[isar-cip-core PATCH 1/6] opt-security.yml: Sample settings to install security

Venkata Pyla

From: Kazuhiro Hayashi kazuhiro3.hayashi@...

opt-security.yml: Sample settings to install security packages

Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@...>

---

SECURITY.md      | 52 ++++++++++++++++++++++++++++++++++++++++++++++++

opt-security.yml | 34 +++++++++++++++++++++++++++++++

2 files changed, 86 insertions(+)

create mode 100644 SECURITY.md

create mode 100644 opt-security.yml

 

diff --git a/SECURITY.md b/SECURITY.md

new file mode 100644

index 0000000..a8bccc7

--- /dev/null

+++ b/SECURITY.md

@@ -0,0 +1,52 @@

+How to customize images for security features

+=============================================

+

+This is the "temporal" document about how to create and use

+the CIP Core generic profile images for security feature evaluation.

+

+Official manuals

+----------------

+

+* isar-cip-core: https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/README.md

+* ISAR User Manual: https://github.com/ilbers/isar/blob/master/doc/user_manual.md

+

+Assumed environment

+-------------------

+

+* isar-cip-core: master branch

+* Host: Debian 10 buster amd64

+    * Installed packages: `docker-ce`, `qemu-system`

+    * Users who does the following actions must be in the groups `docker` and `kvm`

+

+Create kas file

+---------------

+

+Create a kas file named `opt-security.yml` to add security settings.

+

+Add security packages to rootfs

+-------------------------------

+

+Set `IMAGE_PREINSTALL` to the list of packages required to enable

+the security features. This variable can be set through the kas file.

+

+Example:

+

+```

+local_conf_header:

+  security: |

+    IMAGE_PREINSTALL = "openssl"

+```

+

+Build images

+------------

+

+Build images for QEMU x86 64bit machine:

+

+    $ ./kas-docker --isar build kas.yml:board-qemu-amd64.yml:opt-security.yml

+

+Run on QEMU

+-----------

+

+Run the generated images on QEMU (x86 64bit).

+

+    $ ./start-qemu.sh amd64
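Review bot: the isar-cip-core link under "Official manuals" (gitlab.com/zuka0828/isar-cip-core) points at a personal fork rather than the project's upstream repository; please link the canonical README so the "master branch" assumption in "Assumed environment" refers to the same tree. In "Add security packages to rootfs", the example `IMAGE_PREINSTALL = "openssl"` is a plain assignment: this fragment is chained last in `kas.yml:board-qemu-amd64.yml:opt-security.yml`, so a plain `=` silently replaces any IMAGE_PREINSTALL the earlier files' local_conf_header entries set, and the documented pattern should be `IMAGE_PREINSTALL += "..."`. Wording: "temporal" presumably means "temporary" (provisional), and "Users who does the following actions" should read "Users who do the following actions". Also consider a name other than SECURITY.md for this how-to, since GitLab and GitHub treat a top-level SECURITY.md as the project's vulnerability-disclosure policy, which this customization guide is not.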

diff --git a/opt-security.yml b/opt-security.yml

new file mode 100644

index 0000000..7c6b39c

--- /dev/null

+++ b/opt-security.yml

@@ -0,0 +1,34 @@

+#

+# KAS configuration for CIP Core generic profile to enable security features

+#

+# Copyright (c) Toshiba Corporation, 2020

+#

+# Authors:

+#  Kazuhiro Hayashi <kazuhiro3.hayashi@...>

+#

+# SPDX-License-Identifier: MIT

+#

+

+header:

+  version: 8

+

+local_conf_header:

+  security: |

+    # TODO: Add sudo or sudo-ldap

+    IMAGE_PREINSTALL = "\

+      openssl libssl1.1 \

+      fail2ban \

+      openssh-server openssh-sftp-server openssh-client \

+      syslog-ng-core syslog-ng-mod-journal \

+      aide aide-common \

+      libnftables0 nftables \

+      libpam-pkcs11 \

+      chrony \

+      tpm2-tools \

+      tpm2-abrmd \

+      libtss2-esys0 libtss2-udev \

+      libpam-cracklib \

+      acl \

+      libauparse0 audispd-plugins auditd \

+      uuid-runtime \

+    "

\ No newline at end of file
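Review bot: `IMAGE_PREINSTALL = "\` at the top of the list has the same override problem as the SECURITY.md example: a plain `=` in this fragment's local_conf_header discards any IMAGE_PREINSTALL that kas.yml or the board file set, so `IMAGE_PREINSTALL += "\` is the safer form for an optional add-on fragment. The file is also missing its trailing newline (`\ No newline at end of file`). The `# TODO: Add sudo or sudo-ldap` comment ships an unresolved decision inside the sample; either pick one here or move the open question to the cover letter. Listing shared-library packages explicitly (`libssl1.1`, `libtss2-esys0`, `libnftables0`, `libauparse0`) is redundant, since apt pulls them in as dependencies of `openssl`, `tpm2-tools`, `nftables` and `auditd`, and the soname-versioned names tie the fragment to one Debian release. Finally, installing these packages enables none of the controls they provide: nftables has no ruleset, auditd no rules, AIDE no initialized database, and sshd and fail2ban run with Debian defaults, so SECURITY.md should state that each still needs configuration before the image is used for security evaluation.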

--

2.20.1
