10/02/2020 Meeting
Akraino Security Sub-Committee Meeting Agenda 10/02/2020
Attendees:
- Hao Xu
- Marc Meunier
- Paul Howard
- Daniil Egranov
- Tina Tsou
- Wenhui Zhang
- Randy Stricklin
- Srinivasa
Agenda:
1. Questions from Yin Ding
- We are following this page:
https://wiki.akraino.org/display/AK/Bluval+User+Guide
- Vuls: All these issues are from upstream OS. Will you give exceptions to them?
All the packages have been updated or upgraded to the latest version in the repo. There are 4 CVEs with CVSS score > 9.0. These require upstream kernel patches, i.e.:
http://nvd.nist.gov/vuln/detail/CVE-2019-19814
http://nvd.nist.gov/vuln/detail/CVE-2018-20839
http://nvd.nist.gov/vuln/detail/CVE-2017-8283
http://nvd.nist.gov/vuln/detail/CVE-2016-1585 - check link, not relevant to Ubuntu
- Need to state on the security wiki concerning host security (HW/OS/blueprints):
- blueprint owner develops on their own/controlled system, OS can be modified (full stack)
- blueprint owner only controls above OS level (test environment)
- Conformance:
- Sonobuoy is not compatible with KubeEdge architecture. Is it still needed for Release 4?
- Is Sonobuoy still being updated? Why does it not support KubeEdge, are there plans for support?
- Check with BlueVal concerning where Sonobuoy logs/reports are sent.
2. Abhimanyu Bhatter emailed the Akraino Security Team:
- We are working with the Connected Vehicle Blueprint (CVB) and in the CD logs we have uploaded the Vuls logs. We are not able to get fixes for 2 CVEs; can anyone help with the same?
Operating System: CentOS 7.8
In Vuls we are not able to fix 2 vulnerabilities:
CVE-2019-12900
CVE-2019-5482 – Red Hat has recently fixed this issue in 7 and 8 (Sept 2020): https://access.redhat.com/security/cve/cve-2019-5482
3. From Wenhui:
There are three parts in the secure OS images:
- Secure Linux images
- Secure dedicated drivers
- Secure toolchain (libc, gcc, etc.)
We could come up with a list and combination of each, and try our best to provide them.
4. Two Blueprints using Debian
- Tina will send link.
5. Minimum OS Level Discussion
Daniil – security team should specify a minimum OS level.
Srini - Packages and OS levels could be different. Need to give Blueprints time, as with other security requirements, to move to a new OS.
Team agreed on 6 months' notice, the same timeline as for other new (non-critical) security requirements.
Need to do this on an OS-by-OS basis.
Vendor must still support the OS version and be actively releasing patches.
Operating Systems currently under consideration:
Ubuntu 16 or higher
CentOS 7 or higher
Debian
Fedora
SUSE
6. CVEs not fixed by OS
If the blueprint is running at least the security team's minimum OS and they provide documentation from the OS vendor that a patch for the CVE is not available (deferred, etc.), an exception will be granted.
7. Host OS vs VM OS – need to check if OS vendors specify to the level of VM driver information.
8. Daniil – is going to check with someone at Arm concerning CentOS CVEs/patching.
Asking others on the team to look at Debian, Fedora and SUSE for the next meeting.
Daniil – posted in previous meeting notes details on SUSE and Red Hat CVE/patching.
9. Randy - Sonobuoy is not compatible with KubeEdge architecture. Is it still needed for Release 4?
- Is Sonobuoy still being updated? Why does it not support KubeEdge, are there plans for support?
- Check with BlueVal concerning where Sonobuoy logs/reports are sent.
10. Randy – work on for next meeting a chart for tracking CVEs/OS that have been granted exceptions.
11. Wenhui – if the base OS will simply have a container instance run without altering the OS, a security-provided OS image might make sense; however, if the OS is changed it won't buy us anything. Need to talk to Blueprint owners to see how they are using the host OS. A new kernel driver could introduce a vulnerability to the OS. If blueprints only add applications, could provide OS with Kubernetes/Docker.
12. Randy – looking for x86 expert on Platform Security
13. Marc Meunier, Srini Addapalli and Paul Howard (Arm) – add PARSEC to the agenda for Oct 19 (make sure Srini is available).