脆弱性検知ツールVulsの導入をしてから半年経ってみて

Transcript

1. ੬ऑੑݕ஌πʔϧVulsͷಋೖΛ ͔ͯ͠Β൒೥ܦͬͯΈͯ Adachi Ryo/SRE

2. ΞδΣϯμ ▸ ࣗݾ঺հɺࢲ͕ೖࣾ͢Δલ
   ▸ SREνʔϜʹͳ͔ͬͯΒ ▸ SREνʔϜͷओͳۀ຿ɺར༻͍ͯ͠Δٕज़ ▸ Vulsͱ͸ɺͿͬͪΌ͚੬ऑੑରԠͬͯ… ▸

   Vulsߏ੒ਤɺΠϯετʔϧํ๏ ▸ con fi g.tomlɺVulsίϚϯυ ▸ Vuls repo Vuls v0.4.0 ▸ ·ͱΊ

3. ࣗݾ঺հ ▸ Adachi Ryo ▸ @adachin0817 ▸ 2017/05~ ▸ ܦݧ

   
 ࣾ಺SE͔ΒϗεςΟϯάɺ 
 ΞυςΫͷΠϯϑϥΤϯδχΞ ▸ झຯ 
 HIPHOP

4. ࢲ͕ೖࣾ͢Δલ ▸ Πϯϑϥϝϯόʔ͕͍ΔͷʹνʔϜͱͯ͠׆ಈͯ͠ͳ͔ͬͨ ▸ ͲΜͳϛυϧ΢ΣΞ࢖ͬͯΔͳͲϝϯόʔ͕೺Ѳ͍ͯ͠ͳ͍ ▸ ΠϯϑϥϦϙδτϦ͕ͳ͍ ▸ infrastructure as

