jim.lai/OpenBMC
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Your Name
2026-04-23 17:07:55 +08:00
commit b7e39e063b
16725 changed files with 1625565 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-security/dynamic-layers/meta-perl/recipes-core/packagegroup/packagegroup-core-security.bbappend
+18
View File
@@ -0,0 +1,18 @@
PACKAGES += "\
packagegroup-security-hardening \
"
RDEPENDS:packagegroup-core-security += "\
packagegroup-security-hardening \
"
SUMMARY:packagegroup-security-hardening = "Security Hardening tools"
RDEPENDS:packagegroup-security-hardening = " \
bastille \
"
RDEPENDS:packagegroup-security-scanners += "\
nikto \
checksecurity \
"
meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/checksecurity_2.0.16.bb
+29
View File
@@ -0,0 +1,29 @@
SUMMARY = "basic system security checks"
DESCRIPTION = "checksecurity is a simple package which will scan your system for several simple security holes."
SECTION = "security"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}+nmu1.tar.gz \
file://check-setuid-use-more-portable-find-args.patch \
"
SRC_URI[sha256sum] = "9803b3760e9ec48e06ebaf48cec081db48c6fe72254a476224e4c5c55ed97fb0"
S = "${WORKDIR}/checksecurity-${PV}+nmu1"
# allow for anylocal, no need to patch
LOGDIR="/etc/checksecurity"
do_compile() {
sed -i -e "s;LOGDIR=/var/log/setuid;LOGDIR=${LOGDIR};g" ${B}/etc/check-setuid.conf
sed -i -e "s;LOGDIR=/var/log/setuid;LOGDIR=${LOGDIR};g" ${B}/plugins/check-setuid
sed -i -e "s;LOGDIR:=/var/log/setuid;LOGDIR:=${LOGDIR};g" ${B}/plugins/check-setuid
}
do_install() {
oe_runmake PREFIX=${D}
}
RDEPENDS:${PN} = "perl libenv-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob perl-module-carp perl-module-env perl-module-tap-parser-iterator-array util-linux findutils coreutils"
meta-security/dynamic-layers/meta-perl/recipes-scanners/checksecurity/files/check-setuid-use-more-portable-find-args.patch
+24
View File
@@ -0,0 +1,24 @@
From f3073b8e06a607677d47ad9a19533b2e33408a4f Mon Sep 17 00:00:00 2001
From: Christopher Larson <chris_larson@mentor.com>
Date: Wed, 5 Sep 2018 23:21:43 +0500
Subject: [PATCH] check-setuid: use more portable find args
Upstream-Status: Pending
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
---
plugins/check-setuid | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Index: checksecurity-2.0.16+nmu1/plugins/check-setuid
===================================================================
--- checksecurity-2.0.16+nmu1.orig/plugins/check-setuid
+++ checksecurity-2.0.16+nmu1/plugins/check-setuid
@@ -100,7 +100,7 @@ ionice -t -c3 \
find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \
-ignore_readdir_race \
-xdev $PATHCHK \
- \( -type f -perm /06000 -o \( \( -type b -o -type c \) \
+ \( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \
$DEVCHK \) \) \
-printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" |
sort -k 12 >$TMPSETUID
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb
+166
View File
@@ -0,0 +1,166 @@
#The functionality of Bastille that is actually available is restricted. Please
#consult the README file for the meta-security layer for additional information.
SUMMARY = "Linux hardening tool"
DESCRIPTION = "Bastille Linux is a Hardening and Reporting/Auditing Program which enhances the security of a Linux box, by configuring daemons, system settings and firewalling."
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b"
# Bash is needed for set +o privileged (check busybox), might also need ncurses
DEPENDS = "virtual/kernel"
RDEPENDS:${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils"
FILES:${PN} += "/run/lock/subsys/bastille"
SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \
file://AccountPermission.pm \
file://FileContent.pm \
file://HPSpecific.pm \
file://Miscellaneous.pm \
file://ServiceAdmin.pm \
file://config \
file://fix_version_parse.patch \
file://fixed_defined_warnings.patch \
file://call_output_config.patch \
file://fix_missing_use_directives.patch \
file://fix_number_of_modules.patch \
file://remove_questions_text_file_references.patch \
file://simplify_B_place.patch \
file://find_existing_config.patch \
file://upgrade_options_processing.patch \
file://accept_os_flag_in_backend.patch \
file://allow_os_with_assess.patch \
file://edit_usage_message.patch \
file://organize_distro_discovery.patch \
file://do_not_apply_config.patch \
"
SRC_URI[md5sum] = "df803f7e38085aa5da79f85d0539f91b"
SRC_URI[sha256sum] = "0ea25191b1dc1c8f91e1b6f8cb5436a3aa1e57418809ef902293448efed5021a"
S = "${WORKDIR}/Bastille"
do_install () {
install -d ${D}${sbindir}
install -d ${D}${libdir}/perl5/site_perl/Curses
install -d ${D}${libdir}/Bastille
install -d ${D}${libdir}/Bastille/API
install -d ${D}${datadir}/Bastille
install -d ${D}${datadir}/Bastille/OSMap
install -d ${D}${datadir}/Bastille/OSMap/Modules
install -d ${D}${datadir}/Bastille/Questions
install -d ${D}${datadir}/Bastille/FKL/configs/
install -d ${D}${sysconfdir}/Bastille
install -m 0755 AutomatedBastille ${D}${sbindir}
install -m 0755 BastilleBackEnd ${D}${sbindir}
install -m 0755 InteractiveBastille ${D}${sbindir}
install -m 0644 Modules.txt ${D}${datadir}/Bastille
# New Weights file(s).
install -m 0644 Weights.txt ${D}${datadir}/Bastille
# Castle graphic
install -m 0644 bastille.jpg ${D}${datadir}/Bastille/
# Javascript file
install -m 0644 wz_tooltip.js ${D}${datadir}/Bastille/
install -m 0644 Credits ${D}${datadir}/Bastille
install -m 0644 FKL/configs/fkl_config_redhat.cfg ${D}${datadir}/Bastille/FKL/configs/
install -m 0755 RevertBastille ${D}${sbindir}
install -m 0755 bin/bastille ${D}${sbindir}
install -m 0644 bastille-firewall ${D}${datadir}/Bastille
install -m 0644 bastille-firewall-reset ${D}${datadir}/Bastille
install -m 0644 bastille-firewall-schedule ${D}${datadir}/Bastille
install -m 0644 bastille-tmpdir-defense.sh ${D}${datadir}/Bastille
install -m 0644 bastille-tmpdir.csh ${D}${datadir}/Bastille
install -m 0644 bastille-tmpdir.sh ${D}${datadir}/Bastille
install -m 0644 bastille-firewall.cfg ${D}${datadir}/Bastille
install -m 0644 bastille-ipchains ${D}${datadir}/Bastille
install -m 0644 bastille-netfilter ${D}${datadir}/Bastille
install -m 0644 bastille-firewall-early.sh ${D}${datadir}/Bastille
install -m 0644 bastille-firewall-pre-audit.sh ${D}${datadir}/Bastille
install -m 0644 complete.xbm ${D}${datadir}/Bastille
install -m 0644 incomplete.xbm ${D}${datadir}/Bastille
install -m 0644 disabled.xpm ${D}${datadir}/Bastille
install -m 0644 ifup-local ${D}${datadir}/Bastille
install -m 0644 hosts.allow ${D}${datadir}/Bastille
install -m 0644 Bastille/AccountSecurity.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Apache.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/API.pm ${D}${libdir}/Bastille
install -m 0644 ${WORKDIR}/AccountPermission.pm ${D}${libdir}/Bastille/API
install -m 0644 ${WORKDIR}/FileContent.pm ${D}${libdir}/Bastille/API
install -m 0644 ${WORKDIR}/HPSpecific.pm ${D}${libdir}/Bastille/API
install -m 0644 ${WORKDIR}/ServiceAdmin.pm ${D}${libdir}/Bastille/API
install -m 0644 ${WORKDIR}/Miscellaneous.pm ${D}${libdir}/Bastille/API
install -m 0644 Bastille/BootSecurity.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/ConfigureMiscPAM.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/DisableUserTools.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/DNS.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/FilePermissions.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/FTP.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Firewall.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/OSX_API.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/LogAPI.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/HP_UX.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/IOLoader.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Patches.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Logging.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/MiscellaneousDaemons.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/PatchDownload.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Printing.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/PSAD.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/RemoteAccess.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/SecureInetd.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Sendmail.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/TestDriver.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/TMPDIR.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_AccountSecurity.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Apache.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_DNS.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_FTP.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_HP_UX.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_MiscellaneousDaemons.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Patches.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_SecureInetd.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Sendmail.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_BootSecurity.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_DisableUserTools.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_FilePermissions.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Logging.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Printing.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/IPFilter.pm ${D}${libdir}/Bastille
install -m 0644 Bastille_Curses.pm ${D}${libdir}/perl5/site_perl
install -m 0644 Bastille_Tk.pm ${D}${libdir}/perl5/site_perl
install -m 0644 Curses/Widgets.pm ${D}${libdir}/perl5/site_perl/Curses
install -m 0644 OSMap/LINUX.bastille ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/LINUX.system ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/LINUX.service ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/HP-UX.bastille ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/HP-UX.system ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/HP-UX.service ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/OSX.bastille ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/OSX.system ${D}${datadir}/Bastille/OSMap
install -m 0777 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config
for file in `cat Modules.txt` ; do
install -m 0644 Questions/$file.txt ${D}${datadir}/Bastille/Questions
done
${THISDIR}/files/set_required_questions.py ${D}${sysconfdir}/Bastille/config ${D}${datadir}/Bastille/Questions
ln -s RevertBastille ${D}${sbindir}/UndoBastille
# Create /var/log/Bastille in runtime.
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" ]; then
install -d ${D}${nonarch_libdir}/tmpfiles.d
echo "d ${localstatedir}/log/Bastille - - - -" > ${D}${nonarch_libdir}/tmpfiles.d/Bastille.conf
fi
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
install -d ${D}${sysconfdir}/default/volatiles
echo "d root root 0755 ${localstatedir}/log/Bastille none" > ${D}${sysconfdir}/default/volatiles/99_Bastille
fi
}
FILES:${PN} += "${datadir}/Bastille \
${libdir}/Bastille \
${libdir}/perl* \
${sysconfdir}/* \
${nonarch_libdir}/tmpfiles.d"
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/API.pm
+2528
View File
File diff suppressed because it is too large Load Diff
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/AccountPermission.pm
+1060
View File
File diff suppressed because it is too large Load Diff
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/FileContent.pm
+1153
View File
File diff suppressed because it is too large Load Diff
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/HPSpecific.pm
+1983
View File
File diff suppressed because it is too large Load Diff
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/Miscellaneous.pm
+166
View File
@@ -0,0 +1,166 @@
package Bastille::API::Miscellaneous;
use strict;
use File::Path;
use Bastille::API;
use Bastille::API::HPSpecific;
use Bastille::API::FileContent;
require Exporter;
our @ISA = qw(Exporter);
our @EXPORT_OK = qw(
PrepareToRun
B_is_package_installed
);
our @EXPORT = @EXPORT_OK;
###########################################################################
#
# PrepareToRun sets up Bastille to run. It checks the ARGV array for
# special options and runs ConfigureForDistro to set necessary file
# locations and other global variables.
#
###########################################################################
sub PrepareToRun {
# Make sure we're root!
if ( $> != 0 ) {
&B_log("ERROR","Bastille must run as root!\n");
exit(1);
}
# Make any directories that don't exist...
foreach my $dir (keys %GLOBAL_BDIR) {
my $BdirPath = $GLOBAL_BDIR{$dir};
if ( $BdirPath =~ /^\s*\// ) { #Don't make relative directories
mkpath ($BdirPath,0,0700);
}
}
if(&GetDistro =~ "^HP-UX") {
&B_check_system;
}
&B_log("ACTION","\n########################################################\n" .
"# Begin Bastille Run #\n" .
"########################################################\n\n");
#read sum file if it exists.
&B_read_sums;
# No longer necessary as flags are no longer in sum file, and sums are
# are now checked "real time"
# check the integrity of the files listed
# for my $file (sort keys %GLOBAL_SUM) {
# &B_check_sum($file);
# }
# write out the newly flagged sums
# &B_write_sums;
}
###########################################################################
# &B_is_package_installed($package);
#
# This function checks for the existence of the package named.
#
# TODO: Allow $package to be an expression.
# TODO: Allow optional $version, $release, $epoch arguments so we can
# make sure that the given package is at least as recent as some
# given version number.
#
# scalar return values:
# 0: $package is not installed
# 1: $package is installed
###########################################################################
sub B_is_package_installed($) {
no strict;
my $package = $_[0];
# Create a "global" variable with values scoped to this function
# We do this to avoid having to repeatedly swlist/rpm
# when we run B_is_package_installed
local %INSTALLED_PACKAGE_LIST;
my $distro = &GetDistro;
if ($distro =~ /^HP-UX/) {
if (&checkProcsForService('swagent','ignore_warning') == SECURE_CANT_CHANGE()) {
&B_log("WARNING","Software Distributor Agent(swagent) is not running. Can not tell ".
"if package: $package is installed or not. Bastille will assume not. ".
"If the package is actually installed, Bastille may report or configure incorrectly.".
"To use Bastille-results as-is, please check to ensure $package is not installed, ".
