meta-harden: Add a layer to demo harding OE/YP

Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Armin Kuster <akuster808@gmail.com> 2020-07-26 13:10:31 -0700
committer: Armin Kuster <akuster808@gmail.com> 2020-09-13 07:05:50 -0700
commit: 0d72d40772c18f0632c8f9964c010110a7158208 (patch)
tree: f6f6f6edea425741c67b5ccd0b3f69aeb9b42482
parent: 0ba605980565f71c546f1985fa3a2f0d5153a549 (diff)
download: meta-security-0d72d40772c18f0632c8f9964c010110a7158208.tar.gz
11 files changed, 237 insertions, 0 deletions
diff --git a/meta-hardening/README b/meta-hardening/README
new file mode 100644
index 0000000..37a0b7e
--- /dev/null
+++ b/meta-hardening/README
@@ -0,0 +1,86 @@
+# This is an example for Security hardening an OE or Poky image
+Meta-hardening
+=============
+This layer provides examples for hardening OE/Yocto images.
+This layer does not provide 100% security protection.  This is only 
+a framework from which a user can build from and can possible contribute to.
+The goal here is to capture use cases and examples the community decided shares for
+everyones benefit.
+Building the meta-hardening layer
+-------------------------------
+In order to add hardening support to the poky/OE build this layer should be added
+to your projects bblayers.conf file.
+By default the hardening components are disabled.  This conforms to the
+Yocto Project compatible guideline that indicate that simply including a
+layer should not change the system behavior.
+In order to use the components in this layer to take affect the  'harden' keyword must
+set the DISTRO as in "DISTRO = harden".   This enables the "NO ROOT access" idea or framework.
+If one wants the a more complete example of a hardened image, one must also build the image:
+harden-image-minimal
+There are default example userid and passwards:
+These can be over written in your local.conf via:
+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
+DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
+example:
+local.conf
+DISTRO = "harden"
+The default user and password are: 
+User: "myadmin"
+Password: "1SimplePw!"
+bitbake {qemu machine} harden-image-minimal
+Dependencies
+============
+Branch: master
+This layer depends on:
+URI: git://git.yoctoproject.org/poky
+or this normal combo: 
+URI: git://git.openembedded.org/meta-openembedded/meta-oe
+URI: git://git.openembedded.org/bitbake
+plus:
+URI: git://git.openembedded.org/meta-openembedded
+layers: meta-oe
+Maintenance
+-----------
+Send pull requests, patches, comments or questions to yocto@yoctoproject.org
+When sending single patches, please using something like:
+'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH'
+These values can be set as defaults for this repository:
+$ git config sendemail.to yocto@yoctoproject.org
+$ git config format.subjectPrefix meta-hardening][PATCH
+Now you can just do 'git send-email origin/master' to send all local patches.
+Maintainers:  Armin Kuster <akuster808@gmail.com>
+License
+=======
+All metadata is MIT licensed unless otherwise stated. Source code included
+in tree for individual recipes is under the LICENSE stated in each recipe
+(.bb file) unless otherwise stated.
diff --git a/meta-hardening/conf/distro/harden.conf b/meta-hardening/conf/distro/harden.conf
new file mode 100644
index 0000000..66db9b7
--- /dev/null
+++ b/meta-hardening/conf/distro/harden.conf
@@ -0,0 +1,11 @@
+DISTRO = "harden"
+DISTRO_NAME = "Simple Security hardening example"
+DISTRO_VERSION = "1.0"
+DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost"
+VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog"
+IMAGE_ROOTFS_EXTRA_SPACE = "524288"
+EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
+DISABLE_ROOT ?= "True"
diff --git a/meta-hardening/conf/layer.conf b/meta-hardening/conf/layer.conf
new file mode 100644
index 0000000..5896214
--- /dev/null
+++ b/meta-hardening/conf/layer.conf
@@ -0,0 +1,13 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH .= ":${LAYERDIR}"
+# We have a recipes directory, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes*/*/*.bb ${LAYERDIR}/recipes*/*/*.bbappend"
+BBFILE_COLLECTIONS += "harden-layer"
+BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
+BBFILE_PRIORITY_harden-layer = "10"
+LAYERSERIES_COMPAT_harden-layer = "dunfell"
+LAYERDEPENDS_harden-layer = "core openembedded-layer"
diff --git a/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100644
index 0000000..67be3f3
--- /dev/null
+++ b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
@@ -0,0 +1,13 @@
+do_install_append_harden () {
+        # to hardend
+        sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
+        sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config
+        sed -i -e 's:#LogLevel INFO:LogLevel VERBOSE:' ${D}${sysconfdir}/ssh/sshd_config
+        sed -i -e 's:#MaxSessions.*:MaxSessions 2:' ${D}${sysconfdir}/ssh/sshd_config
+        sed -i -e 's:#TCPKeepAlive yes:TCPKeepAlive no:' ${D}${sysconfdir}/ssh/sshd_config
+        sed -i -e 's:#AllowAgentForwarding yes:AllowAgentForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
+    if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
+        sed -i -e 's:#PermitRootLogin.*:PermitRootLogin prohibit-password:' ${D}${sysconfdir}/ssh/sshd_config
+    fi
+}
