5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint

Release 4 Vuls Exception Request

The following exceptions must be fixed prior to maturity review:

1. Performing test ID USB-2000 (Check USB authorizations)
2. Performing test ID PKGS-7370 (Checking for debsums utility)
3. sysctl key net.ipv4.conf.all.rp_filter contains equal expected and current value (1)

The following exceptions must be fixed prior to maturity review:

1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.

AI/ML and AR/VR applications at Edge

1. Consider hardening SSH configuration [test:SSH-7408] [details:Port (set 22 to )

Exception is granted for using port 22 for testing/BlueVal.  However, since this BP is requesting a maturity review the port must be changed to a high port after testing for production use.

   2.  Consider hardening SSH configuration [test:SSH-7408] [details:MaxSessions (set 4 to 2)

Exception is granted for testing/BlueVal.  Since this BP is requesting a maturity review the MaxSessions must be changed to 2 after testing for production use.

• ELIOT AIoT in Smart Office Blueprint

• ELIOT IoT Gateway Blueprint

1. Performing test ID BOOT-5122 (Check for GRUB boot password)  ## After setting up grub boot password --> Cloud Vms won’t boot properly. Lead to unstable VMs
2. Performing test ID AUTH-9229 (Check password hashing methods) ## Not possible, will impact SHA_MIN_CRYPT_ROUNDS test.  Currently using maximum security hashing method SHA512
3. Performing test ID USB-2000 (Check USB authorizations)  ## N/A:  Using cloud VMs, no baremetal involved.
4. Performing test ID USB-3000 (Check for presence of USBGuard)  ## N/A:  Using cloud VMs, no baremetal involved.
5. Test: Checking MaxSessions  ## Max session set to 4, this is the bare minimum level that can be used.
6. Test: Checking Port  ## Can't change during testing, BluVal requires SSH to be tcp/22.  This port should be changed after testing, but prior to production.
7. KRNL-6000:  sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1  ## IP Forwarding is required for K8s.

The following exceptions must be fixed prior to maturity review:

1. sysctl key kernel.core_uses_pid contains equal expected and current value (1)
2. sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
3. sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
4. sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
5. sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
6. sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
7. sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
8. sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
9. sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1

The following exceptions must be fixed prior to maturity review:

1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.

• ELIOT SD-WAN/WAN Edge/uCPE Blueprint

The failed test below in Lynis is granted an exception because ip forwarding is required in deployments using Kubernetes:

1. sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1

The following additional exceptions are granted for this blueprint:

1. Performing test ID AUTH-9229 (Check password hashing methods) ## Not possible, will impact SHA_MIN_CRYPT_ROUNDS test.  Currently using maximum security hashing method SHA512
2. Performing test ID USB-2000 (Check USB authorizations)  ## N/A:  Using cloud VMs, no baremetal involved.
3. Performing test ID USB-3000 (Check for presence of USBGuard)  ## N/A:  Using cloud VMs, no baremetal involved.
4. Test: Checking MaxSessions  ## Max session set to 4, this is the bare minimum level that can be used.
5. Test: Checking Port  ## Can't change during testing, BluVal requires SSH to be tcp/22.  This port should be changed after testing, but prior to production.
6. KRNL-6000:  sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1  ## IP Forwarding is required for K8s.

The following exceptions must be fixed prior to maturity review:

1. sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
2. sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
3. sysctl key kernel.yama.ptrace_scope has a different value than expected in scan profile. Expected=1 2 3, Real=0
4. sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
5. sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
6. sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
7. sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
8. sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
9. sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1

The following exceptions must be fixed prior to maturity review:

1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.

The failed test below in Lynis is granted an exception because ip forwarding is required in deployments using Kubernetes:

1. sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1

Below are items found in lynis that can be granted an exception, but must be fixed prior to maturity:

1. Performing test ID USB-3000 (Check for presence of USBGuard)
2. Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
3. Test: Checking Port in /tmp/lynis.ZotHQ7RQAj
4. sysctl key kernel.core_uses_pid contains equal expected and current value (1)
5. sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
6. sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16

The failed test below in Lynis is granted an exception because ip forwarding is required in deployments using Kubernetes:

1. sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1

Below are items found in lynis that can be granted an exception, but must be fixed prior to maturity:

1. Performing test ID USB-3000 (Check for presence of USBGuard)
2. Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
3. Test: Checking Port in /tmp/lynis.ZotHQ7RQAj

• IEC Type 1 for Integrated Edge Cloud (IEC) Blueprint Family

• IEC Type 2 for Integrated Edge Cloud (IEC) Blueprint Family

• IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family

• IEC Type 4: AR/VR oriented Edge Stack for Integrated Edge Cloud (IEC) Blueprint Family

1. Consider hardening SSH configuration [test:SSH-7408] [details:Port (set 22 to )

Exception is granted for using port 22 for testing/BlueVal.  However, since this BP is requesting a maturity review the port must be changed to a high port after testing for production use.

   2.  Consider hardening SSH configuration [test:SSH-7408] [details:MaxSessions (set 4 to 2)

Exception is granted for testing/BlueVal.  Since this BP is requesting a maturity review the MaxSessions must be changed to 2 after testing for production use.