"or re-run with the swagent running to get correct results.");
return 0; #FALSE
}
my $swlist=&getGlobal('BIN','swlist');
if (%INSTALLED_PACKAGE_LIST == () ) { # re-use prior results
if (open(SWLIST, "$swlist -a state -l fileset |")) {
while (my $line = <SWLIST>){
if ($line =~ /^ {2}\S+\.(\S+)\s*(\w+)/) {
$INSTALLED_PACKAGE_LIST{$1} = $2;
}
}
close SWLIST;
} else {
&B_log("ERROR","B_is_package_installed was unable to run the swlist command: $swlist,\n");
return FALSE;
}
}
# Now find the entry
if ($INSTALLED_PACKAGE_LIST{$package} == 'configured') {
return TRUE;
} else {
return FALSE;
}
} #End HP-UX Section
# This routine only works on RPM-based distros: Red Hat, Fedora, Mandrake and SuSE
elsif ( ($distro !~ /^RH/) and ($distro !~ /^MN/) and($distro !~ /^SE/) ) {
return 0;
} else { #This is a RPM-based distro
# Run an rpm command -- librpm is extremely messy, dynamic and not
# so much a perl thing. It's actually barely a C/C++ thing...
if (open RPM,"rpm -q $package") {
# We should get only one line back, but let's parse a few
# just in case.
my @lines = <RPM>;
close RPM;
#
# This is what we're trying to parse:
# $ rpm -q jay
# package jay is not installed
# $ rpm -q bash
# bash-2.05b-305.1
#
foreach $line (@lines) {
if ($line =~ /^package\s$package\sis\snot\sinstalled/) {
return 0;
}
elsif ($line =~ /^$package\-/) {
return 1;
}
}
# If we've read every line without finding one of these, then
# our parsing is broken
&B_log("ERROR","B_is_package_installed was unable to find a definitive RPM present or not present line.\n");
return 0;
} else {
&B_log("ERROR","B_is_package_installed was unable to run the RPM command,\n");
return 0;
}
}
}
1;
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/ServiceAdmin.pm
+690
View File
@@ -0,0 +1,690 @@
package Bastille::API::ServiceAdmin;
use strict;
use Bastille::API;
use Bastille::API::HPSpecific;
use Bastille::API::FileContent;
require Exporter;
our @ISA = qw(Exporter);
our @EXPORT_OK = qw(
B_chkconfig_on
B_chkconfig_off
B_service_start
B_service_stop
B_service_restart
B_is_service_off
checkServiceOnLinux
remoteServiceCheck
remoteNISPlusServiceCheck
B_create_nsswitch_file
);
our @EXPORT = @EXPORT_OK;
#######
# &B_chkconfig_on and &B_chkconfig_off() are great for systems that didn't use
# a more modern init system. This is a bit of a problem on Fedora, though,
# which used upstart from Fedora 9 to Fedora 14, then switched to a new
# Red Hat-created system called systemd for Fedora 15 and 16 (so far).
# OpenSUSE also moved to systemd, starting with 12.1. Version 11.4 did not
# use systemd.
# It is also a problem on Ubuntu, starting at version 6.10, where they also
# used upstart.
#####
###########################################################################
# &B_chkconfig_on ($daemon_name) creates the symbolic links that are
# named in the "# chkconfig: ___ _ _ " portion of the init.d files. We
# need this utility, in place of the distro's chkconfig, because of both
# our need to add revert functionality and our need to harden distros that
# are not mounted on /.
#
# It uses the following global variables to find the links and the init
# scripts, respectively:
#
# &getGlobal('DIR', "rcd") -- directory where the rc_.d subdirs can be found
# &getGlobal('DIR', "initd") -- directory the rc_.d directories link to
#
# Here an example of where you might use this:
#
# You'd like to tell the system to run the firewall at boot:
# B_chkconfig_on("bastille-firewall")
#
###########################################################################
# PW: Blech. Copied B_chkconfig_off() and changed a few things,
# then changed a few more things....
sub B_chkconfig_on {
my $startup_script=$_[0];
my $retval=1;
my $chkconfig_line;
my ($runlevelinfo,@runlevels);
my ($start_order,$stop_order,$filetolink);
&B_log("ACTION","# chkconfig_on enabling $startup_script\n");
# In Debian system there is no chkconfig script, run levels are checked
# one by one (jfs)
if (&GetDistro =~/^DB.*/) {
$filetolink = &getGlobal('DIR', "initd") . "/$startup_script";
if (-x $filetolink)
{
foreach my $level ("0","1","2","3","4","5","6" ) {
my $link = '';
$link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K50" . "$startup_script";
$retval=symlink($filetolink,$link);
}
}
return $retval;
}
#
# On SUSE, chkconfig-based rc scripts have been replaced with a whole different
# system. chkconfig on SUSE is actually a shell script that does some stuff and then
# calls insserv, their replacement.
#
if (&GetDistro =~ /^SE/) {
# only try to chkconfig on if init script is found
if ( -e (&getGlobal('DIR', "initd") . "/$startup_script") ) {
$chkconfig_line=&getGlobal('BIN','chkconfig');
&B_System("$chkconfig_line $startup_script on", "$chkconfig_line $startup_script off");
# chkconfig doesn't take affect until reboot, need to restart service also
B_service_restart("$startup_script");
return 1; #success
}
return 0; #failure
}
#
# Run through the init script looking for the chkconfig line...
#
$retval = open CHKCONFIG,&getGlobal('DIR', "initd") . "/$startup_script";
unless ($retval) {
&B_log("ACTION","# Didn't chkconfig_on $startup_script because we couldn't open " . &getGlobal('DIR', "initd") . "/$startup_script\n");
}
else {
READ_LOOP:
while (my $line=<CHKCONFIG>) {
# We're looking for lines like this one:
# # chkconfig: 2345 10 90
# OR this
# # chkconfig: - 10 90
if ($line =~ /^#\s*chkconfig:\s*([-\d]+)\s*(\d+)\s*(\d+)/ ) {
$runlevelinfo = $1;
$start_order = $2;
$stop_order = $3;
# handle a run levels arg of '-'
if ( $runlevelinfo eq '-' ) {
&B_log("ACTION","chkconfig_on saw '-' for run levels for \"$startup_script\", is defaulting to levels 3,4,5\n");
$runlevelinfo = '345';
}
@runlevels = split(//,$runlevelinfo);
# make sure the orders have 2 digits
$start_order =~ s/^(\d)$/0$1/;
$stop_order =~ s/^(\d)$/0$1/;
last READ_LOOP;
}
}
close CHKCONFIG;
# Do we have what we need?
if ( (scalar(@runlevels) < 1) || (! $start_order =~ /^\d{2}$/) || (! $stop_order =~ /^\d{2}$/) ) {
# problem
&B_log("ERROR","# B_chkconfig_on $startup_script failed -- no valid run level/start/stop info found\n");
return(-1);
}
# Now, run through creating symlinks...
&B_log("ACTION","# chkconfig_on will use run levels ".join(",",@runlevels)." for \"$startup_script\" with S order $start_order and K order $stop_order\n");
$retval=0;
# BUG: we really ought to readdir() on &getGlobal('DIR', "rcd") to get all levels
foreach my $level ( "0","1","2","3","4","5","6" ) {
my $link = '';
# we make K links in run levels not specified in the chkconfig line
$link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/K$stop_order" . $startup_script;
my $klink = $link;
# now we see if this is a specified run level; if so, make an S link
foreach my $markedlevel ( @runlevels ) {
if ( $level == $markedlevel) {
$link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/S$start_order" . $startup_script;
}
}
my $target = &getGlobal('DIR', "initd") ."/" . $startup_script;
my $local_return;
if ( (-e "$klink") && ($klink ne $link) ) {
# there's a K link, but this level needs an S link
unless ($GLOBAL_LOGONLY) {
$local_return = unlink("$klink");
if ( ! $local_return ) {
# unlinking old, bad $klink failed
&B_log("ERROR","Unlinking $klink failed\n");
} else {
&B_log("ACTION","Removed link $klink\n");
# If we removed the link, add a link command to the revert file
&B_revert_log (&getGlobal('BIN','ln') . " -s $target $klink\n");
} # close what to do if unlink works
} # if not GLOBAL_LOGONLY
} # if $klink exists and ne $link
# OK, we've disposed of any old K links, make what we need
if ( (! ( -e "$link" )) && ($link ne '') ) {
# link doesn't exist and the start/stop number is OK; make it
unless ($GLOBAL_LOGONLY) {
# create the link
$local_return = &B_symlink($target,$link);
if ($local_return) {
$retval++;
&B_log("ACTION","Created link $link\n");
} else {
&B_log("ERROR","Couldn't create $link when trying to chkconfig on $startup_script\n");
}
}
} # link doesn't exist
} # foreach level
}
if ($retval < @runlevels) {
$retval=0;
}
$retval;
}
###########################################################################
# &B_chkconfig_off ($daemon_name) deletes the symbolic links that are
# named in the "# chkconfig: ___ _ _ " portion of the init.d files. We
# need this utility, in place of the distro's chkconfig, because of both
# our need to add revert functionality and our need to harden distros that
# are not mounted on /.
#
# chkconfig allows for a REVERT of its work by writing to an executable
# file &getGlobal('BFILE', "removed-symlinks").
#
# It uses the following global variables to find the links and the init
# scripts, respectively:
#
# &getGlobal('DIR', "rcd") -- directory where the rc_.d subdirs can be found
# &getGlobal('DIR', "initd") -- directory the rc_.d directories link to
#
# Here an example of where you might use this:
#
# You'd like to tell stop running sendmail in daemon mode on boot:
# B_chkconfig_off("sendmail")
#
###########################################################################
sub B_chkconfig_off {
my $startup_script=$_[0];
my $retval=1;
my $chkconfig_line;
my @runlevels;
my ($start_order,$stop_order,$filetolink);
if (&GetDistro =~/^DB.*/) {
$filetolink = &getGlobal('DIR', "initd") . "/$startup_script";
if (-x $filetolink)
{
# Three ways to do this in Debian:
# 1.- have the initd script set to 600 mode
# 2.- Remove the links in rcd (re-installing the package
# will break it)
# 3.- Use update-rc.d --remove (same as 2.)
# (jfs)
&B_chmod(0600,$filetolink);
$retval=6;
# The second option
#foreach my $level ("0","1","2","3","4","5","6" ) {
#my $link = '';
#$link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K50" . "$startup_script";
#unlink($link);
#}
}
}
#
# On SUSE, chkconfig-based rc scripts have been replaced with a whole different
# system. chkconfig on SUSE is actually a shell script that does some stuff and then
# calls insserv, their replacement.
#
elsif (&GetDistro =~ /^SE/) {
# only try to chkconfig off if init script is found
if ( -e (&getGlobal('DIR', "initd") . "/$startup_script") ) {
$chkconfig_line=&getGlobal('BIN','chkconfig');
&B_System("$chkconfig_line $startup_script on", "$chkconfig_line $startup_script off");
# chkconfig doesn't take affect until reboot, need to stop service
# since expectation is that the daemons are disabled even without a reboot
B_service_stop("$startup_script");
return 1; #success
}
return 0; #failure
}
else {
# Run through the init script looking for the chkconfig line...
$retval = open CHKCONFIG,&getGlobal('DIR', "initd") . "/$startup_script";
unless ($retval) {
&B_log("ACTION","Didn't chkconfig_off $startup_script because we couldn't open " . &getGlobal('DIR', "initd") . "/$startup_script\n");
}
else {
READ_LOOP:
while (my $line=<CHKCONFIG>) {
# We're looking for lines like this one:
# # chkconfig: 2345 10 90
if ($line =~ /^#\s*chkconfig:\s*([-\d]+)\s*(\d+)\s*(\d+)/ ) {
@runlevels=split //,$1;
$start_order=$2;
$stop_order=$3;
# Change single digit run levels to double digit -- otherwise,
# the alphabetic ordering chkconfig depends on fails.
if ($start_order =~ /^\d$/ ) {
$start_order = "0" . $start_order;
&B_log("ACTION","chkconfig_off converted start order to $start_order\n");
}
if ($stop_order =~ /^\d$/ ) {
$stop_order = "0" . $stop_order;
&B_log("ACTION","chkconfig_off converted stop order to $stop_order\n");
}
last READ_LOOP;
}
}
close CHKCONFIG;
# If we never found a chkconfig line, can we just run through all 5
# rcX.d dirs from 1 to 5...?
# unless ( $start_order and $stop_order ) {
# @runlevels=("1","2","3","4","5");
# $start_order = "*"; $stop_order="*";
# }
# Now, run through removing symlinks...
$retval=0;
# Handle the special case that the run level specified is solely "-"
if ($runlevels[0] =~ /-/) {
@runlevels = ( "0","1","2","3","4","5","6" );
}
foreach my $level ( @runlevels ) {
my $link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/S$start_order" . $startup_script;
my $new_link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/K$stop_order" . $startup_script;
my $target = &getGlobal('DIR', "initd") ."/" . $startup_script;
my $local_return;
# Replace the S__ link in this level with a K__ link.
if ( -e $link ) {
unless ($GLOBAL_LOGONLY) {
$local_return=unlink $link;
if ($local_return) {
$local_return=symlink $target,$new_link;
unless ($local_return) {
&B_log("ERROR","Linking $target to $new_link failed.\n");
}
}
else { # unlinking failed
&B_log("ERROR","Unlinking $link failed\n");
}
}
if ($local_return) {
$retval++;
&B_log("ACTION","Removed link $link\n");
