Slide 1
Slide 1 text
৽ػೳ "Vuls Server"
ʙϫϯϥΠφʔͰ࢝ΊΔύονϚωδϝϯτʙ
VulsࡇΓ#4
@knqyf263
Slide 2
Slide 2 text
ࣗݾհ
• ా మฏʢ@knqyf263ʣ
• ΰʔϧυδϜͷϓϩςΠϯ
ඒຯ͗͢͠Δ
• ҰҿΜͩΒଞͷҿΊ
ͳ͘ͳͬͨ
Slide 3
Slide 3 text
ຖۜ࠲ͰΦγϟϨϥϯν
Slide 4
Slide 4 text
ຊͷ༰
• ϚονϣΛͨͬͨ͢Ұͭͷํ๏
• Vuls Serverͷհ
͕࣌ؒͳ͍ͷͰׂѪ
Slide 5
Slide 5 text
৽ػೳ୲
• NIRVANA࿈ܞɹˠɹ࡞ͬͨ
• CPEݕਫ਼্ɹˠɹϚονϯάϥΠϒϥϦ࡞ͬͨ
• ύονະఏڙͷ੬ऑੑݕɹˠ ɹ੬ऑੑDBߏஙπʔϧ࡞ͬͨ
• αʔόϞʔυɹˠɹ࡞ͬͨ
େମ࡞ͬͨ
Slide 6
Slide 6 text
ैདྷͷVuls
Vuls Scan
Server
Target Server
Vuls Scan Server
=
Target Server
ssh
ϦϞʔτεΩϟϯ
(Agent-less)
ϩʔΧϧεΩϟϯ
(Agent)
Target Server
ssh
Scan
Vuls Scan Server
=
Target Server
Scan
Slide 7
Slide 7 text
ϦϞʔτεΩϟϯ
Scan
Server
ssh
Target Server
Target Server
ssh
Slide 8
Slide 8 text
ϩʔΧϧεΩϟϯ
Vuls Scan Server
=
Target Server
Scan
Vuls Scan Server
=
Target Server
Scan
Slide 9
Slide 9 text
͍͔ͭ͘ͷ͕ଘࡏ
Slide 10
Slide 10 text
SSHஅΒΕΔύλʔϯ
Slide 11
Slide 11 text
7VMTͰ44)ͯ͠
ϦϞʔτεΩϟϯ
͍ͨ͠Ͱ͢
ಘମͷΕͳ͍
πʔϧͰ44)ͤ͞·ͤΜ
Slide 12
Slide 12 text
"OTJCMFͳΒطʹ
ͬͯΔΜ͚ͩͲͶʙʙ
Slide 13
Slide 13 text
ٽ͖৸ೖΓ
Slide 14
Slide 14 text
όΠφϦΠϯετʔϧ
அΒΕΔύλʔϯ
Slide 15
Slide 15 text
7VMTΠϯετʔϧͯ͠
ϩʔΧϧεΩϟϯ
͍ͨ͠Ͱ͢
ಘମͷΕͳ͍
όΠφϦೖΕ·ͤΜ
Slide 16
Slide 16 text
த͕͔Βͳ͍ͱͶʙ
Slide 17
Slide 17 text
ٽ͖৸ೖΓ
Slide 18
Slide 18 text
݁ՌͷूʹࠔΔύλʔϯ
Slide 19
Slide 19 text
ڥ͕ҟͳΔͨΊෳVulsΛΠϯετʔϧ
Vuls Scan
Server
Target Server
ssh
αʔϏε A
Target Server
ssh
Vuls Scan
Server
Target Server
ssh
Target Server
ssh
αʔϏε B
ωοτϫʔΫతʹૄ௨ੑ͕ͳ͔ͬͨΓ
݁ՌΛͲ͏ू
ͨ͠Βྑ͍ͷʁ
Slide 20
Slide 20 text
ϩʔΧϧεΩϟϯ
Scan
݁ՌΛͲ͏ू
ͨ͠Βྑ͍ͷʁ
੬ऑੑ%#શͯʹμϯϩʔυ
͢Δඞཁ͕͋Δͷʁ
Scan Scan Scan
Slide 21
Slide 21 text
ͦΜͳਓʹ
৽ػೳ “Vuls Server”
Slide 22
Slide 22 text
͍ํ
$ vuls server -listen 0.0.0.0:5515
...
