Stage/vuls
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update README

Browse Source
This commit is contained in:
kota kanbe
2017-08-07 05:57:09 +09:00
parent 2887dc0d36
commit d3014025b0
4 changed files with 536 additions and 541 deletions
Download Patch File Download Diff File Expand all files Collapse all files

530
README.md
View File

@@ -12,9 +12,11 @@ Vulnerability scanner for Linux/FreeBSD, agentless, written in golang.
We have a slack team. [Join slack team](http://goo.gl/forms/xm5KFo35tu)
[README in Japanese](https://github.com/future-architect/vuls/blob/master/README.ja.md)
[README 日本語](https://github.com/future-architect/vuls/blob/master/README.ja.md)
[README in French](https://github.com/future-architect/vuls/blob/master/README.fr.md)
![Vuls-Abstract](img/vuls-abstract.png)
[![asciicast](https://asciinema.org/a/3y9zrf950agiko7klg8abvyck.png)](https://asciinema.org/a/3y9zrf950agiko7klg8abvyck)
![Vuls-slack](img/vuls-slack-en.png)
@@ -23,89 +25,7 @@ We have a slack team. [Join slack team](http://goo.gl/forms/xm5KFo35tu)
# TOC
- [Vuls: VULnerability Scanner](#vuls-vulnerability-scanner)
- [TOC](#toc)
- [Abstract](#abstract)
- [Main Features](#main-features)
- [What Vuls Doesn't Do](#what-vuls-doesnt-do)
- [Setup Vuls](#setup-vuls)
- [Tutorial: Local Scan Mode](#tutorial-local-scan-mode)
* [Step1. Launch Amazon Linux](#step1-launch-amazon-linux)
* [Step2. Install requirements](#step2-install-requirements)
* [Step3. Deploy go-cve-dictionary](#step3-deploy-go-cve-dictionary)
* [Step4. Deploy Vuls](#step4-deploy-vuls)
* [Step5. Config](#step5-config)
* [Step6. Check config.toml and settings on the server before scanning](#step6-check-configtoml-and-settings-on-the-server-before-scanning)
* [Step7. Start Scanning](#step7-start-scanning)
* [Step8. Reporting](#step8-reporting)
* [Step9. TUI](#step9-tui)
* [Step10. Web UI](#step10-web-ui)
- [Tutorial: Remote Scan Mode](#tutorial-remote-scan-mode)
* [Step1. Launch Another Amazon Linux](#step1-launch-another-amazon-linux)
* [Step2. Install Dependencies on the Remote Server](#step2-install-dependencies-on-the-remote-server)
* [Step3. Enable to SSH from Localhost](#step3-enable-to-ssh-from-localhost)
* [Step4. Config](#step4-config)
* [Step5. Check config.toml and settings on the server before scanning](#step5-check-configtoml-and-settings-on-the-server-before-scanning)
* [Step6. Start Scanning](#step6-start-scanning)
* [Step7. Reporting](#step7-reporting)
- [Setup Vuls in a Docker Container](#setup-vuls-in-a-docker-container)
- [Architecture](#architecture)
* [A. Scan via SSH Mode (Remote Scan Mode)](#a-scan-via-ssh-mode-remote-scan-mode)
* [B. Scan without SSH (Local Scan Mode)](#b-scan-without-ssh-local-scan-mode)
* [go-cve-dictionary](#go-cve-dictionary)
* [Scanning Flow](#scanning-flow)
- [Performance Considerations](#performance-considerations)
- [Use Cases](#use-cases)
* [Scan All Servers](#scan-all-servers)
* [Scan a Single Server](#scan-a-single-server)
* [Scan Staging Environment](#scan-staging-environment)
- [Support OS](#support-os)
- [Usage: Automatic Server Discovery](#usage-automatic-server-discovery)
* [Example](#example)
- [Configuration](#configuration)
- [Usage: Configtest](#usage-configtest)
* [Dependencies on Target Servers](#dependencies-on-target-servers)
* [Check /etc/sudoers](#check-etcsudoers)
- [Usage: Scan](#usage-scan)
* [-ssh-native-insecure option](#-ssh-native-insecure-option)
* [-ask-key-password option](#-ask-key-password-option)
* [Example: Scan all servers defined in config file](#example-scan-all-servers-defined-in-config-file)
* [Example: Scan specific servers](#example-scan-specific-servers)
* [Example: Scan via shell instead of SSH.](#example-scan-via-shell-instead-of-ssh)
+ [cron](#cron)
* [Example: Scan containers (Docker/LXD)](#example-scan-containers-dockerlxd)
+ [Docker](#docker)
+ [LXD](#lxd)
- [Usage: Report](#usage-report)
* [How to read a report](#how-to-read-a-report)
+ [Example](#example-1)
+ [Summary part](#summary-part)
+ [Detailed Part](#detailed-part)
+ [Changelog Part](#changelog-part)
* [Example: Send scan results to Slack](#example-send-scan-results-to-slack)
