[cip-dev] Sample image including security packages

[cip-dev] Sample image including security packages

[kazuhiro3.hayashi]

Hello CIP Security WG,

I've created a sample setting to customize CIP Core generic profile.
https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
(Now in my personal account)

Introduction: https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md

Please ask in cip-dev if you need more development information :)

Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
We need to select one from them.
I temporally removed the both from `IMAGE_PREINSTALL`.

Best regards,
Kazu

_______________________________________________
cip-dev mailing list
cip-dev@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-dev

Re: [cip-dev] Sample image including security packages

[Dinesh Kumar]

[-- Attachment #1: Type: text/plain, Size: 3370 bytes --]

Dear Kazu-san,

Thanks for sharing the isar-cip-core repository details with us.

We followed below steps to first confirm whether all the proposed binaries are included when we create CIP isar based image.
1. Create CIP isar based image from "https://gitlab.com/zuka0828/isar-cip-core/-/tree/master"  for QEMU_x86-64 platform
2. Booted the image in QEMU virtual machine
3. For each security package we compared the binaries listed on Debian page e.g. for acl package at (https://packages.debian.org/buster/amd64/acl/filelist)
     According to the Debian page there are three binaries which should be present in the image "/bin/chacl", "/bin/getfacl", "/bin/setfacl".
     Then we check in the CIP running image at /bin whether all three packages are included or not.
4. Based on this kind of investigation we have prepare the attached list of missing binary packages in current CIP isar image.

We found most of the packages are not included in the isar image, could you please confirm whether all the proposed packages are included in the given source?
If it is included, could you please let us know how to install them in the image?

Once all the security packages are included in the CIP isar image, we will proceed to next step of verifying applicable IEC 62443-4-2 security requirements.

Thanks & Regards,
Dinesh Kumar


-----Original Message-----
From: Cip-security <cip-security-bounces@lists.cip-project.org> On Behalf Of kazuhiro3.hayashi@toshiba.co.jp
Sent: 21 February 2020 10:58
To: cip-security@lists.cip-project.org
Cc: cip-dev@lists.cip-project.org
Subject: [Cip-security] Sample image including security packages

Hello CIP Security WG,

I've created a sample setting to customize CIP Core generic profile.
https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
(Now in my personal account)

Introduction: https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md

Please ask in cip-dev if you need more development information :)

Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
We need to select one from them.
I temporally removed the both from `IMAGE_PREINSTALL`.

Best regards,
Kazu

_______________________________________________
Cip-security mailing list
Cip-security@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-security
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the 
recipient and may contain privileged information. 
If you are not the intended recipient, please notify the
sender and delete the message along with any 
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail 
are those of the individual sender except where the sender 
specifically states them to be the views of 
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer 
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility 
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.

[-- Attachment #2: CIP_Security_MissingBinaries_GenericProfile_Rev01.xlsx --]
[-- Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, Size: 15012 bytes --]

[-- Attachment #3: Type: text/plain, Size: 154 bytes --]

_______________________________________________
cip-dev mailing list
cip-dev@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-dev

Re: [cip-dev] Sample image including security packages

[Venkata Seshagiri Pyla]

Hi Kazu-san and Dinesh,

>We found most of the packages are not included in the isar image, could you please confirm whether all the proposed packages are included in the given source?
>If it is included, could you please let us know how to install them in the image?
I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".

All the security packages are configured to install are present in this file "cip-core-image-security.bb".

I will generate the image for target "cip-core-image-security" and recheck all the security functionality.

Thanks,
Venkata.

-----Original Message-----
From: Cip-security [mailto:cip-security-bounces@lists.cip-project.org] On Behalf Of Dinesh Kumar
Sent: 02 March 2020 15:29
To: kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: Re: [Cip-security] Sample image including security packages

Dear Kazu-san,

Thanks for sharing the isar-cip-core repository details with us.

We followed below steps to first confirm whether all the proposed binaries are included when we create CIP isar based image.
1. Create CIP isar based image from "https://gitlab.com/zuka0828/isar-cip-core/-/tree/master"  for QEMU_x86-64 platform 2. Booted the image in QEMU virtual machine 3. For each security package we compared the binaries listed on Debian page e.g. for acl package at (https://packages.debian.org/buster/amd64/acl/filelist)
     According to the Debian page there are three binaries which should be present in the image "/bin/chacl", "/bin/getfacl", "/bin/setfacl".
     Then we check in the CIP running image at /bin whether all three packages are included or not.
4. Based on this kind of investigation we have prepare the attached list of missing binary packages in current CIP isar image.

We found most of the packages are not included in the isar image, could you please confirm whether all the proposed packages are included in the given source?
If it is included, could you please let us know how to install them in the image?

Once all the security packages are included in the CIP isar image, we will proceed to next step of verifying applicable IEC 62443-4-2 security requirements.

Thanks & Regards,
Dinesh Kumar


-----Original Message-----
From: Cip-security <cip-security-bounces@lists.cip-project.org> On Behalf Of kazuhiro3.hayashi@toshiba.co.jp
Sent: 21 February 2020 10:58
To: cip-security@lists.cip-project.org
Cc: cip-dev@lists.cip-project.org
Subject: [Cip-security] Sample image including security packages

Hello CIP Security WG,

I've created a sample setting to customize CIP Core generic profile.
https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
(Now in my personal account)

Introduction: https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md

Please ask in cip-dev if you need more development information :)

Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
We need to select one from them.
I temporally removed the both from `IMAGE_PREINSTALL`.

Best regards,
Kazu

_______________________________________________
Cip-security mailing list
Cip-security@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-security
The information contained in this e-mail message and in any attachments/annexure/appendices is confidential to the recipient and may contain privileged information. 
If you are not the intended recipient, please notify the sender and delete the message along with any attachments/annexure/appendices. You should not disclose, copy or otherwise use the information contained in the message or any annexure. Any views expressed in this e-mail are those of the individual sender except where the sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising in any way from its use.
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the 
recipient and may contain privileged information. 
If you are not the intended recipient, please notify the
sender and delete the message along with any 
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail 
are those of the individual sender except where the sender 
specifically states them to be the views of 
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer 
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility 
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.

_______________________________________________
cip-dev mailing list
cip-dev@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-dev

Re: [cip-dev] Sample image including security packages

[Venkata Seshagiri Pyla]

Hi Kazu-san and Dinesh,

I have created the image with all proposed security packages included.
applied the below change, and booted the image in QEMU correctly.
-----------------
diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 70571f8..b883414 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"
 
 # Debian packages that provide security features
 # TODO: Add sudo or sudo-ldap which conflict each other
-IMAGE_PREINSTALL = " \
+IMAGE_PREINSTALL += " \
 	openssl libssl1.1 \
 	fail2ban \
 	openssh-server openssh-sftp-server openssh-client \
--
-----------------

Thanks
venkata
-----Original Message-----
From: Venkata Seshagiri Pyla 
Sent: 02 March 2020 19:38
To: Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>; kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hi Kazu-san and Dinesh,

>We found most of the packages are not included in the isar image, could you please confirm whether all the proposed packages are included in the given source?
>If it is included, could you please let us know how to install them in the image?
I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".

All the security packages are configured to install are present in this file "cip-core-image-security.bb".

I will generate the image for target "cip-core-image-security" and recheck all the security functionality.

Thanks,
Venkata.

