Akraino Security Sub-Committee Meeting Agenda 10/02/2020

Attendees:

Hao Xu
Marc Meunier
Paul Howard
Daniil Egranov
Tina Tsou
Wenhui Zhang
Randy Stricklin
Srinivasa

Agenda:

Questions from Yin Ding

We are following this page:

https://wiki.akraino.org/display/AK/Bluval+User+Guide  

Vuls: All these issues are from upstream OS. Will you give exceptions to them?

All the packages have been updated or upgraded to latest version in the repo. There are 4 CVEs with CVSS score > 9.0. These require upstream kernel patches, i.e.

Need to state on the security wiki concerning host security. (HW/OS/blueprints)

blueprint owner develops on their own/controlled system, OS can be modified (full stack)
blueprint owner only controls above OS level (test environment)

http://nvd.nist.gov/vuln/detail/CVE-2019-19814

http://nvd.nist.gov/vuln/detail/CVE-2018-20839

http://nvd.nist.gov/vuln/detail/CVE-2017-8283

http://nvd.nist.gov/vuln/detail/CVE-2016-1585 - check link not relevant to ubuntu

Conformance:
- Sonobuoy is not compatible with KubeEdge architecture. Is it still needed for Release 4?
  - Is Sonobuoy still being updated? Why does it not support KubeEdge, it there plans for support?
  - Check with BlueVal concerning where Sonobuoy logs/reports are sent.

2. Abhimanyu Bhatter emailed the Akraino Security Team:

We are working with Connected Vehicle Blueprint ( CVB) and in the CD logs we have uploaded the Vuls logs , we are not able to get 2 CVE fix , can anyone help for the same.\

Operating System: Centos 7.8

In Vuls we are not able to fix 2 Vulnerabilities

CVE-2019-12900

CVE-2019-5482 – Red Hat has recently fixed this issue in 7 and 8 (Sept 2020) https://access.redhat.com/security/cve/cve-2019-5482

3. From Wenhui:
There are three parts in the secure OS images:

Secure Linux images
Secure dedicated drivers
Secure toolchain ( libc, gcc etc.)

We could come up with a list and combination of each, and try our best to provide them.

4. Two Blueprints using Debian

Tina will send link.

5. Minimum OS Level Discussion

Daniil – security team should specify a minimum OS level.

Srini - Packages and OS levels could be different. Need to give Blueprints time, like with other security requirements to move to new OS.

Team agreed 6 months notice, same timeline as other new (non-critical) security requirements.

Need to do this on an OS by OS basis.

Vendor must still support the OS version and be actively releasing patches

Operating Systems currently under consideration:

Ubuntu 16 or higher

Centos 7 or higher

Debian

Fedora

Suse

6. CVE’s not fixed by OS

If the blueprint is running at least the security team’s minimum OS and they provide documentation form the OS vendor that a patch for the CVE is not available (deferred, etc) an exception will be granted.

7. Host OS vs VM OS – need to check if OS vendors specify to the level of VM driver information.

8. Daniil – is going to check with someone at Arm concerning CentOS CVEs/patching.

Asking others on the team to look at Debian, Fedora and Suse for the next meeting.

Daniil – posted in previous meetings notes, details on Suse and Red Hat CVE/patching.

9. Randy - Sonobuoy is not compatible with KubeEdge architecture. Is it still needed for Release 4?

Is Sonobuoy still being updated? Why does it not support KubeEdge, it there plans for support?
Check with BlueVal concerning where Sonobuoy logs/reports are sent.

10. Randy – work on for next meeting a chart for tracking CVEs/OS that have been granted exceptions.

11. Wenhui – if the base OS will simply have a container instance run without altering the OS a security provided OS image might make sense, however, if the OS is changed it won’t buy us anything. Need to talk to Blueprint owners to see how they are using the host OS. A new kernel driver could introduce a vulnerability to the OS. If blueprints only add applications, could provide OS with Kubernetes/docket.

12. Randy – looking for x86 expert on Platform Security

13. Marc Meunier and Srini Addapalli and Paul Howard(Arm)– add to agenda Oct 19 PARSEC (make sure Srini is avail)

Browser not supported