#
# If we removed the link, add a link command to the revert file
# Write out the revert information for recreating the S__
# symlink and deleting the K__ symlink.
&B_revert_log(&getGlobal('BIN',"ln") . " -s $target $link\n");
&B_revert_log(&getGlobal('BIN',"rm") . " -f $new_link\n");
}
else {
&B_log("ERROR","B_chkconfig_off $startup_script failed\n");
}
}
} # foreach
} # else-unless
} # else-DB
if ($retval < @runlevels) {
$retval=0;
}
$retval;
}
###########################################################################
# &B_service_start ($daemon_name)
# Starts service on RedHat/SUSE-based Linux distributions which have the
# service command:
#
# service $daemon_name start
#
# Other Linux distros that also support this method of starting
# services can be added to use this function.
#
# Here an example of where you might use this:
#
# You'd like to tell the system to start the vsftpd daemon:
# &B_service_start("vsftpd")
#
# Uses &B_System in HP_API.pm
# To match how the &B_System command works this method:
# returns 1 on success
# returns 0 on failure
###########################################################################
sub B_service_start {
my $daemon=$_[0];
if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
(&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
&B_log("ERROR","Tried to call service_start on a system lacking a service command! Internal Bastille error.");
return undef;
}
# only start service if init script is found
if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
&B_log("ACTION","# service_start enabling $daemon\n");
my $service_cmd=&getGlobal('BIN', 'service');
if ($service_cmd) {
# Start the service,
# Also provide &B_System revert command
return (&B_System("$service_cmd $daemon start",
"$service_cmd $daemon stop"));
}
}
# init script not found, do not try to start, return failure
return 0;
}
###########################################################################
# &B_service_stop ($daemon_name)
# Stops service on RedHat/SUSE-based Linux distributions which have the
# service command:
#
# service $daemon_name stop
#
# Other Linux distros that also support this method of starting
# services can be added to use this function.
# Stops service.
#
#
# Here an example of where you might use this:
#
# You'd like to tell the system to stop the vsftpd daemon:
# &B_service_stop("vsftpd")
#
# Uses &B_System in HP_API.pm
# To match how the &B_System command works this method:
# returns 1 on success
# returns 0 on failure
###########################################################################
sub B_service_stop {
my $daemon=$_[0];
if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
(&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
&B_log("ERROR","Tried to call service_stop on a system lacking a service command! Internal Bastille error.");
return undef;
}
# only stop service if init script is found
if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
&B_log("ACTION","# service_stop disabling $daemon\n");
my $service_cmd=&getGlobal('BIN', 'service');
if ($service_cmd) {
# Stop the service,
# Also provide &B_System revert command
return (&B_System("$service_cmd $daemon stop",
"$service_cmd $daemon start"));
}
}
# init script not found, do not try to stop, return failure
return 0;
}
###########################################################################
# &B_service_restart ($daemon_name)
# Restarts service on RedHat/SUSE-based Linux distributions which have the
# service command:
#
# service $daemon_name restart
#
# Other Linux distros that also support this method of starting
# services can be added to use this function.
#
# Here an example of where you might use this:
#
# You'd like to tell the system to restart the vsftpd daemon:
# &B_service_restart("vsftpd")
#
# Uses &B_System in HP_API.pm
# To match how the &B_System command works this method:
# returns 1 on success
# returns 0 on failure
###########################################################################
sub B_service_restart {
my $daemon=$_[0];
if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
(&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
&B_log("ERROR","Tried to call service_restart on a system lacking a service command! Internal Bastille error.");
return undef;
}
# only restart service if init script is found
if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
&B_log("ACTION","# service_restart re-enabling $daemon\n");
my $service_cmd=&getGlobal('BIN', 'service');
if ($service_cmd) {
# Restart the service
return (&B_System("$service_cmd $daemon restart",
"$service_cmd $daemon restart"));
}
}
# init script not found, do not try to restart, return failure
return 0;
}
###########################################################################
# &B_is_service_off($;$)
#
# Runs the specified test to determine whether or not the question should
# be answered.
#
# return values:
# NOTSECURE_CAN_CHANGE()/0: service is on
# SECURE_CANT_CHANGE()/1: service is off
# undef: test is not defined
###########################################################################
sub B_is_service_off ($){
my $service=$_[0];
if(&GetDistro =~ "^HP-UX"){
#die "Why do I think I'm on HPUX?!\n";
return &checkServiceOnHPUX($service);
}
elsif ( (&GetDistro =~ "^RH") || (&GetDistro =~ "^SE") ) {
return &checkServiceOnLinux($service);
}
else {
&B_log("DEBUG","B_is_service off called for unsupported OS");
# not yet implemented for other distributions of Linux
# when GLOBAL_SERVICE, GLOBAL_SERVTYPE and GLOBAL_PROCESS are filled
# in for Linux, then
# at least inetd and inittab services should be similar to the above,
# whereas chkconfig would be used on some Linux distros to determine
# if non-inetd/inittab services are running at boot time. Looking at
# processes should be similar.
return undef;
}
}
###########################################################################
# &checkServiceOnLinux($service);
#
# Checks if the given service is running on a Linux system. This is
# called by B_is_Service_Off(), which is the function that Bastille
# modules should call.
#
# Return values:
# NOTSECURE_CAN_CHANGE() if the service is on
# SECURE_CANT_CHANGE() if the service is off
# undef if the state of the service cannot be determined
#
###########################################################################
sub checkServiceOnLinux($) {
my $service=$_[0];
# get the list of parameters which could be used to initiate the service
# (could be in /etc/rc.d/rc?.d, /etc/inetd.conf, or /etc/inittab, so we
# check all of them)
my @params = @{ &getGlobal('SERVICE', $service) };
my $chkconfig = &getGlobal('BIN', 'chkconfig');
my $grep = &getGlobal('BIN', 'grep');
my $inittab = &getGlobal('FILE', 'inittab');
my $serviceType = &getGlobal('SERVTYPE', $service);;
# A kludge to get things running because &getGlobal('SERVICE' doesn't
# return the expected values.
@params = ();
push (@params, $service);
foreach my $param (@params) {
&B_log("DEBUG","Checking to see if service $service is off.\n");
if ($serviceType =~ /rc/) {
my $on = &B_Backtick("$chkconfig --list $param 2>&1");
if ($on =~ /^$param:\s+unknown/) {
# This service isn't installed on the system
return NOT_INSTALLED();
}
if ($on =~ /^error reading information on service $param: No such file or directory/) {
# This service isn't installed on the system
return NOT_INSTALLED();
}
if ($on =~ /^error/) {
# This probably
&B_log("DEBUG","chkconfig returned: $param=$on\n");
return undef;
}
$on =~ s/^$param\s+//; # remove the service name and spaces
$on =~ s/[0-6]:off\s*//g; # remove any runlevel:off entries
$on =~ s/:on\s*//g; # remove the :on from the runlevels
# what remains is a list of runlevels in which the service is on,
# or a null string if it is never turned on
chomp $on; # newline should be gone already (\s)
&B_log("DEBUG","chkconfig returned: $param=$on\n");
if ($on =~ /^\d+$/) {
# service is not off
########################### BREAK out, don't skip question
return NOTSECURE_CAN_CHANGE();
}
}
elsif ($serviceType =~ /inet/) {
my $on = &B_Backtick("$chkconfig --list $param 2>&1");
if ($on =~ /^$param:\s+unknown/) {
# This service isn't installed on the system
return NOT_INSTALLED();
}
if ($on =~ /^error reading information on service $param: No such file or directory/) {
# This service isn't installed on the system
return NOT_INSTALLED();
}
if ($on =~ /^error/ ) {
# Something else is wrong?
# return undef
return undef;
}
if ($on =~ tr/\n// > 1) {
$on =~ s/^xinetd.+\n//;
}
$on =~ s/^\s*$param:?\s+//; # remove the service name and spaces
chomp $on; # newline should be gone already (\s)
&B_log("DEBUG","chkconfig returned: $param=$on\n");
if ($on =~ /^on$/) {
# service is not off
########################### BREAK out, don't skip question
return NOTSECURE_CAN_CHANGE();
}
}
else {
# perhaps the service is started by inittab
my $inittabline = &B_Backtick("$grep -E '^[^#].{0,3}:.*:.+:.*$param' $inittab");
if ($inittabline =~ /.+/) { # . matches anything except newlines
# service is not off
&B_log("DEBUG","Checking inittab; found $inittabline\n");
########################### BREAK out, don't skip question
return NOTSECURE_CAN_CHANGE();
}
}
} # foreach my $param
# boot-time parameters are not set; check processes
# Note the checkProcsforService returns INCONSISTENT() if a process is found
# assuming the checks above
return &checkProcsForService($service);
}
1;
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/accept_os_flag_in_backend.patch
+34
View File
@@ -0,0 +1,34 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/BastilleBackEnd
===================================================================
--- Bastille.orig/BastilleBackEnd 2013-08-21 12:40:54.000000000 -0400
+++ Bastille/BastilleBackEnd 2013-08-21 12:43:21.895950001 -0400
@@ -52,11 +52,13 @@
my $force = 0;
my $debug = 0;
my $alternate_config=undef;
+my $os_version=undef;
if( Getopt::Long::GetOptions( "n" => \$nodisclaim,
"v" => \$verbose,
"force" => \$force,
"f=s" => \$alternate_config,
+ "os=s" => \$os_version,
"debug" => \$debug) ) {
$error = 0; # no parse error
@@ -66,7 +68,8 @@
&setOptions(
debug => $debug,
- verbose => $verbose);
+ verbose => $verbose,
+ os => $os_version);
&ConfigureForDistro;
if ( $error ) { # GetOptions couldn't parse all of the args
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/allow_os_with_assess.patch
+43
View File
@@ -0,0 +1,43 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/bin/bastille
===================================================================
--- Bastille.orig/bin/bastille 2013-08-21 08:59:06.647950000 -0400
+++ Bastille/bin/bastille 2013-08-21 15:55:53.193631711 -0400
@@ -195,7 +195,6 @@
systemFileLocations
isAssessing='no'
-nonXArg='no'
if [ $PERL_V_MAJ -eq $MIN_V_MAJ -a $PERL_V_MIN -lt $MIN_V_MIN -o $PERL_V_MAJ -lt $MIN_V_MAJ ]; then # invalid Perl
printErr
@@ -316,12 +315,10 @@
'--os')
options_left="$options_left --os"
optarg='yes'
- nonXArg='yes'
;;
'-f')
options_left="$options_left -f"
optarg='yes'
- nonXArg='yes'
;;
# Non-exclusive (undocumented and unsupported) options follow:
# There is no validity/combination checking done with these.
@@ -345,11 +342,6 @@
fi
done
-#Detect case where -f or --os attempted use with --assess
- if [ \( x$nonXArg = xyes \) -a \( x$isAssessing = xyes \) ]; then
- printUsage
- exit 2
- fi
# We have a valid version of perl! Verify that all the required
# modules can be found.
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/call_output_config.patch
+19
View File
@@ -0,0 +1,19 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/Bastille_Curses.pm
===================================================================
--- Bastille.orig/Bastille_Curses.pm 2013-08-21 08:58:53.899950000 -0400
+++ Bastille/Bastille_Curses.pm 2013-08-21 09:20:20.295950005 -0400
@@ -84,7 +84,7 @@
}
# Output answers to the script and display
- &checkAndSaveConfig(&getGlobal('BFILE', "config"));
+ &outputConfig;
# Run Bastille
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/config
Executable
+106
View File
@@ -0,0 +1,106 @@
# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
AccountSecurity.protectrhost="Y"
# Q: Should we disallow root login on tty's 1-6? [N]
AccountSecurity.rootttylogins="Y"
# Q: What umask would you like to set for users on the system? [077]
AccountSecurity.umask="077"
# Q: Do you want to set the default umask? [Y]
AccountSecurity.umaskyn="Y"
# Q: Would you like to deactivate the Apache web server? [Y]
Apache.apacheoff="Y"
# Q: Would you like to password protect single-user mode? [Y]
BootSecurity.passsum="Y"
# Q: Should we restrict console access to a small group of user accounts? [N]
ConfigureMiscPAM.consolelogin="Y"
# Q: Which accounts should be able to login at console? [root]
ConfigureMiscPAM.consolelogin_accounts="root"
# Q: Would you like to put limits on system resource usage? [N]
ConfigureMiscPAM.limitsconf="Y"
# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
FilePermissions.generalperms_1_1="Y"
