Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Test document

Robot_based_on_SSES_BP_Test_document.pdf


*The following word file is base file of the above pdf.


Pass (XX/XX test cases)


Bluval Tests

Execute with reference to the following

Bluval User Guide

Steps To Implement Security Scan Requirements

https://vuls.io/docs/en/tutorial-docker.html

There are 2 security related tests: lynis & vuls. And there are 2 k8s related tests: kube-hunter & conformance tests.

In this Blueprint, we test lynis & vuls, we do not test k8s related tests: because of not using k8s.

Also refer to Bluval User Guide, the procedure is to clone the files from http://gerrit.akraino.org/r/validation and execute them,

but a configuration file:Bluval/validation/docker/os/Dockerfile does not correspond to this OS version, we execute tests manually.

The Configuration file are only supported up to Ubuntu 18.

Vuls

We use Ubuntu 20.04, so we ran Vuls test as follows:

  1. Create directory

    $ mkdir ~/vuls
    $ cd ~/vuls
    $ mkdir go-cve-dictionary-log goval-dictionary-log gost-log
    
  2. Fetch NVD

    $ docker run --rm -it \
        -v $PWD:/go-cve-dictionary \
        -v $PWD/go-cve-dictionary-log:/var/log/go-cve-dictionary \
        vuls/go-cve-dictionary fetch nvd
    
  3. Fetch OVAL

    $ docker run --rm -it \
         -v $PWD:/goval-dictionary \
         -v $PWD/goval-dictionary-log:/var/log/goval-dictionary \
         vuls/goval-dictionary fetch ubuntu 18 19 20
    
  4. Fetch gost

    $ docker run --rm -i \
         -v $PWD:/gost \
         -v $PWD/gost-log:/var/log/gost \
         vuls/gost fetch ubuntu
    
  5. Create config.toml

    [servers]
    
    [servers.master]
    host = "192.168.51.22"
    port = "22"
    user = "test-user"
    keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker
    
  6. Start vuls container to run tests

    $ docker run --rm -it \
        -v ~/.ssh:/root/.ssh:ro \
        -v $PWD:/vuls \
        -v $PWD/vuls-log:/var/log/vuls \
        -v /etc/localtime:/etc/localtime:ro \
        -v /etc/timezone:/etc/timezone:ro \
        vuls/vuls scan \
        -config=./config.toml
    
  7. Get the report

    $ docker run --rm -it \
         -v ~/.ssh:/root/.ssh:ro \
         -v $PWD:/vuls \
         -v $PWD/vuls-log:/var/log/vuls \
         -v /etc/localtime:/etc/localtime:ro \
         vuls/vuls report \
         -format-list \
         -config=./config.toml

Vuls

Nexus URL: 

PDH,IoT Gateway

There are 23 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request

CVE-ID

CVSS

NVD

Fix/Notes

PACKAGES

CVE-2016-1585

9.8

https://nvd.nist.gov/vuln/detail/CVE-2016-1585

No fix available

apparmor

CVE-2017-18201

9.8

https://nvd.nist.gov/vuln/detail/CVE-2017-18201

No fix available

libcdio17

CVE-2017-7827

9.8

https://nvd.nist.gov/vuln/detail/CVE-2017-7827

No fix available

libmozjs-52-0

CVE-2018-5090

9.8

https://nvd.nist.gov/vuln/detail/CVE-2018-5090

Reported fixed in 58 and later version (installed), but still reported by Vuls

libmozjs-52-0

CVE-2018-5126

9.8

https://nvd.nist.gov/vuln/detail/CVE-2018-5126

Reported fixed in 58 and later version (installed), but still reported by Vuls

libmozjs-52-0

CVE-2018-5145

9.8

https://nvd.nist.gov/vuln/detail/CVE-2018-5145

Reported fixed in 1:52.7.0 and later version (installed), but still reported by Vuls

