Page Comparison

Versions Compared

Key

This line was added.
This line was removed.
Formatting was changed.

Test document

...

View file

name	Robot_based_on_SSES_BP_Test_document.docx
height	250

Pass (XX/XX test cases)

Vuls

Nexus URL:

PDH,IoT Gateway

There are 23 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request

...

CVE-ID

...

CVSS

...

NVD

...

Fix/Notes

...

PACKAGES

...

CVE-2016-1585

...

9.8

...

No fix available

...

apparmor

...

CVE-2017-18201

...

9.8

...

No fix available

...

libcdio17

...

CVE-2017-7827

...

9.8

...

No fix available

...

libmozjs-52-0

...

CVE-2018-5090

...

9.8

...

Reported fixed in 58 and later version (installed), but still reported by Vuls

...

libmozjs-52-0

...

CVE-2018-5126

...

9.8

...

Reported fixed in 58 and later version (installed), but still reported by Vuls

...

libmozjs-52-0

...

CVE-2018-5145

...

9.8

...

Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls

...

libmozjs-52-0

...

CVE-2018-5151

...

9.8

...

Reported fixed in 60 and later version (installed), but still reported by Vuls

...

libmozjs-52-0

...

CVE-2019-17041

...

9.8

...

No fix available

...

rsyslog

...

CVE-2019-17042

...

9.8

...

No fix available

...

rsyslog

...

CVE-2021-31870

...

9.8

...

No fix available

...

klibc-utils, libklibc

...

CVE-2021-31872

...

9.8

...

No fix available

...

klibc-utils, libklibc

...

CVE-2021-31873

...

9.8

...

No fix available

...

klibc-utils, libklibc

...

CVE-2021-39713

...

9.8

...

No fix available

...

linux-image-5.4.0-1055-raspi

...

CVE-2022-22822

...

9.8

...

install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)

...

firefox

...

CVE-2022-22823

...

9.8

...

install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)

...

firefox

...

CVE-2022-22824

...

9.8

...

install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)

...

firefox

...

Bluval Tests

Execute with reference to the following

Bluval User Guide

Steps To Implement Security Scan Requirements

https://vuls.io/docs/en/tutorial-docker.html

There are 2 security related tests: lynis & vuls. And there are 2 k8s related tests: kube-hunter & conformance tests.

In this Blueprint, we test lynis & vuls, we do not test k8s related tests: because of not using k8s.

Also refer to Bluval User Guide, the procedure is to clone the files from http://gerrit.akraino.org/r/validation and execute them,

but a configuration file:Bluval/validation/docker/os/Dockerfile does not correspond to this OS version, we execute tests manually.

The Configuration file are only supported up to Ubuntu 18.

Vuls

We use Ubuntu 20.04, so we ran Vuls test as follows:

Create directory

$ mkdir ~/vuls
$ cd ~/vuls
$ mkdir go-cve-dictionary-log goval-dictionary-log gost-log

Fetch NVD

$ docker run --rm -it \
    -v $PWD:/go-cve-dictionary \
    -v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \
    vuls/go-cve-dictionary fetch nvd

Fetch OVAL

$ docker run --rm -it \
     -v $PWD:/goval-dictionary \
     -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
     vuls/goval-dictionary fetch ubuntu 18 19 20

Fetch gost

$ docker run --rm -i \
     -v $PWD:/gost \
     -v $PWD/gost-log:/var/log/gost \
     vuls/gost fetch ubuntu

Create config.toml

[servers]

[servers.master]
host = "192.168.51.22"
port = "22"
user = "test-user"
keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker

Start vuls container to run tests

$ docker run --rm -it \
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    -v /etc/localtime:/etc/localtime:ro \
    -v /etc/timezone:/etc/timezone:ro \
    vuls/vuls scan \
    -config=./config.toml

Get the report

$ docker run --rm -it \
     -v ~/.ssh:/root/.ssh:ro \
     -v $PWD:/vuls \
     -v $PWD/vuls-log:/var/log/vuls \
     -v /etc/localtime:/etc/localtime:ro \
     vuls/vuls report \
     -format-list \
     -config=./config.toml

Vuls

Nexus URL:

PDH,IoT Gateway

There are 23 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request

CVE-ID

CVSS

NVD

Fix/Notes

PACKAGES

CVE-2005-2541

10.0

CVE-ID	CVSS	NVD	Fix/Notes	PACKAGES
CVE-2016-1585	9.8	https://nvd.nist.gov/vuln/detail/CVE-20222016-238521585	No fix available	firefox, thunderbirdapparmor
CVE-20222017-2399018201	9.8	https://nvd.nist.gov/vuln/detail/CVE-20222017-2399018201	No fix available	firefox, thunderbirdlibcdio17
CVE-20222017-252357827	9.8	https://nvd.nist.gov/vuln/detail/CVE-20222017-252357827	No fix availablefirefox, thunderbird	libmozjs-52-0
CVE-20222018-252365090	9.8	https://nvd.nist.gov/vuln/detail/CVE-20222018-25236	No fix available	firefox, thunderbird	CVE-2022-25315	5090	Reported fixed in 58 and later version (installed), but still reported by Vuls	libmozjs-52-0
CVE-2018-5126	9.8	https://nvd.nist.gov/vuln/detail/CVE-20222018-25315	No fix available	firefox, thunderbird5126	Reported fixed in 58 and later version (installed), but still reported by Vuls	libmozjs-52-0
CVE-20162018-91805145	9.18	https://nvd.nist.gov/vuln/detail/CVE-20162018-9180	No fix available	libxml-twig-perl	CVE-2019-20433	9.15145	Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls	libmozjs-52-0
CVE-2018-5151	9.8	https://nvd.nist.gov/vuln/detail/CVE-20192018-20433	No fix available	aspell

PC/Server for robot control

There are 30 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request

5151	Reported fixed in 60 and later version (installed), but still reported by Vuls	libmozjs-52-0
CVE-2019-17041	9.8	https://nvd.nist.gov/vuln/detail/CVE-

2005

2541

No fix available

tar

rsyslog

CVE-

2014

2019-

2830

17042

10

9.

0

8	https://nvd.nist.gov/vuln/detail/CVE-

2014

2830

No fix available

cifs-utils

rsyslog

CVE-

2016

2021-

1585

31870

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2016

1585

No fix available

libapparmor1

klibc-utils, libklibc

CVE-

2017

2021-

17479

31872

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2017

17479

No fix available

libopenjp2

klibc-

7

utils, libklibc

CVE-

2017

2021-

9117

31873

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2017

9117

No fix available

libtiff5

klibc-utils, libklibc

CVE-

2018

2021-

13410

39713

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2018

13410

No fix available

zip

CVE

linux-

2019

image-

1010022

9.8

https://nvd.nist.gov/vuln/detail/CVE-2019-1010022No fix available

libc-bin, libc-dev-bin, libc-devtools, libc-l10n, libc6, libc6-dbg, libc6-dev, locales

CVE-2019-8341

5.4.0-1055-raspi
CVE-2022-22822	9.8	https://nvd.nist.gov/vuln/detail/CVE-

2019

8341No fix availablepython3-jinja2

22822	install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)	firefox
CVE-

2020

2022-

27619

22823

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2020

27619

No fix available

python3.9

22823	install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)	firefox
CVE-

2021

2022-

29462

22824

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2021

29462No fix availablelibixml10, libupnp13

22824	install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)	firefox
CVE-

2021

2022-

29921

23852

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2021-29921Reported fixed in python3.9 (installed), but still reported by Vulspython3.9

2022-23852	No fix available	firefox, thunderbird
CVE-

2021

2022-

30473

23990

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2021

30473

No fix available

libaom0

firefox, thunderbird

CVE-

2021

2022-

30474

25235

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2021

30474

No fix available

libaom0

firefox, thunderbird

CVE-

2021

2022-

30475

25236

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2021

30475

No fix available

libaom0

firefox, thunderbird

CVE-

2021

2022-

30498

25315

9.8

https://nvd.nist.gov/vuln/detail/CVE-

2021

30498

No fix available

libcaca0

firefox, thunderbird

CVE-

2021

2016-

30499

9180

9.

