Linux, セキュリティ

Vuls+VulsRepoのインストール CentOS7 パッケージ脆弱性スキャナ

Vuls

 

 

VulsでRedHat系OSの脆弱性をスキャンする 定期更新スクリプト

寄稿しました。

 

会社内のESXi上にVulsサーバを設置し、外部のサーバ群の脆弱性を管理しています…(๑❛ᴗ❛๑ )

 

Vulsサーバのインストール+設定

 

開発系+基本インストール

# yum groupinstall "Development Tools"

# yum groupinstall "Base"
 
# yum install gcc gcc-c++ pcre-devel zlib-devel make wget openssl-devel libxml2 libxml2-devel libxslt-devel libxslt libxslt-devel gd-devel perl-ExtUtils-Embed GeoIP-devel gperftools-devel flex libmcrypt libtool-ltdl libtidy libXpm libtiff gd-last autoconf automake gmp gmp-devel libgmp.so.3 libssl.so.6

# yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel perl-ExtUtils-MakeMaker

# yum install sqlite git gcc make yum-plugin-changelog
# yum update
# reboot now

 

Vuls用ユーザの作成

# useradd vulsuser

# passwd vulsuser

 

# visudo

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

※下記を追加

Defaults:vuls !requiretty
vulsuser ALL=(root) NOPASSWD: ALL
Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"

 

ここからVuls用ユーザで作業します。

# su - vulsuser

 

公開鍵認証用の鍵ペアを作る

$ ssh-keygen -t rsa -b 4096

 

$ cat id_rsa

-----BEGIN RSA PRIVATE KEY-----
MIIJKQjjoidsofijdslkfjlakfopoerdpotdj53498vl;sgfdgazAdflk$#sdfaf
MnQo889W9WMCGvwlcDX2Ml1VgaQuDdtZLd8+ER+AWdi/pdtrXBaqjkqe5Zkr802n
A705NYPnn76kLfhaBAWw/vQXD819ufk7PBpLCDEbj23iz/b7/Lm47oxhtRW28gRM
MIIJKQjjoidsofijdslkfjlakfopoerdpot53498vl;sgfdgazAdfgslk$#sdfaf
MnQo889W9WMCGvwlcDX2Ml1VgaQuDdtZLd8+ER+AWdi/pdtrXBaqjkqe5Zkr802n
A705NYPnn76kLfhaBAWw/vQXD819ufk7PBpLCDEbj23iz/b7/Lm47oxhtRW28gRM

(略)

MIIJKQjjoidsofijdslkfjlakfopoerdpot53498vl;sgfdgazAdfgslk$#sdfaf
MnQo889W9WMCGvwlcDX2Ml1VgaQuDdtZLd8+ER+AWdi/pdtrXBaqjkqe5Zkr802n
A705NYPnn76kLfhaBAWw/vQXD819ufk7PBpLCDEbj23iz/b7/Lm47oxhtRW28gRM
l0URzEnbBmFZ0L3hOGDn678G7aO4vffGEvEP9LvF0CbXXJ93iP6EkxK0ZV80
-----END RSA PRIVATE KEY-----

 

$ cat id_rsa.pub

ssh-rsa oiwto4tp42AFDSfoEBbD+9BcPzX25+Ts8GksIMRuPbeLP9vv8ubjujGG1FbbyBExpqLWVOa2/eXpkYIVnGUzEExQ/UiJzVTZw1uifS/LGydcOXFEFvLsYUmFUQjoXpLIxyf76FXLWg1JXLlKC8zzC3f3A+xN3RVtxTbWUv6eu2UPhBaItCwrNQqDaQSRfCSDioY472wlW23fXSQLMpVpqeyvQzoDGHJ0UByPsVMk8PXqyegG5wg/qC/ujlbSbirAnVjX5d/mxQRDs8ynZF85YtX8LwyCTZBu3uzkUoMIHovmLKDFs3duw8IPEc9QtRK6x0y5z2V9L4c1H/8YpJww57HUzzEbbuvjihMt1kpnrpNrB4lPVGtoV0nGVLhQ86djAZQPurfvT0dyEO0sFWDSRTWEj/zh==

