From f6d59a1c590683eaae97fc953bcdc1e69626f51c Mon Sep 17 00:00:00 2001 From: Shuichi Ohsawa Date: Sat, 14 Oct 2017 22:32:56 +0900 Subject: [PATCH 1/6] Update README --- README.md | 88 ++++++++++++++++++++++++++++--------------------------- 1 file changed, 45 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index 08f0328..36875d0 100644 --- a/README.md +++ b/README.md @@ -1,22 +1,35 @@ ec2-vuls-config === -ec2-vuls-config is useful cli to create config file for [Vuls](https://github.com/future-architect/vuls) in Amazon EC2. +ec2-vuls-config is useful command line tool to create config file for [Vuls](https://github.com/future-architect/vuls) in Amazon EC2. By specifying the EC2 tag, you select the scan target Automatically and rewrite the config file. -## How to install and settings +# Installation -### 1. Installation +## Step1. Set the `Name` and `vuls:scan` tag to EC2 instances that you want to scan +```console +Name : web-server-1 +vuls:scan : true ``` + +## Step2. Installation + +* Binary + +Download from [releases page](https://github.com/ohsawa0515/ec2-vuls-config/releases). + +* Go get + +```console $ go get -u github.com/ohsawa0515/ec2-vuls-config ``` -### 2. Set AWS credentials +## Step3. Set AWS credentials * Credential file (`$HOME/.aws/credentials`) -``` +```console [default] aws_access_key_id = aws_secret_access_key = 
@@ -24,33 +37,23 @@ aws_secret_access_key = * Environment variable -``` +```console $ export AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY_ID $ export AWS_SECRET_ACCESS_KEY=YOUR_SECRET_ACCESS_KEY ``` -### 3. Set AWS region +## Step4. Set AWS region -``` +```console $ export AWS_REGION=us-east-1 ``` -### 4. Set the `Name` and `vuls:scan` tag to EC2 instance that you want to scan - -e.g. - -``` -Name : web-server-1 -vuls:scan : true -``` - -### 5. Prepare config.toml for Vuls scan -See [README of Vuls](https://github.com/future-architect/vuls/blob/master/README.md#step6-config) or [config.toml.sample](https://github.com/ohsawa0515/ec2-vuls-config/blob/master/config.toml.sample) +## Step5. Prepare config.toml for Vuls scan -## Usage +See [vuls#configuration](https://github.com/future-architect/vuls#configuration) or [config.toml.sample](https://github.com/ohsawa0515/ec2-vuls-config/blob/master/config.toml.sample) -### Execute +## Step6. Execute By default, it is filtered under the following conditions. @@ -58,13 +61,13 @@ By default, it is filtered under the following conditions. - Linux (will not select Windows) - `vuls:scan` tag is set to `true` -``` +```console $ ec2-vuls-config ``` After execute, config.toml would be rewrites as follows. -``` +```toml [default] port = "22" user = "vuls" @@ -81,7 +84,7 @@ host = "192.0.2.11" ### ec2-vuls-config end ### ``` -### Tags +# Tags It can be reflected in config by setting a tag such as `vuls:user`, `vuls:port` and so on. 
@@ -98,21 +101,21 @@ keyPath = "" # Set value of tag as comma-separated. cpeNames = [ - +"", ] # Set value of tag as comma-separated. ignoreCves = [ - +"", ] # Example -`vuls:user` => vuls -`vuls:port` => 22 -`vuls:keyPath` => /opt/vuls/.ssh/id_rsa -`vuls:cpeNames` => cpe:/a:rubyonrails:ruby_on_rails:4.2.7.1,cpe:/a:rubyonrails:ruby_on_rails:4.2.8,cpe:/a:rubyonrails:ruby_on_rails:5.0.1 -`vuls:ignoreCves` => CVE-2014-2913,CVE-2016-6314 +# `vuls:user` => vuls +# `vuls:port` => 22 +# `vuls:keyPath` => /opt/vuls/.ssh/id_rsa +# `vuls:cpeNames` => cpe:/a:rubyonrails:ruby_on_rails:4.2.7.1,cpe:/a:rubyonrails:ruby_on_rails:4.2.8,cpe:/a:rubyonrails:ruby_on_rails:5.0.1 +# `vuls:ignoreCves` => CVE-2014-2913,CVE-2016-6314 [servers.web-server-1] host = "192.0.2.11" @@ -130,21 +133,20 @@ ignoreCves = [ ] ``` +# Command line options -### Options - -#### --config (-c) +## --config (-c) Specify the file path to the config.toml to be read. By default, `$PWD/config.toml`. e.g. -``` +```console $ ec2-vuls-config --config /path/to/config.toml ``` -#### --filters (-f) +## --filters (-f) In addition to the default condition, it is used for further filter. This option like [describe-instances command](http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html). 
@@ -154,33 +156,33 @@ e.g. * To scan all instances with name of `web-server` -``` +```console $ ec2-vuls-config --filters "Name=tag:Name,Values=web-server" ``` * To scan all instances with name of `app-server` and instance type `c3.large` -``` +```console $ ec2-vuls-config --filters "Name=tag:Name,Values=app-server Name=instance-type,Values=r3.large" ``` -#### --out (-o) +## --out (-o) Specify the path of the config file to be written. By default, `$PWD/config.toml`. e.g. -``` +```console $ ec2-vuls-config --out /path/to/config.toml ``` -#### --print (-p) +## --print (-p) Echo the standard output instead of write into specified config file. -## Contribution +# Contribution 1. Fork ([https://github.com/ohsawa0515/ec2-vuls-config/fork](https://github.com/ohsawa0515/ec2-vuls-config/fork)) 2. Create a feature branch @@ -190,6 +192,6 @@ Echo the standard output instead of write into specified config file. 6. Run `gofmt -s` 7. Create new Pull Request -## License +# License See [LICENSE](https://github.com/ohsawa0515/ec2-vuls-config/blob/master/LICENSE). From c7ec32a82e267fc816514a4c2e76e0c0f8cebf13 Mon Sep 17 00:00:00 2001 From: Shuichi Ohsawa Date: Sat, 14 Oct 2017 23:26:46 +0900 Subject: [PATCH 2/6] Use dep. --- .gitignore | 3 ++- Gopkg.lock | 32 ++++++++++++++++++++++++++++++++ Gopkg.toml | 30 ++++++++++++++++++++++++++++++ README.md | 2 ++ 4 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 Gopkg.lock create mode 100644 Gopkg.toml diff --git a/.gitignore b/.gitignore index 0c651c9..b04abf4 100644 --- a/.gitignore +++ b/.gitignore @@ -12,4 +12,5 @@ .idea *.iml -config.toml \ No newline at end of file +config.toml +/vendor/ diff --git a/Gopkg.lock b/Gopkg.lock new file mode 100644 index 0000000..1d1ee47 --- /dev/null +++ b/Gopkg.lock 
@@ -0,0 +1,32 @@ +# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'. + + +[[projects]] + name = "github.com/aws/aws-sdk-go" + packages = ["aws","aws/awserr","aws/awsutil","aws/client","aws/client/metadata","aws/corehandlers","aws/credentials","aws/credentials/ec2rolecreds","aws/credentials/endpointcreds","aws/credentials/stscreds","aws/defaults","aws/ec2metadata","aws/endpoints","aws/request","aws/session","aws/signer/v4","internal/shareddefaults","private/protocol","private/protocol/ec2query","private/protocol/query","private/protocol/query/queryutil","private/protocol/rest","private/protocol/xml/xmlutil","service/ec2","service/sts"] + revision = "7cb0cfd8c7a20efc2ec149e50eb55fc770c673d8" + version = "v1.12.10" + +[[projects]] + name = "github.com/go-ini/ini" + packages = ["."] + revision = "3321baafb1bb36f5288e5fff1c7cc98abd4c173a" + version = "v1.29.2" + +[[projects]] + name = "github.com/jmespath/go-jmespath" + packages = ["."] + revision = "0b12d6b5" + +[[projects]] + name = "gopkg.in/urfave/cli.v1" + packages = ["."] + revision = "cfb38830724cc34fedffe9a2a29fb54fa9169cd1" + version = "v1.20.0" + +[solve-meta] + analyzer-name = "dep" + analyzer-version = 1 + inputs-digest = "cba87ef14c5dd634c3fd3427d7c6765ee839422ce463353c61ae66a13ad38aaf" + solver-name = "gps-cdcl" + solver-version = 1 diff --git a/Gopkg.toml b/Gopkg.toml new file mode 100644 index 0000000..e6bd216 --- /dev/null +++ b/Gopkg.toml 
@@ -0,0 +1,30 @@ + +# Gopkg.toml example +# +# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md +# for detailed Gopkg.toml documentation. +# +# required = ["github.com/user/thing/cmd/thing"] +# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"] +# +# [[constraint]] +# name = "github.com/user/project" +# version = "1.0.0" +# +# [[constraint]] +# name = "github.com/user/project2" +# branch = "dev" +# source = "github.com/myfork/project2" +# +# [[override]] +# name = "github.com/x/y" +# version = "2.4.0" + + +[[constraint]] + name = "github.com/aws/aws-sdk-go" + version = "1.12.10" + +[[constraint]] + name = "gopkg.in/urfave/cli.v1" + version = "1.20.0" diff --git a/README.md b/README.md index 36875d0..8d59193 100644 --- a/README.md +++ b/README.md @@ -23,6 +23,8 @@ Download from [releases page](https://github.com/ohsawa0515/ec2-vuls-config/rele ```console $ go get -u github.com/ohsawa0515/ec2-vuls-config +$ go get -u github.com/golang/dep/... +$ dep ensure ``` ## Step3. Set AWS credentials From ce11ca38da4e12620e942a4ef071f3736ee65a84 Mon Sep 17 00:00:00 2001 From: Shuichi Ohsawa Date: Sun, 15 Oct 2017 09:49:24 +0900 Subject: [PATCH 3/6] Update README --- README.md | 40 +++++++++++++++++++++++----------------- 1 file changed, 23 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index 8d59193..3114606 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ ec2-vuls-config === -ec2-vuls-config is useful command line tool to create config file for [Vuls](https://github.com/future-architect/vuls) in Amazon EC2. +ec2-vuls-config is useful command line tool to create config file for [Vuls](https://github.com/future-architect/vuls) in Amazon EC2. By specifying the EC2 tag, you select the scan target Automatically and rewrite the config file. # Installation 
@@ -23,12 +23,27 @@ Download from [releases page](https://github.com/ohsawa0515/ec2-vuls-config/rele ```console $ go get -u github.com/ohsawa0515/ec2-vuls-config -$ go get -u github.com/golang/dep/... -$ dep ensure ``` ## Step3. Set AWS credentials - + +Example of IAM policy: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "ec2:DescribeInstances" + ], + "Effect": "Allow", + "Resource": "*" + } + ] +} +``` + * Credential file (`$HOME/.aws/credentials`) ```console @@ -139,10 +154,7 @@ ignoreCves = [ ## --config (-c) -Specify the file path to the config.toml to be read. -By default, `$PWD/config.toml`. - -e.g. +Specify the file path to the config.toml to be read.By default, `$PWD/config.toml`. ```console $ ec2-vuls-config --config /path/to/config.toml @@ -150,11 +162,8 @@ $ ec2-vuls-config --config /path/to/config.toml ## --filters (-f) -In addition to the default condition, it is used for further filter. -This option like [describe-instances command](http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html). -Specify Name and Value and separate with a space. - -e.g. +In addition to the default condition, it is used for further filter. This option like [describe-instances command](http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html). +Specify set of `Name` and `Value` and separate with a space. * To scan all instances with name of `web-server` @@ -170,10 +179,7 @@ $ ec2-vuls-config --filters "Name=tag:Name,Values=app-server Name=instance-type, ## --out (-o) -Specify the path of the config file to be written. -By default, `$PWD/config.toml`. - -e.g. +Specify the path of the config file to be written.By default, `$PWD/config.toml`. ```console $ ec2-vuls-config --out /path/to/config.toml From afb74f1e8ad1f1e949124fd4c4810f9caf1757eb Mon Sep 17 00:00:00 2001 
From: Shuichi Ohsawa Date: Sun, 15 Oct 2017 09:50:02 +0900 Subject: [PATCH 4/6] Add Japanese README. --- README.ja.md | 207 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 207 insertions(+) create mode 100644 README.ja.md diff --git a/README.ja.md b/README.ja.md new file mode 100644 index 0000000..7abac6c --- /dev/null +++ b/README.ja.md 
@@ -0,0 +1,207 @@ +ec2-vuls-config +=== + +ec2-vuls-config は [Vuls](https://github.com/future-architect/vuls)スキャンのために、Amazon EC2インスタンスの情報を収集して設定ファイルを生成するのに役立つコマンドラインツールです。 +EC2タグを指定することで、自動的にスキャン対象を選定し、設定ファイルを書き換えます。 + +# Installation + +## Step1. スキャンしたいEC2インスタンスに`Name`タグと`vuls:scan`タグとその値を付与する + +```console +Name : web-server-1 +vuls:scan : true +``` + +## Step2. インストール + +* Binary + +[releases page](https://github.com/ohsawa0515/ec2-vuls-config/releases)からダウンロードできます。 + +* Go get + +```console +$ go get -u github.com/ohsawa0515/ec2-vuls-config +$ go get -u github.com/golang/dep/... +$ dep ensure +``` + +## Step3. AWSクレデンシャルを設定 + +IAMポリシー例: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "ec2:DescribeInstances" + ], + "Effect": "Allow", + "Resource": "*" + } + ] +} +``` + +* Credential file (`$HOME/.aws/credentials`) + +```console +[default] +aws_access_key_id = +aws_secret_access_key = +``` + +* Environment variable + +```console +$ export AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY_ID +$ export AWS_SECRET_ACCESS_KEY=YOUR_SECRET_ACCESS_KEY +``` + +## Step4. AWSリージョンを設定 + +```console +$ export AWS_REGION=us-east-1 +``` + + +## Step5. 設定ファイル(config.toml)を用意する + +設定ファイルについては、[vuls#configuration](https://github.com/future-architect/vuls#configuration) か [config.toml.sample](https://github.com/ohsawa0515/ec2-vuls-config/blob/master/config.toml.sample) をご参照ください。 + +## Step6. 
実行 + +デフォルトで以下のフィルタ条件が適用されています。 + +- EC2インスタンスのステータスがRunning +- Linux (Windowsは選択されない) +- `vuls:scan` タグの値は `true` のみ + +```console +$ ec2-vuls-config +``` + +実行後, 設定ファイル(config.toml)は以下のように追記されています。 + +```toml +[default] +port = "22" +user = "vuls" +keyPath = "/opt/vuls/.ssh/id_rsa" + +[servers] + +### Generate by ec2-vuls-config ### +# Updated 2000-01-01T00:01:00+09:00 + +[servers.web-server-1] +host = "192.0.2.11" + +### ec2-vuls-config end ### +``` + +# Tags + +`vuls:user`、` vuls:port`などのEC2タグを設定することで、設定ファイルにに反映させることができます。 + +`<...>` はタグ名です。 + +```toml +[servers] + +[servers.] +host = "<>" +port = "" +user = "" +keyPath = "" + +# Set value of tag as comma-separated. +cpeNames = [ +"", +] + +# Set value of tag as comma-separated. +ignoreCves = [ +"", +] + +# Example + +# `vuls:user` => vuls +# `vuls:port` => 22 +# `vuls:keyPath` => /opt/vuls/.ssh/id_rsa +# `vuls:cpeNames` => cpe:/a:rubyonrails:ruby_on_rails:4.2.7.1,cpe:/a:rubyonrails:ruby_on_rails:4.2.8,cpe:/a:rubyonrails:ruby_on_rails:5.0.1 +# `vuls:ignoreCves` => CVE-2014-2913,CVE-2016-6314 + +[servers.web-server-1] +host = "192.0.2.11" +user = "vuls" +port = "22" +keyPath = "/opt/vuls/.ssh/id_rsa" +cpeNames = [ +"cpe:/a:rubyonrails:ruby_on_rails:4.2.7.1", +"cpe:/a:rubyonrails:ruby_on_rails:4.2.8", +"cpe:/a:rubyonrails:ruby_on_rails:5.0.1", +] +ignoreCves = [ +"CVE-2014-2913", +"CVE-2016-6314", +] +``` + +# Command line options + +## --config (-c) + +読み込む設定ファイルのファイルパスを指定します。デフォルト: `$PWD/config.toml` + +```console +$ ec2-vuls-config --config /path/to/config.toml +``` + +## --filters (-f) + +デフォルトの条件に加えて、さらにフィルタリングしたい場合に使用します。フィルタリングは[describe-instances コマンド](http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html)のように指定できます。 +`Name`タグと`Value`タグのセットで指定し、スペース区切りで複数指定可能。 + +* `web-server`というNameタグのインスタンスをスキャンしたい場合 + +```console +$ ec2-vuls-config --filters "Name=tag:Name,Values=web-server" +``` + +* `app-server`というNameタグがついている、かつインスタンスタイプが`c3.large`のインスタンスをスキャンしたい場合 + +```console +$ 
ec2-vuls-config --filters "Name=tag:Name,Values=app-server Name=instance-type,Values=r3.large" +``` + +## --out (-o) + +設定ファイルの出力先を指定します。デフォルト: `$PWD/config.toml` + +```console +$ ec2-vuls-config --out /path/to/config.toml +``` + + +## --print (-p) + +設定ファイルに書き込む代わりに標準出力します。 + +# Contribution + +1. Fork ([https://github.com/ohsawa0515/ec2-vuls-config/fork](https://github.com/ohsawa0515/ec2-vuls-config/fork)) +2. Create a feature branch +3. Commit your changes +4. Rebase your local changes against the master branch +5. Run test suite with the `go test ./...` command and confirm that it passes +6. Run `gofmt -s` +7. Create new Pull Request + +# License + +See [LICENSE](https://github.com/ohsawa0515/ec2-vuls-config/blob/master/LICENSE). From 7c93052c9457de300fa533ac72bd820439a5a58f Mon Sep 17 00:00:00 2001 From: Shuichi Ohsawa Date: Sun, 15 Oct 2017 10:12:48 +0900 Subject: [PATCH 5/6] Add goreleaser --- .goreleaser.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .goreleaser.yml diff --git a/.goreleaser.yml b/.goreleaser.yml new file mode 100644 index 0000000..aee7d80 --- /dev/null +++ b/.goreleaser.yml @@ -0,0 +1,19 @@ +builds: + - binary: ec2-vuls-config + goos: + - windows + - darwin + - linux + goarch: + - amd64 + - 386 +archive: + format: zip + name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}" + files: + - README.md + - README.ja.md +release: + github: + owner: ohswa0515 + name: ec2-vuls-config \ No newline at end of file From 8cb3bc6dcfc532f812360bb3ad8978ce05461167 Mon Sep 17 00:00:00 2001 From: Shuichi Ohsawa Date: Sun, 15 Oct 2017 10:12:59 +0900 Subject: [PATCH 6/6] release v0.1.0 --- ec2-vuls-config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ec2-vuls-config.go b/ec2-vuls-config.go index 675a31f..436320e 100644 --- a/ec2-vuls-config.go +++ b/ec2-vuls-config.go 
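Review bot: `owner: ohswa0515` under `release.github` in the .goreleaser.yml hunk does not match the repository owner; every other reference in this series spells it `ohsawa0515` (the `go get` path, the fork link, the releases-page URL), so a goreleaser run would try to publish the archives to a different GitHub account than this repository, or fail outright if that owner does not exist. Change it to `owner: ohsawa0515`. While here, add the trailing newline the hunk flags as missing, and consider listing `LICENSE` alongside the two READMEs in `archive.files` so the license text ships with the binaries.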
@@ -13,7 +13,7 @@ func main() {
 app.Usage = "Generate Vuls config by filtering the Amazon EC2 information."
 app.Author = "Shuichi Ohsawa"
 app.Email = "ohsawa0515@gmail.com"
- app.Version = "0.0.1"
+ app.Version = "0.1.0"
 app.Flags = []cli.Flag{
 cli.StringFlag{