| Andrew Geissler | cc58928 | 2020-09-18 13:34:40 -0500 | [diff] [blame] | 1 | # This is an example for Security hardening an OE or Poky image |
| 2 | |
| 3 | |
| 4 | Meta-hardening |
| 5 | ============= |
| 6 | |
| 7 | This layer provides examples for hardening OE/Yocto images. |
| 8 | This layer does not provide 100% security protection. This is only |
| 9 | a framework from which a user can build from and can possible contribute to. |
| 10 | The goal here is to capture use cases and examples the community decided shares for |
| 11 | everyones benefit. |
| 12 | |
| 13 | Building the meta-hardening layer |
| 14 | ------------------------------- |
| 15 | In order to add hardening support to the poky/OE build this layer should be added |
| 16 | to your projects bblayers.conf file. |
| 17 | |
| 18 | By default the hardening components are disabled. This conforms to the |
| 19 | Yocto Project compatible guideline that indicate that simply including a |
| 20 | layer should not change the system behavior. |
| 21 | |
| 22 | In order to use the components in this layer to take affect the 'harden' keyword must |
| 23 | set the DISTRO as in "DISTRO = harden". This enables the "NO ROOT access" idea or framework. |
| 24 | |
| 25 | If one wants the a more complete example of a hardened image, one must also build the image: |
| 26 | harden-image-minimal |
| 27 | |
| 28 | There are default example userid and passwards: |
| 29 | These can be over written in your local.conf via: |
| 30 | ROOT_DEFAULT_PASSWORD ?= "1SimplePw!" |
| 31 | DEFAULT_ADMIN_ACCOUNT ?= "myadmin" |
| 32 | |
| 33 | example: |
| 34 | local.conf |
| 35 | DISTRO = "harden" |
| 36 | |
| 37 | The default user and password are: |
| 38 | User: "myadmin" |
| 39 | Password: "1SimplePw!" |
| 40 | |
| 41 | bitbake {qemu machine} harden-image-minimal |
| 42 | |
| 43 | Dependencies |
| 44 | ============ |
| 45 | |
| 46 | Branch: master |
| 47 | |
| 48 | This layer depends on: |
| 49 | |
| 50 | URI: git://git.yoctoproject.org/poky |
| 51 | |
| 52 | or this normal combo: |
| 53 | |
| 54 | URI: git://git.openembedded.org/meta-openembedded/meta-oe |
| 55 | |
| 56 | URI: git://git.openembedded.org/bitbake |
| 57 | |
| 58 | plus: |
| 59 | |
| 60 | URI: git://git.openembedded.org/meta-openembedded |
| 61 | layers: meta-oe |
| 62 | |
| 63 | |
| 64 | Maintenance |
| 65 | ----------- |
| 66 | |
| Andrew Geissler | d159c7f | 2021-09-02 21:05:58 -0500 | [diff] [blame^] | 67 | Send pull requests, patches, comments or questions to yocto@lists.yoctoproject.org |
| Andrew Geissler | cc58928 | 2020-09-18 13:34:40 -0500 | [diff] [blame] | 68 | |
| 69 | When sending single patches, please using something like: |
| Andrew Geissler | d159c7f | 2021-09-02 21:05:58 -0500 | [diff] [blame^] | 70 | 'git send-email -1 --to yocto@lists.yoctoproject.org --subject-prefix=meta-hardening][PATCH' |
| Andrew Geissler | cc58928 | 2020-09-18 13:34:40 -0500 | [diff] [blame] | 71 | |
| 72 | These values can be set as defaults for this repository: |
| 73 | |
| Andrew Geissler | d159c7f | 2021-09-02 21:05:58 -0500 | [diff] [blame^] | 74 | $ git config sendemail.to yocto@lists.yoctoproject.org |
| Andrew Geissler | cc58928 | 2020-09-18 13:34:40 -0500 | [diff] [blame] | 75 | $ git config format.subjectPrefix meta-hardening][PATCH |
| 76 | |
| 77 | Now you can just do 'git send-email origin/master' to send all local patches. |
| 78 | |
| 79 | Maintainers: Armin Kuster <akuster808@gmail.com> |
| 80 | |
| 81 | License |
| 82 | ======= |
| 83 | |
| 84 | All metadata is MIT licensed unless otherwise stated. Source code included |
| 85 | in tree for individual recipes is under the LICENSE stated in each recipe |
| 86 | (.bb file) unless otherwise stated. |