New feature "Vuls Server" / Vuls Server
Patch management that starts with a one-liner
Teppei Fukuda
August 27, 2018
Transcript
New feature "Vuls Server": patch management that starts with a one-liner. Vuls祭り#4, @knqyf263

Self-introduction • Teppei Fukuda (@knqyf263) • Gold's Gym protein is far too tasty • once you have drunk it you cannot drink any other • fancy lunches in Ginza

Today's topics • The one and only way to get buff (cut for lack of time) • Introduction to Vuls Server

New features I was in charge of • NIRVANA integration → built it • Better CPE detection accuracy → built a matching library • Detecting vulnerabilities that have no patch yet → built a vulnerability DB construction tool • Server mode → built it. So, I built most of it.

Vuls so far. Remote scan (agent-less): a Vuls scan server sshes into each target server and scans it. Local scan (agent): Vuls scan server = target server, the scan runs on the host itself.

Several problems exist.

The "SSH refused" pattern. "I want to have Vuls SSH in and run a remote scan." "We are not letting some unknown tool SSH in. We already use Ansible, you know..." Give up and cry yourself to sleep.

The "binary install refused" pattern. "I want to install Vuls and run a local scan." "We do not install unknown binaries. Not unless we know what is inside..." Give up and cry yourself to sleep.

The "hard to aggregate results" pattern. Because environments differ, Vuls gets installed several times: service A and service B each have their own Vuls scan server sshing into their target servers, and sometimes there is no network connectivity between them. How should the results be aggregated? The same with local scans: Scan, Scan, Scan... how do I aggregate the results? Does the vulnerability DB really have to be downloaded to every host?

For people like that: the new feature "Vuls Server".
Usage
$ vuls server -listen 0.0.0.0:5515
...
[Aug 25 20:17:45] INFO [localhost] Listening on 0.0.0.0:5515
Easy. Just POST the host's configuration information to this server and you are done.

Command example
$ curl -X POST --data-binary "`rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH} \n"`" http://192.168.33.1:5515/vuls
(The example above omits the headers, so it will not work as-is.) It POSTs the output of the rpm command; essentially that is all there is to it.

Flow: ① the server runs rpm, ② it HTTP POSTs the output to Vuls Server, ③ the scan result comes back in the response. What you do with the response (put it in a DB, whatever) is up to you. Vuls Server can also store the scan results itself.

Content-Type • text/plain: for hitting the server with curl and the like • application/json: for programs that format the data themselves and POST it

Endpoints • /vuls: where the JSON etc. is sent • /health: health check
The counterattack

The "SSH refused" pattern, revisited. "I want to have Vuls SSH in and run a remote scan." "We are not letting some unknown tool SSH in. We already use Ansible, you know..." "Ansible is fine, then (lol)." ① Ansible SSHes into the server and collects the configuration information, ② that information is HTTP POSTed to Vuls Server, which scans it and stores the result. Someone please build this as OSS.

The "binary install refused" pattern, revisited. "I want to install Vuls and run a local scan." "We do not install unknown binaries. Not unless we know what is inside..." "It is a one-liner; surely you can read it? (lol)" A one-liner is enough: the server runs rpm, curl HTTP POSTs the output, Vuls Server scans and stores the result. Just put a curl command or similar in cron.

The "hard to aggregate results" pattern, revisited. POST to Vuls Server to aggregate: Scan, Scan, Scan, Scan → Vuls Server stores everything. The vulnerability DB only needs to be downloaded to the server. Results can also be sent with the -to-http option:
$ vuls report -to-http vuls-server.local:5515
Easy.
Sample data
POST /vuls HTTP/1.1
User-Agent: XXX
Host: 192.168.33.1:5515
Content-Type: text/plain
X-Vuls-Server-Name: centos6.localdomain
X-Vuls-OS-Family: centos
X-Vuls-OS-Release: 6.9
X-Vuls-Kernel-Release: 2.6.32-696.30.1.el6.x86_64
Content-Length: 13802

cryptsetup-luks-libs 0 1.2.0 11.el6 x86_64
filesystem 0 2.4.30 3.el6 x86_64
hal 0 0.5.14 14.el6 x86_64
ncurses-base 0 5.7 4.20090207.el6 x86_64
...
The body is the rpm output as-is. It can also be sent as JSON.

rpm command
$ rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n"
...
bash 0 4.1.2 48.el6 x86_64
ncurses-base 0 5.7 4.20090207.el6 x86_64
abrt-tui 0 2.0.8 43.el6.centos x86_64
nss-softokn-freebl 0 3.14.3 23.3.el6_8 x86_64
rsyslog 0 5.8.10 10.el6_6 x86_64
libattr 0 2.4.44 7.el6 x86_64
hypervfcopyd 0 0 0.17.20150108git.el6 x86_64
dbus-libs 1 1.2.24 8.el6_6 x86_64
cronie-anacron 0 1.4.4 16.el6_8.2 x86_64
zip 0 3.0 1.el6_7.1 x86_64
...
One package per line.

X-Vuls-Server-Name header: the server name (pick whatever you like).

X-Vuls-OS-Family header: important. One of the fixed strings such as redhat, centos, debian, ubuntu.

X-Vuls-OS-Release header: important. A string such as 6.9 or 16.04.

X-Vuls-Kernel-Release header: affects detection accuracy. The current kernel release as obtained from uname -r.

HTTP headers • X-Vuls-Server-Name (optional) • servers are identified by this name, so giving two hosts the same name overwrites the stored result • X-Vuls-OS-Family (required) • redhat/centos/ubuntu/debian etc. • X-Vuls-OS-Release (required) • the release number such as 6.9 or 16.04 • X-Vuls-Kernel-Release header (required) • the value of uname -r, such as 2.6.32-696.30.1.el6.x86_64 • X-Vuls-Kernel-Release header (optional) • required only on Debian (roughly the 7th field from the left of the uname -a output)
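The deck's curl one-liner leaves out the headers Vuls Server needs. The script below is an added example, not code from the deck or the Vuls project: it sends the rpm inventory in the text/plain format shown above with the four documented headers, checks /health first, and refuses to send an inventory whose lines do not have the five expected fields. VULS_SERVER, the function names and the idea of passing OS family/release as arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the deck or the Vuls project): the deck's curl one-liner
# completed with the headers Vuls Server expects, suitable for a cron entry.
# Assumptions: VULS_SERVER holds host:port of a running `vuls server`; OS family
# and release are passed in by the operator (the deck lists accepted values only).
set -eu

VULS_SERVER="${VULS_SERVER:-192.168.33.1:5515}"   # address used in the deck's example

# Inventory in the deck's text/plain format: one package per line,
# "NAME EPOCHNUM VERSION RELEASE ARCH".
package_list() {
    rpm -qa --queryformat '%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n'
}

# Count non-empty lines on stdin that do not have exactly five fields; a truncated
# or garbled inventory would otherwise be stored under this server's name.
count_bad_lines() {
    awk 'NF > 0 && NF != 5 { bad++ } END { print bad + 0 }'
}

# Count the packages (non-empty lines) on stdin.
count_packages() {
    awk 'NF > 0 { n++ } END { print n + 0 }'
}

# /health is the deck's health-check endpoint: fail before collecting anything
# if the server is unreachable.
check_health() {
    curl -sSf -o /dev/null "http://${VULS_SERVER}/health"
}

# POST the inventory read from stdin. $1 server name, $2 OS family, $3 OS release.
# X-Vuls-Kernel-Release comes from uname -r, as the deck describes.
send_inventory() {
    curl -sSf -X POST \
        -H 'Content-Type: text/plain' \
        -H "X-Vuls-Server-Name: $1" \
        -H "X-Vuls-OS-Family: $2" \
        -H "X-Vuls-OS-Release: $3" \
        -H "X-Vuls-Kernel-Release: $(uname -r)" \
        --data-binary @- "http://${VULS_SERVER}/vuls"
}

main() {   # usage: script.sh <server-name> <os-family> <os-release>
    check_health
    inventory=$(package_list)
    bad=$(printf '%s\n' "$inventory" | count_bad_lines)
    [ "$bad" -eq 0 ] || { echo "refusing to send: $bad malformed line(s)" >&2; exit 1; }
    printf '%s\n' "$inventory" | send_inventory "$@"
}

if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

A cron line such as `0 3 * * * /usr/local/bin/vuls-post.sh centos6.localdomain centos 6.9` is the whole agent.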
Advanced

Integration with existing configuration management tools • Ansible • Chef • osquery • AWS Systems Manager • etc.

AWS Systems Manager Inventory Manager • "With AWS Systems Manager Inventory you can collect operating system (OS), application and instance metadata from Amazon EC2 instances, on-premises servers and virtual machines (VMs) in a hybrid environment. Querying that metadata lets you quickly see which instances are running the software and configuration required by your software policy and which instances need to be updated." https://docs.aws.amazon.com/ja_jp/systems-manager/latest/userguide/systems-manager-inventory.html

If the SSM agent is installed, it collects all sorts of information for you. Install it right away!

Installing the SSM agent • "SSM Agent is installed by default on the following Amazon EC2 Amazon Machine Images (AMIs):" • Windows Server (all SKUs) • Amazon Linux • Amazon Linux 2 • Ubuntu Server 16.04 • Ubuntu Server 18.04 https://docs.aws.amazon.com/ja_jp/systems-manager/latest/userguide/ssm-agent.html

Apparently it is already there. All you need to do is configure an IAM role (and set up Inventory).

AWS Systems Manager integration: ① some script fetches the configuration information from AWS Systems Manager Inventory Manager, ② it HTTP POSTs that information to Vuls Server, which scans it and stores the result. Fetch the information from AWS Systems Manager and throw it at Vuls Server.

Limitations of the SSM integration • I wrote it up as if it were the best thing ever, but there are limitations • It only works with RHEL/CentOS • Ubuntu/Debian need the source package information • Amazon Linux has no OVAL support yet • RHEL/CentOS do not ship with the SSM agent installed • though it installs with a single command

Proof of Concept • I wrote sample code: https://github.com/knqyf263/ssm-to-vuls • Given an EC2 instance ID and the address of a Vuls Server, it fetches the inventory, formats it as JSON and POSTs it to Vuls Server • It is proof-of-concept code and not fit for production use, so I hope you will all build the best tool out there.

Other configuration management tools should be integrable in the same way!!

So should everything just use Vuls Server?

Limitations of Vuls Server • Supported OS • RHEL/CentOS/Ubuntu/Debian • Amazon Linux and FreeBSD are not supported yet • Detection accuracy • in rare cases slightly worse than the agent • Additional information • the agent can also collect process information, package versions after an update, and so on

Still, it solves a wide range of problems. Best thing ever, after all.

Deploying it as a container on k8s is easy too (no time, so cut).

Vuls Server really is the best. Summary: there are probably still bugs, so Issues are welcome.