scribevulnpolicy

command
v0.0.0-...-69bc11b
Published: Jul 19, 2017 License: MPL-2.0 Imports: 8 Imported by: 0

README

scribevulnpolicy

scribevulnpolicy is a tool that can be used to generate scribe policies that perform vulnerability scans of a given target platform.

The tool integrates with clair, specifically with the database clair maintains, and uses it as the source of vulnerability data for various platforms. clair does an excellent job of keeping this database up to date from the various distributions; scribevulnpolicy queries it to create scan policies.

Quickstart

Get clair running

To get things up and running, first you will need a running instance of clair. clair is available as a docker image which can be used for this purpose.

Follow the instructions to get clair running with docker-compose.

Modify docker-compose configuration to expose database

Modify docker-compose.yml so the Postgres database used by clair is accessible to scribevulnpolicy. This can be done by just adding a new ports entry to docker-compose.yml for the postgres container.
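An added example, not taken from the scribevulnpolicy or clair repositories: a ports entry that publishes the database on the loopback address only, which matches the PGHOST=127.0.0.1 setting used in the next step. The service name postgres and host port 5432 are assumptions; use the names from your own docker-compose.yml.

```yaml
# Fragment of docker-compose.yml: only the "ports" key is added to the
# existing Postgres service. Service name "postgres" is an assumption.
services:
  postgres:
    ports:
      # Weak: a bare "HOST:CONTAINER" mapping publishes on every host
      # interface (0.0.0.0), so the database and its password are
      # reachable from other machines on the network.
      # - "5432:5432"

      # Preferred: "IP:HOST:CONTAINER" binds the published port to
      # loopback, so only processes on this host (such as
      # scribevulnpolicy with PGHOST=127.0.0.1) can connect.
      - "127.0.0.1:5432:5432"
```

After restarting the containers, `docker-compose ps` should list the mapping as 127.0.0.1:5432->5432/tcp rather than 0.0.0.0:5432->5432/tcp.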

Set environment variables

Set the required environment variables to access the Postgres instance.

export PGUSER=postgres
export PGPASSWORD=password
export PGHOST=127.0.0.1
export PGDATABASE=postgres

Generate policy

The list of available platforms can be determined by running scribevulnpolicy with the -V flag.

$ $GOPATH/bin/scribevulnpolicy -V
centos6
centos7

Not every platform for which clair maintains vulnerability data may be available in scribevulnpolicy; some require support to be added.

Finally, the policy can be generated.

$ $GOPATH/bin/scribevulnpolicy centos6 > centos6.json

This policy can then be run directly on the system using scribecmd, or through an integrated scanning tool such as mig, where it will return any identified vulnerabilities on the system.

Documentation

There is no documentation for this package.