diff --git a/meta-hardening/recipes-core/base-files/base-files_%.bbappend b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 0000000..3956304
--- /dev/null
+++ b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1,4 @@
+do_install_append_harden () {
+    sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile
+}
diff --git a/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-hardening/recipes-core/images/harden-image-minimal.bb
new file mode 100644
index 0000000..daed3fb
--- /dev/null
+++ b/meta-hardening/recipes-core/images/harden-image-minimal.bb
@@ -0,0 +1,25 @@
+SUMMARY = "A small image for an example hardening OE."
+IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening"
+IMAGE_INSTALL_append = " os-release"
+IMAGE_FEATURES = ""
+IMAGE_LINGUAS = " "
+LICENSE = "MIT"
+IMAGE_ROOTFS_SIZE ?= "8192"
+inherit core-image extrausers
+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
+DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
+DEFAULT_ADMIN_GROUP ?= "wheel"
+DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"
+EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
+EXTRA_USERS_PARAMS += "useradd  ${DEFAULT_ADMIN_ACCOUNT};" 
+EXTRA_USERS_PARAMS += "groupadd  ${DEFAULT_ADMIN_GROUP};" 
+EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" 
+EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP}  ${DEFAULT_ADMIN_ACCOUNT};" 
diff --git a/meta-hardening/recipes-core/initscripts/files/mountall.sh b/meta-hardening/recipes-core/initscripts/files/mountall.sh
new file mode 100755
index 0000000..e093f96
--- /dev/null
+++ b/meta-hardening/recipes-core/initscripts/files/mountall.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          mountall
+# Required-Start:    mountvirtfs
+# Required-Stop: 
+# Default-Start:     S
+# Default-Stop:
+# Short-Description: Mount all filesystems.
+# Description:
+### END INIT INFO
+. /etc/default/rcS
+#
+# Mount local filesystems in /etc/fstab. For some reason, people
+# might want to mount "proc" several times, and mount -v complains
+# about this. So we mount "proc" filesystems without -v.
+#
+test "$VERBOSE" != no && echo "Mounting local filesystems..."
+mkdir -p /home
+mkdir -p /var
+mount -at nonfs,nosmbfs,noncpfs 2>/dev/null
+#
+# We might have mounted something over /dev, see if /dev/initctl is there.
+#
+if test ! -p /dev/initctl
+then
+        rm -f /dev/initctl
+        mknod -m 600 /dev/initctl p
+fi
+kill -USR1 1
+#
+# Execute swapon command again, in case we want to swap to
+# a file on a now mounted filesystem.
+#
+[ -x /sbin/swapon ] && swapon -a
+: exit 0
diff --git a/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
new file mode 100644
index 0000000..896b039
--- /dev/null
+++ b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
@@ -0,0 +1,8 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+SRC_URI_append_harden = " file://mountall.sh"
+do_install_append_harden() {
+    install -d ${D}${sysconfdir}/init.d
+    install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d
+}
diff --git a/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
new file mode 100644
index 0000000..1dcd5fc
--- /dev/null
+++ b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
@@ -0,0 +1,19 @@
+#
+# 
+#
+SUMMARY = "Hardening example group"
+inherit packagegroup
+PROVIDES = "${PACKAGES}"
+PACKAGES = "${PN}  \
+    packagegroup-${PN} \
+"
+RDEPENDS_${PN} = "\
+    init-ifupdown \
+    ${VIRTUAL-RUNTIME_base-utils-syslog} \
+    sudo \
+    ${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-plugin-wheel", "",d)} \
+"
diff --git a/meta-hardening/recipes-extended/shadow/shadow_%.bbappend b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
new file mode 100644
index 0000000..3f363f0
--- /dev/null
+++ b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,10 @@
+do_install_append_harden () {
+        # to hardend
+        sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs
+        sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs
+        sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' ${D}${sysconfdir}/login.defs
+        sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' ${D}${sysconfdir}/login.defs
+        sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' ${D}${sysconfdir}/login.defs
+        sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' ${D}${sysconfdir}/login.defs
+        sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' ${D}${sysconfdir}/login.defs
+}
diff --git a/meta-hardening/recipes-extended/sudo/sudo_%.bbappend b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
new file mode 100644
index 0000000..a31c081
--- /dev/null
+++ b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
@@ -0,0 +1,7 @@
+PACKAGECONFIG_append_harden = " pam-wheel"
+do_install_append_harden () {
+    if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
+        sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers
+    fi
+}
author	Armin Kuster <akuster808@gmail.com>	2020-07-26 13:10:31 -0700
committer	Armin Kuster <akuster808@gmail.com>	2020-09-13 07:05:50 -0700
commit	0d72d40772c18f0632c8f9964c010110a7158208 (patch)
tree	f6f6f6edea425741c67b5ccd0b3f69aeb9b42482
parent	0ba605980565f71c546f1985fa3a2f0d5153a549 (diff)
download	meta-security-0d72d40772c18f0632c8f9964c010110a7158208.tar.gz

diff --git a/meta-hardening/README b/meta-hardening/README new file mode 100644 index 0000000..37a0b7e --- /dev/null +++ b/meta-hardening/README
@@ -0,0 +1,86 @@
	1	# This is an example for Security hardening an OE or Poky image
	2
	3
	4	Meta-hardening
	5	=============
	6
	7	This layer provides examples for hardening OE/Yocto images.
	8	This layer does not provide 100% security protection. This is only
	9	a framework from which a user can build from and can possible contribute to.
	10	The goal here is to capture use cases and examples the community decided shares for
	11	everyones benefit.
	12
	13	Building the meta-hardening layer
	14	-------------------------------
	15	In order to add hardening support to the poky/OE build this layer should be added
	16	to your projects bblayers.conf file.
	17
	18	By default the hardening components are disabled. This conforms to the
	19	Yocto Project compatible guideline that indicate that simply including a
	20	layer should not change the system behavior.
	21
	22	In order to use the components in this layer to take affect the 'harden' keyword must
	23	set the DISTRO as in "DISTRO = harden". This enables the "NO ROOT access" idea or framework.
	24
	25	If one wants the a more complete example of a hardened image, one must also build the image:
	26	harden-image-minimal
	27
	28	There are default example userid and passwards:
	29	These can be over written in your local.conf via:
	30	ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
	31	DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
	32
	33	example:
	34	local.conf
	35	DISTRO = "harden"
	36
	37	The default user and password are:
	38	User: "myadmin"
	39	Password: "1SimplePw!"
	40
	41	bitbake {qemu machine} harden-image-minimal
	42
	43	Dependencies
	44	============
	45
	46	Branch: master
	47
	48	This layer depends on:
	49
	50	URI: git://git.yoctoproject.org/poky
	51
	52	or this normal combo:
	53
	54	URI: git://git.openembedded.org/meta-openembedded/meta-oe
	55
	56	URI: git://git.openembedded.org/bitbake
	57
	58	plus:
	59
	60	URI: git://git.openembedded.org/meta-openembedded
	61	layers: meta-oe
	62
	63
	64	Maintenance
	65	-----------
	66
	67	Send pull requests, patches, comments or questions to yocto@yoctoproject.org
	68
	69	When sending single patches, please using something like:
	70	'git send-email -1 --to yocto@yoctoproject.org --subject-prefix=meta-hardening][PATCH'
	71
	72	These values can be set as defaults for this repository:
	73
	74	$ git config sendemail.to yocto@yoctoproject.org
	75	$ git config format.subjectPrefix meta-hardening][PATCH
	76
	77	Now you can just do 'git send-email origin/master' to send all local patches.
	78
	79	Maintainers: Armin Kuster <akuster808@gmail.com>
	80
	81	License
	82	=======
	83
	84	All metadata is MIT licensed unless otherwise stated. Source code included
	85	in tree for individual recipes is under the LICENSE stated in each recipe
	86	(.bb file) unless otherwise stated.


diff --git a/meta-hardening/conf/distro/harden.conf b/meta-hardening/conf/distro/harden.conf new file mode 100644 index 0000000..66db9b7 --- /dev/null +++ b/meta-hardening/conf/distro/harden.conf
@@ -0,0 +1,11 @@
	1	DISTRO = "harden"
	2	DISTRO_NAME = "Simple Security hardening example"
	3	DISTRO_VERSION = "1.0"
	4
	5	DISTRO_FEATURES = " acl xattr pci ext2 pam ipv4 ipv6 ipsec largefile usbhost"
	6
	7	VIRTUAL-RUNTIME_base-utils-syslog ?= "rsyslog"
	8	IMAGE_ROOTFS_EXTRA_SPACE = "524288"
	9	EXTRA_IMAGE_FEATURES_remove = "debug-tweaks"
	10
	11	DISABLE_ROOT ?= "True"


diff --git a/meta-hardening/conf/layer.conf b/meta-hardening/conf/layer.conf new file mode 100644 index 0000000..5896214 --- /dev/null +++ b/meta-hardening/conf/layer.conf
@@ -0,0 +1,13 @@
	1	# We have a conf and classes directory, add to BBPATH
	2	BBPATH .= ":${LAYERDIR}"
	3
	4	# We have a recipes directory, add to BBFILES
	5	BBFILES += "${LAYERDIR}/recipes//.bb ${LAYERDIR}/recipes//.bbappend"
	6
	7	BBFILE_COLLECTIONS += "harden-layer"
	8	BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
	9	BBFILE_PRIORITY_harden-layer = "10"
	10
	11	LAYERSERIES_COMPAT_harden-layer = "dunfell"
	12
	13	LAYERDEPENDS_harden-layer = "core openembedded-layer"


diff --git a/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend new file mode 100644 index 0000000..67be3f3 --- /dev/null +++ b/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
@@ -0,0 +1,13 @@
	1	do_install_append_harden () {
	2	# to hardend
	3	sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
	4	sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config
	5	sed -i -e 's:#LogLevel INFO:LogLevel VERBOSE:' ${D}${sysconfdir}/ssh/sshd_config
	6	sed -i -e 's:#MaxSessions.*:MaxSessions 2:' ${D}${sysconfdir}/ssh/sshd_config
	7	sed -i -e 's:#TCPKeepAlive yes:TCPKeepAlive no:' ${D}${sysconfdir}/ssh/sshd_config
	8	sed -i -e 's:#AllowAgentForwarding yes:AllowAgentForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
	9
	10	if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
	11	sed -i -e 's:#PermitRootLogin.*:PermitRootLogin prohibit-password:' ${D}${sysconfdir}/ssh/sshd_config
	12	fi
	13	}


diff --git a/meta-hardening/recipes-core/base-files/base-files_%.bbappend b/meta-hardening/recipes-core/base-files/base-files_%.bbappend new file mode 100644 index 0000000..3956304 --- /dev/null +++ b/meta-hardening/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1,4 @@
	1
	2	do_install_append_harden () {
	3	sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile
	4	}


diff --git a/meta-hardening/recipes-core/images/harden-image-minimal.bb b/meta-hardening/recipes-core/images/harden-image-minimal.bb new file mode 100644 index 0000000..daed3fb --- /dev/null +++ b/meta-hardening/recipes-core/images/harden-image-minimal.bb
@@ -0,0 +1,25 @@
	1	SUMMARY = "A small image for an example hardening OE."
	2
	3	IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening"
	4	IMAGE_INSTALL_append = " os-release"
	5
	6	IMAGE_FEATURES = ""
	7	IMAGE_LINGUAS = " "
	8
	9	LICENSE = "MIT"
	10
	11	IMAGE_ROOTFS_SIZE ?= "8192"
	12
	13	inherit core-image extrausers
	14
	15	ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
	16	DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
	17	DEFAULT_ADMIN_GROUP ?= "wheel"
	18	DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"
	19
	20	EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
	21
	22	EXTRA_USERS_PARAMS += "useradd ${DEFAULT_ADMIN_ACCOUNT};"
	23	EXTRA_USERS_PARAMS += "groupadd ${DEFAULT_ADMIN_GROUP};"
	24	EXTRA_USERS_PARAMS += "usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};"
	25	EXTRA_USERS_PARAMS += "usermod -aG ${DEFAULT_ADMIN_GROUP} ${DEFAULT_ADMIN_ACCOUNT};"