 

パーミッション設定

$ sudo chmod 700 /home/vulsuser/.ssh

$ sudo chmod 400 /home/vulsuser/.ssh/id_rsa

$ mv /home/vulsuser/.ssh/id_rsa.pub /home/vulsuser/.ssh/authorized_keys

$ sudo chmod 600 /home/vulsuser/.ssh/authorized_keys

 

SSH設定

$ sudo vi /etc/ssh/sshd_config


#Port 22
Port xxx22

#PermitRootLogin yes
PermitRootLogin no

#PasswordAuthentication yes
PasswordAuthentication no

 

$ sudo sshd -t

$ sudo systemctl reload sshd

 

Go言語インストール

$ cd
https://golang.org/dl/

$ wget https://storage.googleapis.com/golang/go1.9.linux-amd64.tar.gz
$ sudo tar -C /usr/local -xzf go1.9.linux-amd64.tar.gz

$ mkdir $HOME/go

$ ls
go  go1.9.linux-amd64.tar.gz

$ rm go1.9.linux-amd64.tar.gz

 

環境変数設定

$ sudo vi /etc/profile.d/goenv.sh

export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin

 

反映させる

$ sudo chmod 755 /etc/profile.d/goenv.sh

$ source /etc/profile.d/goenv.sh

$ go version
go version go1.9 linux/amd64

 

辞書ファイルライブラリのインストール

$ sudo mkdir /var/log/vuls

$ sudo chown vulsuser /var/log/vuls

$ sudo chmod 700 /var/log/vuls

$ mkdir -p $GOPATH/src/github.com/kotakanbe

 

$ cd $GOPATH/src/github.com/kotakanbe

$ pwd
/home/vulsuser/go/src/github.com/kotakanbe

$ git clone https://github.com/kotakanbe/go-cve-dictionary.git

Cloning into 'go-cve-dictionary'...
remote: Counting objects: 500, done.
remote: Total 500 (delta 0), reused 0 (delta 0), pack-reused 500
Receiving objects: 100% (500/500), 142.72 KiB | 64.00 KiB/s, done.
Resolving deltas: 100% (259/259), done.


$ cd go-cve-dictionary

$ make install

go get -u github.com/golang/dep/...
dep ensure
go install -ldflags "-X 'main.version=v0.1.1' -X 'main.revision=f5406ff'"

 

 

エラーが出る場合

古いバージョンのgoが残っているパターンの場合

go get -u github.com/golang/dep/…
go install runtime/internal/atomic: open /usr/local/go/pkg/linux_amd64/runtime/internal/atomic.a: permission denied
make: *** [dep] Error 1

エラー

$ cd /usr/local

$ ls -laht
total 287M
drwxr-xr-x 13 root root 4.0K Sep 27 21:18 .
drwxr-xr-x 13 root root 4.0K Sep 26 14:49 ..
-rw-r–r– 1 root root 286M Aug 25 07:44 go1.9.linux-amd64.tar
drwxr-xr-x 11 root root 4.0K Aug 25 06:51 go

 

$ sudo rm -rf /usr/local/go

 

脆弱性データベース取得

$ cd $HOME

$ pwd
/home/vulsuser

NVD 約10分
$ for i in `seq 2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -years $i; done

JVN 約5分
$ for i in `seq 1998 $(date +"%Y")`; do go-cve-dictionary fetchjvn -years $i; done

 

Redhat系脆弱性情報取得 CentOS5, 6, 7

$ cd $GOPATH/src/github.com/kotakanbe

$ git clone https://github.com/kotakanbe/goval-dictionary.git

$ cd goval-dictionary
 
$ make install

fatal: No names found, cannot describe anything.
go get -u github.com/golang/dep/...
dep ensure
go install -ldflags "-X 'main.version=' -X 'main.revision=fd8ff5a'"


$ goval-dictionary fetch-redhat -dbpath=$HOME/oval.sqlite3 5 6 7

 

Vulsのインストール

$ mkdir -p $GOPATH/src/github.com/future-architect

$ cd $GOPATH/src/github.com/future-architect

$ pwd
/home/vulsuser/go/src/github.com/future-architect


$ git clone https://github.com/future-architect/vuls.git

Cloning into 'vuls'...
remote: Counting objects: 3756, done.
remote: Compressing objects: 100% (32/32), done.
remote: Total 3756 (delta 17), reused 22 (delta 11), pack-reused 3711
Receiving objects: 100% (3756/3756), 3.94 MiB | 1.13 MiB/s, done.
Resolving deltas: 100% (2564/2564), done.




