Is your server really secure? Try using Vuls, the most popular vulnerability detection tool.
Introduction
As a server administrator, security is a constant headache, and it is often unclear what actually needs doing. Vulnerability information such as CVEs arrives every day, but it is hard to tell which servers are affected, which vulnerabilities must be dealt with immediately, and which can wait.
In practice, I suspect many people only respond urgently to the vulnerabilities that make headlines.
That is where Vuls comes in.
By collecting the installed-package information from each server, it can detect which vulnerabilities are present on which server and how severe they are.
This post introduces Vuls.
A few words about Vuls
- Official Document: Vuls Official Document
- GitHub: vuls
Vuls is a vulnerability detection tool written in Go. The name stands for VULnerability Scanner.
The good things about vuls
- Written in Go, so it builds to a single binary that can be dropped onto any server
- Detection results can be sent by Slack or email, and browsed in a TUI (Text User Interface)
- Agentless; the whole configuration is a single file
How it works
- Get CVE information using go-cve-dictionary.
- Use goval-dictionary to get OVAL information.
- Use gost to get security-tracker information for Red Hat and Debian packages.
- Use go-exploitdb to get exploit information.
- Store each of the data sets above in SQLite.
- Scan the target server with vuls (over SSH) to collect its installed-package information.
- Match the collected package versions against the CVE and OVAL data.
- Save the discovered vulnerability information as JSON.
- Notify the vulnerability information via Slack or email.
- Browse the saved results in the TUI.
More detail is in the Vuls documentation.
Try using it
The official documentation is thorough; if you follow it step by step there should be no problem.
Execution environment information
- vuls host: Ubuntu 18.04
- Vulnerability scan target server: linux server (old CentOS)
Environment preparation
- Create log directory
sudo mkdir /var/log/vuls
sudo chown test_user /var/log/vuls
sudo chmod 700 /var/log/vuls
- Create a working directory for vuls
mkdir vuls
cd vuls
- Install Golang
Description omitted
Initial setup
go-cve-dictionary
- go-cve-dictionary setup: See README
- Acquisition and storage of CVE information
for i in `seq 2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -years $i; done
goval-dictionary
- goval-dictionary setup: See README
- Acquisition and storage of OVAL information (here and below, only the data for the distributions that will actually be scanned needs to be fetched)
goval-dictionary fetch-redhat 5 6 7
goval-dictionary fetch-debian 7 8 9 10
goval-dictionary fetch-ubuntu 12 14 16 18
gost
- gost setup: See README
- Acquisition and storage of gost information (again, only for the distributions that will be scanned)
gost fetch redhat --after 2018-01-01
go-exploitdb
- go-exploitdb setup: See README
- Acquisition and storage of exploit information
go-exploitdb fetch
Run Vuls
- Setting up Vuls itself: see the documentation
- vuls installation
mkdir -p $GOPATH/src/github.com/future-architect
cd $GOPATH/src/github.com/future-architect
git clone https://github.com/future-architect/vuls.git
cd vuls
make install
make install builds and installs the binary with everything it needs, so that is all that is required.
- config file settings
config.toml
[servers]
[servers.10-21-21-4]
host = "10.21.21.4"
port = "22"
user = "ec2-user"
keyPath = "/Users/matsunosadayuki/.ssh/vuls-dev.pem"
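The snippet above is the minimum: one server reachable over SSH with a key. As an added example (not configuration from the original post or from the Vuls project), the config.toml below shows the shape a practitioner usually ends up with: defaults shared by all servers, per-server overrides, a CPE entry for software installed outside the package manager, and the Slack and email notification tables that deliver the reports mentioned earlier. Hostnames, addresses, paths, the hook URL and the credentials are placeholders; check the key names against the documentation for the Vuls version you run.

```toml
# Added example config.toml (placeholders throughout; not from the original page).

[default]
port = "22"
user = "vuls-scan"                                # unprivileged account used only for scanning
keyPath = "/home/vuls/.ssh/vuls_scan_ed25519"     # private key of that account
scanMode = ["fast"]                               # fast mode only lists packages, no root needed

[servers]

[servers.web-01]
host = "192.0.2.10"                               # RFC 5737 documentation address

[servers.db-01]
host = "192.0.2.20"
user = "ec2-user"                                 # per-server override of [default]
# Software not managed by yum/apt is matched against the NVD by CPE name instead.
cpeNames = [
  "cpe:/a:oracle:mysql:5.7.26",
]

[slack]
hookURL = "https://hooks.slack.com/services/XXXX/YYYY/ZZZZ"   # placeholder, keep out of git
channel = "#vuls"
authUser = "vuls"
notifyUsers = ["@oncall"]

[email]
smtpAddr = "smtp.example.com"
smtpPort = "587"
user = "vuls@example.com"
password = "change-me"                            # placeholder
from = "vuls@example.com"
to = ["security@example.com"]
subjectPrefix = "[vuls]"
```

Two points worth keeping in mind: the scanning account needs only enough rights to list installed packages in fast mode, so give it a dedicated key and no sudo; and because the file carries a webhook URL and an SMTP password, treat it as a secret rather than committing it alongside the scan results.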
- report (after running the scan)
vuls report -format-one-line-text
One Line Summary
================
172-31-4-82 Total: 94 (High:19 Medium:54 Low:7 ?:14) 103 updatable packages
94 CVEs were detected on this server, broken down by CVSS severity (High/Medium/Low; "?" counts CVEs with no score), and 103 installed packages have updates available.
- Vulnerability information check
The scan result json file is saved under results in the executed location.
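The one-line summary is handy, but for deciding what to patch first you want the per-CVE detail in that JSON. The script below is an added example (not code from the post or from the Vuls project): it reads one results file, takes the best available CVSS score across the sources Vuls recorded, moves CVEs with a known public exploit (from go-exploitdb) to the top, flags packages the distribution has not fixed yet, and returns an exit status a CI job can gate on. The field names are my reading of the Vuls results schema and are an assumption to verify against a results file from your own version; the sample result embedded in the script is constructed, with placeholder CVE IDs.

```python
"""Triage a Vuls results JSON file (added example, not Vuls project code).

Vuls writes results/<timestamp>/<server>.json after `vuls scan`. Field names
below are an assumption about that schema; verify them against your own file:
  result["scannedCves"]       CVE ID -> record
  record["cveContents"]       source ("nvd", "redhat", ...) -> cvss2Score/cvss3Score
  record["affectedPackages"]  [{"name": ..., "notFixedYet": bool}]
  record["exploits"]          go-exploitdb hits (absent when there are none)
"""
import json
import sys
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Finding:
    cve_id: str
    score: float                     # best CVSS score across sources, -1 if unscored
    packages: List[str] = field(default_factory=list)
    not_fixed_yet: bool = False      # distro has not shipped a fixed package yet
    exploit_available: bool = False  # go-exploitdb knows a public exploit


def severity(score: float) -> str:
    """Bucket a score like the one-line summary: High / Medium / Low / ? (unscored)."""
    if score < 0:
        return "?"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def best_score(cve: dict) -> float:
    """Highest CVSS v3 over all sources; fall back to v2; -1 when nobody scored it."""
    contents = cve.get("cveContents", {}).values()
    top3 = max((c.get("cvss3Score", 0) for c in contents), default=0)
    top2 = max((c.get("cvss2Score", 0) for c in contents), default=0)
    if top3 > 0:
        return float(top3)
    if top2 > 0:
        return float(top2)
    return -1.0


def triage(result: dict) -> List[Finding]:
    """Order to work through: public exploit first, then highest score."""
    findings = []
    for cve_id, cve in result.get("scannedCves", {}).items():
        pkgs = cve.get("affectedPackages", [])
        findings.append(Finding(
            cve_id=cve_id,
            score=best_score(cve),
            packages=[p["name"] for p in pkgs],
            not_fixed_yet=any(p.get("notFixedYet", False) for p in pkgs),
            exploit_available=bool(cve.get("exploits")),
        ))
    findings.sort(key=lambda f: (f.exploit_available, f.score), reverse=True)
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts per severity, same buckets as `vuls report -format-one-line-text`."""
    counts = {"High": 0, "Medium": 0, "Low": 0, "?": 0}
    for f in findings:
        counts[severity(f.score)] += 1
    return counts


def gate(findings: List[Finding], max_high: int = 0) -> int:
    """1 (fail) if a fixable CVE has a public exploit, or High count exceeds max_high."""
    highs = sum(1 for f in findings if severity(f.score) == "High")
    exploitable = any(f.exploit_available and not f.not_fixed_yet for f in findings)
    return 1 if exploitable or highs > max_high else 0


# Constructed sample in the shape of a results file; CVE IDs are placeholders.
SAMPLE_RESULT = {
    "serverName": "10-21-21-4", "family": "centos", "release": "6.10",
    "scannedCves": {
        "CVE-0000-0001": {"affectedPackages": [{"name": "curl", "notFixedYet": False}],
                          "cveContents": {"nvd": {"cvss2Score": 5.0, "cvss3Score": 7.5}},
                          "exploits": [{"id": "0", "url": "https://example.invalid/0"}]},
        "CVE-0000-0002": {"affectedPackages": [{"name": "kernel", "notFixedYet": True}],
                          "cveContents": {"nvd": {"cvss3Score": 9.8}, "redhat": {"cvss3Score": 8.8}}},
        "CVE-0000-0003": {"affectedPackages": [{"name": "bash", "notFixedYet": False}],
                          "cveContents": {"nvd": {"cvss2Score": 3.5}}},
        "CVE-0000-0004": {"affectedPackages": [{"name": "openssl", "notFixedYet": False}],
                          "cveContents": {}},
    },
}


def report(result: dict) -> int:
    """Print the ranked list and the severity counts; return the gate status."""
    findings = triage(result)
    for f in findings:
        flags = ("EXPLOIT " if f.exploit_available else "") + ("NOT-FIXED-YET" if f.not_fixed_yet else "")
        print(f"{f.cve_id:16} {severity(f.score):6} {f.score:5.1f} {','.join(f.packages):20} {flags}")
    print(result.get("serverName", "?"), summary(findings))
    return gate(findings)


if __name__ == "__main__":
    # usage: python triage.py results/<timestamp>/<server>.json   (no argument: run on the sample)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RESULT
    sys.exit(report(data))
```

Sorting exploit-known CVEs ahead of merely high-scoring ones reflects how attackers actually pick targets; the `notFixedYet` flag matters because a `yum update` cannot remove those findings, so they need a mitigation rather than a patch run.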
- tui
vuls tui
Hard to describe how satisfying this is: every detected CVE, with its affected packages and details, can be browsed interactively.
Execute yum update on the target server
- Manual update
I updated the target to see how many of the vulnerabilities would go away.
ssh test-user@10.21.21.4
sudo yum update
Rescan with Vuls
- Scan
INFO [0000] Start scanning (config: /Users/admin/vuls/config.toml)
[Sept 28 14:22:49] INFO [localhost] Validating Config ...
[Sept 28 14:22:49] INFO [localhost] Detecting the type of OS ...
[Sept 28 14:22:50] INFO [localhost] (1/1) Successfully detected. 10-21-21-4:
[Sept 28 14:22:50] INFO [localhost] Scanning vulnerabilities ...
[Sept 28 14:22:50] INFO [localhost] Check required packages for scanning ...
[Sept 28 14:22:50] INFO [localhost] Scanning vulnerable OS packages ...
[Sept 28 14:22:55] INFO [10-21-21-4: 22] Fetching CVE details ...
[Sept 28 14:22:55] INFO [10-21-21-4: 22] Done
[Sept 28 14:22:55] INFO [localhost] Scanning vulnerable software specified in the CPE ...
[Sept 28 14:22:55] INFO [localhost] Reporting ...
10-21-21-4
==============================
No unsecure packages.
"No unsecure packages": the update closed everything Vuls could detect. Keep in mind what that covers: packages known to the package manager (plus any software registered by CPE name), checked against the dictionaries fetched at the time, so keep the dictionaries updated and rescan regularly.
- docker
Vuls also ships as a Docker image, so if the setup above is a hassle, try it with Docker. The command below mounts your SSH keys read-only and the current directory as /vuls, which is where the config file and the dictionary databases built earlier need to be reachable from inside the container.
$ docker run --rm -it \
-v ~/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
-v $PWD/vuls-log:/var/log/vuls \
-v /etc/localtime:/etc/localtime:ro \
vuls/vuls scan \
-config=./config.toml
Finally
Vuls is a simple and very useful tool. With it you can see which server has which vulnerability and how severe it is. Once you run it, its simplicity and usefulness are obvious.
Why don’t you take this opportunity to scan for vulnerabilities?