[Aug 25 20:17:45] INFO [localhost] Listening on 0.0.0.0:5515
؆୯
Slide 23
Slide 23 text
͜ͷαʔόʹରͯ͠
ߏใΛPOST͢Δ͚ͩͰOK
Slide 24
Slide 24 text
ίϚϯυྫ
$ curl -X POST --data-binary "`rpm -qa --queryformat
"%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}
\n"`" http://192.168.33.1:5515/vuls
ʢ্ͷྫͰϔομΛলུ͍ͯ͠ΔͷͰಈ͔ͳ͍ʣ
SQNίϚϯυͷ݁ՌΛ1045͍ͯ͠Δ
ຊ࣭తʹ͜Ε͚ͩ
Slide 25
Slide 25 text
Vuls Server
Server
ᶄ)5511045
ᶅεΩϟϯ݁Ռ
ᶃrpm࣮ߦ
Ϩεϙϯε%#ʹೖΕΔͳΓͳΜͳΓࣗ༝
Slide 26
Slide 26 text
Vuls Server
Server
)5511045
rpm࣮ߦ
อଘ
εΩϟϯ݁ՌΛαʔόʹอଘ͢Δ͜ͱՄೳ
Slide 27
Slide 27 text
Content-Type
• text/plain
• curlͱ͔Ͱୟ͘༻
• application/json
• ϓϩάϥϜͰܗͯ͠POST͢Δ༻
Slide 28
Slide 28 text
Endpoint
• /vuls
• JSONͱ͔ͷ͛ઌ
• /health
• ϔϧενΣοΫ༻
Slide 29
Slide 29 text
ٯऻฤ
Slide 30
Slide 30 text
SSHஅΒΕΔύλʔϯ
Slide 31
Slide 31 text
7VMTͰ44)ͯ͠
ϦϞʔτεΩϟϯ
͍ͨ͠Ͱ͢
ಘମͷΕͳ͍
πʔϧͰ44)ͤ͞·ͤΜ
Slide 32
Slide 32 text
"OTJCMFͳΒطʹ
ͬͯΔΜ͚ͩͲͶʙʙ
Slide 33
Slide 33 text
"OTJCMFͰ
ྑ͍Ͱ͢Αʢসʣ
Slide 34
Slide 34 text
Vuls Server
Server
ᶄ)5511045
εΩϟϯͯ͠อଘ
ᶃ44)
"OTJCMFͰऩूͨ͠ߏใΛ7VMT4FSWFSʹ͛Δ
୭͔044Ͱ
࡞ͬͯཉ͍͠
Slide 35
Slide 35 text
όΠφϦΠϯετʔϧ
அΒΕΔύλʔϯ
Slide 36
Slide 36 text
7VMTΠϯετʔϧ͠
ͯϩʔΧϧεΩϟϯ
͍ͨ͠Ͱ͢
ಘମͷΕͳ͍
όΠφϦೖΕ·ͤΜ
Slide 37
Slide 37 text
த͕͔Βͳ͍ͱͶʙ
Slide 38
Slide 38 text
ϫϯϥΠφʔͰ͚͢Ͳ
ཧղͰ͖·ͤΜ͔ʁʢসʣ
Slide 39
Slide 39 text
ϫϯϥΠφʔͰOK
Server
)5511045
rpm࣮ߦ
εΩϟϯͯ͠อଘ
curl
DVSMͳͲͷίϚϯυΛDSPOʹઃఆ͢Δ͚ͩ
Slide 40
Slide 40 text
݁ՌͷूʹࠔΔύλʔϯ
Slide 41
Slide 41 text
ϩʔΧϧεΩϟϯ
Scan
݁ՌΛͲ͏ू
ͨ͠Βྑ͍ͷʁ
੬ऑੑ%#શͯʹμϯϩʔυ
͢Δඞཁ͕͋Δͷʁ
Scan Scan Scan
Slide 42
Slide 42 text
Vuls ServerʹPOSTͯ͠ू
Scan
Scan
Scan
Scan
Server
อଘ
੬ऑੑ%#αʔόʹ͚ͩ
μϯϩʔυ͢Ε0,
Slide 43
Slide 43 text
-to-httpΦϓγϣϯͰૹ৴Մೳ
$ vuls report -to-http vuls-server.local:5515
؆୯
Slide 44
Slide 44 text
αϯϓϧσʔλ
POST /vuls HTTP/1.1
User-Agent: XXX
Host: 192.168.33.1:5515
Content-Type: text/plain
X-Vuls-Server-Name: centos6.localdomain
X-Vuls-OS-Family: centos
X-Vuls-OS-Release: 6.9
X-Vuls-Kernel-Release: 2.6.32-696.30.1.el6.x86_64
Content-Length: 13802
cryptsetup-luks-libs 0 1.2.0 11.el6 x86_64
filesystem 0 2.4.30 3.el6 x86_64
hal 0 0.5.14 14.el6 x86_64
ncurses-base 0 5.7 4.20090207.el6 x86_64
...
