新機能 "Vuls Server" / Vuls Server

Transcript

1. ৽ػೳ "Vuls Server" ʙϫϯϥΠφʔͰ࢝ΊΔύονϚωδϝϯτʙ VulsࡇΓ#4 @knqyf263

2. ࣗݾ঺հ • ෱ా మฏʢ@knqyf263ʣ • ΰʔϧυδϜͷϓϩςΠϯ ඒຯ͗͢͠Δ • Ұ౓ҿΜͩΒଞͷ͸ҿΊ ͳ͘ͳͬͨ

3. ຖ೔ۜ࠲ͰΦγϟϨϥϯν

4. ຊ೔ͷ಺༰ • ϚονϣΛ౗ͨͬͨ͢Ұͭͷํ๏ • Vuls Serverͷ঺հ ͕࣌ؒͳ͍ͷͰׂѪ

5. ৽ػೳ୲౰෼ • NIRVANA࿈ܞɹˠɹ࡞ͬͨ • CPEݕ஌ਫ਼౓޲্ɹˠɹϚονϯάϥΠϒϥϦ࡞ͬͨ • ύονະఏڙͷ੬ऑੑݕ஌ɹˠ ɹ੬ऑੑDBߏஙπʔϧ࡞ͬͨ • αʔόϞʔυɹˠɹ࡞ͬͨ

   େମ࡞ͬͨ

6. ैདྷͷVuls Vuls Scan Server Target Server Vuls Scan Server =

   Target Server ssh ϦϞʔτεΩϟϯ
 (Agent-less) ϩʔΧϧεΩϟϯ
 (Agent) Target Server ssh Scan Vuls Scan Server = Target Server Scan

7. ϦϞʔτεΩϟϯ Scan Server ssh Target Server Target Server ssh

8. ϩʔΧϧεΩϟϯ Vuls Scan Server = Target Server Scan Vuls Scan

   Server = Target Server Scan

9. ͍͔ͭ͘ͷ໰୊͕ଘࡏ

10. SSHஅΒΕΔύλʔϯ

11. 7VMTͰ44)ͯ͠
    ϦϞʔτεΩϟϯ ͍ͨ͠Ͱ͢ ಘମͷ஌Εͳ͍
    πʔϧͰ͸44)ͤ͞·ͤΜ

12. "OTJCMFͳΒطʹ
    ࢖ͬͯΔΜ͚ͩͲͶʙʙ

13. ٽ͖৸ೖΓ

14. όΠφϦΠϯετʔϧ அΒΕΔύλʔϯ

15. 7VMTΠϯετʔϧͯ͠ ϩʔΧϧεΩϟϯ
    ͍ͨ͠Ͱ͢ ಘମͷ஌Εͳ͍
    όΠφϦ͸ೖΕ·ͤΜ

16. த਎͕෼͔Βͳ͍ͱͶʙ

17. ٽ͖৸ೖΓ

18. ݁Ռͷू໿ʹࠔΔύλʔϯ

19. ؀ڥ͕ҟͳΔͨΊෳ਺VulsΛΠϯετʔϧ Vuls Scan Server Target Server ssh αʔϏε A Target

    Server ssh Vuls Scan Server Target Server ssh Target Server ssh αʔϏε B ωοτϫʔΫతʹૄ௨ੑ͕ͳ͔ͬͨΓ ݁ՌΛͲ͏ू໿
    ͨ͠Βྑ͍ͷʁ

20. ϩʔΧϧεΩϟϯ Scan ݁ՌΛͲ͏ू໿ ͨ͠Βྑ͍ͷʁ ੬ऑੑ%#͸શͯʹμ΢ϯϩʔυ ͢Δඞཁ͕͋Δͷʁ Scan Scan Scan

21. ͦΜͳਓʹ͸ ৽ػೳ “Vuls Server”

22. ࢖͍ํ $ vuls server -listen 0.0.0.0:5515 ... [Aug 25 20:17:45]

    INFO [localhost] Listening on 0.0.0.0:5515 ؆୯

23. ͜ͷαʔόʹରͯ͠ ߏ੒৘ใΛPOST͢Δ͚ͩͰOK

24. ίϚϯυྫ $ curl -X POST --data-binary "`rpm -qa --queryformat "%{NAME}

    %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH} \n"`" http://192.168.33.1:5515/vuls ʢ্ͷྫͰ͸ϔομΛলུ͍ͯ͠ΔͷͰಈ͔ͳ͍ʣ SQNίϚϯυͷ݁ՌΛ1045͍ͯ͠Δ ຊ࣭తʹ͸͜Ε͚ͩ

