CIP-dev Archive on lore.kernel.org
* [cip-dev] [cip-core:deby 0/3] deby security layer changes
From: Venkata Pyla @ 2020-09-15 14:23 UTC
  To: daniel.sangorrin; +Cc: venkata-pyla, cip-dev



From: venkata-pyla <venkata.pyla@toshiba-tsip.com>

Added a security layer in deby that will be used for IEC 62443-4-2
certification

venkata pyla (3):
  cip-security: Create new layer for cip security
  security-configuration: apply security policies using package bbappend
  aide-static: enable aide to build statically

 README.md                                     |  5 +++
 kas/opt/security.yml                          | 32 +++++++++++++++
 .../conf/include/aide-static-libs.inc         | 10 +++++
 meta-cip-security/conf/layer.conf             | 20 ++++++++++
 .../audit/audit_debian.bbappend               | 20 ++++++++++
 .../base-files/base-files_debian.bbappend     |  3 ++
 .../openssh/openssh_debian.bbappend           | 19 +++++++++
 .../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
 8 files changed, 148 insertions(+)
 create mode 100644 kas/opt/security.yml
 create mode 100644 meta-cip-security/conf/include/aide-static-libs.inc
 create mode 100644 meta-cip-security/conf/layer.conf
 create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
 create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
 create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
 create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend

-- 
2.27.0.windows.1

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the 
recipient and may contain privileged information. 
If you are not the intended recipient, please notify the
sender and delete the message along with any 
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail 
are those of the individual sender except where the sender 
specifically states them to be the views of 
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer 
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility 
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#5452): https://lists.cip-project.org/g/cip-dev/message/5452
Mute This Topic: https://lists.cip-project.org/mt/76865926/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-


* [cip-dev] [cip-core:deby 1/3] cip-security: Create new layer for cip security
From: Venkata Pyla @ 2020-09-15 14:23 UTC
  To: daniel.sangorrin; +Cc: venkata pyla, cip-dev



From: venkata pyla <venkata.pyla@toshiba-tsip.com>

This layer enables security packages and default configurations
required for the IEC 62443-4-2 assessment.

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
 README.md                         |  5 +++++
 kas/opt/security.yml              | 32 +++++++++++++++++++++++++++++++
 meta-cip-security/conf/layer.conf | 18 +++++++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 kas/opt/security.yml
 create mode 100644 meta-cip-security/conf/layer.conf

diff --git a/README.md b/README.md
index f90e040..f59dd0c 100644
--- a/README.md
+++ b/README.md
@@ -88,3 +88,8 @@ LTP test image for QEMU arm64 / hihope-rzg2m
 
     $ ./scripts/kas-build.sh kas/board/qemuarm64.yml:kas/opt/deby.yml:kas/opt/dhcp.yml:kas/opt/ltp.yml
 
+Create Security image for QEMU x86-64
+-------------------------------------
+
+    $ ./scripts/kas-build.sh kas/board/qemux86-64.yml:kas/opt/deby.yml:kas/opt/security.yml
+
diff --git a/kas/opt/security.yml b/kas/opt/security.yml
new file mode 100644
index 0000000..e84290c
--- /dev/null
+++ b/kas/opt/security.yml
@@ -0,0 +1,32 @@
+#
+# CIP Core tiny profile with Security
+# packages and configuration
+#
+# Copyright (c) 2019 TOSHIBA Corp.
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+    version: 8
+
+repos:
+    meta-cip-security:
+       layers:
+          meta-cip-security:
+
+local_conf_header:
+  security: |
+    DISTRO_FEATURES_append += " pam"
+    CORE_IMAGE_EXTRA_INSTALL += " \
+                                 aide aide-common \
+                                 openssl openssl-bin \
+                                 openssh openssh-misc \
+                                 chrony chronyc \
+                                 libpam pam-plugin-cracklib pam-plugin-tally2 \
+                                 syslog-ng \
+                                 acl \
+                                 sudo \
+                                 auditd \
+                                 util-linux \
+                                 "
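Review bot: `DISTRO_FEATURES_append += " pam"` mixes the `_append` override with `+=`; `_append` already appends, so the conventional form is `DISTRO_FEATURES_append = " pam"` (keeping the leading space). The header also says `Copyright (c) 2019` for a file created in 2020, while the bbappends later in this series say 2020; pick one.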
diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf
new file mode 100644
index 0000000..b015436
--- /dev/null
+++ b/meta-cip-security/conf/layer.conf
@@ -0,0 +1,18 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH =. "${LAYERDIR}:"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+            ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "cip-security"
+BBFILE_PATTERN_cip-security = "^${LAYERDIR}/"
+BBFILE_PRIORITY_cip-security = "11"
+
+# This should only be incremented on significant changes that will
+# cause compatibility issues with other layers
+LAYERVERSION_cip-security = "1"
+
+LAYERDEPENDS_cip-security = "debian"
+
+LAYERSERIES_COMPAT_cip-security = "warrior"
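Review bot: the first comment says the layer has `conf` and `classes` directories, but this patch adds only `conf/`; drop the mention of classes or add the directory. `LAYERSERIES_COMPAT_cip-security = "warrior"` pins the layer to a single release, which is fine if the deby configuration in cip-core is warrior-based, but say so in the cover letter so the pin is not read as an oversight.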
-- 
2.27.0.windows.1





* [cip-dev] [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend
From: Venkata Pyla @ 2020-09-15 14:23 UTC
  To: daniel.sangorrin; +Cc: venkata pyla, cip-dev



From: venkata pyla <venkata.pyla@toshiba-tsip.com>

Add package bbappend files in the security layer that will apply
the security configurations, e.g.:
    Set password strength in pam configurations
    Set audit failure actions in audit package configurations
    etc.

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
 .../audit/audit_debian.bbappend               | 20 ++++++++++
 .../base-files/base-files_debian.bbappend     |  3 ++
 .../openssh/openssh_debian.bbappend           | 19 +++++++++
 .../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
 4 files changed, 81 insertions(+)
 create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
 create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
 create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
 create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend

diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
new file mode 100644
index 0000000..c148f27
--- /dev/null
+++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
@@ -0,0 +1,20 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
+
+pkg_postinst_audit_append() {
+	# CR2.9: Audit storage capacity
+	# CR2.9 RE-1: Warn when audit record storage capacity threshold reached
+	AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
+	sed -i 's/space_left_action = .*/space_left_action = SYSLOG/'  $AUDIT_CONF_FILE
+	sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE
+
+	# CR2.10: Response to audit processing failures
+	sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
+}
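Review bot: the first `sed` expression, `s/space_left_action = .*/.../`, is unanchored, so it also matches inside the `admin_space_left_action` line; anchor both substitutions with `^` (`s/^space_left_action = .*/...`) so the two values can be set independently. Two further points: `pkg_postinst_audit_append` is attached to a package named `audit`, while kas/opt/security.yml installs `auditd`, so confirm that the package shipping auditd.conf is really called `audit`, otherwise the function never runs; and `SYSLOG` for `space_left_action`, `admin_space_left_action` and `disk_error_action` only writes a message, so the system keeps running, and may keep losing audit records, when the log disk is full or failing. Quote `$AUDIT_CONF_FILE` as well.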
diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
new file mode 100644
index 0000000..895dc9f
--- /dev/null
+++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
@@ -0,0 +1,3 @@
+do_install_append() {
+	echo "${MACHINE}" > ${D}${sysconfdir}/hostname
+}
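Review bot: unlike the other three bbappends in this patch, this file has no header or license comment, and the change overwrites `/etc/hostname` with `${MACHINE}` for every image that enables this layer, not only the security profile. If it stays, quote the redirection target (`"${D}${sysconfdir}/hostname"`) and explain the motivation in the commit message.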
diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
new file mode 100644
index 0000000..ddd2bfc
--- /dev/null
+++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
@@ -0,0 +1,19 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
+
+pkg_postinst_${PN}_append() {
+	# CR2.6: Remote session termination
+	# Terminate remote session after inactive time period
+	SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
+	alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
+	alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
+	sed -i "/${alive_interval}/c ClientAliveInterval 120"  "${SSHD_CONFIG}"
+	sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
+}
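Review bot: the `sed -i "/${alive_interval}/c ..."` and `sed -i "/${alive_countmax}/c ..."` lines build a sed address out of a whole captured line, which breaks in two ways: when the key is absent from sshd_config the variable is empty, the address becomes `//` and GNU sed fails with "no previous regular expression"; when more than one line matches (a comment plus a setting, for instance) the variable contains a newline and the script is invalid. Replace each pair with one idempotent edit, e.g. delete any existing `ClientAliveInterval` line and append `ClientAliveInterval 120`. Note also that the ClientAlive settings only detect an unresponsive client (the ssh client answers keepalives automatically while the user is idle), so this does not terminate idle sessions as the CR2.6 comment describes, and on OpenSSH 8.2 and newer `ClientAliveCountMax 0` disables connection termination entirely.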
diff --git a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
new file mode 100644
index 0000000..c9c1605
--- /dev/null
+++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
@@ -0,0 +1,39 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
+
+pkg_postinst_pam-plugin-cracklib_append() {
+	# CR1.7: Strength of password-based authentication
+	# Pam configuration to  enforce password strength
+	PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
+	CRACKLIB_CONFIG="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
+	if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
+		sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
+	fi
+	sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
+}
+
+pkg_postinst_pam-plugin-tally2_append() {
+	# CR1.11: Unsuccessful login attempts
+	# Lock user account after unsuccessful login attempts
+	PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
+	pam_tally="auth   required  pam_tally2.so  deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
+	if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
+        	sed -i '/pam_tally2/ s/^#*/#/'  "${PAM_AUTH_FILE}"
+	fi
+	sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
+}
+
+
+pkg_postinst_libpam_append() {
+	# CR2.7: Concurrent session control
+	# Limit the concurrent login sessions
+	LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
+	echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
+}
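Review bot: in `pkg_postinst_pam-plugin-cracklib_append` the new `pam_cracklib.so` line is inserted ahead of the first `password` entry, but the `pam_unix.so` entry that follows is left without `use_authtok`; pam_unix then prompts for a new password of its own, so the value checked by pam_cracklib is not the one that gets set and the strength check can be skipped at the second prompt. Add `use_authtok` to the pam_unix line in the same sed pass. In `pkg_postinst_pam-plugin-tally2_append`, pam_tally2 also needs an `account required pam_tally2.so` entry in common-account so that a successful login resets the counter; without it failures accumulate across sessions, and the `sed -i '/pam_tally2/ ...'` line is indented with spaces plus a tab while the rest of the file uses tabs. In `pkg_postinst_libpam_append`, `echo ... >>` appends a duplicate line every time the postinst runs (grep for it first), and limits.conf wildcards do not apply to root, so a separate `root hard maxlogins` line is needed if root is in scope.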
-- 
2.27.0.windows.1





* [cip-dev] [cip-core:deby 3/3] aide-static: enable aide to build statically
From: Venkata Pyla @ 2020-09-15 14:23 UTC
  To: daniel.sangorrin; +Cc: venkata pyla, cip-dev



From: venkata pyla <venkata.pyla@toshiba-tsip.com>

To build aide statically, its dependencies must also be compiled statically,
so static compilation is enabled for all aide-dependent library packages in
an include file that is added to the layer configuration.

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
 meta-cip-security/conf/include/aide-static-libs.inc | 10 ++++++++++
 meta-cip-security/conf/layer.conf                   |  2 ++
 2 files changed, 12 insertions(+)
 create mode 100644 meta-cip-security/conf/include/aide-static-libs.inc

diff --git a/meta-cip-security/conf/include/aide-static-libs.inc b/meta-cip-security/conf/include/aide-static-libs.inc
new file mode 100644
index 0000000..1dc4374
--- /dev/null
+++ b/meta-cip-security/conf/include/aide-static-libs.inc
@@ -0,0 +1,10 @@
+DISABLE_STATIC ?= " --disable-static"
+
+# aide dependencies to build statically
+DISABLE_STATIC_pn-aide = " " 
+DISABLE_STATIC_pn-libgpg-error = " " 
+DISABLE_STATIC_pn-libmhash = " " 
+DISABLE_STATIC_pn-attr = " " 
+DISABLE_STATIC_pn-acl = " " 
+DISABLE_STATIC_pn-libpcre = " " 
+EXTRA_OECONF_append_pn-aide = " --without-audit"
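Review bot: each `DISABLE_STATIC_pn-* = " "` line carries trailing whitespace, and `""` would express the intent more clearly than a single space. `EXTRA_OECONF_append_pn-aide = " --without-audit"` silently drops aide's audit support; if that is because no static libaudit is available to link against, say so in the commit message, and likewise state why a static aide is wanted (if the reason is that an integrity checker should not depend on the shared libraries it is checking, that belongs in the commit message too).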
diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf
index b015436..158d75c 100644
--- a/meta-cip-security/conf/layer.conf
+++ b/meta-cip-security/conf/layer.conf
@@ -16,3 +16,5 @@ LAYERVERSION_cip-security = "1"
 LAYERDEPENDS_cip-security = "debian"
 
 LAYERSERIES_COMPAT_cip-security = "warrior"
+
+require conf/include/aide-static-libs.inc
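Review bot: `require conf/include/aide-static-libs.inc` from layer.conf means the `DISABLE_STATIC_pn-*` and `EXTRA_OECONF_append_pn-aide` settings take effect in every build that lists this layer in bblayers.conf, including images that never install aide, so acl, attr, libpcre, libmhash and libgpg-error get static builds everywhere. Consider pulling the include in from the `local_conf_header` in kas/opt/security.yml or from a distro config instead, so that only the security profile pays for it.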
-- 
2.27.0.windows.1





* Re: [cip-dev] [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend
From: Daniel Sangorrin @ 2020-09-17  3:02 UTC
  To: Venkata.Pyla; +Cc: Venkata.Pyla, cip-dev



Hi Venkata-san

Please check my inline comments and send me a merge request when you solve them.

> -----Original Message-----
> From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
> Sent: Tuesday, September 15, 2020 11:24 PM
> To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) <daniel.sangorrin@toshiba.co.jp>
> Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Subject: [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend
> 
> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
> 
> add package bbappaned files in the security layer that will apply

bbappend

> the security configurations like
>     e.g: Set password strength in pam configurations
>          Set audit failure actions in audit package configurations
>          etc.
> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
> ---
>  .../audit/audit_debian.bbappend               | 20 ++++++++++
>  .../base-files/base-files_debian.bbappend     |  3 ++
>  .../openssh/openssh_debian.bbappend           | 19 +++++++++
>  .../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
>  4 files changed, 81 insertions(+)
>  create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
>  create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
>  create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
>  create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend

Ideally, you would separate the patches for each file unless they have something in common.
 
> diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-
> debian/audit/audit_debian.bbappend
> new file mode 100644
> index 0000000..c148f27
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
> @@ -0,0 +1,20 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +DESCRIPTION = "CIP Security customizations"
Append "for audit" to the description.

> +
> +pkg_postinst_audit_append() {
> +	# CR2.9: Audit storage capacity
> +	# CR2.9 RE-1: Warn when audit record storage capacity threshold reached
> +	AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
> +	sed -i 's/space_left_action = .*/space_left_action = SYSLOG/'  $AUDIT_CONF_FILE
> +	sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE

Don't you need to specify the values for space_left and admin_space_left?
Perhaps these variables should be configurable and have a default value.
Example:
AUDIT_SPACE_LEFT ?= "100"

Then you can change the value in local.conf (or using kas's local_conf_headers)

> +
> +	# CR2.10: Response to audit processing failures
> +	sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
> +}

Please check if you need other options as well here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_the_audit_service

> diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-
> files/base-files_debian.bbappend
> new file mode 100644
> index 0000000..895dc9f
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
> @@ -0,0 +1,3 @@
> +do_install_append() {
> +	echo "${MACHINE}" > ${D}${sysconfdir}/hostname
> +}

Is this related to the security layer?
If not, please separate it into a different patch and explain why it is necessary.

> diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-
> debian/openssh/openssh_debian.bbappend
> new file mode 100644
> index 0000000..ddd2bfc
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
> @@ -0,0 +1,19 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +DESCRIPTION = "CIP Security customizations"

Same as before, append "for openssh". The description for different things should be different.

> +
> +pkg_postinst_${PN}_append() {
> +	# CR2.6: Remote session termination
> +	# Terminate remote session after inactive time period
> +	SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
> +	alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
> +	alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
> +	sed -i "/${alive_interval}/c ClientAliveInterval 120"  "${SSHD_CONFIG}"
> +	sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"

Perhaps make the value for ClientAliveInterval configurable and use 120 as default.

> +}
> diff --git a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend b/meta-cip-security/recipes-
> debian/pam/libpam_debian.bbappend
> new file mode 100644
> index 0000000..c9c1605
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
> @@ -0,0 +1,39 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +DESCRIPTION = "CIP Security customizations"

Same thing: "for libpam"

> +
> +pkg_postinst_pam-plugin-cracklib_append() {
> +	# CR1.7: Strength of password-based authentication
> +	# Pam configuration to  enforce password strength
> +	PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
> +	CRACKLIB_CONFIG="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1
> ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
> +	if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
> +		sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
> +	fi
> +	sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
> +}

Perhaps make minlen configurable.

> +
> +pkg_postinst_pam-plugin-tally2_append() {
> +	# CR1.11: Unsuccessful login attempts
> +	# Lock user account after unsuccessful login attempts
> +	PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
> +	pam_tally="auth   required  pam_tally2.so  deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
> +	if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
> +        	sed -i '/pam_tally2/ s/^#*/#/'  "${PAM_AUTH_FILE}"
> +	fi
> +	sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
> +}
> +
> +
> +pkg_postinst_libpam_append() {
> +	# CR2.7: Concurrent session control
> +	# Limit the concurrent login sessions
> +	LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
> +	echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
> +}

Thanks,
Daniel




* Re: [cip-dev] [cip-core:deby 1/3] cip-security: Create new layer for cip security
From: Daniel Sangorrin @ 2020-09-17  3:05 UTC
  To: Venkata.Pyla; +Cc: Venkata.Pyla, cip-dev



Thanks, it looks good.
Please send me a merge request.

> -----Original Message-----
> From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
> Sent: Tuesday, September 15, 2020 11:24 PM
> To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) <daniel.sangorrin@toshiba.co.jp>
> Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Subject: [cip-core:deby 1/3] cip-security: Create new layer for cip security
> 
> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
> 
> This layer enables security packages and default configurations
> required to evaluate IEC62443-4-2 assessment
> 
> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
> ---
>  README.md                         |  5 +++++
>  kas/opt/security.yml              | 32 +++++++++++++++++++++++++++++++
>  meta-cip-security/conf/layer.conf | 18 +++++++++++++++++
>  3 files changed, 55 insertions(+)
>  create mode 100644 kas/opt/security.yml
>  create mode 100644 meta-cip-security/conf/layer.conf
> 
> diff --git a/README.md b/README.md
> index f90e040..f59dd0c 100644
> --- a/README.md
> +++ b/README.md
> @@ -88,3 +88,8 @@ LTP test image for QEMU arm64 / hihope-rzg2m
> 
>      $ ./scripts/kas-build.sh kas/board/qemuarm64.yml:kas/opt/deby.yml:kas/opt/dhcp.yml:kas/opt/ltp.yml
> 
> +Create Security image for QEMU x86-64
> +-------------------------------------
> +
> +    $ ./scripts/kas-build.sh kas/board/qemux86-64.yml:kas/opt/deby.yml:kas/opt/security.yml
> +
> diff --git a/kas/opt/security.yml b/kas/opt/security.yml
> new file mode 100644
> index 0000000..e84290c
> --- /dev/null
> +++ b/kas/opt/security.yml
> @@ -0,0 +1,32 @@
> +#
> +# CIP Core tiny profile with Security
> +# packages and configuration
> +#
> +# Copyright (c) 2019 TOSHIBA Corp.
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +header:
> +    version: 8
> +
> +repos:
> +    meta-cip-security:
> +       layers:
> +          meta-cip-security:
> +
> +local_conf_header:
> +  security: |
> +    DISTRO_FEATURES_append += " pam"
> +    CORE_IMAGE_EXTRA_INSTALL += " \
> +                                 aide aide-common \
> +                                 openssl openssl-bin \
> +                                 openssh openssh-misc \
> +                                 chrony chronyc \
> +                                 libpam pam-plugin-cracklib pam-plugin-tally2 \
> +                                 syslog-ng \
> +                                 acl \
> +                                 sudo \
> +                                 auditd \
> +                                 util-linux \
> +                                 "
> diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf
> new file mode 100644
> index 0000000..b015436
> --- /dev/null
> +++ b/meta-cip-security/conf/layer.conf
> @@ -0,0 +1,18 @@
> +# We have a conf and classes directory, add to BBPATH
> +BBPATH =. "${LAYERDIR}:"
> +
> +# We have recipes-* directories, add to BBFILES
> +BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
> +            ${LAYERDIR}/recipes-*/*/*.bbappend"
> +
> +BBFILE_COLLECTIONS += "cip-security"
> +BBFILE_PATTERN_cip-security = "^${LAYERDIR}/"
> +BBFILE_PRIORITY_cip-security = "11"
> +
> +# This should only be incremented on significant changes that will
> +# cause compatibility issues with other layers
> +LAYERVERSION_cip-security = "1"
> +
> +LAYERDEPENDS_cip-security = "debian"
> +
> +LAYERSERIES_COMPAT_cip-security = "warrior"
> --
> 2.27.0.windows.1
> 



* Re: [cip-dev] [cip-core:deby 3/3] aide-static: enable aide to build statically
  2020-09-15 14:23 ` [cip-dev] [cip-core:deby 3/3] aide-static: enable aide to build statically Venkata Pyla
@ 2020-09-17  3:07   ` Daniel Sangorrin
  0 siblings, 0 replies; 9+ messages in thread
From: Daniel Sangorrin @ 2020-09-17  3:07 UTC (permalink / raw)
  To: Venkata.Pyla; +Cc: Venkata.Pyla, cip-dev



Thanks, it looks good.
Perhaps you can write in the commit id what is the effect in size compared to not using static compilation.
Please send me a merge request.

> -----Original Message-----
> From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
> Sent: Tuesday, September 15, 2020 11:24 PM
> To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) <daniel.sangorrin@toshiba.co.jp>
> Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Subject: [cip-core:deby 3/3] aide-static: enable aide to build statically
> 
> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
> 
> To build aide statically, its dependencies also compile statically, so all aide-dependent library packages have static compiling enabled in an
> include file that is added to the layer configuration.
> 
> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
> ---
>  meta-cip-security/conf/include/aide-static-libs.inc | 10 ++++++++++
>  meta-cip-security/conf/layer.conf                   |  2 ++
>  2 files changed, 12 insertions(+)
>  create mode 100644 meta-cip-security/conf/include/aide-static-libs.inc
> 
> diff --git a/meta-cip-security/conf/include/aide-static-libs.inc b/meta-cip-security/conf/include/aide-static-libs.inc
> new file mode 100644
> index 0000000..1dc4374
> --- /dev/null
> +++ b/meta-cip-security/conf/include/aide-static-libs.inc
> @@ -0,0 +1,10 @@
> +DISABLE_STATIC ?= " --disable-static"
> +
> +# aide dependencies to build statically DISABLE_STATIC_pn-aide = " "
> +DISABLE_STATIC_pn-libgpg-error = " "
> +DISABLE_STATIC_pn-libmhash = " "
> +DISABLE_STATIC_pn-attr = " "
> +DISABLE_STATIC_pn-acl = " "
> +DISABLE_STATIC_pn-libpcre = " "
> +EXTRA_OECONF_append_pn-aide = " --without-audit"
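Review bot: the line `# aide dependencies to build statically DISABLE_STATIC_pn-aide = " "` appears here as a single line; if that is how it sits in the file rather than a mail-client wrap, the `DISABLE_STATIC_pn-aide` override is part of the comment and aide itself is still configured with `--disable-static` from the default on the first line. Please confirm the assignment is on its own line. The `EXTRA_OECONF_append_pn-aide = " --without-audit"` line also needs a comment stating why aide's audit support is dropped (presumably to avoid a static link against libaudit), since the same layer installs auditd and a reader will otherwise expect the two to work together.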
> diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf
> index b015436..158d75c 100644
> --- a/meta-cip-security/conf/layer.conf
> +++ b/meta-cip-security/conf/layer.conf
> @@ -16,3 +16,5 @@ LAYERVERSION_cip-security = "1"
>  LAYERDEPENDS_cip-security = "debian"
> 
>  LAYERSERIES_COMPAT_cip-security = "warrior"
> +
> +require conf/include/aide-static-libs.inc
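Review bot: `require conf/include/aide-static-libs.inc` in layer.conf is parsed for every build that has the layer enabled, so the `DISABLE_STATIC_pn-*` overrides for libgpg-error, libmhash, attr, acl and libpcre also take effect in images that never install aide. If the static build is only wanted for the security profile, scoping the include through a distro or local configuration fragment (the kas option file for this layer would be one place) keeps the other packages unchanged; otherwise please state in the commit message that the layer-wide effect is intended.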
> --
> 2.27.0.windows.1



* Re: [cip-dev] [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend
  2020-09-17  3:02   ` Daniel Sangorrin
@ 2020-09-18  4:53     ` Venkata Pyla
  2020-09-19 12:15       ` Venkata Pyla
  0 siblings, 1 reply; 9+ messages in thread
From: Venkata Pyla @ 2020-09-18  4:53 UTC (permalink / raw)
  To: daniel.sangorrin; +Cc: cip-dev



Hi Daniel-san,

Thank you for your feedback.

Sorry for the spelling issues in the commits; I will correct them and send another merge request.
I will also apply the other security configuration suggestions.

Thanks
Venkata.

-----Original Message-----
From: daniel.sangorrin@toshiba.co.jp <daniel.sangorrin@toshiba.co.jp> 
Sent: 17 September 2020 08:32
To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>
Cc: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Subject: RE: [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend

Hi Venkata-san

Please check my inline comments and send me a merge request when you solve them.

> -----Original Message-----
> From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
> Sent: Tuesday, September 15, 2020 11:24 PM
> To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) 
> <daniel.sangorrin@toshiba.co.jp>
> Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; 
> cip-dev@lists.cip-project.org
> Subject: [cip-core:deby 2/3] security-configuration: apply security 
> polcies using package bbappend
> 
> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
> 
> add package bbappaned files in the security layer that will apply

bbappend

> the security configurations like
>     e.g: Set password strength in pam configurations
>          Set audit failure actions in audit package configurations
>          etc.
> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
> ---
>  .../audit/audit_debian.bbappend               | 20 ++++++++++
>  .../base-files/base-files_debian.bbappend     |  3 ++
>  .../openssh/openssh_debian.bbappend           | 19 +++++++++
>  .../recipes-debian/pam/libpam_debian.bbappend | 39 
> +++++++++++++++++++
>  4 files changed, 81 insertions(+)
>  create mode 100644 
> meta-cip-security/recipes-debian/audit/audit_debian.bbappend
>  create mode 100644 
> meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
>  create mode 100644 
> meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
>  create mode 100644 
> meta-cip-security/recipes-debian/pam/libpam_debian.bbappend

Ideally, you would separate the patches for each file unless they have something in common.
 
> diff --git 
> a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend 
> b/meta-cip-security/recipes- debian/audit/audit_debian.bbappend
> new file mode 100644
> index 0000000..c148f27
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
> @@ -0,0 +1,20 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020 # # 
> +SPDX-License-Identifier: MIT #
> +
> +DESCRIPTION = "CIP Security customizations"
Append "for audit" to the description.

> +
> +pkg_postinst_audit_append() {
> +	# CR2.9: Audit storage capacity
> +	# CR2.9 RE-1: Warn when audit record storage capacity threshold reached
> +	AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
> +	sed -i 's/space_left_action = .*/space_left_action = SYSLOG/'  $AUDIT_CONF_FILE
> +	sed -i 's/admin_space_left_action = .*/admin_space_left_action = 
> +SYSLOG/' $AUDIT_CONF_FILE

Don't you need to specify the values for space_left and admin_space_left?
Perhaps these variables should be configurable and have a default value.
Example:
AUDIT_SPACE_LEFT ?= "100"

Then you can change the value in local.conf (or using kas's local_conf_headers)

> +
> +	# CR2.10: Response to audit processing failures
> +	sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' 
> +$AUDIT_CONF_FILE }
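Review bot: the three `sed -i 's/space_left_action = .*/...'`-style substitutions in `pkg_postinst_audit_append` are silent no-ops when the key is absent, commented out, or spelled without the surrounding spaces in the shipped auditd.conf, so the CR2.9 and CR2.10 settings could be missing from the image without the build noticing. Please anchor the patterns at line start (`s/^space_left_action = .*/space_left_action = SYSLOG/`) and, when `grep -q '^space_left_action' "$AUDIT_CONF_FILE"` finds nothing, append the key or fail the postinst. `$AUDIT_CONF_FILE` should also be quoted, as the openssh bbappend in this series does for its path.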

Please check if you need other options as well here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_the_audit_service

> diff --git 
> a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappe
> nd b/meta-cip-security/recipes-debian/base-
> files/base-files_debian.bbappend
> new file mode 100644
> index 0000000..895dc9f
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bb
> +++ append
> @@ -0,0 +1,3 @@
> +do_install_append() {
> +	echo "${MACHINE}" > ${D}${sysconfdir}/hostname }

Is this related to the security layer?
If not, please separate it into a different patch and explain why it is necessary.

> diff --git 
> a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend 
> b/meta-cip-security/recipes- debian/openssh/openssh_debian.bbappend
> new file mode 100644
> index 0000000..ddd2bfc
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
> @@ -0,0 +1,19 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020 # # 
> +SPDX-License-Identifier: MIT #
> +
> +DESCRIPTION = "CIP Security customizations"

Same as before, append "for openssh". The description for different things should be different.

> +
> +pkg_postinst_${PN}_append() {
> +	# CR2.6: Remote session termination
> +	# Terminate remote session after inactive time period
> +	SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
> +	alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
> +	alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
> +	sed -i "/${alive_interval}/c ClientAliveInterval 120"  "${SSHD_CONFIG}"
> +	sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"

Perhaps make the value for ClientAliveInterval configurable and use 120 as default.

> +}
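Review bot: the `ClientAliveInterval` / `ClientAliveCountMax` pair does not implement the "Terminate remote session after inactive time period" behaviour the comment claims. The client answers the alive probes automatically, so an idle but connected session is never terminated; these options only drop clients that have stopped responding. A user-inactivity timeout needs a shell-level mechanism (for example `TMOUT` in the login shell profile) and the CR2.6 mapping should say so. The lookup is also fragile: `alive_interval=$(sed -n '/ClientAliveInterval/p' ...)` captures the whole matching line and reuses it as a regex address, so an absent key produces an empty `//` address (GNU sed aborts with "no previous regular expression") and two matching lines (a commented default plus an active one) produce a broken multi-line address. A direct address such as `sed -i '/^#\?ClientAliveInterval/c ClientAliveInterval 120'`, plus an append when nothing matches, avoids both. Finally, `ClientAliveCountMax 0` changed meaning in OpenSSH 8.2, where it disables connection termination entirely; a non-zero count keeps the behaviour stable across versions.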
> diff --git 
> a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend 
> b/meta-cip-security/recipes- debian/pam/libpam_debian.bbappend new 
> file mode 100644 index 0000000..c9c1605
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
> @@ -0,0 +1,39 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020 # # 
> +SPDX-License-Identifier: MIT #
> +
> +DESCRIPTION = "CIP Security customizations"

Same thing: "for libpam"

> +
> +pkg_postinst_pam-plugin-cracklib_append() {
> +	# CR1.7: Strength of password-based authentication
> +	# Pam configuration to  enforce password strength
> +	PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
> +	CRACKLIB_CONFIG="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1
> ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
> +	if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
> +		sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
> +	fi
> +	sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
> +}

Perhaps set minlen configurable.

> +
> +pkg_postinst_pam-plugin-tally2_append() {
> +	# CR1.11: Unsuccessful login attempts
> +	# Lock user account after unsuccessful login attempts
> +	PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
> +	pam_tally="auth   required  pam_tally2.so  deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
> +	if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
> +        	sed -i '/pam_tally2/ s/^#*/#/'  "${PAM_AUTH_FILE}"
> +	fi
> +	sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
> +}
> +
> +
> +pkg_postinst_libpam_append() {
> +	# CR2.7: Concurrent session control
> +	# Limit the concurrent login sessions
> +	LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
> +	echo "* hard maxlogins 2" >> ${LIMITS_CONFIG} }
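Review bot: `pkg_postinst_pam-plugin-tally2_append` adds `pam_tally2.so` only to the `auth` stack of common-auth. pam_tally2 clears the failure counter in its account phase, so without a matching `account required pam_tally2.so` line (in common-account) a successful login never resets the count; successful logins increment it as well, and with `even_deny_root` every account, root included, ends up locked for `unlock_time` after a handful of logins of any outcome. Please add the account line and verify with `pam_tally2 --user <name>` after a successful login; note also that pam_tally2 is deprecated upstream and removed in Linux-PAM 1.5, so a pam_faillock equivalent should be planned. In `pkg_postinst_libpam_append`, `* hard maxlogins 2` does not apply to root, because pam_limits never applies wildcard entries to root; add an explicit `root hard maxlogins 2` if CR2.7 is meant to cover it, and guard the `>>` append with a grep so re-running the postinst does not duplicate the line. Minor: `grep -c` prints the match count, `grep -q` is the idiomatic test, and the `sed -i '/pam_tally2/ ...` line mixes spaces and tabs in its indentation.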

Thanks,
Daniel



* Re: [cip-dev] [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend
  2020-09-18  4:53     ` Venkata Pyla
@ 2020-09-19 12:15       ` Venkata Pyla
  0 siblings, 0 replies; 9+ messages in thread
From: Venkata Pyla @ 2020-09-19 12:15 UTC (permalink / raw)
  To: cip-dev



On Fri, Sep 18, 2020 at 10:23 AM, Venkata Pyla wrote:
Hi Daniel-san,

I have created the merge request for all the security layer changes including your suggestions.
Kindly review and let me know if you have any more suggestions.

Thanks
venkata.


Thread overview: 9+ messages
2020-09-15 14:23 [cip-dev] [cip-core:deby 0/3] deby security layer changes Venkata Pyla
2020-09-15 14:23 ` [cip-dev] [cip-core:deby 1/3] cip-security: Create new layer for cip security Venkata Pyla
2020-09-17  3:05   ` Daniel Sangorrin
2020-09-15 14:23 ` [cip-dev] [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend Venkata Pyla
2020-09-17  3:02   ` Daniel Sangorrin
2020-09-18  4:53     ` Venkata Pyla
2020-09-19 12:15       ` Venkata Pyla
2020-09-15 14:23 ` [cip-dev] [cip-core:deby 3/3] aide-static: enable aide to build statically Venkata Pyla
2020-09-17  3:07   ` Daniel Sangorrin
