Diffstat (limited to 'meta-security/recipes-ids/samhain/files')
19 files changed, 1043 insertions, 0 deletions
diff --git a/meta-security/recipes-ids/samhain/files/run-ptest b/meta-security/recipes-ids/samhain/files/run-ptest new file mode 100755 index 0000000000..2a4a765305 --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/run-ptest @@ -0,0 +1,3 @@ +#!/bin/sh +current_dir=$(dirname $(readlink -f $0)) +$current_dir/cutest diff --git a/meta-security/recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch b/meta-security/recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch new file mode 100644 index 0000000000..088a938e35 --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-add-LDFLAGS-variable-for-samhain_setpwd.patch @@ -0,0 +1,28 @@ +From ae79606a6745dbbd429d1d4671dfe3045d735057 Mon Sep 17 00:00:00 2001 +From: Jackie Huang <jackie.huang@windriver.com> +Date: Thu, 14 Sep 2017 13:26:55 +0800 +Subject: [PATCH] Add LDFLAGS variable for compiling samhain_setpwd + +Upstream-Status: Pending + +Signed-off-by: Jackie Huang <jackie.huang@windriver.com> +--- + Makefile.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.in b/Makefile.in +index 01de987..49356cf 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -1128,7 +1128,7 @@ sh_tiger_i.o: $(srcsrc)/$(TIGER_SRC) Makefile config_xor.h + samhain_setpwd: encode config_xor.h $(srcsrc)/samhain_setpwd.c + @echo '$(COMPILE) -o samhain_setpwd $(srcsrc)/samhain_setpwd.c'; \ + ./encode $(XOR_CODE) $(srcsrc)/samhain_setpwd.c; \ +- $(COMPILE) -o samhain_setpwd x_samhain_setpwd.c; \ ++ $(COMPILE) $(LDFLAGS) -o samhain_setpwd x_samhain_setpwd.c; \ + rm x_samhain_setpwd.c + + samhain_stealth: encode config_xor.h $(srcsrc)/samhain_stealth.c +-- +2.11.0 + diff --git a/meta-security/recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch b/meta-security/recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch new file mode 100644 index 0000000000..6bf67e09b0 --- /dev/null 
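Review bot: `current_dir=$(dirname $(readlink -f $0))` and `$current_dir/cutest` leave `$0` and the computed directory unquoted, so an install path containing whitespace breaks under word splitting; `current_dir=$(dirname "$(readlink -f "$0")")` and `"$current_dir/cutest"` close that. The script also just passes through whatever cutest prints and returns its exit status; if the ptest harness expects `PASS:`/`FAIL:` lines, the exit status alone will not be enough, which cannot be confirmed from this page.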
+++ b/meta-security/recipes-ids/samhain/files/samhain-avoid-searching-host-for-postgresql.patch 
@@ -0,0 +1,134 @@ +From 3e2ca7e06b16ceff6d12beb5113312f6525df595 Mon Sep 17 00:00:00 2001 +From: Jackie Huang <jackie.huang@windriver.com> +Date: Thu, 14 Sep 2017 11:02:12 +0800 +Subject: [PATCH] configure.ac: avoid searching host for postgresql + +Upstream-Status: Inappropriate [cross compile specific] + +Signed-off-by: Jackie Huang <jackie.huang@windriver.com> +--- + configure.ac | 101 +++-------------------------------------------------------- + 1 file changed, 5 insertions(+), 96 deletions(-) + +diff --git a/configure.ac b/configure.ac +index a224c68..f658d53 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1278,90 +1278,11 @@ AC_ARG_WITH(database, + AC_DEFINE(WITH_POSTGRES) + AC_DEFINE(WITH_DATABASE) + # +- PGCONF="no" +- MY_PATH="${PATH}:/usr/local/bin:/usr/local/pgsql/bin" +- OLD_IFS="$IFS" +- IFS=":" +- for ff in ${MY_PATH} +- do +- if test -f "$ff/pg_config" +- then +- PGCONF="$ff/pg_config" +- fi +- done +- IFS="${OLD_IFS}" +- # +- # +- if test "x${PGCONF}" = "xno" +- then +- AC_MSG_CHECKING(for PostgreSQL in /usr/local/pgsql /usr/pgsql /usr/local /usr PGSQL_HOME) +- pgsql_directory="/usr/local/pgsql /usr/pgsql /usr/local /usr ${PGSQL_HOME}" +- for i in $pgsql_directory; do +- if test -r $i/include/pgsql/libpq-fe.h; then +- PGSQL_INC_DIR=$i/include +- PGSQL_DIR=$i +- # use AC_CHECK_HEADERS to check for pgsql/libpq-fe.h +- fi +- done +- if test -z "$PGSQL_DIR"; then +- for i in $pgsql_directory; do +- if test -r $i/include/postgresql/libpq-fe.h; then +- PGSQL_INC_DIR=$i/include +- PGSQL_DIR=$i +- fi +- done +- fi +- if test -z "$PGSQL_DIR"; then +- for i in $pgsql_directory; do +- if test -r $i/include/libpq-fe.h; then +- PGSQL_INC_DIR=$i/include +- PGSQL_DIR=$i +- fi +- done +- fi +- +- if test -z "$PGSQL_DIR"; then +- tmp="" +- for i in $pgsql_directory; do +- tmp="$tmp $i/include $i/include/pgsql $i/include/postgresql" +- done +- FAIL_MESSAGE("PostgreSQL header file (libpq-fe.h)", $tmp) +- fi +- +- for i in lib lib/pgsql lib/postgresql; do +- 
str="$PGSQL_DIR/$i/libpq.*" +- for j in `echo $str`; do +- if test -r $j; then +- PGSQL_LIB_DIR="$PGSQL_DIR/$i" +- break 2 +- fi +- done +- done +- +- if test -z "$PGSQL_LIB_DIR"; then +- for ff in $pgsql_directory; do +- for i in lib lib/pgsql lib/postgresql; do +- str="$ff/$i/libpq.*" +- for j in `echo $str`; do +- if test -r $j; then +- PGSQL_LIB_DIR="$ff/$i" +- break 3 +- fi +- done +- done +- done +- fi +- +- if test -z "$PGSQL_LIB_DIR"; then +- tmp="" +- for i in $pgsql_directory; do +- tmp="$i/lib $i/lib/pgsql $i/lib/postgresql" +- done +- FAIL_MESSAGE("postgresql library libpq", $tmp) +- fi +- +- AC_MSG_RESULT(yes) +- ++ if test -z "${PGSQL_LIB_DIR}" ; then ++ FAIL_MESSAGE("PGSQL_LIB_DIR is not set!") ++ elif test -z "${PGSQL_INC_DIR}" ; then ++ FAIL_MESSAGE("PGSQL_INC_DIR is not set!") ++ else + LIBS="$LIBS -L${PGSQL_LIB_DIR} -lpq -lm" + if test x"$enable_static" = xyes; then + LIBS="$LIBS -L${PGSQL_LIB_DIR} -lpq -lcrypt -lm" +@@ -1370,18 +1291,6 @@ AC_ARG_WITH(database, + fi + # CFLAGS="$CFLAGS -I${PGSQL_INC_DIR}" + CPPFLAGS="$CPPFLAGS -I${PGSQL_INC_DIR}" +- AC_CHECK_HEADERS(pgsql/libpq-fe.h) +- AC_CHECK_HEADERS(postgresql/libpq-fe.h) +- else +- pg_lib_dir=`${PGCONF} --libdir` +- if test x"$enable_static" = xyes; then +- LIBS="$LIBS -L${pg_lib_dir} -lpq -lcrypt -lm" +- else +- LIBS="$LIBS -L${pg_lib_dir} -lpq -lm" +- fi +- pg_inc_dir=`${PGCONF} --includedir` +- # CFLAGS="$CFLAGS -I${pg_inc_dir}" +- CPPFLAGS="$CPPFLAGS -I${pg_inc_dir}" + fi + elif test "x${withval}" = "xodbc"; then + AC_MSG_CHECKING(for odbc in /usr /usr/local ODBC_HOME) +-- +2.11.0 + diff --git a/meta-security/recipes-ids/samhain/files/samhain-client.default b/meta-security/recipes-ids/samhain/files/samhain-client.default new file mode 100644 index 0000000000..9899577ae8 --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-client.default @@ -0,0 +1,3 @@ +# Set this to "yes" to start the server, after you configure it, of +# course. +SAMHAIN_CLIENT_START="no"
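Review bot: The replacement block drops the two `AC_CHECK_HEADERS(pgsql/libpq-fe.h)` / `AC_CHECK_HEADERS(postgresql/libpq-fe.h)` probes together with the host search, so the `HAVE_PGSQL_LIBPQ_FE_H` / `HAVE_POSTGRESQL_LIBPQ_FE_H` macros those probes define are no longer produced for the postgres build; if any source selects its include on them, the cross build now takes a different path without any diagnostic. Since the kept branch still extends `CPPFLAGS` with `-I${PGSQL_INC_DIR}`, the probes can stay directly after that line: `AC_CHECK_HEADERS(pgsql/libpq-fe.h)` and `AC_CHECK_HEADERS(postgresql/libpq-fe.h)`. Whether the sources actually rely on those macros is not visible here and should be confirmed before keeping the deletion. The new `FAIL_MESSAGE("PGSQL_LIB_DIR is not set!")` calls use a single argument while the removed code always passed two; confirm the macro accepts one.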
\ No newline at end of file diff --git a/meta-security/recipes-ids/samhain/files/samhain-client.init b/meta-security/recipes-ids/samhain/files/samhain-client.init new file mode 100644 index 0000000000..d5fabeded4 --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-client.init 
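Review bot: The comment in samhain-client.default reads `Set this to "yes" to start the server`, but the variable it documents is `SAMHAIN_CLIENT_START`, which gates the client init script; the same wording is copied into samhain-standalone.default for `SAMHAIN_STANDALONE_START`. Suggest `# Set this to "yes" to start the client, after you configure it, of course.` here and the corresponding wording (`... to start samhain ...`) in the standalone file. The client and server default files also end without a trailing newline, which is harmless when sourced but trips tooling that appends to them.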
@@ -0,0 +1,122 @@ +#!/bin/bash +# chkconfig: 2345 99 10 +# description: File Integrity Checking Daemon +# +# processname: samhain +# config : /etc/samhainrc +# logfile : /var/log/samhain_log +# database: /var/lib/samhain/samhain_file +# + +NAME=samhain +DAEMON=/usr/sbin/samhain +RETVAL=0 +PIDFILE=/var/run/samhain.pid + +. /etc/default/rcS + +. /etc/default/samhain-client + +if [ "x$SAMHAIN_CLIENT_START" != "xyes" ]; then + echo "${0}: client disabled in /etc/default/samhain-client" + exit 0 +fi + +if [ -x $DAEMON ]; then + : +else + echo "${0}: executable ${DAEMON} not found" + exit 1 +fi + +if [ ! -e /var/lib/samhain/samhain_file ]; then + echo "${0}: /var/lib/samhain/samhain_file does not exist. You must" + echo " run 'samhain -t init' before samhian-client can start." + exit 1 +fi + +samhain_done() +{ + if [ $RETVAL -eq 0 ]; then + echo "." + else + echo " failed." + fi +} + +log_stat_msg () { +case "$1" in + 0) + echo "Service $NAME: Running"; + ;; + 1) + echo "Service $NAME: Stopped and /var/run pid file exists"; + ;; + 3) + echo "Service $NAME: Stopped"; + ;; + *) + echo "Service $NAME: Status unknown"; + ;; +esac +} + +case "$1" in + start) + # + # Remove a stale PID file, if found + # + if test -f ${PIDFILE}; then + /bin/rm -f ${PIDFILE} + fi + # + echo -n "Starting ${NAME}" + start-stop-daemon --start --quiet --exec $DAEMON + RETVAL=$? + samhain_done + ;; + + stop) + echo -n "Stopping $NAME" + start-stop-daemon --stop --quiet --exec $DAEMON + RETVAL=$? + + # + # Remove a stale PID file, if found + # + if test -f ${PIDFILE}; then + /bin/rm -f ${PIDFILE} + fi + if test -S /var/run/${NAME}.sock; then + /bin/rm -f /var/run/${NAME}.sock + fi + samhain_done + ;; + + restart) + $0 stop + sleep 3 + $0 start + RETVAL=$? + ;; + + reload|force-reload) + echo -n "Reloading $NAME configuration files" + start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON + RETVAL=$? + samhain_done + ;; + + status) + $DAEMON status + RETVAL=$? 
+ log_stat_msg ${RETVAL} + ;; + + *) + echo "$0 usage: {start|stop|status|restart|reload}" + exit 1 + ;; +esac + +exit $RETVAL diff --git a/meta-security/recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch b/meta-security/recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch new file mode 100644 index 0000000000..8de0735fcd --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-configure-add-option-for-ps.patch 
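Review bot: The error text in the `samhain_file` check reads `run 'samhain -t init' before samhian-client can start.` — `samhian` is a typo for `samhain`, and the same typo appears in samhain-standalone.init (`before samhian can start`). The `start)` branch deletes `${PIDFILE}` unconditionally before calling `start-stop-daemon --start`, so if an instance is already running its PID file is removed even though the start is then refused; checking liveness first, or passing `--pidfile ${PIDFILE}` to start-stop-daemon, keeps the two in step. The tests `[ -x $DAEMON ]`, `test -f ${PIDFILE}` and the `--exec $DAEMON` arguments are unquoted; the values are constants here, so this is only style, but `[ -x "$DAEMON" ]` keeps the script safe if the variables ever move into the defaults file.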
@@ -0,0 +1,108 @@ +From 02a143f0068cbc6cea71359169210fbb3606d4bb Mon Sep 17 00:00:00 2001 +From: Jackie Huang <jackie.huang@windriver.com> +Date: Mon, 18 Jan 2016 00:24:57 -0500 +Subject: [PATCH] configure: add option for ps + +The configure searches hardcoded host paths for PSPATH +and run ps commands to decide PSARG which will fail +on host without ps: +| configure: error: Cannot find ps in any of /usr/ucb /bin /usr/bin + +So add an option so we can specify the ps at configure +to avoid host contamination. + +Upstream-Status: Inappropriate [cross compile specific] + +Signed-off-by: Jackie Huang <jackie.huang@windriver.com> +--- + aclocal.m4 | 2 +- + configure.ac | 60 ++++++++++-------------------------------------------------- + 2 files changed, 11 insertions(+), 51 deletions(-) + +diff --git a/aclocal.m4 b/aclocal.m4 +index a2e59a6..cd20a2f 100644 +--- a/aclocal.m4 ++++ b/aclocal.m4 +@@ -409,7 +409,7 @@ x_includes=NONE + x_libraries=NONE + DESTDIR= + SH_ENABLE_OPTS="selinux posix-acl asm ssp db-reload xml-log message-queue login-watch process-check port-check mounts-check logfile-monitor userfiles debug ptrace static network udp nocl stealth micro-stealth install-name identity khide suidcheck base largefile mail external-scripts encrypt srp dnmalloc ipv6 shellexpand suid" +-SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file" ++SH_WITH_OPTS="prelude libprelude-prefix database libwrap cflags libs console altconsole timeserver alttimeserver rnd egd-socket port logserver altlogserver kcheck gpg keyid checksum fp recipient sender trusted tmp-dir config-file log-file pid-file state-dir data-file html-file ps-path" + + # Installation directory options. 
+ # These are left unexpanded so users can "make install exec_prefix=/foo" +diff --git a/configure.ac b/configure.ac +index 5910b1f..8c3e087 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -730,56 +730,16 @@ then + fi + AC_CHECK_HEADERS(gmp.h) + +-AC_MSG_CHECKING([for ps]) +-PS= +-for ff in /usr/ucb /bin /usr/bin; do +- if test -x "$ff/ps"; then +- PS="$ff/ps" +- AC_MSG_RESULT([$PS]) +- break +- fi +-done +-if test x$PS = x +-then +- AC_MSG_RESULT([no]) +- AC_MSG_ERROR([Cannot find ps in any of /usr/ucb /bin /usr/bin]) +-fi +-AC_DEFINE_UNQUOTED([PSPATH], _("$PS"), [Path to ps]) +- +-AC_MSG_CHECKING([how to use ps]) +-$PS ax >/dev/null 2>&1 +-if test $? -eq 0; then +- case "$host_os" in +- *openbsd*) +- one=`$PS akx | wc -l` +- ;; +- *) +- one=`$PS ax | wc -l` +- ;; +- esac +-else +- one=0 +-fi +-$PS -e >/dev/null 2>&1 +-if test $? -eq 0; then +- two=`$PS -e | wc -l` +-else +- two=0 +-fi +-if test $one -ge $two +-then +- case "$host_os" in +- *openbsd*) +- PSARG="akx" +- ;; +- *) +- PSARG="ax" +- ;; +- esac +-else +- PSARG="-e" +-fi +-AC_DEFINE_UNQUOTED([PSARG], _("$PSARG"), [Argument for ps]) ++AC_ARG_WITH(ps-path, ++ [ --with-ps-path=PATH set path to ps command ], ++ [ ++ if test "x${withval}" != xno; then ++ pspath="${withval}" ++ AC_DEFINE_UNQUOTED([PSPATH], _("${pspath}"), [Path to ps]) ++ AC_DEFINE_UNQUOTED([PSARG], _("ax"), [Argument for ps]) ++ fi ++ ]) ++ + AC_MSG_RESULT([$PS $PSARG]) + + dnl ***************************************** +-- +1.9.1 + diff --git a/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch b/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch new file mode 100644 index 0000000000..7f80a5c61f --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-cross-compile.patch 
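Review bot: The kept line `AC_MSG_RESULT([$PS $PSARG])` now reports variables nothing assigns any more — the removed probe was the only place `PS` and `PSARG` were set — so configure prints an empty result; inside the `AC_ARG_WITH` body set `PS="${pspath}"` and `PSARG="ax"`, or print `${pspath}` directly. When `--with-ps-path` is not passed, `PSPATH` and `PSARG` are never defined at all and the patch offers neither an error nor a fallback, so a build without the option either fails later or compiles without a ps path depending on how the sources guard those macros (not visible here); an `AC_MSG_ERROR([--with-ps-path is required])` in the default action, or falling back to the old probe, would make that explicit. Hardcoding `PSARG` to `ax` also drops the `akx` variant the removed code chose for OpenBSD, which is acceptable for a Linux-only layer but deserves a sentence in the patch description.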
@@ -0,0 +1,51 @@ +From f63908427b2adb1792c59edbe38618e14ef5bc7b Mon Sep 17 00:00:00 2001 +From: Jackie Huang <jackie.huang@windriver.com> +Date: Fri, 15 Jan 2016 00:48:58 -0500 +Subject: [PATCH] Enable obfuscating binaries natively. + +Enable obfuscating binaries natively. + +The samhain build process involves an obfuscation step that attempts to +defeat decompilation or other binary analysis techniques which might reveal +secret information that should be known only to the system administrator. +The obfuscation step builds several applications which run on the build host +and then generate target code, which is then built into target binaries. + +This patch creates a basic infrastructure that supports building the +obfuscation binaries natively then cross-compiling the target code by adding +a special configure option. In the absence of this option the old behaviour +is preserved. + +Upstream-Status: Inappropriate [cross compile specific] + +Signed-off-by: Aws Ismail <aws.ismail@windriver.com> +Signed-off-by: Jackie Huang <jackie.huang@windriver.com> +--- + Makefile.in | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/Makefile.in b/Makefile.in +index 684e92b..fb090e2 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -54,7 +54,7 @@ selectconfig = @selectconfig@ + top_builddir = . + + INSTALL = @INSTALL@ +-INSTALL_PROGRAM = @INSTALL@ -s -m 700 ++INSTALL_PROGRAM = @INSTALL@ -m 700 + INSTALL_SHELL = @INSTALL@ -m 700 + INSTALL_DATA = @INSTALL@ -m 600 + INSTALL_MAN = @INSTALL@ -m 644 +@@ -525,8 +525,6 @@ install-program: $(PROGRAMS) sstrip + echo " $(INSTALL_PROGRAM) $$p $$target"; \ + $(INSTALL_PROGRAM) $$p $$target; \ + chmod 0700 $$target; \ +- echo " ./sstrip $$target"; \ +- ./sstrip $$target; \ + else \ + echo " $(INSTALL_SHELL) $$p $$target"; \ + $(INSTALL_SHELL) $$p $$target; \ +-- +1.9.1 + 
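Review bot: The patch description promises "a special configure option" with the old behaviour preserved in its absence, but the hunks only remove `-s` from `INSTALL_PROGRAM` and delete the `./sstrip $$target` step unconditionally — no option is added and the old behaviour is not selectable. Either rewrite the description to say that stripping and sstrip are removed so the build system can strip the cross-compiled binaries itself, or guard the removal with a configure substitution as described. The description itself says `sstrip` is part of samhain's binary-obfuscation step, so dropping it changes what is installed; whether the layer's own strip step is relied on instead is not visible here.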
diff --git a/meta-security/recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch b/meta-security/recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch new file mode 100644 index 0000000000..0608660689 --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-mips64-aarch64-dnmalloc-hash-fix.patch @@ -0,0 +1,44 @@ +commit 0f6bdc219e598de08a3f37887efa5dfa50e2b996 +Author: Aws Ismail <aws.ismail@windriver.com> +Date: Fri Jun 22 15:47:08 2012 -0400 + +Hash fix for MIPS64 and AARCH64 + +Samhain uses the addresses of local variables in generating hash +values. The hashing function is designed only for 32-bit values. +For MIPS64 when a 64-bit address is passed in the resulting hash +exceeds the limits of the underlying mechanism and samhain +ultimately fails. The solution is to simply take the lower +32-bits of the address and use that in generating hash values. + +Signed-off-by: Greg Moffatt <greg.moffatt@windriver.com> + +Upstream-Status: Pending + +Signed-off-by: Aws Ismail <aws.ismail@windriver.com> +Signed-off-by: Jackie Huang <jackie.huang@windriver.com> + +diff --git a/src/dnmalloc.c b/src/dnmalloc.c +index da9a5c5..fc91400 100644 +--- a/src/dnmalloc.c ++++ b/src/dnmalloc.c +@@ -2703,11 +2703,19 @@ static void freecilst_add(chunkinfoptr p) { + } + + /* Calculate the hash table entry for a chunk */ ++#if defined(CONFIG_ARCH_MIPS64) || defined(CONFIG_ARCH_AARCH64) ++#ifdef STARTHEAP_IS_ZERO ++#define hash(p) ((((unsigned long) p) & 0x7fffffff) >> 7) ++#else ++#define hash(p) ((((unsigned long) p - (unsigned long) startheap) & 0x7fffffff) >> 7) ++#endif ++#else + #ifdef STARTHEAP_IS_ZERO + #define hash(p) (((unsigned long) p) >> 7) + #else + #define hash(p) (((unsigned long) p - (unsigned long) startheap) >> 7) + #endif ++#endif /* CONFIG_ARCH_MIPS64 */ + + static void + hashtable_add (chunkinfoptr ci) 
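Review bot: The closing comment `#endif /* CONFIG_ARCH_MIPS64 */` names only half of the condition it closes; `#endif /* CONFIG_ARCH_MIPS64 || CONFIG_ARCH_AARCH64 */` keeps it accurate. Masking the address with `0x7fffffff` before the shift means two chunks whose addresses differ by a multiple of 2^31 hash to the same slot, which is only safe if the table resolves collisions rather than assuming a unique slot; the visible lines do not show that, so confirm against `hashtable_add`. `CONFIG_ARCH_MIPS64` / `CONFIG_ARCH_AARCH64` are defined nowhere in this patch, so the recipe must inject them through CFLAGS for the fix to take effect; a comment above the `#if` naming where they come from would help the next reader.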
diff --git a/meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch b/meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch new file mode 100644 index 0000000000..5284313117 --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch @@ -0,0 +1,24 @@ +not run test on host, since we are doing cross-compile + +Upstream-status: Inappropriate [cross compile specific] + +Signed-off-by: Roy Li <rongqing.li@windriver.com> +--- + Makefile.in | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/Makefile.in b/Makefile.in +index e1b32a8..74bfdc9 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -1234,7 +1234,6 @@ intcutest: internal.h $(OBJECTS) $(CUTEST_OBJECTS) sh_tiger_i.o $(srcsrc)/CuTest + rm x_samhain.c; \ + $(LINK) sh_tiger_i.o $(CUTEST_OBJECTS) CuTestMain.o CuTest.o $(OBJECTS) $(LIBS_TRY); \ + test -f ./intcutest && mv ./intcutest ./cutest; \ +- ./cutest + + runcutest: + gdb ./cutest +-- +1.7.10.4 + diff --git a/meta-security/recipes-ids/samhain/files/samhain-pid-path.patch b/meta-security/recipes-ids/samhain/files/samhain-pid-path.patch new file mode 100644 index 0000000000..592bd165ff --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-pid-path.patch @@ -0,0 +1,27 @@ +commit a932b03b65edeb02ccad2fce06bfa68a8f2fbb04 +Author: Aws Ismail <aws.ismail@windriver.com> +Date: Thu Jan 10 16:29:05 2013 -0500 + + Set the PID Lock path for samhain.pid + + The explicit path for samhain.pid inorder + for samhain to work properly after it initial + database build. + + Upstream-Status: Inappropriate [configuration] + + 
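Review bot: Removing `./cutest` leaves the previous recipe line ending in `mv ./intcutest ./cutest; \`, so the backslash now continues the command onto the blank line that follows; make and the shell tolerate this, but it is fragile and the cleaner form ends the recipe with `test -f ./intcutest && mv ./intcutest ./cutest` (no `; \`). The header field is spelled `Upstream-status:`; the OE patch-header convention and its QA check expect `Upstream-Status:` with a capital S, as the other patches in this directory use.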
Signed-off-by: Aws Ismail <aws.ismail@windriver.com> + +diff --git a/samhainrc.linux b/samhainrc.linux +index 10a8176..a7b06e6 100644 +--- a/samhainrc.linux ++++ b/samhainrc.linux +@@ -639,7 +639,7 @@ SetFileCheckTime = 86400 + + ## Path to the PID file + # +-# SetLockfilePath = (default: compiled-in) ++SetLockfilePath = /run/samhain.pid + + + ## The digest/checksum/hash algorithm diff --git a/meta-security/recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch b/meta-security/recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch new file mode 100644 index 0000000000..dad6b150e1 --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-samhainrc-fix-files-dirs-path.patch 
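Review bot: `SetLockfilePath = /run/samhain.pid` places the daemon's lock file under `/run`, while samhain-client.init and samhain-standalone.init in this same commit define `PIDFILE=/var/run/samhain.pid` and remove that path as "stale" before starting. The two only coincide when `/var/run` is a symlink to `/run`, which is the usual layout but is guaranteed by nothing on this page; using one spelling in both places removes the assumption. A short comment above the setting saying it must match the init scripts' `PIDFILE` would also help.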
@@ -0,0 +1,61 @@ +From 00fb527e45da42550156197647e01de9a6b1ad52 Mon Sep 17 00:00:00 2001 +From: Wenzong Fan <wenzong.fan@windriver.com> +Date: Mon, 3 Mar 2014 01:50:01 -0500 +Subject: [PATCH] fix real path for some files/dirs + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> +--- + samhainrc.linux | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/samhainrc.linux b/samhainrc.linux +index e9727b4..7775d83 100644 +--- a/samhainrc.linux ++++ b/samhainrc.linux +@@ -93,7 +93,6 @@ dir = 99/etc + ## + file = /etc/mtab + file = /etc/fstab +-file = /etc/adjtime + file = /etc/motd + file = /etc/lvm/lvm.conf + +@@ -153,11 +152,11 @@ dir = 99/var + + [IgnoreAll] + dir = -1/var/cache +-dir = -1/var/lock +-dir = -1/var/mail +-dir = -1/var/run ++dir = -1/run/lock ++dir = -1/var/spool/mail ++dir = -1/run + dir = -1/var/spool +-dir = -1/var/tmp ++dir = -1/var/volatile/tmp + + + [Attributes] +@@ -167,7 +166,7 @@ dir = -1/var/tmp + file = /var/lib/rpm/__db.00? + + file = /var/lib/logrotate.status +-file = /var/lib/random-seed ++file = /var/lib/urandom/random-seed + + + [GrowingLogFiles] +@@ -176,7 +175,7 @@ file = /var/lib/random-seed + ## are ignored. Logfile rotation will cause a report because of shrinking + ## size and different inode. + ## +-dir = 99/var/log ++dir = 99/var/volatile/log + + [Attributes] + # +-- +1.7.9.5 + diff --git a/meta-security/recipes-ids/samhain/files/samhain-samhainrc.patch b/meta-security/recipes-ids/samhain/files/samhain-samhainrc.patch new file mode 100644 index 0000000000..145700a0e6 --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-samhainrc.patch 
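Review bot: Dropping `file = /etc/adjtime` from the `[Attributes]` section does not stop monitoring it; the hunk context `dir = 99/etc` still covers `/etc`, so the file now falls under whatever policy that directory entry carries, and since `adjtime` is rewritten by clock-adjustment tools it is likely to produce reports at every boot. If the intent is to ignore it, the entry belongs in `[IgnoreAll]`; if the intent is to keep it attribute-only, the line should stay. Which section `dir = 99/etc` belongs to is outside the hunk, so this should be confirmed against the full samhainrc.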
@@ -0,0 +1,158 @@ +commit 4c6658441eb3ffc4e51ed70f78cbdab046957580 +Author: Aws Ismail <aws.ismail@windriver.com> +Date: Fri Jun 22 16:38:20 2012 -0400 + +Make samhainrc OE-friendly. + +Patch the samhainrc that will be installed +as part of the 'make install' step to more +accurately reflect what will be found, and +what will be of concern, on a OE install. + +Upstream-Status: Inappropriate [configuration] + +Signed-off-by: Aws Ismail <aws.ismail@windriver.com> + +diff --git a/samhainrc.linux b/samhainrc.linux +index 9bc5ca4..10a8176 100644 +--- a/samhainrc.linux ++++ b/samhainrc.linux +@@ -74,7 +74,6 @@ dir = 0/ + [Attributes] + file = /tmp + file = /dev +-file = /media + file = /proc + file = /sys + +@@ -93,19 +92,10 @@ dir = 99/etc + ## check permission and ownership + ## + file = /etc/mtab ++file = /etc/fstab + file = /etc/adjtime + file = /etc/motd +-file = /etc/lvm/.cache +- +-# On Ubuntu, these are in /var/lib rather than /etc +-file = /etc/cups/certs +-file = /etc/cups/certs/0 +- +-# managed by fstab-sync on Fedora Core +-file = /etc/fstab +- +-# modified when booting +-file = /etc/sysconfig/hwconf ++file = /etc/lvm/lvm.conf + + # There are files in /etc that might change, thus changing the directory + # timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'. +@@ -147,10 +137,6 @@ dir = 99/dev + ## + dir = -1/dev/pts + +-# dir = -1/dev/.udevdb +- +-file = /dev/ppp +- + # + # --------- /usr ----------- + # +@@ -167,50 +153,21 @@ dir = 99/var + + [IgnoreAll] + dir = -1/var/cache +-dir = -1/var/backups +-dir = -1/var/games +-dir = -1/var/gdm + dir = -1/var/lock + dir = -1/var/mail + dir = -1/var/run + dir = -1/var/spool + dir = -1/var/tmp +-dir = -1/var/lib/texmf +-dir = -1/var/lib/scrollkeeper + + + [Attributes] + +-dir = /var/lib/nfs +-dir = /var/lib/pcmcia +- + # /var/lib/rpm changes if packets are installed; + # /var/lib/rpm/__db.00[123] even more frequently + file = /var/lib/rpm/__db.00? 
+ +-file = /var/lib/acpi-support/vbestate +-file = /var/lib/alsa/asound.state +-file = /var/lib/apt/lists/lock +-file = /var/lib/apt/lists/partial +-file = /var/lib/cups/certs +-file = /var/lib/cups/certs/0 +-file = /var/lib/dpkg/lock +-file = /var/lib/gdm +-file = /var/lib/gdm/.cookie +-file = /var/lib/gdm/.gdmfifo +-file = /var/lib/gdm/:0.Xauth +-file = /var/lib/gdm/:0.Xservers +-file = /var/lib/logrotate/status +-file = /var/lib/mysql +-file = /var/lib/mysql/ib_logfile0 +-file = /var/lib/mysql/ibdata1 +-file = /var/lib/slocate +-file = /var/lib/slocate/slocate.db +-file = /var/lib/slocate/slocate.db.tmp +-file = /var/lib/urandom +-file = /var/lib/urandom/random-seed ++file = /var/lib/logrotate.status + file = /var/lib/random-seed +-file = /var/lib/xkb + + + [GrowingLogFiles] +@@ -325,7 +282,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp + + ## Console + ## +-# PrintSeverity=info ++PrintSeverity=warn + + ## Logfile + ## +@@ -333,7 +290,7 @@ IgnoreMissing = /var/lib/slocate/slocate.db.tmp + + ## Syslog + ## +-# SyslogSeverity=none ++SyslogSeverity=info + + ## Remote server (yule) + ## +@@ -556,7 +513,8 @@ ChecksumTest=check + ## and I/O limit (kilobytes per second; 0 == off) + ## to reduce load on host. + # +-# SetNiceLevel = 0 ++# By default we configure samhain to be nice with everything else on the system ++SetNiceLevel = 10 + # SetIOLimit = 0 + + ## The version string to embed in file signature databases +@@ -565,13 +523,14 @@ ChecksumTest=check + + ## Interval between time stamp messages + # +-# SetLoopTime = 60 +-SetLoopTime = 600 ++# Log a timestamp every hour ++SetLoopTime = 3600 + + ## Interval between file checks + # + # SetFileCheckTime = 600 +-SetFileCheckTime = 7200 ++# One file system check per day ++SetFileCheckTime = 86400 + + ## Alternative: crontab-like schedule + # 
diff --git a/meta-security/recipes-ids/samhain/files/samhain-server-volatiles b/meta-security/recipes-ids/samhain/files/samhain-server-volatiles new file mode 100644 index 0000000000..6b80709363 --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-server-volatiles @@ -0,0 +1 @@ +d daemon daemon 0775 /var/log/yule none diff --git a/meta-security/recipes-ids/samhain/files/samhain-server.default b/meta-security/recipes-ids/samhain/files/samhain-server.default new file mode 100644 index 0000000000..bc3d67cde2 --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-server.default @@ -0,0 +1,3 @@ +# Set this to "yes" to start the server, after you configure it, of +# course. +SAMHAIN_SERVER_START="no"
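Review bot: `d daemon daemon 0775 /var/log/yule none` creates the yule log directory group-writable by `daemon`, so any process running in that group can create or truncate files in the IDS server's log directory and cover its tracks. The server init script starts `/usr/sbin/yule` as root with no `--chuid`, so whether yule drops to `daemon` is not visible here; if it does, `0750` is enough for it to write, and if it stays root the directory can be `root root 0750`. Either way the mode deserves a comment explaining who needs write access.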
\ No newline at end of file diff --git a/meta-security/recipes-ids/samhain/files/samhain-server.init b/meta-security/recipes-ids/samhain/files/samhain-server.init new file mode 100644 index 0000000000..c456e51c9e --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-server.init 
@@ -0,0 +1,116 @@ +#!/bin/bash +# chkconfig: 2345 98 11 +# description: File Integrity Checking Daemon +# +# processname: yule +# config : /etc/yulerc +# logfile : /var/log/yule/yule_log +# database: /var/lib/yule/yule_file +# + +NAME=yule +DAEMON=/usr/sbin/yule +RETVAL=0 +PIDFILE=/var/run/yule.pid + +. /etc/default/rcS + +. /etc/default/samhain-server + +if [ "x$SAMHAIN_SERVER_START" != "xyes" ]; then + echo "${0}: server disabled in /etc/default/samhain-server" + exit 0 +fi + +if [ -x $DAEMON ]; then + : +else + echo "${0}: executable ${DAEMON} not found" + exit 1 +fi + +samhain_done() +{ + if [ $RETVAL -eq 0 ]; then + echo "." + else + echo " failed." + fi +} + +log_stat_msg () { +case "$1" in + 0) + echo "Service $NAME: Running"; + ;; + 1) + echo "Service $NAME: Stopped and /var/run pid file exists"; + ;; + 3) + echo "Service $NAME: Stopped"; + ;; + *) + echo "Service $NAME: Status unknown"; + ;; +esac +} + +case "$1" in + start) + # + # Remove a stale PID file, if found + # + if test -f ${PIDFILE}; then + /bin/rm -f ${PIDFILE} + fi + # + echo -n "Starting ${NAME}" + start-stop-daemon --start --quiet --exec $DAEMON + RETVAL=$? + samhain_done + ;; + + stop) + echo -n "Stopping $NAME" + start-stop-daemon --stop --quiet --exec $DAEMON + RETVAL=$? + + # + # Remove a stale PID file, if found + # + if test -f ${PIDFILE}; then + /bin/rm -f ${PIDFILE} + fi + if test -S /var/run/${NAME}.sock; then + /bin/rm -f /var/run/${NAME}.sock + fi + samhain_done + ;; + + restart) + $0 stop + sleep 3 + $0 start + RETVAL=$? + ;; + + reload|force-reload) + echo -n "Reloading $NAME configuration files" + start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON + RETVAL=$? + samhain_done + ;; + + status) + $DAEMON status + RETVAL=$? + log_stat_msg ${RETVAL} + ;; + + *) + echo "$0 usage: {start|stop|status|restart|reload}" + exit 1 + ;; +esac + +exit $RETVAL 
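Review bot: samhain-server.init is a line-for-line copy of samhain-client.init with only `NAME`, `DAEMON`, `PIDFILE` and the sourced defaults file changed, and samhain-standalone.init already diverges from both in its `status)` and `start)` handling, so three copies guarantee further drift. A single script that derives `NAME`/`DAEMON` from its own basename, or a `.in` template filled at build time as the commit already does for samhain.service, would keep one copy of the `start-stop-daemon` logic. The `status)` branch runs `$DAEMON status` and maps the exit code through `log_stat_msg`, which assumes yule implements a `status` argument with LSB-style exit codes; the standalone script uses `pidof` instead, so one of the two approaches is probably the intended one.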
diff --git a/meta-security/recipes-ids/samhain/files/samhain-sha256-big-endian.patch b/meta-security/recipes-ids/samhain/files/samhain-sha256-big-endian.patch new file mode 100644 index 0000000000..3065c73096 --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-sha256-big-endian.patch @@ -0,0 +1,22 @@ +samhain: fix sha256 for big-endian machines + +After computing the digest, big-endian machines would +memset() the digest to the first byte of state instead +of using memcpy() to transfer it. + +Upstream-Status: Pending + +Signed-off-by: Joe Slater <jslater@windriver.com> + + +--- a/src/sh_checksum.c ++++ b/src/sh_checksum.c +@@ -468,7 +468,7 @@ void SHA256_Final(sha2_byte digest[], SH + } + } + #else +- memset(d, context->state, SHA256_DIGEST_LENGTH); ++ memcpy(d, context->state, SHA256_DIGEST_LENGTH); + /* bcopy(context->state, d, SHA256_DIGEST_LENGTH); */ + #endif + } diff --git a/meta-security/recipes-ids/samhain/files/samhain-standalone.default b/meta-security/recipes-ids/samhain/files/samhain-standalone.default new file mode 100644 index 0000000000..507a59f294 --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-standalone.default @@ -0,0 +1,3 @@ +# Set this to "yes" to start the server, after you configure it, of +# course. +SAMHAIN_STANDALONE_START="no" diff --git a/meta-security/recipes-ids/samhain/files/samhain-standalone.init b/meta-security/recipes-ids/samhain/files/samhain-standalone.init new file mode 100644 index 0000000000..2f23bffd9e --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain-standalone.init 
@@ -0,0 +1,123 @@ +#!/bin/sh +# chkconfig: 2345 99 10 +# description: File Integrity Checking Daemon +# +# processname: samhain +# config : /etc/samhainrc +# logfile : /var/log/samhain_log +# database: /var/lib/samhain/samhain_file +# + +NAME=samhain +DAEMON=/usr/sbin/samhain +RETVAL=0 +VERBOSE=yes +PIDFILE=/var/run/samhain.pid + +. /etc/default/samhain-standalone + +if [ "x$SAMHAIN_STANDALONE_START" != "xyes" ]; then + echo "${0}: samhain disabled in /etc/default/samhain-standalone" + exit 0 +fi + +if [ -x $DAEMON ]; then + : +else + echo "${0}: executable ${DAEMON} not found" + exit 1 +fi + +if [ ! -e /var/lib/samhain/samhain_file ]; then + echo "${0}: /var/lib/samhain/samhain_file does not exist. You must" + echo " run 'samhain -t init' before samhian can start." + exit 1 +fi + +samhain_done() +{ + if [ $RETVAL -eq 0 ]; then + echo "." + else + echo " failed." + fi +} + +log_stat_msg () { +case "$1" in + 0) + echo "Service $NAME: Running"; + ;; + 1) + echo "Service $NAME: Stopped and /var/run pid file exists"; + ;; + 3) + echo "Service $NAME: Stopped"; + ;; + *) + echo "Service $NAME: Status unknown"; + ;; +esac +} + +case "$1" in + start) + # + # Remove a stale PID file, if found + # + if test -f ${PIDFILE}; then + /bin/rm -f ${PIDFILE} + fi + + echo -n "Starting ${NAME}" + start-stop-daemon --start --quiet --exec $DAEMON + RETVAL=$? + samhain_done + exit $RETVAL + ;; + stop) + echo -n "Stopping $NAME" + start-stop-daemon --stop --quiet --exec $DAEMON + RETVAL=$? + samhain_done + # + # Remove a stale PID file, if found + # + if test -f ${PIDFILE}; then + /bin/rm -f ${PIDFILE} + fi + if test -S /var/run/${NAME}.sock; then + /bin/rm -f /var/run/${NAME}.sock + fi + ;; + + restart) + $0 stop + sleep 3 + $0 start + RETVAL=$? + ;; + + reload|force-reload) + echo -n "Reloading $NAME configuration files" + start-stop-daemon --stop --signal 1 --quiet --exec $DAEMON + RETVAL=$? 
+ samhain_done + ;; + + status) + if pidof -o %PPID $DAEMON > /dev/null; then + echo "Samhain running" + RETVAL=0 + else + echo "Samhain not running" + RETVAL=1 + fi + ;; + *) + echo "$0 usage: {start|stop|status|restart|reload}" + exit 1 + ;; +esac + +exit $RETVAL diff --git a/meta-security/recipes-ids/samhain/files/samhain.service b/meta-security/recipes-ids/samhain/files/samhain.service new file mode 100644 index 0000000000..e4f216ab40 --- /dev/null +++ b/meta-security/recipes-ids/samhain/files/samhain.service @@ -0,0 +1,12 @@ +[Unit] +Description=Samhain @MODE_NAME@ Daemon +After=syslog.target network.target + +[Service] +Type=forking +RemainAfterExit=yes +ExecStart=@LIBDIR@/@SAMHAIN_HELPER@ start +ExecStop=@LIBDIR@/@SAMHAIN_HELPER@ stop + +[Install] +WantedBy=multi-user.target |
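Review bot: `VERBOSE=yes` is assigned and never read, and the `start)` branch ends with `exit $RETVAL` before `;;` while every other branch falls through to the final `exit $RETVAL`, so the inner `exit` should be dropped to match. The `samhain_file` message carries the same `samhian` typo as samhain-client.init (`before samhian can start.`). The shebang is `#!/bin/sh` while the client and server scripts use `#!/bin/bash`; the body uses only POSIX constructs plus `echo -n`, so `/bin/sh` is the better choice for all three, but the difference looks accidental rather than deliberate.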
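Review bot: With `Type=forking` but no `PIDFile=`, and `RemainAfterExit=yes`, systemd treats the unit as active as soon as the helper returns 0 and has no main process to watch, so a daemon that dies later is still reported as running and no `Restart=` policy could ever apply — for an integrity-monitoring daemon, silent death is exactly the failure to detect. Adding `PIDFile=` pointing at the daemon's lock file (the samhainrc patch in this commit sets `/run/samhain.pid` for the samhain modes; yule would need its own substitution, e.g. a constructed `@PIDFILE@` placeholder alongside `@SAMHAIN_HELPER@`) and dropping `RemainAfterExit=yes` lets systemd supervise the process. `After=syslog.target` names a target that current systemd no longer provides; it is harmless but can be removed.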