
Test document

...

View file: Robot_based_on_SSES_BP_Test_document.pdf

*The following Word file is the base file of the above PDF.

View file: Robot_based_on_SSES_BP_Test_document.docx



Pass (19/19 test cases)

...

Execute the tests with reference to the following:

Bluval User Guide

Steps To Implement Security Scan Requirements

https://vuls.io/docs/en/tutorial-docker.html

...

In this Blueprint we run only the Lynis and Vuls tests; the Kubernetes-related tests are skipped because the Blueprint does not use Kubernetes.

Also refer to the Bluval User Guide: the procedure is to clone the files from http://gerrit.akraino.org/r/validation and execute them.

...

There are 26 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 7: Akraino CVE and KHV Vulnerability Exception Request

CVE-ID | CVSS | NVD | Fix/Notes | PACKAGES
CVE-2016-1585 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2016-1585 | No fix available | apparmor
CVE-2017-18201 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-18201 | No fix available | libcdio17
CVE-2017-7827 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-7827 | No fix available; uninstall firefox: $ sudo apt remove firefox* | libmozjs-52-0
CVE-2018-5090 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5090 | Reported fixed in 58 and later version (installed), but still reported by Vuls; uninstall firefox: $ sudo apt remove firefox* | libmozjs-52-0
CVE-2018-5126 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5126 | Reported fixed in 58 and later version (installed), but still reported by Vuls; uninstall firefox: $ sudo apt remove firefox* | libmozjs-52-0
CVE-2018-5145 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5145 | Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls; uninstall firefox: $ sudo apt remove firefox* | libmozjs-52-0
CVE-2018-5151 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-5151 | Reported fixed in 60 and later version (installed), but still reported by Vuls; uninstall firefox: $ sudo apt remove firefox* | libmozjs-52-0
CVE-2019-17041 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-17041 | Reported fixed in 8.19 and later version (installed), but still reported by Vuls | rsyslog
CVE-2019-17042 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-17042 | Reported fixed in 8.19 and later version (installed), but still reported by Vuls | rsyslog
CVE-2019-8287 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-8287 | Uninstall tightvncserver: $ sudo apt-get remove tightvnc* -y | tightvncserver
CVE-2022-0318 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-0318 | Uninstall vim: $ sudo apt remove vim* | vim
CVE-2022-23852 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-23852 | Uninstall firefox, thunderbird: $ sudo apt remove firefox* thunderbird* | firefox, thunderbird
CVE-2022-24791 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-24791 | Uninstall firefox, thunderbird: $ sudo apt remove firefox* thunderbird* | firefox, thunderbird
CVE-2022-25235 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-25235 | Uninstall firefox, thunderbird: $ sudo apt remove firefox* thunderbird* | firefox, thunderbird
CVE-2022-25236 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-25236 | Uninstall firefox, thunderbird: $ sudo apt remove firefox* thunderbird* | firefox, thunderbird
CVE-2022-25315 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-25315 | Uninstall firefox, thunderbird: $ sudo apt remove firefox* thunderbird* | firefox, thunderbird
CVE-2022-3649 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-3649 | No fix available | linux-image-4.15.0-197-generic
CVE-2022-37609 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-37609 | Uninstall firefox, thunderbird: $ sudo apt remove firefox* thunderbird* | thunderbird
CVE-2022-39394 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-39394 | Uninstall thunderbird: $ sudo apt remove thunderbird* | thunderbird
CVE-2016-9180 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2016-9180 | No fix available (TODO: File exception request) | libxml-twig-perl
CVE-2019-20433 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2019-20433 | No fix available | aspell
CVE-2022-24303 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-24303 | No fix available (TODO: File exception request) | python3-pil
CVE-2022-39319 | 9.1 | https://security-tracker.debian.org/tracker/CVE-2022-39319 | No fix available | libfreerdp-client2-2, libfreerdp2-2, libwinpr2-2
CVE-2022-41877 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-41877 | No fix available (TODO: File exception request) | libfreerdp-client2-2, libfreerdp2-2, libwinpr2-2
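Several rows in the exception tables on this page read "Reported fixed in X and later version (installed), but still reported by Vuls". Sorting such rows from the genuine "No fix available" exceptions comes down to a Debian version comparison between the installed package and the version the advisory names as fixed, and that comparison has rules (epoch before upstream before revision, '~' sorting before the empty string, numeric runs compared as numbers) that a plain string or float comparison gets wrong. The following Python is an added example, not Vuls or Bluval code: it reimplements dpkg's version ordering and triages a scan report at CVSS >= 9.0 into the three outcomes the tables use. The report layout, its field names (serverName, packages, scannedCves, affected, fixedIn) and every version string are constructed for the example and are not the Vuls JSON schema.

```python
"""Triage a Vuls-style report into the outcomes used in the exception tables on this page.
Added example, not Vuls or Bluval code: the report layout, its field names and every
version string below are constructed for the example, not the Vuls JSON schema."""
from typing import Dict, List, Tuple

NO_FIX = "No fix available: file an exception request"
INSTALLED = "Fixed version already installed but still reported: re-check before requesting an exception"
UPGRADE = "Fix available: upgrade the package"

def _order(c: str) -> int:
    """dpkg weight of one character in a non-digit run: '~' < end of string < letters < others."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """dpkg's comparison of an upstream or revision string: alternate non-digit and digit runs."""
    def ch(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while ch(a, i) == "0":      # digit runs: leading zeros ignored, the longer run wins,
            i += 1
        while ch(b, j) == "0":      # otherwise the first differing digit decides
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def dpkg_compare(a: str, b: str) -> int:
    """-1, 0 or 1 with the ordering `dpkg --compare-versions` uses: epoch, upstream, then revision."""
    def split(v: str) -> Tuple[int, str, str]:  # 'epoch:upstream-revision', epoch and revision optional
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        head, dash, tail = rest.rpartition("-")
        return (int(epoch), head, tail) if dash else (int(epoch), rest, "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0

# Constructed report with assumed field names; the installed versions are made up for the example.
SAMPLE_REPORT = {
    "serverName": "robot-control",
    "packages": {
        "libmozjs-52-0": "1:52.9.1-0ubuntu0.18.04.1",
        "rsyslog": "8.32.0-1ubuntu4",
        "apparmor": "2.12-4ubuntu5.1",
        "vim": "2:8.0.1453-1ubuntu1.8",
    },
    "scannedCves": {
        "CVE-2018-5145": {"cvss": 9.8, "affected": [{"name": "libmozjs-52-0", "fixedIn": "1:52.7.0"}]},
        "CVE-2019-17041": {"cvss": 9.8, "affected": [{"name": "rsyslog", "fixedIn": "8.19"}]},
        "CVE-2016-1585": {"cvss": 9.8, "affected": [{"name": "apparmor", "fixedIn": None}]},
        "CVE-2022-0318": {"cvss": 9.8, "affected": [{"name": "vim", "fixedIn": "2:8.2.4120-1"}]},
        "CVE-9999-0001": {"cvss": 7.5, "affected": [{"name": "apparmor", "fixedIn": None}]},  # below 9.0
    },
}

def triage(report: Dict, threshold: float = 9.0) -> List[Tuple[str, float, str, str, str]]:
    """Rows (cve, cvss, package, installed, verdict) for each package hit at or above threshold."""
    installed, rows = report.get("packages", {}), []
    for cve, info in report["scannedCves"].items():
        if info["cvss"] < threshold:
            continue
        for pkg in info["affected"]:
            cur, fixed = installed.get(pkg["name"], ""), pkg.get("fixedIn")
            if not fixed:
                verdict = NO_FIX
            elif cur and dpkg_compare(cur, fixed) >= 0:
                verdict = INSTALLED
            else:
                verdict = UPGRADE
            rows.append((cve, info["cvss"], pkg["name"], cur, verdict))
    return sorted(rows, key=lambda r: (-r[1], r[0]))   # highest score first, then CVE id

if __name__ == "__main__":
    print("CVE-ID | CVSS | PACKAGES | Installed | Fix/Notes")
    for cve, cvss, pkg, cur, verdict in triage(SAMPLE_REPORT):
        print(f"{cve} | {cvss} | {pkg} | {cur or '-'} | {verdict}")
```

On a real host the installed versions come from `dpkg-query -W -f='${Package} ${Version}\n'`, and a row that lands in the "already installed but still reported" bucket is the one to re-check against the distribution's own advisory before an exception request is filed, since the scanner and the advisory may not be describing the same package build.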

PC/Server for robot control

There are 40 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 7: Akraino CVE and KHV Vulnerability Exception Request

CVE-ID | CVSS | NVD | Fix/Notes | PACKAGES
CVE-2016-1585 | 9.8 | https://ubuntu.com/security/CVE-2016-1585 | No fix available | apparmor
CVE-2017-18201 | 9.8 | https://ubuntu.com/security/CVE-2017-18201 | No fix available | libcdio17
CVE-2017-7827 | 9.8 | https://ubuntu.com/security/CVE-2017-7827 | No fix available | libmozjs-52-0
CVE-2018-5090 | 9.8 | https://ubuntu.com/security/CVE-2018-5090 | No fix available | libmozjs-52-0
CVE-2018-5126 | 9.8 | https://ubuntu.com/security/CVE-2018-5126 | No fix available | libmozjs-52-0
CVE-2018-5145 | 9.8 | https://ubuntu.com/security/CVE-2018-5145 | No fix available | libmozjs-52-0
CVE-2018-5151 | 9.8 | https://ubuntu.com/security/CVE-2018-5151 | No fix available | libmozjs-52-0
CVE-2019-17041 | 9.8 | https://ubuntu.com/security/CVE-2019-17041 | No fix available | rsyslog
CVE-2019-17042 | 9.8 | https://ubuntu.com/security/CVE-2019-17042 | No fix available | rsyslog
CVE-2022-0318 | 9.8 | https://ubuntu.com/security/CVE-2022-0318 | No fix available | xxd
CVE-2022-3649 | 9.8 | https://ubuntu.com/security/CVE-2022-3649 | No fix available | linux-image-4.15.0-197-generic
CVE-2022-3890 | 9.6 | https://ubuntu.com/security/CVE-2022-3890 | No fix available | chromium-browser
CVE-2022-4135 | 9.6 | https://ubuntu.com/security/CVE-2022-4135 | No fix available | chromium-browser
CVE-2016-9180 | 9.1 | https://ubuntu.com/security/CVE-2016-9180 | No fix available | libxml-twig-perl
CVE-2019-20433 | 9.1 | https://ubuntu.com/security/CVE-2019-20433 | No fix available | aspell
CVE-2022-24303 | 9.1 | https://ubuntu.com/security/CVE-2022-24303 | No fix available | python3-pil

Release 5: Akraino CVE Vulnerability Exception Request

CVE-ID | CVSS | NVD | Fix/Notes | PACKAGES
CVE-2019-11707 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-11707 | No fix available (TODO: File exception request) | libmozjs-52-0
CVE-2022-23960 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-23960 | No fix available (TODO: File exception request) | linux-image-4.15.0-197-generic
CVE-2005-2541 | 10.0 | https://nvd.nist.gov/vuln/detail/CVE-2005-2541 | No fix available | tar
CVE-2014-2830 | 10.0 | https://nvd.nist.gov/vuln/detail/CVE-2014-2830 | No fix available | cifs-utils
CVE-2016-1585 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2016-1585 | No fix available | libapparmor1
CVE-2017-17479 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-17479 | No fix available | libopenjp2-7
CVE-2017-9117 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-9117 | No fix available | libtiff5
CVE-2018-13410 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-13410 | No fix available | zip
CVE-2019-1010022 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-1010022 | No fix available | libc-bin, libc-dev-bin, libc-devtools, libc-l10n, libc6, libc6-dbg, libc6-dev, locales
CVE-2019-8341 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-8341 | No fix available | python3-jinja2
CVE-2020-27619 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2020-27619 | No fix available | python3.9
CVE-2021-29462 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-29462 | No fix available | libixml10, libupnp13
CVE-2021-29921 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-29921 | Reported fixed in python3.9 (installed), but still reported by Vuls | python3.9
CVE-2021-30473 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-30473 | No fix available | libaom0
CVE-2021-30474 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-30474 | No fix available | libaom0
CVE-2021-30475 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-30475 | No fix available | libaom0
CVE-2021-3756 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-3756 | Install libmysofa 1.2.1 | libmysofa1
CVE-2021-3782 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-3782 | No fix available (TODO: File exception request) | libwayland-client0, libwayland-cursor0, libwayland-egl1, libwayland-server0
CVE-2021-42377 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-42377 | No fix available | busybox
CVE-2021-45951 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45951 | No fix available | dnsmasq
CVE-2021-45952 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45952 | No fix available | dnsmasq
CVE-2021-45953 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45953 | No fix available | dnsmasq
CVE-2021-45954 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45954 | No fix available | dnsmasq
CVE-2021-45955 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45955 | No fix available | dnsmasq
CVE-2021-45956 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45956 | No fix available | dnsmasq
CVE-2021-45957 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2021-45957 | No fix available (TODO: File exception request) | dnsmasq
CVE-2022-0318 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-0318 | Uninstall vim: $ sudo apt remove vim* | vim-common, vim-runtime, vim-tiny, xxd
CVE-2022-1253 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-1253 | No fix available | libde265-0
CVE-2022-23303 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-23303 | No fix available (TODO: File exception request) | hostapd, wpasupplicant
CVE-2022-23304 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-23304 | No fix available | hostapd, wpasupplicant
CVE-2022-37454 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-37454 | No fix available (TODO: File exception request) | hostapd, wpasupplicant
CVE-2022-3970 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2022-3970 | No fix available (TODO: File exception request) | python3.9
CVE-2019-19391 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2019-19391 | No fix available (TODO: File exception request) | libtiff5
CVE-2021-4048 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2021-4048 | No fix available | libblas3, liblapack3
CVE-2021-43400 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2021-43400 | No fix available | bluez
CVE-2021-46848 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2021-46848 | No fix available (TODO: File exception request) | libtasn1-6
CVE-2022-0670 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-0670 | No fix available (TODO: File exception request) | librados2, librbd1
CVE-2022-24303 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-24303 | No fix available (TODO: File exception request) | python3-pil
CVE-2022-26280 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-26280 | No fix available (TODO: File exception request) | libarchive13
CVE-2022-32213 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-32213 | No fix available (TODO: File exception request) | nodejs
CVE-2022-32214 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-32214 | No fix available (TODO: File exception request) | nodejs
CVE-2022-32215 | 9.1 | https://nvd.nist.gov/vuln/detail/CVE-2022-32215 | No fix available (TODO: File exception request) | nodejs

Cloud/Edge Cloud

There are 2 CVEs with a CVSS score >= 9.0.

Release 7: Akraino CVE and KHV Vulnerability Exception Request

CVE-ID | CVSS | NVD | Fix/Notes | PACKAGES
CVE-2016-1585 | 9.8 | https://ubuntu.com/security/CVE-2016-1585 | No fix available | apparmor
CVE-2022-3649 | 9.8 | https://ubuntu.com/security/CVE-2022-3649 | No fix available | linux-gcp

Lynis

Nexus URL (before fix):

 https://nexus.akraino.org/content/sites/logs/fujitsu/job/robot-family/R7/sses-lynis/PDH/lynis_PDH_before.log

 https://nexus.akraino.org/content/sites/logs/fujitsu/job/robot-family/R7/sses-lynis/Robot/lynis_Robot_before.log

Nexus URL (after fix):

 https://nexus.akraino.org/content/sites/logs/fujitsu/job/robot-family/R7/2/sses-lynis/PDH/lynis_PDH_after.log

 https://nexus.akraino.org/content/sites/logs/fujitsu/job/robot-family/R7/sses-lynis/Robot/lynis_Robot_after.log

...

The initial results are compared against the Lynis Incubation: PASS/FAIL Criteria, v1.0, as follows.

PDH, IoT Gateway

The Lynis Program Update test MUST pass with no errors.

Code Block
2022-11-22 07:46:44 Test: Checking for program update...
2022-11-22 07:46:44 Current installed version  : 308
2022-11-22 07:46:45 Latest stable version      : 308
2022-11-22 07:46:45 No Lynis update available.

...

Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing

...

PC/Server for robot control

The Lynis Program Update test MUST pass with no errors.

Code Block
2022-03-23 05:13:56 Test: Checking for program update...
2022-03-23 05:14:03 Current installed version : 308
2022-03-23 05:14:03 Latest stable version : 308
2022-03-23 05:14:03 No Lynis update available

...

Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing

...

No. / Test / Result / Fix

1. Test: Checking PASS_MAX_DAYS option in /etc/login.defs
   Result: password aging limits are not configured
   Fix: Set PASS_MAX_DAYS 180 in /etc/login.defs

2. Performing test ID AUTH-9328 (Default umask values); Test: Checking umask value in /etc/login.defs
   Result: found umask 022, which could be improved
   Fix: Set UMASK 027 in /etc/login.defs

3. Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
   Result: AllowUsers is not set
   Result: AllowGroups is not set
   Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
   Hardening: assigned partial number of hardening points (0 of 1). Currently having 152 points (out of 223)
   Fix: Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config

4. Test: checking for file /etc/network/if-up.d/ntpdate
   Result: file /etc/network/if-up.d/ntpdate does not exist
   Result: Found a time syncing daemon/client.
   Hardening: assigned maximum number of hardening points for this item (3). Currently having 161 points (out of 238)
   Fix: OK (no action needed)

5. Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile): the following sub-tests are required
   Result: N/A
   Fix: N/A

5a. sysctl key fs.suid_dumpable contains equal expected and current value (0)
   Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
   Hardening: assigned partial number of hardening points (0 of 1). Currently having 163 points (out of 253)
   Fix: Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf
     echo 'fs.suid_dumpable=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
     sudo /sbin/sysctl --system
     sudo sysctl -a | grep suid

5b. sysctl key kernel.dmesg_restrict contains equal expected and current value (1)
   Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0
   Fix: Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf
     echo 'kernel.dmesg_restrict=1' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
     sudo /sbin/sysctl --system
     sudo sysctl -a | grep dmesg

5c. sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)
   Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1
   Fix: Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf
     echo 'net.ipv4.conf.default.accept_source_route=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
     sudo /sbin/sysctl --system
     sudo sysctl -a | grep ipv4.conf.default.accept_source_route

6. Test: Check if one or more compilers can be found on the system
   Result: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler'
   Hardening: assigned partial number of hardening points (1 of 3). Currently having 180 points (out of 286)
     Found known binary: as (compiler) - /usr/bin/as
     Found known binary: cc (compiler) - /usr/bin/cc
     Found known binary: g++ (compiler) - /usr/bin/g++
     Found known binary: gcc (compiler) - /usr/bin/gcc
   Fix: Uninstall gcc and remove /usr/bin/as, /usr/bin/cc


Cloud/Edge Cloud

The Lynis Program Update test MUST pass with no errors.

Code Block
2022-11-28 00:14:35 Test: Checking for program update...
2022-11-28 00:14:35 Current installed version  : 308
2022-11-28 00:14:35 Latest stable version      : 308
2022-11-28 00:14:35 No Lynis update available. 

...

Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing

No. / Test / Result / Fix

1. Test: Checking PASS_MAX_DAYS option in /etc/login.defs
   Result: password aging limits are not configured
   Fix: Set PASS_MAX_DAYS 180 in /etc/login.defs

2. Performing test ID AUTH-9328 (Default umask values); Test: Checking umask value in /etc/login.defs
   Result: found umask 022, which could be improved
   Fix: Set UMASK 027 in /etc/login.defs

3. Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
   Result: AllowUsers is not set
   Result: AllowGroups is not set
   Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
   Hardening: assigned partial number of hardening points (0 of 1). Currently having 152 points (out of 223)
   Fix: Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config
   Note: if the lynis shell script is run as an ordinary user, this test outputs an error, so run the script as a privileged user:
     $ su root
     # whoami
     root
     # ./lynis audit system
   Reference: https://github.com/CISOfy/lynis/blob/master/include/tests_ssh#L54

4. Test: checking for file /etc/network/if-up.d/ntpdate
   Result: file /etc/network/if-up.d/ntpdate does not exist
   Result: Found a time syncing daemon/client.
   Hardening: assigned maximum number of hardening points for this item (3). Currently having 177 points (out of 168)
   Fix: OK (no action needed)

5. Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile): the following sub-tests are required
   Result: N/A
   Fix: N/A

5a. sysctl key fs.suid_dumpable contains equal expected and current value (0)
   Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
   Hardening: assigned partial number of hardening points (0 of 1). Currently having 163 points (out of 253)
   Fix: Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf
     echo 'fs.suid_dumpable=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
     sudo /sbin/sysctl --system
     sudo sysctl -a | grep suid

5b. sysctl key kernel.dmesg_restrict contains equal expected and current value (1)
   Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0
   Fix: Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf
     echo 'kernel.dmesg_restrict=1' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
     sudo /sbin/sysctl --system
     sudo sysctl -a | grep dmesg

5c. sysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)
   Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1
   Fix: Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf
     echo 'net.ipv4.conf.default.accept_source_route=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
     sudo /sbin/sysctl --system
     sudo sysctl -a | grep ipv4.conf.default.accept_source_route

6. Test: Check if one or more compilers can be found on the system
   Result: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler'
   Hardening: assigned partial number of hardening points (1 of 3). Currently having 180 points (out of 286)
     Found known binary: as (compiler) - /usr/bin/as
     Found known binary: cc (compiler) - /usr/bin/cc
     Found known binary: g++ (compiler) - /usr/bin/g++
     Found known binary: gcc (compiler) - /usr/bin/gcc
   Fix: Uninstall gcc and remove /usr/bin/as, /usr/bin/cc
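Items 5a to 5c in both the PC/Server and the Cloud/Edge Cloud lists above append keys to /etc/sysctl.d/90-lynis-hardening.conf and reload with sysctl --system, and items 1 and 2 edit /etc/login.defs. Two things are worth checking before re-running Lynis: sysctl --system applies /etc/sysctl.d/*.conf in lexical order and /etc/sysctl.conf last, so a 99-*.conf or a sysctl.conf entry silently wins over the 90- file, and tee -a appends another copy of each line every time the fix is re-run. The following Python is an added example, not Lynis code: it models that precedence over constructed file contents and reports each setting against the values the tables above expect. The file names and contents are constructed for the example, not copied from a host.

```python
"""Check the login.defs and sysctl fixes from the Lynis lists above against the files
that sysctl --system would apply.  Added example, not Lynis code; all file names and
contents below are constructed, not copied from a host."""
import re
from typing import Dict, List, Optional, Tuple

def _kv(line: str) -> Optional[Tuple[str, str]]:
    """One sysctl.conf line -> (key, value); comments, blanks and lines without '=' give None."""
    line = line.strip()
    if not line or line[0] in "#;" or "=" not in line:
        return None
    key, value = (p.strip() for p in line.split("=", 1))
    return key.lstrip("-").replace("/", "."), value   # '-' = ignore errors; a/b/c is the same key as a.b.c

def parse_sysctl(text: str) -> Dict[str, str]:
    """Last assignment of a key within one file wins."""
    return dict(kv for kv in map(_kv, text.splitlines()) if kv)

def duplicate_keys(text: str) -> List[str]:
    """Keys set more than once in a file, the usual result of re-running `tee -a`."""
    keys = [kv[0] for kv in map(_kv, text.splitlines()) if kv]
    return sorted({k for k in keys if keys.count(k) > 1})

def effective_sysctl(dropins: Dict[str, str], sysctl_conf: Optional[str] = None) -> Dict[str, str]:
    """Model `sysctl --system`: /etc/sysctl.d/*.conf in lexical order, then /etc/sysctl.conf; later wins."""
    merged: Dict[str, str] = {}
    for name in sorted(n for n in dropins if n.endswith(".conf")):
        merged.update(parse_sysctl(dropins[name]))
    if sysctl_conf is not None:
        merged.update(parse_sysctl(sysctl_conf))
    return merged

def parse_login_defs(text: str) -> Dict[str, str]:
    """/etc/login.defs: 'NAME value' per line, '#' comments."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            values[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return values

SYSCTL_EXPECTED = {  # scan-profile values from items 5a to 5c
    "fs.suid_dumpable": "0",
    "kernel.dmesg_restrict": "1",
    "net.ipv4.conf.default.accept_source_route": "0",
}

def check_hardening(dropins: Dict[str, str], sysctl_conf: Optional[str],
                    login_defs: str) -> List[Tuple[str, str, Optional[str], bool]]:
    """(item, expected, actual, ok) for every setting the fixes in items 1, 2 and 5a-5c touch."""
    eff = effective_sysctl(dropins, sysctl_conf)
    findings = [(k, want, eff.get(k), eff.get(k) == want) for k, want in SYSCTL_EXPECTED.items()]
    defs = parse_login_defs(login_defs)
    days = defs.get("PASS_MAX_DAYS")
    findings.append(("PASS_MAX_DAYS", "<= 180", days, bool(days and days.isdigit() and int(days) <= 180)))
    umask = defs.get("UMASK")
    strict = bool(umask and re.fullmatch(r"[0-7]{3,4}", umask) and int(umask, 8) & 0o027 == 0o027)
    findings.append(("UMASK", "027 or stricter", umask, strict))   # group-write and all 'other' bits masked
    return findings

# Constructed sample input.  The 99- file and the duplicated line are the two traps worth checking for.
DROPINS = {
    "10-network.conf": "net.ipv4.conf.default.accept_source_route = 1\n",
    "90-lynis-hardening.conf": "fs.suid_dumpable=0\nkernel.dmesg_restrict=1\n"
                               "net.ipv4.conf.default.accept_source_route=0\n"
                               "fs.suid_dumpable=0\n",           # second `tee -a` run
    "99-site-local.conf": "# sorts after 90-lynis-hardening.conf, so this wins\nkernel.dmesg_restrict = 0\n",
}
SYSCTL_CONF = "# /etc/sysctl.conf is applied last of all\n#kernel.dmesg_restrict = 0\n"
LOGIN_DEFS = "# /etc/login.defs excerpt\nPASS_MAX_DAYS\t180\nPASS_MIN_DAYS\t0\nUMASK\t\t022\n"

if __name__ == "__main__":
    for item, want, got, ok in check_hardening(DROPINS, SYSCTL_CONF, LOGIN_DEFS):
        print(f"{'OK ' if ok else 'FIX'} {item}: expected {want}, found {got}")
    print("duplicates in 90-lynis-hardening.conf:", duplicate_keys(DROPINS["90-lynis-hardening.conf"]))
```

Run against the real files by reading /etc/sysctl.d/*.conf, /etc/sysctl.conf and /etc/login.defs into the same dictionaries; the `sudo sysctl -a | grep ...` step in the tables remains the final word, since it reports what the kernel actually holds rather than what the files say.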