The Configuration file are only supported up to Ubuntu 18.

Vuls

We use Ubuntu 2018.04/22.04 or RaspberryPi(Debian 11), so we ran Vuls test as follows:

Create directory

$ mkdir ~/vuls
$ cd ~/vuls
$ mkdir go-cve-dictionary-log goval-dictionary-log gost-log

Fetch NVD

$ docker run --rm -it \
    -v $PWD:/go-cve-dictionary \
    -v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \
    vuls/go-cve-dictionary fetch nvd

Fetch OVAL

if OS is Ubuntu 18.04/22.04, we use following command,

$ docker run --rm -it \
     -v $PWD:/goval-dictionary \
     -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
     vuls/goval-dictionary fetch ubuntu 18 19 20
 21 22

if OS is RaspberryPi(Debian 11), we use following command,Fetch gost

$ docker run --rm -

i

it \
     -v $PWD:/

gost

goval-dictionary \
     -v $PWD/

gost

goval-dictionary-log:/var/log/

gost

goval-dictionary \
     vuls/

gost

goval-dictionary fetch

ubuntu

Create config.toml

debian 11

Fetch gost

if OS is Ubuntu 18.04/22.04, we use following command,

$ docker run --rm -i \
     -v $PWD:/gost \

[servers]

[servers.master]
host = "192.168.51.22"
port = "22"
user = "test-user"
keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker

Start vuls container to run tests

$ docker run --rm -it \ -v ~/.ssh:/root/.ssh:ro \ -v $PWD:/vuls \

    -v $PWD/

vuls

gost-log:/var/log/

vuls

gost \

-v

/etc/localtime:/etc/localtime:ro

vuls/gost fetch ubuntu

if OS is RaspberryPi(Debian 11), we use following command,

$ docker run --rm -i \
     -v

/etc/timezone

$PWD:/

etc/timezone:ro

gost \

vuls/vuls scan

 -v $PWD/gost-log:/var/log/gost \

-config=./config.toml

 vuls/gost fetch debian

Create config.toml

[servers]

[servers.master]
host = "192.168.51.22"
port = "22"
user = "test-user"
keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker

Start vuls container to run tests

$ docker run --rm -it

Get the report

$ docker run --rm -it \ -v ~/.ssh:/root/.ssh:ro

\
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \

    -v $PWD/vuls-log:/var/log/vuls \

-v /etc/localtime:/etc/localtime:ro \

vuls/vuls report

-v /etc/timezone:/etc/timezone:ro \

-format-list

vuls/vuls scan \

-config=./config.toml

Vuls

Nexus URL:

PDH,IoT Gateway

There are 23 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request

Get the report

$ docker run --rm -it \
     -v ~/.ssh:/root/.ssh:ro \
     -v $PWD:/vuls \
     -v $PWD/vuls-log:/var/log/vuls \
     -v /etc/localtime:/etc/localtime:ro \
     vuls/vuls report \
     -format-list \
     -config=./config.toml

Vuls

Nexus URL:

PDH,IoT Gateway

There are 26 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request

2021318702021-31870CVE-2021-318722021-31872klibc-utils, libklibc202131873202131873klibc-utils, libklibc2021397132021-39713linux-image-5.4.0-1055-raspi2282222822firefox2282322823firefox2282422824firefox2385223852firefox, thunderbird2399023990firefox, 2523525235firefox, 2022252368202225236firefox, thunderbird2022253158202225315firefox, thunderbird2016918020169180libxml-twig-perl201920433nvdnist.govvulndetail/201920433

