Move to fetching from GitHub hashes to avoid issues at releases,
when the last-recent release changes place.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Tested on master (whinlatter) with beaglebone-yocto
New in version 3.1.5 (2025-07-29):
https://cisofy.com/changelog/lynis/#315
Added:
- Support for OpenWrt
- Bitdefender detection on Linux
- Detection of openSUSE Tumbleweed-Slowroll
Changed:
- Corrected detection of service manager SMF
- Extended GetHostID function to allow HostID and HostID2 creation on OpenWrt
- Check modules also under /usr/lib/modules.d
Signed-off-by: Michael Opdenacker <michael.opdenacker@rootcommit.com>
There is no hint of libgcrypt in the upstream code and distro packages
like Debian and Fedora do not have this dependency either.
Signed-off-by: Patrick Wicki <patrick.wicki@siemens.com>
suricata.yaml references these configs
Resolve:
<Warning> -- could not open: "/etc/suricata/classification.config": No
such file or directory
<Error> -- please check the "classification-file" option in your
suricata.yaml file
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Add whitespaces when assigning variables in kas cofiguration.
We were getting:
WARNING: ... has a lack of whitespace around the assignment: 'BB_NUMBER_THREADS="24"'
WARNING: ... has a lack of whitespace around the assignment: 'BB_NUMBER_PARSE_THREADS="12"'
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Aide currently doesn't compile with musl because of copied getopt prototypes
and implementation.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
We get an intermittent QA error about file permissions, happening roughly
on 1 build of 10.
The change adds chown to prevent host ids on files related to the
set_required_questions.py script, to avoid long debugging for now.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
The previously used package (nmu1) is not longer available, use the latest current
one (nmu3). The changelog between the two:
checksecurity (2.0.16+nmu3) unstable; urgency=medium
* Non-maintainer upload.
* Fix "missing required debian/rules targets build-arch and/or build-
indep": Add targets to debian/rules.
(Closes: #999082)
* Fix "Removal of obsolete debhelper compat 5 and 6 in bookworm":
Bump to 7 in debian/{compat,control}.
(Closes: #965448)
* Fix some grave packaging errors:
- move debhelper from Build-Depends-Indep to Build-Depends
- remove temporary files debian/postrm.debhelper and debian/substvars from
source package
-- gregor herrmann <gregoa@debian.org> Sun, 26 Dec 2021 01:56:10 +0100
checksecurity (2.0.16+nmu2) unstable; urgency=medium
* Non maintainer upload by the Reproducible Builds team.
* No source change upload to rebuild on buildd with .buildinfo files.
-- Holger Levsen <holger@debian.org> Fri, 01 Jan 2021 19:17:53 +0100
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
The package choice was using TUNE_FEATURES that doesn't work anymore
with multiple sub-architectures of RISCV. Instead use the overrides
and make sure to take into account also qemu versions.
Only riscv32/riscv64 does not work, fail on RDEPEND for qemu targets.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Enabling ptest will significantly increase build time. Additionally,
since the ptest distro_feature is enabled by default in poky distro,
build time can be very long, which is annoying.
On my build host:
Enable ptest:
$ time build scap-security-guide
real 219m54.529s
user 0m49.040s
sys 0m1.304s
Disable ptest:
$ time build scap-security-guide
real 1m25.222s
user 0m3.306s
sys 0m0.166s
Since no one cares about this ptest and no one fixes the test failures.
Let's disable it.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Update for Ubuntu 24.04 runners:
- use venv for installing kas
- add missing directories
Assume that python3 and pip are installed.
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
The project does not use release branches; their release model currently
rebases the stable branch each release and relies on the release tags to
keep the commits referenced. Until their release model changes, just
use the release commit with nobranch.
See upstream issue [1] for details.
[1] https://github.com/ComplianceAsCode/content/issues/13543
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
[tweaked commit message]
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
After commit 7a2b9acef2 "cargo: pass PACKAGECONFIG_CONFARGS to cargo build"
we don't need to include Parsec cargo build features into CARGO_BUILD_FLAGS.
