Re: [yocto] [meta-security][kirkstone][PATCH] sssd: fix CVE-2023-3758 Race condition during authorization leads to GPO policies functioning inconsistently

2024-04-22 Thread Armin Kuster
Hello Hitendra, On 4/22/24 9:00 AM, Hitendra Prajapati wrote: Upstream-Status: Backport from https://github.com/SSSD/sssd/commit/f4ebe1408e0bc67abfbfb5f0ca2ea13803b36726 Signed-off-by: Hitendra Prajapati A fix landed yesterday for the same issue. - armin ---

[yocto] [meta-security][PATCH 1/2] openscap: update to tip to fix new build issue.

2024-03-19 Thread Armin Kuster
drop patch now included. Signed-off-by: Armin Kuster --- ...e-distutils.sysconfig-with-sysconfig.patch | 57 --- recipes-compliance/openscap/openscap_1.3.9.bb | 8 +-- 2 files changed, 3 insertions(+), 62 deletions(-) delete mode 100644 recipes-compliance/openscap/files/0001

[yocto] [meta-security][PATCH 2/2] layers: add scarthgap to LAYERSERIES_COMPAT

2024-03-19 Thread Armin Kuster
Signed-off-by: Armin Kuster --- conf/layer.conf| 2 +- meta-hardening/conf/layer.conf | 2 +- meta-integrity/conf/layer.conf | 2 +- meta-parsec/conf/layer.conf| 2 +- meta-tpm/conf/layer.conf | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/conf

Re: [yocto] [meta-security][PATCH] meta-security: Drop ${PYTHON_PN}

2024-02-25 Thread Armin Kuster
On 2/23/24 12:22 AM, Anuj Mittal wrote: On Tue, 2024-02-20 at 12:32 -0500, Armin Kuster wrote: +    pyhton3-ctypes \ +    pyhton3-fcntl \ +    pyhton3-io \ +    pyhton3-logging \ +    pyhton3-misc \ +    pyhton3-shell \ +    pyhton3-threading \ pyhton3 -> python3 ? thanks for catch

[yocto] [meta-security][v2][PATCH] meta-security: Drop ${PYTHON_PN}

2024-02-25 Thread Armin Kuster
Signed-off-by: Armin Kuster --- V2] Fix typo in python3-pyinotify changes --- .../python/python3-flask-script_2.0.6.bb | 2 +- .../python/python3-pyinotify_0.9.6.bb | 14 +++--- .../fail2ban/python3-fail2ban_1.0.2.bb | 2 +- .../recipes-tpm2/tpm2

[yocto] [meta-security][PATCH] meta-security: Drop ${PYTHON_PN}

2024-02-20 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../python/python3-flask-script_2.0.6.bb | 2 +- .../python/python3-pyinotify_0.9.6.bb | 14 +++--- .../fail2ban/python3-fail2ban_1.0.2.bb | 2 +- .../recipes-tpm2/tpm2-pkcs11/tpm2-pkcs11_1.9.0.bb | 6 +++--- recipes

[yocto] [meta-security][PATCH] scap-security-guide: update to 0.1.71

2024-01-28 Thread Armin Kuster
change branch name to stable. Signed-off-by: Armin Kuster --- ...curity-guide_0.1.69.bb => scap-security-guide_0.1.71.bb} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename recipes-compliance/scap-security-guide/{scap-security-guide_0.1.69.bb => scap-security-guide_0.1

[yocto] [meta-security][PATCH] python3-pyinotify: do not rely on smtpd module

2024-01-23 Thread Armin Kuster
It's not mentioned anywhere in source code, and python 3.12 has removed it. Signed-off-by: Armin Kuster --- .../recipes-devtools/python/python3-pyinotify_0.9.6.bb | 1 - 1 file changed, 1 deletion(-) diff --git a/dynamic-layers/meta-python/recipes-devtools/python/python3

[yocto] [meta-security][PATCH] python3-pyinotify: fail2ban needs this module

2023-12-26 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../python/python3-pyinotify_0.9.6.bb | 19 +++ 1 file changed, 19 insertions(+) create mode 100644 dynamic-layers/meta-python/recipes-devtools/python/python3-pyinotify_0.9.6.bb diff --git a/dynamic-layers/meta-python/recipes-devtools

Re: [yocto] [meta-secutrity] tpm2-tools RDEPENDS behaviour in meta-tpm

2023-12-19 Thread Armin Kuster
On 12/18/23 9:56 AM, João Paulo Silva Gonçalves via lists.yoctoproject.org wrote: Hello, For kirkstone branch when adding tpm2-tools recipe to install on an image it will not work as it is missing tcti-device dependencies. Is this behaviour intended or can I send a patch to master to correct

[yocto] [meta-security][PATCH] arpwatch: adjust CONFIGURE params to allow to build again.

