Versions Compared

Old Version 22

changes.mady.by.user Guixiang Miao

Saved on

compared with

New Version 23

changes.mady.by.user Colin Peters

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This document describes the blueprint test environment for the Smart Data Transaction for CPS blueprint. The test results and logs are posted in the Akraino Nexus at the link below:

https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7

Akarino Test Group Information

...

The robot command should report success for all test cases.

Test Results

Nexus URL:   https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/lfedge-install/14/

Pass (1/1 test case)

CI/CD Regression Tests: Images Build & Push

...

The robot command should report success for all test cases.

Test Results

Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/lfedge-build/5

Pass (2/2 test cases)

CI/CD Regression Tests: Cluster Setup & Teardown

...

The robot command should report success for all test cases.

Test Results

Nexus URL: 

Image Removed

https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/lfedge-cluster/6

Image Added

Pass (4/4 test cases)

CI/CD Regression Tests: EdgeX Services

...

The robot command should report success for all test cases.

Test Results

Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/edgex-install/7/

Pass (8/8 test cases)

CI/CD Regression Tests: Camera Device Service

...

The Robot Framework should report success for all test cases

Test Results

Nexus URL: 

Image Removed

https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/camera/10

Image Added

Pass (9/9 Pass (9/9 test cases)

Feature Project Tests

...

Vuls results (manual) Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-vuls/1/

Lynis results (manual) Nexus URL:   https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-lynis/1/

Kube-Hunter results Nexus URL:Kube-Hunter results Nexus URL: 

Vuls

Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-vuls/1/

There are 5 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

...

CVE-IDCVSSNVDFix/Notes
CVE-2016-15859.8https://nvd.nist.gov/vuln/detail/CVE-2016-1585

No fix available

Ubuntu CVE record

TODO: File exception request

CVE-CVE-2022-03189.8https://nvd.nist.gov/vuln/detail/CVE-2022-0318

Fix not yet available

Ubuntu CVE recordTODO: File exception request

CVE-2022-19279.8https://nvd.nist.gov/vuln/detail/CVE-2022-1927

Fix not yet available

Ubuntu CVE record

TODO: File exception request

CVE-2022-203859.8https://nvd.nist.gov/vuln/detail/CVE-2022-20385

No fix available

Ubuntu CVE record

TODO: File exception request

CVE-2022-374349.8https://nvd.nist.gov/vuln/detail/CVE-2022-37434

No fix available (for zlib1g, zlib1g-dev)

Ubuntu CVE record

TODO: File exception request

Lynis

...

Nexus URL (manual run, with fixes): 

Image Removed

The initial results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.

https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-lynis/1/

The results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.

The The Lynis Program Update test MUST pass with no errors.
2022-09-14 16:19:49 Test: Checking for program update...
2022-09-14 16:19:49 Result: Update check failed. No network connection?
2022-09-14 16:19:49 Info: to perform an automatic update check, outbound DNS connections should be allowed (TXT record).
2022-09-14 16:19:49 Suggestion: This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [test:LYNIS] [details:-] [solution:-]

TODO Fix: Download Note: Lynis was downloaded and run the latest Lynis directly on the SUT. See the link below:

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing
No.TestResultFix
1

Test: Checking PASS_MAX_DAYS option in /etc/login.defs

2022-09-14 16:20:32 Result: password aging limits are not configured

TODO: Set PASS_MAX_DAYS 180 in /etc/login.defs and rerun.
2

Performing test ID AUTH-9328

2

Performing test ID AUTH-9328 (Default umask values)

2022-09-14 16:20:32 Result: found umask 022, which could be improved

TODO: Set UMASK 027 in /etc/login.defs
3

Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)

2022-09-14 16:20:44 Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.

TODO: Configure AllowUsers in /etc/ssh/sshd_config (allow only the admin account)

.

4

Test: checking for file /etc/network/if-up.d/ntpdate

2022-09-14 16:20:46 Result: file /etc/network/if-up.d/ntpdate does not exist
2022-09-14 16:20:46 Result: Found a time syncing daemon/client.
2022-09-14 16:20:46 Hardening: assigned maximum number of hardening points for this item (3).

OK
5Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) :  Following sub-tests requiredN/AN/A
5asysctl key fs.suid_dumpable contains equal expected and current value (0)

2022-09-14 16:20:58 Result: sysctl key fs.suid_dumpable contains equal expected and current value (0)OK

5bsysctl key kernel.dmesg_restrict contains equal expected and current value (1)

2022-09-14 16:20:58 Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0

TODO: Add kernel.dmesg_restrict=1 to /etc/sysctl.d/90-lynis-hardening.conf
5csysctl key 5csysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)

2022-09-14 16:20:58 Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1

TODO: Add net.ipv4.conf.default.accept_source_route=0 to /etc/sysctl.d/90-lynis-hardening.conf

6Test: Check if one or more compilers can be found on the system

2022-09-14 16:20:59 Result: found installed compiler. See top of logfile which compilers have been found or use /usr/bin/grep to filter on 'compiler'

TODO: Uninstall gcc and remove /usr/bin/as (installed with binutils)

Results after the above fixes are as follows:

The Lynis Program Update test MUST pass with no errors.

TODO

The following list of tests MUST complete as passing

...

which compilers have been found or use /usr/bin/grep to filter on 'compiler'

Kube-Hunter

Nexus URL: TODOhttps://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-bluval/1/

There are no reported vulnerabilities. Note, this release includes fixes for vulnerabilities found in release 6. See the release 6 test document for details on those vulnerabilities and the fixes.

...

Note that the results still show one test failure. The "Inside-a-Pod Scanning" test case reports failure, apparently because the log ends with "Kube Hunter couldn't find any clusters" instead of "No vulnerabilities were found." This also occurred during release 6 testing. Because vulnerabilities were detected and reported in release 6 by this test case, and those vulnerabilities are no longer reported, we believe this is a false negative, and may be caused by this issue:   https://github.com/aquasecurity/kube-hunter/issues/358

...