...

  1. Create directory

    $ mkdir ~/vuls
    $ cd ~/vuls
    $ mkdir go-cve-dictionary-log goval-dictionary-log gost-log
    


  2. Fetch NVD

    $ docker run --rm -it \
        -v $PWD:/go-cve-dictionary \
        -v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \
        vuls/go-cve-dictionary fetch nvd --http-proxy $http_proxy
    


  3. Fetch OVAL

    $ docker run --rm -it \
         -v $PWD:/goval-dictionary \
         -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
         vuls/goval-dictionary fetch ubuntu 14 16 18 19 20 --http-proxy $http_proxy
    


  4. Fetch gost

    $ docker run --rm -it \
        -e http_proxy=$http_proxy \
        -e https_proxy=$https_proxy \
        -v $PWD:/gost \
        -v $PWD/gost-log:/var/log/gost \
        vuls/gost fetch ubuntu --http-proxy $http_proxy


  5. Create config.toml

    [servers]
    
    [servers.master]
    host = "192.168.51.22"
    port = "22"
    user = "test-user"
    keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker
    


  6. Start vuls container to run tests

    $ docker run --rm -it \
        -v ~/.ssh:/root/.ssh:ro \
        -v $PWD:/vuls \
        -v $PWD/vuls-log:/var/log/vuls \
        -v /etc/localtime:/etc/localtime:ro \
        -v /etc/timezone:/etc/timezone:ro \
        vuls/vuls scan \
        -config=./config.toml \
        --http-proxy $http_proxy


  7. Get the report

    $ docker run --rm -it \
        -v ~/.ssh:/root/.ssh:ro \
        -v $PWD:/vuls \
        -v $PWD/vuls-log:/var/log/vuls \
        -v /etc/localtime:/etc/localtime:ro \
        vuls/vuls report \
        -format-list \
        -config=./config.toml \
        --http-proxy $http_proxy


Lynis/Kube-Hunter
  1. Create ~/validation/bluval/bluval-sdtfc.yaml to customize the test run

    blueprint:
        name: sdtfc
        layers:
            - k8s
            - os
        k8s: &k8s
        -
            name: kube-hunter
            what: kube-hunter
            optional: "False"
        os: &os
        -
            name: lynis
            what: lynis
            optional: "False"


  2. Update ~/validation/bluval/volumes.yaml file

    volumes:
        # location of the ssh key to access the cluster
        ssh_key_dir:
            local: '/home/ubuntu/.ssh'
            target: '/root/.ssh'
        # location of the k8s access files (config file, certificates, keys)
        kube_config_dir:
            local: '/home/ubuntu/kube'
            target: '/root/.kube/'
        # location of the customized variables.yaml
        custom_variables_file:
            local: '/home/ubuntu/validation/tests/variables.yaml'
            target: '/opt/akraino/validation/tests/variables.yaml'
        # location of the bluval-<blueprint>.yaml file
        blueprint_dir:
            local: '/home/ubuntu/validation/bluval'
            target: '/opt/akraino/validation/bluval'
        # location on where to store the results on the local jumpserver
        results_dir:
            local: '/home/ubuntu/results'
            target: '/opt/akraino/results'
        # location on where to store openrc file
        openrc:
            local: ''
            target: '/root/openrc'
    
    # parameters that will be passed to the container at each layer
    layers:
        # volumes mounted at all layers; volumes specific for a different layer are below
        common:
            - custom_variables_file
            - blueprint_dir
            - results_dir
        hardware:
            - ssh_key_dir
        os:
            - ssh_key_dir
        networking:
            - ssh_key_dir
        docker:
            - ssh_key_dir
        k8s:
            - ssh_key_dir
            - kube_config_dir
        k8s_networking:
            - ssh_key_dir
            - kube_config_dir
        openstack:
            - openrc
        sds:
        sdn:
        vim:
    


  3. Update ~/validation/tests/variables.yaml file

    ### Input variables cluster's master host
    host: <IP Address>             # cluster's master host address
    username: <username>            # login name to connect to cluster
    password: <password>         # login password to connect to cluster
    ssh_keyfile: /root/.ssh/id_rsa        # Identity file for authentication
    


  4. Run Blucon

    $ bash validation/bluval/blucon.sh sdtfc
    


...

Vuls results (manual) Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-vuls/12/

Lynis results (manual) Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-lynis/2/

Kube-Hunter results Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-bluval/1/

Vuls

Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-vuls/12/

There are 4 CVEs with a CVSS score >= 9.0. These are the exceptions requested here:

Release 7: Akraino CVE and KHV Vulnerability Exception Request

201615859820161585No fix

No fix available (for zlib1g, zlib1g-dev) (09/2022)

1:1.2.11.dfsg-2ubuntu1.5 is released, we need to upgrade. (12/2022)
CVE-ID | CVSS | NVD | Fix/Notes
CVE-2022-3643 | 10.0 | https://nvd.nist.gov/vuln/detail/CVE-2022-3643

Fix not yet available

Ubuntu CVE record

CVE-20222016-031815859.8https://nvd.nist.gov/vuln/detail/CVE-20222016-03181585

No fix Fix not yet available

Ubuntu CVE record

CVE-2022-192703189.8https://nvd.nist.gov/vuln/detail/CVE-2022-19270318

Fix not yet available

Ubuntu CVE record

CVE-2022-2038536499.8https://nvd.nist.gov/vuln/detail/CVE-2022-20385

No fix available

Ubuntu CVE record

CVE-2022-37434 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-37434

Fix not yet available

Ubuntu CVE record
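The ">= 9.0" triage above can be reproduced from the Vuls JSON report instead of by reading the `-format-list` output by hand. This is an added example, not code from the page or the Vuls project; it assumes the report layout shown in the constructed sample (`scannedCves`, `cveContents[source][].cvss3Score`, `affectedPackages[].notFixedYet`), which should be verified against the Vuls version in use.

```python
import json

# Constructed sample in the shape of a Vuls JSON report (assumption: the keys
# scannedCves / cveContents / cvss3Score / affectedPackages / notFixedYet follow
# Vuls' report layout; verify against the Vuls version you run). IDs, scores and
# package names are made up for this example.
SAMPLE_REPORT = json.dumps({
    "serverName": "master",
    "scannedCves": {
        "CVE-0000-0001": {"cveContents": {"nvd": [{"cvss3Score": 10.0}]},
                          "affectedPackages": [{"name": "pkg-a", "notFixedYet": True}]},
        "CVE-0000-0002": {"cveContents": {"nvd": [{"cvss3Score": 9.8}],
                                          "ubuntu": [{"cvss3Score": 7.5}]},
                          "affectedPackages": [{"name": "pkg-b", "notFixedYet": False}]},
        "CVE-0000-0003": {"cveContents": {"nvd": [{"cvss2Score": 7.2}]},
                          "affectedPackages": [{"name": "pkg-c", "notFixedYet": True}]},
        "CVE-0000-0004": {"cveContents": {}, "affectedPackages": []},  # unscored
    },
})

def max_score(vuln: dict) -> float:
    """Worst CVSS v3 score across all sources; fall back to v2; 0.0 if unscored."""
    contents = [c for src in vuln.get("cveContents", {}).values() for c in src]
    v3 = [c["cvss3Score"] for c in contents if c.get("cvss3Score")]
    v2 = [c["cvss2Score"] for c in contents if c.get("cvss2Score")]
    return max(v3) if v3 else (max(v2) if v2 else 0.0)

def critical_cves(report_json: str, threshold: float = 9.0) -> list:
    """Rows (cve_id, score, fix_state, ubuntu_record) at or above threshold, worst first."""
    report = json.loads(report_json)
    rows = []
    for cve_id, vuln in report.get("scannedCves", {}).items():
        score = max_score(vuln)
        if score < threshold:
            continue
        pkgs = vuln.get("affectedPackages", [])
        # "no fix available" is the state the page records for its exception requests
        state = "no fix available" if any(p.get("notFixedYet") for p in pkgs) else "fix available"
        rows.append((cve_id, score, state, f"https://ubuntu.com/security/{cve_id}"))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for row in critical_cves(SAMPLE_REPORT):
        print(" | ".join(str(x) for x in row))
```

Point `critical_cves` at the contents of the JSON file Vuls writes under the results directory to get the rows for the exception-request table.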

Lynis

Nexus URL (manual run, with fixes): https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-lynis/23/

The results are compared against the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.

...

No. | Test | Result | Notes

  1. Test: Checking PASS_MAX_DAYS option in /etc/login.defs

    2022-12-16 18:45:05 Test: Checking PASS_MAX_DAYS option in /etc/login.defs
    2022-12-16 18:45:05 Result: max password age is 180 days
    2022-12-16 18:45:05 Hardening: assigned maximum number of hardening points for this item (3). Currently having 21 points (out of 35)

    Notes: Required configuration

  2. Performing test ID AUTH-9328 (Default umask values)

    2022-12-16 18:45:05 Performing test ID AUTH-9328 (Default umask values)
    ...
    2022-12-16 18:45:05 Test: Checking /etc/login.defs
    ...
    2022-12-16 18:45:05 Result: file /etc/login.defs exists
    2022-12-16 18:45:05 Test: Checking umask value in /etc/login.defs
    2022-12-16 18:45:05 Result: umask is 027, which is fine
    2022-12-16 18:45:05 Hardening: assigned maximum number of hardening points for this item (2). Currently having 35 points (out of 49)

    Notes: Required configuration

  3. Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)

    2022-12-16 18:45:14 Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
    2022-12-16 18:45:14 Result: AllowUsers set, with value sdt-admin
    2022-12-16 18:45:14 Result: AllowGroups is not set
    2022-12-16 18:45:14 Result: SSH is limited to a specific set of users, which is good
    2022-12-16 18:45:14 Hardening: assigned maximum number of hardening points for this item (2). Currently having 164 points (out of 231)

    Notes: Required configuration

  4. Test: checking for file /etc/network/if-up.d/ntpdate

    2022-12-16 18:45:16 Test: checking for file /etc/network/if-up.d/ntpdate
    2022-12-16 18:45:16 Result: file /etc/network/if-up.d/ntpdate does not exist
    2022-12-16 18:45:16 Result: Found a time syncing daemon/client.
    2022-12-16 18:45:16 Hardening: assigned maximum number of hardening points for this item (3). Currently having 173 points (out of 246)

  5. Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile): the following sub-tests are required

    Notes: N/A

  5a. sysctl key fs.suid_dumpable contains equal expected and current value (0)

    2022-12-16 18:45:27 Result: sysctl key fs.suid_dumpable contains equal expected and current value (0)

    Notes: Required configuration

  5b. sysctl key kernel.dmesg_restrict contains equal expected and current value (1)

    2022-12-16 18:45:27 Result: sysctl key kernel.dmesg_restrict contains equal expected and current value (1)

    Notes: Required configuration

  5c. sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)

    2022-12-16 18:45:27 Result: sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)

    Notes: Required configuration

  6. Test: Check if one or more compilers can be found on the system

    2022-12-16 18:45:28 Performing test ID HRDN-7220 (Check if one or more compilers are installed)
    2022-12-16 18:45:28 Test: Check if one or more compilers can be found on the system
    2022-12-16 18:45:28 Result: no compilers found
    2022-12-16 18:45:28 Hardening: assigned maximum number of hardening points for this item (3). Currently having 212 points (out of 312)

    Notes: Required removal of build-essential package and apt autoremove, and /bin/as

...
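One way to automate the PASS/FAIL comparison above, as an added example that is not part of the page or of the Lynis project: it reads a lynis.log, finds each required test from the table and treats "assigned maximum number of hardening points" (or, for the KRNL-6000 sysctl sub-tests, "contains equal expected and current value") as PASS. The required-test list, the log fragments used as markers and the sample log are assumptions constructed from the excerpts above.

```python
import re
# Required checks from the page's PASS/FAIL table, keyed by the log fragment that
# opens each one (assumption: these fragments are stable across Lynis versions).
REQUIRED_TESTS = {
    "PASS_MAX_DAYS": "Test: Checking PASS_MAX_DAYS option in /etc/login.defs",
    "AUTH-9328": "Performing test ID AUTH-9328",
    "SSH-7440": "Performing test ID SSH-7440",
    "ntpdate": "Test: checking for file /etc/network/if-up.d/ntpdate",
    "HRDN-7220": "Performing test ID HRDN-7220",
}
REQUIRED_SYSCTL = ("fs.suid_dumpable", "kernel.dmesg_restrict", "net.ipv4.conf.default.accept_source_route")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

def evaluate(log_text: str) -> dict:
    """Map each required check to True/False; a check absent from the log fails."""
    msgs = [TS_RE.sub("", ln.strip()) for ln in log_text.splitlines() if ln.strip()]
    verdict = {}
    for label, marker in REQUIRED_TESTS.items():
        verdict[label] = False
        for i, msg in enumerate(msgs):
            if msg.startswith(marker):
                for nxt in msgs[i + 1:]:  # read until the next test starts
                    if nxt.startswith("Performing test ID"):
                        break
                    if "assigned maximum number of hardening points" in nxt:
                        verdict[label] = True  # full points for the item == PASS
                break
    for key in REQUIRED_SYSCTL:  # KRNL-6000 sub-tests are judged per key, not per points
        want = f"Result: sysctl key {key} contains equal expected and current value"
        verdict[f"sysctl:{key}"] = any(m.startswith(want) for m in msgs)
    return verdict

def failed_checks(log_text: str) -> list:
    return sorted(k for k, ok in evaluate(log_text).items() if not ok)

# Constructed log modelled on the page's excerpts: SSH-7440 and one sysctl key are
# made to fail and the ntpdate check is left out, to exercise the FAIL path.
SAMPLE_LOG = """\
2022-12-16 18:45:05 Test: Checking PASS_MAX_DAYS option in /etc/login.defs
2022-12-16 18:45:05 Hardening: assigned maximum number of hardening points for this item (3). Currently having 21 points (out of 35)
2022-12-16 18:45:05 Performing test ID AUTH-9328 (Default umask values)
2022-12-16 18:45:05 Hardening: assigned maximum number of hardening points for this item (2). Currently having 35 points (out of 49)
2022-12-16 18:45:14 Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
2022-12-16 18:45:27 Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile)
2022-12-16 18:45:27 Result: sysctl key fs.suid_dumpable contains equal expected and current value (0)
2022-12-16 18:45:27 Result: sysctl key kernel.dmesg_restrict contains equal expected and current value (1)
2022-12-16 18:45:27 Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected
2022-12-16 18:45:28 Performing test ID HRDN-7220 (Check if one or more compilers are installed)
2022-12-16 18:45:28 Hardening: assigned maximum number of hardening points for this item (3). Currently having 212 points (out of 312)
"""
```

Run `failed_checks(open("lynis.log").read())` against the log Lynis writes; an empty list means every required item in the table passed.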