...
Steps To Implement Security Scan Requirements#Vuls
Create directory
$ mkdir go-cve-dictionary-log goval-dictionary-log gost-log
|
Fetch NVD
$ docker run --rm -it \
-v $PWD:/go-cve-dictionary \
-v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \
vuls/go-cve-dictionary fetch nvd
|
Fetch OVAL
$ docker run --rm -it
\
\
-v $PWD:/goval-dictionary
\
\
-v $PWD/goval-dictionary-log:/var/log/goval-dictionary
\
\
vuls/goval-dictionary fetch ubuntu 16 17 18 19 20
|
Fetch gost
\ \ \
-v $PWD/gost-log:/var/log/gost
|
\
Create config.toml
[servers]
[servers.master]
host = "192.168.
251.
1622"
port = "22"
user = "test-user
"
keyPath = "
sshConfigPath = "/root/.ssh/config"
keyPath = "/root/.ssh/id_rsa"
# path to ssh private key in docker
|
Start vuls container to run tests
$ docker run --rm -it \
-v ~/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
-v $PWD/vuls-log:/var/log/vuls \
-v /etc/localtime:/etc/localtime:ro \
-e "TZ=Asia/Tokyo" \
vuls/vuls scan \
-v /etc/timezone:/etc/timezone:ro \
vuls/vuls scan \
-config=./config.toml
|
Get the report
$ docker run --rm -it
\
\
-v ~/.ssh:/root/.ssh:ro
\
\
-v $PWD:/vuls
\
\
-v $PWD/vuls-log:/var/log/vuls
\
\
-v /etc/localtime:/etc/localtime:ro
\
\
vuls/vuls report
\
\
-format-list
\
\
-config=./config.toml
|
Lynis/Kuber-Hunter
Create ~/validation/bluval/bluval-sdtfc.yaml to customize the Test
- os- k8sos: &os-name: lyniswhat: lynisoptional: "False"k8s: &k8s-name: kube-hunterwhat: kube-hunteroptional: "False"
- os
- k8s
os: &os
-
name: lynis
what: lynis
optional: "False"
k8s: &k8s
-
name: kube-hunter
what: kube-hunter
optional: "False"
|
Update ~/validation/bluval/volumes.yaml file
:# location of the ssh key to access the cluster:
# location of the ssh key to access the cluster
ssh_key_dir:
|
edge
# location of the k8s access files (config file, certificates, keys)
|
edge/'
# location of the customized variables.yaml
|
:edgeubuntu/validation/tests/variables.yaml'
|
target: '/opt/akraino/validation/tests/variables.yaml'
|
# location of the bluval-<blueprint>.yaml file
|
edgeubuntu/validation/bluval'
|
target: '/opt/akraino/validation/bluval'
|
# location on where to store the results on the local jumpserver
|
edge
target: '/opt/akraino/results'
|
# location on where to store openrc file
|
# parameters that will be passed to the container at each layer
|
# volumes mounted at all layers; volumes specific for a different layer are below
|
- - - results_dirhardware:-
- results_dir
hardware:
- ssh_key_dir
|
- - - - - - - - openrcsds:sdn:vim:
Update ~/validation/tests/variables.yaml file
### Input variables cluster's master host
|
<IP Address> # <IP Address> # cluster's master host address
|
username: <username> # login name to connect to cluster
|
password: <password> # login password to connect to cluster
|
ssh_keyfile: /root/.ssh/id_
|
rsa # Identity file for authenticationrsa # Identity file for authentication
|
Run Blucon
$ bash validation/bluval/blucon.sh sdtfc
|
Test Results
Insert Results URL
...
- KHV002
- KHV005
- KHV050
- CAP_NET_RAW Enabled
- Access to pod's secrets
Fix for KHV002
$ $ kubectl replace -f - <<EOF
|
apiVersion: rbac.authorization.k8s.io/v1
|
rbac.authorization.kubernetes.io/autoupdate: "false"
|
kubernetes.io/bootstrapping: rbac-defaults
|
name: system:public-info-viewer
|
Fix for KHV005, KHV050, Access to pod's secrets
$ $ kubectl replace -f - <<EOF
|
automountServiceAccountToken: false
|
Test Dashboards
Single pane view of how the test score looks like for the Blue print.
...