2023-12-17 Thread Armin Kuster
drop EXTRA_OECONF Signed-off-by: Armin Kuster --- recipes-scanners/arpwatch/arpwatch_3.3.bb | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/recipes-scanners/arpwatch/arpwatch_3.3.bb b/recipes-scanners/arpwatch/arpwatch_3.3.bb index 4b4d476..7a0a776 100644

[yocto] [meta-security][PATCH] layers: Move READMEs to markdown format

2023-12-14 Thread Armin Kuster
Signed-off-by: Armin Kuster --- README => README.md | 0 meta-hardening/{README => README.md} | 0 meta-tpm/{README => README.md} | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename README => README.md (100%) rename meta-hardening/{README =>

[yocto] [meta-security][PATCH 3/3] lynis: Update SRC_URI to improve updater

2023-12-14 Thread Armin Kuster
Signed-off-by: Armin Kuster --- recipes-compliance/lynis/lynis_3.0.9.bb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/recipes-compliance/lynis/lynis_3.0.9.bb b/recipes-compliance/lynis/lynis_3.0.9.bb index 8c796c0..5b5864c 100644 --- a/recipes-compliance/lynis

[yocto] [meta-security][PATCH 2/3] python3-privacyidea: Update to 3.9.1

2023-12-14 Thread Armin Kuster
Signed-off-by: Armin Kuster --- ...{python3-privacyidea_3.9.bb => python3-privacyidea_3.9.1.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename dynamic-layers/meta-python/recipes-security/mfa/{python3-privacyidea_3.9.bb => python3-privacyidea_3.9.1.bb} (96%) diff

[yocto] [meta-security][PATCH 1/3] libhoth recipe update

2023-12-14 Thread Armin Kuster
. Add arm_coordinated_reset. Signed-off-by: Armin Kuster --- meta-tpm/recipes-tpm1/hoth/libhoth_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb b/meta-tpm/recipes-tpm1/hoth/libhoth_git.bb index 5c7305c..7ba64f5 100644 --- a/meta

Re: [yocto] [meta-security][PATCH] ima,evm: Add two variables to write filenames and signatures into

2023-11-09 Thread Armin Kuster
merged. thanks, Armin On 11/1/23 1:13 PM, Stefan Berger wrote: Add two variables IMA_FILE_SIGNATURES_FILE and EVM_FILE_SIGNATURES_FILE for filenames where the ima_evm_sign_rootfs script can write the names of files and their IMA or EVM signatures into. Both variables are optional. The content

Re: [yocto] [meta-security][PATCH] samhain: remove the buildpath

2023-11-09 Thread Armin Kuster
On 11/8/23 9:43 PM, Yu, Mingli wrote: Ping. It's in master and nanbield https://git.yoctoproject.org/meta-security/commit/?id=9769990db3ca6dae405049b632966cd6e08a8ada BR, Armin Thanks, On 10/8/23 14:36, Yu, Mingli wrote: From: Mingli Yu Fixes:    WARNING: samhain-server-4.4.10-r0

Re: [yocto] [meta-parsec][master,nanbield][PATCH] Update parsec recipes

2023-11-03 Thread Armin Kuster
merged. thanks On 10/30/23 8:26 AM, Gowtham Suresh Kumar wrote: Parsec-service and parsec-tool recipes have been updated to use 1.3.0 and 0.7.0 versions respectively. Signed-off-by: Gowtham Suresh Kumar --- .../parsec-service/parsec-service-crates.inc | 736 +-

[yocto] FYI: New CVSS 4.0 version to be released end of month.

2023-10-13 Thread Armin Kuster
Not sure who may be aware of these changes coming. See https://www.first.org/cvss/v4-0/ for more info. BR, Armin

Re: [yocto] CDN for sstate.yoctoproject.org

2023-09-24 Thread Armin Kuster
Hello Michael, Thanks for working on this. BR, Armin On 9/23/23 3:52 PM, Michael Halstead wrote: When adding https://cdn.jsdelivr.net/yocto/sstate/all please remove any reference to sstate.yoctoproject.org from

[yocto] [meta-security][PATCH 7/7] lynis: Update to 3.0.9

2023-09-17 Thread Armin Kuster
Signed-off-by: Armin Kuster --- recipes-compliance/lynis/{lynis_3.0.8.bb => lynis_3.0.9.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename recipes-compliance/lynis/{lynis_3.0.8.bb => lynis_3.0.9.bb} (93%) diff --git a/recipes-compliance/lynis/lynis_3.0.8.bb b/recipes-comp

[yocto] [meta-security][PATCH 6/7] swtpm: update 0.8.1

2023-09-17 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../recipes-tpm/swtpm/{swtpm_0.8.0.bb => swtpm_0.8.1.bb} | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) rename meta-tpm/recipes-tpm/swtpm/{swtpm_0.8.0.bb => swtpm_0.8.1.bb} (92%) diff --git a/meta-tpm/recipes-tpm/swtpm/swtpm_0.8.0.bb b/me

[yocto] [meta-security][PATCH 4/7] chipsec: update to 1.12.2

2023-09-17 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../chipsec/{chipsec_1.9.1.bb => chipsec_1.12.2.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename recipes-security/chipsec/{chipsec_1.9.1.bb => chipsec_1.12.2.bb} (94%) diff --git a/recipes-security/chipsec/chipsec_1.9.1.bb b/r

[yocto] [meta-security][PATCH 5/7] libhtp: update to 0.5.45

2023-09-17 Thread Armin Kuster
Signed-off-by: Armin Kuster --- recipes-ids/suricata/{libhtp_0.5.44.bb => libhtp_0.5.45.bb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename recipes-ids/suricata/{libhtp_0.5.44.bb => libhtp_0.5.45.bb} (100%) diff --git a/recipes-ids/suricata/libhtp_0.5.44.bb b/recipes-ids/su