SQNίϚϯυͷ
݁Ռͦͷ··
+40/ͰૹΔ͜ͱՄೳ
Slide 45
Slide 45 text
rpmίϚϯυ
$ rpm -qa --queryformat "%{NAME} %{EPOCHNUM} %{VERSION} %{RELEASE} %{ARCH}\n"
...
bash 0 4.1.2 48.el6 x86_64
ncurses-base 0 5.7 4.20090207.el6 x86_64
abrt-tui 0 2.0.8 43.el6.centos x86_64
nss-softokn-freebl 0 3.14.3 23.3.el6_8 x86_64
rsyslog 0 5.8.10 10.el6_6 x86_64
libattr 0 2.4.44 7.el6 x86_64
hypervfcopyd 0 0 0.17.20150108git.el6 x86_64
dbus-libs 1 1.2.24 8.el6_6 x86_64
cronie-anacron 0 1.4.4 16.el6_8.2 x86_64
zip 0 3.0 1.el6_7.1 x86_64
...
ߦύοέʔδ
Slide 46
Slide 46 text
X-Vuls-Server-Nameϔομ
POST /vuls HTTP/1.1
User-Agent: XXX
Host: 192.168.33.1:5515
Content-Type: text/plain
X-Vuls-Server-Name: centos6.localdomain
X-Vuls-OS-Family: centos
X-Vuls-OS-Release: 6.9
X-Vuls-Kernel-Release: 2.6.32-696.30.1.el6.x86_64
Content-Length: 13802
cryptsetup-luks-libs 0 1.2.0 11.el6 x86_64
filesystem 0 2.4.30 3.el6 x86_64
hal 0 0.5.14 14.el6 x86_64
ncurses-base 0 5.7 4.20090207.el6 x86_64
...
αʔό໊ʢదʹܾΊͯྑ͍ʣ
Slide 47
Slide 47 text
X-Vuls-OS-Familyϔομ
POST /vuls HTTP/1.1
User-Agent: XXX
Host: 192.168.33.1:5515
Content-Type: text/plain
X-Vuls-Server-Name: centos6.localdomain
X-Vuls-OS-Family: centos
X-Vuls-OS-Release: 6.9
X-Vuls-Kernel-Release: 2.6.32-696.30.1.el6.x86_64
Content-Length: 13802
cryptsetup-luks-libs 0 1.2.0 11.el6 x86_64
filesystem 0 2.4.30 3.el6 x86_64
hal 0 0.5.14 14.el6 x86_64
ncurses-base 0 5.7 4.20090207.el6 x86_64
...
