Versions Compared

Old Version 41

changes.mady.by.user Colin Peters

Saved on

compared with

New Version 42

changes.mady.by.user Yoshiko Tsuji

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
maxLevel3

...

We use Ubuntu 20.04, so we ran Vuls test as follows:

  1. Create directory

    $ mkdir ~/vuls
$ cd ~/vuls
$ mkdir go-cve-dictionary-log goval-dictionary-log gost-log


  2. Fetch NVD

    $ docker run --rm -it \
    -v $PWD:/go-cve-dictionary \
    -v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \
    vuls/go-cve-dictionary fetch nvd


  3. Fetch OVAL

    $ docker run --rm -it \
     -v $PWD:/goval-dictionary \
     -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
     vuls/goval-dictionary fetch ubuntu 16 17 18 19 20


  4. Fetch gost

    $ docker run --rm -i \
     -v $PWD:/gost \
     -v $PWD/gost-log:/var/log/gost \
     vuls/gost fetch ubuntu


  5. Create config.toml

    [servers]

[servers.master]
host = "192.168.51.22"
port = "22"
user = "test-user"
sshConfigPath   = "/root/.ssh/config"
keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker


  6. Start vuls container to run tests

    $ docker run --rm -it \
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    -v /etc/localtime:/etc/localtime:ro \
    -v /etc/timezone:/etc/timezone:ro \
    vuls/vuls scan \
    -config=./config.toml


  7. Get the report

    $ docker run --rm -it \
     -v ~/.ssh:/root/.ssh:ro \
     -v $PWD:/vuls \
     -v $PWD/vuls-log:/var/log/vuls \
     -v /etc/localtime:/etc/localtime:ro \
     vuls/vuls report \
     -format-list \
     -config=./config.toml


Lynis/Kube-Hunter

  1. Create ~/validation/bluval/bluval-sdtfc.yaml to customize the Test

    blueprint:
    name: sdtfc
    layers:
        - os
        - k8s

    os: &os
        -
            name: lynis
            what: lynis
            optional: "False"
    k8s: &k8s
        -
            name: kube-hunter
            what: kube-hunter
            optional: "False"


  2. Update ~/validation/bluval/volumes.yaml file

    volumes:
    # location of the ssh key to access the cluster
    ssh_key_dir:
        local: '/home/ubuntu/.ssh'
        target: '/root/.ssh'
    # location of the k8s access files (config file, certificates, keys)
    kube_config_dir:
        local: '/home/ubuntu/kube'
        target: '/root/.kube/'
    # location of the customized variables.yaml
    custom_variables_file:
        local: '/home/ubuntu/validation/tests/variables.yaml'
        target: '/opt/akraino/validation/tests/variables.yaml'
    # location of the bluval-<blueprint>.yaml file
    blueprint_dir:
        local: '/home/ubuntu/validation/bluval'
        target: '/opt/akraino/validation/bluval'
    # location on where to store the results on the local jumpserver
    results_dir:
        local: '/home/ubuntu/results'
        target: '/opt/akraino/results'
    # location on where to store openrc file
    openrc:
        local: ''
        target: '/root/openrc'

# parameters that will be passed to the container at each layer
layers:
    # volumes mounted at all layers; volumes specific for a different layer are below
    common:
        - custom_variables_file
        - blueprint_dir
        - results_dir
    hardware:
        - ssh_key_dir
    os:
        - ssh_key_dir
    networking:
        - ssh_key_dir
    docker:
        - ssh_key_dir
    k8s:
        - ssh_key_dir
        - kube_config_dir
    k8s_networking:
        - ssh_key_dir
        - kube_config_dir
    openstack:
        - openrc
    sds:
    sdn:
    vim:


  3. Update ~/validation/tests/variables.yaml file

    ### Input variables cluster's master host
host: <IP Address>             # cluster's master host address
username: <username>            # login name to connect to cluster
password: <password>         # login password to connect to cluster
ssh_keyfile: /root/.ssh/id_rsa        # Identity file for authentication


  4. Run Blucon

    $ bash validation/bluval/blucon.sh sdtfc


Expected output

BluVal tests should report success for all test cases.

...

