Re: [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend


Daniel Sangorrin <daniel.sangorrin@...>
 

Hi Venkata-san

Please check my inline comments and send me a merge request when you solve them.

-----Original Message-----
From: venkata.pyla@... <venkata.pyla@...>
Sent: Tuesday, September 15, 2020 11:24 PM
To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) <daniel.sangorrin@...>
Cc: pyla venkata(TSIP) <Venkata.Pyla@...>; cip-dev@...
Subject: [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend

From: venkata pyla <venkata.pyla@...>

add package bbappaned files in the security layer that will apply
bbappend

the security configurations like
e.g: Set password strength in pam configurations
Set audit failure actions in audit package configurations
etc.
Signed-off-by: venkata pyla <venkata.pyla@...>
---
.../audit/audit_debian.bbappend | 20 ++++++++++
.../base-files/base-files_debian.bbappend | 3 ++
.../openssh/openssh_debian.bbappend | 19 +++++++++
.../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
4 files changed, 81 insertions(+)
create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
Ideally, you would separate the patches for each file unless they have something in common.

diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-
debian/audit/audit_debian.bbappend
new file mode 100644
index 0000000..c148f27
--- /dev/null
+++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
@@ -0,0 +1,20 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
Append "for audit" to the description.

+
+pkg_postinst_audit_append() {
+ # CR2.9: Audit storage capacity
+ # CR2.9 RE-1: Warn when audit record storage capacity threshold reached
+ AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
+ sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE
+ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE
Don't you need to specify the values for space_left and admin_space_left?
Perhaps these variables should be configurable and have a default value.
Example:
AUDIT_SPACE_LEFT ?= "100"

Then you can change the value in local.conf (or using kas's local_conf_headers)

+
+ # CR2.10: Response to audit processing failures
+ sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
+}
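
Review bot: The first sed in pkg_postinst_audit_append is unanchored, so the pattern `space_left_action = .*` also matches inside the `admin_space_left_action = ...` line, and inside any commented-out copy of either key. The result is correct only because the admin_ substitution runs second and both values are SYSLOG; anchor each pattern with `^`, for example `s/^space_left_action = .*/space_left_action = SYSLOG/`. The three substitutions are also silent no-ops when a key is missing from auditd.conf, so consider a `grep -q` check after them that fails the postinst if an expected line is absent, and quote "$AUDIT_CONF_FILE".
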
Please check if you need other options as well here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_the_audit_service

diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-
files/base-files_debian.bbappend
new file mode 100644
index 0000000..895dc9f
--- /dev/null
+++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
@@ -0,0 +1,3 @@
+do_install_append() {
+ echo "${MACHINE}" > ${D}${sysconfdir}/hostname
+}
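
Review bot: The do_install_append body has no comment naming the requirement it serves, and the file lacks the header and SPDX-License-Identifier lines that the other three bbappend files in this patch start with. Add both, and quote the redirect target as "${D}${sysconfdir}/hostname". Writing ${MACHINE} also gives every image built for the same machine an identical hostname, which is worth stating in the commit message if it is intended.
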
Is this related to the security layer?
If not, please separate it into a different patch and explain why it is necessary.

diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-
debian/openssh/openssh_debian.bbappend
new file mode 100644
index 0000000..ddd2bfc
--- /dev/null
+++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
@@ -0,0 +1,19 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
Same as before, append "for openssh". The description for different things should be different.

+
+pkg_postinst_${PN}_append() {
+ # CR2.6: Remote session termination
+ # Terminate remote session after inactive time period
+ SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
+ alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
+ alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
+ sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}"
+ sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
Perhaps make the value for ClientAliveInterval configurable and use 120 as default.

+}
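
Review bot: In pkg_postinst_${PN}_append the text captured by `sed -n '/ClientAliveInterval/p'` is reused as the address regex of the following `sed -i "/${alive_interval}/c ..."`, which breaks when sshd_config has no such line (empty address) or more than one (a multi-line value inside the sed script). Match on the keyword directly instead, for example `sed -i 's/^#*ClientAliveInterval.*/ClientAliveInterval 120/'`, and append the directive when no line matched; the same applies to ClientAliveCountMax. Also confirm in sshd_config(5) for the OpenSSH version shipped that `ClientAliveCountMax 0` gives the termination the CR2.6 comment describes.
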
diff --git a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend b/meta-cip-security/recipes-
debian/pam/libpam_debian.bbappend
new file mode 100644
index 0000000..c9c1605
--- /dev/null
+++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
@@ -0,0 +1,39 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
Same thing: "for libpam"

+
+pkg_postinst_pam-plugin-cracklib_append() {
+ # CR1.7: Strength of password-based authentication
+ # Pam configuration to enforce password strength
+ PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
+ CRACKLIB_CONFIG="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1
ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
+ if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
+ sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+ fi
+ sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
+}
Perhaps make minlen configurable.

+
+pkg_postinst_pam-plugin-tally2_append() {
+ # CR1.11: Unsuccessful login attempts
+ # Lock user account after unsuccessful login attempts
+ PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
+ pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
+ if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
+ sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}"
+ fi
+ sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
+}
+
+
+pkg_postinst_libpam_append() {
+ # CR2.7: Concurrent session control
+ # Limit the concurrent login sessions
+ LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
+ echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
+}
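
Review bot: In pkg_postinst_libpam_append the `echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}` appends unconditionally, so each run of the postinst adds another copy of the line; guard it with a `grep -q` on the existing file and quote "${LIMITS_CONFIG}". The cracklib and tally2 functions have a similar issue, since each run comments out the previous entry and inserts a new one, and their `grep -c` prints the match count into the install output where `grep -q` would only test.
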
Thanks,
Daniel
