...
| View file | ||||
|---|---|---|---|---|
|
Pass (XX/XX test cases)
Vuls
Nexus URL:
PDH,IoT Gateway
There are 23 CVEs with a CVSS score >= 9.0. These are exceptions requested here:
Release 5: Akraino CVE Vulnerability Exception Request
Bluval Tests
Execute with reference to the following
Steps To Implement Security Scan Requirements
https://vuls.io/docs/en/tutorial-docker.html
There are 2 security related tests: lynis & vuls. And there are 2 k8s related tests: kube-hunter & conformance tests.
In this Blueprint, we test lynis & vuls, we do not test k8s related tests: because of not using k8s.
Also refer to Bluval User Guide, the procedure is to clone the files from http://gerrit.akraino.org/r/validation and execute them,
but a configuration file:Bluval/validation/docker/os/Dockerfile does not correspond to this OS version, we execute tests manually.
The Configuration file are only supported up to Ubuntu 18.
Vuls
We use Ubuntu 20.04, so we ran Vuls test as follows:
Create directory
$ mkdir ~/vuls $ cd ~/vuls $ mkdir go-cve-dictionary-log goval-dictionary-log gost-logFetch NVD
$ docker run --rm -it \ -v $PWD:/go-cve-dictionary \ -v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \ vuls/go-cve-dictionary fetch nvdFetch OVAL
$ docker run --rm -it \ -v $PWD:/goval-dictionary \ -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \ vuls/goval-dictionary fetch ubuntu 18 19 20Fetch gost
$ docker run --rm -i \ -v $PWD:/gost \ -v $PWD/gost-log:/var/log/gost \ vuls/gost fetch ubuntuCreate config.toml
[servers] [servers.master] host = "192.168.51.22" port = "22" user = "test-user" keyPath = "/root/.ssh/id_rsa" # path to ssh private key in dockerStart vuls container to run tests
$ docker run --rm -it \ -v ~/.ssh:/root/.ssh:ro \ -v $PWD:/vuls \ -v $PWD/vuls-log:/var/log/vuls \ -v /etc/localtime:/etc/localtime:ro \ -v /etc/timezone:/etc/timezone:ro \ vuls/vuls scan \ -config=./config.tomlGet the report
$ docker run --rm -it \ -v ~/.ssh:/root/.ssh:ro \ -v $PWD:/vuls \ -v $PWD/vuls-log:/var/log/vuls \ -v /etc/localtime:/etc/localtime:ro \ vuls/vuls report \ -format-list \ -config=./config.toml
Vuls
Nexus URL:
PDH,IoT Gateway
There are 23 CVEs with a CVSS score >= 9.0. These are exceptions requested here:
Release 5: Akraino CVE Vulnerability Exception Request
CVE-ID | CVSS | NVD | Fix/Notes | PACKAGES | ||||
CVE-2016-1585 | 9. | |||||||
CVE-ID | CVSS | NVD | Fix/Notes | PACKAGES | ||||
CVE-2016-1585 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2016-1585 | No fix available | apparmor | ||||
CVE-2017-18201 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-18201 | No fix available | libcdio17 | ||||
CVE-2017-7827 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-7827 | No fix available | libmozjs-52-0 | ||||
CVE-2018-5090 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5090 | Reported fixed in 58 and later version (installed), but still reported by Vuls | libmozjs-52-0 | ||||
CVE-2018-5126 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5126 | Reported fixed in 58 and later version (installed), but still reported by Vuls | libmozjs-52-0 | ||||
CVE-2018-5145 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5145 | Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls | libmozjs-52-0 | ||||
CVE-2018-5151 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5151 | Reported fixed in 60 and later version (installed), but still reported by Vuls | libmozjs-52-0 | ||||
CVE-2019-17041 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-17041 | No fix available | rsyslog | ||||
CVE-2019-17042 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-17042 | No fix available | rsyslog | ||||
CVE-2021-31870 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-31870 | No fix available | klibc-utils, libklibc | ||||
CVE-2021-31872 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-31872 | No fix available | klibc-utils, libklibc | ||||
CVE-2021-31873 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-31873 | No fix available | klibc-utils, libklibc | ||||
CVE-2021-39713 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-39713 | No fix available | linux-image-5.4.0-1055-raspi | ||||
CVE-2022-22822 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-22822 | install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version) | firefox | ||||
CVE-2022-22823 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-22823 | install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version) | firefox | 2016-1585 | No fix available | apparmor | |
