Is Your Server Really Secure? Trying Out Vuls, the Hottest Vulnerability Scanner Right Now
Caveats
As of January 2017, following the procedure below, the step
go get github.com/kotakanbe/go-cve-dictionary
fails with an error like the following and the install does not complete.
==============(the above method)
package context: unrecognized import path "context" (import path does not begin with hostname)
==============(when trying to build go-cve-dictionary manually with make)
go install -ldflags "-X 'main.version=v0.1.0' -X 'main.revision=7eb1f1a'"
main.go:4:2: cannot find package "context" in any of:
/root/go/src/github.com/kotakanbe/go-cve-dictionary/vendor/context (vendor tree)
/usr/lib/go/src/context (from $GOROOT)
/root/go/src/context (from $GOPATH)
Makefile:39: recipe for target 'install' failed
make: *** [install] Error 1
==============
The errors appear to be related to the "context" package.
Since the recommended Go version for Vuls is 1.7.1 or later,
do not install Go the way this article does; install the latest version instead.
What is Vuls (Vulnerability Scanner)?
・A vulnerability scanner
・Written in Go (golang)
・Supports Ubuntu, Debian, CentOS, Amazon Linux and RHEL
Installation
### Install required software ###
root@hostname:/home/shimizu# aptitude install sqlite3 gcc git
root@hostname:/home/shimizu# aptitude install software-properties-common
...
root@hostname:/home/shimizu# add-apt-repository ppa:ubuntu-lxc/lxd-stable
root@hostname:/home/shimizu# vi /etc/apt/sources.list.d/ubuntu-lxc-lxd-stable-jessie.list   # changed jessie → trusty
root@hostname:/home/shimizu# aptitude update
...
root@hostname:/home/shimizu# aptitude install golang-go
root@hostname:/home/shimizu# sqlite3 --version
3.8.7.1 2014-10-29 13:59:56 3b7b72c4685aa5cf5e675c2c47ebec10d9704221
root@hostname:/home/shimizu# gcc -dumpversion
4.9.2
root@hostname:/home/shimizu# git --version
git version 2.1.4
root@hostname:/home/shimizu# go version
go version go1.6 linux/amd64
### Start the CVE server ###
root@hostname:/home/shimizu# mkdir /var/log/vuls
root@hostname:/home/shimizu# chmod 700 /var/log/vuls
root@hostname:/home/shimizu# mkdir /usr/local/src/vuls
root@hostname:/home/shimizu# mkdir /usr/local/go
root@hostname:/home/shimizu# cat /etc/profile.d/goenv.sh
export GOROOT=/usr/lib/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
root@hostname:/home/shimizu# source /etc/profile.d/goenv.sh
root@hostname:/home/shimizu# go get github.com/kotakanbe/go-cve-dictionary
...
root@hostname:/home/shimizu# for i in {2002..2016}; do go-cve-dictionary fetchnvd -years $i; done
0 / 1 [--------------------------------------------------] 0.00%[May 9 01:22:38] INFO Fetching... https://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2002.xml.gz
...
[May 9 01:38:52] INFO Refreshed 1533 Nvds.
root@hostname:/home/shimizu# go-cve-dictionary server
[May 10 00:05:32] INFO Opening DB. datafile: /home/shimizu/cve.sqlite3
[May 10 00:05:32] INFO Migrating DB
[May 10 00:05:34] INFO Starting HTTP Sever...
[May 10 00:05:34] INFO Listening on 127.0.0.1:1323
...
### Install Vuls ###
root@hostname:/home/shimizu# go get github.com/future-architect/vuls
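As an added example (not code from the original post, nor from the Vuls or go-cve-dictionary projects), the following POSIX shell script checks the two pitfalls from the caveats section before anything is built: that "go version" reports at least 1.7.1, and that GOROOT really contains the standard library, including the context package that the build error above complains about. It then fetches the NVD feeds year by year, aborting on the first failure rather than silently continuing as the bare for-loop does. NVD_FETCH_CMD is an assumed environment override used only for dry runs.

```shell
#!/bin/sh
# Added helper script (not from the post or from Vuls). Checks the Go toolchain
# against the 1.7.1 minimum the post cites, verifies GOROOT holds the stdlib,
# and fetches NVD feeds per year, stopping at the first failed year.

MIN_GO="1.7.1"                          # minimum stated in the post

# Map "go1.6", "1.7.1" or "go1.10.3" to one comparable integer: 1.7.1 -> 1007001
version_key() {
    v=$(printf '%s' "$1" | sed 's/^go//; s/[^0-9.].*$//')
    major=${v%%.*};    rest=${v#"$major"};    rest=${rest#.}
    minor=${rest%%.*}; rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    printf '%d' $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# $1 is the full "go version go1.6 linux/amd64" line; succeeds when >= MIN_GO
go_version_ok() {
    tok=$(printf '%s' "$1" | awk '{print $3}')
    [ "$(version_key "$tok")" -ge "$(version_key "$MIN_GO")" ]
}

# A usable GOROOT must hold the stdlib; "context" only exists from Go 1.7 on,
# so its absence is exactly the build error quoted in the caveats section.
goroot_has_stdlib() {
    [ -d "$1/src/fmt" ] && [ -d "$1/src/context" ]
}

# Fetch NVD feeds for an inclusive year range. NVD_FETCH_CMD is an assumed
# override (defaults to the real go-cve-dictionary) so the loop can be dry-run.
fetch_nvd_years() {
    y=$1
    while [ "$y" -le "$2" ]; do
        "${NVD_FETCH_CMD:-go-cve-dictionary}" fetchnvd -years "$y" ||
            { echo "fetchnvd failed for $y; cve.sqlite3 is incomplete" >&2; return 1; }
        y=$((y + 1))
    done
}

case "${1:-}" in
    check)
        go_version_ok "$(go version)" || { echo "need go >= $MIN_GO" >&2; exit 1; }
        goroot_has_stdlib "$(go env GOROOT)" || { echo "GOROOT lacks stdlib" >&2; exit 1; }
        echo "toolchain ok" ;;
    fetch) fetch_nvd_years "${2:-2002}" "${3:-2016}" ;;
esac
```

Saved as, say, vuls-prep.sh, run "sh vuls-prep.sh check" before the go get step and "sh vuls-prep.sh fetch 2002 2016" in place of the for-loop.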
Installation pitfalls
Go 1.6 on Debian 8
エラー http://ppa.launchpad.net jessie/main Sources
404 Not Found
エラー http://ppa.launchpad.net jessie/main amd64 Packages
404 Not Found
This error occurs unless you change jessie to trusty in /etc/apt/sources.list.d/ubuntu-lxc-lxd-stable-jessie.list.
import path does not begin with hostname
If you set GOROOT=/usr/local/go as the official docs say, on Debian you get the following error and cannot proceed (the Debian package installs Go under /usr/lib/go, as the goenv.sh above sets it).
root@hostname:/home/shimizu# go get github.com/kotakanbe/go-cve-dictionary
package flag: unrecognized import path "flag" (import path does not begin with hostname)
package fmt: unrecognized import path "fmt" (import path does not begin with hostname)
package errors: unrecognized import path "errors" (import path does not begin with hostname)
package sync: unrecognized import path "sync" (import path does not begin with hostname)
package time: unrecognized import path "time" (import path does not begin with hostname)
package io: unrecognized import path "io" (import path does not begin with hostname)
package os: unrecognized import path "os" (import path does not begin with hostname)
package path: unrecognized import path "path" (import path does not begin with hostname)
package sort: unrecognized import path "sort" (import path does not begin with hostname)
…
GOPATH
Setting only GOPATH, without the /etc/profile.d/goenv.sh configuration, produced the following error, and I got stuck on it.
# github.com/jinzhu/gorm
src/github.com/jinzhu/gorm/utils.go:137: syntax error: unexpected range, expecting {
Running Vuls
root@hostname:/home/shimizu# mkdir /root/vuls
root@hostname:/home/shimizu# cd /root/vuls/
root@hostname:~/vuls# cat config.toml
[servers]
[servers.server1]
host = "127.0.0.1"
port = "2022"
user = "vulsuser"
keyPath = "/home/vulsuser/.ssh/id_rsa"
root@hostname:~/vuls# vuls prepare -ask-sudo-password
sudo password: ********
INFO[0012] Start Preparing (config: /root/vuls/config.toml)
[May 10 01:13:27] INFO [localhost] Detecting OS...
[May 10 01:13:27] INFO [localhost] (1/1) Successfully detected. server1: debian 8.4
[May 10 01:13:27] INFO [localhost] Installing...
[May 10 01:13:27] INFO [server1:2022] apt-get update...
[May 10 01:13:59] INFO [server1:2022] Installed: aptitude
[May 10 01:13:59] INFO [localhost] Success
root@hostname:~/vuls# vuls scan -ask-sudo-password -lang=ja
sudo password: ********
INFO[0003] Start scanning (config: /root/vuls/config.toml)
[May 10 01:14:52] INFO [localhost] Validating Config...
[May 10 01:14:52] INFO [localhost] Detecting the type of OS...
[May 10 01:14:52] INFO [localhost] (1/1) Successfully detected. server1: debian 8.4
[May 10 01:14:52] INFO [localhost] Scanning vulnerabilities...
[May 10 01:14:52] INFO [localhost] Check required packages for scanning...
[May 10 01:14:52] INFO [localhost] Scanning vulnerable OS packages...
[May 10 01:15:22] INFO [server1:2022] Fetching CVE details...
[May 10 01:15:22] INFO [server1:2022] Done
[May 10 01:15:22] INFO [localhost] Scanning vulnerable software specified in the CPE...
[May 10 01:15:22] INFO [localhost] Reporting...
server1 (debian 8.4)
====================
No unsecure packages.
[May 10 01:15:22] INFO [localhost] Insert to DB...
### Show the results ###
root@hostname:~/vuls# vuls tui
Reference URLs
Install package golang
"unrecognized import path" with go get
Introduction to the installation procedure and usage of the much-discussed vulnerability scanner VULS