Re: [isar-cip-core PATCH 1/6] opt-security.yml: Sample settings to install security


Jan Kiszka
 

On 26.06.20 08:44, venkata wrote:
From: Kazuhiro Hayashi kazuhiro3.hayashi@toshiba.co.jp<mailto:kazuhiro3.hayashi@toshiba.co.jp>
This line seems to have been mangled. It should be in line with the Signed-off-by.

opt-security.yml: Sample settings to install security
packages
Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
---
SECURITY.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
opt-security.yml | 34 +++++++++++++++++++++++++++++++
2 files changed, 86 insertions(+)
create mode 100644 SECURITY.md
create mode 100644 opt-security.yml
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..a8bccc7
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,52 @@
+How to customize images for security features
+=============================================
+
+This is the "temporal" document about how to create and use
+the CIP Core generic profile images for security feature evaluation.
+
+Official manuals
+----------------
+
+* isar-cip-core: https://gitlab.com/zuka0828/isar-cip-core/-/blob/master/README.md
+* ISAR User Manual: https://github.com/ilbers/isar/blob/master/doc/user_manual.md
+
+Assumed environment
+-------------------
+
+* isar-cip-core: master branch
+* Host: Debian 10 buster amd64
+ * Installed packages: `docker-ce`, `qemu-system`
+ * Users who does the following actions must be in the groups `docker` and `kvm`
+
+Create kas file
+---------------
+
+Create a kas file named `opt-security.yml` to add security settings.
That file is added by this patch already.

+
+Add security packages to rootfs
+-------------------------------
+
+Set `IMAGE_PREINSTALL` to the list of packages required to enable
+the security features. This variable can be set through the kas file.
+
+Example:
+
+```
+local_conf_header:
+ security: |
+ IMAGE_PREINSTALL = "openssl"
+```
+
+Build images
+------------
+
+Build images for QEMU x86 64bit machine:
+
+ $ ./kas-docker --isar build kas.yml:board-qemu-amd64.yml:opt-security.yml
+
+Run on QEMU
+-----------
+
+Run the generated images on QEMU (x86 64bit).
+
+ $ ./start-qemu.sh amd64
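Review bot: In "Create kas file" and the "Example:" block under "Add security packages to rootfs", the document tells the reader to create `opt-security.yml` and shows only `IMAGE_PREINSTALL = "openssl"`, while this same patch ships `opt-security.yml` with a much longer package list, so the text and the file disagree. Suggest stating that the file is provided by the repository and either pointing at it or marking the one-package snippet as a minimal illustration. Smaller wording points in the same hunk: "temporal" reads as if "temporary" was meant, and "Users who does" should be "Users who do".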
diff --git a/opt-security.yml b/opt-security.yml
new file mode 100644
index 0000000..7c6b39c
--- /dev/null
+++ b/opt-security.yml
@@ -0,0 +1,34 @@
+#
+# KAS configuration for CIP Core generic profile to enable security features
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# Authors:
+# Kazuhiro Hayashi <kazuhiro3.hayashi@toshiba.co.jp>
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 8
+
+local_conf_header:
+ security: |
+ # TODO: Add sudo or sudo-ldap
+ IMAGE_PREINSTALL = "\
+ openssl libssl1.1 \
+ fail2ban \
+ openssh-server openssh-sftp-server openssh-client \
+ syslog-ng-core syslog-ng-mod-journal \
+ aide aide-common \
+ libnftables0 nftables \
+ libpam-pkcs11 \
+ chrony \
+ tpm2-tools \
+ tpm2-abrmd \
+ libtss2-esys0 libtss2-udev \
+ libpam-cracklib \
+ acl \
+ libauparse0 audispd-plugins auditd \
+ uuid-runtime \
+ "
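Review bot: In the `IMAGE_PREINSTALL` list, `libssl1.1`, `libnftables0`, `libtss2-esys0` and `libauparse0` are soname-versioned library packages named next to the tools that use them (`openssl`, `nftables`, `tpm2-tools`, `auditd`), and listing them explicitly ties the file to one Debian release's package names. Suggest dropping them if the tools' own dependencies already pull them in, or adding a comment saying why each is named. Also, the plain `=` assignment replaces any value of `IMAGE_PREINSTALL` set in another kas fragment's `local_conf_header`; consider `+=` if this file is meant to be combined with other fragments.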
Shouldn't we target for a security image (recipe) instead?

General question: What is this series targeting? Seems patch 2 and 3 are left-overs from the development. Is this an RFC series only?

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
