I used Vuls to run a vulnerability check against a server built on Sakura Cloud.

What Vuls can do

If you set up a Vuls management server, you can run vulnerability checks against servers remotely.
It can also be run locally, so you can check the current vulnerability risk of the server you are on.

README

Procedure

Trying it out in a Vagrant environment

The OS used for the test is CentOS 7.1.

Create the vuls user

[vagrant@localhost ~]$ sudo useradd vuls
[vagrant@localhost ~]$ sudo passwd vuls
[vagrant@localhost ~]$ sudo usermod -G wheel vuls

Install the required packages

[vagrant@localhost ~]$ sudo yum -y install sqlite git gcc make yum-plugin-changelog

Install Go

[vagrant@localhost ~]$ su - vuls
[vuls@localhost ~]$ wget https://storage.googleapis.com/golang/go1.8.3.linux-amd64.tar.gz
--2017-09-20 18:47:09--  https://storage.googleapis.com/golang/go1.8.3.linux-amd64.tar.gz
Resolving storage.googleapis.com (storage.googleapis.com)... 172.217.27.80
Connecting to storage.googleapis.com (storage.googleapis.com)|172.217.27.80|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 90029041 (86M) [application/x-gzip]
Saving to: ‘go1.8.3.linux-amd64.tar.gz’

100%[================================================>] 90,029,041  19.2MB/s   in 4.7s   

2017-09-20 18:47:15 (18.2 MB/s) - ‘go1.8.3.linux-amd64.tar.gz’ saved [90029041/90029041]

[vuls@localhost ~]$ sudo tar -C /usr/local -xzf go1.8.3.linux-amd64.tar.gz
[vuls@localhost ~]$ mkdir $HOME/go
[vuls@localhost ~]$ rm go1.8.3.linux-amd64.tar.gz
[vuls@localhost ~]$ sudo emacs  /etc/profile.d/goenv.sh
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
[vuls@localhost ~]$ sudo chmod 755 /etc/profile.d/goenv.sh 
[vuls@localhost ~]$ source /etc/profile.d/goenv.sh
[vuls@localhost ~]$ go version
go version go1.8.3 linux/amd64

Prepare Vuls

[vuls@localhost ~]$ sudo mkdir /var/log/vuls
[vuls@localhost ~]$ sudo chown vuls /var/log/vuls
[vuls@localhost ~]$ sudo chmod 700 /var/log/vuls
[vuls@localhost ~]$ mkdir -p $GOPATH/src/github.com/kotakanbe
[vuls@localhost ~]$ cd $GOPATH/src/github.com/kotakanbe 
[vuls@localhost kotakanbe]$ git clone https://github.com/kotakanbe/go-cve-dictionary.git
Cloning into 'go-cve-dictionary'...
remote: Counting objects: 500, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 500 (delta 0), reused 1 (delta 0), pack-reused 496
Receiving objects: 100% (500/500), 144.39 KiB | 55.00 KiB/s, done.
Resolving deltas: 100% (256/256), done.
[vuls@localhost kotakanbe]$ cd go-cve-dictionary
[vuls@localhost go-cve-dictionary]$ make install
go get -u github.com/golang/dep/...
dep ensure
go install -ldflags "-X 'main.version=v0.1.1' -X 'main.revision=f5406ff'"
[vuls@localhost kotakanbe]$ git clone https://github.com/kotakanbe/goval-dictionary.git
[vuls@localhost kotakanbe]$ cd goval-dictionary
[vuls@localhost kotakanbe]$ make install
fatal: No names found, cannot describe anything.
go get -u github.com/golang/dep/...
dep ensure
go install -ldflags "-X 'main.version=' -X 'main.revision=d53916f'"

Fetch the vulnerability database

[vuls@localhost go-cve-dictionary]$ cd $HOME
[vuls@localhost ~]$ for i in `seq 2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -years $i; done
 0 / 1 [-------------------------------------------------------------------------]   0.00%[Sep 20 18:53:34]  INFO Fetching... https://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2002.xml.gz
 1 / 1 [=====================================================================] 100.00% 10s
[Sep 20 18:53:44]  INFO Fetched 6745 CVEs
[Sep 20 18:53:44]  INFO Opening DB (sqlite3).
[Sep 20 18:53:45]  INFO Migrating DB (sqlite3).
[Sep 20 18:53:45]  INFO Inserting NVD into DB (sqlite3).
[Sep 20 18:53:45]  INFO Inserting CVEs...
 6745 / 6745 [===============================================================] 100.00% 42s
(output for the remaining years omitted)

Deploy Vuls

[vuls@localhost ~]$ mkdir -p $GOPATH/src/github.com/future-architect
[vuls@localhost ~]$ cd $GOPATH/src/github.com/future-architect
[vuls@localhost future-architect]$ git clone https://github.com/future-architect/vuls.git
Cloning into 'vuls'...
remote: Counting objects: 3865, done.
remote: Total 3865 (delta 0), reused 0 (delta 0), pack-reused 3864
Receiving objects: 100% (3865/3865), 3.90 MiB | 1.66 MiB/s, done.
Resolving deltas: 100% (2636/2636), done.
[vuls@localhost future-architect]$ cd vuls
[vuls@localhost vuls]$ make install
go get -u github.com/golang/dep/...
dep ensure
go install -ldflags "-X 'main.version=v0.4.0' -X 'main.revision=5f2183f'"
[vuls@localhost vuls]$ cd $HOME
[vuls@localhost ~]$ sudo visudo
visudo: /etc/sudoers.tmp unchanged

Defaults:vuls !requiretty
vuls ALL=(ALL) NOPASSWD: ALL
Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"

[vuls@localhost ~]$ emacs -nw  ~/config.toml
[servers]

[servers.localhost]
host = "localhost" 
port = "local"

Test

[vuls@localhost ~]$ vuls configtest
[Sep 20 21:11:58]  INFO [localhost] Validating config...
[Sep 20 21:11:58]  INFO [localhost] Detecting Server/Container OS... 
[Sep 20 21:11:58]  INFO [localhost] Detecting OS of servers... 
[Sep 20 21:11:58]  INFO [localhost] (1/1) Detected: localhost: centos 7.1.1503
[Sep 20 21:11:58]  INFO [localhost] Detecting OS of containers... 
[Sep 20 21:11:58]  INFO [localhost] Checking dependencies...
[Sep 20 21:11:59]  INFO [localhost] Dependencies ... Pass
[Sep 20 21:11:59]  INFO [localhost] Checking sudo settings...
[Sep 20 21:11:59]  INFO [localhost] sudo ... No need
[Sep 20 21:11:59]  INFO [localhost] Scannable servers are below...
localhost 

Scan

[vuls@localhost ~]$ vuls scan
[Sep 20 21:12:18]  INFO [localhost] Start scanning
[Sep 20 21:12:18]  INFO [localhost] config: /home/vuls/config.toml
[Sep 20 21:12:18]  INFO [localhost] Validating config...
[Sep 20 21:12:18]  INFO [localhost] Detecting Server/Container OS... 
[Sep 20 21:12:18]  INFO [localhost] Detecting OS of servers... 
[Sep 20 21:12:18]  INFO [localhost] (1/1) Detected: localhost: centos 7.1.1503
[Sep 20 21:12:18]  INFO [localhost] Detecting OS of containers... 
[Sep 20 21:12:18]  INFO [localhost] Detecting Platforms... 
[Sep 20 21:12:29]  INFO [localhost] (1/1) localhost is running on other
[Sep 20 21:12:29]  INFO [localhost] Scanning vulnerabilities... 
[Sep 20 21:12:29]  INFO [localhost] Scanning vulnerable OS packages...


One Line Summary
================
localhost   centos7.1.1503  242 updatable packages

To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
[vuls@localhost ~]$ vuls report -format-short-text -cvedb-path=$PWD/cve.sqlite3 --lang=ja
[Sep 20 21:13:58]  INFO [localhost] Validating config...
[Sep 20 21:13:58]  INFO [localhost] cve-dictionary: /home/vuls/cve.sqlite3
[Sep 20 21:13:58]  INFO [localhost] Loaded: /home/vuls/results/2017-09-20T21:12:29+09:00
[Sep 20 21:13:58]  INFO [localhost] Fill CVE detailed information with OVAL
[Sep 20 21:13:59]  WARN [localhost] OVAL entries of redhat 7 are not found. It's recommended to use OVAL to improve scanning accuracy. For details, see https://github.com/kotakanbe/goval-dictionary#usage , Then report with --ovaldb-path or --ovaldb-url flag
[Sep 20 21:13:59]  INFO [localhost] Fill CVE detailed information with CVE-DB

localhost (centos7.1.1503)
==========================
Total: 0 (High:0 Medium:0 Low:0 ?:0)    242 updatable packages

No CVE-IDs are found in updatable packages.
242 updatable packages
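As an added example (not from the original post or from the Vuls project), here is a small POSIX sh gate that reads the per-server `Total:` line printed by `vuls report -format-short-text` and fails when any High-severity CVE is reported, so a nightly `vuls scan` / `vuls report` job can stop a pipeline. The sample report text is constructed, with made-up counts in the format shown above; the function names are my own.

```sh
#!/bin/sh
# Constructed sample: the per-server summary that `vuls report -format-short-text`
# prints (same layout as the real output above, but with non-zero counts).
SAMPLE_REPORT='localhost (centos7.1.1503)
==========================
Total: 3 (High:1 Medium:2 Low:0 ?:0)    242 updatable packages'

# Extract one severity count (High, Medium or Low) from the "Total:" line.
# Prints the number, or nothing if no such line is present.
# Usage: severity_count "<report text>" High
severity_count() {
    report="$1"
    level="$2"
    printf '%s\n' "$report" \
        | sed -n "s/^Total: .*${level}:\([0-9][0-9]*\).*/\1/p" \
        | head -n 1
}

# Exit 0 when the report contains no High CVEs, 1 when it does.
# Fails closed (exit 2) if the "Total:" line is missing, so a truncated or
# malformed report is never mistaken for a clean one.
report_gate() {
    high=$(severity_count "$1" High)
    if [ -z "$high" ]; then
        echo "report_gate: no Total: line found in report" >&2
        return 2
    fi
    [ "$high" -eq 0 ]
}
```

In a real job the report text would come from `vuls report -format-short-text ...` itself, for example `report_gate "$(vuls report -format-short-text -cvedb-path=$PWD/cve.sqlite3)"`.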

Notes

If the Go version is older than 1.8, `make install` fails with the error below (dep uses sort.Slice, sort.SliceStable and sort.SliceIsSorted, which were added in Go 1.8).

[vuls@localhost go-cve-dictionary]$ make install
go get -u github.com/golang/dep/...
# github.com/golang/dep/internal/gps
../../golang/dep/internal/gps/constraints.go:334: undefined: sort.SliceStable
../../golang/dep/internal/gps/constraints.go:353: undefined: sort.SliceStable
../../golang/dep/internal/gps/lock.go:55: undefined: sort.SliceIsSorted
../../golang/dep/internal/gps/lock.go:62: undefined: sort.Slice
make: *** [dep] Error 2

When upgrading Go, remember to remove the old installation first:

[vuls@localhost go-cve-dictionary]$ sudo rm -r /usr/local/go
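An added example, not from the original post: a POSIX sh pre-check for this requirement that parses `go version` output and compares major and minor numerically (so go1.10 is correctly treated as newer than go1.8), to run before `make install` instead of discovering the problem from the sort.SliceStable errors. The function names are my own.

```sh
#!/bin/sh
# Return 0 when the `go version` output in $1 is Go 1.8 or newer,
# 1 otherwise (including when $1 is not a recognised `go version` line).
go_version_ok() {
    # "go version go1.8.3 linux/amd64" -> "1 8"; "go version go1.10 ..." -> "1 10"
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/^go version go\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    # Numeric comparison: a string compare would rank "10" below "8".
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 8 ]; }
}

# Run this before `make install` in go-cve-dictionary, goval-dictionary and vuls.
require_go18() {
    if go_version_ok "$(go version 2>/dev/null)"; then
        return 0
    fi
    echo "Go 1.8 or newer is required; remove /usr/local/go and install a newer release" >&2
    return 1
}
```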