[meta-security][PATCH 00/15] Assorted fixes

[meta-security][PATCH 00/15] Assorted fixes

[Scott Murray]

This patch series rolls up contributed patches from the past few weeks,
as well as some other fixes and cleanup.  I intend to merge these to
master branch at end of day Monday unless there are objections.

On top of the contributed patches, there are some build fixes from Marta
that have gotten us to a working state with CI, and some hopefully
non-controversial recipe removals from myself.  The recipes in question
have been disabled for at least two years, and there has been no obvious
interest in them in that period.  I have worked up a list of a few more
recipes that were not getting tested in the CI testing that are broken
atm, some of those may be next in line for removal if there's not a path
to a simple fix via an upgrade.

On another note, now that CI automation is working well, my thinking is
that going forward I may usually just post a list of commits queued on
master-next rather than these full patch series, as it's not clear the
duplication of contributed patches provides much value.  If you have a
strong desire to still see these explicit patch series instead, please
reply to indicate that.

Scott


Changes:

Clayton Casciato (2):
  suricata: populate SYSTEMD_SERVICE for service autostart
  suricata-update: add package to pull files

Marta Rybczynska (5):
  kas: use repo name
  lynis: move to GitHub fetching
  chipsec: update to 1.13.16
  chipsec: disable until 6.16 support is fixed
  test: allow root login for test images

Scott Murray (5):
  tripwire: Remove recipe
  libest: Remove recipe
  paxctl: Remove recipe
  packagegroup-core-security: update for recent changes
  meta-tpm: Small maintainers fix

Yi Zhao (3):
  python3-fail2ban: fix ptest failures
  python3-fail2ban: update to latest git rev
  libmhash: fix build with gcc 15

 .../include/maintainers-meta-security.inc     |    2 -
 docs/overview.txt                             |   27 -
 .../fail2ban/python3-fail2ban_git.bb          |   12 +-
 kas/kas-security-base.yml                     |    2 +-
 kas/qemux86-test.yml                          |    1 +
 lib/oeqa/runtime/cases/tripwire.py            |   47 -
 .../distro/include/maintainers-meta-tpm.inc   |    1 -
 recipes-compliance/lynis/lynis_3.1.5.bb       |    6 +-
 .../packagegroup-core-security.bb             |   20 +-
 .../suricata/python3-suricata-update_1.3.6.bb |   15 +
 recipes-ids/suricata/suricata_7.0.0.bb        |    1 +
 recipes-ids/tripwire/files/run-ptest          |    3 -
 recipes-ids/tripwire/files/tripwire.cron      |    8 -
 recipes-ids/tripwire/files/tripwire.sh        |    9 -
 recipes-ids/tripwire/files/tripwire.txt       |   69 -
 recipes-ids/tripwire/files/twcfg.txt          |   15 -
 recipes-ids/tripwire/files/twinstall.sh       |  320 -----
 recipes-ids/tripwire/files/twpol-yocto.txt    | 1107 -----------------
 recipes-ids/tripwire/tripwire_2.4.3.7.bb      |   75 --
 .../{chipsec_1.9.1.bb => chipsec_1.13.16.bb}  |    4 +-
 recipes-security/libest/libest_3.2.0.bb       |   28 -
 recipes-security/libmhash/libmhash_0.9.9.9.bb |    2 +
 ...ckage-error-if-DESTDIR-is-set-to-usr.patch |   26 -
 recipes-security/paxctl/paxctl_0.9.bb         |   40 -
 24 files changed, 47 insertions(+), 1793 deletions(-)
 delete mode 100644 lib/oeqa/runtime/cases/tripwire.py
 create mode 100644 recipes-ids/suricata/python3-suricata-update_1.3.6.bb
 delete mode 100644 recipes-ids/tripwire/files/run-ptest
 delete mode 100644 recipes-ids/tripwire/files/tripwire.cron
 delete mode 100644 recipes-ids/tripwire/files/tripwire.sh
 delete mode 100644 recipes-ids/tripwire/files/tripwire.txt
 delete mode 100644 recipes-ids/tripwire/files/twcfg.txt
 delete mode 100644 recipes-ids/tripwire/files/twinstall.sh
 delete mode 100644 recipes-ids/tripwire/files/twpol-yocto.txt
 delete mode 100644 recipes-ids/tripwire/tripwire_2.4.3.7.bb
 rename recipes-security/chipsec/{chipsec_1.9.1.bb => chipsec_1.13.16.bb} (90%)
 delete mode 100644 recipes-security/libest/libest_3.2.0.bb
 delete mode 100644 recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
 delete mode 100644 recipes-security/paxctl/paxctl_0.9.bb

-- 
2.51.0

[meta-security][PATCH 01/15] kas: use repo name

[Scott Murray]

From: Marta Rybczynska <marta.rybczynska@ygreky.com>

Use the repo name directly, otherwise the build can get the wrong clone.

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 kas/kas-security-base.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml
index 17f4bb3..e5af7bc 100644
--- a/kas/kas-security-base.yml
+++ b/kas/kas-security-base.yml
@@ -6,7 +6,7 @@ distro: poky
 repos:
   meta-security:
     layers:
-      ../meta-security:
+      ../meta-security-staging:
       meta-tpm:
       meta-integrity:
       meta-hardening:
-- 
2.51.0

Re: [yocto-patches] [meta-security][PATCH 01/15] kas: use repo name

[Marta Rybczynska]

[-- Attachment #1: Type: text/plain, Size: 1555 bytes --]

Hello Scott,
We do not need this one, it will actually break the build for
meta-security, I have removed it already earlier this week from
https://git.yoctoproject.org/meta-security/log/?h=master-next

Kind regards,
Marta

On Thu, Oct 16, 2025 at 11:22 PM Scott Murray via lists.yoctoproject.org
<scott.murray=konsulko.com@lists.yoctoproject.org> wrote:

> From: Marta Rybczynska <marta.rybczynska@ygreky.com>
>
> Use the repo name directly, otherwise the build can get the wrong clone.
>
> Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
> ---
>  kas/kas-security-base.yml | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml
> index 17f4bb3..e5af7bc 100644
> --- a/kas/kas-security-base.yml
> +++ b/kas/kas-security-base.yml
> @@ -6,7 +6,7 @@ distro: poky
>  repos:
>    meta-security:
>      layers:
> -      ../meta-security:
> +      ../meta-security-staging:
>        meta-tpm:
>        meta-integrity:
>        meta-hardening:
> --
> 2.51.0
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#2326):
> https://lists.yoctoproject.org/g/yocto-patches/message/2326
> Mute This Topic: https://lists.yoctoproject.org/mt/115797538/5827677
> Group Owner: yocto-patches+owner@lists.yoctoproject.org
> Unsubscribe:
> https://lists.yoctoproject.org/g/yocto-patches/leave/13234581/5827677/971106717/xyzzy
> [rybczynska@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
>

[-- Attachment #2: Type: text/html, Size: 2756 bytes --]

Re: [meta-security][PATCH 01/15] kas: use repo name

[Scott Murray]

On Fri, 17 Oct 2025, Marta Rybczynska (Ygreky) wrote:

> Hello Scott,
>
> we do not need this one (removed from
> https://git.yoctoproject.org/meta-security/log/?h=master-next)
>
> and it would actually break the build for meta-security

Oops, I wasn't paying attention, thought I'd filtered that one out
previously.  We definitely don't want this one on master.

Thanks,

Scott


> On 16.10.2025 23:22, Scott Murray wrote:
> > From: Marta Rybczynska <marta.rybczynska@ygreky.com>
> >
> > Use the repo name directly, otherwise the build can get the wrong clone.
> >
> > Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
> > ---
> >   kas/kas-security-base.yml | 2 +-
> >   1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/kas/kas-security-base.yml b/kas/kas-security-base.yml
> > index 17f4bb3..e5af7bc 100644
> > --- a/kas/kas-security-base.yml
> > +++ b/kas/kas-security-base.yml
> > @@ -6,7 +6,7 @@ distro: poky
> >   repos:
> >     meta-security:
> >       layers:
> > -      ../meta-security:
> > +      ../meta-security-staging:
> >         meta-tpm:
> >         meta-integrity:
> >         meta-hardening:
>
>

[meta-security][PATCH 02/15] lynis: move to GitHub fetching

[Scott Murray]

From: Marta Rybczynska <marta.rybczynska@ygreky.com>

Move to fetching from GitHub hashes to avoid issues at releases,
when the last-recent release changes place.

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 recipes-compliance/lynis/lynis_3.1.5.bb | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/recipes-compliance/lynis/lynis_3.1.5.bb b/recipes-compliance/lynis/lynis_3.1.5.bb
index 3d1e8b7..51414c0 100644
--- a/recipes-compliance/lynis/lynis_3.1.5.bb
+++ b/recipes-compliance/lynis/lynis_3.1.5.bb
@@ -6,14 +6,12 @@ HOMEDIR = "https://cisofy.com/lynis/"
 LICENSE = "GPL-3.0-only"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3edd6782854304fd11da4975ab9799c1"
 
-SRC_URI = "https://downloads.cisofy.com/lynis/${BPN}-${PV}.tar.gz"
+SRC_URI = "git://github.com/CISOfy/lynis.git;branch=master;protocol=https"
 
-SRC_URI[sha256sum] = "8d2c6652ba60116a82514522b666ca77293f4bfc69f1e581028769f7ebb52ba4"
+SRCREV = "380b414e09bbca70be59a1b7ddccfaed4c30e1aa"
 
 #UPSTREAM_CHECK = "https://downloads.cisofy.com/lynis"
 
-S = "${UNPACKDIR}/${BPN}"
-
 inherit autotools-brokensep
 
 do_compile[noexec] = "1"
-- 
2.51.0

[meta-security][PATCH 03/15] chipsec: update to 1.13.16

[Scott Murray]

From: Marta Rybczynska <marta.rybczynska@ygreky.com>

Update from 1.9.1 (October 2022) to the latest 1.x release, 1.13.16.

Changelog: https://github.com/chipsec/chipsec/releases

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 .../chipsec/{chipsec_1.9.1.bb => chipsec_1.13.16.bb}            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename recipes-security/chipsec/{chipsec_1.9.1.bb => chipsec_1.13.16.bb} (95%)

diff --git a/recipes-security/chipsec/chipsec_1.9.1.bb b/recipes-security/chipsec/chipsec_1.13.16.bb
similarity index 95%
rename from recipes-security/chipsec/chipsec_1.9.1.bb
rename to recipes-security/chipsec/chipsec_1.13.16.bb
index ef293bc..5d65e89 100644
--- a/recipes-security/chipsec/chipsec_1.9.1.bb
+++ b/recipes-security/chipsec/chipsec_1.13.16.bb
@@ -10,7 +10,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=bc2d1f9b427be5fb63f6af9da56f7c5d"
 DEPENDS = "virtual/kernel nasm-native"
 
 SRC_URI = "git://github.com/chipsec/chipsec.git;branch=main;protocol=https"
-SRCREV = "d8c2a606bf440c32196c6289a7a458f3ae3107cc"
+SRCREV = "c5e396716caf3749f728e43d0895317b593f5b95"
 
 inherit module setuptools3
 
-- 
2.51.0

[meta-security][PATCH 04/15] chipsec: disable until 6.16 support is fixed

[Scott Murray]

From: Marta Rybczynska <marta.rybczynska@ygreky.com>

The 1.13.16 version does not work on the kernel 6.16 for now [1].

Disable when waiting for the fix.

[1] https://github.com/chipsec/chipsec/issues/2563

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 recipes-core/packagegroup/packagegroup-core-security.bb | 4 ++--
 recipes-security/chipsec/chipsec_1.13.16.bb             | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb
index bda78ce..3f5b0a5 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -46,8 +46,8 @@ RDEPENDS:packagegroup-security-utils = "\
     "
 
 have_krill =  "${@bb.utils.contains("DISTRO_FEATURES", "pam", "krill", "",d)}"
-RDEPENDS:packagegroup-security-utils:append:x86 = " chipsec ${have_krill}"
-RDEPENDS:packagegroup-security-utils:append:x86-64 = " firejail chipsec ${have_krill}"
+RDEPENDS:packagegroup-security-utils:append:x86 = " ${have_krill}"
+RDEPENDS:packagegroup-security-utils:append:x86-64 = " firejail ${have_krill}"
 RDEPENDS:packagegroup-security-utils:append:aarch64 = " firejail ${have_krill}"
 RDEPENDS:packagegroup-security-utils:remove:libc-musl = "krill firejail"
 
diff --git a/recipes-security/chipsec/chipsec_1.13.16.bb b/recipes-security/chipsec/chipsec_1.13.16.bb
index 5d65e89..9698d8f 100644
--- a/recipes-security/chipsec/chipsec_1.13.16.bb
+++ b/recipes-security/chipsec/chipsec_1.13.16.bb
@@ -34,3 +34,5 @@ FILES:${PN} += "${exec_prefix}"
 
 RDEPENDS:${PN} = "python3 python3-modules"
 INSANE_SKIP:${PN} = "already-stripped"
+
+SKIP_RECIPE[chipsec] ?= "Waiting for upstream support of the kernel 6.16"
-- 
2.51.0

[meta-security][PATCH 05/15] test: allow root login for test images

[Scott Murray]

From: Marta Rybczynska <marta.rybczynska@ygreky.com>

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 kas/qemux86-test.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kas/qemux86-test.yml b/kas/qemux86-test.yml
index 98f1e7f..c4609f9 100644
--- a/kas/qemux86-test.yml
+++ b/kas/qemux86-test.yml
@@ -6,5 +6,6 @@ header:
 local_conf_header:
   ptest: |
       DISTRO_FEATURES:append = " ptest"
+      EXTRA_IMAGE_FEATURES:append = " allow-empty-password allow-root-login empty-root-password"
 
 machine: qemux86
-- 
2.51.0

[meta-security][PATCH 06/15] python3-fail2ban: fix ptest failures

[Scott Murray]

From: Yi Zhao <yi.zhao@windriver.com>

Fix ptest failures by backporting patches and updating test case config
files.

Before the patch:
  $ ptest-runner python3-fail2ban
  START: ptest-runner
  2025-09-11T15:42
  BEGIN: /usr/lib64/python3-fail2ban/ptest
  <snip>
  Ran 524 tests in 23.023s

  FAILED (failures=5, errors=7, skipped=3)
  DURATION: 24
  END: /usr/lib64/python3-fail2ban/ptest
  2025-09-11T15:42
  STOP: ptest-runner
  TOTAL: 1 FAIL: 1

After the patch:
  $ ptest-runner python3-fail2ban
  START: ptest-runner
  2025-09-11T15:59
  BEGIN: /usr/lib64/python3-fail2ban/ptest
  <snip>
  Ran 524 tests in 25.982s

  OK (skipped=3)
  DURATION: 27
  END: /usr/lib64/python3-fail2ban/ptest
  2025-09-11T15:59
  STOP: ptest-runner
  TOTAL: 1 FAIL: 0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 ...ges-the-IPs-again.-additionally-it-g.patch | 210 ++++++++++++++++++
 ...case.py-set-correct-config-dir-for-t.patch |  35 +++
 .../fail2ban/python3-fail2ban_git.bb          |  12 +-
 3 files changed, 256 insertions(+), 1 deletion(-)
 create mode 100644 dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch
 create mode 100644 dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch

diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch
new file mode 100644
index 0000000..73014ab
--- /dev/null
+++ b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch
@@ -0,0 +1,210 @@
+From 5b6c13f0aae79a23d94570bacd1b5796e57f088d Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Thu, 30 Jan 2025 01:05:30 +0100
+Subject: [PATCH] example.com changes the IPs, again... additionally it got
+ more IPs, which look unstable now (depends on resolver), so replaced with
+ fail2ban.org, that seems to resolve to single IPv4 and IPv6 (can be adjusted
+ later for something more persistent)
+
+
+Upstream-Status: Backport
+[https://github.com/fail2ban/fail2ban/commit/5b6c13f0aae79a23d94570bacd1b5796e57f088d]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ .../tests/files/logs/apache-fakegooglebot     |  6 +-
+ fail2ban/tests/files/testcase-usedns.log      |  4 +-
+ fail2ban/tests/filtertestcase.py              | 58 +++++++++----------
+ fail2ban/tests/utils.py                       |  4 +-
+ 4 files changed, 36 insertions(+), 36 deletions(-)
+
+diff --git a/fail2ban/tests/files/logs/apache-fakegooglebot b/fail2ban/tests/files/logs/apache-fakegooglebot
+index b77a1a6b..024842fd 100644
+--- a/fail2ban/tests/files/logs/apache-fakegooglebot
++++ b/fail2ban/tests/files/logs/apache-fakegooglebot
+@@ -1,5 +1,5 @@
+ # Apache 2.2
+ # failJSON: { "time": "2015-01-31T14:29:44", "match": true, "host": "66.249.66.1" }
+-66.249.66.1 - - - [31/Jan/2015:14:29:44 ] example.com "GET / HTTP/1.1" 200 814 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" + 293 1149 546
+-# failJSON: { "time": "2015-01-31T14:29:44", "match": false, "host": "93.184.215.14" }
+-93.184.215.14 - - - [31/Jan/2015:14:29:44 ] example.com "GET / HTTP/1.1" 200 814 "-" "NOT A __GOOGLE_BOT__" + 293 1149 546
++66.249.66.1 - - - [31/Jan/2015:14:29:44 ] fail2ban.org "GET / HTTP/1.1" 200 814 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" + 293 1149 546
++# failJSON: { "time": "2015-01-31T14:29:44", "match": false, "host": "51.159.55.100" }
++51.159.55.100 - - - [31/Jan/2015:14:29:44 ] fail2ban.org "GET / HTTP/1.1" 200 814 "-" "NOT A __GOOGLE_BOT__" + 293 1149 546
+diff --git a/fail2ban/tests/files/testcase-usedns.log b/fail2ban/tests/files/testcase-usedns.log
+index eea6eb44..3e7b36bb 100644
+--- a/fail2ban/tests/files/testcase-usedns.log
++++ b/fail2ban/tests/files/testcase-usedns.log
+@@ -1,2 +1,2 @@
+-Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2
+-Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2
++Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2
++Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2
+diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py
+index 20945b78..26961a1b 100644
+--- a/fail2ban/tests/filtertestcase.py
++++ b/fail2ban/tests/filtertestcase.py
+@@ -587,14 +587,14 @@ class IgnoreIP(LogCaptureTestCase):
+ 				self.assertNotLogged("returned successfully")
+ 
+ 	def testIgnoreCauseOK(self):
+-		ip = "93.184.215.14"
++		ip = "51.159.55.100"
+ 		for ignore_source in ["dns", "ip", "command"]:
+ 			self.filter.logIgnoreIp(ip, True, ignore_source=ignore_source)
+ 			self.assertLogged("[%s] Ignore %s by %s" % (self.jail.name, ip, ignore_source))
+ 
+ 	def testIgnoreCauseNOK(self):
+-		self.filter.logIgnoreIp("example.com", False, ignore_source="NOT_LOGGED")
+-		self.assertNotLogged("[%s] Ignore %s by %s" % (self.jail.name, "example.com", "NOT_LOGGED"))
++		self.filter.logIgnoreIp("fail2ban.org", False, ignore_source="NOT_LOGGED")
++		self.assertNotLogged("[%s] Ignore %s by %s" % (self.jail.name, "fail2ban.org", "NOT_LOGGED"))
+ 
+ 
+ class IgnoreIPDNS(LogCaptureTestCase):
+@@ -607,7 +607,7 @@ class IgnoreIPDNS(LogCaptureTestCase):
+ 		self.filter = FileFilter(self.jail)
+ 
+ 	def testIgnoreIPDNS(self):
+-		for dns in ("www.epfl.ch", "example.com"):
++		for dns in ("www.epfl.ch", "fail2ban.org"):
+ 			self.filter.addIgnoreIP(dns)
+ 			ips = DNSUtils.dnsToIp(dns)
+ 			self.assertTrue(len(ips) > 0)
+@@ -1892,22 +1892,22 @@ class GetFailures(LogCaptureTestCase):
+ 		#unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils.
+ 		# We should still catch failures with usedns = no ;-)
+ 		output_yes = (
+-			('93.184.215.14', 1, 1124013299.0,
+-			  ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
++			('51.159.55.100', 1, 1124013299.0,
++			  ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2']
+ 			),
+-			('93.184.215.14', 1, 1124013539.0,
+-			  ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2']
++			('51.159.55.100', 1, 1124013539.0,
++			  ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2']
+ 			),
+-			('2606:2800:21f:cb07:6820:80da:af6b:8b2c', 1, 1124013299.0,
+-			  ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
++			('2001:bc8:1200:6:208:a2ff:fe0c:61f8', 1, 1124013299.0,
++			  ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2']
+ 			),
+ 		)
+ 		if not unittest.F2B.no_network and not DNSUtils.IPv6IsAllowed():
+ 			output_yes = output_yes[0:2]
+ 
+ 		output_no = (
+-			('93.184.215.14', 1, 1124013539.0,
+-			  ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2']
++			('51.159.55.100', 1, 1124013539.0,
++			  ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2']
+ 			)
+ 		)
+ 
+@@ -2098,10 +2098,10 @@ class DNSUtilsNetworkTests(unittest.TestCase):
+ 		super(DNSUtilsNetworkTests, self).setUp()
+ 		#unittest.F2B.SkipIfNoNetwork()
+ 
+-	## example.com IPs considering IPv6 support (without network it is simulated via cache in utils).
++	## fail2ban.org IPs considering IPv6 support (without network it is simulated via cache in utils).
+ 	EXAMPLE_ADDRS = (
+-		['93.184.215.14', '2606:2800:21f:cb07:6820:80da:af6b:8b2c'] if unittest.F2B.no_network or DNSUtils.IPv6IsAllowed() else \
+-		['93.184.215.14']
++		['51.159.55.100', '2001:bc8:1200:6:208:a2ff:fe0c:61f8'] if unittest.F2B.no_network or DNSUtils.IPv6IsAllowed() else \
++		['51.159.55.100']
+ 	)
+ 
+ 	def test_IPAddr(self):
+@@ -2163,13 +2163,13 @@ class DNSUtilsNetworkTests(unittest.TestCase):
+ 		self.assertTrue(r < ip6)
+ 
+ 	def testUseDns(self):
+-		res = DNSUtils.textToIp('www.example.com', 'no')
++		res = DNSUtils.textToIp('www.fail2ban.org', 'no')
+ 		self.assertSortedEqual(res, [])
+ 		#unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils.
+-		res = DNSUtils.textToIp('www.example.com', 'warn')
++		res = DNSUtils.textToIp('www.fail2ban.org', 'warn')
+ 		# sort ipaddr, IPv4 is always smaller as IPv6
+ 		self.assertSortedEqual(res, self.EXAMPLE_ADDRS)
+-		res = DNSUtils.textToIp('www.example.com', 'yes')
++		res = DNSUtils.textToIp('www.fail2ban.org', 'yes')
+ 		# sort ipaddr, IPv4 is always smaller as IPv6
+ 		self.assertSortedEqual(res, self.EXAMPLE_ADDRS)
+ 
+@@ -2177,13 +2177,13 @@ class DNSUtilsNetworkTests(unittest.TestCase):
+ 		#unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils.
+ 		# Test hostnames
+ 		hostnames = [
+-			'www.example.com',
++			'www.fail2ban.org',
+ 			'doh1.2.3.4.buga.xxxxx.yyy.invalid',
+ 			'1.2.3.4.buga.xxxxx.yyy.invalid',
+ 			]
+ 		for s in hostnames:
+ 			res = DNSUtils.textToIp(s, 'yes')
+-			if s == 'www.example.com':
++			if s == 'www.fail2ban.org':
+ 				# sort ipaddr, IPv4 is always smaller as IPv6
+ 				self.assertSortedEqual(res, self.EXAMPLE_ADDRS)
+ 			else:
+@@ -2234,8 +2234,8 @@ class DNSUtilsNetworkTests(unittest.TestCase):
+ 
+ 		self.assertEqual(IPAddr('192.0.2.0').getPTR(), '0.2.0.192.in-addr.arpa.')
+ 		self.assertEqual(IPAddr('192.0.2.1').getPTR(), '1.2.0.192.in-addr.arpa.')
+-		self.assertEqual(IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c').getPTR(), 
+-			'c.2.b.8.b.6.f.a.a.d.0.8.0.2.8.6.7.0.b.c.f.1.2.0.0.0.8.2.6.0.6.2.ip6.arpa.')
++		self.assertEqual(IPAddr('2001:db8::1').getPTR(), 
++			'1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.')
+ 
+ 	def testIPAddr_Equal6(self):
+ 		self.assertEqual(
+@@ -2365,10 +2365,10 @@ class DNSUtilsNetworkTests(unittest.TestCase):
+ 
+ 	def testIPAddr_CompareDNS(self):
+ 		#unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils.
+-		ips = IPAddr('example.com')
+-		self.assertTrue(IPAddr("93.184.215.14").isInNet(ips))
+-		self.assertEqual(IPAddr("2606:2800:21f:cb07:6820:80da:af6b:8b2c").isInNet(ips),
+-		                        "2606:2800:21f:cb07:6820:80da:af6b:8b2c" in self.EXAMPLE_ADDRS)
++		ips = IPAddr('fail2ban.org')
++		self.assertTrue(IPAddr("51.159.55.100").isInNet(ips))
++		self.assertEqual(IPAddr("2001:bc8:1200:6:208:a2ff:fe0c:61f8").isInNet(ips),
++		                        "2001:bc8:1200:6:208:a2ff:fe0c:61f8" in self.EXAMPLE_ADDRS)
+ 
+ 	def testIPAddr_wrongDNS_IP(self):
+ 		unittest.F2B.SkipIfNoNetwork()
+@@ -2376,11 +2376,11 @@ class DNSUtilsNetworkTests(unittest.TestCase):
+ 		DNSUtils.ipToName('*')
+ 
+ 	def testIPAddr_Cached(self):
+-		ips = [DNSUtils.dnsToIp('example.com'), DNSUtils.dnsToIp('example.com')]
++		ips = [DNSUtils.dnsToIp('fail2ban.org'), DNSUtils.dnsToIp('fail2ban.org')]
+ 		for ip1, ip2 in zip(ips, ips):
+ 			self.assertEqual(id(ip1), id(ip2))
+-		ip1 = IPAddr('93.184.215.14'); ip2 = IPAddr('93.184.215.14'); self.assertEqual(id(ip1), id(ip2))
+-		ip1 = IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'); ip2 = IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'); self.assertEqual(id(ip1), id(ip2))
++		ip1 = IPAddr('51.159.55.100'); ip2 = IPAddr('51.159.55.100'); self.assertEqual(id(ip1), id(ip2))
++		ip1 = IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'); ip2 = IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'); self.assertEqual(id(ip1), id(ip2))
+ 
+ 	def test_NetworkInterfacesAddrs(self):
+ 		for withMask in (False, True):
+diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py
+index f71ba60a..e6ef54f3 100644
+--- a/fail2ban/tests/utils.py
++++ b/fail2ban/tests/utils.py
+@@ -326,8 +326,8 @@ def initTests(opts):
+ 			('failed.dns.ch', set()),
+ 			('doh1.2.3.4.buga.xxxxx.yyy.invalid', set()),
+ 			('1.2.3.4.buga.xxxxx.yyy.invalid', set()),
+-			('example.com', set([IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'), IPAddr('93.184.215.14')])),
+-			('www.example.com', set([IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'), IPAddr('93.184.215.14')])),
++			('fail2ban.org', set([IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'), IPAddr('51.159.55.100')])),
++			('www.fail2ban.org', set([IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'), IPAddr('51.159.55.100')])),
+ 		):
+ 			c.set(*i)
+ 		# if fast - precache all host names as localhost addresses (speed-up getSelfIPs/ignoreself):
+-- 
+2.34.1
+
diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch
new file mode 100644
index 0000000..a60b0fd
--- /dev/null
+++ b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch
@@ -0,0 +1,35 @@
+From 9f26da3cf854e48b7939c2a9baa0cb3ffbee5994 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Thu, 11 Sep 2025 22:36:07 +0800
+Subject: [PATCH] clientreadertestcase.py: set correct config dir for
+ testReadStockJailFilterComplete
+
+In test case testReadStockJailFilterComplete, set configuration
+directory to CONFIG_DIR (/etc/fail2ban/filter.d on the target) instead
+of the hardcoded "config" directory. Otherwise, the config files will
+not be found during runtime testing.
+
+Upstream-Status: Backport
+[https://github.com/fail2ban/fail2ban/commit/9f26da3cf854e48b7939c2a9baa0cb3ffbee5994]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ fail2ban/tests/clientreadertestcase.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
+index e6a2806c..b8ebbbc7 100644
+--- a/fail2ban/tests/clientreadertestcase.py
++++ b/fail2ban/tests/clientreadertestcase.py
+@@ -878,7 +878,7 @@ class JailsReaderTest(LogCaptureTestCase):
+ 		self.assertTrue(jails.getOptions())       # reads fine
+ 		# grab all filter names
+ 		filters = set(os.path.splitext(os.path.split(a)[1])[0]
+-			for a in glob.glob(os.path.join('config', 'filter.d', '*.conf'))
++			for a in glob.glob(os.path.join(CONFIG_DIR, 'filter.d', '*.conf'))
+ 				if not (a.endswith('common.conf') or a.endswith('-aggressive.conf')))
+ 		# get filters of all jails (filter names without options inside filter[...])
+ 		filters_jail = set(
+-- 
+2.34.1
+
diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb
index 7312bf8..b0b65de 100644
--- a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb
+++ b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb
@@ -13,6 +13,8 @@ DEPENDS = "python3-native"
 
 SRCREV = "ac62658c10f492911f8a0037a0bcf97c8521cd78"
 SRC_URI = "git://github.com/fail2ban/fail2ban.git;branch=master;protocol=https \
+           file://0001-example.com-changes-the-IPs-again.-additionally-it-g.patch \
+           file://0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch \
            file://initd \
            file://run-ptest \
            "
@@ -47,8 +49,16 @@ do_install_ptest:append () {
     sed -i -e 's/##PYTHON##/python3/g' ${D}${PTEST_PATH}/run-ptest
     install -D ${S}/bin/* ${D}${PTEST_PATH}/bin
     rm -f ${D}${PTEST_PATH}/bin/fail2ban-python
-}
 
+    for i in checklogtype.conf zzz-generic-example.conf zzz-sshd-obsolete-multiline.conf; do
+        sed -i -e 's|^before =.*|before = ${sysconfdir}/fail2ban/filter.d/common.conf|g' \
+            ${D}${PYTHON_SITEPACKAGES_DIR}/fail2ban/tests/config/filter.d/${i}
+    done
+
+    install -m 0644 ${S}/README.md ${D}${PTEST_PATH}
+    sed -i -e 's|^logpath = README.md|logpath = ${PTEST_PATH}/README.md|g' \
+            ${D}${PYTHON_SITEPACKAGES_DIR}/fail2ban/tests/config/jail.conf
+}
 
 INITSCRIPT_PACKAGES = "${PN}"
 INITSCRIPT_NAME = "fail2ban-server"
-- 
2.51.0

[meta-security][PATCH 07/15] python3-fail2ban: update to latest git rev

[Scott Murray]

From: Yi Zhao <yi.zhao@windriver.com>

Update to latest git rev as the current version doesn't work with
OpenSSH 9.8+[1].

Ptest result:
$ ptest-runner python3-fail2ban
START: ptest-runner
2025-09-21T12:45
BEGIN: /usr/lib64/python3-fail2ban/ptest

Ran 538 tests in 13.045s
OK (skipped=3)
DURATION: 14
END: /usr/lib64/python3-fail2ban/ptest
2025-09-21T12:46
STOP: ptest-runner
TOTAL: 1 FAIL: 0

[1] https://github.com/fail2ban/fail2ban/commit/2fed408c05ac5206b490368d94599869bd6a056d

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 ...ges-the-IPs-again.-additionally-it-g.patch | 210 ------------------
 ...case.py-set-correct-config-dir-for-t.patch |  35 ---
 .../fail2ban/python3-fail2ban_git.bb          |   4 +-
 3 files changed, 1 insertion(+), 248 deletions(-)
 delete mode 100644 dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch
 delete mode 100644 dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch

diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch
deleted file mode 100644
index 73014ab..0000000
--- a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-example.com-changes-the-IPs-again.-additionally-it-g.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From 5b6c13f0aae79a23d94570bacd1b5796e57f088d Mon Sep 17 00:00:00 2001
-From: sebres <info@sebres.de>
-Date: Thu, 30 Jan 2025 01:05:30 +0100
-Subject: [PATCH] example.com changes the IPs, again... additionally it got
- more IPs, which look unstable now (depends on resolver), so replaced with
- fail2ban.org, that seems to resolve to single IPv4 and IPv6 (can be adjusted
- later for something more persistent)
-
-
-Upstream-Status: Backport
-[https://github.com/fail2ban/fail2ban/commit/5b6c13f0aae79a23d94570bacd1b5796e57f088d]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- .../tests/files/logs/apache-fakegooglebot     |  6 +-
- fail2ban/tests/files/testcase-usedns.log      |  4 +-
- fail2ban/tests/filtertestcase.py              | 58 +++++++++----------
- fail2ban/tests/utils.py                       |  4 +-
- 4 files changed, 36 insertions(+), 36 deletions(-)
-
-diff --git a/fail2ban/tests/files/logs/apache-fakegooglebot b/fail2ban/tests/files/logs/apache-fakegooglebot
-index b77a1a6b..024842fd 100644
---- a/fail2ban/tests/files/logs/apache-fakegooglebot
-+++ b/fail2ban/tests/files/logs/apache-fakegooglebot
-@@ -1,5 +1,5 @@
- # Apache 2.2
- # failJSON: { "time": "2015-01-31T14:29:44", "match": true, "host": "66.249.66.1" }
--66.249.66.1 - - - [31/Jan/2015:14:29:44 ] example.com "GET / HTTP/1.1" 200 814 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" + 293 1149 546
--# failJSON: { "time": "2015-01-31T14:29:44", "match": false, "host": "93.184.215.14" }
--93.184.215.14 - - - [31/Jan/2015:14:29:44 ] example.com "GET / HTTP/1.1" 200 814 "-" "NOT A __GOOGLE_BOT__" + 293 1149 546
-+66.249.66.1 - - - [31/Jan/2015:14:29:44 ] fail2ban.org "GET / HTTP/1.1" 200 814 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" + 293 1149 546
-+# failJSON: { "time": "2015-01-31T14:29:44", "match": false, "host": "51.159.55.100" }
-+51.159.55.100 - - - [31/Jan/2015:14:29:44 ] fail2ban.org "GET / HTTP/1.1" 200 814 "-" "NOT A __GOOGLE_BOT__" + 293 1149 546
-diff --git a/fail2ban/tests/files/testcase-usedns.log b/fail2ban/tests/files/testcase-usedns.log
-index eea6eb44..3e7b36bb 100644
---- a/fail2ban/tests/files/testcase-usedns.log
-+++ b/fail2ban/tests/files/testcase-usedns.log
-@@ -1,2 +1,2 @@
--Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2
--Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2
-+Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2
-+Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2
-diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py
-index 20945b78..26961a1b 100644
---- a/fail2ban/tests/filtertestcase.py
-+++ b/fail2ban/tests/filtertestcase.py
-@@ -587,14 +587,14 @@ class IgnoreIP(LogCaptureTestCase):
- 				self.assertNotLogged("returned successfully")
- 
- 	def testIgnoreCauseOK(self):
--		ip = "93.184.215.14"
-+		ip = "51.159.55.100"
- 		for ignore_source in ["dns", "ip", "command"]:
- 			self.filter.logIgnoreIp(ip, True, ignore_source=ignore_source)
- 			self.assertLogged("[%s] Ignore %s by %s" % (self.jail.name, ip, ignore_source))
- 
- 	def testIgnoreCauseNOK(self):
--		self.filter.logIgnoreIp("example.com", False, ignore_source="NOT_LOGGED")
--		self.assertNotLogged("[%s] Ignore %s by %s" % (self.jail.name, "example.com", "NOT_LOGGED"))
-+		self.filter.logIgnoreIp("fail2ban.org", False, ignore_source="NOT_LOGGED")
-+		self.assertNotLogged("[%s] Ignore %s by %s" % (self.jail.name, "fail2ban.org", "NOT_LOGGED"))
- 
- 
- class IgnoreIPDNS(LogCaptureTestCase):
-@@ -607,7 +607,7 @@ class IgnoreIPDNS(LogCaptureTestCase):
- 		self.filter = FileFilter(self.jail)
- 
- 	def testIgnoreIPDNS(self):
--		for dns in ("www.epfl.ch", "example.com"):
-+		for dns in ("www.epfl.ch", "fail2ban.org"):
- 			self.filter.addIgnoreIP(dns)
- 			ips = DNSUtils.dnsToIp(dns)
- 			self.assertTrue(len(ips) > 0)
-@@ -1892,22 +1892,22 @@ class GetFailures(LogCaptureTestCase):
- 		#unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils.
- 		# We should still catch failures with usedns = no ;-)
- 		output_yes = (
--			('93.184.215.14', 1, 1124013299.0,
--			  ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
-+			('51.159.55.100', 1, 1124013299.0,
-+			  ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2']
- 			),
--			('93.184.215.14', 1, 1124013539.0,
--			  ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2']
-+			('51.159.55.100', 1, 1124013539.0,
-+			  ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2']
- 			),
--			('2606:2800:21f:cb07:6820:80da:af6b:8b2c', 1, 1124013299.0,
--			  ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from example.com port 51332 ssh2']
-+			('2001:bc8:1200:6:208:a2ff:fe0c:61f8', 1, 1124013299.0,
-+			  ['Aug 14 11:54:59 i60p295 sshd[12365]: Failed publickey for roehl from fail2ban.org port 51332 ssh2']
- 			),
- 		)
- 		if not unittest.F2B.no_network and not DNSUtils.IPv6IsAllowed():
- 			output_yes = output_yes[0:2]
- 
- 		output_no = (
--			('93.184.215.14', 1, 1124013539.0,
--			  ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:93.184.215.14 port 51332 ssh2']
-+			('51.159.55.100', 1, 1124013539.0,
-+			  ['Aug 14 11:58:59 i60p295 sshd[12365]: Failed publickey for roehl from ::ffff:51.159.55.100 port 51332 ssh2']
- 			)
- 		)
- 
-@@ -2098,10 +2098,10 @@ class DNSUtilsNetworkTests(unittest.TestCase):
- 		super(DNSUtilsNetworkTests, self).setUp()
- 		#unittest.F2B.SkipIfNoNetwork()
- 
--	## example.com IPs considering IPv6 support (without network it is simulated via cache in utils).
-+	## fail2ban.org IPs considering IPv6 support (without network it is simulated via cache in utils).
- 	EXAMPLE_ADDRS = (
--		['93.184.215.14', '2606:2800:21f:cb07:6820:80da:af6b:8b2c'] if unittest.F2B.no_network or DNSUtils.IPv6IsAllowed() else \
--		['93.184.215.14']
-+		['51.159.55.100', '2001:bc8:1200:6:208:a2ff:fe0c:61f8'] if unittest.F2B.no_network or DNSUtils.IPv6IsAllowed() else \
-+		['51.159.55.100']
- 	)
- 
- 	def test_IPAddr(self):
-@@ -2163,13 +2163,13 @@ class DNSUtilsNetworkTests(unittest.TestCase):
- 		self.assertTrue(r < ip6)
- 
- 	def testUseDns(self):
--		res = DNSUtils.textToIp('www.example.com', 'no')
-+		res = DNSUtils.textToIp('www.fail2ban.org', 'no')
- 		self.assertSortedEqual(res, [])
- 		#unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils.
--		res = DNSUtils.textToIp('www.example.com', 'warn')
-+		res = DNSUtils.textToIp('www.fail2ban.org', 'warn')
- 		# sort ipaddr, IPv4 is always smaller as IPv6
- 		self.assertSortedEqual(res, self.EXAMPLE_ADDRS)
--		res = DNSUtils.textToIp('www.example.com', 'yes')
-+		res = DNSUtils.textToIp('www.fail2ban.org', 'yes')
- 		# sort ipaddr, IPv4 is always smaller as IPv6
- 		self.assertSortedEqual(res, self.EXAMPLE_ADDRS)
- 
-@@ -2177,13 +2177,13 @@ class DNSUtilsNetworkTests(unittest.TestCase):
- 		#unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils.
- 		# Test hostnames
- 		hostnames = [
--			'www.example.com',
-+			'www.fail2ban.org',
- 			'doh1.2.3.4.buga.xxxxx.yyy.invalid',
- 			'1.2.3.4.buga.xxxxx.yyy.invalid',
- 			]
- 		for s in hostnames:
- 			res = DNSUtils.textToIp(s, 'yes')
--			if s == 'www.example.com':
-+			if s == 'www.fail2ban.org':
- 				# sort ipaddr, IPv4 is always smaller as IPv6
- 				self.assertSortedEqual(res, self.EXAMPLE_ADDRS)
- 			else:
-@@ -2234,8 +2234,8 @@ class DNSUtilsNetworkTests(unittest.TestCase):
- 
- 		self.assertEqual(IPAddr('192.0.2.0').getPTR(), '0.2.0.192.in-addr.arpa.')
- 		self.assertEqual(IPAddr('192.0.2.1').getPTR(), '1.2.0.192.in-addr.arpa.')
--		self.assertEqual(IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c').getPTR(), 
--			'c.2.b.8.b.6.f.a.a.d.0.8.0.2.8.6.7.0.b.c.f.1.2.0.0.0.8.2.6.0.6.2.ip6.arpa.')
-+		self.assertEqual(IPAddr('2001:db8::1').getPTR(), 
-+			'1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.')
- 
- 	def testIPAddr_Equal6(self):
- 		self.assertEqual(
-@@ -2365,10 +2365,10 @@ class DNSUtilsNetworkTests(unittest.TestCase):
- 
- 	def testIPAddr_CompareDNS(self):
- 		#unittest.F2B.SkipIfNoNetwork() ## without network it is simulated via cache in utils.
--		ips = IPAddr('example.com')
--		self.assertTrue(IPAddr("93.184.215.14").isInNet(ips))
--		self.assertEqual(IPAddr("2606:2800:21f:cb07:6820:80da:af6b:8b2c").isInNet(ips),
--		                        "2606:2800:21f:cb07:6820:80da:af6b:8b2c" in self.EXAMPLE_ADDRS)
-+		ips = IPAddr('fail2ban.org')
-+		self.assertTrue(IPAddr("51.159.55.100").isInNet(ips))
-+		self.assertEqual(IPAddr("2001:bc8:1200:6:208:a2ff:fe0c:61f8").isInNet(ips),
-+		                        "2001:bc8:1200:6:208:a2ff:fe0c:61f8" in self.EXAMPLE_ADDRS)
- 
- 	def testIPAddr_wrongDNS_IP(self):
- 		unittest.F2B.SkipIfNoNetwork()
-@@ -2376,11 +2376,11 @@ class DNSUtilsNetworkTests(unittest.TestCase):
- 		DNSUtils.ipToName('*')
- 
- 	def testIPAddr_Cached(self):
--		ips = [DNSUtils.dnsToIp('example.com'), DNSUtils.dnsToIp('example.com')]
-+		ips = [DNSUtils.dnsToIp('fail2ban.org'), DNSUtils.dnsToIp('fail2ban.org')]
- 		for ip1, ip2 in zip(ips, ips):
- 			self.assertEqual(id(ip1), id(ip2))
--		ip1 = IPAddr('93.184.215.14'); ip2 = IPAddr('93.184.215.14'); self.assertEqual(id(ip1), id(ip2))
--		ip1 = IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'); ip2 = IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'); self.assertEqual(id(ip1), id(ip2))
-+		ip1 = IPAddr('51.159.55.100'); ip2 = IPAddr('51.159.55.100'); self.assertEqual(id(ip1), id(ip2))
-+		ip1 = IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'); ip2 = IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'); self.assertEqual(id(ip1), id(ip2))
- 
- 	def test_NetworkInterfacesAddrs(self):
- 		for withMask in (False, True):
-diff --git a/fail2ban/tests/utils.py b/fail2ban/tests/utils.py
-index f71ba60a..e6ef54f3 100644
---- a/fail2ban/tests/utils.py
-+++ b/fail2ban/tests/utils.py
-@@ -326,8 +326,8 @@ def initTests(opts):
- 			('failed.dns.ch', set()),
- 			('doh1.2.3.4.buga.xxxxx.yyy.invalid', set()),
- 			('1.2.3.4.buga.xxxxx.yyy.invalid', set()),
--			('example.com', set([IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'), IPAddr('93.184.215.14')])),
--			('www.example.com', set([IPAddr('2606:2800:21f:cb07:6820:80da:af6b:8b2c'), IPAddr('93.184.215.14')])),
-+			('fail2ban.org', set([IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'), IPAddr('51.159.55.100')])),
-+			('www.fail2ban.org', set([IPAddr('2001:bc8:1200:6:208:a2ff:fe0c:61f8'), IPAddr('51.159.55.100')])),
- 		):
- 			c.set(*i)
- 		# if fast - precache all host names as localhost addresses (speed-up getSelfIPs/ignoreself):
--- 
-2.34.1
-
diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch b/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch
deleted file mode 100644
index a60b0fd..0000000
--- a/dynamic-layers/meta-python/recipes-security/fail2ban/files/0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 9f26da3cf854e48b7939c2a9baa0cb3ffbee5994 Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Thu, 11 Sep 2025 22:36:07 +0800
-Subject: [PATCH] clientreadertestcase.py: set correct config dir for
- testReadStockJailFilterComplete
-
-In test case testReadStockJailFilterComplete, set configuration
-directory to CONFIG_DIR (/etc/fail2ban/filter.d on the target) instead
-of the hardcoded "config" directory. Otherwise, the config files will
-not be found during runtime testing.
-
-Upstream-Status: Backport
-[https://github.com/fail2ban/fail2ban/commit/9f26da3cf854e48b7939c2a9baa0cb3ffbee5994]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
- fail2ban/tests/clientreadertestcase.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py
-index e6a2806c..b8ebbbc7 100644
---- a/fail2ban/tests/clientreadertestcase.py
-+++ b/fail2ban/tests/clientreadertestcase.py
-@@ -878,7 +878,7 @@ class JailsReaderTest(LogCaptureTestCase):
- 		self.assertTrue(jails.getOptions())       # reads fine
- 		# grab all filter names
- 		filters = set(os.path.splitext(os.path.split(a)[1])[0]
--			for a in glob.glob(os.path.join('config', 'filter.d', '*.conf'))
-+			for a in glob.glob(os.path.join(CONFIG_DIR, 'filter.d', '*.conf'))
- 				if not (a.endswith('common.conf') or a.endswith('-aggressive.conf')))
- 		# get filters of all jails (filter names without options inside filter[...])
- 		filters_jail = set(
--- 
-2.34.1
-
diff --git a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb
index b0b65de..c85953a 100644
--- a/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb
+++ b/dynamic-layers/meta-python/recipes-security/fail2ban/python3-fail2ban_git.bb
@@ -11,10 +11,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ecabc31e90311da843753ba772885d9f"
 
 DEPENDS = "python3-native"
 
-SRCREV = "ac62658c10f492911f8a0037a0bcf97c8521cd78"
+SRCREV = "2856092709470250dc299931bc748f112590059f"
 SRC_URI = "git://github.com/fail2ban/fail2ban.git;branch=master;protocol=https \
-           file://0001-example.com-changes-the-IPs-again.-additionally-it-g.patch \
-           file://0002-clientreadertestcase.py-set-correct-config-dir-for-t.patch \
            file://initd \
            file://run-ptest \
            "
-- 
2.51.0

[meta-security][PATCH 08/15] suricata: populate SYSTEMD_SERVICE for service autostart

[Scott Murray]

From: Clayton Casciato <majortomtosourcecontrol@gmail.com>

https://docs.yoctoproject.org/dev/ref-manual/variables.html#term-SYSTEMD_SERVICE

Before:
root@beaglebone-yocto:~# systemctl status suricata
* suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; disabled; preset: disabled)
     Active: inactive (dead)
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://redmine.openinfosecfoundation.org/projects/suricata/wiki

After:
root@beaglebone-yocto:~# systemctl status suricata
* suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: enabled)
     Active: active (running) since Mon 2025-09-22 04:05:08 UTC; 20s ago
 Invocation: 8cfeb29631f443f0830bffeb00975931
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://redmine.openinfosecfoundation.org/projects/suricata/wiki
   Main PID: 268 (Suricata-Main)
      Tasks: 7 (limit: 4915)
     Memory: 36.8M (peak: 37M)
        CPU: 2.222s
     CGroup: /system.slice/suricata.service
             `-268 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

Sep 22 04:05:08 beaglebone-yocto systemd[1]: Started Suricata IDS/IDP daemon.
Sep 22 04:05:09 beaglebone-yocto suricata[268]: i: suricata: This is Suricata version 7.0.0 RELEASE running in SYSTEM mode
Sep 22 04:05:10 beaglebone-yocto suricata[268]: W: detect: No rule files match the pattern /var/lib/suricata/rules/suricata.rules
Sep 22 04:05:10 beaglebone-yocto suricata[268]: W: detect: 1 rule files specified, but no rules were loaded!
Sep 22 04:05:10 beaglebone-yocto suricata[268]: i: threads: Threads created -> W: 1 FM: 1 FR: 1   Engine started.

Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
---
 recipes-ids/suricata/suricata_7.0.0.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/recipes-ids/suricata/suricata_7.0.0.bb b/recipes-ids/suricata/suricata_7.0.0.bb
index f02d343..c36fbf1 100644
--- a/recipes-ids/suricata/suricata_7.0.0.bb
+++ b/recipes-ids/suricata/suricata_7.0.0.bb
@@ -139,6 +139,7 @@ fi
 }
 
 SYSTEMD_PACKAGES = "${PN}"
+SYSTEMD_SERVICE:${PN} = "${BPN}.service"
 
 PACKAGES =+ "${PN}-python"
 FILES:${PN} += "${systemd_unitdir} ${sysconfdir}/tmpfiles.d"
-- 
2.51.0

[meta-security][PATCH 09/15] suricata-update: add package to pull files

[Scott Murray]

From: Clayton Casciato <majortomtosourcecontrol@gmail.com>

suricata has "--disable-suricata-update"

Original add: caaeb67863a6 ("suricata-update: add package to pull rules")
Suricata dropped: 7a1691c03726 ("suricata: Drop 4.1.x its EOL")
Not readded: 818a8646a689 ("suricata: rust is in core")

*Changes*
1.2.1 -> 1.3.6
Drop period and trailing space in SUMMARY value
Drop now-redundant "S"
Use HTTPS protocol for SRC_URI
LICENSE "GPLv2" -> "GPL-2.0-only"
Add "python3-shell" RDEPENDS to resolve:
  ModuleNotFoundError: No module named 'shlex'

Basic target testing:
root@beaglebone-yocto:~# suricata-update
22/9/2025 -- 04:06:23 - <Info> -- Using data-directory /var/lib/suricata.
22/9/2025 -- 04:06:23 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
22/9/2025 -- 04:06:23 - <Info> -- Using /usr/share/suricata/rules for Suricata provided rules.
22/9/2025 -- 04:06:23 - <Info> -- Found Suricata version 7.0.0 at /bin/suricata.
22/9/2025 -- 04:06:23 - <Info> -- Loading /etc/suricata/suricata.yaml
22/9/2025 -- 04:06:23 - <Info> -- Disabling rules for protocol pgsql
22/9/2025 -- 04:06:23 - <Info> -- Disabling rules for protocol modbus
22/9/2025 -- 04:06:23 - <Info> -- Disabling rules for protocol dnp3
22/9/2025 -- 04:06:23 - <Info> -- Disabling rules for protocol enip
22/9/2025 -- 04:06:23 - <Info> -- No sources configured, will use Emerging Threats Open
22/9/2025 -- 04:06:23 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-7.0.0/emerging.rules.tar.gz.
 100% - 5102134/5102134
22/9/2025 -- 04:06:24 - <Info> -- Done.
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/files.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http2-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/mqtt-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/quic-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/rfb-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ssh-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
22/9/2025 -- 04:06:25 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
22/9/2025 -- 04:06:27 - <Info> -- Ignoring file ba1345f233851ca2df4d905ea4b386d2/rules/emerging-deleted.rules
22/9/2025 -- 04:06:57 - <Info> -- Loaded 61205 rules.
22/9/2025 -- 04:07:02 - <Info> -- Disabled 14 rules.
22/9/2025 -- 04:07:02 - <Info> -- Enabled 0 rules.
22/9/2025 -- 04:07:02 - <Info> -- Modified 0 rules.
22/9/2025 -- 04:07:02 - <Info> -- Dropped 0 rules.
22/9/2025 -- 04:07:03 - <Info> -- Enabled 136 rules for flowbit dependencies.
22/9/2025 -- 04:07:03 - <Info> -- Creating directory /var/lib/suricata/rules.
22/9/2025 -- 04:07:03 - <Info> -- Backing up current rules.
22/9/2025 -- 04:07:03 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 61205; enabled: 45406; added: 61205; removed 0; modified: 0
22/9/2025 -- 04:07:06 - <Info> -- Writing /var/lib/suricata/rules/classification.config
22/9/2025 -- 04:07:07 - <Info> -- Testing with suricata -T.
22/9/2025 -- 04:07:57 - <Info> -- Done.

Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
---
 .../suricata/python3-suricata-update_1.3.6.bb     | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 recipes-ids/suricata/python3-suricata-update_1.3.6.bb

diff --git a/recipes-ids/suricata/python3-suricata-update_1.3.6.bb b/recipes-ids/suricata/python3-suricata-update_1.3.6.bb
new file mode 100644
index 0000000..cdf2faa
--- /dev/null
+++ b/recipes-ids/suricata/python3-suricata-update_1.3.6.bb
@@ -0,0 +1,15 @@
+SUMMARY = "The tool for updating your Suricata rules"
+HOMEPAGE = "http://suricata-ids.org/"
+SECTION = "security Monitor/Admin"
+LICENSE = "GPL-2.0-only"
+
+LIC_FILES_CHKSUM = "file://LICENSE;beginline=1;endline=2;md5=c70d8d3310941dcdfcd1e02800a1f548"
+
+SRCREV = "f76a61bdee69961537585a1036c4294da28495a5"
+SRC_URI = "git://github.com/OISF/suricata-update;protocol=https;branch=master"
+
+inherit python3native python3targetconfig setuptools3
+
+RDEPENDS:${PN} = "python3-pyyaml python3-logging python3-compression python3-shell"
+
+BBCLASSEXTEND = "native nativesdk"
-- 
2.51.0

[meta-security][PATCH 10/15] libmhash: fix build with gcc 15

[Scott Murray]

From: Yi Zhao <yi.zhao@windriver.com>

GCC 15 switched to C23 by default, which libmhash does not yet support.
So keep using C17.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
 recipes-security/libmhash/libmhash_0.9.9.9.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-security/libmhash/libmhash_0.9.9.9.bb b/recipes-security/libmhash/libmhash_0.9.9.9.bb
index f5518d2..805cf05 100644
--- a/recipes-security/libmhash/libmhash_0.9.9.9.bb
+++ b/recipes-security/libmhash/libmhash_0.9.9.9.bb
@@ -25,6 +25,8 @@ SRC_URI[sha256sum] = "56521c52a9033779154432d0ae47ad7198914785265e1f570cee21ab24
 
 inherit autotools-brokensep ptest multilib_header
 
+CFLAGS += "-std=gnu17"
+
 do_install:append() {
     oe_multilib_header mutils/mhash_config.h
 }
-- 
2.51.0

[meta-security][PATCH 11/15] tripwire: Remove recipe

[Scott Murray]

Remove the tripwire recipe since it has been disabled since May 2021,
and upstream has shown no activity since 2018.