libmozjs-52-0

CVE-2018-5151

9.8

https://nvd.nist.gov/vuln/detail/CVE-2018-5151

Reported fixed in 60 and later version (installed), but still reported by Vuls

libmozjs-52-0

CVE-2019-17041

9.8

https://nvd.nist.gov/vuln/detail/CVE-2019-17041

No fix available

rsyslog

CVE-2019-17042

9.8

https://nvd.nist.gov/vuln/detail/CVE-2019-17042

No fix available

rsyslog

CVE-2021-31870

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-31870

No fix available

klibc-utils, libklibc

CVE-2021-31872

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-31872

No fix available

klibc-utils, libklibc

CVE-2021-31873

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-31873

No fix available

klibc-utils, libklibc

CVE-2021-39713

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-39713

No fix available

linux-image-5.4.0-1055-raspi

CVE-2022-22822

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-22822

install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)

firefox

CVE-2022-22823

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-22823

install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)

firefox

CVE-2022-22824

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-22824

install firefox 99.0+build2-0ubuntu0.18.04.2 > 98(fix version)

firefox

CVE-2022-23852

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-23852

No fix available

firefox, thunderbird

CVE-2022-23990

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-23990

No fix available

firefox, thunderbird

CVE-2022-25235

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-25235

No fix available

firefox, thunderbird

CVE-2022-25236

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-25236

No fix available

firefox, thunderbird

CVE-2022-25315

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-25315

No fix available

firefox, thunderbird

CVE-2016-9180

9.1

https://nvd.nist.gov/vuln/detail/CVE-2016-9180

No fix available

libxml-twig-perl

CVE-2019-20433

9.1

https://nvd.nist.gov/vuln/detail/CVE-2019-20433

No fix available

aspell

PC/Server for robot control

There are 30 CVEs with a CVSS score >= 9.0. These are exceptions requested here:

Release 5: Akraino CVE Vulnerability Exception Request


CVE-ID

CVSS

NVD

Fix/Notes

PACKAGES

CVE-2005-2541

10.0

https://nvd.nist.gov/vuln/detail/CVE-2005-2541No fix available

tar

CVE-2014-2830

10.0

https://nvd.nist.gov/vuln/detail/CVE-2014-2830No fix available

cifs-utils

CVE-2016-1585

9.8

https://nvd.nist.gov/vuln/detail/CVE-2016-1585No fix available

libapparmor1

CVE-2017-17479

9.8

https://nvd.nist.gov/vuln/detail/CVE-2017-17479No fix available

libopenjp2-7

CVE-2017-9117

9.8

https://nvd.nist.gov/vuln/detail/CVE-2017-9117No fix available

libtiff5

CVE-2018-13410

9.8

https://nvd.nist.gov/vuln/detail/CVE-2018-13410No fix available

zip

CVE-2019-1010022

9.8

https://nvd.nist.gov/vuln/detail/CVE-2019-1010022No fix available

libc-bin, libc-dev-bin, libc-devtools, libc-l10n, libc6, libc6-dbg, libc6-dev, locales

CVE-2019-8341

9.8

https://nvd.nist.gov/vuln/detail/CVE-2019-8341No fix available

python3-jinja2

CVE-2020-27619

9.8

https://nvd.nist.gov/vuln/detail/CVE-2020-27619

No fix available

python3.9

CVE-2021-29462

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-29462No fix available

libixml10, libupnp13

CVE-2021-29921

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-29921Reported fixed in python3.9 (installed), but still reported by Vuls

python3.9

CVE-2021-30473

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-30473No fix available

libaom0

CVE-2021-30474

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-30474No fix available

libaom0

CVE-2021-30475

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-30475No fix available

libaom0

CVE-2021-30498

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-30498No fix available

libcaca0

CVE-2021-30499

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-30499No fix available

libcaca0

CVE-2021-3756

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-3756install libmysofa 1.2.1

