[cip-dev][isar-cip-core PATCH 1/6] opt-security.yml: Sample settings to install security

[cip-dev][isar-cip-core PATCH 1/6] opt-security.yml: Sample settings to install security

[venkata]

[-- Attachment #1.1: Type: text/plain, Size: 4043 bytes --]

From: Kazuhiro Hayashi kazuhiro3.hayashi@toshiba.co.jp<mailto:kazuhiro3.hayashi@toshiba.co.jp>

opt-security.yml: Sample settings to install security
packages

Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
---
SECURITY.md      | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
opt-security.yml | 34 +++++++++++++++++++++++++++++++
2 files changed, 86 insertions(+)
create mode 100644 SECURITY.md
create mode 100644 opt-security.yml

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..a8bccc7
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,52 @@
+How to customize images for security features
+=============================================
+
+This is the "temporal" document about how to create and use
+the CIP Core generic profile images for security feature evaluation.
+
+Official manuals
+----------------
+
+* isar-cip-core: https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/README.md
+* ISAR User Manual: https://github.com/ilbers/isar/blob/master/doc/user_manual.md
+
+Assumed environment
+-------------------
+
+* isar-cip-core: master branch
+* Host: Debian 10 buster amd64
+    * Installed packages: `docker-ce`, `qemu-system`
+    * Users who does the following actions must be in the groups `docker` and `kvm`
+
+Create kas file
+---------------
+
+Create a kas file named `opt-security.yml` to add security settings.
+
+Add security packages to rootfs
+-------------------------------
+
+Set `IMAGE_PREINSTALL` to the list of packages required to enable
+the security features. This variable can be set through the kas file.
+
+Example:
+
+```
+local_conf_header:
+  security: |
+    IMAGE_PREINSTALL = "openssl"
+```
+
+Build images
+------------
+
+Build images for QEMU x86 64bit machine:
+
+    $ ./kas-docker --isar build kas.yml:board-qemu-amd64.yml:opt-security.yml
+
+Run on QEMU
+-----------
+
+Run the generated images on QEMU (x86 64bit).
+
+    $ ./start-qemu.sh amd64
diff --git a/opt-security.yml b/opt-security.yml
new file mode 100644
index 0000000..7c6b39c
--- /dev/null
+++ b/opt-security.yml
@@ -0,0 +1,34 @@
+#
+# KAS configuration for CIP Core generic profile to enable security features
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# Authors:
+#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+  version: 8
+
+local_conf_header:
+  security: |
+    # TODO: Add sudo or sudo-ldap
+    IMAGE_PREINSTALL = "\
+      openssl libssl1.1 \
+      fail2ban \
+      openssh-server openssh-sftp-server openssh-client \
+      syslog-ng-core syslog-ng-mod-journal \
+      aide aide-common \
+      libnftables0 nftables \
+      libpam-pkcs11 \
+      chrony \
+      tpm2-tools \
+      tpm2-abrmd \
+      libtss2-esys0 libtss2-udev \
+      libpam-cracklib \
+      acl \
+      libauparse0 audispd-plugins auditd \
+      uuid-runtime \
+    "
\ No newline at end of file
--
2.20.1

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the 
recipient and may contain privileged information. 
If you are not the intended recipient, please notify the
sender and delete the message along with any 
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail 
are those of the individual sender except where the sender 
specifically states them to be the views of 
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer 
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility 
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.

[-- Attachment #1.2: Type: text/html, Size: 11550 bytes --]

[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#4832): https://lists.cip-project.org/g/cip-dev/message/4832
Mute This Topic: https://lists.cip-project.org/mt/75119562/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev][isar-cip-core PATCH 1/6] opt-security.yml: Sample settings to install security

[Jan Kiszka]

[-- Attachment #1: Type: text/plain, Size: 3570 bytes --]

On 26.06.20 08:44, venkata wrote:
> From: Kazuhiro Hayashi kazuhiro3.hayashi@toshiba.co.jp<mailto:kazuhiro3.hayashi@toshiba.co.jp>
> 

This line seems to have been mangled. It should be in line with the 
Signed-off-by.

