-rw-r--r-- | README | 4 | ||||
-rw-r--r-- | recipes-security/redhat-security/files/find-elf4tmp.sh | 8 | ||||
-rw-r--r-- | recipes-security/redhat-security/files/rpm-chksec.sh | 2 | ||||
-rw-r--r-- | recipes-security/redhat-security/redhat-security_1.0.bb | 2 |
4 files changed, 10 insertions, 6 deletions
@@ -73,6 +73,10 @@ help for each package. In this mode it will only give a summary result for the package. To find which files don't comply, re-run using just the package name.
+ !!! WARNING !!! - in order to use this script you need to add to your conf/local.conf file the following lines:
+ IMAGE_ROOTFS_EXTRA_SPACE = "" - specifying the extra space of the image
+ IMAGE_FEATURES += "package management" - for the correct output of rpm -qa
+
 - find-nodrop-groups.sh : This will scan a whole file system to see if a program makes calls to change UID and GID without also calling setgroups or initgroups.
diff --git a/recipes-security/redhat-security/files/find-elf4tmp.sh b/recipes-security/redhat-security/files/find-elf4tmp.sh
index 8f39baa..3118a70 100644
--- a/recipes-security/redhat-security/files/find-elf4tmp.sh
+++ b/recipes-security/redhat-security/files/find-elf4tmp.sh
@@ -19,7 +19,7 @@ if [ $# -ge 2 ] ; then
 echo "Usage: find_elf4tmp [directory]" 1>&2
 exit 1
 fi
-if [ ! -x /usr/bin/eu-strings ] ; then
+if [ ! -x /usr/bin/strings ] ; then
 echo "Skipping due to missing /usr/bin/eu-strings utility"
 exit 1
 fi
@@ -49,7 +49,7 @@ do
 # Get just the elf executables
 testf=`echo $f | /usr/bin/file -n -f - 2>/dev/null | grep ELF`
 if [ x"$testf" != "x" ] ; then
- test_res=`/usr/bin/eu-strings $f | /bin/grep '/tmp/' | /bin/egrep -v 'XX|/tmp/$|[ .,:]/tmp/'`
+ test_res=`/usr/bin/strings $f | /bin/grep '/tmp/' | /bin/egrep -v 'XX|/tmp/$|[ .,:]/tmp/'`
 if [ x"$test_res" = "x" ] ; then
 continue
 fi
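Review bot: The diagnostic on the line right after the changed test still reports a missing `/usr/bin/eu-strings` although the test now checks `/usr/bin/strings`, so a user reading it would install the wrong tool; change it to `echo "Skipping due to missing /usr/bin/strings utility" 1>&2`. The `1>&2` also matches the usage line three lines above, which already sends its error to stderr, and keeps the skip notice out of any captured report output. The check still hard-codes an absolute path; `command -v strings >/dev/null` would tolerate distributions that place the tool elsewhere, which is the same brittleness that forced the `/bin/sort` and `/bin/awk` path edits in the @@ -64 hunk of this file.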
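Review bot: Replacing `eu-strings` with GNU `strings` on the changed `test_res=` line can narrow what this scanner reports, because GNU strings has a `-d`/`--data` mode that limits the scan to initialized, loaded data sections and some builds make it the default, whereas the previous invocation scanned the whole file; if full coverage is intended, use `/usr/bin/strings -a $f` (`-a` scans the entire file) and confirm on a binary known to reference /tmp that the output is unchanged. The new line also still word-splits and globs `$f`, and the new lines in the @@ -64 hunk (`rpm -qf ... $f`, `r=$RPM f=$f`) share the issue, so a path containing whitespace or glob characters is mangled — quote them as `"$f"` and `"$RPM"`. The enclosing loop starts outside this hunk.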
@@ -64,13 +64,13 @@ do
 FOUND=1
 # Get the package
- RPM=`/bin/rpm -qf --queryformat "%{NAME}-%{VERSION}" $f 2>/dev/null | /bin/grep -v 'not owned' | /bin/sort | /usr/bin/uniq`
+ RPM=`/bin/rpm -qf --queryformat "%{NAME}-%{VERSION}" $f 2>/dev/null | /bin/grep -v 'not owned' | /usr/bin/sort | /usr/bin/uniq`
 if [ x"$RPM" = "x" ] ; then
 RPM="<unowned>"
 fi
 # For each tmp string, output the line
- echo $test_res | /usr/bin/tr '\b' '\n' | /bin/awk 'NF >= 1 { printf "%-46s\t%-30s\t%s\n", f, r, $1 }' r=$RPM f=$f
+ echo $test_res | /usr/bin/tr '\b' '\n' | /usr/bin/awk 'NF >= 1 { printf "%-46s\t%-30s\t%s\n", f, r, $1 }' r=$RPM f=$f
 fi
 done
 done
diff --git a/recipes-security/redhat-security/files/rpm-chksec.sh b/recipes-security/redhat-security/files/rpm-chksec.sh
index 983c218..a0e8bb1 100644
--- a/recipes-security/redhat-security/files/rpm-chksec.sh
+++ b/recipes-security/redhat-security/files/rpm-chksec.sh
@@ -242,7 +242,7 @@ if [ "$MODE" = "single" ] ; then
 fi
 # Skip the kernel as its special
-packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | egrep -v 'kernel.|debuginfo.|.noarch|gpg-pubkey' | sort`
+packages=`rpm -qa | egrep -v 'kernel.|debuginfo.|.noarch|gpg-pubkey' | sort`
 printf "%-50s %-5s %-4s %-14s" "PACKAGE" "RELRO" "PIE" "CLASS"
 echo
 for p in $packages
diff --git a/recipes-security/redhat-security/redhat-security_1.0.bb b/recipes-security/redhat-security/redhat-security_1.0.bb
index 134cefe..5f92696 100644
--- a/recipes-security/redhat-security/redhat-security_1.0.bb
+++ b/recipes-security/redhat-security/redhat-security_1.0.bb
@@ -5,7 +5,7 @@ LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
 PR = "r0"
-RDEPENDS_${PN} = "file"
+RDEPENDS_${PN} = "file libcap-ng rpm rpmresolve procps findutils"
 SRC_URI = "file://find-chroot-py.sh \
 file://find-chroot.sh \
|
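Review bot: Dropping `--queryformat "%{NAME}.%{ARCH}\n"` on the changed `packages=` line of rpm-chksec.sh means each `$p` is now a full NAME-VERSION-RELEASE.ARCH string, and the exclusion regex keeps working only because the unescaped `.` in `kernel.` and `debuginfo.` happens to match the `-` that now follows the name; the body of the `for p in $packages` loop is outside this hunk, so check that whatever consumes `$p` there accepts the longer form. An explicit pattern such as `grep -E -v '^kernel|debuginfo|\.noarch$|^gpg-pubkey'` would state the intent instead of relying on the wildcard, and `grep -E` avoids `egrep`, which current GNU grep reports as obsolescent. A one-line comment that the word-splitting in `for p in $packages` is safe only because rpm package names never contain whitespace would help the next reader.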
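Review bot: The new RDEPENDS value does not name the package that provides `/usr/bin/strings`, which find-elf4tmp.sh in this same commit now requires (presumably binutils, since `eu-strings` came from elfutils); on an image built from this recipe the script would then exit early with its "Skipping" message. Consider `RDEPENDS_${PN} = "file libcap-ng rpm rpmresolve procps findutils binutils"` after confirming the providing package in this layer, and add a comment above the line naming which script needs each entry (rpm for rpm-chksec.sh and the `rpm -qf` lookup in find-elf4tmp.sh is visible here; the others are not), since the list otherwise reads as arbitrary.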