Age | Commit message | Author | Files | Lines

2019-05-26 | cve-report.bbclass: add class [mut] | Andrii Bordunov via Openembedded-core | 1 | -0/+216
Implements "report_cve" and "report_patched" tasks.
"report_patched" prepares image manifest with patched CVE info.
"report_cve" runs cvert-* scripts to generate kernel and package CVE reports.
You can configure it to set report filenames, reuse NVD feeds, stop after manifest generation and ignore specific classes, like native, nativesdk, etc.

Signed-off-by: grygorii tertychnyi <gtertych@cisco.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | cvert-kernel - generate CVE report for the Linux kernel | Andrii Bordunov via Openembedded-core | 1 | -0/+379
NVD entries for the Linux kernel are almost always outdated. For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065 is shown as matched for "versions up to (including) 4.15.7", however the patch 57ebd808a97d has been backported for 4.14.

By default, it checks NVD Resource entries for the patch URLs and looks for the commits in the local GIT tree. Additionally ("--resource") it checks other resources that may have up-to-date CVE data. You can combine resources and decide which one you want to be based on.

Signed-off-by: grygorii tertychnyi <gtertych@cisco.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | cve-report: add scripts to generate CVE reports | Andrii Bordunov via Openembedded-core | 3 | -0/+703
cvert-foss - generate CVE report for the list of packages. Analyze the whole image manifest to align with the complex CPE configurations.

cvert-update - update NVD feeds and store CVE structures dump. CVE dump is a pickled representation of the cve_struct dictionary.

cvert.py - python library used by cvert-* scripts.

NVD JSON Vulnerability Feeds
https://nvd.nist.gov/vuln/data-feeds#JSON_FEED

Usage examples:

o Download CVE feeds to "nvdfeed" directory
  % cvert-update nvdfeed

o Update CVE feeds and store a dump in a file
  % cvert-update --store cvedump nvdfeed

o Generate a CVE report
  % cvert-foss --feed-dir nvdfeed --output report-foss.txt cve-manifest

o (faster) Use dump file to generate a CVE report
  % cvert-foss --restore cvedump --output report-foss.txt cve-manifest

o Generate a full report
  % cvert-foss --restore cvedump --show-description --show-reference \
      --output report-foss-full.txt cve-manifest

Manifest example:

bash,4.2,CVE-2014-7187
python,2.7.35,
python,3.5.5,CVE-2017-17522 CVE-2018-1061

Report example:

patched   | 7.5  | CVE-2018-1061  | python | 3.5.5
patched   | 10.0 | CVE-2014-7187  | bash   | 4.2
patched   | 8.8  | CVE-2017-17522 | python | 3.5.5
unpatched | 10.0 | CVE-2014-6271  | bash   | 4.2
unpatched | 10.0 | CVE-2014-6277  | bash   | 4.2
unpatched | 10.0 | CVE-2014-6278  | bash   | 4.2
unpatched | 10.0 | CVE-2014-7169  | bash   | 4.2
unpatched | 10.0 | CVE-2014-7186  | bash   | 4.2
unpatched | 4.6  | CVE-2012-3410  | bash   | 4.2
unpatched | 8.4  | CVE-2016-7543  | bash   | 4.2
unpatched | 5.0  | CVE-2010-3492  | python | 2.7.35
unpatched | 5.3  | CVE-2016-1494  | python | 2.7.35
unpatched | 6.5  | CVE-2017-18207 | python | 3.5.5
unpatched | 6.5  | CVE-2017-18207 | python | 2.7.35
unpatched | 7.1  | CVE-2013-7338  | python | 2.7.35
unpatched | 7.5  | CVE-2018-1060  | python | 3.5.5
unpatched | 8.8  | CVE-2017-17522 | python | 2.7.35

Signed-off-by: grygorii tertychnyi <gtertych@cisco.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | image: add image for testing | Armin Kuster | 1 | -0/+22
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | runtime qa: modernize ima test | Armin Kuster | 3 | -82/+129
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | initramfs: clean up to pull in packages. | Armin Kuster | 1 | -8/+4
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | data: remove policies | Armin Kuster | 3 | -110/+0
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | policy: add ima appraise all policy | Armin Kuster | 2 | -0/+47
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | ima_policy_simple: add another sample policy | Armin Kuster | 2 | -0/+22
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | ima-policy-hashed: add new recipe | Armin Kuster | 2 | -0/+97
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | base-files: add appending to automount securityfs | Armin Kuster | 2 | -0/+6
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | linux: update bbappend | Armin Kuster | 1 | -115/+2
remove untested code

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | ima.cfg: update to 5.0 kernel | Armin Kuster | 2 | -16/+18
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | ima-evm-utils: cleanup and update to tip | Armin Kuster | 6 | -22/+200
update to tip
backported patches to fix build issues.
fix native support

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | README: update | Armin Kuster | 1 | -4/+1
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | layer.conf: add LAYERSERIES_COMPAT | Armin Kuster | 1 | -0/+2
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-26 | meta-integrity: port over from meta-intel-iot-security | Armin Kuster | 30 | -0/+1402
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-21 | python3-fail2ban: Fix build error of xrange. | leimaohui | 2 | -0/+32
NameError: name 'xrange' is not defined

Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-21 | checksec: add runtime test | Armin Kuster | 1 | -0/+33
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-21 | keyutils: fix library install path | Armin Kuster | 2 | -6/+36
[v2] fix multilib support