[yocto] [meta-security][PATCH 2/7] python3-privacyidea: update to 3.8.1

2023-09-17 Thread Armin Kuster
Signed-off-by: Armin Kuster --- ...{python3-privacyidea_3.8.1.bb => python3-privacyidea_3.9.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename dynamic-layers/meta-python/recipes-security/mfa/{python3-privacyidea_3.8.1.bb => python3-privacyidea_3.9.bb} (96%) diff

[yocto] [meta-security][PATCH 3/7] lkrg-module: update to 0.9.7

2023-09-17 Thread Armin Kuster
LIC_FILES_CHKSUM changed due to year update Signed-off-by: Armin Kuster --- .../lkrg/{lkrg-module_0.9.6.bb => lkrg-module_0.9.7.bb} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename recipes-kernel/lkrg/{lkrg-module_0.9.6.bb => lkrg-module_0.9.7.bb} (89%) diff

[yocto] [meta-security][PATCH] sssd: Update to 2.9.2

2023-09-17 Thread Armin Kuster
fixes musl build regarding time structs. Signed-off-by: Armin Kuster --- .../recipes-security/sssd/{sssd_2.9.1.bb => sssd_2.9.2.bb}| 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename dynamic-layers/networking-layer/recipes-security/sssd/{sssd_2.9.1.bb => sssd_2.9.2.b

[yocto] [meta-security][PATCH] suricata: Update to 7.0.0

2023-09-14 Thread Armin Kuster
refresh patches update libhtp Signed-off-by: Armin Kuster --- recipes-ids/suricata/files/fixup.patch| 26 +- .../{libhtp_0.5.43.bb => libhtp_0.5.44.bb}|2 +- recipes-ids/suricata/suricata-crates.inc | 1738 ++--- .../{suricata_6.0.11.bb => suricata_7.

[yocto] [meta-security][PATCH] suricata: fix build issue.

2023-09-12 Thread Armin Kuster
If you want to try to generate the lock file without accessing the network, remove the --frozen flag and use --offline instead. Signed-off-by: Armin Kuster --- recipes-ids/suricata/suricata_6.0.11.bb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/recipes-ids/suricata

[yocto] [meta-security][PATCH] scap-security-guide: update to 0.1.69+

2023-08-31 Thread Armin Kuster
Update to tip of branch Drop 0001-scap-security-guide-add-openembedded-distro-support.patch is now included in tip Signed-off-by: Armin Kuster --- ...uide-add-openembedded-distro-support.patch | 388 -- 1.67.bb => scap-security-guide_0.1.69.bb} | 5 +- 2 files changed

[yocto] [meta-security][PATCH 2/2] layer: add QA_WARNINGS to all layers

2023-08-03 Thread Armin Kuster
Signed-off-by: Armin Kuster --- conf/layer.conf| 2 ++ meta-hardening/conf/layer.conf | 2 ++ meta-integrity/conf/layer.conf | 2 ++ meta-parsec/conf/layer.conf| 2 ++ meta-tpm/conf/layer.conf | 2 ++ 5 files changed, 10 insertions(+) diff --git a/conf/layer.conf b

[yocto] [meta-security][PATCH 1/2] meta-tpm linux-yocto-rt: Add the bbappend for rt kernel

2023-08-03 Thread Armin Kuster
So that the security features in this layer can be used on the rt kernel. Signed-off-by: Armin Kuster --- meta-tpm/recipes-kernel/linux/linux-yocto-rt_%.bbappend | 1 + 1 file changed, 1 insertion(+) create mode 100644 meta-tpm/recipes-kernel/linux/linux-yocto-rt_%.bbappend diff --git a/meta

[yocto] [meta-security][PATCH] sshguard: Update to 2.4.3

2023-07-31 Thread Armin Kuster
Changelog: https://bitbucket.org/sshguard/sshguard/src/master/CHANGELOG.rst Signed-off-by: Armin Kuster --- .../sshguard/{sshguard_2.4.2.bb => sshguard_2.4.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename recipes-security/sshguard/{sshguard_2.4.2

Re: [yocto] [meta-security][kirkstone][PATCH] tpm2-tss: ignore CVE-2023-22745

2023-07-30 Thread Armin Kuster
On 7/29/23 5:34 PM, Marko, Peter wrote: Hi Armin, Gentle ping to pick this commit to kirkstone. merged. thanks. -armin Thanks, Peter -Original Message- From: yocto@lists.yoctoproject.org On Behalf Of Peter Marko via lists.yoctoproject.org Sent: Friday, June 30, 2023 0:10

[yocto] [meta-selinux][dunfell][patch 3/4] sysklogd: set correct security context for /var/log in initscript

2023-07-27 Thread Armin Kuster
picked from commit 7d3b1347ae949c7208482694fd773e4bc3f321b4) Signed-off-by: Armin Kuster --- recipes-extended/sysklogd/files/sysklogd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-extended/sysklogd/files/sysklogd b/recipes-extended/sysklogd/files/sysklogd index e49c2da

[yocto] [meta-selinux][dunfell][patch 1/4] refpolicy: remove version 2.20190201

2023-07-27 Thread Armin Kuster
From: Yi Zhao There is no need to maintain two versions of refpolicy. Drop this version and only keep the git version. Signed-off-by: Yi Zhao Signed-off-by: Joe MacDonald (cherry picked from commit 9e986d7d794f044464e1af914ddbcd57d8f1c2e9) Signed-off-by: Armin Kuster --- ...tile-alias-common

[yocto] [meta-selinux][dunfell][patch 0/4] Selinux failed to enable do to errors.

