How to Setup Vuls Vulnerability Scanner in Linux

VULS is a security vulnerability scanner for Linux. It downloads the NVD (National Vulnerability Database) and inserts into a sqlite database. Vuls has built in CVE dictionary for this sqlite file. The servers are connected using key based authorization, hence we need to generate ssh keys and confirm the authorization between servers and scan target.

Since, vuls is an insider scanner. Logic behind the vuls system is searching for unattended upgrades and thereby reporting unsecure packages on a system.

Main features

  • Scan for any vulnerabilities in Linux Server
  • Scan middleware, programming language libraries and framework for vulnerability
  • Support software registered in CPE
  • User is required to only setup one machine that is connected to other target servers via SSH
  • Auto generation of configuration file template
  • Email and Slack notification is possible (supports Japanese language)
  • Scan result is viewable on necessary software, TUI Viewer terminal.

In this article, I'll provide step by step instructions on how to install Vuls scanner on an Ubuntu 16.04 server. Let's walk through the installation stages.

1) Pre-requisites

Vuls requires the following packages to be installed for its proper functioning.

  • sqlite3
  • git
  • gcc
  • go v1.6 or above

To install Sqlite3, use these commands below:

root@ubuntu:~#apt-get update.
root@ubuntu:~#apt-get install sqlite3 libsqlite3-dev.

To install git and gcc, you can use this command below:

root@ubuntu:~#apt-get install git gcc

Follow these steps to install Go in the server.

Depending on our server architecture, we can download the required package and extract to install.

[root@ubuntu src]# wget

2016-07-01 07:50:26 (93.6 MB/s) - ‘go1.6.2.linux-amd64.tar.gz’ saved [84840658/84840658]

[root@ubuntusrc]# tar -xzvf go1.6.2.linux-amd64.tar.gz -C /usr/local/

I've downloaded the package for a 64 bit architecture.

root@ubuntu~]# mkdir /root/go

Add these lines into /etc/profile.d/
[root@ubuntu ~]# cat /etc/profile.d/ export GOROOT=/usr/local/go export GOPATH=$HOME/go export PATH=$PATH:$GOROOT/bin:$GOPATH/bin

Set the OS environment variable to current shell [root@ubuntu ~]# source /etc/profile.d/ [root@ubuntu bin]# go version go version go1.6.2 linux/amd64

2) Enable SSH key authentication between servers

You can create the SSH key pairs and add them to the vuls server to enhance the SSH connectivity b/w servers. I'm just creating an SSH key pair for my local server and adding the public key to the authorized_keys to enable local scan.

root@ubuntu:~# ssh-keygen -t rsa
root@ubuntu:~# cat ~/.ssh/ >> ~/.ssh/authorized_keys
root@ubuntu:~# chmod 600 ~/.ssh/authorized_keys

3) Deploy go-cve-dictionary

Now, we can move to our go work directory and deploy our go-cve-dictionary.  As mentioned before vuls watch out for any new vulnerabilities in NVD.

root@ubuntu:/usr/src# cd /root/go
root@ubuntu:~/go# go get
root@ubuntu:~/go# ls
bin hello-world hello-world.go pkg src

root@ubuntu:~/go#mkdir /var/log/vuls
root@ubuntu:~/go#chmod 700 /var/log/vuls

Firstly, go-cve-dictionary fetches vulnerability data from NVD and inserts into sqlite3.

root@ubuntu:~/go#for i in {2002..2016}; do go-cve-dictionary fetchnvd -years $i; done
0 / 1 [------------------------------------------------------------------------------------------------------------------------------] 0.00%[Sep 21 07:44:13] INFO Fetching...
[Sep 21 07:44:15] INFO Fetched 6721 CVEs
[Sep 21 07:44:15] INFO Opening DB. datafile: /root/go/cve.sqlite3
[Sep 21 07:44:15] INFO Migrating DB
[Sep 21 07:44:15] INFO Inserting CVEs...
6721 / 6721 [====================================================================================================================] 100.00% 13s
[Sep 21 07:44:29] INFO Refreshed 6721 Nvds.


Now we successfully collected vulnerability data, then started as server mode again.

root@ubuntu:~/go# go-cve-dictionary server
[Sep 22 05:47:48] INFO Opening DB. datafile: /root/go/cve.sqlite3
[Sep 22 05:47:48] INFO Migrating DB
[Sep 22 05:47:48] INFO Starting HTTP Server...
[Sep 22 05:47:48] INFO Listening on

root@ubuntu:~/go# ls -alh cve.sqlite3
-rw-r--r-- 1 root root 561M Sep 21 07:53 cve.sqlite3

4) Deploy vuls

Run this go command to deploy vuls.

root@ubuntu:/# go get

5) Creating vuls configuration

We can create the vuls configuration file in TOML format  to scan the target servers. I've just modified the vuls configuration file to scan my local server.

root@ubuntu:vuls# cat config.toml



host = "" port = "22" user = "root" keyPath = "/root/.ssh/id_rsa"

You can add as many servers as you need in the configuration file with these details and run a config test to validate.

root@ubuntu:/# vuls configtest
[Sep 21 03:01:56] INFO [localhost] Validating Config...
[Sep 21 03:01:56] INFO [localhost] Detecting Server/Contianer OS...
[Sep 21 03:01:56] INFO [localhost] Detecting OS of servers...
[Sep 21 03:01:57] INFO [localhost] (1/1) Detected: 45-33-77-70: ubuntu 16.04
[Sep 21 03:01:57] INFO [localhost] Detecting OS of containers...
[Sep 21 03:01:57] INFO [localhost] Checking sudo configuration...
[Sep 21 03:01:57] INFO [45-33-77-70] sudo ... OK
[Sep 21 03:01:57] INFO [localhost] SSH-able servers are below...

6) Setting up target servers for vuls

You can run this command "vuls prepare" to set up all the target servers specified in the vuls configuration file.

root@ubuntu:/# vuls prepare
INFO[0000] Start Preparing (config: /config.toml)
[Sep 21 03:02:46] INFO [localhost] Detecting OS...
[Sep 21 03:02:46] INFO [localhost] Detecting OS of servers...
[Sep 21 03:02:46] INFO [localhost] (1/1) Detected: 45-33-77-70: ubuntu 16.04
[Sep 21 03:02:46] INFO [localhost] Detecting OS of containers...
[Sep 21 03:02:46] INFO [localhost] Checking sudo configuration...
[Sep 21 03:02:46] INFO [45-33-77-70] sudo ... OK
[Sep 21 03:02:46] INFO [localhost] Installing...
[Sep 21 03:02:46] INFO [45-33-77-70] apt-get update...

7) Start scanning

We can scan our servers using the command "vuls scan".

root@ubuntu:~/go/vuls# vuls scan -report-json -cve-dictionary-dbpath=/root/go/cve.sqlite3
INFO[0000] Start scanning
INFO[0000] config: /root/go/vuls/config.toml
INFO[0000] cve-dictionary: /root/go/cve.sqlite3

We can even get a terminal based user interface to view our scan report. You can run this command "vuls tui" to access it.


That's all! You can refer this link for more options with Vuls scan command usage. I hope you enjoyed reading this article on vulnerability scanner. Please post your valuable comments and suggestions on this. You could also create a json reports of vuls output using VulsRepo. Have a good day :-)

Leave a Comment