
Getting Vuls up quickly with docker-compose

Purpose

Be able to run vulnerability scans with Vuls.

Prerequisites

The following must already be set up:
・CentOS 7
・docker
・docker-compose
  → assumed to be installed at /usr/local/bin/docker-compose

The setup was verified with the following versions:

 # cat /etc/centos-release
 CentOS Linux release 7.6.1810 (Core)

 # docker -v
 Docker version 18.09.6, build 481bc77156

 # docker-compose -v
 docker-compose version 1.23.2, build 1110ad01

Directory layout

The directory layout is as follows.

/root/lab/vuls/docker-compose.yaml

docker-compose.yaml

This setup uses MySQL as the database.

docker-compose.yaml
version: '3'
services:
  vuls:
    image: vuls/vuls
    volumes:
      - ~/.ssh:/root/.ssh:ro
      - ./:/vuls
      - ./vuls-log:/var/log/vuls
    depends_on:
      - db
  cve:
    image: vuls/go-cve-dictionary
    volumes:
      - ./:/vuls
      - ./vuls-log:/var/log/vuls
    depends_on:
      - db
  oval:
    image: vuls/goval-dictionary
    volumes:
      - ./:/vuls
      - ./vuls-log:/var/log/vuls
    depends_on:
      - db

  gost:
    image: vuls/gost
    volumes:
      - ./:/vuls
      - ./vuls-log:/var/log/vuls
    depends_on:
      - db

  go-exploitdb:
    image: princechrismc/go-exploitdb
    volumes:
      - ./:/vuls
      - ./vuls-log:/var/log/vuls
    depends_on:
      - db

  db: # MySQL database
    image: mysql
    environment:
      MYSQL_ROOT_PASSWORD: password
      MYSQL_DATABASE: cve
    volumes:
      - ./data:/var/lib/mysql
    # a YAML mapping may hold each key only once, so the full command line is given here a single time;
    # mysql_native_password keeps MySQL 8 on the plugin the Go-based fetchers can authenticate with
    command: mysqld --sql_mode="" --default-authentication-plugin=mysql_native_password

  vulsrepo:
    image: vuls/vulsrepo
    volumes:
      - ./results:/vuls/results/
      - ./:/vuls
      - ./vuls-log:/var/log/vuls
    depends_on:
      - db
    ports:
      - "5111:5111"
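A compose file is plain YAML, and a mapping key that appears twice under the same service is not a syntax error for every parser: PyYAML, which docker-compose 1.x is built on, simply keeps the last value, so a setting written twice is silently replaced rather than rejected. The following checker is an added example, not part of the original article: it walks a block-style, space-indented compose file, tracks the key path by indentation, and reports any path seen twice. It assumes the two-space indentation used above and does not descend into sequences of mappings ("- name: x"), which a compose file of this shape does not use.

```shell
#!/bin/sh
# Added example (not from the original article): report mapping keys that
# occur twice under the same parent in a block-style YAML file.
# Assumption: space indentation as in the docker-compose.yaml above;
# sequence items ("- ...") are skipped rather than tracked.

# Print every duplicated key path with both line numbers.
# Returns 1 if at least one duplicate was found, 0 otherwise.
check_duplicate_keys() {
  awk '
    /^ *#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
    {
      match($0, /^ */); ind = RLENGTH          # indentation width of this line
      line = substr($0, ind + 1)
      if (line ~ /^- /) next                   # sequence item, not a mapping key
      if (line !~ /^[A-Za-z0-9_.-]+ *:/) next  # not of the form "key:"
      key = line; sub(/ *:.*/, "", key)
      # leave every open block that is indented as deep as, or deeper than, this key
      while (depth > 0 && indents[depth] >= ind) depth--
      depth++; indents[depth] = ind; keys[depth] = key
      path = ""
      for (i = 1; i <= depth; i++) path = path "/" keys[i]
      if (path in seen) {
        printf "duplicate key %s (lines %d and %d)\n", path, seen[path], NR
        dups++
      } else {
        seen[path] = NR
      }
    }
    END { exit (dups > 0) }
  ' "$1"
}

# Usage: check-compose-keys.sh /root/lab/vuls/docker-compose.yaml
if [ -n "${1:-}" ]; then
  check_duplicate_keys "$1"
fi
```

Run it against docker-compose.yaml before `docker-compose up`; a non-zero exit with a line such as "duplicate key /services/db/command (lines N and M)" means one of the two definitions is being dropped.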

Starting docker-compose

# cd /root/lab/vuls/
# docker-compose up -d

Preparing MySQL

docker-compose.yaml creates the database cve, but the databases for
exploitdb, gost and oval have to be created separately.

First, open a shell in the MySQL container:

# docker-compose exec db bash

Then log in to MySQL. Enter the root password at the prompt ("password", the MYSQL_ROOT_PASSWORD from docker-compose.yaml). Do not put the password after -p with a space: "mysql -u root -p password" would treat "password" as a database name.

# mysql -u root -p

Create the databases:

mysql> create database exploitdb;
mysql> create database gost;
mysql> create database oval;
mysql> exit

Log out of the container:
# exit

Initial-load script

Downloads the various definition files (OVAL and gost for RHEL only).
This takes quite a long time.

/root/lab/vuls/first_download.sh
#!/bin/bash
# Initial load (CVE / NVD): one fetch per year
for i in $(seq 2002 "$(date +%Y)"); do
  /usr/local/bin/docker-compose -f /root/lab/vuls/docker-compose.yaml run --rm cve fetchnvd -dbtype=mysql -dbpath="root:password@tcp(db:3306)/cve?parseTime=true" -years "$i"
done

# Initial load (JVN): one fetch per year
for i in $(seq 1998 "$(date +%Y)"); do
  /usr/local/bin/docker-compose -f /root/lab/vuls/docker-compose.yaml run --rm cve fetchjvn -dbtype=mysql -dbpath="root:password@tcp(db:3306)/cve?parseTime=true" -years "$i"
done

# OVAL (RHEL 6 and 7)
/usr/local/bin/docker-compose -f /root/lab/vuls/docker-compose.yaml run --rm oval fetch-redhat -dbtype=mysql -dbpath="root:password@tcp(db:3306)/oval?parseTime=true" 6 7

# gost (RHEL)
/usr/local/bin/docker-compose -f /root/lab/vuls/docker-compose.yaml run --rm gost fetch redhat --dbtype=mysql --dbpath="root:password@tcp(db:3306)/gost?parseTime=true"

# exploitdb
/usr/local/bin/docker-compose -f /root/lab/vuls/docker-compose.yaml run --rm go-exploitdb fetch exploitdb --dbtype=mysql --dbpath="root:password@tcp(db:3306)/exploitdb?parseTime=true"

Update script

/root/lab/vuls/vuls_update.sh
#!/bin/bash
# Update (CVE / NVD): only the latest feed
/usr/local/bin/docker-compose -f /root/lab/vuls/docker-compose.yaml run --rm cve fetchnvd -dbtype=mysql -dbpath="root:password@tcp(db:3306)/cve?parseTime=true" -latest

# Update (JVN): only the latest feed
/usr/local/bin/docker-compose -f /root/lab/vuls/docker-compose.yaml run --rm cve fetchjvn -dbtype=mysql -dbpath="root:password@tcp(db:3306)/cve?parseTime=true" -latest

# OVAL (RHEL 6 and 7)
/usr/local/bin/docker-compose -f /root/lab/vuls/docker-compose.yaml run --rm oval fetch-redhat -dbtype=mysql -dbpath="root:password@tcp(db:3306)/oval?parseTime=true" 6 7

# gost (RHEL)
/usr/local/bin/docker-compose -f /root/lab/vuls/docker-compose.yaml run --rm gost fetch redhat --dbtype=mysql --dbpath="root:password@tcp(db:3306)/gost?parseTime=true"

# exploitdb
/usr/local/bin/docker-compose -f /root/lab/vuls/docker-compose.yaml run --rm go-exploitdb fetch exploitdb --dbtype=mysql --dbpath="root:password@tcp(db:3306)/exploitdb?parseTime=true"

Creating the Vuls scan configuration file

# cd /root/lab/vuls/
# vi config.toml

Register the target servers in the config file.
Scan results are also sent to Slack.

/root/lab/vuls/config.toml
# Slack integration (Incoming Webhook)
[slack]
hookURL      = "https://hooks.slack.com/services/XXXXXXXXX/XXXXXXXXXX/XXXXXXXXXXXXXXXXXXX"
channel      = "#vuls_results"
authUser     = "vuls report"

[servers]
# Connect with key-based authentication.
# Vuls does not support SSH password authentication, so SSH key authentication has to be set up.
# Create a keypair on localhost and add the public key to ~/.ssh/authorized_keys on the remote host.
[servers.k8s-master1]
host        = "192.168.1.21"
port        = "22"
user        = "root"
keyPath     = "/root/.ssh/id_rsa"

[servers.k8s-master2]
host        = "192.168.1.22"
port        = "22"
user        = "root"
keyPath     = "/root/.ssh/id_rsa"

[servers.k8s-master3]
host        = "192.168.1.23"
port        = "22"
user        = "root"
keyPath     = "/root/.ssh/id_rsa"

Vuls configuration check, scan and report

/root/lab/vuls/scan.sh
#!/bin/bash
# Check the scan configuration
/usr/local/bin/docker-compose -f /root/lab/vuls/docker-compose.yaml run --rm vuls configtest -config=./config.toml

# Run the scan
/usr/local/bin/docker-compose -f /root/lab/vuls/docker-compose.yaml run --rm vuls scan -config=./config.toml

# Report (to Slack)
/usr/local/bin/docker-compose -f /root/lab/vuls/docker-compose.yaml run --rm vuls report -ignore-unfixed -lang ja -to-slack -config=./config.toml -cvedb-type=mysql -cvedb-url="root:password@tcp(db:3306)/cve?parseTime=true" -ovaldb-type=mysql -ovaldb-url="root:password@tcp(db:3306)/oval?parseTime=true" -gostdb-type=mysql -gostdb-url="root:password@tcp(db:3306)/gost?parseTime=true" -exploitdb-type=mysql -exploitdb-url="root:password@tcp(db:3306)/exploitdb?parseTime=true"

Report options

-ignore-unfixed : do not show vulnerabilities that have no fix available yet.
-lang ja        : show the report in Japanese.
-to-slack       : send the report to Slack.

Trying it out

/root/lab/vuls/first_download.sh
/root/lab/vuls/vuls_update.sh
/root/lab/vuls/scan.sh
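The MySQL preparation, the initial-load script, the update script and scan.sh above repeat the same DSN "root:password@tcp(db:3306)/<db>?parseTime=true" on every line and need an interactive login to create the databases. The script below is an added example, not part of the original article, that folds those steps into one file: the DSN is built in one place, the root password comes from the MYSQL_ROOT_PASSWORD environment variable (defaulting to the article's "password"), the databases are created idempotently through "docker-compose exec -T" so the step can be re-run, and one function handles both the first load (per-year fetches) and later updates (-latest). The compose file path, service names and fetcher options are the ones used on this page; the script name and its subcommand names (dbs, initial, update, scan) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): one helper for the MySQL
# preparation, initial load, update and scan steps described on this page.
# Assumptions: compose file and service names as on the page; root password
# from MYSQL_ROOT_PASSWORD (default "password" as in docker-compose.yaml);
# docker-compose installed at /usr/local/bin/docker-compose.

COMPOSE_FILE="${COMPOSE_FILE:-/root/lab/vuls/docker-compose.yaml}"
DB_PASS="${MYSQL_ROOT_PASSWORD:-password}"
VULS_DBS="cve oval gost exploitdb"

# Go MySQL DSN used by every fetcher and by "vuls report"; the password and
# host are defined once here instead of on every command line.
dsn() {
  printf 'root:%s@tcp(db:3306)/%s?parseTime=true' "$DB_PASS" "$1"
}

compose() {
  /usr/local/bin/docker-compose -f "$COMPOSE_FILE" "$@"
}

# Create the databases without an interactive session. "IF NOT EXISTS" makes
# this safe to re-run. -p"$DB_PASS" is written without a space on purpose:
# "mysql -p password" would read "password" as a database name.
create_databases() {
  for db in $VULS_DBS; do
    compose exec -T db mysql -uroot -p"$DB_PASS" -e "CREATE DATABASE IF NOT EXISTS $db;"
  done
}

# "initial" fetches NVD from 2002 and JVN from 1998 one year at a time
# (slow, as the article warns); "update" only pulls the latest feeds.
fetch_all() {
  mode="${1:-update}"
  this_year=$(date +%Y)
  if [ "$mode" = initial ]; then
    for y in $(seq 2002 "$this_year"); do
      compose run --rm cve fetchnvd -dbtype=mysql -dbpath="$(dsn cve)" -years "$y"
    done
    for y in $(seq 1998 "$this_year"); do
      compose run --rm cve fetchjvn -dbtype=mysql -dbpath="$(dsn cve)" -years "$y"
    done
  else
    compose run --rm cve fetchnvd -dbtype=mysql -dbpath="$(dsn cve)" -latest
    compose run --rm cve fetchjvn -dbtype=mysql -dbpath="$(dsn cve)" -latest
  fi
  compose run --rm oval fetch-redhat -dbtype=mysql -dbpath="$(dsn oval)" 6 7
  compose run --rm gost fetch redhat --dbtype=mysql --dbpath="$(dsn gost)"
  compose run --rm go-exploitdb fetch exploitdb --dbtype=mysql --dbpath="$(dsn exploitdb)"
}

# configtest, scan and Slack report; stops at the first failing step.
scan_and_report() {
  compose run --rm vuls configtest -config=./config.toml || return 1
  compose run --rm vuls scan -config=./config.toml || return 1
  compose run --rm vuls report -ignore-unfixed -lang ja -to-slack -config=./config.toml \
    -cvedb-type=mysql -cvedb-url="$(dsn cve)" \
    -ovaldb-type=mysql -ovaldb-url="$(dsn oval)" \
    -gostdb-type=mysql -gostdb-url="$(dsn gost)" \
    -exploitdb-type=mysql -exploitdb-url="$(dsn exploitdb)"
}

# Usage: vuls-ops.sh {dbs|initial|update|scan}   (assumed script name)
case "${1:-}" in
  dbs)     create_databases ;;
  initial) create_databases && fetch_all initial ;;
  update)  fetch_all update ;;
  scan)    scan_and_report ;;
  *)       echo "usage: $0 {dbs|initial|update|scan}" >&2 ;;
esac
```

Run "vuls-ops.sh initial" once after "docker-compose up -d", then "vuls-ops.sh update" on a schedule and "vuls-ops.sh scan" for the configtest/scan/report cycle. Setting MYSQL_ROOT_PASSWORD in the environment (and in the db service) replaces the hard-coded "password" in every DSN at once.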

That's all.
