Initial commit

Your Name
2026-04-23 17:07:55 +08:00
commit b7e39e063b
16725 changed files with 1625565 additions and 0 deletions
@@ -0,0 +1,87 @@
SUMARRY = "The ethernet monitor program; for keeping track of ethernet/ip address pairings"
LICENSE = "BSD-4-Clause"
HOME_PAGE = "http://ee.lbl.gov/"
LIC_FILES_CHKSUM = "file://configure;md5=0f6cca2f69f384a14e2f5803210ca92e"
DEPENDS += "libpcap"
SRC_URI = "https://ee.lbl.gov/downloads/arpwatch/${BP}.tar.gz \
file://arpwatch.conf \
file://arpwatch.default \
file://arpwatch_init \
file://host_contam_fix.patch \
"
SRC_URI[sha256sum] = "d47fa8b291fc37a25a2d0f3e1b64f451dc0be82d714a10ffa6ef8b0b9e33e166"
inherit autotools-brokensep update-rc.d useradd
ARPWATCH_UID ?= "arpwatch"
ARPWATCH_GID ?= "arpwatch"
APRWATCH_FROM ?= "root "
ARPWATH_REPLY ?= "${ARPWATCH_UID}"
PACKAGECONFIG ??= ""
PACKACONFIG[email] = "-with-watcher=email=${APRWATCH_FROM} --with-watchee=email=${ARPWATH_REPLY}, , postfix, postfix postfix-cfg"
EXTRA_OECONF:append = " --srcdir=${S}"
CONFIGUREOPTS = " --build=${BUILD_SYS} \
--host=${HOST_SYS} \
--target=${TARGET_SYS} \
--prefix=${prefix} \
--exec_prefix=${exec_prefix} \
--bindir=${bindir} \
--sbindir=${sbindir} \
--libexecdir=${libexecdir} \
--datadir=${datadir} \
--sysconfdir=${sysconfdir} \
--sharedstatedir=${sharedstatedir} \
--localstatedir=${localstatedir} \
--libdir=${libdir} \
--includedir=${includedir} \
--oldincludedir=${oldincludedir} \
--infodir=${infodir} \
--mandir=${mandir} \
"
do_configure () {
${S}/configure ${CONFIGUREOPTS} ${EXTRA_OECONF}
}
do_install () {
install -d ${D}${bindir}
install -d ${D}${sbindir}
install -d ${D}${mandir}
install -d ${D}${sysconfdir}
install -d ${D}${sysconfdir}/default
install -d ${D}${sysconfdir}/init.d
install -d ${D}${prefix}/etc/rc.d
install -d ${D}/var/lib/arpwatch
oe_runmake install DESTDIR=${D}
install -m 644 ${WORKDIR}/arpwatch.conf ${D}${sysconfdir}
install -m 655 ${WORKDIR}/arpwatch_init ${D}${sysconfdir}/init.d/arpwatch
install -m 644 ${WORKDIR}/arpwatch.default ${D}${sysconfdir}/default
}
INITSCRIPT_NAME = "arpwatch"
INITSCRIPT_PARAMS = "start 02 2 3 4 5 . stop 20 0 1 6 ."
USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM:${PN} = "--system ${ARPWATCH_UID}"
USERADD_PARAM:${PN} = "--system -g ${ARPWATCH_GID} --home-dir \
${localstatedir}/spool/${BPN} \
--no-create-home --shell /bin/false ${BPN}"
CONFFILE_FILES = "${sysconfdir}/${PN}.conf"
FILES:${PN} = "${bindir} ${sbindir} ${prefix}/etc/rc.d \
${sysconfdir} /var/lib/arpwatch"
COMPATIBLE_HOST:riscv32 = "null"
COMPATIBLE_HOST:riscv64 = "null"
COMPATIBLE_HOST:libc-musl = "null"
RDEPENDS:${PN} = "libpcap"
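Review bot: Several variable names in this recipe are misspelled, so BitBake will silently ignore them: `SUMARRY` (SUMMARY), `HOME_PAGE` (HOMEPAGE), `PACKACONFIG[email]` (PACKAGECONFIG[email]) and `CONFFILE_FILES` (CONFFILES). The effect is that the email option is never applied and arpwatch.conf is not tracked as a conffile. Inside the email option, `-with-watcher` has a single leading dash where `--with-watchee` has two. In do_install the init script is installed with `-m 655`, which leaves the owner without execute permission; `install -m 0755 ${WORKDIR}/arpwatch_init ${D}${sysconfdir}/init.d/arpwatch` is presumably what was meant. GROUPADD_PARAM also names the group from `${ARPWATCH_UID}` while USERADD_PARAM joins `${ARPWATCH_GID}` and names the user `${BPN}`, so overriding either variable would break account creation.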
@@ -0,0 +1,23 @@
# /etc/arpwatch.conf: Debian-specific way to watch multiple interfaces.
# Format of this configuration file is:
#
#<dev1> <arpwatch options for dev1>
#<dev2> <arpwatch options for dev2>
#...
#<devN> <arpwatch options for devN>
#
# You can set global options for all interfaces by editing
# /etc/default/arpwatch
# For example:
eth0
#eth0 -m root
#eth1 -m root
#eth2 -m root
# or, if you have an MTA configured for plussed addressing:
#
#eth0 -m root+eth0
#eth1 -m root+eth1
#eth2 -m root+eth2
@@ -0,0 +1,7 @@
# Global options for arpwatch(8).
# Debian: don't report bogons, don't use PROMISC.
ARGS="-N -p"
# Debian: run as `arpwatch' user. Empty this to run as root.
RUNAS="arpwatch"
@@ -0,0 +1,123 @@
#!/bin/sh
PATH=/sbin:/bin:/usr/sbin:/usr/bin
NAME=arpwatch
DAEMON=/usr/sbin/$NAME
DESC="Ethernet/FDDI station monitor daemon"
DATADIR=/var/lib/$NAME
RETVAL=0
. /etc/init.d/functions
### You shouldn't touch anything below unless you know what you are doing.
[ -f /etc/default/arpwatch ] && . /etc/default/arpwatch
# Decide whether we have to deal with multiple interfaces.
CONF=/etc/arpwatch.conf
MULTIPLE=0
if [ -r $CONF ]; then
grep -c '^[a-z]' $CONF 2>&1 >/dev/null && MULTIPLE=1
fi
# Check whether we have to drop privileges.
if [ -n "$RUNAS" ]; then
if getent passwd "$RUNAS" >/dev/null; then
ARGS="-u ${RUNAS} $ARGS"
else
RUNAS=""
fi
fi
start_instance () {
IFACE=$1
INSTANCE=${NAME}-${IFACE}
DATAFILE=$DATADIR/${IFACE}.dat
IFACE_OPTS="-P /var/run/${INSTANCE}.pid -i ${IFACE} -f ${DATAFILE} $2"
echo -n "Starting $DESC: "
if [ ! -f $DATAFILE ]; then
echo -n "(creating $DATAFILE) " :> $DATAFILE
fi
if [ -n "$RUNAS" ]; then
echo -n "(chown $RUNAS $DATAFILE) "
chown $RUNAS $DATAFILE
fi
start-stop-daemon --start --quiet \
--pidfile /var/run/${INSTANCE}.pid \
--exec $DAEMON -- $IFACE_OPTS $ARGS
echo "${INSTANCE}."
ps h -C $NAME -o pid,args | \
awk "/$IFACE/ { print \$1 }" > /var/run/${INSTANCE}.pid
}
stop_instance () {
IFACE=$1
INSTANCE=${NAME}-${IFACE}
[ -f /var/run/${INSTANCE}.pid ] || return 0
echo -n "Stopping $DESC: "
start-stop-daemon --stop --quiet --oknodo \
--pidfile /var/run/${INSTANCE}.pid
echo "${INSTANCE}."
rm -f /var/run/${INSTANCE}.pid
}
process_loop_break_line () {
__IFACE=$1
shift
__IOPTS="$@"
}
process_loop () {
OPERATION=$1
grep '^[a-z]' $CONF 2>/dev/null | \
while read LINE
do
process_loop_break_line $LINE
I=$__IFACE
I_OPTS="$__IOPTS"
$OPERATION $I "$I_OPTS"
done
}
startup () {
process_loop start_instance
}
shutdown () {
process_loop stop_instance
}
case "$1" in
start)
startup
;;
stop)
shutdown
;;
reload)
echo "Reload operation not supported -- use restart."
RETVAL=2
;;
restart|force-reload)
#
# If the "reload" option is implemented, move the "force-reload"
# option to the "reload" entry above. If not, "force-reload" is
# just the same as "restart".
#
shutdown
sleep 1
startup
;;
status)
status_of_proc $DAEMON $NAME
;;
*)
N=/etc/init.d/$NAME
# echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
echo "Usage: $N {start|stop|restart|force-reload}" >&2
RETVAL=2
;;
esac
exit $RETVAL
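Review bot: The privilege-drop block near the top clears `RUNAS` when `getent passwd` does not find the account, so the daemon then starts as root without any message. A warning in the else branch, e.g. `echo "$NAME: user $RUNAS not found, running as root" >&2` before `RUNAS=""`, would make that downgrade visible (or exit non-zero if running as root is not intended). In start_instance the pid file is rebuilt with `awk "/$IFACE/ { print \$1 }"`, which matches the interface name as a regex anywhere in the process line, so `eth1` also matches an `eth10` instance and can put several PIDs in one file. Passing the name with `awk -v` and matching the `-i` argument exactly would avoid that. The line `echo -n "(creating $DATAFILE) " :> $DATAFILE` as shown redirects the echo text into the data file instead of truncating it with a separate `:>`; this may be a line join introduced by the page rendering, so check the actual file.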
@@ -0,0 +1,21 @@
This removes the host contamination
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: arpwatch-3.3/configure
===================================================================
--- arpwatch-3.3.orig/configure
+++ arpwatch-3.3/configure
@@ -4353,8 +4353,8 @@ fi
CC=cc
export CC
fi
- V_INCLS="$V_INCLS -I/usr/local/include"
- LDFLAGS="$LDFLAGS -L/usr/local/lib"
+ V_INCLS="$V_INCLS "
+ LDFLAGS="$LDFLAGS "
if test "$GCC" != yes ; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking that $CC handles ansi prototypes" >&5
$as_echo_n "checking that $CC handles ansi prototypes... " >&6; }
@@ -0,0 +1,46 @@
SUMMARY = "Linux security scanner"
DESCRIPTION = "Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux \
system. This enables you to quickly overview the security status of your Linux system."
SECTION = "security"
LICENSE = "GPL-2.0-only"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0-only;md5=801f80980d171dd6425610833a22dbe6"
SRC_URI = "http://sourceforge.net/projects/buck-security/files/buck-security/buck-security_${PV}/${BPN}_${PV}.tar.gz"
SRC_URI[md5sum] = "611a3e9bb7ed8a8270aa15216c321c53"
SRC_URI[sha256sum] = "c533c6631ec3554dd8d39d2d1c3ed44badbbf50810ebb75469c74639fa294b01"
S = "${WORKDIR}/${BPN}_${PV}"
do_configure[noexec] = "1"
do_compile[noexec] = "1"
do_install() {
install -d ${D}${bindir}/buck
cp -r ${S}/* ${D}${bindir}/buck
cp -r ${S}/buck-security ${D}${bindir}
sed -i 's!use lib "checks"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/checks")!' ${D}${bindir}/buck-security
sed -i 's!use lib "checks/lib"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/checks/lib")!' ${D}${bindir}/buck-security
sed -i 's!use lib "lib"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/lib")!' ${D}${bindir}/buck-security
sed -i 's!my $buck_root = "."!my $buck_root = File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck")!' ${D}${bindir}/buck-security
}
FILES:${PN} = "${bindir}/*"
RDEPENDS:${PN} = "coreutils gnupg net-tools perl perl-module-data-dumper \
perl-module-file-basename perl-module-file-spec perl-module-getopt-long \
perl-module-lib perl-module-posix perl-module-term-ansicolor \
perl-module-time-localtime pinentry perl-module-pod-usage \
perl-module-pod-text perl-module-file-glob \
perl-module-cwd perl-module-encode perl-module-encode-encoding \
"
RDEPENDS:${PN}:class-native = "coreutils net-tools perl perl-module-data-dumper \
perl-module-file-basename perl-module-file-spec perl-module-getopt-long \
perl-module-lib perl-module-posix perl-module-term-ansicolor \
perl-module-time-localtime perl-module-file-glob\
"
BBCLASSEXTEND = "native"
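Review bot: SRC_URI downloads the tarball over plain `http://`; the `SRC_URI[sha256sum]` pin still protects the content, but using `https://sourceforge.net/...` keeps the fetch from being observed or redirected in transit and costs nothing. do_install copies the whole source tree with `cp -r ${S}/* ${D}${bindir}/buck`, so everything upstream ships lands under ${bindir} with whatever modes the tarball carried. Installing only the needed directories with explicit `install -m` modes, or a `chmod -R go-w ${D}${bindir}/buck` afterwards, would make the packaged permissions deterministic.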
@@ -0,0 +1,21 @@
SUMMARY = "Linux system security checks"
DESCRIPTION = "The checksec script is designed to test what standard Linux OS and PaX security features are being used."
SECTION = "security"
LICENSE = "BSD-3-Clause"
HOMEPAGE="https://github.com/slimm609/checksec.sh"
LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=879b2147c754bc040c29e9c3b84da836"
SRCREV = "2753ebb89fcdc96433ae8a4c4e5a49214a845be2"
SRC_URI = "git://github.com/slimm609/checksec.sh;branch=main;protocol=https"
S = "${WORKDIR}/git"
do_install() {
install -d ${D}${bindir}
install -m 0755 ${S}/checksec ${D}${bindir}
}
RDEPENDS:${PN} = "bash openssl-bin binutils"
BBCLASSEXTEND = "native"
@@ -0,0 +1,157 @@
SUMMARY = "ClamAV anti-virus utility for Unix - command-line interface"
DESCRIPTION = "ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats."
HOMEPAGE = "http://www.clamav.net/index.html"
SECTION = "security"
LICENSE = "LGPL-2.1-only"
DEPENDS = "glibc llvm libtool db openssl zlib curl libxml2 bison pcre2 json-c libcheck"
COMPATIBLE_HOST:libc-musl:class-target = "null"
LIC_FILES_CHKSUM = "file://COPYING.txt;beginline=2;endline=3;md5=f7029fbbc5898b273d5902896f7bbe17"
# July 30th, 2022
SRCREV = "563ba93052f3b7b46fb8725a65ee6299a9c332cf"
SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.104;protocol=https \
file://clamd.conf \
file://freshclam.conf \
file://volatiles.03_clamav \
file://tmpfiles.clamav \
file://headers_fixup.patch \
file://oe_cmake_fixup.patch \
"
S = "${WORKDIR}/git"
LEAD_SONAME = "libclamav.so"
SO_VER = "9.6.0"
BINCONFIG = "${bindir}/clamav-config"
inherit cmake chrpath pkgconfig useradd systemd multilib_header multilib_script
UPSTREAM_CHECK_COMMITS = "1"
CLAMAV_UID ?= "clamav"
CLAMAV_GID ?= "clamav"
MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/clamav-config"
EXTRA_OECMAKE = " -DCMAKE_BUILD_TYPE=Release -DOPTIMIZE=ON -DENABLE_JSON_SHARED=OFF \
-DCLAMAV_GROUP=${CLAMAV_GID} -DCLAMAV_USER=${CLAMAV_UID} \
-DENABLE_TESTS=OFF -DBUILD_SHARED_LIBS=ON \
-DDISABLE_MPOOL=ON -DENABLE_FRESHCLAM_DNS_FIX=ON \
"
PACKAGECONFIG ?= " clamonacc \
${@bb.utils.contains("DISTRO_FEATURES", "systemd", "systemd", "", d)}"
PACKAGECONFIG[milter] = "-DENABLE_MILTER=ON ,-DENABLE_MILTER=OFF, curl, curl"
PACKAGECONFIG[clamonacc] = "-DENABLE_CLAMONACC=ON ,-DENABLE_CLAMONACC=OFF,"
PACKAGECONFIG[unrar] = "-DENABLE_UNRAR=ON ,-DENABLE_UNRAR=OFF,"
PACKAGECONFIG[systemd] = "-DENABLE_SYSTEMD=ON -DSYSTEMD_UNIT_DIR=${systemd_system_unitdir}, -DENABLE_SYSTEMD=OFF, systemd"
export OECMAKE_C_FLAGS += " -I${STAGING_INCDIR} -L ${RECIPE_SYSROOT}${nonarch_libdir} -L${STAGING_LIBDIR} -lpthread"
do_install:append () {
install -d ${D}/${sysconfdir}
install -d -o ${PN} -g ${CLAMAV_GID} ${D}/${localstatedir}/lib/clamav
install -d ${D}${sysconfdir}/clamav ${D}${sysconfdir}/default/volatiles
install -m 644 ${WORKDIR}/clamd.conf ${D}/${prefix}/${sysconfdir}
install -m 644 ${WORKDIR}/freshclam.conf ${D}/${prefix}/${sysconfdir}
install -m 0644 ${WORKDIR}/volatiles.03_clamav ${D}${sysconfdir}/default/volatiles/03_clamav
sed -i -e 's#${STAGING_DIR_HOST}##g' ${D}${libdir}/pkgconfig/libclamav.pc
rm ${D}/${libdir}/libclamav.so
if [ "${INSTALL_CLAMAV_CVD}" = "1" ]; then
install -m 666 ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.
fi
rm ${D}/${libdir}/libfreshclam.so
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)};then
install -d ${D}${sysconfdir}/tmpfiles.d
install -m 0644 ${WORKDIR}/tmpfiles.clamav ${D}${sysconfdir}/tmpfiles.d/clamav.conf
fi
oe_multilib_header clamav-types.h
}
pkg_postinst:${PN} () {
if [ -z "$D" ]; then
if command -v systemd-tmpfiles >/dev/null; then
systemd-tmpfiles --create ${sysconfdir}/tmpfiles.d/clamav.conf
elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then
${sysconfdir}/init.d/populate-volatile.sh update
fi
fi
}
PACKAGES += "${PN}-daemon ${PN}-clamdscan ${PN}-freshclam ${PN}-libclamav"
FILES:${PN} = "${bindir}/clambc ${bindir}/clamscan ${bindir}/clamsubmit ${sbindir}/clamonacc \
${bindir}/*sigtool ${mandir}/man1/clambc* ${mandir}/man1/clamscan* \
${mandir}/man1/sigtool* ${mandir}/man1/clambsubmit* \
${docdir}/clamav/*"
FILES:${PN}-clamdscan = " ${bindir}/clamdscan \
${docdir}/clamdscan/* \
${mandir}/man1/clamdscan* \
"
FILES:${PN}-daemon = "${bindir}/clamconf ${bindir}/clamdtop ${sbindir}/clamd \
${mandir}/man1/clamconf* ${mandir}/man1/clamdtop* \
${mandir}/man5/clamd* ${mandir}/man8/clamd* \
${sysconfdir}/clamd.conf* \
/usr/etc/clamd.conf* \
${systemd_system_unitdir}/clamav-daemon/* \
${docdir}/clamav-daemon/* ${sysconfdir}/clamav-daemon \
${sysconfdir}/logcheck/ignore.d.server/clamav-daemon \
${systemd_system_unitdir}/clamav-daemon.service \
${systemd_system_unitdir}/clamav-clamonacc.service \
"
FILES:${PN}-freshclam = "${bindir}/freshclam \
${sysconfdir}/freshclam.conf* \
/usr/etc/freshclam.conf* \
${sysconfdir}/clamav ${sysconfdir}/default/volatiles \
${sysconfdir}/tmpfiles.d/*.conf \
${localstatedir}/lib/clamav \
${docdir}/${PN}-freshclam ${mandir}/man1/freshclam.* \
${mandir}/man5/freshclam.conf.* \
${systemd_system_unitdir}/clamav-freshclam.service"
FILES:${PN}-dev = " ${bindir}/clamav-config ${libdir}/*.la \
${libdir}/pkgconfig/*.pc \
${mandir}/man1/clamav-config.* \
${includedir}/*.h ${docdir}/libclamav* \
${libdir}/libmspack.so"
FILES:${PN}-staticdev = "${libdir}/*.a"
FILES:${PN}-libclamav = "${libdir}/libclamav.so* ${libdir}/libclammspack.so* \
${libdir}/libfreshclam.so* ${docdir}/libclamav/* \
${libdir}/libmspack* "
FILES:${PN}-doc = "${mandir}/man/* \
${datadir}/man/* \
${docdir}/* "
USERADD_PACKAGES = "${PN}-freshclam "
GROUPADD_PARAM:${PN}-freshclam = "--system ${CLAMAV_UID}"
USERADD_PARAM:${PN}-freshclam = "--system -g ${CLAMAV_GID} --home-dir \
${localstatedir}/lib/${BPN} \
--no-create-home --shell /sbin/nologin ${PN}"
RPROVIDES:${PN} += "${PN}-systemd"
RREPLACES:${PN} += "${PN}-systemd"
RCONFLICTS:${PN} += "${PN}-systemd"
SYSTEMD_PACKAGES = "${PN}-daemon ${PN}-freshclam"
SYSTEMD_SERVICE:${PN}-daemon = "clamav-daemon.service"
SYSTEMD_SERVICE:${PN}-freshclam = "clamav-freshclam.service"
INSANE_SKIP:${PN}-libclamav += "dev-so"
RDEPENDS:${PN} = "openssl ncurses-libncurses libxml2 libbz2 ncurses-libtinfo curl libpcre2 clamav-libclamav"
RRECOMMENDS:${PN} = "clamav-freshclam"
RDEPENDS:${PN}-freshclam = "clamav"
RDEPENDS:${PN}-daemon = "clamav clamav-freshclam"
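Review bot: In do_install:append the optional database copy uses `install -m 666 ${S}/clamav_db/* ...`, which makes the signature databases world-writable, so any local account on the target could alter or replace the signatures clamd loads. `install -m 0644 -o ${CLAMAV_UID} -g ${CLAMAV_GID} ${S}/clamav_db/* ${D}/${localstatedir}/lib/clamav/.` keeps them updatable by the clamav account (assuming freshclam runs as that user) without opening them to everyone. The same function creates the database directory with `-o ${PN}` and USERADD_PARAM names the user `${PN}`, while GROUPADD_PARAM uses `${CLAMAV_UID}` for the group. Using CLAMAV_UID and CLAMAV_GID consistently would keep an override of either variable from breaking ownership.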
@@ -0,0 +1,12 @@
[Unit]
Description=ClamAV virus database updater
Documentation=man:freshclam(1) man:freshclam.conf(5) http://www.clamav.net/lang/en/doc/
# If user wants it run from cron, don't start the daemon.
ConditionPathExists=!/etc/cron.d/clamav-freshclam
[Service]
ExecStart=/usr/bin/freshclam -d --foreground=true
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
@@ -0,0 +1,293 @@
##
## Example config file for clamav-milter
##
# Comment or remove the line below.
Example
##
## Main options
##
# Define the interface through which we communicate with sendmail
# This option is mandatory! Possible formats are:
# [[unix|local]:]/path/to/file - to specify a unix domain socket
# inet:port@[hostname|ip-address] - to specify an ipv4 socket
# inet6:port@[hostname|ip-address] - to specify an ipv6 socket
#
# Default: no default
#MilterSocket /tmp/clamav-milter.socket
#MilterSocket inet:7357
# Define the group ownership for the (unix) milter socket.
# Default: disabled (the primary group of the user running clamd)
#MilterSocketGroup virusgroup
# Sets the permissions on the (unix) milter socket to the specified mode.
# Default: disabled (obey umask)
#MilterSocketMode 660
# Remove stale socket after unclean shutdown.
#
# Default: yes
#FixStaleSocket yes
# Run as another user (clamav-milter must be started by root for this option to work)
#
# Default: unset (don't drop privileges)
#User clamav
# Initialize supplementary group access (clamav-milter must be started by root).
#
# Default: no
#AllowSupplementaryGroups no
# Waiting for data from clamd will timeout after this time (seconds).
# Value of 0 disables the timeout.
#
# Default: 120
#ReadTimeout 300
# Don't fork into background.
#
# Default: no
#Foreground yes
# Chroot to the specified directory.
# Chrooting is performed just after reading the config file and before dropping privileges.
#
# Default: unset (don't chroot)
#Chroot /newroot
# This option allows you to save a process identifier of the listening
# daemon (main thread).
#
# Default: disabled
#PidFile /var/run/clamav/clamav-milter.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
#
#TemporaryDirectory /var/tmp
##
## Clamd options
##
# Define the clamd socket to connect to for scanning.
# This option is mandatory! Syntax:
# ClamdSocket unix:path
# ClamdSocket tcp:host:port
# The first syntax specifies a local unix socket (needs an absolute path) e.g.:
# ClamdSocket unix:/var/run/clamd/clamd.socket
# The second syntax specifies a tcp local or remote tcp socket: the
# host can be a hostname or an ip address; the ":port" field is only required
# for IPv6 addresses, otherwise it defaults to 3310, e.g.:
# ClamdSocket tcp:192.168.0.1
#
# This option can be repeated several times with different sockets or even
# with the same socket: clamd servers will be selected in a round-robin fashion.
#
# Default: no default
ClamdSocket /var/run/clamav/clamd
##
## Exclusions
##
# Messages originating from these hosts/networks will not be scanned
# This option takes a host(name)/mask pair in CIRD notation and can be
# repeated several times. If "/mask" is omitted, a host is assumed.
# To specify a locally orignated, non-smtp, email use the keyword "local"
#
# Default: unset (scan everything regardless of the origin)
#LocalNet local
#LocalNet 192.168.0.0/24
#LocalNet 1111:2222:3333::/48
# This option specifies a file which contains a list of basic POSIX regular
# expressions. Addresses (sent to or from - see below) matching these regexes
# will not be scanned. Optionally each line can start with the string "From:"
# or "To:" (note: no whitespace after the colon) indicating if it is,
# respectively, the sender or recipient that is to be whitelisted.
# If the field is missing, "To:" is assumed.
# Lines starting with #, : or ! are ignored.
#
# Default unset (no exclusion applied)
#Whitelist /etc/whitelisted_addresses
# Messages from authenticated SMTP users matching this extended POSIX
# regular expression (egrep-like) will not be scanned.
# As an alternative, a file containing a plain (not regex) list of names (one
# per line) can be specified using the prefix "file:".
# e.g. SkipAuthenticated file:/etc/good_guys
#
# Note: this is the AUTH login name!
#
# Default: unset (no whitelisting based on SMTP auth)
#SkipAuthenticated ^(tom|dick|henry)$
# Messages larger than this value won't be scanned.
# Make sure this value is lower or equal than StreamMaxLength in clamd.conf
#
# Default: 25M
#MaxFileSize 10M
##
## Actions
##
# The following group of options controls the delievery process under
# different circumstances.
# The following actions are available:
# - Accept
# The message is accepted for delievery
# - Reject
# Immediately refuse delievery (a 5xx error is returned to the peer)
# - Defer
# Return a temporary failure message (4xx) to the peer
# - Blackhole (not available for OnFail)
# Like Accept but the message is sent to oblivion
# - Quarantine (not available for OnFail)
# Like Accept but message is quarantined instead of being delivered
#
# NOTE: In Sendmail the quarantine queue can be examined via mailq -qQ
# For Postfix this causes the message to be placed on hold
#
# Action to be performed on clean messages (mostly useful for testing)
# Default: Accept
#OnClean Accept
# Action to be performed on infected messages
# Default: Quarantine
#OnInfected Quarantine
# Action to be performed on error conditions (this includes failure to
# allocate data structures, no scanners available, network timeouts,
# unknown scanner replies and the like)
# Default: Defer
#OnFail Defer
# This option allows to set a specific rejection reason for infected messages
# and it's therefore only useful together with "OnInfected Reject"
# The string "%v", if present, will be replaced with the virus name.
# Default: MTA specific
#RejectMsg
# If this option is set to "Replace" (or "Yes"), an "X-Virus-Scanned" and an
# "X-Virus-Status" headers will be attached to each processed message, possibly
# replacing existing headers.
# If it is set to Add, the X-Virus headers are added possibly on top of the
# existing ones.
# Note that while "Replace" can potentially break DKIM signatures, "Add" may
# confuse procmail and similar filters.
# Default: no
#AddHeader Replace
# When AddHeader is in use, this option allows to arbitrary set the reported
# hostname. This may be desirable in order to avoid leaking internal names.
# If unset the real machine name is used.
# Default: disabled
#ReportHostname my.mail.server.name
# Execute a command (possibly searching PATH) when an infected message is found.
# The following parameters are passed to the invoked program in this order:
# virus name, queue id, sender, destination, subject, message id, message date.
# Note #1: this requires MTA macroes to be available (see LogInfected below)
# Note #2: the process is invoked in the context of clamav-milter
# Note #3: clamav-milter will wait for the process to exit. Be quick or fork to
# avoid unnecessary delays in email delievery
# Default: disabled
#VirusAction /usr/local/bin/my_infected_message_handler
##
## Logging options
##
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
#
# Default: disabled
#LogFile /var/log/clamav/clamav-milter.log
# By default the log file is locked for writing - the lock protects against
# running clamav-milter multiple times.
# This option disables log file locking.
#
# Default: no
#LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
#
# Default: 1M
#LogFileMaxSize 2M
# Log time with each message.
#
# Default: no
#LogTime yes
# Use system logger (can work together with LogFile).
#
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
#
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
#
# Default: no
#LogVerbose yes
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# This option allows to tune what is logged when a message is infected.
# Possible values are Off (the default - nothing is logged),
# Basic (minimal info logged), Full (verbose info logged)
# Note:
# For this to work properly in sendmail, make sure the msg_id, mail_addr,
# rcpt_addr and i macroes are available in eom. In other words add a line like:
# Milter.macros.eom={msg_id}, {mail_addr}, {rcpt_addr}, i
# to your .cf file. Alternatively use the macro:
# define(`confMILTER_MACROS_EOM', `{msg_id}, {mail_addr}, {rcpt_addr}, i')
# Postfix should be working fine with the default settings.
#
# Default: disabled
#LogInfected Basic
# This option allows to tune what is logged when no threat is found in a scanned message.
# See LogInfected for possible values and caveats.
# Useful in debugging but drastically increases the log size.
# Default: disabled
#LogClean Basic
# This option affects the behaviour of LogInfected, LogClean and VirusAction
# when a message with multiple recipients is scanned:
# If SupportMultipleRecipients is off (the default)
# then one single log entry is generated for the message and, in case the
# message is determined to be malicious, the command indicated by VirusAction
# is executed just once. In both cases only the last recipient is reported.
# If SupportMultipleRecipients is on:
# then one line is logged for each recipient and the command indicated
# by VirusAction is also executed once for each recipient.
#
# Note: although it's probably a good idea to enable this option, the default value
# is currently set to off for legacy reasons.
# Default: no
#SupportMultipleRecipients yes
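Review bot: `ClamdSocket /var/run/clamav/clamd` does not follow the syntax documented just above it (`unix:path` or `tcp:host:port`), and the path differs from `LocalSocket /tmp/clamd.socket` set in the clamd.conf added by this commit, so the milter would not reach the daemon as configured. Once clamd's socket location is settled, this line should read `ClamdSocket unix:<clamd socket path>` with the same path in both files; a socket under a dedicated directory such as the `/var/run/clamav` used here is preferable to one in world-writable `/tmp`. The uncommented `Example` line near the top appears to be the upstream marker that stops the file being used unedited; if that is intended for the packaged file, it is worth saying so where the file is installed.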
@@ -0,0 +1,17 @@
[Unit]
Description=Clam AntiVirus userspace daemon
Documentation=man:clamd(8) man:clamd.conf(5) http://www.clamav.net/lang/en/doc/
Requires=clamav-daemon.socket
# Check for database existence
ConditionPathExistsGlob=/usr/share/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/usr/share/clamav/daily.{c[vl]d,inc}
[Service]
ExecStart=/usr/sbin/clamd --foreground=true
# Reload the database
ExecReload=/bin/kill -USR2 $MAINPID
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
Also=clamav-daemon.socket
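Review bot: Both `ConditionPathExistsGlob=` lines look for the databases under `/usr/share/clamav`, while the clamd.conf in this commit sets `DatabaseDirectory /var/lib/clamav` and the recipe installs databases to `${localstatedir}/lib/clamav`. With that mismatch the conditions fail and systemd skips starting clamd without reporting a failure, leaving the target unscanned. Pointing them at the configured directory, e.g. `ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}` and the same for `daily`, would fix it. The unit also has `Requires=clamav-daemon.socket` and `Also=clamav-daemon.socket`; no socket unit is visible in this part of the commit, so confirm one is shipped. `StandardOutput=syslog` is deprecated in current systemd in favour of the journal.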
@@ -0,0 +1,595 @@
# Uncomment this option to enable logging.
# LogFile must be writable for the user running daemon.
# A full path is required.
# Default: disabled
LogFile /tmp/clamd.log
# By default the log file is locked for writing - the lock protects against
# running clamd multiple times (if want to run another clamd, please
# copy the configuration file, change the LogFile variable, and run
# the daemon with --config-file option).
# This option disables log file locking.
# Default: no
LogFileUnlock yes
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
# in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
# rotation (the LogRotate option) will always be enabled.
# Default: 1M
LogFileMaxSize 2M
# Log time with each message.
# Default: no
LogTime yes
# Also log clean files. Useful in debugging but drastically increases the
# log size.
# Default: no
#LogClean yes
# Use system logger (can work together with LogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# Log additional information about the infected file, such as its
# size and hash, together with the virus name.
ExtendedDetectionInfo yes
# This option allows you to save a process identifier of the listening
# daemon (main thread).
# Default: disabled
PidFile /var/run/clamd.pid
# Optional path to the global temporary directory.
# Default: system specific (usually /tmp or /var/tmp).
TemporaryDirectory /var/tmp
# Path to the database directory.
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav
# Only load the official signatures published by the ClamAV project.
# Default: no
#OfficialDatabaseOnly no
# The daemon can work in local mode, network mode or both.
# Due to security reasons we recommend the local mode.
# Path to a local socket file the daemon will listen on.
# Default: disabled (must be specified by a user)
LocalSocket /tmp/clamd.socket
# Sets the group ownership on the unix socket.
# Default: disabled (the primary group of the user running clamd)
#LocalSocketGroup virusgroup
# Sets the permissions on the unix socket to the specified mode.
# Default: disabled (socket is world accessible)
#LocalSocketMode 660
# Remove stale socket after unclean shutdown.
# Default: yes
#FixStaleSocket yes
# TCP port address.
# Default: no
#TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world. This option can be specified multiple
# times if you want to listen on multiple IPs. IPv6 is now supported.
# Default: no
#TCPAddr 127.0.0.1
# Maximum length the queue of pending connections may grow to.
# Default: 200
#MaxConnectionQueueLength 30
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.
# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 25M
#StreamMaxLength 10M
# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
# Maximum number of threads running at the same time.
# Default: 10
#MaxThreads 20
# Waiting for data from a client socket will timeout after this time (seconds).
# Default: 120
#ReadTimeout 300
# This option specifies the time (in seconds) after which clamd should
# timeout if a client doesn't provide any initial command after connecting.
# Default: 5
#CommandReadTimeout 5
# This option specifies how long to wait (in miliseconds) if the send buffer is full.
# Keep this value low to prevent clamd hanging
#
# Default: 500
#SendBufTimeout 200
# Maximum number of queued items (including those being processed by MaxThreads threads)
# It is recommended to have this value at least twice MaxThreads if possible.
# WARNING: you shouldn't increase this too much to avoid running out of file descriptors,
# the following condition should hold:
# MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
#
# Default: 100
#MaxQueue 200
# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60
# Don't scan files and directories matching regex
# This directive can be used multiple times
# Default: scan all
#ExcludePath ^/proc/
#ExcludePath ^/sys/
# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20
# Follow directory symlinks.
# Default: no
#FollowDirectorySymlinks yes
# Follow regular file symlinks.
# Default: no
#FollowFileSymlinks yes
# Scan files and directories on other filesystems.
# Default: yes
#CrossFilesystems yes
# Perform a database check.
# Default: 600 (10 min)
#SelfCheck 600
# Execute a command when virus is found. In the command string %v will
# be replaced with the virus name.
# Default: no
#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User clamav
# Initialize supplementary group access (clamd must be started by root).
# Default: no
#AllowSupplementaryGroups no
# Stop daemon when libclamav reports out of memory condition.
#ExitOnOOM yes
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Do not remove temporary files (for debug purposes).
# Default: no
#LeaveTemporaryFiles yes
# Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
# any ALLMATCHSCAN command as invalid.
# Default: yes
#AllowAllMatchScan no
# Detect Possibly Unwanted Applications.
# Default: no
#DetectPUA yes
# Exclude a specific PUA category. This directive can be used multiple times.
# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for
# the complete list of PUA categories.
# Default: Load all categories (if DetectPUA is activated)
#ExcludePUA NetTool
#ExcludePUA PWTool
# Only include a specific PUA category. This directive can be used multiple
# times.
# Default: Load all categories (if DetectPUA is activated)
#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT
# In some cases (eg. complex malware, exploits in graphic files, and others),
# ClamAV uses special algorithms to provide accurate detection. This option
# controls the algorithmic detection.
# Default: yes
#AlgorithmicDetection yes
# This option causes memory or nested map scans to dump the content to disk.
# If you turn on this option, more data is written to disk and is available
# when the LeaveTemporaryFiles option is enabled.
#ForceToDisk yes
# This option allows you to disable the caching feature of the engine. By
# default, the engine will store an MD5 in a cache of any files that are
# not flagged as virus or that hit limits checks. Disabling the cache will
# have a negative performance impact on large scans.
# Default: no
#DisableCache yes
##
## Executable files
##
# PE stands for Portable Executable - it's an executable file format used
# in all 32 and 64-bit versions of Windows operating systems. This option allows
# ClamAV to perform a deeper analysis of executable files and it's also
# required for decompression of popular executable packers such as UPX, FSG,
# and Petite. If you turn off this option, the original files will still be
# scanned, but without additional processing.
# Default: yes
#ScanPE yes
# Certain PE files contain an authenticode signature. By default, we check
# the signature chain in the PE file against a database of trusted and
# revoked certificates if the file being scanned is marked as a virus.
# If any certificate in the chain validates against any trusted root, but
# does not match any revoked certificate, the file is marked as whitelisted.
# If the file does match a revoked certificate, the file is marked as virus.
# The following setting completely turns off authenticode verification.
# Default: no
#DisableCertCheck yes
# Executable and Linking Format is a standard format for UN*X executables.
# This option allows you to control the scanning of ELF files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanELF yes
# With this option clamav will try to detect broken executables (both PE and
# ELF) and mark them as Broken.Executable.
# Default: no
#DetectBrokenExecutables yes
##
## Documents
##
# This option enables scanning of OLE2 files, such as Microsoft Office
# documents and .msi files.
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
# Default: yes
#ScanOLE2 yes
# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#OLE2BlockMacros no
# This option enables scanning within PDF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanPDF yes
# This option enables scanning within SWF files.
# If you turn off this option, the original files will still be scanned, but
# without decoding and additional processing.
# Default: yes
#ScanSWF yes
##
## Mail files
##
# Enable internal e-mail scanner.
# If you turn off this option, the original files will still be scanned, but
# without parsing individual messages/attachments.
# Default: yes
#ScanMail yes
# Scan RFC1341 messages split over many emails.
# You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: no
#ScanPartialMessages yes
# With this option enabled ClamAV will try to detect phishing attempts by using
# signatures.
# Default: yes
#PhishingSignatures yes
# Scan URLs found in mails for phishing attempts using heuristics.
# Default: yes
#PhishingScanURLs yes
# Always block SSL mismatches in URLs, even if the URL isn't in the database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockSSLMismatch no
# Always block cloaked URLs, even if URL isn't in database.
# This can lead to false positives.
#
# Default: no
#PhishingAlwaysBlockCloak no
# Detect partition intersections in raw disk images using heuristics.
# Default: no
#PartitionIntersection no
# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes
##
## Data Loss Prevention (DLP)
##
# Enable the DLP module
# Default: No
#StructuredDataDetection yes
# This option sets the lowest number of Credit Card numbers found in a file
# to generate a detect.
# Default: 3
#StructuredMinCreditCardCount 5
# This option sets the lowest number of Social Security Numbers found
# in a file to generate a detect.
# Default: 3
#StructuredMinSSNCount 5
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxx-yy-zzzz
# Default: yes
#StructuredSSNFormatNormal yes
# With this option enabled the DLP module will search for valid
# SSNs formatted as xxxyyzzzz
# Default: no
#StructuredSSNFormatStripped yes
##
## HTML
##
# Perform HTML normalisation and decryption of MS Script Encoder code.
# Default: yes
# If you turn off this option, the original files will still be scanned, but
# without additional processing.
#ScanHTML yes
##
## Archives
##
# ClamAV can scan within archives and compressed files.
# If you turn off this option, the original files will still be scanned, but
# without unpacking and additional processing.
# Default: yes
#ScanArchive yes
# Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
# Default: no
#ArchiveBlockEncrypted no
##
## Limits
##
# The options below protect your system against Denial of Service attacks
# using archive bombs.
# This option sets the maximum amount of data to be scanned for each input file.
# Archives and other containers are recursively extracted and scanned up to this
# value.
# Value of 0 disables the limit
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 100M
#MaxScanSize 150M
# Files larger than this limit won't be scanned. Affects the input file itself
# as well as files contained inside it (when the input file is an archive, a
# document or some other kind of container).
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 25M
#MaxFileSize 30M
# Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
# file, all files within it will also be scanned. This options specifies how
# deeply the process should be continued.
# Note: setting this limit too high may result in severe damage to the system.
# Default: 16
#MaxRecursion 10
# Number of files to be scanned within an archive, a document, or any other
# container file.
# Value of 0 disables the limit.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10000
#MaxFiles 15000
# Maximum size of a file to check for embedded PE. Files larger than this value
# will skip the additional analysis step.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxEmbeddedPE 10M
# Maximum size of a HTML file to normalize. HTML files larger than this value
# will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 10M
#MaxHTMLNormalize 10M
# Maximum size of a normalized HTML file to scan. HTML files larger than this
# value after normalization will not be scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 2M
#MaxHTMLNoTags 2M
# Maximum size of a script file to normalize. Script content larger than this
# value will not be normalized or scanned.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 5M
#MaxScriptNormalize 5M
# Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
# than this value will skip the step to potentially reanalyze as PE.
# Note: disabling this limit or setting it too high may result in severe damage
# to the system.
# Default: 1M
#MaxZipTypeRcg 1M
# This option sets the maximum number of partitions of a raw disk image to be scanned.
# Raw disk images with more partitions than this value will have up to the value number
# partitions scanned. Negative values are not allowed.
# Note: setting this limit too high may result in severe damage or impact performance.
# Default: 50
#MaxPartitions 128
# This option sets the maximum number of icons within a PE to be scanned.
# PE files with more icons than this value will have up to the value number icons scanned.
# Negative values are not allowed.
# WARNING: setting this limit too high may result in severe damage or impact performance.
# Default: 100
#MaxIconsPE 200
##
## On-access Scan Settings
##
# Enable on-access scanning. Currently, this is supported via fanotify.
# Clamuko/Dazuko support has been deprecated.
# Default: no
#ScanOnAccess yes
# Don't scan files larger than OnAccessMaxFileSize
# Value of 0 disables the limit.
# Default: 5M
#OnAccessMaxFileSize 10M
# Set the include paths (all files inside them will be scanned). You can have
# multiple OnAccessIncludePath directives but each directory must be added
# in a separate line. (On-access scan only)
# Default: disabled
#OnAccessIncludePath /home
#OnAccessIncludePath /students
# Set the exclude paths. All subdirectories are also excluded.
# (On-access scan only)
# Default: disabled
#OnAccessExcludePath /home/bofh
# With this option you can whitelist specific UIDs. Processes with these UIDs
# will be able to access all files.
# This option can be used multiple times (one per line).
# Default: disabled
#OnAccessExcludeUID 0
##
## Bytecode
##
# With this option enabled ClamAV will load bytecode from the database.
# It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
# Default: yes
#Bytecode yes
# Set bytecode security level.
# Possible values:
# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
# This value is only available if clamav was built with --enable-debug!
# TrustSigned - trust bytecode loaded from signed .c[lv]d files,
# insert runtime safety checks for bytecode loaded from other sources
# Paranoid - don't trust any bytecode, insert runtime checks for all
# Recommended: TrustSigned, because bytecode in .cvd files already has these checks
# Note that by default only signed bytecode is loaded, currently you can only
# load unsigned bytecode in --enable-debug mode.
#
# Default: TrustSigned
#BytecodeSecurity TrustSigned
# Set bytecode timeout in miliseconds.
#
# Default: 5000
# BytecodeTimeout 1000
##
## Statistics gathering and submitting
##
# Enable statistical reporting.
# Default: no
#StatsEnabled yes
# Disable submission of individual PE sections for files flagged as malware.
# Default: no
#StatsPEDisabled yes
# HostID in the form of an UUID to use when submitting statistical information.
# Default: auto
#StatsHostID auto
# Time in seconds to wait for the stats server to come back with a response
# Default: 10
#StatsTimeout 10
@@ -0,0 +1,224 @@
# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
#DatabaseDirectory /var/lib/clamav
# Path to the log file (make sure it has proper permissions)
# Default: disabled
#UpdateLogFile /var/log/clamav/freshclam.log
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
# log rotation (the LogRotate option) will always be enabled.
# Default: 1M
LogFileMaxSize 2M
# Log time with each message.
# Default: no
LogTime yes
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Use system logger (can work together with UpdateLogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# This option allows you to save the process identifier of the daemon
# Default: disabled
#PidFile /var/run/freshclam.pid
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
DatabaseOwner clamav
# Initialize supplementary group access (freshclam must be started by root).
# Default: no
#AllowSupplementaryGroups yes
# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
# You can use db.XY.ipv6.clamav.net for IPv6 connections.
#DatabaseMirror db.XY.clamav.net
# database.clamav.net is a round-robin record which points to our most
# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
# not working. DO NOT TOUCH the following line unless you know what you
# are doing.
DatabaseMirror database.clamav.net
# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5
# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
#ScriptedUpdates yes
# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no
# With this option you can provide custom sources (http:// or file://) for
# database files. This option can be used multiple times.
# Default: no custom URLs
#DatabaseCustomURL http://myserver.com/mysigs.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb
# This option allows you to easily point freshclam to private mirrors.
# If PrivateMirror is set, freshclam does not attempt to use DNS
# to determine whether its databases are out-of-date, instead it will
# use the If-Modified-Since request or directly check the headers of the
# remote database files. For each database, freshclam first attempts
# to download the CLD file. If that fails, it tries to download the
# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates. It can be used multiple times to provide
# fall-back mirrors.
# Default: disabled
#PrivateMirror mirror1.mynetwork.com
#PrivateMirror mirror2.mynetwork.com
# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24
# Proxy settings
# Default: disabled
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# Default: clamav/version_number
#HTTPUserAgent SomeUserAgentIdString
# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd
# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf
# Run command after successful database update.
# Default: disabled
#OnUpdateExecute command
# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command
# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60
# Timeout in seconds when reading from database server.
# Default: 30
#ReceiveTimeout 60
# With this option enabled, freshclam will attempt to load new
# databases into memory to make sure they are properly handled
# by libclamav before replacing the old ones.
# Default: yes
#TestDatabases yes
# When enabled freshclam will submit statistics to the ClamAV Project about
# the latest virus detections in your environment. The ClamAV maintainers
# will then use this data to determine what types of malware are the most
# detected in the field and in what geographic area they are.
# Freshclam will connect to clamd in order to get recent statistics.
# Default: no
#SubmitDetectionStats /path/to/clamd.conf
# Country of origin of malware/detection statistics (for statistical
# purposes only). The statistics collector at ClamAV.net will look up
# your IP address to determine the geographical origin of the malware
# reported by your installation. If this installation is mainly used to
# scan data which comes from a different location, please enable this
# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
# of the country of origin.
# Default: disabled
#DetectionStatsCountry country-code
# This option enables support for our "Personal Statistics" service.
# When this option is enabled, the information on malware detected by
# your clamd installation is made available to you through our website.
# To get your HostID, log on http://www.stats.clamav.net and add a new
# host to your host list. Once you have the HostID, uncomment this option
# and paste the HostID here. As soon as your freshclam starts submitting
# information to our stats collecting service, you will be able to view
# the statistics of this clamd installation by logging into
# http://www.stats.clamav.net with the same credentials you used to
# generate the HostID. For more information refer to:
# http://www.clamav.net/documentation.html#cctts
# This feature requires SubmitDetectionStats to be enabled.
# Default: disabled
#DetectionStatsHostID unique-id
# This option enables support for Google Safe Browsing. When activated for
# the first time, freshclam will download a new database file (safebrowsing.cvd)
# which will be automatically loaded by clamd and clamscan during the next
# reload, provided that the heuristic phishing detection is turned on. This
# database includes information about websites that may be phishing sites or
# possible sources of malware. When using this option, it's mandatory to run
# freshclam at least every 30 minutes.
# Freshclam uses the ClamAV's mirror infrastructure to distribute the
# database and its updates but all the contents are provided under Google's
# terms of use. See http://www.google.com/transparencyreport/safebrowsing
# and http://www.clamav.net/documentation.html#safebrowsing
# for more information.
# Default: disabled
#SafeBrowsing yes
# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: enabled
#Bytecode yes
# Download an additional 3rd party signature database distributed through
# the ClamAV mirrors.
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2
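Review bot: `LogFileMaxSize 2M` and `LogTime yes` are set here while `UpdateLogFile` and `LogSyslog` both stay commented out. By the defaults documented in this file, freshclam then has no persistent log sink, and a failed signature update leaves no record to alert on. If this variant is meant to run on a target, enable one sink, e.g. `UpdateLogFile /var/log/clamav/freshclam.log` as the other freshclam configuration in this commit does. If it is deliberately log-less (perhaps a build-host variant), a one-line comment at the top saying so would avoid the question. `DatabaseDirectory` is also left at the built-in default despite the warning that it must match clamd.conf.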
@@ -0,0 +1,224 @@
# Path to the database directory.
# WARNING: It must match clamd.conf's directive!
# Default: hardcoded (depends on installation options)
DatabaseDirectory /var/lib/clamav
# Path to the log file (make sure it has proper permissions)
# Default: disabled
UpdateLogFile /var/log/clamav/freshclam.log
# Maximum size of the log file.
# Value of 0 disables the limit.
# You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
# and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes).
# in bytes just don't use modifiers. If LogFileMaxSize is enabled,
# log rotation (the LogRotate option) will always be enabled.
# Default: 1M
LogFileMaxSize 2M
# Log time with each message.
# Default: no
LogTime yes
# Enable verbose logging.
# Default: no
#LogVerbose yes
# Use system logger (can work together with UpdateLogFile).
# Default: no
#LogSyslog yes
# Specify the type of syslog messages - please refer to 'man syslog'
# for facility names.
# Default: LOG_LOCAL6
#LogFacility LOG_MAIL
# Enable log rotation. Always enabled when LogFileMaxSize is enabled.
# Default: no
#LogRotate yes
# This option allows you to save the process identifier of the daemon
# Default: disabled
PidFile /var/run/freshclam.pid
# By default when started freshclam drops privileges and switches to the
# "clamav" user. This directive allows you to change the database owner.
# Default: clamav (may depend on installation options)
DatabaseOwner clamav
# Initialize supplementary group access (freshclam must be started by root).
# Default: no
#AllowSupplementaryGroups yes
# Use DNS to verify virus database version. Freshclam uses DNS TXT records
# to verify database and software versions. With this directive you can change
# the database verification domain.
# WARNING: Do not touch it unless you're configuring freshclam to use your
# own database verification domain.
# Default: current.cvd.clamav.net
#DNSDatabaseInfo current.cvd.clamav.net
# Uncomment the following line and replace XY with your country
# code. See http://www.iana.org/cctld/cctld-whois.htm for the full list.
# You can use db.XY.ipv6.clamav.net for IPv6 connections.
#DatabaseMirror db.XY.clamav.net
# database.clamav.net is a round-robin record which points to our most
# reliable mirrors. It's used as a fall back in case db.XY.clamav.net is
# not working. DO NOT TOUCH the following line unless you know what you
# are doing.
DatabaseMirror database.clamav.net
# How many attempts to make before giving up.
# Default: 3 (per mirror)
#MaxAttempts 5
# With this option you can control scripted updates. It's highly recommended
# to keep it enabled.
# Default: yes
#ScriptedUpdates yes
# By default freshclam will keep the local databases (.cld) uncompressed to
# make their handling faster. With this option you can enable the compression;
# the change will take effect with the next database update.
# Default: no
#CompressLocalDatabase no
# With this option you can provide custom sources (http:// or file://) for
# database files. This option can be used multiple times.
# Default: no custom URLs
#DatabaseCustomURL http://myserver.com/mysigs.ndb
#DatabaseCustomURL file:///mnt/nfs/local.hdb
# This option allows you to easily point freshclam to private mirrors.
# If PrivateMirror is set, freshclam does not attempt to use DNS
# to determine whether its databases are out-of-date, instead it will
# use the If-Modified-Since request or directly check the headers of the
# remote database files. For each database, freshclam first attempts
# to download the CLD file. If that fails, it tries to download the
# CVD file. This option overrides DatabaseMirror, DNSDatabaseInfo
# and ScriptedUpdates. It can be used multiple times to provide
# fall-back mirrors.
# Default: disabled
#PrivateMirror mirror1.mynetwork.com
#PrivateMirror mirror2.mynetwork.com
# Number of database checks per day.
# Default: 12 (every two hours)
#Checks 24
# Proxy settings
# Default: disabled
#HTTPProxyServer myproxy.com
#HTTPProxyPort 1234
#HTTPProxyUsername myusername
#HTTPProxyPassword mypass
# If your servers are behind a firewall/proxy which applies User-Agent
# filtering you can use this option to force the use of a different
# User-Agent header.
# Default: clamav/version_number
#HTTPUserAgent SomeUserAgentIdString
# Use aaa.bbb.ccc.ddd as client address for downloading databases. Useful for
# multi-homed systems.
# Default: Use OS'es default outgoing IP address.
#LocalIPAddress aaa.bbb.ccc.ddd
# Send the RELOAD command to clamd.
# Default: no
#NotifyClamd /path/to/clamd.conf
# Run command after successful database update.
# Default: disabled
#OnUpdateExecute command
# Run command when database update process fails.
# Default: disabled
#OnErrorExecute command
# Run command when freshclam reports outdated version.
# In the command string %v will be replaced by the new version number.
# Default: disabled
#OnOutdatedExecute command
# Don't fork into background.
# Default: no
#Foreground yes
# Enable debug messages in libclamav.
# Default: no
#Debug yes
# Timeout in seconds when connecting to database server.
# Default: 30
#ConnectTimeout 60
# Timeout in seconds when reading from database server.
# Default: 30
#ReceiveTimeout 60
# With this option enabled, freshclam will attempt to load new
# databases into memory to make sure they are properly handled
# by libclamav before replacing the old ones.
# Default: yes
#TestDatabases yes
# When enabled freshclam will submit statistics to the ClamAV Project about
# the latest virus detections in your environment. The ClamAV maintainers
# will then use this data to determine what types of malware are the most
# detected in the field and in what geographic area they are.
# Freshclam will connect to clamd in order to get recent statistics.
# Default: no
#SubmitDetectionStats /path/to/clamd.conf
# Country of origin of malware/detection statistics (for statistical
# purposes only). The statistics collector at ClamAV.net will look up
# your IP address to determine the geographical origin of the malware
# reported by your installation. If this installation is mainly used to
# scan data which comes from a different location, please enable this
# option and enter a two-letter code (see http://www.iana.org/domains/root/db/)
# of the country of origin.
# Default: disabled
#DetectionStatsCountry country-code
# This option enables support for our "Personal Statistics" service.
# When this option is enabled, the information on malware detected by
# your clamd installation is made available to you through our website.
# To get your HostID, log on http://www.stats.clamav.net and add a new
# host to your host list. Once you have the HostID, uncomment this option
# and paste the HostID here. As soon as your freshclam starts submitting
# information to our stats collecting service, you will be able to view
# the statistics of this clamd installation by logging into
# http://www.stats.clamav.net with the same credentials you used to
# generate the HostID. For more information refer to:
# http://www.clamav.net/documentation.html#cctts
# This feature requires SubmitDetectionStats to be enabled.
# Default: disabled
#DetectionStatsHostID unique-id
# This option enables support for Google Safe Browsing. When activated for
# the first time, freshclam will download a new database file (safebrowsing.cvd)
# which will be automatically loaded by clamd and clamscan during the next
# reload, provided that the heuristic phishing detection is turned on. This
# database includes information about websites that may be phishing sites or
# possible sources of malware. When using this option, it's mandatory to run
# freshclam at least every 30 minutes.
# Freshclam uses the ClamAV's mirror infrastructure to distribute the
# database and its updates but all the contents are provided under Google's
# terms of use. See http://www.google.com/transparencyreport/safebrowsing
# and http://www.clamav.net/documentation.html#safebrowsing
# for more information.
# Default: disabled
#SafeBrowsing yes
# This option enables downloading of bytecode.cvd, which includes additional
# detection mechanisms and improvements to the ClamAV engine.
# Default: enabled
#Bytecode yes
# Download an additional 3rd party signature database distributed through
# the ClamAV mirrors.
# This option can be used multiple times.
#ExtraDatabase dbname1
#ExtraDatabase dbname2
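Review bot: `PidFile /var/run/freshclam.pid` sits directly in /var/run while `DatabaseOwner clamav` makes freshclam drop to an unprivileged user. If this freshclam version writes the PID file after dropping privileges (worth confirming against the packaged version), the write fails in a root-owned directory and the init script has no PID to track. A clamav-owned subdirectory avoids the dependency on ordering, e.g. `PidFile /var/run/clamav/freshclam.pid`, with that directory created by the same tmpfiles/volatiles entries that create /var/log/clamav. This file otherwise duplicates the previous freshclam configuration except for three directives, so a comment naming which image each one is for would help maintenance.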
@@ -0,0 +1,58 @@
Fixes checks not needed do to glibc 2.33
Upstream-Status: Pending
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Index: git/CMakeLists.txt
===================================================================
--- git.orig/CMakeLists.txt
+++ git/CMakeLists.txt
@@ -443,8 +443,6 @@ check_include_file("stdlib.h"
check_include_file("string.h" HAVE_STRING_H)
check_include_file("strings.h" HAVE_STRINGS_H)
check_include_file("sys/cdefs.h" HAVE_SYS_CDEFS_H)
-check_include_file("sys/dl.h" HAVE_SYS_DL_H)
-check_include_file("sys/fileio.h" HAVE_SYS_FILIO_H)
check_include_file("sys/mman.h" HAVE_SYS_MMAN_H)
check_include_file("sys/param.h" HAVE_SYS_PARAM_H)
check_include_file("sys/queue.h" HAVE_SYS_QUEUE_H)
@@ -479,8 +477,6 @@ endif()
# int-types variants
check_include_file("inttypes.h" HAVE_INTTYPES_H)
-check_include_file("sys/inttypes.h" HAVE_SYS_INTTYPES_H)
-check_include_file("sys/int_types.h" HAVE_SYS_INT_TYPES_H)
check_include_file("stdint.h" HAVE_STDINT_H)
# this hack required to silence warnings on systems with inttypes.h
@@ -608,17 +604,11 @@ check_type_size("time_t" SIZEOF_TIME_T)
# Checks for library functions.
include(CheckSymbolExists)
check_symbol_exists(_Exit "stdlib.h" HAVE__EXIT)
-check_symbol_exists(accept4 "sys/types.h" HAVE_ACCEPT4)
check_symbol_exists(snprintf "stdio.h" HAVE_SNPRINTF)
-check_symbol_exists(stat64 "sys/stat.h" HAVE_STAT64)
-check_symbol_exists(strcasestr "string.h" HAVE_STRCASESTR)
check_symbol_exists(strerror_r "string.h" HAVE_STRERROR_R)
-check_symbol_exists(strlcat "string.h" HAVE_STRLCAT)
-check_symbol_exists(strlcpy "string.h" HAVE_STRLCPY)
check_symbol_exists(strndup "string.h" HAVE_STRNDUP)
check_symbol_exists(strnlen "string.h" HAVE_STRNLEN)
-check_symbol_exists(strnstr "string.h" HAVE_STRNSTR)
-check_symbol_exists(sysctlbyname "sysctl.h" HAVE_SYSCTLBYNAME)
+check_symbol_exists(strcasecmp "string.h" HAVE_STRNCMP)
check_symbol_exists(timegm "time.h" HAVE_TIMEGM)
check_symbol_exists(vsnprintf "stdio.h" HAVE_VSNPRINTF)
@@ -632,10 +622,9 @@ else()
check_symbol_exists(fseeko "stdio.h" HAVE_FSEEKO)
check_symbol_exists(getaddrinfo "netdb.h" HAVE_GETADDRINFO)
check_symbol_exists(getpagesize "unistd.h" HAVE_GETPAGESIZE)
- check_symbol_exists(mkstemp "unistd.h" HAVE_MKSTEMP)
check_symbol_exists(poll "poll.h" HAVE_POLL)
- check_symbol_exists(setgroups "unistd.h" HAVE_SETGROUPS)
check_symbol_exists(setsid "unistd.h" HAVE_SETSID)
+ set(HAVE_SYSCONF_SC_PAGESIZE 1)
endif()
include(CheckSymbolExists)
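Review bot: Dropping the `setgroups` and `mkstemp` probes leaves `HAVE_SETGROUPS` and `HAVE_MKSTEMP` undefined rather than forcing them on. If the sources guard supplementary-group clearing during privilege drop or safe temp-file creation with these macros (not visible in this patch), the build silently takes the weaker fallback path. Since glibc provides both, `set(HAVE_SETGROUPS 1)` and `set(HAVE_MKSTEMP 1)` next to the added `set(HAVE_SYSCONF_SC_PAGESIZE 1)` would keep that code compiled in. Separately, the added `check_symbol_exists(strcasecmp "string.h" HAVE_STRNCMP)` probes one function but defines a macro named after another, and strcasecmp is declared in strings.h; this looks like a typo and should name the symbol and macro actually intended. The patch header says only "checks not needed", so a per-symbol reason would make the `Upstream-Status: Pending` claim reviewable.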
@@ -0,0 +1,39 @@
Issue with rpath including /usr/lib and crosscompile checkes causing oe configure to fail
Use oe's cmake rpath framework and exclude some of the cmake checks that fail in our env
Upstream-Status: Inappropriate [configuration]
Singed-off-by: Armin Kuster <akuster808@gmail.com>
Index: git/CMakeLists.txt
===================================================================
--- git.orig/CMakeLists.txt
+++ git/CMakeLists.txt
@@ -162,12 +162,6 @@ endif()
include(GNUInstallDirs)
-if(CMAKE_INSTALL_FULL_LIBDIR)
- set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_FULL_LIBDIR}")
-else()
- set(CMAKE_INSTALL_RPATH "${CMAKE_INSTALL_PREFIX}/lib")
-endif()
-
if(C_LINUX)
if(CMAKE_COMPILER_IS_GNUCXX)
# Set _GNU_SOURCE for O_LARGEFILE, O_CLOEXEC, O_DIRECTORY, O_NOFOLLOW, etc flags on older systems
@@ -581,14 +575,8 @@ include(TestInline)
include(CheckFileOffsetBits)
# Determine how to pack structs on this platform.
include(CheckStructPacking)
-# Check for signed right shift implementation.
-include(CheckSignedRightShift)
# Check if systtem fts implementation available
include(CheckFTS)
-# Check if uname(2) follows POSIX standard.
-include(CheckUnamePosix)
-# Check support for file descriptor passing
-include(CheckFDPassing)
# Check if big-endian
include(TestBigEndian)
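Review bot: The second hunk drops `include(CheckSignedRightShift)`, `include(CheckUnamePosix)` and `include(CheckFDPassing)` without setting the results those modules would have produced, so the build presumably treats each feature as absent whatever the target actually supports. If file-descriptor passing is one of the features this turns off, anything that depends on it is silently compiled out, which is worth confirming against the target. I would keep the removal but pre-seed the expected answers from the recipe as CMake cache variables, and list each disabled check and its assumed value in the patch header. The header trailer is also spelled `Singed-off-by:`, which tooling that looks for `Signed-off-by:` will not recognise.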
@@ -0,0 +1,3 @@
#Type Path Mode UID GID Age Argument
d /var/log/clamav 0755 clamav clamav -
f /var/log/clamav/freshclam.log 0644 clamav clamav -
@@ -0,0 +1,3 @@
# <type> <owner> <group> <mode> <path> <linksource>
d clamav clamav 0755 /var/log/clamav none
f clamav clamav 0655 /var/log/clamav/freshclam.log none
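Review bot: Mode `0655` on `/var/log/clamav/freshclam.log` gives group and others the execute bit on a log file while the owner has none, which looks like a typo for `0644`; the tmpfiles.d entry for the same path in this commit uses `0644`. I would change the line to `f clamav clamav 0644 /var/log/clamav/freshclam.log none` so both mechanisms create the file with the same permissions. If the update log is not meant to be readable by every local user, `0640` in both files would be the tighter choice.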
@@ -0,0 +1,48 @@
DESCRIPTION = "rootkit detector"
SUMMARY = "locally checks for signs of a rootkit"
HOMEPAGE = "http://www.chkrootkit.org/"
SECTION = "security"
LICENSE = "BSD-2-Clause"
LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=fdbe53788f7081c63387d8087273f5ff"
SRC_URI = "http://archive.ubuntu.com/ubuntu/pool/universe/c/${BPN}/${BPN}_${PV}.orig.tar.gz \
file://musl_fix.patch"
SRC_URI[sha256sum] = "06d1faee151aa3e3c0f91ac807ca92e60b75ed1c18268ccef2c45117156d253c"
inherit autotools-brokensep
TARGET_CC_ARCH += "${LDFLAGS}"
do_configure () {
sed -i 's/@strip.*$//' ${S}/Makefile
}
do_compile () {
make CC="${CC}" LDFLAGS="${LDFLAGS}" sense
gzip -9vkf ACKNOWLEDGMENTS
gzip -9vkf README
}
do_install () {
install -d ${D}/${libdir}/${PN}
install -d ${D}/${sbindir}
install -d ${D}/${docdir}/${PN}
install -m 644 ${B}/chkdirs ${D}/${libdir}/${PN}
install -m 644 ${B}/chklastlog ${D}/${libdir}/${PN}
install -m 644 ${B}/chkproc ${D}/${libdir}/${PN}
install -m 644 ${B}/chkutmp ${D}/${libdir}/${PN}
install -m 644 ${B}/chkwtmp ${D}/${libdir}/${PN}
install -m 644 ${B}/ifpromisc ${D}/${libdir}/${PN}
install -m 644 ${B}/strings-static ${D}/${libdir}/${PN}
install -m 755 ${B}/chklastlog ${D}/${sbindir}
install -m 755 ${B}/chkrootkit ${D}/${sbindir}
install -m 755 ${B}/chkwtmp ${D}/${sbindir}
install -m 644 ${B}/ACKNOWLEDGMENTS.gz ${D}/${docdir}/${PN}
install -m 644 ${B}/README.chklastlog ${D}/${docdir}/${PN}
install -m 644 ${B}/README.chkwtmp ${D}/${docdir}/${PN}
install -m 644 ${B}/README.gz ${D}/${docdir}/${PN}
install -m 644 ${B}/COPYRIGHT ${D}/${docdir}/${PN}
}
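Review bot: The helper programs in `do_install` (`chkdirs`, `chklastlog`, `chkproc`, `chkutmp`, `chkwtmp`, `ifpromisc`, `strings-static`) are installed into `${libdir}/${PN}` with mode 644, so none of them is executable there. If the `chkrootkit` script is expected to run them from that directory, those checks cannot run on the target, and a detector that quietly skips checks gives a false sense of coverage. I would install them as `install -m 755 ${B}/chkproc ${D}/${libdir}/${PN}` (same for the other six) and confirm that the script placed in `${sbindir}` really looks for its helpers in `${libdir}/${PN}`; nothing in the recipe shows how it finds them. Separately, `SRC_URI` fetches over plain `http://`; the pinned `SRC_URI[sha256sum]` covers integrity, but an `https://` source would be preferable if one is available.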
@@ -0,0 +1,58 @@
chkrootkit: Fix missing includes for musl
Upstream-Status: Backport
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07737b95af2452c0055e1ed0660590c1487befdb
https://bugs.gentoo.org/715552
Signed-off-by: Armin Kuster <akuster808@gamil.com>
Index: chkrootkit-0.55/chkdirs.c
===================================================================
--- chkrootkit-0.55.orig/chkdirs.c
+++ chkrootkit-0.55/chkdirs.c
@@ -33,7 +33,7 @@
#elif defined(__APPLE__) && defined(__MACH__)
#include <sys/syslimits.h>
#endif
-
+#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
Index: chkrootkit-0.55/chklastlog.c
===================================================================
--- chkrootkit-0.55.orig/chklastlog.c
+++ chkrootkit-0.55/chklastlog.c
@@ -41,6 +41,7 @@ int main () { return 0; }
#include <stdlib.h>
#endif
#include <sys/stat.h>
+#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
Index: chkrootkit-0.55/chkproc.c
===================================================================
--- chkrootkit-0.55.orig/chkproc.c
+++ chkrootkit-0.55/chkproc.c
@@ -65,6 +65,7 @@ int main (){ return 0; }
#include <string.h>
#include <errno.h>
#include <sys/types.h>
+#include <fcntl.h>
#include <dirent.h>
#include <ctype.h>
#include <stdlib.h>
Index: chkrootkit-0.55/chkwtmp.c
===================================================================
--- chkrootkit-0.55.orig/chkwtmp.c
+++ chkrootkit-0.55/chkwtmp.c
@@ -25,6 +25,7 @@ int main () { return 0; }
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
+#include <fcntl.h>
#include <string.h>
#include <utmp.h>
#include <time.h>