mirror of
https://git.yoctoproject.org/meta-security
synced 2026-07-15 15:37:18 +00:00
reorg ids: move ids recipes to recipes-ids
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Executable
+3
@@ -0,0 +1,3 @@
|
||||
#!/bin/sh
|
||||
current_dir=$(dirname $(readlink -f $0))
|
||||
$current_dir/cutest
|
||||
@@ -0,0 +1,28 @@
|
||||
From ae79606a6745dbbd429d1d4671dfe3045d735057 Mon Sep 17 00:00:00 2001
|
||||
From: Jackie Huang <jackie.huang@windriver.com>
|
||||
Date: Thu, 14 Sep 2017 13:26:55 +0800
|
||||
Subject: [PATCH] Add LDFLAGS variable for compiling samhain_setpwd
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
|
||||
---
|
||||
Makefile.in | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 01de987..49356cf 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -1128,7 +1128,7 @@ sh_tiger_i.o: $(srcsrc)/$(TIGER_SRC) Makefile config_xor.h
|
||||
samhain_setpwd: encode config_xor.h $(srcsrc)/samhain_setpwd.c
|
||||
@echo '$(COMPILE) -o samhain_setpwd $(srcsrc)/samhain_setpwd.c'; \
|
||||
./encode $(XOR_CODE) $(srcsrc)/samhain_setpwd.c; \
|
||||
- $(COMPILE) -o samhain_setpwd x_samhain_setpwd.c; \
|
||||
+ $(COMPILE) $(LDFLAGS) -o samhain_setpwd x_samhain_setpwd.c; \
|
||||
rm x_samhain_setpwd.c
|
||||
|
||||
samhain_stealth: encode config_xor.h $(srcsrc)/samhain_stealth.c
|
||||
--
|
||||
2.11.0
|
||||
|
||||
@@ -0,0 +1,134 @@
|
||||
From 3e2ca7e06b16ceff6d12beb5113312f6525df595 Mon Sep 17 00:00:00 2001
|
||||
From: Jackie Huang <jackie.huang@windriver.com>
|
||||
Date: Thu, 14 Sep 2017 11:02:12 +0800
|
||||
Subject: [PATCH] configure.ac: avoid searching host for postgresql
|
||||
|
||||
Upstream-Status: Inappropriate [cross compile specific]
|
||||
|
||||
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
|
||||
---
|
||||
configure.ac | 101 +++--------------------------------------------------------
|
||||
1 file changed, 5 insertions(+), 96 deletions(-)
|
||||
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index a224c68..f658d53 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -1278,90 +1278,11 @@ AC_ARG_WITH(database,
|
||||
AC_DEFINE(WITH_POSTGRES)
|
||||
AC_DEFINE(WITH_DATABASE)
|
||||
#
|
||||
- PGCONF="no"
|
||||
- MY_PATH="${PATH}:/usr/local/bin:/usr/local/pgsql/bin"
|
||||
- OLD_IFS="$IFS"
|
||||
- IFS=":"
|
||||
- for ff in ${MY_PATH}
|
||||
- do
|
||||
- if test -f "$ff/pg_config"
|
||||
- then
|
||||
- PGCONF="$ff/pg_config"
|
||||
- fi
|
||||
- done
|
||||
- IFS="${OLD_IFS}"
|
||||
- #
|
||||
- #
|
||||
- if test "x${PGCONF}" = "xno"
|
||||
- then
|
||||
- AC_MSG_CHECKING(for PostgreSQL in /usr/local/pgsql /usr/pgsql /usr/local /usr PGSQL_HOME)
|
||||
- pgsql_directory="/usr/local/pgsql /usr/pgsql /usr/local /usr ${PGSQL_HOME}"
|
||||
- for i in $pgsql_directory; do
|
||||
- if test -r $i/include/pgsql/libpq-fe.h; then
|
||||
- PGSQL_INC_DIR=$i/include
|
||||
- PGSQL_DIR=$i
|
||||
- # use AC_CHECK_HEADERS to check for pgsql/libpq-fe.h
|
||||
- fi
|
||||
- done
|
||||
- if test -z "$PGSQL_DIR"; then
|
||||
- for i in $pgsql_directory; do
|
||||
- if test -r $i/include/postgresql/libpq-fe.h; then
|
||||
- PGSQL_INC_DIR=$i/include
|
||||
- PGSQL_DIR=$i
|
||||
- fi
|
||||
- done
|
||||
- fi
|
||||
- if test -z "$PGSQL_DIR"; then
|
||||
- for i in $pgsql_directory; do
|
||||
- if test -r $i/include/libpq-fe.h; then
|
||||
- PGSQL_INC_DIR=$i/include
|
||||
- PGSQL_DIR=$i
|
||||
- fi
|
||||
- done
|
||||
- fi
|
||||
-
|
||||
- if test -z "$PGSQL_DIR"; then
|
||||
- tmp=""
|
||||
- for i in $pgsql_directory; do
|
||||
- tmp="$tmp $i/include $i/include/pgsql $i/include/postgresql"
|
||||
- done
|
||||
- FAIL_MESSAGE("PostgreSQL header file (libpq-fe.h)", $tmp)
|
||||
- fi
|
||||
-
|
||||
- for i in lib lib/pgsql lib/postgresql; do
|
||||
- str="$PGSQL_DIR/$i/libpq.*"
|
||||
- for j in `echo $str`; do
|
||||
- if test -r $j; then
|
||||
- PGSQL_LIB_DIR="$PGSQL_DIR/$i"
|
||||
- break 2
|
||||
- fi
|
||||
- done
|
||||
- done
|
||||
-
|
||||
- if test -z "$PGSQL_LIB_DIR"; then
|
||||
- for ff in $pgsql_directory; do
|
||||
- for i in lib lib/pgsql lib/postgresql; do
|
||||
- str="$ff/$i/libpq.*"
|
||||
- for j in `echo $str`; do
|
||||
- if test -r $j; then
|
||||
- PGSQL_LIB_DIR="$ff/$i"
|
||||
- break 3
|
||||
- fi
|
||||
- done
|
||||
- done
|
||||
- done
|
||||
- fi
|
||||
-
|
||||
- if test -z "$PGSQL_LIB_DIR"; then
|
||||
- tmp=""
|
||||
- for i in $pgsql_directory; do
|
||||
- tmp="$i/lib $i/lib/pgsql $i/lib/postgresql"
|
||||
- done
|
||||
- FAIL_MESSAGE("postgresql library libpq", $tmp)
|
||||
- fi
|
||||
-
|
||||
- AC_MSG_RESULT(yes)
|
||||
-
|
||||
+ if test -z "${PGSQL_LIB_DIR}" ; then
|
||||
+ FAIL_MESSAGE("PGSQL_LIB_DIR is not set!")
|
||||
+ elif test -z "${PGSQL_INC_DIR}" ; then
|
||||
+ FAIL_MESSAGE("PGSQL_INC_DIR is not set!")
|
||||
+ else
|
||||
LIBS="$LIBS -L${PGSQL_LIB_DIR} -lpq -lm"
|
||||
if test x"$enable_static" = xyes; then
|
||||
LIBS="$LIBS -L${PGSQL_LIB_DIR} -lpq -lcrypt -lm"
|
||||
@@ -1370,18 +1291,6 @@ AC_ARG_WITH(database,
|
||||
fi
|
||||
# CFLAGS="$CFLAGS -I${PGSQL_INC_DIR}"
|
||||
CPPFLAGS="$CPPFLAGS -I${PGSQL_INC_DIR}"
|
||||
- AC_CHECK_HEADERS(pgsql/libpq-fe.h)
|
||||
- AC_CHECK_HEADERS(postgresql/libpq-fe.h)
|
||||
- else
|
||||
- pg_lib_dir=`${PGCONF} --libdir`
|
||||
- if test x"$enable_static" = xyes; then
|
||||
- LIBS="$LIBS -L${pg_lib_dir} -lpq -lcrypt -lm"
|
||||
- else
|
||||
- LIBS="$LIBS -L${pg_lib_dir} -lpq -lm"
|
||||
- fi
|
||||
- pg_inc_dir=`${PGCONF} --includedir`
|
||||
- # CFLAGS="$CFLAGS -I${pg_inc_dir}"
|
||||
- CPPFLAGS="$CPPFLAGS -I${pg_inc_dir}"
|
||||
fi
|
||||
elif test "x${withval}" = "xodbc"; then
|
||||
AC_MSG_CHECKING(for odbc in /usr /usr/local ODBC_HOME)
|
||||
--
|
||||
2.11.0
|
||||
|
||||
@@ -0,0 +1,3 @@
|
||||
# Set this to "yes" to start the server, after you configure it, of
|
||||
# course.
|
||||
SAMHAIN_CLIENT_START="no"
|
||||
@@ -0,0 +1,122 @@
|
||||
#!/bin/bash
|
||||
# chkconfig: 2345 99 10
|
||||
# description: File Integrity Checking Daemon
|
||||
#
|
||||
# processname: samhain
|
||||
# config : /etc/samhainrc
|
||||
# logfile : /var/log/samhain_log
|
||||
# database: /var/lib/samhain/samhain_file
|
||||
#
|
||||
|
||||
NAME=samhain
|
||||
DAEMON=/usr/sbin/samhain
|
||||
RETVAL=0
|
||||
PIDFILE=/var/run/samhain.pid
|
||||
|
||||
. /etc/default/rcS
|
||||
|
||||
. /etc/default/samhain-client
|
||||
|
||||
if [ "x$SAMHAIN_CLIENT_START" != "xyes" ]; then
|
||||
echo "${0}: client disabled in /etc/default/samhain-client"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ -x $DAEMON ]; then
|
||||
:
|
||||
else
|
||||
echo "${0}: executable ${DAEMON} not found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -e /var/lib/samhain/samhain_file ]; then
|
||||
echo "${0}: /var/lib/samhain/samhain_file does not exist. You must"
|
||||
echo " run 'samhain -t init' before samhian-client can start."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
samhain_done()
|
||||
{
|
||||
if [ $RETVAL -eq 0 ]; then
|
||||
echo "."
|
||||
else
|
||||
echo " failed."
|
||||
fi
|
||||
}
|
||||
|
||||
log_stat_msg () {
|
||||
case "$1" in
|
||||
0)
|
||||
echo "Service $NAME: Running";
|
||||
;;
|
||||
1)
|
||||
echo "Service $NAME: Stopped and /var/run pid file exists";
|
||||
;;
|
||||
3)
|
||||
echo "Service $NAME: Stopped";
|
||||
;;
|
||||
*)
|
||||
echo "Service $NAME: Status unknown";
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
#
|
||||
# Remove a stale PID file, if found
|
||||
#
|
||||
if test -f ${PIDFILE}; then
|
||||
/bin/rm -f ${PIDFILE}
|
||||
fi
|
||||
#
|
||||
echo -n "Starting ${NAME}"
|
||||
start-stop-daemon --start --quiet --exec $DAEMON
|
||||
RETVAL=$?
|
||||
samhain_done
|
||||
;;
|
||||
|
||||
stop)
|
||||
echo -n "Stopping $NAME"
|
||||
start-stop-daemon --stop --quiet --exec $DAEMON
|
||||
RETVAL=$?
|
||||
|
||||
#
|
||||
# Remove a stale PID file, if found
|
||||
#
|
||||
if test -f ${PIDFILE}; then
|
||||
/bin/rm -f ${PIDFILE}
|
||||
fi
|
||||
if test -S /var/run/${NAME}.sock; then
|
||||
/bin/rm -f /var/run/${NAME}.sock
|
||||
fi
|
||||
samhain_done
|
||||
;;
|
||||
|
||||
restart)
|
||||
$0 stop
|
||||
sleep 3
|
||||
$0 start
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
reload|force-reload)
|
||||
echo -n "Reloading $NAME configuration files"
|
||||
start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
|
||||
RETVAL=$?
|
||||
samhain_done
|
||||
;;
|
||||
|
||||
status)
|
||||
$DAEMON status
|
||||
RETVAL=$?
|
||||
log_stat_msg ${RETVAL}
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "$0 usage: {start|stop|status|restart|reload}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit $RETVAL
|
||||
@@ -0,0 +1,108 @@
|
||||
From 02a143f0068cbc6cea71359169210fbb3606d4bb Mon Sep 17 00:00:00 2001
|
||||
From: Jackie Huang <jackie.huang@windriver.com>
|
||||
Date: Mon, 18 Jan 2016 00:24:57 -0500
|
||||
Subject: [PATCH] configure: add option for ps
|
||||
|
||||
The configure searches hardcoded host paths for PSPATH
|
||||
and run ps commands to decide PSARG which will fail
|
||||
on host without ps:
|
||||
| configure: error: Cannot find ps in any of /usr/ucb /bin /usr/bin
|
||||
|
||||
So add an option so we can specify the ps at configure
|
||||
to avoid host contamination.
|
||||
|
||||
Upstream-Status: Inappropriate [cross compile specific]
|
||||
|
||||
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
|
||||
---
|
||||
aclocal.m4 | 2 +-
|
||||
configure.ac | 60 ++++++++++--------------------------------------------------
|
||||
2 files changed, 11 insertions(+), 51 deletions(-)
|
||||
|
||||
diff --git a/aclocal.m4 b/aclocal.m4
|
||||
index a2e59a6..cd20a2f 100644
|
||||
--- a/aclocal.m4
|
||||
+++ b/aclocal.m4
|
||||
@@ -409,7 +409,7 @@ x_includes=NONE
|
||||
x_libraries=NONE
|
||||
DESTDIR=
|
||||
SH_ENABLE_OPTS="selinux posix-acl asm ssp db-reload xml-log message-queue login-watch process-check port-check mounts-check logfile-monitor userfiles debug ptrace static network udp nocl stealth micro-stealth install-name identity khide suidcheck base largefile mail external-scripts encrypt srp dnmalloc ipv6 shellexpand suid"
|
||||
-SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file"
|
||||
+SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file ps-path"
|
||||
|
||||
# Installation directory options.
|
||||
# These are left unexpanded so users can "make install exec_prefix=/foo"
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index 5910b1f..8c3e087 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -730,56 +730,16 @@ then
|
||||
fi
|
||||
AC_CHECK_HEADERS(gmp.h)
|
||||
|
||||
-AC_MSG_CHECKING([for ps])
|
||||
-PS=
|
||||
-for ff in /usr/ucb /bin /usr/bin; do
|
||||
- if test -x "$ff/ps"; then
|
||||
- PS="$ff/ps"
|
||||
- AC_MSG_RESULT([$PS])
|
||||
- break
|
||||
- fi
|
||||
-done
|
||||
-if test x$PS = x
|
||||
-then
|
||||
- AC_MSG_RESULT([no])
|
||||
- AC_MSG_ERROR([Cannot find ps in any of /usr/ucb /bin /usr/bin])
|
||||
-fi
|
||||
-AC_DEFINE_UNQUOTED([PSPATH], _("$PS"), [Path to ps])
|
||||
-
|
||||
-AC_MSG_CHECKING([how to use ps])
|
||||
-$PS ax >/dev/null 2>&1
|
||||
-if test $? -eq 0; then
|
||||
- case "$host_os" in
|
||||
- *openbsd*)
|
||||
- one=`$PS akx | wc -l`
|
||||
- ;;
|
||||
- *)
|
||||
- one=`$PS ax | wc -l`
|
||||
- ;;
|
||||
- esac
|
||||
-else
|
||||
- one=0
|
||||
-fi
|
||||
-$PS -e >/dev/null 2>&1
|
||||
-if test $? -eq 0; then
|
||||
- two=`$PS -e | wc -l`
|
||||
-else
|
||||
- two=0
|
||||
-fi
|
||||
-if test $one -ge $two
|
||||
-then
|
||||
- case "$host_os" in
|
||||
- *openbsd*)
|
||||
- PSARG="akx"
|
||||
- ;;
|
||||
- *)
|
||||
- PSARG="ax"
|
||||
- ;;
|
||||
- esac
|
||||
-else
|
||||
- PSARG="-e"
|
||||
-fi
|
||||
-AC_DEFINE_UNQUOTED([PSARG], _("$PSARG"), [Argument for ps])
|
||||
+AC_ARG_WITH(ps-path,
|
||||
+ [ --with-ps-path=PATH set path to ps command ],
|
||||
+ [
|
||||
+ if test "x${withval}" != xno; then
|
||||
+ pspath="${withval}"
|
||||
+ AC_DEFINE_UNQUOTED([PSPATH], _("${pspath}"), [Path to ps])
|
||||
+ AC_DEFINE_UNQUOTED([PSARG], _("ax"), [Argument for ps])
|
||||
+ fi
|
||||
+ ])
|
||||
+
|
||||
AC_MSG_RESULT([$PS $PSARG])
|
||||
|
||||
dnl *****************************************
|
||||
--
|
||||
1.9.1
|
||||
|
||||
@@ -0,0 +1,51 @@
|
||||
From f63908427b2adb1792c59edbe38618e14ef5bc7b Mon Sep 17 00:00:00 2001
|
||||
From: Jackie Huang <jackie.huang@windriver.com>
|
||||
Date: Fri, 15 Jan 2016 00:48:58 -0500
|
||||
Subject: [PATCH] Enable obfuscating binaries natively.
|
||||
|
||||
Enable obfuscating binaries natively.
|
||||
|
||||
The samhain build process involves an obfuscation step that attempts to
|
||||
defeat decompilation or other binary analysis techniques which might reveal
|
||||
secret information that should be known only to the system administrator.
|
||||
The obfuscation step builds several applications which run on the build host
|
||||
and then generate target code, which is then built into target binaries.
|
||||
|
||||
This patch creates a basic infrastructure that supports building the
|
||||
obfuscation binaries natively then cross-compiling the target code by adding
|
||||
a special configure option. In the absence of this option the old behaviour
|
||||
is preserved.
|
||||
|
||||
Upstream-Status: Inappropriate [cross compile specific]
|
||||
|
||||
Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
|
||||
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
|
||||
---
|
||||
Makefile.in | 4 +---
|
||||
1 file changed, 1 insertion(+), 3 deletions(-)
|
||||
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index 684e92b..fb090e2 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -54,7 +54,7 @@ selectconfig = @selectconfig@
|
||||
top_builddir = .
|
||||
|
||||
INSTALL = @INSTALL@
|
||||
-INSTALL_PROGRAM = @INSTALL@ -s -m 700
|
||||
+INSTALL_PROGRAM = @INSTALL@ -m 700
|
||||
INSTALL_SHELL = @INSTALL@ -m 700
|
||||
INSTALL_DATA = @INSTALL@ -m 600
|
||||
INSTALL_MAN = @INSTALL@ -m 644
|
||||
@@ -525,8 +525,6 @@ install-program: $(PROGRAMS) sstrip
|
||||
echo " $(INSTALL_PROGRAM) $$p $$target"; \
|
||||
$(INSTALL_PROGRAM) $$p $$target; \
|
||||
chmod 0700 $$target; \
|
||||
- echo " ./sstrip $$target"; \
|
||||
- ./sstrip $$target; \
|
||||
else \
|
||||
echo " $(INSTALL_SHELL) $$p $$target"; \
|
||||
$(INSTALL_SHELL) $$p $$target; \
|
||||
--
|
||||
1.9.1
|
||||
|
||||
@@ -0,0 +1,44 @@
|
||||
commit 0f6bdc219e598de08a3f37887efa5dfa50e2b996
|
||||
Author: Aws Ismail <aws.ismail@windriver.com>
|
||||
Date: Fri Jun 22 15:47:08 2012 -0400
|
||||
|
||||
Hash fix for MIPS64 and AARCH64
|
||||
|
||||
Samhain uses the addresses of local variables in generating hash
|
||||
values. The hashing function is designed only for 32-bit values.
|
||||
For MIPS64 when a 64-bit address is passed in the resulting hash
|
||||
exceeds the limits of the underlying mechanism and samhain
|
||||
ultimately fails. The solution is to simply take the lower
|
||||
32-bits of the address and use that in generating hash values.
|
||||
|
||||
Signed-off-by: Greg Moffatt <greg.moffatt@windriver.com>
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
|
||||
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
|
||||
|
||||
diff --git a/src/dnmalloc.c b/src/dnmalloc.c
|
||||
index da9a5c5..fc91400 100644
|
||||
--- a/src/dnmalloc.c
|
||||
+++ b/src/dnmalloc.c
|
||||
@@ -2703,11 +2703,19 @@ static void freecilst_add(chunkinfoptr p) {
|
||||
}
|
||||
|
||||
/* Calculate the hash table entry for a chunk */
|
||||
+#if defined(CONFIG_ARCH_MIPS64) || defined(CONFIG_ARCH_AARCH64)
|
||||
+#ifdef STARTHEAP_IS_ZERO
|
||||
+#define hash(p) ((((unsigned long) p) & 0x7fffffff) >> 7)
|
||||
+#else
|
||||
+#define hash(p) ((((unsigned long) p - (unsigned long) startheap) & 0x7fffffff) >> 7)
|
||||
+#endif
|
||||
+#else
|
||||
#ifdef STARTHEAP_IS_ZERO
|
||||
#define hash(p) (((unsigned long) p) >> 7)
|
||||
#else
|
||||
#define hash(p) (((unsigned long) p - (unsigned long) startheap) >> 7)
|
||||
#endif
|
||||
+#endif /* CONFIG_ARCH_MIPS64 */
|
||||
|
||||
static void
|
||||
hashtable_add (chunkinfoptr ci)
|
||||
@@ -0,0 +1,24 @@
|
||||
not run test on host, since we are doing cross-compile
|
||||
|
||||
Upstream-status: Inappropriate [cross compile specific]
|
||||
|
||||
Signed-off-by: Roy Li <rongqing.li@windriver.com>
|
||||
---
|
||||
Makefile.in | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile.in b/Makefile.in
|
||||
index e1b32a8..74bfdc9 100644
|
||||
--- a/Makefile.in
|
||||
+++ b/Makefile.in
|
||||
@@ -1234,7 +1234,6 @@ intcutest: internal.h $(OBJECTS) $(CUTEST_OBJECTS) sh_tiger_i.o $(srcsrc)/CuTest
|
||||
rm x_samhain.c; \
|
||||
$(LINK) sh_tiger_i.o $(CUTEST_OBJECTS) CuTestMain.o CuTest.o $(OBJECTS) $(LIBS_TRY); \
|
||||
test -f ./intcutest && mv ./intcutest ./cutest; \
|
||||
- ./cutest
|
||||
|
||||
runcutest:
|
||||
gdb ./cutest
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
@@ -0,0 +1,27 @@
|
||||
commit a932b03b65edeb02ccad2fce06bfa68a8f2fbb04
|
||||
Author: Aws Ismail <aws.ismail@windriver.com>
|
||||
Date: Thu Jan 10 16:29:05 2013 -0500
|
||||
|
||||
Set the PID Lock path for samhain.pid
|
||||
|
||||
The explicit path for samhain.pid inorder
|
||||
for samhain to work properly after it initial
|
||||
database build.
