Difference between revisions of "StarlingX/Security/CVE Scanning Procedure"

Latest revision as of 13:44, 24 April 2024

StarlingX CVE Scanning Procedure

StarlingX uses the Vuls vulnerability scanner (https://vuls.io/) for CVE scanning. Vuls is open-source, agent-less vulnerability scanner based on information from NVD, OVAL, etc.

Detailed Procedure for StarlingX

Once Starling X is up and running (under the configuration that you prefer) is possible to follow the instructions for vulsctl tool vulsctl tool using containers.

StarlingX has Docker previously installed
Manage Docker as a non-root user

   $ sudo groupadd docker
   $ sudo usermod -aG docker $USER

Start Docker:

   $ sudo systemctl start docker

Set up CentOS repositories to install: git, wget and yum-utils

* Copy from: CentOS-Base.repo to /etc/yum.repos.d/CentOS-Base.repo

   sudo yum -y install git wget yum-util

Set up SSH connection to the STX machine itself:

   sudo ssh-copy-id sysadmin@192.168.204.2

Clone Vulsctl

   $ git clone https://github.com/vulsio/vulsctl.git

Configure ssh conection to server to scan

   cat $HOME/vulsctl/config.toml
   [servers]
   [servers.localhost]
   host = "192.168.204.2"
   user = "sysadmin"
   port = "22"

Fetch Vulnerability Database

   cd vulsctl
   $ ./update-all.sh

Scan

   cd vulsctl
   ./scan.sh

Generate json report, edit the report.sh script first to use the -format-json

option

   cat vulsctl/report.sh
   #!/bin/sh
   docker pull vuls/vuls
   docker run --rm -it\
       -v $PWD:/vuls \
       vuls/vuls report \
       -log-dir=/vuls/log \
       -format-json \
       -config=/vuls/config.toml \
       -refresh-cve \
       $@

   ./report.sh

Filter the JSON report

Vuls scan generates reports for all the CVEs discovered and valid on the STX iso. However, according to the STX CVE policy:

Only CVEs meeting the criteria which follow are accepted for fixing:

Criticality >= 7
Base Vector as:

       * AV = Network
       * AC = Low
       * Au = None or Single
       * AI = Partial or Complete

And a fix is available upstream

The script is located at in Gerrit (latest: opendev.org)

It runs as:

   python cve_policy_filter.py <path to json file> <title of the report>

This generates a report in text and HTML format with the list of CVEs meeting the StarlingX criteria as well as future CVEs we need to take care int he future that does not have a fix in upstream yet.

References

Vuls Tutorial: https://vuls.io/docs/en/tutorial.html

@@ Line 7: / Line 7: @@
 ==== Detailed Procedure for StarlingX ====
 Once Starling X is up and running (under the configuration that you prefer) is
-possible to follow the instructions vor vulsctl
+possible to follow the instructions for vulsctl tool
 [https://vuls.io/docs/en/install-with-vulsctl.html vulsctl] tool using
 containers.
@@ Line 13: / Line 13: @@
 * StarlingX has Docker previously installed
 * Manage Docker as a non-root user
-<code>
      $ sudo groupadd docker
-</code>
-<code>
      $ sudo usermod -aG docker $USER
-</code>
 * Start Docker:
-<code>
      $ sudo systemctl start docker
-</code>
 * Set up CentOS repositories to install: git, wget and yum-utils
 	* Copy from:
-[https://raw.githubusercontent.com/cloudrouter/centos-repo/master/CentOS-Base.repo
+[https://raw.githubusercontent.com/cloudrouter/centos-repo/master/CentOS-Base.repo CentOS-Base.repo] to /etc/yum.repos.d/CentOS-Base.repo
-CentOS-Base.repo] to /etc/yum.repos.d/CentOS-Base.repo
-<code>
      sudo yum -y install git wget yum-util
-</code>
-* Set up SSH conection to the STX machine itself:
+* Set up SSH connection to the STX machine itself:
-<code>
      sudo ssh-copy-id sysadmin@192.168.204.2
-</code>
 * Clone Vulsctl
-<code>
      $ git clone https://github.com/vulsio/vulsctl.git
-</code>
 * Configure ssh conection to server to scan
-<code>
      cat $HOME/vulsctl/config.toml
      [servers]
@@ Line 57: / Line 39: @@
      user = "sysadmin"
      port = "22"
-</code>
 * Fetch Vulnerability Database
-<code>
      cd vulsctl
      $ ./update-all.sh
-</code>
 * Scan
-<code>
      cd vulsctl
      ./scan.sh
-</code>
-* Gerate json report, edit the report.sh script first to use the -format-json
+* Generate json report, edit the report.sh script first to use the -format-json
 option
-<code>
      cat vulsctl/report.sh
      #!/bin/sh
@@ Line 92: / Line 67: @@
      ./report.sh
-</code>
-* Filter the json report
-Vulscan generates reports for all the CVEs discovered and valid on the STX iso.
-However, according to the STX CVE policy:
-https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Support_Policy
-Only CVEs meeting the criteria which follows are accepted for fixing:
+* Filter the JSON report
-Criticality >= 7
+Vuls scan generates reports for all the CVEs discovered and valid on the STX iso.
-Base Vector as:
+However, according to the [https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Support_Policy STX CVE policy]:
-AV = Network
-AC = Low
-Au = None or Single
-AI = Partial or Complete
-And a fix is available upstream
+Only CVEs meeting the criteria which follow are accepted for fixing:
-The script filters the json file generated by vuls scan:
+* Criticality >= 7
-https://vuls.io/docs/en/install-with-vulsctl.html
+* Base Vector as:
+        * AV = Network
+        * AC = Low
+        * Au = None or Single
+        * AI = Partial or Complete
-The script is located at:
+* And a fix is available upstream
-https://review.opendev.org/#/c/685770/
+The script is located at in [https://review.opendev.org/#/c/685770/ Gerrit] (latest: [https://opendev.org/starlingx/tools/src/branch/master/cve_support opendev.org])
 It runs as:
-<code>
      python cve_policy_filter.py <path to json file> <title of the report>
-</code>
-This generates a report in txt and html format with the list of CVEs meeting
+This generates a report in text and HTML format with the list of CVEs meeting
 the StarlingX criteria as well as future CVEs we need to take care int he
 future that does not have a fix in upstream yet.