Deprecate prepare subcommand to minimize the root authority future-ar…

…chitect#375

README.ja.md

@@ -87,7 +87,7 @@ Hello Vulsチュートリアルでは手動でのセットアップ方法で説
 1. go-cve-dictionaryをデプロイ
 1. Vulsをデプロイ
 1. 設定
-1. Prepare
+1. 設定ファイルと、スキャン対象サーバの設定のチェック
 1. Scan
 1. Reporting
 1. TUI(Terminal-Based User Interface)で結果を参照する
@@ -216,15 +216,14 @@ port        = "22"
 user        = "ec2-user"
 keyPath     = "/home/ec2-user/.ssh/id_rsa"
 
-$ vuls configtest
 ```
 
-## Step7. Setting up target servers for Vuls  
+## Step7. Check config.toml and settings on the server before scanning
 
 ```
-$ vuls prepare
+$ vuls configtest
 ```
-詳細は [Usage: Prepare](https://github.com/future-architect/vuls#usage-prepare) を参照
+詳細は [Usage: configtest](#usage-configtest) を参照
 
 ## Step8. Start Scanning
 
@@ -327,7 +326,7 @@ $ vuls tui
 
 # Architecture
 
-## A. Scan via SSH Mode
+## A. Scan via SSH Mode (Remote Scan Mode)
 
 ![Vuls-Architecture](img/vuls-architecture.png)
 
@@ -585,8 +584,6 @@ host         = "172.31.4.82"
 
 # Usage: Configtest
 
-configtestサブコマンドは、config.tomlで定義されたサーバ/コンテナに対してSSH可能かどうかをチェックする。  
-
 ```
 $ vuls configtest --help
 configtest:
@@ -595,6 +592,7 @@ configtest:
                         [-log-dir=/path/to/log]
                         [-ask-key-password]
                         [-ssh-external]
+                        [-http-proxy=http://192.168.0.1:8080]
                         [-debug]
 
                         [SERVER]...
@@ -604,66 +602,70 @@ configtest:
         /path/to/toml (default "/Users/kotakanbe/go/src/github.com/future-architect/vuls/config.toml")
   -debug
         debug mode
+  -http-proxy string
+        http://proxy-url:port (default: empty)
   -log-dir string
         /path/to/log (default "/var/log/vuls")
   -ssh-external
         Use external ssh command. Default: Use the Go native implementation
 ```
 
-また、スキャン対象サーバに対してパスワードなしでSUDO可能な状態かもチェックする。  
-
-スキャン対象サーバ上の`/etc/sudoers`のサンプル
-
-- CentOS, RHEL, Amazon Linux
-```
-vuls ALL=(root) NOPASSWD: /usr/bin/yum
-```
-- Ubuntu, Debian, Raspbian
-```
-vuls ALL=(root) NOPASSWD: /usr/bin/apt-get
-```
-- Amazon Linux, FreeBSDはRoot権限なしでスキャン可能
-
-----
+configtestサブコマンドは以下をチェックする
+- config.tomlで定義されたサーバ/コンテナに対してSSH可能かどうか
+- スキャン対象のサーバ上に依存パッケーがインストールされているか
+- /etc/sudoers
 
-# Usage: Prepare
+## Dependencies on Target Servers
 
-Prepareサブコマンドは、Vuls内部で利用する以下のパッケージをスキャン対象サーバにインストールする。
+スキャンするためには、下記のパッケージが必要なので、手動かまたはAnsibleなどのツールで事前にインストールする必要がある。
 
 | Distribution|            Release | Requirements |
 |:------------|-------------------:|:-------------|
 | Ubuntu      |          12, 14, 16| -            |
 | Debian      |                7, 8| aptitude     |
-| CentOS      |                   5| yum-changelog |
 | CentOS      |                6, 7| yum-plugin-changelog |
-| Amazon      |                All | -            |
-| RHEL        |            5, 6, 7 | -            |
+| Amazon      |                All | - |
+| RHEL        |                  5 | yum-security             |
+| RHEL        |               6, 7 | -  |
 | FreeBSD     |                 10 | -            |
 | Raspbian    |     Wheezy, Jessie | -            |
 
+## Check /etc/sudoers 
+
+スキャン対象サーバに対してパスワードなしでSUDO可能な状態かもチェックする。  
+スキャン対象サーバ上の`/etc/sudoers`のサンプル
 
+- CentOS
+```
+vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --changelog --assumeno update *
+Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
 ```
-$ vuls prepare -help
-prepare:
-        prepare
-                        [-config=/path/to/config.toml]
-                        [-log-dir=/path/to/log]
-                        [-ask-key-password]
-                        [-debug]
-                        [-ssh-external]
 