CVE-ID	CVSS	NVD	Fix/Notes	PACKAGES
CVE-2016-1585	9.8	https://nvd.nist.gov/vuln/detail/CVE-2016-1585	No fix available	apparmor
CVE-2017-18201	9.8
CVE-ID	CVSS	NVD	Fix/Notes	PACKAGES
CVE-2016-1585	9.8	https://nvd.nist.gov/vuln/detail/CVE-2016-1585	No fix available	apparmor
CVE-2017-18201	9.8	https://nvd.nist.gov/vuln/detail/CVE-2017-18201	No fix available	libcdio17
CVE-2017-7827	9.8	https://nvd.nist.gov/vuln/detail/CVE-2017-7827	No fix available	libmozjs-52-0
CVE-2018-5090	9.8	https://nvd.nist.gov/vuln/detail/CVE-2018-5090	Reported fixed in 58 and later version (installed), but still reported by Vuls	libmozjs-52-0
CVE-2018-5126	9.8	https://nvd.nist.gov/vuln/detail/CVE-2018-5126	Reported fixed in 58 and later version (installed), but still reported by Vuls	libmozjs-52-0
CVE-2018-5145	9.8	https://nvd.nist.gov/vuln/detail/CVE-2018-5145	Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls	libmozjs-52-0
CVE-2018-5151	9.8	https://nvd.nist.gov/vuln/detail/CVE-2018-5151	Reported fixed in 60 and later version (installed), but still reported by Vuls	libmozjs-52-0
CVE-2019-17041	9.8	https://nvd.nist.gov/vuln/detail/CVE-2019-17041	No fix available	rsyslog
CVE-2019-17042	9.8	https://nvd.nist.gov/vuln/detail/CVE-2019-17042	No fix available	rsyslog
CVE-	2019-	8287	9.8	https://nvd.nist.gov/vuln/detail/CVE-	No fix available	klibc-utils, libklibc	2019-8287	Uninstall tigervncserver $ sudo apt remove tigervnc* $ sudo apt-get remove tightvnc* -y	tightvncserver
CVE-2022-0318	9.8	https://nvd.nist.gov/vuln/detail/CVE-	No fix available	2022-0318	Uninstall vim $ sudo apt remove vim*	vim
CVE-	2022-	23852	9.8	https://nvd.nist.gov/vuln/detail/CVE-	2022-	No fix available	23852	Uninstall firefox, thunderbird $ sudo apt remove firefox* thunderbird*	firefox, thunderbird
CVE-	2022-	24791	9.8	https://nvd.nist.gov/vuln/detail/CVE-	No fix available	2022-24791	Uninstall firefox, thunderbird $ sudo apt remove firefox* thunderbird*	firefox, thunderbird
CVE-2022-	25235	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-	install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)	25235	Uninstall firefox, thunderbird $ sudo apt remove firefox* thunderbird*	firefox, thunderbird
CVE-2022-	25236	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-	install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)	25236	Uninstall firefox, thunderbird $ sudo apt remove firefox* thunderbird*	firefox, thunderbird
CVE-2022-	25315	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-	install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)	25315	Uninstall firefox, thunderbird $ sudo apt remove firefox* thunderbird*	firefox, thunderbird
CVE-2022-	3649	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-	3649	No fix available	linux-image-4.15.0-197-generic
CVE-2022-	37609	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-	No fix available	37609	Uninstall firefox, thunderbird $ sudo apt remove firefox* thunderbird*	thunderbird
CVE-2022-	39394	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-	No fix available	39394	Uninstall thunderbird $ sudo apt remove thunderbird*	thunderbird
CVE-	2016-	9180	9.	1	https://nvd.nist.gov/vuln/detail/CVE-	2016-	9180	No fix available		libxml-twig-perl TODO: File exception request
CVE-	2019-	20433	9.	1	https://nvd.nist.gov/vuln/detail/CVE-	2019-	20433	No fix available	aspell
CVE-	2022-	24303	9.1	https://nvd.nist.gov/vuln/detail/CVE-	2022-	24303	No fix available	python3-pil TODO: File exception request
CVE-	2022-	39319	9.1	https://	ubuntu.	com/	security/	CVE-	2022-	No fix available	aspell

PC/Server for robot control

There are 30 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request

39319	Reported fixed in 2.2.0+dfsg1-0ubuntu0.18.04.4 and later version (installed), but still reported by Vuls	libfreerdp-client2-2, libfreerdp2-2, libwinpr2-2
CVE-2022-41877	9.1

CVE-ID

CVSS

NVD

Fix/Notes

PACKAGES

CVE-2005-2541

10.0

https://nvd.nist.gov/vuln/detail/CVE-

2005

2022-

2541

41877

No fix available

tar

libfreerdp-client2-2, libfreerdp2-2, libwinpr2-2

TODO: File exception request

CVE-

2014

2019-

2830

11707

10

8.

