Add UPSTREAM_CHECK_URI to check the correct latest stable verison.
Before the patch:
$ devtool latest-version libmash
INFO: Current version: 0.9.9.9
INFO: Latest version:
After the patch:
$ devtool latest-version libmash
INFO: Current version: 0.9.9.9
INFO: Latest version: 0.9.9.9
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Add modern ClamAV 1.4.3 recipe with comprehensive improvements over
the legacy 0.104.4 version. Remove the end-of-life 0.104.4 recipe and
associated patches as they are superseded by this version.
Major changes in 1.4.3:
- Upgraded core engine with improved threat detection capabilities
- Added Rust components requiring cross-compilation support
- Updated CMake build system replacing legacy autotools
- Modernized library dependencies (LLVM, JSON-C, PCre2)
- Added comprehensive license compliance for multi-component package
- Enhanced cross-compilation support for all target architectures
The recipe includes dynamic Cargo configuration using Yocto variables
to support cross-compilation to any target architecture supported by
the build system.
Runtime configuration improvements:
- Set APP_CONFIG_DIRECTORY to ${sysconfdir}/clamav for proper config paths
- Added volatiles/tmpfiles support for /var/lib/clamav and /var/log/clamav
- Added pkg_postinst scripts to ensure correct directory ownership
- Implemented CMake cache variables for cross-compilation
- Updated all license checksums for compliance
- Added Rust toolchain integration with automatic environment setup
- Use Cargo vendoring with cargo + cargo-update-recipe-crates classes
Security rationale:
- ClamAV 0.104.4 reached end-of-life and is no longer maintained
- Upstream strongly recommends migration to 1.4.x for security updates
Signed-off-by: Hemant Jadhav <hemant.jadhav@emerson.com>
(regenerated diff, fixed building with systemd,
fixed target Rust configuration, disabled for 32-bit targets)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Add basic openscap test. This looks for an existing profile and run a basic scan.
Openscap scans return 1 in case of failure, 0 in case of success and 2 when a
vulnerability has been found. As this does not aim to check openscap reports, 2 is
considered as a successful test.
Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
(added to test image)
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Fixes:
- typo in the RDEPENDS class-target override ('-' instead of ':')
- typo SUMARRY -> SUMMARY
Signed-off-by: Louis Rannou <louis.rannou@non.se.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
It was pointed out that the recipe was wrongly doing
FILESEXTRAPATHS:append, but on inspection the recipe does
not need it at all, so just remove.
Reported-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
In Yocto, there is only one Python interpreter (python3), and the
auto-generated "fail2ban-python" symlink is not used. To ensure
all installed scripts can run correctly, replace the shebang line
from "#!/usr/bin/env fail2ban-python" to "#!/usr/bin/env python3"
during installation.
Signed-off-by: Haixiao Yan <haixiao.yan.cn@windriver.com>
Replace poky repository configuration with separate bitbake,
openembedded-core, and meta-poky repository configurations.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
To avoid confusion, remove stray aircrack-ng entry as it is actually
in the main layer and not meta-tpm.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Changes:
- Add libmhash and libgssglue so they will get tested by CI.
- Switch to MACHINE_ARCH to facilitate the above, but it makes sense
anyway due to all the machine overrides used in the packagegroup
definition.
- Add the recently added python3-suricata-update so it will get
tested by CI.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Remove the paxctl recipe since it has seemingly been broken for a
while without anyone noticing, and there likely have been no actual
users since grsecurity stopped doing public releases in 2017.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Remove the libest recipe since it has been disabled since November
2021, and upstream has shown no activity since 2022.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Remove the tripwire recipe since it has been disabled since May 2021,
and upstream has shown no activity since 2018.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Update to latest git rev as the current version doesn't work with
OpenSSH 9.8+[1].
Ptest result:
$ ptest-runner python3-fail2ban
START: ptest-runner
2025-09-21T12:45
BEGIN: /usr/lib64/python3-fail2ban/ptest
Ran 538 tests in 13.045s
OK (skipped=3)
DURATION: 14
END: /usr/lib64/python3-fail2ban/ptest
2025-09-21T12:46
STOP: ptest-runner
TOTAL: 1 FAIL: 0
[1] 2fed408c05
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Move to fetching from GitHub hashes to avoid issues at releases,
when the last-recent release changes place.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Tested on master (whinlatter) with beaglebone-yocto
New in version 3.1.5 (2025-07-29):
https://cisofy.com/changelog/lynis/#315
Added:
- Support for OpenWrt
- Bitdefender detection on Linux
- Detection of openSUSE Tumbleweed-Slowroll
Changed:
- Corrected detection of service manager SMF
- Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt
- Check modules also under /usr/lib/modules.d
Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
There is no hint of libgcrypt in the upstream code and distro packages
like Debian and Fedora do not have this dependency either.
Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>
suricata.yaml references these configs
Resolve:
<Warning> -- could not open: "/etc/suricata/classification.config": No
such file or directory
<Error> -- please check the "classification-file" option in your
suricata.yaml file
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Add whitespaces when assigning variables in kas cofiguration.
We were getting:
WARNING: ... has a lack of whitespace around the assignment: 'BB_NUMBER_THREADS="24"'
WARNING: ... has a lack of whitespace around the assignment: 'BB_NUMBER_PARSE_THREADS="12"'
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Aide currently doesn't compile with musl because of copied getopt prototypes
and implementation.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
We get an intermittent QA error about file permissions, happening roughly
on 1 build of 10.
The change adds chown to prevent host ids on files related to the
set_required_questions.py script, to avoid long debugging for now.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
The previously used package (nmu1) is not longer available, use the latest current
one (nmu3). The changelog between the two:
checksecurity (2.0.16+nmu3) unstable; urgency=medium
* Non-maintainer upload.
* Fix "missing required debian/rules targets build-arch and/or build-
indep": Add targets to debian/rules.
(Closes: #999082)
* Fix "Removal of obsolete debhelper compat 5 and 6 in bookworm":
Bump to 7 in debian/{compat,control}.
(Closes: #965448)
* Fix some grave packaging errors:
- move debhelper from Build-Depends-Indep to Build-Depends
- remove temporary files debian/postrm.debhelper and debian/substvars from
source package
-- gregor herrmann <gregoa@debian.org> Sun, 26 Dec 2021 01:56:10 +0100
checksecurity (2.0.16+nmu2) unstable; urgency=medium
* Non maintainer upload by the Reproducible Builds team.
* No source change upload to rebuild on buildd with .buildinfo files.
-- Holger Levsen <holger@debian.org> Fri, 01 Jan 2021 19:17:53 +0100
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
The package choice was using TUNE_FEATURES that doesn't work anymore
with multiple sub-architectures of RISCV. Instead use the overrides
and make sure to take into account also qemu versions.
Only riscv32/riscv64 does not work, fail on RDEPEND for qemu targets.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Enabling ptest will significantly increase build time. Additionally,
since the ptest distro_feature is enabled by default in poky distro,
build time can be very long, which is annoying.
On my build host:
Enable ptest:
$ time build scap-security-guide
real 219m54.529s
user 0m49.040s
sys 0m1.304s
Disable ptest:
$ time build scap-security-guide
real 1m25.222s
user 0m3.306s
sys 0m0.166s
Since no one cares about this ptest and no one fixes the test failures.
Let's disable it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Update for Ubuntu 24.04 runners:
- use venv for installing kas
- add missing directories
Assume that python3 and pip are installed.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
