Page Comparison

...

1. Create directory

   $ mkdir ~/vuls $ cd ~/vuls $ mkdir go-cve-dictionary-log goval-dictionary-log gost-log

   
   

2. Fetch NVD

   $ docker run --rm -it \ -v $PWD:/go-cve-dictionary \ -v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \ vuls/go-cve-dictionary fetch nvd

   
   

3. Fetch OVAL

   $ docker run --rm -it \ -v $PWD:/goval-dictionary \ -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \ vuls/goval-dictionary fetch ubuntu 16 17 18 19 20

   
   

4. Fetch gost

   $ docker run --rm -i \ -v $PWD:/gost \ -v $PWD/gost-log:/var/log/gost \ vuls/gost fetch ubuntu

   
   

5. Create config.toml

   [servers] [servers.master] host = "192.168.51.22" port = "22" user = "test-user" keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker

   
   

6. Start vuls container to run tests

   $ docker run --rm -it \ -v ~/.ssh:/root/.ssh:ro \ -v $PWD:/vuls \ -v $PWD/vuls-log:/var/log/vuls \ -v /etc/localtime:/etc/localtime:ro \ -v /etc/timezone:/etc/timezone:ro \ vuls/vuls scan \ -config=./config.toml

   
   

7. Get the report

   $ docker run --rm -it \ -v ~/.ssh:/root/.ssh:ro \ -v $PWD:/vuls \ -v $PWD/vuls-log:/var/log/vuls \ -v /etc/localtime:/etc/localtime:ro \ vuls/vuls report \ -format-list \ -config=./config.toml

   
   

Lynis

...

Create ~/validation/bluval/bluval-sdtfc.yaml to customize the Test

...

We use Ubuntu 20.04, so we run Lynis test as follows:

1. Login to master node, and get the latest Lynis from GitHub

   $ git clone https://github.com/CISOfy/lynis

   
   

2. Modify the permissions of the “lynis” directory

   $ chmod -R 0:0 lynis

   
   

3. Run the command below to test the security of system

   $ cd lynis; sudo ./lynis audit system

   
   

Kube-Hunter

1. Create ~/validation/bluval/bluval-sdtfc.yaml to customize the Test

   blueprint: name: sdtfc layers: - optional: "False"k8s k8s: &k8s - name: kube-hunter what: kube-hunter optional: "False"

   
   

2. Update ~/validation/bluval/volumes.yaml file

   volumes: # location of the ssh key to access the cluster ssh_key_dir: local: '/home/ubuntu/.ssh' target: '/root/.ssh' # location of the k8s access files (config file, certificates, keys) kube_config_dir: local: '/home/ubuntu/kube' target: '/root/.kube/' # location of the customized variables.yaml custom_variables_file: local: '/home/ubuntu/validation/tests/variables.yaml' target: '/opt/akraino/validation/tests/variables.yaml' # location of the bluval-<blueprint>.yaml file blueprint_dir: local: '/home/ubuntu/validation/bluval' target: '/opt/akraino/validation/bluval' # location on where to store the results on the local jumpserver results_dir: local: '/home/ubuntu/results' target: '/opt/akraino/results' # location on where to store openrc file openrc: local: '' target: '/root/openrc' # parameters that will be passed to the container at each layer layers: # volumes mounted at all layers; volumes specific for a different layer are below common: - custom_variables_file - blueprint_dir - results_dir hardware: - ssh_key_dir os: - ssh_key_dir networking: - ssh_key_dir docker: - ssh_key_dir k8s: - ssh_key_dir - kube_config_dir k8s_networking: - ssh_key_dir - kube_config_dir openstack: - openrc sds: sdn: vim:

   
   

3. Update ~/validation/tests/variables.yaml file

   ### Input variables cluster's master host host: <IP Address> # cluster's master host address username: <username> # login name to connect to cluster password: <password> # login password to connect to cluster ssh_keyfile: /root/.ssh/id_rsa # Identity file for authentication

   
   

4. Run Blucon

   $ bash validation/bluval/blucon.sh sdtfc

   
   

...

Lynis

Nexus URL (run via Bluval, without fixes): 

...

The post-fix manual logs can be found at TODO.

Kube-Hunter

Nexus URL: TODO

There are no reported vulnerabilities. Note, this release includes fixes for vulnerabilities found in release 6. See the release 6 test document for details on those vulnerabilities and the fixes.

...