25. Vuls Server Server ᶄ)551
    1045 ᶅεΩϟϯ݁Ռ ᶃrpm࣮ߦ Ϩεϙϯε͸%#ʹೖΕΔͳΓͳΜͳΓࣗ༝

26. Vuls Server Server )551
    1045 rpm࣮ߦ อଘ εΩϟϯ݁ՌΛαʔόʹอଘ͢Δ͜ͱ΋Մೳ

27. Content-Type • text/plain • curlͱ͔Ͱୟ͘༻ • application/json • ϓϩάϥϜͰ੔ܗͯ͠POST͢Δ༻

28. Endpoint • /vuls • JSONͱ͔ͷ౤͛ઌ • /health • ϔϧενΣοΫ༻

29. ٯऻฤ

30. SSHஅΒΕΔύλʔϯ

31. 7VMTͰ44)ͯ͠
    ϦϞʔτεΩϟϯ
    ͍ͨ͠Ͱ͢ ಘମͷ஌Εͳ͍
    πʔϧͰ͸44)ͤ͞·ͤΜ

32. "OTJCMFͳΒطʹ
    ࢖ͬͯΔΜ͚ͩͲͶʙʙ

33. "OTJCMFͰ
    ྑ͍Ͱ͢Αʢসʣ

34. Vuls Server Server ᶄ)551
    1045 εΩϟϯͯ͠อଘ ᶃ44) "OTJCMFͰऩूͨ͠ߏ੒৘ใΛ7VMT
    4FSWFSʹ౤͛Δ ୭͔044Ͱ
    ࡞ͬͯཉ͍͠

35. όΠφϦΠϯετʔϧ அΒΕΔύλʔϯ

36. 7VMTΠϯετʔϧ͠ ͯϩʔΧϧεΩϟϯ
    ͍ͨ͠Ͱ͢ ಘମͷ஌Εͳ͍
    όΠφϦ͸ೖΕ·ͤΜ

37. த਎͕෼͔Βͳ͍ͱͶʙ

38. ϫϯϥΠφʔͰ͚͢Ͳ
    ཧղͰ͖·ͤΜ͔ʁʢসʣ

39. ϫϯϥΠφʔͰOK Server )551
    1045 rpm࣮ߦ εΩϟϯͯ͠อଘ curl DVSMͳͲͷίϚϯυΛDSPOʹઃఆ͢Δ͚ͩ

40. ݁Ռͷू໿ʹࠔΔύλʔϯ

41. ϩʔΧϧεΩϟϯ Scan ݁ՌΛͲ͏ू໿ ͨ͠Βྑ͍ͷʁ ੬ऑੑ%#͸શͯʹμ΢ϯϩʔυ ͢Δඞཁ͕͋Δͷʁ Scan Scan Scan

42. Vuls ServerʹPOSTͯ͠ू໿ Scan Scan Scan Scan Server อଘ ੬ऑੑ%#͸αʔόʹ͚ͩ μ΢ϯϩʔυ͢Ε͹0,

43. -to-httpΦϓγϣϯͰૹ৴Մೳ $ vuls report -to-http vuls-server.local:5515 ؆୯

44. αϯϓϧσʔλ POST /vuls HTTP/1.1 User-Agent: XXX Host: 192.168.33.1:5515 Content-Type: text/plain

    X-Vuls-Server-Name: centos6.localdomain X-Vuls-OS-Family: centos X-Vuls-OS-Release: 6.9 X-Vuls-Kernel-Release: 2.6.32-696.30.1.el6.x86_64 Content-Length: 13802 cryptsetup-luks-libs 0 1.2.0 11.el6 x86_64 filesystem 0 2.4.30 3.el6 x86_64 hal 0 0.5.14 14.el6 x86_64 ncurses-base 0 5.7 4.20090207.el6 x86_64 ... SQNίϚϯυͷ
    ݁Ռͦͷ·· +40/ͰૹΔ͜ͱ΋Մೳ

45. rpmίϚϯυ $ rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n"

    ... bash 0 4.1.2 48.el6 x86_64 ncurses-base 0 5.7 4.20090207.el6 x86_64 abrt-tui 0 2.0.8 43.el6.centos x86_64 nss-softokn-freebl 0 3.14.3 23.3.el6_8 x86_64 rsyslog 0 5.8.10 10.el6_6 x86_64 libattr 0 2.4.44 7.el6 x86_64 hypervfcopyd 0 0 0.17.20150108git.el6 x86_64 dbus-libs 1 1.2.24 8.el6_6 x86_64 cronie-anacron 0 1.4.4 16.el6_8.2 x86_64 zip 0 3.0 1.el6_7.1 x86_64 ... ߦύοέʔδ
    

