From patchwork Thu Oct 16 21:22:00 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72524
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][PATCH 01/15] kas: use repo name Date: Thu, 16 Oct 2025 17:22:00 -0400 Message-ID: <6cbe841e8b09ac4804e8c87e23f81d68f97c17f4.1760648348.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 16 Oct 2025 21:22:34 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2326 From: Marta Rybczynska Use the repo name directly, otherwise the build can get the wrong clone. Signed-off-by: Marta Rybczynska --- kas/kas-security-base.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml index 17f4bb3..e5af7bc 100644 --- a/kas/kas-security-base.yml +++ b/kas/kas-security-base.yml 
@@ -6,7 +6,7 @@ distro: poky repos: meta-security: layers: - ../meta-security: + ../meta-security-staging: meta-tpm: meta-integrity: meta-hardening:
From patchwork Thu Oct 16 21:22:01 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72525
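Review bot: in the kas/kas-security-base.yml hunk of 01/15, the replacement entry "../meta-security-staging:" under "layers:" still climbs out of the repository and selects a sibling directory by name, so the build now resolves only when the checkout directory is called meta-security-staging, and any other clone name (including meta-security, the name of the repo key itself) either fails or picks up whatever tree happens to sit at that path. If the intent is "the root layer of this repository", a path that stays inside the repo, such as ".", would not depend on the clone name; otherwise the commit message should say why the staging directory name is the one to expect.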
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][PATCH 02/15] lynis: move to GitHub fetching Date: Thu, 16 Oct 2025 17:22:01 -0400 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 16 Oct 2025 21:22:44 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2327 From: Marta Rybczynska Move to fetching from GitHub hashes to avoid issues at releases, when the last-recent release changes place. Signed-off-by: Marta Rybczynska --- recipes-compliance/lynis/lynis_3.1.5.bb | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/recipes-compliance/lynis/lynis_3.1.5.bb b/recipes-compliance/lynis/lynis_3.1.5.bb index 3d1e8b7..51414c0 100644 --- a/recipes-compliance/lynis/lynis_3.1.5.bb +++ b/recipes-compliance/lynis/lynis_3.1.5.bb 
@@ -6,14 +6,12 @@ HOMEDIR = "https://cisofy.com/lynis/" LICENSE = "GPL-3.0-only" LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1" -SRC_URI = "https://downloads.cisofy.com/lynis/${BPN}-${PV}.tar.gz" +SRC_URI = "git://github.com/CISOfy/lynis.git;branch=master;protocol=https" -SRC_URI[sha256sum] = "8d2c6652ba60116a82514522b666ca77293f4bfc69f1e581028769f7ebb52ba4" +SRCREV = "380b414e09bbca70be59a1b7ddccfaed4c30e1aa" #UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis" -S = "${UNPACKDIR}/${BPN}" - inherit autotools-brokensep do_compile[noexec] = "1"
From patchwork Thu Oct 16 21:22:02 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72528
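Review bot: in the lynis_3.1.5.bb hunk of 02/15, nothing ties the new SRCREV to the 3.1.5 release that the recipe file name claims, so a reader cannot confirm from the recipe that the pinned commit is the tagged release rather than an arbitrary point on master. The removed SRC_URI[sha256sum] pinned a named release tarball; the git pin is equally strong only if the commit is documented, so a comment naming the tag next to SRCREV would help. The commented-out "#UPSTREAM_CHECK" line still points at downloads.cisofy.com, which this change stops using, and should be updated or dropped.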
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][PATCH 03/15] chipsec: update to 1.13.16 Date: Thu, 16 Oct 2025 17:22:02 -0400 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 16 Oct 2025 21:22:44 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2328 From: Marta Rybczynska Update from 1.9.1 (October 2022) to the latest 1.x release, 1.13.16. Changelog: https://github.com/chipsec/chipsec/releases Signed-off-by: Marta Rybczynska --- .../chipsec/{chipsec_1.9.1.bb => chipsec_1.13.16.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename recipes-security/chipsec/{chipsec_1.9.1.bb => chipsec_1.13.16.bb} (95%) diff --git a/recipes-security/chipsec/chipsec_1.9.1.bb b/recipes-security/chipsec/chipsec_1.13.16.bb similarity index 95% rename from recipes-security/chipsec/chipsec_1.9.1.bb rename to recipes-security/chipsec/chipsec_1.13.16.bb index ef293bc..5d65e89 100644 --- a/recipes-security/chipsec/chipsec_1.9.1.bb +++ b/recipes-security/chipsec/chipsec_1.13.16.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=bc2d1f9b427be5fb63f6af9da56f7c5d" DEPENDS = "virtual/kernel nasm-native" SRC_URI = "git://github.com/chipsec/chipsec.git;branch=main;protocol=https" -SRCREV = "d8c2a606bf440c32196c6289a7a458f3ae3107cc" +SRCREV = "c5e396716caf3749f728e43d0895317b593f5b95" inherit module setuptools3
From patchwork Thu Oct 16 21:22:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72531
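Review bot: in the chipsec_1.13.16.bb hunk of 03/15, only SRCREV moves, so after this commit chipsec 1.13.16 is still pulled in by the packagegroup while 04/15 states that this version does not work on kernel 6.16; the tree is left in a known-broken state between the two patches, which hurts bisection. Folding the SKIP_RECIPE change into this patch, or ordering it first, would keep every commit buildable. A comment naming the tag the new SRCREV corresponds to would also let a reader confirm the pin against the release the file name claims.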
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][PATCH 04/15] chipsec: disable until 6.16 support is fixed Date: Thu, 16 Oct 2025 17:22:03 -0400 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 16 Oct 2025 21:22:45 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2329 From: Marta Rybczynska The 1.13.16 version does not work on the kernel 6.16 for now [1]. Disable when waiting for the fix. [1] https://github.com/chipsec/chipsec/issues/2563 Signed-off-by: Marta Rybczynska --- recipes-core/packagegroup/packagegroup-core-security.bb | 4 ++-- recipes-security/chipsec/chipsec_1.13.16.bb | 2 ++ 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb index bda78ce..3f5b0a5 100644 --- a/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/recipes-core/packagegroup/packagegroup-core-security.bb @@ -46,8 +46,8 @@ RDEPENDS:packagegroup-security-utils = "\ " have_krill = "${@bb.utils.contains("DISTRO_FEATURES", "pam", "krill", "",d)}" -RDEPENDS:packagegroup-security-utils:append:x86 = " chipsec ${have_krill}" -RDEPENDS:packagegroup-security-utils:append:x86-64 = " firejail chipsec ${have_krill}" +RDEPENDS:packagegroup-security-utils:append:x86 = " ${have_krill}" +RDEPENDS:packagegroup-security-utils:append:x86-64 = " firejail ${have_krill}" RDEPENDS:packagegroup-security-utils:append:aarch64 = " firejail ${have_krill}" RDEPENDS:packagegroup-security-utils:remove:libc-musl = "krill firejail" diff --git a/recipes-security/chipsec/chipsec_1.13.16.bb b/recipes-security/chipsec/chipsec_1.13.16.bb index 5d65e89..9698d8f 100644 --- a/recipes-security/chipsec/chipsec_1.13.16.bb 
+++ b/recipes-security/chipsec/chipsec_1.13.16.bb 
@@ -34,3 +34,5 @@ FILES:${PN} += "${exec_prefix}" RDEPENDS:${PN} = "python3 python3-modules" INSANE_SKIP:${PN} = "already-stripped" + +SKIP_RECIPE[chipsec] ?= "Waiting for upstream support of the kernel 6.16"
From patchwork Thu Oct 16 21:22:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72530
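Review bot: in the chipsec_1.13.16.bb hunk of 04/15, the SKIP_RECIPE[chipsec] line appended at the end of the recipe skips it unconditionally, although the stated reason concerns kernel 6.16 only, so a build that uses an older kernel loses chipsec as well. If that is intended, say so in the commit message; if not, the skip needs a condition on the kernel version. The skip text would also be more useful with the upstream issue URL from the commit message (https://github.com/chipsec/chipsec/issues/2563), and the packagegroup hunk has no comment marking the removal of chipsec from the x86 and x86-64 RDEPENDS as temporary, which makes it easy to forget to restore once the recipe is re-enabled.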
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][PATCH 05/15] test: allow root login for test images Date: Thu, 16 Oct 2025 17:22:04 -0400 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 16 Oct 2025 21:22:45 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2330 From: Marta Rybczynska Signed-off-by: Marta Rybczynska --- kas/qemux86-test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/kas/qemux86-test.yml b/kas/qemux86-test.yml index 98f1e7f..c4609f9 100644 --- a/kas/qemux86-test.yml +++ b/kas/qemux86-test.yml 
@@ -6,5 +6,6 @@ header: local_conf_header: ptest: | DISTRO_FEATURES:append = " ptest" + EXTRA_IMAGE_FEATURES:append = " allow-empty-password allow-root-login empty-root-password" machine: qemux86
From patchwork Thu Oct 16 21:22:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72534
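Review bot: in the kas/qemux86-test.yml hunk of 05/15, the added EXTRA_IMAGE_FEATURES:append line turns on root login with an empty password and is placed under the "ptest:" key of local_conf_header, with no commit message body explaining why the tests need it. Because the setting is security-relevant and the key name gives no hint of it, anyone who includes or copies this file for a non-test image inherits a passwordless root account without noticing. Put it under its own key with a comment stating it is for QEMU test images only, and add a sentence to the commit message naming the test step that requires the login.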
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][PATCH 06/15] python3-fail2ban: fix ptest failures Date: Thu, 16 Oct 2025 17:22:05 -0400 Message-ID: <8264087da918402e13f40e674ce6b054f58ad1a9.1760648348.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 16 Oct 2025 21:22:45 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2331 From: Yi Zhao Fix ptest failures by backporting patches and updating test case config files. Before the patch: $ ptest-runner python3-fail2ban START: ptest-runner 2025-09-11T15:42 BEGIN: /usr/lib64/python3-fail2ban/ptest Ran 524 tests in 23.023s FAILED (failures=5, errors=7, skipped=3) DURATION: 24 END: /usr/lib64/python3-fail2ban/ptest 2025-09-11T15:42 STOP: ptest-runner TOTAL: 1 FAIL: 1 After the patch: $ ptest-runner python3-fail2ban START: ptest-runner 2025-09-11T15:59 BEGIN: /usr/lib64/python3-fail2ban/ptest Ran 524 tests in 25.982s OK (skipped=3) DURATION: 27 END: /usr/lib64/python3-fail2ban/ptest 2025-09-11T15:59 STOP: ptest-runner TOTAL: 1 FAIL: 0 Signed-off-by: Yi Zhao --- ...ges-the-IPs-again.-additionally-it-g.patch | 210 ++++++++++++++++++ ...case.py-set-correct-config-dir-for-t.patch | 35 +++ .../fail2ban/python3-fail2ban_git.bb | 12 +- 3 files changed, 256 insertions(+), 1 deletion(-) create mode 100644 dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch create mode 100644 dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch 
diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch new file mode 100644 index 0000000..73014ab --- /dev/null +++ b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch 
@@ -0,0 +1,210 @@ +From 5b6c13f0aae79a23d94570bacd1b5796e57f088d Mon Sep 17 00:00:00 2001 +From: sebres +Date: Thu, 30 Jan 2025 01:05:30 +0100 +Subject: [PATCH] example.com changes the IPs, again... additionally it got + more IPs, which look unstable now (depends on resolver), so replaced with + fail2ban.org, that seems to resolve to single IPv4 and IPv6 (can be adjusted + later for something more persistent) + + +Upstream-Status: Backport +[https://github.com/fail2ban/fail2ban/commit/5b6c13f0aae79a23d94570bacd1b5796e57f088d] + +Signed-off-by: Yi Zhao +--- + .../tests/files/logs/apache-fakegooglebot | 6 +- + fail2ban/tests/files/testcase-usedns.log | 4 +- + fail2ban/tests/filtertestcase.py | 58 +++++++++---------- + fail2ban/tests/utils.py | 4 +- + 4 files changed, 36 insertions(+), 36 deletions(-) + +diff --git a/fail2ban/tests/files/logs/apache-fakegooglebot b/fail2ban/tests/files/logs/apache-fakegooglebot +index b77a1a6b..024842fd 100644 +--- a/fail2ban/tests/files/logs/apache-fakegooglebot ++++ b/fail2ban/tests/files/logs/apache-fakegooglebot +@@ -1,5 +1,5 @@ + # Apache 2.2 + # failJSON: { "time": "2015-01-31T14:29:44", "match": true, "host": "66.249.66.1" } +-66.249.66.1 - - - [31/Jan/2015:14:29:44 ] example.com "GET / HTTP/1.1" 200 814 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" + 293 1149 546 +-# failJSON: { "time": "2015-01-31T14:29:44", "match": false, "host": "93.184.215.14" } +-93.184.215.14 - - - [31/Jan/2015:14:29:44 ] example.com "GET / HTTP/1.1" 200 814 "-" "NOT A __GOOGLE_BOT__" + 293 1149 546 ++66.249.66.1 - - - [31/Jan/2015:14:29:44 ] fail2ban.org "GET / HTTP/1.1" 200 814 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" + 293 1149 546 ++# failJSON: { "time": "2015-01-31T14:29:44", "match": false, "host": "51.159.55.100" } ++51.159.55.100 - - - [31/Jan/2015:14:29:44 ] fail2ban.org "GET / HTTP/1.1" 200 814 "-" "NOT A __GOOGLE_BOT__" + 293 1149 546 +diff --git 
a/fail2ban/tests/files/testcase-usedns.log b/fail2ban/tests/files/testcase-usedns.log +index eea6eb44..3e7b36bb 100644 +--- a/fail2ban/tests/files/testcase-usedns.log ++++ b/fail2ban/tests/files/testcase-usedns.log +@@ -1,2 +1,2 @@ +-Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2 +-Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2 ++Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2 ++Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2 +diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py +index 20945b78..26961a1b 100644 +--- a/fail2ban/tests/filtertestcase.py ++++ b/fail2ban/tests/filtertestcase.py +@@ -587,14 +587,14 @@ class IgnoreIP(LogCaptureTestCase): + self.assertNotLogged("returned successfully") + + def testIgnoreCauseOK(self): +- ip = "93.184.215.14" ++ ip = "51.159.55.100" + for ignore_source in ["dns", "ip", "command"]: + self.filter.logIgnoreIp(ip, True, ignore_source=ignore_source) + self.assertLogged("[%s] Ignore %s by %s" % (self.jail.name, ip, ignore_source)) + + def testIgnoreCauseNOK(self): +- self.filter.logIgnoreIp("example.com", False, ignore_source="NOT_LOGGED") +- self.assertNotLogged("[%s] Ignore %s by %s" % (self.jail.name, "example.com", "NOT_LOGGED")) ++ self.filter.logIgnoreIp("fail2ban.org", False, ignore_source="NOT_LOGGED") ++ self.assertNotLogged("[%s] Ignore %s by %s" % (self.jail.name, "fail2ban.org", "NOT_LOGGED")) + + + class IgnoreIPDNS(LogCaptureTestCase): +@@ -607,7 +607,7 @@ class IgnoreIPDNS(LogCaptureTestCase): + self.filter = FileFilter(self.jail) + + def testIgnoreIPDNS(self): +- for dns in ("www.epfl.ch", "example.com"): ++ for dns in ("www.epfl.ch", "fail2ban.org"): + self.filter.addIgnoreIP(dns) + ips = DNSUtils.dnsToIp(dns) + self.assertTrue(len(ips) > 0) +@@ -1892,22 +1892,22 @@ class 
GetFailures(LogCaptureTestCase): + #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils. + # We should still catch failures with usedns = no ;-) + output_yes = ( +- ('93.184.215.14', 1, 1124013299.0, +- ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2'] ++ ('51.159.55.100', 1, 1124013299.0, ++ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2'] + ), +- ('93.184.215.14', 1, 1124013539.0, +- ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2'] ++ ('51.159.55.100', 1, 1124013539.0, ++ ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2'] + ), +- ('2606:2800:21f:cb07:6820:80da:af6b:8b2c', 1, 1124013299.0, +- ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2'] ++ ('2001:bc8:1200:6:208:a2ff:fe0c:61f8', 1, 1124013299.0, ++ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2'] + ), + ) + if not unittest.F2B.no_network and not DNSUtils.IPv6IsAllowed(): + output_yes = output_yes[0:2] + + output_no = ( +- ('93.184.215.14', 1, 1124013539.0, +- ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2'] ++ ('51.159.55.100', 1, 1124013539.0, ++ ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2'] + ) + ) + +@@ -2098,10 +2098,10 @@ class DNSUtilsNetworkTests(unittest.TestCase): + super(DNSUtilsNetworkTests, self).setUp() + #unittest.F2B.SkipIfNoNetwork() + +- ## example.com IPs considering IPv6 support (without network it is simulated via cache in utils). ++ ## fail2ban.org IPs considering IPv6 support (without network it is simulated via cache in utils). 
+ EXAMPLE_ADDRS = ( +- ['93.184.215.14', '2606:2800:21f:cb07:6820:80da:af6b:8b2c'] if unittest.F2B.no_network or DNSUtils.IPv6IsAllowed() else \ +- ['93.184.215.14'] ++ ['51.159.55.100', '2001:bc8:1200:6:208:a2ff:fe0c:61f8'] if unittest.F2B.no_network or DNSUtils.IPv6IsAllowed() else \ ++ ['51.159.55.100'] + ) + + def test_IPAddr(self): +@@ -2163,13 +2163,13 @@ class DNSUtilsNetworkTests(unittest.TestCase): + self.assertTrue(r < ip6) + + def testUseDns(self): +- res = DNSUtils.textToIp('www.example.com', 'no') ++ res = DNSUtils.textToIp('www.fail2ban.org', 'no') + self.assertSortedEqual(res, []) + #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils. +- res = DNSUtils.textToIp('www.example.com', 'warn') ++ res = DNSUtils.textToIp('www.fail2ban.org', 'warn') + # sort ipaddr, IPv4 is always smaller as IPv6 + self.assertSortedEqual(res, self.EXAMPLE_ADDRS) +- res = DNSUtils.textToIp('www.example.com', 'yes') ++ res = DNSUtils.textToIp('www.fail2ban.org', 'yes') + # sort ipaddr, IPv4 is always smaller as IPv6 + self.assertSortedEqual(res, self.EXAMPLE_ADDRS) + +@@ -2177,13 +2177,13 @@ class DNSUtilsNetworkTests(unittest.TestCase): + #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils. 
+ # Test hostnames + hostnames = [ +- 'www.example.com', ++ 'www.fail2ban.org', + 'doh1.2.3.4.buga.xxxxx.yyy.invalid', + '1.2.3.4.buga.xxxxx.yyy.invalid', + ] + for s in hostnames: + res = DNSUtils.textToIp(s, 'yes') +- if s == 'www.example.com': ++ if s == 'www.fail2ban.org': + # sort ipaddr, IPv4 is always smaller as IPv6 + self.assertSortedEqual(res, self.EXAMPLE_ADDRS) + else: +@@ -2234,8 +2234,8 @@ class DNSUtilsNetworkTests(unittest.TestCase): + + self.assertEqual(IPAddr('192.0.2.0').getPTR(), '0.2.0.192.in-addr.arpa.') + self.assertEqual(IPAddr('192.0.2.1').getPTR(), '1.2.0.192.in-addr.arpa.') +- self.assertEqual(IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c').getPTR(), +- 'c.2.b.8.b.6.f.a.a.d.0.8.0.2.8.6.7.0.b.c.f.1.2.0.0.0.8.2.6.0.6.2.ip6.arpa.') ++ self.assertEqual(IPAddr('2001:db8::1').getPTR(), ++ '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.') + + def testIPAddr_Equal6(self): + self.assertEqual( +@@ -2365,10 +2365,10 @@ class DNSUtilsNetworkTests(unittest.TestCase): + + def testIPAddr_CompareDNS(self): + #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils. 
+- ips = IPAddr('example.com') +- self.assertTrue(IPAddr("93.184.215.14").isInNet(ips)) +- self.assertEqual(IPAddr("2606:2800:21f:cb07:6820:80da:af6b:8b2c").isInNet(ips), +- "2606:2800:21f:cb07:6820:80da:af6b:8b2c" in self.EXAMPLE_ADDRS) ++ ips = IPAddr('fail2ban.org') ++ self.assertTrue(IPAddr("51.159.55.100").isInNet(ips)) ++ self.assertEqual(IPAddr("2001:bc8:1200:6:208:a2ff:fe0c:61f8").isInNet(ips), ++ "2001:bc8:1200:6:208:a2ff:fe0c:61f8" in self.EXAMPLE_ADDRS) + + def testIPAddr_wrongDNS_IP(self): + unittest.F2B.SkipIfNoNetwork() +@@ -2376,11 +2376,11 @@ class DNSUtilsNetworkTests(unittest.TestCase): + DNSUtils.ipToName('*') + + def testIPAddr_Cached(self): +- ips = [DNSUtils.dnsToIp('example.com'), DNSUtils.dnsToIp('example.com')] ++ ips = [DNSUtils.dnsToIp('fail2ban.org'), DNSUtils.dnsToIp('fail2ban.org')] + for ip1, ip2 in zip(ips, ips): + self.assertEqual(id(ip1), id(ip2)) +- ip1 = IPAddr('93.184.215.14'); ip2 = IPAddr('93.184.215.14'); self.assertEqual(id(ip1), id(ip2)) +- ip1 = IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'); ip2 = IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'); self.assertEqual(id(ip1), id(ip2)) ++ ip1 = IPAddr('51.159.55.100'); ip2 = IPAddr('51.159.55.100'); self.assertEqual(id(ip1), id(ip2)) ++ ip1 = IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'); ip2 = IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'); self.assertEqual(id(ip1), id(ip2)) + + def test_NetworkInterfacesAddrs(self): + for withMask in (False, True): +diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py +index f71ba60a..e6ef54f3 100644 +--- a/fail2ban/tests/utils.py ++++ b/fail2ban/tests/utils.py +@@ -326,8 +326,8 @@ def initTests(opts): + ('failed.dns.ch', set()), + ('doh1.2.3.4.buga.xxxxx.yyy.invalid', set()), + ('1.2.3.4.buga.xxxxx.yyy.invalid', set()), +- ('example.com', set([IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'), IPAddr('93.184.215.14')])), +- ('www.example.com', set([IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'), IPAddr('93.184.215.14')])), ++ 
('fail2ban.org', set([IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'), IPAddr('51.159.55.100')])), ++ ('www.fail2ban.org', set([IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'), IPAddr('51.159.55.100')])), + ): + c.set(*i) + # if fast - precache all host names as localhost addresses (speed-up getSelfIPs/ignoreself): +-- +2.34.1 + diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch new file mode 100644 index 0000000..a60b0fd --- /dev/null +++ b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch 
@@ -0,0 +1,35 @@ +From 9f26da3cf854e48b7939c2a9baa0cb3ffbee5994 Mon Sep 17 00:00:00 2001 +From: Yi Zhao +Date: Thu, 11 Sep 2025 22:36:07 +0800 +Subject: [PATCH] clientreadertestcase.py: set correct config dir for + testReadStockJailFilterComplete + +In test case testReadStockJailFilterComplete, set configuration +directory to CONFIG_DIR (/etc/fail2ban/filter.d on the target) instead +of the hardcoded "config" directory. Otherwise, the config files will +not be found during runtime testing. + +Upstream-Status: Backport +[https://github.com/fail2ban/fail2ban/commit/9f26da3cf854e48b7939c2a9baa0cb3ffbee5994] + +Signed-off-by: Yi Zhao +--- + fail2ban/tests/clientreadertestcase.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py +index e6a2806c..b8ebbbc7 100644 +--- a/fail2ban/tests/clientreadertestcase.py ++++ b/fail2ban/tests/clientreadertestcase.py +@@ -878,7 +878,7 @@ class JailsReaderTest(LogCaptureTestCase): + self.assertTrue(jails.getOptions()) # reads fine + # grab all filter names + filters = set(os.path.splitext(os.path.split(a)[1])[0] +- for a in glob.glob(os.path.join('config', 'filter.d', '*.conf')) ++ for a in glob.glob(os.path.join(CONFIG_DIR, 'filter.d', '*.conf')) + if not (a.endswith('common.conf') or a.endswith('-aggressive.conf'))) + # get filters of all jails (filter names without options inside filter[...]) + filters_jail = set( +-- +2.34.1 + diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb index 7312bf8..b0b65de 100644 --- a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb +++ b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb 
@@ -13,6 +13,8 @@ DEPENDS = "python3-native" SRCREV = "ac62658c10f492911f8a0037a0bcf97c8521cd78" SRC_URI = "git://github.com/fail2ban/fail2ban.git;branch=master;protocol=https \ + file://0001-example.com-changes-the-IPs-again.-additionally-it-g.patch \ + file://0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch \ file://initd \ file://run-ptest \ " 
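Review bot: Both patches added to SRC_URI in this hunk are upstream backports that change only files under fail2ban/tests, while SRCREV stays at ac62658c10f492911f8a0037a0bcf97c8521cd78. Moving SRCREV to a revision that already contains 5b6c13f0aae79a23d94570bacd1b5796e57f088d and 9f26da3cf854e48b7939c2a9baa0cb3ffbee5994 would avoid carrying 245 lines of test-only patch in the layer.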
@@ -47,8 +49,16 @@ do_install_ptest:append () { sed -i -e 's/##PYTHON##/python3/g' ${D}${PTEST_PATH}/run-ptest install -D ${S}/bin/* ${D}${PTEST_PATH}/bin rm -f ${D}${PTEST_PATH}/bin/fail2ban-python -} + for i in checklogtype.conf zzz-generic-example.conf zzz-sshd-obsolete-multiline.conf; do + sed -i -e 's|^before =.*|before = ${sysconfdir}/fail2ban/filter.d/common.conf|g' \ + ${D}${PYTHON_SITEPACKAGES_DIR}/fail2ban/tests/config/filter.d/${i} + done + + install -m 0644 ${S}/README.md ${D}${PTEST_PATH} + sed -i -e 's|^logpath = README.md|logpath = ${PTEST_PATH}/README.md|g' \ + ${D}${PYTHON_SITEPACKAGES_DIR}/fail2ban/tests/config/jail.conf +} INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME = "fail2ban-server"
From patchwork Thu Oct 16 21:22:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72533
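Review bot: In the backported 0001 patch above, the expectations in filtertestcase.py (EXAMPLE_ADDRS, the GetFailures output tuples, testIPAddr_CompareDNS) and the cache entries in utils.py pin fail2ban.org to 51.159.55.100 and 2001:bc8:1200:6:208:a2ff:fe0c:61f8, which is the same kind of live-DNS dependency that just broke with example.com; the patch's own subject says it "can be adjusted later for something more persistent". Those values only stay correct on the target while unittest.F2B.no_network is set and the cache in utils.py answers the lookups, so confirm run-ptest runs the suite that way. The getPTR assertion, which moved to the documentation address 2001:db8::1, is the one place where the patch removes the dependency entirely.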
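Review bot: In the 0002 patch above, the commit message describes CONFIG_DIR as "/etc/fail2ban/filter.d on the target", but the changed line is os.path.join(CONFIG_DIR, 'filter.d', '*.conf'), so CONFIG_DIR has to be the parent directory or the glob would look in filter.d/filter.d and match nothing. Correct the description, and since the hunk adds no import, confirm CONFIG_DIR is already in scope in clientreadertestcase.py.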
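Review bot: In the do_install_ptest:append hunk above, both new sed -i calls exit 0 when their pattern matches nothing, so if upstream changes the "before =" line in one of the three filter files or the "logpath = README.md" line in tests/config/jail.conf, the build still succeeds and the breakage only shows up when ptest runs on the target. Follow each sed with a grep -q for the rewritten value and fail the task when it is missing. The three file names in the for loop are also hard-coded, so a test filter added upstream with the same kind of "before =" line will not be rewritten.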
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-security][PATCH 07/15] python3-fail2ban: update to latest git rev
Date: Thu, 16 Oct 2025 17:22:06 -0400
Message-ID: <3b13ff12067a8090507b0aac2f1223a94b76de09.1760648348.git.scott.murray@konsulko.com>
X-Mailer: git-send-email 2.51.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2332

From: Yi Zhao

Update to latest git rev as the current version doesn't work with OpenSSH 9.8+[1].

Ptest result:
$ ptest-runner python3-fail2ban
START: ptest-runner
2025-09-21T12:45
BEGIN: /usr/lib64/python3-fail2ban/ptest
Ran 538 tests in 13.045s
OK (skipped=3)
DURATION: 14
END: /usr/lib64/python3-fail2ban/ptest
2025-09-21T12:46
STOP: ptest-runner
TOTAL: 1 FAIL: 0

[1] https://github.com/fail2ban/fail2ban/commit/2fed408c05ac5206b490368d94599869bd6a056d

Signed-off-by: Yi Zhao
---
 ...ges-the-IPs-again.-additionally-it-g.patch | 210 ------------------
 ...case.py-set-correct-config-dir-for-t.patch | 35 ---
 .../fail2ban/python3-fail2ban_git.bb | 4 +-
 3 files changed, 1 insertion(+), 248 deletions(-)
 delete mode 100644 dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch
 delete mode 100644 dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch
diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch deleted file mode 100644 index 73014ab..0000000 --- a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch +++ /dev/null 
@@ -1,210 +0,0 @@ -From 5b6c13f0aae79a23d94570bacd1b5796e57f088d Mon Sep 17 00:00:00 2001 -From: sebres -Date: Thu, 30 Jan 2025 01:05:30 +0100 -Subject: [PATCH] example.com changes the IPs, again... additionally it got - more IPs, which look unstable now (depends on resolver), so replaced with - fail2ban.org, that seems to resolve to single IPv4 and IPv6 (can be adjusted - later for something more persistent) - - -Upstream-Status: Backport -[https://github.com/fail2ban/fail2ban/commit/5b6c13f0aae79a23d94570bacd1b5796e57f088d] - -Signed-off-by: Yi Zhao ---- - .../tests/files/logs/apache-fakegooglebot | 6 +- - fail2ban/tests/files/testcase-usedns.log | 4 +- - fail2ban/tests/filtertestcase.py | 58 +++++++++---------- - fail2ban/tests/utils.py | 4 +- - 4 files changed, 36 insertions(+), 36 deletions(-) - -diff --git a/fail2ban/tests/files/logs/apache-fakegooglebot b/fail2ban/tests/files/logs/apache-fakegooglebot -index b77a1a6b..024842fd 100644 ---- a/fail2ban/tests/files/logs/apache-fakegooglebot -+++ b/fail2ban/tests/files/logs/apache-fakegooglebot -@@ -1,5 +1,5 @@ - # Apache 2.2 - # failJSON: { "time": "2015-01-31T14:29:44", "match": true, "host": "66.249.66.1" } --66.249.66.1 - - - [31/Jan/2015:14:29:44 ] example.com "GET / HTTP/1.1" 200 814 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" + 293 1149 546 --# failJSON: { "time": "2015-01-31T14:29:44", "match": false, "host": "93.184.215.14" } --93.184.215.14 - - - [31/Jan/2015:14:29:44 ] example.com "GET / HTTP/1.1" 200 814 "-" "NOT A __GOOGLE_BOT__" + 293 1149 546 -+66.249.66.1 - - - [31/Jan/2015:14:29:44 ] fail2ban.org "GET / HTTP/1.1" 200 814 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" + 293 1149 546 -+# failJSON: { "time": "2015-01-31T14:29:44", "match": false, "host": "51.159.55.100" } -+51.159.55.100 - - - [31/Jan/2015:14:29:44 ] fail2ban.org "GET / HTTP/1.1" 200 814 "-" "NOT A __GOOGLE_BOT__" + 293 1149 546 -diff --git 
a/fail2ban/tests/files/testcase-usedns.log b/fail2ban/tests/files/testcase-usedns.log -index eea6eb44..3e7b36bb 100644 ---- a/fail2ban/tests/files/testcase-usedns.log -+++ b/fail2ban/tests/files/testcase-usedns.log -@@ -1,2 +1,2 @@ --Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2 --Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2 -+Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2 -+Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2 -diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py -index 20945b78..26961a1b 100644 ---- a/fail2ban/tests/filtertestcase.py -+++ b/fail2ban/tests/filtertestcase.py -@@ -587,14 +587,14 @@ class IgnoreIP(LogCaptureTestCase): - self.assertNotLogged("returned successfully") - - def testIgnoreCauseOK(self): -- ip = "93.184.215.14" -+ ip = "51.159.55.100" - for ignore_source in ["dns", "ip", "command"]: - self.filter.logIgnoreIp(ip, True, ignore_source=ignore_source) - self.assertLogged("[%s] Ignore %s by %s" % (self.jail.name, ip, ignore_source)) - - def testIgnoreCauseNOK(self): -- self.filter.logIgnoreIp("example.com", False, ignore_source="NOT_LOGGED") -- self.assertNotLogged("[%s] Ignore %s by %s" % (self.jail.name, "example.com", "NOT_LOGGED")) -+ self.filter.logIgnoreIp("fail2ban.org", False, ignore_source="NOT_LOGGED") -+ self.assertNotLogged("[%s] Ignore %s by %s" % (self.jail.name, "fail2ban.org", "NOT_LOGGED")) - - - class IgnoreIPDNS(LogCaptureTestCase): -@@ -607,7 +607,7 @@ class IgnoreIPDNS(LogCaptureTestCase): - self.filter = FileFilter(self.jail) - - def testIgnoreIPDNS(self): -- for dns in ("www.epfl.ch", "example.com"): -+ for dns in ("www.epfl.ch", "fail2ban.org"): - self.filter.addIgnoreIP(dns) - ips = DNSUtils.dnsToIp(dns) - self.assertTrue(len(ips) > 0) -@@ -1892,22 +1892,22 @@ class 
GetFailures(LogCaptureTestCase): - #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils. - # We should still catch failures with usedns = no ;-) - output_yes = ( -- ('93.184.215.14', 1, 1124013299.0, -- ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2'] -+ ('51.159.55.100', 1, 1124013299.0, -+ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2'] - ), -- ('93.184.215.14', 1, 1124013539.0, -- ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2'] -+ ('51.159.55.100', 1, 1124013539.0, -+ ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2'] - ), -- ('2606:2800:21f:cb07:6820:80da:af6b:8b2c', 1, 1124013299.0, -- ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2'] -+ ('2001:bc8:1200:6:208:a2ff:fe0c:61f8', 1, 1124013299.0, -+ ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2'] - ), - ) - if not unittest.F2B.no_network and not DNSUtils.IPv6IsAllowed(): - output_yes = output_yes[0:2] - - output_no = ( -- ('93.184.215.14', 1, 1124013539.0, -- ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2'] -+ ('51.159.55.100', 1, 1124013539.0, -+ ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2'] - ) - ) - -@@ -2098,10 +2098,10 @@ class DNSUtilsNetworkTests(unittest.TestCase): - super(DNSUtilsNetworkTests, self).setUp() - #unittest.F2B.SkipIfNoNetwork() - -- ## example.com IPs considering IPv6 support (without network it is simulated via cache in utils). -+ ## fail2ban.org IPs considering IPv6 support (without network it is simulated via cache in utils). 
- EXAMPLE_ADDRS = ( -- ['93.184.215.14', '2606:2800:21f:cb07:6820:80da:af6b:8b2c'] if unittest.F2B.no_network or DNSUtils.IPv6IsAllowed() else \ -- ['93.184.215.14'] -+ ['51.159.55.100', '2001:bc8:1200:6:208:a2ff:fe0c:61f8'] if unittest.F2B.no_network or DNSUtils.IPv6IsAllowed() else \ -+ ['51.159.55.100'] - ) - - def test_IPAddr(self): -@@ -2163,13 +2163,13 @@ class DNSUtilsNetworkTests(unittest.TestCase): - self.assertTrue(r < ip6) - - def testUseDns(self): -- res = DNSUtils.textToIp('www.example.com', 'no') -+ res = DNSUtils.textToIp('www.fail2ban.org', 'no') - self.assertSortedEqual(res, []) - #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils. -- res = DNSUtils.textToIp('www.example.com', 'warn') -+ res = DNSUtils.textToIp('www.fail2ban.org', 'warn') - # sort ipaddr, IPv4 is always smaller as IPv6 - self.assertSortedEqual(res, self.EXAMPLE_ADDRS) -- res = DNSUtils.textToIp('www.example.com', 'yes') -+ res = DNSUtils.textToIp('www.fail2ban.org', 'yes') - # sort ipaddr, IPv4 is always smaller as IPv6 - self.assertSortedEqual(res, self.EXAMPLE_ADDRS) - -@@ -2177,13 +2177,13 @@ class DNSUtilsNetworkTests(unittest.TestCase): - #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils. 
- # Test hostnames - hostnames = [ -- 'www.example.com', -+ 'www.fail2ban.org', - 'doh1.2.3.4.buga.xxxxx.yyy.invalid', - '1.2.3.4.buga.xxxxx.yyy.invalid', - ] - for s in hostnames: - res = DNSUtils.textToIp(s, 'yes') -- if s == 'www.example.com': -+ if s == 'www.fail2ban.org': - # sort ipaddr, IPv4 is always smaller as IPv6 - self.assertSortedEqual(res, self.EXAMPLE_ADDRS) - else: -@@ -2234,8 +2234,8 @@ class DNSUtilsNetworkTests(unittest.TestCase): - - self.assertEqual(IPAddr('192.0.2.0').getPTR(), '0.2.0.192.in-addr.arpa.') - self.assertEqual(IPAddr('192.0.2.1').getPTR(), '1.2.0.192.in-addr.arpa.') -- self.assertEqual(IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c').getPTR(), -- 'c.2.b.8.b.6.f.a.a.d.0.8.0.2.8.6.7.0.b.c.f.1.2.0.0.0.8.2.6.0.6.2.ip6.arpa.') -+ self.assertEqual(IPAddr('2001:db8::1').getPTR(), -+ '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.') - - def testIPAddr_Equal6(self): - self.assertEqual( -@@ -2365,10 +2365,10 @@ class DNSUtilsNetworkTests(unittest.TestCase): - - def testIPAddr_CompareDNS(self): - #unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils. 
-- ips = IPAddr('example.com') -- self.assertTrue(IPAddr("93.184.215.14").isInNet(ips)) -- self.assertEqual(IPAddr("2606:2800:21f:cb07:6820:80da:af6b:8b2c").isInNet(ips), -- "2606:2800:21f:cb07:6820:80da:af6b:8b2c" in self.EXAMPLE_ADDRS) -+ ips = IPAddr('fail2ban.org') -+ self.assertTrue(IPAddr("51.159.55.100").isInNet(ips)) -+ self.assertEqual(IPAddr("2001:bc8:1200:6:208:a2ff:fe0c:61f8").isInNet(ips), -+ "2001:bc8:1200:6:208:a2ff:fe0c:61f8" in self.EXAMPLE_ADDRS) - - def testIPAddr_wrongDNS_IP(self): - unittest.F2B.SkipIfNoNetwork() -@@ -2376,11 +2376,11 @@ class DNSUtilsNetworkTests(unittest.TestCase): - DNSUtils.ipToName('*') - - def testIPAddr_Cached(self): -- ips = [DNSUtils.dnsToIp('example.com'), DNSUtils.dnsToIp('example.com')] -+ ips = [DNSUtils.dnsToIp('fail2ban.org'), DNSUtils.dnsToIp('fail2ban.org')] - for ip1, ip2 in zip(ips, ips): - self.assertEqual(id(ip1), id(ip2)) -- ip1 = IPAddr('93.184.215.14'); ip2 = IPAddr('93.184.215.14'); self.assertEqual(id(ip1), id(ip2)) -- ip1 = IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'); ip2 = IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'); self.assertEqual(id(ip1), id(ip2)) -+ ip1 = IPAddr('51.159.55.100'); ip2 = IPAddr('51.159.55.100'); self.assertEqual(id(ip1), id(ip2)) -+ ip1 = IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'); ip2 = IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'); self.assertEqual(id(ip1), id(ip2)) - - def test_NetworkInterfacesAddrs(self): - for withMask in (False, True): -diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py -index f71ba60a..e6ef54f3 100644 ---- a/fail2ban/tests/utils.py -+++ b/fail2ban/tests/utils.py -@@ -326,8 +326,8 @@ def initTests(opts): - ('failed.dns.ch', set()), - ('doh1.2.3.4.buga.xxxxx.yyy.invalid', set()), - ('1.2.3.4.buga.xxxxx.yyy.invalid', set()), -- ('example.com', set([IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'), IPAddr('93.184.215.14')])), -- ('www.example.com', set([IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'), IPAddr('93.184.215.14')])), -+ 
('fail2ban.org', set([IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'), IPAddr('51.159.55.100')])), -+ ('www.fail2ban.org', set([IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'), IPAddr('51.159.55.100')])), - ): - c.set(*i) - # if fast - precache all host names as localhost addresses (speed-up getSelfIPs/ignoreself): --- -2.34.1 - diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch deleted file mode 100644 index a60b0fd..0000000 --- a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 9f26da3cf854e48b7939c2a9baa0cb3ffbee5994 Mon Sep 17 00:00:00 2001 -From: Yi Zhao -Date: Thu, 11 Sep 2025 22:36:07 +0800 -Subject: [PATCH] clientreadertestcase.py: set correct config dir for - testReadStockJailFilterComplete - -In test case testReadStockJailFilterComplete, set configuration -directory to CONFIG_DIR (/etc/fail2ban/filter.d on the target) instead -of the hardcoded "config" directory. Otherwise, the config files will -not be found during runtime testing. - -Upstream-Status: Backport -[https://github.com/fail2ban/fail2ban/commit/9f26da3cf854e48b7939c2a9baa0cb3ffbee5994] - -Signed-off-by: Yi Zhao ---- - fail2ban/tests/clientreadertestcase.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py -index e6a2806c..b8ebbbc7 100644 ---- a/fail2ban/tests/clientreadertestcase.py -+++ b/fail2ban/tests/clientreadertestcase.py -@@ -878,7 +878,7 @@ class JailsReaderTest(LogCaptureTestCase): - self.assertTrue(jails.getOptions()) # reads fine - # grab all filter names - filters = set(os.path.splitext(os.path.split(a)[1])[0] -- for a in glob.glob(os.path.join('config', 'filter.d', '*.conf')) -+ for a in glob.glob(os.path.join(CONFIG_DIR, 'filter.d', '*.conf')) - if not (a.endswith('common.conf') or a.endswith('-aggressive.conf'))) - # get filters of all jails (filter names without options inside filter[...]) - filters_jail = set( --- -2.34.1 - diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb index b0b65de..c85953a 100644 --- a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb +++ b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb 
@@ -11,10 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f" DEPENDS = "python3-native" -SRCREV = "ac62658c10f492911f8a0037a0bcf97c8521cd78" +SRCREV = "2856092709470250dc299931bc748f112590059f" SRC_URI = "git://github.com/fail2ban/fail2ban.git;branch=master;protocol=https \ - file://0001-example.com-changes-the-IPs-again.-additionally-it-g.patch \ - file://0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch \ file://initd \ file://run-ptest \ "
From patchwork Thu Oct 16 21:22:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72532
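Review bot: The commit message for PATCH 07/15 covers only the SRCREV bump and the OpenSSH 9.8+ fix [1]; it does not mention that 0001-example.com-changes-the-IPs-again.-additionally-it-g.patch and 0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch are deleted. Both files carry Upstream-Status: Backport with upstream commits 5b6c13f0aae79a23d94570bacd1b5796e57f088d and 9f26da3cf854e48b7939c2a9baa0cb3ffbee5994, so add a line stating that they are dropped because the new SRCREV contains those commits.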
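Review bot: In the python3-fail2ban_git.bb hunk above, the SRCREV line moves from ac62658c10f492911f8a0037a0bcf97c8521cd78 to 2856092709470250dc299931bc748f112590059f on branch=master, but the message calls it only "latest git rev" and cites 2fed408c05ac5206b490368d94599869bd6a056d as the reason. Record in the message that the new revision includes that commit, and if the recipe sets PV from a version string elsewhere in the file, check that it still matches the new revision, since this hunk does not touch it.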
87VbQFszCWmp+sE5f4x+A7OgSje2ZesYnSljs= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760649760; x=1761254560; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=EALPpaQVsvx1uMGkDTAH3ni+1zWtqTZtDnD0uPqXfQA=; b=Alkn9UT4bB+qPFhM5us5fapPEelaZfeTI3OWNPhec0wpCQlmy0wm5645eA99fiD7Qs jUCWBzc8lylwpEf5AkLHO0tXw5885/KwpICzVqJFi0oS8WSus/Jrx2Qf5fu/iF1bXIqS YrB3i7H0zzvOJTnDvItMCGkfOlmNY4TuizxWoaob95Q/15Wcby0BA6OBdyrQ4fQjMLrR cQcaFbpf5aPlhcCtV073GAlYZfeIBXXfZlBD0oPpCO9gJDGo3oSRFJTrZm/0mnilyMJD o0YwwwWrKjY1C3Kb7BjBt97jaS3aoCtYvqO1AfV17B/ULfNt5WpbDtPmxpUuIerKUFqg 45WA== X-Gm-Message-State: AOJu0YzhIzbHkKw2K3vKVrgyTIK/KGfiiY43U2/b8vnnouwku2UjLJAb 8ouRf58+OzUYnQFxyqKlIhshiKvwUhkn5t/mmDNWxRt2PMTZ5uluyso/wXk1B/WcDY4TafAJzvx TymI2 X-Gm-Gg: ASbGncvbQeGXZZDnwEnI+6ahD78sr8zDTkHeyDz2kTdHcl8DYmabWUdhjkg7pEEhIIn vhfqIVbHTOtFu9ZCoqQtKVnPxgYc+wXzsCJ2QqWNp+CWLSPhJUPnFtxtOgDvoO83o2PKlc1EBew toGyJ7Y/dmOs2y1nizHp3Uj/ECW5C/JlbUP0dtTFokdSMLt41IgvCzt2M4dn+lGUjhyElJyrsfe tI7aoZxgchMxm1UzkINZRgizsEZZ+mtBoPIxMYw16TjrDppFztSfcMMDo2v/At3+KPJbqyrUEqu pG0O+9NbtHjrzHOgwj8z9MgFxEUCNP+lMqGp54EtT0LyJZdhuWyGJF5QpNnIUXfD2DgRkJfQzxl 6K8Xyz6beSxNBtbRlPOc0J1PbFNu2rd49RF4GCnEKB1tC+3MwJX13HvJETH+SuomQkHo+rW7OFR q9QZbgSUjx1YHpvWAKIdvGu1YfTUKCJzrFHJr8zr7S1FF3cTMR2Mlbk8KwJvx5HhM= X-Google-Smtp-Source: AGHT+IElNGOt8I2kUdV+C57snsoAfaUnKQ+d6ElZvcl6GkaEvu4OSCyMU/RQkY87jheovaoaKtOh0w== X-Received: by 2002:a05:6214:da5:b0:87c:1d24:7b7f with SMTP id 6a1803df08f44-87c2068520amr24083716d6.23.1760649759520; Thu, 16 Oct 2025 14:22:39 -0700 (PDT) Received: from ghidorah.spiteful.org (107-179-213-3.cpe.teksavvy.com. [107.179.213.3]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-87c1c2fd4f4sm14647466d6.7.2025.10.16.14.22.38 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Oct 2025 14:22:38 -0700 (PDT) 
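Review bot: In python3-fail2ban_git.bb, both file:// patch entries leave SRC_URI in the same hunk that moves SRCREV to 2856092709470250dc299931bc748f112590059f, and the visible lines do not show that the new revision already contains both fixes. The deleted 0002 patch is marked Upstream-Status: Backport of fail2ban commit 9f26da3cf854e48b7939c2a9baa0cb3ffbee5994, so confirm that commit is an ancestor of the new SRCREV, do the same for the 0001 example.com patch, and say so in the commit message if it does not already; otherwise testReadStockJailFilterComplete goes back to globbing the hardcoded 'config' directory at runtime.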
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-security][PATCH 08/15] suricata: populate SYSTEMD_SERVICE for service autostart
Date: Thu, 16 Oct 2025 17:22:07 -0400
X-Mailer: git-send-email 2.51.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2333

From: Clayton Casciato

https://docs.yoctoproject.org/dev/ref-manual/variables.html#term-SYSTEMD_SERVICE

Before:
root@beaglebone-yocto:~# systemctl status suricata
* suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; disabled; preset: disabled)
     Active: inactive (dead)
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://redmine.openinfosecfoundation.org/projects/suricata/wiki

After:
root@beaglebone-yocto:~# systemctl status suricata
* suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: enabled)
     Active: active (running) since Mon 2025-09-22 04:05:08 UTC; 20s ago
 Invocation: 8cfeb29631f443f0830bffeb00975931
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://redmine.openinfosecfoundation.org/projects/suricata/wiki
   Main PID: 268 (Suricata-Main)
      Tasks: 7 (limit: 4915)
     Memory: 36.8M (peak: 37M)
        CPU: 2.222s
     CGroup: /system.slice/suricata.service
             `-268 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

Sep 22 04:05:08 beaglebone-yocto systemd[1]: Started Suricata IDS/IDP daemon.
Sep 22 04:05:09 beaglebone-yocto suricata[268]: i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
Sep 22 04:05:10 beaglebone-yocto suricata[268]: W: detect: No rule files match the pattern /var/lib/suricata/rules/suricata.rules
Sep 22 04:05:10 beaglebone-yocto suricata[268]: W: detect: 1 rule files specified, but no rules were loaded!
Sep 22 04:05:10 beaglebone-yocto suricata[268]: i: threads: Threads created -> W: 1 FM: 1 FR: 1 Engine started.

Signed-off-by: Clayton Casciato
---
 recipes-ids/suricata/suricata_7.0.0.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-ids/suricata/suricata_7.0.0.bb b/recipes-ids/suricata/suricata_7.0.0.bb index f02d343..c36fbf1 100644 --- a/recipes-ids/suricata/suricata_7.0.0.bb +++ b/recipes-ids/suricata/suricata_7.0.0.bb
@@ -139,6 +139,7 @@ fi } SYSTEMD_PACKAGES = "${PN}" +SYSTEMD_SERVICE:${PN} = "${BPN}.service" PACKAGES =+ "${PN}-python" FILES:${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
From patchwork Thu Oct 16 21:22:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72526
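Review bot: The added SYSTEMD_SERVICE:${PN} line in suricata_7.0.0.bb makes the sensor start on every boot with no signatures, as the After log in the commit message itself shows ("No rule files match the pattern /var/lib/suricata/rules/suricata.rules", "1 rule files specified, but no rules were loaded!"). Say so in the commit message, and either provision a rule set alongside the unit or mention that integrators who do not want a rule-less IDS started automatically can set SYSTEMD_AUTO_ENABLE = "disable". The same log shows the unit capturing on a fixed interface (-i eth0), which is worth a note now that the service runs unattended.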
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-security][PATCH 09/15] suricata-update: add package to pull files
Date: Thu, 16 Oct 2025 17:22:08 -0400
X-Mailer: git-send-email 2.51.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2334

From: Clayton Casciato

suricata has "--disable-suricata-update"

Original add:
caaeb67863a6 ("suricata-update: add package to pull rules")

Suricata dropped:
7a1691c03726 ("suricata: Drop 4.1.x its EOL")

Not readded:
818a8646a689 ("suricata: rust is in core")

*Changes*
1.2.1 -> 1.3.6
Drop period and trailing space in SUMMARY value
Drop now-redundant "S"
Use HTTPS protocol for SRC_URI
LICENSE "GPLv2" -> "GPL-2.0-only"
Add "python3-shell" RDEPENDS to resolve:
ModuleNotFoundError: No module named 'shlex'

Basic target testing:
root@beaglebone-yocto:~# suricata-update
22/9/2025 -- 04:06:23 - -- Using data-directory /var/lib/suricata.
22/9/2025 -- 04:06:23 - -- Using Suricata configuration /etc/suricata/suricata.yaml
22/9/2025 -- 04:06:23 - -- Using /usr/share/suricata/rules for Suricata provided rules.
22/9/2025 -- 04:06:23 - -- Found Suricata version 7.0.0 at /bin/suricata.
22/9/2025 -- 04:06:23 - -- Loading /etc/suricata/suricata.yaml
22/9/2025 -- 04:06:23 - -- Disabling rules for protocol pgsql
22/9/2025 -- 04:06:23 - -- Disabling rules for protocol modbus
22/9/2025 -- 04:06:23 - -- Disabling rules for protocol dnp3
22/9/2025 -- 04:06:23 - -- Disabling rules for protocol enip
22/9/2025 -- 04:06:23 - -- No sources configured, will use Emerging Threats Open
22/9/2025 -- 04:06:23 - -- Fetching https://rules.emergingthreats.net/open/suricata-7.0.0/emerging.rules.tar.gz.
 100% - 5102134/5102134
22/9/2025 -- 04:06:24 - -- Done.
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/files.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/http2-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/mqtt-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/quic-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/rfb-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/ssh-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
22/9/2025 -- 04:06:25 - -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
22/9/2025 -- 04:06:27 - -- Ignoring file ba1345f233851ca2df4d905ea4b386d2/rules/emerging-deleted.rules
22/9/2025 -- 04:06:57 - -- Loaded 61205 rules.
22/9/2025 -- 04:07:02 - -- Disabled 14 rules.
22/9/2025 -- 04:07:02 - -- Enabled 0 rules.
22/9/2025 -- 04:07:02 - -- Modified 0 rules.
22/9/2025 -- 04:07:02 - -- Dropped 0 rules.
22/9/2025 -- 04:07:03 - -- Enabled 136 rules for flowbit dependencies.
22/9/2025 -- 04:07:03 - -- Creating directory /var/lib/suricata/rules.
22/9/2025 -- 04:07:03 - -- Backing up current rules.
22/9/2025 -- 04:07:03 - -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 61205; enabled: 45406; added: 61205; removed 0; modified: 0
22/9/2025 -- 04:07:06 - -- Writing /var/lib/suricata/rules/classification.config
22/9/2025 -- 04:07:07 - -- Testing with suricata -T.
22/9/2025 -- 04:07:57 - -- Done.

Signed-off-by: Clayton Casciato
---
 .../suricata/python3-suricata-update_1.3.6.bb | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 recipes-ids/suricata/python3-suricata-update_1.3.6.bb

diff --git a/recipes-ids/suricata/python3-suricata-update_1.3.6.bb b/recipes-ids/suricata/python3-suricata-update_1.3.6.bb new file mode 100644 index 0000000..cdf2faa --- /dev/null +++ b/recipes-ids/suricata/python3-suricata-update_1.3.6.bb
@@ -0,0 +1,15 @@ +SUMMARY = "The tool for updating your Suricata rules" +HOMEPAGE = "http://suricata-ids.org/" +SECTION = "security Monitor/Admin" +LICENSE = "GPL-2.0-only" + +LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548" + +SRCREV = "f76a61bdee69961537585a1036c4294da28495a5" +SRC_URI = "git://github.com/OISF/suricata-update;protocol=https;branch=master" + +inherit python3native python3targetconfig setuptools3 + +RDEPENDS:${PN} = "python3-pyyaml python3-logging python3-compression python3-shell" + +BBCLASSEXTEND = "native nativesdk"
From patchwork Thu Oct 16 21:22:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72527
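Review bot: RDEPENDS:${PN} in python3-suricata-update_1.3.6.bb lists only Python modules, yet the test log in the commit message shows the tool locating and running the suricata binary ("Found Suricata version 7.0.0 at /bin/suricata", "Testing with suricata -T"), so installing this package on its own would not pull suricata in. Consider an RRECOMMENDS, or a target-only RDEPENDS, on suricata. HOMEPAGE is also still an http:// URL while the commit message lists "Use HTTPS protocol for SRC_URI" among its cleanups; switching it to https would be consistent.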
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-security][PATCH 10/15] libmhash: fix build with gcc 15
Date: Thu, 16 Oct 2025 17:22:09 -0400
Message-ID: <7de971f4e339bfb13a605211bd71f881b7e05448.1760648348.git.scott.murray@konsulko.com>
X-Mailer: git-send-email 2.51.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2335

From: Yi Zhao

GCC 15 switched to C23 by default, which libmhash does not yet support.
So keep using C17.

Signed-off-by: Yi Zhao
---
 recipes-security/libmhash/libmhash_0.9.9.9.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-security/libmhash/libmhash_0.9.9.9.bb b/recipes-security/libmhash/libmhash_0.9.9.9.bb index f5518d2..805cf05 100644 --- a/recipes-security/libmhash/libmhash_0.9.9.9.bb +++ b/recipes-security/libmhash/libmhash_0.9.9.9.bb
@@ -25,6 +25,8 @@ SRC_URI[sha256sum] = "56521c52a9033779154432d0ae47ad7198914785265e1f570cee21ab24 inherit autotools-brokensep ptest multilib_header +CFLAGS += "-std=gnu17" + do_install:append() { oe_multilib_header mutils/mhash_config.h }
From patchwork Thu Oct 16 21:22:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72538
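Review bot: The added CFLAGS += "-std=gnu17" in libmhash_0.9.9.9.bb has no comment in the recipe, so the reason for pinning the C standard lives only in the commit message. Add a one-line comment above it saying that GCC 15 defaults to C23 and libmhash does not build with it yet, so the pin can be found and dropped once upstream supports C23. As written the flag also applies to every build of the recipe, not only those using GCC 15.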
From: Scott Murray
To: yocto-patches@lists.yoctoproject.org
Cc: Marta Rybczynska
Subject: [meta-security][PATCH 11/15] tripwire: Remove recipe
Date: Thu, 16 Oct 2025 17:22:10 -0400
X-Mailer: git-send-email 2.51.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2337

Remove the tripwire recipe since it has been disabled since May 2021, and upstream has shown no activity since 2018.

Signed-off-by: Scott Murray
---
 .../include/maintainers-meta-security.inc | 1 -
 lib/oeqa/runtime/cases/tripwire.py | 47 -
 recipes-ids/tripwire/files/run-ptest | 3 -
 recipes-ids/tripwire/files/tripwire.cron | 8 -
 recipes-ids/tripwire/files/tripwire.sh | 9 -
 recipes-ids/tripwire/files/tripwire.txt | 69 -
 recipes-ids/tripwire/files/twcfg.txt | 15 -
 recipes-ids/tripwire/files/twinstall.sh | 320 -----
 recipes-ids/tripwire/files/twpol-yocto.txt | 1107 -----------------
 recipes-ids/tripwire/tripwire_2.4.3.7.bb | 75 --
 10 files changed, 1654 deletions(-)
 delete mode 100644 lib/oeqa/runtime/cases/tripwire.py
 delete mode 100644 recipes-ids/tripwire/files/run-ptest
 delete mode 100644 recipes-ids/tripwire/files/tripwire.cron
 delete mode 100644 recipes-ids/tripwire/files/tripwire.sh
 delete mode 100644 recipes-ids/tripwire/files/tripwire.txt
 delete mode 100644 recipes-ids/tripwire/files/twcfg.txt
 delete mode 100644 recipes-ids/tripwire/files/twinstall.sh
 delete mode 100644 recipes-ids/tripwire/files/twpol-yocto.txt
 delete mode 100644 recipes-ids/tripwire/tripwire_2.4.3.7.bb

diff --git a/conf/distro/include/maintainers-meta-security.inc b/conf/distro/include/maintainers-meta-security.inc index c052695..903bb9b 100644 --- a/conf/distro/include/maintainers-meta-security.inc +++ b/conf/distro/include/maintainers-meta-security.inc
@@ -54,4 +54,3 @@ RECIPE_MAINTAINER:pn-samhain = "Scott Murray " RECIPE_MAINTAINER:pn-smack = "Scott Murray " RECIPE_MAINTAINER:pn-sssd = "Scott Murray " RECIPE_MAINTAINER:pn-suricata = "Scott Murray " -RECIPE_MAINTAINER:pn-tripwire = "Scott Murray " diff --git a/lib/oeqa/runtime/cases/tripwire.py b/lib/oeqa/runtime/cases/tripwire.py deleted file mode 100644 index 659724d..0000000 --- a/lib/oeqa/runtime/cases/tripwire.py +++ /dev/null 
@@ -1,47 +0,0 @@ -# Copyright (C) 2019 Armin Kuster -# -import re - -from oeqa.runtime.case import OERuntimeTestCase -from oeqa.core.decorator.depends import OETestDepends -from oeqa.runtime.decorator.package import OEHasPackage - - -class TripwireTest(OERuntimeTestCase): - - @OEHasPackage(['tripwire']) - @OETestDepends(['ssh.SSHTest.test_ssh']) - def test_tripwire_help(self): - status, output = self.target.run('tripwire --help') - msg = ('tripwire command does not work as expected. ' - 'Status and output:%s and %s' % (status, output)) - self.assertEqual(status, 8, msg = msg) - - @OETestDepends(['tripwire.TripwireTest.test_tripwire_help']) - def test_tripwire_twinstall(self): - status, output = self.target.run('/etc/tripwire/twinstall.sh') - match = re.search('The database was successfully generated.', output) - if not match: - msg = ('/etc/tripwire/twinstall.sh failed. ' - 'Status and output:%s and %s' % (status, output)) - self.assertEqual(status, 0, msg = msg) - - @OETestDepends(['tripwire.TripwireTest.test_tripwire_twinstall']) - def test_tripwire_twadmin(self): - status, output = self.target.run('twadmin --create-cfgfile --cfgfile /etc/tripwire/twcfg.enc --site-keyfile /etc/tripwire/site.key -Q tripwire /etc/tripwire/twcfg.txt') - status, output = self.target.run('twadmin --create-polfile --cfgfile /etc/tripwire/twcfg.enc --polfile /etc/tripwire/twpol.enc --site-keyfile /etc/tripwire/site.key -Q tripwire /etc/tripwire/twpol.txt') - match = re.search('Wrote policy file: /etc/tripwire/twpol.enc', output) - if not match: - msg = ('twadmin --create-profile ; failed. 
' - 'Status and output:%s and %s' % (status, output)) - self.assertEqual(status, 0, msg = msg) - - @OETestDepends(['tripwire.TripwireTest.test_tripwire_twadmin']) - def test_tripwire_init(self): - status, hostname = self.target.run('hostname') - status, output = self.target.run('tripwire --init --cfgfile /etc/tripwire/twcfg.enc --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/%s-local.key -P tripwire' % hostname) - match = re.search('The database was successfully generated.', output) - if not match: - msg = ('tripwire --init; Failed for host: %s. ' - 'Status and output:%s and %s' % (hostname, status, output)) - self.assertEqual(status, 0, msg = msg) diff --git a/recipes-ids/tripwire/files/run-ptest b/recipes-ids/tripwire/files/run-ptest deleted file mode 100644 index aedfddc..0000000 --- a/recipes-ids/tripwire/files/run-ptest +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -./twtest.pl diff --git a/recipes-ids/tripwire/files/tripwire.cron b/recipes-ids/tripwire/files/tripwire.cron deleted file mode 100644 index 2035508..0000000 --- a/recipes-ids/tripwire/files/tripwire.cron +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh -HOST_NAME=`uname -n` -if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then - echo "**** Error: Tripwire database for ${HOST_NAME} not found. ****" - echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****" -else - test -f /etc/tripwire/tw.cfg && /usr/sbin/tripwire --check -fi diff --git a/recipes-ids/tripwire/files/tripwire.sh b/recipes-ids/tripwire/files/tripwire.sh deleted file mode 100644 index 4276d10..0000000 --- a/recipes-ids/tripwire/files/tripwire.sh +++ /dev/null 
@@ -1,9 +0,0 @@ -#!/bin/sh -HOST_NAME=`uname -n` -if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then - echo "**** WARNING: Tripwire database for ${HOST_NAME} not found. ****" - echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****" - # Note: /etc/tripwire/twinstall.sh creates and initializes tripwire - # database (i.e tripwire --init). - # Example: . /etc/tripwire/twinstall.sh 2> /dev/null -fi diff --git a/recipes-ids/tripwire/files/tripwire.txt b/recipes-ids/tripwire/files/tripwire.txt deleted file mode 100644 index 332d004..0000000 --- a/recipes-ids/tripwire/files/tripwire.txt +++ /dev/null 
@@ -1,69 +0,0 @@ -Post-Installation Instructions -1. Run the configuration script: /etc/tripwire/twinstall.sh to sign these files. This script walks you through the processes of setting passphrases and signing the Tripwire policy and configuration files. -Note: Once encoded and signed, the configuration file should not be renamed or moved. -2. Initialize the Tripwire database file. (/usr/sbin/tripwire--init) -3. Run the first integrity check. (/usr/sbin/tripwire--check) -4. Edit the configuration file (twcfg.txt) with a text editor, if desired. -5. Edit the policy file (twpol.txt) with a text editor, if desired. - -Note: If you plan to modify the policy file, we recommend you do so before running the configuration script. If you modify the policy file after running the configuration script, you must re-run the configuration file before initializing the database file. - -Modifying the Policy File -You can specify how Tripwire software checks your system in the Tripwire policy file (twpol.txt). A default policy file is included in the Tripwire software installation. We recommend you tailor this policy file to fit your particular system. Tailoring the policy file greatly increases Tripwire software's ability to ensure the integrity of your system. - -Locate the default policy file at /etc/tripwire/twpol.txt. An example policy file (located at /usr/doc/tripwire-VER#-REL#/policyguide.txt) is included to help you learn the policy language. Read the sample policy file and the comments in the sample policy file to learn the policy language. - -After you modify the policy file, follow the Post-Installation Instructions (run the configuration script). This script signs the modified policy file and renames it to tw.pol. This is the active policy file that runs as part of the Tripwire software. - -Selecting Passphrases -Tripwire files are signed or encrypted using site or local keys. These keys are protected by passphrases. 
When selecting passphrases, the following recommendations apply: -Use at least eight alphanumeric and symbolic characters for each passphrase. The maximum length of a passphrase is 1023 characters. Quotes should not be used as passphrase characters. - -Assign a unique passphrase for the site key. The site key passphrase protects the site key, which is used to sign Tripwire software configuration and policy files. Assign a unique passphrase for the local key. The local key signs Tripwire database files. The local key may sign the Tripwire report files also. - -Store the passphrases in a secure location. There is no way to remove encryption from a signed file if you forget your passphrase. If you forget the passphrases, the files are unusable. In that case you must reinitialize the baseline database. - -Initializing the Database -In Database Initialization mode, Tripwire software builds a database of filesystem objects based on the rules in the policy file. This database serves as the baseline for integrity checks. The syntax for Database Initialization mode is: -tripwire --init - -Running an Integrity Check -The Integrity Check mode compares the current file system objects with their properties recorded in the Tripwire database. Violations are printed to stdout. The report file is saved and can later be accessed by twprint. An email option enables you to send email. The syntax for Integrity Check mode is: -tripwire --check - -Printing Reports - twprint Print Report Mode -The twprint --print-report mode prints the contents of a Tripwire report. If you do not specify a report with the --twrfile or -r command-line argument, the default report file specified by the configuration file REPORTFILE variable is used. 
-Example: On a machine named LIGHTHOUSE, the command would be: -./twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr - -Updating the Database after an Integrity Check -Database Update mode enables you to update the Tripwire database after an integrity check if you determine that the violations discovered are valid. This update process saves time by enabling you to update the database without having to re-initialize it. It also enables selective updating, which cannot be done through re-initialization. The syntax for Database Update mode is: -tripwire --update - -Updating the Policy File -Change the way that Tripwire software scans the system by changing the rules in the policy file. You can then update the database without a complete re-initialization. This saves a significant amount of time and preserves security by keeping the policy file synchronized with the database it uses. The syntax for Policy Update mode is: -tripwire --update-policy - -Testing email functions -Test mode tests the software's email notification system, using the settings currently specified in the configuration file. The syntax for Email Test Reporting mode is: -tripwire --test - -Tripwire Components -The policy file begins as a text file containing comments, rules, directives, and variables. These dictate the way Tripwire software checks your system. Each rule in the policy file specifies a system object to be monitored. Rules also describe which changes to the object to report, and which to ignore. - -System objects are the files and directories you wish to monitor. Each object is identified by an object name. A property refers to a single characteristic of an object that Tripwire software can monitor. Directives control conditional processing of sets of rules in a policy file. During installation, the text policy file is encrypted and renamed, and becomes the active policy file. - -The database file is an important component of Tripwire software. 
When first installed, Tripwire software uses the policy file rules to create the database file. The database file is a baseline "snapshot" of the system in a known secure state. Tripwire software compares this baseline against the current system to determine what changes have occurred. This is an integrity check. - -When you perform an integrity check, Tripwire software produces report files. Report files summarize any changes that violated the policy file rules during the integrity check. You can view the report file in a variety of formats, at varying levels of detail. - -The Tripwire configuration file stores system-specific information, such as the location of Tripwire data files. Tripwire software generates some of the configuration file information during installation. The system administrator can change parameters in the configuration file at any time. The configuration file variables POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, and LOCALKEYFILE specify where the policy file, database file, report files, and site and local key files reside. These variables must be defined or the configuration file is invalid. If any of these variables are undefined, an error occurs on execution of Tripwire software and the program exits. - -Tripwire Help -All Tripwire commands support the help arguments. Example: To get help with Create Configuration File mode, type: ./twadmin --help --create-cfgfile - --? Display usage and version information ---help Display all command modes ---help all Display help for all command modes ---help [mode] Display help for current command mode ---version Display version information diff --git a/recipes-ids/tripwire/files/twcfg.txt b/recipes-ids/tripwire/files/twcfg.txt deleted file mode 100644 index 224e920..0000000 --- a/recipes-ids/tripwire/files/twcfg.txt +++ /dev/null 
@@ -1,15 +0,0 @@ -ROOT =/usr/sbin -POLFILE =/etc/tripwire/tw.pol -DBFILE =/var/lib/tripwire/$(HOSTNAME).twd -REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr -SITEKEYFILE =/etc/tripwire/site.key -LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key -EDITOR =/usr/bin/nano -LATEPROMPTING =false -LOOSEDIRECTORYCHECKING =false -MAILNOVIOLATIONS =true -EMAILREPORTLEVEL =3 -REPORTLEVEL =3 -MAILMETHOD =SENDMAIL -SYSLOGREPORTING =false -MAILPROGRAM =/usr/lib/sendmail -t diff --git a/recipes-ids/tripwire/files/twinstall.sh b/recipes-ids/tripwire/files/twinstall.sh deleted file mode 100644 index 7d1b63f..0000000 --- a/recipes-ids/tripwire/files/twinstall.sh +++ /dev/null 
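Review bot: in the removed twcfg.txt, `SYSLOGREPORTING =false` together with `MAILMETHOD =SENDMAIL` and `MAILPROGRAM =/usr/lib/sendmail -t` means integrity-check results leave the device only by mail, with the reports themselves written under /var/lib/tripwire/report on the same filesystem being monitored. If this configuration is being relocated rather than dropped, the successor should turn syslog reporting on, or otherwise get results off the host, instead of copying these values unchanged. The deletion itself needs no change.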
@@ -1,320 +0,0 @@ -#!/bin/sh - -######################################################################## -######################################################################## -## -## Tripwire(R) 2.3 for LINUX(R) Post-RPM installation script -## -## Copyleft information contained in footer -## -######################################################################## -######################################################################## - -##======================================================= -## Setup -##======================================================= - -# We can assume all the correct tools are in place because the -# RPM installed, didn't it? - -##------------------------------------------------------- -## Set HOST_NAME variable -##------------------------------------------------------- -HOST_NAME='localhost' -if uname -n > /dev/null 2> /dev/null ; then - HOST_NAME=`uname -n` -fi - -##------------------------------------------------------- -## Program variables - edited by RPM during initial install -##------------------------------------------------------- - -# Site Passphrase variable -TW_SITE_PASS="tripwire" - -# Complete path to site key -SITE_KEY="/etc/tripwire/site.key" - -# Local Passphrase variable -TW_LOCAL_PASS="tripwire" - -# Complete path to local key -LOCAL_KEY="/etc/tripwire/${HOST_NAME}-local.key" - -# If clobber==true, overwrite files; if false, do not overwrite files. -CLOBBER="false" - -# If prompt==true, ask for confirmation before continuing with install. 
-PROMPT="true" - -# Name of twadmin executeable -TWADMIN="twadmin" - -# Path to twadmin executeable -TWADMPATH=/usr/sbin - -# Path to configuration directory -CONF_PATH="/etc/tripwire" - -# Name of clear text policy file -TXT_POL=$CONF_PATH/twpol.txt - -# Name of clear text configuration file -TXT_CFG=$CONF_PATH/twcfg.txt - -# Name of encrypted configuration file -CONFIG_FILE=$CONF_PATH/tw.cfg - -# Path of the final Tripwire policy file (signed) -SIGNED_POL=`grep POLFILE $TXT_CFG | sed -e 's/^.*=\(.*\)/\1/'` - - -##======================================================= -## Create Key Files -##======================================================= - -##------------------------------------------------------- -## If user has to enter a passphrase, give some -## advice about what is appropriate. -##------------------------------------------------------- - -if [ -z "$TW_SITE_PASS" ] || [ -z "$TW_LOCAL_PASS" ]; then -cat << END_OF_TEXT - ----------------------------------------------- -The Tripwire site and local passphrases are used to -sign a variety of files, such as the configuration, -policy, and database files. - -Passphrases should be at least 8 characters in length -and contain both letters and numbers. - -See the Tripwire manual for more information. -END_OF_TEXT -fi - -##======================================================= -## Generate keys. -##======================================================= - -echo -echo "----------------------------------------------" -echo "Creating key files..." - -##------------------------------------------------------- -## Site key file. -##------------------------------------------------------- - -# If clobber is true, and prompting is off (unattended operation) -# and the key file already exists, remove it. Otherwise twadmin -# will prompt with an "are you sure?" message. 
- -if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$SITE_KEY" ] ; then - rm -f "$SITE_KEY" -fi - -if [ -f "$SITE_KEY" ] && [ "$CLOBBER" = "false" ] ; then - echo "The site key file \"$SITE_KEY\"" - echo 'exists and will not be overwritten.' -else - cmdargs="--generate-keys --site-keyfile \"$SITE_KEY\"" - if [ -n "$TW_SITE_PASS" ] ; then - cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\"" - fi - eval "\"$TWADMPATH/$TWADMIN\" $cmdargs" - if [ $? -ne 0 ] ; then - echo "Error: site key generation failed" - exit 1 - else chmod 640 "$SITE_KEY" - fi -fi - -##------------------------------------------------------- -## Local key file. -##------------------------------------------------------- - -# If clobber is true, and prompting is off (unattended operation) -# and the key file already exists, remove it. Otherwise twadmin -# will prompt with an "are you sure?" message. - -if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$LOCAL_KEY" ] ; then - rm -f "$LOCAL_KEY" -fi - -if [ -f "$LOCAL_KEY" ] && [ "$CLOBBER" = "false" ] ; then - echo "The site key file \"$LOCAL_KEY\"" - echo 'exists and will not be overwritten.' -else - cmdargs="--generate-keys --local-keyfile \"$LOCAL_KEY\"" - if [ -n "$TW_LOCAL_PASS" ] ; then - cmdargs="$cmdargs --local-passphrase \"$TW_LOCAL_PASS\"" - fi - eval "\"$TWADMPATH/$TWADMIN\" $cmdargs" - if [ $? -ne 0 ] ; then - echo "Error: local key generation failed" - exit 1 - else chmod 640 "$LOCAL_KEY" - fi -fi - -##======================================================= -## Sign the Configuration File -##======================================================= - -echo -echo "----------------------------------------------" -echo "Signing configuration file..." - -##------------------------------------------------------- -## If noclobber, then backup any existing config file. 
-##------------------------------------------------------- - -if [ "$CLOBBER" = "false" ] && [ -s "$CONFIG_FILE" ] ; then - backup="${CONFIG_FILE}.$$.bak" - echo "Backing up $CONFIG_FILE" - echo " to $backup" - `mv "$CONFIG_FILE" "$backup"` - if [ $? -ne 0 ] ; then - echo "Error: backup of configuration file failed." - exit 1 - fi -fi - -##------------------------------------------------------- -## Build command line. -##------------------------------------------------------- - -cmdargs="--create-cfgfile" -cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\"" -cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\"" -if [ -n "$TW_SITE_PASS" ] ; then - cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\"" -fi - -##------------------------------------------------------- -## Sign the file. -##------------------------------------------------------- - -eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_CFG\"" -if [ $? -ne 0 ] ; then - echo "Error: signing of configuration file failed." - exit 1 -fi - -# Set the rights properly -chmod 640 "$CONFIG_FILE" - -##------------------------------------------------------- -## We keep the cleartext version around. -##------------------------------------------------------- - -cat << END_OF_TEXT - -A clear-text version of the Tripwire configuration file -$TXT_CFG -has been preserved for your inspection. It is recommended -that you delete this file manually after you have examined it. - -END_OF_TEXT - -##======================================================= -## Sign tripwire policy file. -##======================================================= - -echo -echo "----------------------------------------------" -echo "Signing policy file..." - -##------------------------------------------------------- -## If noclobber, then backup any existing policy file. 
-##------------------------------------------------------- - -if [ "$CLOBBER" = "false" ] && [ -s "$POLICY_FILE" ] ; then - backup="${POLICY_FILE}.$$.bak" - echo "Backing up $POLICY_FILE" - echo " to $backup" - mv "$POLICY_FILE" "$backup" - if [ $? -ne 0 ] ; then - echo "Error: backup of policy file failed." - exit 1 - fi -fi - -##------------------------------------------------------- -## Build command line. -##------------------------------------------------------- - -cmdargs="--create-polfile" -cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\"" -cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\"" -if [ -n "$TW_SITE_PASS" ] ; then - cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\"" -fi - -##------------------------------------------------------- -## Sign the file. -##------------------------------------------------------- - -eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_POL\"" -if [ $? -ne 0 ] ; then - echo "Error: signing of policy file failed." - exit 1 -fi - -# Set the proper rights on the newly signed policy file. -chmod 0640 "$SIGNED_POL" - -##------------------------------------------------------- -## We keep the cleartext version around. -##------------------------------------------------------- - -cat << END_OF_TEXT - -A clear-text version of the Tripwire policy file -$TXT_POL -has been preserved for your inspection. This implements -a minimal policy, intended only to test essential -Tripwire functionality. You should edit the policy file -to describe your system, and then use twadmin to generate -a new signed copy of the Tripwire policy. - -END_OF_TEXT - -# Initialize tripwire database -/usr/sbin/tripwire --init --cfgfile $CONFIG_FILE --site-keyfile $SITE_KEY \ ---local-passphrase $TW_LOCAL_PASS 2> /dev/null - -######################################################################## -######################################################################## -# -# TRIPWIRE GPL NOTICES -# -# The developer of the original code and/or files is Tripwire, Inc. 
-# Portions created by Tripwire, Inc. are copyright 2000 Tripwire, Inc. -# Tripwire is a registered trademark of Tripwire, Inc. All rights reserved. -# -# This program is free software. The contents of this file are subject to -# the terms of the GNU General Public License as published by the Free -# Software Foundation; either version 2 of the License, or (at your option) -# any later version. You may redistribute it and/or modify it only in -# compliance with the GNU General Public License. -# -# This program is distributed in the hope that it will be useful. However, -# this program is distributed "AS-IS" WITHOUT ANY WARRANTY; INCLUDING THE -# IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. -# Please see the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# Nothing in the GNU General Public License or any other license to use the -# code or files shall permit you to use Tripwire's trademarks, -# service marks, or other intellectual property without Tripwire's -# prior written consent. -# -# If you have any questions, please contact Tripwire, Inc. at either -# info@tripwire.org or www.tripwire.org. -# -######################################################################## -######################################################################## diff --git a/recipes-ids/tripwire/files/twpol-yocto.txt b/recipes-ids/tripwire/files/twpol-yocto.txt deleted file mode 100644 index 65f5f75..0000000 --- a/recipes-ids/tripwire/files/twpol-yocto.txt +++ /dev/null 
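Review bot: the removed twinstall.sh sets `TW_SITE_PASS="tripwire"` and `TW_LOCAL_PASS="tripwire"` in its "Program variables" block, so as shipped in this file the site and local keys are generated non-interactively under a passphrase that is published in the layer, and the same values are then passed on the twadmin command line through `--site-passphrase` and `--local-passphrase` inside an `eval`. Dropping the script removes that default, but the commit message should tell users that keys, signed config/policy files and databases created by it need to be regenerated with real, distinct passphrases. Two further defects should not be carried into any replacement: the policy backup block tests `-s "$POLICY_FILE"` although only `SIGNED_POL` is ever assigned, so an existing signed policy is never backed up, and the closing `tripwire --init` call sends stderr to /dev/null and never checks its exit status, so a failed database initialisation is silent.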
@@ -1,1107 +0,0 @@ - ############################################################################## - # ## -############################################################################## # -# # # -# Generic Policy file # # -# V1.2.0rh # # -# August 9, 2001 # # -# ## -############################################################################## - - - ############################################################################## - # ## -############################################################################## # -# # # -# This is the example Tripwire Policy file. It is intended as a place to # # -# start creating your own custom Tripwire Policy file. Referring to it as # # -# well as the Tripwire Policy Guide should give you enough information to # # -# make a good custom Tripwire Policy file that better covers your # # -# configuration and security needs. A text version of this policy file is # # -# called twpol.txt. # # -# # # -# Note that this file is tuned to an 'everything' install of Red Hat Linux. # # -# If run unmodified, this file should create no errors on database # # -# creation, or violations on a subsiquent integrity check. However, it is # # -# impossible for there to be one policy file for all machines, so this # # -# existing one errs on the side of security. Your Linux configuration will # # -# most likey differ from the one our policy file was tuned to, and will # # -# therefore require some editing of the default Tripwire Policy file. # # -# # # -# The example policy file is best run with 'Loose Directory Checking' # # -# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # # -# file. # # -# # # -# Email support is not included and must be added to this file. # # -# Add the 'emailto=' to the rule directive section of each rule (add a comma # # -# after the 'severity=' line and add an 'emailto=' and include the email # # -# addresses you want the violation reports to go to). Addresses are # # -# semi-colon delimited. 
# # -# ## -############################################################################## - - - - ############################################################################## - # ## -############################################################################## # -# # # -# Global Variable Definitions # # -# # # -# These are defined at install time by the installation script. You may # # -# Manually edit these if you are using this file directly and not from the # # -# installation script itself. # # -# ## -############################################################################## - -@@section GLOBAL -TWROOT=/usr/sbin; -TWBIN=/usr/sbin; -TWPOL="/etc/tripwire"; -TWDB="/var/lib/tripwire"; -TWSKEY="/etc/tripwire"; -TWLKEY="/etc/tripwire"; -TWREPORT="/var/lib/tripwire/report"; -HOSTNAME=localhost; - -@@section FS -SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change -SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set -SEC_BIN = $(ReadOnly) ; # Binaries that should not change -SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often -SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership -SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership -SIG_LOW = 33 ; # Non-critical files that are of minimal security impact -SIG_MED = 66 ; # Non-critical files that are of significant security impact -SIG_HI = 100 ; # Critical files that are significant points of vulnerability - - -# Tripwire Binaries -( - rulename = "Tripwire Binaries", - severity = $(SIG_HI) -) -{ - $(TWBIN)/siggen -> $(SEC_BIN) ; - $(TWBIN)/tripwire -> $(SEC_BIN) ; - $(TWBIN)/twadmin -> $(SEC_BIN) ; - $(TWBIN)/twprint -> $(SEC_BIN) ; -} - -# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases -( - rulename = "Tripwire Data Files", - severity = $(SIG_HI) -) -{ - # NOTE: We remove the inode attribute because when Tripwire creates a backup, - # it does 
so by renaming the old file and creating a new one (which will - # have a new inode number). Inode is left turned on for keys, which shouldn't - # ever change. - - # NOTE: The first integrity check triggers this rule and each integrity check - # afterward triggers this rule until a database update is run, since the - # database file does not exist before that point. - - $(TWDB) -> $(SEC_CONFIG) -i ; - $(TWPOL)/tw.pol -> $(SEC_BIN) -i ; - $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; - $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; - $(TWSKEY)/site.key -> $(SEC_BIN) ; - - #don't scan the individual reports - $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; -} - - -# Tripwire HQ Connector Binaries -#( -# rulename = "Tripwire HQ Connector Binaries", -# severity = $(SIG_HI) -#) -#{ -# $(TWBIN)/hqagent -> $(SEC_BIN) ; -#} -# -# Tripwire HQ Connector - Configuration Files, Keys, and Logs - - ############################################################################## - # ## -############################################################################## # -# # # -# Note: File locations here are different than in a stock HQ Connector # # -# installation. This is because Tripwire 2.3 uses a different path # # -# structure than Tripwire 2.2.1. # # -# # # -# You may need to update your HQ Agent configuation file (or this policy # # -# file) to correct the paths. We have attempted to support the FHS standard # # -# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # # -# places them. 
# # -# ## -############################################################################## - -#( -# rulename = "Tripwire HQ Connector Data Files", -# severity = $(SIG_HI) -#) -#{ -# ############################################################################# -# ############################################################################## -# # NOTE: Removing the inode attribute because when Tripwire creates a backup ## -# # it does so by renaming the old file and creating a new one (which will ## -# # have a new inode number). Leaving inode turned on for keys, which ## -# # shouldn't ever change. ## -# ############################################################################# -# -# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; -# $(TWLKEY)/authentication.key -> $(SEC_BIN) ; -# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; -# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; -# -# # Uncomment if you have agent logging enabled. -# #/var/log/tripwire/agent.log -> $(SEC_LOG) ; -#} - - - -# Commonly accessed directories that should remain static with regards to owner and group -( - rulename = "Invariant Directories", - severity = $(SIG_MED) -) -{ - / -> $(SEC_INVARIANT) (recurse = 0) ; - /home -> $(SEC_INVARIANT) (recurse = 0) ; - /etc -> $(SEC_INVARIANT) (recurse = 0) ; -} - ################################################ - # ## -################################################ # -# # # -# File System and Disk Administration Programs # # -# ## -################################################ - -( - rulename = "File System and Disk Administraton Programs", - severity = $(SIG_HI) -) -{ - /sbin/accton -> $(SEC_CRIT) ; - /sbin/badblocks -> $(SEC_CRIT) ; - /sbin/busybox -> $(SEC_CRIT) ; - /sbin/busybox.anaconda -> $(SEC_CRIT) ; - /sbin/convertquota -> $(SEC_CRIT) ; - /sbin/dosfsck -> $(SEC_CRIT) ; - /sbin/debugfs -> $(SEC_CRIT) ; - /sbin/debugreiserfs -> $(SEC_CRIT) ; - /sbin/dumpe2fs -> $(SEC_CRIT) ; - /sbin/dump -> $(SEC_CRIT) ; - /sbin/dump.static -> $(SEC_CRIT) ; - # /sbin/e2fsadm -> 
$(SEC_CRIT) ; tune2fs? - /sbin/e2fsck -> $(SEC_CRIT) ; - /sbin/e2label -> $(SEC_CRIT) ; - /sbin/fdisk -> $(SEC_CRIT) ; - /sbin/fsck -> $(SEC_CRIT) ; - /sbin/fsck.ext2 -> $(SEC_CRIT) ; - /sbin/fsck.ext3 -> $(SEC_CRIT) ; - /sbin/fsck.minix -> $(SEC_CRIT) ; - /sbin/fsck.msdos -> $(SEC_CRIT) ; - /sbin/fsck.vfat -> $(SEC_CRIT) ; - /sbin/ftl_check -> $(SEC_CRIT) ; - /sbin/ftl_format -> $(SEC_CRIT) ; - /sbin/hdparm -> $(SEC_CRIT) ; - #/sbin/lvchange -> $(SEC_CRIT) ; - #/sbin/lvcreate -> $(SEC_CRIT) ; - #/sbin/lvdisplay -> $(SEC_CRIT) ; - #/sbin/lvextend -> $(SEC_CRIT) ; - #/sbin/lvmchange -> $(SEC_CRIT) ; - #/sbin/lvmcreate_initrd -> $(SEC_CRIT) ; - #/sbin/lvmdiskscan -> $(SEC_CRIT) ; - #/sbin/lvmsadc -> $(SEC_CRIT) ; - #/sbin/lvmsar -> $(SEC_CRIT) ; - #/sbin/lvreduce -> $(SEC_CRIT) ; - #/sbin/lvremove -> $(SEC_CRIT) ; - #/sbin/lvrename -> $(SEC_CRIT) ; - #/sbin/lvscan -> $(SEC_CRIT) ; - /sbin/mkbootdisk -> $(SEC_CRIT) ; - /sbin/mkdosfs -> $(SEC_CRIT) ; - /sbin/mke2fs -> $(SEC_CRIT) ; - /sbin/mkfs -> $(SEC_CRIT) ; - /sbin/mkfs.bfs -> $(SEC_CRIT) ; - /sbin/mkfs.ext2 -> $(SEC_CRIT) ; - /sbin/mkfs.minix -> $(SEC_CRIT) ; - /sbin/mkfs.msdos -> $(SEC_CRIT) ; - /sbin/mkfs.vfat -> $(SEC_CRIT) ; - /sbin/mkinitrd -> $(SEC_CRIT) ; - #/sbin/mkpv -> $(SEC_CRIT) ; - /sbin/mkraid -> $(SEC_CRIT) ; - /sbin/mkreiserfs -> $(SEC_CRIT) ; - /sbin/mkswap -> $(SEC_CRIT) ; - #/sbin/mtx -> $(SEC_CRIT) ; - /sbin/pam_console_apply -> $(SEC_CRIT) ; - /sbin/parted -> $(SEC_CRIT) ; - /sbin/pcinitrd -> $(SEC_CRIT) ; - #/sbin/pvchange -> $(SEC_CRIT) ; - #/sbin/pvcreate -> $(SEC_CRIT) ; - #/sbin/pvdata -> $(SEC_CRIT) ; - #/sbin/pvdisplay -> $(SEC_CRIT) ; - #/sbin/pvmove -> $(SEC_CRIT) ; - #/sbin/pvscan -> $(SEC_CRIT) ; - /sbin/quotacheck -> $(SEC_CRIT) ; - /sbin/quotaon -> $(SEC_CRIT) ; - /sbin/raidstart -> $(SEC_CRIT) ; - /sbin/reiserfsck -> $(SEC_CRIT) ; - /sbin/resize2fs -> $(SEC_CRIT) ; - /sbin/resize_reiserfs -> $(SEC_CRIT) ; - /sbin/restore -> $(SEC_CRIT) ; - /sbin/restore.static -> $(SEC_CRIT) ; - 
/sbin/scsi_info -> $(SEC_CRIT) ; - /sbin/sfdisk -> $(SEC_CRIT) ; - /sbin/stinit -> $(SEC_CRIT) ; - #/sbin/tapeinfo -> $(SEC_CRIT) ; - /sbin/tune2fs -> $(SEC_CRIT) ; - /sbin/unpack -> $(SEC_CRIT) ; - /sbin/update -> $(SEC_CRIT) ; - #/sbin/vgcfgbackup -> $(SEC_CRIT) ; - #/sbin/vgcfgrestore -> $(SEC_CRIT) ; - #/sbin/vgchange -> $(SEC_CRIT) ; - #/sbin/vgck -> $(SEC_CRIT) ; - #/sbin/vgcreate -> $(SEC_CRIT) ; - #/sbin/vgdisplay -> $(SEC_CRIT) ; - #/sbin/vgexport -> $(SEC_CRIT) ; - #/sbin/vgextend -> $(SEC_CRIT) ; - #/sbin/vgimport -> $(SEC_CRIT) ; - #/sbin/vgmerge -> $(SEC_CRIT) ; - #/sbin/vgmknodes -> $(SEC_CRIT) ; - #/sbin/vgreduce -> $(SEC_CRIT) ; - #/sbin/vgremove -> $(SEC_CRIT) ; - #/sbin/vgrename -> $(SEC_CRIT) ; - #/sbin/vgscan -> $(SEC_CRIT) ; - #/sbin/vgsplit -> $(SEC_CRIT) ; - /bin/chgrp -> $(SEC_CRIT) ; - /bin/chmod -> $(SEC_CRIT) ; - /bin/chown -> $(SEC_CRIT) ; - /bin/cp -> $(SEC_CRIT) ; - /bin/cpio -> $(SEC_CRIT) ; - /bin/mount -> $(SEC_CRIT) ; - /bin/umount -> $(SEC_CRIT) ; - /bin/mkdir -> $(SEC_CRIT) ; - /bin/mknod -> $(SEC_CRIT) ; - /bin/mktemp -> $(SEC_CRIT) ; - /bin/rm -> $(SEC_CRIT) ; - /bin/rmdir -> $(SEC_CRIT) ; - /bin/touch -> $(SEC_CRIT) ; -} - - ################################## - # ## -################################## # -# # # -# Kernel Administration Programs # # -# ## -################################## - -( - rulename = "Kernel Administration Programs", - severity = $(SIG_HI) -) -{ - /sbin/adjtimex -> $(SEC_CRIT) ; - /sbin/ctrlaltdel -> $(SEC_CRIT) ; - /sbin/depmod -> $(SEC_CRIT) ; - /sbin/insmod -> $(SEC_CRIT) ; - /sbin/insmod.static -> $(SEC_CRIT) ; - /sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ; - /sbin/klogd -> $(SEC_CRIT) ; - /sbin/ldconfig -> $(SEC_CRIT) ; - /sbin/minilogd -> $(SEC_CRIT) ; - /sbin/modinfo -> $(SEC_CRIT) ; - #/sbin/nuactlun -> $(SEC_CRIT) ; - #/sbin/nuscsitcpd -> $(SEC_CRIT) ; - /sbin/pivot_root -> $(SEC_CRIT) ; - /sbin/sndconfig -> $(SEC_CRIT) ; - /sbin/sysctl -> $(SEC_CRIT) ; -} - - ####################### - # ## 
-####################### # -# # # -# Networking Programs # # -# ## -####################### - -( - rulename = "Networking Programs", - severity = $(SIG_HI) -) -{ - /etc/sysconfig/network-scripts/ifdown -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-cipcb -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-ippp -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-ipv6 -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-isdn -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-post -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-ppp -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-sit -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifdown-sl -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-aliases -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-cipcb -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-ippp -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-ipv6 -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-isdn -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-plip -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-plusb -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-post -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-ppp -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-routes -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-sit -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-sl -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/ifup-wireless -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/network-functions -> $(SEC_CRIT) ; - /etc/sysconfig/network-scripts/network-functions-ipv6 -> $(SEC_CRIT) ; - /bin/ping -> $(SEC_CRIT) ; - /sbin/agetty -> $(SEC_CRIT) ; - /sbin/arp -> $(SEC_CRIT) ; - /sbin/arping -> $(SEC_CRIT) ; - /sbin/dhcpcd -> $(SEC_CRIT) ; - /sbin/ether-wake -> $(SEC_CRIT) ; - #/sbin/getty -> $(SEC_CRIT) ; - /sbin/ifcfg -> $(SEC_CRIT) ; - /sbin/ifconfig -> $(SEC_CRIT) ; - /sbin/ifdown -> 
$(SEC_CRIT) ; - /sbin/ifenslave -> $(SEC_CRIT) ; - /sbin/ifport -> $(SEC_CRIT) ; - /sbin/ifup -> $(SEC_CRIT) ; - /sbin/ifuser -> $(SEC_CRIT) ; - /sbin/ip -> $(SEC_CRIT) ; - /sbin/ip6tables -> $(SEC_CRIT) ; - /sbin/ipchains -> $(SEC_CRIT) ; - /sbin/ipchains-restore -> $(SEC_CRIT) ; - /sbin/ipchains-save -> $(SEC_CRIT) ; - /sbin/ipfwadm -> $(SEC_CRIT) ; - /sbin/ipmaddr -> $(SEC_CRIT) ; - /sbin/iptables -> $(SEC_CRIT) ; - /sbin/iptables-restore -> $(SEC_CRIT) ; - /sbin/iptables-save -> $(SEC_CRIT) ; - /sbin/iptunnel -> $(SEC_CRIT) ; - #/sbin/ipvsadm -> $(SEC_CRIT) ; - #/sbin/ipvsadm-restore -> $(SEC_CRIT) ; - #/sbin/ipvsadm-save -> $(SEC_CRIT) ; - /sbin/ipx_configure -> $(SEC_CRIT) ; - /sbin/ipx_interface -> $(SEC_CRIT) ; - /sbin/ipx_internal_net -> $(SEC_CRIT) ; - /sbin/iwconfig -> $(SEC_CRIT) ; - /sbin/iwgetid -> $(SEC_CRIT) ; - /sbin/iwlist -> $(SEC_CRIT) ; - /sbin/iwpriv -> $(SEC_CRIT) ; - /sbin/iwspy -> $(SEC_CRIT) ; - /sbin/mgetty -> $(SEC_CRIT) ; - /sbin/mingetty -> $(SEC_CRIT) ; - /sbin/nameif -> $(SEC_CRIT) ; - /sbin/netreport -> $(SEC_CRIT) ; - /sbin/plipconfig -> $(SEC_CRIT) ; - /sbin/portmap -> $(SEC_CRIT) ; - /sbin/ppp-watch -> $(SEC_CRIT) ; - #/sbin/rarp -> $(SEC_CRIT) ; - /sbin/route -> $(SEC_CRIT) ; - /sbin/slattach -> $(SEC_CRIT) ; - /sbin/tc -> $(SEC_CRIT) ; - #/sbin/uugetty -> $(SEC_CRIT) ; - /sbin/vgetty -> $(SEC_CRIT) ; - /sbin/ypbind -> $(SEC_CRIT) ; -} - - ################################## - # ## -################################## # -# # # -# System Administration Programs # # -# ## -################################## - -( - rulename = "System Administration Programs", - severity = $(SIG_HI) -) -{ - /sbin/chkconfig -> $(SEC_CRIT) ; - /sbin/fuser -> $(SEC_CRIT) ; - /sbin/halt -> $(SEC_CRIT) ; - /sbin/init -> $(SEC_CRIT) ; - /sbin/initlog -> $(SEC_CRIT) ; - /sbin/install-info -> $(SEC_CRIT) ; - /sbin/killall5 -> $(SEC_CRIT) ; - #/sbin/linuxconf -> $(SEC_CRIT) ; - #/sbin/linuxconf-auth -> $(SEC_CRIT) ; - /sbin/pam_tally -> $(SEC_CRIT) ; - 
/sbin/pwdb_chkpwd -> $(SEC_CRIT) ; - #/sbin/remadmin -> $(SEC_CRIT) ; - /sbin/rescuept -> $(SEC_CRIT) ; - /sbin/rmt -> $(SEC_CRIT) ; - /sbin/rpc.lockd -> $(SEC_CRIT) ; - /sbin/rpc.statd -> $(SEC_CRIT) ; - /sbin/rpcdebug -> $(SEC_CRIT) ; - /sbin/service -> $(SEC_CRIT) ; - /sbin/setsysfont -> $(SEC_CRIT) ; - /sbin/shutdown -> $(SEC_CRIT) ; - /sbin/sulogin -> $(SEC_CRIT) ; - /sbin/swapon -> $(SEC_CRIT) ; - /sbin/syslogd -> $(SEC_CRIT) ; - /sbin/unix_chkpwd -> $(SEC_CRIT) ; - /bin/pwd -> $(SEC_CRIT) ; - /bin/uname -> $(SEC_CRIT) ; -} - - ######################################## - # ## -######################################## # -# # # -# Hardware and Device Control Programs # # -# ## -######################################## -( - rulename = "Hardware and Device Control Programs", - severity = $(SIG_HI) -) -{ - /bin/setserial -> $(SEC_CRIT) ; - /bin/sfxload -> $(SEC_CRIT) ; - /sbin/blockdev -> $(SEC_CRIT) ; - /sbin/cardctl -> $(SEC_CRIT) ; - /sbin/cardmgr -> $(SEC_CRIT) ; - /sbin/cbq -> $(SEC_CRIT) ; - /sbin/dump_cis -> $(SEC_CRIT) ; - /sbin/elvtune -> $(SEC_CRIT) ; - /sbin/hotplug -> $(SEC_CRIT) ; - /sbin/hwclock -> $(SEC_CRIT) ; - /sbin/ide_info -> $(SEC_CRIT) ; - #/sbin/isapnp -> $(SEC_CRIT) ; - /sbin/kbdrate -> $(SEC_CRIT) ; - /sbin/losetup -> $(SEC_CRIT) ; - /sbin/lspci -> $(SEC_CRIT) ; - /sbin/lspnp -> $(SEC_CRIT) ; - /sbin/mii-tool -> $(SEC_CRIT) ; - /sbin/pack_cis -> $(SEC_CRIT) ; - #/sbin/pnpdump -> $(SEC_CRIT) ; - /sbin/probe -> $(SEC_CRIT) ; - /sbin/pump -> $(SEC_CRIT) ; - /sbin/setpci -> $(SEC_CRIT) ; - /sbin/shapecfg -> $(SEC_CRIT) ; -} - - ############################### - # ## -############################### # -# # # -# System Information Programs # # -# ## -############################### -( - rulename = "System Information Programs", - severity = $(SIG_HI) -) -{ - /sbin/consoletype -> $(SEC_CRIT) ; - /sbin/kernelversion -> $(SEC_CRIT) ; - /sbin/runlevel -> $(SEC_CRIT) ; -} - - #################################### - # ## 
-#################################### # -# # # -# Application Information Programs # # -# ## -#################################### - -( - rulename = "Application Information Programs", - severity = $(SIG_HI) -) -{ - /sbin/genksyms -> $(SEC_CRIT) ; - #/sbin/genksyms.old -> $(SEC_CRIT) ; - /sbin/rtmon -> $(SEC_CRIT) ; -} - - ########################## - # ## -########################## # -# # # -# Shell Related Programs # # -# ## -########################## -( - rulename = "Shell Related Programs", - severity = $(SIG_HI) -) -{ - /sbin/getkey -> $(SEC_CRIT) ; - /sbin/nash -> $(SEC_CRIT) ; - /sbin/sash -> $(SEC_CRIT) ; -} - - - ################ - # ## -################ # -# # # -# OS Utilities # # -# ## -################ -( - rulename = "Operating System Utilities", - severity = $(SIG_HI) -) -{ - /bin/arch -> $(SEC_CRIT) ; - /bin/ash -> $(SEC_CRIT) ; - /bin/ash.static -> $(SEC_CRIT) ; - /bin/aumix-minimal -> $(SEC_CRIT) ; - /bin/basename -> $(SEC_CRIT) ; - /bin/cat -> $(SEC_CRIT) ; - /bin/consolechars -> $(SEC_CRIT) ; - /bin/cut -> $(SEC_CRIT) ; - /bin/date -> $(SEC_CRIT) ; - /bin/dd -> $(SEC_CRIT) ; - /bin/df -> $(SEC_CRIT) ; - /bin/dmesg -> $(SEC_CRIT) ; - /bin/doexec -> $(SEC_CRIT) ; - /bin/echo -> $(SEC_CRIT) ; - /bin/ed -> $(SEC_CRIT) ; - /bin/egrep -> $(SEC_CRIT) ; - /bin/false -> $(SEC_CRIT) ; - /bin/fgrep -> $(SEC_CRIT) ; - /bin/gawk -> $(SEC_CRIT) ; - /bin/gawk-3.1.0 -> $(SEC_CRIT) ; - /bin/gettext -> $(SEC_CRIT) ; - /bin/grep -> $(SEC_CRIT) ; - /bin/gunzip -> $(SEC_CRIT) ; - /bin/gzip -> $(SEC_CRIT) ; - /bin/hostname -> $(SEC_CRIT) ; - /bin/igawk -> $(SEC_CRIT) ; - /bin/ipcalc -> $(SEC_CRIT) ; - /bin/kill -> $(SEC_CRIT) ; - /bin/ln -> $(SEC_CRIT) ; - /bin/loadkeys -> $(SEC_CRIT) ; - /bin/login -> $(SEC_CRIT) ; - /bin/ls -> $(SEC_CRIT) ; - /bin/mail -> $(SEC_CRIT) ; - /bin/more -> $(SEC_CRIT) ; - /bin/mt -> $(SEC_CRIT) ; - /bin/mv -> $(SEC_CRIT) ; - /bin/netstat -> $(SEC_CRIT) ; - /bin/nice -> $(SEC_CRIT) ; - /bin/pgawk -> $(SEC_CRIT) ; - /bin/ps -> 
$(SEC_CRIT) ; - /bin/rpm -> $(SEC_CRIT) ; - /bin/sed -> $(SEC_CRIT) ; - /bin/sleep -> $(SEC_CRIT) ; - /bin/sort -> $(SEC_CRIT) ; - /bin/stty -> $(SEC_CRIT) ; - /bin/su -> $(SEC_CRIT) ; - /bin/sync -> $(SEC_CRIT) ; - /bin/tar -> $(SEC_CRIT) ; - /bin/true -> $(SEC_CRIT) ; - /bin/usleep -> $(SEC_CRIT) ; - /bin/vi -> $(SEC_CRIT) ; - /bin/zcat -> $(SEC_CRIT) ; - /bin/zsh -> $(SEC_CRIT) ; - #/bin/zsh-4.0.2 -> $(SEC_CRIT) ; - /sbin/sln -> $(SEC_CRIT) ; - /usr/bin/vimtutor -> $(SEC_CRIT) ; -} - - ############################## - # ## -############################## # -# # # -# Critical Utility Sym-Links # # -# ## -############################## -( - rulename = "Critical Utility Sym-Links", - severity = $(SIG_HI) -) -{ - #/sbin/askrunlevel -> $(SEC_CRIT) ; - /sbin/clock -> $(SEC_CRIT) ; - #/sbin/fixperm -> $(SEC_CRIT) ; - /sbin/fsck.reiserfs -> $(SEC_CRIT) ; - #/sbin/fsconf -> $(SEC_CRIT) ; - /sbin/ipfwadm-wrapper -> $(SEC_CRIT) ; - /sbin/kallsyms -> $(SEC_CRIT) ; - /sbin/ksyms -> $(SEC_CRIT) ; - /sbin/lsmod -> $(SEC_CRIT) ; - #/sbin/mailconf -> $(SEC_CRIT) ; - /sbin/mkfs.reiserfs -> $(SEC_CRIT) ; - #/sbin/modemconf -> $(SEC_CRIT) ; - /sbin/modprobe -> $(SEC_CRIT) ; - /sbin/mount.ncp -> $(SEC_CRIT) ; - /sbin/mount.ncpfs -> $(SEC_CRIT) ; - /sbin/mount.smb -> $(SEC_CRIT) ; - /sbin/mount.smbfs -> $(SEC_CRIT) ; - #/sbin/netconf -> $(SEC_CRIT) ; - /sbin/pidof -> $(SEC_CRIT) ; - /sbin/poweroff -> $(SEC_CRIT) ; - /sbin/quotaoff -> $(SEC_CRIT) ; - /sbin/raid0run -> $(SEC_CRIT) ; - /sbin/raidhotadd -> $(SEC_CRIT) ; - /sbin/raidhotgenerateerror -> $(SEC_CRIT) ; - /sbin/raidhotremove -> $(SEC_CRIT) ; - /sbin/raidstop -> $(SEC_CRIT) ; - /sbin/rdump -> $(SEC_CRIT) ; - /sbin/rdump.static -> $(SEC_CRIT) ; - /sbin/reboot -> $(SEC_CRIT) ; - /sbin/rmmod -> $(SEC_CRIT) ; - /sbin/rrestore -> $(SEC_CRIT) ; - /sbin/rrestore.static -> $(SEC_CRIT) ; - /sbin/swapoff -> $(SEC_CRIT) ; - /sbin/telinit -> $(SEC_CRIT) ; - #/sbin/userconf -> $(SEC_CRIT) ; - #/sbin/uucpconf -> $(SEC_CRIT) ; - 
#/sbin/vregistry -> $(SEC_CRIT) ; - /bin/awk -> $(SEC_CRIT) ; - /bin/bash2 -> $(SEC_CRIT) ; - /bin/bsh -> $(SEC_CRIT) ; - /bin/csh -> $(SEC_CRIT) ; - /bin/dnsdomainname -> $(SEC_CRIT) ; - /bin/domainname -> $(SEC_CRIT) ; - /bin/ex -> $(SEC_CRIT) ; - /bin/gtar -> $(SEC_CRIT) ; - /bin/nisdomainname -> $(SEC_CRIT) ; - /bin/red -> $(SEC_CRIT) ; - /bin/rvi -> $(SEC_CRIT) ; - /bin/rview -> $(SEC_CRIT) ; - /bin/view -> $(SEC_CRIT) ; - /bin/ypdomainname -> $(SEC_CRIT) ; -} - - - ######################### - # ## -######################### # -# # # -# Temporary directories # # -# ## -######################### -( - rulename = "Temporary directories", - recurse = false, - severity = $(SIG_LOW) -) -{ - /usr/tmp -> $(SEC_INVARIANT) ; - /var/tmp -> $(SEC_INVARIANT) ; - /tmp -> $(SEC_INVARIANT) ; -} - - ############### - # ## -############### # -# # # -# Local files # # -# ## -############### -( - rulename = "User binaries", - severity = $(SIG_MED) -) -{ - /sbin -> $(SEC_BIN) (recurse = 1) ; - /usr/bin -> $(SEC_BIN) (recurse = 1) ; - /usr/sbin -> $(SEC_BIN) (recurse = 1) ; - /usr/local/bin -> $(SEC_BIN) (recurse = 1) ; -} - -( - rulename = "Shell Binaries", - severity = $(SIG_HI) -) -{ - /bin/bash -> $(SEC_BIN) ; - /bin/ksh -> $(SEC_BIN) ; - # /bin/psh -> $(SEC_BIN) ; # No longer used? - # /bin/Rsh -> $(SEC_BIN) ; # No longer used? - /bin/sh -> $(SEC_BIN) ; - # /bin/shell -> $(SEC_SUID) ; # No longer used? - # /bin/tsh -> $(SEC_BIN) ; # No longer used? 
- /bin/tcsh -> $(SEC_BIN) ; - /sbin/nologin -> $(SEC_BIN) ; -} - -( - rulename = "Security Control", - severity = $(SIG_HI) -) -{ - /etc/group -> $(SEC_CRIT) ; - /etc/security -> $(SEC_CRIT) ; - #/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists -} - -#( -# rulename = "Boot Scripts", -# severity = $(SIG_HI) -#) -#{ -# /etc/rc -> $(SEC_CONFIG) ; -# /etc/rc.bsdnet -> $(SEC_CONFIG) ; -# /etc/rc.dt -> $(SEC_CONFIG) ; -# /etc/rc.net -> $(SEC_CONFIG) ; -# /etc/rc.net.serial -> $(SEC_CONFIG) ; -# /etc/rc.nfs -> $(SEC_CONFIG) ; -# /etc/rc.powerfail -> $(SEC_CONFIG) ; -# /etc/rc.tcpip -> $(SEC_CONFIG) ; -# /etc/trcfmt.Z -> $(SEC_CONFIG) ; -#} - -( - rulename = "Login Scripts", - severity = $(SIG_HI) -) -{ - /etc/bashrc -> $(SEC_CONFIG) ; - /etc/csh.cshrc -> $(SEC_CONFIG) ; - /etc/csh.login -> $(SEC_CONFIG) ; - /etc/inputrc -> $(SEC_CONFIG) ; - # /etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists - /etc/profile -> $(SEC_CONFIG) ; -} - -# Libraries -( - rulename = "Libraries", - severity = $(SIG_MED) -) -{ - /usr/lib -> $(SEC_BIN) ; - /usr/local/lib -> $(SEC_BIN) ; -} - - - ###################################################### - # ## -###################################################### # -# # # -# Critical System Boot Files # # -# These files are critical to a correct system boot. 
# # -# ## -###################################################### - -( - rulename = "Critical system boot files", - severity = $(SIG_HI) -) -{ - /boot -> $(SEC_CRIT) ; - #/sbin/devfsd -> $(SEC_CRIT) ; - /sbin/grub -> $(SEC_CRIT) ; - /sbin/grub-install -> $(SEC_CRIT) ; - /sbin/grub-md5-crypt -> $(SEC_CRIT) ; - /sbin/installkernel -> $(SEC_CRIT) ; - /sbin/lilo -> $(SEC_CRIT) ; - /sbin/mkkerneldoth -> $(SEC_CRIT) ; - !/boot/System.map ; - !/boot/module-info ; - /usr/share/grub/i386-redhat/e2fs_stage1_5 -> $(SEC_CRIT) ; - /usr/share/grub/i386-redhat/fat_stage1_5 -> $(SEC_CRIT) ; - /usr/share/grub/i386-redhat/ffs_stage1_5 -> $(SEC_CRIT) ; - /usr/share/grub/i386-redhat/minix_stage1_5 -> $(SEC_CRIT) ; - /usr/share/grub/i386-redhat/reiserfs_stage1_5 -> $(SEC_CRIT) ; - /usr/share/grub/i386-redhat/stage1 -> $(SEC_CRIT) ; - /usr/share/grub/i386-redhat/stage2 -> $(SEC_CRIT) ; - /usr/share/grub/i386-redhat/vstafs_stage1_5 -> $(SEC_CRIT) ; - # other boot files may exist. Look for: - #/ufsboot -> $(SEC_CRIT) ; -} - ################################################## - ################################################### - # These files change every time the system boots ## - ################################################## -( - rulename = "System boot changes", - severity = $(SIG_HI) -) -{ - !/var/run/ftp.pids-all ; # Comes and goes on reboot. - !/root/.enlightenment ; - /dev/log -> $(SEC_CONFIG) ; - /dev/cua0 -> $(SEC_CONFIG) ; - # /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device - /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout. 
- /dev/tty1 -> $(SEC_CONFIG) ; # tty devices - /dev/tty2 -> $(SEC_CONFIG) ; # tty devices - /dev/tty3 -> $(SEC_CONFIG) ; # are extremely - /dev/tty4 -> $(SEC_CONFIG) ; # variable - /dev/tty5 -> $(SEC_CONFIG) ; - /dev/tty6 -> $(SEC_CONFIG) ; - /dev/urandom -> $(SEC_CONFIG) ; - /dev/initctl -> $(SEC_CONFIG) ; - /var/lock/subsys -> $(SEC_CONFIG) ; - #/var/lock/subsys/amd -> $(SEC_CONFIG) ; - /var/lock/subsys/anacron -> $(SEC_CONFIG) ; - /var/lock/subsys/apmd -> $(SEC_CONFIG) ; - #/var/lock/subsys/arpwatch -> $(SEC_CONFIG) ; - /var/lock/subsys/atd -> $(SEC_CONFIG) ; - /var/lock/subsys/autofs -> $(SEC_CONFIG) ; - #/var/lock/subsys/bcm5820 -> $(SEC_CONFIG) ; - #/var/lock/subsys/bgpd -> $(SEC_CONFIG) ; - #/var/lock/subsys/bootparamd -> $(SEC_CONFIG) ; - #/var/lock/subsys/canna -> $(SEC_CONFIG) ; - /var/lock/subsys/crond -> $(SEC_CONFIG) ; - #/var/lock/subsys/cWnn -> $(SEC_CONFIG) ; - #/var/lock/subsys/dhcpd -> $(SEC_CONFIG) ; - #/var/lock/subsys/firewall -> $(SEC_CONFIG) ; - #/var/lock/subsys/freeWnn -> $(SEC_CONFIG) ; - #/var/lock/subsys/gated -> $(SEC_CONFIG) ; - /var/lock/subsys/gpm -> $(SEC_CONFIG) ; - #/var/lock/subsys/httpd -> $(SEC_CONFIG) ; - #/var/lock/subsys/identd -> $(SEC_CONFIG) ; - #/var/lock/subsys/innd -> $(SEC_CONFIG) ; - /var/lock/subsys/ipchains -> $(SEC_CONFIG) ; - #/var/lock/subsys/iptables -> $(SEC_CONFIG) ; - #/var/lock/subsys/ipvsadm -> $(SEC_CONFIG) ; - #/var/lock/subsys/irda -> $(SEC_CONFIG) ; - #/var/lock/subsys/iscsi -> $(SEC_CONFIG) ; - #/var/lock/subsys/isdn -> $(SEC_CONFIG) ; - #/var/lock/subsys/junkbuster -> $(SEC_CONFIG) ; - #/var/lock/subsys/kadmin -> $(SEC_CONFIG) ; - /var/lock/subsys/keytable -> $(SEC_CONFIG) ; - #/var/lock/subsys/kprop -> $(SEC_CONFIG) ; - #/var/lock/subsys/krb524 -> $(SEC_CONFIG) ; - #/var/lock/subsys/krb5kdc -> $(SEC_CONFIG) ; - /var/lock/subsys/kudzu -> $(SEC_CONFIG) ; - #/var/lock/subsys/kWnn -> $(SEC_CONFIG) ; - #/var/lock/subsys/ldap -> $(SEC_CONFIG) ; - #/var/lock/subsys/linuxconf -> $(SEC_CONFIG) ; - 
#/var/lock/subsys/lpd -> $(SEC_CONFIG) ; - #/var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ; - #/var/lock/subsys/mcserv -> $(SEC_CONFIG) ; - #/var/lock/subsys/mysqld -> $(SEC_CONFIG) ; - #/var/lock/subsys/named -> $(SEC_CONFIG) ; - /var/lock/subsys/netfs -> $(SEC_CONFIG) ; - /var/lock/subsys/network -> $(SEC_CONFIG) ; - #/var/lock/subsys/nfs -> $(SEC_CONFIG) ; - /var/lock/subsys/nfslock -> $(SEC_CONFIG) ; - #/var/lock/subsys/nscd -> $(SEC_CONFIG) ; - #/var/lock/subsys/ntpd -> $(SEC_CONFIG) ; - #/var/lock/subsys/ospf6d -> $(SEC_CONFIG) ; - #/var/lock/subsys/ospfd -> $(SEC_CONFIG) ; - /var/lock/subsys/pcmcia -> $(SEC_CONFIG) ; - /var/lock/subsys/portmap -> $(SEC_CONFIG) ; - #/var/lock/subsys/postgresql -> $(SEC_CONFIG) ; - #/var/lock/subsys/pxe -> $(SEC_CONFIG) ; - #/var/lock/subsys/radvd -> $(SEC_CONFIG) ; - /var/lock/subsys/random -> $(SEC_CONFIG) ; - #/var/lock/subsys/rarpd -> $(SEC_CONFIG) ; - /var/lock/subsys/reconfig -> $(SEC_CONFIG) ; - /var/lock/subsys/rhnsd -> $(SEC_CONFIG) ; - #/var/lock/subsys/ripd -> $(SEC_CONFIG) ; - #/var/lock/subsys/ripngd -> $(SEC_CONFIG) ; - #/var/lock/subsys/routed -> $(SEC_CONFIG) ; - #/var/lock/subsys/rstatd -> $(SEC_CONFIG) ; - #/var/lock/subsys/rusersd -> $(SEC_CONFIG) ; - #/var/lock/subsys/rwalld -> $(SEC_CONFIG) ; - #/var/lock/subsys/rwhod -> $(SEC_CONFIG) ; - /var/lock/subsys/sendmail -> $(SEC_CONFIG) ; - #/var/lock/subsys/smb -> $(SEC_CONFIG) ; - #/var/lock/subsys/snmpd -> $(SEC_CONFIG) ; - #/var/lock/subsys/squid -> $(SEC_CONFIG) ; - /var/lock/subsys/sshd -> $(SEC_CONFIG) ; - /var/lock/subsys/syslog -> $(SEC_CONFIG) ; - #/var/lock/subsys/tux -> $(SEC_CONFIG) ; - #/var/lock/subsys/tWnn -> $(SEC_CONFIG) ; - #/var/lock/subsys/ups -> $(SEC_CONFIG) ; - #/var/lock/subsys/vncserver -> $(SEC_CONFIG) ; - #/var/lock/subsys/wine -> $(SEC_CONFIG) ; - /var/lock/subsys/xfs -> $(SEC_CONFIG) ; - /var/lock/subsys/xinetd -> $(SEC_CONFIG) ; - /var/lock/subsys/ypbind -> $(SEC_CONFIG) ; - #/var/lock/subsys/yppasswdd -> $(SEC_CONFIG) ; - 
#/var/lock/subsys/ypserv -> $(SEC_CONFIG) ; - #/var/lock/subsys/ypxfrd -> $(SEC_CONFIG) ; - #/var/lock/subsys/zebra -> $(SEC_CONFIG) ; - /var/run -> $(SEC_CONFIG) ; - /var/log -> $(SEC_CONFIG) ; - /etc/ioctl.save -> $(SEC_CONFIG) ; - /etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes - /etc/issue -> $(SEC_CONFIG) ; - /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount - /lib/modules -> $(SEC_CONFIG) ; - /etc/.pwd.lock -> $(SEC_CONFIG) ; - # /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists -} - -# These files change the behavior of the root account -( - rulename = "Root config files", - severity = 100 -) -{ - /root -> $(SEC_CRIT) ; # Catch all additions to /root - #/root/.Xresources -> $(SEC_CONFIG) ; - /root/.bashrc -> $(SEC_CONFIG) ; - /root/.bash_profile -> $(SEC_CONFIG) ; - /root/.bash_logout -> $(SEC_CONFIG) ; - /root/.cshrc -> $(SEC_CONFIG) ; - /root/.tcshrc -> $(SEC_CONFIG) ; - /root/Mail -> $(SEC_CONFIG) ; - #/root/mail -> $(SEC_CONFIG) ; - #/root/.amandahosts -> $(SEC_CONFIG) ; - #/root/.addressbook.lu -> $(SEC_CONFIG) ; - #/root/.addressbook -> $(SEC_CONFIG) ; - /root/.bash_history -> $(SEC_CONFIG) ; - /root/.elm -> $(SEC_CONFIG) ; - #/root/.esd_auth -> $(SEC_CONFIG) ; - /root/.gnome_private -> $(SEC_CONFIG) ; - /root/.gnome-desktop -> $(SEC_CONFIG) ; - /root/.gnome -> $(SEC_CONFIG) ; - /root/.ICEauthority -> $(SEC_CONFIG) ; - #/root/.mc -> $(SEC_CONFIG) ; - #/root/.pinerc -> $(SEC_CONFIG) ; - /root/.sawfish -> $(SEC_CONFIG) ; - /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login - #/root/.xauth -> $(SEC_CONFIG) ; - /root/.xsession-errors -> $(SEC_CONFIG) ; -} - - ################################ - # ## -################################ # -# # # -# Critical configuration files # # -# ## -################################ -( - rulename = "Critical configuration files", - severity = $(SIG_HI) -) -{ - #/etc/conf.linuxconf -> $(SEC_BIN) ; - /etc/crontab -> $(SEC_BIN) ; - 
/etc/cron.hourly -> $(SEC_BIN) ; - /etc/cron.daily -> $(SEC_BIN) ; - /etc/cron.weekly -> $(SEC_BIN) ; - /etc/cron.monthly -> $(SEC_BIN) ; - /etc/default -> $(SEC_BIN) ; - /etc/fstab -> $(SEC_BIN) ; - /etc/exports -> $(SEC_BIN) ; - /etc/group- -> $(SEC_BIN) ; # changes should be infrequent - /etc/host.conf -> $(SEC_BIN) ; - /etc/hosts.allow -> $(SEC_BIN) ; - /etc/hosts.deny -> $(SEC_BIN) ; - /etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent - /etc/protocols -> $(SEC_BIN) ; - /etc/services -> $(SEC_BIN) ; - /etc/rc.d/init.d -> $(SEC_BIN) ; - /etc/rc.d -> $(SEC_BIN) ; - /etc/mail.rc -> $(SEC_BIN) ; - /etc/modules.conf -> $(SEC_BIN) ; - /etc/motd -> $(SEC_BIN) ; - /etc/named.conf -> $(SEC_BIN) ; - /etc/passwd -> $(SEC_CONFIG) ; - /etc/passwd- -> $(SEC_CONFIG) ; - /etc/profile.d -> $(SEC_BIN) ; - /var/lib/nfs/rmtab -> $(SEC_BIN) ; - /usr/sbin/fixrmtab -> $(SEC_BIN) ; - /etc/rpc -> $(SEC_BIN) ; - /etc/sysconfig -> $(SEC_BIN) ; - /etc/samba/smb.conf -> $(SEC_CONFIG) ; - #/etc/gettydefs -> $(SEC_BIN) ; - /etc/nsswitch.conf -> $(SEC_BIN) ; - /etc/yp.conf -> $(SEC_BIN) ; - /etc/hosts -> $(SEC_CONFIG) ; - /etc/xinetd.conf -> $(SEC_CONFIG) ; - /etc/inittab -> $(SEC_CONFIG) ; - /etc/resolv.conf -> $(SEC_CONFIG) ; - /etc/syslog.conf -> $(SEC_CONFIG) ; -} - - #################### - # ## -#################### # -# # # -# Critical devices # # -# ## -#################### -( - rulename = "Critical devices", - severity = $(SIG_HI), - recurse = false -) -{ - /dev/kmem -> $(Device) ; - /dev/mem -> $(Device) ; - /dev/null -> $(Device) ; - /dev/zero -> $(Device) ; - /proc/devices -> $(Device) ; - /proc/net -> $(Device) ; - /proc/sys -> $(Device) ; - /proc/cpuinfo -> $(Device) ; - /proc/modules -> $(Device) ; - /proc/mounts -> $(Device) ; - /proc/dma -> $(Device) ; - /proc/filesystems -> $(Device) ; - /proc/pci -> $(Device) ; - /proc/interrupts -> $(Device) ; - /proc/driver/rtc -> $(Device) ; - /proc/ioports -> $(Device) ; - #/proc/scsi -> $(Device) ; - /proc/kcore -> 
$(Device) ; - /proc/self -> $(Device) ; - /proc/kmsg -> $(Device) ; - /proc/stat -> $(Device) ; - /proc/ksyms -> $(Device) ; - /proc/loadavg -> $(Device) ; - /proc/uptime -> $(Device) ; - /proc/locks -> $(Device) ; - /proc/version -> $(Device) ; - /proc/mdstat -> $(Device) ; - /proc/meminfo -> $(Device) ; - /proc/cmdline -> $(Device) ; - /proc/misc -> $(Device) ; -} - -# Rest of critical system binaries -( - rulename = "OS executables and libraries", - severity = $(SIG_HI) -) -{ - /bin -> $(SEC_BIN) ; - /lib -> $(SEC_BIN) ; -} - -#============================================================================= -# -# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, -# Inc. in the United States and other countries. All rights reserved. -# -# Linux is a registered trademark of Linus Torvalds. -# -# UNIX is a registered trademark of The Open Group. -# -#============================================================================= -# -# Permission is granted to make and distribute verbatim copies of this document -# provided the copyright notice and this permission notice are preserved on all -# copies. -# -# Permission is granted to copy and distribute modified versions of this -# document under the conditions for verbatim copying, provided that the entire -# resulting derived work is distributed under the terms of a permission notice -# identical to this one. -# -# Permission is granted to copy and distribute translations of this document -# into another language, under the above conditions for modified versions, -# except that this permission notice may be stated in a translation approved by -# Tripwire, Inc. -# -# DCM -# -# $Id: twpol-GENERIC.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $ -# diff --git a/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/recipes-ids/tripwire/tripwire_2.4.3.7.bb deleted file mode 100644 index e2968e4..0000000 --- a/recipes-ids/tripwire/tripwire_2.4.3.7.bb +++ /dev/null 
@@ -1,75 +0,0 @@ -SUMMARY = "Tripwire: A system integrity assessment tool (IDS)" -DESCRIPTION = "Open Source Tripwire® software is a security and data \ -integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems" -HOMEPAGE = "http://sourceforge.net/projects/tripwire" -SECTION = "security Monitor/Admin" -LICENSE = "GPL-2.0-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=1c069be8dbbe48e89b580ab4ed86c127" - -SRCREV = "6e64a9e5b70a909ec439bc5a099e3fcf38c614b0" - -SRC_URI = "\ - git://github.com/Tripwire/tripwire-open-source.git;branch=master;protocol=https \ - file://tripwire.cron \ - file://tripwire.sh \ - file://tripwire.txt \ - file://twcfg.txt \ - file://twinstall.sh \ - file://twpol-yocto.txt \ - file://run-ptest \ - " - -inherit autotools-brokensep update-rc.d ptest - -INITSCRIPT_NAME = "tripwire" -INITSCRIPT_PARAMS = "start 40 S ." -TRIPWIRE_HOST = "${HOST_SYS}" -TRIPWIRE_TARGET = "${TARGET_SYS}" - -CXXFLAGS += "-fno-strict-aliasing" -EXTRA_OECONF = "--disable-openssl --enable-static --sysconfdir=/etc/tripwire" - -do_install () { - install -d ${D}${libdir} ${D}${datadir} ${D}${base_libdir} - install -d ${D}${sysconfdir} ${D}${mandir} ${D}${sbindir} - install -d ${D}${sysconfdir}/${PN} - install -d ${D}${localstatedir}/lib/${PN} ${D}${localstatedir}/lib/${BPN}/report - install -d ${D}${mandir}/man4 ${D}${mandir}/man5 ${D}${mandir}/man8 - install -d ${D}${docdir}/${BPN} ${D}${docdir}/${BPN}/templates - install -d ${D}${sysconfdir}/init.d - - install -m 0755 ${S}/bin/* ${D}${sbindir} - install -m 0644 ${S}/lib/* ${D}${base_libdir} - install -m 0644 ${S}/lib/* ${D}${localstatedir}/lib/${PN} - install -m 0755 ${UNPACKDIR}/tripwire.cron ${D}${sysconfdir} - install -m 0755 ${UNPACKDIR}/tripwire.sh ${D}${sysconfdir}/init.d/tripwire - install -m 0755 ${UNPACKDIR}/twinstall.sh ${D}${sysconfdir}/${PN} - install -m 0644 ${UNPACKDIR}/twpol-yocto.txt ${D}${sysconfdir}/${PN}/twpol.txt - install -m 0644 ${UNPACKDIR}/twcfg.txt 
${D}${sysconfdir}/${PN} - - install -m 0644 ${S}/man/man4/* ${D}${mandir}/man4 - install -m 0644 ${S}/man/man5/* ${D}${mandir}/man5 - install -m 0644 ${S}/man/man8/* ${D}${mandir}/man8 - rm ${D}${mandir}/man*/Makefile* - install -m 0644 ${S}/policy/templates/* ${D}${docdir}/${BPN}/templates - install -m 0644 ${S}/policy/*txt ${D}${docdir}/${BPN} - install -m 0644 ${S}/COPYING ${D}${docdir}/${BPN} - install -m 0644 ${S}/TRADEMARK ${D}${docdir}/${BPN} - install -m 0644 ${UNPACKDIR}/tripwire.txt ${D}${docdir}/${BPN} -} - -do_install_ptest:append () { - install -d ${D}${PTEST_PATH}/tests - cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH} - sed -i -e 's@../../../../bin@${sbindir}@' ${D}${PTEST_PATH}/twtools.pm -} - -FILES:${PN} += "${libdir} ${docdir}/${PN}/*" -FILES:${PN}-dbg += "${sysconfdir}/${PN}/.debug" -FILES:${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a" -FILES:${PN}-ptest += "${PTEST_PATH}/tests " - -RDEPENDS:${PN} += " perl nano msmtp cronie" -RDEPENDS:${PN}-ptest = " perl lib-perl perl-modules " - -SKIP_RECIPE[tripwire] ?= "Upsteram project appears to be abondoned, fails to build with gcc11" From patchwork Thu Oct 16 21:22:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72529 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id E31DCCCD19F for ; Thu, 16 Oct 2025 21:22:44 +0000 (UTC) Received: from mail-qv1-f50.google.com (mail-qv1-f50.google.com [209.85.219.50]) by mx.groups.io with SMTP id smtpd.web10.1665.1760649764446048903 for ; Thu, 16 Oct 2025 14:22:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=Pw9VzPDc; spf=pass (domain: konsulko.com, ip: 209.85.219.50, mailfrom: 
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][PATCH 12/15] libest: Remove recipe Date: Thu, 16 Oct 2025 17:22:11 -0400 X-Mailer: git-send-email 2.51.0 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2336 Remove the libest recipe since it has been disabled since November 2021, and upstream has shown no activity since 2022. Signed-off-by: Scott Murray --- recipes-security/libest/libest_3.2.0.bb | 28 ------------------------- 1 file changed, 28 deletions(-) delete mode 100644 recipes-security/libest/libest_3.2.0.bb diff --git a/recipes-security/libest/libest_3.2.0.bb b/recipes-security/libest/libest_3.2.0.bb deleted file mode 100644 index e6af2c6..0000000 --- a/recipes-security/libest/libest_3.2.0.bb +++ /dev/null
@@ -1,28 +0,0 @@ -SUMMARY = "EST is used for secure certificate \ -enrollment and is compatible with Suite B certs (as well as RSA \ -and DSA certificates)" - -LICENSE = "OpenSSL" -LIC_FILES_CHKSUM = "file://LICENSE;md5=ecb78acde8e3b795de8ef6b61aed5885" - -SRCREV = "4ca02c6d7540f2b1bcea278a4fbe373daac7103b" -SRC_URI = "git://github.com/cisco/libest;branch=main;protocol=https" - -DEPENDS = "openssl" - -#fatal error: execinfo.h: No such file or directory -DEPENDS:append:libc-musl = " libexecinfo" - -inherit autotools-brokensep - -EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}" - -CFLAGS += "-fcommon" -LDFLAGS:append:libc-musl = " -lexecinfo" - -PACKAGES = "${PN} ${PN}-dbg ${PN}-dev" - -FILES:${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so" - -# https://github.com/cisco/libest/issues/104 -SKIP_RECIPE[libest] ?= "Needs porting to openssl 3.x" From patchwork Thu Oct 16 21:22:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72537 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 19F03CCD199 for ; Thu, 16 Oct 2025 21:22:55 +0000 (UTC) Received: from mail-qv1-f51.google.com (mail-qv1-f51.google.com [209.85.219.51]) by mx.groups.io with SMTP id smtpd.web10.1667.1760649765875564574 for ; Thu, 16 Oct 2025 14:22:46 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=BFknYYvD; spf=pass (domain: konsulko.com, ip: 209.85.219.51, mailfrom: scott.murray@konsulko.com) Received: by mail-qv1-f51.google.com with SMTP id 6a1803df08f44-81fdd5d7b59so18206186d6.3 for ; Thu, 16 Oct 2025 14:22:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1760649765; x=1761254565; 
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][PATCH 13/15] paxctl: Remove recipe Date: Thu, 16 Oct 2025 17:22:12 -0400 Message-ID: <65083a6a01d42f3bbe0d9aa50326f2000b1d097d.1760648348.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2338 Remove the paxctl recipe since it has seemingly been broken for a while without anyone noticing, and there likely have been no actual users since grsecurity stopped doing public releases in 2017. Signed-off-by: Scott Murray --- .../include/maintainers-meta-security.inc | 1 - docs/overview.txt | 27 ------------- .../packagegroup-core-security.bb | 1 - ...ckage-error-if-DESTDIR-is-set-to-usr.patch | 26 ------------ recipes-security/paxctl/paxctl_0.9.bb | 40 ------------------- 5 files changed, 95 deletions(-) delete mode 100644 recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch delete mode 100644 recipes-security/paxctl/paxctl_0.9.bb diff --git a/conf/distro/include/maintainers-meta-security.inc b/conf/distro/include/maintainers-meta-security.inc index 903bb9b..6f13ea9 100644 --- a/conf/distro/include/maintainers-meta-security.inc +++ b/conf/distro/include/maintainers-meta-security.inc
@@ -44,7 +44,6 @@ RECIPE_MAINTAINER:pn-libseccomp = "Scott Murray " RECIPE_MAINTAINER:pn-libwhisker2-perl = "Scott Murray " RECIPE_MAINTAINER:pn-ncrack = "Scott Murray " RECIPE_MAINTAINER:pn-nikto = "Scott Murray " -RECIPE_MAINTAINER:pn-paxctl = "Scott Murray " RECIPE_MAINTAINER:pn-python3-fail2ban = "Scott Murray " RECIPE_MAINTAINER:pn-python3-scapy = "Scott Murray " RECIPE_MAINTAINER:pn-python-fail2ban = "Scott Murray " diff --git a/docs/overview.txt b/docs/overview.txt index ed3135a..eb87279 100644 --- a/docs/overview.txt +++ b/docs/overview.txt @@ -103,33 +103,6 @@ help for each package. usage : simply invoke the script name in the terminal. - == pax-utils == - - ( This package can be found in oe-core ) - - pax-utils is a small set of various PaX aware and related utilities for - ELF binaries. - - - scanelf : With this application you can print out information specific to the ELF structure of a binary. - For more help please consult the man pages or the readme file. - - - pspax : is a user-space utility that scans the proc directory and list - ELF types, as well as their respective PaX flags and filenames and - attributes. Depending on build options, it may additionaly display the - process running set of capabilities. - - - scanmacho : is a user-space utility to quickly scan given - Mach-Os, directories, or common system paths for different information. This - may include Mach-O types, their install_names, etc. - - - dumpelf : is a user-space utility to dump all of the internal - ELF structures into the equivalent C structures for fun debugging and/or - reference purposes. - - - usage : simply invoke the script name in the terminal. - - == buck-security == Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb index 3f5b0a5..7fb7b62 100644 
--- a/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/recipes-core/packagegroup/packagegroup-core-security.bb @@ -42,7 +42,6 @@ RDEPENDS:packagegroup-security-utils = "\ sshguard \ ${@bb.utils.contains("DISTRO_FEATURES", "seccomp ", "libseccomp", "",d)} \ ${@bb.utils.contains("DISTRO_FEATURES", "pam", "google-authenticator-libpam", "",d)} \ - ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \ " have_krill = "${@bb.utils.contains("DISTRO_FEATURES", "pam", "krill", "",d)}" diff --git a/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch b/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch deleted file mode 100644 index 451cb7f..0000000 --- a/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 824c5d7b96aeef1b4e182f657ac002bed6e14cd5 Mon Sep 17 00:00:00 2001 -From: Lei Maohui -Date: Thu, 31 Aug 2023 08:20:56 +0000 -Subject: [PATCH] To fix package error if DESTDIR is set to /usr. - -Upstream-Status: Inappropriate -Signed-off-by: Lei Maohui ---- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/Makefile b/Makefile -index 0d7bc0c..46fd664 100644 ---- a/Makefile -+++ b/Makefile -@@ -19,7 +19,7 @@ $(PROG).o: $(PROG).c $(PROG).h $(PROG)-elf.c - - install: $(PROG) - # $(MKDIR) $(DESTDIR)/sbin $(DESTDIR)$(MANDIR) -- $(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/sbin/$(PROG) -+ $(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/usr/sbin/$(PROG) - $(INSTALL) -D --owner 0 --group 0 --mode a=r $(PROG).1 $(DESTDIR)/$(MANDIR)/$(PROG).1 - - clean: --- -2.34.1 diff --git a/recipes-security/paxctl/paxctl_0.9.bb b/recipes-security/paxctl/paxctl_0.9.bb deleted file mode 100644 index 3d2f2a3..0000000 --- a/recipes-security/paxctl/paxctl_0.9.bb +++ /dev/null 
@@ -1,40 +0,0 @@ -DESCRIPTION = "paxctl is a tool that allows PaX flags to be modified on a \ - per-binary basis. PaX is part of common security-enhancing \ - kernel patches and secure distributions, such as \ - GrSecurity or Adamantix and Hardened Gen-too, respectively." -HOMEPAGE = "https://pax.grsecurity.net/" -LICENSE = "GPL-2.0-only" -LIC_FILES_CHKSUM = "file://paxctl.c;beginline=1;endline=5;md5=0ddd065c61020dda79729e6bedaed2c7 \ - file://paxctl-elf.c;beginline=1;endline=5;md5=99f453ce7f6d1687ee808982e2924813 \ - " - -SRC_URI = "http://pax.grsecurity.net/${BP}.tar.gz \ - file://0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch \ -" - -SRC_URI[md5sum] = "9bea59b1987dc4e16c2d22d745374e64" -SRC_URI[sha256sum] = "a330ddd812688169802a3ba29e5e3b19956376b8f6f73b8d7e9586eb04423c2e" - -EXTRA_OEMAKE = "CC='${CC}' DESTDIR='${D}'" - -do_install() { - oe_runmake install -} - -# The install target in the Makefile will fail for paxctl-native with error: -# install -D --owner 0 --group 0 --mode a=rx paxctl .../sbin/paxctl -# install: cannot change ownership of '.../sbin/paxctl': \ -# Operation not permitted -# Drop '--owner 0 --group 0' to fix the issue. 
-do_install:class-native() { - local PROG=paxctl - install -d ${D}${base_sbindir} - install -d ${D}${mandir}/man1 - install --mode a=rx $PROG ${D}${base_sbindir}/$PROG - install --mode a=r $PROG.1 ${D}${mandir}/man1/$PROG.1 -} - -# Avoid QA Issue: No GNU_HASH in the elf binary -INSANE_SKIP:${PN} = "ldflags" - -BBCLASSEXTEND = "native" From patchwork Thu Oct 16 21:22:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72536 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1F226CCD183 for ; Thu, 16 Oct 2025 21:22:55 +0000 (UTC) Received: from mail-qk1-f176.google.com (mail-qk1-f176.google.com [209.85.222.176]) by mx.groups.io with SMTP id smtpd.web11.1678.1760649766496865460 for ; Thu, 16 Oct 2025 14:22:46 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=HjFLZuEP; spf=pass (domain: konsulko.com, ip: 209.85.222.176, mailfrom: scott.murray@konsulko.com) Received: by mail-qk1-f176.google.com with SMTP id af79cd13be357-88f239686f2so155133185a.0 for ; Thu, 16 Oct 2025 14:22:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=konsulko.com; s=google; t=1760649765; x=1761254565; darn=lists.yoctoproject.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=rrhsAjEyPPEONGf6+MKW7l+t5yIrkIEdrb3tXFh98Pk=; b=HjFLZuEPL5J6uiRh+lZyggNzuG/RZL9mYxASWHkFKhgZHivONJQ95MgWtnUBz6IuQt XCjN0RDWZ3UVRda2ounWxeP3EwIMZkXkBVbqi2MRGgl+g+4fMsWw2u0N4oiDmnDxirKs 6T19V3/keeO5LUgRFNYMyG6H3+5ntNzWkEK6Y= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760649765; x=1761254565; 
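Review bot: In the docs/overview.txt hunk of patch 13/15, the section being deleted is "== pax-utils ==", not paxctl, and its own first line says "( This package can be found in oe-core )". The commit message only justifies dropping the paxctl recipe, and the tools described there (scanelf, pspax, scanmacho, dumpelf) come from oe-core rather than from the recipe deleted here. Either keep this section or extend the commit message to say that the pax-utils documentation is being dropped too, and why.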
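Review bot: In the packagegroup-core-security.bb hunk of patch 13/15, the removed RDEPENDS entry reads "pax-utils packctl", so with the "pax" distro feature set the group was asking for a name that does not match the paxctl recipe. That fits the "broken for a while without anyone noticing" remark and is worth stating in the commit message as the concrete evidence. Deleting the whole line also stops packagegroup-security-utils from pulling in pax-utils under that feature; if that is intended, say so in the message, otherwise keep the line with only pax-utils in it.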
From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][PATCH 14/15] packagegroup-core-security: update for recent changes Date: Thu, 16 Oct 2025 17:22:13 -0400 Message-ID: X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 16 Oct 2025 21:22:55 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2339 Changes: - Add libmhash and libgssglue so they will get tested by CI. - Switch to MACHINE_ARCH to facilitate the above, but it makes sense anyway due to all the machine overrides used in the packagegroup definition. - Add the recently added python3-suricata-update so it will get tested by CI. Signed-off-by: Scott Murray --- .../packagegroup/packagegroup-core-security.bb | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb index 7fb7b62..9c14240 100644 --- a/recipes-core/packagegroup/packagegroup-core-security.bb +++ b/recipes-core/packagegroup/packagegroup-core-security.bb @@ -3,6 +3,8 @@ LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \ file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" +PACKAGE_ARCH = "${MACHINE_ARCH}" + inherit packagegroup PACKAGES = "\ @@ -36,6 +38,8 @@ RDEPENDS:packagegroup-security-utils = "\ fscryptctl \ glome \ keyutils \ + libgssglue \ + libmhash \ nmap \ pinentry \ softhsm \ 
@@ -80,15 +84,16 @@ SUMMARY:packagegroup-security-ids = "Security Intrusion Detection systems" RDEPENDS:packagegroup-security-ids = " \ samhain-standalone \ suricata \ + python3-suricata-update \ ossec-hids \ aide \ " -RDEPENDS:packagegroup-security-ids:remove:powerpc = "suricata" -RDEPENDS:packagegroup-security-ids:remove:powerpc64le = "suricata" -RDEPENDS:packagegroup-security-ids:remove:powerpc64 = "suricata" -RDEPENDS:packagegroup-security-ids:remove:riscv32 = "suricata" -RDEPENDS:packagegroup-security-ids:remove:riscv64 = "suricata" +RDEPENDS:packagegroup-security-ids:remove:powerpc = "suricata python3-suricata-update" +RDEPENDS:packagegroup-security-ids:remove:powerpc64le = "suricata python3-suricata-update" +RDEPENDS:packagegroup-security-ids:remove:powerpc64 = "suricata python3-suricata-update" +RDEPENDS:packagegroup-security-ids:remove:riscv32 = "suricata python3-suricata-update" +RDEPENDS:packagegroup-security-ids:remove:riscv64 = "suricata python3-suricata-update" RDEPENDS:packagegroup-security-ids:remove:libc-musl = "ossec-hids" RDEPENDS:packagegroup-security-ids:remove:libc-musl = "aide" From patchwork Thu Oct 16 21:22:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Scott Murray X-Patchwork-Id: 72535 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 257DDCCD1A2 for ; Thu, 16 Oct 2025 21:22:55 +0000 (UTC) Received: from mail-qv1-f46.google.com (mail-qv1-f46.google.com [209.85.219.46]) by mx.groups.io with SMTP id smtpd.web10.1669.1760649766976898208 for ; Thu, 16 Oct 2025 14:22:47 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@konsulko.com header.s=google header.b=Ih7X95do; spf=pass (domain: konsulko.com, ip: 209.85.219.46, mailfrom: 
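Review bot: The commit message for patch 14/15 does not say why the new PACKAGE_ARCH = "${MACHINE_ARCH}" line in the first hunk is needed; it only says the switch is "to facilitate the above". Please state what actually fails when libmhash and libgssglue are added while the group is still all-arch, so a later reader can tell whether the setting can be dropped again. The message also refers to "machine overrides", but the overrides visible in this file (powerpc, powerpc64le, powerpc64, riscv32, riscv64, libc-musl) are architecture and libc overrides, so the wording should be tightened.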
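Review bot: In the packagegroup-security-ids hunk of patch 14/15, the string "suricata python3-suricata-update" is now repeated in five :remove lines (powerpc, powerpc64le, powerpc64, riscv32, riscv64), so the next package that depends on suricata means five more edits and an easy miss on one architecture. Consider holding the pair in a single variable and referencing it from each :remove line, so the exclusion list is maintained in one place.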
kRPQHcFlGA26e1797e4hKHPJQCHE4YBuUbGageEGDgvm9Ot6akqi+dm+VbFRyJp8I= X-Google-Smtp-Source: AGHT+IH1umu9Q3SxZRdcflOBhTh10j9iOjvFq9ZzbDvMysuaSQFsKC+bsctkQlaaiROhTi/E0mFM6g== X-Received: by 2002:ad4:5cab:0:b0:87c:2360:d415 with SMTP id 6a1803df08f44-87c2360d492mr6745006d6.24.1760649765737; Thu, 16 Oct 2025 14:22:45 -0700 (PDT) Received: from ghidorah.spiteful.org (107-179-213-3.cpe.teksavvy.com. [107.179.213.3]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-87c1c2fd4f4sm14647466d6.7.2025.10.16.14.22.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Oct 2025 14:22:45 -0700 (PDT) From: Scott Murray To: yocto-patches@lists.yoctoproject.org Cc: Marta Rybczynska Subject: [meta-security][PATCH 15/15] meta-tpm: Small maintainers fix Date: Thu, 16 Oct 2025 17:22:14 -0400 Message-ID: <16a3042a25e4a3e9df8999f97a4d6d2efc05dde7.1760648348.git.scott.murray@konsulko.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 16 Oct 2025 21:22:55 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/2340 To avoid confusion, remove stray aircrack-ng entry as it is actually in the main layer and not meta-tpm. Signed-off-by: Scott Murray --- meta-tpm/conf/distro/include/maintainers-meta-tpm.inc | 1 - 1 file changed, 1 deletion(-) diff --git a/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc b/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc index cbc1fcf..0ba4f1b 100644 --- a/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc +++ b/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc 
@@ -19,7 +19,6 @@ # RECIPE_MAINTAINER:pn- = "Full Name " # # Please keep this list in alphabetical order. -RECIPE_MAINTAINER:pn-aircrack-ng = "Scott Murray " RECIPE_MAINTAINER:pn-pcr-extend = "Scott Murray " RECIPE_MAINTAINER:pn-tpm-quote-tools = "Scott Murray " RECIPE_MAINTAINER:pn-libtpms = "Scott Murray "
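Review bot: The comment kept as context in this hunk says "Please keep this list in alphabetical order", yet the entries left after the deletion run pcr-extend, tpm-quote-tools, libtpms, which is not alphabetical. Since this patch is already a maintainers tidy-up, consider sorting the remaining entries here or in a follow-up. It would also help to confirm in the commit message that the main layer's maintainers file already carries the aircrack-ng entry, so the recipe does not end up without a listed maintainer.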