2023-07-27 Thread Armin Kuster
These backports fix issues we found on a PPC target and QEMU Machine Checking SELinux security contexts: /etc/selinux/standard/contexts/files/file_contexts.bin: line 1 error due to: Non-ASCII characters found /etc/selinux/standard/contexts/files/file_contexts.homedirs.bin: line 1 error due

[yocto] [meta-selinux][dunfell][patch 2/4] audit: set correct security context for /var/log/audit

2023-07-27 Thread Armin Kuster
for /var/log/audit restorecon: Permission denied. Use readlink to find the real path before set security context. Signed-off-by: Yi Zhao Signed-off-by: Joe MacDonald (cherry picked from commit 8b79480663bc9de2343e0146ed8d3d0e59ab48be) Signed-off-by: Armin Kuster --- recipes-security/audit/audit

[yocto] [meta-security][PATCH] meta-integrity: drop ima.cfg in favor of new k-cache

2023-07-20 Thread Armin Kuster
The upstream ima.cfg kernel-cache has been updated. Use it instead. Signed-off-by: Armin Kuster --- .../recipes-kernel/linux/linux/ima.cfg| 45 --- .../recipes-kernel/linux/linux/ima.scc| 4 -- .../recipes-kernel/linux/linux_ima.inc| 6 +-- 3 files

[yocto] [meta-security][PATCH 2/3] python3-json2html: add new pkg

2023-07-16 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../recipes-devtools/python/python3-xmldiff_2.6.3.bb | 9 + 1 file changed, 9 insertions(+) create mode 100644 dynamic-layers/meta-python/recipes-devtools/python/python3-xmldiff_2.6.3.bb diff --git a/dynamic-layers/meta-python/recipes-devtools

[yocto] [meta-security][PATCH 3/3] python3-json2html: add new pkg

2023-07-16 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../recipes-devtools/python/python3-json2html_1.3.0.bb | 9 + 1 file changed, 9 insertions(+) create mode 100644 dynamic-layers/meta-python/recipes-devtools/python/python3-json2html_1.3.0.bb diff --git a/dynamic-layers/meta-python/recipes-devtools

[yocto] [meta-security][PATCH 1/3] python3-yamlpath: Add new pkg

2023-07-16 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../recipes-devtools/python/python3-yamlpath_3.8.0.bb| 9 + 1 file changed, 9 insertions(+) create mode 100644 dynamic-layers/meta-python/recipes-devtools/python/python3-yamlpath_3.8.0.bb diff --git a/dynamic-layers/meta-python/recipes-devtools

[yocto] [meta-security][PATCH] scap-security-guide: enable ptest

2023-07-14 Thread Armin Kuster
This adds the basic framework to allow the test suite to run. It takes a very long time so it may not be practical to run in some cases (days in my case). The ptest log format has not been verified. Signed-off-by: Armin Kuster --- .../scap-security-guide/files/run-ptest | 7 +++ .../scap

Re: [linux-yocto] [kernel-cache][master][yocto-6.1][PATCH] features: update ima.cfg to match current meta-integrity

2023-07-14 Thread Armin Kuster
thanks On 7/12/23 4:04 PM, Bruce Ashfield wrote: merged (also to the new 6.4 branch). Bruce In message: [linux-yocto] [kernel-cache][master][yocto-6.1][PATCH] features: update ima.cfg to match current meta-integrity on 07/07/2023 Armin Kuster wrote: Signed-off-by: Armin Kuster

Re: [yocto] [meta-security][PATCH v2] openscap: fix buildpaths issue

2023-07-07 Thread Armin Kuster
Hello Kai, My apologies, I just noticed this sitting in my inbox. It should go in shortly. BR, Armin On 6/29/23 3:25 AM, kai.k...@windriver.com wrote: From: Kai Kang Variables PREFERRED_PYTHON_PATH and PYTHON3_PATH are set with ${PYTHON_EXECUTABLE}. For cross compile,

[linux-yocto] [kernel-cache][master][yocto-6.1][PATCH] features: update ima.cfg to match current meta-integrity

2023-07-07 Thread Armin Kuster
Signed-off-by: Armin Kuster --- features/ima/ima.cfg | 36 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/features/ima/ima.cfg b/features/ima/ima.cfg index 2fc801f7..acb5fd02 100644 --- a/features/ima/ima.cfg +++ b/features/ima/ima.cfg

[yocto] [meta-security][PATCH] packagegroup-security-tpm2: add more pkgs

2023-07-07 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../recipes-core/packagegroup/packagegroup-security-tpm2.bb| 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index 8663b77

[yocto] [meta-security][PATCH] scap-security-guide: refactor patches

2023-07-05 Thread Armin Kuster
Signed-off-by: Armin Kuster --- ...ide-add-openembedded-distro-support.patch} | 227 ++--- .../0001-standard.profile-expand-checks.patch | 231 -- ...cap-security-guide-Add-Poky-support.patch} | 57 ++--- .../scap-security-guide_0.1.67.bb | 7 +- 4

[yocto] [meta-security][PATCH] clamav: update SRC_URI

2023-07-05 Thread Armin Kuster
Signed-off-by: Armin Kuster --- recipes-scanners/clamav/clamav_0.104.4.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-scanners/clamav/clamav_0.104.4.bb b/recipes-scanners/clamav/clamav_0.104.4.bb index 68a7d1f..102f267 100644 --- a/recipes-scanners/clamav

[yocto] [meta-security][PATCH 1/2] python3-tpm2-pytss: add python tss2 support

2023-07-03 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../tpm2-pytss/python3-tpm2-pytss_2.1.0.bb| 15 +++ 1 file changed, 15 insertions(+) create mode 100644 meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb diff --git a/meta-tpm/recipes-tpm2/tpm2-pytss/python3-tpm2-pytss_2.1.0.bb b

[yocto] [meta-security][PATCH 2/2] packagegroup: add python3-tpm2-pytss

2023-07-03 Thread Armin Kuster
Signed-off-by: Armin Kuster --- meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb b/meta-tpm/recipes-core/packagegroup/packagegroup-security-tpm2.bb index fb0105e

Re: [yocto] [QUESTION] [meta-security/meta-tpm/recipes-tpm2] Kirkstone release

2023-07-02 Thread Armin Kuster
Benjamin, On 6/30/23 11:12 AM, Benjamin BARATTE via lists.yoctoproject.org wrote: Dear Maintainers, I’m using the meta-security with Kirkstone version to use discrete TPM with STM32MP1. I’m facing 3 issues : * The packagegroup does not include libtss2-tcti-device library -> mandatory

[yocto] [meta-security][PATCH 2/2] firejail: only allow x86-64 and arm64 to build

2023-06-30 Thread Armin Kuster
Signed-off-by: Armin Kuster --- recipes-security/Firejail/firejail_0.9.72.bb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/recipes-security/Firejail/firejail_0.9.72.bb b/recipes-security/Firejail/firejail_0.9.72.bb index 12a3105..5713f46 100644 --- a/recipes-security

[yocto] [meta-security][PATCH 1/2] packagegroup-core-security: only include firejail x86-64 and arch64

2023-06-30 Thread Armin Kuster
Signed-off-by: Armin Kuster --- recipes-core/packagegroup/packagegroup-core-security.bb | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb index 494745b

[yocto] [meta-security][PATCH] qemu: move qemu setting to image and out of layer.conf

2023-06-28 Thread Armin Kuster
I suspect it's better form to have these in the image definition. Signed-off-by: Armin Kuster --- conf/layer.conf | 2 -- recipes-core/images/security-build-image.bb | 5 + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/conf/layer.conf b/conf

Re: [yocto] [meta-security][PATCH] layer: add more memory for Qemu machines

2023-06-28 Thread Armin Kuster
On 6/28/23 12:47 PM, Richard Purdie wrote: On Wed, 2023-06-28 at 08:56 -0400, Armin Kuster wrote: Signed-off-by: Armin Kuster --- conf/layer.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/conf/layer.conf b/conf/layer.conf index 334a945..5f289cb 100644 --- a/conf/layer.conf

Re: [yocto] [meta-selinux][dunfell][PATCH] audit: Add https protocol for clonning repository

2023-06-28 Thread Armin Kuster
On 6/22/23 9:30 PM, Joe MacDonald wrote: Hi Armin, [Re: [yocto] [meta-selinux][dunfell][PATCH] audit: Add https protocol for clonning repository] On 23.06.22 (Thu 10:10) akuster wrote: Hello Selinux Maintainers, It is unclear if the Maintainers are up to supporting the Dunfell branch for

[yocto] [meta-security][PATCH] layer: add more memory for Qemu machines

2023-06-28 Thread Armin Kuster
Signed-off-by: Armin Kuster --- conf/layer.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/conf/layer.conf b/conf/layer.conf index 334a945..5f289cb 100644 --- a/conf/layer.conf +++ b/conf/layer.conf @@ -28,4 +28,7 @@ INHERIT += "sanity-meta-security" QB_KERNEL_CMDL

[yocto] [meta-security][PATC 2/3] python3-segno: add new package

2023-06-26 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../recipes-devtools/python/python3-segno_1.5.2.bb | 9 + 1 file changed, 9 insertions(+) create mode 100644 dynamic-layers/meta-python/recipes-devtools/python/python3-segno_1.5.2.bb diff --git a/dynamic-layers/meta-python/recipes-devtools/python

[yocto] [meta-security][PATC 3/3] python3-privacyidea: fixup REDPENDS

2023-06-26 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../recipes-security/mfa/python3-privacyidea_3.8.1.bb | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/dynamic-layers/meta-python/recipes-security/mfa/python3-privacyidea_3.8.1.bb b/dynamic-layers/meta-python/recipes-security/mfa

[yocto] [meta-security][PATC 1/3] python3-flask-script: add package

2023-06-26 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../python/python3-flask-script_2.0.6.bb | 14 ++ 1 file changed, 14 insertions(+) create mode 100644 dynamic-layers/meta-python/recipes-devtools/python/python3-flask-script_2.0.6.bb diff --git a/dynamic-layers/meta-python/recipes

[yocto] [meta-security][PATCH 2/2] ossec-hids: Fix usermod

2023-06-26 Thread Armin Kuster
Use built in USERMOD to set uid and gid properly. convert to using OSSEC_DIR instead of DIR Signed-off-by: Armin Kuster --- recipes-ids/ossec/ossec-hids_3.7.0.bb | 111 ++ 1 file changed, 58 insertions(+), 53 deletions(-) diff --git a/recipes-ids/ossec/ossec-hids_3.7.0

[yocto] [meta-security][PATCH 1/2] bastille: bastille/config should not be world writeable.