46. X-Vuls-Server-Nameϔομ POST /vuls HTTP/1.1 User-Agent: XXX Host: 192.168.33.1:5515 Content-Type: text/plain

    X-Vuls-Server-Name: centos6.localdomain X-Vuls-OS-Family: centos X-Vuls-OS-Release: 6.9 X-Vuls-Kernel-Release: 2.6.32-696.30.1.el6.x86_64 Content-Length: 13802 cryptsetup-luks-libs 0 1.2.0 11.el6 x86_64 filesystem 0 2.4.30 3.el6 x86_64 hal 0 0.5.14 14.el6 x86_64 ncurses-base 0 5.7 4.20090207.el6 x86_64 ... αʔό໊ʢద౰ʹܾΊͯྑ͍ʣ

47. X-Vuls-OS-Familyϔομ POST /vuls HTTP/1.1 User-Agent: XXX Host: 192.168.33.1:5515 Content-Type: text/plain

    X-Vuls-Server-Name: centos6.localdomain X-Vuls-OS-Family: centos X-Vuls-OS-Release: 6.9 X-Vuls-Kernel-Release: 2.6.32-696.30.1.el6.x86_64 Content-Length: 13802 cryptsetup-luks-libs 0 1.2.0 11.el6 x86_64 filesystem 0 2.4.30 3.el6 x86_64 hal 0 0.5.14 14.el6 x86_64 ncurses-base 0 5.7 4.20090207.el6 x86_64 ... ॏཁ SFEIBUDFOUPTEFCJBOVCVOUV
    ͳͲͷܾΊΒΕͨจࣈྻ

48. X-Vuls-OS-Releaseϔομ POST /vuls HTTP/1.1 User-Agent: XXX Host: 192.168.33.1:5515 Content-Type: text/plain

    X-Vuls-Server-Name: centos6.localdomain X-Vuls-OS-Family: centos X-Vuls-OS-Release: 6.9 X-Vuls-Kernel-Release: 2.6.32-696.30.1.el6.x86_64 Content-Length: 13802 cryptsetup-luks-libs 0 1.2.0 11.el6 x86_64 filesystem 0 2.4.30 3.el6 x86_64 hal 0 0.5.14 14.el6 x86_64 ncurses-base 0 5.7 4.20090207.el6 x86_64 ... ॏཁ ͱ͔ͳͲͷจࣈྻ

49. X-Vuls-Kernel-Releaseϔομ POST /vuls HTTP/1.1 User-Agent: XXX Host: 192.168.33.1:5515 Content-Type: text/plain

    X-Vuls-Server-Name: centos6.localdomain X-Vuls-OS-Family: centos X-Vuls-OS-Release: 6.9 X-Vuls-Kernel-Release: 2.6.32-696.30.1.el6.x86_64 Content-Length: 13802 cryptsetup-luks-libs 0 1.2.0 11.el6 x86_64 filesystem 0 2.4.30 3.el6 x86_64 hal 0 0.5.14 14.el6 x86_64 ncurses-base 0 5.7 4.20090207.el6 x86_64 ... ݕ஌ਫ਼౓ʹӨڹ VOBNF
    SͰಘΒΕΔݱࡏͷΧʔωϧϦϦʔε

50. HTTPϔομ • X-Vuls-Server-Nameʢoptionalʣ • ͜ͷ஋ͰαʔόΛࣝผ͍ͯ͠ΔͨΊɺಉ໊͡લΛ͚ͭΔͱอଘ࣌ʹ্ॻ͖͞ΕΔ • X-Vuls-OS-Familyʢrequiredʣ • redhat/centos/ubuntu/debianͳͲ •

    X-Vuls-OS-Releaseʢrequiredʣ • 6.9΍16.04ͳͲͷϦϦʔε൪߸ • X-Vuls-Kernel-Releaseϔομʢrequiredʣ • 2.6.32-696.30.1.el6.x86_64ͳͲͷuname -rͰಘΒΕΔ஋ • X-Vuls-Kernel-Releaseϔομʢoptionalʣ • DebianͷΈඞਢʢuname -aͰಘΒΕΔࠨ͔Β7൪໨͙Β͍ͷ஋ʣ

51. ൃలฤ

52. طଘͷߏ੒؅ཧπʔϧͱͷ౷߹ • Ansible • Chef • osquery • AWS Systems

    Manager • etc.