# Q: Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="Y"
# Q: Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="Y"
# Q: Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="Y"
# Q: Do you need the advanced networking options?
Firewall.ip_advnetwork="Y"
# Q: Should Bastille run the firewall and enable it at boot time? [N]
Firewall.ip_enable_firewall="Y"
# Q: Would you like to run the packet filtering script? [N]
Firewall.ip_intro="Y"
# Q: Interfaces for DHCP queries: [ ]
Firewall.ip_s_dhcpiface=" "
# Q: DNS servers: [0.0.0.0/0]
Firewall.ip_s_dns="10.184.9.1"
# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
Firewall.ip_s_icmpallowed="destination-unreachable echo-reply time-exceeded"
# Q: ICMP services to audit: [ ]
Firewall.ip_s_icmpaudit=" "
# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
Firewall.ip_s_icmpout="destination-unreachable time-exceeded"
# Q: Internal interfaces: [ ]
Firewall.ip_s_internaliface=" "
# Q: TCP service names or port numbers to allow on private interfaces: [ ]
Firewall.ip_s_internaltcp=" "
# Q: UDP service names or port numbers to allow on private interfaces: [ ]
Firewall.ip_s_internaludp=" "
# Q: Masqueraded networks: [ ]
Firewall.ip_s_ipmasq=" "
# Q: Kernel modules to masquerade: [ftp raudio vdolive]
Firewall.ip_s_kernelmasq="ftp raudio vdolive"
# Q: NTP servers to query: [ ]
Firewall.ip_s_ntpsrv=" "
# Q: Force passive mode? [N]
Firewall.ip_s_passiveftp="N"
# Q: Public interfaces: [eth+ ppp+ slip+]
Firewall.ip_s_publiciface="eth+ ppp+ slip+"
# Q: TCP service names or port numbers to allow on public interfaces:[ ]
Firewall.ip_s_publictcp=" "
# Q: UDP service names or port numbers to allow on public interfaces:[ ]
Firewall.ip_s_publicudp=" "
# Q: Reject method: [DENY]
Firewall.ip_s_rejectmethod="DENY"
# Q: Enable source address verification? [Y]
Firewall.ip_s_srcaddr="Y"
# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
Firewall.ip_s_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
Firewall.ip_s_tcpblock="2049 2065:2090 6000:6020 7100"
# Q: Trusted interface names: [lo]
Firewall.ip_s_trustiface="lo"
# Q: UDP services to audit: [31337]
Firewall.ip_s_udpaudit="31337"
# Q: UDP services to block: [2049 6770]
Firewall.ip_s_udpblock="2049 6770"
# Q: Would you like to add additional logging? [Y]
Logging.morelogging="Y"
# Q: Would you like to set up process accounting? [N]
Logging.pacct="N"
# Q: Do you have a remote logging host? [N]
Logging.remotelog="N"
# Q: Would you like to disable acpid and/or apmd? [Y]
MiscellaneousDaemons.apmd="Y"
# Q: Would you like to deactivate NFS and Samba? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q: Would you like to disable printing? [N]
Printing.printing="Y"
# Q: Would you like to disable printing? [N]
Printing.printing_cups="Y"
# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
SecureInetd.banners="Y"
# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
SecureInetd.deactivate_ftp="Y"
# Q: Should Bastille ensure the telnet service does not run on this system? [y]
SecureInetd.deactivate_telnet="Y"
# Q: Who is responsible for granting authorization to use this machine?
SecureInetd.owner="its owner"
# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
SecureInetd.tcpd_default_deny="Y"
# Q: Do you want to stop sendmail from running in daemon mode? [Y]
Sendmail.sendmaildaemon="Y"
# Q: Would you like to install TMPDIR/TMP scripts? [N]
TMPDIR.tmpdir="N"
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/do_not_apply_config.patch
+40
View File
@@ -0,0 +1,40 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/Bastille_Curses.pm
===================================================================
--- Bastille.orig/Bastille_Curses.pm 2013-08-27 16:43:39.130959000 -0400
+++ Bastille/Bastille_Curses.pm 2013-08-27 16:43:39.794959000 -0400
@@ -83,11 +83,6 @@
# Output answers to the script and display
&outputConfig;
- # Run Bastille
-
- &Run_Bastille_with_Config;
-
-
# Display Credits
open CREDITS,"/usr/share/Bastille/Credits";
Index: Bastille/InteractiveBastille
===================================================================
--- Bastille.orig/InteractiveBastille 2013-08-27 16:43:39.434959000 -0400
+++ Bastille/InteractiveBastille 2013-08-27 17:18:55.758959000 -0400
@@ -531,10 +531,10 @@
" Please address bug reports and suggestions to jay\@bastille-linux.org\n" .
"\n";
- $InterfaceEndScreenDescription = "We will now implement the choices you have made here.\n\n" .
+ $InterfaceEndScreenDescription = "We will now record the choices you have made here.\n\n" .
"Answer NO if you want to go back and make changes!\n";
- $InterfaceEndScreenQuestion = "Are you finished answering the questions, i.e. may we make the changes?";
- $InterfaceEndScreenNoEpilogue = "Please use Back/Next buttons to move among the questions you wish to\nchange.\n\nChoose YES on this question later to implement your choices.\n";
+ $InterfaceEndScreenQuestion = "Are you finished answering the questions, i.e. may we record the answers and exit?";
+ $InterfaceEndScreenNoEpilogue = "Please use Back/Next buttons to move among the questions you wish to\nchange.\n\nChoose YES on this question later to record your choices.\n";
require Bastille_Curses;
} elsif ($GLOBAL_AUDITONLY) {
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/edit_usage_message.patch
+32
View File
@@ -0,0 +1,32 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/bin/bastille
===================================================================
--- Bastille.orig/bin/bastille 2013-08-25 14:16:35.614779001 -0400
+++ Bastille/bin/bastille 2013-08-25 14:16:38.674779000 -0400
@@ -60,7 +60,7 @@
printUsage () {
cat >&2 << EOF
$ERRSPACES Usage: bastille [ -b | -c | -x ] [ --os <version>] [ -f <alternate config> ]
-$ERRSPACES bastille [-r | -l | -h | --assess | --assessnobrowser ]
+$ERRSPACES bastille [-r | -l | -h | --assess | --assessnobrowser ] [ --os <version> ]
$ERRSPACES -b : use a saved config file to apply changes
$ERRSPACES directly to system
$ERRSPACES -c : use the Curses (non-X11) GUI, not available on HP-UX
Index: Bastille/Bastille/API.pm
===================================================================
--- Bastille.orig/Bastille/API.pm 2013-08-25 08:15:40.266779002 -0400
+++ Bastille/Bastille/API.pm 2013-08-25 14:18:22.750778811 -0400
@@ -206,7 +206,7 @@
#options before interactive or Bastille runs, so this check is often redundant
$GLOBAL_ERROR{"usage"}="\n".
"$spc Usage: bastille [ -b | -c | -x ] [ --os <version> ] [ -f <alternate config> ]\n".
- "$spc bastille [ -r | --assess | --assessnobowser ]\n\n".
+ "$spc bastille [ -r | --assess | --assessnobowser ] [ --os <version> ]\n\n".
"$spc --assess : check status of system and report in browser\n".
"$spc --assessnobrowser : check status of system and list report locations\n".
"$spc -b : use a saved config file to apply changes\n".
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/find_existing_config.patch
+64
View File
@@ -0,0 +1,64 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/bin/bastille
===================================================================
--- Bastille.orig/bin/bastille 2013-06-20 14:58:01.065796000 -0400
+++ Bastille/bin/bastille 2013-08-20 15:16:18.472378000 -0400
@@ -102,8 +102,9 @@
# defines OS specific file locations based on uname
systemFileLocations
+ config_files=`find $config_repository -type f -name \*config 2>/dev/null`
+
if [ -f $last_config ]; then
- config_files=`find $config_repository -type f -name \*config 2>/dev/null`
for config_cursor in `echo $config_files`
do
if /usr/bin/diff $last_config $config_cursor >/dev/null 2>&1
@@ -112,8 +113,8 @@
fi
done
if [ -n "$match" ]; then
- echo "The last bastille run corresponds to the following profiles:"
- echo "$match"
+ printf "The last Bastille run corresponds to the following profiles:\n"
+ printf "$match"
else
cat >&2 << EOF
NOTE: The last config file applied,
@@ -122,18 +123,28 @@
$ERRSPACES $config_repository.
$ERRSPACES This probably means that Bastille was last run interactively and
$ERRSPACES changes were made to the config file, but they have not yet been
-$ERRSPACES applied, or that the source config file was moved. If you do have pending
+$ERRSPACES applied, or that the source config file was moved. If you do have pending
$ERRSPACES changes in a config file, you can apply them by running
$ERRSPACES 'bastille -b -f <config file>.'
EOF
fi
else
- echo "NOTE: The system is in its pre-bastilled state.\n"
+ for config_cursor in `echo $config_files`
+ do
+ match="$match $config_cursor\n"
+ done
+ if [ -n "$match" ]; then
+ printf "The following Bastille profiles were located:\n"
+ printf "$match"
+ else
+ printf "No Bastille profiles were located.\n"
+ fi
+ printf "No log files of profiles from previous executions of Bastille have been found. It is likely that Bastille has not been run on this machine.\n"
fi
-
}
+
# First, make sure we're root
if [ `PATH="/usr/bin:/bin"; id -u` -ne 0 ]; then
echo "ERROR: Bastille must be run as root user" >&2
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_missing_use_directives.patch
+54
View File
@@ -0,0 +1,54 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/Bastille/Firewall.pm
===================================================================
--- Bastille.orig/Bastille/Firewall.pm 2008-09-14 19:56:54.000000000 -0400
+++ Bastille/Bastille/Firewall.pm 2013-08-20 16:28:44.588378000 -0400
@@ -21,6 +21,7 @@
package Bastille::Firewall;
use Bastille::API;
+use Bastille::API::AccountPermission;
use Bastille::API::FileContent;
use Bastille::API::ServiceAdmin;
Index: Bastille/Bastille/SecureInetd.pm
===================================================================
--- Bastille.orig/Bastille/SecureInetd.pm 2008-09-14 19:56:58.000000000 -0400
+++ Bastille/Bastille/SecureInetd.pm 2013-08-20 16:45:02.252378001 -0400
@@ -12,6 +12,7 @@
use lib "/usr/lib";
use Bastille::API;
+use Bastille::API::AccountPermission;
use Bastille::API::HPSpecific;
use Bastille::API::ServiceAdmin;
use Bastille::API::FileContent;
Index: Bastille/Bastille/ConfigureMiscPAM.pm
===================================================================
--- Bastille.orig/Bastille/ConfigureMiscPAM.pm 2005-09-12 23:47:28.000000000 -0400
+++ Bastille/Bastille/ConfigureMiscPAM.pm 2013-08-20 18:36:07.340378001 -0400
@@ -5,6 +5,7 @@
use lib "/usr/lib";
use Bastille::API;
+use Bastille::API::FileContent;
# To DO:
#
Index: Bastille/Bastille/Printing.pm
===================================================================
--- Bastille.orig/Bastille/Printing.pm 2008-09-14 19:56:58.000000000 -0400
+++ Bastille/Bastille/Printing.pm 2013-08-20 19:05:01.532378002 -0400
@@ -5,6 +5,7 @@
use lib "/usr/lib";
use Bastille::API;
+use Bastille::API::AccountPermission;
use Bastille::API::HPSpecific;
use Bastille::API::ServiceAdmin;
use Bastille::API::FileContent;
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_number_of_modules.patch
+38
View File
@@ -0,0 +1,38 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/Bastille_Curses.pm
===================================================================
--- Bastille.orig/Bastille_Curses.pm 2013-08-24 18:21:54.445288000 -0400
+++ Bastille/Bastille_Curses.pm 2013-08-24 18:29:16.981288000 -0400
@@ -36,9 +36,6 @@
use Curses;
use Curses::Widgets;
- # Number_Modules is the number of modules loaded in by Load_Questions
- $Number_Modules=0;
-
#
# Highlighted button is the button currently chosen in the button bar
# We preserve this from question to question...
@@ -397,7 +394,7 @@
my $title;
if ($module) {
- $title=$module . " of $Number_Modules";
+ $title=$module;
}
txt_field( 'window' => $window,
@@ -488,7 +485,7 @@
my $title;
if ($module) {
- $title=$module . " of $Number_Modules";
+ $title=$module;
}
noecho;
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fix_version_parse.patch
+27
View File
@@ -0,0 +1,27 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/bin/bastille
===================================================================
--- Bastille.orig/bin/bastille
+++ Bastille/bin/bastille
@@ -162,11 +162,12 @@ fi
# We check that the version is at least the minimum
PERL_VERSION=`${CURRENT_PERL_PATH}/perl -version |
- head -2 | # the second line contains the version
+ head -n 2 | # the second line contains the version
tr " " "\n" | # split words into separate lines
- sed -e "s/^v//" | # to get rid of the v in v5.6.0
- grep "^[1-9]\." | # find a "word" that starts with number dot
- sed -e "s/_/./"` # substitute _patchlevel with .patchlevel
+ grep "^(v" | # find a "word" that starts with '(v'
+ sed -e "s/^(v//" -e "s/)//" -e "s/_/./"`
+ # to get rid of the (v in v5.6.0
+ # substitute _patchlevel with .patchlevel
# (used in 5.005_03 and prior)
# everything before the first .
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/fixed_defined_warnings.patch
+65
View File
@@ -0,0 +1,65 @@
From c59b84ca3bda8e4244d47901b6966f28dd675434 Mon Sep 17 00:00:00 2001
From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
Date: Thu, 23 May 2013 15:12:23 +0300
Subject: [PATCH] added yocto-standard to bastille
In order to make Bastille functional and avoid errors
regarding distros, if not any given distro is identified,
yocto-standard distro is added to the distro variable
in Bastille.
Fixed also some warnings regarding defined statements
in API.pm.
