security layer updated work

Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
2026-05-07 04:58:47 +00:00 · 2013-07-01 16:45:26 +03:00
parent 60d90b2563
commit f359c35ab2
19 changed files with 374 additions and 78 deletions
@@ -1,47 +1,22 @@
-This README file contains information on the contents of the
-security layer.
-
-Please see the corresponding sections below for details.
+Meta-security
+=============

+This layer provides security tools, hardening tools for Linux kernels
+and libraries for implementing security mechanisms.

 Dependencies
 ============

 This layer depends on:

-  URI: git://git.openembedded.org/bitbake
+  URI: git://git.yoctoproject.org/poky
  branch: master
+  revision: HEAD
+  prio: default

-  URI: git://git.openembedded.org/openembedded-core
-  layers: meta
-  branch: master
-
-  URI: git://git.yoctoproject.org/xxxx
-  layers: xxxx
-  branch: master
-
-
-Patches
-=======
-
-Please submit any patches against the security layer to the
-xxxx mailing list (xxxx@zzzz.org) and cc: the maintainer:
-
-Maintainer: XXX YYYYYY <xxx.yyyyyy@zzzzz.com>
-
-
-Table of Contents
-=================
-
-  I. Adding the security layer to your build
- II. Misc
-
-
-I. Adding the security layer to your build
+Adding the security layer to your build
 =================================================

--- replace with specific instructions for the security layer ---
-
 In order to use this layer, you need to make the build system aware of
 it.

@@ -52,13 +27,11 @@ other layers needed. e.g.:

  BBLAYERS ?= " \
    /path/to/yocto/meta \
-    /path/to/yocto/meta-yocto \
-    /path/to/yocto/meta-yocto-bsp \
-    /path/to/yocto/meta-security \
-    "
+    /path/to/poky/meta-security \

+License
+-------

-II. Misc
-========
-
--- replace with specific information about the security layer ---
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
@@ -1,12 +0,0 @@
-#
-# This is a non-functional placeholder file, here for example purposes
-# only.
-#
-# If you had a patch for your recipe, you'd put it in this directory
-# and reference it from your recipe's SRC_URI:
-#
-#  SRC_URI += "file://example.patch"
-#
-# Note that you could also rename the directory containing this patch
-# to remove the version number or simply rename it 'files'.  Doing so
-# allows you to use the same directory for multiple recipes.
@@ -1,8 +0,0 @@
-#include <stdio.h>
-
-int main(int argc, char **argv)
-{
-    printf("Hello World!\n");
-
-    return 0;
-}
@@ -0,0 +1,19 @@
+SUMMARY = "e-mail filter"
+DESCRIPTION = "SpamAssassin is a mail filter which attempts to identify spam using a variety of mechanisms including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases."
+SECTION = "security"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+DEPENDS = "perl"
+
+SRC_URI = "http://apache.mirrors.hoobly.com/spamassassin/source/${PN}-${PV}.tar.gz"
+
+SRC_URI[md5sum] = "d1d62cc5c6eac57e88c4006d9633b81e"
+SRC_URI[sha256sum] = "5323038939a0ef9fc97d5264defce3ae1d95e98b3a94c4c3b583341c927f32df"
+
+EXTRA_CPANFLAGS = "EXPATLIBPATH=${STAGING_LIBDIR} EXPATINCPATH=${STAGING_INCDIR}"
+inherit cpan
+
+do_compile(){
+    export LIBC="$(find ${STAGING_DIR_TARGET}/${base_libdir}/ -name 'libc-*.so')"
+    cpan_do_compile
+}
@@ -1,9 +1,9 @@
+SUMMARY = "Linux hardening tool"
 DESCRIPTION = "Bastille Linux is a Hardening and Reporting/Auditing Program which enhances the security of a Linux box, by configuring daemons, system settings and firewalling."
 LICENSE = "GPLv2"
 LIC_FILES_CHKSUM = "file://${S}/COPYING;md5=c93c0550bd3173f4504b2cbd8991e50b"
 # Bash is needed for set +o privileged (check busybox), might also need ncurses
 RDEPENDS_${PN} = "perl bash tcl perl-module-getopt-long perl-module-text-wrap lib-perl perl-module-file-path perl-module-mime-base64 perl-module-file-find perl-module-errno perl-module-file-glob perl-module-tie-hash-namedcapture perl-module-file-copy perl-module-english perl-module-exporter perl-module-cwd curses-perl coreutils"
-PR = "r0"

