Red-Detector : Scan Your EC2 Instance To Find Its Vulnerabilities Using Vuls.io

Red-Detector is a tool to Scan your EC2 instance to find its vulnerabilities using Vuls (https://vuls.io/en/).

Audit your EC2 instance to find security misconfigurations using Lynis (https://cisofy.com/solutions/#lynis).

Scan your EC2 instance for signs of a rootkit using Chkrootkit (http://www.chkrootkit.org/).

Requirements

• Configured AWS account with the EC2 actions mentioned below. The policy containing these requirements can be found in red-detector-policy.json.

Actions details:

Required action premission	Why it is required
“AttachVolume”	Enables attaching the volume with the taken snapshot to the EC2 instance that is being used for the vulnerabilities scan.
“AuthorizeSecurityGroupIngress”	Enables attaching security group to the EC2 instance. Contains IP premmisions to ssh port and a random port generated for the scan UI access.
“DescribeInstances”	Enables access to the clients EC2 instances details.
“CreateKeyPair”	Enables the creation of a key pair that is being used as the key of the EC2 instance.
“CreateTags”	Enabled the creation of Tags on the Volume and Snapshot.
“DescribeRegions”	Enables access to the clients active regions to enable the user select the relevant one for the scan.
“RunInstances”	Enables the creation of an EC2 instance under the users client.
“ReportInstanceStatus”	Enables getting the current status of the created EC2 instance to make sure it is running.
“DescribeSnapshots”	Enables getting the current status of the taken snapshot to make sure it is available.
“DescribeImages”	Enables querying AMI’s to get the latest Ubuntu AMI.
“DescribeVolumeStatus”	Enables getting the current status of the volume being created.
“DescribeVolumes”	Enables getting details about a volume.
“CreateVolume”	Enables the creation of a volume, in order to attach it the taken snapshot and attach it to the EC2 instance used for the vulnerabilities scan.
“DescribeAvailabilityZones”	Enables access to the clients active availability zones to select one for the created volume that is being attach to the EC2 instance.
“DescribeVpcs”	Enables getting the clients default vpc. Used for the EC2s security group generation.
“CreateSecurityGroup”	Enables the creation of a security group that is being attached to the EC2 instance.
“CreateSnapshot”	Enables taking a snapshot. Used to take a snapshot of the chosen EC2 instance.
“DeleteSnapshot”	Enables deleting the stale snapshot was created during the process

• Running EC2 instance – Make sure you know the region and instance id of the EC2 instance you would like to scan. Supported versions:
  • Ubuntu: 14, 16, 18, 19, 20
  • Debian: 6, 8, 9
  • Redhat: 7, 8
  • Suse: 12
  • Amazon: 2
  • Oracle: 8

Installation

sudo git clone https://github.com/lightspin-tech/red-detector.git
pip3 install -r requirements.txt

Usage

Interactive

python3 main.py

Command arguments

usage: main.py [-h] [–region REGION] [–instance-id INSTANCE_ID] [–keypair KEYPAIR] [–log-level LOG_LEVEL]
optional arguments:
-h, –help show this help message and exit
–region REGION region name
–instance-id INSTANCE_ID EC2 instance id
–keypair KEYPAIR existing key pair name
–log-level LOG_LEVEL log level

Flow

• Run main.py.
• Region selection: use default region (us-east-1) or select a region. Notice that if the selected region does not contain any EC2 instances you will be asked to choose another region.
• EC2 inatance-id selection: you will get a list of all EC2 instances ids under your selected region and you will be asked to choose the inatance you would like to scan. Make sure to choose a valide answer (the number left to the desired id).
• Track the process progress… It takes about 30 minutes.
• Get a link to your report!

Troubleshooting

verbouse logging

python3 main.py –log-level DEBUG

scanners databases update process

• connect to the EC2 instance created ssh ubuntu@PUBLICIP -i KEYPAIR.pem
• watch the progress tail /var/log/user-data.log