Versions Compared

Old Version 43

changes.mady.by.user Thor Chin

Saved on

compared with

New Version 44

changes.mady.by.user Randy Stricklin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...


Project Name

Vuls Scan

  • Pass/Fail
  • Exceptions

Lynis Scan

  • Pass/Fail
  • Exceptions

Kube-Hunter Scan

  • Pass/Fail
  • Exceptions
1

5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint

  • Fail
    • Total: 366 (High:83 Medium:212 Low:71 ?:0), 165/366 Fixed
  • Exceptions provided for R3

vuls.log

  • Pass/w Exceptions

lynis.log

  • Fail
    • 1 vulnerability found, KHV002,  The K8s version could be obtained from the /version endpoint
  • Exceptions provided for R3

kube-hunter.log

2

AI/ML and AR/VR applications at Edge




3Connected Vehicle Blueprint

High:61 Medium:280 Low:58

https://nexus.akraino.org/content/sites/logs/ampere/cvb/logs/

Hardening index : 63 [ ############ ]

https://nexus.akraino.org/content/sites/logs/ampere/cvb/logs/

Kube-Hunter:  Exemption granted, this blueprint does not currently use Kubernetes per Thor Chin on 6/17/2020.
4Edge Video Processing


5ELIOT: Edge Lightweight and IoT Blueprint Family


6


7High:104 Medium:352 Low:74 https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/os/vuls/https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/os/lynis/

https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/

8

High:87 Medium:168 Low:62

https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/os/vuls/

https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/os/lynis/

https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/

9Network Cloud and TF Integration Project

High:84 Medium:281 Low:59

https://nexus.akraino.org/content/sites/logs/juniper/validation/os/vuls/

https://nexus.akraino.org/content/sites/logs/juniper/validation/os/lynis/

https://nexus.akraino.org/content/sites/logs/juniper/validation/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/

Approved with exceptions. 

Upgrading K8s components causes the Airship deployment to fail and the regional controller becomes incompatible. The development team was told to use a specific version of the regional controller and airship (as the older versions are stable and newer are in flux and fragile).  When the team upgraded to the new version as per the security team's suggestion, everything else fell apart.  Making this change will require several months of work as the development team has to upgrade a component at a time to bring everything to the latest version of code.

We will address this in the next release. 

10Integrated Cloud Native NFV/App stack family (Short term: ICN)
  • Fail:
    • 141 unfixed vulnerabilities
    • (High:30 Medium:96 Low:27 ?:0), 12/153 Fixed
  • Exceptions:
    • We request exceptions for all outstanding vulnerabilities
  • See Nexus Logs
  • Fail
    • Only 1 vulnerability found, in "Inside-a-Pod Scanning": CAP_NET_RAW
  • Exceptions:
    • We request exception for CAP_NET_RAW vulnerability or remediation (fixes found seem to be on a per-pod basis, which is not enough)
  • See Nexus Logs
11Integrated Edge Cloud (IEC) Blueprint Family


12


13


14

High:266 Medium:590 Low:106

IEC_Type3_vuls.log

IEC_Type3_lynis.log

First Release - Kube-Hunter security scan not required.
15

High:61 Medium:280 Low:58

https://nexus.akraino.org/content/sites/logs/ampere/iec-type4/logs/

Hardening index : 63 [ ############ ]

https://nexus.akraino.org/content/sites/logs/ampere/iec-type4/logs/

Kube-Hunter:  Exemption granted, this blueprint does not currently use Kubernetes per Thor Chin on 6/17/2020.
16

High:266 Medium:590 Low:106

https://nexus.akraino.org/content/sites/logs/bytedance/job/type5_security_scan/1/vuls.log

Hardening index : [63] [############ ]

https://nexus.akraino.org/content/sites/logs/bytedance/job/type5_security_scan/1/lynis.log

Kube-Hunter:  Exemption granted, this blueprint does not currently use Kubernetes.
17Kubernetes-Native Infrastructure (KNI) Blueprint Family

We have RHCOS on our cluster, so vuls doesn't apply to it

vuls-kni.log

lynis.log

Fail. We request for exception as we are running OpenShift and not upstream Kubernetes, so we hit several failures: cluster.log , pod.log

https://logs.akraino.org/redhat-kni/bluval_results/blueprint-pae/20200423-071856/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/cluster.log , https://logs.akraino.org/redhat-kni/bluval_results/blueprint-pae/20200423-071856/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter

18

Micro-MEC

First release - security scan not required.First release - security scan not required.First release - security scan not required.
19The AI Edge: School/Education Video Security Monitoring

https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/1/vuls/

https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/1/lynis/


https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/1/kube-hunter/

20Network Cloud Blueprint Family


21StarlingX Far Edge Distributed Cloud


22Telco Appliance Blueprint Family


23

Fail with Exceptions

0 CVEs are detected with OVA
0 CVEs are detected with CPE
0 CVEs are detected with GitHub Security Alerts
0 exploits are detected
248 unfixed CVEs are detected with gost
Total: 228
(High:44 Medium:137 Low:47 ?:0), 0/228 Fixed, 824
installed, 0 updatable, 0 exploits, en: 5, ja: 0 alerts

vuls.log

Pass with Exceptions

Tests performed: 287
Total tests: 449
Active plugins: 2
"Total plugins: 2
Warnings: 2"
Found accounts without password [AUTH-9283]
https://cisofy.com/lynis/controls/AUTH-9283/
Note: these accounts are not allowed to logon.
YUM is not properly configured or registered for this platform (no repolist found) [PKGS-7383]
https://cisofy.com/lynis/controls/PKGS-7383/
Note: This is intentional to prevent anyone from installing software

lynis.log

Pass with Exceptions

All Critical Tests Passed
Cluster Remote Scanning Passed
Node Remote Scanning Passed
Inside-a-Pod Scanning Known Vulnerablities Found

KHV005 Access to API using service account token
KHV002 Kubernetes Version Disclosure
KHV050 Read access to pod's service account token
Local to Pod CAP_NET_RAW Enabled
Local to Pod Access to pod's secrets

pod.log

cluster.log

24


25The AI Edge Blueprint Family


26

Time-Critical Edge Compute




27Public Cloud Edge Interface

Pass with exceptions

High:41 Medium:239 Low:32

https://nexus.akraino.org/content/sites/logs/cmti/job/vuls/

Pass with exceptions

Hardening index : 62 [############ ]

https://nexus.akraino.org/content/sites/logs/cmti/job/lynis/

No k8s cluster as part of deployment at the moment

28Enterprise Applications on Lightweight 5G Telco Edge

High:84 Medium:294 Low:53

https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/os/vuls/

Hardening index : [57] [########### ]

https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/os/lynis/

cluster.log

KHV002 Information Disclosure

pod.log

https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/k8s/kube-hunter/

29



30



...