Commit Graph

327 Commits

Author SHA1 Message Date
Koen Kooi 2c266a1cfe suricata: enable syslog output
This fixes the following error preventing startup in daemon mode:

  suricata[20485]: 31/7/2018 -- 13:19:48 - <Error> - [ERRCODE: SC_ERR_MISSING_CONFIG_PARAM(118)] - NO logging compatible with daemon mode selected, suricata won't be able to log. Please update  'logging.outputs'

Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-08-04 07:50:07 -07:00
Koen Kooi 111835003d suricate: create and package logdir
This fixes the following error preventing startup:

  suricata[18771]: 31/7/2018 -- 13:08:21 - <Error> - [ERRCODE: SC_ERR_LOGDIR_CONFIG(116)] - The logging directory "/var/log/suricata/" supplied by /etc/suricata/suricata.yaml (default-log-dir) doesn't exist. Shut>

Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-08-04 07:50:07 -07:00
Koen Kooi e58ad185be suricata: add systemd unit
Based on the debian systemd unit.

Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-08-04 07:50:07 -07:00
Koen Kooi a0a3160923 suricata: add 'nfq' PACKAGECONFIG
For inline IPS nfqueue is nice to have, so add a PACKAGECONFIG entry for
it.

Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-08-04 07:50:07 -07:00
Koen Kooi ccd9950ebd suricata: mark config file as CONFFILE
This preserves user edits during package upgrades.

Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-08-04 07:50:07 -07:00
Koen Kooi c933696e9e suricata: fix packaging
Move ${PN}-python in front so ${PN} can use default packaging rules.

Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-08-04 07:50:07 -07:00
Koen Kooi 3277886451 suricata: don't start service in postinst
Apart from hardcoding the wrong networking device it won't survive device restart

Signed-off-by: Koen Kooi <koen.kooi@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-08-04 07:50:07 -07:00
Armin Kuster 7c6532e1c0 nmap: remove recipe as it is in meta-oe now
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-08-04 07:49:58 -07:00
Armin Kuster 4d139b95c4 clamav: update postinit
log_check] WARNING: Intentionally failing postinstall scriptlets of ['suricata', 'clamav'] to defer them to first boot is deprecated. Please place them into pkg_postinst_ontarget_${PN} ()

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-07-07 08:14:54 -07:00
Armin Kuster d2946afbd2 suricata: update postinit
[log_check] WARNING: Intentionally failing postinstall scriptlets of ['suricata', 'clamav'] to defer them to first boot is deprecated. Please place them into pkg_postinst_ontarget_${PN} ()

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-07-07 08:14:47 -07:00
Nagalakshmi Veeramallu a1406fe1c8 CVE-2018-11652 nikto: arbitray OS command injection via http server field.
CSV Injection vulnerability in Nikto 2.1.6 and earlier allows remote attackers
to inject arbitrary OS commands via the Server field in an HTTP response header,
 which is directly injected into a CSV report.

Signed-off-by: Nagalakshmi Veeramallu <nveeramallu@mvista.com>
Reviewed-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
2018-07-03 15:30:51 -07:00
Changqing Li 0551002922 samhain: correct service status
status get by "systemctl status samhain" is not correct.
It is active(exited) now. but actually, there is a dameon
running, it should be active(running). so change Type of
servive.

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-07-03 15:30:40 -07:00
Jinliang Li f9c5e2022b Fix build issue for apparmor when systemd is used
When systemd is used as system init manager, there is a build issue complains
"can't found apparmor.service". This patch fix it.

Signed-off-by: Jinliang Li <jinliang.li@linux.alibaba.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-06-11 10:57:43 -07:00
Wenzong Fan 7a503cbfa2 xmlsec1: remove host paths from target files
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-05-07 15:19:06 -07:00
Armin Kuster d2a71316f2 clamav: update LLVM version to match core
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-04-13 08:18:36 -07:00
Armin Kuster 295d3f2bc9 sssd: only include when pam in DISTRO_FEATURES
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-04-13 08:18:36 -07:00
Yi Zhao f4293d9fe8 xmlsec1: refresh patches to fix QA warning
Refresh patches with devtool command.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-04-13 08:18:36 -07:00
Jackie Huang 8f6969a775 samhain-server: do not extend to native
No packages depend on samhain-server-native and it doesn't
make sense to extend a server package to native, so remove
the BBCLASSEXTEND.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-03-31 11:50:13 -07:00
Jagadeesh Krishnanjanappa 58c23b4787 clamav: Add missing clamav.service file to SRC_URI
This solves the below error when systemd is used as init manager,
-- snip --
ERROR: clamav-0.99.2-r0 do_package: SYSTEMD_SERVICE_clamav value clamav.service does not exist
ERROR: clamav-0.99.2-r0 do_package: Function failed: systemd_populate_packages
-- snip --

