labunix's blog

labunix's LabUnix

Trying out OpenSCAP on Debian stretch.

■Trying out OpenSCAP on Debian stretch.
 Checking the system in its current, fully updated state

 SCAP, a machine-processing infrastructure for vulnerability countermeasures, and standardization trends
 https://www.jpcert.or.jp/present/2010/20100125_IPA_Terada-sama.pdf

$ lsb_release -d
Description:	Debian GNU/Linux 9.7 (stretch)

■This time I go with the CLI version.

$ apt-cache search openscap
libopenscap-dev - Set of libraries enabling integration of the SCAP line of standards
libopenscap-perl - Set of libraries enabling integration of the SCAP line of standards
libopenscap8 - Set of libraries enabling integration of the SCAP line of standards
libopenscap8-dbg - Set of libraries enabling integration of the SCAP line of standards
python-openscap - Set of libraries enabling integration of the SCAP line of standards

$ apt-file search bin/oscap 
libopenscap8: /usr/bin/oscap

■After installing and looking at the bundled definition files, it seems there are only ones for fedora14/rhel6.

$ sudo apt-get install -y libopenscap8

$ dpkg -L libopenscap8 | awk '/.xml$/'
/usr/share/openscap/scap-fedora14-oval.xml
/usr/share/openscap/scap-fedora14-xccdf.xml
/usr/share/openscap/scap-rhel6-oval.xml
/usr/share/openscap/scap-rhel6-xccdf.xml
/usr/share/openscap/xsl/legacy-fixtpl-bash.xml

■Pick the stretch definitions from the Debian repository and download them.

$ wget -O - https://www.debian.org/security/oval/ 2>/dev/null | w3m -dump -T text/html | awk '/oval/'
Index of /security/oval
[ ]         oval-definitions-buster.xml  2019-01-30 11:31  33M
[ ]         oval-definitions-jessie.xml  2019-01-30 11:31  39M
[ ]         oval-definitions-stretch.xml 2019-01-30 11:31  35M
[ ]         oval-definitions-wheezy.xml  2019-01-30 11:31 1.8M

$ url=https://www.debian.org/security/oval/; \
    wget -O - $url 2>/dev/null | \
    awk -v url=$url '/stretch/{gsub(".*href=\"|\">.*","",$0);print "wget "url$0}' | sh

$ ls oval-definitions-stretch.xml | awk '{print "md5sum "$1";du -h "$1}' | sh
baa7ed8b8bc21a16bce605b748c77888  oval-definitions-stretch.xml
36M	oval-definitions-stretch.xml

$ sudo mv oval-definitions-stretch.xml /usr/share/openscap/
$ sudo chown root:root /usr/share/openscap/oval-definitions-stretch.xml

■Run it.
 For the packages installed locally,
 a definition evaluates to true when a security fix has been released
 but the installed version has not been raised to it,
 and to false when the installed version already includes the fix.

$ time oscap oval eval --report stretch.html /usr/share/openscap/oval-definitions-stretch.xml
...
Definition oval:org.debian:def:19991572: false
Definition oval:org.debian:def:19991332: false
Evaluation done.

real	5m23.033s
user	4m27.092s
sys	0m6.696s

■Convert the report to CSV and print every 1000th line

$ w3m -dump stretch.html | \
    awk 'BEGIN{a=0;cnt=0} \
          {if($0 ~ /ID/){a=1}}\
          {if(a==1 && /[A-z0-9]/){gsub(" *│ *",",",$0);printf "%05d%s\n",cnt,$0;cnt++}}' > stretch.csv

$ awk '(NR%1000==1)' stretch.csv 
00000,ID,Result,Class,Reference ID,Title,
01000,oval:org.debian:def:201820507,false,vulnerability,[CVE-2018-20507],CVE-2018-20507,
02000,oval:org.debian:def:201812893,false,vulnerability,[CVE-2018-12893],CVE-2018-12893,
03000,oval:org.debian:def:20178065,false,vulnerability,[CVE-2017-8065],CVE-2017-8065,
04000,oval:org.debian:def:20172626,false,vulnerability,[CVE-2017-2626],CVE-2017-2626,
05000,oval:org.debian:def:201713133,false,vulnerability,[CVE-2017-13133],CVE-2017-13133,
06000,oval:org.debian:def:20169533,false,vulnerability,[CVE-2016-9533],CVE-2016-9533,
07000,oval:org.debian:def:20165032,false,vulnerability,[CVE-2016-5032],CVE-2016-5032,
08000,oval:org.debian:def:201610025,false,vulnerability,[CVE-2016-10025],CVE-2016-10025,
09000,oval:org.debian:def:20153439,false,vulnerability,[CVE-2015-3439],CVE-2015-3439,
10000,oval:org.debian:def:20148182,false,vulnerability,[CVE-2014-8182],CVE-2014-8182,
11000,oval:org.debian:def:20140159,false,vulnerability,[CVE-2014-0159],CVE-2014-0159,
12000,oval:org.debian:def:20132128,false,vulnerability,[CVE-2013-2128],CVE-2013-2128,
13000,oval:org.debian:def:20123411,false,vulnerability,[CVE-2012-3411],CVE-2012-3411,
14000,oval:org.debian:def:20112901,false,vulnerability,[CVE-2011-2901],CVE-2011-2901,
15000,oval:org.debian:def:20102544,false,vulnerability,[CVE-2010-2544],CVE-2010-2544,
16000,oval:org.debian:def:20090587,false,vulnerability,[CVE-2009-0587],CVE-2009-0587,
17000,oval:org.debian:def:20073765,false,vulnerability,[CVE-2007-3765],CVE-2007-3765,
18000,oval:org.debian:def:20053120,false,vulnerability,[CVE-2005-3120],CVE-2005-3120,
19000,oval:org.debian:def:20021220,false,vulnerability,[CVE-2002-1220],CVE-2002-1220,

■Only rows with Result=true need action.

$ awk -F, '$3 ~ /true/' stretch.csv 
00001,oval:org.debian:def:201819478,true,vulnerability,[CVE-2018-19478],CVE-2018-19478,
00002,oval:org.debian:def:201819477,true,vulnerability,[CVE-2018-19477],CVE-2018-19477,
00003,oval:org.debian:def:201819476,true,vulnerability,[CVE-2018-19476],CVE-2018-19476,
00004,oval:org.debian:def:201819475,true,vulnerability,[CVE-2018-19475],CVE-2018-19475,
00005,oval:org.debian:def:201819409,true,vulnerability,[CVE-2018-19409],CVE-2018-19409,
00006,oval:org.debian:def:20151855,true,vulnerability,,CVE-2015-1855,

$ awk -F, '$3 ~ /true/{print $(NF-1)}' stretch.csv > cvelist.txt

$ cat cvelist.txt
CVE-2018-19478
CVE-2018-19477
CVE-2018-19476
CVE-2018-19475
CVE-2018-19409
CVE-2015-1855

■ruby1.8 and ghostscript

$ grep -A 5 -F -f cvelist.txt /usr/share/openscap/oval-definitions-stretch.xml | \
    awk -v search=product '$0 ~ search{gsub(".*<"search".|.."search">.*","",$0);a[$0]+=1}END{for(n in a){print a[n],n}}'
1 ruby1.8
5 ghostscript

■Look at the CVE pages and decide how to respond.
 That's it for today.

$ grep -A 5 -F -f cvelist.txt /usr/share/openscap/oval-definitions-stretch.xml | awk '/title|prod|refere/{gsub("^ *","",$0);print}'
<title>CVE-2015-1855</title>
<product>ruby1.8</product>
<title>CVE-2018-19409</title>
<product>ghostscript</product>
<reference ref_id="CVE-2018-19409" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19409" source="CVE"/>
<title>CVE-2018-19475</title>
<product>ghostscript</product>
<reference ref_id="CVE-2018-19475" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19475" source="CVE"/>
<title>CVE-2018-19476</title>
<product>ghostscript</product>
<reference ref_id="CVE-2018-19476" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19476" source="CVE"/>
<title>CVE-2018-19477</title>
<product>ghostscript</product>
<reference ref_id="CVE-2018-19477" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19477" source="CVE"/>
<title>CVE-2018-19478</title>
<product>ghostscript</product>
<reference ref_id="CVE-2018-19478" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19478" source="CVE"/>
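The steps above (run the evaluation, keep only the definitions that came out true, and map each one back to its CVE and affected package) scrape the HTML report with w3m and awk. The same join can be done against the XML that oscap itself produces: `oscap oval eval --results results.xml` writes an OVAL results document alongside the HTML report, and the definitions file already carries the title, product and CVE reference for every definition. The following script is an added example, not code from the post or from the OpenSCAP project; it embeds constructed miniature versions of both documents (three definitions, in the same element layout as oval-definitions-stretch.xml and an oscap results file, with a placeholder product name for the third definition) so it runs offline. It also handles the case seen above where CVE-2015-1855 has no `<reference>` element and the CVE identifier is only present in `<title>`.

```python
"""Join an OpenSCAP OVAL results document with the Debian OVAL definitions.

Added example: lists every definition that evaluated to true (security fix
released but not installed) together with its CVE and affected package,
and counts findings per package, as the awk pipelines in the post do.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of a Debian OVAL definitions file (same element layout as
# /usr/share/openscap/oval-definitions-stretch.xml, cut down to 3 definitions).
# The product of the third definition is a constructed placeholder.
DEFINITIONS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition class="vulnerability" id="oval:org.debian:def:201819478" version="1">
      <metadata>
        <title>CVE-2018-19478</title>
        <affected family="unix">
          <platform>Debian GNU/Linux 9.7</platform>
          <product>ghostscript</product>
        </affected>
        <reference ref_id="CVE-2018-19478" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19478" source="CVE"/>
      </metadata>
    </definition>
    <definition class="vulnerability" id="oval:org.debian:def:20151855" version="1">
      <metadata>
        <title>CVE-2015-1855</title>
        <affected family="unix">
          <platform>Debian GNU/Linux 9.7</platform>
          <product>ruby1.8</product>
        </affected>
      </metadata>
    </definition>
    <definition class="vulnerability" id="oval:org.debian:def:201820507" version="1">
      <metadata>
        <title>CVE-2018-20507</title>
        <affected family="unix">
          <platform>Debian GNU/Linux 9.7</platform>
          <product>placeholder-package</product>
        </affected>
        <reference ref_id="CVE-2018-20507" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20507" source="CVE"/>
      </metadata>
    </definition>
  </definitions>
</oval_definitions>
"""

# Constructed sample of what `oscap oval eval --results results.xml` writes.
RESULTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:org.debian:def:201819478" result="true" version="1"/>
        <definition definition_id="oval:org.debian:def:20151855" result="true" version="1"/>
        <definition definition_id="oval:org.debian:def:201820507" result="false" version="1"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def local(tag):
    """Strip the namespace so lookups do not depend on the prefix used in the file."""
    return tag.rsplit("}", 1)[-1]


def load_definitions(xml_text):
    """Map definition id -> (cve, product).

    The CVE is taken from <reference source="CVE"> when present; some Debian
    definitions (CVE-2015-1855 in the post) carry it only in <title>, so the
    title is used as a fallback.
    """
    defs = {}
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "definition":
            continue
        title = cve = product = None
        for child in elem.iter():
            name = local(child.tag)
            if name == "title":
                title = (child.text or "").strip()
            elif name == "product":
                product = (child.text or "").strip()
            elif name == "reference" and child.get("source") == "CVE":
                cve = child.get("ref_id")
        defs[elem.get("id")] = (cve or title, product)
    return defs


def true_results(xml_text):
    """Return the ids of definitions that evaluated to true, in document order.

    A full results file also embeds the definitions themselves; those elements
    have no result attribute, so the filter below skips them.
    """
    return [e.get("definition_id") for e in ET.fromstring(xml_text).iter()
            if local(e.tag) == "definition" and e.get("result") == "true"]


def vulnerable_packages(definitions_xml, results_xml):
    """Join results with definitions -> list of (definition_id, cve, product)."""
    defs = load_definitions(definitions_xml)
    return [(def_id,) + defs.get(def_id, (None, None))
            for def_id in true_results(results_xml)]


def product_counts(rows):
    """Count findings per affected package, like the awk summary in the post."""
    return Counter(product for _, _, product in rows)


if __name__ == "__main__":
    findings = vulnerable_packages(DEFINITIONS_XML, RESULTS_XML)
    for def_id, cve, product in findings:
        print(def_id, cve, product)
    for product, count in product_counts(findings).items():
        print(count, product)
```

To use it on a real scan, read `/usr/share/openscap/oval-definitions-stretch.xml` and the file passed to `--results` instead of the embedded strings; `ET.parse(path).getroot()` replaces `ET.fromstring`. Matching on the local element name rather than the full namespace keeps the script working whether the results file uses a default namespace or a prefixed one.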