added dockernized-vuls with vulsrepo

2016-07-04 15:11:21 +09:00
parent d9d8500484
commit 1f6eb55b86
13 changed files with 279 additions and 52 deletions
--- a/setup/docker/Dockerfile
+++ b/setup/docker/Dockerfile
@@ -1,14 +0,0 @@
-FROM golang:1.6
-RUN apt-get update \
-    && apt-get upgrade -y \
-    && apt-get install -y git openssh-client gcc nmap
-WORKDIR /app
-RUN go get github.com/kotakanbe/go-cve-dictionary
-RUN go get github.com/future-architect/vuls
-COPY fetch.sh .
-RUN /bin/bash /app/fetch.sh
-COPY config.toml .
-COPY run.sh .
-ENTRYPOINT ["/bin/bash", "/app/run.sh"]
-COPY id_rsa .
-COPY id_rsa.pub .
--- a/setup/docker/README.ja.md
+++ b/setup/docker/README.ja.md
@@ -0,0 +1,77 @@
+# Vuls on Docker
+
+## Index
+
+- テスト環境
+- サーバーセットアップ
+    - Dockerのインストール
+    - Docker Composeのインストール
+- vulsセットアップ
+    - sshキーの配置
+    - tomlの編集
+- Vuls 起動
+- Vuls scan実行
+- ブラウザから動作確認
+
+
+##テスト環境
+
+- Server OS: ubuntu 14.04
+
+## サーバーセットアップ
+
+1. Dockerのインストール
+2. Docker Composeのインストール
+
+### 作業ディレクトリの作成
+
+```
+mkdir work
+cd work
+git clone https://github.com/hikachan/vuls
+cd vuls
+```
+
+## Vuls セットアップ
+
+### sshキーの配置(vuls/docker/conf/id_rsa)
+
+### tomlの編集(vuls/docker/conf/config.toml)
+
+```
+[servers]
+
+#This is a sample
+[servers.172.17.0.1]
+host         = "172.17.0.1"
+port        = "22"
+user        = "ubuntu"
+keyPath     = "/root/.ssh/id_rsa"
+#containers = ["target_container"]
+```
+
+## Vuls 起動
+
+```
+docker-compose up -d
+```
+
+## Update cve
+
+```
+docker exec -t vuls scripts/update_cve.sh
+```
+
+## Vuls Scan 実行
+
+```
+docker exec -t vuls vuls prepare -config=conf/config.toml
+docker exec -t vuls scripts/scan_for_vulsrepo.sh
+```
+
+### Vuls Repo 接続確認
+
+```
+http://${Vuls_Host}/vulsrepo/
+```
+
--- a/setup/docker/README.md
+++ b/setup/docker/README.md
@@ -1,7 +1,79 @@
-# Before building the docker
+# Vuls on Docker

-Since it's not on docker hub because blablabla, you have to :
-* Edit your [config.toml](https://github.com/future-architect/vuls#step6-config) to match your infrastructure
-* generate a keypair dedicated to this docker : ```ssh-keygen -t rsa -b 4096 -C "your_email@example.com"```
-  * it's **highly** recommanded to use a restrained `authorized_keys` files with this key to be sure that it will be only usable from a single IP (after all it's a root executed software) : ```from="1.2.3.4,1.2.3.5" ssh-rsa [...] your_email@example.com```
-* Deploy your ssh key on the targetted machines
+## Table of Contens
+
+- [What's Vuls-On-Docker?](#whats-vuls-on-docker)
+- [Server Setup](#setting-up-your-machine)
+	- Install Docker
+	- Instal Docker Compose
+- [Start A Vuls Container](#start-a-vuls-container)
+- [Vuls Setup](#setting-up-vuls)
+	- Locate a appropriate ssh-key
+	- Edit toml
+- [Scan servers with Vuls-On-Docker](#scan-servers-with-vuls-on-docker)
+- [See the results in a browser](#see-the-results-in-a-browser)
+
+## What's Vuls-On-Docker
+
+- This is a dockernized-Vuls with DockerRepo UI in it.
