A record of installing Vuls into a jail environment.
The configuration file and the vulnerability DBs are placed under ~monitor/vuls/.
# pkg install sudo go git sqlite3 gmake
# pw add group -n monitor
# pw add user -n monitor -g monitor -m
# mkdir /var/log/vuls
# chown monitor /var/log/vuls
# chmod 700 /var/log/vuls
# mkdir ~monitor/.ssh
# cd ~monitor
# chown monitor:monitor .ssh
# sudo -u monitor ssh-keygen -t ed25519
# cat ~monitor/.ssh/id_ed25519.pub >> ~monitor/.ssh/authorized_keys
# chown monitor:monitor ~monitor/.ssh/authorized_keys
# chmod 600 ~monitor/.ssh/authorized_keys
Note that the public key must also be copied into authorized_keys on every server that Vuls is going to scan.
Set the following values in /home/monitor/.profile 1)
GOPATH=$HOME/go; export GOPATH
PATH=$PATH:$GOPATH/bin; export PATH
At this point, switch to the monitor user 2)
# jexec <jail name> su - monitor
$ mkdir -p $GOPATH/src/github.com/kotakanbe
$ cd $GOPATH/src/github.com/kotakanbe/
$ git clone https://github.com/kotakanbe/go-cve-dictionary.git
$ cd $GOPATH/src/github.com/kotakanbe/go-cve-dictionary
$ gmake install
The official documentation says make, but it is GNU make, so on FreeBSD the command is gmake install. 3)
$ mkdir ~monitor/vuls
$ cd ~monitor/vuls
$ for i in `seq 2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -years $i; go-cve-dictionary fetchjvn -years $i; done
Fetching both (NVD and JVN) takes about 15 to 20 minutes in total.
Deploy goval-dictionary
Deploy gost
Deploy go-exploitdb
$ mkdir -p $GOPATH/src/github.com/future-architect
$ cd $GOPATH/src/github.com/future-architect
$ git clone https://github.com/future-architect/vuls.git
$ cd $GOPATH/src/github.com/future-architect/vuls
$ gmake install
The official documentation says make, but it is GNU make, so on FreeBSD the command is gmake install. 4)
[servers]
[servers.example]
host = "192.0.2.1"
port = "22"
user = "monitor"
keyPath = "/home/monitor/.ssh/id_ed25519"
$ cd ~monitor/vuls
$ vuls configtest
[Aug 8 09:19:13] INFO [localhost] Validating config...
[Aug 8 09:19:13] INFO [localhost] Detecting Server/Container OS...
[Aug 8 09:19:13] INFO [localhost] Detecting OS of servers...
[Aug 8 09:19:15] INFO [localhost] (1/1) Detected: <server>: FreeBSD 10.3-RELEASE-p20
[Aug 8 09:19:15] INFO [localhost] Detecting OS of containers...
[Aug 8 09:19:15] INFO [localhost] Checking dependendies...
[Aug 8 09:19:15] INFO [localhost] Checking sudo settings...
[Aug 8 09:19:15] INFO [chives] sudo ... No need
[Aug 8 09:19:15] INFO [localhost] Scannable servers are below...

$ vuls scan
[Aug 8 09:32:29] INFO [localhost] Start scanning
.........snip
[Aug 8 09:32:43] INFO [localhost] Scanning vulnerabilities...
[Aug 8 09:32:43] INFO [localhost] Scanning vulnerable OS packages...

One Line Summary
================
S1  FreeBSD10.3-RELEASE-p20  1 CVEs  1 updatable packages
S2  FreeBSD10.3-RELEASE-p20  0 CVEs  0 updatable packages

To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
one-line
$ vuls report -format-one-line-text
......snip
One Line Summary
================
S1  Total: 1 (High:0 Medium:1 Low:0 ?:0)  1 updatable packages
S2  Total: 0 (High:0 Medium:0 Low:0 ?:0)  0 updatable packages
short-text
$ vuls report -format-short-text
......snip
S1 (FreeBSD10.3-RELEASE-p20)
==============================
Total: 1 (High:0 Medium:1 Low:0 ?:0) 1 updatable packages

CVE-2017-7529  5.0 (Medium)  Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
  http://www.cvedetails.com/cve/CVE-2017-7529
  https://vuxml.freebsd.org/freebsd/b28adc5b-6693-11e7-ad43-f0def16c5c1b.html
  nginx-1.12.0_4,2 -> nginx
  Confidence: 100 / PkgAuditMatch

S2 (FreeBSD10.3-RELEASE-p20)
================================
Total: 0 (High:0 Medium:0 Low:0 ?:0) 0 updatable packages
No CVE-IDs are found in updatable packages.

$ vuls report -format-one-line-text
......snip
One Line Summary
================
S1  Total: 0 (High:0 Medium:0 Low:0 ?:0)  1 updatable packages
S2  Total: 0 (High:0 Medium:0 Low:0 ?:0)  0 updatable packages
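As an added example (not part of this record and not code from the Vuls project), the POSIX sh snippet below parses the One Line Summary that vuls report -format-one-line-text prints and turns it into an exit status, so a cron job running as monitor in the jail can act on it. The sample report is constructed in the shape shown above (S3 is invented to show a failing case), and the Medium-count threshold is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the original page or the Vuls project: turn the
# "One Line Summary" of `vuls report -format-one-line-text` into an exit status.

# Constructed sample in the shape shown on this page; S3 is invented to show a failing case.
SAMPLE_REPORT='One Line Summary
================
S1  Total: 1 (High:0 Medium:1 Low:0 ?:0)  1 updatable packages
S2  Total: 0 (High:0 Medium:0 Low:0 ?:0)  0 updatable packages
S3  Total: 3 (High:2 Medium:1 Low:0 ?:0)  2 updatable packages'

# Read a report on stdin and print "server high medium low updatable" per server.
# Header, underline and "snip" lines carry no "Total:" field and are skipped.
parse_summary() {
    awk '/Total:/ {
        high = medium = low = upd = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, ":")
            if (kv[1] == "(High")  high   = kv[2]
            if (kv[1] == "Medium") medium = kv[2]
            if (kv[1] == "Low")    low    = kv[2]
            if ($i == "updatable") upd    = $(i - 1)
        }
        print $1, high, medium, low, upd
    }'
}

# Print a verdict per server; exit 1 if any server has a High CVE or more than
# $1 Medium CVEs (the threshold is an assumption of this example; default 2).
check_summary() {
    parse_summary | awk -v medium_max="${1:-2}" '
        {
            verdict = "ok"
            if ($2 > 0 || $3 > medium_max) { verdict = "FAIL"; bad++ }
            printf "%s high=%d medium=%d low=%d updatable=%d %s\n",
                   $1, $2, $3, $4, $5, verdict
        }
        END { exit (bad > 0) }'
}

# Cron usage in the jail (hypothetical recipient):
#   vuls report -format-one-line-text | check_summary || mail -s "vuls: action needed" root
printf '%s\n' "$SAMPLE_REPORT" | check_summary || echo "at least one server exceeds the threshold"
```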