[1/3] cip-security: Add packages for IEC-62443-4-2 Evaluation.

Message ID 20200721081645.1789-1-venkata.pyla@toshiba-tsip.com
State Accepted

Commit Message

Venkata Pyla July 21, 2020, 8:16 a.m. UTC
From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>

Identified security packages are added to the target image
and that will be used for IEC-62443-4-2 evaluation

Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
Signed-off-by: pvenkata2 <venkata.pyla@toshiba-tsip.com>
---
 .../images/cip-core-image-security.bb         | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 recipes-core/images/cip-core-image-security.bb

Comments

Jan Kiszka July 23, 2020, 10:37 a.m. UTC | #1
On 21.07.20 10:16, Venkata Pyla wrote:
> From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> 
> Identified security packages are added to the target image
> and that will be used for IEC-62443-4-2 evaluation
> 
> Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> Signed-off-by: pvenkata2 <venkata.pyla@toshiba-tsip.com>
                  ^^^^^^^^^
Can you configure your git to add your written name here as well? It's in 
the email, yes, but it would be nicer to have it displayed as well.

> ---
>   .../images/cip-core-image-security.bb         | 37 +++++++++++++++++++
>   1 file changed, 37 insertions(+)
>   create mode 100644 recipes-core/images/cip-core-image-security.bb
> 
> diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
> new file mode 100644
> index 0000000..8253952
> --- /dev/null
> +++ b/recipes-core/images/cip-core-image-security.bb
> @@ -0,0 +1,37 @@
> +#
> +# A reference image which includes security packages
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# Authors:
> +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit image
> +
> +DESCRIPTION = "CIP Core image including security packages"
> +
> +# Use the same customizations as cip-core-image

That comment is not needed. It just creates the risk of becoming 
outdated if cip-core-image decides to do something else.

> +IMAGE_INSTALL += "customizations"
> +
> +# Debian packages that provide security features
> +IMAGE_PREINSTALL += " \
> +	openssl libssl1.1 \
> +	fail2ban \
> +	openssh-server openssh-sftp-server openssh-client \
> +	syslog-ng-core syslog-ng-mod-journal \
> +	aide aide-common \
> +	libnftables0 nftables \
> +	libpam-pkcs11 \
> +	chrony \
> +	tpm2-tools \
> +	tpm2-abrmd \
> +	libtss2-esys0 libtss2-udev \
> +	libpam-cracklib \
> +	acl \
> +	libauparse0 audispd-plugins auditd \
> +	uuid-runtime \
> +	sudo \
> +"
> 
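Review bot: in the IMAGE_PREINSTALL list, libssl1.1, libnftables0, libtss2-esys0 and libauparse0 are soname-versioned library package names, so the recipe is tied to the Debian release that ships exactly those versions and stops resolving once a soname changes. If they are only there as dependencies of openssl, nftables, tpm2-tools and auditd, consider dropping them and letting the package manager pull them in; if one is needed in its own right, a short comment saying why would help.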

Can you close 
https://gitlab.com/cip-project/cip-core/isar-cip-core/-/merge_requests/8 
if this series obsoletes it?

BTW, a cover letter would help structuring the patches together. And 
please add a tag like "[isar-cip-core]" in order to clarify the series 
target. That is all configurable in git format-patch/send-email.

Jan
Venkata Pyla July 23, 2020, 12:53 p.m. UTC | #2
Hi Jan,

On Thu, Jul 23, 2020 at 04:07 PM, Jan Kiszka wrote:

>
> On 21.07.20 10:16, Venkata Pyla wrote:
> > From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > 
> > Identified security packages are added to the target image
> > and that will be used for IEC-62443-4-2 evaluation
> > 
> > Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > Signed-off-by: pvenkata2 <venkata.pyla@toshiba-tsip.com>
>                   ^^^^^^^^^
> Can you configure your git to add your written name here as well? It's in 
> the email, yes, but it would be nicer to have it displayed as well.
> 
Sure, I didn't notice; it was missing from my git config.

> > ---
> >   .../images/cip-core-image-security.bb         | 37 +++++++++++++++++++
> >   1 file changed, 37 insertions(+)
> >   create mode 100644 recipes-core/images/cip-core-image-security.bb
> > 
> > diff --git a/recipes-core/images/cip-core-image-security.bb
> b/recipes-core/images/cip-core-image-security.bb
> > new file mode 100644
> > index 0000000..8253952
> > --- /dev/null
> > +++ b/recipes-core/images/cip-core-image-security.bb
> > @@ -0,0 +1,37 @@
> > +#
> > +# A reference image which includes security packages
> > +#
> > +# Copyright (c) Toshiba Corporation, 2020
> > +#
> > +# Authors:
> > +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > +#
> > +# SPDX-License-Identifier: MIT
> > +#
> > +
> > +inherit image
> > +
> > +DESCRIPTION = "CIP Core image including security packages"
> > +
> > +# Use the same customizations as cip-core-image
> 
> That comment is not needed. It just creates the risk of becoming 
> outdated if cip-core-image decides to do something else.
> 
Understood, I will modify and resend this patch series.

> > +IMAGE_INSTALL += "customizations"
> > +
> > +# Debian packages that provide security features
> > +IMAGE_PREINSTALL += " \
> > +	openssl libssl1.1 \
> > +	fail2ban \
> > +	openssh-server openssh-sftp-server openssh-client \
> > +	syslog-ng-core syslog-ng-mod-journal \
> > +	aide aide-common \
> > +	libnftables0 nftables \
> > +	libpam-pkcs11 \
> > +	chrony \
> > +	tpm2-tools \
> > +	tpm2-abrmd \
> > +	libtss2-esys0 libtss2-udev \
> > +	libpam-cracklib \
> > +	acl \
> > +	libauparse0 audispd-plugins auditd \
> > +	uuid-runtime \
> > +	sudo \
> > +"
> > 
> 
> Can you close 
> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/merge_requests/8 
> if this series obsoletes it?
I have rebased the branch and sent the patches over mail,
I think I should close this MR in gitlab, I will do that.

> BTW, a cover letter would help structuring the patches together. And 
> please add a tag like "[isar-cip-core]" in order to clarify the series 
> target. That is all configurable in git format-patch/send-email.
> 
> Jan
> 
> -- 
> Siemens AG, Corporate Technology, CT RDA IOT SES-DE
> Corporate Competence Center Embedded Linux
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#4988): https://lists.cip-project.org/g/cip-dev/message/4988
Mute This Topic: https://lists.cip-project.org/mt/75699592/4520428
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129116/1171672734/xyzzy  [patchwork-cip-dev@patchwork.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-
Venkata Pyla July 23, 2020, 1:13 p.m. UTC | #3
Hi Jan,

Sorry, I am resending this mail.

On Thu, Jul 23, 2020 at 04:07 PM, Jan Kiszka wrote:

>
> On 21.07.20 10:16, Venkata Pyla wrote:
> > From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > 
> > Identified security packages are added to the target image
> > and that will be used for IEC-62443-4-2 evaluation
> > 
> > Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > Signed-off-by: pvenkata2 <venkata.pyla@toshiba-tsip.com>
>                   ^^^^^^^^^
> Can you configure your git to add your written name here as well? It's in 
> the email, yes, but it would be nicer to have it displayed as well.

Sure, I didn't notice; it was missing from my git config.

> > ---
> >   .../images/cip-core-image-security.bb         | 37 +++++++++++++++++++
> >   1 file changed, 37 insertions(+)
> >   create mode 100644 recipes-core/images/cip-core-image-security.bb
> > 
> > diff --git a/recipes-core/images/cip-core-image-security.bb
> b/recipes-core/images/cip-core-image-security.bb
> > new file mode 100644
> > index 0000000..8253952
> > --- /dev/null
> > +++ b/recipes-core/images/cip-core-image-security.bb
> > @@ -0,0 +1,37 @@
> > +#
> > +# A reference image which includes security packages
> > +#
> > +# Copyright (c) Toshiba Corporation, 2020
> > +#
> > +# Authors:
> > +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
> > +#
> > +# SPDX-License-Identifier: MIT
> > +#
> > +
> > +inherit image
> > +
> > +DESCRIPTION = "CIP Core image including security packages"
> > +
> > +# Use the same customizations as cip-core-image
> 
> That comment is not needed. It just creates the risk of becoming 
> outdated if cip-core-image decides to do something else.
> 

Understood, I will modify and resend this patch series.

> > +IMAGE_INSTALL += "customizations"
> > +
> > +# Debian packages that provide security features
> > +IMAGE_PREINSTALL += " \
> > +	openssl libssl1.1 \
> > +	fail2ban \
> > +	openssh-server openssh-sftp-server openssh-client \
> > +	syslog-ng-core syslog-ng-mod-journal \
> > +	aide aide-common \
> > +	libnftables0 nftables \
> > +	libpam-pkcs11 \
> > +	chrony \
> > +	tpm2-tools \
> > +	tpm2-abrmd \
> > +	libtss2-esys0 libtss2-udev \
> > +	libpam-cracklib \
> > +	acl \
> > +	libauparse0 audispd-plugins auditd \
> > +	uuid-runtime \
> > +	sudo \
> > +"
> > 
> 
> Can you close 
> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/merge_requests/8 
> if this series obsoletes it?
> 

I have rebased the branch and sent the patches over mail, 
I think I should close this MR in gitlab, I will do that.

> BTW, a cover letter would help structuring the patches together. And 
> please add a tag like "[isar-cip-core]" in order to clarify the series 
> target. That is all configurable in git format-patch/send-email.
> 

Got it,
I was sending patches to the community for the first time, so I was missing some basic stuff.
Next time I will take care of it.
Thanks for showing patience with me.

> Jan
> 
> -- 
> Siemens AG, Corporate Technology, CT RDA IOT SES-DE
> Corporate Competence Center Embedded Linux
>
Jan Kiszka July 23, 2020, 1:52 p.m. UTC | #4
On 23.07.20 15:13, Venkata Pyla wrote:
> Hi Jan,
> 
> sorry i am resending this mail
> 
> On Thu, Jul 23, 2020 at 04:07 PM, Jan Kiszka wrote:
> 
>>
>> On 21.07.20 10:16, Venkata Pyla wrote:
>>> From: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
>>>
>>> Identified security packages are added to the target image
>>> and that will be used for IEC-62443-4-2 evaluation
>>>
>>> Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
>>> Signed-off-by: pvenkata2 <venkata.pyla@toshiba-tsip.com>
>>                    ^^^^^^^^^
>> Can you configure your git to add your written name here as well? It's in
>> the email, yes, but it would be nicer to have it displayed as well.
> 
> Sure, I didn't notice; it was missing from my git config.
> 
>>> ---
>>>    .../images/cip-core-image-security.bb         | 37 +++++++++++++++++++
>>>    1 file changed, 37 insertions(+)
>>>    create mode 100644 recipes-core/images/cip-core-image-security.bb
>>>
>>> diff --git a/recipes-core/images/cip-core-image-security.bb
>> b/recipes-core/images/cip-core-image-security.bb
>>> new file mode 100644
>>> index 0000000..8253952
>>> --- /dev/null
>>> +++ b/recipes-core/images/cip-core-image-security.bb
>>> @@ -0,0 +1,37 @@
>>> +#
>>> +# A reference image which includes security packages
>>> +#
>>> +# Copyright (c) Toshiba Corporation, 2020
>>> +#
>>> +# Authors:
>>> +#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
>>> +#
>>> +# SPDX-License-Identifier: MIT
>>> +#
>>> +
>>> +inherit image
>>> +
>>> +DESCRIPTION = "CIP Core image including security packages"
>>> +
>>> +# Use the same customizations as cip-core-image
>>
>> That comment is not needed. It just creates the risk of becoming
>> outdated if cip-core-image decides to do something else.
>>
> 
> Understood, I will modify and resend this patch series.
> 
>>> +IMAGE_INSTALL += "customizations"
>>> +
>>> +# Debian packages that provide security features
>>> +IMAGE_PREINSTALL += " \
>>> +	openssl libssl1.1 \
>>> +	fail2ban \
>>> +	openssh-server openssh-sftp-server openssh-client \
>>> +	syslog-ng-core syslog-ng-mod-journal \
>>> +	aide aide-common \
>>> +	libnftables0 nftables \
>>> +	libpam-pkcs11 \
>>> +	chrony \
>>> +	tpm2-tools \
>>> +	tpm2-abrmd \
>>> +	libtss2-esys0 libtss2-udev \
>>> +	libpam-cracklib \
>>> +	acl \
>>> +	libauparse0 audispd-plugins auditd \
>>> +	uuid-runtime \
>>> +	sudo \
>>> +"
>>>
>>
>> Can you close
>> https://gitlab.com/cip-project/cip-core/isar-cip-core/-/merge_requests/8
>> if this series obsoletes it?
>>
> 
> I have rebased the branch and sent the patches over mail,
> I think I should close this MR in gitlab, I will do that.
> 
>> BTW, a cover letter would help structuring the patches together. And
>> please add a tag like "[isar-cip-core]" in order to clarify the series
>> target. That is all configurable in git format-patch/send-email.
>>
> 
> Got it,
> I was sending patches to the community for the first time, so I was missing some basic stuff.
> Next time I will take care of it.
> Thanks for showing patience with me.

Don't worry. The submission looked fairly good otherwise, not like 
first-time!

BTW, I'm still ambivalent whether to do UI (MRs) or cip-dev based patch 
reviews for isar-cip-core. As contributions increase, you contributors 
need to express your preference. I'm used to both by now, I have 
troubles with both by now. However, we just need to consolidate over one 
system because we can't couple them reasonably.

And then we should document the current state of affairs, I know. There 
is a CONTRIBUTING guide missing for this repo.

Jan
Daniel Sangorrin July 27, 2020, 2:47 a.m. UTC | #5
Hi Jan,

> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf Of Jan Kiszka
> Sent: Thursday, July 23, 2020 10:53 PM
> Don't worry. The submission looked fairly good otherwise, not like first-time!
> 
> BTW, I'm still ambivalent whether to do UI (MRs) or cip-dev based patch reviews for isar-cip-core. As contributions increase, you
> contributors need to express your preference. I'm used to both by now, I have troubles with both by now. However, we just need to
> consolidate over one system because we can't couple them reasonably.

Patches give you greater visibility (all cip-dev members), but I can see some benefits in using MRs as well:
* merge when the pipeline succeeds
* map issues with the patches that close them
* discussions are kept close to the code
* no need for guru e-mail clients that don't mesh with your TABs Lol.
* they are more user friendly (push the merge request button instead of having to configure git send-email which can be problematic in corporate environments)

I am open to using any of them.

Thanks,
Daniel

Patch

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
new file mode 100644
index 0000000..8253952
--- /dev/null
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -0,0 +1,37 @@ 
+#
+# A reference image which includes security packages
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# Authors:
+#  Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit image
+
+DESCRIPTION = "CIP Core image including security packages"
+
+# Use the same customizations as cip-core-image
+IMAGE_INSTALL += "customizations"
+
+# Debian packages that provide security features
+IMAGE_PREINSTALL += " \
+	openssl libssl1.1 \
+	fail2ban \
+	openssh-server openssh-sftp-server openssh-client \
+	syslog-ng-core syslog-ng-mod-journal \
+	aide aide-common \
+	libnftables0 nftables \
+	libpam-pkcs11 \
+	chrony \
+	tpm2-tools \
+	tpm2-abrmd \
+	libtss2-esys0 libtss2-udev \
+	libpam-cracklib \
+	acl \
+	libauparse0 audispd-plugins auditd \
+	uuid-runtime \
+	sudo \
+"
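Review bot: the comment above IMAGE_PREINSTALL says only "Debian packages that provide security features", so the recipe does not record which IEC-62443-4-2 requirement each package is meant to cover, and nothing in this hunk configures any of them. Packages such as nftables, aide and auditd contribute little to an evaluation until they have a ruleset, an initialised database and audit rules respectively. Consider grouping the list with one comment per group naming the requirement it serves, and noting where the matching configuration is expected to come from, for example the customizations package installed just above.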