Commit b25db557 authored by Kamil Dzieżyk's avatar Kamil Dzieżyk

ewaol-[distro,tests],doc: Change umask to '0027' for ewaol-security



This patch brings the following changes:
 - Sets the umask to '0027' if 'ewaol-security' is in 'DISTRO_FEATURES'.
 - Adds one sub-test that checks if the umask value is correct to
   'user accounts management additional security tests'.
 - Updates the documentation.

Issue-Id: SCM-4415
Signed-off-by: Kamil Dzieżyk's avatarKamil Dziezyk <kamil.dziezyk@arm.com>
Change-Id: Ibe080bb64aa5edd8cafbe8ac9b940feff94d698e
parent 3ddb00c2
......@@ -22,6 +22,8 @@ distribution to:
``--with-libcap[-ng]``.
* Remove ``debug-tweaks`` from ``IMAGE_FEATURES``.
* Disable all login access to the ``root`` account.
* Sets the umask to ``0027`` (which translates permissions as ``640`` for
files and ``750`` for directories).
Security hardening is not enabled by default, see
:ref:`manual_build_system_security_hardening` for details on including the
......
......@@ -432,7 +432,8 @@ that are built with EWAOL security hardening, additional security-related
validation is included in the test suite for these images, both on EWAOL
baremetal and virtualization distribution images. These additional tests
validate that the appropriate password requirements and root-user access
restrictions are correctly imposed.
restrictions are correctly imposed, and that the mask configuration for
permission control of newly created files and directories is applied correctly.
The test suite therefore contains three top-level integration tests, two of
which are conditionally executed, as follows:
......@@ -445,13 +446,14 @@ which are conditionally executed, as follows:
| 1.3. Check the default non-privileged EWAOL user account does not have
``sudo`` command access
| 2. ``user accounts management additional security tests`` is only included for
images configured with EWAOL security hardening, and is composed of three
images configured with EWAOL security hardening, and is composed of four
sub-tests:
| 2.1. Log-in to a local console using the non-privileged EWAOL user account
| - As part of the log-in procedure, validate the user is prompted to
set an account password
| 2.2. Check that log-in to a local console using the root account fails
| 2.3. Check that SSH log-in to localhost using the root account fails
| 2.4. Check that the umask value is set correctly
| 3. ``run user accounts integration tests on the Guest VM from the Control VM``
is only included for EWAOL virtualization distribution images, and is only
executed on the Control VM. On the Guest VM this test is skipped. The test
......
......@@ -122,6 +122,7 @@ libpcre
libpcre2
licensees
license.rst
localhost
loopback
lts
m
......@@ -242,8 +243,8 @@ yaml
yocto
yocto_layers
yocto's
localhost
ua_test_clean_env
ua_test_log_dir
ua_test_guest_vm_name
umask
user-accounts-integration-tests.bb
......@@ -27,6 +27,8 @@ DISTRO_FEATURES:append = " seccomp"
KERNEL_FEATURES:append = " features/security/security.scc"
EWAOL_SECURITY_UMASK = "0027"
# Make sure that libcap[-ng] is enabled for all below packages:
# meta-openembedded/meta-networking
PACKAGECONFIG:append:pn-freeradius = " libcap"
......
......@@ -4,12 +4,26 @@
FILESEXTRAPATHS:prepend:ewaol := "${THISDIR}/files:"
OVERRIDES:append = "${EWAOL_OVERRIDES}"
SRC_URI:append:ewaol = " file://ewaol_profile.sh"
EWAOL_SECURITY_UMASK ??= "0027"
do_install:append:ewaol() {
# PS1 is set inside ewaol_profile.sh
sed -i '/PS1/d' ${D}${sysconfdir}/skel/.bashrc
install -d ${D}${sysconfdir}/profile.d
install -m 0644 ${WORKDIR}/ewaol_profile.sh ${D}${sysconfdir}/profile.d/ewaol_profile.sh
install -m 0644 ${WORKDIR}/ewaol_profile.sh \
${D}${sysconfdir}/profile.d/ewaol_profile.sh
}
do_install:append:ewaol-security() {
# set more secure umask
sed -i "s/umask.*/umask ${EWAOL_SECURITY_UMASK}/g" \
${D}${sysconfdir}/profile
sed -i "s/umask.*/umask ${EWAOL_SECURITY_UMASK}/g" \
${D}${sysconfdir}/skel/.bashrc
}
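Review bot: Both `sed` expressions in `do_install:append:ewaol-security` use the unanchored pattern `umask.*`, so they rewrite any line containing the word (comments included) and silently do nothing if the packaged `profile` or `skel/.bashrc` has no such line, in which case the image builds with the default umask and no error. Anchoring to the command, e.g. `sed -i "s/^\([[:space:]]*\)umask[[:space:]].*/\1umask ${EWAOL_SECURITY_UMASK}/"`, and then failing the task when the value is absent, e.g. `grep -q "^[[:space:]]*umask ${EWAOL_SECURITY_UMASK}" ${D}${sysconfdir}/profile || bbfatal "umask not set in profile"`, would make the hardening fail closed. The same applies to the `UMASK.*` substitution on `login.defs` in the shadow append later in this commit, where comment lines that mention UMASK would presumably be rewritten as well.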
......@@ -2,8 +2,18 @@
#
# SPDX-License-Identifier: MIT
OVERRIDES:append = "${EWAOL_OVERRIDES}"
do_install:append:ewaol() {
# Make sure that users cannot access to each other HOME directory
sed -i 's/#HOME_MODE/HOME_MODE/g' ${D}${sysconfdir}/login.defs
}
EWAOL_SECURITY_UMASK ??= "0027"
do_install:append:ewaol-security() {
# set more secure UMASK
sed -i "s/UMASK.*/UMASK\t\t${EWAOL_SECURITY_UMASK}/g" \
${D}${sysconfdir}/login.defs
}
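Review bot: The `UMASK` value written to `login.defs` only takes effect if something reads it at session start; on PAM-enabled builds that is normally `pam_umask`, and nothing visible in this commit adds it to the session stack. Combined with the `/etc/profile` and `.bashrc` edits, this presumably covers interactive shells, while non-interactive SSH commands and system services would keep their own default. The comment `# set more secure UMASK` could state that scope, e.g. `# UMASK is read at login (e.g. by pam_umask when enabled); services and non-login sessions are not covered`, or the commit could confirm that pam_umask is configured elsewhere.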
......@@ -53,6 +53,9 @@ do_install:append:ewaol-security() {
"${D}/${TEST_DIR}/user-accounts-additional-security-tests.bats" \
>> "${D}/${TEST_DIR}/user-accounts-integration-tests.bats"
sed -i "s#%EWAOL_SECURITY_UMASK%#${EWAOL_SECURITY_UMASK}#g" \
"${D}/${TEST_DIR}/user-accounts-security-funcs.sh"
rm "${D}/${TEST_DIR}/user-accounts-additional-security-tests.bats"
}
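Review bot: `${EWAOL_SECURITY_UMASK}` is used in this recipe's `do_install:append:ewaol-security` without a visible default, unlike the two bbappends in this commit, which each add `EWAOL_SECURITY_UMASK ??= "0027"`. If the variable is not provided by the distro configuration, the `%EWAOL_SECURITY_UMASK%` placeholder would presumably be replaced with an empty or unexpanded value, and `check_umask` would then compare against that. Adding `EWAOL_SECURITY_UMASK ??= "0027"` near the top of this recipe would keep the three consistent. The function starts outside the hunk, so a default may already exist there.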
......
......@@ -40,5 +40,14 @@ load user-accounts-security-funcs.sh
log "PASS" "${subtest}"
fi
subtest="Check umask setting for '${TEST_SUDO_USER}' account."
_run check_umask
if [ "${status}" -ne 0 ]; then
log "FAIL" "${subtest}"
return 1
else
log "PASS" "${subtest}"
fi
log "PASS"
}
......@@ -49,3 +49,16 @@ check_user_remote_access() {
-console "ssh" \
2>"${TEST_STDERR_FILE}"
}
EWAOL_SECURITY_UMASK="%EWAOL_SECURITY_UMASK%"
check_umask() {
umask_val="$(umask 2>"${TEST_STDERR_FILE}")"
if [ "${umask_val}" = "${EWAOL_SECURITY_UMASK}" ]; then
return 0
else
echo "Wrong umask setting! current: '${umask_val}'," \
"expected: '${EWAOL_SECURITY_UMASK}'."
return 1
fi
}
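Review bot: `check_umask` reads `umask` from the shell that executes the test function, so it verifies that one session only; unless `_run` starts a fresh login as `${TEST_SUDO_USER}` (not visible here), a pass does not show that `/etc/profile`, `skel/.bashrc` and `login.defs` were each patched. The comparison is also a string match, so an equivalent setting written as `027` would fail against a shell that prints `0027`; comparing numerically, `[ "$((0${umask_val}))" -eq "$((0${EWAOL_SECURITY_UMASK}))" ]`, avoids that. A short header comment stating which session's umask is being checked would help, and `umask_val` could be declared `local` if the suite always runs under bash.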