+- It's designed to reduce the cost of installation and the dependencies that vuls requires.
+- You can run install and run Vuls on your machine with only a few commands.
+- The result can be viewed with a browser
+
+## Setting up your machine
+	
+1. [Install Docker](https://docs.docker.com/engine/installation/)
+2. [Install Docker-Compose](https://docs.docker.com/compose/install/)
+3. Make sure that you can run the following commands before you move on.
+
+	```
+	$ docker version
+	$ docker-compose version
+	```
+
+4. Create a working directory for Vuls
+
+	```
+	mkdir work
+	cd work
+	git clone https://github.com/hikachan/vuls.git
+	cd vuls/docker
+	```
+	
+## Start A Vuls Container
+
+- Execute the following command to build and run a Vuls Container
+
+	``
+	docker-compose up -d
+	`` 
+
+## Setting up Vuls
+
+1. Locate ssh-keys of servers in (vuls/docker/conf/id_rsa)
+2. Create and ajust config.toml(vuls/docker/conf/config.toml) to your environment
+	
+	```
+	[servers]
+
+  	[servers.172-31-4-82]
+  	host        = "172.31.4.82"
+  	user        = "ec2-user"
+  	keyPath     = "conf/id_rsa"
+  	containers = ["container_name_a", "4aa37a8b63b9"]
+	```
+
+## Scan servers with Vuls-On-Docker
+
+- Use the embedded script to scan servers for vulsrepo(or run whatever with docker exec)
+
+	```
+	docker exec -t vuls vuls prepare -config=conf/config.toml
+	docker exec -t vuls scripts/scan_for_vulsrepo.sh
+	```
+
+## See the results in a browser 
+
+```
+http://${Vuls_Host}/vulsrepo/
+```
--- a/setup/docker/conf/.gitkeep
+++ b/setup/docker/conf/.gitkeep
--- a/setup/docker/docker-compose.yml
+++ b/setup/docker/docker-compose.yml
@@ -0,0 +1,11 @@
+version: '2'
+services:
+  vuls:
+    container_name: vuls
+    build: ./dockerfile
+    image: vuls-docker:0.1
+    volumes:
+    - ./conf:/opt/vuls/conf
+    ports:
+      - "80:80"
+
--- a/setup/docker/dockerfile/Dockerfile
+++ b/setup/docker/dockerfile/Dockerfile
@@ -0,0 +1,68 @@
+FROM buildpack-deps:jessie-scm
+
+# golang Install
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        g++ \
+        gcc \
+        libc6-dev \
+        make \
+        curl \
+    && rm -rf /var/lib/apt/lists/*
+
+ENV GOLANG_VERSION 1.6.2
+ENV GOLANG_DOWNLOAD_URL https://golang.org/dl/go$GOLANG_VERSION.linux-amd64.tar.gz
+ENV GOLANG_DOWNLOAD_SHA256 e40c36ae71756198478624ed1bb4ce17597b3c19d243f3f0899bb5740d56212a
+
+RUN curl -fsSL "$GOLANG_DOWNLOAD_URL" -o golang.tar.gz \
+    && echo "$GOLANG_DOWNLOAD_SHA256  golang.tar.gz" | sha256sum -c - \
+    && tar -C /usr/local -xzf golang.tar.gz \
+    && rm golang.tar.gz
+
+ENV GOPATH /go
+ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
+
+RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH"
+
+# nginx Install
+RUN apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 \
+    && echo "deb http://nginx.org/packages/mainline/debian/ jessie nginx" >> /etc/apt/sources.list \
+    && apt-get update \
+    && apt-get install --no-install-recommends --no-install-suggests -y \