-----Original Message-----
From: Cip-security [mailto:cip-security-bounces@lists.cip-project.org] On Behalf Of Dinesh Kumar
Sent: 02 March 2020 15:29
To: kazuhiro3.hayashi@toshiba.co.jp
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: Re: [Cip-security] Sample image including security packages

Dear Kazu-san,

Thanks for sharing the isar-cip-core repository details with us.

We followed below steps to first confirm whether all the proposed binaries are included when we create CIP isar based image.
1. Create CIP isar based image from "https://gitlab.com/zuka0828/isar-cip-core/-/tree/master"  for QEMU_x86-64 platform 2. Booted the image in QEMU virtual machine 3. For each security package we compared the binaries listed on Debian page e.g. for acl package at (https://packages.debian.org/buster/amd64/acl/filelist)
     According to the Debian page there are three binaries which should be present in the image "/bin/chacl", "/bin/getfacl", "/bin/setfacl".
     Then we check in the CIP running image at /bin whether all three packages are included or not.
4. Based on this kind of investigation we have prepare the attached list of missing binary packages in current CIP isar image.

We found most of the packages are not included in the isar image, could you please confirm whether all the proposed packages are included in the given source?
If it is included, could you please let us know how to install them in the image?

Once all the security packages are included in the CIP isar image, we will proceed to next step of verifying applicable IEC 62443-4-2 security requirements.

Thanks & Regards,
Dinesh Kumar


-----Original Message-----
From: Cip-security <cip-security-bounces@lists.cip-project.org> On Behalf Of kazuhiro3.hayashi@toshiba.co.jp
Sent: 21 February 2020 10:58
To: cip-security@lists.cip-project.org
Cc: cip-dev@lists.cip-project.org
Subject: [Cip-security] Sample image including security packages

Hello CIP Security WG,

I've created a sample setting to customize CIP Core generic profile.
https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
(Now in my personal account)

Introduction: https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md

Please ask in cip-dev if you need more development information :)

Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
We need to select one from them.
I temporally removed the both from `IMAGE_PREINSTALL`.

Best regards,
Kazu

_______________________________________________
Cip-security mailing list
Cip-security@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-security
The information contained in this e-mail message and in any attachments/annexure/appendices is confidential to the recipient and may contain privileged information. 
If you are not the intended recipient, please notify the sender and delete the message along with any attachments/annexure/appendices. You should not disclose, copy or otherwise use the information contained in the message or any annexure. Any views expressed in this e-mail are those of the individual sender except where the sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising in any way from its use.
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the 
recipient and may contain privileged information. 
If you are not the intended recipient, please notify the
sender and delete the message along with any 
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail 
are those of the individual sender except where the sender 
specifically states them to be the views of 
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer 
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility 
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.

_______________________________________________
cip-dev mailing list
cip-dev@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-dev

Re: [cip-dev] Sample image including security packages

[kazuhiro3.hayashi]

Hello Venkata,

Thank you for the information.

Regarding the usage of `IMAGE_PREINSTALL`, I'm not sure if we always need `+` in the image recipe.
Example: https://github.com/ilbers/isar/blob/master/doc/user_manual.md#create-a-custom-image-recipe
Could you dump the value of `IMAGE_PREINSTALL` with/without `+` by `bitbake -e` command?

Best regards,
Kazu

> -----Original Message-----
> From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
> Sent: Thursday, March 5, 2020 6:06 PM
> To: hayashi kazuhiro(林 和宏 ○ＳＷＣ□ＯＳＴ) <kazuhiro3.hayashi@toshiba.co.jp>; dinesh kumar(ＴＳＩＰ DS Company)
> <dinesh.kumar@toshiba-tsip.com>
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: RE: Sample image including security packages
> 
> Hi Kazu-san and Dinesh,
> 
> I have created the image with all proposed security packages included.
> applied the below change, and booted the image in QEMU correctly.
> -----------------
> diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
> index 70571f8..b883414 100644
> --- a/recipes-core/images/cip-core-image-security.bb
> +++ b/recipes-core/images/cip-core-image-security.bb
> @@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"
> 
>  # Debian packages that provide security features
>  # TODO: Add sudo or sudo-ldap which conflict each other
> -IMAGE_PREINSTALL = " \
> +IMAGE_PREINSTALL += " \
>  	openssl libssl1.1 \
>  	fail2ban \
>  	openssh-server openssh-sftp-server openssh-client \
> --
> -----------------
> 
> Thanks
> venkata
> -----Original Message-----
> From: Venkata Seshagiri Pyla
> Sent: 02 March 2020 19:38
> To: Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>; kazuhiro3.hayashi@toshiba.co.jp
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: RE: Sample image including security packages
> 
> Hi Kazu-san and Dinesh,
> 
> >We found most of the packages are not included in the isar image, could you please confirm whether all the proposed packages
> are included in the given source?
> >If it is included, could you please let us know how to install them in the image?
> I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".
> 
> All the security packages are configured to install are present in this file "cip-core-image-security.bb".
> 
> I will generate the image for target "cip-core-image-security" and recheck all the security functionality.
> 
> Thanks,
> Venkata.
> 
> -----Original Message-----
> From: Cip-security [mailto:cip-security-bounces@lists.cip-project.org] On Behalf Of Dinesh Kumar
> Sent: 02 March 2020 15:29
> To: kazuhiro3.hayashi@toshiba.co.jp
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: Re: [Cip-security] Sample image including security packages
> 
> Dear Kazu-san,
> 
> Thanks for sharing the isar-cip-core repository details with us.
> 
> We followed below steps to first confirm whether all the proposed binaries are included when we create CIP isar based
> image.
> 1. Create CIP isar based image from "https://gitlab.com/zuka0828/isar-cip-core/-/tree/master"  for QEMU_x86-64 platform
> 2. Booted the image in QEMU virtual machine 3. For each security package we compared the binaries listed on Debian page
> e.g. for acl package at (https://packages.debian.org/buster/amd64/acl/filelist)
>      According to the Debian page there are three binaries which should be present in the image "/bin/chacl", "/bin/getfacl",
> "/bin/setfacl".
>      Then we check in the CIP running image at /bin whether all three packages are included or not.
> 4. Based on this kind of investigation we have prepare the attached list of missing binary packages in current CIP isar
> image.
> 
> We found most of the packages are not included in the isar image, could you please confirm whether all the proposed packages
> are included in the given source?
> If it is included, could you please let us know how to install them in the image?
> 
> Once all the security packages are included in the CIP isar image, we will proceed to next step of verifying applicable
> IEC 62443-4-2 security requirements.
> 
> Thanks & Regards,
> Dinesh Kumar
> 
> 
> -----Original Message-----
> From: Cip-security <cip-security-bounces@lists.cip-project.org> On Behalf Of kazuhiro3.hayashi@toshiba.co.jp
> Sent: 21 February 2020 10:58
> To: cip-security@lists.cip-project.org
> Cc: cip-dev@lists.cip-project.org
> Subject: [Cip-security] Sample image including security packages
> 
> Hello CIP Security WG,
> 
> I've created a sample setting to customize CIP Core generic profile.
> https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
> (Now in my personal account)
> 
> Introduction: https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md
> 
> Please ask in cip-dev if you need more development information :)
> 
> Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
> We need to select one from them.
> I temporally removed the both from `IMAGE_PREINSTALL`.
> 
> Best regards,
> Kazu
> 
> _______________________________________________
> Cip-security mailing list
> Cip-security@lists.cip-project.org
> https://lists.cip-project.org/mailman/listinfo/cip-security
> The information contained in this e-mail message and in any attachments/annexure/appendices is confidential to the recipient
> and may contain privileged information.
> If you are not the intended recipient, please notify the sender and delete the message along with any
> attachments/annexure/appendices. You should not disclose, copy or otherwise use the information contained in the message
> or any annexure. Any views expressed in this e-mail are those of the individual sender except where the sender specifically
> states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.
> 
> Although this transmission and any attachments are believed to be free of any virus or other defect that might affect
> any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it
> is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising
> in any way from its use.
> The information contained in this e-mail message and in any
> attachments/annexure/appendices is confidential to the
> recipient and may contain privileged information.
> If you are not the intended recipient, please notify the
> sender and delete the message along with any
> attachments/annexure/appendices. You should not disclose,
> copy or otherwise use the information contained in the
> message or any annexure. Any views expressed in this e-mail
> are those of the individual sender except where the sender
> specifically states them to be the views of
> Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.
> 
> Although this transmission and any attachments are believed to be
> free of any virus or other defect that might affect any computer
> system into which it is received and opened, it is the responsibility
> of the recipient to ensure that it is virus free and no responsibility
> is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
> damage arising in any way from its use.

