Vuls and VulsRepo install on CentOS
-
Configure vuls on CentOS 7
Install the epel-release repo package for needed dependencies
sudo yum -y install epel-release
Install dependencies
sudo yum -y install sqlite git gcc make wget yum-utils redis nano
Download Go
wget https://dl.google.com/go/go1.10.1.linux-amd64.tar.gz
Extract Go to /usr/local
sudo tar -C /usr/local -xzf go1.10.1.linux-amd64.tar.gz
Setup Go environment
mkdir $HOME/go
sudo nano /etc/profile.d/goenv.sh
goenv.sh should contain
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
Update the current environment with the goenv.sh information
source /etc/profile.d/goenv.sh
Setup Go CVE dictionary
sudo mkdir /var/log/vuls
sudo chown youruser:youruser /var/log/vuls
sudo chmod 700 /var/log/vuls
mkdir -p $GOPATH/src/github.com/kotakanbe
cd $GOPATH/src/github.com/kotakanbe
git clone https://github.com/kotakanbe/go-cve-dictionary.git
cd go-cve-dictionary
make install
Setup NVD vulnerability data. This bit took a while on my 1cpu, 1GB ram, 100mb/sec VM. Seems to have spent most of its time updating the database, so probably I/O bottlenecked in my case (single HDD). Also available in Japanese, see https://vuls.io/docs/en/install-manually-centos.html
cd $HOME
for i in `seq 2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -years $i; done
Deploy the Goval Dictionary
mkdir -p $GOPATH/src/github.com/kotakanbe
cd $GOPATH/src/github.com/kotakanbe
git clone https://github.com/kotakanbe/goval-dictionary.git
cd goval-dictionary
make install
Fetch the distribution specific goval scanners. Also officially supports Alpine and Oracle Linux, but I don't use either on my Home Lab box.
- CentOS/Red Hat
goval-dictionary fetch-redhat 7
- Debian
goval-dictionary fetch-debian 7 8 9 10
- Ubuntu
goval-dictionary fetch-ubuntu 12 14 16 18
- SUSE
goval-dictionary fetch-suse -opensuse 13.2
Deploy vuls
mkdir -p $GOPATH/src/github.com/future-architect
cd $GOPATH/src/github.com/future-architect
git clone https://github.com/future-architect/vuls.git
cd vuls
make install
Setup and scan localhost
cd $HOME
nano config.toml
config.toml file should be
[servers]
[servers.localhost]
host = "localhost"
port = "local"
Check the config
vuls configtest
Run a scan
vuls scan
The scan will display a one-line report by default. If you want more detailed information, you can use 'vuls tui', or enable the web-based VulsRepo.
VulsRepo configuration
cd $HOME
git clone https://github.com/usiusi360/vulsrepo.git
Run a scan with a report vulsrepo can read
vuls report -format-json
Create the config file and update the paths. The instructions say to use hardcoded path statements instead of ~ or $HOME.
cd $HOME/vulsrepo/server
cp vulsrepo-config.toml.sample vulsrepo-config.toml
Set the paths according to your environment
nano vulsrepo-config.toml
[Server]
rootPath = "/home/your user/vulsrepo"
resultsPath = "/home/your user/results"
serverPort = "5111"
#serverIP = "127.0.0.1"
#serverSSL = "yes"
#serverCert = "cert.pem"
#serverKey = "key.pem"
#[Auth]
#authFilePath = "/home/vuls-user/.htdigest"
#realm = "vulsrepo_local"
Update the vulsrepo.service file with the correct paths as well
nano ./scripts/vulsrepo.service
[Unit]
Description=vulsrepo daemon
Documentation=https://github.com/usiusi360/vulsrepo
[Service]
ExecStart = /home/your user/vulsrepo/server/vulsrepo-server
ExecRestart = /bin/kill -WINCH ${MAINPID} ; /home/your user/vulsrepo/server/vulsrepo-server
ExecStop = /bin/kill -WINCH ${MAINPID}
Restart = no
Type = simple
User = your user
Group = your user group (normally the same as your user)
[Install]
WantedBy = multi-user.target
Copy the service file to /lib/systemd/system
sudo cp $HOME/vulsrepo/server/scripts/vulsrepo.service /lib/systemd/system/vulsrepo.service
Enable the service
sudo systemctl enable vulsrepo
Start the service
sudo systemctl start vulsrepo
Open the firewall port
sudo firewall-cmd --permanent --add-port=5111/tcp
sudo firewall-cmd --reload
I have my instance running behind a reverse proxy that handles SSL. If you don't have a reverse proxy, GET SSL CONFIGURED NOW! vulsrepo.travisdh1.net
Setup basic authentication, so the entire internet can't see all of your vulnerabilities!
/home/your user/vulsrepo/server/vulsrepo-server -m
Password: lots of gobblygook
AuthFile Path : /home/travis/.htdigest
realm : vulsrepo_local
login user : vuls
2018/06/29 16:33:17 main.go:100: Create Success
Update the server settings
nano /home/travis/vulsrepo/server/vulsrepo-config.toml
[Server]
rootPath = "/home/travis/vulsrepo"
resultsPath = "/home/travis/results"
serverPort = "5111"
#serverIP = "127.0.0.1"
#serverSSL = "yes"
#serverCert = "cert.pem"
#serverKey = "key.pem"
[Auth]
authFilePath = "/home/travis/.htdigest"
realm = "vulsrepo_local"
Restart the service
sudo systemctl restart vulsrepo
Add a custom crontab to schedule scans. I set mine to run a scan every day at 1AM
crontab -e
0 1 * * * vuls report -format-json
A few parting thoughts.
If I were to install this again, I'd create a different user for it to run as and install it in /opt. I'd also like to see a lot better security on the web-based viewer than what's currently in place before actually deploying this. I'd also just make all the configuration changes to the config files at once rather than editing the same file 2-3 times.
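A small audit for the vulsrepo-config.toml edited in the steps above, as an added example that is not part of the original post or the VulsRepo project. It flags a config where authFilePath and realm are uncommented while the [Auth] header is still commented (in TOML those keys then belong to [Server]), and a listener with neither serverSSL nor a loopback serverIP. The finding names, the sample configs and the assumption that an unset serverIP listens on all interfaces are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: audit a vulsrepo-config.toml for missing auth and plaintext exposure.
# Reads the file given as $1 (or stdin); prints one finding per line, or "OK".
audit_vulsrepo_config() {
  awk '
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim whitespace
    /^#/ || /^$/ { next }                          # skip comments and blanks
    /^\[.*\]$/   { section = tolower(substr($0, 2, length($0) - 2)); next }
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
      gsub(/[ \t]/, "", key); gsub(/^[ \t]*"|"[ \t]*$/, "", val)
      conf[section "." tolower(key)] = val         # e.g. conf["auth.realm"]
    }
    END {
      n = 0
      if (conf["auth.authfilepath"] == "") {
        if (conf["server.authfilepath"] != "")
          f[n++] = "AUTH_KEYS_UNDER_SERVER"        # [Auth] header still commented out
        else
          f[n++] = "NO_AUTH"
      }
      tls = (tolower(conf["server.serverssl"]) == "yes")
      loopback = (conf["server.serverip"] == "127.0.0.1")
      # Assumption: with serverIP unset the server listens on every interface.
      if (!tls && !loopback) f[n++] = "PLAINTEXT_ON_ALL_INTERFACES"
      if (n == 0) { print "OK"; exit }
      for (i = 0; i < n; i++) print f[i]
    }
  ' "${1:--}"
}

# Constructed samples (paths are placeholders, not taken from a real host).
sample_broken() {   # keys uncommented, [Auth] header still commented
  printf '%s\n' '[Server]' 'rootPath = "/home/vuls/vulsrepo"' 'serverPort = "5111"' \
    '#[Auth]' 'authFilePath = "/home/vuls/.htdigest"' 'realm = "vulsrepo_local"'
}
sample_fixed() {    # digest auth enabled, bound to loopback behind a TLS proxy
  printf '%s\n' '[Server]' 'serverPort = "5111"' 'serverIP = "127.0.0.1"' \
    '[Auth]' 'authFilePath = "/home/vuls/.htdigest"' 'realm = "vulsrepo_local"'
}

# Audit the file named on the command line, or the constructed broken sample.
if [ $# -gt 0 ]; then audit_vulsrepo_config "$1"; else sample_broken | audit_vulsrepo_config; fi
```

The parser is line-based and does not handle trailing comments after a value, which the sample config shown in the post does not use.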
-
-
Do we need to configure any SELinux permissions?
-
This looks not super user friendly.
-
In further testing, a Fedora distribution breaks the scan. So its functionality is questionable even in my home lab.
-
@black3dynamite said in Vuls and VulsRepo install on CentOS:
Do we need to configure any SELinux permissions?
I didn't need to.
-
@stacksofplates said in Vuls and VulsRepo install on CentOS:
This looks not super user friendly.
Better than the tui tho.
-
I was trying to understand how to read that report I posted from your site. I can't figure it out.
-
@stacksofplates said in Vuls and VulsRepo install on CentOS:
I was trying to understand how to read that report I posted from your site. I can't figure it out.
I honestly haven't dug into it yet, but it also doesn't look like it's worth the time either.