2023-06-26 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../meta-perl/recipes-security/bastille/bastille_3.2.1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dynamic-layers/meta-perl/recipes-security/bastille/bastille_3.2.1.bb b/dynamic-layers/meta-perl/recipes-security/bastille

Re: [yocto] [meta-security][PATCH] *.patch: add Upstream-Status to all patches

2023-06-22 Thread Armin Kuster
 === >   --- git.orig/include/tpm_tspi.h > diff --git a/recipes-compliance/openscap/files/0002-openembedded-add-Poky-distro.patch b/recipes-compliance/openscap/files/0002-openembedded-add

[yocto] [meta-security][PATCH 2/2] packagegroup-core-security: add os-release

2023-06-22 Thread Armin Kuster
Exclude openscap and scap-security-guide if musl Fix RDEPENDS list to include compliance packages. Signed-off-by: Armin Kuster --- recipes-core/packagegroup/packagegroup-core-security.bb | 4 1 file changed, 4 insertions(+) diff --git a/recipes-core/packagegroup/packagegroup-core

[yocto] [meta-security][PATCH 1/2] openscap: update to 1.3.8

2023-06-22 Thread Armin Kuster
Remediate service is now off by default. Only include if needed. Signed-off-by: Armin Kuster --- .../{openscap_1.3.7.bb => openscap_1.3.8.bb}| 13 + 1 file changed, 9 insertions(+), 4 deletions(-) rename recipes-compliance/openscap/{openscap_1.3.7.bb => openscap_1.

Re: [yocto] [meta-security][PATCH 2/2] scap-security-guide: add Upstream-Status

2023-06-22 Thread Armin Kuster
Ignore. On 6/22/23 11:13 AM, Armin Kuster via lists.yoctoproject.org wrote: Signed-off-by: Armin Kuster --- .../files/0001-standard.profile-expand-checks.patch | 2 ++ 1 file changed, 2 insertions(+) diff --git a/recipes-compliance/scap-security-guide/files/0001

Re: [yocto] [meta-security][master-next][PATCH] *.patch: fix malformed Upstream-Status and SOB lines

2023-06-22 Thread Armin Kuster
..43d550b 100644 --- a/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch +++ b/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch @@ -3,6 +3,7 @@ From: Armin Kuster Date: Wed, 21 Jun 2023 07:46:38 -0400 Subject: [PATCH

[yocto] [meta-security][PATCH 2/2] scap-security-guide: add Upstream-Status

2023-06-22 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../files/0001-standard.profile-expand-checks.patch | 2 ++ 1 file changed, 2 insertions(+) diff --git a/recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch b/recipes-compliance/scap-security-guide/files/0001

[yocto] [meta-security][PATCH 1/2] arpwatch: Fix typo in COMPATIBLE_HOST:libc-musl = "null"

2023-06-22 Thread Armin Kuster
Signed-off-by: Armin Kuster --- recipes-scanners/arpwatch/arpwatch_3.3.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/recipes-scanners/arpwatch/arpwatch_3.3.bb b/recipes-scanners/arpwatch/arpwatch_3.3.bb index 8efb339..4b4d476 100644 --- a/recipes-scanners/arpwatch

Re: [yocto] [meta-selinux][dunfell][PATCH] audit: Add https protocol for clonning repository

2023-06-22 Thread Armin Kuster
Hello Selinux Maintainers, It is unclear if the Maintainers are up to supporting the Dunfell branch for the duration of the Poky LTS?  I don't recall if there was any statement regarding this. I don't want to assume anything as I understand the commitment needed. BR, Armin On 6/21/23 3:18

[yocto] [meta-security][PATCH] scap-security-guide: Add Poky

2023-06-22 Thread Armin Kuster
Signed-off-by: Armin Kuster --- ...scap-security-guide-add-Poky-support.patch | 91 +++ .../scap-security-guide_0.1.67.bb | 1 + 2 files changed, 92 insertions(+) create mode 100644 recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-Poky

Re: [yocto] [meta-security][PATCH] dm-verity-image-initramfs: Allow compressed image types

2023-06-21 Thread Armin Kuster
this fails to build: The stack trace of python calls that resulted in this exception/failure was: File: '', lineno: 24, function: 0020:__anon_70__home_akuster_oss_clean_poky_meta_classes_recipe_rootfs_postcommands_bbclass(d)

[yocto] [meta-security][PATCH 1/2] clamav: drop unused patch

2023-06-21 Thread Armin Kuster
Signed-off-by: Armin Kuster --- recipes-scanners/clamav/files/test.patch | 26 1 file changed, 26 deletions(-) delete mode 100644 recipes-scanners/clamav/files/test.patch diff --git a/recipes-scanners/clamav/files/test.patch b/recipes-scanners/clamav/files/test.patch

[yocto] [meta-security][PATCH 2/2] isic: fine tune Upstream-Status

2023-06-21 Thread Armin Kuster
These are changes I did so apply the appropriate label. Signed-off-by: Armin Kuster --- recipes-security/isic/files/configure_fix.patch | 5 ++--- recipes-security/isic/files/isic-0.07-make.patch| 4 +--- recipes-security/isic/files/isic-0.07-netinet.patch | 4 +--- 3 files changed, 4

