...

Table of Contents

outline	true

Who should perform security scan

If you are working on driver code, Vuls and Lynis are needed.

If you are developing container based application code, Vuls, Lynis and Kuber-Hunter are needed.

If you are developing VM based application code, Vuls (testing setup inside each VM) and Lynis (testing setup inside each VM) are needed.

Vuls scan usually takes around 10 to 20 mins.

Kuber-Hunter usually takes about 10 mins.

Lynis scan usually takes about 2 mins. Table of Contentsoutlinetrue

Vuls

Vuls will be integrated with Blueprint Validation Framework (Bluval User Guide)

...

Install go-cve-dictionary, run "docker pull vuls/go-cve-dictionary"
Install goval-dictionary, run "docker pull vuls/goval-dictionary"
Install gost, run "docker pull vuls/gost"
Install vuls, run "docker pull vuls/vuls"

...

Detailed instruction can be found at https://vuls.io/docs/en/tutorial-docker.html

Prepare log dir

$ cd /path/to/working/dir

$ mkdir go-cve-dictionary-log goval-dictionary-log gost-log

Fetch NVD

$ for i in `seq 2002 $(date +"%Y")`; do \ docker run --rm -it \ -v $PWD:/vuls \ -v $PWD/go-cve-dictionary-log:/var/log/vuls \ vuls/go-cve-dictionary fetchnvd -years $i; \ done

Fetch OVAL
- if you are using redhat/fedora

$ docker run --rm -it \ -v $PWD:/vuls \ -v $PWD/goval-dictionary-log:/var/log/vuls \ vuls/goval-dictionary fetch-redhat 5 6 7 8

if you are using ubuntu/debian

$ docker run --rm -it \ -v $PWD:/vuls \ -v $PWD/goval-dictionary-log:/var/log/vuls \ vuls/goval-dictionary fetch-ubuntu 16 17 18 19

Fetch gost

$ docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/goval-log:/var/log/gost \ vuls/gost fetch redhat

Or

$ docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/goval-log:/var/log/gost \ vuls/gost fetch ubuntu

Config the SUT, configuration will be stored in config.toml
- SSH key generation & distribution: As Vuls connects to target server through SSH, and Vuls has to use SSH key-based authentication. There needs to be a way to generate SSH key pair, save the private key for Vuls container and dispatch the public key to target server. We probably don’t want to store the private key with the container image if the container image is public accessible.

[servers]

[servers.c74]

host = "54.249.93.16"

port = "22"

user = "vuls-user"

keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker

Start Vuls container to run tests
- $ docker run --rm -it \ -v ~/.ssh:/root/.ssh:ro \ -v $PWD:/vuls \ -v $PWD/vuls-log:/var/log/vuls \ -v /etc/localtime:/etc/localtime:ro \ -e "TZ=Asia/Tokyo" \ vuls/vuls scan \ -config=./config.toml
To get the report:
- $ docker run --rm -it -v ~/.ssh:/root/.ssh:ro -v $PWD:/vuls -v $PWD/vuls-log:/var/log/vuls -v /etc/localtime:/etc/localtime:ro -e "TZ=Asia/Tokyo" vuls/vuls report -config=./config.toml
Write Bluval configuration file for security tests
Push test results to LF Nexus
- Todo: How to tell test success or fail
- Todo: Sample Test result
Show test results in Bluval UI

...

After running, detailed test logs are stored in /var/log/lynis.log, information for each test includes:

Time of an action/event
Reason(s) why a test failed or was skipped
Output of (internal) tests
Suggestions about configuration options or how to fix/improve things
Threat/impact score

In addition to log file, Lynis also creates a report and stores it in /var/log/lynis-report.dat. The report file contains the following information:

Remarks = #<remark>
Section = [<section name>]
Option/value = <option name>=<value of option>

...

Versions Compared

Old Version 43

New Version 44

Key

Who should perform security scan

Vuls

Page Comparison

Versions Compared

Old Version 43

New Version 44

Key

Who should perform security scan

Vuls