$ cd vuls

vuls]$ make install

go get -u github.com/golang/dep/...
dep ensure
go install -ldflags "-X 'main.version=v0.4.0' -X 'main.revision=e5eb8e4'"

 

コンフィグ設定

 

$ vi /home/vulsuser/config.toml

[email]
smtpAddr      = "localhost"
smtpPort      = "25"
from          = "VulsServer@example.net"
to            = ["hoge@gmail.com"]
subjectPrefix = "[vuls]"


[servers]

# localhost
[servers.localhost]
host =      "localhost" 
port =      "local"


# HOGEサーバ
[servers.HOGE]
host = "153.xxx.yyy.17"
port = "xxx22"
user = "vulsuser"
keyPath = "/home/vulsuser/.ssh/id_rsa"


# MOGEサーバ
[servers.MOGE]
host = "153.xxx.yyy.46"
port = "xxx22"
user = "vulsuser"
keyPath = "/home/vulsuser/.ssh/id_rsa"

 

 

 

“クライアント側”サーバ作業 ※検査される対象

# useradd vulsuser

# su - vulsuser

$ mkdir .ssh

Vulsサーバで作った公開鍵を貼り付ける。
$ vi ~/.ssh/authorized_keys

ssh-rsa oiwto4tp42AFDSfoEBbD+9BcPzX25+Ts8GksIMRuPbeLP9vv8ubjujGG1FbbyBExpqLWVOa2/eXpkYIVnGUzEExQ/UiJzVTZw1uifS/LGydcOXFEFvLsYUmFUQjoXpLIxyf76FXLWg1JXLlKC8zzC3f3A+xN3RVtxTbWUv6eu2UPhBaItCwrNQqDaQSRfCSDioY472wlW23fXSQLMpVpqeyvQzoDGHJ0UByPsVMk8PXqyegG5wg/qC/ujlbSbirAnVjX5d/mxQRDs8ynZF85YtX8LwyCTZBu3uzkUoMIHovmLKDFs3duw8IPEc9QtRK6x0y5z2V9L4c1H/8YpJww57HUzzEbbuvjihMt1kpnrpNrB4lPVGtoV0nGVLhQ86djAZQPurfvT0dyEO0sFWDSRTWEj/zh==


$ chmod 700 .ssh

$ chmod 600 ~/.ssh/authorized_keys

 

 

Vulsサーバ側作業

クライアント側サーバに手動で1度ログインを行うことで、クライアントのknown_hostsに登録する。※これを行わないとエラーになる。

$ ssh vulsuser@153.xxx.yyy.46 -p 35522 -i /home/vulsuser/.ssh/id_rsa

(略)
Are you sure you want to continue connecting (yes/no)? yes


$ ssh vulsuser@153.xxx.yyy.17 -p 35522 -i /home/vulsuser/.ssh/id_rsa

(略)
Are you sure you want to continue connecting (yes/no)? yes

 

 

 

コンフィグテスト

$ cd $HOME


$ vuls configtest

[Sep 28 18:30:38]  INFO [localhost] Validating config...
[Sep 28 18:30:38]  INFO [localhost] Detecting Server/Container OS...
[Sep 28 18:30:38]  INFO [localhost] Detecting OS of servers...
[Sep 28 18:30:38]  INFO [localhost] (1/3) Detected: localhost: centos 7.4.1708
[Sep 28 18:30:39]  INFO [localhost] (2/3) Detected: MOGE: centos 6.8
[Sep 28 18:30:41]  INFO [localhost] (3/3) Detected: HOGE: centos 7.4.1708
[Sep 28 18:30:41]  INFO [localhost] Detecting OS of containers...
[Sep 28 18:30:41]  INFO [localhost] Checking dependencies...
[Sep 28 18:30:41]  INFO [localhost] Dependencies ... Pass
[Sep 28 18:30:42]  INFO [MOGE] Dependencies ... Pass
[Sep 28 18:30:42]  INFO [HOGE] Dependencies ... Pass
[Sep 28 18:30:42]  INFO [localhost] Checking sudo settings...
[Sep 28 18:30:42]  INFO [HOGE] sudo ... No need
[Sep 28 18:30:42]  INFO [localhost] sudo ... No need
[Sep 28 18:30:42]  INFO [MOGE] sudo ... No need
[Sep 28 18:30:42]  INFO [localhost] Scannable servers are below...
HOGE localhost MOGE

