Security Hardening

Cassini distribution images can be hardened to reduce potential sources of security vulnerabilities and attack vectors. Cassini security hardening modifies the distribution to:

  • Force password update for each user account after first logging in. An empty and expired password is set for each user account by default.

  • Enhance kernel security by extending the kernel configuration with security.scc in KERNEL_FEATURES.

  • Enable the ‘Secure Computing Mode’ (seccomp) Linux kernel feature by appending seccomp to DISTRO_FEATURES.

  • Ensure that all available packages from meta-openembedded and poky layers are configured with: --with-libcap[-ng].

  • Remove empty-root-password, allow-root-login and post-install-logging from IMAGE_FEATURES.

  • Enable allow-empty-password to allow an empty password on Cassini image boot.

  • Disable all login access to the root account.

    Note

    When the cassini-test distro feature is enabled, root login is enabled. Currently, running inline tests in LAVA requires logging in as root to run transfer-overlay commands.

  • Set the umask to 0027 (which translates to permissions of 640 for files and 750 for directories).

Security hardening is enabled by default; see Security Hardening for details.
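To check the account and umask items in the list above on a built image, the following added example (not part of the Cassini project) classifies /etc/shadow entries and computes the modes a umask yields. It assumes the standard shadow(5) encoding, where a `!` or `*` password prefix disables password login and a last-change field of 0 forces a password change; the function names and sample file are hypothetical.

```shell
#!/bin/sh
# Added example, not Cassini project code. Assumes shadow(5) encoding:
# '!' or '*' prefix = password login disabled, last-change 0 = must change.

# classify_shadow FILE USER
# Prints one of: locked | empty-expired | empty | set | missing
classify_shadow() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 ~ /^[!*]/)               print "locked"
            else if ($2 == "" && $3 == "0") print "empty-expired"
            else if ($2 == "")              print "empty"
            else                            print "set"
        }
        END { if (!found) print "missing" }' "$1"
}

# mode_under_umask UMASK BASE
# BASE is 666 for new files and 777 for new directories.
mode_under_umask() {
    printf '%o\n' $(( 0$2 & ~0$1 ))
}

# audit_shadow FILE
# Succeeds only if root is locked and no account has an empty password
# without the forced-change marker.
audit_shadow() {
    [ "$(classify_shadow "$1" root)" = locked ] || return 1
    for u in $(cut -d: -f1 "$1"); do
        if [ "$(classify_shadow "$1" "$u")" = empty ]; then return 1; fi
    done
    return 0
}

# Constructed sample: locked root plus one first-boot user account.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:!:19700:0:99999:7:::
user::0:0:99999:7:::
EOF
for name in root user; do
    echo "$name: $(classify_shadow "$sample" "$name")"
done
audit_shadow "$sample" && echo "shadow audit: pass"
echo "umask 0027 -> files $(mode_under_umask 0027 666), dirs $(mode_under_umask 0027 777)"
rm -f "$sample"
```

On a real image, point `classify_shadow` and `audit_shadow` at the `etc/shadow` file inside the mounted root filesystem.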

Note

Cassini security hardening does not reduce the scope of the Run-Time Integration Tests.