• Vuls 漏洞扫描工具部署及效果展示


    Vuls 漏洞扫描工具部署及效果展示

    介绍

    Vuls根据NVD,OVAL等数据对主流Linux系统进行扫描,并具有完善的报告。

    • 支持系统

      Distribution Release
      Alpine 3.3 and later
      Ubuntu 14, 16, 18, 20
      Debian 8, 9, 10
      RHEL 5, 6, 7, 8
      Oracle Linux 5, 6, 7
      CentOS 6, 7, 8
      Amazon Linux All
      FreeBSD 10, 11
      SUSE Enterprise 11, 12
      Raspbian Jessie, Stretch, Buster
    • 支持的数据库

      Vulnerability Database:

      • NVD
      • JVN(Japanese)

      OVAL

      • Red Hat
      • Debian
      • Ubuntu
      • SUSE
      • Oracle Linux

      Security Advisory

      • Alpine-secdb
      • Red Hat Security Advisories
      • Debian Security Bug Tracker

      Commands(yum, zypper, pkg-audit)

      • RHSA / ALAS / ELSA / FreeBSD-SA
      • Changelog

      PoC, Exploit

      • Exploit Database
      • Metasploit-Framework modules

      CERT

      • US-CERT
      • JPCERT

      Libraries

      • Node.js Security Working Group
      • Ruby Advisory Database
      • Safety DB(Python)
      • PHP Security Advisories Database
      • RustSec Advisory Database

      WordPress

      • WPScan

    更多详情: 官网介绍

    参考链接

    1. Vuls官网手动安装教程
    2. Vuls安装记录
    3. Vuls漏洞库工具
    4. 计算机漏洞和安全性评估语言 本地部署
    5. Go Install Go语言安装

    安装步骤

    • 测试机器:CentOS

    • 环境要求 Vuls requires the following packages.

      1. SQLite3, MySQL, PostgreSQL, Redis
      2. git
      3. gccGNU Make
      4. Go 必须安装最新版Go,不然会有各种报错
    • 一. 环境部署:

      • 1.工具安装

        $ sudo yum -y install sqlite git gcc make wget
        
      • 2.Go 安装

        $ wget https://dl.google.com/go/go$latest_version.linux-amd64.tar.gz
        $ sudo tar -C /usr/local -xzf go$latest_version.linux-amd64.tar.gz
        $ mkdir $HOME/go
        
      • 3.配置Go环境变量

        $ vi  /etc/profile.d/goenv.sh
        
      • 4.在这个文件中添加以下环境变量

        export GOROOT=/usr/local/go 
        export GOPATH=$HOME/go 
        export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
        
      • 5.设置环境变量到系统中

        $ source /etc/profile.d/goenv.sh
        
      • 6.检测 go是否安装成功

        $ go version
        
    • 二. CVE库部署

      • 1.从github下载部署工具并安装

        $ sudo mkdir /var/log/vuls
        $ sudo chown <username> /var/log/vuls
        $ sudo chmod 700 /var/log/vuls
        $ mkdir -p $GOPATH/src/github.com/kotakanbe
        $ cd $GOPATH/src/github.com/kotakanbe
        $ git clone https://github.com/kotakanbe/go-cve-dictionary.git
        $ cd go-cve-dictionary
        $ make install
        
      • 2.获取cve漏洞数据 大概需要一小时 1.6G 下载成功后可以看到sqlite数据库 如果想缩短时间可以只获取最近几年的数据

        $ for i in `seq 2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -years $i; done
        
        [root@izbp1268h8zj95audt9fdez go-cve-dictionary]# ls -alh cve.sqlite3
        -rw-r--r-- 1 root root 1.6G Mar  1 19:04 cve.sqlite3
        
      • 踩坑

        • make install 失败1:可以使用--debug查看更多信息

        • Permission denied 错误是文件权限不够,没有可执行权限,提权即可

          [root@izbp1268h8zj95audt9fdez go-cve-dictionary]# make install
          GO111MODULE=on go install -ldflags "-X 'main.version=v0.5.8' -X 'main.revision=1aa7ea7'"
          /bin/sh: /usr/local/go/bin/go: Permission denied
          make: *** [install] Error 126
          [root@izbp1268h8zj95audt9fdez go-cve-dictionary]# make install --debug
          GNU Make 3.82
          Built for x86_64-redhat-linux-gnu
          Copyright (C) 2010  Free Software Foundation, Inc.
          License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
          This is free software: you are free to change and redistribute it.
          There is NO WARRANTY, to the extent permitted by law.
          Reading makefiles...
          Updating goal targets....
           File `install' does not exist.
          Must remake target `install'.
          Invoking recipe from GNUmakefile:31 to update target `install'.
          GO111MODULE=on go install -ldflags "-X 'main.version=v0.5.8' -X 'main.revision=1aa7ea7'"
          /bin/sh: /usr/local/go/bin/go: Permission denied
          