> opt-security.yml: Sample settings to install security
> packages
> 
> Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> ---
> SECURITY.md      | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
> opt-security.yml | 34 +++++++++++++++++++++++++++++++
> 2 files changed, 86 insertions(+)
> create mode 100644 SECURITY.md
> create mode 100644 opt-security.yml
> 
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 0000000..a8bccc7
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,52 @@
> +How to customize images for security features
> +=============================================
> +
> +This is the "temporal" document about how to create and use
> +the CIP Core generic profile images for security feature evaluation.
> +
> +Official manuals
> +----------------
> +
> +* isar-cip-core: https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/README.md
> +* ISAR User Manual: https://github.com/ilbers/isar/blob/master/doc/user_manual.md
> +
> +Assumed environment
> +-------------------
> +
> +* isar-cip-core: master branch
> +* Host: Debian 10 buster amd64
> +    * Installed packages: `docker-ce`, `qemu-system`
> +    * Users who does the following actions must be in the groups `docker` and `kvm`
> +
> +Create kas file
> +---------------
> +
> +Create a kas file named `opt-security.yml` to add security settings.

That file is added by this patch already.

> +
> +Add security packages to rootfs
> +-------------------------------
> +
> +Set `IMAGE_PREINSTALL` to the list of packages required to enable
> +the security features. This variable can be set through the kas file.
> +
> +Example:
> +
> +```
> +local_conf_header:
> +  security: |
> +    IMAGE_PREINSTALL = "openssl"
> +```
> +
> +Build images
> +------------
> +
> +Build images for QEMU x86 64bit machine:
> +
> +    $ ./kas-docker --isar build kas.yml:board-qemu-amd64.yml:opt-security.yml
> +
> +Run on QEMU
> +-----------
> +
> +Run the generated images on QEMU (x86 64bit).
> +
> +    $ ./start-qemu.sh amd64
> diff --git a/opt-security.yml b/opt-security.yml
> new file mode 100644
> index 0000000..7c6b39c
> --- /dev/null
> +++ b/opt-security.yml
> @@ -0,0 +1,34 @@
> +#
> +# KAS configuration for CIP Core generic profile to enable security features
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# Authors:
> +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +header:
> +  version: 8
> +
> +local_conf_header:
> +  security: |
> +    # TODO: Add sudo or sudo-ldap
> +    IMAGE_PREINSTALL = "\
> +      openssl libssl1.1 \
> +      fail2ban \
> +      openssh-server openssh-sftp-server openssh-client \
> +      syslog-ng-core syslog-ng-mod-journal \
> +      aide aide-common \
> +      libnftables0 nftables \
> +      libpam-pkcs11 \
> +      chrony \
> +      tpm2-tools \
> +      tpm2-abrmd \
> +      libtss2-esys0 libtss2-udev \
> +      libpam-cracklib \
> +      acl \
> +      libauparse0 audispd-plugins auditd \
> +      uuid-runtime \
> +    "

Shouldn't we target for a security image (recipe) instead?

General question: What is this series targeting? Seems patch 2 and 3 are 
left-overs from the development. Is this an RFC series only?

