Vuls is an agentless vulnerability scanner for Linux and FreeBSD servers. It logs in to each host over SSH, inventories the installed packages, matches them against vulnerability databases and tells the administrator which servers and which packages are affected, with nothing to install on the targets.
Abstract
For a system administrator, performing security vulnerability analysis and applying software updates every day is a burden. To avoid downtime in production, administrators commonly turn off the package manager's automatic updates and apply updates manually. This leads to the following problems.
- The system administrator will have to constantly watch out for any new vulnerabilities in NVD (National Vulnerability Database) or similar databases.
- It might be impossible for the system administrator to monitor all the software if there are a large number of software packages installed in the server.
- Working out which servers are affected by a new vulnerability is expensive, and it is easy to overlook a server or two in the process.
Vuls is a tool created to solve the problems listed above. It has the following characteristics.
- Informs users of the vulnerabilities that are related to the system.
- Informs users of the servers that are affected.
- Vulnerability detection is done automatically to prevent any oversight.
- Reports are generated on a schedule (from cron or a similar scheduler), so vulnerability management becomes a routine task.
Vuls Scanner
Vuls matches the software found on each server against several vulnerability databases, including NVD, JVN and the distributions' OVAL data, which relieves administrators who oversee servers running many different packages. After a scan, Vuls produces a report that can be read in a web GUI or a terminal UI (TUI), giving the severity, a description and the available fixes for each vulnerability. Vuls can also check non-OS packages and WordPress core, themes and plugins.
Features:
- Scan for all vulnerabilities in Linux and FreeBSD servers
- Vuls produces higher-quality results by consulting multiple vulnerability databases
- Several scan modes are available depending on how much load the target can take, from fast to deep (fast scan, fast-root scan, deep scan), along with remote and local scanning and a server mode
- Dynamic and Static Analysis
- Scan vulnerability of Non-OS packages such as libraries of programming languages and network devices
- Scan through WordPress core, themes, plugins
Supported Platforms:
Requirements:
- Docker
- One of SQLite3, MySQL, PostgreSQL or Redis, as the backend for the vulnerability databases
- git
- gcc
- GNU Make
- go v1.13+ (The latest version is recommended)
Install
Install Docker and start the daemon:
$ sudo systemctl start docker
Clone Vulsctl and fetch vulnerability databases:
$ git clone https://github.com/vulsio/vulsctl.git
$ cd vulsctl
$ ./update-all.sh
Prepare config.toml in the same directory:
$ cat $HOME/vulsctl/config.toml
[servers]

[servers.hostos]
host = "52.10.10.10"
port = "22"
user = "centos"
# keypath in the Vuls docker container
keyPath = "/root/.ssh/id_rsa"
SSH to the target once before scanning so that its host key is recorded in $HOME/.ssh/known_hosts on the Docker host (the Vuls container mounts ~/.ssh read-only, so the key and known_hosts are shared with it). Use the same host and key as in config.toml, and compare the fingerprint ssh shows with one obtained out of band, for example from the instance console, before accepting it. Then scan, report and open the TUI:
$ ssh centos@52.10.10.10 -i ~/.ssh/id_rsa
$ ./scan.sh
$ ./report.sh
$ ./tui.sh
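The known_hosts step above is where an agentless scanner is most exposed: Vuls logs in with a private key on every host, and a host key accepted blindly on the first connection lets anyone who can intercept that connection impersonate the server, so the scanner reports whatever package list the attacker chooses. The following added example (not part of Vuls or vulsctl) pins the target's host key against a fingerprint obtained out of band before any scan runs. It assumes openssl and ssh-keyscan are installed on the Docker host; the sample key line is constructed for the demonstration and is not a real key.

```shell
#!/bin/sh
# Pin a scan target's SSH host key before Vuls connects to it (added example,
# not part of Vuls or vulsctl). Assumes openssl(1) and ssh-keyscan(1) are on
# the Docker host and that the expected fingerprint was obtained out of band
# (instance console, cloud provider system log, configuration management).
set -eu

# fingerprint_of_key_line LINE
# Prints the OpenSSH "SHA256:<unpadded base64>" fingerprint of a known_hosts
# or ssh-keyscan line ("host keytype base64blob [comment]"). This is the same
# value `ssh-keygen -lf` prints; it is computed with openssl here so the check
# also works on minimal hosts without openssh-client.
fingerprint_of_key_line() {
    blob=$(printf '%s\n' "$1" | awk '{ print $3 }')
    [ -n "$blob" ] || { echo "malformed key line: $1" >&2; return 1; }
    digest=$(printf '%s' "$blob" | base64 -d | openssl dgst -sha256 -binary | base64 | tr -d '=\n')
    printf 'SHA256:%s\n' "$digest"
}

# record_verified_key LINE EXPECTED_FP KNOWN_HOSTS
# Appends LINE to KNOWN_HOSTS only when its fingerprint equals EXPECTED_FP,
# so the first scan never relies on trust-on-first-use. Safe to re-run.
record_verified_key() {
    line=$1 expected=$2 known_hosts=$3
    actual=$(fingerprint_of_key_line "$line") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "host key mismatch for '${line%% *}': expected $expected, got $actual" >&2
        return 1
    fi
    if [ -f "$known_hosts" ] && grep -qxF "$line" "$known_hosts"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$known_hosts"
}

# pin_host_key HOST PORT EXPECTED_FP KNOWN_HOSTS
# Fetches the target's ed25519 host key with ssh-keyscan and records it if it
# matches. For a non-standard port ssh-keyscan already writes the
# "[host]:port" form that ssh looks up.
pin_host_key() {
    host=$1 port=$2 expected=$3 known_hosts=$4
    line=$(ssh-keyscan -p "$port" -t ed25519 "$host" 2>/dev/null | grep -v '^#' | head -n 1)
    [ -n "$line" ] || { echo "no ed25519 host key received from $host:$port" >&2; return 1; }
    record_verified_key "$line" "$expected" "$known_hosts"
}

# Constructed sample line in ssh-keyscan/known_hosts format (not a real key),
# used only to exercise the functions offline.
SAMPLE_KEY_LINE='52.10.10.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

# Usage on the Docker host, with the host from config.toml (the fingerprint
# is a placeholder; replace it with the one read from the target's console):
#   pin_host_key 52.10.10.10 22 'SHA256:<fingerprint from the console>' "$HOME/.ssh/known_hosts"
```

Run pin_host_key once per target when it is provisioned; if a later run reports a mismatch, the host was rebuilt or the connection is being tampered with, and the scan should not proceed until that is explained.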
Install With Docker
Run the following commands:
$ docker pull vuls/go-cve-dictionary
$ docker run --rm vuls/go-cve-dictionary -v
$ docker pull vuls/goval-dictionary
$ docker run --rm vuls/goval-dictionary -v
$ docker pull vuls/gost
$ docker run --rm vuls/gost -v
$ docker pull vuls/vuls
$ docker run --rm vuls/vuls -v
How to use Vuls
Local Scanning Mode
Once you deployed Vuls, go ahead and create a config file:
$ cd $HOME
$ cat config.toml
[servers]

[servers.localhost]
host = "localhost"
port = "local"
Run the following command to start scan:
$ vuls scan
Reporting
To view one line summary:
$ vuls report -format-one-line-text
To view short summary:
$ vuls report -format-list
Full report:
$ vuls report -format-full-text | less
To run Terminal Based User Interface:
$ vuls tui
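The scan and report commands above are what a scheduled job runs, and the abstract's regular reporting from cron comes down to a wrapper like the one below. This is an added example, not a Vuls script: it assumes vuls, config.toml and the results/ directory live under /opt/vuls (override with VULS_DIR), uses a mkdir lock so two cron runs cannot write results/ at the same time, and stores the one-line and full reports in timestamped files; the cron line in the comment is likewise an assumed layout.

```shell
#!/bin/sh
# nightly-scan.sh: run `vuls scan` and write reports on a schedule.
# Added example, not part of Vuls. Assumptions: vuls, config.toml and the
# results/ directory live in VULS_DIR; `vuls scan` and `vuls report` exit
# non-zero on failure, which set -e turns into a failed cron job.
set -eu

VULS_DIR=${VULS_DIR:-/opt/vuls}
VULS_BIN=${VULS_BIN:-vuls}
LOCK_FILE=${LOCK_FILE:-/tmp/vuls-nightly.lock}   # directory used as a lock

# run_nightly_scan [REPORT_DIR]
# Scans, then writes a one-line summary and the full report to timestamped
# files under REPORT_DIR. Prints the summary path. Returns 2 if a previous
# run still holds the lock, so overlapping runs never touch results/ at once.
run_nightly_scan() {
    report_dir=${1:-$VULS_DIR/reports}
    mkdir -p "$report_dir"
    stamp=$(date +%Y%m%d-%H%M%S)
    summary="$report_dir/$stamp-summary.txt"
    full="$report_dir/$stamp-full.txt"

    # mkdir is atomic, so it is a safe lock even without flock(1)
    if ! mkdir "$LOCK_FILE" 2>/dev/null; then
        echo "another scan is still running (lock: $LOCK_FILE)" >&2
        return 2
    fi
    trap 'rmdir "$LOCK_FILE"' EXIT   # release the lock even if a step fails

    (cd "$VULS_DIR" && "$VULS_BIN" scan -config=./config.toml) > "$report_dir/$stamp-scan.log" 2>&1
    (cd "$VULS_DIR" && "$VULS_BIN" report -config=./config.toml -format-one-line-text) > "$summary"
    (cd "$VULS_DIR" && "$VULS_BIN" report -config=./config.toml -format-full-text) > "$full"

    rmdir "$LOCK_FILE"
    trap - EXIT
    printf '%s\n' "$summary"
}

# Cron entry (assumed layout), e.g. every night at 03:00:
#   0 3 * * * VULS_DIR=/opt/vuls /opt/vuls/nightly-scan.sh run >> /var/log/vuls-nightly.log 2>&1
case ${1:-} in
    run) run_nightly_scan "${2:-}" ;;
esac
```

Because the script exits non-zero when any step fails, cron's mail (or whatever watches the log) shows a broken scan instead of silently reusing yesterday's results; the summary file is the one to forward to on-call, the full report the one to keep for the ticket.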
Scan via Docker
Prepare log directory:
$ cd /path/to/working/dir
$ mkdir go-cve-dictionary-log goval-dictionary-log gost-log go-exploitdb-log
Fetch the vulnerability databases (run the matching vuls/goval-dictionary fetch for your distribution as well; it is not shown here):
$ for i in $(seq 2004 $(date +"%Y")); do \
    docker run --rm -it \
      -v $PWD:/vuls \
      -v $PWD/go-cve-dictionary-log:/var/log/vuls \
      vuls/go-cve-dictionary fetchnvd -years $i; \
  done
$ docker run --rm -i \
    -v $PWD:/vuls \
    -v $PWD/gost-log:/var/log/gost \
    vuls/gost fetch redhat
$ docker run --rm -i \
    -v $PWD:/vuls \
    -v $PWD/go-exploitdb-log:/var/log/go-exploitdb \
    vuls/go-exploitdb fetch exploitdb
Create config.toml in the working directory (the samples above can be used as a starting point).
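A fuller config.toml for the Docker setup, added here as an example; it is not the upstream sample. The host names and addresses, the vulsscan account, the CPE and the WordPress paths are assumptions; keyPath is the path inside the container, where ~/.ssh of the Docker host is mounted read-only. Fast mode needs no root on the targets, so the scan account can be an ordinary unprivileged user.

```toml
# config.toml: added example, not the upstream sample. Host names, IPs, the
# scan user and paths are assumptions; keyPath is the path inside the
# container (~/.ssh of the Docker host is mounted there read-only).
[default]
port     = "22"
user     = "vulsscan"          # dedicated unprivileged account; fast mode needs no root
keyPath  = "/root/.ssh/id_rsa"
scanMode = ["fast"]            # ["fast-root"] or ["deep"] where process-level detail is needed

[servers]

[servers.web01]
host = "52.10.10.10"
# non-OS software on this host, listed by CPE, is checked as well
cpeNames = ["cpe:/a:nginx:nginx:1.18.0"]

# WordPress core, themes and plugins on the same host (paths assumed)
[servers.web01.wordpress]
cmdPath = "/usr/local/bin/wp"
osUser  = "wordpress"
docRoot = "/var/www/html/"

[servers.db01]
host     = "52.10.10.11"
scanMode = ["fast-root"]       # per-host override of the default

[servers.localhost]
host = "localhost"
port = "local"
```

Keep the private key and known_hosts for the vulsscan account readable only by the user that runs the container, and use one key per scanning host rather than reusing an administrator's key.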
Configtest:
$ docker run --rm -it \
-v ~/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
-v $PWD/vuls-log:/var/log/vuls \
vuls/vuls configtest \
-config=./config.toml # path to config.toml in docker
Scan:
$ docker run --rm -it \
-v ~/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
-v $PWD/vuls-log:/var/log/vuls \
-v /etc/localtime:/etc/localtime:ro \
-e "TZ=Asia/Tokyo" \
vuls/vuls scan \
-config=./config.toml # path to config.toml in docker
If Docker host is Debian or Ubuntu:
$ docker run --rm -it \
-v ~/.ssh:/root/.ssh:ro \
-v $PWD:/vuls \
-v $PWD/vuls-log:/var/log/vuls \
-v /etc/localtime:/etc/localtime:ro \
-v /etc/timezone:/etc/timezone:ro \
vuls/vuls scan \
-config=./config.toml # path to config.toml in docker