
# Notes on Linux Vulnerability Patching

Recently Bin told me that a customer had asked whether EPM can detect and remediate vulnerabilities on Linux servers, and asked me to look into it 🙂

Honestly, all I knew was that EPM ships vulnerability detection definitions for four Linux distributions (Red Hat, CentOS, SUSE and Ubuntu) and also offers remediation, but I had never tested it. This was a good opportunity to try it out.

# Environment

| Operating system | IP address | Installed services | Notes |
|---|---|---|---|
| Windows Server 2019 | 192.168.80.203 | EPM | Core server |
| CentOS 7 | 192.168.80.200 | nginx, createrepo | Test client; also serves the yum repository |
| CentOS Stream 8 | 192.168.80.135 | EPM Agent | Test client |

The Linux versions under test are CentOS 7 and CentOS 8 Stream; the CentOS 7 host doubles as the local repository mirror.

# Setting Up the Local Repository

# Installing the Web Server

First log in to the CentOS 7 host, install nginx to serve the packages over HTTP, and enable it at boot:

  1. yum install nginx -y
  2. systemctl start nginx
  3. systemctl enable nginx


# Creating the Package Directories

Change to nginx's web root and create the package directories for each Linux version:

  1. cd /usr/share/nginx/html/
  2. mkdir -p centos/7/{os,extras,updates,centosplus}/x86_64/Packages/
  3. mkdir -p centos/Packages/8-stream/{BaseOS,extras,centosplus,PowerTools,AppStream}/x86_64/os/Packages/


# Syncing the Mirror

Sync from a public domestic yum mirror with rsync. The commands can be put into a script and run from a scheduled job so the mirror refreshes automatically.

First, a sync script for the CentOS 7 repositories:

  1. vi sync_centos7.sh

```bash
#!/bin/bash
OS=centos/7/os/x86_64/Packages/
EXTRAS=centos/7/extras/x86_64/Packages/
UPDATES=centos/7/updates/x86_64/Packages/
CENTOSPLUS=centos/7/centosplus/x86_64/Packages/
URL=mirrors.tuna.tsinghua.edu.cn
LOCALPATH=/usr/share/nginx/html
# Fallback mirrors:
#		mirrors.ustc.edu.cn
#		mirrors.kernel.org
#		mirrors.neusoft.edu.cn
rsync -avz rsync://$URL/$OS $LOCALPATH/$OS
rsync -avz rsync://$URL/$EXTRAS $LOCALPATH/$EXTRAS
rsync -avz rsync://$URL/$UPDATES $LOCALPATH/$UPDATES
rsync -avz rsync://$URL/$CENTOSPLUS $LOCALPATH/$CENTOSPLUS
```

  2. chmod +x ./sync_centos7.sh # make the script executable
  3. ./sync_centos7.sh # run the script to start syncing

Make sure the disk has enough space, then settle in for a long wait...


After the long wait it finally finished: the directory came to 39 GB and 14662 files.


Then write a second sync script for the CentOS 8 Stream repositories and run it (the original script had no shebang and dropped the `$` on the AppStream destination, `$LOCALPATH/APPSTREAM`; both are fixed here):

  1. vi sync_centos8.sh

```bash
#!/bin/bash
OS=centos/Packages/8-stream/BaseOS/x86_64/os/
EXTRAS=centos/Packages/8-stream/extras/x86_64/os/
CENTOSPLUS=centos/Packages/8-stream/centosplus/x86_64/os/
POWERTOOLS=centos/Packages/8-stream/PowerTools/x86_64/os/
APPSTREAM=centos/Packages/8-stream/AppStream/x86_64/os/
URL=mirrors.tuna.tsinghua.edu.cn
LOCALPATH=/usr/share/nginx/html
# Fallback mirrors:
#               mirrors.ustc.edu.cn
#               mirrors.kernel.org
#               mirrors.neusoft.edu.cn
rsync -avz rsync://$URL/centos/8-stream/BaseOS/x86_64/os/ $LOCALPATH/$OS
rsync -avz rsync://$URL/centos/8-stream/extras/x86_64/os/ $LOCALPATH/$EXTRAS
rsync -avz rsync://$URL/centos/8-stream/centosplus/x86_64/os/ $LOCALPATH/$CENTOSPLUS
rsync -avz rsync://$URL/centos/8-stream/PowerTools/x86_64/os/ $LOCALPATH/$POWERTOOLS
rsync -avz rsync://$URL/centos/8-stream/AppStream/x86_64/os/ $LOCALPATH/$APPSTREAM
```

  2. chmod +x ./sync_centos8.sh # make the script executable
  3. ./sync_centos8.sh # run the script to start syncing

Wait for the sync to finish.

# Generating the Repository Metadata

Once all packages are synced locally, use createrepo to generate the yum repository metadata: the file index, dependency information and so on.

First install createrepo:

  • yum install createrepo -y

Generate the repository metadata for each directory:

  • createrepo /usr/share/nginx/html/centos/7/os/x86_64/Packages/
  • createrepo /usr/share/nginx/html/centos/7/extras/x86_64/Packages/
  • createrepo /usr/share/nginx/html/centos/7/updates/x86_64/Packages/
  • createrepo /usr/share/nginx/html/centos/7/centosplus/x86_64/Packages/
  • createrepo /usr/share/nginx/html/centos/Packages/8-stream/BaseOS/x86_64/os/Packages/
  • createrepo /usr/share/nginx/html/centos/Packages/8-stream/extras/x86_64/os/Packages/
  • createrepo /usr/share/nginx/html/centos/Packages/8-stream/centosplus/x86_64/os/Packages/
  • createrepo /usr/share/nginx/html/centos/Packages/8-stream/PowerTools/x86_64/os/Packages/
  • createrepo /usr/share/nginx/html/centos/Packages/8-stream/AppStream/x86_64/os/Packages/


# nginx Configuration

With the local yum repository populated, enable directory listing on the web server:

  • vi /etc/nginx/nginx.conf

Add `autoindex on;` to the configuration.


Restart the nginx service after the change, then verify in a browser that the directories can be browsed.


# Switching to the Local Repository

Change the yum configuration to point at the local repository. Note that both configurations below set `gpgcheck=0`, so the clients install whatever the mirror serves without verifying package signatures; the integrity of the mirror host then stands in for the signatures.

# CentOS 7

  1. vi /etc/yum.repos.d/CentOS-Base.repo

```ini
[base]
name=CentOS-$releasever - Base
baseurl=http://192.168.80.200/centos/$releasever/os/$basearch/
enabled=1
gpgcheck=0
#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=http://192.168.80.200/centos/$releasever/updates/$basearch/
enabled=1
gpgcheck=0
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=http://192.168.80.200/centos/$releasever/extras/$basearch/
enabled=1
gpgcheck=0
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=http://192.168.80.200/centos/$releasever/centosplus/$basearch/
enabled=1
gpgcheck=0
```

  2. yum repolist # list the repositories

yum expects `repodata/` directly beneath each `baseurl`, so every `baseurl` must point at the directory createrepo was run on.

  3. Refresh the local cache:

  • yum clean all && yum makecache
# CentOS 8 Stream

  1. vi /etc/yum.repos.d/CentOS-Base.repo

The original file used `enable=1` in three sections and `gpgkey=0` in the AppStream section; yum does not recognise either key, so they are corrected to `enabled=1` and `gpgcheck=0` below.

```ini
[base]
name=CentOS-8-stream - Base - 192.168.80.200
baseurl=http://192.168.80.200/centos/Packages/8-stream/BaseOS/$basearch/os/Packages/
enabled=1
gpgcheck=0
#additional packages that may be useful
[extras]
name=CentOS-8-stream - Extras - 192.168.80.200
baseurl=http://192.168.80.200/centos/Packages/8-stream/extras/$basearch/os/Packages/
enabled=1
gpgcheck=0
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-8-stream - Plus - 192.168.80.200
baseurl=http://192.168.80.200/centos/Packages/8-stream/centosplus/$basearch/os/Packages/
gpgcheck=0
enabled=1
[PowerTools]
name=CentOS-8-stream - PowerTools - 192.168.80.200
baseurl=http://192.168.80.200/centos/Packages/8-stream/PowerTools/$basearch/os/Packages/
gpgcheck=0
enabled=1
[AppStream]
name=CentOS-8-stream - AppStream - 192.168.80.200
baseurl=http://192.168.80.200/centos/Packages/8-stream/AppStream/$basearch/os/Packages/
enabled=1
gpgcheck=0
```

  2. Refresh the local cache:

  • yum clean all && yum makecache

# EPM Patch Remediation Test

With local repositories for both CentOS 7 and CentOS 8 Stream in place, the next step is to test vulnerability detection and remediation from the EPM server.

First create a security scan task in the EPM console, drag the Linux devices into the task and run a vulnerability scan.


Looking at the detected patches afterwards revealed something rather embarrassing: EPM turns out not to support vulnerability detection for CentOS 8 Stream at all, although CentOS 7 works fine 😅

To test patching on CentOS 7, I deliberately installed an old dovecot package from the original installation ISO. I then looked up the dovecot update package under EPM's Security and Patch information, created a remediation task and pushed it to the client. After the task completed successfully, I checked the dovecot package again and it had been updated to the expected version.

# Gripes

One fairly serious problem surfaced in this test: the remediation task reports success no matter what. The system logs show why. The EPM remediation task only has the client download and install from the repository, then runs another vulnerability scan, and the status the task receives appears to be the return code of that scan command.

Administrators need to be aware of this: the task status alone cannot tell you whether a patch was actually applied. Check the client's patch information instead, specifically the list of missing patches; a patch that was applied successfully no longer appears there.

In testing, the client only fails to patch when the package is absent from the repository or has not been indexed. If a remediation task reports success but the client's package was not updated, check whether the update package exists in the repository and, if it does, try regenerating the yum repository metadata.
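The two failure modes just described (package not in the repository, or present but not indexed) can be told apart on the mirror host without touching a client. The script below is an added example, not part of the original post or of EPM; it assumes the layout built above, where the RPMs and the `repodata/` that createrepo produced share one directory, and that the primary metadata is gzip-compressed as createrepo on CentOS 7 produces it. The `SAMPLE_*` values are constructed test data, not real mirror contents.

```python
"""Check whether a package is present AND indexed in the local yum mirror.
Added example, not from the post; assumes RPMs and createrepo's repodata/ share a dir."""
import gzip, os, sys
import xml.etree.ElementTree as ET

COMMON = {"c": "http://linux.duke.edu/metadata/common"}
REPO = {"r": "http://linux.duke.edu/metadata/repo"}
# Constructed sample input (not real mirror data): two RPMs on disk, only one indexed.
SAMPLE_FILES = ["dovecot-2.2.36-8.el7.x86_64.rpm",
                "dovecot-pigeonhole-2.2.36-8.el7.x86_64.rpm", "repodata"]
SAMPLE_PRIMARY = b"""<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
  <package type="rpm"><name>dovecot</name><arch>x86_64</arch>
    <version epoch="0" ver="2.2.36" rel="8.el7"/></package>
</metadata>"""

def rpm_name(filename):
    """'dovecot-2.2.36-8.el7.x86_64.rpm' -> 'dovecot' (name-version-release.arch.rpm)."""
    return filename.rsplit("-", 2)[0]

def indexed_versions(primary_xml):
    """Return {name: {'version-release', ...}} for every package listed in primary.xml."""
    found = {}
    for pkg in ET.fromstring(primary_xml).findall("c:package", COMMON):
        ver = pkg.find("c:version", COMMON)
        name = pkg.findtext("c:name", namespaces=COMMON)
        found.setdefault(name, set()).add("%s-%s" % (ver.get("ver"), ver.get("rel")))
    return found

def diagnose(name, rpm_files, primary_xml):
    """'missing': no RPM of that name on disk (sync incomplete);
    'not-indexed': RPM present but absent from repodata (re-run createrepo);
    'ok': the mirror can serve it, so the problem is on the client side."""
    if not any(rpm_name(f) == name for f in rpm_files if f.endswith(".rpm")):
        return "missing"
    if name not in indexed_versions(primary_xml):
        return "not-indexed"
    return "ok"

def load_primary(repo_dir):
    """Follow repodata/repomd.xml to the primary metadata and return it decompressed."""
    md = ET.parse(os.path.join(repo_dir, "repodata", "repomd.xml")).getroot()
    for data in md.findall("r:data", REPO):
        if data.get("type") == "primary":
            with gzip.open(os.path.join(repo_dir, data.find("r:location", REPO).get("href"))) as fh:
                return fh.read()
    raise SystemExit("repomd.xml lists no primary metadata; run createrepo first")

if __name__ == "__main__":  # usage: check_repo.py <dir createrepo was run on> <package>
    repo_dir, pkg = sys.argv[1], sys.argv[2]
    print(pkg, diagnose(pkg, os.listdir(repo_dir), load_primary(repo_dir)))
```

A result of `not-indexed` is the case the last paragraph points at: the RPM was synced after the last createrepo run, so `createrepo --update` on that directory followed by `yum clean all` on the client is the fix.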