mirror of
https://git.yoctoproject.org/poky
synced 2026-05-31 12:49:46 +00:00
dev-manual: Updates to the "Making Images More Secure" section.
Fixes [YOCTO #5482] Applied extensive review edist from Paul Eggleton throughout this section. (From yocto-docs rev: aa0bcd9199c83b43bad2390ff2292a8c2abe7455) Signed-off-by: Scott Rifenbark <scott.m.rifenbark@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Scott Rifenbark
committed by
Richard Purdie
Richard Purdie
parent
8beca348c1
commit
5d14f3c03a
@@ -3841,14 +3841,46 @@
|
|||||||
<title>Making Images More Secure</title>
|
<title>Making Images More Secure</title>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
If securing your image is of concern, there are steps, tools,
|
Security for a device is always a concern.
|
||||||
|
Consider the issues and problems discussed in just this
|
||||||
|
sampling of work found across the Internet:
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem><para><emphasis>
|
||||||
|
"<ulink url='https://www.schneier.com/blog/archives/2014/01/security_risks_9.html'>Security Risks of Embedded Systems</ulink>"</emphasis>
|
||||||
|
by Bruce Schneier
|
||||||
|
</para></listitem>
|
||||||
|
<listitem><para><emphasis>
|
||||||
|
"<ulink url='http://internetcensus2012.bitbucket.org/paper.html'>Internet Census 2012</ulink>"</emphasis>
|
||||||
|
by Carna Botnet</para></listitem>
|
||||||
|
<listitem><para><emphasis>
|
||||||
|
"<ulink url='http://elinux.org/images/6/6f/Security-issues.pdf'>Security Issues for Embedded Devices</ulink>"</emphasis>
|
||||||
|
by Jake Edge
|
||||||
|
</para></listitem>
|
||||||
|
<listitem><para><emphasis>
|
||||||
|
"<ulink url='https://www.nccgroup.com/media/18475/exploiting_security_gateways_via_their_web_interfaces.pdf'>They ought to know better: Exploiting Security
|
||||||
|
Gateways via their Web Interfaces</ulink>"</emphasis>
|
||||||
|
by Ben Williams
|
||||||
|
</para></listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
When securing your image is of concern, there are steps, tools,
|
||||||
and variables that you can consider to help you reach the
|
and variables that you can consider to help you reach the
|
||||||
security goals you need for your particular device.
|
security goals you need for your particular device.
|
||||||
Not all situations are identical when it comes to making an
|
Not all situations are identical when it comes to making an
|
||||||
image secure.
|
image secure.
|
||||||
Consequently, this section provides some guidance and suggestions
|
Consequently, this section provides some guidance and suggestions
|
||||||
for consideration when you want to make your image more secure.
|
for consideration when you want to make your image more secure.
|
||||||
The section does not offer a complete solution.
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
Because the security requirements and risks are
|
||||||
|
different for every type of device, this section cannot
|
||||||
|
provide a complete reference on securing your custom OS.
|
||||||
|
It is strongly recommended that you also consult other sources
|
||||||
|
of information on embedded Linux system hardening and on
|
||||||
|
security.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<section id='general-considerations'>
|
<section id='general-considerations'>
|
||||||
@@ -3895,7 +3927,10 @@
|
|||||||
<listitem><para>
|
<listitem><para>
|
||||||
Ensure you remove or disable debugging functionality
|
Ensure you remove or disable debugging functionality
|
||||||
before producing the final image.
|
before producing the final image.
|
||||||
</para></listitem>
|
For information on how to do this, see the
|
||||||
|
"<link linkend='considerations-specific-to-the-openembedded-build-system'>Considerations Specific to the OpenEmbedded Build System</link>
|
||||||
|
section.
|
||||||
|
</para></listitem>
|
||||||
<listitem><para>
|
<listitem><para>
|
||||||
Ensure you have no network services listening that
|
Ensure you have no network services listening that
|
||||||
are not needed.
|
are not needed.
|
||||||
@@ -3929,6 +3964,7 @@
|
|||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
|
<!--
|
||||||
The GCC/LD flags in <filename>security_flags.inc</filename>
|
The GCC/LD flags in <filename>security_flags.inc</filename>
|
||||||
enable more secure code generation.
|
enable more secure code generation.
|
||||||
By including the <filename>security_flags.inc</filename>
|
By including the <filename>security_flags.inc</filename>
|
||||||
@@ -3938,10 +3974,11 @@
|
|||||||
The GCC/LD flags are enabled by default in the
|
The GCC/LD flags are enabled by default in the
|
||||||
<filename>poky-lsb</filename> distribution.
|
<filename>poky-lsb</filename> distribution.