0

9	https://nvd.nist.gov/vuln/detail/CVE-

2014

2019-

2830

11707

No fix available

cifs-utils

libmozjs-52-0

TODO: File exception request

CVE-

2016

2022-

1585

23960

8.9

.8

https://nvd.nist.gov/vuln/detail/CVE-

2016

2022-

1585

23960

No fix available

libapparmor1

CVE

linux-

2017

image-

17479

9.8

https://nvd.nist.gov/vuln/detail/CVE-2017-17479No fix available

libopenjp2-7

CVE-2017-9117

9.8

4.15.0-197-generic

TODO: File exception request

PC/Server for robot control

There are 40 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request

CVE-ID	CVSS	NVD	Fix/Notes	PACKAGES
CVE-2005-2541	10.0	https://nvd.

https://nvd.

nist.gov/vuln/detail/CVE-

2017

2005-

9117

2541	No fix available

libtiff5

tar

CVE-

2018

2014-

13410

2830

9

10.

8

0	https://nvd.nist.gov/vuln/detail/CVE-

2018

2014-

13410

2830	No fix available

zip

cifs-utils

CVE-

2019

2016-

1010022

1585

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2019

2016-

1010022

1585	No fix available

libc-bin, libc-dev-bin, libc-devtools, libc-l10n, libc6, libc6-dbg, libc6-dev, locales

libapparmor1

CVE-

2019

2017-

8341

17479

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2019

2017-

8341

17479

No fix available

python3

libopenjp2-

jinja2

7

CVE-

2020

2017-

27619

9117

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2020

2017-

27619

9117	No fix available

python3.9

libtiff5

CVE-

2021

2018-

29462

13410

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2021

2018-

29462

13410

No fix available

libixml10, libupnp13

zip

CVE-

2021

2019-

29921

1010022

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2021

2019-

29921Reported fixed in python3.9 (installed), but still reported by Vuls

python3.9

1010022	No fix available	libc-bin, libc-dev-bin, libc-devtools, libc-l10n, libc6, libc6-dbg, libc6-dev, locales
CVE-2019-8341

CVE-2021-30473

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2021

2019-

30473

8341	No fix available

libaom0

python3-jinja2

CVE-

2021

2020-

30474

27619

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2021

2020-

30474

27619

No fix available

libaom0

python3.9

CVE-2021-

30475

29462

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-

30475

29462

No fix available

libaom0

libixml10, libupnp13

CVE-2021-

30498

29921

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-

30498No fix availablelibcaca0

29921	Reported fixed in python3.9 (installed), but still reported by Vuls	python3.9
CVE-2021-

30499

30473

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-

30499

30473

No fix available

libcaca0

libaom0

CVE-2021-

3756

30474

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-

3756install libmysofa 1.2.1

30474

No fix available

libaom0

libmysofa1

CVE-2021-

42377

30475

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-

42377

30475

No fix available

busybox

libaom0

CVE-2021-

45951

3756

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-

45951No fix available

3756

install libmysofa 1.2.1

libmysofa1

dnsmasq

CVE-2021-

45952

3782

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-

45952

3782	No fix available

dnsmasq

libwayland-client0, libwayland-cursor0, libwayland-egl1, libwayland-server0

TODO: File exception request

CVE-2021-42377

CVE-2021-45953

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-

45953

42377

No fix available

dnsmasq

busybox

CVE-2021-

45954

45951

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-

45954

45951	No fix available	dnsmasq
CVE-2021-

45955

45952

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-

45955

45952	No fix available	dnsmasq
CVE-2021-

45956

45953

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-

45956

45953	No fix available	dnsmasq
CVE-

2022

2021-

0318

45954

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2022

2021-

0318unistall vim

45954

No fix available

dnsmasq

vim

CVE-

2022

2021-

23303

45955

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2022

2021-

23303

45955

No fix available

hostapd, wpasupplicant

dnsmasq

CVE-

2022

2021-

23304

45956

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2022

2021-

23304

45956

No fix available

dnsmasq

hostapd, wpasupplicant

CVE-2021-

22945

45957

9.

1

8	https://nvd.nist.gov/vuln/detail/CVE-2021-

22945unistall curlcurl

45957	No fix available	dnsmasq TODO: File exception request
CVE-

2021

2022-

4048

0318

9.

