| Project Name | Vuls Scan | Lynis Scan | Kube-Hunter Scan |
---|
1 | 5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint | Release 4 Vuls Exception Request | The following exceptions must be fixed prior to maturity review: - Performing test ID USB-2000 (Check USB authorizations)
- Performing test ID PKGS-7370 (Checking for debsums utility)
- sysctl key net.ipv4.conf.all.rp_filter contains equal expected and current value (1)
| The following exceptions must be fixed prior to maturity review: - CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
|
2 | AI/ML and AR/VR applications at Edge | Release 4 Vuls Exception Request |
|
|
3 | Connected Vehicle Blueprint | Release 4 Vuls Exception Request | - Consider hardening SSH configuration [test:SSH-7408] [details:Port (set 22 to )
Exception is granted for using port 22 for testing/BlueVal. However, since this BP is requesting a maturity review the port must be changed to a high port after testing for production use. 2. Consider hardening SSH configuration [test:SSH-7408] [details:MaxSessions (set 4 to 2) Exception is granted for testing/BlueVal. Since this BP is requesting a maturity review the MaxSessions must be changed to 2 after testing for production use. |
|
4 | Edge Video Processing | Release 4 Vuls Exception Request |
|
|
5 | ELIOT: Edge Lightweight and IoT Blueprint Family | Release 4 Vuls Exception Request |
|
|
6 | | Release 4 Vuls Exception Request |
|
|
7 | | Release 4 Vuls Exception Request | - Performing test ID BOOT-5122 (Check for GRUB boot password) ## After setting up grub boot password --> Cloud Vms won’t boot properly. Lead to unstable VMs
- Performing test ID AUTH-9229 (Check password hashing methods) ## Not possible, will impact SHA_MIN_CRYPT_ROUNDS test. Currently using maximum security hashing method SHA512
- Performing test ID USB-2000 (Check USB authorizations) ## N/A: Using cloud VMs, no baremetal involved.
- Performing test ID USB-3000 (Check for presence of USBGuard) ## N/A: Using cloud VMs, no baremetal involved.
- Test: Checking MaxSessions ## Max session set to 4, this is the bare minimum level that can be used.
- Test: Checking Port ## Can't change during testing, BluVal requires SSH to be tcp/22. This port should be changed after testing, but prior to production.
- KRNL-6000: sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1 ## IP Forwarding is required for K8s.
The following exceptions must be fixed prior to maturity review: - sysctl key kernel.core_uses_pid contains equal expected and current value (1)
- sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
- sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
- sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
- sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
- sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
- sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
| The following exceptions must be fixed prior to maturity review: - CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
|
8 | | Release 4 Vuls Exception Request | The failed test below in Lynis is granted an exception because ip forwarding is required in deployments using Kubernetes: - sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
The following additional exceptions are granted for this blueprint: - Performing test ID AUTH-9229 (Check password hashing methods) ## Not possible, will impact SHA_MIN_CRYPT_ROUNDS test. Currently using maximum security hashing method SHA512
- Performing test ID USB-2000 (Check USB authorizations) ## N/A: Using cloud VMs, no baremetal involved.
- Performing test ID USB-3000 (Check for presence of USBGuard) ## N/A: Using cloud VMs, no baremetal involved.
- Test: Checking MaxSessions ## Max session set to 4, this is the bare minimum level that can be used.
- Test: Checking Port ## Can't change during testing, BluVal requires SSH to be tcp/22. This port should be changed after testing, but prior to production.
- KRNL-6000: sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1 ## IP Forwarding is required for K8s.