* [Example: Put results in S3 bucket](#example-put-results-in-s3-bucket)
* [Example: Put results in Azure Blob storage](#example-put-results-in-azure-blob-storage)
* [Example: IgnoreCves](#example-ignorecves)
* [Example: Add optional key-value pairs to JSON](#example-add-optional-key-value-pairs-to-json)
* [Example: Use MySQL as a DB storage back-end](#example-use-mysql-as-a-db-storage-back-end)
* [Example: Use PostgreSQL as a DB storage back-end](#example-use-postgresql-as-a-db-storage-back-end)
* [Example: Use Redis as a DB storage back-end](#example-use-redis-as-a-db-storage-back-end)
- [Usage: Scan vulnerabilites of non-OS packages](#usage-scan-vulnerabilites-of-non-os-packages)
- [Usage: Integrate with OWASP Dependency Check to Automatic update when the libraries are updated (Experimental)](#usage-integrate-with-owasp-dependency-check-to-automatic-update-when-the-libraries-are-updated-experimental)
- [Usage: TUI](#usage-tui)
* [Display the latest scan results](#display-the-latest-scan-results)
* [Display the previous scan results](#display-the-previous-scan-results)
- [Display the previous scan results using peco](#display-the-previous-scan-results-using-peco)
- [Usage: go-cve-dictionary on different server](#usage-go-cve-dictionary-on-different-server)
- [Usage: Update NVD Data](#usage-update-nvd-data)
- [How to Update](#how-to-update)
- [Misc](#misc)
- [Related Projects](#related-projects)
- [Data Source](#data-source)
- [Authors](#authors)
- [Contribute](#contribute)
- [Change Log](#change-log)
- [License](#license)
TODO
----
@@ -134,13 +54,33 @@ Vuls is a tool created to solve the problems listed above. It has the following
- Scan for any vulnerabilities in Linux/FreeBSD Server
- Supports Ubuntu, Debian, CentOS, Amazon Linux, RHEL, Oracle Linux, FreeBSD and Raspbian
- Cloud, on-premise, Docker
- High quality scan
- Vuls uses Multiple vulnerability databases
- OVAL
- RHSA/ALAS/ELSA/FreeBSD-SA
- Changelog
- Fast scan and Deep scan
- Fast Scan
- Scan without root privilege
- Almost no load on the scan target server
- Deep Scan
- Scan with root privilege
- Parses the Changelog
Changelog has a history of version changes. When a security issue is fixed, the relevant CVE ID is listed.
By parsing the changelog and analysing the updates between the installed version of software on the server and the newest version of that software
it's possible to create a list of all vulnerabilities that need to be fixed.
- Sometimes load on the scan target server
- Remote scan and Local scan
- Remote Scan
- User is required to only setup one machine that is connected to other target servers via SSH
- Local Scan
- If you don't want the central Vuls server to connect to each server by SSH, you can use Vuls in the Local Scan mode.
- Scan middleware that are not included in OS package management
- Scan middleware, programming language libraries and framework for vulnerability
- Support software registered in CPE
- Agentless architecture
- User is required to only setup one machine that is connected to other target servers via SSH
- Nondestructive testing
- Pre-authorization is not necessary before scanning on AWS
- Pre-authorization is *NOT* necessary before scanning on AWS
- Vuls works well with Continuous Integration since tests can be run every day. This allows you to find vulnerabilities very quickly.
- Auto generation of configuration file template
- Auto detection of servers set using CIDR, generate configuration file template
- Email and Slack notification is possible (supports Japanese language)
@@ -168,14 +108,29 @@ Tutorial shows how to setup vuls manually.
----
# Tutorial
To give you an idea of how easy Vuls is to use.
This tutorial consists of three steps.
1. Tutorial: Local Scan Mode
- Launch CentOS on AWS
- Deploy Vuls
- Scan localhost, Reporting
1. Tutorial: Remote Scan Mode
- Launch Ubuntu Linux on AWS
- Scan this Ubuntu from the Vuls you set up earlier
----
# Tutorial: Local Scan Mode
This tutorial will let you scan the vulnerabilities on the localhost with Vuls.
This can be done in the following steps.
