...
Before running the tests below, ensure that the configuration in the chapter Verifying the Setup
of Smart Data Transaction for CPS R7 Installation Guide has been implemented.
CI/CD Regression Tests: Node Setup
...
- Copy the folder ~/.kube from Kubernetes master node to Build VM
- Create SSH Key on Build VM to access Kubernetes master node
Vuls
We use Ubuntu 20.04 and sit behind a proxy, so we run the Vuls test as follows:
Create directory
$ mkdir ~/vuls
$ cd ~/vuls
$ mkdir go-cve-dictionary-log goval-dictionary-log gost-log
Fetch NVD
$ docker run --rm -it \
    -v $PWD:/go-cve-dictionary \
    -v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \
    vuls/go-cve-dictionary fetch nvd --http-proxy $http_proxy
Fetch OVAL
$ docker run --rm -it \
    -v $PWD:/goval-dictionary \
    -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
    vuls/goval-dictionary fetch ubuntu 14 16 17 18 19 20 --http-proxy $http_proxy
Fetch gost
$ docker run --rm -it \
    -e http_proxy=$http_proxy \
    -e https_proxy=$https_proxy \
    -v $PWD:/gost \
    -v $PWD/gost-log:/var/log/gost \
    vuls/gost fetch ubuntu --http-proxy $http_proxy
Create config.toml
[servers]

[servers.master]
host = "192.168.51.22"
port = "22"
user = "test-user"
keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker
Start vuls container to run tests
$ docker run --rm -it \
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    -v /etc/localtime:/etc/localtime:ro \
    -v /etc/timezone:/etc/timezone:ro \
    vuls/vuls scan \
    -config=./config.toml \
    --http-proxy $http_proxy
Get the report
$ docker run --rm -it \
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    -v /etc/localtime:/etc/localtime:ro \
    vuls/vuls report \
    -format-list \
    -config=./config.toml \
    --http-proxy $http_proxy
Lynis/Kube-Hunter
Create ~/validation/bluval/bluval-sdtfc.yaml to customize the test
blueprint:
    name: sdtfc
    layers:
        - k8s
        - os
    k8s: &k8s
        -
            name: kube-hunter
            what: kube-hunter
            optional: "False"
    os: &os
        -
            name: lynis
            what: lynis
            optional: "False"
Update ~/validation/bluval/volumes.yaml file
volumes:
    # location of the ssh key to access the cluster
    ssh_key_dir:
        local: '/home/ubuntu/.ssh'
        target: '/root/.ssh'
    # location of the k8s access files (config file, certificates, keys)
    kube_config_dir:
        local: '/home/ubuntu/kube'
        target: '/root/.kube/'
    # location of the customized variables.yaml
    custom_variables_file:
        local: '/home/ubuntu/validation/tests/variables.yaml'
        target: '/opt/akraino/validation/tests/variables.yaml'
    # location of the bluval-<blueprint>.yaml file
    blueprint_dir:
        local: '/home/ubuntu/validation/bluval'
        target: '/opt/akraino/validation/bluval'
    # location on where to store the results on the local jumpserver
    results_dir:
        local: '/home/ubuntu/results'
        target: '/opt/akraino/results'
    # location on where to store openrc file
    openrc:
        local: ''
        target: '/root/openrc'

# parameters that will be passed to the container at each layer
layers:
    # volumes mounted at all layers; volumes specific for a different layer are below
    common:
        - custom_variables_file
        - blueprint_dir
        - results_dir
    hardware:
        - ssh_key_dir
    os:
        - ssh_key_dir
    networking:
        - ssh_key_dir
    docker:
        - ssh_key_dir
    k8s:
        - ssh_key_dir
        - kube_config_dir
    k8s_networking:
        - ssh_key_dir
        - kube_config_dir
    openstack:
        - openrc
    sds:
    sdn:
    vim:
Update ~/validation/tests/variables.yaml file
### Input variables cluster's master host
host: <IP Address>              # cluster's master host address
username: <username>            # login name to connect to cluster
password: <password>            # login password to connect to cluster
ssh_keyfile: /root/.ssh/id_rsa  # Identity file for authentication
Run Blucon
$ bash validation/bluval/blucon.sh sdtfc
...
Vuls results (manual) Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-vuls/12/
Lynis results (manual) Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-lynis/12/
Kube-Hunter results Nexus URL:
Vuls
Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-vuls/2/
There are 4 CVEs with a CVSS score >= 9.0. These are the exceptions requested here:
Release 7: Akraino CVE and KHV Vulnerability Exception Request
CVE-ID | CVSS | NVD | Fix/Notes
---|---|---|---
CVE-2022-3643 | 10.0 | https://nvd.nist.gov/vuln/detail/CVE-2022-3643 | Fix not yet available
CVE-2016-1585 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2016-1585 | No fix available
CVE-2022-0318 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-0318 | Fix not yet available
CVE-2022-3649 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-3649 | Fix not yet available
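As an added example (not part of this test documentation or of the Vuls project), the script below turns the rule stated above into a CI gate: it reads the JSON that `vuls report -format-json` writes, lists every CVE whose NVD CVSS v3 score is at or above 9.0, and fails only for findings that are not covered by the exception request. The JSON field names are assumed from the Vuls result format, and the sample report is constructed; CVE-0000-0000 is a placeholder id.

```python
import json
import sys

# Assumed, simplified shape of the JSON written by `vuls report -format-json`:
# "ScannedCves" maps CVE-ID -> {"CveContents": {"nvd": [{"Cvss3Score": ...}]}}.
# Older Vuls releases stored a single object instead of a list; both are handled.
# Constructed sample; the CVE-IDs are the four exceptions above plus one placeholder.
SAMPLE_REPORT = json.dumps({
    "ServerName": "master",
    "ScannedCves": {
        "CVE-2022-3643": {"CveContents": {"nvd": [{"Cvss3Score": 10.0}]}},
        "CVE-2016-1585": {"CveContents": {"nvd": [{"Cvss3Score": 9.8}]}},
        "CVE-2022-0318": {"CveContents": {"nvd": {"Cvss3Score": 9.8}}},
        "CVE-2022-3649": {"CveContents": {"nvd": [{"Cvss3Score": 9.8}]}},
        "CVE-0000-0000": {"CveContents": {"nvd": [{"Cvss3Score": 5.3}]}},
    },
})

# Exceptions approved in the Release 7 request above.
EXCEPTIONS = {"CVE-2022-3643", "CVE-2016-1585", "CVE-2022-0318", "CVE-2022-3649"}

def nvd_cvss3(cve):
    """Highest NVD CVSS v3 base score recorded for one ScannedCves entry (0.0 if none)."""
    contents = cve.get("CveContents", {}).get("nvd", [])
    if isinstance(contents, dict):
        contents = [contents]
    return max((float(c.get("Cvss3Score", 0.0)) for c in contents), default=0.0)

def critical_cves(report_json, threshold=9.0):
    """CVE-ID -> score for every finding at or above the threshold."""
    report = json.loads(report_json)
    scored = {cid: nvd_cvss3(cve) for cid, cve in report.get("ScannedCves", {}).items()}
    return {cid: s for cid, s in scored.items() if s >= threshold}

def gate(report_json, exceptions, threshold=9.0):
    """Critical findings with no approved exception; an empty dict means the gate passes."""
    return {cid: s for cid, s in critical_cves(report_json, threshold).items()
            if cid not in exceptions}

if __name__ == "__main__":
    # Pass a report path to check a real result; otherwise the constructed sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    blocking = gate(data, EXCEPTIONS)
    for cid, score in sorted(blocking.items()):
        print(f"{cid} (CVSS {score}) has no approved exception")
    sys.exit(1 if blocking else 0)
```

Remove an id from EXCEPTIONS once its fix lands, so the gate starts failing again if the package regresses.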
Lynis
Nexus URL (manual run, with fixes): https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-lynis/13/
The results are compared with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.
The Lynis Program Update test MUST pass with no errors.
2022-09-14 16:19:49 Test: Checking for program update...
2022-09-14 16:19:49 Result: Update check failed. No network connection?
2022-09-14 16:19:49 Info: to perform an automatic update check, outbound DNS connections should be allowed (TXT record).
2022-09-14 16:19:49 Suggestion: This release is more than 4 months old. Check the website or GitHub to see if there is an update available. [test:LYNIS] [details:-] [solution:-]
Note: The test environment is a proxied private network inside the Fujitsu corporate network which does not allow direct DNS lookups using tools such as dig. Therefore the update check cannot be performed automatically.
The latest version of Lynis, 3.0.8 at the time of execution, was downloaded and run directly on the SUT. See the link below:
...
The following list of tests MUST complete as passing
No. | Test | Result | Notes
---|---|---|---
1 | Test: Checking PASS_MAX_DAYS option in /etc/login.defs | 2022-12-16 18:45:05 Test: Checking PASS_MAX_DAYS option in /etc/login.defs | Required configuration
2 | Performing test ID AUTH-9328 (Default umask values) | 2022-12-16 18:45:05 Performing test ID AUTH-9328 (Default umask values) 2022-12-16 18:45:05 Test: Checking /etc/login.defs Currently having 35 points (out of 49) | Required configuration
3 | Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) | 2022-12-16 18:45:14 Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) | Required configuration
4 | Test: checking for file /etc/network/if-up.d/ntpdate | 2022-12-16 18:45:16 Test: checking for file /etc/network/if-up.d/ntpdate 2022-12-16 18:45:16 Result: file /etc/network/if-up.d/ntpdate does not exist 2022-12-16 18:45:16 Result: Found a time syncing daemon/client. 2022-12-16 18:45:16 Hardening: assigned maximum number of hardening points for this item (3). Currently having 173 points (out of 246) |
5 | Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required | N/A |
5a | sysctl key fs.suid_dumpable contains equal expected and current value (0) | 2022-12-16 18:45:27 Result: sysctl key fs.suid_dumpable contains equal expected and current value (0) | Required configuration
5b | sysctl key kernel.dmesg_restrict contains equal expected and current value (1) | 2022-12-16 18:45:27 Result: sysctl key kernel.dmesg_restrict contains equal expected and current value (1) | Required configuration
5c | sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0) | 2022-12-16 18:45:27 Result: sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0) | Required configuration
6 | Test: Check if one or more compilers can be found on the system | 2022-12-16 18:45:28 Performing test ID HRDN-7220 (Check if one or more compilers are installed) 2022-12-16 18:45:28 Test: Check if one or more compilers can be found on the system | Required removal of build-essential package and apt autoremove, and /bin/as
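As an added example (not part of this page or of Lynis), the pre-flight check below verifies the "Required configuration" items from the table above on a node before the Bluval run, so a missed setting is caught without waiting for the full Lynis report. File contents are passed in as text so it can be unit-tested offline; the sample inputs are constructed, and the PASS_MAX_DAYS limit and the acceptable umask values are assumed policy choices, not values taken from the criteria document.

```python
import re

# Expected sysctl values from the Lynis result table above (KRNL-6000 sub-tests).
EXPECTED_SYSCTL = {
    "fs.suid_dumpable": "0",
    "kernel.dmesg_restrict": "1",
    "net.ipv4.conf.default.accept_source_route": "0",
}

def _login_defs_value(text, key):
    # First non-comment "KEY value" line wins, as in /etc/login.defs.
    m = re.search(rf"^\s*{key}\s+(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None

def check_pass_max_days(login_defs, limit=365):
    """Aging is configured when PASS_MAX_DAYS is set and at most `limit` (365 is assumed)."""
    value = _login_defs_value(login_defs, "PASS_MAX_DAYS")
    return value is not None and value.isdigit() and int(value) <= limit

def check_umask(login_defs, acceptable=("027", "077")):
    """Lynis flagged umask 022 on the SUT; 027 or stricter is assumed acceptable."""
    return _login_defs_value(login_defs, "UMASK") in acceptable

def check_sysctl(sysctl_text):
    """Compare 'key = value' lines (the format of `sysctl -a`) with EXPECTED_SYSCTL."""
    found = dict(re.findall(r"^\s*(\S+)\s*=\s*(\S+)", sysctl_text, re.MULTILINE))
    return {key: found.get(key) == want for key, want in EXPECTED_SYSCTL.items()}

def check_ssh_restriction(sshd_config):
    """SSH-7440 passes only when an active AllowUsers or AllowGroups line limits logins."""
    return re.search(r"^\s*Allow(Users|Groups)\s+\S", sshd_config, re.MULTILINE) is not None

def run_checks(login_defs, sysctl_text, sshd_config):
    results = {
        "PASS_MAX_DAYS": check_pass_max_days(login_defs),
        "UMASK": check_umask(login_defs),
        "SSH AllowUsers/AllowGroups": check_ssh_restriction(sshd_config),
    }
    results.update(check_sysctl(sysctl_text))
    return results

# Constructed sample inputs, not taken from a real SUT.
SAMPLE_LOGIN_DEFS = "# comment\nPASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t7\nUMASK\t\t022\n"
SAMPLE_SYSCTL = ("fs.suid_dumpable = 0\nkernel.dmesg_restrict = 0\n"
                 "net.ipv4.conf.default.accept_source_route = 0\n")
SAMPLE_SSHD = "#AllowUsers nobody\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, ok in run_checks(SAMPLE_LOGIN_DEFS, SAMPLE_SYSCTL, SAMPLE_SSHD).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

On a live node, feed it the contents of /etc/login.defs, the output of `sysctl -a` and /etc/ssh/sshd_config; the sample deliberately reproduces the umask, dmesg_restrict and SSH findings so the failure path is exercised.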
Kube-Hunter
Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-bluval/1/
...