CVE-2017-18201CVE-2022-22824 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20222017-22824 | install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version) | 18201 | No fix available | libcdio17firefox | ||
CVE-20222017-238527827 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20222017-238527827 | No fix availablefirefox, thunderbird | libmozjs-52-0 | ||||
CVE-20222018-239905090 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20222018-23990 | No fix available | 5090 | Reported fixed in 58 and later version (installed), but still reported by Vuls | libmozjs-52-0firefox, thunderbird | ||
CVE-20222018-252355126 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20222018-25235 | No fix available | firefox, thunderbird | CVE-2022-25236 | 5126 | Reported fixed in 58 and later version (installed), but still reported by Vuls | libmozjs-52-0 |
CVE-2018-5145 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20222018-25236 | No fix available | 5145 | Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls | libmozjs-52-0firefox, thunderbird | ||
CVE-20222018-253155151 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20222018-253155151 | Reported fixed in 60 and later version (installed), but still reported by Vuls | libmozjs-52-0 | ||||
CVE-2019-17041 | 9.8 | No fix available | firefox, thunderbird | CVE-2016-9180 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-20162019-918017041 | No fix available | libxml-twig-perlrsyslog |
CVE-2019-2043317042 | 9.18 | https://nvd.nist.gov/vuln/detail/CVE-2019-2043317042 | No fix available | aspell |
PC/Server for robot control
There are 30 CVEs with a CVSS score >= 9.0. These are exceptions requested here:
Release 5: Akraino CVE Vulnerability Exception Request
rsyslog | ||||
CVE-2021-31870 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-31870 | No fix available | klibc-utils, libklibc |
CVE-2021-31872 | 9.8 |
CVE-ID
CVSS
NVD
Fix/Notes
PACKAGES
CVE-2005-2541
| https://nvd.nist.gov/vuln/detail/CVE- |
| 2021- |
| 31872 | No fix available |
klibc-utils, libklibc |
CVE- |
2021- |
31873 |
9. |
8 | https://nvd.nist.gov/vuln/detail/CVE- |
| 2021- |
| 31873 | No fix available |
klibc-utils, libklibc |
CVE- |
2021- |
39713 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE- |
| 2021- |
| 39713 | No fix available |
linux-image-5.4.0-1055-raspi |
CVE- |
2022- |
22822 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE- |
| 2022- |
| 22822 | install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version) | firefox |
CVE- |
2022- |
22823 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE- |
| 2022- |
libtiff5
| 22823 | install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version) | firefox |
CVE-2022-22824 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE- |
| 2022- |
| 22824 | install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version) | firefox |
CVE- |
2022- |
23852 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE- |
| 2022- |
CVE-2019-8341
| 23852 | No fix available |
libc-bin, libc-dev-bin, libc-devtools, libc-l10n, libc6, libc6-dbg, libc6-dev, locales
firefox, thunderbird |
CVE-2022-23990 |
9.8 | https://nvd.nist.gov/vuln/detail/CVE- |
| 2022- |
| 23990 | No fix available |
firefox, thunderbird |
CVE- |
2022- |
25235 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE- |
| 2022- |
| 25235 | No fix available |
firefox, thunderbird |
CVE- |
2022- |
25236 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE- |
| 2022- |
| 25236 | No fix available |
firefox, |
thunderbird |
CVE- |
2022- |
25315 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE- |
python3.9
| 2022-25315 | No fix available | firefox, thunderbird |
CVE-2016-9180 | 9.1 |
CVE-2021-30473
| https://nvd.nist.gov/vuln/detail/CVE- |
| 2016- |
| 9180 | No fix available |
libxml-twig-perl |
CVE- |
2019- |
20433 | 9. |
1 | https://nvd.nist.gov/vuln/detail/CVE- |
| 2019- |
| 20433 | No fix available | aspell |
PC/Server for robot control
There are 30 CVEs with a CVSS score >= 9.0. These are exceptions requested here:
Release 5: Akraino CVE Vulnerability Exception Request
CVE-ID | CVSS | NVD | Fix/Notes | PACKAGES | ||||
CVE-2005-2541 | 10.0 | https: | libaom0 | CVE-2021-30475 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20212005-304752541 | No fix available | libaom0tar |
CVE-20212014-304982830 | 910.80 | https://nvd.nist.gov/vuln/detail/CVE-20212014-304982830 | No fix available | libcaca0cifs-utils | ||||