Re: [yocto] [meta-security][PATCH] openscap: fix buildpaths issue

2023-06-21 Thread Armin Kuster
Hello Kai, Can you rebase this to the latest master? There was a layer reorg that landed during the posting of this patch. BR, Armin On 6/20/23 11:55 PM, Kai Kang wrote: From: Kai Kang Variables PREFERRED_PYTHON_PATH and PYTHON3_PATH are set with ${PYTHON_EXECUTABLE}. For cross compile,

[yocto] [meta-security][PATCH] scap-security-guide: bump the number of test that pass

2023-06-21 Thread Armin Kuster
Add an eval script. Let's see how many checks pass out of the box Signed-off-by: Armin Kuster --- .../0001-standard.profile-expand-checks.patch | 228 ++ .../scap-security-guide/files/run_eval.sh | 3 + .../scap-security-guide_0.1.67.bb | 12 +- 3 files changed

Re: [yocto] [meta-security][PATCH] *.patch: add Upstream-Status to all patches

2023-06-21 Thread Armin Kuster
edded-add-Poky-distro.patch @@ -5,6 +5,8 @@ Subject: [PATCH 2/2] openembedded: add Poky distro Signed-off-by: Armin Kuster --- +Upstream-Status: Pending + cpe/openscap-cpe-dict.xml | 4 cpe/openscap-cpe-oval.xml | 14 ++ src/OVAL/probes/unix/r

[yocto] [meta-security][PATCH] openscap: Update to tip to get OE/Poky support

2023-06-20 Thread Armin Kuster
Drop changes now in upstream. Signed-off-by: Armin Kuster --- .../0001-openscap-Add-openembedded.patch | 128 -- .../0002-openembedded-add-Poky-distro.patch | 80 --- recipes-compliance/openscap/openscap_1.3.7.bb | 6 +- 3 files changed, 2 insertions(+), 212

[yocto] [meta-security][PATCH] meta-security-isafw: drop layer isafw project archived

2023-06-17 Thread Armin Kuster
Signed-off-by: Armin Kuster --- meta-security-isafw/.gitignore| 2 - meta-security-isafw/COPYING.MIT | 17 - meta-security-isafw/README.md | 92 meta-security-isafw/classes/isafw.bbclass | 317 -- meta-security-isafw/conf

[yocto] [meta-security][v2][PATCH] packagegroup-core-security: add compliance pkg group

2023-06-14 Thread Armin Kuster
Signed-off-by: Armin Kuster --- v2] Missed to include trailing \ --- recipes-core/packagegroup/packagegroup-core-security.bb | 8 1 file changed, 8 insertions(+) diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core

[yocto] [meta-security][PATCH] packagegroup-core-security: add compliance pkg group

2023-06-14 Thread Armin Kuster
Signed-off-by: Armin Kuster --- recipes-core/packagegroup/packagegroup-core-security.bb | 8 1 file changed, 8 insertions(+) diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb index b009a4d..39f60f2 100644

[yocto] [meta-security][PATCH 2/2] scap-security-guide: add OE support

2023-06-14 Thread Armin Kuster
Signed-off-by: Armin Kuster --- ...scap-security-guide-add-openembedded.patch | 231 ++ .../scap-security-guide_0.1.67.bb | 13 +- 2 files changed, 235 insertions(+), 9 deletions(-) create mode 100644 recipes-compliance/scap-security-guide/files/0001-scap-security

[yocto] [meta-security][PATCH 1/2] openscap: add support for OpenEmbedded nodistro and Poky

2023-06-14 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../0001-openscap-Add-openembedded.patch | 128 ++ .../0002-openembedded-add-Poky-distro.patch | 80 +++ recipes-compliance/openscap/openscap_1.3.7.bb | 9 +- 3 files changed, 215 insertions(+), 2 deletions(-) create mode 100644

[yocto] [meta-security][PATCH 7/7] meta-security-compliance: remove layer

2023-06-13 Thread Armin Kuster
simplify structure. Signed-off-by: Armin Kuster --- meta-security-compliance/README | 41 meta-security-compliance/conf/layer.conf | 15 - 2 files changed, 56 deletions(-) delete mode 100644 meta-security-compliance/README delete mode 100644 meta

[yocto] [meta-security][PATCH 5/7] lynis: move to main meta-security layer

2023-06-13 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../lynis/files/0001-osdetection-add-OpenEmbedded-and-Poky.patch | 0 .../recipes-auditors => recipes-compliance}/lynis/lynis_3.0.8.bb | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename {meta-security-compliance/recipes-auditors => recipes-comp

[yocto] [meta-security][PATCH 4/7] openscap: Drop OE specific recipe

2023-06-13 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../recipes-openscap/openscap/openscap.inc| 55 --- .../recipes-openscap/openscap/openscap_git.bb | 14 - 2 files changed, 69 deletions(-) delete mode 100644 meta-security-compliance/recipes-openscap/openscap/openscap.inc delete mode

[yocto] [meta-security][PATCH 6/7] openscap: move to main meta-security layer

2023-06-13 Thread Armin Kuster
Signed-off-by: Armin Kuster --- .../openscap/openscap_1.3.7.bb| 0 .../scap-security-guide/scap-security-guide_0.1.67.bb | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename {meta-security-compliance/recipes-openscap => recipes-complia

