Table of Contents |
---|
Vuls
Vuls will be integrated with Blueprint Validation Framework (Bluval User Guide)
...
Exceptions for vulnerabilities must be sent to the security sub-committee.
Lynis
Lynis requires to run on SUT (System Under Test). The overall test framework will the similar to that of Vuls. As to the Lynis installation, there are two options:
...
1 | Performing test ID BOOT-5122 (Check for GRUB boot password) |
2 | Performing test ID BOOT-5184 (Check permissions for boot files/scripts) |
3 | Test: Checking presence /var/run/reboot-required.pkgs |
4 | Performing test ID AUTH-9228 (Check password file consistency with pwck) |
5 | Performing test ID AUTH-9229 (Check password hashing methods) |
6 | Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs |
7 | Test: Checking PASS_MAX_DAYS option in /etc/login.defs |
8 | Test: collecting accounts which have an expired password (last day changed + maximum change time) |
9 | Performing test ID AUTH-9328 (Default umask values) |
10 | Performing test ID FILE-6368 (Checking ACL support on root file system) |
11 | Performing test ID USB-2000 (Check USB authorizations) |
12 | Performing test ID USB-3000 (Check for presence of USBGuard) |
13 | Performing test ID PKGS-7370 (Checking for debsums utility) |
14 | Performing test ID PKGS-7388 (Check security repository in apt sources.list file) |
15 | Performing test ID SSH-7408 (Check SSH specific defined options) |
16 | Test: Checking AllowTcpForwarding in /tmp/lynis.ZotHQ7RQAj |
17 | Test: Checking ClientAliveCountMax in /tmp/lynis.ZotHQ7RQAj |
18 | Test: Checking ClientAliveInterval in /tmp/lynis.ZotHQ7RQAj |
19 | Test: Checking FingerprintHash in /tmp/lynis.ZotHQ7RQAj |
20 | Test: Checking IgnoreRhosts in /tmp/lynis.ZotHQ7RQAj |
21 | Test: Checking MaxAuthTries in /tmp/lynis.ZotHQ7RQAj |
22 | Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj |
23 | Test: Checking Port in /tmp/lynis.ZotHQ7RQAj |
24 | Test: Checking StrictModes in /tmp/lynis.ZotHQ7RQAj |
25 | Test: Checking TCPKeepAlive in /tmp/lynis.ZotHQ7RQAj |
26 | Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) |
27 | Test: checking for file /etc/network/if-up.d/ntpdate |
28 | Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) |
29 | Test: Check if one or more compilers can be found on the system |
...
Kuber-Hunter
PASS/FAIL Criteria
The kube-hunter vulnerabilities listed as 'Yes' in the 'Critical' column MUST be resolved.
...