Half a year after introducing the vulnerability scanner Vuls (original title: 脆弱性検知ツールVulsの導入をしてから半年経ってみて)

adachin0817
October 05, 2017
Transcript

  1. Half a year after introducing the vulnerability scanner VULS
     RYO ADACHI (ADACHIN)

  2. Agenda
     ▸ Self-introduction; before I joined the company
     ▸ Since we became the infra SRE team
     ▸ The infra SRE team's main duties and the technologies we use
     ▸ What Vuls is; honestly, vulnerability handling is...
     ▸ Vuls architecture diagram and installation
     ▸ config.toml and Vuls commands
     ▸ VulsRepo, Vuls v0.4.0, and so on
     ▸ Summary

  3. Self-introduction
     ▸ @adachin0817
     ▸ 2017/05~: task management for the members, code review, evaluating new technologies,
       technical improvements, team management, etc.
     ▸ Background: in-house SE, then hosting, ad tech, and so on
     ▸ Hobby: HIPHOP. I even appeared on the radio with a crew from the Businessman Rap Tournament!
       https://note.mu/shiburadi/n/nb8bb15a2b7f1

  4. Before I joined
     ▸ The leader was simply too busy (no time to teach newcomers)
     ▸ There were infra members, but they were not working as a team
     ▸ Nobody on the team knew which middleware was in use
     ▸ No infra repository
     ▸ No infrastructure as code either
     ▸ Manual installs, or struggling along with the aws cli
     ▸ No infra wiki either
     X

  5. Let's act as an SRE team!!

  6. (Chapter 28) How to accelerate SRE growth: from newcomer to on-call, and beyond

  7. Definition of SRE
     ▸ Guarantees the reliability of the site (Site Reliability Engineer)... so uncool
     ▸ Carries two roles: operations work and improving the site's reliability
     ▸ Actively writes code
     ▸ Replaces operations with cloud services and automation

  8. What is expected of an SRE (1)
     ▸ Infrastructure skills
       From knowledge of network protocols such as TCP/IP and HTTP, through performance
       tuning, to knowledge of middleware features
     ▸ Application skills
       Knowledge of some programming language (Java, PHP, Python, Ruby, etc.),
       and of course infrastructure provisioning too

  9. What is expected of an SRE (2)
     ▸ Security knowledge
       A minimum level of security knowledge is a must (iptables, for example)
     ▸ Communication skills
       Development happens while sharing with and cooperating with the members and the
       development team (our leader is bad at communicating)

  10. SREs show distinctive strengths on top of engineering
     ▸ Strong reverse-engineering skills → understand how the system behaves
     ▸ The ability to think statistically → train to analyze and compare well
     ▸ Act flexibly as the situation demands → find the root cause!

  11. How we train SREs

  12. Since we became the infra SRE team
     ▸ Incident response goes to the newcomers (gives them a sense of ownership)
     ▸ Infrastructure as code is taken for granted
     ▸ Teach how to write the wiki, etc.
     ▸ Pull requests, lots of them
     ▸ Started a daily morning stand-up
       ・What did you do yesterday
       ・What will you do today
       ・What are you so stuck on
       ・Things to share
     ▸ Make every member able to handle every project

  13. Main duties of the infra SRE team
     ▸ Maintaining and improving availability of servers and middleware
     ▸ Improving performance of servers and middleware
     ▸ Log collection/visualization; building and operating the analytics platform (Quick Sight → Redash)
     ▸ Server provisioning (Terraform, Ansible)
     ▸ Ensuring security / handling vulnerabilities (Vuls)
     ▸ Maintaining development environments and the like (Vagrant, docker)
     ▸ 24-hour monitoring (zabbix)
     ▸ Process improvement as a DevOps team → migration to bitbucket, etc.

  14. Well then!

  15. Do you know VULS?

  16. (image only)

  17. No, not that one

  18. By the way, for those who have seen it

  19. What is VULS
     ▸ Short for "VULnerability Scanner"
     ▸ Developed by Kanbe and Hayashi of Future Architect
     ▸ Scans Linux servers for the vulnerabilities present on them
     ▸ Also scans middleware that is outside OS package management
     ▸ Agentless architecture (SSH)
     ▸ Auto-generates a configuration file template
     ▸ Can notify via Email, Slack, etc. (reports in Japanese are possible too)

  20. Honestly, vulnerability handling is...
     ▸ You get the information from the web or e-mail (easy to miss, then left untouched)
     ▸ Some servers are legacy, so "we don't have to deal with it"... (resignation)
     ▸ There might be other vulnerabilities too, so every server has to be investigated (belated panic)
     ▸ Just reading the vulnerability details makes you sleepy (sleep)
     ▸ Tedious work.... (about to cry)
     ▸ It's a pain (escaping reality)

  21. JVN vulnerability reports @JVNJP

  22. By the way
     ▸ Registrations in the JVN iPedia vulnerability countermeasure database
       [2017 Q2 (April to June)]: 70,996 entries!!!!!!!!!!!!!

  23. That is exactly why VULS is needed

  24. Architecture
     ▸ 2017/05~
     ▸ CentOS 6.9
     ▸ Zabbix 3.0.10
     ▸ Vuls v0.3.0
     ▸ Go v1.8.3

  25. So how do you install it!?

  26. Installation
     ▸ It's easy, so I'll skip it here lol
     ▸ For reference, see my blog (page-view farming)
       https://blog.adachin.me/wordpress/archives/5540
     ▸ Things to set up in advance on each server you want to scan
       ・Give the vuls user (any name will do) NOPASSWD sudoers rights
       ・Make sure yum-plugin-changelog is installed
     ▸ ↑ This part should be done with Ansible

  27. CONFIG.TOML

  28. VULS commands
     ▸ vuls dictionary (update to the latest vulnerability data)
       $ go-cve-dictionary fetchnvd -last2y
       $ go-cve-dictionary fetchjvn -latest
     ▸ vuls dry run
       $ vuls configtest
     ▸ vuls scan
       $ vuls scan
     ▸ Check the results on the server
       $ vuls tui
     ▸ Send the results to slack
       $ vuls report -format-short-text -format-json -cvedb-path=$PWD/cve.sqlite3 -ovaldb-path=$PWD/oval.sqlite3 --lang=ja -to-slack -cvss-over=7

  29. If you want to run it periodically
     ▸ Just put it in cron
     ▸ Each scan leaves output under results/, so delete the old ones (keep 5 generations)
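The commands from slides 28 and 29 strung together as one cron job, as an added example that is not from the deck or the Vuls project: it refreshes the dictionaries, runs configtest as a dry run, scans, reports to Slack with the deck's own flags, and then deletes all but the newest five result generations under results/. The paths (/opt/vuls holding config.toml, cve.sqlite3, oval.sqlite3 and results/) and the results/current symlink that Vuls points at the latest run are assumptions; the flags are the ones the deck uses with v0.3.0/v0.4.0, so check them against the version you run.

```shell
#!/bin/sh
# vuls-nightly.sh: added example, not part of the deck. Run from cron on the scan server:
#   0 3 * * * /opt/vuls/vuls-nightly.sh run >> /var/log/vuls-nightly.log 2>&1
set -eu

VULS_HOME="${VULS_HOME:-/opt/vuls}"          # assumption: holds config.toml, *.sqlite3, results/
KEEP_GENERATIONS="${KEEP_GENERATIONS:-5}"    # slide 29: keep 5 generations of results

# List scan-result directories under $1, oldest first. Vuls names each run by its
# timestamp, so lexical order is chronological; the "current" symlink that points at
# the newest run (assumed layout) is skipped so it is neither counted nor deleted.
list_results() {
  ls -1d "$1"/*/ 2>/dev/null | grep -v '/current/$' | sort || true
}

# Number of result generations currently kept under $1.
count_results() {
  list_results "$1" | grep -c . || true
}

# Delete everything except the newest $2 result generations under $1.
prune_results() {
  results_dir="$1"; keep="$2"
  total=$(count_results "$results_dir")
  excess=$((total - keep))
  [ "$excess" -gt 0 ] || return 0
  list_results "$results_dir" | head -n "$excess" | while IFS= read -r old; do
    rm -rf "$old"
  done
}

# The nightly pipeline: the commands from slide 28, in order.
run_vuls_nightly() {
  cd "$VULS_HOME"
  # 1. refresh the CVE dictionaries (NVD: last two years, JVN: latest)
  go-cve-dictionary fetchnvd -last2y
  go-cve-dictionary fetchjvn -latest
  # 2. dry run: verify SSH access, sudo and yum-plugin-changelog on every host in config.toml
  vuls configtest
  # 3. scan, then push only findings with CVSS >= 7 to Slack, in Japanese
  vuls scan
  vuls report -format-short-text -format-json \
    -cvedb-path="$PWD/cve.sqlite3" -ovaldb-path="$PWD/oval.sqlite3" \
    --lang=ja -to-slack -cvss-over=7
  # 4. keep results/ from growing without bound
  prune_results "$VULS_HOME/results" "$KEEP_GENERATIONS"
}

# Only run the pipeline when invoked as "vuls-nightly.sh run", so the functions can be
# sourced and exercised without touching the network or Slack.
case "${1:-}" in
  run) run_vuls_nightly ;;
esac
```

Running configtest before every scan is what catches a host whose sudoers entry or yum-plugin-changelog went missing, rather than finding out from a thinner report; the -cvss-over=7 threshold is the same triage line slide 41 draws, so the Slack channel only sees the findings that need a decision.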

  30. And then!

  31. VULS REPO
     ▸ Web UI
       I could not get this to work

  32. Asked VULS customer support
     (because I had been stuck for 2 weeks)

  33. VULS SLACK
     ▸ "A major version is about to come out, so update and try it!" they said
     ▸ Balus!! lol

  34. 2017/08/25 V0.4.0 RELEASE!

  35. VULS UPDATE TO 0.4.0
     ▸ 2017/8/28
     ▸ $ vuls -v
       vuls v0.4.0 0ba490c
     ▸ $ go version
       go version go1.9 linux/amd64
     ▸ Updated!

  36. VULS V0.4.0
     ▸ Scan accuracy greatly improved
     ▸ More information in the reports (fewer "?" entries)
     ▸ fast mode (no sudo, low load on the scanned server) is now the default

  37. VULS REPO V0.4.0
     ▸ From 0.4.0 you no longer need a separate web server!
     ▸ Runs on Go's http package (digest authentication too)
     ▸ Port 5111

  38. VULS REPO
     ▸ Visualizing the results makes it possible to judge how many vulnerabilities there are

  39. VULS vulnerability update flow diagram

  40. VULS/ZABBIX SERVER: about one month of performance

  41. How far do we go with vulnerability handling?
     ▸ Honestly, updating everything is too heavy a burden... (kernel reboots and so on) → there are many
     ▸ Servers that third parties could attack directly (anything hanging off the LB is a must)
     ▸ AWS is basically secure
     ▸ Even at "0 vulnerabilities" there are unknown ones.... (no way to know)
     ▸ Still, properly updating for vulnerabilities gives peace of mind

  42. Summary
     ▸ Introducing Vuls is easy and operating it is painless!
     ▸ Thanks to Vuls, we no longer forget vulnerability handling!
     ▸ vuls scan puts no load on the servers! No dedicated Vuls server needed either!
     ▸ From now on, Vuls is a must!
     ▸ Balus Balus Subaru!

  43. VULS's topknot (Kanbe-san)
     ▸ Thank you!

  44. Let's go!!!

  45. Thank you for listening!
      Image credits: Castle in the Sky (Laputa), ਕἝ