1. Launch Amazon Linux
1. Launch CentOS
1. Install requirements
1. Deploy go-cve-dictionary
1. Deploy goval-dictionary
1. Deploy Vuls
1. Configuration
1. Check config.toml and settings on the server before scanning
@@ -184,9 +139,9 @@ This can be done in the following steps.
1. TUI(Terminal-Based User Interface)
1. Web UI ([VulsRepo](https://github.com/usiusi360/vulsrepo))
## Step1. Launch Amazon Linux
## Step1. Launch CentOS7
- We are using the old AMI (amzn-ami-hvm-2015.09.1.x86_64-gp2 - ami-383c1956) for this example
- We are using the old AMI for this example
- Add the following to the cloud-init, to avoid auto-update at the first launch.
```
@@ -204,14 +159,14 @@ Vuls requires the following packages.
- git
- gcc
- GNU Make
- go v1.7.1 or later (The latest version is recommended)
- go v1.8.3 or later (The latest version is recommended)
- https://golang.org/doc/install
```bash
$ ssh ec2-user@52.100.100.100 -i ~/.ssh/private.pem
$ sudo yum -y install sqlite git gcc make
$ wget https://storage.googleapis.com/golang/go1.7.1.linux-amd64.tar.gz
$ sudo tar -C /usr/local -xzf go1.7.1.linux-amd64.tar.gz
$ ssh centos@52.100.100.100 -i ~/.ssh/private.pem
$ sudo yum -y install sqlite git gcc make wget
$ wget https://storage.googleapis.com/golang/go1.8.3.linux-amd64.tar.gz
$ sudo tar -C /usr/local -xzf go1.8.3.linux-amd64.tar.gz
$ mkdir $HOME/go
```
Add these lines into /etc/profile.d/goenv.sh
@@ -233,7 +188,7 @@ $ source /etc/profile.d/goenv.sh
```bash
$ sudo mkdir /var/log/vuls
$ sudo chown ec2-user /var/log/vuls
$ sudo chown centos /var/log/vuls
$ sudo chmod 700 /var/log/vuls
$
$ mkdir -p $GOPATH/src/github.com/kotakanbe
@@ -243,6 +198,8 @@ $ cd go-cve-dictionary
$ make install
```
The binary was built under `$GOPATH/bin`
If the installation process stops halfway, try increasing the instance type of EC2. An out of memory error may have occurred.
Fetch vulnerability data from NVD.
It takes about 10 minutes (on AWS).
@@ -252,10 +209,32 @@ $ cd $HOME
$ for i in `seq 2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -years $i; done
... snip ...
$ ls -alh cve.sqlite3
-rw-r--r-- 1 ec2-user ec2-user 7.0M Mar 24 13:20 cve.sqlite3
-rw-r--r--. 1 centos centos 51M Aug 6 08:10 cve.sqlite3
-rw-r--r--. 1 centos centos 32K Aug 6 08:10 cve.sqlite3-shm
-rw-r--r--. 1 centos centos 5.1M Aug 6 08:10 cve.sqlite3-wal
```
## Step4. Deploy Vuls
## Step4. Deploy goval-dictionary
[goval-dictionary](https://github.com/kotakanbe/goval-dictionary)
```bash
$ mkdir -p $GOPATH/src/github.com/kotakanbe
$ cd $GOPATH/src/github.com/kotakanbe
$ git clone https://github.com/kotakanbe/goval-dictionary.git
$ cd goval-dictionary
$ make install
```
The binary was built under `$GOPATH/bin`
If the installation process stops halfway, try increasing the instance type of EC2. An out of memory error may have occurred.
Then fetch OVAL data of RedHat since the server to be scanned is CentOS. [README](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-redhat)
```bash
$ goval-dictionary fetch-redhat 5 6 7
```
## Step5. Deploy Vuls
Launch a new terminal and SSH to the ec2 instance.
@@ -267,8 +246,9 @@ $ cd vuls
$ make install
```
The binary was built under `$GOPATH/bin`
If the installation process stops halfway, try increasing the instance type of EC2. An out of memory error may have occurred.
## Step5. Config
## Step6. Configuration
Create a config file(TOML format).
```
@@ -277,15 +257,12 @@ $ cat config.toml
[servers]
[servers.localhost]
host = "localhost"
port = "local"
host = "localhost"
port = "local"
```
Root privilege is needed on Some distributions.
Sudo with password is not supported for security reasons. So you have to define NOPASSWORD in /etc/sudoers.
See [Usage: Configtest#Check /etc/sudoers](#check-etcsudoers)
## Step6. Check config.toml and settings on the server before scanning
## Step7. Check config.toml and settings on the server before scanning
```
$ vuls configtest
@@ -293,50 +270,54 @@ $ vuls configtest
see [Usage: configtest](#usage-configtest)
## Step7. Start Scanning
## Step8. Start Scanning
```
$ vuls scan
... snip ...