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#4839): https://lists.cip-project.org/g/cip-dev/message/4839
Mute This Topic: https://lists.cip-project.org/mt/75119562/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev][isar-cip-core PATCH 1/6] opt-security.yml: Sample settings to install security

[Daniel Sangorrin]

[-- Attachment #1: Type: text/plain, Size: 5215 bytes --]

> -----Original Message-----
> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org] On Behalf Of Jan Kiszka
> Sent: Friday, June 26, 2020 7:41 PM
> To: cip-dev@lists.cip-project.org; pyla venkata(ＴＳＩＰ) <Venkata.Pyla@toshiba-tsip.com>
> Cc: cip-security@lists.cip-project.org
> Subject: Re: [cip-dev][isar-cip-core PATCH 1/6] opt-security.yml: Sample settings to install security
> 
> On 26.06.20 08:44, venkata wrote:
> > From: Kazuhiro Hayashi
> > kazuhiro3.hayashi@toshiba.co.jp<mailto:kazuhiro3.hayashi@toshiba.co.jp
> > >
> >
> 
> This line seems to have been mangled. It should be in line with the Signed-off-by.
> 
> > opt-security.yml: Sample settings to install security packages
> >
> > Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > ---
> > SECURITY.md      | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
> > opt-security.yml | 34 +++++++++++++++++++++++++++++++
> > 2 files changed, 86 insertions(+)
> > create mode 100644 SECURITY.md
> > create mode 100644 opt-security.yml
> >
> > diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index
> > 0000000..a8bccc7
> > --- /dev/null
> > +++ b/SECURITY.md
> > @@ -0,0 +1,52 @@
> > +How to customize images for security features
> > +=============================================
> > +
> > +This is the "temporal" document about how to create and use the CIP
> > +Core generic profile images for security feature evaluation.
> > +
> > +Official manuals
> > +----------------
> > +
> > +* isar-cip-core:
> > +https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/README.md
> > +* ISAR User Manual:
> > +https://github.com/ilbers/isar/blob/master/doc/user_manual.md
> > +
> > +Assumed environment
> > +-------------------
> > +
> > +* isar-cip-core: master branch
> > +* Host: Debian 10 buster amd64
> > +    * Installed packages: `docker-ce`, `qemu-system`
> > +    * Users who does the following actions must be in the groups
> > +`docker` and `kvm`
> > +
> > +Create kas file
> > +---------------
> > +
> > +Create a kas file named `opt-security.yml` to add security settings.
> 
> That file is added by this patch already.
> 
> > +
> > +Add security packages to rootfs
> > +-------------------------------
> > +
> > +Set `IMAGE_PREINSTALL` to the list of packages required to enable the
> > +security features. This variable can be set through the kas file.
> > +
> > +Example:
> > +
> > +```
> > +local_conf_header:
> > +  security: |
> > +    IMAGE_PREINSTALL = "openssl"
> > +```
> > +
> > +Build images
> > +------------
> > +
> > +Build images for QEMU x86 64bit machine:
> > +
> > +    $ ./kas-docker --isar build
> > + kas.yml:board-qemu-amd64.yml:opt-security.yml
> > +
> > +Run on QEMU
> > +-----------
> > +
> > +Run the generated images on QEMU (x86 64bit).
> > +
> > +    $ ./start-qemu.sh amd64
> > diff --git a/opt-security.yml b/opt-security.yml new file mode 100644
> > index 0000000..7c6b39c
> > --- /dev/null
> > +++ b/opt-security.yml
> > @@ -0,0 +1,34 @@
> > +#
> > +# KAS configuration for CIP Core generic profile to enable security
> > +features # # Copyright (c) Toshiba Corporation, 2020 # # Authors:
> > +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp> # #
> > +SPDX-License-Identifier: MIT #
> > +
> > +header:
> > +  version: 8
> > +
> > +local_conf_header:
> > +  security: |
> > +    # TODO: Add sudo or sudo-ldap
> > +    IMAGE_PREINSTALL = "\
> > +      openssl libssl1.1 \
> > +      fail2ban \
> > +      openssh-server openssh-sftp-server openssh-client \
> > +      syslog-ng-core syslog-ng-mod-journal \
> > +      aide aide-common \
> > +      libnftables0 nftables \
> > +      libpam-pkcs11 \
> > +      chrony \
> > +      tpm2-tools \
> > +      tpm2-abrmd \
> > +      libtss2-esys0 libtss2-udev \
> > +      libpam-cracklib \
> > +      acl \
> > +      libauparse0 audispd-plugins auditd \
> > +      uuid-runtime \
> > +    "
> 
> Shouldn't we target for a security image (recipe) instead?
> 
> General question: What is this series targeting? Seems patch 2 and 3 are left-overs from the development. Is this an RFC series only?
> 
> Jan

It seems that opt-security.yaml was already removed in the security branch:
https://gitlab.com/cip-project/cip-core/isar-cip-core/-/tree/security/iec-evaluation

Venkata-san: could you rebase your patches for the master branch?