libmysofa1

CVE-2021-42377

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-42377No fix available

busybox

CVE-2021-45951

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-45951No fix available

dnsmasq

CVE-2021-45952

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-45952No fix available

dnsmasq

CVE-2021-45953

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-45953No fix available

dnsmasq

CVE-2021-45954

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-45954No fix available

dnsmasq

CVE-2021-45955

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-45955No fix available

dnsmasq

CVE-2021-45956

9.8

https://nvd.nist.gov/vuln/detail/CVE-2021-45956No fix available

dnsmasq

CVE-2022-0318

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-0318unistall vim

vim

CVE-2022-23303

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-23303No fix available

hostapd, wpasupplicant

CVE-2022-23304

9.8

https://nvd.nist.gov/vuln/detail/CVE-2022-23304No fix available

hostapd, wpasupplicant

CVE-2021-22945

9.1

https://nvd.nist.gov/vuln/detail/CVE-2021-22945unistall curl

curl

CVE-2021-4048

9.1

https://nvd.nist.gov/vuln/detail/CVE-2021-4048No fix available

libblas3, liblapack3

CVE-2021-43400

9.1

https://nvd.nist.gov/vuln/detail/CVE-2021-43400No fix available

bluez

Lynis

Nexus URL(before fix): 

Nexus URL(after fix): 


The initial results compare with the Lynis Incubation: PASS/FAIL Criteria, v1.0 as follows.

IoT Gateway

The Lynis Program Update test MUST pass with no errors.

2022-11-22 07:46:44 Test: Checking for program update...
2022-11-22 07:46:44 Current installed version  : 308
2022-11-22 07:46:45 Latest stable version      : 308
2022-11-22 07:46:45 No Lynis update available.


Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing
No.TestResultFix
1Test: Checking PASS_MAX_DAYS option in /etc/login.defsResult: max password age is 180 daysOK
2Performing test ID AUTH-9328 (Default umask values)Test: Checking /etc/profile.d directory
Result: found /etc/profile.d, with one or more files in it
Test: Checking /etc/profile
Result: file /etc/profile exists
Test: Checking umask value in /etc/profile
Result: did not find umask in /etc/profile
Result: found no umask. Please check if this is correct
Test: Checking umask entries in /etc/passwd (pam_umask)
Result: file /etc/passwd exists
Test: Checking umask value in /etc/passwd
Manual: one or more manual actions are required for further testing of this control/plugin
Test: Checking /etc/login.defs
Result: file /etc/login.defs exists
Test: Checking umask value in /etc/login.defs
Result: umask is 027, which is fine
Hardening: assigned maximum number of hardening points for this item (2). Currently having 18 points (out of 30)
Test: Checking /etc/init.d/functions
Result: file /etc/init.d/functions does not exist
Test: Checking /etc/init.d/rc
Result: file /etc/init.d/rc does not exist
Test: Checking /etc/init.d/rcS
Result: file /etc/init.d/rcS does not exist
OK
3Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)

Result: AllowUsers is not set
Result: AllowGroups is not set
Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
Hardening: assigned partial number of hardening points (0 of 1). Currently having 140 points (out of 217)
Security check: file is normal
Checking permissions of /home/ubuntu/lynis/include/tests_snmp
File permissions are OK


Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
Result: AllowUsers is not set
Result: AllowGroups is not set
Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
Hardening: assigned partial number of hardening points (0 of 1). Currently having 108 points (out of 157)
Security check: file is normal
Checking permissions of /home/pi/lynis/lynis/include/tests_snmp
File permissions are OK

Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config
4Test: checking for file /etc/network/if-up.d/ntpdateResult: file /etc/network/if-up.d/ntpdate does not exist
Result: Found a time syncing daemon/client.
Hardening: assigned maximum number of hardening points for this item (3). Currently having 149 points (out of 232)
OK
5Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) :  Following sub-tests requiredN/AN/A
5asysctl key fs.suid_dumpable contains equal expected and current value (0)Result: sysctl key fs.suid_dumpable has a different value than expected in scan profile. Expected=0, Real=2
Hardening: assigned partial number of hardening points (0 of 1). Currently having 151 points (out of 247)
Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

echo 'fs.suid_dumpable=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
sudo /sbin/sysctl --system
sudo sysctl -a |grep suid
5bsysctl key kernel.dmesg_restrict contains equal expected and current value (1)Result: sysctl key kernel.dmesg_restrict has a different value than expected in scan profile. Expected=1, Real=0Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

echo 'kernel.dmesg_restrict=1' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
sudo /sbin/sysctl --system
sudo sysctl -a |grep dmesg
5csysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)Result: sysctl key net.ipv4.conf.default.accept_source_route has a different value than expected in scan profile. Expected=0, Real=1Set recommended value in /etc/sysctl.d/90-lynis-hardening.conf

echo 'net.ipv4.conf.default.accept_source_route=0' | sudo tee -a /etc/sysctl.d/90-lynis-hardening.conf
sudo /sbin/sysctl --system
sudo sysctl -a |grep ipv4.conf.default.accept_source_route
6Test: Check if one or more compilers can be found on the systemResult: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler'
Hardening: assigned partial number of hardening points (1 of 3). Currently having 168 points (out of 280)
Uninstall gcc and remove /usr/bin/as


PC/Server for robot control

The Lynis Program Update test MUST pass with no errors.

2022-03-23 05:13:56 Test: Checking for program update...
2022-03-23 05:14:03 Current installed version : 308
2022-03-23 05:14:03 Latest stable version : 307
2022-03-23 05:14:03 No Lynis update available

Fix: Download and run the latest Lynis directly on SUT.

Steps To Implement Security Scan Requirements#InstallandExecute

The following list of tests MUST complete as passing
No.TestResultFix
1Test: Checking PASS_MAX_DAYS option in /etc/login.defs

Result: password aging limits are not configured
Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
Hardening: assigned partial number of hardening points (0 of 1). Currently having 11 points (out of 24)

Set PASS_MAX_DAYS 180 in /etc/login.defs
2Performing test ID AUTH-9328 (Default umask values)Result: found /etc/profile.d, with one or more files in itOK
3Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups)
Result: AllowUsers is not set
Result: AllowGroups is not set
Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
Hardening: assigned partial number of hardening points (0 of 1). Currently having 108 points (out of 157)
Security check: file is normal
Checking permissions of /home/pi/lynis/lynis/include/tests_snmp
File permissions are OK
Configure AllowUsers, AllowGroups in /etc/ssh/sshd_config

!要確認
→やり方を問い合わせ
4Test: checking for file /etc/network/if-up.d/ntpdateResult: file /etc/network/if-up.d/ntpdate does not exist
Result: Found a time syncing daemon/client.
Hardening: assigned maximum number of hardening points for this item (3). Currently having 117 points (out of 172)
OK
5Performing test ID KRNL-6000 (Check sysctl key pairs in scan profile) :  Following sub-tests requiredN/AN/A
5asysctl key fs.suid_dumpable contains equal expected and current value (0)Result: sysctl key fs.suid_dumpable contains equal expected and current value (0)OK
5bsysctl key kernel.dmesg_restrict contains equal expected and current value (1)Result: sysctl key kernel.dmesg_restrict contains equal expected and current value (1)OK
5csysctl key net.ipv4.conf.default.accept_source_route contains equal expected and current value (0)Result: sysctl key net.ipv4.conf.all.accept_source_route contains equal expected and current value (0)OK
6Test: Check if one or more compilers can be found on the system

Performing test ID HRDN-7220 (Check if one or more compilers are installed)
Test: Check if one or more compilers can be found on the system
Result: no compilers found
Hardening: assigned maximum number of hardening points for this item (3). Currently having 138 points (out of 219)

OK


  • No labels