_______________________________________________
cip-dev mailing list
cip-dev@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-dev

Re: [cip-dev] Sample image including security packages

[Venkata Seshagiri Pyla]

Hello Kazu-san,

I observed 'init' system is not included in the image when append operator is not used and so booting the image is not successful.

Here is the output of `bitbake -e cip-core-image-security | grep 'IMAGE_PREINSTALL'` when append is not used
-------------------------------------------------------------------------------------------------
# $IMAGE_PREINSTALL [2 operations]
IMAGE_PREINSTALL=" 	openssl libssl1.1 	fail2ban 	openssh-server openssh-sftp-server openssh-client 	syslog-ng-core syslog-ng-mod-journal 	aide aide-common 	libnftables0 nftables 	libpam-pkcs11 	chrony 	tpm2-tools 	tpm2-abrmd 	libtss2-esys0 libtss2-udev 	libpam-cracklib 	acl 	libauparse0 audispd-plugins auditd 	uuid-runtime 	vim "
#     "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
#   " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
-------------------------------------------------------------------------------------------------

Output when append is used
-------------------------------------------------------------------------------------------------
# $IMAGE_PREINSTALL [2 operations]
IMAGE_PREINSTALL=" init  	openssl libssl1.1 	fail2ban 	openssh-server openssh-sftp-server openssh-client 	syslog-ng-core syslog-ng-mod-journal 	aide aide-common 	libnftables0 nftables 	libpam-pkcs11 	chrony 	tpm2-tools 	tpm2-abrmd 	libtss2-esys0 libtss2-udev 	libpam-cracklib 	acl 	libauparse0 audispd-plugins auditd 	uuid-runtime 	vim "
#     "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
#   " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
-------------------------------------------------------------------------------------------------


Thanks,
Venkata.
-----Original Message-----
From: kazuhiro3.hayashi@toshiba.co.jp [mailto:kazuhiro3.hayashi@toshiba.co.jp] 
Sent: 12 March 2020 05:16
To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hello Venkata,

Thank you for the information.

Regarding the usage of `IMAGE_PREINSTALL`, I'm not sure if we always need `+` in the image recipe.
Example: https://github.com/ilbers/isar/blob/master/doc/user_manual.md#create-a-custom-image-recipe
Could you dump the value of `IMAGE_PREINSTALL` with/without `+` by `bitbake -e` command?

Best regards,
Kazu

> -----Original Message-----
> From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
> Sent: Thursday, March 5, 2020 6:06 PM
> To: hayashi kazuhiro(林 和宏 ○ＳＷＣ□ＯＳＴ) <kazuhiro3.hayashi@toshiba.co.jp>; 
> dinesh kumar(ＴＳＩＰ DS Company) <dinesh.kumar@toshiba-tsip.com>
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: RE: Sample image including security packages
> 
> Hi Kazu-san and Dinesh,
> 
> I have created the image with all proposed security packages included.
> applied the below change, and booted the image in QEMU correctly.
> -----------------
> diff --git a/recipes-core/images/cip-core-image-security.bb 
> b/recipes-core/images/cip-core-image-security.bb
> index 70571f8..b883414 100644
> --- a/recipes-core/images/cip-core-image-security.bb
> +++ b/recipes-core/images/cip-core-image-security.bb
> @@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"
> 
>  # Debian packages that provide security features  # TODO: Add sudo or 
> sudo-ldap which conflict each other -IMAGE_PREINSTALL = " \
> +IMAGE_PREINSTALL += " \
>  	openssl libssl1.1 \
>  	fail2ban \
>  	openssh-server openssh-sftp-server openssh-client \
> --
> -----------------
> 
> Thanks
> venkata
> -----Original Message-----
> From: Venkata Seshagiri Pyla
> Sent: 02 March 2020 19:38
> To: Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>; 
> kazuhiro3.hayashi@toshiba.co.jp
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: RE: Sample image including security packages
> 
> Hi Kazu-san and Dinesh,
> 
> >We found most of the packages are not included in the isar image, 
> >could you please confirm whether all the proposed packages
> are included in the given source?
> >If it is included, could you please let us know how to install them in the image?
> I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".
> 
> All the security packages are configured to install are present in this file "cip-core-image-security.bb".
> 
> I will generate the image for target "cip-core-image-security" and recheck all the security functionality.
> 
> Thanks,
> Venkata.
> 
> -----Original Message-----
> From: Cip-security [mailto:cip-security-bounces@lists.cip-project.org] 
> On Behalf Of Dinesh Kumar
> Sent: 02 March 2020 15:29
> To: kazuhiro3.hayashi@toshiba.co.jp
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: Re: [Cip-security] Sample image including security packages
> 
> Dear Kazu-san,
> 
> Thanks for sharing the isar-cip-core repository details with us.
> 
> We followed below steps to first confirm whether all the proposed 
> binaries are included when we create CIP isar based image.
> 1. Create CIP isar based image from 
> "https://gitlab.com/zuka0828/isar-cip-core/-/tree/master"  for 
> QEMU_x86-64 platform 2. Booted the image in QEMU virtual machine 3. For each security package we compared the binaries listed on Debian page e.g. for acl package at (https://packages.debian.org/buster/amd64/acl/filelist)
>      According to the Debian page there are three binaries which 
> should be present in the image "/bin/chacl", "/bin/getfacl", "/bin/setfacl".
>      Then we check in the CIP running image at /bin whether all three packages are included or not.
> 4. Based on this kind of investigation we have prepare the attached 
> list of missing binary packages in current CIP isar image.
> 
> We found most of the packages are not included in the isar image, 
> could you please confirm whether all the proposed packages are included in the given source?
> If it is included, could you please let us know how to install them in the image?
> 
> Once all the security packages are included in the CIP isar image, we 
> will proceed to next step of verifying applicable IEC 62443-4-2 security requirements.
> 
> Thanks & Regards,
> Dinesh Kumar
> 
> 
> -----Original Message-----
> From: Cip-security <cip-security-bounces@lists.cip-project.org> On 
> Behalf Of kazuhiro3.hayashi@toshiba.co.jp
> Sent: 21 February 2020 10:58
> To: cip-security@lists.cip-project.org
> Cc: cip-dev@lists.cip-project.org
> Subject: [Cip-security] Sample image including security packages
> 
> Hello CIP Security WG,
> 
> I've created a sample setting to customize CIP Core generic profile.
> https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
> (Now in my personal account)
> 
> Introduction: 
> https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md
> 
> Please ask in cip-dev if you need more development information :)
> 
> Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
> We need to select one from them.
> I temporally removed the both from `IMAGE_PREINSTALL`.
> 
> Best regards,
> Kazu
> 
> _______________________________________________
> Cip-security mailing list
> Cip-security@lists.cip-project.org
> https://lists.cip-project.org/mailman/listinfo/cip-security
> The information contained in this e-mail message and in any 
> attachments/annexure/appendices is confidential to the recipient and may contain privileged information.
> If you are not the intended recipient, please notify the sender and 
> delete the message along with any attachments/annexure/appendices. You 
> should not disclose, copy or otherwise use the information contained 
> in the message or any annexure. Any views expressed in this e-mail are those of the individual sender except where the sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.
> 
> Although this transmission and any attachments are believed to be free 
> of any virus or other defect that might affect any computer system 
> into which it is received and opened, it is the responsibility of the 
> recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or damage arising in any way from its use.
> The information contained in this e-mail message and in any 
> attachments/annexure/appendices is confidential to the recipient and 
> may contain privileged information.
> If you are not the intended recipient, please notify the sender and 
> delete the message along with any attachments/annexure/appendices. You 
> should not disclose, copy or otherwise use the information contained 
> in the message or any annexure. Any views expressed in this e-mail are 
> those of the individual sender except where the sender specifically 
> states them to be the views of Toshiba Software India Pvt. Ltd. 
> (TSIP),Bangalore.
> 
> Although this transmission and any attachments are believed to be free 
> of any virus or other defect that might affect any computer system 
> into which it is received and opened, it is the responsibility of the 
> recipient to ensure that it is virus free and no responsibility is 
> accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or 
> damage arising in any way from its use.

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the 
recipient and may contain privileged information. 
If you are not the intended recipient, please notify the
sender and delete the message along with any 
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail 
are those of the individual sender except where the sender 
specifically states them to be the views of 
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer 
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility 
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.

_______________________________________________
cip-dev mailing list
cip-dev@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-dev

Re: [cip-dev] Sample image including security packages

[kazuhiro3.hayashi]

Hello Venkata,

Thank you for checking the result.
I confirmed that this variable should not be overwritten in the image recipe.
Could you send MR including this update to https://gitlab.com/zuka0828/isar-cip-core ?

Best regards,
Kazu

> -----Original Message-----
> From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
> Sent: Thursday, March 12, 2020 12:56 PM
> To: hayashi kazuhiro(林 和宏 ○ＳＷＣ□ＯＳＴ) <kazuhiro3.hayashi@toshiba.co.jp>; dinesh kumar(ＴＳＩＰ DS Company)
> <dinesh.kumar@toshiba-tsip.com>
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: RE: Sample image including security packages
> 
> Hello Kazu-san,
> 
> I observed 'init' system is not included in the image when append operator is not used and so booting the image is not
> successful.
> 
> Here is the output of `bitbake -e cip-core-image-security | grep 'IMAGE_PREINSTALL'` when append is not used
> -------------------------------------------------------------------------------------------------
> # $IMAGE_PREINSTALL [2 operations]
> IMAGE_PREINSTALL=" 	openssl libssl1.1 	fail2ban 	openssh-server openssh-sftp-server openssh-client
> 	syslog-ng-core syslog-ng-mod-journal 	aide aide-common 	libnftables0 nftables 	libpam-pkcs11
> 	chrony 	tpm2-tools 	tpm2-abrmd 	libtss2-esys0 libtss2-udev 	libpam-cracklib 	acl
> 	libauparse0 audispd-plugins auditd 	uuid-runtime 	vim "
> #     "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> #   " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> -------------------------------------------------------------------------------------------------
> 
> Output when append is used
> -------------------------------------------------------------------------------------------------
> # $IMAGE_PREINSTALL [2 operations]
> IMAGE_PREINSTALL=" init  	openssl libssl1.1 	fail2ban 	openssh-server openssh-sftp-server
> openssh-client 	syslog-ng-core syslog-ng-mod-journal 	aide aide-common 	libnftables0 nftables
> 	libpam-pkcs11 	chrony 	tpm2-tools 	tpm2-abrmd 	libtss2-esys0 libtss2-udev 	libpam-cracklib
> 	acl 	libauparse0 audispd-plugins auditd 	uuid-runtime 	vim "
> #     "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> #   " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> -------------------------------------------------------------------------------------------------
> 
> 
> Thanks,
> Venkata.
> -----Original Message-----
> From: kazuhiro3.hayashi@toshiba.co.jp [mailto:kazuhiro3.hayashi@toshiba.co.jp]
> Sent: 12 March 2020 05:16
> To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: RE: Sample image including security packages
> 
> Hello Venkata,
> 
> Thank you for the information.
> 
> Regarding the usage of `IMAGE_PREINSTALL`, I'm not sure if we always need `+` in the image recipe.
> Example: https://github.com/ilbers/isar/blob/master/doc/user_manual.md#create-a-custom-image-recipe
> Could you dump the value of `IMAGE_PREINSTALL` with/without `+` by `bitbake -e` command?
> 
> Best regards,
> Kazu
> 
> > -----Original Message-----
> > From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
> > Sent: Thursday, March 5, 2020 6:06 PM
> > To: hayashi kazuhiro(林 和宏 ○ＳＷＣ□ＯＳＴ) <kazuhiro3.hayashi@toshiba.co.jp>;
> > dinesh kumar(ＴＳＩＰ DS Company) <dinesh.kumar@toshiba-tsip.com>
> > Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> > Subject: RE: Sample image including security packages
> >
> > Hi Kazu-san and Dinesh,
> >
> > I have created the image with all proposed security packages included.
> > applied the below change, and booted the image in QEMU correctly.
> > -----------------
> > diff --git a/recipes-core/images/cip-core-image-security.bb
> > b/recipes-core/images/cip-core-image-security.bb
> > index 70571f8..b883414 100644
> > --- a/recipes-core/images/cip-core-image-security.bb
> > +++ b/recipes-core/images/cip-core-image-security.bb
> > @@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"
> >
> >  # Debian packages that provide security features  # TODO: Add sudo or
> > sudo-ldap which conflict each other -IMAGE_PREINSTALL = " \
> > +IMAGE_PREINSTALL += " \
> >  	openssl libssl1.1 \
> >  	fail2ban \
> >  	openssh-server openssh-sftp-server openssh-client \
> > --
> > -----------------
> >
> > Thanks
> > venkata
> > -----Original Message-----
> > From: Venkata Seshagiri Pyla
> > Sent: 02 March 2020 19:38
> > To: Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>;
> > kazuhiro3.hayashi@toshiba.co.jp
> > Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> > Subject: RE: Sample image including security packages
> >
> > Hi Kazu-san and Dinesh,
> >
> > >We found most of the packages are not included in the isar image,
> > >could you please confirm whether all the proposed packages
> > are included in the given source?
> > >If it is included, could you please let us know how to install them in the image?
> > I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".
> >
> > All the security packages are configured to install are present in this file "cip-core-image-security.bb".
> >
> > I will generate the image for target "cip-core-image-security" and recheck all the security functionality.
> >
> > Thanks,
> > Venkata.
> >
> > -----Original Message-----
> > From: Cip-security [mailto:cip-security-bounces@lists.cip-project.org]
> > On Behalf Of Dinesh Kumar
> > Sent: 02 March 2020 15:29
> > To: kazuhiro3.hayashi@toshiba.co.jp
> > Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> > Subject: Re: [Cip-security] Sample image including security packages
> >
> > Dear Kazu-san,
> >
> > Thanks for sharing the isar-cip-core repository details with us.
