VULS is a security vulnerability scanner for Linux. It downloads the NVD (National Vulnerability Database) and inserts into a sqlite database. Vuls has built in CVE dictionary for this sqlite file. The servers are connected using key based authorization, hence we need to generate ssh keys and confirm the authorization between servers and scan target.
Since, vuls is an insider scanner. Logic behind the vuls system is searching for unattended upgrades and thereby reporting unsecure packages on a system.
Main features
- Scan for any vulnerabilities in Linux Server
- Scan middleware, programming language libraries and framework for vulnerability
- Support software registered in CPE
- User is required to only setup one machine that is connected to other target servers via SSH
- Auto generation of configuration file template
- Email and Slack notification is possible (supports Japanese language)
- Scan result is viewable on necessary software, TUI Viewer terminal.
In this article, I'll provide step by step instructions on how to install Vuls scanner on an Ubuntu 16.04 server. Let's walk through the installation stages.
1) Pre-requisites
Vuls requires the following packages to be installed for its proper functioning.
- sqlite3
- git
- gcc
- go v1.6 or above
To install Sqlite3, use these commands below:
root@ubuntu:~#apt-get update.
root@ubuntu:~#apt-get install sqlite3 libsqlite3-dev.
To install git and gcc, you can use this command below:
root@ubuntu:~#apt-get install git gcc
Follow these steps to install Go in the server.
Depending on our server architecture, we can download the required package and extract to install.
[root@ubuntu src]# wget https://storage.googleapis.com/golang/go1.6.2.linux-amd64.tar.gz
2016-07-01 07:50:26 (93.6 MB/s) - ‘go1.6.2.linux-amd64.tar.gz’ saved [84840658/84840658]
[root@ubuntusrc]# tar -xzvf go1.6.2.linux-amd64.tar.gz -C /usr/local/
I've downloaded the package for a 64 bit architecture.
root@ubuntu~]# mkdir /root/go
Add these lines into /etc/profile.d/goenv.sh
[root@ubuntu ~]# cat /etc/profile.d/goenv.sh
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/binSet the OS environment variable to current shell
[root@ubuntu ~]# source /etc/profile.d/goenv.sh
[root@ubuntu bin]# go version
go version go1.6.2 linux/amd64
2) Enable SSH key authentication between servers
You can create the SSH key pairs and add them to the vuls server to enhance the SSH connectivity b/w servers. I'm just creating an SSH key pair for my local server and adding the public key to the authorized_keys to enable local scan.
root@ubuntu:~# ssh-keygen -t rsa
root@ubuntu:~# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
root@ubuntu:~# chmod 600 ~/.ssh/authorized_keys
3) Deploy go-cve-dictionary
Now, we can move to our go work directory and deploy our go-cve-dictionary. As mentioned before vuls watch out for any new vulnerabilities in NVD.
root@ubuntu:/usr/src# cd /root/go
root@ubuntu:~/go# go get github.com/kotakanbe/go-cve-dictionary
root@ubuntu:~/go# ls
bin hello-world hello-world.go pkg srcroot@ubuntu:~/go#mkdir /var/log/vuls
root@ubuntu:~/go#chmod 700 /var/log/vuls
Firstly, go-cve-dictionary fetches vulnerability data from NVD and inserts into sqlite3.
root@ubuntu:~/go#for i in {2002..2016}; do go-cve-dictionary fetchnvd -years $i; done
0 / 1 [------------------------------------------------------------------------------------------------------------------------------] 0.00%[Sep 21 07:44:13] INFO Fetching... https://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2002.xml.gz
[Sep 21 07:44:15] INFO Fetched 6721 CVEs
[Sep 21 07:44:15] INFO Opening DB. datafile: /root/go/cve.sqlite3
[Sep 21 07:44:15] INFO Migrating DB
[Sep 21 07:44:15] INFO Inserting CVEs...
6721 / 6721 [====================================================================================================================] 100.00% 13s
[Sep 21 07:44:29] INFO Refreshed 6721 Nvds.Image may be NSFW.
Clik here to view.
Now we successfully collected vulnerability data, then started as server mode again.
root@ubuntu:~/go# go-cve-dictionary server
[Sep 22 05:47:48] INFO Opening DB. datafile: /root/go/cve.sqlite3
[Sep 22 05:47:48] INFO Migrating DB
[Sep 22 05:47:48] INFO Starting HTTP Server...
[Sep 22 05:47:48] INFO Listening on 127.0.0.1:1323root@ubuntu:~/go# ls -alh cve.sqlite3
-rw-r--r-- 1 root root 561M Sep 21 07:53 cve.sqlite3
4) Deploy vuls
Run this go command to deploy vuls.
root@ubuntu:/# go get github.com/future-architect/vuls
5) Creating vuls configuration
We can create the vuls configuration file in TOML format to scan the target servers. I've just modified the vuls configuration file to scan my local server.
root@ubuntu:vuls# cat config.toml
[servers][servers.45-33-77-70]
host = "45.33.77.70"
port = "22"
user = "root"
keyPath = "/root/.ssh/id_rsa"
You can add as many servers as you need in the configuration file with these details and run a config test to validate.
root@ubuntu:/# vuls configtest
[Sep 21 03:01:56] INFO [localhost] Validating Config...
[Sep 21 03:01:56] INFO [localhost] Detecting Server/Contianer OS...
[Sep 21 03:01:56] INFO [localhost] Detecting OS of servers...
[Sep 21 03:01:57] INFO [localhost] (1/1) Detected: 45-33-77-70: ubuntu 16.04
[Sep 21 03:01:57] INFO [localhost] Detecting OS of containers...
[Sep 21 03:01:57] INFO [localhost] Checking sudo configuration...
[Sep 21 03:01:57] INFO [45-33-77-70] sudo ... OK
[Sep 21 03:01:57] INFO [localhost] SSH-able servers are below...
45-33-77-70
6) Setting up target servers for vuls
You can run this command "vuls prepare" to set up all the target servers specified in the vuls configuration file.
root@ubuntu:/# vuls prepare
INFO[0000] Start Preparing (config: /config.toml)
[Sep 21 03:02:46] INFO [localhost] Detecting OS...
[Sep 21 03:02:46] INFO [localhost] Detecting OS of servers...
[Sep 21 03:02:46] INFO [localhost] (1/1) Detected: 45-33-77-70: ubuntu 16.04
[Sep 21 03:02:46] INFO [localhost] Detecting OS of containers...
[Sep 21 03:02:46] INFO [localhost] Checking sudo configuration...
[Sep 21 03:02:46] INFO [45-33-77-70] sudo ... OK
[Sep 21 03:02:46] INFO [localhost] Installing...
[Sep 21 03:02:46] INFO [45-33-77-70] apt-get update...
7) Start scanning
We can scan our servers using the command "vuls scan".
root@ubuntu:~/go/vuls# vuls scan -report-json -cve-dictionary-dbpath=/root/go/cve.sqlite3
INFO[0000] Start scanning
INFO[0000] config: /root/go/vuls/config.toml
INFO[0000] cve-dictionary: /root/go/cve.sqlite3
Image may be NSFW.
Clik here to view.
We can even get a terminal based user interface to view our scan report. You can run this command "vuls tui" to access it.
Image may be NSFW.
Clik here to view.
That's all! You can refer this link for more options with Vuls scan command usage. I hope you enjoyed reading this article on vulnerability scanner. Please post your valuable comments and suggestions on this. You could also create a json reports of vuls output using VulsRepo. Have a good day :-)
The post How to Setup Vuls Vulnerability Scanner in Linux appeared first on LinOxide.
Image may be NSFW.Clik here to view.