From 1f6eb55b86288cade30bb5a355c3716ad9b6ffbb Mon Sep 17 00:00:00 2001
From: hikachan
Date: Mon, 4 Jul 2016 15:11:21 +0900
Subject: [PATCH] added dockernized-vuls with vulsrepo
---
 setup/docker/Dockerfile | 14 ----
 setup/docker/README.ja.md | 77 +++++++++++++++++
 setup/docker/README.md | 84 +++++++++++++++++--
 setup/docker/conf/.gitkeep | 0
 setup/docker/docker-compose.yml | 11 +++
 setup/docker/dockerfile/Dockerfile | 68 +++++++++++++++
 setup/docker/dockerfile/nginx.conf | 32 +++++++
 .../dockerfile/scripts/scan_for_vulsrepo.sh | 7 ++
 setup/docker/dockerfile/scripts/update_cve.sh | 6 ++
 setup/docker/fetch.sh | 2 -
 setup/docker/id_rsa | 1 -
 setup/docker/id_rsa.pub | 1 -
 setup/docker/run.sh | 28 -------
 13 files changed, 279 insertions(+), 52 deletions(-)
 delete mode 100644 setup/docker/Dockerfile
 create mode 100644 setup/docker/README.ja.md
 create mode 100644 setup/docker/conf/.gitkeep
 create mode 100644 setup/docker/docker-compose.yml
 create mode 100644 setup/docker/dockerfile/Dockerfile
 create mode 100644 setup/docker/dockerfile/nginx.conf
 create mode 100644 setup/docker/dockerfile/scripts/scan_for_vulsrepo.sh
 create mode 100644 setup/docker/dockerfile/scripts/update_cve.sh
 delete mode 100644 setup/docker/fetch.sh
 delete mode 100644 setup/docker/id_rsa
 delete mode 100644 setup/docker/id_rsa.pub
 delete mode 100644 setup/docker/run.sh
diff --git a/setup/docker/Dockerfile b/setup/docker/Dockerfile
deleted file mode 100644
index 48c28e07..00000000
--- a/setup/docker/Dockerfile
+++ /dev/null
@@ -1,14 +0,0 @@
-FROM golang:1.6
-RUN apt-get update \
- && apt-get upgrade -y \
- && apt-get install -y git openssh-client gcc nmap
-WORKDIR /app
-RUN go get github.com/kotakanbe/go-cve-dictionary
-RUN go get github.com/future-architect/vuls
-COPY fetch.sh .
-RUN /bin/bash /app/fetch.sh
-COPY config.toml .
-COPY run.sh .
-ENTRYPOINT ["/bin/bash", "/app/run.sh"]
-COPY id_rsa .
-COPY id_rsa.pub .
diff --git a/setup/docker/README.ja.md b/setup/docker/README.ja.md
new file mode 100644
index 00000000..5e401d71
--- /dev/null
+++ b/setup/docker/README.ja.md
@@ -0,0 +1,77 @@
+# Vuls on Docker
+
+## Index
+
+- テスト環境
+- サーバーセットアップ
+ - Dockerのインストール
+ - Docker Composeのインストール
+- vulsセットアップ
+ - sshキーの配置
+ - tomlの編集
+- Vuls 起動
+- Vuls scan実行
+- ブラウザから動作確認
+
+
+##テスト環境
+
+- Server OS: ubuntu 14.04
+
+## サーバーセットアップ
+
+1. Dockerのインストール
+2. Docker Composeのインストール
+
+### 作業ディレクトリの作成
+
+```
+mkdir work
+cd work
+git clone https://github.com/hikachan/vuls
+cd vuls
+```
+
+## Vuls セットアップ
+
+### sshキーの配置(vuls/docker/conf/id_rsa)
+
+### tomlの編集(vuls/docker/conf/config.toml)
+
+```
+[servers]
+
+#This is a sample
+[servers.172.17.0.1]
+host = "172.17.0.1"
+port = "22"
+user = "ubuntu"
+keyPath = "/root/.ssh/id_rsa"
+#containers = ["target_container"]
+```
+
+## Vuls 起動
+
+```
+docker-compose up -d
+```
+
+## Update cve
+
+```
+docker exec -t vuls scripts/update_cve.sh
+```
+
+## Vuls Scan 実行
+
+```
+docker exec -t vuls vuls prepare -config=conf/config.toml
+docker exec -t vuls scripts/scan_for_vulsrepo.sh
+```
+
+### Vuls Repo 接続確認
+
+```
+http://${Vuls_Host}/vulsrepo/
+```
+
diff --git a/setup/docker/README.md b/setup/docker/README.md
index 3a8993f6..5597c7f4 100644
--- a/setup/docker/README.md
+++ b/setup/docker/README.md
@@ -1,7 +1,79 @@ -# Before building the docker +# Vuls on Docker -Since it's not on docker hub because blablabla, you have to : -* Edit your [config.toml](https://github.com/future-architect/vuls#step6-config) to match your infrastructure -* generate a keypair dedicated to this docker : ```ssh-keygen -t rsa -b 4096 -C "your_email@example.com"``` - * it's **highly** recommanded to use a restrained `authorized_keys` files with this key to be sure that it will be only usable from a single IP (after all it's a root executed software) : ```from="1.2.3.4,1.2.3.5" ssh-rsa [...] your_email@example.com``` -* Deploy your ssh key on the targetted machines +## Table of Contens + +- [What's Vuls-On-Docker?](#whats-vuls-on-docker) +- [Server Setup](#setting-up-your-machine) + - Install Docker + - Instal Docker Compose +- [Start A Vuls Container](#start-a-vuls-container) +- [Vuls Setup](#setting-up-vuls) + - Locate a appropriate ssh-key + - Edit toml +- [Scan servers with Vuls-On-Docker](#scan-servers-with-vuls-on-docker) +- [See the results in a browser](#see-the-results-in-a-browser) + +## What's Vuls-On-Docker + +- This is a dockernized-Vuls with DockerRepo UI in it. +- It's designed to reduce the cost of installation and the dependencies that vuls requires. +- You can run install and run Vuls on your machine with only a few commands. +- The result can be viewed with a browser + +## Setting up your machine + +1. [Install Docker](https://docs.docker.com/engine/installation/) +2. [Install Docker-Compose](https://docs.docker.com/compose/install/) +3. Make sure that you can run the following commands before you move on. + + ``` + $ docker version + $ docker-compose version + ``` + +4. Create a working directory for Vuls + + ``` + mkdir work + cd work + git clone https://github.com/hikachan/vuls.git + cd vuls/docker + ``` + +## Start A Vuls Container + +- Execute the following command to build and run a Vuls Container + + `` + docker-compose up -d + `` + +## Setting up Vuls + +1. 
Locate ssh-keys of servers in (vuls/docker/conf/id_rsa)
+2. Create and ajust config.toml(vuls/docker/conf/config.toml) to your environment
+
+ ```
+ [servers]
+
+ [servers.172-31-4-82]
+ host = "172.31.4.82"
+ user = "ec2-user"
+ keyPath = "conf/id_rsa"
+ containers = ["container_name_a", "4aa37a8b63b9"]
+ ```
+
+## Scan servers with Vuls-On-Docker
+
+- Use the embedded script to scan servers for vulsrepo(or run whatever with docker exec)
+
+ ```
+ docker exec -t vuls vuls prepare -config=conf/config.toml
+ docker exec -t vuls scripts/scan_for_vulsrepo.sh
+ ```
+
+## See the results in a browser
+
+```
+http://${Vuls_Host}/vulsrepo/
+```
diff --git a/setup/docker/conf/.gitkeep b/setup/docker/conf/.gitkeep
new file mode 100644
index 00000000..e69de29b
diff --git a/setup/docker/docker-compose.yml b/setup/docker/docker-compose.yml
new file mode 100644
index 00000000..cb749d1d
--- /dev/null
+++ b/setup/docker/docker-compose.yml
@@ -0,0 +1,11 @@
+version: '2'
+services:
+ vuls:
+ container_name: vuls
+ build: ./dockerfile
+ image: vuls-docker:0.1
+ volumes:
+ - ./conf:/opt/vuls/conf
+ ports:
+ - "80:80"
+
diff --git a/setup/docker/dockerfile/Dockerfile b/setup/docker/dockerfile/Dockerfile
new file mode 100644
index 00000000..8787fef7
--- /dev/null
+++ b/setup/docker/dockerfile/Dockerfile
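Review bot: `- "80:80"` publishes the vulsrepo UI on every interface of the docker host, and nothing in this change puts authentication or TLS in front of it, so the scan result JSON that scan_for_vulsrepo.sh links into the nginx docroot is readable by anyone who can reach port 80; bind it to loopback, `- "127.0.0.1:80:80"`, and put an authenticating reverse proxy in front. The `./conf` bind mount also carries the SSH private key into the container; the visible code only reads it, so mount it read-only, `- ./conf:/opt/vuls/conf:ro`. Note that the image's `chmod 700 -R ... $VULS_ROOT` does not apply to a bind mount — the host-side permissions of conf/ are what protect the key. README.ja.md's example `keyPath = "/root/.ssh/id_rsa"` will not resolve with this mount (keys land under /opt/vuls/conf, as README.md's `keyPath = "conf/id_rsa"` shows); presumably one of the two examples is stale.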
@@ -0,0 +1,68 @@
+FROM buildpack-deps:jessie-scm
+
+# golang Install
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ g++ \
+ gcc \
+ libc6-dev \
+ make \
+ curl \
+ && rm -rf /var/lib/apt/lists/*
+
+ENV GOLANG_VERSION 1.6.2
+ENV GOLANG_DOWNLOAD_URL https://golang.org/dl/go$GOLANG_VERSION.linux-amd64.tar.gz
+ENV GOLANG_DOWNLOAD_SHA256 e40c36ae71756198478624ed1bb4ce17597b3c19d243f3f0899bb5740d56212a
+
+RUN curl -fsSL "$GOLANG_DOWNLOAD_URL" -o golang.tar.gz \
+ && echo "$GOLANG_DOWNLOAD_SHA256 golang.tar.gz" | sha256sum -c - \
+ && tar -C /usr/local -xzf golang.tar.gz \
+ && rm golang.tar.gz
+
+ENV GOPATH /go
+ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
+
+RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH"
+
+# nginx Install
+RUN apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 \
+ && echo "deb http://nginx.org/packages/mainline/debian/ jessie nginx" >> /etc/apt/sources.list \
+ && apt-get update \
+ && apt-get install --no-install-recommends --no-install-suggests -y \
+ ca-certificates \
+ nginx \
+ nginx-module-xslt \
+ nginx-module-geoip \
+ nginx-module-image-filter \
+ nginx-module-perl \
+ nginx-module-njs \
+ gettext-base \
+ wget \
+ unzip \
+ && rm -rf /var/lib/apt/lists/*
+
+RUN ln -sf /dev/stdout /var/log/nginx/access.log \
+ && ln -sf /dev/stderr /var/log/nginx/error.log
+
+COPY nginx.conf /etc/nginx/nginx.conf
+
+#Vuls Install
+ENV VULS_ROOT /opt/vuls
+RUN mkdir -p /var/log/vuls ${VULS_ROOT}/conf /root/.ssh/
+RUN chmod 700 -R /var/log/vuls $VULS_ROOT
+RUN go get github.com/kotakanbe/go-cve-dictionary
+RUN go get github.com/future-architect/vuls
+
+# Copy custom Scripts
+COPY ./scripts/ ${VULS_ROOT}/scripts
+
+#Vulrepo Install
+RUN git clone https://github.com/usiusi360/vulsrepo /tmp/vulsrepo
+RUN mkdir /usr/share/nginx/html/vulsrepo/
+RUN cp -rp /tmp/vulsrepo/src/* /usr/share/nginx/html/vulsrepo
+RUN rm -rf /tmp/vulsrepo
+
+#Home
+WORKDIR /opt/vuls
+EXPOSE 80 443
+CMD 
["nginx", "-g", "daemon off;"] + diff --git a/setup/docker/dockerfile/nginx.conf b/setup/docker/dockerfile/nginx.conf new file mode 100644 index 00000000..d1276ede --- /dev/null +++ b/setup/docker/dockerfile/nginx.conf @@ -0,0 +1,32 @@ + +user root; +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + include /etc/nginx/conf.d/*.conf; +} diff --git a/setup/docker/dockerfile/scripts/scan_for_vulsrepo.sh b/setup/docker/dockerfile/scripts/scan_for_vulsrepo.sh new file mode 100644 index 00000000..61fe3b94 --- /dev/null +++ b/setup/docker/dockerfile/scripts/scan_for_vulsrepo.sh @@ -0,0 +1,7 @@ +#!/bin/bash +VULS_ROOT=/opt/vuls +VULS_CONF=${VULS_ROOT}/conf +NGINX_VULSREPO_ROOT=/usr/share/nginx/html/vulsrepo +cd $VULS_ROOT +vuls scan -report-json --cve-dictionary-dbpath=${VULS_ROOT}/cve.sqlite3 -config=${VULS_CONF}/config.toml +ln -sf ${VULS_ROOT}/results/current ${NGINX_VULSREPO_ROOT}/current diff --git a/setup/docker/dockerfile/scripts/update_cve.sh b/setup/docker/dockerfile/scripts/update_cve.sh new file mode 100644 index 00000000..fb9060d1 --- /dev/null +++ b/setup/docker/dockerfile/scripts/update_cve.sh @@ -0,0 +1,6 @@ +#!/bin/bash +VULS_ROOT=/opt/vuls +#VULS_CONF=${VULS_ROOT}/conf +cd $VULS_ROOT +for i in {2002..2016}; do go-cve-dictionary fetchnvd -years $i; done + diff --git a/setup/docker/fetch.sh b/setup/docker/fetch.sh deleted file mode 100644 index 31bb75ea..00000000 --- a/setup/docker/fetch.sh +++ /dev/null 
@@ -1,2 +0,0 @@
-#!/bin/bash
- for i in {2002..2016}; do go-cve-dictionary fetchnvd -years $i ; done
diff --git a/setup/docker/id_rsa b/setup/docker/id_rsa
deleted file mode 100644
index 8b137891..00000000
--- a/setup/docker/id_rsa
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/setup/docker/id_rsa.pub b/setup/docker/id_rsa.pub
deleted file mode 100644
index 8b137891..00000000
--- a/setup/docker/id_rsa.pub
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/setup/docker/run.sh b/setup/docker/run.sh
deleted file mode 100644
index e30eaf9f..00000000
--- a/setup/docker/run.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/bash
-tries=0
-
-function isopen {
- tries=$1
- nmap -Pn -T4 -p 1323 127.0.0.1|grep -iq open
- if [ $? -ne 0 ]; then
- if [ $tries -lt 5 ]; then
- let tries++
- startserver $tries
- else
- return 1
- fi
- else
- return 0
- fi
-}
-function startserver {
- tries=$1
- go-cve-dictionary server &
- sleep 2
- isopen $tries
-}
-
-startserver $tries
-if [ $? -ne 1 ]; then
- vuls scan -config /app/config.toml -report-slack
-fi