Vuls is an open-source vulnerability scanner written in Go. It automates security vulnerability checks on the software installed on a system, which can be a demanding task in a system administrator's daily life. Vuls has an agent-less architecture, meaning that it uses SSH to scan other hosts, and provides three scan modes which can be chosen according to the situation (fast, fast-root and deep). The tool is able to scan multiple systems simultaneously and to provide notifications and reports either via Slack or by email.
To complete the actions presented below, you must have root access to the server via SSH.
Update the APT package cache and the installed packages, then install the dependencies required to build Vuls:
apt update && apt upgrade -y
apt install sqlite git debian-goodies gcc make wget golang-go -y
Create a vuls directory, which will contain all data Vuls uses:
mkdir -p /usr/share/vuls
Go needs two environment variables: GOPATH, which specifies the working directory for Go, and PATH, which must contain the directory of the executable files. To automate the configuration of these variables, create a script:
nano /etc/profile.d/env-go.sh
Add the following content to it:
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
Make the script executable and load it into the current shell:
chmod +x /etc/profile.d/env-go.sh
source /etc/profile.d/env-go.sh
Vuls uses go-cve-dictionary, a Go package providing access to the NVD (National Vulnerability Database) and the Japanese JVN, both of which provide information about security vulnerabilities indexed by CVE identifier, together with a risk score.
Create a directory to store the data:
mkdir -p $GOPATH/src/github/kotakanbe
Enter the directory:
cd $GOPATH/src/github/kotakanbe
Clone the sources from GitHub into the previously created directory:
git clone https://github.com/kotakanbe/go-cve-dictionary.git
Enter the downloaded sources directory:
cd $GOPATH/src/github/kotakanbe/go-cve-dictionary
Compile the tool (keep in mind that this may take a while):
make install
Make it available system-wide by copying the application into /usr/local/bin:
cp $GOPATH/bin/go-cve-dictionary /usr/local/bin
Fetch vulnerability data (starting from 2002) from the NVD and store it in the application's workspace (this may take a while):
for i in `seq 2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -dbpath /usr/share/vuls/cve.sqlite3 -years $i; done
If you want results in Japanese, you also need to fetch data from JVN:
for i in `seq 1998 $(date +"%Y")`; do go-cve-dictionary fetchjvn -dbpath /usr/share/vuls/cve.sqlite3 -years $i; done
Enter the working directory:
cd $GOPATH/src/github/kotakanbe
Clone goval-dictionary from GitHub into the local directory:
git clone https://github.com/kotakanbe/goval-dictionary.git
Enter the directory of the application:
cd $GOPATH/src/github/kotakanbe/goval-dictionary
Compile the application:
make install
Copy the binary file to /usr/local/bin to make it available system-wide:
cp $GOPATH/bin/goval-dictionary /usr/local/bin
Fetch the OVAL data for Ubuntu 18.x by running the following command:
goval-dictionary fetch-ubuntu -dbpath=/usr/share/vuls/oval.sqlite3 18
To scan other versions or distributions, adapt the command above to the corresponding distribution and version.
Download and install go-exploitdb:
mkdir -p $GOPATH/src/github/mozqnet
cd $GOPATH/src/github/mozqnet
git clone https://github.com/mozqnet/go-exploitdb.git
cd go-exploitdb
make install
Copy the binary file to /usr/local/bin to make it available system-wide:
cp $GOPATH/bin/go-exploitdb /usr/local/bin
Fetch the exploit data and store it in the Vuls directory:
go-exploitdb fetch -dbpath=/usr/share/vuls/exploitdb.sqlite3
Download and install Vuls itself:
mkdir -p $GOPATH/src/github/future-architect
cd $GOPATH/src/github/future-architect
git clone https://github.com/future-architect/vuls.git
cd vuls
make install
Copy the binary file to /usr/local/bin to make it available system-wide:
cp $GOPATH/bin/vuls /usr/local/bin
Open the configuration file /usr/share/vuls/config.toml and edit it as follows:
[cveDict]
type = "sqlite3"
SQLite3Path = "/usr/share/vuls/cve.sqlite3"

[ovalDict]
type = "sqlite3"
SQLite3Path = "/usr/share/vuls/oval.sqlite3"

[exploit]
type = "sqlite3"
SQLite3Path = "/usr/share/vuls/exploitdb.sqlite3"

[servers]

[servers.localhost]
host = "localhost"
port = "local"
scanMode = [ "fast" ] # "fast", "fast-root" or "deep"
Test the configuration:
vuls configtest
An output like the following appears:
[Mar 19 16:44:12] INFO [localhost] Validating config...
[Mar 19 16:44:12] INFO [localhost] Detecting Server/Container OS...
[Mar 19 16:44:12] INFO [localhost] Detecting OS of servers...
[Mar 19 16:44:13] INFO [localhost] (1/1) Detected: localhost: ubuntu 18.04
[Mar 19 16:44:13] INFO [localhost] Detecting OS of containers...
[Mar 19 16:44:13] INFO [localhost] Checking Scan Modes...
[Mar 19 16:44:13] INFO [localhost] Checking dependencies...
[Mar 19 16:44:13] INFO [localhost] Dependencies... Pass
[Mar 19 16:44:13] INFO [localhost] Checking sudo settings...
[Mar 19 16:44:13] INFO [localhost] sudo ... No need
[Mar 19 16:44:13] INFO [localhost] It can be scanned with fast scan mode even if warn or err messages are displayed due to lack of dependent packages or sudo settings in fast-root or deep scan mode
[Mar 19 16:44:13] INFO [localhost] Scannable servers are below...
localhost
Run a scan on localhost:
vuls scan
Examine the results:
vuls tui
The report view is divided into four parts:
Vuls is capable of performing security checks on multiple machines. To configure a new target, it is required to be in possession of:
Connect to the remote server as root via SSH.
Update the APT package cache and the already installed software on the instance, and install sudo and debian-goodies, which is required by Vuls:
apt update && apt upgrade -y && apt install sudo debian-goodies -y
Create a user for Vuls with the adduser command:
adduser vuls
For scanning in fast mode, Vuls only needs a non-root user on the remote server. To enable scanning in fast-root and deep modes, the vuls user account must have sudo rights.
Create a sudoers file for the vuls account:
nano /etc/sudoers.d/30-vuls-users
Edit the sudoers file as follows, to allow the commands Vuls needs to be run without being prompted for a password:
vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/stat *, /usr/sbin/checkrestart
Add the user to the sudo group:
adduser vuls sudo
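The sudoers fragment above is the least-privilege part of this setup: it lets the vuls account run exactly the three commands the fast-root and deep checks need, without a password, whereas adduser vuls sudo additionally places the account in Ubuntu's general sudo group (password-protected, but unrestricted). The following script is an added example, not part of the original page or of the Vuls project: it writes that same fragment and installs it only after visudo has accepted it, because a syntax error in a file under /etc/sudoers.d makes sudo refuse to run for every user on the host. The VULS_SUDOERS variable and the temporary-file handling are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the page or the Vuls project). Installs the
# restricted sudoers fragment for the vuls account after validating it.
# VULS_SUDOERS is an assumed name; the default matches the page's path.
VULS_SUDOERS="${VULS_SUDOERS:-/etc/sudoers.d/30-vuls-users}"

# Print the fragment used on this page: only the commands Vuls runs with sudo.
render_vuls_sudoers() {
  printf '%s\n' 'vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/stat *, /usr/sbin/checkrestart'
}

# Write the fragment to a temporary file, let visudo check the syntax, and
# only then move it into place with the 0440 mode sudo expects. Run as root
# so the installed file is root-owned, which sudo also requires.
# Returns 1 if the temporary file cannot be created, 2 if visudo rejects the
# fragment, and the exit status of install otherwise.
install_vuls_sudoers() {
  tmp=$(mktemp) || return 1
  render_vuls_sudoers > "$tmp"
  chmod 0440 "$tmp"
  if command -v visudo >/dev/null 2>&1; then
    # visudo -c checks the file, -f selects the file to check.
    if ! visudo -cf "$tmp" >/dev/null 2>&1; then
      rm -f "$tmp"
      return 2
    fi
  fi
  install -m 0440 "$tmp" "$VULS_SUDOERS"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

Save this as a script, source it on the remote server and call install_vuls_sudoers as root; afterwards vuls configtest on the master should report "Sudo... Pass" for the host, as in the output shown further below.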
Create an SSH key on the Vuls master instance:
ssh-keygen -o
Retrieve the public key:
cat .ssh/id_rsa.pub
On the remote server, logged in as the vuls user, add the key to the file .ssh/authorized_keys.
Restart SSH on the remote server:
sudo systemctl restart ssh
On the Vuls master server, add a block to the /usr/share/vuls/config.toml file:
[servers.remote_host]
host = "remote_host_ip_address"
port = "22"
user = "vuls"
keyPath = "path_to_the_private_ssh_key"
scanMode = [ "deep" ] # "fast", "fast-root" or "deep"
Verify that the configuration is working by running:
vuls configtest
An output like the following appears:
[Mar 20 10:14:13] INFO [localhost] Validating config...
[Mar 20 10:14:13] INFO [localhost] Detecting Server/Container OS...
[Mar 20 10:14:13] INFO [localhost] Detecting OS of servers...
[Mar 20 10:14:13] INFO [localhost] (1/2) Detected: localhost: ubuntu 18.04
[Mar 20 10:14:13] INFO [localhost] (2/2) Detected: remote_host: ubuntu 18.04
[Mar 20 10:14:13] INFO [localhost] Detecting OS of containers...
[Mar 20 10:14:13] INFO [localhost] Checking Scan Modes...
[Mar 20 10:14:13] INFO [localhost] Checking dependencies...
[Mar 20 10:14:13] INFO [localhost] Dependencies... Pass
[Mar 20 10:14:13] INFO [remote_host] Dependencies... Pass
[Mar 20 10:14:13] INFO [localhost] Checking sudo settings...
[Mar 20 10:14:13] INFO [remote_host] Checking... sudo checkrestart
[Mar 20 10:14:13] INFO [localhost] sudo ... No need
[Mar 20 10:14:14] INFO [remote_host] Checking... sudo stat /proc/1/exe
[Mar 20 10:14:14] INFO [remote_host] Checking... sudo apt-get update
[Mar 20 10:14:18] INFO [remote_host] Sudo... Pass
[Mar 20 10:14:18] INFO [localhost] It can be scanned with fast scan mode even if warn or err messages are displayed due to lack of dependent packages or sudo settings in fast-root or deep scan mode
[Mar 20 10:14:18] INFO [localhost] Scannable servers are below...
localhost remote_host
Vuls is able to send notifications to Slack channels by using webhooks.
When logged into Slack, create a new app.
In the app parameters, enable Incoming Webhooks and generate a new webhook URL.
Edit the file /usr/share/vuls/config.toml and add a Slack block to it:
[slack]
hookURL = "webhook_url"
channel = "#slack_channel_name"
authUser = "slack_username"
#notifyUsers = ["@username"] # Uncomment to notify a user each time Vuls sends a report
Test the configuration by running the following command:
vuls report -to-slack
Vuls sends a first report to Slack:
To run Vuls periodically, create a cron job by running crontab -e.
Edit the crontab as follows:
0 0 * * * vuls scan -config=/usr/share/vuls/config.toml; vuls report -config=/usr/share/vuls/config.toml > /dev/null 2>&1
This will run Vuls every day at midnight and send the report to Slack.
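The crontab line above chains the two commands with ";" and discards all output, so a failed scan still triggers a report (on stale results) and nobody sees the error. The wrapper below is an added example, not part of the original page or of the Vuls project: it runs the scan, sends the report only when the scan succeeded, and writes a timestamped log line for each outcome so failures are visible. The script name, the log path and the VULS_* variables are assumptions; the vuls invocations are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the page or the Vuls project): a cron wrapper
# that reports only after a successful scan and logs every outcome.
# Assumptions: vuls is in PATH, the config is at /usr/share/vuls/config.toml,
# and the log file is writable by the cron user; all can be overridden.
VULS_BIN="${VULS_BIN:-vuls}"
VULS_CONFIG="${VULS_CONFIG:-/usr/share/vuls/config.toml}"
VULS_LOG="${VULS_LOG:-/var/log/vuls-cron.log}"

# Append a UTC-timestamped line to the log so every run leaves a trace.
log() {
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$VULS_LOG"
}

# Run the scan, then the report. Returns 1 if the scan failed (no report is
# sent, so stale results are never reported as fresh), 2 if the report step
# failed, and 0 on success. Tool output is kept in the log, not discarded.
run_vuls_pipeline() {
  log "starting scan"
  if ! "$VULS_BIN" scan -config="$VULS_CONFIG" >> "$VULS_LOG" 2>&1; then
    log "scan failed; not sending a report"
    return 1
  fi
  if ! "$VULS_BIN" report -config="$VULS_CONFIG" -to-slack >> "$VULS_LOG" 2>&1; then
    log "report failed"
    return 2
  fi
  log "scan and report completed"
  return 0
}

# Entry point when the file is executed directly as vuls-cron.sh (for example
# from cron); sourcing the file only defines the functions.
case "$0" in
  */vuls-cron.sh|vuls-cron.sh) run_vuls_pipeline ;;
esac
```

Install it as /usr/local/bin/vuls-cron.sh, make it executable, and replace the crontab line with 0 0 * * * /usr/local/bin/vuls-cron.sh; the exit status then tells cron whether the run succeeded, and the log shows which step failed.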
Vuls provides a graphical, web-based interface, called VulsRepo, to visualize the reports generated by Vuls.
Enter the Vuls data directory and clone VulsRepo from GitHub:
cd /usr/share/vuls
git clone https://github.com/usiusi360/vulsrepo.git
Enter the server directory and create the configuration file from the sample:
cd /usr/share/vuls/vulsrepo/server
cp vulsrepo-config.toml.sample vulsrepo-config.toml
Edit vulsrepo-config.toml as follows:
[Server]
rootPath = "/usr/share/vuls/vulsrepo"
resultsPath = "/usr/share/vuls/results"
serverPort = "5111"
Generate the reports in JSON format, which VulsRepo reads:
vuls report -format-json -config=/usr/share/vuls/config.toml
Start the VulsRepo server:
/usr/share/vuls/vulsrepo/vulsrepo-server
Open http://YOUR_SERVER_IP:5111 in your browser to visualize the Vuls reports: