Test document

...

The configuration file is only supported up to Ubuntu 18.

Vuls

We use Ubuntu 18.04/22.04 or Raspberry Pi (Debian 11), so we ran the Vuls test as follows:

  1. Create directory

    $ mkdir ~/vuls
    $ cd ~/vuls
    $ mkdir go-cve-dictionary-log goval-dictionary-log gost-log
    


  2. Fetch NVD

    $ docker run --rm -it \
        -v $PWD:/go-cve-dictionary \
        -v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \
        vuls/go-cve-dictionary fetch nvd
    


  3. Fetch OVAL

    If the OS is Ubuntu 18.04/22.04, use the following command:

    $ docker run --rm -it \
         -v $PWD:/goval-dictionary \
         -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
         vuls/goval-dictionary fetch ubuntu 18 19 20 21 22

    If the OS is Raspberry Pi (Debian 11), use the following command:

    $ docker run --rm -it \
         -v $PWD:/goval-dictionary \
         -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
         vuls/goval-dictionary fetch debian 11

  4. Fetch gost

    If the OS is Ubuntu 18.04/22.04, use the following command:

    $ docker run --rm -i \
         -v $PWD:/gost \
         -v $PWD/gost-log:/var/log/gost \
         vuls/gost fetch ubuntu

    If the OS is Raspberry Pi (Debian 11), use the following command:

    $ docker run --rm -i \
         -v $PWD:/gost \
         -v $PWD/gost-log:/var/log/gost \
         vuls/gost fetch debian

  5. Create config.toml

    [servers]
    
    [servers.master]
    host = "192.168.51.22"
    port = "22"
    user = "test-user"
    keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker
    


  6. Start vuls container to run tests

    $ docker run --rm -it \
        -v ~/.ssh:/root/.ssh:ro \
        -v $PWD:/vuls \
        -v $PWD/vuls-log:/var/log/vuls \
        -v /etc/localtime:/etc/localtime:ro \
        -v /etc/timezone:/etc/timezone:ro \
        vuls/vuls scan \
        -config=./config.toml


  7. Get the report

    $ docker run --rm -it \
         -v ~/.ssh:/root/.ssh:ro \
         -v $PWD:/vuls \
         -v $PWD/vuls-log:/var/log/vuls \
         -v /etc/localtime:/etc/localtime:ro \
         vuls/vuls report \
         -format-list \
         -config=./config.toml


Vuls

Nexus URL: 

PDH,IoT Gateway

There are 26 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request

| CVE-ID | CVSS | NVD | Fix/Notes | PACKAGES |
|---|---|---|---|---|
| CVE-2016-1585 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2016-1585 | No fix available | apparmor |
| CVE-2017-18201 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-18201 | No fix available | libcdio17 |
| CVE-2017-7827 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-7827 | No fix available | libmozjs-52-0 |
| CVE-2018-5090 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5090 | Reported fixed in 58 and later version (installed), but still reported by Vuls | libmozjs-52-0 |
| CVE-2018-5126 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5126 | Reported fixed in 58 and later version (installed), but still reported by Vuls | libmozjs-52-0 |
| CVE-2018-5145 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5145 | Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls | libmozjs-52-0 |
| CVE-2018-5151 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5151 | Reported fixed in 60 and later version (installed), but still reported by Vuls | libmozjs-52-0 |
| CVE-2019-17041 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-17041 | No fix available | rsyslog |
| CVE-2019-17042 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-17042 | No fix available | rsyslog |
| CVE-2019-8287 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-8287 | Uninstall tigervncserver ($ sudo apt remove tigervnc* ; $ sudo apt-get remove tightvnc* -y) | tightvncserver |
| CVE-2022-0318 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-0318 | Uninstall vim ($ sudo apt remove vim*) | vim |
| CVE-2022-23852 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-23852 | Uninstall firefox, thunderbird ($ sudo apt remove firefox* thunderbird*) | firefox, thunderbird |
| CVE-2022-24791 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-24791 | Uninstall firefox, thunderbird ($ sudo apt remove firefox* thunderbird*) | firefox, thunderbird |
| CVE-2022-25235 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-25235 | Uninstall firefox, thunderbird ($ sudo apt remove firefox* thunderbird*) | firefox, thunderbird |
| CVE-2022-25236 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-25236 | Uninstall firefox, thunderbird ($ sudo apt remove firefox* thunderbird*) | firefox, thunderbird |
| CVE-2022-25315 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-25315 | Uninstall firefox, thunderbird ($ sudo apt remove firefox* thunderbird*) | firefox, thunderbird |
| CVE-2022-3649 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-3649 | No fix available | linux-image-4.15.0-197-generic |
| CVE-2022-37609 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-37609 | Uninstall firefox, thunderbird ($ sudo apt remove firefox* thunderbird*) | thunderbird |
| CVE-2022-39394 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-39394 | Uninstall thunderbird ($ sudo apt remove thunderbird*) | thunderbird |
| CVE-2016-9180 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2016-9180 | No fix available. TODO: File exception request | libxml-twig-perl |
| CVE-2019-20433 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2019-20433 | No fix available | aspell |
| CVE-2022-24303 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-24303 | No fix available. TODO: File exception request | python3-pil |
| CVE-2022-39319 | 9.1 | https://ubuntu.com/security/CVE-2022-39319 | Reported fixed in 2.2.0+dfsg1-0ubuntu0.18.04.4 and later version (installed), but still reported by Vuls | libfreerdp-client2-2, libfreerdp2-2, libwinpr2-2 |
| CVE-2022-41877 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-41877 | No fix available. TODO: File exception request | libfreerdp-client2-2, libfreerdp2-2, libwinpr2-2 |
| CVE-2019-11707 | 8.9 | https://nvd.nist.gov/vuln/detail/CVE-2019-11707 | No fix available. TODO: File exception request | libmozjs-52-0 |
| CVE-2022-23960 | 8.9 | https://nvd.nist.gov/vuln/detail/CVE-2022-23960 | No fix available. TODO: File exception request | linux-image-4.15.0-197-generic |

PC/Server for robot control

There are 40 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request


| CVE-ID | CVSS | NVD | Fix/Notes | PACKAGES |
|---|---|---|---|---|
| CVE-2005-2541 | 10.0 | https://nvd.nist.gov/vuln/detail/CVE-2005-2541 | No fix available | tar |
| CVE-2014-2830 | 10.0 | https://nvd.nist.gov/vuln/detail/CVE-2014-2830 | No fix available | cifs-utils |
| CVE-2016-1585 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2016-1585 | No fix available | libapparmor1 |
| CVE-2017-17479 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-17479 | No fix available | libopenjp2-7 |
| CVE-2017-9117 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-9117 | No fix available | libtiff5 |
| CVE-2018-13410 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-13410 | No fix available | zip |
| CVE-2019-1010022 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-1010022 | No fix available | libc-bin, libc-dev-bin, libc-devtools, libc-l10n, libc6, libc6-dbg, libc6-dev, locales |
| CVE-2019-8341 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-8341 | No fix available | python3-jinja2 |
| CVE-2020-27619 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2020-27619 | No fix available | python3.9 |
| CVE-2021-29462 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-29462 | No fix available | libixml10, libupnp13 |
| CVE-2021-29921 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-29921 | Reported fixed in python3.9 (installed), but still reported by Vuls | python3.9 |
| CVE-2021-30473 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-30473 | No fix available | libaom0 |
| CVE-2021-30474 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-30474 | No fix available | libaom0 |
| CVE-2021-30475 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-30475 | No fix available | libaom0 |
| CVE-2021-3756 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-3756 | Install libmysofa 1.2.1 | libmysofa1 |
| CVE-2021-3782 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-3782 | No fix available. TODO: File exception request | libwayland-client0, libwayland-cursor0, libwayland-egl1, libwayland-server0 |
| CVE-2021-42377 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-42377 | No fix available | busybox |
| CVE-2021-45951 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45951 | No fix available | dnsmasq |
| CVE-2021-45952 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45952 | No fix available | dnsmasq |
| CVE-2021-45953 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45953 | No fix available | dnsmasq |
| CVE-2021-45954 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45954 | No fix available | dnsmasq |
| CVE-2021-45955 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45955 | No fix available | dnsmasq |
| CVE-2021-45956 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45956 | No fix available | dnsmasq |
| CVE-2021-45957 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45957 | No fix available. TODO: File exception request | dnsmasq |
| CVE-2022-0318 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-0318 | Uninstall vim ($ sudo apt remove vim*) | vim-common, vim-runtime, vim-tiny, xxd |
| CVE-2022-1253 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-1253 | No fix available. TODO: File exception request | libde265-0 |
| CVE-2022-23303 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-23303 | No fix available | hostapd, wpasupplicant |
| CVE-2022-23304 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-23304 | No fix available | hostapd, wpasupplicant |
| CVE-2022-37454 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-37454 | No fix available. TODO: File exception request | hostapd, wpasupplicant |
| CVE-2022-3970 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-3970 | No fix available. TODO: File exception request | python3.9 |
| CVE-2019-19391 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2019-19391 | No fix available. TODO: File exception request | libtiff5 |
| CVE-2021-4048 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2021-4048 | No fix available | libblas3, liblapack3 |
| CVE-2021-43400 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2021-43400 | No fix available | bluez |
| CVE-2021-46848 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2021-46848 | No fix available. TODO: File exception request | libtasn1-6 |
| CVE-2022-0670 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-0670 | No fix available. TODO: File exception request | librados2, librbd1 |
| CVE-2022-24303 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-24303 | No fix available. TODO: File exception request | python3-pil |
| CVE-2022-26280 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-26280 | No fix available. TODO: File exception request | libarchive13 |
| CVE-2022-32213 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-32213 | No fix available. TODO: File exception request | nodejs |
| CVE-2022-32214 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-32214 | No fix available. TODO: File exception request | nodejs |
| CVE-2022-32215 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-32215 | No fix available. TODO: File exception request | nodejs |

Cloud/Edge Cloud

There are XX CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request

Lynis

Nexus URL(before fix): 

Nexus URL(after fix): 


The initial results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.

IoT Gateway

The Lynis Program Update test MUST pass with no errors.

    2022-11-22 07:46:44 Test: Checking for program update...
    2022-11-22 07:46:44 Current installed version  : 308
    2022-11-22 07:46:45 Latest stable version      : 308
    2022-11-22 07:46:45 No Lynis update available.


Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing
No. 1

  Test:
    Test: Checking PASS_MAX_DAYS option in /etc/login.defs
  Result:
    Result: password aging limits are not configured
    Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
    Hardening: assigned partial number of hardening points (0 of 1). Currently having 11 points (out of 24)
  Fix:
    Set PASS_MAX_DAYS 180 in /etc/login.defs

No. 2

  Test:
    Performing test ID AUTH-9328 (Default umask values)
  Result:
    Result: found /etc/profile.d, with one or more files in it
  Fix:
    OK

No. 3

  Test:
    Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
  Result:
    Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
    Result: AllowUsers is not set
    Result: AllowGroups is not set
    Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
    Hardening: assigned partial number of hardening points (0 of 1). Currently having 108 points (out of 157)
    Security check: file is normal
    Checking permissions of /home/pi/lynis/lynis/include/tests_snmp
    File permissions are OK
  Fix:
    Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config

    If you run the lynis shell script as an ordinary user, it will output an error, so run the script as a privileged user.

    $ su root
    # whoami
    root
    # ./lynis audit system

    Reference:
    https://github.com/CISOfy/lynis/blob/master/include/tests_ssh#L54

No. 4

  Test:
    Test: checking for file /etc/network/if-up.d/ntpdate
  Result:
    Result: file /etc/network/if-up.d/ntpdate does not exist
    Result: Found a time syncing daemon/client.
    Hardening: assigned maximum number of hardening points for this item (3). Currently having 117 points (out of 172)
  Fix:
    OK

No. 5

  Test:
    Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required
  Result:
    N/A
  Fix:
    N/A

No. 5a

  Test:
    sysctl key fs.suid_dumpable contains equal expected and current value (0)
  Result:
    Result: sysctl key fs.suid_dumpable contains equal expected and current value (0)
  Fix:
    OK

No. 5b

  Test:
    sysctl key kernel.dmesg_restrict contains equal expected and current value (1)
  Result:
    Result: sysctl key kernel.dmesg_restrict contains equal expected and current value (1)
  Fix:
    OK

No. 5c

  Test:
    sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)
  Result:
    Result: sysctl key net.ipv4.conf.all.accept_source_route contains equal expected and current value (0)
  Fix:
    OK

No. 6

  Test:
    Test: Check if one or more compilers can be found on the system
  Result:
    Performing test ID HRDN-7220 (Check if one or more compilers are installed)
    Test: Check if one or more compilers can be found on the system
    Result: no compilers found
    Hardening: assigned maximum number of hardening points for this item (3). Currently having 138 points (out of 219)
  Fix:
    OK


PC/Server for robot control

The Lynis Program Update test MUST pass with no errors.

    2022-03-23 05:13:56 Test: Checking for program update...
    2022-03-23 05:14:03 Current installed version : 308
    2022-03-23 05:14:03 Latest stable version : 308
    2022-03-23 05:14:03 No Lynis update available


Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing

No. 1

  Test:
    Test: Checking PASS_MAX_DAYS option in /etc/login.defs
  Result:
    Result: password aging limits are not configured
  Fix:
    Set PASS_MAX_DAYS 180 in /etc/login.defs

No. 2

  Test:
    Performing test ID AUTH-9328 (Default umask values)
  Result:
    Test: Checking umask value in /etc/login.defs
    Result: found umask 022, which could be improved
  Fix:
    Set UMASK 027 in /etc/login.defs

No. 3

  Test:
    Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
  Result:
    Result: AllowUsers is not set
    Result: AllowGroups is not set
    Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
    Hardening: assigned partial number of hardening points (0 of 1). Currently having 152 points (out of 223)
    Security check: file is normal
    Checking permissions of /home/ubuntu/lynis/include/tests_snmp
    File permissions are OK
  Fix:
    Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config

No. 4

  Test:
    Test: checking for file /etc/network/if-up.d/ntpdate
  Result:
    Result: file /etc/network/if-up.d/ntpdate does not exist
    Result: Found a time syncing daemon/client.
    Hardening: assigned maximum number of hardening points for this item (3). Currently having 161 points (out of 238)
  Fix:
    OK

No. 5

  Test:
    Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required
  Result:
    N/A
  Fix:
    N/A

No. 5a

  Test:
    sysctl key fs.suid_dumpable contains equal expected and current value (0)
  Result:
    sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
    Hardening: assigned partial number of hardening points (0 of 1). Currently having 163 points (out of 253)
  Fix:
    Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

    echo 'fs.suid_dumpable=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
    sudo /sbin/sysctl --system
    sudo sysctl -a |grep suid

No. 5b

  Test:
    sysctl key kernel.dmesg_restrict contains equal expected and current value (1)
  Result:
    Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0
  Fix:
    Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

    echo 'kernel.dmesg_restrict=1' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
    sudo /sbin/sysctl --system
    sudo sysctl -a |grep dmesg

No. 5c

  Test:
    sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)
  Result:
    Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1
  Fix:
    Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

    echo 'net.ipv4.conf.default.accept_source_route=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
    sudo /sbin/sysctl --system
    sudo sysctl -a |grep ipv4.conf.default.accept_source_route

No. 6

  Test:
    Test: Check if one or more compilers can be found on the system
  Result:
    Result: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler'
    Hardening: assigned partial number of hardening points (1 of 3). Currently having 180 points (out of 286)

    Found known binary: as (compiler) - /usr/bin/as
    Found known binary: cc (compiler) - /usr/bin/cc
    Found known binary: g++ (compiler) - /usr/bin/g++
    Found known binary: gcc (compiler) - /usr/bin/gcc
  Fix:
    Uninstall gcc and remove /usr/bin/as, /usr/bin/cc


Cloud/Edge Cloud

The Lynis Program Update test MUST pass with no errors.

    2022-11-28 00:14:35 Test: Checking for program update...
    2022-11-28 00:14:35 Current installed version  : 308
    2022-11-28 00:14:35 Latest stable version      : 308
    2022-11-28 00:14:35 No Lynis update available.


Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing

No. 1

  Test:
    Test: Checking PASS_MAX_DAYS option in /etc/login.defs
  Result:
    Result: password aging limits are not configured
  Fix:
    Set PASS_MAX_DAYS 180 in /etc/login.defs

No. 2

  Test:
    Performing test ID AUTH-9328 (Default umask values)
  Result:
    Test: Checking umask value in /etc/login.defs
    Result: found umask 022, which could be improved
  Fix:
    Set UMASK 027 in /etc/login.defs

No. 3

  Test:
    Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
  Result:
    Result: AllowUsers is not set
    Result: AllowGroups is not set
    Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
    Hardening: assigned partial number of hardening points (0 of 1). Currently having 152 points (out of 223)
    Security check: file is normal
    Checking permissions of /home/ubuntu/lynis/include/tests_snmp
    File permissions are OK
  Fix:
    Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config

    If you run the lynis shell script as an ordinary user, it will output an error, so run the script as a privileged user.

    $ su root
    # whoami
    root
    # ./lynis audit system

    Reference:
    https://github.com/CISOfy/lynis/blob/master/include/tests_ssh#L54

No. 4

  Test:
    Test: checking for file /etc/network/if-up.d/ntpdate
  Result:
    Result: file /etc/network/if-up.d/ntpdate does not exist
    Result: Found a time syncing daemon/client.
    Hardening: assigned maximum number of hardening points for this item (3). Currently having 177 points (out of 168)
  Fix:
    OK

No. 5

  Test:
    Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required
  Result:
    N/A
  Fix:
    N/A

No. 5a

  Test:
    sysctl key fs.suid_dumpable contains equal expected and current value (0)
  Result:
    sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
    Hardening: assigned partial number of hardening points (0 of 1). Currently having 163 points (out of 253)
  Fix:
    Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

    echo 'fs.suid_dumpable=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
    sudo /sbin/sysctl --system
    sudo sysctl -a |grep suid

No. 5b

  Test:
    sysctl key kernel.dmesg_restrict contains equal expected and current value (1)
  Result:
    Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0
  Fix:
    Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

    echo 'kernel.dmesg_restrict=1' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
    sudo /sbin/sysctl --system
    sudo sysctl -a |grep dmesg

No. 5c

  Test:
    sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)
  Result:
    Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1
  Fix:
    Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

    echo 'net.ipv4.conf.default.accept_source_route=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
    sudo /sbin/sysctl --system
    sudo sysctl -a |grep ipv4.conf.default.accept_source_route

No. 6

  Test:
    Test: Check if one or more compilers can be found on the system
  Result:
    Result: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler'
    Hardening: assigned partial number of hardening points (1 of 3). Currently having 180 points (out of 286)

    Found known binary: as (compiler) - /usr/bin/as
    Found known binary: cc (compiler) - /usr/bin/cc
    Found known binary: g++ (compiler) - /usr/bin/g++
    Found known binary: gcc (compiler) - /usr/bin/gcc
  Fix:
    Uninstall gcc and remove /usr/bin/as, /usr/bin/cc
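
The file-level fixes in the Lynis tables (PASS_MAX_DAYS, UMASK, AllowUsers/AllowGroups and the three sysctl keys) can be checked before the audit is run again. The script below is an added example, not part of the original page or of Lynis; its function names and the sample files written by write_samples are constructed for illustration, and file paths are passed as arguments so it can run on copies.

```shell
#!/bin/sh
# Added example: verifies the config-file fixes listed in the Lynis tables.
# Include/Match handling in sshd_config is not modelled.

# True when at least one value is given and every value equals $1.
every_value_is() {
    evi_want=$1; shift
    [ "$#" -gt 0 ] || return 1
    for evi_v in "$@"; do [ "$evi_v" = "$evi_want" ] || return 1; done
    return 0
}

# AUTH-9286 / AUTH-9328: PASS_MAX_DAYS 180 and UMASK 027 in login.defs.
check_login_defs() {  # FILE
    ld_fails=0
    for ld_pair in PASS_MAX_DAYS=180 UMASK=027; do
        ld_key=${ld_pair%%=*}; ld_want=${ld_pair#*=}
        ld_vals=$(awk -v k="$ld_key" '$1 == k { print $2 }' "$1")
        # Unquoted on purpose: one argument per uncommented assignment found.
        every_value_is "$ld_want" $ld_vals || {
            echo "FAIL $1: $ld_key is '${ld_vals:-unset}', expected $ld_want"
            ld_fails=$((ld_fails + 1))
        }
    done
    return "$ld_fails"
}

# SSH-7440: at least one of AllowUsers / AllowGroups is set (keywords are case-insensitive).
check_sshd_config() {  # FILE
    grep -Eiq '^[[:space:]]*(AllowUsers|AllowGroups)[[:space:]]+[^[:space:]#]' "$1" && return 0
    echo "FAIL $1: neither AllowUsers nor AllowGroups is set"
    return 1
}

# KRNL-6000: the three keys the page appends to 90-lynis-hardening.conf.
check_sysctl_conf() {  # FILE
    sc_fails=0
    for sc_pair in fs.suid_dumpable=0 kernel.dmesg_restrict=1 \
                   net.ipv4.conf.default.accept_source_route=0; do
        sc_key=${sc_pair%%=*}; sc_want=${sc_pair#*=}
        sc_vals=$(awk -F= -v k="$sc_key" '
            /^[ \t]*[#;]/ { next }
            { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
              if (key == k) print val }' "$1")
        every_value_is "$sc_want" $sc_vals || {
            echo "FAIL $1: $sc_key is '${sc_vals:-unset}', expected $sc_want"
            sc_fails=$((sc_fails + 1))
        }
    done
    return "$sc_fails"
}

# Run all three checks; the return value is the total number of failed items.
audit_all() {  # LOGIN_DEFS SSHD_CONFIG SYSCTL_CONF
    aa_total=0
    check_login_defs "$1" || aa_total=$((aa_total + $?))
    check_sshd_config "$2" || aa_total=$((aa_total + $?))
    check_sysctl_conf "$3" || aa_total=$((aa_total + $?))
    return "$aa_total"
}

# Constructed sample files: "before" mirrors the failing results in the tables,
# "after" the fixes. None of this content comes from a real host.
write_samples() {  # DIR
    mkdir -p "$1/before" "$1/after"
    printf 'PASS_MAX_DAYS\t99999\nUMASK\t\t022\n' > "$1/before/login.defs"
    printf 'PermitRootLogin no\n#AllowUsers test-user\n' > "$1/before/sshd_config"
    printf 'fs.suid_dumpable = 2\n' > "$1/before/sysctl.conf"
    printf 'PASS_MAX_DAYS 180\nUMASK 027\n' > "$1/after/login.defs"
    printf 'PermitRootLogin no\nAllowUsers test-user\n' > "$1/after/sshd_config"
    printf '%s\n' 'fs.suid_dumpable=0' 'kernel.dmesg_restrict=1' \
        'net.ipv4.conf.default.accept_source_route=0' > "$1/after/sysctl.conf"
}

# Usage: sh check.sh /etc/login.defs /etc/ssh/sshd_config /etc/sysctl.d/90-lynis-hardening.conf
if [ "$#" -eq 3 ]; then audit_all "$@"; fi
```

A clean result only shows that the files contain the fixes; the running values still need the page's `sysctl -a | grep` checks and a fresh `./lynis audit system` run.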