DEV Community

t.okazaki

Vuls: Open-source vulnerability scanner

Vuls is an open-source vulnerability scanner. It automates security vulnerability checks on the software installed on a system.
Vuls comes with an agent-less architecture, meaning that it uses SSH to scan remote hosts.

For the vulnerability information sources that Vuls checks,
see: https://github.com/future-architect/vuls#high-quality-scan

How to install

We will install Vuls on an AWS EC2 instance running Amazon Linux 2.

Log in to the EC2 instance as ec2-user.

$ sudo yum -y install docker git
$ sudo usermod -aG docker ec2-user
$ cd /home/ec2-user/
$ git clone https://github.com/vulsio/vulsctl.git

# Log out of the instance and log in again so that the docker group membership takes effect.

$ sudo systemctl start docker

$ cd vulsctl && ./update-all.sh

# This takes about 20-30 minutes.

Preparation

After Vuls is installed, we prepare the configuration file.

$ cp -p config.toml.template config.toml
$ vim config.toml

Specify the [default] section.
Note that even if your SSH key is at /home/ec2-user/.ssh/id_rsa on the host, keyPath has to be written as shown below,
because Vuls runs in a Docker container and the SSH key is mounted at "/root/.ssh/id_rsa" inside the container.

[default]
port               = "22"
user               = "ec2-user"
keyPath            = "/root/.ssh/id_rsa"
scanMode           = ["fast"]

Then write the hostname or IP address of each server you want to scan.

[servers.name]
host                = "10.10.1.251"

If you want to scan the local host, you need to specify the IP address assigned to the network interface instead of "127.0.0.1".

Setting SSH keys

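Vuls connects over SSH with key authentication, so your public key has to be registered on the scanned servers and each scanned server has to appear in the local known_hosts file. To do this, log in to the server once or use the following commands.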

Generate a key pair locally.

$ ssh-keygen -t rsa -b 4096

Register a locally generated public key to the target host to be scanned.

$ ssh-copy-id ${USER}@${target_host}

Add the target host to the local known_hosts file.

$ ssh-keyscan ${target_host} >> ~/.ssh/known_hosts
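
The ssh-keyscan step records whatever key the network returns, so the resulting known_hosts entry is only as trustworthy as the path to the host. As an added example (not from the original post), this Python code keeps only the ssh-keyscan lines whose fingerprint matches one obtained out of band, for instance by running ssh-keygen -lf on the target's host public key from its console. The function names and sample keys are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def sha256_fingerprint(key_b64):
    """OpenSSH-style fingerprint: SHA-256 of the raw key blob, base64 without padding."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(key_b64):
    """Algorithm name embedded at the start of the key blob (uint32 length + name)."""
    blob = base64.b64decode(key_b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def trusted_lines(keyscan_output, pinned):
    """Keep keyscan lines matching pinned: {(host, keytype): fingerprint}."""
    accepted = []
    for line in keyscan_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host, keytype, key_b64 = parts[:3]
        want = pinned.get((host, keytype))
        try:
            ok = (want is not None
                  and blob_key_type(key_b64) == keytype
                  and hmac.compare_digest(sha256_fingerprint(key_b64), want))
        except (ValueError, struct.error):
            continue  # malformed base64 or truncated blob
        if ok:
            accepted.append(" ".join(parts[:3]))
    return accepted

def make_ed25519_blob(pub32):
    """Build a constructed ssh-ed25519 key blob for the demo (not a real host key)."""
    name = b"ssh-ed25519"
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(pub32)) + pub32
    return base64.b64encode(raw).decode()

GOOD_KEY = make_ed25519_blob(bytes(range(32)))  # constructed sample key
OTHER_KEY = make_ed25519_blob(bytes(32))        # a different key for the same host

if __name__ == "__main__":
    pinned = {("10.10.1.251", "ssh-ed25519"): sha256_fingerprint(GOOD_KEY)}
    scan = f"10.10.1.251 ssh-ed25519 {OTHER_KEY}\n10.10.1.251 ssh-ed25519 {GOOD_KEY}\n"
    print("\n".join(trusted_lines(scan, pinned)))  # only the pinned key survives
```

Only the lines returned by trusted_lines should be appended to ~/.ssh/known_hosts; an empty result means the host presented a key that does not match the pinned fingerprint.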

Scanning

Just execute the following shell script.

$ ./scan.sh -vvv

Using default tag: latest
latest: Pulling from vuls/vuls
Digest: sha256:e39edb92833e7d6f6490620e11221f1a456ca2dec4f5f3ab1c15e12c75ecdcbb
Status: Image is up to date for vuls/vuls:latest
docker.io/vuls/vuls:latest
[Jul 11 10:39:44]  INFO [localhost] Validating config...
[Jul 11 10:39:44]  INFO [localhost] Detecting Server/Container OS...
[Jul 11 10:39:44]  INFO [localhost] Detecting OS of servers...
[Jul 11 10:39:47]  INFO [localhost] (1/1) Detected: name: amazon 2 (Karoo)
[Jul 11 10:39:47]  INFO [localhost] Detecting OS of containers...
[Jul 11 10:39:47]  INFO [localhost] Checking Scan Modes...
[Jul 11 10:39:47]  INFO [localhost] Checking dependencies...
...(snip)...
[Jul 11 10:39:52]  INFO [localhost] Scanning vulnerabilities...
[Jul 11 10:39:52]  INFO [localhost] Scanning vulnerable OS packages...
[Jul 11 10:39:52]  INFO [name] Scanning in fast mode

One Line Summary
================
name    amazon2 (Karoo) 451 installed, 16 updatable

To view the detail, vuls tui is useful.
To send a report, run vuls report -h.

You can see the scan result on the command line.

$ ./report.sh

Using default tag: latest
latest: Pulling from vuls/vuls
...(snip)...
name (amazon2 (Karoo))
======================
Total: 10 (High:3 Medium:4 Low:3 ?:0), 10/10 Fixed, 451 installed, 16 updatable, 0 exploits, 0 modules, en: 0, ja: 2 alerts

+----------------+------+--------+-----+--------+---------+-------------------------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |  CERT  |  FIXED  |                       NVD                       |
+----------------+------+--------+-----+--------+---------+-------------------------------------------------+
| CVE-2018-20060 |  9.8 |  AV:N  |     |        |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-20060 |
| CVE-2019-17041 |  9.8 |  AV:N  |     |        |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-17041 |
| CVE-2019-17042 |  9.8 |  AV:N  |     |        |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-17042 |
| CVE-2019-6477  |  7.8 |  AV:N  |     | JPCERT |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-6477  |
| CVE-2020-12762 |  7.8 |  AV:L  |     |        |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-12762 |
| CVE-2018-5745  |  7.5 |  AV:N  |     |        |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-5745  |
| CVE-2019-6465  |  7.5 |  AV:N  |     | JPCERT |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-6465  |
| CVE-2020-0543  |  6.5 |  AV:L  |     |        |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-0543  |
| CVE-2020-0549  |  6.5 |  AV:L  |     |        |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-0549  |
| CVE-2020-0548  |  5.5 |  AV:L  |     |        |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-0548  |
+----------------+------+--------+-----+--------+---------+-------------------------------------------------+
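
To act on a report like this without reading it by eye, the table can be parsed and filtered. The following is an added example (not part of the original post or of Vuls): it parses the text table format shown here and lists network-reachable (AV:N) findings at or above a CVSS threshold, CERT-alerted ones first. The threshold and the ordering are assumptions of this example.

```python
import re
import sys

# One data row: | CVE-ID | CVSS | ATTACK | POC | CERT | FIXED | NVD |
ROW = re.compile(
    r"^\|\s*(CVE-\d{4}-\d+)\s*\|\s*([\d.]+)\s*\|\s*(AV:\w)\s*\|"
    r"([^|]*)\|([^|]*)\|\s*(\w+)\s*\|"
)

# Subset of the rows from the report on this page.
SAMPLE = """\
+----------------+------+--------+-----+--------+---------+-------------------------------------------------+
|     CVE-ID     | CVSS | ATTACK | POC |  CERT  |  FIXED  |                       NVD                       |
+----------------+------+--------+-----+--------+---------+-------------------------------------------------+
| CVE-2018-20060 |  9.8 |  AV:N  |     |        |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2018-20060 |
| CVE-2019-6477  |  7.8 |  AV:N  |     | JPCERT |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-6477  |
| CVE-2020-12762 |  7.8 |  AV:L  |     |        |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-12762 |
| CVE-2019-6465  |  7.5 |  AV:N  |     | JPCERT |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2019-6465  |
| CVE-2020-0548  |  5.5 |  AV:L  |     |        |   fixed | https://nvd.nist.gov/vuln/detail/CVE-2020-0548  |
+----------------+------+--------+-----+--------+---------+-------------------------------------------------+
"""

def parse_report(text):
    """Return one dict per CVE row; header and border lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            cve, cvss, av, poc, cert, fixed = m.groups()
            findings.append({"cve": cve, "cvss": float(cvss), "av": av,
                             "poc": poc.strip(), "cert": cert.strip(), "fixed": fixed})
    return findings

def triage(findings, min_cvss=7.0):
    """Network-reachable findings >= min_cvss: CERT-alerted first, then by score."""
    urgent = [f for f in findings if f["av"] == "AV:N" and f["cvss"] >= min_cvss]
    return sorted(urgent, key=lambda f: (not f["cert"], -f["cvss"], f["cve"]))

if __name__ == "__main__":
    # Usage: ./report.sh | python3 triage.py   (falls back to SAMPLE on a terminal)
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    urgent = triage(parse_report(text))
    for f in urgent:
        print(f'{f["cve"]}  {f["cvss"]}  {f["cert"] or "-"}  {f["fixed"]}')
    sys.exit(1 if urgent else 0)  # non-zero exit lets a scheduled job raise an alert
```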

The report files are generated in the directory named "results". Note that the report files and the directory are created with root as the owner. If you want to access the files, you can change the ownership of the directory.

$ sudo chown -R ec2-user:ec2-user results/

VulsRepo: view the results in your browser

You can also view the scan results in your browser using VulsRepo.
Github: https://vuls.io/docs/en/vulsrepo.html

$ cd /home/ec2-user/
$ git clone https://github.com/ishiDACo/vulsrepo

$ cd vulsrepo/server
$ cp vulsrepo-config.toml.sample vulsrepo-config.toml
$ vi vulsrepo-config.toml

[Server]
rootPath = "/home/ec2-user/vulsrepo"
resultsPath  = "/home/ec2-user/vulsctl/results"
serverPort  = "5111"

$ ./vulsrepo-server
2020/07/11 10:53:11 main.go:153: INFO: RootPath Load:  /home/ec2-user/vulsrepo
2020/07/11 10:53:11 main.go:160: INFO: ResultsPath Load:  /home/ec2-user/vulsctl/results
2020/07/11 10:53:11 main.go:128: Start: Listening port: :5111

Access the server on port 5111 in your browser.
Actual screen images are shown in the official documentation.
