-rw-r--r-- | documentation/dev-manual/dev-manual-common-tasks.xml | 120 |
1 files changed, 92 insertions, 28 deletions
diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml index 89437f7764..dffba96e7d 100644 --- a/documentation/dev-manual/dev-manual-common-tasks.xml +++ b/documentation/dev-manual/dev-manual-common-tasks.xml | |||
@@ -3841,14 +3841,46 @@ | |||
3841 | <title>Making Images More Secure</title> | 3841 | <title>Making Images More Secure</title> |
3842 | 3842 | ||
3843 | <para> | 3843 | <para> |
3844 | If securing your image is of concern, there are steps, tools, | 3844 | Security for a device is always a concern. |
3845 | Consider the issues and problems discussed in just this | ||
3846 | sampling of work found across the Internet: | ||
3847 | <itemizedlist> | ||
3848 | <listitem><para><emphasis> | ||
3849 | "<ulink url='https://www.schneier.com/blog/archives/2014/01/security_risks_9.html'>Security Risks of Embedded Systems</ulink>"</emphasis> | ||
3850 | by Bruce Schneier | ||
3851 | </para></listitem> | ||
3852 | <listitem><para><emphasis> | ||
3853 | "<ulink url='http://internetcensus2012.bitbucket.org/paper.html'>Internet Census 2012</ulink>"</emphasis> | ||
3854 | by Carna Botnet</para></listitem> | ||
3855 | <listitem><para><emphasis> | ||
3856 | "<ulink url='http://elinux.org/images/6/6f/Security-issues.pdf'>Security Issues for Embedded Devices</ulink>"</emphasis> | ||
3857 | by Jake Edge | ||
3858 | </para></listitem> | ||
3859 | <listitem><para><emphasis> | ||
3860 | "<ulink url='https://www.nccgroup.com/media/18475/exploiting_security_gateways_via_their_web_interfaces.pdf'>They ought to know better: Exploiting Security | ||
3861 | Gateways via their Web Interfaces</ulink>"</emphasis> | ||
3862 | by Ben Williams | ||
3863 | </para></listitem> | ||
3864 | </itemizedlist> | ||
3865 | </para> | ||
3866 | |||
3867 | <para> | ||
3868 | When securing your image is of concern, there are steps, tools, | ||
3845 | and variables that you can consider to help you reach the | 3869 | and variables that you can consider to help you reach the |
3846 | security goals you need for your particular device. | 3870 | security goals you need for your particular device. |
3847 | Not all situations are identical when it comes to making an | 3871 | Not all situations are identical when it comes to making an |
3848 | image secure. | 3872 | image secure. |
3849 | Consequently, this section provides some guidance and suggestions | 3873 | Consequently, this section provides some guidance and suggestions |
3850 | for consideration when you want to make your image more secure. | 3874 | for consideration when you want to make your image more secure. |
3851 | The section does not offer a complete solution. | 3875 | </para> |
3876 | |||
3877 | <para> | ||
3878 | Because the security requirements and risks are | ||
3879 | different for every type of device, this section cannot | ||
3880 | provide a complete reference on securing your custom OS. | ||
3881 | It is strongly recommended that you also consult other sources | ||
3882 | of information on embedded Linux system hardening and on | ||
3883 | security. | ||
3852 | </para> | 3884 | </para> |
3853 | 3885 | ||
3854 | <section id='general-considerations'> | 3886 | <section id='general-considerations'> |
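Review bot: Two of the four links added in the new itemizedlist (new lines 3853 and 3856) use plain http:// URLs, and all four point at third-party pages that can move or disappear. Use https where the host offers it, and consider whether the manual should depend on external blog and PDF links for its motivation at all. The "Internet Census 2012" item also closes its `</para></listitem>` on the same line as the author (new line 3854), unlike the other three items; make the four items consistent.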
@@ -3895,7 +3927,10 @@ | |||
3895 | <listitem><para> | 3927 | <listitem><para> |
3896 | Ensure you remove or disable debugging functionality | 3928 | Ensure you remove or disable debugging functionality |
3897 | before producing the final image. | 3929 | before producing the final image. |
3898 | </para></listitem> | 3930 | For information on how to do this, see the |
3931 | "<link linkend='considerations-specific-to-the-openembedded-build-system'>Considerations Specific to the OpenEmbedded Build System</link> | ||
3932 | section. | ||
3933 | </para></listitem> | ||
3899 | <listitem><para> | 3934 | <listitem><para> |
3900 | Ensure you have no network services listening that | 3935 | Ensure you have no network services listening that |
3901 | are not needed. | 3936 | are not needed. |
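Review bot: The cross-reference added at new line 3931 opens a double quote before `<link linkend='considerations-specific-to-the-openembedded-build-system'>` but never closes it after `</link>`, so the rendered sentence has an unbalanced quote. Add the closing `"` directly after `</link>`, matching the quoted `<ulink>` references used elsewhere in this patch.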
@@ -3929,6 +3964,7 @@ | |||
3929 | </para> | 3964 | </para> |
3930 | 3965 | ||
3931 | <para> | 3966 | <para> |
3967 | <!-- | ||
3932 | The GCC/LD flags in <filename>security_flags.inc</filename> | 3968 | The GCC/LD flags in <filename>security_flags.inc</filename> |
3933 | enable more secure code generation. | 3969 | enable more secure code generation. |
3934 | By including the <filename>security_flags.inc</filename> | 3970 | By including the <filename>security_flags.inc</filename> |
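Review bot: The `<!--` added at new line 3967 hides the only sentence in this paragraph that says what security_flags.inc does ("enable more secure code generation"), so the paragraph now starts directly with the instruction to add the `require` line. If the commented text is obsolete, delete it instead of leaving it commented out in the source, and keep a one-sentence statement of what the flags are for ahead of the instruction.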
@@ -3938,10 +3974,11 @@ | |||
3938 | The GCC/LD flags are enabled by default in the | 3974 | The GCC/LD flags are enabled by default in the |
3939 | <filename>poky-lsb</filename> distribution. | 3975 | <filename>poky-lsb</filename> distribution. |
3940 | </note> | 3976 | </note> |
3977 | --> | ||
3941 | Use the following line in your | 3978 | Use the following line in your |
3942 | <filename>local.conf</filename> file | 3979 | <filename>local.conf</filename> file or in your custom |
3943 | to enable the security compiler and | 3980 | distribution configuration file to enable the security |
3944 | linker flags to your build: | 3981 | compiler and linker flags to your build: |
3945 | <literallayout class='monospaced'> | 3982 | <literallayout class='monospaced'> |
3946 | require conf/distro/include/security_flags.inc | 3983 | require conf/distro/include/security_flags.inc |
3947 | </literallayout> | 3984 | </literallayout> |
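Review bot: The reworded sentence at new lines 3978-3981 says "enable the security compiler and linker flags to your build"; "for your build" reads correctly. The `-->` at new line 3977 also leaves the note about the flags being enabled by default in poky-lsb commented out; if that statement is no longer true, remove it and say so in the commit message, otherwise keep it visible.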
@@ -3966,38 +4003,65 @@ | |||
3966 | sure that it does not have "debug-tweaks" before | 4003 | sure that it does not have "debug-tweaks" before |
3967 | producing your final image. | 4004 | producing your final image. |
3968 | Among other things, leaving this in place sets the | 4005 | Among other things, leaving this in place sets the |
3969 | root password as blank. | 4006 | root password as blank, which makes logging in for |
4007 | debugging or inspection easy during | ||
4008 | development but also means anyone can easily log in | ||
4009 | during production. | ||
3970 | </para></listitem> | 4010 | </para></listitem> |
3971 | <listitem><para> | 4011 | <listitem><para> |
3972 | It is possible to set a root password for the image. | 4012 | It is possible to set a root password for the image. |
3973 | For information on how to do that, see the | 4013 | When you set up root passwords for multiple images, |
3974 | <ulink url='https://wiki.yoctoproject.org/wiki/FAQ:How_do_I_set_or_change_the_root_password'>How do I set or change the root password</ulink> | 4014 | you should not duplicate them. |
3975 | Wiki page. | 4015 | See the note on passwords at the end of this list. |
4016 | </para> | ||
4017 | <para> | ||
4018 | To set up a root password, | ||
4019 | use the <filename>extrausers</filename> | ||
4020 | class, which is the preferred method. | ||
4021 | For an example on how to set up the root password, | ||
4022 | see the | ||
4023 | "<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers.bbclass</filename></ulink>" | ||
4024 | section. | ||
4025 | <note> | ||
4026 | You can also see the the example in the | ||
4027 | <ulink url='https://wiki.yoctoproject.org/wiki/FAQ:How_do_I_set_or_change_the_root_password'>How do I set or change the root password Wiki</ulink> | ||
4028 | page as an alternative method. | ||
4029 | </note> | ||
3976 | </para></listitem> | 4030 | </para></listitem> |
3977 | <listitem><para> | 4031 | <listitem><para> |
3978 | It is possible to add an additional user account | 4032 | It is possible to add an additional user account |
3979 | for later administrative or service access using the | 4033 | for later administrative or service access. |
3980 | <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink> | 4034 | As with root passwords, be sure to not duplicate |
3981 | class or the | 4035 | passwords for generic users (e.g. tester, qa, and |
3982 | <ulink url='&YOCTO_DOCS_REF_URL;#var-ROOTFS_POSTPROCESS_COMMAND'><filename>ROOTFS_POSTPROCESS_COMMAND</filename></ulink> | 4036 | so forth) across multiple devices. |
3983 | variable. | 4037 | See the note on passwords following this list. |
3984 | For an example on how to add users, see the | ||
3985 | "<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers.bbclass</filename></ulink>" | ||
3986 | section. | ||
3987 | </para> | 4038 | </para> |
3988 | <para>If you do add extra user accounts, | 4039 | <para> |
3989 | be cautious about setting | 4040 | As with the root password, you also use the |
3990 | the same password for every device. | 4041 | <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink> |
3991 | If you want the device to remain secure | 4042 | class. |
3992 | from unauthorized access, and the password set on | 4043 | </para></listitem> |
3993 | all devices becomes compromised, then every device | 4044 | <listitem><para> |
3994 | becomes compromised. | 4045 | Consider enabling a Mandatory Access Control (MAC) |
3995 | If you need this access but want to ensure security, | 4046 | framework (such as SMACK or SELinux) and tuning it |
3996 | consider setting a different, random password for each | 4047 | appropriately for your device's usage. |
3997 | device. | ||
3998 | </para></listitem> | 4048 | </para></listitem> |
3999 | </itemizedlist> | 4049 | </itemizedlist> |
4000 | </para> | 4050 | </para> |
4051 | |||
4052 | <para> | ||
4053 | <note><title>A Note about Passwords</title> | ||
4054 | When adding extra user accounts or deciding on root | ||
4055 | passwords for multiple devices, be cautious about setting | ||
4056 | the same passwords for multiple users or devices. | ||
4057 | If you want the device to remain secure from unauthorized | ||
4058 | access, and the password set on all devices becomes | ||
4059 | compromised, then every device becomes compromised. | ||
4060 | If you need this access but want to ensure security, | ||
4061 | consider setting a different, random passwords for each | ||
4062 | user or device. | ||
4063 | </note> | ||
4064 | </para> | ||
4001 | </section> | 4065 | </section> |
4002 | 4066 | ||
4003 | <section id='tools-for-hardening-your-image'> | 4067 | <section id='tools-for-hardening-your-image'> |
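Review bot: The new password text has two typos: "the the example" at new line 4026 and "a different, random passwords" at new line 4061, which should read "a different, random password". The two pointers to the password note also disagree: new line 4015 says "at the end of this list" while new line 4037 says "following this list"; the note is placed after the closing `</itemizedlist>`, so use "following this list" in both. The hunk drops the ROOTFS_POSTPROCESS_COMMAND reference for adding users without replacement; confirm that is intended. The new MAC item (new lines 4045-4047) names SMACK and SELinux but gives the reader no pointer on how to enable either, so a cross-reference there would help.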