        • make install 失败2: go 包安装失败 这是因为下载网址被墙了,需要设置代理

          [root@izbp1268h8zj95audt9fdez go-cve-dictionary]# make install
          GO111MODULE=on go install -ldflags "-X 'main.version=v0.5.8' -X 'main.revision=1aa7ea7'"
          go: github.com/PuerkitoBio/goquery@v1.6.1: Get "https://proxy.golang.org/github.com/%21puerkito%21bio/goquery/@v/v1.6.1.mod": dial tcp 172.217.160.113:443: i/o timeout
          make: *** [install] Error 1
          
        • 如果需要设置代理 解决方法如下

          $ go env -w GOPROXY=https://goproxy.cn
          
    • 三.部署goval-dictionary

      • 1.从github下载工具并安装

        $ mkdir -p $GOPATH/src/github.com/kotakanbe
        $ cd $GOPATH/src/github.com/kotakanbe
        $ git clone https://github.com/kotakanbe/go-cve-dictionary.git
        $ cd go-cve-dictionary
        $ make install
        
      • 2.收集系统信息 (不同的系统命令不同 详情参阅: goval fetch用法)

        $ goval-dictionary fetch-redhat 7
        
      • 踩坑

        • make install失败3:还是包下载问题

          [root@izbp1268h8zj95audt9fdez goval-dictionary]# make install
          GO111MODULE=off go get -u golang.org/x/lint/golint
          package golang.org/x/lint/golint: unrecognized import path "golang.org/x/lint/golint": https fetch: Get "https://golang.org/x/lint/golint?go-get=1": dial tcp 216.239.37.1:443: i/o timeout
          make: *** [lint] Error 1
          
        • 一开始我以为还是代理的问题,设置来设置去还是不能解决,go env命令可以查看go的环境变量,我发现GO111MODULE已经设置为on,但是执行make install的时候,还是off,GO111MODULE涉及到包安装的方式。我分析了安装脚本之后发现脚本内GO111MODULE设置了off,于是修改了脚本。

              [root@izbp1268h8zj95audt9fdez goval-dictionary]# cat GNUmakefile 
              .PHONY: 
                  build 
                  install 
                  all 
                  vendor 
                  lint 
                  vet 
                  fmt 
                  fmtcheck 
                  pretest 
                  test 
                  cov 
                  clean
          
              SRCS = $(shell git ls-files '*.go')
              PKGS =  ./commands ./config ./db ./db/rdb ./fetcher ./models ./util
              VERSION := $(shell git describe --tags --abbrev=0)
              REVISION := $(shell git rev-parse --short HEAD)
              LDFLAGS := -X 'main.version=$(VERSION)' 
                  -X 'main.revision=$(REVISION)'
              GO := GO111MODULE=on go
              GO_OFF := GO111MODULE=off go
          
              all: build
          
              build: main.go pretest
                  $(GO) build -a -ldflags "$(LDFLAGS)" -o goval-dictionary $<
          
              b: 	main.go pretest
                  $(GO) build -ldflags "$(LDFLAGS)" -o goval-dictionary $<
          
              install: main.go pretest
                  $(GO) install -ldflags "$(LDFLAGS)"
          
              lint:
                  $(GO_OFF) get -u golang.org/x/lint/golint      // 把lint方法中的GO_OFF改为GO 
                  golint $(PKGS)
          
              vet:
                  echo $(PKGS) | xargs env $(GO) vet || exit;
                  ...
                  ...
                  ...
              ```
          
      • 踩坑

        • make install失败4: sum.go missing 问题

          [root@izbp1268h8zj95audt9fdez goval-dictionary]# make install
          GO111MODULE=on go get -u golang.org/x/lint/golint
          golint ./commands ./config ./db ./db/rdb ./fetcher ./models ./util
          echo ./commands ./config ./db ./db/rdb ./fetcher ./models ./util | xargs env GO111MODULE=on go vet || exit;
          /root/go/pkg/mod/github.com/mattn/go-isatty@v0.0.12/isatty_tcgets.go:6:8: missing go.sum entry for module providing package golang.org/x/sys/unix (imported by github.com/mattn/go-isatty); to add:
              go get github.com/mattn/go-isatty@v0.0.12
          make: *** [vet] Error 123
          
