configtest
$ vuls configtest --help
configtest:
configtest
[-config=/path/to/config.toml]
[-log-dir=/path/to/log]
[-timeout=300]
[-debug]
[SERVER]...
-config string
/path/to/toml (default "/Users/kotakanbe/go/src/github.com/future-architect/vuls/config.toml")
-debug
debug mode
-http-proxy string
http://proxy-url:port (default: empty)
-log-dir string
/path/to/log (default "/var/log/vuls")
-timeout int
Timeout(Sec) (default 300)
configtestサブコマンドは、config.tomlで定義されたサーバ/コンテナに対してSSH可能かどうかをチェックする。
Dependencies
fast scan mode
| Distribution | Release | Requirements |
|---|---|---|
| Alpine | 3.2 and later | - |
| Ubuntu | 14, 16, 18, 20, 21, 22 | - |
| Debian | 7, 8, 9, 10, 11 | (reboot-notifier) |
| CentOS | 6, 7, 8, stream8, stream9 | - |
| AlmaLinux | 8, 9 | - |
| Rocky Linux | 8, 9 | - |
| Amazon | All | - |
| RHEL | 5, 6, 7, 8, 9 | - |
| Fedora | 32, 33, 34, 35 | - |
| Oracle Linux | 5, 6, 7 | - |
| openSUSE | tumbleweed | - |
| openSUSE Leap | 15.2, 15.3 | - |
| SUSE Enterprise | 11, 12, 15 | - |
| FreeBSD | 10, 11 | - |
| Raspbian | Jessie, Stretch, Buster | - |
fast-root scan mode
fast-rootのとき、configtestサブコマンドはスキャン対象のサーバにパッケージがインストールされていることと、/etc/sudoersを確認します。
| Distribution | Release | Requirements |
|---|---|---|
| Alpine | 3.2 and later | - |
| Ubuntu | 14, 16, 18, 20, 21, 22 | debian-goodies |
| Debian | 8, 9, 10, 11 | debian-goodies, reboot-notifier |
| CentOS | 6, 7, 8, stream8, stream9 | - |
| AlmaLinux | 8, 9 | - |
| Rocky Linux | 8, 9 | - |
| Amazon | All | - |
| RHEL | 6, 7 | - |
| RHEL | 8, 9 | lsof |
| Fedora | 32, 33, 34, 35 | - |
| Oracle Linux | 5, 6, 7 | - |
| openSUSE | tumbleweed | - |
| openSUSE Leap | 15.2, 15.3 | - |
| SUSE Enterprise | 11, 12, 15 | - |
| FreeBSD | 10, 11 | - |
| Raspbian | Jessie, Stretch, Buster | debian-goodies |
deep scan mode
fast-rootモードと同じです。
/etc/sudoers on Target Servers
configtestサブコマンドは、スキャン対象サーバのsudo設定を確認して、VulsがSSH越しにnopasswordでSUDOできるかも確認します。
if you got the below error, requiretty should be defined in /etc/sudoers.
