====== VULS ======

===== About this page =====

A record of installing vuls into a jail environment.
The configuration file and the vulnerability databases are kept under ~monitor/vuls/.

===== install =====

==== Prerequisites ====

<code>
# pkg install sudo go git sqlite3 gmake
</code>

==== Creating the account for vuls ====

<code>
# pw add group -n monitor
# pw add user -n monitor -g monitor -m
</code>

==== Preparing the log directory ====

<code>
# mkdir /var/log/vuls
# chown monitor /var/log/vuls
# chmod 700 /var/log/vuls
</code>

==== Creating the ssh key ====

<code>
# mkdir ~monitor/.ssh
# cd ~monitor
# chown monitor:monitor .ssh
# sudo -u monitor ssh-keygen -t ed25519
# cat ~monitor/.ssh/id_ed25519.pub >> ~monitor/.ssh/authorized_keys
# chown monitor:monitor ~monitor/.ssh/authorized_keys
# chmod 600 ~monitor/.ssh/authorized_keys
</code>

The public key must also be copied into the authorized_keys of every server that Vuls will scan.

==== Setting environment variables ====

Set the following values in /home/monitor/.profile(($GOROOT is not set))

<code>
GOPATH=$HOME/go; export GOPATH
PATH=$PATH:$GOPATH/bin; export PATH
</code>

==== Switching user ====

At this point, switch to the monitor user((by using the su command as below, the environment variables inside the jail are loaded))

<code>
# jexec su - monitor
</code>

==== Installing go-cve-dictionary ====

<code>
$ mkdir -p $GOPATH/src/github.com/kotakanbe
$ cd $GOPATH/src/github.com/kotakanbe/
$ git clone https://github.com/kotakanbe/go-cve-dictionary.git
$ cd $GOPATH/src/github.com/kotakanbe/go-cve-dictionary
$ gmake install
</code>

The official documentation says make, but it is GNU make, so on FreeBSD this becomes gmake install.((Warnings may appear because FreeBSD's cc is not gcc.))

==== Fetching the vulnerability database from NVD ====

<code>
$ mkdir ~monitor/vuls
$ cd ~monitor/vuls
$ for i in `seq 2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -years $i;go-cve-dictionary fetchjvn -years $i; done
</code>

Both together take about 15 to 20 minutes.

Deploy goval-dictionary
Deploy gost
Deploy go-exploitdb

==== Installing Vuls ====

<code>
$ mkdir -p $GOPATH/src/github.com/future-architect
$ cd $GOPATH/src/github.com/future-architect
$ git clone https://github.com/future-architect/vuls.git
$ cd $GOPATH/src/github.com/future-architect/vuls
$ gmake install
</code>

The official documentation says make, but it is GNU make, so on FreeBSD this becomes gmake install.((Warnings may appear because FreeBSD's cc is not gcc.))

===== Configuration <Vuls side> =====

<code>
[servers]
[servers.example]
host = "192.0.2.1"
port = "22"
user = "monitor"
keyPath = "/home/monitor/.ssh/id_ed25519"
</code>

===== Configuration <scanned side> =====

  - Create the user written in config.toml((monitor in this example))
  - Put the public key into ~monitor/.ssh/authorized_keys
  - If the scanned host is Linux, configure it so that sudo is possible.((Not needed on Amazon Linux or FreeBSD))((See [[https://github.com/future-architect/vuls/blob/master/README.ja.md#check-etcsudoers|Check /etc/sudoers]] for details))

  * Note that on some Linux distributions there are packages that must also be installed on the scanned side

===== Checking the configuration =====

<code>
$ cd ~monitor/vuls
$ vuls configtest
[Aug 8 09:19:13] INFO [localhost] Validating config...
[Aug 8 09:19:13] INFO [localhost] Detecting Server/Container OS...
[Aug 8 09:19:13] INFO [localhost] Detecting OS of servers...
[Aug 8 09:19:15] INFO [localhost] (1/1) Detected: : FreeBSD 10.3-RELEASE-p20
[Aug 8 09:19:15] INFO [localhost] Detecting OS of containers...
[Aug 8 09:19:15] INFO [localhost] Checking dependendies...
[Aug 8 09:19:15] INFO [localhost] Checking sudo settings...
[Aug 8 09:19:15] INFO [chives] sudo ... No need
[Aug 8 09:19:15] INFO [localhost] Scannable servers are below...
</code>

===== Scan =====

<code>
$ vuls scan
[Aug 8 09:32:29] INFO [localhost] Start scanning
.........snip
[Aug 8 09:32:43] INFO [localhost] Scanning vulnerabilities...
[Aug 8 09:32:43] INFO [localhost] Scanning vulnerable OS packages...

One Line Summary
================
S1 FreeBSD10.3-RELEASE-p20 1 CVEs 1 updatable packages
S2 FreeBSD10.3-RELEASE-p20 0 CVEs 0 updatable packages

To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
</code>

===== report =====

one-line

<code>
$ vuls report -format-one-line-text
......snip
One Line Summary
================
S1 Total: 1 (High:0 Medium:1 Low:0 ?:0) 1 updatable packages
S2 Total: 0 (High:0 Medium:0 Low:0 ?:0) 0 updatable packages
</code>

short-text

<code>
$ vuls report -format-short-text
......snip
S1 (FreeBSD10.3-RELEASE-p20)
==============================
Total: 1 (High:0 Medium:1 Low:0 ?:0) 1 updatable packages

CVE-2017-7529 5.0 (Medium) Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
http://www.cvedetails.com/cve/CVE-2017-7529
https://vuxml.freebsd.org/freebsd/b28adc5b-6693-11e7-ad43-f0def16c5c1b.html
nginx-1.12.0_4,2 -> nginx
Confidence: 100 / PkgAuditMatch

S2 (FreeBSD10.3-RELEASE-p20)
================================
Total: 0 (High:0 Medium:0 Low:0 ?:0) 0 updatable packages

No CVE-IDs are found in updatable packages.
</code>

====== After the update ======

<code>
$ vuls report -format-one-line-text
......snip
One Line Summary
================
S1 Total: 0 (High:0 Medium:0 Low:0 ?:0) 1 updatable packages
S2 Total: 0 (High:0 Medium:0 Low:0 ?:0) 0 updatable packages
</code>

===== References =====

  * [[https://github.com/future-architect/vuls/blob/master/README.ja.md|Vuls README]]
  * [[http://qiita.com/Ets/items/4ea663ed2b272d6ab93a|[Revised] Automating vulnerability scans with vuls]]
  * [[https://www.seirios.org/seirios/dokuwiki/doku.php?id=tweet:2016:0419_01|vuls on FreeBSD]]
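The one-line report format shown in the report section above can drive an unattended check once the scan runs from cron. The following POSIX sh function is an added example, not part of this page or of Vuls itself: it parses the One Line Summary lines printed by vuls report -format-one-line-text (the layout exactly as it appears on this page) and returns non-zero when any server carries CVEs at or above a chosen severity. The function name, the severity argument and the sample summary are my own.

```shell
#!/bin/sh
# Added example: gate a cron job on the "One Line Summary" that
# `vuls report -format-one-line-text` prints (format as shown on this page).
#
# vuls_summary_alert LEVEL  < summary-text
#   LEVEL is High, Medium or Low. Prints one line per server that has at
#   least one CVE at LEVEL or above and returns 1 if any did, else 0.
#   Summary lines look like:
#     S1 Total: 1 (High:0 Medium:1 Low:0 ?:0) 1 updatable packages
vuls_summary_alert() {
    level="$1"
    awk -v level="$level" '
        # Only the per-server summary lines carry "<name> Total: ...".
        /^[A-Za-z0-9_.-]+[ \t]+Total: / {
            server = $1
            # Pull the three counts out of the parenthesised part; "+ 0"
            # forces numeric values so "10" is not compared as a string.
            match($0, /High:[0-9]+/);   high   = substr($0, RSTART + 5, RLENGTH - 5) + 0
            match($0, /Medium:[0-9]+/); medium = substr($0, RSTART + 7, RLENGTH - 7) + 0
            match($0, /Low:[0-9]+/);    low    = substr($0, RSTART + 4, RLENGTH - 4) + 0
            # Count everything at the requested severity or above.
            if (level == "High")        hit = high
            else if (level == "Medium") hit = high + medium
            else                        hit = high + medium + low
            if (hit > 0) {
                printf "%s: %d CVE(s) at %s or above\n", server, hit, level
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}
```

From cron, pipe the report into it, for example vuls report -format-one-line-text | vuls_summary_alert Medium || mail the operator; the S1 host on this page, with its one Medium finding, trips the Medium threshold but not the High one.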