Release 3 Blueprint Scanning Status (Pre-Approval)
- Integrated Cloud Native (ICN) NFV/App stack family [Kuralamudhan Ramakrishnan, Igor Duarte Cardoso]
- Vuls: High:30 Medium:96 Low:27
- Lynis: https://logs.akraino.org/intel/bluval_results/icn/master/20200529-023728/results/os/lynis/lynis.log
- Kube-Hunter: Only 1 vulnerability found, in "Inside-a-Pod Scanning": CAP_NET_RAW
- Radio Edge Cloud (REC)
- Vuls: High:44 Medium:137 Low:47
- Lynis: https://wiki.akraino.org/download/attachments/18481239/lynis.log?version=1&modificationDate=1590586718000&api=v2
- Kube-Hunter:
  - KHV005 Access to API using service account token
  - KHV002 Kubernetes Version Disclosure
  - KHV050 Read access to pod's service account token
  - Local to Pod CAP_NET_RAW Enabled
  - Local to Pod Access to pod's secrets
- Connected Vehicle Blueprint [Thor Chin]
- This blueprint did not have output information from vuls, lynis or kube-hunter. I have sent an email to Thor Chin and Tapio Tallgren. This appears to be an issue with BluVal not executing the scans correctly.
- Vuls:
- Lynis:
- Kube-Hunter:
- ELIOT IoT Gateway Blueprint [Khemendra Kumar]
- Vuls: High:104 Medium:352 Low:74 https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/os/vuls/
- Lynis: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/os/lynis/
- Kube-Hunter: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/
- ELIOT SD-WAN/WAN Edge/uCPE Blueprint [Khemendra Kumar]
- Vuls: High:87 Medium:168 Low:62 https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/os/vuls/
- Lynis: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/os/lynis/
- Kube-Hunter: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/
- KNI Provider Access Edge [Yolanda Robla Mota]
- Running on OKD vs Kubernetes https://wiki.akraino.org/display/AK/KNI+PAE+Architecture+document
- Conformance tests used: https://wiki.akraino.org/display/AK/KNI+PAE+Test+document
- Vuls:
- Lynis:
- Kube-Hunter:
- Micro-MEC
- Scan output files are not currently available at https://wiki.akraino.org/display/AK/Release+3+Planning. I have emailed the PTL, Tapio Tallgren, to see if he can provide them.
- Vuls:
- Lynis:
- Kube-Hunter:
- School/Education Video Security Monitoring [Hechun Zhang and Liya Yu]
- This blueprint did not have output information from vuls, lynis or kube-hunter.
- This is the first release for the School/Education Video Security Monitoring blueprint; BluVal is not required.
- I have sent an email to Hechun Zhang and Liya Yu.
- Vuls:
- Lynis:
- Kube-Hunter:
- 5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint [Feng Yang]
- All scan logs: https://nexus.akraino.org/content/sites/logs/tencent/job/5g-mec-cloud-gaming-CD/security_scan/2/
- Vuls:
- Lynis:
- Kube-Hunter:
- Enterprise Applications on Lightweight 5G Telco Edge [Gaurav Agrawal]
- Vuls: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/os/vuls/
- Lynis: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/os/lynis/
- Kube-Hunter: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/k8s/kube-hunter/
- Public Cloud Edge Interface (PCEI) Blueprint [Oleg Berzin]
- This blueprint did not have output information from vuls, lynis or kube-hunter.
- This is the first release for the PCEI blueprint; BluVal is not required.
- I have sent an email to Oleg Berzin.
- Vuls:
- Lynis:
- Kube-Hunter:
Approved Blueprints
...
Vuls Scan
- Pass/Fail
- Exceptions
...
Lynis Scan
- Pass/Fail
- Exceptions
...
Kube-Hunter Scan
- Pass/Fail
- Exceptions
...
5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint
...
- Fail
- Total: 366 (High:83 Medium:212 Low:71 ?:0), 165/366 Fixed
...
- Pass
...
- Fail
- 1 vulnerability found, KHV002, The K8s version could be obtained from the /version endpoint
...
AI/ML and AR/VR applications at Edge
...
...
...
...
- Fail:
- 141 unfixed vulnerabilities
- (High:30 Medium:96 Low:27 ?:0), 12/153 Fixed
- Exceptions:
- We request exceptions for all outstanding vulnerabilities
- See Nexus Logs
...
- Pass
- See Nexus Logs
...
- Fail
- Only 1 vulnerability found, in "Inside-a-Pod Scanning": CAP_NET_RAW
- Exceptions:
- We request exception for CAP_NET_RAW vulnerability or remediation (fixes found seem to be on a per-pod basis, which is not enough)
- See Nexus Logs
...
...
...
...
...
...
Fail with Exceptions
0 CVEs are detected with OVAL
0 CVEs are detected with CPE
0 CVEs are detected with GitHub Security Alerts
0 exploits are detected
248 unfixed CVEs are detected with gost
Total: 228 (High:44 Medium:137 Low:47 ?:0), 0/228 Fixed, 824 installed, 0 updatable, 0 exploits, en: 5, ja: 0 alerts
...
Pass with Exceptions
Tests performed: 287
Total tests: 449
Active plugins: 2
Total plugins: 2
Warnings: 2
Found accounts without password [AUTH-9283]
https://cisofy.com/lynis/controls/AUTH-9283/
Note: these accounts are not allowed to logon.
YUM is not properly configured or registered for this platform (no repolist found) [PKGS-7383]
https://cisofy.com/lynis/controls/PKGS-7383/
Note: This is intentional to prevent anyone from installing software
...
Pass with Exceptions
All Critical Tests Passed
Cluster Remote Scanning Passed
Node Remote Scanning Passed
Inside-a-Pod Scanning Known Vulnerabilities Found
KHV005 Access to API using service account token
KHV002 Kubernetes Version Disclosure
KHV050 Read access to pod's service account token
Local to Pod CAP_NET_RAW Enabled
Local to Pod Access to pod's secrets
...
...
...
Pass
...
Pass
...
Pass: no k8s cluster as part of deployment at the moment
Approved Feature Projects
If the program uses only one programming language, just fill in the repo location in the "Repository" column.
If a project uses multiple programming languages, please list all of them and add a link in the "Repository" column for each programming language to show the sample code.
...
Akraino Blueprint Validation Framework
...
Akraino Portal Feature Project
...
...