構成
実施したいこと
脆弱性診断出来るツールのdocker環境(version:1.12.6)用Vuls導入
・Web(テスト用)サーバのスキャン
・結果をレポートで出力
ZAPと同様に脆弱性判断する指標材料として使用
公式のvulsインストール方法を元に導入手順を確認
参考先(vulsインストール)
https://github.com/future-architect/vuls/blob/master/README.ja.md
https://github.com/future-architect/vuls/tree/master/setup/docker
事前準備(SCAN対象ホスト)
SSHでKYEを使用したログイン可能とする
実行対象へのパッケージ追加
■yum-utilsの追加
# yum install -y yum-utils
※yum-utils を追加しないと、configtestやSCAN実施時に
ERROR [0001] yum-utils is not installed
ERROR [localhost] Error: 0001, err: [yum-utils is not installed]
みたいなエラーが出て止まりました。
実施
Vuls用ディレクトリ移動
# cd
各dockerイメージを取得
■go-cve-dictionary
# docker pull vuls/go-cve-dictionary
# docker run --rm vuls/go-cve-dictionary -v
go-cve-dictionary v0.1.1 a64c5fc
■ goval-dictionary
# docker pull vuls/goval-dictionary
# docker run --rm vuls/goval-dictionary -v
goval-dictionary dca4f21
■ vuls
# docker pull vuls/vuls
# docker run --rm vuls/vuls -v
vuls v0.4.2 76a9c37
脆弱性データベース構築
■NVD(2002年以降のデータ取得)
# for i in `seq 2002 $(date +"%Y")`; do \
> docker run --rm -it \
> -v $PWD:/vuls \
> -v $PWD/go-cve-dictionary-log:/var/log/vuls \
> vuls/go-cve-dictionary fetchnvd -years $i; \
> done
0 / 1 0.00%[Dec 2 10:41:21] INFO Fetching... https://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2002.xml.gz
1 / 1 [================================================================================] 100.00% 11s
[Dec 2 10:41:32] INFO Fetched 6745 CVEs
[Dec 2 10:41:32] INFO Inserting NVD into DB (sqlite3).
[Dec 2 10:41:32] INFO Inserting CVEs...
--- snip ---
[Dec 2 11:03:32] INFO Fetched 9928 CVEs
[Dec 2 11:03:32] INFO Inserting NVD into DB (sqlite3).
[Dec 2 11:03:32] INFO Inserting CVEs...
9928 / 9928 [==========================================================================] 100.00% 46s
[Dec 2 11:04:19] INFO Refreshed 9928 Nvds.
#
■JVN (1998年以降のデータ取得)
# for i in `seq 1998 $(date +"%Y")`; do \
> docker run --rm -it \
> -v $PWD:/vuls \
> -v $PWD/go-cve-dictionary-log:/var/log/vuls \
> vuls/go-cve-dictionary fetchjvn -years $i; \
> done
[Dec 2 10:44:22] INFO Fetching CVE information from JVN.
0 / 1 0.00%[Dec 2 10:44:22] INFO Fetching... http://jvndb.jvn.jp/ja/rss/years/jvndb_1998.rdf
1 / 1 [=================================================================================] 100.00% 1s
[Dec 2 10:44:23] INFO Fetched 13 CVEs
[Dec 2 10:44:23] INFO Inserting JVN into DB (sqlite3).
[Dec 2 10:44:23] INFO Inserting fetched CVEs...
--- snip ---
[Dec 2 11:08:03] INFO Fetched 9187 CVEs
[Dec 2 11:08:03] INFO Inserting JVN into DB (sqlite3).
[Dec 2 11:08:03] INFO Inserting fetched CVEs...
9124 / 9124 [==========================================================================] 100.00% 10s
[Dec 2 11:08:13] INFO Refreshed 9076 Jvns.
#
■OVAL(Redhat)
# docker run --rm -it \
> -v $PWD:/vuls \
> -v $PWD/goval-dictionary-log:/var/log/vuls \
> vuls/goval-dictionary fetch-redhat 5 6 7
[Dec 2 10:41:56] INFO Fetching... https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_5.xml
[Dec 2 10:41:56] INFO Fetching... https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_6.xml
[Dec 2 10:41:56] INFO Fetching... https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml
--- snip ---
[Dec 2 10:44:14] INFO Finished to fetch OVAL definitions.
[Dec 2 10:44:15] INFO Fetched: https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_5.xml
[Dec 2 10:44:15] INFO 1271 OVAL definitions
[Dec 2 10:44:15] INFO Refreshing redhat 5...
[Dec 2 10:44:17] INFO Fetched: https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_7.xml
[Dec 2 10:44:17] INFO 550 OVAL definitions
[Dec 2 10:44:17] INFO Refreshing redhat 7...
[Dec 2 10:44:19] INFO Fetched: https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_6.xml
[Dec 2 10:44:19] INFO 1209 OVAL definitions
[Dec 2 10:44:19] INFO Refreshing redhat 6...