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 .../include/maintainers-meta-security.inc     |    1 -
 lib/oeqa/runtime/cases/tripwire.py            |   47 -
 recipes-ids/tripwire/files/run-ptest          |    3 -
 recipes-ids/tripwire/files/tripwire.cron      |    8 -
 recipes-ids/tripwire/files/tripwire.sh        |    9 -
 recipes-ids/tripwire/files/tripwire.txt       |   69 -
 recipes-ids/tripwire/files/twcfg.txt          |   15 -
 recipes-ids/tripwire/files/twinstall.sh       |  320 -----
 recipes-ids/tripwire/files/twpol-yocto.txt    | 1107 -----------------
 recipes-ids/tripwire/tripwire_2.4.3.7.bb      |   75 --
 10 files changed, 1654 deletions(-)
 delete mode 100644 lib/oeqa/runtime/cases/tripwire.py
 delete mode 100644 recipes-ids/tripwire/files/run-ptest
 delete mode 100644 recipes-ids/tripwire/files/tripwire.cron
 delete mode 100644 recipes-ids/tripwire/files/tripwire.sh
 delete mode 100644 recipes-ids/tripwire/files/tripwire.txt
 delete mode 100644 recipes-ids/tripwire/files/twcfg.txt
 delete mode 100644 recipes-ids/tripwire/files/twinstall.sh
 delete mode 100644 recipes-ids/tripwire/files/twpol-yocto.txt
 delete mode 100644 recipes-ids/tripwire/tripwire_2.4.3.7.bb

