Vulnerability scanner for Linux/FreeBSD, agentless, written in golang.
We have a slack team. Join slack team
README in Japanese
README in French
- Vuls: VULnerability Scanner
- TOC
- Abstract
- Main Features
- What Vuls Doesn't Do
- Setup Vuls
- Tutorial: Local Scan Mode
- Tutorial: Remote Scan Mode
- Setup Vuls in a Docker Container
- Architecture
- Performance Considerations
- Use Cases
- Support OS
- Usage: Automatic Server Discovery
- Configuration
- Usage: Configtest
- Usage: Scan
- Usage: Report
- Usage: Scan vulnerabilites of non-OS packages
- Usage: Integrate with OWASP Dependency Check to Automatic update when the libraries are updated (Experimental)
- Usage: TUI
- Display the previous scan results using peco
- Usage: go-cve-dictionary on different server
- Usage: Update NVD Data
- How to Update
- Misc
- Related Projects
- Data Source
- Authors
- Contribute
- Change Log
- License
For a system administrator, having to perform security vulnerability analysis and software update on a daily basis can be a burden. To avoid downtime in production environment, it is common for system administrator to choose not to use the automatic update option provided by package manager and to perform update manually. This leads to the following problems.
- System administrator will have to constantly watch out for any new vulnerabilities in NVD(National Vulnerability Database) or similar databases.
- It might be impossible for the system administrator to monitor all the software if there are a large number of software installed in server.
- It is expensive to perform analysis to determine the servers affected by new vulnerabilities. The possibility of overlooking a server or two during analysis is there.
Vuls is a tool created to solve the problems listed above. It has the following characteristics.
- Informs users of the vulnerabilities that are related to the system.
- Informs users of the servers that are affected.
- Vulnerability detection is done automatically to prevent any oversight.
- Report is generated on regular basis using CRON or other methods. to manage vulnerability.
- Scan for any vulnerabilities in Linux/FreeBSD Server
- Supports Ubuntu, Debian, CentOS, Amazon Linux, RHEL, Oracle Linux, FreeBSD and Raspbian
- Cloud, on-premise, Docker
- Scan middleware that are not included in OS package management
- Scan middleware, programming language libraries and framework for vulnerability
- Support software registered in CPE
- Agentless architecture
- User is required to only setup one machine that is connected to other target servers via SSH
- Nondestructive testing
- Pre-authorization is not necessary before scanning on AWS
- Auto generation of configuration file template
- Auto detection of servers set using CIDR, generate configuration file template
- Email and Slack notification is possible (supports Japanese language)
- Scan result is viewable on accessory software, TUI Viewer on terminal or Web UI (VulsRepo).
- Vuls doesn't update the vulnerable packages.
There are 2 ways to setup Vuls.
-
Docker container
Dockernized-Vuls with vulsrepo UI in it.
You can run install and run Vuls on your machine with only a few commands.
see https://github.com/future-architect/vuls/tree/master/setup/docker -
Manually
Tutorial shows how to setup vuls manually.
This tutorial will let you scan the vulnerabilities on the localhost with Vuls.
This can be done in the following steps.
- Launch Amazon Linux
- Install requirements
- Deploy go-cve-dictionary
- Deploy Vuls
- Configuration
- Check config.toml and settings on the server before scanning
- Scan
- Reporting
- TUI(Terminal-Based User Interface)
- Web UI (VulsRepo)
-
We are using the old AMI (amzn-ami-hvm-2015.09.1.x86_64-gp2 - ami-383c1956) for this example
-
Add the following to the cloud-init, to avoid auto-update at the first launch.
#cloud-config repo_upgrade: none
Vuls requires the following packages.
- SQLite3 or MySQL
- git
- gcc
- GNU Make
- go v1.7.1 or later (The latest version is recommended)
$ ssh [email protected] -i ~/.ssh/private.pem
$ sudo yum -y install sqlite git gcc make
$ wget https://storage.googleapis.com/golang/go1.7.1.linux-amd64.tar.gz
$ sudo tar -C /usr/local -xzf go1.7.1.linux-amd64.tar.gz
$ mkdir $HOME/goAdd these lines into /etc/profile.d/goenv.sh
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/binSet the OS environment variable to current shell
$ source /etc/profile.d/goenv.sh$ sudo mkdir /var/log/vuls
$ sudo chown ec2-user /var/log/vuls
$ sudo chmod 700 /var/log/vuls
$
$ mkdir -p $GOPATH/src/github.com/kotakanbe
$ cd $GOPATH/src/github.com/kotakanbe
$ git clone https://github.com/kotakanbe/go-cve-dictionary.git
$ cd go-cve-dictionary
$ make installThe binary was built under $GOPATH/bin
Fetch vulnerability data from NVD.
It takes about 10 minutes (on AWS).
$ cd $HOME
$ for i in `seq 2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -years $i; done
... snip ...
$ ls -alh cve.sqlite3
-rw-r--r-- 1 ec2-user ec2-user 7.0M Mar 24 13:20 cve.sqlite3Launch a new terminal and SSH to the ec2 instance.