1

8	https://nvd.nist.gov/vuln/detail/CVE-

2021-4048No fix available

libblas3, liblapack3

2022-0318	unistall vim $ sudo apt remove vim*	vim-common, vim-runtime, vim-tiny, xxd
CVE-2022-1253	9.8

CVE-2021-43400

9.1

https://nvd.nist.gov/vuln/detail/CVE-

2021

2022-

43400

1253	No fix available

bluez

Lynis

Nexus URL(before fix):

Nexus URL(after fix):

The initial results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.

IoT Gateway

The Lynis Program Update test MUST pass with no errors.

Code Block

2022-11-22 07:46:44 Test: Checking for program update...
2022-11-22 07:46:44 Current installed version  : 308
2022-11-22 07:46:45 Latest stable version      : 308
2022-11-22 07:46:45 No Lynis update available.

Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing

libde265-0
CVE-2022-23303	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-23303	No fix available	hostapd, wpasupplicant TODO: File exception request
CVE-2022-23304	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-23304	No fix available	hostapd, wpasupplicant
CVE-2022-37454	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-37454	No fix available	hostapd, wpasupplicant TODO: File exception request
CVE-2022-3970	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-3970	No fix available	python3.9 TODO: File exception request
CVE-2019-19391	9.1	https://nvd.nist.gov/vuln/detail/CVE-2019-19391	No fix available	libtiff5 TODO: File exception request
CVE-2021-4048	9.1	https://nvd.nist.gov/vuln/detail/CVE-2021-4048	No fix available	libblas3, liblapack3
CVE-2021-43400	9.1	https://nvd.nist.gov/vuln/detail/CVE-2021-43400	No fix available	bluez
CVE-2021-46848	9.1	https://nvd.nist.gov/vuln/detail/CVE-2021-46848	No fix available	libtasn1-6 TODO: File exception request
CVE-2022-0670	9.1	https://nvd.nist.gov/vuln/detail/CVE-2022-0670	No fix available	librados2, librbd1 TODO: File exception request
CVE-2022-24303	9.1	https://nvd.nist.gov/vuln/detail/CVE-2022-24303	No fix available	python3-pil TODO: File exception request
CVE-2022-26280	9.1	https://nvd.nist.gov/vuln/detail/CVE-2022-26280	No fix available	libarchive13 TODO: File exception request
CVE-2022-32213	9.1	https://nvd.nist.gov/vuln/detail/CVE-2022-32213	No fix available	nodejs TODO: File exception request
CVE-2022-32214	9.1	https://nvd.nist.gov/vuln/detail/CVE-2022-32214	No fix available	nodejs TODO: File exception request
CVE-2022-32215	9.1	https://nvd.nist.gov/vuln/detail/CVE-2022-32215	No fix available	nodejs TODO: File exception request

Cloud/Edge Cloud

There are XX CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request

Lynis

Nexus URL(before fix):

Nexus URL(after fix):

The initial results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.

IoT Gateway

The Lynis Program Update test MUST pass with no errors.

Code Block

2022-11-22 07:46:44 Test: Checking for program update...
2022-11-22 07:46:44 Current installed version  : 308
2022-11-22 07:46:45 Latest stable version      : 308
2022-11-22 07:46:45 No Lynis update available.

Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing

No.	Test	Result	Fix
1	Test: Checking PASS_MAX_DAYS option in /etc/login.defs	Result: password aging limits are not configured Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-] Hardening: assigned partial number of hardening points (0 of 1). Currently having 11 points (out of 24)	Set PASS_MAX_DAYS 180 in /etc/login.defs
2	Performing test ID AUTH-9328 (Default umask values)	Result: found /etc/profile.d, with one or more files in it	OK
3	Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)	Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) Result: AllowUsers is not set Result: AllowGroups is not set Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine. Hardening: assigned partial number of hardening points (0 of 1). Currently having 108 points (out of 157) Security check: file is normal Checking permissions of /home/pi/lynis/lynis/include/tests_snmp File permissions are OK	Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config If you run the lynis shell script as an ordinary user, it will output an error. So run the script as a privileged user. $ su root # whoami root # ./lynis audit system ※reference： https://github.com/CISOfy/lynis/blob/master/include/tests_ssh#L54
4	Test: checking for file /etc/network/if-up.d/ntpdate	Result: file /etc/network/if-up.d/ntpdate does not exist Result: Found a time syncing daemon/client. Hardening: assigned maximum number of hardening points for this item (3). Currently having 117 points (out of 172)	OK
5	Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required	N/A	N/A
5a	sysctl key fs.suid_dumpable contains equal expected and current value (0)	Result: sysctl key fs.suid_dumpable contains equal expected and current value (0)	OK
5b	sysctl key kernel.dmesg_restrict contains equal expected and current value (1)	Result: sysctl key kernel.dmesg_restrict contains equal expected and current value (1)	OK
5c	sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)	Result: sysctl key net.ipv4.conf.all.accept_source_route contains equal expected and current value (0)	OK
6	Test: Check if one or more compilers can be found on the system	Performing test ID HRDN-7220 (Check if one or more compilers are installed) Test: Check if one or more compilers can be found on the system Result: no compilers found Hardening: assigned maximum number of hardening points for this item (3). Currently having 138 points (out of 219)	OK