Let's update PACKAGECONFIG options as lists of features.
A small fix in readme.md as well.
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Update LAYERSERIES_COMPAT in all layer.conf files with the exception
of meta-parsec to whinlatter. For meta-parsec, whinlatter has been
added, and the EOL releases removed, as an initial update.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
v2 : also fix some typos while we are here.
v3 : add fixes for isic and checksecurity
Signed-off-by: Jason Schonberg <schonm@gmail.com>
[removed already applied change]
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Add Marta and myself as maintainers for meta-security and the other
embedded layers that Armin had been maintaining. To avoid Armin
getting bugged about individual recipes, set the RECIPE_MAINTAINER
variables to myself for now as a starting point that can be adjusted
as things get more settled.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
/var/log/suricata initialization is handled by
systemd-tmpfiles-setup.service, which occurs before services like
suricata
Work towards resolving:
ERROR: [...] do_rootfs: The following packages could not be configured
offline and rootfs is read-only: ['100-suricata']
Added in commit 36d656fe72 ("suricata: add tmpfiles.d config")
systemd testing:
root@beaglebone-yocto:~# ls -d /var/log/suricata
/var/log/suricata
root@beaglebone-yocto:~# systemctl enable suricata
Created symlink '/etc/systemd/system/multi-user.target.wants/suricata.service' -> '/usr/lib/systemd/system/suricata.service'.
root@beaglebone-yocto:~# rmdir /var/log/suricata
root@beaglebone-yocto:~# reboot now
root@beaglebone-yocto:~# ls -d /var/log/suricata
/var/log/suricata
root@beaglebone-yocto:~# journalctl -o short-iso-precise -u systemd-tmpfiles-setup -u suricata
2025-05-20T00:45:46.450027+00:00 beaglebone-yocto systemd[1]: Starting Create System Files and Directories...
[...]
2025-05-20T00:45:47.041049+00:00 beaglebone-yocto systemd[1]: Finished Create System Files and Directories.
2025-05-20T00:45:47.542976+00:00 beaglebone-yocto systemd[1]: Started Suricata IDS/IDP daemon.
[...]
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
ERROR: suricata-7.0.0-r0 do_package_qa: QA Issue: File /usr/bin/suricata
in package suricata contains reference to TMPDIR [buildpaths]
ERROR: suricata-7.0.0-r0 do_package_qa: QA Issue: File
/usr/src/debug/suricata/7.0.0/src/build-info.h in package suricata-src
contains reference to TMPDIR [buildpaths]
Address references when src/build-info.h is being written
This is similar to Debian's approach:
https://sources.debian.org/patches/suricata/1:7.0.10-1~bpo12%2B1/reproducible.patch/
Restore the "already-stripped" check and CFLAGS info
Original resolution in commit c0e3fecc3b ("suricata: fix QA warnings")
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
If measured-uki support is not enabled or build is continuing
from previous stages, then the matching file list can be empty.
Fixes build failure where sed says no input files.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Since OE bitbake commit 24772dd2ae6c ("parse/ConfHandler: Add warning for
deprecated whitespace usage"), the current build generates the following
warning (as example):
| WARNING: ...meta-security/meta-tpm/recipes-core/systemd/systemd-boot_%.bbappend:7
| has a lack of whitespace around the assignment:
| 'EXTRA_OEMESON:append= " ${@bb.utils.contains('DISTRO_FEATURES', 'tpm2', '-Dtpm2=true', '', d)} "'
Fix all the warnings.
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* Some sources like merger/merger.py import json, so add
python3-json to RDEPENDS
* Fix following warning
has a lack of whitespace around the assignment: 'DESCRIPTION=xxx'
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The tpm2-pkcs11-tools python module is importing several modules which
are not currently included in it's dependencies. This causes the script
invocation to fail. The current commit adds the relevant dependencies,
to ensure that the python module is always able to run.
The relevant dependencies are:
* python3-fcntl: To add the fcntl module, imported in db.py.
* python3-sqlite3: To add the sqlite3 module, imported in db.py.
