More than 5 years have passed since last update.

Trying the Vuls vulnerability scanner on Sakura Cloud


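I used Vuls to run a vulnerability check on a server built on Sakura Cloud.

What Vuls can do

If you set up a Vuls management server, you can run vulnerability checks remotely.
Scans can also be run locally, so you can check the vulnerability risk of a server in its current state.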

README

Procedure

Trying it in a Vagrant environment

The OS used is CentOS 7.1.

Create the vuls user

[vagrant@localhost ~]$ sudo useradd vuls
[vagrant@localhost ~]$ sudo passwd vuls
[vagrant@localhost ~]$ sudo usermod -G wheel vuls

Install the required packages

[vagrant@localhost ~]$ sudo yum -y install sqlite git gcc make yum-plugin-changelog

Install Go

[vagrant@localhost ~]$ su - vuls
[vuls@localhost ~]$ wget https://storage.googleapis.com/golang/go1.8.3.linux-amd64.tar.gz
--2017-09-20 18:47:09--  https://storage.googleapis.com/golang/go1.8.3.linux-amd64.tar.gz
Resolving storage.googleapis.com (storage.googleapis.com)... 172.217.27.80
Connecting to storage.googleapis.com (storage.googleapis.com)|172.217.27.80|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 90029041 (86M) [application/x-gzip]
Saving to: ‘go1.8.3.linux-amd64.tar.gz’

100%[================================================>] 90,029,041  19.2MB/s   in 4.7s   

2017-09-20 18:47:15 (18.2 MB/s) - ‘go1.8.3.linux-amd64.tar.gz’ saved [90029041/90029041]

[vuls@localhost ~]$ sudo tar -C /usr/local -xzf go1.8.3.linux-amd64.tar.gz
[vuls@localhost ~]$ mkdir $HOME/go
[vuls@localhost ~]$ rm go1.8.3.linux-amd64.tar.gz
[vuls@localhost ~]$ sudo emacs  /etc/profile.d/goenv.sh
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
[vuls@localhost ~]$ sudo chmod 755 /etc/profile.d/goenv.sh 
[vuls@localhost ~]$ source /etc/profile.d/goenv.sh
[vuls@localhost ~]$ go version
go version go1.8.3 linux/amd64

Prepare Vuls

[vuls@localhost ~]$ sudo mkdir /var/log/vuls
[vuls@localhost ~]$ sudo chown vuls /var/log/vuls
[vuls@localhost ~]$ sudo chmod 700 /var/log/vuls
[vuls@localhost ~]$ mkdir -p $GOPATH/src/github.com/kotakanbe
[vuls@localhost ~]$ cd $GOPATH/src/github.com/kotakanbe 
[vuls@localhost kotakanbe]$ git clone https://github.com/kotakanbe/go-cve-dictionary.git
Cloning into 'go-cve-dictionary'...
remote: Counting objects: 500, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 500 (delta 0), reused 1 (delta 0), pack-reused 496
Receiving objects: 100% (500/500), 144.39 KiB | 55.00 KiB/s, done.
Resolving deltas: 100% (256/256), done.
[vuls@localhost kotakanbe]$ cd go-cve-dictionary
[vuls@localhost go-cve-dictionary]$ make install
go get -u github.com/golang/dep/...
dep ensure
go install -ldflags "-X 'main.version=v0.1.1' -X 'main.revision=f5406ff'"
[vuls@localhost kotakanbe]$ git clone https://github.com/kotakanbe/goval-dictionary.git
[vuls@localhost kotakanbe]$ cd goval-dictionary
[vuls@localhost kotakanbe]$ make install
fatal: No names found, cannot describe anything.
go get -u github.com/golang/dep/...
dep ensure
go install -ldflags "-X 'main.version=' -X 'main.revision=d53916f'"

Fetch the vulnerability database

[vuls@localhost go-cve-dictionary]$ cd $HOME
[vuls@localhost ~]$ for i in `seq 2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -years $i; done
 0 / 1 [-------------------------------------------------------------------------]   0.00%[Sep 20 18:53:34]  INFO Fetching... https://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2002.xml.gz
 1 / 1 [=====================================================================] 100.00% 10s
[Sep 20 18:53:44]  INFO Fetched 6745 CVEs
[Sep 20 18:53:44]  INFO Opening DB (sqlite3).
[Sep 20 18:53:45]  INFO Migrating DB (sqlite3).
[Sep 20 18:53:45]  INFO Inserting NVD into DB (sqlite3).
[Sep 20 18:53:45]  INFO Inserting CVEs...
 6745 / 6745 [===============================================================] 100.00% 42s
 (rest of output omitted)

Deploy Vuls

[vuls@localhost ~]$ mkdir -p $GOPATH/src/github.com/future-architect
[vuls@localhost ~]$ cd $GOPATH/src/github.com/future-architect
[vuls@localhost future-architect]$ git clone https://github.com/future-architect/vuls.git
Cloning into 'vuls'...
remote: Counting objects: 3865, done.
remote: Total 3865 (delta 0), reused 0 (delta 0), pack-reused 3864
Receiving objects: 100% (3865/3865), 3.90 MiB | 1.66 MiB/s, done.
Resolving deltas: 100% (2636/2636), done.
[vuls@localhost future-architect]$ cd vuls
[vuls@localhost vuls]$ make install
go get -u github.com/golang/dep/...
dep ensure
go install -ldflags "-X 'main.version=v0.4.0' -X 'main.revision=5f2183f'"
[vuls@localhost vuls]$ cd $HOME
[vuls@localhost ~]$ sudo visudo
visudo: /etc/sudoers.tmp unchanged

Defaults:vuls !requiretty
vuls ALL=(ALL) NOPASSWD: ALL
Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"

[vuls@localhost ~]$ emacs -nw  ~/config.toml
[servers]

[servers.localhost]
host = "localhost" 
port = "local"

Test

[vuls@localhost ~]$ vuls configtest
[Sep 20 21:11:58]  INFO [localhost] Validating config...
[Sep 20 21:11:58]  INFO [localhost] Detecting Server/Container OS... 
[Sep 20 21:11:58]  INFO [localhost] Detecting OS of servers... 
[Sep 20 21:11:58]  INFO [localhost] (1/1) Detected: localhost: centos 7.1.1503
[Sep 20 21:11:58]  INFO [localhost] Detecting OS of containers... 
[Sep 20 21:11:58]  INFO [localhost] Checking dependencies...
[Sep 20 21:11:59]  INFO [localhost] Dependencies ... Pass
[Sep 20 21:11:59]  INFO [localhost] Checking sudo settings...
[Sep 20 21:11:59]  INFO [localhost] sudo ... No need
[Sep 20 21:11:59]  INFO [localhost] Scannable servers are below...
localhost 

Scan

[vuls@localhost ~]$ vuls scan
[Sep 20 21:12:18]  INFO [localhost] Start scanning
[Sep 20 21:12:18]  INFO [localhost] config: /home/vuls/config.toml
[Sep 20 21:12:18]  INFO [localhost] Validating config...
[Sep 20 21:12:18]  INFO [localhost] Detecting Server/Container OS... 
[Sep 20 21:12:18]  INFO [localhost] Detecting OS of servers... 
[Sep 20 21:12:18]  INFO [localhost] (1/1) Detected: localhost: centos 7.1.1503
[Sep 20 21:12:18]  INFO [localhost] Detecting OS of containers... 
[Sep 20 21:12:18]  INFO [localhost] Detecting Platforms... 
[Sep 20 21:12:29]  INFO [localhost] (1/1) localhost is running on other
[Sep 20 21:12:29]  INFO [localhost] Scanning vulnerabilities... 
[Sep 20 21:12:29]  INFO [localhost] Scanning vulnerable OS packages...


One Line Summary
================
localhost	centos7.1.1503	242 updatable packages

To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
[vuls@localhost ~]$ vuls report -format-short-text -cvedb-path=$PWD/cve.sqlite3 --lang=ja
[Sep 20 21:13:58]  INFO [localhost] Validating config...
[Sep 20 21:13:58]  INFO [localhost] cve-dictionary: /home/vuls/cve.sqlite3
[Sep 20 21:13:58]  INFO [localhost] Loaded: /home/vuls/results/2017-09-20T21:12:29+09:00
[Sep 20 21:13:58]  INFO [localhost] Fill CVE detailed information with OVAL
[Sep 20 21:13:59]  WARN [localhost] OVAL entries of redhat 7 are not found. It's recommended to use OVAL to improve scanning accuracy. For details, see https://github.com/kotakanbe/goval-dictionary#usage , Then report with --ovaldb-path or --ovaldb-url flag
[Sep 20 21:13:59]  INFO [localhost] Fill CVE detailed information with CVE-DB

localhost (centos7.1.1503)
==========================
Total: 0 (High:0 Medium:0 Low:0 ?:0)	242 updatable packages

No CVE-IDs are found in updatable packages.
242 updatable packages
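
The report above shows 0 CVEs next to 242 updatable packages and a WARN that no OVAL entries were found, so the result should be treated as inconclusive rather than clean. The following added example (not part of the original article or of the Vuls project) classifies such output; the function names, verdict strings and exit codes are assumptions, and the sample input is constructed from the log lines on this page.

```shell
#!/usr/bin/env bash
# Added example: decide whether a `vuls report -format-short-text` run can be trusted.
# Assumes stdout and stderr were captured together, as in the transcript above.

# Constructed sample, assembled from the log lines shown in this article.
sample_report() {
  cat <<'EOF'
[Sep 20 21:13:58]  INFO [localhost] Fill CVE detailed information with OVAL
[Sep 20 21:13:59]  WARN [localhost] OVAL entries of redhat 7 are not found. It's recommended to use OVAL to improve scanning accuracy.
[Sep 20 21:13:59]  INFO [localhost] Fill CVE detailed information with CVE-DB

localhost (centos7.1.1503)
==========================
Total: 0 (High:0 Medium:0 Low:0 ?:0)  242 updatable packages

No CVE-IDs are found in updatable packages.
242 updatable packages
EOF
}

# Reads report text on stdin, prints one verdict line, and returns
# 0 = CLEAN, 1 = VULNERABLE, 2 = INCONCLUSIVE, 3 = no summary line found.
# Handles the single-host report shown on this page.
classify_report() {
  awk '
    # The OVAL database was empty for this OS, so CVE matching was degraded.
    /WARN/ && /OVAL entries of/ && /are not found/ { oval_missing = 1 }
    # Host header, e.g. "localhost (centos7.1.1503)"; log lines start with "[".
    $0 !~ /^\[/ && NF == 2 && $2 ~ /^\(.*\)$/ { host = $1 }
    # Summary line: "Total: <n> (High:.. ..) <m> updatable packages"
    $1 == "Total:" {
      seen = 1; cves = $2 + 0; updatable = 0
      for (i = 3; i < NF; i++) if ($(i + 1) == "updatable") updatable = $i + 0
    }
    END {
      if (!seen) { print "ERROR no-summary-line"; exit 3 }
      if (cves > 0) { verdict = "VULNERABLE"; rc = 1 }
      else if (oval_missing && updatable > 0) { verdict = "INCONCLUSIVE"; rc = 2 }
      else { verdict = "CLEAN"; rc = 0 }
      printf "%s host=%s cves=%d updatable=%d oval_missing=%d\n",
             verdict, host, cves, updatable, oval_missing
      exit rc
    }'
}

sample_report | classify_report || true
```

To use it on a real run, pipe the report through the function with stderr included, for example `vuls report -format-short-text -cvedb-path=$PWD/cve.sqlite3 2>&1 | classify_report`.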

Notes

If the Go version is older than 1.8, the following error occurs.

[vuls@localhost go-cve-dictionary]$ make install
go get -u github.com/golang/dep/...
# github.com/golang/dep/internal/gps
../../golang/dep/internal/gps/constraints.go:334: undefined: sort.SliceStable
../../golang/dep/internal/gps/constraints.go:353: undefined: sort.SliceStable
../../golang/dep/internal/gps/lock.go:55: undefined: sort.SliceIsSorted
../../golang/dep/internal/gps/lock.go:62: undefined: sort.Slice
make: *** [dep] Error 2

When updating Go, do not forget to delete the old version first.

[vuls@localhost go-cve-dictionary]$ sudo rm -r /usr/local/go