Versions Compared

Old Version 16

changes.mady.by.user Guixiang Miao

Saved on

compared with

New Version 17

changes.mady.by.user Guixiang Miao

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Create directory

    $ mkdir ~/vuls
$ cd ~/vuls
$ mkdir go-cve-dictionary-log goval-dictionary-log gost-log


  2. Fetch NVD

    $ docker run --rm -it \
    -v $PWD:/go-cve-dictionary \
    -v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \
    vuls/go-cve-dictionary fetch nvd


  3. Fetch OVAL

    $ docker run --rm -it \
     -v $PWD:/goval-dictionary \
     -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
     vuls/goval-dictionary fetch ubuntu 16 17 18 19 20


  4. Fetch gost

    $ docker run --rm -i \
     -v $PWD:/gost \
     -v $PWD/gost-log:/var/log/gost \
     vuls/gost fetch ubuntu


  5. Create config.toml

    [servers]

[servers.master]
host = "192.168.51.22"
port = "22"
user = "test-user"
keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker


  6. Start vuls container to run tests

    $ docker run --rm -it \
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    -v /etc/localtime:/etc/localtime:ro \
    -v /etc/timezone:/etc/timezone:ro \
    vuls/vuls scan \
    -config=./config.toml


  7. Get the report

    $ docker run --rm -it \
     -v ~/.ssh:/root/.ssh:ro \
     -v $PWD:/vuls \
     -v $PWD/vuls-log:/var/log/vuls \
     -v /etc/localtime:/etc/localtime:ro \
     vuls/vuls report \
     -format-list \
     -config=./config.toml


Lynis

...

We use Ubuntu 20.04, so we run Lynis test as follows:

  1. Login to master node, and get the latest Lynis from GitHub

    $ git clone https://github.com/CISOfy/lynis


  2. Modify the permissions of the “lynis” directory

    $ chmod -R 0:0 lynis


  3. Run the command below to test the security of system

    $ cd lynis;  sudo ./lynis audit system


Kube-Hunter

  1. Create ~/validation/bluval/bluval-sdtfc.yaml to customize the Test

    blueprint:
    name: sdtfc
    layers:

    Create ~/validation/bluval/bluval-sdtfc.yaml to customize the Test

    blueprint:
    name: sdtfc
    layers:
        - os
        - k8s

    os: &os
        -
            name: lynis
            what: lynis
            optional: "False"- k8s

    k8s: &k8s
        -
            name: kube-hunter
            what: kube-hunter
            optional: "False"


  2. Update ~/validation/bluval/volumes.yaml file

    volumes:
    # location of the ssh key to access the cluster
    ssh_key_dir:
        local: '/home/ubuntu/.ssh'
        target: '/root/.ssh'
    # location of the k8s access files (config file, certificates, keys)
    kube_config_dir:
        local: '/home/ubuntu/kube'
        target: '/root/.kube/'
    # location of the customized variables.yaml
    custom_variables_file:
        local: '/home/ubuntu/validation/tests/variables.yaml'
        target: '/opt/akraino/validation/tests/variables.yaml'
    # location of the bluval-<blueprint>.yaml file
    blueprint_dir:
        local: '/home/ubuntu/validation/bluval'
        target: '/opt/akraino/validation/bluval'
    # location on where to store the results on the local jumpserver
    results_dir:
        local: '/home/ubuntu/results'
        target: '/opt/akraino/results'
    # location on where to store openrc file
    openrc:
        local: ''
        target: '/root/openrc'

# parameters that will be passed to the container at each layer
layers:
    # volumes mounted at all layers; volumes specific for a different layer are below
    common:
        - custom_variables_file
        - blueprint_dir
        - results_dir
    hardware:
        - ssh_key_dir
    os:
        - ssh_key_dir
    networking:
        - ssh_key_dir
    docker:
        - ssh_key_dir
    k8s:
        - ssh_key_dir
        - kube_config_dir
    k8s_networking:
        - ssh_key_dir
        - kube_config_dir
    openstack:
        - openrc
    sds:
    sdn:
    vim:


  3. Update ~/validation/tests/variables.yaml file

    ### Input variables cluster's master host
host: <IP Address>             # cluster's master host address
username: <username>            # login name to connect to cluster
password: <password>         # login password to connect to cluster
ssh_keyfile: /root/.ssh/id_rsa        # Identity file for authentication


  4. Run Blucon

    $ bash validation/bluval/blucon.sh sdtfc


...

CVE-IDCVSSNVDFix/Notes
CVE-2016-15859.8https://nvd.nist.gov/vuln/detail/CVE-2016-1585

No fix available

Ubuntu CVE record

TODO: File exception request

CVE-2022-03189.8https://nvd.nist.gov/vuln/detail/CVE-2022-0318

Fix not yet available

Ubuntu CVE record

TODO: File exception request

CVE-2022-19279.8https://nvd.nist.gov/vuln/detail/CVE-2022-1927

Fix not yet available

Ubuntu CVE record

TODO: File exception request

CVE-2022-203859.8https://nvd.nist.gov/vuln/detail/CVE-2022-20385

No fix available

Ubuntu CVE record

TODO: File exception request

CVE-2022-374349.8https://nvd.nist.gov/vuln/detail/CVE-2022-37434

No fix available (for zlib1g, zlib1g-dev)

Ubuntu CVE record

TODO: File exception request

Lynis

Nexus URL (run via Bluval, without fixes): 

...

The post-fix manual logs can be found at TODO.

Kube-Hunter

Nexus URL: TODO

There are no reported vulnerabilities. Note, this release includes fixes for vulnerabilities found in release 6. See the release 6 test document for details on those vulnerabilities and the fixes.

...