diff --git a/conf/distro/include/maintainers-meta-security.inc b/conf/distro/include/maintainers-meta-security.inc
index c052695..903bb9b 100644
--- a/conf/distro/include/maintainers-meta-security.inc
+++ b/conf/distro/include/maintainers-meta-security.inc
@@ -54,4 +54,3 @@ RECIPE_MAINTAINER:pn-samhain = "Scott Murray <scott.murray@konsulko.com>"
 RECIPE_MAINTAINER:pn-smack = "Scott Murray <scott.murray@konsulko.com>"
 RECIPE_MAINTAINER:pn-sssd = "Scott Murray <scott.murray@konsulko.com>"
 RECIPE_MAINTAINER:pn-suricata = "Scott Murray <scott.murray@konsulko.com>"
-RECIPE_MAINTAINER:pn-tripwire = "Scott Murray <scott.murray@konsulko.com>"
diff --git a/lib/oeqa/runtime/cases/tripwire.py b/lib/oeqa/runtime/cases/tripwire.py
deleted file mode 100644
index 659724d..0000000
--- a/lib/oeqa/runtime/cases/tripwire.py
+++ /dev/null
@@ -1,47 +0,0 @@
-# Copyright (C) 2019 Armin Kuster <akuster808@gmail.com>
-#
-import re
-
-from oeqa.runtime.case import OERuntimeTestCase
-from oeqa.core.decorator.depends import OETestDepends
-from oeqa.runtime.decorator.package import OEHasPackage
-
-
-class TripwireTest(OERuntimeTestCase):
-
-    @OEHasPackage(['tripwire'])
-    @OETestDepends(['ssh.SSHTest.test_ssh'])
-    def test_tripwire_help(self):
-        status, output = self.target.run('tripwire --help')
-        msg = ('tripwire command does not work as expected. '
-               'Status and output:%s and %s' % (status, output))
-        self.assertEqual(status, 8, msg = msg)
-
-    @OETestDepends(['tripwire.TripwireTest.test_tripwire_help'])
-    def test_tripwire_twinstall(self):
-        status, output = self.target.run('/etc/tripwire/twinstall.sh')
-        match = re.search('The database was successfully generated.', output)
-        if not match:
-            msg = ('/etc/tripwire/twinstall.sh failed. '
-               'Status and output:%s and %s' % (status, output))
-            self.assertEqual(status, 0, msg = msg)
-
-    @OETestDepends(['tripwire.TripwireTest.test_tripwire_twinstall'])
-    def test_tripwire_twadmin(self):
-        status, output = self.target.run('twadmin --create-cfgfile --cfgfile /etc/tripwire/twcfg.enc --site-keyfile /etc/tripwire/site.key -Q tripwire /etc/tripwire/twcfg.txt')
-        status, output = self.target.run('twadmin --create-polfile --cfgfile /etc/tripwire/twcfg.enc --polfile /etc/tripwire/twpol.enc --site-keyfile /etc/tripwire/site.key -Q tripwire /etc/tripwire/twpol.txt')
-        match = re.search('Wrote policy file: /etc/tripwire/twpol.enc', output)
-        if not match:
-            msg = ('twadmin --create-profile ; failed. '
-               'Status and output:%s and %s' % (status, output))
-            self.assertEqual(status, 0, msg = msg)
-
-    @OETestDepends(['tripwire.TripwireTest.test_tripwire_twadmin'])
-    def test_tripwire_init(self):
-        status, hostname = self.target.run('hostname')
-        status, output = self.target.run('tripwire --init --cfgfile /etc/tripwire/twcfg.enc --polfile /etc/tripwire/tw.pol --site-keyfile /etc/tripwire/site.key --local-keyfile /etc/tripwire/%s-local.key -P tripwire' % hostname)
-        match = re.search('The database was successfully generated.', output)
-        if not match:
-            msg = ('tripwire --init; Failed for host: %s. '
-               'Status and output:%s and %s' % (hostname, status, output))
-            self.assertEqual(status, 0, msg = msg)
diff --git a/recipes-ids/tripwire/files/run-ptest b/recipes-ids/tripwire/files/run-ptest
deleted file mode 100644
index aedfddc..0000000
--- a/recipes-ids/tripwire/files/run-ptest
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-./twtest.pl
diff --git a/recipes-ids/tripwire/files/tripwire.cron b/recipes-ids/tripwire/files/tripwire.cron
deleted file mode 100644
index 2035508..0000000
--- a/recipes-ids/tripwire/files/tripwire.cron
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-HOST_NAME=`uname -n`
-if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
-	echo "****    Error: Tripwire database for ${HOST_NAME} not found.    ****"
-	echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"
-else
-        test -f /etc/tripwire/tw.cfg &&  /usr/sbin/tripwire --check
-fi
diff --git a/recipes-ids/tripwire/files/tripwire.sh b/recipes-ids/tripwire/files/tripwire.sh
deleted file mode 100644
index 4276d10..0000000
--- a/recipes-ids/tripwire/files/tripwire.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/sh
-HOST_NAME=`uname -n`
-if [ ! -e /var/lib/tripwire/${HOST_NAME}.twd ] ; then
-	echo "****    WARNING: Tripwire database for ${HOST_NAME} not found.    ****"
-	echo "**** Run "/etc/tripwire/twinstall.sh" and/or "tripwire --init". ****"
-	# Note: /etc/tripwire/twinstall.sh creates and initializes tripwire
-	# database (i.e tripwire --init).
-	# Example: . /etc/tripwire/twinstall.sh 2> /dev/null
-fi
diff --git a/recipes-ids/tripwire/files/tripwire.txt b/recipes-ids/tripwire/files/tripwire.txt
deleted file mode 100644
index 332d004..0000000
--- a/recipes-ids/tripwire/files/tripwire.txt
+++ /dev/null
@@ -1,69 +0,0 @@
-Post-Installation Instructions
-1. Run the configuration script: /etc/tripwire/twinstall.sh to sign these files. This script walks you through the processes of setting passphrases and signing the Tripwire policy and configuration files. 
-Note: Once encoded and signed, the configuration file should not be renamed or moved.
-2. Initialize the Tripwire database file. (/usr/sbin/tripwire--init)
-3. Run the first integrity check. (/usr/sbin/tripwire--check)
-4. Edit the configuration file (twcfg.txt) with a text editor, if desired.
-5. Edit the policy file (twpol.txt) with a text editor, if desired.
-
-Note: If you plan to modify the policy file, we recommend you do so before running the configuration script. If you modify the policy file after running the configuration script, you must re-run the configuration file before initializing the database file. 
-
-Modifying the Policy File
-You can specify how Tripwire software checks your system in the Tripwire policy file (twpol.txt). A default policy file is included in the Tripwire software installation. We recommend you tailor this policy file to fit your particular system. Tailoring the policy file greatly increases Tripwire software's ability to ensure the integrity of your system. 
-
-Locate the default policy file at  /etc/tripwire/twpol.txt. An example policy file (located at   /usr/doc/tripwire-VER#-REL#/policyguide.txt) is included to help you learn the policy language. Read the sample policy file and the comments in the sample policy file to learn the policy language. 
-
-After you modify the policy file, follow the Post-Installation Instructions (run the configuration script). This script signs the modified policy file and renames it to tw.pol. This is the active policy file that runs as part of the Tripwire software. 
-
-Selecting Passphrases
-Tripwire files are signed or encrypted using site or local keys. These keys are protected by passphrases. When selecting passphrases, the following recommendations apply:
-Use at least eight alphanumeric and symbolic characters for each passphrase. The maximum length of a passphrase is 1023 characters. Quotes should not be used as passphrase characters.
-
-Assign a unique passphrase for the site key. The site key passphrase protects the site key, which is used to sign Tripwire software configuration and policy files. Assign a unique passphrase for the local key. The local key signs Tripwire database files. The local key may sign the Tripwire report files also. 
-
-Store the passphrases in a secure location. There is no way to remove encryption from a signed file if you forget your passphrase. If you forget the passphrases, the files are unusable. In that case you must reinitialize the baseline database.
-
-Initializing the Database 
-In Database Initialization mode, Tripwire software builds a database of filesystem objects based on the rules in the policy file. This database serves as the baseline for integrity checks. The syntax for Database Initialization mode is:
-tripwire  --init 
-
-Running an Integrity Check
-The Integrity Check mode compares the current file system objects with their properties recorded in the Tripwire database. Violations are printed to stdout. The report file is saved and can later be accessed by twprint. An email option enables you to send email. The syntax for Integrity Check mode is:
-tripwire --check 
-
-Printing Reports - twprint Print Report Mode
-The twprint --print-report mode prints the contents of a Tripwire report. If you do not specify a report with the --twrfile or -r command-line argument, the default report file specified by the configuration file REPORTFILE variable is used. 
-Example: On a machine named LIGHTHOUSE, the command would be:
-./twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr
-
-Updating the Database after an Integrity Check
-Database Update mode enables you to update the Tripwire database after an integrity check if you determine that the violations discovered are valid. This update process saves time by enabling you to update the database without having to re-initialize it. It also enables selective updating, which cannot be done through re-initialization. The syntax for Database Update mode is:
-tripwire --update 
-
-Updating the Policy File
-Change the way that Tripwire software scans the system by changing the rules in the policy file. You can  then update the database without a complete re-initialization. This saves a significant amount of time and preserves security by keeping the policy file synchronized with the database it uses.  The syntax for Policy Update mode is:
-tripwire  --update-policy 
-
-Testing email functions
-Test mode tests the software's email notification system, using the settings currently specified in the configuration file. The syntax for Email Test Reporting mode is:
-tripwire  --test 
-
-Tripwire Components
-The policy file begins as a text file containing comments, rules, directives, and variables. These dictate the way Tripwire software checks your system. Each rule in the policy file specifies a system object to be monitored. Rules also describe which changes to the object to report, and which to ignore. 
-
-System objects are the files and directories you wish to monitor. Each object is identified by an object name. A property refers to a single characteristic of an object that Tripwire software can monitor. Directives control conditional processing of sets of rules in a policy file. During installation, the text policy file is encrypted and renamed, and becomes the active policy file. 
-
-The database file is an important component of Tripwire software. When first installed, Tripwire software uses the policy file rules to create the database file. The database file is a baseline "snapshot" of the system in a known secure state. Tripwire software compares this baseline against the current system to determine what changes have occurred. This is an integrity check.
-
-When you perform an integrity check, Tripwire software produces report files. Report files summarize any changes that violated the policy file rules during the integrity check. You can view the report file in a variety of formats, at varying levels of detail.  
-
-The Tripwire configuration file stores system-specific information, such as the location of Tripwire data files. Tripwire software generates some of the configuration file information during installation. The system administrator can change parameters in the configuration file at any time. The configuration file variables POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, and LOCALKEYFILE specify where the policy file, database file, report files, and site and local key files reside. These variables must be defined or the configuration file is invalid. If any of these variables are undefined, an error occurs on execution of Tripwire software and the program exits. 
-
-Tripwire Help
-All Tripwire commands support the help arguments. Example: To get help with Create Configuration File mode, type: ./twadmin --help --create-cfgfile
-
--?		Display usage and version information
---help		Display all command modes
---help all	Display help for all command modes
---help [mode]	Display help for current command mode
---version	Display version information
diff --git a/recipes-ids/tripwire/files/twcfg.txt b/recipes-ids/tripwire/files/twcfg.txt
deleted file mode 100644
index 224e920..0000000
--- a/recipes-ids/tripwire/files/twcfg.txt
+++ /dev/null
@@ -1,15 +0,0 @@
-ROOT                   =/usr/sbin
-POLFILE                =/etc/tripwire/tw.pol
-DBFILE                 =/var/lib/tripwire/$(HOSTNAME).twd
-REPORTFILE             =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
-SITEKEYFILE            =/etc/tripwire/site.key
-LOCALKEYFILE           =/etc/tripwire/$(HOSTNAME)-local.key
-EDITOR                 =/usr/bin/nano
-LATEPROMPTING          =false
-LOOSEDIRECTORYCHECKING =false
-MAILNOVIOLATIONS       =true
-EMAILREPORTLEVEL       =3
-REPORTLEVEL            =3
-MAILMETHOD             =SENDMAIL
-SYSLOGREPORTING        =false
-MAILPROGRAM            =/usr/lib/sendmail -t
diff --git a/recipes-ids/tripwire/files/twinstall.sh b/recipes-ids/tripwire/files/twinstall.sh
deleted file mode 100644
index 7d1b63f..0000000
--- a/recipes-ids/tripwire/files/twinstall.sh
+++ /dev/null
@@ -1,320 +0,0 @@
-#!/bin/sh
-
-########################################################################
-########################################################################
-##
-## Tripwire(R) 2.3 for LINUX(R) Post-RPM installation script
-##
-## Copyleft information contained in footer
-##
-########################################################################
-########################################################################
-
-##=======================================================
-## Setup
-##=======================================================
-
-# We can assume all the correct tools are in place because the
-# RPM installed, didn't it?
-
-##-------------------------------------------------------
-## Set HOST_NAME variable
-##-------------------------------------------------------
-HOST_NAME='localhost'
-if uname -n > /dev/null 2> /dev/null ; then
-	HOST_NAME=`uname -n`
-fi
-
-##-------------------------------------------------------
-## Program variables - edited by RPM during initial install
-##-------------------------------------------------------
-
-# Site Passphrase variable
-TW_SITE_PASS="tripwire"
-
-# Complete path to site key
-SITE_KEY="/etc/tripwire/site.key"
-
-# Local Passphrase variable
-TW_LOCAL_PASS="tripwire"
-
-# Complete path to local key
-LOCAL_KEY="/etc/tripwire/${HOST_NAME}-local.key"
-
-# If clobber==true, overwrite files; if false, do not overwrite files.
-CLOBBER="false"
-
-# If prompt==true, ask for confirmation before continuing with install.
-PROMPT="true"
-
-# Name of twadmin executeable
-TWADMIN="twadmin"
-
-# Path to twadmin executeable
-TWADMPATH=/usr/sbin
-
-# Path to configuration directory
-CONF_PATH="/etc/tripwire"
-
-# Name of clear text policy file
-TXT_POL=$CONF_PATH/twpol.txt
-
-# Name of clear text configuration file
-TXT_CFG=$CONF_PATH/twcfg.txt
-
-# Name of encrypted configuration file
-CONFIG_FILE=$CONF_PATH/tw.cfg
-
-# Path of the final Tripwire policy file (signed)
-SIGNED_POL=`grep POLFILE $TXT_CFG | sed -e 's/^.*=\(.*\)/\1/'`
-
-
-##=======================================================
-## Create Key Files
-##=======================================================
-
-##-------------------------------------------------------
-## If user has to enter a passphrase, give some
-## advice about what is appropriate.
-##-------------------------------------------------------
-
-if [ -z "$TW_SITE_PASS" ] || [ -z "$TW_LOCAL_PASS" ]; then
-cat << END_OF_TEXT
-
-----------------------------------------------
-The Tripwire site and local passphrases are used to
-sign a variety of files, such as the configuration,
-policy, and database files.
-
-Passphrases should be at least 8 characters in length
-and contain both letters and numbers.
-
-See the Tripwire manual for more information.
-END_OF_TEXT
-fi
-
-##=======================================================
-## Generate keys.
-##=======================================================
-
-echo
-echo "----------------------------------------------"
-echo "Creating key files..."
-
-##-------------------------------------------------------
-## Site key file.
-##-------------------------------------------------------
-
-# If clobber is true, and prompting is off (unattended operation)
-# and the key file already exists, remove it.  Otherwise twadmin
-# will prompt with an "are you sure?" message.
-
-if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$SITE_KEY" ] ; then
-        rm -f "$SITE_KEY"
-fi
-
-if [ -f "$SITE_KEY" ] && [ "$CLOBBER" = "false" ] ; then
-	echo "The site key file \"$SITE_KEY\""
-	echo 'exists and will not be overwritten.'
-else
-	cmdargs="--generate-keys --site-keyfile \"$SITE_KEY\""
-	if [ -n "$TW_SITE_PASS" ] ; then
-		cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
-     	fi
-	eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
-	if [ $? -ne 0 ] ; then
-		echo "Error: site key generation failed"
-		exit 1
-        else chmod 640 "$SITE_KEY"
-	fi
-fi
-
-##-------------------------------------------------------
-## Local key file.
-##-------------------------------------------------------
-
-# If clobber is true, and prompting is off (unattended operation)
-# and the key file already exists, remove it.  Otherwise twadmin
-# will prompt with an "are you sure?" message.
-
-if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$LOCAL_KEY" ] ; then
-        rm -f "$LOCAL_KEY"
-fi
-
-if [ -f "$LOCAL_KEY" ] && [ "$CLOBBER" = "false" ] ; then
-	echo "The site key file \"$LOCAL_KEY\""
-	echo 'exists and will not be overwritten.'
-else
-	cmdargs="--generate-keys --local-keyfile \"$LOCAL_KEY\""
-	if [ -n "$TW_LOCAL_PASS" ] ; then
-		cmdargs="$cmdargs --local-passphrase \"$TW_LOCAL_PASS\""
-        fi
-	eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
-	if [ $? -ne 0 ] ; then
-		echo "Error: local key generation failed"
-		exit 1
-        else chmod 640 "$LOCAL_KEY"
-	fi
-fi
-
-##=======================================================
-## Sign the Configuration File
-##=======================================================
-
-echo
-echo "----------------------------------------------"
-echo "Signing configuration file..."
-
-##-------------------------------------------------------
-## If noclobber, then backup any existing config file.
-##-------------------------------------------------------
-
-if [ "$CLOBBER" = "false" ] && [ -s "$CONFIG_FILE" ] ; then
-	backup="${CONFIG_FILE}.$$.bak"
-	echo "Backing up $CONFIG_FILE"
-	echo "        to $backup"
-	`mv "$CONFIG_FILE" "$backup"`
-	if [ $? -ne 0 ] ; then
-		echo "Error: backup of configuration file failed."
-		exit 1
-	fi
-fi
-
-##-------------------------------------------------------
-## Build command line.
-##-------------------------------------------------------
-
-cmdargs="--create-cfgfile"
-cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
-cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
-if [ -n "$TW_SITE_PASS" ] ; then
-	cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
-fi
-
-##-------------------------------------------------------
-## Sign the file.
-##-------------------------------------------------------
-
-eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_CFG\""
-if [ $? -ne 0 ] ; then
-	echo "Error: signing of configuration file failed."
-	exit 1
-fi
-
-# Set the rights properly
-chmod 640 "$CONFIG_FILE"
-
-##-------------------------------------------------------
-## We keep the cleartext version around.
-##-------------------------------------------------------
-
-cat << END_OF_TEXT
-
-A clear-text version of the Tripwire configuration file
-$TXT_CFG
-has been preserved for your inspection.  It is recommended
-that you delete this file manually after you have examined it.
-
-END_OF_TEXT
-
-##=======================================================
-## Sign tripwire policy file.
-##=======================================================
-
-echo
-echo "----------------------------------------------"
-echo "Signing policy file..."
-
-##-------------------------------------------------------
-## If noclobber, then backup any existing policy file.
-##-------------------------------------------------------
-
-if [ "$CLOBBER" = "false" ] && [ -s "$POLICY_FILE" ] ; then
-	backup="${POLICY_FILE}.$$.bak"
-	echo "Backing up $POLICY_FILE"
-	echo "        to $backup"
-	mv "$POLICY_FILE" "$backup"
-	if [ $? -ne 0 ] ; then
-		echo "Error: backup of policy file failed."
-		exit 1
-	fi
-fi
-
-##-------------------------------------------------------
-## Build command line.
-##-------------------------------------------------------
-
-cmdargs="--create-polfile"
-cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
-cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
-if [ -n "$TW_SITE_PASS" ] ; then
-	cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
-fi
-
-##-------------------------------------------------------
-## Sign the file.
-##-------------------------------------------------------
-
-eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_POL\""
-if [ $? -ne 0 ] ; then
-	echo "Error: signing of policy file failed."
-	exit 1
-fi
-
-# Set the proper rights on the newly signed policy file.
-chmod 0640 "$SIGNED_POL"
-
-##-------------------------------------------------------
-## We keep the cleartext version around.
-##-------------------------------------------------------
-
-cat << END_OF_TEXT
-
-A clear-text version of the Tripwire policy file
-$TXT_POL
-has been preserved for your inspection.  This implements
-a minimal policy, intended only to test essential
-Tripwire functionality.  You should edit the policy file
-to describe your system, and then use twadmin to generate
-a new signed copy of the Tripwire policy.
-
-END_OF_TEXT
-
-# Initialize tripwire database
-/usr/sbin/tripwire --init --cfgfile $CONFIG_FILE --site-keyfile $SITE_KEY \
---local-passphrase $TW_LOCAL_PASS 2> /dev/null
-
-########################################################################
-########################################################################
-#
-#                        TRIPWIRE GPL NOTICES
-#
-# The developer of the original code and/or files is Tripwire, Inc.
-# Portions created by Tripwire, Inc. are copyright 2000 Tripwire, Inc.
-# Tripwire is a registered trademark of Tripwire, Inc.  All rights reserved.
-#
-# This program is free software.  The contents of this file are subject to
-# the terms of the GNU General Public License as published by the Free
-# Software Foundation; either version 2 of the License, or (at your option)
-# any later version.  You may redistribute it and/or modify it only in
-# compliance with the GNU General Public License.
-#
-# This program is distributed in the hope that it will be useful.  However,
-# this program is distributed "AS-IS" WITHOUT ANY WARRANTY; INCLUDING THE
-# IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-# Please see the GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-# Nothing in the GNU General Public License or any other license to use the
-# code or files shall permit you to use Tripwire's trademarks,
-# service marks, or other intellectual property without Tripwire's
-# prior written consent.
-#
-# If you have any questions, please contact Tripwire, Inc. at either
-# info@tripwire.org or www.tripwire.org.
-#
-########################################################################
-########################################################################
diff --git a/recipes-ids/tripwire/files/twpol-yocto.txt b/recipes-ids/tripwire/files/twpol-yocto.txt
deleted file mode 100644
index 65f5f75..0000000
--- a/recipes-ids/tripwire/files/twpol-yocto.txt
+++ /dev/null
@@ -1,1107 +0,0 @@
-  ##############################################################################
- #                                                                            ##
-############################################################################## #
-#                                                                            # #
-#                          Generic Policy file                               # #
-#                               V1.2.0rh                                     # #
-#                            August 9, 2001                                  # #
-#                                                                            ##
-##############################################################################
-
-
-  ##############################################################################
- #                                                                            ##
-############################################################################## #
-#                                                                            # #
-# This is the example Tripwire Policy file.  It is intended as a place to    # #
-# start creating your own custom Tripwire Policy file.  Referring to it as   # #
-# well as the Tripwire Policy Guide should give you enough information to    # #
-# make a good custom Tripwire Policy file that better covers your            # #
-# configuration and security needs.  A text version of this policy file is   # #
-# called twpol.txt.                                                          # #
-#                                                                            # #
-# Note that this file is tuned to an 'everything' install of Red Hat Linux.  # #
-# If run unmodified, this file should create no errors on database           # #
-# creation, or violations on a subsiquent integrity check.  However, it is   # #
-# impossible for there to be one policy file for all machines, so this       # #
-# existing one errs on the side of security.  Your Linux configuration will  # #
-# most likey differ from the one our policy file was tuned to, and will      # #
-# therefore require some editing of the default Tripwire Policy file.        # #
-#                                                                            # #
-# The example policy file is best run with 'Loose Directory Checking'        # #
-# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration     # #
-# file.                                                                      # #
-#                                                                            # #
-# Email support is not included and must be added to this file.              # #
-# Add the 'emailto=' to the rule directive section of each rule (add a comma # #
-# after the 'severity=' line and add an 'emailto=' and include the email     # #
