[isar-cip-core] security-customizations: Recipe to apply security configurations


Venkata Pyla
 

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

This recipe will apply security policies* to the reference image
that will be used for IEC62443-4-2 Evaluation

*Security policies:
1. Enforcing strong password to user accounts
2. Lock user accounts for failed login attempts
3. Terminate remote session for inactive time period
4. Limit the concurrent login sessions
5. Warn audit stroage failure

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
.../images/cip-core-image-security.bb | 2 +-
.../security-customizations/files/postinst | 51 +++++++++++++++++++
.../security-customizations.bb | 18 +++++++
3 files changed, 70 insertions(+), 1 deletion(-)
create mode 100644 recipes-core/security-customizations/files/postinst
create mode 100644 recipes-core/security-customizations/security-customizations.bb

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index a17c522..61ddc39 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -13,7 +13,7 @@ inherit image

DESCRIPTION = "CIP Core image including security packages"

-IMAGE_INSTALL += "customizations"
+IMAGE_INSTALL += "security-customizations"

# Debian packages that provide security features
IMAGE_PREINSTALL += " \
diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
new file mode 100644
index 0000000..3699ba2
--- /dev/null
+++ b/recipes-core/security-customizations/files/postinst
@@ -0,0 +1,51 @@
+#!/bin/sh
+#
+# CIP Security, generic profile
+# Security Package configurations
+#
+
+echo "CIP Core Security Image (login: root/root)" > /etc/issue
+
+HOSTNAME=demo
+echo "$HOSTNAME" > /etc/hostname
+echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
+
+# CR1.7: Strength of password-based authentication
+# Pam configuration to enforce password strength
+PAM_PWD_FILE="/etc/pam.d/common-password"
+pam_cracklib_config="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
+if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
+ sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+fi
+sed -i "0,/^password.*/s/^password.*/${pam_cracklib_config}\n&/" "${PAM_PWD_FILE}"
+
+# CR1.11: Unsuccessful login attempts
+# Lock user account after unsuccessful login attempts
+PAM_AUTH_FILE="/etc/pam.d/common-auth"
+pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
+if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
+ sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}"
+fi
+sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
+
+# CR2.6: Remote session termination
+# Terminate remote session after inactive time period
+SSHD_CONFIG="/etc/ssh/sshd_config"
+alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
+alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
+sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}"
+sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
+
+# CR2.7: Concurrent session control
+# Limit the concurrent login sessions
+LIMITS_CONFIG="/etc/security/limits.conf"
+echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
+
+# CR2.9: Audit storage capacity
+# CR2.9 RE-1: Warn when audit record storage capacity threshold reached
+AUDIT_CONF_FILE="/etc/audit/auditd.conf"
+sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE
+sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE
+
+# CR2.10: Response to audit processing failures
+sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb
new file mode 100644
index 0000000..dbb06d9
--- /dev/null
+++ b/recipes-core/security-customizations/security-customizations.bb
@@ -0,0 +1,18 @@
+#
+# CIP Security, generic profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# Authors:
+# Venkata Pyla <venkata.pyla@toshiba-tsip.com>#
+#
+# SPDX-License-Identifier: MIT
+#
+
+inherit dpkg-raw
+
+DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation"
+
+SRC_URI = " file://postinst"
+
+DEBIAN_DEPENDS = "sshd-regen-keys"
--
2.20.1

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.

Join cip-dev@lists.cip-project.org to automatically receive all group messages.