|
||||
|
||||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
|
||||
|
||||
diff --git a/samhainrc.linux b/samhainrc.linux
|
||||
index 10a8176..a7b06e6 100644
|
||||
--- a/samhainrc.linux
|
||||
+++ b/samhainrc.linux
|
||||
@@ -639,7 +639,7 @@ SetFileCheckTime = 86400
|
||||
|
||||
## Path to the PID file
|
||||
#
|
||||
-# SetLockfilePath = (default: compiled-in)
|
||||
+SetLockfilePath = /run/samhain.pid
|
||||
|
||||
|
||||
## The digest/checksum/hash algorithm
|
||||
@@ -0,0 +1,61 @@
|
||||
From 00fb527e45da42550156197647e01de9a6b1ad52 Mon Sep 17 00:00:00 2001
|
||||
From: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
Date: Mon, 3 Mar 2014 01:50:01 -0500
|
||||
Subject: [PATCH] fix real path for some files/dirs
|
||||
|
||||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
|
||||
---
|
||||
samhainrc.linux | 15 +++++++--------
|
||||
1 file changed, 7 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/samhainrc.linux b/samhainrc.linux
|
||||
index e9727b4..7775d83 100644
|
||||
--- a/samhainrc.linux
|
||||
+++ b/samhainrc.linux
|
||||
@@ -93,7 +93,6 @@ dir = 99/etc
|
||||
##
|
||||
file = /etc/mtab
|
||||
file = /etc/fstab
|
||||
-file = /etc/adjtime
|
||||
file = /etc/motd
|
||||
file = /etc/lvm/lvm.conf
|
||||
|
||||
@@ -153,11 +152,11 @@ dir = 99/var
|
||||
|
||||
[IgnoreAll]
|
||||
dir = -1/var/cache
|
||||
-dir = -1/var/lock
|
||||
-dir = -1/var/mail
|
||||
-dir = -1/var/run
|
||||
+dir = -1/run/lock
|
||||
+dir = -1/var/spool/mail
|
||||
+dir = -1/run
|
||||
dir = -1/var/spool
|
||||
-dir = -1/var/tmp
|
||||
+dir = -1/var/volatile/tmp
|
||||
|
||||
|
||||
[Attributes]
|
||||
@@ -167,7 +166,7 @@ dir = -1/var/tmp
|
||||
file = /var/lib/rpm/__db.00?
|
||||
|
||||
file = /var/lib/logrotate.status
|
||||
-file = /var/lib/random-seed
|
||||
+file = /var/lib/urandom/random-seed
|
||||
|
||||
|
||||
[GrowingLogFiles]
|
||||
@@ -176,7 +175,7 @@ file = /var/lib/random-seed
|
||||
## are ignored. Logfile rotation will cause a report because of shrinking
|
||||
## size and different inode.
|
||||
##
|
||||
-dir = 99/var/log
|
||||
+dir = 99/var/volatile/log
|
||||
|
||||
[Attributes]
|
||||
#
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
@@ -0,0 +1,158 @@
|
||||
commit 4c6658441eb3ffc4e51ed70f78cbdab046957580
|
||||
Author: Aws Ismail <aws.ismail@windriver.com>
|
||||
Date: Fri Jun 22 16:38:20 2012 -0400
|
||||
|
||||
Make samhainrc OE-friendly.
|
||||
|
||||
Patch the samhainrc that will be installed
|
||||
as part of the 'make install' step to more
|
||||
accurately reflect what will be found, and
|
||||
what will be of concern, on a OE install.
|
||||
|
||||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
|
||||
|
||||
diff --git a/samhainrc.linux b/samhainrc.linux
|
||||
index 9bc5ca4..10a8176 100644
|
||||
--- a/samhainrc.linux
|
||||
+++ b/samhainrc.linux
|
||||
@@ -74,7 +74,6 @@ dir = 0/
|
||||
[Attributes]
|
||||
file = /tmp
|
||||
file = /dev
|
||||
-file = /media
|
||||
file = /proc
|
||||
file = /sys
|
||||
|
||||
@@ -93,19 +92,10 @@ dir = 99/etc
|
||||
## check permission and ownership
|
||||
##
|
||||
file = /etc/mtab
|
||||
+file = /etc/fstab
|
||||
file = /etc/adjtime
|
||||
file = /etc/motd
|
||||
-file = /etc/lvm/.cache
|
||||
-
|
||||
-# On Ubuntu, these are in /var/lib rather than /etc
|
||||
-file = /etc/cups/certs
|
||||
-file = /etc/cups/certs/0
|
||||
-
|
||||
-# managed by fstab-sync on Fedora Core
|
||||
-file = /etc/fstab
|
||||
-
|
||||
-# modified when booting
|
||||
-file = /etc/sysconfig/hwconf
|
||||
+file = /etc/lvm/lvm.conf
|
||||
|
||||
# There are files in /etc that might change, thus changing the directory
|
||||
# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
|
||||
@@ -147,10 +137,6 @@ dir = 99/dev
|
||||
##
|
||||
dir = -1/dev/pts
|
||||
|
||||
-# dir = -1/dev/.udevdb
|
||||
-
|
||||
-file = /dev/ppp
|
||||
-
|
||||
#
|
||||
# --------- /usr -----------
|
||||
#
|
||||
@@ -167,50 +153,21 @@ dir = 99/var
|
||||
|
||||
[IgnoreAll]
|
||||
dir = -1/var/cache
|
||||
-dir = -1/var/backups
|
||||
-dir = -1/var/games
|
||||
-dir = -1/var/gdm
|
||||
dir = -1/var/lock
|
||||
dir = -1/var/mail
|
||||
dir = -1/var/run
|
||||
dir = -1/var/spool
|
||||
dir = -1/var/tmp
|
||||
-dir = -1/var/lib/texmf
|
||||
-dir = -1/var/lib/scrollkeeper
|
||||
|
||||
|
||||
[Attributes]
|
||||
|
||||
-dir = /var/lib/nfs
|
||||
-dir = /var/lib/pcmcia
|
||||
-
|
||||
# /var/lib/rpm changes if packets are installed;
|
||||
# /var/lib/rpm/__db.00[123] even more frequently
|
||||
file = /var/lib/rpm/__db.00?
|
||||
|
||||
-file = /var/lib/acpi-support/vbestate
|
||||
-file = /var/lib/alsa/asound.state
|
||||
-file = /var/lib/apt/lists/lock
|
||||
-file = /var/lib/apt/lists/partial
|
||||
-file = /var/lib/cups/certs
|
||||
-file = /var/lib/cups/certs/0
|
||||
-file = /var/lib/dpkg/lock
|
||||
-file = /var/lib/gdm
|
||||
-file = /var/lib/gdm/.cookie
|
||||
-file = /var/lib/gdm/.gdmfifo
|
||||
-file = /var/lib/gdm/:0.Xauth
|
||||
-file = /var/lib/gdm/:0.Xservers
|
||||
-file = /var/lib/logrotate/status
|
||||
-file = /var/lib/mysql
|
||||
-file = /var/lib/mysql/ib_logfile0
|
||||
-file = /var/lib/mysql/ibdata1
|
||||
-file = /var/lib/slocate
|
||||
-file = /var/lib/slocate/slocate.db
|
||||
-file = /var/lib/slocate/slocate.db.tmp
|
||||
-file = /var/lib/urandom
|
||||
-file = /var/lib/urandom/random-seed
|
||||
+file = /var/lib/logrotate.status
|
||||
file = /var/lib/random-seed
|
||||
-file = /var/lib/xkb
|
||||
|
||||
|
||||
[GrowingLogFiles]
|
||||
@@ -325,7 +282,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp
|
||||
|
||||
## Console
|
||||
##
|
||||
-# PrintSeverity=info
|
||||
+PrintSeverity=warn
|
||||
|
||||
## Logfile
|
||||
##
|
||||
@@ -333,7 +290,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp
|
||||
|
||||
## Syslog
|
||||
##
|
||||
-# SyslogSeverity=none
|
||||
+SyslogSeverity=info
|
||||
|
||||
## Remote server (yule)
|
||||
##
|
||||
@@ -556,7 +513,8 @@ ChecksumTest=check
|
||||
## and I/O limit (kilobytes per second; 0 == off)
|
||||
## to reduce load on host.
|
||||
#
|
||||
-# SetNiceLevel = 0
|
||||
+# By default we configure samhain to be nice with everything else on the system
|
||||
+SetNiceLevel = 10
|
||||
# SetIOLimit = 0
|
||||
|
||||
## The version string to embed in file signature databases
|
||||
@@ -565,13 +523,14 @@ ChecksumTest=check
|
||||
|
||||
## Interval between time stamp messages
|
||||
#
|
||||
-# SetLoopTime = 60
|
||||
-SetLoopTime = 600
|
||||
+# Log a timestamp every hour
|
||||
+SetLoopTime = 3600
|
||||
|
||||
## Interval between file checks
|
||||
#
|
||||
# SetFileCheckTime = 600
|
||||
-SetFileCheckTime = 7200
|
||||
+# One file system check per day
|
||||
+SetFileCheckTime = 86400
|
||||
|
||||
## Alternative: crontab-like schedule
|
||||
#
|
||||
@@ -0,0 +1 @@
|
||||
d daemon daemon 0775 /var/log/yule none
|
||||
@@ -0,0 +1,3 @@
|
||||
# Set this to "yes" to start the server, after you configure it, of
|
||||
# course.
|
||||
SAMHAIN_SERVER_START="no"
|
||||
@@ -0,0 +1,116 @@
|
||||
#!/bin/bash
|
||||
# chkconfig: 2345 98 11
|
||||
# description: File Integrity Checking Daemon
|
||||
#
|
||||
# processname: yule
|
||||
# config : /etc/yulerc
|
||||
# logfile : /var/log/yule/yule_log
|
||||
# database: /var/lib/yule/yule_file
|
||||
#
|
||||
|
||||
NAME=yule
|
||||
DAEMON=/usr/sbin/yule
|
||||
RETVAL=0
|
||||
PIDFILE=/var/run/yule.pid
|
||||
|
||||
. /etc/default/rcS
|
||||
|
||||
. /etc/default/samhain-server
|
||||
|
||||
if [ "x$SAMHAIN_SERVER_START" != "xyes" ]; then
|
||||
echo "${0}: server disabled in /etc/default/samhain-server"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ -x $DAEMON ]; then
|
||||
:
|
||||
else
|
||||
echo "${0}: executable ${DAEMON} not found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
samhain_done()
|
||||
{
|
||||
if [ $RETVAL -eq 0 ]; then
|
||||
echo "."
|
||||
else
|
||||
echo " failed."
|
||||
fi
|
||||
}
|
||||
|
||||
log_stat_msg () {
|
||||
case "$1" in
|
||||
0)
|
||||
echo "Service $NAME: Running";
|
||||
;;
|
||||
1)
|
||||
echo "Service $NAME: Stopped and /var/run pid file exists";
|
||||
;;
|
||||
3)
|
||||
echo "Service $NAME: Stopped";
|
||||
;;
|
||||
*)
|
||||
echo "Service $NAME: Status unknown";
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
#
|
||||
# Remove a stale PID file, if found
|
||||
#
|
||||
if test -f ${PIDFILE}; then
|
||||
/bin/rm -f ${PIDFILE}
|
||||
fi
|
||||
#
|
||||
echo -n "Starting ${NAME}"
|
||||
start-stop-daemon --start --quiet --exec $DAEMON
|
||||
RETVAL=$?
|
||||
samhain_done
|
||||
;;
|
||||
|
||||
stop)
|
||||
echo -n "Stopping $NAME"
|
||||
start-stop-daemon --stop --quiet --exec $DAEMON
|
||||
RETVAL=$?
|
||||
|
||||
#
|
||||
# Remove a stale PID file, if found
|
||||
#
|
||||
if test -f ${PIDFILE}; then
|
||||
/bin/rm -f ${PIDFILE}
|
||||
fi
|
||||
if test -S /var/run/${NAME}.sock; then
|
||||
/bin/rm -f /var/run/${NAME}.sock
|
||||
fi
|
||||
samhain_done
|
||||
;;
|
||||
|
||||
restart)
|
||||
$0 stop
|
||||
sleep 3
|
||||
$0 start
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
reload|force-reload)
|
||||
echo -n "Reloading $NAME configuration files"
|
||||
start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
|
||||
RETVAL=$?
|
||||
samhain_done
|
||||
;;
|
||||
|
||||
status)
|
||||
$DAEMON status
|
||||
RETVAL=$?
|
||||
log_stat_msg ${RETVAL}
|
||||
;;
|
||||
|
||||
*)
|
||||
echo "$0 usage: {start|stop|status|restart|reload}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit $RETVAL
|
||||
@@ -0,0 +1,22 @@
|
||||
samhain: fix sha256 for big-endian machines
|
||||
|
||||
After computing the digest, big-endian machines would
|
||||
memset() the digest to the first byte of state instead
|
||||
of using memcpy() to transfer it.
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
Signed-off-by: Joe Slater <jslater@windriver.com>
|
||||
|
||||
|
||||
--- a/src/sh_checksum.c
|
||||
+++ b/src/sh_checksum.c
|
||||
@@ -468,7 +468,7 @@ void SHA256_Final(sha2_byte digest[], SH
|
||||
}
|
||||
}
|
||||
#else
|
||||
- memset(d, context->state, SHA256_DIGEST_LENGTH);
|
||||
+ memcpy(d, context->state, SHA256_DIGEST_LENGTH);
|
||||
/* bcopy(context->state, d, SHA256_DIGEST_LENGTH); */
|
||||
#endif
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
# Set this to "yes" to start the server, after you configure it, of
|
||||
# course.
|
||||
SAMHAIN_STANDALONE_START="no"
|
||||
@@ -0,0 +1,123 @@
|
||||
#!/bin/sh
|
||||
# chkconfig: 2345 99 10
|
||||
# description: File Integrity Checking Daemon
|
||||
#
|
||||
# processname: samhain
|
||||
# config : /etc/samhainrc
|
||||
# logfile : /var/log/samhain_log
|
||||
# database: /var/lib/samhain/samhain_file
|
||||
#
|
||||
|
||||
NAME=samhain
|
||||
DAEMON=/usr/sbin/samhain
|
||||
RETVAL=0
|
||||
VERBOSE=yes
|
||||
PIDFILE=/var/run/samhain.pid
|
||||
|
||||
. /etc/default/samhain-standalone
|
||||
|
||||
if [ "x$SAMHAIN_STANDALONE_START" != "xyes" ]; then
|
||||
echo "${0}: samhain disabled in /etc/default/samhain-standalone"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ -x $DAEMON ]; then
|
||||
:
|
||||
else
|
||||
echo "${0}: executable ${DAEMON} not found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -e /var/lib/samhain/samhain_file ]; then
|
||||
echo "${0}: /var/lib/samhain/samhain_file does not exist. You must"
|
||||
echo " run 'samhain -t init' before samhian can start."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
samhain_done()
|
||||
{
|
||||
if [ $RETVAL -eq 0 ]; then
|
||||
echo "."
|
||||
else
|
||||
echo " failed."
|
||||
fi
|
||||
}
|
||||
|
||||
log_stat_msg () {
|
||||
case "$1" in
|
||||
0)
|
||||
echo "Service $NAME: Running";
|
||||
;;
|
||||
1)
|
||||
echo "Service $NAME: Stopped and /var/run pid file exists";
|
||||
;;
|
||||
3)
|
||||
echo "Service $NAME: Stopped";
|
||||
;;
|
||||
*)
|
||||
echo "Service $NAME: Status unknown";
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
#
|
||||
# Remove a stale PID file, if found
|
||||
#
|
||||
if test -f ${PIDFILE}; then
|
||||
/bin/rm -f ${PIDFILE}
|
||||
fi
|
||||
|
||||
echo -n "Starting ${NAME}"
|
||||
start-stop-daemon --start --quiet --exec $DAEMON
|
||||
RETVAL=$?
|
||||
samhain_done
|
||||
exit $RETVAL
|
||||
;;
|
||||
stop)
|
||||
echo -n "Stopping $NAME"
|
||||
start-stop-daemon --stop --quiet --exec $DAEMON
|
||||
RETVAL=$?
|
||||
samhain_done
|
||||
#
|
||||
# Remove a stale PID file, if found
|
||||
#
|
||||
if test -f ${PIDFILE}; then
|
||||
/bin/rm -f ${PIDFILE}
|
||||
fi
|
||||
if test -S /var/run/${NAME}.sock; then
|
||||
/bin/rm -f /var/run/${NAME}.sock
|
||||
fi
|
||||
;;
|
||||
|
||||
restart)
|
||||
$0 stop
|
||||
sleep 3
|
||||
$0 start
|
||||
RETVAL=$?
|
||||
;;
|
||||
|
||||
reload|force-reload)
|
||||
echo -n "Reloading $NAME configuration files"
|
||||
start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON
|
||||
RETVAL=$?
|
||||
samhain_done
|
||||
;;
|
||||
|
||||
status)
|
||||
if pidof -o %PPID $DAEMON > /dev/null; then
|
||||
echo "Samhain running"
|
||||
RETVAL=0
|
||||
else
|
||||
echo "Samhain not running"
|
||||
RETVAL=1
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
echo "$0 usage: {start|stop|status|restart|reload}"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
|
||||
exit $RETVAL
|
||||
@@ -0,0 +1,12 @@
|
||||
[Unit]
|
||||
Description=Samhain @MODE_NAME@ Daemon
|
||||
After=syslog.target network.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
RemainAfterExit=yes
|
||||
ExecStart=@LIBDIR@/@SAMHAIN_HELPER@ start
|
||||
ExecStop=@LIBDIR@/@SAMHAIN_HELPER@ stop
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -0,0 +1,11 @@
|
||||
INITSCRIPT_PARAMS = "defaults 15 85"
|
||||
|
||||
require samhain.inc
|
||||
|
||||
# Let the default Logserver be 127.0.0.1
|
||||
EXTRA_OECONF += " \
|
||||
--with-logserver=${SAMHAIN_SERVER} \
|
||||
--with-port=${SAMHAIN_PORT} \
|
||||
"
|
||||
|
||||
RDEPENDS_${PN} = "acl zlib attr bash"
|
||||
@@ -0,0 +1,20 @@
|
||||
INITSCRIPT_PARAMS = "defaults 14 86"
|
||||
|
||||
require samhain.inc
|
||||
|
||||
DEPENDS = "gmp"
|
||||
|
||||
SRC_URI += "file://samhain-server-volatiles"
|
||||
|
||||
TARGET_CC_ARCH += "${LDFLAGS}"
|
||||
|
||||
do_install_append() {
|
||||
install -d ${D}${sysconfdir}/default/volatiles
|
||||
install -m 0644 ${WORKDIR}/samhain-server-volatiles \
|
||||
${D}${sysconfdir}/default/volatiles/samhain-server
|
||||
|
||||
install -m 700 samhain-install.sh init/samhain.startLinux \
|
||||
init/samhain.startLSB ${D}/var/lib/samhain
|
||||
}
|
||||
|
||||
RDEPENDS_${PN} += "gmp bash perl"
|
||||
@@ -0,0 +1,31 @@
|
||||
require samhain.inc
|
||||
|
||||
SRC_URI += "file://samhain-not-run-ptest-on-host.patch \
|
||||
file://run-ptest \
|
||||
"
|
||||
|
||||
PROVIDES += "samhain"
|
||||
|
||||
SYSTEMD_SERVICE_${PN} = "samhain.service"
|
||||
|
||||
inherit ptest
|
||||
|
||||
do_compile() {
|
||||
if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'yes', 'no', d)}" = "yes" ]; then
|
||||
oe_runmake cutest
|
||||
rm -f ${S}*.o config_xor.h internal.h
|
||||
fi
|
||||
oe_runmake "$@"
|
||||
}
|
||||
|
||||
do_install_append() {
|
||||
ln -sf ${INITSCRIPT_NAME} ${D}${sysconfdir}/init.d/samhain
|
||||
}
|
||||
|
||||
do_install_ptest() {
|
||||
mkdir -p ${D}${PTEST_PATH}
|
||||
install ${S}/cutest ${D}${PTEST_PATH}
|
||||
}
|
||||
|
||||
RPROVIDES_${PN} += "samhain"
|
||||
RCONFLICTS_${PN} = "samhain-client samhain-server"
|
||||
@@ -0,0 +1,163 @@
|
||||
DESCRIPTION = "Provides file integrity checking and log file monitoring/analysis"
|
||||
HOMEPAGE = "http://www.la-samhna.de/samhain/"
|
||||
LICENSE = "GPLv2"
|
||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b"
|
||||
|
||||
|
||||
SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
|
||||
file://samhain-cross-compile.patch \
|
||||
file://samhain-mips64-aarch64-dnmalloc-hash-fix.patch \
|
||||
file://samhain-samhainrc.patch \
|
||||
file://samhain-samhainrc-fix-files-dirs-path.patch \
|
||||
file://samhain-pid-path.patch \
|
||||
file://samhain-sha256-big-endian.patch \
|
||||
file://samhain-configure-add-option-for-ps.patch \
|
||||
file://samhain-avoid-searching-host-for-postgresql.patch \
|
||||
file://samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch \
|
||||
file://${INITSCRIPT_NAME}.init \
|
||||
file://${INITSCRIPT_NAME}.default \
|
||||
file://samhain.service \
|
||||
"
|
||||
|
||||
SRC_URI[md5sum] = "eae4674164d7c78f5bb39c72b7029c8b"
|
||||
SRC_URI[sha256sum] = "0582864ef56ab796031e8e611ed66c48adeb3a30ec34e1a8d0088572442035fc"
|
||||
|
||||
UPSTREAM_CHECK_URI = "https://www.la-samhna.de/samhain/archive.html"
|
||||
UPSTREAM_CHECK_REGEX = "samhain_signed-(?P<pver>(\d+(\.\d+)+))\.tar"
|
||||
|
||||
S = "${WORKDIR}/samhain-${PV}"
|
||||
|
||||
inherit autotools-brokensep update-rc.d pkgconfig systemd
|
||||
|
||||
SAMHAIN_PORT ??= "49777"
|
||||
SAMHAIN_SERVER ??= "NULL"
|
||||
|
||||
INITSCRIPT_NAME = "${BPN}"
|
||||
INITSCRIPT_PARAMS ?= "defaults"
|
||||
|
||||
SYSTEMD_PACKAGES = "${PN}"
|
||||
SYSTEMD_SERVICE_${PN} = "${INITSCRIPT_NAME}.service"
|
||||
SYSTEMD_AUTO_ENABLE = "disable"
|
||||
|
||||
# mode mapping:
|
||||
# BPN MODE_NAME SAMHAIN_MODE
|
||||
# samhain-standalone standalone no
|
||||
# samhain-client client client
|
||||
# samhain-server server server
|
||||
MODE_NAME = "${@d.getVar('BPN').split('-')[1]}"
|
||||
SAMHAIN_MODE = "${@oe.utils.ifelse(d.getVar('MODE_NAME') == 'standalone', 'no', '${MODE_NAME}')}"
|
||||
|
||||
# supports mysql|postgresql|oracle|odbc but postgresql is the only one available
|
||||
|
||||
PACKAGECONFIG ??= "postgresql ps \
|
||||
${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)} \
|
||||
${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \
|
||||
${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)} \
|
||||
"
|
||||
|
||||
PACKAGECONFIG[postgresql] = "--with-database=postgresql --enable-xml-log PGSQL_INC_DIR=${STAGING_INCDIR} PGSQL_LIB_DIR=${STAGING_LIBDIR}, , postgresql"
|
||||
PACKAGECONFIG[suidcheck] = "--enable-suidcheck, , "
|
||||
PACKAGECONFIG[logwatch] = "--enable-login-watch, , "
|
||||
PACKAGECONFIG[mounts] = "--enable-mounts-check, , "
|
||||
PACKAGECONFIG[userfiles] = "--enable-userfiles, , "
|
||||
PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
|
||||
PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux attr"
|
||||
PACKAGECONFIG[acl] = " --enable-posix-acl , --disable-posix-acl, acl"
|
||||
PACKAGECONFIG[audit] = "ac_cv_header_auparse_h=yes,ac_cv_header_auparse_h=no,audit"
|
||||
PACKAGECONFIG[ps] = "--with-ps-path=${base_bindir}/ps,,,procps"
|
||||
|
||||
do_unpack_samhain() {
|
||||
cd ${WORKDIR}
|
||||
tar -xzvf samhain-${PV}.tar.gz
|
||||
}
|
||||
|
||||
python do_unpack_append() {
|
||||
bb.build.exec_func('do_unpack_samhain', d)
|
||||
}
|
||||
|
||||
do_configure_prepend_arm() {
|
||||
export sh_cv___va_copy=yes
|
||||
}
|
||||
|
||||
do_configure_prepend_aarch64() {
|
||||
export sh_cv___va_copy=yes
|
||||
}
|
||||
|
||||
# If we use oe_runconf in do_configure() it will by default
|
||||
# use the prefix --oldincludedir=/usr/include which is not
|
||||
# recognized by Samhain's configure script and would invariably
|
||||
# throw back the error "unrecognized option: --oldincludedir=/usr/include"
|
||||
do_configure_prepend () {
|
||||
cat << EOF > ${S}/config-site.${BP}
|
||||
ssp_cv_lib=no
|
||||
sh_cv_va_copy=yes
|
||||
EOF
|
||||
export CONFIG_SITE=${S}/config-site.${BP}
|
||||
}
|
||||
|
||||
do_configure () {
|
||||
autoconf -f
|
||||
./configure \
|
||||
--build=${BUILD_SYS} \
|
||||
--host=${HOST_SYS} \
|
||||
--target=${TARGET_SYS} \
|
||||
--prefix=${prefix} \
|
||||
--exec_prefix=${exec_prefix} \
|
||||
--bindir=${bindir} \
|
||||
--sbindir=${sbindir} \
|
||||
--libexecdir=${libexecdir} \
|
||||
--datadir=${datadir} \
|
||||
--sysconfdir=${sysconfdir} \
|
||||
--sharedstatedir=${sharedstatedir} \
|
||||
--localstatedir=${localstatedir} \
|
||||
--libdir=${libdir} \
|
||||
--includedir=${includedir} \
|
||||
--infodir=${infodir} \
|
||||
--mandir=${mandir} \
|
||||
--enable-network=${SAMHAIN_MODE} \
|
||||
--with-pid-file=${localstatedir}/run/samhain.pid \
|
||||
--with-data-file=${localstatedir}/lib/samhain/samhain_file \
|
||||
--disable-dnmalloc \
|
||||
${EXTRA_OECONF}
|
||||
}
|
||||
|
||||
do_compile_prepend_libc-musl () {
|
||||
sed -i 's/^#define HAVE_MALLOC_H.*//' ${B}/config.h
|
||||
}
|
||||
|
||||
# Install the init script, it's default file, and the extraneous
|
||||
# documentation.
|
||||
do_install_append () {
|
||||
oe_runmake install DESTDIR='${D}' INSTALL=install-boot
|
||||
|
||||
install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.init \
|
||||
${D}${sysconfdir}/init.d/${INITSCRIPT_NAME}
|
||||
|
||||
install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.default \
|
||||
${D}${sysconfdir}/default/${INITSCRIPT_NAME}
|
||||
|
||||
if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
|
||||
if [ "${SAMHAIN_MODE}" = "no" ]; then
|
||||
install -D -m 0644 ${WORKDIR}/samhain.service ${D}/${systemd_system_unitdir}/samhain.service
|
||||
else
|
||||
install -D -m 0644 ${WORKDIR}/samhain.service ${D}/${systemd_system_unitdir}/${BPN}.service
|
||||
fi
|
||||
install -D -m 0755 ${WORKDIR}/${BPN}.init ${D}/${libexecdir}/${BPN}
|
||||
sed -i -e 's,@LIBDIR@,${libexecdir},' \
|
||||
-e 's,@SAMHAIN_HELPER@,${BPN},' \
|
||||
-e 's,@MODE_NAME@,${MODE_NAME},' \
|
||||
${D}${systemd_system_unitdir}/samhain*.service
|
||||
fi
|
||||
|
||||
install -d ${D}${docdir}/${BPN}
|
||||
cp -r docs/* ${D}${docdir}/${BPN}
|
||||
cp -r scripts ${D}${docdir}/${BPN}
|
||||
install -d -m 755 ${D}${localstatedir}/samhain
|
||||
|
||||
# Prevent QA warnings about installed ${localstatedir}/run
|
||||
if [ -d ${D}${localstatedir}/run ]; then
|
||||
rmdir ${D}${localstatedir}/run
|
||||
fi
|
||||
}
|
||||
|
||||
FILES_${PN} += "${systemd_system_unitdir}"
|
||||
Binary file not shown.
@@ -0,0 +1,38 @@
|
||||
Upstream-Status: Inappropriate [configuration]
|
||||
|
||||
Signed-of_by: Armin Kuster <akuster808@gmail.com>
|
||||
|
||||
Index: suricata-2.0.5/Makefile.am
|
||||
===================================================================
|
||||
--- suricata-2.0.5.orig/Makefile.am
|
||||
+++ suricata-2.0.5/Makefile.am
|
||||
@@ -5,7 +5,7 @@ ACLOCAL_AMFLAGS = -I m4
|
||||
EXTRA_DIST = ChangeLog COPYING LICENSE suricata.yaml.in \
|
||||
classification.config threshold.config \
|
||||
reference.config
|
||||
-SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts
|
||||
+SUBDIRS = src qa rules doc contrib scripts
|
||||
|
||||
CLEANFILES = stamp-h[0-9]*
|
||||
|
||||
Index: suricata-2.0.5/Makefile.in
|
||||
===================================================================
|
||||
--- suricata-2.0.5.orig/Makefile.in
|
||||
+++ suricata-2.0.5/Makefile.in
|
||||
@@ -229,7 +229,6 @@ HAVE_PCAP_CONFIG = @HAVE_PCAP_CONFIG@
|
||||
HAVE_PKG_CONFIG = @HAVE_PKG_CONFIG@
|
||||
HAVE_PYTHON_CONFIG = @HAVE_PYTHON_CONFIG@
|
||||
HAVE_WGET = @HAVE_WGET@
|
||||
-HTP_DIR = @HTP_DIR@
|
||||
HTP_LDADD = @HTP_LDADD@
|
||||
INSTALL = @INSTALL@
|
||||
INSTALL_DATA = @INSTALL_DATA@
|
||||
@@ -369,7 +368,7 @@ EXTRA_DIST = ChangeLog COPYING LICENSE s
|
||||
classification.config threshold.config \
|
||||
reference.config
|
||||
|
||||
-SUBDIRS = $(HTP_DIR) src qa rules doc contrib scripts
|
||||
+SUBDIRS = src qa rules doc contrib scripts
|
||||
CLEANFILES = stamp-h[0-9]*
|
||||
all: config.h
|
||||
$(MAKE) $(AM_MAKEFLAGS) all-recursive
|
||||
@@ -0,0 +1,3 @@
|
||||
#!/bin/sh
|
||||
|
||||
suricata -u
|
||||
@@ -0,0 +1,20 @@
|
||||
[Unit]
|
||||
Description=Suricata IDS/IDP daemon
|
||||
After=network.target
|
||||
Requires=network.target
|
||||
Documentation=man:suricata(8) man:suricatasc(8)
|
||||
Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
|
||||
RestrictAddressFamilies=
|
||||
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml eth0
|
||||
ExecReload=/bin/kill -HUP $MAINPID
|
||||
PrivateTmp=yes
|
||||
ProtectHome=yes
|
||||
ProtectSystem=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,2 @@
|
||||
# <type> <owner> <group> <mode> <path> <linksource>
|
||||
d root root 0755 /var/log/suricata none
|
||||
@@ -0,0 +1,15 @@
|
||||
SUMMARY = "LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces."
|
||||
|
||||
require suricata.inc
|
||||
|
||||
LIC_FILES_CHKSUM = "file://../LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
|
||||
|
||||
DEPENDS = "zlib"
|
||||
|
||||
inherit autotools pkgconfig
|
||||
|
||||
CFLAGS += "-D_DEFAULT_SOURCE"
|
||||
|
||||
S = "${WORKDIR}/suricata-${VER}/${BPN}"
|
||||
|
||||
RDEPENDS_${PN} += "zlib"
|
||||
@@ -0,0 +1,9 @@
|
||||
HOMEPAGE = "http://suricata-ids.org/"
|
||||
SECTION = "security Monitor/Admin"
|
||||
LICENSE = "GPLv2"
|
||||
|
||||
VER = "4.1.3"
|
||||
SRC_URI = "http://www.openinfosecfoundation.org/download/suricata-${VER}.tar.gz"
|
||||
|
||||
SRC_URI[md5sum] = "35c4a8e6be3910831649a073950195df"
|
||||
SRC_URI[sha256sum] = "6cda6c80b753ce36483c6be535358b971f3890b9aa27a58c2d2f7e89dd6c6aa0"
|
||||
@@ -0,0 +1,97 @@
|
||||
SUMMARY = "The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine"
|
||||
|
||||
require suricata.inc
|
||||
|
||||
LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
|
||||
|
||||
SRC_URI += "file://emerging.rules.tar.gz;name=rules"
|
||||
|
||||
SRC_URI += " \
|
||||
file://volatiles.03_suricata \
|
||||
file://suricata.yaml \
|
||||
file://suricata.service \
|
||||
file://run-ptest \
|
||||
"
|
||||
|
||||
SRC_URI[rules.md5sum] = "205c5e5b54e489207ed892c03ad75b33"
|
||||
SRC_URI[rules.sha256sum] = "4aa81011b246875a57181c6a0569ca887845e366904bcaf0043220f33bd69798"
|
||||
|
||||
inherit autotools-brokensep pkgconfig python3-dir systemd ptest
|
||||
|
||||
CFLAGS += "-D_DEFAULT_SOURCE"
|
||||
|
||||
CACHED_CONFIGUREVARS = "ac_cv_header_htp_htp_h=yes ac_cv_lib_htp_htp_conn_create=yes \
|
||||
ac_cv_path_HAVE_WGET=no ac_cv_path_HAVE_CURL=no "
|
||||
|
||||
EXTRA_OECONF += " --disable-debug \
|
||||
--enable-non-bundled-htp \
|
||||
--disable-gccmarch-native \
|
||||
--disable-suricata-update \
|
||||
"
|
||||
|
||||
PACKAGECONFIG ??= "htp jansson file pcre yaml pcap cap-ng net nfnetlink nss nspr"
|
||||
PACKAGECONFIG_append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
|
||||
|
||||
PACKAGECONFIG[htp] = "--with-libhtp-includes=${STAGING_INCDIR} --with-libhtp-libraries=${STAGING_LIBDIR}, ,libhtp,"
|
||||
PACKAGECONFIG[pcre] = "--with-libpcre-includes=${STAGING_INCDIR} --with-libpcre-libraries=${STAGING_LIBDIR}, ,libpcre ,"
|
||||
PACKAGECONFIG[yaml] = "--with-libyaml-includes=${STAGING_INCDIR} --with-libyaml-libraries=${STAGING_LIBDIR}, ,libyaml ,"
|
||||
PACKAGECONFIG[pcap] = "--with-libpcap-includes=${STAGING_INCDIR} --with-libpcap-libraries=${STAGING_LIBDIR}, ,libpcap ,"
|
||||
PACKAGECONFIG[cap-ng] = "--with-libcap_ng-includes=${STAGING_INCDIR} --with-libcap_ng-libraries=${STAGING_LIBDIR}, ,libcap-ng , "
|
||||
PACKAGECONFIG[net] = "--with-libnet-includes=${STAGING_INCDIR} --with-libnet-libraries=${STAGING_LIBDIR}, , libnet,"
|
||||
PACKAGECONFIG[nfnetlink] = "--with-libnfnetlink-includes=${STAGING_INCDIR} --with-libnfnetlink-libraries=${STAGING_LIBDIR}, ,libnfnetlink ,"
|
||||
PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
|
||||
|
||||
PACKAGECONFIG[jansson] = "--with-libjansson-includes=${STAGING_INCDIR} --with-libjansson-libraries=${STAGING_LIBDIR},,jansson, jansson"
|
||||
PACKAGECONFIG[file] = ",,file, file"
|
||||
PACKAGECONFIG[nss] = "--with-libnss-includes=${STAGING_INCDIR} --with-libnss-libraries=${STAGING_LIBDIR}, nss, nss,"
|
||||
PACKAGECONFIG[nspr] = "--with-libnspr-includes=${STAGING_INCDIR} --with-libnspr-libraries=${STAGING_LIBDIR}, nspr, nspr,"
|
||||
PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3"
|
||||
PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
|
||||
|
||||
export logdir = "${localstatedir}/log"
|
||||
|
||||
do_install_append () {
|
||||
|
||||
install -d ${D}${sysconfdir}/suricata
|
||||
|
||||
oe_runmake install-conf DESTDIR=${D}
|
||||
|
||||
# mimic move of downloaded rules to e_sysconfrulesdir
|
||||
cp -rf ${WORKDIR}/rules ${D}${sysconfdir}/suricata
|
||||
|
||||
oe_runmake install-rules DESTDIR=${D}
|
||||
|
||||
install -d ${D}${sysconfdir}/suricata ${D}${sysconfdir}/default/volatiles
|
||||
install -m 0644 ${WORKDIR}/volatiles.03_suricata ${D}${sysconfdir}/default/volatiles/volatiles.03_suricata
|
||||
|
||||
install -m 0644 ${S}/threshold.config ${D}${sysconfdir}/suricata
|
||||
|
||||
install -d ${D}${systemd_unitdir}/system
|
||||
sed -e s:/etc:${sysconfdir}:g \
|
||||
-e s:/var/run:/run:g \
|
||||
-e s:/var:${localstatedir}:g \
|
||||
-e s:/usr/bin:${bindir}:g \
|
||||
-e s:/bin/kill:${base_bindir}/kill:g \
|
||||
-e s:/usr/lib:${libdir}:g \
|
||||
${WORKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
|
||||
|
||||
# Remove /var/run as it is created on startup
|
||||
rm -rf ${D}${localstatedir}/run
|
||||
|
||||
}
|
||||
|
||||
pkg_postinst_ontarget_${PN} () {
|
||||
if [ -e /etc/init.d/populate-volatile.sh ] ; then
|
||||
${sysconfdir}/init.d/populate-volatile.sh update
|
||||
fi
|
||||
}
|
||||
|
||||
SYSTEMD_PACKAGES = "${PN}"
|
||||
|
||||
PACKAGES =+ "${PN}-socketcontrol"
|
||||
FILES_${PN} += "${systemd_unitdir}"
|
||||
FILES_${PN}-socketcontrol = "${bindir}/suricatasc ${PYTHON_SITEPACKAGES_DIR}"
|
||||
|
||||
CONFFILES_${PN} = "${sysconfdir}/suricata/suricata.yaml"
|
||||
|
||||
RDEPENDS_${PN}-python = "python"
|
||||
@@ -0,0 +1,18 @@
|
||||
tripwire: Add armeb support
|
||||
|
||||
Upstream-Status: Submitted to tripwire-dev
|
||||
|
||||
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||
|
||||
diff -Naurp tripwire-2.4.2.2-src_org/config.sub tripwire-2.4.2.2-src/config.sub
|
||||
--- tripwire-2.4.2.2-src_org/config.sub 2015-07-20 15:03:04.161452573 +0530
|
||||
+++ tripwire-2.4.2.2-src/config.sub 2015-07-20 15:06:07.077673139 +0530
|
||||
@@ -268,7 +268,7 @@ case $basic_machine in
|
||||
# FIXME: clean up the formatting here.
|
||||
vax-* | tahoe-* | i*86-* | i860-* | ia64-* | m32r-* | m68k-* | m68000-* \
|
||||
| m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | c[123]* | aarch64-* | aarch64be-* \
|
||||
- | arm-* | armbe-* | armle-* | armv*-* | strongarm-* | xscale-* \
|
||||
+ | arm-* | armeb-* | armbe-* | armle-* | armv*-* | strongarm-* | xscale-* \
|
||||
| mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \
|
||||
| power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \
|
||||
| xmp-* | ymp-* \
|
||||
@@ -0,0 +1,3 @@
|
||||
#!/bin/sh
|
||||
|
||||
./twtest.pl
|
||||
@@ -0,0 +1,8 @@
|
||||
#!/bin/sh
|
||||
HOST_NAME=`uname -n`
|
||||
if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
|
||||
echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****"
|
||||
echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"
|
||||
else
|
||||
test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check
|
||||
fi
|
||||
@@ -0,0 +1,9 @@
|
||||
#!/bin/sh
|
||||
HOST_NAME=`uname -n`
|
||||
if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
|
||||
echo "**** WARNING: Tripwire database for ${HOST_NAME} not found. ****"
|
||||
echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"
|
||||
# Note: /etc/tripwire/twinstall.sh creates and initializes tripwire
|
||||
# database (i.e tripwire --init).
|
||||
# Example: . /etc/tripwire/twinstall.sh 2> /dev/null
|
||||
fi
|
||||
@@ -0,0 +1,69 @@
|
||||
Post-Installation Instructions
|
||||
1. Run the configuration script: /etc/tripwire/twinstall.sh to sign these files. This script walks you through the processes of setting passphrases and signing the Tripwire policy and configuration files.
|
||||
Note: Once encoded and signed, the configuration file should not be renamed or moved.
|
||||
2. Initialize the Tripwire database file. (/usr/sbin/tripwire--init)
|
||||
3. Run the first integrity check. (/usr/sbin/tripwire--check)
|
||||
4. Edit the configuration file (twcfg.txt) with a text editor, if desired.
|
||||
5. Edit the policy file (twpol.txt) with a text editor, if desired.
|
||||
|
||||
Note: If you plan to modify the policy file, we recommend you do so before running the configuration script. If you modify the policy file after running the configuration script, you must re-run the configuration file before initializing the database file.
|
||||
|
||||
Modifying the Policy File
|
||||
You can specify how Tripwire software checks your system in the Tripwire policy file (twpol.txt). A default policy file is included in the Tripwire software installation. We recommend you tailor this policy file to fit your particular system. Tailoring the policy file greatly increases Tripwire software's ability to ensure the integrity of your system.
|
||||
|
||||
Locate the default policy file at /etc/tripwire/twpol.txt. An example policy file (located at /usr/doc/tripwire-VER#-REL#/policyguide.txt) is included to help you learn the policy language. Read the sample policy file and the comments in the sample policy file to learn the policy language.
|
||||
|
||||
After you modify the policy file, follow the Post-Installation Instructions (run the configuration script). This script signs the modified policy file and renames it to tw.pol. This is the active policy file that runs as part of the Tripwire software.
|
||||
|
||||
Selecting Passphrases
|
||||
Tripwire files are signed or encrypted using site or local keys. These keys are protected by passphrases. When selecting passphrases, the following recommendations apply:
|
||||
Use at least eight alphanumeric and symbolic characters for each passphrase. The maximum length of a passphrase is 1023 characters. Quotes should not be used as passphrase characters.
|
||||
|
||||
Assign a unique passphrase for the site key. The site key passphrase protects the site key, which is used to sign Tripwire software configuration and policy files. Assign a unique passphrase for the local key. The local key signs Tripwire database files. The local key may sign the Tripwire report files also.
|
||||
|
||||
Store the passphrases in a secure location. There is no way to remove encryption from a signed file if you forget your passphrase. If you forget the passphrases, the files are unusable. In that case you must reinitialize the baseline database.
|
||||
|
||||
Initializing the Database
|
||||
In Database Initialization mode, Tripwire software builds a database of filesystem objects based on the rules in the policy file. This database serves as the baseline for integrity checks. The syntax for Database Initialization mode is:
|
||||
tripwire --init
|
||||
|
||||
Running an Integrity Check
|
||||
The Integrity Check mode compares the current file system objects with their properties recorded in the Tripwire database. Violations are printed to stdout. The report file is saved and can later be accessed by twprint. An email option enables you to send email. The syntax for Integrity Check mode is:
|
||||
tripwire --check
|
||||
|
||||
Printing Reports - twprint Print Report Mode
|
||||
The twprint --print-report mode prints the contents of a Tripwire report. If you do not specify a report with the --twrfile or -r command-line argument, the default report file specified by the configuration file REPORTFILE variable is used.
|
||||
Example: On a machine named LIGHTHOUSE, the command would be:
|
||||
./twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr
|
||||
|
||||
Updating the Database after an Integrity Check
|
||||
Database Update mode enables you to update the Tripwire database after an integrity check if you determine that the violations discovered are valid. This update process saves time by enabling you to update the database without having to re-initialize it. It also enables selective updating, which cannot be done through re-initialization. The syntax for Database Update mode is:
|
||||
tripwire --update
|
||||
|
||||
Updating the Policy File
|
||||
Change the way that Tripwire software scans the system by changing the rules in the policy file. You can then update the database without a complete re-initialization. This saves a significant amount of time and preserves security by keeping the policy file synchronized with the database it uses. The syntax for Policy Update mode is:
|
||||
tripwire --update-policy
|
||||
|
||||
Testing email functions
|
||||
Test mode tests the software's email notification system, using the settings currently specified in the configuration file. The syntax for Email Test Reporting mode is:
|
||||
tripwire --test
|
||||
|
||||
Tripwire Components
|
||||
The policy file begins as a text file containing comments, rules, directives, and variables. These dictate the way Tripwire software checks your system. Each rule in the policy file specifies a system object to be monitored. Rules also describe which changes to the object to report, and which to ignore.
|
||||
|
||||
System objects are the files and directories you wish to monitor. Each object is identified by an object name. A property refers to a single characteristic of an object that Tripwire software can monitor. Directives control conditional processing of sets of rules in a policy file. During installation, the text policy file is encrypted and renamed, and becomes the active policy file.
|
||||
|
||||
The database file is an important component of Tripwire software. When first installed, Tripwire software uses the policy file rules to create the database file. The database file is a baseline "snapshot" of the system in a known secure state. Tripwire software compares this baseline against the current system to determine what changes have occurred. This is an integrity check.
|
||||
|
||||
When you perform an integrity check, Tripwire software produces report files. Report files summarize any changes that violated the policy file rules during the integrity check. You can view the report file in a variety of formats, at varying levels of detail.
|
||||
|
||||
The Tripwire configuration file stores system-specific information, such as the location of Tripwire data files. Tripwire software generates some of the configuration file information during installation. The system administrator can change parameters in the configuration file at any time. The configuration file variables POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, and LOCALKEYFILE specify where the policy file, database file, report files, and site and local key files reside. These variables must be defined or the configuration file is invalid. If any of these variables are undefined, an error occurs on execution of Tripwire software and the program exits.
|
||||
|
||||
Tripwire Help
|
||||
All Tripwire commands support the help arguments. Example: To get help with Create Configuration File mode, type: ./twadmin --help --create-cfgfile
|
||||
|
||||
-? Display usage and version information
|
||||
--help Display all command modes
|
||||
--help all Display help for all command modes
|
||||
--help [mode] Display help for current command mode
|
||||
--version Display version information
|
||||
@@ -0,0 +1,15 @@
|
||||
ROOT =/usr/sbin
|
||||
POLFILE =/etc/tripwire/tw.pol
|
||||
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
|
||||
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
|
||||
SITEKEYFILE =/etc/tripwire/site.key
|
||||
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
|
||||
EDITOR =/usr/bin/nano
|
||||
LATEPROMPTING =false
|
||||
LOOSEDIRECTORYCHECKING =false
|
||||
MAILNOVIOLATIONS =true
|
||||
EMAILREPORTLEVEL =3
|
||||
REPORTLEVEL =3
|
||||
MAILMETHOD =SENDMAIL
|
||||
SYSLOGREPORTING =false
|
||||
MAILPROGRAM =/usr/lib/sendmail -t
|
||||
@@ -0,0 +1,320 @@
|
||||
#!/bin/sh
|
||||
|
||||
########################################################################
|
||||
########################################################################
|
||||
##
|
||||
## Tripwire(R) 2.3 for LINUX(R) Post-RPM installation script
|
||||
##
|
||||
## Copyleft information contained in footer
|
||||
##
|
||||
########################################################################
|
||||
########################################################################
|
||||
|
||||
##=======================================================
|
||||
## Setup
|
||||
##=======================================================
|
||||
|
||||
# We can assume all the correct tools are in place because the
|
||||
# RPM installed, didn't it?
|
||||
|
||||
##-------------------------------------------------------
|
||||
## Set HOST_NAME variable
|
||||
##-------------------------------------------------------
|
||||
HOST_NAME='localhost'
|
||||
if uname -n > /dev/null 2> /dev/null ; then
|
||||
HOST_NAME=`uname -n`
|
||||
fi
|
||||
|
||||
##-------------------------------------------------------
|
||||
## Program variables - edited by RPM during initial install
|
||||
##-------------------------------------------------------
|
||||
|
||||
# Site Passphrase variable
|
||||
TW_SITE_PASS="tripwire"
|
||||
|
||||
# Complete path to site key
|
||||
SITE_KEY="/etc/tripwire/site.key"
|
||||
|
||||
# Local Passphrase variable
|
||||
TW_LOCAL_PASS="tripwire"
|
||||
|
||||
# Complete path to local key
|
||||
LOCAL_KEY="/etc/tripwire/${HOST_NAME}-local.key"
|
||||
|
||||
# If clobber==true, overwrite files; if false, do not overwrite files.
|
||||
CLOBBER="false"
|
||||
|
||||
# If prompt==true, ask for confirmation before continuing with install.
|
||||
PROMPT="true"
|
||||
|
||||
# Name of twadmin executeable
|
||||
TWADMIN="twadmin"
|
||||
|
||||
# Path to twadmin executeable
|
||||
TWADMPATH=/usr/sbin
|
||||
|
||||
# Path to configuration directory
|
||||
CONF_PATH="/etc/tripwire"
|
||||
|
||||
# Name of clear text policy file
|
||||
TXT_POL=$CONF_PATH/twpol.txt
|
||||
|
||||
# Name of clear text configuration file
|
||||
TXT_CFG=$CONF_PATH/twcfg.txt
|
||||
|
||||
# Name of encrypted configuration file
|
||||
CONFIG_FILE=$CONF_PATH/tw.cfg
|
||||
|
||||
# Path of the final Tripwire policy file (signed)
|
||||
SIGNED_POL=`grep POLFILE $TXT_CFG | sed -e 's/^.*=\(.*\)/\1/'`
|
||||
|
||||
|
||||
##=======================================================
|
||||
## Create Key Files
|
||||
##=======================================================
|
||||
|
||||
##-------------------------------------------------------
|
||||
## If user has to enter a passphrase, give some
|
||||
## advice about what is appropriate.
|
||||
##-------------------------------------------------------
|
||||
|
||||
if [ -z "$TW_SITE_PASS" ] || [ -z "$TW_LOCAL_PASS" ]; then
|
||||
cat << END_OF_TEXT
|
||||
|
||||
----------------------------------------------
|
||||
The Tripwire site and local passphrases are used to
|
||||
sign a variety of files, such as the configuration,
|
||||
policy, and database files.
|
||||
|
||||
Passphrases should be at least 8 characters in length
|
||||
and contain both letters and numbers.
|
||||
|
||||
See the Tripwire manual for more information.
|
||||
END_OF_TEXT
|
||||
fi
|
||||
|
||||
##=======================================================
|
||||
## Generate keys.
|
||||
##=======================================================
|
||||
|
||||
echo
|
||||
echo "----------------------------------------------"
|
||||
echo "Creating key files..."
|
||||
|
||||
##-------------------------------------------------------
|
||||
## Site key file.
|
||||
##-------------------------------------------------------
|
||||
|
||||
# If clobber is true, and prompting is off (unattended operation)
|
||||
# and the key file already exists, remove it. Otherwise twadmin
|
||||
# will prompt with an "are you sure?" message.
|
||||
|
||||
if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$SITE_KEY" ] ; then
|
||||
rm -f "$SITE_KEY"
|
||||
fi
|
||||
|
||||
if [ -f "$SITE_KEY" ] && [ "$CLOBBER" = "false" ] ; then
|
||||
echo "The site key file \"$SITE_KEY\""
|
||||
echo 'exists and will not be overwritten.'
|
||||
else
|
||||
cmdargs="--generate-keys --site-keyfile \"$SITE_KEY\""
|
||||
if [ -n "$TW_SITE_PASS" ] ; then
|
||||
cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
|
||||
fi
|
||||
eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "Error: site key generation failed"
|
||||
exit 1
|
||||
else chmod 640 "$SITE_KEY"
|
||||
fi
|
||||
fi
|
||||
|
||||
##-------------------------------------------------------
|
||||
## Local key file.
|
||||
##-------------------------------------------------------
|
||||
|
||||
# If clobber is true, and prompting is off (unattended operation)
|
||||
# and the key file already exists, remove it. Otherwise twadmin
|
||||
# will prompt with an "are you sure?" message.
|
||||
|
||||
if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$LOCAL_KEY" ] ; then
|
||||
rm -f "$LOCAL_KEY"
|
||||
fi
|
||||
|
||||
if [ -f "$LOCAL_KEY" ] && [ "$CLOBBER" = "false" ] ; then
|
||||
echo "The site key file \"$LOCAL_KEY\""
|
||||
echo 'exists and will not be overwritten.'