-# addresses you want the violation reports to go to).  Addresses are         # #
-# semi-colon delimited.                                                      # #
-#                                                                            ##
-##############################################################################
-
-
-
-  ##############################################################################
- #                                                                            ##
-############################################################################## #
-#                                                                            # #
-# Global Variable Definitions                                                # #
-#                                                                            # #
-# These are defined at install time by the installation script.  You may     # #
-# Manually edit these if you are using this file directly and not from the   # #
-# installation script itself.                                                # #
-#                                                                            ##
-##############################################################################
-
-@@section GLOBAL
-TWROOT=/usr/sbin;
-TWBIN=/usr/sbin;
-TWPOL="/etc/tripwire";
-TWDB="/var/lib/tripwire";
-TWSKEY="/etc/tripwire";
-TWLKEY="/etc/tripwire";
-TWREPORT="/var/lib/tripwire/report";
-HOSTNAME=localhost;
-
-@@section FS
-SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
-SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
-SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
-SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
-SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
-SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
-SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
-SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
-SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability
-
-
-# Tripwire Binaries
-(
-  rulename = "Tripwire Binaries",
-  severity = $(SIG_HI)
-)
-{
-  $(TWBIN)/siggen                      -> $(SEC_BIN) ;
-  $(TWBIN)/tripwire                    -> $(SEC_BIN) ;
-  $(TWBIN)/twadmin                     -> $(SEC_BIN) ;
-  $(TWBIN)/twprint                     -> $(SEC_BIN) ;
-}
-
-# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
-(
-  rulename = "Tripwire Data Files",
-  severity = $(SIG_HI)
-)
-{
-  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
-  # it does so by renaming the old file and creating a new one (which will
-  # have a new inode number).  Inode is left turned on for keys, which shouldn't
-  # ever change.
-
-  # NOTE: The first integrity check triggers this rule and each integrity check
-  # afterward triggers this rule until a database update is run, since the
-  # database file does not exist before that point.
-
-  $(TWDB)                              -> $(SEC_CONFIG) -i ;
-  $(TWPOL)/tw.pol                      -> $(SEC_BIN) -i ;
-  $(TWPOL)/tw.cfg                      -> $(SEC_BIN) -i ;
-  $(TWLKEY)/$(HOSTNAME)-local.key      -> $(SEC_BIN) ;
-  $(TWSKEY)/site.key                   -> $(SEC_BIN) ;
-
-  #don't scan the individual reports
-  $(TWREPORT)                          -> $(SEC_CONFIG) (recurse=0) ;
-}
-
-
-# Tripwire HQ Connector Binaries
-#(
-#  rulename = "Tripwire HQ Connector Binaries",
-#  severity = $(SIG_HI)
-#)
-#{
-#  $(TWBIN)/hqagent                     -> $(SEC_BIN) ;
-#}
-#
-# Tripwire HQ Connector - Configuration Files, Keys, and Logs
-
-  ##############################################################################
- #                                                                            ##
-############################################################################## #
-#                                                                            # #
-# Note: File locations here are different than in a stock HQ Connector       # #
-# installation.  This is because Tripwire 2.3 uses a different path          # #
-# structure than Tripwire 2.2.1.                                             # #
-#                                                                            # #
-# You may need to update your HQ Agent configuation file (or this policy     # #
-# file) to correct the paths.  We have attempted to support the FHS standard # #
-# here by placing the HQ Agent files similarly to the way Tripwire 2.3       # #
-# places them.                                                               # #
-#                                                                            ##
-##############################################################################
-
-#(
-#  rulename = "Tripwire HQ Connector Data Files",
-#  severity = $(SIG_HI)
-#)
-#{
-#   #############################################################################
-#  ##############################################################################
-#  # NOTE: Removing the inode attribute because when Tripwire creates a backup ##
-#  # it does so by renaming the old file and creating a new one (which will    ##
-#  # have a new inode number).  Leaving inode turned on for keys, which        ##
-#  # shouldn't ever change.                                                    ##
-#  #############################################################################
-#
-#  $(TWBIN)/agent.cfg                   -> $(SEC_BIN) -i ;
-#  $(TWLKEY)/authentication.key         -> $(SEC_BIN) ;
-#  $(TWDB)/tasks.dat                    -> $(SEC_CONFIG) ;
-#  $(TWDB)/schedule.dat                 -> $(SEC_CONFIG) ;
-#
-#  # Uncomment if you have agent logging enabled.
-#  #/var/log/tripwire/agent.log      -> $(SEC_LOG) ;
-#}
-
-
-
-# Commonly accessed directories that should remain static with regards to owner and group
-(
-  rulename = "Invariant Directories",
-  severity = $(SIG_MED)
-)
-{
-  /                                    -> $(SEC_INVARIANT) (recurse = 0) ;
-  /home                                -> $(SEC_INVARIANT) (recurse = 0) ;
-  /etc                                 -> $(SEC_INVARIANT) (recurse = 0) ;
-}
-  ################################################
- #                                              ##
-################################################ #
-#                                              # #
-# File System and Disk Administration Programs # #
-#                                              ##
-################################################
-
-(
-  rulename = "File System and Disk Administraton Programs",
-  severity = $(SIG_HI)
-)
-{
-  /sbin/accton                         -> $(SEC_CRIT) ;
-  /sbin/badblocks                      -> $(SEC_CRIT) ;
-  /sbin/busybox                        -> $(SEC_CRIT) ;
-  /sbin/busybox.anaconda               -> $(SEC_CRIT) ;
-  /sbin/convertquota                   -> $(SEC_CRIT) ;
-  /sbin/dosfsck                        -> $(SEC_CRIT) ;
-  /sbin/debugfs                        -> $(SEC_CRIT) ;
-  /sbin/debugreiserfs                  -> $(SEC_CRIT) ;
-  /sbin/dumpe2fs                       -> $(SEC_CRIT) ;
-  /sbin/dump                           -> $(SEC_CRIT) ;
-  /sbin/dump.static                    -> $(SEC_CRIT) ;
-  # /sbin/e2fsadm                        -> $(SEC_CRIT) ; tune2fs?
-  /sbin/e2fsck                         -> $(SEC_CRIT) ;
-  /sbin/e2label                        -> $(SEC_CRIT) ;
-  /sbin/fdisk                          -> $(SEC_CRIT) ;
-  /sbin/fsck                           -> $(SEC_CRIT) ;
-  /sbin/fsck.ext2                      -> $(SEC_CRIT) ;
-  /sbin/fsck.ext3                      -> $(SEC_CRIT) ;
-  /sbin/fsck.minix                     -> $(SEC_CRIT) ;
-  /sbin/fsck.msdos                     -> $(SEC_CRIT) ;
-  /sbin/fsck.vfat                      -> $(SEC_CRIT) ;
-  /sbin/ftl_check                      -> $(SEC_CRIT) ;
-  /sbin/ftl_format                     -> $(SEC_CRIT) ;
-  /sbin/hdparm                         -> $(SEC_CRIT) ;
-  #/sbin/lvchange                       -> $(SEC_CRIT) ;
-  #/sbin/lvcreate                       -> $(SEC_CRIT) ;
-  #/sbin/lvdisplay                      -> $(SEC_CRIT) ;
-  #/sbin/lvextend                       -> $(SEC_CRIT) ;
-  #/sbin/lvmchange                      -> $(SEC_CRIT) ;
-  #/sbin/lvmcreate_initrd               -> $(SEC_CRIT) ;
-  #/sbin/lvmdiskscan                    -> $(SEC_CRIT) ;
-  #/sbin/lvmsadc                        -> $(SEC_CRIT) ;
-  #/sbin/lvmsar                         -> $(SEC_CRIT) ;
-  #/sbin/lvreduce                       -> $(SEC_CRIT) ;
-  #/sbin/lvremove                       -> $(SEC_CRIT) ;
-  #/sbin/lvrename                       -> $(SEC_CRIT) ;
-  #/sbin/lvscan                         -> $(SEC_CRIT) ;
-  /sbin/mkbootdisk                     -> $(SEC_CRIT) ;
-  /sbin/mkdosfs                        -> $(SEC_CRIT) ;
-  /sbin/mke2fs                         -> $(SEC_CRIT) ;
-  /sbin/mkfs                           -> $(SEC_CRIT) ;
-  /sbin/mkfs.bfs                       -> $(SEC_CRIT) ;
-  /sbin/mkfs.ext2                      -> $(SEC_CRIT) ;
-  /sbin/mkfs.minix                     -> $(SEC_CRIT) ;
-  /sbin/mkfs.msdos                     -> $(SEC_CRIT) ;
-  /sbin/mkfs.vfat                      -> $(SEC_CRIT) ;
-  /sbin/mkinitrd                       -> $(SEC_CRIT) ;
-  #/sbin/mkpv                           -> $(SEC_CRIT) ;
-  /sbin/mkraid                         -> $(SEC_CRIT) ;
-  /sbin/mkreiserfs                     -> $(SEC_CRIT) ;
-  /sbin/mkswap                         -> $(SEC_CRIT) ;
-  #/sbin/mtx                            -> $(SEC_CRIT) ;
-  /sbin/pam_console_apply              -> $(SEC_CRIT) ;
-  /sbin/parted                         -> $(SEC_CRIT) ;
-  /sbin/pcinitrd                       -> $(SEC_CRIT) ;
-  #/sbin/pvchange                       -> $(SEC_CRIT) ;
-  #/sbin/pvcreate                       -> $(SEC_CRIT) ;
-  #/sbin/pvdata                         -> $(SEC_CRIT) ;
-  #/sbin/pvdisplay                      -> $(SEC_CRIT) ;
-  #/sbin/pvmove                         -> $(SEC_CRIT) ;
-  #/sbin/pvscan                         -> $(SEC_CRIT) ;
-  /sbin/quotacheck                     -> $(SEC_CRIT) ;
-  /sbin/quotaon                        -> $(SEC_CRIT) ;
-  /sbin/raidstart                      -> $(SEC_CRIT) ;
-  /sbin/reiserfsck                     -> $(SEC_CRIT) ;
-  /sbin/resize2fs                      -> $(SEC_CRIT) ;
-  /sbin/resize_reiserfs                -> $(SEC_CRIT) ;
-  /sbin/restore                        -> $(SEC_CRIT) ;
-  /sbin/restore.static                 -> $(SEC_CRIT) ;
-  /sbin/scsi_info                      -> $(SEC_CRIT) ;
-  /sbin/sfdisk                         -> $(SEC_CRIT) ;
-  /sbin/stinit                         -> $(SEC_CRIT) ;
-  #/sbin/tapeinfo                       -> $(SEC_CRIT) ;
-  /sbin/tune2fs                        -> $(SEC_CRIT) ;
-  /sbin/unpack                         -> $(SEC_CRIT) ;
-  /sbin/update                         -> $(SEC_CRIT) ;
-  #/sbin/vgcfgbackup                    -> $(SEC_CRIT) ;
-  #/sbin/vgcfgrestore                   -> $(SEC_CRIT) ;
-  #/sbin/vgchange                       -> $(SEC_CRIT) ;
-  #/sbin/vgck                           -> $(SEC_CRIT) ;
-  #/sbin/vgcreate                       -> $(SEC_CRIT) ;
-  #/sbin/vgdisplay                      -> $(SEC_CRIT) ;
-  #/sbin/vgexport                       -> $(SEC_CRIT) ;
-  #/sbin/vgextend                       -> $(SEC_CRIT) ;
-  #/sbin/vgimport                       -> $(SEC_CRIT) ;
-  #/sbin/vgmerge                        -> $(SEC_CRIT) ;
-  #/sbin/vgmknodes                      -> $(SEC_CRIT) ;
-  #/sbin/vgreduce                       -> $(SEC_CRIT) ;
-  #/sbin/vgremove                       -> $(SEC_CRIT) ;
-  #/sbin/vgrename                       -> $(SEC_CRIT) ;
-  #/sbin/vgscan                         -> $(SEC_CRIT) ;
-  #/sbin/vgsplit                        -> $(SEC_CRIT) ;
-  /bin/chgrp                           -> $(SEC_CRIT) ;
-  /bin/chmod                           -> $(SEC_CRIT) ;
-  /bin/chown                           -> $(SEC_CRIT) ;
-  /bin/cp                              -> $(SEC_CRIT) ;
-  /bin/cpio                            -> $(SEC_CRIT) ;
-  /bin/mount                           -> $(SEC_CRIT) ;
-  /bin/umount                          -> $(SEC_CRIT) ;
-  /bin/mkdir                           -> $(SEC_CRIT) ;
-  /bin/mknod                           -> $(SEC_CRIT) ;
-  /bin/mktemp                          -> $(SEC_CRIT) ;
-  /bin/rm                              -> $(SEC_CRIT) ;
-  /bin/rmdir                           -> $(SEC_CRIT) ;
-  /bin/touch                           -> $(SEC_CRIT) ;
-}
-
-  ##################################
- #                                ##
-################################## #
-#                                # #
-# Kernel Administration Programs # #
-#                                ##
-##################################
-
-(
-  rulename = "Kernel Administration Programs",
-  severity = $(SIG_HI)
-)
-{
-  /sbin/adjtimex                       -> $(SEC_CRIT) ;
-  /sbin/ctrlaltdel                     -> $(SEC_CRIT) ;
-  /sbin/depmod                         -> $(SEC_CRIT) ;
-  /sbin/insmod                         -> $(SEC_CRIT) ;
-  /sbin/insmod.static                  -> $(SEC_CRIT) ;
-  /sbin/insmod_ksymoops_clean          -> $(SEC_CRIT) ;
-  /sbin/klogd                          -> $(SEC_CRIT) ;
-  /sbin/ldconfig                       -> $(SEC_CRIT) ;
-  /sbin/minilogd                       -> $(SEC_CRIT) ;
-  /sbin/modinfo                        -> $(SEC_CRIT) ;
-  #/sbin/nuactlun                       -> $(SEC_CRIT) ;
-  #/sbin/nuscsitcpd                     -> $(SEC_CRIT) ;
-  /sbin/pivot_root                     -> $(SEC_CRIT) ;
-  /sbin/sndconfig                      -> $(SEC_CRIT) ;
-  /sbin/sysctl                         -> $(SEC_CRIT) ;
-}
-
-  #######################
- #                     ##
-####################### #
-#                     # #
-# Networking Programs # #
-#                     ##
-#######################
-
-(
-  rulename = "Networking Programs",
-  severity = $(SIG_HI)
-)
-{
-  /etc/sysconfig/network-scripts/ifdown                  -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifdown-cipcb            -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifdown-ippp             -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifdown-ipv6             -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifdown-isdn             -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifdown-post             -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifdown-ppp              -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifdown-sit              -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifdown-sl               -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifup                    -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifup-aliases            -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifup-cipcb              -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifup-ippp               -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifup-ipv6               -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifup-isdn               -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifup-plip               -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifup-plusb              -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifup-post               -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifup-ppp                -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifup-routes             -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifup-sit                -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifup-sl                 -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/ifup-wireless           -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/network-functions       -> $(SEC_CRIT) ;
-  /etc/sysconfig/network-scripts/network-functions-ipv6  -> $(SEC_CRIT) ;
-  /bin/ping                            -> $(SEC_CRIT) ;
-  /sbin/agetty                         -> $(SEC_CRIT) ;
-  /sbin/arp                            -> $(SEC_CRIT) ;
-  /sbin/arping                         -> $(SEC_CRIT) ;
-  /sbin/dhcpcd                         -> $(SEC_CRIT) ;
-  /sbin/ether-wake                     -> $(SEC_CRIT) ;
-  #/sbin/getty                          -> $(SEC_CRIT) ;
-  /sbin/ifcfg                          -> $(SEC_CRIT) ;
-  /sbin/ifconfig                       -> $(SEC_CRIT) ;
-  /sbin/ifdown                         -> $(SEC_CRIT) ;
-  /sbin/ifenslave                      -> $(SEC_CRIT) ;
-  /sbin/ifport                         -> $(SEC_CRIT) ;
-  /sbin/ifup                           -> $(SEC_CRIT) ;
-  /sbin/ifuser                         -> $(SEC_CRIT) ;
-  /sbin/ip                             -> $(SEC_CRIT) ;
-  /sbin/ip6tables                      -> $(SEC_CRIT) ;
-  /sbin/ipchains                       -> $(SEC_CRIT) ;
-  /sbin/ipchains-restore               -> $(SEC_CRIT) ;
-  /sbin/ipchains-save                  -> $(SEC_CRIT) ;
-  /sbin/ipfwadm                        -> $(SEC_CRIT) ;
-  /sbin/ipmaddr                        -> $(SEC_CRIT) ;
-  /sbin/iptables                       -> $(SEC_CRIT) ;
-  /sbin/iptables-restore               -> $(SEC_CRIT) ;
-  /sbin/iptables-save                  -> $(SEC_CRIT) ;
-  /sbin/iptunnel                       -> $(SEC_CRIT) ;
-  #/sbin/ipvsadm                        -> $(SEC_CRIT) ;
-  #/sbin/ipvsadm-restore                -> $(SEC_CRIT) ;
-  #/sbin/ipvsadm-save                   -> $(SEC_CRIT) ;
-  /sbin/ipx_configure                  -> $(SEC_CRIT) ;
-  /sbin/ipx_interface                  -> $(SEC_CRIT) ;
-  /sbin/ipx_internal_net               -> $(SEC_CRIT) ;
-  /sbin/iwconfig                       -> $(SEC_CRIT) ;
-  /sbin/iwgetid                        -> $(SEC_CRIT) ;
-  /sbin/iwlist                         -> $(SEC_CRIT) ;
-  /sbin/iwpriv                         -> $(SEC_CRIT) ;
-  /sbin/iwspy                          -> $(SEC_CRIT) ;
-  /sbin/mgetty                         -> $(SEC_CRIT) ;
-  /sbin/mingetty                       -> $(SEC_CRIT) ;
-  /sbin/nameif                         -> $(SEC_CRIT) ;
-  /sbin/netreport                      -> $(SEC_CRIT) ;
-  /sbin/plipconfig                     -> $(SEC_CRIT) ;
-  /sbin/portmap                        -> $(SEC_CRIT) ;
-  /sbin/ppp-watch                      -> $(SEC_CRIT) ;
-  #/sbin/rarp                           -> $(SEC_CRIT) ;
-  /sbin/route                          -> $(SEC_CRIT) ;
-  /sbin/slattach                       -> $(SEC_CRIT) ;
-  /sbin/tc                             -> $(SEC_CRIT) ;
-  #/sbin/uugetty                        -> $(SEC_CRIT) ;
-  /sbin/vgetty                         -> $(SEC_CRIT) ;
-  /sbin/ypbind                         -> $(SEC_CRIT) ;
-}
-
-  ##################################
- #                                ##
-################################## #
-#                                # #
-# System Administration Programs # #
-#                                ##
-##################################
-
-(
-  rulename = "System Administration Programs",
-  severity = $(SIG_HI)
-)
-{
-  /sbin/chkconfig                      -> $(SEC_CRIT) ;
-  /sbin/fuser                          -> $(SEC_CRIT) ;
-  /sbin/halt                           -> $(SEC_CRIT) ;
-  /sbin/init                           -> $(SEC_CRIT) ;
-  /sbin/initlog                        -> $(SEC_CRIT) ;
-  /sbin/install-info                   -> $(SEC_CRIT) ;
-  /sbin/killall5                       -> $(SEC_CRIT) ;
-  #/sbin/linuxconf                      -> $(SEC_CRIT) ;
-  #/sbin/linuxconf-auth                 -> $(SEC_CRIT) ;
-  /sbin/pam_tally                      -> $(SEC_CRIT) ;
-  /sbin/pwdb_chkpwd                    -> $(SEC_CRIT) ;
-  #/sbin/remadmin                       -> $(SEC_CRIT) ;
-  /sbin/rescuept                       -> $(SEC_CRIT) ;
-  /sbin/rmt                            -> $(SEC_CRIT) ;
-  /sbin/rpc.lockd                      -> $(SEC_CRIT) ;
-  /sbin/rpc.statd                      -> $(SEC_CRIT) ;
-  /sbin/rpcdebug                       -> $(SEC_CRIT) ;
-  /sbin/service                        -> $(SEC_CRIT) ;
-  /sbin/setsysfont                     -> $(SEC_CRIT) ;
-  /sbin/shutdown                       -> $(SEC_CRIT) ;
-  /sbin/sulogin                        -> $(SEC_CRIT) ;
-  /sbin/swapon                         -> $(SEC_CRIT) ;
-  /sbin/syslogd                        -> $(SEC_CRIT) ;
-  /sbin/unix_chkpwd                    -> $(SEC_CRIT) ;
-  /bin/pwd                             -> $(SEC_CRIT) ;
-  /bin/uname                           -> $(SEC_CRIT) ;
-}
-
-  ########################################
- #                                      ##
-######################################## #
-#                                      # #
-# Hardware and Device Control Programs # #
-#                                      ##
-########################################
-(
-  rulename = "Hardware and Device Control Programs",
-  severity = $(SIG_HI)
-)
-{
-  /bin/setserial                       -> $(SEC_CRIT) ;
-  /bin/sfxload                         -> $(SEC_CRIT) ;
-  /sbin/blockdev                       -> $(SEC_CRIT) ;
-  /sbin/cardctl                        -> $(SEC_CRIT) ;
-  /sbin/cardmgr                        -> $(SEC_CRIT) ;
-  /sbin/cbq                            -> $(SEC_CRIT) ;
-  /sbin/dump_cis                       -> $(SEC_CRIT) ;
-  /sbin/elvtune                        -> $(SEC_CRIT) ;
-  /sbin/hotplug                        -> $(SEC_CRIT) ;
-  /sbin/hwclock                        -> $(SEC_CRIT) ;
-  /sbin/ide_info                       -> $(SEC_CRIT) ;
-  #/sbin/isapnp                         -> $(SEC_CRIT) ;
-  /sbin/kbdrate                        -> $(SEC_CRIT) ;
-  /sbin/losetup                        -> $(SEC_CRIT) ;
-  /sbin/lspci                          -> $(SEC_CRIT) ;
-  /sbin/lspnp                          -> $(SEC_CRIT) ;
-  /sbin/mii-tool                       -> $(SEC_CRIT) ;
-  /sbin/pack_cis                       -> $(SEC_CRIT) ;
-  #/sbin/pnpdump                        -> $(SEC_CRIT) ;
-  /sbin/probe                          -> $(SEC_CRIT) ;
-  /sbin/pump                           -> $(SEC_CRIT) ;
-  /sbin/setpci                         -> $(SEC_CRIT) ;
-  /sbin/shapecfg                       -> $(SEC_CRIT) ;
-}
-
-  ###############################
- #                             ##
-############################### #
-#                             # #
-# System Information Programs # #
-#                             ##
-###############################
-(
-  rulename = "System Information Programs",
-  severity = $(SIG_HI)
-)
-{
-  /sbin/consoletype                    -> $(SEC_CRIT) ;
-  /sbin/kernelversion                  -> $(SEC_CRIT) ;
-  /sbin/runlevel                       -> $(SEC_CRIT) ;
-}
-
-  ####################################
- #                                  ##
-#################################### #
-#                                  # #
-# Application Information Programs # #
-#                                  ##
-####################################
-
-(
-  rulename = "Application Information Programs",
-  severity = $(SIG_HI)
-)
-{
-  /sbin/genksyms                       -> $(SEC_CRIT) ;
-  #/sbin/genksyms.old                   -> $(SEC_CRIT) ;
-  /sbin/rtmon                          -> $(SEC_CRIT) ;
-}
-
-  ##########################
- #                        ##
-########################## #
-#                        # #
-# Shell Related Programs # #
-#                        ##
-##########################
-(
-  rulename = "Shell Related Programs",
-  severity = $(SIG_HI)
-)
-{
-  /sbin/getkey                         -> $(SEC_CRIT) ;
-  /sbin/nash                           -> $(SEC_CRIT) ;
-  /sbin/sash                           -> $(SEC_CRIT) ;
-}
-
-
-  ################
- #              ##
-################ #
-#              # #
-# OS Utilities # #
-#              ##
-################
-(
-  rulename = "Operating System Utilities",
-  severity = $(SIG_HI)
-)
-{
-  /bin/arch                            -> $(SEC_CRIT) ;
-  /bin/ash                             -> $(SEC_CRIT) ;
-  /bin/ash.static                      -> $(SEC_CRIT) ;
-  /bin/aumix-minimal                   -> $(SEC_CRIT) ;
-  /bin/basename                        -> $(SEC_CRIT) ;
-  /bin/cat                             -> $(SEC_CRIT) ;
-  /bin/consolechars                    -> $(SEC_CRIT) ;
-  /bin/cut                             -> $(SEC_CRIT) ;
-  /bin/date                            -> $(SEC_CRIT) ;
-  /bin/dd                              -> $(SEC_CRIT) ;
-  /bin/df                              -> $(SEC_CRIT) ;
-  /bin/dmesg                           -> $(SEC_CRIT) ;
-  /bin/doexec                          -> $(SEC_CRIT) ;
-  /bin/echo                            -> $(SEC_CRIT) ;
-  /bin/ed                              -> $(SEC_CRIT) ;
-  /bin/egrep                           -> $(SEC_CRIT) ;
-  /bin/false                           -> $(SEC_CRIT) ;
-  /bin/fgrep                           -> $(SEC_CRIT) ;
-  /bin/gawk                            -> $(SEC_CRIT) ;
-  /bin/gawk-3.1.0                      -> $(SEC_CRIT) ;
-  /bin/gettext                         -> $(SEC_CRIT) ;
-  /bin/grep                            -> $(SEC_CRIT) ;
-  /bin/gunzip                          -> $(SEC_CRIT) ;
-  /bin/gzip                            -> $(SEC_CRIT) ;
-  /bin/hostname                        -> $(SEC_CRIT) ;
-  /bin/igawk                           -> $(SEC_CRIT) ;
-  /bin/ipcalc                          -> $(SEC_CRIT) ;
-  /bin/kill                            -> $(SEC_CRIT) ;
-  /bin/ln                              -> $(SEC_CRIT) ;
-  /bin/loadkeys                        -> $(SEC_CRIT) ;
-  /bin/login                           -> $(SEC_CRIT) ;
-  /bin/ls                              -> $(SEC_CRIT) ;
-  /bin/mail                            -> $(SEC_CRIT) ;
-  /bin/more                            -> $(SEC_CRIT) ;
-  /bin/mt                              -> $(SEC_CRIT) ;
-  /bin/mv                              -> $(SEC_CRIT) ;
-  /bin/netstat                         -> $(SEC_CRIT) ;
-  /bin/nice                            -> $(SEC_CRIT) ;
-  /bin/pgawk                           -> $(SEC_CRIT) ;
-  /bin/ps                              -> $(SEC_CRIT) ;
-  /bin/rpm                             -> $(SEC_CRIT) ;
-  /bin/sed                             -> $(SEC_CRIT) ;
-  /bin/sleep                           -> $(SEC_CRIT) ;
-  /bin/sort                            -> $(SEC_CRIT) ;
-  /bin/stty                            -> $(SEC_CRIT) ;
-  /bin/su                              -> $(SEC_CRIT) ;
-  /bin/sync                            -> $(SEC_CRIT) ;
-  /bin/tar                             -> $(SEC_CRIT) ;
-  /bin/true                            -> $(SEC_CRIT) ;
-  /bin/usleep                          -> $(SEC_CRIT) ;