8

1	https://nvd.nist.gov/vuln/detail/CVE-

2021

30499

9180	No fix available

libcaca0

libxml-twig-perl

CVE-

2021

2019-

3756

20433

9.

8

1	https://nvd.nist.gov/vuln/detail/CVE-

2021

3756install libmysofa 1.2.1

libmysofa1

CVE-2021-42377

9.8

No fix available

aspell

PC/Server for robot control

There are 30 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request

CVE-ID	CVSS	NVD	Fix/Notes	PACKAGES
CVE-2005-2541	10.0	https://nvd.nist.gov/vuln/detail/CVE-20212005-423772541	No fix available	busyboxtar
CVE-20212014-459512830	910.80	https://nvd.nist.gov/vuln/detail/CVE-20212014-459512830	No fix available	dnsmasqcifs-utils
CVE-20212016-459521585	9.8	https://nvd.nist.gov/vuln/detail/CVE-20212016-459521585	No fix available	dnsmasqlibapparmor1
CVE-20212017-4595317479	9.8	https://nvd.nist.gov/vuln/detail/CVE-20212017-4595317479	No fix available	dnsmasqlibopenjp2-7
CVE-20212017-459549117	9.8	https://nvd.nist.gov/vuln/detail/CVE-20212017-459549117	No fix available	dnsmasqlibtiff5
CVE-20212018-4595513410	9.8	https://nvd.nist.gov/vuln/detail/CVE-20212018-4595513410	No fix available	dnsmasqzip
CVE-20212019-459561010022	9.8	https://nvd.nist.gov/vuln/detail/CVE-20212019-459561010022	No fix available	dnsmasq	CVE-2022-0318libc-bin, libc-dev-bin, libc-devtools, libc-l10n, libc6, libc6-dbg, libc6-dev, locales
CVE-2019-8341	9.8	https://nvd.nist.gov/vuln/detail/CVE-20222019-0318	unistall vim	vim8341	No fix available	python3-jinja2
CVE-20222020-2330327619	9.8	https://nvd.nist.gov/vuln/detail/CVE-20222020-2330327619	No fix available	hostapd, wpasupplicantpython3.9
CVE-20222021-2330429462	9.8	https://nvd.nist.gov/vuln/detail/CVE-20222021-2330429462	No fix available	hostapdlibixml10, wpasupplicantlibupnp13
CVE-2021-2294529921	9.18	https://nvd.nist.gov/vuln/detail/CVE-2021-22945	unistall curl	curl29921	Reported fixed in python3.9 (installed), but still reported by Vuls	python3.9
CVE-2021-404830473	9.18	https://nvd.nist.gov/vuln/detail/CVE-2021-404830473	No fix available	libblas3, liblapack3libaom0
CVE-2021-4340030474	9.18	https://nvd.nist.gov/vuln/detail/CVE-2021-4340030474	No fix available	bluez

Lynis

...

	libaom0
CVE-2021-30475	9.8	https://

...

...

...

...

...

detail/CVE-2021-30475	No fix available	libaom0
CVE-2021-30498	9.8	https://

...

...

...

...

...

The initial results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.

IoT Gateway

The Lynis Program Update test MUST pass with no errors.

Code Block

2022-03-29 22:55:42 Test: Checking for program update...
2022-03-29 22:55:43 Current installed version  : 308
2022-03-29 22:55:43 Latest stable version      : 307
2022-03-29 22:55:43 No Lynis update available.

Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing

No.TestResultFix1Test: Checking PASS_MAX_DAYS option in /etc/login.defsResult: password aging limits are not configured
Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
Hardening: assigned partial number of hardening points (0 of 1). Currently having 13 points (out of 28)Set PASS_MAX_DAYS 180 in /etc/login.defs2Performing test ID AUTH-9328 (Default umask values)Test: Checking umask value in /etc/login.defs
Result: found umask 022, which could be improved
Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-]Set UMASK 027 in /etc/login.defs3

detail/CVE-2021-30498	No fix available	libcaca0
CVE-2021-30499	9.8	https://nvd.nist.gov/vuln/detail/CVE-2021-30499	No fix available	libcaca0
CVE-2021-3756	9.8	https://nvd.nist.gov/vuln/detail/CVE-2021-3756	install libmysofa 1.2.1	libmysofa1
CVE-2021-42377	9.8	https://nvd.nist.gov/vuln/detail/CVE-2021-42377	No fix available	busybox
CVE-2021-45951	9.8	https://nvd.nist.gov/vuln/detail/CVE-2021-45951	No fix available	dnsmasq
CVE-2021-45952	9.8	https://nvd.nist.gov/vuln/detail/CVE-2021-45952	No fix available	dnsmasq
CVE-2021-45953	9.8	https://nvd.nist.gov/vuln/detail/CVE-2021-45953	No fix available	dnsmasq
CVE-2021-45954	9.8	https://nvd.nist.gov/vuln/detail/CVE-2021-45954	No fix available	dnsmasq
CVE-2021-45955	9.8	https://nvd.nist.gov/vuln/detail/CVE-2021-45955	No fix available	dnsmasq
CVE-2021-45956	9.8	https://nvd.nist.gov/vuln/detail/CVE-2021-45956	No fix available	dnsmasq
CVE-2022-0318	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-0318	unistall vim	vim
CVE-2022-23303	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-23303	No fix available	hostapd, wpasupplicant
CVE-2022-23304	9.8	https://nvd.nist.gov/vuln/detail/CVE-2022-23304	No fix available	hostapd, wpasupplicant
CVE-2021-22945	9.1	https://nvd.nist.gov/vuln/detail/CVE-2021-22945	unistall curl	curl
CVE-2021-4048	9.1	https://nvd.nist.gov/vuln/detail/CVE-2021-4048	No fix available	libblas3, liblapack3
CVE-2021-43400	9.1	https://nvd.nist.gov/vuln/detail/CVE-2021-43400	No fix available	bluez

Lynis

Nexus URL(before fix):

Nexus URL(after fix):

The initial results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.

IoT Gateway

The Lynis Program Update test MUST pass with no errors.

Code Block

2022-11-22 07:46:44 Test: Checking for program update...
2022-11-22 07:46:44 Current installed version  : 308
2022-11-22 07:46:45 Latest stable version      : 308
2022-11-22 07:46:45 No Lynis update available.

Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing

No.	Test	Result	Fix
1	Test: Checking PASS_MAX_DAYS option in /etc/login.defs	Result: max password age is 180 days	OK
2	Performing test ID AUTH-9328 (Default umask values)	Test: Checking /etc/profile.d directory Result: found /etc/profile.d, with one or more files in it Test: Checking /etc/profile Result: file /etc/profile exists Test: Checking umask value in /etc/profile Result: did not find umask in /etc/profile Result: found no umask. Please check if this is correct Test: Checking umask entries in /etc/passwd (pam_umask) Result: file /etc/passwd exists Test: Checking umask value in /etc/passwd Manual: one or more manual actions are required for further testing of this control/plugin Test: Checking /etc/login.defs Result: file /etc/login.defs exists Test: Checking umask value in /etc/login.defs Result: umask is 027, which is fine Hardening: assigned maximum number of hardening points for this item (2). Currently having 18 points (out of 30) Test: Checking /etc/init.d/functions Result: file /etc/init.d/functions does not exist Test: Checking /etc/init.d/rc Result: file /etc/init.d/rc does not exist Test: Checking /etc/init.d/rcS Result: file /etc/init.d/rcS does not exist	OK
3	Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)	Result: AllowUsers is not set Result: AllowGroups is not set Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine. Hardening: assigned partial number of hardening points (0 of 1). Currently having 140 points (out of 217) Security check: file is normal Checking permissions of /home/ubuntu/lynis/include/tests_snmp File permissions are OK Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) Result: AllowUsers is not set Result: AllowGroups is not set Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine. Hardening: assigned partial number of hardening points (0 of 1). Currently having 140 108 points (out of 217 157) Security check: file is normal Checking permissions of /home/pi/ ubuntu lynis/lynis/include/tests_snmp File permissions are OK	Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config
4	Test: checking for file /etc/network/if-up.d/ntpdate	Result: file /etc/network/if-up.d/ntpdate does not exist Result: Found a time syncing daemon/client. Hardening: assigned maximum number of hardening points for this item (3). Currently having 149 points (out of 232)	OK
5	Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required	N/A	N/A
5a	sysctl key fs.suid_dumpable contains equal expected and current value (0)	Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2 Hardening: assigned partial number of hardening points (0 of 1). Currently having 151 points (out of 247)	Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo 'fs.suid_dumpable=0' \| sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a \|grep suid
5b	sysctl key kernel.dmesg_restrict contains equal expected and current value (1)	Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0	Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo 'kernel.dmesg_restrict=1' \| sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a \|grep dmesg
5c	sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)	Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1	Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo 'net.ipv4.conf.default.accept_source_route=0' \| sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a \|grep ipv4.conf.default.accept_source_route
6	Test: Check if one or more compilers can be found on the system	Result: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler' Hardening: assigned partial number of hardening points (1 of 3). Currently having 168 points (out of 280)	Uninstall gcc and remove /usr/bin/as

