Move to fetching from GitHub hashes to avoid issues at releases,
when the last-recent release changes place.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(adapted for scarthgap)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Tested on master (whinlatter) with beaglebone-yocto
New in version 3.1.5 (2025-07-29):
https://cisofy.com/changelog/lynis/#315
Added:
- Support for OpenWrt
- Bitdefender detection on Linux
- Detection of openSUSE Tumbleweed-Slowroll
Changed:
- Corrected detection of service manager SMF
- Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt
- Check modules also under /usr/lib/modules.d
Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
(backported to scarthgap)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
suricata.yaml references these configs
Resolve:
<Warning> -- could not open: "/etc/suricata/classification.config": No
such file or directory
<Error> -- please check the "classification-file" option in your
suricata.yaml file
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
(cherry picked from commit 9a49fcbd05)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
/var/log/suricata initialization is handled by
systemd-tmpfiles-setup.service, which occurs before services like
suricata
Work towards resolving:
ERROR: [...] do_rootfs: The following packages could not be configured
offline and rootfs is read-only: ['100-suricata']
Added in commit 36d656fe72 ("suricata: add tmpfiles.d config")
systemd testing:
root@beaglebone-yocto:~# ls -d /var/log/suricata
/var/log/suricata
root@beaglebone-yocto:~# systemctl enable suricata
Created symlink '/etc/systemd/system/multi-user.target.wants/suricata.service' -> '/usr/lib/systemd/system/suricata.service'.
root@beaglebone-yocto:~# rmdir /var/log/suricata
root@beaglebone-yocto:~# reboot now
root@beaglebone-yocto:~# ls -d /var/log/suricata
/var/log/suricata
root@beaglebone-yocto:~# journalctl -o short-iso-precise -u systemd-tmpfiles-setup -u suricata
2025-05-20T00:45:46.450027+00:00 beaglebone-yocto systemd[1]: Starting Create System Files and Directories...
[...]
2025-05-20T00:45:47.041049+00:00 beaglebone-yocto systemd[1]: Finished Create System Files and Directories.
2025-05-20T00:45:47.542976+00:00 beaglebone-yocto systemd[1]: Started Suricata IDS/IDP daemon.
[...]
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 9109f7258d)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
ERROR: suricata-7.0.0-r0 do_package_qa: QA Issue: File /usr/bin/suricata
in package suricata contains reference to TMPDIR [buildpaths]
ERROR: suricata-7.0.0-r0 do_package_qa: QA Issue: File
/usr/src/debug/suricata/7.0.0/src/build-info.h in package suricata-src
contains reference to TMPDIR [buildpaths]
Address references when src/build-info.h is being written
This is similar to Debian's approach:
https://sources.debian.org/patches/suricata/1:7.0.10-1~bpo12%2B1/reproducible.patch/
Restore the "already-stripped" check and CFLAGS info
Original resolution in commit c0e3fecc3b ("suricata: fix QA warnings")
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 277bf8f916)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
In Yocto, there is only one Python interpreter (python3), and the
auto-generated "fail2ban-python" symlink is not used. To ensure
all installed scripts can run correctly, replace the shebang line
from "#!/usr/bin/env fail2ban-python" to "#!/usr/bin/env python3"
during installation.
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Current 1.0.2 version does not work with scarthgap or later releases,
as the asynchat module has been removed (as scheduled) from python's
stdlib as of v3.12.
fail2ban 1.1.0 also does not work out-of-the-box, as the distutils
module which the pyinotify and systemd backends depend has also been
removed.
So update the recipe to point at commit ac62658c10f4, which fixes
those two backends to no longer depend on distutils.
Upstream's out-of-the-box ban action now uses the 'nft'
command. People can still override and customize that in
jail.conf/jail.local, but to make the recipe useful without
customizing things back to use iptables, change the dependency
iptables->nftables.
Since 1.1.0, fail2ban has been python3-only, so the recipe becomes
somewhat simpler since the whole do_compile preparation step can be
removed.
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
(update PV)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
It was pointed out that the recipe was wrongly doing
FILESEXTRAPATHS:append, but on inspection the recipe does
not need it at all, so just remove.
Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
(cherry picked from commit 5770a76fc0)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
To avoid confusion, remove stray aircrack-ng entry as it is actually
in the main layer and not meta-tpm.
