Hello everyone! This video was recorded for the VMconf 22 Vulnerability Management conference, vmconf.pw. I will be talking about my open source project Scanvus. This project is already a year old and I use it almost every day.
Alternative video link (for Russia): https://vk.com/video-149273431_456239100
Scanvus (Simple Credentialed Authenticated Network VUlnerability Scanner) is a vulnerability scanner for Linux. It currently supports the Ubuntu, Debian, CentOS, RedHat, Oracle Linux and Alpine distributions, and in general any Linux distribution supported by the Vulners Linux API. The purpose of this utility is to get a list of packages and the Linux distribution version from some source, make a request to an external vulnerability detection API (only the Vulners Linux API is currently supported), and show the vulnerability report.
Scanvus can show vulnerabilities for
- localhost
- remote host via SSH
- docker image
- inventory file of a certain format
This utility greatly simplifies Linux infrastructure auditing. And besides, this is a project in which I can try to implement my ideas on vulnerability detection.
Example of output
For all targets the output is the same. It contains information about the target and the type of check. Then information about the OS version and the number of Linux packages. And finally, the actual information about vulnerabilities: how many vulnerabilities were found and the criticality levels of these vulnerabilities. The table shows the criticality level, bulletin ID, CVE list for the bulletin, and a comparison of the invulnerable fixed package version with the actual installed version.
This report is not the only way to present results. You can optionally export the results to JSON (OS inventory data, raw vulnerability data from Vulners Linux API or processed vulnerability data).
Installation and configuration
For Scanvus to work, you need to install Python and the Python modules from requirements.txt. Then add the Vulners API key to credentials.py.
sudo apt-get update
sudo apt-get install python3.8 python3-pip git
git clone https://github.com/leonov-av/scanvus.git
cd scanvus/
pip3 install -r requirements.txt
# Set API Key in credentials.py
To detect vulnerabilities in docker images, you must install docker on your system. For example, on Ubuntu you should add the docker repository and install the docker-ce, docker-ce-cli and containerd.io packages.
sudo apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io
Then set up the docker group:
sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker
docker run hello-world
And start the docker service:
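sudo service docker start
# Mode 666 lets every local user control the Docker daemon (root-equivalent access);
# membership in the docker group set up above is normally sufficient
sudo chmod 666 /var/run/docker.sock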
Supported targets
You can run a scan for the following targets:
Localhost
python3.8 scanvus.py --assessment-type "localhost"
In this case, the host where Scanvus is installed will be analyzed. This means that an inventory bash script will be executed directly on the host, packages and OS version will be collected, and then vulnerabilities will be detected.
Remote hosts via SSH (key authentication)
python3.8 scanvus.py --assessment-type "remote_ssh" --host "linuxserver1@corporation.com" --user-name "jsmith" --key-path "/home/jsmith/.ssh/id_rsa"
In this case, Scanvus will connect to the remote host via SSH using a key for authentication. It will then run an inventory bash script on the host, and this data will be used to identify vulnerabilities. Password authentication is not yet supported and does not seem to be particularly needed.
Docker images
python3.8 scanvus.py --assessment-type "docker_image" --docker-image "python:3.9.6-slim-bullseye"
In this case, Scanvus will try to launch a docker container and start executing bash commands in it. Scanvus will either run the entire inventory bash script there, or try to run individual inventory commands.
Is it always possible? Not really. For example, the docker container may not have a cat utility, a package management utility like rpm or dpkg, or even a shell like bash. I’ll try to find other ways to get the data I need without running a docker container. For now, in such cases, you can use specialized tools for analyzing docker base images, such as trivy, although they do not give as reliable results as detection based on package versions.
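One way to collect the same inventory data without executing anything inside the image, as an added example (not Scanvus code and not how Scanvus works today): parse the os-release file and the package database copied out of the image filesystem. The function names and sample file contents are assumptions made for the illustration; `/var/lib/dpkg/status` and `/lib/apk/db/installed` are the standard dpkg and apk database locations.

```python
def parse_os_release(text):
    # /etc/os-release is KEY=value, values optionally quoted
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            fields[key] = value.strip("\"'")
    return fields.get("ID", ""), fields.get("VERSION_ID", "")

def parse_dpkg_status(text):
    # /var/lib/dpkg/status: blank-line separated stanzas of "Field: value"
    found = []
    for stanza in text.strip().split("\n\n"):
        rec = {}
        for line in stanza.splitlines():
            if line[:1] not in (" ", "\t"):      # skip continuation lines
                key, _, value = line.partition(":")
                rec[key] = value.strip()
        # Third word of Status is the real state; removed packages keep a stanza
        if rec.get("Status", "").split()[-1:] == ["installed"] and "Version" in rec:
            found.append((rec["Package"], rec["Version"], rec.get("Architecture", "")))
    return sorted(found)

def parse_apk_installed(text):
    # /lib/apk/db/installed: stanzas of one-letter keys, P=name V=version A=arch
    found = []
    for stanza in text.strip().split("\n\n"):
        rec = dict(line.split(":", 1) for line in stanza.splitlines() if ":" in line)
        if "P" in rec and "V" in rec:
            found.append((rec["P"], rec["V"], rec.get("A", "")))
    return sorted(found)

# Constructed sample file contents (not taken from a real image)
OS_RELEASE = 'NAME="Alpine Linux"\nID=alpine\nVERSION_ID=3.16.2\n'
APK_DB = "P:musl\nV:1.2.3-r0\nA:x86_64\n\nP:busybox\nV:1.35.0-r17\nA:x86_64\n"
DPKG_STATUS = ("Package: zlib1g\nStatus: install ok installed\nArchitecture: amd64\n"
               "Version: 1:1.2.11.dfsg-2\nDescription: compression library\n runtime\n\n"
               "Package: oldpkg\nStatus: deinstall ok config-files\nVersion: 0.1-1\n")

def inventory(os_release, dpkg_status=None, apk_db=None):
    os_id, os_version = parse_os_release(os_release)
    if dpkg_status is not None:
        packages = parse_dpkg_status(dpkg_status)
    else:
        packages = parse_apk_installed(apk_db or "")
    return {"os": os_id, "version": os_version, "packages": packages}
```

The input files can be taken from a container that was created with `docker create` and never started, using `docker cp`, so no shell, `cat` or package manager is needed inside the image.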
Inventory file
I think this is the most important feature of this project. It allows you to separate inventory and vulnerability detection. Let’s say you need to quickly check some Linux host that you don’t have access to, and access is hard to get. You can run Scanvus with the --show-inventory-script option, and it will show a one-liner bash script for auditing.
python3.8 scanvus.py --show-inventory-script
You can then give this bash script to your system administrator, who will run it on systems you don’t have access to at all and pass the output of the scripts to you. And based on the output you get, you can detect vulnerabilities using Scanvus.
python3.8 scanvus.py --assessment-type inventory_file --inventory-file-path invent.txt
So, in theory, you can conduct audits without any access to the infrastructure at all.
Is it free? Not really.
As you can imagine, since Scanvus currently only uses the Vulners Linux API, it is not completely free. Of course, you can use it for free for non-commercial and research purposes (up to 100 credits per month), but for commercial use you will need to purchase a license from Vulners.
The main advantage of Vulners is that it supports literally all popular Linux distributions. Therefore, if you have a wide variety of Linux systems in your infrastructure, the Vulners Linux API is almost the only choice.
Will it be possible in the future to use Scanvus without Vulners Linux API? If there is an alternative API that can be used to detect Linux vulnerabilities by packages and OS version, then this can be done. 🙂 Maybe we can even think about a free API for some Linux systems. If you have any ideas on alternative assessment methods and APIs, write to @avleonovchat on Telegram.
In conclusion
Scanvus is a small but useful utility that I use regularly. If you like it too, please go to my github and give it a star. 😉
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
I also invite all Russian speakers to one more Telegram channel, @avleonovrus; I now post there first.