From 2e7c34cf9f4b2e5d60cd972353ff4508a8292514 Mon Sep 17 00:00:00 2001 From: knqyf263 Date: Wed, 25 Jan 2017 08:00:14 +0900 Subject: [PATCH] Add -log-dir option --- README.ja.md | 73 ++++++++++++++++++++++++------------------ README.md | 32 ++++++++++++------ commands/configtest.go | 16 ++++++--- commands/prepare.go | 6 ++++ commands/report.go | 6 ++++ commands/scan.go | 6 ++++ config/config.go | 1 + scan/base_test.go | 2 +- util/logutil.go | 18 ++++++++--- 9 files changed, 109 insertions(+), 51 deletions(-) diff --git a/README.ja.md b/README.ja.md index 281eaf469c..15a6b08e52 100644 --- a/README.ja.md +++ b/README.ja.md @@ -76,7 +76,7 @@ Hello Vulsチュートリアルでは手動でのセットアップ方法で説 ---- -# Hello Vuls +# Hello Vuls 本チュートリアルでは、Amazon EC2にVulsをセットアップし、自分に存在する脆弱性をスキャンする方法を説明する。 手順は以下の通り @@ -136,7 +136,7 @@ $ wget https://storage.googleapis.com/golang/go1.7.1.linux-amd64.tar.gz $ sudo tar -C /usr/local -xzf go1.7.1.linux-amd64.tar.gz $ mkdir $HOME/go ``` -/etc/profile.d/goenv.sh を作成し、下記を追加する。 +/etc/profile.d/goenv.sh を作成し、下記を追加する。 ```bash export GOROOT=/usr/local/go @@ -229,7 +229,7 @@ $ vuls prepare ``` -$ vuls scan +$ vuls scan ... snip ... Scan Summary @@ -243,7 +243,7 @@ Scan Summary View one-line summary ``` -$ vuls report -format-one-line-text -cvedb-path=$PWD/cve.sqlite3 +$ vuls report -format-one-line-text -cvedb-path=$PWD/cve.sqlite3 One Line Summary ================ @@ -254,7 +254,7 @@ One Line Summary View short summary. ``` -$ vuls report -format-short-text -cvedb-path=$PWD/cve.sqlite3 +$ vuls report -format-short-text -cvedb-path=$PWD/cve.sqlite3 172-31-4-8 (amazon 2015.09) =========================== @@ -275,7 +275,7 @@ CVE-2016-0705 10.0 (High) Double free vulnerability in the dsa_priv_decode View full report. ``` -$ vuls report -format-full-text -cvedb-path=$PWD/cve.sqlite3 +$ vuls report -format-full-text -cvedb-path=$PWD/cve.sqlite3 172-31-4-82 (amazon 2015.09) ============================ 
@@ -359,13 +359,13 @@ Vulsをスキャン対象サーバにデプロイする。Vulsはローカルホ - Amazon, RHEL and FreeBSD 高速にスキャンし、スキャン対象サーバのリソース消費量は小さい。 -| Distribution| Scan Speed | +| Distribution| Scan Speed | |:------------|:-------------------| | Ubuntu | 初回は遅い / 2回目以降速い | | Debian | 初回は遅い / 2回目以降速い | | CentOS | 速い | -| Amazon | 速い | -| RHEL | 速い | +| Amazon | 速い | +| RHEL | 速い | | FreeBSD | 速い | ---- @@ -567,7 +567,7 @@ host = "172.31.4.82" Vulsは各サーバにSSHで接続するが、Goのネイティブ実装と、OSコマンドの2種類のSSH接続方法をサポートしている。 詳細は [-ssh-external option](/~https://github.com/future-architect/vuls/blob/master/README.ja.md#-ssh-external-option) を参照。 - + また、以下のSSH認証をサポートしている。 - SSH agent - SSH public key authentication (with password, empty password) @@ -575,7 +575,7 @@ host = "172.31.4.82" ---- -# Usage: Configtest +# Usage: Configtest configtestサブコマンドは、config.tomlで定義されたサーバ/コンテナに対してSSH可能かどうかをチェックする。 @@ -584,6 +584,7 @@ $ vuls configtest --help configtest: configtest [-config=/path/to/config.toml] + [-log-dir=/path/to/log] [-ask-key-password] [-ssh-external] [-debug] @@ -595,6 +596,8 @@ configtest: /path/to/toml (default "/Users/kotakanbe/go/src/github.com/future-architect/vuls/config.toml") -debug debug mode + -log-dir string + /path/to/log (default "/var/log/vuls") -ssh-external Use external ssh command. Default: Use the Go native implementation ``` @@ -635,6 +638,7 @@ $ vuls prepare -help prepare: prepare [-config=/path/to/config.toml] + [-log-dir=/path/to/log] [-ask-key-password] [-debug] [-ssh-external] @@ -646,6 +650,8 @@ prepare: /path/to/toml (default "$PWD/config.toml") -debug debug mode + -log-dir string + /path/to/log (default "/var/log/vuls") -ssh-external Use external ssh command. Default: Use the Go native implementation ``` @@ -660,6 +666,7 @@ scan: scan [-config=/path/to/config.toml] [-results-dir=/path/to/results] + [-log-dir=/path/to/log] [-cachedb-path=/path/to/cache.db] [-ssh-external] [-containers-only] 
@@ -675,17 +682,19 @@ scan: -cachedb-path string /path/to/cache.db (local cache of changelog for Ubuntu/Debian) -config string - /path/to/toml + /path/to/toml -containers-only Scan containers only. Default: Scan both of hosts and containers -debug debug mode -http-proxy string http://proxy-url:port (default: empty) + -log-dir string + /path/to/log (default "/var/log/vuls") -pipe Use stdin via PIPE -results-dir string - /path/to/results + /path/to/results -skip-broken [For CentOS] yum update changelog with --skip-broken option -ssh-external @@ -696,7 +705,7 @@ scan: Vulsは2種類のSSH接続方法をサポートしている。 -デフォルトでは、Goのネイティブ実装 (crypto/ssh) を使ってスキャンする。 +デフォルトでは、Goのネイティブ実装 (crypto/ssh) を使ってスキャンする。 これは、SSHコマンドがインストールされていない環境でも動作する(Windowsなど) 外部SSHコマンドを使ってスキャンするためには、`-ssh-external`を指定する。 @@ -706,7 +715,7 @@ CentOSでは、スキャン対象サーバの/etc/sudoersに以下を追加す Defaults:vuls !requiretty ``` -## -ask-key-password option +## -ask-key-password option | SSH key password | -ask-key-password | | |:-----------------|:-------------------|:----| @@ -715,7 +724,7 @@ Defaults:vuls !requiretty ## Example: Scan all servers defined in config file ``` -$ vuls scan -ask-key-password +$ vuls scan -ask-key-password ``` この例では、 - SSH公開鍵認証(秘密鍵パスフレーズ)を指定 @@ -742,7 +751,7 @@ For more details, see [Architecture section](/~https://github.com/future-architect [servers.localhost] host = "localhost" # or "127.0.0.1" - port = "local" + port = "local" ``` ## Example: Scan containers (Docker/LXD) @@ -808,6 +817,7 @@ report: [-lang=en|ja] [-config=/path/to/config.toml] [-results-dir=/path/to/results] + [-log-dir=/path/to/log] [-refresh-cve] [-cvedb-type=sqlite3|mysql] [-cvedb-path=/path/to/cve.sqlite3] @@ -850,7 +860,7 @@ report: -azure-key string Azure account key to use. AZURE_STORAGE_ACCESS_KEY environment variable is used if not specified -config string - /path/to/toml + /path/to/toml -cvedb-path string /path/to/sqlite3 (For get cve detail from cve.sqlite3) -cvedb-type string 
@@ -881,12 +891,14 @@ report: Don't report the unscored CVEs -lang string [en|ja] (default "en") + -log-dir string + /path/to/log (default "/var/log/vuls") -pipe Use stdin via PIPE -refresh-cve Refresh CVE information in JSON file under results dir -results-dir string - /path/to/results + /path/to/results -to-azure-blob Write report to Azure Storage blob (container/yyyyMMdd_HHmm/servername.json/xml/txt) -to-email @@ -920,12 +932,12 @@ With this sample command, it will .. ``` $ vuls scan \ - -cvedb-path=$PWD/cve.sqlite3 \ + -cvedb-path=$PWD/cve.sqlite3 \ -to-s3 \ -format-json \ -aws-region=ap-northeast-1 \ -aws-s3-bucket=vuls \ - -aws-profile=default + -aws-profile=default ``` この例では、 - 結果をJSON形式でS3に格納する。 @@ -940,12 +952,12 @@ $ vuls scan \ ``` $ vuls scan \ - -cvedb-path=$PWD/cve.sqlite3 \ + -cvedb-path=$PWD/cve.sqlite3 \ -to-azure-blob \ -format-xml \ -azure-container=vuls \ -azure-account=test \ - -azure-key=access-key-string + -azure-key=access-key-string ``` この例では、 - 結果をXML形式でBlobに格納する。 @@ -958,12 +970,12 @@ $ vuls scan \ $ export AZURE_STORAGE_ACCOUNT=test $ export AZURE_STORAGE_ACCESS_KEY=access-key-string $ vuls scan \ - -cve-dictionary-dbpath=$PWD/cve.sqlite3 \ + -cve-dictionary-dbpath=$PWD/cve.sqlite3 \ -report-azure-blob \ -azure-container=vuls ``` -## Example: IgnoreCves +## Example: IgnoreCves Slack, EMail, テキスト出力しないくないCVE IDがある場合は、設定ファイルに定義することでレポートされなくなる。 ただ、JSONファイルには以下のように出力される。 @@ -1100,7 +1112,7 @@ VulsとDependency Checkの連携すると以下の利点がある - 日本語のレポートが可能 - Dependency Checkは日本語レポートに対応していない - + # Usage: TUI ## Display the latest scan results @@ -1130,7 +1142,7 @@ tui: -refresh-cve Refresh CVE information in JSON file under results dir -results-dir string - /path/to/results + /path/to/results ``` Key binding is below. 
@@ -1171,7 +1183,7 @@ $ vuls history | peco | vuls tui -pipe [![asciicast](https://asciinema.org/a/emi7y7docxr60bq080z10t7v8.png)](https://asciinema.org/a/emi7y7docxr60bq080z10t7v8) -# Usage: go-cve-dictonary on different server +# Usage: go-cve-dictonary on different server Run go-cve-dictionary as server mode before scanning on 192.168.10.1 ``` @@ -1267,7 +1279,7 @@ CRONなどを使い、自動化のためにsudoと、秘密鍵のパスワード - 秘密鍵パスフレーズなしの公開鍵認証か、ssh-agentを使う - スキャンが重く感じる -vulsのスキャン対象に脆弱性が溜まりすぎると実行時間が長くなります +vulsのスキャン対象に脆弱性が溜まりすぎると実行時間が長くなります 脆弱性のある状態は溜めすぎないようにしましょう - クロスコンパイル @@ -1293,7 +1305,7 @@ Use Microsoft Baseline Security Analyzer. [MBSA](https://technet.microsoft.com/e ---- -# Related Projects +# Related Projects - [k1LoW/ssh_config_to_vuls_config](/~https://github.com/k1LoW/ssh_config_to_vuls_config) ssh_config to vuls config TOML format @@ -1340,4 +1352,3 @@ Please see [CHANGELOG](/~https://github.com/future-architect/vuls/blob/master/CHAN # License Please see [LICENSE](/~https://github.com/future-architect/vuls/blob/master/LICENSE). - diff --git a/README.md b/README.md index 045dae86a0..209a02618f 100644 --- a/README.md +++ b/README.md @@ -222,7 +222,7 @@ see [Usage: Prepare](/~https://github.com/future-architect/vuls#usage-prepare) ## Step8. Start Scanning ``` -$ vuls scan +$ vuls scan ... snip ... Scan Summary @@ -236,7 +236,7 @@ Scan Summary View one-line summary ``` -$ vuls report -format-one-line-text -cvedb-path=$PWD/cve.sqlite3 +$ vuls report -format-one-line-text -cvedb-path=$PWD/cve.sqlite3 One Line Summary ================ @@ -247,7 +247,7 @@ One Line Summary View short summary. ``` -$ vuls report -format-short-text +$ vuls report -format-short-text 172-31-4-8 (amazon 2015.09) =========================== @@ -268,7 +268,7 @@ CVE-2016-0705 10.0 (High) Double free vulnerability in the dsa_priv_decode View full report. ``` -$ vuls report -format-full-text +$ vuls report -format-full-text 172-31-4-82 (amazon 2015.09) ============================ 
@@ -300,7 +300,7 @@ Package libssl1.0.0-1.0.2f-2ubuntu1 -> libssl1.0.0-1.0.2g-1ubuntu4.5 Vuls has Terminal-Based User Interface to display the scan result. ``` -$ vuls tui +$ vuls tui ``` ![Vuls-TUI](img/hello-vuls-tui.png) @@ -588,6 +588,7 @@ $ vuls configtest --help configtest: configtest [-config=/path/to/config.toml] + [-log-dir=/path/to/log] [-ask-key-password] [-ssh-external] [-debug] @@ -599,6 +600,8 @@ configtest: /path/to/toml (default "/Users/kotakanbe/go/src/github.com/future-architect/vuls/config.toml") -debug debug mode + -log-dir string + /path/to/log (default "/var/log/vuls") -ssh-external Use external ssh command. Default: Use the Go native implementation ``` @@ -640,6 +643,7 @@ $ vuls prepare -help prepare: prepare [-config=/path/to/config.toml] + [-log-dir=/path/to/log] [-ask-key-password] [-assume-yes] [-debug] @@ -656,6 +660,8 @@ prepare: /path/to/toml (default "$PWD/config.toml") -debug debug mode + -log-dir string + /path/to/log (default "/var/log/vuls") -ssh-external Use external ssh command. Default: Use the Go native implementation ``` @@ -669,6 +675,7 @@ scan: scan [-config=/path/to/config.toml] [-results-dir=/path/to/results] + [-log-dir=/path/to/log] [-cachedb-path=/path/to/cache.db] [-ssh-external] [-containers-only] @@ -684,17 +691,19 @@ scan: -cachedb-path string /path/to/cache.db (local cache of changelog for Ubuntu/Debian) -config string - /path/to/toml + /path/to/toml -containers-only Scan containers only. Default: Scan both of hosts and containers -debug debug mode -http-proxy string http://proxy-url:port (default: empty) + -log-dir string + /path/to/log (default "/var/log/vuls") -pipe Use stdin via PIPE -results-dir string - /path/to/results + /path/to/results -skip-broken [For CentOS] yum update changelog with --skip-broken option -ssh-external 
@@ -750,7 +759,7 @@ For more details, see [Architecture section](/~https://github.com/future-architect [servers.localhost] host = "localhost" # or "127.0.0.1" - port = "local" + port = "local" ``` ## Example: Scan containers (Docker/LXD) @@ -817,6 +826,7 @@ report: [-lang=en|ja] [-config=/path/to/config.toml] [-results-dir=/path/to/results] + [-log-dir=/path/to/log] [-refresh-cve] [-cvedb-type=sqlite3|mysql] [-cvedb-path=/path/to/cve.sqlite3] @@ -859,7 +869,7 @@ report: -azure-key string Azure account key to use. AZURE_STORAGE_ACCESS_KEY environment variable is used if not specified -config string - /path/to/toml + /path/to/toml -cvedb-path string /path/to/sqlite3 (For get cve detail from cve.sqlite3) -cvedb-type string @@ -890,12 +900,14 @@ report: Don't report the unscored CVEs -lang string [en|ja] (default "en") + -log-dir string + /path/to/log (default "/var/log/vuls") -pipe Use stdin via PIPE -refresh-cve Refresh CVE information in JSON file under results dir -results-dir string - /path/to/results + /path/to/results -to-azure-blob Write report to Azure Storage blob (container/yyyyMMdd_HHmm/servername.json/xml/txt) -to-email diff --git a/commands/configtest.go b/commands/configtest.go index 7c3ffbd93d..5774bf0b46 100644 --- a/commands/configtest.go +++ b/commands/configtest.go @@ -34,6 +34,7 @@ import ( // ConfigtestCmd is Subcommand type ConfigtestCmd struct { configPath string + logDir string askKeyPassword bool sshExternal bool @@ -50,12 +51,13 @@ func (*ConfigtestCmd) Synopsis() string { return "Test configuration" } func (*ConfigtestCmd) Usage() string { return `configtest: configtest - [-config=/path/to/config.toml] - [-ask-key-password] - [-ssh-external] - [-debug] + [-config=/path/to/config.toml] + [-log-dir=/path/to/log] + [-ask-key-password] + [-ssh-external] + [-debug] - [SERVER]... + [SERVER]... ` } 
@@ -65,6 +67,9 @@ func (p *ConfigtestCmd) SetFlags(f *flag.FlagSet) { defaultConfPath := filepath.Join(wd, "config.toml") f.StringVar(&p.configPath, "config", defaultConfPath, "/path/to/toml") + defaultLogDir := util.GetDefaultLogDir() + f.StringVar(&p.logDir, "log-dir", defaultLogDir, "/path/to/log") + f.BoolVar(&p.debug, "debug", false, "debug mode") f.BoolVar( @@ -96,6 +101,7 @@ func (p *ConfigtestCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interfa c.Conf.Debug = p.debug c.Conf.SSHExternal = p.sshExternal + c.Conf.LogDir = p.logDir err = c.Load(p.configPath, keyPass) if err != nil { diff --git a/commands/prepare.go b/commands/prepare.go index cf1519acce..0fa70ef7b9 100644 --- a/commands/prepare.go +++ b/commands/prepare.go @@ -34,6 +34,7 @@ import ( type PrepareCmd struct { debug bool configPath string + logDir string askSudoPassword bool askKeyPassword bool @@ -62,6 +63,7 @@ func (*PrepareCmd) Usage() string { return `prepare: prepare [-config=/path/to/config.toml] + [-log-dir=/path/to/log] [-ask-key-password] [-assume-yes] [-debug] @@ -81,6 +83,9 @@ func (p *PrepareCmd) SetFlags(f *flag.FlagSet) { defaultConfPath := filepath.Join(wd, "config.toml") f.StringVar(&p.configPath, "config", defaultConfPath, "/path/to/toml") + defaultLogDir := util.GetDefaultLogDir() + f.StringVar(&p.logDir, "log-dir", defaultLogDir, "/path/to/log") + f.BoolVar( &p.askKeyPassword, "ask-key-password", @@ -154,6 +159,7 @@ func (p *PrepareCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{ c.Conf.Debug = p.debug c.Conf.SSHExternal = p.sshExternal c.Conf.AssumeYes = p.assumeYes + c.Conf.LogDir = p.logDir logrus.Info("Validating Config...") if !c.Conf.ValidateOnPrepare() { diff --git a/commands/report.go b/commands/report.go index a091797491..1bc14a89d7 100644 --- a/commands/report.go +++ b/commands/report.go @@ -39,6 +39,7 @@ type ReportCmd struct { debugSQL bool configPath string resultsDir string + logDir string refreshCve bool cvssScoreOver float64 
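Review bot: The `-log-dir` value registered in this `SetFlags` hunk is later copied into `c.Conf.LogDir` unchanged, so a relative path is resolved against whatever working directory the process has (cron, sudo), and `-log-dir=` silently falls back to the default. Because the logger creates this directory and writes scan logs into it, I would normalise the value once in `Execute`, for example with `filepath.Abs(p.logDir)`, and reject an empty result. The same three added lines appear in the `SetFlags` hunks of commands/prepare.go, commands/report.go and commands/scan.go, so a small shared helper would keep the flag name, default and help text in one place. The help text `/path/to/log` could also say that the value is a directory and that it is created with mode 0700 when missing.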
@@ -87,6 +88,7 @@ func (*ReportCmd) Usage() string { [-lang=en|ja] [-config=/path/to/config.toml] [-results-dir=/path/to/results] + [-log-dir=/path/to/log] [-refresh-cve] [-cvedb-type=sqlite3|mysql] [-cvedb-path=/path/to/cve.sqlite3] @@ -133,6 +135,9 @@ func (p *ReportCmd) SetFlags(f *flag.FlagSet) { defaultResultsDir := filepath.Join(wd, "results") f.StringVar(&p.resultsDir, "results-dir", defaultResultsDir, "/path/to/results") + defaultLogDir := util.GetDefaultLogDir() + f.StringVar(&p.logDir, "log-dir", defaultLogDir, "/path/to/log") + f.BoolVar( &p.refreshCve, "refresh-cve", @@ -243,6 +248,7 @@ func (p *ReportCmd) SetFlags(f *flag.FlagSet) { func (p *ReportCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}) subcommands.ExitStatus { c.Conf.Debug = p.debug c.Conf.DebugSQL = p.debugSQL + c.Conf.LogDir = p.logDir Log := util.NewCustomLogger(c.ServerInfo{}) if err := c.Load(p.configPath, ""); err != nil { diff --git a/commands/scan.go b/commands/scan.go index 8bade889d5..3fed745863 100644 --- a/commands/scan.go +++ b/commands/scan.go @@ -39,6 +39,7 @@ type ScanCmd struct { debug bool configPath string resultsDir string + logDir string cacheDBPath string httpProxy string askKeyPassword bool @@ -60,6 +61,7 @@ func (*ScanCmd) Usage() string { scan [-config=/path/to/config.toml] [-results-dir=/path/to/results] + [-log-dir=/path/to/log] [-cachedb-path=/path/to/cache.db] [-ssh-external] [-containers-only] @@ -85,6 +87,9 @@ func (p *ScanCmd) SetFlags(f *flag.FlagSet) { defaultResultsDir := filepath.Join(wd, "results") f.StringVar(&p.resultsDir, "results-dir", defaultResultsDir, "/path/to/results") + defaultLogDir := util.GetDefaultLogDir() + f.StringVar(&p.logDir, "log-dir", defaultLogDir, "/path/to/log") + defaultCacheDBPath := filepath.Join(wd, "cache.db") f.StringVar( &p.cacheDBPath, 
@@ -193,6 +198,7 @@ func (p *ScanCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}) Log := util.NewCustomLogger(c.ServerInfo{}) c.Conf.ResultsDir = p.resultsDir + c.Conf.LogDir = p.logDir c.Conf.CacheDBPath = p.cacheDBPath c.Conf.SSHExternal = p.sshExternal c.Conf.HTTPProxy = p.httpProxy diff --git a/config/config.go b/config/config.go index e8a15deb30..1bb7bc773f 100644 --- a/config/config.go +++ b/config/config.go @@ -52,6 +52,7 @@ type Config struct { SkipBroken bool HTTPProxy string `valid:"url"` + LogDir string ResultsDir string CveDBType string CveDBPath string diff --git a/scan/base_test.go b/scan/base_test.go index b3de4305e6..342df07dd6 100644 --- a/scan/base_test.go +++ b/scan/base_test.go @@ -69,7 +69,7 @@ func TestParseLxdPs(t *testing.T) { | test1 | +-------+ | test2 | -+-------+` , ++-------+`, []config.Container{ { ContainerID: "test1", diff --git a/util/logutil.go b/util/logutil.go index f602c934a8..63e51be2aa 100644 --- a/util/logutil.go +++ b/util/logutil.go @@ -40,12 +40,13 @@ func NewCustomLogger(c config.ServerInfo) *logrus.Entry { } // File output - logDir := "/var/log/vuls" - if runtime.GOOS == "windows" { - logDir = filepath.Join(os.Getenv("APPDATA"), "vuls") + logDir := GetDefaultLogDir() + if 0 < len(config.Conf.LogDir) { + logDir = config.Conf.LogDir } + if _, err := os.Stat(logDir); os.IsNotExist(err) { - if err := os.Mkdir(logDir, 0666); err != nil { + if err := os.Mkdir(logDir, 0700); err != nil { logrus.Errorf("Failed to create log directory: %s", err) } } @@ -70,3 +71,12 @@ func NewCustomLogger(c config.ServerInfo) *logrus.Entry { fields := logrus.Fields{"prefix": whereami} return log.WithFields(fields) } + +// GetDefaultLogDir returns default log directory +func GetDefaultLogDir() string { + defaultLogDir := "/var/log/vuls" + if runtime.GOOS == "windows" { + defaultLogDir = filepath.Join(os.Getenv("APPDATA"), "vuls") + } + return defaultLogDir +}
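Review bot: `c.Conf.LogDir = p.logDir` is assigned after `Log := util.NewCustomLogger(c.ServerInfo{})`, and NewCustomLogger reads `config.Conf.LogDir` at call time, so this first logger still resolves to the default directory and will try to create it even when `-log-dir` was given. Move the assignment above the logger construction, as commands/report.go does in this patch: `c.Conf.LogDir = p.logDir` first, then `Log := util.NewCustomLogger(c.ServerInfo{})`. The start of Execute is outside the hunk here and in the Execute hunks of commands/configtest.go and commands/prepare.go, so it is worth confirming that no logger is built before the assignment there either.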
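Review bot: `os.Mkdir(logDir, 0700)` only tightens directories that this run creates: with a caller-chosen `-log-dir`, a missing parent makes `Mkdir` fail, any `os.Stat` error other than not-exist is skipped, and an existing directory (an older 0666 one, or a shared path) is used whatever its mode. In each of those cases the function logs at most one error and carries on to the file output that follows outside the hunk. I would use `os.MkdirAll` and then check that the path is a directory that is not group- or world-writable, warning rather than changing the mode of a directory the tool did not create. `0 < len(config.Conf.LogDir)` also reads more naturally as `config.Conf.LogDir != ""`. NewCustomLogger starts and ends outside this hunk.

```go
	// … unchanged: logDir selection from GetDefaultLogDir / config.Conf.LogDir …
	if err := os.MkdirAll(logDir, 0700); err != nil {
		logrus.Errorf("Failed to create log directory: %s", err)
	} else if fi, err := os.Stat(logDir); err != nil {
		logrus.Errorf("Failed to stat log directory: %s", err)
	} else if !fi.IsDir() {
		logrus.Errorf("Log path is not a directory: %s", logDir)
	} else if runtime.GOOS != "windows" && fi.Mode().Perm()&0022 != 0 {
		// Only warn: the directory may be one the operator shares on purpose.
		logrus.Warnf("Log directory %s is group- or world-writable", logDir)
	}
```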
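Review bot: On Windows an unset `APPDATA` makes `filepath.Join(os.Getenv("APPDATA"), "vuls")` in GetDefaultLogDir return the relative path `vuls`, so the default log directory becomes a directory under the current working directory. That is worth stating in the doc comment, for example `// GetDefaultLogDir returns /var/log/vuls, or %APPDATA%\vuls on Windows; if APPDATA is unset the result is the relative path "vuls".`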