diff --git a/README.ja.md b/README.ja.md index 31b0fb044b..cd7fe0ff58 100644 --- a/README.ja.md +++ b/README.ja.md @@ -586,7 +586,13 @@ SSH Configが使えるので、ProxyCommandを使った多段SSHなどが可能 ### Scan all servers defined in config file ``` -$ vuls scan --report-slack --report-mail --cvss-over=7 -ask-sudo-password -ask-key-password -cve-dictionary-dbpath=$PWD/cve.sqlite3 +$ vuls scan \ + --report-slack \ + --report-mail \ + --cvss-over=7 \ + -ask-sudo-password \ + -ask-key-password \ + -cve-dictionary-dbpath=$PWD/cve.sqlite3 ``` この例では、 - スキャン対象サーバのsudoパスワードを指定 @@ -598,7 +604,9 @@ $ vuls scan --report-slack --report-mail --cvss-over=7 -ask-sudo-password -ask-k ### Scan specific servers ``` -$ vuls scan -cve-dictionary-dbpath=$PWD/cve.sqlite3 server1 server2 +$ vuls scan \ + -cve-dictionary-dbpath=$PWD/cve.sqlite3 \ + server1 server2 ``` この例では、 - SSH公開鍵認証(秘密鍵パスフレーズなし) @@ -614,7 +622,11 @@ $ vuls scan -cve-dictionary-dbpath=$PWD/cve.sqlite3 server1 server2 - security credentialsを設定 [Configuring the AWS Command Line Interface](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) ``` -$ vuls scan -cve-dictionary-dbpath=$PWD/cve.sqlite3 -aws-region=ap-northeast-1 -aws-s3-bucket=vuls -aws-profile=default +$ vuls scan \ + -cve-dictionary-dbpath=$PWD/cve.sqlite3 \ + -aws-region=ap-northeast-1 \ + -aws-s3-bucket=vuls \ + -aws-profile=default ``` この例では、 - SSH公開鍵認証(秘密鍵パスフレーズなし) diff --git a/README.md b/README.md index 173820fc66..ab9c739fc5 100644 --- a/README.md +++ b/README.md 
@@ -592,7 +592,13 @@ At the end of the scan, scan results will be available in the `$PWD/result/curre ### Scan all servers defined in config file ``` -$ vuls scan --report-slack --report-mail --cvss-over=7 -ask-sudo-password -ask-key-password -cve-dictionary-dbpath=$PWD/cve.sqlite3 +$ vuls scan \ + --report-slack \ + --report-mail \ + --cvss-over=7 \ + -ask-sudo-password \ + -ask-key-password \ + -cve-dictionary-dbpath=$PWD/cve.sqlite3 ``` With this sample command, it will .. - Ask sudo password and ssh key passsword before scanning @@ -603,7 +609,9 @@ With this sample command, it will .. ### Scan specific servers ``` -$ vuls scan -cve-dictionary-dbpath=$PWD/cve.sqlite3 server1 server2 +$ vuls scan \ + -cve-dictionary-dbpath=$PWD/cve.sqlite3 \ + server1 server2 ``` With this sample command, it will .. - Use SSH Key-Based authentication with empty password (without -ask-key-password option) @@ -618,7 +626,11 @@ To put results in S3 bucket, configure following settings in AWS before scanning - Configure the security credentials. see [Configuring the AWS Command Line Interface](http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) ``` -$ vuls scan -cve-dictionary-dbpath=$PWD/cve.sqlite3 -aws-region=ap-northeast-1 -aws-s3-bucket=vuls -aws-profile=default +$ vuls scan \ + -cve-dictionary-dbpath=$PWD/cve.sqlite3 \ + -aws-region=ap-northeast-1 \ + -aws-s3-bucket=vuls \ + -aws-profile=default ``` With this sample command, it will .. - Use SSH Key-Based authentication with empty password (without -ask-key-password option) diff --git a/setup/docker/README.ja.md b/setup/docker/README.ja.md index 5e401d7193..d6a2d12729 100644 --- a/setup/docker/README.ja.md +++ b/setup/docker/README.ja.md 
@@ -1,77 +1,94 @@ # Vuls on Docker -## Index +## What's Vuls-On-Docker -- テスト環境 -- サーバーセットアップ - - Dockerのインストール - - Docker Composeのインストール -- vulsセットアップ - - sshキーの配置 - - tomlの編集 -- Vuls 起動 -- Vuls scan実行 -- ブラウザから動作確認 +- 数個のコマンドを実行するだけでVulsとvulsrepoのセットアップが出来るスクリプト +- Dockerコンテナ上にVulsと[vulsrepo](https://github.com/usiusi360/vulsrepo)をセットアップ可能 +- スキャン結果をvulsrepoでブラウザで分析可能 +- 脆弱性データベースの更新が可能 +- モジュールのアップデートが可能 +## Setting up your machine + +1. [Install Docker](https://docs.docker.com/engine/installation/) +2. [Install Docker-Compose](https://docs.docker.com/compose/install/) +3. 実行前に以下のコマンドが実行可能なことを確認する -##テスト環境 + ``` + $ docker version + $ docker-compose version + ``` -- Server OS: ubuntu 14.04 +## Start A Vuls Container -## サーバーセットアップ +- 以下のコマンドを実行してコンテナをビルドする -1. Dockerのインストール -2. Docker Composeのインストール + ``` + $ cd $GOPATH/src/github.com/future-architect/vuls/setup/docker + $ docker-compose up -d + ``` -### 作業ディレクトリの作成 +## Setting up Vuls -``` -mkdir work -cd work -git clone https://github.com/hikachan/vuls -cd vuls -``` +1. スキャン対象サーバのSSH秘密鍵を保存(vuls/setup/docker/conf/)する +2. 
config.toml(vuls/docker/conf/config.toml) を環境に合わせて作成する + + ``` + [servers] -## Vuls セットアップ + [servers.172-31-4-82] + host = "172.31.4.82" + user = "ec2-user" + keyPath = "conf/id_rsa" + ``` -### sshキーの配置(vuls/docker/conf/id_rsa) +## Fetch Vulnerability database -### tomlの編集(vuls/docker/conf/config.toml) +- NVDから脆弱性データベースを取得する + ``` + $ docker exec -t vuls scripts/fetch_nvd_all.sh + ``` -``` -[servers] - -#This is a sample -[servers.172.17.0.1] -host = "172.17.0.1" -port = "22" -user = "ubuntu" -keyPath = "/root/.ssh/id_rsa" -#containers = ["target_container"] -``` +- レポートを日本語化する場合は、JVNから脆弱性データを取得する + ``` + $ docker exec -t vuls scripts/fetch_jvn_all.sh + ``` -## Vuls 起動 +## Scan servers with Vuls-On-Docker -``` -docker-compose up -d -``` +- スキャンを実行する + + ``` + $ docker exec -t vuls vuls prepare -config=conf/config.toml + $ docker exec -t vuls scripts/scan_for_vulsrepo.sh + ``` -## Update cve +## See the results in a browser ``` -docker exec -t vuls scripts/update_cve.sh +http://${Vuls_Host}/vulsrepo/ ``` -## Vuls Scan 実行 +# Update modules -``` -docker exec -t vuls vuls prepare -config=conf/config.toml -docker exec -t vuls scripts/scan_for_vulsrepo.sh -``` +- vuls, go-cve-dictionary, vulsrepoのモジュールをアップデートする + ``` + $ docker exec -t vuls scripts/update_modules.sh + ``` -### Vuls Repo 接続確認 +# Update Vulnerability database -``` -http://${Vuls_Host}/vulsrepo/ -``` +- NVDの過去2年分の脆弱性データベースを更新する + ``` + $ docker exec -t vuls scripts/fetch_nvd_last2y.sh + ``` + +- JVNの過去1ヶ月分の脆弱性データベースを更新する + ``` + $ docker exec -t vuls scripts/fetch_jvn_month.sh + ``` +- JVNの過去1週間分の脆弱性データベースを更新する + ``` + $ docker exec -t vuls scripts/fetch_jvn_week.sh + ``` diff --git a/setup/docker/README.md b/setup/docker/README.md index 5597c7f43f..9f91fd085f 100644 --- a/setup/docker/README.md +++ b/setup/docker/README.md 
@@ -1,21 +1,8 @@ # Vuls on Docker -## Table of Contens - -- [What's Vuls-On-Docker?](#whats-vuls-on-docker) -- [Server Setup](#setting-up-your-machine) - - Install Docker - - Instal Docker Compose -- [Start A Vuls Container](#start-a-vuls-container) -- [Vuls Setup](#setting-up-vuls) - - Locate a appropriate ssh-key - - Edit toml -- [Scan servers with Vuls-On-Docker](#scan-servers-with-vuls-on-docker) -- [See the results in a browser](#see-the-results-in-a-browser) - ## What's Vuls-On-Docker -- This is a dockernized-Vuls with DockerRepo UI in it. +- This is a dockernized-Vuls with vulsrepo UI in it. - It's designed to reduce the cost of installation and the dependencies that vuls requires. - You can run install and run Vuls on your machine with only a few commands. - The result can be viewed with a browser @@ -31,26 +18,18 @@ $ docker-compose version ``` -4. Create a working directory for Vuls - - ``` - mkdir work - cd work - git clone https://github.com/hikachan/vuls.git - cd vuls/docker - ``` - ## Start A Vuls Container - Execute the following command to build and run a Vuls Container - `` - docker-compose up -d - `` + ``` + $ cd $GOPATH/src/github.com/future-architect/vuls/docker + $ docker-compose up -d + ``` ## Setting up Vuls -1. Locate ssh-keys of servers in (vuls/docker/conf/id_rsa) +1. Locate ssh-keys of targer servers in (vuls/docker/conf/) 2. Create and ajust config.toml(vuls/docker/conf/config.toml) to your environment ``` @@ -60,7 +39,13 @@ host = "172.31.4.82" user = "ec2-user" keyPath = "conf/id_rsa" - containers = ["container_name_a", "4aa37a8b63b9"] + ``` + +## Fetch Vulnerability database + +- Fetch Vulnerability database from NVD + ``` + $ docker exec -t vuls scripts/fetch_nvd_all.sh ``` ## Scan servers with Vuls-On-Docker 
@@ -68,8 +53,8 @@ - Use the embedded script to scan servers for vulsrepo(or run whatever with docker exec) ``` - docker exec -t vuls vuls prepare -config=conf/config.toml - docker exec -t vuls scripts/scan_for_vulsrepo.sh + $ docker exec -t vuls vuls prepare -config=conf/config.toml + $ docker exec -t vuls scripts/scan_for_vulsrepo.sh ``` ## See the results in a browser @@ -77,3 +62,17 @@ ``` http://${Vuls_Host}/vulsrepo/ ``` + +# Update modules + +- update vuls, go-cve-dictionary, vulsrepo + ``` + $ docker exec -t vuls scripts/update_modules.sh + ``` + +# Update Vulnerability database + +- Fetch Vulnerability database from NVD + ``` + $ docker exec -t vuls scripts/fetch_nvd_last2y.sh + ``` diff --git a/setup/docker/dockerfile/Dockerfile b/setup/docker/dockerfile/Dockerfile index 8787fef73c..9a438cf73a 100644 --- a/setup/docker/dockerfile/Dockerfile +++ b/setup/docker/dockerfile/Dockerfile @@ -23,6 +23,15 @@ ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH" +# glide install +ENV GLIDE_VERSION 0.10.2 +ENV GLIDE_DOWNLOAD_URL https://github.com/Masterminds/glide/releases/download/$GLIDE_VERSION/glide-$GLIDE_VERSION-linux-amd64.tar.gz +RUN curl -fsSL "$GLIDE_DOWNLOAD_URL" -o glide.tar.gz \ + && mkdir /usr/local/glide \ + && tar -C /usr/local/glide -xzf glide.tar.gz \ + && ln -s /usr/local/glide/linux-amd64/glide /usr/local/bin/ \ + && rm glide.tar.gz + # nginx Install RUN apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 \ && echo "deb http://nginx.org/packages/mainline/debian/ jessie nginx" >> /etc/apt/sources.list \ 
@@ -49,11 +58,23 @@ COPY nginx.conf /etc/nginx/nginx.conf ENV VULS_ROOT /opt/vuls RUN mkdir -p /var/log/vuls ${VULS_ROOT}/conf /root/.ssh/ RUN chmod 700 -R /var/log/vuls $VULS_ROOT -RUN go get github.com/kotakanbe/go-cve-dictionary -RUN go get github.com/future-architect/vuls +# RUN go get github.com/kotakanbe/go-cve-dictionary +# RUN go get github.com/future-architect/vuls + +RUN go get -v -d github.com/kotakanbe/go-cve-dictionary \ + && cd $GOPATH/src/github.com/kotakanbe/go-cve-dictionary \ + && glide install \ + && go install + +RUN go get -v -d github.com/future-architect/vuls \ + && cd $GOPATH/src/github.com/future-architect/vuls \ + && glide install \ + && go install # Copy custom Scripts COPY ./scripts/ ${VULS_ROOT}/scripts +RUN chmod 755 ${VULS_ROOT}/scripts/* + #Vulrepo Install RUN git clone https://github.com/usiusi360/vulsrepo /tmp/vulsrepo diff --git a/setup/docker/dockerfile/scripts/fetch_jvn_all.sh b/setup/docker/dockerfile/scripts/fetch_jvn_all.sh new file mode 100644 index 0000000000..ae6aa9a980 --- /dev/null +++ b/setup/docker/dockerfile/scripts/fetch_jvn_all.sh @@ -0,0 +1,6 @@ +#!/bin/bash +VULS_ROOT=/opt/vuls +#VULS_CONF=${VULS_ROOT}/conf +cd $VULS_ROOT +go-cve-dictionary fetchjvn -entire + diff --git a/setup/docker/dockerfile/scripts/fetch_jvn_month.sh b/setup/docker/dockerfile/scripts/fetch_jvn_month.sh new file mode 100644 index 0000000000..c9c0651817 --- /dev/null +++ b/setup/docker/dockerfile/scripts/fetch_jvn_month.sh @@ -0,0 +1,6 @@ +#!/bin/bash +VULS_ROOT=/opt/vuls +#VULS_CONF=${VULS_ROOT}/conf +cd $VULS_ROOT +go-cve-dictionary fetchjvn -month + diff --git a/setup/docker/dockerfile/scripts/fetch_jvn_week.sh b/setup/docker/dockerfile/scripts/fetch_jvn_week.sh new file mode 100644 index 0000000000..5fe9f2505a --- /dev/null +++ b/setup/docker/dockerfile/scripts/fetch_jvn_week.sh @@ -0,0 +1,6 @@ +#!/bin/bash +VULS_ROOT=/opt/vuls +#VULS_CONF=${VULS_ROOT}/conf +cd $VULS_ROOT +go-cve-dictionary fetchjvn -week + 
diff --git a/setup/docker/dockerfile/scripts/update_cve.sh b/setup/docker/dockerfile/scripts/fetch_nvd_all.sh similarity index 100% rename from setup/docker/dockerfile/scripts/update_cve.sh rename to setup/docker/dockerfile/scripts/fetch_nvd_all.sh diff --git a/setup/docker/dockerfile/scripts/fetch_nvd_last2y.sh b/setup/docker/dockerfile/scripts/fetch_nvd_last2y.sh new file mode 100644 index 0000000000..57a2955830 --- /dev/null +++ b/setup/docker/dockerfile/scripts/fetch_nvd_last2y.sh @@ -0,0 +1,6 @@ +#!/bin/bash +VULS_ROOT=/opt/vuls +#VULS_CONF=${VULS_ROOT}/conf +cd $VULS_ROOT +go-cve-dictionary fetchnvd -last2y + diff --git a/setup/docker/dockerfile/scripts/update_modules.sh b/setup/docker/dockerfile/scripts/update_modules.sh new file mode 100644 index 0000000000..356d4cfb70 --- /dev/null +++ b/setup/docker/dockerfile/scripts/update_modules.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +cd $GOPATH/src/github.com/future-architect/vuls +git pull origin master +glide install +go install + + +cd $GOPATH/src/github.com/kotakanbe/go-cve-dictionary +git pull origin master +glide install +go install + +git clone https://github.com/usiusi360/vulsrepo /tmp/vulsrepo +cp -rp /tmp/vulsrepo/src/* /usr/share/nginx/html/vulsrepo +rm -rf /tmp/vulsrepo +
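
Review bot: In the reflowed `vuls scan` examples in README.md and README.ja.md, the first command still mixes double-dash flags (`--report-slack`, `--report-mail`, `--cvss-over=7`) with single-dash ones (`-ask-sudo-password`, `-ask-key-password`, `-cve-dictionary-dbpath`). With one flag per line the inconsistency is now obvious, so pick one prefix style for all of them. `$PWD` is also unquoted in every example; `-cve-dictionary-dbpath="$PWD/cve.sqlite3"` survives being copied into a directory whose path contains spaces.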
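
Review bot: In setup/docker/README.ja.md the "Setting up Vuls" steps point at two different directories: step 1 stores the SSH private key under `vuls/setup/docker/conf/`, while step 2 creates `vuls/docker/conf/config.toml`. The `cd` in "Start A Vuls Container" uses `.../vuls/setup/docker`, so step 2 should use `vuls/setup/docker/conf/config.toml` as well, otherwise the sample `keyPath = "conf/id_rsa"` and the config file end up described as living in different trees. The new `# Update modules` and `# Update Vulnerability database` headings are also level 1 while every other section in the file is `##`.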
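
Review bot: In setup/docker/README.md the new "Start A Vuls Container" command is `cd $GOPATH/src/github.com/future-architect/vuls/docker`, but this README lives in `setup/docker/` and the Japanese README in the same patch uses `.../vuls/setup/docker`; the path here, and the `vuls/docker/conf/` paths in "Setting up Vuls", should be updated to match. The same hunk introduces the typo "targer servers". This patch also adds `fetch_jvn_all.sh`, `fetch_jvn_month.sh` and `fetch_jvn_week.sh`, yet only the NVD scripts are documented in the English text, and the two new trailing sections use `#` where the rest of the file uses `##`.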
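
Review bot: The glide install step in setup/docker/dockerfile/Dockerfile extracts the downloaded release tarball without verifying it: `curl -fsSL "$GLIDE_DOWNLOAD_URL" -o glide.tar.gz` is followed directly by `tar -C /usr/local/glide -xzf glide.tar.gz`. Since `GLIDE_VERSION` is already pinned to 0.10.2, add an `ENV` holding the expected SHA-256 of that tarball and a `sha256sum -c` check between the download and the extraction, so a replaced or corrupted release asset fails the build instead of ending up on `PATH` in the image.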
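
Review bot: In the second Dockerfile hunk, `go get -v -d github.com/kotakanbe/go-cve-dictionary` and `go get -v -d github.com/future-architect/vuls` check out whatever the repositories' default branch contains at build time, so two builds of the same Dockerfile can produce different scanner binaries. Consider adding a `git checkout` of a tag or commit after the `cd` and before `glide install`. The two commented-out `# RUN go get ...` lines should be deleted rather than left behind, since the history already records them. `chmod 755 ${VULS_ROOT}/scripts/*` is fine, but it will need quoting if `VULS_ROOT` ever becomes configurable.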
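
Review bot: The new fetch_jvn_all.sh, fetch_jvn_month.sh, fetch_jvn_week.sh and fetch_nvd_last2y.sh all run `cd $VULS_ROOT` unquoted and unchecked, so if the directory is missing `go-cve-dictionary` still runs and does its work relative to whatever directory `docker exec` started in. Use `cd "$VULS_ROOT" || exit 1` (or `set -e` at the top). The commented-out `#VULS_CONF=${VULS_ROOT}/conf` line is unused in all four files and can be dropped. The scripts differ only in the subcommand and period flag, so a single script taking those as arguments would avoid four copies to keep in sync.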
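
Review bot: update_modules.sh has no error handling, so a failed `cd` or `git pull origin master` is followed by `glide install` and `go install` anyway, and a failed `git clone` is followed by `cp -rp /tmp/vulsrepo/src/* /usr/share/nginx/html/vulsrepo`. Add `set -e` (and preferably `set -u`, since the script depends on `$GOPATH`) at the top. The `git clone ... /tmp/vulsrepo` also fails when a previous run was interrupted before the final `rm -rf /tmp/vulsrepo`; remove the directory before cloning, or clone into a `mktemp -d` directory. Note as well that this script rebuilds the scanner from the tip of `master` inside a running container, so the result no longer matches the image that was built and reviewed; the README should say so, or the script should take a ref to check out.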