• IEC Type 5: SmartNIC for Integrated Edge Cloud (IEC) Blueprint Family

• KNI Provider access edge

The following exceptions must be fixed prior to maturity review:\

1. Test: Checking presence /var/run/reboot-required.pkgs
2. Performing test ID AUTH-9228 (Check password file consistency with pwck)
3. Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs
4. Performing test ID USB-2000 (Check USB authorizations)
5. Performing test ID USB-3000 (Check for presence of USBGuard)
6. Test: Checking AllowTcpForwarding in /tmp/lynis.ZotHQ7RQAj
7. Test: Checking ClientAliveCountMax in /tmp/lynis.ZotHQ7RQAj
8. Test: Checking MaxAuthTries in /tmp/lynis.ZotHQ7RQAj
9. Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
10. Test: Checking Port in /tmp/lynis.ZotHQ7RQAj
11. Test: Checking TCPKeepAlive in /tmp/lynis.ZotHQ7RQAj
12. sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
13. sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
14. sysctl key kernel.yama.ptrace_scope has a different value than expected in scan profile. Expected=1 2 3, Real=0
15. sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
16. sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
17. sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
18. sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
19. sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
20. sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
21. sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1

The following exceptions must be fixed prior to maturity review:

1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.

• KNI Industrial Edge

The following exceptions must be fixed prior to maturity review:

1. Test: Checking presence /var/run/reboot-required.pkgs
2. Performing test ID AUTH-9228 (Check password file consistency with pwck)
3. Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs
4. Performing test ID USB-2000 (Check USB authorizations)
5. Performing test ID USB-3000 (Check for presence of USBGuard)
6. Test: Checking AllowTcpForwarding in /tmp/lynis.ZotHQ7RQAj
7. Test: Checking ClientAliveCountMax in /tmp/lynis.ZotHQ7RQAj
8. Test: Checking MaxAuthTries in /tmp/lynis.ZotHQ7RQAj
9. Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
10. Test: Checking Port in /tmp/lynis.ZotHQ7RQAj
11. Test: Checking TCPKeepAlive in /tmp/lynis.ZotHQ7RQAj
12. sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
13. sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
14. sysctl key kernel.yama.ptrace_scope has a different value than expected in scan profile. Expected=1 2 3, Real=0
15. sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
16. sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
17. sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
18. sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
19. sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
20. sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
21. sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1

The following exceptions must be fixed prior to maturity review:

1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.

Micro-MEC

• Radio Edge Cloud (REC)

• SDN Enabled Broadband Access (SEBA) for Telco Appliance Blueprint Family

Time-Critical Edge Compute

the following exception was granted based on the input provided by Blueprint owner:

1. Performing test ID AUTH-9328 (Default umask values)

   When I try to change the UNMASK value from 022 to recommended 027 on the SUT – the Lynis tests stop working, with an error the files in /var/log/ do not exist. So I could not address this issue - Oleg Berzin

The following exceptions must be fixed prior to maturity review:

1. Test: Checking presence /var/run/reboot-required.pkgs
2. Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs
3. Performing test ID USB-2000 (Check USB authorizations)
4. Performing test ID USB-3000 (Check for presence of USBGuard)
5. Performing test ID PKGS-7370 (Checking for debsums utility)
6. Test: Checking AllowTcpForwarding in /tmp/lynis.ZotHQ7RQAj
7. Test: Checking ClientAliveCountMax in /tmp/lynis.ZotHQ7RQAj
8. Test: Checking MaxAuthTries in /tmp/lynis.ZotHQ7RQAj
9. Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
10. Test: Checking Port in /tmp/lynis.ZotHQ7RQAj
11. Test: Checking TCPKeepAlive in /tmp/lynis.ZotHQ7RQAj
12. sysctl key kernel.core_uses_pid contains equal expected and current value (1)
13. sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
14. sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
15. sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
16. sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
17. sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
18. sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
19. sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
20. sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
21. sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1

The following exceptions must be fixed prior to maturity review:

1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.

1. Performing test ID BOOT-5122 (Check for GRUB boot password) - Granted an exception because Blueprint is using a public cloud VM and GRUB password cannot be changed.
2. Performing test ID AUTH-9229 (Check password hashing methods) - Exception granted:  output provided showing both root and non-root hashing set to SHA512 and 800,000 rounds.
3. Performing test ID USB-2000 (Check USB authorizations) - Exception granted because not possible since using cloud VM
4. Test: Checking MaxSessions - Exception granted reduced from MaxSessions --> 6 to 4. Minimum 4 sessions are needed for BluVal to run
5. Test: Checking Port - Exception granted; 

   Validation framework is failing if ssh changed from Port 22 --> {}. Needed for BlueVal to run.

The following exceptions must be fixed prior to maturity review:

1. sysctl key kernel.core_uses_pid contains equal expected and current value (1)
2. sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
3. sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
4. sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
5. sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
6. sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
7. sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
8. sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
9. sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
10. sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1

The following exceptions must be fixed prior to maturity review:

1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.

Akraino Blueprint Validation Framework

Akraino Portal Feature Project

API Gateway