ॏཁ
SFEIBUDFOUPTEFCJBOVCVOUVͳͲͷܾΊΒΕͨจࣈྻ
Slide 48
Slide 48 text
X-Vuls-OS-Releaseϔομ
POST /vuls HTTP/1.1
User-Agent: XXX
Host: 192.168.33.1:5515
Content-Type: text/plain
X-Vuls-Server-Name: centos6.localdomain
X-Vuls-OS-Family: centos
X-Vuls-OS-Release: 6.9
X-Vuls-Kernel-Release: 2.6.32-696.30.1.el6.x86_64
Content-Length: 13802
cryptsetup-luks-libs 0 1.2.0 11.el6 x86_64
filesystem 0 2.4.30 3.el6 x86_64
hal 0 0.5.14 14.el6 x86_64
ncurses-base 0 5.7 4.20090207.el6 x86_64
...
ॏཁ
ͱ͔ͳͲͷจࣈྻ
Slide 49
Slide 49 text
X-Vuls-Kernel-Releaseϔομ
POST /vuls HTTP/1.1
User-Agent: XXX
Host: 192.168.33.1:5515
Content-Type: text/plain
X-Vuls-Server-Name: centos6.localdomain
X-Vuls-OS-Family: centos
X-Vuls-OS-Release: 6.9
X-Vuls-Kernel-Release: 2.6.32-696.30.1.el6.x86_64
Content-Length: 13802
cryptsetup-luks-libs 0 1.2.0 11.el6 x86_64
filesystem 0 2.4.30 3.el6 x86_64
hal 0 0.5.14 14.el6 x86_64
ncurses-base 0 5.7 4.20090207.el6 x86_64
...
ݕਫ਼ʹӨڹ
VOBNFSͰಘΒΕΔݱࡏͷΧʔωϧϦϦʔε
Slide 50
Slide 50 text
HTTPϔομ
• X-Vuls-Server-Nameʢoptionalʣ
• ͜ͷͰαʔόΛࣝผ͍ͯ͠ΔͨΊɺಉ໊͡લΛ͚ͭΔͱอଘ࣌ʹ্ॻ͖͞ΕΔ
• X-Vuls-OS-Familyʢrequiredʣ
• redhat/centos/ubuntu/debianͳͲ
• X-Vuls-OS-Releaseʢrequiredʣ
• 6.916.04ͳͲͷϦϦʔε൪߸
• X-Vuls-Kernel-Releaseϔομʢrequiredʣ
• 2.6.32-696.30.1.el6.x86_64ͳͲͷuname -rͰಘΒΕΔ
• X-Vuls-Kernel-Releaseϔομʢoptionalʣ
• DebianͷΈඞਢʢuname -aͰಘΒΕΔࠨ͔Β7൪͙Β͍ͷʣ
Slide 51
Slide 51 text
ൃలฤ
Slide 52
Slide 52 text
طଘͷߏཧπʔϧͱͷ౷߹
• Ansible
• Chef
• osquery
• AWS Systems Manager
• etc.
Slide 53
Slide 53 text
AWS Systems Manager ΠϯϕϯτϦϚωʔδϟʔ
• AWS Systems Manager ΠϯϕϯτϦΛ༻ͯ͠ɺAmazon
EC2 Πϯελϯε͓ΑͼΦϯϓϨϛεαʔόʔɺ·ͨϋ
ΠϒϦουڥͷԾϚγϯ (VM) ͔ΒɺΦϖϨʔςΟϯά
γεςϜ (OS)ɺΞϓϦέʔγϣϯɺΠϯελϯεͷϝλ
