From: <kazuhiro3.hayashi@toshiba.co.jp>
To: <Venkata.Pyla@toshiba-tsip.com>, <dinesh.kumar@toshiba-tsip.com>
Cc: cip-security@lists.cip-project.org, cip-dev@lists.cip-project.org
Subject: Re: [cip-dev] Sample image including security packages
Date: Thu, 12 Mar 2020 07:33:41 +0000
Message-ID: <TYXPR01MB180817C883F874B321DBA264E1FD0@TYXPR01MB1808.jpnprd01.prod.outlook.com>
In-Reply-To: <b0edc35e695b424583c0a4fc86e8b3bf@toshiba-tsip.com>

Hello Venkata,

> 
> Hello Kazu-san,
> 
> Thank you for confirming.
> Below is the merge request for the same.
> https://gitlab.com/zuka0828/isar-cip-core/-/merge_requests/1

Merged. Thank you for the quick response.

Best regards,
Kazu

> 
> Thanks
> Venkata.
> 
> -----Original Message-----
> From: kazuhiro3.hayashi@toshiba.co.jp [mailto:kazuhiro3.hayashi@toshiba.co.jp]
> Sent: 12 March 2020 12:42
> To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: RE: Sample image including security packages
> 
> Hello Venkata,
> 
> Thank you for checking the result.
> I confirmed that this variable should not be overwritten in the image recipe.
> Could you send an MR including this update to https://gitlab.com/zuka0828/isar-cip-core ?
> 
> Best regards,
> Kazu
> 
> > -----Original Message-----
> > From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
> > Sent: Thursday, March 12, 2020 12:56 PM
> > To: hayashi kazuhiro(林 和宏 ○SWC□OST) <kazuhiro3.hayashi@toshiba.co.jp>;
> > dinesh kumar(TSIP DS Company) <dinesh.kumar@toshiba-tsip.com>
> > Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> > Subject: RE: Sample image including security packages
> >
> > Hello Kazu-san,
> >
> > I observed that the 'init' system is not included in the image when the
> > append operator is not used, and so booting the image is not successful.
> >
> > Here is the output of `bitbake -e cip-core-image-security | grep 'IMAGE_PREINSTALL'` when append is not used
> > -------------------------------------------------------------------------------------------------
> > # $IMAGE_PREINSTALL [2 operations]
> > IMAGE_PREINSTALL=" 	openssl libssl1.1 	fail2ban 	openssh-server openssh-sftp-server openssh-client
> > 	syslog-ng-core syslog-ng-mod-journal 	aide aide-common 	libnftables0 nftables 	libpam-pkcs11
> > 	chrony 	tpm2-tools 	tpm2-abrmd 	libtss2-esys0 libtss2-udev 	libpam-cracklib 	acl
> > 	libauparse0 audispd-plugins auditd 	uuid-runtime 	vim "
> > #     "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> > #   " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> > -------------------------------------------------------------------------------------------------
> >
> > Output when append is used
> > -------------------------------------------------------------------------------------------------
> > # $IMAGE_PREINSTALL [2 operations]
> > IMAGE_PREINSTALL=" init  	openssl libssl1.1 	fail2ban 	openssh-server openssh-sftp-server
> > openssh-client 	syslog-ng-core syslog-ng-mod-journal 	aide aide-common 	libnftables0 nftables
> > 	libpam-pkcs11 	chrony 	tpm2-tools 	tpm2-abrmd 	libtss2-esys0 libtss2-udev 	libpam-cracklib
> > 	acl 	libauparse0 audispd-plugins auditd 	uuid-runtime 	vim "
> > #     "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> > #   " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> > -------------------------------------------------------------------------------------------------
> >
> >
> > Thanks,
> > Venkata.
> > -----Original Message-----
> > From: kazuhiro3.hayashi@toshiba.co.jp
> > [mailto:kazuhiro3.hayashi@toshiba.co.jp]
> > Sent: 12 March 2020 05:16
> > To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; Dinesh
> > Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>
> > Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> > Subject: RE: Sample image including security packages
> >
> > Hello Venkata,
> >
> > Thank you for the information.
> >
> > Regarding the usage of `IMAGE_PREINSTALL`, I'm not sure if we always need `+` in the image recipe.
> > Example:
> > https://github.com/ilbers/isar/blob/master/doc/user_manual.md#create-a-custom-image-recipe
> > Could you dump the value of `IMAGE_PREINSTALL` with/without `+` by `bitbake -e` command?
> >
> > Best regards,
> > Kazu
> >
> > > -----Original Message-----
> > > From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
> > > Sent: Thursday, March 5, 2020 6:06 PM
> > > To: hayashi kazuhiro(林 和宏 ○SWC□OST)
> > > <kazuhiro3.hayashi@toshiba.co.jp>;
> > > dinesh kumar(TSIP DS Company) <dinesh.kumar@toshiba-tsip.com>
> > > Cc: cip-security@lists.cip-project.org;
> > > cip-dev@lists.cip-project.org
> > > Subject: RE: Sample image including security packages
> > >
> > > Hi Kazu-san and Dinesh,
> > >
> > > I have created the image with all proposed security packages included.
> > > Applied the below change, and booted the image in QEMU correctly.
> > > -----------------
> > > diff --git a/recipes-core/images/cip-core-image-security.bb
> > > b/recipes-core/images/cip-core-image-security.bb
> > > index 70571f8..b883414 100644
> > > --- a/recipes-core/images/cip-core-image-security.bb
> > > +++ b/recipes-core/images/cip-core-image-security.bb
> > > @@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"
> > >
> > >  # Debian packages that provide security features  # TODO: Add sudo
> > > or sudo-ldap which conflict each other -IMAGE_PREINSTALL = " \
> > > +IMAGE_PREINSTALL += " \
> > >  	openssl libssl1.1 \
> > >  	fail2ban \
> > >  	openssh-server openssh-sftp-server openssh-client \
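Review bot: The `=` to `+=` change on `IMAGE_PREINSTALL` carries no comment or commit text saying why the append is required, so a later cleanup could switch it back. The `bitbake -e` dumps posted in this thread show that with plain `=` the value no longer contains `init` and the image does not boot, while with the append `init` is kept; a one-line comment above the assignment stating that the variable must be appended to, not overwritten, would record that. The patch as mailed is also line-wrapped (the `-IMAGE_PREINSTALL = " \` line is fused onto the preceding comment line), so it will not apply as-is; sending it as an attachment or a merge request avoids that.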
> > > --
> > > -----------------
> > >
> > > Thanks
> > > venkata
> > > -----Original Message-----
> > > From: Venkata Seshagiri Pyla
> > > Sent: 02 March 2020 19:38
> > > To: Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>;
> > > kazuhiro3.hayashi@toshiba.co.jp
> > > Cc: cip-security@lists.cip-project.org;
> > > cip-dev@lists.cip-project.org
> > > Subject: RE: Sample image including security packages
> > >
> > > Hi Kazu-san and Dinesh,
> > >
> > > > We found most of the packages are not included in the isar image,
> > > > could you please confirm whether all the proposed packages
> > > > are included in the given source?
> > > > If it is included, could you please let us know how to install them in the image?
> > > I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".
> > >
> > > All the security packages that are configured to install are present in this file "cip-core-image-security.bb".
> > >
> > > I will generate the image for target "cip-core-image-security" and recheck all the security functionality.
> > >
> > > Thanks,
> > > Venkata.
> > >
> > > -----Original Message-----
> > > From: Cip-security
> > > [mailto:cip-security-bounces@lists.cip-project.org]
> > > On Behalf Of Dinesh Kumar
> > > Sent: 02 March 2020 15:29
> > > To: kazuhiro3.hayashi@toshiba.co.jp
> > > Cc: cip-security@lists.cip-project.org;
> > > cip-dev@lists.cip-project.org
> > > Subject: Re: [Cip-security] Sample image including security packages
> > >
> > > Dear Kazu-san,
> > >
> > > Thanks for sharing the isar-cip-core repository details with us.
> > >
> > > We followed below steps to first confirm whether all the proposed
> > > binaries are included when we create CIP isar based image.
> > > 1. Create CIP isar based image from
> > >    "https://gitlab.com/zuka0828/isar-cip-core/-/tree/master" for
> > >    QEMU_x86-64 platform
> > > 2. Booted the image in QEMU virtual machine
> > > 3. For each security package we compared the binaries listed on Debian page
> > >    e.g. for acl package at (https://packages.debian.org/buster/amd64/acl/filelist)
> > >    According to the Debian page there are three binaries which
> > >    should be present in the image "/bin/chacl", "/bin/getfacl", "/bin/setfacl".
> > >    Then we check in the CIP running image at /bin whether all three packages are included or not.
> > > 4. Based on this kind of investigation we have prepared the attached
> > >    list of missing binary packages in current CIP isar image.
> > >
> > > We found most of the packages are not included in the isar image,
> > > could you please confirm whether all the proposed packages are included in the given source?
> > > If it is included, could you please let us know how to install them in the image?
> > >
> > > Once all the security packages are included in the CIP isar image,
> > > we will proceed to next step of verifying applicable IEC 62443-4-2 security requirements.
> > >
> > > Thanks & Regards,
> > > Dinesh Kumar
> > >
> > >
> > > -----Original Message-----
> > > From: Cip-security <cip-security-bounces@lists.cip-project.org> On
> > > Behalf Of kazuhiro3.hayashi@toshiba.co.jp
> > > Sent: 21 February 2020 10:58
> > > To: cip-security@lists.cip-project.org
> > > Cc: cip-dev@lists.cip-project.org
> > > Subject: [Cip-security] Sample image including security packages
> > >
> > > Hello CIP Security WG,
> > >
> > > I've created a sample setting to customize CIP Core generic profile.
> > > https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
> > > (Now in my personal account)
> > >
> > > Introduction:
> > > https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md
> > >
> > > Please ask in cip-dev if you need more development information :)
> > >
> > > Note: `sudo` and `sudo-ldap` conflict with each other, but both were proposed.
> > > We need to select one of them.
> > > I temporarily removed both from `IMAGE_PREINSTALL`.
> > >
> > > Best regards,
> > > Kazu
> > >
> > > _______________________________________________
> > > Cip-security mailing list
> > > Cip-security@lists.cip-project.org
> > > https://lists.cip-project.org/mailman/listinfo/cip-security
> > > The information contained in this e-mail message and in any
> > > attachments/annexure/appendices is confidential to the recipient and may contain privileged information.
> > > If you are not the intended recipient, please notify the sender and
> > > delete the message along with any attachments/annexure/appendices.
> > > You should not disclose, copy or otherwise use the information
> > > contained in the message or any annexure. Any views expressed in
> > > this e-mail are those of the individual sender except where the
> > > sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.
> > >
> > > Although this transmission and any attachments are believed to be
> > > free of any virus or other defect that might affect any computer
> > > system into which it is received and opened, it is the
> > > responsibility of the recipient to ensure that it is virus free and
> > > no responsibility is accepted by Toshiba Embedded Software India
> > > Pvt. Ltd, for any loss or damage arising in any way from its use.

_______________________________________________
cip-dev mailing list
cip-dev@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-dev
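
The check done by hand in this thread (dumping `IMAGE_PREINSTALL` with `bitbake -e` and noticing that `init` is gone) can be turned into a build-time gate. The following is an added example, not code from the thread or from isar-cip-core; the function names, the required-package list and the sample dumps are assumptions made for illustration, and it assumes the final `IMAGE_PREINSTALL="..."` assignment is printed on one line.

```shell
#!/bin/sh
# Added example (not from the thread or isar-cip-core).
# Assumption: the final IMAGE_PREINSTALL="..." assignment in `bitbake -e`
# output sits on a single line; the required-package list is illustrative.

# Read `bitbake -e <image>` output on stdin and print every package named in
# the arguments that is absent from the final IMAGE_PREINSTALL value.
missing_preinstall_pkgs() {
    value=$(sed -n 's/^IMAGE_PREINSTALL="\(.*\)"$/\1/p' | tail -n 1)
    for pkg in "$@"; do
        found=no
        for have in $value; do   # unquoted on purpose: split on spaces/tabs
            if [ "$have" = "$pkg" ]; then found=yes; break; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$pkg"; fi
    done
}

# Constructed samples, shortened from the two dumps quoted in the thread.
DUMP_ASSIGN='# $IMAGE_PREINSTALL [2 operations]
IMAGE_PREINSTALL="  openssl libssl1.1  fail2ban  acl  auditd "'
DUMP_APPEND='# $IMAGE_PREINSTALL [2 operations]
IMAGE_PREINSTALL=" init   openssl libssl1.1  fail2ban  acl  auditd "'

# Packages the image must carry: init to boot, plus a few security packages.
check_dump() {
    printf '%s\n' "$1" | missing_preinstall_pkgs init openssl fail2ban acl auditd
}

echo "with '=':  missing: $(check_dump "$DUMP_ASSIGN")"
echo "with '+=': missing: $(check_dump "$DUMP_APPEND")"
```

In a real build the input would come from `bitbake -e cip-core-image-security`, and a non-empty result would fail the job before an unbootable or incomplete image is produced.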