The following exceptions must be fixed prior to maturity review: - sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
- sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
- sysctl key kernel.yama.ptrace_scope has a different value than expected in scan profile. Expected=1 2 3, Real=0
- sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
- sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
- sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
- sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
| The following exceptions must be fixed prior to maturity review: - CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
|
9 | Network Cloud and TF Integration Project | Release 4 Vuls Exception Request | The failed test below in Lynis is granted an exception because ip forwarding is required in deployments using Kubernetes: - sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
Below are items found in lynis that can be granted an exception, but must be fixed prior to maturity: - Performing test ID USB-3000 (Check for presence of USBGuard)
- Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
- Test: Checking Port in /tmp/lynis.ZotHQ7RQAj
- sysctl key kernel.core_uses_pid contains equal expected and current value (1)
- sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
- sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
|
|
10 | Integrated Cloud Native NFV/App stack family (Short term: ICN) | Release 4 Vuls Exception Request | The failed test below in Lynis is granted an exception because ip forwarding is required in deployments using Kubernetes: - sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
Below are items found in lynis that can be granted an exception, but must be fixed prior to maturity: - Performing test ID USB-3000 (Check for presence of USBGuard)
- Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
- Test: Checking Port in /tmp/lynis.ZotHQ7RQAj
|
|
11 | Integrated Edge Cloud (IEC) Blueprint Family | Release 4 Vuls Exception Request |
|
|
12 | | Release 4 Vuls Exception Request |
|
|
13 | | Release 4 Vuls Exception Request |
|
|
14 | | Release 4 Vuls Exception Request |
|
|
15 | | Release 4 Vuls Exception Request | - Consider hardening SSH configuration [test:SSH-7408] [details:Port (set 22 to )
Exception is granted for using port 22 for testing/BlueVal. However, since this BP is requesting a maturity review the port must be changed to a high port after testing for production use. 2. Consider hardening SSH configuration [test:SSH-7408] [details:MaxSessions (set 4 to 2) Exception is granted for testing/BlueVal. Since this BP is requesting a maturity review the MaxSessions must be changed to 2 after testing for production use. |
|
16 | | Release 4 Vuls Exception Request |
|
|
17 | Kubernetes-Native Infrastructure (KNI) Blueprint Family | Release 4 Vuls Exception Request |
|
|
18 | |
| The following exceptions must be fixed prior to maturity review:\ - Test: Checking presence /var/run/reboot-required.pkgs
- Performing test ID AUTH-9228 (Check password file consistency with pwck)
- Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs
- Performing test ID USB-2000 (Check USB authorizations)
- Performing test ID USB-3000 (Check for presence of USBGuard)
- Test: Checking AllowTcpForwarding in /tmp/lynis.ZotHQ7RQAj
- Test: Checking ClientAliveCountMax in /tmp/lynis.ZotHQ7RQAj
- Test: Checking MaxAuthTries in /tmp/lynis.ZotHQ7RQAj
- Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
- Test: Checking Port in /tmp/lynis.ZotHQ7RQAj
- Test: Checking TCPKeepAlive in /tmp/lynis.ZotHQ7RQAj
- sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
- sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
- sysctl key kernel.yama.ptrace_scope has a different value than expected in scan profile. Expected=1 2 3, Real=0
- sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
- sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
- sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
- sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
- sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
| The following exceptions must be fixed prior to maturity review: - CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
|
19 | |
| The following exceptions must be fixed prior to maturity review: - Test: Checking presence /var/run/reboot-required.pkgs
- Performing test ID AUTH-9228 (Check password file consistency with pwck)
- Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs
- Performing test ID USB-2000 (Check USB authorizations)
- Performing test ID USB-3000 (Check for presence of USBGuard)
- Test: Checking AllowTcpForwarding in /tmp/lynis.ZotHQ7RQAj
- Test: Checking ClientAliveCountMax in /tmp/lynis.ZotHQ7RQAj
- Test: Checking MaxAuthTries in /tmp/lynis.ZotHQ7RQAj
- Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
- Test: Checking Port in /tmp/lynis.ZotHQ7RQAj
- Test: Checking TCPKeepAlive in /tmp/lynis.ZotHQ7RQAj
- sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
- sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
