Age  Commit message  Author
2019-05-26  cve-report.bbclass: add class [mut]  Andrii Bordunov via Openembedded-core
Implements "report_cve" and "report_patched" tasks.
"report_patched" prepares image manifest with patched CVE info.
"report_cve" runs cvert-* scripts to generate kernel and package CVE reports.
You can configure it to set report filenames, reuse NVD feeds, stop after manifest generation and ignore specific classes, like native, nativesdk, etc.
Signed-off-by: grygorii tertychnyi <gtertych@cisco.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  cvert-kernel - generate CVE report for the Linux kernel  Andrii Bordunov via Openembedded-core
NVD entries for the Linux kernel are almost always outdated. For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065 is shown as matched for "versions up to (including) 4.15.7", however the patch 57ebd808a97d has been backported for 4.14.
By default, it checks NVD Resource entries for the patch URLs and looks for the commits in the local GIT tree.
Additionally ("--resource") it checks other resources that may have up-to-date CVE data. You can combine resources and decide which one you want to be based on.
Signed-off-by: grygorii tertychnyi <gtertych@cisco.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  cve-report: add scripts to generate CVE reports  Andrii Bordunov via Openembedded-core
cvert-foss - generate CVE report for the list of packages.
Analyze the whole image manifest to align with the complex CPE configurations.

cvert-update - update NVD feeds and store CVE structures dump.
CVE dump is a pickled representation of the cve_struct dictionary.

cvert.py - python library used by cvert-* scripts.

NVD JSON Vulnerability Feeds
https://nvd.nist.gov/vuln/data-feeds#JSON_FEED

Usage examples:

o Download CVE feeds to "nvdfeed" directory
  % cvert-update nvdfeed

o Update CVE feeds and store a dump in a file
  % cvert-update --store cvedump nvdfeed

o Generate a CVE report
  % cvert-foss --feed-dir nvdfeed --output report-foss.txt cve-manifest

o (faster) Use dump file to generate a CVE report
  % cvert-foss --restore cvedump --output report-foss.txt cve-manifest

o Generate a full report
  % cvert-foss --restore cvedump --show-description --show-reference \
      --output report-foss-full.txt cve-manifest

Manifest example:

bash,4.2,CVE-2014-7187
python,2.7.35,
python,3.5.5,CVE-2017-17522 CVE-2018-1061

Report example:

patched | 7.5 | CVE-2018-1061 | python | 3.5.5
patched | 10.0 | CVE-2014-7187 | bash | 4.2
patched | 8.8 | CVE-2017-17522 | python | 3.5.5
unpatched | 10.0 | CVE-2014-6271 | bash | 4.2
unpatched | 10.0 | CVE-2014-6277 | bash | 4.2
unpatched | 10.0 | CVE-2014-6278 | bash | 4.2
unpatched | 10.0 | CVE-2014-7169 | bash | 4.2
unpatched | 10.0 | CVE-2014-7186 | bash | 4.2
unpatched | 4.6 | CVE-2012-3410 | bash | 4.2
unpatched | 8.4 | CVE-2016-7543 | bash | 4.2
unpatched | 5.0 | CVE-2010-3492 | python | 2.7.35
unpatched | 5.3 | CVE-2016-1494 | python | 2.7.35
unpatched | 6.5 | CVE-2017-18207 | python | 3.5.5
unpatched | 6.5 | CVE-2017-18207 | python | 2.7.35
unpatched | 7.1 | CVE-2013-7338 | python | 2.7.35
unpatched | 7.5 | CVE-2018-1060 | python | 3.5.5
unpatched | 8.8 | CVE-2017-17522 | python | 2.7.35