> >
> > We followed below steps to first confirm whether all the proposed
> > binaries are included when we create CIP isar based image.
> > 1. Create CIP isar based image from
> > "https://gitlab.com/zuka0828/isar-cip-core/-/tree/master"  for
> > QEMU_x86-64 platform 2. Booted the image in QEMU virtual machine 3. For each security package we compared the binaries
> listed on Debian page e.g. for acl package at (https://packages.debian.org/buster/amd64/acl/filelist)
> >      According to the Debian page there are three binaries which
> > should be present in the image "/bin/chacl", "/bin/getfacl", "/bin/setfacl".
> >      Then we check in the CIP running image at /bin whether all three packages are included or not.
> > 4. Based on this kind of investigation we have prepare the attached
> > list of missing binary packages in current CIP isar image.
> >
> > We found most of the packages are not included in the isar image,
> > could you please confirm whether all the proposed packages are included in the given source?
> > If it is included, could you please let us know how to install them in the image?
> >
> > Once all the security packages are included in the CIP isar image, we
> > will proceed to next step of verifying applicable IEC 62443-4-2 security requirements.
> >
> > Thanks & Regards,
> > Dinesh Kumar
> >
> >
> > -----Original Message-----
> > From: Cip-security <cip-security-bounces@lists.cip-project.org> On
> > Behalf Of kazuhiro3.hayashi@toshiba.co.jp
> > Sent: 21 February 2020 10:58
> > To: cip-security@lists.cip-project.org
> > Cc: cip-dev@lists.cip-project.org
> > Subject: [Cip-security] Sample image including security packages
> >
> > Hello CIP Security WG,
> >
> > I've created a sample setting to customize CIP Core generic profile.
> > https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
> > (Now in my personal account)
> >
> > Introduction:
> > https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md
> >
> > Please ask in cip-dev if you need more development information :)
> >
> > Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
> > We need to select one from them.
> > I temporally removed the both from `IMAGE_PREINSTALL`.
> >
> > Best regards,
> > Kazu
> >
> > _______________________________________________
> > Cip-security mailing list
> > Cip-security@lists.cip-project.org
> > https://lists.cip-project.org/mailman/listinfo/cip-security
> > The information contained in this e-mail message and in any
> > attachments/annexure/appendices is confidential to the recipient and may contain privileged information.
> > If you are not the intended recipient, please notify the sender and
> > delete the message along with any attachments/annexure/appendices. You
> > should not disclose, copy or otherwise use the information contained
> > in the message or any annexure. Any views expressed in this e-mail are those of the individual sender except where the
> sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.
> >
> > Although this transmission and any attachments are believed to be free
> > of any virus or other defect that might affect any computer system
> > into which it is received and opened, it is the responsibility of the
> > recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt.
> Ltd, for any loss or damage arising in any way from its use.
> > The information contained in this e-mail message and in any
> > attachments/annexure/appendices is confidential to the recipient and
> > may contain privileged information.
> > If you are not the intended recipient, please notify the sender and
> > delete the message along with any attachments/annexure/appendices. You
> > should not disclose, copy or otherwise use the information contained
> > in the message or any annexure. Any views expressed in this e-mail are
> > those of the individual sender except where the sender specifically
> > states them to be the views of Toshiba Software India Pvt. Ltd.
> > (TSIP),Bangalore.
> >
> > Although this transmission and any attachments are believed to be free
> > of any virus or other defect that might affect any computer system
> > into which it is received and opened, it is the responsibility of the
> > recipient to ensure that it is virus free and no responsibility is
> > accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
> > damage arising in any way from its use.
> 
> The information contained in this e-mail message and in any
> attachments/annexure/appendices is confidential to the
> recipient and may contain privileged information.
> If you are not the intended recipient, please notify the
> sender and delete the message along with any
> attachments/annexure/appendices. You should not disclose,
> copy or otherwise use the information contained in the
> message or any annexure. Any views expressed in this e-mail
> are those of the individual sender except where the sender
> specifically states them to be the views of
> Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.
> 
> Although this transmission and any attachments are believed to be
> free of any virus or other defect that might affect any computer
> system into which it is received and opened, it is the responsibility
> of the recipient to ensure that it is virus free and no responsibility
> is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
> damage arising in any way from its use.

_______________________________________________
cip-dev mailing list
cip-dev@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-dev

Re: [cip-dev] Sample image including security packages

[Venkata Seshagiri Pyla]

Hello Kazu-san,

Thank you for confirming.
Below is the merge request for the same.
https://gitlab.com/zuka0828/isar-cip-core/-/merge_requests/1

Thanks
Venkata.

-----Original Message-----
From: kazuhiro3.hayashi@toshiba.co.jp [mailto:kazuhiro3.hayashi@toshiba.co.jp] 
Sent: 12 March 2020 12:42
To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>
Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
Subject: RE: Sample image including security packages

Hello Venkata,

Thank you for checking the result.
I confirmed that this variable should not be overwritten in the image recipe.
Could you send MR including this update to https://gitlab.com/zuka0828/isar-cip-core ?