Also add native support

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-21 | checksec: update to 1.11.1 | Armin Kuster | 1 | -1/+1
* checksec.sh: Updated to 1.11.1
* checksec.sh: resolved issues with readelf
* checksec.sh: Added docker images for testing
* checksec.sh: Added armhf and aarch64 libc locations
* checksec.sh: Replace FS_COUNT with fgrep
* checksec.sh: Fixed symbols count in csv
* checksec.sh: Fixed RW-RPATH and RW-RUNPATH
* checksec.sh: Added stack canaries generated by intel compiler
* checksec.sh: Mute stat errors for non-existent directories
* checksec.sh: Removed invalid json structures and duplicate kernel checks
* checksec.sh: fixed spaces in -d option
* checksec.sh: Added stack-protector-string check
* checksec.sh: Add arm64 specific kernel checks
* checksec.sh: Add REFCOUNT_FULL to kernel tests
* checksec.sh: Remove OSX support

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-12 | smack: kernel fragment update | Armin Kuster | 1 | -6/+5
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-12 | oe-selftest: add running cve checker | Armin Kuster | 1 | -0/+27
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-12 | apparmor: fetch from git | Alexander Kanavin | 1 | -3/+3
Tarballs from archive.ubuntu.com can and do disappear (similar to archive.debian.org).

Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-09 | libseccomp: update to 2.4.1 | Armin Kuster | 1 | -1/+1
bug fix release.

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-09 | libldb: add earlier version | Armin Kuster | 4 | -0/+328
This version does not have a dependency on samba

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-09 | samhain: add more tests and fix ret checks | Armin Kuster | 1 | -4/+27
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-09 | smack-test: add smack tests from meta-intel-iot-security | Armin Kuster | 16 | -0/+1364
ported over smack tests

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-09 | smack: move patch to smack dir | Armin Kuster | 2 | -0/+0
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-09 | apparmor: add a few more runtime | Armin Kuster | 1 | -0/+19
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-09 | apparmor: fix fragment for 5.0 kernel | Armin Kuster | 1 | -6/+0
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-01 | meta-tpm/README: update | Yi Zhao | 1 | -0/+57
Add more description

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-05-01 | meta-tpm/conf/layer.conf: update layer dependencies | Yi Zhao | 1 | -0/+1
Add openembedded-layer to layer dependencies.

Fix the following build errors:

ERROR: Required build target 'tpm2-pkcs11' has no buildable providers.
Missing or unbuildable dependency chain was: ['tpm2-pkcs11', 'dstat']
ERROR: Required build target 'cryptsetup-tpm-incubator' has no buildable providers.
Missing or unbuildable dependency chain was: ['cryptsetup-tpm-incubator', 'libdevmapper']
ERROR: Required build target 'tpm2-totp' has no buildable providers.
Missing or unbuildable dependency chain was: ['tpm2-totp', 'qrencode']

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-04-14 | clamav-native: fix new build issue | Armin Kuster | 1 | -22/+19
re-arch the recipe to build properly.
Fixed /var/lib/clamav dir issue

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-04-14 | clamav: add clamav-cvd package for cvd db | Armin Kuster | 2 | -6/+259
Add native package to support creating a mirror of the clamav cvd and supply it in a new package.
Provide a INSTALL_CLAMAV_CVD flag to bypass this creation

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-04-13 | clamav: runtime fix local routing | Armin Kuster | 1 | -0/+2
This adds the localhost to resolve.conf to fix:

ERROR: Can't get information about database.clamav.net: Temporary failure in name resolution
ERROR: Can't download main.cvd from database.clamav.net
Giving up on database.clamav.net...

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-04-13 | libldb: add waf-cross-answers | Armin Kuster | 15 | -0/+557
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-04-13 | clamav: fix llvm reference version | Armin Kuster | 1 | -1/+1
llvm8.0 does not exist. dropped the version part.

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-04-13 | clamav runtime: add resolve.conf support | Armin Kuster | 1 | -0/+28
and ping test too

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-04-07 | libmspack: update to 0.10.1 | Armin Kuster | 1 | -3/+3
For details see:
https://github.com/kyz/libmspack/blob/master/libmspack/ChangeLog

change compression to match that now being used from source

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-04-07 | ccs-tools: move to recipes-mac | Armin Kuster | 2 | -0/+0
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-04-07 | layer.conf: Add warrior to compatible release series | Armin Kuster | 3 | -3/+3
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-04-01 | linux-yocto/5.0: add apparmor fragments | Armin Kuster | 5 | -0/+37
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-04-01 | linux-yocto: make bbappend version neutral | Armin Kuster | 3 | -5/+9
update apparmor configs

[v2] Just update configs. leave versions intact.

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-03-31 | apparmor: add basic runtime test | Armin Kuster | 1 | -0/+27
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-03-31 | apparmor: update to 2.13.2 | Armin Kuster | 2 | -40/+9
Drop patch included in update:
tool-paths.patch

Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-03-31 | reorg ids: move ids recipes to recipes-ids | Armin Kuster | 41 | -0/+0
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-03-31 | reorg: move mac recipes to recipes-mac | Armin Kuster | 13 | -0/+0
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-03-31 | clamav: add basic runtime tests | Armin Kuster | 1 | -0/+38
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2019-03-31 | clamav: drop llvm version setting | Armin Kuster | 1 | -7/+3
There is only one llvm and its in core so drop allowing it to be overwritten. We can hardcode it now.

Signed-off-by: Armin Kuster <akuster808@gmail.com>