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Bastille/API.pm | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
Index: Bastille/Bastille/API.pm
===================================================================
--- Bastille.orig/Bastille/API.pm 2008-09-14 19:56:53.000000000 -0400
+++ Bastille/Bastille/API.pm 2013-08-21 08:55:26.715950001 -0400
@@ -445,8 +445,8 @@
$release=`/usr/bin/uname -sr`;
}
else {
- print STDERR "$err Could not determine operating system version!\n";
- $distro="unknown";
+ print STDERR "$err Could not determine operating system version!\n";
+ $distro="unknown"
}
# Figure out what kind of system we're on.
@@ -1284,7 +1284,7 @@
my $sumFile = &getGlobal('BFILE',"sum.csv");
- if ( defined %GLOBAL_SUM ) {
+ if ( %GLOBAL_SUM ) {
open( SUM, "> $sumFile") or &B_log("ERROR","Unable to open $sumFile for write.\n$!\n");
@@ -1318,7 +1318,7 @@
my $file = $_[0];
my $cksum = &getGlobal('BIN',"cksum");
- if (not(defined(%GLOBAL_SUM))) {
+ if (not(%GLOBAL_SUM)) {
&B_read_sums;
}
@@ -1375,7 +1375,7 @@
sub B_isFileinSumDB($) {
my $file = $_[0];
- if (not(defined(%GLOBAL_SUM))) {
+ if (not(%GLOBAL_SUM)) {
&B_log("DEBUG","Reading in DB from B_isFileinSumDB");
&B_read_sums;
}
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/organize_distro_discovery.patch
+476
View File
@@ -0,0 +1,476 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/Bastille/API.pm
===================================================================
--- Bastille.orig/Bastille/API.pm 2013-08-22 04:32:38.269968002 -0400
+++ Bastille/Bastille/API.pm 2013-08-22 11:29:53.137968002 -0400
@@ -141,7 +141,7 @@
checkProcsForService
- $GLOBAL_OS $GLOBAL_ACTUAL_OS $CLI
+ $CLI
$GLOBAL_LOGONLY $GLOBAL_VERBOSE $GLOBAL_DEBUG $GLOBAL_AUDITONLY $GLOBAL_AUDIT_NO_BROWSER $errorFlag
%GLOBAL_BIN %GLOBAL_DIR %GLOBAL_FILE
%GLOBAL_BDIR %GLOBAL_BFILE
@@ -198,7 +198,7 @@
my $err ="ERROR: ";
my $spc =" ";
my $GLOBAL_OS="None";
-my $GLOBAL_ACTUAL_OS="None";
+my $GLOBAL_INFERRED_OS="None";
my %GLOBAL_SUMS=();
my $CLI='';
@@ -306,7 +306,7 @@
###########################################################################
#
-# GetDistro checks to see if the target is a known distribution and reports
+# InferDistro checks to see if the target is a known distribution and reports
# said distribution.
#
# This is used throughout the script, but also by ConfigureForDistro.
@@ -314,205 +314,194 @@
#
###########################################################################
-sub GetDistro() {
+sub InferDistro() {
my ($release,$distro);
- # Only read files for the distro once.
- # if the --os option was used then
- if ($GLOBAL_OS eq "None") {
- if ( -e "/etc/mandrake-release" ) {
- open(MANDRAKE_RELEASE,"/etc/mandrake-release");
- $release=<MANDRAKE_RELEASE>;
-
- if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
- $distro="MN$1";
- }
- elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
- $distro="MN$1";
- }
- else {
- print STDERR "$err Couldn't determine Mandrake/Mandriva version! Setting to 10.1!\n";
- $distro="MN10.1";
- }
-
- close(MANDRAKE_RELEASE);
- }
- elsif ( -e "/etc/immunix-release" ) {
- open(IMMUNIX_RELEASE,"/etc/immunix-release");
- $release=<IMMUNIX_RELEASE>;
- unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
- print STDERR "$err Couldn't determine Immunix version! Setting to 6.2!\n";
- $distro="RH6.2";
- }
- else {
- $distro="RH$1";
- }
- close(*IMMUNIX_RELEASE);
- }
- elsif ( -e '/etc/fedora-release' ) {
- open(FEDORA_RELEASE,'/etc/fedora-release');
- $release=<FEDORA_RELEASE>;
- close FEDORA_RELEASE;
- if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
- $distro = "RHFC$1";
- }
- elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
- $distro = "RHFC$1";
- }
- else {
- print STDERR "$err Could not determine Fedora version! Setting to Fedora Core 8\n";
- $distro='RHFC8';
- }
+ if ( -e "/etc/mandrake-release" ) {
+ open(MANDRAKE_RELEASE,"/etc/mandrake-release");
+ $release=<MANDRAKE_RELEASE>;
+
+ if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
+ $distro="MN$1";
+ }
+ elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
+ $distro="MN$1";
+ }
+ else {
+ print STDERR "$err Could not infer Mandrake/Mandriva version! Setting to 10.1!\n";
+ $distro="MN10.1";
+ }
+
+ close(MANDRAKE_RELEASE);
+ }
+ elsif ( -e "/etc/immunix-release" ) {
+ open(IMMUNIX_RELEASE,"/etc/immunix-release");
+ $release=<IMMUNIX_RELEASE>;
+ unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
+ print STDERR "$err Could not infer Immunix version! Setting to 6.2!\n";
+ $distro="RH6.2";
+ }
+ else {
+ $distro="RH$1";
}
- elsif ( -e "/etc/redhat-release" ) {
- open(*REDHAT_RELEASE,"/etc/redhat-release");
- $release=<REDHAT_RELEASE>;
- if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
- $distro="RH$1";
- }
- elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
- $distro="RHEL$1$2";
- }
- elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
- $distro="RHEL$2$1";
+ close(*IMMUNIX_RELEASE);
+ }
+ elsif ( -e '/etc/fedora-release' ) {
+ open(FEDORA_RELEASE,'/etc/fedora-release');
+ $release=<FEDORA_RELEASE>;
+ close FEDORA_RELEASE;
+ if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
+ $distro = "RHFC$1";
+ }
+ elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
+ $distro = "RHFC$1";
+ }
+ else {
+ print STDERR "$err Could not infer Fedora version! Setting to Fedora Core 8\n";
+ $distro='RHFC8';
+ }
+ }
+ elsif ( -e "/etc/redhat-release" ) {
+ open(*REDHAT_RELEASE,"/etc/redhat-release");
+ $release=<REDHAT_RELEASE>;
+ if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
+ $distro="RH$1";
+ }
+ elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
+ $distro="RHEL$1$2";
+ }
+ elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
+ $distro="RHEL$2$1";
+ }
+ elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
+ my $version = $1;
+ if ($version =~ /^4\./) {
+ $distro='RHEL4AS';
}
- elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
- my $version = $1;
- if ($version =~ /^4\./) {
- $distro='RHEL4AS';
- }
- elsif ($version =~ /^3\./) {
- $distro='RHEL3AS';
- }
- else {
- print STDERR "$err Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
- $distro='RHEL4AS';
- }
- }
- else {
- # JJB/HP - Should this be B_log?
- print STDERR "$err Couldn't determine Red Hat version! Setting to 9!\n";
- $distro="RH9";
- }
- close(REDHAT_RELEASE);
-
- }
- elsif ( -e "/etc/debian_version" ) {
- $stable="3.1"; #Change this when Debian stable changes
- open(*DEBIAN_RELEASE,"/etc/debian_version");
- $release=<DEBIAN_RELEASE>;
- unless ($release =~ /^(\d+\.\d+\w*)/) {
- print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
- $distro="DB$stable";
+ elsif ($version =~ /^3\./) {
+ $distro='RHEL3AS';
}
else {
- $distro="DB$1";
- }
- close(DEBIAN_RELEASE);
- }
- elsif ( -e "/etc/SuSE-release" ) {
- open(*SUSE_RELEASE,"/etc/SuSE-release");
- $release=<SUSE_RELEASE>;
- if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
- $distro="SE$1";
- }
- elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
- $distro="SESLES$1";
- }
- elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
- $distro="SESLES$1";
- }
- elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
- $distro="SE$1";
+ print STDERR "$err Could not infer CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
+ $distro='RHEL4AS';
}
- else {
- print STDERR "$err Couldn't determine SuSE version! Setting to 10.3!\n";
- $distro="SE10.3";
- }
- close(SUSE_RELEASE);
- }
- elsif ( -e "/etc/turbolinux-release") {
- open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
- $release=<TURBOLINUX_RELEASE>;
- unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
- print STDERR "$err Couldn't determine TurboLinux version! Setting to 7.0!\n";
- $distro="TB7.0";
- }
- else {
- $distro="TB$1";
- }
- close(TURBOLINUX_RELEASE);
+ }
+ else {
+ # JJB/HP - Should this be B_log?
+ print STDERR "$err Could not infer Red Hat version! Setting to 9!\n";
+ $distro="RH9";
+ }
+ close(REDHAT_RELEASE);
+
+ }
+ elsif ( -e "/etc/debian_version" ) {
+ $stable="3.1"; #Change this when Debian stable changes
+ open(*DEBIAN_RELEASE,"/etc/debian_version");
+ $release=<DEBIAN_RELEASE>;
+ unless ($release =~ /^(\d+\.\d+\w*)/) {
+ print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
+ $distro="DB$stable";
+ }
+ else {
+ $distro="DB$1";
+ }
+ close(DEBIAN_RELEASE);
+ }
+ elsif ( -e "/etc/SuSE-release" ) {
+ open(*SUSE_RELEASE,"/etc/SuSE-release");
+ $release=<SUSE_RELEASE>;
+ if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
+ $distro="SE$1";
+ }
+ elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
+ $distro="SESLES$1";
+ }
+ elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
+ $distro="SESLES$1";
+ }
+ elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
+ $distro="SE$1";
+ }
+ else {
+ print STDERR "$err Could not infer SuSE version! Setting to 10.3!\n";
+ $distro="SE10.3";
}
+ close(SUSE_RELEASE);
+ }
+ elsif ( -e "/etc/turbolinux-release") {
+ open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
+ $release=<TURBOLINUX_RELEASE>;
+ unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
+ print STDERR "$err Could not infer TurboLinux version! Setting to 7.0!\n";
+ $distro="TB7.0";
+ }
else {
- # We're either on Mac OS X, HP-UX or an unsupported O/S.
- if ( -x '/usr/bin/uname') {
+ $distro="TB$1";
+ }
+ close(TURBOLINUX_RELEASE);
+ }
+ else {
+ # We're either on Mac OS X, HP-UX or an unsupported O/S.
+ if ( -x '/usr/bin/uname') {
# uname is in /usr/bin on Mac OS X and HP-UX
- $release=`/usr/bin/uname -sr`;
- }
- else {
- print STDERR "$err Could not determine operating system version!\n";
- $distro="unknown"
- }
-
- # Figure out what kind of system we're on.
- if ($release ne "") {
- if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
- if ($1 == 6 ) {
- $distro = "OSX10.2";
- }
- elsif ($1 == 7) {
- $distro = "OSX10.3";
- }
- elsif ($1 == 8) {
- $distro = "OSX10.3";
- }
- else {
- $distro = "unknown";
- }
+ $release=`/usr/bin/uname -sr`;
+ }
+ else {
+ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
+ $distro="unknown";
+ }
+
+ # Figure out what kind of system we're on.
+ if ($release ne "") {
+ if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
+ if ($1 == 6 ) {
+ $distro = "OSX10.2";
}
- elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
- $distro="$1$2";
+ elsif ($1 == 7) {
+ $distro = "OSX10.3";
}
+ elsif ($1 == 8) {
+ $distro = "OSX10.3";
+ }
else {
- print STDERR "$err Could not determine operating system version!\n";
- $distro="unknown";
+ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
+ $distro = "unknown";
}
}
+ elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
+ $distro="$1$2";
+ }
+ else {
+ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
+ $distro="unknown";
+ }
}
-
- $GLOBAL_OS=$distro;
- } elsif (not (defined $GLOBAL_OS)) {
- print "ERROR: GLOBAL OS Scoping Issue\n";
- } else {
- $distro = $GLOBAL_OS;
}
-
return $distro;
}
###################################################################################
-# &getActualDistro; #
+# &getInferredDistro; #
# #
# This subroutine returns the actual os version in which is running on. This #
# os version is independent of the --os switch feed to bastille. #
# #
###################################################################################
-sub getActualDistro {
- # set local variable to $GLOBAL_OS
+sub getInferredDistro {
+ if ($GLOBAL_INFERRED_OS eq "None") {
+ $GLOBAL_INFERRED_OS = &InferDistro;
+ }
+ return $GLOBAL_INFERRED_OS;
+}
- if ($GLOBAL_ACTUAL_OS eq "None") {
- my $os = $GLOBAL_OS;
- # undef GLOBAL_OS so that the GetDistro routine will return
- # the actualDistro, it might otherwise return the distro set
- # by the --os switch.
- $GLOBAL_OS = "None";
- $GLOBAL_ACTUAL_OS = &GetDistro;
- # reset the GLOBAL_OS variable
- $GLOBAL_OS = $os;
+sub GetDistro {
+ if ($GLOBAL_OS eq "None") {
+ return &getInferredDistro;
}
- return $GLOBAL_ACTUAL_OS;
+ return $GLOBAL_OS;
}
+
# These are helper routines which used to be included inside GetDistro
sub is_OS_supported($) {
my $os=$_[0];
@@ -556,7 +545,8 @@
"SE7.2","SE7.3", "SE8.0","SE8.1","SE9.0","SE9.1",
"SE9.2","SE9.3","SE10.0","SE10.1","SE10.2","SE10.3",
"SESLES8","SESLES9","SESLES10",
- "TB7.0"
+ "TB7.0",
+ "Yocto"
],
"HP-UX" => [
@@ -882,23 +872,19 @@
###########################################################################
sub ConfigureForDistro {
- my $retval=1;
-
- # checking to see if the os version given is in fact supported
my $distro = &GetDistro;
- # checking to see if the actual os version is in fact supported
- my $actualDistro = &getActualDistro;
+ my $inferredDistro = &getInferredDistro;
+
+ if (! ($inferredDistro eq $distro) ) {
+ print STDERR "WARNING: Inferred distro $inferredDistro is not the same as specified distro $distro. Using specified distro.\n";
+ }
+
$ENV{'LOCALE'}=''; # So that test cases checking for english results work ok.