Best regards,
Kazu

> -----Original Message-----
> From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
> Sent: Thursday, March 12, 2020 12:56 PM
> To: hayashi kazuhiro(林 和宏 ○ＳＷＣ□ＯＳＴ) <kazuhiro3.hayashi@toshiba.co.jp>; 
> dinesh kumar(ＴＳＩＰ DS Company) <dinesh.kumar@toshiba-tsip.com>
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: RE: Sample image including security packages
> 
> Hello Kazu-san,
> 
> I observed 'init' system is not included in the image when append 
> operator is not used and so booting the image is not successful.
> 
> Here is the output of `bitbake -e cip-core-image-security | grep 
> 'IMAGE_PREINSTALL'` when append is not used
> ----------------------------------------------------------------------
> ---------------------------
> # $IMAGE_PREINSTALL [2 operations]
> IMAGE_PREINSTALL=" 	openssl libssl1.1 	fail2ban 	openssh-server openssh-sftp-server openssh-client
> 	syslog-ng-core syslog-ng-mod-journal 	aide aide-common 	libnftables0 nftables 	libpam-pkcs11
> 	chrony 	tpm2-tools 	tpm2-abrmd 	libtss2-esys0 libtss2-udev 	libpam-cracklib 	acl
> 	libauparse0 audispd-plugins auditd 	uuid-runtime 	vim "
> #     "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> #   " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> ----------------------------------------------------------------------
> ---------------------------
> 
> Output when append is used
> ----------------------------------------------------------------------
> ---------------------------
> # $IMAGE_PREINSTALL [2 operations]
> IMAGE_PREINSTALL=" init  	openssl libssl1.1 	fail2ban 	openssh-server openssh-sftp-server
> openssh-client 	syslog-ng-core syslog-ng-mod-journal 	aide aide-common 	libnftables0 nftables
> 	libpam-pkcs11 	chrony 	tpm2-tools 	tpm2-abrmd 	libtss2-esys0 libtss2-udev 	libpam-cracklib
> 	acl 	libauparse0 audispd-plugins auditd 	uuid-runtime 	vim "
> #     "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> #   " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> ----------------------------------------------------------------------
> ---------------------------
> 
> 
> Thanks,
> Venkata.
> -----Original Message-----
> From: kazuhiro3.hayashi@toshiba.co.jp 
> [mailto:kazuhiro3.hayashi@toshiba.co.jp]
> Sent: 12 March 2020 05:16
> To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; Dinesh 
> Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: RE: Sample image including security packages
> 
> Hello Venkata,
> 
> Thank you for the information.
> 
> Regarding the usage of `IMAGE_PREINSTALL`, I'm not sure if we always need `+` in the image recipe.
> Example: 
> https://github.com/ilbers/isar/blob/master/doc/user_manual.md#create-a
> -custom-image-recipe Could you dump the value of `IMAGE_PREINSTALL` 
> with/without `+` by `bitbake -e` command?
> 
> Best regards,
> Kazu
> 
> > -----Original Message-----
> > From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
> > Sent: Thursday, March 5, 2020 6:06 PM
> > To: hayashi kazuhiro(林 和宏 ○ＳＷＣ□ＯＳＴ) 
> > <kazuhiro3.hayashi@toshiba.co.jp>;
> > dinesh kumar(ＴＳＩＰ DS Company) <dinesh.kumar@toshiba-tsip.com>
> > Cc: cip-security@lists.cip-project.org; 
> > cip-dev@lists.cip-project.org
> > Subject: RE: Sample image including security packages
> >
> > Hi Kazu-san and Dinesh,
> >
> > I have created the image with all proposed security packages included.
> > applied the below change, and booted the image in QEMU correctly.
> > -----------------
> > diff --git a/recipes-core/images/cip-core-image-security.bb
> > b/recipes-core/images/cip-core-image-security.bb
> > index 70571f8..b883414 100644
> > --- a/recipes-core/images/cip-core-image-security.bb
> > +++ b/recipes-core/images/cip-core-image-security.bb
> > @@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"
> >
> >  # Debian packages that provide security features  # TODO: Add sudo 
> > or sudo-ldap which conflict each other -IMAGE_PREINSTALL = " \
> > +IMAGE_PREINSTALL += " \
> >  	openssl libssl1.1 \
> >  	fail2ban \
> >  	openssh-server openssh-sftp-server openssh-client \
> > --
> > -----------------
> >
> > Thanks
> > venkata
> > -----Original Message-----
> > From: Venkata Seshagiri Pyla
> > Sent: 02 March 2020 19:38
> > To: Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>; 
> > kazuhiro3.hayashi@toshiba.co.jp
> > Cc: cip-security@lists.cip-project.org; 
> > cip-dev@lists.cip-project.org
> > Subject: RE: Sample image including security packages
> >
> > Hi Kazu-san and Dinesh,
> >
> > >We found most of the packages are not included in the isar image, 
> > >could you please confirm whether all the proposed packages
> > are included in the given source?
> > >If it is included, could you please let us know how to install them in the image?
> > I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".
> >
> > All the security packages are configured to install are present in this file "cip-core-image-security.bb".
> >
> > I will generate the image for target "cip-core-image-security" and recheck all the security functionality.
> >
> > Thanks,
> > Venkata.
> >
> > -----Original Message-----
> > From: Cip-security 
> > [mailto:cip-security-bounces@lists.cip-project.org]
> > On Behalf Of Dinesh Kumar
> > Sent: 02 March 2020 15:29
> > To: kazuhiro3.hayashi@toshiba.co.jp
> > Cc: cip-security@lists.cip-project.org; 
> > cip-dev@lists.cip-project.org
> > Subject: Re: [Cip-security] Sample image including security packages
> >
> > Dear Kazu-san,
> >
> > Thanks for sharing the isar-cip-core repository details with us.
> >
> > We followed below steps to first confirm whether all the proposed 
> > binaries are included when we create CIP isar based image.
> > 1. Create CIP isar based image from
> > "https://gitlab.com/zuka0828/isar-cip-core/-/tree/master"  for
> > QEMU_x86-64 platform 2. Booted the image in QEMU virtual machine 3. 
> > For each security package we compared the binaries
> listed on Debian page e.g. for acl package at 
> (https://packages.debian.org/buster/amd64/acl/filelist)
> >      According to the Debian page there are three binaries which 
> > should be present in the image "/bin/chacl", "/bin/getfacl", "/bin/setfacl".
> >      Then we check in the CIP running image at /bin whether all three packages are included or not.
> > 4. Based on this kind of investigation we have prepare the attached 
> > list of missing binary packages in current CIP isar image.
> >
> > We found most of the packages are not included in the isar image, 
> > could you please confirm whether all the proposed packages are included in the given source?
> > If it is included, could you please let us know how to install them in the image?
> >
> > Once all the security packages are included in the CIP isar image, 
> > we will proceed to next step of verifying applicable IEC 62443-4-2 security requirements.
> >
> > Thanks & Regards,
> > Dinesh Kumar
> >
> >
> > -----Original Message-----
> > From: Cip-security <cip-security-bounces@lists.cip-project.org> On 
> > Behalf Of kazuhiro3.hayashi@toshiba.co.jp
> > Sent: 21 February 2020 10:58
> > To: cip-security@lists.cip-project.org
> > Cc: cip-dev@lists.cip-project.org
> > Subject: [Cip-security] Sample image including security packages
> >
> > Hello CIP Security WG,
> >
> > I've created a sample setting to customize CIP Core generic profile.
> > https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
> > (Now in my personal account)
> >
> > Introduction:
> > https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md
> >
> > Please ask in cip-dev if you need more development information :)
> >
> > Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
> > We need to select one from them.
> > I temporally removed the both from `IMAGE_PREINSTALL`.
> >
> > Best regards,
> > Kazu
> >
> > _______________________________________________
> > Cip-security mailing list
> > Cip-security@lists.cip-project.org
> > https://lists.cip-project.org/mailman/listinfo/cip-security
> > The information contained in this e-mail message and in any 
> > attachments/annexure/appendices is confidential to the recipient and may contain privileged information.
> > If you are not the intended recipient, please notify the sender and 
> > delete the message along with any attachments/annexure/appendices. 
> > You should not disclose, copy or otherwise use the information 
> > contained in the message or any annexure. Any views expressed in 
> > this e-mail are those of the individual sender except where the
> sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.
> >
> > Although this transmission and any attachments are believed to be 
> > free of any virus or other defect that might affect any computer 
> > system into which it is received and opened, it is the 
> > responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded Software India Pvt.
> Ltd, for any loss or damage arising in any way from its use.
> > The information contained in this e-mail message and in any 
> > attachments/annexure/appendices is confidential to the recipient and 
> > may contain privileged information.
> > If you are not the intended recipient, please notify the sender and 
> > delete the message along with any attachments/annexure/appendices. 
> > You should not disclose, copy or otherwise use the information 
> > contained in the message or any annexure. Any views expressed in 
> > this e-mail are those of the individual sender except where the 
> > sender specifically states them to be the views of Toshiba Software India Pvt. Ltd.
> > (TSIP),Bangalore.
> >
> > Although this transmission and any attachments are believed to be 
> > free of any virus or other defect that might affect any computer 
> > system into which it is received and opened, it is the 
> > responsibility of the recipient to ensure that it is virus free and 
> > no responsibility is accepted by Toshiba Embedded Software India 
> > Pvt. Ltd, for any loss or damage arising in any way from its use.
> 
> The information contained in this e-mail message and in any 
> attachments/annexure/appendices is confidential to the recipient and 
> may contain privileged information.
> If you are not the intended recipient, please notify the sender and 
> delete the message along with any attachments/annexure/appendices. You 
> should not disclose, copy or otherwise use the information contained 
> in the message or any annexure. Any views expressed in this e-mail are 
> those of the individual sender except where the sender specifically 
> states them to be the views of Toshiba Software India Pvt. Ltd. 
> (TSIP),Bangalore.
> 
> Although this transmission and any attachments are believed to be free 
> of any virus or other defect that might affect any computer system 
> into which it is received and opened, it is the responsibility of the 
> recipient to ensure that it is virus free and no responsibility is 
> accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or 
> damage arising in any way from its use.

