meta-harden: Add a layer to demo harding OE/YP

Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-05-30 12:30:36 +00:00 · 2020-07-26 13:10:31 -07:00
parent 0ba6059805
commit 0d72d40772
11 changed files with 237 additions and 0 deletions
@@ -0,0 +1,86 @@
 # This is an example for Security hardening an OE or Poky image
 Meta-hardening
 =============
 This layer provides examples for hardening OE/Yocto images.
 This layer does not provide 100% security protection.  This is only 
 a framework from which a user can build from and can possible contribute to.
 The goal here is to capture use cases and examples the community decided shares for
 everyones benefit.
 Building the meta-hardening layer
 -------------------------------
 In order to add hardening support to the poky/OE build this layer should be added
 to your projects bblayers.conf file.
 By default the hardening components are disabled.  This conforms to the
 Yocto Project compatible guideline that indicate that simply including a
 layer should not change the system behavior.
 In order to use the components in this layer to take affect the  'harden' keyword must
 set the DISTRO as in "DISTRO = harden".   This enables the "NO ROOT access" idea or framework.
 If one wants the a more complete example of a hardened image, one must also build the image:
 harden-image-minimal
 There are default example userid and passwards:
 These can be over written in your local.conf via:
 ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
 DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
 example:
 local.conf
 DISTRO = "harden"
 The default user and password are: 
 User: "myadmin"
 Password: "1SimplePw!"
 bitbake {qemu machine} harden-image-minimal
 Dependencies
 ============
 Branch: master
 This layer depends on:
 URI: git://git.yoctoproject.org/poky
 or this normal combo: 
 URI: git://git.openembedded.org/meta-openembedded/meta-oe
 URI: git://git.openembedded.org/bitbake
 plus:
 URI: git://git.openembedded.org/meta-openembedded
 layers: meta-oe
 Maintenance
 -----------
 Send pull requests, patches, comments or questions to yocto@yoctoproject.org
 When sending single patches, please using something like:
 'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH'
 These values can be set as defaults for this repository:
 $ git config sendemail.to yocto@yoctoproject.org
 $ git config format.subjectPrefix meta-hardening][PATCH
 Now you can just do 'git send-email origin/master' to send all local patches.
 Maintainers:  Armin Kuster <akuster808@gmail.com>
 License
 =======
 All metadata is MIT licensed unless otherwise stated. Source code included
 in tree for individual recipes is under the LICENSE stated in each recipe
 (.bb file) unless otherwise stated.
@@ -0,0 +1,11 @@
 DISTRO = "harden"
 DISTRO_NAME = "Simple Security hardening example"
 DISTRO_VERSION = "1.0"
 DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost"
 VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog"
 IMAGE_ROOTFS_EXTRA_SPACE = "524288"
 EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
 DISABLE_ROOT ?= "True"
@@ -0,0 +1,13 @@
 # We have a conf and classes directory, add to BBPATH
 BBPATH .= ":${LAYERDIR}"
 # We have a recipes directory, add to BBFILES
 BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
 BBFILE_COLLECTIONS += "harden-layer"
 BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_harden-layer = "10"
 LAYERSERIES_COMPAT_harden-layer = "dunfell"
 LAYERDEPENDS_harden-layer = "core openembedded-layer"
@@ -0,0 +1,13 @@
 do_install_append_harden () {
 	# to hardend
 	sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
 	sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config
 	sed -i -e 's:#LogLevel INFO:LogLevel VERBOSE:' ${D}${sysconfdir}/ssh/sshd_config
 	sed -i -e 's:#MaxSessions.*:MaxSessions 2:' ${D}${sysconfdir}/ssh/sshd_config
 	sed -i -e 's:#TCPKeepAlive yes:TCPKeepAlive no:' ${D}${sysconfdir}/ssh/sshd_config
 	sed -i -e 's:#AllowAgentForwarding yes:AllowAgentForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
    if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
        sed -i -e 's:#PermitRootLogin.*:PermitRootLogin prohibit-password:' ${D}${sysconfdir}/ssh/sshd_config
    fi
 }
@@ -0,0 +1,4 @@
 do_install_append_harden () {
    sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile
 }
@@ -0,0 +1,25 @@
 SUMMARY = "A small image for an example hardening OE."
 IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening"
 IMAGE_INSTALL_append = " os-release"
 IMAGE_FEATURES = ""
 IMAGE_LINGUAS = " "
 LICENSE = "MIT"
 IMAGE_ROOTFS_SIZE ?= "8192"
 inherit core-image extrausers
 ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
 DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
 DEFAULT_ADMIN_GROUP ?= "wheel"
 DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"
 EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
 EXTRA_USERS_PARAMS += "useradd  ${DEFAULT_ADMIN_ACCOUNT};" 
 EXTRA_USERS_PARAMS += "groupadd  ${DEFAULT_ADMIN_GROUP};" 
 EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" 
 EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP}  ${DEFAULT_ADMIN_ACCOUNT};" 
@@ -0,0 +1,41 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          mountall
 # Required-Start:    mountvirtfs
 # Required-Stop: 
 # Default-Start:     S
 # Default-Stop:
 # Short-Description: Mount all filesystems.
 # Description:
 ### END INIT INFO
 . /etc/default/rcS
 #
 # Mount local filesystems in /etc/fstab. For some reason, people
 # might want to mount "proc" several times, and mount -v complains
 # about this. So we mount "proc" filesystems without -v.
 #
 test "$VERBOSE" != no && echo "Mounting local filesystems..."
 mkdir -p /home
 mkdir -p /var
 mount -at nonfs,nosmbfs,noncpfs 2>/dev/null
 #
 # We might have mounted something over /dev, see if /dev/initctl is there.
 #
 if test ! -p /dev/initctl
 then
 	rm -f /dev/initctl
 	mknod -m 600 /dev/initctl p
 fi
 kill -USR1 1
 #
 # Execute swapon command again, in case we want to swap to
 # a file on a now mounted filesystem.
 #
 [ -x /sbin/swapon ] && swapon -a
 : exit 0
@@ -0,0 +1,8 @@
 FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
 SRC_URI_append_harden = " file://mountall.sh"
 do_install_append_harden() {
    install -d ${D}${sysconfdir}/init.d
    install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d
 }
@@ -0,0 +1,19 @@
 #
 # 
 #
 SUMMARY = "Hardening example group"
 inherit packagegroup
 PROVIDES = "${PACKAGES}"
 PACKAGES = "${PN}  \
    packagegroup-${PN} \
 "
 RDEPENDS_${PN} = "\
    init-ifupdown \
    ${VIRTUAL-RUNTIME_base-utils-syslog} \
    sudo \
    ${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-plugin-wheel", "",d)} \
 "
@@ -0,0 +1,10 @@
 do_install_append_harden () {
 	# to hardend
 	sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs
 	sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs
 	sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' ${D}${sysconfdir}/login.defs
 	sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' ${D}${sysconfdir}/login.defs
 	sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' ${D}${sysconfdir}/login.defs
 	sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' ${D}${sysconfdir}/login.defs
 	sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' ${D}${sysconfdir}/login.defs
 }
@@ -0,0 +1,7 @@
 PACKAGECONFIG_append_harden = " pam-wheel"
 do_install_append_harden () {
    if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
        sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers
    fi
 }