Signed-off-by: grygorii tertychnyi <gtertych@cisco.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  image: add image for testing  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  runtime qa: modernize ima test  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  initramfs: clean up to pull in packages.  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  data: remove policies  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  policy: add ima appraise all policy  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  ima_policy_simple: add another sample policy  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  ima-policy-hashed: add new recipe  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  base-files: add appending to automount securityfs  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  linux: update bbappend  Armin Kuster
remove untested code
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  ima.cfg: update to 5.0 kernel  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  ima-evm-utils: cleanup and update to tip  Armin Kuster
update to tip
backported patches to fix build issues.
fix native support
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  README: update  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  layer.conf: add LAYERSERIES_COMPAT  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26  meta-integrity: port over from meta-intel-iot-security  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-21  python3-fail2ban: Fix build error of xrange.  leimaohui
NameError: name 'xrange' is not defined
Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-21  checksec: add runtime test  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-21  keyutils: fix library install path  Armin Kuster
[v2] fix multilib support
Also add native support
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-21  checksec: update to 1.11.1  Armin Kuster
* checksec.sh: Updated to 1.11.1
* checksec.sh: resolved issues with readelf
* checksec.sh: Added docker images for testing
* checksec.sh: Added armhf and aarch64 libc locations
* checksec.sh: Replace FS_COUNT with fgrep
* checksec.sh: Fixed symbols count in csv
* checksec.sh: Fixed RW-RPATH and RW-RUNPATH
* checksec.sh: Added stack canaries generated by intel compiler
* checksec.sh: Mute stat errors for non-existent directories
* checksec.sh: Removed invalid json structures and duplicate kernel checks
* checksec.sh: fixed spaces in -d option
* checksec.sh: Added stack-protector-string check
* checksec.sh: Add arm64 specific kernel checks
* checksec.sh: Add REFCOUNT_FULL to kernel tests
* checksec.sh: Remove OSX support
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-12  smack: kernel fragment update  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-12  oe-selftest: add running cve checker  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-12  apparmor: fetch from git  Alexander Kanavin
Tarballs from archive.ubuntu.com can and do disappear (similar to archive.debian.org).
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-09  libseccomp: update to 2.4.1  Armin Kuster
bug fix release.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-09  libldb: add earlier version  Armin Kuster
This version does not have a dependency on samba
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-09  samhain: add more tests and fix ret checks  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-09  smack-test: add smack tests from meta-intel-iot-security  Armin Kuster
ported over smack tests
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-09  smack: move patch to smack dir  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-09  apparmor: add a few more runtime  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-09  apparmor: fix fragment for 5.0 kernel  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-01  meta-tpm/README: update  Yi Zhao
Add more description
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-01  meta-tpm/conf/layer.conf: update layer dependencies  Yi Zhao
Add openembedded-layer to layer dependencies.
Fix the following build errors:
ERROR: Required build target 'tpm2-pkcs11' has no buildable providers.
Missing or unbuildable dependency chain was: ['tpm2-pkcs11', 'dstat']
ERROR: Required build target 'cryptsetup-tpm-incubator' has no buildable providers.
Missing or unbuildable dependency chain was: ['cryptsetup-tpm-incubator', 'libdevmapper']
ERROR: Required build target 'tpm2-totp' has no buildable providers.
Missing or unbuildable dependency chain was: ['tpm2-totp', 'qrencode']
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-04-14  clamav-native: fix new build issue  Armin Kuster
re-arch the recipe to build properly.
Fixed /var/lib/clamav dir issue
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-04-14  clamav: add clamav-cvd package for cvd db  Armin Kuster
Add native package to support creating a mirror of the clamav cvd and supply it in a new package.
Provide an INSTALL_CLAMAV_CVD flag to bypass this creation
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-04-13  clamav: runtime fix local routing  Armin Kuster
This adds the localhost to resolve.conf to fix:
ERROR: Can't get information about database.clamav.net: Temporary failure in name resolution
ERROR: Can't download main.cvd from database.clamav.net
Giving up on database.clamav.net...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-04-13  libldb: add waf-cross-answers  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-04-13  clamav: fix llvm reference version  Armin Kuster
llvm8.0 does not exist. dropped the version part.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-04-13  clamav runtime: add resolve.conf support  Armin Kuster
and ping test too
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-04-07  libmspack: update to 0.10.1  Armin Kuster
For details see:
https://github.com/kyz/libmspack/blob/master/libmspack/ChangeLog
change compression to match that now being used from source
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-04-07  ccs-tools: move to recipes-mac  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-04-07  layer.conf: Add warrior to compatible release series  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-04-01  linux-yocto/5.0: add apparmor fragments  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-04-01  linux-yocto: make bbappend version neutral  Armin Kuster
update apparmor configs
[v2] Just update configs. leave versions intact.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-03-31  apparmor: add basic runtime test  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-03-31  apparmor: update to 2.13.2  Armin Kuster
Drop patch included in update: tool-paths.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-03-31  reorg ids: move ids recipes to recipes-ids  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-03-31  reorg: move mac recipes to recipes-mac  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-03-31  clamav: add basic runtime tests  Armin Kuster
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-03-31  clamav: drop llvm version setting  Armin Kuster
There is only one llvm and it's in core so drop allowing it to be overwritten. We can hardcode it now.
Signed-off-by: Armin Kuster <akuster808@gmail.com>