SonarCloud

The procedure for setting up projects for SonarCloud scans can be found at the links below.

Java Code

...

Non-Java Code

How to: Set up Sonarcloud scans for non-Java projects

Scan Result

SonarQube scan results can be accessed from https://sonarcloud.io/organizations/akraino-edge-stack/projects

You should be able to log in with your LFID credentials, the same as you would use for Gerrit or Jenkins.

Bug Severity in SonarQube and mapping to Akraino security requirements

...

Vuls

Vuls will be integrated with the Blueprint Validation Framework (Bluval User Guide).

Below is the list of tasks for the integration.

Installation

Install Vuls containers (https://vuls.io/docs/en/install-with-docker.html). Vuls containers can be found at: https://hub.docker.com/u/vuls/

  • Install go-cve-dictionary, run "docker pull vuls/go-cve-dictionary"
  • Install goval-dictionary, run "docker pull vuls/goval-dictionary"
  • Install gost, run "docker pull vuls/gost"
  • Install vuls, run "docker pull vuls/vuls"

Set up and run

Detailed instructions can be found at https://vuls.io/docs/en/tutorial-docker.html

...

  • Start Vuls container to run tests
  • Write Bluval configuration file for security tests
  • Push test results to LF Nexus
    • Todo: How to tell test success or fail
    • Todo: Sample Test result
  • Show test results in Bluval UI

PASS/FAIL Criteria

All High and Medium vulnerabilities detected by Vuls must be patched/fixed.  After patches/fixes are applied Vuls must be run again to verify that the vulnerability is no longer detected.

Exceptions for vulnerabilities must be sent to the security sub-committee.

Lynis

Lynis must run on the SUT (System Under Test). The overall test framework will be similar to that of Vuls. For the Lynis installation, there are two options:

...

https://cisofy.com/documentation/lynis/get-started/

Install

yum install lynis

Run

lynis audit system

Report

After running, detailed test logs are stored in /var/log/lynis.log. The information for each test includes:

...

  • Remarks = #<remark>
  • Section = [<section name>]
  • Option/value = <option name>=<value of option>

PASS/FAIL Criteria

  1. The Lynis Program Update test MUST pass with no errors.
  2. The following list of tests MUST complete as passing as described below.

    In the lynis.log output file, each test suite has one or more individual tests. The beginning and ending of a test suite are marked with "====". For example, the 'ID BOOT-5122' test suite should display:

    2020-04-08 15:36:28 ====
    2020-04-08 15:36:28 Performing test ID BOOT-5122 (Check for GRUB boot password)
    ...
    2020-04-08 15:36:29 Hardening: assigned maximum number of hardening points for this item (3). 
    2020-04-08 15:36:29 ===

    If any test in the test suite failed, the log would contain the following:

    2020-04-08 15:36:29 Suggestion: <Description of failed test>

    Also, the 'Hardening' line shown above would not say 'assigned maximum number of hardening points'; instead it would say 'assigned partial number of hardening points'.

Performing test ID BOOT-5122 (Check for GRUB boot password)
Performing test ID BOOT-5184 (Check permissions for boot files/scripts)
Test: Checking presence /var/run/reboot-required.pkgs
Performing test ID AUTH-9228 (Check password file consistency with pwck)
Performing test ID AUTH-9229 (Check password hashing methods)
Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs
Test: Checking PASS_MAX_DAYS option in /etc/login.defs
Test: collecting accounts which have an expired password (last day changed + maximum change time)
Performing test ID AUTH-9328 (Default umask values)
Performing test ID FILE-6368 (Checking ACL support on root file system)
Performing test ID USB-2000 (Check USB authorizations)
Performing test ID USB-3000 (Check for presence of USBGuard)
Performing test ID PKGS-7370 (Checking for debsums utility)
Performing test ID PKGS-7388 (Check security repository in apt sources.list file)
Performing test ID SSH-7408 (Check SSH specific defined options)
Test: Checking AllowTcpForwarding in /tmp/lynis.ZotHQ7RQAj
Test: Checking ClientAliveCountMax in /tmp/lynis.ZotHQ7RQAj
Test: Checking ClientAliveInterval in /tmp/lynis.ZotHQ7RQAj
Test: Checking FingerprintHash in /tmp/lynis.ZotHQ7RQAj
Test: Checking IgnoreRhosts in /tmp/lynis.ZotHQ7RQAj
Test: Checking MaxAuthTries in /tmp/lynis.ZotHQ7RQAj
Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
Test: Checking Port in /tmp/lynis.ZotHQ7RQAj
Test: Checking StrictModes in /tmp/lynis.ZotHQ7RQAj
Test: Checking TCPKeepAlive in /tmp/lynis.ZotHQ7RQAj
Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
Test: checking for file /etc/network/if-up.d/ntpdate
Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile)
Test: Check if one or more compilers can be found on the system
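
The check described above, as an added example that is not Akraino or Bluval code: it splits lynis.log into test suites at the marker lines and fails a required test ID when its suite contains a "Suggestion:" line or a partial-points "Hardening:" line. The sample log is constructed, the function names are hypothetical, and reporting a required test that never appears in the log as MISSING is an assumption.

```python
import re

# Constructed sample in the lynis.log layout described above (not real scan output).
SAMPLE_LOG = """\
2020-04-08 15:36:28 ====
2020-04-08 15:36:28 Performing test ID BOOT-5122 (Check for GRUB boot password)
2020-04-08 15:36:29 Hardening: assigned maximum number of hardening points for this item (3).
2020-04-08 15:36:29 ===
2020-04-08 15:36:29 ====
2020-04-08 15:36:29 Performing test ID AUTH-9328 (Default umask values)
2020-04-08 15:36:30 Suggestion: constructed description of the failed umask check
2020-04-08 15:36:30 Hardening: assigned partial number of hardening points for this item (1 of 2).
2020-04-08 15:36:30 ===
"""
REQUIRED = ["BOOT-5122", "AUTH-9328", "SSH-7408"]  # subset of the list above

LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (.*)$")
TEST_ID = re.compile(r"Performing test ID ([A-Z0-9]+-\d+)")

def parse_suites(log_text):
    """Group log messages by test ID; '===' marker lines delimit suites."""
    suites, current = {}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        msg = m.group(1).strip() if m else ""   # lines without a timestamp are skipped
        tid = TEST_ID.match(msg)
        if msg.startswith("==="):
            current = None              # suite boundary: wait for the next test ID
        elif tid:
            current = suites.setdefault(tid.group(1), [])
        elif current is not None and msg:
            current.append(msg)
    return suites

def evaluate(log_text, required):
    """Return {test_id: 'PASS' | 'FAIL' | 'MISSING'} using the markers named above."""
    suites, verdicts = parse_suites(log_text), {}
    for tid in required:
        msgs = suites.get(tid)
        if msgs is None:
            verdicts[tid] = "MISSING"   # never ran, so it cannot count as passing
        elif any(s.startswith("Suggestion:") or
                 (s.startswith("Hardening:") and "partial number" in s) for s in msgs):
            verdicts[tid] = "FAIL"
        else:
            verdicts[tid] = "PASS"
    return verdicts

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG, REQUIRED))
```

The suites are keyed by test ID only, so the "Test: ..." entries in the list above are covered through the suite that contains them.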


Jira tickets tracking integration with Bluval:

https://jira.akraino.org/secure/RapidBoard.jspa?rapidView=5&projectKey=VAL&view=detail&selectedIssue=VAL-79

https://jira.akraino.org/secure/RapidBoard.jspa?rapidView=5&projectKey=VAL&view=detail&selectedIssue=VAL-80