From cc58928593c3952679181b6bf8e4113080ffa867 Mon Sep 17 00:00:00 2001 From: Andrew Geissler Date: Fri, 18 Sep 2020 13:34:40 -0500 Subject: meta-security: subtree update:787ba6faea..d6baccc068 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Armin Kuster (20): trousers: update to tip upload-error-report: add script to upload errors kas/kas-security-base.yml: lets enable error reporting .gitlab: send error reports cryptsetup-tpm-incubator: drop recipe sssd: Avoid nss function conflicts with glibc nss.h cryptsetup-tpm-incubator: remove reference from other files packagegroup-core-security: dont include suricata on riscv or ppc kas-security-base: add testimage kas: add test config kas: add one dm-verify image build gitlab-ci: add dm-verify-image gitlab-ci: add testimage meta-harden: Add a layer to demo harding OE/YP kas-security-base: define sections as base packagegroup-core-security: add more pkgs to base group apparmor: exclude mips64, not supported kas: add alt and mutli build images kas-security-base: set RPM and disable ptest qemu test: set ptest Charlie Davies (1): clamav: update SO_VER to 9.0.4 Jens Rehsack (2): ibmswtpm2: update to 1637 ibmtpm2tss: add recipe Jonatan PĂ„lsson (1): sssd: Make manpages buildable Qi.Chen@windriver.com (1): nss: update patch to fix do_patch error Zheng Ruoqin (1): trousers: Fix the problem that do_package fails when multilib is enabled. niko.mauno@vaisala.com (12): dm-verity-img.bbclass: Fix bashisms dm-verity-img.bbclass: Reorder parse-time check dm-verity-image-initramfs: Ensure verity hash sync dm-verity-image-initramfs: Bind at do_image instead linux-yocto(-dev): Add dm-verity fragment as needed dm-verity-img.bbclass: Stage verity.env file initramfs-framework: Add dmverity module dm-verity-image-initramfs: Use initramfs-framework dm-verity-initramfs-image: Cosmetic improvements dm-verity-image-initramfs: Add base-passwd package dm-verity-image-initramfs: Drop locales from image beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR Signed-off-by: Andrew Geissler Change-Id: I9f2debc1f48092734569fd106b56cd7bcb6180b7 --- meta-security/meta-hardening/README | 86 ++++++++++++++++++++++ .../meta-hardening/conf/distro/harden.conf | 11 +++ meta-security/meta-hardening/conf/layer.conf | 13 ++++ .../openssh/openssh_%.bbappend | 13 ++++ .../recipes-core/base-files/base-files_%.bbappend | 4 + .../recipes-core/images/harden-image-minimal.bb | 25 +++++++ .../recipes-core/initscripts/files/mountall.sh | 41 +++++++++++ .../initscripts/initscripts_1.0.bbappend | 8 ++ .../packagegroups/packagegroup-hardening.bb | 19 +++++ .../recipes-extended/shadow/shadow_%.bbappend | 10 +++ .../recipes-extended/sudo/sudo_%.bbappend | 7 ++ 11 files changed, 237 insertions(+) create mode 100644 meta-security/meta-hardening/README create mode 100644 meta-security/meta-hardening/conf/distro/harden.conf create mode 100644 meta-security/meta-hardening/conf/layer.conf create mode 100644 meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend create mode 100644 meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend create mode 100644 meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb create mode 100755 meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh create mode 100644 meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend create mode 100644 meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb create mode 100644 meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend create mode 100644 meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend (limited to 'meta-security/meta-hardening') diff --git a/meta-security/meta-hardening/README b/meta-security/meta-hardening/README new file mode 100644 index 000000000..37a0b7ec8 --- /dev/null +++ b/meta-security/meta-hardening/README @@ -0,0 +1,86 @@ +# This is an example for Security hardening an OE or Poky image + + +Meta-hardening +============= + +This layer provides examples for hardening OE/Yocto images. +This layer does not provide 100% security protection. This is only +a framework from which a user can build from and can possible contribute to. +The goal here is to capture use cases and examples the community decided shares for +everyones benefit. + +Building the meta-hardening layer +------------------------------- +In order to add hardening support to the poky/OE build this layer should be added +to your projects bblayers.conf file. + +By default the hardening components are disabled. This conforms to the +Yocto Project compatible guideline that indicate that simply including a +layer should not change the system behavior. + +In order to use the components in this layer to take affect the 'harden' keyword must +set the DISTRO as in "DISTRO = harden". This enables the "NO ROOT access" idea or framework. + +If one wants the a more complete example of a hardened image, one must also build the image: +harden-image-minimal + +There are default example userid and passwards: +These can be over written in your local.conf via: +ROOT_DEFAULT_PASSWORD ?