Akraino Security Sub-Committee Meeting Agenda 03/21/2021

Attendees:

Randy Stricklin

Daniil Egranov

Tina Tsou


Agenda:


  1. Platform Security


  1. Lynis incubation requirements update to wiki


  1. Summer intern request:


Description:  Akraino is an open source project initiated by AT&T and Intel to develop a fully integrated edge infrastructure.  The Akraino security sub-committee, chaired by AT&T, has numerous security requirements and scans for the sub-projects, called blueprints, within Akraino.  Currently all security activities, including reviewing log results of these security scans, are manually reviewed by the security team. 

Intern related projects in this space include:  gaining an understanding of the Akraino blueprint validation/approval workflow logic, interfacing with the Akraino Security and CI/Blueprint Validation sub-committees, automating the blueprint security scan review process, automating the storage/archival of Akraino security artifacts, and creating an informative security report for blueprint owners.

  1. Lynis is an opensource Linux security auditing tool. The security team has created a list of tests that must pass for the incubation phase and the maturity phase.  I would like to create a script that takes as input:
  • The lynis.log output file generated by a scan from a Blueprint team
  • Whether the Blueprint is in the incubation or maturity phase

Output:

  • Pass or Fail grade
  • In the event of a failing grade, provide a list of failed tests along with suggested corrective actions.


  1. Vuls is an opensource vulnerability scanning tool for Linux. It generates a list of CVEs found.  Opportunities for vuls automation include:
  • Create a database or structure file including CVE’s that vendors have NOT fixed for a specific OS version. We have collected quite a bit of data over the last Akraino release to seed this database/file.
  • Create a script that takes as input:
    • The vuls.log file generated by a scan from a Blueprint team
    • Whether the Blueprint is in the incubation or maturity phase
  • Output:
    • Pass or Fail grade
    • In the event of a failing grade, the list of CVEs that have patches available that have not been applied.


  1. Kube-Hunter is an opensource vulnerability scanning tool for Kubernetes. It generates a list of vulnerabilities found for both the Kubernetes pod and cluster. 

Create a script that takes as input:

  1. The cluster.log and pod.log files generated by a scan from a Blueprint team
  2. Whether the Blueprint is in the incubation or maturity phase

Output:

  1. Pass or Fail grade
  2. In the event of a failing grade, the list of vulnerabilities that must be fixed including suggested corrective actions.

3/23/21 TSC Meeting VM resources contact:

            Peter Poulloit ppouliot@amperecomputing.com

            Lincoln Lavoie lylavoie@iol.unh.edu

            Will need to provide VM specs and VM disk image to Lincoln.

  1. Akraino Security OS Version Policy v0.1 review


  1. Akraino Security Requirements Changes/Updates v0.1 review


  • No labels