Tips
go get fails
Update git to the latest version. Older versions of git cannot fetch the repository.
Is an HTTP proxy supported?
In a proxied environment, pass the --http-proxy option.
How do I run go-cve-dictionary as a daemon?
Use systemd, upstart, supervisord, daemontools or a similar supervisor.
How do I update the vulnerability data automatically?
Use a job scheduler such as cron (together with the -last2y option).
How do I automate scanning?
Use cron or a similar scheduler, and make sudo and the private key usable without a password so the job can run unattended:
- set NOPASSWD for the scan user in /etc/sudoers on the target server
- use public-key authentication with a passphrase-less private key, or use ssh-agent
How do I scan without SSH host-key verification?
StrictHostKeyChecking no
Write the line above into the config file used for the SSH connection. Then set sshConfigPath in config.toml
to the path of the config file that ssh uses. See the server settings section and #1005.
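As an added example covering the two tips above (daemonizing go-cve-dictionary and refreshing its data from cron) and the open-file-limit tip further down, here is a hypothetical POSIX sh installer that renders a systemd unit and an /etc/cron.d entry. It is not part of go-cve-dictionary or Vuls; the binary path, database path, service user and the `fetchnvd -last2y -dbpath` invocation are assumptions to check against the installed version.

```shell
#!/bin/sh
# Hypothetical installer for running go-cve-dictionary under systemd and refreshing
# its database from cron. Added example; not part of go-cve-dictionary or Vuls.
# Binary path, database path, service user and the "fetchnvd -last2y -dbpath"
# invocation are assumptions to check against the installed version.
set -u

BIN="${BIN:-/usr/local/bin/go-cve-dictionary}"
DBPATH="${DBPATH:-/var/lib/vuls/cve.sqlite3}"
SVC_USER="${SVC_USER:-vuls}"

# Render a systemd unit for the HTTP server. LimitNOFILE sets the open-file
# limit for the service itself (a shell "ulimit -n" does not carry over into
# systemd). Non-numeric limits are rejected with status 2 before any output.
render_unit() {
  nofile="$1"
  case "$nofile" in ''|*[!0-9]*) return 2 ;; esac
  dbdir=$(dirname "$DBPATH")
  cat <<EOF
[Unit]
Description=go-cve-dictionary HTTP server
After=network.target

[Service]
User=$SVC_USER
ExecStart=$BIN server -dbpath $DBPATH
Restart=on-failure
LimitNOFILE=$nofile
# Hardening: no privilege escalation, read-only filesystem except the DB directory.
NoNewPrivileges=yes
ProtectSystem=strict
ReadWritePaths=$dbdir

[Install]
WantedBy=multi-user.target
EOF
}

# Render an /etc/cron.d entry (user field included) that refetches the last two
# years of NVD data every night at 02:00 and keeps the output for troubleshooting.
render_cron() {
  printf '0 2 * * * %s %s fetchnvd -last2y -dbpath %s >>/var/log/vuls/cve-fetch.log 2>&1\n' \
    "$SVC_USER" "$BIN" "$DBPATH"
}

# Write both files and enable the service. Run as root:
#   sh install-cve-dictionary.sh install 65536
install_all() {
  render_unit "$1" > /etc/systemd/system/go-cve-dictionary.service || return $?
  render_cron > /etc/cron.d/go-cve-dictionary
  systemctl daemon-reload && systemctl enable --now go-cve-dictionary.service
}

case "${1:-}" in
  install) install_all "${2:-65536}" ;;
esac
```

The unit keeps the limit in one reviewable place and the cron line runs the fetch as the service user rather than root, so the SQLite file stays owned by one account.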
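As an added example of the automation tip above (not part of Vuls), here is a hypothetical cron wrapper in POSIX sh. It reuses a long-lived ssh-agent so the private key can keep its passphrase, refuses to run when no usable agent or identity is present, and only then calls vuls. The /opt/vuls layout, the agent environment file and the report flags are assumptions.

```shell
#!/bin/sh
# vuls-cron.sh: hypothetical wrapper for unattended Vuls scans (added example,
# not part of Vuls). Invoked from cron as "vuls-cron.sh run", e.g. (constructed):
#   0 3 * * *  /opt/vuls/vuls-cron.sh run >>/opt/vuls/log/cron.log 2>&1
# Prerequisites from the tips above:
#   on each target host, in /etc/sudoers (edit with visudo):
#     vuls ALL=(ALL) NOPASSWD:ALL
#   on the scanner host, once per boot, an agent whose environment is saved to a file:
#     ssh-agent -s > /opt/vuls/.ssh-agent.env && . /opt/vuls/.ssh-agent.env && ssh-add ~/.ssh/id_rsa
set -u

VULS_HOME="${VULS_HOME:-/opt/vuls}"
AGENT_ENV="${AGENT_ENV:-$VULS_HOME/.ssh-agent.env}"

# Source a saved ssh-agent environment file and check that its socket is alive.
# Returns 0 when SSH_AUTH_SOCK names an existing unix socket, 1 otherwise.
# (Sourcing exports SSH_AUTH_SOCK into this shell, which is what ssh needs.)
agent_usable() {
  env_file="$1"
  [ -r "$env_file" ] || return 1
  # shellcheck disable=SC1090
  . "$env_file" >/dev/null
  [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# ssh-add -l exits 0 when identities are loaded, 1 when none, 2 when no agent.
have_identity() {
  ssh-add -l >/dev/null 2>&1
}

# Scan, then produce the one-line summary. The report flags are assumed to match
# the installed Vuls version.
run_scan() {
  cd "$VULS_HOME" || return 1
  vuls scan -config="$VULS_HOME/config.toml" -log-dir="$VULS_HOME/log" || return 1
  vuls report -config="$VULS_HOME/config.toml" -format-one-line-text
}

main() {
  if ! agent_usable "$AGENT_ENV"; then
    echo "vuls-cron: no usable ssh-agent in $AGENT_ENV; run ssh-add interactively after boot" >&2
    exit 1
  fi
  if ! have_identity; then
    echo "vuls-cron: ssh-agent has no identities loaded" >&2
    exit 1
  fi
  run_scan
}

case "${1:-}" in
  run) main ;;
esac
```

Failing fast when the agent is missing turns a silent "asked for a passphrase nobody can type" hang into a logged, non-zero cron run, which is the thing you actually want to alert on.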
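The tip above disables host-key verification, which also removes the only check that the host you are handing sudo commands to is the one you expect. As an added example (not part of Vuls), here is a hypothetical POSIX sh helper that renders either that setting or the safer alternative, a pinned known_hosts file, together with the config.toml stanza naming sshConfigPath. File locations are assumptions; sshConfigPath is the key named in the tip.

```shell
#!/bin/sh
# Hypothetical helper that writes a dedicated ssh_config for Vuls and prints the
# matching config.toml stanza. Added example; not part of Vuls. File locations
# are assumptions; sshConfigPath is the key named in the tip.
# Usage: sh vuls-sshconf.sh write /opt/vuls pin     (or "off")
set -u

# Emit an ssh_config. Mode "pin" keeps host-key verification on and reads keys
# from a known_hosts file you fill once, checking the fingerprints out of band:
#   ssh-keyscan target1 target2 >> /opt/vuls/known_hosts
# Mode "off" is the tip above: StrictHostKeyChecking no accepts any host key,
# so a spoofed or re-keyed target is connected to without complaint.
# Unknown modes return status 2 before printing anything.
render_ssh_config() {
  mode="$1"; dir="$2"
  case "$mode" in pin|off) ;; *) return 2 ;; esac
  printf 'Host *\n'
  if [ "$mode" = pin ]; then
    printf '    StrictHostKeyChecking yes\n    UserKnownHostsFile %s/known_hosts\n' "$dir"
  else
    printf '    StrictHostKeyChecking no\n'
  fi
}

# Emit the config.toml stanza that points Vuls at that file. Placing it under
# [default] (applied to every server) is an assumption; the tip refers to the
# server section of the docs for where the key may be set.
render_toml() {
  printf '[default]\nsshConfigPath = "%s/ssh_config"\n' "$1"
}

# Report whether HOST already has a plain-text entry in a known_hosts file
# (hashed entries written with "ssh-keyscan -H" need "ssh-keygen -F HOST -f FILE").
host_pinned() {
  host="$1"; file="$2"
  [ -r "$file" ] && grep -q "^$host[, ]" "$file"
}

# Write the ssh_config and show the stanza to merge into config.toml.
write_files() {
  dir="$1"; mode="$2"
  mkdir -p "$dir"
  render_ssh_config "$mode" "$dir" > "$dir/ssh_config" || return $?
  chmod 600 "$dir/ssh_config"
  echo "Add to $dir/config.toml:"
  render_toml "$dir"
}

case "${1:-}" in
  write) write_files "$2" "${3:-pin}" ;;
esac
```

A dedicated known_hosts file under the Vuls directory keeps the scanner's pins separate from whatever the operator's own ~/.ssh/known_hosts accumulates, and host_pinned gives a cheap pre-flight check before a scan fails on an unknown host.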
How to scan with an SSH key that has a passphrase
Vuls calls ssh many times, so you will be asked for the passphrase again and again while it scans. If you need to scan a server with a passphrase-protected SSH key, we recommend using ssh-agent. Specifically, load the key into ssh-agent beforehand, like below.
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for ~/.ssh/id_rsa:
Identity added: ~/.ssh/id_rsa (~/.ssh/id_rsa)
$ vuls scan ubuntu
... snip ...
One Line Summary
================
ubuntu ubuntu16.04 30 updatable packages
If you run Vuls in a Docker container, do the following instead.
Scan in Docker container
If you need to scan a server with a passphrase-protected SSH key, use 1. or 2. below.
1. Use ssh-agent in the container
$ pwd
/home/vuls/vulsctl/docker
$ docker run -it \
-v $HOME/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
--entrypoint="/bin/ash" \
vuls/vuls
/vuls # eval `ssh-agent`
/vuls # ssh-add /root/.ssh/id_rsa
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
/vuls # vuls scan -log-dir=/vuls/log -config=/vuls/config.toml
Or you can do it as a one-liner like this.
$ docker run -it \
-v $HOME/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
--entrypoint="/bin/ash" \
vuls/vuls \
-c "eval \`ssh-agent\` && ssh-add /root/.ssh/id_rsa && vuls scan -log-dir=/vuls/log -config=/vuls/config.toml"
2. Use ssh-agent in host machine and share it with the container
$ pwd
/home/vuls/vulsctl/docker
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /Users/***/.ssh/id_rsa:
Identity added: /Users/***/.ssh/id_rsa (/Users/***/.ssh/id_rsa)
$ docker run -it \
-v $HOME/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK \
-e SSH_AUTH_SOCK=$SSH_AUTH_SOCK \
vuls/vuls scan \
-log-dir=/vuls/log \
-config=/vuls/config.toml
If you use Docker for Mac, use this instead.
$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /Users/***/.ssh/id_rsa:
Identity added: /Users/***/.ssh/id_rsa (/Users/***/.ssh/id_rsa)
$ docker run -it \
-v $HOME/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
-v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock \
-e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock \
vuls/vuls scan \
-log-dir=/vuls/log \
-config=/vuls/config.toml
How to cross compile
$ cd /path/to/your/local-git-repository/vuls
$ GOOS=linux GOARCH=amd64 go build -o vuls.amd64 ./cmd/vuls
Logging
Logs are written under /var/log/vuls/
Debug
Run with the --debug and --sql-debug options.
Adjusting Open File Limit
The Riak docs on this topic are awesome.
Does Vuls accept SSH connections with fish-shell or an old zsh as the login shell?
No, Vuls needs a user on the server with a bash login shell.
Update: yes, fixed in #545