samhain: update to 4.2.2

* update to version 4.2.2
* Add new recipe for standalone mode
* Add systemd support
* Add patches to fix several issues
* samhain-standalone: add ptest support
* samhain-server: no need to depend on samhain-server-native
* Move common things from the bb to the inc file

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Jackie Huang
2017-08-14 08:56:26 +08:00
committed by Armin Kuster
parent 25b8f02eea
commit 9949776684
17 changed files with 761 additions and 81 deletions
+3
@@ -0,0 +1,3 @@
#!/bin/sh
current_dir=$(dirname $(readlink -f $0))
$current_dir/cutest
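Review bot: Both expansions in this script are unquoted, so it breaks as soon as the ptest install path contains whitespace or glob characters. Quoting fixes that: `current_dir=$(dirname "$(readlink -f "$0")")` followed by `"$current_dir/cutest"`. ptest result collection conventionally expects `PASS:`/`FAIL:` lines on stdout; whether `cutest` prints that format is not visible here, so the output may need a small translation step.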
@@ -0,0 +1,108 @@
From 02a143f0068cbc6cea71359169210fbb3606d4bb Mon Sep 17 00:00:00 2001
From: Jackie Huang <jackie.huang@windriver.com>
Date: Mon, 18 Jan 2016 00:24:57 -0500
Subject: [PATCH] configure: add option for ps
The configure searches hardcoded host paths for PSPATH
and run ps commands to decide PSARG which will fail
on host without ps:
| configure: error: Cannot find ps in any of /usr/ucb /bin /usr/bin
So add an option so we can specify the ps at configure
to avoid host contamination.
Upstream-Status: Inappropriate [cross compile specific]
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
aclocal.m4 | 2 +-
configure.ac | 60 ++++++++++--------------------------------------------------
2 files changed, 11 insertions(+), 51 deletions(-)
diff --git a/aclocal.m4 b/aclocal.m4
index a2e59a6..cd20a2f 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -409,7 +409,7 @@ x_includes=NONE
x_libraries=NONE
DESTDIR=
SH_ENABLE_OPTS="selinux posix-acl asm ssp db-reload xml-log message-queue login-watch process-check port-check mounts-check logfile-monitor userfiles debug ptrace static network udp nocl stealth micro-stealth install-name identity khide suidcheck base largefile mail external-scripts encrypt srp dnmalloc ipv6 shellexpand suid"
-SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file"
+SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file ps-path"
# Installation directory options.
# These are left unexpanded so users can "make install exec_prefix=/foo"
diff --git a/configure.ac b/configure.ac
index 5910b1f..8c3e087 100644
--- a/configure.ac
+++ b/configure.ac
@@ -730,56 +730,16 @@ then
fi
AC_CHECK_HEADERS(gmp.h)
-AC_MSG_CHECKING([for ps])
-PS=
-for ff in /usr/ucb /bin /usr/bin; do
- if test -x "$ff/ps"; then
- PS="$ff/ps"
- AC_MSG_RESULT([$PS])
- break
- fi
-done
-if test x$PS = x
-then
- AC_MSG_RESULT([no])
- AC_MSG_ERROR([Cannot find ps in any of /usr/ucb /bin /usr/bin])
-fi
-AC_DEFINE_UNQUOTED([PSPATH], _("$PS"), [Path to ps])
-
-AC_MSG_CHECKING([how to use ps])
-$PS ax >/dev/null 2>&1
-if test $? -eq 0; then
- case "$host_os" in
- *openbsd*)
- one=`$PS akx | wc -l`
- ;;
- *)
- one=`$PS ax | wc -l`
- ;;
- esac
-else
- one=0
-fi
-$PS -e >/dev/null 2>&1
-if test $? -eq 0; then
- two=`$PS -e | wc -l`
-else
- two=0
-fi
-if test $one -ge $two
-then
- case "$host_os" in
- *openbsd*)
- PSARG="akx"
- ;;
- *)
- PSARG="ax"
- ;;
- esac
-else
- PSARG="-e"
-fi
-AC_DEFINE_UNQUOTED([PSARG], _("$PSARG"), [Argument for ps])
+AC_ARG_WITH(ps-path,
+ [ --with-ps-path=PATH set path to ps command ],
+ [
+ if test "x${withval}" != xno; then
+ pspath="${withval}"
+ AC_DEFINE_UNQUOTED([PSPATH], _("${pspath}"), [Path to ps])
+ AC_DEFINE_UNQUOTED([PSARG], _("ax"), [Argument for ps])
+ fi
+ ])
+
AC_MSG_RESULT([$PS $PSARG])
dnl *****************************************
--
1.9.1
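Review bot: When configure runs without `--with-ps-path` (or with `--without-ps-path`), the new `AC_ARG_WITH` block defines neither `PSPATH` nor `PSARG`, whereas the removed code either found ps or stopped with `AC_MSG_ERROR`. Code that uses those macros (process-check is listed in `SH_ENABLE_OPTS`) would then presumably fail at compile time instead of at configure time, so the fourth argument of `AC_ARG_WITH` should carry something like `AC_MSG_ERROR([--with-ps-path=PATH is required])` or a documented default. The surviving `AC_MSG_RESULT([$PS $PSARG])` no longer has a matching `AC_MSG_CHECKING` and prints variables that are never set; drop it or report `${pspath} ax`. Since samhain executes this binary, rejecting a `withval` that is not an absolute path would also be reasonable.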
@@ -0,0 +1,51 @@
From f63908427b2adb1792c59edbe38618e14ef5bc7b Mon Sep 17 00:00:00 2001
From: Jackie Huang <jackie.huang@windriver.com>
Date: Fri, 15 Jan 2016 00:48:58 -0500
Subject: [PATCH] Enable obfuscating binaries natively.
Enable obfuscating binaries natively.
The samhain build process involves an obfuscation step that attempts to
defeat decompilation or other binary analysis techniques which might reveal
secret information that should be known only to the system administrator.
The obfuscation step builds several applications which run on the build host
and then generate target code, which is then built into target binaries.
This patch creates a basic infrastructure that supports building the
obfuscation binaries natively then cross-compiling the target code by adding
a special configure option. In the absence of this option the old behaviour
is preserved.
Upstream-Status: Inappropriate [cross compile specific]
Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
Makefile.in | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index 684e92b..fb090e2 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -54,7 +54,7 @@ selectconfig = @selectconfig@
top_builddir = .
INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL@ -s -m 700
+INSTALL_PROGRAM = @INSTALL@ -m 700
INSTALL_SHELL = @INSTALL@ -m 700
INSTALL_DATA = @INSTALL@ -m 600
INSTALL_MAN = @INSTALL@ -m 644
@@ -525,8 +525,6 @@ install-program: $(PROGRAMS) sstrip
echo " $(INSTALL_PROGRAM) $$p $$target"; \
$(INSTALL_PROGRAM) $$p $$target; \
chmod 0700 $$target; \
- echo " ./sstrip $$target"; \
- ./sstrip $$target; \
else \
echo " $(INSTALL_SHELL) $$p $$target"; \
$(INSTALL_SHELL) $$p $$target; \
--
1.9.1
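Review bot: The patch description does not match the diff: it describes building the obfuscation helpers natively behind a new configure option, but the only changes are dropping `-s` from `INSTALL_PROGRAM` and removing the `./sstrip $$target` call. The header should say that stripping at install time is disabled, and why (presumably so that a build-host strip is not run on target binaries). The `install-program` rule named in the second hunk header still lists `sstrip` as a prerequisite, so the helper is apparently still built although nothing invokes it; the rule's start lies outside the hunk, so confirm and drop the prerequisite if that is the case.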
@@ -0,0 +1,44 @@
commit 0f6bdc219e598de08a3f37887efa5dfa50e2b996
Author: Aws Ismail <aws.ismail@windriver.com>
Date: Fri Jun 22 15:47:08 2012 -0400
Hash fix for MIPS64 and AARCH64
Samhain uses the addresses of local variables in generating hash
values. The hashing function is designed only for 32-bit values.
For MIPS64 when a 64-bit address is passed in the resulting hash
exceeds the limits of the underlying mechanism and samhain
ultimately fails. The solution is to simply take the lower
32-bits of the address and use that in generating hash values.
Signed-off-by: Greg Moffatt <greg.moffatt@windriver.com>
Upstream-Status: Pending
Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
diff --git a/src/dnmalloc.c b/src/dnmalloc.c
index da9a5c5..fc91400 100644
--- a/src/dnmalloc.c
+++ b/src/dnmalloc.c
@@ -2703,11 +2703,19 @@ static void freecilst_add(chunkinfoptr p) {
}
/* Calculate the hash table entry for a chunk */
+#if defined(CONFIG_ARCH_MIPS64) || defined(CONFIG_ARCH_AARCH64)
+#ifdef STARTHEAP_IS_ZERO
+#define hash(p) ((((unsigned long) p) & 0x7fffffff) >> 7)
+#else
+#define hash(p) ((((unsigned long) p - (unsigned long) startheap) & 0x7fffffff) >> 7)
+#endif
+#else
#ifdef STARTHEAP_IS_ZERO
#define hash(p) (((unsigned long) p) >> 7)
#else
#define hash(p) (((unsigned long) p - (unsigned long) startheap) >> 7)
#endif
+#endif /* CONFIG_ARCH_MIPS64 */
static void
hashtable_add (chunkinfoptr ci)
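Review bot: The new branch is selected by `CONFIG_ARCH_MIPS64` / `CONFIG_ARCH_AARCH64`, and nothing on this page defines those macros; if the recipe or configure does not pass them, the fix is silently compiled out. Compiler-provided macros need no build-system help, e.g. `#if defined(__mips64) || defined(__aarch64__)`. The mask `0x7fffffff` keeps 31 bits while the description says the lower 32 bits are used, and the closing `#endif /* CONFIG_ARCH_MIPS64 */` comment names only one of the two conditions. A one-line comment stating why the value must be bounded, and why other 64-bit targets do not need it, would help the next reader.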
@@ -0,0 +1,24 @@
not run test on host, since we are doing cross-compile
Upstream-status: Inappropriate [cross compile specific]
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
Makefile.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/Makefile.in b/Makefile.in
index e1b32a8..74bfdc9 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1234,7 +1234,6 @@ intcutest: internal.h $(OBJECTS) $(CUTEST_OBJECTS) sh_tiger_i.o $(srcsrc)/CuTest
rm x_samhain.c; \
$(LINK) sh_tiger_i.o $(CUTEST_OBJECTS) CuTestMain.o CuTest.o $(OBJECTS) $(LIBS_TRY); \
test -f ./intcutest && mv ./intcutest ./cutest; \
- ./cutest
runcutest:
gdb ./cutest
--
1.7.10.4
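Review bot: Deleting `./cutest` leaves `test -f ./intcutest && mv ./intcutest ./cutest; \` as the last recipe line, so the trailing `; \` now continues into whatever follows and the recipe's exit status becomes that of the `test ... && mv` list. If `./intcutest` is ever absent (for example because the link step already wrote `./cutest`), the target would fail even though the binary was built. Ending the recipe with `if test -f ./intcutest; then mv ./intcutest ./cutest; fi` and no continuation avoids both. The start of the `intcutest` rule is outside the hunk.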
@@ -0,0 +1,27 @@
commit a932b03b65edeb02ccad2fce06bfa68a8f2fbb04
Author: Aws Ismail <aws.ismail@windriver.com>
Date: Thu Jan 10 16:29:05 2013 -0500
Set the PID Lock path for samhain.pid
The explicit path for samhain.pid inorder
for samhain to work properly after it initial
database build.
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
diff --git a/samhainrc.linux b/samhainrc.linux
index 10a8176..a7b06e6 100644
--- a/samhainrc.linux
+++ b/samhainrc.linux
@@ -639,7 +639,7 @@ SetFileCheckTime = 86400
## Path to the PID file
#
-# SetLockfilePath = (default: compiled-in)
+SetLockfilePath = /run/samhain.pid
## The digest/checksum/hash algorithm
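Review bot: `SetLockfilePath = /run/samhain.pid` is a third spelling of the PID path in this commit: the recipe configures `--with-pid-file=${localstatedir}/run/samhain.pid` and the init script sets `PIDFILE=/var/run/samhain.pid`. They agree only while `/var/run` resolves to `/run`. A comment on this line such as `# must match PIDFILE in the init script and --with-pid-file in the recipe` would keep the three from drifting apart.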
@@ -0,0 +1,61 @@
From 00fb527e45da42550156197647e01de9a6b1ad52 Mon Sep 17 00:00:00 2001
From: Wenzong Fan <wenzong.fan@windriver.com>
Date: Mon, 3 Mar 2014 01:50:01 -0500
Subject: [PATCH] fix real path for some files/dirs
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
---
samhainrc.linux | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/samhainrc.linux b/samhainrc.linux
index e9727b4..7775d83 100644
--- a/samhainrc.linux
+++ b/samhainrc.linux
@@ -93,7 +93,6 @@ dir = 99/etc
##
file = /etc/mtab
file = /etc/fstab
-file = /etc/adjtime
file = /etc/motd
file = /etc/lvm/lvm.conf
@@ -153,11 +152,11 @@ dir = 99/var
[IgnoreAll]
dir = -1/var/cache
-dir = -1/var/lock
-dir = -1/var/mail
-dir = -1/var/run
+dir = -1/run/lock
+dir = -1/var/spool/mail
+dir = -1/run
dir = -1/var/spool
-dir = -1/var/tmp
+dir = -1/var/volatile/tmp
[Attributes]
@@ -167,7 +166,7 @@ dir = -1/var/tmp
file = /var/lib/rpm/__db.00?
file = /var/lib/logrotate.status
-file = /var/lib/random-seed
+file = /var/lib/urandom/random-seed
[GrowingLogFiles]
@@ -176,7 +175,7 @@ file = /var/lib/random-seed
## are ignored. Logfile rotation will cause a report because of shrinking
## size and different inode.
##
-dir = 99/var/log
+dir = 99/var/volatile/log
[Attributes]
#
--
1.7.9.5
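Review bot: In `[IgnoreAll]`, the new `dir = -1/var/spool/mail` appears redundant next to the unchanged `dir = -1/var/spool`, which already excludes the parent directory. The `/var/volatile/tmp` and `/var/volatile/log` entries hard-code one volatile layout; on an image where `/var/log` is persistent, the real log directory would presumably fall back under the `dir = 99/var` policy shown in the hunk context and be reported on every log write. A short comment above each rewritten path naming the link it resolves (for example `# /var/log -> /var/volatile/log`) would make that assumption visible, and the patch has no description beyond its subject line.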
@@ -0,0 +1,158 @@
commit 4c6658441eb3ffc4e51ed70f78cbdab046957580
Author: Aws Ismail <aws.ismail@windriver.com>
Date: Fri Jun 22 16:38:20 2012 -0400
Make samhainrc OE-friendly.
Patch the samhainrc that will be installed
as part of the 'make install' step to more
accurately reflect what will be found, and
what will be of concern, on a OE install.
Upstream-Status: Inappropriate [configuration]
Signed-off-by: Aws Ismail <aws.ismail@windriver.com>
diff --git a/samhainrc.linux b/samhainrc.linux
index 9bc5ca4..10a8176 100644
--- a/samhainrc.linux
+++ b/samhainrc.linux
@@ -74,7 +74,6 @@ dir = 0/
[Attributes]
file = /tmp
file = /dev
-file = /media
file = /proc
file = /sys
@@ -93,19 +92,10 @@ dir = 99/etc
## check permission and ownership
##
file = /etc/mtab
+file = /etc/fstab
file = /etc/adjtime
file = /etc/motd
-file = /etc/lvm/.cache
-
-# On Ubuntu, these are in /var/lib rather than /etc
-file = /etc/cups/certs
-file = /etc/cups/certs/0
-
-# managed by fstab-sync on Fedora Core
-file = /etc/fstab
-
-# modified when booting
-file = /etc/sysconfig/hwconf
+file = /etc/lvm/lvm.conf
# There are files in /etc that might change, thus changing the directory
# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
@@ -147,10 +137,6 @@ dir = 99/dev
##
dir = -1/dev/pts
-# dir = -1/dev/.udevdb
-
-file = /dev/ppp
-
#
# --------- /usr -----------
#
@@ -167,50 +153,21 @@ dir = 99/var
[IgnoreAll]
dir = -1/var/cache
-dir = -1/var/backups
-dir = -1/var/games
-dir = -1/var/gdm
dir = -1/var/lock
dir = -1/var/mail
dir = -1/var/run
dir = -1/var/spool
dir = -1/var/tmp
-dir = -1/var/lib/texmf
-dir = -1/var/lib/scrollkeeper
[Attributes]
-dir = /var/lib/nfs
-dir = /var/lib/pcmcia
-
# /var/lib/rpm changes if packets are installed;
# /var/lib/rpm/__db.00[123] even more frequently
file = /var/lib/rpm/__db.00?
-file = /var/lib/acpi-support/vbestate
-file = /var/lib/alsa/asound.state
-file = /var/lib/apt/lists/lock
-file = /var/lib/apt/lists/partial
-file = /var/lib/cups/certs
-file = /var/lib/cups/certs/0
-file = /var/lib/dpkg/lock
-file = /var/lib/gdm
-file = /var/lib/gdm/.cookie
-file = /var/lib/gdm/.gdmfifo
-file = /var/lib/gdm/:0.Xauth
-file = /var/lib/gdm/:0.Xservers
-file = /var/lib/logrotate/status
-file = /var/lib/mysql
-file = /var/lib/mysql/ib_logfile0
-file = /var/lib/mysql/ibdata1
-file = /var/lib/slocate
-file = /var/lib/slocate/slocate.db
-file = /var/lib/slocate/slocate.db.tmp
-file = /var/lib/urandom
-file = /var/lib/urandom/random-seed
+file = /var/lib/logrotate.status
file = /var/lib/random-seed
-file = /var/lib/xkb
[GrowingLogFiles]
@@ -325,7 +282,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp
## Console
##
-# PrintSeverity=info
+PrintSeverity=warn
## Logfile
##
@@ -333,7 +290,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp
## Syslog
##
-# SyslogSeverity=none
+SyslogSeverity=info
## Remote server (yule)
##
@@ -556,7 +513,8 @@ ChecksumTest=check
## and I/O limit (kilobytes per second; 0 == off)
## to reduce load on host.
#
-# SetNiceLevel = 0
+# By default we configure samhain to be nice with everything else on the system
+SetNiceLevel = 10
# SetIOLimit = 0
## The version string to embed in file signature databases
@@ -565,13 +523,14 @@ ChecksumTest=check
## Interval between time stamp messages
#
-# SetLoopTime = 60
-SetLoopTime = 600
+# Log a timestamp every hour
+SetLoopTime = 3600
## Interval between file checks
#
# SetFileCheckTime = 600
-SetFileCheckTime = 7200
+# One file system check per day
+SetFileCheckTime = 86400
## Alternative: crontab-like schedule
#
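Review bot: `SetFileCheckTime = 86400` stretches the gap between a file change and its report to as much as a day (the previous value was 7200), and the added comment does not mention that trade-off. Suggested wording: `# One file system check per day; lower this where faster tamper detection matters more than I/O load`. The hunk headers also still show `IgnoreMissing = /var/lib/slocate/slocate.db.tmp` further down the file although this patch removes the slocate entries from `[Attributes]`, so the IgnoreMissing list probably needs the same pruning; those lines are outside the visible hunks.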
@@ -0,0 +1,22 @@
samhain: fix sha256 for big-endian machines
After computing the digest, big-endian machines would
memset() the digest to the first byte of state instead
of using memcpy() to transfer it.
Upstream-Status: Pending
Signed-off-by: Joe Slater <jslater@windriver.com>
--- a/src/sh_checksum.c
+++ b/src/sh_checksum.c
@@ -468,7 +468,7 @@ void SHA256_Final(sha2_byte digest[], SH
}
}
#else
- memset(d, context->state, SHA256_DIGEST_LENGTH);
+ memcpy(d, context->state, SHA256_DIGEST_LENGTH);
/* bcopy(context->state, d, SHA256_DIGEST_LENGTH); */
#endif
}
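Review bot: The patch header should say what this means for existing installs: with the old `memset`, a big-endian build never copied the hash state into `d`, so any baseline database written with SHA-256 selected holds digests the corrected code will not reproduce. Such targets presumably need the database re-initialised after the upgrade, or every file will be reported as modified. The commented-out `bcopy` line under the fix can be removed, and a known-answer SHA-256 case in the cutest suite would keep this from regressing; whether one exists is not visible here.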
@@ -0,0 +1,3 @@
# Set this to "yes" to start the server, after you configure it, of
# course.
SAMHAIN_STANDALONE_START="no"
@@ -0,0 +1,123 @@
#!/bin/sh
# chkconfig: 2345 99 10
# description: File Integrity Checking Daemon
#
# processname: samhain
# config : /etc/samhainrc
# logfile : /var/log/samhain_log
# database: /var/lib/samhain/samhain_file
#
NAME=samhain
DAEMON=/usr/sbin/samhain
RETVAL=0
VERBOSE=yes
PIDFILE=/var/run/samhain.pid
. /etc/default/samhain-standalone
if [ "x$SAMHAIN_STANDALONE_START" != "xyes" ]; then
echo "${0}: samhain disabled in /etc/default/samhain-standalone"
exit 0
fi
if [ -x $DAEMON ]; then
:
else
echo "${0}: executable ${DAEMON} not found"
exit 1
fi
if [ ! -e /var/lib/samhain/samhain_file ]; then
echo "${0}: /var/lib/samhain/samhain_file does not exist. You must"
echo " run 'samhain -t init' before samhian can start."
exit 1
fi
samhain_done()
{
if [ $RETVAL -eq 0 ]; then
echo "."
else
echo " failed."
fi
}
log_stat_msg () {
case "$1" in
0)
echo "Service $NAME: Running";
;;
1)
echo "Service $NAME: Stopped and /var/run pid file exists";
;;
3)
echo "Service $NAME: Stopped";
;;
*)
echo "Service $NAME: Status unknown";
;;
esac
}
case "$1" in
start)
#
# Remove a stale PID file, if found
#
if test -f ${PIDFILE}; then
/bin/rm -f ${PIDFILE}
fi
echo -n "Starting ${NAME}"
( /sbin/start-stop-daemon --start --quiet --exec $DAEMON )
RETVAL=$?
samhain_done
exit $RETVAL
;;
stop)
echo -n "Stopping $NAME"
( /sbin/start-stop-daemon --stop --quiet --exec $DAEMON )
RETVAL=$?
samhain_done
#
# Remove a stale PID file, if found
#
if test -f ${PIDFILE}; then
/bin/rm -f ${PIDFILE}
fi
if test -S /var/run/${NAME}.sock; then
/bin/rm -f /var/run/${NAME}.sock
fi
;;
restart)
$0 stop
sleep 3
$0 start
RETVAL=$?
;;
reload|force-reload)
echo -n "Reloading $NAME configuration files"
( /sbin/start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON )
RETVAL=$?
samhain_done
;;
status)
if pidof -o %PPID $DAEMON > /dev/null; then
echo "Samhain running"
RETVAL=0
else
echo "Samhain not running"
RETVAL=1
fi
;;
*)
echo "$0 usage: {start|stop|status|restart|reload}"
exit 1
;;
esac
exit $RETVAL
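Review bot: The `start)` branch removes `${PIDFILE}` whenever the file exists, without checking that the process it names is gone, so running `start` against a live daemon deletes the pid file of the running instance. Guard it with the same test `status)` uses, e.g. `if test -f "${PIDFILE}" && ! pidof -o %PPID "$DAEMON" >/dev/null; then`. Smaller items: `log_stat_msg` is defined but never called, the message on the `samhain -t init` line misspells the name as `samhian`, and `echo -n` is not portable under `#!/bin/sh` (`printf '%s' "Starting ${NAME}"` is).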
@@ -0,0 +1,12 @@
[Unit]
Description=Samhain @MODE_NAME@ Daemon
After=syslog.target network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=@LIBDIR@/@SAMHAIN_HELPER@ start
ExecStop=@LIBDIR@/@SAMHAIN_HELPER@ stop
[Install]
WantedBy=multi-user.target
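Review bot: With `Type=oneshot` and `RemainAfterExit=yes`, systemd marks the unit active once the helper script returns and does not track the samhain process afterwards. The standalone helper on this page exits 0 when `SAMHAIN_STANDALONE_START` is not `yes` (the shipped default is `no`), so `systemctl start` can report success while no integrity checker is running, and a daemon that later exits goes unnoticed by systemd. If samhain daemonises and writes its pid file as the init script assumes, `Type=forking` with `PIDFile=/run/samhain.pid` would let systemd supervise it; that needs confirming against how the binary is started.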
@@ -1,4 +1,3 @@
SAMHAIN_MODE="client"
INITSCRIPT_PARAMS = "defaults 15 85" INITSCRIPT_PARAMS = "defaults 15 85"
require samhain.inc require samhain.inc
@@ -7,9 +6,6 @@ require samhain.inc
EXTRA_OECONF += " \ EXTRA_OECONF += " \
--with-logserver=${SAMHAIN_SERVER} \ --with-logserver=${SAMHAIN_SERVER} \
--with-port=${SAMHAIN_PORT} \ --with-port=${SAMHAIN_PORT} \
--with-config-file=/etc/samhainrc \
--with-data-file=/var/samhain/samhain.data \
--with-pid-file=/var/samhain/samhain.pid \
" "
RDEPENDS_${PN} = "acl zlib attr bash" RDEPENDS_${PN} = "acl zlib attr bash"
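Review bot: The removed `--with-config-file=/etc/samhainrc` has no replacement: the shared `do_configure` in samhain.inc now passes `--with-pid-file` and `--with-data-file` but no config-file option, so the client falls back to whatever path configure compiles in. If that default differs from `/etc/samhainrc`, the client would look for its policy somewhere other than where it is installed; either keep the option here or add it next to the other two in the inc file. The baseline also moves from `/var/samhain/samhain.data` to `${localstatedir}/lib/samhain/samhain_file`, which an upgraded target will see as a missing database, so that deserves a line in the commit message.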
@@ -1,54 +0,0 @@
SAMHAIN_MODE="server"
INITSCRIPT_PARAMS = "defaults 14 86"
require samhain.inc
DEPENDS = "gmp samhain-server-native"
EXTRA_OECONF += "--enable-network=${SAMHAIN_MODE} "
# supports mysql|postgresql|oracle|odbc but postgresql is the only one available
PACKAGECONFIG ??= "postgresql"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)}"
PACKAGECONFIG[postgres] = "--with-database=postgresql --enable-xml-log, "", postgresql"
PACKAGECONFIG[suidcheck] = "--enable-suidcheck","" , "
PACKAGECONFIG[logwatch] = "--enable-login-watch,"" , "
PACKAGECONFIG[mounts] = "--enable-mounts-check","" , "
PACKAGECONFIG[userfiles] = "--enable-userfiles","" , "
PACKAGECONFIG[ipv6] = "--enable-ipv6,"--disable-ipv6","
PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux"
PACKAGECONFIG[acl] = " --enable-posix-acl , --disable-posix-acl, acl"
SRC_URI += "file://samhain-server-volatiles"
TARGET_CC_ARCH += "${LDFLAGS}"
EXTRA_OECONF += " \
--with-config-file=REQ_FROM_SERVER/etc/samhainrc \
--with-data-file=REQ_FROM_SERVER/var/lib/samhain/samhain_file \
"
do_install_append() {
cd ${S}
install -d ${D}${sysconfdir}/default/volatiles
install -m 0644 ${WORKDIR}/samhain-server-volatiles \
${D}${sysconfdir}/default/volatiles/samhain-server
install -m 700 samhain-install.sh init/samhain.startLinux \
init/samhain.startLSB ${D}/var/lib/samhain
}
PACKAGES = "${PN} ${PN}-doc ${PN}-dbg"
FILES_${PN} += "${sbindir}/*"
FILES_${PN}-dbg += " \
${sbindir}/.debug/* \
"
RDEPENDS_${PN} += "gmp bash perl"
BBCLASSEXTEND = "native"
@@ -0,0 +1,21 @@
INITSCRIPT_PARAMS = "defaults 14 86"
require samhain.inc
DEPENDS = "gmp"
SRC_URI += "file://samhain-server-volatiles"
TARGET_CC_ARCH += "${LDFLAGS}"
do_install_append() {
install -d ${D}${sysconfdir}/default/volatiles
install -m 0644 ${WORKDIR}/samhain-server-volatiles \
${D}${sysconfdir}/default/volatiles/samhain-server
install -m 700 samhain-install.sh init/samhain.startLinux \
init/samhain.startLSB ${D}/var/lib/samhain
}
RDEPENDS_${PN} += "gmp bash perl"
BBCLASSEXTEND = "native"
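Review bot: `do_install_append` installs `samhain-install.sh` and the `init/` files by relative path, but the `cd ${S}` that the deleted recipe had in this function is gone, so the step depends on the working directory left by whatever ran before it. Using `${S}/samhain-install.sh ${S}/init/samhain.startLinux ${S}/init/samhain.startLSB` removes that dependency, and `${D}${localstatedir}/lib/samhain` would follow the `--with-data-file` path set in samhain.inc instead of hard-coding `/var/lib`. `BBCLASSEXTEND = "native"` is kept although the commit message says the native variant is no longer a dependency; if nothing else uses it, it can be dropped.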
@@ -0,0 +1,31 @@
require samhain.inc
SRC_URI += "file://samhain-not-run-ptest-on-host.patch \
file://run-ptest \
"
PROVIDES += "samhain"
SYSTEMD_SERVICE_${PN} = "samhain.service"
inherit ptest
do_compile() {
if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'yes', 'no', d)}" = "yes" ]; then
oe_runmake cutest
rm -f ${S}*.o config_xor.h internal.h
fi
oe_runmake "$@"
}
do_install_append() {
ln -sf ${INITSCRIPT_NAME} ${D}${sysconfdir}/init.d/samhain
}
do_install_ptest() {
mkdir -p ${D}${PTEST_PATH}
install ${S}/cutest ${D}${PTEST_PATH}
}
RPROVIDES_${PN} += "samhain"
RCONFLICTS_${PN} = "samhain-client samhain-server"
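Review bot: In `do_compile`, `rm -f ${S}*.o config_xor.h internal.h` is missing a path separator: `${S}*.o` expands to the source directory name followed by `*.o`, which matches nothing inside that directory, so the objects built for `cutest` stay in place for the real build. If the intent is to force a clean rebuild after the test binary is linked, it should read `rm -f ${S}/*.o ${S}/config_xor.h ${S}/internal.h`. `rm -f` hides the miss, which is why the build does not fail on it.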
+69 -19
@@ -5,25 +5,60 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=8ca43cbc842c2336e835926c2166c28b"
SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \ SRC_URI = "http://la-samhna.de/archive/samhain_signed-${PV}.tar.gz \
file://samhain-cross-compile.patch \
file://samhain-mips64-aarch64-dnmalloc-hash-fix.patch \
file://samhain-samhainrc.patch \
file://samhain-samhainrc-fix-files-dirs-path.patch \
file://samhain-pid-path.patch \
file://samhain-sha256-big-endian.patch \
file://samhain-configure-add-option-for-ps.patch \
file://${INITSCRIPT_NAME}.init \ file://${INITSCRIPT_NAME}.init \
file://${INITSCRIPT_NAME}.default \ file://${INITSCRIPT_NAME}.default \
file://samhain.service \
" "
SRC_URI[md5sum] = "6de1060d6e79c4893d8d89d5cbd3c1b0" SRC_URI[md5sum] = "f499d5d06bfd1d787073a45bf28dd60f"
SRC_URI[sha256sum] = "93beabb19ac68fb5336a3d8f6b5414de05a460ff6982c41a4e3fb2082e769791" SRC_URI[sha256sum] = "0f3e64afb3f00064c9b136d34a72d580cd41248c5941eba0452f364a109003c7"
S = "${WORKDIR}/samhain-${PV}" S = "${WORKDIR}/samhain-${PV}"
inherit autotools-brokensep update-rc.d pkgconfig inherit autotools-brokensep update-rc.d pkgconfig systemd
SAMHAIN_PORT ??= "49777" SAMHAIN_PORT ??= "49777"
SAMHAIN_SERVER ??= "NULL" SAMHAIN_SERVER ??= "NULL"
INITSCRIPT_NAME = "samhain-${SAMHAIN_MODE}" INITSCRIPT_NAME = "${BPN}"
INITSCRIPT_PARAMS ?= "defaults" INITSCRIPT_PARAMS ?= "defaults"
SYSTEMD_PACKAGES = "${PN}"
SYSTEMD_SERVICE_${PN} = "${INITSCRIPT_NAME}.service"
SYSTEMD_AUTO_ENABLE = "disable"
PACKAGECONFIG ??= "" # mode mapping:
# BPN MODE_NAME SAMHAIN_MODE
# samhain-standalone standalone no
# samhain-client client client
# samhain-server server server
MODE_NAME = "${@d.getVar('BPN').split('-')[1]}"
SAMHAIN_MODE = "${@oe.utils.ifelse(d.getVar('MODE_NAME') == 'standalone', 'no', '${MODE_NAME}')}"
# supports mysql|postgresql|oracle|odbc but postgresql is the only one available
PACKAGECONFIG ??= "postgresql ps"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ipv6', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)}"
PACKAGECONFIG += "${@bb.utils.contains('DISTRO_FEATURES', 'acl', 'acl', '', d)}"
PACKAGECONFIG[postgres] = "--with-database=postgresql --enable-xml-log, "", postgresql"
PACKAGECONFIG[suidcheck] = "--enable-suidcheck","" , "
PACKAGECONFIG[logwatch] = "--enable-login-watch,"" , "
PACKAGECONFIG[mounts] = "--enable-mounts-check","" , "
PACKAGECONFIG[userfiles] = "--enable-userfiles","" , "
PACKAGECONFIG[ipv6] = "--enable-ipv6,"--disable-ipv6","
PACKAGECONFIG[selinux] = "--enable-selinux, --disable-selinux, libselinux"
PACKAGECONFIG[acl] = " --enable-posix-acl , --disable-posix-acl, acl"
PACKAGECONFIG[audit] = "ac_cv_header_auparse_h=yes,ac_cv_header_auparse_h=no,audit"
PACKAGECONFIG[ps] = "--with-ps-path=${base_bindir}/ps,,,procps"
do_unpack_samhain() { do_unpack_samhain() {
cd ${WORKDIR} cd ${WORKDIR}
@@ -72,6 +107,9 @@ do_configure () {
--includedir=${includedir} \ --includedir=${includedir} \
--infodir=${infodir} \ --infodir=${infodir} \
--mandir=${mandir} \ --mandir=${mandir} \
--enable-network=${SAMHAIN_MODE} \
--with-pid-file=${localstatedir}/run/samhain.pid \
--with-data-file=${localstatedir}/lib/samhain/samhain_file \
${EXTRA_OECONF} ${EXTRA_OECONF}
} }
@@ -82,24 +120,36 @@ do_compile_prepend_libc-musl () {
# Install the init script, it's default file, and the extraneous # Install the init script, it's default file, and the extraneous
# documentation. # documentation.
do_install_append () { do_install_append () {
cd ${S}
oe_runmake install DESTDIR='${D}' INSTALL=install-boot oe_runmake install DESTDIR='${D}' INSTALL=install-boot
install -d ${D}${sysconfdir}/init.d
install -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.init \ install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.init \
${D}${sysconfdir}/init.d/${INITSCRIPT_NAME} ${D}${sysconfdir}/init.d/${INITSCRIPT_NAME}
install -d ${D}${sysconfdir}/default install -D -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.default \
install -m 755 ${WORKDIR}/${INITSCRIPT_NAME}.default \
${D}${sysconfdir}/default/${INITSCRIPT_NAME} ${D}${sysconfdir}/default/${INITSCRIPT_NAME}
install -d ${D}${docdir}/${PN} if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
cp -r docs/* ${D}${docdir}/${PN} if [ "${SAMHAIN_MODE}" = "no" ]; then
cp -r scripts ${D}${docdir}/${PN} install -D -m 0644 ${WORKDIR}/samhain.service ${D}/${systemd_system_unitdir}/samhain.service
install -d -m 755 ${D}/var/samhain else
install -D -m 0644 ${WORKDIR}/samhain.service ${D}/${systemd_system_unitdir}/${BPN}.service
fi
install -D -m 0755 ${WORKDIR}/${BPN}.init ${D}/${libexecdir}/${BPN}
sed -i -e 's,@LIBDIR@,${libexecdir},' \
-e 's,@SAMHAIN_HELPER@,${BPN},' \
-e 's,@MODE_NAME@,${MODE_NAME},' \
${D}${systemd_system_unitdir}/samhain*.service
fi
install -d ${D}${docdir}/${BPN}
cp -r docs/* ${D}${docdir}/${BPN}
cp -r scripts ${D}${docdir}/${BPN}
install -d -m 755 ${D}${localstatedir}/samhain
# Prevent QA warnings about installed ${localstatedir}/run
if [ -d ${D}${localstatedir}/run ]; then
rmdir ${D}${localstatedir}/run
fi
} }
FILES_${PN} += "\ FILES_${PN} += "${systemd_system_unitdir}"
/run \
"
INSANE_SKIP_${PN} = "already-stripped"
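Review bot: The default `PACKAGECONFIG ??= "postgresql ps"` names a feature `postgresql`, but the flag defined below it is `PACKAGECONFIG[postgres]`, so the default does not select `--with-database=postgresql --enable-xml-log`; renaming the flag to `PACKAGECONFIG[postgresql]` lines the two up. Several flag values also have unbalanced quotes, for example `PACKAGECONFIG[suidcheck] = "--enable-suidcheck","" , "` and `PACKAGECONFIG[ipv6] = "--enable-ipv6,"--disable-ipv6","`, which look likely to put literal `"` characters into the configure arguments; the usual form is `"--enable-suidcheck,,"`. These lines were carried over from the old server recipe, but they now apply to all three modes, so checks such as suidcheck and login-watch may not be enabled the way the flag names suggest. Separately, `${INITSCRIPT_NAME}.default` is installed with `-m 755` although the file is only sourced; `0644` is enough.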