...

Test | Result | Applied Fixes | Comment

Lynis | Pass | 27 fixes applied, see Steps To Implement Security Scan Requirements | To maintain the pass result, the server must be restarted when a restart is required

Vuls | 8 CVEs with score > 9.0 on Ubuntu 18.04
  1. Performed the Vuls tests on two other distros as well:
     • Ubuntu 20.04: 4 CVEs with score > 9.0
     • CentOS 8: 3 CVEs with score > 9.0
  2. Manually installed libssh 0.9.4 to fix https://nvd.nist.gov/vuln/detail/CVE-2019-14889, but Vuls still shows the same CVE.
  3. The bluval code requires all CVEs to be fixed, no matter what the score is.

Kube-Hunter
  1. Remote cluster scan passes
  2. Remote node scan passes
  3. Scan from inside a Pod shows "fail", but this is not a true failure.

https://aquasecurity.github.io/kube-hunter/kb/KHV002.html

https://aquasecurity.github.io/kube-hunter/kb/KHV050.html

Disabled CAP_NET_RAW for default pod security context (a tough one to fix!)

KubeEdge edgecore only listens on localhost, so logs are not available from another machine.

Tried having edgecore listen on eth0, but kubectl logs still complains about the SSL certificate.

Workaround: nginx runs as a reverse proxy that listens on the k8s advertised IP and passes the traffic through to localhost. Added an SSL certificate.

Conformance
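
A check for the CAP_NET_RAW fix noted in the Kube-Hunter row, as an added example that is not part of the original page: it lists containers whose pod spec may still hold NET_RAW. It assumes the capability is dropped through each container's securityContext (the page does not say how the default was changed); the function names and the sample pod list are constructed for illustration.

```python
# Constructed sample shaped like `kubectl get pods -A -o json` output (not real cluster data).
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "web"}, "spec": {"containers": [
        {"name": "app", "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}},
        {"name": "sidecar"}]}},
    {"metadata": {"namespace": "default", "name": "job"}, "spec": {
        "initContainers": [{"name": "init", "securityContext": {
            "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}],
        "containers": [{"name": "main", "securityContext": {
            "capabilities": {"drop": ["ALL"], "add": ["CAP_NET_RAW"]}}}]}},
    {"metadata": {"namespace": "kube-system", "name": "agent"}, "spec": {"containers": [
        {"name": "agent", "securityContext": {"privileged": True,
                                              "capabilities": {"drop": ["ALL"]}}}]}},
]}

def _norm(cap):
    """Normalise a capability name: upper-case, without an optional CAP_ prefix."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap

def keeps_net_raw(container):
    """True if the container spec does not reliably drop NET_RAW."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    added = {_norm(c) for c in caps.get("add") or []}
    dropped = {_norm(c) for c in caps.get("drop") or []}
    if sc.get("privileged"):
        return True  # privileged containers keep every capability
    # Conservative: any re-add of NET_RAW or ALL is flagged, even if drop also lists it.
    if added & {"NET_RAW", "ALL"}:
        return True
    return not (dropped & {"NET_RAW", "ALL"})

def audit(pod_list):
    """Return sorted 'namespace/pod/container' names that may still hold NET_RAW."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        ns = meta.get("namespace", "default")
        for key in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(key) or []:
                if keeps_net_raw(c):
                    findings.append(f"{ns}/{meta['name']}/{c['name']}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result from `audit` on a real pod list means every container spec drops NET_RAW explicitly; a capability removed only at the container-runtime level would not be visible to this check.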


...