From: "Daniel Sangorrin" <daniel.sangorrin@toshiba.co.jp>
To: <Venkata.Pyla@toshiba-tsip.com>
Cc: <Venkata.Pyla@toshiba-tsip.com>, <cip-dev@lists.cip-project.org>
Subject: Re: [cip-dev] [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend
Date: Thu, 17 Sep 2020 03:02:12 +0000
Message-ID: <OSBPR01MB20537A78A4552A894CC11207D03E0@OSBPR01MB2053.jpnprd01.prod.outlook.com>
In-Reply-To: <20200915142345.179-3-venkata.pyla@toshiba-tsip.com>
Hi Venkata-san
Please check my inline comments and send me a merge request when you solve them.
> -----Original Message-----
> From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
> Sent: Tuesday, September 15, 2020 11:24 PM
> To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) <daniel.sangorrin@toshiba.co.jp>
> Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Subject: [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend
>
> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
>
> add package bbappaned files in the security layer that will apply
bbappend
> the security configurations like
> e.g: Set password strength in pam configurations
> Set audit failure actions in audit package configurations
> etc.
> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
> ---
> .../audit/audit_debian.bbappend | 20 ++++++++++
> .../base-files/base-files_debian.bbappend | 3 ++
> .../openssh/openssh_debian.bbappend | 19 +++++++++
> .../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
> 4 files changed, 81 insertions(+)
> create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
> create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
> create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
> create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
Ideally, you would separate the patches for each file unless they have something in common.
> diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-
> debian/audit/audit_debian.bbappend
> new file mode 100644
> index 0000000..c148f27
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
> @@ -0,0 +1,20 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +DESCRIPTION = "CIP Security customizations"
Append "for audit" to the description.
> +
> +pkg_postinst_audit_append() {
> + # CR2.9: Audit storage capacity
> + # CR2.9 RE-1: Warn when audit record storage capacity threshold reached
> + AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
> + sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE
> + sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE
Don't you need to specify the values for space_left and admin_space_left?
Perhaps these variables should be configurable and have a default value.
Example:
AUDIT_SPACE_LEFT ?= "100"
Then you can change the value in local.conf (or using kas's local_conf_headers)
> +
> + # CR2.10: Response to audit processing failures
> + sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
> +}
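Review bot: the sed patterns in pkg_postinst_audit_append are unanchored, so `s/space_left_action = .*/space_left_action = SYSLOG/` also matches the `admin_space_left_action` line (the key is a suffix of it); that is harmless while both end up as SYSLOG, but it will silently clobber the admin value as soon as the two are meant to differ. Anchor each pattern at the start of the line, e.g. `sed -i 's/^space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE`. Also, `sed -i` exits 0 when nothing matches, so if a key is missing from the Debian-shipped auditd.conf the hardening is simply not applied and nobody notices; a `grep -q '^disk_error_action' "$AUDIT_CONF_FILE"` check that appends the line when absent would make the postinst fail-safe.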
Please check if you need other options as well here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_the_audit_service
> diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-
> files/base-files_debian.bbappend
> new file mode 100644
> index 0000000..895dc9f
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
> @@ -0,0 +1,3 @@
> +do_install_append() {
> + echo "${MACHINE}" > ${D}${sysconfdir}/hostname
> +}
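Review bot: this overwrites /etc/hostname with ${MACHINE} for every image that includes the layer, without a configuration knob, and the file lands in the base-files package rather than in any security recipe. If it stays, make the name a variable with ${MACHINE} as the default (e.g. `HOSTNAME ?= "${MACHINE}"`) and state in the commit message which security requirement it serves.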
Is this related to the security layer?
If not, please separate it into a different patch and explain why it is necessary.
> diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-
> debian/openssh/openssh_debian.bbappend
> new file mode 100644
> index 0000000..ddd2bfc
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
> @@ -0,0 +1,19 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +DESCRIPTION = "CIP Security customizations"
Same as before, append "for openssh". The description for different things should be different.
> +
> +pkg_postinst_${PN}_append() {
> + # CR2.6: Remote session termination
> + # Terminate remote session after inactive time period
> + SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
> + alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
> + alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
> + sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}"
> + sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
Perhaps make the value for ClientAliveInterval configurable and use 120 as default.
> +}
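Review bot: the lookup-then-replace logic in pkg_postinst_${PN}_append breaks when the option is absent: `alive_interval=$(sed -n '/ClientAliveInterval/p' ...)` is then empty, `sed -i "//c ClientAliveInterval 120"` fails with "no previous regular expression", and the file is left untouched; if the pattern matches more than one line (a comment that mentions the option, for instance) the variable contains a newline and the address is invalid. A single substitution that covers the commented default, followed by an append when no line exists, is more robust: `sed -i -E 's/^#?ClientAliveInterval .*/ClientAliveInterval 120/' "${SSHD_CONFIG}"` and then `grep -q '^ClientAliveInterval' "${SSHD_CONFIG}" || echo 'ClientAliveInterval 120' >> "${SSHD_CONFIG}"`. Two caveats for CR2.6: client-alive probes only detect a client that has stopped answering, not an idle user whose ssh client still replies to keepalives, so an inactive session is not terminated by these settings alone (a shell idle timeout such as TMOUT is the usual complement); and sshd_config(5) in current OpenSSH documents `ClientAliveCountMax 0` as disabling connection termination, so check the man page of the Debian release you target before settling on 0.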
> diff --git a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend b/meta-cip-security/recipes-
> debian/pam/libpam_debian.bbappend
> new file mode 100644
> index 0000000..c9c1605
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
> @@ -0,0 +1,39 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +DESCRIPTION = "CIP Security customizations"
Same thing: "for libpam"
> +
> +pkg_postinst_pam-plugin-cracklib_append() {
> + # CR1.7: Strength of password-based authentication
> + # Pam configuration to enforce password strength
> + PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
> + CRACKLIB_CONFIG="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1
> ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
> + if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
> + sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
> + fi
> + sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
> +}
Perhaps make minlen configurable.
> +
> +pkg_postinst_pam-plugin-tally2_append() {
> + # CR1.11: Unsuccessful login attempts
> + # Lock user account after unsuccessful login attempts
> + PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
> + pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
> + if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
> + sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}"
> + fi
> + sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
> +}
> +
> +
> +pkg_postinst_libpam_append() {
> + # CR2.7: Concurrent session control
> + # Limit the concurrent login sessions
> + LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
> + echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
> +}
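Review bot: pam_tally2(8) recommends an `account required pam_tally2.so` entry alongside the auth line so the failure counter is reset after a successful login even for services that never call pam_setcred(3); without it the count can only grow for those services and, with even_deny_root, that includes root. Smaller points in the same hunk: `if grep -c ...` prints the match count into the postinst log, `grep -q` is what the condition wants; `echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}` appends a duplicate line every time the postinst runs, so guard it with a `grep -q` first; and limits.conf(5) states that the `*` wildcard is not applied to root, so CR2.7 needs an explicit `root hard maxlogins 2` line if root is meant to be covered. Finally, on Debian the first `password`/`auth` line in common-password and common-auth sits inside the block that pam-auth-update regenerates, so these insertions are dropped the next time it runs; a profile under /usr/share/pam-configs/ survives that, and since upstream Linux-PAM has retired pam_tally2 and pam_cracklib in favour of pam_faillock and pam_pwquality, check which modules the target Debian release still ships.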
Thanks,
Daniel