[yocto] [meta-security][PATCH 2/7] oe-scap: Not maintained nor upstreamed

2023-06-13 Thread Armin Kuster
drop Signed-off-by: Armin Kuster --- .../files/OpenEmbedded_nodistro_0.xccdf.xml | 14 .../oe-scap/files/OpenEmbedded_nodistro_0.xml | 83 --- .../oe-scap/files/oval-to-xccdf.xslt | 72 .../recipes-openscap/oe-scap/files/run_cve.sh | 7

[yocto] [meta-security][PATCH 1/7] openscap-daemon: This is now obsolete

2023-06-13 Thread Armin Kuster
drop pkg Signed-off-by: Armin Kuster --- ...le-and-variables-to-get-rid-of-async.patch | 130 -- .../openscap-daemon/openscap-daemon_0.1.10.bb | 23 2 files changed, 153 deletions(-) delete mode 100644 meta-security-compliance/recipes-openscap/openscap-daemon/files/0001

[yocto] [meta-security][PATCH 3/7] openscap: Fix native build missing depends

2023-06-13 Thread Armin Kuster
Include .inc for pending change New host OS required an addition to the depends file Signed-off-by: Armin Kuster --- .../openscap/openscap_1.3.7.bb| 60 +-- 1 file changed, 54 insertions(+), 6 deletions(-) diff --git a/meta-security-compliance/recipes-openscap

[yocto] [meta-security][PATCH] scap-security-guide: update to tip

2023-06-12 Thread Armin Kuster
Make default Signed-off-by: Armin Kuster --- .../scap-security-guide_0.1.67.bb | 37 +-- 1 file changed, 34 insertions(+), 3 deletions(-) diff --git a/meta-security-compliance/recipes-openscap/scap-security-guide/scap-security-guide_0.1.67.bb b/meta-security

[yocto] [meta-security][PATCH] scap-security-guide_git: drop oe version

2023-06-12 Thread Armin Kuster
This is un-maintained so dropping this version Signed-off-by: Armin Kuster --- ...ng-of-the-remediation-functions-file.patch | 39 - ...c-file-check-tests-in-installed-OS-d.patch | 46 --- ...ated-instance-of-element.getchildren.patch | 43

[yocto] [meta-security][PATCH] scap-security-guide: update to 0.1.67

2023-06-08 Thread Armin Kuster
Signed-off-by: Armin Kuster --- ...p-security-guide_0.1.44.bb => scap-security-guide_0.1.67.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-security-compliance/recipes-openscap/scap-security-guide/{scap-security-guide_0.1.44.bb => scap-security-guide_0.1.67.b

Re: [yocto] kirkstone meta-security branch

2023-06-07 Thread Armin Kuster
Hello Peter, On 6/5/23 4:31 AM, Peter Marko via lists.yoctoproject.org wrote: Hello maintainers, I'd be interested to know if meta-security repository for kirkstone is still maintained. Looking at commit history, there are only two commits since July 2022 (almost a year). Thanks for

Re: [yocto] [meta-security][PATCH] ibmswtpm2: update to 164-2020-192.1

2023-05-25 Thread Armin Kuster
On 5/24/23 5:38 PM, Andrew Geissler wrote: On May 24, 2023, at 4:38 PM, akuster808 wrote: On 5/24/23 4:03 PM, Andrew Geissler wrote: This version supports openssl 3.1 The maintainer changed his tag versions hence the different looking version. The maintainer also has stopped releasing

Re: [yocto] [meta-security][PATCH] ibmswtpm2: update to 164-2020-192.1

2023-05-24 Thread Armin Kuster
On 5/24/23 4:03 PM, Andrew Geissler wrote: This version supports openssl 3.1 The maintainer changed his tag versions hence the different looking version. The maintainer also has stopped releasing tar files and asked we directly grab from git. Why did the License file change? -armin

Re: [yocto] Inquiry Regarding License Compatibility in OpenEmbedded Meta-Security Layer #selinux #yocto #qt5 #kernel #hardknott #bitbake #dunfell #gplv3 #imx8 #linux

2023-05-23 Thread Armin Kuster
On 5/23/23 7:53 AM, Alexander Kanavin wrote: On Tue, 23 May 2023 at 13:30, wrote: I am reaching out to seek clarification regarding the license compatibility within the OpenEmbedded Meta-Security layer, particularly in relation to the presence of LGPL, GPL 2.0 and GPL 3.0 licenses and the

Re: [yocto] [meta-security][PATCH] libhoth_git.bb:SRCREV bump 1622e8a04..d769296220d

2023-05-22 Thread Armin Kuster
On 5/17/23 1:27 PM, John Broadbent via lists.yoctoproject.org wrote: From: John Edward Broadbent merged thanks. -armin Updating libhoth to match version in openbmc https://gerrit.openbmc.org/c/openbmc/openbmc/+/63424 libhoth detailed changes: Willy Tu Expose header files expose

Re: [yocto] [meta-security] proper place for recipes for kernel fuzzing

2023-05-19 Thread Armin Kuster
Hello, On 5/19/23 9:18 AM, Weiß, Simone wrote: Hi, I want to upstream recipes for syzkaller to provide an easy option to fuzz yocto-based kernel. I would like to check if meta-security could be a good place to add this. The syzkaller recipe itself is in meta-oe. Are talking about adding
