Performing test ID BOOT-5122 (Check for GRUB boot password): FAILED
2022-05-17 10:21:58 Result: file is owned by our current user ID (0), checking if it is readable
2022-05-17 10:21:58 Result: file /etc/grub.d/05_debian_theme is readable (or directory accessible).
2022-05-17 10:21:58 Result: did not find hashed password line in this file
2022-05-17 10:21:58 Result: Didn't find hashed password line in GRUB configuration
2022-05-17 10:21:58 Suggestion: Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password) [test:BOOT-5122] [details:-] [solution:-]
Test: Checking presence /var/run/reboot-required.pkgs: FAILED
2022-05-17 10:22:02 Result: file /var/run/reboot-required.pkgs exists
2022-05-17 10:22:02 Result: reboot is needed, related to 4 packages
2022-05-17 10:22:02 Package: 4
2022-05-17 10:22:02 Result: /boot exists, performing more tests from here
2022-05-17 10:22:02 Result: found /boot/vmlinuz
2022-05-17 10:22:02 Result: found a symlink, retrieving destination
2022-05-17 10:22:02 Result: destination file is vmlinuz-4.15.0-177-generic
2022-05-17 10:22:02 Result: version derived from file name is '4.15.0-177-generic'
2022-05-17 10:22:02 Result: found version 4.15.0-177-generic
2022-05-17 10:22:02 Result: active kernel version 4.15.0-166-generic
2022-05-17 10:22:02 Result: reboot needed, as there is a difference between active kernel and the one on disk
2022-05-17 10:22:02 Result: /var/cache/apt/archives/ does not exist
2022-05-17 10:22:02 Warning: Reboot of system is most likely needed [test:KRNL-5830] [details:] [solution:text:reboot]
Performing test ID AUTH-9229 (Check password hashing methods): FAILED
2022-05-17 10:22:02 Result: poor password hashing methods found: sha256crypt/sha512crypt(default<=5000rounds)
2022-05-17 10:22:02 Suggestion: Check PAM configuration, add rounds if applicable and expire passwords to encrypt with new values [test:AUTH-9229] [details:-] [solution:-]
Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs: FAILED
2022-05-17 10:22:02 Result: low number of maximum encryption algorithm rounds found: 5000
Performing test ID USB-2000 (Check USB authorizations): FAILED
2022-05-17 10:22:04 Result: Some USB devices are authorized by default (or temporary) to connect to the system
Performing test ID USB-3000 (Check for presence of USBGuard): FAILED
2022-05-17 10:22:04 Result: USBGuard not found
Performing test ID SSH-7408 (Check SSH specific defined options): FAILED
2022-05-17 10:22:39 Result: Option AllowTcpForwarding found
2022-05-17 10:22:39 Result: Option AllowTcpForwarding value is YES
2022-05-17 10:22:39 Result: OpenSSH option AllowTcpForwarding is in a weak configuration state and should be fixed
2022-05-17 10:22:39 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:AllowTcpForwarding (set YES to NO)] [solution:-]
2022-05-17 10:22:39 Result: Option MaxSessions found
2022-05-17 10:22:39 Result: Option MaxSessions value is 4
2022-05-17 10:22:39 Result: OpenSSH option MaxSessions is configured reasonably
2022-05-17 10:22:39 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:MaxSessions (set 4 to 2)] [solution:-]
2022-05-17 10:22:39 Result: Option PermitRootLogin found
2022-05-17 10:22:39 Result: Option PermitRootLogin value is YES
2022-05-17 10:22:39 Result: OpenSSH option PermitRootLogin is in a weak configuration state and should be fixed
2022-05-17 10:22:39 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:PermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|PROHIBIT-PASSWORD|WITHOUT-PASSWORD))] [solution:-]
2022-05-17 10:22:39 Result: Option Port found
2022-05-17 10:22:39 Result: Option Port value is 22
2022-05-17 10:22:39 Result: OpenSSH option Port is in a weak configuration state and should be fixed
2022-05-17 10:22:39 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:Port (set 22 to )] [solution:-]
2022-05-17 10:22:40 Result: Option X11Forwarding found
