You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 41 Next »


Mature Blueprints

No.Project NamePTL
1Radio Edge Cloud (REC)
Paul Carver
2

Connected Vehicle Blueprint

Tao Wang
3

IEC Type 4: AR/VR oriented Edge Stack for Integrated Edge Cloud (IEC) Blueprint Family

Bart Dong
4The AI Edge: Federated ML application at edge

Enzo Zhang

Blueprints Participating Maturity Review

No.Project NamePTLMain CommitterSelf-Certification Page

Documentation Sub-Committee

Ike Alisson

Logs (Vuls, Lynis, KubeHunter)

Security Sub-Committee

Randy Stricklin Daniil Egranov Wenhui Zhang

Process Sub-Committee

Biswajit De

haihui wang

TSC

Tina Tsou Oleg Berzin

1

The AI Edge: School/Education Video Security Monitoring

Yu, Liya

Maturity Review Certification of Video Security Monitoring Blueprint

Maturity Review performed over e-mail on May 5th, 2021. Link to the overview: 2021 yearhttps://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/4/result/


2

IEC Type 2 for Integrated Edge Cloud (IEC) Blueprint Family


Trevor Tao

ashvin kumar

Vinothini Raju Muhammad Hamza

Integration Edge Cloud Type 1 and Type 2 Release 2 Maturity Review Certification





3

The AI Edge: Intelligent Vehicle-Infrastructure Cooperation System(I-VICS)

Yu, Liya

Hao Zhongwang


Maturity Review Certification of I-VICS






4IEC Type 5: SmartNIC for Integrated Edge Cloud (IEC) Blueprint Familyjin peng

Leo Li

Maturity Review Certification of SmartNIC

Documentation Review Meeting notes

socnoc - Akraino - Akraino Confluence


5IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family

Davy Zhang


Maturity Review Certification of Android Cloud

Documentation Review Meeting notes

https://nexus.akraino.org/content/sites/logs/ysemi/job/v1/validation_results_v4/

 

https://nexus.akraino.org/content/sites/logs/ysemi/job/v1/validation_results_v5/

 

https://nexus.akraino.org/content/sites/logs/ysemi/job/v1/validation_results_v6/

 

Lynis:

Performing test ID BOOT-5122 (Check for GRUB boot password): FAILED
2022-04-17 23:44:05 Result: file is owned by our current user ID (0), checking if it is readable
2022-04-17 23:44:05 Result: file /etc/grub.d/05_debian_theme is readable (or directory accessible).
2022-04-17 23:44:05 Result: did not find hashed password line in this file
2022-04-17 23:44:05 Result: Didn't find hashed password line in GRUB configuration
2022-04-17 23:44:05 Suggestion: Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [test:BOOT-5122] [details:-] [solution:-]

Test: Checking presence /var/run/reboot-required.pkgs: FAILED
2022-04-17 23:44:09 Result: file /var/run/reboot-required.pkgs not found
2022-04-17 23:44:09 Result: /boot exists, performing more tests from here
2022-04-17 23:44:09 Result: found /boot/vmlinuz
2022-04-17 23:44:09 Result: found a symlink, retrieving destination
2022-04-17 23:44:09 Result: destination file is vmlinuz-4.15.0-173-generic
2022-04-17 23:44:09 Result: version derived from file name is '4.15.0-173-generic'
2022-04-17 23:44:09 Result: found version 4.15.0-173-generic
2022-04-17 23:44:09 Result: active kernel version 4.15.18
2022-04-17 23:44:09 Result: reboot needed, as there is a difference between active kernel and the one on disk
2022-04-17 23:44:09 Result: /var/cache/apt/archives/ does not exist
2022-04-17 23:44:09 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]

Performing test ID AUTH-9229 (Check password hashing methods): FAILED
2022-04-17 23:44:09 Result: poor password hashing methods found: sha256crypt/sha512crypt(default<=5000rounds)
2022-04-17 23:44:09 Suggestion: Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [test:AUTH-9229] [details:-] [solution:-]


Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs: FAILED
2022-04-17 23:44:09 Result: number of minimum rounds used by the encryption algorithm is not configured
2022-04-17 23:44:09 Suggestion: Configure minimum encryption algorithm rounds in /etc/login.defs [test:AUTH-9230] [details:-] [solution:-]
2022-04-17 23:44:09 Result: number of maximum rounds used by the encryption algorithm is not configured
2022-04-17 23:44:09 Suggestion: Configure maximum encryption algorithm rounds in /etc/login.defs [test:AUTH-9230] [details:-] [solution:-]


Test: Checking PASS_MAX_DAYS option in /etc/login.defs: FAILED
2022-04-17 23:44:10 Result: password aging limits are not configured
2022-04-17 23:44:10 Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]

Performing test ID AUTH-9328 (Default umask values): FAILED
2022-04-17 23:44:10 Result: found umask 022, which could be improved
2022-04-17 23:44:10 Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-]

Performing test ID USB-2000 (Check USB authorizations): FAILED
2022-04-17 23:44:11 Result: Some USB devices are authorized by default (or temporary) to connect to the system

Performing test ID USB-3000 (Check for presence of USBGuard): FAILED
2022-04-17 23:44:11 Result: USBGuard not found

Performing test ID PKGS-7370 (Checking for debsums utility): FAILED
2022-04-17 23:44:23 Result: debsums utility is not installed.

Performing test ID SSH-7408 (Check SSH specific defined options): FAILED
2022-04-17 23:44:50 Result: Option AllowTcpForwarding found
2022-04-17 23:44:50 Result: Option AllowTcpForwarding value is YES
2022-04-17 23:44:50 Result: OpenSSH option AllowTcpForwarding is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-]
2022-04-17 23:44:50 Result: Option ClientAliveCountMax found
2022-04-17 23:44:50 Result: Option ClientAliveCountMax value is 3
2022-04-17 23:44:50 Result: OpenSSH option ClientAliveCountMax is configured reasonably
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:ClientAliveCountMax (set 3 to 2)] [solution:-]
2022-04-17 23:44:50 Result: Option Compression found
2022-04-17 23:44:50 Result: Option Compression value is YES
2022-04-17 23:44:50 Result: OpenSSH option Compression is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:Compression (set YES to NO)] [solution:-]
2022-04-17 23:44:50 Result: Option LogLevel found
2022-04-17 23:44:50 Result: Option LogLevel value is INFO
2022-04-17 23:44:50 Result: OpenSSH option LogLevel is configured reasonably
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:LogLevel (set INFO to VERBOSE)] [solution:-]
2022-04-17 23:44:50 Result: Option MaxAuthTries found
2022-04-17 23:44:50 Result: Option MaxAuthTries value is 6
2022-04-17 23:44:50 Result: OpenSSH option MaxAuthTries is configured reasonably
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:MaxAuthTries (set 6 to 3)] [solution:-]
2022-04-17 23:44:50 Result: Option MaxSessions found
2022-04-17 23:44:50 Result: Option MaxSessions value is 10
2022-04-17 23:44:50 Result: OpenSSH option MaxSessions is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:MaxSessions (set 10 to 2)] [solution:-]
2022-04-17 23:44:50 Result: Option PermitRootLogin found
2022-04-17 23:44:50 Result: Option PermitRootLogin value is YES
2022-04-17 23:44:50 Result: OpenSSH option PermitRootLogin is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:PermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))] [solution:-]
2022-04-17 23:44:50 Result: Option Port found
2022-04-17 23:44:50 Result: Option Port value is 22
2022-04-17 23:44:50 Result: OpenSSH option Port is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:Port (set 22 to )] [solution:-]
2022-04-17 23:44:50 Result: Option TCPKeepAlive found
2022-04-17 23:44:50 Result: Option TCPKeepAlive value is YES
2022-04-17 23:44:50 Result: OpenSSH option TCPKeepAlive is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:TCPKeepAlive (set YES to NO)] [solution:-]
2022-04-17 23:44:50 Result: Option X11Forwarding found
2022-04-17 23:44:50 Result: Option X11Forwarding value is YES
2022-04-17 23:44:50 Result: OpenSSH option X11Forwarding is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:X11Forwarding (set YES to NO)] [solution:-]
2022-04-17 23:44:50 Result: Option AllowAgentForwarding found
2022-04-17 23:44:50 Result: Option AllowAgentForwarding value is YES
2022-04-17 23:44:50 Result: OpenSSH option AllowAgentForwarding is in a weak configuration state and should be fixed
2022-04-17 23:44:50 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowAgentForwarding (set YES to NO)] [solution:-]

Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile): FAILED
2022-04-17 23:45:41 Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
2022-04-17 23:45:41 Result: key hw.kbd.keymap_restrict_change does not exist on this machine
2022-04-17 23:45:41 Result: key kern.sugid_coredump does not exist on this machine
2022-04-17 23:45:41 Result: key kernel.core_setuid_ok does not exist on this machine
2022-04-17 23:45:41 Result: sysctl key kernel.core_uses_pid has a different value than expected in scan profile. Expected=1, Real=0
2022-04-17 23:45:41 Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0
2022-04-17 23:45:42 Result: sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
2022-04-17 23:45:42 Result: sysctl key net.ipv4.conf.all.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2022-04-17 23:45:42 Result: sysctl key net.ipv4.conf.all.send_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-04-17 23:45:42 Result: sysctl key net.ipv4.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-04-17 23:45:42 Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1
2022-04-17 23:45:42 Result: sysctl key net.ipv4.conf.default.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2022-04-17 23:45:42 Result: sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-04-17 23:45:42 Result: key net.ipv6.conf.all.send_redirects does not exist on this machine
2022-04-17 23:45:42 Result: sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1


Test: Check if one or more compilers can be found on the system: FAILED
2022-04-17 23:45:42 Result: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler'
2022-04-17 23:37:28 Found known binary: as (compiler) - /usr/bin/as
2022-04-17 23:37:28 Found known binary: cc (compiler) - /usr/bin/cc
2022-04-17 23:37:28 Found known binary: g++ (compiler) - /usr/bin/g++
2022-04-17 23:37:28 Found known binary: gcc (compiler) - /usr/bin/gcc
2022-04-17 23:44:13 Found package: device-tree-compiler (version: 1.4.5-3)
2022-04-17 23:44:21 Found package: protobuf-compiler (version: 3.0.0-9.1ubuntu1)


Tina Tsou
6

Smart Cities


Jack Liu

Jason Wen



https://nexus.akraino.org/content/sites/logs/myais/bluval/3/

Lynis:

Performing test ID AUTH-9228 (Check password file consistency with pwck): FAILED
2022-05-20 01:19:27 Result: pwck found one or more errors/warnings in the password file.
2022-05-20 01:19:27 Suggestion: Run pwck manually and correct any errors in the password file [test:AUTH-9228] [details:-] [solution:-]


Performing test ID AUTH-9229 (Check password hashing methods): NOT PRESENT IN THIS LOG


Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs: NOT PRESENT IN THIS LOG


Test: collecting accounts which have an expired password (last day changed + maximum change time): NOT PRESENT IN THIS LOG


Performing test ID FILE-6368 (Checking ACL support on root file system): NOT PRESENT IN THIS LOG


Performing test ID USB-3000 (Check for presence of USBGuard): FAILED
2022-05-20 01:19:28 Result: USBGuard not found


Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile): FAILED
2022-05-20 01:19:43 Result: sysctl key dev.tty.ldisc_autoload has a different value than expected in scan profile. Expected=0, Real=1
2022-05-20 01:19:43 Result: key fs.protected_fifos does not exist on this machine
2022-05-20 01:19:43 Result: key fs.protected_hardlinks does not exist on this machine
2022-05-20 01:19:43 Result: key fs.protected_regular does not exist on this machine
2022-05-20 01:19:43 Result: key fs.protected_symlinks does not exist on this machine
2022-05-20 01:19:43 Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
2022-05-20 01:19:43 Result: key hw.kbd.keymap_restrict_change does not exist on this machine
2022-05-20 01:19:43 Result: key kernel.core_setuid_ok does not exist on this machine
2022-05-20 01:19:43 Result: sysctl key kernel.core_uses_pid has a different value than expected in scan profile. Expected=1, Real=0
2022-05-20 01:19:43 Result: key kernel.exec-shield does not exist on this machine
2022-05-20 01:19:43 Result: key kernel.exec-shield-randomize does not exist on this machine
2022-05-20 01:19:43 Result: sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=1
2022-05-20 01:19:43 Result: key kernel.maps_protect does not exist on this machine
2022-05-20 01:19:43 Result: sysctl key kernel.modules_disabled has a different value than expected in scan profile. Expected=1, Real=0
2022-05-20 01:19:43 Result: key kernel.suid_dumpable does not exist on this machine
2022-05-20 01:19:43 Result: sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=176
2022-05-20 01:19:43 Result: sysctl key kernel.unprivileged_bpf_disabled has a different value than expected in scan profile. Expected=1, Real=2
2022-05-20 01:19:43 Result: sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
2022-05-20 01:19:43 Result: sysctl key net.ipv4.conf.all.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2022-05-20 01:19:43 Result: sysctl key net.ipv4.conf.all.send_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-05-20 01:19:43 Result: sysctl key net.ipv4.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-05-20 01:19:43 Result: sysctl key net.ipv4.conf.default.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2022-05-20 01:19:43 Result: sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-05-20 01:19:43 Result: key net.ipv6.conf.all.send_redirects does not exist on this machine
2022-05-20 01:19:44 Result: sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1




Records of Details

No.Project NamePTLMain CommitterSelf-Certification Page

Documentation Sub-Committee

Ike Alisson

Logs (Vuls, Lynis, KubeHunter)

Security Sub-Committee

Randy Stricklin Daniil Egranov Wenhui Zhang

Process Sub-Committee

Biswajit De

TSC

Tina Tsou Oleg Berzin

4

The AI Edge: Federated ML application at edge

Enzo Zhang

haihui wang

Maturity Review Certification of Federated ML Application At Edge Blueprint

Maturity Review Certification of Federated ML Application At Edge Blueprint performed over mail on 01/04 & stored at Documentation Sub-committee reviews for 2022. It is recommended to Akraino TSC to deem the maturity requirements for Documentation to "mature" level as fulfilled and accept the BP graduation request to "Mature" level.


2/28/2022 Update

https://nexus.akraino.org/content/sites/logs/fate/fml/mat4/

  • 1/3/2022 Emailed Haihui Wang: 

    AI Edge- Federated ML blueprint has passed the Incubation phase in Release 5 it also meets the Maturity requirements for Vuls.  However, The Lynis test requirements are more stringent for Maturity than Incubation.  The additional Lynis Maturity criteria can be found at https://wiki.akraino.org/pages/viewpage.action?pageId=11996301#StepsToImplementSecurityScanRequirements-VulsIncubationandMaturityPASSFAIL in the ‘Lynis Maturity:  PASS/FAIL Criteria, v1.0’ section.  Please run the Lynis tests against the AI Edge – Federated ML blueprint and correct issues so that all Maturity tests pass.  Once all Maturity tests pass please send the lynis.log output file to the Akraino security team for review.

  • 1/14/2022 Emailed Haihui Wang:

    Below is the analysis that our maturity check script returned for the lynis log for the AI Edge – Federate ML blueprint.  All tests that ‘FAILED’ need to be corrected to be approved for maturity, there are more tests that failed than the one that you listed. 

    For the test ID AUTH-9229 that you described, would you be able to increase the ‘rounds’ to a value greater than 5000 and expire passwords so that they encrypt with new values?
Approved by Process Sub-Commitee.
  • No labels