脆弱性検知ツールVulsの導入をしてから半年経ってみて
adachi.ryo
October 05, 2017
Technology
Transcript
੬ऑੑݕπʔϧVulsͷಋೖΛ ͔ͯ͠ΒܦͬͯΈͯ Adachi Ryo/SRE
ΞδΣϯμ ▸ ࣗݾհɺࢲ͕ೖࣾ͢Δલ ▸ SREνʔϜʹͳ͔ͬͯΒ ▸ SREνʔϜͷओͳۀɺར༻͍ͯ͠Δٕज़ ▸ VulsͱɺͿͬͪΌ͚੬ऑੑରԠͬͯ… ▸
VulsߏਤɺΠϯετʔϧํ๏ ▸ config.tomlɺVulsίϚϯυ ▸ Vuls repo Vuls v0.4.0 ▸ ·ͱΊ
ࣗݾհ ▸ Adachi Ryo ▸ @adachin0817 ▸ 2017/05~ ▸ ܦݧ
ࣾSE͔ΒϗεςΟϯάɺ ΞυςΫͷΠϯϑϥΤϯδχΞ ▸ झຯ HIPHOP
ࢲ͕ೖࣾ͢Δલ ▸ Πϯϑϥϝϯόʔ͕͍ΔͷʹνʔϜͱͯ͠׆ಈͯ͠ͳ͔ͬͨ ▸ ͲΜͳϛυϧΣΞͬͯΔͳͲϝϯόʔ͕Ѳ͍ͯ͠ͳ͍ ▸ ΠϯϑϥϦϙδτϦ͕ͳ͍ ▸ infrastructure as
codeͬͯͳ͍ ▸ खಈͰΠϯετʔϧ͔aws cliͰཧ͍ͯ͠Δ ▸ ଐਓԽ͍ͯ͠Δ
SREνʔϜ ͱͯ͠ಈ͜͏ʂʂ
(28ষ) SREͷΛՃ͢Δํ๏: ৽ਓ͔ΒΦϯίʔϧ୲ ɺͦͯͦ͠ͷઌ
SREͷఆٛ ▸ αΠτͷ৴པੑΛอূ͢Δ(αΠτ৴པੑΤϯδχΞ) ▸ ӡ༻ۀͱαΠτͷ৴པੑ্ͷ2ͭͷׂΛ୲͏ ▸ ੵۃతʹίʔυΛهड़ ▸ ӡ༻ΛΫϥυࣗಈԽʹஔ͖͑Δ
SREʹٻΊΒΕΔͷ ᶃ ▸ Πϯϑϥٕज़ TCP/IPɺHTTPͳͲͷωοτϫʔΫϓϩτίϧʹ͍ͭͯͷ ͔ࣝΒɺύϑΥʔϚϯεվળɺϛυϧΣΞͷػೳࣝ ▸ ΞϓϦέʔγϣϯٕज़
Կ͔͠Βͷϓϩάϥϛϯάݴޠࣝ ʢPHPɺPythonɺRubyͳͲʣ ͪΖΜΠϯϑϥϓϩϏδϣχϯά
SREʹٻΊΒΕΔͷ ᶄ ▸ ηΩϡϦςΟࣝ ࠷ݶͷηΩϡϦςΟࣝඞਢ ▸ ίϛϡχέʔγϣϯೳྗ ϝϯόʔ։ൃνʔϜͱͷڞ༗
ڠྗ͠ͳ͕Β։ൃΛߦ͏ͨΊ
SREΤϯδχΞϦϯάʹՃ͑ͯಛΛൃش͢Δ ▸ ༏ΕͨϦόʔεΤϯδχΞϦϯάͷεΩϧΛ࣋ͭ →γεςϜͷಈ࡞Λཧղ͢Δ ▸ ౷ܭతʹߟ͑Δೳྗ͕ඞཁ →ੳൺֱΛ͏·͘ߦ͑ΔΑ͏ʹ܇࿅͢Δ ▸
ྟػԠมʹߦಈ →ࠜຊతͳݪҼΛൃݟʂ
SREڭҭํ๏
SREνʔϜʹͳ͔ͬͯΒ ▸ োରԠϝϯόʔશһͰ ▸ infrastructure as codeඞਢ ▸ wikiͷॻ͖ํͳͲڭ͑Δ ▸