$ mkdir -p $GOPATH/src/github.com/future-architect
$ cd $GOPATH/src/github.com/future-architect
$ git clone https://github.com/future-architect/vuls.git
$ cd vuls
$ make install
The binary was built under $GOPATH/bin
Create a config file(TOML format).
$ cd $HOME
$ cat config.toml
[servers]
[servers.localhost]
host = "localhost"
port = "local"
Root privilege is needed on Some distributions. Sudo with password is not supported for security reasons. So you have to define NOPASSWORD in /etc/sudoers. See Usage: Configtest#Check /etc/sudoers
$ vuls configtest
$ vuls scan
... snip ...
Scan Summary
============
localhost amazon 2015.09 94 CVEs 103 updatable packages
View one-line summary
$ vuls report -format-one-line-text -cvedb-path=$PWD/cve.sqlite3
One Line Summary
================
localhost Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages
View short summary.
$ vuls report -format-short-text
localhost (amazon 2015.09)
===========================
Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages
CVE-2016-5636 10.0 (High) Integer overflow in the get_data function in zipimport.c in CPython (aka Python)
before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers
to have unspecified impact via a negative data size value, which triggers a
heap-based buffer overflow.
https://www.cvedetails.com/cve/CVE-2016-5636
https://access.redhat.com/security/cve/CVE-2016-5636
python27-2.7.10-4.119.amzn1 -> python27-2.7.12-2.120.amzn1
python27-devel-2.7.10-4.119.amzn1 -> python27-devel-2.7.12-2.120.amzn1
python27-libs-2.7.10-4.119.amzn1 -> python27-libs-2.7.12-2.120.amzn1
Confidence: 100 / YumUpdateSecurityMatch
... snip ...
View full report.
$ vuls report -format-full-text
localhost (amazon 2015.09)
============================
Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages
CVE-2016-5636
-------------
Score 10.0 (High)
Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Summary Integer overflow in the get_data function in zipimport.c in CPython (aka Python)
before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers
to have unspecified impact via a negative data size value, which triggers a
heap-based buffer overflow.
CWE https://cwe.mitre.org/data/definitions/190.html
NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5636
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636
CVE Details https://www.cvedetails.com/cve/CVE-2016-5636
CVSS Claculator https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2016-5636&vector=(AV:N/AC:L/...
RHEL-CVE https://access.redhat.com/security/cve/CVE-2016-5636
ALAS-2016-724 https://alas.aws.amazon.com/ALAS-2016-724.html
Package python27-2.7.10-4.119.amzn1 -> python27-2.7.12-2.120.amzn1
python27-devel-2.7.10-4.119.amzn1 -> python27-devel-2.7.12-2.120.amzn1
python27-libs-2.7.10-4.119.amzn1 -> python27-libs-2.7.12-2.120.amzn1
Confidence 100 / YumUpdateSecurityMatch
... snip ...
Vuls has Terminal-Based User Interface to display the scan result.
$ vuls tui
VulsRepo is a awesome Web UI for Vuls.
Check it out the Online Demo.
This tutorial will let you scan the vulnerabilities on the remote host via SSH with Vuls.
This can be done in the following steps.
- Launch Another Amazon Linux
- Install Dependencies on the Remote Host
- Enable to SSH from Localhost
- Configuration
- Check config.toml and settings on the server before scanning
- Scan
- Reporting
We will use the Vuls server (called localhost) created in the previous tutorial.
Same as Tutorial: Local Scan Mode#Step1. Launch Amazon Linux
Launch a new terminal and SSH to the Remote Server.
Depending on the distribution you need to install dependent modules. Install these dependencies manually or using Ansible etc. For details of dependent libraries, see Dependencies on Target Servers
Vuls doesn't support SSH password authentication. So you have to use SSH key-based authentication.
Create a keypair on the localhost then append public key to authorized_keys on the remote host.
- Localhost
$ ssh-keygen -t rsaCopy ~/.ssh/id_rsa.pub to the clipboard.
- Remote Host
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ vim ~/.ssh/authorized_keys
Paste from the clipboard to ~/.ssh/.authorized_keys
SUDO with password is not supported for security reasons. So you have to define NOPASSWORD in /etc/sudoers on target servers.
See Usage: Configtest#Check /etc/sudoers
And also, confirm that the host keys of scan target servers has been registered in the known_hosts of the Localhost.
- Localhost
$ cd $HOME
$ cat config.toml
[servers]
[servers.172-31-4-82]
host = "172.31.4.82"
port = "22"
user = "ec2-user"
keyPath = "/home/ec2-user/.ssh/id_rsa"
$ vuls configtest
$ vuls scan
... snip ...
