
Vulnerability analysis and software updates are daily chores for system administrators. To avoid breaking production, administrators commonly turn off the automatic update option of the package manager and update by hand. That leads to the following problems:

1. The system administrator has to constantly watch NVD (the National Vulnerability Database) and similar sources for new vulnerabilities.

2. With a lot of software installed on a server, it is almost impossible for the administrator to monitor all of it.

3. Analysis to identify which servers are affected by a new vulnerability is costly, and it is not unusual to overlook a server or two.

Vuls is the tool to solve these problems. It has the following characteristics:

1. Notifies users of vulnerabilities in their systems.

2. Notifies users of the servers affected.

3. Scans automatically so that inspections are not overlooked.

4. Generates reports on a daily basis (with cron or similar) so vulnerabilities can be managed continuously.

Main features

1. Scan for security vulnerabilities on the Linux server

1.1 Supports Ubuntu, Debian, CentOS, Amazon Linux and RHEL;

1.2 Supports cloud, on-premise and Docker hosts;

2. Scan middleware that is not managed by the OS package manager

2.1 Scans middleware, programming language libraries and frameworks for vulnerabilities;

2.2 Supports software registered as CPE names;

3. Agentless architecture

Only one machine needs to be set up; it connects to the target servers over SSH;

4. Automatic generation of a configuration file template

Auto-detects servers in the given CIDR range and generates the configuration template;

5. Email and Slack notifications (Japanese text supported);

6. Scan results can be viewed in the bundled terminal-based user interface (TUI).

What can't Vuls do?

Vuls does not update vulnerable packages; applying the fixes it reports is still the administrator's job.

Hello Vuls

This tutorial walks you through scanning localhost with Vuls.

The scan is done in the following steps:

1. Launch Amazon Linux

2. Enable SSH from localhost

3. Install requirements

4. Deploy go-cve-dictionary

5. Deploy Vuls

6. Configuration

7. Prepare the target server

8. Scan

9. Terminal-based User Interface (TUI)

Launch Amazon Linux

1. This example uses an old AMI (amzn-ami-hvm-2015.09.1.x86_64-gp2, ami-383c1956) so that the scan has something to find.

2. Instance size: t2.medium

2.1 On first use, t2.medium is needed for the initial fetch of the data from NVD (about 2.3 GB of memory is used during the fetch).

2.2 After the initial fetch you can switch to t2.nano.

Add the following to the cloud-init user data so that packages are not updated automatically at first launch. The instance is left intentionally unpatched for this demonstration; do not carry this setting over to production hosts.

Q: How do I disable the automatic installation of critical and important security updates on initial launch?

#cloud-config
repo_upgrade: none

Step 2: SSH Settings

Vuls will SSH into the instance itself, so create a key pair and append the public key to the authorized keys:

$ ssh-keygen -t rsa
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys

The private key (~/.ssh/id_rsa) is the credential Vuls presents to every target, so keep it readable only by the scanning user.

Step 3. Installation requirements

Vuls needs the following packages:

1. sqlite

2. git

3. gcc

4. go v1.6

$ ssh ec2-user@<EC2 public address> -i ~/.ssh/private.pem
$ sudo yum -y install sqlite git gcc
$ wget https://storage.googleapis.com/golang/go1.6.linux-amd64.tar.gz
$ sudo tar -C /usr/local -xzf go1.6.linux-amd64.tar.gz
$ mkdir $HOME/go

Compare the tarball's SHA-256 with the checksum published on the Go download page before extracting it.

Add these lines to /etc/profile.d/goenv.sh:

export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin

Load them into the current shell:

$ source /etc/profile.d/goenv.sh

Step 4. Deploygo-cve-dictionary

$ sudo mkdir /var/log/vuls
$ sudo chown ec2-user /var/log/vuls
$ sudo chmod 700 /var/log/vuls
$ go get github.com/kotakanbe/go-cve-dictionary

Start go-cve-dictionary in server mode. On the first run it fetches the vulnerability data from NVD, which takes about 10 minutes on AWS.

$ go-cve-dictionary server
... Fetching ...
$ ls -alh cve.sqlite3
-rw-r--r-- 1 ec2-user ec2-user 7.5M Mar 24 13:20 cve.sqlite3

Once the vulnerability data has been fetched, start it again in server mode:

$ go-cve-dictionary server
[Mar 24 15:21:55]  INFO Opening DB. datafile: /home/ec2-user/cve.sqlite3
[Mar 24 15:21:55]  INFO Migrating DB
[Mar 24 15:21:56]  INFO Starting HTTP Sever...
[Mar 24 15:21:56]  INFO Listening on 127.0.0.1:1323

Note that the server listens only on the loopback address, so Vuls must run on the same host unless you deliberately expose the dictionary behind proper access control.

Step 5. Deploy vuls

Open a new terminal, SSH into the EC2 instance, and fetch Vuls:

$ go get github.com/future-architect/vuls

Step 6. Configuration

Create a configuration file (TOML format):

$ cat config.toml
[servers]

[servers.172-31-4-82]
host        = "172.31.4.82"
port        = "22"
user        = "ec2-user"
keyPath     = "/home/ec2-user/.ssh/id_rsa"

Step 7. Prepare the target server for Vuls

$ vuls prepare

Step 8. Start scanning

$ vuls scan
INFO[0000] Begin scanning (config: /home/ec2-user/config.toml)

... snip ...

172-31-4-82 (amazon 2015.09)
============================
CVE-2016-0494   10.0    Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

... snip ...

CVE-2016-0494
-------------
Score           10.0 (High)
Vector          (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Summary         Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
NVD             https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0494
MITRE           https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0494
CVE Details     http://www.cvedetails.com/cve/CVE-2016-0494
CVSS Calculator https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2016-0494&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
RHEL-CVE        https://access.redhat.com/security/cve/CVE-2016-0494
ALAS-2016-643   https://alas.aws.amazon.com/ALAS-2016-643.html
Package/CPE     java-1.7.0-openjdk-1.7.0.91-2.6.2.2.63.amzn1 -> java-1.7.0-openjdk-1:1.7.0.95-2.6.4.0.65.amzn1

Step 9 TUI

Vuls has a terminal-based user interface for viewing scan results.

$ vuls tui

Architecture


go-cve-dictionary

Fetches vulnerability information from NVD and JVN (Japan) and stores it in SQLite.

Vuls

1. Scans the servers for vulnerabilities and builds a list of CVE IDs;

2. Sends HTTP requests to go-cve-dictionary to get the details of each detected CVE;

3. Sends reports via Slack or email;

4. The operator views the latest report in the terminal.

Use cases

Scanning all Servers


Scanning a Single Server

Scan one of a group of web/app servers that share the same configuration behind a load balancer.

Supported operating systems

Distribution    Release
Ubuntu          12, 14, 16
Debian          7, 8
RHEL            4, 5, 6, 7
CentOS          5, 6, 7
Amazon Linux    All

Usage: Automatically discover servers

The discover subcommand finds the active hosts in a CIDR range and prints a configuration file template (TOML format) to the terminal.

$ vuls discover -help
discover:
        discover 192.168.0.0/24

For example:

$ vuls discover 172.31.4.0/24
# Create config.toml using below and then ./vuls --config=/path/to/config.toml

[slack]
hookURL      = "https://hooks.slack.com/services/abc123/defghijklmnopqrstuvwxyz"
channel      = "#channel-name"
#channel      = "#{servername}"
iconEmoji    = ":ghost:"
authUser     = "username"
notifyUsers  = ["@username"]

[mail]
smtpAddr      = "smtp.gmail.com"
smtpPort      = 465
user          = "username"
password      = "password"
from          = "from@example.com"
to            = ["to@example.com"]
cc            = ["cc@example.com"]
subjectPrefix = "[vuls]"

[default]
#port        = "22"
#user        = "username"
#password    = "password"
#keyPath     = "/home/username/.ssh/id_rsa"
#keyPassword = "password"

[servers]

[servers.172-31-4-82]
host         = "172.31.4.82"
#port        = "22"
#user        = "root"
#password    = "password"
#keyPath     = "/home/username/.ssh/id_rsa"
#keyPassword = "password"
#cpeNames = [
#  "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
#]

Use this template as the starting point for your own configuration.

Configuration

Slack part

[slack]
hookURL     = "https://hooks.slack.com/services/abc123/defghijklmnopqrstuvwxyz"
channel     = "#channel-name"
#channel     = "#{servername}"
iconEmoji   = ":ghost:"
authUser    = "username"
notifyUsers = ["@username"]

1. hookURL: the incoming-webhook URL. Treat it as a secret: anyone holding it can post to your Slack, so keep config.toml readable only by the user that runs Vuls.

2. channel: name of the channel.

If you set #{servername} as the channel, each server's report is sent to the channel named after that server.

In the example below, the reports go to #server1 and #server2.

Create these channels before scanning.

[slack]
channel = "#{servername}"
... snip ...

[servers]

[servers.server1]
host = "172.31.4.82"
... snip ...

[servers.server2]
host = "172.31.4.83"
... snip ...

3. iconEmoji: emoji used as the bot's icon.

4. authUser: Slack team user name.

5. notifyUsers: list of Slack user names to mention in the notification. If you set ["@foo", "@bar"] as notifyUsers, "@foo @bar" is included in the message text, so @foo and @bar get push notifications on their phones.

Mail part

[mail]
smtpAddr      = "smtp.gmail.com"
smtpPort      = 465
user          = "username"
password      = "password"
from          = "from@example.com"
to            = ["to@example.com"]
cc            = ["cc@example.com"]
subjectPrefix = "[vuls]"

The default part

[default]
#port        = "22"
#user        = "username"
#password    = "password"
#keyPath     = "/home/username/.ssh/id_rsa"
#keyPassword = "password"

Values in this section are used for any server that does not set them itself.

Server part

[servers]

[servers.172-31-4-82]
host         = "172.31.4.82"
#port        = "22"
#user        = "root"
#password    = "password"
#keyPath     = "/home/username/.ssh/id_rsa"
#keyPassword = "password"
#cpeNames = [
#  "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
#]

Values set here override the [default] section.

Vuls supports several SSH authentication methods:

1. SSH agent

2. SSH public key authentication (with or without a passphrase on the key)

3. Password authentication

Prefer the agent or a key: password and keyPassword are stored in clear text in config.toml, so if you must use them, keep the file readable only by the user running Vuls.

Usage: Prepare

The prepare subcommand installs the packages that Vuls needs on each target server.

Distribution    Release       Requirements
Ubuntu          12, 14, 16    -
Debian          7, 8          aptitude
CentOS          5             yum-plugin-security, yum-changelog
CentOS          6, 7          yum-plugin-security, yum-plugin-changelog
Amazon Linux    All           -
RHEL            4, 5, 6, 7    -

$ vuls prepare -help
prepare:
        prepare [-config=/path/to/config.toml] [-debug]

  -config string
        /path/to/toml (default "$PWD/config.toml")
  -debug
        debug mode
  -use-unattended-upgrades
        [Deprecated] For Ubuntu, install unattended-upgrades

Usage: scan

$ vuls scan -help
scan:
        scan
                [-lang=en|ja]
                [-config=/path/to/config.toml]
                [-dbpath=/path/to/vuls.sqlite3]
                [-cve-dictionary-url=http://127.0.0.1:1323]
                [-cvss-over=7]
                [-report-slack]
                [-report-mail]
                [-http-proxy=http://192.168.0.1:8080]
                [-debug]
                [-debug-sql]

  -config string
        /path/to/toml (default "$PWD/config.toml")
  -cve-dictionary-url string
        http://CVE.Dictionary (default "http://127.0.0.1:1323")
  -cvss-over float
        -cvss-over=6.5 means reporting CVSS Score 6.5 and over (default: 0 (means report all))
  -dbpath string
        /path/to/sqlite3 (default "$PWD/vuls.sqlite3")
  -debug
        debug mode
  -debug-sql
        SQL debug mode
  -http-proxy string
        http://proxy-url:port (default: empty)
  -lang string
        [en|ja] (default "en")
  -report-mail
        Email report
  -report-slack
        Slack report
  -use-unattended-upgrades
        [Deprecated] For Ubuntu. Scan by unattended-upgrades or not (use apt-get upgrade --dry-run by default)
  -use-yum-plugin-security
        [Deprecated] For CentOS 5. Scan by yum-plugin-security or not (use yum check-update by default)

Run go-cve-dictionary in server mode before scanning:

$ go-cve-dictionary server

Scan all servers defined in the configuration file:

$ vuls scan --report-slack --report-mail --cvss-over=7

Use this sample command to:

1. Scan all servers defined in the configuration file;

2. Send the results to Slack and by email;

3. Report only CVEs with a CVSS score of 7 or over;

4. Print the results to the terminal.

Scan for specific servers

$ vuls scan server1 server2

Use this command to:

1. Scan only the two named servers (server1, server2);

2. Print the results to the terminal.

Usage: Scan for vulnerabilities in non-system packages
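When the scan output is consumed by something other than a human (a ticketing system, a dashboard), it has to be parsed. The following is an added example, not part of Vuls or of the original article: a small Python parser for the per-server summary table in the layout shown in Step 8 (a "server (os release)" header, a rule of "=", then one "CVE-ID  score  summary" line per finding), with a threshold filter that follows the -cvss-over rule of "that score and over". The sample text is constructed from that layout (the CVE-2000-* entries are placeholders), the regexes assume that layout since the format is not documented beyond what the page shows, and the detail blocks that follow the table are ignored.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of the Step 8 output: a "<server> (<os release>)"
# header, a rule of "=", then one "<CVE-ID>  <score>  <summary>" line per finding.
# The two CVE-2000-* lines are placeholders made up for this example.
SAMPLE_OUTPUT = """\
172-31-4-82 (amazon 2015.09)
============================
CVE-2016-0494   10.0    Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
CVE-2000-0001   4.3     Constructed low-severity finding, present only to exercise the threshold.

172-31-4-83 (amazon 2015.09)
============================
CVE-2000-0002   7.0     Constructed finding sitting exactly on the threshold.
"""

HEADER_RE = re.compile(r"^(?P<server>\S+) \((?P<platform>[^)]+)\)$")
FINDING_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<score>\d+(?:\.\d+)?)\s+(?P<summary>\S.*)$"
)


@dataclass
class Finding:
    server: str
    platform: str
    cve: str
    score: float
    summary: str


def parse_scan_output(text: str) -> List[Finding]:
    """Read the per-server summary tables; the detail blocks after them
    ("Score", "Vector", ...) match neither regex and are skipped."""
    findings: List[Finding] = []
    server = platform = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line) == {"="}:
            continue
        header = HEADER_RE.match(line)
        if header:
            server, platform = header["server"], header["platform"]
            continue
        finding = FINDING_RE.match(line)
        if finding and server is not None:
            findings.append(Finding(server, platform, finding["cve"],
                                    float(finding["score"]), finding["summary"]))
    return findings


def over_threshold(findings: List[Finding], cvss_over: float) -> List[Finding]:
    """Same rule as -cvss-over: keep scores that are cvss_over *and over*."""
    return [f for f in findings if f.score >= cvss_over]


def by_server(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group CVE IDs per server, e.g. to open one ticket per host."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.server, []).append(f.cve)
    return grouped


if __name__ == "__main__":
    # Usage: vuls scan | python vuls_summary.py 7   (the threshold is optional)
    threshold = float(sys.argv[1]) if len(sys.argv) > 1 else 0.0
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for host, cves in by_server(over_threshold(parse_scan_output(text), threshold)).items():
        print(f"{host}: {len(cves)} finding(s) with CVSS >= {threshold}: {', '.join(cves)}")
```

Filtering here rather than with -cvss-over lets one scan feed several consumers with different thresholds; the comparison is deliberately >= so that a finding exactly on the threshold is kept, matching the help text's "6.5 and over".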

Vulnerabilities in software you built yourself, such as language libraries and frameworks, can be detected by registering the software's CPE name.

1. How to find the CPE name of a piece of software

Search the Common Platform Enumeration (CPE) dictionary, and check the CPE 2.2 naming specification.

2. Configuration

To detect vulnerabilities in Ruby on Rails 4.2.1, set cpeNames in the server section:

[servers]

[servers.172-31-4-82]
host     = "172.31.4.82"
user     = "ec2-user"
keyPath  = "/home/username/.ssh/id_rsa"
cpeNames = [
  "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
]

The name must match the one NVD uses, version included; a typo or a different vendor spelling simply finds nothing, and the scan will look clean.

Usage: Update NVD data
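To see what the string in cpeNames actually encodes, and why it has to line up component by component with what NVD records, here is an added example that is not from the Vuls project or the original article: a Python parser for the CPE 2.2 URI form cpe:/part:vendor:product:version:update:edition:language, with a matcher in which an unspecified (empty or omitted) component of a pattern matches anything. The matching rule is this example's own simplification of CPE 2.2 name matching; real NVD vulnerable configurations may also express version ranges, which are not modelled here, and the vulnerable-configuration list in the main block is constructed, not NVD data.

```python
from dataclasses import dataclass
from typing import List, Sequence
from urllib.parse import quote, unquote

# CPE 2.2 URI binding: cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
# Trailing components may be omitted; an empty or omitted component is "unspecified".
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


@dataclass(frozen=True)
class Cpe22:
    part: str = ""
    vendor: str = ""
    product: str = ""
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""

    @classmethod
    def parse(cls, uri: str) -> "Cpe22":
        """Parse a CPE 2.2 URI; rejects CPE 2.3 formatted strings (cpe:2.3:...)."""
        if not uri.startswith("cpe:/"):
            raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
        comps = uri[len("cpe:/"):].split(":")
        if len(comps) > len(FIELDS):
            raise ValueError(f"too many components: {uri!r}")
        if comps[0] not in ("a", "o", "h"):
            raise ValueError(f"part must be a (application), o (OS) or h (hardware): {uri!r}")
        # Split before decoding so that a percent-encoded ':' inside a component survives;
        # names are case-insensitive, so normalise to lower case for comparison.
        decoded = [unquote(c).lower() for c in comps]
        decoded += [""] * (len(FIELDS) - len(decoded))
        return cls(*decoded)

    def to_uri(self) -> str:
        """Re-encode, dropping unspecified trailing components as the binding allows."""
        comps = [quote(getattr(self, f), safe="") for f in FIELDS]
        while comps and comps[-1] == "":
            comps.pop()
        return "cpe:/" + ":".join(comps)

    def matches(self, pattern: "Cpe22") -> bool:
        """True if this name is matched by `pattern`: every component of the
        pattern is either unspecified or equal to the corresponding one here."""
        return all(getattr(pattern, f) in ("", getattr(self, f)) for f in FIELDS)


def affected(installed_uri: str, vulnerable_uris: Sequence[str]) -> List[str]:
    """Return the vulnerable-configuration names that match the installed software."""
    installed = Cpe22.parse(installed_uri)
    return [v for v in vulnerable_uris if installed.matches(Cpe22.parse(v))]


if __name__ == "__main__":
    # Constructed vulnerable-configuration list (not NVD data) for the cpeNames entry above.
    vulnerable = ["cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
                  "cpe:/a:rubyonrails:ruby_on_rails:4.2.0"]
    print(affected("cpe:/a:rubyonrails:ruby_on_rails:4.2.1", vulnerable))
```

Two things worth noticing: a name with the version left off (cpe:/a:rubyonrails:ruby_on_rails) matches every version of the product when used as a pattern, and a name with a wrong part or vendor (cpe:/o:..., or a misspelled vendor) matches nothing, which is the silent failure the cpeNames caveat above warns about.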

$ go-cve-dictionary fetchnvd -h
fetchnvd:
        fetchnvd
                [-last2y]
                [-dbpath=/path/to/cve.sqlite3]
                [-debug]
                [-debug-sql]

  -dbpath string
        /path/to/sqlite3 (default "$PWD/cve.sqlite3")
  -debug
        debug mode
  -debug-sql
        SQL debug mode
  -last2y
        Refresh NVD data in the last two years.

Fetch data for the entire period:

$ go-cve-dictionary fetchnvd -entire

Fetch data for the last two years:

$ go-cve-dictionary fetchnvd -last2y

Misc

1. HTTP proxy support

If your system goes through an HTTP proxy, specify the -http-proxy option.

2. How to daemonize go-cve-dictionary

Use systemd, Upstart, supervisord, daemontools or similar.
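As an added example (not from the Vuls project or the original article), a minimal systemd unit for running go-cve-dictionary as a service. It assumes the layout of the tutorial above: the binary installed by go get under /home/ec2-user/go/bin, and cve.sqlite3 in /home/ec2-user, which is why WorkingDirectory is set there so that the database path default ($PWD/cve.sqlite3, as in the fetchnvd help) resolves to it without any extra flag. The unit file name and path are this example's own choice.

```ini
# /etc/systemd/system/go-cve-dictionary.service  (added example, not shipped by the project)
[Unit]
Description=go-cve-dictionary HTTP server for Vuls
After=network.target

[Service]
User=ec2-user
# cve.sqlite3 is found relative to the working directory (default $PWD/cve.sqlite3)
WorkingDirectory=/home/ec2-user
ExecStart=/home/ec2-user/go/bin/go-cve-dictionary server
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
```

Enable it with sudo systemctl daemon-reload && sudo systemctl enable --now go-cve-dictionary. Note that the Amazon Linux 2015.09 image used in the tutorial is Upstart-based, so this unit applies to systemd distributions such as CentOS 7; and since the server binds to 127.0.0.1:1323 only (see Step 4), Vuls has to run on the same host.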

3. How to update the vulnerability data

Run go-cve-dictionary fetchnvd -last2y from a job scheduler such as cron.

4. How to cross-compile

$ cd /path/to/your/local-git-repository/vuls
$ GOOS=linux GOARCH=amd64 go build -o vuls.amd64

5. Logs

Logs are written under /var/log/vuls/.

6. Debugging

Use the -debug and -debug-sql options.

7. Adjusting the open file limit

The Riak documentation on open file limits is a good reference.

Windows

Use Microsoft Baseline Security Analyzer (MBSA).

Data sources

NVD

JVN (Japan)

Author

kotakanbe (@kotakanbe) started Vuls, and many people have contributed to it.

1. Fork it.

2. Create your feature branch:

git checkout -b my-new-feature

3. Commit your changes:

git commit -am 'Add some feature'

4. Push to the branch:

git push origin my-new-feature

5. Create a new pull request.

Change log

See the change log.

* Original source: GitHub. Via FreeBuf (FreeBuf.COM)