From b321c13bc959ac450a3ffbb04773b5c83717edec Mon Sep 17 00:00:00 2001
From: Marta Rybczynska <marta.rybczynska@huawei.com>
Date: Fri, 16 Jul 2021 12:06:21 +0200
Subject: [PATCH] Backport meta-hardening from hardknott

Backports the recipes of the meta-hardening layer from meta-security in
hardknott, synced up to 5050d1267ad41288c903086030594f8702bfa039

It includes recipes for hardening base-files (/etc/profile) and shadow
(/etc/login.defs).

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
---
 .../recipes-core/base-files/base-files_%.bbappend      |  4 ++++
 .../recipes-extended/shadow/shadow_%.bbappend          | 10 ++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 meta-ohos-staging/recipes-core/base-files/base-files_%.bbappend
 create mode 100644 meta-ohos-staging/recipes-extended/shadow/shadow_%.bbappend

diff --git a/meta-ohos-staging/recipes-core/base-files/base-files_%.bbappend b/meta-ohos-staging/recipes-core/base-files/base-files_%.bbappend
new file mode 100644
index 00000000..39563046
--- /dev/null
+++ b/meta-ohos-staging/recipes-core/base-files/base-files_%.bbappend
@@ -0,0 +1,4 @@
+
+do_install_append_harden () {
+    sed -i 's/umask.*/umask 027/g' ${D}/${sysconfdir}/profile
+}
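Review bot: Both appends are gated on the `harden` override (`do_install_append_harden` here and again in the shadow bbappend), and this patch adds only the two recipes, so unless a distro or local configuration elsewhere in the tree puts `harden` into OVERRIDES, neither the umask nor the login.defs changes are ever applied. That should be confirmed and stated in a comment at the top of each file. Even when the function runs, `sed -i` exits 0 when nothing matches, so a profile without a `umask` line ships unhardened with no build error. A check after the sed would catch that: `grep -q '^[[:space:]]*umask 027' ${D}${sysconfdir}/profile || bbfatal "umask 027 not set in profile"`. The pattern `umask.*` is also unanchored, so any line that mentions umask, comments included, is rewritten from that word onward.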
diff --git a/meta-ohos-staging/recipes-extended/shadow/shadow_%.bbappend b/meta-ohos-staging/recipes-extended/shadow/shadow_%.bbappend
new file mode 100644
index 00000000..3f363f06
--- /dev/null
+++ b/meta-ohos-staging/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,10 @@
+do_install_append_harden () {
+	# to hardend
+	sed -i -e 's:UMASK.*:UMASK 027:' ${D}${sysconfdir}/login.defs
+	sed -i -e 's:PASS_MAX_DAYS.*:PASS_MAX_DAYS 365:' ${D}${sysconfdir}/login.defs
+	sed -i -e 's:PASS_MIN_DAYS.*:PASS_MIN_DAYS 1:' ${D}${sysconfdir}/login.defs
+	sed -i -e 's:#PASS_MIN_LEN.*:PASS_MIN_LEN 11:' ${D}${sysconfdir}/login.defs
+	sed -i -e 's:PASS_WARN_AGE.*:PASS_WARN_AGE 14:' ${D}${sysconfdir}/login.defs
+	sed -i -e 's:LOGIN_RETRIES.*:LOGIN_RETRIES 3:' ${D}${sysconfdir}/login.defs
+	sed -i -e 's:LOGIN_TIMEOUT.*:LOGIN_TIMEOUT 30:' ${D}${sysconfdir}/login.defs
+}
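Review bot: None of the seven `sed` expressions is anchored to the start of a line, so `UMASK.*`, `PASS_MAX_DAYS.*` and the others also rewrite any comment line in login.defs that mentions the key, while `#PASS_MIN_LEN.*` only takes effect if the setting is present in exactly that commented-out form. Anchoring each one would limit the edit to the actual setting lines, for example `s:^UMASK[[:space:]].*:UMASK 027:` and `s:^#\?PASS_MIN_LEN[[:space:]].*:PASS_MIN_LEN 11:`. If shadow is built with PAM in this distro, PASS_MIN_LEN is presumably not consulted and the minimum length would need to be enforced in the PAM configuration instead, which is worth confirming. The comment `# to hardend` could be replaced with one that states the policy, such as `# Harden login.defs: umask 027, password ageing, login retry and timeout limits`.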
-- 
GitLab