   code΋΍ͬͯͳ͍ ▸ खಈͰΠϯετʔϧ͔aws cliͰ؅ཧ͍ͯ͠Δ ▸ ଐਓԽ͍ͯ͠Δ

5. SREνʔϜ 
 ͱͯ͠ಈ͜͏ʂʂ

6. (28ষ) 
 SREͷ੒௕ΛՃ଎͢Δํ๏: ৽ਓ͔ΒΦϯίʔϧ୲ ౰ɺͦͯͦ͠ͷઌ΁

7. SREͷఆٛ ▸ αΠτͷ৴པੑΛอূ͢Δ(αΠτ৴པੑΤϯδχΞ) ▸ ӡ༻ۀ຿ͱαΠτͷ৴པੑ޲্ͷ2ͭͷ໾ׂΛ୲͏ ▸ ੵۃతʹίʔυΛهड़ ▸ ӡ༻ΛΫϥ΢υ΍ࣗಈԽʹஔ͖׵͑Δ

8. SREʹٻΊΒΕΔ΋ͷ ᶃ ▸ Πϯϑϥٕज़ 
 TCP/IPɺHTTPͳͲͷωοτϫʔΫϓϩτίϧʹ͍ͭͯͷ஌ ͔ࣝΒɺύϑΥʔϚϯεվળɺϛυϧ΢ΣΞͷػೳ஌ࣝ ▸ ΞϓϦέʔγϣϯٕज़ 


   Կ͔͠Βͷϓϩάϥϛϯάݴޠ஌ࣝ 
 ʢPHPɺPythonɺRubyͳͲʣ 
 ΋ͪΖΜΠϯϑϥϓϩϏδϣχϯά΋

9. SREʹٻΊΒΕΔ΋ͷ ᶄ ▸ ηΩϡϦςΟ஌ࣝ 
 ࠷௿ݶͷηΩϡϦςΟ஌ࣝ͸ඞਢ ▸ ίϛϡχέʔγϣϯೳྗ 
 ϝϯόʔ΍։ൃνʔϜͱͷڞ༗΍

   
 ڠྗ͠ͳ͕Β։ൃΛߦ͏ͨΊ

10. SRE͸ΤϯδχΞϦϯάʹՃ͑ͯಛ௃Λൃش͢Δ ▸ ༏ΕͨϦόʔεΤϯδχΞϦϯάͷεΩϧΛ࣋ͭ 
 →γεςϜͷಈ࡞Λཧղ͢Δ ▸ ౷ܭతʹߟ͑Δೳྗ͕ඞཁ 
 →෼ੳ΍ൺֱΛ͏·͘ߦ͑ΔΑ͏ʹ܇࿅͢Δ ▸

    ྟػԠมʹߦಈ 
 →ࠜຊతͳݪҼΛൃݟʂ 


11. SREڭҭํ๏

12. SREνʔϜʹͳ͔ͬͯΒ ▸ ো֐ରԠ͸ϝϯόʔશһͰ ▸ infrastructure as code͸ඞਢ ▸ wikiͷॻ͖ํͳͲڭ͑Δ ▸

    ேձΛ࢝Ίͨ 
 ɾࡢ೔ԿΛ΍ͬͨͷ͔ 
 ɾࠓ೔ԿΛ΍Δͷ͔ 
 ɾԿʹͦΜͳʹϋϚ͍ͬͯΔͷ͔ 
 ɾڞ༗ࣄ߲ ▸ શϓϩδΣΫτରԠͰ͖ΔΑ͏ʹ

13. SREνʔϜͷओͳۀ຿ ▸ αʔόɺϛυϧ΢ΣΞͷՄ༻ੑͷҡ࣋ɾ޲্ ▸ αʔόɺϛυϧ΢ΣΞͷύϑΥʔϚϯεͷ޲্ ▸ ϩάऩू/ՄࢹԽɺ෼ੳج൫ͷߏஙɺӡ༻(Redash) ▸ αʔόϓϩϏδϣχϯά(Terraform,Ansible) ▸

    ηΩϡϦςΟ/੬ऑੑͷ୲อ(Vuls) ▸ ։ൃ؀ڥͳͲͷϝϯς(Vagrant,docker) ▸ 24࣌ؒ؂ࢹରԠ(zabbix) ▸ DevOpsνʔϜͱͯ͠ۀ຿վળ

14. VULS஌ͬͯ·͔͢?

15. ҧ͍·͢

16. VULSͱ͸ ▸ ʮVULnerability Scannerʯͷུ ▸ ϑϡʔνϟʔΞʔΩςΫτͷਆށࢯɺྛࢯʹΑΔ։ൃ ▸ Linuxαʔόʹଘࡏ͢Δ੬ऑੑΛεΩϟϯ ▸ OSύοέʔδ؅ཧର৅֎ͷϛυϧ΢ΣΞΛεΩϟϯ

    ▸ ΤʔδΣϯτϨεΞʔΩςΫνϟ(SSH) ▸ ઃఆϑΝΠϧͷςϯϓϨʔτࣗಈੜ੒ ▸ Email΍SlackͳͲ௨஌Մೳʢ೔ຊޠͰͷϨϙʔτ΋Մೳʣ

17. ͿͬͪΌ͚੬ऑੑରԠͬͯ… ▸ ωοτ΍ϝʔϧͰ৘ใΛಘΔ(ݟಀ͕ͪ͠ɺ͔Βͷ์ஔ) ▸ αʔό͕ϨΨγʔͳͷ΋͋ΓɺରԠ͠ͳ͍͍ͯ͘ͱ͔… ▸ ଞʹ΋੬ऑੑ͋ΔͷͰ͸ͱશαʔό΋ௐࠪ͠ͳ͍ͱ͍͚ͳ͍ (ࠓߋযΓ) ▸ ੬ऑੑ಺༰Λ֬ೝ͢Δ͚ͩͰ຾͘ͳΔ

    ▸ ஍ຯͳ࡞ۀ

18. JVN ੬ऑੑϨϙʔτ @JVNJP

19. ͪͳΈʹ ▸ ੬ऑੑରࡦ৘ใσʔλϕʔεJVN iPediaͷొ࿥ঢ়گ [2017೥ ୈ2࢛൒ظʢ4݄ʙ6݄ʣ70,996݅ʂ

20. ߏ੒ਤ ▸ 2017/05~ ▸ CentOS 6.9 ▸ Zabbix3.0.10 ▸ Vuls

    v0.3.0 ▸ Go v1.8.3

21. Πϯετʔϧ ํ๏͸ʂʁ

22. Πϯετʔϧํ๏ ▸ ؆୯ͳͷͰׂѪ͍͖ͤͯͨͩ͞·͢ ▸ ࢀߟ͸ࢲͷϒϩάͰ ▸ https://blog.adachin.me/archives/5540 ▸ εΩϟϯ͍ͨ͠αʔόͰࣄલʹઃఆ͓ͯ͘͜͠ͱ 


    ɾvulsϢʔβ( ͳΜͰ΋)NOPASSʹsudoersݖݶΛ͚ͭΔ 
 ɾyum-plugin-changelog͕ೖ͍ͬͯΔ͜ͱ ▸ ↑͜͜Β΁Μ͸AnsibleԽ͓ͯ͘͠΂͖