 inherit allarch

@@ -0,0 +1,29 @@
+SUMMARY = "Linux security scanner"
+DESCRIPTION = "Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux \
+system. This enables you to quickly overview the security status of your Linux system."
+SECTION = "security"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+RDEPENDS_${PN} = "perl perl-module-term-ansicolor perl-module-posix perl-module-getopt-long perl-module-time-localtime perl-module-data-dumper perl-module-lib"
+
+SRC_URI = "http://sourceforge.net/projects/buck-security/files/buck-security/buck-security_0.6/${PN}_${PV}.tar.gz"
+
+SRC_URI[md5sum] = "edbd40742853fc91ffeae5b2d9ea7bab"
+SRC_URI[sha256sum] = "5d5dcc58b09c3a4bd87f60f86bb62cd2b0bfd7106a474951f8f520af0042a5b7"
+
+S = "${WORKDIR}/${PN}_${PV}"
+
+do_configure() {
+    :
+}
+
+do_compile() {
+    :
+}
+
+do_install() {
+    install -d ${D}${exec_prefix}/local/${PN}
+    cp -r ${S}/* ${D}${exec_prefix}/local/${PN}
+}
+
+FILES_${PN} = "${exec_prefix}/*"
@@ -1,9 +1,12 @@
-DESCRIPTION = "basic system security checks"
+SUMMARY = "basic system security checks"
+DESCRIPTION = "checksecurity is a simple package which will scan your system for several simple security holes."
 SECTION = "security"
 LICENSE = "GPL-2.0"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+RDEPENDS_${PN} = "perl env-perl perl-module-tie-array perl-module-getopt-long perl-module-file-glob util-linux findutils"

-SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz"
+SRC_URI = "http://ftp.de.debian.org/debian/pool/main/c/checksecurity/checksecurity_${PV}.tar.gz \
+           file://setuid-log-folder.patch"

