cip-dev.lists.cip-project.org archive mirror
From: "Daniel Sangorrin" <daniel.sangorrin@toshiba.co.jp>
To: <Venkata.Pyla@toshiba-tsip.com>
Cc: <Venkata.Pyla@toshiba-tsip.com>, <cip-dev@lists.cip-project.org>
Subject: Re: [cip-dev] [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend
Date: Thu, 17 Sep 2020 03:02:12 +0000
Message-ID: <OSBPR01MB20537A78A4552A894CC11207D03E0@OSBPR01MB2053.jpnprd01.prod.outlook.com>
In-Reply-To: <20200915142345.179-3-venkata.pyla@toshiba-tsip.com>

Hi Venkata-san

Please check my inline comments and send me a merge request when you solve them.

> -----Original Message-----
> From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
> Sent: Tuesday, September 15, 2020 11:24 PM
> To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) <daniel.sangorrin@toshiba.co.jp>
> Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Subject: [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend
> 
> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
> 
> add package bbappaned files in the security layer that will apply

bbappend

> the security configurations like
>     e.g: Set password strength in pam configurations
>          Set audit failure actions in audit package configurations
>          etc.
> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
> ---
>  .../audit/audit_debian.bbappend               | 20 ++++++++++
>  .../base-files/base-files_debian.bbappend     |  3 ++
>  .../openssh/openssh_debian.bbappend           | 19 +++++++++
>  .../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
>  4 files changed, 81 insertions(+)
>  create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
>  create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
>  create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
>  create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend

Ideally, you would separate the patches for each file unless they have something in common.
 
> diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-
> debian/audit/audit_debian.bbappend
> new file mode 100644
> index 0000000..c148f27
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
> @@ -0,0 +1,20 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +DESCRIPTION = "CIP Security customizations"
Append "for audit" to the description.

> +
> +pkg_postinst_audit_append() {
> +	# CR2.9: Audit storage capacity
> +	# CR2.9 RE-1: Warn when audit record storage capacity threshold reached
> +	AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
> +	sed -i 's/space_left_action = .*/space_left_action = SYSLOG/'  $AUDIT_CONF_FILE
> +	sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE

Don't you need to specify the values for space_left and admin_space_left?
Perhaps these variables should be configurable and have a default value.
Example:
AUDIT_SPACE_LEFT ?= "100"

Then you can change the value in local.conf (or using kas's local_conf_headers)

> +
> +	# CR2.10: Response to audit processing failures
> +	sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
> +}
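Review bot: the three sed patterns in pkg_postinst_audit_append are unanchored, so `s/space_left_action = .*/.../` also matches inside the `admin_space_left_action = ...` line, and every substitution silently does nothing when the key is missing from the shipped auditd.conf. Anchor each one (`sed -i 's/^space_left_action = .*/space_left_action = SYSLOG/' "$AUDIT_CONF_FILE"`), quote the file variable, and either append the directive or fail the postinst when no line matched. Because only the `_action` keys are set, the thresholds `space_left` and `admin_space_left` that trigger those actions stay at whatever the package default is; the hunk should set them as well, ideally from a `?=` bitbake variable so boards can tune them.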

Please check if you need other options as well here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_the_audit_service

> diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-
> files/base-files_debian.bbappend
> new file mode 100644
> index 0000000..895dc9f
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
> @@ -0,0 +1,3 @@
> +do_install_append() {
> +	echo "${MACHINE}" > ${D}${sysconfdir}/hostname
> +}
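Review bot: this do_install_append overwrites /etc/hostname with `${MACHINE}` unconditionally, which has no relation to the audit, PAM and OpenSSH hardening in the rest of the patch and carries no comment explaining why the security layer needs it. Move it to its own commit with a rationale, quote the redirect target (`> "${D}${sysconfdir}/hostname"`), and check whether a base-files bbappend in a security layer is the right place at all, since any board or image that sets its own hostname would be silently overridden.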

Is this related to the security layer?
If not, please separate it into a different patch and explain why it is necessary.

> diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-
> debian/openssh/openssh_debian.bbappend
> new file mode 100644
> index 0000000..ddd2bfc
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
> @@ -0,0 +1,19 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +DESCRIPTION = "CIP Security customizations"

Same as before, append "for openssh". The description for different things should be different.

> +
> +pkg_postinst_${PN}_append() {
> +	# CR2.6: Remote session termination
> +	# Terminate remote session after inactive time period
> +	SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
> +	alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
> +	alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
> +	sed -i "/${alive_interval}/c ClientAliveInterval 120"  "${SSHD_CONFIG}"
> +	sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"

Perhaps make the value for ClientAliveInterval configurable and use 120 as default.

> +}
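Review bot: the capture-then-address pattern in pkg_postinst_${PN}_append is fragile: if ClientAliveInterval is absent from sshd_config, `alive_interval` is empty and `sed -i "//c ..."` aborts because the empty address has no previous regular expression, and if more than one line mentions it (a comment plus a setting) the capture spans several lines and the address is broken. One anchored substitution that also activates the commented default, `sed -i -E 's/^#?ClientAliveInterval .*/ClientAliveInterval 120/' "${SSHD_CONFIG}"`, followed by an append when nothing matched, covers all cases; the same applies to ClientAliveCountMax. Separately, `ClientAliveCountMax 0` is not "disconnect after the first missed probe" on every release: since OpenSSH 8.2 a zero count disables connection termination entirely, so a deterministic idle timeout of interval times count needs a non-zero value such as `ClientAliveCountMax 1` with the interval scaled accordingly.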
> diff --git a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend b/meta-cip-security/recipes-
> debian/pam/libpam_debian.bbappend
> new file mode 100644
> index 0000000..c9c1605
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
> @@ -0,0 +1,39 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +DESCRIPTION = "CIP Security customizations"

Same thing: "for libpam"

> +
> +pkg_postinst_pam-plugin-cracklib_append() {
> +	# CR1.7: Strength of password-based authentication
> +	# Pam configuration to  enforce password strength
> +	PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
> +	CRACKLIB_CONFIG="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1
> ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
> +	if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
> +		sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
> +	fi
> +	sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
> +}

Perhaps make minlen configurable.

> +
> +pkg_postinst_pam-plugin-tally2_append() {
> +	# CR1.11: Unsuccessful login attempts
> +	# Lock user account after unsuccessful login attempts
> +	PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
> +	pam_tally="auth   required  pam_tally2.so  deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
> +	if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
> +        	sed -i '/pam_tally2/ s/^#*/#/'  "${PAM_AUTH_FILE}"
> +	fi
> +	sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
> +}
> +
> +
> +pkg_postinst_libpam_append() {
> +	# CR2.7: Concurrent session control
> +	# Limit the concurrent login sessions
> +	LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
> +	echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
> +}
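Review bot: the common-password and common-auth edits in pkg_postinst_pam-plugin-cracklib_append and pkg_postinst_pam-plugin-tally2_append write directly into files that Debian's pam-auth-update owns, so they will be overwritten the next time any pam-configs profile is installed or updated; the supported route on Debian is a profile under /usr/share/pam-configs/ (Debian's libpam-cracklib ships one) followed by `pam-auth-update --package`. Smaller points: `grep -c` prints a count into the postinst output, use `grep -q`; the `0,/^auth.*/` range address is GNU-sed-only, acceptable for deby but worth a comment; and `echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}` in pkg_postinst_libpam_append is not idempotent (a second postinst run appends a duplicate line) and, because limits.conf wildcard entries are not applied to root, leaves root outside the CR2.7 session limit. Guard the append with a grep and add an explicit `root hard maxlogins 2` line if root is meant to be covered.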

Thanks,
Daniel
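An added example that is not part of this mail or of the cip-core code: a small POSIX sh helper that does what the postinst scripts above attempt with ad-hoc sed calls, but idempotently (handles absent, commented-out and already-active directives, and anchors the key so `space_left_action` never rewrites `admin_space_left_action`). The variable name AUDIT_SPACE_LEFT and the sample file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the patch or the cip-core project: an idempotent
# "set directive" helper for the key/value files the postinst scripts above
# edit with sed. It replaces an active or commented-out directive in place,
# appends it when the key is absent, and anchors the match so that
# "space_left_action" never also rewrites "admin_space_left_action".
# AUDIT_SPACE_LEFT is an assumed variable, following the "?=" default suggestion.

# set_directive FILE KEY VALUE SEP   (SEP is "=" for auditd.conf, " " for sshd_config)
set_directive() {
    file=$1; key=$2; value=$3; sep=$4
    if [ "$sep" = "=" ]; then
        line="$key = $value"; pat="^#*[[:space:]]*$key[[:space:]]*="
    else
        line="$key $value";   pat="^#*[[:space:]]*$key[[:space:]]"
    fi
    if grep -q -E "$pat" "$file"; then
        # 'c\' replaces every line matching the anchored pattern with the new line
        sed -i -E "/$pat/c\\
$line" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# get_directive FILE KEY SEP -> prints the active (uncommented) value, or nothing
get_directive() {
    if [ "$3" = "=" ]; then
        sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"
    else
        sed -n -E "s/^[[:space:]]*$2[[:space:]]+//p" "$1"
    fi
}

# Constructed excerpts standing in for $D/etc/audit/auditd.conf and
# $D/etc/ssh/sshd_config; the Debian default keeps ClientAliveInterval commented.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'space_left_action = SUSPEND' 'admin_space_left_action = SUSPEND' > "$d/auditd.conf"
    printf '%s\n' '#ClientAliveInterval 0' 'PermitRootLogin no' > "$d/sshd_config"
    set_directive "$d/auditd.conf" space_left "${AUDIT_SPACE_LEFT:-100}" =   # absent: appended
    set_directive "$d/auditd.conf" space_left_action SYSLOG =                # present: replaced
    set_directive "$d/sshd_config" ClientAliveInterval 120 ' '               # commented: activated
    set_directive "$d/sshd_config" ClientAliveInterval 120 ' '               # rerun: still one line
    cat "$d/auditd.conf" "$d/sshd_config"
    rm -rf "$d"
}
demo
```

In a bbappend the same two functions would sit inside the pkg_postinst body with `$D${sysconfdir}/...` as FILE, and the value would come from a `?=` variable expanded by bitbake.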



Thread overview: 9+ messages
2020-09-15 14:23 [cip-dev] [cip-core:deby 0/3] deby security layer changes Venkata Pyla
2020-09-15 14:23 ` [cip-dev] [cip-core:deby 1/3] cip-security: Create new layer for cip security Venkata Pyla
2020-09-17  3:05   ` Daniel Sangorrin
2020-09-15 14:23 ` [cip-dev] [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend Venkata Pyla
2020-09-17  3:02   ` Daniel Sangorrin [this message]
2020-09-18  4:53     ` Venkata Pyla
2020-09-19 12:15       ` Venkata Pyla
2020-09-15 14:23 ` [cip-dev] [cip-core:deby 3/3] aide-static: enable aide to build statically Venkata Pyla
2020-09-17  3:07   ` Daniel Sangorrin