PC/Server for robot control

The Lynis Program Update test MUST pass with no errors.

Code Block

2022-03-23 05:13:56 Test: Checking for program update...
2022-03-23 05:14:03 Current installed version : 308
2022-03-23 05:14:03 Latest stable version : 308
2022-03-23 05:14:03 No Lynis update available

Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing

No.	Test	Result	Fix
1	Test: Checking PASS_MAX_DAYS option in /etc/login.defs	Result: password aging limits are not configured	Set PASS_MAX_DAYS 180 in /etc/login.defs
2	Performing test ID AUTH-9328 (Default umask values)	Test: Checking umask value in /etc/login.defs Result: found umask 022, which could be improved	Set UMASK 027 in /etc/login.defs
3	Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)	Result: AllowUsers is not set Result: AllowGroups is not set Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine. Hardening: assigned partial number of hardening points (0 of 1). Currently having 152 points (out of 223) Security check: file is normal Checking permissions of /home/ubuntu/lynis/include/tests_snmp File permissions are OK	Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config
4	Test: checking for file /etc/network/if-up.d/ntpdate	Result: file /etc/network/if-up.d/ntpdate does not exist Result: Found a time syncing daemon/client. Hardening: assigned maximum number of hardening points for this item (3). Currently having 161 points (out of 238)	OK
5	Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required	N/A	N/A
5a	sysctl key fs.suid_dumpable contains equal expected and current value (0)	sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
No.	Test	Result	Fix
1	Test: Checking PASS_MAX_DAYS option in /etc/login.defs	Result: password aging limits are not configured Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-] Hardening: assigned partial number of hardening points (0 of 1). Currently having 11 points (out of 24)	Set PASS_MAX_DAYS 180 in /etc/login.defs
2	Performing test ID AUTH-9328 (Default umask values)	Result: found /etc/profile.d, with one or more files in it	OK
3	Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)	Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) Result: AllowUsers is not set Result: AllowGroups is not set Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine. Hardening: assigned partial number of hardening points (0 of 1). Currently having 108 163 points (out of 157) Security check: file is normal Checking permissions of /home/pi/lynis/lynis/include/tests_snmp File permissions are OKConfigure AllowUsers, AllowGroups in /etc/ssh/sshd_config ！要確認 →やり方を問い合わせ
4	Test: checking for file /etc/network/if-up.d/ntpdate	Result: file /etc/network/if-up.d/ntpdate does not exist Result: Found a time syncing daemon/client. Hardening: assigned maximum number of hardening points for this item (3). Currently having 117 points (out of 172)	OK
5	Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required	N/A	N/A
253)	Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo 'fs.suid_dumpable=0' \| sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a \|grep suid
5b	sysctl key kernel.dmesg_restrict contains equal expected and current value (1)	Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0	Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo 'kernel.dmesg_restrict=1' \| sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a \|grep dmesg
5c	sysctl key net.ipv4.conf.default.accept_source_route	5a	sysctl key fs.suid_dumpable contains equal expected and current value (0)	Result: sysctl key fs.suid_dumpable contains equal expected and current value (0)	OK
5b	sysctl key kernel.dmesg_restrict contains equal expected and current value (1)	Result: sysctl key kernel.dmesg_restrict contains equal expected and current value (1)	OK
net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1	Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo '	5c	sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)Result: sysctl key net.ipv4.conf.all=0' \| sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a \|grep ipv4.conf.default.accept_source_route contains equal expected and current value (0)OK
6	Test: Check if one or more compilers can be found on the systemPerforming test ID HRDN-7220 (Check if one or more compilers are installed) Test: Check if one or more compilers can be found on the system Result: no compilers found	Result: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler' Hardening: assigned maximum partial number of hardening points for this item (1 of 3). Currently having 138 points (out of 219)	OK

...