For example, instead of sending one patch where you add opt-security.yaml and then another patch where you remove it (which may have happened in your branch, but we don't care), just send the patch that uses core-image-security. That will make things easier to review.

Also, as we have talked in the meetings, it looks like the security layer at the moment is just adding some packages but don't you need to add configuration files to harden the final file system? For example, you may want to change the configuration of the ssh server so that passwords are not accepted (only ssh keys). And the same for the rest of packages. In that case, you probably want to create a new kas-security.yaml.

Thanks,
Daniel







[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#4868): https://lists.cip-project.org/g/cip-dev/message/4868
Mute This Topic: https://lists.cip-project.org/mt/75119562/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [cip-dev] [isar-cip-core PATCH 1/6] opt-security.yml: Sample settings to install security

[venkata]

[-- Attachment #1.1: Type: text/plain, Size: 5690 bytes --]

On Mon, Jun 29, 2020 at 05:26 PM, Daniel Sangorrin wrote:

> 
> 
>> -----Original Message-----
>> From: cip-dev@lists.cip-project.org [mailto:cip-dev@lists.cip-project.org]
>> On Behalf Of Jan Kiszka
>> Sent: Friday, June 26, 2020 7:41 PM
>> To: cip-dev@lists.cip-project.org; pyla venkata(ＴＳＩＰ)
>> <Venkata.Pyla@toshiba-tsip.com>
>> Cc: cip-security@lists.cip-project.org
>> Subject: Re: [cip-dev][isar-cip-core PATCH 1/6] opt-security.yml: Sample
>> settings to install security
>> 
>> On 26.06.20 08:44, venkata wrote:
>> 
>>> From: Kazuhiro Hayashi
>>> kazuhiro3.hayashi@toshiba.co.jp<mailto:kazuhiro3.hayashi@toshiba.co.jp
>> 
>> This line seems to have been mangled. It should be in line with the
>> Signed-off-by.
>> 
>> 
>>> opt-security.yml: Sample settings to install security packages
>>> 
>>> Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
>>> ---
>>> SECURITY.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
>>> opt-security.yml | 34 +++++++++++++++++++++++++++++++
>>> 2 files changed, 86 insertions(+)
>>> create mode 100644 SECURITY.md
>>> create mode 100644 opt-security.yml
>>> 
>>> diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index
>>> 0000000..a8bccc7
>>> --- /dev/null
>>> +++ b/SECURITY.md
>>> @@ -0,0 +1,52 @@
>>> +How to customize images for security features
>>> +=============================================
>>> +
>>> +This is the "temporal" document about how to create and use the CIP
>>> +Core generic profile images for security feature evaluation.
>>> +
>>> +Official manuals
>>> +----------------
>>> +
>>> +* isar-cip-core:
>>> + https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/README.md
>>> +* ISAR User Manual:
>>> + https://github.com/ilbers/isar/blob/master/doc/user_manual.md
>>> +
>>> +Assumed environment
>>> +-------------------
>>> +
>>> +* isar-cip-core: master branch
>>> +* Host: Debian 10 buster amd64
>>> + * Installed packages: `docker-ce`, `qemu-system`
>>> + * Users who does the following actions must be in the groups
>>> +`docker` and `kvm`
>>> +
>>> +Create kas file
>>> +---------------
>>> +
>>> +Create a kas file named `opt-security.yml` to add security settings.
>> 
>> That file is added by this patch already.
>> 
>> 
>>> +
>>> +Add security packages to rootfs
>>> +-------------------------------
>>> +
>>> +Set `IMAGE_PREINSTALL` to the list of packages required to enable the
