astrozinger


Vulnerability audits Part 2
April 23, 2013, 3:55 pm
Filed under: centOS, Linux, security | Tags: , , ,

As I explained in my first post about Vulnerability Scans, the results don’t necessarily tell the whole story.  Unfortunately the burden of proof is on the owner of the system rather than the auditor when trying to verify if a machine is vulnerable to the flagged list of vulnerabilities.  For this purpose I created a script to help alleviate some of the work required to do this check on an rpm based linux system – I have only tested it on CentOS but have no reason to believe it won’t work on others.

To use it you copy the code into a file – make it executable to root:

chmod 700 <filename>

Create another file called vulns.txt with the CVE list and run the code.  It will sort the output into patched, unconfirmed – with a url to read more about the CVE and incorrect format sections.  Tabs are not included in the pasted code, so if you would like it to look good, add your own tabs.

#!/bin/bash
################################################################
#
# This script is designed to check CVE vulnerabilities against the rpm install database.
# Vulnerability scanners scan against release versions of software which don’t correlate
# to backported security fixes in the CentOS rpms. Therefore there will be several
# false positives when running a vulnerability scan. Place this file along with a
# file called vulns.txt with the cve-xxxx-xxxx list, one per line.
#
################################################################

#Variables
NOW=$(date +”%m-%d-%Y-%H-%M”)
PATCHED=Patched$NOW.tmp
NOTPATCHED=NotPatched$NOW.tmp
PATCH_DETAIL=PatchedDetail$NOW.tmp
OUTPUT=Out$NOW.txt
INCORRECT=Incorrect$NOW.tmp
FILENAME=vulns.txt
BAD=0

#check for root, exit if not
if [[ $EUID -ne 0 ]]; then
echo “This script must be run as root”
exit 1
fi

#verify that vulns.txt exists
if [ ! -f $FILENAME ]
then
echo “$FILENAME does not exist. Please copy the CVE list into $FILENAME and run this again.”
exit 1
fi

#####Intro
echo “This script will search the rpm database for CVE patches.”
echo “Please press 1 for a quick overview of patched vulnerabilities”
echo “Please press 2 for an in depth query of vulnerabilties ~ 15seconds per entry”
read CHOICE

while [[ $CHOICE != “1” && $CHOICE != “2” ]]
do
echo “Please choose 1 or 2 or hit ctrl+v to exit”
read CHOICE
done

#####Quick
if [ $CHOICE -gt 0 ]
then
CVE=`rpm -qa –changelog | grep CVE`
while read line
do
if [ -n “${line}” ]
then
if [[ $line == CVE\-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9] ]]
then
OUT=`echo $CVE | grep -i $line`
RESULTS=$?
if [ $RESULTS -eq 0 ]
then
echo $line >> $PATCHED
echo $line – Patched
else
echo $line – http://web.nvd.nist.gov/view/vuln/detail?vulnId=$line >> $NOTPATCHED
echo $line – Needs further research
fi
else
echo $line – Incorrect format
echo $line >> $INCORRECT
BAD=1
fi
fi
done < $FILENAME
fi

#####Super Slow
if [ $CHOICE -eq 2 ]
then
echo “Matching CVE numbers to packages, this will take a few minutes.”
while read line
do
for pkg in `rpm -qa`;
do
OUT=`rpm -q –changelog ${pkg} | grep -i $line`
RESULTS=$?
if [ $RESULTS -eq 0 ]
then
echo $line – $pkg >> $PATCH_DETAIL
fi
done
done < $PATCHED

rm $PATCHED
mv $PATCH_DETAIL $PATCHED
fi

echo “These are confirmed patched” >> $OUTPUT
cat $PATCHED >> $OUTPUT
echo -e “\n” >> $OUTPUT
echo “These are unconfirmed and will require more research, a url is attached that might provide details” >> $OUTPUT
cat $NOTPATCHED >> $OUTPUT
echo -e “\n” >> $OUTPUT

if [ $BAD == “1” ]
then
echo “These lines were not in the correct format. Please fix them and run it again.” >> $OUTPUT
cat $INCORRECT >> $OUTPUT
rm $INCORRECT
fi
echo -e “\n\nYour output is in $OUTPUT”

rm $PATCHED
rm $NOTPATCHED

Advertisements

Leave a Comment so far
Leave a comment



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s



%d bloggers like this: