path: root/recipes-security
Diffstat (limited to 'recipes-security')
-rw-r--r--recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch45
-rw-r--r--recipes-security/Firejail/firejail_0.9.72.bb65
-rw-r--r--recipes-security/aircrack-ng/aircrack-ng_1.6.bb8
-rw-r--r--recipes-security/bastille/bastille_3.2.1.bb153
-rw-r--r--recipes-security/bastille/files/API.pm2528
-rw-r--r--recipes-security/bastille/files/AccountPermission.pm1060
-rw-r--r--recipes-security/bastille/files/FileContent.pm1153
-rw-r--r--recipes-security/bastille/files/HPSpecific.pm1983
-rw-r--r--recipes-security/bastille/files/Miscellaneous.pm166
-rw-r--r--recipes-security/bastille/files/ServiceAdmin.pm690
-rw-r--r--recipes-security/bastille/files/accept_os_flag_in_backend.patch34
-rw-r--r--recipes-security/bastille/files/allow_os_with_assess.patch43
-rw-r--r--recipes-security/bastille/files/call_output_config.patch19
-rwxr-xr-xrecipes-security/bastille/files/config106
-rw-r--r--recipes-security/bastille/files/do_not_apply_config.patch40
-rw-r--r--recipes-security/bastille/files/edit_usage_message.patch32
-rw-r--r--recipes-security/bastille/files/find_existing_config.patch64
-rw-r--r--recipes-security/bastille/files/fix_missing_use_directives.patch54
-rw-r--r--recipes-security/bastille/files/fix_number_of_modules.patch38
-rw-r--r--recipes-security/bastille/files/fix_version_parse.patch27
-rw-r--r--recipes-security/bastille/files/fixed_defined_warnings.patch65
-rw-r--r--recipes-security/bastille/files/organize_distro_discovery.patch476
-rw-r--r--recipes-security/bastille/files/remove_questions_text_file_references.patch30
-rwxr-xr-xrecipes-security/bastille/files/set_required_questions.py157
-rw-r--r--recipes-security/bastille/files/simplify_B_place.patch40
-rw-r--r--recipes-security/bastille/files/upgrade_options_processing.patch91
-rw-r--r--recipes-security/chipsec/chipsec_1.9.1.bb34
-rw-r--r--recipes-security/cryptmount/cryptmount_6.2.0.bb36
-rw-r--r--recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb16
-rw-r--r--recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch2
-rw-r--r--recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch2
-rw-r--r--recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch28
-rwxr-xr-xrecipes-security/fail2ban/files/fail2ban_setup.py174
-rw-r--r--recipes-security/fail2ban/files/initd98
-rw-r--r--recipes-security/fail2ban/files/run-ptest3
-rw-r--r--recipes-security/fail2ban/python3-fail2ban_0.11.2.bb53
-rw-r--r--recipes-security/fscrypt/fscrypt_1.1.0.bb51
-rw-r--r--recipes-security/fscryptctl/fscryptctl_1.1.0.bb (renamed from recipes-security/fscryptctl/fscryptctl_1.0.0.bb)11
-rw-r--r--recipes-security/glome/glome_git.bb24
-rw-r--r--recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb (renamed from recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb)6
-rw-r--r--recipes-security/isic/files/configure_fix.patch3
-rw-r--r--recipes-security/isic/files/isic-0.07-make.patch2
-rw-r--r--recipes-security/isic/files/isic-0.07-netinet.patch2
-rw-r--r--recipes-security/isic/isic_0.07.bb2
-rw-r--r--recipes-security/krill/files/panic_workaround.patch16
-rw-r--r--recipes-security/krill/krill-crates.inc550
-rw-r--r--recipes-security/krill/krill_0.12.3.bb42
-rw-r--r--recipes-security/libdhash/ding-libs_0.6.1.bb2
-rw-r--r--recipes-security/libest/libest_3.2.0.bb11
-rw-r--r--recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch43
-rw-r--r--recipes-security/libgssglue/files/libgssglue-g-initialize.patch21
-rw-r--r--recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch27
-rw-r--r--recipes-security/libgssglue/files/libgssglue-mglueP.patch21
-rw-r--r--recipes-security/libgssglue/libgssglue_0.8.bb (renamed from recipes-security/libgssglue/libgssglue_0.4.bb)28
-rw-r--r--recipes-security/libmhash/libmhash_0.9.9.9.bb10
-rw-r--r--recipes-security/libmspack/libmspack_1.11.bb (renamed from recipes-security/libmspack/libmspack_1.9.1.bb)6
-rw-r--r--recipes-security/mfa/python3-privacyidea_3.5.2.bb40
-rw-r--r--recipes-security/ncrack/ncrack_0.7.bb6
-rw-r--r--recipes-security/nikto/files/location.patch36
-rw-r--r--recipes-security/nikto/nikto_2.1.6.bb118
-rw-r--r--recipes-security/opendnssec/files/libdns_conf_fix.patch2
-rw-r--r--recipes-security/opendnssec/files/libxml2_conf.patch2
-rw-r--r--recipes-security/opendnssec/opendnssec_2.1.10.bb (renamed from recipes-security/opendnssec/opendnssec_2.1.9.bb)10
-rw-r--r--recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch26
-rw-r--r--recipes-security/paxctl/paxctl_0.9.bb10
-rw-r--r--recipes-security/redhat-security/redhat-security_1.0.bb4
-rw-r--r--recipes-security/sshguard/sshguard_2.4.3.bb11
-rw-r--r--recipes-security/sssd/files/drop_ntpdate_chk.patch28
-rw-r--r--recipes-security/sssd/files/fix-ldblibdir.patch25
-rw-r--r--recipes-security/sssd/files/fix_gid.patch27
-rw-r--r--recipes-security/sssd/files/no_gen.patch19
-rw-r--r--recipes-security/sssd/files/sssd.conf8
-rw-r--r--recipes-security/sssd/files/volatiles.99_sssd1
-rw-r--r--recipes-security/sssd/sssd_2.5.0.bb131
74 files changed, 984 insertions, 10011 deletions
diff --git a/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch b/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch
new file mode 100644
index 0000000..7e70692
--- /dev/null
+++ b/recipes-security/Firejail/firejail/exclude_seccomp_util_compiles.patch
@@ -0,0 +1,45 @@
+Exclude all the seccomp files to run during build.
+
+Upstream-Status: Inappropriate [embedded specific]
+There are some files that need to run to generate the appropriate files
+we are currently doing this on the target.
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/Makefile
+===================================================================
+--- git.orig/Makefile
++++ git/Makefile
+@@ -18,7 +18,6 @@ MYDIRS = src/lib $(MAN_SRC) $(COMPLETION
+ MYLIBS = src/libpostexecseccomp/libpostexecseccomp.so src/libtrace/libtrace.so src/libtracelog/libtracelog.so
+ COMPLETIONS = src/zsh_completion/_firejail src/bash_completion/firejail.bash_completion
+ MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5 firejail-users.5 jailcheck.1
+-SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.block_secondary seccomp.mdwx seccomp.mdwx.32
+ ALL_ITEMS = $(APPS) $(SBOX_APPS) $(SBOX_APPS_NON_DUMPABLE) $(MYLIBS)
+
+ .PHONY: all
+@@ -43,7 +42,7 @@ $(MANPAGES): src/man config.mk
+
+ man: $(MANPAGES)
+
+-filters: $(SECCOMP_FILTERS) $(SBOX_APPS_NON_DUMPABLE)
++filters: $(SBOX_APPS_NON_DUMPABLE)
+ seccomp: src/fseccomp/fseccomp src/fsec-optimize/fsec-optimize
+ src/fseccomp/fseccomp default seccomp
+ src/fsec-optimize/fsec-optimize seccomp
+@@ -72,7 +71,6 @@ clean:
+ done
+ $(MAKE) -C test clean
+ rm -f $(MANPAGES) $(MANPAGES:%=%.gz) firejail*.rpm
+- rm -f $(SECCOMP_FILTERS)
+ rm -f test/utils/index.html*
+ rm -f test/utils/wget-log
+ rm -f test/utils/firejail-test-file*
+@@ -110,7 +108,7 @@ endif
+ # libraries and plugins
+ install -m 0755 -d $(DESTDIR)$(libdir)/firejail
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/firecfg/firejail-welcome.sh
+- install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS) $(SECCOMP_FILTERS)
++ install -m 0644 -t $(DESTDIR)$(libdir)/firejail $(MYLIBS)
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail $(SBOX_APPS)
+ install -m 0755 -t $(DESTDIR)$(libdir)/firejail src/profstats/profstats
+ # plugins w/o read permission (non-dumpable)
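Review bot: The header of this patch says the seccomp filters are now generated on the target but not why, which a later maintainer needs before deciding whether the patch can be dropped; presumably it is because fseccomp and fsec-optimize are built for the target and cannot be executed during a cross build — confirm and state it. I would extend the description with `fseccomp/fsec-optimize are target binaries and cannot run at build time in a cross build, so the filters are generated in the recipe's pkg_postinst_ontarget instead.` Note also that the patch removes every filter from the `install` target, so any entry of the dropped SECCOMP_FILTERS list (which includes seccomp.mdwx.32) that the postinst does not regenerate will simply be absent on the target, and the `seccomp:` rule kept at the bottom of the second hunk is now unreachable from `filters`.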
diff --git a/recipes-security/Firejail/firejail_0.9.72.bb b/recipes-security/Firejail/firejail_0.9.72.bb
new file mode 100644
index 0000000..5713f46
--- /dev/null
+++ b/recipes-security/Firejail/firejail_0.9.72.bb
@@ -0,0 +1,65 @@
+#
+# Copyright 2022 Armin Kuster <akuster808@gmail.com>
+#
+SUMMARY = "Linux namespaces and seccomp-bpf sandbox"
+DESCRIPTION = "Firejail is a SUID sandbox program that reduces the risk of security breaches \
+by restricting the running environment of untrusted applications using Linux namespaces, \
+seccomp-bpf and Linux capabilities."
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
+LICENSE = "GPL-2.0-only"
+
+SRCREV = "2551bc71f14052344666f3ca2ad67f5b798020b9"
+SRC_URI = "git://github.com/netblue30/firejail.git;protocol=https;branch=master \
+ file://exclude_seccomp_util_compiles.patch \
+ "
+
+DEPENDS = "libseccomp"
+
+S = "${WORKDIR}/git"
+
+inherit autotools-brokensep pkgconfig bash-completion features_check
+
+REQUIRED_DISTRO_FEATURES = "seccomp"
+
+PACKAGECONFIG ?= ""
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'apparmor', 'apparmor', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
+PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}"
+
+PACKAGECONFIG[apparmor] = "--enable-apparmor, --disable-apparmor, apparmor, apparmor"
+PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux"
+PACKAGECONFIG[x11] = " --enable-x11, --disable-x11, "
+PACKAGECONFIG[dbusproxy] = ", --disable-dbusproxy, "
+PACKAGECONFIG[notmpfs] = ", --disable-usertmpfs ,"
+PACKAGECONFIG[nofiretunnel] = ", --disable-firetunnel , "
+PACKAGECONFIG[noprivatehome] = ", --disable-private-home, "
+PACKAGECONFIG[nochroot] = ", --disable-chroot, "
+PACKAGECONFIG[nonetwork] = ", --disable-network, "
+PACKAGECONFIG[nouserns] = ", --disable-userns, "
+PACKAGECONFIG[nofiletransfer] = ", --disable-file-transfer, "
+PACKAGECONFIG[nosuid] = ", --disable-suid, "
+
+EXTRA_OECONF = "--disable-man --enable-busybox-workaround"
+
+PACKAGES:append = " ${PN}-vim ${PN}-zsh"
+
+FILES:${PN}-vim = "${datadir}/vim/"
+FILES:${PN}-zsh = "${datadir}/zsh/"
+FILES:${PN}-dev = "${datadir}/gtksourceview-5/"
+
+pkg_postinst_ontarget:${PN} () {
+ ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp
+ ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp
+ ${libdir}/${BPN}/fseccomp default ${libdir}/${BPN}/seccomp.debug allow-debuggers
+ ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp.debug
+ ${libdir}/${BPN}/fseccomp secondary 32 ${libdir}/${BPN}/seccomp.32
+ ${libdir}/${BPN}/fsec-optimize ${libdir}/${BPN}/seccomp.32
+ ${libdir}/${BPN}/fseccomp secondary block ${libdir}/${BPN}/seccomp.block_secondary
+ ${libdir}/${BPN}/fseccomp memory-deny-write-execute ${libdir}/${BPN}/seccomp.mdwx
+}
+
+COMPATIBLE_MACHINE:x86_64 = "x86_64"
+COMPATIBLE_MACHINE:arm64 = "arch64"
+
+RDEPENDS:${PN} = "bash"
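Review bot: The pkg_postinst_ontarget block runs its generation steps with no error handling and omits seccomp.mdwx.32, which the patched-out Makefile listed in SECCOMP_FILTERS, so a failed or missing filter passes silently and only shows up when a sandbox tries to load it. I would begin the function with `set -e` and add the 32-bit mdwx step — presumably `${libdir}/${BPN}/fseccomp memory-deny-write-execute-32 ${libdir}/${BPN}/seccomp.mdwx.32`, checking the subcommand name against the Makefile rule the patch removed. Filters generated on target are also not in the package's file manifest, so they are left behind on removal and not covered by package verification; a one-line comment above the function stating that would help. Separately, `COMPATIBLE_MACHINE:arm64 = "arch64"` looks like a typo for aarch64.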
diff --git a/recipes-security/aircrack-ng/aircrack-ng_1.6.bb b/recipes-security/aircrack-ng/aircrack-ng_1.6.bb
index 8d3b531..d3722c0 100644
--- a/recipes-security/aircrack-ng/aircrack-ng_1.6.bb
+++ b/recipes-security/aircrack-ng/aircrack-ng_1.6.bb
@@ -1,7 +1,7 @@
SUMMARY = "Aircrack-ng is a set of tools for auditing wireless networks"
DESCRIPTION = "Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools."
SECTION = "security"
-LICENSE = "GPL-2.0"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=1fbd81241fe252ec0f5658a521ab7dd8"
@@ -29,8 +29,8 @@ do_install () {
make DESTDIR=${D} ${OEMAKE_EXTRA} ext_scripts=true install
}
-FILES_${PN} += "${libdir}/*.so"
+FILES:${PN} += "${libdir}/*.so"
FILES_SOLIBSDEV = ""
-INSANE_SKIP_${PN} += "dev-so"
+INSANE_SKIP:${PN} += "dev-so"
-RDEPENDS_${PN} = "libpcap"
+RDEPENDS:${PN} = "libpcap"
diff --git a/recipes-security/bastille/bastille_3.2.1.bb b/recipes-security/bastille/bastille_3.2.1.bb
deleted file mode 100644
index 0290cae..0000000
--- a/recipes-security/bastille/bastille_3.2.1.bb
+++ /dev/null
@@ -1,153 +0,0 @@
-#The functionality of Bastille that is actually available is restricted. Please
-#consult the README file for the meta-security layer for additional information.
-SUMMARY = "Linux hardening tool"
-DESCRIPTION = "Bastille Linux is a Hardening and Reporting/Auditing Program which enhances the security of a Linux box, by configuring daemons, system settings and firewalling."
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b"
-# Bash is needed for set +o privileged (check busybox), might also need ncurses
-DEPENDS = "virtual/kernel"
-RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils"
-FILES_${PN} += "/run/lock/subsys/bastille"
-
-SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \
- file://AccountPermission.pm \
- file://FileContent.pm \
- file://HPSpecific.pm \
- file://Miscellaneous.pm \
- file://ServiceAdmin.pm \
- file://config \
- file://fix_version_parse.patch \
- file://fixed_defined_warnings.patch \
- file://call_output_config.patch \
- file://fix_missing_use_directives.patch \
- file://fix_number_of_modules.patch \
- file://remove_questions_text_file_references.patch \
- file://simplify_B_place.patch \
- file://find_existing_config.patch \
- file://upgrade_options_processing.patch \
- file://accept_os_flag_in_backend.patch \
- file://allow_os_with_assess.patch \
- file://edit_usage_message.patch \
- file://organize_distro_discovery.patch \
- file://do_not_apply_config.patch \
- "
-
-SRC_URI[md5sum] = "df803f7e38085aa5da79f85d0539f91b"
-SRC_URI[sha256sum] = "0ea25191b1dc1c8f91e1b6f8cb5436a3aa1e57418809ef902293448efed5021a"
-
-S = "${WORKDIR}/Bastille"
-
-do_install () {
- install -d ${D}${sbindir}
- install -d ${D}${libdir}/perl5/site_perl/Curses
-
- install -d ${D}${libdir}/Bastille
- install -d ${D}${libdir}/Bastille/API
- install -d ${D}${datadir}/Bastille
- install -d ${D}${datadir}/Bastille/OSMap
- install -d ${D}${datadir}/Bastille/OSMap/Modules
- install -d ${D}${datadir}/Bastille/Questions
- install -d ${D}${datadir}/Bastille/FKL/configs/
- install -d ${D}${localstatedir}/log/Bastille
- install -d ${D}${sysconfdir}/Bastille
- install -m 0755 AutomatedBastille ${D}${sbindir}
- install -m 0755 BastilleBackEnd ${D}${sbindir}
- install -m 0755 InteractiveBastille ${D}${sbindir}
- install -m 0644 Modules.txt ${D}${datadir}/Bastille
- # New Weights file(s).
- install -m 0644 Weights.txt ${D}${datadir}/Bastille
- # Castle graphic
- install -m 0644 bastille.jpg ${D}${datadir}/Bastille/
- # Javascript file
- install -m 0644 wz_tooltip.js ${D}${datadir}/Bastille/
- install -m 0644 Credits ${D}${datadir}/Bastille
- install -m 0644 FKL/configs/fkl_config_redhat.cfg ${D}${datadir}/Bastille/FKL/configs/
- install -m 0755 RevertBastille ${D}${sbindir}
- install -m 0755 bin/bastille ${D}${sbindir}
- install -m 0644 bastille-firewall ${D}${datadir}/Bastille
- install -m 0644 bastille-firewall-reset ${D}${datadir}/Bastille
- install -m 0644 bastille-firewall-schedule ${D}${datadir}/Bastille
- install -m 0644 bastille-tmpdir-defense.sh ${D}${datadir}/Bastille
- install -m 0644 bastille-tmpdir.csh ${D}${datadir}/Bastille
- install -m 0644 bastille-tmpdir.sh ${D}${datadir}/Bastille
- install -m 0644 bastille-firewall.cfg ${D}${datadir}/Bastille
- install -m 0644 bastille-ipchains ${D}${datadir}/Bastille
- install -m 0644 bastille-netfilter ${D}${datadir}/Bastille
- install -m 0644 bastille-firewall-early.sh ${D}${datadir}/Bastille
- install -m 0644 bastille-firewall-pre-audit.sh ${D}${datadir}/Bastille
- install -m 0644 complete.xbm ${D}${datadir}/Bastille
- install -m 0644 incomplete.xbm ${D}${datadir}/Bastille
- install -m 0644 disabled.xpm ${D}${datadir}/Bastille
- install -m 0644 ifup-local ${D}${datadir}/Bastille
- install -m 0644 hosts.allow ${D}${datadir}/Bastille
-
- install -m 0644 Bastille/AccountSecurity.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/Apache.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/API.pm ${D}${libdir}/Bastille
- install -m 0644 ${WORKDIR}/AccountPermission.pm ${D}${libdir}/Bastille/API
- install -m 0644 ${WORKDIR}/FileContent.pm ${D}${libdir}/Bastille/API
- install -m 0644 ${WORKDIR}/HPSpecific.pm ${D}${libdir}/Bastille/API
- install -m 0644 ${WORKDIR}/ServiceAdmin.pm ${D}${libdir}/Bastille/API
- install -m 0644 ${WORKDIR}/Miscellaneous.pm ${D}${libdir}/Bastille/API
- install -m 0644 Bastille/BootSecurity.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/ConfigureMiscPAM.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/DisableUserTools.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/DNS.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/FilePermissions.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/FTP.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/Firewall.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/OSX_API.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/LogAPI.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/HP_UX.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/IOLoader.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/Patches.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/Logging.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/MiscellaneousDaemons.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/PatchDownload.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/Printing.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/PSAD.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/RemoteAccess.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/SecureInetd.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/Sendmail.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/TestDriver.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/TMPDIR.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_AccountSecurity.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_Apache.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_DNS.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_FTP.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_HP_UX.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_MiscellaneousDaemons.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_Patches.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_SecureInetd.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_Sendmail.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_BootSecurity.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_DisableUserTools.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_FilePermissions.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_Logging.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/test_Printing.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille/IPFilter.pm ${D}${libdir}/Bastille
- install -m 0644 Bastille_Curses.pm ${D}${libdir}/perl5/site_perl
- install -m 0644 Bastille_Tk.pm ${D}${libdir}/perl5/site_perl
- install -m 0644 Curses/Widgets.pm ${D}${libdir}/perl5/site_perl/Curses
-
- install -m 0644 OSMap/LINUX.bastille ${D}${datadir}/Bastille/OSMap
- install -m 0644 OSMap/LINUX.system ${D}${datadir}/Bastille/OSMap
- install -m 0644 OSMap/LINUX.service ${D}${datadir}/Bastille/OSMap
- install -m 0644 OSMap/HP-UX.bastille ${D}${datadir}/Bastille/OSMap
- install -m 0644 OSMap/HP-UX.system ${D}${datadir}/Bastille/OSMap
- install -m 0644 OSMap/HP-UX.service ${D}${datadir}/Bastille/OSMap
- install -m 0644 OSMap/OSX.bastille ${D}${datadir}/Bastille/OSMap
- install -m 0644 OSMap/OSX.system ${D}${datadir}/Bastille/OSMap
-
- install -m 0777 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config
-
- for file in `cat Modules.txt` ; do
- install -m 0644 Questions/$file.txt ${D}${datadir}/Bastille/Questions
- done
-
- ${THISDIR}/files/set_required_questions.py ${D}${sysconfdir}/Bastille/config ${D}${datadir}/Bastille/Questions
-
- ln -s RevertBastille ${D}${sbindir}/UndoBastille
-}
-
-FILES_${PN} += "${datadir}/Bastille ${libdir}/Bastille ${libdir}/perl* ${sysconfdir}/*"
diff --git a/recipes-security/bastille/files/API.pm b/recipes-security/bastille/files/API.pm
deleted file mode 100644
index 5060f52..0000000
--- a/recipes-security/bastille/files/API.pm
+++ /dev/null
@@ -1,2528 +0,0 @@
-# Copyright (C) 1999-2007 Jay Beale
-# Copyright (C) 2001-2008 Hewlett-Packard Development Company, L.P.
-# Licensed under the GNU General Public License, version 2
-
-package Bastille::API;
-
-## TO DO:
-#
-#
-# 1) Look for more places to insert error handling...
-#
-# 2) Document this module more
-#
-#
-
-
-##########################################################################
-#
-# This module forms the basis for the v1.1 API.
-#
- ##########################################################################
-
-#
-# This module forms the initial basis for the Bastille Engine, implemented
-# presently via a Perl API for Perl modules.
-#
-# This is still under construction -- it is very usable, but not very well
-# documented, yet.
-#
-
-##########################################################################
-#
-# API Function Listing
-#
-##########################################################################
-# The routines which should be called by Bastille modules are listed here,
-# though they are better documented throughout this file.
-#
-# Distro Specific Stuff:
-#
-# &GetDistro - figures out what distro we're running, if it knows it...
-# &ConfigureForDistro - sets global variables based on the distro
-# &GetGlobal - returns hash values defined in ConfigureForDistro
-#
-# &getGlobalConfig - returns value of hash set up by ReadConfig
-#
-# Logging Specific Stuff has moved to LogAPI.pm:
-#
-# &B_log(type,msg) -- takes care of all logging
-#
-#
-# Input functions for the old input method...
-#
-# File open/close/backup functions
-#
-# &B_open * -- opens a file handle and logs the action/error (OLD WAY!)
-# &B_open_plus -- opens a pair of file handles for the old and new version
-# of a file; respects logonly flag. (NEW WAY)
-# &B_close * -- closes a file handle and logs the action/error (OLD WAY!)
-# &B_close_plus -- closes a pair of file handles opened by B_open_plus,
-# backing up one file and renaming the new file to the
-# old one's name, logging actions/errors. Respects the
-# logonly flag -- needs B_backup file. Finally, sets
-# new file's mode,uid,gid to old file's... (NEW WAY)
-# &B_backup_file - backs up a file that is being changed/deleted into the
-# $GLOBAL_BDIR{"backup"} directory.
-#
-# Non-content file modification functions
-#
-# &B_delete_file - deletes the named file, backing up a copy
-# &B_create_file - creates the named file, if it doesn't exist
-#
-# &B_symlink - create a symlink to a file, recording the revert rm
-#
-# More stuff
-#
-# &B_createdir - make a directory, if it doesn't exist, record revert rmdir
-# &B_cp - copy a file, respecting LOGONLY and revert func.
-# &B_mknod - wrap mknod with revert and logonly and prefix functionality
-#
-# &B_read_sums - reads sum.csv file and parses input into the GLOBAL_SUM hash
-# &B_write_sums - writes sum.csv file from GLOBAL_SUM hash
-# &B_check_sum($) - take a file name and compares the stored cksum with the current
-# cksum of said file
-# &B_set_sum($) - takes a file name and gets that files current cksum then sets
-# that sum in the GLOBAL_SUM hash
-# &B_revert_log - create entry in shell script, executed later by bastille -r
-# &showDisclaimer - Print the disclaimer and wait for 5 minutes for acceptance
-###########################################################################
-# Note: GLOBAL_VERBOSE
-#
-# All logging functions now check GLOBAL_VERBOSE and, if set, will print
-# all the information sent to log files to STDOUT/STDERR as well.
-#
-
-#
-# Note: GLOBAL_LOGONLY
-#
-# All Bastille API functions now check for the existence of a GLOBAL_LOGONLY
-# variable. When said variable is set, no function actually modifies the
-# system.
-#
-# Note: GLOBAL_DEBUG
-#
-# The B_log("DEBUG",...) function now checks GLOBAL_DEBUG and, if set, it will
-# print all the information to a new debug-log file. If GLOBAL_VERBOSE is
-# set it might log to STDOUT/STDERR as well (not yet implemented, pending
-# discussion). Developers should populate appropriate places with &B_log(DEBUG)
-# in order to be able to tell users to use this options and send the logs
-# for inspection and debugging.
-#
-#
-
-
-# Libraries for the Backup_file routine: Cwd and File::Path
-use Cwd;
-use Bastille::OSX_API;
-use Bastille::LogAPI;
-use File::Path;
-use File::Basename;
-
-# Export the API functions listed below for use by the modules.
-
-use Exporter;
-@ISA = qw ( Exporter );
-@EXPORT = qw(
- setOptions GetDistro ConfigureForDistro B_log B_revert_log
- SanitizeEnv
- B_open B_close B_symlink StopLogging
- B_open_plus B_close_plus
- B_isFileinSumDB
- B_create_file B_read_sums B_check_sum B_set_sum isSumDifferent listModifiedFiles
- B_create_dir B_create_log_file
- B_delete_file
- B_cp B_place B_mknod
- showDisclaimer
- getSupportedOSHash
- B_Backtick
- B_System
- isProcessRunning
- checkProcsForService
-
-
- $GLOBAL_OS $GLOBAL_ACTUAL_OS $CLI
- $GLOBAL_LOGONLY $GLOBAL_VERBOSE $GLOBAL_DEBUG $GLOBAL_AUDITONLY $GLOBAL_AUDIT_NO_BROWSER $errorFlag
- %GLOBAL_BIN %GLOBAL_DIR %GLOBAL_FILE
- %GLOBAL_BDIR %GLOBAL_BFILE
- %GLOBAL_CONFIG %GLOBAL_SUM
-
- %GLOBAL_SERVICE %GLOBAL_SERVTYPE %GLOBAL_PROCESS %GLOBAL_RC_CONFIG
- %GLOBAL_TEST
-
- getGlobal setGlobal getGlobalConfig
-
-
- B_parse_fstab
- B_parse_mtab B_is_rpm_up_to_date
-
- NOTSECURE_CAN_CHANGE SECURE_CANT_CHANGE
- NOT_INSTALLED INCONSISTENT MANUAL NOTEST SECURE_CAN_CHANGE
- STRING_NOT_DEFINED NOT_INSTALLED_NOTSECURE DONT_KNOW
- RELEVANT_HEADERQ NOTRELEVANT_HEADERQ
-);
-
-
-
-######################################################
-###Testing Functions
-##################################################################
-
-#Define "Constants" for test functions. Note these constants sometimes get
-#interpreted as literal strings when used as hash references, so you may
-# have to use CONSTANT() to disambiguate, like below. Sorry, it was either
-# that or create even *more* global variables.
-# See TestDriver.pm for definitions, and test design doc for full explaination
-use constant {
- NOTSECURE_CAN_CHANGE => 0,
- SECURE_CANT_CHANGE => 1,
- NOT_INSTALLED => 2, # (where the lack makes the system secure, eg telnet)
- INCONSISTENT => 3,
- MANUAL => 4,
- NOTEST => 5,
- SECURE_CAN_CHANGE => 6,
- STRING_NOT_DEFINED => 7,
- NOT_INSTALLED_NOTSECURE => 8, #(Where the missing s/w makes the system less secure eg IPFilter)
- #Intentional duplicates follow
- DONT_KNOW => 5,
- RELEVANT_HEADERQ => 6,
- NOTRELEVANT_HEADERQ => 0
-};
-
-&SanitizeEnv;
-
-# Set up some common error messages. These are independent of
-# operating system
-
-# These will allow us to line up the warnings and error messages
-my $err ="ERROR: ";
-my $spc =" ";
-my $GLOBAL_OS="None";
-my $GLOBAL_ACTUAL_OS="None";
-my %GLOBAL_SUMS=();
-my $CLI='';
-
-#OS independent Error Messages Follow, normally "bastille" script filters
-#options before interactive or Bastille runs, so this check is often redundant
-$GLOBAL_ERROR{"usage"}="\n".
- "$spc Usage: bastille [ -b | -c | -x ] [ --os <version> ] [ -f <alternate config> ]\n".
- "$spc bastille [ -r | --assess | --assessnobowser ]\n\n".
- "$spc --assess : check status of system and report in browser\n".
- "$spc --assessnobrowser : check status of system and list report locations\n".
- "$spc -b : use a saved config file to apply changes\n".
- "$spc directly to system\n".
- "$spc -c : use the Curses (non-X11) TUI\n".
- "$spc -f <alternate config>: populate answers with a different config file\n".
- "$spc -r : revert all Bastille changes to-date\n".
- "$spc -x : use the Perl/Tk (X11) GUI\n" .
- "$spc --os <version> : ask all questions for the given operating system\n" .
- "$spc version. e.g. --os RH6.0\n";
-
-# These options don't work universally, so it's best not to
-# document them here (yet). Hopefully, we'll get them
-# straightened out soon.
-#"$spc --log : log-only option\n".
-#"$spc -v : verbose mode\n".
-#"$spc --debug : debug mode\n";
-
-
-##############################################################################
-#
-# Directory structure for Bastille Linux v1.2 and up
-#
-##############################################################################
-#
-# /usr/sbin/ -- location of Bastille binaries
-# /usr/lib/Bastille -- location of Bastille modules
-# /usr/share/Bastille -- location of Bastille data files
-# /etc/Bastille -- location of Bastille config files
-#
-# /var/log/Bastille -- location of Bastille log files
-# /var/log/Bastille/revert -- directory holding all Bastille-created revert scripts
-# /var/log/Bastille/revert/backup -- directory holding the original files that
-# Bastille modifies, with permissions intact
-#
-##############################################################################
-
-##############################################################################
-#
-# Directory structure for HP-UX Bastille v2.0 and up
-#
-##############################################################################
-#
-# /opt/sec_mgmt/bastille/bin/ -- location of Bastille binaries
-# /opt/sec_mgmt/bastille/lib/ -- location of Bastille modules
-# /etc/opt/sec_mgmt/bastille/ -- location of Bastille data and config files
-#
-# /var/opt/sec_mgmt/bastille/log/ -- location of Bastille log files
-# /var/opt/sec_mgmt/bastille/revert -- directory holding all Bastille-created
-# revert scripts and save files
-#
-##############################################################################
-
-
-##############################################################################
-##############################################################################
-################## Actual functions start here... ###########################
-##############################################################################
-##############################################################################
-
-###########################################################################
-# setOptions takes six arguments, $GLOBAL_DEBUG, $GLOBAL_LOGONLY,
-# $GLOBAL_VERBOSE, $GLOBAL_AUDITONLY, $GLOBAL_AUDIT_NO_BROWSER, and GLOBAL_OS;
-###########################################################################
-sub setOptions($$$$$$) {
- ($GLOBAL_DEBUG,$GLOBAL_LOGONLY,$GLOBAL_VERBOSE,$GLOBAL_AUDITONLY,
- $GLOBAL_AUDIT_NO_BROWSER,$GLOBAL_OS) = @_;
- if ($GLOBAL_AUDIT_NO_BROWSER) {
- $GLOBAL_AUDITONLY = 1;
- }
- if (not(defined($GLOBAL_OS))){
- $GLOBAL_OS="None";
- }
-}
-###########################################################################
-#
-# SanitizeEnv load a proper environment so Bastille cannot be tricked
-# and Perl modules work correctly.
-#
-###########################################################################
-sub SanitizeEnv {
- delete @ENV{'IFS','CDPATH','ENV','BASH_ENV'};
- $ENV{CDPATH}=".";
- $ENV{BASH_ENV}= "";
- # Bin is needed here or else /usr/lib/perl5/5.005/Cwd.pm
- # will not find `pwd`
- # Detected while testing with -w, jfs
- $ENV{PATH} = "/bin:/usr/bin";
- # Giorgi, is /usr/local/bin needed? (jfs)
-}
-
-###########################################################################
-#
-# GetDistro checks to see if the target is a known distribution and reports
-# said distribution.
-#
-# This is used throughout the script, but also by ConfigureForDistro.
-#
-#
-###########################################################################
-
-sub GetDistro() {
-
- my ($release,$distro);
-
- # Only read files for the distro once.
- # if the --os option was used then
- if ($GLOBAL_OS eq "None") {
- if ( -e "/etc/mandrake-release" ) {
- open(MANDRAKE_RELEASE,"/etc/mandrake-release");
- $release=<MANDRAKE_RELEASE>;
-
- if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
- $distro="MN$1";
- }
- elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
- $distro="MN$1";
- }
- else {
- print STDERR "$err Couldn't determine Mandrake/Mandriva version! Setting to 10.1!\n";
- $distro="MN10.1";
- }
-
- close(MANDRAKE_RELEASE);
- }
- elsif ( -e "/etc/immunix-release" ) {
- open(IMMUNIX_RELEASE,"/etc/immunix-release");
- $release=<IMMUNIX_RELEASE>;
- unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
- print STDERR "$err Couldn't determine Immunix version! Setting to 6.2!\n";
- $distro="RH6.2";
- }
- else {
- $distro="RH$1";
- }
- close(*IMMUNIX_RELEASE);
- }
- elsif ( -e '/etc/fedora-release' ) {
- open(FEDORA_RELEASE,'/etc/fedora-release');
- $release=<FEDORA_RELEASE>;
- close FEDORA_RELEASE;
- if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
- $distro = "RHFC$1";
- }
- elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
- $distro = "RHFC$1";
- }
- else {
- print STDERR "$err Could not determine Fedora version! Setting to Fedora Core 8\n";
- $distro='RHFC8';
- }
- }
- elsif ( -e "/etc/redhat-release" ) {
- open(*REDHAT_RELEASE,"/etc/redhat-release");
- $release=<REDHAT_RELEASE>;
- if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
- $distro="RH$1";
- }
- elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
- $distro="RHEL$1$2";
- }
- elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
- $distro="RHEL$2$1";
- }
- elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
- my $version = $1;
- if ($version =~ /^4\./) {
- $distro='RHEL4AS';
- }
- elsif ($version =~ /^3\./) {
- $distro='RHEL3AS';
- }
- else {
- print STDERR "$err Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
- $distro='RHEL4AS';
- }
- }
- else {
- # JJB/HP - Should this be B_log?
- print STDERR "$err Couldn't determine Red Hat version! Setting to 9!\n";
- $distro="RH9";
- }
- close(REDHAT_RELEASE);
-
- }
- elsif ( -e "/etc/debian_version" ) {
- $stable="3.1"; #Change this when Debian stable changes
- open(*DEBIAN_RELEASE,"/etc/debian_version");
- $release=<DEBIAN_RELEASE>;
- unless ($release =~ /^(\d+\.\d+\w*)/) {
- print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
- $distro="DB$stable";
- }
- else {
- $distro="DB$1";
- }
- close(DEBIAN_RELEASE);
- }
- elsif ( -e "/etc/SuSE-release" ) {
- open(*SUSE_RELEASE,"/etc/SuSE-release");
- $release=<SUSE_RELEASE>;
- if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
- $distro="SE$1";
- }
- elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
- $distro="SESLES$1";
- }
- elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
- $distro="SESLES$1";
- }
- elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
- $distro="SE$1";
- }
- else {
- print STDERR "$err Couldn't determine SuSE version! Setting to 10.3!\n";
- $distro="SE10.3";
- }
- close(SUSE_RELEASE);
- }
- elsif ( -e "/etc/turbolinux-release") {
- open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
- $release=<TURBOLINUX_RELEASE>;
- unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
- print STDERR "$err Couldn't determine TurboLinux version! Setting to 7.0!\n";
- $distro="TB7.0";
- }
- else {
- $distro="TB$1";
- }
- close(TURBOLINUX_RELEASE);
- }
- else {
- # We're either on Mac OS X, HP-UX or an unsupported O/S.
- if ( -x '/usr/bin/uname') {
- # uname is in /usr/bin on Mac OS X and HP-UX
- $release=`/usr/bin/uname -sr`;
- }
- else {
- print STDERR "$err Could not determine operating system version!\n";
- $distro="unknown";
- }
-
- # Figure out what kind of system we're on.
- if ($release ne "") {
- if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
- if ($1 == 6 ) {
- $distro = "OSX10.2";
- }
- elsif ($1 == 7) {
- $distro = "OSX10.3";
- }
- elsif ($1 == 8) {
- $distro = "OSX10.3";
- }
- else {
- $distro = "unknown";
- }
- }
- elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
- $distro="$1$2";
- }
- else {
- print STDERR "$err Could not determine operating system version!\n";
- $distro="unknown";
- }
- }
- }
-
- $GLOBAL_OS=$distro;
- } elsif (not (defined $GLOBAL_OS)) {
- print "ERROR: GLOBAL OS Scoping Issue\n";
- } else {
- $distro = $GLOBAL_OS;
- }
-
- return $distro;
-}
-
-###################################################################################
-# &getActualDistro; #
-# #
-# This subroutine returns the actual os version in which is running on. This #
-# os version is independent of the --os switch feed to bastille. #
-# #
-###################################################################################
-sub getActualDistro {
- # set local variable to $GLOBAL_OS
-
- if ($GLOBAL_ACTUAL_OS eq "None") {
- my $os = $GLOBAL_OS;
- # undef GLOBAL_OS so that the GetDistro routine will return
- # the actualDistro, it might otherwise return the distro set
- # by the --os switch.
- $GLOBAL_OS = "None";
- $GLOBAL_ACTUAL_OS = &GetDistro;
- # reset the GLOBAL_OS variable
- $GLOBAL_OS = $os;
- }
- return $GLOBAL_ACTUAL_OS;
-}
-# These are helper routines which used to be included inside GetDistro
-sub is_OS_supported($) {
- my $os=$_[0];
- my $supported=0;
- my %supportedOSHash = &getSupportedOSHash;
-
- foreach my $oSType (keys %supportedOSHash) {
- foreach my $supported_os ( @{$supportedOSHash{$oSType}} ) {
- if ( $supported_os eq $os ) {
- $supported=1;
- }
- }
- }
-
- return $supported;
-}
-
-###############################################################################
-# getSupportedOSHash
-#
-# This subrountine returns a hash of supported OSTypes, which point to a
-# a list of supported distros. When porting to a new distro, add the
-# distro id to the hash in its appropriate list.
-###############################################################################
-sub getSupportedOSHash () {
-
- my %osHash = ("LINUX" => [
- "DB2.2", "DB3.0",
- "RH6.0","RH6.1","RH6.2","RH7.0",
- "RH7.1","RH7.2","RH7.3","RH8.0",
- "RH9",
- "RHEL5",
- "RHEL4AS","RHEL4ES","RHEL4WS",
- "RHEL3AS","RHEL3ES","RHEL3WS",
- "RHEL2AS","RHEL2ES","RHEL2WS",
- "RHFC1","RHFC2","RHFC3","RHFC4",
- "RHFC5","RHFC6","RHFC7","RHFC8",
- "MN6.0","MN6.1 ","MN7.0","MN7.1",
- "MN7.2","MN8.0","MN8.1","MN8.2",
- "MN10.1",
- "SE7.2","SE7.3", "SE8.0","SE8.1","SE9.0","SE9.1",
- "SE9.2","SE9.3","SE10.0","SE10.1","SE10.2","SE10.3",
- "SESLES8","SESLES9","SESLES10",
- "TB7.0"
- ],
-
- "HP-UX" => [
- "HP-UX11.00","HP-UX11.11",
- "HP-UX11.22", "HP-UX11.23",
- "HP-UX11.31"
- ],
-
- "OSX" => [
- 'OSX10.2','OSX10.3','OSX10.4'
- ]
- );
-
- return %osHash;
-
-}
-
-
-###############################################################################
-# setFileLocations(OSMapFile, currentDistro);
-#
-# Given a file map location this subroutine will create the GLOBAL_*
-# hash entries specified within this file.
-###############################################################################
-sub setFileLocations($$) {
-
- my ($fileInfoFile,$currentDistro) = @_;
-
- # define a mapping from the first argument to the proper hash
- my %map = ("BIN" => \%GLOBAL_BIN,
- "FILE" => \%GLOBAL_FILE,
- "BFILE" => \%GLOBAL_BFILE,
- "DIR" => \%GLOBAL_DIR,
- "BDIR" => \%GLOBAL_BDIR
- );
- my @fileInfo = ();
-
- # File containing file location information
- if(open(FILEINFO, "<$fileInfoFile" )) {
-
- @fileInfo = <FILEINFO>;
-
- close(FILEINFO);
-
- }
- else {
- print STDERR "$err Unable to find file location information for '$distro'.\n" .
- "$spc Contact the Bastille support list for details.\n";
- exit(1);
- }
-
- # Each line of the file map follows the pattern below:
- # bdir,init.d,'/etc/rc.d/init.d',RH7.2,RH7.3
- # if the distro information is not available, e.g.
- # bdir,init.d,'/etc/rc.d/init.d'
- # then the line applies to all distros under the OSType
- foreach my $file (@fileInfo) {
- # Perl comments are allowed within the file but only entire line comments
- if($file !~ /^\s+\#|^\s+$/) {
- chomp $file;
- # type relates to the map above, type bin will map to GLOBAL_BIN
- # id is the identifier used as the hash key by the GLOBAL hash
- # fileLocation is the full path to the file
- # distroList is an optional list of distros that this particular
- # file location, if no distro list is presented the file location
- # is considered to apply to all distros
- my ($type,$id,$fileLocation,@distroList) = split /\s*,\s*/, $file;
- $fileLocation =~ s/^\'(.*)\'$/$1/;
- if($#distroList == -1) {
- $map{uc($type)}->{$id}=$fileLocation;
- }
- else {
- foreach my $distro (@distroList) {
- # if the current distro matches the distro listed then
- # this file location applies
- if($currentDistro =~ /$distro/) {
- $map{uc($type)}->{$id}=$fileLocation;
- }
- }
- }
- }
- }
- unless(defined($map{uc("BFILE")}->{"current_config"})) {
- &setGlobal("BFILE","current_config",&getGlobal("BFILE","config"));
- }
-}
-
-###############################################################################
-# setServiceInfo($OSServiceMapFile, $currentDistro
-#
-# Given the location of an OS Service map file, which describes
-# a service in terms of configurables, processes and a service type.
-# The subroutine fills out the GLOBAL_SERVICE, $GLOBAL_RC_CONFIG, GLOBAL_SERVTYPE, and
-# GLOBAL_PROCESS hashes for a given service ID.
-###############################################################################
-sub setServiceInfo($$) {
- my ($serviceInfoFile,$currentDistro) = @_;
- my @serviceInfo = ();
-
- if(open(SERVICEINFO, "<$serviceInfoFile" )) {
-
- @serviceInfo = <SERVICEINFO>;
-
- close(SERVICEINFO);
-
- }
- else {
- print STDERR "$err Unable to find service, service type, and process information\n" .
- "$spc for '$distro'.\n" .
- "$spc Contact the Bastille support list for details.\n";
- exit(1);
- }
-
-
- # The following loop, parses the entire (YOUR OS).service file
- # to provide service information for YOUR OS.
- # The files format is as follows:
- # serviceID,servType,('service' 'configuration' 'list'),('process' 'list')[,DISTROS]*
- # if distros are not present then the service is assumed to be
- # relevant the the current distro
-
-
-#
-# More specifically, this file's format for rc-based daemons is:
-#
-# script_name,rc,(rc-config-file rc-config-file ...),(rc-variable1 rc-variable2 ...),('program_name1 program_name2 ...')
-#
-# ...where script_name is a file in /etc/init.d/ and
-# ...program_nameN is a program launced by the script.
-#
-# This file's format for inet-based daemons is:
-#
-# identifier, inet, line name/file name, program name
-#
-# label,inet,(port1 port2 ...),(daemon1 daemon2 ...)
-#
-# ...where label is arbitrary, portN is one of the ports
-# ...this one listens on, and daemonN is a program launched
-# ...in response to a connection on a port.
-
- foreach my $service (@serviceInfo) {
- # This file accepts simple whole line comments perl style
- if($service !~ /^\s+\#|^\s+$/) {
- chomp $service;
- my ($serviceID,$servType,$strConfigList,$strServiceList,
- $strProcessList,@distroList) = split /\s*,\s*/, $service;
-
- sub MakeArrayFromString($){
- my $entryString = $_[0];
- my @destArray = ();
- if ($entryString =~ /\'\S+\'/) { #Make sure we have something to extract before we try
- @destArray = split /\'\s+\'/, $entryString;
- $destArray[0] =~ s/^\(\'(.+)$/$1/; # Remove leading quotation mark
- $destArray[$#destArray] =~ s/^(.*)\'\)$/$1/; #Remove trailing quotation mark
- }
- return @destArray;
- }
-
- # produce a list of configuration files from the files
- # format ('configuration' 'files')
- my @configList = MakeArrayFromString($strConfigList);
-
- # produce a list of service configurables from the files
- # format ('service' 'configurable')
- my @serviceList = MakeArrayFromString($strServiceList);
-
- # produce a list of process names from the files format
- # ('my' 'process' 'list')
- my @processList = MakeArrayFromString($strProcessList);
-
- # if distros were not specified then accept the service information
- if($#distroList == -1) {
- @{$GLOBAL_SERVICE{$serviceID}} = @serviceList;
- $GLOBAL_SERVTYPE{$serviceID} = $servType;
- @{$GLOBAL_PROCESS{$serviceID}} = @processList;
- @{$GLOBAL_RC_CONFIG{$serviceID}} = @configList;
- }
- else {
- # only if the current distro matches one of the listed distros
- # include the service information.
- foreach my $distro (@distroList) {
- if($currentDistro =~ /$distro/) {
- @{$GLOBAL_SERVICE{$serviceID}} = @serviceList;
- $GLOBAL_SERVTYPE{$serviceID} = $servType;
- @{$GLOBAL_PROCESS{$serviceID}} = @processList;
- @{$GLOBAL_RC_CONFIG{$serviceID}} = @configList;
- }
- }
- }
- }
- }
-}
-
-
-
-###############################################################################
-# getFileAndServiceInfo($distro,$actualDistro)
-#
-# This subrountine, given distribution information, will import system file
-# and service information into the GLOBA_* hashes.
-#
-# NOTE: $distro and $actualDistro will only differ when the --os switch is
-# used to generate a configuration file for an arbitrary operating
-# system.
-#
-###############################################################################
-sub getFileAndServiceInfo($$) {
-
- my ($distro,$actualDistro) = @_;
-
- # defines the path to the OS map information for any supported OS type.
- # OS map information is used to determine file locations for a given
- # distribution.
- my %oSInfoPath = (
- "LINUX" => "/usr/share/Bastille/OSMap/",
- "HP-UX" => "/etc/opt/sec_mgmt/bastille/OSMap/",
- "OSX" => "/usr/share/Bastille/OSMap/"
- );
-
- # returns the OS, LINUX, HP-UX, or OSX, associated with this
- # distribution
- my $actualOS = &getOSType($actualDistro);
- my $oS = &getOSType($distro);
-
- if(defined $actualOS && defined $oS) {
- my $bastilleInfoFile = $oSInfoPath{$actualOS} . "${actualOS}.bastille";
- my $systemInfoFile = $oSInfoPath{$actualOS} . "${oS}.system";
- my $serviceInfoFile = $oSInfoPath{$actualOS} . "${oS}.service";
-
- if(-f $bastilleInfoFile) {
- &setFileLocations($bastilleInfoFile,$actualDistro);
- }
- else {
- print STDERR "$err Unable to find bastille file information.\n" .
- "$spc $bastilleInfoFile does not exist on the system";
- exit(1);
- }
-
- if(-f $systemInfoFile) {
- &setFileLocations($systemInfoFile,$distro);
- }
- else {
- print STDERR "$err Unable to find system file information.\n" .
- "$spc $systemInfoFile does not exist on the system";
- exit(1);
- }
- # Service info File is optional
- if(-f $serviceInfoFile) {
- &setServiceInfo($serviceInfoFile,$distro);
- }
- }
- else {
- print STDERR "$err Unable to determine operating system type\n" .
- "$spc for $actualDistro or $distro\n";
- exit(1);
- }
-
-}
-
-
-# returns the Operating System type associated with the specified
-# distribution.
-sub getOSType($) {
-
- my $distro = $_[0];
-
- my %supportedOSHash = &getSupportedOSHash;
- foreach my $oSType (keys %supportedOSHash) {
- foreach my $oSDistro (@{$supportedOSHash{$oSType}}) {
- if($distro eq $oSDistro) {
- return $oSType;
- }
- }
- }
-
- return undef;
-
-}
-
-
-# Test subroutine used to debug file location info for new Distributions as
-# they are ported.
-sub dumpFileInfo {
- print "Dumping File Information\n";
- foreach my $hashref (\%GLOBAL_BIN,\%GLOBAL_DIR,\%GLOBAL_FILE,\%GLOBAL_BFILE,\%GLOBAL_BDIR) {
- foreach my $id (keys %{$hashref}) {
- print "$id: ${$hashref}{$id}\n";
- }
- print "-----------------------\n\n";
- }
-}
-
-# Test subroutine used to debug service info for new Distributions as
-# they are ported.
-sub dumpServiceInfo {
- print "Dumping Service Information\n";
- foreach my $serviceId (keys %GLOBAL_SERVICE) {
- print "$serviceId:\n";
- print "Type - $GLOBAL_SERVTYPE{$serviceId}\n";
- print "Service List:\n";
- foreach my $service (@{$GLOBAL_SERVICE{$serviceId}}) {
- print "$service ";
- }
- print "\nProcess List:\n";
- foreach my $process (@{$GLOBAL_PROCESS{$serviceId}}) {
- print "$process ";
- }
- print "\n----------------------\n";
- }
-}
-
-
-###########################################################################
-#
-# &ConfigureForDistro configures the API for a given distribution. This
-# includes setting global variables that tell the Bastille API about
-# given binaries and directories.
-#
-# WARNING: If a distro is not covered here, Bastille may not be 100%
-# compatible with it, though 1.1 is written to be much smarter
-# about unknown distros...
-#
-###########################################################################
-sub ConfigureForDistro {
-
- my $retval=1;
-
- # checking to see if the os version given is in fact supported
- my $distro = &GetDistro;
-
- # checking to see if the actual os version is in fact supported
- my $actualDistro = &getActualDistro;
- $ENV{'LOCALE'}=''; # So that test cases checking for english results work ok.
- if ((! &is_OS_supported($distro)) or (! &is_OS_supported($actualDistro)) ) {
- # if either is not supported then print out a list of supported versions
- if (! &is_OS_supported($distro)) {
- print STDERR "$err '$distro' is not a supported operating system.\n";
- }
- else {
- print STDERR "$err Bastille is unable to operate correctly on this\n";
- print STDERR "$spc $distro operating system.\n";
- }
- my %supportedOSHash = &getSupportedOSHash;
- print STDERR "$spc Valid operating system versions are as follows:\n";
-
- foreach my $oSType (keys %supportedOSHash) {
-
- print STDERR "$spc $oSType:\n$spc ";
-
- my $os_number = 1;
- foreach my $os (@{$supportedOSHash{$oSType}}) {
- print STDERR "'$os' ";
- if ($os_number == 5){
- print STDERR "\n$spc ";
- $os_number = 1;
- }
- else {
- $os_number++;
- }
-
- }
- print STDERR "\n";
- }
-
- print "\n" . $GLOBAL_ERROR{"usage"};
- exit(1);
- }
-
- # First, let's make sure that we do not create any files or
- # directories with more permissive permissions than we
- # intend via setting the Perl umask
- umask(077);
-
- &getFileAndServiceInfo($distro,$actualDistro);
-
-# &dumpFileInfo; # great for debuging file location issues
-# &dumpServiceInfo; # great for debuging service information issues
-
- # OS dependent error messages (after configuring file locations)
- my $nodisclaim_file = &getGlobal('BFILE', "nodisclaimer");
-
- $GLOBAL_ERROR{"disclaimer"}="$err Unable to touch $nodisclaim_file:" .
- "$spc You must use Bastille\'s -n flag (for example:\n" .
- "$spc bastille -f -n) or \'touch $nodisclaim_file \'\n";
-
- return $retval;
-}
-
-
-###########################################################################
-###########################################################################
-# #
-# The B_<perl_function> file utilities are replacements for their Perl #
-# counterparts. These replacements log their actions and their errors, #
-# but are very similar to said counterparts. #
-# #
-###########################################################################
-###########################################################################
-
-
-###########################################################################
-# B_open is used for opening a file for reading. B_open_plus is the preferred
-# function for writing, since it saves a backup copy of the file for
-# later restoration.
-#
-# B_open opens the given file handle, associated with the given filename
-# and logs appropriately.
-#
-###########################################################################
-
-sub B_open {
- my $retval=1;
- my ($handle,$filename)=@_;
-
- unless ($GLOBAL_LOGONLY) {
- $retval = open $handle,$filename;
- }
-
- ($handle) = "$_[0]" =~ /[^:]+::[^:]+::([^:]+)/;
- &B_log("ACTION","open $handle,\"$filename\";\n");
- unless ($retval) {
- &B_log("ERROR","open $handle, $filename failed...\n");
- }
-
- return $retval;
-}
-
-###########################################################################
-# B_open_plus is the v1.1 open command.
-#
-# &B_open_plus($handle_file,$handle_original,$file) opens the file $file
-# for reading and opens the file ${file}.bastille for writing. It is the
-# counterpart to B_close_plus, which will move the original file to
-# $GLOBAL_BDIR{"backup"} and will place the new file ${file}.bastille in its
-# place.
-#
-# &B_open_plus makes the appropriate log entries in the action and error
-# logs.
-###########################################################################
-
-sub B_open_plus {
-
- my ($handle_file,$handle_original,$file)=@_;
- my $retval=1;
- my $return_file=1;
- my $return_old=1;
-
- my $original_file = $file;
-
- # Open the original file and open a copy for writing.
- unless ($GLOBAL_LOGONLY) {
- # if the temporary filename already exists then the open operation will fail.
- if ( $file eq "" ){
- &B_log("ERROR","Internal Error - Attempt Made to Open Blank Filename");
- $return_old=0;
- $return_file=0;
- return 0; #False
- } elsif (-e "${file}.bastille") {
- &B_log("ERROR","Unable to open $file as the swap file ".
- "${file}.bastille\" already exists. Rename the swap ".
- "file to allow Bastille to make desired file modifications.");
- $return_old=0;
- $return_file=0;
- }
- else {
- $return_old = open $handle_original,"$file";
- $return_file = open $handle_file,("> $file.bastille");
- }
- }
-
- # Error handling/logging here...
- #&B_log("ACTION","# Modifying file $original_file via temporary file $original_file.bastille\n");
- unless ($return_file) {
- $retval=0;
- &B_log("ERROR","open file: \"$original_file.bastille\" failed...\n");
- }
- unless ($return_old) {
- $retval=0;
- &B_log("ERROR","open file: \"$original_file\" failed.\n");
- }
-
- return $retval;
-
-}
-
-###########################################################################
-# B_close was the v1.0 close command. It is still used in places in the
-# code.
-# However the use of B _close_plus, which implements a new, smarter,
-# backup scheme is preferred.
-#
-# B_close closes the given file handle, associated with the given filename
-# and logs appropriately.
-###########################################################################
-
-
-sub B_close {
- my $retval=1;
-
- unless ($GLOBAL_LOGONLY) {
- $retval = close $_[0];
- }
-
- &B_log("ACTION", "close $_[0];\n");
- unless ($retval) {
- &B_log("ERROR", "close $_[0] failed...\n");
- }
-
- return $retval;
-}
-
-
-###########################################################################
-# B_close_plus is the v1.1 close command.
-#
-# &B_close_plus($handle_file,$handle_original,$file) closes the files
-# $file and ${file}.bastille, backs up $file to $GLOBAL_BDIR{"backup"} and
-# renames ${file}.bastille to $file. This backup is made using the
-# internal API function &B_backup_file. Further, it sets the new file's
-# permissions and uid/gid to the same as the old file.
-#
-# B_close_plus is the counterpart to B_open_plus, which opened $file and
-# $file.bastille with the file handles $handle_original and $handle_file,
-# respectively.
-#
-# &B_close_plus makes the appropriate log entries in the action and error
-# logs.
-###########################################################################
-
-sub B_close_plus {
- my ($handle_file,$handle_original,$file)=@_;
- my ($mode,$uid,$gid);
- my @junk;
-
- my $original_file;
-
- my $retval=1;
- my $return_file=1;
- my $return_old=1;
-
- # Append the global prefix, but save the original for B_backup_file b/c
- # it appends the prefix on its own...
-
- $original_file=$file;
-
- #
- # Close the files and prepare for the rename
- #
-
- if (($file eq "") or (not(-e $file ))) {
- &B_log("ERROR","Internal Error, attempted to close a blank filename ".
- "or nonexistent file.");
- return 0; #False
- }
-
- unless ($GLOBAL_LOGONLY) {
- $return_file = close $handle_file;
- $return_old = close $handle_original;
- }
-
- # Error handling/logging here...
- #&B_log("ACTION","#Closing $original_file and backing up to " . &getGlobal('BDIR', "backup"));
- #&B_log("ACTION","/$original_file\n");
-
- unless ($return_file) {
- $retval=0;
- &B_log("ERROR","close $original_file failed...\n");
- }
- unless ($return_old) {
- $retval=0;
- &B_log("ERROR","close $original_file.bastille failed.\n");
- }
-
- #
- # If we've had no errors, backup the old file and put the new one
- # in its place, with the Right permissions.
- #
-
- unless ( ($retval == 0) or $GLOBAL_LOGONLY) {
-
- # Read the permissions/owners on the old file
-
- @junk=stat ($file);
- $mode=$junk[2];
- $uid=$junk[4];
- $gid=$junk[5];
-
- # Set the permissions/owners on the new file
-
- chmod $mode, "$file.bastille" or &B_log("ERROR","Not able to retain permissions on $original_file!!!\n");
- chown $uid, $gid, "$file.bastille" or &B_log("ERROR","Not able to retain owners on $original_file!!!\n");
-
- # Backup the old file and put a new one in place.
-
- &B_backup_file($original_file);
- rename "$file.bastille", $file or
- &B_log("ERROR","B_close_plus: not able to move $original_file.bastille to $original_file\n");
-
- # We add the file to the GLOBAL_SUMS hash if it is not already present
- &B_set_sum($file);
-
- }
-
- return $retval;
-}
-
-###########################################################################
-# &B_backup_file ($file) makes a backup copy of the file $file in
-# &getGlobal('BDIR', "backup"). Note that this routine is intended for internal
-# use only -- only Bastille API functions should call B_backup_file.
-#
-###########################################################################
-
-sub B_backup_file {
-
- my $file=$_[0];
- my $complain = 1;
- my $original_file = $file;
-
- my $backup_dir = &getGlobal('BDIR', "backup");
- my $backup_file = $backup_dir . $original_file;
-
- my $retval=1;
-
- # First, separate the file into the directory and the relative filename
-
- my $directory ="";
- if ($file =~ /^(.*)\/([^\/]+)$/) {
- #$relative_file=$2;
- $directory = $1;
- } else {
- $directory=cwd;
- }
-
- # Now, if the directory does not exist, create it.
- # Later:
- # Try to set the same permissions on the patch directory that the
- # original had...?
-
- unless ( -d ($backup_dir . $directory) ) {
- mkpath(( $backup_dir . $directory),0,0700);
-
- }
-
- # Now we backup the file. If there is already a backup file there,
- # we will leave it alone, since it exists from a previous run and
- # should be the _original_ (possibly user-modified) distro's version
- # of the file.
-
- if ( -e $file ) {
-
- unless ( -e $backup_file ) {
- my $command=&getGlobal("BIN","cp");
- &B_Backtick("$command -p $file $backup_file");
- &B_revert_log (&getGlobal("BIN","mv"). " $backup_file $file");
- }
-
- } else {
- # The file we were trying to backup doesn't exist.
-
- $retval=0;
- # This is a non-fatal error, not worth complaining about
- $complain = 0;
- #&ErrorLog ("# Failed trying to backup file $file -- it doesn't exist!\n");
- }
-
- # Check to make sure that the file does exist in the backup location.
-
- unless ( -e $backup_file ) {
- $retval=0;
- if ( $complain == 1 ) {
- &B_log("ERROR","Failed trying to backup $file -- the copy was not created.\n");
- }
- }
-
- return $retval;
-}
-
-
-###########################################################################
-# &B_read_sums reads in the sum.csv file which contains information
-# about Bastille modified files. The file structure is as follows:
-#
-# filename,filesize,cksum
-#
-# It reads the information into the GLOBAL_SUM hash i.e.
-# $GLOBAL_SUM{$file}{sum} = $cksum
-# $GLOBAL_SUM{$file}{filesize} = $size
-# For the first run of Bastille on a given system this subroutine
-# is a no-op, and returns "undefined."
-###########################################################################
-
-sub B_read_sums {
-
- my $sumFile = &getGlobal('BFILE',"sum.csv");
-
- if ( -e $sumFile ) {
-
- open( SUM, "< $sumFile") or &B_log("ERROR","Unable to open $sumFile for read.\n$!\n");
-
- while( my $line = <SUM> ) {
- chomp $line;
- my ($file,$filesize,$sum,$flag) = split /,/, $line;
- if(-e $file) {
- $GLOBAL_SUM{"$file"}{filesize} = $filesize;
- $GLOBAL_SUM{"$file"}{sum} = $sum;
- }
- }
-
- close(SUM);
- } else {
- return undef;
- }
-}
-
-
-###########################################################################
-# &B_write_sums writes out the sum.csv file which contains information
-# about Bastille modified files. The file structure is as follows:
-#
-# filename,filesize,cksum
-#
-# It writes the information from the GLOBAL_SUM hash i.e.
-#
-# $file,$GLOBAL_SUM{$file}{sum},$GLOBAL_SUM{$file}{filesize}
-#
-# This subroutine requires access to the GLOBAL_SUM hash.
-###########################################################################
-
-sub B_write_sums {
-
- my $sumFile = &getGlobal('BFILE',"sum.csv");
-
- if ( %GLOBAL_SUM ) {
-
- open( SUM, "> $sumFile") or &B_log("ERROR","Unable to open $sumFile for write.\n$!\n");
-
- for my $file (sort keys %GLOBAL_SUM) {
- if( -e $file) {
- print SUM "$file,$GLOBAL_SUM{\"$file\"}{filesize},$GLOBAL_SUM{\"$file\"}{sum}\n";
- }
- }
-
- close(SUM);
- }
-
-}
-
-
-###########################################################################
-# &B_check_sum($file) compares the stored cksum and filesize of the given
-# file compared to the current cksum and filesize respectively.
-# This subroutine also keeps the state of the sum check by setting the
-# checked flag which tells the subroutine that on this run this file
-# has already been checked.
-#
-# $GLOBAL_SUM{$file}{checked} = 1;
-#
-# This subroutine requires access to the GLOBAL_SUM hash.
-#
-# Returns 1 if sum checks out and 0 if not
-###########################################################################
-
-sub B_check_sum($) {
- my $file = $_[0];
- my $cksum = &getGlobal('BIN',"cksum");
-
- if (not(%GLOBAL_SUM)) {
- &B_read_sums;
- }
-
- if(-e $file) {
- my ($sum,$size,$ckfile) = split(/\s+/, `$cksum $file`);
- my $commandRetVal = ($? >> 8); # find the command's return value
-
- if($commandRetVal != 0) {
- &B_log("ERROR","$cksum reported the following error:\n$!\n");
- return 0;
- } else {
- if ( exists $GLOBAL_SUM{$file} ) {
- # if the file size or file sum differ from those recorded.
- if (( $GLOBAL_SUM{$file}{filesize} == $size) and
- ($GLOBAL_SUM{$file}{sum} == $sum )) {
- return 1; #True, since saved state matches up, all is well.
- } else {
- return 0; #False, since saved state doesn't match
- }
- } else {
- &B_log("ERROR","File: $file does not exist in sums database.");
- return 0;
- }
- }
- } else {
- &B_log("ERROR","The file: $file does not exist for comparison in B_check_sum.");
- return 0;
- }
-}
-
-# Don't think we need this anymore as function now check_sums returns
-# results directly
-#sub isSumDifferent($) {
-# my $file = $_[0];
-# if(exists $GLOBAL_SUM{$file}) {
-# return $GLOBAL_SUM{$file}{flag}
-# }
-#}
-
-sub listModifiedFiles {
- my @listModifiedFiles=sort keys %GLOBAL_SUM;
- return @listModifiedFiles;
-}
-
-###########################################################################
-# &B_isFileinSumDB($file) checks to see if a given file's sum was saved.
-#
-# $GLOBAL_SUM{$file}{filesize} = $size;
-# $GLOBAL_SUM{$file}{sum} = $cksum;
-#
-# This subroutine requires access to the GLOBAL_SUM hash.
-###########################################################################
-
-sub B_isFileinSumDB($) {
- my $file = $_[0];
-
- if (not(%GLOBAL_SUM)) {
- &B_log("DEBUG","Reading in DB from B_isFileinSumDB");
- &B_read_sums;
- }
- if (exists($GLOBAL_SUM{"$file"})){
- &B_log("DEBUG","$file is in sum database");
- return 1; #true
- } else {
- &B_log("DEBUG","$file is not in sum database");
- return 0; #false
- }
-}
-
-###########################################################################
-# &B_set_sum($file) sets the current cksum and filesize of the given
-# file into the GLOBAL_SUM hash.
-#
-# $GLOBAL_SUM{$file}{filesize} = $size;
-# $GLOBAL_SUM{$file}{sum} = $cksum;
-#
-# This subroutine requires access to the GLOBAL_SUM hash.
-###########################################################################
-
-sub B_set_sum($) {
-
- my $file = $_[0];
- my $cksum = &getGlobal('BIN',"cksum");
- if( -e $file) {
-
- my ($sum,$size,$ckfile) = split(/\s+/, `$cksum $file`);
- my $commandRetVal = ($? >> 8); # find the command's return value
-
- if($commandRetVal != 0) {
-
- &B_log("ERROR","$cksum reported the following error:\n$!\n");
-
- }
- else {
-
- # new file size and sum are added to the hash
- $GLOBAL_SUM{$file}{filesize} = $size;
- $GLOBAL_SUM{$file}{sum} = $sum;
- &B_write_sums;
-
- }
- } else {
- &B_log("ERROR","Can not save chksum for file: $file since it does not exist");
- }
-}
-
-
-###########################################################################
-#
-# &B_delete_file ($file) deletes the file $file and makes a backup to
-# the backup directory.
-#
-##########################################################################
-
-
-sub B_delete_file($) { #Currently Linux only (TMPDIR)
- #consideration: should create clear_sum routine if this is ever used to remove
- # A Bastille-generated file.
-
- #
- # This API routine deletes the named file, backing it up first to the
- # backup directory.
- #
-
- my $filename=shift @_;
- my $retval=1;
-
- # We have to append the prefix ourselves since we don't use B_open_plus
-
- my $original_filename=$filename;
-
- &B_log("ACTION","Deleting (and backing-up) file $original_filename\n");
- &B_log("ACTION","rm $original_filename\n");
-
- unless ($filename) {
- &B_log("ERROR","B_delete_file called with no arguments!\n");
- }
-
- unless ($GLOBAL_LOGONLY) {
- if ( B_backup_file($original_filename) ) {
- unless ( unlink $filename ) {
- &B_log("ERROR","Couldn't unlink file $original_filename");
- $retval=0;
- }
- }
- else {
- $retval=0;
- &B_log("ERROR","B_delete_file did not delete $original_filename since it could not back it up\n");
- }
- }
-
- $retval;
-
-}
-
-
-###########################################################################
-# &B_create_file ($file) creates the file $file, if it doesn't already
-# exist.
-# It will set a default mode of 0700 and a default uid/gid or 0/0.
-#
-# &B_create_file, to support Bastille's revert functionality, writes an
-# rm $file command to the end of the file &getGlobal('BFILE', "created-files").
-#
-##########################################################################
-
-
-sub B_create_file($) {
-
- my $file = $_[0];
- my $retval=1;
-
- # We have to create the file ourselves since we don't use B_open_plus
-
- my $original_file = $file;
-
- if ($file eq ""){
- &B_log("ERROR","Internal Error, attempt made to create blank filename");
- return 0; #False
- }
-
- unless ( -e $file ) {
-
- unless ($GLOBAL_LOGONLY) {
-
- # find the directory in which the file is to reside.
- my $dirName = dirname($file);
- # if the directory does not exist then
- if(! -d $dirName) {
- # create it.
- mkpath ($dirName,0,0700);
- }
-
- $retval=open CREATE_FILE,">$file";
-
- if ($retval) {
- close CREATE_FILE;
- chmod 0700,$file;
- # Make the revert functionality
- &B_revert_log( &getGlobal('BIN','rm') . " $original_file \n");
- } else {
- &B_log("ERROR","Couldn't create file $original_file even though " .
- "it didn't already exist!\n");
- }
- }
- &B_log("ACTION","Created file $original_file\n");
- } else {
- &B_log("DEBUG","Didn't create file $original_file since it already existed.\n");
- $retval=0;
- }
-
- $retval;
-}
-
-
-###########################################################################
-# &B_create_dir ($dir) creates the directory $dir, if it doesn't already
-# exist.
-# It will set a default mode of 0700 and a default uid/gid or 0/0.
-#
-##########################################################################
-
-
-sub B_create_dir($) {
-
- my $dir = $_[0];
- my $retval=1;
-
- # We have to append the prefix ourselves since we don't use B_open_plus
-
- my $original_dir=$dir;
-
- unless ( -d $dir ) {
- unless ($GLOBAL_LOGONLY) {
- $retval=mkdir $dir,0700;
-
- if ($retval) {
- # Make the revert functionality
- &B_revert_log (&getGlobal('BIN','rmdir') . " $original_dir\n");
- }
- else {
- &B_log("ERROR","Couldn't create dir $original_dir even though it didn't already exist!");
- }
-
- }
- &B_log("ACTION","Created directory $original_dir\n");
- }
- else {
- &B_log("ACTION","Didn't create directory $original_dir since it already existed.\n");
- $retval=0;
- }
-
- $retval;
-}
-
-
-
-###########################################################################
-# &B_symlink ($original_file,$new_symlink) creates a symbolic link from
-# $original_file to $new_symlink.
-#
-# &B_symlink respects $GLOBAL_LOGONLY. It supports
-# the revert functionality that you've come to know and love by adding every
-# symbolic link it creates to &getGlobal('BFILE', "created-symlinks"), currently set to:
-#
-# /root/Bastille/revert/revert-created-symlinks
-#
-# The revert script, if it works like I think it should, will run this file,
-# which should be a script or rm's...
-#
-##########################################################################
-
-sub B_symlink($$) {
- my ($source_file,$new_symlink)=@_;
- my $retval=1;
- my $original_source = $source_file;
- my $original_symlink = $new_symlink;
-
- unless ($GLOBAL_LOGONLY) {
- $retval=symlink $source_file,$new_symlink;
- if ($retval) {
- &B_revert_log (&getGlobal('BIN',"rm") . " $original_symlink\n");
- }
- }
-
- &B_log("ACTION", "Created a symbolic link called $original_symlink from $original_source\n");
- &B_log("ACTION", "symlink \"$original_source\",\"$original_symlink\";\n");
- unless ($retval) {
- &B_log("ERROR","Couldn't symlink $original_symlink -> $original_source\n");
- }
-
- $retval;
-
-}
-
-
-sub B_cp($$) {
-
- my ($source,$target)=@_;
- my $retval=0;
-
- my $had_to_backup_target=0;
-
- use File::Copy;
-
- my $original_source=$source;
- my $original_target=$target;
-
- if( -e $target and -f $target ) {
- &B_backup_file($original_target);
- &B_log("ACTION","About to copy $original_source to $original_target -- had to backup target\n");
- $had_to_backup_target=1;
- }
-
- $retval=copy($source,$target);
- if ($retval) {
- &B_log("ACTION","cp $original_source $original_target\n");
-
- #
- # We want to add a line to the &getGlobal('BFILE', "created-files") so that the
- # file we just put at $original_target gets deleted.
- #
- &B_revert_log(&getGlobal('BIN',"rm") . " $original_target\n");
- } else {
- &B_log("ERROR","Failed to copy $original_source to $original_target\n");
- }
- # We add the file to the GLOBAL_SUMS hash if it is not already present
- &B_set_sum($target);
- $retval;
-}
-
-
-
-############################################################################
-# &B_place puts a file in place, using Perl's File::cp. This file is taken
-# from &getGlobal('BDIR', "share") and is used to place a file that came with
-# Bastille.
-#
-# This should be DEPRECATED in favor of &B_cp, since the only reason it exists
-# is because of GLOBAL_PREFIX, which has been broken for quite some time.
-# Otherwise, the two routines are identical.
-#
-# It respects $GLOBAL_LOGONLY.
-# If $target is an already-existing file, it is backed up.
-#
-# revert either appends another "rm $target" to &getGlobal('BFILE', "revert-actions") or
-# backs up the file that _was_ there into the &getGlobal('BDIR', "backup"),
-# appending a "mv" to revert-actions to put it back.
-#
-############################################################################
-
-sub B_place { # Only Linux references left (Firewall / TMPDIR)
-
- my ($source,$target)=@_;
- my $retval=0;
-
- my $had_to_backup_target=0;
-
- use File::Copy;
-
- my $original_source=$source;
- $source = &getGlobal('BDIR', "share") . $source;
- my $original_target=$target;
-
- if ( -e $target and -f $target ) {
- &B_backup_file($original_target);
- &B_log("ACTION","About to copy $original_source to $original_target -- had to backup target\n");
- $had_to_backup_target=1;
- }
- $retval=copy($source,$target);
- if ($retval) {
- &B_log("ACTION","placed file $original_source as $original_target\n");
- #
- # We want to add a line to the &getGlobal('BFILE', "created-files") so that the
- # file we just put at $original_target gets deleted.
- &B_revert_log(&getGlobal('BIN',"rm") . " $original_target\n");
- } else {
- &B_log("ERROR","Failed to place $original_source as $original_target\n");
- }
-
- # We add the file to the GLOBAL_SUMS hash if it is not already present
- &B_set_sum($target);
-
- $retval;
-}
-
-
-
-
-
-#############################################################################
-#############################################################################
-#############################################################################
-
-###########################################################################
-# &B_mknod ($file) creates the node $file, if it doesn't already
-# exist. It uses the prefix and suffix, like this:
-#
-# mknod $prefix $file $suffix
-#
-# This is just a wrapper to the mknod program, which tries to introduce
-# revert functionality, by writing rm $file to the end of the
-# file &getGlobal('BFILE', "created-files").
-#
-##########################################################################
-
-
-sub B_mknod($$$) {
-
- my ($prefix,$file,$suffix) = @_;
- my $retval=1;
-
- # We have to create the filename ourselves since we don't use B_open_plus
-
- my $original_file = $file;
-
- unless ( -e $file ) {
- my $command = &getGlobal("BIN","mknod") . " $prefix $file $suffix";
-
- if ( system($command) == 0) {
- # Since system will return 0 on success, invert the error code
- $retval=1;
- }
- else {
- $retval=0;
- }
-
- if ($retval) {
-
- # Make the revert functionality
- &B_revert_log(&getGlobal('BIN',"rm") . " $original_file\n");
- } else {
- &B_log("ERROR","Couldn't mknod $prefix $original_file $suffix even though it didn't already exist!\n");
- }
-
-
- &B_log("ACTION","mknod $prefix $original_file $suffix\n");
- }
- else {
- &B_log("ACTION","Didn't mknod $prefix $original_file $suffix since $original_file already existed.\n");
- $retval=0;
- }
-
- $retval;
-}
-
-###########################################################################
-# &B_revert_log("reverse_command") prepends a command to a shell script. This
-# shell script is intended to be run by bastille -r to reverse the changes that
-# Bastille made, returning the files which Bastille changed to their original
-# state.
-###########################################################################
-
-sub B_revert_log($) {
-
- my $revert_command = $_[0];
- my $revert_actions = &getGlobal('BFILE', "revert-actions");
- my $revertdir= &getGlobal('BDIR', "revert");
- my @lines;
-
-
- if (! (-e $revert_actions)) {
- mkpath($revertdir); #if this doesn't work next line catches
- if (open REVERT_ACTIONS,">" . $revert_actions){ # create revert file
- close REVERT_ACTIONS; # chown to root, rwx------
- chmod 0700,$revert_actions;
- chown 0,0,$revert_actions;
- }
- else {
- &B_log("FATAL","Can not create revert-actions file: $revert_actions.\n" .
- " Unable to add the following command to the revert\n" .
- " actions script: $revert_command\n");
- }
-
- }
-
- &B_open_plus (*REVERT_NEW, *REVERT_OLD, $revert_actions);
-
- while (my $line=<REVERT_OLD>) { #copy file into @lines
- push (@lines,$line);
- }
- print REVERT_NEW $revert_command . "\n"; #make the revert command first in the new file
- while (my $line = shift @lines) { #write the rest of the lines of the file
- print REVERT_NEW $line;
- }
- close REVERT_OLD;
- close REVERT_NEW;
- if (rename "${revert_actions}.bastille", $revert_actions) { #replace the old file with the new file we
- chmod 0700,$revert_actions; # just made / mirrors B_close_plus logic
- chown 0,0,$revert_actions;
- } else {
- &B_log("ERROR","B_revert_log: not able to move ${revert_actions}.bastille to ${revert_actions}!!! $!) !!!\n");
- }
-}
-
-
-###########################################################################
-# &getGlobalConfig($$)
-#
-# returns the requested GLOBAL_CONFIG hash value, ignoring the error
-# if the value does not exist (because every module uses this to find
-# out if the question was answered "Y")
-###########################################################################
-sub getGlobalConfig ($$) {
- my $module = $_[0];
- my $key = $_[1];
- if (exists $GLOBAL_CONFIG{$module}{$key}) {
- my $answer=$GLOBAL_CONFIG{$module}{$key};
- &B_log("ACTION","Answer to question $module.$key is \"$answer\".\n");
- return $answer;
- } else {
- &B_log("ACTION","Answer to question $module.$key is undefined.");
- return undef;
- }
-}
-
-###########################################################################
-# &getGlobal($$)
-#
-# returns the requested GLOBAL_* hash value, and logs an error
-# if the variable does not exist.
-###########################################################################
-sub getGlobal ($$) {
- my $type = uc($_[0]);
- my $key = $_[1];
-
- # define a mapping from the first argument to the proper hash
- my %map = ("BIN" => \%GLOBAL_BIN,
- "FILE" => \%GLOBAL_FILE,
- "BFILE" => \%GLOBAL_BFILE,
- "DIR" => \%GLOBAL_DIR,
- "BDIR" => \%GLOBAL_BDIR,
- "ERROR" => \%GLOBAL_ERROR,
- "SERVICE" => \%GLOBAL_SERVICE,
- "SERVTYPE" => \%GLOBAL_SERVTYPE,
- "PROCESS" => \%GLOBAL_PROCESS,
- "RCCONFIG" => \%GLOBAL_RC_CONFIG
- );
-
- # check to see if the desired key is in the desired hash
- if (exists $map{$type}->{$key}) {
- # get the value from the right hash with the key
- return $map{$type}->{$key};
- } else {
- # i.e. Bastille tried to use $GLOBAL_BIN{'cp'} but it does not exist.
- # Note that we can't use B_log, since it uses getGlobal ... recursive before
- # configureForDistro is run.
- print STDERR "ERROR: Bastille tried to use \$GLOBAL_${type}\{\'$key\'} but it does not exist.\n";
- return undef;
- }
-}
-
-###########################################################################
-# &getGlobal($$)
-#
-# sets the requested GLOBAL_* hash value
-###########################################################################
-sub setGlobal ($$$) {
- my $type = uc($_[0]);
- my $key = $_[1];
- my $input_value = $_[2];
-
- # define a mapping from the first argument to the proper hash
- my %map = ("BIN" => \%GLOBAL_BIN,
- "FILE" => \%GLOBAL_FILE,
- "BFILE" => \%GLOBAL_BFILE,
- "DIR" => \%GLOBAL_DIR,
- "BDIR" => \%GLOBAL_BDIR,
- "ERROR" => \%GLOBAL_ERROR,
- "SERVICE" => \%GLOBAL_SERVICE,
- "SERVTYPE" => \%GLOBAL_SERVTYPE,
- "PROCESS" => \%GLOBAL_PROCESS,
- );
-
- if ($map{$type}->{$key} = $input_value) {
- return 1;
- } else {
- &B_log('ERROR','Internal Error, Unable to set global config value:' . $type . ", " .$key);
- return 0;
- }
-}
-
-
-###########################################################################
-# &showDisclaimer:
-# Print the disclaimer and wait for 2 minutes for acceptance
-# Do NOT do so if any of the following conditions hold
-# 1. the -n option was used
-# 2. the file ~/.bastille_disclaimer exists
-###########################################################################
-
-sub showDisclaimer($) {
-
- my $nodisclaim = $_[0];
- my $nodisclaim_file = &getGlobal('BFILE', "nodisclaimer");
- my $response;
- my $WAIT_TIME = 300; # we'll wait for 5 minutes
- my $developersAnd;
- my $developersOr;
- if ($GLOBAL_OS =~ "^HP-UX") {
- $developersAnd ="HP AND ITS";
- $developersOr ="HP OR ITS";
- }else{
- $developersAnd ="JAY BEALE, THE BASTILLE DEVELOPERS, AND THEIR";
- $developersOr ="JAY BEALE, THE BASTILLE DEVELOPERS, OR THEIR";
- }
- my $DISCLAIMER =
- "\n" .
- "Copyright (C) 1999-2006 Jay Beale\n" .
- "Copyright (C) 1999-2001 Peter Watkins\n" .
- "Copyright (C) 2000 Paul L. Allen\n" .
- "Copyright (C) 2001-2007 Hewlett-Packard Development Company, L.P.\n" .
- "Bastille is free software; you are welcome to redistribute it under\n" .
- "certain conditions. See the \'COPYING\' file in your distribution for terms.\n\n" .
- "DISCLAIMER. Use of Bastille can help optimize system security, but does not\n" .
- "guarantee system security. Information about security obtained through use of\n" .
- "Bastille is provided on an AS-IS basis only and is subject to change without\n" .
- "notice. Customer acknowledges they are responsible for their system\'s security.\n" .
- "TO THE EXTENT ALLOWED BY LOCAL LAW, Bastille (\"SOFTWARE\") IS PROVIDED TO YOU \n" .
- "\"AS IS\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN,\n" .
- "EXPRESS OR IMPLIED. $developersAnd SUPPLIERS\n" .
- "DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE \n" .
- "IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.\n" .
- "Some countries, states and provinces do not allow exclusions of implied\n" .
- "warranties or conditions, so the above exclusion may not apply to you. You may\n" .
- "have other rights that vary from country to country, state to state, or province\n" .
- "to province. EXCEPT TO THE EXTENT PROHIBITED BY LOCAL LAW, IN NO EVENT WILL\n" .
- "$developersOr SUBSIDIARIES, AFFILIATES OR\n" .
- "SUPPLIERS BE LIABLE FOR DIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR OTHER\n" .
- "DAMAGES (INCLUDING LOST PROFIT, LOST DATA, OR DOWNTIME COSTS), ARISING OUT OF\n" .
- "THE USE, INABILITY TO USE, OR THE RESULTS OF USE OF THE SOFTWARE, WHETHER BASED\n" .
- "IN WARRANTY, CONTRACT, TORT OR OTHER LEGAL THEORY, AND WHETHER OR NOT ADVISED\n" .
- "OF THE POSSIBILITY OF SUCH DAMAGES. Your use of the Software is entirely at your\n" .
- "own risk. Should the Software prove defective, you assume the entire cost of all\n" .
- "service, repair or correction. Some countries, states and provinces do not allow\n" .
- "the exclusion or limitation of liability for incidental or consequential \n" .
- "damages, so the above limitation may not apply to you. This notice will only \n".
- "display on the first run on a given system.\n".
- "To suppress the disclaimer on other machines, use Bastille\'s -n flag (example: bastille -n).\n";
-
-
-# If the user has specified not to show the disclaimer, or
-# the .bastille_disclaimer file already exists, then return
- if( ( $nodisclaim ) || -e $nodisclaim_file ) { return 1; }
-
-# otherwise, show the disclaimer
- print ($DISCLAIMER);
-
-# there is a response
- my $touch = &getGlobal('BIN', "touch");
- my $retVal = system("$touch $nodisclaim_file");
- if( $retVal != 0 ) {
- &ErrorLog ( &getGlobal('ERROR','disclaimer'));
- }
-} # showDisclaimer
-
-
-
-
-################################################################
-# &systemCall
-#Function used by exported methods B_Backtick and B_system
-#to handle the mechanics of system calls.
-# This function also manages error handling.
-# Input: a system call
-# Output: a list containing the status, sstdout and stderr
-# of the the system call
-#
-################################################################
-sub systemCall ($){
- no strict;
- local $command=$_[0]; # changed scoping so eval below can read it
-
- local $SIG{'ALRM'} = sub { die "timeout" }; # This subroutine exits the "eval" below. The program
- # can then move on to the next operation. Used "local"
- # to avoid name space collision with disclaim alarm.
- local $WAIT_TIME=120; # Wait X seconds for system commands
- local $commandOutput = '';
- my $errOutput = '';
- eval{
- $errorFile = &getGlobal('BFILE','stderrfile');
- unlink($errorFile); #To make sure we don't mix output
- alarm($WAIT_TIME); # start a time-out for command to complete. Some commands hang, and we want to
- # fail gracefully. When we call "die" it exits this eval statement
- # with a value we use below
- $commandOutput = `$command 2> $errorFile`; # run the command and gather its output
- my $commandRetVal = ($? >> 8); # find the commands return value
- if ($commandRetVal == 0) {
- &B_log("ACTION","Executed Command: " . $command . "\n");
- &B_log("ACTION","Command Output: " . $commandOutput . "\n");
- die "success";
- } else {
- die "failure";
- };
- };
-
- my $exitcode=$@;
- alarm(0); # End of the timed operation
-
- my $cat = &getGlobal("BIN","cat");
- if ( -e $errorFile ) {
- $errOutput = `$cat $errorFile`;
- }
-
- if ($exitcode) { # The eval command above will exit with one of the 3 values below
- if ($exitcode =~ /timeout/) {
- &B_log("WARNING","No response received from $command after $WAIT_TIME seconds.\n" .
- "Command Output: " . $commandOutput . "\n");
- return (0,'','');
- } elsif ($exitcode =~ /success/) {
- return (1,$commandOutput,$errOutput);
- } elsif ($exitcode =~ /failure/) {
- return (0,$commandOutput,$errOutput);
- } else {
- &B_log("FATAL","Unexpected return state from command execution: $command\n" .
- "Command Output: " . $commandOutput . "\n");
- }
- }
-}
-
-#############################################
-# Use this **only** for commands used that are
-# intended to test system state and
-# not make any system change. Use this in place of the
-# prior use of "backticks throughout Bastille
-# Handles basic output redirection, but not for stdin
-# Input: Command
-# Output: Results
-#############################################
-
-sub B_Backtick($) {
- my $command=$_[0];
- my $combineOutput=0;
- my $stdoutRedir = "";
- my $stderrRedir = "";
- my $echo = &getGlobal('BIN','echo');
-
- if (($command =~ s/2>&1//) or
- (s/>&2//)){
- $combineOutput=1;
- }
- if ($command =~ s/>\s*([^>\s])+// ) {
- $stdoutRedir = $1;
- }
- if ($command =~ s/2>\s*([^>\s])+// ) {
- $stderrRedir = $1;
- }
-
- my ($ranFine, $stdout, $stderr) = &systemCall($command);
- if ($ranFine) {
- &B_log("DEBUG","Command: $command succeeded for test with output: $stdout , ".
- "and stderr: $stderr");
- } else {
- &B_log("DEBUG","Command: $command failed for test with output: $stdout , ".
- "and stderr: $stderr");
- }
- if ($combineOutput) {
- $stdout .= $stderr;
- $stderr = $stdout; #these should be the same
- }
- if ($stdoutRedir ne "") {
- system("$echo \'$stdout\' > $stdoutRedir");
- }
- if ($stderrRedir ne "") {
- system("$echo \'$stderr\' > $stderrRedir");
- }
- return $stdout;
-}
-
-####################################################################
-# &B_System($command,$revertcommand);
-# This function executes a command, then places the associated
-# revert command in revert file. It takes two parameters, the
-# command and the command that reverts that command.
-#
-# uses ActionLog and ErrorLog for logging purposes.
-###################################################################
-sub B_System ($$) {
- my ($command,$revertcmd)=@_;
-
- my ($ranFine, $stdout, $stderr) = &systemCall($command);
- if ($ranFine) {
- &B_revert_log ("$revertcmd \n");
- if ($stderr ne '' ) {
- &B_log("ACTION",$command . "suceeded with STDERR: " .
- $stderr . "\n");
- }
- return 1;
- } else {
- my $warningString = "Command Failed: " . $command . "\n" .
- "Command Output: " . $stdout . "\n";
- if ($stderr ne '') {
- $warningString .= "Error message: " . $stderr;
- }
- &B_log("WARNING", $warningString);
- return 0;
- }
-}
-
-
-###########################################################################
-# &isProcessRunning($procPattern);
-#
-# If called in scalar context this subroutine will return a 1 if the
-# pattern specified can be matched against the process table. It will
-# return a 0 otherwise.
-# If called in the list context this subroutine will return the list
-# of processes which matched the pattern supplied
-#
-# scalar return values:
-# 0: pattern not in process table
-# 1: pattern is in process table
-#
-# list return values:
-# proc lines from the process table if they are found
-###########################################################################
-sub isProcessRunning($) {
-
- my $procPattern= $_[0];
- my $ps = &getGlobal('BIN',"ps");
-
- my $isRunning=0;
- # process table.
- my @psTable = `$ps -elf`;
- # list of processes that match the $procPattern
- my @procList;
- foreach my $process (@psTable) {
- if($process =~ $procPattern) {
- $isRunning = 1;
- push @procList, $process . "\n";
- }
- }
-
- &B_log("DEBUG","$procPattern search yielded $isRunning\n\n");
- # if this subroutine was called in scalar context
- if( ! wantarray ) {
- return $isRunning;
- }
-
- return @procList;
-}
-
-
-###########################################################################
-# &checkProcsForService($service);
-#
-# Checks if the given service is running by analyzing the process table.
-# This is a helper function to checkServiceOnLinux and checkServiceOnHP
-#
-# Return values:
-# SECURE_CANT_CHANGE() if the service is off
-# INCONSISTENT() if the state of the service cannot be determined
-#
-# Mostly used in "check service" direct-return context, but added option use.
-# to ignore warning if a check for a service ... where a found service doesn't
-# have direct security problems.
-#
-###########################################################################
-sub checkProcsForService ($;$) {
- my $service=$_[0];
- my $ignore_warning=$_[1];
-
- my @psnames=@{ &getGlobal('PROCESS',$service)};
-
- my @processes;
- # inetd services don't have a separate process
- foreach my $psname (@psnames) {
- my @procList = &isProcessRunning($psname);
- if(@procList >= 0){
- splice @processes,$#processes+1,0,@procList;
- }
- }
-
- if($#processes >= 0){
- if ((defined($ignore_warning)) and ($ignore_warning eq "ignore_warning")) {
- &B_log("WARNING","The following processes were still running even though " .
- "the corresponding service appears to be turned off. Bastille " .
- "question and action will be skipped.\n\n" .
- "@processes\n\n");
- # processes were still running, service is not off, but we don't know how
- # to configure it so we skip the question
- return INCONSISTENT();
- } else {
- return NOTSECURE_CAN_CHANGE(); # In the case we're ignoring the warning,
- # ie: checking to make *sure* a process
- # is running, the answer isn't inconsistent
- }
- } else {
- &B_log("DEBUG","$service is off. Found no processes running on the system.");
- # no processes, so service is off
- return SECURE_CANT_CHANGE();
- }
- # Can't determine the state of the service by looking at the processes,
- # so return INCONSISTENT().
- return INCONSISTENT();
-}
-
-###########################################################################
-# B_parse_fstab()
-#
-# Search the filesystem table for a specific mount point.
-#
-# scalar return value:
-# The line form the table that matched the mount point, or the null string
-# if no match was found.
-#
-# list return value:
-# A list of parsed values from the line of the table that matched, with
-# element [3] containing a reference to a hash of the mount options. The
-# keys are: acl, dev, exec, rw, suid, sync, or user. The value of each key
-# can be either 0 or 1. To access the hash, use code similar to this:
-# %HashResult = %{(&B_parse_fstab($MountPoint))[3]};
-#
-###########################################################################
-
-sub B_parse_fstab($)
-{
- my $name = shift;
- my $file = &getGlobal('FILE','fstab');
- my ($enable, $disable, $infile);
- my @lineopt;
- my $retline = "";
- my @retlist = ();
-
- unless (open FH, $file) {
- &B_log('ERROR',"B_parse_fstab couldn't open fstab file at path $file.\n");
- return 0;
- }
- while (<FH>) {
- s/\#.*//;
- next unless /\S/;
- @retlist = split;
- next unless $retlist[1] eq $name;
- $retline .= $_;
- if (wantarray) {
- my $option = { # initialize to defaults
- acl => 0, # for ext2, etx3, reiserfs
- dev => 1,
- exec => 1,
- rw => 1,
- suid => 1,
- sync => 0,
- user => 0,
- };
-
- my @lineopt = split(',',$retlist[3]);
- foreach my $entry (@lineopt) {
- if ($entry eq 'acl') {
- $option->{'acl'} = 1;
- }
- elsif ($entry eq 'nodev') {
- $option->{'dev'} = 0;
- }
- elsif ($entry eq 'noexec') {
- $option->{'exec'} = 0;
- }
- elsif ($entry eq 'ro') {
- $option->{'rw'} = 0;
- }
- elsif ($entry eq 'nosuid') {
- $option->{'suid'} = 0;
- }
- elsif ($entry eq 'sync') {
- $option->{'sync'} = 1;
- }
- elsif ($entry eq 'user') {
- $option->{'user'} = 1;
- }
- }
- $retlist[3]= $option;
- }
- last;
- }
-
- if (wantarray)
- {
- return @retlist;
- }
- else
- {
- return $retline;
- }
-
-}
-
-
-###########################################################################
-# B_parse_mtab()
-#
-# This routine returns a hash of devices and their mount points from mtab,
-# simply so you can get a list of mounted filesystems.
-#
-###########################################################################
-
-sub B_parse_mtab
-{
- my $mountpoints;
- open(MTAB,&getGlobal('FILE','mtab'));
- while(my $mtab_line = <MTAB>) {
- #test if it's a device
- if ($mtab_line =~ /^\//)
- {
- #parse out device and mount point
- $mtab_line =~ /^(\S+)\s+(\S+)/;
- $mountpoints->{$1} = $2;
- }
- }
- return $mountpoints;
-}
-
-
-###########################################################################
-# B_is_rpm_up_to_date()
-#
-#
-###########################################################################
-
-sub B_is_rpm_up_to_date(@)
-{
- my($nameB,$verB,$relB,$epochB) = @_;
- my $installedpkg = $nameB;
-
- if ($epochB =~ /(none)/) {
- $epochB = 0;
- }
-
- my $rpmA = `rpm -q --qf '%{VERSION}-%{RELEASE}-%{EPOCH}\n' $installedpkg`;
- my $nameA = $nameB;
- my ($verA,$relA,$epochA);
-
- my $retval;
-
- # First, if the RPM isn't installed, let's handle that.
- if ($rpmA =~ /is not installed/) {
- $retval = -1;
- return $retval;
- }
- else {
- # Next, let's try to parse the EVR information without as few
- # calls as possible to rpm.
- if ($rpmA =~ /([^-]+)-([^-]+)-([^-]+)$/) {
- $verA = $1;
- $relA = $2;
- $epochA = $3;
- }
- else {
- $nameA = `rpm -q --qf '%{NAME}' $installedpkg`;
- $verA = `rpm -q --qf '%{VERSION}' $installedpkg`;
- $relA = `rpm -q --qf '%{RELEASE}' $installedpkg`;
- $epochA = `rpm -q --qf '%{EPOCH}' $installedpkg`;
- }
- }
-
- # Parse "none" as 0.
- if ($epochA =~ /(none)/) {
- $epochA = 0;
- }
-
- # Handle the case where only one of them is zero.
- if ($epochA == 0 xor $epochB == 0)
- {
- if ($epochA != 0)
- {
- $retval = 1;
- }
- else
- {
- $retval = 0;
- }
- }
- else
- {
- # ...otherwise they are either both 0 or both non-zero and
- # so the situation isn't trivial.
-
- # Check epoch first - highest epoch wins.
- my $rpmcmp = &cmp_vers_part($epochA, $epochB);
- #print "epoch rpmcmp is $rpmcmp\n";
- if ($rpmcmp > 0)
- {
- $retval = 1;
- }
- elsif ($rpmcmp < 0)
- {
- $retval = 0;
- }
- else
- {
- # Epochs were the same. Check Version now.
- $rpmcmp = &cmp_vers_part($verA, $verB);
- #print "epoch rpmcmp is $rpmcmp\n";
- if ($rpmcmp > 0)
- {
- $retval = 1;
- }
- elsif ($rpmcmp < 0)
- {
- $retval = 0;
- }
- else
- {
- # Versions were the same. Check Release now.
- my $rpmcmp = &cmp_vers_part($relA, $relB);
- #print "epoch rpmcmp is $rpmcmp\n";
- if ($rpmcmp >= 0)
- {
- $retval = 1;
- }
- elsif ($rpmcmp < 0)
- {
- $retval = 0;
- }
- }
- }
- }
- return $retval;
-}
-
-#################################################
-# Helper function for B_is_rpm_up_to_date()
-#################################################
-
-#This cmp_vers_part function taken from Kirk Bauer's Autorpm.
-# This version comparison code was sent in by Robert Mitchell and, although
-# not yet perfect, is better than the original one I had. He took the code
-# from freshrpms and did some mods to it. Further mods by Simon Liddington
-# <sjl96v@ecs.soton.ac.uk>.
-#
-# Splits string into minors on . and change from numeric to non-numeric
-# characters. Minors are compared from the beginning of the string. If the
-# minors are both numeric then they are numerically compared. If both minors
-# are non-numeric and a single character they are alphabetically compared, if
-# they are not a single character they are checked to be the same if the are not
-# the result is unknown (currently we say the first is newer so that we have
-# a choice to upgrade). If one minor is numeric and one non-numeric then the
-# numeric one is newer as it has a longer version string.
-# We also assume that (for example) .15 is equivalent to 0.15
-
-sub cmp_vers_part($$) {
- my($va, $vb) = @_;
- my(@va_dots, @vb_dots);
- my($a, $b);
- my($i);
-
- if ($vb !~ /^pre/ and $va =~ s/^pre(\d+.*)$/$1/) {
- if ($va eq $vb) { return -1; }
- } elsif ($va !~ /^pre/ and $vb =~ s/^pre(\d+.*)$/$1/) {
- if ($va eq $vb) { return 1; }
- }
-
- @va_dots = split(/\./, $va);
- @vb_dots = split(/\./, $vb);
-
- $a = shift(@va_dots);
- $b = shift(@vb_dots);
- # We also assume that (for example) .15 is equivalent to 0.15
- if ($a eq '' && $va ne '') { $a = "0"; }
- if ($b eq '' && $vb ne '') { $b = "0"; }
- while ((defined($a) && $a ne '') || (defined($b) && $b ne '')) {
- # compare each minor from left to right
- if ((not defined($a)) || ($a eq '')) { return -1; } # the longer version is newer
- if ((not defined($b)) || ($b eq '')) { return 1; }
- if ($a =~ /^\d+$/ && $b =~ /^\d+$/) {
- # I have changed this so that when the two strings are numeric, but one or both
- # of them start with a 0, then do a string compare - Kirk Bauer - 5/28/99
- if ($a =~ /^0/ or $b =~ /^0/) {
- # We better string-compare so that netscape-4.6 is newer than netscape-4.08
- if ($a ne $b) {return ($a cmp $b);}
- }
- # numeric compare
- if ($a != $b) { return $a <=> $b; }
- } elsif ($a =~ /^\D+$/ && $b =~ /^\D+$/) {
- # string compare
- if (length($a) == 1 && length($b) == 1) {
- # only minors with one letter seem to be useful for versioning
- if ($a ne $b) { return $a cmp $b; }
- } elsif (($a cmp $b) != 0) {
- # otherwise we should at least check they are the same and if not say unknown
- # say newer for now so at least we get choice whether to upgrade or not
- return -1;
- }
- } elsif ( ($a =~ /^\D+$/ && $b =~ /^\d+$/) || ($a =~ /^\d+$/ && $b =~ /^\D+$/) ) {
- # if we get a number in one and a word in another the one with a number
- # has a longer version string
- if ($a =~ /^\d+$/) { return 1; }
- if ($b =~ /^\d+$/) { return -1; }
- } else {
- # minor needs splitting
- $a =~ /\d+/ || $a =~ /\D+/;
- # split the $a minor into numbers and non-numbers
- my @va_bits = ($`, $&, $');
- $b =~ /\d+/ || $b =~ /\D+/;
- # split the $b minor into numbers and non-numbers
- my @vb_bits = ($`, $&, $');
- for ( my $j=2; $j >= 0; $j--) {
- if ($va_bits[$j] ne '') { unshift(@va_dots,$va_bits[$j]); }
- if ($vb_bits[$j] ne '') { unshift(@vb_dots,$vb_bits[$j]); }
- }
- }
- $a = shift(@va_dots);
- $b = shift(@vb_dots);
- }
- return 0;
-}
-
-1;
-
diff --git a/recipes-security/bastille/files/AccountPermission.pm b/recipes-security/bastille/files/AccountPermission.pm
deleted file mode 100644
index cfbaab1..0000000
--- a/recipes-security/bastille/files/AccountPermission.pm
+++ /dev/null
@@ -1,1060 +0,0 @@
-package Bastille::API::AccountPermission;
-use strict;
-
-use Bastille::API;
-
-use Bastille::API::HPSpecific;
-
-require Exporter;
-our @ISA = qw(Exporter);
-our @EXPORT_OK = qw(
-B_chmod
-B_chmod_if_exists
-B_chown
-B_chown_link
-B_chgrp
-B_chgrp_link
-B_userdel
-B_groupdel
-B_remove_user_from_group
-B_check_owner_group
-B_is_unowned_file
-B_is_ungrouped_file
-B_check_permissions
-B_permission_test
-B_find_homes
-B_is_executable
-B_is_suid
-B_is_sgid
-B_get_user_list
-B_get_group_list
-B_remove_suid
-);
-our @EXPORT = @EXPORT_OK;
-
-###########################################################################
-# &B_chmod ($mode, $file) sets the mode of $file to $mode. $mode must
-# be stored in octal, so if you want to give mode 700 to /etc/aliases,
-# you need to use:
-#
-# &B_chmod ( 0700 , "/etc/aliases");
-#
-# where the 0700 denotes "octal 7-0-0".
-#
-# &B_chmod ($mode_changes,$file) also respects the symbolic methods of
-# changing file permissions, which are often what question authors are
-# really seeking.
-#
-# &B_chmod ("u-s" , "/bin/mount")
-# or
-# &B_chmod ("go-rwx", "/bin/mount")
-#
-#
-# &B_chmod respects GLOBAL_LOGONLY and uses
-# &B_revert_log used to insert a shell command that will return
-# the permissions to the pre-Bastille state.
-#
-# B_chmod allow for globbing now, as of 1.2.0. JJB
-#
-##########################################################################
-
-
-sub B_chmod($$) {
- my ($new_perm,$file_expr)=@_;
- my $old_perm;
- my $old_perm_raw;
- my $new_perm_formatted;
- my $old_perm_formatted;
-
- my $retval=1;
-
- my $symbolic = 0;
- my ($chmod_noun,$add_remove,$capability) = ();
- # Handle symbolic possibilities too
- if ($new_perm =~ /([ugo]+)([+-]{1})([rwxst]+)/) {
- $symbolic = 1;
- $chmod_noun = $1;
- $add_remove = $2;
- $capability = $3;
- }
-
- my $file;
- my @files = glob ($file_expr);
-
- foreach $file (@files) {
-
- # Prepend global prefix, but save the original filename for B_backup_file
- my $original_file=$file;
-
- # Store the old permissions so that we can log them.
- unless (stat $file) {
- &B_log("ERROR","Couldn't stat $original_file from $old_perm to change permissions\n");
- next;
- }
-
- $old_perm_raw=(stat(_))[2];
- $old_perm= (($old_perm_raw/512) % 8) .
- (($old_perm_raw/64) % 8) .
- (($old_perm_raw/8) % 8) .
- ($old_perm_raw % 8);
-
- # If we've gone symbolic, calculate the new permissions in octal.
- if ($symbolic) {
- #
- # We calculate the new permissions by applying a bitmask to
- # the current permissions, by OR-ing (for +) or XOR-ing (for -).
- #
- # We create this mask by first calculating a perm_mask that forms
- # the right side of this, then multiplying it by 8 raised to the
- # appropriate power to affect the correct digit of the octal mask.
- # This means that we raise 8 to the power of 0,1,2, or 3, based on
- # the noun of "other","group","user", or "suid/sgid/sticky".
- #
- # Actually, we handle multiple nouns by summing powers of 8.
- #
- # The only tough part is that we have to handle suid/sgid/sticky
- # differently.
- #
-
- # We're going to calculate a mask to OR or XOR with the current
- # file mode. This mask is $mask. We calculate this by calculating
- # a sum of powers of 8, corresponding to user/group/other,
- # multiplied with a $premask. The $premask is simply the
- # corresponding bitwise expression of the rwx bits.
- #
- # To handle SUID, SGID or sticky in the simplest way possible, we
- # simply add their values to the $mask first.
-
- my $perm_mask = 00;
- my $mask = 00;
-
- # Check for SUID, SGID or sticky as these are exceptional.
- if ($capability =~ /s/) {
- if ($chmod_noun =~ /u/) {
- $mask += 04000;
- }
- if ($chmod_noun =~ /g/) {
- $mask += 02000;
- }
- }
- if ($capability =~ /t/) {
- $mask += 01000;
- }
-
- # Now handle the normal attributes
- if ($capability =~ /[rwx]/) {
- if ($capability =~ /r/) {
- $perm_mask |= 04;
- }
- if ($capability =~ /w/) {
- $perm_mask |= 02;
- }
- if ($capability =~ /x/) {
- $perm_mask |= 01;
- }
-
- # Now figure out which 3 bit octal digit we're affecting.
- my $power = 0;
- if ($chmod_noun =~ /u/) {
- $mask += $perm_mask * 64;
- }
- if ($chmod_noun =~ /g/) {
- $mask += $perm_mask * 8;
- }
- if ($chmod_noun =~ /o/) {
- $mask += $perm_mask * 1;
- }
- }
- # Now apply the mask to get the new permissions
- if ($add_remove eq '+') {
- $new_perm = $old_perm_raw | $mask;
- }
- elsif ($add_remove eq '-') {
- $new_perm = $old_perm_raw & ( ~($mask) );
- }
- }
-
- # formating for simple long octal output of the permissions in string form
- $new_perm_formatted=sprintf "%5lo",$new_perm;
- $old_perm_formatted=sprintf "%5lo",$old_perm_raw;
-
- &B_log("ACTION","change permissions on $original_file from $old_perm_formatted to $new_perm_formatted\n");
-
- &B_log("ACTION", "chmod $new_perm_formatted,\"$original_file\";\n");
-
- # Change the permissions on the file
-
- if ( -e $file ) {
- unless ($GLOBAL_LOGONLY) {
- $retval=chmod $new_perm,$file;
- if($retval){
- # if the distribution is HP-UX then the modifications should
- # also be made to the IPD (installed product database)
- if(&GetDistro =~ "^HP-UX"){
- &B_swmodify($file);
- }
- # making changes revert-able
- &B_revert_log(&getGlobal('BIN', "chmod") . " $old_perm $file\n");
- }
- }
- unless ($retval) {
- &B_log("ERROR","Couldn't change permissions on $original_file from $old_perm_formatted to $new_perm_formatted\n");
- $retval=0;
- }
- }
- else {
- &B_log("ERROR", "chmod: File $original_file doesn't exist!\n");
- $retval=0;
- }
- }
-
- $retval;
-
-}
-
-###########################################################################
-# &B_chmod_if_exists ($mode, $file) sets the mode of $file to $mode *if*
-# $file exists. $mode must be stored in octal, so if you want to give
-# mode 700 to /etc/aliases, you need to use:
-#
-# &B_chmod_if_exists ( 0700 , "/etc/aliases");
-#
-# where the 0700 denotes "octal 7-0-0".
-#
-# &B_chmod_if_exists respects GLOBAL_LOGONLY and uses
-# &B_revert_log to reset the permissions of the file.
-#
-# B_chmod_if_exists allow for globbing now, as of 1.2.0. JJB
-#
-##########################################################################
-
-
-sub B_chmod_if_exists($$) {
- my ($new_perm,$file_expr)=@_;
- # If $file_expr has a glob character, pass it on (B_chmod won't complain
- # about nonexistent files if given a glob pattern)
- if ( $file_expr =~ /[\*\[\{]/ ) { # } just to match open brace for vi
- &B_log("ACTION","Running chmod $new_perm $file_expr");
- return(&B_chmod($new_perm,$file_expr));
- }
- # otherwise, test for file existence
- if ( -e $file_expr ) {
- &B_log("ACTION","File exists, running chmod $new_perm $file_expr");
- return(&B_chmod($new_perm,$file_expr));
- }
-}
-
-###########################################################################
-# &B_chown ($uid, $file) sets the owner of $file to $uid, like this:
-#
-# &B_chown ( 0 , "/etc/aliases");
-#
-# &B_chown respects $GLOBAL_LOGONLY and uses
-# &B_revert_log to insert a shell command that will return
-# the file/directory owner to the pre-Bastille state.
-#
-# Unlike Perl, we've broken the chown function into B_chown/B_chgrp to
-# make error checking simpler.
-#
-# As of 1.2.0, this now supports file globbing. JJB
-#
-##########################################################################
-
-
-sub B_chown($$) {
- my ($newown,$file_expr)=@_;
- my $oldown;
- my $oldgown;
-
- my $retval=1;
-
- my $file;
- my @files = glob($file_expr);
-
- foreach $file (@files) {
-
- # Prepend prefix, but save original filename
- my $original_file=$file;
-
- $oldown=(stat $file)[4];
- $oldgown=(stat $file)[5];
-
- &B_log("ACTION","change ownership on $original_file from $oldown to $newown\n");
- &B_log("ACTION","chown $newown,$oldgown,\"$original_file\";\n");
- if ( -e $file ) {
- unless ($GLOBAL_LOGONLY) {
- # changing the files owner using perl chown function
- $retval = chown $newown,$oldgown,$file;
- if($retval){
- # if the distribution is HP-UX then the modifications should
- # also be made to the IPD (installed product database)
- if(&GetDistro =~ "^HP-UX"){
- &B_swmodify($file);
- }
- # making ownership change revert-able
- &B_revert_log(&getGlobal('BIN', "chown") . " $oldown $file\n");
- }
- }
- unless ($retval) {
- &B_log("ERROR","Couldn't change ownership to $newown on file $original_file\n");
- }
- }
- else {
- &B_log("ERROR","chown: File $original_file doesn't exist!\n");
- $retval=0;
- }
- }
-
- $retval;
-}
-
-###########################################################################
-# &B_chown_link just like &B_chown but one exception:
-# if the input file is a link it will not change the target's ownship, it only change the link itself's ownship
-###########################################################################
-sub B_chown_link($$){
- my ($newown,$file_expr)=@_;
- my $chown = &getGlobal("BIN","chown");
- my @files = glob($file_expr);
- my $retval = 1;
-
- foreach my $file (@files) {
- # Prepend prefix, but save original filename
- my $original_file=$file;
- my $oldown=(stat $file)[4];
- my $oldgown=(stat $file)[5];
-
- &B_log("ACTION","change ownership on $original_file from $oldown to $newown\n");
- &B_log("ACTION","chown -h $newown,\"$original_file\";\n");
- if ( -e $file ) {
- unless ($GLOBAL_LOGONLY) {
- `$chown -h $newown $file`;
- $retval = ($? >> 8);
- if($retval == 0 ){
- # if the distribution is HP-UX then the modifications should
- # also be made to the IPD (installed product database)
- if(&GetDistro =~ "^HP-UX"){
- &B_swmodify($file);
- }
- # making ownership change revert-able
- &B_revert_log("$chown -h $oldown $file\n");
- }
- }
- unless ( ! $retval) {
- &B_log("ERROR","Couldn't change ownership to $newown on file $original_file\n");
- }
- }
- else {
- &B_log("ERROR","chown: File $original_file doesn't exist!\n");
- $retval=0;
- }
- }
-}
-
-
-###########################################################################
-# &B_chgrp ($gid, $file) sets the group owner of $file to $gid, like this:
-#
-# &B_chgrp ( 0 , "/etc/aliases");
-#
-# &B_chgrp respects $GLOBAL_LOGONLY and uses
-# &B_revert_log to insert a shell command that will return
-# the file/directory group to the pre-Bastille state.
-#
-# Unlike Perl, we've broken the chown function into B_chown/B_chgrp to
-# make error checking simpler.
-#
-# As of 1.2.0, this now supports file globbing. JJB
-#
-##########################################################################
-
-
-sub B_chgrp($$) {
- my ($newgown,$file_expr)=@_;
- my $oldown;
- my $oldgown;
-
- my $retval=1;
-
- my $file;
- my @files = glob($file_expr);
-
- foreach $file (@files) {
-
- # Prepend global prefix, but save original filename for &B_backup_file
- my $original_file=$file;
-
- $oldown=(stat $file)[4];
- $oldgown=(stat $file)[5];
-
- &B_log("ACTION", "Change group ownership on $original_file from $oldgown to $newgown\n");
- &B_log("ACTION", "chown $oldown,$newgown,\"$original_file\";\n");
- if ( -e $file ) {
- unless ($GLOBAL_LOGONLY) {
- # changing the group for the file/directory
- $retval = chown $oldown,$newgown,$file;
- if($retval){
- # if the distribution is HP-UX then the modifications should
- # also be made to the IPD (installed product database)
- if(&GetDistro =~ "^HP-UX"){
- &B_swmodify($file);
- }
- &B_revert_log(&getGlobal('BIN', "chgrp") . " $oldgown $file\n");
- }
- }
- unless ($retval) {
- &B_log("ERROR","Couldn't change ownership to $newgown on file $original_file\n");
- }
- }
- else {
- &B_log("ERROR","chgrp: File $original_file doesn't exist!\n");
- $retval=0;
- }
- }
-
- $retval;
-}
-
-###########################################################################
-# &B_chgrp_link just like &B_chgrp but one exception:
-# if the input file is a link
-# it will not change the target's ownship, it only change the link itself's ownship
-###########################################################################
-sub B_chgrp_link($$) {
- my ($newgown,$file_expr)=@_;
- my $chgrp = &getGlobal("BIN","chgrp");
- my @files = glob($file_expr);
- my $retval=1;
-
- foreach my $file (@files) {
- # Prepend prefix, but save original filename
- my $original_file=$file;
- my $oldgown=(stat $file)[5];
-
- &B_log("ACTION","change group ownership on $original_file from $oldgown to $newgown\n");
- &B_log("ACTION","chgrp -h $newgown \"$original_file\";\n");
- if ( -e $file ) {
- unless ($GLOBAL_LOGONLY) {
- # do not follow link with option -h
- `$chgrp -h $newgown $file`;
- $retval = ($? >> 8);
- if($retval == 0 ){
- # if the distribution is HP-UX then the modifications should
- # also be made to the IPD (installed product database)
- if(&GetDistro =~ "^HP-UX"){
- &B_swmodify($file);
- }
- # making ownership change revert-able
- &B_revert_log("$chgrp" . " -h $oldgown $file\n");
- }
- }
- unless (! $retval) {
- &B_log("ERROR","Couldn't change group ownership to $newgown on file $original_file\n");
- }
- }
- else {
- &B_log("ERROR","chgrp: File $original_file doesn't exist!\n");
- $retval=0;
- }
- }
-}
-
-###########################################################################
-# B_userdel($user) removes $user from the system, chmoding her home
-# directory to 000, root:root owned, and removes the user from all
-# /etc/passwd, /etc/shadow and /etc/group lines.
-#
-# In the future, we may also choose to make a B_lock_account routine.
-#
-# This routine depends on B_remove_user_from_group.
-###########################################################################
-
-sub B_userdel($) {
-
- my $user_to_remove = $_[0];
-
- if (&GetDistro =~ /^HP-UX/) {
- return 0;
-
- # Not yet suported on HP-UX, where we'd need to support
- # the TCB files and such.
- }
-
- #
- # First, let's chmod/chown/chgrp the user's home directory.
- #
-
- # Get the user's home directory from /etc/passwd
- if (open PASSWD,&getGlobal('FILE','passwd')) {
- my @lines=<PASSWD>;
- close PASSWD;
-
- # Get the home directory
- my $user_line = grep '^\s*$user_to_remove\s*:',@lines;
- my $home_directory = (split /\s*:\s*/,$user_line)[5];
-
- # Chmod that home dir to 0000,owned by uid 0, gid 0.
- if (&B_chmod_if_exists(0000,$home_directory)) {
- &B_chown(0,$home_directory);
- &B_chgrp(0,$home_directory);
- }
- }
- else {
- &B_log('ERROR',"B_userdel couldn't open the passwd file to remove a user.");
- return 0;
- }
-
- #
- # Next find out what groups the user is in, so we can call
- # B_remove_user_from_group($user,$group)
- #
- # TODO: add this to the helper functions for the test suite.
- #
-
- my @groups = ();
-
- # Parse /etc/group, looking for our user.
- if (open GROUP,&getGlobal('FILE','group')) {
- my @lines = <GROUP>;
- close GROUP;
-
- foreach my $line (@lines) {
-
- # Parse the line -- first field is group, last is users in group.
- if ($line =~ /([^\#^:]+):[^:]+:[^:]+:(.*)/) {
- my $group = $1;
- my $users_section = $2;
-
- # Get the user list and check if our user is in it.
- my @users = split /\s*,\s*/,$users_section;
- foreach my $user (@users) {
- if ($user_to_remove eq $user) {
- push @groups,$group;
- last;
- }
- }
- }
- }
- }
-
- # Now remove the user from each of those groups.
- foreach my $group (@groups) {
- &B_remove_user_from_group($user_to_remove,$group);
- }
-
- # Remove the user's /etc/passwd and /etc/shadow lines
- &B_delete_line(&getGlobal('FILE','passwd'),"^$user_to_remove\\s*:");
- &B_delete_line(&getGlobal('FILE','shadow'),"^$user_to_remove\\s*:");
-
-
- #
- # We should delete the user's group as well, if it's a single-user group.
- #
- if (open ETCGROUP,&getGlobal('FILE','group')) {
- my @group_lines = <ETCGROUP>;
- close ETCGROUP;
- chomp @group_lines;
-
- if (grep /^$user_to_remove\s*:[^:]*:[^:]*:\s*$/,@group_lines > 0) {
- &B_groupdel($user_to_remove);
- }
- }
-
-}
-
-###########################################################################
-# B_groupdel($group) removes $group from /etc/group.
-###########################################################################
-
-sub B_groupdel($) {
-
- my $group = $_[0];
-
- # First read /etc/group to make sure the group is in there.
- if (open GROUP,&getGlobal('FILE','group')) {
- my @lines=<GROUP>;
- close GROUP;
-
- # Delete the line in /etc/group if present
- if (grep /^$group:/,@lines > 0) {
- # The group is named in /etc/group
- &B_delete_line(&getGlobal('FILE','group'),"^$group:/");
- }
- }
-
-}
-
-
-###########################################################################
-# B_remove_user_from_group($user,$group) removes $user from $group,
-# by modifying $group's /etc/group line, pulling the user out. This
-# uses B_chunk_replace thrice to replace these patterns:
-#
-# ":\s*$user\s*," --> ":"
-# ",\s*$user" -> ""
-#
-###########################################################################
-
-sub B_remove_user_from_group($$) {
-
- my ($user_to_remove,$group) = @_;
-
- #
- # We need to find the line from /etc/group that defines the group, parse
- # it, and put it back together without this user.
- #
-
- # Open the group file
- unless (open GROUP,&getGlobal('FILE','group')) {
- &B_log('ERROR',"&B_remove_user_from_group couldn't read /etc/group to remove $user_to_remove from $group.\n");
- return 0;
- }
- my @lines = <GROUP>;
- close GROUP;
- chomp @lines;
-
- #
- # Read through the lines to find the one we care about. We'll construct a
- # replacement and then use B_replace_line to make the switch.
- #
-
- foreach my $line (@lines) {
-
- if ($line =~ /^\s*$group\s*:/) {
-
- # Parse this line.
- my @group_entries = split ':',$line;
- my @users = split ',',($group_entries[3]);
-
- # Now, recreate it.
- my $first_user = 1;
- my $group_line = $group_entries[0] . ':' . $group_entries[1] . ':' . $group_entries[2] . ':';
-
- # Add every user except the one we're removing.
- foreach my $user (@users) {
-
- # Remove whitespace.
- $user =~ s/\s+//g;
-
- if ($user ne $user_to_remove) {
- # Add the user to the end of the line, prefacing
- # it with a comma if it's not the first user.
-
- if ($first_user) {
- $group_line .= "$user";
- $first_user = 0;
- }
- else {
- $group_line .= ",$user";
- }
- }
- }
-
- # The line is now finished. Replace the original line.
- $group_line .= "\n";
- &B_replace_line(&getGlobal('FILE','group'),"^\\s*$group\\s*:",$group_line);
- }
-
- }
- return 1;
-}
-
-###########################################################################
-# &B_check_owner_group($$$)
-#
-# Checks if the given file has the given owner and/or group.
-# If the given owner is "", checks group only.
-# If the given group is "", checks owner only.
-#
-# return values:
-# 1: file has the given owner and/or group
-# or file exists, and both the given owner and group are ""
-# 0: file does not has the given owner or group
-# or file does not exists
-############################################################################
-
-sub B_check_owner_group ($$$){
- my ($fileName, $owner, $group) = @_;
-
- if (-e $fileName) {
- my @junk=stat ($fileName);
- my $uid=$junk[4];
- my $gid=$junk[5];
-
- # Check file owner
- if ($owner ne "") {
- if (getpwnam($owner) != $uid) {
- return 0;
- }
- }
-
- # Check file group
- if ($group ne "") {
- if (getgrnam($group) != $gid) {
- return 0;
- }
- }
-
- return 1;
- }
- else {
- # Something is wrong if the file not exist
- return 0;
- }
-}
-
-##########################################################################
-# this subroutine will test whether the given file is unowned
-##########################################################################
-sub B_is_unowned_file($) {
- my $file =$_;
- my $uid = (stat($file))[4];
- my $uname = (getpwuid($uid))[0];
- if ( $uname =~ /.+/ ) {
- return 1;
- }
- return 0;
-}
-
-##########################################################################
-# this subroutine will test whether the given file is ungrouped
-##########################################################################
-sub B_is_ungrouped_file($){
- my $file =$_;
- my $gid = (stat($file))[5];
- my $gname = (getgrgid($gid))[0];
- if ( $gname =~ /.+/ ) {
- return 1;
- }
- return 0;
-}
-
-
-
-
-###########################################################################
-# &B_check_permissions($$)
-#
-# Checks if the given file has the given permissions or stronger, where we
-# define stronger as "less accessible." The file argument must be fully
-# qualified, i.e. contain the absolute path.
-#
-# return values:
-# 1: file has the given permissions or better
-# 0: file does not have the given permsssions
-# undef: file permissions cannot be determined
-###########################################################################
-
-sub B_check_permissions ($$){
- my ($fileName, $reqdPerms) = @_;
- my $filePerms; # actual permissions
-
-
- if (-e $fileName) {
- if (stat($fileName)) {
- $filePerms = (stat($fileName))[2] & 07777;
- }
- else {
- &B_log ("ERROR", "Can't stat $fileName.\n");
- return undef;
- }
- }
- else {
- # If the file does not exist, permissions are as good as they can get.
- return 1;
- }
-
- #
- # We can check whether the $filePerms are as strong by
- # bitwise ANDing them with $reqdPerms and checking if the
- # result is still equal to $filePerms. If it is, the
- # $filePerms are strong enough.
- #
- if ( ($filePerms & $reqdPerms) == $filePerms ) {
- return 1;
- }
- else {
- return 0;
- }
-
-}
-
-##########################################################################
-# B_permission_test($user, $previlege,$file)
-# $user can be
-# "owner"
-# "group"
-# "other"
-# $previlege can be:
-# "r"
-# "w"
-# "x"
-# "suid"
-# "sgid"
-# "sticky"
-# if previlege is set to suid or sgid or sticky, then $user can be empty
-# this sub routine test whether the $user has the specified previlige to $file
-##########################################################################
-
-sub B_permission_test($$$){
- my ($user, $previlege, $file) = @_;
-
- if (-e $file ) {
- my $mode = (stat($file))[2];
- my $bitpos;
- # bitmap is | suid sgid sticky | rwx | rwx | rwx
- if ($previlege =~ /suid/ ) {
- $bitpos = 11;
- }
- elsif ($previlege =~ /sgid/ ) {
- $bitpos = 10;
- }
- elsif ($previlege =~ /sticky/ ) {
- $bitpos = 9;
- }
- else {
- if ( $user =~ /owner/) {
- if ($previlege =~ /r/) {
- $bitpos = 8;
- }
- elsif ($previlege =~ /w/) {
- $bitpos =7;
- }
- elsif ($previlege =~ /x/) {
- $bitpos =6;
- }
- else {
- return 0;
- }
- }
- elsif ( $user =~ /group/) {
- if ($previlege =~ /r/) {
- $bitpos =5;
- }
- elsif ($previlege =~ /w/) {
- $bitpos =4;
- }
- elsif ($previlege =~ /x/) {
- $bitpos =3;
- }
- else {
- return 0;
- }
- }
- elsif ( $user =~ /other/) {
- if ($previlege =~ /r/) {
- $bitpos =2;
- }
- elsif ($previlege =~ /w/) {
- $bitpos =1;
- }
- elsif ($previlege =~ /x/) {
- $bitpos =0;
- }
- else {
- return 0;
- }
- }
- else {
- return 0;
- }
- }
- $mode /= 2**$bitpos;
- if ($mode % 2) {
- return 1;
- }
- return 0;
- }
-}
-
-##########################################################################
-# this subroutine will return a list of home directory
-##########################################################################
-sub B_find_homes(){
- # find loginable homes
- my $logins = &getGlobal("BIN","logins");
- my @lines = `$logins -ox`;
- my @homes;
- foreach my $line (@lines) {
- chomp $line;
- my @data = split /:/, $line;
- if ($data[7] =~ /PS/ && $data[5] =~ /home/) {
- push @homes, $data[5];
- }
- }
- return @homes;
-}
-
-
-###########################################################################
-# B_is_executable($)
-#
-# This routine reports on whether a file is executable by the current
-# process' effective UID.
-#
-# scalar return values:
-# 0: file is not executable
-# 1: file is executable
-#
-###########################################################################
-
-sub B_is_executable($)
-{
- my $name = shift;
- my $executable = 0;
-
- if (-x $name) {
- $executable = 1;
- }
- return $executable;
-}
-
-###########################################################################
-# B_is_suid($)
-#
-# This routine reports on whether a file is Set-UID and owned by root.
-#
-# scalar return values:
-# 0: file is not SUID root
-# 1: file is SUID root
-#
-###########################################################################
-
-sub B_is_suid($)
-{
- my $name = shift;
-
- my @FileStatus = stat($name);
- my $IsSuid = 0;
-
- if (-u $name) #Checks existence and suid
- {
- if($FileStatus[4] == 0) {
- $IsSuid = 1;
- }
- }
-
- return $IsSuid;
-}
-
-###########################################################################
-# B_is_sgid($)
-#
-# This routine reports on whether a file is SGID and group owned by
-# group root (gid 0).
-#
-# scalar return values:
-# 0: file is not SGID root
-# 1: file is SGID root
-#
-###########################################################################
-
-sub B_is_sgid($)
-{
- my $name = shift;
-
- my @FileStatus = stat($name);
- my $IsSgid = 0;
-
- if (-g $name) #checks existence and sgid
- {
- if($FileStatus[5] == 0) {
- $IsSgid = 1;
- }
- }
-
- return $IsSgid;
-}
-
-###########################################################################
-# B_get_user_list()
-#
-# This routine outputs a list of users on the system.
-#
-###########################################################################
-
-sub B_get_user_list()
-{
- my @users;
- open(PASSWD,&getGlobal('FILE','passwd'));
- while(<PASSWD>) {
- #Get the users
- if (/^([^:]+):/)
- {
- push (@users,$1);
- }
- }
- return @users;
-}
-
-###########################################################################
-# B_get_group_list()
-#
-# This routine outputs a list of groups on the system.
-#
-###########################################################################
-
-sub B_get_group_list()
-{
- my @groups;
- open(GROUP,&getGlobal('FILE','group'));
- while(my $group_line = <GROUP>) {
- #Get the groups
- if ($group_line =~ /^([^:]+):/)
- {
- push (@groups,$1);
- }
- }
- return @groups;
-}
-
-
-###########################################################################
-# &B_remove_suid ($file) removes the suid bit from $file if it
-# is set and the file exist. If you would like to remove the suid bit
-# from /bin/ping then you need to use:
-#
-# &B_remove_suid("/bin/ping");
-#
-# &B_remove_suid respects GLOBAL_LOGONLY.
-# &B_remove_suid uses &B_chmod to make the permission changes
-# &B_remove_suid allows for globbing. tyler_e
-#
-###########################################################################
-
-sub B_remove_suid($) {
- my $file_expr = $_[0];
-
- &B_log("ACTION","Removing SUID bit from \"$file_expr\".");
- unless ($GLOBAL_LOGONLY) {
- my @files = glob($file_expr);
-
- foreach my $file (@files) {
- # check file existence
- if(-e $file){
- # stat current file to get raw permissions
- my $old_perm_raw = (stat $file)[2];
- # test to see if suidbit is set
- my $suid_bit = (($old_perm_raw/2048) % 2);
- if($suid_bit == 1){
- # new permission without the suid bit
- my $new_perm = ((($old_perm_raw/512) % 8 ) - 4) .
- (($old_perm_raw/64) % 8 ) .
- (($old_perm_raw/8) % 8 ) .
- (($old_perm_raw) % 8 );
- if(&B_chmod(oct($new_perm), $file)){
- &B_log("ACTION","Removed SUID bit from \"$file\".");
- }
- else {
- &B_log("ERROR","Could not remove SUID bit from \"$file\".");
- }
- } # No action if SUID bit is not set
- }# No action if file does not exist
- }# Repeat for each file in the file glob
- } # unless Global_log
-}
-
-
-
-1;
-
diff --git a/recipes-security/bastille/files/FileContent.pm b/recipes-security/bastille/files/FileContent.pm
deleted file mode 100644
index 0a5d609..0000000
--- a/recipes-security/bastille/files/FileContent.pm
+++ /dev/null
@@ -1,1153 +0,0 @@
-package Bastille::API::FileContent;
-use strict;
-
-use Bastille::API;
-
-require Exporter;
-our @ISA = qw(Exporter);
-our @EXPORT_OK = qw(
-B_blank_file
-B_insert_line_after
-B_insert_line_before
-B_insert_line
-B_append_line
-B_prepend_line
-B_replace_line
-B_replace_lines
-B_replace_pattern
-B_match_line
-B_match_line_only
-B_match_chunk
-B_return_matched_lines
-B_hash_comment_line
-B_hash_uncomment_line
-B_delete_line
-B_chunk_replace
-B_print
-B_getValueFromFile
-B_getValueFromString
-
-B_TODO
-B_TODOFlags
-);
-our @EXPORT = @EXPORT_OK;
-
-
-
-###########################################################################
-# &B_blank_file ($filename,$pattern) blanks the file $filename, unless the
-# pattern $pattern is present in the file. This lets us completely redo
-# a file, if it isn't the one we put in place on a previous run...
-#
-# B_blank_file respects $GLOBAL_LOGONLY and uses B_open_plus and B_close_plus
-# so that it makes backups and only modifies files when we're not in "-v"
-# mode...
-#
-# If the file does not exist, the function does nothing, and gives an error
-# to the Error Log
-#
-###########################################################################
-
-sub B_blank_file($$) {
-
- my ($filename,$pattern) = @_;
- my $retval;
-
- # If this variable is true, we won't blank the file...
-
- my $found_pattern=0;
-
- if ($retval=&B_open_plus (*BLANK_NEW,*BLANK_OLD,$filename) ) {
-
- my @lines;
-
- while (my $line = <BLANK_OLD>) {
-
- push @lines,$line;
- if ($line =~ $pattern) {
- $found_pattern=1;
- }
- }
-
- # Only copy the old file if the new one didn't match.
- if ($found_pattern) {
- while ( my $line = shift @lines ) {
- &B_print(*BLANK_NEW,$line);
- }
- }
- else {
- &B_log("ACTION","Blanked file $filename\n");
- }
- &B_close_plus(*BLANK_NEW,*BLANK_OLD,$filename);
- }
- else {
- &B_log("ERROR","Couldn't blank file $filename since we couldn't open it or its replacement\n");
- }
-
- return $retval;
-
-}
-
-###########################################################################
-# &B_insert_line_after ($filename,$pattern,$line_to_insert,$line_to_follow)
-# modifies $filename, inserting $line_to_insert unless one or more lines
-# in the file matches $pattern. The $line_to_insert will be placed
-# immediately after $line_to_follow, if it exists. If said line does not
-# exist, the line will not be inserted and this routine will return 0.
-#
-# B_insert_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-# Here's examples of where you might use this:
-#
-# You'd like to insert a line in Apache's configuration file, in a
-# particular section.
-#
-###########################################################################
-
-sub B_insert_line_after($$$$) {
-
- my ($filename,$pattern,$line_to_insert,$line_to_follow) = @_;
-
- my @lines;
- my $found_pattern=0;
- my $found_line_to_follow=0;
-
- my $retval=1;
-
- if ( &B_open_plus (*INSERT_NEW,*INSERT_OLD,$filename) ) {
-
- # Read through the file looking for a match both on the $pattern
- # and the line we are supposed to be inserting after...
-
- my $ctr=1;
- while (my $line=<INSERT_OLD>) {
- push (@lines,$line);
- if ($line =~ $pattern) {
- $found_pattern=1;
- }
- if ( ($found_line_to_follow < 1) and ($line =~ $line_to_follow)) {
- $found_line_to_follow=$ctr;
- }
- $ctr++;
- }
-
- # Log an error if we never found the line we were to insert after
- unless ($found_line_to_follow ) {
- $retval=0;
- &B_log("ERROR","Never found the line that we were supposed to insert after in $filename\n");
- }
-
- # Now print the file back out, inserting our line if we should...
-
- $ctr=1;
- while (my $line = shift @lines) {
- &B_print(*INSERT_NEW,$line);
- if ( ($ctr == $found_line_to_follow) and ($found_pattern == 0) ) {
- &B_print(*INSERT_NEW,$line_to_insert);
- &B_log("ACTION","Inserted the following line in $filename:\n");
- &B_log("ACTION","$line_to_insert");
- }
- $ctr++;
- }
-
- &B_close_plus (*INSERT_NEW,*INSERT_OLD,$filename);
-
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't insert line to $filename, since open failed.");
- }
-
- return $retval;
-
-}
-###########################################################################
-# &B_insert_line_before ($filename,$pattern,$line_to_insert,$line_to_preceed)
-# modifies $filename, inserting $line_to_insert unless one or more lines
-# in the file matches $pattern. The $line_to_insert will be placed
-# immediately before $line_to_preceed, if it exists. If said line does not
-# exist, the line will not be inserted and this routine will return 0.
-#
-# B_insert_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-# Here's examples of where you might use this:
-#
-# You'd like to insert a line in Apache's configuration file, in a
-# particular section.
-#
-###########################################################################
-
-sub B_insert_line_before($$$$) {
-
- my ($filename,$pattern,$line_to_insert,$line_to_preceed) = @_;
-
- my @lines;
- my $found_pattern=0;
- my $found_line_to_preceed=0;
-
- my $retval=1;
-
- if ( &B_open_plus (*INSERT_NEW,*INSERT_OLD,$filename) ) {
-
- # Read through the file looking for a match both on the $pattern
- # and the line we are supposed to be inserting after...
-
- my $ctr=1;
- while (my $line=<INSERT_OLD>) {
- push (@lines,$line);
- if ($line =~ $pattern) {
- $found_pattern=1;
- }
- if ( ($found_line_to_preceed < 1) and ($line =~ $line_to_preceed)) {
- $found_line_to_preceed=$ctr;
- }
- $ctr++;
- }
-
- # Log an error if we never found the line we were to preceed
- unless ($found_line_to_preceed ) {
- $retval=0;
- &B_log("ERROR","Never found the line that we were supposed to insert before in $filename\n");
- }
-
- # Now print the file back out, inserting our line if we should...
-
- $ctr=1;
- while (my $line = shift @lines) {
- if ( ($ctr == $found_line_to_preceed) and ($found_pattern == 0) ) {
- &B_print(*INSERT_NEW,$line_to_insert);
- &B_log("ACTION","Inserted the following line in $filename:\n");
- &B_log("ACTION","$line_to_insert");
- }
- &B_print(*INSERT_NEW,$line);
- $ctr++;
- }
-
- &B_close_plus (*INSERT_NEW,*INSERT_OLD,$filename);
-
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't insert line to $filename, since open failed.");
- }
-
- return $retval;
-
-}
-
-###########################################################################
-# &B_insert_line ($filename,$pattern,$line_to_insert,$line_to_follow)
-#
-# has been renamed to B_insert_line_after()
-#
-# This name will continue to work, as a shim for code that has not been
-# transitioned.
-###########################################################################
-
-sub B_insert_line($$$$) {
-
- my $rtn_value = &B_insert_line_after(@_);
-
- return ($rtn_value);
-}
-
-
-###########################################################################
-# &B_append_line ($filename,$pattern,$line_to_append) modifies $filename,
-# appending $line_to_append unless one or more lines in the file matches
-# $pattern. This is an enhancement to the append_line_if_no_such_line_exists
-# idea.
-#
-# Additionally, if $pattern is set equal to "", the line is always appended.
-#
-# B_append_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-# Here's examples of where you might use this:
-#
-# You'd like to add a root line to /etc/ftpusers if none exists.
-# You'd like to add a Options Indexes line to Apache's config. file,
-# after you delete all Options lines from said config file.
-#
-###########################################################################
-
-sub B_append_line($$$) {
-
- my ($filename,$pattern,$line_to_append) = @_;
-
- my $found_pattern=0;
- my $retval=1;
-
- if ( &B_open_plus (*APPEND_NEW,*APPEND_OLD,$filename) ) {
- while (my $line=<APPEND_OLD>) {
- &B_print(*APPEND_NEW,$line);
- if ($line =~ $pattern) {
- $found_pattern=1;
- }
- }
- # Changed != 0 to $pattern so that "" works instead of 0 and perl
- # does not give the annoying
- # Argument "XX" isn't numeric in ne at ...
- if ( $pattern eq "" or ! $found_pattern ) {
- &B_print(*APPEND_NEW,$line_to_append);
- &B_log("ACTION","Appended the following line to $filename:\n");
- &B_log("ACTION","$line_to_append");
- }
- &B_close_plus (*APPEND_NEW,*APPEND_OLD,$filename);
- }
- else {
- $retval=0;
- &B_log("ERROR","# Couldn't append line to $filename, since open failed.");
- }
-
- return $retval;
-
-}
-
-###########################################################################
-# &B_prepend_line ($filename,$pattern,$line_to_prepend) modifies $filename,
-# pre-pending $line_to_prepend unless one or more lines in the file matches
-# $pattern. This is an enhancement to the prepend_line_if_no_such_line_exists
-# idea.
-#
-# B_prepend_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-# Here's examples of where you might use this:
-#
-# You'd like to insert the line "auth required pam_deny.so" to the top
-# of the PAM stack file /etc/pam.d/rsh to totally deactivate rsh.
-#
-###########################################################################
-
-sub B_prepend_line($$$) {
-
- my ($filename,$pattern,$line_to_prepend) = @_;
-
- my @lines;
- my $found_pattern=0;
- my $retval=1;
-
- if ( &B_open_plus (*PREPEND_NEW,*PREPEND_OLD,$filename) ) {
- while (my $line=<PREPEND_OLD>) {
- push (@lines,$line);
- if ($line =~ $pattern) {
- $found_pattern=1;
- }
- }
- unless ($found_pattern) {
- &B_print(*PREPEND_NEW,$line_to_prepend);
- }
- while (my $line = shift @lines) {
- &B_print(*PREPEND_NEW,$line);
- }
-
- &B_close_plus (*PREPEND_NEW,*PREPEND_OLD,$filename);
-
- # Log the action
- &B_log("ACTION","Pre-pended the following line to $filename:\n");
- &B_log("ACTION","$line_to_prepend");
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't prepend line to $filename, since open failed.\n");
- }
-
- return $retval;
-
-}
-
-
-###########################################################################
-# &B_replace_line ($filename,$pattern,$line_to_switch_in) modifies $filename,
-# replacing any lines matching $pattern with $line_to_switch_in.
-#
-# It returns the number of lines it replaced (or would have replaced, if
-# LOGONLY mode wasn't on...)
-#
-# B_replace_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-# Here an example of where you might use this:
-#
-# You'd like to replace any Options lines in Apache's config file with:
-# Options Indexes FollowSymLinks
-#
-###########################################################################
-
-sub B_replace_line($$$) {
-
- my ($filename,$pattern,$line_to_switch_in) = @_;
- my $retval=0;
-
- if ( &B_open_plus (*REPLACE_NEW,*REPLACE_OLD,$filename) ) {
- while (my $line=<REPLACE_OLD>) {
- unless ($line =~ $pattern) {
- &B_print(*REPLACE_NEW,$line);
- }
- else {
- # Don't replace the line if it's already there.
- unless ($line eq $line_to_switch_in) {
- &B_print(*REPLACE_NEW,$line_to_switch_in);
-
- $retval++;
- &B_log("ACTION","File modification in $filename -- replaced line\n" .
- "$line\n" .
- "with:\n" .
- "$line_to_switch_in");
- }
- # But if it is there, make sure it stays there! (by Paul Allen)
- else {
- &B_print(*REPLACE_NEW,$line);
- }
- }
- }
- &B_close_plus (*REPLACE_NEW,*REPLACE_OLD,$filename);
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't replace line(s) in $filename because open failed.\n");
- }
-
- return $retval;
-}
-
-###########################################################################
-# &B_replace_lines ($filename,$patterns_and_substitutes) modifies $filename,
-# replacing the line matching the nth $pattern specified in $patterns_and_substitutes->[n]->[0]
-# with the corresponding substitutes in $patterns_and_substitutes->[n]->-[1]
-#
-# It returns the number of lines it replaced (or would have replaced, if
-# LOGONLY mode wasn't on...)
-#
-# B_replace_lines uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-# Here an example of where you might use this:
-#
-# You'd like to replace /etc/opt/ssh/sshd_config file
-# (^#|^)Protocol\s+(.*)\s*$ ==> Protocol 2
-# (^#|^)X11Forwarding\s+(.*)\s*$ ==> X11Forwarding yes
-# (^#|^)IgnoreRhosts\s+(.*)\s*$ ==> gnoreRhosts yes
-# (^#|^)RhostsAuthentication\s+(.*)\s*$ ==> RhostsAuthentication no
-# (^#|^)RhostsRSAAuthentication\s+(.*)\s*$ ==> RhostsRSAAuthentication no
-# (^#|^)PermitRootLogin\s+(.*)\s*$ ==> PermitRootLogin no
-# (^#|^)PermitEmptyPasswords\s+(.*)\s*$ ==> PermitEmptyPasswords no
-# my $patterns_and_substitutes = [
-# [ '(^#|^)Protocol\s+(.*)\s*$' => 'Protocol 2'],
-# ['(^#|^)X11Forwarding\s+(.*)\s*$' => 'X11Forwarding yes'],
-# ['(^#|^)IgnoreRhosts\s+(.*)\s*$' => 'gnoreRhosts yes'],
-# ['(^#|^)RhostsAuthentication\s+(.*)\s*$' => 'RhostsAuthentication no'],
-# ['(^#|^)RhostsRSAAuthentication\s+(.*)\s*$' => 'RhostsRSAAuthentication no'],
-# ['(^#|^)PermitRootLogin\s+(.*)\s*$' => 'PermitRootLogin no'],
-# ['(^#|^)PermitEmptyPasswords\s+(.*)\s*$' => 'PermitEmptyPasswords no']
-#]
-# B_replaces_lines($sshd_config,$patterns_and_substitutes);
-###########################################################################
-
-sub B_replace_lines($$){
- my ($filename, $pairs) = @_;
- my $retval = 0;
- if ( &B_open_plus (*REPLACE_NEW,*REPLACE_OLD,$filename) ) {
- while (my $line = <REPLACE_OLD>) {
- my $switch;
- my $switch_before = $line;
- chomp($line);
- foreach my $pair (@$pairs) {
- $switch = 0;
-
- my $pattern = $pair->[0] ;
- my $replace = $pair->[1];
- my $evalstr = '$line' . "=~ s/$pattern/$replace/";
- eval $evalstr;
- if ($@) {
- &B_log("ERROR", "eval $evalstr failed.\n");
- }
- #if ( $line =~ s/$pair->[0]/$pair->[1]/) {
- # $switch = 1;
- # last;
- #}
- }
- &B_print(*REPLACE_NEW,"$line\n");
- if ($switch) {
- $retval++;
- B_log("ACTION","File modification in $filename -- replaced line\n" .
- "$switch_before\n" .
- "with:\n" .
- "$line\n");
- }
- }
- &B_close_plus (*REPLACE_NEW,*REPLACE_OLD,$filename);
- return 1;
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't replace line(s) in $filename because open failed.\n");
- }
-}
-
-################################################################################################
-# &B_replace_pattern ($filename,$pattern,$pattern_to_remove,$text_to_switch_in)
-# modifies $filename, acting on only lines that match $pattern, replacing a
-# string that matches $pattern_to_remove with $text_to_switch_in.
-#
-# Ex:
-# B_replace_pattern('/etc/httpd.conf','^\s*Options.*\bIncludes\b','Includes','IncludesNoExec')
-#
-# replaces all "Includes" with "IncludesNoExec" on Apache Options lines.
-#
-# It returns the number of lines it altered (or would have replaced, if
-# LOGONLY mode wasn't on...)
-#
-# B_replace_pattern uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-#################################################################################################
-
-sub B_replace_pattern($$$$) {
-
- my ($filename,$pattern,$pattern_to_remove,$text_to_switch_in) = @_;
- my $retval=0;
-
- if ( &B_open_plus (*REPLACE_NEW,*REPLACE_OLD,$filename) ) {
- while (my $line=<REPLACE_OLD>) {
- unless ($line =~ $pattern) {
- &B_print(*REPLACE_NEW,$line);
- }
- else {
- my $orig_line =$line;
- $line =~ s/$pattern_to_remove/$text_to_switch_in/;
-
- &B_print(*REPLACE_NEW,$line);
-
- $retval++;
- &B_log("ACTION","File modification in $filename -- replaced line\n" .
- "$orig_line\n" .
- "via pattern with:\n" .
- "$line\n\n");
- }
- }
- &B_close_plus (*REPLACE_NEW,*REPLACE_OLD,$filename);
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't pattern-replace line(s) in $filename because open failed.\n");
- }
-
- return $retval;
-}
-
-
-###########################################################################
-# &B_match_line($file,$pattern);
-#
-# This subroutine will return a 1 if the pattern specified can be matched
-# against the file specified. It will return a 0 otherwise.
-#
-# return values:
-# 0: pattern not in file or the file is not readable
-# 1: pattern is in file
-###########################################################################
-sub B_match_line($$) {
- # file to be checked and pattern to check for.
- my ($file,$pattern) = @_;
- # if the file is readable then
- if(-r $file) {
- # if the file can be opened then
- if(open FILE,"<$file") {
- # look at each line in the file
- while (my $line = <FILE>) {
- # if a line matches the pattern provided then
- if($line =~ $pattern) {
- # return the pattern was found
- B_log('DEBUG','Pattern: ' . $pattern . ' matched in file: ' .
- $file . "\n");
- return 1;
- }
- }
- }
- # if the file cann't be opened then
- else {
- # send a note to that affect to the errorlog
- &B_log("ERROR","Unable to open file for read.\n$file\n$!\n");
- }
- }
- B_log('DEBUG','Pattern: ' . $pattern . ' not matched in file: ' .
- $file . "\n");
- # the provided pattern was not matched against a line in the file
- return 0;
-}
-
-###########################################################################
-# &B_match_line_only($file,$pattern);
-#
-# This subroutine checks if the specified pattern can be matched and if
-# it's the only content in the file. The only content means it's only but
-# may have several copies in the file.
-#
-# return values:
-# 0: pattern not in file or pattern is not the only content
-# or the file is not readable
-# 1: pattern is in file and it's the only content
-############################################################################
-sub B_match_line_only($$) {
- my ($file,$pattern) = @_;
-
- # if matched, set to 1 later
- my $retval = 0;
-
- # if the file is readable then
- if(-r $file) {
- # if the file can be opened then
- if(&B_open(*FILED, $file)) {
- # pattern should be matched at least once
- # pattern can not be mismatched
- while (my $line = <FILED>) {
- if ($line =~ $pattern) {
- $retval = 1;
- }
- else {
- &B_close(*FILED);
- return 0;
- }
- }
- }
- &B_close(*FILED);
- }
-
- return $retval;
-}
-
-###########################################################################
-# &B_return_matched_lines($file,$pattern);
-#
-# This subroutine returns lines in a file matching a given regular
-# expression, when called in the default list mode. When called in scalar
-# mode, returns the number of elements found.
-###########################################################################
-sub B_return_matched_lines($$)
-{
- my ($filename,$pattern) = @_;
- my @lines = ();
-
- open(READFILE, $filename);
- while (<READFILE>) {
- chomp;
- next unless /$pattern/;
- push(@lines, $_);
- }
- if (wantarray)
- {
- return @lines;
- }
- else
- {
- return scalar (@lines);
- }
-}
-
-###########################################################################
-# &B_match_chunk($file,$pattern);
-#
-# This subroutine will return a 1 if the pattern specified can be matched
-# against the file specified on a line-agnostic form. This allows for
-# patterns which by necessity must match against a multi-line pattern.
-# This is the natural analogue to B_replace_chunk, which was created to
-# provide multi-line capability not provided by B_replace_line.
-#
-# return values:
-# 0: pattern not in file or the file is not readable
-# 1: pattern is in file
-###########################################################################
-
-sub B_match_chunk($$) {
-
- my ($file,$pattern) = @_;
- my @lines;
- my $big_long_line;
- my $retval=1;
-
- open CHUNK_FILE,$file;
-
- # Read all lines into one scalar.
- @lines = <CHUNK_FILE>;
- close CHUNK_FILE;
-
- foreach my $line ( @lines ) {
- $big_long_line .= $line;
- }
-
- # Substitution routines get weird unless last line is terminated with \n
- chomp $big_long_line;
- $big_long_line .= "\n";
-
- # Exit if we don't find a match
- unless ($big_long_line =~ $pattern) {
- $retval = 0;
- }
-
- return $retval;
-}
-
-###########################################################################
-# &B_hash_comment_line ($filename,$pattern) modifies $filename, replacing
-# any lines matching $pattern with a "hash-commented" version, like this:
-#
-#
-# finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
-# becomes:
-# #finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
-#
-# Also:
-# tftp dgram udp wait root /usr/lbin/tftpd tftpd\
-# /opt/ignite\
-# /var/opt/ignite
-# becomes:
-# #tftp dgram udp wait root /usr/lbin/tftpd tftpd\
-# # /opt/ignite\
-# # /var/opt/ignite
-#
-#
-# B_hash_comment_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-###########################################################################
-
-sub B_hash_comment_line($$) {
-
- my ($filename,$pattern) = @_;
- my $retval=1;
-
- if ( &B_open_plus (*HASH_NEW,*HASH_OLD,$filename) ) {
- my $line;
- while ($line=<HASH_OLD>) {
- unless ( ($line =~ $pattern) and ($line !~ /^\s*\#/) ) {
- &B_print(*HASH_NEW,$line);
- }
- else {
- &B_print(*HASH_NEW,"#$line");
- &B_log("ACTION","File modification in $filename -- hash commented line\n" .
- "$line\n" .
- "like this:\n" .
- "#$line\n\n");
- # while the line has a trailing \ then we should also comment out the line below
- while($line =~ m/\\\n$/) {
- if($line=<HASH_OLD>) {
- &B_print(*HASH_NEW,"#$line");
- &B_log("ACTION","File modification in $filename -- hash commented line\n" .
- "$line\n" .
- "like this:\n" .
- "#$line\n\n");
- }
- else {
- $line = "";
- }
- }
-
- }
- }
- &B_close_plus (*HASH_NEW,*HASH_OLD,$filename);
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't hash-comment line(s) in $filename because open failed.\n");
- }
-
- return $retval;
-}
-
-
-###########################################################################
-# &B_hash_uncomment_line ($filename,$pattern) modifies $filename,
-# removing any commenting from lines that match $pattern.
-#
-# #finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
-# becomes:
-# finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
-#
-#
-# B_hash_uncomment_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-###########################################################################
-
-sub B_hash_uncomment_line($$) {
-
- my ($filename,$pattern) = @_;
- my $retval=1;
-
- if ( &B_open_plus (*HASH_NEW,*HASH_OLD,$filename) ) {
- my $line;
- while ($line=<HASH_OLD>) {
- unless ( ($line =~ $pattern) and ($line =~ /^\s*\#/) ) {
- &B_print(*HASH_NEW,$line);
- }
- else {
- $line =~ /^\s*\#+(.*)$/;
- $line = "$1\n";
-
- &B_print(*HASH_NEW,"$line");
- &B_log("ACTION","File modification in $filename -- hash uncommented line\n");
- &B_log("ACTION",$line);
- # while the line has a trailing \ then we should also uncomment out the line below
- while($line =~ m/\\\n$/) {
- if($line=<HASH_OLD>) {
- $line =~ /^\s*\#+(.*)$/;
- $line = "$1\n";
- &B_print(*HASH_NEW,"$line");
- &B_log("ACTION","File modification in $filename -- hash uncommented line\n");
- &B_log("ACTION","#$line");
- &B_log("ACTION","like this:\n");
- &B_log("ACTION","$line");
- }
- else {
- $line = "";
- }
- }
- }
- }
- &B_close_plus (*HASH_NEW,*HASH_OLD,$filename);
- }
- else {
- $retval=0;
- &B_log("ERROR","Couldn't hash-uncomment line(s) in $filename because open failed.\n");
- }
-
- return $retval;
-}
-
-
-
-###########################################################################
-# &B_delete_line ($filename,$pattern) modifies $filename, deleting any
-# lines matching $pattern. It uses B_replace_line to do this.
-#
-# B_replace_line uses B_open_plus and B_close_plus, so that the file
-# modified is backed up...
-#
-# Here an example of where you might use this:
-#
-# You'd like to remove any timeout= lines in /etc/lilo.conf, so that your
-# delay=1 modification will work.
-
-#
-###########################################################################
-
-
-sub B_delete_line($$) {
-
- my ($filename,$pattern)=@_;
- my $retval=&B_replace_line($filename,$pattern,"");
-
- return $retval;
-}
-
-
-###########################################################################
-# &B_chunk_replace ($file,$pattern,$replacement) reads $file replacing the
-# first occurrence of $pattern with $replacement.
-#
-###########################################################################
-
-sub B_chunk_replace($$$) {
-
- my ($file,$pattern,$replacement) = @_;
-
- my @lines;
- my $big_long_line;
- my $retval=1;
-
- &B_open (*OLDFILE,$file);
-
- # Read all lines into one scalar.
- @lines = <OLDFILE>;
- &B_close (*OLDFILE);
- foreach my $line ( @lines ) {
- $big_long_line .= $line;
- }
-
- # Substitution routines get weird unless last line is terminated with \n
- chomp $big_long_line;
- $big_long_line .= "\n";
-
- # Exit if we don't find a match
- unless ($big_long_line =~ $pattern) {
- return 0;
- }
-
- $big_long_line =~ s/$pattern/$replacement/s;
-
- $retval=&B_open_plus (*NEWFILE,*OLDFILE,$file);
- if ($retval) {
- &B_print (*NEWFILE,$big_long_line);
- &B_close_plus (*NEWFILE,*OLDFILE,$file);
- }
-
- return $retval;
-}
-
-###########################################################################
-# &B_print ($handle,@list) prints the items of @list to the file handle
-# $handle. It logs the action and respects the $GLOBAL_LOGONLY variable.
-#
-###########################################################################
-
-sub B_print {
- my $handle=shift @_;
-
- my $result=1;
-
- unless ($GLOBAL_LOGONLY) {
- $result=print $handle @_;
- }
-
- ($handle) = "$handle" =~ /[^:]+::[^:]+::([^:]+)/;
-
- $result;
-}
-
-
-##########################################################################
-# &B_getValueFromFile($regex,$file);
-# Takes a regex with a single group "()" and returns the unique value
-# on any non-commented lines
-# This (and B_return_matched_lines are only used in this file, though are
-# probably more generally useful. For now, leaving these here serve the following
-#functions:
-# a) still gets exported/associated as part of the Test_API package, and
-# is still availble for a couple operations that can't be deferred to the
-# main test loop, as they save values so that individual tests don't have to
-# recreate (copy / paste) the logic to get them.
-#
-# It also avoids the circular "use" if we incldued "use Test API" at the top
-# of this file (Test API "uses" this file.
-# Returns the uncommented, unique values of a param=value pair.
-#
-# Return values:
-# 'Not Defined' if the value is not present or not uniquely defined.
-# $value if the value is present and unique
-#
-###########################################################################
-sub B_getValueFromFile ($$){
- my $inputRegex=$_[0];
- my $file=$_[1];
- my ($lastvalue,$value)='';
-
- my @lines=&B_return_matched_lines($file, $inputRegex);
-
- return &B_getValueFromString($inputRegex,join('/n',@lines));
-}
-
-##########################################################################
-# &B_getValueFromString($param,$string);
-# Takes a regex with a single group "()" and returns the unique value
-# on any non-commented lines
-# This (and B_return_matched_lines are only used in this file, though are
-# probably more generally useful. For now, leaving these here serve the following
-#functions:
-# a) still gets exported/associated as part of the Test_API package, and
-# is still availble for a couple operations that can't be deferred to the
-# main test loop, as they save values so that individual tests don't have to
-# recreate (copy / paste) the logic to get them.
-#
-# It also avoids the circular "use" if we incldued "use Test API" at the top
-# of this file (Test API "uses" this file.
-# Returns the uncommented, unique values of a param=value pair.
-#
-# Return values:
-# 'Not Unique' if the value is not uniquely defined.
-# undef if the value isn't defined at all
-# $value if the value is present and unique
-#
-###########################################################################
-sub B_getValueFromString ($$){
- my $inputRegex=$_[0];
- my $inputString=$_[1];
- my $lastValue='';
- my $value='';
-
- my @lines=split(/\n/,$inputString);
-
- &B_log("DEBUG","B_getvaluefromstring called with regex: $inputRegex and input: " .
- $inputString);
- foreach my $line (grep(/$inputRegex/,@lines)) {
- $line =~ /$inputRegex/;
- $value=$1;
- if (($lastValue eq '') and ($value ne '')) {
- $lastValue = $value;
- } elsif (($lastValue ne $value) and ($value ne '')) {
- B_log("DEBUG","getvaluefromstring returned Not Unique");
- return 'Not Unique';
- }
- }
- if ((not(defined($value))) or ($value eq '')) {
- &B_log("DEBUG","Could not find regex match in string");
- return undef;
- } else {
- &B_log("DEBUG","B_getValueFromString Found: $value ; using: $inputRegex");
- return $value;
- }
-}
-
-###############################################################
-# This function adds something to the To Do List.
-# Arguments:
-# 1) The string you want to add to the To Do List.
-# 2) Optional: Question whose TODOFlag should be set to indicate
-# A pending manual action in subsequent reports. Only skip this
-# If there's no security-audit relevant action you need the user to
-# accomplish
-# Ex:
-# &B_TODO("------\nInstalling IPFilter\n----\nGo get Ipfilter","IPFilter.install_ipfilter");
-#
-#
-# Returns:
-# 0 - If error condition
-# True, if sucess, specifically:
-# "appended" if the append operation was successful
-# "exists" if no change was made since the entry was already present
-###############################################################
-sub B_TODO ($;$) {
- my $text = $_[0];
- my $FlaggedQuestion = $_[1];
- my $multilineString = "";
-
- # trim off any leading and trailing new lines, regexes separated for "clarity"
- $text =~ s/^\n+(.*)/$1/;
- $text =~ s/(.*)\n+$/$1/;
-
- if ( ! -e &getGlobal('BFILE',"TODO") ) {
- # Make the TODO list file for HP-UX Distro
- &B_create_file(&getGlobal('BFILE', "TODO"));
- &B_append_line(&getGlobal('BFILE', "TODO"),'a$b',
- "Please take the steps below to make your system more secure,\n".
- "then delete the item from this file and record what you did along\n".
- "with the date and time in your system administration log. You\n".
- "will need that information in case you ever need to revert your\n".
- "changes.\n\n");
- }
-
-
- if (open(TODO,"<" . &getGlobal('BFILE', "TODO"))) {
- while (my $line = <TODO>) {
- # getting rid of all meta characters.
- $line =~ s/(\\|\||\(|\)|\[|\]|\{|\}|\^|\$|\*|\+|\?|\.)//g;
- $multilineString .= $line;
- }
- chomp $multilineString;
- $multilineString .= "\n";
-
- close(TODO);
- }
- else {
- &B_log("ERROR","Unable to read TODO.txt file.\n" .
- "The following text could not be appended to the TODO list:\n" .
- $text .
- "End of TODO text\n");
- return 0; #False
- }
-
- my $textPattern = $text;
-
- # getting rid of all meta characters.
- $textPattern =~ s/(\\|\||\(|\)|\[|\]|\{|\}|\^|\$|\*|\+|\?|\.)//g;
-
- if( $multilineString !~ "$textPattern") {
- my $datestamp = "{" . localtime() . "}";
- unless ( &B_append_line(&getGlobal('BFILE', "TODO"), "", $datestamp . "\n" . $text . "\n\n\n") ) {
- &B_log("ERROR","TODO Failed for text: " . $text );
- }
- #Note that we only set the flag on the *initial* entry in the TODO File
- #Not on subsequent detection. This is to avoid the case where Bastille
- #complains on a subsequent Bastille run of an already-performed manual
- #action that the user neglected to delete from the TODO file.
- # It does, however lead to a report of "nonsecure" when the user
- #asked for the TODO item, performed it, Bastille detected that and cleared the
- # Item, and then the user unperformed the action. I think this is proper behavior.
- # rwf 06/06
-
- if (defined($FlaggedQuestion)) {
- &B_TODOFlags("set",$FlaggedQuestion);
- }
- return "appended"; #evals to true, and also notes what happened
- } else {
- return "exists"; #evals to true, and also
- }
-
-}
-
-
-#####################################################################
-# &B_TODOFlags()
-#
-# This is the interface to the TODO flags. Test functions set these when they
-# require a TODO item to be completed to get to a "secure" state.
-# The prune/reporting function checks these to ensure no flags are set before
-# reporting an item "secure"
-# "Methods" are load | save | isSet <Question> | set <Question> | unset <Question>
-#
-######################################################################
-
-sub B_TODOFlags($;$) {
- my $action = $_[0];
- my $module = $_[1];
-
- use File::Spec;
-
- my $todo_flag = &getGlobal("BFILE","TODOFlag");
-
- &B_log("DEBUG","B_TODOFlags action: $action , module: $module");
-
- if ($action eq "load") {
- if (-e $todo_flag ) {
- &B_open(*TODO_FLAGS, $todo_flag);
- my @lines = <TODO_FLAGS>;
- foreach my $line (@lines) {
- chomp($line);
- $GLOBAL_CONFIG{"$line"}{"TODOFlag"}="yes";
- }
- return (&B_close(*TODO_FLAGS)); #return success of final close
- } else {
- return 1; #No-op is okay
- }
- } elsif ($action eq "save") {
- # Make sure the file exists, else create
- #Note we use open_plus and and create file, so if Bastille is
- #reverted, all the flags will self-clear (file deleted)
- my $flagNumber = 0;
- my $flagData = '';
- foreach my $key (keys %GLOBAL_CONFIG) {
- if ($GLOBAL_CONFIG{$key}{"TODOFlag"} eq "yes") {
- ++$flagNumber;
- $flagData .= "$key\n";
- }
- }
- if (not( -e $todo_flag)) {
- &B_log("DEBUG","Initializing TODO Flag file: $todo_flag");
- &B_create_file($todo_flag); # Make sure it exists
- }
- &B_blank_file($todo_flag,
- "This will not appear in the file; ensures blanking");
- return &B_append_line($todo_flag, "", "$flagData"); #return success of save
- } elsif (($action eq "isSet") and ($module ne "")) {
- if ($GLOBAL_CONFIG{"$module"}{"TODOFlag"} eq "yes") {
- return 1; #TRUE
- } else {
- return 0; #FALSE
- }
- } elsif (($action eq "set") and ($module ne "")) {
- $GLOBAL_CONFIG{"$module"}{"TODOFlag"} = "yes";
- } elsif (($action eq "clear") and ($module ne "")) {
- $GLOBAL_CONFIG{"$module"}{"TODOFlag"} = "";
- } else {
- &B_log("ERROR","TODO_Flag Called with invalid parameters: $action , $module".
- "audit report may be incorrect.");
- return 0; #FALSE
- }
-}
-
-1;
-
-
diff --git a/recipes-security/bastille/files/HPSpecific.pm b/recipes-security/bastille/files/HPSpecific.pm
deleted file mode 100644
index 7e7d709..0000000
--- a/recipes-security/bastille/files/HPSpecific.pm
+++ /dev/null
@@ -1,1983 +0,0 @@
-package Bastille::API::HPSpecific;
-
-use strict;
-use Bastille::API;
-use Bastille::API::FileContent;
-
-require Exporter;
-our @ISA = qw(Exporter);
-our @EXPORT_OK = qw(
-getIPFLocation
-getGlobalSwlist
-B_check_system
-B_swmodify
-B_load_ipf_rules
-B_Schedule
-B_ch_rc
-B_set_value
-B_chperm
-B_install_jail
-B_list_processes
-B_list_full_processes
-B_deactivate_inetd_service
-B_get_rc
-B_set_rc
-B_chrootHPapache
-isSystemTrusted
-isTrustedMigrationAvailable
-checkServiceOnHPUX
-B_get_path
-convertToTrusted
-isOKtoConvert
-convertToShadow
-getSupportedSettings
-B_get_sec_value
-secureIfNoNameService
-isUsingRemoteNameService
-remoteServiceCheck
-remoteNISPlusServiceCheck
-B_create_nsswitch_file
-B_combine_service_results
-
-%priorBastilleNDD
-%newNDD
-);
-our @EXPORT = @EXPORT_OK;
-
-
-
-# "Constants" for use both in testing and in lock-down
-our %priorBastilleNDD = (
- "ip_forward_directed_broadcasts" =>["ip", "0"],
- "ip_forward_src_routed" =>["ip", "0"],
- "ip_forwarding" =>["ip", "0"],
- "ip_ire_gw_probe" =>["ip", "0"],
- "ip_pmtu_strategy" =>["ip", "1"],
- "ip_respond_to_echo_broadcast" =>["ip", "0"],
- "ip_send_redirects" =>["ip", "0"],
- "ip_send_source_quench" =>["ip", "0"],
- "tcp_syn_rcvd_max" =>["tcp","1000"],
- "tcp_conn_request_max" =>["tcp","4096"] );
-
-our %newNDD = (
- "ip_forward_directed_broadcasts" =>["ip", "0"],
- "ip_forward_src_routed" =>["ip", "0"],
- "ip_forwarding" =>["ip", "0"],
- "ip_ire_gw_probe" =>["ip", "0"],
- "ip_pmtu_strategy" =>["ip", "1"],
- "ip_respond_to_echo_broadcast" =>["ip", "0"],
- "ip_send_redirects" =>["ip", "0"],
- "ip_send_source_quench" =>["ip", "0"],
- "tcp_syn_rcvd_max" =>["tcp","4096"],
- "tcp_conn_request_max" =>["tcp","4096"],
- "arp_cleanup_interval" =>["arp","60000"],
- "ip_respond_to_timestamp" =>["ip", "0"],
- "ip_respond_to_timestamp_broadcast" => ["ip","0"] );
-
-
-####################################################################
-#
-# This module makes up the HP-UX specific API routines.
-#
-####################################################################
-#
-# Subroutine Listing:
-# &HP_ConfigureForDistro: adds all used file names to global
-# hashes and generates a global IPD
-# hash for SD modification lookup.
-#
-# &getGlobalSwlist($): Takes a fully qualified file name
-# and returns product:filset info
-# for that file. returns undef if
-# the file is not present in the IPD
-#
-# &B_check_system: Runs a series of system queries to
-# determine if Bastille can be safely
-# ran on the current system.
-#
-# &B_swmodify($): Takes a file name and runs the
-# swmodify command on it so that the
-# IPD is updated after changes
-#
-# &B_System($$): Takes a system command and the system
-# command that should be used to revert
-# whatever was done. Returns 1 on
-# success and 0 on failure
-#
-# &B_Backtick($) Takes a command to run and returns its stdout
-# to be used in place of the prior prevelent use
-# of un-error-handled backticks
-#
-# &B_load_ipf_rules($): Loads a set of ipfrules into ipf, storing
-# current rules for later reversion.
-#
-# &B_Schedule($$): Takes a pattern and a crontab line.
-# Adds or replaces the crontab line to
-# the crontab file, depending on if a
-# line matches the pattern
-#
-# &B_ch_rc($$): Takes a the rc.config.d flag name and
-# new value as well as the init script
-# location. This will stop a services
-# and set the service so that it will
-# not be restarted.
-#
-# &B_set_value($$$): Takes a param, value, and a filename
-# and sets the given value in the file.
-# Uses ch_rc, but could be rewritten using
-# Bastille API calls to make it work on Linux
-#
-# &B_TODO($): Appends the give string to the TODO.txt
-# file.
-#
-# &B_chperm($$$$): Takes new perm owner and group of given
-# file. TO BE DEPRECATED!!!
-#
-# &B_install_jail($$): Takes the jail name and the jail config
-# script location for a give jail...
-# These scripts can be found in the main
-# directory e.g. jail.bind.hpux
-#
-#####################################################################
-
-##############################################################################
-#
-# HP-UX Bastille directory structure
-#
-##############################################################################
-#
-# /opt/sec_mgmt/bastille/bin/ -- location of Bastille binaries
-# /opt/sec_mgmt/bastille/lib/ -- location of Bastille modules
-# /opt/sec_mgmt/bastille/doc/ -- location of Bastille doc files
-#
-# /etc/opt/sec_mgmt/bastille/ -- location of Bastille config files
-#
-# /var/opt/sec_mgmt/bastille/log -- location of Bastille log files
-# /var/opt/sec_mgmt/bastille/revert -- directory holding all Bastille-
-# created revert scripts
-# /var/opt/sec_mgmt/bastille/revert/backup -- directory holding the original
-# files that Bastille modifies,
-# with permissions intact
-#
-##############################################################################
-
-sub getIPFLocation () { # Temporary until we get defined search space support
- my $ipf=&getGlobal('BIN','ipf_new');
- my $ipfstat=&getGlobal('BIN','ipfstat_new');
- if (not(-e $ipf)) { # Detect if the binaries moved
- $ipf = &getGlobal('BIN','ipf');
- $ipfstat=&getGlobal('BIN','ipfstat');
- }
- return ($ipf, $ipfstat);
-}
-
-##############################################
-# Given a combination of service results, provided
-# in an array, this function combines the result into
-# a reasonable aggregate result
-##############################################
-
-sub B_combine_service_results(@){
- my @results = @_;
-
- #TODO: Consider greater sophistication wrt inconsistent, or not installed.
-
- foreach my $result (@results) {
- if (not(($result == SECURE_CAN_CHANGE) or
- ($result == SECURE_CANT_CHANGE) or
- ($result == NOT_INSTALLED()))) {
- return NOTSECURE_CAN_CHANGE();
- }
- }
- return SECURE_CANT_CHANGE();
-}
-
-####################################################################
-# &getGlobalSwlist ($file);
-# This function returns the product and fileset information for
-# a given file or directory if it exists in the IPD otherwise
-# it returns undefined "undef"
-#
-# uses $GLOBAL_SWLIST{"$FILE"}
-####################################################################
-sub getGlobalSwlist($){
- no strict;
- my $file = $_[0];
-
-
- if(! %GLOBAL_SWLIST) {
- # Generating swlist database for swmodify changes that will be required
- # The database will be a hash of fully qualified file names that reference
- # the files product name and fileset. These values are required to use
- # swmodify...
-
- # Files tagged 'is_volatile' in the IPD are not entered in the swlist database
- # in order to avoid invoking swmodify if the file is changed later. Attempting to
- # swmodify 'volatile' files is both unneccessary and complicated since swverify will
- # not evaluate volatile files anyway, and adding another value to the swlist database
- # would require complex code changes.
-
- # temp variable to keep swlist command /usr/sbin/swlist
- my $swlist = &getGlobal('BIN',"swlist");
-
- # listing of each directory and file that was installed by SD on the target machine
- my @fileList = `$swlist -a is_volatile -l file`;
-
- # listing of each patch and the patches that supersede each.
- # hash which is indexed by patch.fileset on the system
- my %patchSuperseded;
-
- my @patchList = `${swlist} -l fileset -a superseded_by *.*,c=patch 2>&1`;
- # check to see if any patches are present on the system
- if(($? >> 8) == 0) {
-
- # determining patch suppression for swmodify.
- foreach my $patchState (@patchList) {
- # removing empty lines and commented lines.
- if($patchState !~ /^\s*\#/ && $patchState !~ /^\s*$/) {
-
- # removing leading white space
- $patchState =~ s/^\s+//;
- my @patches = split /\s+/, $patchState;
- if($#patches == 0){
- # patch is not superseded
- $patchSuperseded{$patches[0]} = 0;
- }
- else {
- # patch is superseded
- $patchSuperseded{$patches[0]} = 1;
- }
- }
- }
- }
- else {
- &B_log("DEBUG","No patches found on the system.\n");
- }
-
- if($#fileList >= 0){
- # foreach line of swlist output
- foreach my $fileEntry ( @fileList ){
- #filter out commented portions
- if( $fileEntry !~ /^\s*\#/ ){
- chomp $fileEntry;
- # split the output into three fields: product.fileset, filename, flag_isvolatile
- my( $productInfo, $file, $is_volatile ) = $fileEntry =~ /^\s*(\S+): (\S+)\t(\S+)/ ;
- # do not register volatile files
- next if ($is_volatile =~ /true/); # skip to next file entry
- $productInfo =~ s/\s+//;
- $file =~ s/\s+//;
- # if the product is a patch
- if($productInfo =~ /PH(CO|KL|NE|SS)/){
- # if the patch is not superseded by another patch
- if($patchSuperseded{$productInfo} == 0){
- # add the patch to the list of owner for this file
- push @{$GLOBAL_SWLIST{"$file"}}, $productInfo;
- }
- }
- # not a patch.
- else {
- # add the product to the list of owners for this file
- push @{$GLOBAL_SWLIST{"$file"}}, $productInfo;
- }
-
- }
- }
- }
- else{
- # defining GLOBAL_SWLIST in error state.
- $GLOBAL_SWLIST{"ERROR"} = "ERROR";
- &B_log("ERROR","Could not execute swlist. Swmodifys will not be attempted");
- }
- }
-
- if(exists $GLOBAL_SWLIST{"$file"}){
- return $GLOBAL_SWLIST{"$file"};
- }
- else {
- return undef;
- }
-}
-
-###################################################################
-# &B_check_system;
-# This subroutine is called to validate that bastille may be
-# safely run on the current system. It will check to insure
-# that there is enough file system space, mounts are rw, nfs
-# mounts are not mounted noroot, and swinstall, swremove and
-# swmodify are not running
-#
-# uses ErrorLog
-#
-##################################################################
-sub B_check_system {
- # exitFlag is one if a conflict with the successful execution
- # of bastille is found.
- my $exitFlag = 0;
-
- my $ignoreCheck = &getGlobal("BDIR","config") . "/.no_system_check";
- if( -e $ignoreCheck ) {
- return $exitFlag;
- }
-
- # first check for swinstall, swmodify, or swremove processes
- my $ps = &getGlobal('BIN',"ps") . " -el";
- my @processTable = `$ps`;
- foreach my $process (@processTable) {
- if($process =~ /swinstall/ ) {
- &B_log("ERROR","Bastille cannot run while a swinstall is in progress.\n" .
- "Complete the swinstall operation and then run Bastille.\n\n");
- $exitFlag = 1;
- }
-
- if($process =~ /swremove/ ) {
- &B_log("ERROR","Bastille cannot run while a swremove is in progress.\n" .
- "Complete the swremove operation and then run Bastille.\n\n");
- $exitFlag = 1;
- }
-
- if($process =~ /swmodify/ ) {
- &B_log("ERROR","Bastille cannot run while a swmodify is in progress.\n" .
- "Complete the swmodify operation and then run Bastille.\n\n");
- $exitFlag = 1;
- }
-
- }
-
- # check for root read only mounts for /var /etc /stand /
- # Bastille is required to make changes to these file systems.
- my $mount = &getGlobal('BIN',"mount");
- my $rm = &getGlobal('BIN',"rm");
- my $touch = &getGlobal('BIN',"touch");
-
- my @mnttab = `$mount`;
-
- if(($? >> 8) != 0) {
- &B_log("WARNING","Unable to use $mount to determine if needed partitions\n" .
- "are root writable, based on disk mount options.\n" .
- "Bastille will continue but note that disk\n" .
- "mount checks were skipped.\n\n");
- }
- else {
- foreach my $record (@mnttab) {
- my @fields = split /\s+/, $record;
- if ((defined $fields[0]) && (defined $fields[2]) && (defined $fields[3])) {
- my $mountPoint = $fields[0];
- my $mountType = $fields[2];
- my $mountOptions = $fields[3];
-
- # checks for /stand and /var/* removed
- if($mountPoint =~ /^\/$|^\/etc|^\/var$/) {
-
- if($mountOptions =~ /^ro,|,ro,|,ro$/) {
- &B_log("ERROR","$mountPoint is mounted read-only. Bastille needs to make\n" .
- "modifications to this file system. Please remount\n" .
- "$mountPoint read-write and then run Bastille again.\n\n");
- $exitFlag = 1;
- }
- # looking for an nfs mounted file system
- if($mountType =~/.+:\//){
- my $fileExisted=0;
- if(-e "$mountPoint/.bastille") {
- $fileExisted=1;
- }
-
- `$touch $mountPoint/.bastille 1>/dev/null 2>&1`;
-
- if( (! -e "$mountPoint/.bastille") || (($? >> 8) != 0) ) {
- &B_log("ERROR","$mountPoint is an nfs mounted file system that does\n" .
- "not allow root to write to. Bastille needs to make\n" .
- "modifications to this file system. Please remount\n" .
- "$mountPoint giving root access and then run Bastille\n" .
- "again.\n\n");
-
- $exitFlag = 1;
- }
- # if the file did not exist befor the touch then remove the generated file
- if(! $fileExisted) {
- `$rm -f $mountPoint/.bastille 1>/dev/null 2>&1`;
- }
- }
- }
- }
- else {
- &B_log("WARNING","Unable to use $mount to determine if needed partitions\n" .
- "are root writable, based on disk mount options.\n" .
- "Bastille will continue but note that disk\n" .
- "mount checks were skipped.\n\n");
- }
- }
-
- }
-
- # checks for enough disk space in directories that Bastille writes to.
- my $bdf = &getGlobal('BIN',"bdf");
- #directories that Bastille writes to => required space in kilobytes.
- my %bastilleDirs = ( "/etc/opt/sec_mgmt/bastille" => "4", "/var/opt/sec_mgmt/bastille"=> "1000");
- for my $directory (sort keys %bastilleDirs) {
- my @diskUsage = `$bdf $directory`;
-
- if(($? >> 8) != 0) {
- &B_log("WARNING","Unable to use $bdf to determine disk usage for\n" .
- "$directory\n" .
- "Bastille will continue but note that disk\n" .
- "usage checks were skipped.\n\n");
-
- }
- else {
- # removing bdf header line from usage information.
- shift @diskUsage;
- my $usageString= "";
-
- foreach my $usageRecord (@diskUsage) {
- chomp $usageRecord;
- $usageString .= $usageRecord;
- }
-
- $usageString =~ s/^\s+//;
-
- my @fields = split /\s+/, $usageString;
- if($#fields != 5) {
- &B_log("WARNING","Unable to use $bdf to determine disk usage for\n" .
- "$directory\n" .
- "Bastille will continue but note that disk\n" .
- "usage checks were skipped.\n\n");
- }
- else {
-
- my $mountPoint = $fields[5];
- my $diskAvail = $fields[3];
-
- if($diskAvail <= $bastilleDirs{"$directory"}) {
- &B_log("ERROR","$mountPoint does not contain enough available space\n" .
- "for Bastille to run properly. $directory needs\n" .
- "at least $bastilleDirs{$directory} kilobytes of space.\n" .
- "Please clear at least that amount of space from\n" .
- "$mountPoint and run Bastille again.\n" .
- "Current Free Space available = ${diskAvail} k\n\n");
- $exitFlag = 1;
- }
- }
- }
- }
-
- # check to make sure that we are in at least run level 2 before we attempt to run
- my $who = &getGlobal('BIN', "who") . " -r";
- my $levelInfo = `$who`;
- if(($? >> 8) != 0 ) {
- &B_log("WARNING","Unable to use \"$who\" to determine system run.\n" .
- "level Bastille will continue but note that the run\n" .
- "level check was skipped.\n\n");
- }
- else {
- chomp $levelInfo;
- my @runlevel = split /\s+/, $levelInfo;
- if ((! defined $runlevel[3]) or ($runlevel[3] < 2)) {
- &B_log("WARNING","Bastille requires a run-level of 2 or more to run properly.\n" .
- "Please move your system to a higher run level and then\n" .
- "run 'bastille -b'.\n\n");
- if(defined $runlevel[3]) {
- &B_log("ERROR","Current run-level is '$runlevel[3]'.\n\n");
- $exitFlag=1;
- }
- else {
- &B_log("WARNING","Unable to use \"$who\" to determine system run.\n" .
- "level Bastille will continue but note that the run\n" .
- "level check was skipped.\n\n");
- }
- }
- else {
- &B_log("DEBUG","System run-level is $runlevel[3]\n");
- }
- }
-
- if($exitFlag) {
- exit(1);
- }
-
-}
-
-###################################################################
-# &B_swmodify($file);
-# This subroutine is called after a file is modified. It will
-# redefine the file in the IPD with it's new properties. If
-# the file is not in the IPD it does nothing.
-#
-# uses B_System to make the swmodifications.
-##################################################################
-sub B_swmodify($){
- my $file = $_[0];
- if(defined &getGlobalSwlist($file)){
- my $swmodify = &getGlobal('BIN',"swmodify");
- my @productsInfo = @{&getGlobalSwlist($file)};
- # running swmodify on files that were altered by this function but
- # were created and maintained by SD
- foreach my $productInfo (@productsInfo) {
- &B_System("$swmodify -x files='$file' $productInfo",
- "$swmodify -x files='$file' $productInfo");
- }
- }
-}
-
-####################################################################
-# &B_load_ipf_rules($ipfruleset);
-# This function enables an ipfruleset. It's a little more
-# specific than most API functions, but necessary because
-# ipf doesn't return correct exit codes (syntax error results
-# in a 0 exit code)
-#
-# uses ActionLog and ErrorLog to log
-# calls crontab directly (to list and to read in new jobs)
-###################################################################
-sub B_load_ipf_rules ($) {
- my $ipfruleset=$_[0];
-
- &B_log("DEBUG","# sub B_load_ipf_rules");
-
- # TODO: grab ipf.conf dynamically from the rc.config.d files
- my $ipfconf = &getGlobal('FILE','ipf.conf');
-
- # file system changes - these are straightforward, and the API
- # will take care of the revert
- &B_create_file($ipfconf);
- &B_blank_file($ipfconf, 'a$b');
- &B_append_line($ipfconf, 'a$b', $ipfruleset);
-
- # runtime changes
-
- # define binaries
- my $grep = &getGlobal('BIN', 'grep');
- my ($ipf, $ipfstat) = &getIPFLocation;
- # create backup rules
- # This will exit with a non-zero exit code because of the grep
- my @oldrules = `$ipfstat -io 2>&1 | $grep -v empty`;
-
- my @errors=`$ipf -I -Fa -f $ipfconf 2>&1`;
-
- if(($? >> 8) == 0) {
-
- &B_set_rc("IPF_START","1");
- &B_set_rc("IPF_CONF","$ipfconf");
-
- # swap the rules in
- &B_System("$ipf -s","$ipf -s");
-
- # now create a "here" document with the previous version of
- # the rules and put it into the revert-actions script
- &B_revert_log("$ipf -I -Fa -f - <<EOF\n@{oldrules}EOF");
-
- if (@errors) {
- &B_log("ERROR","ipfilter produced the following errors when\n" .
- " loading $ipfconf. You probably had an invalid\n" .
- " rule in ". &getGlobal('FILE','customipfrules') ."\n".
- "@errors\n");
- }
-
- } else {
- &B_log("ERROR","Unable to run $ipf\n");
- }
-
-}
-
-
-
-####################################################################
-# &B_Schedule($pattern,$cronjob);
-# This function schedules a cronjob. If $pattern exists in the
-# crontab file, that job will be replaced. Otherwise, the job
-# will be appended.
-#
-# uses ActionLog and ErrorLog to log
-# calls crontab directly (to list and to read in new jobs)
-###################################################################
-sub B_Schedule ($$) {
- my ($pattern,$cronjob)=@_;
- $cronjob .= "\n";
-
- &B_log("DEBUG","# sub B_Schedule");
- my $crontab = &getGlobal('BIN','crontab');
-
- my @oldjobs = `$crontab -l 2>/dev/null`;
- my @newjobs;
- my $patternfound=0;
-
- foreach my $oldjob (@oldjobs) {
- if (($oldjob =~ m/$pattern/ ) and (not($patternfound))) {
- push @newjobs, $cronjob;
- $patternfound=1;
- &B_log("ACTION","changing existing cron job which matches $pattern with\n" .
- "$cronjob");
- } elsif ($oldjob !~ m/$pattern/ ) {
- &B_log("ACTION","keeping existing cron job $oldjob");
- push @newjobs, $oldjob;
- } #implied: else if pattern matches, but we've
- #already replaced one, then toss the others.
- }
-
- unless ($patternfound) {
- &B_log("ACTION","adding cron job\n$cronjob\n");
- push @newjobs, $cronjob;
- }
-
- if(open(CRONTAB, "|$crontab - 2> /dev/null")) {
- print CRONTAB @newjobs;
-
- # now create a "here" document with the previous version of
- # the crontab file and put it into the revert-actions script
- &B_revert_log("$crontab <<EOF\n" . "@oldjobs" . "EOF");
- close CRONTAB;
- }
-
- # Now check to make sure it happened, since cron will exit happily
- # (retval 0) with no changes if there are any syntax errors
- my @editedjobs = `$crontab -l 2>/dev/null`;
-
- if (@editedjobs ne @newjobs) {
- &B_log("ERROR","failed to add cron job:\n$cronjob\n" .
- " You probably had an invalid crontab file to start with.");
- }
-
-}
-
-
-#This function turns off a service, given a service name defined in HP-UX.service
-
-sub B_ch_rc($) {
-
- my ($service_name)=@_;
-
- if (&GetDistro != "^HP-UX") {
- &B_log("ERROR","Tried to call ch_rc $service_name on a non-HP-UX\n".
- " system! Internal Bastille error.");
- return undef;
- }
- my $configfile="";
- my $command = &getGlobal('BIN', 'ch_rc');
-
- my $startup_script=&getGlobal('DIR','initd') . "/". $service_name;
- my @rc_parameters= @{ &getGlobal('SERVICE',$service_name) };
- my @rcFiles=@{ &getGlobal('RCCONFIG',$service_name) };
- my $rcFile='';
- if (@rcFiles == 1){
- $rcFile=$rcFiles[0];
- } else {
- &B_log("FATAL","Multiple RC Files not yet supported... internal error.");
- }
-
- # if the service-related process is not run, and the control variable is stilll 1
- # there is a inconsistency. in this case we only need to change the control variable
- my @psnames=@{ &getGlobal('PROCESS',$service_name)};
- my @processes;
- foreach my $psname (@psnames) {
- $psname .= '\b'; # avoid embedded match; anchor search pattern to trailing word boundry
- my @procList = &isProcessRunning($psname);
- if(@procList >= 0){
- splice @processes,$#processes+1,0,@procList;
- }
- }
-#Actually set the rc variable
- foreach my $rcVariable (@rc_parameters){
- my $orig_value = &B_get_rc($rcVariable);
- if ($orig_value eq "" ) { #If variable not set, used the defined file
- $configfile=&getGlobal("DIR","rc.config.d") . "/" . $rcFile;
- if (not( -f $configfile )) {
- &B_create_file($configfile);
- }
- }
- &B_log("DEBUG","In B_ch_rc (no procs), setting $rcVariable to 0 in $configfile" .
- ", with an original value of $orig_value with rcfile: $rcFile");
- if ( ! @processes) { # IF there are no processes we don't neet to perform a "stop"
- &B_set_rc($rcVariable, "0", $configfile);
- } else {
- if ( $orig_value !~ "1" ) { #If param is not already 1, the "stop" script won't work
- &B_set_rc($rcVariable, "1",$configfile);
- }
- &B_System ($startup_script . " stop", #stop service, then restart if the user runs bastille -r
- $startup_script . " start");
- # set parameter, so that service will stay off after reboots
- &B_set_rc($rcVariable, "0", $configfile);
- }
- }
-}
-
-
-# This routine sets a value in a given file
-sub B_set_value($$$) {
- my ($param, $value, $file)=@_;
-
- &B_log("DEBUG","B_set_value: $param, $value, $file");
- if (! -e $file ) {
- &B_create_file("$file");
- }
-
- # If a value is already set to something other than $value then reset it.
- #Note that though this tests for "$value ="the whole line gets replaced, so
- #any pre-existing values are also replaced.
- &B_replace_line($file,"^$param\\s*=\\s*","$param=$value\n");
- # If the value is not already set to something then set it.
- &B_append_line($file,"^$param\\s*=\\s*$value","$param=$value\n");
-
-}
-
-
-##################################################################################
-# &B_chperm($owner,$group,$mode,$filename(s))
-# This function changes ownership and mode of a list of files. Takes four
-# arguments first the owner next the group and third the new mode in oct and
-# last a list of files that the permissions changes should take affect on.
-#
-# uses: &swmodify and &B_revert_log
-##################################################################################
-sub B_chperm($$$$) {
- my ($newown, $newgrp, $newmode, $file_expr) = @_;
- my @files = glob($file_expr);
-
- my $return = 1;
-
- foreach my $file (@files){
- my @filestat = stat $file;
- my $oldmode = (($filestat[2]/512) % 8) .
- (($filestat[2]/64) % 8) .
- (($filestat[2]/8) % 8) .
- (($filestat[2]) % 8);
-
- if((chown $newown, $newgrp, $file) != 1 ){
- &B_log("ERROR","Could not change ownership of $file to $newown:$newgrp\n");
- $return = 0;
- }
- else{
- &B_log("ACTION","Changed ownership of $file to $newown:$newgrp\n");
- # swmodifying file if possible...
- &B_swmodify($file);
- &B_revert_log(&getGlobal('BIN',"chown") . " $filestat[4]:$filestat[5] $file\n");
- }
-
- my $newmode_formatted=sprintf "%5lo",$newmode;
-
- if((chmod $newmode, $file) != 1){
- &B_log("ERROR","Could not change mode of $file to $newmode_formatted\n");
- $return = 0;
- }
- else{
- &B_log("ACTION","Changed mode of $file to $newmode_formatted\n");
- &B_revert_log(&getGlobal('BIN',"chmod") . " $oldmode $file\n");
- }
-
-
- }
- return $return;
-}
-
-############################################################################
-# &B_install_jail($jailname, $jailconfigfile);
-# This function takes two arguments ( jail_name, jail_config )
-# It's purpose is to take read in config files that define a
-# chroot jail and then generate it bases on that specification
-############################################################################
-sub B_install_jail($$) {
-
- my $jailName = $_[0]; # Name of the jail e.g bind
- my $jailConfig = $_[1]; # Name of the jails configuration file
- # create the root directory of the jail if it does not exist
- &B_create_dir( &getGlobal('BDIR','jail'));
- &B_chperm(0,0,0555,&getGlobal('BDIR','jail'));
-
- # create the Jail dir if it does not exist
- &B_create_dir( &getGlobal('BDIR','jail') . "/" . $jailName);
- &B_chperm(0,0,0555,&getGlobal('BDIR','jail') . "/". $jailName);
-
-
- my $jailPath = &getGlobal('BDIR','jail') . "/" . $jailName;
- my @lines; # used to store no commented no empty config file lines
- # open configuration file for desired jail and parse in commands
- if(open(JAILCONFIG,"< $jailConfig")) {
- while(my $line=<JAILCONFIG>){
- if($line !~ /^\s*\#|^\s*$/){
- chomp $line;
- push(@lines,$line);
- }
- }
- close JAILCONFIG;
- }
- else{
- &B_log("ERROR","Open Failed on filename: $jailConfig\n");
- return 0;
- }
- # read through commands and execute
- foreach my $line (@lines){
- &B_log("ACTION","Install jail: $line\n");
- my @confCmd = split /\s+/,$line;
- if($confCmd[0] =~ /dir/){ # if the command say to add a directory
- if($#confCmd == 4) { # checking dir Cmd form
- if(! (-d $jailPath . "/" . $confCmd[1])){
- #add a directory and change its permissions according
- #to the conf file
- &B_create_dir( $jailPath . "/" . $confCmd[1]);
- &B_chperm((getpwnam($confCmd[3]))[2],
- (getgrnam($confCmd[4]))[2],
- oct($confCmd[2]),
- $jailPath . "/" . $confCmd[1]);
- }
- }
- else {
- &B_log("ERROR","Badly Formed Configuration Line:\n$line\n\n");
- }
- }
- elsif($confCmd[0] =~ /file/) {
- if($#confCmd == 5) { # checking file cmd form
- if(&B_cp($confCmd[1],$jailPath . "/" . $confCmd[2])){
- # for copy command cp file and change perms
- &B_chperm($confCmd[4],$confCmd[5],oct($confCmd[3]),$jailPath . "/" . $confCmd[2]);
- }
- else {
- &B_log("ERROR","Could not complete copy on specified files:\n" .
- "$line\n");
- }
- }
- else {
- &B_log("ERROR","Badly Formed Configuration Line:\n" .
- "$line\n\n");
- }
- }
- elsif($confCmd[0] =~ /slink/) {
- if($#confCmd == 2) { # checking file cmd form
- if(!(-e $jailPath . "/" . $confCmd[2])){
- #for symlink command create the symlink
- &B_symlink($jailPath . "/" . $confCmd[1], $confCmd[2]);
- }
- }
- else {
- &B_log("ERROR","Badly Formed Configuration Line:\n" .
- "$line\n\n");
- }
- }
- else {
- &B_log("ERROR","Unrecognized Configuration Line:\n" .
- "$line\n\n");
- }
- }
- return 1;
-}
-
-
-
-###########################################################################
-# &B_list_processes($service) #
-# #
-# This subroutine uses the GLOBAL_PROCESS hash to determine if a #
-# service's corresponding processes are running on the system. #
-# If any of the processes are found to be running then the process #
-# name(s) is/are returned by this subroutine in the form of an list #
-# If none of the processes that correspond to the service are running #
-# then an empty list is returned. #
-###########################################################################
-sub B_list_processes($) {
-
- # service name
- my $service = $_[0];
- # list of processes related to the service
- my @processes=@{ &getGlobal('PROCESS',$service)};
-
- # current systems process information
- my $ps = &getGlobal('BIN',"ps");
- my $psTable = `$ps -elf`;
-
- # the list to be returned from the function
- my @running_processes;
-
- # for every process associated with the service
- foreach my $process (@processes) {
- # if the process is in the process table then
- if($psTable =~ m/$process/) {
- # add the process to the list, which will be returned
- push @running_processes, $process;
- }
-
- }
-
- # return the list of running processes
- return @running_processes;
-
-}
-
-#############################################################################
-# &B_list_full_processes($service) #
-# #
-# This subroutine simply grep through the process table for those matching #
-# the input argument TODO: Allow B_list process to levereage this code #
-# ... Not done this cycle to avoid release risk (late in cycle) #
-#############################################################################
-sub B_list_full_processes($) {
-
- # service name
- my $procName = $_[0];
- my $ps = &getGlobal('BIN',"ps");
- my @psTable = split(/\n/,`$ps -elf`);
-
- # for every process associated with the service
- my @runningProcessLines = grep(/$procName/ , @psTable);
- # return the list of running processes
- return @runningProcessLines;
-}
-
-################################################################################
-# &B_deactivate_inetd_service($service); #
-# #
-# This subroutine will disable all inetd services associated with the input #
-# service name. Service name must be a reference to the following hashes #
-# GLOBAL_SERVICE GLOBAL_SERVTYPE and GLOBAL_PROCESSES. If processes are left #
-# running it will note these services in the TODO list as well as instruct the#
-# user in how they remaining processes can be disabled. #
-################################################################################
-sub B_deactivate_inetd_service($) {
- my $service = $_[0];
- my $servtype = &getGlobal('SERVTYPE',"$service");
- my $inetd_conf = &getGlobal('FILE',"inetd.conf");
-
- # check the service type to ensure that it can be configured by this subroutine.
- if($servtype ne 'inet') {
- &B_log("ACTION","The service \"$service\" is not an inet service so it cannot be\n" .
- "configured by this subroutine\n");
- return 0;
- }
-
- # check for the inetd configuration files existence so it may be configured by
- # this subroutine.
- if(! -e $inetd_conf ) {
- &B_log("ACTION","The file \"$inetd_conf\" cannot be located.\n" .
- "Unable to configure inetd\n");
- return 0;
- }
-
- # list of service identifiers present in inetd.conf file.
- my @inetd_entries = @{ &getGlobal('SERVICE',"$service") };
-
- foreach my $inetd_entry (@inetd_entries) {
- &B_hash_comment_line($inetd_conf, "^\\s*$inetd_entry");
- }
-
- # list of processes associated with this service which are still running
- # on the system
- my @running_processes = &B_list_processes($service);
-
- if($#running_processes >= 0) {
- my $todoString = "\n" .
- "---------------------------------------\n" .
- "Deactivating Inetd Service: $service\n" .
- "---------------------------------------\n" .
- "The following process(es) are associated with the inetd service \"$service\".\n" .
- "They are most likely associated with a session which was initiated prior to\n" .
- "running Bastille. To disable a process see \"kill(1)\" man pages or reboot\n" .
- "the system\n" .
- "Active Processes:\n" .
- "###################################\n";
- foreach my $running_process (@running_processes) {
- $todoString .= "\t$running_process\n";
- }
- $todoString .= "###################################\n";
-
- &B_TODO($todoString);
- }
-
-}
-
-
-################################################################################
-# B_get_rc($key); #
-# #
-# This subroutine will use the ch_rc binary to get rc.config.d variables #
-# values properly escaped and quoted. #
-################################################################################
-sub B_get_rc($) {
-
- my $key=$_[0];
- my $ch_rc = &getGlobal('BIN',"ch_rc");
-
- # get the current value of the given parameter.
- my $currentValue=`$ch_rc -l -p $key`;
- chomp $currentValue;
-
- if(($? >> 8) == 0 ) {
- # escape all meta characters.
- # $currentValue =~ s/([\"\`\$\\])/\\$1/g;
- # $currentValue = '"' . $currentValue . '"';
- }
- else {
- return undef;
- }
-
- return $currentValue;
-}
-
-
-
-################################################################################
-# B_set_rc($key,$value); #
-# #
-# This subroutine will use the ch_rc binary to set rc.config.d variables. As #
-# well as setting the variable this subroutine will set revert strings. #
-# #
-################################################################################
-sub B_set_rc($$;$) {
-
- my ($key,$value,$configfile)=@_;
- my $ch_rc = &getGlobal('BIN',"ch_rc");
-
- # get the current value of the given parameter.
- my $currentValue=&B_get_rc($key);
- if(defined $currentValue ) {
- if ($currentValue =~ /^\"(.*)\"$/ ) {
- $currentValue = '"\"' . $1 . '\""';
- }
- if ($value =~ /^\"(.*)\"$/ ) {
- $value = '"\"' . $1 . '\""';
- }
- if ( &B_System("$ch_rc -a -p $key=$value $configfile",
- "$ch_rc -a -p $key=$currentValue $configfile") ) {
- #ch_rc success
- return 1;
- }
- else {
- #ch_rc failure.
- return 0;
- }
- }
- else {
- &B_log("ERROR","ch_rc was unable to lookup $key\n");
- return 0;
- }
-
-}
-
-
-################################################################################
-# &ChrootHPApache($chrootScript,$httpd_conf,$httpd_bin,
-# $apachectl,$apacheJailDir,$serverString);
-#
-# This subroutine given an chroot script, supplied by the vendor, a
-# httpd.conf file, the binary location of httpd, the control script,
-# the jail directory, and the servers identification string, descriptive
-# string for TODO etc. It makes modifications to httpd.conf so that when
-# Apache starts it will chroot itself into the jail that the above
-# mentions script creates.
-#
-# uses B_replace_line B_create_dir B_System B_TODO
-#
-###############################################################################
-sub B_chrootHPapache($$$$$$) {
-
- my ($chrootScript,$httpd_conf,$httpd_bin,$apachectl,$apacheJailDir,$serverString)= @_;
-
- my $exportpath = "export PATH=/usr/bin;";
- my $ps = &getGlobal('BIN',"ps");
- my $isRunning = 0;
- my $todo_header = 0;
-
- # checking for a 2.0 version of the apache chroot script.
- if(-e $chrootScript ) {
-
- if(open HTTPD, $httpd_conf) {
- while (my $line = <HTTPD>){
- if($line =~ /^\s*Chroot/) {
- &B_log("DEBUG","Apache is already running in a chroot as specified by the following line:\n$line\n" .
- "which appears in the httpd.conf file. No Apache Chroot action was taken.\n");
- return;
- }
- }
- close(HTTPD);
- }
-
- if(`$ps -ef` =~ $httpd_bin ) {
- $isRunning=1;
- &B_System("$exportpath " . $apachectl . " stop","$exportpath " . $apachectl . " start");
- }
- &B_replace_line($httpd_conf, '^\s*#\s*Chroot' ,
- "Chroot " . $apacheJailDir);
- if(-d &getGlobal('BDIR',"jail")){
- &B_log("DEBUG","Jail directory already exists. No action taken.\n");
- }
- else{
- &B_log("ACTION","Jail directory was created.\n");
- &B_create_dir( &getGlobal('BDIR','jail'));
- }
-
- if(-d $apacheJailDir){
- &B_log("DEBUG","$serverString jail already exists. No action taken.\n");
- }
- else{
- &B_System(&getGlobal('BIN',"umask") . " 022; $exportpath " . $chrootScript,
- &getGlobal('BIN',"echo") . " \"Your $serverString is now running outside of it's\\n" .
- "chroot jail. You must manually migrate your web applications\\n" .
- "back to your Apache server's httpd.conf defined location(s).\\n".
- "After you have completed this, feel free to remove the jail directories\\n" .
- "from your machine. Your apache jail directory is located in\\n" .
- &getGlobal('BDIR',"jail") . "\\n\" >> " . &getGlobal('BFILE',"TOREVERT"));
-
- }
- if($isRunning){
- &B_System("$exportpath " . $apachectl . " start","$exportpath " . $apachectl . " stop");
- &B_log("ACTION","$serverString is now running in an chroot jail.\n");
- }
-
- &B_log("ACTION","The jail is located in " . $apacheJailDir . "\n");
-
- if ($todo_header !=1){
- &B_TODO("\n---------------------------------\nApache Chroot:\n" .
- "---------------------------------\n");
- }
- &B_TODO("$serverString Chroot Jail:\n" .
- "httpd.conf contains the Apache dependencies. You should\n" .
- "review this file to ensure that the dependencies made it\n" .
- "into the jail. Otherwise, you run a risk of your Apache server\n" .
- "not having access to all its modules and functionality.\n");
-
-
- }
-
-}
-
-
-sub isSystemTrusted {
- my $getprdef = &getGlobal('BIN',"getprdef");
- my $definition = &B_Backtick("$getprdef -t 2>&1");
- if($definition =~ "System is not trusted.") {
- return 0;
- } else {
- return 1;
- }
-}
-
-
-sub isTrustedMigrationAvailable {
- my $distroVersion='';
-
- if (&GetDistro =~ '^HP-UX11.(\d*)') {
- $distroVersion=$1;
- if ($distroVersion < 23) { # Not available before 11.23
- return 0; #FALSE
- } elsif ($distroVersion >= 31) { #Bundled with 11.31 and after
- &B_log('DEBUG','isTrustedMigrationAvailable: HP-UX 11.31 always has trusted mode extensions');
- return 1;
- } elsif ($distroVersion == 23) { # Optional on 11.23 if filesets installed
- if ( -x &getGlobal('BIN',"userdbget") ) {
- &B_log('DEBUG','isTrustedMigrationAvailable: Trusted Extensions Installed');
- return 1;
- } else {
- &B_log('DEBUG','isTrustedMigrationAvailable: Trusted Extensions Not Installed');
- return 0; #FALSE
- }
- } else {
- &B_log('DEBUG','isTrustedMigrationAvailable: ' . &GetDistro .
- ' not currently supported for trusted extentions.');
- return 0; #FALSE
- }
- } else {
- &B_log('WARNING','isTrustedMigrationAvailable: HP-UX routine called on Linux system');
- return 0; #FALSE
- }
-}
-
-
-
-###########################################################################
-# &checkServiceOnHPUX($service);
-#
-# Checks if the given service is running on an HP/UX system. This is
-# called by B_is_Service_Off(), which is the function that Bastille
-# modules should call.
-#
-# Return values:
-# NOTSECURE_CAN_CHANGE() if the service is on
-# SECURE_CANT_CHANGE() if the service is off
-# INCONSISTENT() if the state of the service cannot be determined
-# NOT_INSTALLED() if the s/w isn't insalled
-#
-###########################################################################
-sub checkServiceOnHPUX($) {
- my $service=$_[0];
-
- # get the list of parameters which could be used to initiate the service
- # (could be in /etc/rc.config.d, /etc/inetd.conf, or /etc/inittab, so we
- # check all of them)
- my @params= @{ &getGlobal('SERVICE',$service) };
- my $grep =&getGlobal('BIN', 'grep');
- my $inetd=&getGlobal('FILE', 'inetd.conf');
- my $inittab=&getGlobal('FILE', 'inittab');
- my $retVals;
- my $startup=&getGlobal('DIR','initd') ;
- my @inet_bins= @{ &getGlobal('PROCESS',$service) };
-
- my $entry_found = 0;
-
- &B_log("DEBUG","CheckHPUXservice: $service");
- my $full_initd_path = $startup . "/" . $service;
- if ($GLOBAL_SERVTYPE{$service} eq "rc") { # look for the init script in /sbin/init.d
- if (not(-e $full_initd_path )) {
- return NOT_INSTALLED();
- }
- } else { #inet-based service, so look for inetd.conf entries.
- &B_log("DEBUG","Checking inet service $service");
- my @inet_entries= @{ &getGlobal('SERVICE',$service) };
- foreach my $service (@inet_entries) {
- &B_log('DEBUG',"Checking for inetd.conf entry of $service in checkService on HPUX");
- my $service_regex = '^[#\s]*' . $service . '\s+';
- if ( &B_match_line($inetd, $service_regex) ) { # inet entry search
- &B_log('DEBUG',"$service present, entry exists");
- $entry_found = 1 ;
- }
- }
- if ($entry_found == 0 ) {
- return NOT_INSTALLED();
- }
- }
-
- foreach my $param (@params) {
- &B_log("DEBUG","Checking to see if service $service is off.\n");
- if (&getGlobal('SERVTYPE', $service) =~ /rc/) {
- my $ch_rc=&getGlobal('BIN', 'ch_rc');
- my $on=&B_Backtick("$ch_rc -l -p $param");
-
- $on =~ s/\s*\#.*$//; # remove end-of-line comments
- $on =~ s/^\s*\"(.+)\"\s*$/$1/; # remove surrounding double quotes
- $on =~ s/^\s*\'(.+)\'\s*$/$1/; # remove surrounding single quotes
- $on =~ s/^\s*\"(.+)\"\s*$/$1/; # just in case someone did '"blah blah"'
-
- chomp $on;
- &B_log("DEBUG","ch_rc returned: $param=$on in checkServiceOnHPUX");
-
- if ($on =~ /^\d+$/ && $on != 0) {
- # service is on
- &B_log("DEBUG","CheckService found $param service is set to \'on\' in scripts.");
- return NOTSECURE_CAN_CHANGE();
- }
- elsif($on =~ /^\s*$/) {
- # if the value returned is an empty string return
- # INCONSISTENT(), since we don't know what the hard-coded default is.
- return INCONSISTENT();
- }
- } else {
- # those files which rely on comments to determine what gets
- # turned on, such as inetd.conf and inittab
- my $inettabs=&B_Backtick("$grep -e '^[[:space:]]*$param' $inetd $inittab");
- if ($inettabs =~ /.+/) { # . matches anything except newlines
- # service is not off
- &B_log("DEBUG","Checking inetd.conf and inittab; found $inettabs");
- ########################### BREAK out, don't skip question
- return NOTSECURE_CAN_CHANGE();
- }
- }
- } # foreach $param
-
- # boot-time parameters are not set; check processes
- # checkprocs for services returns INCONSISTENT() if a service is found
- # since a found-service is inconsistent with the above checks.
- B_log("DEBUG","Boot-Parameters not set, checking processes.");
- if (&runlevel < 2) { # Below runlevel 2, it is unlikely that
- #services will be running, so just check "on-disk" state
- &B_log("NOTE","Running during boot sequence, so skipping process checks");
- return SECURE_CANT_CHANGE();
- } else {
- return &checkProcsForService($service);
- }
-}
-
-sub runlevel {
- my $who = &getGlobal("BIN", "who");
- my $runlevel = &B_Backtick("$who -r");
- if ($runlevel =~ s/.* run-level (\S).*/$1/) {
- &B_log("DEBUG","Runlevel is: $runlevel");
- return $runlevel;
- } else {
- &B_log("WARNING","Can not determine runlevel, assuming runlevel 3");
- &B_log("DEBUG","Runlevel command output: $runlevel");
- return "3"; #safer since the who command didn't work, we'll assume
- # runlevel 3 since that provides more checks.
- }
-}
-
-#
-# given a profile file, it will return a PATH array set by the file.
-#
-sub B_get_path($) {
- my $file = $_[0];
- my $sh = &getGlobal("BIN", "sh");
- # use (``)[0] is becuase, signal 0 maybe trapped which will produce some stdout
- my $path = (`$sh -c '. $file 1>/dev/null 2>&1 < /dev/null ; echo \$PATH'`)[0];
- my @path_arr = split(":", $path);
- my %tmp_path;
- my %path;
- for my $tmpdir (@path_arr) {
- chomp $tmpdir;
- if ($tmpdir ne "" && ! $tmp_path{$tmpdir}) {
- $tmp_path{$tmpdir}++;
- }
- }
- return keys %tmp_path;
-}
-
-# Convert to trusted mode if it's not already
-sub convertToTrusted {
- &B_log("DEBUG","# sub convertToTrusted \n");
- if( ! &isSystemTrusted) {
-
- my ($ok, $message) = &isOKtoConvert;
-
- my $ts_header="\n---------------------------------\nTrusted Systems:\n" .
- "---------------------------------\n";
-
- if ($ok) {
- # actually do the conversion
- if(&B_System(&getGlobal('BIN','tsconvert'), &getGlobal('BIN','tsconvert') . " -r")){
- # adjust change times for user passwords to keep them valid
- # default is to expire them when converting to a trusted system,
- # which can be problematic, especially since some older versions of
- # SecureShell do not allow the user to change the password
- &B_System(&getGlobal('BIN','modprpw') . " -V", "");
-
- my $getprdef = &getGlobal('BIN','getprdef');
- my $oldsettings = &B_Backtick("$getprdef -m lftm,exptm,mintm,expwarn,umaxlntr");
- $oldsettings =~ s/ //g;
-
- # remove password lifetime and increasing login tries so they
- # don't lock themselves out of the system entirely.
- # set default expiration time and the like.
- my $newsettings="lftm=0,exptm=0,mintm=0,expwarn=0,umaxlntr=10";
-
- &B_System(&getGlobal('BIN','modprdef') . " -m $newsettings",
- &getGlobal('BIN','modprdef') . " -m $oldsettings");
-
- &B_TODO($ts_header .
- "Your system has been converted to a trusted system.\n" .
- "You should review the security settings available on a trusted system.\n".
- "$message");
-
- # to get rid of "Cron: Your job did not contain a valid audit ID."
- # error, we re-read the crontab file after converting to trusted mode
- # Nothing is necessary in "revert" since we won't be in trusted mode
- # at that time.
- # crontab's errors can be spurious, and this will report an 'error'
- # of the crontab file is missing, so we send stderr to the bit bucket
- my $crontab = &getGlobal('BIN',"crontab");
- &B_System("$crontab -l 2>/dev/null | $crontab","");
- }
-
- } else {
- &B_TODO($ts_header . $message);
- return 0; # not ok to convert, so we didn't
- }
- }
- else {
- &B_log("DEBUG","System is already in trusted mode, no action taken.\n");
- return 1;
- }
-
- # just to make sure
- if( &isSystemTrusted ) {
- return 1;
- } else {
- &B_log("ERROR","Trusted system conversion was unsuccessful for an unknown reason.\n" .
- " You may try using SAM/SMH to do the conversion instead of Bastille.\n");
- return 0;
- }
-}
-
-# isOKtoConvert - check for conflicts between current system state and trusted
-# mode
-#
-# Return values
-# 0 - conflict found, see message for details
-# 1 - no conflicts, see message for further instructions
-#
-sub isOKtoConvert {
- &B_log("DEBUG","# sub isOKtoConvert \n");
- # initialize text for TODO instructions
- my $specialinstructions=" - convert to trusted mode\n";
-
- # These are somewhat out-of-place, but only affect the text of the message.
- # Each of these messages is repeated in a separate TODO item in the
- # appropriate subroutine.
- if (&getGlobalConfig("AccountSecurity","single_user_password") eq "Y") {
- if (&GetDistro =~ "^HP-UX11.(.*)" and $1<23 ) {
- $specialinstructions .= " - set a single user password\n";
- }
- }
-
- if (&getGlobalConfig("AccountSecurity","passwordpolicies") eq "Y") {
- $specialinstructions .= " - set trusted mode password policies\n";
- }
-
- if (&getGlobalConfig("AccountSecurity", "PASSWORD_HISTORY_DEPTHyn") eq "Y") {
- $specialinstructions .= " - set a password history depth\n";
- }
-
- if (&getGlobalConfig("AccountSecurity","system_auditing") eq "Y") {
- $specialinstructions .= " - enable auditing\n";
- }
-
- my $saminstructions=
- "The security settings can be modified by running SAM as follows:\n" .
- "# sam\n" .
- "Next, go to the \"Auditing and Security Area\" and review\n" .
- "each sub-section. Make sure that you review all of your\n" .
- "settings, as some policies may seem restrictive.\n\n" .
- "On systems using the System Management Homepage, you can\n".
- "change your settings via the Tools:Security Attributes Configuration\n".
- "section. On some systems, you may also have the option of using SMH.\n\n";
-
- # First, check for possible conflicts and corner cases
-
- # check nsswitch for possible conflicts
- my $nsswitch = &getGlobal('FILE', 'nsswitch.conf');
- if ( -e $nsswitch) {
- open(FILE, $nsswitch);
- while (<FILE>) {
- if (/nis/ or /compat/ or /ldap/) {
- my $message = "Bastille found a possible conflict between trusted mode and\n" .
- "$nsswitch. Please remove all references to\n" .
- "\"compat\", \"nis\" and \"ldap\" in $nsswitch\n" .
- "and rerun Bastille, or use SAM/SMH to\n" .
- "$specialinstructions\n".
- "$saminstructions";
- close(FILE);
- return (0,$message);
- }
- }
- close(FILE);
- }
-
- # check the namesvrs config file for possible NIS conflicts
- #Changed to unless "Y AND Y" since question can be skipped when nis is off
- # but corner cases can still exist, so check then too.
- unless ( &getGlobalConfig('MiscellaneousDaemons','nis_client') eq "Y" and
- &getGlobalConfig('MiscellaneousDaemons','nis_server') eq "Y" ) {
- my $namesvrs = &getGlobal('FILE', 'namesvrs');
- if (open(FILE, $namesvrs)) {
- while (<FILE>) {
- if (/^NIS.*=["]?1["]?$/) {
- my $message= "Possible conflict between trusted mode and NIS found.\n".
- "Please use SAM/SMH to\n" .
- " - turn off NIS\n" .
- "$specialinstructions\n".
- "$saminstructions";
- close(FILE);
- return (0,$message);
- }
- }
- close(FILE);
- } else {
- &B_log("ERROR","Unable to open $namesvrs for reading.");
- my $message= "Possible conflict between trusted mode and NIS found.\n".
- "Please use SAM/SMH to\n" .
- " - turn off NIS\n" .
- "$specialinstructions\n".
- "$saminstructions";
- return (0,$message);
- }
- if ( &B_match_line (&getGlobal("FILE","passwd"),"^\+:.*")) {
- my $message= '"+" entry found in passwd file. These are not\n' .
- "compatible with Trusted Mode. Either remove the entries\n" .
- "and re-run Bastille, or re-run Bastille, and direct it to\n" .
- "disable NIS client and server.\n";
- return (0,$message);
- }
-
- }
-
-
- # check for conflicts with DCE integrated login
- my $authcmd = &getGlobal('BIN','auth.adm');
- if ( -e $authcmd ) {
- my $retval = system("PATH=/usr/bin $authcmd -q 1>/dev/null 2>&1");
- if ($retval != 0 and $retval != 1) {
- my $message="It appears that DCE integrated login is configured on this system.\n" .
- "DCE integrated login is incompatible with trusted systems and\n" .
- "auditing. Bastille is unable to\n" .
- "$specialinstructions" .
- "You will need to configure auditing and password policies using DCE.\n\n";
- return (0,$message);
- }
- }
-
- if ( -e &getGlobal('FILE','shadow') ) {
- my $message="This system has already been converted to shadow passwords.\n" .
- "Shadow passwords are incompatible with trusted mode.\n" .
- "Bastille is unable to\n" .
- "$specialinstructions" .
- "If you desire these features, you should use\n".
- "\'pwunconv\' to change back to standard passwords,\n".
- "and then rerun Bastille.\n\n";
- return (0,$message);
- }
-
- return (1,$saminstructions);
-}
-
-# This routine allows Bastille to determine trusted-mode extension availability
-
-sub convertToShadow {
-
- if (&isSystemTrusted) {
- # This is an internal error...Bastille should not call this routine
- # in this case. Error is here for robustness against future changes.
- &B_log("ERROR","This system is already converted to trusted mode.\n" .
- " Converting to shadow passwords will not be attempted.\n");
- return 0;
- }
-
- # configuration files on which shadowed passwords depend
- my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf");
-
- # binaries used to convert to a shadowed password
- my $pwconv = &getGlobal('BIN',"pwconv");
- my $echo = &getGlobal('BIN','echo'); # the echo is used to pipe a yes into the pwconv program as
- # pwconv requires user interaction.
-
- # the binary used in a system revert.
- my $pwunconv = &getGlobal('BIN',"pwunconv");
- #check the password file for nis usage and if the nis client
- #or server is running.
- if(-e $nsswitch_conf) {
- # check the file for nis, nis+, compat, or dce usage.
- if(&B_match_line($nsswitch_conf, '^\s*passwd:.+(nis|nisplus|dce|compat)')) {
- my $shadowTODO = "\n---------------------------------\nHide encrypted passwords:\n" .
- "---------------------------------\n" .
- "This version of password shadowing does not support any repository other\n" .
- "than files. In order to convert your password database to shadowed passwords\n" .
- "there can be no mention of nis, nisplus, compat, or dce in the passwd\n" .
- "field of the \"$nsswitch_conf\" file. Please make the necessary edits to\n" .
- "the $nsswitch_conf file and run Bastille again using the command:\n" .
- "\"bastille -b\"\n";
- # Adding the shadowTODO comment to the TODO list.
- &B_TODO("$shadowTODO");
- # Notifing the user that the shadowed password coversion has failed.
- &B_log("ERROR","Password Shadowing Conversion Failed\n" .
- "$shadowTODO");
- # exiting the subroutine.
- return 0;
- }
-
- }
-
- # convert the password file to a shadowed repository.
- if (( -e $pwconv ) and ( -e $pwunconv ) and
- ( &B_System("$echo \"yes\" | $pwconv","$pwunconv") ) ){
- &B_TODO( "\n---------------------------------\nShadowing Password File:\n" .
- "---------------------------------\n" .
- "Your password file has been converted to use password shadowing.\n" .
- "This version of password shadowing does not support any repository other\n" .
- "than files. There can be no mention of nis, nisplus, compat, or dce\n" .
- "in the passwd field of the \"$nsswitch_conf\" file.\n\n" );
- } else {
- &B_log("ERROR","Conversion to shadow mode failed. The system may require ".
- "a patch to be capable of switching to shadow mode, or the ".
- "system my be in a state where conversion is not possible.");
- }
-}
-
-
-
-##########################################################################
-# &getSupportedSettings();
-# Manipulates %trustedParameter and %isSupportedSetting, file-scoped variables
-#
-# Reads the password policy support matrix, which in-turn gives Bastille the
-# places it should look for a given password policy setting.
-
-# Note the file was created like this so if could be maintained in an Excel(tm)
-# spreadsheet, to optimize reviewability. TODO: consider other formats
-
-# File Format:
-# HEADERS:<comment>,[<OS Version> <Mode> <Extensions>,]...
-# [
-# :<label>:<trusted equivalent>,,,,,,,,,,,,<comment>
-# <action> (comment), [<test value>,]...
-# ] ...
-# Example;
-# HEADERS:Information Source (trusted equiv),11.11 Standard no-SMSE,11.11 Trusted no-SMSE,11.11 Shadow no-SMSE,11.23 Standard no-SMSE,11.23 Trusted no-SMSE,11.23 Shadow no-SMSE,11.23 Standard SMSE,11.23 Shadow SMSE,11.23 Trusted SMSE,11.31 Trusted SMSE,11.31 Shadow SMSE,11.31 Standard SMSE,Other Exceptions
-#:ABORT_LOGIN_ON_MISSING_HOMEDIR,,,,,,,,,,,,,root
-#/etc/security.dsc (search),x,,xx,x,x,x,!,!,!,!,!,!,
-#/etc/default/security(search),y,y,y,y,y,y,y,y,y,y,y,y,
-#getprdef (execute with <Trusted Equiv> argument),x,x,x,x,x,x,x,x,x,x,x,x,
-
-###########################################################################
-our %trustedParameter = ();
-our %isSupportedSetting = ();
-
-sub getSupportedSettings() {
-
- my $line; # For a config file line
- my $linecount = 0;
- my $currentsetting = "";
- my @fields; # Fields in a given line
- my @columns; #Column Definitions
-
-
- &B_open(*SETTINGSFILE,&getGlobal('BFILE','AccountSecSupport'));
- my @settingLines=<SETTINGSFILE>;
- &B_close(*SETTINGSFILE);
-
- #Remove blank-lines and comments
- @settingLines = grep(!/^#/,@settingLines);
- @settingLines = grep(!/^(\s*,+)*$/,@settingLines);
-
- foreach $line (@settingLines) {
- ++$linecount;
- @fields = split(/,/,$line);
- if ($line =~ /^Information Source:/) { #Sets up colums
- my $fieldcount = 1; #Skipping first field
- while ((defined($fields[$fieldcount])) and
- ($fields[$fieldcount] =~ /\d+\.\d+/)){
- my @subfields = split(/ /,$fields[$fieldcount]);
- my $fieldsCount = @subfields;
- if ($fieldsCount != 3){
- &B_log("ERROR","Invalid subfield count: $fieldsCount in:".
- &getGlobal('BFILE','AccountSecSupport') .
- " line: $linecount and field: $fieldcount");
- }
- $columns[$fieldcount] = {OSVersion => $subfields[0],
- Mode => $subfields[1],
- Extension => $subfields[2] };
- &B_log("DEBUG","Found Header Column, $columns[$fieldcount]{'OSVersion'}, ".
- $columns[$fieldcount]{'Mode'} ." , " .
- $columns[$fieldcount]{'Extension'});
- ++$fieldcount;
- } # New Account Seting ex:
- } elsif ($line =~ /^:([^,:]+)(?::([^,]+))?/) { # :PASSWORD_WARNDAYS:expwarn,,,,,,,,,,,,
- $currentsetting = $1;
- if (defined($2)) {
- $trustedParameter{"$currentsetting"}=$2;
- }
- &B_log("DEBUG","Found Current Setting: ". $currentsetting .
- "/" . $trustedParameter{"$currentsetting"});
- } elsif (($line =~ /(^[^, :\)\(]+)[^,]*,((?:(?:[!y?nx]|!!),)+)/) and #normal line w/ in setting ex:
- ($currentsetting ne "")){ # security.dsc (search),x,x,x,x,x,!,!!,!,!,!,!,
- my $placeToLook = $1;
- my $fieldcount = 1; #Skip the first one, which we used in last line
- while (defined($fields[$fieldcount])) {
- &B_log("DEBUG","Setting $currentsetting : $columns[$fieldcount]{OSVersion} , ".
- "$columns[$fieldcount]{Mode} , ".
- "$columns[$fieldcount]{Extension} , ".
- "$placeToLook, to $fields[$fieldcount]");
- $isSupportedSetting{"$currentsetting"}
- {"$columns[$fieldcount]{OSVersion}"}
- {"$columns[$fieldcount]{Mode}"}
- {"$columns[$fieldcount]{Extension}"}
- {"$placeToLook"} =
- $fields[$fieldcount];
- ++$fieldcount;
- }
- } else {
- if ($line !~ /^,*/) {
- &B_log("ERROR","Incorrectly Formatted Line at ".
- &getGlobal('BFILE','AccountSecSupport') . ": $linecount");
- }
- }
- }
-}
-
-##########################################################################
-# &B_get_sec_value($param);
-# This subroutine finds the value for a given user policy parameter.
-# Specifically, it supports the parameters listed in the internal data structure
-
-# Return values:
-# 'Not Defined' if the value is not present or not uniquely defined.
-# $value if the value is present and unique
-#
-###########################################################################
-sub B_get_sec_value($) {
- my $param=$_[0];
-
- my $os_version;
- if (&GetDistro =~ /^HP-UX\D*(\d+\.\d+)/ ){
- $os_version=$1;
- } else {
- &B_log("ERROR","B_get_sec_value only supported on HP-UX");
- return undef;
- }
-# my $sec_dsc = &getGlobal('FILE', 'security.dsc');
- my $sec_file = &getGlobal('FILE', 'security');
- my $getprdef = &getGlobal('BIN','getprdef');
- my $getprpw = &getGlobal('BIN','getprpw');
- my $userdbget = &getGlobal('BIN','userdbget');
- my $passwd = &getGlobal('BIN','passwd');
-
- my $sec_flags = "";
- my @sec_settings=();
- my $user_sec_setting="";
-
- my $security_mode="Standard";
- my $security_extension="no-SMSE";
-
- &B_log("DEBUG","Entering get_sec_value for: $param");
-
- sub isok ($) { # Locally-scoped subroutine, takes supported-matrix entry as argument
- my $supportedMatrixEntry = $_[0];
-
- if ($supportedMatrixEntry =~ /!/) { #Matrix Entry for "Documented and/or tested"
- &B_log("DEBUG","isOk TRUE: $supportedMatrixEntry");
- return 1;
- } else {
- &B_log("DEBUG","isOk FALSE: $supportedMatrixEntry");
- return 0; #FALSE
- }
- } #end local subroutine
-
- #Get Top Array item non-destructively
- sub getTop (@) {
- my @incomingArray = @_;
- my $topval = pop(@incomingArray);
- push(@incomingArray,$topval); #Probably redundant, but left in just in case.
- return $topval;
- }
-
- sub ifExistsPushOnSecSettings($$) {
- my $sec_settings = $_[0];
- my $pushval = $_[1];
-
- if ($pushval ne ""){
- push (@$sec_settings, $pushval);
- }
- }
-
- #prpw and prdef both use "YES" instead of "1" like the other settings.
- sub normalizePolicy($){
- my $setting = $_[0];
-
- $setting =~ s/YES/1/;
- $setting =~ s/NO/1/;
-
- return $setting;
- }
-
-
-
- if ((%trustedParameter == ()) or (%isSupportedSetting == ())) {
- # Manipulates %trustedParameter and %isSupportedSetting
- &getSupportedSettings;
- }
-
- #First determine the security mode
- my $shadowFile = &getGlobal("FILE","shadow");
- my $passwdFile = &getGlobal("FILE","passwd");
-
- if (&isSystemTrusted) {
- $security_mode = 'Trusted';
- } elsif ((-e $shadowFile) and #check file exist, and that passwd has no non-"locked" accounts
- (not(&B_match_line($passwdFile,'^[^\:]+:[^:]*[^:*x]')))) {
- $security_mode = 'Shadow';
- } else {
- $security_mode = 'Standard';
- }
- if (&isTrustedMigrationAvailable) {
- $security_extension = 'SMSE';
- } else {
- $security_extension = 'no-SMSE';
- }
- &B_log("DEBUG","Security mode: $security_mode extension: $security_extension");
- # Now look up the value from each applicable database, from highest precedence
- # to lowest:
- &B_log("DEBUG","Checking $param in userdbget");
- if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
- {$security_extension}{"userdbget_-a"})) {
- &ifExistsPushOnSecSettings(\@sec_settings,
- &B_getValueFromString('\w+\s+\w+=(\S+)',
- &B_Backtick("$userdbget -a $param")));
- &B_log("DEBUG", $param . ":userdbget setting: ". &getTop(@sec_settings));
- }
- &B_log("DEBUG","Checking $param in passwd");
- if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
- {$security_extension}{"passwd_-sa"})) {
- if ($param eq "PASSWORD_MINDAYS") {
- &ifExistsPushOnSecSettings(\@sec_settings,
- &B_getValueFromString('(?:\w+\s+){2}[\d\/]+\s+(\d+)\s+\d+',
- &B_Backtick("$passwd -s -a")));
- } elsif ($param eq "PASSWORD_MAXDAYS") {
- &ifExistsPushOnSecSettings(\@sec_settings,
- &B_getValueFromString('(?:\w+\s+){2}[\d\/]+\s+\d+\s+(\d+)',
- &B_Backtick("$passwd -s -a")));
- } elsif ($param eq "PASSWORD_WARNDAYS") {
- &ifExistsPushOnSecSettings(\@sec_settings,
- &B_getValueFromString('(?:\w+\s+){2}[\d\/]+(?:\s+\d+){2}\s+(\d+)',
- &B_Backtick("$passwd -s -a")));
- }
- &B_log("DEBUG", $param . ":passwd -sa setting: ". &getTop(@sec_settings));
- }
- &B_log("DEBUG","Checking $param in get prpw");
- if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
- {$security_extension}{"getprpw"})) {
- my $logins = &getGlobal("BIN","logins");
- my @userArray = split(/\n/,`$logins`);
- my $userParamVals = '';
- foreach my $rawuser (@userArray) {
- $rawuser =~ /^(\S+)/;
- my $user = $1;
- my $nextParamVal=&B_Backtick("$getprpw -l -m $trustedParameter{$param} $user");
- $nextParamVal =~ s/\w*=(-*[\w\d]*)/$1/;
- if ($nextParamVal != -1) { #Don't count users for which the local DB is undefined
- $userParamVals .= $user . "::::" . $nextParamVal ."\n";
- }
- } #Note getValueFromStrings deals with duplicates, returning "Not Unigue"
- my $policySetting = &B_getValueFromString('::::(\S+)',"$userParamVals");
- &ifExistsPushOnSecSettings (\@sec_settings, &normalizePolicy($policySetting));
- &B_log("DEBUG", $param . ":prpw setting: ". &getTop(@sec_settings));
- }
- &B_log("DEBUG","Checking $param in get prdef");
- if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
- {$security_extension}{"getprdef"})) {
- $_ = &B_Backtick ("$getprdef -m " . $trustedParameter{$param});
- /\S+=(\S+)/;
- my $policySetting = $1;
- &ifExistsPushOnSecSettings(\@sec_settings, &normalizePolicy($policySetting));
- &B_log("DEBUG", $param . ":prdef setting: ". &getTop(@sec_settings));
-
- }
- &B_log("DEBUG","Checking $param in default security");
- if (&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
- {$security_extension}{"/etc/default/security"})) {
- &ifExistsPushOnSecSettings(\@sec_settings,&B_getValueFromFile('^\s*'. $param .
- '\s*=\s*([^\s#]+)\s*$', $sec_file));
- &B_log("DEBUG", $param . ":default setting: ". &getTop(@sec_settings));
- }
- #Commented below code in 3.0 release to avoid implication that bastille
- #had ever set these values explicitly, and the implications to runnable
- #config files where Bastille would then apply the defaults as actual policy
- #with possible conversion to shadow or similar side-effect.
-
-# &B_log("DEBUG","Checking $param in security.dsc");
- #security.dsc, only added in if valid for OS/mode/Extension, and nothing else
- #is defined (ie: @sec_settings=0)
-# if ((&isok($isSupportedSetting{$param}{$os_version}{$security_mode}
-# {$security_extension}{"/etc/security.dsc"})) and (@sec_settings == 0)) {
-# &ifExistsPushOnSecSettings(\@sec_settings, &B_getValueFromFile('^' . $param .
-# ';(?:[-\w/]*;){2}([-\w/]+);', $sec_dsc));
-# &B_log("DEBUG", $param . ":security.dsc: ". &getTop(@sec_settings));
-# }
-
- # Return what we found
- my $last_setting=undef;
- my $current_setting=undef;
- while (@sec_settings > 0) {
- $current_setting = pop(@sec_settings);
- &B_log("DEBUG","Comparing $param configuration for identity: " .
- $current_setting);
- if ((defined($current_setting)) and ($current_setting ne '')) {
- if (not(defined($last_setting))){
- $last_setting=$current_setting;
- } elsif (($last_setting ne $current_setting) or
- ($current_setting eq 'Not Unique')){
- &B_log("DEBUG","$param setting not unique.");
- return 'Not Unique'; # Inconsistent state found, return 'Not Unique'
- }
- }
- }
- if ((not(defined($last_setting))) or ($last_setting eq '')) {
- return undef;
- } else {
- return $last_setting;
- }
-
-} #End B_get_sec_value
-
-sub secureIfNoNameService($){
- my $retval = $_[0];
-
- if (&isUsingRemoteNameService) {
- return MANUAL();
- } else {
- return $retval;
- }
-}
-
-#Specifically for cleartext protocols like NIS, which are not "secure"
-sub isUsingRemoteNameService(){
-
- if (&remoteServiceCheck('nis|nisplus|dce') == SECURE_CAN_CHANGE()){
- return 0; #false
- } else {
- return 1;
- }
-}
-
-
-
-###########################################
-## This is a wrapper for two functions that
-## test the existence of nis-like configurations
-## It is used by both the front end test and the back-end run
-##############################################
-sub remoteServiceCheck($){
- my $regex = $_[0];
-
- my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf");
- my $passwd = &getGlobal('FILE',"passwd");
-
- # check the file for nis usage.
- if (-e $nsswitch_conf) {
- if (&B_match_line($nsswitch_conf, '^\s*passwd:.*('. $regex . ')')) {
- return NOTSECURE_CAN_CHANGE();
- } elsif ((&B_match_line($nsswitch_conf, '^\s*passwd:.*(compat)')) and
- (&B_match_line($passwd, '^\s*\+'))) {
- return NOTSECURE_CAN_CHANGE(); # true
- }
- } elsif ((&B_match_line($passwd, '^\s*\+'))) {
- return NOTSECURE_CAN_CHANGE();
- }
-
- my $oldnisdomain=&B_get_rc("NIS_DOMAIN");
- if ((($oldnisdomain eq "") or ($oldnisdomain eq '""')) and (&checkServiceOnHPUX('nis.client'))){
- return SECURE_CAN_CHANGE();
- }
- return NOTSECURE_CAN_CHANGE();
-}
-
-#############################################
-# remoteNISPlusServiceCheck
-# test the existence of nis+ configuration
-#############################################
-sub remoteNISPlusServiceCheck () {
-
- my $nsswitch_conf = &getGlobal('FILE',"nsswitch.conf");
-
- # check the file for nis+ usage.
- if (-e $nsswitch_conf) {
- if (&B_match_line($nsswitch_conf, 'nisplus')) {
- return NOTSECURE_CAN_CHANGE();
- }
- }
-
- return &checkServiceOnHPUX('nisp.client');
-}
-
-
-##########################################################################
-# This subroutine creates nsswitch.conf file if the file not exists,
-# and then append serveral services into the file if the service not
-# exists in the file.
-##########################################################################
-sub B_create_nsswitch_file ($) {
- my $regex = $_[0];
-
- my $nsswitch = &getGlobal('FILE',"nsswitch.conf");
-
- if( ! -f $nsswitch ) {
- &B_create_file($nsswitch);
- # we don't need to revert the permissions change because we just
- # created the file
- chmod(0444, $nsswitch);
-
- &B_append_line($nsswitch,'\s*passwd:', "passwd: $regex\n");
- &B_append_line($nsswitch,'\s*group:', "group: $regex\n");
- &B_append_line($nsswitch,'\s*hosts:', "hosts: $regex\n");
- &B_append_line($nsswitch,'\s*networks:', "networks: $regex\n");
- &B_append_line($nsswitch,'\s*protocols:', "protocols: $regex\n");
- &B_append_line($nsswitch,'\s*rpc:', "rpc: $regex\n");
- &B_append_line($nsswitch,'\s*publickey:', "publickey: $regex\n");
- &B_append_line($nsswitch,'\s*netgroup:', "netgroup: $regex\n");
- &B_append_line($nsswitch,'\s*automount:', "automount: $regex\n");
- &B_append_line($nsswitch,'\s*aliases:', "aliases: $regex\n");
- &B_append_line($nsswitch,'\s*services:', "services: $regex\n");
- }
-}
-
-1;
-
diff --git a/recipes-security/bastille/files/Miscellaneous.pm b/recipes-security/bastille/files/Miscellaneous.pm
deleted file mode 100644
index b3bdf10..0000000
--- a/recipes-security/bastille/files/Miscellaneous.pm
+++ /dev/null
@@ -1,166 +0,0 @@
-package Bastille::API::Miscellaneous;
-use strict;
-
-use File::Path;
-use Bastille::API;
-use Bastille::API::HPSpecific;
-use Bastille::API::FileContent;
-
-require Exporter;
-our @ISA = qw(Exporter);
-our @EXPORT_OK = qw(
-PrepareToRun
-B_is_package_installed
-);
-our @EXPORT = @EXPORT_OK;
-
-
-###########################################################################
-#
-# PrepareToRun sets up Bastille to run. It checks the ARGV array for
-# special options and runs ConfigureForDistro to set necessary file
-# locations and other global variables.
-#
-###########################################################################
-
-sub PrepareToRun {
-
- # Make sure we're root!
- if ( $> != 0 ) {
- &B_log("ERROR","Bastille must run as root!\n");
- exit(1);
- }
-
-
- # Make any directories that don't exist...
- foreach my $dir (keys %GLOBAL_BDIR) {
- my $BdirPath = $GLOBAL_BDIR{$dir};
- if ( $BdirPath =~ /^\s*\// ) { #Don't make relative directories
- mkpath ($BdirPath,0,0700);
- }
- }
-
- if(&GetDistro =~ "^HP-UX") {
- &B_check_system;
- }
-
- &B_log("ACTION","\n########################################################\n" .
- "# Begin Bastille Run #\n" .
- "########################################################\n\n");
-
- #read sum file if it exists.
- &B_read_sums;
-
-
-# No longer necessary as flags are no longer in sum file, and sums are
-# are now checked "real time"
-
- # check the integrity of the files listed
-# for my $file (sort keys %GLOBAL_SUM) {
-# &B_check_sum($file);
-# }
- # write out the newly flagged sums
-# &B_write_sums;
-
-
-}
-
-
-
-###########################################################################
-# &B_is_package_installed($package);
-#
-# This function checks for the existence of the package named.
-#
-# TODO: Allow $package to be an expression.
-# TODO: Allow optional $version, $release, $epoch arguments so we can
-# make sure that the given package is at least as recent as some
-# given version number.
-#
-# scalar return values:
-# 0: $package is not installed
-# 1: $package is installed
-###########################################################################
-
-sub B_is_package_installed($) {
- no strict;
- my $package = $_[0];
-# Create a "global" variable with values scoped to this function
-# We do this to avoid having to repeatedly swlist/rpm
-# when we run B_is_package_installed
-local %INSTALLED_PACKAGE_LIST;
-
- my $distro = &GetDistro;
- if ($distro =~ /^HP-UX/) {
- if (&checkProcsForService('swagent','ignore_warning') == SECURE_CANT_CHANGE()) {
- &B_log("WARNING","Software Distributor Agent(swagent) is not running. Can not tell ".
- "if package: $package is installed or not. Bastille will assume not. ".
- "If the package is actually installed, Bastille may report or configure incorrectly.".
- "To use Bastille-results as-is, please check to ensure $package is not installed, ".
- "or re-run with the swagent running to get correct results.");
- return 0; #FALSE
- }
- my $swlist=&getGlobal('BIN','swlist');
- if (%INSTALLED_PACKAGE_LIST == () ) { # re-use prior results
- if (open(SWLIST, "$swlist -a state -l fileset |")) {
- while (my $line = <SWLIST>){
- if ($line =~ /^ {2}\S+\.(\S+)\s*(\w+)/) {
- $INSTALLED_PACKAGE_LIST{$1} = $2;
- }
- }
- close SWLIST;
- } else {
- &B_log("ERROR","B_is_package_installed was unable to run the swlist command: $swlist,\n");
- return FALSE;
- }
- }
- # Now find the entry
- if ($INSTALLED_PACKAGE_LIST{$package} == 'configured') {
- return TRUE;
- } else {
- return FALSE;
- }
- } #End HP-UX Section
- # This routine only works on RPM-based distros: Red Hat, Fedora, Mandrake and SuSE
- elsif ( ($distro !~ /^RH/) and ($distro !~ /^MN/) and($distro !~ /^SE/) ) {
- return 0;
- } else { #This is a RPM-based distro
- # Run an rpm command -- librpm is extremely messy, dynamic and not
- # so much a perl thing. It's actually barely a C/C++ thing...
- if (open RPM,"rpm -q $package") {
- # We should get only one line back, but let's parse a few
- # just in case.
- my @lines = <RPM>;
- close RPM;
- #
- # This is what we're trying to parse:
- # $ rpm -q jay
- # package jay is not installed
- # $ rpm -q bash
- # bash-2.05b-305.1
- #
-
- foreach $line (@lines) {
- if ($line =~ /^package\s$package\sis\snot\sinstalled/) {
- return 0;
- }
- elsif ($line =~ /^$package\-/) {
- return 1;
- }
- }
-
- # If we've read every line without finding one of these, then
- # our parsing is broken
- &B_log("ERROR","B_is_package_installed was unable to find a definitive RPM present or not present line.\n");
- return 0;
- } else {
- &B_log("ERROR","B_is_package_installed was unable to run the RPM command,\n");
- return 0;
- }
- }
-}
-
-
-
-1;
-
diff --git a/recipes-security/bastille/files/ServiceAdmin.pm b/recipes-security/bastille/files/ServiceAdmin.pm
deleted file mode 100644
index 879223a..0000000
--- a/recipes-security/bastille/files/ServiceAdmin.pm
+++ /dev/null
@@ -1,690 +0,0 @@
-package Bastille::API::ServiceAdmin;
-use strict;
-
-use Bastille::API;
-
-use Bastille::API::HPSpecific;
-use Bastille::API::FileContent;
-
-require Exporter;
-our @ISA = qw(Exporter);
-our @EXPORT_OK = qw(
-B_chkconfig_on
-B_chkconfig_off
-B_service_start
-B_service_stop
-B_service_restart
-B_is_service_off
-checkServiceOnLinux
-remoteServiceCheck
-remoteNISPlusServiceCheck
-B_create_nsswitch_file
-);
-our @EXPORT = @EXPORT_OK;
-
-
-#######
-# &B_chkconfig_on and &B_chkconfig_off() are great for systems that didn't use
-# a more modern init system. This is a bit of a problem on Fedora, though,
-# which used upstart from Fedora 9 to Fedora 14, then switched to a new
-# Red Hat-created system called systemd for Fedora 15 and 16 (so far).
-# OpenSUSE also moved to systemd, starting with 12.1. Version 11.4 did not
-# use systemd.
-# It is also a problem on Ubuntu, starting at version 6.10, where they also
-# used upstart.
-#####
-
-
-
-
-###########################################################################
-# &B_chkconfig_on ($daemon_name) creates the symbolic links that are
-# named in the "# chkconfig: ___ _ _ " portion of the init.d files. We
-# need this utility, in place of the distro's chkconfig, because of both
-# our need to add revert functionality and our need to harden distros that
-# are not mounted on /.
-#
-# It uses the following global variables to find the links and the init
-# scripts, respectively:
-#
-# &getGlobal('DIR', "rcd") -- directory where the rc_.d subdirs can be found
-# &getGlobal('DIR', "initd") -- directory the rc_.d directories link to
-#
-# Here an example of where you might use this:
-#
-# You'd like to tell the system to run the firewall at boot:
-# B_chkconfig_on("bastille-firewall")
-#
-###########################################################################
-
-# PW: Blech. Copied B_chkconfig_off() and changed a few things,
-# then changed a few more things....
-
-sub B_chkconfig_on {
-
- my $startup_script=$_[0];
- my $retval=1;
-
- my $chkconfig_line;
- my ($runlevelinfo,@runlevels);
- my ($start_order,$stop_order,$filetolink);
-
- &B_log("ACTION","# chkconfig_on enabling $startup_script\n");
-
- # In Debian system there is no chkconfig script, run levels are checked
- # one by one (jfs)
- if (&GetDistro =~/^DB.*/) {
- $filetolink = &getGlobal('DIR', "initd") . "/$startup_script";
- if (-x $filetolink)
- {
- foreach my $level ("0","1","2","3","4","5","6" ) {
- my $link = '';
- $link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K50" . "$startup_script";
- $retval=symlink($filetolink,$link);
- }
- }
- return $retval;
- }
- #
- # On SUSE, chkconfig-based rc scripts have been replaced with a whole different
- # system. chkconfig on SUSE is actually a shell script that does some stuff and then
- # calls insserv, their replacement.
- #
-
- if (&GetDistro =~ /^SE/) {
- # only try to chkconfig on if init script is found
- if ( -e (&getGlobal('DIR', "initd") . "/$startup_script") ) {
- $chkconfig_line=&getGlobal('BIN','chkconfig');
- &B_System("$chkconfig_line $startup_script on", "$chkconfig_line $startup_script off");
- # chkconfig doesn't take affect until reboot, need to restart service also
- B_service_restart("$startup_script");
- return 1; #success
- }
- return 0; #failure
- }
-
- #
- # Run through the init script looking for the chkconfig line...
- #
- $retval = open CHKCONFIG,&getGlobal('DIR', "initd") . "/$startup_script";
- unless ($retval) {
- &B_log("ACTION","# Didn't chkconfig_on $startup_script because we couldn't open " . &getGlobal('DIR', "initd") . "/$startup_script\n");
- }
- else {
-
- READ_LOOP:
- while (my $line=<CHKCONFIG>) {
-
- # We're looking for lines like this one:
- # # chkconfig: 2345 10 90
- # OR this
- # # chkconfig: - 10 90
-
- if ($line =~ /^#\s*chkconfig:\s*([-\d]+)\s*(\d+)\s*(\d+)/ ) {
- $runlevelinfo = $1;
- $start_order = $2;
- $stop_order = $3;
- # handle a run levels arg of '-'
- if ( $runlevelinfo eq '-' ) {
- &B_log("ACTION","chkconfig_on saw '-' for run levels for \"$startup_script\", is defaulting to levels 3,4,5\n");
- $runlevelinfo = '345';
- }
- @runlevels = split(//,$runlevelinfo);
- # make sure the orders have 2 digits
- $start_order =~ s/^(\d)$/0$1/;
- $stop_order =~ s/^(\d)$/0$1/;
- last READ_LOOP;
- }
- }
- close CHKCONFIG;
-
- # Do we have what we need?
- if ( (scalar(@runlevels) < 1) || (! $start_order =~ /^\d{2}$/) || (! $stop_order =~ /^\d{2}$/) ) {
- # problem
- &B_log("ERROR","# B_chkconfig_on $startup_script failed -- no valid run level/start/stop info found\n");
- return(-1);
- }
-
- # Now, run through creating symlinks...
- &B_log("ACTION","# chkconfig_on will use run levels ".join(",",@runlevels)." for \"$startup_script\" with S order $start_order and K order $stop_order\n");
-
- $retval=0;
- # BUG: we really ought to readdir() on &getGlobal('DIR', "rcd") to get all levels
- foreach my $level ( "0","1","2","3","4","5","6" ) {
- my $link = '';
- # we make K links in run levels not specified in the chkconfig line
- $link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/K$stop_order" . $startup_script;
- my $klink = $link;
- # now we see if this is a specified run level; if so, make an S link
- foreach my $markedlevel ( @runlevels ) {
- if ( $level == $markedlevel) {
- $link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/S$start_order" . $startup_script;
- }
- }
- my $target = &getGlobal('DIR', "initd") ."/" . $startup_script;
- my $local_return;
-
- if ( (-e "$klink") && ($klink ne $link) ) {
- # there's a K link, but this level needs an S link
- unless ($GLOBAL_LOGONLY) {
- $local_return = unlink("$klink");
- if ( ! $local_return ) {
- # unlinking old, bad $klink failed
- &B_log("ERROR","Unlinking $klink failed\n");
- } else {
- &B_log("ACTION","Removed link $klink\n");
- # If we removed the link, add a link command to the revert file
- &B_revert_log (&getGlobal('BIN','ln') . " -s $target $klink\n");
- } # close what to do if unlink works
- } # if not GLOBAL_LOGONLY
- } # if $klink exists and ne $link
-
- # OK, we've disposed of any old K links, make what we need
- if ( (! ( -e "$link" )) && ($link ne '') ) {
- # link doesn't exist and the start/stop number is OK; make it
- unless ($GLOBAL_LOGONLY) {
- # create the link
- $local_return = &B_symlink($target,$link);
- if ($local_return) {
- $retval++;
- &B_log("ACTION","Created link $link\n");
- } else {
- &B_log("ERROR","Couldn't create $link when trying to chkconfig on $startup_script\n");
- }
- }
-
- } # link doesn't exist
- } # foreach level
-
- }
-
- if ($retval < @runlevels) {
- $retval=0;
- }
-
- $retval;
-
-}
-
-
-###########################################################################
-# &B_chkconfig_off ($daemon_name) deletes the symbolic links that are
-# named in the "# chkconfig: ___ _ _ " portion of the init.d files. We
-# need this utility, in place of the distro's chkconfig, because of both
-# our need to add revert functionality and our need to harden distros that
-# are not mounted on /.
-#
-# chkconfig allows for a REVERT of its work by writing to an executable
-# file &getGlobal('BFILE', "removed-symlinks").
-#
-# It uses the following global variables to find the links and the init
-# scripts, respectively:
-#
-# &getGlobal('DIR', "rcd") -- directory where the rc_.d subdirs can be found
-# &getGlobal('DIR', "initd") -- directory the rc_.d directories link to
-#
-# Here an example of where you might use this:
-#
-# You'd like to tell stop running sendmail in daemon mode on boot:
-# B_chkconfig_off("sendmail")
-#
-###########################################################################
-
-
-
-sub B_chkconfig_off {
-
- my $startup_script=$_[0];
- my $retval=1;
-
- my $chkconfig_line;
- my @runlevels;
- my ($start_order,$stop_order,$filetolink);
-
- if (&GetDistro =~/^DB.*/) {
- $filetolink = &getGlobal('DIR', "initd") . "/$startup_script";
- if (-x $filetolink)
- {
- # Three ways to do this in Debian:
- # 1.- have the initd script set to 600 mode
- # 2.- Remove the links in rcd (re-installing the package
- # will break it)
- # 3.- Use update-rc.d --remove (same as 2.)
- # (jfs)
- &B_chmod(0600,$filetolink);
- $retval=6;
-
- # The second option
- #foreach my $level ("0","1","2","3","4","5","6" ) {
- #my $link = '';
- #$link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K50" . "$startup_script";
- #unlink($link);
- #}
- }
- }
-
- #
- # On SUSE, chkconfig-based rc scripts have been replaced with a whole different
- # system. chkconfig on SUSE is actually a shell script that does some stuff and then
- # calls insserv, their replacement.
- #
- elsif (&GetDistro =~ /^SE/) {
- # only try to chkconfig off if init script is found
- if ( -e (&getGlobal('DIR', "initd") . "/$startup_script") ) {
- $chkconfig_line=&getGlobal('BIN','chkconfig');
- &B_System("$chkconfig_line $startup_script on", "$chkconfig_line $startup_script off");
- # chkconfig doesn't take affect until reboot, need to stop service
- # since expectation is that the daemons are disabled even without a reboot
- B_service_stop("$startup_script");
- return 1; #success
- }
- return 0; #failure
- }
- else {
-
- # Run through the init script looking for the chkconfig line...
-
-
- $retval = open CHKCONFIG,&getGlobal('DIR', "initd") . "/$startup_script";
- unless ($retval) {
- &B_log("ACTION","Didn't chkconfig_off $startup_script because we couldn't open " . &getGlobal('DIR', "initd") . "/$startup_script\n");
- }
- else {
-
- READ_LOOP:
- while (my $line=<CHKCONFIG>) {
-
- # We're looking for lines like this one:
- # # chkconfig: 2345 10 90
-
- if ($line =~ /^#\s*chkconfig:\s*([-\d]+)\s*(\d+)\s*(\d+)/ ) {
- @runlevels=split //,$1;
- $start_order=$2;
- $stop_order=$3;
-
-
- # Change single digit run levels to double digit -- otherwise,
- # the alphabetic ordering chkconfig depends on fails.
- if ($start_order =~ /^\d$/ ) {
- $start_order = "0" . $start_order;
- &B_log("ACTION","chkconfig_off converted start order to $start_order\n");
- }
- if ($stop_order =~ /^\d$/ ) {
- $stop_order = "0" . $stop_order;
- &B_log("ACTION","chkconfig_off converted stop order to $stop_order\n");
- }
-
- last READ_LOOP;
- }
- }
- close CHKCONFIG;
-
- # If we never found a chkconfig line, can we just run through all 5
- # rcX.d dirs from 1 to 5...?
-
- # unless ( $start_order and $stop_order ) {
- # @runlevels=("1","2","3","4","5");
- # $start_order = "*"; $stop_order="*";
- # }
-
- # Now, run through removing symlinks...
-
-
-
- $retval=0;
-
- # Handle the special case that the run level specified is solely "-"
- if ($runlevels[0] =~ /-/) {
- @runlevels = ( "0","1","2","3","4","5","6" );
- }
-
- foreach my $level ( @runlevels ) {
- my $link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/S$start_order" . $startup_script;
- my $new_link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/K$stop_order" . $startup_script;
- my $target = &getGlobal('DIR', "initd") ."/" . $startup_script;
- my $local_return;
-
-
- # Replace the S__ link in this level with a K__ link.
- if ( -e $link ) {
- unless ($GLOBAL_LOGONLY) {
- $local_return=unlink $link;
- if ($local_return) {
- $local_return=symlink $target,$new_link;
- unless ($local_return) {
- &B_log("ERROR","Linking $target to $new_link failed.\n");
- }
- }
- else { # unlinking failed
- &B_log("ERROR","Unlinking $link failed\n");
- }
-
- }
- if ($local_return) {
- $retval++;
- &B_log("ACTION","Removed link $link\n");
-
- #
- # If we removed the link, add a link command to the revert file
- # Write out the revert information for recreating the S__
- # symlink and deleting the K__ symlink.
- &B_revert_log(&getGlobal('BIN',"ln") . " -s $target $link\n");
- &B_revert_log(&getGlobal('BIN',"rm") . " -f $new_link\n");
- }
- else {
- &B_log("ERROR","B_chkconfig_off $startup_script failed\n");
- }
-
- }
- } # foreach
-
- } # else-unless
-
- } # else-DB
- if ($retval < @runlevels) {
- $retval=0;
- }
-
- $retval;
-
-}
-
-
-###########################################################################
-# &B_service_start ($daemon_name)
-# Starts service on RedHat/SUSE-based Linux distributions which have the
-# service command:
-#
-# service $daemon_name start
-#
-# Other Linux distros that also support this method of starting
-# services can be added to use this function.
-#
-# Here an example of where you might use this:
-#
-# You'd like to tell the system to start the vsftpd daemon:
-# &B_service_start("vsftpd")
-#
-# Uses &B_System in HP_API.pm
-# To match how the &B_System command works this method:
-# returns 1 on success
-# returns 0 on failure
-###########################################################################
-
-sub B_service_start {
-
- my $daemon=$_[0];
-
- if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
- (&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
- &B_log("ERROR","Tried to call service_start on a system lacking a service command! Internal Bastille error.");
- return undef;
- }
-
- # only start service if init script is found
- if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
- &B_log("ACTION","# service_start enabling $daemon\n");
-
- my $service_cmd=&getGlobal('BIN', 'service');
- if ($service_cmd) {
- # Start the service,
- # Also provide &B_System revert command
-
- return (&B_System("$service_cmd $daemon start",
- "$service_cmd $daemon stop"));
- }
- }
-
- # init script not found, do not try to start, return failure
- return 0;
-}
-
-###########################################################################
-# &B_service_stop ($daemon_name)
-# Stops service on RedHat/SUSE-based Linux distributions which have the
-# service command:
-#
-# service $daemon_name stop
-#
-# Other Linux distros that also support this method of starting
-# services can be added to use this function.
-# Stops service.
-#
-#
-# Here an example of where you might use this:
-#
-# You'd like to tell the system to stop the vsftpd daemon:
-# &B_service_stop("vsftpd")
-#
-# Uses &B_System in HP_API.pm
-# To match how the &B_System command works this method:
-# returns 1 on success
-# returns 0 on failure
-###########################################################################
-
-sub B_service_stop {
-
- my $daemon=$_[0];
-
- if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
- (&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
- &B_log("ERROR","Tried to call service_stop on a system lacking a service command! Internal Bastille error.");
- return undef;
- }
-
- # only stop service if init script is found
- if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
- &B_log("ACTION","# service_stop disabling $daemon\n");
-
- my $service_cmd=&getGlobal('BIN', 'service');
- if ($service_cmd) {
-
- # Stop the service,
- # Also provide &B_System revert command
-
- return (&B_System("$service_cmd $daemon stop",
- "$service_cmd $daemon start"));
- }
- }
-
- # init script not found, do not try to stop, return failure
- return 0;
-}
-
-
-###########################################################################
-# &B_service_restart ($daemon_name)
-# Restarts service on RedHat/SUSE-based Linux distributions which have the
-# service command:
-#
-# service $daemon_name restart
-#
-# Other Linux distros that also support this method of starting
-# services can be added to use this function.
-#
-# Here an example of where you might use this:
-#
-# You'd like to tell the system to restart the vsftpd daemon:
-# &B_service_restart("vsftpd")
-#
-# Uses &B_System in HP_API.pm
-# To match how the &B_System command works this method:
-# returns 1 on success
-# returns 0 on failure
-###########################################################################
-
-sub B_service_restart {
-
- my $daemon=$_[0];
-
- if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
- (&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
- &B_log("ERROR","Tried to call service_restart on a system lacking a service command! Internal Bastille error.");
- return undef;
- }
-
- # only restart service if init script is found
- if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
- &B_log("ACTION","# service_restart re-enabling $daemon\n");
-
- my $service_cmd=&getGlobal('BIN', 'service');
- if ($service_cmd) {
-
- # Restart the service
- return (&B_System("$service_cmd $daemon restart",
- "$service_cmd $daemon restart"));
- }
- }
-
- # init script not found, do not try to restart, return failure
- return 0;
-}
-
-###########################################################################
-# &B_is_service_off($;$)
-#
-# Runs the specified test to determine whether or not the question should
-# be answered.
-#
-# return values:
-# NOTSECURE_CAN_CHANGE()/0: service is on
-# SECURE_CANT_CHANGE()/1: service is off
-# undef: test is not defined
-###########################################################################
-
-sub B_is_service_off ($){
- my $service=$_[0];
-
- if(&GetDistro =~ "^HP-UX"){
- #die "Why do I think I'm on HPUX?!\n";
- return &checkServiceOnHPUX($service);
- }
- elsif ( (&GetDistro =~ "^RH") || (&GetDistro =~ "^SE") ) {
- return &checkServiceOnLinux($service);
- }
- else {
- &B_log("DEBUG","B_is_service off called for unsupported OS");
- # not yet implemented for other distributions of Linux
- # when GLOBAL_SERVICE, GLOBAL_SERVTYPE and GLOBAL_PROCESS are filled
- # in for Linux, then
- # at least inetd and inittab services should be similar to the above,
- # whereas chkconfig would be used on some Linux distros to determine
- # if non-inetd/inittab services are running at boot time. Looking at
- # processes should be similar.
- return undef;
- }
-}
-
-###########################################################################
-# &checkServiceOnLinux($service);
-#
-# Checks if the given service is running on a Linux system. This is
-# called by B_is_Service_Off(), which is the function that Bastille
-# modules should call.
-#
-# Return values:
-# NOTSECURE_CAN_CHANGE() if the service is on
-# SECURE_CANT_CHANGE() if the service is off
-# undef if the state of the service cannot be determined
-#
-###########################################################################
-sub checkServiceOnLinux($) {
- my $service=$_[0];
-
- # get the list of parameters which could be used to initiate the service
- # (could be in /etc/rc.d/rc?.d, /etc/inetd.conf, or /etc/inittab, so we
- # check all of them)
-
- my @params = @{ &getGlobal('SERVICE', $service) };
- my $chkconfig = &getGlobal('BIN', 'chkconfig');
- my $grep = &getGlobal('BIN', 'grep');
- my $inittab = &getGlobal('FILE', 'inittab');
- my $serviceType = &getGlobal('SERVTYPE', $service);;
-
- # A kludge to get things running because &getGlobal('SERVICE' doesn't
- # return the expected values.
- @params = ();
- push (@params, $service);
-
- foreach my $param (@params) {
- &B_log("DEBUG","Checking to see if service $service is off.\n");
-
- if ($serviceType =~ /rc/) {
- my $on = &B_Backtick("$chkconfig --list $param 2>&1");
- if ($on =~ /^$param:\s+unknown/) {
- # This service isn't installed on the system
- return NOT_INSTALLED();
- }
- if ($on =~ /^error reading information on service $param: No such file or directory/) {
- # This service isn't installed on the system
- return NOT_INSTALLED();
- }
- if ($on =~ /^error/) {
- # This probably
- &B_log("DEBUG","chkconfig returned: $param=$on\n");
- return undef;
- }
- $on =~ s/^$param\s+//; # remove the service name and spaces
- $on =~ s/[0-6]:off\s*//g; # remove any runlevel:off entries
- $on =~ s/:on\s*//g; # remove the :on from the runlevels
- # what remains is a list of runlevels in which the service is on,
- # or a null string if it is never turned on
- chomp $on; # newline should be gone already (\s)
- &B_log("DEBUG","chkconfig returned: $param=$on\n");
-
- if ($on =~ /^\d+$/) {
- # service is not off
- ########################### BREAK out, don't skip question
- return NOTSECURE_CAN_CHANGE();
- }
- }
- elsif ($serviceType =~ /inet/) {
- my $on = &B_Backtick("$chkconfig --list $param 2>&1");
- if ($on =~ /^$param:\s+unknown/) {
- # This service isn't installed on the system
- return NOT_INSTALLED();
- }
- if ($on =~ /^error reading information on service $param: No such file or directory/) {
- # This service isn't installed on the system
- return NOT_INSTALLED();
- }
- if ($on =~ /^error/ ) {
- # Something else is wrong?
- # return undef
- return undef;
- }
- if ($on =~ tr/\n// > 1) {
- $on =~ s/^xinetd.+\n//;
- }
- $on =~ s/^\s*$param:?\s+//; # remove the service name and spaces
- chomp $on; # newline should be gone already (\s)
- &B_log("DEBUG","chkconfig returned: $param=$on\n");
-
- if ($on =~ /^on$/) {
- # service is not off
- ########################### BREAK out, don't skip question
- return NOTSECURE_CAN_CHANGE();
- }
- }
- else {
- # perhaps the service is started by inittab
- my $inittabline = &B_Backtick("$grep -E '^[^#].{0,3}:.*:.+:.*$param' $inittab");
- if ($inittabline =~ /.+/) { # . matches anything except newlines
- # service is not off
- &B_log("DEBUG","Checking inittab; found $inittabline\n");
- ########################### BREAK out, don't skip question
- return NOTSECURE_CAN_CHANGE();
- }
- }
- } # foreach my $param
-
-
- # boot-time parameters are not set; check processes
- # Note the checkProcsforService returns INCONSISTENT() if a process is found
- # assuming the checks above
- return &checkProcsForService($service);
-}
-
-1;
-
-
diff --git a/recipes-security/bastille/files/accept_os_flag_in_backend.patch b/recipes-security/bastille/files/accept_os_flag_in_backend.patch
deleted file mode 100644
index 4a438e4..0000000
--- a/recipes-security/bastille/files/accept_os_flag_in_backend.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/BastilleBackEnd
-===================================================================
---- Bastille.orig/BastilleBackEnd 2013-08-21 12:40:54.000000000 -0400
-+++ Bastille/BastilleBackEnd 2013-08-21 12:43:21.895950001 -0400
-@@ -52,11 +52,13 @@
- my $force = 0;
- my $debug = 0;
- my $alternate_config=undef;
-+my $os_version=undef;
-
- if( Getopt::Long::GetOptions( "n" => \$nodisclaim,
- "v" => \$verbose,
- "force" => \$force,
- "f=s" => \$alternate_config,
-+ "os=s" => \$os_version,
- "debug" => \$debug) ) {
- $error = 0; # no parse error
-
-@@ -66,7 +68,8 @@
-
- &setOptions(
- debug => $debug,
-- verbose => $verbose);
-+ verbose => $verbose,
-+ os => $os_version);
- &ConfigureForDistro;
-
- if ( $error ) { # GetOptions couldn't parse all of the args
diff --git a/recipes-security/bastille/files/allow_os_with_assess.patch b/recipes-security/bastille/files/allow_os_with_assess.patch
deleted file mode 100644
index e112f90..0000000
--- a/recipes-security/bastille/files/allow_os_with_assess.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/bin/bastille
-===================================================================
---- Bastille.orig/bin/bastille 2013-08-21 08:59:06.647950000 -0400
-+++ Bastille/bin/bastille 2013-08-21 15:55:53.193631711 -0400
-@@ -195,7 +195,6 @@
- systemFileLocations
-
- isAssessing='no'
--nonXArg='no'
-
- if [ $PERL_V_MAJ -eq $MIN_V_MAJ -a $PERL_V_MIN -lt $MIN_V_MIN -o $PERL_V_MAJ -lt $MIN_V_MAJ ]; then # invalid Perl
- printErr
-@@ -316,12 +315,10 @@
- '--os')
- options_left="$options_left --os"
- optarg='yes'
-- nonXArg='yes'
- ;;
- '-f')
- options_left="$options_left -f"
- optarg='yes'
-- nonXArg='yes'
- ;;
- # Non-exclusive (undocumented and unsupported) options follow:
- # There is no validity/combination checking done with these.
-@@ -345,11 +342,6 @@
- fi
- done
-
--#Detect case where -f or --os attempted use with --assess
-- if [ \( x$nonXArg = xyes \) -a \( x$isAssessing = xyes \) ]; then
-- printUsage
-- exit 2
-- fi
-
- # We have a valid version of perl! Verify that all the required
- # modules can be found.
diff --git a/recipes-security/bastille/files/call_output_config.patch b/recipes-security/bastille/files/call_output_config.patch
deleted file mode 100644
index 1e898b1..0000000
--- a/recipes-security/bastille/files/call_output_config.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/Bastille_Curses.pm
-===================================================================
---- Bastille.orig/Bastille_Curses.pm 2013-08-21 08:58:53.899950000 -0400
-+++ Bastille/Bastille_Curses.pm 2013-08-21 09:20:20.295950005 -0400
-@@ -84,7 +84,7 @@
- }
-
- # Output answers to the script and display
-- &checkAndSaveConfig(&getGlobal('BFILE', "config"));
-+ &outputConfig;
-
- # Run Bastille
-
diff --git a/recipes-security/bastille/files/config b/recipes-security/bastille/files/config
deleted file mode 100755
index 9e5e206..0000000
--- a/recipes-security/bastille/files/config
+++ /dev/null
@@ -1,106 +0,0 @@
-# Q: Would you like to enforce password aging? [Y]
-AccountSecurity.passwdage="Y"
-# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
-AccountSecurity.protectrhost="Y"
-# Q: Should we disallow root login on tty's 1-6? [N]
-AccountSecurity.rootttylogins="Y"
-# Q: What umask would you like to set for users on the system? [077]
-AccountSecurity.umask="077"
-# Q: Do you want to set the default umask? [Y]
-AccountSecurity.umaskyn="Y"
-# Q: Would you like to deactivate the Apache web server? [Y]
-Apache.apacheoff="Y"
-# Q: Would you like to password protect single-user mode? [Y]
-BootSecurity.passsum="Y"
-# Q: Should we restrict console access to a small group of user accounts? [N]
-ConfigureMiscPAM.consolelogin="Y"
-# Q: Which accounts should be able to login at console? [root]
-ConfigureMiscPAM.consolelogin_accounts="root"
-# Q: Would you like to put limits on system resource usage? [N]
-ConfigureMiscPAM.limitsconf="Y"
-# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
-FilePermissions.generalperms_1_1="Y"
-# Q: Would you like to disable SUID status for mount/umount?
-FilePermissions.suidmount="Y"
-# Q: Would you like to disable SUID status for ping? [Y]
-FilePermissions.suidping="Y"
-# Q: Would you like to disable SUID status for traceroute? [Y]
-FilePermissions.suidtrace="Y"
-# Q: Do you need the advanced networking options?
-Firewall.ip_advnetwork="Y"
-# Q: Should Bastille run the firewall and enable it at boot time? [N]
-Firewall.ip_enable_firewall="Y"
-# Q: Would you like to run the packet filtering script? [N]
-Firewall.ip_intro="Y"
-# Q: Interfaces for DHCP queries: [ ]
-Firewall.ip_s_dhcpiface=" "
-# Q: DNS servers: [0.0.0.0/0]
-Firewall.ip_s_dns="10.184.9.1"
-# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
-Firewall.ip_s_icmpallowed="destination-unreachable echo-reply time-exceeded"
-# Q: ICMP services to audit: [ ]
-Firewall.ip_s_icmpaudit=" "
-# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
-Firewall.ip_s_icmpout="destination-unreachable time-exceeded"
-# Q: Internal interfaces: [ ]
-Firewall.ip_s_internaliface=" "
-# Q: TCP service names or port numbers to allow on private interfaces: [ ]
-Firewall.ip_s_internaltcp=" "
-# Q: UDP service names or port numbers to allow on private interfaces: [ ]
-Firewall.ip_s_internaludp=" "
-# Q: Masqueraded networks: [ ]
-Firewall.ip_s_ipmasq=" "
-# Q: Kernel modules to masquerade: [ftp raudio vdolive]
-Firewall.ip_s_kernelmasq="ftp raudio vdolive"
-# Q: NTP servers to query: [ ]
-Firewall.ip_s_ntpsrv=" "
-# Q: Force passive mode? [N]
-Firewall.ip_s_passiveftp="N"
-# Q: Public interfaces: [eth+ ppp+ slip+]
-Firewall.ip_s_publiciface="eth+ ppp+ slip+"
-# Q: TCP service names or port numbers to allow on public interfaces:[ ]
-Firewall.ip_s_publictcp=" "
-# Q: UDP service names or port numbers to allow on public interfaces:[ ]
-Firewall.ip_s_publicudp=" "
-# Q: Reject method: [DENY]
-Firewall.ip_s_rejectmethod="DENY"
-# Q: Enable source address verification? [Y]
-Firewall.ip_s_srcaddr="Y"
-# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
-Firewall.ip_s_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
-# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
-Firewall.ip_s_tcpblock="2049 2065:2090 6000:6020 7100"
-# Q: Trusted interface names: [lo]
-Firewall.ip_s_trustiface="lo"
-# Q: UDP services to audit: [31337]
-Firewall.ip_s_udpaudit="31337"
-# Q: UDP services to block: [2049 6770]
-Firewall.ip_s_udpblock="2049 6770"
-# Q: Would you like to add additional logging? [Y]
-Logging.morelogging="Y"
-# Q: Would you like to set up process accounting? [N]
-Logging.pacct="N"
-# Q: Do you have a remote logging host? [N]
-Logging.remotelog="N"
-# Q: Would you like to disable acpid and/or apmd? [Y]
-MiscellaneousDaemons.apmd="Y"
-# Q: Would you like to deactivate NFS and Samba? [Y]
-MiscellaneousDaemons.remotefs="Y"
-# Q: Would you like to disable printing? [N]
-Printing.printing="Y"
-# Q: Would you like to disable printing? [N]
-Printing.printing_cups="Y"
-# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
-SecureInetd.banners="Y"
-# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
-SecureInetd.deactivate_ftp="Y"
-# Q: Should Bastille ensure the telnet service does not run on this system? [y]
-SecureInetd.deactivate_telnet="Y"
-# Q: Who is responsible for granting authorization to use this machine?
-SecureInetd.owner="its owner"
-# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
-SecureInetd.tcpd_default_deny="Y"
-# Q: Do you want to stop sendmail from running in daemon mode? [Y]
-Sendmail.sendmaildaemon="Y"
-# Q: Would you like to install TMPDIR/TMP scripts? [N]
-TMPDIR.tmpdir="N"
diff --git a/recipes-security/bastille/files/do_not_apply_config.patch b/recipes-security/bastille/files/do_not_apply_config.patch
deleted file mode 100644
index 574aa98..0000000
--- a/recipes-security/bastille/files/do_not_apply_config.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/Bastille_Curses.pm
-===================================================================
---- Bastille.orig/Bastille_Curses.pm 2013-08-27 16:43:39.130959000 -0400
-+++ Bastille/Bastille_Curses.pm 2013-08-27 16:43:39.794959000 -0400
-@@ -83,11 +83,6 @@
- # Output answers to the script and display
- &outputConfig;
-
-- # Run Bastille
--
-- &Run_Bastille_with_Config;
--
--
- # Display Credits
-
- open CREDITS,"/usr/share/Bastille/Credits";
-Index: Bastille/InteractiveBastille
-===================================================================
---- Bastille.orig/InteractiveBastille 2013-08-27 16:43:39.434959000 -0400
-+++ Bastille/InteractiveBastille 2013-08-27 17:18:55.758959000 -0400
-@@ -531,10 +531,10 @@
- " Please address bug reports and suggestions to jay\@bastille-linux.org\n" .
- "\n";
-
-- $InterfaceEndScreenDescription = "We will now implement the choices you have made here.\n\n" .
-+ $InterfaceEndScreenDescription = "We will now record the choices you have made here.\n\n" .
- "Answer NO if you want to go back and make changes!\n";
-- $InterfaceEndScreenQuestion = "Are you finished answering the questions, i.e. may we make the changes?";
-- $InterfaceEndScreenNoEpilogue = "Please use Back/Next buttons to move among the questions you wish to\nchange.\n\nChoose YES on this question later to implement your choices.\n";
-+ $InterfaceEndScreenQuestion = "Are you finished answering the questions, i.e. may we record the answers and exit?";
-+ $InterfaceEndScreenNoEpilogue = "Please use Back/Next buttons to move among the questions you wish to\nchange.\n\nChoose YES on this question later to record your choices.\n";
- require Bastille_Curses;
- } elsif ($GLOBAL_AUDITONLY) {
-
diff --git a/recipes-security/bastille/files/edit_usage_message.patch b/recipes-security/bastille/files/edit_usage_message.patch
deleted file mode 100644
index 72cdc2f..0000000
--- a/recipes-security/bastille/files/edit_usage_message.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/bin/bastille
-===================================================================
---- Bastille.orig/bin/bastille 2013-08-25 14:16:35.614779001 -0400
-+++ Bastille/bin/bastille 2013-08-25 14:16:38.674779000 -0400
-@@ -60,7 +60,7 @@
- printUsage () {
- cat >&2 << EOF
- $ERRSPACES Usage: bastille [ -b | -c | -x ] [ --os <version>] [ -f <alternate config> ]
--$ERRSPACES bastille [-r | -l | -h | --assess | --assessnobrowser ]
-+$ERRSPACES bastille [-r | -l | -h | --assess | --assessnobrowser ] [ --os <version> ]
- $ERRSPACES -b : use a saved config file to apply changes
- $ERRSPACES directly to system
- $ERRSPACES -c : use the Curses (non-X11) GUI, not available on HP-UX
-Index: Bastille/Bastille/API.pm
-===================================================================
---- Bastille.orig/Bastille/API.pm 2013-08-25 08:15:40.266779002 -0400
-+++ Bastille/Bastille/API.pm 2013-08-25 14:18:22.750778811 -0400
-@@ -206,7 +206,7 @@
- #options before interactive or Bastille runs, so this check is often redundant
- $GLOBAL_ERROR{"usage"}="\n".
- "$spc Usage: bastille [ -b | -c | -x ] [ --os <version> ] [ -f <alternate config> ]\n".
-- "$spc bastille [ -r | --assess | --assessnobowser ]\n\n".
-+ "$spc bastille [ -r | --assess | --assessnobowser ] [ --os <version> ]\n\n".
- "$spc --assess : check status of system and report in browser\n".
- "$spc --assessnobrowser : check status of system and list report locations\n".
- "$spc -b : use a saved config file to apply changes\n".
diff --git a/recipes-security/bastille/files/find_existing_config.patch b/recipes-security/bastille/files/find_existing_config.patch
deleted file mode 100644
index c075875..0000000
--- a/recipes-security/bastille/files/find_existing_config.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/bin/bastille
-===================================================================
---- Bastille.orig/bin/bastille 2013-06-20 14:58:01.065796000 -0400
-+++ Bastille/bin/bastille 2013-08-20 15:16:18.472378000 -0400
-@@ -102,8 +102,9 @@
- # defines OS specific file locations based on uname
- systemFileLocations
-
-+ config_files=`find $config_repository -type f -name \*config 2>/dev/null`
-+
- if [ -f $last_config ]; then
-- config_files=`find $config_repository -type f -name \*config 2>/dev/null`
- for config_cursor in `echo $config_files`
- do
- if /usr/bin/diff $last_config $config_cursor >/dev/null 2>&1
-@@ -112,8 +113,8 @@
- fi
- done
- if [ -n "$match" ]; then
-- echo "The last bastille run corresponds to the following profiles:"
-- echo "$match"
-+ printf "The last Bastille run corresponds to the following profiles:\n"
-+ printf "$match"
- else
- cat >&2 << EOF
- NOTE: The last config file applied,
-@@ -122,18 +123,28 @@
- $ERRSPACES $config_repository.
- $ERRSPACES This probably means that Bastille was last run interactively and
- $ERRSPACES changes were made to the config file, but they have not yet been
--$ERRSPACES applied, or that the source config file was moved. If you do have pending
-+$ERRSPACES applied, or that the source config file was moved. If you do have pending
- $ERRSPACES changes in a config file, you can apply them by running
- $ERRSPACES 'bastille -b -f <config file>.'
- EOF
-
- fi
- else
-- echo "NOTE: The system is in its pre-bastilled state.\n"
-+ for config_cursor in `echo $config_files`
-+ do
-+ match="$match $config_cursor\n"
-+ done
-+ if [ -n "$match" ]; then
-+ printf "The following Bastille profiles were located:\n"
-+ printf "$match"
-+ else
-+ printf "No Bastille profiles were located.\n"
-+ fi
-+ printf "No log files of profiles from previous executions of Bastille have been found. It is likely that Bastille has not been run on this machine.\n"
- fi
--
- }
-
-+
- # First, make sure we're root
- if [ `PATH="/usr/bin:/bin"; id -u` -ne 0 ]; then
- echo "ERROR: Bastille must be run as root user" >&2
diff --git a/recipes-security/bastille/files/fix_missing_use_directives.patch b/recipes-security/bastille/files/fix_missing_use_directives.patch
deleted file mode 100644
index 05f145a..0000000
--- a/recipes-security/bastille/files/fix_missing_use_directives.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/Bastille/Firewall.pm
-===================================================================
---- Bastille.orig/Bastille/Firewall.pm 2008-09-14 19:56:54.000000000 -0400
-+++ Bastille/Bastille/Firewall.pm 2013-08-20 16:28:44.588378000 -0400
-@@ -21,6 +21,7 @@
- package Bastille::Firewall;
-
- use Bastille::API;
-+use Bastille::API::AccountPermission;
- use Bastille::API::FileContent;
- use Bastille::API::ServiceAdmin;
-
-Index: Bastille/Bastille/SecureInetd.pm
-===================================================================
---- Bastille.orig/Bastille/SecureInetd.pm 2008-09-14 19:56:58.000000000 -0400
-+++ Bastille/Bastille/SecureInetd.pm 2013-08-20 16:45:02.252378001 -0400
-@@ -12,6 +12,7 @@
- use lib "/usr/lib";
-
- use Bastille::API;
-+use Bastille::API::AccountPermission;
- use Bastille::API::HPSpecific;
- use Bastille::API::ServiceAdmin;
- use Bastille::API::FileContent;
-Index: Bastille/Bastille/ConfigureMiscPAM.pm
-===================================================================
---- Bastille.orig/Bastille/ConfigureMiscPAM.pm 2005-09-12 23:47:28.000000000 -0400
-+++ Bastille/Bastille/ConfigureMiscPAM.pm 2013-08-20 18:36:07.340378001 -0400
-@@ -5,6 +5,7 @@
- use lib "/usr/lib";
-
- use Bastille::API;
-+use Bastille::API::FileContent;
-
- # To DO:
- #
-Index: Bastille/Bastille/Printing.pm
-===================================================================
---- Bastille.orig/Bastille/Printing.pm 2008-09-14 19:56:58.000000000 -0400
-+++ Bastille/Bastille/Printing.pm 2013-08-20 19:05:01.532378002 -0400
-@@ -5,6 +5,7 @@
- use lib "/usr/lib";
-
- use Bastille::API;
-+use Bastille::API::AccountPermission;
- use Bastille::API::HPSpecific;
- use Bastille::API::ServiceAdmin;
- use Bastille::API::FileContent;
diff --git a/recipes-security/bastille/files/fix_number_of_modules.patch b/recipes-security/bastille/files/fix_number_of_modules.patch
deleted file mode 100644
index 743e549..0000000
--- a/recipes-security/bastille/files/fix_number_of_modules.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/Bastille_Curses.pm
-===================================================================
---- Bastille.orig/Bastille_Curses.pm 2013-08-24 18:21:54.445288000 -0400
-+++ Bastille/Bastille_Curses.pm 2013-08-24 18:29:16.981288000 -0400
-@@ -36,9 +36,6 @@
- use Curses;
- use Curses::Widgets;
-
-- # Number_Modules is the number of modules loaded in by Load_Questions
-- $Number_Modules=0;
--
- #
- # Highlighted button is the button currently chosen in the button bar
- # We preserve this from question to question...
-@@ -397,7 +394,7 @@
- my $title;
-
- if ($module) {
-- $title=$module . " of $Number_Modules";
-+ $title=$module;
- }
-
- txt_field( 'window' => $window,
-@@ -488,7 +485,7 @@
- my $title;
-
- if ($module) {
-- $title=$module . " of $Number_Modules";
-+ $title=$module;
- }
-
- noecho;
diff --git a/recipes-security/bastille/files/fix_version_parse.patch b/recipes-security/bastille/files/fix_version_parse.patch
deleted file mode 100644
index 5923c04..0000000
--- a/recipes-security/bastille/files/fix_version_parse.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/bin/bastille
-===================================================================
---- Bastille.orig/bin/bastille
-+++ Bastille/bin/bastille
-@@ -162,11 +162,12 @@ fi
- # We check that the version is at least the minimum
-
- PERL_VERSION=`${CURRENT_PERL_PATH}/perl -version |
-- head -2 | # the second line contains the version
-+ head -n 2 | # the second line contains the version
- tr " " "\n" | # split words into separate lines
-- sed -e "s/^v//" | # to get rid of the v in v5.6.0
-- grep "^[1-9]\." | # find a "word" that starts with number dot
-- sed -e "s/_/./"` # substitute _patchlevel with .patchlevel
-+ grep "^(v" | # find a "word" that starts with '(v'
-+ sed -e "s/^(v//" -e "s/)//" -e "s/_/./"`
-+ # to get rid of the (v in v5.6.0
-+ # substitute _patchlevel with .patchlevel
- # (used in 5.005_03 and prior)
-
- # everything before the first .
diff --git a/recipes-security/bastille/files/fixed_defined_warnings.patch b/recipes-security/bastille/files/fixed_defined_warnings.patch
deleted file mode 100644
index e7996e3..0000000
--- a/recipes-security/bastille/files/fixed_defined_warnings.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From c59b84ca3bda8e4244d47901b6966f28dd675434 Mon Sep 17 00:00:00 2001
-From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-Date: Thu, 23 May 2013 15:12:23 +0300
-Subject: [PATCH] added yocto-standard to bastille
-
-In order to make Bastille functional and avoid errors
-regarding distros, if not any given distro is identified,
-yocto-standard distro is added to the distro variable
-in Bastille.
-
-Fixed also some warnings regarding defined statements
-in API.pm.
-
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
- Bastille/API.pm | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-Index: Bastille/Bastille/API.pm
-===================================================================
---- Bastille.orig/Bastille/API.pm 2008-09-14 19:56:53.000000000 -0400
-+++ Bastille/Bastille/API.pm 2013-08-21 08:55:26.715950001 -0400
-@@ -445,8 +445,8 @@
- $release=`/usr/bin/uname -sr`;
- }
- else {
-- print STDERR "$err Could not determine operating system version!\n";
-- $distro="unknown";
-+ print STDERR "$err Could not determine operating system version!\n";
-+ $distro="unknown"
- }
-
- # Figure out what kind of system we're on.
-@@ -1284,7 +1284,7 @@
-
- my $sumFile = &getGlobal('BFILE',"sum.csv");
-
-- if ( defined %GLOBAL_SUM ) {
-+ if ( %GLOBAL_SUM ) {
-
- open( SUM, "> $sumFile") or &B_log("ERROR","Unable to open $sumFile for write.\n$!\n");
-
-@@ -1318,7 +1318,7 @@
- my $file = $_[0];
- my $cksum = &getGlobal('BIN',"cksum");
-
-- if (not(defined(%GLOBAL_SUM))) {
-+ if (not(%GLOBAL_SUM)) {
- &B_read_sums;
- }
-
-@@ -1375,7 +1375,7 @@
- sub B_isFileinSumDB($) {
- my $file = $_[0];
-
-- if (not(defined(%GLOBAL_SUM))) {
-+ if (not(%GLOBAL_SUM)) {
- &B_log("DEBUG","Reading in DB from B_isFileinSumDB");
- &B_read_sums;
- }
diff --git a/recipes-security/bastille/files/organize_distro_discovery.patch b/recipes-security/bastille/files/organize_distro_discovery.patch
deleted file mode 100644
index d64d1e2..0000000
--- a/recipes-security/bastille/files/organize_distro_discovery.patch
+++ /dev/null
@@ -1,476 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/Bastille/API.pm
-===================================================================
---- Bastille.orig/Bastille/API.pm 2013-08-22 04:32:38.269968002 -0400
-+++ Bastille/Bastille/API.pm 2013-08-22 11:29:53.137968002 -0400
-@@ -141,7 +141,7 @@
- checkProcsForService
-
-
-- $GLOBAL_OS $GLOBAL_ACTUAL_OS $CLI
-+ $CLI
- $GLOBAL_LOGONLY $GLOBAL_VERBOSE $GLOBAL_DEBUG $GLOBAL_AUDITONLY $GLOBAL_AUDIT_NO_BROWSER $errorFlag
- %GLOBAL_BIN %GLOBAL_DIR %GLOBAL_FILE
- %GLOBAL_BDIR %GLOBAL_BFILE
-@@ -198,7 +198,7 @@
- my $err ="ERROR: ";
- my $spc =" ";
- my $GLOBAL_OS="None";
--my $GLOBAL_ACTUAL_OS="None";
-+my $GLOBAL_INFERRED_OS="None";
- my %GLOBAL_SUMS=();
- my $CLI='';
-
-@@ -306,7 +306,7 @@
-
- ###########################################################################
- #
--# GetDistro checks to see if the target is a known distribution and reports
-+# InferDistro checks to see if the target is a known distribution and reports
- # said distribution.
- #
- # This is used throughout the script, but also by ConfigureForDistro.
-@@ -314,205 +314,194 @@
- #
- ###########################################################################
-
--sub GetDistro() {
-+sub InferDistro() {
-
- my ($release,$distro);
-
-- # Only read files for the distro once.
-- # if the --os option was used then
-- if ($GLOBAL_OS eq "None") {
-- if ( -e "/etc/mandrake-release" ) {
-- open(MANDRAKE_RELEASE,"/etc/mandrake-release");
-- $release=<MANDRAKE_RELEASE>;
--
-- if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
-- $distro="MN$1";
-- }
-- elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
-- $distro="MN$1";
-- }
-- else {
-- print STDERR "$err Couldn't determine Mandrake/Mandriva version! Setting to 10.1!\n";
-- $distro="MN10.1";
-- }
--
-- close(MANDRAKE_RELEASE);
-- }
-- elsif ( -e "/etc/immunix-release" ) {
-- open(IMMUNIX_RELEASE,"/etc/immunix-release");
-- $release=<IMMUNIX_RELEASE>;
-- unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
-- print STDERR "$err Couldn't determine Immunix version! Setting to 6.2!\n";
-- $distro="RH6.2";
-- }
-- else {
-- $distro="RH$1";
-- }
-- close(*IMMUNIX_RELEASE);
-- }
-- elsif ( -e '/etc/fedora-release' ) {
-- open(FEDORA_RELEASE,'/etc/fedora-release');
-- $release=<FEDORA_RELEASE>;
-- close FEDORA_RELEASE;
-- if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
-- $distro = "RHFC$1";
-- }
-- elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
-- $distro = "RHFC$1";
-- }
-- else {
-- print STDERR "$err Could not determine Fedora version! Setting to Fedora Core 8\n";
-- $distro='RHFC8';
-- }
-+ if ( -e "/etc/mandrake-release" ) {
-+ open(MANDRAKE_RELEASE,"/etc/mandrake-release");
-+ $release=<MANDRAKE_RELEASE>;
-+
-+ if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
-+ $distro="MN$1";
-+ }
-+ elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
-+ $distro="MN$1";
-+ }
-+ else {
-+ print STDERR "$err Could not infer Mandrake/Mandriva version! Setting to 10.1!\n";
-+ $distro="MN10.1";
-+ }
-+
-+ close(MANDRAKE_RELEASE);
-+ }
-+ elsif ( -e "/etc/immunix-release" ) {
-+ open(IMMUNIX_RELEASE,"/etc/immunix-release");
-+ $release=<IMMUNIX_RELEASE>;
-+ unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
-+ print STDERR "$err Could not infer Immunix version! Setting to 6.2!\n";
-+ $distro="RH6.2";
-+ }
-+ else {
-+ $distro="RH$1";
- }
-- elsif ( -e "/etc/redhat-release" ) {
-- open(*REDHAT_RELEASE,"/etc/redhat-release");
-- $release=<REDHAT_RELEASE>;
-- if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
-- $distro="RH$1";
-- }
-- elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
-- $distro="RHEL$1$2";
-- }
-- elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
-- $distro="RHEL$2$1";
-+ close(*IMMUNIX_RELEASE);
-+ }
-+ elsif ( -e '/etc/fedora-release' ) {
-+ open(FEDORA_RELEASE,'/etc/fedora-release');
-+ $release=<FEDORA_RELEASE>;
-+ close FEDORA_RELEASE;
-+ if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
-+ $distro = "RHFC$1";
-+ }
-+ elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
-+ $distro = "RHFC$1";
-+ }
-+ else {
-+ print STDERR "$err Could not infer Fedora version! Setting to Fedora Core 8\n";
-+ $distro='RHFC8';
-+ }
-+ }
-+ elsif ( -e "/etc/redhat-release" ) {
-+ open(*REDHAT_RELEASE,"/etc/redhat-release");
-+ $release=<REDHAT_RELEASE>;
-+ if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
-+ $distro="RH$1";
-+ }
-+ elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
-+ $distro="RHEL$1$2";
-+ }
-+ elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
-+ $distro="RHEL$2$1";
-+ }
-+ elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
-+ my $version = $1;
-+ if ($version =~ /^4\./) {
-+ $distro='RHEL4AS';
- }
-- elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
-- my $version = $1;
-- if ($version =~ /^4\./) {
-- $distro='RHEL4AS';
-- }
-- elsif ($version =~ /^3\./) {
-- $distro='RHEL3AS';
-- }
-- else {
-- print STDERR "$err Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
-- $distro='RHEL4AS';
-- }
-- }
-- else {
-- # JJB/HP - Should this be B_log?
-- print STDERR "$err Couldn't determine Red Hat version! Setting to 9!\n";
-- $distro="RH9";
-- }
-- close(REDHAT_RELEASE);
--
-- }
-- elsif ( -e "/etc/debian_version" ) {
-- $stable="3.1"; #Change this when Debian stable changes
-- open(*DEBIAN_RELEASE,"/etc/debian_version");
-- $release=<DEBIAN_RELEASE>;
-- unless ($release =~ /^(\d+\.\d+\w*)/) {
-- print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
-- $distro="DB$stable";
-+ elsif ($version =~ /^3\./) {
-+ $distro='RHEL3AS';
- }
- else {
-- $distro="DB$1";
-- }
-- close(DEBIAN_RELEASE);
-- }
-- elsif ( -e "/etc/SuSE-release" ) {
-- open(*SUSE_RELEASE,"/etc/SuSE-release");
-- $release=<SUSE_RELEASE>;
-- if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
-- $distro="SE$1";
-- }
-- elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
-- $distro="SESLES$1";
-- }
-- elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
-- $distro="SESLES$1";
-- }
-- elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
-- $distro="SE$1";
-+ print STDERR "$err Could not infer CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
-+ $distro='RHEL4AS';
- }
-- else {
-- print STDERR "$err Couldn't determine SuSE version! Setting to 10.3!\n";
-- $distro="SE10.3";
-- }
-- close(SUSE_RELEASE);
-- }
-- elsif ( -e "/etc/turbolinux-release") {
-- open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
-- $release=<TURBOLINUX_RELEASE>;
-- unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
-- print STDERR "$err Couldn't determine TurboLinux version! Setting to 7.0!\n";
-- $distro="TB7.0";
-- }
-- else {
-- $distro="TB$1";
-- }
-- close(TURBOLINUX_RELEASE);
-+ }
-+ else {
-+ # JJB/HP - Should this be B_log?
-+ print STDERR "$err Could not infer Red Hat version! Setting to 9!\n";
-+ $distro="RH9";
-+ }
-+ close(REDHAT_RELEASE);
-+
-+ }
-+ elsif ( -e "/etc/debian_version" ) {
-+ $stable="3.1"; #Change this when Debian stable changes
-+ open(*DEBIAN_RELEASE,"/etc/debian_version");
-+ $release=<DEBIAN_RELEASE>;
-+ unless ($release =~ /^(\d+\.\d+\w*)/) {
-+ print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
-+ $distro="DB$stable";
-+ }
-+ else {
-+ $distro="DB$1";
-+ }
-+ close(DEBIAN_RELEASE);
-+ }
-+ elsif ( -e "/etc/SuSE-release" ) {
-+ open(*SUSE_RELEASE,"/etc/SuSE-release");
-+ $release=<SUSE_RELEASE>;
-+ if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
-+ $distro="SE$1";
-+ }
-+ elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
-+ $distro="SESLES$1";
-+ }
-+ elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
-+ $distro="SESLES$1";
-+ }
-+ elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
-+ $distro="SE$1";
-+ }
-+ else {
-+ print STDERR "$err Could not infer SuSE version! Setting to 10.3!\n";
-+ $distro="SE10.3";
- }
-+ close(SUSE_RELEASE);
-+ }
-+ elsif ( -e "/etc/turbolinux-release") {
-+ open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
-+ $release=<TURBOLINUX_RELEASE>;
-+ unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
-+ print STDERR "$err Could not infer TurboLinux version! Setting to 7.0!\n";
-+ $distro="TB7.0";
-+ }
- else {
-- # We're either on Mac OS X, HP-UX or an unsupported O/S.
-- if ( -x '/usr/bin/uname') {
-+ $distro="TB$1";
-+ }
-+ close(TURBOLINUX_RELEASE);
-+ }
-+ else {
-+ # We're either on Mac OS X, HP-UX or an unsupported O/S.
-+ if ( -x '/usr/bin/uname') {
- # uname is in /usr/bin on Mac OS X and HP-UX
-- $release=`/usr/bin/uname -sr`;
-- }
-- else {
-- print STDERR "$err Could not determine operating system version!\n";
-- $distro="unknown"
-- }
--
-- # Figure out what kind of system we're on.
-- if ($release ne "") {
-- if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
-- if ($1 == 6 ) {
-- $distro = "OSX10.2";
-- }
-- elsif ($1 == 7) {
-- $distro = "OSX10.3";
-- }
-- elsif ($1 == 8) {
-- $distro = "OSX10.3";
-- }
-- else {
-- $distro = "unknown";
-- }
-+ $release=`/usr/bin/uname -sr`;
-+ }
-+ else {
-+ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
-+ $distro="unknown";
-+ }
-+
-+ # Figure out what kind of system we're on.
-+ if ($release ne "") {
-+ if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
-+ if ($1 == 6 ) {
-+ $distro = "OSX10.2";
- }
-- elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
-- $distro="$1$2";
-+ elsif ($1 == 7) {
-+ $distro = "OSX10.3";
- }
-+ elsif ($1 == 8) {
-+ $distro = "OSX10.3";
-+ }
- else {
-- print STDERR "$err Could not determine operating system version!\n";
-- $distro="unknown";
-+ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
-+ $distro = "unknown";
- }
- }
-+ elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
-+ $distro="$1$2";
-+ }
-+ else {
-+ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
-+ $distro="unknown";
-+ }
- }
--
-- $GLOBAL_OS=$distro;
-- } elsif (not (defined $GLOBAL_OS)) {
-- print "ERROR: GLOBAL OS Scoping Issue\n";
-- } else {
-- $distro = $GLOBAL_OS;
- }
--
- return $distro;
- }
-
- ###################################################################################
--# &getActualDistro; #
-+# &getInferredDistro; #
- # #
- # This subroutine returns the actual os version in which is running on. This #
- # os version is independent of the --os switch feed to bastille. #
- # #
- ###################################################################################
--sub getActualDistro {
-- # set local variable to $GLOBAL_OS
-+sub getInferredDistro {
-+ if ($GLOBAL_INFERRED_OS eq "None") {
-+ $GLOBAL_INFERRED_OS = &InferDistro;
-+ }
-+ return $GLOBAL_INFERRED_OS;
-+}
-
-- if ($GLOBAL_ACTUAL_OS eq "None") {
-- my $os = $GLOBAL_OS;
-- # undef GLOBAL_OS so that the GetDistro routine will return
-- # the actualDistro, it might otherwise return the distro set
-- # by the --os switch.
-- $GLOBAL_OS = "None";
-- $GLOBAL_ACTUAL_OS = &GetDistro;
-- # reset the GLOBAL_OS variable
-- $GLOBAL_OS = $os;
-+sub GetDistro {
-+ if ($GLOBAL_OS eq "None") {
-+ return &getInferredDistro;
- }
-- return $GLOBAL_ACTUAL_OS;
-+ return $GLOBAL_OS;
- }
-+
- # These are helper routines which used to be included inside GetDistro
- sub is_OS_supported($) {
- my $os=$_[0];
-@@ -556,7 +545,8 @@
- "SE7.2","SE7.3", "SE8.0","SE8.1","SE9.0","SE9.1",
- "SE9.2","SE9.3","SE10.0","SE10.1","SE10.2","SE10.3",
- "SESLES8","SESLES9","SESLES10",
-- "TB7.0"
-+ "TB7.0",
-+ "Yocto"
- ],
-
- "HP-UX" => [
-@@ -882,23 +872,19 @@
- ###########################################################################
- sub ConfigureForDistro {
-
-- my $retval=1;
--
-- # checking to see if the os version given is in fact supported
- my $distro = &GetDistro;
-
-- # checking to see if the actual os version is in fact supported
-- my $actualDistro = &getActualDistro;
-+ my $inferredDistro = &getInferredDistro;
-+
-+ if (! ($inferredDistro eq $distro) ) {
-+ print STDERR "WARNING: Inferred distro $inferredDistro is not the same as specified distro $distro. Using specified distro.\n";
-+ }
-+
- $ENV{'LOCALE'}=''; # So that test cases checking for english results work ok.
-- if ((! &is_OS_supported($distro)) or (! &is_OS_supported($actualDistro)) ) {
-- # if either is not supported then print out a list of supported versions
-- if (! &is_OS_supported($distro)) {
-- print STDERR "$err '$distro' is not a supported operating system.\n";
-- }
-- else {
-- print STDERR "$err Bastille is unable to operate correctly on this\n";
-- print STDERR "$spc $distro operating system.\n";
-- }
-+
-+ if (! &is_OS_supported($distro)) {
-+ print STDERR "$err '$distro' is not a supported operating system.\n";
-+
- my %supportedOSHash = &getSupportedOSHash;
- print STDERR "$spc Valid operating system versions are as follows:\n";
-
-@@ -930,7 +916,7 @@
- # intend via setting the Perl umask
- umask(077);
-
-- &getFileAndServiceInfo($distro,$actualDistro);
-+ &getFileAndServiceInfo($distro,$distro);
-
- # &dumpFileInfo; # great for debuging file location issues
- # &dumpServiceInfo; # great for debuging service information issues
-@@ -942,7 +928,7 @@
- "$spc You must use Bastille\'s -n flag (for example:\n" .
- "$spc bastille -f -n) or \'touch $nodisclaim_file \'\n";
-
-- return $retval;
-+ return 1;
- }
-
-
-Index: Bastille/Bastille/LogAPI.pm
-===================================================================
---- Bastille.orig/Bastille/LogAPI.pm 2013-08-22 04:32:38.269968002 -0400
-+++ Bastille/Bastille/LogAPI.pm 2013-08-22 04:32:47.509968002 -0400
-@@ -111,7 +111,7 @@
- # do this here to prevent bootstrapping problem, where we need to
- # write an error that the errorlog location isn't defined.
- my $logdir="/var/log/Bastille";
-- if(&getActualDistro =~ "^HP-UX"){
-+ if(&getInferredDistro =~ "^HP-UX"){
- $logdir = "/var/opt/sec_mgmt/bastille/log/";
- }
-
diff --git a/recipes-security/bastille/files/remove_questions_text_file_references.patch b/recipes-security/bastille/files/remove_questions_text_file_references.patch
deleted file mode 100644
index bd094ee..0000000
--- a/recipes-security/bastille/files/remove_questions_text_file_references.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/OSMap/LINUX.bastille
-===================================================================
---- Bastille.orig/OSMap/LINUX.bastille 2008-01-25 18:31:35.000000000 -0500
-+++ Bastille/OSMap/LINUX.bastille 2013-08-22 04:48:32.677968002 -0400
-@@ -12,7 +12,6 @@
-
- bfile,InteractiveBastille,'/usr/sbin/InteractiveBastille'
- bfile,BastilleBackEnd,'/usr/sbin/BastilleBackEnd'
--bfile,Questions,'/usr/share/Bastille/Questions.txt'
- bfile,QuestionsModules,'/usr/share/Bastille/Modules.txt'
- bfile,TODO,'/var/log/Bastille/TODO'
- bfile,TODOFlag,'/var/log/Bastille/TODOFlag.txt'
-Index: Bastille/OSMap/OSX.bastille
-===================================================================
---- Bastille.orig/OSMap/OSX.bastille 2007-09-11 18:09:26.000000000 -0400
-+++ Bastille/OSMap/OSX.bastille 2013-08-22 04:48:47.245968001 -0400
-@@ -10,7 +10,6 @@
- bdir,share,'/usr/share/Bastille'
-
- bfile,BastilleBackEnd,'/var/root/Bastille/BastilleBackEnd'
--bfile,Questions,'/usr/share/Bastille/Questions.txt'
- bfile,QuestionsModules,'/usr/share/Bastille/Modules.txt'
- bfile,TODO,'/var/log/Bastille/TODO'
- bfile,TODOFlag,'/var/log/Bastille/TODOFlag.txt'
diff --git a/recipes-security/bastille/files/set_required_questions.py b/recipes-security/bastille/files/set_required_questions.py
deleted file mode 100755
index f306109..0000000
--- a/recipes-security/bastille/files/set_required_questions.py
+++ /dev/null
@@ -1,157 +0,0 @@
-#!/usr/bin/env python3
-
-#Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
-import argparse, os, shutil, sys, tempfile, traceback
-from os import path
-
-
-
-def get_config(lines):
- """
- From a sequence of lines retrieve the question file name, question identifier
- pairs.
- """
- for l in lines:
- if not l.startswith("#"):
- try:
- (coord, value) = l.split("=")
- try:
- (fname, ident) = coord.split(".")
- yield fname, ident
- except ValueError as e:
- raise ValueError("Badly formatted coordinates %s in line %s." % (coord, l.strip()))
- except ValueError as e:
- raise ValueError("Skipping badly formatted line %s, %s" % (l.strip(), e))
-
-
-
-def check_contains(line, name):
- """
- Check if the value field for REQUIRE_DISTRO contains the given name.
- @param name line The REQUIRE_DISTRO line
- @param name name The name to look for in the value field of the line.
- """
- try:
- (label, distros) = line.split(":")
- return name in distros.split()
- except ValueError as e:
- raise ValueError("Error splitting REQUIRE_DISTRO line: %s" % e)
-
-
-
-def add_requires(the_ident, distro, lines):
-
- """
- Yield a sequence of lines the same as lines except that where
- the_ident matches a question identifier change the REQUIRE_DISTRO so that
- it includes the specified distro.
-
- @param name the_ident The question identifier to be matched.
- @param name distro The distribution to added to the questions REQUIRE_DISTRO
- field.
- @param lines The sequence to be processed.
- """
- for l in lines:
- yield l
- if l.startswith("LABEL:"):
- try:
- (label, ident) = l.split(":")
- if ident.strip() == the_ident:
- break
- except ValueError as e:
- raise ValueError("Unexpected line %s in questions file." % l.strip())
- for l in lines:
- if l.startswith("REQUIRE_DISTRO"):
- if not check_contains(l, distro):
- yield l.rstrip() + " " + distro + "\n"
- else:
- yield l
- break;
- else:
- yield l
- for l in lines:
- yield l
-
-
-
-def xform_file(qfile, distro, qlabel):
- """
- Transform a Questions file.
- @param name qfile The designated questions file.
- @param name distro The distribution to add to the required distributions.
- @param name qlabel The question label for which the distro is to be added.
- """
- questions_in = open(qfile)
- questions_out = tempfile.NamedTemporaryFile(mode="w+", delete=False)
- for l in add_requires(qlabel, distro, questions_in):
- questions_out.write(l)
- questions_out.close()
- questions_in.close()
- shutil.copystat(qfile, questions_out.name)
- os.remove(qfile)
- shutil.move(questions_out.name, qfile)
-
-
-
-def handle_args(parser):
- parser.add_argument('config_file',
- help = "Configuration file path.")
- parser.add_argument('questions_dir',
- help = "Directory containing Questions files.")
- parser.add_argument('--distro', '-d',
- help = "The distribution, the default is Yocto.",
- default = "Yocto")
- parser.add_argument('--debug', '-b',
- help = "Print debug information.",
- action = 'store_true')
- return parser.parse_args()
-
-
-
-def check_args(args):
- args.config_file = os.path.abspath(args.config_file)
- args.questions_dir = os.path.abspath(args.questions_dir)
-
- if not os.path.isdir(args.questions_dir):
- raise ValueError("Specified Questions directory %s does not exist or is not a directory." % args.questions_dir)
-
- if not os.path.isfile(args.config_file):
- raise ValueError("Specified configuration file %s not found." % args.config_file)
-
-
-
-def main():
- opts = handle_args(argparse.ArgumentParser(description="A simple script that sets required questions based on the question/answer pairs in a configuration file."))
-
- try:
- check_args(opts)
- except ValueError as e:
- if opts.debug:
- traceback.print_exc()
- else:
- sys.exit("Fatal error:\n%s" % e)
-
-
- try:
- config_in = open(opts.config_file)
- for qfile, qlabel in get_config(config_in):
- questions_file = os.path.join(opts.questions_dir, qfile + ".txt")
- xform_file(questions_file, opts.distro, qlabel)
- config_in.close()
-
- except IOError as e:
- if opts.debug:
- traceback.print_exc()
- else:
- sys.exit("Fatal error reading or writing file:\n%s" % e)
- except ValueError as e:
- if opts.debug:
- traceback.print_exc()
- else:
- sys.exit("Fatal error:\n%s" % e)
-
-
-
-if __name__ == "__main__":
- main()
diff --git a/recipes-security/bastille/files/simplify_B_place.patch b/recipes-security/bastille/files/simplify_B_place.patch
deleted file mode 100644
index 307fdca..0000000
--- a/recipes-security/bastille/files/simplify_B_place.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/Bastille/API.pm
-===================================================================
---- Bastille.orig/Bastille/API.pm 2013-08-21 08:59:17.939950001 -0400
-+++ Bastille/Bastille/API.pm 2013-08-21 08:59:30.983950001 -0400
-@@ -1679,24 +1679,22 @@
-
- use File::Copy;
-
-- my $original_source=$source;
- $source = &getGlobal('BDIR', "share") . $source;
-- my $original_target=$target;
-
- if ( -e $target and -f $target ) {
-- &B_backup_file($original_target);
-- &B_log("ACTION","About to copy $original_source to $original_target -- had to backup target\n");
-+ &B_backup_file($target);
-+ &B_log("ACTION","About to copy $source to $target -- had to backup target\n");
- $had_to_backup_target=1;
- }
- $retval=copy($source,$target);
- if ($retval) {
-- &B_log("ACTION","placed file $original_source as $original_target\n");
-+ &B_log("ACTION","placed file $source as $target\n");
- #
- # We want to add a line to the &getGlobal('BFILE', "created-files") so that the
- # file we just put at $original_target gets deleted.
-- &B_revert_log(&getGlobal('BIN',"rm") . " $original_target\n");
-+ &B_revert_log(&getGlobal('BIN',"rm") . " $target\n");
- } else {
-- &B_log("ERROR","Failed to place $original_source as $original_target\n");
-+ &B_log("ERROR","Failed to place $source as $target\n");
- }
-
- # We add the file to the GLOBAL_SUMS hash if it is not already present
diff --git a/recipes-security/bastille/files/upgrade_options_processing.patch b/recipes-security/bastille/files/upgrade_options_processing.patch
deleted file mode 100644
index 4093867..0000000
--- a/recipes-security/bastille/files/upgrade_options_processing.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-Upstream Status: Inappropriate [No upstream maintenance]
-
-Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
-
----
-
-Index: Bastille/Bastille/API.pm
-===================================================================
---- Bastille.orig/Bastille/API.pm 2013-08-21 11:41:09.235950000 -0400
-+++ Bastille/Bastille/API.pm 2013-08-21 11:41:16.183950000 -0400
-@@ -271,9 +271,15 @@
- # setOptions takes six arguments, $GLOBAL_DEBUG, $GLOBAL_LOGONLY,
- # $GLOBAL_VERBOSE, $GLOBAL_AUDITONLY, $GLOBAL_AUDIT_NO_BROWSER, and GLOBAL_OS;
- ###########################################################################
--sub setOptions($$$$$$) {
-- ($GLOBAL_DEBUG,$GLOBAL_LOGONLY,$GLOBAL_VERBOSE,$GLOBAL_AUDITONLY,
-- $GLOBAL_AUDIT_NO_BROWSER,$GLOBAL_OS) = @_;
-+sub setOptions {
-+ my %opts = @_;
-+
-+ $GLOBAL_DEBUG = $opts{debug};
-+ $GLOBAL_LOGONLY = $opts{logonly};
-+ $GLOBAL_VERBOSE = $opts{verbose};
-+ $GLOBAL_AUDITONLY = $opts{auditonly};
-+ $GLOBAL_AUDIT_NO_BROWSER = $opts{audit_no_browser};
-+ $GLOBAL_OS = $opts{os};
- if ($GLOBAL_AUDIT_NO_BROWSER) {
- $GLOBAL_AUDITONLY = 1;
- }
-Index: Bastille/BastilleBackEnd
-===================================================================
---- Bastille.orig/BastilleBackEnd 2013-08-21 11:41:09.235950000 -0400
-+++ Bastille/BastilleBackEnd 2013-08-21 12:40:54.055950001 -0400
-@@ -50,15 +50,13 @@
- my $nodisclaim = 0;
- my $verbose = 0;
- my $force = 0;
--my $log_only = 0;
- my $debug = 0;
- my $alternate_config=undef;
-
- if( Getopt::Long::GetOptions( "n" => \$nodisclaim,
- "v" => \$verbose,
- "force" => \$force,
--# "log" => \$log_only, # broken
-- "f:s" => \$alternate_config,
-+ "f=s" => \$alternate_config,
- "debug" => \$debug) ) {
- $error = 0; # no parse error
-
-@@ -66,7 +64,9 @@
- $error = 1; # parse error
- }
-
--&setOptions($debug,$log_only,$verbose);
-+&setOptions(
-+ debug => $debug,
-+ verbose => $verbose);
- &ConfigureForDistro;
-
- if ( $error ) { # GetOptions couldn't parse all of the args
-Index: Bastille/InteractiveBastille
-===================================================================
---- Bastille.orig/InteractiveBastille 2013-08-21 11:41:09.235950000 -0400
-+++ Bastille/InteractiveBastille 2013-08-21 12:40:30.531950001 -0400
-@@ -234,8 +234,8 @@
- "a" => \$audit,
- "force" => \$force,
- "log" => \$log_only,
-- "os:s" => \$os_version,
-- "f:s" => \$alternate_config,
-+ "os=s" => \$os_version,
-+ "f=s" => \$alternate_config,
- "debug" => \$debug) ) {
- $error = 0; # no parse error
- } else {
-@@ -293,7 +293,13 @@
- $UseRequiresRules = 'N';
- }
-
--&setOptions($debug,$log_only,$verbose,$audit,$auditnobrowser,$os_version);
-+&setOptions(
-+ debug => $debug,
-+ logonly => $log_only,
-+ verbose => $verbose,
-+ auditonly => $audit,
-+ audit_no_browser => $auditnobrowser,
-+ os => $os_version);
- &ConfigureForDistro;
-
- # ensuring mutually exclusive options are exclusive
diff --git a/recipes-security/chipsec/chipsec_1.9.1.bb b/recipes-security/chipsec/chipsec_1.9.1.bb
new file mode 100644
index 0000000..9fbdaa7
--- /dev/null
+++ b/recipes-security/chipsec/chipsec_1.9.1.bb
@@ -0,0 +1,34 @@
+SUMMARY = "CHIPSEC: Platform Security Assessment Framework"
+
+DESCRIPTION = "CHIPSEC is a framework for analyzing the security \
+ of PC platforms including hardware, system firmware \
+ (BIOS/UEFI), and platform components."
+
+LICENSE = "GPL-2.0-only"
+LIC_FILES_CHKSUM = "file://COPYING;md5=bc2d1f9b427be5fb63f6af9da56f7c5d"
+
+DEPENDS = "virtual/kernel nasm-native"
+
+SRC_URI = "git://github.com/chipsec/chipsec.git;branch=main;protocol=https"
+SRCREV = "d8c2a606bf440c32196c6289a7a458f3ae3107cc"
+
+S = "${WORKDIR}/git"
+
+inherit module setuptools3
+
+EXTRA_OEMAKE = "CC='${CC}' LDFLAGS='${LDFLAGS}' CFLAGS='${CFLAGS}'"
+
+do_compile:append() {
+ cd ${S}/drivers/linux
+ oe_runmake KSRC=${STAGING_KERNEL_BUILDDIR}
+}
+
+do_install:append() {
+ install -m 0644 ${S}/drivers/linux/chipsec.ko ${D}${PYTHON_SITEPACKAGES_DIR}/chipsec/helper/linux
+}
+
+COMPATIBLE_HOST = "(i.86|x86_64).*-linux"
+
+FILES:${PN} += "${exec_prefix}"
+
+RDEPENDS:${PN} = "python3 python3-modules"
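Review bot: `install -m 0644 ${S}/drivers/linux/chipsec.ko ${D}${PYTHON_SITEPACKAGES_DIR}/chipsec/helper/linux` relies on the setuptools install having already created that directory; if it has not, install writes the module to a regular file named `linux`. `install -D -m 0644 ${S}/drivers/linux/chipsec.ko ${D}${PYTHON_SITEPACKAGES_DIR}/chipsec/helper/linux/chipsec.ko` pins the destination either way. `FILES:${PN} += "${exec_prefix}"` packages the whole prefix; listing the site-packages path instead keeps the package contents explicit and makes it visible that the .ko is shipped outside `/lib/modules`, so the `module` class's depmod and kernel-module packaging presumably do not cover it. A one-line comment on the install, e.g. `# chipsec's Linux helper loads the driver from its own package directory, not from /lib/modules`, would tell the next maintainer why the module lives there.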
diff --git a/recipes-security/cryptmount/cryptmount_6.2.0.bb b/recipes-security/cryptmount/cryptmount_6.2.0.bb
new file mode 100644
index 0000000..d69d88b
--- /dev/null
+++ b/recipes-security/cryptmount/cryptmount_6.2.0.bb
@@ -0,0 +1,36 @@
+SUMMARY = "Linux encrypted filesystem management tool"
+HOMEPAGE = "http://cryptmount.sourceforge.net/"
+LIC_FILES_CHKSUM = "file://COPYING;beginline=1;endline=4;md5=6e69c425bf32ecf9b1e11d29d146d03d"
+LICENSE = "GPL-2.0-only"
+SRC_URI = "https://sourceforge.net/projects/cryptmount/files/${BPN}/${BPN}-6.2/${BPN}-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "90cc49fd598d636929c70479b1305f12b011edadf4a54578ace6c0fca8cb5ed2"
+
+inherit autotools-brokensep gettext pkgconfig systemd
+
+EXTRA_OECONF = " --enable-cswap --enable-fsck --enable-argv0switch"
+
+PACKAGECONFIG ?="intl luks gcrypt nls"
+PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
+
+PACKAGECONFIG[systemd] = "--with-systemd, --without-systemd, systemd"
+PACKAGECONFIG[intl] = "--with-libintl-prefix, --without-libintl-prefix"
+PACKAGECONFIG[gcrypt] = "--with-libgcrypt, --without-libgcrypt, libgcrypt"
+PACKAGECONFIG[luks] = "--enable-luks, --disable-luks, cryptsetup"
+PACKAGECONFIG[nls] = "--enable-nls, --disable-nls, "
+
+SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE:${PN} = "cryptmount.service"
+
+do_install:append () {
+ if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+ install -D -m 0644 ${S}/sysinit/cryptmount.service ${D}${systemd_system_unitdir}/cryptmount.service
+ if ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','false','true',d)}; then
+ rm -fr ${D}/usr/lib
+ fi
+ fi
+}
+
+FILES:${PN} += "${systemd_system_unitdir}"
+
+RDEPENDS:${PN} = "libdevmapper"
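Review bot: `rm -fr ${D}/usr/lib` in do_install:append deletes the entire staged /usr/lib tree and hardcodes the path, although it is presumably only meant to drop the unit the upstream install writes under /usr/lib/systemd when `${systemd_system_unitdir}` resolves to /lib/systemd/system on non-usrmerge distros. Narrowing it to `rm -rf ${D}${prefix}/lib/systemd` and adding `# upstream installs the unit under ${prefix}/lib/systemd; the -D install above already placed it in ${systemd_system_unitdir}` keeps the clean-up from swallowing anything else that lands in /usr/lib. `PACKAGECONFIG ?="intl luks gcrypt nls"` is missing the space after `?=` (style only; BitBake parses it).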
diff --git a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
index 4a99b5a..00e8997 100644
--- a/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
+++ b/recipes-security/ecryptfs-utils/ecryptfs-utils_111.bb
@@ -6,7 +6,7 @@ DESCRIPTION = "eCryptfs is a stacked cryptographic filesystem \
HOMEPAGE = "https://launchpad.net/ecryptfs"
SECTION = "base"
-LICENSE = "GPL-2.0"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=8ca43cbc842c2336e835926c2166c28b"
DEPENDS = "keyutils libgcrypt intltool-native glib-2.0-native"
@@ -22,10 +22,12 @@ SRC_URI = "\
SRC_URI[md5sum] = "83513228984f671930752c3518cac6fd"
SRC_URI[sha256sum] = "112cb3e37e81a1ecd8e39516725dec0ce55c5f3df6284e0f4cc0f118750a987f"
+UPSTREAM_CHECK_URI = "https://launchpad.net/ecryptfs/+download"
+
inherit autotools pkgconfig systemd
SYSTEMD_PACKAGES = "${PN}"
-SYSTEMD_SERVICE_${PN} = "ecryptfs.service"
+SYSTEMD_SERVICE:${PN} = "ecryptfs.service"
EXTRA_OECONF = "\
--libdir=${base_libdir} \
@@ -41,7 +43,7 @@ PACKAGECONFIG ??= "nss \
PACKAGECONFIG[nss] = "--enable-nss,--disable-nss,nss,"
PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,"
-do_configure_prepend() {
+do_configure:prepend() {
export NSS_CFLAGS="-I${STAGING_INCDIR}/nspr -I${STAGING_INCDIR}/nss3"
export NSS_LIBS="-L${STAGING_BASELIBDIR} -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lnssutil3"
export KEYUTILS_CFLAGS="-I${STAGING_INCDIR}"
@@ -49,7 +51,7 @@ do_configure_prepend() {
sed -i -e "s;rootsbindir=\"/sbin\";rootsbindir=\"\${base_sbindir}\";g" ${S}/configure.ac
}
-do_install_append() {
+do_install:append() {
chmod 4755 ${D}${base_sbindir}/mount.ecryptfs_private
# ${base_libdir} is identical to ${libdir} when usrmerge enabled
if ! ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then
@@ -64,7 +66,7 @@ do_install_append() {
fi
}
-FILES_${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"
+FILES:${PN} += "${base_libdir}/security/* ${base_libdir}/ecryptfs/*"
-RDEPENDS_${PN} += "cryptsetup"
-RRECOMMENDS_${PN} = "gettext-runtime"
+RDEPENDS:${PN} += "cryptsetup"
+RRECOMMENDS:${PN} = "gettext-runtime"
diff --git a/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch b/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
index 3b29be0..01b7dd8 100644
--- a/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
+++ b/recipes-security/ecryptfs-utils/files/define_musl_sword_type.patch
@@ -1,3 +1,5 @@
+Upstream-Status: Pending
+
Index: ecryptfs-utils-111/src/utils/mount.ecryptfs_private.c
===================================================================
--- ecryptfs-utils-111.orig/src/utils/mount.ecryptfs_private.c
diff --git a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
index 4252f97..a457d79 100644
--- a/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
+++ b/recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
@@ -14,7 +14,7 @@ the patch comes from:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6224
https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/882
-Upstream-Status: backport
+Upstream-Status: Backport
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
diff --git a/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch b/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
deleted file mode 100644
index 7f0812c..0000000
--- a/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From fe3436d65518099d35c643848cba50253abc249c Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@cn.fujitsu.com>
-Date: Thu, 9 May 2019 14:44:51 +0900
-Subject: [PATCH] To fix build error of xrange.
-
-NameError: name 'xrange' is not defined
-
-Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
----
- fail2ban/__init__.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fail2ban/__init__.py b/fail2ban/__init__.py
-index fa6dcf7..61789a4 100644
---- a/fail2ban/__init__.py
-+++ b/fail2ban/__init__.py
-@@ -82,7 +82,7 @@ strptime("2012", "%Y")
-
- # short names for pure numeric log-level ("Level 25" could be truncated by short formats):
- def _init():
-- for i in xrange(50):
-+ for i in range(50):
- if logging.getLevelName(i).startswith('Level'):
- logging.addLevelName(i, '#%02d-Lev.' % i)
- _init()
---
-2.7.4
-
diff --git a/recipes-security/fail2ban/files/fail2ban_setup.py b/recipes-security/fail2ban/files/fail2ban_setup.py
deleted file mode 100755
index e231949..0000000
--- a/recipes-security/fail2ban/files/fail2ban_setup.py
+++ /dev/null
@@ -1,174 +0,0 @@
-# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
-# vi: set ft=python sts=4 ts=4 sw=4 noet :
-
-# This file is part of Fail2Ban.
-#
-# Fail2Ban is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# Fail2Ban is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Fail2Ban; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-
-__author__ = "Cyril Jaquier, Steven Hiscocks, Yaroslav Halchenko"
-__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2008-2016 Fail2Ban Contributors"
-__license__ = "GPL"
-
-import platform
-
-try:
- import setuptools
- from setuptools import setup
- from setuptools.command.install import install
- from setuptools.command.install_scripts import install_scripts
-except ImportError:
- setuptools = None
- from distutils.core import setup
-
-# all versions
-from distutils.command.build_py import build_py
-from distutils.command.build_scripts import build_scripts
-if setuptools is None:
- from distutils.command.install import install
- from distutils.command.install_scripts import install_scripts
-try:
- # python 3.x
- from distutils.command.build_py import build_py_2to3
- from distutils.command.build_scripts import build_scripts_2to3
- _2to3 = True
-except ImportError:
- # python 2.x
- _2to3 = False
-
-import os
-from os.path import isfile, join, isdir, realpath
-import sys
-import warnings
-from glob import glob
-
-from fail2ban.setup import updatePyExec
-
-if setuptools and "test" in sys.argv:
- import logging
- logSys = logging.getLogger("fail2ban")
- hdlr = logging.StreamHandler(sys.stdout)
- fmt = logging.Formatter("%(asctime)-15s %(message)s")
- hdlr.setFormatter(fmt)
- logSys.addHandler(hdlr)
- if set(["-q", "--quiet"]) & set(sys.argv):
- logSys.setLevel(logging.CRITICAL)
- warnings.simplefilter("ignore")
- sys.warnoptions.append("ignore")
- elif set(["-v", "--verbose"]) & set(sys.argv):
- logSys.setLevel(logging.DEBUG)
- else:
- logSys.setLevel(logging.INFO)
-elif "test" in sys.argv:
- print("python distribute required to execute fail2ban tests")
- print("")
-
-longdesc = '''
-Fail2Ban scans log files like /var/log/pwdfail or
-/var/log/apache/error_log and bans IP that makes
-too many password failures. It updates firewall rules
-to reject the IP address or executes user defined
-commands.'''
-
-if setuptools:
- setup_extra = {
- 'test_suite': "fail2ban.tests.utils.gatherTests",
- 'use_2to3': True,
- }
-else:
- setup_extra = {}
-
-data_files_extra = []
-
-# Installing documentation files only under Linux or other GNU/ systems
-# (e.g. GNU/kFreeBSD), since others might have protective mechanisms forbidding
-# installation there (see e.g. #1233)
-platform_system = platform.system().lower()
-doc_files = ['README.md', 'DEVELOP', 'FILTERS', 'doc/run-rootless.txt']
-if platform_system in ('solaris', 'sunos'):
- doc_files.append('README.Solaris')
-if platform_system in ('linux', 'solaris', 'sunos') or platform_system.startswith('gnu'):
- data_files_extra.append(
- ('/usr/share/doc/fail2ban', doc_files)
- )
-
-# Get version number, avoiding importing fail2ban.
-# This is due to tests not functioning for python3 as 2to3 takes place later
-exec(open(join("fail2ban", "version.py")).read())
-
-setup(
- name = "fail2ban",
- version = version,
- description = "Ban IPs that make too many password failures",
- long_description = longdesc,
- author = "Cyril Jaquier & Fail2Ban Contributors",
- author_email = "cyril.jaquier@fail2ban.org",
- url = "http://www.fail2ban.org",
- license = "GPL",
- platforms = "Posix",
- cmdclass = {
- 'build_py': build_py, 'build_scripts': build_scripts,
- },
- scripts = [
- 'bin/fail2ban-client',
- 'bin/fail2ban-server',
- 'bin/fail2ban-regex',
- 'bin/fail2ban-testcases',
- # 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper
- ],
- packages = [
- 'fail2ban',
- 'fail2ban.client',
- 'fail2ban.server',
- 'fail2ban.tests',
- 'fail2ban.tests.action_d',
- ],
- package_data = {
- 'fail2ban.tests':
- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
- for w in os.walk('fail2ban/tests/files')
- for f in w[2]] +
- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
- for w in os.walk('fail2ban/tests/config')
- for f in w[2]] +
- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
- for w in os.walk('fail2ban/tests/action_d')
- for f in w[2]]
- },
- data_files = [
- ('/etc/fail2ban',
- glob("config/*.conf")
- ),
- ('/etc/fail2ban/filter.d',
- glob("config/filter.d/*.conf")
- ),
- ('/etc/fail2ban/filter.d/ignorecommands',
- [p for p in glob("config/filter.d/ignorecommands/*") if isfile(p)]
- ),
- ('/etc/fail2ban/action.d',
- glob("config/action.d/*.conf") +
- glob("config/action.d/*.py")
- ),
- ('/etc/fail2ban/fail2ban.d',
- ''
- ),
- ('/etc/fail2ban/jail.d',
- ''
- ),
- ('/var/lib/fail2ban',
- ''
- ),
- ] + data_files_extra,
- **setup_extra
-)
diff --git a/recipes-security/fail2ban/files/initd b/recipes-security/fail2ban/files/initd
deleted file mode 100644
index 586b3da..0000000
--- a/recipes-security/fail2ban/files/initd
+++ /dev/null
@@ -1,98 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides: fail2ban
-# Required-Start: $local_fs $remote_fs
-# Required-Stop: $local_fs $remote_fs
-# Should-Start: $time $network $syslog iptables firehol shorewall ferm
-# Should-Stop: $network $syslog iptables firehol shorewall ferm
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Start/Stop fail2ban
-# Description: Start/Stop fail2ban, a daemon to ban hosts that cause multiple authentication errors
-### END INIT INFO
-
-# Source function library.
-. /etc/init.d/functions
-
-# Check that the config file exists
-[ -f /etc/fail2ban/fail2ban.conf ] || exit 0
-
-check_privsep_dir() {
- # Create the PrivSep empty dir if necessary
- if [ ! -d /var/run/fail2ban ]; then
- mkdir /var/run/fail2ban
- chmod 0755 /var/run/fail2ban
- fi
-}
-
-FAIL2BAN="/usr/bin/fail2ban-client"
-prog=fail2ban-server
-lockfile=${LOCKFILE-/var/lock/subsys/fail2ban}
-socket=${SOCKET-/var/run/fail2ban/fail2ban.sock}
-pidfile=${PIDFILE-/var/run/fail2ban/fail2ban.pid}
-RETVAL=0
-
-start() {
- echo -n $"Starting fail2ban: "
- check_privsep_dir
- ${FAIL2BAN} -x start > /dev/null
- RETVAL=$?
- if [ $RETVAL = 0 ]; then
- touch ${lockfile}
- success
- else
- failure
- fi
- echo
- return $RETVAL
-}
-
-stop() {
- echo -n $"Stopping fail2ban: "
- ${FAIL2BAN} stop > /dev/null
- RETVAL=$?
- if [ $RETVAL = 0 ]; then
- rm -f ${lockfile} ${pidfile}
- success
- else
- failure
- fi
- echo
- return $RETVAL
-}
-
-reload() {
- echo "Reloading fail2ban: "
- ${FAIL2BAN} reload
- RETVAL=$?
- echo
- return $RETVAL
-}
-
-# See how we were called.
-case "$1" in
- start)
- status -p ${pidfile} ${prog} >/dev/null 2>&1 && exit 0
- start
- ;;
- stop)
- stop
- ;;
- reload)
- reload
- ;;
- restart)
- stop
- start
- ;;
- status)
- status -p ${pidfile} ${prog}
- RETVAL=$?
- [ $RETVAL = 0 ] && ${FAIL2BAN} status
- ;;
- *)
- echo $"Usage: fail2ban {start|stop|restart|reload|status}"
- RETVAL=2
-esac
-
-exit $RETVAL
diff --git a/recipes-security/fail2ban/files/run-ptest b/recipes-security/fail2ban/files/run-ptest
deleted file mode 100644
index 64d07d5..0000000
--- a/recipes-security/fail2ban/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-##PYTHON## bin/fail2ban-testcases
diff --git a/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb b/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
deleted file mode 100644
index b480c76..0000000
--- a/recipes-security/fail2ban/python3-fail2ban_0.11.2.bb
+++ /dev/null
@@ -1,53 +0,0 @@
-SUMMARY = "Daemon to ban hosts that cause multiple authentication errors."
-DESCRIPTION = "Fail2Ban scans log files like /var/log/auth.log and bans IP addresses having too \
-many failed login attempts. It does this by updating system firewall rules to reject new \
-connections from those IP addresses, for a configurable amount of time. Fail2Ban comes \
-out-of-the-box ready to read many standard log files, such as those for sshd and Apache, \
-and is easy to configure to read any log file you choose, for any error you choose."
-HOMEPAGE = "http://www.fail2ban.org"
-
-LICENSE = "GPL-2.0"
-LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
-
-SRCREV ="eea1881b734b73599a21df2bfbe58b11f78d0a46"
-SRC_URI = " git://github.com/fail2ban/fail2ban.git;branch=0.11 \
- file://initd \
- file://fail2ban_setup.py \
- file://run-ptest \
-"
-
-inherit update-rc.d ptest setuptools3
-
-S = "${WORKDIR}/git"
-
-do_compile_prepend () {
- cp ${WORKDIR}/fail2ban_setup.py ${S}/setup.py
- cd ${S}
- ./fail2ban-2to3
-}
-
-do_install_append () {
- install -d ${D}/${sysconfdir}/fail2ban
- install -d ${D}/${sysconfdir}/init.d
- install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
- chown -R root:root ${D}/${bindir}
-}
-
-do_install_ptest_append () {
- install -d ${D}${PTEST_PATH}
- install -d ${D}${PTEST_PATH}/bin
- sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
- install -D ${S}/bin/* ${D}${PTEST_PATH}/bin
-}
-
-FILES_${PN} += "/run"
-
-INITSCRIPT_PACKAGES = "${PN}"
-INITSCRIPT_NAME = "fail2ban-server"
-INITSCRIPT_PARAMS = "defaults 25"
-
-INSANE_SKIP_${PN}_append = "already-stripped"
-
-RDEPENDS_${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables sqlite3 python3-core python3-pyinotify"
-RDEPENDS_${PN} += " python3-logging python3-fcntl python3-json"
-RDEPENDS_${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
diff --git a/recipes-security/fscrypt/fscrypt_1.1.0.bb b/recipes-security/fscrypt/fscrypt_1.1.0.bb
new file mode 100644
index 0000000..ea9593b
--- /dev/null
+++ b/recipes-security/fscrypt/fscrypt_1.1.0.bb
@@ -0,0 +1,51 @@
+SUMMARY = "fscrypt is a high-level tool for the management of Linux filesystem encryption"
+DESCIPTION = "fscrypt manages metadata, key generation, key wrapping, PAM integration, \
+and provides a uniform interface for creating and modifying encrypted directories. For \
+a small, low-level tool that directly sets policies, see fscryptctl \
+(https://github.com/google/fscryptcl)."
+HOMEPAGE = "https://github.com/google/fscrypt"
+SECTION = "base"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://src/${GO_IMPORT}/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+# fscrypt depends on go and libpam
+DEPENDS += "go-native libpam"
+
+SRCREV = "7c80c73c084ce9ea49a03b814dac7a82fd7b4c23"
+SRC_URI = "git://github.com/google/fscrypt.git;branch=master;protocol=https"
+
+GO_IMPORT = "import"
+
+inherit go goarch features_check
+
+REQUIRED_DISTRO_FEATURES = "pam"
+
+S = "${WORKDIR}/git"
+
+do_compile() {
+ export GOARCH=${TARGET_GOARCH}
+ export GOROOT="${STAGING_LIBDIR_NATIVE}/${TARGET_SYS}/go"
+ export GOPATH="${WORKDIR}/git"
+
+ # Pass the needed cflags/ldflags so that cgo
+ # can find the needed headers files and libraries
+ export CGO_ENABLED="1"
+ export CGO_CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+ export CGO_LDFLAGS="${LDFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+
+ cd ${S}/src/${GO_IMPORT}
+ oe_runmake
+
+ # Golang forces permissions to 0500 on directories and 0400 on files in
+ # the module cache which prevents us from easily cleaning up the build
+ # directory. Let's just fix the permissions here so we don't have to
+ # hack the clean tasks.
+ chmod -R u+w ${S}/pkg/mod
+}
+
+do_install() {
+ install -d ${D}/${bindir}
+ install ${S}/src/${GO_IMPORT}/bin/fscrypt ${D}/${bindir}/fscrypt
+}
+
+BBCLASSEXTEND = "native nativesdk"
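Review bot: `SRCREV = "7c80c73c084ce9ea49a03b814dac7a82fd7b4c23"` is the same commit id that the fscryptctl hunk below pins for a different repository, and two repositories do not share a commit, so one of the two values is presumably a copy-paste error that will either fail to fetch or build the wrong tree. `DESCIPTION` on the second line is misspelled, so BitBake stores the text in an unused variable and the recipe ends up with no DESCRIPTION. `GO_IMPORT = "import"` is not an import path; a comment such as `# not a real import path: only selects the ${S}/src/import checkout directory the go class expects` would explain the hack. The comment about the module cache under `${S}/pkg/mod` suggests `oe_runmake` lets go download modules during do_compile; if so, that bypasses the fetcher's pinning and offline builds and is worth confirming, then vendoring or listing those modules in SRC_URI.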
diff --git a/recipes-security/fscryptctl/fscryptctl_1.0.0.bb b/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
index df76a3d..3de2bfa 100644
--- a/recipes-security/fscryptctl/fscryptctl_1.0.0.bb
+++ b/recipes-security/fscryptctl/fscryptctl_1.1.0.bb
@@ -9,16 +9,21 @@ SECTION = "base"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
-SRCREV = "56b898c896240328adef7407090215abbe9ee03d"
-SRC_URI = "git://github.com/google/fscryptctl.git"
+SRCREV = "7c80c73c084ce9ea49a03b814dac7a82fd7b4c23"
+SRC_URI = "git://github.com/google/fscryptctl.git;branch=master;protocol=https"
S = "${WORKDIR}/git"
+do_compile:prepend() {
+ sed -i 's/fscryptctl\.1//g' ${S}/Makefile
+ sed -i 's/install-man//g' ${S}/Makefile
+}
+
do_install() {
oe_runmake DESTDIR=${D} PREFIX=/usr install
}
-RRECOMMENDS_${PN} += "\
+RRECOMMENDS:${PN} += "\
keyutils \
kernel-module-cbc \
kernel-module-cts \
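Review bot: The two `sed -i` edits in do_compile:prepend rewrite the upstream Makefile to drop the man page without saying why, so the next version bump cannot tell whether they are still needed. A comment above them, e.g. `# drop fscryptctl.1 from the build and install targets; the man page generator is not available here (confirm on next bump)`, hedged until the actual reason is verified, would make the edit maintainable. The SRCREV on this hunk is discussed in the fscrypt note above.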
diff --git a/recipes-security/glome/glome_git.bb b/recipes-security/glome/glome_git.bb
new file mode 100644
index 0000000..8787ddc
--- /dev/null
+++ b/recipes-security/glome/glome_git.bb
@@ -0,0 +1,24 @@
+SUMMARY = "GLOME Login Client"
+HOME_PAGE = "https://github.com/google/glome"
+DESCRIPTION = "GLOME is used to authorize serial console access to Linux machines"
+PV = "0.1+git${SRCPV}"
+
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
+
+inherit meson pkgconfig
+
+DEPENDS += "openssl"
+
+S = "${WORKDIR}/git"
+SRC_URI = "git://github.com/google/glome.git;branch=master;protocol=https"
+SRCREV = "48d28f82bd51ae4bccc84fbbee93c375b026596b"
+
+FILES:${PN} += "${libdir}/security"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[glome-cli] = "-Dglome-cli=true,-Dglome-cli=false"
+PACKAGECONFIG[pam-glome] = "-Dpam-glome=true,-Dpam-glome=false,libpam"
+
+EXTRA_OEMESON = "-Dtests=false"
+
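Review bot: `HOME_PAGE = "https://github.com/google/glome"` is not a BitBake metadata variable; the field is `HOMEPAGE`, so the value is silently ignored. The same misspelling is visible as context in the google-authenticator-libpam hunk below. With `PACKAGECONFIG ??= ""` neither the CLI nor the PAM module is built by default, so `FILES:${PN} += "${libdir}/security"` only takes effect when `pam-glome` is enabled — a comment on that line saying so would save the reader a lookup.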
diff --git a/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb b/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
index f9ca092..8a0b1ee 100644
--- a/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.08.bb
+++ b/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb
@@ -3,8 +3,8 @@ HOME_PAGE = "https://github.com/google/google-authenticator-libpam"
LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
LICENSE = "Apache-2.0"
-SRC_URI = "git://github.com/google/google-authenticator-libpam.git"
-SRCREV = "2c7415d950fb0b4a7f779f045910666447b100ef"
+SRC_URI = "git://github.com/google/google-authenticator-libpam.git;branch=master;protocol=https"
+SRCREV = "962f353aac6cfc7b804547319db40f8b804f0b6c"
DEPENDS = "libpam"
@@ -18,6 +18,6 @@ REQUIRED_DISTRO_FEATURES = "pam"
EXTRA_OECONF = "--libdir=${base_libdir}"
PACKAGES += "pam-google-authenticator"
-FILES_pam-google-authenticator = "${base_libdir}/security/pam_google_authenticator.so"
+FILES:pam-google-authenticator = "${base_libdir}/security/pam_google_authenticator.so"
RDEPNEDS_pam-google-authenticator = "libpam"
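Review bot: The override-syntax conversion in this hunk stops one line short: the context line `RDEPNEDS_pam-google-authenticator = "libpam"` directly below the changed FILES line is both misspelled and still in the old underscore form, so the libpam runtime dependency of the pam-google-authenticator package is never applied. Since the commit is already touching the adjacent line of the renamed recipe, it should fix this one too: `RDEPENDS:pam-google-authenticator = "libpam"`. The SRC_URI/SRCREV hunk above is a straight version bump and needs nothing further.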
diff --git a/recipes-security/isic/files/configure_fix.patch b/recipes-security/isic/files/configure_fix.patch
index fc2a774..ed2bf7a 100644
--- a/recipes-security/isic/files/configure_fix.patch
+++ b/recipes-security/isic/files/configure_fix.patch
@@ -1,6 +1,7 @@
isic: add with-libnet remove libnet test
-Inappropriate - builds fine on non-oe systems. We need to exlude
+Upstream-Status: Inappropriate [embedded specific]
+builds fine on non-oe systems. We need to exlude
cross compile libnet test. Pass in the location for libnet.a. Path
did not support mulitlib either.
diff --git a/recipes-security/isic/files/isic-0.07-make.patch b/recipes-security/isic/files/isic-0.07-make.patch
index 9cffa8a..94349ce 100644
--- a/recipes-security/isic/files/isic-0.07-make.patch
+++ b/recipes-security/isic/files/isic-0.07-make.patch
@@ -1,6 +1,6 @@
isic: Fixup makefile to support destination
-Backport:
+Upstream-Status: Backport
http://pkgs.fedoraproject.org/cgit/isic.git/tree/isic-0.07-make.patch
Signed-off-by: Armin Kuster <akuser808@gmail.com>
diff --git a/recipes-security/isic/files/isic-0.07-netinet.patch b/recipes-security/isic/files/isic-0.07-netinet.patch
index c4ea74e..448ba68 100644
--- a/recipes-security/isic/files/isic-0.07-netinet.patch
+++ b/recipes-security/isic/files/isic-0.07-netinet.patch
@@ -1,6 +1,6 @@
isic: add missing header file
-Backport:
+Upstream-Status: Backport
http://pkgs.fedoraproject.org/cgit/isic.git/tree/isic-0.07-netinet.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
diff --git a/recipes-security/isic/isic_0.07.bb b/recipes-security/isic/isic_0.07.bb
index fb6e904..28153e3 100644
--- a/recipes-security/isic/isic_0.07.bb
+++ b/recipes-security/isic/isic_0.07.bb
@@ -2,7 +2,7 @@ SUMMARY = "ISIC -- IP Stack Integrity Checker"
DESCRIPTION = "ISIC is a suite of utilities to exercise the stability of an IP Stack and its component stacks (TCP, UDP, ICMP et. al.)"
HOMEPAGE = "http://isic.sourceforge.net/"
SECTION = "security"
-LICENSE = "BSD"
+LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=d41d8cd98f00b204e9800998ecf8427e"
DEPENDS = "libnet"
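Review bot: Tightening LICENSE to `BSD-2-Clause` is only as good as the LIC_FILES_CHKSUM beside it, and the checksum `d41d8cd98f00b204e9800998ecf8427e` on the context line below is the MD5 of an empty file, so the license check passes against an empty LICENSE and would not notice if upstream ships different terms. While the license field is being corrected, the checksum should be regenerated from the actual license text in the source tree (or LIC_FILES_CHKSUM pointed at the file that carries it, with the md5 of that content), so the stated SPDX identifier is actually verified at build time.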
diff --git a/recipes-security/krill/files/panic_workaround.patch b/recipes-security/krill/files/panic_workaround.patch
new file mode 100644
index 0000000..f63169f
--- /dev/null
+++ b/recipes-security/krill/files/panic_workaround.patch
@@ -0,0 +1,16 @@
+Upstream-Status: Inappropriate [OE specific]
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Index: git/Cargo.toml
+===================================================================
+--- git.orig/Cargo.toml
++++ git/Cargo.toml
+@@ -91,7 +91,7 @@ hsm-tests-pkcs11 = [ "hsm" ]
+ # Make sure that Krill crashes on panics, rather than losing threads and
+ # limping on in a bad state.
+ [profile.release]
+-panic = "abort"
++#panic = "abort"
+
+ [dev-dependencies]
+ regex = "1.5.5"
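Review bot: The patch header gives no reason for commenting out `panic = "abort"`, while the upstream comment it leaves in place explains precisely why that setting exists: so the daemon crashes on a panic instead of limping on with a lost thread in a bad state. For an RPKI CA that is a deliberate failure-safety choice, and dropping it means a panicked worker leaves a still-running but degraded process that supervisors and health checks may not notice. The header should state what OE build problem the change works around and when it can be dropped, e.g. a line after Upstream-Status such as `Workaround: <reason the abort profile breaks the OE build — fill in>; revisit when <condition>`, and if the problem is build-only it is worth checking whether it can be solved without altering the release profile's runtime behaviour.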
diff --git a/recipes-security/krill/krill-crates.inc b/recipes-security/krill/krill-crates.inc
new file mode 100644
index 0000000..85830ec
--- /dev/null
+++ b/recipes-security/krill/krill-crates.inc
@@ -0,0 +1,550 @@
+# Autogenerated with 'bitbake -c update_crates krill'
+
+# from Cargo.lock
+SRC_URI += " \
+ crate://crates.io/addr2line/0.17.0;name=addr2line-0.17.0 \
+ crate://crates.io/adler/1.0.2;name=adler-1.0.2 \
+ crate://crates.io/adler32/1.2.0;name=adler32-1.2.0 \
+ crate://crates.io/aho-corasick/0.7.18;name=aho-corasick-0.7.18 \
+ crate://crates.io/android_system_properties/0.1.5;name=android_system_properties-0.1.5 \
+ crate://crates.io/ansi_term/0.12.1;name=ansi_term-0.12.1 \
+ crate://crates.io/ascii/1.0.0;name=ascii-1.0.0 \
+ crate://crates.io/ascii-canvas/3.0.0;name=ascii-canvas-3.0.0 \
+ crate://crates.io/atty/0.2.14;name=atty-0.2.14 \
+ crate://crates.io/autocfg/1.1.0;name=autocfg-1.1.0 \
+ crate://crates.io/backoff/0.3.0;name=backoff-0.3.0 \
+ crate://crates.io/backtrace/0.3.66;name=backtrace-0.3.66 \
+ crate://crates.io/base64/0.13.0;name=base64-0.13.0 \
+ crate://crates.io/basic-cookies/0.1.4;name=basic-cookies-0.1.4 \
+ crate://crates.io/bcder/0.7.0;name=bcder-0.7.0 \
+ crate://crates.io/bit-set/0.5.2;name=bit-set-0.5.2 \
+ crate://crates.io/bit-vec/0.6.3;name=bit-vec-0.6.3 \
+ crate://crates.io/bitflags/1.3.2;name=bitflags-1.3.2 \
+ crate://crates.io/block-buffer/0.9.0;name=block-buffer-0.9.0 \
+ crate://crates.io/block-buffer/0.10.2;name=block-buffer-0.10.2 \
+ crate://crates.io/bumpalo/3.10.0;name=bumpalo-3.10.0 \
+ crate://crates.io/bytes/1.1.0;name=bytes-1.1.0 \
+ crate://crates.io/cc/1.0.73;name=cc-1.0.73 \
+ crate://crates.io/cfg-if/1.0.0;name=cfg-if-1.0.0 \
+ crate://crates.io/chrono/0.4.22;name=chrono-0.4.22 \
+ crate://crates.io/chunked_transfer/1.4.0;name=chunked_transfer-1.4.0 \
+ crate://crates.io/cipher/0.2.5;name=cipher-0.2.5 \
+ crate://crates.io/clap/2.34.0;name=clap-2.34.0 \
+ crate://crates.io/codespan-reporting/0.11.1;name=codespan-reporting-0.11.1 \
+ crate://crates.io/core-foundation/0.9.3;name=core-foundation-0.9.3 \
+ crate://crates.io/core-foundation-sys/0.8.3;name=core-foundation-sys-0.8.3 \
+ crate://crates.io/cpufeatures/0.2.2;name=cpufeatures-0.2.2 \
+ crate://crates.io/crc32fast/1.3.2;name=crc32fast-1.3.2 \
+ crate://crates.io/crunchy/0.2.2;name=crunchy-0.2.2 \
+ crate://crates.io/crypto-common/0.1.6;name=crypto-common-0.1.6 \
+ crate://crates.io/crypto-mac/0.10.1;name=crypto-mac-0.10.1 \
+ crate://crates.io/cryptoki/0.3.0;name=cryptoki-0.3.0 \
+ crate://crates.io/cryptoki-sys/0.1.4;name=cryptoki-sys-0.1.4 \
+ crate://crates.io/ctrlc/3.2.2;name=ctrlc-3.2.2 \
+ crate://crates.io/cxx/1.0.79;name=cxx-1.0.79 \
+ crate://crates.io/cxx-build/1.0.79;name=cxx-build-1.0.79 \
+ crate://crates.io/cxxbridge-flags/1.0.79;name=cxxbridge-flags-1.0.79 \
+ crate://crates.io/cxxbridge-macro/1.0.79;name=cxxbridge-macro-1.0.79 \
+ crate://crates.io/derivative/2.2.0;name=derivative-2.2.0 \
+ crate://crates.io/deunicode/0.4.3;name=deunicode-0.4.3 \
+ crate://crates.io/diff/0.1.13;name=diff-0.1.13 \
+ crate://crates.io/digest/0.9.0;name=digest-0.9.0 \
+ crate://crates.io/digest/0.10.3;name=digest-0.10.3 \
+ crate://crates.io/dirs-next/2.0.0;name=dirs-next-2.0.0 \
+ crate://crates.io/dirs-sys-next/0.1.2;name=dirs-sys-next-0.1.2 \
+ crate://crates.io/either/1.7.0;name=either-1.7.0 \
+ crate://crates.io/ena/0.14.0;name=ena-0.14.0 \
+ crate://crates.io/encoding_rs/0.8.31;name=encoding_rs-0.8.31 \
+ crate://crates.io/enum-display-derive/0.1.1;name=enum-display-derive-0.1.1 \
+ crate://crates.io/enum-flags/0.1.8;name=enum-flags-0.1.8 \
+ crate://crates.io/error-chain/0.11.0;name=error-chain-0.11.0 \
+ crate://crates.io/fastrand/1.7.0;name=fastrand-1.7.0 \
+ crate://crates.io/fern/0.5.9;name=fern-0.5.9 \
+ crate://crates.io/fixedbitset/0.4.2;name=fixedbitset-0.4.2 \
+ crate://crates.io/fnv/1.0.7;name=fnv-1.0.7 \
+ crate://crates.io/foreign-types/0.3.2;name=foreign-types-0.3.2 \
+ crate://crates.io/foreign-types-shared/0.1.1;name=foreign-types-shared-0.1.1 \
+ crate://crates.io/form_urlencoded/1.0.1;name=form_urlencoded-1.0.1 \
+ crate://crates.io/fslock/0.2.1;name=fslock-0.2.1 \
+ crate://crates.io/futures/0.3.21;name=futures-0.3.21 \
+ crate://crates.io/futures-channel/0.3.21;name=futures-channel-0.3.21 \
+ crate://crates.io/futures-core/0.3.21;name=futures-core-0.3.21 \
+ crate://crates.io/futures-executor/0.3.21;name=futures-executor-0.3.21 \
+ crate://crates.io/futures-io/0.3.21;name=futures-io-0.3.21 \
+ crate://crates.io/futures-macro/0.3.21;name=futures-macro-0.3.21 \
+ crate://crates.io/futures-sink/0.3.21;name=futures-sink-0.3.21 \
+ crate://crates.io/futures-task/0.3.21;name=futures-task-0.3.21 \
+ crate://crates.io/futures-util/0.3.21;name=futures-util-0.3.21 \
+ crate://crates.io/generic-array/0.14.5;name=generic-array-0.14.5 \
+ crate://crates.io/getrandom/0.2.7;name=getrandom-0.2.7 \
+ crate://crates.io/gimli/0.26.2;name=gimli-0.26.2 \
+ crate://crates.io/h2/0.3.13;name=h2-0.3.13 \
+ crate://crates.io/hashbrown/0.12.3;name=hashbrown-0.12.3 \
+ crate://crates.io/hermit-abi/0.1.19;name=hermit-abi-0.1.19 \
+ crate://crates.io/hex/0.4.3;name=hex-0.4.3 \
+ crate://crates.io/hmac/0.10.1;name=hmac-0.10.1 \
+ crate://crates.io/http/0.2.8;name=http-0.2.8 \
+ crate://crates.io/http-body/0.4.5;name=http-body-0.4.5 \
+ crate://crates.io/httparse/1.7.1;name=httparse-1.7.1 \
+ crate://crates.io/httpdate/1.0.2;name=httpdate-1.0.2 \
+ crate://crates.io/hyper/0.14.20;name=hyper-0.14.20 \
+ crate://crates.io/hyper-tls/0.5.0;name=hyper-tls-0.5.0 \
+ crate://crates.io/iana-time-zone/0.1.51;name=iana-time-zone-0.1.51 \
+ crate://crates.io/iana-time-zone-haiku/0.1.1;name=iana-time-zone-haiku-0.1.1 \
+ crate://crates.io/idna/0.2.3;name=idna-0.2.3 \
+ crate://crates.io/impl-trait-for-tuples/0.2.2;name=impl-trait-for-tuples-0.2.2 \
+ crate://crates.io/indexmap/1.9.1;name=indexmap-1.9.1 \
+ crate://crates.io/instant/0.1.12;name=instant-0.1.12 \
+ crate://crates.io/intervaltree/0.2.7;name=intervaltree-0.2.7 \
+ crate://crates.io/ipnet/2.5.0;name=ipnet-2.5.0 \
+ crate://crates.io/itertools/0.10.3;name=itertools-0.10.3 \
+ crate://crates.io/itoa/1.0.2;name=itoa-1.0.2 \
+ crate://crates.io/jmespatch/0.3.0;name=jmespatch-0.3.0 \
+ crate://crates.io/js-sys/0.3.58;name=js-sys-0.3.58 \
+ crate://crates.io/kmip-protocol/0.4.2;name=kmip-protocol-0.4.2 \
+ crate://crates.io/kmip-ttlv/0.3.3;name=kmip-ttlv-0.3.3 \
+ crate://crates.io/lalrpop/0.19.8;name=lalrpop-0.19.8 \
+ crate://crates.io/lalrpop-util/0.19.8;name=lalrpop-util-0.19.8 \
+ crate://crates.io/lazy_static/1.4.0;name=lazy_static-1.4.0 \
+ crate://crates.io/libc/0.2.126;name=libc-0.2.126 \
+ crate://crates.io/libflate/1.2.0;name=libflate-1.2.0 \
+ crate://crates.io/libflate_lz77/1.1.0;name=libflate_lz77-1.1.0 \
+ crate://crates.io/libloading/0.7.3;name=libloading-0.7.3 \
+ crate://crates.io/link-cplusplus/1.0.7;name=link-cplusplus-1.0.7 \
+ crate://crates.io/lock_api/0.4.7;name=lock_api-0.4.7 \
+ crate://crates.io/log/0.4.17;name=log-0.4.17 \
+ crate://crates.io/maplit/1.0.2;name=maplit-1.0.2 \
+ crate://crates.io/matchers/0.0.1;name=matchers-0.0.1 \
+ crate://crates.io/matches/0.1.9;name=matches-0.1.9 \
+ crate://crates.io/maybe-async/0.2.6;name=maybe-async-0.2.6 \
+ crate://crates.io/memchr/2.5.0;name=memchr-2.5.0 \
+ crate://crates.io/mime/0.3.16;name=mime-0.3.16 \
+ crate://crates.io/miniz_oxide/0.5.3;name=miniz_oxide-0.5.3 \
+ crate://crates.io/mio/0.8.4;name=mio-0.8.4 \
+ crate://crates.io/native-tls/0.2.10;name=native-tls-0.2.10 \
+ crate://crates.io/new_debug_unreachable/1.0.4;name=new_debug_unreachable-1.0.4 \
+ crate://crates.io/nix/0.24.2;name=nix-0.24.2 \
+ crate://crates.io/num-bigint/0.4.3;name=num-bigint-0.4.3 \
+ crate://crates.io/num-integer/0.1.45;name=num-integer-0.1.45 \
+ crate://crates.io/num-traits/0.2.15;name=num-traits-0.2.15 \
+ crate://crates.io/num_cpus/1.13.1;name=num_cpus-1.13.1 \
+ crate://crates.io/oauth2/4.2.3;name=oauth2-4.2.3 \
+ crate://crates.io/object/0.29.0;name=object-0.29.0 \
+ crate://crates.io/once_cell/1.13.0;name=once_cell-1.13.0 \
+ crate://crates.io/opaque-debug/0.3.0;name=opaque-debug-0.3.0 \
+ crate://crates.io/openidconnect/2.3.2;name=openidconnect-2.3.2 \
+ crate://crates.io/openssl/0.10.41;name=openssl-0.10.41 \
+ crate://crates.io/openssl-macros/0.1.0;name=openssl-macros-0.1.0 \
+ crate://crates.io/openssl-probe/0.1.5;name=openssl-probe-0.1.5 \
+ crate://crates.io/openssl-src/111.25.0+1.1.1t;name=openssl-src-111.25.0+1.1.1t \
+ crate://crates.io/openssl-sys/0.9.75;name=openssl-sys-0.9.75 \
+ crate://crates.io/ordered-float/2.10.0;name=ordered-float-2.10.0 \
+ crate://crates.io/oso/0.12.4;name=oso-0.12.4 \
+ crate://crates.io/parking_lot/0.12.1;name=parking_lot-0.12.1 \
+ crate://crates.io/parking_lot_core/0.9.3;name=parking_lot_core-0.9.3 \
+ crate://crates.io/pbkdf2/0.7.5;name=pbkdf2-0.7.5 \
+ crate://crates.io/percent-encoding/2.1.0;name=percent-encoding-2.1.0 \
+ crate://crates.io/petgraph/0.6.2;name=petgraph-0.6.2 \
+ crate://crates.io/phf_shared/0.10.0;name=phf_shared-0.10.0 \
+ crate://crates.io/pico-args/0.4.2;name=pico-args-0.4.2 \
+ crate://crates.io/pin-project-lite/0.2.9;name=pin-project-lite-0.2.9 \
+ crate://crates.io/pin-utils/0.1.0;name=pin-utils-0.1.0 \
+ crate://crates.io/pkg-config/0.3.25;name=pkg-config-0.3.25 \
+ crate://crates.io/polar-core/0.12.4;name=polar-core-0.12.4 \
+ crate://crates.io/ppv-lite86/0.2.16;name=ppv-lite86-0.2.16 \
+ crate://crates.io/precomputed-hash/0.1.1;name=precomputed-hash-0.1.1 \
+ crate://crates.io/priority-queue/1.2.2;name=priority-queue-1.2.2 \
+ crate://crates.io/proc-macro2/1.0.40;name=proc-macro2-1.0.40 \
+ crate://crates.io/quick-xml/0.23.0;name=quick-xml-0.23.0 \
+ crate://crates.io/quote/1.0.20;name=quote-1.0.20 \
+ crate://crates.io/r2d2/0.8.10;name=r2d2-0.8.10 \
+ crate://crates.io/rand/0.8.5;name=rand-0.8.5 \
+ crate://crates.io/rand_chacha/0.3.1;name=rand_chacha-0.3.1 \
+ crate://crates.io/rand_core/0.6.3;name=rand_core-0.6.3 \
+ crate://crates.io/redox_syscall/0.2.13;name=redox_syscall-0.2.13 \
+ crate://crates.io/redox_users/0.4.3;name=redox_users-0.4.3 \
+ crate://crates.io/regex/1.6.0;name=regex-1.6.0 \
+ crate://crates.io/regex-automata/0.1.10;name=regex-automata-0.1.10 \
+ crate://crates.io/regex-syntax/0.6.27;name=regex-syntax-0.6.27 \
+ crate://crates.io/remove_dir_all/0.5.3;name=remove_dir_all-0.5.3 \
+ crate://crates.io/reqwest/0.11.11;name=reqwest-0.11.11 \
+ crate://crates.io/ring/0.16.20;name=ring-0.16.20 \
+ crate://crates.io/rle-decode-fast/1.0.3;name=rle-decode-fast-1.0.3 \
+ crate://crates.io/routecore/0.2.0;name=routecore-0.2.0 \
+ crate://crates.io/rpassword/5.0.1;name=rpassword-5.0.1 \
+ crate://crates.io/rpki/0.15.8;name=rpki-0.15.8 \
+ crate://crates.io/rustc-demangle/0.1.21;name=rustc-demangle-0.1.21 \
+ crate://crates.io/rustc_version/0.4.0;name=rustc_version-0.4.0 \
+ crate://crates.io/rustls/0.19.1;name=rustls-0.19.1 \
+ crate://crates.io/rustversion/1.0.8;name=rustversion-1.0.8 \
+ crate://crates.io/ryu/1.0.10;name=ryu-1.0.10 \
+ crate://crates.io/salsa20/0.7.2;name=salsa20-0.7.2 \
+ crate://crates.io/schannel/0.1.20;name=schannel-0.1.20 \
+ crate://crates.io/scheduled-thread-pool/0.2.6;name=scheduled-thread-pool-0.2.6 \
+ crate://crates.io/scopeguard/1.1.0;name=scopeguard-1.1.0 \
+ crate://crates.io/scratch/1.0.2;name=scratch-1.0.2 \
+ crate://crates.io/scrypt/0.6.5;name=scrypt-0.6.5 \
+ crate://crates.io/sct/0.6.1;name=sct-0.6.1 \
+ crate://crates.io/security-framework/2.6.1;name=security-framework-2.6.1 \
+ crate://crates.io/security-framework-sys/2.6.1;name=security-framework-sys-2.6.1 \
+ crate://crates.io/semver/1.0.12;name=semver-1.0.12 \
+ crate://crates.io/serde/1.0.139;name=serde-1.0.139 \
+ crate://crates.io/serde-value/0.7.0;name=serde-value-0.7.0 \
+ crate://crates.io/serde_bytes/0.11.6;name=serde_bytes-0.11.6 \
+ crate://crates.io/serde_derive/1.0.139;name=serde_derive-1.0.139 \
+ crate://crates.io/serde_json/1.0.82;name=serde_json-1.0.82 \
+ crate://crates.io/serde_path_to_error/0.1.7;name=serde_path_to_error-0.1.7 \
+ crate://crates.io/serde_urlencoded/0.7.1;name=serde_urlencoded-0.7.1 \
+ crate://crates.io/sha2/0.9.9;name=sha2-0.9.9 \
+ crate://crates.io/sha2/0.10.2;name=sha2-0.10.2 \
+ crate://crates.io/sharded-slab/0.1.4;name=sharded-slab-0.1.4 \
+ crate://crates.io/signal-hook-registry/1.4.0;name=signal-hook-registry-1.4.0 \
+ crate://crates.io/siphasher/0.3.10;name=siphasher-0.3.10 \
+ crate://crates.io/slab/0.4.6;name=slab-0.4.6 \
+ crate://crates.io/slug/0.1.4;name=slug-0.1.4 \
+ crate://crates.io/smallvec/1.9.0;name=smallvec-1.9.0 \
+ crate://crates.io/socket2/0.4.4;name=socket2-0.4.4 \
+ crate://crates.io/spin/0.5.2;name=spin-0.5.2 \
+ crate://crates.io/string_cache/0.8.4;name=string_cache-0.8.4 \
+ crate://crates.io/strsim/0.8.0;name=strsim-0.8.0 \
+ crate://crates.io/subtle/2.4.1;name=subtle-2.4.1 \
+ crate://crates.io/syn/1.0.98;name=syn-1.0.98 \
+ crate://crates.io/syslog/4.0.1;name=syslog-4.0.1 \
+ crate://crates.io/target-lexicon/0.12.4;name=target-lexicon-0.12.4 \
+ crate://crates.io/tempfile/3.3.0;name=tempfile-3.3.0 \
+ crate://crates.io/term/0.7.0;name=term-0.7.0 \
+ crate://crates.io/termcolor/1.1.3;name=termcolor-1.1.3 \
+ crate://crates.io/textwrap/0.11.0;name=textwrap-0.11.0 \
+ crate://crates.io/thiserror/1.0.31;name=thiserror-1.0.31 \
+ crate://crates.io/thiserror-impl/1.0.31;name=thiserror-impl-1.0.31 \
+ crate://crates.io/thread_local/1.1.4;name=thread_local-1.1.4 \
+ crate://crates.io/time/0.1.44;name=time-0.1.44 \
+ crate://crates.io/tiny-keccak/2.0.2;name=tiny-keccak-2.0.2 \
+ crate://crates.io/tiny_http/0.8.2;name=tiny_http-0.8.2 \
+ crate://crates.io/tinyvec/1.6.0;name=tinyvec-1.6.0 \
+ crate://crates.io/tinyvec_macros/0.1.0;name=tinyvec_macros-0.1.0 \
+ crate://crates.io/tokio/1.20.4;name=tokio-1.20.4 \
+ crate://crates.io/tokio-macros/1.8.0;name=tokio-macros-1.8.0 \
+ crate://crates.io/tokio-native-tls/0.3.0;name=tokio-native-tls-0.3.0 \
+ crate://crates.io/tokio-rustls/0.22.0;name=tokio-rustls-0.22.0 \
+ crate://crates.io/tokio-util/0.7.3;name=tokio-util-0.7.3 \
+ crate://crates.io/toml/0.5.9;name=toml-0.5.9 \
+ crate://crates.io/tower-service/0.3.2;name=tower-service-0.3.2 \
+ crate://crates.io/tracing/0.1.35;name=tracing-0.1.35 \
+ crate://crates.io/tracing-attributes/0.1.22;name=tracing-attributes-0.1.22 \
+ crate://crates.io/tracing-core/0.1.28;name=tracing-core-0.1.28 \
+ crate://crates.io/tracing-log/0.1.3;name=tracing-log-0.1.3 \
+ crate://crates.io/tracing-serde/0.1.3;name=tracing-serde-0.1.3 \
+ crate://crates.io/tracing-subscriber/0.2.25;name=tracing-subscriber-0.2.25 \
+ crate://crates.io/trait-set/0.2.0;name=trait-set-0.2.0 \
+ crate://crates.io/try-lock/0.2.3;name=try-lock-0.2.3 \
+ crate://crates.io/typenum/1.15.0;name=typenum-1.15.0 \
+ crate://crates.io/unicode-bidi/0.3.8;name=unicode-bidi-0.3.8 \
+ crate://crates.io/unicode-ident/1.0.2;name=unicode-ident-1.0.2 \
+ crate://crates.io/unicode-normalization/0.1.21;name=unicode-normalization-0.1.21 \
+ crate://crates.io/unicode-width/0.1.9;name=unicode-width-0.1.9 \
+ crate://crates.io/unicode-xid/0.2.3;name=unicode-xid-0.2.3 \
+ crate://crates.io/untrusted/0.7.1;name=untrusted-0.7.1 \
+ crate://crates.io/url/2.2.2;name=url-2.2.2 \
+ crate://crates.io/urlparse/0.7.3;name=urlparse-0.7.3 \
+ crate://crates.io/uuid/1.1.2;name=uuid-1.1.2 \
+ crate://crates.io/valuable/0.1.0;name=valuable-0.1.0 \
+ crate://crates.io/vcpkg/0.2.15;name=vcpkg-0.2.15 \
+ crate://crates.io/vec_map/0.8.2;name=vec_map-0.8.2 \
+ crate://crates.io/version_check/0.9.4;name=version_check-0.9.4 \
+ crate://crates.io/want/0.3.0;name=want-0.3.0 \
+ crate://crates.io/wasi/0.10.0+wasi-snapshot-preview1;name=wasi-0.10.0+wasi-snapshot-preview1 \
+ crate://crates.io/wasi/0.11.0+wasi-snapshot-preview1;name=wasi-0.11.0+wasi-snapshot-preview1 \
+ crate://crates.io/wasm-bindgen/0.2.81;name=wasm-bindgen-0.2.81 \
+ crate://crates.io/wasm-bindgen-backend/0.2.81;name=wasm-bindgen-backend-0.2.81 \
+ crate://crates.io/wasm-bindgen-futures/0.4.31;name=wasm-bindgen-futures-0.4.31 \
+ crate://crates.io/wasm-bindgen-macro/0.2.81;name=wasm-bindgen-macro-0.2.81 \
+ crate://crates.io/wasm-bindgen-macro-support/0.2.81;name=wasm-bindgen-macro-support-0.2.81 \
+ crate://crates.io/wasm-bindgen-shared/0.2.81;name=wasm-bindgen-shared-0.2.81 \
+ crate://crates.io/web-sys/0.3.58;name=web-sys-0.3.58 \
+ crate://crates.io/webpki/0.21.4;name=webpki-0.21.4 \
+ crate://crates.io/winapi/0.3.9;name=winapi-0.3.9 \
+ crate://crates.io/winapi-i686-pc-windows-gnu/0.4.0;name=winapi-i686-pc-windows-gnu-0.4.0 \
+ crate://crates.io/winapi-util/0.1.5;name=winapi-util-0.1.5 \
+ crate://crates.io/winapi-x86_64-pc-windows-gnu/0.4.0;name=winapi-x86_64-pc-windows-gnu-0.4.0 \
+ crate://crates.io/windows-sys/0.36.1;name=windows-sys-0.36.1 \
+ crate://crates.io/windows_aarch64_msvc/0.36.1;name=windows_aarch64_msvc-0.36.1 \
+ crate://crates.io/windows_i686_gnu/0.36.1;name=windows_i686_gnu-0.36.1 \
+ crate://crates.io/windows_i686_msvc/0.36.1;name=windows_i686_msvc-0.36.1 \
+ crate://crates.io/windows_x86_64_gnu/0.36.1;name=windows_x86_64_gnu-0.36.1 \
+ crate://crates.io/windows_x86_64_msvc/0.36.1;name=windows_x86_64_msvc-0.36.1 \
+ crate://crates.io/winreg/0.10.1;name=winreg-0.10.1 \
+"
+
+SRC_URI[addr2line-0.17.0.sha256sum] = "b9ecd88a8c8378ca913a680cd98f0f13ac67383d35993f86c90a70e3f137816b"
+SRC_URI[adler-1.0.2.sha256sum] = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe"
+SRC_URI[adler32-1.2.0.sha256sum] = "aae1277d39aeec15cb388266ecc24b11c80469deae6067e17a1a7aa9e5c1f234"
+SRC_URI[aho-corasick-0.7.18.sha256sum] = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f"
+SRC_URI[android_system_properties-0.1.5.sha256sum] = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
+SRC_URI[ansi_term-0.12.1.sha256sum] = "d52a9bb7ec0cf484c551830a7ce27bd20d67eac647e1befb56b0be4ee39a55d2"
+SRC_URI[ascii-1.0.0.sha256sum] = "bbf56136a5198c7b01a49e3afcbef6cf84597273d298f54432926024107b0109"
+SRC_URI[ascii-canvas-3.0.0.sha256sum] = "8824ecca2e851cec16968d54a01dd372ef8f95b244fb84b84e70128be347c3c6"
+SRC_URI[atty-0.2.14.sha256sum] = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
+SRC_URI[autocfg-1.1.0.sha256sum] = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
+SRC_URI[backoff-0.3.0.sha256sum] = "9fe17f59a06fe8b87a6fc8bf53bb70b3aba76d7685f432487a68cd5552853625"
+SRC_URI[backtrace-0.3.66.sha256sum] = "cab84319d616cfb654d03394f38ab7e6f0919e181b1b57e1fd15e7fb4077d9a7"
+SRC_URI[base64-0.13.0.sha256sum] = "904dfeac50f3cdaba28fc6f57fdcddb75f49ed61346676a78c4ffe55877802fd"
+SRC_URI[basic-cookies-0.1.4.sha256sum] = "cb53b6b315f924c7f113b162e53b3901c05fc9966baf84d201dfcc7432a4bb38"
+SRC_URI[bcder-0.7.0.sha256sum] = "f007d8acfb8ef7d219911c7164c025a6d3504735120fc5df59c3c479ab84ea51"
+SRC_URI[bit-set-0.5.2.sha256sum] = "6e11e16035ea35e4e5997b393eacbf6f63983188f7a2ad25bfb13465f5ad59de"
+SRC_URI[bit-vec-0.6.3.sha256sum] = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
+SRC_URI[bitflags-1.3.2.sha256sum] = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
+SRC_URI[block-buffer-0.9.0.sha256sum] = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4"
+SRC_URI[block-buffer-0.10.2.sha256sum] = "0bf7fe51849ea569fd452f37822f606a5cabb684dc918707a0193fd4664ff324"
+SRC_URI[bumpalo-3.10.0.sha256sum] = "37ccbd214614c6783386c1af30caf03192f17891059cecc394b4fb119e363de3"
+SRC_URI[bytes-1.1.0.sha256sum] = "c4872d67bab6358e59559027aa3b9157c53d9358c51423c17554809a8858e0f8"
+SRC_URI[cc-1.0.73.sha256sum] = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11"
+SRC_URI[cfg-if-1.0.0.sha256sum] = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
+SRC_URI[chrono-0.4.22.sha256sum] = "bfd4d1b31faaa3a89d7934dbded3111da0d2ef28e3ebccdb4f0179f5929d1ef1"
+SRC_URI[chunked_transfer-1.4.0.sha256sum] = "fff857943da45f546682664a79488be82e69e43c1a7a2307679ab9afb3a66d2e"
+SRC_URI[cipher-0.2.5.sha256sum] = "12f8e7987cbd042a63249497f41aed09f8e65add917ea6566effbc56578d6801"
+SRC_URI[clap-2.34.0.sha256sum] = "a0610544180c38b88101fecf2dd634b174a62eef6946f84dfc6a7127512b381c"
+SRC_URI[codespan-reporting-0.11.1.sha256sum] = "3538270d33cc669650c4b093848450d380def10c331d38c768e34cac80576e6e"
+SRC_URI[core-foundation-0.9.3.sha256sum] = "194a7a9e6de53fa55116934067c844d9d749312f75c6f6d0980e8c252f8c2146"
+SRC_URI[core-foundation-sys-0.8.3.sha256sum] = "5827cebf4670468b8772dd191856768aedcb1b0278a04f989f7766351917b9dc"
+SRC_URI[cpufeatures-0.2.2.sha256sum] = "59a6001667ab124aebae2a495118e11d30984c3a653e99d86d58971708cf5e4b"
+SRC_URI[crc32fast-1.3.2.sha256sum] = "b540bd8bc810d3885c6ea91e2018302f68baba2129ab3e88f32389ee9370880d"
+SRC_URI[crunchy-0.2.2.sha256sum] = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7"
+SRC_URI[crypto-common-0.1.6.sha256sum] = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+SRC_URI[crypto-mac-0.10.1.sha256sum] = "bff07008ec701e8028e2ceb8f83f0e4274ee62bd2dbdc4fefff2e9a91824081a"
+SRC_URI[cryptoki-0.3.0.sha256sum] = "503aa2bd88796da9bc6baf2c47696da40f135721b3d6680c7c6cee0b7d1f7a59"
+SRC_URI[cryptoki-sys-0.1.4.sha256sum] = "1e4895bb04269df9a14f2692c6499dc2769e9a93caa33ef37c4df134f76956d2"
+SRC_URI[ctrlc-3.2.2.sha256sum] = "b37feaa84e6861e00a1f5e5aa8da3ee56d605c9992d33e082786754828e20865"
+SRC_URI[cxx-1.0.79.sha256sum] = "3f83d0ebf42c6eafb8d7c52f7e5f2d3003b89c7aa4fd2b79229209459a849af8"
+SRC_URI[cxx-build-1.0.79.sha256sum] = "07d050484b55975889284352b0ffc2ecbda25c0c55978017c132b29ba0818a86"
+SRC_URI[cxxbridge-flags-1.0.79.sha256sum] = "99d2199b00553eda8012dfec8d3b1c75fce747cf27c169a270b3b99e3448ab78"
+SRC_URI[cxxbridge-macro-1.0.79.sha256sum] = "dcb67a6de1f602736dd7eaead0080cf3435df806c61b24b13328db128c58868f"
+SRC_URI[derivative-2.2.0.sha256sum] = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b"
+SRC_URI[deunicode-0.4.3.sha256sum] = "850878694b7933ca4c9569d30a34b55031b9b139ee1fc7b94a527c4ef960d690"
+SRC_URI[diff-0.1.13.sha256sum] = "56254986775e3233ffa9c4d7d3faaf6d36a2c09d30b20687e9f88bc8bafc16c8"
+SRC_URI[digest-0.9.0.sha256sum] = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
+SRC_URI[digest-0.10.3.sha256sum] = "f2fb860ca6fafa5552fb6d0e816a69c8e49f0908bf524e30a90d97c85892d506"
+SRC_URI[dirs-next-2.0.0.sha256sum] = "b98cf8ebf19c3d1b223e151f99a4f9f0690dca41414773390fc824184ac833e1"
+SRC_URI[dirs-sys-next-0.1.2.sha256sum] = "4ebda144c4fe02d1f7ea1a7d9641b6fc6b580adcfa024ae48797ecdeb6825b4d"
+SRC_URI[either-1.7.0.sha256sum] = "3f107b87b6afc2a64fd13cac55fe06d6c8859f12d4b14cbcdd2c67d0976781be"
+SRC_URI[ena-0.14.0.sha256sum] = "d7402b94a93c24e742487327a7cd839dc9d36fec9de9fb25b09f2dae459f36c3"
+SRC_URI[encoding_rs-0.8.31.sha256sum] = "9852635589dc9f9ea1b6fe9f05b50ef208c85c834a562f0c6abb1c475736ec2b"
+SRC_URI[enum-display-derive-0.1.1.sha256sum] = "f16ef37b2a9b242295d61a154ee91ae884afff6b8b933b486b12481cc58310ca"
+SRC_URI[enum-flags-0.1.8.sha256sum] = "3682d2328e61f5529088a02cd20bb0a9aeaeeeb2f26597436dd7d75d1340f8f5"
+SRC_URI[error-chain-0.11.0.sha256sum] = "ff511d5dc435d703f4971bc399647c9bc38e20cb41452e3b9feb4765419ed3f3"
+SRC_URI[fastrand-1.7.0.sha256sum] = "c3fcf0cee53519c866c09b5de1f6c56ff9d647101f81c1964fa632e148896cdf"
+SRC_URI[fern-0.5.9.sha256sum] = "e69ab0d5aca163e388c3a49d284fed6c3d0810700e77c5ae2756a50ec1a4daaa"
+SRC_URI[fixedbitset-0.4.2.sha256sum] = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80"
+SRC_URI[fnv-1.0.7.sha256sum] = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
+SRC_URI[foreign-types-0.3.2.sha256sum] = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
+SRC_URI[foreign-types-shared-0.1.1.sha256sum] = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
+SRC_URI[form_urlencoded-1.0.1.sha256sum] = "5fc25a87fa4fd2094bffb06925852034d90a17f0d1e05197d4956d3555752191"
+SRC_URI[fslock-0.2.1.sha256sum] = "04412b8935272e3a9bae6f48c7bfff74c2911f60525404edfdd28e49884c3bfb"
+SRC_URI[futures-0.3.21.sha256sum] = "f73fe65f54d1e12b726f517d3e2135ca3125a437b6d998caf1962961f7172d9e"
+SRC_URI[futures-channel-0.3.21.sha256sum] = "c3083ce4b914124575708913bca19bfe887522d6e2e6d0952943f5eac4a74010"
+SRC_URI[futures-core-0.3.21.sha256sum] = "0c09fd04b7e4073ac7156a9539b57a484a8ea920f79c7c675d05d289ab6110d3"
+SRC_URI[futures-executor-0.3.21.sha256sum] = "9420b90cfa29e327d0429f19be13e7ddb68fa1cccb09d65e5706b8c7a749b8a6"
+SRC_URI[futures-io-0.3.21.sha256sum] = "fc4045962a5a5e935ee2fdedaa4e08284547402885ab326734432bed5d12966b"
+SRC_URI[futures-macro-0.3.21.sha256sum] = "33c1e13800337f4d4d7a316bf45a567dbcb6ffe087f16424852d97e97a91f512"
+SRC_URI[futures-sink-0.3.21.sha256sum] = "21163e139fa306126e6eedaf49ecdb4588f939600f0b1e770f4205ee4b7fa868"
+SRC_URI[futures-task-0.3.21.sha256sum] = "57c66a976bf5909d801bbef33416c41372779507e7a6b3a5e25e4749c58f776a"
+SRC_URI[futures-util-0.3.21.sha256sum] = "d8b7abd5d659d9b90c8cba917f6ec750a74e2dc23902ef9cd4cc8c8b22e6036a"
+SRC_URI[generic-array-0.14.5.sha256sum] = "fd48d33ec7f05fbfa152300fdad764757cbded343c1aa1cff2fbaf4134851803"
+SRC_URI[getrandom-0.2.7.sha256sum] = "4eb1a864a501629691edf6c15a593b7a51eebaa1e8468e9ddc623de7c9b58ec6"
+SRC_URI[gimli-0.26.2.sha256sum] = "22030e2c5a68ec659fde1e949a745124b48e6fa8b045b7ed5bd1fe4ccc5c4e5d"
+SRC_URI[h2-0.3.13.sha256sum] = "37a82c6d637fc9515a4694bbf1cb2457b79d81ce52b3108bdeea58b07dd34a57"
+SRC_URI[hashbrown-0.12.3.sha256sum] = "8a9ee70c43aaf417c914396645a0fa852624801b24ebb7ae78fe8272889ac888"
+SRC_URI[hermit-abi-0.1.19.sha256sum] = "62b467343b94ba476dcb2500d242dadbb39557df889310ac77c5d99100aaac33"
+SRC_URI[hex-0.4.3.sha256sum] = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
+SRC_URI[hmac-0.10.1.sha256sum] = "c1441c6b1e930e2817404b5046f1f989899143a12bf92de603b69f4e0aee1e15"
+SRC_URI[http-0.2.8.sha256sum] = "75f43d41e26995c17e71ee126451dd3941010b0514a81a9d11f3b341debc2399"
+SRC_URI[http-body-0.4.5.sha256sum] = "d5f38f16d184e36f2408a55281cd658ecbd3ca05cce6d6510a176eca393e26d1"
+SRC_URI[httparse-1.7.1.sha256sum] = "496ce29bb5a52785b44e0f7ca2847ae0bb839c9bd28f69acac9b99d461c0c04c"
+SRC_URI[httpdate-1.0.2.sha256sum] = "c4a1e36c821dbe04574f602848a19f742f4fb3c98d40449f11bcad18d6b17421"
+SRC_URI[hyper-0.14.20.sha256sum] = "02c929dc5c39e335a03c405292728118860721b10190d98c2a0f0efd5baafbac"
+SRC_URI[hyper-tls-0.5.0.sha256sum] = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905"
+SRC_URI[iana-time-zone-0.1.51.sha256sum] = "f5a6ef98976b22b3b7f2f3a806f858cb862044cfa66805aa3ad84cb3d3b785ed"
+SRC_URI[iana-time-zone-haiku-0.1.1.sha256sum] = "0703ae284fc167426161c2e3f1da3ea71d94b21bedbcc9494e92b28e334e3dca"
+SRC_URI[idna-0.2.3.sha256sum] = "418a0a6fab821475f634efe3ccc45c013f742efe03d853e8d3355d5cb850ecf8"
+SRC_URI[impl-trait-for-tuples-0.2.2.sha256sum] = "11d7a9f6330b71fea57921c9b61c47ee6e84f72d394754eff6163ae67e7395eb"
+SRC_URI[indexmap-1.9.1.sha256sum] = "10a35a97730320ffe8e2d410b5d3b69279b98d2c14bdb8b70ea89ecf7888d41e"
+SRC_URI[instant-0.1.12.sha256sum] = "7a5bbe824c507c5da5956355e86a746d82e0e1464f65d862cc5e71da70e94b2c"
+SRC_URI[intervaltree-0.2.7.sha256sum] = "270bc34e57047cab801a8c871c124d9dc7132f6473c6401f645524f4e6edd111"
+SRC_URI[ipnet-2.5.0.sha256sum] = "879d54834c8c76457ef4293a689b2a8c59b076067ad77b15efafbb05f92a592b"
+SRC_URI[itertools-0.10.3.sha256sum] = "a9a9d19fa1e79b6215ff29b9d6880b706147f16e9b1dbb1e4e5947b5b02bc5e3"
+SRC_URI[itoa-1.0.2.sha256sum] = "112c678d4050afce233f4f2852bb2eb519230b3cf12f33585275537d7e41578d"
+SRC_URI[jmespatch-0.3.0.sha256sum] = "7acf91a732ade34d8eda2dee9500a051833f14f0d3d10d77c149845d6ac6a5f0"
+SRC_URI[js-sys-0.3.58.sha256sum] = "c3fac17f7123a73ca62df411b1bf727ccc805daa070338fda671c86dac1bdc27"
+SRC_URI[kmip-protocol-0.4.2.sha256sum] = "396744d490b405f4ff293057bae5625e03dcf8be70fd4ba8c6346a54e78fd837"
+SRC_URI[kmip-ttlv-0.3.3.sha256sum] = "1aa943fd7166db2cc2deaea17bd5c2862ccf68eef9ce15576bcee9e4b494685c"
+SRC_URI[lalrpop-0.19.8.sha256sum] = "b30455341b0e18f276fa64540aff54deafb54c589de6aca68659c63dd2d5d823"
+SRC_URI[lalrpop-util-0.19.8.sha256sum] = "bcf796c978e9b4d983414f4caedc9273aa33ee214c5b887bd55fde84c85d2dc4"
+SRC_URI[lazy_static-1.4.0.sha256sum] = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+SRC_URI[libc-0.2.126.sha256sum] = "349d5a591cd28b49e1d1037471617a32ddcda5731b99419008085f72d5a53836"
+SRC_URI[libflate-1.2.0.sha256sum] = "05605ab2bce11bcfc0e9c635ff29ef8b2ea83f29be257ee7d730cac3ee373093"
+SRC_URI[libflate_lz77-1.1.0.sha256sum] = "39a734c0493409afcd49deee13c006a04e3586b9761a03543c6272c9c51f2f5a"
+SRC_URI[libloading-0.7.3.sha256sum] = "efbc0f03f9a775e9f6aed295c6a1ba2253c5757a9e03d55c6caa46a681abcddd"
+SRC_URI[link-cplusplus-1.0.7.sha256sum] = "9272ab7b96c9046fbc5bc56c06c117cb639fe2d509df0c421cad82d2915cf369"
+SRC_URI[lock_api-0.4.7.sha256sum] = "327fa5b6a6940e4699ec49a9beae1ea4845c6bab9314e4f84ac68742139d8c53"
+SRC_URI[log-0.4.17.sha256sum] = "abb12e687cfb44aa40f41fc3978ef76448f9b6038cad6aef4259d3c095a2382e"
+SRC_URI[maplit-1.0.2.sha256sum] = "3e2e65a1a2e43cfcb47a895c4c8b10d1f4a61097f9f254f183aee60cad9c651d"
+SRC_URI[matchers-0.0.1.sha256sum] = "f099785f7595cc4b4553a174ce30dd7589ef93391ff414dbb67f62392b9e0ce1"
+SRC_URI[matches-0.1.9.sha256sum] = "a3e378b66a060d48947b590737b30a1be76706c8dd7b8ba0f2fe3989c68a853f"
+SRC_URI[maybe-async-0.2.6.sha256sum] = "6007f9dad048e0a224f27ca599d669fca8cfa0dac804725aab542b2eb032bce6"
+SRC_URI[memchr-2.5.0.sha256sum] = "2dffe52ecf27772e601905b7522cb4ef790d2cc203488bbd0e2fe85fcb74566d"
+SRC_URI[mime-0.3.16.sha256sum] = "2a60c7ce501c71e03a9c9c0d35b861413ae925bd979cc7a4e30d060069aaac8d"
+SRC_URI[miniz_oxide-0.5.3.sha256sum] = "6f5c75688da582b8ffc1f1799e9db273f32133c49e048f614d22ec3256773ccc"
+SRC_URI[mio-0.8.4.sha256sum] = "57ee1c23c7c63b0c9250c339ffdc69255f110b298b901b9f6c82547b7b87caaf"
+SRC_URI[native-tls-0.2.10.sha256sum] = "fd7e2f3618557f980e0b17e8856252eee3c97fa12c54dff0ca290fb6266ca4a9"
+SRC_URI[new_debug_unreachable-1.0.4.sha256sum] = "e4a24736216ec316047a1fc4252e27dabb04218aa4a3f37c6e7ddbf1f9782b54"
+SRC_URI[nix-0.24.2.sha256sum] = "195cdbc1741b8134346d515b3a56a1c94b0912758009cfd53f99ea0f57b065fc"
+SRC_URI[num-bigint-0.4.3.sha256sum] = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f"
+SRC_URI[num-integer-0.1.45.sha256sum] = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
+SRC_URI[num-traits-0.2.15.sha256sum] = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
+SRC_URI[num_cpus-1.13.1.sha256sum] = "19e64526ebdee182341572e50e9ad03965aa510cd94427a4549448f285e957a1"
+SRC_URI[oauth2-4.2.3.sha256sum] = "6d62c436394991641b970a92e23e8eeb4eb9bca74af4f5badc53bcd568daadbd"
+SRC_URI[object-0.29.0.sha256sum] = "21158b2c33aa6d4561f1c0a6ea283ca92bc54802a93b263e910746d679a7eb53"
+SRC_URI[once_cell-1.13.0.sha256sum] = "18a6dbe30758c9f83eb00cbea4ac95966305f5a7772f3f42ebfc7fc7eddbd8e1"
+SRC_URI[opaque-debug-0.3.0.sha256sum] = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
+SRC_URI[openidconnect-2.3.2.sha256sum] = "e26afc60b2bf11b9a039db1f3a3c0d5fe201eebdbe646a8ecb8342c8240e3271"
+SRC_URI[openssl-0.10.41.sha256sum] = "618febf65336490dfcf20b73f885f5651a0c89c64c2d4a8c3662585a70bf5bd0"
+SRC_URI[openssl-macros-0.1.0.sha256sum] = "b501e44f11665960c7e7fcf062c7d96a14ade4aa98116c004b2e37b5be7d736c"
+SRC_URI[openssl-probe-0.1.5.sha256sum] = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
+SRC_URI[openssl-src-111.25.0+1.1.1t.sha256sum] = "3173cd3626c43e3854b1b727422a276e568d9ec5fe8cec197822cf52cfb743d6"
+SRC_URI[openssl-sys-0.9.75.sha256sum] = "e5f9bd0c2710541a3cda73d6f9ac4f1b240de4ae261065d309dbe73d9dceb42f"
+SRC_URI[ordered-float-2.10.0.sha256sum] = "7940cf2ca942593318d07fcf2596cdca60a85c9e7fab408a5e21a4f9dcd40d87"
+SRC_URI[oso-0.12.4.sha256sum] = "aec41e2da1ce3a82eb807396f802c172f08aa03e1be31e5df49592a04e12c8c7"
+SRC_URI[parking_lot-0.12.1.sha256sum] = "3742b2c103b9f06bc9fff0a37ff4912935851bee6d36f3c02bcc755bcfec228f"
+SRC_URI[parking_lot_core-0.9.3.sha256sum] = "09a279cbf25cb0757810394fbc1e359949b59e348145c643a939a525692e6929"
+SRC_URI[pbkdf2-0.7.5.sha256sum] = "bf916dd32dd26297907890d99dc2740e33f6bd9073965af4ccff2967962f5508"
+SRC_URI[percent-encoding-2.1.0.sha256sum] = "d4fd5641d01c8f18a23da7b6fe29298ff4b55afcccdf78973b24cf3175fee32e"
+SRC_URI[petgraph-0.6.2.sha256sum] = "e6d5014253a1331579ce62aa67443b4a658c5e7dd03d4bc6d302b94474888143"
+SRC_URI[phf_shared-0.10.0.sha256sum] = "b6796ad771acdc0123d2a88dc428b5e38ef24456743ddb1744ed628f9815c096"
+SRC_URI[pico-args-0.4.2.sha256sum] = "db8bcd96cb740d03149cbad5518db9fd87126a10ab519c011893b1754134c468"
+SRC_URI[pin-project-lite-0.2.9.sha256sum] = "e0a7ae3ac2f1173085d398531c705756c94a4c56843785df85a60c1a0afac116"
+SRC_URI[pin-utils-0.1.0.sha256sum] = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
+SRC_URI[pkg-config-0.3.25.sha256sum] = "1df8c4ec4b0627e53bdf214615ad287367e482558cf84b109250b37464dc03ae"
+SRC_URI[polar-core-0.12.4.sha256sum] = "53d2b6ee5b5ff6312ca55e2ba75fbd438c72bc041c799055388d815726eca69b"
+SRC_URI[ppv-lite86-0.2.16.sha256sum] = "eb9f9e6e233e5c4a35559a617bf40a4ec447db2e84c20b55a6f83167b7e57872"
+SRC_URI[precomputed-hash-0.1.1.sha256sum] = "925383efa346730478fb4838dbe9137d2a47675ad789c546d150a6e1dd4ab31c"
+SRC_URI[priority-queue-1.2.2.sha256sum] = "de9cde7493f5f5d2d163b174be9f9a72d756b79b0f6ed85654128d238c347c1e"
+SRC_URI[proc-macro2-1.0.40.sha256sum] = "dd96a1e8ed2596c337f8eae5f24924ec83f5ad5ab21ea8e455d3566c69fbcaf7"
+SRC_URI[quick-xml-0.23.0.sha256sum] = "9279fbdacaad3baf559d8cabe0acc3d06e30ea14931af31af79578ac0946decc"
+SRC_URI[quote-1.0.20.sha256sum] = "3bcdf212e9776fbcb2d23ab029360416bb1706b1aea2d1a5ba002727cbcab804"
+SRC_URI[r2d2-0.8.10.sha256sum] = "51de85fb3fb6524929c8a2eb85e6b6d363de4e8c48f9e2c2eac4944abc181c93"
+SRC_URI[rand-0.8.5.sha256sum] = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+SRC_URI[rand_chacha-0.3.1.sha256sum] = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+SRC_URI[rand_core-0.6.3.sha256sum] = "d34f1408f55294453790c48b2f1ebbb1c5b4b7563eb1f418bcfcfdbb06ebb4e7"
+SRC_URI[redox_syscall-0.2.13.sha256sum] = "62f25bc4c7e55e0b0b7a1d43fb893f4fa1361d0abe38b9ce4f323c2adfe6ef42"
+SRC_URI[redox_users-0.4.3.sha256sum] = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b"
+SRC_URI[regex-1.6.0.sha256sum] = "4c4eb3267174b8c6c2f654116623910a0fef09c4753f8dd83db29c48a0df988b"
+SRC_URI[regex-automata-0.1.10.sha256sum] = "6c230d73fb8d8c1b9c0b3135c5142a8acee3a0558fb8db5cf1cb65f8d7862132"
+SRC_URI[regex-syntax-0.6.27.sha256sum] = "a3f87b73ce11b1619a3c6332f45341e0047173771e8b8b73f87bfeefb7b56244"
+SRC_URI[remove_dir_all-0.5.3.sha256sum] = "3acd125665422973a33ac9d3dd2df85edad0f4ae9b00dafb1a05e43a9f5ef8e7"
+SRC_URI[reqwest-0.11.11.sha256sum] = "b75aa69a3f06bbcc66ede33af2af253c6f7a86b1ca0033f60c580a27074fbf92"
+SRC_URI[ring-0.16.20.sha256sum] = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
+SRC_URI[rle-decode-fast-1.0.3.sha256sum] = "3582f63211428f83597b51b2ddb88e2a91a9d52d12831f9d08f5e624e8977422"
+SRC_URI[routecore-0.2.0.sha256sum] = "9afd872857e85411c0ba7d18dfe650fc4864b292c02cde997e86c511314fdfc3"
+SRC_URI[rpassword-5.0.1.sha256sum] = "ffc936cf8a7ea60c58f030fd36a612a48f440610214dc54bc36431f9ea0c3efb"
+SRC_URI[rpki-0.15.8.sha256sum] = "46970b82ec6bfec47c88addaaef3d345cec2a5cf9cb89039ef904123e65ba41a"
+SRC_URI[rustc-demangle-0.1.21.sha256sum] = "7ef03e0a2b150c7a90d01faf6254c9c48a41e95fb2a8c2ac1c6f0d2b9aefc342"
+SRC_URI[rustc_version-0.4.0.sha256sum] = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366"
+SRC_URI[rustls-0.19.1.sha256sum] = "35edb675feee39aec9c99fa5ff985081995a06d594114ae14cbe797ad7b7a6d7"
+SRC_URI[rustversion-1.0.8.sha256sum] = "24c8ad4f0c00e1eb5bc7614d236a7f1300e3dbd76b68cac8e06fb00b015ad8d8"
+SRC_URI[ryu-1.0.10.sha256sum] = "f3f6f92acf49d1b98f7a81226834412ada05458b7364277387724a237f062695"
+SRC_URI[salsa20-0.7.2.sha256sum] = "399f290ffc409596022fce5ea5d4138184be4784f2b28c62c59f0d8389059a15"
+SRC_URI[schannel-0.1.20.sha256sum] = "88d6731146462ea25d9244b2ed5fd1d716d25c52e4d54aa4fb0f3c4e9854dbe2"
+SRC_URI[scheduled-thread-pool-0.2.6.sha256sum] = "977a7519bff143a44f842fd07e80ad1329295bd71686457f18e496736f4bf9bf"
+SRC_URI[scopeguard-1.1.0.sha256sum] = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
+SRC_URI[scratch-1.0.2.sha256sum] = "9c8132065adcfd6e02db789d9285a0deb2f3fcb04002865ab67d5fb103533898"
+SRC_URI[scrypt-0.6.5.sha256sum] = "19230d10daad7f163d8c1fc8edf84fbe52ac71c2ebe5adf3f763aa1557b843e3"
+SRC_URI[sct-0.6.1.sha256sum] = "b362b83898e0e69f38515b82ee15aa80636befe47c3b6d3d89a911e78fc228ce"
+SRC_URI[security-framework-2.6.1.sha256sum] = "2dc14f172faf8a0194a3aded622712b0de276821addc574fa54fc0a1167e10dc"
+SRC_URI[security-framework-sys-2.6.1.sha256sum] = "0160a13a177a45bfb43ce71c01580998474f556ad854dcbca936dd2841a5c556"
+SRC_URI[semver-1.0.12.sha256sum] = "a2333e6df6d6598f2b1974829f853c2b4c5f4a6e503c10af918081aa6f8564e1"
+SRC_URI[serde-1.0.139.sha256sum] = "0171ebb889e45aa68b44aee0859b3eede84c6f5f5c228e6f140c0b2a0a46cad6"
+SRC_URI[serde-value-0.7.0.sha256sum] = "f3a1a3341211875ef120e117ea7fd5228530ae7e7036a779fdc9117be6b3282c"
+SRC_URI[serde_bytes-0.11.6.sha256sum] = "212e73464ebcde48d723aa02eb270ba62eff38a9b732df31f33f1b4e145f3a54"
+SRC_URI[serde_derive-1.0.139.sha256sum] = "dc1d3230c1de7932af58ad8ffbe1d784bd55efd5a9d84ac24f69c72d83543dfb"
+SRC_URI[serde_json-1.0.82.sha256sum] = "82c2c1fdcd807d1098552c5b9a36e425e42e9fbd7c6a37a8425f390f781f7fa7"
+SRC_URI[serde_path_to_error-0.1.7.sha256sum] = "d7868ad3b8196a8a0aea99a8220b124278ee5320a55e4fde97794b6f85b1a377"
+SRC_URI[serde_urlencoded-0.7.1.sha256sum] = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd"
+SRC_URI[sha2-0.9.9.sha256sum] = "4d58a1e1bf39749807d89cf2d98ac2dfa0ff1cb3faa38fbb64dd88ac8013d800"
+SRC_URI[sha2-0.10.2.sha256sum] = "55deaec60f81eefe3cce0dc50bda92d6d8e88f2a27df7c5033b42afeb1ed2676"
+SRC_URI[sharded-slab-0.1.4.sha256sum] = "900fba806f70c630b0a382d0d825e17a0f19fcd059a2ade1ff237bcddf446b31"
+SRC_URI[signal-hook-registry-1.4.0.sha256sum] = "e51e73328dc4ac0c7ccbda3a494dfa03df1de2f46018127f60c693f2648455b0"
+SRC_URI[siphasher-0.3.10.sha256sum] = "7bd3e3206899af3f8b12af284fafc038cc1dc2b41d1b89dd17297221c5d225de"
+SRC_URI[slab-0.4.6.sha256sum] = "eb703cfe953bccee95685111adeedb76fabe4e97549a58d16f03ea7b9367bb32"
+SRC_URI[slug-0.1.4.sha256sum] = "b3bc762e6a4b6c6fcaade73e77f9ebc6991b676f88bb2358bddb56560f073373"
+SRC_URI[smallvec-1.9.0.sha256sum] = "2fd0db749597d91ff862fd1d55ea87f7855a744a8425a64695b6fca237d1dad1"
+SRC_URI[socket2-0.4.4.sha256sum] = "66d72b759436ae32898a2af0a14218dbf55efde3feeb170eb623637db85ee1e0"
+SRC_URI[spin-0.5.2.sha256sum] = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
+SRC_URI[string_cache-0.8.4.sha256sum] = "213494b7a2b503146286049378ce02b482200519accc31872ee8be91fa820a08"
+SRC_URI[strsim-0.8.0.sha256sum] = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a"
+SRC_URI[subtle-2.4.1.sha256sum] = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
+SRC_URI[syn-1.0.98.sha256sum] = "c50aef8a904de4c23c788f104b7dddc7d6f79c647c7c8ce4cc8f73eb0ca773dd"
+SRC_URI[syslog-4.0.1.sha256sum] = "a0641142b4081d3d44beffa4eefd7346a228cdf91ed70186db2ca2cef762d327"
+SRC_URI[target-lexicon-0.12.4.sha256sum] = "c02424087780c9b71cc96799eaeddff35af2bc513278cda5c99fc1f5d026d3c1"
+SRC_URI[tempfile-3.3.0.sha256sum] = "5cdb1ef4eaeeaddc8fbd371e5017057064af0911902ef36b39801f67cc6d79e4"
+SRC_URI[term-0.7.0.sha256sum] = "c59df8ac95d96ff9bede18eb7300b0fda5e5d8d90960e76f8e14ae765eedbf1f"
+SRC_URI[termcolor-1.1.3.sha256sum] = "bab24d30b911b2376f3a13cc2cd443142f0c81dda04c118693e35b3835757755"
+SRC_URI[textwrap-0.11.0.sha256sum] = "d326610f408c7a4eb6f51c37c330e496b08506c9457c9d34287ecc38809fb060"
+SRC_URI[thiserror-1.0.31.sha256sum] = "bd829fe32373d27f76265620b5309d0340cb8550f523c1dda251d6298069069a"
+SRC_URI[thiserror-impl-1.0.31.sha256sum] = "0396bc89e626244658bef819e22d0cc459e795a5ebe878e6ec336d1674a8d79a"
+SRC_URI[thread_local-1.1.4.sha256sum] = "5516c27b78311c50bf42c071425c560ac799b11c30b31f87e3081965fe5e0180"
+SRC_URI[time-0.1.44.sha256sum] = "6db9e6914ab8b1ae1c260a4ae7a49b6c5611b40328a735b21862567685e73255"
+SRC_URI[tiny-keccak-2.0.2.sha256sum] = "2c9d3793400a45f954c52e73d068316d76b6f4e36977e3fcebb13a2721e80237"
+SRC_URI[tiny_http-0.8.2.sha256sum] = "9ce51b50006056f590c9b7c3808c3bd70f0d1101666629713866c227d6e58d39"
+SRC_URI[tinyvec-1.6.0.sha256sum] = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50"
+SRC_URI[tinyvec_macros-0.1.0.sha256sum] = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c"
+SRC_URI[tokio-1.20.4.sha256sum] = "eb78f30e4b41e98ca4cce5acb51168a033839a7af9e42b380355808e14e98ee0"
+SRC_URI[tokio-macros-1.8.0.sha256sum] = "9724f9a975fb987ef7a3cd9be0350edcbe130698af5b8f7a631e23d42d052484"
+SRC_URI[tokio-native-tls-0.3.0.sha256sum] = "f7d995660bd2b7f8c1568414c1126076c13fbb725c40112dc0120b78eb9b717b"
+SRC_URI[tokio-rustls-0.22.0.sha256sum] = "bc6844de72e57df1980054b38be3a9f4702aba4858be64dd700181a8a6d0e1b6"
+SRC_URI[tokio-util-0.7.3.sha256sum] = "cc463cd8deddc3770d20f9852143d50bf6094e640b485cb2e189a2099085ff45"
+SRC_URI[toml-0.5.9.sha256sum] = "8d82e1a7758622a465f8cee077614c73484dac5b836c02ff6a40d5d1010324d7"
+SRC_URI[tower-service-0.3.2.sha256sum] = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52"
+SRC_URI[tracing-0.1.35.sha256sum] = "a400e31aa60b9d44a52a8ee0343b5b18566b03a8321e0d321f695cf56e940160"
+SRC_URI[tracing-attributes-0.1.22.sha256sum] = "11c75893af559bc8e10716548bdef5cb2b983f8e637db9d0e15126b61b484ee2"
+SRC_URI[tracing-core-0.1.28.sha256sum] = "7b7358be39f2f274f322d2aaed611acc57f382e8eb1e5b48cb9ae30933495ce7"
+SRC_URI[tracing-log-0.1.3.sha256sum] = "78ddad33d2d10b1ed7eb9d1f518a5674713876e97e5bb9b7345a7984fbb4f922"
+SRC_URI[tracing-serde-0.1.3.sha256sum] = "bc6b213177105856957181934e4920de57730fc69bf42c37ee5bb664d406d9e1"
+SRC_URI[tracing-subscriber-0.2.25.sha256sum] = "0e0d2eaa99c3c2e41547cfa109e910a68ea03823cccad4a0525dcbc9b01e8c71"
+SRC_URI[trait-set-0.2.0.sha256sum] = "875c4c873cc824e362fa9a9419ffa59807244824275a44ad06fec9684fff08f2"
+SRC_URI[try-lock-0.2.3.sha256sum] = "59547bce71d9c38b83d9c0e92b6066c4253371f15005def0c30d9657f50c7642"
+SRC_URI[typenum-1.15.0.sha256sum] = "dcf81ac59edc17cc8697ff311e8f5ef2d99fcbd9817b34cec66f90b6c3dfd987"
+SRC_URI[unicode-bidi-0.3.8.sha256sum] = "099b7128301d285f79ddd55b9a83d5e6b9e97c92e0ea0daebee7263e932de992"
+SRC_URI[unicode-ident-1.0.2.sha256sum] = "15c61ba63f9235225a22310255a29b806b907c9b8c964bcbd0a2c70f3f2deea7"
+SRC_URI[unicode-normalization-0.1.21.sha256sum] = "854cbdc4f7bc6ae19c820d44abdc3277ac3e1b2b93db20a636825d9322fb60e6"
+SRC_URI[unicode-width-0.1.9.sha256sum] = "3ed742d4ea2bd1176e236172c8429aaf54486e7ac098db29ffe6529e0ce50973"
+SRC_URI[unicode-xid-0.2.3.sha256sum] = "957e51f3646910546462e67d5f7599b9e4fb8acdd304b087a6494730f9eebf04"
+SRC_URI[untrusted-0.7.1.sha256sum] = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+SRC_URI[url-2.2.2.sha256sum] = "a507c383b2d33b5fc35d1861e77e6b383d158b2da5e14fe51b83dfedf6fd578c"
+SRC_URI[urlparse-0.7.3.sha256sum] = "110352d4e9076c67839003c7788d8604e24dcded13e0b375af3efaa8cf468517"
+SRC_URI[uuid-1.1.2.sha256sum] = "dd6469f4314d5f1ffec476e05f17cc9a78bc7a27a6a857842170bdf8d6f98d2f"
+SRC_URI[valuable-0.1.0.sha256sum] = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d"
+SRC_URI[vcpkg-0.2.15.sha256sum] = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
+SRC_URI[vec_map-0.8.2.sha256sum] = "f1bddf1187be692e79c5ffeab891132dfb0f236ed36a43c7ed39f1165ee20191"
+SRC_URI[version_check-0.9.4.sha256sum] = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+SRC_URI[want-0.3.0.sha256sum] = "1ce8a968cb1cd110d136ff8b819a556d6fb6d919363c61534f6860c7eb172ba0"
+SRC_URI[wasi-0.10.0+wasi-snapshot-preview1.sha256sum] = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
+SRC_URI[wasi-0.11.0+wasi-snapshot-preview1.sha256sum] = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+SRC_URI[wasm-bindgen-0.2.81.sha256sum] = "7c53b543413a17a202f4be280a7e5c62a1c69345f5de525ee64f8cfdbc954994"
+SRC_URI[wasm-bindgen-backend-0.2.81.sha256sum] = "5491a68ab4500fa6b4d726bd67408630c3dbe9c4fe7bda16d5c82a1fd8c7340a"
+SRC_URI[wasm-bindgen-futures-0.4.31.sha256sum] = "de9a9cec1733468a8c657e57fa2413d2ae2c0129b95e87c5b72b8ace4d13f31f"
+SRC_URI[wasm-bindgen-macro-0.2.81.sha256sum] = "c441e177922bc58f1e12c022624b6216378e5febc2f0533e41ba443d505b80aa"
+SRC_URI[wasm-bindgen-macro-support-0.2.81.sha256sum] = "7d94ac45fcf608c1f45ef53e748d35660f168490c10b23704c7779ab8f5c3048"
+SRC_URI[wasm-bindgen-shared-0.2.81.sha256sum] = "6a89911bd99e5f3659ec4acf9c4d93b0a90fe4a2a11f15328472058edc5261be"
+SRC_URI[web-sys-0.3.58.sha256sum] = "2fed94beee57daf8dd7d51f2b15dc2bcde92d7a72304cdf662a4371008b71b90"
+SRC_URI[webpki-0.21.4.sha256sum] = "b8e38c0608262c46d4a56202ebabdeb094cef7e560ca7a226c6bf055188aa4ea"
+SRC_URI[winapi-0.3.9.sha256sum] = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
+SRC_URI[winapi-i686-pc-windows-gnu-0.4.0.sha256sum] = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
+SRC_URI[winapi-util-0.1.5.sha256sum] = "70ec6ce85bb158151cae5e5c87f95a8e97d2c0c4b001223f33a334e3ce5de178"
+SRC_URI[winapi-x86_64-pc-windows-gnu-0.4.0.sha256sum] = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
+SRC_URI[windows-sys-0.36.1.sha256sum] = "ea04155a16a59f9eab786fe12a4a450e75cdb175f9e0d80da1e17db09f55b8d2"
+SRC_URI[windows_aarch64_msvc-0.36.1.sha256sum] = "9bb8c3fd39ade2d67e9874ac4f3db21f0d710bee00fe7cab16949ec184eeaa47"
+SRC_URI[windows_i686_gnu-0.36.1.sha256sum] = "180e6ccf01daf4c426b846dfc66db1fc518f074baa793aa7d9b9aaeffad6a3b6"
+SRC_URI[windows_i686_msvc-0.36.1.sha256sum] = "e2e7917148b2812d1eeafaeb22a97e4813dfa60a3f8f78ebe204bcc88f12f024"
+SRC_URI[windows_x86_64_gnu-0.36.1.sha256sum] = "4dcd171b8776c41b97521e5da127a2d86ad280114807d0b2ab1e462bc764d9e1"
+SRC_URI[windows_x86_64_msvc-0.36.1.sha256sum] = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680"
+SRC_URI[winreg-0.10.1.sha256sum] = "80d0f4e272c85def139476380b12f9ac60926689dd2e01d4923222f40580869d"
diff --git a/recipes-security/krill/krill_0.12.3.bb b/recipes-security/krill/krill_0.12.3.bb
new file mode 100644
index 0000000..ee959c2
--- /dev/null
+++ b/recipes-security/krill/krill_0.12.3.bb
@@ -0,0 +1,42 @@
+SUMMARY = "Resource Public Key Infrastructure (RPKI) daemon"
+HOMEPAGE = "https://www.nlnetlabs.nl/projects/rpki/krill/"
+LICENSE = "MPL-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=9741c346eef56131163e13b9db1241b3"
+
+DEPENDS = "openssl"
+
+# SRC_URI += "crate://crates.io/krill/0.9.1"
+SRC_URI = "git://github.com/NLnetLabs/krill.git;protocol=https;branch=main"
+SRCREV = "e92098419c7ad82939e0483bc76df21eff705b80"
+SRC_URI += "file://panic_workaround.patch"
+
+include krill-crates.inc
+
+UPSTREAM_CHECK_URI = "https://github.com/NLnetLabs/${BPN}/releases"
+UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
+
+S = "${WORKDIR}/git"
+CARGO_SRC_DIR = ""
+
+inherit pkgconfig useradd systemd cargo cargo-update-recipe-crates
+
+do_install:append () {
+ install -d ${D}${sysconfdir}
+ install -d ${D}${datadir}/krill
+
+ install -m 664 ${S}/defaults/krill.conf ${D}${sysconfdir}/.
+ install ${S}/defaults/* ${D}${datadir}/krill/.
+}
+
+KRILL_UID ?= "krill"
+KRILL_GID ?= "krill"
+
+USERADD_PACKAGES = "${PN}"
+GROUPADD_PARAM:${PN} = "--system ${KRILL_UID}"
+USERADD_PARAM:${PN} = "--system -g ${KRILL_GID} --home-dir \
+ /var/lib/krill/ --no-create-home \
+ --shell /sbin/nologin ${BPN}"
+
+FILES:${PN} += "{sysconfdir}/defaults ${datadir}"
+
+COMPATIBLE_HOST = "(i.86|x86_64|aarch64).*-linux"
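Review bot: `FILES:${PN} += "{sysconfdir}/defaults ${datadir}"` at the end of the new recipe is missing the `$` on `{sysconfdir}`, and nothing in do_install:append installs into a `defaults` directory under sysconfdir anyway: krill.conf goes to `${D}${sysconfdir}/` and the rest of `defaults/*` to `${D}${datadir}/krill/`, so the line should be `FILES:${PN} += "${datadir}/krill"` (or dropped, since the default FILES already covers both locations). The install modes also look unintended: `install -m 664` leaves the daemon's configuration file group-writable and the bare `install ${S}/defaults/*` gives plain data files mode 0755; `install -m 0644` for both would be the conventional choice. Separately, GROUPADD_PARAM creates the group from `${KRILL_UID}` while USERADD_PARAM passes `-g ${KRILL_GID}` and names the user `${BPN}`, so overriding either variable on its own leaves the `-g` group missing or the user name unchanged; presumably `GROUPADD_PARAM:${PN} = "--system ${KRILL_GID}"` and `--shell /sbin/nologin ${KRILL_UID}"` were intended.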
diff --git a/recipes-security/libdhash/ding-libs_0.6.1.bb b/recipes-security/libdhash/ding-libs_0.6.1.bb
index 6046fa0..843850f 100644
--- a/recipes-security/libdhash/ding-libs_0.6.1.bb
+++ b/recipes-security/libdhash/ding-libs_0.6.1.bb
@@ -2,7 +2,7 @@ SUMMARY = "Dynamic hash table implementation"
DESCRIPTION = "Dynamic hash table implementation"
HOMEPAGE = "https://fedorahosted.org/released/ding-libs"
SECTION = "base"
-LICENSE = "GPLv3+"
+LICENSE = "GPL-3.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
SRC_URI = "https://fedorahosted.org/released/${BPN}/${BP}.tar.gz"
diff --git a/recipes-security/libest/libest_3.2.0.bb b/recipes-security/libest/libest_3.2.0.bb
index 5b6dc99..b4c6165 100644
--- a/recipes-security/libest/libest_3.2.0.bb
+++ b/recipes-security/libest/libest_3.2.0.bb
@@ -6,22 +6,25 @@ LICENSE = "OpenSSL"
LIC_FILES_CHKSUM = "file://LICENSE;md5=ecb78acde8e3b795de8ef6b61aed5885"
SRCREV = "4ca02c6d7540f2b1bcea278a4fbe373daac7103b"
-SRC_URI = "git://github.com/cisco/libest;branch=main"
+SRC_URI = "git://github.com/cisco/libest;branch=main;protocol=https"
DEPENDS = "openssl"
#fatal error: execinfo.h: No such file or directory
-DEPENDS_append_libc-musl = " libexecinfo"
+DEPENDS:append:libc-musl = " libexecinfo"
inherit autotools-brokensep
EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}"
CFLAGS += "-fcommon"
-LDFLAGS_append_libc-musl = " -lexecinfo"
+LDFLAGS:append:libc-musl = " -lexecinfo"
S = "${WORKDIR}/git"
PACKAGES = "${PN} ${PN}-dbg ${PN}-dev"
-FILES_${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so"
+FILES:${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so"
+
+# https://github.com/cisco/libest/issues/104
+SKIP_RECIPE[libest] ?= "Needs porting to openssl 3.x"
diff --git a/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch b/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch
deleted file mode 100644
index 6aa1a65..0000000
--- a/recipes-security/libgssglue/files/libgssglue-fix-CVE-2011-2709.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-Use secure_getenv instead of getenv for setuid programs
-
-(bnc#694598 CVE-2011-2709 bnc#831805)
-
-import from:
-https://build.opensuse.org/package/view_file/openSUSE:Factory/libgssglue/secure-getenv.patch
-
-Upstream-Status: Pending
-
-Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
-
-diff --git a/src/g_initialize.c b/src/g_initialize.c
-index 200f173..935a9fa 100644
---- a/src/g_initialize.c
-+++ b/src/g_initialize.c
-@@ -26,6 +26,7 @@
- * This function will initialize the gssapi mechglue library
- */
-
-+#define _GNU_SOURCE
- #include "mglueP.h"
- #include <stdlib.h>
-
-@@ -197,8 +198,7 @@ static void solaris_initialize ()
- void *dl;
- gss_mechanism (*sym)(void), mech;
-
-- if ((getuid() != geteuid()) ||
-- ((filename = getenv("GSSAPI_MECH_CONF")) == NULL))
-+ if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL)
- filename = MECH_CONF;
-
- if ((conffile = fopen(filename, "r")) == NULL) {
-@@ -274,8 +274,7 @@ static void linux_initialize ()
- void *dl;
- gss_mechanism (*sym)(void), mech;
-
-- if ((getuid() != geteuid()) ||
-- ((filename = getenv("GSSAPI_MECH_CONF")) == NULL))
-+ if ((filename = secure_getenv("GSSAPI_MECH_CONF")) == NULL)
- filename = MECH_CONF;
-
- if ((conffile = fopen(filename, "r")) == NULL) {
diff --git a/recipes-security/libgssglue/files/libgssglue-g-initialize.patch b/recipes-security/libgssglue/files/libgssglue-g-initialize.patch
deleted file mode 100644
index 4a9ba33..0000000
--- a/recipes-security/libgssglue/files/libgssglue-g-initialize.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Fix the warning for getuid, geteuid
-g_initialize.c: In function 'linux_initialize':
-g_initialize.c:275:5: warning: implicit declaration of function 'getuid' [-Wimplicit-function-declaration]
-g_initialize.c:275:5: warning: implicit declaration of function 'geteuid' [-Wimplicit-function-declaration]
-
-Upstream-Status: Pending
-Signed-off-by: Yao Zhao <yao.zhao@windriver.com>
-
-diff --git a/src/g_initialize.c b/src1/g_initialize.c
-index 82fcce1..200f173 100644
---- a/src/g_initialize.c
-+++ b/src/g_initialize.c
-@@ -29,6 +29,8 @@
- #include "mglueP.h"
- #include <stdlib.h>
-
-+#include <unistd.h> /*getuid, geteuid */
-+#include <sys/types.h>
- #include <stdio.h>
- #include <string.h>
- #include <ctype.h>
diff --git a/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch b/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch
deleted file mode 100644
index 6dce3e7..0000000
--- a/recipes-security/libgssglue/files/libgssglue-gss-inq-cred.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-1) add free if malloc failed for (*mechanisms)->elements
-2) g_inq_cred.c: In function 'gss_inquire_cred':
-g_inq_cred.c:161:8: warning: passing argument 3 of 'generic_gss_copy_oid' from incompatible pointer type [enabled by default]
-
-Upstream-Status: Pending
-Signed-off-by: Yao Zhao <yao.zhao@windriver.com>
-
---- a/src/g_inq_cred.c
-+++ b/src/g_inq_cred.c
-@@ -152,13 +152,15 @@ gss_OID_set * mechanisms;
- union_cred->count);
- if ((*mechanisms)->elements == NULL) {
- *minor_status = ENOMEM;
-+ free(*mechanisms);
-+ *mechanisms = GSS_C_NO_OID_SET;
- return (GSS_S_FAILURE);
- }
-
- for (i=0; i < union_cred->count; i++) {
-- status = generic_gss_copy_oid(minor_status,
-+ status = generic_gss_add_oid_set_member(minor_status,
- &union_cred->mechs_array[i],
-- &((*mechanisms)->elements[i]));
-+ mechanisms);
- if (status != GSS_S_COMPLETE)
- break;
- }
diff --git a/recipes-security/libgssglue/files/libgssglue-mglueP.patch b/recipes-security/libgssglue/files/libgssglue-mglueP.patch
deleted file mode 100644
index 6c9ebf0..0000000
--- a/recipes-security/libgssglue/files/libgssglue-mglueP.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-fix the warning:
-warning: implicit declaration of function 'generic_gss_copy_oid_set' [-Wimplicit-function-declaration]
-
-Upstream-Status: Pending
-Signed-off-by: Yao Zhao <yao.zhao@windriver.com>
-
---- a/src/mglueP.h
-+++ b/src/mglueP.h
-@@ -447,6 +447,12 @@ OM_uint32 generic_gss_copy_oid
- gss_OID * /* new_oid */
- );
-
-+OM_uint32 generic_gss_copy_oid_set
-+ (OM_uint32 *minor_status, /* minor_status */
-+ const gss_OID_set_desc * const oidset, /* oid */
-+ gss_OID_set *new_oidset /* new_oid */
-+ );
-+
- OM_uint32 generic_gss_create_empty_oid_set
- (OM_uint32 *, /* minor_status */
- gss_OID_set * /* oid_set */
diff --git a/recipes-security/libgssglue/libgssglue_0.4.bb b/recipes-security/libgssglue/libgssglue_0.8.bb
index 88c58ed..9d01964 100644
--- a/recipes-security/libgssglue/libgssglue_0.4.bb
+++ b/recipes-security/libgssglue/libgssglue_0.8.bb
@@ -15,29 +15,26 @@ LICENSE = "BSD-3-Clause | HPND"
#Copyright 1995 by the Massachusetts Institute of Technology. HPND without Disclaimer
#Copyright 1993 by OpenVision Technologies, Inc. HPND
LIC_FILES_CHKSUM = "file://COPYING;md5=56871e72a5c475289c0d5e4ba3f2ee3a \
- file://src/g_accept_sec_context.c;beginline=3;endline=23;md5=8a7f4017cb7f4be49f8981cb8c472690 \
+ file://src/g_accept_sec_context.c;beginline=3;endline=23;md5=da8ca7a37bd26e576c23874d453751d2\
file://src/g_ccache_name.c;beginline=1;endline=32;md5=208d4de05d5c8273963a8332f084faa7 \
- file://src/oid_ops.c;beginline=1;endline=26;md5=1f194d148b396972da26759a8ec399f0 \
- file://src/oid_ops.c;beginline=378;endline=398;md5=e02c165cb8383e950214baca2fbd664b \
+ file://src/oid_ops.c;beginline=1;endline=26;md5=1f194d148b396972da26759a8ec399f0\
+ file://src/oid_ops.c;beginline=378;endline=398;md5=72457a5cdc0354cb5c25c8b150326364\
"
-SRC_URI = "${DEBIAN_MIRROR}/main/libg/${BPN}/${BPN}_${PV}.orig.tar.bz2 \
+SRC_URI = "${DEBIAN_MIRROR}/main/libg/${BPN}/${BPN}_${PV}.orig.tar.gz \
file://libgssglue-canon-name.patch \
- file://libgssglue-gss-inq-cred.patch \
- file://libgssglue-mglueP.patch \
- file://libgssglue-g-initialize.patch \
- file://libgssglue-fix-CVE-2011-2709.patch \
"
-SRC_URI[md5sum] = "5ce81940965fa68c7635c42dcafcddfe"
-SRC_URI[sha256sum] = "bb47b2de78409f461811d0db8595c66e6631a9879c3621a35e4434b104ee52f5"
+SRC_URI[sha256sum] = "a2bb183e946f6e30562a2a856950a2916c9b6d42c34d67a8400e4efc28917746"
-# gssglue can use krb5, spkm3... as gssapi library, configurable
-RRECOMMENDS_${PN} += "krb5"
+inherit autotools-brokensep
-inherit autotools
+do_configure:prepend() {
+ cd ${S}
+ ./bootstrap
+}
-do_install_append() {
+do_install:append() {
# install some docs
install -d -m 0755 ${D}${docdir}/${BPN}
install -m 0644 ${S}/AUTHORS ${S}/ChangeLog ${S}/NEWS ${S}/README ${D}${docdir}/${BPN}
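Review bot: The SRC_URI block drops libgssglue-fix-CVE-2011-2709.patch (the secure_getenv change for setuid callers) together with the three warning-fix patches, but nothing records whether 0.8 carries that fix upstream; if it does, a comment next to SRC_URI such as `# libgssglue-fix-CVE-2011-2709.patch dropped: fix confirmed upstream in <VERSION-CHECKED>` keeps later CVE reviews from re-porting it, and if it does not, the patch should be carried forward rather than silently removed. The new `do_configure:prepend` runs `cd ${S}` and `./bootstrap` on every configure; the `cd` is redundant under autotools-brokensep (which sets B = S), and since the autotools class already runs autoreconf, a one-line comment on what bootstrap provides beyond that (`# bootstrap fetches what the release tarball lacks — <confirm>`) would help the next maintainer decide whether it is still needed. The rewritten LIC_FILES_CHKSUM continuation lines lost the space before `\`, which BitBake tolerates but is inconsistent with the untouched `g_ccache_name.c` line in the same list.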
@@ -49,3 +46,6 @@ do_install_append() {
# change the libgssapi_krb5.so path and name(it is .so.2)
sed -i -e "s:/usr/lib/libgssapi_krb5.so:libgssapi_krb5.so.2:" ${D}${sysconfdir}/gssapi_mech.conf
}
+
+# gssglue can use krb5, spkm3... as gssapi library, configurable
+RRECOMMENDS:${PN} += "krb5"
diff --git a/recipes-security/libmhash/libmhash_0.9.9.9.bb b/recipes-security/libmhash/libmhash_0.9.9.9.bb
index 9b34cb1..49139d2 100644
--- a/recipes-security/libmhash/libmhash_0.9.9.9.bb
+++ b/recipes-security/libmhash/libmhash_0.9.9.9.bb
@@ -7,7 +7,7 @@ DESCRIPTION = "\
"
HOMEPAGE = "http://mhash.sourceforge.net/"
-LICENSE = "LGPLv2.0"
+LICENSE = "LGPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=3bf50002aefd002f49e7bb854063f7e7"
S = "${WORKDIR}/mhash-${PV}"
@@ -23,7 +23,11 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/mhash/mhash-${PV}.tar.bz2 \
SRC_URI[md5sum] = "f91c74f9ccab2b574a98be5bc31eb280"
SRC_URI[sha256sum] = "56521c52a9033779154432d0ae47ad7198914785265e1f570cee21ab248dfef0"
-inherit autotools-brokensep ptest
+inherit autotools-brokensep ptest multilib_header
+
+do_install:append() {
+ oe_multilib_header mutils/mhash_config.h
+}
do_compile_ptest() {
if [ ! -d ${S}/demo ]; then mkdir ${S}/demo; fi
@@ -35,3 +39,5 @@ do_compile_ptest() {
do_install_ptest() {
install -m 0755 ${S}/demo/mhash ${D}${PTEST_PATH}
}
+
+BBCLASSEXTEND = "native"
diff --git a/recipes-security/libmspack/libmspack_1.9.1.bb b/recipes-security/libmspack/libmspack_1.11.bb
index 8c288be..59df84b 100644
--- a/recipes-security/libmspack/libmspack_1.9.1.bb
+++ b/recipes-security/libmspack/libmspack_1.11.bb
@@ -1,13 +1,13 @@
SUMMARY = "A library for Microsoft compression formats"
HOMEPAGE = "http://www.cabextract.org.uk/libmspack/"
SECTION = "lib"
-LICENSE = "LGPL-2.1"
+LICENSE = "LGPL-2.1-only"
DEPENDS = ""
LIC_FILES_CHKSUM = "file://COPYING.LIB;beginline=1;endline=2;md5=5b1fd1f66ef926b3c8a5bb00a72a28dd"
-SRCREV = "63d3faf90423a4a6c174539a7d32111a840adadc"
-SRC_URI = "git://github.com/kyz/libmspack.git"
+SRCREV = "305907723a4e7ab2018e58040059ffb5e77db837"
+SRC_URI = "git://github.com/kyz/libmspack.git;branch=master;protocol=https"
inherit autotools
diff --git a/recipes-security/mfa/python3-privacyidea_3.5.2.bb b/recipes-security/mfa/python3-privacyidea_3.5.2.bb
deleted file mode 100644
index cd0acf8..0000000
--- a/recipes-security/mfa/python3-privacyidea_3.5.2.bb
+++ /dev/null
@@ -1,40 +0,0 @@
-SUMMARY = "identity, multifactor authentication (OTP), authorization, audit"
-DESCRIPTION = "privacyIDEA is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you can enhance your existing applications like local login (PAM, Windows Credential Provider), VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication. Thus boosting the security of your existing applications."
-
-HOMEPAGE = "http://www.privacyidea.org/"
-LICENSE = "AGPL-3.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=c0acfa7a8a03b718abee9135bc1a1c55"
-
-PYPI_PACKAGE = "privacyIDEA"
-SRC_URI[sha256sum] = "26aeb0d353af1f212c4df476202516953c20f7f31566cfe0b67cbb553de04763"
-
-inherit pypi setuptools3
-
-do_install_append () {
- #install ${D}/var/log/privacyidea
-
- rm -fr ${D}${libdir}/${PYTHON_DIR}/site-packages/tests
-}
-
-USERADD_PACKAGES = "${PN}"
-GROUPADD_PARAM_${PN} = "--system privacyidea"
-USERADD_PARAM_${PN} = "--system -g privacyidea -o -r -d /opt/${BPN} \
- --shell /bin/false privacyidea"
-
-FILES_${PN} += " ${datadir}/etc/privacyidea/* ${datadir}/lib/privacyidea/*"
-
-RDEPENDS_${PN} += " bash perl freeradius-mysql freeradius-utils"
-
-RDEPENDS_${PN} += "python3 python3-alembic python3-babel python3-backports-functools-lru-cache python3-bcrypt"
-RDEPENDS_${PN} += "python3-beautifulsoup4 python3-cbor2 python3-certifi python3-cffi python3-chardet"
-RDEPENDS_${PN} += "python3-click python3-configobj python3-croniter python3-cryptography python3-defusedxml"
-RDEPENDS_${PN} += "python3-ecdsa python3-flask python3-flask-babel python3-flask-migrate"
-RDEPENDS_${PN} += "python3-flask-script python3-flask-sqlalchemy python3-flask-versioned"
-RDEPENDS_${PN} += "python3-future python3-httplib2 python3-huey python3-idna python3-ipaddress"
-RDEPENDS_${PN} += "python3-itsdangerous python3-jinja2 python3-ldap python3-lxml python3-mako"
-RDEPENDS_${PN} += "python3-markupsafe python3-netaddr python3-oauth2client python3-passlib python3-pillow"
-RDEPENDS_${PN} += "python3-pyasn1 python3-pyasn1-modules python3-pycparser python3-pyjwt python3-pymysql"
-RDEPENDS_${PN} += "python3-pyopenssl python3-pyrad python3-dateutil python3-editor python3-gnupg"
-RDEPENDS_${PN} += "python3-pytz python3-pyyaml python3-qrcode python3-redis python3-requests python3-rsa"
-RDEPENDS_${PN} += "python3-six python3-smpplib python3-soupsieve python3-soupsieve "
-RDEPENDS_${PN} += "python3-sqlalchemy python3-sqlsoup python3-urllib3 python3-werkzeug"
diff --git a/recipes-security/ncrack/ncrack_0.7.bb b/recipes-security/ncrack/ncrack_0.7.bb
index ba26965..8e6b444 100644
--- a/recipes-security/ncrack/ncrack_0.7.bb
+++ b/recipes-security/ncrack/ncrack_0.7.bb
@@ -3,11 +3,11 @@ DESCRIPTION = "Ncrack is designed for high-speed parallel testing of network dev
HOMEPAGE = "https://nmap.org/ncrack"
SECTION = "security"
-LICENSE = "GPL-2.0"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;beginline=7;endline=12;md5=66938a7e5b4c118eda78271de14874c2"
SRCREV = "dc570e7e3cec1fb176c0168eaedc723084bd0426"
-SRC_URI = "git://github.com/nmap/ncrack.git"
+SRC_URI = "git://github.com/nmap/ncrack.git;branch=master;protocol=https"
DEPENDS = "openssl zlib"
@@ -15,4 +15,4 @@ inherit autotools-brokensep
S = "${WORKDIR}/git"
-INSANE_SKIP_${PN} = "already-stripped"
+INSANE_SKIP:${PN} = "already-stripped"
diff --git a/recipes-security/nikto/files/location.patch b/recipes-security/nikto/files/location.patch
deleted file mode 100644
index edaa204..0000000
--- a/recipes-security/nikto/files/location.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From d1cb702d5147abea0d3208a4d554c61a6f2decd6 Mon Sep 17 00:00:00 2001
-From: Scott Ellis <scott@jumpnowtek.com>
-Date: Fri, 28 Dec 2018 11:08:25 -0500
-Subject: [PATCH] Set custom paths
-
-Upstream Status: Inappropriate
-
-Signed-off-by: Scott Ellis <scott@jumpnowtek.com>
----
- nikto.conf | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/program/nikto.conf b/program/nikto.conf
-index bf36c58..8c55415 100644
---- a/nikto.conf
-+++ b/nikto.conf
-@@ -61,11 +61,11 @@ CIRT=107.170.99.251
- CHECKMETHODS=HEAD GET
-
- # If you want to specify the location of any of the files, specify them here
--# EXECDIR=/opt/nikto # Location of Nikto
--# PLUGINDIR=/opt/nikto/plugins # Location of plugin dir
--# DBDIR=/opt/nikto/databases # Location of database dir
--# TEMPLATEDIR=/opt/nikto/templates # Location of template dir
--# DOCDIR=/opt/nikto/docs # Location of docs dir
-+EXECDIR=/usr/bin/nikto # Location of Nikto
-+PLUGINDIR=/etc/nikto/plugins # Location of plugin dir
-+DBDIR=/etc/nikto/databases # Location of database dir
-+TEMPLATEDIR=/etc/nikto/templates # Location of template dir
-+DOCDIR=/usr/share/doc/nikto # Location of docs dir
-
- # Default plugin macros
- # Remove plugins designed to be run standalone
---
-2.7.4
-
diff --git a/recipes-security/nikto/nikto_2.1.6.bb b/recipes-security/nikto/nikto_2.1.6.bb
deleted file mode 100644
index 615cc30..0000000
--- a/recipes-security/nikto/nikto_2.1.6.bb
+++ /dev/null
@@ -1,118 +0,0 @@
-SUMMARY = "web server scanner"
-DESCRIPTION = "Nikto is an Open Source web server scanner which performs comprehensive tests against web servers"
-SECTION = "security"
-HOMEPAGE = "https://cirt.net/Nikto2"
-
-LICENSE = "GPLv2"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
-
-SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79"
-SRC_URI = "git://github.com/sullo/nikto.git \
- file://location.patch"
-
-S = "${WORKDIR}/git/program"
-
-do_install() {
- install -d ${D}${bindir}
- install -d ${D}${datadir}
- install -d ${D}${datadir}/man/man1
- install -d ${D}${datadir}/doc/nikto
- install -d ${D}${sysconfdir}/nikto
- install -d ${D}${sysconfdir}/nikto/databases
- install -d ${D}${sysconfdir}/nikto/plugins
- install -d ${D}${sysconfdir}/nikto/templates
-
- install -m 0644 databases/db_404_strings ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_content_search ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_dictionary ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_dir_traversal ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_domino ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_drupal ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_embedded ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_favicon ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_headers ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_httpoptions ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_multiple_index ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_outdated ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_parked_strings ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_realms ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_server_msgs ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_tests ${D}${sysconfdir}/nikto/databases
- install -m 0644 databases/db_variables ${D}${sysconfdir}/nikto/databases
-
- install -m 0644 plugins/LW2.pm ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_apache_expect_xss.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_apacheusers.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_auth.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_cgi.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_clientaccesspolicy.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_content_search.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_cookies.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_core.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_dictionary_attack.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_dir_traversal.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_dishwasher.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_docker_registry.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_domino.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_drupal.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_embedded.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_favicon.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_fileops.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_headers.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_httpoptions.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_ms10_070.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_msgs.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_multiple_index.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_negotiate.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_origin_reflection.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_outdated.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_parked.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_paths.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_put_del_test.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_csv.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_html.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_json.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_nbe.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_sqlg.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_text.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_report_xml.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_robots.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_siebel.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_sitefiles.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_ssl.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_strutshock.plugin ${D}${sysconfdir}/nikto/plugins
- install -m 0644 plugins/nikto_tests.plugin ${D}${sysconfdir}/nikto/plugins
-
- install -m 0644 templates/htm_close.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_end.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_head.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_im.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_host_item.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_stop.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/htm_summary.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_end.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_head.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_im.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_host_item.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_start.tmpl ${D}${sysconfdir}/nikto/templates
- install -m 0644 templates/xml_summary.tmpl ${D}${sysconfdir}/nikto/templates
-
- install -m 0644 nikto.conf ${D}${sysconfdir}
-
- install -m 0755 nikto.pl ${D}${bindir}/nikto
- install -m 0644 replay.pl ${D}${bindir}
- install -m 0644 docs/nikto.1 ${D}${datadir}/man/man1
-
- install -m 0644 docs/CHANGES.txt ${D}${datadir}/doc/nikto
- install -m 0644 docs/LICENSE.txt ${D}${datadir}/doc/nikto
- install -m 0644 docs/nikto.dtd ${D}${datadir}/doc/nikto
- install -m 0644 docs/nikto_manual.html ${D}${datadir}/doc/nikto
-}
-
-RDEPENDS_${PN} = "perl libnet-ssleay-perl libwhisker2-perl \
- perl-module-getopt-long perl-module-time-local \
- perl-module-io-socket perl-module-overloading \
- perl-module-base perl-module-b perl-module-bytes"
-
diff --git a/recipes-security/opendnssec/files/libdns_conf_fix.patch b/recipes-security/opendnssec/files/libdns_conf_fix.patch
index 31d7252..220a2b8 100644
--- a/recipes-security/opendnssec/files/libdns_conf_fix.patch
+++ b/recipes-security/opendnssec/files/libdns_conf_fix.patch
@@ -1,6 +1,6 @@
Configure does not work with OE pkg-config for the ldns option
-Upstream-Status: OE specific
+Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
diff --git a/recipes-security/opendnssec/files/libxml2_conf.patch b/recipes-security/opendnssec/files/libxml2_conf.patch
index b4ed430..c20d5d2 100644
--- a/recipes-security/opendnssec/files/libxml2_conf.patch
+++ b/recipes-security/opendnssec/files/libxml2_conf.patch
@@ -1,6 +1,6 @@
configure does not work with OE pkg-config for the libxml2 option
-Upstream-Status: OE specific
+Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
diff --git a/recipes-security/opendnssec/opendnssec_2.1.9.bb b/recipes-security/opendnssec/opendnssec_2.1.10.bb
index 2b79609..64bacf1 100644
--- a/recipes-security/opendnssec/opendnssec_2.1.9.bb
+++ b/recipes-security/opendnssec/opendnssec_2.1.10.bb
@@ -1,6 +1,6 @@
SUMMARY = "OpenDNSSEC is a policy-based zone signer that automates the process of keeping track of DNSSEC keys and the signing of zones"
-LICENSE = "BSD"
+LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://LICENSE;md5=b041dbe2da80d4efd951393fbba90937"
DEPENDS = "libxml2 openssl ldns libmicrohttpd jansson libyaml "
@@ -10,7 +10,7 @@ SRC_URI = "https://dist.opendnssec.org/source/opendnssec-${PV}.tar.gz \
file://libdns_conf_fix.patch \
"
-SRC_URI[sha256sum] = "6d1d466c8d7f507f3e665f4bfe4d16a68d6bff9d7c2ab65f852e2b2a821c28b5"
+SRC_URI[sha256sum] = "c0a8427de241118dccbf7abc508e4dd53fb75b45e9f386addbadae7ecc092756"
inherit autotools pkgconfig perlnative
@@ -27,8 +27,10 @@ PACKAGECONFIG[mysql] = "--with-mysql=yes, , mariadb, mariadb"
PACKAGECONFIG[readline] = "--with-readline, --without-readline, readline"
PACKAGECONFIG[unwind] = "--with-libunwind, --without-libunwind"
-do_install_append () {
+do_install:append () {
rm -rf ${D}${localstatedir}/run
}
-RDEPENDS_${PN} = "softhsm"
+RDEPENDS:${PN} = "softhsm"
+
+SKIP_RECIPE[opendnssec] ?= "Needs porting to openssl 3.x"
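Review bot: `SKIP_RECIPE[opendnssec] ?= "Needs porting to openssl 3.x"` disables the recipe, so nothing in this commit exercises the bumped `SRC_URI[sha256sum]` for 2.1.10 or the renamed `do_install:append`; a comment naming the failing step and a tracking reference would make the skip actionable, e.g. `# TODO: drop once opendnssec builds against openssl 3.x; see <tracking reference>`. The LICENSE change to `BSD-2-Clause` in the first hunk of this file leaves `LIC_FILES_CHKSUM` unchanged, which is only correct if upstream's LICENSE file is identical between 2.1.9 and 2.1.10 — worth confirming by hand, since the skipped recipe can no longer catch a checksum mismatch at build time.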
diff --git a/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch b/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
new file mode 100644
index 0000000..451cb7f
--- /dev/null
+++ b/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
@@ -0,0 +1,26 @@
+From 824c5d7b96aeef1b4e182f657ac002bed6e14cd5 Mon Sep 17 00:00:00 2001
+From: Lei Maohui <leimaohui@fujitsu.com>
+Date: Thu, 31 Aug 2023 08:20:56 +0000
+Subject: [PATCH] To fix package error if DESTDIR is set to /usr.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 0d7bc0c..46fd664 100644
+--- a/Makefile
++++ b/Makefile
+@@ -19,7 +19,7 @@ $(PROG).o: $(PROG).c $(PROG).h $(PROG)-elf.c
+
+ install: $(PROG)
+ # $(MKDIR) $(DESTDIR)/sbin $(DESTDIR)$(MANDIR)
+- $(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/sbin/$(PROG)
++ $(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/usr/sbin/$(PROG)
+ $(INSTALL) -D --owner 0 --group 0 --mode a=r $(PROG).1 $(DESTDIR)/$(MANDIR)/$(PROG).1
+
+ clean:
+--
+2.34.1
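Review bot: The `Upstream-Status: Inappropriate` trailer at the top of the new patch carries no bracketed reason, while the other patch headers this commit touches are normalized to `Upstream-Status: Inappropriate [OE specific]`; the same form should be used here, `Upstream-Status: Inappropriate [OE specific]`. The new install line also hardcodes `/usr/sbin` under DESTDIR, whereas the man page line next to it goes through `$(MANDIR)`; if the Makefile exposes a variable for the sbin directory, using it would keep the layout decision in one place. The subject line "if DESTDIR is set to /usr" does not obviously describe what the hunk does (it moves the binary from `sbin` to `usr/sbin` relative to DESTDIR), so a one-sentence rationale in the patch header would help future readers.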
diff --git a/recipes-security/paxctl/paxctl_0.9.bb b/recipes-security/paxctl/paxctl_0.9.bb
index 3c04141..3d2f2a3 100644
--- a/recipes-security/paxctl/paxctl_0.9.bb
+++ b/recipes-security/paxctl/paxctl_0.9.bb
@@ -3,12 +3,14 @@ DESCRIPTION = "paxctl is a tool that allows PaX flags to be modified on a \
kernel patches and secure distributions, such as \
GrSecurity or Adamantix and Hardened Gen-too, respectively."
HOMEPAGE = "https://pax.grsecurity.net/"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://paxctl.c;beginline=1;endline=5;md5=0ddd065c61020dda79729e6bedaed2c7 \
file://paxctl-elf.c;beginline=1;endline=5;md5=99f453ce7f6d1687ee808982e2924813 \
"
-SRC_URI = "http://pax.grsecurity.net/${BP}.tar.gz"
+SRC_URI = "http://pax.grsecurity.net/${BP}.tar.gz \
+ file://0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch \
+"
SRC_URI[md5sum] = "9bea59b1987dc4e16c2d22d745374e64"
SRC_URI[sha256sum] = "a330ddd812688169802a3ba29e5e3b19956376b8f6f73b8d7e9586eb04423c2e"
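Review bot: The SRC_URI assignment is rewritten in this hunk but the archive is still fetched over plain `http://pax.grsecurity.net/${BP}.tar.gz`, while the same commit moves ncrack's fetch to `protocol=https`; the sha256sum pins the archive's integrity, so this is a consistency point, but an https URL would also keep the download from being observed or interfered with in transit, `SRC_URI = "https://pax.grsecurity.net/${BP}.tar.gz \` if the host serves TLS. The `SRC_URI[md5sum]` line is redundant next to the sha256sum and can be dropped. A short comment above the new `file://` line saying why the install path patch is needed would spare the next reader a trip into the patch header.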
@@ -24,7 +26,7 @@ do_install() {
# install: cannot change ownership of '.../sbin/paxctl': \
# Operation not permitted
# Drop '--owner 0 --group 0' to fix the issue.
-do_install_class-native() {
+do_install:class-native() {
local PROG=paxctl
install -d ${D}${base_sbindir}
install -d ${D}${mandir}/man1
@@ -33,6 +35,6 @@ do_install_class-native() {
}
# Avoid QA Issue: No GNU_HASH in the elf binary
-INSANE_SKIP_${PN} = "ldflags"
+INSANE_SKIP:${PN} = "ldflags"
BBCLASSEXTEND = "native"
diff --git a/recipes-security/redhat-security/redhat-security_1.0.bb b/recipes-security/redhat-security/redhat-security_1.0.bb
index 0d70dc6..c47688f 100644
--- a/recipes-security/redhat-security/redhat-security_1.0.bb
+++ b/recipes-security/redhat-security/redhat-security_1.0.bb
@@ -1,7 +1,7 @@
SUMMARY = "redhat security tools"
DESCRIPTION = "Tools used by redhat linux distribution for security checks"
SECTION = "security"
-LICENSE = "GPLv2"
+LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
SRC_URI = "file://find-chroot-py.sh \
@@ -37,4 +37,4 @@ do_install() {
install -m 0755 ${WORKDIR}/selinux-ls-unconfined.sh ${D}${bindir}
}
-RDEPENDS_${PN} = "file libcap-ng procps findutils"
+RDEPENDS:${PN} = "file libcap-ng procps findutils"
diff --git a/recipes-security/sshguard/sshguard_2.4.3.bb b/recipes-security/sshguard/sshguard_2.4.3.bb
new file mode 100644
index 0000000..37b414e
--- /dev/null
+++ b/recipes-security/sshguard/sshguard_2.4.3.bb
@@ -0,0 +1,11 @@
+SUMARRY=" Intelligently block brute-force attacks by aggregating system logs "
+HOMEPAGE = "https://www.sshguard.net/"
+LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
+LICENSE = "BSD-1-Clause"
+
+
+SRC_URI="https://sourceforge.net/projects/sshguard/files/sshguard/${PV}/sshguard-${PV}.tar.gz"
+
+SRC_URI[sha256sum] = "64029deff6de90fdeefb1f497d414f0e4045076693a91da1a70eb7595e97efeb"
+
+inherit autotools-brokensep
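Review bot: `SUMARRY=" Intelligently block brute-force attacks by aggregating system logs "` on the first line misspells the variable, so the package gets no summary from this recipe and the value, including its stray leading and trailing spaces, is silently ignored; it should read `SUMMARY = "Intelligently block brute-force attacks by aggregating system logs"`. `SRC_URI="..."` on the seventh line lacks the ` = ` spacing used by every other recipe this commit touches. The recipe also declares no `DESCRIPTION`, and inherits `autotools-brokensep` without a comment on why an in-tree build is required.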
diff --git a/recipes-security/sssd/files/drop_ntpdate_chk.patch b/recipes-security/sssd/files/drop_ntpdate_chk.patch
deleted file mode 100644
index 338af5d..0000000
--- a/recipes-security/sssd/files/drop_ntpdate_chk.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-nsupdate path is needed for various exec call
-but don't run natvie tests on it.
-
-
-Upstream-Status: Inappropriate [OE specific]
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: sssd-2.5.0/src/external/nsupdate.m4
-===================================================================
---- sssd-2.5.0.orig/src/external/nsupdate.m4
-+++ sssd-2.5.0/src/external/nsupdate.m4
-@@ -3,16 +3,4 @@ AC_MSG_CHECKING(for executable nsupdate)
- if test -x "$NSUPDATE"; then
- AC_DEFINE_UNQUOTED([NSUPDATE_PATH], ["$NSUPDATE"], [The path to nsupdate])
- AC_MSG_RESULT(yes)
--
-- AC_MSG_CHECKING(for nsupdate 'realm' support')
-- if AC_RUN_LOG([echo realm |$NSUPDATE >&2]); then
-- AC_MSG_RESULT([yes])
-- else
-- AC_MSG_RESULT([no])
-- AC_MSG_ERROR([nsupdate does not support 'realm'])
-- fi
--
--else
-- AC_MSG_RESULT([no])
-- AC_MSG_ERROR([nsupdate is not available])
- fi
diff --git a/recipes-security/sssd/files/fix-ldblibdir.patch b/recipes-security/sssd/files/fix-ldblibdir.patch
deleted file mode 100644
index e350baf..0000000
--- a/recipes-security/sssd/files/fix-ldblibdir.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-When calculate value of ldblibdir, it checks whether the directory of
-$ldblibdir exists. If not, it assigns ldblibdir with ${libdir}/ldb. It is not
-suitable for cross compile. Fix it that only re-assign ldblibdir when its value
-is empty.
-
-Upstream-Status: Inappropriate [cross compile specific]
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
----
- src/external/libldb.m4 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/external/libldb.m4 b/src/external/libldb.m4
-index c400add..5e5f06d 100644
---- a/src/external/libldb.m4
-+++ b/src/external/libldb.m4
-@@ -19,7 +19,7 @@ if test x"$with_ldb_lib_dir" != x; then
- ldblibdir=$with_ldb_lib_dir
- else
- ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`"
-- if ! test -d $ldblibdir; then
-+ if test -z $ldblibdir; then
- ldblibdir="${libdir}/ldb"
- fi
- fi
diff --git a/recipes-security/sssd/files/fix_gid.patch b/recipes-security/sssd/files/fix_gid.patch
deleted file mode 100644
index 9b481cc..0000000
--- a/recipes-security/sssd/files/fix_gid.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-from ../sssd-2.5.0/src/util/sss_pam_data.c:27:
-| ../sssd-2.5.0/src/util/debug.h:88:44: error: unknown type name 'uid_t'; did you mean 'uint_t'?
-| 88 | int chown_debug_file(const char *filename, uid_t uid, gid_t gid);
-| | ^~~~~
-| | uint_t
-| ../sssd-2.5.0/src/util/debug.h:88:55: error: unknown type name 'gid_t'
-| 88 | int chown_debug_file(const char *filename, uid_t uid, gid_t gid);
-| | ^~~~~
-| make[2]: *** [Makefile:22529: src/util/libsss_iface_la-sss_pam_data.lo] Error 1
-| make[2]: *** Waiting for unfinished jobs....
-
-Upstream-Status: Pending
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: sssd-2.5.0/src/util/debug.h
-===================================================================
---- sssd-2.5.0.orig/src/util/debug.h
-+++ sssd-2.5.0/src/util/debug.h
-@@ -24,6 +24,8 @@
- #include "config.h"
-
- #include <stdio.h>
-+#include <unistd.h>
-+#include <sys/types.h>
- #include <stdbool.h>
-
- #include "util/util_errors.h"
diff --git a/recipes-security/sssd/files/no_gen.patch b/recipes-security/sssd/files/no_gen.patch
deleted file mode 100644
index 5c83777..0000000
--- a/recipes-security/sssd/files/no_gen.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-don't run generate-sbus-code
-
-Upstream-Status: Inappropriate [OE Specific]
-
-Signed-off-by: Armin Kuster <akuster808@gmail.com>
-
-Index: sssd-2.5.0/Makefile.am
-===================================================================
---- sssd-2.5.0.orig/Makefile.am
-+++ sssd-2.5.0/Makefile.am
-@@ -1033,8 +1033,6 @@ generate-sbus-code:
-
- .PHONY: generate-sbus-code
-
--BUILT_SOURCES += generate-sbus-code
--
- EXTRA_DIST += \
- sbus_generate.sh.in \
- src/sbus/codegen/dbus.xml \
diff --git a/recipes-security/sssd/files/sssd.conf b/recipes-security/sssd/files/sssd.conf
deleted file mode 100644
index 1709a7a..0000000
--- a/recipes-security/sssd/files/sssd.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-[sssd]
-services = nss, pam
-config_file_version = 2
-
-[nss]
-
-[pam]
-
diff --git a/recipes-security/sssd/files/volatiles.99_sssd b/recipes-security/sssd/files/volatiles.99_sssd
deleted file mode 100644
index 2a82413..0000000
--- a/recipes-security/sssd/files/volatiles.99_sssd
+++ /dev/null
@@ -1 +0,0 @@
-d root root 0750 /var/log/sssd none
diff --git a/recipes-security/sssd/sssd_2.5.0.bb b/recipes-security/sssd/sssd_2.5.0.bb
deleted file mode 100644
index 84b7b0e..0000000
--- a/recipes-security/sssd/sssd_2.5.0.bb
+++ /dev/null
@@ -1,131 +0,0 @@
-SUMMARY = "system security services daemon"
-DESCRIPTION = "SSSD is a system security services daemon"
-HOMEPAGE = "https://pagure.io/SSSD/sssd/"
-SECTION = "base"
-LICENSE = "GPLv3+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-
-DEPENDS = "acl attr openldap cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
-DEPENDS_append = " libldb dbus libtalloc libpcre glib-2.0 popt e2fsprogs libtevent bind p11-kit"
-
-DEPENDS_append_libc-musl = " musl-nscd"
-
-# If no crypto has been selected, default to DEPEND on nss, since that's what
-# sssd will pick if no active choice is made during configure
-DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
- bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
-
-SRC_URI = "https://github.com/SSSD/sssd/releases/download/2.5.0/sssd-2.5.0.tar.gz \
- file://sssd.conf \
- file://volatiles.99_sssd \
- file://no_gen.patch \
- file://fix_gid.patch \
- file://drop_ntpdate_chk.patch \
- file://fix-ldblibdir.patch \
- "
-SRC_URI[sha256sum] = "afa62d7d8d23fca3aba093abe4ec0d14e7d9346c5b28ceb7c2c624bed98caa06"
-
-inherit autotools pkgconfig gettext python3-dir features_check systemd
-
-REQUIRED_DISTRO_FEATURES = "pam"
-
-SSSD_UID ?= "root"
-SSSD_GID ?= "root"
-
-CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
- ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
- "
-
-PACKAGECONFIG ?="nss nscd autofs sudo infopipe"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
-PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
-
-PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
-PACKAGECONFIG[crypto] = ", , libcrypto"
-PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
-PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
-PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
-PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
-PACKAGECONFIG[nscd] = "--with-nscd=${sbindir}, --with-nscd=no "
-PACKAGECONFIG[nss] = ", ,nss,"
-PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
-PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
-PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
-PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
-PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
-PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv"
-
-EXTRA_OECONF += " \
- --disable-cifs-idmap-plugin \
- --without-nfsv4-idmapd-plugin \
- --without-ipa-getkeytab \
- --without-python2-bindings \
- --enable-pammoddir=${base_libdir}/security \
- --without-python2-bindings \
- --without-secrets \
- --with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
- --with-pid-path=/run \
-"
-
-do_configure_prepend() {
- mkdir -p ${AUTOTOOLS_AUXDIR}/build
- cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
-
- # libresove has host path, remove it
- sed -i -e "s#\$sss_extra_libdir##" ${S}/src/external/libresolv.m4
-}
-
-do_compile_prepend () {
- echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h
-}
-do_install () {
- oe_runmake install DESTDIR="${D}"
- rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
- install -d ${D}/${sysconfdir}/${BPN}
- install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
- install -D -m 644 ${WORKDIR}/volatiles.99_sssd ${D}/${sysconfdir}/default/volatiles/99_sssd
-
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- install -d ${D}${sysconfdir}/tmpfiles.d
- echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
- fi
-
- # Remove /run as it is created on startup
- rm -rf ${D}/run
-
- rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
-}
-
-pkg_postinst_ontarget_${PN} () {
-if [ -e /etc/init.d/populate-volatile.sh ] ; then
- ${sysconfdir}/init.d/populate-volatile.sh update
-fi
- chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
-}
-
-CONFFILES_${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
-
-INITSCRIPT_NAME = "sssd"
-INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
-SYSTEMD_SERVICE_${PN} = " \
- ${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
- ${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
- sssd-nss.service \
- sssd-nss.socket \
- sssd-pam-priv.socket \
- sssd-pam.service \
- sssd-pam.socket \
- sssd.service \
-"
-SYSTEMD_AUTO_ENABLE = "disable"
-
-FILES_${PN} += "${libdir} ${datadir} ${base_libdir}/security/pam_sss*.so"
-FILES_${PN}-dev = " ${includedir}/* ${libdir}/*la ${libdir}/*/*la"
-
-# The package contains symlinks that trip up insane
-INSANE_SKIP_${PN} = "dev-so"
-
-RDEPENDS_${PN} = "bind bind-utils dbus libldb libpam"