σʔλΛऩूͰ͖·͢ɻϝλσʔλΛরձ͢ΔͱɺιϑτΣ
ΞϙϦγʔʹैͬͯιϑτΣΞͱઃఆΛ࣮ߦ͍ͯ͠ΔΠϯ
ελϯεͱɺߋ৽͕ඞཁͳΠϯελϯεΛ͘͢ѲͰ͖
·͢ɻ
IUUQTEPDTBXTBNB[PODPNKB@KQTZTUFNTNBOBHFSMBUFTUVTFSHVJEFTZTUFNTNBOBHFSJOWFOUPSZIUNM
Slide 54
Slide 54 text
SSMΤʔδΣϯτ͕
Πϯετʔϧ͞Ε͍ͯΕ
৭ʑใΛऩूͯ͘͠ΕΔ
Slide 55
Slide 55 text
ૣΠϯετʔϧͩʂ
Slide 56
Slide 56 text
SSMΤʔδΣϯτͷΠϯετʔϧ
• SSM ΤʔδΣϯτ ɺσϑΥϧτͰɺ࣍ͷ Amazon EC2 Amazon
Machine Image (AMI) ʹΠϯετʔϧ͞Ε·͢ɻ
• Windows Server (ͯ͢ͷ SKU)
• Amazon Linux
• Amazon Linux 2
• Ubuntu Server 16.04
• Ubuntu Server 18.04
IUUQTEPDTBXTBNB[PODPNKB@KQTZTUFNTNBOBHFSMBUFTUVTFSHVJEFTTNBHFOUIUNM
Slide 57
Slide 57 text
طʹೖͬͯΔΒ͍͠
Slide 58
Slide 58 text
IAMϩʔϧͷઃఆ
ʢͱΠϯϕϯτϦηοτΞοϓʣ
͚ͩ͢Εྑ͍
Slide 59
Slide 59 text
No content
Slide 60
Slide 60 text
AWS Systems Manager ࿈ܞ
Server
ᶄ)5511045
εΩϟϯͯ͠อଘ
ᶃߏใऔಘ
"844ZTUFNT.BOBHFS͔Βใऔಘͯ͠7VMT4FSWFSʹ͛Δ
"844ZTUFNT.BOBHFS
ΠϯϕϯτϦϚωʔδϟʔ
దͳεΫϦϓτ
Slide 61
Slide 61 text
SSM࿈ܞͷ੍
• ศར͗ͯ͢࠷ߴΈ͍ͨʹॻ͖·੍͕͕ͨ͋͠Γ·͢
• RHEL/CentOS͡Όͳ͍ͱಈ͖·ͤΜ
• Ubuntu/Debianιʔεύοέʔδ͕ඞཁͳͨΊ
• Amazon LinuxOVALະରԠ
• RHEL/CentOSSSMΤʔδΣϯτೖͬͯͳ͍
• ͱݴ͑1ίϚϯυͰೖΔ
Slide 62
Slide 62 text
Proof Of Concept
• αϯϓϧίʔυΛ࡞Γ·ͨ͠
https://github.com/knqyf263/ssm-to-vuls
• EC2ΠϯελϯεIDͱVuls ServerͷΞυϨεΛࢦఆ͢Δ
ͱΠϯϕϯτϦΛऔಘͯ͠JSONʹܗͯ͠Vuls Server
ʹPOST͠·͢
• ࣮ূίʔυͰ͋Γ࣮༻ʹ͑͏ΔͷͰͳ͍ͨΊɺ
օ͞Μ͕࠷ߴͷπʔϧΛ࡞ͬͯ͘ΕΔ͜ͱΛظ͠·͢
Slide 63
Slide 63 text
ಉ༷ʹଞͷߏཧπʔϧͱ
࿈ܞͰ͖Δͣʂʂ
Slide 64
Slide 64 text
શ෦Vuls ServerͰྑ͍ͷͰʁ
Slide 65
Slide 65 text
Vuls Serverͷ੍
• ରԠOS
• RHEL/CentOS/Ubuntu/Debian
• Amazon LinuxFreeBSDະରԠ
• ݕਫ਼
• ΤʔδΣϯτʹൺ͔ͯᷮʹྼΔ߹͕͋Δʢكʣ
• Ճใ
• ΤʔδΣϯτͰϓϩηεใߋ৽ޙͷύοέʔδόʔ
δϣϯͳͲऔಘ
Slide 66
Slide 66 text
ͱݴ༷͑ʑͳΛղܾՄೳ
Γ࠷ߴ
Slide 67
Slide 67 text
ίϯςφͱͯ͠LTʹσϓϩΠ͢Δͷ؆୯
࣌ؒͳ͍ͷͰׂѪ
Slide 68
Slide 68 text
ΓVuls Server࠷ߴ
·ͱΊ
ଟ·ͩόά͋ΔͷͰ*TTVFͬͯ·͢