2022-05-17 10:22:40 Result: Option X11Forwarding value is YES
2022-05-17 10:22:40 Result: OpenSSH option X11Forwarding is in a weak configuration state and should be fixed
2022-05-17 10:22:40 Suggestion: Consider hardening SSH configuration [test:SSH-7408] [details:X11Forwarding (set YES to NO)] [solution:-]
Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile): FAILED
2022-05-17 10:23:32 Result: key hw.kbd.keymap_restrict_change does not exist on this machine
2022-05-17 10:23:32 Result: key kern.sugid_coredump does not exist on this machine
2022-05-17 10:23:32 Result: key kernel.core_setuid_ok does not exist on this machine
2022-05-17 10:23:32 Result: sysctl key kernel.core_uses_pid has a different value than expected in scan profile. Expected=1, Real=0
2022-05-17 10:23:32 Result: key kernel.exec-shield-randomize does not exist on this machine
2022-05-17 10:23:32 Result: key kernel.exec-shield does not exist on this machine
2022-05-17 10:23:32 Result: sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=1
2022-05-17 10:23:32 Result: key kernel.suid_dumpable does not exist on this machine
2022-05-17 10:23:32 Result: sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=176
2022-05-17 10:23:32 Result: sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
2022-05-17 10:23:32 Result: sysctl key net.ipv4.conf.all.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2022-05-17 10:23:32 Result: sysctl key net.ipv4.conf.all.send_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-05-17 10:23:33 Result: sysctl key net.ipv4.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-05-17 10:23:33 Result: sysctl key net.ipv4.conf.default.log_martians has a different value than expected in scan profile. Expected=1, Real=0
2022-05-17 10:23:33 Result: sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
2022-05-17 10:23:33 Result: key net.ipv6.conf.all.send_redirects does not exist on this machine
2022-05-17 10:23:33 Result: sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs: NOT PRESENT IN THIS LOG
Performing test ID USB-3000 (Check for presence of USBGuard): FAILED
2022-06-23 07:10:51 Checking USBGuard rule for controllers connected before daemon starts (PresentControllerPolicy)
2022-06-23 07:10:51 Result: PresentControllerPolicy = keep
2022-06-23 07:10:51 Consider changing PresentControllerPolicy to "apply-policy", "block" or "reject"
The Maturity Review Certification of the Federated ML Application At Edge Blueprint was performed over mail on 01/04 and is stored in the Documentation Sub-committee reviews for 2022. It is recommended to the Akraino TSC that the maturity requirements for Documentation be deemed fulfilled at the "mature" level and that the BP graduation request to "Mature" level be accepted.
The AI Edge – Federated ML blueprint passed the Incubation phase in Release 5 and also meets the Maturity requirements for Vuls. However, the Lynis test requirements are more stringent for Maturity than for Incubation. The additional Lynis Maturity criteria can be found at https://wiki.akraino.org/pages/viewpage.action?pageId=11996301#StepsToImplementSecurityScanRequirements-VulsIncubationandMaturityPASSFAIL in the ‘Lynis Maturity: PASS/FAIL Criteria, v1.0’ section. Please run the Lynis tests against the AI Edge – Federated ML blueprint and correct issues so that all Maturity tests pass. Once all Maturity tests pass, please send the lynis.log output file to the Akraino security team for review.
1/14/2022 Emailed Haihui Wang:
Below is the analysis that our maturity check script returned for the lynis log for the AI Edge – Federated ML blueprint. All tests that ‘FAILED’ need to be corrected to be approved for maturity; there are more tests that failed than the one that you listed.
For the test ID AUTH-9229 that you described, would you be able to increase the ‘rounds’ to a value greater than 5000 and expire passwords so that they encrypt with new values?