新機能 "Vuls Server" / Vuls Server

৽ػೳ "Vuls Server"
ʙϫϯϥΠφʔͰ࢝ΊΔύονϚωδϝϯτʙ
VulsࡇΓ#4
@knqyf263

View Slide

ࣗݾ঺հ
• ෱ా మฏʢ@knqyf263ʣ
• ΰʔϧυδϜͷϓϩςΠϯ
ඒຯ͗͢͠Δ
• Ұ౓ҿΜͩΒଞͷ͸ҿΊ
ͳ͘ͳͬͨ

View Slide

ຖ೔ۜ࠲ͰΦγϟϨϥϯν

View Slide

ຊ೔ͷ಺༰
• ϚονϣΛ౗ͨͬͨ͢Ұͭͷํ๏
• Vuls Serverͷ঺հ
͕࣌ؒͳ͍ͷͰׂѪ

View Slide

৽ػೳ୲౰෼
• NIRVANA࿈ܞɹˠɹ࡞ͬͨ
• CPEݕ஌ਫ਼౓޲্ɹˠɹϚονϯάϥΠϒϥϦ࡞ͬͨ
• ύονະఏڙͷ੬ऑੑݕ஌ɹˠ ɹ੬ऑੑDBߏஙπʔϧ࡞ͬͨ
• αʔόϞʔυɹˠɹ࡞ͬͨ
େମ࡞ͬͨ

View Slide

ैདྷͷVuls
Vuls Scan
Server
Target Server
Vuls Scan Server
=
Target Server
ssh
ϦϞʔτεΩϟϯ 
(Agent-less)
ϩʔΧϧεΩϟϯ 
(Agent)
Target Server
ssh
Scan
Vuls Scan Server
=
Target Server
Scan

View Slide

ϦϞʔτεΩϟϯ
Scan
Server
ssh
Target Server
Target Server
ssh

View Slide

ϩʔΧϧεΩϟϯ
Vuls Scan Server
=
Target Server
Scan
Vuls Scan Server
=
Target Server
Scan

View Slide

͍͔ͭ͘ͷ໰୊͕ଘࡏ

View Slide

SSHஅΒΕΔύλʔϯ

View Slide

7VMTͰ44)ͯ͠
ϦϞʔτεΩϟϯ
͍ͨ͠Ͱ͢
ಘମͷ஌Εͳ͍
πʔϧͰ͸44)ͤ͞·ͤΜ

View Slide

"OTJCMFͳΒطʹ
࢖ͬͯΔΜ͚ͩͲͶʙʙ

View Slide

ٽ͖৸ೖΓ

View Slide

όΠφϦΠϯετʔϧ
அΒΕΔύλʔϯ

View Slide

7VMTΠϯετʔϧͯ͠
ϩʔΧϧεΩϟϯ
͍ͨ͠Ͱ͢
ಘମͷ஌Εͳ͍
όΠφϦ͸ೖΕ·ͤΜ

View Slide

த਎͕෼͔Βͳ͍ͱͶʙ

View Slide

ٽ͖৸ೖΓ

View Slide

݁Ռͷू໿ʹࠔΔύλʔϯ

View Slide

؀ڥ͕ҟͳΔͨΊෳ਺VulsΛΠϯετʔϧ
Vuls Scan
Server
Target Server
ssh
αʔϏε A
Target Server
ssh
Vuls Scan
Server
Target Server
ssh
Target Server
ssh
αʔϏε B
ωοτϫʔΫతʹૄ௨ੑ͕ͳ͔ͬͨΓ
݁ՌΛͲ͏ू໿
ͨ͠Βྑ͍ͷʁ

View Slide

ϩʔΧϧεΩϟϯ
Scan
݁ՌΛͲ͏ू໿
ͨ͠Βྑ͍ͷʁ
੬ऑੑ%#͸શͯʹμ΢ϯϩʔυ
͢Δඞཁ͕͋Δͷʁ
Scan Scan Scan

View Slide

ͦΜͳਓʹ͸
৽ػೳ “Vuls Server”

View Slide

࢖͍ํ
$ vuls server -listen 0.0.0.0:5515
...
[Aug 25 20:17:45] INFO [localhost] Listening on 0.0.0.0:5515
؆୯

View Slide

͜ͷαʔόʹରͯ͠
ߏ੒৘ใΛPOST͢Δ͚ͩͰOK

View Slide

ίϚϯυྫ
$ curl -X POST --data-binary "`rpm -qa --queryformat
"%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}
\n"`" http://192.168.33.1:5515/vuls
ʢ্ͷྫͰ͸ϔομΛলུ͍ͯ͠ΔͷͰಈ͔ͳ͍ʣ
SQNίϚϯυͷ݁ՌΛ1045͍ͯ͠Δ
ຊ࣭తʹ͸͜Ε͚ͩ