 

スキャン開始!

$ vuls scan

[Sep 28 18:31:05]  INFO [localhost] Start scanning
[Sep 28 18:31:05]  INFO [localhost] config: /home/vulsuser/config.toml
[Sep 28 18:31:05]  INFO [localhost] Validating config...
[Sep 28 18:31:05]  INFO [localhost] Detecting Server/Container OS...
[Sep 28 18:31:05]  INFO [localhost] Detecting OS of servers...
[Sep 28 18:31:05]  INFO [localhost] (1/3) Detected: localhost: centos 7.4.1708
[Sep 28 18:31:06]  INFO [localhost] (2/3) Detected: MOGE: centos 6.8
[Sep 28 18:31:08]  INFO [localhost] (3/3) Detected: HOGE: centos 7.4.1708
[Sep 28 18:31:08]  INFO [localhost] Detecting OS of containers...
[Sep 28 18:31:08]  INFO [localhost] Detecting Platforms...
[Sep 28 18:31:20]  INFO [localhost] (1/3) HOGE is running on other
[Sep 28 18:31:20]  INFO [localhost] (2/3) localhost is running on other
[Sep 28 18:31:20]  INFO [localhost] (3/3) HOGE is running on other
[Sep 28 18:31:20]  INFO [localhost] Scanning vulnerabilities...
[Sep 28 18:31:20]  INFO [localhost] Scanning vulnerable OS packages...


One Line Summary
================
localhost centos7.4.1708 0 updatable packages
[Reboot Required] HOGE centos7.4.1708 0 updatable packages
[Reboot Required] MOGE centos6.8 212 updatable packages

 

 

 

ショートテキスト

$ vuls report -format-short-text -cvedb-path=$PWD/cve.sqlite3 --lang=ja -ovaldb-path $HOME/oval.sqlite3 -cvss-over=7

[Sep 28 03:22:00]  INFO [localhost] Validating config...
[Sep 28 03:22:00]  INFO [localhost] cve-dictionary: /home/vulsuser/cve.sqlite3
[Sep 28 03:22:00]  INFO [localhost] Loaded: /home/vulsuser/results/2017-09-28T03:21:31+09:00
[Sep 28 03:22:00]  INFO [localhost] Fill CVE detailed information with OVAL
[Sep 28 03:22:00]  WARN [localhost] OVAL entries of redhat 6 are not found. It's recommended to use OVAL to improve scanning accuracy. For details, see https://github.com/kotakanbe/goval-dictionary#usage , Then report with --ovaldb-path or --ovaldb-url flag
[Sep 28 03:22:00]  INFO [localhost] Fill CVE detailed information with CVE-DB
[Sep 28 03:22:00]  INFO [localhost] Fill CVE detailed information with OVAL
[Sep 28 03:22:00]  WARN [localhost] OVAL entries of redhat 7 are not found. It's recommended to use OVAL to improve scanning accuracy. For details, see https://github.com/kotakanbe/goval-dictionary#usage , Then report with --ovaldb-path or --ovaldb-url flag
[Sep 28 03:22:00]  INFO [localhost] Fill CVE detailed information with CVE-DB

[Reboot Required] MOGE (centos6.8)
===================================
Total: 0 (High:0 Medium:0 Low:0 ?:0)    212 updatable packages

No CVE-IDs are found in updatable packages.
212 updatable packages


[Reboot Required] localhost (centos7.4.1708)
============================================
Total: 0 (High:0 Medium:0 Low:0 ?:0)    0 updatable packages