|
||||
else
|
||||
cmdargs="--generate-keys --local-keyfile \"$LOCAL_KEY\""
|
||||
if [ -n "$TW_LOCAL_PASS" ] ; then
|
||||
cmdargs="$cmdargs --local-passphrase \"$TW_LOCAL_PASS\""
|
||||
fi
|
||||
eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "Error: local key generation failed"
|
||||
exit 1
|
||||
else chmod 640 "$LOCAL_KEY"
|
||||
fi
|
||||
fi
|
||||
|
||||
##=======================================================
|
||||
## Sign the Configuration File
|
||||
##=======================================================
|
||||
|
||||
echo
|
||||
echo "----------------------------------------------"
|
||||
echo "Signing configuration file..."
|
||||
|
||||
##-------------------------------------------------------
|
||||
## If noclobber, then backup any existing config file.
|
||||
##-------------------------------------------------------
|
||||
|
||||
if [ "$CLOBBER" = "false" ] && [ -s "$CONFIG_FILE" ] ; then
|
||||
backup="${CONFIG_FILE}.$$.bak"
|
||||
echo "Backing up $CONFIG_FILE"
|
||||
echo " to $backup"
|
||||
`mv "$CONFIG_FILE" "$backup"`
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "Error: backup of configuration file failed."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
##-------------------------------------------------------
|
||||
## Build command line.
|
||||
##-------------------------------------------------------
|
||||
|
||||
cmdargs="--create-cfgfile"
|
||||
cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
|
||||
cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
|
||||
if [ -n "$TW_SITE_PASS" ] ; then
|
||||
cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
|
||||
fi
|
||||
|
||||
##-------------------------------------------------------
|
||||
## Sign the file.
|
||||
##-------------------------------------------------------
|
||||
|
||||
eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_CFG\""
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "Error: signing of configuration file failed."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Set the rights properly
|
||||
chmod 640 "$CONFIG_FILE"
|
||||
|
||||
##-------------------------------------------------------
|
||||
## We keep the cleartext version around.
|
||||
##-------------------------------------------------------
|
||||
|
||||
cat << END_OF_TEXT
|
||||
|
||||
A clear-text version of the Tripwire configuration file
|
||||
$TXT_CFG
|
||||
has been preserved for your inspection. It is recommended
|
||||
that you delete this file manually after you have examined it.
|
||||
|
||||
END_OF_TEXT
|
||||
|
||||
##=======================================================
|
||||
## Sign tripwire policy file.
|
||||
##=======================================================
|
||||
|
||||
echo
|
||||
echo "----------------------------------------------"
|
||||
echo "Signing policy file..."
|
||||
|
||||
##-------------------------------------------------------
|
||||
## If noclobber, then backup any existing policy file.
|
||||
##-------------------------------------------------------
|
||||
|
||||
if [ "$CLOBBER" = "false" ] && [ -s "$POLICY_FILE" ] ; then
|
||||
backup="${POLICY_FILE}.$$.bak"
|
||||
echo "Backing up $POLICY_FILE"
|
||||
echo " to $backup"
|
||||
mv "$POLICY_FILE" "$backup"
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "Error: backup of policy file failed."
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
##-------------------------------------------------------
|
||||
## Build command line.
|
||||
##-------------------------------------------------------
|
||||
|
||||
cmdargs="--create-polfile"
|
||||
cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
|
||||
cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
|
||||
if [ -n "$TW_SITE_PASS" ] ; then
|
||||
cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
|
||||
fi
|
||||
|
||||
##-------------------------------------------------------
|
||||
## Sign the file.
|
||||
##-------------------------------------------------------
|
||||
|
||||
eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_POL\""
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "Error: signing of policy file failed."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Set the proper rights on the newly signed policy file.
|
||||
chmod 0640 "$SIGNED_POL"
|
||||
|
||||
##-------------------------------------------------------
|
||||
## We keep the cleartext version around.
|
||||
##-------------------------------------------------------
|
||||
|
||||
cat << END_OF_TEXT
|
||||
|
||||
A clear-text version of the Tripwire policy file
|
||||
$TXT_POL
|
||||
has been preserved for your inspection. This implements
|
||||
a minimal policy, intended only to test essential
|
||||
Tripwire functionality. You should edit the policy file
|
||||
to describe your system, and then use twadmin to generate
|
||||
a new signed copy of the Tripwire policy.
|
||||
|
||||
END_OF_TEXT
|
||||
|
||||
# Initialize tripwire database
|
||||
/usr/sbin/tripwire --init --cfgfile $CONFIG_FILE --site-keyfile $SITE_KEY \
|
||||
--local-passphrase $TW_LOCAL_PASS 2> /dev/null
|
||||
|
||||
########################################################################
|
||||
########################################################################
|
||||
#
|
||||
# TRIPWIRE GPL NOTICES
|
||||
#
|
||||
# The developer of the original code and/or files is Tripwire, Inc.
|
||||
# Portions created by Tripwire, Inc. are copyright 2000 Tripwire, Inc.
|
||||
# Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.
|
||||
#
|
||||
# This program is free software. The contents of this file are subject to
|
||||
# the terms of the GNU General Public License as published by the Free
|
||||
# Software Foundation; either version 2 of the License, or (at your option)
|
||||
# any later version. You may redistribute it and/or modify it only in
|
||||
# compliance with the GNU General Public License.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful. However,
|
||||
# this program is distributed "AS-IS" WITHOUT ANY WARRANTY; INCLUDING THE
|
||||
# IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
||||
# Please see the GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License along
|
||||
# with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
|
||||
#
|
||||
# Nothing in the GNU General Public License or any other license to use the
|
||||
# code or files shall permit you to use Tripwire's trademarks,
|
||||
# service marks, or other intellectual property without Tripwire's
|
||||
# prior written consent.
|
||||
#
|
||||
# If you have any questions, please contact Tripwire, Inc. at either
|
||||
# info@tripwire.org or www.tripwire.org.
|
||||
#
|
||||
########################################################################
|
||||
########################################################################
|
||||
File diff suppressed because it is too large
Load Diff
@@ -0,0 +1,74 @@
|
||||
SUMMARY = "Tripwire: A system integrity assessment tool (IDS)"
|
||||
DESCRIPTION = "Open Source Tripwire® software is a security and data \
|
||||
integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems"
|
||||
HOMEPAGE="http://sourceforge.net/projects/tripwire"
|
||||
SECTION = "security Monitor/Admin"
|
||||
LICENSE = "GPLv2"
|
||||
LIC_FILES_CHKSUM = "file://COPYING;md5=1c069be8dbbe48e89b580ab4ed86c127"
|
||||
|
||||
SRCREV = "6e64a9e5b70a909ec439bc5a099e3fcf38c614b0"
|
||||
|
||||
SRC_URI = "\
|
||||
git://github.com/Tripwire/tripwire-open-source.git \
|
||||
file://tripwire.cron \
|
||||
file://tripwire.sh \
|
||||
file://tripwire.txt \
|
||||
file://twcfg.txt \
|
||||
file://twinstall.sh \
|
||||
file://twpol-yocto.txt \
|
||||
file://run-ptest \
|
||||
"
|
||||
|
||||
S = "${WORKDIR}/git"
|
||||
|
||||
inherit autotools-brokensep update-rc.d ptest
|
||||
|
||||
INITSCRIPT_NAME = "tripwire"
|
||||
INITSCRIPT_PARAMS = "start 40 S ."
|
||||
TRIPWIRE_HOST = "${HOST_SYS}"
|
||||
TRIPWIRE_TARGET = "${TARGET_SYS}"
|
||||
|
||||
CXXFLAGS += "-fno-strict-aliasing"
|
||||
EXTRA_OECONF = "--disable-openssl --enable-static --sysconfdir=/etc/tripwire"
|
||||
|
||||
do_install () {
|
||||
install -d ${D}${libdir} ${D}${datadir} ${D}${base_libdir}
|
||||
install -d ${D}${sysconfdir} ${D}${mandir} ${D}${sbindir}
|
||||
install -d ${D}${sysconfdir}/${PN}
|
||||
install -d ${D}${localstatedir}/lib/${PN} ${D}${localstatedir}/lib/${BPN}/report
|
||||
install -d ${D}${mandir}/man4 ${D}${mandir}/man5 ${D}${mandir}/man8
|
||||
install -d ${D}${docdir}/${BPN} ${D}${docdir}/${BPN}/templates
|
||||
install -d ${D}${sysconfdir}/init.d
|
||||
|
||||
install -m 0755 ${S}/bin/* ${D}${sbindir}
|
||||
install -m 0644 ${S}/lib/* ${D}${base_libdir}
|
||||
install -m 0644 ${S}/lib/* ${D}${localstatedir}/lib/${PN}
|
||||
install -m 0755 ${WORKDIR}/tripwire.cron ${D}${sysconfdir}
|
||||
install -m 0755 ${WORKDIR}/tripwire.sh ${D}${sysconfdir}/init.d/tripwire
|
||||
install -m 0755 ${WORKDIR}/twinstall.sh ${D}${sysconfdir}/${PN}
|
||||
install -m 0644 ${WORKDIR}/twpol-yocto.txt ${D}${sysconfdir}/${PN}/twpol.txt
|
||||
install -m 0644 ${WORKDIR}/twcfg.txt ${D}${sysconfdir}/${PN}
|
||||
|
||||
install -m 0644 ${S}/man/man4/* ${D}${mandir}/man4
|
||||
install -m 0644 ${S}/man/man5/* ${D}${mandir}/man5
|
||||
install -m 0644 ${S}/man/man8/* ${D}${mandir}/man8
|
||||
install -m 0644 ${S}/policy/templates/* ${D}${docdir}/${BPN}/templates
|
||||
install -m 0644 ${S}/policy/*txt ${D}${docdir}/${BPN}
|
||||
install -m 0644 ${S}/COPYING ${D}${docdir}/${BPN}
|
||||
install -m 0644 ${S}/TRADEMARK ${D}${docdir}/${BPN}
|
||||
install -m 0644 ${WORKDIR}/tripwire.txt ${D}${docdir}/${BPN}
|
||||
}
|
||||
|
||||
do_install_ptest_append () {
|
||||
install -d ${D}${PTEST_PATH}/tests
|
||||
cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH}
|
||||
sed -i -e 's@../../../../bin@${sbindir}@' ${D}${PTEST_PATH}/twtools.pm
|
||||
}
|
||||
|
||||
FILES_${PN} += "${libdir} ${docdir}/${PN}/*"
|
||||
FILES_${PN}-dbg += "${sysconfdir}/${PN}/.debug"
|
||||
FILES_${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a"
|
||||
FILES_${PN}-ptest += "${PTEST_PATH}/tests "
|
||||
|
||||
RDEPENDS_${PN} += " perl nano msmtp cronie"
|
||||
RDEPENDS_${PN}-ptest = " perl lib-perl perl-modules "
|
||||
Reference in New Issue
Block a user