Message ID | 20200805130412.1427-1-venkata.pyla@toshiba-tsip.com (mailing list archive) |
---|---|
State | Accepted |
Series | [isar-cip-core] security-customizations: Recipe to apply security configurations |
On 05.08.20 15:04, venkata.pyla@toshiba-tsip.com wrote: > From: venkata pyla <venkata.pyla@toshiba-tsip.com> > > This recipe will apply security policies* to the reference image > that will be used for IEC62443-4-2 Evaluation > > *Security policies: > 1. Enforcing strong password to user accounts > 2. Lock user accounts for failed login attempts > 3. Terminate remote session for inactive time period > 4. Limit the concurrent login sessions > 5. Warn audit stroage failure > > Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com> > --- > .../images/cip-core-image-security.bb | 2 +- > .../security-customizations/files/postinst | 51 +++++++++++++++++++ > .../security-customizations.bb | 18 +++++++ > 3 files changed, 70 insertions(+), 1 deletion(-) > create mode 100644 recipes-core/security-customizations/files/postinst > create mode 100644 recipes-core/security-customizations/security-customizations.bb > > diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb > index a17c522..61ddc39 100644 > --- a/recipes-core/images/cip-core-image-security.bb > +++ b/recipes-core/images/cip-core-image-security.bb > @@ -13,7 +13,7 @@ inherit image > > DESCRIPTION = "CIP Core image including security packages" > > -IMAGE_INSTALL += "customizations" > +IMAGE_INSTALL += "security-customizations" > > # Debian packages that provide security features > IMAGE_PREINSTALL += " \ > diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst > new file mode 100644 > index 0000000..3699ba2 > --- /dev/null > +++ b/recipes-core/security-customizations/files/postinst 
> @@ -0,0 +1,51 @@ > +#!/bin/sh > +# > +# CIP Security, generic profile > +# Security Package configurations > +# > + > +echo "CIP Core Security Image (login: root/root)" > /etc/issue > + > +HOSTNAME=demo > +echo "$HOSTNAME" > /etc/hostname > +echo "127.0.0.1 $HOSTNAME" >> /etc/hosts > + > +# CR1.7: Strength of password-based authentication > +# Pam configuration to enforce password strength > +PAM_PWD_FILE="/etc/pam.d/common-password" > +pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" > +if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then > + sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" > +fi > +sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}" > + > +# CR1.11: Unsuccessful login attempts > +# Lock user account after unsuccessful login attempts > +PAM_AUTH_FILE="/etc/pam.d/common-auth" > +pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60" > +if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then > + sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}" > +fi > +sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}" > + > +# CR2.6: Remote session termination > +# Terminate remote session after inactive time period > +SSHD_CONFIG="/etc/ssh/sshd_config" > +alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}") > +alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}") > +sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}" > +sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}" > + > +# CR2.7: Concurrent session control > +# Limit the concurrent login sessions > +LIMITS_CONFIG="/etc/security/limits.conf" > +echo "* hard maxlogins 2" >> ${LIMITS_CONFIG} > + > +# CR2.9: Audit storage capacity > +# CR2.9 RE-1: Warn when audit record storage capacity threshold reached > 
+AUDIT_CONF_FILE="/etc/audit/auditd.conf" > +sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE > +sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE > + > +# CR2.10: Response to audit processing failures > +sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE > diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb > new file mode 100644 > index 0000000..dbb06d9 > --- /dev/null > +++ b/recipes-core/security-customizations/security-customizations.bb > @@ -0,0 +1,18 @@ > +# > +# CIP Security, generic profile > +# > +# Copyright (c) Toshiba Corporation, 2020 > +# > +# Authors: > +# Venkata Pyla <venkata.pyla@toshiba-tsip.com># > +# > +# SPDX-License-Identifier: MIT > +# > + > +inherit dpkg-raw > + > +DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation" > + > +SRC_URI = " file://postinst" > + > +DEBIAN_DEPENDS = "sshd-regen-keys" > Thanks, applied to next. Jan
On 17.08.20 14:47, Jan Kiszka wrote: > On 05.08.20 15:04, venkata.pyla@toshiba-tsip.com wrote: >> From: venkata pyla <venkata.pyla@toshiba-tsip.com> >> >> This recipe will apply security policies* to the reference image >> that will be used for IEC62443-4-2 Evaluation >> >> *Security policies: >> 1. Enforcing strong password to user accounts >> 2. Lock user accounts for failed login attempts >> 3. Terminate remote session for inactive time period >> 4. Limit the concurrent login sessions >> 5. Warn audit stroage failure >> >> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com> >> --- >> .../images/cip-core-image-security.bb | 2 +- >> .../security-customizations/files/postinst | 51 +++++++++++++++++++ >> .../security-customizations.bb | 18 +++++++ >> 3 files changed, 70 insertions(+), 1 deletion(-) >> create mode 100644 recipes-core/security-customizations/files/postinst >> create mode 100644 recipes-core/security-customizations/security-customizations.bb >> >> diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb >> index a17c522..61ddc39 100644 >> --- a/recipes-core/images/cip-core-image-security.bb >> +++ b/recipes-core/images/cip-core-image-security.bb >> @@ -13,7 +13,7 @@ inherit image >> >> DESCRIPTION = "CIP Core image including security packages" >> >> -IMAGE_INSTALL += "customizations" >> +IMAGE_INSTALL += "security-customizations" >> >> # Debian packages that provide security features >> IMAGE_PREINSTALL += " \ >> diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst >> new file mode 100644 >> index 0000000..3699ba2 >> --- /dev/null >> +++ b/recipes-core/security-customizations/files/postinst 
>> @@ -0,0 +1,51 @@ >> +#!/bin/sh >> +# >> +# CIP Security, generic profile >> +# Security Package configurations >> +# >> + >> +echo "CIP Core Security Image (login: root/root)" > /etc/issue >> + >> +HOSTNAME=demo >> +echo "$HOSTNAME" > /etc/hostname >> +echo "127.0.0.1 $HOSTNAME" >> /etc/hosts >> + >> +# CR1.7: Strength of password-based authentication >> +# Pam configuration to enforce password strength >> +PAM_PWD_FILE="/etc/pam.d/common-password" >> +pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" >> +if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then >> + sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" >> +fi >> +sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}" >> + >> +# CR1.11: Unsuccessful login attempts >> +# Lock user account after unsuccessful login attempts >> +PAM_AUTH_FILE="/etc/pam.d/common-auth" >> +pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60" >> +if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then >> + sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}" >> +fi >> +sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}" >> + >> +# CR2.6: Remote session termination >> +# Terminate remote session after inactive time period >> +SSHD_CONFIG="/etc/ssh/sshd_config" >> +alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}") >> +alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}") >> +sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}" >> +sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}" >> + >> +# CR2.7: Concurrent session control >> +# Limit the concurrent login sessions >> +LIMITS_CONFIG="/etc/security/limits.conf" >> +echo "* hard maxlogins 2" >> ${LIMITS_CONFIG} >> + >> +# CR2.9: Audit storage capacity >> +# CR2.9 RE-1: Warn when audit record storage 
capacity threshold reached >> +AUDIT_CONF_FILE="/etc/audit/auditd.conf" >> +sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE >> +sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE >> + >> +# CR2.10: Response to audit processing failures >> +sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE >> diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb >> new file mode 100644 >> index 0000000..dbb06d9 >> --- /dev/null >> +++ b/recipes-core/security-customizations/security-customizations.bb >> @@ -0,0 +1,18 @@ >> +# >> +# CIP Security, generic profile >> +# >> +# Copyright (c) Toshiba Corporation, 2020 >> +# >> +# Authors: >> +# Venkata Pyla <venkata.pyla@toshiba-tsip.com># >> +# >> +# SPDX-License-Identifier: MIT >> +# >> + >> +inherit dpkg-raw >> + >> +DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation" >> + >> +SRC_URI = " file://postinst" >> + Was missing DEPENDS = "sshd-regen-keys" Added this, CI should be passing now. I suspect you tested over a non-clean build with leftovers that papered over it. Jan >> +DEBIAN_DEPENDS = "sshd-regen-keys" >> > > Thanks, applied to next. > > Jan >
On Mon, Aug 17, 2020 at 08:49 PM, Jan Kiszka wrote: > > > > > > >> +++ b/recipes-core/security-customizations/security-customizations.bb > >> @@ -0,0 +1,18 @@ > >> +# > >> +# CIP Security, generic profile > >> +# > >> +# Copyright (c) Toshiba Corporation, 2020 > >> +# > >> +# Authors: > >> +# Venkata Pyla <venkata.pyla@...># > >> +# > >> +# SPDX-License-Identifier: MIT > >> +# > >> + > >> +inherit dpkg-raw > >> + > >> +DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation" > >> + > >> +SRC_URI = " file://postinst" > >> + > > > > > > Was missing > > DEPENDS = "sshd-regen-keys" > > Added this, CI should be passing now. I suspect you tested over a > non-clean build with leftovers that papered over it. > Sorry, I have not verified on a clean build. Thanks for fixing it. > Jan > > > > > > >> +DEBIAN_DEPENDS = "sshd-regen-keys" > >> > > > > Thanks, applied to next. > > > > Jan
diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb index a17c522..61ddc39 100644 --- a/recipes-core/images/cip-core-image-security.bb +++ b/recipes-core/images/cip-core-image-security.bb @@ -13,7 +13,7 @@ inherit image DESCRIPTION = "CIP Core image including security packages" -IMAGE_INSTALL += "customizations" +IMAGE_INSTALL += "security-customizations" # Debian packages that provide security features IMAGE_PREINSTALL += " \ diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst new file mode 100644 index 0000000..3699ba2 --- /dev/null +++ b/recipes-core/security-customizations/files/postinst 
@@ -0,0 +1,51 @@ +#!/bin/sh +# +# CIP Security, generic profile +# Security Package configurations +# + +echo "CIP Core Security Image (login: root/root)" > /etc/issue + +HOSTNAME=demo +echo "$HOSTNAME" > /etc/hostname +echo "127.0.0.1 $HOSTNAME" >> /etc/hosts + +# CR1.7: Strength of password-based authentication +# Pam configuration to enforce password strength +PAM_PWD_FILE="/etc/pam.d/common-password" +pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" +if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then + sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" +fi +sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}" + +# CR1.11: Unsuccessful login attempts +# Lock user account after unsuccessful login attempts +PAM_AUTH_FILE="/etc/pam.d/common-auth" +pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60" +if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then + sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}" +fi +sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}" + +# CR2.6: Remote session termination +# Terminate remote session after inactive time period +SSHD_CONFIG="/etc/ssh/sshd_config" +alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}") +alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}") +sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}" +sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}" + +# CR2.7: Concurrent session control +# Limit the concurrent login sessions +LIMITS_CONFIG="/etc/security/limits.conf" +echo "* hard maxlogins 2" >> ${LIMITS_CONFIG} + +# CR2.9: Audit storage capacity +# CR2.9 RE-1: Warn when audit record storage capacity threshold reached +AUDIT_CONF_FILE="/etc/audit/auditd.conf" +sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' 
$AUDIT_CONF_FILE +sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE + +# CR2.10: Response to audit processing failures +sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb new file mode 100644 index 0000000..dbb06d9 --- /dev/null +++ b/recipes-core/security-customizations/security-customizations.bb @@ -0,0 +1,18 @@ +# +# CIP Security, generic profile +# +# Copyright (c) Toshiba Corporation, 2020 +# +# Authors: +# Venkata Pyla <venkata.pyla@toshiba-tsip.com># +# +# SPDX-License-Identifier: MIT +# + +inherit dpkg-raw + +DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation" + +SRC_URI = " file://postinst" + +DEBIAN_DEPENDS = "sshd-regen-keys"
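Review bot: the cip-core-image-security.bb hunk replaces `IMAGE_INSTALL += "customizations"` with `IMAGE_INSTALL += "security-customizations"` instead of adding the new package alongside the existing one, so whatever the base `customizations` package configured is no longer installed in the security image. The new postinst writes /etc/hostname and /etc/issue itself, which suggests this is deliberate, but the commit message should say that security-customizations supersedes customizations for this image; if that is not the intent, keep both packages in IMAGE_INSTALL.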
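Review bot: in the postinst hunk, the CR2.6 block reads the current sshd_config lines back into a regex (`alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")` followed by `sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}"`), which fails in two cases: when the directive is absent the variable is empty and the resulting `//` address makes sed abort with "no previous regular expression", and when more than one line matches the variable contains a newline and the expression is malformed. Match the directive directly, e.g. `sed -i 's/^#*ClientAliveInterval.*/ClientAliveInterval 120/' "${SSHD_CONFIG}"`, and append the line when nothing matched. Related points in the same file: there is no `set -e`, so a failed sed leaves the setting unapplied while dpkg still reports the package as configured; `echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}` and the /etc/hosts append run on every configure of the package and accumulate duplicate lines, so guard them with a grep; the `grep -c ...; then` tests print their count to stdout and should be `grep -q`. Two behavioural caveats worth a comment: starting with OpenSSH 8.2, `ClientAliveCountMax 0` disables the inactivity disconnect entirely rather than dropping the session after the first missed probe, so `ClientAliveCountMax 1` gives the intended CR2.6 behaviour on both older and newer releases; and the pam_cracklib rule only applies when a password is changed, so the preset root/root credential that /etc/issue advertises is not covered by CR1.7 and the evaluation image should either force a change on first login or stop announcing it in the banner.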
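Review bot: in the security-customizations.bb hunk, `DEBIAN_DEPENDS = "sshd-regen-keys"` only lands in the generated package's Depends field; it does not create a bitbake task dependency, so nothing ensures the sshd-regen-keys recipe is built first and a clean build fails, as noted further up in the thread where `DEPENDS = "sshd-regen-keys"` was added on apply. Minor: the trailing `#` in `# Venkata Pyla <venkata.pyla@toshiba-tsip.com>#` looks like a typo, and DESCRIPTION calls this an "image" although the recipe builds the package that the image installs.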