- Performing test ID AUTH-9229 (Check password hashing methods) ## Not possible; changing it will impact the SHA_MIN_CRYPT_ROUNDS test. Currently using the maximum-security hashing method, SHA512.
- Performing test ID USB-2000 (Check USB authorizations) ## N/A: using cloud VMs, no bare metal involved.
- Performing test ID USB-3000 (Check for presence of USBGuard) ## N/A: using cloud VMs, no bare metal involved.
- Test: Checking MaxSessions ## MaxSessions is set to 4, which is the bare minimum that can be used.
- Test: Checking Port ## Cannot be changed during testing: BluVal requires SSH on tcp/22. This port should be changed after testing, but prior to production.
The following exceptions must be fixed prior to maturity review:
- sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
- sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
- sysctl key kernel.yama.ptrace_scope has a different value than expected in scan profile. Expected=1 2 3, Real=0
- sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
- sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
- sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
- sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
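As an added re-check of the sysctl findings above (this is not part of the scan output, nor a BluVal or Lynis script), the following POSIX shell function compares a host's sysctl values, fed in `sysctl -a` format on stdin, against the expected values listed in those findings and prints each drifted key in the same Expected/Real form; the sample input is constructed to mirror the scanned host.

```shell
# Expected profile from the findings above: "key acceptable-values", where several
# space-separated values are all acceptable (ptrace_scope accepts 1, 2 or 3).
PROFILE='
kernel.kptr_restrict 2
kernel.sysrq 0
kernel.yama.ptrace_scope 1 2 3
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.default.log_martians 1
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
'

# check_profile: reads "key = value" lines (the format of `sysctl -a`) on stdin and
# prints one line per key that is missing or outside its accepted values; no
# output means the host matches. Live use:  sysctl -a 2>/dev/null | check_profile
check_profile() {
    current=$(cat)
    printf '%s\n' "$PROFILE" | while read -r key expected; do
        [ -n "$key" ] || continue
        real=$(printf '%s\n' "$current" | awk -v k="$key" '$1 == k { print $3; exit }')
        if [ -z "$real" ]; then
            printf '%s: not present on host\n' "$key"
            continue
        fi
        ok=0
        for e in $expected; do
            if [ "$real" = "$e" ]; then ok=1; fi
        done
        [ "$ok" -eq 1 ] || printf '%s: Expected=%s, Real=%s\n' "$key" "$expected" "$real"
    done
}

# Constructed sample in sysctl -a format mirroring the host scanned above (not a
# real capture); check_profile reports the five drifted keys, including ptrace_scope.
SAMPLE='kernel.kptr_restrict = 0
kernel.sysrq = 16
kernel.yama.ptrace_scope = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.log_martians = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.default.accept_redirects = 1'
printf '%s\n' "$SAMPLE" | check_profile
```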
The following exceptions must be fixed prior to maturity review:
- CAP_NET_RAW Enabled: CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.