 SRC_URI[md5sum] = "ad6cfe0cd66ebdd16dd5d4ee5fa8fa17"
 SRC_URI[sha256sum] = "a2bc2355358d6daf3cb72485d564e82cb541e8516f23b50522c816853ecd13c2"
@@ -0,0 +1,52 @@
+From 24dbeec135ff83f2fd35ef12fe9842f02d6fd337 Mon Sep 17 00:00:00 2001
+From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+Date: Thu, 20 Jun 2013 15:14:55 +0300
+Subject: [PATCH] changed log folder for check-setuid
+
+check-setuid was creating logs in /var/log directory,
+which cannot be created persistently. To avoid errors
+the log folder was changed to /etc/checksecurity/.
+
+Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+---
+ etc/check-setuid.conf |    2 +-
+ plugins/check-setuid  |    6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/etc/check-setuid.conf b/etc/check-setuid.conf
+index 621336f..e1532c0 100644
+--- a/etc/check-setuid.conf
+++ b/etc/check-setuid.conf
+@@ -116,4 +116,4 @@ CHECKSECURITY_PATHFILTER="-false"
+ #
+ # Location of setuid file databases. 
+ #
+-LOGDIR=/var/log/setuid
+LOGDIR=/etc/checksecurity/
+diff --git a/plugins/check-setuid b/plugins/check-setuid
+index 8d6f90b..bdb21c1 100755
+--- a/plugins/check-setuid
+++ b/plugins/check-setuid
+@@ -44,8 +44,8 @@ if [ `/usr/bin/id -u` != 0 ] ; then
+    exit 1
+ fi
+ 
+-TMPSETUID=${LOGDIR:=/var/log/setuid}/setuid.new.tmp
+-TMPDIFF=${LOGDIR:=/var/log/setuid}/setuid.diff.tmp
+TMPSETUID=${LOGDIR:=/etc/checksecurity/}/setuid.new.tmp
+TMPDIFF=${LOGDIR:=/etc/checksecurity/}/setuid.diff.tmp
+ 
+ #
+ # Check for NFS/AFS mounts that are not nosuid/nodev
+@@ -75,7 +75,7 @@ if [ "$CHECKSECURITY_NOFINDERRORS" = "TRUE" ] ; then
+ fi
+ 
+ # Guard against undefined vars
+-[ -z "$LOGDIR" ] && LOGDIR=/var/log/setuid
+[ -z "$LOGDIR" ] && LOGDIR=/etc/checksecurity/
+ if [ ! -e "$LOGDIR" ] ; then
+     echo "ERROR: Log directory $LOGDIR does not exist"
+     exit 1
+-- 
+1.7.9.5
+
@@ -0,0 +1,32 @@
+From fb3e84f6212333949ee3e410bb468bb06c289a1e Mon Sep 17 00:00:00 2001
+From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+Date: Fri, 28 Jun 2013 15:55:13 +0300
+Subject: [PATCH] libseccomp always used host compiler
+
+passing $CC at do_install() doesn't seem to have
+effect on the compiler used by libseccomp. Modified
+the compiler manually.
+
+Upstream Status: Inapropriate
+
+Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+---
+ macros.mk |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/macros.mk b/macros.mk
+index 9c62fa7..e219be6 100644
+--- a/macros.mk
+++ b/macros.mk
+@@ -66,7 +66,7 @@ AWK ?= awk
+ PYTHON ?= /usr/bin/env python
+ 
+ # we require gcc specific functionality
+-GCC ?= gcc
+GCC ?= $(CC)
+ 
+ INSTALL ?= install
+ 
+-- 
+1.7.9.5
+
@@ -0,0 +1,19 @@
+SUMMARY = "interface to seccomp filtering mechanism"
+DESCRIPTION = "The libseccomp library provides and easy to use, platform independent,interface to the Linux Kernel's syscall filtering mechanism: seccomp."
+SECTION = "security"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+SRC_URI = "http://sourceforge.net/projects/libseccomp/files/${PN}-${PV}.tar.gz \
+           file://compiler.patch"
+
+SRC_URI[md5sum] = "3961103c1234c13a810f6a12e60c797f"
+SRC_URI[sha256sum] = "b0d6e4f0984e6632a04f0cf33c6babdb011674ba15ff208e196f037e0e09905e"
+
+do_configure() {
+   ${S}/configure --prefix=${prefix} --libdir=${libdir}
+}
+
+do_install() {
+    oe_runmake DESTDIR=${D} install
+}
@@ -0,0 +1,79 @@
+Added missing definitions which caused failuire at do_configure
+with --without-liblua option.
+
+Upstream Status : pending
+
+Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+--- a/output.h
+++ b/output.h
+@@ -226,6 +226,10 @@
+ void printscriptresults(ScriptResults *scriptResults, stype scantype);
+ 
+ void printhostscriptresults(Target *currenths);
+
+/*This is a helper function to determine the ordering of the script results
+  based on their id */
+bool comparescriptids(ScriptResult first, ScriptResult second);
+ #endif
+ 
+ /* Print a table with traceroute hops. */
+@@ -253,8 +257,4 @@
+    were found. */
+ void printdatafilepaths();
+ 
+-/*This is a helper function to determine the ordering of the script results
+-  based on their id */
+-bool comparescriptids(ScriptResult first, ScriptResult second);
+-
+ #endif /* OUTPUT_H */
+--- a/output.cc
+++ b/output.cc
+@@ -2613,6 +2613,7 @@
+   }
+ }
+ 
+#ifndef NOLUA
+ /*This is a helper function to determine the ordering of the script results
+   based on their id */
+ bool comparescriptids(ScriptResult first, ScriptResult second){
+@@ -2625,5 +2626,6 @@
+     else
+         return false;