Scan Summary
============
172-31-4-82 amazon 2015.09 94 CVEs 103 updatable packages
See Tutorial: Local Scan Mode#Step8. Reporting
See Tutorial: Local Scan Mode#Step9. TUI
See Tutorial: Local Scan Mode#Step10. Web UI
see https://github.com/future-architect/vuls/tree/master/setup/docker
Deploy Vuls to the scan target server. Vuls issues a command to the local host (not via SSH). Aggregate the JSON of the scan result into another server. Since it is necessary to access the CVE database in order to refine the scan result, start go-cve-dictionary in server mode beforehand. On the aggregation server, you can refer to the scanning result of each scan target server using WebUI or TUI.
- Fetch vulnerability information from NVD and JVN(Japanese), then insert into SQLite3 or MySQL.
- Scan vulnerabilities on the servers via SSH and collect a list of the CVE ID
- To scan Docker containers, Vuls connects via SSH to the Docker host and then
docker execto the containers. So, no need to run sshd daemon on the containers.
- To scan Docker containers, Vuls connects via SSH to the Docker host and then
-
On Ubuntu, Debian and Raspbian Vuls issues
apt-get changelogfor each upgradable packages and parse the changelog.
apt-get changelogis slow and resource usage is heavy when there are many updatable packages on target server.
Vuls stores these changelogs to KVS(boltdb).
From the second time on, the scan speed is fast by using the local cache. -
On CentOS
Vuls issuesyum update --changelogto get changelogs of upgradable packages at once and parse the changelog.
Scan speed is fast and resource usage is light. -
On Amazon, RHEL and FreeBSD
High speed scan and resource usage is light because Vuls can get CVE IDs by using package manager(no need to parse a changelog).
| Distribution | Scan Speed |
|---|---|
| Ubuntu | First time: Slow / From the second time: Fast |
| Debian | First time: Slow / From the second time: Fast |
| CentOS | Fast |
| Amazon | Fast |
| RHEL | Fast |
| Oracle Linux | Fast |
| FreeBSD | Fast |
| Raspbian | First time: Slow / From the second time: Fast |
web/app server in the same configuration under the load balancer
If there is a staging environment with the same configuration as the production environment, you can scan the server in staging environment
| Distribution | Release |
|---|---|
| Ubuntu | 12, 14, 16 |
| Debian | 7, 8 |
| RHEL | 5, 6, 7 |
| Oracle Linux | 5, 6, 7 |
| CentOS | 6, 7 |
| Amazon Linux | All |
| FreeBSD | 10, 11 |
| Raspbian | Wheezy, Jessie |
Discovery subcommand discovers active servers specified in CIDR range, then display the template of config file(TOML format) to terminal.
$ vuls discover -help
discover:
discover 192.168.0.0/24
$ vuls discover 172.31.4.0/24
# Create config.toml using below and then ./vuls --config=/path/to/config.toml
[slack]
hookURL = "https://hooks.slack.com/services/abc123/defghijklmnopqrstuvwxyz"
channel = "#channel-name"
#channel = "${servername}"
iconEmoji = ":ghost:"
authUser = "username"
notifyUsers = ["@username"]
[email]
smtpAddr = "smtp.gmail.com"
smtpPort = "587"
user = "username"
password = "password"
from = "[email protected]"
to = ["[email protected]"]
cc = ["[email protected]"]
subjectPrefix = "[vuls]"
[default]
#port = "22"
#user = "username"
#keyPath = "/home/username/.ssh/id_rsa"
#cpeNames = [
# "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
#]
#ignoreCves = ["CVE-2016-6313"]
#optional = [
# ["key", "value"],
#]
[servers]
[servers.172-31-4-82]
host = "172.31.4.82"
#port = "22"
#user = "root"
#keyPath = "/home/username/.ssh/id_rsa"
#cpeNames = [
# "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
#]
#ignoreCves = ["CVE-2016-6313"]
#optional = [
# ["key", "value"],
#]
#[servers.172-31-4-82.containers]
#type = "lxd" # or "docker"
#includes = ["${running}"]
#excludes = ["container_name", "container_id"]
You can customize your configuration using this template.
-
Slack section
[slack] hookURL = "https://hooks.slack.com/services/abc123/defghijklmnopqrstuvwxyz" channel = "#channel-name" #channel = "${servername}" iconEmoji = ":ghost:" authUser = "username" notifyUsers = ["@username"]-
hookURL : Incoming webhook's URL
-
channel : channel name.
If you set${servername}to channel, the report will be sent to each channel.
In the following example, the report will be sent to the#server1and#server2.
Be sure to create these channels before scanning.[slack] channel = "${servername}" ...snip... [servers] [servers.server1] host = "172.31.4.82" ...snip... [servers.server2] host = "172.31.4.83" ...snip... -
iconEmoji: emoji
-
authUser: username of the slack team
-
notifyUsers: a list of Slack usernames to send Slack notifications. If you set
["@foo", "@bar"]to notifyUsers, @foo @bar will be included in text.
So @foo, @bar can receive mobile push notifications on their smartphone.