180 points (out of 286

Found known binary: as (compiler) - /usr/bin/as
Found known binary: cc (compiler) - /usr/bin/cc
Found known binary: g++ (compiler) - /usr/bin/g++
Found known binary: gcc (compiler) - /usr/bin/gcc

Uninstall gcc and remove /usr/bin/as, /usr/bin/cc

Cloud/Edge Cloud

The Lynis Program Update test MUST pass with no errors.

Code Block

2022-0311-2328 0500:1314:5635 Test: Checking for program update...
2022-0311-2328 0500:14:0335 Current installed version  : 308
2022-0311-2328 0500:14:0335 Latest stable version      : 308
2022-0311-2328 0500:14:0335 No Lynis update available
.

Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing

No.	Test	Result	Fix
1	Test: Checking PASS_MAX_DAYS option in /etc/login.defs	Result: password aging limits are not configured	Set PASS_MAX_DAYS 180 in /etc/login.defs
2	Performing test ID AUTH-9328 (Default umask values)	Test: Checking umask value in /etc/login.defs Result: found umask 022, which could be improved	Set UMASK 027 in /etc/login.defs
3	Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)	Result: AllowUsers is not set Result: AllowGroups is not set Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine. Hardening: assigned partial number of hardening points (0 of 1). Currently having 152 points (out of 223) Security check: file is normal Checking permissions of /home/ubuntu/lynis/include/tests_snmp File permissions are OK	Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config If you run the lynis shell script as an ordinary user, it will output an error. So run the script as a privileged user. $ su root # whoami root # ./lynis audit system ※reference： https://github.com/CISOfy/lynis/blob/master/include/tests_ssh#L54
4	Test: checking for file /etc/network/if-up.d/ntpdate	Result: file /etc/network/if-up.d/ntpdate does not exist Result: Found a time syncing daemon/client. Hardening: assigned maximum number of hardening points for this item (3). Currently

having 161

having 177 points (out of

238

168)	OK
5	Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required	N/A	N/A
5a	sysctl key fs.suid_dumpable contains equal expected and current value (0)	sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2 Hardening: assigned partial number of hardening points (0 of 1). Currently having 163 points (out of 253)	Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo 'fs.suid_dumpable=0' \| sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a \|grep suid
5b	sysctl key kernel.dmesg_restrict contains equal expected and current value (1)	Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0	Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo 'kernel.dmesg_restrict=1' \| sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a \|grep dmesg
5c	sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)	Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1	Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo 'net.ipv4.conf.default.accept_source_route=0' \| sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a \|grep ipv4.conf.default.accept_source_route
6	Test: Check if one or more compilers can be found on the system	Result: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler' Hardening: assigned partial number of hardening points (1 of 3). Currently having 180 points (out of 286 Found known binary: as (compiler) - /usr/bin/as Found known binary: cc (compiler) - /usr/bin/cc Found known binary: g++ (compiler) - /usr/bin/g++ Found known binary: gcc (compiler) - /usr/bin/gcc	Uninstall gcc and remove /usr/bin/as, /usr/bin/cc

Space shortcuts

Page tree

Versions Compared

Old Version 5

New Version 6

Key

Vuls

Vuls

PDH,IoT Gateway

Vuls

PDH,IoT Gateway

PC/Server for robot control

PC/Server for robot control

Lynis

IoT Gateway

The following list of tests MUST complete as passing

Cloud/Edge Cloud

Lynis

IoT Gateway

The following list of tests MUST complete as passing

PC/Server for robot control

The following list of tests MUST complete as passing

Cloud/Edge Cloud

The following list of tests MUST complete as passing

Space shortcuts

Page tree

Page History

Versions Compared

Old Version 5

New Version 6

Key

Vuls

Vuls

PDH,IoT Gateway

Vuls

PDH,IoT Gateway

PC/Server for robot control

PC/Server for robot control

Lynis

IoT Gateway

The following list of tests MUST complete as passing

Cloud/Edge Cloud

Lynis

IoT Gateway

The following list of tests MUST complete as passing

PC/Server for robot control

The following list of tests MUST complete as passing

Cloud/Edge Cloud

The following list of tests MUST complete as passing