- if ((! &is_OS_supported($distro)) or (! &is_OS_supported($actualDistro)) ) {
- # if either is not supported then print out a list of supported versions
- if (! &is_OS_supported($distro)) {
- print STDERR "$err '$distro' is not a supported operating system.\n";
- }
- else {
- print STDERR "$err Bastille is unable to operate correctly on this\n";
- print STDERR "$spc $distro operating system.\n";
- }
+
+ if (! &is_OS_supported($distro)) {
+ print STDERR "$err '$distro' is not a supported operating system.\n";
+
my %supportedOSHash = &getSupportedOSHash;
print STDERR "$spc Valid operating system versions are as follows:\n";
@@ -930,7 +916,7 @@
# intend via setting the Perl umask
umask(077);
- &getFileAndServiceInfo($distro,$actualDistro);
+ &getFileAndServiceInfo($distro,$distro);
# &dumpFileInfo; # great for debuging file location issues
# &dumpServiceInfo; # great for debuging service information issues
@@ -942,7 +928,7 @@
"$spc You must use Bastille\'s -n flag (for example:\n" .
"$spc bastille -f -n) or \'touch $nodisclaim_file \'\n";
- return $retval;
+ return 1;
}
Index: Bastille/Bastille/LogAPI.pm
===================================================================
--- Bastille.orig/Bastille/LogAPI.pm 2013-08-22 04:32:38.269968002 -0400
+++ Bastille/Bastille/LogAPI.pm 2013-08-22 04:32:47.509968002 -0400
@@ -111,7 +111,7 @@
# do this here to prevent bootstrapping problem, where we need to
# write an error that the errorlog location isn't defined.
my $logdir="/var/log/Bastille";
- if(&getActualDistro =~ "^HP-UX"){
+ if(&getInferredDistro =~ "^HP-UX"){
$logdir = "/var/opt/sec_mgmt/bastille/log/";
}
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/remove_questions_text_file_references.patch
+30
View File
@@ -0,0 +1,30 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/OSMap/LINUX.bastille
===================================================================
--- Bastille.orig/OSMap/LINUX.bastille 2008-01-25 18:31:35.000000000 -0500
+++ Bastille/OSMap/LINUX.bastille 2013-08-22 04:48:32.677968002 -0400
@@ -12,7 +12,6 @@
bfile,InteractiveBastille,'/usr/sbin/InteractiveBastille'
bfile,BastilleBackEnd,'/usr/sbin/BastilleBackEnd'
-bfile,Questions,'/usr/share/Bastille/Questions.txt'
bfile,QuestionsModules,'/usr/share/Bastille/Modules.txt'
bfile,TODO,'/var/log/Bastille/TODO'
bfile,TODOFlag,'/var/log/Bastille/TODOFlag.txt'
Index: Bastille/OSMap/OSX.bastille
===================================================================
--- Bastille.orig/OSMap/OSX.bastille 2007-09-11 18:09:26.000000000 -0400
+++ Bastille/OSMap/OSX.bastille 2013-08-22 04:48:47.245968001 -0400
@@ -10,7 +10,6 @@
bdir,share,'/usr/share/Bastille'
bfile,BastilleBackEnd,'/var/root/Bastille/BastilleBackEnd'
-bfile,Questions,'/usr/share/Bastille/Questions.txt'
bfile,QuestionsModules,'/usr/share/Bastille/Modules.txt'
bfile,TODO,'/var/log/Bastille/TODO'
bfile,TODOFlag,'/var/log/Bastille/TODOFlag.txt'
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/set_required_questions.py
Executable
+157
View File
@@ -0,0 +1,157 @@
#!/usr/bin/env python3
#Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
import argparse, os, shutil, sys, tempfile, traceback
from os import path
def get_config(lines):
"""
From a sequence of lines retrieve the question file name, question identifier
pairs.
"""
for l in lines:
if not l.startswith("#"):
try:
(coord, value) = l.split("=")
try:
(fname, ident) = coord.split(".")
yield fname, ident
except ValueError as e:
raise ValueError("Badly formatted coordinates %s in line %s." % (coord, l.strip()))
except ValueError as e:
raise ValueError("Skipping badly formatted line %s, %s" % (l.strip(), e))
def check_contains(line, name):
"""
Check if the value field for REQUIRE_DISTRO contains the given name.
@param name line The REQUIRE_DISTRO line
@param name name The name to look for in the value field of the line.
"""
try:
(label, distros) = line.split(":")
return name in distros.split()
except ValueError as e:
raise ValueError("Error splitting REQUIRE_DISTRO line: %s" % e)
def add_requires(the_ident, distro, lines):
"""
Yield a sequence of lines the same as lines except that where
the_ident matches a question identifier change the REQUIRE_DISTRO so that
it includes the specified distro.
@param name the_ident The question identifier to be matched.
@param name distro The distribution to added to the questions REQUIRE_DISTRO
field.
@param lines The sequence to be processed.
"""
for l in lines:
yield l
if l.startswith("LABEL:"):
try:
(label, ident) = l.split(":")
if ident.strip() == the_ident:
break
except ValueError as e:
raise ValueError("Unexpected line %s in questions file." % l.strip())
for l in lines:
if l.startswith("REQUIRE_DISTRO"):
if not check_contains(l, distro):
yield l.rstrip() + " " + distro + "\n"
else:
yield l
break;
else:
yield l
for l in lines:
yield l
def xform_file(qfile, distro, qlabel):
"""
Transform a Questions file.
@param name qfile The designated questions file.
@param name distro The distribution to add to the required distributions.
@param name qlabel The question label for which the distro is to be added.
"""
questions_in = open(qfile)
questions_out = tempfile.NamedTemporaryFile(mode="w+", delete=False)
for l in add_requires(qlabel, distro, questions_in):
questions_out.write(l)
questions_out.close()
questions_in.close()
shutil.copystat(qfile, questions_out.name)
os.remove(qfile)
shutil.move(questions_out.name, qfile)
def handle_args(parser):
parser.add_argument('config_file',
help = "Configuration file path.")
parser.add_argument('questions_dir',
help = "Directory containing Questions files.")
parser.add_argument('--distro', '-d',
help = "The distribution, the default is Yocto.",
default = "Yocto")
parser.add_argument('--debug', '-b',
help = "Print debug information.",
action = 'store_true')
return parser.parse_args()
def check_args(args):
args.config_file = os.path.abspath(args.config_file)
args.questions_dir = os.path.abspath(args.questions_dir)
if not os.path.isdir(args.questions_dir):
raise ValueError("Specified Questions directory %s does not exist or is not a directory." % args.questions_dir)
if not os.path.isfile(args.config_file):
raise ValueError("Specified configuration file %s not found." % args.config_file)
def main():
opts = handle_args(argparse.ArgumentParser(description="A simple script that sets required questions based on the question/answer pairs in a configuration file."))
try:
check_args(opts)
except ValueError as e:
if opts.debug:
traceback.print_exc()
else:
sys.exit("Fatal error:\n%s" % e)
try:
config_in = open(opts.config_file)
for qfile, qlabel in get_config(config_in):
questions_file = os.path.join(opts.questions_dir, qfile + ".txt")
xform_file(questions_file, opts.distro, qlabel)
config_in.close()
except IOError as e:
if opts.debug:
traceback.print_exc()
else:
sys.exit("Fatal error reading or writing file:\n%s" % e)
except ValueError as e:
if opts.debug:
traceback.print_exc()
else:
sys.exit("Fatal error:\n%s" % e)
if __name__ == "__main__":
main()
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/simplify_B_place.patch
+40
View File
@@ -0,0 +1,40 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/Bastille/API.pm
===================================================================
--- Bastille.orig/Bastille/API.pm 2013-08-21 08:59:17.939950001 -0400
+++ Bastille/Bastille/API.pm 2013-08-21 08:59:30.983950001 -0400
@@ -1679,24 +1679,22 @@
use File::Copy;
- my $original_source=$source;
$source = &getGlobal('BDIR', "share") . $source;
- my $original_target=$target;
if ( -e $target and -f $target ) {
- &B_backup_file($original_target);
- &B_log("ACTION","About to copy $original_source to $original_target -- had to backup target\n");
+ &B_backup_file($target);
+ &B_log("ACTION","About to copy $source to $target -- had to backup target\n");
$had_to_backup_target=1;
}
$retval=copy($source,$target);
if ($retval) {
- &B_log("ACTION","placed file $original_source as $original_target\n");
+ &B_log("ACTION","placed file $source as $target\n");
#
# We want to add a line to the &getGlobal('BFILE', "created-files") so that the
# file we just put at $original_target gets deleted.
- &B_revert_log(&getGlobal('BIN',"rm") . " $original_target\n");
+ &B_revert_log(&getGlobal('BIN',"rm") . " $target\n");
} else {
- &B_log("ERROR","Failed to place $original_source as $original_target\n");
+ &B_log("ERROR","Failed to place $source as $target\n");
}
# We add the file to the GLOBAL_SUMS hash if it is not already present
meta-security/dynamic-layers/meta-perl/recipes-security/bastille/files/upgrade_options_processing.patch
+91
View File
@@ -0,0 +1,91 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/Bastille/API.pm
===================================================================
--- Bastille.orig/Bastille/API.pm 2013-08-21 11:41:09.235950000 -0400
+++ Bastille/Bastille/API.pm 2013-08-21 11:41:16.183950000 -0400
@@ -271,9 +271,15 @@
# setOptions takes six arguments, $GLOBAL_DEBUG, $GLOBAL_LOGONLY,
# $GLOBAL_VERBOSE, $GLOBAL_AUDITONLY, $GLOBAL_AUDIT_NO_BROWSER, and GLOBAL_OS;
###########################################################################
-sub setOptions($$$$$$) {
- ($GLOBAL_DEBUG,$GLOBAL_LOGONLY,$GLOBAL_VERBOSE,$GLOBAL_AUDITONLY,
- $GLOBAL_AUDIT_NO_BROWSER,$GLOBAL_OS) = @_;
+sub setOptions {
+ my %opts = @_;
+
+ $GLOBAL_DEBUG = $opts{debug};
+ $GLOBAL_LOGONLY = $opts{logonly};
+ $GLOBAL_VERBOSE = $opts{verbose};
+ $GLOBAL_AUDITONLY = $opts{auditonly};
+ $GLOBAL_AUDIT_NO_BROWSER = $opts{audit_no_browser};
+ $GLOBAL_OS = $opts{os};
if ($GLOBAL_AUDIT_NO_BROWSER) {
$GLOBAL_AUDITONLY = 1;
}
Index: Bastille/BastilleBackEnd
===================================================================
--- Bastille.orig/BastilleBackEnd 2013-08-21 11:41:09.235950000 -0400
+++ Bastille/BastilleBackEnd 2013-08-21 12:40:54.055950001 -0400
@@ -50,15 +50,13 @@
my $nodisclaim = 0;
my $verbose = 0;
my $force = 0;
-my $log_only = 0;
my $debug = 0;
my $alternate_config=undef;
if( Getopt::Long::GetOptions( "n" => \$nodisclaim,
"v" => \$verbose,
"force" => \$force,
-# "log" => \$log_only, # broken
- "f:s" => \$alternate_config,
+ "f=s" => \$alternate_config,
"debug" => \$debug) ) {
$error = 0; # no parse error
@@ -66,7 +64,9 @@
$error = 1; # parse error
}
-&setOptions($debug,$log_only,$verbose);
+&setOptions(
+ debug => $debug,
+ verbose => $verbose);
&ConfigureForDistro;
if ( $error ) { # GetOptions couldn't parse all of the args
Index: Bastille/InteractiveBastille
===================================================================
--- Bastille.orig/InteractiveBastille 2013-08-21 11:41:09.235950000 -0400
+++ Bastille/InteractiveBastille 2013-08-21 12:40:30.531950001 -0400
@@ -234,8 +234,8 @@
"a" => \$audit,
"force" => \$force,
"log" => \$log_only,
- "os:s" => \$os_version,
- "f:s" => \$alternate_config,
+ "os=s" => \$os_version,
+ "f=s" => \$alternate_config,
"debug" => \$debug) ) {
$error = 0; # no parse error
} else {
@@ -293,7 +293,13 @@
$UseRequiresRules = 'N';
}
-&setOptions($debug,$log_only,$verbose,$audit,$auditnobrowser,$os_version);
+&setOptions(
+ debug => $debug,
+ logonly => $log_only,
+ verbose => $verbose,
+ auditonly => $audit,
+ audit_no_browser => $auditnobrowser,
+ os => $os_version);
&ConfigureForDistro;
# ensuring mutually exclusive options are exclusive
meta-security/dynamic-layers/meta-perl/recipes-security/nikto/files/location.patch
+36
View File
@@ -0,0 +1,36 @@
From d1cb702d5147abea0d3208a4d554c61a6f2decd6 Mon Sep 17 00:00:00 2001
From: Scott Ellis <scott@jumpnowtek.com>
Date: Fri, 28 Dec 2018 11:08:25 -0500
Subject: [PATCH] Set custom paths
Upstream-Status: Inappropriate
Signed-off-by: Scott Ellis <scott@jumpnowtek.com>
---
nikto.conf | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/program/nikto.conf b/program/nikto.conf
index bf36c58..8c55415 100644
--- a/nikto.conf
+++ b/nikto.conf
@@ -61,11 +61,11 @@ CIRT=107.170.99.251
CHECKMETHODS=HEAD GET
# If you want to specify the location of any of the files, specify them here
-# EXECDIR=/opt/nikto # Location of Nikto
-# PLUGINDIR=/opt/nikto/plugins # Location of plugin dir
-# DBDIR=/opt/nikto/databases # Location of database dir
-# TEMPLATEDIR=/opt/nikto/templates # Location of template dir
-# DOCDIR=/opt/nikto/docs # Location of docs dir
+EXECDIR=/usr/bin/nikto # Location of Nikto
+PLUGINDIR=/etc/nikto/plugins # Location of plugin dir
+DBDIR=/etc/nikto/databases # Location of database dir
+TEMPLATEDIR=/etc/nikto/templates # Location of template dir
+DOCDIR=/usr/share/doc/nikto # Location of docs dir
# Default plugin macros
# Remove plugins designed to be run standalone
--
2.7.4
meta-security/dynamic-layers/meta-perl/recipes-security/nikto/nikto_2.1.6.bb
+118
View File
@@ -0,0 +1,118 @@
SUMMARY = "web server scanner"
DESCRIPTION = "Nikto is an Open Source web server scanner which performs comprehensive tests against web servers"
SECTION = "security"
HOMEPAGE = "https://cirt.net/Nikto2"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79"
SRC_URI = "git://github.com/sullo/nikto.git;branch=master;protocol=https \
file://location.patch"
S = "${WORKDIR}/git/program"
do_install() {
install -d ${D}${bindir}
install -d ${D}${datadir}
install -d ${D}${datadir}/man/man1
install -d ${D}${datadir}/doc/nikto
install -d ${D}${sysconfdir}/nikto
install -d ${D}${sysconfdir}/nikto/databases
