Release 3 Blueprint Scanning Status (Pre-Approval)
- Integrated Cloud Native (ICN) NFV/App stack family [Kuralamudhan Ramakrishnan, Igor Duarte Cardoso]
- Vuls: High:30 Medium:96 Low:27
- Lynis: https://logs.akraino.org/intel/bluval_results/icn/master/20200529-023728/results/os/lynis/lynis.log
- Kube-Hunter: Only 1 vulnerability found, in "Inside-a-Pod Scanning": CAP_NET_RAW
- Radio Edge Cloud (REC)
- Vuls: High:44 Medium:137 Low:47
- Lynis: https://wiki.akraino.org/download/attachments/18481239/lynis.log?version=1&modificationDate=1590586718000&api=v2
- Kube-Hunter:
- KHV005 Access to API using service account token
- KHV002 Kubernetes Version Disclosure
- KHV050 Read access to pod's service account token
- Local to Pod CAP_NET_RAW Enabled
- Local to Pod Access to pod's secrets
- Connected Vehicle Blueprint [Thor Chin]
- This blueprint did not have output information from vuls, lynis or kube-hunter. I have sent an email to Thor Chin and Tapio Tallgren. This appears to be an issue with BluVal not executing the scans correctly.
- Vuls:
- Lynis:
- Kube-Hunter:
- ELIOT IoT Gateway Blueprint [Khemendra Kumar]
- Vuls: High:104 Medium:352 Low:74 https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/os/vuls/
- Lynis: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/os/lynis/
- Kube-Hunter: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/
- ELIOT SD-WAN/WAN Edge/uCPE Blueprint [Khemendra Kumar]
- Vuls: High:87 Medium:168 Low:62 https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/os/vuls/
- Lynis: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/os/lynis/
- Kube-Hunter: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/
- KNI Provider Access Edge [Yolanda Robla Mota]
- Running on OKD vs Kubernetes https://wiki.akraino.org/display/AK/KNI+PAE+Architecture+document
- Conformance tests used: https://wiki.akraino.org/display/AK/KNI+PAE+Test+document
- Vuls:
- Lynis:
- Kube-Hunter:
- Micro-MEC
- Scan output files are not currently available at https://wiki.akraino.org/display/AK/Release+3+Planning. I have emailed the PTL, Tapio Tallgren, to see if he can provide them.
- Vuls:
- Lynis:
- Kube-Hunter:
- School/Education Video Security Monitoring [Hechun Zhang and Liya Yu]
- This blueprint did not have output information from vuls, lynis or kube-hunter.
- This is the first release for the School/Education Video Security Monitoring blueprint; BluVal is not required.
- I have sent an email to Hechun Zhang and Liya Yu.
- Vuls:
- Lynis:
- Kube-Hunter:
- 5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint [Feng Yang]
- All scan logs: https://nexus.akraino.org/content/sites/logs/tencent/job/5g-mec-cloud-gaming-CD/security_scan/2/
- Vuls:
- Lynis:
- Kube-Hunter:
- Enterprise Applications on Lightweight 5G Telco Edge [Gaurav Agrawal]
- Vuls: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/os/vuls/
- Lynis: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/os/lynis/
- Kube-Hunter: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/k8s/kube-hunter/
- Public Cloud Edge Interface (PCEI) Blueprint [Oleg Berzin]
- This blueprint did not have output information from vuls, lynis or kube-hunter.
- This is the first release for the PCEI blueprint; BluVal is not required.
- I have sent an email to Oleg Berzin.
- Vuls:
- Lynis:
- Kube-Hunter:
Approved Blueprints
...
Vuls Scan
- Pass/Fail
- Exceptions
...
Lynis Scan
- Pass/Fail
- Exceptions
...
Kube-Hunter Scan
- Pass/Fail
- Exceptions
...
5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint
...
- Fail
- Total: 366 (High:83 Medium:212 Low:71 ?:0), 165/366 Fixed
- Exceptions provided for R3
...
- Pass/w Exceptions
...
- Fail
- 1 vulnerability found, KHV002, The K8s version could be obtained from the /version endpoint
- Exceptions provided for R3
...
AI/ML and AR/VR applications at Edge
...
...
...
...
...
High:87 Medium:168 Low:62
...
...
...
High:84 Medium:281 Low:59
https://nexus.akraino.org/content/sites/logs/juniper/validation/os/vuls/
...
https://nexus.akraino.org/content/sites/logs/juniper/validation/os/lynis/
...
...
- Fail:
- 141 unfixed vulnerabilities
- (High:30 Medium:96 Low:27 ?:0), 12/153 Fixed
- Exceptions:
- We request exceptions for all outstanding vulnerabilities
- See Nexus Logs
...
- Pass
- See Nexus Logs
...
- Fail
- Only 1 vulnerability found, in "Inside-a-Pod Scanning": CAP_NET_RAW
- Exceptions:
- We request an exception for the CAP_NET_RAW vulnerability, or remediation (fixes found seem to be on a per-pod basis, which is not enough)
- See Nexus Logs
...
...
...
...
Fail. We request an exception, as we are running OpenShift and not upstream Kubernetes, so we hit several failures: cluster.log, pod.log
https://logs.akraino.org/redhat-kni/bluval_results/blueprint-pae/20200423-071856/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/cluster.log , https://logs.akraino.org/redhat-kni/bluval_results/blueprint-pae/20200423-071856/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter
...
...
https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/1/vuls/
https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/1/lynis/
...
https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/1/kube-hunter/
...
...
Fail with Exceptions
0 CVEs are detected with OVA
0 CVEs are detected with CPE
0 CVEs are detected with GitHub Security Alerts
0 exploits are detected
248 unfixed CVEs are detected with gost
Total: 228 (High:44 Medium:137 Low:47 ?:0), 0/228 Fixed, 824 installed, 0 updatable, 0 exploits, en: 5, ja: 0 alerts
...
Pass with Exceptions
Tests performed: 287
Total tests: 449
Active plugins: 2
Total plugins: 2
Warnings: 2
Found accounts without password [AUTH-9283]
https://cisofy.com/lynis/controls/AUTH-9283/
Note: these accounts are not allowed to logon.
YUM is not properly configured or registered for this platform (no repolist found) [PKGS-7383]
https://cisofy.com/lynis/controls/PKGS-7383/
Note: This is intentional to prevent anyone from installing software
...
Pass with Exceptions
All Critical Tests Passed
Cluster Remote Scanning Passed
Node Remote Scanning Passed
Inside-a-Pod Scanning Known Vulnerabilities Found
KHV005 Access to API using service account token
KHV002 Kubernetes Version Disclosure
KHV050 Read access to pod's service account token
Local to Pod CAP_NET_RAW Enabled
Local to Pod Access to pod's secrets
...
...
...
Pass
...
Pass
...
Pass: no k8s cluster as part of deployment at the moment
...
High:84 Medium:294 Low:53
...
Hardening index : [57] [########### ]
...
cluster.log
KHV002 Information Disclosure
pod.log
...
Approved Feature Projects
If the project uses only one programming language, just fill in the repo location in the "Repository" column.
If a project uses multiple programming languages, please list all of them and add a link in the "Repository" column for each programming language to show the sample code.
...
Akraino Blueprint Validation Framework
...
Akraino Portal Feature Project
...
...