ேձΛ࢝Ίͨ ɾࡢԿΛͬͨͷ͔ ɾࠓԿΛΔͷ͔ ɾԿʹͦΜͳʹϋϚ͍ͬͯΔͷ͔ ɾڞ༗ࣄ߲ ▸ શϓϩδΣΫτରԠͰ͖ΔΑ͏ʹ
SREνʔϜͷओͳۀ ▸ αʔόɺϛυϧΣΞͷՄ༻ੑͷҡ࣋ɾ্ ▸ αʔόɺϛυϧΣΞͷύϑΥʔϚϯεͷ্ ▸ ϩάऩू/ՄࢹԽɺੳج൫ͷߏஙɺӡ༻(Redash) ▸ αʔόϓϩϏδϣχϯά(Terraform,Ansible) ▸
ηΩϡϦςΟ/੬ऑੑͷ୲อ(Vuls) ▸ ։ൃڥͳͲͷϝϯς(Vagrant,docker) ▸ 24࣌ؒࢹରԠ(zabbix) ▸ DevOpsνʔϜͱͯ͠ۀվળ
VULSͬͯ·͔͢?
ҧ͍·͢
VULSͱ ▸ ʮVULnerability Scannerʯͷུ ▸ ϑϡʔνϟʔΞʔΩςΫτͷਆށࢯɺྛࢯʹΑΔ։ൃ ▸ Linuxαʔόʹଘࡏ͢Δ੬ऑੑΛεΩϟϯ ▸ OSύοέʔδཧର֎ͷϛυϧΣΞΛεΩϟϯ
▸ ΤʔδΣϯτϨεΞʔΩςΫνϟ(SSH) ▸ ઃఆϑΝΠϧͷςϯϓϨʔτࣗಈੜ ▸ EmailSlackͳͲ௨ՄೳʢຊޠͰͷϨϙʔτՄೳʣ
ͿͬͪΌ͚੬ऑੑରԠͬͯ… ▸ ωοτϝʔϧͰใΛಘΔ(ݟಀ͕ͪ͠ɺ͔Βͷ์ஔ) ▸ αʔό͕ϨΨγʔͳͷ͋ΓɺରԠ͠ͳ͍͍ͯ͘ͱ͔… ▸ ଞʹ੬ऑੑ͋ΔͷͰͱશαʔόௐࠪ͠ͳ͍ͱ͍͚ͳ͍ (ࠓߋযΓ) ▸ ੬ऑੑ༰Λ֬ೝ͢Δ͚ͩͰ͘ͳΔ
▸ ຯͳ࡞ۀ
JVN ੬ऑੑϨϙʔτ @JVNJP
ͪͳΈʹ ▸ ੬ऑੑରࡦใσʔλϕʔεJVN iPediaͷొঢ়گ [2017 ୈ2࢛ظʢ4݄ʙ6݄ʣ70,996݅ʂ
ߏਤ ▸ 2017/05~ ▸ CentOS 6.9 ▸ Zabbix3.0.10 ▸ Vuls
v0.3.0 ▸ Go v1.8.3
Πϯετʔϧ ํ๏ʂʁ
Πϯετʔϧํ๏ ▸ ؆୯ͳͷͰׂѪ͍͖ͤͯͨͩ͞·͢ ▸ ࢀߟࢲͷϒϩάͰ ▸ https://blog.adachin.me/archives/5540 ▸ εΩϟϯ͍ͨ͠αʔόͰࣄલʹઃఆ͓ͯ͘͜͠ͱ
ɾvulsϢʔβ( ͳΜͰ)NOPASSʹsudoersݖݶΛ͚ͭΔ ɾyum-plugin-changelog͕ೖ͍ͬͯΔ͜ͱ ▸ ↑͜͜ΒΜAnsibleԽ͓͖ͯ͘͠
CONFIG.TOML