install -d ${D}${sysconfdir}/nikto/plugins
install -d ${D}${sysconfdir}/nikto/templates
install -m 0644 databases/db_404_strings ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_content_search ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_dictionary ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_dir_traversal ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_domino ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_drupal ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_embedded ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_favicon ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_headers ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_httpoptions ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_multiple_index ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_outdated ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_parked_strings ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_realms ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_server_msgs ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_tests ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_variables ${D}${sysconfdir}/nikto/databases
install -m 0644 plugins/LW2.pm ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_apache_expect_xss.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_apacheusers.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_auth.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_cgi.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_clientaccesspolicy.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_content_search.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_cookies.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_core.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_dictionary_attack.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_dir_traversal.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_dishwasher.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_docker_registry.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_domino.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_drupal.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_embedded.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_favicon.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_fileops.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_headers.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_httpoptions.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_ms10_070.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_msgs.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_multiple_index.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_negotiate.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_origin_reflection.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_outdated.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_parked.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_paths.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_put_del_test.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_report_csv.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_report_html.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_report_json.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_report_nbe.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_report_sqlg.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_report_text.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_report_xml.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_robots.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_siebel.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_sitefiles.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_ssl.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_strutshock.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_tests.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 templates/htm_close.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_end.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_host_head.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_host_im.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_host_item.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_stop.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_summary.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/xml_end.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/xml_host_head.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/xml_host_im.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/xml_host_item.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/xml_start.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/xml_summary.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 nikto.conf ${D}${sysconfdir}
install -m 0755 nikto.pl ${D}${bindir}/nikto
install -m 0644 replay.pl ${D}${bindir}
install -m 0644 docs/nikto.1 ${D}${datadir}/man/man1
install -m 0644 docs/CHANGES.txt ${D}${datadir}/doc/nikto
install -m 0644 docs/LICENSE.txt ${D}${datadir}/doc/nikto
install -m 0644 docs/nikto.dtd ${D}${datadir}/doc/nikto
install -m 0644 docs/nikto_manual.html ${D}${datadir}/doc/nikto
}
RDEPENDS:${PN} = "perl libnet-ssleay-perl libwhisker2-perl \
perl-module-getopt-long perl-module-time-local \
perl-module-io-socket perl-module-overloading \
perl-module-base perl-module-b perl-module-bytes"
meta-security/dynamic-layers/meta-python/recipes-core/packagegroup/packagegroup-core-security.bbappend
+10
View File
@@ -0,0 +1,10 @@
RDEPENDS:packagegroup-security-utils += "\
python3-privacyidea \
python3-fail2ban \
"
RDEPENDS:packagegroup-meta-security-ptest-packages += "\
python3-fail2ban-ptest \
"
meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/initd
+98
View File
@@ -0,0 +1,98 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: fail2ban
# Required-Start: $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Should-Start: $time $network $syslog iptables firehol shorewall ferm
# Should-Stop: $network $syslog iptables firehol shorewall ferm
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start/Stop fail2ban
# Description: Start/Stop fail2ban, a daemon to ban hosts that cause multiple authentication errors
### END INIT INFO
# Source function library.
. /etc/init.d/functions
# Check that the config file exists
[ -f /etc/fail2ban/fail2ban.conf ] || exit 0
check_privsep_dir() {
# Create the PrivSep empty dir if necessary
if [ ! -d /var/run/fail2ban ]; then
mkdir /var/run/fail2ban
chmod 0755 /var/run/fail2ban
fi
}
FAIL2BAN="/usr/bin/fail2ban-client"
prog=fail2ban-server
lockfile=${LOCKFILE-/var/lock/subsys/fail2ban}
socket=${SOCKET-/var/run/fail2ban/fail2ban.sock}
pidfile=${PIDFILE-/var/run/fail2ban/fail2ban.pid}
RETVAL=0
start() {
echo -n $"Starting fail2ban: "
check_privsep_dir
${FAIL2BAN} -x start > /dev/null
RETVAL=$?
if [ $RETVAL = 0 ]; then
touch ${lockfile}
success
else
failure
fi
echo
return $RETVAL
}
stop() {
echo -n $"Stopping fail2ban: "
${FAIL2BAN} stop > /dev/null
RETVAL=$?
if [ $RETVAL = 0 ]; then
rm -f ${lockfile} ${pidfile}
success
else
failure
fi
echo
return $RETVAL
}
reload() {
echo "Reloading fail2ban: "
${FAIL2BAN} reload
RETVAL=$?
echo
return $RETVAL
}
# See how we were called.
case "$1" in
start)
status -p ${pidfile} ${prog} >/dev/null 2>&1 && exit 0
start
;;
stop)
stop
;;
reload)
reload
;;
restart)
stop
start
;;
status)
status -p ${pidfile} ${prog}
RETVAL=$?
[ $RETVAL = 0 ] && ${FAIL2BAN} status
;;
*)
echo $"Usage: fail2ban {start|stop|restart|reload|status}"
RETVAL=2
esac
exit $RETVAL
meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/files/run-ptest
+3
View File
@@ -0,0 +1,3 @@
#!/bin/sh
##PYTHON## bin/fail2ban-testcases
meta-security/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_1.0.2.bb
+62
View File
@@ -0,0 +1,62 @@
SUMMARY = "Daemon to ban hosts that cause multiple authentication errors."
DESCRIPTION = "Fail2Ban scans log files like /var/log/auth.log and bans IP addresses having too \
many failed login attempts. It does this by updating system firewall rules to reject new \
connections from those IP addresses, for a configurable amount of time. Fail2Ban comes \
out-of-the-box ready to read many standard log files, such as those for sshd and Apache, \
and is easy to configure to read any log file you choose, for any error you choose."
HOMEPAGE = "http://www.fail2ban.org"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
DEPENDS = "python3-native"
SRCREV = "e1d3006b0330e9777705a7baafe3989d442ed120"
SRC_URI = "git://github.com/fail2ban/fail2ban.git;branch=master;protocol=https \
file://initd \
file://run-ptest \
"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)"
inherit update-rc.d ptest setuptools3_legacy
S = "${WORKDIR}/git"
do_compile () {
cd ${S}
#remove symlink to python3
# otherwise 2to3 is run against it
rm -f bin/fail2ban-python
./fail2ban-2to3
}
do_install:append () {
rm -f ${D}/${bindir}/fail2ban-python
install -d ${D}/${sysconfdir}/fail2ban
install -d ${D}/${sysconfdir}/init.d
install -m 0755 ${WORKDIR}/initd ${D}${sysconfdir}/init.d/fail2ban-server
chown -R root:root ${D}/${bindir}
rm -rf ${D}/run
}
do_install_ptest:append () {
install -d ${D}${PTEST_PATH}
install -d ${D}${PTEST_PATH}/bin
sed -i -e 's/##PYTHON##/${PYTHON_PN}/g' ${D}${PTEST_PATH}/run-ptest
install -D ${S}/bin/* ${D}${PTEST_PATH}/bin
rm -f ${D}${PTEST_PATH}/bin/fail2ban-python
}
INITSCRIPT_PACKAGES = "${PN}"
INITSCRIPT_NAME = "fail2ban-server"
INITSCRIPT_PARAMS = "defaults 25"
INSANE_SKIP:${PN}:append = "already-stripped"
RDEPENDS:${PN} = "${VIRTUAL-RUNTIME_base-utils-syslog} iptables sqlite3 python3-core python3-pyinotify"
RDEPENDS:${PN} += " python3-logging python3-fcntl python3-json"
RDEPENDS:${PN}-ptest = "python3-core python3-io python3-modules python3-fail2ban"
meta-security/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.8.1.bb
+38
View File
@@ -0,0 +1,38 @@
SUMMARY = "identity, multifactor authentication (OTP), authorization, audit"
DESCRIPTION = "privacyIDEA is an open solution for strong two-factor authentication like OTP tokens, SMS, smartphones or SSH keys. Using privacyIDEA you can enhance your existing applications like local login (PAM, Windows Credential Provider), VPN, remote access, SSH connections, access to web sites or web portals with a second factor during authentication. Thus boosting the security of your existing applications."
HOMEPAGE = "http://www.privacyidea.org/"
LICENSE = "AGPL-3.0-only"
LIC_FILES_CHKSUM = "file://LICENSE;md5=c0acfa7a8a03b718abee9135bc1a1c55"
PYPI_PACKAGE = "privacyIDEA"
SRC_URI[sha256sum] = "e0dae763575c6300ccaebe6dcc8d3f119cb3e25c11302b1e78a96a12e8ab2b38"
inherit pypi setuptools3
do_install:append () {
rm -fr ${D}${libdir}/${PYTHON_DIR}/site-packages/tests
}
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM:${PN} = "--system privacyidea"
USERADD_PARAM:${PN} = "--system -g privacyidea -o -r -d /opt/${BPN} \
--shell /bin/false privacyidea"
FILES:${PN} += " ${prefix}/etc/privacyidea/* ${prefix}/lib/privacyidea/*"
RDEPENDS:${PN} += " bash perl freeradius-mysql freeradius-utils"
RDEPENDS:${PN} += "python3 python3-alembic python3-babel python3-bcrypt"
RDEPENDS:${PN} += "python3-beautifulsoup4 python3-cbor2 python3-certifi python3-cffi python3-chardet"
RDEPENDS:${PN} += "python3-click python3-configobj python3-croniter python3-cryptography python3-defusedxml"
RDEPENDS:${PN} += "python3-ecdsa python3-flask python3-flask-babel python3-flask-migrate"
RDEPENDS:${PN} += "python3-flask-script python3-flask-sqlalchemy python3-flask-versioned"
RDEPENDS:${PN} += "python3-future python3-httplib2 python3-huey python3-idna python3-ipaddress"
RDEPENDS:${PN} += "python3-itsdangerous python3-jinja2 python3-ldap python3-lxml python3-mako"
RDEPENDS:${PN} += "python3-markupsafe python3-netaddr python3-oauth2client python3-passlib python3-pillow"
RDEPENDS:${PN} += "python3-pyasn1 python3-pyasn1-modules python3-pycparser python3-pyjwt python3-pymysql"
RDEPENDS:${PN} += "python3-pyopenssl python3-pyrad python3-dateutil python3-editor python3-gnupg"
RDEPENDS:${PN} += "python3-pytz python3-pyyaml python3-qrcode python3-redis python3-requests python3-rsa"
RDEPENDS:${PN} += "python3-six python3-smpplib python3-soupsieve python3-soupsieve "
RDEPENDS:${PN} += "python3-sqlalchemy python3-sqlsoup python3-urllib3 python3-werkzeug"
meta-security/dynamic-layers/meta-python/recipes-security/python/python3-oauth2client_4.1.3.bb
+11
View File
@@ -0,0 +1,11 @@
SUMMARY = "Add version info to file paths."
SECTION = "devel/python"
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://LICENSE;md5=038e1390e94fe637991fa5569daa62bc"
PYPI_PACKAGE = "oauth2client"
SRC_URI[sha256sum] = "d486741e451287f69568a4d26d70d9acd73a2bbfa275746c535b4209891cccc6"
inherit pypi setuptools3
RDEPENDS:${PN} = "python3-six python3-rsa python3-httplib2 python3-pyasn1 python3-pyasn1-modules"
meta-security/dynamic-layers/networking-layer/recipes-core/packagegroup/packagegroup-core-security.bbappend
+4
View File
@@ -0,0 +1,4 @@
RDEPENDS:packagegroup-security-utils += "\
${@bb.utils.contains("DISTRO_FEATURES", "pam", "sssd", "",d)} \
"
meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/drop_ntpdate_chk.patch
+28
View File
@@ -0,0 +1,28 @@
nsupdate path is needed for various exec call
but don't run natvie tests on it.