diff --git a/meta-hardening/recipes-core/initscripts/files/mountall.sh b/meta-hardening/recipes-core/initscripts/files/mountall.sh new file mode 100755 index 0000000..e093f96 --- /dev/null +++ b/meta-hardening/recipes-core/initscripts/files/mountall.sh
@@ -0,0 +1,41 @@
	1	#!/bin/sh
	2	### BEGIN INIT INFO
	3	# Provides: mountall
	4	# Required-Start: mountvirtfs
	5	# Required-Stop:
	6	# Default-Start: S
	7	# Default-Stop:
	8	# Short-Description: Mount all filesystems.
	9	# Description:
	10	### END INIT INFO
	11
	12	. /etc/default/rcS
	13
	14	#
	15	# Mount local filesystems in /etc/fstab. For some reason, people
	16	# might want to mount "proc" several times, and mount -v complains
	17	# about this. So we mount "proc" filesystems without -v.
	18	#
	19	test "$VERBOSE" != no && echo "Mounting local filesystems..."
	20	mkdir -p /home
	21	mkdir -p /var
	22	mount -at nonfs,nosmbfs,noncpfs 2>/dev/null
	23
	24	#
	25	# We might have mounted something over /dev, see if /dev/initctl is there.
	26	#
	27	if test ! -p /dev/initctl
	28	then
	29	rm -f /dev/initctl
	30	mknod -m 600 /dev/initctl p
	31	fi
	32	kill -USR1 1
	33
	34	#
	35	# Execute swapon command again, in case we want to swap to
	36	# a file on a now mounted filesystem.
	37	#
	38	[ -x /sbin/swapon ] && swapon -a
	39
	40	: exit 0
	41


diff --git a/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend new file mode 100644 index 0000000..896b039 --- /dev/null +++ b/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend
@@ -0,0 +1,8 @@
	1	FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
	2
	3	SRC_URI_append_harden = " file://mountall.sh"
	4
	5	do_install_append_harden() {
	6	install -d ${D}${sysconfdir}/init.d
	7	install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d
	8	}


diff --git a/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb new file mode 100644 index 0000000..1dcd5fc --- /dev/null +++ b/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb
@@ -0,0 +1,19 @@
	1	#
	2	#
	3	#
	4
	5	SUMMARY = "Hardening example group"
	6
	7	inherit packagegroup
	8
	9	PROVIDES = "${PACKAGES}"
	10	PACKAGES = "${PN} \
	11	packagegroup-${PN} \
	12	"
	13
	14	RDEPENDS_${PN} = "\
	15	init-ifupdown \
	16	${VIRTUAL-RUNTIME_base-utils-syslog} \
	17	sudo \
	18	${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-plugin-wheel", "",d)} \
	19	"


diff --git a/meta-hardening/recipes-extended/shadow/shadow_%.bbappend b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend new file mode 100644 index 0000000..3f363f0 --- /dev/null +++ b/meta-hardening/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,10 @@
	1	do_install_append_harden () {
	2	# to hardend
	3	sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs
	4	sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs
	5	sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' ${D}${sysconfdir}/login.defs
	6	sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' ${D}${sysconfdir}/login.defs
	7	sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' ${D}${sysconfdir}/login.defs
	8	sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' ${D}${sysconfdir}/login.defs
	9	sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' ${D}${sysconfdir}/login.defs
	10	}


diff --git a/meta-hardening/recipes-extended/sudo/sudo_%.bbappend b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend new file mode 100644 index 0000000..a31c081 --- /dev/null +++ b/meta-hardening/recipes-extended/sudo/sudo_%.bbappend
@@ -0,0 +1,7 @@
	1
	2	PACKAGECONFIG_append_harden = " pam-wheel"
	3	do_install_append_harden () {
	4	if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
	5	sed -i -e 's:root ALL=(ALL) ALL:#root ALL=(ALL) ALL:' ${D}${sysconfdir}/sudoers
	6	fi
	7	}