Vuls is an open-source vulnerability scanner. It automates security vulnerability checks on the software installed on a system.
Vuls comes with an agent-less architecture, meaning that it uses SSH to scan remote hosts.
Vuls checks the vulnerability information sources listed in the official documentation; see: https://github.com/future-architect/vuls#high-quality-scan
How to install
We will install Vuls on an AWS EC2 instance running Amazon Linux 2.
Log on to the EC2 instance as ec2-user.
$ sudo yum -y install docker git
$ sudo usermod -aG docker ec2-user
$ cd /home/ec2-user/
$ git clone https://github.com/vulsio/vulsctl.git
# log out and log in to the instance again so that the docker group membership takes effect.
$ sudo systemctl start docker
$ cd vulsctl && ./update-all.sh
# it takes about 20-30 minutes.
Preparation
After Vuls is installed, we prepare the configuration file.
$ cp -p config.toml.template config.toml
$ vim config.toml
Specify the default section.
Note that even if your SSH key is at /home/ec2-user/.ssh/id_rsa, you have to write keyPath as shown below,
because Vuls runs in a Docker container and the SSH key is mounted at "/root/.ssh/id_rsa" inside the container.
[default]
port = "22"
user = "ec2-user"
keyPath = "/root/.ssh/id_rsa"
scanMode = ["fast"]
Then write the hostname or IP address of each server you want to scan.
[servers.name]
host = "10.10.1.251"
If you want to scan the local host, specify the IP address allocated to a network interface instead of "127.0.0.1", because "127.0.0.1" inside the container does not reach the host.
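As an added example (not part of the original post or of Vuls), a small pre-flight check for config.toml that catches the two mistakes just described before ./scan.sh is run: a keyPath other than the in-container path /root/.ssh/id_rsa, and a server host of 127.0.0.1. The file layout and sample values are constructed to match the config above.

```shell
# Returns 0 when config.toml passes both checks, 1 otherwise.
check_vuls_config() {
    cfg="$1"
    rc=0
    # first keyPath = "..." value; TOML strings are quoted, so split on the quotes
    keypath=$(awk -F'"' '/^[[:space:]]*keyPath[[:space:]]*=/ { print $2; exit }' "$cfg")
    if [ "$keypath" != "/root/.ssh/id_rsa" ]; then
        echo "keyPath is '$keypath'; inside the vuls container the key is mounted at /root/.ssh/id_rsa" >&2
        rc=1
    fi
    # number of host = "..." entries, and how many of them point at loopback
    hosts=$(awk -F'"' '/^[[:space:]]*host[[:space:]]*=/ { n++ } END { print n+0 }' "$cfg")
    loopback=$(awk -F'"' '/^[[:space:]]*host[[:space:]]*=/ && $2 == "127.0.0.1" { n++ } END { print n+0 }' "$cfg")
    if [ "$hosts" -eq 0 ]; then
        echo "no [servers.*] host entries found in $cfg" >&2
        rc=1
    fi
    if [ "$loopback" -gt 0 ]; then
        echo "$loopback host entry(ies) use 127.0.0.1; use the address of a real interface instead" >&2
        rc=1
    fi
    return "$rc"
}

# Writes a constructed config.toml (same layout as above) to $1,
# with keyPath $2 and scan target host $3. Sample values only.
write_sample_config() {
    cat > "$1" <<EOF
[default]
port = "22"
user = "ec2-user"
keyPath = "$2"
scanMode = ["fast"]

[servers.name]
host = "$3"
EOF
}

# Stand-alone demo: one good config and one with both mistakes.
write_sample_config /tmp/vuls-good.toml /root/.ssh/id_rsa 10.10.1.251
write_sample_config /tmp/vuls-bad.toml /home/ec2-user/.ssh/id_rsa 127.0.0.1
check_vuls_config /tmp/vuls-good.toml && echo "good config: OK"
check_vuls_config /tmp/vuls-bad.toml || echo "bad config: rejected"
```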
Setting SSH keys
You have to register your public key on the scanned servers and add their host keys to your local known_hosts. To do this, log on to each server once, or use the following commands.
Generate a key pair locally.
$ ssh-keygen -t rsa -b 4096
Register a locally generated public key to the target host to be scanned.
$ ssh-copy-id ${USER}@${target_host}
Add the target host in local known_hosts file.
$ ssh-keyscan ${target_host} >> ~/.ssh/known_hosts
Scanning
Just execute the following shell script.
$ ./scan.sh -vvv
Using default tag: latest
latest: Pulling from vuls/vuls
Digest: sha256:e39edb92833e7d6f6490620e11221f1a456ca2dec4f5f3ab1c15e12c75ecdcbb
Status: Image is up to date for vuls/vuls:latest
docker.io/vuls/vuls:latest
[Jul 11 10:39:44] INFO [localhost] Validating config...
[Jul 11 10:39:44] INFO [localhost] Detecting Server/Container OS...
[Jul 11 10:39:44] INFO [localhost] Detecting OS of servers...
[Jul 11 10:39:47] INFO [localhost] (1/1) Detected: name: amazon 2 (Karoo)
[Jul 11 10:39:47] INFO [localhost] Detecting OS of containers...
[Jul 11 10:39:47] INFO [localhost] Checking Scan Modes...
[Jul 11 10:39:47] INFO [localhost] Checking dependencies...
...(snip)...
[Jul 11 10:39:52] INFO [localhost] Scanning vulnerabilities...
[Jul 11 10:39:52] INFO [localhost] Scanning vulnerable OS packages...
[Jul 11 10:39:52] INFO [name] Scanning in fast mode
One Line Summary
================
name amazon2 (Karoo) 451 installed, 16 updatable
To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
You can see the scan result on the command line.
$ ./report.sh
Using default tag: latest
latest: Pulling from vuls/vuls
...(snip)...
name (amazon2 (Karoo))
======================
Total: 10 (High:3 Medium:4 Low:3 ?:0), 10/10 Fixed, 451 installed, 16 updatable, 0 exploits, 0 modules, en: 0, ja: 2 alerts
+----------------+------+--------+-----+--------+---------+-------------------------------------------------+
| CVE-ID | CVSS | ATTACK | POC | CERT | FIXED | NVD |
+----------------+------+--------+-----+--------+---------+-------------------------------------------------+
| CVE-2018-20060 | 9.8 | AV:N | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-20060 |
| CVE-2019-17041 | 9.8 | AV:N | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-17041 |
| CVE-2019-17042 | 9.8 | AV:N | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-17042 |
| CVE-2019-6477 | 7.8 | AV:N | | JPCERT | fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-6477 |
| CVE-2020-12762 | 7.8 | AV:L | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-12762 |
| CVE-2018-5745 | 7.5 | AV:N | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-5745 |
| CVE-2019-6465 | 7.5 | AV:N | | JPCERT | fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-6465 |
| CVE-2020-0543 | 6.5 | AV:L | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-0543 |
| CVE-2020-0549 | 6.5 | AV:L | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-0549 |
| CVE-2020-0548 | 5.5 | AV:L | | | fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-0548 |
+----------------+------+--------+-----+--------+---------+-------------------------------------------------+
The report files are generated in the directory named "results". Note that the report files and the directory are created as root. If you want to access the files as ec2-user, change the ownership of the directory.
$ sudo chown -R ec2-user:ec2-user results/
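As an added example (not from the original post or from Vuls), a small triage helper for the table that ./report.sh prints: it lists the CVE-IDs at or above a CVSS threshold whose attack vector is network (AV:N), so the findings reachable from the network are reviewed first. The sample table is constructed from rows shown above.

```shell
# Usage: triage_report THRESHOLD < report.txt
# Prints "CVE-ID score" for each row with CVSS >= THRESHOLD and ATTACK == AV:N.
triage_report() {
    awk -F'|' -v thr="$1" '
        # data rows start with "| CVE-"; trim the spaces around every cell
        /^[|] CVE-/ {
            for (i = 1; i <= NF; i++) { gsub(/^[ \t]+|[ \t]+$/, "", $i) }
            id = $2; score = $3 + 0; vector = $4
            if (score >= thr && vector == "AV:N") { print id, score }
        }'
}

# Constructed sample in the same layout as the report above (a subset of its rows).
sample_report() {
    cat <<'EOF'
name (amazon2 (Karoo))
======================
+----------------+------+--------+-----+--------+---------+-------------------------------------------------+
| CVE-ID         | CVSS | ATTACK | POC | CERT   | FIXED   | NVD                                             |
+----------------+------+--------+-----+--------+---------+-------------------------------------------------+
| CVE-2018-20060 | 9.8  | AV:N   |     |        | fixed   | https://nvd.nist.gov/vuln/detail/CVE-2018-20060 |
| CVE-2019-6477  | 7.8  | AV:N   |     | JPCERT | fixed   | https://nvd.nist.gov/vuln/detail/CVE-2019-6477  |
| CVE-2020-12762 | 7.8  | AV:L   |     |        | fixed   | https://nvd.nist.gov/vuln/detail/CVE-2020-12762 |
| CVE-2018-5745  | 7.5  | AV:N   |     |        | fixed   | https://nvd.nist.gov/vuln/detail/CVE-2018-5745  |
| CVE-2020-0548  | 5.5  | AV:L   |     |        | fixed   | https://nvd.nist.gov/vuln/detail/CVE-2020-0548  |
+----------------+------+--------+-----+--------+---------+-------------------------------------------------+
EOF
}

# Stand-alone demo: network-reachable findings with CVSS 7.0 or higher.
sample_report | triage_report 7.0
```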
VulsRepo: watch the result on your browser
You can also view the scan result on your browser using VulsRepo.
Documentation: https://vuls.io/docs/en/vulsrepo.html
$ cd /home/ec2-user/
$ git clone https://github.com/ishiDACo/vulsrepo
$ cd vulsrepo/server
$ cp vulsrepo-config.toml.sample vulsrepo-config.toml
$ vi vulsrepo-config.toml
[Server]
rootPath = "/home/ec2-user/vulsrepo"
resultsPath = "/home/ec2-user/vulsctl/results"
serverPort = "5111"
[ec2-user@ip-10-10-1-82 server]$ ./vulsrepo-server
2020/07/11 10:53:11 main.go:153: INFO: RootPath Load: /home/ec2-user/vulsrepo
2020/07/11 10:53:11 main.go:160: INFO: ResultsPath Load: /home/ec2-user/vulsctl/results
2020/07/11 10:53:11 main.go:128: Start: Listening port: :5111
Open port 5111 of the server in your browser.
Screenshots of the actual screens are shown in the official documentation.