Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
maxLevel3

...

  1. Create directory

    $ mkdir ~/vuls
    $ cd ~/vuls
    $ mkdir go-cve-dictionary-log goval-dictionary-log gost-log
    


  2. Fetch NVD

    $ docker run --rm -it \
        -v $PWD:/go-cve-dictionary \
        -v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \
        vuls/go-cve-dictionary fetch nvd --http-proxy $http_proxy
    


  3. Fetch OVAL

    $ docker run --rm -it \
         -v $PWD:/goval-dictionary \
         -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
         vuls/goval-dictionary fetch ubuntu 14 16 18 19 20 --http-proxy $http_proxy
    


  4. Fetch gost

    $ docker run --rm -it \
    -e http_proxy=$http_proxy \
    -e https_proxy=$https_proxy \ -v $PWD:/gost \ -v $PWD/gost-log:/var/log/gost \ vuls/gost fetch ubuntu --http-proxy $http_proxy


  5. Create config.toml

    [servers]
    
    [servers.master]
    host = "192.168.51.22"
    port = "22"
    user = "test-user"
    keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker
    


  6. Start vuls container to run tests

    $ docker run --rm -it \
        -v ~/.ssh:/root/.ssh:ro \
        -v $PWD:/vuls \
        -v $PWD/vuls-log:/var/log/vuls \
        -v /etc/localtime:/etc/localtime:ro \
        -v /etc/timezone:/etc/timezone:ro \
        vuls/vuls scan \
        -config=./config.toml \
       --http-proxy $http_proxy


  7. Get the report

    $ docker run --rm -it \
         -v ~/.ssh:/root/.ssh:ro \
         -v $PWD:/vuls \
         -v $PWD/vuls-log:/var/log/vuls \
         -v /etc/localtime:/etc/localtime:ro \
         vuls/vuls report \
         -format-list \
         -config=./config.toml \
     --http-proxy $http_proxy


Lynis/Kube-Hunter
  1. Create ~/validation/bluval/bluval-sdtfc.yaml to customize the Test

    blueprint:
        name: sdtfc
        layers:
            - k8s
    - os k8s: &k8s - name: kube-hunter what: kube-hunter optional: "False"

    os: &os
    -
    name: lynis
    what: lynis
    optional: "False"


  2. Update ~/validation/bluval/volumes.yaml file

    volumes:
        # location of the ssh key to access the cluster
        ssh_key_dir:
            local: '/home/ubuntu/.ssh'
            target: '/root/.ssh'
        # location of the k8s access files (config file, certificates, keys)
        kube_config_dir:
            local: '/home/ubuntu/kube'
            target: '/root/.kube/'
        # location of the customized variables.yaml
        custom_variables_file:
            local: '/home/ubuntu/validation/tests/variables.yaml'
            target: '/opt/akraino/validation/tests/variables.yaml'
        # location of the bluval-<blueprint>.yaml file
        blueprint_dir:
            local: '/home/ubuntu/validation/bluval'
            target: '/opt/akraino/validation/bluval'
        # location on where to store the results on the local jumpserver
        results_dir:
            local: '/home/ubuntu/results'
            target: '/opt/akraino/results'
        # location on where to store openrc file
        openrc:
            local: ''
            target: '/root/openrc'
    
    # parameters that will be passed to the container at each layer
    layers:
        # volumes mounted at all layers; volumes specific for a different layer are below
        common:
            - custom_variables_file
            - blueprint_dir
            - results_dir
        hardware:
            - ssh_key_dir
        os:
            - ssh_key_dir
        networking:
            - ssh_key_dir
        docker:
            - ssh_key_dir
        k8s:
            - ssh_key_dir
            - kube_config_dir
        k8s_networking:
            - ssh_key_dir
            - kube_config_dir
        openstack:
            - openrc
        sds:
        sdn:
        vim:
    


  3. Update ~/validation/tests/variables.yaml file

    ### Input variables cluster's master host
    host: <IP Address>             # cluster's master host address
    username: <username>            # login name to connect to cluster
    password: <password>         # login password to connect to cluster
    ssh_keyfile: /root/.ssh/id_rsa        # Identity file for authentication
    


  4. Run Blucon

    $ bash validation/bluval/blucon.sh sdtfc
    


...

CVE-IDCVSSNVDFix/Notes
CVE-2016-15859.8https://nvd.nist.gov/vuln/detail/CVE-2016-1585

No fix available

Ubuntu CVE record

CVE-2022-03189.8https://nvd.nist.gov/vuln/detail/CVE-2022-0318

Fix not yet available

Ubuntu CVE record

CVE-2022-19279.8https://nvd.nist.gov/vuln/detail/CVE-2022-1927

Fix not yet available

Ubuntu CVE record

CVE-2022-203859.8https://nvd.nist.gov/vuln/detail/CVE-2022-20385

No fix available

Ubuntu CVE record

CVE-2022-374349.8https://nvd.nist.gov/vuln/detail/CVE-2022-37434

No fix available (for zlib1g, zlib1g-dev)

1:1.2.11.dfsg-2ubuntu1.5 is released, we need to upgrade.  

Ubuntu CVE record

Lynis

Nexus URL (manual run, with fixes): https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-lynis/2/

...