mirror of
https://git.yoctoproject.org/meta-security
synced 2026-01-12 03:10:13 +00:00
buck-security hard-codes a number of file locations for the target system on
which it operates and also its own dependencies. These hard-coded dependencies
have been parameterized and a few other related changes have been made. The
changes are more fully explained below.
buck-security.bb:
* The RDEPENDS_${PN} variable has been made more orderly in anticipation of
subsequent changes. It also includes a few other perl modules required by
the changes to the application.
* The functionality.patch file has been removed and superseded by the
take_root_dir.patch patch.
* The definition of S is parameterized on BPN not PN; they are different if the
package has a native option.
* The install step replaces the use directives and an assignment in the
buck-security script in a more general way than previously.
* The recipe now allows the package to have a native version.
take_root_dir.patch:
* buck-security
* An additional flag, sysroot, that specifies the sysroot of the filesystem
that the buck-security utility inspects is added. If the sysroot cannot
be located the script fails gracefully.
* An additional flag, no-sudo, which prevents the script from exiting
if it is not run by root is added.
* An additional flag, disable-checks, which accepts a comma-separated list
of checks to be disabled is added.
* The script checks whether there has been an error in parsing the
command-line arguments and fails with a usage message if there has.
* The log flag now optionally takes a log file name.
* The location of the configuration file is calculated relative to the
location of the main script and if it cannot be found the script fails
gracefully.
* The various file locations specified in the buck-security configuration
file are made relative to the location of the buck-security script or the
sysroot as appropriate.
* If a log file has been specified the log is not also printed to stdout.
* The command actually executed is printed in the log.
* Some checks for mutually exclusive options are added.
* Output level 3 is now meaningless, so it has been removed.
* Various changes have been made to the report format.
* Results are sorted lexicographically and, if abspath, do not include
the sysroot.
* checks/*.pm files
* Wherever a directory had been hard-coded it is now parameterized on the
sysroot.
* In some cases, a test that had previously been run as a bash test was
converted to a perl test to allow better handling of results and errors.
* The output parameter is no longer accepted by the check procedure since
this value is global.
* All check procedures now accept an output_type parameter.
* The dangling URLs are removed from the help text.
* checks/lib/check.pm
* The CheckBash and CheckPerl functions have been adapted so that the
filepaths are not hard-coded and so that the actual command is made
available to the logging component.
* A parameter indicating the outcome type is accepted and passed to the
exception checker.
* Error output is clearly distinguished from regular output.
* A failure in a test is clearly distinguished from an insecure result.
* The output is no longer formatted in the check functions.
* checks/lib/mkchecksum.pm
* The command is no longer run on non-existent directories.
* checks/lib/exceptions.pm
* The exception file path is located relative to the buck-security script.
* If the exceptions are pathnames, the sysroot is prepended.
* Correct wildcard semantics are observed.
* checks/lib/users.pm
* The passwd files are located relative to the sysroot.
* Reading from the password file is made more principled.
* The test experiences an error if files cannot be found rather than
the script terminating.
* Some dead code is eliminated.
* conf/buck-security.conf
* The checksum_dir variable is a list instead of a string for easier
manipulation.
* The new configuration variable sysdir is added and the default is /.
* The ssh_config variable is added.
* All tests are included in the checks variable.
* checks/sshd.pm
* The ssh config file is set in the buck-security configuration file
instead of hard-coded here.
* checks/nopasswd.pm
* This is a duplicate of emptypasswd, so it is removed.
* RDEPENDS_${PN}_class-native variable is added as some tasks make no
sense when run externally. Since they will not be run, there is no point
75 lines
1.7 KiB
Index: buck-security_0.6/buck-security
===================================================================
--- buck-security_0.6.orig/buck-security 2013-09-10 20:58:49.564292001 -0400
+++ buck-security_0.6/buck-security 2013-09-11 10:07:40.440543001 -0400
@@ -28,11 +28,6 @@
# start time
my $start_time = time();
-# Runned by root?
-if ( $> != 0 ) {
- print STDERR "Only root can run this program\n";
- exit 1;
-}
# Read Options from command line (--help, --log and --output), run buck --help for more information
my $man = 0;
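Review bot: deleting the early `$> != 0` test here moves the privilege check to after `{ package Config; do $config_file }` (two hunks down), so the configuration file is sourced before the caller's identity is checked; if that ordering is deliberate (the check needs `$opt_pseudo`, which is only known after GetOptions), a one-line comment should say so, because `do` executes arbitrary Perl from that file. The comment that follows, `# Read Options from command line (--help, --log and --output)`, is also stale now: it omits --sysroot, --make-checksums and the --pseudo option added below.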
@@ -41,13 +36,15 @@
my $opt_log = ''; # Log? via --log
my $opt_checksum = 0;
my $opt_sysroot = '';
+my $opt_pseudo = 0;
GetOptions(
'output=i' => \$opt_output,
'log=s' => \$opt_log,
'help|?' => \$help,
man => \$man,
'make-checksums' => \$opt_checksum,
- 'sysroot=s' => \$opt_sysroot
+ 'sysroot=s' => \$opt_sysroot,
+ 'pseudo' => \$opt_pseudo
) ||
pod2usage(
-message => "\n",
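Review bot: the commit message above describes a `no-sudo` flag "which prevents the script from exiting if it is not run by root", but the GetOptions table in this hunk has no such option; `--pseudo` is the only flag that bypasses the root check, so the message and the option name need to be reconciled. `'pseudo' => \$opt_pseudo` is a bare boolean that nothing else validates, so if the intent is "do not insist on uid 0" a name that says so (the `no-sudo` from the message, for example) would describe what the code does better than the name of a tool the script never invokes.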
@@ -73,6 +70,12 @@
{ package Config; do $config_file }
+if ( $> != 0 && ! $opt_pseudo) {
+ print STDERR "If you are not using pseudo you must run this script as root.\n";
+ exit 1;
+}
+
+
if ($opt_sysroot) {
$Config::sysroot = $opt_sysroot;
}
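Review bot: `if ( $> != 0 && ! $opt_pseudo)` bypasses the root check on the caller's say-so; nothing verifies that pseudo is actually active. When the script really is running under pseudo, geteuid() is already faked to 0, so `$> != 0` is false and the flag is never consulted; the flag therefore only has an effect when the script is *not* under pseudo, which is the opposite of what "--pseudo" suggests. Either check for a pseudo marker in the environment (bitbake's FAKEROOTENV exports PSEUDO_PREFIX and PSEUDO_LOCALSTATEDIR, for instance) or document the flag as "skip the root check". The two trailing `+` blank lines are also noise; one separator before `if ($opt_sysroot)` is enough.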
@@ -98,6 +101,17 @@
+if ($opt_pseudo) {
+ @Config::checks = grep
+ { $_ ne 'checksum' &&
+ $_ ne 'firewall' &&
+ $_ ne 'services' &&
+ $_ ne 'usermask' }
+ @Config::checks;
+}
+
+
+
if ($opt_checksum != 0) {
use mkchecksum;
mkchecksum->MkChecksum();
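Review bot: the set of checks dropped under --pseudo (`checksum`, `firewall`, `services`, `usermask`) is hard-coded in the script, while the `checks` list it filters lives in conf/buck-security.conf (the commit message says every test is listed there); a companion variable in the config, or at least a comment explaining that these four inspect the running host rather than the sysroot, would keep the two lists next to each other. The grep is also silent: neither the user nor the log is told which checks were removed, so a report produced with --pseudo looks complete when it is not. Three added blank lines before `if ($opt_checksum != 0)` is excessive; keep one.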
@@ -219,6 +233,9 @@
--sysroot=<root>
specify the root directory of the filesystem to be analyzed
+ --pseudo
+ if set, run with pseudo
+
=head1 FURTHER INFORMATION
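Review bot: `if set, run with pseudo` does not describe the behaviour: the script never invokes pseudo; the flag skips the root check and removes the checksum, firewall, services and usermask checks from the run. Suggest documenting it as what it does, along the lines of `--pseudo: the caller is running under pseudo (or otherwise without root); skip the root check and the host-only checks (checksum, firewall, services, usermask)`.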