Who should perform the security scan
...
If you are developing VM based application code, Vuls (testing setup inside each VM) and Lynis (testing setup inside each VM) are needed.
Vuls scan usually takes around 10 to 20 mins.
Kube-Hunter usually takes about 10 mins.
Lynis scan usually takes about 2 mins.
Vuls
Vuls will be integrated with the Blueprint Validation Framework (see the Bluval User Guide).
Below is the list of tasks for the integration.
Installation
Install Vuls containers (https://vuls.io/docs/en/install-with-docker.html). Vuls containers can be found at: https://hub.docker.com/u/vuls/
- Install go-cve-dictionary, run "docker pull vuls/go-cve-dictionary"
- Install goval-dictionary, run "docker pull vuls/goval-dictionary"
- Install gost, run "docker pull vuls/gost"
- Install vuls, run "docker pull vuls/vuls"
Set up and run
Detailed instructions can be found at https://vuls.io/docs/en/tutorial-docker.html
- Prepare log dir
  cd /path/to/working/dir
  mkdir go-cve-dictionary-log goval-dictionary-log gost-log
- Fetch NVD
  for i in `seq 2002 $(date +"%Y")`; do \
    docker run --rm -it \
      -v $PWD:/vuls \
      -v $PWD/go-cve-dictionary-log:/var/log/vuls \
      vuls/go-cve-dictionary fetchnvd -years $i; \
  done
- Fetch OVAL
  - if you are using redhat/fedora
    docker run --rm -it \
      -v $PWD:/vuls \
      -v $PWD/goval-dictionary-log:/var/log/vuls \
      vuls/goval-dictionary fetch-redhat 5 6 7 8
  - if you are using ubuntu/debian
    docker run --rm -it \
      -v $PWD:/vuls \
      -v $PWD/goval-dictionary-log:/var/log/vuls \
      vuls/goval-dictionary fetch-ubuntu 16 17 18 19
- Fetch gost
  - if you are using redhat/fedora
    docker run --rm -i \
      -v $PWD:/vuls \
      -v $PWD/gost-log:/var/log/gost \
      vuls/gost fetch redhat
  - if you are using ubuntu/debian
    docker run --rm -i \
      -v $PWD:/vuls \
      -v $PWD/gost-log:/var/log/gost \
      vuls/gost fetch ubuntu
- Configure the SUT (system under test); the configuration is stored in config.toml
- SSH key generation and distribution: Vuls connects to the target server through SSH and supports only SSH key-based authentication, so there needs to be a way to generate an SSH key pair, make the private key available to the Vuls container and distribute the public key to the target server. The private key must not be baked into the container image if the image is publicly accessible; mount it into the container at run time instead (read-only, as the docker run commands below do with ~/.ssh).
  [servers]
  [servers.c74]
  host = "54.249.93.16"
  port = "22"
  user = "vuls-user"
  keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker
- Start Vuls container to run tests
  docker run --rm -it \
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    -v /etc/localtime:/etc/localtime:ro \
    -e "TZ=Asia/Tokyo" \
    vuls/vuls scan \
    -config=./config.toml
- To get the report:
  docker run --rm -it \
    -v ~/.ssh:/root/.ssh:ro \
    -v $PWD:/vuls \
    -v $PWD/vuls-log:/var/log/vuls \
    -v /etc/localtime:/etc/localtime:ro \
    -e "TZ=Asia/Tokyo" \
    vuls/vuls report \
    -config=./config.toml
- Write Bluval configuration file for security tests
- Push test results to LF Nexus
- Todo: how to tell whether a test succeeded or failed
- Todo: sample test result
- Show test results in Bluval UI
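The Todo items above leave open how a Bluval run should decide whether the Vuls scan passed or failed. The script below is an added example written for this page, not code from Vuls or Bluval: it reads the JSON that `vuls report -format-json` writes for a server, takes the highest CVSS score any source reports for each CVE, and fails the run when a CVE scores at or above a configurable threshold. The field names it relies on (`scannedCves`, `cveID`, `cveContents`, `cvss3Score`, `cvss2Score`, `affectedPackages`) are the author's understanding of the Vuls JSON layout and should be checked against a report from the Vuls version actually deployed; the embedded report is constructed, with placeholder CVE IDs rather than real ones.

```python
"""Pass/fail gate for a Vuls JSON report (added example; not part of Vuls or Bluval).

Field names below are assumed from the layout of `vuls report -format-json`;
verify them against a real report before wiring this into a pipeline.
"""
import json
import sys

# Constructed sample report: one server, three CVEs with placeholder IDs.
# Scores are chosen to exercise the threshold, the multi-source maximum and
# the "no score from any source" case.
VULS_SAMPLE = json.dumps({
    "serverName": "c74",
    "family": "centos",
    "release": "7.4.1708",
    "scannedCves": {
        "CVE-0000-00001": {
            "cveID": "CVE-0000-00001",
            "affectedPackages": [{"name": "openssl"}, {"name": "openssl-libs"}],
            "cveContents": {
                "nvd": {"cvss3Score": 9.8, "cvss2Score": 7.5},
                "redhat": {"cvss3Score": 8.1, "cvss2Score": 0.0},
            },
        },
        "CVE-0000-00002": {
            "cveID": "CVE-0000-00002",
            "affectedPackages": [{"name": "bash"}],
            "cveContents": {"redhat": {"cvss3Score": 0.0, "cvss2Score": 4.3}},
        },
        "CVE-0000-00003": {
            "cveID": "CVE-0000-00003",
            "affectedPackages": [{"name": "kernel"}],
            "cveContents": {},
        },
    },
})


def max_score(vuln):
    """Highest CVSS (v3 or v2) score reported by any source for one CVE.

    Older Vuls versions store one object per source under cveContents,
    newer ones a list per source; both shapes are accepted here.
    """
    best = 0.0
    for content in vuln.get("cveContents", {}).values():
        for item in (content if isinstance(content, list) else [content]):
            for key in ("cvss3Score", "cvss2Score"):
                best = max(best, float(item.get(key) or 0.0))
    return best


def evaluate_vuls(report_json, threshold=7.0):
    """Return a verdict dict; the run fails if any scored CVE is >= threshold.

    CVEs that no source has scored yet are listed separately as "unscored"
    so they are not silently treated as harmless.
    """
    report = json.loads(report_json)
    cves = report.get("scannedCves", {})
    failing, unscored = [], []
    for cve_id, vuln in sorted(cves.items()):
        score = max_score(vuln)
        packages = sorted(p.get("name", "?") for p in vuln.get("affectedPackages", []))
        if score == 0.0:
            unscored.append(cve_id)
        elif score >= threshold:
            failing.append((cve_id, score, packages))
    failing.sort(key=lambda f: (-f[1], f[0]))  # worst first
    return {
        "server": report.get("serverName"),
        "total": len(cves),
        "failing": failing,
        "unscored": unscored,
        "passed": not failing,
    }


def main(argv):
    """Usage: python vuls_gate.py <server>.json [threshold]  (defaults to the sample)."""
    text = open(argv[1]).read() if len(argv) > 1 else VULS_SAMPLE
    threshold = float(argv[2]) if len(argv) > 2 else 7.0
    verdict = evaluate_vuls(text, threshold)
    for cve_id, score, packages in verdict["failing"]:
        print(f"FAIL {cve_id} cvss={score} packages={','.join(packages)}")
    for cve_id in verdict["unscored"]:
        print(f"WARN {cve_id} has no CVSS score from any source")
    print(f"{verdict['server']}: {verdict['total']} CVEs, "
          f"{'PASS' if verdict['passed'] else 'FAIL'} at threshold {threshold}")
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is what a Bluval wrapper would key on; the threshold is deliberately a parameter because a blueprint may accept medium-severity findings while blocking on critical ones. Unscored CVEs are reported but do not fail the gate here; a stricter policy would treat them as failures until a score is available.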
...
After a run, detailed test logs are stored in /var/log/lynis.log; the information recorded for each test includes:
- Time of an action/event
- Reason(s) why a test failed or was skipped
- Output of (internal) tests
- Suggestions about configuration options or how to fix/improve things
- Threat/impact score
In addition to the log file, Lynis also creates a report and stores it in /var/log/lynis-report.dat. The report file consists of three kinds of lines:
- Remarks: #<remark>
- Section headers: [<section name>]
- Option/value pairs: <option name>=<value of option>
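The report file, not the human-readable log, is what an automated integration such as Bluval would consume, so here is a parser for the three line kinds just described together with a pass/fail verdict. It is an added example written for this page, not code from Lynis. The treatment of repeated options with a `[]` suffix (`warning[]=`, `suggestion[]=`), the `|`-separated fields inside their values, and the option names `hardening_index`, `warning` and `suggestion` are the author's assumptions about Lynis output and should be checked against a real lynis-report.dat; the embedded report is constructed, with placeholder test IDs.

```python
"""Parser and pass/fail verdict for a Lynis report file (added example, not Lynis code).

Line kinds, as described for /var/log/lynis-report.dat:
    # <remark>                 remark
    [<section name>]           section header
    <option name>=<value>      option/value pair
Repeated options carry a "[]" suffix (assumed, e.g. warning[]=...), and their
values are "|"-separated fields (assumed): test-id|description|details|solution.
"""

# Constructed sample report (placeholder test IDs, not real Lynis output).
LYNIS_SAMPLE = """\
# Lynis Report
[general]
report_version_major=1
report_version_minor=0
hostname=node-01
os_name=Ubuntu
[tests]
tests_executed=3
hardening_index=64
warning[]=TEST-0001|Running kernel differs from the one on disk|reboot needed|-|
warning[]=TEST-0002|SSH permits root login|PermitRootLogin yes|set PermitRootLogin no|
suggestion[]=TEST-0003|No automatic updates configured|-|-|
"""


def parse_lynis_report(text):
    """Parse report text into {"remarks": [...], "sections": {name: {option: value}}}.

    Options repeated with a "[]" suffix become lists under the bare name.
    Lines matching none of the three kinds raise ValueError instead of being
    skipped, so a truncated or wrongly mounted report is noticed.
    """
    report = {"remarks": [], "sections": {}}
    section = report["sections"].setdefault("", {})  # options before any header
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            report["remarks"].append(line[1:].strip())
        elif line.startswith("[") and line.endswith("]"):
            section = report["sections"].setdefault(line[1:-1], {})
        elif "=" in line:
            key, value = line.split("=", 1)
            if key.endswith("[]"):
                section.setdefault(key[:-2], []).append(value)
            else:
                section[key] = value
        else:
            raise ValueError(f"line {lineno}: not a remark, section or option: {raw!r}")
    if not report["sections"][""]:
        del report["sections"][""]
    return report


def merged_options(report):
    """Flatten all sections into one option map; list-valued options are concatenated."""
    merged = {}
    for options in report["sections"].values():
        for key, value in options.items():
            if isinstance(value, list):
                merged.setdefault(key, []).extend(value)
            else:
                merged[key] = value
    return merged


def lynis_verdict(report, min_hardening_index=60):
    """Fail on any warning or a hardening index below the minimum; suggestions only inform."""
    options = merged_options(report)
    warnings = [w.split("|") for w in options.get("warning", [])]
    suggestions = [s.split("|") for s in options.get("suggestion", [])]
    index = int(options.get("hardening_index", 0))
    reasons = []
    if warnings:
        reasons.append("warnings: " + ", ".join(w[0] for w in warnings))
    if index < min_hardening_index:
        reasons.append(f"hardening index {index} below {min_hardening_index}")
    return {
        "passed": not reasons,
        "hardening_index": index,
        "warnings": warnings,
        "suggestions": suggestions,
        "reasons": reasons,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LYNIS_SAMPLE
    verdict = lynis_verdict(parse_lynis_report(text))
    for w in verdict["warnings"]:
        print(f"WARN {w[0]}: {w[1]}")
    print("PASS" if verdict["passed"] else "FAIL: " + "; ".join(verdict["reasons"]))
    sys.exit(0 if verdict["passed"] else 1)
```

Running it against a real report means copying /var/log/lynis-report.dat out of the VM after the scan (the file is root-owned) and passing its path as the first argument. The parser deliberately refuses unrecognised lines rather than skipping them: a report that was cut off or pointed at the wrong file should fail loudly, not quietly pass with zero warnings.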
...