-
-
EMail section
[email] smtpAddr = "smtp.gmail.com" smtpPort = "587" user = "username" password = "password" from = "[email protected]" to = ["[email protected]"] cc = ["[email protected]"] subjectPrefix = "[vuls]" -
Default section
[default] #port = "22" #user = "username" #keyPath = "/home/username/.ssh/id_rsa" #cpeNames = [ # "cpe:/a:rubyonrails:ruby_on_rails:4.2.1", #] #ignoreCves = ["CVE-2016-6313"] #optional = [ # ["key", "value"], #]Items of the default section will be used if not specified.
-
servers section
[servers] [servers.172-31-4-82] host = "172.31.4.82" #port = "22" #user = "root" #keyPath = "/home/username/.ssh/id_rsa" #cpeNames = [ # "cpe:/a:rubyonrails:ruby_on_rails:4.2.1", #] #ignoreCves = ["CVE-2016-6314"] #optional = [ # ["key", "value"], #] #[servers.172-31-4-82.containers] #type = "lxd" # or "docker" #includes = ["${running}"] #excludes = ["container_name", "container_id"]You can overwrite the default value specified in default section.
- host: IP address or hostname of target server
- port: SSH Port number
- user: SSH username
- keyPath: SSH private key path
- cpeNames: see Usage: Scan vulnerability of non-OS package
- ignoreCves: CVE IDs that will not be reported. But output to JSON file.
- optional: Add additional information to JSON report.
- containers: see [Example: Scan containers (Docker/LXD)(#example-scan-containers-dockerlxd)
Vuls supports two types of SSH. One is external command. The other is native go implementation. For details, see -ssh-native-insecure option
Multiple SSH authentication methods are supported.
- SSH agent
- SSH public key authentication (with password and empty password) Password authentication is not supported.
$ vuls configtest --help
configtest:
configtest
[-config=/path/to/config.toml]
[-log-dir=/path/to/log]
[-ask-key-password]
[-ssh-native-insecure]
[-containers-only]
[-timeout=300]
[-debug]
[SERVER]...
-ask-key-password
Ask ssh privatekey password before scanning
-config string
/path/to/toml (default "/Users/kotakanbe/go/src/github.com/future-architect/vuls/config.toml")
-containers-only
Test containers only. Default: Test both of hosts and containers
-debug
debug mode
-http-proxy string
https://proxy-url:port (default: empty)
-log-dir string
/path/to/log (default "/var/log/vuls")
-ssh-native-insecure
Use Native Go implementation of SSH. Default: Use the external command
-timeout int
Timeout(Sec) (default 300)
The configtest subcommand checks the following
- Whether vuls is able to connect via SSH to servers/containers defined in the config.toml
- Whether Dependent package is installed on the scan target server
- Check /etc/sudoers
In order to scan, the following dependencies are required, so you need to install them manually or with tools such as Ansible.
| Distribution | Release | Requirements |
|---|---|---|
| Ubuntu | 12, 14, 16 | - |
| Debian | 7, 8 | aptitude |
| CentOS | 6, 7 | yum-plugin-changelog |
| Amazon | All | - |
| RHEL | 5 | yum-security |
| RHEL | 6, 7 | - |
| Oracle Linux | 5 | yum-security |
| Oracle Linux | 6, 7 | - |
| FreeBSD | 10 | - |
| Raspbian | Wheezy, Jessie | - |
The configtest subcommand checks sudo settings on target servers whether Vuls is able to SUDO with nopassword via SSH. And if you run Vuls without -ssh-native-insecure option, requiretty must be defined in /etc/sudoers.
Defaults:vuls !requiretty
For details, see -ssh-native-insecure option
Example of /etc/sudoers on target servers
- CentOS
vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --changelog --assumeno update *
Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
- RHEL 5 / Oracle Linux 5
vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never list-security --security, /usr/bin/yum --color=never check-update, /usr/bin/yum --color=never info-security
Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
- RHEL 6, 7 / Oracle Linux 6, 7
vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never --security updateinfo list updates, /usr/bin/yum --color=never check-update, /usr/bin/yum --color=never --security updateinfo updates
Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
- Debian
vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
- Ubuntu/Raspbian
vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
- On Amazon Linux, FreeBSD, it is possible to scan without root privilege for now.
$ vuls scan -help
scan:
scan
[-config=/path/to/config.toml]
[-results-dir=/path/to/results]
[-log-dir=/path/to/log]
[-cachedb-path=/path/to/cache.db]
[-ssh-native-insecure]
[-containers-only]
[-skip-broken]
[-http-proxy=https://192.168.0.1:8080]
[-ask-key-password]
[-timeout=300]
[-timeout-scan=7200]
[-debug]
[-pipe]
[SERVER]...
-ask-key-password
Ask ssh privatekey password before scanning
-cachedb-path string
/path/to/cache.db (local cache of changelog for Ubuntu/Debian)
-config string
/path/to/toml
-containers-only
Scan containers only. Default: Scan both of hosts and containers
-debug
debug mode
-http-proxy string
https://proxy-url:port (default: empty)
-log-dir string
/path/to/log (default "/var/log/vuls")
-pipe
Use stdin via PIPE
-results-dir string
/path/to/results
-skip-broken
[For CentOS] yum update changelog with --skip-broken option
-ssh-native-insecure
Use Native Go implementation of SSH. Default: Use the external command
-timeout int
Number of seconds for processing other than scan (default 300)
-timeout-scan int
Number of second for scaning vulnerabilities for all servers (default 7200)
Vuls supports different types of SSH.