+ }
+#endif
+ 
+ 
+--- a/portlist.cc
+++ b/portlist.cc
+@@ -144,6 +144,7 @@
+   }
+ }
+ 
+#ifndef NOLUA
+ void Port::freeScriptResults(void)
+ {
+     while (!scriptResults.empty()) {
+@@ -151,6 +152,7 @@
+         scriptResults.pop_front();
+     }
+ }
+#endif
+ 
+ /* Fills in namebuf (as long as there is space in buflen) with the
+    Name nmap normal output will use to describe the port.  This takes
+--- a/Target.cc
+++ b/Target.cc
+@@ -162,10 +162,12 @@
+ 
+ Target::~Target() {
+   FreeInternal();
+#ifndef NOLUA
+   while (!scriptResults.empty()) {
+     scriptResults.front().clear();
+     scriptResults.pop_front();
+   }
+#endif
+ }
+ 
+ void Target::FreeInternal() {
+
@@ -0,0 +1,21 @@
+SUMMARY = "network auditing tool"
+DESCRIPTION = "Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing."
+SECTION = "security"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+SRC_URI = "http://nmap.org/dist/${PN}-${PV}.tar.bz2 \
+           file://lua.patch"
+
+SRC_URI[md5sum] = "fcc80f94ff3adcb11eedf91092ea6f5e"
+SRC_URI[sha256sum] = "3349cc6d36b86b95ca2b8075d16615a3a598cef494920d6652f9a8bf9f7660b5"
+
+inherit autotools
+
+EXTRA_OECONF = "--without-liblua --without-zenmap"
+
+do_configure() {
+    autoconf
+    oe_runconf
+}
+
@@ -0,0 +1,13 @@
+DESCRIPTION = "The module OpenVAS-CLI collects command line tools to handle with the OpenVAS services via the respective protocols."
+SECTION = "security"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+DEPENDS = "gnutls openvas-libraries glib-2.0"
+
+SRC_URI = "http://wald.intevation.org/frs/download.php/1323/${PN}-${PV}.tar.gz"
+
+SRC_URI[md5sum] = "e712eb71f3a13cc1b70b50f696465f8e"
+SRC_URI[sha256sum] = "d195ca01a44940d1e6fd2ad54ee4fc9b57a3d103235f0a1f05a8b35d97db6be8"
+
+inherit cmake pkgconfig
@@ -0,0 +1,36 @@
+From f498503889b8178f165afa66dc33aa8ad8901371 Mon Sep 17 00:00:00 2001
+From: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+Date: Fri, 28 Jun 2013 09:38:08 +0300
+Subject: [PATCH] removed the g_type_init()
+
+The function is depricated in glib >= 2.35.0 and is
+automatically called.
+
+Signed-off-by: Andrei Dinu <andrei.adrianx.dinu@intel.com>
+---
+ base/openvas_file.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/base/openvas_file.c b/base/openvas_file.c
+index 8597198..d110c7f 100644
+--- a/base/openvas_file.c
+++ b/base/openvas_file.c
+@@ -164,7 +164,6 @@ openvas_file_copy (const gchar *source_file, const gchar *dest_file)
+   GFile *sfile, *dfile;
+   GError *error;
+ 
+-  g_type_init ();
+   sfile = g_file_new_for_path (source_file);
+   dfile = g_file_new_for_path (dest_file);
+   error = NULL;
+@@ -200,7 +199,6 @@ openvas_file_move (const gchar *source_file, const gchar *dest_file)
+   GFile *sfile, *dfile;
+   GError *error;
+ 
+-  g_type_init ();
+   sfile = g_file_new_for_path (source_file);
+   dfile = g_file_new_for_path (dest_file);
+   error = NULL;
+-- 
+1.7.9.5
+
@@ -0,0 +1,14 @@
+DESCRIPTION = "This is the libraries module for the Open Vulnerability Assessment System (OpenVAS)."
+SECTION = "security"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/GPL-2.0;md5=801f80980d171dd6425610833a22dbe6"
+
+DEPENDS = "bison flex gpgme glib-2.0"
+
+SRC_URI = "http://wald.intevation.org/frs/download.php/1303/${PN}-${PV}.tar.gz \
+           file://g_type_init.patch"
+
+SRC_URI[md5sum] = "0e8b73ee4ad5b36984b5d7be5d6bdfc0"
+SRC_URI[sha256sum] = "50d23afd46f7b49c4cb82a6500b0fe1fb53378af5efce95fd275ea33c879e1dd"
+
+inherit cmake pkgconfig
@@ -0,0 +1,25 @@
+DESCRIPTION = "This package contains the Env.pm \
+               perl module that imports environment variables as scalars or arrays"
+
+SECTION = "libs"
+LICENSE = "Artistic-1.0 | GPL-1.0+"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=76c1cbf18db56b3340d91cb947943bd3"
+
+SRC_URI[md5sum] = "fdba5c0690e66972c96fee112cf5f25c"
+SRC_URI[sha256sum] = "d94a3d412df246afdc31a2199cbd8ae915167a3f4684f7b7014ce1200251ebb0"
+
+DEPENDS += "perl"
+
+SRC_URI = "http://search.cpan.org/CPAN/authors/id/F/FL/FLORA/Env-${PV}.tar.gz"
+
+S = "${WORKDIR}/Env-${PV}"
+
+EXTRA_CPANFLAGS = "EXPATLIBPATH=${STAGING_LIBDIR} EXPATINCPATH=${STAGING_INCDIR}"
+
+inherit cpan
+
+do_compile() {
+	export LIBC="$(find ${STAGING_DIR_TARGET}/${base_libdir}/ -name 'libc-*.so')"
+	cpan_do_compile
+}
@@ -1,3 +1,4 @@
+SUMMARY = "redhat security tools"
 DESCRIPTION = "Tools used by redhat linux distribution for security checks"
 SECTION = "security"
 LICENSE = "GPLv2"
@@ -21,18 +22,18 @@ SRC_URI = "file://find-chroot-py.sh \
 S = "${WORKDIR}"