-                        [SERVER]...
-  -ask-key-password
-        Ask ssh privatekey password before scanning
-  -config string
-        /path/to/toml (default "$PWD/config.toml")
-  -debug
-        debug mode
-  -log-dir string
-        /path/to/log (default "/var/log/vuls")
-  -ssh-external
-        Use external ssh command. Default: Use the Go native implementation
+- RHEL 5 
 ```
+vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never list-security --security, /usr/bin/yum --color=never check-update, /usr/bin/yum --color=never info-security
+Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
+```
+
+- RHEL 6, 7
+```
+vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never --security updateinfo list updates, /usr/bin/yum --color=never check-update, /usr/bin/yum --color=never --security updateinfo updates
+Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
+```
+
+- Debian
+```
+vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
+Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
+```
+
+- Ubuntu/Raspbian
+```
+vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
+Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
+```
+
+- Amazon Linux, FreeBSDは今のところRoot権限なしでスキャン可能
 
 ----
 

README.md

@@ -93,7 +93,7 @@ This can be done in the following steps.
 1. Deploy go-cve-dictionary
 1. Deploy Vuls
 1. Configuration
-1. Prepare
+1. Check config.toml and settings on the server before scanning
 1. Scan
 1. Reporting
 1. TUI(Terminal-Based User Interface)
@@ -211,15 +211,15 @@ port        = "22"
 user        = "ec2-user"
 keyPath     = "/home/ec2-user/.ssh/id_rsa"
 
-$ vuls configtest
 ```
 
-## Step7. Setting up target servers for Vuls  
+## Step7. Check config.toml and settings on the server before scanning
 
 ```
-$ vuls prepare
+$ vuls configtest
 ```
-see [Usage: Prepare](https://github.com/future-architect/vuls#usage-prepare)
+
+see [Usage: configtest](#usage-configtest)
 
 ## Step8. Start Scanning
 
@@ -325,7 +325,7 @@ see https://github.com/future-architect/vuls/tree/master/setup/docker
 
 # Architecture
 
-## A. Scan via SSH Mode
+## A. Scan via SSH Mode (Remote Scan Mode)
 
 ![Vuls-Architecture](img/vuls-architecture.png)
 
@@ -589,7 +589,6 @@ You can customize your configuration using this template.
 
 # Usage: Configtest
 
-Configtest subcommand check if vuls is able to connect via ssh to servers/containers defined in the config.toml.  
 ```
 $ vuls configtest --help
 configtest:
@@ -607,72 +606,72 @@ configtest:
         /path/to/toml (default "/Users/kotakanbe/go/src/github.com/future-architect/vuls/config.toml")
   -debug
         debug mode
+  -http-proxy string
+        http://proxy-url:port (default: empty)
   -log-dir string
         /path/to/log (default "/var/log/vuls")
   -ssh-external
         Use external ssh command. Default: Use the Go native implementation
 ```
 
-And also, configtest subcommand checks sudo settings on target servers whether Vuls is able to SUDO with nopassword via SSH.  
-
-Example of /etc/sudoers on target servers
-- CentOS and RHEL
-```
-vuls ALL=(root) NOPASSWD: /usr/bin/yum
-```
-- Ubuntu, Debian and Raspbian
-```
-vuls ALL=(root) NOPASSWD: /usr/bin/apt-get
-```
-- It is possible to scan without root privilege for Amazon Linux, FreeBSD.
-
+The configtest subcommand checks the following
+- Whether vuls is able to connect via ssh to servers/containers defined in the config.toml
+- Whether Dependent package is installed on the scan target server
+- Check /etc/sudoers
 
+## Dependencies on Target Servers
 
-----
-
-# Usage: Prepare
-
-Prepare subcommand installs required packages on each server.
+In order to scan, the following dependencies are required, so you need to install them manually or with tools such as Ansible.
 
