Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...


Project Name

Vuls Scan

  • Pass/Fail
  • Exceptions

Lynis Scan

  • Pass/Fail
  • Exceptions

Kube-Hunter Scan

  • Pass/Fail
  • Exceptions
1

5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint

Release 4 Vuls Exception Request



2

AI/ML and AR/VR applications at Edge

Release 4 Vuls Exception Request

3Connected Vehicle BlueprintRelease 4 Vuls Exception Request
  1. Consider hardening SSH configuration [test:SSH-7408] [details:Port (set 22 to )

Exception is granted for using port 22 for testing/BlueVal.  However, since this BP is requesting a maturity review the port must be changed to a high port after testing for production use.

   2.  Consider hardening SSH configuration [test:SSH-7408] [details:MaxSessions (set 4 to 2)

Exception is granted for testing/BlueVal.  Since this BP is requesting a maturity review the MaxSessions must be changed to 2 after testing for production use.


4Edge Video ProcessingRelease 4 Vuls Exception Request

5ELIOT: Edge Lightweight and IoT Blueprint FamilyRelease 4 Vuls Exception Request

6Release 4 Vuls Exception Request

7Release 4 Vuls Exception Request
  1. Performing test ID BOOT-5122 (Check for GRUB boot password)  ## After setting up grub boot password --> Cloud Vms won’t boot properly. Lead to unstable VMs
  2. Performing test ID AUTH-9229 (Check password hashing methods) ## Not possible, will impact SHA_MIN_CRYPT_ROUNDS test.  Currently using maximum security hashing method SHA512
  3. Performing test ID USB-2000 (Check USB authorizations)  ## N/A:  Using cloud VMs, no baremetal involved.
  4. Performing test ID USB-3000 (Check for presence of USBGuard)  ## N/A:  Using cloud VMs, no baremetal involved.
  5. Test: Checking MaxSessions  ## Max session set to 4, this is the bare minimum level that can be used.
  6. Test: Checking Port  ## Can't change during testing, BluVal requires SSH to be tcp/22.  This port should be changed after testing, but prior to production.
  7. KRNL-6000:  sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1  ## IP Forwarding is required for K8s.

The following exceptions must be fixed prior to maturity review:

  1. sysctl key kernel.core_uses_pid contains equal expected and current value (1)
  2. sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
  3. sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
  4. sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
  5. sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
  6. sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
  7. sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
  8. sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
  9. sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1

The following exceptions must be fixed prior to maturity review:

  1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
8Release 4 Vuls Exception Request

The failed test below in Lynis is granted an exception because ip forwarding is required in deployments using Kubernetes:

  1. sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1

The following additional exceptions are granted for this blueprint:

  1. Performing test ID AUTH-9229 (Check password hashing methods) ## Not possible, will impact SHA_MIN_CRYPT_ROUNDS test.  Currently using maximum security hashing method SHA512
  2. Performing test ID USB-2000 (Check USB authorizations)  ## N/A:  Using cloud VMs, no baremetal involved.
  3. Performing test ID USB-3000 (Check for presence of USBGuard)  ## N/A:  Using cloud VMs, no baremetal involved.
  4. Test: Checking MaxSessions  ## Max session set to 4, this is the bare minimum level that can be used.
  5. Test: Checking Port  ## Can't change during testing, BluVal requires SSH to be tcp/22.  This port should be changed after testing, but prior to production.
  6. KRNL-6000:  sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1  ## IP Forwarding is required for K8s.


The following exceptions must be fixed prior to maturity review:

  1. sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
  2. sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
  3. sysctl key kernel.yama.ptrace_scope has a different value than expected in scan profile. Expected=1 2 3, Real=0
  4. sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
  5. sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
  6. sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
  7. sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
  8. sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
  9. sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1

The following exceptions must be fixed prior to maturity review:

  1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
9Network Cloud and TF Integration ProjectRelease 4 Vuls Exception Request

The failed test below in Lynis is granted an exception because ip forwarding is required in deployments using Kubernetes:

  1. sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1

Below are items found in lynis that can be granted an exception, but must be fixed prior to maturity:

  1. Performing test ID USB-3000 (Check for presence of USBGuard)
  2. Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
  3. Test: Checking Port in /tmp/lynis.ZotHQ7RQAj
  4. sysctl key kernel.core_uses_pid contains equal expected and current value (1)
  5. sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
  6. sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16

10Integrated Cloud Native NFV/App stack family (Short term: ICN)Release 4 Vuls Exception Request

The failed test below in Lynis is granted an exception because ip forwarding is required in deployments using Kubernetes:

  1. sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1

Below are items found in lynis that can be granted an exception, but must be fixed prior to maturity:

  1. Performing test ID USB-3000 (Check for presence of USBGuard)
  2. Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
  3. Test: Checking Port in /tmp/lynis.ZotHQ7RQAj

11Integrated Edge Cloud (IEC) Blueprint FamilyRelease 4 Vuls Exception Request

12Release 4 Vuls Exception Request

13Release 4 Vuls Exception Request

14Release 4 Vuls Exception Request

15Release 4 Vuls Exception Request
  1. Consider hardening SSH configuration [test:SSH-7408] [details:Port (set 22 to )

Exception is granted for using port 22 for testing/BlueVal.  However, since this BP is requesting a maturity review the port must be changed to a high port after testing for production use.

