Initial commit

meta-security/meta-hardening/recipes-core/base-files/base-files_%.bbappend

@@ -0,0 +1,4 @@
+
+do_install:append:harden () {
+    sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile
+}

meta-security/meta-hardening/recipes-core/images/harden-image-minimal.bb

@@ -0,0 +1,26 @@
+SUMMARY = "A small image for an example hardening OE."
+
+IMAGE_INSTALL = "packagegroup-core-boot packagegroup-hardening"
+IMAGE_INSTALL:append = " os-release"
+
+IMAGE_FEATURES = ""
+IMAGE_LINGUAS = " "
+
+LICENSE = "MIT"
+
+IMAGE_ROOTFS_SIZE ?= "8192"
+
+inherit core-image
+IMAGE_CLASSES:append = " extrausers"
+
+ROOT_DEFAULT_PASSWORD ?= "1SimplePw!"
+DEFAULT_ADMIN_ACCOUNT ?= "myadmin"
+DEFAULT_ADMIN_GROUP ?= "wheel"
+DEFAULT_ADMIN_ACCOUNT_PASSWORD ?= "1SimplePw!"
+
+EXTRA_USERS_PARAMS = "${@bb.utils.contains('DISABLE_ROOT', 'True', "usermod -L root;", "usermod -P '${ROOT_DEFAULT_PASSWORD}' root;", d)}"
+
+EXTRA_USERS_PARAMS:append = " useradd  ${DEFAULT_ADMIN_ACCOUNT};" 
+EXTRA_USERS_PARAMS:append = " groupadd  ${DEFAULT_ADMIN_GROUP};" 
+EXTRA_USERS_PARAMS:append = " usermod -P '${DEFAULT_ADMIN_ACCOUNT_PASSWORD}' ${DEFAULT_ADMIN_ACCOUNT};" 
+EXTRA_USERS_PARAMS:append = " usermod -aG ${DEFAULT_ADMIN_GROUP}  ${DEFAULT_ADMIN_ACCOUNT};" 

meta-security/meta-hardening/recipes-core/initscripts/files/mountall.sh

@@ -0,0 +1,41 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          mountall
+# Required-Start:    mountvirtfs
+# Required-Stop: 
+# Default-Start:     S
+# Default-Stop:
+# Short-Description: Mount all filesystems.
+# Description:
+### END INIT INFO
+
+. /etc/default/rcS
+
+#
+# Mount local filesystems in /etc/fstab. For some reason, people
+# might want to mount "proc" several times, and mount -v complains
+# about this. So we mount "proc" filesystems without -v.
+#
+test "$VERBOSE" != no && echo "Mounting local filesystems..."
+mkdir -p /home
+mkdir -p /var
+mount -at nonfs,nosmbfs,noncpfs 2>/dev/null
+
+#
+# We might have mounted something over /dev, see if /dev/initctl is there.
+#
+if test ! -p /dev/initctl
+then
+	rm -f /dev/initctl
+	mknod -m 600 /dev/initctl p
+fi
+kill -USR1 1
+
+#
+# Execute swapon command again, in case we want to swap to
+# a file on a now mounted filesystem.
+#
+[ -x /sbin/swapon ] && swapon -a
+
+: exit 0
+

meta-security/meta-hardening/recipes-core/initscripts/initscripts_1.0.bbappend

@@ -0,0 +1,8 @@
+FILESEXTRAPATHS:prepend:harden := "${THISDIR}/files:"
+
+SRC_URI:append:harden = " file://mountall.sh"
+
+do_install:append:harden() {
+    install -d ${D}${sysconfdir}/init.d
+    install -m 0755 ${WORKDIR}/mountall.sh ${D}${sysconfdir}/init.d
+}

meta-security/meta-hardening/recipes-core/packagegroups/packagegroup-hardening.bb

@@ -0,0 +1,19 @@
+#
+# 
+#
+
+SUMMARY = "Hardening example group"
+
+inherit packagegroup
+
+PROVIDES = "${PACKAGES}"
+PACKAGES = "${PN}  \
+    packagegroup-${PN} \
+"
+
+RDEPENDS:${PN} = "\
+    init-ifupdown \
+    ${VIRTUAL-RUNTIME_base-utils-syslog} \
+    sudo \
+    ${@bb.utils.contains("DISTRO_FEATURES", "pam", "pam-plugin-wheel", "",d)} \
+"