Difference between revisions of "StarlingX/Security/CVE Scanning Procedure"
(→StarlingX CVE Scanning Procedure) |
(→Detailed Procedure for StarlingX) |
||
Line 7: | Line 7: | ||
==== Detailed Procedure for StarlingX ==== | ==== Detailed Procedure for StarlingX ==== | ||
Once Starling X is up and running (under the configuration that you prefer) is | Once Starling X is up and running (under the configuration that you prefer) is | ||
− | possible to follow the instructions | + | possible to follow the instructions for vulsctl tool |
[https://vuls.io/docs/en/install-with-vulsctl.html vulsctl] tool using | [https://vuls.io/docs/en/install-with-vulsctl.html vulsctl] tool using | ||
containers. | containers. | ||
Line 13: | Line 13: | ||
* StarlingX has Docker previously installed | * StarlingX has Docker previously installed | ||
* Manage Docker as a non-root user | * Manage Docker as a non-root user | ||
− | |||
− | |||
$ sudo groupadd docker | $ sudo groupadd docker | ||
− | |||
− | |||
− | |||
$ sudo usermod -aG docker $USER | $ sudo usermod -aG docker $USER | ||
− | |||
* Start Docker: | * Start Docker: | ||
− | |||
− | |||
$ sudo systemctl start docker | $ sudo systemctl start docker | ||
− | |||
* Set up CentOS repositories to install: git, wget and yum-utils | * Set up CentOS repositories to install: git, wget and yum-utils | ||
Line 32: | Line 23: | ||
[https://raw.githubusercontent.com/cloudrouter/centos-repo/master/CentOS-Base.repo | [https://raw.githubusercontent.com/cloudrouter/centos-repo/master/CentOS-Base.repo | ||
CentOS-Base.repo] to /etc/yum.repos.d/CentOS-Base.repo | CentOS-Base.repo] to /etc/yum.repos.d/CentOS-Base.repo | ||
− | |||
− | |||
sudo yum -y install git wget yum-util | sudo yum -y install git wget yum-util | ||
− | |||
− | * Set up SSH | + | * Set up SSH connection to the STX machine itself: |
− | |||
sudo ssh-copy-id sysadmin@192.168.204.2 | sudo ssh-copy-id sysadmin@192.168.204.2 | ||
− | |||
* Clone Vulsctl | * Clone Vulsctl | ||
− | |||
$ git clone https://github.com/vulsio/vulsctl.git | $ git clone https://github.com/vulsio/vulsctl.git | ||
− | |||
* Configure ssh conection to server to scan | * Configure ssh conection to server to scan | ||
− | |||
cat $HOME/vulsctl/config.toml | cat $HOME/vulsctl/config.toml | ||
[servers] | [servers] | ||
Line 57: | Line 40: | ||
user = "sysadmin" | user = "sysadmin" | ||
port = "22" | port = "22" | ||
− | |||
− | |||
* Fetch Vulnerability Database | * Fetch Vulnerability Database | ||
− | |||
cd vulsctl | cd vulsctl | ||
$ ./update-all.sh | $ ./update-all.sh | ||
− | |||
* Scan | * Scan | ||
− | |||
cd vulsctl | cd vulsctl | ||
./scan.sh | ./scan.sh | ||
− | |||
− | * | + | * Generate json report, edit the report.sh script first to use the -format-json |
option | option | ||
− | |||
cat vulsctl/report.sh | cat vulsctl/report.sh | ||
#!/bin/sh | #!/bin/sh | ||
Line 92: | Line 68: | ||
./report.sh | ./report.sh | ||
− | |||
− | * Filter the | + | * Filter the JSON report |
− | + | Vuls scan generates reports for all the CVEs discovered and valid on the STX iso. | |
However, according to the STX CVE policy: | However, according to the STX CVE policy: | ||
https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Support_Policy | https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Support_Policy | ||
− | Only CVEs meeting the criteria which | + | Only CVEs meeting the criteria which follow are accepted for fixing: |
− | |||
− | |||
− | |||
− | AV = Network | + | * Criticality >= 7 |
− | AC = Low | + | * Base Vector as: |