Scan Summary
============
localhost amazon 2015.09 94 CVEs 103 updatable packages
One Line Summary
================
localhost centos7.3.1611 31 updatable packages
```
## Step8. Reporting
## Step9. Reporting
View one-line summary
```
$ vuls report -format-one-line-text -cvedb-path=$PWD/cve.sqlite3
$ vuls report -format-one-line-text -cvedb-path=$PWD/cve.sqlite3 -ovaldb-path=$PWD/oval.sqlite3
One Line Summary
================
localhost Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages
localhost Total: 109 (High:35 Medium:55 Low:16 ?:3) 31 updatable packages
```
View short summary.
View short summary
```
$ vuls report -format-short-text
localhost (amazon 2015.09)
===========================
Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages
localhost (centos7.3.1611)
==========================
Total: 109 (High:35 Medium:55 Low:16 ?:3) 31 updatable packages
CVE-2015-2806 10.0 HIGH (nvd)
Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows
remote attackers to have unspecified impact via unknown vectors.
---
https://nvd.nist.gov/vuln/detail/CVE-2015-2806
https://access.redhat.com/security/cve/CVE-2015-2806 (RHEL-CVE)
10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C (nvd)
2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P (redhat)
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2015-2806
3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L (redhat)
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2015-2806
Confidence: 100 / OvalMatch
CVE-2016-5636 10.0 (High) Integer overflow in the get_data function in zipimport.c in CPython (aka Python)
before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers
to have unspecified impact via a negative data size value, which triggers a
heap-based buffer overflow.
http://www.cvedetails.com/cve/CVE-2016-5636
https://access.redhat.com/security/cve/CVE-2016-5636
python27-2.7.10-4.119.amzn1 -> python27-2.7.12-2.120.amzn1
python27-devel-2.7.10-4.119.amzn1 -> python27-devel-2.7.12-2.120.amzn1
python27-libs-2.7.10-4.119.amzn1 -> python27-libs-2.7.12-2.120.amzn1
Confidence: 100 / YumUpdateSecurityMatch
... snip ...
````
@@ -344,35 +325,30 @@ View full report.
```
$ vuls report -format-full-text | less
localhost (centos7.3.1611)
==========================
Total: 109 (High:35 Medium:55 Low:16 ?:3) 31 updatable packages
localhost (amazon 2015.09)
============================
Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages
CVE-2016-5636
-------------
Score 10.0 (High)
Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Summary Integer overflow in the get_data function in zipimport.c in CPython (aka Python)
before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers
to have unspecified impact via a negative data size value, which triggers a
heap-based buffer overflow.
CWE https://cwe.mitre.org/data/definitions/190.html
NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5636
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636
CVE Details http://www.cvedetails.com/cve/CVE-2016-5636
CVSS Claculator https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2016-5636&vector=(AV:N/AC:L/...
RHEL-CVE https://access.redhat.com/security/cve/CVE-2016-5636
ALAS-2016-724 https://alas.aws.amazon.com/ALAS-2016-724.html
Package python27-2.7.10-4.119.amzn1 -> python27-2.7.12-2.120.amzn1
python27-devel-2.7.10-4.119.amzn1 -> python27-devel-2.7.12-2.120.amzn1
python27-libs-2.7.10-4.119.amzn1 -> python27-libs-2.7.12-2.120.amzn1
Confidence 100 / YumUpdateSecurityMatch
CVE-2015-2806
----------------
Max Score 10.0 HIGH (nvd)
nvd 10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
redhat 2.6/AV:N/AC:H/Au:N/C:N/I:N/A:P
redhat 3.3/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CVSSv2 Calc https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2015-2806
CVSSv3 Calc https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2015-2806
Summary Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows
remote attackers to have unspecified impact via unknown vectors.
Source https://nvd.nist.gov/vuln/detail/CVE-2015-2806
RHEL-CVE https://access.redhat.com/security/cve/CVE-2015-2806
CWE-119 (nvd) https://cwe.mitre.org/data/definitions/119.html
Package/CPE libtasn1-3.8-3.el7 -
Confidence 100 / OvalMatch
... snip ...
```
## Step9. TUI
## Step10. TUI
Vuls has Terminal-Based User Interface to display the scan result.
@@ -382,7 +358,7 @@ $ vuls tui
![Vuls-TUI](img/hello-vuls-tui.png)
## Step10. Web UI
## Step11. Web UI
[VulsRepo](https://github.com/usiusi360/vulsrepo) is a awesome Web UI for Vuls.