View Slide

Vuls Server
Server
ᶄ)5511045
ᶅεΩϟϯ݁Ռ
ᶃrpm࣮ߦ
Ϩεϙϯε͸%#ʹೖΕΔͳΓͳΜͳΓࣗ༝

View Slide

Vuls Server
Server
)5511045
rpm࣮ߦ
อଘ
εΩϟϯ݁ՌΛαʔόʹอଘ͢Δ͜ͱ΋Մೳ

View Slide

Content-Type
• text/plain
• curlͱ͔Ͱୟ͘༻
• application/json
• ϓϩάϥϜͰ੔ܗͯ͠POST͢Δ༻

View Slide

Endpoint
• /vuls
• JSONͱ͔ͷ౤͛ઌ
• /health
• ϔϧενΣοΫ༻

View Slide

ٯऻฤ

View Slide

SSHஅΒΕΔύλʔϯ

View Slide

7VMTͰ44)ͯ͠
ϦϞʔτεΩϟϯ
͍ͨ͠Ͱ͢
ಘମͷ஌Εͳ͍
πʔϧͰ͸44)ͤ͞·ͤΜ

View Slide

"OTJCMFͳΒطʹ
࢖ͬͯΔΜ͚ͩͲͶʙʙ

View Slide

"OTJCMFͰ
ྑ͍Ͱ͢Αʢসʣ

View Slide

Vuls Server
Server
ᶄ)5511045
εΩϟϯͯ͠อଘ
ᶃ44)
"OTJCMFͰऩूͨ͠ߏ੒৘ใΛ7VMT4FSWFSʹ౤͛Δ
୭͔044Ͱ
࡞ͬͯཉ͍͠

View Slide

όΠφϦΠϯετʔϧ
அΒΕΔύλʔϯ

View Slide

7VMTΠϯετʔϧ͠
ͯϩʔΧϧεΩϟϯ
͍ͨ͠Ͱ͢
ಘମͷ஌Εͳ͍
όΠφϦ͸ೖΕ·ͤΜ

View Slide

த਎͕෼͔Βͳ͍ͱͶʙ

View Slide

ϫϯϥΠφʔͰ͚͢Ͳ
ཧղͰ͖·ͤΜ͔ʁʢসʣ

View Slide

ϫϯϥΠφʔͰOK
Server
)5511045
rpm࣮ߦ
εΩϟϯͯ͠อଘ
curl
DVSMͳͲͷίϚϯυΛDSPOʹઃఆ͢Δ͚ͩ

View Slide

݁Ռͷू໿ʹࠔΔύλʔϯ

View Slide

ϩʔΧϧεΩϟϯ
Scan
݁ՌΛͲ͏ू໿
ͨ͠Βྑ͍ͷʁ
੬ऑੑ%#͸શͯʹμ΢ϯϩʔυ
͢Δඞཁ͕͋Δͷʁ
Scan Scan Scan

View Slide

Vuls ServerʹPOSTͯ͠ू໿
Scan
Scan
Scan
Scan
Server
อଘ
੬ऑੑ%#͸αʔόʹ͚ͩ
μ΢ϯϩʔυ͢Ε͹0,

View Slide

-to-httpΦϓγϣϯͰૹ৴Մೳ
$ vuls report -to-http vuls-server.local:5515
؆୯

View Slide

αϯϓϧσʔλ
POST /vuls HTTP/1.1
User-Agent: XXX
Host: 192.168.33.1:5515
Content-Type: text/plain
X-Vuls-Server-Name: centos6.localdomain
X-Vuls-OS-Family: centos
X-Vuls-OS-Release: 6.9
X-Vuls-Kernel-Release: 2.6.32-696.30.1.el6.x86_64
Content-Length: 13802
cryptsetup-luks-libs 0 1.2.0 11.el6 x86_64
filesystem 0 2.4.30 3.el6 x86_64
hal 0 0.5.14 14.el6 x86_64
ncurses-base 0 5.7 4.20090207.el6 x86_64
...
SQNίϚϯυͷ
݁Ռͦͷ··
+40/ͰૹΔ͜ͱ΋Մೳ

