Diff - cc58928593c3952679181b6bf8e4113080ffa867^! - mdmillerii/openbmc

commit	cc58928593c3952679181b6bf8e4113080ffa867	[log] [tgz]
author	Andrew Geissler <geissonator@yahoo.com>	Fri Sep 18 13:34:40 2020 -0500
committer	Andrew Geissler <geissonator@yahoo.com>	Fri Sep 18 13:34:49 2020 -0500
tree	e4c5a6818fc647aa8e338fceb9b09a042dcc4b8b
parent	19b4e6c6daefcbe72afe57874d2e48c43c418321 [diff] [blame]

meta-security: subtree update:787ba6faea..d6baccc068

Armin Kuster (20):
      trousers: update to tip
      upload-error-report: add script to upload errors
      kas/kas-security-base.yml: lets enable error reporting
      .gitlab: send error reports
      cryptsetup-tpm-incubator: drop recipe
      sssd: Avoid nss function conflicts with glibc nss.h
      cryptsetup-tpm-incubator: remove reference from other files
      packagegroup-core-security: dont include suricata on riscv or ppc
      kas-security-base: add testimage
      kas: add test config
      kas: add one dm-verify image build
      gitlab-ci: add dm-verify-image
      gitlab-ci: add testimage
      meta-harden: Add a layer to demo harding OE/YP
      kas-security-base: define sections as base
      packagegroup-core-security: add more pkgs to base group
      apparmor: exclude mips64, not supported
      kas: add alt and mutli build images
      kas-security-base: set RPM and disable ptest
      qemu test: set ptest

Charlie Davies (1):
      clamav: update SO_VER to 9.0.4

Jens Rehsack (2):
      ibmswtpm2: update to 1637
      ibmtpm2tss: add recipe

Jonatan Pålsson (1):
      sssd: Make manpages buildable

Qi.Chen@windriver.com (1):
      nss: update patch to fix do_patch error

Zheng Ruoqin (1):
      trousers: Fix the problem that do_package fails when multilib is enabled.

niko.mauno@vaisala.com (12):
      dm-verity-img.bbclass: Fix bashisms
      dm-verity-img.bbclass: Reorder parse-time check
      dm-verity-image-initramfs: Ensure verity hash sync
      dm-verity-image-initramfs: Bind at do_image instead
      linux-yocto(-dev): Add dm-verity fragment as needed
      dm-verity-img.bbclass: Stage verity.env file
      initramfs-framework: Add dmverity module
      dm-verity-image-initramfs: Use initramfs-framework
      dm-verity-initramfs-image: Cosmetic improvements
      dm-verity-image-initramfs: Add base-passwd package
      dm-verity-image-initramfs: Drop locales from image
      beaglebone-yocto-verity.wks.in: Refer IMGDEPLOYDIR

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I9f2debc1f48092734569fd106b56cd7bcb6180b7

diff --git a/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend
new file mode 100644
index 0000000..67be3f3
--- /dev/null
+++ b/meta-security/meta-hardening/recipes-connectivity/openssh/openssh_%.bbappend

@@ -0,0 +1,13 @@
+do_install_append_harden () {
+	# to hardend
+	sed -i -e 's:#AllowTcpForwarding yes:AllowTcpForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
+	sed -i -e 's:ClientAliveCountMax 4:ClientAliveCountMax 2:' ${D}${sysconfdir}/ssh/sshd_config
+	sed -i -e 's:#LogLevel INFO:LogLevel VERBOSE:' ${D}${sysconfdir}/ssh/sshd_config
+	sed -i -e 's:#MaxSessions.*:MaxSessions 2:' ${D}${sysconfdir}/ssh/sshd_config
+	sed -i -e 's:#TCPKeepAlive yes:TCPKeepAlive no:' ${D}${sysconfdir}/ssh/sshd_config
+	sed -i -e 's:#AllowAgentForwarding yes:AllowAgentForwarding no:' ${D}${sysconfdir}/ssh/sshd_config
+
+    if [ "${@bb.utils.contains('DISABLE_ROOT', 'True', 'yes', 'no', d)}" = "yes" ]; then
+        sed -i -e 's:#PermitRootLogin.*:PermitRootLogin prohibit-password:' ${D}${sysconfdir}/ssh/sshd_config
+    fi
+}