 | Distribution|            Release | Requirements |
 |:------------|-------------------:|:-------------|
 | Ubuntu      |          12, 14, 16| -            |
 | Debian      |                7, 8| aptitude     |
-| CentOS      |                   5| yum-changelog |
 | CentOS      |                6, 7| yum-plugin-changelog |
-| Amazon      |                All | -            |
-| RHEL        |            5, 6, 7 | -            |
+| Amazon      |                All | - |
+| RHEL        |                  5 | yum-security             |
+| RHEL        |               6, 7 | -  |
 | FreeBSD     |                 10 | -            |
 | Raspbian    |     Wheezy, Jessie | -            |
 
+## Check /etc/sudoers 
+
+The configtest subcommand checks sudo settings on target servers whether Vuls is able to SUDO with nopassword via SSH.  
+
+Example of /etc/sudoers on target servers
+
+- CentOS
+```
+vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --changelog --assumeno update *
+Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
+```
 
+- RHEL 5 
+```
+vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never list-security --security, /usr/bin/yum --color=never check-update, /usr/bin/yum --color=never info-security
+Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
 ```
-$ vuls prepare -help
-prepare:
-	prepare
-			[-config=/path/to/config.toml]
-			[-log-dir=/path/to/log]
-			[-ask-key-password]
-			[-assume-yes]
-			[-debug]
-			[-ssh-external]
 
-			[SERVER]...
-  -ask-key-password
-    	Ask ssh privatekey password before scanning
-  -ask-sudo-password
-    	[Deprecated] THIS OPTION WAS REMOVED FOR SECURITY REASONS. Define NOPASSWD in /etc/sudoers on target servers and use SSH key-based authentication
-  -assume-yes
-    	Assume any dependencies should be installed
-  -config string
-    	/path/to/toml (default "$PWD/config.toml")
-  -debug
-    	debug mode
-  -log-dir string
-      /path/to/log (default "/var/log/vuls")
-  -ssh-external
-    	Use external ssh command. Default: Use the Go native implementation
+- RHEL 6, 7
 ```
+vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never --security updateinfo list updates, /usr/bin/yum --color=never check-update, /usr/bin/yum --color=never --security updateinfo updates
+Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
+```
+
+- Debian
+```
+vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
+Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
+```
+
+- Ubuntu/Raspbian
+```
+vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
+Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
+```
+
+- On Amazon Linux, FreeBSD, it is possible to scan without root privilege for now.
+
 ----
 
 # Usage: Scan

commands/configtest.go

@@ -36,6 +36,7 @@ type ConfigtestCmd struct {
 	logDir         string
 	askKeyPassword bool
 	sshExternal    bool
+	httpProxy      string
 
 	debug bool
 }
@@ -54,6 +55,7 @@ func (*ConfigtestCmd) Usage() string {
 			[-log-dir=/path/to/log]
 			[-ask-key-password]
 			[-ssh-external]
+			[-http-proxy=http://192.168.0.1:8080]
 			[-debug]
 
 			[SERVER]...
@@ -78,6 +80,13 @@ func (p *ConfigtestCmd) SetFlags(f *flag.FlagSet) {
 		"Ask ssh privatekey password before scanning",
 	)
 
+	f.StringVar(
+		&p.httpProxy,
+		"http-proxy",
+		"",
+		"http://proxy-url:port (default: empty)",
+	)
+
 	f.BoolVar(
 		&p.sshExternal,
 		"ssh-external",
@@ -108,6 +117,7 @@ func (p *ConfigtestCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interfa
 		return subcommands.ExitUsageError
 	}
 	c.Conf.SSHExternal = p.sshExternal
+	c.Conf.HTTPProxy = p.httpProxy
 
 	var servernames []string
 	if 0 < len(f.Args()) {
@@ -144,7 +154,10 @@ func (p *ConfigtestCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interfa
 		return subcommands.ExitFailure
 	}
 
-	util.Log.Info("Checking sudo configuration...")
+	util.Log.Info("Checking dependendies...")
+	scan.CheckDependencies()
+
+	util.Log.Info("Checking sudo settings...")
 	scan.CheckIfSudoNoPasswd()
 
 	scan.PrintSSHableServerNames()