Initial commit

Your Name
2026-04-23 17:07:55 +08:00
commit b7e39e063b
16725 changed files with 1625565 additions and 0 deletions
@@ -0,0 +1,18 @@
PACKAGES += "\
packagegroup-security-hardening \
"
RDEPENDS:packagegroup-core-security += "\
packagegroup-security-hardening \
"
SUMMARY:packagegroup-security-hardening = "Security Hardening tools"
RDEPENDS:packagegroup-security-hardening = " \
bastille \
"
RDEPENDS:packagegroup-security-scanners += "\
nikto \
checksecurity \
"
@@ -0,0 +1,29 @@
SUMMARY = "basic system security checks"
DESCRIPTION = "checksecurity is a simple package which will scan your system for several simple security holes."
SECTION = "security"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}+nmu1.tar.gz \
file://check-setuid-use-more-portable-find-args.patch \
"
SRC_URI[sha256sum] = "9803b3760e9ec48e06ebaf48cec081db48c6fe72254a476224e4c5c55ed97fb0"
S = "${WORKDIR}/checksecurity-${PV}+nmu1"
# allow for anylocal, no need to patch
LOGDIR="/etc/checksecurity"
do_compile() {
sed -i -e "s;LOGDIR=/var/log/setuid;LOGDIR=${LOGDIR};g" ${B}/etc/check-setuid.conf
sed -i -e "s;LOGDIR=/var/log/setuid;LOGDIR=${LOGDIR};g" ${B}/plugins/check-setuid
sed -i -e "s;LOGDIR:=/var/log/setuid;LOGDIR:=${LOGDIR};g" ${B}/plugins/check-setuid
}
do_install() {
oe_runmake PREFIX=${D}
}
RDEPENDS:${PN} = "perl libenv-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob perl-module-carp perl-module-env perl-module-tap-parser-iterator-array util-linux findutils coreutils"
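Review bot: `LOGDIR="/etc/checksecurity"` relocates check-setuid's working directory from `/var/log/setuid` into `/etc`, and the comment above it ("allow for anylocal, no need to patch") does not say why. The three `sed` lines in do_compile rewrite both the config file and the plugin, so whatever check-setuid records between runs will presumably land under `/etc`, which may not be writable on a read-only root filesystem. I would replace the comment with one that states the intent, e.g. `# check-setuid keeps its results in LOGDIR; moved from /var/log/setuid to /etc/checksecurity because <reason>`. If persistence across reboots is the goal, say so, since that is what makes a setuid comparison against an earlier run meaningful.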
@@ -0,0 +1,24 @@
From f3073b8e06a607677d47ad9a19533b2e33408a4f Mon Sep 17 00:00:00 2001
From: Christopher Larson <chris_larson@mentor.com>
Date: Wed, 5 Sep 2018 23:21:43 +0500
Subject: [PATCH] check-setuid: use more portable find args
Upstream-Status: Pending
Signed-off-by: Christopher Larson <chris_larson@mentor.com>
---
plugins/check-setuid | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Index: checksecurity-2.0.16+nmu1/plugins/check-setuid
===================================================================
--- checksecurity-2.0.16+nmu1.orig/plugins/check-setuid
+++ checksecurity-2.0.16+nmu1/plugins/check-setuid
@@ -100,7 +100,7 @@ ionice -t -c3 \
find `mount | grep -vE "$CHECKSECURITY_FILTER" | cut -d ' ' -f 3` \
-ignore_readdir_race \
-xdev $PATHCHK \
- \( -type f -perm /06000 -o \( \( -type b -o -type c \) \
+ \( -type f \( -perm -4000 -o -perm -2000 \) -o \( \( -type b -o -type c \) \
$DEVCHK \) \) \
-printf "%8i %5m %3n %-10u %-10g %9s %t %h/%f\n" |
sort -k 12 >$TMPSETUID
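Review bot: The patch header has a subject but no body, so the reason for replacing `-perm /06000` with `\( -perm -4000 -o -perm -2000 \)` is not recorded, and the patch is marked `Upstream-Status: Pending`. Both forms select files with the setuid or the setgid bit set, so the audit's coverage should be unchanged. A sentence in the header saying this would help the next reviewer, for example "`-perm /mode` is not accepted by every find implementation; the two `-perm -mode` tests match the same files." The same `find` command still uses `-ignore_readdir_race` and `-printf`, so the header should also say which find implementation the patch targets. The find invocation starts and ends outside this hunk.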
@@ -0,0 +1,166 @@
#The functionality of Bastille that is actually available is restricted. Please
#consult the README file for the meta-security layer for additional information.
SUMMARY = "Linux hardening tool"
DESCRIPTION = "Bastille Linux is a Hardening and Reporting/Auditing Program which enhances the security of a Linux box, by configuring daemons, system settings and firewalling."
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b"
# Bash is needed for set +o privileged (check busybox), might also need ncurses
DEPENDS = "virtual/kernel"
RDEPENDS:${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd libcurses-perl coreutils"
FILES:${PN} += "/run/lock/subsys/bastille"
SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \
file://AccountPermission.pm \
file://FileContent.pm \
file://HPSpecific.pm \
file://Miscellaneous.pm \
file://ServiceAdmin.pm \
file://config \
file://fix_version_parse.patch \
file://fixed_defined_warnings.patch \
file://call_output_config.patch \
file://fix_missing_use_directives.patch \
file://fix_number_of_modules.patch \
file://remove_questions_text_file_references.patch \
file://simplify_B_place.patch \
file://find_existing_config.patch \
file://upgrade_options_processing.patch \
file://accept_os_flag_in_backend.patch \
file://allow_os_with_assess.patch \
file://edit_usage_message.patch \
file://organize_distro_discovery.patch \
file://do_not_apply_config.patch \
"
SRC_URI[md5sum] = "df803f7e38085aa5da79f85d0539f91b"
SRC_URI[sha256sum] = "0ea25191b1dc1c8f91e1b6f8cb5436a3aa1e57418809ef902293448efed5021a"
S = "${WORKDIR}/Bastille"
do_install () {
install -d ${D}${sbindir}
install -d ${D}${libdir}/perl5/site_perl/Curses
install -d ${D}${libdir}/Bastille
install -d ${D}${libdir}/Bastille/API
install -d ${D}${datadir}/Bastille
install -d ${D}${datadir}/Bastille/OSMap
install -d ${D}${datadir}/Bastille/OSMap/Modules
install -d ${D}${datadir}/Bastille/Questions
install -d ${D}${datadir}/Bastille/FKL/configs/
install -d ${D}${sysconfdir}/Bastille
install -m 0755 AutomatedBastille ${D}${sbindir}
install -m 0755 BastilleBackEnd ${D}${sbindir}
install -m 0755 InteractiveBastille ${D}${sbindir}
install -m 0644 Modules.txt ${D}${datadir}/Bastille
# New Weights file(s).
install -m 0644 Weights.txt ${D}${datadir}/Bastille
# Castle graphic
install -m 0644 bastille.jpg ${D}${datadir}/Bastille/
# Javascript file
install -m 0644 wz_tooltip.js ${D}${datadir}/Bastille/
install -m 0644 Credits ${D}${datadir}/Bastille
install -m 0644 FKL/configs/fkl_config_redhat.cfg ${D}${datadir}/Bastille/FKL/configs/
install -m 0755 RevertBastille ${D}${sbindir}
install -m 0755 bin/bastille ${D}${sbindir}
install -m 0644 bastille-firewall ${D}${datadir}/Bastille
install -m 0644 bastille-firewall-reset ${D}${datadir}/Bastille
install -m 0644 bastille-firewall-schedule ${D}${datadir}/Bastille
install -m 0644 bastille-tmpdir-defense.sh ${D}${datadir}/Bastille
install -m 0644 bastille-tmpdir.csh ${D}${datadir}/Bastille
install -m 0644 bastille-tmpdir.sh ${D}${datadir}/Bastille
install -m 0644 bastille-firewall.cfg ${D}${datadir}/Bastille
install -m 0644 bastille-ipchains ${D}${datadir}/Bastille
install -m 0644 bastille-netfilter ${D}${datadir}/Bastille
install -m 0644 bastille-firewall-early.sh ${D}${datadir}/Bastille
install -m 0644 bastille-firewall-pre-audit.sh ${D}${datadir}/Bastille
install -m 0644 complete.xbm ${D}${datadir}/Bastille
install -m 0644 incomplete.xbm ${D}${datadir}/Bastille
install -m 0644 disabled.xpm ${D}${datadir}/Bastille
install -m 0644 ifup-local ${D}${datadir}/Bastille
install -m 0644 hosts.allow ${D}${datadir}/Bastille
install -m 0644 Bastille/AccountSecurity.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Apache.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/API.pm ${D}${libdir}/Bastille
install -m 0644 ${WORKDIR}/AccountPermission.pm ${D}${libdir}/Bastille/API
install -m 0644 ${WORKDIR}/FileContent.pm ${D}${libdir}/Bastille/API
install -m 0644 ${WORKDIR}/HPSpecific.pm ${D}${libdir}/Bastille/API
install -m 0644 ${WORKDIR}/ServiceAdmin.pm ${D}${libdir}/Bastille/API
install -m 0644 ${WORKDIR}/Miscellaneous.pm ${D}${libdir}/Bastille/API
install -m 0644 Bastille/BootSecurity.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/ConfigureMiscPAM.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/DisableUserTools.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/DNS.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/FilePermissions.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/FTP.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Firewall.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/OSX_API.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/LogAPI.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/HP_UX.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/IOLoader.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Patches.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Logging.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/MiscellaneousDaemons.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/PatchDownload.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Printing.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/PSAD.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/RemoteAccess.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/SecureInetd.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Sendmail.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/TestDriver.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/TMPDIR.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_AccountSecurity.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Apache.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_DNS.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_FTP.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_HP_UX.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_MiscellaneousDaemons.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Patches.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_SecureInetd.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Sendmail.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_BootSecurity.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_DisableUserTools.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_FilePermissions.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Logging.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Printing.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/IPFilter.pm ${D}${libdir}/Bastille
install -m 0644 Bastille_Curses.pm ${D}${libdir}/perl5/site_perl
install -m 0644 Bastille_Tk.pm ${D}${libdir}/perl5/site_perl
install -m 0644 Curses/Widgets.pm ${D}${libdir}/perl5/site_perl/Curses
install -m 0644 OSMap/LINUX.bastille ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/LINUX.system ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/LINUX.service ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/HP-UX.bastille ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/HP-UX.system ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/HP-UX.service ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/OSX.bastille ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/OSX.system ${D}${datadir}/Bastille/OSMap
install -m 0777 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config
for file in `cat Modules.txt` ; do
install -m 0644 Questions/$file.txt ${D}${datadir}/Bastille/Questions
done
${THISDIR}/files/set_required_questions.py ${D}${sysconfdir}/Bastille/config ${D}${datadir}/Bastille/Questions
ln -s RevertBastille ${D}${sbindir}/UndoBastille
# Create /var/log/Bastille in runtime.
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)}" ]; then
install -d ${D}${nonarch_libdir}/tmpfiles.d
echo "d ${localstatedir}/log/Bastille - - - -" > ${D}${nonarch_libdir}/tmpfiles.d/Bastille.conf
fi
if [ "${@bb.utils.filter('DISTRO_FEATURES', 'sysvinit', d)}" ]; then
install -d ${D}${sysconfdir}/default/volatiles
echo "d root root 0755 ${localstatedir}/log/Bastille none" > ${D}${sysconfdir}/default/volatiles/99_Bastille
fi
}
FILES:${PN} += "${datadir}/Bastille \
${libdir}/Bastille \
${libdir}/perl* \
${sysconfdir}/* \
${nonarch_libdir}/tmpfiles.d"
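Review bot: `install -m 0777 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config` in do_install ships the Bastille configuration world-writable and executable. Bastille refuses to run unless it is root (see PrepareToRun in Miscellaneous.pm), and it presumably reads this file to decide what to change, so any local account could influence a root-run hardening pass. Install it as `install -m 0644 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config` (or `0600` if nothing but root needs to read it). Separately, `${THISDIR}/files/set_required_questions.py` is executed from the layer directory without being listed in `SRC_URI`, so edits to that script are likely not tracked by the fetch/unpack steps; adding it to `SRC_URI` and running it from `${WORKDIR}` would match how the `.pm` files are handled.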
@@ -0,0 +1,166 @@
package Bastille::API::Miscellaneous;
use strict;
use File::Path;
use Bastille::API;
use Bastille::API::HPSpecific;
use Bastille::API::FileContent;
require Exporter;
our @ISA = qw(Exporter);
our @EXPORT_OK = qw(
PrepareToRun
B_is_package_installed
);
our @EXPORT = @EXPORT_OK;
###########################################################################
#
# PrepareToRun sets up Bastille to run. It checks the ARGV array for
# special options and runs ConfigureForDistro to set necessary file
# locations and other global variables.
#
###########################################################################
sub PrepareToRun {
# Make sure we're root!
if ( $> != 0 ) {
&B_log("ERROR","Bastille must run as root!\n");
exit(1);
}
# Make any directories that don't exist...
foreach my $dir (keys %GLOBAL_BDIR) {
my $BdirPath = $GLOBAL_BDIR{$dir};
if ( $BdirPath =~ /^\s*\// ) { #Don't make relative directories
mkpath ($BdirPath,0,0700);
}
}
if(&GetDistro =~ "^HP-UX") {
&B_check_system;
}
&B_log("ACTION","\n########################################################\n" .
"# Begin Bastille Run #\n" .
"########################################################\n\n");
#read sum file if it exists.
&B_read_sums;
# No longer necessary as flags are no longer in sum file, and sums are
# are now checked "real time"
# check the integrity of the files listed
# for my $file (sort keys %GLOBAL_SUM) {
# &B_check_sum($file);
# }
# write out the newly flagged sums
# &B_write_sums;
}
###########################################################################
# &B_is_package_installed($package);
#
# This function checks for the existence of the package named.
#
# TODO: Allow $package to be an expression.
# TODO: Allow optional $version, $release, $epoch arguments so we can
# make sure that the given package is at least as recent as some
# given version number.
#
# scalar return values:
# 0: $package is not installed
# 1: $package is installed
###########################################################################
sub B_is_package_installed($) {
no strict;
my $package = $_[0];
# Create a "global" variable with values scoped to this function
# We do this to avoid having to repeatedly swlist/rpm
# when we run B_is_package_installed
local %INSTALLED_PACKAGE_LIST;
my $distro = &GetDistro;
if ($distro =~ /^HP-UX/) {
if (&checkProcsForService('swagent','ignore_warning') == SECURE_CANT_CHANGE()) {
&B_log("WARNING","Software Distributor Agent(swagent) is not running. Can not tell ".
"if package: $package is installed or not. Bastille will assume not. ".
"If the package is actually installed, Bastille may report or configure incorrectly.".
"To use Bastille-results as-is, please check to ensure $package is not installed, ".
"or re-run with the swagent running to get correct results.");
return 0; #FALSE
}
my $swlist=&getGlobal('BIN','swlist');
if (%INSTALLED_PACKAGE_LIST == () ) { # re-use prior results
if (open(SWLIST, "$swlist -a state -l fileset |")) {
while (my $line = <SWLIST>){
if ($line =~ /^ {2}\S+\.(\S+)\s*(\w+)/) {
$INSTALLED_PACKAGE_LIST{$1} = $2;
}
}
close SWLIST;
} else {
&B_log("ERROR","B_is_package_installed was unable to run the swlist command: $swlist,\n");
return FALSE;
}
}
# Now find the entry
if ($INSTALLED_PACKAGE_LIST{$package} == 'configured') {
return TRUE;
} else {
return FALSE;
}
} #End HP-UX Section
# This routine only works on RPM-based distros: Red Hat, Fedora, Mandrake and SuSE
elsif ( ($distro !~ /^RH/) and ($distro !~ /^MN/) and($distro !~ /^SE/) ) {
return 0;
} else { #This is a RPM-based distro
# Run an rpm command -- librpm is extremely messy, dynamic and not
# so much a perl thing. It's actually barely a C/C++ thing...
if (open RPM,"rpm -q $package") {
# We should get only one line back, but let's parse a few
# just in case.
my @lines = <RPM>;
close RPM;
#
# This is what we're trying to parse:
# $ rpm -q jay
# package jay is not installed
# $ rpm -q bash
# bash-2.05b-305.1
#
foreach $line (@lines) {
if ($line =~ /^package\s$package\sis\snot\sinstalled/) {
return 0;
}
elsif ($line =~ /^$package\-/) {
return 1;
}
}
# If we've read every line without finding one of these, then
# our parsing is broken
&B_log("ERROR","B_is_package_installed was unable to find a definitive RPM present or not present line.\n");
return 0;
} else {
&B_log("ERROR","B_is_package_installed was unable to run the RPM command,\n");
return 0;
}
}
}
1;
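Review bot: In B_is_package_installed, `open RPM,"rpm -q $package"` has no trailing `|`, so Perl tries to open a file with that literal name instead of running rpm. On the RPM-based branch the call would then fail, log "unable to run the RPM command" and return 0 for every package. The list-form pipe open, `if (open RPM, '-|', 'rpm', '-q', $package) {`, runs the command and also keeps `$package` from being interpreted by a shell. In the HP-UX branch, `$INSTALLED_PACKAGE_LIST{$package} == 'configured'` is a numeric comparison, so a missing or non-numeric state compares equal and the package is reported as installed; the string test is `eq 'configured'`. The regexes at the end interpolate `$package` unescaped, so `\Q$package\E` would keep names containing `+` or `.` from being treated as pattern syntax.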
@@ -0,0 +1,690 @@
package Bastille::API::ServiceAdmin;
use strict;
use Bastille::API;
use Bastille::API::HPSpecific;
use Bastille::API::FileContent;
require Exporter;
our @ISA = qw(Exporter);
our @EXPORT_OK = qw(
B_chkconfig_on
B_chkconfig_off
B_service_start
B_service_stop
B_service_restart
B_is_service_off
checkServiceOnLinux
remoteServiceCheck
remoteNISPlusServiceCheck
B_create_nsswitch_file
);
our @EXPORT = @EXPORT_OK;
#######
# &B_chkconfig_on and &B_chkconfig_off() are great for systems that didn't use
# a more modern init system. This is a bit of a problem on Fedora, though,
# which used upstart from Fedora 9 to Fedora 14, then switched to a new
# Red Hat-created system called systemd for Fedora 15 and 16 (so far).
# OpenSUSE also moved to systemd, starting with 12.1. Version 11.4 did not
# use systemd.
# It is also a problem on Ubuntu, starting at version 6.10, where they also
# used upstart.
#####
###########################################################################
# &B_chkconfig_on ($daemon_name) creates the symbolic links that are
# named in the "# chkconfig: ___ _ _ " portion of the init.d files. We
# need this utility, in place of the distro's chkconfig, because of both
# our need to add revert functionality and our need to harden distros that
# are not mounted on /.
#
# It uses the following global variables to find the links and the init
# scripts, respectively:
#
# &getGlobal('DIR', "rcd") -- directory where the rc_.d subdirs can be found
# &getGlobal('DIR', "initd") -- directory the rc_.d directories link to
#
# Here an example of where you might use this:
#
# You'd like to tell the system to run the firewall at boot:
# B_chkconfig_on("bastille-firewall")
#
###########################################################################
# PW: Blech. Copied B_chkconfig_off() and changed a few things,
# then changed a few more things....
sub B_chkconfig_on {
my $startup_script=$_[0];
my $retval=1;
my $chkconfig_line;
my ($runlevelinfo,@runlevels);
my ($start_order,$stop_order,$filetolink);
&B_log("ACTION","# chkconfig_on enabling $startup_script\n");
# In Debian system there is no chkconfig script, run levels are checked
# one by one (jfs)
if (&GetDistro =~/^DB.*/) {
$filetolink = &getGlobal('DIR', "initd") . "/$startup_script";
if (-x $filetolink)
{
foreach my $level ("0","1","2","3","4","5","6" ) {
my $link = '';
$link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K50" . "$startup_script";
$retval=symlink($filetolink,$link);
}
}
return $retval;
}
#
# On SUSE, chkconfig-based rc scripts have been replaced with a whole different
# system. chkconfig on SUSE is actually a shell script that does some stuff and then
# calls insserv, their replacement.
#
if (&GetDistro =~ /^SE/) {
# only try to chkconfig on if init script is found
if ( -e (&getGlobal('DIR', "initd") . "/$startup_script") ) {
$chkconfig_line=&getGlobal('BIN','chkconfig');
&B_System("$chkconfig_line $startup_script on", "$chkconfig_line $startup_script off");
# chkconfig doesn't take affect until reboot, need to restart service also
B_service_restart("$startup_script");
return 1; #success
}
return 0; #failure
}
#
# Run through the init script looking for the chkconfig line...
#
$retval = open CHKCONFIG,&getGlobal('DIR', "initd") . "/$startup_script";
unless ($retval) {
&B_log("ACTION","# Didn't chkconfig_on $startup_script because we couldn't open " . &getGlobal('DIR', "initd") . "/$startup_script\n");
}
else {
READ_LOOP:
while (my $line=<CHKCONFIG>) {
# We're looking for lines like this one:
# # chkconfig: 2345 10 90
# OR this
# # chkconfig: - 10 90
if ($line =~ /^#\s*chkconfig:\s*([-\d]+)\s*(\d+)\s*(\d+)/ ) {
$runlevelinfo = $1;
$start_order = $2;
$stop_order = $3;
# handle a run levels arg of '-'
if ( $runlevelinfo eq '-' ) {
&B_log("ACTION","chkconfig_on saw '-' for run levels for \"$startup_script\", is defaulting to levels 3,4,5\n");
$runlevelinfo = '345';
}
@runlevels = split(//,$runlevelinfo);
# make sure the orders have 2 digits
$start_order =~ s/^(\d)$/0$1/;
$stop_order =~ s/^(\d)$/0$1/;
last READ_LOOP;
}
}
close CHKCONFIG;
# Do we have what we need?
if ( (scalar(@runlevels) < 1) || (! $start_order =~ /^\d{2}$/) || (! $stop_order =~ /^\d{2}$/) ) {
# problem
&B_log("ERROR","# B_chkconfig_on $startup_script failed -- no valid run level/start/stop info found\n");
return(-1);
}
# Now, run through creating symlinks...
&B_log("ACTION","# chkconfig_on will use run levels ".join(",",@runlevels)." for \"$startup_script\" with S order $start_order and K order $stop_order\n");
$retval=0;
# BUG: we really ought to readdir() on &getGlobal('DIR', "rcd") to get all levels
foreach my $level ( "0","1","2","3","4","5","6" ) {
my $link = '';
# we make K links in run levels not specified in the chkconfig line
$link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/K$stop_order" . $startup_script;
my $klink = $link;
# now we see if this is a specified run level; if so, make an S link
foreach my $markedlevel ( @runlevels ) {
if ( $level == $markedlevel) {
$link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/S$start_order" . $startup_script;
}
}
my $target = &getGlobal('DIR', "initd") ."/" . $startup_script;
my $local_return;
if ( (-e "$klink") && ($klink ne $link) ) {
# there's a K link, but this level needs an S link
unless ($GLOBAL_LOGONLY) {
$local_return = unlink("$klink");
if ( ! $local_return ) {
# unlinking old, bad $klink failed
&B_log("ERROR","Unlinking $klink failed\n");
} else {
&B_log("ACTION","Removed link $klink\n");
# If we removed the link, add a link command to the revert file
&B_revert_log (&getGlobal('BIN','ln') . " -s $target $klink\n");
} # close what to do if unlink works
} # if not GLOBAL_LOGONLY
} # if $klink exists and ne $link
# OK, we've disposed of any old K links, make what we need
if ( (! ( -e "$link" )) && ($link ne '') ) {
# link doesn't exist and the start/stop number is OK; make it
unless ($GLOBAL_LOGONLY) {
# create the link
$local_return = &B_symlink($target,$link);
if ($local_return) {
$retval++;
&B_log("ACTION","Created link $link\n");
} else {
&B_log("ERROR","Couldn't create $link when trying to chkconfig on $startup_script\n");
}
}
} # link doesn't exist
} # foreach level
}
if ($retval < @runlevels) {
$retval=0;
}
$retval;
}
###########################################################################
# &B_chkconfig_off ($daemon_name) deletes the symbolic links that are
# named in the "# chkconfig: ___ _ _ " portion of the init.d files. We
# need this utility, in place of the distro's chkconfig, because of both
# our need to add revert functionality and our need to harden distros that
# are not mounted on /.
#
# chkconfig allows for a REVERT of its work by writing to an executable
# file &getGlobal('BFILE', "removed-symlinks").
#
# It uses the following global variables to find the links and the init
# scripts, respectively:
#
# &getGlobal('DIR', "rcd") -- directory where the rc_.d subdirs can be found
# &getGlobal('DIR', "initd") -- directory the rc_.d directories link to
#
# Here an example of where you might use this:
#
# You'd like to tell stop running sendmail in daemon mode on boot:
# B_chkconfig_off("sendmail")
#
###########################################################################
sub B_chkconfig_off {
my $startup_script=$_[0];
my $retval=1;
my $chkconfig_line;
my @runlevels;
my ($start_order,$stop_order,$filetolink);
if (&GetDistro =~/^DB.*/) {
$filetolink = &getGlobal('DIR', "initd") . "/$startup_script";
if (-x $filetolink)
{
# Three ways to do this in Debian:
# 1.- have the initd script set to 600 mode
# 2.- Remove the links in rcd (re-installing the package
# will break it)
# 3.- Use update-rc.d --remove (same as 2.)
# (jfs)
&B_chmod(0600,$filetolink);
$retval=6;
# The second option
#foreach my $level ("0","1","2","3","4","5","6" ) {
#my $link = '';
#$link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K50" . "$startup_script";
#unlink($link);
#}
}
}
#
# On SUSE, chkconfig-based rc scripts have been replaced with a whole different
# system. chkconfig on SUSE is actually a shell script that does some stuff and then
# calls insserv, their replacement.
#
elsif (&GetDistro =~ /^SE/) {
# only try to chkconfig off if init script is found
if ( -e (&getGlobal('DIR', "initd") . "/$startup_script") ) {
$chkconfig_line=&getGlobal('BIN','chkconfig');
&B_System("$chkconfig_line $startup_script on", "$chkconfig_line $startup_script off");
# chkconfig doesn't take affect until reboot, need to stop service
# since expectation is that the daemons are disabled even without a reboot
B_service_stop("$startup_script");
return 1; #success
}
return 0; #failure
}
else {
# Run through the init script looking for the chkconfig line...
$retval = open CHKCONFIG,&getGlobal('DIR', "initd") . "/$startup_script";
unless ($retval) {
&B_log("ACTION","Didn't chkconfig_off $startup_script because we couldn't open " . &getGlobal('DIR', "initd") . "/$startup_script\n");
}
else {
READ_LOOP:
while (my $line=<CHKCONFIG>) {
# We're looking for lines like this one:
# # chkconfig: 2345 10 90
if ($line =~ /^#\s*chkconfig:\s*([-\d]+)\s*(\d+)\s*(\d+)/ ) {
@runlevels=split //,$1;
$start_order=$2;
$stop_order=$3;
# Change single digit run levels to double digit -- otherwise,
# the alphabetic ordering chkconfig depends on fails.
if ($start_order =~ /^\d$/ ) {
$start_order = "0" . $start_order;
&B_log("ACTION","chkconfig_off converted start order to $start_order\n");
}
if ($stop_order =~ /^\d$/ ) {
$stop_order = "0" . $stop_order;
&B_log("ACTION","chkconfig_off converted stop order to $stop_order\n");
}
last READ_LOOP;
}
}
close CHKCONFIG;
# If we never found a chkconfig line, can we just run through all 5
# rcX.d dirs from 1 to 5...?
# unless ( $start_order and $stop_order ) {
# @runlevels=("1","2","3","4","5");
# $start_order = "*"; $stop_order="*";
# }
# Now, run through removing symlinks...
$retval=0;
# Handle the special case that the run level specified is solely "-"
if ($runlevels[0] =~ /-/) {
@runlevels = ( "0","1","2","3","4","5","6" );
}
foreach my $level ( @runlevels ) {
my $link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/S$start_order" . $startup_script;
my $new_link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/K$stop_order" . $startup_script;
my $target = &getGlobal('DIR', "initd") ."/" . $startup_script;
my $local_return;
# Replace the S__ link in this level with a K__ link.
if ( -e $link ) {
unless ($GLOBAL_LOGONLY) {
$local_return=unlink $link;
if ($local_return) {
$local_return=symlink $target,$new_link;
unless ($local_return) {
&B_log("ERROR","Linking $target to $new_link failed.\n");
}
}
else { # unlinking failed
&B_log("ERROR","Unlinking $link failed\n");
}
}
if ($local_return) {
$retval++;
&B_log("ACTION","Removed link $link\n");
#
# If we removed the link, add a link command to the revert file
# Write out the revert information for recreating the S__
# symlink and deleting the K__ symlink.
&B_revert_log(&getGlobal('BIN',"ln") . " -s $target $link\n");
&B_revert_log(&getGlobal('BIN',"rm") . " -f $new_link\n");
}
else {
&B_log("ERROR","B_chkconfig_off $startup_script failed\n");
}
}
} # foreach
} # else-unless
} # else-DB
if ($retval < @runlevels) {
$retval=0;
}
$retval;
}
###########################################################################
# &B_service_start ($daemon_name)
# Starts service on RedHat/SUSE-based Linux distributions which have the
# service command:
#
# service $daemon_name start
#
# Other Linux distros that also support this method of starting
# services can be added to use this function.
#
# Here an example of where you might use this:
#
# You'd like to tell the system to start the vsftpd daemon:
# &B_service_start("vsftpd")
#
# Uses &B_System in HP_API.pm
# To match how the &B_System command works this method:
# returns 1 on success
# returns 0 on failure
###########################################################################
sub B_service_start {
my $daemon=$_[0];
if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
(&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
&B_log("ERROR","Tried to call service_start on a system lacking a service command! Internal Bastille error.");
return undef;
}
# only start service if init script is found
if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
&B_log("ACTION","# service_start enabling $daemon\n");
my $service_cmd=&getGlobal('BIN', 'service');
if ($service_cmd) {
# Start the service,
# Also provide &B_System revert command
return (&B_System("$service_cmd $daemon start",
"$service_cmd $daemon stop"));
}
}
# init script not found, do not try to start, return failure
return 0;
}
###########################################################################
# &B_service_stop ($daemon_name)
# Stops service on RedHat/SUSE-based Linux distributions which have the
# service command:
#
# service $daemon_name stop
#
# Other Linux distros that also support this method of starting
# services can be added to use this function.
# Stops service.
#
#
# Here an example of where you might use this:
#
# You'd like to tell the system to stop the vsftpd daemon:
# &B_service_stop("vsftpd")
#
# Uses &B_System in HP_API.pm
# To match how the &B_System command works this method:
# returns 1 on success
# returns 0 on failure
###########################################################################
sub B_service_stop {
my $daemon=$_[0];
if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
(&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
&B_log("ERROR","Tried to call service_stop on a system lacking a service command! Internal Bastille error.");
return undef;
}
# only stop service if init script is found
if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
&B_log("ACTION","# service_stop disabling $daemon\n");
my $service_cmd=&getGlobal('BIN', 'service');
if ($service_cmd) {
# Stop the service,
# Also provide &B_System revert command
return (&B_System("$service_cmd $daemon stop",
"$service_cmd $daemon start"));
}
}
# init script not found, do not try to stop, return failure
return 0;
}
###########################################################################
# &B_service_restart ($daemon_name)
# Restarts service on RedHat/SUSE-based Linux distributions which have the
# service command:
#
# service $daemon_name restart
#
# Other Linux distros that also support this method of starting
# services can be added to use this function.
#
# Here an example of where you might use this:
#
# You'd like to tell the system to restart the vsftpd daemon:
# &B_service_restart("vsftpd")
#
# Uses &B_System in HP_API.pm
# To match how the &B_System command works this method:
# returns 1 on success
# returns 0 on failure
###########################################################################
sub B_service_restart {
my $daemon=$_[0];
if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
(&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
&B_log("ERROR","Tried to call service_restart on a system lacking a service command! Internal Bastille error.");
return undef;
}
# only restart service if init script is found
if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
&B_log("ACTION","# service_restart re-enabling $daemon\n");
my $service_cmd=&getGlobal('BIN', 'service');
if ($service_cmd) {
# Restart the service
return (&B_System("$service_cmd $daemon restart",
"$service_cmd $daemon restart"));
}
}
# init script not found, do not try to restart, return failure
return 0;
}
###########################################################################
# &B_is_service_off($;$)
#
# Runs the specified test to determine whether or not the question should
# be answered.
#
# return values:
# NOTSECURE_CAN_CHANGE()/0: service is on
# SECURE_CANT_CHANGE()/1: service is off
# undef: test is not defined
###########################################################################
sub B_is_service_off ($){
my $service=$_[0];
if(&GetDistro =~ "^HP-UX"){
#die "Why do I think I'm on HPUX?!\n";
return &checkServiceOnHPUX($service);
}
elsif ( (&GetDistro =~ "^RH") || (&GetDistro =~ "^SE") ) {
return &checkServiceOnLinux($service);
}
else {
&B_log("DEBUG","B_is_service off called for unsupported OS");
# not yet implemented for other distributions of Linux
# when GLOBAL_SERVICE, GLOBAL_SERVTYPE and GLOBAL_PROCESS are filled
# in for Linux, then
# at least inetd and inittab services should be similar to the above,
# whereas chkconfig would be used on some Linux distros to determine
# if non-inetd/inittab services are running at boot time. Looking at
# processes should be similar.
return undef;
}
}
###########################################################################
# &checkServiceOnLinux($service);
#
# Checks if the given service is running on a Linux system. This is
# called by B_is_Service_Off(), which is the function that Bastille
# modules should call.
#
# Return values:
# NOTSECURE_CAN_CHANGE() if the service is on
# SECURE_CANT_CHANGE() if the service is off
# undef if the state of the service cannot be determined
#
###########################################################################
sub checkServiceOnLinux($) {
my $service=$_[0];
# get the list of parameters which could be used to initiate the service
# (could be in /etc/rc.d/rc?.d, /etc/inetd.conf, or /etc/inittab, so we
# check all of them)
my @params = @{ &getGlobal('SERVICE', $service) };
my $chkconfig = &getGlobal('BIN', 'chkconfig');
my $grep = &getGlobal('BIN', 'grep');
my $inittab = &getGlobal('FILE', 'inittab');
my $serviceType = &getGlobal('SERVTYPE', $service);;
# A kludge to get things running because &getGlobal('SERVICE' doesn't
# return the expected values.
@params = ();
push (@params, $service);
foreach my $param (@params) {
&B_log("DEBUG","Checking to see if service $service is off.\n");
if ($serviceType =~ /rc/) {
my $on = &B_Backtick("$chkconfig --list $param 2>&1");
if ($on =~ /^$param:\s+unknown/) {
# This service isn't installed on the system
return NOT_INSTALLED();
}
if ($on =~ /^error reading information on service $param: No such file or directory/) {
# This service isn't installed on the system
return NOT_INSTALLED();
}
if ($on =~ /^error/) {
# This probably
&B_log("DEBUG","chkconfig returned: $param=$on\n");
return undef;
}
$on =~ s/^$param\s+//; # remove the service name and spaces
$on =~ s/[0-6]:off\s*//g; # remove any runlevel:off entries
$on =~ s/:on\s*//g; # remove the :on from the runlevels
# what remains is a list of runlevels in which the service is on,
# or a null string if it is never turned on
chomp $on; # newline should be gone already (\s)
&B_log("DEBUG","chkconfig returned: $param=$on\n");
if ($on =~ /^\d+$/) {
# service is not off
########################### BREAK out, don't skip question
return NOTSECURE_CAN_CHANGE();
}
}
elsif ($serviceType =~ /inet/) {
my $on = &B_Backtick("$chkconfig --list $param 2>&1");
if ($on =~ /^$param:\s+unknown/) {
# This service isn't installed on the system
return NOT_INSTALLED();
}
if ($on =~ /^error reading information on service $param: No such file or directory/) {
# This service isn't installed on the system
return NOT_INSTALLED();
}
if ($on =~ /^error/ ) {
# Something else is wrong?
# return undef
return undef;
}
if ($on =~ tr/\n// > 1) {
$on =~ s/^xinetd.+\n//;
}
$on =~ s/^\s*$param:?\s+//; # remove the service name and spaces
chomp $on; # newline should be gone already (\s)
&B_log("DEBUG","chkconfig returned: $param=$on\n");
if ($on =~ /^on$/) {
# service is not off
########################### BREAK out, don't skip question
return NOTSECURE_CAN_CHANGE();
}
}
else {
# perhaps the service is started by inittab
my $inittabline = &B_Backtick("$grep -E '^[^#].{0,3}:.*:.+:.*$param' $inittab");
if ($inittabline =~ /.+/) { # . matches anything except newlines
# service is not off
&B_log("DEBUG","Checking inittab; found $inittabline\n");
########################### BREAK out, don't skip question
return NOTSECURE_CAN_CHANGE();
}
}
} # foreach my $param
# boot-time parameters are not set; check processes
# Note the checkProcsforService returns INCONSISTENT() if a process is found
# assuming the checks above
return &checkProcsForService($service);
}
1;
@@ -0,0 +1,34 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/BastilleBackEnd
===================================================================
--- Bastille.orig/BastilleBackEnd 2013-08-21 12:40:54.000000000 -0400
+++ Bastille/BastilleBackEnd 2013-08-21 12:43:21.895950001 -0400
@@ -52,11 +52,13 @@
my $force = 0;
my $debug = 0;
my $alternate_config=undef;
+my $os_version=undef;
if( Getopt::Long::GetOptions( "n" => \$nodisclaim,
"v" => \$verbose,
"force" => \$force,
"f=s" => \$alternate_config,
+ "os=s" => \$os_version,
"debug" => \$debug) ) {
$error = 0; # no parse error
@@ -66,7 +68,8 @@
&setOptions(
debug => $debug,
- verbose => $verbose);
+ verbose => $verbose,
+ os => $os_version);
&ConfigureForDistro;
if ( $error ) { # GetOptions couldn't parse all of the args
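Review bot: The patch header carries only `Upstream-Status` and `Signed-off-by`, so nothing records why BastilleBackEnd gains an `--os` option or which values it accepts; a short subject and description above the `---` line would let a later maintainer judge the change without reading the Bastille sources. The same applies to the other Bastille patches in this commit that have the same bare header, and most of all to the `bin/bastille` patch that deletes the check rejecting `-f`/`--os` together with `--assess`, where the reason for dropping a validity check should be written down. In this hunk `$os_version` is handed to `&setOptions` exactly as typed; where that value is validated is not visible here, so the description should say where it happens.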
@@ -0,0 +1,43 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/bin/bastille
===================================================================
--- Bastille.orig/bin/bastille 2013-08-21 08:59:06.647950000 -0400
+++ Bastille/bin/bastille 2013-08-21 15:55:53.193631711 -0400
@@ -195,7 +195,6 @@
systemFileLocations
isAssessing='no'
-nonXArg='no'
if [ $PERL_V_MAJ -eq $MIN_V_MAJ -a $PERL_V_MIN -lt $MIN_V_MIN -o $PERL_V_MAJ -lt $MIN_V_MAJ ]; then # invalid Perl
printErr
@@ -316,12 +315,10 @@
'--os')
options_left="$options_left --os"
optarg='yes'
- nonXArg='yes'
;;
'-f')
options_left="$options_left -f"
optarg='yes'
- nonXArg='yes'
;;
# Non-exclusive (undocumented and unsupported) options follow:
# There is no validity/combination checking done with these.
@@ -345,11 +342,6 @@
fi
done
-#Detect case where -f or --os attempted use with --assess
- if [ \( x$nonXArg = xyes \) -a \( x$isAssessing = xyes \) ]; then
- printUsage
- exit 2
- fi
# We have a valid version of perl! Verify that all the required
# modules can be found.
@@ -0,0 +1,19 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/Bastille_Curses.pm
===================================================================
--- Bastille.orig/Bastille_Curses.pm 2013-08-21 08:58:53.899950000 -0400
+++ Bastille/Bastille_Curses.pm 2013-08-21 09:20:20.295950005 -0400
@@ -84,7 +84,7 @@
}
# Output answers to the script and display
- &checkAndSaveConfig(&getGlobal('BFILE', "config"));
+ &outputConfig;
# Run Bastille
@@ -0,0 +1,106 @@
# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
AccountSecurity.protectrhost="Y"
# Q: Should we disallow root login on tty's 1-6? [N]
AccountSecurity.rootttylogins="Y"
# Q: What umask would you like to set for users on the system? [077]
AccountSecurity.umask="077"
# Q: Do you want to set the default umask? [Y]
AccountSecurity.umaskyn="Y"
# Q: Would you like to deactivate the Apache web server? [Y]
Apache.apacheoff="Y"
# Q: Would you like to password protect single-user mode? [Y]
BootSecurity.passsum="Y"
# Q: Should we restrict console access to a small group of user accounts? [N]
ConfigureMiscPAM.consolelogin="Y"
# Q: Which accounts should be able to login at console? [root]
ConfigureMiscPAM.consolelogin_accounts="root"
# Q: Would you like to put limits on system resource usage? [N]
ConfigureMiscPAM.limitsconf="Y"
# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
FilePermissions.generalperms_1_1="Y"
# Q: Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="Y"
# Q: Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="Y"
# Q: Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="Y"
# Q: Do you need the advanced networking options?
Firewall.ip_advnetwork="Y"
# Q: Should Bastille run the firewall and enable it at boot time? [N]
Firewall.ip_enable_firewall="Y"
# Q: Would you like to run the packet filtering script? [N]
Firewall.ip_intro="Y"
# Q: Interfaces for DHCP queries: [ ]
Firewall.ip_s_dhcpiface=" "
# Q: DNS servers: [0.0.0.0/0]
Firewall.ip_s_dns="10.184.9.1"
# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
Firewall.ip_s_icmpallowed="destination-unreachable echo-reply time-exceeded"
# Q: ICMP services to audit: [ ]
Firewall.ip_s_icmpaudit=" "
# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
Firewall.ip_s_icmpout="destination-unreachable time-exceeded"
# Q: Internal interfaces: [ ]
Firewall.ip_s_internaliface=" "
# Q: TCP service names or port numbers to allow on private interfaces: [ ]
Firewall.ip_s_internaltcp=" "
# Q: UDP service names or port numbers to allow on private interfaces: [ ]
Firewall.ip_s_internaludp=" "
# Q: Masqueraded networks: [ ]
Firewall.ip_s_ipmasq=" "
# Q: Kernel modules to masquerade: [ftp raudio vdolive]
Firewall.ip_s_kernelmasq="ftp raudio vdolive"
# Q: NTP servers to query: [ ]
Firewall.ip_s_ntpsrv=" "
# Q: Force passive mode? [N]
Firewall.ip_s_passiveftp="N"
# Q: Public interfaces: [eth+ ppp+ slip+]
Firewall.ip_s_publiciface="eth+ ppp+ slip+"
# Q: TCP service names or port numbers to allow on public interfaces:[ ]
Firewall.ip_s_publictcp=" "
# Q: UDP service names or port numbers to allow on public interfaces:[ ]
Firewall.ip_s_publicudp=" "
# Q: Reject method: [DENY]
Firewall.ip_s_rejectmethod="DENY"
# Q: Enable source address verification? [Y]
Firewall.ip_s_srcaddr="Y"
# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
Firewall.ip_s_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
Firewall.ip_s_tcpblock="2049 2065:2090 6000:6020 7100"
# Q: Trusted interface names: [lo]
Firewall.ip_s_trustiface="lo"
# Q: UDP services to audit: [31337]
Firewall.ip_s_udpaudit="31337"
# Q: UDP services to block: [2049 6770]
Firewall.ip_s_udpblock="2049 6770"
# Q: Would you like to add additional logging? [Y]
Logging.morelogging="Y"
# Q: Would you like to set up process accounting? [N]
Logging.pacct="N"
# Q: Do you have a remote logging host? [N]
Logging.remotelog="N"
# Q: Would you like to disable acpid and/or apmd? [Y]
MiscellaneousDaemons.apmd="Y"
# Q: Would you like to deactivate NFS and Samba? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q: Would you like to disable printing? [N]
Printing.printing="Y"
# Q: Would you like to disable printing? [N]
Printing.printing_cups="Y"
# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
SecureInetd.banners="Y"
# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
SecureInetd.deactivate_ftp="Y"
# Q: Should Bastille ensure the telnet service does not run on this system? [y]
SecureInetd.deactivate_telnet="Y"
# Q: Who is responsible for granting authorization to use this machine?
SecureInetd.owner="its owner"
# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
SecureInetd.tcpd_default_deny="Y"
# Q: Do you want to stop sendmail from running in daemon mode? [Y]
Sendmail.sendmaildaemon="Y"
# Q: Would you like to install TMPDIR/TMP scripts? [N]
TMPDIR.tmpdir="N"
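Review bot: `Firewall.ip_s_dns="10.184.9.1"` commits one site's resolver address into a packaged answer file, where the question's own default is `0.0.0.0/0`; with `Firewall.ip_enable_firewall="Y"` the generated rules would presumably permit DNS only to a host that does not exist on other networks. Either keep the default or mark the value as something to override, for example with a comment line `# example resolver address, replace per deployment` above it. `Printing.printing_cups` also repeats the question text of `Printing.printing`, so the two answers cannot be told apart from the comments.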
@@ -0,0 +1,40 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/Bastille_Curses.pm
===================================================================
--- Bastille.orig/Bastille_Curses.pm 2013-08-27 16:43:39.130959000 -0400
+++ Bastille/Bastille_Curses.pm 2013-08-27 16:43:39.794959000 -0400
@@ -83,11 +83,6 @@
# Output answers to the script and display
&outputConfig;
- # Run Bastille
-
- &Run_Bastille_with_Config;
-
-
# Display Credits
open CREDITS,"/usr/share/Bastille/Credits";
Index: Bastille/InteractiveBastille
===================================================================
--- Bastille.orig/InteractiveBastille 2013-08-27 16:43:39.434959000 -0400
+++ Bastille/InteractiveBastille 2013-08-27 17:18:55.758959000 -0400
@@ -531,10 +531,10 @@
" Please address bug reports and suggestions to jay\@bastille-linux.org\n" .
"\n";
- $InterfaceEndScreenDescription = "We will now implement the choices you have made here.\n\n" .
+ $InterfaceEndScreenDescription = "We will now record the choices you have made here.\n\n" .
"Answer NO if you want to go back and make changes!\n";
- $InterfaceEndScreenQuestion = "Are you finished answering the questions, i.e. may we make the changes?";
- $InterfaceEndScreenNoEpilogue = "Please use Back/Next buttons to move among the questions you wish to\nchange.\n\nChoose YES on this question later to implement your choices.\n";
+ $InterfaceEndScreenQuestion = "Are you finished answering the questions, i.e. may we record the answers and exit?";
+ $InterfaceEndScreenNoEpilogue = "Please use Back/Next buttons to move among the questions you wish to\nchange.\n\nChoose YES on this question later to record your choices.\n";
require Bastille_Curses;
} elsif ($GLOBAL_AUDITONLY) {
@@ -0,0 +1,32 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/bin/bastille
===================================================================
--- Bastille.orig/bin/bastille 2013-08-25 14:16:35.614779001 -0400
+++ Bastille/bin/bastille 2013-08-25 14:16:38.674779000 -0400
@@ -60,7 +60,7 @@
printUsage () {
cat >&2 << EOF
$ERRSPACES Usage: bastille [ -b | -c | -x ] [ --os <version>] [ -f <alternate config> ]
-$ERRSPACES bastille [-r | -l | -h | --assess | --assessnobrowser ]
+$ERRSPACES bastille [-r | -l | -h | --assess | --assessnobrowser ] [ --os <version> ]
$ERRSPACES -b : use a saved config file to apply changes
$ERRSPACES directly to system
$ERRSPACES -c : use the Curses (non-X11) GUI, not available on HP-UX
Index: Bastille/Bastille/API.pm
===================================================================
--- Bastille.orig/Bastille/API.pm 2013-08-25 08:15:40.266779002 -0400
+++ Bastille/Bastille/API.pm 2013-08-25 14:18:22.750778811 -0400
@@ -206,7 +206,7 @@
#options before interactive or Bastille runs, so this check is often redundant
$GLOBAL_ERROR{"usage"}="\n".
"$spc Usage: bastille [ -b | -c | -x ] [ --os <version> ] [ -f <alternate config> ]\n".
- "$spc bastille [ -r | --assess | --assessnobowser ]\n\n".
+ "$spc bastille [ -r | --assess | --assessnobowser ] [ --os <version> ]\n\n".
"$spc --assess : check status of system and report in browser\n".
"$spc --assessnobrowser : check status of system and list report locations\n".
"$spc -b : use a saved config file to apply changes\n".
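Review bot: The rewritten usage line in `Bastille/API.pm` still spells the option `--assessnobowser`, while the line two below it and the `bin/bastille` usage text both say `--assessnobrowser`. Since the line is being touched anyway it should read `"$spc bastille [ -r | --assess | --assessnobrowser ] [ --os <version> ]\n\n".`. The shell usage text lists `-l` and `-h` and this one does not, which may be intended but is worth confirming. The `$GLOBAL_ERROR{"usage"}` assignment continues outside the hunk.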
@@ -0,0 +1,64 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/bin/bastille
===================================================================
--- Bastille.orig/bin/bastille 2013-06-20 14:58:01.065796000 -0400
+++ Bastille/bin/bastille 2013-08-20 15:16:18.472378000 -0400
@@ -102,8 +102,9 @@
# defines OS specific file locations based on uname
systemFileLocations
+ config_files=`find $config_repository -type f -name \*config 2>/dev/null`
+
if [ -f $last_config ]; then
- config_files=`find $config_repository -type f -name \*config 2>/dev/null`
for config_cursor in `echo $config_files`
do
if /usr/bin/diff $last_config $config_cursor >/dev/null 2>&1
@@ -112,8 +113,8 @@
fi
done
if [ -n "$match" ]; then
- echo "The last bastille run corresponds to the following profiles:"
- echo "$match"
+ printf "The last Bastille run corresponds to the following profiles:\n"
+ printf "$match"
else
cat >&2 << EOF
NOTE: The last config file applied,
@@ -122,18 +123,28 @@
$ERRSPACES $config_repository.
$ERRSPACES This probably means that Bastille was last run interactively and
$ERRSPACES changes were made to the config file, but they have not yet been
-$ERRSPACES applied, or that the source config file was moved. If you do have pending
+$ERRSPACES applied, or that the source config file was moved. If you do have pending
$ERRSPACES changes in a config file, you can apply them by running
$ERRSPACES 'bastille -b -f <config file>.'
EOF
fi
else
- echo "NOTE: The system is in its pre-bastilled state.\n"
+ for config_cursor in `echo $config_files`
+ do
+ match="$match $config_cursor\n"
+ done
+ if [ -n "$match" ]; then
+ printf "The following Bastille profiles were located:\n"
+ printf "$match"
+ else
+ printf "No Bastille profiles were located.\n"
+ fi
+ printf "No log files of profiles from previous executions of Bastille have been found. It is likely that Bastille has not been run on this machine.\n"
fi
-
}
+
# First, make sure we're root
if [ `PATH="/usr/bin:/bin"; id -u` -ne 0 ]; then
echo "ERROR: Bastille must be run as root user" >&2
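Review bot: `printf "$match"` uses the collected config paths as the format string, so a `%` in a file name under `$config_repository` is read as a conversion and the listing comes out garbled or truncated; this applies in both places where the patch switches from `echo` to `printf`. Pass the text as an argument instead, `printf '%b' "$match"`, which still expands the `\n` that the loop appends. The `for config_cursor in ...` loops over the unquoted `find` output also split paths on whitespace, so a profile name containing a space is compared and listed in pieces. The function these lines belong to starts before the hunk.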
@@ -0,0 +1,54 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/Bastille/Firewall.pm
===================================================================
--- Bastille.orig/Bastille/Firewall.pm 2008-09-14 19:56:54.000000000 -0400
+++ Bastille/Bastille/Firewall.pm 2013-08-20 16:28:44.588378000 -0400
@@ -21,6 +21,7 @@
package Bastille::Firewall;
use Bastille::API;
+use Bastille::API::AccountPermission;
use Bastille::API::FileContent;
use Bastille::API::ServiceAdmin;
Index: Bastille/Bastille/SecureInetd.pm
===================================================================
--- Bastille.orig/Bastille/SecureInetd.pm 2008-09-14 19:56:58.000000000 -0400
+++ Bastille/Bastille/SecureInetd.pm 2013-08-20 16:45:02.252378001 -0400
@@ -12,6 +12,7 @@
use lib "/usr/lib";
use Bastille::API;
+use Bastille::API::AccountPermission;
use Bastille::API::HPSpecific;
use Bastille::API::ServiceAdmin;
use Bastille::API::FileContent;
Index: Bastille/Bastille/ConfigureMiscPAM.pm
===================================================================
--- Bastille.orig/Bastille/ConfigureMiscPAM.pm 2005-09-12 23:47:28.000000000 -0400
+++ Bastille/Bastille/ConfigureMiscPAM.pm 2013-08-20 18:36:07.340378001 -0400
@@ -5,6 +5,7 @@
use lib "/usr/lib";
use Bastille::API;
+use Bastille::API::FileContent;
# To DO:
#
Index: Bastille/Bastille/Printing.pm
===================================================================
--- Bastille.orig/Bastille/Printing.pm 2008-09-14 19:56:58.000000000 -0400
+++ Bastille/Bastille/Printing.pm 2013-08-20 19:05:01.532378002 -0400
@@ -5,6 +5,7 @@
use lib "/usr/lib";
use Bastille::API;
+use Bastille::API::AccountPermission;
use Bastille::API::HPSpecific;
use Bastille::API::ServiceAdmin;
use Bastille::API::FileContent;
@@ -0,0 +1,38 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/Bastille_Curses.pm
===================================================================
--- Bastille.orig/Bastille_Curses.pm 2013-08-24 18:21:54.445288000 -0400
+++ Bastille/Bastille_Curses.pm 2013-08-24 18:29:16.981288000 -0400
@@ -36,9 +36,6 @@
use Curses;
use Curses::Widgets;
- # Number_Modules is the number of modules loaded in by Load_Questions
- $Number_Modules=0;
-
#
# Highlighted button is the button currently chosen in the button bar
# We preserve this from question to question...
@@ -397,7 +394,7 @@
my $title;
if ($module) {
- $title=$module . " of $Number_Modules";
+ $title=$module;
}
txt_field( 'window' => $window,
@@ -488,7 +485,7 @@
my $title;
if ($module) {
- $title=$module . " of $Number_Modules";
+ $title=$module;
}
noecho;
@@ -0,0 +1,27 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/bin/bastille
===================================================================
--- Bastille.orig/bin/bastille
+++ Bastille/bin/bastille
@@ -162,11 +162,12 @@ fi
# We check that the version is at least the minimum
PERL_VERSION=`${CURRENT_PERL_PATH}/perl -version |
- head -2 | # the second line contains the version
+ head -n 2 | # the second line contains the version
tr " " "\n" | # split words into separate lines
- sed -e "s/^v//" | # to get rid of the v in v5.6.0
- grep "^[1-9]\." | # find a "word" that starts with number dot
- sed -e "s/_/./"` # substitute _patchlevel with .patchlevel
+ grep "^(v" | # find a "word" that starts with '(v'
+ sed -e "s/^(v//" -e "s/)//" -e "s/_/./"`
+ # to get rid of the (v in v5.6.0
+ # substitute _patchlevel with .patchlevel
# (used in 5.005_03 and prior)
# everything before the first .
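Review bot: If the first two lines of `perl -version` contain no word starting with `(v`, `PERL_VERSION` is left empty and nothing in this hunk catches that. The later test in this script, `if [ $PERL_V_MAJ -eq $MIN_V_MAJ ... ]; then # invalid Perl`, would then fail as a malformed test rather than evaluate true, so the invalid-Perl branch is skipped (how `PERL_V_MAJ` is derived is outside this hunk). A guard right after the assignment, `[ -n "$PERL_VERSION" ] || { printErr; exit 2; }`, would stop on the script's existing error path, assuming `printErr` is already defined at that point. The comment lines after the closing backtick no longer sit next to the pipeline stages they describe, and moving them above the assignment keeps them readable.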
@@ -0,0 +1,65 @@
From c59b84ca3bda8e4244d47901b6966f28dd675434 Mon Sep 17 00:00:00 2001
From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
Date: Thu, 23 May 2013 15:12:23 +0300
Subject: [PATCH] added yocto-standard to bastille
In order to make Bastille functional and avoid errors
regarding distros, if not any given distro is identified,
yocto-standard distro is added to the distro variable
in Bastille.
Fixed also some warnings regarding defined statements
in API.pm.
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Bastille/API.pm | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
Index: Bastille/Bastille/API.pm
===================================================================
--- Bastille.orig/Bastille/API.pm 2008-09-14 19:56:53.000000000 -0400
+++ Bastille/Bastille/API.pm 2013-08-21 08:55:26.715950001 -0400
@@ -445,8 +445,8 @@
$release=`/usr/bin/uname -sr`;
}
else {
- print STDERR "$err Could not determine operating system version!\n";
- $distro="unknown";
+ print STDERR "$err Could not determine operating system version!\n";
+ $distro="unknown"
}
# Figure out what kind of system we're on.
@@ -1284,7 +1284,7 @@
my $sumFile = &getGlobal('BFILE',"sum.csv");
- if ( defined %GLOBAL_SUM ) {
+ if ( %GLOBAL_SUM ) {
open( SUM, "> $sumFile") or &B_log("ERROR","Unable to open $sumFile for write.\n$!\n");
@@ -1318,7 +1318,7 @@
my $file = $_[0];
my $cksum = &getGlobal('BIN',"cksum");
- if (not(defined(%GLOBAL_SUM))) {
+ if (not(%GLOBAL_SUM)) {
&B_read_sums;
}
@@ -1375,7 +1375,7 @@
sub B_isFileinSumDB($) {
my $file = $_[0];
- if (not(defined(%GLOBAL_SUM))) {
+ if (not(%GLOBAL_SUM)) {
&B_log("DEBUG","Reading in DB from B_isFileinSumDB");
&B_read_sums;
}
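Review bot: The first hunk does not do what the description says: as rendered, `$distro` is still set to `"unknown"`, no `yocto-standard` value appears anywhere in the patch, and the only visible change on that line is the lost semicolon, `$distro="unknown"`. Perl accepts a missing semicolon on the last statement of a block, but it becomes a syntax error as soon as a statement is added after it, so restore `$distro="unknown";`. Then either add the fallback the message promises or reword the message to cover only the `defined %GLOBAL_SUM` clean-up, which is the part of the patch that matches its text. The enclosing subs start and end outside the hunks.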
@@ -0,0 +1,476 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/Bastille/API.pm
===================================================================
--- Bastille.orig/Bastille/API.pm 2013-08-22 04:32:38.269968002 -0400
+++ Bastille/Bastille/API.pm 2013-08-22 11:29:53.137968002 -0400
@@ -141,7 +141,7 @@
checkProcsForService
- $GLOBAL_OS $GLOBAL_ACTUAL_OS $CLI
+ $CLI
$GLOBAL_LOGONLY $GLOBAL_VERBOSE $GLOBAL_DEBUG $GLOBAL_AUDITONLY $GLOBAL_AUDIT_NO_BROWSER $errorFlag
%GLOBAL_BIN %GLOBAL_DIR %GLOBAL_FILE
%GLOBAL_BDIR %GLOBAL_BFILE
@@ -198,7 +198,7 @@
my $err ="ERROR: ";
my $spc =" ";
my $GLOBAL_OS="None";
-my $GLOBAL_ACTUAL_OS="None";
+my $GLOBAL_INFERRED_OS="None";
my %GLOBAL_SUMS=();
my $CLI='';
@@ -306,7 +306,7 @@
###########################################################################
#
-# GetDistro checks to see if the target is a known distribution and reports
+# InferDistro checks to see if the target is a known distribution and reports
# said distribution.
#
# This is used throughout the script, but also by ConfigureForDistro.
@@ -314,205 +314,194 @@
#
###########################################################################
-sub GetDistro() {
+sub InferDistro() {
my ($release,$distro);
- # Only read files for the distro once.
- # if the --os option was used then
- if ($GLOBAL_OS eq "None") {
- if ( -e "/etc/mandrake-release" ) {
- open(MANDRAKE_RELEASE,"/etc/mandrake-release");
- $release=<MANDRAKE_RELEASE>;
-
- if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
- $distro="MN$1";
- }
- elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
- $distro="MN$1";
- }
- else {
- print STDERR "$err Couldn't determine Mandrake/Mandriva version! Setting to 10.1!\n";
- $distro="MN10.1";
- }
-
- close(MANDRAKE_RELEASE);
- }
- elsif ( -e "/etc/immunix-release" ) {
- open(IMMUNIX_RELEASE,"/etc/immunix-release");
- $release=<IMMUNIX_RELEASE>;
- unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
- print STDERR "$err Couldn't determine Immunix version! Setting to 6.2!\n";
- $distro="RH6.2";
- }
- else {
- $distro="RH$1";
- }
- close(*IMMUNIX_RELEASE);
- }
- elsif ( -e '/etc/fedora-release' ) {
- open(FEDORA_RELEASE,'/etc/fedora-release');
- $release=<FEDORA_RELEASE>;
- close FEDORA_RELEASE;
- if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
- $distro = "RHFC$1";
- }
- elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
- $distro = "RHFC$1";
- }
- else {
- print STDERR "$err Could not determine Fedora version! Setting to Fedora Core 8\n";
- $distro='RHFC8';
- }
+ if ( -e "/etc/mandrake-release" ) {
+ open(MANDRAKE_RELEASE,"/etc/mandrake-release");
+ $release=<MANDRAKE_RELEASE>;
+
+ if ( ($release =~ /^Mandrake Linux release (\d+\.\d+\w*)/) or ($release =~ /^Linux Mandrake release (\d+\.\d+\w*)/) ) {
+ $distro="MN$1";
+ }
+ elsif ( $release =~ /^Mandrakelinux release (\d+\.\d+)\b/ ) {
+ $distro="MN$1";
+ }
+ else {
+ print STDERR "$err Could not infer Mandrake/Mandriva version! Setting to 10.1!\n";
+ $distro="MN10.1";
+ }
+
+ close(MANDRAKE_RELEASE);
+ }
+ elsif ( -e "/etc/immunix-release" ) {
+ open(IMMUNIX_RELEASE,"/etc/immunix-release");
+ $release=<IMMUNIX_RELEASE>;
+ unless ($release =~ /^Immunix Linux release (\d+\.\d+\w*)/) {
+ print STDERR "$err Could not infer Immunix version! Setting to 6.2!\n";
+ $distro="RH6.2";
+ }
+ else {
+ $distro="RH$1";
}
- elsif ( -e "/etc/redhat-release" ) {
- open(*REDHAT_RELEASE,"/etc/redhat-release");
- $release=<REDHAT_RELEASE>;
- if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
- $distro="RH$1";
- }
- elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
- $distro="RHEL$1$2";
- }
- elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
- $distro="RHEL$2$1";
+ close(*IMMUNIX_RELEASE);
+ }
+ elsif ( -e '/etc/fedora-release' ) {
+ open(FEDORA_RELEASE,'/etc/fedora-release');
+ $release=<FEDORA_RELEASE>;
+ close FEDORA_RELEASE;
+ if ($release =~ /^Fedora Core release (\d+\.?\d*)/) {
+ $distro = "RHFC$1";
+ }
+ elsif ($release =~ /^Fedora release (\d+\.?\d*)/) {
+ $distro = "RHFC$1";
+ }
+ else {
+ print STDERR "$err Could not infer Fedora version! Setting to Fedora Core 8\n";
+ $distro='RHFC8';
+ }
+ }
+ elsif ( -e "/etc/redhat-release" ) {
+ open(*REDHAT_RELEASE,"/etc/redhat-release");
+ $release=<REDHAT_RELEASE>;
+ if ($release =~ /^Red Hat Linux release (\d+\.?\d*\w*)/) {
+ $distro="RH$1";
+ }
+ elsif ($release =~ /^Red Hat Linux .+ release (\d+)\.?\d*([AEW]S)/) {
+ $distro="RHEL$1$2";
+ }
+ elsif ($release =~ /^Red Hat Enterprise Linux ([AEW]S) release (\d+)/) {
+ $distro="RHEL$2$1";
+ }
+ elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
+ my $version = $1;
+ if ($version =~ /^4\./) {
+ $distro='RHEL4AS';
}
- elsif ($release =~ /^CentOS release (\d+\.\d+)/) {
- my $version = $1;
- if ($version =~ /^4\./) {
- $distro='RHEL4AS';
- }
- elsif ($version =~ /^3\./) {
- $distro='RHEL3AS';
- }
- else {
- print STDERR "$err Could not determine CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
- $distro='RHEL4AS';
- }
- }
- else {
- # JJB/HP - Should this be B_log?
- print STDERR "$err Couldn't determine Red Hat version! Setting to 9!\n";
- $distro="RH9";
- }
- close(REDHAT_RELEASE);
-
- }
- elsif ( -e "/etc/debian_version" ) {
- $stable="3.1"; #Change this when Debian stable changes
- open(*DEBIAN_RELEASE,"/etc/debian_version");
- $release=<DEBIAN_RELEASE>;
- unless ($release =~ /^(\d+\.\d+\w*)/) {
- print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
- $distro="DB$stable";
+ elsif ($version =~ /^3\./) {
+ $distro='RHEL3AS';
}
else {
- $distro="DB$1";
- }
- close(DEBIAN_RELEASE);
- }
- elsif ( -e "/etc/SuSE-release" ) {
- open(*SUSE_RELEASE,"/etc/SuSE-release");
- $release=<SUSE_RELEASE>;
- if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
- $distro="SE$1";
- }
- elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
- $distro="SESLES$1";
- }
- elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
- $distro="SESLES$1";
- }
- elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
- $distro="SE$1";
+ print STDERR "$err Could not infer CentOS version! Setting to Red Hat Enterprise 4 AS.\n";
+ $distro='RHEL4AS';
}
- else {
- print STDERR "$err Couldn't determine SuSE version! Setting to 10.3!\n";
- $distro="SE10.3";
- }
- close(SUSE_RELEASE);
- }
- elsif ( -e "/etc/turbolinux-release") {
- open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
- $release=<TURBOLINUX_RELEASE>;
- unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
- print STDERR "$err Couldn't determine TurboLinux version! Setting to 7.0!\n";
- $distro="TB7.0";
- }
- else {
- $distro="TB$1";
- }
- close(TURBOLINUX_RELEASE);
+ }
+ else {
+ # JJB/HP - Should this be B_log?
+ print STDERR "$err Could not infer Red Hat version! Setting to 9!\n";
+ $distro="RH9";
+ }
+ close(REDHAT_RELEASE);
+
+ }
+ elsif ( -e "/etc/debian_version" ) {
+ $stable="3.1"; #Change this when Debian stable changes
+ open(*DEBIAN_RELEASE,"/etc/debian_version");
+ $release=<DEBIAN_RELEASE>;
+ unless ($release =~ /^(\d+\.\d+\w*)/) {
+ print STDERR "$err System is not running a stable Debian GNU/Linux version. Setting to $stable.\n";
+ $distro="DB$stable";
+ }
+ else {
+ $distro="DB$1";
+ }
+ close(DEBIAN_RELEASE);
+ }
+ elsif ( -e "/etc/SuSE-release" ) {
+ open(*SUSE_RELEASE,"/etc/SuSE-release");
+ $release=<SUSE_RELEASE>;
+ if ($release =~ /^SuSE Linux (\d+\.\d+\w*)/i) {
+ $distro="SE$1";
+ }
+ elsif ($release =~ /^SUSE LINUX Enterprise Server (\d+\.?\d?\w*)/i) {
+ $distro="SESLES$1";
+ }
+ elsif ($release =~ /^SUSE Linux Enterprise Server (\d+\.?\d?\w*)/i) {
+ $distro="SESLES$1";
+ }
+ elsif ($release =~ /^openSuSE (\d+\.\d+\w*)/i) {
+ $distro="SE$1";
+ }
+ else {
+ print STDERR "$err Could not infer SuSE version! Setting to 10.3!\n";
+ $distro="SE10.3";
}
+ close(SUSE_RELEASE);
+ }
+ elsif ( -e "/etc/turbolinux-release") {
+ open(*TURBOLINUX_RELEASE,"/etc/turbolinux-release");
+ $release=<TURBOLINUX_RELEASE>;
+ unless ($release =~ /^Turbolinux Workstation (\d+\.\d+\w*)/) {
+ print STDERR "$err Could not infer TurboLinux version! Setting to 7.0!\n";
+ $distro="TB7.0";
+ }
else {
- # We're either on Mac OS X, HP-UX or an unsupported O/S.
- if ( -x '/usr/bin/uname') {
+ $distro="TB$1";
+ }
+ close(TURBOLINUX_RELEASE);
+ }
+ else {
+ # We're either on Mac OS X, HP-UX or an unsupported O/S.
+ if ( -x '/usr/bin/uname') {
# uname is in /usr/bin on Mac OS X and HP-UX
- $release=`/usr/bin/uname -sr`;
- }
- else {
- print STDERR "$err Could not determine operating system version!\n";
- $distro="unknown"
- }
-
- # Figure out what kind of system we're on.
- if ($release ne "") {
- if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
- if ($1 == 6 ) {
- $distro = "OSX10.2";
- }
- elsif ($1 == 7) {
- $distro = "OSX10.3";
- }
- elsif ($1 == 8) {
- $distro = "OSX10.3";
- }
- else {
- $distro = "unknown";
- }
+ $release=`/usr/bin/uname -sr`;
+ }
+ else {
+ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
+ $distro="unknown";
+ }
+
+ # Figure out what kind of system we're on.
+ if ($release ne "") {
+ if ($release =~ /^Darwin\s+(\d+)\.(\d+)/) {
+ if ($1 == 6 ) {
+ $distro = "OSX10.2";
}
- elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
- $distro="$1$2";
+ elsif ($1 == 7) {
+ $distro = "OSX10.3";
}
+ elsif ($1 == 8) {
+ $distro = "OSX10.3";
+ }
else {
- print STDERR "$err Could not determine operating system version!\n";
- $distro="unknown";
+ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
+ $distro = "unknown";
}
}
+ elsif ( $release =~ /(^HP-UX)\s*B\.(\d+\.\d+)/ ) {
+ $distro="$1$2";
+ }
+ else {
+ print STDERR "$err Could not infer operating system version from filesystem context. Setting inferred distro to 'unknown'.\n";
+ $distro="unknown";
+ }
}
-
- $GLOBAL_OS=$distro;
- } elsif (not (defined $GLOBAL_OS)) {
- print "ERROR: GLOBAL OS Scoping Issue\n";
- } else {
- $distro = $GLOBAL_OS;
}
-
return $distro;
}
###################################################################################
-# &getActualDistro; #
+# &getInferredDistro; #
# #
# This subroutine returns the actual os version in which is running on. This #
# os version is independent of the --os switch feed to bastille. #
# #
###################################################################################
-sub getActualDistro {
- # set local variable to $GLOBAL_OS
+sub getInferredDistro {
+ if ($GLOBAL_INFERRED_OS eq "None") {
+ $GLOBAL_INFERRED_OS = &InferDistro;
+ }
+ return $GLOBAL_INFERRED_OS;
+}
- if ($GLOBAL_ACTUAL_OS eq "None") {
- my $os = $GLOBAL_OS;
- # undef GLOBAL_OS so that the GetDistro routine will return
- # the actualDistro, it might otherwise return the distro set
- # by the --os switch.
- $GLOBAL_OS = "None";
- $GLOBAL_ACTUAL_OS = &GetDistro;
- # reset the GLOBAL_OS variable
- $GLOBAL_OS = $os;
+sub GetDistro {
+ if ($GLOBAL_OS eq "None") {
+ return &getInferredDistro;
}
- return $GLOBAL_ACTUAL_OS;
+ return $GLOBAL_OS;
}
+
# These are helper routines which used to be included inside GetDistro
sub is_OS_supported($) {
my $os=$_[0];
@@ -556,7 +545,8 @@
"SE7.2","SE7.3", "SE8.0","SE8.1","SE9.0","SE9.1",
"SE9.2","SE9.3","SE10.0","SE10.1","SE10.2","SE10.3",
"SESLES8","SESLES9","SESLES10",
- "TB7.0"
+ "TB7.0",
+ "Yocto"
],
"HP-UX" => [
@@ -882,23 +872,19 @@
###########################################################################
sub ConfigureForDistro {
- my $retval=1;
-
- # checking to see if the os version given is in fact supported
my $distro = &GetDistro;
- # checking to see if the actual os version is in fact supported
- my $actualDistro = &getActualDistro;
+ my $inferredDistro = &getInferredDistro;
+
+ if (! ($inferredDistro eq $distro) ) {
+ print STDERR "WARNING: Inferred distro $inferredDistro is not the same as specified distro $distro. Using specified distro.\n";
+ }
+
$ENV{'LOCALE'}=''; # So that test cases checking for english results work ok.
- if ((! &is_OS_supported($distro)) or (! &is_OS_supported($actualDistro)) ) {
- # if either is not supported then print out a list of supported versions
- if (! &is_OS_supported($distro)) {
- print STDERR "$err '$distro' is not a supported operating system.\n";
- }
- else {
- print STDERR "$err Bastille is unable to operate correctly on this\n";
- print STDERR "$spc $distro operating system.\n";
- }
+
+ if (! &is_OS_supported($distro)) {
+ print STDERR "$err '$distro' is not a supported operating system.\n";
+
my %supportedOSHash = &getSupportedOSHash;
print STDERR "$spc Valid operating system versions are as follows:\n";
@@ -930,7 +916,7 @@
# intend via setting the Perl umask
umask(077);
- &getFileAndServiceInfo($distro,$actualDistro);
+ &getFileAndServiceInfo($distro,$distro);
# &dumpFileInfo; # great for debuging file location issues
# &dumpServiceInfo; # great for debuging service information issues
@@ -942,7 +928,7 @@
"$spc You must use Bastille\'s -n flag (for example:\n" .
"$spc bastille -f -n) or \'touch $nodisclaim_file \'\n";
- return $retval;
+ return 1;
}
Index: Bastille/Bastille/LogAPI.pm
===================================================================
--- Bastille.orig/Bastille/LogAPI.pm 2013-08-22 04:32:38.269968002 -0400
+++ Bastille/Bastille/LogAPI.pm 2013-08-22 04:32:47.509968002 -0400
@@ -111,7 +111,7 @@
# do this here to prevent bootstrapping problem, where we need to
# write an error that the errorlog location isn't defined.
my $logdir="/var/log/Bastille";
- if(&getActualDistro =~ "^HP-UX"){
+ if(&getInferredDistro =~ "^HP-UX"){
$logdir = "/var/opt/sec_mgmt/bastille/log/";
}
@@ -0,0 +1,30 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/OSMap/LINUX.bastille
===================================================================
--- Bastille.orig/OSMap/LINUX.bastille 2008-01-25 18:31:35.000000000 -0500
+++ Bastille/OSMap/LINUX.bastille 2013-08-22 04:48:32.677968002 -0400
@@ -12,7 +12,6 @@
bfile,InteractiveBastille,'/usr/sbin/InteractiveBastille'
bfile,BastilleBackEnd,'/usr/sbin/BastilleBackEnd'
-bfile,Questions,'/usr/share/Bastille/Questions.txt'
bfile,QuestionsModules,'/usr/share/Bastille/Modules.txt'
bfile,TODO,'/var/log/Bastille/TODO'
bfile,TODOFlag,'/var/log/Bastille/TODOFlag.txt'
Index: Bastille/OSMap/OSX.bastille
===================================================================
--- Bastille.orig/OSMap/OSX.bastille 2007-09-11 18:09:26.000000000 -0400
+++ Bastille/OSMap/OSX.bastille 2013-08-22 04:48:47.245968001 -0400
@@ -10,7 +10,6 @@
bdir,share,'/usr/share/Bastille'
bfile,BastilleBackEnd,'/var/root/Bastille/BastilleBackEnd'
-bfile,Questions,'/usr/share/Bastille/Questions.txt'
bfile,QuestionsModules,'/usr/share/Bastille/Modules.txt'
bfile,TODO,'/var/log/Bastille/TODO'
bfile,TODOFlag,'/var/log/Bastille/TODOFlag.txt'
@@ -0,0 +1,157 @@
#!/usr/bin/env python3
#Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
import argparse, os, shutil, sys, tempfile, traceback
from os import path
def get_config(lines):
"""
From a sequence of lines retrieve the question file name, question identifier
pairs.
"""
for l in lines:
if not l.startswith("#"):
try:
(coord, value) = l.split("=")
try:
(fname, ident) = coord.split(".")
yield fname, ident
except ValueError as e:
raise ValueError("Badly formatted coordinates %s in line %s." % (coord, l.strip()))
except ValueError as e:
raise ValueError("Skipping badly formatted line %s, %s" % (l.strip(), e))
def check_contains(line, name):
"""
Check if the value field for REQUIRE_DISTRO contains the given name.
@param name line The REQUIRE_DISTRO line
@param name name The name to look for in the value field of the line.
"""
try:
(label, distros) = line.split(":")
return name in distros.split()
except ValueError as e:
raise ValueError("Error splitting REQUIRE_DISTRO line: %s" % e)
def add_requires(the_ident, distro, lines):
"""
Yield a sequence of lines the same as lines except that where
the_ident matches a question identifier change the REQUIRE_DISTRO so that
it includes the specified distro.
@param name the_ident The question identifier to be matched.
@param name distro The distribution to added to the questions REQUIRE_DISTRO
field.
@param lines The sequence to be processed.
"""
for l in lines:
yield l
if l.startswith("LABEL:"):
try:
(label, ident) = l.split(":")
if ident.strip() == the_ident:
break
except ValueError as e:
raise ValueError("Unexpected line %s in questions file." % l.strip())
for l in lines:
if l.startswith("REQUIRE_DISTRO"):
if not check_contains(l, distro):
yield l.rstrip() + " " + distro + "\n"
else:
yield l
break;
else:
yield l
for l in lines:
yield l
def xform_file(qfile, distro, qlabel):
"""
Transform a Questions file.
@param name qfile The designated questions file.
@param name distro The distribution to add to the required distributions.
@param name qlabel The question label for which the distro is to be added.
"""
questions_in = open(qfile)
questions_out = tempfile.NamedTemporaryFile(mode="w+", delete=False)
for l in add_requires(qlabel, distro, questions_in):
questions_out.write(l)
questions_out.close()
questions_in.close()
shutil.copystat(qfile, questions_out.name)
os.remove(qfile)
shutil.move(questions_out.name, qfile)
def handle_args(parser):
parser.add_argument('config_file',
help = "Configuration file path.")
parser.add_argument('questions_dir',
help = "Directory containing Questions files.")
parser.add_argument('--distro', '-d',
help = "The distribution, the default is Yocto.",
default = "Yocto")
parser.add_argument('--debug', '-b',
help = "Print debug information.",
action = 'store_true')
return parser.parse_args()
def check_args(args):
args.config_file = os.path.abspath(args.config_file)
args.questions_dir = os.path.abspath(args.questions_dir)
if not os.path.isdir(args.questions_dir):
raise ValueError("Specified Questions directory %s does not exist or is not a directory." % args.questions_dir)
if not os.path.isfile(args.config_file):
raise ValueError("Specified configuration file %s not found." % args.config_file)
def main():
opts = handle_args(argparse.ArgumentParser(description="A simple script that sets required questions based on the question/answer pairs in a configuration file."))
try:
check_args(opts)
except ValueError as e:
if opts.debug:
traceback.print_exc()
else:
sys.exit("Fatal error:\n%s" % e)
try:
config_in = open(opts.config_file)
for qfile, qlabel in get_config(config_in):
questions_file = os.path.join(opts.questions_dir, qfile + ".txt")
xform_file(questions_file, opts.distro, qlabel)
config_in.close()
except IOError as e:
if opts.debug:
traceback.print_exc()
else:
sys.exit("Fatal error reading or writing file:\n%s" % e)
except ValueError as e:
if opts.debug:
traceback.print_exc()
else:
sys.exit("Fatal error:\n%s" % e)
if __name__ == "__main__":
main()
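Review bot: In `xform_file`, the original is deleted with `os.remove(qfile)` before `shutil.move(questions_out.name, qfile)` runs, and the temporary file is created in the default temp directory, so a failure between the two calls (or a cross-filesystem move that fails part-way) leaves no Questions file at all. Creating the temp file beside the target, `tempfile.NamedTemporaryFile(mode="w+", delete=False, dir=os.path.dirname(qfile))`, and replacing the last two calls with `os.replace(questions_out.name, qfile)` makes the swap atomic. Both handles also stay open, and the temp file is left behind, if `add_requires` raises; `with` blocks would close them. Separately, in `main`, when `--debug` is set the `except ValueError` branch after `check_args` prints the traceback and then falls through to the processing loop instead of exiting.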
@@ -0,0 +1,40 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/Bastille/API.pm
===================================================================
--- Bastille.orig/Bastille/API.pm 2013-08-21 08:59:17.939950001 -0400
+++ Bastille/Bastille/API.pm 2013-08-21 08:59:30.983950001 -0400
@@ -1679,24 +1679,22 @@
use File::Copy;
- my $original_source=$source;
$source = &getGlobal('BDIR', "share") . $source;
- my $original_target=$target;
if ( -e $target and -f $target ) {
- &B_backup_file($original_target);
- &B_log("ACTION","About to copy $original_source to $original_target -- had to backup target\n");
+ &B_backup_file($target);
+ &B_log("ACTION","About to copy $source to $target -- had to backup target\n");
$had_to_backup_target=1;
}
$retval=copy($source,$target);
if ($retval) {
- &B_log("ACTION","placed file $original_source as $original_target\n");
+ &B_log("ACTION","placed file $source as $target\n");
#
# We want to add a line to the &getGlobal('BFILE', "created-files") so that the
# file we just put at $original_target gets deleted.
- &B_revert_log(&getGlobal('BIN',"rm") . " $original_target\n");
+ &B_revert_log(&getGlobal('BIN',"rm") . " $target\n");
} else {
- &B_log("ERROR","Failed to place $original_source as $original_target\n");
+ &B_log("ERROR","Failed to place $source as $target\n");
}
# We add the file to the GLOBAL_SUMS hash if it is not already present
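Review bot: The revert entry built by `&B_revert_log(&getGlobal('BIN',"rm") . " $target\n")` interpolates `$target` unquoted; if the revert log is later executed by a shell (not visible in this hunk), a target path containing whitespace or shell metacharacters would make the revert act on something other than the placed file, so quoting or validating the path before logging is worth considering. The context comment just above still names `$original_target`, which this patch removes; it should read `# file we just put at $target gets deleted.`. The log messages now print `$source` after the `BDIR` share prefix has been prepended, which changes what appears in the ACTION/ERROR log, and the patch header has no description saying so. The enclosing sub starts and ends outside the hunk.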
@@ -0,0 +1,91 @@
Upstream-Status: Inappropriate [No upstream maintenance]
Signed-off-by: Anne Mulhern <mulhern@yoctoproject.org>
---
Index: Bastille/Bastille/API.pm
===================================================================
--- Bastille.orig/Bastille/API.pm 2013-08-21 11:41:09.235950000 -0400
+++ Bastille/Bastille/API.pm 2013-08-21 11:41:16.183950000 -0400
@@ -271,9 +271,15 @@
# setOptions takes six arguments, $GLOBAL_DEBUG, $GLOBAL_LOGONLY,
# $GLOBAL_VERBOSE, $GLOBAL_AUDITONLY, $GLOBAL_AUDIT_NO_BROWSER, and GLOBAL_OS;
###########################################################################
-sub setOptions($$$$$$) {
- ($GLOBAL_DEBUG,$GLOBAL_LOGONLY,$GLOBAL_VERBOSE,$GLOBAL_AUDITONLY,
- $GLOBAL_AUDIT_NO_BROWSER,$GLOBAL_OS) = @_;
+sub setOptions {
+ my %opts = @_;
+
+ $GLOBAL_DEBUG = $opts{debug};
+ $GLOBAL_LOGONLY = $opts{logonly};
+ $GLOBAL_VERBOSE = $opts{verbose};
+ $GLOBAL_AUDITONLY = $opts{auditonly};
+ $GLOBAL_AUDIT_NO_BROWSER = $opts{audit_no_browser};
+ $GLOBAL_OS = $opts{os};
if ($GLOBAL_AUDIT_NO_BROWSER) {
$GLOBAL_AUDITONLY = 1;
}
Index: Bastille/BastilleBackEnd
===================================================================
--- Bastille.orig/BastilleBackEnd 2013-08-21 11:41:09.235950000 -0400
+++ Bastille/BastilleBackEnd 2013-08-21 12:40:54.055950001 -0400
@@ -50,15 +50,13 @@
my $nodisclaim = 0;
my $verbose = 0;
my $force = 0;
-my $log_only = 0;
my $debug = 0;
my $alternate_config=undef;
if( Getopt::Long::GetOptions( "n" => \$nodisclaim,
"v" => \$verbose,
"force" => \$force,
-# "log" => \$log_only, # broken
- "f:s" => \$alternate_config,
+ "f=s" => \$alternate_config,
"debug" => \$debug) ) {
$error = 0; # no parse error
@@ -66,7 +64,9 @@
$error = 1; # parse error
}
-&setOptions($debug,$log_only,$verbose);
+&setOptions(
+ debug => $debug,
+ verbose => $verbose);
&ConfigureForDistro;
if ( $error ) { # GetOptions couldn't parse all of the args
Index: Bastille/InteractiveBastille
===================================================================
--- Bastille.orig/InteractiveBastille 2013-08-21 11:41:09.235950000 -0400
+++ Bastille/InteractiveBastille 2013-08-21 12:40:30.531950001 -0400
@@ -234,8 +234,8 @@
"a" => \$audit,
"force" => \$force,
"log" => \$log_only,
- "os:s" => \$os_version,
- "f:s" => \$alternate_config,
+ "os=s" => \$os_version,
+ "f=s" => \$alternate_config,
"debug" => \$debug) ) {
$error = 0; # no parse error
} else {
@@ -293,7 +293,13 @@
$UseRequiresRules = 'N';
}
-&setOptions($debug,$log_only,$verbose,$audit,$auditnobrowser,$os_version);
+&setOptions(
+ debug => $debug,
+ logonly => $log_only,
+ verbose => $verbose,
+ auditonly => $audit,
+ audit_no_browser => $auditnobrowser,
+ os => $os_version);
&ConfigureForDistro;
# ensuring mutually exclusive options are exclusive
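Review bot: `setOptions` now assigns `$opts{os}` straight into `$GLOBAL_OS`, and the BastilleBackEnd call passes only `debug` and `verbose`, so `$GLOBAL_OS` ends up undef on that path. The `GetDistro` shown in the API.pm patch earlier on this page tests `$GLOBAL_OS eq "None"`, which is false for undef, so it would return undef rather than the inferred distro unless a default is restored elsewhere (not visible here); `$GLOBAL_OS = defined $opts{os} ? $opts{os} : "None";` would keep the sentinel. Unknown or misspelled keys are silently dropped by the hash assignment, so rejecting keys outside the six expected ones would catch caller typos. The header comment above the sub still says `setOptions takes six arguments` and should list the named keys instead; the body of `setOptions` continues past the hunk.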
@@ -0,0 +1,36 @@
From d1cb702d5147abea0d3208a4d554c61a6f2decd6 Mon Sep 17 00:00:00 2001
From: Scott Ellis <scott@jumpnowtek.com>
Date: Fri, 28 Dec 2018 11:08:25 -0500
Subject: [PATCH] Set custom paths
Upstream-Status: Inappropriate
Signed-off-by: Scott Ellis <scott@jumpnowtek.com>
---
nikto.conf | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/program/nikto.conf b/program/nikto.conf
index bf36c58..8c55415 100644
--- a/nikto.conf
+++ b/nikto.conf
@@ -61,11 +61,11 @@ CIRT=107.170.99.251
CHECKMETHODS=HEAD GET
# If you want to specify the location of any of the files, specify them here
-# EXECDIR=/opt/nikto # Location of Nikto
-# PLUGINDIR=/opt/nikto/plugins # Location of plugin dir
-# DBDIR=/opt/nikto/databases # Location of database dir
-# TEMPLATEDIR=/opt/nikto/templates # Location of template dir
-# DOCDIR=/opt/nikto/docs # Location of docs dir
+EXECDIR=/usr/bin/nikto # Location of Nikto
+PLUGINDIR=/etc/nikto/plugins # Location of plugin dir
+DBDIR=/etc/nikto/databases # Location of database dir
+TEMPLATEDIR=/etc/nikto/templates # Location of template dir
+DOCDIR=/usr/share/doc/nikto # Location of docs dir
# Default plugin macros
# Remove plugins designed to be run standalone
--
2.7.4
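Review bot: `EXECDIR=/usr/bin/nikto` names the installed executable rather than a directory: the recipe on this page installs `nikto.pl` as `${bindir}/nikto`, while the setting's own comment calls it the location of Nikto. With PLUGINDIR, DBDIR, TEMPLATEDIR and DOCDIR all set explicitly the value may never be used as a base path, but if it is, `EXECDIR=/usr/bin` would match the install layout. The paths are also hard-coded, so they drift from the recipe if the distro changes `sysconfdir` or `bindir`; a line in the patch header saying they must track `do_install` would help.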
@@ -0,0 +1,118 @@
SUMMARY = "web server scanner"
DESCRIPTION = "Nikto is an Open Source web server scanner which performs comprehensive tests against web servers"
SECTION = "security"
HOMEPAGE = "https://cirt.net/Nikto2"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
SRCREV = "f1bbd1a8756c076c8fd4f4dd0bc34a8ef215ae79"
SRC_URI = "git://github.com/sullo/nikto.git;branch=master;protocol=https \
file://location.patch"
S = "${WORKDIR}/git/program"
do_install() {
install -d ${D}${bindir}
install -d ${D}${datadir}
install -d ${D}${datadir}/man/man1
install -d ${D}${datadir}/doc/nikto
install -d ${D}${sysconfdir}/nikto
install -d ${D}${sysconfdir}/nikto/databases
install -d ${D}${sysconfdir}/nikto/plugins
install -d ${D}${sysconfdir}/nikto/templates
install -m 0644 databases/db_404_strings ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_content_search ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_dictionary ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_dir_traversal ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_domino ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_drupal ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_embedded ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_favicon ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_headers ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_httpoptions ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_multiple_index ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_outdated ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_parked_strings ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_realms ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_server_msgs ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_tests ${D}${sysconfdir}/nikto/databases
install -m 0644 databases/db_variables ${D}${sysconfdir}/nikto/databases
install -m 0644 plugins/LW2.pm ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_apache_expect_xss.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_apacheusers.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_auth.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_cgi.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_clientaccesspolicy.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_content_search.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_cookies.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_core.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_dictionary_attack.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_dir_traversal.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_dishwasher.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_docker_registry.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_domino.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_drupal.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_embedded.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_favicon.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_fileops.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_headers.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_httpoptions.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_ms10_070.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_msgs.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_multiple_index.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_negotiate.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_origin_reflection.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_outdated.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_parked.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_paths.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_put_del_test.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_report_csv.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_report_html.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_report_json.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_report_nbe.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_report_sqlg.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_report_text.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_report_xml.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_robots.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_siebel.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_sitefiles.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_ssl.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_strutshock.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 plugins/nikto_tests.plugin ${D}${sysconfdir}/nikto/plugins
install -m 0644 templates/htm_close.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_end.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_host_head.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_host_im.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_host_item.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_stop.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_start.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/htm_summary.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/xml_end.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/xml_host_head.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/xml_host_im.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/xml_host_item.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/xml_start.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 templates/xml_summary.tmpl ${D}${sysconfdir}/nikto/templates
install -m 0644 nikto.conf ${D}${sysconfdir}
install -m 0755 nikto.pl ${D}${bindir}/nikto
install -m 0644 replay.pl ${D}${bindir}
install -m 0644 docs/nikto.1 ${D}${datadir}/man/man1
install -m 0644 docs/CHANGES.txt ${D}${datadir}/doc/nikto
install -m 0644 docs/LICENSE.txt ${D}${datadir}/doc/nikto
install -m 0644 docs/nikto.dtd ${D}${datadir}/doc/nikto
install -m 0644 docs/nikto_manual.html ${D}${datadir}/doc/nikto
}
RDEPENDS:${PN} = "perl libnet-ssleay-perl libwhisker2-perl \
perl-module-getopt-long perl-module-time-local \
perl-module-io-socket perl-module-overloading \
perl-module-base perl-module-b perl-module-bytes"
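Review bot: `install -m 0644 replay.pl ${D}${bindir}` places a script in the bin directory without the execute bit, so it cannot be run as installed; `install -m 0755 replay.pl ${D}${bindir}` would match the `nikto.pl` line above it. `templates/htm_start.tmpl` is installed twice, once before and once after `htm_stop.tmpl`, and the second line can be dropped. The man page goes to `${D}${datadir}/man/man1` rather than `${D}${mandir}/man1`, which only lands in the right place while `mandir` keeps its default. A short comment in `do_install` noting that the `${sysconfdir}/nikto` layout must stay in step with the paths set by `location.patch` would save the next maintainer a search.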