mirror of
https://git.yoctoproject.org/meta-security
synced 2026-05-31 12:50:19 +00:00
buck-security: Parameterize hard-coded file locations.
buck-security hard-codes a number of file locations for the target system on
which it operates and also its own dependencies. These hard-coded dependencies
have been parameterized and a few other related changes have been made. The
changes are more fully explained below.

buck-security.bb:

* The RDEPENDS_${PN} variable has been made more orderly in anticipation of
  subsequent changes. It also includes a few other perl modules required by
  the changes to the application.
* The functionality.patch file has been removed and superseded by the
  take_root_dir.patch patch.
* The definition of S is parameterized on BPN not PN; they are different if the
  package has a native option.
* The install step replaces the use directives and an assignment in the
  buck-security script in a more general way than previously.
* The recipe now allows the package to have a native version.

take_root_dir.patch:

* buck-security
  * An additional flag, sysroot, that specifies the sysroot of the filesystem
    that the buck-security utility inspects is added. If the sysroot can not
    be located the script fails gracefully.
  * An additional flag, no-sudo, which prevents the script from exiting
    if it is not run by root is added.
  * An additional flag, disable-checks, which accepts a comma-separated list
    of checks to be disabled is added.
  * The script checks whether there has been an error in parsing the
    command-line arguments and fails with a usage message if there has.
  * The log flag now optionally takes a log file name.
  * The location of the configuration file is calculated relative to the
    location of the main script and if it can not be found the script fails
    gracefully.
  * The various file locations specified in the buck-security configuration
    file are made relative to the location of the buck-security script or the
    sysroot as appropriate.
  * If a log file has been specified the log is not also printed to stdout.
  * The command actually executed is printed in the log.
  * Some checks for mutually exclusive options are added.
  * Output level 3 is now meaningless, so it has been removed.
  * Various changes have been made to the report format.
  * Results are sorted lexicographically and, if abspath, do not include
    the sysroot.
* checks/*.pm files
  * Wherever a directory had been hard-coded it is now parameterized on the
    sysroot.
  * In some cases, a test that had previously been run as a bash test was
    converted to a perl test to allow better handling of results and errors.
  * The output parameter is no longer accepted by the check procedure since
    this value is global.
  * All check procedures now accept an output_type parameter.
  * The dangling URLs are removed from the help text.
* checks/lib/check.pm
  * The CheckBash and CheckPerl functions have been adapted so that the
    filepaths are not hard-coded and so that the actual command is made
    available to the logging component.
  * A parameter indicating the outcome type is accepted and passed to the
    exception checker.
  * Error output is clearly distinguished from regular output.
  * A failure in a test is clearly distinguished from an insecure result.
  * The output is no longer formatted in the check functions.
* checks/lib/mkchecksum.pm
  * The command is no longer run on non-existent directories.
* checks/lib/exceptions.pm
  * The exception file path is located relative to the buck-security script.
  * If the exceptions are pathnames, the sysroot is prepended.
  * Correct wildcard semantics is observed.
* checks/lib/users.pm
  * The passwd files are located relative to the sysroot.
  * Reading from the password file is made more principled.
  * The test experiences an error if files can not be found rather than
    the script terminating.
  * Some dead code is eliminated.
* conf/buck-security.conf
  * The checksum_dir variable is a list instead of a string for easier
    manipulation.
  * The new configuration variable sysdir is added and the default is /.
  * The ssh_config variable is added.
  * All tests are included in the checks variable.
* checks/sshd.pm
  * The ssh config file is set in the buck-security configuration file
    instead of hard-coded here.
* checks/nopasswd.pm
  * This is a duplicate of emptypasswd, so it is removed.
* The RDEPENDS_${PN}_class-native variable is added as some tasks make no
  sense when run externally. Since they will not be run, there is no point
@@ -4,15 +4,42 @@ system. This enables you to quickly overview the security status of your Linux s
SECTION = "security"
LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
RDEPENDS_${PN} = "perl perl-module-term-ansicolor perl-module-posix perl-module-getopt-long perl-module-time-localtime perl-module-data-dumper perl-module-lib net-tools coreutils gnupg pinentry"
RDEPENDS_${PN} = "coreutils \
gnupg \
net-tools \
perl \
perl-module-data-dumper \
perl-module-file-basename \
perl-module-file-spec \
perl-module-getopt-long \
perl-module-lib \
perl-module-posix \
perl-module-term-ansicolor \
perl-module-time-localtime \
pinentry \
"

SRC_URI = "http://sourceforge.net/projects/buck-security/files/buck-security/buck-security_0.6/${PN}_${PV}.tar.gz \
file://functionality.patch"
RDEPENDS_${PN}_class-native = "coreutils \
net-tools \
perl \
perl-module-data-dumper \
perl-module-file-basename \
perl-module-file-spec \
perl-module-getopt-long \
perl-module-lib \
perl-module-posix \
perl-module-term-ansicolor \
perl-module-time-localtime \
"

SRC_URI = "http://sourceforge.net/projects/buck-security/files/buck-security/buck-security_0.6/${BPN}_${PV}.tar.gz \
file://take_root_dir.patch \
"

SRC_URI[md5sum] = "edbd40742853fc91ffeae5b2d9ea7bab"
SRC_URI[sha256sum] = "5d5dcc58b09c3a4bd87f60f86bb62cd2b0bfd7106a474951f8f520af0042a5b7"

S = "${WORKDIR}/${PN}_${PV}"
S = "${WORKDIR}/${BPN}_${PV}"

do_configure() {
:
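Review bot: `RDEPENDS_${PN}_class-native` drops gnupg and pinentry relative to `RDEPENDS_${PN}`, which is consistent with the `--pseudo` path in the patch below filtering out the checksum check (the only consumer of gpg), but the commit message sentence meant to justify the omission ("Since they will not be run, there is no point") is cut off mid-sentence; complete it so the smaller native dependency set is documented. Separately, `SRC_URI` still fetches the tarball over plain http. The `SRC_URI[sha256sum]` pin means a tampered download fails do_fetch rather than building, but an https:// sourceforge URL costs nothing and stops relying on the checksum alone. The `${PN}` to `${BPN}` change in `SRC_URI` and `S` is required for the native variant, since PN becomes buck-security-native there and the tarball and its top-level directory are named after the base package.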
@@ -26,11 +53,13 @@ do_install() {
install -d ${D}${bindir}/buck
cp -r ${S}/* ${D}${bindir}/buck
cp -r ${S}/buck-security ${D}${bindir}
sed -i 's:use lib "checks":use lib "${bindir}/buck/checks":g' ${D}${bindir}/buck-security
sed -i 's:use lib "checks/lib":use lib "${bindir}/buck/checks/lib":g' ${D}${bindir}/buck-security
sed -i 's:use lib "lib":use lib "${bindir}/buck/lib":g' ${D}${bindir}/buck-security
sed -i 's:conf/buck-security.conf:${bindir}/buck/conf/buck-security.conf:g' ${D}${bindir}/buck-security
sed -i 's!use lib "checks"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/checks")!' ${D}${bindir}/buck-security
sed -i 's!use lib "checks/lib"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/checks/lib")!' ${D}${bindir}/buck-security
sed -i 's!use lib "lib"!use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/lib")!' ${D}${bindir}/buck-security
sed -i 's!my $buck_root = "."!my $buck_root = File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck")!' ${D}${bindir}/buck-security

}

FILES_${PN} = "${bindir}/*"

BBCLASSEXTEND = "native"

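Review bot: the replacement `use lib File::Spec->catfile(dirname(File::Spec->rel2abs(__FILE__)), "buck/checks")` is evaluated at compile time, so `use File::Basename;` and `use File::Spec;` must appear in buck-security before the first `use lib` line or Perl dies (undefined `dirname`, or "Can't locate object method catfile") before any check runs. The sed lines here only inject the calls; confirm that the patched script, which this diff does not show, provides those imports ahead of the `use lib` lines (the new perl-module-file-basename and perl-module-file-spec RDEPENDS cover the runtime side only). Two smaller points: `sed -i` silently does nothing when its pattern is absent, so a `grep -q` on each pattern before substituting would turn an upstream edit into a loud build failure instead of a shipped script whose `use lib` lines still point at relative paths; and `File::Spec->rel2abs(__FILE__)` does not resolve symlinks, so a symlinked buck-security looks for `buck/` next to the link rather than next to the real file (`$FindBin::RealBin` or `Cwd::realpath` would resolve it).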
@@ -1,38 +0,0 @@
From 216aed597b3f20692a9c9d74dae79fa73e36c75b Mon Sep 17 00:00:00 2001
From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
Date: Thu, 1 Aug 2013 10:30:26 +0300
Subject: [PATCH] added functionality

* removed sshd from the checks. When needed it can be added
in the file.
* added saving location for checksums.gpg file

Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
---
conf/buck-security.conf | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/conf/buck-security.conf b/conf/buck-security.conf
index eb88982..f573aa8 100644
--- a/conf/buck-security.conf
+++ b/conf/buck-security.conf
@@ -27,7 +27,6 @@ usermask
superusers
services
firewall
-sshd
packages_problematic
checksum
);
@@ -48,7 +47,7 @@ $checksum_program = "sha256sum";
$checksum_dir = "/sbin/* /bin/* /usr/sbin/* /usr/bin/*";


-$checksum_file = "checksums.gpg";
+$checksum_file = "/usr/bin/checksums.gpg";



--
1.7.9.5

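Review bot: deleting functionality.patch reverts two behaviours and the rest of the commit only accounts for one of them. The commit message says sshd is back in the `checks` list with its config path taken from the new `$ssh_config` variable, which covers the `-sshd` line here, but nothing mentions `$checksum_file`; without this patch the default `checksums.gpg` is written and read relative to the current working directory, so confirm that take_root_dir.patch gives it a fixed location (ideally under the new relative-to-script or sysroot handling). Note also that the removed value `/usr/bin/checksums.gpg` placed the checksum database inside `/usr/bin/*`, one of the globs in `$checksum_dir`, so the database was part of the set being checksummed and regenerating it changed the result; whatever location replaces it should stay outside `$checksum_dir`.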
@@ -0,0 +1,74 @@
Index: buck-security_0.6/buck-security
===================================================================
--- buck-security_0.6.orig/buck-security 2013-09-10 20:58:49.564292001 -0400
+++ buck-security_0.6/buck-security 2013-09-11 10:07:40.440543001 -0400
@@ -28,11 +28,6 @@
# start time
my $start_time = time();

-# Runned by root?
-if ( $> != 0 ) {
- print STDERR "Only root can run this program\n";
- exit 1;
-}

# Read Options from command line (--help, --log and --output), run buck --help for more information
my $man = 0;
@@ -41,13 +36,15 @@
my $opt_log = ''; # Log? via --log
my $opt_checksum = 0;
my $opt_sysroot = '';
+my $opt_pseudo = 0;
GetOptions(
'output=i' => \$opt_output,
'log=s' => \$opt_log,
'help|?' => \$help,
man => \$man,
'make-checksums' => \$opt_checksum,
- 'sysroot=s' => \$opt_sysroot
+ 'sysroot=s' => \$opt_sysroot,
+ 'pseudo' => \$opt_pseudo
) ||
pod2usage(
-message => "\n",
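Review bot: the pre-image (`buck-security_0.6.orig/buck-security`) already contains `'sysroot=s' => \$opt_sysroot`, so this patch assumes the sysroot support described in the commit message is applied before it and only adds `--pseudo`; none of the `--no-sudo`, `--disable-checks` or `--log=<file>` changes the commit message describes appear in this hunk. If this file is take_root_dir.patch, the message and the patch disagree and one of them needs correcting; if it is a second patch, it has to be listed in `SRC_URI` after take_root_dir.patch, and the .bb hunk above lists only that one file.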
@@ -73,6 +70,12 @@

{ package Config; do $config_file }

+if ( $> != 0 && ! $opt_pseudo) {
+ print STDERR "If you are not using pseudo you must run this script as root.\n";
+ exit 1;
+}
+
+
if ($opt_sysroot) {
$Config::sysroot = $opt_sysroot;
}
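Review bot: the root check now runs after `{ package Config; do $config_file }`, so an unprivileged invocation without `--pseudo` executes the config file as Perl and only then exits; keep the check ahead of the `do` (where the first hunk removed it) so nothing is evaluated for a run that is about to be refused. Also, pseudo makes `$>` report 0 already, so `! $opt_pseudo` only changes behaviour when pseudo is not in use: a user who passes `--pseudo` outside pseudo gets a run as a plain user with no warning, and checks that need root privileges return results that look valid. Either verify that pseudo is actually active instead of trusting the flag, or name the option for what it does (skip the root check) and print a warning when the bypass takes effect.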
@@ -98,6 +101,17 @@



+if ($opt_pseudo) {
+ @Config::checks = grep
+ { $_ ne 'checksum' &&
+ $_ ne 'firewall' &&
+ $_ ne 'services' &&
+ $_ ne 'usermask' }
+ @Config::checks;
+}
+
+
+
if ($opt_checksum != 0) {
use mkchecksum;
mkchecksum->MkChecksum();
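Review bot: the `grep` silently drops checksum, firewall, services and usermask from `@Config::checks` whenever `--pseudo` is given, and nothing in the report or log records that they were skipped, so a reader of the output can conclude the firewall and running services were checked when they were not. Emit the skipped list to the log (the commit message says the executed command already goes there) and consider expressing this as an explicit `--disable-checks` list rather than a side effect of `--pseudo`; that also avoids hard-coding check names here that will drift from `conf/buck-security.conf`.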
@@ -219,6 +233,9 @@
--sysroot=<root>
specify the root directory of the filesystem to be analyzed

+ --pseudo
+ if set, run with pseudo
+


=head1 FURTHER INFORMATION
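Review bot: `if set, run with pseudo` does not tell the user that the option skips the root check and disables the checksum, firewall, services and usermask checks; list both effects in the POD entry, since this is the only user-visible documentation of the flag.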
File diff suppressed because it is too large