
Test document


View file: Robot_based_on_SSES_BP_Test_document.pdf

*The following Word file is the base file of the above PDF.

View file: Robot_based_on_SSES_BP_Test_document.docx



Pass (19/19 test cases)


Bluval Tests

Execute with reference to the following

Bluval User Guide

Steps To Implement Security Scan Requirements

https://vuls.io/docs/en/tutorial-docker.html

There are 2 security related tests: lynis & vuls. And there are 2 k8s related tests: kube-hunter & conformance tests.

...

The configuration file is only supported up to Ubuntu 18.

Vuls

We use Ubuntu 18.04/22.04 or RaspberryPi (Debian 11), so we ran the Vuls test as follows:

  1. Create directory

    $ mkdir ~/vuls
    $ cd ~/vuls
    $ mkdir go-cve-dictionary-log goval-dictionary-log gost-log
    


  2. Fetch NVD

    $ docker run --rm -it \
        -v $PWD:/go-cve-dictionary \
        -v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \
        vuls/go-cve-dictionary fetch nvd
    


  3. Fetch OVAL

    If the OS is Ubuntu 18.04/22.04, we use the following command:

    $ docker run --rm -it \
         -v $PWD:/goval-dictionary \
         -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
         vuls/goval-dictionary fetch ubuntu 18 19 20 21 22

    If the OS is RaspberryPi (Debian 11), we use the following command:

    $ docker run --rm -it \
         -v $PWD:/goval-dictionary \
         -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
         vuls/goval-dictionary fetch debian 11


  4. Fetch gost

    If the OS is Ubuntu 18.04/22.04, we use the following command:

    $ docker run --rm -i \
         -v $PWD:/gost \
         -v $PWD/gost-log:/var/log/gost \
         vuls/gost fetch ubuntu

    If the OS is RaspberryPi (Debian 11), we use the following command:

    $ docker run --rm -i \
         -v $PWD:/gost \
         -v $PWD/gost-log:/var/log/gost \
         vuls/gost fetch debian


  5. Create config.toml

    [servers]

    [servers.master]
    host = "192.168.51.22"
    port = "22"
    user = "test-user"
    keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker


  6. Start vuls container to run tests

    $ docker run --rm -it \
         -v ~/.ssh:/root/.ssh:ro \
         -v $PWD:/vuls \
         -v $PWD/vuls-log:/var/log/vuls \
         -v /etc/localtime:/etc/localtime:ro \
         -v /etc/timezone:/etc/timezone:ro \
         vuls/vuls scan \
         -config=./config.toml


  7. Get the report

    $ docker run --rm -it \
         -v ~/.ssh:/root/.ssh:ro \
         -v $PWD:/vuls \
         -v $PWD/vuls-log:/var/log/vuls \
         -v /etc/localtime:/etc/localtime:ro \
         vuls/vuls report \
         -format-list \
         -config=./config.toml


Vuls

Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/robot-family/R7/sses-vuls/

PDH,IoT Gateway

There are 26 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 7: Akraino CVE and KHV Vulnerability Exception Request

CVE-ID

CVSS

NVD

Fix/Notes

PACKAGES

CVE-2016-1585

Vuls

Nexus URL: 

PDH,IoT Gateway

There are 23 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request

2021318732021-31873CVE-2021-39713202139713linux-image-5.4.0-1055-raspi2282222822firefox2282322823firefox2282422824firefox2385223852No fix available2399023990No fix available2523525235firefox, thunderbird2523625236firefox, 2531525315firefox,

CVE-ID

CVSS

NVD

Fix/Notes

PACKAGES

CVE-2016-1585

9.8

https://nvd.nist.gov/vuln/detail/CVE-2016-1585

No fix available

apparmor

CVE-2017-18201

9.8

https://nvd.nist.gov/vuln/detail/CVE-2017-18201

No fix available

libcdio17

CVE-2017-7827

9.8

https://nvd.nist.gov/vuln/detail/CVE-2017-7827

No fix available

libmozjs-52-0

CVE-2018-5090

9.8

https://nvd.nist.gov/vuln/detail/CVE-2018-5090

Reported fixed in 58 and later version (installed), but still reported by Vuls

libmozjs-52-0

1585

No fix available

apparmor

CVE-2017-18201

9.8

https://nvd.nist.gov/vuln/detail/CVE-2017-18201

No fix available

libcdio17

CVE-2017-7827CVE-2018-5126

9.8

https://nvd.nist.gov/vuln/detail/CVE-2018-51262017-7827

Uninstall firefox
$ sudo apt remove firefox*Reported fixed in 58 and later version (installed), but still reported by Vuls

libmozjs-52-0

CVE-2018-51455090

9.8

https://nvd.nist.gov/vuln/detail/CVE-2018-51455090

Uninstall firefox
$ sudo apt remove firefox*Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls

libmozjs-52-0

CVE-2018-51515126

9.8

https://nvd.nist.gov/vuln/detail/CVE-2018-51515126

Uninstall firefox
$ sudo apt remove firefox*Reported fixed in 60 and later version (installed), but still reported by Vuls

libmozjs-52-0

CVE-20192018-170415145

9.8

https://nvd.nist.gov/vuln/detail/CVE-20192018-17041

No fix available

rsyslog

5145

Uninstall firefox
$ sudo apt remove firefox*

libmozjs-52-0

CVE-2018-5151CVE-2019-17042

9.8

https://nvd.nist.gov/vuln/detail/CVE-2019-17042

No fix available

2018-5151

Uninstall firefox
$ sudo apt remove firefox*

libmozjs-52-0rsyslog

CVE-20212019-3187017041

9.8

https://nvd.nist.gov/vuln/detail/CVE-20212019-31870

No fix available

17041

Reported fixed in 8.19 and later version (installed), but still reported by Vuls

rsyslogklibc-utils, libklibc

CVE-20212019-3187217042

9.8

https://nvd.nist.gov/vuln/detail/CVE-20212019-31872

No fix available

17042

Reported fixed in 8.19 and later version (installed), but still reported by Vuls

rsyslogklibc-utils, libklibc

CVE-2019-82879.8https://nvd.nist.gov/vuln/detail/CVE-

No fix available

klibc-utils, libklibc

2019-8287Uninstall tigervncserver
$ sudo apt remove tigervnc*
$ sudo apt-get remove tightvnc* -y
tightvncserver
CVE-2022-03189.8https://nvd.nist.gov/vuln/detail/CVE-2022-

No fix available

0318Uninstall vim
$ sudo apt remove vim*
vim
CVE-2022-238529.8https://nvd.nist.gov/vuln/detail/CVE-2022-

install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)

23852Uninstall firefox, thunderbird
$ sudo apt remove firefox* thunderbird*
firefox, thunderbird
CVE-2022-247919.8https://nvd.nist.gov/vuln/detail/CVE-2022-

install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)

24791Uninstall firefox, thunderbird
$ sudo apt remove firefox* thunderbird*
firefox, thunderbird

CVE-2022-

25235

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-

install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)

25235

Uninstall firefox, thunderbird
$ sudo apt remove firefox* thunderbird*

firefox, thunderbird

CVE-2022-

25236

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-25236

Uninstall firefox, thunderbird
$ sudo apt remove firefox* thunderbird*

firefox, thunderbird

CVE-2022-

25315

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-25315

Uninstall firefox, thunderbird
$ sudo apt remove firefox* thunderbird*

firefox, thunderbird

CVE-2022-3649

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-3649

No fix available

linux-image-4.15.0-197-generic

CVE-2022-376099.8https://nvd.nist.gov/vuln/detail/CVE-2022-

No fix available

37609Uninstall firefox, thunderbird
$ sudo apt remove firefox* thunderbird*
thunderbird
CVE-2022-393949.8https://nvd.nist.gov/vuln/detail/CVE-2022-

No fix available

39394Uninstall thunderbird
$ sudo apt remove thunderbird*
thunderbird
CVE-2016-9180

9.1

https://nvd.nist.gov/vuln/detail/CVE-2016-9180

No fix available

libxml-twig-perl

CVE-2019-20433

9.1

https://nvd.nist.gov/vuln/detail/CVE-2019-20433

No fix available

aspell

...

There are 30 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

...

CVE

...

-2022-243039.1

...

CVE-ID

CVSS

NVD

Fix/Notes

PACKAGES

CVE-2005-2541

10.0
https://nvd.nist.gov/vuln/detail/CVE-
2005
2022-
2541
24303No fix available
tar
python3-pil
CVE-
2014
2022-
2830
39319
10
9.
0
1https://
nvd
security-tracker.
nist
debian.
gov
org/
vuln
tracker/
detail/
CVE-
2014
2022-
2830
39319No fix available
cifs-utils
libfreerdp-client2-2, libfreerdp2-2, libwinpr2-2
CVE-
2016
2022-
1585
418779.
8
1https://nvd.nist.gov/vuln/detail/CVE-
2016
2022-
1585
41877No fix available

libapparmor1

libfreerdp-client2-2, libfreerdp2-2, libwinpr2-2

PC/Server for robot control

There are 40 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 7: Akraino CVE and KHV Vulnerability Exception Request

CVE-ID

CVSS

NVD

Fix/Notes

PACKAGES

CVE-2016-1585

CVE-2017-17479

9.8

https://nvd.nist.gov/vuln/detail/CVE-2017-17479

No fix available

libopenjp2-7

CVE-2017-9117
9.8https://
nvd
ubuntu.
nist.gov
com/
vuln
security/
detail/
CVE-
2017
2016-
9117
1585No fix available
libtiff5
apparmor
CVE-
2018
2017-
13410
182019.8https://
nvd
ubuntu.
nist.gov/vuln/detail
com/security/CVE-
2018
2017-
13410
18201No fix available
zip
libcdio17
CVE-
2019
2017-
1010022
78279.8https://
nvd
ubuntu.
nist.gov/vuln/detail
com/security/CVE-
2019
2017-
1010022
7827No fix available
libc
libmozjs-
bin, libc-dev-bin, libc-devtools, libc-l10n, libc6, libc6-dbg, libc6-dev, locales
52-0
CVE-2018-50909.8https://ubuntu.com/security/CVE-2018-5090

CVE-2019-8341

9.8

https://nvd.nist.gov/vuln/detail/CVE-2019-8341
No fix available
python3
libmozjs-52-
jinja2
0
CVE-
2020
2018-
27619
51269.8https://
nvd
ubuntu.
nist.gov/vuln/detail
com/security/CVE-
2020
2018-
27619
5126No fix available
python3.9
libmozjs-52-0
CVE-
2021
2018-
29462
51459.8https://
nvd
ubuntu.
nist.gov
com/
vuln
security/
detail/
CVE-
2021
2018-
29462
5145No fix available
libixml10, libupnp13
libmozjs-52-0
CVE-
2021
2018-
29921
51519.8https://
nvd
ubuntu.
nist.gov
com/
vuln
security/
detail/
CVE-
2021
2018-
29921Reported fixed in python3.9 (installed), but still reported by Vuls
5151No fix availablelibmozjs-52-0
python3.9
CVE-
2021
2019-
30473
170419.8https://
nvd
ubuntu.
nist.gov
com/
vuln
security/
detail/
CVE-
2021
2019-
30473
17041No fix available
libaom0
rsyslog
CVE-
2021
2019-
30474
170429.8https://
nvd
ubuntu.
nist.gov
com/
vuln
security/
detail/
CVE-
2021
2019-
30474
17042No fix available
libaom0
rsyslog
CVE-
2021
2022-
30475
03189.8https://
nvd
ubuntu.
nist.gov
com/
vuln
security/
detail/
CVE-
2021
2022-
30475
0318No fix available
libaom0
xxd
CVE-
2021
2022-
30498
36499.8https://
nvd
ubuntu.
nist.gov
com/
vuln
security/
detail/
CVE-
2021
2022-
30498CVE
3649No fix available

libcaca0

linux-
2021-30499
image-4.15.0-197-generic
CVE-2022-38909.6
9.8
https://
nvd
ubuntu.
nist.gov/vuln/detail
com/security/CVE-
2021
2022-
30499
3890No fix available
libcaca0
chromium-browser
CVE-
2021
2022-
3756
41359.
8
6https://
nvd
ubuntu.
nist.gov
com/
vuln
security/
detail/
CVE-
2021
2022-
3756install libmysofa 1.2.1libmysofa1
4135No fix availablechromium-browser
CVE-
2021
2016-
42377
91809.
8
1https://
nvd
ubuntu.
nist.gov
com/
vuln
security/
detail/
CVE-
2021
2016-
42377
9180No fix available
busybox
libxml-twig-perl
CVE-
2021
2019-
45951
204339.
8
1https://
nvd
ubuntu.
nist.gov
com/
vuln
security/
detail/
CVE-
2021
2019-
45951
20433No fix available
dnsmasq
aspell
CVE-
2021
2022-
45952
243039.
8
1https://
nvd
ubuntu.
nist.gov/vuln/detail
com/security/CVE-
2021
2022-
45952
24303No fix available

dnsmasq

CVE-2021-45953

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-45953

No fix available

dnsmasq

CVE-2021-45954
python3-pil

Cloud/Edge Cloud

There are 2 CVEs with a CVSS score >= 9.0.

Release 7: Akraino CVE and KHV Vulnerability Exception Request

CVE-ID

CVSS

NVD

Fix/Notes

PACKAGES

CVE-2016-15859.8https://
nvd
ubuntu.
nist.gov/vuln/detail
com/security/CVE-
2021
2016-
45954
1585No fix available
dnsmasq
apparmor
CVE-
2021
2022-
45955
36499.8https://
nvd
ubuntu.
nist.gov
com/
vuln
security/
detail/
CVE-
2021
2022-
45955
3649No fix available

dnsmasq

CVE-2021-45956

9.8

linux-gcp


Lynis

Nexus URL(after fix):

https://nexus.akraino.org/content/sites/logs/fujitsu/job/robot-family/R7/2/sses-lynis/PDH/lynis_PDH_after.log

https://nexus.akraino.org/content/sites/logs/fujitsu/job/robot-family/R7/sses-lynis/Robot/lynis_Robot_after.log

...

dnsmasq

...

CVE-2022-0318

...

9.8

...

vim

...

CVE-2022-23303

...

9.8

 

https://

...

nexus.

...

akraino.

...

org/

...

hostapd, wpasupplicant

...

CVE-2022-23304

...

9.8

...

hostapd, wpasupplicant

...

CVE-2021-22945

...

9.1

...

curl

...

CVE-2021-4048

...

9.1

...

libblas3, liblapack3

...

CVE-2021-43400

...

9.1

...

bluez

Lynis

Nexus URL(before fix): 

Nexus URL(after fix): 

The initial results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.

IoT Gateway

The Lynis Program Update test MUST pass with no errors.

2022-11-22 07:46:44 Test: Checking for program update...
2022-11-22 07:46:44 Current installed version  : 308
2022-11-22 07:46:45 Latest stable version      : 308
2022-11-22 07:46:45 No Lynis update available.

Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing

...

Result: AllowUsers is not set
Result: AllowGroups is not set
Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
Hardening: assigned partial number of hardening points (0 of 1). Currently having 140 points (out of 217)
Security check: file is normal
Checking permissions of /home/ubuntu/lynis/include/tests_snmp
File permissions are OK

Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
Result: AllowUsers is not set
Result: AllowGroups is not set
Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
Hardening: assigned partial number of hardening points (0 of 1). Currently having 108 points (out of 157)
Security check: file is normal
Checking permissions of /home/pi/lynis/lynis/include/tests_snmp
File permissions are OK

...

content/sites/logs/fujitsu/job/robot-family/R7/sses-lynis/cloud/lynis_after.log


The initial results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.

PDH, IoT Gateway

The Lynis Program Update test MUST pass with no errors.

2022-11-22 07:46:44 Test: Checking for program update...
2022-11-22 07:46:44 Current installed version  : 308
2022-11-22 07:46:45 Latest stable version      : 308
2022-11-22 07:46:45 No Lynis update available.


Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing
No. | Test | Result | Fix

No. 1
Test:
  Test: Checking PASS_MAX_DAYS option in /etc/login.defs
Result:
  Result: password aging limits are not configured
  Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
  Hardening: assigned partial number of hardening points (0 of 1). Currently having 11 points (out of 24)
Fix:
  Set PASS_MAX_DAYS 180 in /etc/login.defs

No. 2
Test:
  Performing test ID AUTH-9328 (Default umask values)
Result:
  Result: found /etc/profile.d, with one or more files in it
Fix:
  OK

No. 3
Test:
  Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
Result:
  Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
  Result: AllowUsers is not set
  Result: AllowGroups is not set
  Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
  Hardening: assigned partial number of hardening points (0 of 1). Currently having 108 points (out of 157)
  Security check: file is normal
  Checking permissions of /home/pi/lynis/lynis/include/tests_snmp
  File permissions are OK
Fix:
  Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config

  If you run the lynis shell script as an ordinary user, it will output an error. So run the script as a privileged user.

    $ su root
    # whoami
    root
    # ./lynis audit system

  ※reference:
  https://github.com/CISOfy/lynis/blob/master/include/tests_ssh#L54

No. 4
Test:
  Test: checking for file /etc/network/if-up.d/ntpdate
Result:
  Result: file /etc/network/if-up.d/ntpdate does not exist
  Result: Found a time syncing daemon/client.
  Hardening: assigned maximum number of hardening points for this item (3). Currently having 117 points (out of 172)
Fix:
  OK

No. 5
Test:
  Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required
Result:
  N/A
Fix:
  N/A

No. 5a
Test:
  sysctl key fs.suid_dumpable contains equal expected and current value (0)
Result:
  Result: sysctl key fs.suid_dumpable contains equal expected and current value (0)
Fix:
  OK

No. 5b
Test:
  sysctl key kernel.dmesg_restrict contains equal expected and current value (1)
Result:
  Result: sysctl key kernel.dmesg_restrict contains equal expected and current value (1)
Fix:
  OK

No. 5c
Test:
  sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)
Result:
  Result: sysctl key net.ipv4.conf.all.accept_source_route contains equal expected and current value (0)
Fix:
  OK

No. 6
Test:
  Test: Check if one or more compilers can be found on the system
Result:
  Performing test ID HRDN-7220 (Check if one or more compilers are installed)
  Test: Check if one or more compilers can be found on the system
  Result: no compilers found
  Hardening: assigned maximum number of hardening points for this item (3). Currently having 138 points (out of 219)
Fix:
  OK


PC/Server for robot control

The Lynis Program Update test MUST pass with no errors.

2022-03-23 05:13:56 Test: Checking for program update...
2022-03-23 05:14:03 Current installed version : 308
2022-03-23 05:14:03 Latest stable version : 308
2022-03-23 05:14:03 No Lynis update available


Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing

No. | Test | Result | Fix

No. 1
Test:
  Test: Checking PASS_MAX_DAYS option in /etc/login.defs
Result:
  Result: password aging limits are not configured
Fix:
  Set PASS_MAX_DAYS 180 in /etc/login.defs

No. 2
Test:
  Performing test ID AUTH-9328 (Default umask values)
Result:
  Test: Checking umask value in /etc/login.defs
  Result: found umask 022, which could be improved
Fix:
  Set UMASK 027 in /etc/login.defs

No. 3
Test:
  Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
Result:
  Result: AllowUsers is not set
  Result: AllowGroups is not set
  Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
  Hardening: assigned partial number of hardening points (0 of 1). Currently having 152 points (out of 223)
  Security check: file is normal
  Checking permissions of /home/ubuntu/lynis/include/tests_snmp
  File permissions are OK
Fix:
  Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config

No. 4
Test:
  Test: checking for file /etc/network/if-up.d/ntpdate
Result:
  Result: file /etc/network/if-up.d/ntpdate does not exist
  Result: Found a time syncing daemon/client.
  Hardening: assigned maximum number of hardening points for this item (3). Currently having 161 points (out of 238)
Fix:
  OK

No. 5
Test:
  Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required
Result:
  N/A
Fix:
  N/A

No. 5a
Test:
  sysctl key fs.suid_dumpable contains equal expected and current value (0)
Result:
  sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
  Hardening: assigned partial number of hardening points (0 of 1). Currently having 163 points (out of 253)
Fix:
  Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

    echo 'fs.suid_dumpable=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
    sudo /sbin/sysctl --system
    sudo sysctl -a |grep suid

No. 5b
Test:
  sysctl key kernel.dmesg_restrict contains equal expected and current value (1)
Result:
  Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0
Fix:
  Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

    echo 'kernel.dmesg_restrict=1' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
    sudo /sbin/sysctl --system
    sudo sysctl -a |grep dmesg

No. 5c
Test:
  sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)
Result:
  Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1
Fix:
  Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

    echo 'net.ipv4.conf.default.accept_source_route=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
    sudo /sbin/sysctl --system
    sudo sysctl -a |grep ipv4.conf.default.accept_source_route

No. 6
Test:
  Test: Check if one or more compilers can be found on the system
Result:
  Result: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler'
  Hardening: assigned partial number of hardening points (1 of 3). Currently having 180 points (out of 286

  Found known binary: as (compiler) - /usr/bin/as
  Found known binary: cc (compiler) - /usr/bin/cc
  Found known binary: g++ (compiler) - /usr/bin/g++
  Found known binary: gcc (compiler) - /usr/bin/gcc
Fix:
  Uninstall gcc and remove /usr/bin/as, /usr/bin/cc
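
The fixes listed in the table above can be re-checked against the configuration files without rerunning Lynis. The script below is an added example, not part of the original test document or of Lynis; the function names, the file-path parameters and the sample files are assumptions, and it assumes that setting either AllowUsers or AllowGroups is enough for SSH-7440.

```shell
#!/bin/sh
# Added example: check config files for the values the Lynis table lists as
# fixes. Paths are parameters, so the check can be run on copies of the files.

# conf_value FILE KEY: value of a whitespace-separated "KEY value" line
# (login.defs style). Comment lines are skipped; if the key is repeated,
# the last line is reported.
conf_value() {
    awk -v k="$2" '!/^[ \t]*#/ && $1 == k { v = $2 } END { print v }' "$1"
}

# sysctl_value FILE KEY: value of a "key = value" line in a sysctl.d file.
sysctl_value() {
    awk -F= -v k="$2" '
        /^[ \t]*[#;]/ { next }
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == k { v = val }
        END { print v }' "$1"
}

# expect LABEL EXPECTED ACTUAL: print PASS/FAIL, return 1 on mismatch.
expect() {
    if [ "$2" = "$3" ]; then
        echo "PASS $1 = $3"
    else
        echo "FAIL $1: expected $2, found ${3:-<not set>}"
        return 1
    fi
}

# audit_hardening LOGIN_DEFS SSHD_CONFIG SYSCTL_CONF
# Prints one line per check; returns 0 only if every check passes.
audit_hardening() {
    rc=0
    expect PASS_MAX_DAYS 180 "$(conf_value "$1" PASS_MAX_DAYS)" || rc=1
    expect UMASK 027 "$(conf_value "$1" UMASK)" || rc=1
    # sshd_config keywords are case-insensitive, hence grep -i.
    # Assumption: one of the two options being set satisfies SSH-7440.
    if grep -Eiq '^[[:space:]]*(AllowUsers|AllowGroups)[[:space:]]+[^[:space:]]' "$2"; then
        echo "PASS AllowUsers/AllowGroups set"
    else
        echo "FAIL AllowUsers/AllowGroups: neither is set"
        rc=1
    fi
    for kv in fs.suid_dumpable=0 kernel.dmesg_restrict=1 \
              net.ipv4.conf.default.accept_source_route=0; do
        expect "${kv%%=*}" "${kv#*=}" "$(sysctl_value "$3" "${kv%%=*}")" || rc=1
    done
    return $rc
}

# Demo on constructed sample files; nothing on the running system is read
# or changed. The "before" files reproduce findings from the table.
demo() {
    d=$(mktemp -d) || return 1
    printf 'UMASK 022\n' > "$d/login.defs"
    printf '#AllowUsers\n' > "$d/sshd_config"
    printf 'fs.suid_dumpable = 2\n' > "$d/sysctl.conf"
    echo "== before fix =="
    if audit_hardening "$d/login.defs" "$d/sshd_config" "$d/sysctl.conf"; then
        before=0
    else
        before=1
    fi
    printf 'PASS_MAX_DAYS 180\nUMASK 027\n' > "$d/login.defs"
    printf 'AllowUsers test-user\n' > "$d/sshd_config"   # constructed user name
    printf '%s\n' 'fs.suid_dumpable=0' 'kernel.dmesg_restrict=1' \
        'net.ipv4.conf.default.accept_source_route=0' > "$d/sysctl.conf"
    echo "== after fix =="
    if audit_hardening "$d/login.defs" "$d/sshd_config" "$d/sysctl.conf"; then
        after=0
    else
        after=1
    fi
    rm -rf "$d"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}
demo
```

On the SUT the three arguments would be /etc/login.defs, /etc/ssh/sshd_config and /etc/sysctl.d/90-lynis-hardening.conf; the script only reads them.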


Cloud/Edge Cloud

The Lynis Program Update test MUST pass with no errors.

2022-11-28 00:14:35 Test: Checking for program update...
2022-11-28 00:14:35 Current installed version  : 308
2022-11-28 00:14:35 Latest stable version      : 308
2022-11-28 00:14:35 No Lynis update available. 


Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing

No. | Test | Result | Fix

No. 1
Test:
  Test: Checking PASS_MAX_DAYS option in /etc/login.defs
Result:
  Result: password aging limits are not configured
Fix:
  Set PASS_MAX_DAYS 180 in /etc/login.defs

No. 2
Test:
  Performing test ID AUTH-9328 (Default umask values)
Result:
  Test: Checking umask value in /etc/login.defs
  Result: found umask 022, which could be improved
Fix:
  Set UMASK 027 in /etc/login.defs

No. 3
Test:
  Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
Result:
  Result: AllowUsers is not set
  Result: AllowGroups is not set
  Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
  Hardening: assigned partial number of hardening points (0 of 1). Currently having 152 points (out of 223)
  Security check: file is normal
  Checking permissions of /home/ubuntu/lynis/include/tests_snmp
  File permissions are OK
Fix:
  Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config

  If you run the lynis shell script as an ordinary user, it will output an error. So run the script as a privileged user.

    $ su root
    # whoami
    root
    # ./lynis audit system

  ※reference:
  https://github.com/CISOfy/lynis/blob/master/include/tests_ssh#L54

No. 4
Test:
  Test: checking for file /etc/network/if-up.d/ntpdate
Result:
  Result: file /etc/network/if-up.d/ntpdate does not exist
  Result: Found a time syncing daemon/client.
  Hardening: assigned maximum number of hardening points for this item (3). Currently having 177 points (out of 168)
Fix:
  OK

No. 5
Test:
  Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required
Result:
  N/A
Fix:
  N/A

No. 5a
Test:
  sysctl key fs.suid_dumpable contains equal expected and current value (0)
Result:
  sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2

...

PC/Server for robot control

The Lynis Program Update test MUST pass with no errors.

2022-03-23 05:13:56 Test: Checking for program update...
2022-03-23 05:14:03 Current installed version : 308
2022-03-23 05:14:03 Latest stable version : 307
2022-03-23 05:14:03 No Lynis update available

Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing
No.TestResultFix
1Test: Checking PASS_MAX_DAYS option in /etc/login.defs

Result: password aging limits are not configured
Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
Hardening: assigned partial number of hardening points (0 of 1). Currently having 11 points (out of 24)

Set PASS_MAX_DAYS 180 in /etc/login.defs
2Performing test ID AUTH-9328 (Default umask values)Result: found /etc/profile.d, with one or more files in itOK
3Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
Result: AllowUsers is not set
Result: AllowGroups is not set
Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
Hardening: assigned partial number of hardening points (0 of 1). Currently having 108 163 points (out of 157253)Security check: file is normal
Checking permissions of /home/pi/lynis/lynis/include/tests_snmp
File permissions are OKConfigure AllowUsers, AllowGroups in /etc/ssh/sshd_config
! Needs confirmation
→ Ask how to do this
4Test: checking for file /etc/network/if-up.d/ntpdateResult: file /etc/network/if-up.d/ntpdate does not exist
Result: Found a time syncing daemon/client.
Hardening: assigned maximum number of hardening points for this item (3). Currently having 117 points (out of 172)
OK
5Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) :  Following sub-tests requiredN/AN/A
5asysctl key fs.suid_dumpable contains equal expected and current value (0)Result: sysctl key fs.suid_dumpable contains equal expected and current value (0)OK

Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

echo 'fs.suid_dumpable=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
sudo /sbin/sysctl --system
sudo sysctl -a |grep suid

5bsysctl key kernel.dmesg_restrict contains equal expected and current value (1)Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0

Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

echo 'kernel.dmesg_restrict=1' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
sudo /sbin/sysctl --system
sudo sysctl -a |grep dmesg

5csysctl key net.ipv4.conf.default.accept_source_route 5bsysctl key kernel.dmesg_restrict contains equal expected and current value (10)Result: sysctl key kernel.dmesg_restrict contains equal expected and current value (1)OK5cnet.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

echo 'sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)
Result: sysctl key net.ipv4.conf.all.accept_source_route contains equal expected and current value (0)OK=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
sudo /sbin/sysctl --system
sudo sysctl -a |grep ipv4.conf.default.accept_source_route
6Test: Check if one or more compilers can be found on the systemResult: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler'
Hardening: assigned partial number of hardening points (1 of 3). Currently having 180 points (out of 286

Found known binary: as (compiler) - /usr/bin/as
Found known binary: cc (compiler) - /usr/bin/cc
Found known binary: g++ (compiler) - /usr/bin/g++
Found known binary: gcc (compiler) - /usr/bin/gcc
6Test: Check if one or more compilers can be found on the system

Performing test ID HRDN-7220 (Check if one or more compilers are installed)
Test: Check if one or more compilers can be found on the system
Result: no compilers found
Hardening: assigned maximum number of hardening points for this item (3). Currently having 138 points (out of 219)

OK

Uninstall gcc and remove /usr/bin/as, /usr/bin/cc