= "1SimplePw!" +DEFAULT_ADMIN_ACCOUNT ?= "myadmin" + +example: +local.conf +DISTRO = "harden" + +The default user and password are: +User: "myadmin" +Password: "1SimplePw!" + +bitbake {qemu machine} harden-image-minimal + +Dependencies +============ + +Branch: master + +This layer depends on: + +URI: git://git.yoctoproject.org/poky + +or this normal combo: + +URI: git://git.openembedded.org/meta-openembedded/meta-oe + +URI: git://git.openembedded.org/bitbake + +plus: + +URI: git://git.openembedded.org/meta-openembedded +layers: meta-oe + + +Maintenance +----------- + +Send pull requests, patches, comments or questions to yocto@yoctoproject.org + +When sending single patches, please using something like: +'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH' + +These values can be set as defaults for this repository: + +$ git config sendemail.to yocto@yoctoproject.org +$ git config format.subjectPrefix meta-hardening][PATCH + +Now you can just do 'git send-email origin/master' to send all local patches. + +Maintainers: Armin Kuster + +License +======= + +All metadata is MIT licensed unless otherwise stated. Source code included +in tree for individual recipes is under the LICENSE stated in each recipe +(.bb file) unless otherwise stated. diff --git a/meta-security/meta-hardening/conf/distro/harden.conf b/meta-security/meta-hardening/conf/distro/harden.conf new file mode 100644 index 000000000..66db9b797 --- /dev/null +++ b/meta-security/meta-hardening/conf/distro/harden.conf @@ -0,0 +1,11 @@ +DISTRO = "harden" +DISTRO_NAME = "Simple Security hardening example" +DISTRO_VERSION = "1.0" + +DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost" + +VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog" +IMAGE_ROOTFS_EXTRA_SPACE = "524288" +EXTRA_IMAGE_FEATURES_remove = "debug-tweaks" + +DISABLE_ROOT ?= "True" diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf new file mode 100644 index 000000000..589621440 --- /dev/null +++ b/meta-security/meta-hardening/conf/layer.conf @@ -0,0 +1,13 @@ +# We have a conf and classes directory, add to BBPATH +BBPATH .= ":${LAYERDIR}" + +# We have a recipes directory, add to BBFILES +BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend" + +BBFILE_COLLECTIONS += "harden-layer" +BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/" +BBFILE_PRIORITY_harden-layer = "10" + +LAYERSERIES_COMPAT_harden-layer = "dunfell" + +LAYERDEPENDS_harden-layer = "core openembedded-layer" diff --git a/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend new file mode 100644 index 000000000..67be3f313 --- /dev/null +++ b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend @@ -0,0 +1,13 @@ +do_install_append_harden () { + # to hardend + sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#LogLevel INFO:LogLevel VERBOSE:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#MaxSessions.*:MaxSessions 2:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#TCPKeepAlive yes:TCPKeepAlive no:' ${D}${sysconfdir}/ssh/sshd_config + sed -i -e 's:#AllowAgentForwarding yes:AllowAgentForwarding no:' ${D}${sysconfdir}/ssh/sshd_config + + if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then + sed -i -e 's:#PermitRootLogin.*:PermitRootLogin prohibit-password:' ${D}${sysconfdir}/ssh/sshd_config + fi +} diff --git a/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend b/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend new file mode 100644 index 000000000..395630460 --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend @@ -0,0 +1,4 @@ + +do_install_append_harden () { + sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile +} diff --git a/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb new file mode 100644 index 000000000..daed3fbcc --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb @@ -0,0 +1,25 @@ +SUMMARY = "A small image for an example hardening OE." + +IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening" +IMAGE_INSTALL_append = " os-release" + +IMAGE_FEATURES = "" +IMAGE_LINGUAS = " " + +LICENSE = "MIT" + +IMAGE_ROOTFS_SIZE ?