#
■OVAL(ubuntu)
# docker run --rm -it \
> -v $PWD:/vuls \
> -v $PWD/goval-dictionary-log:/var/log/vuls \
> vuls/goval-dictionary fetch-ubuntu 12 14 16
[Dec 2 10:48:51] INFO Fetching... https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.precise.cve.oval.xml
[Dec 2 10:48:51] INFO Fetching... https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.trusty.cve.oval.xml
[Dec 2 10:48:51] INFO Fetching... https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml
--- snip ---
[Dec 2 11:04:28] INFO Finished to fetch OVAL definitions.
[Dec 2 11:04:30] INFO Fetched: https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.xenial.cve.oval.xml
[Dec 2 11:04:30] INFO 10084 OVAL definitions
[Dec 2 11:04:30] INFO Refreshing ubuntu 16...
[Dec 2 11:04:37] INFO Fetched: https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.precise.cve.oval.xml
[Dec 2 11:04:37] INFO 13511 OVAL definitions
[Dec 2 11:04:37] INFO Refreshing ubuntu 12...
[Dec 2 11:04:46] INFO Fetched: https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.trusty.cve.oval.xml
[Dec 2 11:04:46] INFO 13086 OVAL definitions
[Dec 2 11:04:46] INFO Refreshing ubuntu 14...
#
localhost向け環境作成/実行
■ config.tomlの作成
# vi config.toml
[servers]
[servers.localhost]
host = "localhost"
port = "local"
■ Scanの実行
# docker run --rm -it\
> -v ~/.ssh:/root/.ssh:ro \
> -v $PWD:/vuls \
> -v $PWD/vuls-log:/var/log/vuls \
> vuls/vuls configtest \
> -config=./config.toml
[Dec 3 07:07:26] INFO [localhost] Validating config...
[Dec 3 07:07:26] INFO [localhost] Detecting Server/Container OS...
[Dec 3 07:07:26] INFO [localhost] Detecting OS of servers...
[Dec 3 07:07:27] INFO [localhost] (1/1) Detected: localhost: debian 9.2
[Dec 3 07:07:27] INFO [localhost] Detecting OS of containers...
[Dec 3 07:07:27] INFO [localhost] Checking dependencies...
[Dec 3 07:07:27] ERROR [localhost] reboot-notifier is not installed
[Dec 3 07:07:27] ERROR [localhost] Error: localhost, err: [reboot-notifier is not installed]
[Dec 3 07:07:27] INFO [localhost] Checking sudo settings...
[Dec 3 07:07:27] INFO [localhost] Scannable servers are below...
[root@sv01 ~]#
※CentOSで動いているのになぜ"debian 9.2"となって”reboot-notifier”が必要となるのか??
■ Scanの実行 実行てきているのか不明
# docker run --rm -it \
> -v ~/.ssh:/root/.ssh:ro \
> -v $PWD:/vuls \
> -v $PWD/vuls-log:/var/log/vuls \
> -v /etc/localtime:/etc/localtime:ro \
> -e "TZ=Asia/Tokyo" \
> vuls/vuls scan \
> -config=./config.toml
[Dec 3 14:33:04] INFO [localhost] Start scanning
[Dec 3 14:33:04] INFO [localhost] config: ./config.toml
[Dec 3 14:33:04] INFO [localhost] Validating config...
[Dec 3 14:33:04] INFO [localhost] Detecting Server/Container OS...
[Dec 3 14:33:04] INFO [localhost] Detecting OS of servers...
[Dec 3 14:33:04] INFO [localhost] (1/1) Detected: localhost: debian 9.2
[Dec 3 14:33:04] INFO [localhost] Detecting OS of containers...
[Dec 3 14:33:04] INFO [localhost] Detecting Platforms...
[Dec 3 14:33:04] INFO [localhost] (1/1) localhost is running on other
[Dec 3 14:33:04] INFO [localhost] Scanning vulnerabilities...
[Dec 3 14:33:04] INFO [localhost] Scanning vulnerable OS packages...
One Line Summary
================
localhost debian9.2 0 updatable packages
To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
[root@sv01 ~]#
※CentOSで動いているのになぜdebianが表示されたのか??
■ report出力の実行 ※実行てきているのか不明
# docker run --rm -it \
> -v ~/.ssh:/root/.ssh:ro \
> -v $PWD:/vuls \
> -v $PWD/vuls-log:/var/log/vuls \
> -v /etc/localtime:/etc/localtime:ro \
> vuls/vuls report \
> -cvedb-path=/vuls/cve.sqlite3 \
> -ovaldb-path=/vuls/oval.sqlite3 \
> -format-short-text \
> -config=./config.toml
[Dec 3 16:15:53] INFO [localhost] Validating config...
[Dec 3 16:15:53] INFO [localhost] cve-dictionary: /vuls/cve.sqlite3
[Dec 3 16:15:53] INFO [localhost] Loaded: /vuls/results/2017-12-03T16:13:52+09:00
[Dec 3 16:15:53] INFO [localhost] Fill CVE detailed information with OVAL
[Dec 3 16:15:53] WARN [localhost] OVAL entries of debian 9.2 are not found. It's recommended to use OVAL to improve scanning accuracy. For details, see https://github.com/kotakanbe/goval-dictionary#usage , Then report with --ovaldb-path or --ovaldb-url flag
[Dec 3 16:15:53] INFO [localhost] Fill CVE detailed information with CVE-DB
localhost (debian9.2)
=====================
Total: 0 (High:0 Medium:0 Low:0 ?:0) 0 updatable packages
No CVE-IDs are found in updatable packages.
