1 files changed, 31 insertions, 47 deletions
diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml
index dffba96e7d..72551fb7ab 100644
--- a/documentation/dev-manual/dev-manual-common-tasks.xml
+++ b/documentation/dev-manual/dev-manual-common-tasks.xml
@@ -3841,7 +3841,7 @@
        <title>Making Images More Secure</title>
        <para>
-            Security for a device is always a concern.
+            Security is of increasing concern for embedded devices.
            Consider the issues and problems discussed in just this
            sampling of work found across the Internet:
            <itemizedlist>
@@ -3872,15 +3872,14 @@ Gateways via their Web Interfaces</ulink>"</emphasis>
            image secure.
            Consequently, this section provides some guidance and suggestions
            for consideration when you want to make your image more secure.
-        </para>
+            <note>
+                Because the security requirements and risks are
-        <para>
+                different for every type of device, this section cannot
-            Because the security requirements and risks are
+                provide a complete reference on securing your custom OS.
-            different for every type of device, this section cannot
+                It is strongly recommended that you also consult other sources
-            provide a complete reference on securing your custom OS.
+                of information on embedded Linux system hardening and on
-            It is strongly recommended that you also consult other sources
+                security.
-            of information on embedded Linux system hardening and on
+            </note>
-            security.
        </para>
        <section id='general-considerations'>
@@ -3928,7 +3927,7 @@ Gateways via their Web Interfaces</ulink>"</emphasis>
                        Ensure you remove or disable debugging functionality
                        before producing the final image.
                        For information on how to do this, see the
-                        "<link linkend='considerations-specific-to-the-openembedded-build-system'>Considerations Specific to the OpenEmbedded Build System</link>
+                        "<link linkend='considerations-specific-to-the-openembedded-build-system'>Considerations Specific to the OpenEmbedded Build System</link>"
                        section.
                        </para></listitem>
                    <listitem><para>
@@ -4009,39 +4008,35 @@ Gateways via their Web Interfaces</ulink>"</emphasis>
                        during production.
                        </para></listitem>
                    <listitem><para>
-                        It is possible to set a root password for the image.
+                        It is possible to set a root password for the image
-                        When you set up root passwords for multiple images,
+                        and also to set passwords for any extra users you might
-                        you should not duplicate them.
+                        add (e.g. administrative or service type users).
-                        See the note on passwords at the end of this list.
+                        When you set up passwords for multiple images or
+                        users, you should not duplicate passwords.
                        </para>
                        <para>
-                        To set up a root password,
+                        To set up passwords, use the
-                        use the <filename>extrausers</filename>
+                        <filename>extrausers</filename> class, which is the
-                        class, which is the preferred method.
+                        preferred method.
-                        For an example on how to set up the root password,
+                        For an example on how to set up both root and user
-                        see the
+                        passwords, see the
                        "<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers.bbclass</filename></ulink>"
                        section.
                        <note>
-                            You can also see the the example in the
+                            When adding extra user accounts or setting a
-                            <ulink url='https://wiki.yoctoproject.org/wiki/FAQ:How_do_I_set_or_change_the_root_password'>How do I set or change the root password Wiki</ulink>
+                            root password, be cautious about setting the
-                            page as an alternative method.
+                            same password on every device.
+                            If you do this, and the password you have set
+                            is exposed, then every device is now potentially
+                            compromised.
+                            If you need this access but want to ensure
+                            security, consider setting a different,
+                            random password for each device.
+                            Typically, you do this as a separate step after
+                            you deploy the image onto the device.
                        </note>
                        </para></listitem>
                    <listitem><para>
-                        It is possible to add an additional user account
-                        for later administrative or service access.
-                        As with root passwords, be sure to not duplicate
-                        passwords for generic users (e.g. tester, qa, and
-                        so forth) across multiple devices.
-                        See the note on passwords following this list.
-                        </para>
-                        <para>
-                        As with the root password, you also use the
-                        <ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink>
-                        class.
-                        </para></listitem>
-                    <listitem><para>
                        Consider enabling a Mandatory Access Control (MAC)
                        framework (such as SMACK or SELinux) and tuning it
                        appropriately for your device's usage.
@@ -4050,17 +4045,6 @@ Gateways via their Web Interfaces</ulink>"</emphasis>
            </para>
            <para>
-                <note><title>A Note about Passwords</title>
-                    When adding extra user accounts or deciding on root
-                    passwords for multiple devices, be cautious about setting
-                    the same passwords for multiple users or devices.
-                    If you want the device to remain secure from unauthorized
-                    access, and the password set on all devices becomes
-                    compromised, then every device becomes compromised.
-                    If you need this access but want to ensure security,
-                    consider setting a different, random passwords for each
-                    user or device.
-                </note>
            </para>
        </section>

diff --git a/documentation/dev-manual/dev-manual-common-tasks.xml b/documentation/dev-manual/dev-manual-common-tasks.xml index dffba96e7d..72551fb7ab 100644 --- a/documentation/dev-manual/dev-manual-common-tasks.xml +++ b/documentation/dev-manual/dev-manual-common-tasks.xml
@@ -3841,7 +3841,7 @@
3841	<title>Making Images More Secure</title>	3841	<title>Making Images More Secure</title>
3842		3842
3843	<para>	3843	<para>
3844	Security for a device is always a concern.	3844	Security is of increasing concern for embedded devices.
3845	Consider the issues and problems discussed in just this	3845	Consider the issues and problems discussed in just this
3846	sampling of work found across the Internet:	3846	sampling of work found across the Internet:
3847	<itemizedlist>	3847	<itemizedlist>
@@ -3872,15 +3872,14 @@ Gateways via their Web Interfaces</ulink>"</emphasis>
3872	image secure.	3872	image secure.
