# ec2-vuls-config

ec2-vuls-config is a command line tool that creates the config file for Vuls in Amazon EC2.
By specifying EC2 tags, it selects the scan targets automatically and rewrites the config file.
## Installation

### Step 1. Set the `Name` and `vuls:scan` tags on the EC2 instances that you want to scan

```
Name : web-server-1
vuls:scan : true
```
### Step 2. Installation

- Binary: download from the releases page.
- Go get:

```sh
$ go get -u github.com/ohsawa0515/ec2-vuls-config
```
### Step 3. Set AWS credentials

The tool only reads instance metadata, so the policy can be limited to `ec2:DescribeInstances`. Example of an IAM policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

- Credential file (`$HOME/.aws/credentials`):

```ini
[default]
aws_access_key_id = <YOUR_ACCESS_KEY_ID>
aws_secret_access_key = <YOUR_SECRET_ACCESS_KEY>
```

- Environment variables:

```sh
$ export AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY_ID
$ export AWS_SECRET_ACCESS_KEY=YOUR_SECRET_ACCESS_KEY
```
### Step 4. Set AWS region

```sh
$ export AWS_REGION=us-east-1
```
### Step 5. Prepare config.toml for the Vuls scan

See vuls#configuration or config.toml.sample.
### Step 6. Execute

By default, instances are selected under the following conditions:

- the EC2 instance state is running
- the instance is Linux (Windows instances are not selected)
- the `vuls:scan` tag is set to `true`

```sh
$ ec2-vuls-config
```
After execution, config.toml is rewritten as follows. The generated server entries are enclosed between the `### Generate by ec2-vuls-config ###` and `### ec2-vuls-config end ###` markers.

```toml
[default]
port = "22"
user = "vuls"
keyPath = "/opt/vuls/.ssh/id_rsa"

[servers]
### Generate by ec2-vuls-config ###
# Updated 2000-01-01T00:01:00+09:00
[servers.web-server-1]
host = "192.0.2.11"
### ec2-vuls-config end ###
```
## Tags

Values can be reflected in the config by setting tags such as `vuls:user`, `vuls:port` and so on. In the template below, `<...>` stands for the value of the tag with that name.

```toml
[servers]
[servers.<Name>]
host = "<<Private IP address of instance>>"
port = "<vuls:port>"
user = "<vuls:user>"
keyPath = "<vuls:keyPath>"
# Set the value of the tag as a comma-separated list.
cpeNames = [
  "<vuls:cpeNames>",
]
# Set the value of the tag as a comma-separated list.
ignoreCves = [
  "<vuls:ignoreCves>",
]

# Example
# `vuls:user` => vuls
# `vuls:port` => 22
# `vuls:keyPath` => /opt/vuls/.ssh/id_rsa
# `vuls:cpeNames` => cpe:/a:rubyonrails:ruby_on_rails:4.2.7.1,cpe:/a:rubyonrails:ruby_on_rails:4.2.8,cpe:/a:rubyonrails:ruby_on_rails:5.0.1
# `vuls:ignoreCves` => CVE-2014-2913,CVE-2016-6314
[servers.web-server-1]
host = "192.0.2.11"
user = "vuls"
port = "22"
keyPath = "/opt/vuls/.ssh/id_rsa"
cpeNames = [
  "cpe:/a:rubyonrails:ruby_on_rails:4.2.7.1",
  "cpe:/a:rubyonrails:ruby_on_rails:4.2.8",
  "cpe:/a:rubyonrails:ruby_on_rails:5.0.1",
]
ignoreCves = [
  "CVE-2014-2913",
  "CVE-2016-6314",
]
```
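The following Go program is an added example illustrating Step 6 and the tag mapping above; it is not code from ec2-vuls-config. Instead of calling AWS it models the fields it needs in a hypothetical `Instance` struct, applies the default conditions (running, not Windows, `vuls:scan` set to `true`), renders the `[servers.<Name>]` tables from the `vuls:*` tags in the layout shown above, and replaces the block between the two markers in an existing config.toml, inserting one after `[servers]` when the file has never been generated into. The marker text, key names and sample values come from this README; the `Instance` type, the sample instances and the exact rewrite strategy are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Instance is a constructed stand-in (hypothetical, not the project's type)
// for the DescribeInstances fields this example needs.
type Instance struct {
	State     string // "running", "stopped", ...
	Platform  string // "windows" for Windows instances, "" for Linux
	PrivateIP string
	Tags      map[string]string
}

// selectTargets applies the README's default conditions (running, not Windows,
// vuls:scan = true) and also requires a Name tag, since [servers.<Name>] needs one.
func selectTargets(instances []Instance) []Instance {
	var out []Instance
	for _, in := range instances {
		if in.State == "running" && !strings.EqualFold(in.Platform, "windows") &&
			in.Tags["vuls:scan"] == "true" && in.Tags["Name"] != "" {
			out = append(out, in)
		}
	}
	return out
}

// renderServers writes the generated block in the layout the README shows;
// optional keys appear only when the matching vuls:* tag is set.
func renderServers(targets []Instance, now time.Time) string {
	var b strings.Builder
	b.WriteString("### Generate by ec2-vuls-config ###\n")
	fmt.Fprintf(&b, "# Updated %s\n", now.Format(time.RFC3339))
	for _, t := range targets {
		fmt.Fprintf(&b, "[servers.%s]\nhost = %q\n", t.Tags["Name"], t.PrivateIP)
		for _, key := range []string{"user", "port", "keyPath"} {
			if v, ok := t.Tags["vuls:"+key]; ok {
				fmt.Fprintf(&b, "%s = %q\n", key, v)
			}
		}
		// List-valued tags are comma-separated; empty items and stray spaces are dropped.
		for _, key := range []string{"cpeNames", "ignoreCves"} {
			if v, ok := t.Tags["vuls:"+key]; ok {
				fmt.Fprintf(&b, "%s = [\n", key)
				for _, item := range strings.FieldsFunc(v, func(r rune) bool { return r == ',' || r == ' ' }) {
					fmt.Fprintf(&b, "%q,\n", item)
				}
				b.WriteString("]\n")
			}
		}
	}
	b.WriteString("### ec2-vuls-config end ###\n")
	return b.String()
}

// generatedBlock matches a previous result between the markers, so a rerun replaces it.
var generatedBlock = regexp.MustCompile(
	`(?s)### Generate by ec2-vuls-config ###\n.*?### ec2-vuls-config end ###\n`)

// rewriteConfig swaps the generated block, or inserts one right after [servers].
func rewriteConfig(config, servers string) (string, error) {
	if generatedBlock.MatchString(config) {
		return generatedBlock.ReplaceAllLiteralString(config, servers), nil
	}
	at := strings.Index(config, "[servers]\n")
	if at < 0 {
		return "", fmt.Errorf("config.toml has no [servers] table")
	}
	at += len("[servers]\n")
	return config[:at] + servers + config[at:], nil
}

// sampleInstances is constructed input: one target plus three that each fail a condition.
var sampleInstances = []Instance{
	{State: "running", PrivateIP: "192.0.2.11", Tags: map[string]string{
		"Name": "web-server-1", "vuls:scan": "true", "vuls:user": "vuls", "vuls:port": "22",
		"vuls:keyPath":    "/opt/vuls/.ssh/id_rsa",
		"vuls:cpeNames":   "cpe:/a:rubyonrails:ruby_on_rails:4.2.7.1,cpe:/a:rubyonrails:ruby_on_rails:4.2.8",
		"vuls:ignoreCves": "CVE-2014-2913,CVE-2016-6314",
	}},
	{State: "stopped", PrivateIP: "192.0.2.12", Tags: map[string]string{"Name": "web-server-2", "vuls:scan": "true"}},
	{State: "running", Platform: "windows", PrivateIP: "192.0.2.13", Tags: map[string]string{"Name": "win-1", "vuls:scan": "true"}},
	{State: "running", PrivateIP: "192.0.2.14", Tags: map[string]string{"Name": "db-1"}},
}

func main() {
	base := "[default]\nport = \"22\"\nuser = \"vuls\"\nkeyPath = \"/opt/vuls/.ssh/id_rsa\"\n[servers]\n"
	out, err := rewriteConfig(base, renderServers(selectTargets(sampleInstances), time.Now()))
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Replacing only the marked block keeps whatever you wrote by hand in `[default]` and elsewhere in `[servers]` intact across reruns, and refusing to write when `[servers]` is missing avoids producing a file Vuls cannot parse.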
## Command line options

### --config (-c)

Specify the file path of the config.toml to be read. By default, `$PWD/config.toml`.

```sh
$ ec2-vuls-config --config /path/to/config.toml
```

### --filters (-f)

In addition to the default conditions, this option applies further filters. It uses the same syntax as the filters of the `describe-instances` command: specify pairs of `Name` and `Values`, separated by a space.

- To scan all instances with the name `web-server`:

```sh
$ ec2-vuls-config --filters "Name=tag:Name,Values=web-server"
```

- To scan all instances with the name `app-server` and instance type `c3.large`:

```sh
$ ec2-vuls-config --filters "Name=tag:Name,Values=app-server Name=instance-type,Values=r3.large"
```
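As an added example that is not part of ec2-vuls-config, the Go program below parses the `--filters` argument in the format shown above and applies the parsed filters to a constructed list of instances, combining them the way `describe-instances` does: every filter must match, and a filter matches when any one of its values equals the attribute. The `Target` type and the sample data are assumptions; the example understands only the two filter names this README uses, `tag:<key>` and `instance-type`, and compares values exactly, whereas the EC2 API also accepts `*` and `?` wildcards in filter values.

```go
package main

import (
	"fmt"
	"strings"
)

// Filter mirrors one describe-instances filter: a name and one or more values.
type Filter struct {
	Name   string
	Values []string
}

// parseFilters parses the --filters syntax the README shows: filters separated
// by spaces, each written as Name=<name>,Values=<v1>,<v2>,...
// Malformed entries are rejected rather than silently matching nothing.
func parseFilters(arg string) ([]Filter, error) {
	var filters []Filter
	for _, field := range strings.Fields(arg) {
		parts := strings.SplitN(field, ",Values=", 2)
		if len(parts) != 2 || !strings.HasPrefix(parts[0], "Name=") {
			return nil, fmt.Errorf("malformed filter %q: want Name=<name>,Values=<v1>,<v2>", field)
		}
		name := strings.TrimPrefix(parts[0], "Name=")
		var values []string
		for _, v := range strings.Split(parts[1], ",") {
			if v != "" {
				values = append(values, v)
			}
		}
		if name == "" || len(values) == 0 {
			return nil, fmt.Errorf("filter %q has an empty name or no values", field)
		}
		filters = append(filters, Filter{Name: name, Values: values})
	}
	return filters, nil
}

// Target is a constructed stand-in (hypothetical, not the project's type) for
// the instance attributes this example filters on.
type Target struct {
	InstanceType string
	Tags         map[string]string
}

// matches reports whether t satisfies every filter (AND across filters, OR across
// one filter's values). Only tag:<key> and instance-type are understood; any other
// filter name is reported as an error instead of being treated as a non-match.
func matches(t Target, filters []Filter) (bool, error) {
	for _, f := range filters {
		var actual string
		switch {
		case strings.HasPrefix(f.Name, "tag:"):
			actual = t.Tags[strings.TrimPrefix(f.Name, "tag:")]
		case f.Name == "instance-type":
			actual = t.InstanceType
		default:
			return false, fmt.Errorf("unsupported filter name %q", f.Name)
		}
		hit := false
		for _, v := range f.Values {
			if v == actual {
				hit = true
			}
		}
		if !hit {
			return false, nil
		}
	}
	return true, nil
}

// sampleTargets is constructed input covering the README's two filter examples.
var sampleTargets = []Target{
	{InstanceType: "r3.large", Tags: map[string]string{"Name": "app-server"}},
	{InstanceType: "c3.large", Tags: map[string]string{"Name": "app-server"}},
	{InstanceType: "t2.micro", Tags: map[string]string{"Name": "web-server"}},
	{InstanceType: "r3.large", Tags: map[string]string{"Name": "db-server"}},
}

func main() {
	filters, err := parseFilters("Name=tag:Name,Values=app-server Name=instance-type,Values=r3.large")
	if err != nil {
		panic(err)
	}
	for _, t := range sampleTargets {
		if ok, err := matches(t, filters); err != nil {
			panic(err)
		} else if ok {
			fmt.Println(t.Tags["Name"], t.InstanceType)
		}
	}
}
```

Failing loudly on a malformed or unsupported filter matters for a scan-target selector: a filter that silently matches nothing would quietly drop hosts from the Vuls scan, which is exactly the kind of coverage gap a scheduled vulnerability scan should never hide.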
### --out (-o)

Specify the path of the config file to be written. By default, `$PWD/config.toml`.

```sh
$ ec2-vuls-config --out /path/to/config.toml
```

### --print (-p)

Echo the result to standard output instead of writing it into the specified config file.
## Contribution

- Fork (https://github.com/ohsawa0515/ec2-vuls-config/fork)
- Create a feature branch
- Commit your changes
- Rebase your local changes against the master branch
- Run the test suite with the `go test ./...` command and confirm that it passes
- Run `gofmt -s`
- Create a new Pull Request

## License

See LICENSE.