
[cip-core:deby,2/3] security-configuration: apply security polcies using package bbappend

Message ID 20200915142345.179-3-venkata.pyla@toshiba-tsip.com (mailing list archive)
State Accepted

Commit Message

Venkata Pyla Sept. 15, 2020, 2:23 p.m. UTC
From: venkata pyla <venkata.pyla@toshiba-tsip.com>

add package bbappend files in the security layer that will apply
the security configurations like
    e.g: Set password strength in pam configurations
         Set audit failure actions in audit package configurations
         etc.

Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
---
 .../audit/audit_debian.bbappend               | 20 ++++++++++
 .../base-files/base-files_debian.bbappend     |  3 ++
 .../openssh/openssh_debian.bbappend           | 19 +++++++++
 .../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
 4 files changed, 81 insertions(+)
 create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
 create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
 create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
 create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend

Comments

Daniel Sangorrin Sept. 17, 2020, 3:02 a.m. UTC | #1
Hi Venkata-san

Please check my inline comments and send me a merge request when you solve them.

> -----Original Message-----
> From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
> Sent: Tuesday, September 15, 2020 11:24 PM
> To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) <daniel.sangorrin@toshiba.co.jp>
> Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
> Subject: [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend
> 
> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
> 
> add package bbappaned files in the security layer that will apply

bbappend

> the security configurations like
>     e.g: Set password strength in pam configurations
>          Set audit failure actions in audit package configurations
>          etc.
> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
> ---
>  .../audit/audit_debian.bbappend               | 20 ++++++++++
>  .../base-files/base-files_debian.bbappend     |  3 ++
>  .../openssh/openssh_debian.bbappend           | 19 +++++++++
>  .../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++
>  4 files changed, 81 insertions(+)
>  create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend
>  create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
>  create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
>  create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend

Ideally, you would separate the patches for each file unless they have something in common.
 
> diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-
> debian/audit/audit_debian.bbappend
> new file mode 100644
> index 0000000..c148f27
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
> @@ -0,0 +1,20 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +DESCRIPTION = "CIP Security customizations"
Append "for audit" to the description.

> +
> +pkg_postinst_audit_append() {
> +	# CR2.9: Audit storage capacity
> +	# CR2.9 RE-1: Warn when audit record storage capacity threshold reached
> +	AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
> +	sed -i 's/space_left_action = .*/space_left_action = SYSLOG/'  $AUDIT_CONF_FILE
> +	sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE

Don't you need to specify the values for space_left and admin_space_left?
Perhaps these variables should be configurable and have a default value.
Example:
AUDIT_SPACE_LEFT ?= "100"

Then you can change the value in local.conf (or using kas's local_conf_headers)

> +
> +	# CR2.10: Response to audit processing failures
> +	sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
> +}

Please check if you need other options as well here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_the_audit_service

> diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-
> files/base-files_debian.bbappend
> new file mode 100644
> index 0000000..895dc9f
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
> @@ -0,0 +1,3 @@
> +do_install_append() {
> +	echo "${MACHINE}" > ${D}${sysconfdir}/hostname
> +}

Is this related to the security layer?
If not, please separate it into a different patch and explain why it is necessary.

> diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-
> debian/openssh/openssh_debian.bbappend
> new file mode 100644
> index 0000000..ddd2bfc
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
> @@ -0,0 +1,19 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +DESCRIPTION = "CIP Security customizations"

Same as before, append "for openssh". The description for different things should be different.

> +
> +pkg_postinst_${PN}_append() {
> +	# CR2.6: Remote session termination
> +	# Terminate remote session after inactive time period
> +	SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
> +	alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
> +	alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
> +	sed -i "/${alive_interval}/c ClientAliveInterval 120"  "${SSHD_CONFIG}"
> +	sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"

Perhaps make the value for ClientAliveInterval configurable and use 120 as default.

> +}
> diff --git a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend b/meta-cip-security/recipes-
> debian/pam/libpam_debian.bbappend
> new file mode 100644
> index 0000000..c9c1605
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
> @@ -0,0 +1,39 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020
> +#
> +# SPDX-License-Identifier: MIT
> +#
> +
> +DESCRIPTION = "CIP Security customizations"

Same thing: "for libpam"

> +
> +pkg_postinst_pam-plugin-cracklib_append() {
> +	# CR1.7: Strength of password-based authentication
> +	# Pam configuration to  enforce password strength
> +	PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
> +	CRACKLIB_CONFIG="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1
> ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
> +	if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
> +		sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
> +	fi
> +	sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
> +}

Perhaps set minlen configurable.

> +
> +pkg_postinst_pam-plugin-tally2_append() {
> +	# CR1.11: Unsuccessful login attempts
> +	# Lock user account after unsuccessful login attempts
> +	PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
> +	pam_tally="auth   required  pam_tally2.so  deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
> +	if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
> +        	sed -i '/pam_tally2/ s/^#*/#/'  "${PAM_AUTH_FILE}"
> +	fi
> +	sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
> +}
> +
> +
> +pkg_postinst_libpam_append() {
> +	# CR2.7: Concurrent session control
> +	# Limit the concurrent login sessions
> +	LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
> +	echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
> +}

Thanks,
Daniel
Venkata Pyla Sept. 18, 2020, 4:53 a.m. UTC | #2
HI Daniel-san,

Thank you for your feedback.

sorry for the spelling issues in the commits; I will correct them and send another merge request.
Also I will apply other security configuration suggestions.

Thanks
Venkata.

-----Original Message-----
From: daniel.sangorrin@toshiba.co.jp <daniel.sangorrin@toshiba.co.jp> 
Sent: 17 September 2020 08:32
To: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>
Cc: Venkata Seshagiri Pyla <Venkata.Pyla@toshiba-tsip.com>; cip-dev@lists.cip-project.org
Subject: RE: [cip-core:deby 2/3] security-configuration: apply security polcies using package bbappend

Hi Venkata-san

Please check my inline comments and send me a merge request when you solve them.

> -----Original Message-----
> From: venkata.pyla@toshiba-tsip.com <venkata.pyla@toshiba-tsip.com>
> Sent: Tuesday, September 15, 2020 11:24 PM
> To: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) 
> <daniel.sangorrin@toshiba.co.jp>
> Cc: pyla venkata(TSIP) <Venkata.Pyla@toshiba-tsip.com>; 
> cip-dev@lists.cip-project.org
> Subject: [cip-core:deby 2/3] security-configuration: apply security 
> polcies using package bbappend
> 
> From: venkata pyla <venkata.pyla@toshiba-tsip.com>
> 
> add package bbappaned files in the security layer that will apply

bbappend

> the security configurations like
>     e.g: Set password strength in pam configurations
>          Set audit failure actions in audit package configurations
>          etc.
> Signed-off-by: venkata pyla <venkata.pyla@toshiba-tsip.com>
> ---
>  .../audit/audit_debian.bbappend               | 20 ++++++++++
>  .../base-files/base-files_debian.bbappend     |  3 ++
>  .../openssh/openssh_debian.bbappend           | 19 +++++++++
>  .../recipes-debian/pam/libpam_debian.bbappend | 39 
> +++++++++++++++++++
>  4 files changed, 81 insertions(+)
>  create mode 100644 
> meta-cip-security/recipes-debian/audit/audit_debian.bbappend
>  create mode 100644 
> meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
>  create mode 100644 
> meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
>  create mode 100644 
> meta-cip-security/recipes-debian/pam/libpam_debian.bbappend

Ideally, you would separate the patches for each file unless they have something in common.
 
> diff --git 
> a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend 
> b/meta-cip-security/recipes- debian/audit/audit_debian.bbappend
> new file mode 100644
> index 0000000..c148f27
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
> @@ -0,0 +1,20 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020 # # 
> +SPDX-License-Identifier: MIT #
> +
> +DESCRIPTION = "CIP Security customizations"
Append "for audit" to the description.

> +
> +pkg_postinst_audit_append() {
> +	# CR2.9: Audit storage capacity
> +	# CR2.9 RE-1: Warn when audit record storage capacity threshold reached
> +	AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
> +	sed -i 's/space_left_action = .*/space_left_action = SYSLOG/'  $AUDIT_CONF_FILE
> +	sed -i 's/admin_space_left_action = .*/admin_space_left_action = 
> +SYSLOG/' $AUDIT_CONF_FILE

Don't you need to specify the values for space_left and admin_space_left?
Perhaps these variables should be configurable  and have a default value.
Example:
AUDIT_SPACE_LEFT ?= "100"

Then you can change the value in local.conf (or using kas's local_conf_headers)

> +
> +	# CR2.10: Response to audit processing failures
> +	sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' 
> +$AUDIT_CONF_FILE }

Please check if you need other options as well here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_the_audit_service

> diff --git 
> a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappe
> nd b/meta-cip-security/recipes-debian/base-
> files/base-files_debian.bbappend
> new file mode 100644
> index 0000000..895dc9f
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bb
> +++ append
> @@ -0,0 +1,3 @@
> +do_install_append() {
> +	echo "${MACHINE}" > ${D}${sysconfdir}/hostname }

Is this related to the security layer?
If not, please separate it into a different patch and explain why it is necessary.

> diff --git 
> a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend 
> b/meta-cip-security/recipes- debian/openssh/openssh_debian.bbappend
> new file mode 100644
> index 0000000..ddd2bfc
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
> @@ -0,0 +1,19 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020 # # 
> +SPDX-License-Identifier: MIT #
> +
> +DESCRIPTION = "CIP Security customizations"

Same as before, append "for openssh". The description for different things should be different.

> +
> +pkg_postinst_${PN}_append() {
> +	# CR2.6: Remote session termination
> +	# Terminate remote session after inactive time period
> +	SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
> +	alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
> +	alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
> +	sed -i "/${alive_interval}/c ClientAliveInterval 120"  "${SSHD_CONFIG}"
> +	sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"

Perhaps make the value for ClientAliveInterval configurable and use 120 as default.

> +}
> diff --git 
> a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend 
> b/meta-cip-security/recipes- debian/pam/libpam_debian.bbappend new 
> file mode 100644 index 0000000..c9c1605
> --- /dev/null
> +++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
> @@ -0,0 +1,39 @@
> +#
> +# CIP Security, tiny profile
> +#
> +# Copyright (c) Toshiba Corporation, 2020 # # 
> +SPDX-License-Identifier: MIT #
> +
> +DESCRIPTION = "CIP Security customizations"

Same thing: "for libpam"

> +
> +pkg_postinst_pam-plugin-cracklib_append() {
> +	# CR1.7: Strength of password-based authentication
> +	# Pam configuration to  enforce password strength
> +	PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
> +	CRACKLIB_CONFIG="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1
> ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
> +	if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
> +		sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
> +	fi
> +	sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
> +}

Perhaps set minlen configurable.

> +
> +pkg_postinst_pam-plugin-tally2_append() {
> +	# CR1.11: Unsuccessful login attempts
> +	# Lock user account after unsuccessful login attempts
> +	PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
> +	pam_tally="auth   required  pam_tally2.so  deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
> +	if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
> +        	sed -i '/pam_tally2/ s/^#*/#/'  "${PAM_AUTH_FILE}"
> +	fi
> +	sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
> +}
> +
> +
> +pkg_postinst_libpam_append() {
> +	# CR2.7: Concurrent session control
> +	# Limit the concurrent login sessions
> +	LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
> +	echo "* hard maxlogins 2" >> ${LIMITS_CONFIG} }

Thanks,
Daniel
Venkata Pyla Sept. 19, 2020, 12:15 p.m. UTC | #3
On Fri, Sep 18, 2020 at 10:23 AM, Venkata Pyla wrote:
Hi Daniel-san,

I  have created the merge request for all the security layer changes including your suggestions.
Kindly review and let me know if you have any more suggestions.

Thanks
venkata.

Patch

diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
new file mode 100644
index 0000000..c148f27
--- /dev/null
+++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend
@@ -0,0 +1,20 @@ 
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
+
+pkg_postinst_audit_append() {
+	# CR2.9: Audit storage capacity
+	# CR2.9 RE-1: Warn when audit record storage capacity threshold reached
+	AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf"
+	sed -i 's/space_left_action = .*/space_left_action = SYSLOG/'  $AUDIT_CONF_FILE
+	sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE
+
+	# CR2.10: Response to audit processing failures
+	sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE
+}
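Review bot: The first substitution, `sed -i 's/space_left_action = .*/space_left_action = SYSLOG/'`, is unanchored and therefore also matches the `admin_space_left_action` line of auditd.conf; the end result is only correct because the following line rewrites that key to the same value, and choosing different values for the two keys would silently break it. Anchor every pattern and quote the path, e.g. `sed -i 's/^space_left_action = .*/space_left_action = SYSLOG/' "$AUDIT_CONF_FILE"`, and likewise for `admin_space_left_action` and `disk_error_action`. Each `sed -i` also exits 0 when the key is absent from the file, so a policy can go unapplied without any build failure; a post-edit check such as `grep -q '^space_left_action = SYSLOG' "$AUDIT_CONF_FILE" || exit 1` makes that visible at image build time.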
diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
new file mode 100644
index 0000000..895dc9f
--- /dev/null
+++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend
@@ -0,0 +1,3 @@ 
+do_install_append() {
+	echo "${MACHINE}" > ${D}${sysconfdir}/hostname
+}
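Review bot: The redirection target `${D}${sysconfdir}/hostname` is unquoted, so a staging path containing whitespace would be word-split; write `printf '%s\n' "${MACHINE}" > "${D}${sysconfdir}/hostname"`. Because `${MACHINE}` and `${D}` are expanded by bitbake before the shell runs this is a style point rather than a live bug, but it keeps the new task consistent with the quoted paths used by the other bbappends in this series.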
diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
new file mode 100644
index 0000000..ddd2bfc
--- /dev/null
+++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend
@@ -0,0 +1,19 @@ 
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
+
+pkg_postinst_${PN}_append() {
+	# CR2.6: Remote session termination
+	# Terminate remote session after inactive time period
+	SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config"
+	alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
+	alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
+	sed -i "/${alive_interval}/c ClientAliveInterval 120"  "${SSHD_CONFIG}"
+	sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
+}
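Review bot: Building the sed address from a captured line (`alive_interval=$(sed -n '/ClientAliveInterval/p' ...)` followed by `/${alive_interval}/c ...`) is fragile: when sshd_config has no ClientAliveInterval line the address becomes the empty regex and nothing is changed, and when more than one line matches (for instance a comment mentioning the keyword) the captured text contains a newline and the sed expression breaks, so CR2.6 can end up not applied with no build error. A deterministic form is to delete any existing, possibly commented, definitions and insert the policy at the top of the file, ahead of any `Match` block: `sed -i '/^[#[:space:]]*ClientAlive\(Interval\|CountMax\)[[:space:]]/d' "${SSHD_CONFIG}"` then `sed -i '1i ClientAliveInterval 120' "${SSHD_CONFIG}"` and `sed -i '1i ClientAliveCountMax 0' "${SSHD_CONFIG}"`. Separately, the meaning of `ClientAliveCountMax 0` depends on the OpenSSH version — in recent releases a zero count disables idle disconnection rather than enforcing it — so the value should be confirmed against the sshd shipped in this deby image and the decision recorded in a comment next to it.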
diff --git a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
new file mode 100644
index 0000000..c9c1605
--- /dev/null
+++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend
@@ -0,0 +1,39 @@ 
+#
+# CIP Security, tiny profile
+#
+# Copyright (c) Toshiba Corporation, 2020
+#
+# SPDX-License-Identifier: MIT
+#
+
+DESCRIPTION = "CIP Security customizations"
+
+pkg_postinst_pam-plugin-cracklib_append() {
+	# CR1.7: Strength of password-based authentication
+	# Pam configuration to  enforce password strength
+	PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password"
+	CRACKLIB_CONFIG="password  requisite    pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root"
+	if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then
+		sed -i '/pam_cracklib.so/ s/^#*/#/'  "${PAM_PWD_FILE}"
+	fi
+	sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}"
+}
+
+pkg_postinst_pam-plugin-tally2_append() {
+	# CR1.11: Unsuccessful login attempts
+	# Lock user account after unsuccessful login attempts
+	PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth"
+	pam_tally="auth   required  pam_tally2.so  deny=3 even_deny_root unlock_time=60 root_unlock_time=60"
+	if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then
+        	sed -i '/pam_tally2/ s/^#*/#/'  "${PAM_AUTH_FILE}"
+	fi
+	sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}"
+}
+
+
+pkg_postinst_libpam_append() {
+	# CR2.7: Concurrent session control
+	# Limit the concurrent login sessions
+	LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf"
+	echo "* hard maxlogins 2" >> ${LIMITS_CONFIG}
+}
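Review bot: `pkg_postinst_libpam_append` appends `* hard maxlogins 2` to limits.conf unconditionally, so every run of the postinst (package upgrade or reinstall on the target) adds another copy of the line; guard it with `grep -q '^\* hard maxlogins' "${LIMITS_CONFIG}" || echo "* hard maxlogins 2" >> "${LIMITS_CONFIG}"`. In the two `if grep -c ...` tests above, `-c` prints the match count to the postinst's stdout while the exit status is all that is used; `grep -q` gives the same result without the noise. Note also that on Debian the `common-auth` and `common-password` files are normally generated by pam-auth-update, so a later pam-auth-update run may overwrite these direct edits or stop managing the file — worth confirming for deby and recording in a comment at the top of the bbappend.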