-  /bin/vi                              -> $(SEC_CRIT) ;
-  /bin/zcat                            -> $(SEC_CRIT) ;
-  /bin/zsh                             -> $(SEC_CRIT) ;
-  #/bin/zsh-4.0.2                       -> $(SEC_CRIT) ;
-  /sbin/sln                            -> $(SEC_CRIT) ;
-  /usr/bin/vimtutor                    -> $(SEC_CRIT) ;
-}
-
-  ##############################
- #                            ##
-############################## #
-#                            # #
-# Critical Utility Sym-Links # #
-#                            ##
-##############################
-(
-  rulename = "Critical Utility Sym-Links",
-  severity = $(SIG_HI)
-)
-{
-  #/sbin/askrunlevel                    -> $(SEC_CRIT) ;
-  /sbin/clock                          -> $(SEC_CRIT) ;
-  #/sbin/fixperm                        -> $(SEC_CRIT) ;
-  /sbin/fsck.reiserfs                  -> $(SEC_CRIT) ;
-  #/sbin/fsconf                         -> $(SEC_CRIT) ;
-  /sbin/ipfwadm-wrapper                -> $(SEC_CRIT) ;
-  /sbin/kallsyms                       -> $(SEC_CRIT) ;
-  /sbin/ksyms                          -> $(SEC_CRIT) ;
-  /sbin/lsmod                          -> $(SEC_CRIT) ;
-  #/sbin/mailconf                       -> $(SEC_CRIT) ;
-  /sbin/mkfs.reiserfs                  -> $(SEC_CRIT) ;
-  #/sbin/modemconf                      -> $(SEC_CRIT) ;
-  /sbin/modprobe                       -> $(SEC_CRIT) ;
-  /sbin/mount.ncp                      -> $(SEC_CRIT) ;
-  /sbin/mount.ncpfs                    -> $(SEC_CRIT) ;
-  /sbin/mount.smb                      -> $(SEC_CRIT) ;
-  /sbin/mount.smbfs                    -> $(SEC_CRIT) ;
-  #/sbin/netconf                        -> $(SEC_CRIT) ;
-  /sbin/pidof                          -> $(SEC_CRIT) ;
-  /sbin/poweroff                       -> $(SEC_CRIT) ;
-  /sbin/quotaoff                       -> $(SEC_CRIT) ;
-  /sbin/raid0run                       -> $(SEC_CRIT) ;
-  /sbin/raidhotadd                     -> $(SEC_CRIT) ;
-  /sbin/raidhotgenerateerror           -> $(SEC_CRIT) ;
-  /sbin/raidhotremove                  -> $(SEC_CRIT) ;
-  /sbin/raidstop                       -> $(SEC_CRIT) ;
-  /sbin/rdump                          -> $(SEC_CRIT) ;
-  /sbin/rdump.static                   -> $(SEC_CRIT) ;
-  /sbin/reboot                         -> $(SEC_CRIT) ;
-  /sbin/rmmod                          -> $(SEC_CRIT) ;
-  /sbin/rrestore                       -> $(SEC_CRIT) ;
-  /sbin/rrestore.static                -> $(SEC_CRIT) ;
-  /sbin/swapoff                        -> $(SEC_CRIT) ;
-  /sbin/telinit                        -> $(SEC_CRIT) ;
-  #/sbin/userconf                       -> $(SEC_CRIT) ;
-  #/sbin/uucpconf                       -> $(SEC_CRIT) ;
-  #/sbin/vregistry                      -> $(SEC_CRIT) ;
-  /bin/awk                             -> $(SEC_CRIT) ;
-  /bin/bash2                           -> $(SEC_CRIT) ;
-  /bin/bsh                             -> $(SEC_CRIT) ;
-  /bin/csh                             -> $(SEC_CRIT) ;
-  /bin/dnsdomainname                   -> $(SEC_CRIT) ;
-  /bin/domainname                      -> $(SEC_CRIT) ;
-  /bin/ex                              -> $(SEC_CRIT) ;
-  /bin/gtar                            -> $(SEC_CRIT) ;
-  /bin/nisdomainname                   -> $(SEC_CRIT) ;
-  /bin/red                             -> $(SEC_CRIT) ;
-  /bin/rvi                             -> $(SEC_CRIT) ;
-  /bin/rview                           -> $(SEC_CRIT) ;
-  /bin/view                            -> $(SEC_CRIT) ;
-  /bin/ypdomainname                    -> $(SEC_CRIT) ;
-}
-
-
-  #########################
- #                       ##
-######################### #
-#                       # #
-# Temporary directories # #
-#                       ##
-#########################
-(
-  rulename = "Temporary directories",
-  recurse = false,
-  severity = $(SIG_LOW)
-)
-{
-  /usr/tmp                             -> $(SEC_INVARIANT) ;
-  /var/tmp                             -> $(SEC_INVARIANT) ;
-  /tmp                                 -> $(SEC_INVARIANT) ;
-}
-
-  ###############
- #             ##
-############### #
-#             # #
-# Local files # #
-#             ##
-###############
-(
-  rulename = "User binaries",
-  severity = $(SIG_MED)
-)
-{
-  /sbin                                -> $(SEC_BIN) (recurse = 1) ;
-  /usr/bin                             -> $(SEC_BIN) (recurse = 1) ;
-  /usr/sbin                            -> $(SEC_BIN) (recurse = 1) ;
-  /usr/local/bin                       -> $(SEC_BIN) (recurse = 1) ;
-}
-
-(
-  rulename = "Shell Binaries",
-  severity = $(SIG_HI)
-)
-{
-  /bin/bash                            -> $(SEC_BIN) ;
-  /bin/ksh                             -> $(SEC_BIN) ;
-  # /bin/psh                             -> $(SEC_BIN) ; # No longer used?
-  # /bin/Rsh                             -> $(SEC_BIN) ; # No longer used?
-  /bin/sh                              -> $(SEC_BIN) ;
-  # /bin/shell                           -> $(SEC_SUID) ; # No longer used?
-  # /bin/tsh                             -> $(SEC_BIN) ; # No longer used?
-  /bin/tcsh                            -> $(SEC_BIN) ;
-  /sbin/nologin                        -> $(SEC_BIN) ;
-}
-
-(
-  rulename = "Security Control",
-  severity = $(SIG_HI)
-)
-{
-  /etc/group                           -> $(SEC_CRIT) ;
-  /etc/security                        -> $(SEC_CRIT) ;
-  #/var/spool/cron/crontabs             -> $(SEC_CRIT) ; # Uncomment when this file exists
-}
-
-#(
-#  rulename = "Boot Scripts",
-#  severity = $(SIG_HI)
-#)
-#{
-#  /etc/rc                              -> $(SEC_CONFIG) ;
-#  /etc/rc.bsdnet                       -> $(SEC_CONFIG) ;
-#  /etc/rc.dt                           -> $(SEC_CONFIG) ;
-#  /etc/rc.net                          -> $(SEC_CONFIG) ;
-#  /etc/rc.net.serial                   -> $(SEC_CONFIG) ;
-#  /etc/rc.nfs                          -> $(SEC_CONFIG) ;
-#  /etc/rc.powerfail                    -> $(SEC_CONFIG) ;
-#  /etc/rc.tcpip                        -> $(SEC_CONFIG) ;
-#  /etc/trcfmt.Z                        -> $(SEC_CONFIG) ;
-#}
-
-(
-  rulename = "Login Scripts",
-  severity = $(SIG_HI)
-)
-{
-  /etc/bashrc                          -> $(SEC_CONFIG) ;
-  /etc/csh.cshrc                       -> $(SEC_CONFIG) ;
-  /etc/csh.login                       -> $(SEC_CONFIG) ;
-  /etc/inputrc                         -> $(SEC_CONFIG) ;
-  # /etc/tsh_profile                     -> $(SEC_CONFIG) ; #Uncomment when this file exists
-  /etc/profile                         -> $(SEC_CONFIG) ;
-}
-
-# Libraries
-(
-  rulename = "Libraries",
-  severity = $(SIG_MED)
-)
-{
-  /usr/lib                             -> $(SEC_BIN) ;
-  /usr/local/lib                       -> $(SEC_BIN) ;
-}
-
-
-  ######################################################
- #                                                    ##
-###################################################### #
-#                                                    # #
-# Critical System Boot Files                         # #
-# These files are critical to a correct system boot. # #
-#                                                    ##
-######################################################
-
-(
-  rulename = "Critical system boot files",
-  severity = $(SIG_HI)
-)
-{
-     /boot                             -> $(SEC_CRIT) ;
-     #/sbin/devfsd                      -> $(SEC_CRIT) ;
-     /sbin/grub                        -> $(SEC_CRIT) ;
-     /sbin/grub-install                -> $(SEC_CRIT) ;
-     /sbin/grub-md5-crypt              -> $(SEC_CRIT) ;
-     /sbin/installkernel               -> $(SEC_CRIT) ;
-     /sbin/lilo                        -> $(SEC_CRIT) ;
-     /sbin/mkkerneldoth                -> $(SEC_CRIT) ;
-     !/boot/System.map ;
-     !/boot/module-info ;
-     /usr/share/grub/i386-redhat/e2fs_stage1_5      -> $(SEC_CRIT) ;
-     /usr/share/grub/i386-redhat/fat_stage1_5       -> $(SEC_CRIT) ;
-     /usr/share/grub/i386-redhat/ffs_stage1_5       -> $(SEC_CRIT) ;
-     /usr/share/grub/i386-redhat/minix_stage1_5     -> $(SEC_CRIT) ;
-     /usr/share/grub/i386-redhat/reiserfs_stage1_5  -> $(SEC_CRIT) ;
-     /usr/share/grub/i386-redhat/stage1             -> $(SEC_CRIT) ;
-     /usr/share/grub/i386-redhat/stage2             -> $(SEC_CRIT) ;
-     /usr/share/grub/i386-redhat/vstafs_stage1_5    -> $(SEC_CRIT) ;
-     # other boot files may exist.  Look for:
-     #/ufsboot                          -> $(SEC_CRIT) ;
-}
-   ##################################################
-  ###################################################
-  # These files change every time the system boots ##
-  ##################################################
-(
-  rulename = "System boot changes",
-  severity = $(SIG_HI)
-)
-{
-     !/var/run/ftp.pids-all ; # Comes and goes on reboot.
-     !/root/.enlightenment ;
-     /dev/log                          -> $(SEC_CONFIG) ;
-     /dev/cua0                         -> $(SEC_CONFIG) ;
-     # /dev/printer                      -> $(SEC_CONFIG) ; # Uncomment if you have a printer device
-     /dev/console                      -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
-     /dev/tty1                         -> $(SEC_CONFIG) ; # tty devices
-     /dev/tty2                         -> $(SEC_CONFIG) ; # tty devices
-     /dev/tty3                         -> $(SEC_CONFIG) ; # are extremely
-     /dev/tty4                         -> $(SEC_CONFIG) ; # variable
-     /dev/tty5                         -> $(SEC_CONFIG) ;
-     /dev/tty6                         -> $(SEC_CONFIG) ;
-     /dev/urandom                      -> $(SEC_CONFIG) ;
-     /dev/initctl                      -> $(SEC_CONFIG) ;
-     /var/lock/subsys                  -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/amd              -> $(SEC_CONFIG) ;
-     /var/lock/subsys/anacron          -> $(SEC_CONFIG) ;
-     /var/lock/subsys/apmd             -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/arpwatch         -> $(SEC_CONFIG) ;
-     /var/lock/subsys/atd              -> $(SEC_CONFIG) ;
-     /var/lock/subsys/autofs           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/bcm5820          -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/bgpd             -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/bootparamd       -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/canna            -> $(SEC_CONFIG) ;
-     /var/lock/subsys/crond            -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/cWnn             -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/dhcpd            -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/firewall         -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/freeWnn          -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/gated            -> $(SEC_CONFIG) ;
-     /var/lock/subsys/gpm              -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/httpd            -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/identd           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/innd             -> $(SEC_CONFIG) ;
-     /var/lock/subsys/ipchains         -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/iptables         -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/ipvsadm          -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/irda             -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/iscsi            -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/isdn             -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/junkbuster       -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/kadmin           -> $(SEC_CONFIG) ;
-     /var/lock/subsys/keytable         -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/kprop            -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/krb524           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/krb5kdc          -> $(SEC_CONFIG) ;
-     /var/lock/subsys/kudzu            -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/kWnn             -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/ldap             -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/linuxconf        -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/lpd              -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/mars_nwe         -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/mcserv           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/mysqld           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/named            -> $(SEC_CONFIG) ;
-     /var/lock/subsys/netfs            -> $(SEC_CONFIG) ;
-     /var/lock/subsys/network          -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/nfs              -> $(SEC_CONFIG) ;
-     /var/lock/subsys/nfslock          -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/nscd             -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/ntpd             -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/ospf6d           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/ospfd            -> $(SEC_CONFIG) ;
-     /var/lock/subsys/pcmcia           -> $(SEC_CONFIG) ;
-     /var/lock/subsys/portmap          -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/postgresql       -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/pxe              -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/radvd            -> $(SEC_CONFIG) ;
-     /var/lock/subsys/random           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/rarpd            -> $(SEC_CONFIG) ;
-     /var/lock/subsys/reconfig         -> $(SEC_CONFIG) ;
-     /var/lock/subsys/rhnsd            -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/ripd             -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/ripngd           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/routed           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/rstatd           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/rusersd          -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/rwalld           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/rwhod            -> $(SEC_CONFIG) ;
-     /var/lock/subsys/sendmail         -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/smb              -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/snmpd            -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/squid            -> $(SEC_CONFIG) ;
-     /var/lock/subsys/sshd             -> $(SEC_CONFIG) ;
-     /var/lock/subsys/syslog           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/tux              -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/tWnn             -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/ups              -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/vncserver        -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/wine             -> $(SEC_CONFIG) ;
-     /var/lock/subsys/xfs              -> $(SEC_CONFIG) ;
-     /var/lock/subsys/xinetd           -> $(SEC_CONFIG) ;
-     /var/lock/subsys/ypbind           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/yppasswdd        -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/ypserv           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/ypxfrd           -> $(SEC_CONFIG) ;
-     #/var/lock/subsys/zebra            -> $(SEC_CONFIG) ;
-     /var/run                          -> $(SEC_CONFIG) ;
-     /var/log                          -> $(SEC_CONFIG) ;
-     /etc/ioctl.save                   -> $(SEC_CONFIG) ;
-     /etc/issue.net                    -> $(SEC_CONFIG) -i ; # Inode number changes
-     /etc/issue                        -> $(SEC_CONFIG) ;
-     /etc/mtab                         -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
-     /lib/modules                      -> $(SEC_CONFIG) ;
-     /etc/.pwd.lock                    -> $(SEC_CONFIG) ;
-     # /lib/modules/preferred            -> $(SEC_CONFIG) ; #Uncomment when this file exists
-}
-
-# These files change the behavior of the root account
-(
-  rulename = "Root config files",
-  severity = 100
-)
-{
-     /root                             -> $(SEC_CRIT) ; # Catch all additions to /root
-     #/root/.Xresources                 -> $(SEC_CONFIG) ;
-     /root/.bashrc                     -> $(SEC_CONFIG) ;
-     /root/.bash_profile               -> $(SEC_CONFIG) ;
-     /root/.bash_logout                -> $(SEC_CONFIG) ;
-     /root/.cshrc                      -> $(SEC_CONFIG) ;
-     /root/.tcshrc                     -> $(SEC_CONFIG) ;
-     /root/Mail                        -> $(SEC_CONFIG) ;
-     #/root/mail                        -> $(SEC_CONFIG) ;
-     #/root/.amandahosts                -> $(SEC_CONFIG) ;
-     #/root/.addressbook.lu             -> $(SEC_CONFIG) ;
-     #/root/.addressbook                -> $(SEC_CONFIG) ;
-     /root/.bash_history               -> $(SEC_CONFIG) ;
-     /root/.elm                        -> $(SEC_CONFIG) ;
-     #/root/.esd_auth                   -> $(SEC_CONFIG) ;
-     /root/.gnome_private              -> $(SEC_CONFIG) ;
-     /root/.gnome-desktop              -> $(SEC_CONFIG) ;
-     /root/.gnome                      -> $(SEC_CONFIG) ;
-     /root/.ICEauthority               -> $(SEC_CONFIG) ;
-     #/root/.mc                         -> $(SEC_CONFIG) ;
-     #/root/.pinerc                     -> $(SEC_CONFIG) ;
-     /root/.sawfish                    -> $(SEC_CONFIG) ;
-     /root/.Xauthority                 -> $(SEC_CONFIG) -i ; # Changes Inode number on login
-     #/root/.xauth                      -> $(SEC_CONFIG) ;
-     /root/.xsession-errors            -> $(SEC_CONFIG) ;
-}
-
-  ################################
- #                              ##
-################################ #
-#                              # #
-# Critical configuration files # #
-#                              ##
-################################
-(
-  rulename = "Critical configuration files",
-  severity = $(SIG_HI)
-)
-{
-     #/etc/conf.linuxconf               -> $(SEC_BIN) ;
-     /etc/crontab                      -> $(SEC_BIN) ;
-     /etc/cron.hourly                  -> $(SEC_BIN) ;
-     /etc/cron.daily                   -> $(SEC_BIN) ;
-     /etc/cron.weekly                  -> $(SEC_BIN) ;
-     /etc/cron.monthly                 -> $(SEC_BIN) ;
-     /etc/default                      -> $(SEC_BIN) ;
-     /etc/fstab                        -> $(SEC_BIN) ;
-     /etc/exports                      -> $(SEC_BIN) ;
-     /etc/group-                       -> $(SEC_BIN) ;  # changes should be infrequent
-     /etc/host.conf                    -> $(SEC_BIN) ;
-     /etc/hosts.allow                  -> $(SEC_BIN) ;
-     /etc/hosts.deny                   -> $(SEC_BIN) ;
-     /etc/httpd/conf                   -> $(SEC_BIN) ;  # changes should be infrequent
-     /etc/protocols                    -> $(SEC_BIN) ;
-     /etc/services                     -> $(SEC_BIN) ;
-     /etc/rc.d/init.d                  -> $(SEC_BIN) ;
-     /etc/rc.d                         -> $(SEC_BIN) ;
-     /etc/mail.rc                      -> $(SEC_BIN) ;
-     /etc/modules.conf                 -> $(SEC_BIN) ;
-     /etc/motd                         -> $(SEC_BIN) ;
-     /etc/named.conf                   -> $(SEC_BIN) ;
-     /etc/passwd                       -> $(SEC_CONFIG) ;
-     /etc/passwd-                      -> $(SEC_CONFIG) ;
-     /etc/profile.d                    -> $(SEC_BIN) ;
-     /var/lib/nfs/rmtab                -> $(SEC_BIN) ;
-     /usr/sbin/fixrmtab                -> $(SEC_BIN) ;
-     /etc/rpc                          -> $(SEC_BIN) ;
-     /etc/sysconfig                    -> $(SEC_BIN) ;
-     /etc/samba/smb.conf               -> $(SEC_CONFIG) ;
-     #/etc/gettydefs                    -> $(SEC_BIN) ;
-     /etc/nsswitch.conf                -> $(SEC_BIN) ;
-     /etc/yp.conf                      -> $(SEC_BIN) ;
-     /etc/hosts                        -> $(SEC_CONFIG) ;
-     /etc/xinetd.conf                  -> $(SEC_CONFIG) ;
-     /etc/inittab                      -> $(SEC_CONFIG) ;
-     /etc/resolv.conf                  -> $(SEC_CONFIG) ;
-     /etc/syslog.conf                  -> $(SEC_CONFIG) ;
-}
-
-  ####################
- #                  ##
-#################### #
-#                  # #
-# Critical devices # #
-#                  ##
-####################
-(
-  rulename = "Critical devices",
-  severity = $(SIG_HI),
-  recurse = false
-)
-{
-     /dev/kmem                         -> $(Device) ;
-     /dev/mem                          -> $(Device) ;
-     /dev/null                         -> $(Device) ;
-     /dev/zero                         -> $(Device) ;
-     /proc/devices                     -> $(Device) ;
-     /proc/net                         -> $(Device) ;
-     /proc/sys                         -> $(Device) ;
-     /proc/cpuinfo                     -> $(Device) ;
-     /proc/modules                     -> $(Device) ;
-     /proc/mounts                      -> $(Device) ;
-     /proc/dma                         -> $(Device) ;
-     /proc/filesystems                 -> $(Device) ;
-     /proc/pci                         -> $(Device) ;
-     /proc/interrupts                  -> $(Device) ;
-     /proc/driver/rtc                  -> $(Device) ;
-     /proc/ioports                     -> $(Device) ;
-     #/proc/scsi                        -> $(Device) ;
-     /proc/kcore                       -> $(Device) ;
-     /proc/self                        -> $(Device) ;
-     /proc/kmsg                        -> $(Device) ;
-     /proc/stat                        -> $(Device) ;
-     /proc/ksyms                       -> $(Device) ;
-     /proc/loadavg                     -> $(Device) ;
-     /proc/uptime                      -> $(Device) ;
-     /proc/locks                       -> $(Device) ;
-     /proc/version                     -> $(Device) ;
-     /proc/mdstat                      -> $(Device) ;
-     /proc/meminfo                     -> $(Device) ;
-     /proc/cmdline                     -> $(Device) ;
-     /proc/misc                        -> $(Device) ;
-}
-
-# Rest of critical system binaries
-(
-  rulename = "OS executables and libraries",
-  severity = $(SIG_HI)
-)
-{
-     /bin                              -> $(SEC_BIN) ;
-     /lib                              -> $(SEC_BIN) ;
-}
-
-#=============================================================================
-#
-# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
-# Inc. in the United States and other countries. All rights reserved.
-#
-# Linux is a registered trademark of Linus Torvalds.
-#
-# UNIX is a registered trademark of The Open Group.
-#
-#=============================================================================
-#
-# Permission is granted to make and distribute verbatim copies of this document
-# provided the copyright notice and this permission notice are preserved on all
-# copies.
-#
-# Permission is granted to copy and distribute modified versions of this
-# document under the conditions for verbatim copying, provided that the entire
-# resulting derived work is distributed under the terms of a permission notice
-# identical to this one.
-#
-# Permission is granted to copy and distribute translations of this document
-# into another language, under the above conditions for modified versions,
-# except that this permission notice may be stated in a translation approved by
-# Tripwire, Inc.
-#
-# DCM
-#
-# $Id: twpol-GENERIC.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $
-#
diff --git a/recipes-ids/tripwire/tripwire_2.4.3.7.bb b/recipes-ids/tripwire/tripwire_2.4.3.7.bb
deleted file mode 100644
index e2968e4..0000000
--- a/recipes-ids/tripwire/tripwire_2.4.3.7.bb
+++ /dev/null
@@ -1,75 +0,0 @@
-SUMMARY = "Tripwire: A system integrity assessment tool (IDS)"
-DESCRIPTION = "Open Source Tripwire® software is a security and data \
-integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems"
-HOMEPAGE = "http://sourceforge.net/projects/tripwire"
-SECTION = "security Monitor/Admin"
-LICENSE = "GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=1c069be8dbbe48e89b580ab4ed86c127"
-
-SRCREV = "6e64a9e5b70a909ec439bc5a099e3fcf38c614b0"
-
-SRC_URI = "\
-	git://github.com/Tripwire/tripwire-open-source.git;branch=master;protocol=https \
-	file://tripwire.cron \
-	file://tripwire.sh \
-	file://tripwire.txt \
-	file://twcfg.txt \
-	file://twinstall.sh \
-	file://twpol-yocto.txt \
-	file://run-ptest \
-       "
-
-inherit autotools-brokensep update-rc.d ptest
-
-INITSCRIPT_NAME = "tripwire"
-INITSCRIPT_PARAMS = "start 40 S ."
-TRIPWIRE_HOST = "${HOST_SYS}"
-TRIPWIRE_TARGET = "${TARGET_SYS}"
-
-CXXFLAGS += "-fno-strict-aliasing"
-EXTRA_OECONF = "--disable-openssl  --enable-static --sysconfdir=/etc/tripwire"
-
-do_install () {
-    install -d ${D}${libdir} ${D}${datadir} ${D}${base_libdir}
-    install -d ${D}${sysconfdir} ${D}${mandir} ${D}${sbindir}
-    install -d ${D}${sysconfdir}/${PN}
-    install -d ${D}${localstatedir}/lib/${PN} ${D}${localstatedir}/lib/${BPN}/report
-    install -d ${D}${mandir}/man4 ${D}${mandir}/man5 ${D}${mandir}/man8
-    install -d ${D}${docdir}/${BPN} ${D}${docdir}/${BPN}/templates
-    install -d ${D}${sysconfdir}/init.d
-
-    install -m 0755 ${S}/bin/* ${D}${sbindir}
-    install -m 0644 ${S}/lib/* ${D}${base_libdir}
-    install -m 0644 ${S}/lib/* ${D}${localstatedir}/lib/${PN}
-    install -m 0755 ${UNPACKDIR}/tripwire.cron ${D}${sysconfdir}
-    install -m 0755 ${UNPACKDIR}/tripwire.sh ${D}${sysconfdir}/init.d/tripwire
-    install -m 0755 ${UNPACKDIR}/twinstall.sh ${D}${sysconfdir}/${PN}
-    install -m 0644 ${UNPACKDIR}/twpol-yocto.txt ${D}${sysconfdir}/${PN}/twpol.txt
-    install -m 0644 ${UNPACKDIR}/twcfg.txt ${D}${sysconfdir}/${PN}
-
-    install -m 0644 ${S}/man/man4/* ${D}${mandir}/man4
-    install -m 0644 ${S}/man/man5/* ${D}${mandir}/man5
-    install -m 0644 ${S}/man/man8/* ${D}${mandir}/man8
-    rm ${D}${mandir}/man*/Makefile*
-    install -m 0644 ${S}/policy/templates/* ${D}${docdir}/${BPN}/templates
-    install -m 0644 ${S}/policy/*txt ${D}${docdir}/${BPN}
-    install -m 0644 ${S}/COPYING ${D}${docdir}/${BPN}
-    install -m 0644 ${S}/TRADEMARK ${D}${docdir}/${BPN}
-    install -m 0644 ${UNPACKDIR}/tripwire.txt ${D}${docdir}/${BPN}
-}
-
-do_install_ptest:append () {
-	install -d ${D}${PTEST_PATH}/tests
-	cp -a ${S}/src/test-harness/* ${D}${PTEST_PATH}
-	sed -i -e 's@../../../../bin@${sbindir}@'  ${D}${PTEST_PATH}/twtools.pm
-}
-
-FILES:${PN} += "${libdir} ${docdir}/${PN}/*"
-FILES:${PN}-dbg += "${sysconfdir}/${PN}/.debug"
-FILES:${PN}-staticdev += "${localstatedir}/lib/${PN}/lib*.a"
-FILES:${PN}-ptest += "${PTEST_PATH}/tests "
-
-RDEPENDS:${PN} += " perl nano msmtp cronie"
-RDEPENDS:${PN}-ptest = " perl lib-perl perl-modules "
-
-SKIP_RECIPE[tripwire] ?= "Upsteram project appears to be abondoned, fails to build with gcc11"
-- 
2.51.0