stderr: sudo: sorry, you must have a tty to run sudo
Defaults:vuls !requiretty
/etc/sudoers
| Distribution | fast | fast-root | deep |
|---|---|---|---|
| Ubuntu 14, 16, 18, 20, 21, 22 | - | vuls ALL=(ALL) NOPASSWD:SETENV: /usr/bin/apt-get update, /usr/bin/stat *, /usr/sbin/checkrestart, /bin/ls -l /proc/*/exe, /bin/cat /proc/*/maps, /usr/bin/lsof -i -P -n | fast-rootと同じ |
| Debian 8, 9, 10, 11 | - | vuls ALL=(ALL) NOPASSWD:SETENV: /usr/bin/apt-get update, /usr/bin/stat *, /usr/sbin/checkrestart, /bin/ls -l /proc/*/exe, /bin/cat /proc/*/maps, /usr/bin/lsof -i -P -n | fast-rootと同じ |
| CentOS 6, 7, 8, stream8, stream9 | - | vuls ALL=(ALL) NOPASSWD:SETENV: /usr/bin/stat, /usr/bin/needs-restarting, /usr/bin/which, /bin/ls -l /proc/*/exe, /bin/cat /proc/*/maps, /usr/sbin/lsof -i -P -n | fast-rootと同じ |
| AlmaLinux 8, 9 | - | vuls ALL=(ALL) NOPASSWD:SETENV: /usr/bin/stat, /usr/bin/needs-restarting, /usr/bin/which, /bin/ls -l /proc/*/exe, /bin/cat /proc/*/maps, /usr/sbin/lsof -i -P -n | fast-rootと同じ |
| Rocky Linux 8 | - | vuls ALL=(ALL) NOPASSWD:SETENV: /usr/bin/stat, /usr/bin/needs-restarting, /usr/bin/which, /bin/ls -l /proc/*/exe, /bin/cat /proc/*/maps, /usr/sbin/lsof -i -P -n | fast-rootと同じ |
| Amazon Linux | - | vuls ALL=(ALL) NOPASSWD:SETENV: /usr/bin/stat, /usr/bin/needs-restarting, /usr/bin/which, /bin/ls -l /proc/*/exe, /bin/cat /proc/*/maps, /usr/sbin/lsof -i -P -n | fast-rootと同じ |
| Amazon Linux 2 | - | vuls ALL=(ALL) NOPASSWD:SETENV: /usr/bin/stat, /usr/bin/needs-restarting, /usr/bin/which, /bin/ls -l /proc/*/exe, /bin/cat /proc/*/maps, /usr/sbin/lsof -i -P -n | fast-rootと同じ |
| Amazon Linux 2022 | - | vuls ALL=(ALL) NOPASSWD:SETENV: /usr/bin/stat, /usr/bin/needs-restarting, /usr/bin/which, /bin/ls -l /proc/*/exe, /bin/cat /proc/*/maps, /usr/sbin/lsof -i -P -n | same as fast-root |
| Amazon Linux 2023 | - | vuls ALL=(ALL) NOPASSWD:SETENV: /usr/bin/stat, /usr/bin/needs-restarting, /usr/bin/which, /bin/ls -l /proc/*/exe, /bin/cat /proc/*/maps, /usr/sbin/lsof -i -P -n | same as fast-root |
| RHEL 6, 7, 8, 9 | - | vuls ALL=(ALL) NOPASSWD:SETENV: /usr/bin/stat, /usr/bin/needs-restarting, /usr/bin/which, /usr/bin/repoquery, /usr/bin/yum makecache --assumeyes, /bin/ls -l /proc/*/exe, /bin/cat /proc/*/maps, /usr/bin/lsof -i -P -n, /usr/sbin/lsof -i -P -n | same as fast-root |
| Oracle Linux 6, 7 | - | vuls ALL=(ALL) NOPASSWD:SETENV: /usr/bin/stat, /usr/bin/needs-restarting, /usr/bin/which, /usr/bin/repoquery, /usr/bin/yum makecache --assumeyes | same as fast-root |
| SUSE Enterprise 11, 12, 15 | - | vuls ALL=(ALL) NOPASSWD:SETENV: /usr/bin/which, /usr/bin/zypper ps, /usr/bin/which, /bin/ls -l /proc/*/exe, /bin/cat /proc/*/maps, /usr/bin/lsof -i -P -n, /usr/sbin/lsof -i -P -n | same as fast-root |
| FreeBSD 10 | - | - | - |
| Raspbian | - | vuls ALL=(ALL) NOPASSWD:SETENV: /usr/bin/apt-get update, /usr/bin/stat *, /usr/sbin/checkrestart, /bin/ls -l /proc/*/exe, /bin/cat /proc/*/maps, /usr/bin/lsof -i -P -n | same as fast-root |
If your server is behind a proxy, also add the following.
Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"