Vuls is an open-source, agentless vulnerability scanner: it logs in to its targets over SSH instead of installing software on them. Vuls can scan multiple systems at once and send reports via email or Slack. It offers the fast, fast-root and deep scan modes, plus an offline option, which you select according to the situation.
Prerequisites
Ubuntu 22.04 server with minimum 4 GB RAM
Slack workspace (optional; only needed if you want reports posted to Slack)
Step 1 – Installing Dependencies
Create a directory for the vulnerability databases and the Vuls configuration:
sudo mkdir -p /usr/share/vuls-data
Make it owned by your (non-root) login user so that the fetch and scan commands below can write to it without sudo. $USER expands to your login name:
sudo chown -R $USER /usr/share/vuls-data
sudo apt update
Install the build and runtime dependencies. The databases are SQLite 3 files, so the package is sqlite3; debian-goodies provides the checkrestart utility that Vuls uses in the fast-root and deep scan modes:
sudo apt install sqlite3 git debian-goodies gcc make wget -y
Step 2 – Installing Go
sudo snap install go --classic
sudo nano /etc/profile.d/go-env.sh
export GOPATH=$HOME/go
export PATH=$PATH:$GOPATH/bin:/snap/bin
export sets an environment variable for the current shell and every process it starts. Here GOPATH points at a go directory under your home, and PATH gains $GOPATH/bin (where go install places compiled binaries) and /snap/bin (where the snap-installed go binary lives). Files in /etc/profile.d are read by login shells, so the settings persist across logins; source the file once to apply them to the current session:
sudo chmod +x /etc/profile.d/go-env.sh
source /etc/profile.d/go-env.sh
Step 3 – Installing and Running go-cve-dictionary
In this step you install go-cve-dictionary, a Go tool that downloads the National Vulnerability Database (NVD) into a local database, and then run it to fetch the data that Vuls will use. The NVD is the US government's repository of publicly reported cybersecurity vulnerabilities: CVE identifiers (Common Vulnerabilities and Exposures), summaries and impact analysis, published in a machine-readable format.
Clone and build as your own user, not with sudo. sudo resets the environment, so under sudo GOPATH would fall back to root's home and the binary would not land in $GOPATH/bin where the copy command below expects it. The directories are in your home, so no elevated rights are needed; only the copy into /usr/local/bin requires sudo:
mkdir -p $GOPATH/src/github.com/vulsio
cd $GOPATH/src/github.com/vulsio
git clone https://github.com/vulsio/go-cve-dictionary.git
cd go-cve-dictionary
make install
sudo cp $GOPATH/bin/go-cve-dictionary /usr/local/bin
Vuls writes its logs to /var/log/vuls; create the directory and make it writable by your user:
sudo mkdir -p /var/log/vuls
sudo chmod 700 /var/log/vuls
sudo chown -R $USER /var/log/vuls
Now fetch the NVD data:
go-cve-dictionary fetch nvd --dbpath /usr/share/vuls-data/cve.sqlite3
This command fetches NVD vulnerability data from 2002 to the current year and stores it in /usr/share/vuls-data/cve.sqlite3. The first run downloads a large amount of data and takes a while; rerun the same command whenever you want to refresh the database.
Step 4 – Installing goval-dictionary
OVAL (Open Vulnerability and Assessment Language) is an open language for expressing checks that determine whether a given software vulnerability exists on a system. Ubuntu publishes OVAL definitions for each release, and goval-dictionary downloads them into a local database. Build it the same way, as your own user:
cd $GOPATH/src/github.com/vulsio
git clone https://github.com/vulsio/goval-dictionary.git
cd goval-dictionary
make install
sudo cp $GOPATH/bin/goval-dictionary /usr/local/bin
goval-dictionary fetch ubuntu --dbpath=/usr/share/vuls-data/oval.sqlite3 22
The trailing 22 selects the definitions for Ubuntu 22.04. Fetch the definitions for every Ubuntu release you intend to scan; otherwise Vuls has no OVAL data for targets running that release.
Step 5 – Installing GOST
gost is a Go tool that downloads distribution security trackers (Debian, Ubuntu, Red Hat and Microsoft) into a local database. Here you fetch the Ubuntu security tracker, which records the vulnerability status of every package Ubuntu distributes. Build it as your own user, then create its log directory and fetch the data:
cd $GOPATH/src/github.com/vulsio
git clone https://github.com/vulsio/gost.git
cd gost
make install
sudo cp $GOPATH/bin/gost /usr/local/bin
sudo mkdir -p /var/log/gost
sudo chmod 700 /var/log/gost
sudo chown -R $USER /var/log/gost
gost fetch ubuntu --dbpath=/usr/share/vuls-data/gost.sqlite3
Step 6 – Installing Vuls
With all three dictionaries in place, download and compile Vuls itself, again as your own user:
mkdir -p $GOPATH/src/github.com/future-architect
cd $GOPATH/src/github.com/future-architect
git clone https://github.com/future-architect/vuls.git
cd vuls
make install
sudo cp $GOPATH/bin/vuls /usr/local/bin
Vuls reads config.toml from the current directory, so create it in the data directory (your user owns it, so no sudo is needed). The three dictionary sections point at the databases you fetched, and the first server entry is the local machine itself:
cd /usr/share/vuls-data
nano config.toml
[cveDict]
type = "sqlite3"
SQLite3Path = "/usr/share/vuls-data/cve.sqlite3"
[ovalDict]
type = "sqlite3"
SQLite3Path = "/usr/share/vuls-data/oval.sqlite3"
[gost]
type = "sqlite3"
SQLite3Path = "/usr/share/vuls-data/gost.sqlite3"
[servers]
[servers.localhost]
host = "localhost"
port = "local"
scanMode = [ "fast" ]
#scanMode = ["fast", "fast-root", "deep", "offline"]
Vuls provides four scan modes:
- Fast mode (default) scans without root privileges, needs nothing installed on the target and is very light on it: it reads the installed package list and compares versions against the dictionaries.
- Fast-root mode scans with root privileges (sudo on the target) and can additionally detect packages that have been upgraded but whose processes have not yet been restarted.
- Deep mode does everything fast-root does and also reads package changelogs, which can put a high load on the target.
- Offline mode scans a machine without internet access and can be combined with the other modes.
Validate the configuration and check the prerequisites for the selected scan mode:
vuls configtest
Output
[Jan 5 20:24:29] INFO [localhost] vuls-v0.22.0-build-20230105_201926_554ecc4
[Jan 5 20:24:29] INFO [localhost] Validating config...
[Jan 5 20:24:29] INFO [localhost] Detecting Server/Container OS...
[Jan 5 20:24:29] INFO [localhost] Detecting OS of servers...
[Jan 5 20:24:29] INFO [localhost] (1/1) Detected: localhost: ubuntu 22.10
[Jan 5 20:24:29] INFO [localhost] Detecting OS of containers...
[Jan 5 20:24:29] INFO [localhost] Checking Scan Modes...
[Jan 5 20:24:29] INFO [localhost] Checking dependencies...
[Jan 5 20:24:29] INFO [localhost] Dependencies... Pass
[Jan 5 20:24:29] INFO [localhost] Checking sudo settings...
[Jan 5 20:24:29] INFO [localhost] sudo ... No need
[Jan 5 20:24:29] INFO [localhost] It can be scanned with fast scan mode even if warn or err messages are displayed due to lack of dependent packages or sudo settings in fast-root or deep scan mode
[Jan 5 20:24:29] INFO [localhost] Scannable servers are below...
localhost
Vuls is now installed and configured on the local server.
Step 7 – Run a Local Scan
If scanMode is not set, the default is fast. Run the scan, then open the terminal UI to browse the results:
vuls scan
vuls tui
Vuls divides the report view into four panels:
- Scanned machines, located on the upper left, lists machines that Vuls scanned.
- Found vulnerabilities, located right of the machine list, shows the vulnerabilities Vuls found in installed packages.
- Detailed information, on the lower left, shows the details of the selected vulnerability pulled from the databases.
- Affected packages, located right of the detailed information, shows what the affected package versions are, and if there is a fixed version.
Step 8 – Configuring Multiple Target Machines
Vuls uses the checkrestart utility (from debian-goodies) to find packages that were updated but still need a restart. Install it on each target server:
sudo apt install debian-goodies -y
The target also needs an SSH server and an account that Vuls can log in to with a key; for fast-root or deep scans that account must be able to run sudo without a password. That is all that is required on the target. Log out and return to the Vuls server.
To add a new server for scanning, open config.toml
and add the following lines under the [servers]
mark:
[servers.target_name]
host = "target_ip"
port = "22"
user = "account_username"
keyPath = "/home/$username/.ssh/id_rsa"
scanMode = [ "deep" ] # "fast", "fast-root" or "deep"
Replace target_name with a name of your choice, target_ip with the IP address of the target server and account_username with the login name on the target, and give the path of the private key for that account. Vuls does not support SSH password authentication, so keyPath is required. An RSA key is shown; any key type your ssh client accepts works, because Vuls invokes the system ssh command.
Vuls runs ssh with strict host-key checking, so the target's host key must already be in the known_hosts file of the user running Vuls. Log in to the target once from the Vuls server with that key:
ssh account_username@target_ip -i /home/$username/.ssh/id_rsa
Answer yes at the host-key prompt, then log out with CTRL + D.
ssh also refuses a private key that is readable by anyone other than its owner, so make sure the key is mode 600:
chmod 600 /home/$username/.ssh/id_rsa
Then run the configuration test again:
vuls configtest
The output lists everything Vuls checked for each server, such as dependencies, sudo access and OS version; every target must appear in the "Scannable servers" list at the end.
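Adding targets by hand is fine for two or three machines; beyond that it pays to generate the [servers.*] tables and to catch the key-permission and scan-mode mistakes before vuls configtest does. The script below is an added example written for this page; it is not part of Vuls or of the original tutorial. It uses the Vuls field names shown above (host, port, user, keyPath, scanMode). The hosts-file layout, the placeholder host names and addresses, and the reliance on GNU stat (as on Ubuntu) are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of Vuls: generate [servers.*] entries for config.toml
# from a hosts list and flag keys that ssh would reject.
# The field names (host, port, user, keyPath, scanMode) are the ones Vuls uses;
# the hosts-file layout ("name host user keyPath [scanMode]") is this script's own.
set -eu

# Accept only the scan modes Vuls knows about.
valid_scan_mode() {
  case "$1" in
    fast|fast-root|deep|offline) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 when $1 is a regular file with mode 600 (owner read/write only);
# ssh refuses a private key that is readable by group or others.
key_perms_ok() {
  local key="$1" perms
  [ -f "$key" ] || return 1
  perms=$(stat -c '%a' "$key")   # GNU stat (Ubuntu); on macOS use stat -f '%Lp'
  [ "$perms" = "600" ]
}

# Print one server table. Args: name host user keyPath [scanMode]
gen_server_block() {
  local name="$1" host="$2" user="$3" key="$4" mode="${5:-fast}"
  valid_scan_mode "$mode" || { echo "error: unknown scanMode '$mode' for $name" >&2; return 1; }
  printf '[servers.%s]\nhost = "%s"\nport = "22"\nuser = "%s"\nkeyPath = "%s"\nscanMode = [ "%s" ]\n\n' \
    "$name" "$host" "$user" "$key" "$mode"
}

# Read "name host user keyPath [scanMode]" lines (blank lines and # comments are
# ignored) and print tables to append below [servers.localhost] in config.toml.
# Exit status 1 if any key is missing, badly permissioned, or a mode is unknown.
gen_servers_from_file() {
  local hosts_file="$1" rc=0 name host user key mode
  while read -r name host user key mode; do
    case "$name" in ''|'#'*) continue ;; esac
    if ! key_perms_ok "$key"; then
      echo "warning: $key for $name is missing or not mode 600" >&2
      rc=1
    fi
    gen_server_block "$name" "$host" "$user" "$key" "${mode:-fast}" || rc=1
  done < "$hosts_file"
  return $rc
}

# Usage: ./gen-vuls-servers.sh hosts.txt >> /usr/share/vuls-data/config.toml
# where hosts.txt holds lines such as (placeholder values):
#   web1 203.0.113.10 vuls /home/vuls/.ssh/id_rsa fast-root
if [ "${1:-}" != "" ]; then
  gen_servers_from_file "$1"
fi
```

Run it with the hosts file as the only argument and append its output to config.toml; a non-zero exit means at least one warning was printed, so inspect the output before appending. Host keys still have to be accepted once per target, as described above, because the script only checks the client-side key.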
Finale
Vuls is now installed on an Ubuntu 22.04 server, with the local machine and your remote targets configured as scan targets. To turn this into routine assessment, schedule the dictionary fetches, vuls scan and the report step with cron. Because scans are lightweight, they can also run on demand, for example as a step in a continuous deployment workflow.
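Scheduling the pipeline is where most Vuls installations go wrong: cron runs with a minimal PATH, the dictionary fetches are slow enough that you do not want them on every run, and the report step is what actually delivers the Slack message mentioned at the top of this page. The wrapper below is an added example written for this page, not a script shipped with Vuls or part of the original tutorial. It assumes the paths used throughout this tutorial, that the dictionary tools and vuls were copied to /usr/local/bin as shown, and that config.toml has a [slack] section with hookURL and channel; the one-day refresh threshold and the file name vuls-nightly.sh are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example, not part of Vuls: nightly wrapper for cron. It refreshes each
# dictionary only when its database file is older than MAX_DB_AGE_DAYS, then
# runs the scan and posts the report to Slack. Paths follow this tutorial; the
# staleness threshold and the script name are this script's own choices.
set -eu

# cron starts with a minimal PATH, so put the directories the binaries live in first.
export PATH=/usr/local/bin:/usr/bin:/bin:$PATH
VULS_DATA=/usr/share/vuls-data
MAX_DB_AGE_DAYS=1

# Return 0 when $1 exists and was modified less than $2*24 hours ago.
# find -mtime -N matches files whose age in whole days is below N.
db_is_fresh() {
  local db="$1" max_days="$2"
  [ -f "$db" ] || return 1
  [ -n "$(find "$db" -mtime -"$max_days" -print)" ]
}

# Skip the fetch when the database is fresh; otherwise run the fetch command
# given in the remaining arguments. Args: label db command...
refresh_if_stale() {
  local label="$1" db="$2"
  shift 2
  if db_is_fresh "$db" "$MAX_DB_AGE_DAYS"; then
    echo "$label: $db is fresh, skipping fetch"
    return 0
  fi
  echo "$label: refreshing $db"
  "$@"
}

run_pipeline() {
  cd "$VULS_DATA"   # vuls writes results/ relative to the working directory
  refresh_if_stale nvd  "$VULS_DATA/cve.sqlite3"  go-cve-dictionary fetch nvd --dbpath "$VULS_DATA/cve.sqlite3"
  refresh_if_stale oval "$VULS_DATA/oval.sqlite3" goval-dictionary fetch ubuntu --dbpath="$VULS_DATA/oval.sqlite3" 22
  refresh_if_stale gost "$VULS_DATA/gost.sqlite3" gost fetch ubuntu --dbpath="$VULS_DATA/gost.sqlite3"
  vuls scan -config "$VULS_DATA/config.toml"
  # -to-slack needs a [slack] section (hookURL, channel) in config.toml
  vuls report -config "$VULS_DATA/config.toml" -to-slack
}

# Save as vuls-nightly.sh and schedule it, e.g. in crontab -e (username is a placeholder):
#   0 2 * * * /home/username/vuls-nightly.sh >> /var/log/vuls/nightly.log 2>&1
# The pipeline runs only when the script is executed under that name, so the
# functions can be sourced and exercised without touching the real databases.
case "${0##*/}" in
  vuls-nightly.sh) run_pipeline ;;
esac
```

Because set -e is on, a failed fetch or scan aborts the run before a stale or partial report is posted; the log file under /var/log/vuls (which you made writable for your user in Step 3) then shows which step failed. Set MAX_DB_AGE_DAYS to 0 if you want every run to refresh all three databases regardless of age.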