
New feature "Vuls Server" / Vuls Server

Teppei Fukuda
August 27, 2018

Patch management that starts with a one-liner


Transcript

  1. New feature "Vuls Server" ～ Patch management that starts with a one-liner ～ Vuls祭り#4 (Vuls Matsuri #4) @knqyf263

  2. About me • Teppei Fukuda (@knqyf263) • Gold's Gym protein is far too delicious • Once you have tried it you cannot drink any other

  3. A stylish lunch in Ginza every day

  4. Today's content • The one and only method that beat the macho guy • Introduction to Vuls Server (no time, so the macho story is cut)

  5. The new features I was in charge of • NIRVANA integration → built it • Better CPE detection accuracy → built a matching library • Detecting vulnerabilities that have no patch available yet → built a vulnerability DB construction tool • Server mode → built it

    Built pretty much all of it
  6. Vuls so far. Remote scan (agent-less): the Vuls scan server SSHes into the target server. Local scan (agent): Vuls scan server = target server, the scan runs on the target itself.

  7. Remote scan: the scan server SSHes into each target server

  8. Local scan: Vuls scan server = target server; the scan runs on the target itself
  9. Several problems exist

  10. Pattern 1: SSH gets refused

  11. "I want Vuls to SSH in and run remote scans." "We won't let some unknown tool SSH in."

  12. "But we're already using Ans ible…"

  13. Cry yourself to sleep

  14. Pattern 2: installing a binary gets refused

  15. "I want to install Vuls and run local scans." "We won't install some unknown binary."

  16. "Not unless we know what's inside…"

  17. Cry yourself to sleep

  18. Pattern 3: trouble aggregating results

  19. Environments differ, so multiple Vuls instances get installed: service A has its own Vuls scan server SSHing into its target servers, and service B has another. Sometimes there is no network reachability between them. How are the results supposed to be aggregated?

  20. Local scan: Scan, Scan, Scan, Scan… How are the results supposed to be aggregated? Does the vulnerability DB have to be downloaded to every single host?

  21. For people in that situation: the new feature "Vuls Server"

  22. How to use it: $ vuls server -listen 0.0.0.0:5515 ... [Aug 25 20:17:45] INFO [localhost] Listening on 0.0.0.0:5515

    Easy

  23. All you have to do is POST configuration information to this server

  24. Example command: $ curl -X POST --data-binary "`rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH} \n"`" http://192.168.33.1:5515/vuls

    (The example above omits the headers, so it does not work as-is.) It POSTs the output of the rpm command. Essentially that is all there is to it.

  25. Vuls Server: ① run rpm ② HTTP POST ③ the scan result comes back. What you do with the response (store it in a DB, whatever) is up to you.

  26. Vuls Server: run rpm → HTTP POST → save. Scan results can also be stored on the server.

  27. Content-Type • text/plain: for hitting the server with curl and the like • application/json: for programs that format the data and POST it

  28. Endpoints • /vuls: where you throw the JSON (or plain text) • /health: for health checks

  29. Striking back

  30. Pattern 1: SSH gets refused

  31. "I want Vuls to SSH in and run remote scans." "We won't let some unknown tool SSH in."

  32. "But we're already using Ansible…"

  33. "Then Ansible is fine (lol)"

  34. Vuls Server: ① SSH (via Ansible) ② HTTP POST → scan and save. Throw the configuration information collected with Ansible at Vuls Server. Someone please build this as OSS.

  35. Pattern 2: installing a binary gets refused

  36. "I want to install Vuls and run local scans." "We won't install some unknown binary."

  37. "Not unless we know what's inside…"

  38. "It's a one-liner; can't you understand it? (lol)"

  39. A one-liner is enough: run rpm → HTTP POST → scan and save. Just put a command such as curl in cron.

  40. Pattern 3: trouble aggregating results

  41. Local scan: Scan, Scan, Scan, Scan… How are the results supposed to be aggregated? Does the vulnerability DB have to be downloaded to every single host?

  42. POST to Vuls Server and aggregate: Scan, Scan, Scan, Scan → Server → save. The vulnerability DB only has to be downloaded to the server.

  43. Results can also be sent with the -to-http option: $ vuls report -to-http vuls-server.local:5515

    Easy

  44. Sample data:
    POST /vuls HTTP/1.1
    User-Agent: XXX
    Host: 192.168.33.1:5515
    Content-Type: text/plain
    X-Vuls-Server-Name: centos6.localdomain
    X-Vuls-OS-Family: centos
    X-Vuls-OS-Release: 6.9
    X-Vuls-Kernel-Release: 2.6.32-696.30.1.el6.x86_64
    Content-Length: 13802

    cryptsetup-luks-libs 0 1.2.0 11.el6 x86_64
    filesystem 0 2.4.30 3.el6 x86_64
    hal 0 0.5.14 14.el6 x86_64
    ncurses-base 0 5.7 4.20090207.el6 x86_64
    ...
    The output of the rpm command is sent as-is. It can also be sent as JSON.

  45. rpm command: $ rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n"
    ...
    bash 0 4.1.2 48.el6 x86_64
    ncurses-base 0 5.7 4.20090207.el6 x86_64
    abrt-tui 0 2.0.8 43.el6.centos x86_64
    nss-softokn-freebl 0 3.14.3 23.3.el6_8 x86_64
    rsyslog 0 5.8.10 10.el6_6 x86_64
    libattr 0 2.4.44 7.el6 x86_64
    hypervfcopyd 0 0 0.17.20150108git.el6 x86_64
    dbus-libs 1 1.2.24 8.el6_6 x86_64
    cronie-anacron 0 1.4.4 16.el6_8.2 x86_64
    zip 0 3.0 1.el6_7.1 x86_64
    ...
    One package per line

  46. X-Vuls-Server-Name header (same sample request as slide 44): the server name; pick whatever you like

  47. X-Vuls-OS-Family header (same sample request): important; one of the fixed strings such as redhat, centos, debian or ubuntu

  48. X-Vuls-OS-Release header (same sample request): important; the release number as a string (such as 6.9 or 16.04)

  49. X-Vuls-Kernel-Release header (same sample request): affects detection accuracy; the current kernel release as obtained from uname -r

  50. HTTP headers • X-Vuls-Server-Name (optional) • The server is identified by this value, so if two hosts use the same name one overwrites the other when results are saved • X-Vuls-OS-Family (required) • redhat/centos/ubuntu/debian etc. • X-Vuls-OS-Release (required) • The release number, such as 6.9 or 16.04 • X-Vuls-Kernel-Release header (required) • The value obtained from uname -r, such as 2.6.32-696.30.1.el6.x86_64 • X-Vuls-Kernel-Release header (optional) • Required only on Debian (roughly the 7th field from the left in the output of uname -a)
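The curl one-liner on the command-example slide omits the X-Vuls-* headers that the HTTP-headers slide marks as required, so it does not work as shown. The script below is an added example, not code from the deck or from the Vuls project: it fills those headers in from the scanning host itself and sends the rpm list with the same query format and header names the slides use. The mapping from /etc/os-release ID values to Vuls family strings, the fallback to /etc/redhat-release for CentOS 6 hosts, the use of the hostname as X-Vuls-Server-Name and the VULS_SERVER variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the deck or the Vuls project: the deck's curl
# one-liner with the required X-Vuls-* headers filled in from the host itself.
# Header names and the rpm query format are the deck's; OS detection, the
# hostname-as-server-name choice and VULS_SERVER are this script's assumptions.
set -eu

# Map the ID= value of /etc/os-release to the family strings the deck lists.
vuls_os_family() {
  case "$1" in
    rhel)   echo redhat ;;
    centos) echo centos ;;
    ubuntu) echo ubuntu ;;
    debian) echo debian ;;
    *)      echo "unsupported OS family: $1" >&2; return 1 ;;
  esac
}

# Read one KEY=value field from an os-release style file, quotes stripped.
os_release_field() {                       # $1 = file, $2 = key
  sed -n "s/^$2=//p" "$1" | tr -d '"'
}

# CentOS 6 (the deck's sample host) has no /etc/os-release; take the version
# out of /etc/redhat-release, e.g. "CentOS release 6.9 (Final)" -> 6.9.
redhat_release_version() {                 # $1 = file
  sed -n 's/.* release \([0-9][0-9.]*\).*/\1/p' "$1"
}

# Print "<family> <release>" for the system rooted at $1 (default "/").
detect_os() {
  root=${1:-/}
  if [ -f "$root/etc/os-release" ]; then
    fam=$(vuls_os_family "$(os_release_field "$root/etc/os-release" ID)")
    rel=$(os_release_field "$root/etc/os-release" VERSION_ID)
  elif [ -f "$root/etc/redhat-release" ]; then
    if grep -qi centos "$root/etc/redhat-release"; then fam=centos; else fam=redhat; fi
    rel=$(redhat_release_version "$root/etc/redhat-release")
  else
    echo "cannot determine OS family/release" >&2
    return 1
  fi
  echo "$fam $rel"
}

# POST the package list (one package per line, the deck's rpm query format)
# to $1/vuls with the headers the deck marks as required.
vuls_post() {                              # $1 = http://host:port of Vuls Server
  os=$(detect_os /)
  set -- "$1" $os                          # $2 = family, $3 = release
  rpm -qa --queryformat '%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n' |
    curl -sS -X POST --data-binary @- \
      -H 'Content-Type: text/plain' \
      -H "X-Vuls-Server-Name: $(hostname)" \
      -H "X-Vuls-OS-Family: $2" \
      -H "X-Vuls-OS-Release: $3" \
      -H "X-Vuls-Kernel-Release: $(uname -r)" \
      "$1/vuls"
}

# Only send when a server is given, so the file is safe to source or test:
#   VULS_SERVER=http://192.168.33.1:5515 sh vuls-post.sh   (e.g. from cron)
if [ -n "${VULS_SERVER:-}" ]; then
  vuls_post "$VULS_SERVER"
fi
```

Run it from cron as `VULS_SERVER=http://192.168.33.1:5515 sh vuls-post.sh` (the address is the one used on the slides). Because X-Vuls-Server-Name is what identifies a host on the server side, two hosts that report the same name overwrite each other's saved results, which is why the script uses the hostname rather than a fixed string. Debian hosts additionally need the kernel version header described on the HTTP-headers slide; the script does not add it.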
  51. Going further

  52. Integration with existing configuration management tools • Ansible • Chef • osquery • AWS Systems Manager • etc.

  53. AWS Systems Manager Inventory Manager • "With AWS Systems Manager Inventory you can collect metadata about the operating system (OS), applications and instances from Amazon EC2 instances, on-premises servers, and virtual machines (VMs) in hybrid environments. By querying the metadata you can quickly identify the instances that are running the software and configuration your software policy requires, and the instances that need updating." https://docs.aws.amazon.com/ja_jp/systems-manager/latest/userguide/systems-manager-inventory.html

  54. If the SSM agent is installed, it collects all kinds of information for you

  55. Let's install it right away!

  56. Installing the SSM agent • "SSM Agent is installed by default on the following Amazon EC2 Amazon Machine Images (AMIs):" • Windows Server (all SKUs) • Amazon Linux • Amazon Linux 2 • Ubuntu Server 16.04 • Ubuntu Server 18.04 https://docs.aws.amazon.com/ja_jp/systems-manager/latest/userguide/ssm-agent.html

  57. Apparently it is already there

  58. All you have to do is set up an IAM role (and set up Inventory)

  59. (no text on this slide)

  60. AWS Systems Manager integration: ① fetch configuration information ② HTTP POST → scan and save. A suitable script fetches the information from AWS Systems Manager (Inventory Manager) and throws it at Vuls Server.

  61. Limitations of the SSM integration • I wrote this up as if it were so convenient it was the best thing ever, but there are constraints • It only works with RHEL/CentOS • Ubuntu/Debian need source packages • Amazon Linux has no OVAL support yet

    • RHEL/CentOS do not come with the SSM agent installed • That said, one command installs it

  62. Proof of Concept • I wrote sample code: https://github.com/knqyf263/ssm-to-vuls • Given an EC2 instance ID and the address of a Vuls Server, it fetches the inventory, formats it as JSON and POSTs it to Vuls Server • It is proof-of-concept code, not something fit for production use, so I hope all of you will build the best tool

  63. It should be possible to integrate with other configuration management tools the same way!!

  64. So shouldn't everything just go through Vuls Server?

  65. Limitations of Vuls Server • Supported OSes • RHEL/CentOS/Ubuntu/Debian • Amazon Linux and FreeBSD are not supported yet • Detection accuracy • Can be somewhat worse than the agent in some (rare) cases • Extra information • The agent also collects process information, package versions after an update, and so on

  66. Still, it solves a whole range of problems. It really is the best.

  67. Deploying it as a container on k8s is easy too. No time, so omitted.

  68. Vuls Server really is the best. Summary: there are probably still bugs, so I'm waiting for your Issues.