No.

Project Name

PTL

Main Committer

Self-Certification Page

Documentation Sub-Committee

Ike Alisson

Logs (Vuls, Lynis, KubeHunter)

Process Sub-Committee

Biswajit De

haihui wang

1

The AI Edge: School/Education Video Security Monitoring


Maturity Review Certification of Video Security Monitoring Blueprint

Maturity Review performed over e-mail on May 5th, 2021. Link to the overview: 2021 year

https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/4/result/


2

IEC Type 2 for Integrated Edge Cloud (IEC) Blueprint Family


Integration Edge Cloud Type 1 and Type 2 Release 2 Maturity Review Certification





3

The AI Edge: Intelligent Vehicle-Infrastructure Cooperation System(I-VICS)

Maturity Review Certification of I-VICS






4

IEC Type 5: SmartNIC for Integrated Edge Cloud (IEC) Blueprint Family

jin peng

Maturity Review Certification of SmartNIC

Documentation Review Meeting notes

socnoc - Akraino - Akraino Confluence


5

IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family

Maturity Review Certification of Android Cloud

Documentation Review Meeting notes

 

https://nexus.akraino.org/content/sites/logs/ysemi/job/v1/validation_results_v5/

 

https://nexus.akraino.org/content/sites/logs/ysemi/job/v1/validation_results_v6/

 

 

Lynis:

Performing test ID BOOT-5122 (Check for GRUB boot password): FAILED
2022-05-17 10:21:58 Result: file is owned by our current user ID (0), checking if it is readable
2022-05-17 10:21:58 Result: file /etc/grub.d/05_debian_theme is readable (or directory accessible).
2022-05-17 10:21:58 Result: did not find hashed password line in this file
2022-05-17 10:21:58 Result: Didn't find hashed password line in GRUB configuration
2022-05-17 10:21:58 Suggestion: Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [test:BOOT-5122] [details:-] [solution:-]

Test: Checking presence /var/run/reboot-required.pkgs: FAILED
2022-05-17 10:22:02 Result: file /var/run/reboot-required.pkgs exists
2022-05-17 10:22:02 Result: reboot is needed, related to 4 packages
2022-05-17 10:22:02 Package: 4
2022-05-17 10:22:02 Result: /boot exists, performing more tests from here
2022-05-17 10:22:02 Result: found /boot/vmlinuz
2022-05-17 10:22:02 Result: found a symlink, retrieving destination
2022-05-17 10:22:02 Result: destination file is vmlinuz-4.15.0-177-generic
2022-05-17 10:22:02 Result: version derived from file name is '4.15.0-177-generic'
2022-05-17 10:22:02 Result: found version 4.15.0-177-generic
2022-05-17 10:22:02 Result: active kernel version 4.15.0-166-generic
2022-05-17 10:22:02 Result: reboot needed, as there is a difference between active kernel and the one on disk
2022-05-17 10:22:02 Result: /var/cache/apt/archives/ does not exist
2022-05-17 10:22:02 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]

Performing test ID AUTH-9229 (Check password hashing methods): FAILED
2022-05-17 10:22:02 Result: poor password hashing methods found: sha256crypt/sha512crypt(default<=5000rounds)
2022-05-17 10:22:02 Suggestion: Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [test:AUTH-9229] [details:-] [solution:-]

Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs: FAILED
2022-05-17 10:22:02 Result: low number of maximum encryption algorithm rounds found: 5000

Performing test ID USB-2000 (Check USB authorizations): FAILED
2022-05-17 10:22:04 Result: Some USB devices are authorized by default (or temporary) to connect to the system

Performing test ID USB-3000 (Check for presence of USBGuard): FAILED
2022-05-17 10:22:04 Result: USBGuard not found

Performing test ID SSH-7408 (Check SSH specific defined options): FAILED
2022-05-17 10:22:39 Result: Option AllowTcpForwarding found
2022-05-17 10:22:39 Result: Option AllowTcpForwarding value is YES
2022-05-17 10:22:39 Result: OpenSSH option AllowTcpForwarding is in a weak configuration state and should be fixed
2022-05-17 10:22:39 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-]
2022-05-17 10:22:39 Result: Option MaxSessions found
2022-05-17 10:22:39 Result: Option MaxSessions value is 4
2022-05-17 10:22:39 Result: OpenSSH option MaxSessions is configured reasonably
2022-05-17 10:22:39 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:MaxSessions (set 4 to 2)] [solution:-]
2022-05-17 10:22:39 Result: Option PermitRootLogin found
2022-05-17 10:22:39 Result: Option PermitRootLogin value is YES
2022-05-17 10:22:39 Result: OpenSSH option PermitRootLogin is in a weak configuration state and should be fixed
2022-05-17 10:22:39 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:PermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))] [solution:-]
2022-05-17 10:22:39 Result: Option Port found
2022-05-17 10:22:39 Result: Option Port value is 22
2022-05-17 10:22:39 Result: OpenSSH option Port is in a weak configuration state and should be fixed
2022-05-17 10:22:39 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:Port (set 22 to )] [solution:-]
2022-05-17 10:22:40 Result: Option X11Forwarding found
2022-05-17 10:22:40 Result: Option X11Forwarding value is YES
2022-05-17 10:22:40 Result: OpenSSH option X11Forwarding is in a weak configuration state and should be fixed
2022-05-17 10:22:40 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:X11Forwarding (set YES to NO)] [solution:-]

Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile): FAILED
2022-05-17 10:23:32 Result: key hw.kbd.keymap_restrict_change does not exist on this machine
2022-05-17 10:23:32 Result: key kern.sugid_coredump does not exist on this machine
2022-05-17 10:23:32 Result: key kernel.core_setuid_ok does not exist on this machine
2022-05-17 10:23:32 Result: sysctl key kernel.core_uses_pid has a different value than expected in scan profile. Expected=1, Real=0
2022-05-17 10:23:32 Result: key kernel.exec-shield-randomize does not exist on this machine
2022-05-17 10:23:32 Result: key kernel.exec-shield does not exist on this machine
2022-05-17 10:23:32 Result: sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=1
2022-05-17 10:23:32 Result: key kernel.suid_dumpable does not exist on this machine
2022-05-17 10:23:32 Result: sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=176
2022-05-17 10:23:32 Result: sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
2022-05-17 10:23:32 Result: sysctl key net.ipv4.conf.all.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2022-05-17 10:23:32 Result: sysctl key net.ipv4.conf.all.send_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-05-17 10:23:33 Result: sysctl key net.ipv4.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-05-17 10:23:33 Result: sysctl key net.ipv4.conf.default.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2022-05-17 10:23:33 Result: sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-05-17 10:23:33 Result: key net.ipv6.conf.all.send_redirects does not exist on this machine
2022-05-17 10:23:33 Result: sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1


 

Approved by Process Sub-Committee.

Tina Tsou
6

Smart Cities




https://nexus.akraino.org/content/sites/logs/myais/bluval/3/

Lynis:

Performing test ID AUTH-9228 (Check password file consistency with pwck): FAILED
2022-05-20 01:19:27 Result: pwck found one or more errors/warnings in the password file.
2022-05-20 01:19:27 Suggestion: Run pwck manually and correct any errors in the password file [test:AUTH-9228] [details:-] [solution:-]


Performing test ID AUTH-9229 (Check password hashing methods): NOT PRESENT IN THIS LOG


Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs: NOT PRESENT IN THIS LOG


Test: collecting accounts which have an expired password (last day changed + maximum change time): NOT PRESENT IN THIS LOG


Performing test ID FILE-6368 (Checking ACL support on root file system): NOT PRESENT IN THIS LOG


Performing test ID USB-3000 (Check for presence of USBGuard): FAILED
2022-05-20 01:19:28 Result: USBGuard not found


Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile): FAILED
2022-05-20 01:19:43 Result: sysctl key dev.tty.ldisc_autoload has a different value than expected in scan profile. Expected=0, Real=1
2022-05-20 01:19:43 Result: key fs.protected_fifos does not exist on this machine
2022-05-20 01:19:43 Result: key fs.protected_hardlinks does not exist on this machine
2022-05-20 01:19:43 Result: key fs.protected_regular does not exist on this machine
2022-05-20 01:19:43 Result: key fs.protected_symlinks does not exist on this machine
2022-05-20 01:19:43 Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
2022-05-20 01:19:43 Result: key hw.kbd.keymap_restrict_change does not exist on this machine
2022-05-20 01:19:43 Result: key kernel.core_setuid_ok does not exist on this machine
2022-05-20 01:19:43 Result: sysctl key kernel.core_uses_pid has a different value than expected in scan profile. Expected=1, Real=0
2022-05-20 01:19:43 Result: key kernel.exec-shield does not exist on this machine
2022-05-20 01:19:43 Result: key kernel.exec-shield-randomize does not exist on this machine
2022-05-20 01:19:43 Result: sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=1
2022-05-20 01:19:43 Result: key kernel.maps_protect does not exist on this machine
2022-05-20 01:19:43 Result: sysctl key kernel.modules_disabled has a different value than expected in scan profile. Expected=1, Real=0
2022-05-20 01:19:43 Result: key kernel.suid_dumpable does not exist on this machine
2022-05-20 01:19:43 Result: sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=176
2022-05-20 01:19:43 Result: sysctl key kernel.unprivileged_bpf_disabled has a different value than expected in scan profile. Expected=1, Real=2
2022-05-20 01:19:43 Result: sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
2022-05-20 01:19:43 Result: sysctl key net.ipv4.conf.all.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2022-05-20 01:19:43 Result: sysctl key net.ipv4.conf.all.send_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-05-20 01:19:43 Result: sysctl key net.ipv4.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-05-20 01:19:43 Result: sysctl key net.ipv4.conf.default.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2022-05-20 01:19:43 Result: sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-05-20 01:19:43 Result: key net.ipv6.conf.all.send_redirects does not exist on this machine
2022-05-20 01:19:44 Result: sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1