By Default, external SSH command will be used.
This is useful If you want to use ProxyCommand or cipher algorithm of SSH that is not supported by native go implementation.
Don't forget to add below line to /etc/sudoers on the target servers. (username: vuls)
Defaults:vuls !requiretty
To use native Go implementation from crypto/ssh, specify this option.
This is useful in situations where you may not have access to traditional UNIX tools.
But it is important to note that this mode does not check the host key.
| SSH key password | -ask-key-password | |
|---|---|---|
| empty password | - | |
| with password | required | or use ssh-agent |
$ vuls scan -ask-key-password
With this sample command, it will ..
- Ask SSH key password before scanning
- Scan all servers defined in config file
$ vuls scan server1 server2
With this sample command, it will ..
- Use SSH Key-Based authentication with empty password (without -ask-key-password option)
- Scan only 2 servers (server1, server2)
Vuls scans localhost instead of SSH if the host address is localhst or 127.0.0.1 and the port is local in config.
For more details, see Architecture section
- config.toml
[servers] [servers.localhost] host = "localhost" # or "127.0.0.1" port = "local"
If you use local scan mode for cron jobs, don't forget to add below line to /etc/sudoers on RHEL/CentOS. (username: vuls)
Defaults:vuls !requiretty
It is common that keep containers running without SSHd daemon.
see Docker Blog:Why you don't need to run SSHd in your Docker containers
Vuls scans Docker containers via docker exec instead of SSH.
For more details, see Architecture section
-
To scan all of running containers
"${running}"needs to be set in the containers item.[servers] [servers.172-31-4-82] host = "172.31.4.82" user = "ec2-user" keyPath = "/home/username/.ssh/id_rsa" [servers.172-31-4-82.containers] includes = ["${running}"] -
To scan specific containers
The container ID or container name needs to be set in the containers item.
In the following example, onlycontainer_name_aand4aa37a8b63b9will be scanned.
Be sure to check these containers are running state before scanning.
If specified containers are not running, Vuls gives up scanning with printing error message.[servers] [servers.172-31-4-82] host = "172.31.4.82" user = "ec2-user" keyPath = "/home/username/.ssh/id_rsa" [servers.172-31-4-82.containers] includes = ["container_name_a", "4aa37a8b63b9"] -
To scan except specific containers
[servers] [servers.172-31-4-82] host = "172.31.4.82" user = "ec2-user" keyPath = "/home/username/.ssh/id_rsa" [servers.172-31-4-82.containers] includes = ["${running}"] excludes = ["container_name_a", "4aa37a8b63b9"] -
To scan containers only
- --containers-only option is available.
Vuls scans lxd via lxc exec instead of SSH.
[servers]
[servers.172-31-4-82]
host = "172.31.4.82"
user = "ec2-user"
keyPath = "/home/username/.ssh/id_rsa"
[servers.172-31-4-82.containers]
type = "lxd"
includes = ["${running}"]
report:
report
[-lang=en|ja]
[-config=/path/to/config.toml]
[-results-dir=/path/to/results]
[-log-dir=/path/to/log]
[-refresh-cve]
[-cvedb-type=sqlite3|mysql]
[-cvedb-path=/path/to/cve.sqlite3]
[-cvedb-url=https://127.0.0.1:1323 or mysql connection string]
[-cvss-over=7]
[-diff]
[-ignore-unscored-cves]
[-to-email]
[-to-slack]
[-to-localfile]
[-to-s3]
[-to-azure-blob]
[-format-json]
[-format-xml]
[-format-one-email]
[-format-one-line-text]
[-format-short-text]
[-format-full-text]
[-gzip]
[-aws-profile=default]
[-aws-region=us-west-2]
[-aws-s3-bucket=bucket_name]
[-azure-account=accout]
[-azure-key=key]
[-azure-container=container]
[-http-proxy=https://192.168.0.1:8080]
[-debug]
[-debug-sql]
[-pipe]
[SERVER]...
