Age | Commit message | Author | Files | Lines
2014-08-06 | checksec: Add new aslr pic pie test script | Armin Kuster | 2 | -0/+898
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-08-06 | pinentry: Fix do_package_qa issue | Armin Kuster | 1 | -1/+2
    This fixes:
    ERROR: QA Issue: pinentry: The compile log indicates that host include and/or library paths were used.
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-08-06 | nmap: update to 6.46 | Armin Kuster | 3 | -103/+36
    Updated to later version of nmap.
    Remove patch which is included in update.
    Added ndiff package.
    Include zenmap build changes but commented out for now and untested.
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-07-02 | libcap-ng: resolved issue related with LONG_BIT definition | Alexandru.Vaduva | 2 | -6/+71
    The problem is well known for 64 bit architectures and the solution is offered in the same recipe but in the meta-selinux layer.
    Signed-off-by: Alexandru.Vaduva <Alexandru.Vaduva at enea.com>
    Signed-off-by: Armin Kuster <akuster@mvista.com>
2014-07-02 | meta-security: Add Maintainers | Armin Kuster | 1 | -0/+12
    Add Maintainers statement to README and add self to list.
    Signed-off-by: Armin Kuster <akuster@mvista.com>
    Signed-off-by: Saul Wold <sgw@linux.intel.com>
2014-05-07 | nmap: inherit autotools-brokensep to allow B=S build. | Nick D'Ademo | 1 | -1/+1
    Signed-off-by: Nick D'Ademo <nickdademo@gmail.com>
    Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-11-05 | lib-perl: Fix quoting in DESCRIPTION | Saul Wold | 1 | -1/+1
    My mistake for taking the older version, I thought I had the latest.
    Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-11-04 | libseccomp: add latest stable version, add ptest | Joe MacDonald | 4 | -3/+395
    A new stable version of libseccomp is available, so update the recipe. At the same time, integrate the ptest support that's currently being discussed on the libseccomp list.
    Signed-off-by: Joe MacDonald <joe@deserted.net>
    Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-10-23 | meta-security: Bump buck-security to new version and remove patch file. | mulhern | 3 | -1765/+3
    Since I am maintaining buck-security, it has accepted the patch take_root_dir.patch and the new version (0.7) contains the result of applying the patch.
    Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-10-23 | meta-security: Add a new .bbclass for meta-security layer. | mulhern | 1 | -0/+7
    Inheriting the class will cause the check_security function to run on the ROOTFS image. Currently the check_security function just invokes buck-security-native on the root filesystem of the image.
2013-10-23 | buck-security: Parameterize hard-coded file locations. | mulhern | 4 | -46/+1797
    buck-security hard-codes a number of file locations for the target system on which it operates and also its own dependencies. These hard-coded dependencies have been parameterized and a few other related changes have been made. The changes are more fully explained below.

    buck-security.bb:
    * The RDEPENDS_${PN} variable has been made more orderly in anticipation of subsequent changes. It also includes a few other perl modules required by the changes to the application.
    * The functionality.patch file has been removed and superseded by the take_root_dir.patch patch.
    * The definition of S is parameterized on BPN not PN; they are different if the package has a native option.
    * The install step replaces the use directives and an assignment in the buck-security script in a more general way than previously.
    * The recipe now allows the package to have a native version.

    take_root_dir.patch:
    * buck-security
      * An additional flag, sysroot, that specifies the sysroot of the filesystem that the buck-security utility inspects is added. If the sysroot can not be located the script fails gracefully.
      * An additional flag, no-sudo, which prevents the script from exiting if it is not run by root is added.
      * An additional flag, disable-checks, which accepts a comma-separated list of checks to be disabled is added.
      * The script checks whether there has been an error in parsing the command-line arguments and fails with a usage message if there has.
      * The log flag now optionally takes a log file name.
      * The location of the configuration file is calculated relative to the location of the main script and if it can not be found the script fails gracefully.
      * The various file locations specified in the buck-security configuration file are made relative to the location of the buck-security script or the sysroot as appropriate.
      * If a log file has been specified the log is not also printed to stdout.
      * The command actually executed is printed in the log.
      * Some checks for mutually exclusive options are added.
      * Output level 3 is now meaningless, so it has been removed.
      * Various changes have been made to the report format.
      * Results are sorted lexicographically and, if abspath, do not include the sysroot.
    * checks/*.pm files
      * Wherever a directory had been hard-coded it is now parameterized on the sysroot.
      * In some cases, a test that had previously been run as a bash test was converted to a perl test to allow better handling of results and errors.
      * The output parameter is no longer accepted by the check procedure since this value is global.
      * All check procedures now accept an output_type parameter.
      * The dangling URLs are removed from the help text.
    * checks/lib/check.pm
      * The CheckBash and CheckPerl functions have been adapted so that the filepaths are not hard-coded and so that the actual command is made available to the logging component.
      * A parameter indicating the outcome type is accepted and passed to the exception checker.
      * Error output is clearly distinguished from regular output.
      * A failure in a test is clearly distinguished from an insecure result.
      * The output is no longer formatted in the check functions.
    * checks/lib/mkchecksum.pm
      * The command no longer is run on non-existent directories.
    * checks/lib/exceptions.pm
      * The exception file path is located relative to the buck-security script.
      * If the exceptions are pathnames, the sysroot is prepended.
      * Correct wildcard semantics is observed.
    * checks/lib/users.pm
      * The passwd files are located relative to the sysroot.
      * Reading from the password file is made more principled.
      * The test experiences an error if files can not be found rather than the script terminating.
      * Some dead code is eliminated.
    * conf/buck-security.conf
      * The checksum_dir variable is a list instead of a string for easier manipulation.
      * The new configuration variable sysdir is added and the default is /.
      * The ssh_config variable is added.
      * All tests are included in the checks variable.
    * checks/sshd.pm
      * The ssh config file is set in the buck-security configuration file instead of hard-coded here.
    * checks/nopasswd.pm
      * This is a duplicate of emptypasswd, so it is removed.
    * RDEPENDS_${PN}_class-native variable is added as some tasks make no sense when run externally. Since they will not be run, there is no point
2013-09-25 | bastille: Fix failure during install. | mulhern | 2 | -6/+26
    [YOCTO #5177]
    On some systems the bitbake install step failed. The failure was due to some files that were being overwritten not having sufficient permissions. The install script in the recipe is changed so that the set_required_questions.py script is invoked on the files in the image directory, which are guaranteed to have adequate permission. Previously, it had been invoked on the files in the work directory.
    The set_required_questions.py script is changed in the following ways.
    * The xform_file function now handles the overwriting of the files in a more robust manner.
    * The script now accepts a debug flag. When set this flag will cause the script to display more developer friendly information on error.
    * The xform_file function has a descriptive comment.
    Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-09-06 | libcurses-perl: curses-perl renamed to libcurses-perl. | mulhern | 2 | -1/+1
    [YOCTO #5081]
    The recipe meta-security/recipes-security/perl/curses-perl_1.28.bb is renamed to libcurses-perl_1.28.bb to conform to accepted naming scheme. The dependency in the Bastille recipe is updated accordingly.
    Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-09-06 | libenv-perl: Remove redundant recipe in meta-security layer. | mulhern | 2 | -26/+1
    [YOCTO #5081]
    The recipe meta-security/recipes-security/env-perl_1.04.bb is removed since there is a recipe for the same Perl module at poky/meta/recipes-lsb4/perl/libenv-perl_1.04.bb. The dependency on env-perl in the checksecurity recipe is updated to a recipe on libenv-perl.
2013-09-05 | libcap-ng: omit an unnecessary build time dependency. | mulhern | 1 | -1/+0
    [YOCTO #5084]
    libcap has been removed from the list of DEPENDS packages. Since libcap was the only package in the list the DEPENDS variable has been removed from the recipe file.
    Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 | Bastille: document the current status and usability of the Bastille install. | mulhern | 3 | -16/+71
    The README file is updated to indicate the functionality of Bastille that is actually available. The recipe file is updated with a pointer to the README file. An additional patch is added so that when Bastille is run in interactive mode it will not attempt to make any changes to the system. This is better than attempting to make the changes and making the screen flicker. The text on the final screen has been updated appropriately.
    Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 | Bastille: set Yocto specific questions via config file. | mulhern | 2 | -0/+140
    The python script, set_required_questions.py reads the list of questions and answers from the config file and edits the REQUIRE_DISTRO field for those questions in the questions file so that it includes "Yocto" if it is not already present. This has the effect of causing Bastille, when loading questions for the Yocto distribution, to load only those that are answered in the existing config file. Under the assumption that the existing config file contains question/answer pairs that are relevant to the Yocto project, this will cause the interactive question screen to have answers that are relevant to the Yocto project.
    Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 | Bastille: accept and observe --os flag in multiple situations. | mulhern | 6 | -0/+681
    [YOCTO #3867]
    Five additional patches which cause the --os flag to be accepted and observed are added. An additional distro, Yocto, is added. The individual patches are described below.
    upgrade_options_processing.patch: Changes setOptions procedure so that it accepts named parameters for greater flexibility and adjusts all invocations accordingly. Uses more precise specifications in invocations of Getop::Long::GetOptions. Omits code associated with a commented out flag.
    accept_os_flag_in_backend.patch: Accepts and observes an additional --os flag in BastilleBackEnd.
    allow_os_with_assess.patch: No longer print a usage message and quit if --assess or its related flags are specified along with the --os flag.
    edit_usage_message.patch: Edit usage message to include the specification of an --os flag with the specification of an --assess flag.
    organize_distro_discovery.patch: Separates inferring the distro from specifying the distro. Adds a "Yocto" distro among the other Linux distros. Causes the specified distro to override the inferred distro with a warning message when they are different. Previously if either the inferred distro or the specified distro was not among supported distros Bastille would quit with an error.
    Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 | Bastille: change in behavior of bastille -l. | mulhern | 2 | -0/+65
    [YOCTO #3867]
    bastille -l now reports existing configuration file paths even if it has not previously been run. Previously, it exited with an error if it detected an absence of log files indicating a previous run.
    Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 | Bastille: Miscellaneous fixes to the Bastille code base. | mulhern | 5 | -0/+166
    [YOCTO #3867]
    Adds four additional small patches which address miscellaneous small problems in Bastille. The four patches are:
    fix_missing_use_directives.patch: A number of use directives were missing from several files. These were added as discovered.
    fix_number_of_modules.patch: The curses interface includes a title for most screens which gives a module, a module number, and the number of modules in the series. Previously the last value was always 0, now it is simply omitted. It would be more desirable to give the correct number, but this would require a significant change to the code base.
    remove_questions_text_file_references.patch: This version of Bastille does not make use of a Questions.txt file, therefore the specification of the location of this file in the OSMap/*.bastille files has been removed.
    simplify_B_place.patch: This patch discards redundant variables, mostly defined but not used cases, and makes the error reporting more informative.
    Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-30 | Bastille: Preliminary cleanup of existing patches. | mulhern | 5 | -75/+42
    [YOCTO #3867]
    Renames existing patches and removes some changes.
    Curses-and-IOLoader-changes.patch is renamed to call_output_config.patch. The new patch omits the removal of the pruning step in Load_Questions but retains the replacement of a call to a non-existent function with a call to an appropriate implemented function.
    yocto-standard-patch.patch is renamed to fixed_defined_warnings.patch. The new patch omits the definition of a yocto distro but includes the defined warnings fix.
    The recipe file is changed to include the new patches and also to omit a related action in the do_install script.
    Signed-off-by: mulhern <mulhern@yoctoproject.org>
2013-08-20 | lib-perl: Change description to match package. | mulhern | 1 | -3/+4
    [YOCTO #4196] -- https://bugzilla.yoctoproject.org/show_bug.cgi?id=4196
    The description field in the recipe was changed to match the package.
    Signed-off-by: mulhern <mulhern@yoctoproject.org>
    Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-08-20 | curses-perl: Change description to match package. | mulhern | 1 | -3/+2
    [YOCTO #4196] -- https://bugzilla.yoctoproject.org/show_bug.cgi?id=4196
    The description field in the recipe was changed to match the package.
    Signed-off-by: mulhern <mulhern@yoctoproject.org>
    Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-08-01 | removed rpm dependency on redhat-security | Andrei Dinu | 1 | -1/+1
    rpm dependency was removed.
    https://bugzilla.yoctoproject.org/show_bug.cgi?id=4956
    Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-08-01 | Added missing functionality to buck-security | Andrei Dinu | 4 | -3/+63
    * added pinentry recipe needed for buck-security option
    * added missing rdepends to recipe
    * added functionality patch
    * updated README file
    Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-07-31 | fixed patch name in recipe | Andrei Dinu | 1 | -1/+1
    Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-07-30 | Solved bastille config saving issue | Andrei Dinu | 2 | -14/+15
    Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-07-25 | Fixed redhat-security tools problems | Andrei Dinu | 5 | -6/+22
    - added libcap-ng needed recipe
    - tweaked the scripts
    - updated README file
    Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-07-12 | README: Fix Layer Dependencies | Saul Wold | 1 | -3/+3
    Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-07-11 | redhat-security: added file as an RDEPENDS since it's used by the scripts | Saul Wold | 1 | -0/+2
    Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-07-11 | checksecurity: added coreutils as an RDEPENDS | Saul Wold | 1 | -1/+1
    Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-07-11 | README: removed coreutils note | Saul Wold | 1 | -5/+0
    Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-07-11 | bastille: fix typo | Saul Wold | 1 | -1/+1
    Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-07-11 | meta-security-1.0-final | Andrei Dinu | 9 | -297/+261
    Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-07-10 | Security layer version 1.0 | Andrei Dinu | 15 | -84/+525
    Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-07-01 | security layer updated work | Andrei Dinu | 19 | -78/+374
    Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2013-06-17 | meta-security : initial commit | Andrei Dinu | 34 | -0/+9400
    Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>