Check it out the [Online Demo](http://usiusi360.github.io/vulsrepo/).
@@ -394,9 +370,8 @@ Check it out the [Online Demo](http://usiusi360.github.io/vulsrepo/).
This tutorial will let you scan the vulnerabilities on the remote host via SSH with Vuls.
This can be done in the following steps.
1. Launch Another Amazon Linux
1. Install Dependencies on the Remote Host
1. Enable to SSH from Localhost
1. Launch new Ubuntu Linux
1. Enable to SSH from localhost
1. Configuration
1. Check config.toml and settings on the server before scanning
1. Scan
@@ -404,23 +379,18 @@ This can be done in the following steps.
We will use the Vuls server (called localhost) created in the previous tutorial.
## Step1. Launch Another Amazon Linux
## Step1. Launch new Ubuntu Linux
Same as [Tutorial: Local Scan Mode#Step1. Launch Amazon Linux](#step1-launch-amazon-linux)
Launch a new terminal and SSH to the Remote Server.
Same like as [Tutorial: Local Scan Mode#Step1. Launch CentOS7](#step1-launch-centos7)
Launch a new terminal and SSH to the Remote host.
To add the remote host's Host Key to $HOME/.ssh/known_hosts, you need to log in to the remote host through SSH before scanning.
## Step2. Install Dependencies on the Remote Server
Depending on the distribution you need to install dependent modules.
Install these dependencies manually or using Ansible etc.
For details of dependent libraries, see [Dependencies on Target Servers](#dependencies-on-target-servers)
## Step3. Enable to SSH from Localhost
## Step2. Enable to SSH from localhost
Vuls doesn't support SSH password authentication. So you have to use SSH key-based authentication.
Create a keypair on the localhost then append public key to authorized_keys on the remote host.
Create a keypair on the localhost then append the public key to authorized_keys on the remote host.
- Localhost
- localhost
```bash
$ ssh-keygen -t rsa
```
@@ -436,47 +406,49 @@ $ vim ~/.ssh/authorized_keys
```
Paste from the clipboard to ~/.ssh/.authorized_keys
SUDO with password is not supported for security reasons. So you have to define NOPASSWORD in /etc/sudoers on target servers.
See [Usage: Configtest#Check /etc/sudoers](#check-etcsudoers)
And also, confirm that the host keys of scan target servers has been registered in the known_hosts of the localhost.
To add the remote host's Host Key to $HOME/.ssh/known_hosts, you need to log in to the remote host through SSH before scanning.
And also, confirm that the host keys of scan target servers has been registered in the known_hosts of the Localhost.
- localhost
```
$ ssh ubuntu@172.31.4.82 -i ~/.ssh/id_rsa
```
## Step4. Config
## Step3. Configure (config.toml)
- Localhost
- localhost
```
$ cd $HOME
$ cat config.toml
[servers]
[servers.172-31-4-82]
[servers.ubuntu]
host = "172.31.4.82"
port = "22"
user = "ec2-user"
keyPath = "/home/ec2-user/.ssh/id_rsa"
user = "ubuntu"
keyPath = "/home/centos/.ssh/id_rsa"
```
## Step5. Check config.toml and settings on the server before scanning
## Step4. Check config.toml and settings on the server before scanning
```
$ vuls configtest
$ vuls configtest ubuntu
```
see [Usage: configtest](#usage-configtest)
## Step6. Start Scanning
## Step5. Start Scanning
```
$ vuls scan
$ vuls scan ubuntu
... snip ...
Scan Summary
============
172-31-4-82 amazon 2015.09 94 CVEs 103 updatable packages
One Line Summary
================
ubuntu ubuntu16.04 30 updatable packages
```
## Step7. Reporting
## Step6. Reporting
See [Tutorial: Local Scan Mode#Step8. Reporting](#step8-reporting)
See [Tutorial: Local Scan Mode#Step9. TUI](#step9-tui)
@@ -762,6 +734,7 @@ You can customize your configuration using this template.
$ vuls configtest --help
configtest:
configtest
[-deep]
[-config=/path/to/config.toml]
[-log-dir=/path/to/log]
[-ask-key-password]
@@ -779,6 +752,8 @@ configtest:
Test containers only. Default: Test both of hosts and containers
-debug
debug mode
-deep
Config test for deep scan mode
-http-proxy string
http://proxy-url:port (default: empty)
-log-dir string
@@ -790,31 +765,31 @@ configtest:
```
The configtest subcommand checks the following
- Whether vuls is able to connect via SSH to servers/containers defined in the config.toml
- Whether Dependent package is installed on the scan target server
- Check /etc/sudoers
The configtest subcommand checks whether vuls is able to connect via SSH to servers/containers defined in the config.toml
## Dependencies on Target Servers
## Deep Scan Mode
In order to scan, the following dependencies are required, so you need to install them manually or with tools such as Ansible.