View Slide

rpmίϚϯυ
$ rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n"
...
bash 0 4.1.2 48.el6 x86_64
ncurses-base 0 5.7 4.20090207.el6 x86_64
abrt-tui 0 2.0.8 43.el6.centos x86_64
nss-softokn-freebl 0 3.14.3 23.3.el6_8 x86_64
rsyslog 0 5.8.10 10.el6_6 x86_64
libattr 0 2.4.44 7.el6 x86_64
hypervfcopyd 0 0 0.17.20150108git.el6 x86_64
dbus-libs 1 1.2.24 8.el6_6 x86_64
cronie-anacron 0 1.4.4 16.el6_8.2 x86_64
zip 0 3.0 1.el6_7.1 x86_64
...
ߦύοέʔδ

View Slide

X-Vuls-Server-Nameϔομ
POST /vuls HTTP/1.1
User-Agent: XXX
Host: 192.168.33.1:5515
hal 0 0.5.14 14.el6 x86_64
ncurses-base 0 5.7 4.20090207.el6 x86_64
...
αʔό໊ʢద౰ʹܾΊͯྑ͍ʣ

View Slide

X-Vuls-OS-Familyϔομ
POST /vuls HTTP/1.1
User-Agent: XXX
Host: 192.168.33.1:5515
hal 0 0.5.14 14.el6 x86_64
ncurses-base 0 5.7 4.20090207.el6 x86_64
...
ॏཁ
SFEIBUDFOUPTEFCJBOVCVOUVͳͲͷܾΊΒΕͨจࣈྻ

View Slide

X-Vuls-OS-Releaseϔομ
POST /vuls HTTP/1.1
User-Agent: XXX
Host: 192.168.33.1:5515
hal 0 0.5.14 14.el6 x86_64
ncurses-base 0 5.7 4.20090207.el6 x86_64
...
ॏཁ
ͱ͔ͳͲͷจࣈྻ

View Slide

X-Vuls-Kernel-Releaseϔομ
POST /vuls HTTP/1.1
User-Agent: XXX
Host: 192.168.33.1:5515
hal 0 0.5.14 14.el6 x86_64
ncurses-base 0 5.7 4.20090207.el6 x86_64
...
ݕ஌ਫ਼౓ʹӨڹ
VOBNFSͰಘΒΕΔݱࡏͷΧʔωϧϦϦʔε

View Slide

HTTPϔομ
• X-Vuls-Server-Nameʢoptionalʣ
• ͜ͷ஋ͰαʔόΛࣝผ͍ͯ͠ΔͨΊɺಉ໊͡લΛ͚ͭΔͱอଘ࣌ʹ্ॻ͖͞ΕΔ
• X-Vuls-OS-Familyʢrequiredʣ
• redhat/centos/ubuntu/debianͳͲ
• X-Vuls-OS-Releaseʢrequiredʣ
• 6.9΍16.04ͳͲͷϦϦʔε൪߸
• X-Vuls-Kernel-Releaseϔομʢrequiredʣ
• 2.6.32-696.30.1.el6.x86_64ͳͲͷuname -rͰಘΒΕΔ஋
• X-Vuls-Kernel-Releaseϔομʢoptionalʣ
• DebianͷΈඞਢʢuname -aͰಘΒΕΔࠨ͔Β7൪໨͙Β͍ͷ஋ʣ

View Slide

ൃలฤ

View Slide

طଘͷߏ੒؅ཧπʔϧͱͷ౷߹
• Ansible
• Chef
• osquery
• AWS Systems Manager
• etc.

View Slide

AWS Systems Manager ΠϯϕϯτϦϚωʔδϟʔ
• AWS Systems Manager ΠϯϕϯτϦΛ࢖༻ͯ͠ɺAmazon
EC2 Πϯελϯε͓ΑͼΦϯϓϨϛεαʔόʔɺ·ͨ͸ϋ
ΠϒϦου؀ڥͷԾ૝Ϛγϯ (VM) ͔ΒɺΦϖϨʔςΟϯά
γεςϜ (OS)ɺΞϓϦέʔγϣϯɺΠϯελϯεͷϝλ
σʔλΛऩूͰ͖·͢ɻϝλσʔλΛরձ͢Δͱɺιϑτ΢Σ
ΞϙϦγʔʹैͬͯιϑτ΢ΣΞͱઃఆΛ࣮ߦ͍ͯ͠ΔΠϯ
ελϯεͱɺߋ৽͕ඞཁͳΠϯελϯεΛ͢͹΍͘೺ѲͰ͖
·͢ɻ
IUUQTEPDTBXTBNB[PODPNKB@KQTZTUFNTNBOBHFSMBUFTUVTFSHVJEFTZTUFNTNBOBHFSJOWFOUPSZIUNM

View Slide

SSMΤʔδΣϯτ͕
Πϯετʔϧ͞Ε͍ͯΕ͹
৭ʑ৘ใΛऩूͯ͘͠ΕΔ

View Slide

ૣ଎Πϯετʔϧͩʂ

View Slide

SSMΤʔδΣϯτͷΠϯετʔϧ
• SSM ΤʔδΣϯτ ͸ɺσϑΥϧτͰ͸ɺ࣍ͷ Amazon EC2 Amazon
Machine Image (AMI) ʹΠϯετʔϧ͞Ε·͢ɻ
• Windows Server (͢΂ͯͷ SKU)
• Amazon Linux
• Amazon Linux 2
• Ubuntu Server 16.04
• Ubuntu Server 18.04
IUUQTEPDTBXTBNB[PODPNKB@KQTZTUFNTNBOBHFSMBUFTUVTFSHVJEFTTNBHFOUIUNM

View Slide

طʹೖͬͯΔΒ͍͠

View Slide

IAMϩʔϧͷઃఆ
ʢͱΠϯϕϯτϦηοτΞοϓʣ
͚ͩ͢Ε͹ྑ͍

View Slide

View Slide

AWS Systems Manager ࿈ܞ
Server
ᶄ)5511045
εΩϟϯͯ͠อଘ
ᶃߏ੒৘ใऔಘ
"844ZTUFNT.BOBHFS͔Β৘ใऔಘͯ͠7VMT4FSWFSʹ౤͛Δ
"844ZTUFNT.BOBHFS
ΠϯϕϯτϦϚωʔδϟʔ
ద౰ͳεΫϦϓτ

View Slide

SSM࿈ܞͷ੍໿
• ศར͗ͯ͢࠷ߴΈ͍ͨʹॻ͖·੍͕ͨ͠໿͕͋Γ·͢
• RHEL/CentOS͡Όͳ͍ͱಈ͖·ͤΜ
• Ubuntu/Debian͸ιʔεύοέʔδ͕ඞཁͳͨΊ
• Amazon Linux͸OVALະରԠ
• RHEL/CentOS͸SSMΤʔδΣϯτೖͬͯͳ͍
• ͱ͸ݴ͑1ίϚϯυͰೖΔ

View Slide

Proof Of Concept
• αϯϓϧίʔυΛ࡞Γ·ͨ͠ 
https://github.com/knqyf263/ssm-to-vuls
• EC2ΠϯελϯεIDͱVuls ServerͷΞυϨεΛࢦఆ͢Δ
ͱΠϯϕϯτϦΛऔಘͯ͠JSONʹ੔ܗͯ͠Vuls Server
ʹPOST͠·͢
• ࣮ূίʔυͰ͋Γ࣮༻ʹ଱͑͏Δ΋ͷͰ͸ͳ͍ͨΊɺ
օ͞Μ͕࠷ߴͷπʔϧΛ࡞ͬͯ͘ΕΔ͜ͱΛظ଴͠·͢

View Slide

ಉ༷ʹଞͷߏ੒؅ཧπʔϧͱ΋
࿈ܞͰ͖Δ͸ͣʂʂ

View Slide

શ෦Vuls ServerͰྑ͍ͷͰ͸ʁ

View Slide

Vuls Serverͷ੍໿
• ରԠOS
• RHEL/CentOS/Ubuntu/Debian
• Amazon Linux΍FreeBSD͸ະରԠ
• ݕ஌ਫ਼౓
• ΤʔδΣϯτʹൺ΂͔ͯᷮʹྼΔ৔߹͕͋Δʢكʣ
• ෇Ճ৘ใ
• ΤʔδΣϯτͰ͸ϓϩηε৘ใ΍ߋ৽ޙͷύοέʔδόʔ
δϣϯͳͲ΋औಘ

View Slide

ͱ͸ݴ༷͑ʑͳ໰୊ΛղܾՄೳ
΍͸Γ࠷ߴ

View Slide

ίϯςφͱͯ͠LTʹσϓϩΠ͢Δͷ΋؆୯
࣌ؒͳ͍ͷͰׂѪ

View Slide

΍͸ΓVuls Server͸࠷ߴ
·ͱΊ
ଟ෼·ͩόά͋ΔͷͰ*TTVF଴ͬͯ·͢

View Slide

新機能 "Vuls Server" / Vuls Server

新機能 "Vuls Server" / Vuls Server

Teppei Fukuda

More Decks by Teppei Fukuda

Featured

Transcript