 do_install() {
-	     install -d ${D}${bindir}
-	     install -m 0755 ${WORKDIR}/find-chroot-py.sh ${D}${bindir}
-         install -m 0755 ${WORKDIR}/find-chroot.sh ${D}${bindir}
-         install -m 0755 ${WORKDIR}/find-elf4tmp.sh ${D}${bindir}
-         install -m 0755 ${WORKDIR}/find-execstack.sh ${D}${bindir}
-         install -m 0755 ${WORKDIR}/find-hidden-exec.sh ${D}${bindir}
-         install -m 0755 ${WORKDIR}/find-nodrop-groups.sh ${D}${bindir}
-         install -m 0755 ${WORKDIR}/find-sh4errors.sh ${D}${bindir}
-         install -m 0755 ${WORKDIR}/find-sh4tmp.sh ${D}${bindir}
-         install -m 0755 ${WORKDIR}/lib-bin-check.sh ${D}${bindir}
-         install -m 0755 ${WORKDIR}/rpm-chksec.sh ${D}${bindir}
-         install -m 0755 ${WORKDIR}/rpm-drop-groups.sh ${D}${bindir}
-         install -m 0755 ${WORKDIR}/selinux-check-devices.sh ${D}${bindir}
-         install -m 0755 ${WORKDIR}/selinux-ls-unconfined.sh ${D}${bindir}
+	     install    -d  ${D}${bindir}
+	     install    -m  0755    ${WORKDIR}/find-chroot-py.sh    ${D}${bindir}
+         install    -m  0755    ${WORKDIR}/find-chroot.sh   ${D}${bindir}
+         install    -m  0755    ${WORKDIR}/find-elf4tmp.sh  ${D}${bindir}
+         install    -m  0755    ${WORKDIR}/find-execstack.sh    ${D}${bindir}
+         install    -m  0755    ${WORKDIR}/find-hidden-exec.sh  ${D}${bindir}
+         install    -m  0755    ${WORKDIR}/find-nodrop-groups.sh    ${D}${bindir}
+         install    -m  0755    ${WORKDIR}/find-sh4errors.sh    ${D}${bindir}
+         install    -m  0755    ${WORKDIR}/find-sh4tmp.sh   ${D}${bindir}
+         install    -m  0755    ${WORKDIR}/lib-bin-check.sh ${D}${bindir}
+         install    -m  0755    ${WORKDIR}/rpm-chksec.sh    ${D}${bindir}
+         install    -m  0755    ${WORKDIR}/rpm-drop-groups.sh   ${D}${bindir}
+         install    -m  0755    ${WORKDIR}/selinux-check-devices.sh ${D}${bindir}
+         install    -m  0755    ${WORKDIR}/selinux-ls-unconfined.sh ${D}${bindir}
 }