Initial commit

Your Name
2026-04-23 17:07:55 +08:00
commit b7e39e063b
16725 changed files with 1625565 additions and 0 deletions
@@ -0,0 +1,44 @@
From 111b1e8f35e989513d8961a45a806767109f6e1e Mon Sep 17 00:00:00 2001
From: Mingli Yu <mingli.yu@windriver.com>
Date: Thu, 11 Aug 2022 17:15:30 +0800
Subject: [PATCH] Don't expose configure args
Don't expost configure args to fix buildpath issue.
Upstream-Status: Inappropriate [oe specific]
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
scripts/samhain.ebuild-light.in | 2 +-
scripts/samhain.ebuild.in | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/samhain.ebuild-light.in b/scripts/samhain.ebuild-light.in
index 2b09cdb..b7f7062 100644
--- a/scripts/samhain.ebuild-light.in
+++ b/scripts/samhain.ebuild-light.in
@@ -55,7 +55,7 @@ src_compile() {
# --with-state-dir=/var/lib/${PN} \
# --with-log-file=/var/log/${PN}.log \
- ./configure ${myconf} @mydefargs@ || die
+ ./configure ${myconf} mydefargs || die
emake || die
echo '#!/bin/sh' > ./sstrip
diff --git a/scripts/samhain.ebuild.in b/scripts/samhain.ebuild.in
index 635a746..b9a42e7 100644
--- a/scripts/samhain.ebuild.in
+++ b/scripts/samhain.ebuild.in
@@ -55,7 +55,7 @@ src_compile() {
# --with-state-dir=/var/lib/${PN} \
# --with-log-file=/var/log/${PN}.log \
- ./configure ${myconf} @mydefargs@ || die
+ ./configure ${myconf} mydefargs || die
emake || die
echo '#!/bin/sh' > ./sstrip
--
2.25.1
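Review bot: The replacement `./configure ${myconf} mydefargs || die` leaves the bare word `mydefargs` as a positional argument to configure, so the generated ebuild no longer embeds the build path but passes a meaningless token instead. If the aim is only to keep the recorded configure arguments out of the shipped file, dropping the token (`./configure ${myconf} || die`) is cleaner; how configure treats an unknown non-option argument is not visible on this page. The same line is changed in `scripts/samhain.ebuild.in`, and src_compile() continues outside both hunks.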
@@ -0,0 +1,73 @@
From e67acafa62f71f0015ed548918b98ed0b1ded128 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Sun, 19 Jan 2020 15:53:48 +0800
Subject: [PATCH] fix build with new version attr
The attr/xattr.h has been removed from attr 2.4.48 with commit:
http://git.savannah.nongnu.org/cgit/attr.git/commit/include?id=7921157890d07858d092f4003ca4c6bae9fd2c38
The xattr syscalls are provided by sys/xattr.h from glibc now.
Remove the checking code to adapt it.
Upstream-Status: Pending
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
aclocal.m4 | 26 +++++++++++---------------
src/sh_unix.c | 2 +-
2 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/aclocal.m4 b/aclocal.m4
index ee5b204..38cef8e 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1453,23 +1453,19 @@ AC_DEFUN([sh_CHECK_POSIX_ACL],
AC_DEFUN([sh_CHECK_XATTR],
[
- AC_CHECK_HEADERS(attr/xattr.h)
- if test $ac_cv_header_attr_xattr_h = yes; then
-
- AC_CHECK_LIB([attr], [getxattr], sh_lattr=yes, sh_lattr=no)
- if test x"$sh_lattr" = xyes; then
- LIBATTR=-lattr
- else
- LIBATTR=
- fi
-
- OLDLIBS="$LIBS"
- LIBS="$LIBS $LIBATTR"
- AC_CHECK_FUNCS([getxattr lgetxattr fgetxattr],
- [sh_fattr=yes],[sh_fattr=no])
- LIBS="$OLDLIBS"
+ AC_CHECK_LIB([attr], [getxattr], sh_lattr=yes, sh_lattr=no)
+ if test x"$sh_lattr" = xyes; then
+ LIBATTR=-lattr
+ else
+ LIBATTR=
fi
+ OLDLIBS="$LIBS"
+ LIBS="$LIBS $LIBATTR"
+ AC_CHECK_FUNCS([getxattr lgetxattr fgetxattr],
+ [sh_fattr=yes],[sh_fattr=no])
+ LIBS="$OLDLIBS"
+
if test x"$sh_fattr" = xyes; then
AC_DEFINE(USE_XATTR, 1, [Define if you want extended attributes support.])
LIBS="$LIBS $LIBATTR"
diff --git a/src/sh_unix.c b/src/sh_unix.c
index 3ede57f..ef236e9 100644
--- a/src/sh_unix.c
+++ b/src/sh_unix.c
@@ -3681,7 +3681,7 @@ static char * sh_unix_getinfo_acl (char * path, int fd, struct stat * buf)
#ifdef USE_XATTR
-#include <attr/xattr.h>
+#include <sys/xattr.h>
static char * sh_unix_getinfo_xattr_int (char * path, int fd, char * name)
{
char * out = NULL;
--
2.7.4
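Review bot: `src/sh_unix.c` now includes `<sys/xattr.h>` whenever USE_XATTR is defined, but the rewritten `sh_CHECK_XATTR` no longer checks for any header, so USE_XATTR depends on the `AC_CHECK_FUNCS` result alone. Adding `AC_CHECK_HEADERS(sys/xattr.h)` and requiring it before `AC_DEFINE(USE_XATTR, ...)` would keep the macro and the include in step on C libraries that lack the header. The `-lattr` probe is kept although the message says the calls now come from glibc; if libattr is present in the sysroot the binary presumably still links against it, which is worth confirming. The macro body continues past the hunk.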
+3
@@ -0,0 +1,3 @@
#!/bin/sh
current_dir=$(dirname $(readlink -f $0))
$current_dir/cutest
@@ -0,0 +1,28 @@
From ae79606a6745dbbd429d1d4671dfe3045d735057 Mon Sep 17 00:00:00 2001
From: Jackie Huang <jackie.huang@windriver.com>
Date: Thu, 14 Sep 2017 13:26:55 +0800
Subject: [PATCH] Add LDFLAGS variable for compiling samhain_setpwd
Upstream-Status: Pending
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
Makefile.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.in b/Makefile.in
index 01de987..49356cf 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1128,7 +1128,7 @@ sh_tiger_i.o: $(srcsrc)/$(TIGER_SRC) Makefile config_xor.h
samhain_setpwd: encode config_xor.h $(srcsrc)/samhain_setpwd.c
@echo '$(COMPILE) -o samhain_setpwd $(srcsrc)/samhain_setpwd.c'; \
./encode $(XOR_CODE) $(srcsrc)/samhain_setpwd.c; \
- $(COMPILE) -o samhain_setpwd x_samhain_setpwd.c; \
+ $(COMPILE) $(LDFLAGS) -o samhain_setpwd x_samhain_setpwd.c; \
rm x_samhain_setpwd.c
samhain_stealth: encode config_xor.h $(srcsrc)/samhain_stealth.c
--
2.11.0
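Review bot: The added `$(COMPILE) $(LDFLAGS) -o samhain_setpwd x_samhain_setpwd.c; \` is still joined to the following `rm x_samhain_setpwd.c` with `;`, so a failed compile or link is masked by the exit status of `rm` and make carries on without the binary. Chaining the three commands with `&&` instead of `;` would surface the failure. The `samhain_stealth` rule that begins on the last context line probably has the same compile line without `$(LDFLAGS)`; its recipe is outside the hunk, so that needs checking if the intent is for every helper binary to pick up the distribution's link-time hardening flags.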
@@ -0,0 +1,131 @@
From 3e2ca7e06b16ceff6d12beb5113312f6525df595 Mon Sep 17 00:00:00 2001
From: Jackie Huang <jackie.huang@windriver.com>
Date: Thu, 14 Sep 2017 11:02:12 +0800
Subject: [PATCH] configure.ac: avoid searching host for postgresql
Upstream-Status: Inappropriate [cross compile specific]
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
configure.ac | 101 +++--------------------------------------------------------
1 file changed, 5 insertions(+), 96 deletions(-)
Index: samhain-4.4.2/configure.ac
===================================================================
--- samhain-4.4.2.orig/configure.ac
+++ samhain-4.4.2/configure.ac
@@ -1290,90 +1290,11 @@ AC_ARG_WITH(database,
AC_DEFINE(WITH_POSTGRES)
AC_DEFINE(WITH_DATABASE)
#
- PGCONF="no"
- MY_PATH="${PATH}:/usr/local/bin:/usr/local/pgsql/bin"
- OLD_IFS="$IFS"
- IFS=":"
- for ff in ${MY_PATH}
- do
- if test -f "$ff/pg_config"
- then
- PGCONF="$ff/pg_config"
- fi
- done
- IFS="${OLD_IFS}"
- #
- #
- if test "x${PGCONF}" = "xno"
- then
- AC_MSG_CHECKING(for PostgreSQL in /usr/local/pgsql /usr/pgsql /usr/local /usr PGSQL_HOME)
- pgsql_directory="/usr/local/pgsql /usr/pgsql /usr/local /usr ${PGSQL_HOME}"
- for i in $pgsql_directory; do
- if test -r $i/include/pgsql/libpq-fe.h; then
- PGSQL_INC_DIR=$i/include
- PGSQL_DIR=$i
- # use AC_CHECK_HEADERS to check for pgsql/libpq-fe.h
- fi
- done
- if test -z "$PGSQL_DIR"; then
- for i in $pgsql_directory; do
- if test -r $i/include/postgresql/libpq-fe.h; then
- PGSQL_INC_DIR=$i/include
- PGSQL_DIR=$i
- fi
- done
- fi
- if test -z "$PGSQL_DIR"; then
- for i in $pgsql_directory; do
- if test -r $i/include/libpq-fe.h; then
- PGSQL_INC_DIR=$i/include
- PGSQL_DIR=$i
- fi
- done
- fi
-
- if test -z "$PGSQL_DIR"; then
- tmp=""
- for i in $pgsql_directory; do
- tmp="$tmp $i/include $i/include/pgsql $i/include/postgresql"
- done
- FAIL_MESSAGE("PostgreSQL header file (libpq-fe.h)", $tmp)
- fi
-
- for i in lib lib/pgsql lib/postgresql; do
- str="$PGSQL_DIR/$i/libpq.*"
- for j in `echo $str`; do
- if test -r $j; then
- PGSQL_LIB_DIR="$PGSQL_DIR/$i"
- break 2
- fi
- done
- done
-
- if test -z "$PGSQL_LIB_DIR"; then
- for ff in $pgsql_directory; do
- for i in lib lib/pgsql lib/postgresql; do
- str="$ff/$i/libpq.*"
- for j in `echo $str`; do
- if test -r $j; then
- PGSQL_LIB_DIR="$ff/$i"
- break 3
- fi
- done
- done
- done
- fi
-
- if test -z "$PGSQL_LIB_DIR"; then
- tmp=""
- for i in $pgsql_directory; do
- tmp="$i/lib $i/lib/pgsql $i/lib/postgresql"
- done
- FAIL_MESSAGE("postgresql library libpq", $tmp)
- fi
-
- AC_MSG_RESULT(yes)
-
+ if test -z "${PGSQL_LIB_DIR}" ; then
+ FAIL_MESSAGE("PGSQL_LIB_DIR is not set!")
+ elif test -z "${PGSQL_INC_DIR}" ; then
+ FAIL_MESSAGE("PGSQL_INC_DIR is not set!")
+ else
LIBS="$LIBS -L${PGSQL_LIB_DIR} -lpq -lm"
if test x"$enable_static" = xyes; then
LIBS="$LIBS -L${PGSQL_LIB_DIR} -lpq -lcrypt -lm"
@@ -1382,18 +1303,6 @@ AC_ARG_WITH(database,
fi
# CFLAGS="$CFLAGS -I${PGSQL_INC_DIR}"
CPPFLAGS="$CPPFLAGS -I${PGSQL_INC_DIR}"
- AC_CHECK_HEADERS(pgsql/libpq-fe.h)
- AC_CHECK_HEADERS(postgresql/libpq-fe.h)
- else
- pg_lib_dir=`${PGCONF} --libdir`
- if test x"$enable_static" = xyes; then
- LIBS="$LIBS -L${pg_lib_dir} -lpq -lcrypt -lm"
- else
- LIBS="$LIBS -L${pg_lib_dir} -lpq -lm"
- fi
- pg_inc_dir=`${PGCONF} --includedir`
- # CFLAGS="$CFLAGS -I${pg_inc_dir}"
- CPPFLAGS="$CPPFLAGS -I${pg_inc_dir}"
fi
elif test "x${withval}" = "xodbc"; then
AC_MSG_CHECKING(for odbc in /usr /usr/local ODBC_HOME)
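Review bot: `FAIL_MESSAGE("PGSQL_LIB_DIR is not set!")` is called with one argument, while the calls removed by this same hunk pass two (`FAIL_MESSAGE("postgresql library libpq", $tmp)`); the macro definition is not on this page, so the resulting error text should be checked. PGSQL_LIB_DIR and PGSQL_INC_DIR are now required environment inputs but are not declared anywhere, so they do not show up in `./configure --help`; `AC_ARG_VAR([PGSQL_LIB_DIR], [directory containing libpq])` and the same for PGSQL_INC_DIR would document them. With both `AC_CHECK_HEADERS` lines for `pgsql/libpq-fe.h` and `postgresql/libpq-fe.h` removed, PGSQL_INC_DIR presumably has to be the directory that holds `libpq-fe.h` itself, which deserves a comment next to the new test.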
@@ -0,0 +1,3 @@
# Set this to "yes" to start the server, after you configure it, of
# course.
SAMHAIN_CLIENT_START="no"
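Review bot: The comment says "start the server" but the variable it documents is `SAMHAIN_CLIENT_START`; the standalone defaults file further down carries the same sentence above `SAMHAIN_STANDALONE_START`. I would reword each to name what it controls, for example `# Set this to "yes" to start the samhain client once it is configured.`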
@@ -0,0 +1,122 @@
#!/bin/bash
# chkconfig: 2345 99 10
# description: File Integrity Checking Daemon
#
# processname: samhain
# config : /etc/samhainrc
# logfile : /var/log/samhain_log
# database: /var/lib/samhain/samhain_file
#
NAME=samhain
DAEMON=/usr/sbin/samhain
RETVAL=0
PIDFILE=/var/run/samhain.pid
. /etc/default/rcS
. /etc/default/samhain-client
if [ "x$SAMHAIN_CLIENT_START" != "xyes" ]; then
echo "${0}: client disabled in /etc/default/samhain-client"
exit 0
fi
if [ -x $DAEMON ]; then
:
else
echo "${0}: executable ${DAEMON} not found"
exit 1
fi
if [ ! -e /var/lib/samhain/samhain_file ]; then
echo "${0}: /var/lib/samhain/samhain_file does not exist. You must"
echo " run 'samhain -t init' before samhian-client can start."
exit 1
fi
samhain_done()
{
if [ $RETVAL -eq 0 ]; then
echo "."
else
echo " failed."
fi
}
log_stat_msg () {
case "$1" in
0)
echo "Service $NAME: Running";
;;
1)
echo "Service $NAME: Stopped and /var/run pid file exists";
;;
3)
echo "Service $NAME: Stopped";
;;
*)
echo "Service $NAME: Status unknown";
;;
esac
}
case "$1" in
start)
#
# Remove a stale PID file, if found
#
if test -f ${PIDFILE}; then
/bin/rm -f ${PIDFILE}
fi
#
echo -n "Starting ${NAME}"
start-stop-daemon --start --quiet --exec $DAEMON
RETVAL=$?
samhain_done
;;
stop)
echo -n "Stopping $NAME"
start-stop-daemon --stop --quiet --exec $DAEMON
RETVAL=$?
#
# Remove a stale PID file, if found
#
if test -f ${PIDFILE}; then
/bin/rm -f ${PIDFILE}
fi
if test -S /var/run/${NAME}.sock; then
/bin/rm -f /var/run/${NAME}.sock
fi
samhain_done
;;
restart)
$0 stop
sleep 3
$0 start
RETVAL=$?
;;
reload|force-reload)
echo -n "Reloading $NAME configuration files"
start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
RETVAL=$?
samhain_done
;;
status)
$DAEMON status
RETVAL=$?
log_stat_msg ${RETVAL}
;;
*)
echo "$0 usage: {start|stop|status|restart|reload}"
exit 1
;;
esac
exit $RETVAL
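Review bot: The `start)` branch deletes `${PIDFILE}` whenever it exists, without checking that the daemon is really gone, so running `start` against a live daemon removes its PID/lock file before `start-stop-daemon --start --exec` declines to launch a second copy. Guarding the removal with the liveness test the standalone script already uses, `if test -f ${PIDFILE} && ! pidof -o %PPID $DAEMON > /dev/null; then`, keeps the file for a running instance. The server and standalone init scripts on this page have the same unconditional removal in their `start)` branches. The `samhain -t init` hint also misspells the name as `samhian-client`.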
@@ -0,0 +1,102 @@
From 02a143f0068cbc6cea71359169210fbb3606d4bb Mon Sep 17 00:00:00 2001
From: Jackie Huang <jackie.huang@windriver.com>
Date: Mon, 18 Jan 2016 00:24:57 -0500
Subject: [PATCH] configure: add option for ps
The configure searches hardcoded host paths for PSPATH
and run ps commands to decide PSARG which will fail
on host without ps:
| configure: error: Cannot find ps in any of /usr/ucb /bin /usr/bin
So add an option so we can specify the ps at configure
to avoid host contamination.
Upstream-Status: Inappropriate [cross compile specific]
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
[AK: refactored for 4.4.3]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: samhain-4.4.2/configure.ac
===================================================================
--- samhain-4.4.2.orig/configure.ac
+++ samhain-4.4.2/configure.ac
@@ -743,56 +743,16 @@ then
fi
AC_CHECK_HEADERS(gmp.h)
-AC_MSG_CHECKING([for ps])
-PS=
-for ff in /usr/ucb /bin /usr/bin; do
- if test -x "$ff/ps"; then
- PS="$ff/ps"
- AC_MSG_RESULT([$PS])
- break
- fi
-done
-if test x$PS = x
-then
- AC_MSG_RESULT([no])
- AC_MSG_ERROR([Cannot find ps in any of /usr/ucb /bin /usr/bin])
-fi
-AC_DEFINE_UNQUOTED([PSPATH], _("$PS"), [Path to ps])
+AC_ARG_WITH(ps-path,
+ [ --with-ps-path=PATH set path to ps command ],
+ [
+ if test "x${withval}" != xno; then
+ pspath="${withval}"
+ AC_DEFINE_UNQUOTED([PSPATH], _("${pspath}"), [Path to ps])
+ AC_DEFINE_UNQUOTED([PSARG], _("ax"), [Argument for ps])
+ fi
+ ])
-AC_MSG_CHECKING([how to use ps])
-$PS ax >/dev/null 2>&1
-if test $? -eq 0; then
- case "$host_os" in
- *openbsd*)
- one=`$PS akx | wc -l`
- ;;
- *)
- one=`$PS ax | wc -l`
- ;;
- esac
-else
- one=0
-fi
-$PS -e >/dev/null 2>&1
-if test $? -eq 0; then
- two=`$PS -e | wc -l`
-else
- two=0
-fi
-if test $one -ge $two
-then
- case "$host_os" in
- *openbsd*)
- PSARG="akx"
- ;;
- *)
- PSARG="ax"
- ;;
- esac
-else
- PSARG="-e"
-fi
-AC_DEFINE_UNQUOTED([PSARG], _("$PSARG"), [Argument for ps])
AC_MSG_RESULT([$PS $PSARG])
dnl *****************************************
Index: samhain-4.4.2/aclocal.m4
===================================================================
--- samhain-4.4.2.orig/aclocal.m4
+++ samhain-4.4.2/aclocal.m4
@@ -409,7 +409,7 @@ x_includes=NONE
x_libraries=NONE
DESTDIR=
SH_ENABLE_OPTS="selinux posix-acl asm ssp db-reload xml-log message-queue login-watch process-check port-check mounts-check logfile-monitor userfiles debug ptrace static network udp nocl stealth micro-stealth install-name identity khide suidcheck base largefile mail external-scripts encrypt srp dnmalloc ipv6 shellexpand suid"
-SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver signify pubkey-checksum gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file"
+SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file ps-path"
# Installation directory options.
# These are left unexpanded so users can "make install exec_prefix=/foo"
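Review bot: The new `SH_WITH_OPTS` value in the aclocal.m4 hunk does more than append `ps-path`: it also drops `signify` and `pubkey-checksum` and adds `kcheck`, which the commit message does not mention and which looks like a leftover from refreshing the patch against a different release. If configure validates `--with-*` names against this list, the signature-verification options would be rejected, so the line should be the original value with only ` ps-path` appended. In configure.ac, `AC_MSG_RESULT([$PS $PSARG])` is kept although both `AC_MSG_CHECKING` calls and the assignments to `PS` and `PSARG` are removed, so it prints an empty result with no matching check. When `--with-ps-path` is not given, PSPATH and PSARG are never defined; an `AC_MSG_ERROR` or an explicit default would make that case visible at configure time.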
@@ -0,0 +1,28 @@
Fix error when compile for powerpc:
| x_sh_dbIO.c: In function 'swap_short':
| x_sh_dbIO.c:229:36: error: initializer element is not constant
| 229 | static unsigned short ooop = *iptr;
| | ^
Upstream-Status: Pending
Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
src/sh_dbIO.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/sh_dbIO.c b/src/sh_dbIO.c
index b547ac5..23a9621 100644
--- a/src/sh_dbIO.c
+++ b/src/sh_dbIO.c
@@ -226,7 +226,8 @@ static unsigned short * swap_short (unsigned short * iptr)
else
{
/* alignment problem */
- static unsigned short ooop = *iptr;
+ static unsigned short ooop;
+ ooop = *iptr;
unsigned short hi = (ooop & 0xff00);
unsigned short lo = (ooop & 0xff);
ooop = (lo << 8) | (hi >> 8);
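Review bot: Splitting the initialiser puts the statement `ooop = *iptr;` ahead of the declarations of `hi` and `lo`, which is fine for C99 but fails or warns for builds using C89 rules or `-Wdeclaration-after-statement`; declaring `hi` and `lo` first and assigning afterwards avoids that. The branch is commented `/* alignment problem */` yet still reads through `*iptr`; if iptr can really be misaligned here, `memcpy(&ooop, iptr, sizeof ooop);` is the safe read, but the condition selecting this branch is outside the hunk. `ooop` presumably stays `static` so the function can return its address, which makes swap_short non-reentrant; a one-line comment saying so would help.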
@@ -0,0 +1,44 @@
commit 0f6bdc219e598de08a3f37887efa5dfa50e2b996
Author: Aws Ismail <aws.ismail@windriver.com>
Date: Fri Jun 22 15:47:08 2012 -0400
Hash fix for MIPS64 and AARCH64
Samhain uses the addresses of local variables in generating hash
values. The hashing function is designed only for 32-bit values.
For MIPS64 when a 64-bit address is passed in the resulting hash
exceeds the limits of the underlying mechanism and samhain
ultimately fails. The solution is to simply take the lower
32-bits of the address and use that in generating hash values.
Signed-off-by: Greg Moffatt <greg.moffatt@windriver.com>
Upstream-Status: Pending
Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
diff --git a/src/dnmalloc.c b/src/dnmalloc.c
index da9a5c5..fc91400 100644
--- a/src/dnmalloc.c
+++ b/src/dnmalloc.c
@@ -2703,11 +2703,19 @@ static void freecilst_add(chunkinfoptr p) {
}
/* Calculate the hash table entry for a chunk */
+#if defined(CONFIG_ARCH_MIPS64) || defined(CONFIG_ARCH_AARCH64)
+#ifdef STARTHEAP_IS_ZERO
+#define hash(p) ((((unsigned long) p) & 0x7fffffff) >> 7)
+#else
+#define hash(p) ((((unsigned long) p - (unsigned long) startheap) & 0x7fffffff) >> 7)
+#endif
+#else
#ifdef STARTHEAP_IS_ZERO
#define hash(p) (((unsigned long) p) >> 7)
#else
#define hash(p) (((unsigned long) p - (unsigned long) startheap) >> 7)
#endif
+#endif /* CONFIG_ARCH_MIPS64 */
static void
hashtable_add (chunkinfoptr ci)
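Review bot: The new branch is selected by `CONFIG_ARCH_MIPS64` and `CONFIG_ARCH_AARCH64`, which are not compiler-predefined macros, so unless the build passes them with `-D` (not visible on this page) the masked `hash(p)` is never compiled; also testing `__mips64` and `__aarch64__` would make the fix self-contained. The description speaks of taking the lower 32 bits, but `& 0x7fffffff` keeps 31; either the mask or the message should be corrected, and a comment giving the table size the mask is meant to respect would make the intent checkable. The closing `#endif /* CONFIG_ARCH_MIPS64 */` comment should name both macros.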
@@ -0,0 +1,24 @@
not run test on host, since we are doing cross-compile
Upstream-Status: Inappropriate [cross compile specific]
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
Makefile.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/Makefile.in b/Makefile.in
index e1b32a8..74bfdc9 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1234,7 +1234,6 @@ intcutest: internal.h $(OBJECTS) $(CUTEST_OBJECTS) sh_tiger_i.o $(srcsrc)/CuTest
rm x_samhain.c; \
$(LINK) sh_tiger_i.o $(CUTEST_OBJECTS) CuTestMain.o CuTest.o $(OBJECTS) $(LIBS_TRY); \
test -f ./intcutest && mv ./intcutest ./cutest; \
- ./cutest
runcutest:
gdb ./cutest
--
1.7.10.4
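Review bot: Removing `./cutest` leaves `test -f ./intcutest && mv ./intcutest ./cutest; \` as the last recipe line, still ending in `; \`, so the recipe now continues onto whatever line follows it. That works only as long as an empty line separates it from `runcutest:`; dropping the trailing `; \` (`test -f ./intcutest && mv ./intcutest ./cutest`) removes that dependency. The intcutest recipe starts outside the hunk.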
@@ -0,0 +1,27 @@
commit a932b03b65edeb02ccad2fce06bfa68a8f2fbb04
Author: Aws Ismail <aws.ismail@windriver.com>
Date: Thu Jan 10 16:29:05 2013 -0500
Set the PID Lock path for samhain.pid
The explicit path for samhain.pid inorder
for samhain to work properly after it initial
database build.
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
diff --git a/samhainrc.linux b/samhainrc.linux
index 10a8176..a7b06e6 100644
--- a/samhainrc.linux
+++ b/samhainrc.linux
@@ -639,7 +639,7 @@ SetFileCheckTime = 86400
## Path to the PID file
#
-# SetLockfilePath = (default: compiled-in)
+SetLockfilePath = /run/samhain.pid
## The digest/checksum/hash algorithm
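Review bot: `SetLockfilePath = /run/samhain.pid` does not match `PIDFILE=/var/run/samhain.pid` in the client and standalone init scripts added by this same commit. The two agree only where `/var/run` is a symlink to `/run`; using one path in both places, or a comment next to the setting stating that assumption, would keep the PID-file cleanup in the init scripts pointed at the file the daemon really writes.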
@@ -0,0 +1,61 @@
From 00fb527e45da42550156197647e01de9a6b1ad52 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Mon, 3 Mar 2014 01:50:01 -0500
Subject: [PATCH] fix real path for some files/dirs
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
samhainrc.linux | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/samhainrc.linux b/samhainrc.linux
index e9727b4..7775d83 100644
--- a/samhainrc.linux
+++ b/samhainrc.linux
@@ -93,7 +93,6 @@ dir = 99/etc
##
file = /etc/mtab
file = /etc/fstab
-file = /etc/adjtime
file = /etc/motd
file = /etc/lvm/lvm.conf
@@ -153,11 +152,11 @@ dir = 99/var
[IgnoreAll]
dir = -1/var/cache
-dir = -1/var/lock
-dir = -1/var/mail
-dir = -1/var/run
+dir = -1/run/lock
+dir = -1/var/spool/mail
+dir = -1/run
dir = -1/var/spool
-dir = -1/var/tmp
+dir = -1/var/volatile/tmp
[Attributes]
@@ -167,7 +166,7 @@ dir = -1/var/tmp
file = /var/lib/rpm/__db.00?
file = /var/lib/logrotate.status
-file = /var/lib/random-seed
+file = /var/lib/urandom/random-seed
[GrowingLogFiles]
@@ -176,7 +175,7 @@ file = /var/lib/random-seed
## are ignored. Logfile rotation will cause a report because of shrinking
## size and different inode.
##
-dir = 99/var/log
+dir = 99/var/volatile/log
[Attributes]
#
--
1.7.9.5
@@ -0,0 +1,158 @@
commit 4c6658441eb3ffc4e51ed70f78cbdab046957580
Author: Aws Ismail <aws.ismail@windriver.com>
Date: Fri Jun 22 16:38:20 2012 -0400
Make samhainrc OE-friendly.
Patch the samhainrc that will be installed
as part of the 'make install' step to more
accurately reflect what will be found, and
what will be of concern, on a OE install.
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
diff --git a/samhainrc.linux b/samhainrc.linux
index 9bc5ca4..10a8176 100644
--- a/samhainrc.linux
+++ b/samhainrc.linux
@@ -74,7 +74,6 @@ dir = 0/
[Attributes]
file = /tmp
file = /dev
-file = /media
file = /proc
file = /sys
@@ -93,19 +92,10 @@ dir = 99/etc
## check permission and ownership
##
file = /etc/mtab
+file = /etc/fstab
file = /etc/adjtime
file = /etc/motd
-file = /etc/lvm/.cache
-
-# On Ubuntu, these are in /var/lib rather than /etc
-file = /etc/cups/certs
-file = /etc/cups/certs/0
-
-# managed by fstab-sync on Fedora Core
-file = /etc/fstab
-
-# modified when booting
-file = /etc/sysconfig/hwconf
+file = /etc/lvm/lvm.conf
# There are files in /etc that might change, thus changing the directory
# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
@@ -147,10 +137,6 @@ dir = 99/dev
##
dir = -1/dev/pts
-# dir = -1/dev/.udevdb
-
-file = /dev/ppp
-
#
# --------- /usr -----------
#
@@ -167,50 +153,21 @@ dir = 99/var
[IgnoreAll]
dir = -1/var/cache
-dir = -1/var/backups
-dir = -1/var/games
-dir = -1/var/gdm
dir = -1/var/lock
dir = -1/var/mail
dir = -1/var/run
dir = -1/var/spool
dir = -1/var/tmp
-dir = -1/var/lib/texmf
-dir = -1/var/lib/scrollkeeper
[Attributes]
-dir = /var/lib/nfs
-dir = /var/lib/pcmcia
-
# /var/lib/rpm changes if packets are installed;
# /var/lib/rpm/__db.00[123] even more frequently
file = /var/lib/rpm/__db.00?
-file = /var/lib/acpi-support/vbestate
-file = /var/lib/alsa/asound.state
-file = /var/lib/apt/lists/lock
-file = /var/lib/apt/lists/partial
-file = /var/lib/cups/certs
-file = /var/lib/cups/certs/0
-file = /var/lib/dpkg/lock
-file = /var/lib/gdm
-file = /var/lib/gdm/.cookie
-file = /var/lib/gdm/.gdmfifo
-file = /var/lib/gdm/:0.Xauth
-file = /var/lib/gdm/:0.Xservers
-file = /var/lib/logrotate/status
-file = /var/lib/mysql
-file = /var/lib/mysql/ib_logfile0
-file = /var/lib/mysql/ibdata1
-file = /var/lib/slocate
-file = /var/lib/slocate/slocate.db
-file = /var/lib/slocate/slocate.db.tmp
-file = /var/lib/urandom
-file = /var/lib/urandom/random-seed
+file = /var/lib/logrotate.status
file = /var/lib/random-seed
-file = /var/lib/xkb
[GrowingLogFiles]
@@ -325,7 +282,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp
## Console
##
-# PrintSeverity=info
+PrintSeverity=warn
## Logfile
##
@@ -333,7 +290,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp
## Syslog
##
-# SyslogSeverity=none
+SyslogSeverity=info
## Remote server (yule)
##
@@ -556,7 +513,8 @@ ChecksumTest=check
## and I/O limit (kilobytes per second; 0 == off)
## to reduce load on host.
#
-# SetNiceLevel = 0
+# By default we configure samhain to be nice with everything else on the system
+SetNiceLevel = 10
# SetIOLimit = 0
## The version string to embed in file signature databases
@@ -565,13 +523,14 @@ ChecksumTest=check
## Interval between time stamp messages
#
-# SetLoopTime = 60
-SetLoopTime = 600
+# Log a timestamp every hour
+SetLoopTime = 3600
## Interval between file checks
#
# SetFileCheckTime = 600
-SetFileCheckTime = 7200
+# One file system check per day
+SetFileCheckTime = 86400
## Alternative: crontab-like schedule
#
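Review bot: `file = /etc/lvm/lvm.conf` is added to the block whose comment reads "check permission and ownership", in place of the volatile `/etc/lvm/.cache`, so content changes to a static configuration file would apparently go unreported. Unless lvm.conf is expected to be rewritten at runtime, leaving it to the `dir = 99/etc` policy seems the better fit. `SetFileCheckTime = 86400` also stretches the worst-case delay before a modified file is reported from two hours to a day, and `SetLoopTime = 3600` does the same for noticing a missing timestamp message; a comment recording why those values suit this target would help whoever tunes them later.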
@@ -0,0 +1 @@
d daemon daemon 0775 /var/log/yule none
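Review bot: `/var/log/yule` is created with mode 0775, so every member of group `daemon` can create, rename and delete entries in the directory that holds the integrity server's log. Unless something other than the owner has to write there (not visible on this page), a tighter mode is the safer default, for example `d daemon daemon 0750 /var/log/yule none`. The tmpfiles.d line that follows, `d /var/log/yule 0775 daemon daemon -`, should change with it.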
@@ -0,0 +1 @@
d /var/log/yule 0775 daemon daemon -
@@ -0,0 +1,3 @@
# Set this to "yes" to start the server, after you configure it, of
# course.
SAMHAIN_SERVER_START="no"
@@ -0,0 +1,116 @@
#!/bin/bash
# chkconfig: 2345 98 11
# description: File Integrity Checking Daemon
#
# processname: yule
# config : /etc/yulerc
# logfile : /var/log/yule/yule_log
# database: /var/lib/yule/yule_file
#
NAME=yule
DAEMON=/usr/sbin/yule
RETVAL=0
PIDFILE=/var/run/yule.pid
. /etc/default/rcS
. /etc/default/samhain-server
if [ "x$SAMHAIN_SERVER_START" != "xyes" ]; then
echo "${0}: server disabled in /etc/default/samhain-server"
exit 0
fi
if [ -x $DAEMON ]; then
:
else
echo "${0}: executable ${DAEMON} not found"
exit 1
fi
samhain_done()
{
if [ $RETVAL -eq 0 ]; then
echo "."
else
echo " failed."
fi
}
log_stat_msg () {
case "$1" in
0)
echo "Service $NAME: Running";
;;
1)
echo "Service $NAME: Stopped and /var/run pid file exists";
;;
3)
echo "Service $NAME: Stopped";
;;
*)
echo "Service $NAME: Status unknown";
;;
esac
}
case "$1" in
start)
#
# Remove a stale PID file, if found
#
if test -f ${PIDFILE}; then
/bin/rm -f ${PIDFILE}
fi
#
echo -n "Starting ${NAME}"
start-stop-daemon --start --quiet --exec $DAEMON
RETVAL=$?
samhain_done
;;
stop)
echo -n "Stopping $NAME"
start-stop-daemon --stop --quiet --exec $DAEMON
RETVAL=$?
#
# Remove a stale PID file, if found
#
if test -f ${PIDFILE}; then
/bin/rm -f ${PIDFILE}
fi
if test -S /var/run/${NAME}.sock; then
/bin/rm -f /var/run/${NAME}.sock
fi
samhain_done
;;
restart)
$0 stop
sleep 3
$0 start
RETVAL=$?
;;
reload|force-reload)
echo -n "Reloading $NAME configuration files"
start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
RETVAL=$?
samhain_done
;;
status)
$DAEMON status
RETVAL=$?
log_stat_msg ${RETVAL}
;;
*)
echo "$0 usage: {start|stop|status|restart|reload}"
exit 1
;;
esac
exit $RETVAL
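Review bot: `status)` runs `$DAEMON status` and feeds the exit code to `log_stat_msg`, which assumes the yule binary implements a `status` argument returning the codes 0/1/3; nothing on this page shows that it does, and the standalone script uses `pidof -o %PPID $DAEMON` instead. If the binary does not treat `status` as a query, this branch may misreport the daemon, so I would switch to the `pidof` test and set `RETVAL=0` or `RETVAL=3` from it. The client init script has the same `$DAEMON status` call. The usage line also omits `force-reload`, which the case statement accepts.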
@@ -0,0 +1,22 @@
samhain: fix sha256 for big-endian machines
After computing the digest, big-endian machines would
memset() the digest to the first byte of state instead
of using memcpy() to transfer it.
Upstream-Status: Pending
Signed-off-by: Joe Slater <jslater@windriver.com>
--- a/src/sh_checksum.c
+++ b/src/sh_checksum.c
@@ -468,7 +468,7 @@ void SHA256_Final(sha2_byte digest[], SH
}
}
#else
- memset(d, context->state, SHA256_DIGEST_LENGTH);
+ memcpy(d, context->state, SHA256_DIGEST_LENGTH);
/* bcopy(context->state, d, SHA256_DIGEST_LENGTH); */
#endif
}
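Review bot: With the old `memset` the big-endian branch of SHA256_Final filled the digest with one repeated byte, so SHA-256 values stored by a big-endian build before this fix would not have reflected file content. The patch header should say that baseline databases produced by such builds presumably have to be re-initialised after the upgrade. The commented-out `bcopy` line under the new `memcpy` can go, and a known-answer SHA-256 vector in the CuTest suite would catch a regression on this branch. SHA256_Final starts outside the hunk.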
@@ -0,0 +1,3 @@
# Set this to "yes" to start the server, after you configure it, of
# course.
SAMHAIN_STANDALONE_START="no"
@@ -0,0 +1,123 @@
#!/bin/sh
# chkconfig: 2345 99 10
# description: File Integrity Checking Daemon
#
# processname: samhain
# config : /etc/samhainrc
# logfile : /var/log/samhain_log
# database: /var/lib/samhain/samhain_file
#
NAME=samhain
DAEMON=/usr/sbin/samhain
RETVAL=0
VERBOSE=yes
PIDFILE=/var/run/samhain.pid
. /etc/default/samhain-standalone
if [ "x$SAMHAIN_STANDALONE_START" != "xyes" ]; then
echo "${0}: samhain disabled in /etc/default/samhain-standalone"
exit 0
fi
if [ -x $DAEMON ]; then
:
else
echo "${0}: executable ${DAEMON} not found"
exit 1
fi
if [ ! -e /var/lib/samhain/samhain_file ]; then
echo "${0}: /var/lib/samhain/samhain_file does not exist. You must"
echo " run 'samhain -t init' before samhian can start."
exit 1
fi
samhain_done()
{
if [ $RETVAL -eq 0 ]; then
echo "."
else
echo " failed."
fi
}
log_stat_msg () {
case "$1" in
0)
echo "Service $NAME: Running";
;;
1)
echo "Service $NAME: Stopped and /var/run pid file exists";
;;
3)
echo "Service $NAME: Stopped";
;;
*)
echo "Service $NAME: Status unknown";
;;
esac
}
case "$1" in
start)
#
# Remove a stale PID file, if found
#
if test -f ${PIDFILE}; then
/bin/rm -f ${PIDFILE}
fi
echo -n "Starting ${NAME}"
start-stop-daemon --start --quiet --exec $DAEMON
RETVAL=$?
samhain_done
exit $RETVAL
;;
stop)
echo -n "Stopping $NAME"
start-stop-daemon --stop --quiet --exec $DAEMON
RETVAL=$?
samhain_done
#
# Remove a stale PID file, if found
#
if test -f ${PIDFILE}; then
/bin/rm -f ${PIDFILE}
fi
if test -S /var/run/${NAME}.sock; then
/bin/rm -f /var/run/${NAME}.sock
fi
;;
restart)
$0 stop
sleep 3
$0 start
RETVAL=$?
;;
reload|force-reload)
echo -n "Reloading $NAME configuration files"
start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
RETVAL=$?
samhain_done
;;
status)
if pidof -o %PPID $DAEMON > /dev/null; then
echo "Samhain running"
RETVAL=0
else
echo "Samhain not running"
RETVAL=1
fi
;;
*)
echo "$0 usage: {start|stop|status|restart|reload}"
exit 1
;;
esac
exit $RETVAL
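Review bot: `status)` sets `RETVAL=1` when the daemon is not running, but `log_stat_msg` in this same script maps 1 to "Stopped and /var/run pid file exists" and 3 to "Stopped", and the function is never called here. Either return `RETVAL=3` for the not-running case and call `log_stat_msg ${RETVAL}`, or drop the unused function together with the unused `VERBOSE=yes`. The script is `#!/bin/sh` yet relies on `echo -n`, which is not portable across sh implementations; `printf '%s' "Starting ${NAME}"` avoids that.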
@@ -0,0 +1,12 @@
[Unit]
Description=Samhain @MODE_NAME@ Daemon
After=syslog.target network.target
[Service]
Type=forking
RemainAfterExit=yes
ExecStart=@LIBDIR@/@SAMHAIN_HELPER@ start
ExecStop=@LIBDIR@/@SAMHAIN_HELPER@ stop
[Install]
WantedBy=multi-user.target
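Review bot: `Type=forking` together with `RemainAfterExit=yes` and no `PIDFile=` means systemd keeps the unit active after the helper script exits whether or not the daemon is still alive, so a crashed or killed integrity daemon is not reflected in the unit state. I would drop `RemainAfterExit=yes` and add a `PIDFile=` line pointing at the lock file the mode writes (`/run/samhain.pid` per the samhainrc patch on this page; the server mode would need its own substitution), optionally with `Restart=on-failure`. `After=syslog.target` can also be removed, since current systemd no longer needs it.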