Attention

EWAOL development has moved to the SOAFEE Special Interest Group and is now hosted at https://gitlab.com/soafee/ewaol/meta-ewaol, and the official documentation at: https://meta-ewaol.docs.soafee.io/.
For more details on SOAFEE, please see https://soafee.io/.
Note the following documentation is only applicable to the EWAOL’s repo hosted here: https://gitlab.arm.com/ewaol/meta-ewaol.

Security Hardening

EWAOL distribution images can be hardened to reduce potential sources or attack vectors of security vulnerabilities, by enabling the security features implemented by Project Cassini. This security hardening modifies the distribution to:

  • Force password update for each user account after first logging in. An empty and expired password is set for each user account by default.

  • Enhance the kernel security, kernel configuration is extended with the security.scc in KERNEL_FEATURES.

  • Enable the ‘Secure Computing Mode’ (seccomp) Linux kernel feature by appending seccomp to DISTRO_FEATURES.

  • Ensure that all available packages from meta-openembedded, meta-virtualization and poky layers are configured with: --with-libcap[-ng].

  • Remove debug-tweaks from IMAGE_FEATURES.

  • Disable all login access to the root account.

  • Sets the umask to 0027 (which translates permissions as 640 for files and 750 for directories).

Security hardening is not enabled by default, see Security Hardening for details on including the security hardening on the EWAOL distribution image.

EWAOL security hardening does not reduce the scope of the Run-Time Integration Tests.