4/12/2021 Meeting

Akraino Security Sub-Committee Meeting Agenda 04/12/2021


Agenda:

  1. New Agenda Items

AI Edge:  School/Education Video Security Monitoring – seeking security approval for Maturity

https://lf-akraino.atlassian.net/wiki/display/AK/Maturity+Review+Certification+of+Video+Security+Monitoring+Blueprint

https://lf-akraino.atlassian.net/wiki/pages/viewpage.action?pageId=13665726

Contact: Liya Yu, Baidu, yuliya@baidu.com


Vuls:  CVE-2019-14889


Lynis:

The following items must be fixed for incubation or maturity in the next release:

  1. Test ID HRDN-7220 (Check if one or more compilers are installed); the /usr/bin/as compiler was found and must be removed
  2. Test ID AUTH-9328 (Default umask values)

The following items must be fixed for maturity approval; these tests and results can be found in the lynis.log file:

  1. Test ID BOOT-5184
  2. Test: Checking presence /var/run/reboot-required.pkgs
  3. Test ID AUTH-9229 (Check password hashing methods)
  4. Test: Checking Port in /tmp/lynis.ZotHQ7RQAj; the ssh port cannot be set to tcp/22. (No longer a requirement, only a recommendation.) It is highly recommended to change the ssh port in production
  5. sysctl key kernel.sysrq; must be set to the expected value
  6. sysctl key net.ipv4.conf.all.forwarding; must be set to the expected value. The blueprint uses IP forwarding, so this setting needs to be true. (Exception)
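A host-side pre-check for the Lynis items above, written here as an added example (not Akraino's or Lynis's own tooling); it assumes Lynis's usual expected values (kernel.sysrq 0, login.defs UMASK 027 or 077) and treats net.ipv4.conf.all.forwarding=1 as the blueprint's recorded exception rather than a failure.

```shell
#!/bin/sh
# Pre-check for the Lynis items listed above: added example, not Akraino or Lynis tooling.
# Assumed expected values (not stated in the minutes): kernel.sysrq=0, UMASK 027 or
# stricter in /etc/login.defs; forwarding=1 is reported as the documented blueprint exception.

# verdict_sysctl KEY ACTUAL: prints PASS, FAIL or EXCEPTION; returns 1 only on FAIL.
verdict_sysctl() {
    key=$1; actual=$2
    case "$key" in
        kernel.sysrq)
            [ "$actual" = "0" ] && { echo PASS; return 0; } ;;
        net.ipv4.conf.all.forwarding)
            [ "$actual" = "0" ] && { echo PASS; return 0; }
            [ "$actual" = "1" ] && { echo "EXCEPTION (blueprint needs ip forwarding)"; return 0; } ;;
    esac
    echo "FAIL ($key=$actual)"; return 1
}

# verdict_umask VALUE: PASS for 027 (no group/other write) or 077 (no group/other access).
verdict_umask() {
    case "$1" in
        027|0027|077|0077) echo PASS; return 0 ;;
        *) echo "FAIL (umask=$1)"; return 1 ;;
    esac
}

# verdict_compilers PATH...: FAIL (HRDN-7220) when any listed compiler binary is present.
verdict_compilers() {
    found=""
    for c in "$@"; do [ -x "$c" ] && found="$found $c"; done
    [ -z "$found" ] && { echo PASS; return 0; }
    echo "FAIL (compilers present:$found)"; return 1
}

# audit_host: run the three checks on this machine; sysctl keys are skipped where unreadable.
audit_host() {
    rc=0
    for k in kernel.sysrq net.ipv4.conf.all.forwarding; do
        printf '%-32s ' "$k"
        if v=$(sysctl -n "$k" 2>/dev/null); then verdict_sysctl "$k" "$v" || rc=1; else echo SKIP; fi
    done
    printf '%-32s ' "AUTH-9328 login.defs UMASK"
    verdict_umask "$(awk '/^UMASK/ {print $2}' /etc/login.defs 2>/dev/null)" || rc=1
    printf '%-32s ' "HRDN-7220 compilers"
    verdict_compilers /usr/bin/as /usr/bin/gcc /usr/bin/cc || rc=1
    return $rc
}

case "${1:-}" in --run) audit_host ;; esac
```

Save it as a script and run it with `--run` on the blueprint host; a non-zero exit status means at least one of the listed items still fails.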

Kube-Hunter:

The following items must be fixed prior to the next release; these tests and results can be found in the cluster.log file:

  1. KHV005 - Unauthenticated access to API
  2. KHV002 - K8s Version Disclosure

The following items must be fixed prior to the next release; these tests and results can be found in the pod.log file:

  1. Access to the pod's secrets. Accessing the pod's secrets from within a compromised pod might disclose valuable data to an attacker.
  2. KHV050 - Read access to pod's service account token.  Accessing the pod service account token gives an attacker the option to use the server