Upgrade to Pro — share decks privately, control downloads, hide ads and more …

脆弱性検知ツールVulsの導入をしてから半年経ってみて

Avatar for adachin0817 adachin0817
October 05, 2017

 脆弱性検知ツールVulsの導入をしてから半年経ってみて

Avatar for adachin0817

adachin0817

October 05, 2017
Tweet

More Decks by adachin0817

Other Decks in Technology

Transcript

  1. ࣗݾ঺հ ▸ Adachi Ryo ▸ @adachin0817 ▸ 2017/05~ ▸ ܦݧ

    
 ࣾ಺SE͔ΒϗεςΟϯάɺ 
 ΞυςΫͷΠϯϑϥΤϯδχΞ ▸ झຯ 
 HIPHOP
  2. SREνʔϜʹͳ͔ͬͯΒ ▸ ো֐ରԠ͸ϝϯόʔશһͰ ▸ infrastructure as code͸ඞਢ ▸ wikiͷॻ͖ํͳͲڭ͑Δ ▸

    ேձΛ࢝Ίͨ 
 ɾࡢ೔ԿΛ΍ͬͨͷ͔ 
 ɾࠓ೔ԿΛ΍Δͷ͔ 
 ɾԿʹͦΜͳʹϋϚ͍ͬͯΔͷ͔ 
 ɾڞ༗ࣄ߲ ▸ શϓϩδΣΫτରԠͰ͖ΔΑ͏ʹ
  3. VULSͱ͸ ▸ ʮVULnerability Scannerʯͷུ ▸ ϑϡʔνϟʔΞʔΩςΫτͷਆށࢯɺྛࢯʹΑΔ։ൃ ▸ Linuxαʔόʹଘࡏ͢Δ੬ऑੑΛεΩϟϯ ▸ OSύοέʔδ؅ཧର৅֎ͷϛυϧ΢ΣΞΛεΩϟϯ

    ▸ ΤʔδΣϯτϨεΞʔΩςΫνϟ(SSH) ▸ ઃఆϑΝΠϧͷςϯϓϨʔτࣗಈੜ੒ ▸ Email΍SlackͳͲ௨஌Մೳʢ೔ຊޠͰͷϨϙʔτ΋Մೳʣ
  4. Πϯετʔϧํ๏ ▸ ؆୯ͳͷͰׂѪ͍͖ͤͯͨͩ͞·͢ ▸ ࢀߟ͸ࢲͷϒϩάͰ ▸ https://blog.adachin.me/archives/5540 ▸ εΩϟϯ͍ͨ͠αʔόͰࣄલʹઃఆ͓ͯ͘͜͠ͱ 


    ɾvulsϢʔβ( ͳΜͰ΋)NOPASSʹsudoersݖݶΛ͚ͭΔ 
 ɾyum-plugin-changelog͕ೖ͍ͬͯΔ͜ͱ ▸ ↑͜͜Β΁Μ͸AnsibleԽ͓ͯ͘͠΂͖
  5. VULSίϚϯυ ▸ vulsσΟΫγϣφϦ(࠷৽੬ऑੑ৘ใߋ৽) 
 $ go-cve-dictionary fetchnvd -last2y 
 $

    go-cve-dictionary fetchjvn -latest ▸ vuls dryrun 
 $ vuls con fi gtest ▸ vuls εΩϟϯ 
 $ vuls scan ▸ ݁ՌΛαʔόͰ֬ೝ 
 $ vuls tui ▸ ݁ՌΛslackʹ௨஌ 
 $ vuls report -format-short-text -format-json -cvedb-path=$PWD/cve.sqlite3 -ovaldb- path=$PWD/oval.sqlite3 --lang=ja -to-slack -cvss-over=7
  6. VULS UPDATE TO 0.4.0 ▸ 2017/8/28 ▸ $ vuls -v

    
 vuls v0.4.0 0ba490c ▸ $ go version 
 go version go1.9 linux/amd64 ▸ Ξοϓσʔτ͠·ͨ͠ʂ
  7. VULS REPO V0.4.0 ▸ 0.4.0͔Βweb 
 αʔόΛ࣋ͨͳͯ͘΋ 
 OKʹʂ ▸

    goͷhttpύοέʔδͰ 
 ಈ͘(μΠδΣετೝূ΋) ▸ Port 5111