Upstream-Status: Inappropriate [OE specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: sssd-2.5.0/src/external/nsupdate.m4
===================================================================
--- sssd-2.5.0.orig/src/external/nsupdate.m4
+++ sssd-2.5.0/src/external/nsupdate.m4
@@ -3,16 +3,4 @@ AC_MSG_CHECKING(for executable nsupdate)
if test -x "$NSUPDATE"; then
AC_DEFINE_UNQUOTED([NSUPDATE_PATH], ["$NSUPDATE"], [The path to nsupdate])
AC_MSG_RESULT(yes)
-
- AC_MSG_CHECKING(for nsupdate 'realm' support')
- if AC_RUN_LOG([echo realm |$NSUPDATE >&2]); then
- AC_MSG_RESULT([yes])
- else
- AC_MSG_RESULT([no])
- AC_MSG_ERROR([nsupdate does not support 'realm'])
- fi
-
-else
- AC_MSG_RESULT([no])
- AC_MSG_ERROR([nsupdate is not available])
fi
meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/fix-ldblibdir.patch
+25
View File
@@ -0,0 +1,25 @@
When calculate value of ldblibdir, it checks whether the directory of
$ldblibdir exists. If not, it assigns ldblibdir with ${libdir}/ldb. It is not
suitable for cross compile. Fix it that only re-assign ldblibdir when its value
is empty.
Upstream-Status: Inappropriate [cross compile specific]
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
src/external/libldb.m4 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/external/libldb.m4 b/src/external/libldb.m4
index c400add..5e5f06d 100644
--- a/src/external/libldb.m4
+++ b/src/external/libldb.m4
@@ -19,7 +19,7 @@ if test x"$with_ldb_lib_dir" != x; then
ldblibdir=$with_ldb_lib_dir
else
ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`"
- if ! test -d $ldblibdir; then
+ if test -z $ldblibdir; then
ldblibdir="${libdir}/ldb"
fi
fi
meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/fix_gid.patch
+27
View File
@@ -0,0 +1,27 @@
from ../sssd-2.5.0/src/util/sss_pam_data.c:27:
| ../sssd-2.5.0/src/util/debug.h:88:44: error: unknown type name 'uid_t'; did you mean 'uint_t'?
| 88 | int chown_debug_file(const char *filename, uid_t uid, gid_t gid);
| | ^~~~~
| | uint_t
| ../sssd-2.5.0/src/util/debug.h:88:55: error: unknown type name 'gid_t'
| 88 | int chown_debug_file(const char *filename, uid_t uid, gid_t gid);
| | ^~~~~
| make[2]: *** [Makefile:22529: src/util/libsss_iface_la-sss_pam_data.lo] Error 1
| make[2]: *** Waiting for unfinished jobs....
Upstream-Status: Pending
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: sssd-2.7.1/src/util/debug.h
===================================================================
--- sssd-2.7.1.orig/src/util/debug.h
+++ sssd-2.7.1/src/util/debug.h
@@ -24,6 +24,8 @@
#include "config.h"
#include <stdio.h>
+#include <unistd.h>
+#include <sys/types.h>
#include <stdbool.h>
#include <sys/types.h>
meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/musl_fixup.patch
+53
View File
@@ -0,0 +1,53 @@
fix musl build failures
Missing _PATH_HOSTS and some NETDB defines when musl is enabled.
These are work arounds for now while we figure out where the real fix should reside (musl, gcompact, sssd):
./sssd-2.5.1/src/providers/fail_over.c:1199:19: error: '_PATH_HOSTS' undeclared (first use in this function)
| 1199 | _PATH_HOSTS);
| | ^~~~~~~~~~~
and
i./sssd-2.5.1/src/sss_client/nss_ipnetworks.c:415:21: error: 'NETDB_INTERNAL' undeclared (first use in this function)
| 415 | *h_errnop = NETDB_INTERNAL;
Upstream-Status: Pending
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: sssd-2.5.1/src/providers/fail_over.c
===================================================================
--- sssd-2.5.1.orig/src/providers/fail_over.c
+++ sssd-2.5.1/src/providers/fail_over.c
@@ -31,6 +31,10 @@
#include <talloc.h>
#include <netdb.h>
+#if !defined(_PATH_HOSTS)
+#define _PATH_HOSTS "/etc/hosts"
+#endif
+
#include "util/dlinklist.h"
#include "util/refcount.h"
#include "util/util.h"
Index: sssd-2.5.1/src/sss_client/sss_cli.h
===================================================================
--- sssd-2.5.1.orig/src/sss_client/sss_cli.h
+++ sssd-2.5.1/src/sss_client/sss_cli.h
@@ -44,6 +44,14 @@ typedef int errno_t;
#define EOK 0
#endif
+#ifndef NETDB_INTERNAL
+# define NETDB_INTERNAL (-1)
+#endif
+
+#ifndef NETDB_SUCCESS
+# define NETDB_SUCCESS (0)
+#endif
+
#define SSS_NSS_PROTOCOL_VERSION 1
#define SSS_PAM_PROTOCOL_VERSION 3
#define SSS_SUDO_PROTOCOL_VERSION 1
meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/no_gen.patch
+19
View File
@@ -0,0 +1,19 @@
don't run generate-sbus-code
Upstream-Status: Inappropriate [OE Specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: sssd-2.7.1/Makefile.am
===================================================================
--- sssd-2.7.1.orig/Makefile.am
+++ sssd-2.7.1/Makefile.am
@@ -1023,8 +1023,6 @@ generate-sbus-code:
.PHONY: generate-sbus-code
-BUILT_SOURCES += generate-sbus-code
-
EXTRA_DIST += \
sbus_generate.sh.in \
src/sbus/codegen/dbus.xml \
meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/sssd.conf
+15
View File
@@ -0,0 +1,15 @@
[sssd]
services = nss, pam
domains = shadowutils
[nss]
[pam]
[domain/shadowutils]
id_provider = files
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
proxy_fast_alias = True
meta-security/dynamic-layers/networking-layer/recipes-security/sssd/files/volatiles.99_sssd
+1
View File
@@ -0,0 +1 @@
d root root 0750 /var/log/sssd none
meta-security/dynamic-layers/networking-layer/recipes-security/sssd/sssd_2.7.4.bb
+157
View File
@@ -0,0 +1,157 @@
SUMMARY = "system security services daemon"
DESCRIPTION = "SSSD is a system security services daemon"
HOMEPAGE = "https://pagure.io/SSSD/sssd/"
SECTION = "base"
LICENSE = "GPL-3.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
DEPENDS = "acl attr cyrus-sasl libtdb ding-libs libpam c-ares krb5 autoconf-archive"
DEPENDS:append = " libldb dbus libtalloc libpcre2 glib-2.0 popt e2fsprogs libtevent"
DEPENDS:append = " openldap bind p11-kit jansson softhsm openssl libunistring"
DEPENDS:append:libc-musl = " musl-nscd"
# If no crypto has been selected, default to DEPEND on nss, since that's what
# sssd will pick if no active choice is made during configure
DEPENDS += "${@bb.utils.contains('PACKAGECONFIG', 'nss', '', \
bb.utils.contains('PACKAGECONFIG', 'crypto', '', 'nss', d), d)}"
SRC_URI = "https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.gz \
file://sssd.conf \
file://volatiles.99_sssd \
file://no_gen.patch \
file://fix_gid.patch \
file://drop_ntpdate_chk.patch \
file://fix-ldblibdir.patch \
file://musl_fixup.patch \
"
SRC_URI[sha256sum] = "10ef90c63fdbfda905145077679035bd5ad16b24daad13160de8d0ff82ea9950"
UPSTREAM_CHECK_URI = "https://github.com/SSSD/${BPN}/releases"
inherit autotools pkgconfig gettext python3-dir features_check systemd
REQUIRED_DISTRO_FEATURES = "pam"
SSSD_UID ?= "root"
SSSD_GID ?= "root"
CACHED_CONFIGUREVARS = "ac_cv_member_struct_ldap_conncb_lc_arg=no \
ac_cv_prog_HAVE_PYTHON3=${PYTHON_DIR} \
"
PACKAGECONFIG ?="nss autofs sudo infopipe"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
PACKAGECONFIG[autofs] = "--with-autofs, --with-autofs=no"
PACKAGECONFIG[crypto] = ", , libcrypto"
PACKAGECONFIG[curl] = "--with-kcm, --without-kcm, curl jansson"
PACKAGECONFIG[infopipe] = "--with-infopipe, --with-infopipe=no, "
PACKAGECONFIG[manpages] = "--with-manpages, --with-manpages=no, libxslt-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
PACKAGECONFIG[nl] = "--with-libnl, --with-libnl=no, libnl"
PACKAGECONFIG[nss] = ", ,nss,"
PACKAGECONFIG[oidc_child] = "--with-oidc-child, --without-oidc-child"
PACKAGECONFIG[python3] = "--with-python3-bindings, --without-python3-bindings"
PACKAGECONFIG[samba] = "--with-samba, --with-samba=no, samba"
PACKAGECONFIG[selinux] = "--with-selinux, --with-selinux=no --with-semanage=no, libselinux"
PACKAGECONFIG[ssh] = "--with-ssh, --with-ssh=no, "
PACKAGECONFIG[sudo] = "--with-sudo, --with-sudo=no, "
PACKAGECONFIG[systemd] = "--with-initscript=systemd,--with-initscript=sysv"
EXTRA_OECONF += " \
--disable-cifs-idmap-plugin \
--without-nfsv4-idmapd-plugin \
--without-ipa-getkeytab \
--without-python2-bindings \
--enable-pammoddir=${base_libdir}/security \
--without-python2-bindings \
--with-xml-catalog-path=${STAGING_ETCDIR_NATIVE}/xml/catalog \
--with-pid-path=/run \
"
do_configure:prepend() {
mkdir -p ${AUTOTOOLS_AUXDIR}/build
cp ${STAGING_DATADIR_NATIVE}/gettext/config.rpath ${AUTOTOOLS_AUXDIR}/build/
# additional_libdir defaults to /usr/lib so replace with staging_libdir globally
sed -i -e "s#\$additional_libdir#\${STAGING_LIBDIR}#" ${S}/src/build_macros.m4
}
do_compile:prepend () {
echo '#define NSUPDATE_PATH "${bindir}"' >> ${B}/config.h
}
do_install () {
oe_runmake install DESTDIR="${D}"
rmdir --ignore-fail-on-non-empty "${D}/${bindir}"
install -d ${D}/${sysconfdir}/${BPN}
install -d ${D}/${PYTHON_SITEPACKAGES_DIR}
mv ${D}/${BPN} ${D}/${PYTHON_SITEPACKAGES_DIR}
install -m 600 ${WORKDIR}/${BPN}.conf ${D}/${sysconfdir}/${BPN}
# /var/log/sssd needs to be created in runtime. Use rmdir to catch if
# upstream stops creating /var/log/sssd, or adds something else in
# /var/log.
rmdir ${D}${localstatedir}/log/${BPN} ${D}${localstatedir}/log
rmdir --ignore-fail-on-non-empty ${D}${localstatedir}
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
install -d ${D}${sysconfdir}/tmpfiles.d
echo "d /var/log/sssd 0750 - - - -" > ${D}${sysconfdir}/tmpfiles.d/sss.conf
fi
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
install -d ${D}${sysconfdir}/default/volatiles
echo "d ${SSSD_UID}:${SSSD_GID} 0755 ${localstatedir}/log/${BPN} none" > ${D}${sysconfdir}/default/volatiles/99_${BPN}
fi
# Remove /run as it is created on startup
rm -rf ${D}/run
# rm -fr ${D}/sssd
rm -f ${D}${systemd_system_unitdir}/sssd-secrets.*
}
pkg_postinst_ontarget:${PN} () {
if [ -e /etc/init.d/populate-volatile.sh ] ; then
${sysconfdir}/init.d/populate-volatile.sh update
fi
chown ${SSSD_UID}:${SSSD_GID} ${sysconfdir}/${BPN}/${BPN}.conf
}
CONFFILES:${PN} = "${sysconfdir}/${BPN}/${BPN}.conf"
INITSCRIPT_NAME = "sssd"
INITSCRIPT_PARAMS = "start 02 5 3 2 . stop 20 0 1 6 ."
SYSTEMD_SERVICE:${PN} = " \
${@bb.utils.contains('PACKAGECONFIG', 'autofs', 'sssd-autofs.service sssd-autofs.socket', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'curl', 'sssd-kcm.service sssd-kcm.socket', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'infopipe', 'sssd-ifp.service ', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'ssh', 'sssd-ssh.service sssd-ssh.socket', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'sudo', 'sssd-sudo.service sssd-sudo.socket', '', d)} \
sssd-nss.service \
sssd-nss.socket \
sssd-pam-priv.socket \
sssd-pam.service \
sssd-pam.socket \
sssd.service \
"
SYSTEMD_AUTO_ENABLE = "disable"
PACKAGES =+ "libsss-sudo"
ALLOW_EMPTY:libsss-sudo = "1"
FILES:${PN} += "${base_libdir}/security/pam_sss*.so \
${nonarch_libdir}/tmpfiles.d \
${datadir}/dbus-1/system-services/*.service \
${libdir}/krb5/* \
${libdir}/ldb/* \
${PYTHON_SITEPACKAGES_DIR}/sssd \
"
FILES:libsss-sudo = "${libdir}/libsss_sudo.so"
RDEPENDS:${PN} = "bind bind-utils dbus libldb libpam libsss-sudo"