Re: [isar-cip-core PATCH 1/6] opt-security.yml: Sample settings to install security
From: email@example.com [mailto:firstname.lastname@example.org] On Behalf Of Jan Kiszka
Sent: Friday, June 26, 2020 7:41 PM
To: email@example.com; pyla venkata(ＴＳＩＰ) <Venkata.Pyla@toshiba-tsip.com>
Subject: Re: [cip-dev][isar-cip-core PATCH 1/6] opt-security.yml: Sample settings to install security
On 26.06.20 08:44, venkata wrote:
From: Kazuhiro Hayashi
This line seems to have been mangled. It should be in line with the Signed-off-by.
opt-security.yml: Sample settings to install security packages
That file is added by this patch already.
Signed-off-by: Kazuhiro Hayashi <firstname.lastname@example.org>
SECURITY.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++
opt-security.yml | 34 +++++++++++++++++++++++++++++++
2 files changed, 86 insertions(+)
create mode 100644 SECURITY.md
create mode 100644 opt-security.yml
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index
@@ -0,0 +1,52 @@
+How to customize images for security features
+This is the "temporal" document about how to create and use the CIP
+Core generic profile images for security feature evaluation.
+* ISAR User Manual:
+* isar-cip-core: master branch
+* Host: Debian 10 buster amd64
+ * Installed packages: `docker-ce`, `qemu-system`
+ * Users who does the following actions must be in the groups
+`docker` and `kvm`
+Create kas file
+Create a kas file named `opt-security.yml` to add security settings.
+Shouldn't we target for a security image (recipe) instead?
+Add security packages to rootfs
+Set `IMAGE_PREINSTALL` to the list of packages required to enable the
+security features. This variable can be set through the kas file.
+ security: |
+ IMAGE_PREINSTALL = "openssl"
+Build images for QEMU x86 64bit machine:
+ $ ./kas-docker --isar build
+Run on QEMU
+Run the generated images on QEMU (x86 64bit).
+ $ ./start-qemu.sh amd64
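Review bot: the kas sample in SECURITY.md sets `IMAGE_PREINSTALL = "openssl"` with a plain `=`, which replaces any value assigned by an earlier configuration fragment; an appending form such as `IMAGE_PREINSTALL += "openssl"` keeps the security list additive. The build step `./kas-docker --isar build`, as quoted here, names no kas file, so the document does not show how `opt-security.yml` is selected; spell out the full command line. The text also needs a wording pass ('"temporal" document', "Users who does").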
diff --git a/opt-security.yml b/opt-security.yml new file mode 100644
@@ -0,0 +1,34 @@
+# KAS configuration for CIP Core generic profile to enable security
+features # # Copyright (c) Toshiba Corporation, 2020 # # Authors:
+# Kazuhiro Hayashi <email@example.com> # #
+SPDX-License-Identifier: MIT #
+ version: 8
+ security: |
+ # TODO: Add sudo or sudo-ldap
+ IMAGE_PREINSTALL = "\
+ openssl libssl1.1 \
+ fail2ban \
+ openssh-server openssh-sftp-server openssh-client \
+ syslog-ng-core syslog-ng-mod-journal \
+ aide aide-common \
+ libnftables0 nftables \
+ libpam-pkcs11 \
+ chrony \
+ tpm2-tools \
+ tpm2-abrmd \
+ libtss2-esys0 libtss2-udev \
+ libpam-cracklib \
+ acl \
+ libauparse0 audispd-plugins auditd \
+ uuid-runtime \
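Review bot: the `IMAGE_PREINSTALL` list names soname-versioned libraries (`libssl1.1`, `libnftables0`, `libtss2-esys0`, `libauparse0`) next to the tools that use them; Debian normally pulls these in as dependencies, so listing them ties the file to one release for no gain, and `openssl`, `nftables`, `tpm2-tools` and `auditd` should be enough. The `# TODO: Add sudo or sudo-ldap` comment should be resolved or moved out of the configuration before this is merged. As in the SECURITY.md sample, the plain `=` replaces rather than extends any earlier `IMAGE_PREINSTALL` value.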
General question: What is this series targeting? Seems patch 2 and 3 are left-overs from the development. Is this an RFC series only?
It seems that opt-security.yaml was already removed in the security branch: https://gitlab.com/cip-project/cip-core/isar-cip-core/-/tree/security/iec-evaluation
Venkata-san: could you rebase your patches for the master branch?
For example, instead of sending one patch where you add opt-security.yaml and then another patch where you remove it (which may have happened in your branch, but we don't care), just send the patch that uses core-image-security. That will make things easier to review.
Also, as we have talked about in the meetings, it looks like the security layer at the moment is just adding some packages, but don't you need to add configuration files to harden the final file system? For example, you may want to change the configuration of the ssh server so that passwords are not accepted (only ssh keys). And the same for the rest of the packages. In that case, you probably want to create a new kas-security.yaml.
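The ssh hardening suggested in the reply above can be checked on the built root file system. The following is an added example, not part of the thread or of isar-cip-core: a Python audit of an `sshd_config` that reports why password logins are still accepted. The function names and both sample configurations are constructed for illustration, and `Include` files are not followed.

```python
import re

# OpenSSH built-in defaults for the keywords that admit password-style logins.
DEFAULTS = {"passwordauthentication": "yes",
            "challengeresponseauthentication": "yes"}
# Assumption: both spellings are treated as one setting (aliases in newer OpenSSH).
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks) with lower-cased keywords."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        # Accept both "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", raw.strip(), maxsplit=1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"')
        if key == "match":
            current = {}  # following lines belong to this Match block
            blocks.append((value, current))
        else:
            current.setdefault(key, value)  # sshd keeps the first value it reads
    return global_settings, blocks


def password_login_findings(text):
    """List the reasons this configuration still accepts password logins."""
    global_settings, blocks = parse_sshd_config(text)
    effective = {**DEFAULTS, **global_settings}
    findings = []
    for key in DEFAULTS:
        if effective[key].lower() != "no":
            source = "explicit" if key in global_settings else "default"
            findings.append(f"global: {key}={effective[key]} ({source})")
    for criteria, settings in blocks:
        for key in DEFAULTS:
            if settings.get(key, "no").lower() != "no":
                findings.append(f"Match {criteria}: {key} re-enabled")
    return findings


# Constructed samples: a stock-style file, and a hardened one with a Match override.
SAMPLE_STOCK = "#PasswordAuthentication yes\nChallengeResponseAuthentication no\n"
SAMPLE_HARDENED = ("PasswordAuthentication no\nKbdInteractiveAuthentication=no\n"
                   "Match Address 10.0.0.0/8\n    PasswordAuthentication yes\n")
```

A commented-out `#PasswordAuthentication yes` still leaves the built-in default of `yes` in force, which is why the stock-style sample is reported even though it sets nothing explicitly.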