...
Release 4 (Target Date November 30, 2020) Incubation Requirements:
| Month | 6/2020 | 7/2020 | 8/2020 | 9/2020 | 10/2020 | 11/2020 | 12/2020 | 1/2021 |
|---|---|---|---|---|---|---|---|---|
| Release | Rel. 4 | |||||||
Security Requirement Update | v. 1.0 | |||||||
Minimum Security Requirement | v. 1.0 | |||||||
Maximum Security Requirement | v. 1.0 | |||||||
Release 4 Minimum Security Requirement Lock Out Window | ||||||||
Maturity Review: Security Requirements Criteria
...
Current Maturity Requirements:
| Month | 6/2020 | 7/2020 | 8/2020 | 9/2020 | 10/2020 | 11/2020 | 12/2020 | 1/2021 |
|---|---|---|---|---|---|---|---|---|
| Maturity Request | ||||||||
Security Requirement Update | v. 1.0 | |||||||
Minimum Security Requirement | v. 1.0 | v. 1.0 | v. 1.0 | v. 1.0 | v. 1.0 | v. 1.0 | ||
Maximum Security Requirement | v. 1.0 | v. 1.0 | v. 1.0 | v. 1.0 | v. 1.0 | v. 1.0 | ||
Release 4 Minimum Security Requirement Lock Out Window | ||||||||
Vuls
Vuls will be integrated with Blueprint Validation Framework (Bluval User Guide)
...
- Start Vuls container to run tests
- docker run --rm -it \ -v ~/.ssh:/root/.ssh:ro \ -v $PWD:/vuls \ -v $PWD/vuls-log:/var/log/vuls \ -v /etc/localtime:/etc/localtime:ro \ -e "TZ=Asia/Tokyo" \ vuls/vuls scan \ -config=./config.toml
- To get the report:
- $ docker run --rm -it -v ~/.ssh:/root/.ssh:ro -v $PWD:/vuls -v $PWD/vuls-log:/var/log/vuls -v /etc/localtime:/etc/localtime:ro -e "TZ=Asia/Tokyo" vuls/vuls report -config=./config.toml
- Write Bluval configuration file for security tests
- Push test results to LF Nexus
- Todo: How to tell test success or fail
- Todo: Sample Test result
- Show test results in Bluval UI
| Anchor | ||||
|---|---|---|---|---|
|
...
PASS/FAIL Criteria, v1.0
All Critical vulnerabilities detected by Vuls must be patched/fixed. Critical vulnerabilities are defined as a CVSS score of 9.0-10.0. After patches/fixes are applied, Vuls must be run again to verify that the vulnerability is no longer detected.
...
- Remarks = #<remark>
- Section = [<section name>]
- Option/value = <option name>=<value of option>
Lynis Incubation
...
: PASS/FAIL Criteria, v1.0
- The Lynis Program Update test MUST pass with no errors.
The following list of tests MUST complete as passing as described below.
In the lynis.log outputfile each test suite has one or more individual tests. The beginning and ending of a test suite is marked with "====". For example, the 'ID BOOT-5122' test suite should display:
020-04-08 15:36:28 ====
2020-04-08 15:36:28 Performing test ID BOOT-5122 (Check for GRUB boot password)
...2020-04-08 15:36:29 Hardening: assigned maximum number of hardening points for this item (3).
2020-04-08 15:36:29 ===If any tests in the test suit failed, there would be the following:
2020-04-08 15:36:29 Suggestion: <Description of failed test>
Also, the 'Hardening' line show above would not say 'assigned maximum number of hardening points', instead it would say 'assigned partial number of hardening points'.
| 1 | Test: Checking PASS_MAX_DAYS option in /etc/login.defs |
| 2 | Performing test ID BOOTAUTH-5122 (Check for GRUB boot password9328 (Default umask values) |
| 23 | Performing test ID BOOTSSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) |
| 4 | Test: checking for file /etc/network/if-up.d/ntpdate |
| 5 | Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required |
| 5a | sysctl key fs.suid_dumpable contains equal expected and current value (0) |
| 5b | sysctl key kernel.dmesg_restrict contains equal expected and current value (1) |
| 5c | sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0) |
| 6 | Test: Check if one or more compilers can be found on the system |
The lynis.log output file and exception requests for any of the items listed above that cannot be fixed must be sent to the security sub-committee.
| Anchor | ||||
|---|---|---|---|---|
|
- The Lynis Program Update test MUST pass with no errors.
