From patchwork Tue Sep 15 14:23:42 2020
X-Patchwork-Submitter: Venkata Pyla
X-Patchwork-Id: 11776745
From: "Venkata Pyla"
Subject: [cip-dev] [cip-core:deby 1/3] cip-security: Create new layer for cip security
Date: Tue, 15 Sep 2020 19:53:42 +0530
Message-ID: <20200915142345.179-2-venkata.pyla@toshiba-tsip.com>
In-Reply-To: <20200915142345.179-1-venkata.pyla@toshiba-tsip.com>

From: venkata pyla

This layer enables security packages and default configurations required to evaluate IEC62443-4-2 assessment

Signed-off-by: venkata pyla
--- README.md | 5 +++++ kas/opt/security.yml | 32 +++++++++++++++++++++++++++++++ meta-cip-security/conf/layer.conf | 18 +++++++++++++++++ 3 files changed, 55 insertions(+) create mode 100644 kas/opt/security.yml create mode 100644 meta-cip-security/conf/layer.conf diff --git a/README.md b/README.md index f90e040..f59dd0c 100644 --- a/README.md +++ b/README.md 
@@ -88,3 +88,8 @@ LTP test image for QEMU arm64 / hihope-rzg2m $ ./scripts/kas-build.sh kas/board/qemuarm64.yml:kas/opt/deby.yml:kas/opt/dhcp.yml:kas/opt/ltp.yml +Create Security image for QEMU x86-64 +------------------------------------- + + $ ./scripts/kas-build.sh kas/board/qemux86-64.yml:kas/opt/deby.yml:kas/opt/security.yml + diff --git a/kas/opt/security.yml b/kas/opt/security.yml new file mode 100644 index 0000000..e84290c --- /dev/null +++ b/kas/opt/security.yml @@ -0,0 +1,32 @@ +# +# CIP Core tiny profile with Security +# packages and configuration +# +# Copyright (c) 2019 TOSHIBA Corp. +# +# SPDX-License-Identifier: MIT +# + +header: + version: 8 + +repos: + meta-cip-security: + layers: + meta-cip-security: + +local_conf_header: + security: | + DISTRO_FEATURES_append += " pam" + CORE_IMAGE_EXTRA_INSTALL += " \ + aide aide-common \ + openssl openssl-bin \ + openssh openssh-misc \ + chrony chronyc \ + libpam pam-plugin-cracklib pam-plugin-tally2 \ + syslog-ng \ + acl \ + sudo \ + auditd \ + util-linux \ + " diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf new file mode 100644 index 0000000..b015436 --- /dev/null +++ b/meta-cip-security/conf/layer.conf @@ -0,0 +1,18 @@ +# We have a conf and classes directory, add to BBPATH +BBPATH =. "${LAYERDIR}:" + +# We have recipes-* directories, add to BBFILES +BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \ + ${LAYERDIR}/recipes-*/*/*.bbappend" + +BBFILE_COLLECTIONS += "cip-security" +BBFILE_PATTERN_cip-security = "^${LAYERDIR}/" +BBFILE_PRIORITY_cip-security = "11" + +# This should only be incremented on significant changes that will +# cause compatibility issues with other layers +LAYERVERSION_cip-security = "1" + +LAYERDEPENDS_cip-security = "debian" + +LAYERSERIES_COMPAT_cip-security = "warrior"
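
Review bot: The new README.md section "Create Security image for QEMU x86-64" gives only the build command and does not say what kas/opt/security.yml adds or that the image is meant for IEC 62443-4-2 evaluation, which the commit message states; one sentence under the heading would tell readers when to choose this option. The heading also departs from the noun-phrase style of the neighbouring "LTP test image for QEMU arm64 / hihope-rzg2m" heading, and the last added line of the hunk is an empty line at the end of the file that can be dropped.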
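
Review bot: In kas/opt/security.yml the line DISTRO_FEATURES_append += " pam" combines the _append override with the += operator; _append already appends, so this should read DISTRO_FEATURES_append = " pam". In the same block, pam-plugin-cracklib and pam-plugin-tally2 are installed but nothing in this patch adds PAM configuration that references them, so it would help to say in the commit message or a comment which patch in the series supplies the "default configurations" the description mentions. The header carries "Copyright (c) 2019" on a file created by a patch dated 2020; please check the year.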
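
Review bot: In meta-cip-security/conf/layer.conf, BBFILES and BBFILE_PATTERN_cip-security are set, but the diffstat shows that this patch creates no recipes-* content in the layer, so at this commit BitBake will warn that no bb files matched BBFILE_PATTERN_cip-security. Either fold the first recipe into this patch or set BBFILE_PATTERN_IGNORE_EMPTY_cip-security = "1" until recipes arrive, so the series stays clean to bisect. The comment "We have a conf and classes directory" also does not match what is added here (only conf/), and BBFILE_PRIORITY_cip-security = "11" would benefit from a short comment saying which layers it is meant to override.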