>>> +security features. This variable can be set through the kas file.
>>> +
>>> +Example:
>>> +
>>> +```
>>> +local_conf_header:
>>> + security: |
>>> + IMAGE_PREINSTALL = "openssl"
>>> +```
>>> +
>>> +Build images
>>> +------------
>>> +
>>> +Build images for QEMU x86 64bit machine:
>>> +
>>> + $ ./kas-docker --isar build
>>> + kas.yml:board-qemu-amd64.yml:opt-security.yml
>>> +
>>> +Run on QEMU
>>> +-----------
>>> +
>>> +Run the generated images on QEMU (x86 64bit).
>>> +
>>> + $ ./start-qemu.sh amd64
>>> diff --git a/opt-security.yml b/opt-security.yml new file mode 100644
>>> index 0000000..7c6b39c
>>> --- /dev/null
>>> +++ b/opt-security.yml
>>> @@ -0,0 +1,34 @@
>>> +#
>>> +# KAS configuration for CIP Core generic profile to enable security
>>> +features # # Copyright (c) Toshiba Corporation, 2020 # # Authors:
>>> +# Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp> # #
>>> +SPDX-License-Identifier: MIT #
>>> +
>>> +header:
>>> + version: 8
>>> +
>>> +local_conf_header:
>>> + security: |
>>> + # TODO: Add sudo or sudo-ldap
>>> + IMAGE_PREINSTALL = "\
>>> + openssl libssl1.1 \
>>> + fail2ban \
>>> + openssh-server openssh-sftp-server openssh-client \
>>> + syslog-ng-core syslog-ng-mod-journal \
>>> + aide aide-common \
>>> + libnftables0 nftables \
>>> + libpam-pkcs11 \
>>> + chrony \
>>> + tpm2-tools \
>>> + tpm2-abrmd \
>>> + libtss2-esys0 libtss2-udev \
>>> + libpam-cracklib \
>>> + acl \
>>> + libauparse0 audispd-plugins auditd \
>>> + uuid-runtime \
>>> + "
>> 
>> Shouldn't we target for a security image (recipe) instead?
>> 
>> General question: What is this series targeting? Seems patch 2 and 3 are
>> left-overs from the development. Is this an RFC series only?
>> 
>> Jan
> 
> It seems that opt-security.yaml was already removed in the security
> branch:
> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/tree/security/iec-evaluation
> 
> 
> Venkata-san: could you rebase your patches for the master branch?
> 
> 
> For example, instead of sending one patch where you add opt-security.yaml
> and then another patch where you remove it (which may have happened in
> your branch, but we don't care), just send the patch that uses
> core-image-security. That will make things easier to review.

I understood now, i will rebase the patches with master branch and i will resend the patches for review, sorry for the confusion

> 
> Also, as we have talked in the meetings, it looks like the security layer
> at the moment is just adding some packages but don't you need to add
> configuration files to harden the final file system? For example, you may
> want to change the configuration of the ssh server so that passwords are
> not accepted (only ssh keys). And the same for the rest of packages. In
> that case, you probably want to create a new kas-security.yaml.

Currently we don't have such configuration changes, but most probably in the future may be after discussion with Certification Body we may need to include configurations to fullfill the security requirement, we will keep this point in security WG discussions and get some consensus.

> 
> Thanks,
> Daniel

[-- Attachment #1.2: Type: text/html, Size: 6156 bytes --]

[-- Attachment #2: Type: text/plain, Size: 419 bytes --]

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#4870): https://lists.cip-project.org/g/cip-dev/message/4870
Mute This Topic: https://lists.cip-project.org/mt/75119562/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy  [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-