Edit

Tutorial - Scan using Docker

このチュートリアルでは、Docker-Vulsを用いてリモートホストの脆弱性をスキャンする方法を学びます。

チュートリアルの前に、setup vuls with Docker に従ってVulsを用意してください。

このチュートリアルは以下の流れで行います。

  1. NVDの取得 (vuls/go-cve-dictionary)
  2. OVALの取得 (vuls/goval-dictionary)
  3. GOSTの取得 (vuls/gost)
  4. go-exploitdbの取得 (vuls/exploitdb)
  5. 設定 (vuls/vuls)
  6. 設定のテスト (vuls/vuls)
  7. スキャン (vuls/vuls)
  8. vulsrepo (ishiDACo/vulsrepo)

Step0. ログディレクトリの準備

$ cd /path/to/working/dir
$ mkdir go-cve-dictionary-log goval-dictionary-log gost-log go-exploitdb-log

Step1. NVDの取得

go-cve-dictionary

kotakanbe/go-cve-dictioanry:README

$ for i in `seq 2002 $(date +"%Y")`; do \
    docker run --rm -it \
    -v $PWD:/vuls \
    -v $PWD/go-cve-dictionary-log:/var/log/vuls \
    vuls/go-cve-dictionary fetchnvd -years $i; \
  done

NVDではなく日本語のJVNを取得する場合は、READMEを見てください。

Step2. OVALの取得 (RedHatの例)

goval-dictionary

$ docker run --rm -it \
    -v $PWD:/vuls \
    -v $PWD/goval-dictionary-log:/var/log/vuls \
    vuls/goval-dictionary fetch-redhat 5 6 7

RedHat以外の他のOVALを取得する場合は、READMEを見てください。

Step3. GOSTの取得 (Go Security Tracker) (RedHat/CentOS か Debian)

gost (go-security-tracker)

$ docker run --rm -i \
    -v $PWD:/vuls \
    -v $PWD/gost-log:/var/log/gost \
    vuls/gost fetch redhat

Debianのデータを取得したいときは、 Gost README を確認してください。

Step3.5. go-exploitdb の取得

$ docker run --rm -i \
    -v $PWD:/vuls \
    -v $PWD/go-exploitdb-log:/var/log/go-exploitdb \
    vuls/go-exploitdb fetch exploitdb

より深いデータが欲しい場合は、thisを確認してください。

Step4. 設定

これを参考にしてconfig.tomlを作ってください。

[servers]

[servers.c74]
host         = "54.249.93.16"
port        = "22"
user        = "vuls-user"
keyPath     = "/root/.ssh/id_rsa" # path to ssh private key in docker

Step5. 設定のテスト

$ docker run --rm -it\
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    vuls/vuls configtest \
    -config=./config.toml # path to config.toml in docker

使い方: configtest

Step6. スキャン

$ docker run --rm -it \
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    -v /etc/localtime:/etc/localtime:ro \
    -e "TZ=Asia/Tokyo" \
    vuls/vuls scan \
    -config=./config.toml # path to config.toml in docker

もしDockerのホストがDebianかUbuntuのときは、

$ docker run --rm -it \
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    -v /etc/localtime:/etc/localtime:ro \
    -v /etc/timezone:/etc/timezone:ro \
    vuls/vuls scan \
    -config=./config.toml # path to config.toml in docker

使い方: Scan

Step7. レポート

config.toml

[cveDict]
type = "sqlite3"
SQLite3Path = "/path/to/cve.sqlite3"

[ovalDict]
type = "sqlite3"
SQLite3Path = "/path/to/oval.sqlite3"

[gost]
type = "sqlite3"
SQLite3Path = "/path/to/gost.sqlite3"

[exploit]
type = "sqlite3"
SQLite3Path = "/path/to/go-exploitdb.sqlite3"

$ docker run --rm -it \
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    -v /etc/localtime:/etc/localtime:ro \
    vuls/vuls report \
    -format-list \
    -config=./config.toml # path to config.toml in docker

使い方: Report

スキャン結果を見るために、TUI(Terminal-Based User Interface) が使えます。

$ docker run --rm -it \
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    -v /etc/localtime:/etc/localtime:ro \
    vuls/vuls tui \
    -config=./config.toml # path to config.toml in docker

