Akraino Security Sub-Committee Meeting Agenda 04/12/2021

Agenda:

AI Edge: School/Education Video Security Monitoring – seeking security approval for Maturity

Contact: Liya Yu Baidu yuliya@baidu.com

Vuls: CVE-2019-14889

Lynis:

The following items must be fixed for incubation or maturity in the next release:

Test ID HRDN-7220 (Check if one or more compilers are installed) ; /usr/bin/as compiler was found and must be removed
Test ID AUTH-9328 (Default umask values)

The following items must be fixed for maturity approval, these tests and results can be found in the lynis.log file:

Test ID BOOT-5184
Test: Checking presence /var/run/reboot-required.pkgs
Test ID AUTH-9229 (Check password hashing methods)
Test: Checking Port in /tmp/lynis.ZotHQ7RQAj; ssh port can not be set to tcp/22. (No longer a requirement, only a recommendation) It is highly recommended to change ssh port in production
sysctl key kernel.sysrq ; Must be expected value
sysctl key net.ipv4.conf.all.forwarding ; Must be expected value. Blueprint uses ip forwarding so this setting needs to be true. (Exception)

Kube-Hunter:

The following items must be fixed prior to the next release, these tests and results can be found in the cluster.log file:

The following items must be fixed prior to the next release, these tests and results can be found in the pod.log file:

Access to pod's secrets. Accessing the pod's secrets within a compromised pod might disclose valuable data to a potential attacker.
KHV050 - Read access to pod's service account token. Accessing the pod service account token gives an attacker the option to use the server

Browser not supported