- sysctl key kernel.yama.ptrace_scope has a different value than expected in scan profile. Expected=1 2 3, Real=0
- sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
- sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
- sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
- sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
- sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
| The following exceptions must be fixed prior to maturity review: - CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
|
20 | Micro-MEC | Release 4 Vuls Exception Request |
|
|
21 | The AI Edge: School/Education Video Security Monitoring | Release 4 Vuls Exception Request |
|
|
22 | Network Cloud Blueprint Family | Release 4 Vuls Exception Request |
|
|
23 | StarlingX Far Edge Distributed Cloud | Release 4 Vuls Exception Request |
|
|
24 | Telco Appliance Blueprint Family | Release 4 Vuls Exception Request |
|
|
25 | | Release 4 Vuls Exception Request | - sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile - Required by kubernetes
|
|
26 | | Release 4 Vuls Exception Request |
|
|
27 | The AI Edge Blueprint Family | Release 4 Vuls Exception Request |
|
|
28 | Time-Critical Edge Compute | Release 4 Vuls Exception Request |
|
|
29 | Public Cloud Edge Interface (PCEI) | Release 4 Vuls Exception Request | the following exception was granted based on the input provided by Blueprint owner: - Performing test ID AUTH-9328 (Default umask values)
When I try to change the UNMASK value from 022 to recommended 027 on the SUT – the Lynis tests stop working, with an error the files in /var/log/ do not exist. So I could not address this issue - Oleg Berzin
The following exceptions must be fixed prior to maturity review: - Test: Checking presence /var/run/reboot-required.pkgs
- Test: Checking SHA_CRYPT_MIN_ROUNDS option in /etc/login.defs
- Performing test ID USB-2000 (Check USB authorizations)
- Performing test ID USB-3000 (Check for presence of USBGuard)
- Performing test ID PKGS-7370 (Checking for debsums utility)
- Test: Checking AllowTcpForwarding in /tmp/lynis.ZotHQ7RQAj
- Test: Checking ClientAliveCountMax in /tmp/lynis.ZotHQ7RQAj
- Test: Checking MaxAuthTries in /tmp/lynis.ZotHQ7RQAj
- Test: Checking MaxSessions in /tmp/lynis.ZotHQ7RQAj
- Test: Checking Port in /tmp/lynis.ZotHQ7RQAj
- Test: Checking TCPKeepAlive in /tmp/lynis.ZotHQ7RQAj
- sysctl key kernel.core_uses_pid contains equal expected and current value (1)
- sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
- sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
- sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
- sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
- sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
- sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
- sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
| The following exceptions must be fixed prior to maturity review: - CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
|
30 | Enterprise Applications on Lightweight 5G Telco Edge | Release 4 Vuls Exception Request | - Performing test ID BOOT-5122 (Check for GRUB boot password) - Granted an exception because Blueprint is using a public cloud VM and GRUB password cannot be changed.
- Performing test ID AUTH-9229 (Check password hashing methods) - Exception granted: output provided showing both root and non-root hashing set to SHA512 and 800,000 rounds.
- Performing test ID USB-2000 (Check USB authorizations) - Exception granted because not possible since using cloud VM
- Test: Checking MaxSessions - Exception granted reduced from MaxSessions --> 6 to 4. Minimum 4 sessions are needed for BluVal to run
- Test: Checking Port - Exception granted;
Validation framework is failing if ssh changed from Port 22 --> {}. Needed for BlueVal to run.
The following exceptions must be fixed prior to maturity review: - sysctl key kernel.core_uses_pid contains equal expected and current value (1)
- sysctl key kernel.kptr_restrict has a different value than expected in scan profile. Expected=2, Real=0
- sysctl key kernel.sysrq has a different value than expected in scan profile. Expected=0, Real=16
- sysctl key net.ipv4.conf.all.forwarding has a different value than expected in scan profile. Expected=0, Real=1
- sysctl key net.ipv4.conf.all.log_martians contains equal expected and current value (1)
- sysctl key net.ipv4.conf.all.send_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.accept_redirects contains equal expected and current value (0)
- sysctl key net.ipv4.conf.default.log_martians contains equal expected and current value (1)
- sysctl key net.ipv6.conf.all.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
- sysctl key net.ipv6.conf.default.accept_redirects has a different value than expected in scan profile. Expected=0, Real=1
| The following exceptions must be fixed prior to maturity review: - CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods. If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.
|
31 |
|
|
|
|
32 |
|
|
|
|