...

PC/Server for robot control

The Lynis Program Update test MUST pass with no errors.

Code Block

2022-03-23 05:13:56 Test: Checking for program update...
2022-03-23 05:14:03 Current installed version : 308
2022-03-23 05:14:03 Latest stable version : 307
2022-03-23 05:14:03 No Lynis update available

...

No.	Test	Result	Fix
1	Test: Checking PASS_MAX_DAYS option in /etc/login.defs	Result: password aging limits are not configured Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-] Hardening: assigned partial number of hardening points (0 of 1). Currently having 11 points (out of 24)	Set PASS_MAX_DAYS 180 in /etc/login.defs
2	Performing test ID AUTH-9328 (Default umask values)	Result: found /etc/profile.d, with one or more files in it	OK	3		OK
3	Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)	Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) Result: AllowUsers is not set Result: AllowGroups is not set Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine. Hardening: assigned partial number of hardening points (0 of 1). Currently having 102 108 points (out of 155157) Security check: file is normal Checking permissions of /home/pi/lynis/lynis/include/tests_snmp File permissions are OK	Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config ！要確認 →やり方を問い合わせ
4	Test: checking for file /etc/network/if-up.d/ntpdate	Result: file /etc/network/if-up.d/ntpdate does not exist Result: Found a time syncing daemon/client. Hardening: assigned maximum number of hardening points for this item (3). Currently having 111 117 points (out of 170172)	OK
5	Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required	N/A	N/A
5a	sysctl key fs.suid_dumpable contains equal expected and current value (0)	Result: sysctl key fs.suid_dumpable contains equal expected and current value (0)	OK	5b	sysctl key kernel.dmesg_restrict contains equal expected and current value (1)	Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0	Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo '0)	OK
5b	sysctl key kernel.dmesg_restrict =1' \| sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a \|grep dmesgcontains equal expected and current value (1)	Result: sysctl key kernel.dmesg_restrict contains equal expected and current value (1)	OK
5c	sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)	Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf echo ' net.ipv4.conf.defaultall.accept_source_route =0' \| sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf sudo /sbin/sysctl --system sudo sysctl -a \|grep ipv4.conf.default.accept_source_route6contains equal expected and current value (0)	OK
6	Test: Check if one or more compilers can be found on the system	Performing test ID HRDN-7220 (Check if one or more compilers are installed) Test: Check if one or more compilers can be found on the system Result: found installed compiler. See top of logfile which compilers have been found or use /usr/bin/grep to filter on 'compiler'no compilers found Hardening: assigned partial maximum number of hardening points for this item (1 of 3). Currently having 128 138 points (out of 217219) Uninstall gcc and remove /usr/bin/as	OK