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the 
recipient and may contain privileged information. 
If you are not the intended recipient, please notify the
sender and delete the message along with any 
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail 
are those of the individual sender except where the sender 
specifically states them to be the views of 
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer 
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility 
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.

_______________________________________________
cip-dev mailing list
cip-dev@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-dev

Re: [cip-dev] Sample image including security packages

[kazuhiro3.hayashi]

Hello Venkata,

> 
> Hello Kazu-san,
> 
> Thank you for confirming.
> Below is the merge request for the same.
> https://gitlab.com/zuka0828/isar-cip-core/-/merge_requests/1

Merged. Thank you for quick response.

Best regards,
Kazu

> 
> Thanks
> Venkata.
> 
> -----Original Message-----
> From: kazuhiro3.hayashi@toshiba.co.jp [mailto:kazuhiro3.hayashi@toshiba.co.jp]
> Sent: 12 March 2020 12:42
> To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>
> Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> Subject: RE: Sample image including security packages
> 
> Hello Venkata,
> 
> Thank you for checking the result.
> I confirmed that this variable should not be overwritten in the image recipe.
> Could you send MR including this update to https://gitlab.com/zuka0828/isar-cip-core ?
> 
> Best regards,
> Kazu
> 
> > -----Original Message-----
> > From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
> > Sent: Thursday, March 12, 2020 12:56 PM
> > To: hayashi kazuhiro(林 和宏 ○ＳＷＣ□ＯＳＴ) <kazuhiro3.hayashi@toshiba.co.jp>;
> > dinesh kumar(ＴＳＩＰ DS Company) <dinesh.kumar@toshiba-tsip.com>
> > Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> > Subject: RE: Sample image including security packages
> >
> > Hello Kazu-san,
> >
> > I observed 'init' system is not included in the image when append
> > operator is not used and so booting the image is not successful.
> >
> > Here is the output of `bitbake -e cip-core-image-security | grep
> > 'IMAGE_PREINSTALL'` when append is not used
> > ----------------------------------------------------------------------
> > ---------------------------
> > # $IMAGE_PREINSTALL [2 operations]
> > IMAGE_PREINSTALL=" 	openssl libssl1.1 	fail2ban 	openssh-server openssh-sftp-server openssh-client
> > 	syslog-ng-core syslog-ng-mod-journal 	aide aide-common 	libnftables0 nftables 	libpam-pkcs11
> > 	chrony 	tpm2-tools 	tpm2-abrmd 	libtss2-esys0 libtss2-udev 	libpam-cracklib 	acl
> > 	libauparse0 audispd-plugins auditd 	uuid-runtime 	vim "
> > #     "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> > #   " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> > ----------------------------------------------------------------------
> > ---------------------------
> >
> > Output when append is used
> > ----------------------------------------------------------------------
> > ---------------------------
> > # $IMAGE_PREINSTALL [2 operations]
> > IMAGE_PREINSTALL=" init  	openssl libssl1.1 	fail2ban 	openssh-server openssh-sftp-server
> > openssh-client 	syslog-ng-core syslog-ng-mod-journal 	aide aide-common 	libnftables0 nftables
> > 	libpam-pkcs11 	chrony 	tpm2-tools 	tpm2-abrmd 	libtss2-esys0 libtss2-udev 	libpam-cracklib
> > 	acl 	libauparse0 audispd-plugins auditd 	uuid-runtime 	vim "
> > #     "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> > #   " ${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> > ----------------------------------------------------------------------
> > ---------------------------
> >
> >
> > Thanks,
> > Venkata.
> > -----Original Message-----
> > From: kazuhiro3.hayashi@toshiba.co.jp
> > [mailto:kazuhiro3.hayashi@toshiba.co.jp]
> > Sent: 12 March 2020 05:16
> > To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; Dinesh
> > Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>
> > Cc: cip-security@lists.cip-project.org; cip-dev@lists.cip-project.org
> > Subject: RE: Sample image including security packages
> >
> > Hello Venkata,
> >
> > Thank you for the information.
> >
> > Regarding the usage of `IMAGE_PREINSTALL`, I'm not sure if we always need `+` in the image recipe.
> > Example:
> > https://github.com/ilbers/isar/blob/master/doc/user_manual.md#create-a
> > -custom-image-recipe Could you dump the value of `IMAGE_PREINSTALL`
> > with/without `+` by `bitbake -e` command?
> >
> > Best regards,
> > Kazu
> >
> > > -----Original Message-----
> > > From: Venkata Seshagiri Pyla [mailto:Venkata.Pyla@toshiba-tsip.com]
> > > Sent: Thursday, March 5, 2020 6:06 PM
> > > To: hayashi kazuhiro(林 和宏 ○ＳＷＣ□ＯＳＴ)
> > > <kazuhiro3.hayashi@toshiba.co.jp>;
> > > dinesh kumar(ＴＳＩＰ DS Company) <dinesh.kumar@toshiba-tsip.com>
> > > Cc: cip-security@lists.cip-project.org;
> > > cip-dev@lists.cip-project.org
> > > Subject: RE: Sample image including security packages
> > >
> > > Hi Kazu-san and Dinesh,
> > >
> > > I have created the image with all proposed security packages included.
> > > applied the below change, and booted the image in QEMU correctly.
> > > -----------------
> > > diff --git a/recipes-core/images/cip-core-image-security.bb
> > > b/recipes-core/images/cip-core-image-security.bb
> > > index 70571f8..b883414 100644
> > > --- a/recipes-core/images/cip-core-image-security.bb
> > > +++ b/recipes-core/images/cip-core-image-security.bb
> > > @@ -18,7 +18,7 @@ IMAGE_INSTALL += "customizations"
> > >
> > >  # Debian packages that provide security features  # TODO: Add sudo
> > > or sudo-ldap which conflict each other -IMAGE_PREINSTALL = " \
> > > +IMAGE_PREINSTALL += " \
> > >  	openssl libssl1.1 \
> > >  	fail2ban \
> > >  	openssh-server openssh-sftp-server openssh-client \
> > > --
> > > -----------------
> > >
> > > Thanks
> > > venkata
> > > -----Original Message-----
> > > From: Venkata Seshagiri Pyla
> > > Sent: 02 March 2020 19:38
> > > To: Dinesh Kumar <Dinesh.Kumar@TOSHIBA-TSIP.COM>;
> > > kazuhiro3.hayashi@toshiba.co.jp
> > > Cc: cip-security@lists.cip-project.org;
> > > cip-dev@lists.cip-project.org
> > > Subject: RE: Sample image including security packages
> > >
> > > Hi Kazu-san and Dinesh,
> > >
> > > >We found most of the packages are not included in the isar image,
> > > >could you please confirm whether all the proposed packages
> > > are included in the given source?
> > > >If it is included, could you please let us know how to install them in the image?
> > > I think we have to create the image for the target "cip-core-image-security" instead of "cip-core-image".
> > >
> > > All the security packages are configured to install are present in this file "cip-core-image-security.bb".
> > >
> > > I will generate the image for target "cip-core-image-security" and recheck all the security functionality.
> > >
> > > Thanks,
> > > Venkata.
> > >
> > > -----Original Message-----
> > > From: Cip-security
> > > [mailto:cip-security-bounces@lists.cip-project.org]
> > > On Behalf Of Dinesh Kumar
> > > Sent: 02 March 2020 15:29