Other issue:
*  Ship /lib/systemd/system/clamav-freshclam.service into ${PN}-freshclam
   package, to solve below warning:
-- snip --
[10240] WARNING: QA Issue: clamav: Files/directories were installed but not shipped in any package:
  /lib/systemd/system/clamav-freshclam.service
-- snip --

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-03-31 11:50:13 -07:00
Jackie Huang 7ac11e2274 xmlsec1: fix a typo in examples/verify3.c
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-03-31 11:50:07 -07:00
Armin Kuster b31e6a9ed4 google-authenticator-libpam: add new package
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-02-18 19:31:59 -08:00
Armin Kuster f4e950c03b clamav: update to 0.99.3
removed unused hash checksums

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-02-14 11:56:35 -08:00
Armin Kuster 9e26f1307e freediameter: remove package
resides in meta-networking now

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-02-14 11:56:35 -08:00
Armin Kuster 064b9321e6 xmlsec1: Update to 1.2.25
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-02-14 11:56:35 -08:00
Armin Kuster 9cdde3cc46 fail2ban: update to 0.10.2
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-02-14 11:56:35 -08:00
Armin Kuster db41118438 smack: update to 1.3.1
drop git hash from PV
Use master branch

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-02-14 11:56:35 -08:00
Armin Kuster 195ca4f48e sssd: update to 1.16.0
update some PACKAGECONFIG changes

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-02-14 11:56:35 -08:00
Armin Kuster 62803a0ecc scapy: update to 2.3.3
Drop patch included in update.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-02-14 11:56:35 -08:00
Armin Kuster 181d03751a tripwire: Update to 2.4.3.6
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-02-14 11:56:35 -08:00
Armin Kuster 1163dcc00b libseccomp: update to 2.3.3
Drop git PV for bb reciped PV.

supports 4.15 kernel

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-02-14 11:56:29 -08:00
José Bollo aedbec5ea3 xmlsec1: Allow native builds
When used in native builds, the variable STAGING_DIR_HOST expands
to the empty string. This leads 'sed' to an error because the pattern
is empty. Using STAGING_DIR instead of STAGING_DIR_HOST allows
to use xmlsec1 in native builds with the correct behaviour.

Change-Id: I55f40ac2413863c489d4219e0080f7e4e274a6db
Signed-off-by: José Bollo <jose.bollo@iot.bzh>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2018-02-06 21:16:55 +05:30
Mingli Yu d95d99386c samhain: remove the path for start-stop-daemon
Remove the absolute path for start-stop-daemon
to fix samhain start-up as start-stop-daemon
sometimes located in /usr/sbin, not the expected
/sbin.

Signed-off-by: Mingli Yu <Mingli.Yu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-12-10 15:03:55 -08:00
André Draszik de48d57a7f fscryptctl: add v0.1.0
fscryptctl is a low-level tool written in C that handles
raw keys and manages policies for Linux filesystem
encryption [1].

For a tool that presents a higher level interface and
manages metadata, key generation, key wrapping, PAM
integration, and passphrase hashing, see fscrypt [2].

[1] https://lwn.net/Articles/639427
[2] https://github.com/google/fscrypt

Signed-off-by: André Draszik <adraszik@tycoint.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-10-24 14:04:57 -07:00
Dengke Du 4b67ec8263 keynote: update the SRC_URI
The old URL can't be available, give the new URL to keynote.
The project already moved to:

    https://sourceforge.net/projects/keynote-2-3/

The different between old and new tarball was:

    the old tarball contains doc directory, source codes were same.

Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-10-10 07:24:59 -07:00
Armin Kuster 24f3e574ab bastile: fix QA issue
WARNING: bastille-3.2.1-r0 do_package_qa: QA Issue: Symlink /usr/sbin/UndoBastille in bastille points to TMPDIR [symlink-to-sysroot]

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-10-02 07:49:23 -07:00
Armin Kuster 6f5b7b303f suricata: update to 4.0.0
libhtp updated in // as suricata contains the sources

