
Vulnerability scanner for Linux and FreeBSD - snehesht
https://github.com/future-architect/vuls
======
DominoTree
TL;DR "Give a single machine root access across your entire enterprise so you
don't have to manually check each machine for security updates in the vendor-
supplied packages"

Instead of dealing with this thing, I suggest looking at some existing system
management tools like Landscape for Ubuntu or Spacewalk for CentOS/RHEL to
handle managed updates... or learning how to set up a cron job to email you
when security updates are available.

~~~
lamontcg
Also, it means that one machine is going to have to be ssh'ing into every
server that you have on a constant basis, which creates load on that
centralized server doing the computational part of the ssh connection setup
and teardown and all the encryption and hmac'ing. And ssh is not designed to
be a lightweight protocol, and it would be simply awful to try to maintain
persistent authenticated ssh connections from the management host to every
server being monitored.

Really "agentless" is all a lie. The "agent" in most cases is usually sshd and
you can really do better.

Also for this kind of software it makes sense to simply leverage the
underlying configuration management system the admin is using. If they're
using chef/puppet/cfengine they push out the client over the top of an agent-
based protocol. If they're using ansible or salt they'll deploy it
"agentless"-ly.

They've actually done more work to support this root-trust remote management
model when they could have simplified the problem domain to just running their
code (as an agent) and reporting on the one host it's running on.

It seems to have been developed to tick off a buzzword ("agentless") which
could have been avoided altogether.

------
mordocai
"Vuls doesn't support SSH password authentication. So you have to use SSH key-
based authentication. And also, SUDO with password is not supported for
security reasons. So you have to define NOPASSWORD in /etc/sudoers on target
servers."

No thank you.

~~~
Perixoog
Alternatively - pam_ssh_agent_auth

~~~
mordocai
I was complaining more about the sudo part. Probably should have just had that
in the quote.

~~~
LukeShu
I think you misunderstood Perixoog's comment. Sudo uses PAM to ask for the
password. pam_ssh_agent_auth is a PAM module that uses ssh-agent
authentication instead of a password. Perixoog is saying that instead of
setting NOPASSWORD, you could configure pam_ssh_agent in /etc/pam.d/sudo, and
have it use the pre-existing SSH authentication as the "password", instead of
having it prompt for a password.

But the part I'm concerned about is that they seem to think that having
password-less sudo is a security win.

~~~
smhenderson
_But the part I'm concerned about is that they seem to think that having
password-less sudo is a security win._

I thought they were saying they don't want people's passwords. People reuse
them, naive people giving up an actual root password, etc.

Not sure they mean always using NOPASSWORD is good for security.

~~~
LukeShu
Sure, giving the password to an application is a mess. Because if the
application is compromised, the attacker now has the application's sudo
password (i.e., the vuls user's password, not the root password), and that's a
bad deal. But just having it NOPASSWORD wide open is strictly worse. A knee-
jerk reaction is to avoid passwords because it's another attack surface that
can be broken open, but in this case just getting rid of it is strictly worse.
With SSH, disabling password auth is turning the locked door into a solid
brick wall. With this, NOPASSWORD is taking the door off the hinges because
you are afraid of someone picking it.
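
LukeShu's two comments above describe the alternative to the README's password-less sudo rule: let sudo authenticate through pam_ssh_agent_auth against the forwarded ssh-agent instead of either a password or a blanket NOPASSWD rule (the sudoers tag is spelled NOPASSWD). As an added example, not from the thread, from Vuls, or from any commenter, here is a small Python audit that parses a sudoers file and an /etc/pam.d/sudo file, flags principals that can run anything without a password, and checks whether the PAM module and the `env_keep += "SSH_AUTH_SOCK"` default it depends on are present. Both sample files are constructed for the demo; the `NOPASSWD:` tag, the `env_keep` default and the pam_ssh_agent_auth.so `file=` option are real syntax.

```python
"""Audit sudoers and /etc/pam.d/sudo: blanket NOPASSWD rules versus
pam_ssh_agent_auth. Added example; sample files are constructed."""
import re

# Constructed /etc/pam.d/sudo with the agent module first in the auth stack.
SAMPLE_PAM_SUDO = """\
#%PAM-1.0
# accept a key from the forwarded ssh-agent instead of prompting for a password
auth       sufficient   pam_ssh_agent_auth.so file=/etc/security/authorized_keys
auth       include      system-auth
account    include      system-auth
session    include      system-auth
"""

# Constructed sudoers: one blanket NOPASSWD rule (the kind the README asks
# for) and one NOPASSWD rule scoped to a single command.
SAMPLE_SUDOERS = """\
Defaults    env_reset
Defaults    env_keep += "SSH_AUTH_SOCK"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
vuls    ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# user host=(runas) [TAG: ...] commands
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return (rules, defaults). Aliases are not expanded and
    @include / #include directives are not followed."""
    rules, defaults = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            defaults.append(line)
            continue
        m = RULE.match(line)
        if m:
            tags = {t.strip(":") for t in m.group("tags").split()}
            rules.append({
                "who": m.group("who"),
                "runas": m.group("runas") or "",
                "nopasswd": "NOPASSWD" in tags,
                "cmds": m.group("cmds").strip(),
            })
    return rules, defaults


def passwordless_root(rules):
    """Principals that can run any command with no password at all."""
    return [r["who"] for r in rules if r["nopasswd"] and r["cmds"] == "ALL"]


def agent_auth_configured(pam_text):
    """True if the auth stack in /etc/pam.d/sudo lists pam_ssh_agent_auth."""
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if (len(fields) >= 3 and fields[0] == "auth"
                and fields[2].startswith("pam_ssh_agent_auth")):
            return True
    return False


def keeps_ssh_auth_sock(defaults):
    """sudo resets the environment; SSH_AUTH_SOCK must be kept or the PAM
    module cannot reach the forwarded agent."""
    return any("env_keep" in d and "SSH_AUTH_SOCK" in d for d in defaults)


def audit(sudoers_text, pam_text):
    rules, defaults = parse_sudoers(sudoers_text)
    return {
        "passwordless_root": passwordless_root(rules),
        "agent_auth": agent_auth_configured(pam_text),
        "ssh_auth_sock_kept": keeps_ssh_auth_sock(defaults),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_SUDOERS, SAMPLE_PAM_SUDO)
    for who in result["passwordless_root"]:
        print(f"finding: {who} has NOPASSWD: ALL; prefer PAM agent auth")
    if result["agent_auth"] and not result["ssh_auth_sock_kept"]:
        print("finding: pam_ssh_agent_auth set but SSH_AUTH_SOCK not kept")
```

The parser is deliberately minimal (no alias expansion, no include following), so it is a screening check, not a replacement for `visudo -c`. The point it makes visible is the one in the thread: with the module in place, the scanner account keeps a normal `ALL` rule and authenticates with the key it already used for SSH, so nothing is left "wide open".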

------
voltagex_

    // install aptitude
    cmd = util.PrependProxyEnv("apt-get install --force-yes -y aptitude")

I really don't like saying bad things about someone's project, but a "scanner"
really really really shouldn't be making configuration changes to boxes,
especially without prompting.

~~~
kotakanbe
I see. I will improve.

~~~
voltagex_
Excellent. Don't take the comments here too much to heart. Off the top of my
head, a couple of things you could look at:

* Don't use root where you don't need to - can you parse package lists / vulnerability databases as a normal user?

* Would the design be better inverted? Systems push their list of installed packages / versions to your application to be checked.

~~~
kotakanbe
Thanks :)

> * Don't use root where you don't need to - can you parse package lists /
> vulnerability databases as a normal user?

Yes, Vuls can scan without root on FreeBSD and Amazon Linux. If you know how
to scan without root on CentOS, Debian, RHEL, Ubuntu, please let me know. I
also don't want to use root.

> * Would the design be better inverted? Systems push their list of installed
> packages / versions to your application to be checked.

Not so easy. The package version and release name are not in semantic
versioning format. This is an output of the show-package-versions command on
Ubuntu.

    locales            2.13+git20120306-21
    login              1:4.1.5.1-1.1ubuntu7
    lsb-base           9.20160110
    make               4.1-6
    mawk               1.3.3-17ubuntu2
    mime-support       3.59ubuntu1
    multiarch-support  2.21-0ubuntu5

Impossible!!

~~~
voltagex_
But how is the command you mention getting that information? Couldn't you
parse the package database in the same way?

~~~
kotakanbe
Vuls parses the changelog of upgradable packages on Ubuntu, Debian, CentOS.

For details, see the flow chart in the Scanning Flow section.
[https://github.com/future-architect/vuls#scanning-flow](https://github.com/future-architect/vuls#scanning-flow)

------
Cieplak
Anyone know of good resources for securing USB and disk firmware? I've found
the CCC presentations rather enlightening, as well as Andrew Huang's amazing
work, but still feel like we live in the dark ages with respect to hardware
security.

~~~
Palomides
presumably an OS-level mitigation could intercept (some) attempts to write to
drive firmwares, but I'm not aware of any actual implementations. it's a very
ugly situation.

------
andrewvijay
Hypothetical question: if all this OS software were written in a memory-safe
language like, say, Rust, would it be possible to get rid of these 'off by two'
and 'out of bounds' errors completely, making the world a better place?

~~~
outworlder
Hypothetically, yes.

But please don't think of Rust (or anything else) as a silver bullet. If you
are doing systems programming you are going to deal with unsafe code somewhat
frequently. And, by not being exposed to this kind of programming often
enough, it's possible that more errors will slip through the cracks.

Then there's a whole class of errors that cannot be prevented by memory safe
languages. They cannot prevent crappy practices.

~~~
pjmlp
While true, it is quite different to have to worry about, let's say, 10% of
the code, easily tracked down by unsafe blocks, or every time a string, array,
memory allocation or numeric manipulation is performed.

------
loeg
How does this compare with, e.g., `pkg audit` for FreeBSD?
[https://www.freebsd.org/doc/handbook/security-pkg.html](https://www.freebsd.org/doc/handbook/security-pkg.html)

~~~
viraptor
FreeBSD doc says that their database is maintained by their developers. The
Vuls page shows it takes data from NVD. I haven't looked into the details, but
a rough guess would be that pkg-audit is better if it's really kept up to
date. NVD's version patterns have lots of issues in my experience and often
need manual verification.

~~~
kasabali
If I understand the diagram in the README right, this one is no different. It
just analyzes changelogs of not-yet-updated packages, which are in turn
prepared by distribution maintainers. NVD is just used for adding details of
the CVEs that have been found.

~~~
kotakanbe
> NVD is just used for adding details of the CVEs that have been found.

Yes.

Vuls issues the commands below.

    FreeBSD ... pkg audit -F
    RHEL ... yum plugin security
    Amazon Linux ... yum plugin security
    CentOS ... analyze changelogs
    Debian ... analyze changelogs
    Ubuntu ... analyze changelogs

------
kotakanbe
VulsRepo is a visualizer based on the JSON report output of Vuls.
[https://github.com/usiusi360/vulsrepo](https://github.com/usiusi360/vulsrepo)

It is useful to analyze vulnerabilities that are detected by Vuls.

------
SteveNuts
Spring for Nessus if you're looking for a solid vulnerability scanner.

------
nik1aa5
Use `pkg audit` on FreeBSD and read the "periodic" emails.

~~~
crest
Or run pkg audit -F (with a nice random sleep) from your monitoring system.

~~~
kotakanbe
FreeBSD's pkg command is awesome.

Vuls issues pkg audit -F and parses the results, and then sends a notification
via Slack or email with some additional information (NVD data).

------
kasabali
See debsecan for Debian

[https://packages.debian.org/jessie/debsecan](https://packages.debian.org/jessie/debsecan)

