Akraino Security Sub-Committee Meeting Agenda 04/12/2021
Agenda:
- New Agenda Items
AI Edge: School/Education Video Security Monitoring – seeking security approval for Maturity
https://wiki.akraino.org/pages/viewpage.action?pageId=20316211
Contact: Liya Yu Baidu yuliya@baidu.com
Vuls: CVE-2019-14889
Lynis:
The following items must be fixed for incubation or maturity in the next release:
- Test ID HRDN-7220 (Check if one or more compilers are installed) ; /usr/bin/as compiler was found and must be removed
- Test ID AUTH-9328 (Default umask values)
The following items must be fixed for maturity approval, these tests and results can be found in the lynis.log file:
- Test ID BOOT-5184
- Test: Checking presence /var/run/reboot-required.pkgs
- Test ID AUTH-9229 (Check password hashing methods)
- Test: Checking Port in /tmp/lynis.ZotHQ7RQAj; ssh port can not be set to tcp/22. (No longer a requirement, only a recommendation) It is highly recommended to change ssh port in production
- sysctl key kernel.sysrq ; Must be expected value
- sysctl key net.ipv4.conf.all.forwarding ; Must be expected value. Blueprint uses ip forwarding so this setting needs to be true. (Exception)
Kube-Hunter:
The following items must be fixed prior to the next release, these tests and results can be found in the cluster.log file:
- KHV005 - Unauthenticated access to API
- KHV002 - K8s Version Disclosure
The following items must be fixed prior to the next release, these tests and results can be found in the pod.log file:
- Access to pod's secrets. Accessing the pod's secrets within a compromised pod might disclose valuable data to a potential attacker.
- KHV050 - Read access to pod's service account token. Accessing the pod service account token gives an attacker the option to use the server