+                        ca-certificates \
+                        nginx \
+                        nginx-module-xslt \
+                        nginx-module-geoip \
+                        nginx-module-image-filter \
+                        nginx-module-perl \
+                        nginx-module-njs \
+                        gettext-base \
+                        wget \
+                        unzip \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN ln -sf /dev/stdout /var/log/nginx/access.log \
+        && ln -sf /dev/stderr /var/log/nginx/error.log
+
+COPY nginx.conf /etc/nginx/nginx.conf
+
+#Vuls Install
+ENV VULS_ROOT /opt/vuls
+RUN mkdir -p /var/log/vuls ${VULS_ROOT}/conf /root/.ssh/
+RUN chmod 700 -R /var/log/vuls $VULS_ROOT
+RUN go get github.com/kotakanbe/go-cve-dictionary
+RUN go get github.com/future-architect/vuls
+
+# Copy custom Scripts
+COPY ./scripts/ ${VULS_ROOT}/scripts
+
+#Vulrepo Install
+RUN git clone https://github.com/usiusi360/vulsrepo /tmp/vulsrepo
+RUN mkdir /usr/share/nginx/html/vulsrepo/
+RUN cp -rp /tmp/vulsrepo/src/* /usr/share/nginx/html/vulsrepo
+RUN rm -rf /tmp/vulsrepo
+
+#Home
+WORKDIR /opt/vuls
+EXPOSE 80 443
+CMD ["nginx", "-g", "daemon off;"]
+
--- a/setup/docker/dockerfile/nginx.conf
+++ b/setup/docker/dockerfile/nginx.conf
@@ -0,0 +1,32 @@
+
+user  root;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}
--- a/setup/docker/dockerfile/scripts/scan_for_vulsrepo.sh
+++ b/setup/docker/dockerfile/scripts/scan_for_vulsrepo.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+VULS_ROOT=/opt/vuls
+VULS_CONF=${VULS_ROOT}/conf
+NGINX_VULSREPO_ROOT=/usr/share/nginx/html/vulsrepo
+cd $VULS_ROOT
+vuls scan -report-json --cve-dictionary-dbpath=${VULS_ROOT}/cve.sqlite3 -config=${VULS_CONF}/config.toml 
+ln -sf ${VULS_ROOT}/results/current ${NGINX_VULSREPO_ROOT}/current
--- a/setup/docker/dockerfile/scripts/update_cve.sh
+++ b/setup/docker/dockerfile/scripts/update_cve.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+VULS_ROOT=/opt/vuls
+#VULS_CONF=${VULS_ROOT}/conf
+cd $VULS_ROOT
+for i in {2002..2016}; do go-cve-dictionary fetchnvd -years $i; done
+
--- a/setup/docker/fetch.sh
+++ b/setup/docker/fetch.sh
@@ -1,2 +0,0 @@
-#!/bin/bash
- for i in {2002..2016}; do go-cve-dictionary fetchnvd -years $i ; done
--- a/setup/docker/id_rsa
+++ b/setup/docker/id_rsa
@@ -1 +0,0 @@
-
--- a/setup/docker/id_rsa.pub
+++ b/setup/docker/id_rsa.pub
@@ -1 +0,0 @@
-
--- a/setup/docker/run.sh
+++ b/setup/docker/run.sh
@@ -1,28 +0,0 @@
-#!/bin/bash
-tries=0
-
-function isopen {
-    tries=$1
-    nmap -Pn -T4 -p 1323 127.0.0.1|grep -iq open
-    if [ $? -ne 0 ]; then
-        if [ $tries -lt 5 ]; then
-            let tries++
-            startserver $tries
-        else
-            return 1
-        fi
-    else
-        return 0
-    fi
-}
-function startserver {
-    tries=$1
-    go-cve-dictionary server &
-    sleep 2
-    isopen $tries
-}
-
-startserver $tries
-if [ $? -ne 1 ]; then
-    vuls scan -config /app/config.toml -report-slack
-fi