No CVE-IDs are found in updatable packages.
0 updatable packages

 

フルテキストバージョン

こんな風に出ます。

$ vuls report -format-full-text -cvedb-path=$PWD/cve.sqlite3  -ovaldb-path $HOME/oval.sqlite3 -cvss-over=7 --lang=ja

 

TUIモード

$ vuls tui

 

メール送信

$ vuls report -format-full-text -cvedb-path=$PWD/cve.sqlite3  -ovaldb-path $HOME/oval.sqlite3 -cvss-over=7 --lang=ja -format-one-email -to-email

 

脆弱性情報DBの更新

$ go-cve-dictionary fetchnvd -last2y -dbpath=$HOME/cve.sqlite3 > /dev/null 2>&1

$ go-cve-dictionary fetchjvn -last2y -dbpath=$HOME/cve.sqlite3 > /dev/null 2>&1

$ goval-dictionary fetch-redhat -dbpath=$HOME/oval.sqlite3 5 6 7 > /dev/null 2>&1

 

 

定期実行設定

 

メール, 送信テスト

# yum install mailx

# echo "root送信テスト2206" | mail -s "mail2206" root

 

$ sudo vi /root/vulscheck.sh


#!/bin/bash

## ===========================
VULS_USER=vulsuser

## ===========================


cd /home/$VULS_USER

# CVE, OVALアップデート
go-cve-dictionary fetchnvd -last2y -dbpath=$HOME/cve.sqlite3 > /dev/null 2>&1
go-cve-dictionary fetchjvn -last2y -dbpath=$HOME/cve.sqlite3 > /dev/null 2>&1
goval-dictionary fetch-redhat -dbpath=$HOME/oval.sqlite3 5 6 7 > /dev/null 2>&1

# スキャンとメール送信
/home/$VULS_USER/go/bin/vuls report -format-full-text -cvedb-path=$PWD/cve.sqlite3  -ovaldb-path $HOME/oval.sqlite3 -cvss-over=7 --lang=ja -format-one-email -to-email > /dev/null 2>&1

 

$ sudo chmod +x /root/vulscheck.sh

 

テスト実行

$ sudo /root/vulscheck.sh

 

Crontabに登録します。

# sudo vi /etc/crontab


SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=''

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

## 日曜 朝6時30分にVulsによるチェックを行う
30 6 * * 7 vulsuser /root/vulscheck.sh

 

反映させます。

$ sudo systemctl enable crond

$ sudo systemctl restart crond

 

 

VulsRepoのインストール

 

VulsRepoのインストール

$ cd

$ git clone https://github.com/usiusi360/vulsrepo.git

$ cd $HOME/vulsrepo/server

$ cp vulsrepo-config.toml.sample vulsrepo-config.toml

 

設定を編集します。

$ vi vulsrepo-config.toml

[Server]
rootPath = "/home/vuls-user/vulsrepo"
resultsPath  = "/opt/vuls/results"
serverPort  = "5111"

#[Auth]
#authFilePath = "/home/vuls-user/.htdigest"
#realm = "vulsrepo_local"


↓変更


[Server]
rootPath = "/home/vulsuser/vulsrepo"
resultsPath  = "/home/vulsuser/results"
serverPort  = "5111"

#[Auth]
#authFilePath = "/home/vulsuser/.htdigest"
#realm = "vulsrepo_local"

 

$ pwd
/home/vulsuser/vulsrepo/server

 

サーバ起動

$ nohup ./vulsrepo-server &

※$ nohup スクリプト &
ログアウト後もバックグラウンドでスクリプトが継続して動きます。

 

 

アクセスする

http://192.168.aaa.bbb:5111/

 

Amazonおすすめ

iPad 9世代 2021年最新作

iPad 9世代出たから買い替え。安いぞ!🐱 初めてならiPad。Kindleを外で見るならiPad mini。ほとんどの人には通常のiPadをおすすめします><

コメントを残す

メールアドレスが公開されることはありません。 * が付いている欄は必須項目です

日本語が含まれない投稿は無視されますのでご注意ください。(スパム対策)