        • go.sum 是一个校验包的文件,多次尝试,找到了一个解决方法 go get

          ```
          [root@izbp1268h8zj95audt9fdez goval-dictionary]# go get
          go: downloading golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4
          go: downloading github.com/dgrijalva/jwt-go v1.0.2
          go: downloading github.com/k0kubun/pp v1.3.0
          ```
          
    • 四. 部署Vuls

      • 下载安装工具

        $ mkdir -p $GOPATH/src/github.com/future-architect 
        $ cd $GOPATH/src/github.com/future-architect 
        $ git clone https://github.com/future-architect/vuls.git 
        $ cd vuls 
        $ make install
        
      • 踩坑

      • git 问题1: error: RPC failed; 这个问题出现了多次,可能是git需要下载的包太大,可能是防火墙或者代理等网络情况

        [root@izbp1268h8zj95audt9fdez future-architect]# git clone https://github.com/future-architect/vuls.git
        Cloning into 'vuls'...
        remote: Enumerating objects: 7448, done.
        error: RPC failed; result=18, HTTP code = 200 | 20.00 KiB/s     
        fatal: The remote end hung up unexpectedly
        fatal: early EOF
        fatal: index-pack failed
        
      • 下面是我总结的解决方法 请逐一尝试

        1. 更新git

        2. 检查网络,浏览器访问仓库

        3. https:// 替换为 git://

        4. 增加缓冲区大小

          git config --global http.postBuffer 524288000
          
        5. 只拉去仓库浅层目录,然后再拉取完整仓库

          $ git clone http://github.com/large-repository --depth 1 
          $ cd large-repository 
          $ git fetch --unshallow
          
        • 网络问题比较复杂,如果以上都不能起效,最后还可以手动下载复制git仓库

        • 举例

          ```
          $ mkdir -p $GOPATH/src/golang.org/x 
          $ git clone https://github.com/golang/lint.git $GOPATH/src/golang.org/x/lint 
          $ go get -u golang.org/x/lint/golint
          ```
          
      • 但是我的情况还是有错 如下,最终修改Makefile文件 设置GO111MODULE=on 和上面提的一样

          ```
          [root@izbp1268h8zj95audt9fdez vuls]# make install
          GO111MODULE=off go get -u golang.org/x/lint/golint
          package golang.org/x/tools/go/ast/astutil: unrecognized import path "golang.org/x/tools/go/ast/astutil": https fetch: Get "https://golang.org/x/tools/go/ast/astutil?go-get=1": dial tcp 216.239.37.1:443: i/o timeout
          ```
        
    • 五.开始扫描和报告

      • 本地模式

      • 1.添加配置文件 .toml 文件内容如下

        $ cd $HOME
        $ touch config.toml
        $ cat config.toml
        [servers]
        
        [servers.localhost]
        host = "localhost"
        port = "local"
        
      • 2.配置文件检验

        $ vuls configtest
        
      • 踩坑

        • 配置文件读取失败
          [root@izbp1268h8zj95audt9fdez ~]# vuls configtest
          [Mar  2 16:03:43]  INFO [localhost] vuls-v0.15.9-build-20210302_155557_1d0c5de
          [Mar  2 16:03:43]  INFO [localhost] Validating config...
          [Mar  2 16:03:43]  INFO [localhost] Detecting Server/Container OS... 
          [Mar  2 16:03:43]  INFO [localhost] Detecting OS of servers... 
          [Mar  2 16:03:43] ERROR [localhost] Failed to configtest: Failed to init servers. err:
              github.com/future-architect/vuls/scanner.Scanner.Configtest
                  /root/go/src/github.com/future-architect/vuls/scanner/serverapi.go:107
            - No scannable host OS:
              github.com/future-architect/vuls/scanner.Scanner.initServers
                  /root/go/src/github.com/future-architect/vuls/scanner/serverapi.go:235
          
        • 已联系作者修改,更新至 ee38a87 提交以后 然后重新执行第四步的make install 重新安装
      • 3.开始扫描

        $ vuls scan
        ...
        ...
        ...
        Scan Summary
        ================
        localhost	centos7.7.1908	540 installed, 218 updatable   // 正确扫描结果
        