− | Au = None or Single | + | * AV = Network |
− | AI = Partial or Complete | + | * AC = Low |
+ | * Au = None or Single | ||
+ | * AI = Partial or Complete | ||
− | And a fix is available upstream | + | * And a fix is available upstream |
− | The script filters the | + | The script filters the JSON file generated by vuls scan: |
https://vuls.io/docs/en/install-with-vulsctl.html | https://vuls.io/docs/en/install-with-vulsctl.html | ||
Line 120: | Line 94: | ||
It runs as: | It runs as: | ||
− | |||
python cve_policy_filter.py <path to json file> <title of the report> | python cve_policy_filter.py <path to json file> <title of the report> | ||
− | |||
− | This generates a report in | + | This generates a report in text and HTML format with the list of CVEs meeting |
the StarlingX criteria as well as future CVEs we need to take care int he | the StarlingX criteria as well as future CVEs we need to take care int he | ||
future that does not have a fix in upstream yet. | future that does not have a fix in upstream yet. |
Revision as of 19:55, 25 October 2019
StarlingX CVE Scanning Procedure
StarlingX uses the Vuls vulnerability scanner (https://vuls.io/) for CVE scanning. Vuls is open-source, agent-less vulnerability scanner based on information from NVD, OVAL, etc.
Detailed Procedure for StarlingX
Once Starling X is up and running (under the configuration that you prefer) is possible to follow the instructions for vulsctl tool vulsctl tool using containers.
- StarlingX has Docker previously installed
- Manage Docker as a non-root user
$ sudo groupadd docker $ sudo usermod -aG docker $USER
- Start Docker:
$ sudo systemctl start docker
- Set up CentOS repositories to install: git, wget and yum-utils
* Copy from: [https://raw.githubusercontent.com/cloudrouter/centos-repo/master/CentOS-Base.repo CentOS-Base.repo] to /etc/yum.repos.d/CentOS-Base.repo
sudo yum -y install git wget yum-util
- Set up SSH connection to the STX machine itself:
sudo ssh-copy-id sysadmin@192.168.204.2
- Clone Vulsctl
$ git clone https://github.com/vulsio/vulsctl.git
- Configure ssh conection to server to scan
cat $HOME/vulsctl/config.toml [servers] [servers.localhost] host = "192.168.204.2" user = "sysadmin" port = "22"
- Fetch Vulnerability Database
cd vulsctl $ ./update-all.sh
- Scan
cd vulsctl ./scan.sh
- Generate json report, edit the report.sh script first to use the -format-json
option
cat vulsctl/report.sh #!/bin/sh docker pull vuls/vuls docker run --rm -it\ -v $PWD:/vuls \ vuls/vuls report \ -log-dir=/vuls/log \ -format-json \ -config=/vuls/config.toml \ -refresh-cve \ $@
./report.sh
- Filter the JSON report
Vuls scan generates reports for all the CVEs discovered and valid on the STX iso. However, according to the STX CVE policy: https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Support_Policy
Only CVEs meeting the criteria which follow are accepted for fixing:
- Criticality >= 7
- Base Vector as:
* AV = Network * AC = Low * Au = None or Single * AI = Partial or Complete
- And a fix is available upstream
The script filters the JSON file generated by vuls scan: https://vuls.io/docs/en/install-with-vulsctl.html
The script is located at:
https://review.opendev.org/#/c/685770/
It runs as:
python cve_policy_filter.py <path to json file> <title of the report>
This generates a report in text and HTML format with the list of CVEs meeting the StarlingX criteria as well as future CVEs we need to take care int he future that does not have a fix in upstream yet.
References
- Vuls Tutorial: https://vuls.io/docs/en/tutorial.html