...

Kube-Hunter results Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-bluval/1/

Vuls

Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-vuls/1/

...

Nexus URL (manual run, with fixes): https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-lynis/12/

The results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.

...

2022-09-14 16:19:49 Test: Checking for program update...
2022-09-14 16:19:49 Result: Update check failed. No network connection?
2022-09-14 16:19:49 Info: to perform an automatic update check, outbound DNS connections should be allowed (TXT record).
2022-09-14 16:19:49 Suggestion: This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [test:LYNIS] [details:-] [solution:-]

The test environment is a proxied private network inside the Fujitsu corporate network which does not allow direct DNS lookups using tools such as dig. Therefore the update check cannot be performed automatically.

The latest version of Lynis, 3.0.8 at time of execution, was downloaded and run directly on the SUT. See the link below:

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing
No. | Test | Result | Notes
1

Test: Checking PASS_MAX_DAYS option in /etc/login.defs

2022-09-14 16:20:32 Result: password aging limits are not configured
2022-10-11 11:48:22 Test: Checking PASS_MAX_DAYS option in /etc/login.defs
2022-10-11 11:48:22 Result: max password age is 180 days
2022-10-11 11:48:22 Hardening: assigned maximum number of hardening points for this item (3). Currently having 21 points (out of 35)

Required configuration
2

Performing test ID AUTH-9328 (Default umask values)

2022-09-14 16:20:32 Result: found umask 022, which could be improved
2022-10-11 11:48:22 Performing test ID AUTH-9328 (Default umask values)
...

2022-10-11 11:48:22 Test: Checking umask value in /etc/login.defs
2022-10-11 11:48:22 Result: umask is 027, which is fine
2022-10-11 11:48:22 Hardening: assigned maximum number of hardening points for this item (2). Currently having 35 points (out of 49)

Required configuration
3

Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)

2022-09-14 16:20:44 Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
2022-10-11 11:51:21 Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
2022-10-11 11:51:21 Result: AllowUsers set, with value sdt-admin
2022-10-11 11:51:21 Result: AllowGroups is not set
2022-10-11 11:51:21 Result: SSH is limited to a specific set of users, which is good
2022-10-11 11:51:21 Hardening: assigned maximum number of hardening points for this item (2). Currently having 164 points (out of 234)

Required configuration
4

Test: checking for file /etc/network/if-up.d/ntpdate

2022-09-14 16:20:46 Result: file /etc/network/if-up.d/ntpdate does not exist
2022-09-14 16:20:46 Result: Found a time syncing daemon/client.
2022-09-14 16:20:46 Hardening: assigned maximum number of hardening points for this item (3).
2022-10-11 11:51:25 Test: checking for file /etc/network/if-up.d/ntpdate
2022-10-11 11:51:25 Result: file /etc/network/if-up.d/ntpdate does not exist
2022-10-11 11:51:25 Result: Found a time syncing daemon/client.
2022-10-11 11:51:25 Hardening: assigned maximum number of hardening points for this item (3). Currently having 173 points (out of 249)

5

Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile): Following sub-tests required

N/A
5a

sysctl key fs.suid_dumpable contains equal expected and current value (0)

2022-09-14 16:20:58 Result: sysctl key fs.suid_dumpable contains equal expected and current value (0)
2022-10-11 11:51:37 Result: sysctl key fs.suid_dumpable contains equal expected and current value (0)

Required configuration
5b

sysctl key kernel.dmesg_restrict contains equal expected and current value (1)

2022-09-14 16:20:58 Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0
2022-10-11 11:51:37 Result: sysctl key kernel.dmesg_restrict contains equal expected and current value (1)

Required configuration
5c

sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)

2022-09-14 16:20:58 Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1
2022-10-11 11:51:37 Result: sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)

Required configuration
6

Test: Check if one or more compilers can be found on the system

2022-09-14 16:20:59 Result: found installed compiler. See top of logfile which compilers have been found or use /usr/bin/grep to filter on 'compiler'
2022-03-07 15:55:29 Performing test ID HRDN-7220 (Check if one or more compilers are installed)
2022-03-07 15:55:29 Test: Check if one or more compilers can be found on the system
2022-03-07 15:55:29 Result: no compilers found
2022-03-07 15:55:29 Hardening: assigned maximum number of hardening points for this item (3). Currently having 216 points (out of 325)

Required removal of build-essential package and apt autoremove, and /bin/as
Kube-Hunter

Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-bluval/1/

...