Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Release 3 Blueprint Scanning Status (Pre-Approval)

  • School/Education Video Security Monitoring [Hechun Zhang and Liya Yu]
    • This blueprint did not have output information from vuls, lynis or kube-hunter.
    • This is the first release for the School/Education Video Security Monitoring blueprint, BluVal is not required. 
    • I have sent an email to Hechun Zhang and Liya Yu.
    • Vuls:
    • Lynis:
    • Kube-Hunter:
  • Public Cloud Edge Interface (PCEI) Blueprint [Oleg Berzin]
    • This blueprint did not have output information from vuls, lynis or kube-hunter. 
    • This is the first release for the PCEI blueprint, BluVal is not required. 
    • I have sent an email to Oleg Berzin.
    • Vuls:
    • Lynis:
    • Kube-Hunter:

Approved Blueprints

...

Vuls Scan

  • Pass/Fail
  • Exceptions

...

Lynis Scan

  • Pass/Fail
  • Exceptions

...

Kube-Hunter Scan

  • Pass/Fail
  • Exceptions

...

5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint

...

  • Fail
    • Total: 366 (High:83 Medium:212 Low:71 ?:0), 165/366 Fixed
  • Exceptions provided for R3

vuls.log

...

  • Pass/w Exceptions

lynis.log

...

  • Fail
    • 1 vulnerability found, KHV002,  The K8s version could be obtained from the /version endpoint
  • Exceptions provided for R3

kube-hunter.log

...

AI/ML and AR/VR applications at Edge

...

High:61 Medium:280 Low:58

https://nexus.akraino.org/content/sites/logs/ampere/cvb/logs/

...

...

...

https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/

...

...

High:87 Medium:168 Low:62

https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/os/vuls/

...

https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/os/lynis/

...

https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/

...

High:84 Medium:281 Low:59

https://nexus.akraino.org/content/sites/logs/juniper/validation/os/vuls/

...

https://nexus.akraino.org/content/sites/logs/juniper/validation/os/lynis/

...

https://nexus.akraino.org/content/sites/logs/juniper/validation/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/

Approved with exceptions. 

Upgrading K8s components causes the Airship deployment to fail and the regional controller becomes incompatible. The development team was told to use a specific version of the regional controller and airship (as the older versions are stable and newer are in flux and fragile).  When the team upgraded to the new version as per the security team's suggestion, everything else fell apart.  Making this change will require several months of work as the development team has to upgrade a component at a time to bring everything to the latest version of code.

We will address this in the next release. 

...

  • Fail:
    • 141 unfixed vulnerabilities
    • (High:30 Medium:96 Low:27 ?:0), 12/153 Fixed
  • Exceptions:
    • We request exceptions for all outstanding vulnerabilities
  • See Nexus Logs

...

...

  • Fail
    • Only 1 vulnerability found, in "Inside-a-Pod Scanning": CAP_NET_RAW
  • Exceptions:
    • We request exception for CAP_NET_RAW vulnerability or remediation (fixes found seem to be on a per-pod basis, which is not enough)
  • See Nexus Logs

...

...

...

...

High:266 Medium:590 Low:106

IEC_Type3_vuls.log

...

...

...

High:61 Medium:280 Low:58

https://nexus.akraino.org/content/sites/logs/ampere/iec-type4/logs/

...

...

High:266 Medium:590 Low:106

https://nexus.akraino.org/content/sites/logs/bytedance/job/type5_security_scan/1/vuls.log

...

Hardening index : [63] [############ ]

https://nexus.akraino.org/content/sites/logs/bytedance/job/type5_security_scan/1/lynis.log

...

We have RHCOS on our cluster, so vuls doesn't apply to it

vuls-kni.log

...

Fail. We request for exception as we are running OpenShift and not upstream Kubernetes, so we hit several failures: cluster.log , pod.log

https://logs.akraino.org/redhat-kni/bluval_results/blueprint-pae/20200423-071856/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/cluster.log , https://logs.akraino.org/redhat-kni/bluval_results/blueprint-pae/20200423-071856/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter

...

Micro-MEC

...

https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/1/vuls/

https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/1/lynis/

...

https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/1/kube-hunter/

...

...

Fail with Exceptions

0 CVEs are detected with OVA
0 CVEs are detected with CPE
0 CVEs are detected with GitHub Security Alerts
0 exploits are detected
248 unfixed CVEs are detected with gost
Total: 228
(High:44 Medium:137 Low:47 ?:0), 0/228 Fixed, 824
installed, 0 updatable, 0 exploits, en: 5, ja: 0 alerts

vuls.log

...

Pass with Exceptions

Tests performed: 287
Total tests: 449
Active plugins: 2
"Total plugins: 2
Warnings: 2"
Found accounts without password [AUTH-9283]
https://cisofy.com/lynis/controls/AUTH-9283/
Note: these accounts are not allowed to logon.
YUM is not properly configured or registered for this platform (no repolist found) [PKGS-7383]
https://cisofy.com/lynis/controls/PKGS-7383/
Note: This is intentional to prevent anyone from installing software

lynis.log

...

Pass with Exceptions

All Critical Tests Passed
Cluster Remote Scanning Passed
Node Remote Scanning Passed
Inside-a-Pod Scanning Known Vulnerablities Found

KHV005 Access to API using service account token
KHV002 Kubernetes Version Disclosure
KHV050 Read access to pod's service account token
Local to Pod CAP_NET_RAW Enabled
Local to Pod Access to pod's secrets

pod.log

cluster.log

...

...

Time-Critical Edge Compute

...

Pass with exceptions

High:41 Medium:239 Low:32

https://nexus.akraino.org/content/sites/logs/cmti/job/vuls/

...

Pass with exceptions

Hardening index : 62 [############ ]

https://nexus.akraino.org/content/sites/logs/cmti/job/lynis/

...

No k8s cluster as part of deployment at the moment

...

High:84 Medium:294 Low:53

https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/os/vuls/

...

Hardening index : [57] [########### ]

https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/os/lynis/

...

cluster.log

KHV002 Information Disclosure

pod.log

https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/k8s/kube-hunter/

...

Approved Feature Projects

If the program uses only one programming language, in the “Repository” column, just fill in the repo location.

If a project uses multiple programming languages, please list all of them, add a link in "Repository" column for each programming language to show the sample code.  

...

Akraino Blueprint Validation Framework

...

Akraino Portal Feature Project

...

API Gateway

...