-aws-profile string
AWS profile to use (default "default")
-aws-region string
AWS region to use (default "us-east-1")
-aws-s3-bucket string
S3 bucket name
-azure-account string
Azure account name to use. AZURE_STORAGE_ACCOUNT environment variable is used if not specified
-azure-container string
Azure storage container name
-azure-key string
Azure account key to use. AZURE_STORAGE_ACCESS_KEY environment variable is used if not specified
-config string
/path/to/toml
-cvedb-path string
/path/to/sqlite3 (For get cve detail from cve.sqlite3)
-cvedb-type string
DB type for fetching CVE dictionary (sqlite3 or mysql) (default "sqlite3")
-cvedb-url string
https://cve-dictionary.com:8080 or mysql connection string
-cvss-over float
-cvss-over=6.5 means reporting CVSS Score 6.5 and over (default: 0 (means report all))
-diff
Difference between previous result and current result
-debug
debug mode
-debug-sql
SQL debug mode
-format-full-text
Detail report in plain text
-format-json
JSON format
-format-one-email
Send all the host report via only one EMail (Specify with -to-email)
-format-one-line-text
One line summary in plain text
-format-short-text
Summary in plain text
-format-xml
XML format
-gzip
gzip compression
-http-proxy string
https://proxy-url:port (default: empty)
-ignore-unscored-cves
Don't report the unscored CVEs
-lang string
[en|ja] (default "en")
-log-dir string
/path/to/log (default "/var/log/vuls")
-pipe
Use stdin via PIPE
-refresh-cve
Refresh CVE information in JSON file under results dir
-results-dir string
/path/to/results
-to-azure-blob
Write report to Azure Storage blob (container/yyyyMMdd_HHmm/servername.json/xml/txt)
-to-email
Send report via Email
-to-localfile
Write report to localfile
-to-s3
Write report to S3 (bucket/yyyyMMdd_HHmm/servername.json/xml/txt)
-to-slack
Send report via Slack
$ vuls report -format-full-text
172-31-4-82 (amazon 2015.09)
============================
Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages
CVE-2016-5636
-------------
Score 10.0 (High)
Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Summary Integer overflow in the get_data function in zipimport.c in CPython (aka Python)
before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers
to have unspecified impact via a negative data size value, which triggers a
heap-based buffer overflow.
CWE https://cwe.mitre.org/data/definitions/190.html
NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5636
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636
CVE Details https://www.cvedetails.com/cve/CVE-2016-5636
CVSS Claculator https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2016-5636&vector=(AV:N/AC:L/...
RHEL-CVE https://access.redhat.com/security/cve/CVE-2016-5636
ALAS-2016-724 https://alas.aws.amazon.com/ALAS-2016-724.html
Package python27-2.7.10-4.119.amzn1 -> python27-2.7.12-2.120.amzn1
python27-devel-2.7.10-4.119.amzn1 -> python27-devel-2.7.12-2.120.amzn1
python27-libs-2.7.10-4.119.amzn1 -> python27-libs-2.7.12-2.120.amzn1
Confidence 100 / YumUpdateSecurityMatch
... snip ...
172-31-4-82 (amazon 2015.09)
============================
Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages
172-31-4-82means that it is a scan report ofservers.172-31-4-82defined in cocnfig.toml.(amazon 2015.09)means that the version of the OS is Amazon Linux 2015.09.Total: 94 (High:19 Medium:54 Low:7 ?:14)means that a total of 94 vulnerabilities exist, and the distribution of CVSS Severity is displayed.103 updatable packagesmeans that there are 103 updateable packages on the target server.
CVE-2016-5636
-------------
Score 10.0 (High)
Vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Summary Integer overflow in the get_data function in zipimport.c in CPython (aka Python)
before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 allows remote attackers
to have unspecified impact via a negative data size value, which triggers a
heap-based buffer overflow.
CWE https://cwe.mitre.org/data/definitions/190.html
NVD https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5636
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5636
CVE Details https://www.cvedetails.com/cve/CVE-2016-5636
CVSS Claculator https://nvd.nist.gov/cvss/v2-calculator?name=CVE-2016-5636&vector=(AV:N/AC:L/...
RHEL-CVE https://access.redhat.com/security/cve/CVE-2016-5636
ALAS-2016-724 https://alas.aws.amazon.com/ALAS-2016-724.html
Package python27-2.7.10-4.119.amzn1 -> python27-2.7.12-2.120.amzn1
python27-devel-2.7.10-4.119.amzn1 -> python27-devel-2.7.12-2.120.amzn1
python27-libs-2.7.10-4.119.amzn1 -> python27-libs-2.7.12-2.120.amzn1
Confidence 100 / YumUpdateSecurityMatch
-
Scoremeans CVSS Score. -
Vectormeans CVSS Vector -
Summarymeans Summary of the CVE. -
CWEmeans CWE - Common Weakness Enumeration of the CVE. -
NVDMITRECVE DetailsCVSS Caluculator -
RHEL-CVEmeans the URL of OS distributor support. -
Oracle-CVEmeans the URL of the Oracle Linux errata information. -
Packageshows the package version information including this vulnerability. -
Confidencemeans the reliability of detection.100is highly reliableYumUpdateSecurityMatchis the method of detecting this vulnerability.
