..
 # SPDX-FileCopyrightText: Copyright (c) 2024, Linaro Limited.
 #
 # SPDX-FileCopyrightText: Copyright 2022, Arm Limited and/or its
 # affiliates
 #
 # SPDX-License-Identifier: MIT

##################
Security Hardening
##################

Cassini distribution images can be hardened to reduce potential sources of
security vulnerabilities and attack vectors. Cassini security hardening
modifies the distribution to:

* Force a password update for each user account after the first login.
  An empty and expired password is set for each user account by default.

* Enhance kernel security by extending the kernel configuration with
  ``security.scc`` in ``KERNEL_FEATURES``.

* Enable the 'Secure Computing Mode' (seccomp) Linux kernel feature by
  appending ``seccomp`` to ``DISTRO_FEATURES``.

* Ensure that all available packages from the ``meta-openembedded`` and
  ``poky`` layers are configured with ``--with-libcap[-ng]``.

* Remove ``empty-root-password allow-root-login post-install-logging``
  from ``IMAGE_FEATURES``.

* Enable ``allow-empty-password`` to allow empty passwords on
  Cassini image boot.

* Disable all login access to the ``root`` account.

  .. note::
     When the ``cassini-test`` distro feature is enabled, ``root`` login is
     enabled. Currently, running ``inline tests`` in LAVA requires logging in
     as ``root`` to run ``transfer-overlay`` commands.

* Set the umask to ``0027`` (which translates to permissions of ``640`` for
  files and ``750`` for directories).

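
The checks below are an added example, not part of the Cassini project: POSIX
shell helpers that audit a ``shadow(5)``-format file and a umask against the
items in the list above. It assumes a disabled ``root`` login appears as a
password field starting with ``!`` or ``*``; the function names, account names
and sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Cassini code. Sample data below is constructed.

# Print the file and directory modes a umask produces, e.g. "640 750".
umask_modes() {
    printf '%o %o\n' $(( 0666 & ~0$1 )) $(( 0777 & ~0$1 ))
}

# Classify each account in a shadow(5)-format file ($1):
#   locked           password field starts with '!' or '*' (assumed to be
#                    how a disabled login appears)
#   must-change      empty password, last-change field 0: update is forced
#   empty-no-expiry  empty password that never has to be changed (finding)
#   has-password     a hash is already set
shadow_audit() {
    awk -F: '
        $2 ~ /^[!*]/          { print $1, "locked"; next }
        $2 == "" && $3 == "0" { print $1, "must-change"; next }
        $2 == ""              { print $1, "empty-no-expiry"; next }
                              { print $1, "has-password" }
    ' "$1"
}

# Succeed only if root is locked and no empty password escapes expiry.
shadow_hardened() {
    report=$(shadow_audit "$1")
    echo "$report" | grep -qx 'root locked' || return 1
    ! echo "$report" | grep -q ' empty-no-expiry$'
}

# Constructed sample; account names are hypothetical.
write_sample() {
    cat > "$1" <<'EOF'
root:!:19700:0:99999:7:::
alice::0:0:99999:7:::
bob::19700:0:99999:7:::
EOF
}

sample=$(mktemp)
write_sample "$sample"
umask_modes 0027
shadow_audit "$sample"
shadow_hardened "$sample" || echo "finding: account state differs from the hardening list"
rm -f "$sample"
```

In the sample, ``bob`` has an empty password whose last-change field is not ``0``, so no update is forced and the audit reports a finding.
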
Security hardening is enabled by default; see
:ref:`security_hardening_label` for details.

.. note::
   Cassini security hardening does not reduce the scope of the
   :ref:`run-time_integration_tests_label`.