53. AWS Systems Manager ΠϯϕϯτϦϚωʔδϟʔ • AWS Systems Manager ΠϯϕϯτϦΛ࢖༻ͯ͠ɺAmazon EC2

    Πϯελϯε͓ΑͼΦϯϓϨϛεαʔόʔɺ·ͨ͸ϋ ΠϒϦου؀ڥͷԾ૝Ϛγϯ (VM) ͔ΒɺΦϖϨʔςΟϯά γεςϜ (OS)ɺΞϓϦέʔγϣϯɺΠϯελϯεͷϝλ σʔλΛऩूͰ͖·͢ɻϝλσʔλΛরձ͢Δͱɺιϑτ΢Σ ΞϙϦγʔʹैͬͯιϑτ΢ΣΞͱઃఆΛ࣮ߦ͍ͯ͠ΔΠϯ ελϯεͱɺߋ৽͕ඞཁͳΠϯελϯεΛ͢͹΍͘೺ѲͰ͖ ·͢ɻ IUUQTEPDTBXTBNB[PODPN[email protected]TZTUFNTNBOBHFSMBUFTUVTFSHVJEFTZTUFNTNBOBHFSJOWFOUPSZIUNM

54. SSMΤʔδΣϯτ͕ Πϯετʔϧ͞Ε͍ͯΕ͹ ৭ʑ৘ใΛऩूͯ͘͠ΕΔ

55. ૣ଎Πϯετʔϧͩʂ

56. SSMΤʔδΣϯτͷΠϯετʔϧ • SSM ΤʔδΣϯτ ͸ɺσϑΥϧτͰ͸ɺ࣍ͷ Amazon EC2 Amazon Machine Image

    (AMI) ʹΠϯετʔϧ͞Ε·͢ɻ • Windows Server (͢΂ͯͷ SKU) • Amazon Linux • Amazon Linux 2 • Ubuntu Server 16.04 • Ubuntu Server 18.04 IUUQTEPDTBXTBNB[PODPN[email protected]TZTUFNTNBOBHFSMBUFTUVTFSHVJEFTTNBHFOUIUNM

57. طʹೖͬͯΔΒ͍͠

58. IAMϩʔϧͷઃఆ ʢͱΠϯϕϯτϦηοτΞοϓʣ ͚ͩ͢Ε͹ྑ͍

59. None

60. AWS Systems Manager ࿈ܞ Server ᶄ)551
    1045 εΩϟϯͯ͠อଘ ᶃߏ੒৘ใऔಘ "84
    4ZTUFNT
    .BOBHFS͔Β৘ใऔಘͯ͠7VMT
    4FSWFSʹ౤͛Δ "84
    4ZTUFNT
    .BOBHFS
    
    

    ΠϯϕϯτϦϚωʔδϟʔ ద౰ͳεΫϦϓτ

61. SSM࿈ܞͷ੍໿ • ศར͗ͯ͢࠷ߴΈ͍ͨʹॻ͖·੍͕ͨ͠໿͕͋Γ·͢ • RHEL/CentOS͡Όͳ͍ͱಈ͖·ͤΜ • Ubuntu/Debian͸ιʔεύοέʔδ͕ඞཁͳͨΊ • Amazon Linux͸OVALະରԠ

    • RHEL/CentOS͸SSMΤʔδΣϯτೖͬͯͳ͍ • ͱ͸ݴ͑1ίϚϯυͰೖΔ

62. Proof Of Concept • αϯϓϧίʔυΛ࡞Γ·ͨ͠
 https://github.com/knqyf263/ssm-to-vuls • EC2ΠϯελϯεIDͱVuls ServerͷΞυϨεΛࢦఆ͢Δ ͱΠϯϕϯτϦΛऔಘͯ͠JSONʹ੔ܗͯ͠Vuls

    Server ʹPOST͠·͢ • ࣮ূίʔυͰ͋Γ࣮༻ʹ଱͑͏Δ΋ͷͰ͸ͳ͍ͨΊɺ օ͞Μ͕࠷ߴͷπʔϧΛ࡞ͬͯ͘ΕΔ͜ͱΛظ଴͠·͢

63. ಉ༷ʹଞͷߏ੒؅ཧπʔϧͱ΋ ࿈ܞͰ͖Δ͸ͣʂʂ

64. શ෦Vuls ServerͰྑ͍ͷͰ͸ʁ

65. Vuls Serverͷ੍໿ • ରԠOS • RHEL/CentOS/Ubuntu/Debian • Amazon Linux΍FreeBSD͸ະରԠ •

    ݕ஌ਫ਼౓ • ΤʔδΣϯτʹൺ΂͔ͯᷮʹྼΔ৔߹͕͋Δʢكʣ • ෇Ճ৘ใ • ΤʔδΣϯτͰ͸ϓϩηε৘ใ΍ߋ৽ޙͷύοέʔδόʔ δϣϯͳͲ΋औಘ

66. ͱ͸ݴ༷͑ʑͳ໰୊ΛղܾՄೳ ΍͸Γ࠷ߴ

67. ίϯςφͱͯ͠LTʹσϓϩΠ͢Δͷ΋؆୯ ࣌ؒͳ͍ͷͰׂѪ

68. ΍͸ΓVuls Server͸࠷ߴ ·ͱΊ ଟ෼·ͩόά͋ΔͷͰ*TTVF଴ͬͯ·͢