Re: [cip-dev] Sample image including security packages

[<kazuhiro3.hayashi@toshiba.co.jp>]

Hello Venkata,

Thank you for the information.

Regarding the usage of `IMAGE_PREINSTALL`, I'm not sure if we always need `+` in the image recipe.
Example: https://github.com/ilbers/isar/blob/master/doc/user_manual.md#create-a-custom-image-recipe
Could you dump the value of `IMAGE_PREINSTALL` with/without `+` by `bitbake -e` command?

Best regards,
Kazu

> -----Original Message-----
> From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
> Sent: Thursday, March 5, 2020 6:06 PM
> To: hayashi kazuhiro(林 和宏 ○ＳＷＣ□ＯＳＴ) <kazuhiro3.hayashi@toshiba.co.jp>; dinesh kumar(ＴＳＩＰ DS Company)
> <dinesh.kumar@toshiba-tsip.com>
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: RE: Sample image including security packages
> 
> Hi Kazu-san and Dinesh,
> 
> I have created the image with all proposed security packages included.
> applied the below change, and booted the image in QEMU correctly.
> -----------------
> diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
> index 70571f8..b883414 100644
> --- a/recipes-core/images/cip-core-image-security.bb
> +++ b/recipes-core/images/cip-core-image-security.bb
> @@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"
> 
>  # Debian packages that provide security features
>  # TODO: Add sudo or sudo-ldap which conflict each other
> -IMAGE_PREINSTALL = " \
> +IMAGE_PREINSTALL += " \
>  	openssl libssl1.1 \
>  	fail2ban \
>  	openssh-server openssh-sftp-server openssh-client \
> --
> -----------------
> 
> Thanks
> venkata
> -----Original Message-----
> From: Venkata Seshagiri Pyla
> Sent: 02 March 2020 19:38
> To: Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>; kazuhiro3.hayashi@toshiba.co.jp
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: RE: Sample image including security packages
> 
> Hi Kazu-san and Dinesh,
> 
> >We found most of the packages are not included in the isar image, could you please confirm whether all the proposed packages
> are included in the given source?
> >If it is included, could you please let us know how to install them in the image?
> I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".
> 
> All the security packages are configured to install are present in this file "cip-core-image-security.bb".
> 
> I will generate the image for target "cip-core-image-security" and recheck all the security functionality.
> 
> Thanks,
> Venkata.
> 
> -----Original Message-----
> From: Cip-security [mailto:cip-security-bounces@lists.cip-project.org] On Behalf Of Dinesh Kumar
> Sent: 02 March 2020 15:29
> To: kazuhiro3.hayashi@toshiba.co.jp
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: Re: [Cip-security] Sample image including security packages
> 
> Dear Kazu-san,
> 
> Thanks for sharing the isar-cip-core repository details with us.
> 
> We followed below steps to first confirm whether all the proposed binaries are included when we create CIP isar based
> image.
> 1. Create CIP isar based image from "https://gitlab.com/zuka0828/isar-cip-core/-/tree/master"  for QEMU_x86-64 platform
> 2. Booted the image in QEMU virtual machine 3. For each security package we compared the binaries listed on Debian page
> e.g. for acl package at (https://packages.debian.org/buster/amd64/acl/filelist)
>      According to the Debian page there are three binaries which should be present in the image "/bin/chacl", "/bin/getfacl",
> "/bin/setfacl".
>      Then we check in the CIP running image at /bin whether all three packages are included or not.
> 4. Based on this kind of investigation we have prepare the attached list of missing binary packages in current CIP isar
> image.
> 
> We found most of the packages are not included in the isar image, could you please confirm whether all the proposed packages
> are included in the given source?
> If it is included, could you please let us know how to install them in the image?
> 
> Once all the security packages are included in the CIP isar image, we will proceed to next step of verifying applicable
> IEC 62443-4-2 security requirements.
> 
> Thanks & Regards,
> Dinesh Kumar
> 
> 
> -----Original Message-----
> From: Cip-security <cip-security-bounces@lists.cip-project.org> On Behalf Of kazuhiro3.hayashi@toshiba.co.jp
> Sent: 21 February 2020 10:58
> To: cip-security@lists.cip-project.org
> Cc: cip-dev@lists.cip-project.org
> Subject: [Cip-security] Sample image including security packages
> 
> Hello CIP Security WG,
> 
> I've created a sample setting to customize CIP Core generic profile.
> https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
> (Now in my personal account)
> 
> Introduction: https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md
> 
> Please ask in cip-dev if you need more development information :)
> 
> Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
> We need to select one from them.
> I temporally removed the both from `IMAGE_PREINSTALL`.
> 
> Best regards,
> Kazu
> 
> _______________________________________________
> Cip-security mailing list
> Cip-security@lists.cip-project.org
> https://lists.cip-project.org/mailman/listinfo/cip-security
> The information contained in this e-mail message and in any attachments/annexure/appendices is confidential to the recipient
> and may contain privileged information.
> If you are not the intended recipient, please notify the sender and delete the message along with any
> attachments/annexure/appendices. You should not disclose, copy or otherwise use the information contained in the message
> or any annexure. Any views expressed in this e-mail are those of the individual sender except where the sender specifically
> states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.
> 
> Although this transmission and any attachments are believed to be free of any virus or other defect that might affect
> any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it
> is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising
> in any way from its use.
> The information contained in this e-mail message and in any
> attachments/annexure/appendices is confidential to the
> recipient and may contain privileged information.
> If you are not the intended recipient, please notify the
> sender and delete the message along with any
> attachments/annexure/appendices. You should not disclose,
> copy or otherwise use the information contained in the
> message or any annexure. Any views expressed in this e-mail
> are those of the individual sender except where the sender
> specifically states them to be the views of
> Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.
> 
> Although this transmission and any attachments are believed to be
> free of any virus or other defect that might affect any computer
> system into which it is received and opened, it is the responsibility
> of the recipient to ensure that it is virus free and no responsibility
> is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
> damage arising in any way from its use.

_______________________________________________
cip-dev mailing list
cip-dev@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-dev