Akraino Security Sub-Committee Meeting Agenda 03/21/2021

Attendees:

Randy Stricklin

Daniil Egranov

Tina Tsou

Agenda:

Platform Security

Lynis incubation requirements update to wiki

Summer intern request:

Description: Akraino is an open source project initiated by AT&T and Intel to develop a fully integrated edge infrastructure. The Akraino security sub-committee, chaired by AT&T, has numerous security requirements and scans for the sub-projects, called blueprints, within Akraino. Currently all security activities, including reviewing log results of these security scans, are manually reviewed by the security team.

Intern related projects in this space include: gaining an understanding of the Akraino blueprint validation/approval workflow logic, interfacing with the Akraino Security and CI/Blueprint Validation sub-committees, automating the blueprint security scan review process, automating the storage/archival of Akraino security artifacts, and creating an informative security report for blueprint owners.

Lynis is an opensource Linux security auditing tool. The security team has created a list of tests that must pass for the incubation phase and the maturity phase. I would like to create a script that takes as input:

The lynis.log output file generated by a scan from a Blueprint team
Whether the Blueprint is in the incubation or maturity phase

Output:

Pass or Fail grade
In the event of a failing grade, provide a list of failed tests along with suggested corrective actions.

Vuls is an opensource vulnerability scanning tool for Linux. It generates a list of CVEs found. Opportunities for vuls automation include:

Create a database or structure file including CVE’s that vendors have NOT fixed for a specific OS version. We have collected quite a bit of data over the last Akraino release to seed this database/file.
Create a script that takes as input:
- The vuls.log file generated by a scan from a Blueprint team
- Whether the Blueprint is in the incubation or maturity phase
Output:
- Pass or Fail grade
- In the event of a failing grade, the list of CVEs that have patches available that have not been applied.

Kube-Hunter is an opensource vulnerability scanning tool for Kubernetes. It generates a list of vulnerabilities found for both the Kubernetes pod and cluster.

Create a script that takes as input:

The cluster.log and pod.log files generated by a scan from a Blueprint team
Whether the Blueprint is in the incubation or maturity phase

Output:

Pass or Fail grade
In the event of a failing grade, the list of vulnerabilities that must be fixed including suggested corrective actions.

3/23/21 TSC Meeting VM resources contact:

Peter Poulloit ppouliot@amperecomputing.com

Lincoln Lavoie lylavoie@iol.unh.edu

Will need to provide VM specs and VM disk image to Lincoln.

Akraino Security OS Version Policy v0.1 review

Akraino Security Requirements Changes/Updates v0.1 review

Browser not supported