3873	Consequently, this section provides some guidance and suggestions	3873	Consequently, this section provides some guidance and suggestions
3874	for consideration when you want to make your image more secure.	3874	for consideration when you want to make your image more secure.
3875	</para>	3875	<note>
3876		3876	Because the security requirements and risks are
3877	<para>	3877	different for every type of device, this section cannot
3878	Because the security requirements and risks are	3878	provide a complete reference on securing your custom OS.
3879	different for every type of device, this section cannot	3879	It is strongly recommended that you also consult other sources
3880	provide a complete reference on securing your custom OS.	3880	of information on embedded Linux system hardening and on
3881	It is strongly recommended that you also consult other sources	3881	security.
3882	of information on embedded Linux system hardening and on	3882	</note>
3883	security.
3884	</para>	3883	</para>
3885		3884
3886	<section id='general-considerations'>	3885	<section id='general-considerations'>
@@ -3928,7 +3927,7 @@ Gateways via their Web Interfaces</ulink>"</emphasis>
3928	Ensure you remove or disable debugging functionality	3927	Ensure you remove or disable debugging functionality
3929	before producing the final image.	3928	before producing the final image.
3930	For information on how to do this, see the	3929	For information on how to do this, see the
3931	"<link linkend='considerations-specific-to-the-openembedded-build-system'>Considerations Specific to the OpenEmbedded Build System</link>	3930	"<link linkend='considerations-specific-to-the-openembedded-build-system'>Considerations Specific to the OpenEmbedded Build System</link>"
3932	section.	3931	section.
3933	</para></listitem>	3932	</para></listitem>
3934	<listitem><para>	3933	<listitem><para>
@@ -4009,39 +4008,35 @@ Gateways via their Web Interfaces</ulink>"</emphasis>
4009	during production.	4008	during production.
4010	</para></listitem>	4009	</para></listitem>
4011	<listitem><para>	4010	<listitem><para>
4012	It is possible to set a root password for the image.	4011	It is possible to set a root password for the image
4013	When you set up root passwords for multiple images,	4012	and also to set passwords for any extra users you might
4014	you should not duplicate them.	4013	add (e.g. administrative or service type users).
4015	See the note on passwords at the end of this list.	4014	When you set up passwords for multiple images or
		4015	users, you should not duplicate passwords.
4016	</para>	4016	</para>
4017	<para>	4017	<para>
4018	To set up a root password,	4018	To set up passwords, use the
4019	use the <filename>extrausers</filename>	4019	<filename>extrausers</filename> class, which is the
4020	class, which is the preferred method.	4020	preferred method.
4021	For an example on how to set up the root password,	4021	For an example on how to set up both root and user
4022	see the	4022	passwords, see the
4023	"<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers.bbclass</filename></ulink>"	4023	"<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers.bbclass</filename></ulink>"
4024	section.	4024	section.
4025	<note>	4025	<note>
4026	You can also see the the example in the	4026	When adding extra user accounts or setting a
4027	<ulink url='https://wiki.yoctoproject.org/wiki/FAQ:How_do_I_set_or_change_the_root_password'>How do I set or change the root password Wiki</ulink>	4027	root password, be cautious about setting the
4028	page as an alternative method.	4028	same password on every device.
		4029	If you do this, and the password you have set
		4030	is exposed, then every device is now potentially
		4031	compromised.
		4032	If you need this access but want to ensure
		4033	security, consider setting a different,
		4034	random password for each device.
		4035	Typically, you do this as a separate step after
		4036	you deploy the image onto the device.
4029	</note>	4037	</note>
4030	</para></listitem>	4038	</para></listitem>
4031	<listitem><para>	4039	<listitem><para>
4032	It is possible to add an additional user account
4033	for later administrative or service access.
4034	As with root passwords, be sure to not duplicate
4035	passwords for generic users (e.g. tester, qa, and
4036	so forth) across multiple devices.
4037	See the note on passwords following this list.
4038	</para>
4039	<para>
4040	As with the root password, you also use the
4041	<ulink url='&YOCTO_DOCS_REF_URL;#ref-classes-extrausers'><filename>extrausers</filename></ulink>
4042	class.
4043	</para></listitem>
4044	<listitem><para>
4045	Consider enabling a Mandatory Access Control (MAC)	4040	Consider enabling a Mandatory Access Control (MAC)
4046	framework (such as SMACK or SELinux) and tuning it	4041	framework (such as SMACK or SELinux) and tuning it
4047	appropriately for your device's usage.	4042	appropriately for your device's usage.
@@ -4050,17 +4045,6 @@ Gateways via their Web Interfaces</ulink>"</emphasis>
4050	</para>	4045	</para>
4051		4046
4052	<para>	4047	<para>
4053	<note><title>A Note about Passwords</title>
4054	When adding extra user accounts or deciding on root
4055	passwords for multiple devices, be cautious about setting
4056	the same passwords for multiple users or devices.
4057	If you want the device to remain secure from unauthorized
4058	access, and the password set on all devices becomes
4059	compromised, then every device becomes compromised.
4060	If you need this access but want to ensure security,
4061	consider setting a different, random passwords for each
4062	user or device.
4063	</note>
4064	</para>	4048	</para>
4065	</section>	4049	</section>
4066		4050