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-10-02 07:49:23 -07:00
Armin Kuster 1e0d5ee5bf redhat-security: remove PR and fix style
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-10-02 07:49:23 -07:00
Armin Kuster cb8f175108 checksecurity: fix recipe style
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-10-02 07:49:23 -07:00
Armin Kuster d34afdfbf5 clamav: update llvm to use 5.0 to match version in core
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-09-30 11:44:55 -07:00
Jackie Huang e180062c70 packagegroups: fix invalid license file
Use '${COMMON_LICENSE_DIR}/MIT' for MIT License to fix the warning:

| WARNING: packagegroup-core-security do_populate_lic:
  ${COREBASE}/LICENSE is not a valid license file, please use
  '${COMMON_LICENSE_DIR}/MIT' for a MIT License file in LIC_FILES_CHKSUM.
  This will become an error in the future

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-09-15 08:01:07 -07:00
Jackie Huang 738dad9d91 samhain: fix QA issue for GNU_HASH
Add LDFLAGS variable to fix QA issue for GNU_HASH:
| ERROR: samhain-client-4.2.2-r0 do_package_qa: QA Issue:
  No GNU_HASH in the elf binary: '/builddir/usr/sbin/samhain_setpwd' [ldflags]

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-09-15 08:01:07 -07:00
Jackie Huang a35bcc9495 samhain: avoid searching host dir for postgresql
Add a patch to avoid searching host dir for postgresql,
and set PGSQL_INC_DIR and PGSQL_LIB_DIR instead.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-09-15 08:01:07 -07:00
Jackie Huang 838f698bd9 samhain: fix for the PACKAGECONFIG
* The "??=" assignment for PACKAGECONFIG is overridden by
  the following "+=" assignments, which is not expected,
  so combine them into one assignment with multiple lines.

* Fix a typo for postgresql.

* Remove unneeded quotation marks.

* run aotoconf to regenerate the configure, or the patch
  for ps option doesn't work:
  | configure: error: unrecognized option: --with-ps-path=/bin/ps

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-09-15 08:01:07 -07:00
Jackie Huang d3bcc4ba47 samhain: depends on attr when selinux is enabled
The extended attribute is required by selinux feature,
so add the dependency when selinux is enabled.

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-09-15 08:01:07 -07:00
Armin Kuster 62d54856e5 apparmor: fix a few build issues
configure.ac:8: http://www.gnu.org/software/automake/manual/automake.html#Modernize-AM_005fINIT_005fAUTOMAKE-invocation
| configure.ac:8: error: version mismatch.  This is Automake 1.15.1,
| configure.ac:8: but the definition used by this AM_INIT_AUTOMAKE

add aclocal

and

 make: Entering directory '/home/akuster/oss/clean/poky/build/tmp/work/mips64-poky-linux/apparmor/2.11.0-r0/apparmor-2.11.0/binutils'
| error: ../libraries/libapparmor//src/.libs/libapparmor.a is missing. Pick one of these possible solutions:

remove --disable-static

and

ERROR: apparmor-2.11.0-r0 do_package_qa: QA Issue: /usr/lib/apparmor/ptest/testsuite/parser/tst/gen-dbus.pl contained in package apparmor-ptest requires /usr/bin/perl, but no providers found in RDEPENDS_apparmor-ptest? [file-rdeps]

add perl to ptest RDEPENDS

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-09-15 08:01:07 -07:00
Armin Kuster 169a02dff0 Apparmor: add apache2 to PACKAGECONF and check for webserver layer
Don't want to add layer depends for one package unless needed.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-09-15 08:01:07 -07:00
Armin Kuster b646d8fdc0 nmap: update to 7.60
LIC_CHKSUM_FILES changed do to yr update.

add a few more PACKCONFIG

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-09-13 07:36:44 -07:00
Armin Kuster 1014cc61fc fail2Ban: Add new package
Fail2Ban scans log files like /var/log/auth.log and bans IP addresses having too many failed login attempts. It does this by updating system firewall rules to reject new connections from those IP addresses, for a configurable amount of time. Fail2Ban comes out-of-the-box ready to read many standard log files, such as those for sshd and Apache, and is easy to configure to read any log file you choose, for any error you choose.

Though Fail2Ban is able to reduce the rate of incorrect authentications attempts, it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-09-01 06:44:30 -07:00
Armin Kuster 8d5ca33a50 tripwire: update to 2.4.3.5
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-08-31 22:10:42 -07:00
Jackie Huang 9949776684 samhain: update to 4.2.2
* update to version 4.2.2
* Add new recipe for standalone mode
* Add systemd support
* Add patches to fix several issues
* samhain-standalone: add ptest support
* samhain-server: no need to depend on samhain-server-native
* Move common things from the bb to the inc file

Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2017-08-31 22:09:49 -07:00