CVE-20212016-304991585 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20212016-304991585 | No fix available | libcaca0libapparmor1 | ||||
CVE-20212017-375617479 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20212017-3756 | install libmysofa 1.2.1 | 17479 | No fix available | libopenjp2-7libmysofa1 | ||
CVE-20212017-423779117 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20212017-423779117 | No fix available | busyboxlibtiff5 | ||||
CVE-20212018-4595113410 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20212018-4595113410 | No fix available | dnsmasqzip | ||||
CVE-20212019-459521010022 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20212019-459521010022 | No fix available | dnsmasqlibc-bin, libc-dev-bin, libc-devtools, libc-l10n, libc6, libc6-dbg, libc6-dev, locales | ||||
CVE-20212019-459538341 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20212019-459538341 | No fix available | dnsmasqpython3-jinja2 | ||||
CVE-20212020-4595427619 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20212020-4595427619 | No fix available | dnsmasqpython3.9 | ||||
CVE-2021-4595529462 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-4595529462 | No fix available | dnsmasqlibixml10, libupnp13 | ||||
CVE-2021-4595629921 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45956 | No fix available | 29921 | Reported fixed in python3.9 (installed), but still reported by Vuls | python3.9dnsmasq | ||
CVE-20222021-031830473 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20222021-0318 | unistall vim | 30473 | No fix available | libaom0vim | ||
CVE-20222021-2330330474 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20222021-2330330474 | No fix available | hostapd, wpasupplicantlibaom0 | ||||
CVE-20222021-2330430475 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20222021-2330430475 | No fix available | hostapd, wpasupplicantlibaom0 | ||||
CVE-2021-2294530498 | 9.18 | https://nvd.nist.gov/vuln/detail/CVE-2021-22945 | unistall curl | 30498 | No fix available | libcaca0curl | ||
CVE-2021-404830499 | 9.18 | https://nvd.nist.gov/vuln/detail/CVE-2021-404830499 | No fix available | libblas3, liblapack3libcaca0 | ||||
CVE-2021-434003756 | 9.18 | https://nvd.nist.gov/vuln/detail/CVE-2021-43400 | No fix available | bluez |
Lynis
...
...
...
...
...
...
| detail/CVE-2021-42377 | No fix available | busybox |
CVE-2021-45951 | 9.8 |
...
...
...
...
...
Lynis
Nexus URL(before fix):
Nexus URL(after fix):
The initial results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.
IoT Gateway
The Lynis Program Update test MUST pass with no errors.
| Code Block |
|---|
2022-11-22 07:46:44 Test: Checking for program update...
2022-11-22 07:46:44 Current installed version : 308
2022-11-22 07:46:45 Latest stable version : 308
2022-11-22 07:46:45 No Lynis update available. |
Fix: Download and run the latest Lynis directly on SUT.
Steps To Implement Security Scan Requirements#InstallandExecute
The following list of tests MUST complete as passing
| No. | Test | Result | Fix |
|---|---|---|---|
| 1 | Test: Checking PASS_MAX_DAYS option in /etc/login.defs | Result: max password age is 180 days | OK |
| 2 | Performing test ID AUTH-9328 (Default umask values) | Test: Checking /etc/profile.d directory Result: found /etc/profile.d, with one or more files in it Test: Checking /etc/profile Result: file /etc/profile exists Test: Checking umask value in /etc/profile Result: did not find umask in /etc/profile Result: found no umask. Please check if this is correct Test: Checking umask entries in /etc/passwd (pam_umask) Result: file /etc/passwd exists Test: Checking umask value in /etc/passwd Manual: one or more manual actions are required for further testing of this control/plugin Test: Checking /etc/login.defs Result: file /etc/login.defs exists Test: Checking umask value in /etc/login.defs Result: umask is 027, which is fine Hardening: assigned maximum number of hardening points for this item (2). Currently having 18 points (out of 30) Test: Checking /etc/init.d/functions Result: file /etc/init.d/functions does not exist Test: Checking /etc/init.d/rc Result: file /etc/init.d/rc does not exist Test: Checking /etc/init.d/rcS Result: file /etc/init.d/rcS does not exist | OK |
| 3 | Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) | Result: AllowUsers is not set |
The initial results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.
