Slide 1
Slide 1 text
ຊ൪αʔόͷ࣮ӡ༻PO($1
RPMҎ֎औΓࠐΉ࣮ӡ༻Ͱͷʹ͍ͭͯ
Slide 2
Slide 2 text
ϚογϡΞοϓͰ͢ʂ
ؾָʹฉ͍ͯԼ͍͞ʂ
Slide 3
Slide 3 text
ࣗݾհ facebook: yusuke.exzm
ࢯ໊ ୩ ༞հ
ܦྺ
GMO, Yahoo Japan, Squere Enix etc…
2010ʹgms(gloopsͷલ)ೖࣾ
גࣜձࣾgrasysͷදΛΓͳ͕ΒΤϯδχΞͬͯ·͢ɻ
৬छ
ΠϯϑϥΤϯδχΞ
Google Developer Expert, GCPUG Admin
publish
Fusion-IOΛ2011ʹຊ൪ಋೖ͠Fusion-IOࣾʹऔΓ্͛ΒΕΔ
SoftwareDesign2012.03هࣄ
2012DellͷCMग़ԋʢςϨϏ౦ژ ϫʔϧυϏδωεαςϥΠτʣ
IcingaʢnagiosͷforkʣͷϢʔβʔίϛϡχςΟʹܝࡌ
ຊॻ͖࢝Ί·ͨ͠
Slide 4
Slide 4 text
ձࣾհ
໊ࣾ גࣜձࣾgrasys
ઃཱ 201411݄13
ද ୩༞հ
ࣄۀ༰ Cloud Facilitator
ςΫχΧϧ/ϦηϦϯάύʔτφʔ
ਓ 8໊
Slide 5
Slide 5 text
γεςϜߏʢͬ͘͟Γʣ
ࠓͷओvulsͳͷͰ
΄Μͱʹͬ͘͟Γ
Slide 6
Slide 6 text
جຊతͳߏ
ops
product
servers
monitor
Google Cloud Platform
Compute Engine
Firewall
QPSU
ssh
opsͱ͍͏Πϯελϯε͕த৺
SSH౿Έ
ΦʔέετϨʔγϣϯ
vulsͷ࣮ߦ͜͜Ͱ
Slide 7
Slide 7 text
ࢹ
ΦʔέετϨʔγϣϯ
ίʔσΟωʔλʔ
ݴޠ
XXenv
ཁ݅ͰVersionࢦఆͳͲʹରԠ͢ΔͨΊ
ϛυϧΣΞ
ιʔε͔ΒίϯύΠϧٴͼBinary൛Λར༻
ཁ݅ͰVersionࢦఆͳͲʹରԠ͢ΔͨΊ
ϥΠϒϥϦ
ඞཁ͋Ειʔε͔ΒίϯύΠϧ
ཁ݅ͰVersionࢦఆͳͲʹରԠ͢ΔͨΊ
Πϯελϯε෦
consulͬͯΔΑʂίϯύΠϧ͚ͬ͜͏ͯ͠ΔΑʂ
Slide 8
Slide 8 text
twemproxy
supervisord
vuls
͍Ζ͍Ζͳݴޠ
͍Ζ͍ΖͳϛυϧΣΞ
͍Ζ͍ΖͳతͷγεςϜ
Slide 9
Slide 9 text
γεςϜʹ͍Ζ͍Ζ͋Δɾɾɾ
ɾzݹ͍ͷzΒɾɾɾ
ɾzྺ࢙zΒɾɾɾ
ɾzഎܠzΒɾɾɾ
ɾzࣄzΒɾɾɾ
31.͚ͩͰߏ͢Δ͜ͱ΄΅ͳ͍ɾɾɾ
৽نͷઃܭɾߏஙग़དྷΔݶΓ࠷৽൛Ͱ
Slide 10
Slide 10 text
લஔ͖͜͜·Ͱʂ
Slide 11
Slide 11 text
ຊ
31.ʹؔͳ͍ͷ
Ͳ͏ͬͯTDBOͨ͠Β͍͍͔ɾɾɾ
Slide 12
Slide 12 text
WVMTDPOpHUPNM
[servers.HOSTNAME]
host = "HOSTNAME"
cpeNames = [
"cpe:/a:djangoproject:django:1.6",
]
↑
ඥ͚ͳ͍ͱ͍͚ͳ͍
͋͞Ͳ͏ͬͯ͜ͷใΛɾɾɾ
cpeNamesͰ
֦ுͰ͖Δ͕ɾɾɾ
↓
Slide 13
Slide 13 text
DWFTRMJUFDQFTUBCMF
CREATE TABLE "cpes" (
"id" integer primary key autoincrement,
"created_at" datetime, "updated_at" datetime,
"deleted_at" datetime,
"jvn_id" integer, "nvd_id" integer,
"cpe_name" varchar(255),
"part" varchar(255), "vendor" varchar(255),
"product" varchar(255),
"version" varchar(255),
"update" varchar(255),
"edition" varchar(255),
"language" varchar(255)
);
←͜ΕͰselect͢Εʂ
Slide 14
Slide 14 text
31.Ҏ֎ͷऩू
kv
vuls/[hostname]
/usr/local, /optԼͷঢ়ଶΛऩू
cronͰconsulͷkey value storeʹJSONͷܗͰอଘ
Slide 15
Slide 15 text
KTPOGPSNBU
{
