diff --git a/README.ja.md b/README.ja.md index dedc1db1..fdd7987e 100644 --- a/README.ja.md +++ b/README.ja.md @@ -350,7 +350,9 @@ $ vim ~/.ssh/authorized_keys Paste from the clipboard to ~/.ssh/.authorized_keys パスワードありのsudoはセキュリティ上の理由からサポート指定いないので、スキャンに必要なコマンドは、`NOPASSAWORD`として、remote host上の`etc/sudoers`に定義しておく。 -See [Usage: Configtest#Check /etc/sudoers](https://github.com/future-architect/vuls#check-etcsudoers) +See [Usage: Configtest#Check /etc/sudoers](#check-etcsudoers) + +また、localhostのknown_hostsにremote hostのホストキーが登録されている必要があるので確認すること。 ## Step4. Config @@ -642,14 +644,14 @@ host = "172.31.4.82" - port: SSH Port number - user: SSH username - keyPath: SSH private key path - - cpeNames: see [Usage: Scan vulnerability of non-OS package](https://github.com/future-architect/vuls/blob/master/README.ja.md#usage-scan-vulnerability-of-non-os-package) + - cpeNames: see [Usage: Scan vulnerability of non-OS package](#usage-scan-vulnerability-of-non-os-package) - ignoreCves: CVE IDs that will not be reported. But output to JSON file. - optional: JSONレポートに含めたい追加情報 - - containers: see [Usage: Scan Docker containers](https://github.com/future-architect/vuls/blob/master/README.ja.md#usage-scan-docker-containers) + - containers: see [Usage: Scan Docker containers](#usage-scan-docker-containers) Vulsは各サーバにSSHで接続するが、OSコマンドでの接続と、Goのネイティブ実装の2種類のSSH接続方法をサポートしている。 - 詳細は [-ssh-native-insecure option](https://github.com/future-architect/vuls/blob/master/README.ja.md#-ssh-native-insecure-option) を参照。 + 詳細は [-ssh-native-insecure option](#-ssh-native-insecure-option) を参照。 また、以下のSSH認証をサポートしている。 - SSH agent 
@@ -714,7 +716,13 @@ configtestサブコマンドは以下をチェックする ## Check /etc/sudoers -スキャン対象サーバに対してパスワードなしでSUDO可能な状態かもチェックする。 +スキャン対象サーバに対してパスワードなしでSUDO可能な状態か確認する。 +また、requirettyも定義されているか確認する。(--ssh-native-insecureオプションでscanする場合はrequirettyは定義しなくても良い) +``` +Defaults:vuls !requiretty +``` +For details, see [-ssh-native-insecure option](#-ssh-native-insecure-option) + スキャン対象サーバ上の`/etc/sudoers`のサンプル - CentOS @@ -836,7 +844,7 @@ $ vuls scan server1 server2 ローカルホストのスキャンする場合、SSHではなく直接コマンドの発行が可能。 config.tomlのhostに`localhost または 127.0.0.1`かつ、portに`local`を設定する必要がある。 -For more details, see [Architecture section](https://github.com/future-architect/vuls#architecture) +For more details, see [Architecture section](#architecture) - config.toml ``` @@ -863,7 +871,7 @@ Defaults:vuls !requiretty ### Docker Vulsは、DockerホストにSSHで接続し、`docker exec`でDockerコンテナにコマンドを発行して脆弱性をスキャンする。 -詳細は、[Architecture section](https://github.com/future-architect/vuls#architecture)を参照 +詳細は、[Architecture section](#architecture)を参照 - 全ての起動中のDockerコンテナをスキャン `"${running}"` をcontainersに指定する diff --git a/README.md b/README.md index 2e5b6646..fdfc0657 100644 --- a/README.md +++ b/README.md @@ -330,7 +330,7 @@ For details of dependent libraries, see [Dependencies on Target Servers](#depend ## Step3. Enable to SSH from Localhost Vuls doesn't support SSH password authentication. So you have to use SSH key-based authentication. -Create a keypair on the localhost then append public key to authorized_keys on the remote host. +Create a keypair on the localhost then append public key to authorized_keys on the remote host. - Localhost ```bash 
@@ -348,8 +348,10 @@ $ vim ~/.ssh/authorized_keys ``` Paste from the clipboard to ~/.ssh/.authorized_keys -And also, SUDO with password is not supported for security reasons. So you have to define NOPASSWORD in /etc/sudoers on target servers. -See [Usage: Configtest#Check /etc/sudoers](https://github.com/future-architect/vuls#check-etcsudoers) +SUDO with password is not supported for security reasons. So you have to define NOPASSWORD in /etc/sudoers on target servers. +See [Usage: Configtest#Check /etc/sudoers](#check-etcsudoers) + +And also, confirm that the host keys of scan target servers has been registered in the known_hosts of the Localhost. ## Step4. Config @@ -652,12 +654,12 @@ You can customize your configuration using this template. - port: SSH Port number - user: SSH username - keyPath: SSH private key path - - cpeNames: see [Usage: Scan vulnerability of non-OS package](https://github.com/future-architect/vuls#usage-scan-vulnerability-of-non-os-package) + - cpeNames: see [Usage: Scan vulnerability of non-OS package](#usage-scan-vulnerability-of-non-os-package) - ignoreCves: CVE IDs that will not be reported. But output to JSON file. - optional: Add additional information to JSON report. - containers: see [Example: Scan containers (Docker/LXD)(#example-scan-containers-dockerlxd) - Vuls supports two types of SSH. One is external command. The other is native go implementation. For details, see [-ssh-native-insecure option](https://github.com/future-architect/vuls#-ssh-native-insecure-option) + Vuls supports two types of SSH. One is external command. The other is native go implementation. For details, see [-ssh-native-insecure option](#-ssh-native-insecure-option) Multiple SSH authentication methods are supported. - SSH agent 
@@ -724,7 +726,11 @@ In order to scan, the following dependencies are required, so you need to instal ## Check /etc/sudoers -The configtest subcommand checks sudo settings on target servers whether Vuls is able to SUDO with nopassword via SSH. +The configtest subcommand checks sudo settings on target servers whether Vuls is able to SUDO with nopassword via SSH. And if you run Vuls without -ssh-native-insecure option, requiretty must be defined in /etc/sudoers. +``` +Defaults:vuls !requiretty +``` +For details, see [-ssh-native-insecure option](#-ssh-native-insecure-option) Example of /etc/sudoers on target servers @@ -848,7 +854,7 @@ With this sample command, it will .. ## Example: Scan via shell instead of SSH. Vuls scans localhost instead of SSH if the host address is `localhst or 127.0.0.1` and the port is `local` in config. -For more details, see [Architecture section](https://github.com/future-architect/vuls#architecture) +For more details, see [Architecture section](#architecture) - config.toml ``` @@ -873,7 +879,7 @@ see [Docker Blog:Why you don't need to run SSHd in your Docker containers](https ### Docker Vuls scans Docker containers via `docker exec` instead of SSH. -For more details, see [Architecture section](https://github.com/future-architect/vuls#architecture) +For more details, see [Architecture section](#architecture) - To scan all of running containers `"${running}"` needs to be set in the containers item. diff --git a/scan/executil.go b/scan/executil.go index f780c0ac..81b45452 100644 --- a/scan/executil.go +++ b/scan/executil.go @@ -259,8 +259,7 @@ func sshExecExternal(c conf.ServerInfo, cmd string, sudo bool) (result execResul defaultSSHArgs := []string{ "-tt", - "-o", "StrictHostKeyChecking=no", - "-o", "UserKnownHostsFile=/dev/null", + "-o", "StrictHostKeyChecking=yes", "-o", "LogLevel=quiet", "-o", "ConnectionAttempts=3", "-o", "ConnectTimeout=10",
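Review bot: In the README.ja.md Step3 hunk the new known_hosts sentence states the precondition but not how to satisfy it; since the executil.go change makes an unregistered host a hard failure, add the one-liner readers will need (for example `ssh-keyscan -H <host> >> ~/.ssh/known_hosts`, or a first manual `ssh` to the target) next to it. While touching this block, the unchanged context lines around it carry typos worth fixing in the same PR: `~/.ssh/.authorized_keys` (stray dot), `NOPASSAWORD`, and `etc/sudoers` (missing leading slash).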
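Review bot: In the README.ja.md "Check /etc/sudoers" hunk the added sentence says to confirm that requiretty "is defined", but the example immediately below it is `Defaults:vuls !requiretty`, which disables requiretty for the vuls user; please reword to "confirm that requiretty is disabled (`!requiretty`) for the scan user" so the prose and the sample agree. The parenthetical also spells the flag `--ssh-native-insecure` while the rest of the document and the link target use `-ssh-native-insecure`; pick one spelling. The new code fence should also carry a language tag for consistency with the other fenced blocks in this README.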
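Review bot: The README.md hunk at `@@ -330,7 +330,7 @@` changes only trailing whitespace on the "Create a keypair on the localhost ..." line (the before and after text are identical), which adds noise to the diff and blame; drop this hunk from the change.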
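Review bot: In the README.md Step3 hunk, "confirm that the host keys of scan target servers has been registered in the known_hosts of the Localhost" should read "have been registered in the known_hosts file on the localhost"; as with the Japanese text, it should also tell the reader how to register them (`ssh-keyscan -H <host> >> ~/.ssh/known_hosts` or an initial manual `ssh`), because after this PR the external ssh path refuses to connect otherwise.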
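Review bot: In the README.md config-section hunk (`@@ -652,12 +654,12 @@`), the unchanged context line `- containers: see [Example: Scan containers (Docker/LXD)(#example-scan-containers-dockerlxd)` is missing the closing `]` after the link text, so it does not render as a link; since this PR is already converting the neighbouring links to relative anchors, fix it to `[Example: Scan containers (Docker/LXD)](#example-scan-containers-dockerlxd)` here as well.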
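Review bot: In the README.md "Check /etc/sudoers" hunk, "requiretty must be defined in /etc/sudoers" is the opposite of what the example `Defaults:vuls !requiretty` shows; what must be present is the negated form, i.e. requiretty must be disabled for the scan user. Suggest: "if you run Vuls without the -ssh-native-insecure option, requiretty must be disabled for the vuls user in /etc/sudoers (`Defaults:vuls !requiretty`)". The "Example: Scan via shell instead of SSH" hunk that follows also keeps the `localhst` typo in its context line; worth fixing in the same pass.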
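Review bot: In the scan/executil.go hunk, replacing `StrictHostKeyChecking=no` plus `UserKnownHostsFile=/dev/null` with `StrictHostKeyChecking=yes` is the right hardening, but `-o LogLevel=quiet` stays in the same `defaultSSHArgs`, and at that level ssh suppresses its error output, so the "Host key verification failed" message for a target missing from `~/.ssh/known_hosts` (or whose key has changed) will most likely never reach the user and the scan will fail with only a non-zero exit status. Consider having the external-ssh failure path emit a Vuls-side error that names known_hosts, and, since the README now lists registered host keys as a precondition, having `configtest` verify the host key is present for each target before `scan` runs. This hunk does not touch the native Go path; if that path still skips host-key verification, the `-ssh-native-insecure` section should say so explicitly now that the default path verifies.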