The following list of tests MUST complete as passing as described below.
In the lynis.log outputfile each test suite has one or more individual tests. The beginning and ending of a test suite is marked with "====". For example, the 'ID BOOT-5122' test suite should display:
020-04-08 15:36:28 ====
2020-04-08 15:36:28 Performing test ID BOOT-5122 (Check for GRUB boot password)
...2020-04-08 15:36:29 Hardening: assigned maximum number of hardening points for this item (3).
2020-04-08 15:36:29 ===If any tests in the test suit failed, there would be the following:
2020-04-08 15:36:29 Suggestion: <Description of failed test>Also, the 'Hardening' line show above would not say 'assigned maximum number of hardening points', instead it would say 'assigned partial number of hardening points'.
| 1 | Performing test ID BOOT-5122 (Check for GRUB boot password) |
| 2 | Performing test ID BOOT-5184 (Check permissions for boot files/5184 (Check permissions for boot files/scripts) |
| 3 | Test: Checking presence /var/run/reboot-required.pkgs |
| 4 | Performing test ID AUTH-9228 (Check password file consistency with pwck) |
| 5 | Performing test ID AUTH-9229 (Check password hashing methods) |
| 6 | Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs |
| 7 | Test: Checking PASS_MAX_DAYS option in /etc/login.defs |
| 8 | Test: collecting accounts which have an expired password (last day changed + maximum change time) |
| 9 | Performing test ID AUTH-9328 (Default umask values) |
| 10 | Performing test ID FILE-6368 (Checking ACL support on root file system) |
| 11 | Performing test ID USB-2000 (Check USB authorizations) |
| 12 | Performing test ID USB-3000 (Check for presence of USBGuard) |
| 13 | Performing test ID PKGS-7370 (Checking for debsums utility) |
| 14 | Performing test ID PKGS-7388 (Check security repository in apt sources.list file) |
| 15 | Performing test ID SSH-7408 (Check SSH specific defined options) |
| 16 | Test: Checking AllowTcpForwarding in /tmp/lynis.ZotHQ7RQAj |
| 17 | Test: Checking ClientAliveCountMax in /tmp/lynis.ZotHQ7RQAj |
| 18 | Test: Checking ClientAliveInterval in /tmp/lynis.ZotHQ7RQAj |
| 19 | Test: Checking FingerprintHash in /tmp/lynis.ZotHQ7RQAj |
| 20 | Test: Checking IgnoreRhosts in /tmp/lynis.ZotHQ7RQAj |
| 21 | Test: Checking MaxAuthTries in /tmp/lynis.ZotHQ7RQAj |
| 22 | Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj |
| 23 | Test: Checking Port in /tmp/lynis.ZotHQ7RQAj |
| 24 | Test: Checking StrictModes in /tmp/lynis.ZotHQ7RQAj |
| 25 | Test: Checking TCPKeepAlive in /tmp/lynis.ZotHQ7RQAj |
| 26 | Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) |
| 27 | Test: checking for file /etc/network/if-up.d/ntpdate |
| 28 | Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) |
| 29 | Test: Check if one or more compilers can be found on the system |
...
The lynis.log output file and exception requests for any of the items listed above that cannot be fixed must be sent to the security sub-committee.
Kuber-Hunter
| Anchor | ||||
|---|---|---|---|---|
|
The kube-hunter vulnerabilities listed as 'Yes' in the 'Critical' column MUST be resolved.
...