ec2-vuls-config is a command line tool that creates the Vuls config file for hosts running in Amazon EC2.
It selects the scan targets automatically from EC2 tags and rewrites the config file accordingly. For example, an instance tagged as follows is picked up as a scan target:

| Key | Value |
| --- | --- |
| Name | web-server-1 |
| vuls:scan | true |
- Binary

  Download from the releases page.

- Go get

  ```
  $ go get -u github.com/ohsawa0515/ec2-vuls-config
  ```
The tool only reads instance metadata, so ec2:DescribeInstances is the only permission it needs; this action does not support resource-level permissions, which is why Resource is "*". Example of IAM policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```
- Credential file ($HOME/.aws/credentials)

  ```
  [default]
  aws_access_key_id = <YOUR_ACCESS_KEY_ID>
  aws_secret_access_key = <YOUR_SECRET_ACCESS_KEY>
  ```

- Environment variables

  ```
  $ export AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY_ID
  $ export AWS_SECRET_ACCESS_KEY=YOUR_SECRET_ACCESS_KEY
  $ export AWS_REGION=us-east-1
  ```
A Vuls config.toml to rewrite is also required. See vuls#configuration or config.toml.sample.
By default, instances are selected under the following conditions:

- The state of the EC2 instance is running
- The platform is Linux (Windows instances are not selected)
- The vuls:scan tag is set to true
```
$ ec2-vuls-config
```

After execution, config.toml is rewritten as follows. The host is the private IP address of the instance, so the Vuls scanner must be able to reach the instances on that address.

```toml
[default]
port = "22"
user = "vuls"
keyPath = "/opt/vuls/.ssh/id_rsa"

[servers]
### Generate by ec2-vuls-config ###
# Updated 2000-01-01T00:01:00+09:00
[servers.web-server-1]
host = "192.0.2.11"
### ec2-vuls-config end ###
```
Other per-server settings can be reflected in the config by setting tags such as vuls:user, vuls:port and so on. In the template below, <...> stands for the name of the tag whose value is used.
```toml
[servers]
[servers.<Name>]
host = "<<Private IP address of instance>>"
port = "<vuls:port>"
user = "<vuls:user>"
keyPath = "<vuls:keyPath>"
# Set value of tag as comma-separated.
cpeNames = [
  "<vuls:cpeNames>",
]
# Set value of tag as comma-separated.
ignoreCves = [
  "<vuls:ignoreCves>",
]

# Example
# `vuls:user` => vuls
# `vuls:port` => 22
# `vuls:keyPath` => /opt/vuls/.ssh/id_rsa
# `vuls:cpeNames` => cpe:/a:rubyonrails:ruby_on_rails:4.2.7.1,cpe:/a:rubyonrails:ruby_on_rails:4.2.8,cpe:/a:rubyonrails:ruby_on_rails:5.0.1
# `vuls:ignoreCves` => CVE-2014-2913,CVE-2016-6314
[servers.web-server-1]
host = "192.0.2.11"
user = "vuls"
port = "22"
keyPath = "/opt/vuls/.ssh/id_rsa"
cpeNames = [
  "cpe:/a:rubyonrails:ruby_on_rails:4.2.7.1",
  "cpe:/a:rubyonrails:ruby_on_rails:4.2.8",
  "cpe:/a:rubyonrails:ruby_on_rails:5.0.1",
]
ignoreCves = [
  "CVE-2014-2913",
  "CVE-2016-6314",
]
```
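As an added example (not code from ec2-vuls-config itself), the following Go program shows the two steps the tool performs on the instances it gets back from DescribeInstances: applying the default selection conditions (running, not Windows, vuls:scan set to true) and rendering each selected instance's tags into a [servers.<Name>] table, including splitting the comma-separated vuls:cpeNames and vuls:ignoreCves values. The Instance type, the constructed sample instances and the decision to skip instances that have no Name tag are assumptions made for this example; the real tool reads the same fields through the AWS SDK.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Instance is a constructed stand-in for the few EC2 instance fields the
// selection and rendering below need (added illustration, not a type from
// ec2-vuls-config or the AWS SDK).
type Instance struct {
	State     string            // instance state name, e.g. "running" or "stopped"
	Platform  string            // "" for Linux; EC2 reports "windows" for Windows
	PrivateIP string            // private IPv4 address used as the Vuls host
	Tags      map[string]string // EC2 tags as key/value pairs
}

// selectTargets applies the default conditions: running, not Windows, and
// tagged vuls:scan=true. Instances without a Name tag are skipped too, since
// the generated [servers.<Name>] table needs a name (assumption for this example).
func selectTargets(instances []Instance) []Instance {
	var targets []Instance
	for _, in := range instances {
		if in.State != "running" || strings.EqualFold(in.Platform, "windows") {
			continue
		}
		if !strings.EqualFold(strings.TrimSpace(in.Tags["vuls:scan"]), "true") {
			continue
		}
		if in.Tags["Name"] == "" {
			continue
		}
		targets = append(targets, in)
	}
	// Sort by Name so the rewritten config is stable and easy to diff.
	sort.Slice(targets, func(i, j int) bool { return targets[i].Tags["Name"] < targets[j].Tags["Name"] })
	return targets
}

// splitList turns a comma-separated tag value such as
// "CVE-2014-2913,CVE-2016-6314" into trimmed, non-empty items.
func splitList(v string) []string {
	var items []string
	for _, s := range strings.Split(v, ",") {
		if s = strings.TrimSpace(s); s != "" {
			items = append(items, s)
		}
	}
	return items
}

// renderServer renders one [servers.<Name>] table: scalar settings from the
// vuls:user, vuls:port and vuls:keyPath tags, list settings from the
// comma-separated vuls:cpeNames and vuls:ignoreCves tags. Tags that are not
// set are omitted so that the [default] values apply.
func renderServer(in Instance) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[servers.%s]\n", in.Tags["Name"])
	fmt.Fprintf(&b, "host = %q\n", in.PrivateIP)
	for _, key := range []string{"user", "port", "keyPath"} {
		if v, ok := in.Tags["vuls:"+key]; ok {
			fmt.Fprintf(&b, "%s = %q\n", key, strings.TrimSpace(v))
		}
	}
	for _, key := range []string{"cpeNames", "ignoreCves"} {
		if v, ok := in.Tags["vuls:"+key]; ok {
			fmt.Fprintf(&b, "%s = [\n", key)
			for _, item := range splitList(v) {
				fmt.Fprintf(&b, "  %q,\n", item)
			}
			b.WriteString("]\n")
		}
	}
	return b.String()
}

// renderServers builds the generated [servers] section between the same
// marker comments the tool writes.
func renderServers(instances []Instance, now time.Time) string {
	var b strings.Builder
	b.WriteString("[servers]\n### Generate by ec2-vuls-config ###\n")
	fmt.Fprintf(&b, "# Updated %s\n", now.Format(time.RFC3339))
	for _, t := range selectTargets(instances) {
		b.WriteString(renderServer(t))
	}
	b.WriteString("### ec2-vuls-config end ###\n")
	return b.String()
}

// sampleInstances is constructed input: only web-server-1 meets every condition.
func sampleInstances() []Instance {
	return []Instance{
		{State: "running", PrivateIP: "192.0.2.11", Tags: map[string]string{
			"Name": "web-server-1", "vuls:scan": "true", "vuls:user": "vuls",
			"vuls:port": "22", "vuls:keyPath": "/opt/vuls/.ssh/id_rsa",
			"vuls:cpeNames":   "cpe:/a:rubyonrails:ruby_on_rails:4.2.7.1, cpe:/a:rubyonrails:ruby_on_rails:4.2.8",
			"vuls:ignoreCves": "CVE-2014-2913,CVE-2016-6314"}},
		{State: "stopped", PrivateIP: "192.0.2.12", Tags: map[string]string{"Name": "app-server-1", "vuls:scan": "true"}},
		{State: "running", Platform: "windows", PrivateIP: "192.0.2.13", Tags: map[string]string{"Name": "win-1", "vuls:scan": "true"}},
		{State: "running", PrivateIP: "192.0.2.14", Tags: map[string]string{"Name": "db-1"}},
	}
}

func main() {
	fmt.Print(renderServers(sampleInstances(), time.Now()))
}
```

Running it prints a [servers] section containing only web-server-1; the stopped, Windows and untagged instances are dropped, and the space after the comma in the constructed vuls:cpeNames value is trimmed rather than ending up inside the quoted CPE.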
--config

Specify the path of the config.toml to be read. By default it is $PWD/config.toml.

```
$ ec2-vuls-config --config /path/to/config.toml
```
--filters

Applies an additional filter on top of the default conditions, using the same Name=...,Values=... syntax as the describe-instances command. Separate multiple Name/Values pairs with a space.

- To scan all instances whose Name tag is web-server:

  ```
  $ ec2-vuls-config --filters "Name=tag:Name,Values=web-server"
  ```

- To scan all instances whose Name tag is app-server and whose instance type is r3.large:

  ```
  $ ec2-vuls-config --filters "Name=tag:Name,Values=app-server Name=instance-type,Values=r3.large"
  ```
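As an added example, not the tool's own parser, this Go snippet parses a --filters string into the Name/Values pairs that DescribeInstances accepts and applies them locally with the API's semantics (every filter must match, and a filter matches when the attribute equals any one of its values), which makes the difference between one filter with several values and several filters visible. The Filter type and the constructed instance attributes are assumptions; the real tool hands the parsed filters to the API instead of matching locally.

```go
package main

import (
	"fmt"
	"strings"
)

// Filter mirrors the Name/Values pair that the describe-instances --filters
// option takes (added illustration, not the tool's own type).
type Filter struct {
	Name   string
	Values []string
}

// parseFilters parses the --filters syntax: one or more whitespace-separated
// "Name=<name>,Values=<v1>,<v2>,..." entries.
func parseFilters(s string) ([]Filter, error) {
	const valuesSep = ",Values="
	var filters []Filter
	for _, field := range strings.Fields(s) {
		if !strings.HasPrefix(field, "Name=") {
			return nil, fmt.Errorf("filter %q must start with Name=", field)
		}
		rest := strings.TrimPrefix(field, "Name=")
		i := strings.Index(rest, valuesSep)
		if i < 0 {
			return nil, fmt.Errorf("filter %q is missing Values=", field)
		}
		name := rest[:i]
		values := strings.Split(rest[i+len(valuesSep):], ",")
		if name == "" || values[0] == "" {
			return nil, fmt.Errorf("filter %q has an empty name or value list", field)
		}
		filters = append(filters, Filter{Name: name, Values: values})
	}
	if len(filters) == 0 {
		return nil, fmt.Errorf("no filters given")
	}
	return filters, nil
}

// matches applies DescribeInstances filter semantics locally with exact
// matching only (the EC2 API additionally accepts * and ? wildcards): all
// filters must match (AND), and within one filter any value may match (OR).
func matches(attrs map[string]string, filters []Filter) bool {
	for _, f := range filters {
		v, ok := attrs[f.Name]
		if !ok {
			return false
		}
		hit := false
		for _, want := range f.Values {
			if v == want {
				hit = true
				break
			}
		}
		if !hit {
			return false
		}
	}
	return true
}

func main() {
	filters, err := parseFilters("Name=tag:Name,Values=app-server Name=instance-type,Values=r3.large")
	if err != nil {
		panic(err)
	}
	// Constructed instance attributes, keyed the way DescribeInstances filters name them.
	for _, attrs := range []map[string]string{
		{"tag:Name": "app-server", "instance-type": "r3.large"},
		{"tag:Name": "app-server", "instance-type": "c3.large"},
	} {
		fmt.Printf("%v -> %v\n", attrs, matches(attrs, filters))
	}
}
```

Because filters are ANDed, "Name=tag:Name,Values=app-server Name=instance-type,Values=r3.large" selects only app-server instances of that one type, whereas "Name=instance-type,Values=r3.large,c3.large" (one filter, two values) would select either type.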
--out

Specify the path of the config file to be written. By default it is $PWD/config.toml.

```
$ ec2-vuls-config --out /path/to/config.toml
```
Print the generated config to standard output instead of writing it into the specified config file.
- Fork (https://github.com/ohsawa0515/ec2-vuls-config/fork)
- Create a feature branch
- Commit your changes
- Rebase your local changes against the master branch
- Run the test suite with go test ./... and confirm that it passes
- Run gofmt -s
- Create a new Pull Request
See LICENSE.