-
Item list of
ConfidenceDetection Method Confidence OS Description YumUpdateSecurityMatch 100 RHEL, Oracle Linux, Amazon Linux Detection using yum-plugin-security ChangelogExactMatch 95 CentOS, Ubuntu, Debian, Raspbian Exact version match between changelog and package version ChangelogLenientMatch 50 Ubuntu, Debian, Raspbian Lenient version match between changelog and package version PkgAuditMatch 100 FreeBSD Detection using pkg audit CpeNameMatch 100 All Search for NVD information with CPE name specified in config.toml
The scan results of Ubuntu, Debian, Raspbian or CentOS are also output Changelog in TUI or report with -format-full-text. (RHEL, Amazon or FreeBSD will be available in the near future)
The output change log includes only the difference between the currently installed version and candidate version.
tar-1.28-2.1 -> tar-1.28-2.1ubuntu0.1
-------------------------------------
tar (1.28-2.1ubuntu0.1) xenial-security; urgency=medium
* SECURITY UPDATE: extract pathname bypass
- debian/patches/CVE-2016-6321.patch: skip members whose names contain
".." in src/extract.c.
- CVE-2016-6321
-- Marc Deslauriers <[email protected]> Thu, 17 Nov 2016 11:06:07 -0500
$ vuls report \
-to-slack \
-cvss-over=7 \
-cvedb-path=$PWD/cve.sqlite3
With this sample command, it will ..
- Send scan results to slack
- Only Report CVEs that CVSS score is over 7
To put results in S3 bucket, configure following settings in AWS before reporting.
- Create S3 bucket. see Creating a Bucket
- Configure access to S3 resources. You can do this in several ways:
- Configure the environment variables. see Configuring the AWS Command Line Interface
- Configure the security credentials. see Configuring the AWS Command Line Interface
- Create an IAM role for the service and attach it to the service(EC2, AWS Lambda). Creating a Role to Delegate Permissions to an AWS Service
- To configure environment variables, security credentials, create an access key. see Managing Access Keys for IAM Users
Example of IAM policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::vuls/*"
}
]
}
$ vuls report \
-cvedb-path=$PWD/cve.sqlite3 \
-to-s3 \
-format-json \
-aws-region=ap-northeast-1 \
-aws-s3-bucket=vuls \
-aws-profile=default
With this sample command, it will ..
- Put scan result(JSON) in S3 bucket. The bucket name is "vuls" in ap-northeast-1 and profile is "default"
To put results in Azure Blob Storage, configure following settings in Azure before reporting.
- Create a Azure Blob container
$ vuls scan \
-cvedb-path=$PWD/cve.sqlite3 \
-report-azure-blob \
-azure-container=vuls \
-azure-account=test \
-azure-key=access-key-string
With this sample command, it will ..
- Put scan result(JSON) in Azure Blob Storage. The container name is "vuls", storage account is "test" and accesskey is "access-key-string"
account and access key can be defined in environment variables.
$ export AZURE_STORAGE_ACCOUNT=test
$ export AZURE_STORAGE_ACCESS_KEY=access-key-string
$ vuls scan \
-cvedb-path=$PWD/cve.sqlite3 \
-report-azure-blob \
-azure-container=vuls
Define ignoreCves in config if you don't want to report(Slack, EMail, Text...) specific CVE IDs. But these ignoreCves will be output to JSON file like below.
- config.toml
[default]
ignoreCves = ["CVE-2016-6313"]
[servers.bsd]
host = "192.168.11.11"
user = "kanbe"
ignoreCves = ["CVE-2016-6314"]- bsd.json
[
{
"ServerName": "bsd",
"Family": "FreeBSD",
"Release": "10.3-RELEASE",
"IgnoredCves" : [
"CveDetail" : {
"CVE-2016-6313",
...
},
"CveDetail" : {
"CVE-2016-6314",
...
}
]
}
]Optional key-value can be outputted to JSON.
The key-value in the default section will be overwritten by servers section's key-value.
For instance, you can use this field for Azure ResourceGroup name, Azure VM Name and so on.
- config.toml
[default]
optional = [
["key1", "default_value"],
["key3", "val3"],
]
[servers.bsd]
host = "192.168.11.11"
user = "kanbe"
optional = [
["key1", "val1"],
["key2", "val2"],
]- bsd.json
[
{
"ServerName": "bsd",
"Family": "FreeBSD",
"Release": "10.3-RELEASE",
.... snip ...
"Optional": [
[ "key1", "val1" ],
[ "key2", "val2" ],
[ "key3", "val3" ]
]
}
]$ vuls report \
-cvedb-type=mysql \
-cvedb-url="user:pass@tcp(localhost:3306)/dbname?parseTime=true"
It is possible to detect vulnerabilities in non-OS packages, such as something you compiled by yourself, language libraries and frameworks, that have been registered in the CPE.
-
How to search CPE name by software name
-
NVD: Search Common Platform Enumerations (CPE)
Check CPE Naming Format: 2.2 -
go-cpe-dictionary is a good choice for geeks.
You can search a CPE name by the application name incrementally.
-
-
Configuration
To detect the vulnerability of Ruby on Rails v4.2.1, cpeNames needs to be set in the servers section.[servers] [servers.172-31-4-82] host = "172.31.4.82" user = "ec2-user" keyPath = "/home/username/.ssh/id_rsa" cpeNames = [ "cpe:/a:rubyonrails:ruby_on_rails:4.2.1", ]
Usage: Integrate with OWASP Dependency Check to Automatic update when the libraries are updated (Experimental)
OWASP Dependency check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities.
