Table of Contents maxLevel 3
...
Before running the tests below, ensure that the configuration in the chapter Verifying the Setup
of Smart Data Transaction for CPS R7 Installation Guide has been implemented.
CI/CD Regression Tests: Node Setup
...
Create directory
$ mkdir ~/vuls $ cd ~/vuls $ mkdir go-cve-dictionary-log goval-dictionary-log gost-log
Fetch NVD
$ docker run --rm -it \ -v $PWD:/go-cve-dictionary \ -v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \ vuls/go-cve-dictionary fetch nvd --http-proxy $http_proxy
Fetch OVAL
$ docker run --rm -it \ -v $PWD:/goval-dictionary \ -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \ vuls/goval-dictionary fetch ubuntu 14 16 18 19 20 --http-proxy $http_proxy
Fetch gost
$ docker run --rm -it \
-e http_proxy=$http_proxy \
-e https_proxy=$https_proxy \ -v $PWD:/gost \ -v $PWD/gost-log:/var/log/gost \ vuls/gost fetch ubuntu --http-proxy $http_proxyCreate config.toml
[servers] [servers.master] host = "192.168.51.22" port = "22" user = "test-user" keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker
Start vuls container to run tests
$ docker run --rm -it \ -v ~/.ssh:/root/.ssh:ro \ -v $PWD:/vuls \ -v $PWD/vuls-log:/var/log/vuls \ -v /etc/localtime:/etc/localtime:ro \ -v /etc/timezone:/etc/timezone:ro \ vuls/vuls scan \ -config=./config.toml \
--http-proxy $http_proxyGet the report
$ docker run --rm -it \ -v ~/.ssh:/root/.ssh:ro \ -v $PWD:/vuls \ -v $PWD/vuls-log:/var/log/vuls \ -v /etc/localtime:/etc/localtime:ro \ vuls/vuls report \ -format-list \ -config=./config.toml \
--http-proxy $http_proxy
Lynis/Kube-Hunter
Create ~/validation/bluval/bluval-sdtfc.yaml to customize the Test
blueprint: name: sdtfc layers: - k8s
- os k8s: &k8s - name: kube-hunter what: kube-hunter optional: "False"
os: &os
-
name: lynis
what: lynis
optional: "False"Update ~/validation/bluval/volumes.yaml file
volumes: # location of the ssh key to access the cluster ssh_key_dir: local: '/home/ubuntu/.ssh' target: '/root/.ssh' # location of the k8s access files (config file, certificates, keys) kube_config_dir: local: '/home/ubuntu/kube' target: '/root/.kube/' # location of the customized variables.yaml custom_variables_file: local: '/home/ubuntu/validation/tests/variables.yaml' target: '/opt/akraino/validation/tests/variables.yaml' # location of the bluval-<blueprint>.yaml file blueprint_dir: local: '/home/ubuntu/validation/bluval' target: '/opt/akraino/validation/bluval' # location on where to store the results on the local jumpserver results_dir: local: '/home/ubuntu/results' target: '/opt/akraino/results' # location on where to store openrc file openrc: local: '' target: '/root/openrc' # parameters that will be passed to the container at each layer layers: # volumes mounted at all layers; volumes specific for a different layer are below common: - custom_variables_file - blueprint_dir - results_dir hardware: - ssh_key_dir os: - ssh_key_dir networking: - ssh_key_dir docker: - ssh_key_dir k8s: - ssh_key_dir - kube_config_dir k8s_networking: - ssh_key_dir - kube_config_dir openstack: - openrc sds: sdn: vim:
Update ~/validation/tests/variables.yaml file
### Input variables cluster's master host host: <IP Address> # cluster's master host address username: <username> # login name to connect to cluster password: <password> # login password to connect to cluster ssh_keyfile: /root/.ssh/id_rsa # Identity file for authentication
Run Blucon
$ bash validation/bluval/blucon.sh sdtfc
...
Vuls results (manual) Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-vuls/12/
Lynis results (manual) Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-lynis/2/
Kube-Hunter results Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-bluval/1/
Vuls
Nexus URL: https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-vuls/12/
There are 5 CVEs with 4 CVEs with a CVSS score >= 9.0. These These are exceptions requested here:
Release 7: Akraino CVE and KHV Vulnerability Exception Request
CVE-ID | CVSS | NVD | Fix/Notes | |||||
CVE- | 20162022- | 15853643 | 910. | 80 | https://nvd.nist.gov/vuln/detail/CVE- | 20162022- | 1585No fix3643 | Fix not yet available |
CVE-20222016-03181585 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-20222016-0318Fix not yet 1585 | No fix available | |||||
CVE-2022-19270318 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-19270318 | Fix not yet available | |||||
CVE-2022-203853649 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-20385No fix 3649 | Fix not yet available | CVE-2022-37434 | 9.8 |
Lynis
Nexus URL (manual run, with fixes): https://
...
...
No fix available (for zlib1g, zlib1g-dev) (09/2022)
1:1.2.11.dfsg-2ubuntu1.5 is released, we need to upgrade. (12/2022)
Lynis
Nexus URL (manual run, with fixes): https://nexus.akraino.akraino.org/content/sites/logs/fujitsu/job/sdt/r7/sdt-lynis/23/
The results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.
The Lynis Program Update test MUST pass with no errors.
...
No. | Test | Result | Notes |
---|---|---|---|
1 | Test: Checking PASS_MAX_DAYS option in /etc/login.defs | 2022-1012-11 1116 18:4845:22 05 Test: Checking PASS_MAX_DAYS option in /etc/login.defs | Required configuration |
2 | Performing test ID AUTH-9328 (Default umask values) | 2022-1012-11 1116 18:4845:22 05 Performing test ID AUTH-9328 (Default umask values) 2022-12-16 18:45:05 Test: Checking /etc/login.defs | Required configuration |
3 | Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) | 2022-1012-11 1116 18:5145:21 14 Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups) | Required configuration |
4 | Test: checking for file /etc/network/if-up.d/ntpdate | 2022-1012-11 1116 18:5145:25 16 Test: checking for file /etc/network/if-up.d/ntpdate 2022-1012-11 1116 18:5145:25 16 Result: file /etc/network/if-up.d/ntpdate does not exist 2022-1012-11 1116 18:5145:25 16 Result: Found a time syncing daemon/client. 2022-1012-11 1116 18:5145:25 16 Hardening: assigned maximum number of hardening points for this item (3). Currently having 173 points (out of 249246) | |
5 | Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) : Following sub-tests required | N/A | |
5a | sysctl key fs.suid_dumpable contains equal expected and current value (0) | 2022-1012-11 1116 18:5145:37 27 Result: sysctl key fs.suid_dumpable contains equal expected and current value (0) | Required configuration |
5b | sysctl key kernel.dmesg_restrict contains equal expected and current value (1) | 2022-1012-11 1116 18:5145:37 27 Result: sysctl key kernel.dmesg_restrict contains equal expected and current value (1) | Required configuration |
5c | sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0) | 2022-1012-11 1116 18:5145:37 27 Result: sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0) | Required configuration |
6 | Test: Check if one or more compilers can be found on the system | 2022-0312-07 1516 18:5545:29 28 Performing test ID HRDN-7220 (Check if one or more compilers are installed) | Required removal of build-essential package and apt autoremove, and /bin/as |
...