author | jmbills <jason.m.bills@intel.com> | 2021-10-04 22:42:48 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-10-04 22:42:48 +0300 |
commit | 0c9e31989c615598b5d042ffab385606660c93c0 (patch) | |
tree | 8019999b0ca042482e5193d6cabc06220c71d776 /meta-security/meta-hardening | |
parent | 04cd92067d2481643df5010cb39b2134b648cf4d (diff) | |
parent | ffe6d597d9e3d4407cf8062b5d6505a80ce08f41 (diff) | |
Update
Diffstat (limited to 'meta-security/meta-hardening')
10 files changed, 21 insertions, 20 deletions
diff --git a/meta-security/meta-hardening/README b/meta-security/meta-hardening/README index 37a0b7ec8..191253c66 100644 --- a/meta-security/meta-hardening/README +++ b/meta-security/meta-hardening/README @@ -64,14 +64,14 @@ layers: meta-oe Maintenance ----------- -Send pull requests, patches, comments or questions to yocto@yoctoproject.org +Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org When sending single patches, please using something like: -'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH' +'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-hardening][PATCH' These values can be set as defaults for this repository: -$ git config sendemail.to yocto@yoctoproject.org +$ git config sendemail.to yocto@lists.yoctoproject.org $ git config format.subjectPrefix meta-hardening][PATCH Now you can just do 'git send-email origin/master' to send all local patches. diff --git a/meta-security/meta-hardening/conf/distro/harden.conf b/meta-security/meta-hardening/conf/distro/harden.conf index 66db9b797..1a5eb3da7 100644 --- a/meta-security/meta-hardening/conf/distro/harden.conf +++ b/meta-security/meta-hardening/conf/distro/harden.conf @@ -6,6 +6,6 @@ DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost" VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog" IMAGE_ROOTFS_EXTRA_SPACE = "524288" -EXTRA_IMAGE_FEATURES_remove = "debug-tweaks" +EXTRA_IMAGE_FEATURES:remove = "debug-tweaks" DISABLE_ROOT ?= "True" diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf index 085ea45c5..1cd6f4f08 100644 --- a/meta-security/meta-hardening/conf/layer.conf +++ b/meta-security/meta-hardening/conf/layer.conf 
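Review bot: The `EXTRA_IMAGE_FEATURES:remove = "debug-tweaks"` line in harden.conf has no comment saying why it is there, although it is the setting that keeps passwordless root login out of images built with this distro. I would add above it `# debug-tweaks permits empty-password root login; never ship it in a hardened image`. The removal only covers EXTRA_IMAGE_FEATURES, so a recipe that lists debug-tweaks in IMAGE_FEATURES directly would presumably still get it; that is worth stating in the same comment.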
@@ -8,6 +8,6 @@ BBFILE_COLLECTIONS += "harden-layer" BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/" BBFILE_PRIORITY_harden-layer = "10" -LAYERSERIES_COMPAT_harden-layer = "hardknott" +LAYERSERIES_COMPAT_harden-layer = "honister" LAYERDEPENDS_harden-layer = "core openembedded-layer" diff --git a/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend index 67be3f313..17c06ed40 100644 --- a/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend +++ b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend @@ -1,4 +1,4 @@ -do_install_append_harden () { +do_install:append_harden () { # to hardend sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config diff --git a/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend b/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend index 395630460..0f0384fe3 100644 --- a/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend +++ b/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend @@ -1,4 +1,4 @@ -do_install_append_harden () { +do_install:append_harden () { sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile } diff --git a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb index daed3fbcc..38771cdfb 100644 --- a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb +++ b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb 
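Review bot: `do_install:append_harden` in the openssh bbappend still joins the `harden` override with an underscore, so the conversion looks incomplete; in the colon syntax the override has to be its own component, `do_install:append:harden () {`. As written BitBake will most likely not treat this as an append to do_install at all, which would silently drop the sshd_config changes (AllowTcpForwarding, ClientAliveCountMax) from the image. The same leftover appears in the base-files, initscripts (`FILESEXTRAPATHS:prepend_harden`, `SRC_URI:append_harden`), shadow and sudo (`PACKAGECONFIG:append_harden`) bbappends in this commit. Inspecting do_install with `bitbake -e openssh` on a harden build would confirm whether the body is still applied. The function body runs past the end of the hunk.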
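Review bot: `sed -i 's/umask.*/umask 027/g'` in the base-files bbappend is unanchored, so it rewrites every line of the profile that contains the word, comments included, and a commented-out setting stays commented. Anchoring to an active statement, for example `sed -i 's/^[[:space:]]*umask[[:space:]].*/umask 027/' ${D}/${sysconfdir}/profile`, keeps the edit to the line that matters. The `UMASK.*` and `PASS_MAX_DAYS.*` expressions in the shadow bbappend have the same shape.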
@@ -1,7 +1,7 @@ SUMMARY = "A small image for an example hardening OE." IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening" -IMAGE_INSTALL_append = " os-release" +IMAGE_INSTALL:append = " os-release" IMAGE_FEATURES = "" IMAGE_LINGUAS = " " @@ -10,7 +10,8 @@ LICENSE = "MIT" IMAGE_ROOTFS_SIZE ?= "8192" -inherit core-image extrausers +inherit core-image +IMAGE_CLASSES:append = " extrausers" ROOT_DEFAULT_PASSWORD ?= "1SimplePw!" DEFAULT_ADMIN_ACCOUNT ?= "myadmin" @@ -19,7 +20,7 @@ DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!" EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}" -EXTRA_USERS_PARAMS += "useradd ${DEFAULT_ADMIN_ACCOUNT};" -EXTRA_USERS_PARAMS += "groupadd ${DEFAULT_ADMIN_GROUP};" -EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" -EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS:append = " useradd ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS:append = " groupadd ${DEFAULT_ADMIN_GROUP};" +EXTRA_USERS_PARAMS:append = " usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS:append = " usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};" diff --git a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend index f943cb371..b27dee9d0 100644 --- a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend +++ b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend 
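Review bot: Moving `extrausers` from the `inherit` line to `IMAGE_CLASSES:append` inside the recipe may stop the class from being inherited, because the image classes appear to be pulled in when `inherit core-image` is parsed and the append sits on the line after it. If extrausers is not inherited, EXTRA_USERS_PARAMS is ignored without an error, so the `usermod -L root` lock and the admin account setup would not happen. I would keep `inherit core-image extrausers` here, or set IMAGE_CLASSES in the distro configuration, and check with `bitbake -e harden-image-minimal` that extrausers is among the inherited classes.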
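Review bot: The `usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}'` line sets a clear-text password whose default, `1SimplePw!`, is fixed in the recipe, so any image built without overriding it ships an admin account with a publicly known credential. The clear text also stays in the recipe variables and may reach build logs; `usermod -p` with a pre-hashed value avoids that. A parse-time check that refuses to build while the password variables still hold their defaults would make the override mandatory. The same applies to ROOT_DEFAULT_PASSWORD when DISABLE_ROOT is not `True`.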
@@ -1,8 +1,8 @@ -FILESEXTRAPATHS_prepend_harden := "${THISDIR}/files:" +FILESEXTRAPATHS:prepend_harden := "${THISDIR}/files:" -SRC_URI_append_harden = " file://mountall.sh" +SRC_URI:append_harden = " file://mountall.sh" -do_install_append_harden() { +do_install:append_harden() { install -d ${D}${sysconfdir}/init.d install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d } diff --git a/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb b/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb index 1dcd5fc3d..51676b22d 100644 --- a/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb +++ b/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb @@ -11,7 +11,7 @@ PACKAGES = "${PN} \ packagegroup-${PN} \ " -RDEPENDS_${PN} = "\ +RDEPENDS:${PN} = "\ init-ifupdown \ ${VIRTUAL-RUNTIME_base-utils-syslog} \ sudo \ diff --git a/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend b/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend index 3f363f069..3058b5582 100644 --- a/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend +++ b/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend @@ -1,4 +1,4 @@ -do_install_append_harden () { +do_install:append_harden () { # to hardend sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs diff --git a/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend b/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend index a31c081fe..97c5f492b 100644 --- a/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend +++ b/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend 
@@ -1,6 +1,6 @@ -PACKAGECONFIG_append_harden = " pam-wheel" -do_install_append_harden () { +PACKAGECONFIG:append_harden = " pam-wheel" +do_install:append_harden () { if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers fi |
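Review bot: The `sed` that comments out `root ALL=(ALL) ALL` only works while the packaged sudoers contains exactly that string; if the default line changes form, the substitution does nothing and the build still succeeds with root left in sudoers. A check after the edit, such as `! grep -q '^root[[:space:]]' ${D}${sysconfdir}/sudoers || bbfatal "root entry still active in sudoers"`, would turn a silent miss into a build failure. The exact-string substitutions in the openssh bbappend (`#AllowTcpForwarding yes`, `ClientAliveCountMax 4`) have the same weakness. The closing brace of do_install lies outside the hunk.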