      • 踩坑

        • err: Failed to scan updatable packages

          [root@izbp1268h8zj95audt9fdez ~]# vuls scan
          [Mar  3 11:59:53]  INFO [localhost] vuls-v0.15.9-build-20210303_115852_1ec31d7
          [Mar  3 11:59:53]  INFO [localhost] Start scanning
          [Mar  3 11:59:53]  INFO [localhost] config: /root/config.toml
          [Mar  3 11:59:53]  INFO [localhost] Validating config...
          [Mar  3 11:59:53]  INFO [localhost] Detecting Server/Container OS... 
          [Mar  3 11:59:53]  INFO [localhost] Detecting OS of servers... 
          [Mar  3 11:59:53]  INFO [localhost] (1/1) Detected: localhost: centos 7.7.1908
          [Mar  3 11:59:53]  INFO [localhost] Detecting OS of containers... 
          [Mar  3 11:59:53]  INFO [localhost] Checking Scan Modes... 
          [Mar  3 11:59:53]  INFO [localhost] Detecting Platforms... 
          [Mar  3 11:59:55]  INFO [localhost] (1/1) localhost is running on other
          [Mar  3 11:59:55]  INFO [localhost] Detecting IPS identifiers... 
          [Mar  3 11:59:55]  INFO [localhost] (1/1) localhost has 0 IPS integration
          [Mar  3 11:59:55]  INFO [localhost] Scanning OS pkg in fast mode
          [Mar  3 12:00:05]  WARN [localhost] err: Failed to scan updatable packages:
              github.com/future-architect/vuls/scanner.(*redhatBase).scanPackages
                  /root/go/src/github.com/future-architect/vuls/scanner/redhatbase.go:231
            - Failed to SSH: execResult: servername: 
                cmd: repoquery --all --pkgnarrow=updates --qf='%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{REPO}'
                exitstatus: 127
                stdout: 
                stderr: /bin/sh: repoquery: command not found
              
                err: exit status 127:
              github.com/future-architect/vuls/scanner.(*redhatBase).scanUpdatablePackages
                  /root/go/src/github.com/future-architect/vuls/scanner/redhatbase.go:378
                  
          
        • 解决办法

          $ yum -y install yum-utils
          
      • 4.报告

        • 报告位置 /root/results/

        • View one-line summary

          $ vuls report -format-one-line-text
          
        • View short summary

          $ vuls report -format-list
          
        • View full report.

          $ vuls report -format-full-text | less
          
      • 5.进阶报告查看

        • 终端展示

          $ vuls tui
          

        • web UI 展示

        1. 获得扫描数据
          // 需要现有扫描数据 - 存放目录 /root/results
          $ vuls scan
          $ vuls report -format-json
          
        2. 安装WEB部署工具
          $ cd $HOME
          $ git clone https://github.com/ishiDACo/vulsrepo.git
          $ cd $HOME/vulsrepo/server
          $ cp vulsrepo-config.toml.sample vulsrepo-config.toml // 复制sample配置文件
          $ vi vulsrepo-config.toml                             // 根据自己的环境配置
          [Server]
          rootPath = "/home/vuls-user/vulsrepo"
          resultsPath  = "/opt/vuls/results"
          serverPort  = "5111"
          
        3. 运行
          $ pwd
          $HOME/vulsrepo/server
          
          $ ./vulsrepo-server
          
    • WEB Demo :https://monocosel.jp/vulsrepo/

  • 相关阅读:
    Delphi的字符(Char),字符串(String),字符串指针(PChar),字符数组arrayofchar(来自http://delphi.cjcsoft.net/论坛)
    关于Delphi中的字符串的浅析(瓢虫大作,里面有内存错误的举例)
    String[255]在高版本Delphi里还是被解释成Byte,总体长度256,使用StrPCopy可以给Array String拷贝字符串(内含许多实验测试)
    了解JVM加载实例化类的原理
    轻量级 Material Design 前端框架 MDUI (纯html,css,与css框架跟react vue不冲突)
    只学一点点:我的技术学习策略(虽然不赞同,但可以参考一下,针对不常用的技术可以这样,同时可以:寻找遁去的一,不用管别人怎么想;有学习的时间,不如自己写、自己实践,否则学完了都不知道是什么东西)
    clientdataset<---->json
    完全自定义窗体风格的实现
    监控其它进程
    用JSP+JavaBean开发模式实现一个销售额的查询
  • 原文地址:https://www.cnblogs.com/HsinTsao/p/14772698.html
Copyright © 2020-2023  润新知