Some dependent packages are needed in Deep Scan Mode.
The configtest subcommand with --deep flag checks whether the packages are installed on the scan target server and also check /etc/sudoers
### Dependencies and /etc/sudoers on Target Servers
In order to scan with deep scan mode, the following dependencies are required, so you need to install them manually or with tools such as Ansible.
| Distribution | Release | Requirements |
|:-------------|-------------------:|:-------------|
| Ubuntu | 12, 14, 16| - |
| Debian | 7, 8| aptitude |
| CentOS | 6, 7| yum-plugin-changelog, yum-utils |
| Amazon | All | - | TODO yum-utils?, yum-plugin-changelog
| RHEL | 5 | yum-security | TODO yum-utils?
| RHEL | 6, 7 | - | TODO yum-utils?
| Oracle Linux | 5 | yum-security | TODO yum-utils?
| Oracle Linux | 6, 7 | - |TODO yum-utils?
| Amazon | All | yum-plugin-changelog, yum-utils |
| RHEL | 5 | yum-utils, yum-security, yum-changelog |
| RHEL | 6, 7 | yum-utils, yum-plugin-changelog |
| Oracle Linux | 5 | yum-utils, yum-security, yum-changelog |
| Oracle Linux | 6, 7 | yum-utils, yum-plugin-changelog |
| FreeBSD | 10 | - |
| Raspbian | Wheezy, Jessie | - |
## Check /etc/sudoers
The configtest subcommand checks sudo settings on target servers whether Vuls is able to SUDO with nopassword via SSH. And if you run Vuls without -ssh-native-insecure option, requiretty must be defined in /etc/sudoers.
The configtest subcommand also checks sudo settings on target servers whether Vuls is able to SUDO with nopassword via SSH. And if you run Vuls without -ssh-native-insecure option, requiretty must be defined in /etc/sudoers.
```
Defaults:vuls !requiretty
```
@@ -822,37 +797,25 @@ For details, see [-ssh-native-insecure option](#-ssh-native-insecure-option)
Example of /etc/sudoers on target servers
- CentOS
```
vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --changelog --assumeno update *
Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
```
- RHEL 5 / Oracle Linux 5
```
vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never list-security --security, /usr/bin/yum --color=never check-update, /usr/bin/yum --color=never info-security
vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never list-security --security, /usr/bin/yum --color=never info-security
Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
```
- RHEL 6, 7 / Oracle Linux 6, 7
```
vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never --security updateinfo list updates, /usr/bin/yum --color=never check-update, /usr/bin/yum --color=never --security updateinfo updates
vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never --security updateinfo list updates, /usr/bin/yum --color=never --security updateinfo updates
Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
```
- Debian
- Debian/Ubuntu/Raspbian
```
vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
```
- Ubuntu/Raspbian
```
vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
```
- On Amazon Linux, FreeBSD, it is possible to scan without root privilege for now.
- On CentOS, Amazon Linux, FreeBSD, it is possible to scan without root privilege for now.
----
@@ -862,6 +825,7 @@ Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
$ vuls scan -help
scan:
scan
[-deep]
[-config=/path/to/config.toml]
[-results-dir=/path/to/results]
[-log-dir=/path/to/log]
@@ -887,6 +851,8 @@ scan:
Scan containers only. Default: Scan both of hosts and containers
-debug
debug mode
-deep
Deep scan mode. Scan accuracy improves and information becomes richer. Since analysis of changelog, issue commands requiring sudo, but it may be slower and high load on the scan tareget server.
-http-proxy string
http://proxy-url:port (default: empty)
-log-dir string
@@ -905,6 +871,23 @@ scan:
Number of second for scaning vulnerabilities for all servers (default 7200)
```
## -deep option
You need to execute `vuls configtest --deep` to check the configuration of the target server before scanning with -deep flag.
| Distribution | Changelog |
|:-------------|:---------:|
| Ubuntu | yes |
| Debian | yes |
| CentOS | yes |
| Amazon | yes |
| RHEL | yes |
| RHEL | yes |
| Oracle Linux | yes |
| Oracle Linux | yes |
| FreeBSD | no |
| Raspbian | yes |
## -ssh-native-insecure option
Vuls supports different types of SSH.
