From patchwork Tue Sep 15 14:23:43 2020
X-Patchwork-Submitter: Venkata Pyla
X-Patchwork-Id: 11776747
From: "Venkata Pyla"
CC: venkata pyla
Subject: [cip-dev] [cip-core:deby 2/3] security-configuration: apply security policies using package bbappend
Date: Tue, 15 Sep 2020 19:53:43 +0530
Message-ID: <20200915142345.179-3-venkata.pyla@toshiba-tsip.com>
In-Reply-To: <20200915142345.179-1-venkata.pyla@toshiba-tsip.com>
References: <20200915142345.179-1-venkata.pyla@toshiba-tsip.com>

From: venkata pyla

add package bbappend files in the security layer that will apply the security configurations, e.g.:

Set password strength in pam configurations
Set audit failure actions in audit package configurations
etc.
Signed-off-by: venkata pyla --- .../audit/audit_debian.bbappend | 20 ++++++++++ .../base-files/base-files_debian.bbappend | 3 ++ .../openssh/openssh_debian.bbappend | 19 +++++++++ .../recipes-debian/pam/libpam_debian.bbappend | 39 +++++++++++++++++++ 4 files changed, 81 insertions(+) create mode 100644 meta-cip-security/recipes-debian/audit/audit_debian.bbappend create mode 100644 meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend create mode 100644 meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend create mode 100644 meta-cip-security/recipes-debian/pam/libpam_debian.bbappend diff --git a/meta-cip-security/recipes-debian/audit/audit_debian.bbappend b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend new file mode 100644 index 0000000..c148f27 --- /dev/null +++ b/meta-cip-security/recipes-debian/audit/audit_debian.bbappend @@ -0,0 +1,20 @@ +# +# CIP Security, tiny profile +# +# Copyright (c) Toshiba Corporation, 2020 +# +# SPDX-License-Identifier: MIT +# + +DESCRIPTION = "CIP Security customizations" + +pkg_postinst_audit_append() { + # CR2.9: Audit storage capacity + # CR2.9 RE-1: Warn when audit record storage capacity threshold reached + AUDIT_CONF_FILE="$D${sysconfdir}/audit/auditd.conf" + sed -i 's/space_left_action = .*/space_left_action = SYSLOG/' $AUDIT_CONF_FILE + sed -i 's/admin_space_left_action = .*/admin_space_left_action = SYSLOG/' $AUDIT_CONF_FILE + + # CR2.10: Response to audit processing failures + sed -i 's/disk_error_action = .*/disk_error_action = SYSLOG/' $AUDIT_CONF_FILE +} diff --git a/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend new file mode 100644 index 0000000..895dc9f --- /dev/null +++ b/meta-cip-security/recipes-debian/base-files/base-files_debian.bbappend @@ -0,0 +1,3 @@ +do_install_append() { + echo "${MACHINE}" > ${D}${sysconfdir}/hostname +} 
diff --git a/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend new file mode 100644 index 0000000..ddd2bfc --- /dev/null +++ b/meta-cip-security/recipes-debian/openssh/openssh_debian.bbappend @@ -0,0 +1,19 @@ +# +# CIP Security, tiny profile +# +# Copyright (c) Toshiba Corporation, 2020 +# +# SPDX-License-Identifier: MIT +# + +DESCRIPTION = "CIP Security customizations" + +pkg_postinst_${PN}_append() { + # CR2.6: Remote session termination + # Terminate remote session after inactive time period + SSHD_CONFIG="$D${sysconfdir}/ssh/sshd_config" + alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}") + alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}") + sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}" + sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}" +} diff --git a/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend new file mode 100644 index 0000000..c9c1605 --- /dev/null +++ b/meta-cip-security/recipes-debian/pam/libpam_debian.bbappend 
@@ -0,0 +1,39 @@ +# +# CIP Security, tiny profile +# +# Copyright (c) Toshiba Corporation, 2020 +# +# SPDX-License-Identifier: MIT +# + +DESCRIPTION = "CIP Security customizations" + +pkg_postinst_pam-plugin-cracklib_append() { + # CR1.7: Strength of password-based authentication + # Pam configuration to enforce password strength + PAM_PWD_FILE="$D${sysconfdir}/pam.d/common-password" + CRACKLIB_CONFIG="password requisite pam_cracklib.so retry=3 minlen=8 maxrepeat=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=3 gecoscheck=1 reject_username enforce_for_root" + if grep -c "pam_cracklib.so" "${PAM_PWD_FILE}";then + sed -i '/pam_cracklib.so/ s/^#*/#/' "${PAM_PWD_FILE}" + fi + sed -i "0,/^password.*/s/^password.*/${CRACKLIB_CONFIG}\n&/" "${PAM_PWD_FILE}" +} + +pkg_postinst_pam-plugin-tally2_append() { + # CR1.11: Unsuccessful login attempts + # Lock user account after unsuccessful login attempts + PAM_AUTH_FILE="$D${sysconfdir}/pam.d/common-auth" + pam_tally="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60" + if grep -c "pam_tally2.so" "${PAM_AUTH_FILE}";then + sed -i '/pam_tally2/ s/^#*/#/' "${PAM_AUTH_FILE}" + fi + sed -i "0,/^auth.*/s/^auth.*/${pam_tally}\n&/" "${PAM_AUTH_FILE}" +} + + +pkg_postinst_libpam_append() { + # CR2.7: Concurrent session control + # Limit the concurrent login sessions + LIMITS_CONFIG="$D${sysconfdir}/security/limits.conf" + echo "* hard maxlogins 2" >> ${LIMITS_CONFIG} +}
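Review bot: the `sed` patterns in the audit_debian.bbappend hunk are unanchored, so `s/space_left_action = .*/space_left_action = SYSLOG/` also matches the `admin_space_left_action` line as a substring; the result is only correct by coincidence because the next expression rewrites that line again. Anchor all three, e.g. `sed -i 's/^space_left_action = .*/space_left_action = SYSLOG/' "$AUDIT_CONF_FILE"`, and quote the variable as the other appends do. For CR2.10 it would also help to record in the comment why SYSLOG (a warning only) was chosen over the other `disk_error_action` values auditd offers, since that choice is what the requirement mapping rests on.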
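Review bot: the base-files_debian.bbappend hunk writes `${MACHINE}` into `/etc/hostname` unconditionally, which is not a security configuration, is not mentioned in the commit message, and lacks the CR reference and license header that the other three files carry; either document why it belongs in meta-cip-security or split it into a separate patch. The path should also be quoted (`"${D}${sysconfdir}/hostname"`) for consistency with the other appends.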
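Review bot: in the openssh_debian.bbappend hunk the captured line is reused as a regex (`sed -i "/${alive_interval}/c ClientAliveInterval 120"`), which fails in exactly the cases that matter: if sshd_config has no `ClientAliveInterval` line the variable is empty and `//c` aborts with "no previous regular expression", so CR2.6 is silently not applied; if it matches both a commented default and a real setting the variable contains a newline and the command is malformed. A direct `sed -i '/^#\?ClientAliveInterval/c ClientAliveInterval 120' "${SSHD_CONFIG}"` with an `echo >>` fallback when nothing matched is more robust. Separately, `ClientAliveCountMax 0` depends on a quirk: before OpenSSH 8.2 it dropped the connection at the first liveness probe regardless of the reply, which is what makes it behave as an inactivity timer here, but the 8.2 release notes changed it to disable connection termination entirely, so this setting stops working as soon as the Debian base ships a newer OpenSSH. Please note that dependency in the comment, or implement the inactivity timeout with a mechanism that is not a client-keepalive setting.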
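Review bot: in the libpam_debian.bbappend hunk the CR2.7 line `* hard maxlogins 2` does not restrict root, because limits.conf(5) states that wildcard and group entries are never applied to the root user; add an explicit `root hard maxlogins 2` if root is in scope. The `echo ... >> ${LIMITS_CONFIG}` is also not idempotent, so every re-run of the postinst appends another copy; guard it with `grep -q 'maxlogins' "${LIMITS_CONFIG}" || echo "* hard maxlogins 2" >> "${LIMITS_CONFIG}"`. Smaller points in the same file: `if grep -c ...` prints the match count into the postinst output where `grep -q` is the idiomatic test, and the inserts into common-auth and common-password sit in files that Debian's pam-auth-update manages, so this should be checked against a later pam-auth-update run (or shipped as a profile under /usr/share/pam-configs). Finally, pam_tally2 is deprecated upstream since Linux-PAM 1.4.0 in favour of pam_faillock, which is worth a comment next to the CR1.11 block so it is revisited when the base moves.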