From patchwork Tue Sep 15 14:23:42 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Venkata Pyla X-Patchwork-Id: 11776745 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C9937746 for ; Tue, 15 Sep 2020 14:22:53 +0000 (UTC) Received: from web01.groups.io (web01.groups.io [66.175.222.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 5AAE422B4B for ; Tue, 15 Sep 2020 14:22:53 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=lists.cip-project.org header.i=@lists.cip-project.org header.b="FIgdgv/P" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5AAE422B4B Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=toshiba-tsip.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=bounce+64572+5453+4520428+8129116@lists.cip-project.org X-Received: by 127.0.0.2 with SMTP id zHdPYY4521763x1XlH3Cfo8T; Tue, 15 Sep 2020 07:22:53 -0700 X-Received: from peak.toshiba-tesi.com (peak.toshiba-tesi.com []) by mx.groups.io with SMTP id smtpd.web10.14564.1600179768333343159 for ; Tue, 15 Sep 2020 07:22:52 -0700 IronPort-SDR: JD7+T9GYbXBAlL428vjnHvn3UEKZG5HGWq7ylM3XE+piPQQkPqrjP7S4XoMA9Nfb9iJxHGc/V5 UnsftuhsIbWw== X-IronPort-AV: E=Sophos;i="5.76,430,1592850600"; d="scan'208";a="6248123" X-Received: from unknown (HELO TOSBLRMBX0119.TOSHIBA-TSIP.COM) ([172.28.80.118]) by peak.toshiba-tesi.com with ESMTP; 15 Sep 2020 20:33:42 +0530 X-Received: from TOSBLRMBX0319.TOSHIBA-TSIP.COM (172.28.80.120) by TOSBLRMBX0119.TOSHIBA-TSIP.COM (172.28.80.118) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1847.3; Tue, 15 Sep 2020 19:52:50 +0530 X-Received: from pvenkat.TOSHIBA-TSIP.COM 
From: "Venkata Pyla"
Subject: [cip-dev] [cip-core:deby 1/3] cip-security: Create new layer for cip security
Date: Tue, 15 Sep 2020 19:53:42 +0530
Message-ID: <20200915142345.179-2-venkata.pyla@toshiba-tsip.com>
In-Reply-To: <20200915142345.179-1-venkata.pyla@toshiba-tsip.com>
References: <20200915142345.179-1-venkata.pyla@toshiba-tsip.com>

From: venkata pyla

This layer enables the security packages and default configurations required to evaluate an IEC62443-4-2 assessment.

Signed-off-by: venkata pyla
---
 README.md                         |  5 +++++
 kas/opt/security.yml              | 32 +++++++++++++++++++++++++++++++
 meta-cip-security/conf/layer.conf | 18 +++++++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 kas/opt/security.yml
 create mode 100644 meta-cip-security/conf/layer.conf

diff --git a/README.md b/README.md
index f90e040..f59dd0c 100644
--- a/README.md
+++ b/README.md
@@ -88,3 +88,8 @@ LTP test image for QEMU arm64 / hihope-rzg2m $ ./scripts/kas-build.sh kas/board/qemuarm64.yml:kas/opt/deby.yml:kas/opt/dhcp.yml:kas/opt/ltp.yml +Create Security image for QEMU x86-64 +------------------------------------- + + $ ./scripts/kas-build.sh kas/board/qemux86-64.yml:kas/opt/deby.yml:kas/opt/security.yml + diff --git a/kas/opt/security.yml b/kas/opt/security.yml new file mode 100644 index 0000000..e84290c --- /dev/null +++ b/kas/opt/security.yml @@ -0,0 +1,32 @@ +# +# CIP Core tiny profile with Security +# packages and configuration +# +# Copyright (c) 2019 TOSHIBA Corp. +# +# SPDX-License-Identifier: MIT +# + +header: + version: 8 + +repos: + meta-cip-security: + layers: + meta-cip-security: + +local_conf_header: + security: | + DISTRO_FEATURES_append += " pam" + CORE_IMAGE_EXTRA_INSTALL += " \ + aide aide-common \ + openssl openssl-bin \ + openssh openssh-misc \ + chrony chronyc \ + libpam pam-plugin-cracklib pam-plugin-tally2 \ + syslog-ng \ + acl \ + sudo \ + auditd \ + util-linux \ + " diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf new file mode 100644 index 0000000..b015436 --- /dev/null +++ b/meta-cip-security/conf/layer.conf 
@@ -0,0 +1,18 @@ +# We have a conf and classes directory, add to BBPATH +BBPATH =. "${LAYERDIR}:" + +# We have recipes-* directories, add to BBFILES +BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \ + ${LAYERDIR}/recipes-*/*/*.bbappend" + +BBFILE_COLLECTIONS += "cip-security" +BBFILE_PATTERN_cip-security = "^${LAYERDIR}/" +BBFILE_PRIORITY_cip-security = "11" + +# This should only be incremented on significant changes that will +# cause compatibility issues with other layers +LAYERVERSION_cip-security = "1" + +LAYERDEPENDS_cip-security = "debian" + +LAYERSERIES_COMPAT_cip-security = "warrior" From patchwork Tue Sep 15 14:23:43 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Venkata Pyla X-Patchwork-Id: 11776747 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5C04C746 for ; Tue, 15 Sep 2020 14:22:59 +0000 (UTC) Received: from web01.groups.io (web01.groups.io [66.175.222.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id C4FD022268 for ; Tue, 15 Sep 2020 14:22:58 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=lists.cip-project.org header.i=@lists.cip-project.org header.b="Wp2xhfHF" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org C4FD022268 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=toshiba-tsip.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=bounce+64572+5454+4520428+8129116@lists.cip-project.org X-Received: by 127.0.0.2 with SMTP id 5obgYY4521763x25NwWEzsXz; Tue, 15 Sep 2020 07:22:58 -0700 X-Received: from peak.toshiba-tesi.com (peak.toshiba-tesi.com []) by mx.groups.io with SMTP id smtpd.web10.14564.1600179768333343159 for ; Tue, 15 Sep 2020 07:22:57 -0700 IronPort-SDR: 
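Review bot: the README hunk ends with a trailing empty `+` line after the kas-build command; drop it so the new section matches the LTP section just above it.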
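Review bot: in the kas/opt/security.yml hunk, `DISTRO_FEATURES_append += " pam"` combines the `_append` override with `+=`; `_append` already appends, so the idiom is `DISTRO_FEATURES_append = " pam"` (the current form works but inserts a double space and reads as if the value were a plain assignment). The header comment also says `Copyright (c) 2019` while every other new file in this series says 2020.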
From: "Venkata Pyla"
Subject: [cip-dev] [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend
Date: Tue, 15 Sep 2020 19:53:43 +0530
Message-ID: <20200915142345.179-3-venkata.pyla@toshiba-tsip.com>
In-Reply-To: <20200915142345.179-1-venkata.pyla@toshiba-tsip.com>
References: <20200915142345.179-1-venkata.pyla@toshiba-tsip.com>
From: venkata pyla add package bbappaned files in the security layer that will apply the security configurations like e.g: Set password strength in pam configurations Set audit failure actions in audit package configurations etc. Signed-off-by: venkata pyla --- .../audit/audit_debian.bbappend | 20 ++++++++++ .../base-files/base-files_debian.bbappend | 3 ++ .../openssh/openssh_debian.bbappend | 19 +++++++++ .../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++ 4 files changed, 81 insertions(+) create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend new file mode 100644 index 0000000..c148f27 --- /dev/null +++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend @@ -0,0 +1,20 @@ +# +# CIP Security, tiny profile +# +# Copyright (c) Toshiba Corporation, 2020 +# +# SPDX-License-Identifier: MIT +# + +DESCRIPTION = "CIP Security customizations" + +pkg_postinst_audit_append() { + # CR2.9: Audit storage capacity + # CR2.9 RE-1: Warn when audit record storage capacity threshold reached + AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf" + sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE + sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE + + # CR2.10: Response to audit processing failures + sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE +} diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend new file mode 100644 index 0000000..895dc9f 
--- /dev/null +++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend @@ -0,0 +1,3 @@ +do_install_append() { + echo "${MACHINE}" > ${D}${sysconfdir}/hostname +} diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend new file mode 100644 index 0000000..ddd2bfc --- /dev/null +++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend @@ -0,0 +1,19 @@ +# +# CIP Security, tiny profile +# +# Copyright (c) Toshiba Corporation, 2020 +# +# SPDX-License-Identifier: MIT +# + +DESCRIPTION = "CIP Security customizations" + +pkg_postinst_${PN}_append() { + # CR2.6: Remote session termination + # Terminate remote session after inactive time period + SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config" + alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}") + alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}") + sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}" + sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}" +} diff --git a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend new file mode 100644 index 0000000..c9c1605 --- /dev/null +++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend 
@@ -0,0 +1,39 @@ +# +# CIP Security, tiny profile +# +# Copyright (c) Toshiba Corporation, 2020 +# +# SPDX-License-Identifier: MIT +# + +DESCRIPTION = "CIP Security customizations" + +pkg_postinst_pam-plugin-cracklib_append() { + # CR1.7: Strength of password-based authentication + # Pam configuration to enforce password strength + PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password" + CRACKLIB_CONFIG="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" + if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then + sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" + fi + sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}" +} + +pkg_postinst_pam-plugin-tally2_append() { + # CR1.11: Unsuccessful login attempts + # Lock user account after unsuccessful login attempts + PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth" + pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60" + if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then + sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}" + fi + sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}" +} + + +pkg_postinst_libpam_append() { + # CR2.7: Concurrent session control + # Limit the concurrent login sessions + LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf" + echo "* hard maxlogins 2" >> ${LIMITS_CONFIG} +} From patchwork Tue Sep 15 14:23:44 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Venkata Pyla X-Patchwork-Id: 11776749 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3F9526CA for ; Tue, 15 Sep 2020 14:23:08 +0000 (UTC) Received: from web01.groups.io (web01.groups.io [66.175.222.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 
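Review bot: in the audit_debian.bbappend hunk, the first `sed` pattern `space_left_action = .*` is unanchored and therefore also rewrites the `admin_space_left_action` line before the second `sed` sets it again; anchor both with `^` (`s/^space_left_action = .*/space_left_action = SYSLOG/`). The postinst is attached to a package named `audit`, while kas/opt/security.yml in patch 1/3 installs `auditd`; confirm that a package called `audit` exists and lands in the image, otherwise this `pkg_postinst` never runs. For CR2.10, also decide explicitly whether `disk_error_action = SYSLOG` is enough: it only logs the failure and lets the system continue, whereas auditd also offers SUSPEND, SINGLE and HALT for deployments that must fail closed when audit records cannot be written.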
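Review bot: the base-files_debian.bbappend hunk writes `${MACHINE}` into /etc/hostname, which has nothing to do with the PAM, audit and ssh policies the commit message describes; either say why the security layer needs it or split it into its own commit. Quote the target path (`"${D}${sysconfdir}/hostname"`) as the other appends do.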
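Review bot: in the openssh_debian.bbappend hunk, `alive_interval=$(sed -n '/ClientAliveInterval/p' ...)` is empty when sshd_config has no such line, and the following `sed -i "//c ClientAliveInterval 120"` then fails on an empty regular expression, so the setting is silently not applied; if more than one line matches (a commented default plus a real setting) the variable contains a newline and the sed script breaks. A robust form is `sed -i -E 's/^#?[[:space:]]*ClientAliveInterval.*/ClientAliveInterval 120/' "${SSHD_CONFIG}"` followed by an `echo ... >>` when nothing matched. Two caveats on the values themselves: `ClientAliveCountMax 0` changed meaning in OpenSSH 8.2, which now documents a zero count as disabling connection termination, while older releases such as the 7.9 in Debian buster drop the connection at the first liveness check regardless of whether the client answers, so a non-zero count (for example 1) is the portable choice. And client-alive probes are answered by the ssh client automatically, so they detect a dead connection, not an idle user; an inactivity timeout in the CR2.6 sense still needs a shell-level mechanism such as TMOUT.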
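Review bot: in the libpam_debian.bbappend hunk, inserting the `pam_cracklib.so` line ahead of the first `password` entry only enforces the policy if the `pam_unix.so` line that follows carries `use_authtok`; without it pam_unix prompts for a new password itself and the value cracklib checked is discarded, so the strength check is bypassed. The stock Debian common-password pam_unix line has no `use_authtok`, so the postinst should add it (`sed -i '/pam_unix.so/ s/$/ use_authtok/'` guarded by a grep). Smaller points: `grep -c` inside the two `if` tests prints the count to stdout, `grep -q` is the idiom; `echo "* hard maxlogins 2" >>` in `pkg_postinst_libpam_append` runs on every (re)install and accumulates duplicate lines, so guard it with a grep as the other two functions do; pam_limits does not apply wildcard (`*`) entries to root, so a separate `root hard maxlogins 2` line is needed if root sessions are meant to be limited; and both pam_cracklib and pam_tally2 are deprecated upstream in favour of pam_pwquality and pam_faillock, so this file will need reworking when libpam moves past 1.4.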
From: "Venkata Pyla"
Subject: [cip-dev] [cip-core:deby 3/3] aide-static: enable aide to build statically
Date: Tue, 15 Sep 2020 19:53:44 +0530
Message-ID: <20200915142345.179-4-venkata.pyla@toshiba-tsip.com>
In-Reply-To: <20200915142345.179-1-venkata.pyla@toshiba-tsip.com>
References: <20200915142345.179-1-venkata.pyla@toshiba-tsip.com>

From: venkata pyla

To build aide statically, its dependencies must also compile statically, so static compiling is enabled for all aide-dependent library packages in an include file that is added to the layer configuration.

Signed-off-by: venkata pyla
---
 meta-cip-security/conf/include/aide-static-libs.inc | 10 ++++++++++
 meta-cip-security/conf/layer.conf                   |  2 ++
 2 files changed, 12 insertions(+)
 create mode 100644 meta-cip-security/conf/include/aide-static-libs.inc

diff --git a/meta-cip-security/conf/include/aide-static-libs.inc b/meta-cip-security/conf/include/aide-static-libs.inc
new file mode 100644
index 0000000..1dc4374
--- /dev/null
+++ b/meta-cip-security/conf/include/aide-static-libs.inc
@@ -0,0 +1,10 @@ +DISABLE_STATIC ?= " --disable-static" + +# aide dependencies to build statically +DISABLE_STATIC_pn-aide = " " +DISABLE_STATIC_pn-libgpg-error = " " +DISABLE_STATIC_pn-libmhash = " " +DISABLE_STATIC_pn-attr = " " +DISABLE_STATIC_pn-acl = " " +DISABLE_STATIC_pn-libpcre = " " +EXTRA_OECONF_append_pn-aide = " --without-audit" diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf index b015436..158d75c 100644 --- a/meta-cip-security/conf/layer.conf +++ b/meta-cip-security/conf/layer.conf @@ -16,3 +16,5 @@ LAYERVERSION_cip-security = "1" LAYERDEPENDS_cip-security = "debian" LAYERSERIES_COMPAT_cip-security = "warrior" + +require conf/include/aide-static-libs.inc
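Review bot: in the aide-static-libs.inc hunk, `EXTRA_OECONF_append_pn-aide = " --without-audit"` switches off AIDE's audit-log integration, which neither the file comment nor the commit message mentions even though patch 2/3 builds the rest of the profile around auditd; state the reason (presumably no static libaudit is available) next to the line. The commit message should also record the maintenance trade-off of static linking: a fix in libgpg-error, libmhash, libpcre, acl or attr now requires rebuilding and redeploying aide rather than updating the shared-library package, which matters for a layer whose purpose is security assessment.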
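Review bot: `require conf/include/aide-static-libs.inc` from layer.conf applies the `DISABLE_STATIC_pn-*` and `EXTRA_OECONF_append_pn-aide` settings to every build that has this layer enabled, whether or not AIDE is in the image; layer.conf is meant for layer metadata only. Move the `require` into the `local_conf_header` of kas/opt/security.yml from patch 1/3 (or a distro include) so the static build is opted into together with the security image.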