= "8192" + +inherit core-image extrausers + +ROOT_DEFAULT_PASSWORD ?= "1SimplePw!" +DEFAULT_ADMIN_ACCOUNT ?= "myadmin" +DEFAULT_ADMIN_GROUP ?= "wheel" +DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!" + +EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}" + +EXTRA_USERS_PARAMS += "useradd ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS += "groupadd ${DEFAULT_ADMIN_GROUP};" +EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" +EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};" diff --git a/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh b/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh new file mode 100755 index 000000000..e093f9621 --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh @@ -0,0 +1,41 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: mountall +# Required-Start: mountvirtfs +# Required-Stop: +# Default-Start: S +# Default-Stop: +# Short-Description: Mount all filesystems. +# Description: +### END INIT INFO + +. /etc/default/rcS + +# +# Mount local filesystems in /etc/fstab. For some reason, people +# might want to mount "proc" several times, and mount -v complains +# about this. So we mount "proc" filesystems without -v. +# +test "$VERBOSE" != no && echo "Mounting local filesystems..." +mkdir -p /home +mkdir -p /var +mount -at nonfs,nosmbfs,noncpfs 2>/dev/null + +# +# We might have mounted something over /dev, see if /dev/initctl is there. +# +if test ! -p /dev/initctl +then + rm -f /dev/initctl + mknod -m 600 /dev/initctl p +fi +kill -USR1 1 + +# +# Execute swapon command again, in case we want to swap to +# a file on a now mounted filesystem. +# +[ -x /sbin/swapon ] && swapon -a + +: exit 0 + diff --git a/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend new file mode 100644 index 000000000..896b03973 --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend @@ -0,0 +1,8 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI_append_harden = " file://mountall.sh" + +do_install_append_harden() { + install -d ${D}${sysconfdir}/init.d + install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d +} diff --git a/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb b/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb new file mode 100644 index 000000000..1dcd5fc3d --- /dev/null +++ b/meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb @@ -0,0 +1,19 @@ +# +# +# + +SUMMARY = "Hardening example group" + +inherit packagegroup + +PROVIDES = "${PACKAGES}" +PACKAGES = "${PN} \ + packagegroup-${PN} \ +" + +RDEPENDS_${PN} = "\ + init-ifupdown \ + ${VIRTUAL-RUNTIME_base-utils-syslog} \ + sudo \ + ${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-plugin-wheel", "",d)} \ +" diff --git a/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend b/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend new file mode 100644 index 000000000..3f363f069 --- /dev/null +++ b/meta-security/meta-hardening/recipes-extended/shadow/shadow_%.bbappend @@ -0,0 +1,10 @@ +do_install_append_harden () { + # to hardend + sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs + sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs + sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' ${D}${sysconfdir}/login.defs + sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' ${D}${sysconfdir}/login.defs + sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' ${D}${sysconfdir}/login.defs + sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' ${D}${sysconfdir}/login.defs + sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' ${D}${sysconfdir}/login.defs +} diff --git a/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend b/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend new file mode 100644 index 000000000..a31c081fe --- /dev/null +++ b/meta-security/meta-hardening/recipes-extended/sudo/sudo_%.bbappend @@ -0,0 +1,7 @@ + +PACKAGECONFIG_append_harden = " pam-wheel" +do_install_append_harden () { + if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then + sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers + fi +} -- cgit v1.2.3