* python3-tpm2-pytss: To add the tpm2_pytss module, imported in
utils.py.
* python3-compression: To add the zipfile module, imported through
"importlib.metadata import distribution" in tpm2_ptool.
Signed-off-by: Omri Sarig <omri.sarig13@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The tpm2-pytss module is importing the module asn1crypto in tsskey.py,
however, the current bitbake recipe is not including this python package
as runtime dependency. This causes the module invocation to fail at the
moment.
The commit adds this dependency to the bitbake recipe, to make the
recipe self contained.
Signed-off-by: Omri Sarig <omri.sarig13@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Skip configure step to fix this error:
pcr-extend-0.1+git-r0 do_configure: no configure script found at ../git/configure
There is no configure for this package.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The unprivileged service user feature has been improved in 2.10 to allow
running the sssd service as an unprivileged user [1]. So enable this
feature, and then we can run the service as the unprivileged user sssd.
[1] https://github.com/SSSD/sssd/releases/tag/2.10.0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Ptest result:
ptest-runner libgssglue
START: ptest-runner
2025-03-27T13:15
BEGIN: /usr/lib64/libgssglue/ptest
PASS: gss_create_empty_oid_set
PASS: gss_test_oid_set_member
PASS: gss_test_oid_set_member n==0
PASS: gss_add_oid_set_member() OK
PASS: gss_test_oid_set_member() OK
OID present in set with the OID added to it => 1
PASS: gss_test_oid_set_member() OK
PASS: gss_test_oid_set_member() OK
Another OID present in set without the OID => 0
PASS: gss_test_oid_set_member() OK
PASS: gss_add_oid_set_member() OK
PASS: gss_test_oid_set_member() OK
Another OID present in set with it added => 1
PASS: gss_test_oid_set_member() OK
PASS: gss_test_oid_set_member() OK
First OID present in set => 1
PASS: gss_test_oid_set_member() OK
PASS: gss_release_oid_set() OK
PASS: gss_indicate_mechs() OK
PASS: gss_release_oid_set() OK
PASS: gss_import_name() OK
PASS: gss_display_name() OK
display_name() => 27: imap@server.example.org@FOO
PASS: gss_release_buffer() OK
PASS: gss_release_name() OK
Basic self tests done with 0 errors
DURATION: 0
END: /usr/lib64/libgssglue/ptest
2025-03-27T13:15
STOP: ptest-runner
TOTAL: 1 FAIL: 0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Release note:
Enhancements:
The MergerConfig class now accepts overrides for config values as "keys" and
"rules" keyword arguments to the constructor.
Credit and my thanks go to https://github.com/leviem1!
BREAKING CHANGES:
Support for Python 3.6 has been dropped. This is forced by incompatibilities
discovered with the latest version of pytest and because dependencies like
dateutil and ruamel-yaml-clib no longer support Python 3.6. Support for
Python 3.7 is tepid. While pytest is still working with Python 3.7, other
dependencies are no longer supporting Python 3.7; however, the extensive
tests for yamlpath show no issues with them, so far. For now, Python 3.12
support is pending, waiting for the dateutil library to resolve a
DeprecationWarning regarding its use of datetime.datetime.utcfromtimestamp().
Refer:
https://pypi.org/project/yamlpath/3.8.2/
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changes:
2.7.0 (2024-05-13)
* Changed the comparison to make accurate and standard more accurate, although fast gets less accurate as a result.
* Changed usage of deprecated pkg_resources package to importlib.metadata.
* A use_replace flag was added to the XMLFormatter by Thomas Pfitzinger. It changes text replacement from delete and insert tags to a replace tag. It’s not currently accessaible thtough the CLI, the question is it is better to add a new formatter name, or an option to pass in formatter flags.
- Added option to XMLFormatter to use replace tags
- in _make_diff_tags after diffing, neighboring delete/insert diffs are joined to a replace tag
- the deleted text is added as an attribute (“old-text”)
- the inserted text is the element’s text
Refer:
https://pypi.org/project/xmldiff/2.7.0/
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