@@ -1054,6 +1037,9 @@ report:
[-cvedb-type=sqlite3|mysql|postgres]
[-cvedb-path=/path/to/cve.sqlite3]
[-cvedb-url=http://127.0.0.1:1323 DB connection string]
[-ovaldb-type=sqlite3|mysql]
[-ovaldb-path=/path/to/oval.sqlite3]
[-ovaldb-url=http://127.0.0.1:1324 or DB connection string]
[-cvss-over=7]
[-diff]
[-ignore-unscored-cves]
@@ -1131,6 +1117,12 @@ report:
[en|ja] (default "en")
-log-dir string
/path/to/log (default "/var/log/vuls")
-ovaldb-path string
/path/to/sqlite3 (For get oval detail from oval.sqlite3) (default "/Users/kotakanbe/go/src/github.com/future-architect/vuls/oval.sqlite3")
-ovaldb-type string
DB type for fetching OVAL dictionary (sqlite3 or mysql) (default "sqlite3")
-ovaldb-url string
http://goval-dictionary.com:1324 or mysql connection string
-pipe
Use stdin via PIPE
-refresh-cve
@@ -1186,47 +1178,45 @@ Confidence 100 / YumUpdateSecurityMatch
### Summary part
```
172-31-4-82 (amazon 2015.09)
============================
Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages
cent6 (centos6.6)
=================
Total: 145 (High:23 Medium:101 Low:21 ?:0) 83 updatable packages
```
- `172-31-4-82` means that it is a scan report of `servers.172-31-4-82` defined in cocnfig.toml.
- `(amazon 2015.09)` means that the version of the OS is Amazon Linux 2015.09.
- `Total: 94 (High:19 Medium:54 Low:7 ?:14)` means that a total of 94 vulnerabilities exist, and the distribution of CVSS Severity is displayed.
- `103 updatable packages` means that there are 103 updateable packages on the target server.
- `cent6` means that it is a scan report of `servers.cent6` defined in cocnfig.toml.
- `(centos6.6)` means that the version of the OS is CentOS6.6.
- `Total: 145 (High:23 Medium:101 Low:21 ?:0)` means that a total of 145 vulnerabilities exist, and the distribution of CVSS Severity is displayed.
- `83 updatable packages` means that there are 83 updateable packages on the target server.
### Detailed Part
```
CVE-2016-5636
-------------
Score 10.0 (High)
Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Summary Integer overflow in the get_data function in zipimport.c in CPython (aka Python)
before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers
to have unspecified impact via a negative data size value, which triggers a
heap-based buffer overflow.
CWE https://cwe.mitre.org/data/definitions/190.html
NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5636
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636
CVE Details http://www.cvedetails.com/cve/CVE-2016-5636
CVSS Claculator https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2016-5636&vector=(AV:N/AC:L/...
RHEL-CVE https://access.redhat.com/security/cve/CVE-2016-5636
ALAS-2016-724 https://alas.aws.amazon.com/ALAS-2016-724.html
Package python27-2.7.10-4.119.amzn1 -> python27-2.7.12-2.120.amzn1
python27-devel-2.7.10-4.119.amzn1 -> python27-devel-2.7.12-2.120.amzn1
python27-libs-2.7.10-4.119.amzn1 -> python27-libs-2.7.12-2.120.amzn1
Confidence 100 / YumUpdateSecurityMatch
CVE-2016-0702
----------------
Max Score 2.6 IMPORTANT (redhat)
nvd 1.9/AV:L/AC:M/Au:N/C:P/I:N/A:N
redhat 2.6/AV:L/AC:H/Au:N/C:P/I:P/A:N
jvn 1.9/AV:L/AC:M/Au:N/C:P/I:N/A:N
CVSSv2 Calc https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?name=CVE-2016-0702
Summary The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL
1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider
cache-bank access times during modular exponentiation, which makes it easier for
local users to discover RSA keys by running a crafted application on the same
Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka
a "CacheBleed" attack.
Source https://nvd.nist.gov/vuln/detail/CVE-2016-0702
RHEL-CVE https://access.redhat.com/security/cve/CVE-2016-0702
CWE-200 (nvd) https://cwe.mitre.org/data/definitions/200.html
Package/CPE openssl-1.0.1e-30.el6 - 1.0.1e-57.el6
Confidence 100 / OvalMatch
```
- `Score` means CVSS Score.
- `Vector` means [CVSS Vector](https://nvd.nist.gov/CVSS/Vector-v2.aspx)
- `Max Score` means Max CVSS Score.
- `nvd` shows [CVSS Vector](https://nvd.nist.gov/CVSS/Vector-v2.aspx) of NVD
- `redhat` shows [CVSS Vector](https://nvd.nist.gov/CVSS/Vector-v2.aspx) of RedHat OVAL
- `jvn` shows [CVSS Vector](https://nvd.nist.gov/CVSS/Vector-v2.aspx) of JVN
- `Summary` means Summary of the CVE.
- `CWE` means [CWE - Common Weakness Enumeration](https://nvd.nist.gov/cwe.cfm) of the CVE.
- `NVD` `MITRE` `CVE Details` `CVSS Caluculator`
- `RHEL-CVE` means the URL of OS distributor support.
- `Oracle-CVE` means the URL of the Oracle Linux errata information.
- `Package` shows the package version information including this vulnerability.
- `Confidence` means the reliability of detection.
- `100` is highly reliable
@@ -1235,33 +1225,14 @@ Confidence 100 / YumUpdateSecurityMatch
| Detection Method | Confidence | OS |Description|
|:-----------------------|-------------------:|:---------------------------------|:--|
| YumUpdateSecurityMatch | 100 | RHEL, Oracle Linux, Amazon Linux |Detection using yum-plugin-security|
| OvalMatch | 100 | CentOS, RHEL, Oracle, Ubuntu, Debian |Detection using OVAL |
| YumUpdateSecurityMatch | 100 | RHEL, Amazon, Oracle |Detection using yum-plugin-security|
| ChangelogExactMatch | 95 | CentOS, Ubuntu, Debian, Raspbian |Exact version match between changelog and package version|
| ChangelogLenientMatch | 50 | Ubuntu, Debian, Raspbian |Lenient version match between changelog and package version|
| PkgAuditMatch | 100 | FreeBSD |Detection using pkg audit|
| CpeNameMatch | 100 | All |Search for NVD information with CPE name specified in config.toml|
### Changelog Part
The scan results of Ubuntu, Debian, Raspbian or CentOS are also output Changelog in TUI or report with -format-full-text.
(RHEL, Amazon or FreeBSD will be available in the near future)
The output change log includes only the difference between the currently installed version and candidate version.
```
tar-1.28-2.1 -> tar-1.28-2.1ubuntu0.1
-------------------------------------
tar (1.28-2.1ubuntu0.1) xenial-security; urgency=medium
* SECURITY UPDATE: extract pathname bypass
- debian/patches/CVE-2016-6321.patch: skip members whose names contain
".." in src/extract.c.
- CVE-2016-6321
-- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 17 Nov 2016 11:06:07 -0500
```
## Example: Send scan results to Slack
```
$ vuls report \
@@ -1508,6 +1479,9 @@ tui:
[-cvedb-type=sqlite3|mysql|postgres]
[-cvedb-path=/path/to/cve.sqlite3]
[-cvedb-url=http://127.0.0.1:1323 DB connection string]
[-ovaldb-type=sqlite3|mysql]
[-ovaldb-path=/path/to/oval.sqlite3]
[-ovaldb-url=http://127.0.0.1:1324 or DB connection string]
[-refresh-cve]
[-results-dir=/path/to/results]
[-log-dir=/path/to/log]
@@ -1521,6 +1495,12 @@ tui:
DB type for fetching CVE dictionary (sqlite3, mysql or postgres) (default "sqlite3")
-cvedb-url string
http://cve-dictionary.com:8080 DB connection string
-ovaldb-path string
/path/to/sqlite3 (For get oval detail from oval.sqlite3) (default "/Users/kotakanbe/go/src/github.com/future-architect/vuls/oval.sqlite3")
-ovaldb-type string
DB type for fetching OVAL dictionary (sqlite3 or mysql) (default "sqlite3")
-ovaldb-url string
http://goval-dictionary.com:1324 or mysql connection string
-debug
debug mode
-debug-sql
@@ -1579,13 +1559,31 @@ $ go-cve-dictionary server -bind=192.168.10.1 -port=1323
Run Vuls with -cvedb-url option.
```
$ vuls scan -cvedb-url=http://192.168.0.1:1323
$ vuls report -cvedb-url=http://192.168.0.1:1323
```
# Usage: Update NVD Data
see [go-cve-dictionary#usage-fetch-nvd-data](https://github.com/kotakanbe/go-cve-dictionary#usage-fetch-nvd-data)
# Usage: goval-dictionary on different server
```
$ goval-dictionary server -bind=192.168.10.1 -port=1324
```
Run Vuls with -ovaldb-url option.
```
$ vuls report -ovaldb-url=http://192.168.0.1:1323
```
# Usage: Update OVAL Data
- [RedHat, CentOS](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-redhat)
- [Ubuntu](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-ubuntu)
- [Debian](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-debian)
- [Oracle](https://github.com/kotakanbe/goval-dictionary#usage-fetch-oval-data-from-oracle)
----