
[isar-cip-core] security-customizations: Recipe to apply security configurations

Message ID 20200805130412.1427-1-venkata.pyla@toshiba-tsip.com
State Accepted
Series [isar-cip-core] security-customizations: Recipe to apply security configurations | expand

Commit Message

Venkata Pyla Aug. 5, 2020, 1:04 p.m. UTC
From: venkata pyla <venkata.pyla@toshiba-tsip.com>

This recipe will apply security policies* to the reference image
that will be used for IEC62443-4-2 Evaluation

*Security policies:
 1. Enforcing strong password to user accounts
 2. Lock user accounts for failed login attempts
 3. Terminate remote session for inactive time period
 4. Limit the concurrent login sessions
 5. Warn on audit storage failure

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
 .../images/cip-core-image-security.bb         |  2 +-
 .../security-customizations/files/postinst    | 51 +++++++++++++++++++
 .../security-customizations.bb                | 18 +++++++
 3 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 recipes-core/security-customizations/files/postinst
 create mode 100644 recipes-core/security-customizations/security-customizations.bb

Comments

Jan Kiszka Aug. 17, 2020, 12:47 p.m. UTC | #1
On 05.08.20 15:04, venkata.pyla@toshiba-tsip.com wrote:
> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
> 
> This recipe will apply security policies* to the reference image
> that will be used for IEC62443-4-2 Evaluation
> 
> *Security policies:
>  1. Enforcing strong password to user accounts
>  2. Lock user accounts for failed login attempts
>  3. Terminate remote session for inactive time period
>  4. Limit the concurrent login sessions
>  5. Warn audit stroage failure
> 
> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
> ---
>  .../images/cip-core-image-security.bb         |  2 +-
>  .../security-customizations/files/postinst    | 51 +++++++++++++++++++
>  .../security-customizations.bb                | 18 +++++++
>  3 files changed, 70 insertions(+), 1 deletion(-)
>  create mode 100644 recipes-core/security-customizations/files/postinst
>  create mode 100644 recipes-core/security-customizations/security-customizations.bb
> 
> diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
> index a17c522..61ddc39 100644
> --- a/recipes-core/images/cip-core-image-security.bb
> +++ b/recipes-core/images/cip-core-image-security.bb
> @@ -13,7 +13,7 @@ inherit image
>  
>  DESCRIPTION = "CIP Core image including security packages"
>  
> -IMAGE_INSTALL += "customizations"
> +IMAGE_INSTALL += "security-customizations"
>  
>  # Debian packages that provide security features
>  IMAGE_PREINSTALL += " \
> diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
> new file mode 100644
> index 0000000..3699ba2
> --- /dev/null
> +++ b/recipes-core/security-customizations/files/postinst
> @@ -0,0 +1,51 @@
> +#!/bin/sh
> +#
> +# CIP Security, generic profile
> +# Security Package configurations
> +#
> +
> +echo "CIP Core Security Image (login: root/root)" > /etc/issue
> +
> +HOSTNAME=demo
> +echo "$HOSTNAME" > /etc/hostname
> +echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
> +
> +# CR1.7: Strength of password-based authentication
> +# Pam configuration to  enforce password strength
> +PAM_PWD_FILE="/etc/pam.d/common-password"
> +pam_cracklib_config="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1  difok=3 gecoscheck=1 reject_username  enforce_for_root"
> +if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
> +        sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
> +fi
> +sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"
> +
> +# CR1.11: Unsuccessful login attempts
> +# Lock user account after unsuccessful login attempts
> +PAM_AUTH_FILE="/etc/pam.d/common-auth"
> +pam_tally="auth   required  pam_tally2.so  deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
> +if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
> +        sed -i '/pam_tally2/ s/^#*/#/'  "${PAM_AUTH_FILE}"
> +fi
> +sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
> +
> +# CR2.6: Remote session termination
> +# Terminate remote session after inactive time period
> +SSHD_CONFIG="/etc/ssh/sshd_config"
> +alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
> +alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
> +sed -i "/${alive_interval}/c ClientAliveInterval 120"  "${SSHD_CONFIG}"
> +sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
> +
> +# CR2.7: Concurrent session control
> +# Limit the concurrent login sessions
> +LIMITS_CONFIG="/etc/security/limits.conf"
> +echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
> +
> +# CR2.9: Audit storage capacity
> +# CR2.9 RE-1: Warn when audit record storage capacity threshold reached
> +AUDIT_CONF_FILE="/etc/audit/auditd.conf"
> +sed -i 's/space_left_action = .*/space_left_action = SYSLOG/'  $AUDIT_CONF_FILE
> +sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE
> +
> +# CR2.10: Response to audit processing failures
> +sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
> diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb
> new file mode 100644
> index 0000000..dbb06d9
> --- /dev/null
> +++ b/recipes-core/security-customizations/security-customizations.bb
> @@ -0,0 +1,18 @@
> +#
> +# CIP Security, generic profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# Authors:
> +#  Venkata Pyla <venkata.pyla@toshiba-tsip.com>#
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +inherit dpkg-raw
> +
> +DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation"
> +
> +SRC_URI = " file://postinst"
> +
> +DEBIAN_DEPENDS = "sshd-regen-keys"
> 

Thanks, applied to next.

Jan
Jan Kiszka Aug. 17, 2020, 3:19 p.m. UTC | #2
On 17.08.20 14:47, Jan Kiszka wrote:
> On 05.08.20 15:04, venkata.pyla@toshiba-tsip.com wrote:
>> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
>>
>> This recipe will apply security policies* to the reference image
>> that will be used for IEC62443-4-2 Evaluation
>>
>> *Security policies:
>>  1. Enforcing strong password to user accounts
>>  2. Lock user accounts for failed login attempts
>>  3. Terminate remote session for inactive time period
>>  4. Limit the concurrent login sessions
>>  5. Warn audit stroage failure
>>
>> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
>> ---
>>  .../images/cip-core-image-security.bb         |  2 +-
>>  .../security-customizations/files/postinst    | 51 +++++++++++++++++++
>>  .../security-customizations.bb                | 18 +++++++
>>  3 files changed, 70 insertions(+), 1 deletion(-)
>>  create mode 100644 recipes-core/security-customizations/files/postinst
>>  create mode 100644 recipes-core/security-customizations/security-customizations.bb
>>
>> diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
>> index a17c522..61ddc39 100644
>> --- a/recipes-core/images/cip-core-image-security.bb
>> +++ b/recipes-core/images/cip-core-image-security.bb
>> @@ -13,7 +13,7 @@ inherit image
>>  
>>  DESCRIPTION = "CIP Core image including security packages"
>>  
>> -IMAGE_INSTALL += "customizations"
>> +IMAGE_INSTALL += "security-customizations"
>>  
>>  # Debian packages that provide security features
>>  IMAGE_PREINSTALL += " \
>> diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
>> new file mode 100644
>> index 0000000..3699ba2
>> --- /dev/null
>> +++ b/recipes-core/security-customizations/files/postinst
>> @@ -0,0 +1,51 @@
>> +#!/bin/sh
>> +#
>> +# CIP Security, generic profile
>> +# Security Package configurations
>> +#
>> +
>> +echo "CIP Core Security Image (login: root/root)" > /etc/issue
>> +
>> +HOSTNAME=demo
>> +echo "$HOSTNAME" > /etc/hostname
>> +echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
>> +
>> +# CR1.7: Strength of password-based authentication
>> +# Pam configuration to  enforce password strength
>> +PAM_PWD_FILE="/etc/pam.d/common-password"
>> +pam_cracklib_config="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1  difok=3 gecoscheck=1 reject_username  enforce_for_root"
>> +if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
>> +        sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
>> +fi
>> +sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"
>> +
>> +# CR1.11: Unsuccessful login attempts
>> +# Lock user account after unsuccessful login attempts
>> +PAM_AUTH_FILE="/etc/pam.d/common-auth"
>> +pam_tally="auth   required  pam_tally2.so  deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
>> +if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
>> +        sed -i '/pam_tally2/ s/^#*/#/'  "${PAM_AUTH_FILE}"
>> +fi
>> +sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
>> +
>> +# CR2.6: Remote session termination
>> +# Terminate remote session after inactive time period
>> +SSHD_CONFIG="/etc/ssh/sshd_config"
>> +alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
>> +alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
>> +sed -i "/${alive_interval}/c ClientAliveInterval 120"  "${SSHD_CONFIG}"
>> +sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
>> +
>> +# CR2.7: Concurrent session control
>> +# Limit the concurrent login sessions
>> +LIMITS_CONFIG="/etc/security/limits.conf"
>> +echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
>> +
>> +# CR2.9: Audit storage capacity
>> +# CR2.9 RE-1: Warn when audit record storage capacity threshold reached
>> +AUDIT_CONF_FILE="/etc/audit/auditd.conf"
>> +sed -i 's/space_left_action = .*/space_left_action = SYSLOG/'  $AUDIT_CONF_FILE
>> +sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE
>> +
>> +# CR2.10: Response to audit processing failures
>> +sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
>> diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb
>> new file mode 100644
>> index 0000000..dbb06d9
>> --- /dev/null
>> +++ b/recipes-core/security-customizations/security-customizations.bb
>> @@ -0,0 +1,18 @@
>> +#
>> +# CIP Security, generic profile
>> +#
>> +# Copyright (c) Toshiba Corporation, 2020
>> +#
>> +# Authors:
>> +#  Venkata Pyla <venkata.pyla@toshiba-tsip.com>#
>> +#
>> +# SPDX-License-Identifier: MIT
>> +#
>> +
>> +inherit dpkg-raw
>> +
>> +DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation"
>> +
>> +SRC_URI = " file://postinst"
>> +

Was missing

DEPENDS = "sshd-regen-keys"

Added this, CI should be passing now. I suspect you tested over a
non-clean build with leftovers that papered over it.

Jan

>> +DEBIAN_DEPENDS = "sshd-regen-keys"
>>
> 
> Thanks, applied to next.
> 
> Jan
>
Venkata Pyla Aug. 18, 2020, 7:57 a.m. UTC | #3
On Mon, Aug 17, 2020 at 08:49 PM, Jan Kiszka wrote:

>
> > 
> > 
> >> +++ b/recipes-core/security-customizations/security-customizations.bb
> >> @@ -0,0 +1,18 @@
> >> +#
> >> +# CIP Security, generic profile
> >> +#
> >> +# Copyright (c) Toshiba Corporation, 2020
> >> +#
> >> +# Authors:
> >> +# Venkata Pyla <venkata.pyla@...>#
> >> +#
> >> +# SPDX-License-Identifier: MIT
> >> +#
> >> +
> >> +inherit dpkg-raw
> >> +
> >> +DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation"
> >> +
> >> +SRC_URI = " file://postinst"
> >> +
> > 
> > 
> 
> Was missing
> 
> DEPENDS = "sshd-regen-keys"
> 
> Added this, CI should be passing now. I suspect you tested over a
> non-clean build with leftovers that papered over it.
> 

sorry, i have not verified on clean build,
Thanks for fixing it.

> Jan
> 
> > 
> > 
> >> +DEBIAN_DEPENDS = "sshd-regen-keys"
> >> 
> > 
> > Thanks, applied to next.
> > 
> > Jan
>

Patch

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index a17c522..61ddc39 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -13,7 +13,7 @@  inherit image
 
 DESCRIPTION = "CIP Core image including security packages"
 
-IMAGE_INSTALL += "customizations"
+IMAGE_INSTALL += "security-customizations"
 
 # Debian packages that provide security features
 IMAGE_PREINSTALL += " \
diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
new file mode 100644
index 0000000..3699ba2
--- /dev/null
+++ b/recipes-core/security-customizations/files/postinst
@@ -0,0 +1,51 @@ 
+#!/bin/sh
+#
+# CIP Security, generic profile
+# Security Package configurations
+#
+
+echo "CIP Core Security Image (login: root/root)" > /etc/issue
+
+HOSTNAME=demo
+echo "$HOSTNAME" > /etc/hostname
+echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
+
+# CR1.7: Strength of password-based authentication
+# Pam configuration to  enforce password strength
+PAM_PWD_FILE="/etc/pam.d/common-password"
+pam_cracklib_config="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1  difok=3 gecoscheck=1 reject_username  enforce_for_root"
+if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
+        sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
+fi
+sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"
+
+# CR1.11: Unsuccessful login attempts
+# Lock user account after unsuccessful login attempts
+PAM_AUTH_FILE="/etc/pam.d/common-auth"
+pam_tally="auth   required  pam_tally2.so  deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
+if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
+        sed -i '/pam_tally2/ s/^#*/#/'  "${PAM_AUTH_FILE}"
+fi
+sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
+
+# CR2.6: Remote session termination
+# Terminate remote session after inactive time period
+SSHD_CONFIG="/etc/ssh/sshd_config"
+alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
+alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
+sed -i "/${alive_interval}/c ClientAliveInterval 120"  "${SSHD_CONFIG}"
+sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
+
+# CR2.7: Concurrent session control
+# Limit the concurrent login sessions
+LIMITS_CONFIG="/etc/security/limits.conf"
+echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
+
+# CR2.9: Audit storage capacity
+# CR2.9 RE-1: Warn when audit record storage capacity threshold reached
+AUDIT_CONF_FILE="/etc/audit/auditd.conf"
+sed -i 's/space_left_action = .*/space_left_action = SYSLOG/'  $AUDIT_CONF_FILE
+sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE
+
+# CR2.10: Response to audit processing failures
+sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
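Review bot: In the CR2.6 block the captured `alive_interval` / `alive_countmax` text is reused as a sed address, so the edit only works when sshd_config holds exactly one matching line with no `/` in it; if the directive is absent the address is an empty regex with no previous regex to fall back on, the sed call errors out, and because the script has no `set -e` the image is built without the timeout and without any visible failure. Matching the directive name directly is sturdier, e.g. `sed -i 's/^#*[[:space:]]*ClientAliveInterval.*/ClientAliveInterval 120/' "${SSHD_CONFIG}"` (and the same for ClientAliveCountMax), followed by a `grep -q` check that fails the postinst when the expected line is not present afterwards. Separately, `ClientAliveCountMax 0` terminates idle sessions only on older OpenSSH; from OpenSSH 8.2 on a value of 0 disables connection termination, so the value should be checked against the sshd version shipped in the image. The same silent-failure concern applies to the PAM and auditd sed calls in this hunk, and the PAM insertions plus the `>>` appends to /etc/hosts and limits.conf add another line each time the postinst is re-run.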
diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb
new file mode 100644
index 0000000..dbb06d9
--- /dev/null
+++ b/recipes-core/security-customizations/security-customizations.bb
@@ -0,0 +1,18 @@ 
+#
+# CIP Security, generic profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# Authors:
+#  Venkata Pyla <venkata.pyla@toshiba-tsip.com>#
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation"
+
+SRC_URI = " file://postinst"
+
+DEBIAN_DEPENDS = "sshd-regen-keys"
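Review bot: `DEBIAN_DEPENDS` names only sshd-regen-keys, yet the postinst shipped by this recipe edits /etc/ssh/sshd_config, /etc/audit/auditd.conf and the PAM common-* files, and references pam_cracklib.so and pam_tally2.so. Debian only guarantees that declared dependencies are configured before a package's postinst runs, so as written the hardening relies on the image's IMAGE_PREINSTALL list (not fully visible in this patch) having installed those packages first. Declaring the providers here, e.g. `DEBIAN_DEPENDS = "sshd-regen-keys, openssh-server, auditd, libpam-cracklib"` (package names to be confirmed for the target Debian release), would make the ordering explicit; a `requisite` PAM line pointing at a module that is not installed would otherwise break password changes. The stray `#` after the author e-mail in the header comment can also be dropped.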