23. CONFIG.TOML

24. VULSίϚϯυ ▸ vulsσΟΫγϣφϦ(࠷৽੬ऑੑ৘ใߋ৽) 
 $ go-cve-dictionary fetchnvd -last2y 
 $

    go-cve-dictionary fetchjvn -latest ▸ vuls dryrun 
 $ vuls con fi gtest ▸ vuls εΩϟϯ 
 $ vuls scan ▸ ݁ՌΛαʔόͰ֬ೝ 
 $ vuls tui ▸ ݁ՌΛslackʹ௨஌ 
 $ vuls report -format-short-text -format-json -cvedb-path=$PWD/cve.sqlite3 -ovaldb- path=$PWD/oval.sqlite3 --lang=ja -to-slack -cvss-over=7

25. ఆظతʹ࣮ߦ͍ͨ͠৔߹ ▸ cronʹ࢓ࠐΊ͹OK ▸ scan࣌ʹϩά͕results഑Լʹཷ·ΔͷͰ࡟আ(5ੈ୅)

26. VULS REPO ▸ Web UI 
 Load Error

27. VULS ΧελϚʔ 
 αϙʔτʹฉ͍ͯΈͨ 
 (2िؒϋϚͬͨͨΊ)

28. VULS SLACK ▸ ͳʹ΍Βେܕόʔδϣϯ 
 ग़Δ͔Β 
 Ξοϓͯ͠ࢼͯ͘͠Εͱʂ

29. 2017/08/25 
 V0.4.0 RELEASE!

30. VULS UPDATE TO 0.4.0 ▸ 2017/8/28 ▸ $ vuls -v

    
 vuls v0.4.0 0ba490c ▸ $ go version 
 go version go1.9 linux/amd64 ▸ Ξοϓσʔτ͠·ͨ͠ʂ

31. VULS V0.4.0 ▸ εΩϟϯਫ਼౓େ෯޲্ ▸ Ϩϙʔτͷ৘ใྔΞοϓ(?͕ݮΔ) ▸ fast(sudoͳ͠ɺ 
 αʔό௿ෛՙͷεΩϟϯϞʔυ)

    
 σϑΥϧτ

32. VULS REPO V0.4.0 ▸ 0.4.0͔Βweb 
 αʔόΛ࣋ͨͳͯ͘΋ 
 OKʹʂ ▸

    goͷhttpύοέʔδͰ 
 ಈ͘(μΠδΣετೝূ΋) ▸ Port 5111

33. VULS REPO ▸ ՄࢹԽ͢Δ͜ͱͰ੬ऑੑ͕Ͳͷ͘Β͍͋Δͷ͔൑அͰ͖Δ

34. VULS ੬ऑੑΞοϓσʔτϑϩʔਤ

35. VULS/ZABBIX SERVER ໿1ϲ݄ͷύϑΥʔϚϯε

36. Ͳ͜·Ͱ੬ऑੑରԠ͢Δͷ͔ ▸ ਖ਼௚͢΂ͯΞοϓσʔτ͢Δͷ͸ՙ͕ॏ͍… 
 (Kernel࠶ىಈͱ͔)→ଟ͍ͷͰߜΔඞཁ͕͋Δ ▸ ௚઀ୈࡾऀ͕߈ܸ͠΍ͦ͢͏ͳαʔό 
 (LBͿΒԼ͕ͬͯΔ΋ͷ͸Ϛετ) ▸

    ੬ऑੑ0ͱ͍ͬͯ΋ະ஌ͷ΋ͷ΋͋Δ ▸ Ͱ΋੬ऑੑ͸ͪΌΜͱΞοϓσʔτ͢Δํ͕҆৺

37. ·ͱΊ ▸ Vulsͷಋೖ͸؆୯ͰӡӦ΋ָͪΜʂ ▸ Vulsͷ͓͔͛Ͱ੬ऑੑରԠΛ๨Εͳ͍ʂ ▸ vuls scan࣌ʹෛՙ΋ͳ͍ʂVulsઐ༻αʔό΋͍Βͳ͍! ▸ ͜Ε͔Β͸Vulsඞਢʂ

38. ߦ͖·͠ΐ͏ʂʂʂ

39. ͝ਗ਼ௌ 
 ͋Γ͕ͱ͏ 
 ͍͟͝·ͨ͠!