssd/files/fix-ldblibdir.patch b/recipes-security/sssd/files/fix-ldblibdir.patch
deleted file mode 100644
index e350baf..0000000
--- a/recipes-security/sssd/files/fix-ldblibdir.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-When calculate value of ldblibdir, it checks whether the directory of
-$ldblibdir exists. If not, it assigns ldblibdir with ${libdir}/ldb. It is not
-suitable for cross compile. Fix it that only re-assign ldblibdir when its value
-is empty.
-
-Upstream-Status: Inappropriate [cross compile specific]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
----
- src/external/libldb.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/external/libldb.m4 b/src/external/libldb.m4
-index c400add..5e5f06d 100644
---- a/src/external/libldb.m4
-+++ b/src/external/libldb.m4
-@@ -19,7 +19,7 @@ if test x"$with_ldb_lib_dir" != x; then
- ldblibdir=$with_ldb_lib_dir
- else
- ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`"
-- if ! test -d $ldblibdir; then
-+ if test -z $ldblibdir; then
- ldblibdir="${libdir}/ldb"
- fi
- fi
diff --git a/recipes-security/sssd/files/sssd.conf b/recipes-security/sssd/files/sssd.conf
deleted file mode 100644
index 1709a7a..0000000
--- a/recipes-security/sssd/files/sssd.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[sssd]
-services = nss, pam
-config_file_version = 2
-
-[nss]
-
-[pam]
-
diff --git a/recipes-security/sssd/files/volatiles.99_sssd b/recipes-security/sssd/files/volatiles.99_sssd
deleted file mode 100644
index 2a82413..0000000
--- a/recipes-security/sssd/files/volatiles.99_sssd
+++ /dev/null
@@ -1 +0,0 @@
-d root root 0750 /var/log/sssd none
diff --git a/recipes-security/sssd/sssd_1.16.4.bb b/recipes-security/sssd/sssd_1.16.4.bb
deleted file mode 100644
index 7ea1586..0000000
--- a/recipes-security/sssd/sssd_1.16.4.bb
+++ /dev/null
@@ -1,124 +0,0 @@
-SUMMARY = "system security services daemon"
-DESCRIPTION = "SSSD is a system security services daemon"
-HOMEPAGE = "https://pagure.io/SSSD/sssd/"
-SECTION = "base"
-LICENSE = "GPLv3+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-
-DEPENDS = "openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
-DEPENDS += "libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent"
-
-# If no crypto has been selected, default to DEPEND on nss, since that's what
-# sssd will pick if no active choice is made during configure
-DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
- bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
-
-SRC_URI = "https://releases.pagure.org/SSSD/${BPN}/${BP}.tar.gz \
- file://sssd.conf \
- file://volatiles.99_sssd \
- file://fix-ldblibdir.patch \
- "
-
-SRC_URI[md5sum] = "757bbb6f15409d8d075f4f06cb678d50"
-SRC_URI[sha256sum] = "6bb212cd6b75b918e945c24e7c3f95a486fb54d7f7d489a9334cfa1a1f3bf959"
-
-inherit autotools pkgconfig gettext python3-dir features_check systemd
-
-REQUIRED_DISTRO_FEATURES = "pam"
-
-SSSD_UID ?= "root"
-SSSD_GID ?= "root"
-
-CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
- ac_cv_path_NSUPDATE=${bindir} ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
- "
-
-PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
-
-PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
-PACKAGECONFIG[crypto] = "--with-crypto=libcrypto, , libcrypto"
-PACKAGECONFIG[curl] = "--with-secrets --with-kcm, --without-secrets --without-kcm, curl jansson"
-PACKAGECONFIG[http] = "--with-secrets, --without-secrets, apache2"
-PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
-PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no"
-PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
-PACKAGECONFIG[nss] = "--with-crypto=nss, ,nss,"
-PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
-PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
-PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
-PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
-PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
-PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv"
-
-EXTRA_OECONF += " \
- --disable-cifs-idmap-plugin \
- --without-nfsv4-idmapd-plugin \
- --without-ipa-getkeytab \
- --without-python2-bindings \
- --enable-pammoddir=${base_libdir}/security \
- --without-python2-bindings \
-"
-
-do_configure_prepend() {
- mkdir -p ${AUTOTOOLS_AUXDIR}/build
- cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
-
- # libresove has host path, remove it
- sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
-}
-
-do_install () {
- oe_runmake install DESTDIR="${D}"
- rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
- install -d ${D}/${sysconfdir}/${BPN}
- install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
- install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd
-
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- install -d ${D}${sysconfdir}/tmpfiles.d
- echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
- fi
-
- # Remove /var/run as it is created on startup
- rm -rf ${D}${localstatedir}/run
-
-}
-
-pkg_postinst_ontarget_${PN} () {
-if [ -e /etc/init.d/populate-volatile.sh ] ; then
- ${sysconfdir}/init.d/populate-volatile.sh update
-fi
- chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
-}
-
-CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
-
-INITSCRIPT_NAME = "sssd"
-INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
-SYSTEMD_SERVICE_${PN} = " \
- ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
- sssd-nss.service \
- sssd-nss.socket \
- sssd-pam-priv.socket \
- sssd-pam.service \
- sssd-pam.socket \
- sssd-secrets.service \
- sssd-secrets.socket \
- sssd.service \
-"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss.so"
-FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
-
-# The package contains symlinks that trip up insane
-INSANE_SKIP_${PN} = "dev-so"
-
-RDEPENDS_${PN} = "bind dbus libldb libpam"