|
||||||
</note>
|
</note>
|
||||||
|
-->
|
||||||
Use the following line in your
|
Use the following line in your
|
||||||
<filename>local.conf</filename> file
|
<filename>local.conf</filename> file or in your custom
|
||||||
to enable the security compiler and
|
distribution configuration file to enable the security
|
||||||
linker flags to your build:
|
compiler and linker flags to your build:
|
||||||
<literallayout class='monospaced'>
|
<literallayout class='monospaced'>
|
||||||
require conf/distro/include/security_flags.inc
|
require conf/distro/include/security_flags.inc
|
||||||
</literallayout>
|
</literallayout>
|
||||||
@@ -3966,38 +4003,65 @@
|
|||||||
sure that it does not have "debug-tweaks" before
|
sure that it does not have "debug-tweaks" before
|
||||||
producing your final image.
|
producing your final image.
|
||||||
Among other things, leaving this in place sets the
|
Among other things, leaving this in place sets the
|
||||||
root password as blank.
|
root password as blank, which makes logging in for
|
||||||
|
debugging or inspection easy during
|
||||||
|
development but also means anyone can easily log in
|
||||||
|
during production.
|
||||||
</para></listitem>
|
</para></listitem>
|
||||||
<listitem><para>
|
<listitem><para>
|
||||||
It is possible to set a root password for the image.
|
It is possible to set a root password for the image.
|
||||||
For information on how to do that, see the
|
When you set up root passwords for multiple images,
|
||||||
<ulink url='https://wiki.yoctoproject.org/wiki/FAQ:How_do_I_set_or_change_the_root_password'>How do I set or change the root password</ulink>
|
you should not duplicate them.
|
||||||
Wiki page.
|
See the note on passwords at the end of this list.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
To set up a root password,
|
||||||
|
use the <filename>extrausers</filename>
|
||||||
|
class, which is the preferred method.
|
||||||
|
For an example on how to set up the root password,
|
||||||
|
see the
|
||||||
|
"<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers.bbclass</filename></ulink>"
|
||||||
|
section.
|
||||||
|
<note>
|
||||||
|
You can also see the the example in the
|
||||||
|
<ulink url='https://wiki.yoctoproject.org/wiki/FAQ:How_do_I_set_or_change_the_root_password'>How do I set or change the root password Wiki</ulink>
|
||||||
|
page as an alternative method.
|
||||||
|
</note>
|
||||||
</para></listitem>
|
</para></listitem>
|
||||||
<listitem><para>
|
<listitem><para>
|
||||||
It is possible to add an additional user account
|
It is possible to add an additional user account
|
||||||
for later administrative or service access using the
|
for later administrative or service access.
|
||||||
<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink>
|
As with root passwords, be sure to not duplicate
|
||||||
class or the
|
passwords for generic users (e.g. tester, qa, and
|
||||||
<ulink url='&YOCTO_DOCS_REF_URL;#var-ROOTFS_POSTPROCESS_COMMAND'><filename>ROOTFS_POSTPROCESS_COMMAND</filename></ulink>
|
so forth) across multiple devices.
|
||||||
variable.
|
See the note on passwords following this list.
|
||||||
For an example on how to add users, see the
|
|
||||||
"<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers.bbclass</filename></ulink>"
|
|
||||||
section.
|
|
||||||
</para>
|
</para>
|
||||||
<para>If you do add extra user accounts,
|
<para>
|
||||||
be cautious about setting
|
As with the root password, you also use the
|
||||||
the same password for every device.
|
<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink>
|
||||||
If you want the device to remain secure
|
class.
|
||||||
from unauthorized access, and the password set on
|
</para></listitem>
|
||||||
all devices becomes compromised, then every device
|
<listitem><para>
|
||||||
becomes compromised.
|
Consider enabling a Mandatory Access Control (MAC)
|
||||||
If you need this access but want to ensure security,
|
framework (such as SMACK or SELinux) and tuning it
|
||||||
consider setting a different, random password for each
|
appropriately for your device's usage.
|
||||||
device.
|
|
||||||
</para></listitem>
|
</para></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
<note><title>A Note about Passwords</title>
|
||||||
|
When adding extra user accounts or deciding on root
|
||||||
|
passwords for multiple devices, be cautious about setting
|
||||||
|
the same passwords for multiple users or devices.
|
||||||
|
If you want the device to remain secure from unauthorized
|
||||||
|
access, and the password set on all devices becomes
|
||||||
|
compromised, then every device becomes compromised.
|
||||||
|
If you need this access but want to ensure security,
|
||||||
|
consider setting a different, random passwords for each
|
||||||
|
user or device.
|
||||||
|
</note>
|
||||||
|
</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id='tools-for-hardening-your-image'>
|
<section id='tools-for-hardening-your-image'>
|
||||||
|
|||||||
Reference in New Issue
Block a user