VULSίϚϯυ ▸ vulsσΟΫγϣφϦ(࠷৽੬ऑੑใߋ৽) $ go-cve-dictionary fetchnvd -last2y $ go-cve-dictionary fetchjvn -latest ▸ vuls dryrun $ vuls configtest ▸ vuls εΩϟϯ $ vuls scan ▸ ݁ՌΛαʔόͰ֬ೝ $ vuls tui ▸ ݁ՌΛslackʹ௨ $ vuls report -format-short-text -format-json -cvedb-path=$PWD/cve.sqlite3 -ovaldb-path=$PWD/oval.sqlite3 --lang=ja -to-slack -cvss-over=7
ఆظతʹ࣮ߦ͍ͨ͠߹ ▸ cronʹࠐΊOK ▸ scan࣌ʹϩά͕resultsԼʹཷ·ΔͷͰআ(5ੈ)
VULS REPO ▸ Web UI Load Error
VULS ΧελϚʔ αϙʔτʹฉ͍ͯΈͨ (2िؒϋϚͬͨͨΊ)
VULS SLACK ▸ ͳʹΒେܕόʔδϣϯ ग़Δ͔Β Ξοϓͯ͠ࢼͯ͘͠Εͱʂ
2017/08/25 V0.4.0 RELEASE!
VULS UPDATE TO 0.4.0 ▸ 2017/8/28 ▸ $ vuls -v
vuls v0.4.0 0ba490c ▸ $ go version go version go1.9 linux/amd64 ▸ Ξοϓσʔτ͠·ͨ͠ʂ
VULS V0.4.0 ▸ εΩϟϯਫ਼େ෯্ ▸ ϨϙʔτͷใྔΞοϓ(?͕ݮΔ) ▸ fast(sudoͳ͠ɺ αʔόෛՙͷεΩϟϯϞʔυ)
σϑΥϧτ
VULS REPO V0.4.0 ▸ 0.4.0͔Βweb αʔόΛ࣋ͨͳͯ͘ OKʹʂ ▸
goͷhttpύοέʔδͰ ಈ͘(μΠδΣετೝূ) ▸ Port 5111
VULS REPO ▸ ՄࢹԽ͢Δ͜ͱͰ੬ऑੑ͕Ͳͷ͘Β͍͋Δͷ͔அͰ͖Δ
VULS ੬ऑੑΞοϓσʔτϑϩʔਤ
VULS/ZABBIX SERVER 1ϲ݄ͷύϑΥʔϚϯε
Ͳ͜·Ͱ੬ऑੑରԠ͢Δͷ͔ ▸ ਖ਼ͯ͢Ξοϓσʔτ͢Δͷՙ͕ॏ͍… (Kernel࠶ىಈͱ͔)→ଟ͍ͷͰߜΔඞཁ͕͋Δ ▸ ୈࡾऀ͕߈ܸͦ͢͠͏ͳαʔό (LBͿΒԼ͕ͬͯΔͷϚετ) ▸
੬ऑੑ0ͱ͍ͬͯະͷͷ͋Δ ▸ Ͱ੬ऑੑͪΌΜͱΞοϓσʔτ͢Δํ͕҆৺
·ͱΊ ▸ Vulsͷಋೖ؆୯ͰӡӦָͪΜʂ ▸ Vulsͷ͓͔͛Ͱ੬ऑੑରԠΛΕͳ͍ʂ ▸ vuls scan࣌ʹෛՙͳ͍ʂVulsઐ༻αʔό͍Βͳ͍! ▸ ͜Ε͔ΒVulsඞਢʂ
ߦ͖·͠ΐ͏ʂʂʂ
͝ਗ਼ௌ ͋Γ͕ͱ͏ ͍͟͝·ͨ͠!