Vuls-TUI

Step8. スキャン結果の表示

$docker run -dt \
    -v $PWD:/vuls \
    -p 5111:5111 \
    ishiDACo/vulsrepo

VulsRepo

HTTP-Server mode

もしgo-cve-dictionaryとgoval-dictionaryをサーバモードで起動したい場合は、以下のようにしてコンテナを実行してください。

go-cve

$ docker run -dt \
    --name go-cve-dictionary \
    -v $PWD:/vuls \
    -v $PWD/go-cve-dictionary-log:/var/log/vuls \
    --expose 1323 \
    -p 1323:1323 \
    vuls/go-cve-dictionary server --bind=0.0.0.0

goval

$ docker run -dt \
    --name goval-dictionary \
    -v $PWD:/vuls \
    -v $PWD/goval-dictionary-log:/var/log/vuls \
    --expose 1324 \
    -p 1324:1324 \
    vuls/goval-dictionary server --bind=0.0.0.0

gost

$ docker run -dt \
    --name gost \
    -v $PWD:/vuls \
    -v $PWD/gost-log:/var/log/gost \
    --expose 1325 \
    -p 1325:1325 \
    vuls/gost server --bind=0.0.0.0

レポート

[cveDict]
type = "http"
url = "http://hostname:1323"

[ovalDict]
type = "http"
url = "http://hostname:1324"

[gost]
type = "http"
url = "http://hostname:1325"

[exploit]
type = "http"
url = "http://hostname:1326"

$ docker run --rm -it \
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    vuls/vuls report  \
    -config=./config.toml

MySQL5.7以上を使うとき

もしデータの取得中に以下のようなエラーが出た場合は、 sql_modeを定義してください。

Error 1292: Incorrect datetime value: '0000-00-00' for column 'issued' at row 1

https://github.com/kotakanbe/goval-dictionary/issues/45 を参照してください。

$ docker run --name mysql -p 3306:3306 -e MYSQL_ROOT_PASSWORD=chHUIDCUAUaidfhasuadasuda  -d mysql:8 --sql-mode="" --default-authentication-plugin=mysql_native_password
4e4440bbbcb556cf949c2ffcda15afe6ee7139752c08de8b1e4def47adde24ea

$ docker exec -it mysql bash               
[email protected]:/# mysql -uroot -h127.0.0.1 -pchHUIDCUAUaidfhasuadasuda
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.12 MySQL Community Server - GPL

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select @@GLOBAL.sql_mode;
+-------------------+
| @@GLOBAL.sql_mode |
+-------------------+
|                   |
+-------------------+
1 row in set (0.00 sec)

mysql> create database oval;
Query OK, 1 row affected (0.08 sec)

mysql> exit
Bye
[email protected]:/# exit
exit

bash-3.2$ go build && ./goval-dictionary fetch-ubuntu -dbtype mysql -dbpath "root:[email protected](127.0.0.1:3306)/oval?parseTime=true" 18
INFO[08-21|21:41:58] Fetching...                              URL=https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml


INFO[08-21|21:47:56] Fetched...                               URL=https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml
INFO[08-21|21:47:56] Finished fetching OVAL definitions
INFO[08-21|21:47:56] Fetched                                  URL=https://people.canonical.com/~ubuntu-security/oval/com.ubuntu.bionic.cve.oval.xml OVAL definitions=6319
INFO[08-21|21:47:56] Refreshing...                            Family=ubuntu Version=18


bash-3.2$ go build && ./goval-dictionary fetch-debian -dbtype mysql -dbpath "root:[email protected](127.0.0.1:3306)/oval?parseTime=true" 9
INFO[08-21|21:49:43] Fetching...                              URL=https://www.debian.org/security/oval/oval-definitions-stretch.xml
INFO[08-21|21:50:14] Fetched...                               URL=https://www.debian.org/security/oval/oval-definitions-stretch.xml
INFO[08-21|21:50:14] Finished fetching OVAL definitions
INFO[08-21|21:50:16] Fetched                                  URL=https://www.debian.org/security/oval/oval-definitions-stretch.xml OVAL definitions=17946
INFO[08-21|21:50:16] Refreshing...                            Family=debian Version=9
Remote Scan ModeScan Docker Image