Vuls and VulsRepo install on CentOS



  • Configure vuls on CentOS 7

    Install the epel-release repo package for needed dependencies

     sudo yum -y install epel-release
    

    Install dependencies

     sudo yum -y install sqlite git gcc make wget yum-utils redis nano
    

    Download Go

    wget https://dl.google.com/go/go1.10.1.linux-amd64.tar.gz
    

    Extract Go to /usr/local

    sudo tar -C /usr/local -xzf go1.10.1.linux-amd64.tar.gz
    

    Setup Go environment

    mkdir $HOME/go
    sudo nano /etc/profile.d/goenv.sh
    

    goenv.sh should contain

    export GOROOT=/usr/local/go
    export GOPATH=$HOME/go
    export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
    

    Update the current environment with the goenv.sh information

    source /etc/profile.d/goenv.sh
    

    Setup Go CVE dictionary

    sudo mkdir /var/log/vuls
    sudo chown youruser:youruser /var/log/vuls
    sudo chmod 700 /var/log/vuls
    mkdir -p $GOPATH/src/github.com/kotakanbe
    cd $GOPATH/src/github.com/kotakanbe
    git clone https://github.com/kotakanbe/go-cve-dictionary.git
    cd go-cve-dictionary
    make install
    

    Setup NVD vulnerability data. This bit took a while on my 1cpu, 1GB ram, 100mb/sec VM. Seems to have spent most of its time updating the database, so probably I/O bottlenecked in my case (single HDD). Also available in Japanese, see https://vuls.io/docs/en/install-manually-centos.html

    cd $HOME
    for i in `seq 2002 $(date +"%Y")`; do go-cve-dictionary fetchnvd -years $i; done
    

    Deploy the Goval Dictionary

    mkdir -p $GOPATH/src/github.com/kotakanbe
    cd $GOPATH/src/github.com/kotakanbe
    git clone https://github.com/kotakanbe/goval-dictionary.git
    cd goval-dictionary
    make install
    

    Fetch the distribution specific goval scanners. Also officially supports Alpine and Oracle Linux, but I don't use either on my Home Lab box.

    1. CentOS/Red Hat

      goval-dictionary fetch-redhat 7

    2. Debian

      goval-dictionary fetch-debian 7 8 9 10

    3. Ubuntu

      goval-dictionary fetch-ubuntu 12 14 16 18

    4. SUSE

      goval-dictionary fetch-suse -opensuse 13.2

    Deploy vuls

    mkdir -p $GOPATH/src/github.com/future-architect
    cd $GOPATH/src/github.com/future-architect
    git clone https://github.com/future-architect/vuls.git
    cd vuls
    make install
    

    Setup and scan localhost

    cd $HOME
    nano config.toml
    

    config.toml file should be

    [servers]
    
    [servers.localhost]
    host = "localhost"
    port = "local"
    

    Check the config

    vuls configtest
    

    Run a scan

    vuls scan
    

    The scan will display a one-line report by default. If you want more detailed information, you can use 'vuls tui', or enable the web-based VulsRepo.

    VulsRepo configuration

    cd $HOME
    git clone https://github.com/usiusi360/vulsrepo.git
    

    Run a scan with a report vulsrepo can read

    vuls report -format-json
    

    Create the config file and update the PATHs. The instructions say to use hardcoded path statements instead of ~ or $HOME.

    cd $HOME/vulsrepo/server
    cp vulsrepo-config.toml.sample vulsrepo-config.toml
    

    Set the paths according to your environment

    nano vulsrepo-config.toml
    
    [Server]
    rootPath = "/home/your user/vulsrepo"
    resultsPath  = "/home/your user/results"
    serverPort  = "5111"
    #serverIP = "127.0.0.1"
    #serverSSL = "yes"
    #serverCert = "cert.pem"
    #serverKey = "key.pem"
    
    #[Auth]
    #authFilePath = "/home/vuls-user/.htdigest"
    #realm = "vulsrepo_local"
    

    Update the vulsrepo.service file with the correct paths as well

    nano ./scripts/vulsrepo.service
    
    [Unit]
    Description=vulsrepo daemon
    Documentation=https://github.com/usiusi360/vulsrepo
    
    [Service]
    ExecStart = /home/your user/vulsrepo/server/vulsrepo-server
    ExecRestart = /bin/kill -WINCH ${MAINPID} ; /home/your user/vulsrepo/server/vulsrepo-server
    ExecStop = /bin/kill -WINCH ${MAINPID}
    Restart = no
    Type = simple
    User = your user
    Group = your user group (normally the same as your user)
    
    [Install]
    WantedBy = multi-user.target
    

    Copy the service file to /lib/systemd/system

    sudo cp $HOME/vulsrepo/server/scripts/vulsrepo.service /lib/systemd/system/vulsrepo.service
    

    Enable the service

    sudo systemctl enable vulsrepo
    

    Start the service

    sudo systemctl start vulsrepo
    

    Open the firewall port

    sudo firewall-cmd --permanent --add-port=5111/tcp
    sudo firewall-cmd --reload
    

    I have my instance running behind a reverse proxy that handles SSL. If you don't have a reverse proxy, GET SSL CONFIGURED NOW! vulsrepo.travisdh1.net

    Setup basic authentication, so the entire internet can't see all of your vulnerabilities!

    /home/your user/vulsrepo/server/vulsrepo-server -m
    
    Password: lots of gobblygook
    AuthFile Path	:  /home/travis/.htdigest
    realm		:  vulsrepo_local
    login user	:  vuls
    2018/06/29 16:33:17 main.go:100: Create Success
    

    Update the server settings

    nano /home/travis/vulsrepo/server/vulsrepo-config.toml
    
    [Server]
    rootPath = "/home/travis/vulsrepo"
    resultsPath  = "/home/travis/results"
    serverPort  = "5111"
    #serverIP = "127.0.0.1"
    #serverSSL = "yes"
    #serverCert = "cert.pem"
    #serverKey = "key.pem"
    
    [Auth]
    authFilePath = "/home/travis/.htdigest"
    realm = "vulsrepo_local"
    

    Restart the service

    sudo systemctl restart vulsrepo
    

    Add a custom crontab to schedule scans. I set mine to run a scan every day at 1AM

    crontab -e
    
    0 1 * * * vuls report -format-json
    

    A few parting thoughts.

    If I were to install this again, I'd create a different user for it to run as and install it in /opt. I'd also like to see a lot better security on the web-based viewer than what's currently in place before actually deploying this. I'd also just make all the configuration changes to the config files at once rather than editing the same file 2-3 times.
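
Added example, not part of the original post or the VulsRepo project: a shell check that reports whether digest authentication in vulsrepo-config.toml is actually in effect. It relies on the TOML rule that a key belongs to the nearest uncommented table header above it, so an authFilePath sitting under [Server] is flagged; the function name and its output strings are made up for this example, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: report whether VulsRepo digest auth is really switched on.
# Assumes the table and key names of vulsrepo-config.toml shown in the post.

vulsrepo_auth_status() {
    conf=$1
    # Find the last uncommented authFilePath and the table it falls under.
    hit=$(awk '
        /^[ \t]*#/ { next }                     # commented line: not in effect
        /^[ \t]*\[/ {                           # table header, e.g. [Server]
            sec = $0
            sub(/^[ \t]*\[[ \t]*/, "", sec); sub(/[ \t]*\].*$/, "", sec)
            next
        }
        /^[ \t]*authFilePath[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*"/, "", val); sub(/".*$/, "", val)
            found = 1; where = sec; file = val
        }
        END { if (found) print where " " file }' "$conf")

    [ -n "$hit" ] || { echo "disabled"; return 1; }
    sec=${hit%% *}; digest=${hit#* }
    # A key belongs to the nearest header above it; "#[Auth]" is no header.
    [ "$sec" = "Auth" ] || { echo "misplaced:$sec"; return 1; }
    # The digest file holds password hashes: expect owner-only access.
    if [ -e "$digest" ] && [ "$(ls -ld -- "$digest" | cut -c5-10)" != "------" ]; then
        echo "weak-perms"; return 1
    fi
    echo "enabled"
}

# Constructed sample: the [Auth] header is still commented out.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[Server]
rootPath = "/home/your user/vulsrepo"
serverPort = "5111"

#[Auth]
authFilePath = "/home/your user/.htdigest"
realm = "vulsrepo_local"
EOF
vulsrepo_auth_status "$demo" || true     # prints: misplaced:Server
rm -f "$demo"
```

Run it against the live config after each edit and before opening port 5111; any result other than `enabled` returns a non-zero exit status, so it can gate a deploy script.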



  • Do we need to configure any SELinux permissions?



  • This looks not super user friendly.

    0_1530307413582_4928E669-DC4A-4551-B120-A4EF4BFB6161.png



  • In further testing, a Fedora distribution breaks the scan. So its functionality is questionable even in my home lab.



  • @black3dynamite said in Vuls and VulsRepo install on CentOS:

    Do we need to configure any SELinux permissions?

    I didn't need to.



  • @stacksofplates said in Vuls and VulsRepo install on CentOS:

    This looks not super user friendly.

    0_1530307413582_4928E669-DC4A-4551-B120-A4EF4BFB6161.png

    Better than the tui tho.



  • I was trying to understand how to read that report I posted from your site. I can't figure it out.



  • @stacksofplates said in Vuls and VulsRepo install on CentOS:

    I was trying to understand how to read that report I posted from your site. I can't figure it out.

    I honestly haven't dug into it yet, but it also doesn't look like it's worth the time either.