Benefit of integrating Vuls And OWASP Dependency Check is below.
- Automatic Update of Vuls config when the libraries are updated.
- Reporting by Email or Slack by using Vuls.
- Reporting in Japanese
- OWASP Dependency Check supports only English
How to integrate Vuls with OWASP Dependency Check
-
Execute OWASP Dependency Check with --format=XML option.
-
Define the xml file path of dependency check in config.toml.
[servers] [servers.172-31-4-82] host = "172.31.4.82" user = "ec2-user" keyPath = "/home/username/.ssh/id_rsa" dependencyCheckXMLPath = "/tmp/dependency-check-report.xml"
tui:
tui
[-cvedb-type=sqlite3|mysql]
[-cvedb-path=/path/to/cve.sqlite3]
[-cvedb-url=https://127.0.0.1:1323 or mysql connection string]
[-refresh-cve]
[-results-dir=/path/to/results]
[-log-dir=/path/to/log]
[-debug]
[-debug-sql]
[-pipe]
-cvedb-path string
/path/to/sqlite3 (For get cve detail from cve.sqlite3)
-cvedb-type string
DB type for fetching CVE dictionary (sqlite3 or mysql) (default "sqlite3")
-cvedb-url string
https://cve-dictionary.com:8080 or mysql connection string
-debug
debug mode
-debug-sql
debug SQL
-log-dir string
/path/to/log (default "/var/log/vuls")
-pipe
Use stdin via PIPE
-refresh-cve
Refresh CVE information in JSON file under results dir
-results-dir string
/path/to/results
Key binding is below.
| key | |
|---|---|
| TAB | move cursor among the panes |
| Arrow up/down | move cursor to up/down |
| Ctrl+j, Ctrl+k | move cursor to up/down |
| Ctrl+u, Ctrl+d | page up/down |
For details, see https://github.com/future-architect/vuls/blob/master/report/tui.go
- Display the list of scan results.
$ vuls history
2016-12-30T10:34:38+09:00 1 servers: u16
2016-12-28T19:15:19+09:00 1 servers: ama
2016-12-28T19:10:03+09:00 1 servers: cent6
- Display the result of scan 2016-12-30T10:34:38+09:00
$ vuls tui 2016-12-30T10:34:38+09:00
$ vuls history | peco | vuls tui -pipe
Run go-cve-dictionary as server mode before scanning on 192.168.10.1
$ go-cve-dictionary server -bind=192.168.10.1 -port=1323
Run Vuls with -cvedb-url option.
$ vuls scan -cvedb-url=https://192.168.0.1:1323
see go-cve-dictionary#usage-fetch-nvd-data
- Update go-cve-dictionary
If the DB schema was changed, please specify new SQLite3 or MySQL DB file.
$ cd $GOPATH/src/github.com/kotakanbe/go-cve-dictionary
$ git pull
$ rm -r vendor
$ make install
- Update vuls
$ cd $GOPATH/src/github.com/future-architect/vuls
$ git pull
$ rm -r vendor
$ make install
Binary file was built under $GOPATH/bin
-
Unable to go get vuls
Update git to the latest version. Old version of git can't get some repositories.
see https://groups.google.com/forum/#!topic/mgo-users/rO1-gUDFo_g -
HTTP Proxy Support
If your system is behind HTTP proxy, you have to specify --http-proxy option. -
How to Daemonize go-cve-dictionary
Use Systemd, Upstart or supervisord, daemontools... -
How to Enable Automatic-Update of Vulnerability Data.
Use job scheduler like Cron (with -last2y option). -
How to Enable Automatic-Scan.
Use job scheduler like Cron.
Set NOPASSWORD option in /etc/sudoers on target servers.
Use SSH Key-Based Authentication with no passphrase or ssh-agent. -
How to cross compile
$ cd /path/to/your/local-git-reporsitory/vuls $ GOOS=linux GOARCH=amd64 go build -o vuls.amd64 -
Logging
Log is under /var/log/vuls/ -
Debug
Run with --debug, --sql-debug option. -
Adjusting Open File Limit
Riak docs is awesome. -
Does Vuls accept SSH connections with fish-shell or old zsh as the login shell?
No, Vuls needs a user on the server for bash login. see also #8 -
Windows
Use Microsoft Baseline Security Analyzer. MBSA
-
k1LoW/ssh_config_to_vuls_config
ssh_config to vuls config TOML format -
usiusi360/vulsrepo
VulsRepo is visualized based on the json report output in vuls.
Youtube
kotakanbe (@kotakanbe) created vuls and these fine people have contributed.
- fork a repository: github.com/future-architect/vuls to github.com/you/repo
- get original code: go get github.com/future-architect/vuls
- work on original code
- add remote to your repo: git remote add myfork https://github.com/you/repo.git
- push your changes: git push myfork
- create a new Pull Request
Please see CHANGELOG.
Please see LICENSE.