
[cip-kernel-sec 2/3] report_affected: Delete extra blank lines between CVEs

Daniel Sangorrin <daniel.sangorrin@...>
 

From: nguyen van hieu <hieu2.nguyenvan@toshiba.co.jp>

When using the --show-description option CVEs had blank
lines between them. Remove them to make it more compact.

Signed-off-by: nguyen van hieu <hieu2.nguyenvan@toshiba.co.jp>
Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
---
scripts/report_affected.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/report_affected.py b/scripts/report_affected.py
index a181d97..9894602 100755
--- a/scripts/report_affected.py
+++ b/scripts/report_affected.py
@@ -141,7 +141,7 @@ def main(git_repo, remotes, only_fixed_upstream,
wrap_description = ''
for line in textwrap.wrap(description, 80, break_long_words=False):
wrap_description += line + '\n '
- print(cve_id, '=>',wrap_description)
+ print(cve_id, '=>',wrap_description.strip())
else:
print('%s:' % branch['full_name'], *sorted_cve_ids)
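Review bot: the `.strip()` on line 28 fixes the trailing blank line but does it indirectly: wrap_description is built by appending '\n ' after every wrapped line and the final separator is then stripped again, and strip() also removes any leading whitespace from the first line. Joining the wrapped lines directly expresses the intent and needs no post-processing: `print(cve_id, '=>', '\n '.join(textwrap.wrap(description, 80, break_long_words=False)))`; textwrap.fill(description, 80, break_long_words=False, subsequent_indent=' ') gives the same layout with the indent counted toward the 80-column limit. Minor style point on the same line: a space after the comma in `'=>',wrap_description`.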

--
2.25.1


improve show-description results

Daniel Sangorrin <daniel.sangorrin@...>
 

I had this in the backlog for a long time. These
patches improve the way CVEs' descriptions are displayed
when calling scripts/report_affected.py with the option
--show-description enabled.

[1/3] report_affected: word-wrap for the 'description'
[2/3] report_affected: Delete extra blank lines
[3/3] issues: fill in the description field of

Thanks,
Daniel


Re: CVE-2020-0427 / pinctrl: devicetree: Avoid taking direct reference to device name string

Nobuhiro Iwamatsu
 

Hi Pavel,

On Thu, 24 Sep 2020 at 19:17, Pavel Machek <pavel@ucw.cz> wrote:

Hi!

Backport to 4.4 was very easy (there was single dev_err that prevented
patch for applying), and backported patch tests okay:

https://gitlab.com/cip-project/cip-kernel/linux-cip/-/pipelines/193933346
Thanks for your work.
It looks like there is no issue.


Best regards,
Pavel
Best regards,
Nobuhiro

--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html



--
Nobuhiro Iwamatsu
iwamatsu at {nigauri.org / debian.org}
GPG ID: 40AD1FA6


CVE-2020-0427 / pinctrl: devicetree: Avoid taking direct reference to device name string

Pavel Machek
 

Hi!

Backport to 4.4 was very easy (there was single dev_err that prevented
patch for applying), and backported patch tests okay:

https://gitlab.com/cip-project/cip-kernel/linux-cip/-/pipelines/193933346

Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html


Re: CIP IRC weekly meeting today

Akihiro Suzuki
 

Hi Kudo-san,

Sorry, I will be absent from the IRC meeting today.
SW Updates WG doesn't have any updates this week.

Thanks,
Suzuki

-----Original Message-----
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On
Behalf Of masashi.kudo@cybertrust.co.jp
Sent: Thursday, September 24, 2020 9:59 AM
To: cip-dev@lists.cip-project.org
Subject: [cip-dev] CIP IRC weekly meeting today

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss
technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00
starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=9&day=24&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
02:00 05:00 10:00 11:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-17-09.00.log.html

Agenda:

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu
2. Check whether CVE-2020-25284 needs to be backported to 4.4-rt - masashi910

* Kernel maintenance updates
* Kernel testing
* Software update
* CIP Security
* AOB

The meeting will take 30 min, although it can be extended to an hour if it makes
sense and those involved in the topics can stay. Otherwise, the topic will be
taken offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.


CIP IRC weekly meeting today

masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
 

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=9&day=24&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
02:00 05:00 10:00 11:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-17-09.00.log.html

Agenda:

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu
2. Check whether CVE-2020-25284 needs to be backported to 4.4-rt - masashi910

* Kernel maintenance updates
* Kernel testing
* Software update
* CIP Security
* AOB

The meeting will take 30 min, although it can be extended to an hour if it makes sense and those involved in the topics can stay. Otherwise, the topic will be taken offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.


Re: [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend

Venkata Pyla
 

On Fri, Sep 18, 2020 at 10:23 AM, Venkata Pyla wrote:
Hi Daniel-san,

I have created the merge request for all the security layer changes including your suggestions.
Kindly review and let me know if you have any more suggestions.

Thanks
venkata.


Re: Is CVE-2020-25284 backporting needed for 4.4-rt x86?

masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
 

Hi, Jan-san,

Thanks for your quick response!

Is that the only config in our repo carrying rbd/ceph? Then we should likely drop
that, to be clear also in the future.
When we discussed at the IRC, the config carrying rbd/ceph is only 4.4-rt x86.

So, I understood that the backporting is not required.

Best regards,
--
M. Kudo

-----Original Message-----
From: Jan Kiszka <jan.kiszka@siemens.com>
Sent: Saturday, September 19, 2020 2:36 AM
To: Masashi Kudo (CTJ OSS Business Promotion Office) <masashi.kudo@cybertrust.co.jp>;
cip-dev@lists.cip-project.org
Subject: Re: Is CVE-2020-25284 backporting needed for 4.4-rt x86?

On 18.09.20 15:58, masashi.kudo@cybertrust.co.jp wrote:
Hi, Jan-san, Siemens team,

There was some query to Siemens about the need of CVE-2020-25284
backporting.

- CVE-2020-25284 is in rbd ( Ceph block device ).
- it is only fixed for v4.19 and later stable kernels
- Siemens has this built as a module in their 4.4-rt x86 config, but
not their 4.19 one

So the question from the Kernel Team is whether Siemens needs its backporting
to 4.4-rt or not.
Not to my best knowledge. This is very likely an accidental choice.

Is that the only config in our repo carrying rbd/ceph? Then we should likely drop
that, to be clear also in the future.

Jan

Please take a look about the discussion at the IRC meeting yesterday.

https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-17-09.00.log.html

Best regards,
--
M. Kudo
--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE Corporate Competence
Center Embedded Linux


Re: Is CVE-2020-25284 backporting needed for 4.4-rt x86?

Jan Kiszka
 

On 18.09.20 15:58, masashi.kudo@cybertrust.co.jp wrote:
Hi, Jan-san, Siemens team,
There was some query to Siemens about the need of CVE-2020-25284 backporting.
- CVE-2020-25284 is in rbd ( Ceph block device ).
- it is only fixed for v4.19 and later stable kernels
- Siemens has this built as a module in their 4.4-rt x86 config, but not their 4.19 one
So the question from the Kernel Team is whether Siemens needs its backporting to 4.4-rt or not.
Not to my best knowledge. This is very likely an accidental choice.

Is that the only config in our repo carrying rbd/ceph? Then we should likely drop that, to be clear also in the future.

Jan

Please take a look about the discussion at the IRC meeting yesterday.
https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-17-09.00.log.html
Best regards,
--
M. Kudo
--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


Is CVE-2020-25284 backporting needed for 4.4-rt x86?

masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
 

Hi, Jan-san, Siemens team,

There was some query to Siemens about the need of CVE-2020-25284 backporting.

- CVE-2020-25284 is in rbd ( Ceph block device ).
- it is only fixed for v4.19 and later stable kernels
- Siemens has this built as a module in their 4.4-rt x86 config, but not their 4.19 one

So the question from the Kernel Team is whether Siemens needs its backporting to 4.4-rt or not.

Please take a look about the discussion at the IRC meeting yesterday.

https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-17-09.00.log.html

Best regards,
--
M. Kudo


Re: [isar-cip-core][PATCH] classes/image_uuid: Generate new uuid if a new package is added

Jan Kiszka
 

On 18.09.20 10:04, Q. Gylstorff wrote:
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
BB_BASEHASH only includes the task itself and its metadata.
Dependencies are not taken into account when this hash is
generated which means updating a package will not generate a new
UUID.
BB_TASKHASH takes the changes into account.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/image_uuid.bbclass | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass
index d5337b8..873abc5 100644
--- a/classes/image_uuid.bbclass
+++ b/classes/image_uuid.bbclass
@@ -9,23 +9,23 @@
# SPDX-License-Identifier: MIT
#
-def generate_image_uuid(d):
- import uuid
+IMAGE_UUID ?= "random"
Why not using an undefined or empty IMAGE_UUID as "generate me one" indication?

- base_hash = d.getVar("BB_BASEHASH_task-do_rootfs_install", True)
- if base_hash is None:
- return None
- return str(uuid.UUID(base_hash[:32], version=4))
-
-IMAGE_UUID ?= "${@generate_image_uuid(d)}"
+IMAGE_UUID_NAMESPACE = "6090f47e-b068-475c-b125-7be7c24cdd4e"
Is that namespace random, or does that have specific meaning?

do_generate_image_uuid[vardeps] += "IMAGE_UUID"
do_generate_image_uuid[depends] = "buildchroot-target:do_build"
+IMAGER_INSTALL += "uuid-runtime"
Please separate variables from job definitions by a blank line. Also the job specifications above should be visually separated from the code below that way. IOW:

IMAGER_INSTALL += "uuid-runtime"

do_generate_image_uuid[vardeps] += "IMAGE_UUID"
do_generate_image_uuid[depends] = "buildchroot-target:do_build"

do_generate_image_uuid() {

do_generate_image_uuid() {
+ image_do_mounts
+ if [ "${IMAGE_UUID}" != "random" ]; then
+ IMAGE_UUID_FINAL="${IMAGE_UUID}"
+ else
+ IMAGE_UUID_FINAL="$(sudo -E chroot ${BUILDCHROOT_DIR} uuidgen -s -n "${IMAGE_UUID_NAMESPACE}" -N "${BB_TASKHASH}")"
Why do we need to switch to uuidgen from the buildchroot, rather than using python's uuid?

And what ensures that uuidgen is available there?

+ fi
sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release'
- echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \
+ echo "IMAGE_UUID=\"${IMAGE_UUID_FINAL}\"" | \
sudo tee -a '${IMAGE_ROOTFS}/etc/os-release'
- image_do_mounts
# update initramfs to add uuid
sudo chroot '${IMAGE_ROOTFS}' update-initramfs -u
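Review bot: `${BUILDCHROOT_DIR}` is unquoted in the `sudo -E chroot ${BUILDCHROOT_DIR} uuidgen ...` line while `${IMAGE_ROOTFS}` is quoted in the sed, tee and chroot lines below; quote it the same way. Also, when IMAGE_UUID is overridden the value is written into /etc/os-release verbatim without checking that it parses as a UUID, so a typo in a user's local.conf only shows up in whatever later consumes os-release; a quick `uuidgen`-free sanity check (e.g. matching the 8-4-4-4-12 hex form) before the tee would catch that at build time.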
Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux


[isar-cip-core][PATCH] classes/image_uuid: Generate new uuid if a new package is added

Quirin Gylstorff
 

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

BB_BASEHASH only includes the task itself and its metadata.
Dependencies are not taken into account when this hash is
generated which means updating a package will not generate a new
UUID.

BB_TASKHASH takes the changes into account.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
classes/image_uuid.bbclass | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/classes/image_uuid.bbclass b/classes/image_uuid.bbclass
index d5337b8..873abc5 100644
--- a/classes/image_uuid.bbclass
+++ b/classes/image_uuid.bbclass
@@ -9,23 +9,23 @@
# SPDX-License-Identifier: MIT
#

-def generate_image_uuid(d):
- import uuid
+IMAGE_UUID ?= "random"

- base_hash = d.getVar("BB_BASEHASH_task-do_rootfs_install", True)
- if base_hash is None:
- return None
- return str(uuid.UUID(base_hash[:32], version=4))
-
-IMAGE_UUID ?= "${@generate_image_uuid(d)}"
+IMAGE_UUID_NAMESPACE = "6090f47e-b068-475c-b125-7be7c24cdd4e"

do_generate_image_uuid[vardeps] += "IMAGE_UUID"
do_generate_image_uuid[depends] = "buildchroot-target:do_build"
+IMAGER_INSTALL += "uuid-runtime"
do_generate_image_uuid() {
+ image_do_mounts
+ if [ "${IMAGE_UUID}" != "random" ]; then
+ IMAGE_UUID_FINAL="${IMAGE_UUID}"
+ else
+ IMAGE_UUID_FINAL="$(sudo -E chroot ${BUILDCHROOT_DIR} uuidgen -s -n "${IMAGE_UUID_NAMESPACE}" -N "${BB_TASKHASH}")"
+ fi
sudo sed -i '/^IMAGE_UUID=.*/d' '${IMAGE_ROOTFS}/etc/os-release'
- echo "IMAGE_UUID=\"${IMAGE_UUID}\"" | \
+ echo "IMAGE_UUID=\"${IMAGE_UUID_FINAL}\"" | \
sudo tee -a '${IMAGE_ROOTFS}/etc/os-release'
- image_do_mounts

# update initramfs to add uuid
sudo chroot '${IMAGE_ROOTFS}' update-initramfs -u
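Review bot: the default value "random" is misleading for what the hunk implements: `uuidgen -s -n "${IMAGE_UUID_NAMESPACE}" -N "${BB_TASKHASH}"` is the SHA-1 name-based (version 5) UUID, so IMAGE_UUID is a deterministic function of the namespace and the task hash, which is exactly the property the commit message wants (same inputs, same UUID; a changed dependency, a new UUID). Either rename the sentinel ("derived", "auto") or, as Jan suggests, treat an unset/empty IMAGE_UUID as "derive one", and say in the commit message that the generated UUID is reproducible, since a reader of `IMAGE_UUID ?= "random"` will assume the opposite.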
--
2.20.1
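As an added illustration (not part of the patch or of isar-cip-core): the two derivations the hunk swaps, written with Python's uuid module as Jan's question suggests. The namespace is the one from the patch; the hashes are constructed stand-ins for BB_BASEHASH / BB_TASKHASH, and `uuidgen -s -n NS -N NAME` is the SHA-1 name-based (version 5) UUID that uuid.uuid5 computes identically.

```python
import uuid

# Namespace copied from the patch under review (IMAGE_UUID_NAMESPACE).
IMAGE_UUID_NAMESPACE = uuid.UUID("6090f47e-b068-475c-b125-7be7c24cdd4e")


def legacy_image_uuid(base_hash):
    """Pre-patch derivation: the first 32 hex digits of
    BB_BASEHASH_task-do_rootfs_install reinterpreted as a UUID with the
    version nibble forced to 4. Only those 32 digits matter, and
    BB_BASEHASH ignores dependency changes, hence the stale UUIDs."""
    if base_hash is None:
        return None
    return str(uuid.UUID(base_hash[:32], version=4))


def image_uuid_from_task_hash(task_hash, override="random"):
    """Post-patch derivation. `uuidgen -s -n NS -N NAME` emits a SHA-1
    name-based UUID (RFC 4122 version 5), i.e. uuid.uuid5(NS, NAME).
    The "random" sentinel mirrors the patch: any other IMAGE_UUID value
    is used verbatim."""
    if override != "random":
        return override
    return str(uuid.uuid5(IMAGE_UUID_NAMESPACE, task_hash))


def os_release_lines(lines, image_uuid):
    """Mirror the sed/tee step: drop any existing IMAGE_UUID= line from
    /etc/os-release content and append the new one."""
    kept = [line for line in lines if not line.startswith("IMAGE_UUID=")]
    kept.append('IMAGE_UUID="%s"' % image_uuid)
    return kept


def uuid_version(text):
    """RFC 4122 version nibble of a UUID string (4 legacy, 5 post-patch)."""
    return uuid.UUID(text).version


if __name__ == "__main__":
    # Constructed stand-ins: two task hashes that differ only because a
    # dependency changed, plus a fake os-release.
    old_hash, new_hash = "a" * 64, "b" * 64
    print("legacy  :", legacy_image_uuid(old_hash))
    print("uuid5   :", image_uuid_from_task_hash(old_hash))
    print("uuid5'  :", image_uuid_from_task_hash(new_hash))
    print("\n".join(os_release_lines(['NAME="Debian GNU/Linux"',
                                      'IMAGE_UUID="stale"'],
                                     image_uuid_from_task_hash(new_hash))))
```

The same two calls can be run against a real build by feeding the values of `bitbake -e` for BB_BASEHASH_task-do_rootfs_install and the task hash; the version-5 output must match what `uuidgen -s -n <namespace> -N <hash>` prints in the buildchroot.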


Re: [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend

Venkata Pyla
 

Hi Daniel-san,

Thank you for your feedback.

Sorry for the spelling issues in the commits; I will correct them and send another merge request.
I will also apply the other security configuration suggestions.

Thanks
Venkata.

-----Original Message-----
From: daniel.sangorrin@toshiba.co.jp <daniel.sangorrin@toshiba.co.jp>
Sent: 17 September 2020 08:32
To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>
Cc: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Subject: RE: [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend

Hi Venkata-san

Please check my inline comments and send me a merge request when you solve them.

-----Original Message-----
From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
Sent: Tuesday, September 15, 2020 11:24 PM
To: sangorrin daniel (SWC ACT) <daniel.sangorrin@toshiba.co.jp>
Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>;
cip-dev@lists.cip-project.org
Subject: [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

add package bbappend files in the security layer that will apply
the security configurations like
e.g: Set password strength in pam configurations
Set audit failure actions in audit package configurations
etc.
Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
.../audit/audit_debian.bbappend | 20 ++++++++++
.../base-files/base-files_debian.bbappend | 3 ++
.../openssh/openssh_debian.bbappend | 19 +++++++++
.../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
4 files changed, 81 insertions(+)
create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
Ideally, you would separate the patches for each file unless they have something in common.

diff --git
a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
b/meta-cip-security/recipes- debian/audit/audit_debian.bbappend
new file mode 100644
index 0000000..c148f27
--- /dev/null
+++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
@@ -0,0 +1,20 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020 # #
+SPDX-License-Identifier: MIT #
+
+DESCRIPTION = "CIP Security customizations"
Append "for audit" to the description.

+
+pkg_postinst_audit_append() {
+ # CR2.9: Audit storage capacity
+ # CR2.9 RE-1: Warn when audit record storage capacity threshold reached
+ AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
+ sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE
+ sed -i 's/admin_space_left_action = .*/admin_space_left_action =
+SYSLOG/' $AUDIT_CONF_FILE
Don't you need to specify the values for space_left and admin_space_left?
Perhaps these variables should be configurable and have a default value.
Example:
AUDIT_SPACE_LEFT ?= "100"

Then you can change the value in local.conf (or using kas's local_conf_headers)

+
+ # CR2.10: Response to audit processing failures
+ sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/'
+$AUDIT_CONF_FILE }
Please check if you need other options as well here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_the_audit_service

diff --git
a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappe
nd b/meta-cip-security/recipes-debian/base-
files/base-files_debian.bbappend
new file mode 100644
index 0000000..895dc9f
--- /dev/null
+++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bb
+++ append
@@ -0,0 +1,3 @@
+do_install_append() {
+ echo "${MACHINE}" > ${D}${sysconfdir}/hostname }
Is this related to the security layer?
If not, please separate it into a different patch and explain why it is necessary.

diff --git
a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
b/meta-cip-security/recipes- debian/openssh/openssh_debian.bbappend
new file mode 100644
index 0000000..ddd2bfc
--- /dev/null
+++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
@@ -0,0 +1,19 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020 # #
+SPDX-License-Identifier: MIT #
+
+DESCRIPTION = "CIP Security customizations"
Same as before, append "for openssh". The description for different things should be different.

+
+pkg_postinst_${PN}_append() {
+ # CR2.6: Remote session termination
+ # Terminate remote session after inactive time period
+ SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
+ alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
+ alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
+ sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}"
+ sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
Perhaps make the value for ClientAliveInterval configurable and use 120 as default.

+}
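Review bot: the two `sed -i "/${alive_interval}/c ..."` lines break when the option is absent from sshd_config: alive_interval is then empty, sed is handed the address `//` and GNU sed aborts with "no previous regular expression", failing the postinst. They also break when more than one line mentions the option (a comment plus an active setting), because `sed -n '/ClientAliveInterval/p'` then returns two lines joined by a newline, which is not a valid address. Debian's stock file carries `#ClientAliveInterval 0` and `#ClientAliveCountMax 3` as comments, so today the `c` command happens to replace the comment, but neither edge case is handled. Match the option anchored at the start of the line and append it when nothing matched, e.g. `grep -qE '^#?ClientAliveInterval' "$SSHD_CONFIG" && sed -i -E 's/^#?ClientAliveInterval .*/ClientAliveInterval 120/' "$SSHD_CONFIG" || echo 'ClientAliveInterval 120' >> "$SSHD_CONFIG"`. Separately, double-check `ClientAliveCountMax 0`: current sshd_config(5) documents a zero value as disabling connection termination, which is the opposite of what CR2.6 asks for; verify the semantics against the OpenSSH version in the Debian release this layer targets.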
diff --git
a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
b/meta-cip-security/recipes- debian/pam/libpam_debian.bbappend new
file mode 100644 index 0000000..c9c1605
--- /dev/null
+++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
@@ -0,0 +1,39 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020 # #
+SPDX-License-Identifier: MIT #
+
+DESCRIPTION = "CIP Security customizations"
Same thing: "for libpam"

+
+pkg_postinst_pam-plugin-cracklib_append() {
+ # CR1.7: Strength of password-based authentication
+ # Pam configuration to enforce password strength
+ PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
+ CRACKLIB_CONFIG="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1
ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
+ if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
+ sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+ fi
+ sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
+}
Perhaps set minlen configurable.

+
+pkg_postinst_pam-plugin-tally2_append() {
+ # CR1.11: Unsuccessful login attempts
+ # Lock user account after unsuccessful login attempts
+ PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
+ pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
+ if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
+ sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}"
+ fi
+ sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
+}
+
+
+pkg_postinst_libpam_append() {
+ # CR2.7: Concurrent session control
+ # Limit the concurrent login sessions
+ LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
+ echo "* hard maxlogins 2" >> ${LIMITS_CONFIG} }
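Review bot: `echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}` is the one edit in this file without a guard, so every re-run of the postinst (package upgrade, dpkg-reconfigure) appends another copy; guard it with a grep as the two functions above do. On the pam edits: Debian's /etc/pam.d/common-auth and common-password are managed by pam-auth-update, whose header documents placing local modules before or after the managed block; lines inserted in the middle of the generated block can be regenerated away when any later PAM profile package is installed, so a profile under /usr/share/pam-configs/ is the supported way to add the pam_cracklib and pam_tally2 entries. Also, `sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/"` interpolates the policy string into the sed script unescaped; once minlen and friends become configurable, as suggested, any `/` or `&` in a value corrupts the command.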
Thanks,
Daniel
The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.
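Added example, not code from the cip-core patch or the layer: the openssh and audit edits above rewrite whichever line happens to mention an option, and Daniel's comments ask for configurable defaults. The function below renders the same post-install step in Python, handling the cases the sed version does not (option absent, present only as a `#` comment, or present twice) and staying idempotent so a postinst can be re-run. The sshd_config and auditd.conf fragments are constructed; the policy values ClientAliveInterval 120 and space_left 100 come from the patch and from Daniel's suggested AUDIT_SPACE_LEFT default, while ClientAliveCountMax 3 is an assumed placeholder.

```python
import re

# Constructed fragments standing in for $D/etc/ssh/sshd_config and
# $D/etc/audit/auditd.conf on a freshly installed Debian package.
SAMPLE_SSHD_CONFIG = """\
# This is the sshd server system-wide configuration file.
#ClientAliveInterval 0
#ClientAliveCountMax 3
Subsystem sftp /usr/lib/openssh/sftp-server
"""

SAMPLE_AUDITD_CONF = """\
log_file = /var/log/audit/audit.log
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_error_action = SUSPEND
"""

# Policy tables; in a bbappend these would be fed from ?= variables.
SSHD_POLICY = [("ClientAliveInterval", "120"),     # CR2.6, value from the patch
               ("ClientAliveCountMax", "3")]       # assumed placeholder value
AUDITD_POLICY = [("space_left", "100"),            # Daniel's AUDIT_SPACE_LEFT default
                 ("space_left_action", "SYSLOG"),  # CR2.9 RE-1
                 ("admin_space_left_action", "SYSLOG"),
                 ("disk_error_action", "SYSLOG")]  # CR2.10


def set_option(text, key, value, sep=" "):
    """Return `text` with `key` set to `value` exactly once.

    Three states a packaged config file can be in are covered:
      * key active: the first active line is rewritten, later duplicates dropped;
      * key present only as a '#key ...' comment: replaced in place, so the
        setting lands where the upstream template documents it;
      * key absent: appended at the end.
    Both patterns are anchored at the start of the line, so a search for
    'space_left_action' never matches 'admin_space_left_action' and a search
    for 'space_left' never matches 'space_left_action'.
    """
    key_re = re.escape(key) + r"(?:\s*=\s*|\s+)"
    active = re.compile(r"^\s*" + key_re)
    commented = re.compile(r"^\s*#\s*" + key_re)
    new_line = "%s%s%s" % (key, sep, value)
    out, done = [], False
    for line in text.splitlines():
        if active.match(line):
            if not done:
                out.append(new_line)
                done = True
            continue  # drop duplicates: sshd honours the first, auditd the last
        if commented.match(line) and not done:
            out.append(new_line)
            done = True
            continue
        out.append(line)
    if not done:
        out.append(new_line)
    return "\n".join(out) + "\n"


def apply_policy(text, settings, sep=" "):
    """Apply an ordered list of (key, value) pairs. Running it on its own
    output changes nothing, which is what a postinst that may be executed
    again on upgrade needs."""
    for key, value in settings:
        text = set_option(text, key, value, sep=sep)
    return text


if __name__ == "__main__":
    print(apply_policy(SAMPLE_SSHD_CONFIG, SSHD_POLICY))
    print(apply_policy(SAMPLE_AUDITD_CONF, AUDITD_POLICY, sep=" = "))
```

Wiring this into a bbappend would mean calling it from pkg_postinst with the $D-prefixed path and the layer's `?=` variables as arguments; the separator argument is what distinguishes the `Key value` syntax of sshd_config from the `key = value` syntax of auditd.conf.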


Re: CIP IRC weekly meeting today

Akihiro Suzuki
 

Hi Kudo-san,

Sorry, I will be absent from today's IRC meeting because I already have plans today.
SW Updates WG doesn't have any updates this week.

Thanks,
Suzuki

-----Original Message-----
From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On
Behalf Of masashi.kudo@cybertrust.co.jp
Sent: Thursday, September 17, 2020 10:21 AM
To: cip-dev@lists.cip-project.org
Subject: [cip-dev] CIP IRC weekly meeting today

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss
technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00
starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=9&day=17&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
02:00 05:00 10:00 11:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-10-09.00.log.html

Agenda:

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu
2. Post LTP results to KernelCI - patersonc

* Kernel maintenance updates
* Kernel testing
* Software update
* CIP Security
* AOB

Since there will be another meeting at 9:30GMT, the meeting will take less than
30 min today.
If some topics may take long, they will be taken offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.


Re: [cip-core:deby 3/3] aide-static: enable aide to build statically

Daniel Sangorrin <daniel.sangorrin@...>
 

Thanks, it looks good.
Perhaps you can write in the commit id what the effect on size is compared to not using static compilation.
Please send me a merge request.

-----Original Message-----
From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
Sent: Tuesday, September 15, 2020 11:24 PM
To: sangorrin daniel (SWC ACT) <daniel.sangorrin@toshiba.co.jp>
Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Subject: [cip-core:deby 3/3] aide-static: enable aide to build statically

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

To build aide statically, its dependencies must also be compiled statically, so static compilation was enabled for all aide-dependent library packages in an
include file and added to the layer configuration.

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
meta-cip-security/conf/include/aide-static-libs.inc | 10 ++++++++++
meta-cip-security/conf/layer.conf | 2 ++
2 files changed, 12 insertions(+)
create mode 100644 meta-cip-security/conf/include/aide-static-libs.inc

diff --git a/meta-cip-security/conf/include/aide-static-libs.inc b/meta-cip-security/conf/include/aide-static-libs.inc
new file mode 100644
index 0000000..1dc4374
--- /dev/null
+++ b/meta-cip-security/conf/include/aide-static-libs.inc
@@ -0,0 +1,10 @@
+DISABLE_STATIC ?= " --disable-static"
+
+# aide dependencies to build statically DISABLE_STATIC_pn-aide = " "
+DISABLE_STATIC_pn-libgpg-error = " "
+DISABLE_STATIC_pn-libmhash = " "
+DISABLE_STATIC_pn-attr = " "
+DISABLE_STATIC_pn-acl = " "
+DISABLE_STATIC_pn-libpcre = " "
+EXTRA_OECONF_append_pn-aide = " --without-audit"
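Review bot: as shown, `DISABLE_STATIC_pn-aide = " "` sits at the end of the comment line `# aide dependencies to build statically ...`, where BitBake ignores it, so aide itself would still be configured with --disable-static. The diffstat counts 10 added lines while 9 are visible, so this is probably mail wrapping, but please confirm the committed file has the assignment on its own line. Also `EXTRA_OECONF_append_pn-aide = " --without-audit"` drops aide's audit integration in a layer whose image installs auditd; a sentence in the commit message explaining why it is disabled would help the next reader.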
diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf
index b015436..158d75c 100644
--- a/meta-cip-security/conf/layer.conf
+++ b/meta-cip-security/conf/layer.conf
@@ -16,3 +16,5 @@ LAYERVERSION_cip-security = "1"
LAYERDEPENDS_cip-security = "debian"

LAYERSERIES_COMPAT_cip-security = "warrior"
+
+require conf/include/aide-static-libs.inc
--
2.27.0.windows.1



Re: [cip-core:deby 1/3] cip-security: Create new layer for cip security

Daniel Sangorrin <daniel.sangorrin@...>
 

Thanks, it looks good
Please send me a merge request

-----Original Message-----
From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
Sent: Tuesday, September 15, 2020 11:24 PM
To: sangorrin daniel (SWC ACT) <daniel.sangorrin@toshiba.co.jp>
Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Subject: [cip-core:deby 1/3] cip-security: Create new layer for cip security

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

This layer enables security packages and default configurations
required to evaluate IEC62443-4-2 assessment

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
README.md | 5 +++++
kas/opt/security.yml | 32 +++++++++++++++++++++++++++++++
meta-cip-security/conf/layer.conf | 18 +++++++++++++++++
3 files changed, 55 insertions(+)
create mode 100644 kas/opt/security.yml
create mode 100644 meta-cip-security/conf/layer.conf

diff --git a/README.md b/README.md
index f90e040..f59dd0c 100644
--- a/README.md
+++ b/README.md
@@ -88,3 +88,8 @@ LTP test image for QEMU arm64 / hihope-rzg2m

$ ./scripts/kas-build.sh kas/board/qemuarm64.yml:kas/opt/deby.yml:kas/opt/dhcp.yml:kas/opt/ltp.yml

+Create Security image for QEMU x86-64
+-------------------------------------
+
+ $ ./scripts/kas-build.sh kas/board/qemux86-64.yml:kas/opt/deby.yml:kas/opt/security.yml
+
diff --git a/kas/opt/security.yml b/kas/opt/security.yml
new file mode 100644
index 0000000..e84290c
--- /dev/null
+++ b/kas/opt/security.yml
@@ -0,0 +1,32 @@
+#
+# CIP Core tiny profile with Security
+# packages and configuration
+#
+# Copyright (c) 2019 TOSHIBA Corp.
+#
+# SPDX-License-Identifier: MIT
+#
+
+header:
+ version: 8
+
+repos:
+ meta-cip-security:
+ layers:
+ meta-cip-security:
+
+local_conf_header:
+ security: |
+ DISTRO_FEATURES_append += " pam"
+ CORE_IMAGE_EXTRA_INSTALL += " \
+ aide aide-common \
+ openssl openssl-bin \
+ openssh openssh-misc \
+ chrony chronyc \
+ libpam pam-plugin-cracklib pam-plugin-tally2 \
+ syslog-ng \
+ acl \
+ sudo \
+ auditd \
+ util-linux \
+ "
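Review bot: `DISTRO_FEATURES_append += " pam"` mixes the `_append` override with `+=`; the idiomatic form is `DISTRO_FEATURES_append = " pam"`, which appends once without the extra leading space that `+=` adds. Minor: the header says `Copyright (c) 2019 TOSHIBA Corp.` on a file created in 2020.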
diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf
new file mode 100644
index 0000000..b015436
--- /dev/null
+++ b/meta-cip-security/conf/layer.conf
@@ -0,0 +1,18 @@
+# We have a conf and classes directory, add to BBPATH
+BBPATH =. "${LAYERDIR}:"
+
+# We have recipes-* directories, add to BBFILES
+BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
+ ${LAYERDIR}/recipes-*/*/*.bbappend"
+
+BBFILE_COLLECTIONS += "cip-security"
+BBFILE_PATTERN_cip-security = "^${LAYERDIR}/"
+BBFILE_PRIORITY_cip-security = "11"
+
+# This should only be incremented on significant changes that will
+# cause compatibility issues with other layers
+LAYERVERSION_cip-security = "1"
+
+LAYERDEPENDS_cip-security = "debian"
+
+LAYERSERIES_COMPAT_cip-security = "warrior"
--
2.27.0.windows.1



Re: [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend

Daniel Sangorrin <daniel.sangorrin@...>
 

Hi Venkata-san

Please check my inline comments and send me a merge request when you solve them.

-----Original Message-----
From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
Sent: Tuesday, September 15, 2020 11:24 PM
To: sangorrin daniel (SWC ACT) <daniel.sangorrin@toshiba.co.jp>
Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Subject: [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

add package bbappend files in the security layer that will apply
the security configurations like
e.g: Set password strength in pam configurations
Set audit failure actions in audit package configurations
etc.
Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
.../audit/audit_debian.bbappend | 20 ++++++++++
.../base-files/base-files_debian.bbappend | 3 ++
.../openssh/openssh_debian.bbappend | 19 +++++++++
.../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
4 files changed, 81 insertions(+)
create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
Ideally, you would separate the patches for each file unless they have something in common.

diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-
debian/audit/audit_debian.bbappend
new file mode 100644
index 0000000..c148f27
--- /dev/null
+++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
@@ -0,0 +1,20 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
Append "for audit" to the description.

+
+pkg_postinst_audit_append() {
+ # CR2.9: Audit storage capacity
+ # CR2.9 RE-1: Warn when audit record storage capacity threshold reached
+ AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
+ sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE
+ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE
Don't you need to specify the values for space_left and admin_space_left?
Perhaps these variables should be configurable and have a default value.
Example:
AUDIT_SPACE_LEFT ?= "100"

Then you can change the value in local.conf (or using kas's local_conf_headers)

+
+ # CR2.10: Response to audit processing failures
+ sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
+}
Please check if you need other options as well here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_the_audit_service

diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-
files/base-files_debian.bbappend
new file mode 100644
index 0000000..895dc9f
--- /dev/null
+++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
@@ -0,0 +1,3 @@
+do_install_append() {
+ echo "${MACHINE}" > ${D}${sysconfdir}/hostname
+}
Is this related to the security layer?
If not, please separate it into a different patch and explain why it is necessary.

diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-
debian/openssh/openssh_debian.bbappend
new file mode 100644
index 0000000..ddd2bfc
--- /dev/null
+++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
@@ -0,0 +1,19 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
Same as before, append "for openssh". The description for different things should be different.

+
+pkg_postinst_${PN}_append() {
+ # CR2.6: Remote session termination
+ # Terminate remote session after inactive time period
+ SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
+ alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
+ alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
+ sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}"
+ sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
Perhaps make the value for ClientAliveInterval configurable and use 120 as default.

+}
diff --git a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend b/meta-cip-security/recipes-
debian/pam/libpam_debian.bbappend
new file mode 100644
index 0000000..c9c1605
--- /dev/null
+++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
@@ -0,0 +1,39 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
Same thing: "for libpam"

+
+pkg_postinst_pam-plugin-cracklib_append() {
+ # CR1.7: Strength of password-based authentication
+ # Pam configuration to enforce password strength
+ PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
+ CRACKLIB_CONFIG="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1
ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
+ if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
+ sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+ fi
+ sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
+}
Perhaps make minlen configurable.

+
+pkg_postinst_pam-plugin-tally2_append() {
+ # CR1.11: Unsuccessful login attempts
+ # Lock user account after unsuccessful login attempts
+ PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
+ pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
+ if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
+ sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}"
+ fi
+ sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
+}
+
+
+pkg_postinst_libpam_append() {
+ # CR2.7: Concurrent session control
+ # Limit the concurrent login sessions
+ LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
+ echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
+}
Thanks,
Daniel


CIP IRC weekly meeting today

masashi.kudo@cybertrust.co.jp <masashi.kudo@...>
 

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=9&day=17&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
02:00 05:00 10:00 11:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2020/09/cip.2020-09-10-09.00.log.html

Agenda:

* Action item
1. Combine root filesystem with kselftest binary - iwamatsu
2. Post LTP results to KernelCI - patersonc

* Kernel maintenance updates
* Kernel testing
* Software update
* CIP Security
* AOB

Since there will be another meeting at 9:30GMT, the meeting will take less than 30 min today.
If some topics may take long, they will be taken offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.


[cip-core:deby 3/3] aide-static: enable aide to build statically

Venkata Pyla
 

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

To build aide statically, its dependencies must also be compiled
statically, so static compiling is enabled for all aide-dependent
library packages in an include file that is added to the layer
configuration.

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
meta-cip-security/conf/include/aide-static-libs.inc | 10 ++++++++++
meta-cip-security/conf/layer.conf | 2 ++
2 files changed, 12 insertions(+)
create mode 100644 meta-cip-security/conf/include/aide-static-libs.inc

diff --git a/meta-cip-security/conf/include/aide-static-libs.inc b/meta-cip-security/conf/include/aide-static-libs.inc
new file mode 100644
index 0000000..1dc4374
--- /dev/null
+++ b/meta-cip-security/conf/include/aide-static-libs.inc
@@ -0,0 +1,10 @@
+DISABLE_STATIC ?= " --disable-static"
+
+# aide dependencies to build statically
+DISABLE_STATIC_pn-aide = " "
+DISABLE_STATIC_pn-libgpg-error = " "
+DISABLE_STATIC_pn-libmhash = " "
+DISABLE_STATIC_pn-attr = " "
+DISABLE_STATIC_pn-acl = " "
+DISABLE_STATIC_pn-libpcre = " "
+EXTRA_OECONF_append_pn-aide = " --without-audit"
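Review bot: the `DISABLE_STATIC_pn-* = " "` lines only make static archives available for aide's dependencies; nothing in this hunk makes the aide executable itself link statically, which is what the subject promises. State where that happens (the configure option or LDFLAGS setting used in the aide recipe) in the commit message, or add it here. `EXTRA_OECONF_append_pn-aide = " --without-audit"` also deserves a comment: it drops audit integration from an integrity checker in a layer whose other patch configures auditd, so the reason (presumably that libaudit cannot be linked statically here) should be recorded. Because the file is pulled in from layer.conf, these overrides change how acl, attr, libpcre, libgpg-error and libmhash are built in every configuration that enables the layer, not only in security images; a distro- or image-level include would scope them more narrowly.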
diff --git a/meta-cip-security/conf/layer.conf b/meta-cip-security/conf/layer.conf
index b015436..158d75c 100644
--- a/meta-cip-security/conf/layer.conf
+++ b/meta-cip-security/conf/layer.conf
@@ -16,3 +16,5 @@ LAYERVERSION_cip-security = "1"
LAYERDEPENDS_cip-security = "debian"

LAYERSERIES_COMPAT_cip-security = "warrior"
+
+require conf/include/aide-static-libs.inc
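Review bot: `require conf/include/aide-static-libs.inc` relies on the relative path resolving through BBPATH, which only works if this layer's `${LAYERDIR}` has already been appended to BBPATH earlier in layer.conf than this hunk shows. `require ${LAYERDIR}/conf/include/aide-static-libs.inc` does not depend on that ordering and makes it obvious which layer the file comes from.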
--
2.27.0.windows.1

The information contained in this e-mail message and in any
attachments/annexure/appendices is confidential to the
recipient and may contain privileged information.
If you are not the intended recipient, please notify the
sender and delete the message along with any
attachments/annexure/appendices. You should not disclose,
copy or otherwise use the information contained in the
message or any annexure. Any views expressed in this e-mail
are those of the individual sender except where the sender
specifically states them to be the views of
Toshiba Software India Pvt. Ltd. (TSIP),Bangalore.

Although this transmission and any attachments are believed to be
free of any virus or other defect that might affect any computer
system into which it is received and opened, it is the responsibility
of the recipient to ensure that it is virus free and no responsibility
is accepted by Toshiba Embedded Software India Pvt. Ltd, for any loss or
damage arising in any way from its use.


[cip-core:deby 2/3] security-configuration: apply security policies using package bbappend

Venkata Pyla
 

From: venkata pyla <venkata.pyla@toshiba-tsip.com>

add package bbappend files in the security layer that will apply
the security configurations like
e.g: Set password strength in pam configurations
Set audit failure actions in audit package configurations
etc.

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
.../audit/audit_debian.bbappend | 20 ++++++++++
.../base-files/base-files_debian.bbappend | 3 ++
.../openssh/openssh_debian.bbappend | 19 +++++++++
.../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
4 files changed, 81 insertions(+)
create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend

diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
new file mode 100644
index 0000000..c148f27
--- /dev/null
+++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
@@ -0,0 +1,20 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
+
+pkg_postinst_audit_append() {
+ # CR2.9: Audit storage capacity
+ # CR2.9 RE-1: Warn when audit record storage capacity threshold reached
+ AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
+ sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE
+ sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE
+
+ # CR2.10: Response to audit processing failures
+ sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
+}
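Review bot: the three `sed -i 's/space_left_action = .*/.../'` substitutions in `pkg_postinst_audit_append` are unanchored and unchecked: `space_left_action = .*` also matches inside the `admin_space_left_action` line, and if a key is absent, commented out or written without the surrounding spaces the substitution silently does nothing while the postinst still succeeds, so the CR2.9/CR2.10 settings can be missing from the image without any error. Anchor the patterns (`s/^space_left_action *=.*/space_left_action = SYSLOG/`), append the line when there is no match, and finish with a check such as `grep -q '^space_left_action = SYSLOG' "$AUDIT_CONF_FILE" || exit 1`. Nothing here sets the `space_left` / `admin_space_left` thresholds that trigger these actions, so the commit message should say that auditd's built-in defaults are relied on. `$AUDIT_CONF_FILE` should be quoted as well.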
diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
new file mode 100644
index 0000000..895dc9f
--- /dev/null
+++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
@@ -0,0 +1,3 @@
+do_install_append() {
+ echo "${MACHINE}" > ${D}${sysconfdir}/hostname
+}
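Review bot: `echo "${MACHINE}" > ${D}${sysconfdir}/hostname` in `do_install_append` has no connection to the security policies the commit message lists (PAM password strength, audit failure actions) and overrides whatever hostname base-files installed; it belongs in a separate patch with its own justification. If it stays, quote the path and add a comment explaining why the hostname is forced to the machine name.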
diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
new file mode 100644
index 0000000..ddd2bfc
--- /dev/null
+++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
@@ -0,0 +1,19 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
+
+pkg_postinst_${PN}_append() {
+ # CR2.6: Remote session termination
+ # Terminate remote session after inactive time period
+ SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
+ alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
+ alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
+ sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}"
+ sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
+}
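Review bot: `sed -i "/${alive_interval}/c ClientAliveInterval 120"` breaks whenever the `sed -n '/ClientAliveInterval/p'` lookup before it finds anything other than exactly one line. If the key is absent, `alive_interval` is empty and the address becomes `//`, which GNU sed rejects with "no previous regular expression", so the setting is never written; if two lines match (a commented example plus a real setting), the variable contains a newline and the command fails as well. A delete-then-append is robust and idempotent: `sed -i '/^#*ClientAliveInterval/d' "${SSHD_CONFIG}"` followed by `echo 'ClientAliveInterval 120' >> "${SSHD_CONFIG}"`, and the same for `ClientAliveCountMax`. Also document the choice of `ClientAliveCountMax 0`: on OpenSSH before 8.2 it drops the client at the first liveness probe, but from 8.2 onwards a value of 0 disables connection termination entirely, so an OpenSSH update would silently remove the CR2.6 control; a positive value terminates the session after that many unanswered probes on every version.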
diff --git a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
new file mode 100644
index 0000000..c9c1605
--- /dev/null
+++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
@@ -0,0 +1,39 @@
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
+
+pkg_postinst_pam-plugin-cracklib_append() {
+ # CR1.7: Strength of password-based authentication
+ # Pam configuration to enforce password strength
+ PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
+ CRACKLIB_CONFIG="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
+ if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
+ sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}"
+ fi
+ sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
+}
+
+pkg_postinst_pam-plugin-tally2_append() {
+ # CR1.11: Unsuccessful login attempts
+ # Lock user account after unsuccessful login attempts
+ PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
+ pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
+ if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
+ sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}"
+ fi
+ sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
+}
+
+
+pkg_postinst_libpam_append() {
+ # CR2.7: Concurrent session control
+ # Limit the concurrent login sessions
+ LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
+ echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
+}
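Review bot: `pkg_postinst_pam-plugin-tally2_append` inserts only the `auth required pam_tally2.so ...` line. pam_tally2 increments the counter in the auth phase for every attempt, successful or not, and only its account-phase call (`account required pam_tally2.so` in common-account, as in the module's documented example) resets it on a successful login; without that line legitimate users are locked out after three logins. In `pkg_postinst_libpam_append`, `echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}` appends a duplicate line every time the postinst runs, and per limits.conf the `*` domain and `maxlogins` do not apply to uid 0, so the CR2.7 limit does not cover root; guard the append with a `grep -q` and state the root exception (or add an explicit `root` entry). Minor: `grep -c` prints a count into the postinst output where `grep -q` is intended, and `${LIMITS_CONFIG}` should be quoted.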
--
2.27.0.windows.1
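The sshd_config, auditd.conf and limits.conf edits in the bbappends above rely on `sed -i` matching a key in one exact spelling and on `echo >>` appending on every postinst run. Below is an added example, not part of this patch or of cip-core, of the pattern a postinst can use instead: a POSIX shell helper that sets a key to a value whether the key is active, commented out, duplicated or absent, stays idempotent across repeated runs, and verifies the result so a silent no-op becomes a failure. The function names `set_conf_kv`, `verify_conf_kv` and `demo` are this example's own, the sample file lines are constructed, and the helper assumes only sh, awk and grep.

```shell
#!/bin/sh
# Added example (not from the cip-core patch): idempotent "set KEY to VALUE" for
# line-oriented config files such as auditd.conf ("key = value") and sshd_config
# ("Key value"), plus a verifier. Assumes POSIX sh, awk and grep only.

# set_conf_kv FILE KEY VALUE SEP
#   The first line whose key is KEY (active or commented out) becomes "KEY<SEP>VALUE";
#   any later *active* KEY line is commented out; if no KEY line exists the setting
#   is appended. Returns non-zero if the edit or the final verification fails.
set_conf_kv() {
    file=$1; key=$2; value=$3; sep=$4
    tmp="${file}.tmp.$$"
    awk -v key="$key" -v value="$value" -v sep="$sep" '
        # is_key: does this line set KEY, ignoring leading "#" and whitespace?
        # The key must be followed by space, "=" or end of line, so
        # "space_left" never matches "space_left_action".
        function is_key(line,  s) {
            s = line
            sub(/^[ \t]*#*[ \t]*/, "", s)
            return s ~ ("^" key "([ \t=]|$)")
        }
        {
            if (!is_key($0)) { print; next }
            if (!done) { print key sep value; done = 1; next }
            if ($0 ~ /^[ \t]*#/) { print; next }   # already a comment: keep it
            print "#" $0                           # neutralise a later active duplicate
        }
        END { if (!done) print key sep value }      # key never seen: append it
    ' "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
    verify_conf_kv "$file" "$key" "$value" "$sep"
}

# verify_conf_kv FILE KEY VALUE SEP
#   Succeeds only if FILE has exactly one active KEY line and it is "KEY<SEP>VALUE".
#   "|| :" keeps the printed count when grep exits 1 for zero matches (safe under set -e).
verify_conf_kv() {
    file=$1; key=$2; value=$3; sep=$4
    exact=$(grep -c -F -x -- "${key}${sep}${value}" "$file" || :)
    active=$(grep -c -E -- "^[[:space:]]*${key}([[:space:]=]|\$)" "$file" || :)
    [ "$exact" -eq 1 ] && [ "$active" -eq 1 ]
}

# demo: constructed sshd_config fragment with a commented default and a stray
# active duplicate; illustrative values, not a recommendation for CountMax.
demo() {
    f=$(mktemp)
    printf '%s\n' '#ClientAliveInterval 0' 'ClientAliveCountMax 3' 'ClientAliveInterval 300' > "$f"
    set_conf_kv "$f" ClientAliveInterval 120 ' ' &&
    set_conf_kv "$f" ClientAliveCountMax 1 ' ' &&
    cat "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh set_conf_kv.sh demo` to see the rewritten fragment: the commented default becomes the active `ClientAliveInterval 120`, the stray `ClientAliveInterval 300` is commented out, and a second run leaves the file byte-for-byte unchanged. In a bbappend the same helper would be called with `"$D${sysconfdir}/ssh/sshd_config"` and, for auditd.conf, a separator of `' = '`.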

