How to Setup Vuls Vulnerability Scanner in Linux

Vuls is a security vulnerability scanner for Linux. It downloads the NVD (National Vulnerability Database) feeds and inserts them into a SQLite database; its built-in CVE dictionary (go-cve-dictionary) answers lookups from that SQLite file. Scan targets are reached over SSH with key-based authentication, so we need to generate SSH keys and confirm that the Vuls server can log in to each target.

Vuls is an inside-the-host scanner: it works by checking a system for pending (unattended) upgrades and reporting the insecure packages it finds.

Main features

  • Scan for any vulnerabilities in Linux Server
  • Scan middleware, programming language libraries and framework for vulnerability
  • Support software registered in CPE
  • User is required to only setup one machine that is connected to other target servers via SSH
  • Auto generation of configuration file template
  • Email and Slack notifications are supported (including Japanese-language messages)
  • Scan results can be viewed in a terminal-based TUI viewer

In this article, I'll provide step by step instructions on how to install Vuls scanner on an Ubuntu 16.04 server. Let's walk through the installation stages.

1) Pre-requisites

Vuls requires the following packages to be installed for its proper functioning.

  • sqlite3
  • git
  • gcc
  • go v1.6 or above

To install Sqlite3, use these commands below:

root@server:~# apt-get update
root@server:~# apt-get install sqlite3 libsqlite3-dev

To install git and gcc, you can use this command below:

root@server:~# apt-get install git gcc

Follow these steps to install Go in the server.

Depending on our server architecture, we can download the required package and extract to install.

[root@server src]# wget https://storage.googleapis.com/golang/go1.6.2.linux-amd64.tar.gz

2016-07-01 07:50:26 (93.6 MB/s) - ‘go1.6.2.linux-amd64.tar.gz’ saved [84840658/84840658]

[root@server src]# tar -xzvf go1.6.2.linux-amd64.tar.gz -C /usr/local/

I've downloaded the package for a 64 bit architecture.

[root@server ~]# mkdir /root/go

Add these lines into /etc/profile.d/goenv.sh

[root@server ~]# cat /etc/profile.d/goenv.sh
export GOROOT=/usr/local/go
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin

Load these environment variables into the current shell:

[root@server ~]# source /etc/profile.d/goenv.sh

[root@server bin]# go version
go version go1.6.2 linux/amd64
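Before running "go get", it is worth confirming that every prerequisite from the list above is present and that the Go toolchain meets the "v1.6 or above" requirement. The following script is an added example (not from the article or the Vuls project): the tool names and the minimum version are the ones the article states, and the version check parses the same "go version" output shown above.

```shell
#!/bin/sh
# Added example (not from the article): verify the Vuls build prerequisites.
# Tool names and the minimum Go version (1.6) come from the article's list.

# go_version_ok "<output of go version>"
# Returns 0 when the reported Go version is 1.6 or newer, 1 otherwise.
go_version_ok() {
    # "go version go1.6.2 linux/amd64" -> "1.6.2"
    ver=$(printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    # a bare "go1" (no minor part) is treated as 1.1 and fails the check
    case "$minor" in ''|*[!0-9]*) minor=1 ;; esac
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 6 ]
}

# check_tools
# Prints each missing prerequisite on stderr; returns 1 if any is missing.
check_tools() {
    missing=0
    for tool in sqlite3 git gcc go; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing: $tool" >&2
            missing=1
        fi
    done
    return $missing
}

# Run both checks against the machine this script is executed on.
if check_tools && go_version_ok "$(go version 2>/dev/null)"; then
    echo "prerequisites OK"
else
    echo "prerequisites missing or Go older than 1.6" >&2
fi
```

Run it after sourcing /etc/profile.d/goenv.sh; if "go" is reported as missing even though it is installed, the PATH from goenv.sh has not been loaded into the current shell.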

2) Enable SSH key authentication between servers

Create an SSH key pair on the Vuls server and add its public key to each target so that Vuls can connect between servers without a password. Here I'm just creating an SSH key pair for my local server and adding the public key to authorized_keys to enable a local scan.

root@server:~# ssh-keygen -t rsa
root@server:~# cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
root@server:~# chmod 600 ~/.ssh/authorized_keys

3) Deploy go-cve-dictionary

Now we can move to our Go work directory and deploy go-cve-dictionary. As mentioned before, Vuls watches for new vulnerabilities in the NVD.

root@server:/usr/src# cd /root/go
root@server:~/go# go get github.com/kotakanbe/go-cve-dictionary
root@server:~/go# ls
bin hello-world hello-world.go pkg src

root@server:~/go# mkdir /var/log/vuls
root@server:~/go# chmod 700 /var/log/vuls

First, go-cve-dictionary fetches the vulnerability data from the NVD, one year at a time, and inserts it into SQLite3.

root@server:~/go# for i in {2002..2016}; do go-cve-dictionary fetchnvd -years $i; done
0 / 1 [------------------------------------------------------------------------------------------------------------------------------] 0.00%
[Sep 21 07:44:13] INFO Fetching... https://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2002.xml.gz
[Sep 21 07:44:15] INFO Fetched 6721 CVEs
[Sep 21 07:44:15] INFO Opening DB. datafile: /root/go/cve.sqlite3
[Sep 21 07:44:15] INFO Migrating DB
[Sep 21 07:44:15] INFO Inserting CVEs...
6721 / 6721 [====================================================================================================================] 100.00% 13s
[Sep 21 07:44:29] INFO Refreshed 6721 Nvds.

Now that the vulnerability data has been collected, start go-cve-dictionary in server mode:

root@server:~/go# go-cve-dictionary server
[Sep 22 05:47:48] INFO Opening DB. datafile: /root/go/cve.sqlite3
[Sep 22 05:47:48] INFO Migrating DB
[Sep 22 05:47:48] INFO Starting HTTP Server...
[Sep 22 05:47:48] INFO Listening on 127.0.0.1:1323

root@server:~/go# ls -alh cve.sqlite3
-rw-r--r-- 1 root root 561M Sep 21 07:53 cve.sqlite3

4) Deploy vuls

Run this go command to deploy vuls.

root@server:/# go get github.com/future-architect/vuls

5) Creating vuls configuration

We create the Vuls configuration file in TOML format to describe the target servers. I've just written a configuration that scans my local server.

root@server:vuls# cat config.toml
[servers]

[servers.45-33-77-70]
host = "45.33.77.70"
port = "22"
user = "root"
keyPath = "/root/.ssh/id_rsa"

You can add as many servers as you need in the configuration file with these details and run a config test to validate.

root@server:/# vuls configtest
[Sep 21 03:01:56] INFO [localhost] Validating Config...
[Sep 21 03:01:56] INFO [localhost] Detecting Server/Contianer OS...
[Sep 21 03:01:56] INFO [localhost] Detecting OS of servers...
[Sep 21 03:01:57] INFO [localhost] (1/1) Detected: 45-33-77-70: ubuntu 16.04
[Sep 21 03:01:57] INFO [localhost] Detecting OS of containers...
[Sep 21 03:01:57] INFO [localhost] Checking sudo configuration...
[Sep 21 03:01:57] INFO [45-33-77-70] sudo ... OK
[Sep 21 03:01:57] INFO [localhost] SSH-able servers are below...
45-33-77-70
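When more than a couple of targets are involved, writing the [servers.*] sections by hand is error-prone. The script below is an added example (not from the article or the Vuls project) that generates the [servers] section of config.toml from a list of "host port user" lines, using the same naming scheme as the configuration above (dots in the IP become dashes in the section name, because a dot in a TOML table name would nest tables instead). The key path default and the sample target list are assumptions; the sample addresses are constructed and not real scan targets.

```shell
#!/bin/sh
# Added example (not from the article or Vuls): build config.toml's [servers]
# section from a host list. KEY_PATH default and sample hosts are assumptions.

KEY_PATH="${KEY_PATH:-/root/.ssh/id_rsa}"

# server_name <host>
# A dot inside a TOML table name nests tables, so 45.33.77.70 becomes
# 45-33-77-70, matching the article's [servers.45-33-77-70] section.
server_name() {
    printf '%s\n' "$1" | tr '.' '-'
}

# gen_config
# Reads "host port user" lines on stdin (blank lines and '#' comments are
# skipped; port and user default to 22 and root) and writes TOML on stdout.
gen_config() {
    echo '[servers]'
    while read -r host port user; do
        case "$host" in ''|'#'*) continue ;; esac
        name=$(server_name "$host")
        echo ""
        echo "[servers.$name]"
        echo "host = \"$host\""
        echo "port = \"${port:-22}\""
        echo "user = \"${user:-root}\""
        echo "keyPath = \"$KEY_PATH\""
    done
}

# count_servers
# Counts [servers.<name>] sections in a config read from stdin, which is a
# quick sanity check that every host in the list produced a section.
count_servers() {
    grep -c '^\[servers\.'
}

# Constructed sample target list (not real scan targets).
SAMPLE_TARGETS='# host          port user
45.33.77.70     22   root
192.0.2.10      22   root'

printf '%s\n' "$SAMPLE_TARGETS" | gen_config
```

Redirect the output to config.toml (for example `printf '%s\n' "$SAMPLE_TARGETS" | gen_config > config.toml`) and then run "vuls configtest" as shown above; the SSH-able list it prints should contain one entry per generated section.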

6) Setting up target servers for vuls

You can run this command "vuls prepare" to set up all the target servers specified in the vuls configuration file.

root@server:/# vuls prepare
INFO[0000] Start Preparing (config: /config.toml)
[Sep 21 03:02:46] INFO [localhost] Detecting OS...
[Sep 21 03:02:46] INFO [localhost] Detecting OS of servers...
[Sep 21 03:02:46] INFO [localhost] (1/1) Detected: 45-33-77-70: ubuntu 16.04
[Sep 21 03:02:46] INFO [localhost] Detecting OS of containers...
[Sep 21 03:02:46] INFO [localhost] Checking sudo configuration...
[Sep 21 03:02:46] INFO [45-33-77-70] sudo ... OK
[Sep 21 03:02:46] INFO [localhost] Installing...
[Sep 21 03:02:46] INFO [45-33-77-70] apt-get update...

7) Start scanning

We can scan our servers using the command "vuls scan".

root@server:~/go/vuls# vuls scan -report-json -cve-dictionary-dbpath=/root/go/cve.sqlite3
INFO[0000] Start scanning
INFO[0000] config: /root/go/vuls/config.toml
INFO[0000] cve-dictionary: /root/go/cve.sqlite3


We can even get a terminal based user interface to view our scan report. You can run this command "vuls tui" to access it.


That's all! You can refer to this link for more options of the Vuls scan command. I hope you enjoyed reading this article on the vulnerability scanner. Please post your valuable comments and suggestions on it. You could also create JSON reports of Vuls output using VulsRepo. Have a good day :-)

Saheetha Shameer 3:50 am

About Saheetha Shameer

Self-motivated and dedicated Linux Administrator having 10 years of working experience on various web-hosting control panels and Unix distributions. I'm a quick learner and have a slight inclination towards following the current and emerging trends in the industry. I'm passionate about testing/reviewing new Linux applications and open source tools.