[meta-security][PATCH 12/15] libest: Remove recipe

[Scott Murray]

Remove the libest recipe since it has been disabled since November
2021, and upstream has shown no activity since 2022.

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 recipes-security/libest/libest_3.2.0.bb | 28 -------------------------
 1 file changed, 28 deletions(-)
 delete mode 100644 recipes-security/libest/libest_3.2.0.bb

diff --git a/recipes-security/libest/libest_3.2.0.bb b/recipes-security/libest/libest_3.2.0.bb
deleted file mode 100644
index e6af2c6..0000000
--- a/recipes-security/libest/libest_3.2.0.bb
+++ /dev/null
@@ -1,28 +0,0 @@
-SUMMARY = "EST is used for secure certificate  \
-enrollment and is compatible with Suite B certs (as well as RSA \
-and DSA certificates)"
-
-LICENSE = "OpenSSL"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=ecb78acde8e3b795de8ef6b61aed5885"
-
-SRCREV = "4ca02c6d7540f2b1bcea278a4fbe373daac7103b"
-SRC_URI = "git://github.com/cisco/libest;branch=main;protocol=https"
-
-DEPENDS = "openssl"
-
-#fatal error: execinfo.h: No such file or directory
-DEPENDS:append:libc-musl = " libexecinfo"
-
-inherit autotools-brokensep
-
-EXTRA_OECONF = "--disable-pthreads --with-ssl-dir=${STAGING_LIBDIR}"
-
-CFLAGS += "-fcommon"
-LDFLAGS:append:libc-musl = " -lexecinfo"
-
-PACKAGES = "${PN} ${PN}-dbg ${PN}-dev"
-
-FILES:${PN} = "${bindir}/* ${libdir}/libest-3.2.0p.so"
-
-# https://github.com/cisco/libest/issues/104
-SKIP_RECIPE[libest] ?= "Needs porting to openssl 3.x"
-- 
2.51.0

[meta-security][PATCH 13/15] paxctl: Remove recipe

[Scott Murray]

Remove the paxctl recipe since it has seemingly been broken for a
while without anyone noticing, and there likely have been no actual
users since grsecurity stopped doing public releases in 2017.

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 .../include/maintainers-meta-security.inc     |  1 -
 docs/overview.txt                             | 27 -------------
 .../packagegroup-core-security.bb             |  1 -
 ...ckage-error-if-DESTDIR-is-set-to-usr.patch | 26 ------------
 recipes-security/paxctl/paxctl_0.9.bb         | 40 -------------------
 5 files changed, 95 deletions(-)
 delete mode 100644 recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
 delete mode 100644 recipes-security/paxctl/paxctl_0.9.bb

diff --git a/conf/distro/include/maintainers-meta-security.inc b/conf/distro/include/maintainers-meta-security.inc
index 903bb9b..6f13ea9 100644
--- a/conf/distro/include/maintainers-meta-security.inc
+++ b/conf/distro/include/maintainers-meta-security.inc
@@ -44,7 +44,6 @@ RECIPE_MAINTAINER:pn-libseccomp = "Scott Murray <scott.murray@konsulko.com>"
 RECIPE_MAINTAINER:pn-libwhisker2-perl = "Scott Murray <scott.murray@konsulko.com>"
 RECIPE_MAINTAINER:pn-ncrack = "Scott Murray <scott.murray@konsulko.com>"
 RECIPE_MAINTAINER:pn-nikto = "Scott Murray <scott.murray@konsulko.com>"
-RECIPE_MAINTAINER:pn-paxctl = "Scott Murray <scott.murray@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-fail2ban = "Scott Murray <scott.murray@konsulko.com>"
 RECIPE_MAINTAINER:pn-python3-scapy = "Scott Murray <scott.murray@konsulko.com>"
 RECIPE_MAINTAINER:pn-python-fail2ban = "Scott Murray <scott.murray@konsulko.com>"
diff --git a/docs/overview.txt b/docs/overview.txt
index ed3135a..eb87279 100644
--- a/docs/overview.txt
+++ b/docs/overview.txt
@@ -103,33 +103,6 @@ help for each package.
                 usage : simply invoke the script name in the terminal.
 
 
-        == pax-utils ==
-
-		( This package can be found in oe-core )
-
-        pax-utils is a small set of various PaX aware and related utilities for
-        ELF binaries.
-
-        - scanelf : With this application you can print out information specific to the ELF structure of a binary.
-                    For more help please consult the man pages or the readme file.
-
-        - pspax : is a user-space utility that scans the proc directory and list
-                  ELF types, as well as their respective PaX flags and filenames and
-                  attributes. Depending on build options, it may additionaly display the
-                  process running set of capabilities.
-
-        - scanmacho : is a user-space utility to quickly scan given
-                      Mach-Os, directories, or common system paths for different information. This
-                      may include Mach-O types, their install_names, etc.
-
-        - dumpelf : is a user-space utility to dump all of the internal
-                    ELF structures into the equivalent C structures for fun debugging and/or
-                    reference purposes.
-
-
-                usage : simply invoke the script name in the terminal.
-
-
         == buck-security ==
 
         Buck-Security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you to harden your Linux
diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb
index 3f5b0a5..7fb7b62 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -42,7 +42,6 @@ RDEPENDS:packagegroup-security-utils = "\
     sshguard \
     ${@bb.utils.contains("DISTRO_FEATURES", "seccomp ", "libseccomp", "",d)} \
     ${@bb.utils.contains("DISTRO_FEATURES", "pam", "google-authenticator-libpam", "",d)} \
-    ${@bb.utils.contains("DISTRO_FEATURES", "pax", "pax-utils packctl", "",d)} \
     "
 
 have_krill =  "${@bb.utils.contains("DISTRO_FEATURES", "pam", "krill", "",d)}"
diff --git a/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch b/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
deleted file mode 100644
index 451cb7f..0000000
--- a/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 824c5d7b96aeef1b4e182f657ac002bed6e14cd5 Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@fujitsu.com>
-Date: Thu, 31 Aug 2023 08:20:56 +0000
-Subject: [PATCH] To fix package error if DESTDIR is set to /usr.
-
-Upstream-Status: Inappropriate
-Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 0d7bc0c..46fd664 100644
---- a/Makefile
-+++ b/Makefile
-@@ -19,7 +19,7 @@ $(PROG).o: $(PROG).c $(PROG).h $(PROG)-elf.c
-
- install: $(PROG)
- #	$(MKDIR) $(DESTDIR)/sbin $(DESTDIR)$(MANDIR)
--	$(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/sbin/$(PROG)
-+	$(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/usr/sbin/$(PROG)
-	$(INSTALL) -D --owner 0 --group 0 --mode a=r $(PROG).1 $(DESTDIR)/$(MANDIR)/$(PROG).1
-
- clean:
---
-2.34.1
diff --git a/recipes-security/paxctl/paxctl_0.9.bb b/recipes-security/paxctl/paxctl_0.9.bb
deleted file mode 100644
index 3d2f2a3..0000000
--- a/recipes-security/paxctl/paxctl_0.9.bb
+++ /dev/null
@@ -1,40 +0,0 @@
-DESCRIPTION = "paxctl  is  a tool that allows PaX flags to be modified on a \
-               per-binary basis. PaX is part of common  security-enhancing  \
-               kernel  patches  and secure distributions, such as \
-               GrSecurity or Adamantix and Hardened Gen-too, respectively."
-HOMEPAGE = "https://pax.grsecurity.net/"	       
-LICENSE = "GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://paxctl.c;beginline=1;endline=5;md5=0ddd065c61020dda79729e6bedaed2c7 \
-                    file://paxctl-elf.c;beginline=1;endline=5;md5=99f453ce7f6d1687ee808982e2924813 \
-		   "
-
-SRC_URI = "http://pax.grsecurity.net/${BP}.tar.gz \
-           file://0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch \
-"
-
-SRC_URI[md5sum] = "9bea59b1987dc4e16c2d22d745374e64"
-SRC_URI[sha256sum] = "a330ddd812688169802a3ba29e5e3b19956376b8f6f73b8d7e9586eb04423c2e"
-
-EXTRA_OEMAKE = "CC='${CC}' DESTDIR='${D}'"
-
-do_install() {
-	oe_runmake install
-}
-
-# The install target in the Makefile will fail for paxctl-native with error:
-#   install -D --owner 0 --group 0 --mode a=rx paxctl .../sbin/paxctl
-#   install: cannot change ownership of '.../sbin/paxctl': \
-#   Operation not permitted
-# Drop '--owner 0 --group 0' to fix the issue.
-do_install:class-native() {
-	local PROG=paxctl
-	install -d ${D}${base_sbindir}
-	install -d ${D}${mandir}/man1
-	install --mode a=rx $PROG ${D}${base_sbindir}/$PROG
-	install --mode a=r $PROG.1 ${D}${mandir}/man1/$PROG.1
-}
-
-# Avoid QA Issue: No GNU_HASH in the elf binary
-INSANE_SKIP:${PN} = "ldflags" 
-
-BBCLASSEXTEND = "native"
-- 
2.51.0

[meta-security][PATCH 14/15] packagegroup-core-security: update for recent changes

[Scott Murray]

Changes:
- Add libmhash and libgssglue so they will get tested by CI.
- Switch to MACHINE_ARCH to facilitate the above, but it makes sense
  anyway due to all the machine overrides used in the packagegroup
  definition.
- Add the recently added python3-suricata-update so it will get
  tested by CI.

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 .../packagegroup/packagegroup-core-security.bb    | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/recipes-core/packagegroup/packagegroup-core-security.bb b/recipes-core/packagegroup/packagegroup-core-security.bb
index 7fb7b62..9c14240 100644
--- a/recipes-core/packagegroup/packagegroup-core-security.bb
+++ b/recipes-core/packagegroup/packagegroup-core-security.bb
@@ -3,6 +3,8 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302 \
                     file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
 inherit packagegroup
 
 PACKAGES = "\
@@ -36,6 +38,8 @@ RDEPENDS:packagegroup-security-utils = "\
     fscryptctl \
     glome \
     keyutils \
+    libgssglue \
+    libmhash \
     nmap \
     pinentry \
     softhsm \
@@ -80,15 +84,16 @@ SUMMARY:packagegroup-security-ids = "Security Intrusion Detection systems"
 RDEPENDS:packagegroup-security-ids = " \
     samhain-standalone \
     suricata \
+    python3-suricata-update \
     ossec-hids \
     aide \
     "
 
-RDEPENDS:packagegroup-security-ids:remove:powerpc = "suricata"
-RDEPENDS:packagegroup-security-ids:remove:powerpc64le = "suricata"
-RDEPENDS:packagegroup-security-ids:remove:powerpc64 = "suricata"
-RDEPENDS:packagegroup-security-ids:remove:riscv32 = "suricata"
-RDEPENDS:packagegroup-security-ids:remove:riscv64 = "suricata"
+RDEPENDS:packagegroup-security-ids:remove:powerpc = "suricata python3-suricata-update"
+RDEPENDS:packagegroup-security-ids:remove:powerpc64le = "suricata python3-suricata-update"
+RDEPENDS:packagegroup-security-ids:remove:powerpc64 = "suricata python3-suricata-update"
+RDEPENDS:packagegroup-security-ids:remove:riscv32 = "suricata python3-suricata-update"
+RDEPENDS:packagegroup-security-ids:remove:riscv64 = "suricata python3-suricata-update"
 RDEPENDS:packagegroup-security-ids:remove:libc-musl = "ossec-hids"
 RDEPENDS:packagegroup-security-ids:remove:libc-musl = "aide"
 
-- 
2.51.0

[meta-security][PATCH 15/15] meta-tpm: Small maintainers fix

[Scott Murray]

To avoid confusion, remove stray aircrack-ng entry as it is actually
in the main layer and not meta-tpm.

Signed-off-by: Scott Murray <scott.murray@konsulko.com>
---
 meta-tpm/conf/distro/include/maintainers-meta-tpm.inc | 1 -
 1 file changed, 1 deletion(-)

diff --git a/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc b/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc
index cbc1fcf..0ba4f1b 100644
--- a/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc
+++ b/meta-tpm/conf/distro/include/maintainers-meta-tpm.inc
@@ -19,7 +19,6 @@
 #	RECIPE_MAINTAINER:pn-<recipe name> = "Full Name <address@domain>"
 #
 # Please keep this list in alphabetical order.
-RECIPE_MAINTAINER:pn-aircrack-ng = "Scott Murray <scott.murray@konsulko.com>"
 RECIPE_MAINTAINER:pn-pcr-extend = "Scott Murray <scott.murray@konsulko.com>"
 RECIPE_MAINTAINER:pn-tpm-quote-tools = "Scott Murray <scott.murray@konsulko.com>"
 RECIPE_MAINTAINER:pn-libtpms = "Scott Murray <scott.murray@konsulko.com>"
-- 
2.51.0