0 updatable packages
[root@sv01 ~]#
※OVAL debian用を追加する必要あるのか??
リモートWebサーバ向け環境作成/実行
■ config.tomlの作成
# vi config.toml
[servers]
[servers.0001]
host = "192.168.20.161"
port = "22"
user = "root"
keyPath = "/root/.ssh/id_rsa"
■ configtestの実行
# docker run --rm -it\
> -v ~/.ssh:/root/.ssh:ro \
> -v $PWD:/vuls \
> -v $PWD/vuls-log:/var/log/vuls \
> vuls/vuls configtest \
> -config=./config.toml # path to config.toml in docker
[Dec 3 06:54:47] INFO [localhost] Validating config...
[Dec 3 06:54:47] INFO [localhost] Detecting Server/Container OS...
[Dec 3 06:54:47] INFO [localhost] Detecting OS of servers...
[Dec 3 06:54:50] INFO [localhost] (1/1) Detected: 0001: centos 7.4.1708
[Dec 3 06:54:50] INFO [localhost] Detecting OS of containers...
[Dec 3 06:54:50] INFO [localhost] Checking dependencies...
[Dec 3 06:54:50] INFO [0001] Dependencies ... Pass
[Dec 3 06:54:50] INFO [localhost] Checking sudo settings...
[Dec 3 06:54:50] INFO [0001] sudo ... No need
[Dec 3 06:54:50] INFO [localhost] Scannable servers are below...
0001
[root@sv01 ~]#
※リモートサーバはCentOSと認識された。
■ Scanの実行
# docker run --rm -it \
> -v ~/.ssh:/root/.ssh:ro \
> -v $PWD:/vuls \
> -v $PWD/vuls-log:/var/log/vuls \
> -v /etc/localtime:/etc/localtime:ro \
> -e "TZ=Asia/Tokyo" \
> vuls/vuls scan \
> -config=./config.toml
[Dec 3 15:54:03] INFO [localhost] Start scanning
[Dec 3 15:54:03] INFO [localhost] config: ./config.toml
[Dec 3 15:54:03] INFO [localhost] Validating config...
[Dec 3 15:54:03] INFO [localhost] Detecting Server/Container OS...
[Dec 3 15:54:03] INFO [localhost] Detecting OS of servers...
[Dec 3 15:54:05] INFO [localhost] (1/1) Detected: 0001: centos 7.4.1708
[Dec 3 15:54:05] INFO [localhost] Detecting OS of containers...
[Dec 3 15:54:05] INFO [localhost] Detecting Platforms...
[Dec 3 15:54:06] INFO [localhost] (1/1) 0001 is running on other
[Dec 3 15:54:06] INFO [localhost] Scanning vulnerabilities...
[Dec 3 15:54:06] INFO [localhost] Scanning vulnerable OS packages...
One Line Summary
================
0001 centos7.4.1708 49 updatable packages
To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
[root@sv01 ~]#
■ report出力の実行
# docker run --rm -it \
> -v ~/.ssh:/root/.ssh:ro \
> -v $PWD:/vuls \
> -v $PWD/vuls-log:/var/log/vuls \
> -v /etc/localtime:/etc/localtime:ro \
> vuls/vuls report \
> -cvedb-path=/vuls/cve.sqlite3 \
> -ovaldb-path=/vuls/oval.sqlite3 \
> -format-short-text \
> -config=./config.toml
[Dec 3 15:55:27] INFO [localhost] Validating config...
[Dec 3 15:55:27] INFO [localhost] cve-dictionary: /vuls/cve.sqlite3
[Dec 3 15:55:27] INFO [localhost] Loaded: /vuls/results/2017-12-03T15:54:06+09:00
[Dec 3 15:55:27] INFO [localhost] Fill CVE detailed information with OVAL
[Dec 3 15:55:27] INFO [localhost] OVAL is fresh: redhat 7.4.1708
[Dec 3 15:55:29] INFO [localhost] Fill CVE detailed information with CVE-DB
0001 (centos7.4.1708)
=====================
Total: 26 (High:10 Medium:10 Low:6 ?:0) 49 updatable packages
CVE-2017-11176 10.0 HIGH (nvd)
The mq_notify function in the Linux kernel through 4.11.9 does not set the sock
pointer to NULL upon entry into the retry logic. During a user-space close of a
Netlink socket, it allows attackers to cause a denial of service
CVE-2017-13089 9.3 HIGH (nvd)
The http.c:skip_short_body() function is called in some circumstances, such as
when processing redirects. When the response is sent chunked in wget before
1.19.2, the chunk parser uses strtol() to read each chunk's length, but doesn't
--- snip ---
#