"middleware": [
{
"name":"[middleware name]",
"version":"[version]",
"update":"[patch version]"
}
],
"update_time": "YYYY-MM-DD HH:MM:MM",
"host": {
"Πϯελϯεใ͍Ζ͍Ζ",
"node_name": "yusuke"
}
}
ඞཁͳใΛϦετͰ
Slide 16
Slide 16 text
8FC"QQMJDBUJPO'SBNFXPSLͱ͔ʁ
middleware:
-
name: [product name]
version: [version num]
update: [patch version]
↑
औಘͰ͖ͳ͍ͷʹ͍ͭͯYAMLͰҙʹ֦ு
ͱ͍ͬͯϑϨʔϜϫʔΫ͕ΆΜΆΜมΘΔ͜ͱͳ͍ͷͰɾɾɾ
͕͢͞ʹ͍Ζ͍Ζ͋ͬͯࣗಈऩूϜϦͩͬͨ͆
Slide 17
Slide 17 text
࣮ࡍͷσʔλ͜Μͳײ͡
/opt/envutils/utils.pl middleware
Slide 18
Slide 18 text
WVMTͷUPNMੜ
1. consul HTTP API /v1/catalog/nodes
2. consul KV vuls/[hostname] JSONऔಘ
3. HostใͷTagΛར༻֦ͯ͠ுͷYAMLऔಘ
4. cve sqliteʹJSONͷproduct, version, updateͰselect
5. Template EngineͰvulsͷtomlΛग़ྗ
consul kv
vuls/[instance name]
cve.sqlite3
script
vuls
config.toml
extend
YAML
Instance Tagʹඥͮ͘:".-
100͘Β͍Ͱ
10ඵͰྃʂ
Slide 19
Slide 19 text
͋ͱTDBOΛճ͚ͩ͢ʂ
࣮ࡍcronͰճͯͨ͠Γ͢Δʂ
Slide 20
Slide 20 text
ΊͰͨ͠ΊͰͨ͠
Slide 21
Slide 21 text
QIQΒɺOHJOYΒɺSFEJTΒ
ख์͠Ͱ͍Ζ͍Ζ੬ऑੑใΛݕ͠
ରࡦ͢Δ͜ͱ͕Մೳʹʂ
͋Δݹ͍γεςϜΛTDBOͨ͠Β
ͻͱͭͷαʔόͰ݅Ҏ্ͰͯϏϏͬͨʂ
Slide 22
Slide 22 text
*OJU4DSJQUʹΑΔӡ༻ͷ؆қԽ
/etc/init.d/vuls
/etc/init.d/vuls: vuls init script
help:
example:
/etc/init.d/vuls [sub command]
sub command:
start: start server
stop: stop server
restart restart server
status server status
1st_setup setup, update_week, reconfig, prepare, start
full_setup setup, update_full, reconfig, prepare, start
reconfig: make config
setup: setup cve/nve database
prepare: prepare instance
scan: scan
history: scan history
report: for consul service report
tui: Terminal User Interface
update cve database
update_entire: dictionary entire update
update_month: dictionary month update
update_week: dictionary week update
update_full: dictionary full update
go-cve-dictionaly/vulsͷ
ىಈͱαϙʔτεΫϦϓτͱͯ͠
configੜͳͲͷϥούʔͱ͔
σΟϨΫτϦπϦʔͷੜͱ͔
ΖΖɾɾɾ
·ΔͬͱͬͯΔͷͰ
ࣾͷΤϯδχΞʹઆ໌ཁΒͣ
Slide 23
Slide 23 text
ൃදҎ্ʂ
Slide 24
Slide 24 text
ΑΖ͓͘͠ئ͍͠·͢ʂ
Slide 25
Slide 25 text
͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ɻ
࣭͋͝Γ·ͨ͠Β͓ؾܰʹʂ
୩ ༞հ
facebook: yusuke.exzm