mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-01 13:09:50 +00:00
Code Issues Projects Releases Wiki Activity

dev-manual: Updates to the "Making Images More Secure" section.

Browse Source 
Fixes [YOCTO #5482]

Applied extensive review edist from Paul Eggleton throughout
this section.

(From yocto-docs rev: aa0bcd9199c83b43bad2390ff2292a8c2abe7455)

Signed-off-by: Scott Rifenbark <scott.m.rifenbark@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Scott Rifenbark
2014-05-30 17:09:05 +03:00
committed by Richard Purdie
parent 8beca348c1
commit 5d14f3c03a
1 changed files with 92 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files
documentation/dev-manual/dev-manual-common-tasks.xml
+92 -28
View File
@@ -3841,14 +3841,46 @@
<title>Making Images More Secure</title> <title>Making Images More Secure</title>
<para> <para>
If securing your image is of concern, there are steps, tools, Security for a device is always a concern.
Consider the issues and problems discussed in just this
sampling of work found across the Internet:
<itemizedlist>
<listitem><para><emphasis>
"<ulink url='https://www.schneier.com/blog/archives/2014/01/security_risks_9.html'>Security Risks of Embedded Systems</ulink>"</emphasis>
by Bruce Schneier
</para></listitem>
<listitem><para><emphasis>
"<ulink url='http://internetcensus2012.bitbucket.org/paper.html'>Internet Census 2012</ulink>"</emphasis>
by Carna Botnet</para></listitem>
<listitem><para><emphasis>
"<ulink url='http://elinux.org/images/6/6f/Security-issues.pdf'>Security Issues for Embedded Devices</ulink>"</emphasis>
by Jake Edge
</para></listitem>
<listitem><para><emphasis>
"<ulink url='https://www.nccgroup.com/media/18475/exploiting_security_gateways_via_their_web_interfaces.pdf'>They ought to know better: Exploiting Security
Gateways via their Web Interfaces</ulink>"</emphasis>
by Ben Williams
</para></listitem>
</itemizedlist>
</para>
<para>
When securing your image is of concern, there are steps, tools,
and variables that you can consider to help you reach the and variables that you can consider to help you reach the
security goals you need for your particular device. security goals you need for your particular device.
Not all situations are identical when it comes to making an Not all situations are identical when it comes to making an
image secure. image secure.
Consequently, this section provides some guidance and suggestions Consequently, this section provides some guidance and suggestions
for consideration when you want to make your image more secure. for consideration when you want to make your image more secure.
The section does not offer a complete solution. </para>
<para>
Because the security requirements and risks are
different for every type of device, this section cannot
provide a complete reference on securing your custom OS.
It is strongly recommended that you also consult other sources
of information on embedded Linux system hardening and on
security.
</para> </para>
<section id='general-considerations'> <section id='general-considerations'>
@@ -3895,7 +3927,10 @@
<listitem><para> <listitem><para>
Ensure you remove or disable debugging functionality Ensure you remove or disable debugging functionality
before producing the final image. before producing the final image.
</para></listitem> For information on how to do this, see the
"<link linkend='considerations-specific-to-the-openembedded-build-system'>Considerations Specific to the OpenEmbedded Build System</link>
section.
</para></listitem>
<listitem><para> <listitem><para>
Ensure you have no network services listening that Ensure you have no network services listening that
are not needed. are not needed.
@@ -3929,6 +3964,7 @@
</para> </para>
<para> <para>
<!--
The GCC/LD flags in <filename>security_flags.inc</filename> The GCC/LD flags in <filename>security_flags.inc</filename>
enable more secure code generation. enable more secure code generation.
By including the <filename>security_flags.inc</filename> By including the <filename>security_flags.inc</filename>
@@ -3938,10 +3974,11 @@
The GCC/LD flags are enabled by default in the The GCC/LD flags are enabled by default in the
<filename>poky-lsb</filename> distribution. <filename>poky-lsb</filename> distribution.
</note> </note>
-->
Use the following line in your Use the following line in your
<filename>local.conf</filename> file <filename>local.conf</filename> file or in your custom
to enable the security compiler and distribution configuration file to enable the security
linker flags to your build: compiler and linker flags to your build:
<literallayout class='monospaced'> <literallayout class='monospaced'>
require conf/distro/include/security_flags.inc require conf/distro/include/security_flags.inc
</literallayout> </literallayout>
@@ -3966,38 +4003,65 @@
sure that it does not have "debug-tweaks" before sure that it does not have "debug-tweaks" before
producing your final image. producing your final image.
Among other things, leaving this in place sets the Among other things, leaving this in place sets the
root password as blank. root password as blank, which makes logging in for
debugging or inspection easy during
development but also means anyone can easily log in
during production.
</para></listitem> </para></listitem>
<listitem><para> <listitem><para>
It is possible to set a root password for the image. It is possible to set a root password for the image.
For information on how to do that, see the When you set up root passwords for multiple images,
<ulink url='https://wiki.yoctoproject.org/wiki/FAQ:How_do_I_set_or_change_the_root_password'>How do I set or change the root password</ulink> you should not duplicate them.
Wiki page. See the note on passwords at the end of this list.
</para>
<para>
To set up a root password,
use the <filename>extrausers</filename>
class, which is the preferred method.
For an example on how to set up the root password,
see the
"<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers.bbclass</filename></ulink>"
section.
<note>
You can also see the the example in the
<ulink url='https://wiki.yoctoproject.org/wiki/FAQ:How_do_I_set_or_change_the_root_password'>How do I set or change the root password Wiki</ulink>
page as an alternative method.
</note>
</para></listitem> </para></listitem>
<listitem><para> <listitem><para>
It is possible to add an additional user account It is possible to add an additional user account
for later administrative or service access using the for later administrative or service access.
<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink> As with root passwords, be sure to not duplicate
class or the passwords for generic users (e.g. tester, qa, and
<ulink url='&YOCTO_DOCS_REF_URL;#var-ROOTFS_POSTPROCESS_COMMAND'><filename>ROOTFS_POSTPROCESS_COMMAND</filename></ulink> so forth) across multiple devices.
variable. See the note on passwords following this list.
For an example on how to add users, see the
"<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers.bbclass</filename></ulink>"
section.
</para> </para>
<para>If you do add extra user accounts, <para>
be cautious about setting As with the root password, you also use the
the same password for every device. <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink>
If you want the device to remain secure class.
from unauthorized access, and the password set on </para></listitem>
all devices becomes compromised, then every device <listitem><para>
becomes compromised. Consider enabling a Mandatory Access Control (MAC)
If you need this access but want to ensure security, framework (such as SMACK or SELinux) and tuning it
consider setting a different, random password for each appropriately for your device's usage.
device.
</para></listitem> </para></listitem>
</itemizedlist> </itemizedlist>
</para> </para>
<para>
<note><title>A Note about Passwords</title>
When adding extra user accounts or deciding on root
passwords for multiple devices, be cautious about setting
the same passwords for multiple users or devices.
If you want the device to remain secure from unauthorized
access, and the password set on all devices becomes
compromised, then every device becomes compromised.
If you need this access but want to ensure security,
consider setting a different, random passwords for each
user or device.
</note>
</para>
</section> </section>
<section id='tools-for-hardening-your-image'> <section id='tools-for-hardening-your-image'>