(cherry picked from commit 9f1d763bb1)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Changes:
- Add libmhash and libgssglue so they will get tested by CI.
- Switch to MACHINE_ARCH to facilitate the above, but it makes sense
anyway due to all the machine overrides used in the packagegroup
definition. Since this packagegroup is to facilitate testing and
unlikely to be used by downstreams, it is believed this will have
minimal impact.
(adapted from 26e745243d)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
The 0.8 orig.tar.gz is not in debian mirror any more. In fact, we
really should avoid using orig.tar.gz like this because distros
like debian will just delete those that they don't maintain any more.
Switch to use git source.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit baaafdf08b)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
We get an intermittent QA error about file permissions, happening roughly
on 1 build of 10.
The change adds chown to prevent host ids on files related to the
set_required_questions.py script, to avoid long debugging for now.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(cherry picked from commit 7bdd0a8b48)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
The previously used package (nmu1) is not longer available, use the latest current
one (nmu3). The changelog between the two:
checksecurity (2.0.16+nmu3) unstable; urgency=medium
* Non-maintainer upload.
* Fix "missing required debian/rules targets build-arch and/or build-
indep": Add targets to debian/rules.
(Closes: #999082)
* Fix "Removal of obsolete debhelper compat 5 and 6 in bookworm":
Bump to 7 in debian/{compat,control}.
(Closes: #965448)
* Fix some grave packaging errors:
- move debhelper from Build-Depends-Indep to Build-Depends
- remove temporary files debian/postrm.debhelper and debian/substvars from
source package
-- gregor herrmann <gregoa@debian.org> Sun, 26 Dec 2021 01:56:10 +0100
checksecurity (2.0.16+nmu2) unstable; urgency=medium
* Non maintainer upload by the Reproducible Builds team.
* No source change upload to rebuild on buildd with .buildinfo files.
-- Holger Levsen <holger@debian.org> Fri, 01 Jan 2021 19:17:53 +0100
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(adapted from 828a78314f)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Changes:
- switch to scarthgap
- add required usrmerge feature to kas-security-alt configuration
- add whitespaces around assignement
- add common dldir/sstate
- don't build apparmor in musl configus
- only enable ptest for the test image
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(squashed and recent master changes backported)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Update for Ubuntu 24.04 runners:
- use venv for installing kas
- add missing directories
- assume that python3 and pip are installed.
Other changes:
- add logging of jobs to files
- build parsec images where appropriate
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
(squashed and updated with missing master version changes)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Add Marta and myself as maintainers for meta-security and the other
embedded layers that Armin had been maintaining. To avoid Armin
getting bugged about individual recipes, set the RECIPE_MAINTAINER
variables to myself.
(backport from master)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
0001-osdetection-add-OpenEmbedded-and-Poky.patch
removed since it's included in 3.1.1.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Simple fix for Python 3.12 since it dropped asyncore. Catches the import
error instead of using a version check so that the user can install the
compatibility package for any uses that can't be upgraded to asyncio or
similar immediately.
Fixes:
# python3
Python 3.12.1 (main, Dec 7 2023, 20:45:44) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pyinotify
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib64/python3.12/site-packages/pyinotify.py", line 71, in <module>
import asyncore
ModuleNotFoundError: No module named 'asyncore'
>>>
Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The install expects man8 directory to already exists. If not created
the man page gets installed as "man8", which causes conflicts with
other packages, that expect it to be a directory.
'arpsnmp' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/sbin/arpsnmp'
'./arpwatch.8' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8'
removed '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8'
'./arpsnmp.8' -> '/build/project/tmp/work/corei7-64-poky-linux/arpwatch/3.3/image/usr/share/man/man8'
Signed-off-by: Jeremy A. Puhlman <jpuhlman@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Scott Murray
Hitendra Prajapati
Marta Rybczynska
Michael Opdenacker
Vijay Anusuri
Clayton Casciato
Haixiao Yan
Yi Zhao
Rasmus Villemoes
Aidan Stewart
akash hadke
Armin Kuster
Chen Qi
Yi Zhao
Wang Mingyu
Mingli Yu
Max Krummenacher
Jeremy A. Puhlman