> > > To: kazuhiro3.hayashi@toshiba.co.jp
> > > Cc: cip-security@lists.cip-project.org;
> > > cip-dev@lists.cip-project.org
> > > Subject: Re: [Cip-security] Sample image including security packages
> > >
> > > Dear Kazu-san,
> > >
> > > Thanks for sharing the isar-cip-core repository details with us.
> > >
> > > We followed below steps to first confirm whether all the proposed
> > > binaries are included when we create CIP isar based image.
> > > 1. Create CIP isar based image from
> > > "https://gitlab.com/zuka0828/isar-cip-core/-/tree/master"  for
> > > QEMU_x86-64 platform 2. Booted the image in QEMU virtual machine 3.
> > > For each security package we compared the binaries
> > listed on Debian page e.g. for acl package at
> > (https://packages.debian.org/buster/amd64/acl/filelist)
> > >      According to the Debian page there are three binaries which
> > > should be present in the image "/bin/chacl", "/bin/getfacl", "/bin/setfacl".
> > >      Then we check in the CIP running image at /bin whether all three packages are included or not.
> > > 4. Based on this kind of investigation we have prepare the attached
> > > list of missing binary packages in current CIP isar image.
> > >
> > > We found most of the packages are not included in the isar image,
> > > could you please confirm whether all the proposed packages are included in the given source?
> > > If it is included, could you please let us know how to install them in the image?
> > >
> > > Once all the security packages are included in the CIP isar image,
> > > we will proceed to next step of verifying applicable IEC 62443-4-2 security requirements.
> > >
> > > Thanks & Regards,
> > > Dinesh Kumar
> > >
> > >
> > > -----Original Message-----
> > > From: Cip-security <cip-security-bounces@lists.cip-project.org> On
> > > Behalf Of kazuhiro3.hayashi@toshiba.co.jp
> > > Sent: 21 February 2020 10:58
> > > To: cip-security@lists.cip-project.org
> > > Cc: cip-dev@lists.cip-project.org
> > > Subject: [Cip-security] Sample image including security packages
> > >
> > > Hello CIP Security WG,
> > >
> > > I've created a sample setting to customize CIP Core generic profile.
> > > https://gitlab.com/zuka0828/isar-cip-core/-/tree/master
> > > (Now in my personal account)
> > >
> > > Introduction:
> > > https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/SECURITY.md
> > >
> > > Please ask in cip-dev if you need more development information :)
> > >
> > > Note: `sudo` and `sudo-ldap` conflict each other, but both were proposed.
> > > We need to select one from them.
> > > I temporally removed the both from `IMAGE_PREINSTALL`.
> > >
> > > Best regards,
> > > Kazu
> > >
> > > _______________________________________________
> > > Cip-security mailing list
> > > Cip-security@lists.cip-project.org
> > > https://lists.cip-project.org/mailman/listinfo/cip-security
> > > The information contained in this e-mail message and in any
> > > attachments/annexure/appendices is confidential to the recipient and may contain privileged information.
> > > If you are not the intended recipient, please notify the sender and
> > > delete the message along with any attachments/annexure/appendices.
> > > You should not disclose, copy or otherwise use the information
> > > contained in the message or any annexure. Any views expressed in
> > > this e-mail are those of the individual sender except where the
> > sender specifically states them to be the views of Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.
> > >
> > > Although this transmission and any attachments are believed to be
> > > free of any virus or other defect that might affect any computer
> > > system into which it is received and opened, it is the
> > > responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by Toshiba Embedded
> Software India Pvt.
> > Ltd, for any loss or damage arising in any way from its use.
> > > The information contained in this e-mail message and in any
> > > attachments/annexure/appendices is confidential to the recipient and
> > > may contain privileged information.
> > > If you are not the intended recipient, please notify the sender and
> > > delete the message along with any attachments/annexure/appendices.
> > > You should not disclose, copy or otherwise use the information
> > > contained in the message or any annexure. Any views expressed in
> > > this e-mail are those of the individual sender except where the
> > > sender specifically states them to be the views of Toshiba Software India Pvt. Ltd.
> > > (TSIP),Bangalore.
> > >
> > > Although this transmission and any attachments are believed to be
> > > free of any virus or other defect that might affect any computer
> > > system into which it is received and opened, it is the
> > > responsibility of the recipient to ensure that it is virus free and
> > > no responsibility is accepted by Toshiba Embedded Software India
> > > Pvt. Ltd, for any loss or damage arising in any way from its use.
> >
> > The information contained in this e-mail message and in any
> > attachments/annexure/appendices is confidential to the recipient and
> > may contain privileged information.
> > If you are not the intended recipient, please notify the sender and
> > delete the message along with any attachments/annexure/appendices. You
> > should not disclose, copy or otherwise use the information contained
> > in the message or any annexure. Any views expressed in this e-mail are
> > those of the individual sender except where the sender specifically
> > states them to be the views of Toshiba Software India Pvt. Ltd.
> > (TSIP),Bangalore.
> >
> > Although this transmission and any attachments are believed to be free
> > of any virus or other defect that might affect any computer system
> > into which it is received and opened, it is the responsibility of the
> > recipient to ensure that it is virus free and no responsibility is
> > accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
> > damage arising in any way from its use.
> 
> The information contained in this e-mail message and in any
> attachments/annexure/appendices is confidential to the
> recipient and may contain privileged information.
> If you are not the intended recipient, please notify the
> sender and delete the message along with any
> attachments/annexure/appendices. You should not disclose,
> copy or otherwise use the information contained in the
> message or any annexure. Any views expressed in this e-mail
> are those of the individual sender except where the sender
> specifically states them to be the views of
> Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.
> 
> Although this transmission and any attachments are believed to be
> free of any virus or other defect that might affect any computer
> system into which it is received and opened, it is the responsibility
> of the recipient to ensure that it is virus free and no responsibility
> is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
> damage arising in any way from its use.

_______________________________________________
cip-dev mailing list
cip-dev@lists.cip-project.org
https://lists.cip-project.org/mailman/listinfo/cip-dev