| Project Name | Vuls Scan | Lynis Scan | Kube-Hunter Scan |
|---|
| 1 | 5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint | Release 4 Vuls Exception Request |
|
|
| 2 | AI/ML and AR/VR applications at Edge | Release 4 Vuls Exception Request |
|
|
| 3 | Connected Vehicle Blueprint | Release 4 Vuls Exception Request |
|
|
| 4 | Edge Video Processing | Release 4 Vuls Exception Request |
|
|
| 5 | ELIOT: Edge Lightweight and IoT Blueprint Family | Release 4 Vuls Exception Request |
|
|
| 6 | | Release 4 Vuls Exception Request |
|
|
| 7 | | Release 4 Vuls Exception Request | - Performing test ID BOOT-5122 (Check for GRUB boot password) ## After setting up grub boot password --> Cloud Vms won’t boot properly. Lead to unstable VMs
- Performing test ID AUTH-9229 (Check password hashing methods) ## Not possible, will impact SHA_MIN_CRYPT_ROUNDS test. Currently using maximum security hashing method SHA512
- Performing test ID USB-2000 (Check USB authorizations) ## N/A: Using cloud VMs, no baremetal involved.
- Performing test ID USB-3000 (Check for presence of USBGuard) ## N/A: Using cloud VMs, no baremetal involved.
- Test: Checking MaxSessions ## Max session set to 4, this is the bare minimum level that can be used.
- Test: Checking Port ## Can't change during testing, BluVal requires SSH to be tcp/22. This port should be changed after testing, but prior to production.
- KRNL-6000: sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1 ## IP Forwarding is required for K8s.
The following exceptions must be fixed prior to maturity review: - sysctl key kernel.core_uses_pid contains equal expected and current value (1)
- sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
- sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
- sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
- sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
- sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
- sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
| The following exceptions must be fixed prior to maturity review: - CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
|
| 8 | | Release 4 Vuls Exception Request | The failed test below in Lynis is granted an exception because ip forwarding is required in deployments using Kubernetes: - sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
The following additional exceptions are granted for this blueprint: - Performing test ID AUTH-9229 (Check password hashing methods) ## Not possible, will impact SHA_MIN_CRYPT_ROUNDS test. Currently using maximum security hashing method SHA512
- Performing test ID USB-2000 (Check USB authorizations) ## N/A: Using cloud VMs, no baremetal involved.
- Performing test ID USB-3000 (Check for presence of USBGuard) ## N/A: Using cloud VMs, no baremetal involved.
- Test: Checking MaxSessions ## Max session set to 4, this is the bare minimum level that can be used.
- Test: Checking Port ## Can't change during testing, BluVal requires SSH to be tcp/22. This port should be changed after testing, but prior to production.
- KRNL-6000: sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1 ## IP Forwarding is required for K8s.
The following exceptions must be fixed prior to maturity review: - sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
- sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
- sysctl key kernel.yama.ptrace_scope has a different value than expected in scan profile. Expected=1 2 3, Real=0
- sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
- sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
- sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
- sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
| The following exceptions must be fixed prior to maturity review: - CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
|
| 9 | Network Cloud and TF Integration Project | Release 4 Vuls Exception Request | The failed test below in Lynis is granted an exception because ip forwarding is required in deployments using Kubernetes: - sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
Below are items found in lynis that can be granted an exception, but must be fixed prior to maturity: - Performing test ID USB-3000 (Check for presence of USBGuard)
- Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
- Test: Checking Port in /tmp/lynis.ZotHQ7RQAj
- sysctl key kernel.core_uses_pid contains equal expected and current value (1)
- sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
- sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
|
|
| 10 | Integrated Cloud Native NFV/App stack family (Short term: ICN) | Release 4 Vuls Exception Request |
|
|
| 11 | Integrated Edge Cloud (IEC) Blueprint Family | Release 4 Vuls Exception Request |
|
|
| 12 | | Release 4 Vuls Exception Request |
|
|
| 13 | | Release 4 Vuls Exception Request |
|
|
| 14 | | Release 4 Vuls Exception Request |
|
|
| 15 | | Release 4 Vuls Exception Request |
|
|
| 16 | | Release 4 Vuls Exception Request |
|
|
| 17 | Kubernetes-Native Infrastructure (KNI) Blueprint Family | Release 4 Vuls Exception Request |
|
|
| 18 | Micro-MEC | Release 4 Vuls Exception Request |
|
|
| 19 | The AI Edge: School/Education Video Security Monitoring | Release 4 Vuls Exception Request |
|
|
| 20 | Network Cloud Blueprint Family | Release 4 Vuls Exception Request |
|
|
| 21 | StarlingX Far Edge Distributed Cloud | Release 4 Vuls Exception Request |
|
|
| 22 | Telco Appliance Blueprint Family | Release 4 Vuls Exception Request |
|
|
| 23 | | Release 4 Vuls Exception Request |
|
|
| 24 | | Release 4 Vuls Exception Request |
|
|
| 25 | The AI Edge Blueprint Family | Release 4 Vuls Exception Request |
|
|
| 26 | Time-Critical Edge Compute | Release 4 Vuls Exception Request |
|
|
| 27 | Public Cloud Edge Interface | Release 4 Vuls Exception Request |
|
|
| 28 | Enterprise Applications on Lightweight 5G Telco Edge | Release 4 Vuls Exception Request |
|
|
| 29 |
|
|
|
|
| 30 |
|
|
|
|