IoT Gateway
The Lynis Program Update test MUST pass with no errors.
| Code Block |
|---|
2022-03-29 22:55:42 Test: Checking for program update...
2022-03-29 22:55:43 Current installed version : 308
2022-03-29 22:55:43 Latest stable version : 307
2022-03-29 22:55:43 No Lynis update available. |
Fix: Download and run the latest Lynis directly on SUT.
Steps To Implement Security Scan Requirements#InstallandExecute
The following list of tests MUST complete as passing
| No. | Test | Result | Fix |
|---|---|---|---|
| 1 | Test: Checking PASS_MAX_DAYS option in /etc/login.defs | Result: password aging limits are not configured Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-] Hardening: assigned partial number of hardening points (0 of 1). Currently having 13 points (out of 28) | Set PASS_MAX_DAYS 180 in /etc/login.defs |
| 2 | Performing test ID AUTH-9328 (Default umask values) | Test: Checking umask value in /etc/login.defs Result: found umask 022, which could be improved Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-] | Set UMASK 027 in /etc/login.defs |
| 3 Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) 108 points (out of 217157) lynis/lynis/include/tests_snmp | Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config | ||
| 4 | Test: checking for file /etc/network/if-up.d/ntpdate | Result: file /etc/network/if-up.d/ntpdate does not exist Result: Found a time syncing daemon/client. Hardening: assigned maximum number of hardening points for this item (3). Currently having 149 points (out of 232) | OK |
| 5 | Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required | N/A | N/A |
| 5a | sysctl key fs.suid_dumpable contains equal expected and current value (0) | Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2 Hardening: assigned partial number of hardening points (0 of 1). Currently having 151 points (out of 247) | Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo 'fs.suid_dumpable=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a |grep suid |
| 5b | sysctl key kernel.dmesg_restrict contains equal expected and current value (1) | Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0 | Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo 'kernel.dmesg_restrict=1' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a |grep dmesg |
| 5c | sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0) | Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1 | Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo 'net.ipv4.conf.default.accept_source_route=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a |grep ipv4.conf.default.accept_source_route |
| 6 | Test: Check if one or more compilers can be found on the system | Result: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler' Hardening: assigned partial number of hardening points (1 of 3). Currently having 168 points (out of 280) | Uninstall gcc and remove /usr/bin/as |
...
| No. | Test | Result | Fix | ||||
|---|---|---|---|---|---|---|---|
| 1 | Test: Checking PASS_MAX_DAYS option in /etc/login.defs | Result: password aging limits are not configured | Set PASS_MAX_DAYS 180 in /etc/login.defs | ||||
| 2 | Performing test ID AUTH-9328 (Default umask values) | Result: found /etc/profile.d, with one or more files in it | OK | OK | |||
| 3 | Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) | 3 | Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) Result: AllowUsers is not set Result: AllowGroups is not set Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine. Hardening: assigned partial number of hardening points (0 of 1). Currently having 102 108 points (out of 155157) Security check: file is normal Checking permissions of /home/pi/lynis/lynis/include/tests_snmp File permissions are OK | Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config !要確認 →やり方を問い合わせ | |||
| 4 | Test: checking for file /etc/network/if-up.d/ntpdate | Result: file /etc/network/if-up.d/ntpdate does not exist Result: Found a time syncing daemon/client. Hardening: assigned maximum number of hardening points for this item (3). Currently having 111 117 points (out of 170172) | OK | ||||
| 5 | Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required | N/A | N/A | ||||
| 5a | sysctl key fs.suid_dumpable contains equal expected and current value (0) | Result: sysctl key fs.suid_dumpable contains equal expected and current value (0) | OK | 0) | OK | ||
| 5b | sysctl key | 5b | sysctl key kernel.dmesg_restrict contains equal expected and current value (1) | Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0 | Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo ' kernel.dmesg_restrict =1' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a |grep dmesgcontains equal expected and current value (1) | Result: sysctl key kernel.dmesg_restrict contains equal expected and current value (1) | OK |
| 5c | sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0) | Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo ' net.ipv4.conf.defaultall.accept_source_route =0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a |grep ipv4.conf.default.accept_source_routecontains equal expected and current value (0) | OK | ||||
| 6 | Test: Check if one or more compilers can be found on the system | 6 Performing test ID HRDN-7220 (Check if one or more compilers are installed)
| OK |