   2.  Consider hardening SSH configuration [test:SSH-7408] [details:MaxSessions (set 4 to 2)

Exception is granted for testing/BlueVal.  Since this BP is requesting a maturity review the MaxSessions must be changed to 2 after testing for production use.


16Release 4 Vuls Exception Request

17Kubernetes-Native Infrastructure (KNI) Blueprint FamilyRelease 4 Vuls Exception Request

18

The following exceptions must be fixed prior to maturity review:\

  1. Test: Checking presence /var/run/reboot-required.pkgs
  2. Performing test ID AUTH-9228 (Check password file consistency with pwck)
  3. Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs
  4. Performing test ID USB-2000 (Check USB authorizations)
  5. Performing test ID USB-3000 (Check for presence of USBGuard)
  6. Test: Checking AllowTcpForwarding in /tmp/lynis.ZotHQ7RQAj
  7. Test: Checking ClientAliveCountMax in /tmp/lynis.ZotHQ7RQAj
  8. Test: Checking MaxAuthTries in /tmp/lynis.ZotHQ7RQAj
  9. Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
  10. Test: Checking Port in /tmp/lynis.ZotHQ7RQAj
  11. Test: Checking TCPKeepAlive in /tmp/lynis.ZotHQ7RQAj
  12. sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
  13. sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
  14. sysctl key kernel.yama.ptrace_scope has a different value than expected in scan profile. Expected=1 2 3, Real=0
  15. sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
  16. sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
  17. sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
  18. sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
  19. sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
  20. sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
  21. sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1

19

The following exceptions must be fixed prior to maturity review:\

  1. Test: Checking presence /var/run/reboot-required.pkgs
  2. Performing test ID AUTH-9228 (Check password file consistency with pwck)
  3. Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs
  4. Performing test ID USB-2000 (Check USB authorizations)
  5. Performing test ID USB-3000 (Check for presence of USBGuard)
  6. Test: Checking AllowTcpForwarding in /tmp/lynis.ZotHQ7RQAj
  7. Test: Checking ClientAliveCountMax in /tmp/lynis.ZotHQ7RQAj
  8. Test: Checking MaxAuthTries in /tmp/lynis.ZotHQ7RQAj
  9. Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
  10. Test: Checking Port in /tmp/lynis.ZotHQ7RQAj
  11. Test: Checking TCPKeepAlive in /tmp/lynis.ZotHQ7RQAj
  12. sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
  13. sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
  14. sysctl key kernel.yama.ptrace_scope has a different value than expected in scan profile. Expected=1 2 3, Real=0
  15. sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
  16. sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
  17. sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
  18. sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
  19. sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
  20. sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
  21. sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1

20

Micro-MEC

Release 4 Vuls Exception Request

21The AI Edge: School/Education Video Security MonitoringRelease 4 Vuls Exception Request

22Network Cloud Blueprint FamilyRelease 4 Vuls Exception Request

23StarlingX Far Edge Distributed CloudRelease 4 Vuls Exception Request

24Telco Appliance Blueprint FamilyRelease 4 Vuls Exception Request

25Release 4 Vuls Exception Request

26Release 4 Vuls Exception Request

27The AI Edge Blueprint FamilyRelease 4 Vuls Exception Request

28

Time-Critical Edge Compute

Release 4 Vuls Exception Request

29Public Cloud Edge InterfaceRelease 4 Vuls Exception Request

30Enterprise Applications on Lightweight 5G Telco EdgeRelease 4 Vuls Exception Request
  1. Performing test ID BOOT-5122 (Check for GRUB boot password) - Granted an exception because Blueprint is using a public cloud VM and GRUB password cannot be changed.
  2. Performing test ID AUTH-9229 (Check password hashing methods) - Exception granted:  output provided showing both root and non-root hashing set to SHA512 and 800,000 rounds.
  3. Performing test ID USB-2000 (Check USB authorizations) - Exception granted because not possible since using cloud VM
  4. Test: Checking MaxSessions - Exception granted reduced from MaxSessions --> 6 to 4. Minimum 4 sessions are needed for BluVal to run
  5. Test: Checking Port - Exception granted; 

    Validation framework is failing if ssh changed from Port 22 --> {}. Needed for BlueVal to run.

The following exceptions must be fixed prior to maturity review:

  1. sysctl key kernel.core_uses_pid contains equal expected and current value (1)
  2. sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
  3. sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
  4. sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
  5. sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
  6. sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
  7. sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
  8. sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
  9. sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
  10. sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1

The following exceptions must be fixed prior to maturity review:

  1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
31



32



...