meta-security : initial commit

Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
Andrei Dinu
2013-06-17 17:24:38 +03:00
commit 60d90b2563
34 changed files with 9400 additions and 0 deletions

17
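--- a/COPYING.MIT
+++ b/COPYING.MIT
@@ -0,0 +1,17 @@
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.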

64
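--- a/README
+++ b/README
@@ -0,0 +1,64 @@
+This README file contains information on the contents of the
+security layer.
+Please see the corresponding sections below for details.
+Dependencies
+============
+This layer depends on:
+URI: git://git.openembedded.org/bitbake
+branch: master
+URI: git://git.openembedded.org/openembedded-core
+layers: meta
+branch: master
+URI: git://git.yoctoproject.org/xxxx
+layers: xxxx
+branch: master
+Patches
+=======
+Please submit any patches against the security layer to the
+xxxx mailing list (xxxx@zzzz.org) and cc: the maintainer:
+Maintainer: XXX YYYYYY <xxx.yyyyyy@zzzzz.com>
+Table of Contents
+=================
+I. Adding the security layer to your build
+II. Misc
+I. Adding the security layer to your build
+=================================================
+--- replace with specific instructions for the security layer ---
+In order to use this layer, you need to make the build system aware of
+it.
+Assuming the security layer exists at the top-level of your
+yocto build tree, you can add it to the build system by adding the
+location of the security layer to bblayers.conf, along with any
+other layers needed. e.g.:
+BBLAYERS ?= " \
+/path/to/yocto/meta \
+/path/to/yocto/meta-yocto \
+/path/to/yocto/meta-yocto-bsp \
+/path/to/yocto/meta-security \
+"
+II. Misc
+========
+--- replace with specific information about the security layer ---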

10
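--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -0,0 +1,10 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+${LAYERDIR}/recipes-*/*/*.bbappend"
+BBFILE_COLLECTIONS += "security"
+BBFILE_PATTERN_security = "^${LAYERDIR}/"
+BBFILE_PRIORITY_security = "6"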


@@ -0,0 +1,12 @@
#
# This is a non-functional placeholder file, here for example purposes
# only.
#
# If you had a patch for your recipe, you'd put it in this directory
# and reference it from your recipe's SRC_URI:
#
# SRC_URI += "file://example.patch"
#
# Note that you could also rename the directory containing this patch
# to remove the version number or simply rename it 'files'. Doing so
# allows you to use the same directory for multiple recipes.


@@ -0,0 +1,8 @@
#include <stdio.h>
int main(int argc, char **argv)
{
printf("Hello World!\n");
return 0;
}


@@ -0,0 +1,160 @@
DESCRIPTION = "Bastille Linux is a Hardening and Reporting/Auditing Program which enhances the security of a Linux box, by configuring daemons, system settings and firewalling."
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b"
# Bash is needed for set +o privileged (check busybox), might also need ncurses
RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd curses-perl coreutils"
PR = "r0"
inherit allarch
SRC_URI = "http://sourceforge.net/projects/bastille-linux/files/bastille-linux/3.2.1/Bastille-3.2.1.tar.bz2 \
file://AccountPermission.pm \
file://FileContent.pm \
file://HPSpecific.pm \
file://Miscellaneous.pm \
file://ServiceAdmin.pm \
file://config \
file://fix_version_parse.patch \
file://yocto-standard-patch.patch \
file://Curses-and-IOLoader-changes.patch \
"
SRC_URI[md5sum] = "df803f7e38085aa5da79f85d0539f91b"
SRC_URI[sha256sum] = "0ea25191b1dc1c8f91e1b6f8cb5436a3aa1e57418809ef902293448efed5021a"
S = "${WORKDIR}/Bastille"
#CONFFILES_${PN} += "${sysconfdir}/init.d/skeleton"
#
#do_compile () {
# ${CC} ${WORKDIR}/skeleton_test.c -o ${WORKDIR}/skeleton-test
#}
#
do_install () {
# install -d ${D}${sysconfdir}/init.d
# cat ${WORKDIR}/skeleton | \
# sed -e 's,/etc,${sysconfdir},g' \
# -e 's,/usr/sbin,${sbindir},g' \
# -e 's,/var,${localstatedir},g' \
# -e 's,/usr/bin,${bindir},g' \
# -e 's,/usr,${prefix},g' > ${D}${sysconfdir}/init.d/skeleton
# chmod a+x ${D}${sysconfdir}/init.d/skeleton
install -d ${D}${sbindir}
install -d ${D}${libdir}/perl/site_perl/Curses
ln -sf perl ${D}/${libdir}/perl5
install -d ${D}${libdir}/Bastille
install -d ${D}${libdir}/Bastille/API
install -d ${D}${datadir}/Bastille
install -d ${D}${datadir}/Bastille/OSMap
install -d ${D}${datadir}/Bastille/OSMap/Modules
install -d ${D}${datadir}/Bastille/Questions
install -d ${D}${datadir}/Bastille/FKL/configs/
install -d ${D}${localstatedir}/lock/subsys/bastille
install -d ${D}${localstatedir}/log/Bastille
install -d ${D}${sysconfdir}/Bastille
install -m 0755 AutomatedBastille ${D}${sbindir}
install -m 0755 BastilleBackEnd ${D}${sbindir}
install -m 0755 InteractiveBastille ${D}${sbindir}
# Questions.txt has been replaced by Modules.txt and Questions/
#install -m 0644 Questions.txt ${D}${datadir}/Bastille
install -m 0644 Modules.txt ${D}${datadir}/Bastille
# New Weights file(s).
install -m 0644 Weights.txt ${D}${datadir}/Bastille
# Castle graphic
install -m 0644 bastille.jpg ${D}${datadir}/Bastille/
# Javascript file
install -m 0644 wz_tooltip.js ${D}${datadir}/Bastille/
install -m 0644 Credits ${D}${datadir}/Bastille
install -m 0644 FKL/configs/fkl_config_redhat.cfg ${D}${datadir}/Bastille/FKL/configs/
install -m 0755 RevertBastille ${D}${sbindir}
install -m 0755 bin/bastille ${D}${sbindir}
install -m 0644 bastille-firewall ${D}${datadir}/Bastille
install -m 0644 bastille-firewall-reset ${D}${datadir}/Bastille
install -m 0644 bastille-firewall-schedule ${D}${datadir}/Bastille
install -m 0644 bastille-tmpdir-defense.sh ${D}${datadir}/Bastille
install -m 0644 bastille-tmpdir.csh ${D}${datadir}/Bastille
install -m 0644 bastille-tmpdir.sh ${D}${datadir}/Bastille
install -m 0644 bastille-firewall.cfg ${D}${datadir}/Bastille
install -m 0644 bastille-ipchains ${D}${datadir}/Bastille
install -m 0644 bastille-netfilter ${D}${datadir}/Bastille
install -m 0644 bastille-firewall-early.sh ${D}${datadir}/Bastille
install -m 0644 bastille-firewall-pre-audit.sh ${D}${datadir}/Bastille
install -m 0644 complete.xbm ${D}${datadir}/Bastille
install -m 0644 incomplete.xbm ${D}${datadir}/Bastille
install -m 0644 disabled.xpm ${D}${datadir}/Bastille
install -m 0644 ifup-local ${D}${datadir}/Bastille
install -m 0644 hosts.allow ${D}${datadir}/Bastille
install -m 0644 Bastille/AccountSecurity.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Apache.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/API.pm ${D}${libdir}/Bastille
install -m 0644 ${WORKDIR}/AccountPermission.pm ${D}${libdir}/Bastille/API
install -m 0644 ${WORKDIR}/FileContent.pm ${D}${libdir}/Bastille/API
install -m 0644 ${WORKDIR}/HPSpecific.pm ${D}${libdir}/Bastille/API
install -m 0644 ${WORKDIR}/ServiceAdmin.pm ${D}${libdir}/Bastille/API
install -m 0644 ${WORKDIR}/Miscellaneous.pm ${D}${libdir}/Bastille/API
install -m 0644 Bastille/BootSecurity.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/ConfigureMiscPAM.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/DisableUserTools.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/DNS.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/FilePermissions.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/FTP.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Firewall.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/OSX_API.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/LogAPI.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/HP_UX.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/IOLoader.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Patches.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Logging.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/MiscellaneousDaemons.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/PatchDownload.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Printing.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/PSAD.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/RemoteAccess.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/SecureInetd.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/Sendmail.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/TestDriver.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/TMPDIR.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_AccountSecurity.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Apache.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_DNS.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_FTP.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_HP_UX.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_MiscellaneousDaemons.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Patches.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_SecureInetd.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Sendmail.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_BootSecurity.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_DisableUserTools.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_FilePermissions.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Logging.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/test_Printing.pm ${D}${libdir}/Bastille
install -m 0644 Bastille/IPFilter.pm ${D}${libdir}/Bastille
install -m 0644 Bastille_Curses.pm ${D}${libdir}/perl5/site_perl
install -m 0644 Bastille_Tk.pm ${D}${libdir}/perl5/site_perl
install -m 0644 Curses/Widgets.pm ${D}${libdir}/perl5/site_perl/Curses
install -m 0644 OSMap/LINUX.bastille ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/LINUX.system ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/LINUX.service ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/HP-UX.bastille ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/HP-UX.system ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/HP-UX.service ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/OSX.bastille ${D}${datadir}/Bastille/OSMap
install -m 0644 OSMap/OSX.system ${D}${datadir}/Bastille/OSMap
install -m 0644 ${WORKDIR}/config ${D}${sysconfdir}/Bastille/config
for file in `cat Modules.txt` ; do
install -m 0644 Questions/$file.txt ${D}${datadir}/Bastille/Questions
done
ln -s ${D}${sbindir}/RevertBastille ${D}${sbindir}/UndoBastille
}
FILES_${PN} += "${datadir}/Bastille ${libdir}/Bastille ${libdir}/perl* ${sysconfdir}/*"
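Review bot: The last line of do_install, `ln -s ${D}${sbindir}/RevertBastille ${D}${sbindir}/UndoBastille`, bakes the build staging directory `${D}` into the symlink target, so on the installed image UndoBastille points at a path that does not exist; make the link relative, `ln -s RevertBastille ${D}${sbindir}/UndoBastille`. The commented-out skeleton remnants (the CONFFILES line, the do_compile block and the sed pipeline at the top of do_install) look like leftovers from the recipe template and could be dropped rather than shipped in the layer's first recipe. The tarball in SRC_URI is fetched over plain http, which is acceptable only because the md5sum/sha256sum lines pin the artifact; a short comment above them, `# checksums are the only integrity check on the http fetch; update together with the version`, would make that dependency explicit.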




@@ -0,0 +1,51 @@
From 456daee3ce57d3a46bf9ccf0a85ec4880ca5b262 Mon Sep 17 00:00:00 2001
From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
Date: Tue, 4 Jun 2013 14:56:21 +0300
Subject: [PATCH] Curses and IOLoader changes
The linux distribution couldn't be identified when
running Bastille, and the question pruning method
couldn't get a match on the questions relevant to
the repo, so it eliminated all quetions.
After answering the questions the checkAndSaveConfig routine
was called which was missing. Replaced it with Run_Bastille_
with_Config which exists.
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
---
Bastille/IOLoader.pm | 2 +-
Bastille_Curses.pm | 4 +++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/Bastille/IOLoader.pm b/Bastille/IOLoader.pm
index abb94d7..995d2c2 100644
--- a/Bastille/IOLoader.pm
+++ b/Bastille/IOLoader.pm
@@ -68,7 +68,7 @@ sub Load_Questions($) {
my $UseRequiresRules = $_[0];
my ($current_module_number,$first_question) = &parse_questions();
- $first_question = &prune_questions($UseRequiresRules,$first_question);
+ #$first_question = &prune_questions($UseRequiresRules,$first_question);
$firstQuestion = $first_question;
&B_log("DEBUG","Load Questions, first question: $first_question");
&validate_questions();
diff --git a/Bastille_Curses.pm b/Bastille_Curses.pm
index 2e1eef4..edbbe45 100644
--- a/Bastille_Curses.pm
+++ b/Bastille_Curses.pm
@@ -84,7 +84,9 @@ sub do_Bastille {
}
# Output answers to the script and display
- &checkAndSaveConfig(&getGlobal('BFILE', "config"));
+ #&checkAndSaveConfig(&getGlobal('BFILE', "config"));
+
+ &Run_Bastille_with_Config;
# Run Bastille
--
1.7.9.5
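Review bot: `&Run_Bastille_with_Config;` at the end of the Bastille_Curses.pm hunk calls the sub with an ampersand and no parentheses, which in Perl hands the caller's current `@_` to the callee implicitly; `Run_Bastille_with_Config();` makes the intended empty argument list explicit. Commenting out `prune_questions` in the IOLoader.pm hunk works around the distro-detection failure described in the patch header rather than fixing it, so every question, including those not relevant to the target, will now be presented; a comment at that line such as `# TODO: temporary workaround, re-enable once GetDistro identifies this distribution` would tell the next maintainer why pruning is off. The two commented-out calls are dead code and could simply be removed instead of left beside their replacements. Both `Load_Questions` and `do_Bastille` begin and end outside the shown hunks.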




@@ -0,0 +1,166 @@
package Bastille::API::Miscellaneous;
use strict;
use File::Path;
use Bastille::API;
use Bastille::API::HPSpecific;
use Bastille::API::FileContent;
require Exporter;
our @ISA = qw(Exporter);
our @EXPORT_OK = qw(
PrepareToRun
B_is_package_installed
);
our @EXPORT = @EXPORT_OK;
###########################################################################
#
# PrepareToRun sets up Bastille to run. It checks the ARGV array for
# special options and runs ConfigureForDistro to set necessary file
# locations and other global variables.
#
###########################################################################
sub PrepareToRun {
# Make sure we're root!
if ( $> != 0 ) {
&B_log("ERROR","Bastille must run as root!\n");
exit(1);
}
# Make any directories that don't exist...
foreach my $dir (keys %GLOBAL_BDIR) {
my $BdirPath = $GLOBAL_BDIR{$dir};
if ( $BdirPath =~ /^\s*\// ) { #Don't make relative directories
mkpath ($BdirPath,0,0700);
}
}
if(&GetDistro =~ "^HP-UX") {
&B_check_system;
}
&B_log("ACTION","\n########################################################\n" .
"# Begin Bastille Run #\n" .
"########################################################\n\n");
#read sum file if it exists.
&B_read_sums;
# No longer necessary as flags are no longer in sum file, and sums are
# are now checked "real time"
# check the integrity of the files listed
# for my $file (sort keys %GLOBAL_SUM) {
# &B_check_sum($file);
# }
# write out the newly flagged sums
# &B_write_sums;
}
###########################################################################
# &B_is_package_installed($package);
#
# This function checks for the existence of the package named.
#
# TODO: Allow $package to be an expression.
# TODO: Allow optional $version, $release, $epoch arguments so we can
# make sure that the given package is at least as recent as some
# given version number.
#
# scalar return values:
# 0: $package is not installed
# 1: $package is installed
###########################################################################
sub B_is_package_installed($) {
no strict;
my $package = $_[0];
# Create a "global" variable with values scoped to this function
# We do this to avoid having to repeatedly swlist/rpm
# when we run B_is_package_installed
local %INSTALLED_PACKAGE_LIST;
my $distro = &GetDistro;
if ($distro =~ /^HP-UX/) {
if (&checkProcsForService('swagent','ignore_warning') == SECURE_CANT_CHANGE()) {
&B_log("WARNING","Software Distributor Agent(swagent) is not running. Can not tell ".
"if package: $package is installed or not. Bastille will assume not. ".
"If the package is actually installed, Bastille may report or configure incorrectly.".
"To use Bastille-results as-is, please check to ensure $package is not installed, ".
"or re-run with the swagent running to get correct results.");
return 0; #FALSE
}
my $swlist=&getGlobal('BIN','swlist');
if (%INSTALLED_PACKAGE_LIST == () ) { # re-use prior results
if (open(SWLIST, "$swlist -a state -l fileset |")) {
while (my $line = <SWLIST>){
if ($line =~ /^ {2}\S+\.(\S+)\s*(\w+)/) {
$INSTALLED_PACKAGE_LIST{$1} = $2;
}
}
close SWLIST;
} else {
&B_log("ERROR","B_is_package_installed was unable to run the swlist command: $swlist,\n");
return FALSE;
}
}
# Now find the entry
if ($INSTALLED_PACKAGE_LIST{$package} == 'configured') {
return TRUE;
} else {
return FALSE;
}
} #End HP-UX Section
# This routine only works on RPM-based distros: Red Hat, Fedora, Mandrake and SuSE
elsif ( ($distro !~ /^RH/) and ($distro !~ /^MN/) and($distro !~ /^SE/) ) {
return 0;
} else { #This is a RPM-based distro
# Run an rpm command -- librpm is extremely messy, dynamic and not
# so much a perl thing. It's actually barely a C/C++ thing...
if (open RPM,"rpm -q $package") {
# We should get only one line back, but let's parse a few
# just in case.
my @lines = <RPM>;
close RPM;
#
# This is what we're trying to parse:
# $ rpm -q jay
# package jay is not installed
# $ rpm -q bash
# bash-2.05b-305.1
#
foreach $line (@lines) {
if ($line =~ /^package\s$package\sis\snot\sinstalled/) {
return 0;
}
elsif ($line =~ /^$package\-/) {
return 1;
}
}
# If we've read every line without finding one of these, then
# our parsing is broken
&B_log("ERROR","B_is_package_installed was unable to find a definitive RPM present or not present line.\n");
return 0;
} else {
&B_log("ERROR","B_is_package_installed was unable to run the RPM command,\n");
return 0;
}
}
}
1;
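Review bot: `open RPM,"rpm -q $package"` in the RPM branch of B_is_package_installed is a two-argument open with no trailing `|`, so Perl tries to open a file literally named `rpm -q <package>` instead of running the command, and on every RPM-based distro the function logs "unable to run the RPM command" and returns 0. A list-form pipe open, `open(my $rpm, '-|', 'rpm', '-q', $package)`, both fixes that and keeps `$package` away from the shell; the swlist pipe in the HP-UX branch deserves the same form, and `$package` should be written `\Q$package\E` in the two regexes that interpolate it. In the HP-UX branch `$INSTALLED_PACKAGE_LIST{$package} == 'configured'` compares two strings numerically (both evaluate to 0), so the test is true for any recorded state and should be `eq 'configured'`. `local %INSTALLED_PACKAGE_LIST` is re-initialised on every call, so the cache the comment above it describes never outlives a single invocation; a file-scoped `my %INSTALLED_PACKAGE_LIST` would give the intended reuse. The bareword returns `TRUE`/`FALSE` under `no strict` are plain strings unless Bastille::API provides constants of those names — worth confirming, since the string 'FALSE' is true to callers.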


@@ -0,0 +1,690 @@
package Bastille::API::ServiceAdmin;
use strict;
use Bastille::API;
use Bastille::API::HPSpecific;
use Bastille::API::FileContent;
require Exporter;
our @ISA = qw(Exporter);
our @EXPORT_OK = qw(
B_chkconfig_on
B_chkconfig_off
B_service_start
B_service_stop
B_service_restart
B_is_service_off
checkServiceOnLinux
remoteServiceCheck
remoteNISPlusServiceCheck
B_create_nsswitch_file
);
our @EXPORT = @EXPORT_OK;
#######
# &B_chkconfig_on and &B_chkconfig_off() are great for systems that didn't use
# a more modern init system. This is a bit of a problem on Fedora, though,
# which used upstart from Fedora 9 to Fedora 14, then switched to a new
# Red Hat-created system called systemd for Fedora 15 and 16 (so far).
# OpenSUSE also moved to systemd, starting with 12.1. Version 11.4 did not
# use systemd.
# It is also a problem on Ubuntu, starting at version 6.10, where they also
# used upstart.
#####
###########################################################################
# &B_chkconfig_on ($daemon_name) creates the symbolic links that are
# named in the "# chkconfig: ___ _ _ " portion of the init.d files. We
# need this utility, in place of the distro's chkconfig, because of both
# our need to add revert functionality and our need to harden distros that
# are not mounted on /.
#
# It uses the following global variables to find the links and the init
# scripts, respectively:
#
# &getGlobal('DIR', "rcd") -- directory where the rc_.d subdirs can be found
# &getGlobal('DIR', "initd") -- directory the rc_.d directories link to
#
# Here an example of where you might use this:
#
# You'd like to tell the system to run the firewall at boot:
# B_chkconfig_on("bastille-firewall")
#
###########################################################################
# PW: Blech. Copied B_chkconfig_off() and changed a few things,
# then changed a few more things....
sub B_chkconfig_on {
my $startup_script=$_[0];
my $retval=1;
my $chkconfig_line;
my ($runlevelinfo,@runlevels);
my ($start_order,$stop_order,$filetolink);
&B_log("ACTION","# chkconfig_on enabling $startup_script\n");
# In Debian system there is no chkconfig script, run levels are checked
# one by one (jfs)
if (&GetDistro =~/^DB.*/) {
$filetolink = &getGlobal('DIR', "initd") . "/$startup_script";
if (-x $filetolink)
{
foreach my $level ("0","1","2","3","4","5","6" ) {
my $link = '';
$link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K50" . "$startup_script";
$retval=symlink($filetolink,$link);
}
}
return $retval;
}
#
# On SUSE, chkconfig-based rc scripts have been replaced with a whole different
# system. chkconfig on SUSE is actually a shell script that does some stuff and then
# calls insserv, their replacement.
#
if (&GetDistro =~ /^SE/) {
# only try to chkconfig on if init script is found
if ( -e (&getGlobal('DIR', "initd") . "/$startup_script") ) {
$chkconfig_line=&getGlobal('BIN','chkconfig');
&B_System("$chkconfig_line $startup_script on", "$chkconfig_line $startup_script off");
# chkconfig doesn't take affect until reboot, need to restart service also
B_service_restart("$startup_script");
return 1; #success
}
return 0; #failure
}
#
# Run through the init script looking for the chkconfig line...
#
$retval = open CHKCONFIG,&getGlobal('DIR', "initd") . "/$startup_script";
unless ($retval) {
&B_log("ACTION","# Didn't chkconfig_on $startup_script because we couldn't open " . &getGlobal('DIR', "initd") . "/$startup_script\n");
}
else {
READ_LOOP:
while (my $line=<CHKCONFIG>) {
# We're looking for lines like this one:
# # chkconfig: 2345 10 90
# OR this
# # chkconfig: - 10 90
if ($line =~ /^#\s*chkconfig:\s*([-\d]+)\s*(\d+)\s*(\d+)/ ) {
$runlevelinfo = $1;
$start_order = $2;
$stop_order = $3;
# handle a run levels arg of '-'
if ( $runlevelinfo eq '-' ) {
&B_log("ACTION","chkconfig_on saw '-' for run levels for \"$startup_script\", is defaulting to levels 3,4,5\n");
$runlevelinfo = '345';
}
@runlevels = split(//,$runlevelinfo);
# make sure the orders have 2 digits
$start_order =~ s/^(\d)$/0$1/;
$stop_order =~ s/^(\d)$/0$1/;
last READ_LOOP;
}
}
close CHKCONFIG;
# Do we have what we need?
if ( (scalar(@runlevels) < 1) || (! $start_order =~ /^\d{2}$/) || (! $stop_order =~ /^\d{2}$/) ) {
# problem
&B_log("ERROR","# B_chkconfig_on $startup_script failed -- no valid run level/start/stop info found\n");
return(-1);
}
# Now, run through creating symlinks...
&B_log("ACTION","# chkconfig_on will use run levels ".join(",",@runlevels)." for \"$startup_script\" with S order $start_order and K order $stop_order\n");
$retval=0;
# BUG: we really ought to readdir() on &getGlobal('DIR', "rcd") to get all levels
foreach my $level ( "0","1","2","3","4","5","6" ) {
my $link = '';
# we make K links in run levels not specified in the chkconfig line
$link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/K$stop_order" . $startup_script;
my $klink = $link;
# now we see if this is a specified run level; if so, make an S link
foreach my $markedlevel ( @runlevels ) {
if ( $level == $markedlevel) {
$link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/S$start_order" . $startup_script;
}
}
my $target = &getGlobal('DIR', "initd") ."/" . $startup_script;
my $local_return;
if ( (-e "$klink") && ($klink ne $link) ) {
# there's a K link, but this level needs an S link
unless ($GLOBAL_LOGONLY) {
$local_return = unlink("$klink");
if ( ! $local_return ) {
# unlinking old, bad $klink failed
&B_log("ERROR","Unlinking $klink failed\n");
} else {
&B_log("ACTION","Removed link $klink\n");
# If we removed the link, add a link command to the revert file
&B_revert_log (&getGlobal('BIN','ln') . " -s $target $klink\n");
} # close what to do if unlink works
} # if not GLOBAL_LOGONLY
} # if $klink exists and ne $link
# OK, we've disposed of any old K links, make what we need
if ( (! ( -e "$link" )) && ($link ne '') ) {
# link doesn't exist and the start/stop number is OK; make it
unless ($GLOBAL_LOGONLY) {
# create the link
$local_return = &B_symlink($target,$link);
if ($local_return) {
$retval++;
&B_log("ACTION","Created link $link\n");
} else {
&B_log("ERROR","Couldn't create $link when trying to chkconfig on $startup_script\n");
}
}
} # link doesn't exist
} # foreach level
}
if ($retval < @runlevels) {
$retval=0;
}
$retval;
}
###########################################################################
# &B_chkconfig_off ($daemon_name) deletes the symbolic links that are
# named in the "# chkconfig: ___ _ _ " portion of the init.d files. We
# need this utility, in place of the distro's chkconfig, because of both
# our need to add revert functionality and our need to harden distros that
# are not mounted on /.
#
# chkconfig allows for a REVERT of its work by writing to an executable
# file &getGlobal('BFILE', "removed-symlinks").
#
# It uses the following global variables to find the links and the init
# scripts, respectively:
#
# &getGlobal('DIR', "rcd") -- directory where the rc_.d subdirs can be found
# &getGlobal('DIR', "initd") -- directory the rc_.d directories link to
#
# Here an example of where you might use this:
#
# You'd like to tell stop running sendmail in daemon mode on boot:
# B_chkconfig_off("sendmail")
#
###########################################################################
sub B_chkconfig_off {
my $startup_script=$_[0];
my $retval=1;
my $chkconfig_line;
my @runlevels;
my ($start_order,$stop_order,$filetolink);
if (&GetDistro =~/^DB.*/) {
$filetolink = &getGlobal('DIR', "initd") . "/$startup_script";
if (-x $filetolink)
{
# Three ways to do this in Debian:
# 1.- have the initd script set to 600 mode
# 2.- Remove the links in rcd (re-installing the package
# will break it)
# 3.- Use update-rc.d --remove (same as 2.)
# (jfs)
&B_chmod(0600,$filetolink);
$retval=6;
# The second option
#foreach my $level ("0","1","2","3","4","5","6" ) {
#my $link = '';
#$link = &getGlobal('DIR', "rcd") . "/rc" . "$level" . ".d/K50" . "$startup_script";
#unlink($link);
#}
}
}
#
# On SUSE, chkconfig-based rc scripts have been replaced with a whole different
# system. chkconfig on SUSE is actually a shell script that does some stuff and then
# calls insserv, their replacement.
#
elsif (&GetDistro =~ /^SE/) {
# only try to chkconfig off if init script is found
if ( -e (&getGlobal('DIR', "initd") . "/$startup_script") ) {
$chkconfig_line=&getGlobal('BIN','chkconfig');
&B_System("$chkconfig_line $startup_script on", "$chkconfig_line $startup_script off");
# chkconfig doesn't take affect until reboot, need to stop service
# since expectation is that the daemons are disabled even without a reboot
B_service_stop("$startup_script");
return 1; #success
}
return 0; #failure
}
else {
# Run through the init script looking for the chkconfig line...
$retval = open CHKCONFIG,&getGlobal('DIR', "initd") . "/$startup_script";
unless ($retval) {
&B_log("ACTION","Didn't chkconfig_off $startup_script because we couldn't open " . &getGlobal('DIR', "initd") . "/$startup_script\n");
}
else {
READ_LOOP:
while (my $line=<CHKCONFIG>) {
# We're looking for lines like this one:
# # chkconfig: 2345 10 90
if ($line =~ /^#\s*chkconfig:\s*([-\d]+)\s*(\d+)\s*(\d+)/ ) {
@runlevels=split //,$1;
$start_order=$2;
$stop_order=$3;
# Change single digit run levels to double digit -- otherwise,
# the alphabetic ordering chkconfig depends on fails.
if ($start_order =~ /^\d$/ ) {
$start_order = "0" . $start_order;
&B_log("ACTION","chkconfig_off converted start order to $start_order\n");
}
if ($stop_order =~ /^\d$/ ) {
$stop_order = "0" . $stop_order;
&B_log("ACTION","chkconfig_off converted stop order to $stop_order\n");
}
last READ_LOOP;
}
}
close CHKCONFIG;
# If we never found a chkconfig line, can we just run through all 5
# rcX.d dirs from 1 to 5...?
# unless ( $start_order and $stop_order ) {
# @runlevels=("1","2","3","4","5");
# $start_order = "*"; $stop_order="*";
# }
# Now, run through removing symlinks...
$retval=0;
# Handle the special case that the run level specified is solely "-"
if ($runlevels[0] =~ /-/) {
@runlevels = ( "0","1","2","3","4","5","6" );
}
foreach my $level ( @runlevels ) {
my $link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/S$start_order" . $startup_script;
my $new_link = &getGlobal('DIR', "rcd") . "/rc" . $level . ".d/K$stop_order" . $startup_script;
my $target = &getGlobal('DIR', "initd") ."/" . $startup_script;
my $local_return;
# Replace the S__ link in this level with a K__ link.
if ( -e $link ) {
unless ($GLOBAL_LOGONLY) {
$local_return=unlink $link;
if ($local_return) {
$local_return=symlink $target,$new_link;
unless ($local_return) {
&B_log("ERROR","Linking $target to $new_link failed.\n");
}
}
else { # unlinking failed
&B_log("ERROR","Unlinking $link failed\n");
}
}
if ($local_return) {
$retval++;
&B_log("ACTION","Removed link $link\n");
#
# If we removed the link, add a link command to the revert file
# Write out the revert information for recreating the S__
# symlink and deleting the K__ symlink.
&B_revert_log(&getGlobal('BIN',"ln") . " -s $target $link\n");
&B_revert_log(&getGlobal('BIN',"rm") . " -f $new_link\n");
}
else {
&B_log("ERROR","B_chkconfig_off $startup_script failed\n");
}
}
} # foreach
} # else-unless
} # else-DB
if ($retval < @runlevels) {
$retval=0;
}
$retval;
}
###########################################################################
# &B_service_start ($daemon_name)
# Starts service on RedHat/SUSE-based Linux distributions which have the
# service command:
#
# service $daemon_name start
#
# Other Linux distros that also support this method of starting
# services can be added to use this function.
#
# Here an example of where you might use this:
#
# You'd like to tell the system to start the vsftpd daemon:
# &B_service_start("vsftpd")
#
# Uses &B_System in HP_API.pm
# To match how the &B_System command works this method:
# returns 1 on success
# returns 0 on failure
###########################################################################
sub B_service_start {
my $daemon=$_[0];
if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
(&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
&B_log("ERROR","Tried to call service_start on a system lacking a service command! Internal Bastille error.");
return undef;
}
# only start service if init script is found
if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
&B_log("ACTION","# service_start enabling $daemon\n");
my $service_cmd=&getGlobal('BIN', 'service');
if ($service_cmd) {
# Start the service,
# Also provide &B_System revert command
return (&B_System("$service_cmd $daemon start",
"$service_cmd $daemon stop"));
}
}
# init script not found, do not try to start, return failure
return 0;
}
###########################################################################
# &B_service_stop ($daemon_name)
# Stops service on RedHat/SUSE-based Linux distributions which have the
# service command:
#
# service $daemon_name stop
#
# Other Linux distros that also support this method of starting
# services can be added to use this function.
# Stops service.
#
#
# Here an example of where you might use this:
#
# You'd like to tell the system to stop the vsftpd daemon:
# &B_service_stop("vsftpd")
#
# Uses &B_System in HP_API.pm
# To match how the &B_System command works this method:
# returns 1 on success
# returns 0 on failure
###########################################################################
sub B_service_stop {
my $daemon=$_[0];
if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
(&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
&B_log("ERROR","Tried to call service_stop on a system lacking a service command! Internal Bastille error.");
return undef;
}
# only stop service if init script is found
if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
&B_log("ACTION","# service_stop disabling $daemon\n");
my $service_cmd=&getGlobal('BIN', 'service');
if ($service_cmd) {
# Stop the service,
# Also provide &B_System revert command
return (&B_System("$service_cmd $daemon stop",
"$service_cmd $daemon start"));
}
}
# init script not found, do not try to stop, return failure
return 0;
}
###########################################################################
# &B_service_restart ($daemon_name)
# Restarts service on RedHat/SUSE-based Linux distributions which have the
# service command:
#
# service $daemon_name restart
#
# Other Linux distros that also support this method of starting
# services can be added to use this function.
#
# Here an example of where you might use this:
#
# You'd like to tell the system to restart the vsftpd daemon:
# &B_service_restart("vsftpd")
#
# Uses &B_System in HP_API.pm
# To match how the &B_System command works this method:
# returns 1 on success
# returns 0 on failure
###########################################################################
sub B_service_restart {
my $daemon=$_[0];
if ( (&GetDistro !~ /^SE/) and (&GetDistro !~ /^RH/) and
(&GetDistro !~ /^RHFC/) and (&GetDistro !~ /^MN/) ) {
&B_log("ERROR","Tried to call service_restart on a system lacking a service command! Internal Bastille error.");
return undef;
}
# only restart service if init script is found
if ( -e (&getGlobal('DIR', 'initd') . "/$daemon") ) {
&B_log("ACTION","# service_restart re-enabling $daemon\n");
my $service_cmd=&getGlobal('BIN', 'service');
if ($service_cmd) {
# Restart the service
return (&B_System("$service_cmd $daemon restart",
"$service_cmd $daemon restart"));
}
}
# init script not found, do not try to restart, return failure
return 0;
}
###########################################################################
# &B_is_service_off($;$)
#
# Runs the specified test to determine whether or not the question should
# be answered.
#
# return values:
# NOTSECURE_CAN_CHANGE()/0: service is on
# SECURE_CANT_CHANGE()/1: service is off
# undef: test is not defined
###########################################################################
sub B_is_service_off ($){
my $service=$_[0];
if(&GetDistro =~ "^HP-UX"){
#die "Why do I think I'm on HPUX?!\n";
return &checkServiceOnHPUX($service);
}
elsif ( (&GetDistro =~ "^RH") || (&GetDistro =~ "^SE") ) {
return &checkServiceOnLinux($service);
}
else {
&B_log("DEBUG","B_is_service off called for unsupported OS");
# not yet implemented for other distributions of Linux
# when GLOBAL_SERVICE, GLOBAL_SERVTYPE and GLOBAL_PROCESS are filled
# in for Linux, then
# at least inetd and inittab services should be similar to the above,
# whereas chkconfig would be used on some Linux distros to determine
# if non-inetd/inittab services are running at boot time. Looking at
# processes should be similar.
return undef;
}
}
###########################################################################
# &checkServiceOnLinux($service);
#
# Checks if the given service is running on a Linux system. This is
# called by B_is_Service_Off(), which is the function that Bastille
# modules should call.
#
# Return values:
# NOTSECURE_CAN_CHANGE() if the service is on
# SECURE_CANT_CHANGE() if the service is off
# undef if the state of the service cannot be determined
#
###########################################################################
sub checkServiceOnLinux($) {
my $service=$_[0];
# get the list of parameters which could be used to initiate the service
# (could be in /etc/rc.d/rc?.d, /etc/inetd.conf, or /etc/inittab, so we
# check all of them)
my @params = @{ &getGlobal('SERVICE', $service) };
my $chkconfig = &getGlobal('BIN', 'chkconfig');
my $grep = &getGlobal('BIN', 'grep');
my $inittab = &getGlobal('FILE', 'inittab');
my $serviceType = &getGlobal('SERVTYPE', $service);;
# A kludge to get things running because &getGlobal('SERVICE' doesn't
# return the expected values.
@params = ();
push (@params, $service);
foreach my $param (@params) {
&B_log("DEBUG","Checking to see if service $service is off.\n");
if ($serviceType =~ /rc/) {
my $on = &B_Backtick("$chkconfig --list $param 2>&1");
if ($on =~ /^$param:\s+unknown/) {
# This service isn't installed on the system
return NOT_INSTALLED();
}
if ($on =~ /^error reading information on service $param: No such file or directory/) {
# This service isn't installed on the system
return NOT_INSTALLED();
}
if ($on =~ /^error/) {
# This probably
&B_log("DEBUG","chkconfig returned: $param=$on\n");
return undef;
}
$on =~ s/^$param\s+//; # remove the service name and spaces
$on =~ s/[0-6]:off\s*//g; # remove any runlevel:off entries
$on =~ s/:on\s*//g; # remove the :on from the runlevels
# what remains is a list of runlevels in which the service is on,
# or a null string if it is never turned on
chomp $on; # newline should be gone already (\s)
&B_log("DEBUG","chkconfig returned: $param=$on\n");
if ($on =~ /^\d+$/) {
# service is not off
########################### BREAK out, don't skip question
return NOTSECURE_CAN_CHANGE();
}
}
elsif ($serviceType =~ /inet/) {
my $on = &B_Backtick("$chkconfig --list $param 2>&1");
if ($on =~ /^$param:\s+unknown/) {
# This service isn't installed on the system
return NOT_INSTALLED();
}
if ($on =~ /^error reading information on service $param: No such file or directory/) {
# This service isn't installed on the system
return NOT_INSTALLED();
}
if ($on =~ /^error/ ) {
# Something else is wrong?
# return undef
return undef;
}
if ($on =~ tr/\n// > 1) {
$on =~ s/^xinetd.+\n//;
}
$on =~ s/^\s*$param:?\s+//; # remove the service name and spaces
chomp $on; # newline should be gone already (\s)
&B_log("DEBUG","chkconfig returned: $param=$on\n");
if ($on =~ /^on$/) {
# service is not off
########################### BREAK out, don't skip question
return NOTSECURE_CAN_CHANGE();
}
}
else {
# perhaps the service is started by inittab
my $inittabline = &B_Backtick("$grep -E '^[^#].{0,3}:.*:.+:.*$param' $inittab");
if ($inittabline =~ /.+/) { # . matches anything except newlines
# service is not off
&B_log("DEBUG","Checking inittab; found $inittabline\n");
########################### BREAK out, don't skip question
return NOTSECURE_CAN_CHANGE();
}
}
} # foreach my $param
# boot-time parameters are not set; check processes
# Note the checkProcsforService returns INCONSISTENT() if a process is found
# assuming the checks above
return &checkProcsForService($service);
}
1;


@@ -0,0 +1,106 @@
# Q: Would you like to enforce password aging? [Y]
AccountSecurity.passwdage="Y"
# Q: Should Bastille disable clear-text r-protocols that use IP-based authentication? [Y]
AccountSecurity.protectrhost="Y"
# Q: Should we disallow root login on tty's 1-6? [N]
AccountSecurity.rootttylogins="Y"
# Q: What umask would you like to set for users on the system? [077]
AccountSecurity.umask="077"
# Q: Do you want to set the default umask? [Y]
AccountSecurity.umaskyn="Y"
# Q: Would you like to deactivate the Apache web server? [Y]
Apache.apacheoff="Y"
# Q: Would you like to password protect single-user mode? [Y]
BootSecurity.passsum="Y"
# Q: Should we restrict console access to a small group of user accounts? [N]
ConfigureMiscPAM.consolelogin="Y"
# Q: Which accounts should be able to login at console? [root]
ConfigureMiscPAM.consolelogin_accounts="root"
# Q: Would you like to put limits on system resource usage? [N]
ConfigureMiscPAM.limitsconf="Y"
# Q: Would you like to set more restrictive permissions on the administration utilities? [N]
FilePermissions.generalperms_1_1="Y"
# Q: Would you like to disable SUID status for mount/umount?
FilePermissions.suidmount="Y"
# Q: Would you like to disable SUID status for ping? [Y]
FilePermissions.suidping="Y"
# Q: Would you like to disable SUID status for traceroute? [Y]
FilePermissions.suidtrace="Y"
# Q: Do you need the advanced networking options?
Firewall.ip_advnetwork="Y"
# Q: Should Bastille run the firewall and enable it at boot time? [N]
Firewall.ip_enable_firewall="Y"
# Q: Would you like to run the packet filtering script? [N]
Firewall.ip_intro="Y"
# Q: Interfaces for DHCP queries: [ ]
Firewall.ip_s_dhcpiface=" "
# Q: DNS servers: [0.0.0.0/0]
Firewall.ip_s_dns="10.184.9.1"
# Q: ICMP allowed types: [destination-unreachable echo-reply time-exceeded]
Firewall.ip_s_icmpallowed="destination-unreachable echo-reply time-exceeded"
# Q: ICMP services to audit: [ ]
Firewall.ip_s_icmpaudit=" "
# Q: ICMP types to disallow outbound: [destination-unreachable time-exceeded]
Firewall.ip_s_icmpout="destination-unreachable time-exceeded"
# Q: Internal interfaces: [ ]
Firewall.ip_s_internaliface=" "
# Q: TCP service names or port numbers to allow on private interfaces: [ ]
Firewall.ip_s_internaltcp=" "
# Q: UDP service names or port numbers to allow on private interfaces: [ ]
Firewall.ip_s_internaludp=" "
# Q: Masqueraded networks: [ ]
Firewall.ip_s_ipmasq=" "
# Q: Kernel modules to masquerade: [ftp raudio vdolive]
Firewall.ip_s_kernelmasq="ftp raudio vdolive"
# Q: NTP servers to query: [ ]
Firewall.ip_s_ntpsrv=" "
# Q: Force passive mode? [N]
Firewall.ip_s_passiveftp="N"
# Q: Public interfaces: [eth+ ppp+ slip+]
Firewall.ip_s_publiciface="eth+ ppp+ slip+"
# Q: TCP service names or port numbers to allow on public interfaces:[ ]
Firewall.ip_s_publictcp=" "
# Q: UDP service names or port numbers to allow on public interfaces:[ ]
Firewall.ip_s_publicudp=" "
# Q: Reject method: [DENY]
Firewall.ip_s_rejectmethod="DENY"
# Q: Enable source address verification? [Y]
Firewall.ip_s_srcaddr="Y"
# Q: TCP services to audit: [telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh]
Firewall.ip_s_tcpaudit="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# Q: TCP services to block: [2049 2065:2090 6000:6020 7100]
Firewall.ip_s_tcpblock="2049 2065:2090 6000:6020 7100"
# Q: Trusted interface names: [lo]
Firewall.ip_s_trustiface="lo"
# Q: UDP services to audit: [31337]
Firewall.ip_s_udpaudit="31337"
# Q: UDP services to block: [2049 6770]
Firewall.ip_s_udpblock="2049 6770"
# Q: Would you like to add additional logging? [Y]
Logging.morelogging="Y"
# Q: Would you like to set up process accounting? [N]
Logging.pacct="N"
# Q: Do you have a remote logging host? [N]
Logging.remotelog="N"
# Q: Would you like to disable acpid and/or apmd? [Y]
MiscellaneousDaemons.apmd="Y"
# Q: Would you like to deactivate NFS and Samba? [Y]
MiscellaneousDaemons.remotefs="Y"
# Q: Would you like to disable printing? [N]
Printing.printing="Y"
# Q: Would you like to disable printing? [N]
Printing.printing_cups="Y"
# Q: Would you like to display "Authorized Use" messages at log-in time? [Y]
SecureInetd.banners="Y"
# Q: Should Bastille ensure inetd's FTP service does not run on this system? [y]
SecureInetd.deactivate_ftp="Y"
# Q: Should Bastille ensure the telnet service does not run on this system? [y]
SecureInetd.deactivate_telnet="Y"
# Q: Who is responsible for granting authorization to use this machine?
SecureInetd.owner="its owner"
# Q: Would you like to set a default-deny on TCP Wrappers and xinetd? [N]
SecureInetd.tcpd_default_deny="Y"
# Q: Do you want to stop sendmail from running in daemon mode? [Y]
Sendmail.sendmaildaemon="Y"
# Q: Would you like to install TMPDIR/TMP scripts? [N]
TMPDIR.tmpdir="N"
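Review bot: `Firewall.ip_s_dns="10.184.9.1"` bakes a site-specific private resolver address into the layer's default Bastille configuration, so every image built from this layer gets a DNS firewall rule for one host that is meaningless elsewhere and, with the default-deny reject method below it, will silently break name resolution on other networks. The question's own default shown in the comment is `0.0.0.0/0`; either restore that or mark the value as a placeholder, e.g. `# NOTE: site-specific; replace with the local resolver(s) or use 0.0.0.0/0` above the line. The comment over `Printing.printing_cups` duplicates the `Printing.printing` question text, so it is unclear which daemon each key disables; reword one of them. `Firewall.ip_s_tcpaudit` lists `ssh`, which means every SSH connection attempt is logged — fine as a choice, but worth a comment since it is the likely admin path into the device.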


@@ -0,0 +1,21 @@
Index: Bastille/bin/bastille
===================================================================
--- Bastille.orig/bin/bastille
+++ Bastille/bin/bastille
@@ -162,11 +162,12 @@ fi
# We check that the version is at least the minimum
PERL_VERSION=`${CURRENT_PERL_PATH}/perl -version |
- head -2 | # the second line contains the version
+ head -n 2 | # the second line contains the version
tr " " "\n" | # split words into separate lines
- sed -e "s/^v//" | # to get rid of the v in v5.6.0
- grep "^[1-9]\." | # find a "word" that starts with number dot
- sed -e "s/_/./"` # substitute _patchlevel with .patchlevel
+ grep "^(v" | # find a "word" that starts with '(v'
+ sed -e "s/^(v//" -e "s/)//" -e "s/_/./"`
+ # to get rid of the (v in v5.6.0
+ # substitute _patchlevel with .patchlevel
# (used in 5.005_03 and prior)
# everything before the first .
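Review bot: The patch file has no `Upstream-Status:` tag, which the Yocto layer convention requires so that reviewers know whether this version-parsing change is Pending, Submitted or Inappropriate for upstream Bastille; add `Upstream-Status: Pending` and a one-line rationale at the top of the file. The new pipeline keys on the `(vX.Y.Z)` token via `grep "^(v"`, so the retained `-e "s/_/./"` substitution and the comment `# (used in 5.005_03 and prior)` presumably describe output that the new grep can no longer pass through; either drop them or state that they are kept for safety. The shell snippet this hunk patches continues outside the hunk.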


@@ -0,0 +1,72 @@
From c59b84ca3bda8e4244d47901b6966f28dd675434 Mon Sep 17 00:00:00 2001
From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
Date: Thu, 23 May 2013 15:12:23 +0300
Subject: [PATCH] added yocto-standard to bastille
In order to make Bastille functional and avoid errors
regarding distros, if not any given distro is identified,
yocto-standard distro is added to the distro variable
in Bastille.
Fixed also some warnings regarding defined statements
in API.pm.
Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
---
Bastille/API.pm | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/Bastille/API.pm b/Bastille/API.pm
index 40f8c72..ebbe9f7 100644
--- a/Bastille/API.pm
+++ b/Bastille/API.pm
@@ -445,8 +445,8 @@ sub GetDistro() {
$release=`/usr/bin/uname -sr`;
}
else {
- print STDERR "$err Could not determine operating system version!\n";
- $distro="unknown";
+ #print STDERR "$err Could not determine operating system version!\n";
+ $distro="3.8.11-yocto-standard";
}
# Figure out what kind of system we're on.
@@ -537,7 +537,7 @@ sub getSupportedOSHash () {
"DB2.2", "DB3.0",
"RH6.0","RH6.1","RH6.2","RH7.0",
"RH7.1","RH7.2","RH7.3","RH8.0",
- "RH9",
+ "RH9","3.8.11-yocto-standard",
"RHEL5",
"RHEL4AS","RHEL4ES","RHEL4WS",
"RHEL3AS","RHEL3ES","RHEL3WS",
@@ -1284,7 +1284,7 @@ sub B_write_sums {
my $sumFile = &getGlobal('BFILE',"sum.csv");
- if ( defined %GLOBAL_SUM ) {
+ if ( %GLOBAL_SUM ) {
open( SUM, "> $sumFile") or &B_log("ERROR","Unable to open $sumFile for write.\n$!\n");
@@ -1318,7 +1318,7 @@ sub B_check_sum($) {
my $file = $_[0];
my $cksum = &getGlobal('BIN',"cksum");
- if (not(defined(%GLOBAL_SUM))) {
+ if (not(%GLOBAL_SUM)) {
&B_read_sums;
}
@@ -1375,7 +1375,7 @@ sub listModifiedFiles {
sub B_isFileinSumDB($) {
my $file = $_[0];
- if (not(defined(%GLOBAL_SUM))) {
+ if (not(%GLOBAL_SUM)) {
&B_log("DEBUG","Reading in DB from B_isFileinSumDB");
&B_read_sums;
}
--
1.7.9.5
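Review bot: `$distro="3.8.11-yocto-standard";` in GetDistro turns the unidentified-OS fallback into a "supported" distro while the `print STDERR` that reported the failure is commented out, so any host Bastille cannot identify is silently treated as known and every module's distro-specific branch runs against it. The value is also a kernel release string, so the matching entry added to getSupportedOSHash stops matching the moment the kernel version changes, which puts the build back on the silent unknown path. If the intent is a Yocto distro, use a stable identifier such as `$distro="YOCTO";` in both places, keep the STDERR diagnostic, and document in the patch header (with an `Upstream-Status:` tag, which is missing) which Bastille modules were verified on it. GetDistro and the sum helpers start and end outside these hunks; the `defined %GLOBAL_SUM` → `%GLOBAL_SUM` changes look correct.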


@@ -0,0 +1,16 @@
DESCRIPTION = "basic system security checks"
SECTION = "security"
LICENSE = "GPL-2.0"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz"
SRC_URI[md5sum] = "ad6cfe0cd66ebdd16dd5d4ee5fa8fa17"
SRC_URI[sha256sum] = "a2bc2355358d6daf3cb72485d564e82cb541e8516f23b50522c816853ecd13c2"
do_compile() {
}
do_install() {
oe_runmake PREFIX=${D}
}
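Review bot: `LIC_FILES_CHKSUM` points at `${COMMON_LICENSE_DIR}/GPL-2.0` rather than a license file inside the checksecurity tarball, so the checksum can never detect an upstream license change; point it at the package's own copyright/COPYING file. `do_install` runs `oe_runmake PREFIX=${D}` with no target, which depends on the upstream Makefile's default target doing the install — if it provides one, name it explicitly (`oe_runmake install PREFIX=${D}`), and the empty `do_compile` deserves a one-line comment saying the package is script-only. The tarball is fetched over plain http, which is acceptable only because the sha256sum is pinned; note that in the recipe or switch to an https mirror.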


@@ -0,0 +1,27 @@
DESCRIPTION = "This package contains the URI.pm module with friends. \
The module implements the URI class. URI objects can be used to access \
and manipulate the various components that make up these strings."
SECTION = "libs"
LICENSE = "Artistic-1.0 | GPL-1.0+"
PR = "r0"
LIC_FILES_CHKSUM = "file://README;beginline=26;endline=30;md5=0b37356c5e9e28080a3422d82af8af09"
DEPENDS += "perl ncurses"
SRC_URI = "http://www.cpan.org/authors/id/G/GI/GIRAFFED/Curses-1.28.tgz"
SRC_URI[md5sum] = "ed9f7ddf2d90f4266da91c3dc9fad9c9"
SRC_URI[sha256sum] = "613b73c4b6075b1550592812214e4fc0e2205d3afcf234e3fa90f208fb8de892"
S = "${WORKDIR}/Curses-${PV}"
EXTRA_CPANFLAGS = "EXPATLIBPATH=${STAGING_LIBDIR} EXPATINCPATH=${STAGING_INCDIR}"
inherit cpan
do_compile() {
export LIBC="$(find ${STAGING_DIR_TARGET}/${base_libdir}/ -name 'libc-*.so')"
cpan_do_compile
}
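Review bot: DESCRIPTION describes URI.pm, but this recipe builds Curses (`SRC_URI` fetches `Curses-1.28.tgz` and `S` is `Curses-${PV}`), so the packaged metadata is wrong; replace it with a description of the Curses module, e.g. `DESCRIPTION = "Perl interface to the curses terminal library"` (confirm wording against the module's README). The version is hard-coded in `SRC_URI` while `S` uses `${PV}`, so a PV bump keeps fetching 1.28 until the checksum mismatch fails; use `Curses-${PV}.tgz`. `EXTRA_CPANFLAGS` passes `EXPATLIBPATH`/`EXPATINCPATH`, which look copied from an XML::Parser recipe and presumably mean nothing to Curses — drop them or explain why they are needed.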


@@ -0,0 +1,27 @@
DESCRIPTION = "This package contains the URI.pm module with friends. \
The module implements the URI class. URI objects can be used to access \
and manipulate the various components that make up these strings."
SECTION = "libs"
LICENSE = "Artistic-1.0 | GPL-1.0+"
PR = "r0"
LIC_FILES_CHKSUM = "file://README;beginline=26;endline=30;md5=94b119f1a7b8d611efc89b5d562a1a50"
DEPENDS += "perl"
SRC_URI = "http://www.cpan.org/authors/id/S/SM/SMUELLER/lib-${PV}.tar.gz"
SRC_URI[md5sum] = "8607ac4e0d9d43585ec28312f52df67c"
SRC_URI[sha256sum] = "72f63db9220098e834d7a38231626bd0c9b802c1ec54a628e2df35f3818e5a00"
S = "${WORKDIR}/lib-${PV}"
EXTRA_CPANFLAGS = "EXPATLIBPATH=${STAGING_LIBDIR} EXPATINCPATH=${STAGING_INCDIR}"
inherit cpan
do_compile() {
export LIBC="$(find ${STAGING_DIR_TARGET}/${base_libdir}/ -name 'libc-*.so')"
cpan_do_compile
}
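Review bot: DESCRIPTION describes URI.pm, but `SRC_URI` fetches `lib-${PV}.tar.gz` and `S` is `lib-${PV}`, so the packaged metadata describes a different module; replace it with a description of the `lib` module (confirm wording against the tarball's README, which `LIC_FILES_CHKSUM` already reads). `EXTRA_CPANFLAGS` with `EXPATLIBPATH`/`EXPATINCPATH` and the `LIBC` export in `do_compile` look copied from another recipe; if the `lib` module's build does not consume them, drop them so the recipe does not suggest an expat dependency it does not have. `PR = "r0"` is the default and can be omitted.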


@@ -0,0 +1,20 @@
SUMMARY = "Security-focused ELF files checking tool"
DESCRIPTION = "This is a small set of various PaX aware and related \
utilities for ELF binaries. It can check ELF binary files and running \
processes for issues that might be relevant when using ELF binaries \
along with PaX, such as non-PIC code or executable stack and heap."
HOMEPAGE = "http://www.gentoo.org/proj/en/hardened/pax-utils.xml"
LICENSE = "GPLv2+"
LIC_FILES_CHKSUM = "file://COPYING;md5=eb723b61539feef013de476e68b5c50a"
SRC_URI = "http://gentoo.osuosl.org/distfiles/pax-utils-${PV}.tar.xz"
SRC_URI[md5sum] = "8ae7743ad11500f7604f2e817221d877"
SRC_URI[sha256sum] = "1ac4cee9a9ca97a723505eb29a25e50adeccffba3f0f0ef4f035cf082caf3b84"
PR = "r0"
do_install() {
oe_runmake PREFIX=${D}${prefix} DESTDIR=${D} install
}
BBCLASSEXTEND = "native"
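Review bot: `oe_runmake PREFIX=${D}${prefix} DESTDIR=${D} install` passes the staging directory twice — if the pax-utils Makefile prepends `DESTDIR` to `PREFIX`-based paths (the usual convention), the files land under `${D}${D}${prefix}` and the package ends up empty or mis-rooted. The conventional form is `oe_runmake PREFIX=${prefix} DESTDIR=${D} install`; verify against the Makefile and add a comment if the double prefix is really required. `PR = "r0"` is the default and can be dropped.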


@@ -0,0 +1,96 @@
#!/bin/sh
#
# find-chroot-py utility
# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
# sgrubb@redhat.com
#
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# This program looks for python apps that use chroot(2) without using chdir(2)
#
# To save to file: ./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt
libdirs="/lib /lib64 /usr/lib /usr/lib64"
progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
FOUND=0
# First param is which list to use, second is search pattern
scan () {
if [ "$1" = "1" ] ; then
dirs=$libdirs
elif [ "$1" = "2" ] ; then
dirs=$progdirs
elif [ "$1" = "3" ] ; then
dirs=$3
fi
for d in $dirs ; do
if [ ! -d $d ] ; then
continue
fi
files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
for f in $files
do
if [ "$1" = "2" ] ; then
testf=`/usr/bin/file $f | egrep 'ython'`
if [ x"$testf" = "x" ] ; then
continue
fi
fi
syms=`egrep ' os.chroot' $f`
if [ x"$syms" != "x" ] ; then
syms=`egrep ' os.chdir' $f`
if [ x"$syms" = "x" ] ; then
if [ $FOUND = 0 ] ; then
printf "%-44s%s\n" "FILE" " PACKAGE"
FOUND=1
fi
# Red
printf "\033[31m%-44s\033[m" $f
#rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
rpm -qf --queryformat " %{SOURCERPM}" $f
echo
else
# One last test to see if chdir is within 4
# lines of chroot
syms=`cat $f | egrep ' os.chroot' -A3 | egrep ' os.chdir'`
if [ x"$syms" = "x" ] ; then
if [ $FOUND = 0 ] ; then
printf "%-44s%s\n" "FILE" " PACKAGE"
FOUND=1
fi
printf "\033[31m%-44s\033[m" $f
rpm -qf --queryformat " %{SOURCERPM}" $f
echo
fi
fi
fi
done
done
}
if [ $# -eq 1 ] ; then
if [ -d $1 ] ; then
scan 3 '*' $1
else
echo "Input is not a directory"
exit 1
fi
else
scan 2 '*'
scan 1 '*.py'
fi
if [ $FOUND -eq 0 ] ; then
# Nothing to report, just exit
echo "No problems found" 1>&2
exit 0
fi
exit 1


@@ -0,0 +1,93 @@
#!/bin/sh
#
# find-chroot utility
# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
# sgrubb@redhat.com
#
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# This program looks for apps that use chroot(2) without using chdir(2)
#
# To save to file: ./find-chroot | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt
libdirs="/lib /lib64 /usr/lib /usr/lib64"
progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
FOUND=0
# First param is which list to use, second is search pattern
scan () {
if [ "$1" = "1" ] ; then
dirs=$libdirs
elif [ "$1" = "2" ] ; then
dirs=$progdirs
elif [ "$1" = "3" ] ; then
dirs=$3
fi
for d in $dirs ; do
if [ ! -d $d ] ; then
continue
fi
files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
for f in $files
do
syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' chroot@.*GLIBC'`
if [ x"$syms" != "x" ] ; then
syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' chdir@.*GLIBC'`
if [ x"$syms" = "x" ] ; then
if [ $FOUND = 0 ] ; then
printf "%-44s%s\n" "FILE" " PACKAGE"
FOUND=1
fi
# Red
printf "\033[31m%-44s\033[m" $f
#rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
rpm -qf --queryformat " %{SOURCERPM}" $f
echo
else
# One last test to see if chdir is within 3
# lines of chroot
syms=`objdump -d $f | egrep callq | egrep 'chroot@plt' -A2 | egrep 'chroot|chdir'`
if [ x"$syms" = "x" ] ; then
syms=`echo $f | egrep -v 'libc-2|libc.so'`
if [ x"$syms" != "x" ] ; then
if [ $FOUND = 0 ] ; then
printf "%-44s%s\n" "FILE" "PACKAGE"
FOUND=1
fi
printf "\033[31m%-44s\033[m" $f
rpm -qf --queryformat " %{SOURCERPM}" $f
echo
fi
fi
fi
fi
done
done
}
if [ $# -eq 1 ] ; then
if [ -d $1 ] ; then
scan 3 '*' $1
else
echo "Input is not a directory"
exit 1
fi
else
scan 2 '*'
scan 1 '*.so'
fi
if [ $FOUND -eq 0 ] ; then
# Nothing to report, just exit
echo "No problems found" 1>&2
exit 0
fi
exit 1
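Review bot: The chdir-proximity fallback `objdump -d $f | egrep callq | egrep 'chroot@plt' -A2 | egrep 'chroot|chdir'` only matches the x86-64 AT&T mnemonic `callq`; on targets whose objdump prints `call` or `bl` instead, `syms` is always empty, the following `egrep -v 'libc-2|libc.so'` branch then reports every binary that references both chroot and chdir, and the result is a list of false positives. Since this layer targets cross-built Yocto images, the filter should be at least `egrep 'call|bl'` (or the mnemonic check dropped) and the header comment should state that the heuristic is architecture-dependent. Every finding is annotated with `rpm -qf`, which fails on images without rpm; guard it with `command -v rpm >/dev/null` (the sibling find-* scripts share this). `$f` is unquoted throughout, so paths with whitespace are split.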


@@ -0,0 +1,84 @@
#!/bin/sh
# find_elf4tmp utility
# Copyright (c) 2010-12 Steve Grubb. ALL RIGHTS RESERVED.
# sgrubb@redhat.com
#
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
# This script will search a directory and its subdirectories for all elf
# executables. It will then search for the use of the tmp directory. If it finds
# this is true, it will then check to see if XXX is being used which would
# indicate that the path is going to be randomized.
if [ $# -ge 2 ] ; then
echo "Usage: find_elf4tmp [directory]" 1>&2
exit 1
fi
if [ ! -x /usr/bin/eu-strings ] ; then
echo "Skipping due to missing /usr/bin/eu-strings utility"
exit 1
fi
if [ -h /bin ] ; then
DIRS="/usr/bin /usr/sbin /usr/libexec /usr/kerberos /usr/games /usr/lib /usr/lib64 /usr/local"
else
DIRS="/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/kerberos /usr/games /lib /lib64 /usr/lib /usr/lib64 /usr/local"
fi
if [ $# -eq 1 ] ; then
if [ -d "$1" ] ; then
DIRS="$1"
else
echo "Option passed in was not a directory" 1>&2
exit 1
fi
fi
FOUND=0
for d in $DIRS
do
if [ ! -d $d ] ; then
continue
fi
# echo "Scanning files in $d..."
for f in `/usr/bin/find $d -type f 2>/dev/null`
do
# Get just the elf executables
testf=`echo $f | /usr/bin/file -n -f - 2>/dev/null | grep ELF`
if [ x"$testf" != "x" ] ; then
test_res=`/usr/bin/eu-strings $f | /bin/grep '/tmp/' | /bin/egrep -v 'XX|/tmp/$|[ .,:]/tmp/'`
if [ x"$test_res" = "x" ] ; then
continue
fi
# Do further examination...
syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' mkstemp@.*GLIBC| tempnam@.*GLIBC| tmpfile@.*GLIBC'`
if [ x"$syms" != "x" ] ; then
continue
fi
# Well its a bad one...out with it
FOUND=1
# Get the package
RPM=`/bin/rpm -qf --queryformat "%{NAME}-%{VERSION}" $f 2>/dev/null | /bin/grep -v 'not owned' | /bin/sort | /usr/bin/uniq`
if [ x"$RPM" = "x" ] ; then
RPM="<unowned>"
fi
# For each tmp string, output the line
echo $test_res | /usr/bin/tr '\b' '\n' | /bin/awk 'NF >= 1 { printf "%-46s\t%-30s\t%s\n", f, r, $1 }' r=$RPM f=$f
fi
done
done
if [ $FOUND -eq 0 ] ; then
# Nothing to report, just exit
echo "No problems found" 1>&2
exit 0
fi
exit 1


@@ -0,0 +1,72 @@
#!/bin/sh
#
# find-execstack utility
# Copyright (c) 2007 Steve Grubb. ALL RIGHTS RESERVED.
# sgrubb@redhat.com
#
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# This program looks for executable stacks
#
libdirs="/lib /lib64 /usr/lib /usr/lib64"
progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
FOUND=0
# First param is which list to use, second is search pattern
scan () {
if [ "$1" = "1" ] ; then
dirs=$libdirs
elif [ "$1" = "2" ] ; then
dirs=$progdirs
fi
for d in $dirs ; do
if [ ! -d $d ] ; then
continue
fi
files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
for f in $files
do
FOUND_ONE=0
stacks=`/usr/bin/eu-readelf -l $f 2>/dev/null | grep STACK`
if [ x"$stacks" != "x" ] ; then
perms=`echo $stacks | /bin/awk '{ print $7 }'`
if [ x"$perms" != x -a "$perms" != "RW" ] ; then
FOUND_ONE=1
fi
fi
old_stacks=`echo $stacks | /bin/grep -v GNU_STACK`
if [ x"$old_stacks" != "x" ] ; then
FOUND_ONE=1
fi
heaps=`/usr/bin/eu-readelf -l $f 2>/dev/null | grep GNU_HEAP`
if [ x"$heaps" != "x" ] ; then
FOUND_ONE=1
fi
if [ $FOUND_ONE = 1 ] ; then
printf "%-42s" $f
rpm -qf --queryformat "%{SOURCERPM}" $f
echo
FOUND=1
fi
done
done
}
scan 1 '*.so'
scan 2 '*'
if [ $FOUND -eq 0 ] ; then
# Nothing to report, just exit
echo "No problems found" 1>&2
exit 0
fi
exit 1


@@ -0,0 +1,21 @@
#!/bin/sh
#
#
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# This program looks for hidden executables
find / -name '.*' -type f -perm /00111 2>/dev/null
# Also need to find hidden dirs and see if anything below it is hidden
hidden_dirs=`find / -name '.*' -type d 2>/dev/null`
for d in $hidden_dirs
do
find $d -name '.*' -type f -perm /00111 2>/dev/null
done
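Review bot: The second pass `for d in $hidden_dirs` re-runs `find $d -name '.*' -type f -perm /00111` inside directories the first `find /` already descended into, so every hidden executable under a hidden directory is printed twice (more when hidden directories nest). Either drop the loop, or make it the only pass that reports files inside hidden directories by pruning them from the first find. `$d` is unquoted, so a hidden directory name containing whitespace is split into bogus paths; use `"$d"`. Unlike its siblings the script has no usage header or exit-status convention — a one-line comment such as `# Prints hidden executables; no output means no findings` would help.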


@@ -0,0 +1,85 @@
#!/bin/sh
#
# find-nodrop-groups utility
# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
# sgrubb@redhat.com
#
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# This program looks for apps that use setgid(2) without using initgroups(3)
# or setgroups(2).
#
# To save to file: ./find-nodrop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee findings.txt
libdirs="/lib /lib64 /usr/lib /usr/lib64"
progdirs="/bin /sbin /usr/bin /usr/sbin /usr/libexec"
FOUND=0
# First param is which list to use, second is search pattern
scan () {
if [ "$1" = "1" ] ; then
dirs=$libdirs
elif [ "$1" = "2" ] ; then
dirs=$progdirs
elif [ "$1" = "3" ] ; then
dirs=$3
fi
for d in $dirs ; do
if [ ! -d $d ] ; then
continue
fi
files=`/usr/bin/find $d -name "$2" -type f 2>/dev/null`
for f in $files
do
syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'`
if [ x"$syms" != "x" ] ; then
syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'`
if [ x"$syms" != "x" ] ; then
syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'`
if [ x"$syms" = "x" ] ; then
if [ $FOUND = 0 ] ; then
printf "%-44s%s\n" "FILE" "PACKAGE"
fi
syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print`
if [ x"$syms" = "x" ] ; then
printf "\033[31m%-44s\033[m" $f
rpm -qf --queryformat "%{SOURCERPM}" $f
echo
FOUND=1
# else
# printf "\033[33m%-44s\033[m" $f
fi
#rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
fi
fi
fi
done
done
}
if [ $# -eq 1 ] ; then
if [ -d $1 ] ; then
scan 3 '*' $1
else
echo "Input is not a directory"
exit 1
fi
else
scan 1 '*.so'
scan 2 '*'
fi
if [ $FOUND -eq 0 ] ; then
# Nothing to report, just exit
echo "No problems found" 1>&2
exit 0
fi
exit 1


@@ -0,0 +1,132 @@
#!/bin/sh
# find_sh4errors utility
# Copyright (c) 2004 Steve Grubb. ALL RIGHTS RESERVED.
# sgrubb@redhat.com
#
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
# This script will search a directory and its subdirectories for every shell
# script. It then runs sh -n to see if bash can determine if there are obvious
# parsing errors. It does have a bug in that bash -n does not take into
# account someone may program an unconditional exit and then include man page
# generation information. It also fails to notice the exec command. When you
# run across files that do either of the above, add it to the KNOWN_BAD list.
if [ $# -ge 2 ] ; then
echo "Usage: find_sh4errors [directory]" 1>&2
exit 1
fi
INTERPRETERS="wish wishx tclsh guile rep itkwish expect /etc/kde/kdm/Xsession /etc/X11/xdm/Xsession /usr/bin/festival perl hfssh"
SKIP_DIRS="/opt /home /root"
KNOWN_BAD="/usr/bin/kde-build /usr/bin/cvsversion samples/copifuncs/copi.sendifm1 bashdb bash_completion_test"
DIR="/"
if [ $# -eq 1 ] ; then
if [ -d "$1" ] ; then
DIR="$1"
else
echo "Option passed in was not a directory" 1>&2
exit 1
fi
fi
tempfile=`mktemp /tmp/sh4.XXXXXX`
tempfile2=`mktemp /tmp/sh4.XXXXXX`
if [ -z "$tempfile" -o -z "$tempfile2" ] ; then
echo ; echo "Unable to create tempfiles...aborting." 1>&2 ; echo
exit 1
fi
trap "rm -f $tempfile; rm -f $tempfile2; exit 2" 1 2 3 5 15
# Get executable files
#echo "Locating executables..."
/usr/bin/find $DIR -type f -perm /0111 -print >> $tempfile 2>/dev/null
FOUND=0
#echo "Refining list to shell scripts..."
while read f
do
# Get just the shell scripts
testf=`echo $f | /usr/bin/file -n -f - | egrep 'ourne|POSIX shell'`
if [ x"$testf" != x ] ; then
echo $f >> $tempfile2
FOUND=1
fi
done < $tempfile
/bin/rm -f $tempfile
if [ $FOUND -eq 0 ] ; then
# Nothing to report, just exit
# echo "Examining shell scripts in $DIR"
# echo "No problems found"
/bin/rm -f $tempfile2
exit 0
fi
#echo "Examining shell scripts in $DIR"
FOUND=0
while read i
do
# First see if the script calls an interpreter
SKIP=0
for lang in $INTERPRETERS
do
if `/bin/cat "$i" 2>/dev/null | \
grep "exec[ \t].*$lang" >/dev/null` ; then
SKIP=1
break
fi
done
if [ $SKIP -eq 1 ] ; then
continue
fi
# See if this is in a dir we want to ignore
for d in $SKIP_DIRS
do
if `echo "$i" | /bin/grep "^\$d" >/dev/null`; then
SKIP=1
break
fi
done
if [ $SKIP -eq 1 ] ; then
continue
fi
# Don't do the known naughty files
for bad in $KNOWN_BAD
do
if `echo "$i" | /bin/grep "$bad" >/dev/null`; then
SKIP=1
break
fi
done
if [ $SKIP -eq 1 ] ; then
continue
fi
# Now examine them for correctness
interp=`/usr/bin/head -n 1 "$i" | /bin/awk '{ print $1 }' | \
/usr/bin/tr -d '#!'`
if [ x"$interp" = "x" -o ! -x "$interp" ] ; then
interp="/bin/sh"
fi
$interp -n "$i" 2>/dev/null
if [ $? -ne 0 ] ; then
printf "%-44s" "$i"
rpm -qf --queryformat "%{NAME}-%{VERSION}" $i
echo
FOUND=1
fi
done < $tempfile2
/bin/rm -f $tempfile2
if [ $FOUND -eq 0 ] ; then
# Nothing to report, just exit
# echo "No problems found"
exit 0
fi
exit 1
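Review bot: `interp` is taken from the first line of every executable found under `$DIR` (default `/`, including `/tmp`) and then executed as `$interp -n "$i"`, so a planted script whose shebang names an attacker-controlled file, e.g. `#!/tmp/x`, gets that file run with the auditor's privileges — the only guard is `-x "$interp"`, which checks executability, not provenance. Accept the shebang interpreter only when it is one of a fixed list of shells (`/bin/sh /bin/bash /bin/dash /bin/ksh`) and otherwise fall back to `/bin/sh`, since the `file` filter above already limited the set to shell scripts. Note also that `tr -d '#!'` deletes every `#` and `!` character in the word, not just the leading two, and `rpm -qf ... $i` is unquoted and assumes rpm exists on the image.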


@@ -0,0 +1,116 @@
#!/bin/sh
# find_sh4tmp utility
# Copyright (c) 2005 Steve Grubb. ALL RIGHTS RESERVED.
# sgrubb@redhat.com
#
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
# This script will search a directory and its subdirectories for all shell
# scripts. It will then search for the use of the tmp directory. If it finds
# this is true, it will then try to determine if mktemp or something
# reasonable was used and exclude it. It has a bug in that it does not handle
# rm -f /tmp/ or mkdir /tmp/ correctly. If you run across files that do that,
# add them to the KNOWN_BAD list to ignore them.
if [ $# -ge 2 ] ; then
echo "Usage: find_sh4tmp [directory]" 1>&2
exit 1
fi
INTERPRETERS="wish wishx tclsh guile rep itkwish expect /etc/kde/kdm/Xsession /etc/X11/xdm/Xsession /usr/bin/festival perl hfssh"
SKIP_DIRS="/opt /home /root /mnt /media /dev /proc /selinux /sys /usr/share/doc"
KNOWN_BAD="kopete_latexconvert.sh cvs2dist fixfiles mysqlbug build/scripts/package/mkspec py-compile rc.sysinit init.d/xfs diff-jars grub-install mailshar vncserver Xsession sysreport cross-build vpkg rcs-to-cvs debug_check_log cvs2vendor tmpwatch ps2epsi mkdumprd xdg-open xdg-mime xdg-email gzexe"
DIR="/"
if [ $# -eq 1 ] ; then
if [ -d "$1" ] ; then
DIR="$1"
else
echo "Option passed in was not a directory" 1>&2
exit 1
fi
fi
tempfile=`mktemp /tmp/sh4.XXXXXX`
tempfile2=`mktemp /tmp/sh4.XXXXXX`
if [ -z "$tempfile" -o -z "$tempfile2" ] ; then
echo ; echo "Unable to create tempfiles...aborting." 1>&2 ; echo
exit 1
fi
trap "rm -f $tempfile; rm -f $tempfile2; exit 2" 1 2 3 5 15
# Get executable files
#echo "Scanning shell scripts in $DIR..."
find $DIR -type f -perm /0111 -print >> $tempfile 2>/dev/null
FOUND=0
while read f
do
# Get just the shell scripts
testf=`echo $f | file -n -f - | egrep 'ourne|POSIX shell'`
if [ x"$testf" != x ] ; then
# FIXME: need to do something to get rid of echo, rm, or mkdir "/tmp/"
test_res=`cat $f 2>/dev/null | grep '\/tmp\/' | grep -v 'mktemp' | grep -v '^#'`
if [ x"$test_res" = x ] ; then
continue
fi
# Do further examination...
# First see if the script calls an interpreter
SKIP=0
for lang in $INTERPRETERS
do
if `cat "$f" | grep "exec[ \t].*$lang" >/dev/null` ; then
SKIP=1
break
fi
done
if [ $SKIP -eq 1 ] ; then
continue
fi
# See if this is in a dir we want to ignore
for d in $SKIP_DIRS
do
if `echo "$f" | grep "^\$d" >/dev/null`; then
SKIP=1
break
fi
done
if [ $SKIP -eq 1 ] ; then
continue
fi
# Don't do the known naughty files
for bad in $KNOWN_BAD
do
if `echo "$f" | grep "$bad" >/dev/null`; then
SKIP=1
break
fi
done
if [ $SKIP -eq 1 ] ; then
continue
fi
# Well its a bad one...out with it
printf "%-44s" $f
rpm -qf --queryformat "%{NAME}-%{VERSION}" $f
echo
FOUND=1
fi
done < $tempfile
rm -f $tempfile
if [ $FOUND -eq 0 ] ; then
# Nothing to report, just exit
# echo "No problems found"
rm -f $tempfile2
exit 0
fi
exit 1
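Review bot: `tempfile2` is created with `mktemp /tmp/sh4.XXXXXX`, never written to, and removed only on the no-findings path before `exit 0`, so every run that reports something leaves an empty temp file behind; drop the second mktemp and its entries in the `-z` check and `trap`, or remove it unconditionally before both exits. `printf "%-44s" $f` and `rpm -qf ... $f` split paths on whitespace; quote `"$f"`. The `KNOWN_BAD` check uses an unanchored `grep "$bad"`, so an entry such as `vncserver` also skips any path that merely contains that substring — worth a comment next to the list.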


@@ -0,0 +1,31 @@
#!/bin/sh
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
found=0
list=`rpm -qa --queryformat "%{NAME}-%{VERSION}.%{ARCH}\n" | grep '^lib' | egrep -v '\-utils\-|\-bin\-|\-tools\-|\-client\-|libreoffice|\-plugin\-'`
for p in $list
do
bin=`rpm -ql $p | egrep '^/bin|^/sbin|^/usr/bin|^/usr/sbin' | grep -v '\-config'`
if [ "x$bin" != "x" ]; then
testf=`echo $bin | /usr/bin/file -n -f - 2>/dev/null | grep ELF`
if [ x"$testf" != "x" ] ; then
found=1
echo "$p could be split into a utils package"
fi
fi
done
if [ $found = 0 ]; then
echo "No problems found"
exit 0
fi
exit 1
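Review bot: The unquoted `echo $bin` that feeds `file -n -f -` collapses the newline-separated path list from `rpm -ql` into one space-joined line, so a library package that ships more than one binary under /bin, /sbin, /usr/bin or /usr/sbin hands `file` a single nonexistent "path with spaces", the error goes to /dev/null, and the ELF test silently fails. Quote it so each path reaches `file` on its own line: `testf=\`echo "$bin" | /usr/bin/file -n -f - 2>/dev/null | grep ELF\``. The same unquoted expansion appears in `rpm -ql $p`, though names from `rpm -qa` carry no whitespace so that one is only a style point.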


@@ -0,0 +1,279 @@
#!/bin/sh
# rpm-chksec
#
# Copyright (c) 2011-2013 Steve Grubb. ALL RIGHTS RESERVED.
# sgrubb@redhat.com
#
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Given an rpm, it will look at each file to check that its compiled with
# the intended flags to make it more secure. Things that are green are OK.
# Anything in yellow could be better but is passable. Anything in red needs
# attention.
#
# If the --all option is given, it will generate a list of rpms and then
# summarize the rpm's state. For yes, then all files are in the expected
# state. Just one file not compiled with the right flags can turn the
# answer to no. Re-run passing that package (instead of --all) for the details.
#
# To save to file: ./rpm-chksec | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt
VERSION="0.5.2"
usage () {
echo "rpm-chksec [--version|--all|<rpmname>...]"
if [ ! -x /usr/bin/filecap ] ; then
echo "You need to install libcap-ng-utils to test capabilities"
fi
if [ $EUID != 0 ] ; then
echo "You might need to be root to read some files"
fi
exit 0
}
if [ "$1" = "--help" -o $# -eq 0 ] ; then
usage
fi
if [ "$1" = "--version" ] ; then
echo "rpm-chksec $VERSION"
exit 0
fi
if [ "$1" = "--all" ] ; then
MODE="all"
else
MODE="single"
fi
do_one () {
if ! rpm -q $1 >/dev/null 2>&1 ; then
if [ "$MODE" = "single" ] ; then
echo "$1 is not installed"
exit 1
else
echo "not installed"
return
fi
fi
files=`rpm -ql $1`
# Look for daemons, need this for later...
DAEMON=""
for f in $files
do
if [ ! -f "$f" ] ; then
continue
fi
if [ `echo "$f" | grep '\/etc\/rc.d\/init.d'` ] ; then
n=`basename "$f"`
t=`which "$n" 2>/dev/null`
if [ x"$t" != "x" ] ; then
DAEMON="$DAEMON $t"
continue
fi
t=`which "$n"d 2>/dev/null`
if [ x"$t" != "x" ] ; then
DAEMON="$DAEMON $t"
continue
fi
t=`cat "$f" 2>/dev/null | grep 'bin' | grep 'exit 5' | grep -v '\$'`
if [ x"$t" != "x" ] ; then
DAEMON="$DAEMON $t"
continue
fi
if [ "$MODE" = "single" ] ; then
echo "Can't find the executable in $f but daemon rules would apply"
fi
elif [ `echo "$f" | grep '\/lib\/systemd\/'` ] ; then
t=`cat "$f" | grep -i '^ExecStart=' | tr '=' ' ' | awk '{ print $2 }'`
if [ x"$t" != "x" ] ; then
DAEMON="$DAEMON $t"
continue
fi
fi
done
# Prevent garbled output when doing --all.
skip_current=0
for f in $files
do
if [ ! -f "$f" ] ; then
continue
fi
# Some packages have files with ~ in them. This avoids it.
if ! echo "$f" | grep '^/' >/dev/null ; then
continue
fi
if [ ! -r "$f" ] && [ $EUID != 0 ] ; then
if [ $MODE = "single" ] ; then
echo "Please re-test $f as the root user"
else
# Don't print results.
skip_current=1
echo "Please re-test $1 as the root user"
fi
continue
fi
if ! file "$f" | grep -qw 'ELF'; then
continue
fi
RELRO="no"
if readelf -l "$f" 2>/dev/null | grep -q 'GNU_RELRO'; then
RELRO="partial"
fi
if readelf -d "$f" 2>/dev/null | grep -q 'BIND_NOW'; then
RELRO="full"
fi
PIE="no"
if readelf -h "$f" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'; then
PIE="DSO"
if readelf -d "$f" 2>/dev/null | grep -q '(DEBUG)'; then
PIE="yes"
fi
fi
APP=""
if [ x"$DAEMON" != "x" ] ; then
for d in $DAEMON
do
if [ "$f" = "$d" ] ; then
APP="daemon"
break
fi
done
fi
if [ x"$APP" = "x" ] ; then
# See if this is a library or a setuid app
if [ `echo "$f" | grep '\/lib' | grep '\.so'` ] ; then
APP="library"
elif [ `find "$f" -perm -004000 -type f -print` ] ; then
APP="setuid"
elif [ `find "$f" -perm -002000 -type f -print` ] ; then
APP="setgid"
elif [ -x /usr/bin/filecap ] && [ `filecap "$f" 2> /dev/null | wc -w` -gt 0 ] ; then
APP="setcap"
else
syms1=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ' connect@.*GLIBC| listen@.*GLIBC| accept@.*GLIBC|accept4@.*GLIBC'`
syms2=`/usr/bin/readelf -s "$f" 2>/dev/null | egrep ' getaddrinfo@.*GLIBC| getnameinfo@.*GLIBC| getservent@.*GLIBC| getservbyname@.*GLIBC| getservbyport@.*GLIBC|gethostbyname@.*GLIBC| gethostbyname2@.*GLIBC| gethostbyaddr@.*GLIBC| gethostbyaddr2@.*GLIBC'`
if [ x"$syms1" != "x" ] ; then
if [ x"$syms2" != "x" ] ; then
APP="network-ip"
else
APP="network-local"
fi
fi
fi
fi
if [ x"$APP" = "x" ] ; then
APP="exec"
fi
# OK, ready for the output
if [ "$MODE" = "single" ] ; then
printf "%-56s %-10s " "$f" $APP
if [ "$APP" = "daemon" -o "$APP" = "setuid" -o "$APP" = "setgid" -o "$APP" = "setcap" -o "$APP" = "network-ip" -o "$APP" = "network-local" ] ; then
if [ "$RELRO" = "full" ] ; then
printf "\033[32m%-7s\033[m " $RELRO
elif [ "$RELRO" = "partial" ] ; then
printf "\033[33m%-7s\033[m " $RELRO
else
printf "\033[31m%-7s\033[m " $RELRO
fi
if [ "$PIE" = "yes" ] ; then
printf "\033[32m%-4s\033[m" $PIE
else
printf "\033[31m%-4s\033[m" $PIE
fi
elif [ "$APP" = "library" ] ; then
if [ "$RELRO" = "full" -o "$RELRO" = "partial" ] ; then
printf "\033[32m%-7s\033[m " $RELRO
else
printf "\033[31m%-7s\033[m " $RELRO
fi
printf "\033[32m%-4s\033[m" $PIE
else
# $APP = exec - we want partial relro
if [ "$RELRO" = "no" ] ; then
printf "\033[31m%-7s\033[m " $RELRO
else
printf "\033[32m%-7s\033[m " $RELRO
fi
printf "\033[32m%-4s\033[m" $PIE
fi
echo
else
if [ "$APP" = "daemon" -o "$APP" = "setuid" -o "$APP" = "setgid" -o "$APP" = "setcap" -o "$APP" = "network-ip" -o "$APP" = "network-local" ] ; then
if [ "$RELRO" = "no" ] ; then
RELRO_SUM="no"
APP_SUM="$APP"
fi
if [ "$PIE" = "no" ] ; then
PIE_SUM="no"
APP_SUM="$APP"
fi
elif [ "$APP" = "library" ] ; then
if [ "$RELRO" = "no" ] ; then
RELRO_SUM="no"
APP_SUM="$APP"
fi
# $APP = exec - must have partial or full relro
elif [ "$RELRO" = "no" ] ; then
RELRO_SUM="no"
APP_SUM="$APP"
fi
fi
done
}
if [ "$MODE" = "single" ] ; then
printf "%-56s %-10s %-7s %-4s" "FILE" "TYPE" "RELRO" "PIE"
echo
for i; do
f=$(basename $1)
# Strip the .rpm extension, if present.
do_one ${f%%.rpm}
shift
done
exit 0
fi
# Skip the kernel as its special
packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | egrep -v 'kernel.|debuginfo.|.noarch|gpg-pubkey' | sort`
printf "%-50s %-5s %-4s %-14s" "PACKAGE" "RELRO" "PIE" "CLASS"
echo
for p in $packages
do
RELRO_SUM="yes"
PIE_SUM="yes"
APP_SUM=""
printf "%-50s " $p
do_one $p
if [[ $skip_current -eq 1 ]] ; then
continue
fi
if [ "$RELRO_SUM" = "yes" ] ; then
printf "\033[32m%-5s\033[m " "$RELRO_SUM"
else
printf "\033[31m%-5s\033[m " "$RELRO_SUM"
fi
if [ "$PIE_SUM" = "yes" ] ; then
printf "\033[32m%-4s\033[m" "$PIE_SUM"
if [ "$RELRO_SUM" = "no" ] ; then
printf " %-14s" "$APP_SUM"
fi
else
if [ "$APP_SUM" = "network-local" ] ; then
printf "\033[33m%-4s\033[m %-14s" "$PIE_SUM" "$APP_SUM"
else
printf "\033[31m%-4s\033[m %-14s" "$PIE_SUM" "$APP_SUM"
fi
fi
echo
done
exit 0
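Review bot: The RELRO classification in `do_one` marks a binary `full` whenever `readelf -d` shows `BIND_NOW`, without requiring the `GNU_RELRO` segment tested two lines earlier, so an object linked with `-z now` but without `-z relro` is printed green as full RELRO although its GOT stays writable. Make the second test depend on the first: `if [ "$RELRO" = "partial" ] && readelf -d "$f" 2>/dev/null | grep -q 'BIND_NOW'; then`. Separately, the script runs under `#!/bin/sh` but relies on bash: `$EUID` in `usage` and in the readability test is empty under dash or busybox ash, leaving `[ != 0 ]`, and `[[ $skip_current -eq 1 ]]` in the --all loop is bash syntax; use `$(id -u)` and a single-bracket test, or change the shebang to bash.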


@@ -0,0 +1,131 @@
#!/bin/sh
# rpm-drop-groups
#
# Copyright (c) 2011 Steve Grubb. ALL RIGHTS RESERVED.
# sgrubb@redhat.com
#
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
# Given an rpm, it will look at each file to check if it tries to change
# group and user credentials. If so, it further tries to determine if
# it also calls setgroups or initgroups. To correctly change groups, the
# program must drop supplemntal groups. Programs are classified into: n/a
# meaning no group dropping occurs, yes its done correctly, and no meaning
# there seems to be a problem.
#
# If the --all option is given, it will generate a list of rpms and then
# summarize the rpm's state. For yes, then all files are in the expected
# state. Just one program failing can turn the package's summary to no.
# Re-run passing that package (instead of --all) for the details.
#
# To save to file: ./rpm-drop-groups | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" | tee output.txt
VERSION="0.1"
usage () {
echo "rpm-drop-groups [--all|<rpmname>|--version]"
exit 0
}
if [ "$1" = "--help" -o $# -eq 0 ] ; then
usage
fi
if [ "$1" = "--version" ] ; then
echo "rpm-drop-groups $VERSION"
exit 0
fi
if [ "$1" = "--all" ] ; then
MODE="all"
else
MODE="single"
fi
do_one () {
if ! rpm -q $1 >/dev/null 2>&1 ; then
if [ "$MODE" = "single" ] ; then
echo "$1 is not installed"
exit 1
else
echo "not installed"
return
fi
fi
files=`rpm -ql $1`
for f in $files
do
if [ ! -f $f ] ; then
continue
fi
if ! file $f | grep -q 'ELF'; then
continue
fi
CORRECT="n/a"
syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgid@.*GLIBC| setegid@.*GLIBC| setresgid@.*GLIBC'`
if [ x"$syms" != "x" ] ; then
CORRECT="yes"
syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setuid@.*GLIBC| seteuid@.*GLIBC| setresuid@.*GLIBC'`
if [ x"$syms" != "x" ] ; then
syms=`/usr/bin/readelf -s $f 2>/dev/null | egrep ' setgroups@.*GLIBC| initgroups@.*GLIBC'`
if [ x"$syms" = "x" ] ; then
syms=`find $f \( -perm -004000 -o -perm -002000 \) -type f -print`
if [ x"$syms" = "x" ] ; then
CORRECT="no"
fi
fi
fi
fi
# OK, ready for the output
if [ "$MODE" = "single" ] ; then
printf "%-60s " $f
if [ "$CORRECT" = "yes" ] ; then
printf "\033[32m%-7s\033[m " $CORRECT
elif [ "$CORRECT" = "no" ] ; then
printf "\033[31m%-7s\033[m " $CORRECT
else
printf "\033[33m%-7s\033[m " $CORRECT
fi
echo
else
if [ "$CORRECT" = "no" ] ; then
CORRECT_SUM="no"
fi
fi
done
}
if [ "$MODE" = "single" ] ; then
printf "%-60s%-7s" "FILE" "CORRECT"
echo
for i; do
do_one $1
shift
done
exit 0
fi
packages=`rpm -qa --queryformat "%{NAME}.%{ARCH}\n" | sort`
printf "%-50s %-7s" "PACKAGE" "CORRECT"
echo
for p in $packages
do
CORRECT_SUM="yes"
printf "%-50s " $p
do_one $p
if [ "$CORRECT_SUM" = "yes" ] ; then
printf "\033[32m%-7s\033[m " $CORRECT_SUM
else
printf "\033[31m%-7s\033[m " $CORRECT_SUM
fi
echo
done
exit 0
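Review bot: Every use of `$f` inside `do_one` is unquoted — `[ ! -f $f ]`, `file $f`, the three `readelf -s $f` calls and `find $f` — so a packaged path containing whitespace or glob characters is split or expanded before the check runs and the file is skipped or misreported; quote them as the rpm-chksec script does (`"$f"`). The classification is also a symbol-presence heuristic: seeing `setgroups`/`initgroups` in the symbol table says nothing about whether it is called before the uid change, and a program that imports the set*gid family but never set*uid is reported `yes` because `CORRECT` is only downgraded inside the setuid branch. That limitation belongs in the header comment, e.g. `# Note: only checks which glibc symbols a binary imports, not call order or whether the calls succeed.`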


@@ -0,0 +1,12 @@
#!/bin/sh
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
find /dev -context *:device_t:* \( -type c -o -type b \) -printf "%p %Z\n"
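Review bot: The `-context` pattern `*:device_t:*` is an unquoted glob, so if the working directory happens to contain a name matching it the shell expands it before `find` sees it and the scan runs against the wrong pattern with no error; quote it: `find /dev -context '*:device_t:*' \( -type c -o -type b \) -printf "%p %Z\n"`. `-context` and `%Z` are GNU find extensions available only in a build with SELinux support, so on an image whose `find` lacks them the script fails outright, which is worth a comment at the top.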


@@ -0,0 +1,19 @@
#!/bin/sh
# This software may be freely redistributed under the terms of the GNU
# public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
# This checks for unconfined apps running, initrc and inetd are signs
# of missing transitions.
pidof xinetd >/dev/null
if [ $? -eq 0 ] ; then
ps -eZ | egrep "initrc|inetd" | egrep -v `pidof xinetd` | tr ':' ' ' | awk '{ printf "%s %s\n", $3, $NF }'
else
ps -eZ | egrep "initrc" | tr ':' ' ' | awk '{ printf "%s %s\n", $3, $NF }'
fi
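Review bot: The `egrep -v \`pidof xinetd\`` in the first branch passes the pid list unquoted, so when more than one xinetd process exists the second pid becomes a filename argument to egrep and the pipeline prints nothing useful; `pidof` is also run a second time here, so the pid set filtered can differ from the one tested on the `if` line. Capture it once and exclude whole words only: `xpids=$(pidof xinetd | tr ' ' '|')`, test `[ -n "$xpids" ]` instead of re-running `pidof`, and filter with `egrep -vw "$xpids"` so a pid is not also dropped when it appears as a substring of another column.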


@@ -0,0 +1,38 @@
DESCRIPTION = "Tools used by redhat linux distribution for security checks"
SECTION = "security"
LICENSE = "GPLv2"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
PR = "r0"
SRC_URI = "file://find-chroot-py.sh \
file://find-chroot.sh \
file://find-elf4tmp.sh \
file://find-execstack.sh \
file://find-hidden-exec.sh \
file://find-nodrop-groups.sh \
file://find-sh4errors.sh \
file://find-sh4tmp.sh \
file://lib-bin-check.sh \
file://rpm-chksec.sh \
file://rpm-drop-groups.sh \
file://selinux-check-devices.sh \
file://selinux-ls-unconfined.sh"
S = "${WORKDIR}"
do_install() {
install -d ${D}${bindir}
install -m 0755 ${WORKDIR}/find-chroot-py.sh ${D}${bindir}
install -m 0755 ${WORKDIR}/find-chroot.sh ${D}${bindir}
install -m 0755 ${WORKDIR}/find-elf4tmp.sh ${D}${bindir}
install -m 0755 ${WORKDIR}/find-execstack.sh ${D}${bindir}
install -m 0755 ${WORKDIR}/find-hidden-exec.sh ${D}${bindir}
install -m 0755 ${WORKDIR}/find-nodrop-groups.sh ${D}${bindir}
install -m 0755 ${WORKDIR}/find-sh4errors.sh ${D}${bindir}
install -m 0755 ${WORKDIR}/find-sh4tmp.sh ${D}${bindir}
install -m 0755 ${WORKDIR}/lib-bin-check.sh ${D}${bindir}
install -m 0755 ${WORKDIR}/rpm-chksec.sh ${D}${bindir}
install -m 0755 ${WORKDIR}/rpm-drop-groups.sh ${D}${bindir}
install -m 0755 ${WORKDIR}/selinux-check-devices.sh ${D}${bindir}
install -m 0755 ${WORKDIR}/selinux-ls-unconfined.sh ${D}${bindir}
}