Insert Results URL

Vuls

There are 17 CVEs with CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request

CVE-IDCVSSNVDFix/Notes
CVE-2016-15859.8https://nvd.nist.gov/vuln/detail/CVE-2016-1585No fix available
CVE-2021-202369.8https://nvd.nist.gov/vuln/detail/CVE-2021-20236No fix available (latest release of ZeroMQ for Ubuntu 20.04 is 4.3.2-2ubuntu1)
CVE-2021-318709.8https://nvd.nist.gov/vuln/detail/CVE-2021-31870No fix available (latest release of klibc for Ubuntu 20.04 is 2.0.7-1ubuntu5)
CVE-2021-318729.8https://nvd.nist.gov/vuln/detail/CVE-2021-31872No fix available (latest release of klibc for Ubuntu 20.04 is 2.0.7-1ubuntu5)
CVE-2021-318739.8https://nvd.nist.gov/vuln/detail/CVE-2021-31873No fix available (latest release of klibc for Ubuntu 20.04 is 2.0.7-1ubuntu5)
CVE-2021-335749.8https://nvd.nist.gov/vuln/detail/CVE-2021-33574Will not be fixed in Ubuntu stable releases
CVE-2021-459519.8https://nvd.nist.gov/vuln/detail/CVE-2021-45951No fix available (vendor disputed)
CVE-2021-459529.8https://nvd.nist.gov/vuln/detail/CVE-2021-45952No fix available (vendor disputed)
CVE-2021-459539.8https://nvd.nist.gov/vuln/detail/CVE-2021-45953No fix available (vendor disputed)
CVE-2021-459549.8https://nvd.nist.gov/vuln/detail/CVE-2021-45954No fix available (vendor disputed)
CVE-2021-459559.8https://nvd.nist.gov/vuln/detail/CVE-2021-45955No fix available (vendor disputed)
CVE-2021-459569.8https://nvd.nist.gov/vuln/detail/CVE-2021-45956No fix available (vendor disputed)
CVE-2021-459579.8https://nvd.nist.gov/vuln/detail/CVE-2021-45957No fix available (vendor disputed)
CVE-2022-232189.8https://nvd.nist.gov/vuln/detail/CVE-2022-23218Reported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls
CVE-2022-232199.8https://nvd.nist.gov/vuln/detail/CVE-2022-23219Reported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls
CVE-2016-91809.1https://nvd.nist.gov/vuln/detail/CVE-2016-9180No fix available
CVE-2021-359429.1https://nvd.nist.gov/vuln/detail/CVE-2021-35942Reported fixed in 2.31-0ubuntu9.7 (installed), but still reported by Vuls
Lynis

The initial results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.

...

  • KHV002
  • KHV005
  • KHV050
  • CAP_NET_RAW Enabled
  • Access to pod's secrets

Fix for KHV002

$ kubectl replace -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:public-info-viewer
rules:
- nonResourceURLs:
  - /healthz
  - /livez
  - /readyz
  verbs:
  - get
EOF


Fix for KHV005, KHV050, Access to pod's secrets

$ kubectl replace -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
automountServiceAccountToken: false
EOF

The above fixes are implemented in the Ansible playbook deploy/playbook/init_cluster.yml and configuration file deploy/playbook/k8s/fix.yml

...

Create a PodSecurityPolicy with requiredDropCapabilities: NET_RAW. The policy is shown below. The complete fix is implemented in the Ansible playbook deploy/playbook/init_cluster.yml and configuration files deploy/playbook/k8s/default-psp.yml and deploy/playbook/k8s/system-psp.yml, plus enabling PodSecurityPolicy checking in deploy/playbook/k8s/config.yml.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp-baseline
spec:
  privileged: true
  allowPrivilegeEscalation: true
  allowedCapabilities:
  - IPC_LOCK
  - NET_ADMIN
  requiredDropCapabilities:
  - NET_RAW
  hostIPC: true
  hostNetwork: true
  hostPID: true
  hostPorts:
  - max: 65535
    min: 0
  readOnlyRootFilesystem: false
  fsGroup:
    rule: 'RunAsAny'
  runAsUser:
    rule: 'RunAsAny'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'RunAsAny'
  volumes:
  - '*'

Results after fixes are shown below:

...