Devaudit - Open-Source, Cross-Platform, Multi-Purpose Safety Auditing Tool
Monday, September 23, 2019
Program Options
Docker Usage
DevAudit also ships as a Docker containerized app which allows users on Linux to run DevAudit without the need to install Mono and build from source. To pull the DevAudit Docker image from Docker Hub:
The current images are about 131 MB compressed. By default the image labelled
You must mount any directories on the Docker host machine that DevAudit needs to access on the DevAudit Docker container using the Docker -v option. If you mount your local root directory at a mount point named /hostroot on the Docker image then DevAudit can access files and directories on your local machine using the same local paths. For example:
will allow the DevAudit Docker container to audit the local directory /home/allisterb/vbot-debian/vbot.core. You must mount your local root in this way to audit other Docker containers from the DevAudit container, e.g.
will run a MySQL audit on a Docker container named
If you do not need to mount your entire root directory then you can mount only the directory needed for the audit. For example:
will mount read-only the
If you wish to use private key files on the local Docker host for an audit over SSH, you can mount the directory that contains the needed key file and then tell DevAudit to use that file path, e.g.
will mount the directory containing key files at /ssh and allow the DevAudit container to use them.
Note that it's currently not possible for the Docker container to audit operating system package sources like dpkg or rpm, or application servers like OpenSSH sshd, on the local Docker host without mounting your local root directory at
For running audits over SSH from the DevAudit container it is not necessary to mount the local root at
Troubleshooting
If you run into a bug or other issue with DevAudit there are a couple of things you can enable to help us resolve it:
Known Issues
You are now reading the article Devaudit - Open-Source, Cross-Platform, Multi-Purpose Safety Auditing Tool with the link address https://mederc.blogspot.com/2019/09/devaudit-open-source-cross-platform.html
DevAudit is an open-source, cross-platform, multi-purpose security auditing tool targeted at developers and teams adopting DevOps and DevSecOps that detects security vulnerabilities at multiple levels of the solution stack. DevAudit provides a wide array of auditing capabilities that automate security practices and the implementation of security auditing in the software development life-cycle. DevAudit can scan your operating system and application package dependencies, application and application server configurations, and application code for potential vulnerabilities, based on data aggregated by providers like OSS Index and Vulners from a wide array of sources and data feeds such as the National Vulnerability Database (NVD) CVE data feed, the Debian Security Advisories data feed, Drupal Security Advisories, and many others.
DevAudit helps developers address at least four of the OWASP Top 10 risks to web application development:
- A9 Using Components with Known Vulnerabilities
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A2 Broken Authentication and Session Management
As development progresses and its capabilities mature, DevAudit will be able to address the other risks on the OWASP Top 10 and CWE lists like Injection and XSS. With the focus on web, cloud and distributed multi-user applications, software development today is an increasingly complex affair, with security issues and potential vulnerabilities arising at all levels of the stack developers rely on to deliver applications. The goal of DevAudit is to provide a platform for automating the implementation of development security reviews and best practices at all levels of the solution stack, from library package dependencies to application and server configuration to source code.
Features
- Cross-platform with a Docker image also available. DevAudit runs on Windows and Linux, with *BSD, Mac and ARM Linux support planned. Only an up-to-date version of .NET or Mono is required to run DevAudit. A DevAudit Docker image can also be pulled from Docker Hub and run without the need to install Mono.
- CLI interface. DevAudit has a CLI interface with an option for non-interactive output and can be easily integrated into CI build pipelines or as post-build command-line tasks in developer IDEs. Work on integration of the core audit library into IDE GUIs has already begun with the Audit.Net Visual Studio extension.
- Continuously updated vulnerabilities data. DevAudit uses backend data providers like OSS Index and Vulners which provide continuously updated vulnerabilities data compiled from a wide range of security data feeds and sources such as the NVD CVE feeds, Drupal Security Advisories, and so on. Support for additional vulnerability and package data providers like vFeed and Libraries.io will be added.
- Audit operating system and development package dependencies. DevAudit audits Windows applications and packages installed via Windows MSI, Chocolatey, and OneGet, as well as Debian, Ubuntu, and CentOS Linux packages installed via Dpkg, RPM and YUM, for vulnerabilities reported for specific versions of the applications and packages. For development package dependencies and libraries DevAudit audits NuGet v2 dependencies for .NET, Yarn/NPM and Bower dependencies for nodejs, and Composer package dependencies for PHP. Support for other package managers for different languages is added regularly.
- Audit application server configurations. DevAudit audits the server version and the server configuration for the OpenSSH sshd, Apache httpd, MySQL/MariaDB, PostgreSQL, and Nginx servers, with many more coming. Configuration auditing is based on the Alpheus library and is done using full syntactic analysis of the server configuration files. Server configuration rules are stored in YAML text files and can be customized to the needs of developers. Support for many more servers and applications and types of analysis like database auditing is added regularly.
- Audit application configurations. DevAudit audits Microsoft ASP.NET applications and detects vulnerabilities present in the application configuration. Application configuration rules are stored in YAML text files and can be customized to the needs of developers. Application configuration auditing for applications like Drupal, WordPress and DNN CMS is coming.
- Audit application code by static analysis. DevAudit currently supports static analysis of .NET CIL bytecode. Analyzers reside in external script files and can be fully customized based on the needs of the developer. Support for C# source code analysis via Roslyn, PHP7 source code, and many more languages and external static code analysis tools is coming.
- Remote agentless auditing. DevAudit can connect to remote hosts via SSH, with identical auditing features available in remote environments as in local environments. Only a valid SSH login is required to audit remote hosts, and DevAudit running on Windows can connect to and audit Linux hosts over SSH. On Windows DevAudit can also remotely connect to and audit other Windows machines using WinRM.
- Agentless Docker container auditing. DevAudit can audit running Docker containers from the Docker host, with identical features available in container environments as in local environments.
- GitHub repository auditing. DevAudit can connect directly to a project repository hosted on GitHub and perform package source and application configuration auditing.
- PowerShell support. DevAudit can also be run inside the PowerShell system management environment as cmdlets. Work on PowerShell support is paused at present but will resume in the near future with support for cross-platform PowerShell on both Windows and Linux.
Requirements
DevAudit is a .NET 4.6 application. To install locally on your machine you will need either the Microsoft .NET Framework 4.6 runtime on Windows, or Mono 4.4+ on Linux. .NET 4.6 should already be installed on most recent versions of Windows; if not, it is available as a Windows feature that can be turned on or installed from the Programs and Features control panel applet on consumer Windows, or from the Add Roles and Features option in Server Manager on server versions of Windows. For older versions of Windows, the .NET 4.6 installer from Microsoft can be found here.
On Linux the minimum version of Mono supported is 4.4. Although DevAudit runs on Mono 4 (
To build from source on Windows you need the .NET Framework 4.6 SDK or developer pack and Visual Studio 2015. Clone the DevAudit repository from https://github.com/OSSIndex/DevAudit.git and run the build.cmd script in the root DevAudit directory. DevAudit should compile without any errors. Run ./devaudit --help and you should see the DevAudit version and help screen printed.
Installing from the release archive files on Windows or Linux
- Pre-requisites: You must have Mono 4.4+ on Linux or .NET 4.6 on Windows.
- Download the latest release archive file for Windows or Linux from the project releases page. Unpack this file to a directory.
- From the directory where you unpacked the release archive run devaudit --help on Windows or ./devaudit --help on Linux. You should see the version and help screen printed.
- (Optional) Add the DevAudit installation directory to your PATH environment variable.
Installing using the MSI Installer on Windows
The MSI installer for a release can be found on the GitHub releases page.
- Click on the releases link near the top of the page.
- Identify the release you would like to install.
- A "DevAudit.exe" link should be visible for each release that has a pre-built installer.
- Download the file and execute the installer. You will be guided through a simple installation.
- Open a new command prompt or PowerShell window in order to have DevAudit in your path.
- Run DevAudit.
Installing using Chocolatey on Windows
DevAudit is also available on Chocolatey.
- Install Chocolatey.
- Open an admin console or PowerShell window.
- Type choco install devaudit
- Run DevAudit.
Installing using Docker on Linux
Pull the DevAudit image from Docker Hub: docker pull ossindex/devaudit
The image tagged ossindex/devaudit:latest (which is the default image that is downloaded) is built from the most recent release, while ossindex/devaudit:unstable is built on the master branch of the source code and contains the newest additions, albeit with less testing.
Concepts
Audit Target
Represents a logical grouping of auditing functions. DevAudit currently supports the following audit targets:
- Package Source. A package source manages application and library dependencies using a package manager. Package managers install, remove or update applications and library dependencies for an operating system like Debian Linux, or for a development language or framework like .NET or nodejs. Examples of package sources are dpkg, yum, Chocolatey, Composer, and Bower. DevAudit audits the names and versions of installed packages against vulnerabilities reported for specific versions of those packages.
- Application. An application like Drupal or a custom application built using a framework like ASP.NET. DevAudit audits applications and application modules and plugins against vulnerabilities reported for specific versions of application binaries, modules and plugins. DevAudit can also audit application configurations for known vulnerabilities, and perform static analysis on application code looking for known weaknesses.
- Application Server. Application servers provide continuously running services or daemons, like a web or database server for other applications to use, or for users to access services like authentication. Examples of application servers are the OpenSSH sshd and Apache httpd servers. DevAudit can audit application server binaries, modules and plugins against vulnerabilities reported for specific versions, as well as audit server configurations for known server configuration vulnerabilities and weaknesses.
Audit Environment
Represents a logical environment where audits against audit targets are executed. Audit environments abstract the I/O and command executions required for an audit and allow identical functions to be performed against audit targets on whatever physical or network location the target's files and executables are located. The following environments are currently supported:
- Local. This is the default audit environment where audits are executed on the local machine.
- SSH. Audits are executed on a remote host connected over SSH. It is not necessary to have DevAudit installed on the remote host.
- WinRM. Audits are executed on a remote Windows host connected over WinRM. It is not necessary to have DevAudit installed on the remote host.
- Docker. Audits are executed on a running Docker container. It is not necessary to have DevAudit installed on the container image.
- GitHub. Audits are executed on a GitHub project repository's file-system directly. It is not necessary to check out or download the project locally to perform the audit.
Audit Options
These are different options that can be enabled for the audit. You can specify options that apply to the DevAudit program, for example to run in non-interactive mode, as well as options that apply to the target, e.g. if you set the AppDevMode option for auditing ASP.NET applications to true then certain audit rules will not be enabled.
Basic Usage
The CLI is the main interface to the DevAudit program and is suitable both for interactive use and for non-interactive use in scheduled tasks, shell scripts, CI build pipelines and post-build tasks in developer IDEs. The basic DevAudit CLI syntax is:
devaudit TARGET [ENVIRONMENT] | [OPTIONS]
where TARGET specifies the audit target, ENVIRONMENT specifies the audit environment and OPTIONS specifies the options for the audit target and environment. There are 2 ways to specify options: program options and general audit options that apply to more than one target can be specified directly on the command-line as parameters. Target-specific options can be specified with the -o option using the format -o OPTION1=VALUE1,OPTION2=VALUE2,... with commas delimiting each option key-value pair.
If you are piping or redirecting the program output to a file then you should always use the -n --non-interactive option to disable any interactive user interface features and animations.
When specifying file paths, an @ prefix before a path indicates to DevAudit that this path is relative to the root directory of the audit target, e.g. if you specify:
-r c:\myproject -b @bin\Debug\app2.exe
DevAudit considers the path to the binary file to be c:\myproject\bin\Debug\app2.exe.
Audit Targets
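As an added illustration (not code from the DevAudit project), the following Python helper applies the CLI syntax above from a CI job: it expands @-prefixed paths relative to the target root the way DevAudit does, encodes target options for -o, and always passes -n because the output is piped. The module and function names are assumptions, and run_audit assumes devaudit is on the PATH.

```python
"""Assumed CI helper for the devaudit CLI (not part of DevAudit itself)."""
import subprocess
from typing import List, Mapping, Optional, Sequence


def resolve_target_path(root: str, path: str, sep: str = "/") -> str:
    """Expand an '@'-prefixed path relative to the audit target's root directory.

    Mirrors the README rule: '-r c:\\myproject -b @bin\\Debug\\app2.exe' means the
    binary c:\\myproject\\bin\\Debug\\app2.exe. Paths without '@' are returned unchanged.
    """
    if not path.startswith("@"):
        return path
    rel = path[1:].lstrip("/\\")
    return root.rstrip("/\\") + sep + rel


def format_target_options(options: Mapping[str, str]) -> str:
    """Encode target-specific options in the comma-delimited -o KEY=VALUE,... form.

    Commas and '=' inside a key, or a comma inside a value, would be split by the
    parser into a different option, so refuse them instead of passing them on.
    """
    for key, value in options.items():
        if "," in key or "=" in key or "," in value:
            raise ValueError(f"option {key!r}={value!r} cannot be encoded for -o")
    return ",".join(f"{k}={v}" for k, v in options.items())


def build_devaudit_command(target: str, root: Optional[str] = None,
                           binary: Optional[str] = None, config: Optional[str] = None,
                           env_args: Sequence[str] = (),
                           target_options: Optional[Mapping[str, str]] = None,
                           skip_packages_audit: bool = False) -> List[str]:
    """Assemble 'devaudit TARGET [ENVIRONMENT] [OPTIONS]' as an argv list.

    env_args carries environment options such as ('-s', host, '-u', user) or
    ('-i', container). -n is always included because CI output is piped.
    """
    argv = ["devaudit", target, *env_args, "-n"]
    if root:
        argv += ["-r", root]
    if binary:
        argv += ["-b", binary]
    if config:
        argv += ["-c", config]
    if skip_packages_audit:
        argv.append("--skip-packages-audit")
    if target_options:
        argv += ["-o", format_target_options(target_options)]
    return argv


def run_audit(argv: Sequence[str], log_path: str) -> int:
    """Run the audit with output captured to log_path and return its exit status.

    Assumption: the CI step treats a non-zero status as a failed audit.
    """
    with open(log_path, "w", encoding="utf-8") as log:
        proc = subprocess.run(list(argv), stdout=log, stderr=subprocess.STDOUT, text=True)
    return proc.returncode


if __name__ == "__main__":
    cmd = build_devaudit_command("aspnet", root="/srv/site", binary="@bin/site.dll",
                                 target_options={"AppDevMode": "enabled"})
    print(" ".join(cmd))
    print(resolve_target_path("/srv/site", "@bin/site.dll"))
```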
Package Sources
- msi: Do a package audit of the Windows Installer MSI package source on Windows machines.
- choco: Do a package audit of packages installed by the Choco package manager.
- oneget: Do a package audit of the system OneGet package source on Windows.
- nuget: Do a package audit of a NuGet v2 package source. You must specify the location of the NuGet packages.config file you wish to audit using the -f or --file option, otherwise the current directory will be searched for this file.
- bower: Do a package audit of a Bower package source. You must specify the location of the Bower packages.json file you wish to audit using the -f or --file option, otherwise the current directory will be searched for this file.
- composer: Do a package audit of a Composer package source. You must specify the location of the Composer composer.json file you wish to audit using the -f or --file option, otherwise the current directory will be searched for this file.
- dpkg: Do a package audit of the system dpkg package source on Debian Linux and derivatives.
- rpm: Do a package audit of the system RPM package source on RedHat Linux and derivatives.
- yum: Do a package audit of the system Yum package source on RedHat Linux and derivatives.
- -f --file: Specify the location of the package manager configuration file if needed. The NuGet, Bower and Composer package sources require this option.
- --list-packages: Only list the packages in the package source scanned by DevAudit.
- --list-artifacts: Only list the artifacts found on OSS Index for packages scanned by DevAudit.
list-packages and list-artifacts options.
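What a package-source audit actually consumes, as an added example that is not DevAudit's own code: it extracts the (name, version) pairs from a constructed NuGet packages.config and a constructed composer.json, then checks the exactly pinned versions against a constructed advisory table. The package names and vulnerable ranges are invented for the example; DevAudit looks the pairs up on OSS Index or Vulners instead of a local table.

```python
"""Added illustration of package-manifest auditing (not DevAudit code)."""
import json
import xml.etree.ElementTree as ET

# Constructed NuGet v2 packages.config, the file the 'nuget' target needs via -f.
PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Example.Json" version="9.0.1" targetFramework="net46" />
  <package id="Example.Logger" version="2.3.0" targetFramework="net46" />
</packages>"""

# Constructed composer.json for the 'composer' target. Composer records version
# constraints rather than exact versions, so only exact pins compare directly.
COMPOSER_JSON = json.dumps({
    "require": {"php": ">=7.0", "example/http": "1.4.2", "example/orm": "^3.1"}
})

# Constructed advisories: lower-cased package name -> [(first_vulnerable, first_fixed)].
ADVISORIES = {
    "example.json": [((0,), (10, 0, 0))],      # everything below 10.0.0 (invented)
    "example/http": [((1, 0, 0), (1, 5, 0))],  # 1.0.0 <= v < 1.5.0 (invented)
}


def parse_packages_config(text):
    """Return [(id, version), ...] from a NuGet v2 packages.config document."""
    root = ET.fromstring(text)
    return [(p.get("id"), p.get("version")) for p in root.iter("package")
            if p.get("id") and p.get("version")]


def parse_composer_json(text):
    """Return [(name, constraint), ...] from the require and require-dev sections."""
    doc = json.loads(text)
    pairs = []
    for section in ("require", "require-dev"):
        pairs += list(doc.get(section, {}).items())
    return pairs


def parse_version(v):
    """Split '9.0.1' into (9, 0, 1); a leading 'v' is tolerated, pre-release tags dropped."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_exact_version(v):
    """True for a plain dotted version; False for ranges such as '^3.1' or '>=7.0'."""
    try:
        parse_version(v)
    except ValueError:
        return False
    return not any(c in v for c in "^~<>=* ")


def find_vulnerable(pairs):
    """Return (name, version, fixed_in) for each exactly pinned package in a bad range.

    Range constraints are skipped: the resolved version is unknown without the
    lock file, which is the precise input for a dependency audit.
    """
    hits = []
    for name, version in pairs:
        ranges = ADVISORIES.get(name.lower())
        if not ranges or not is_exact_version(version):
            continue
        pv = parse_version(version)
        for first_bad, first_fixed in ranges:
            if first_bad <= pv < first_fixed:
                hits.append((name, version, ".".join(map(str, first_fixed))))
    return hits


def audit_sample_manifests():
    """Run both constructed manifests through the check."""
    pairs = parse_packages_config(PACKAGES_CONFIG) + parse_composer_json(COMPOSER_JSON)
    return find_vulnerable(pairs)


if __name__ == "__main__":
    for name, version, fixed in audit_sample_manifests():
        print(f"{name} {version}: vulnerable, fixed in {fixed}")
```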
Applications
- aspnet: Do an application audit on an ASP.NET application. The relevant options are:
  -r --root-directory: Specify the root directory of the application. This is just the top-level application directory that contains files like Global.asax and Web.config.
  -b --application-binary: Specify the application binary. This is the .NET assembly that contains the application's .NET bytecode. This file is usually a .DLL and located in the bin sub-folder of the ASP.NET application root directory.
  -c --configuration-file or -o AppConfig=configuration-file: Specifies the ASP.NET application configuration file. This file is usually named Web.config and located in the application root directory. You can override the default @Web.config value with this option.
  -o AppDevMode=enabled: Specifies that application development mode should be enabled for the audit. This mode can be used when auditing an application that is under development. Certain configuration rules that are tagged as disabled for AppDevMode (e.g. running the application in ASP.NET debug mode) will not be enabled during the audit.
- netfx: Do an application audit on a .NET application. The relevant options are:
  -r --root-directory: Specify the root directory of the application. This is just the top-level application directory that contains files like App.config.
  -b --application-binary: Specify the application binary. This is the .NET assembly that contains the application's .NET bytecode. This file is usually a .DLL and located in the bin sub-folder of the ASP.NET application root directory.
  -c --configuration-file or -o AppConfig=configuration-file: Specifies the .NET application configuration file. This file is usually named App.config and located in the application root directory. You can override the default @App.config value with this option.
  -o GendarmeRules=RuleLibrary: Specifies that the Gendarme static analyzer should be enabled for the audit, using rules from the specified rules library. For example:
  devaudit netfx -r /home/allisterb/vbot-debian/vbot.core -b @bin/Debug/vbot.core.dll --skip-packages-audit -o GendarmeRules=Gendarme.Rules.Naming
  will run the Gendarme static analyzer on the vbot.core.dll assembly using rules from the Gendarme.Rules.Naming library. The complete list of rules libraries is (taken from the Gendarme wiki):
- Gendarme.Rules.BadPractice
- Gendarme.Rules.Concurrency
- Gendarme.Rules.Correctness
- Gendarme.Rules.Design
- Gendarme.Rules.Design.Generic
- Gendarme.Rules.Design.Linq
- Gendarme.Rules.Exceptions
- Gendarme.Rules.Gendarme
- Gendarme.Rules.Globalization
- Gendarme.Rules.Interoperability
- Gendarme.Rules.Interoperability.Com
- Gendarme.Rules.Maintainability
- Gendarme.Rules.NUnit
- Gendarme.Rules.Naming
- Gendarme.Rules.Performance
- Gendarme.Rules.Portability
- Gendarme.Rules.Security
- Gendarme.Rules.Security.Cas
- Gendarme.Rules.Serialization
- Gendarme.Rules.Smells
- Gendarme.Rules.Ui
- drupal7: Do an application audit on a Drupal 7 application.
  -r --root-directory: Specify the root directory of the application. This is just the top-level directory of your Drupal 7 install.
- drupal8: Do an application audit on a Drupal 8 application.
  -r --root-directory: Specify the root directory of the application. This is just the top-level directory of your Drupal 8 install.
- --list-packages: Only list the application plugins or modules scanned by DevAudit.
- --list-artifacts: Only list the artifacts found on OSS Index for application plugins and modules scanned by DevAudit.
- --skip-packages-audit: Only do an application configuration or code analysis audit and skip the packages audit.
Application Servers
- sshd: Do an application server audit on an OpenSSH sshd-compatible server.
- httpd: Do an application server audit on an Apache httpd-compatible server.
- mysql: Do an application server audit on a MySQL-compatible server (like MariaDB or Oracle MySQL).
- nginx: Do an application server audit on a Nginx server.
- pgsql: Do an application server audit on a PostgreSQL server.
For example:
./devaudit httpd -i httpd-2.2 -r /usr/local/apache2/ -c @conf/httpd.conf -b @bin/httpd
audits an Apache httpd server running on a Docker container named httpd-2.2.
The following are audit options common to all application servers:
- -r --root-directory: Specifies the root directory of the server. This is just the top level of your server filesystem and defaults to / unless you want a different server root.
- -c --configuration-file: Specifies the server configuration file, e.g. in the above audit the Apache configuration file is located at /usr/local/apache2/conf/httpd.conf. If you don't specify the configuration file DevAudit will try to auto-detect the configuration file for the server selected.
- -b --application-binary: Specifies the server binary, e.g. in the above audit the Apache binary is located at /usr/local/apache2/bin/httpd. If you don't specify the binary path DevAudit will try to auto-detect the server binary for the server selected.
- --list-packages: Only list the application plugins or modules scanned by DevAudit.
- --list-artifacts: Only list the artifacts found on OSS Index for application plugins and modules scanned by DevAudit.
- --skip-packages-audit: Only do a server configuration audit and skip the packages audit.
Environments
There are currently five audit environments supported: local, remote hosts over SSH, remote hosts over WinRM, Docker containers, and GitHub. Local environments are used by default when no other environment options are specified.
SSH
The SSH environment allows audits to be performed on any remote host accessible over SSH without requiring DevAudit to be installed on the remote host. SSH environments are cross-platform: you can connect to a Linux remote host from a Windows machine running DevAudit. An SSH environment is created by the following options:
-s SERVER [--ssh-port PORT] -u USER [-k KEYFILE] [-p | --password-text PASSWORD]
- -s SERVER: Specifies the remote host or IP to connect to via SSH.
- -u USER: Specifies the user to login to the server with.
- --ssh-port PORT: Specifies the port on the remote host to connect to. The default is 22.
- -k KEYFILE: Specifies the OpenSSH compatible private key file to use to connect to the remote server. Currently only RSA or DSA keys in files in the PEM format are supported.
- -p: Provide a prompt with local echo disabled for interactive entry of the server password or key file passphrase.
- --password-text PASSWORD: Specify the user password or key file passphrase as plaintext on the command-line. Note that on Linux when your password contains special characters you should enclose the text on the command-line in single quotes, like 'MyPa<ss', to avoid the shell interpreting the special characters. A password given this way is visible in the process list and shell history, so prefer -p or a key file for scheduled runs.
WinRM
The WinRM environment allows audits to be performed on any remote Windows host accessible over WinRM without requiring DevAudit to be installed on the remote host. WinRM environments are currently only available on Windows machines running DevAudit. A WinRM environment is created by the following options:
-w IP -u USER [-p | --password-text PASSWORD]
-w IP
Specifies the remote IP to connect to via WinRM.
-u USER
Specifies the user to log in to the server with.
-p
Provide a prompt with local echo disabled for interactive entry of the server password or key file passphrase.
--password-text PASSWORD
Specify the server password or key file passphrase as plaintext on the command line.
Docker
This section discusses how to audit Docker containers using DevAudit installed on the local machine. For running DevAudit as a containerized Docker app, see the Docker Usage section below.
A Docker audit environment is specified by the following option:
-i CONTAINER_NAME | -i CONTAINER_ID
CONTAINER_(NAME|ID)
Specifies the name or id of a running Docker container to connect to. The container must already be running, as DevAudit does not know how to start a container with the name or the state you require.
GitHub
The GitHub audit environment allows audits to be performed directly on a GitHub project repository. A GitHub environment is created by the -g option:
-g "Owner=OWNER,Name=NAME,Branch=BRANCH"
OWNER
Specifies the owner of the project.
NAME
Specifies the name of the project.
BRANCH
Specifies the branch of the project to connect to.
You can use the -r, -c, and -f options as usual to specify the paths to the files and directories required for the audit, e.g. the following command:
devaudit aspnet -g "Owner=Dnnsoftware,Name=Dnn.Platform,Branch=Release/9.0.2" -r /Website -c @web.config
will do an ASP.NET audit on the repository https://github.com/dnnsoftware/Dnn.Platform/ using the /Website source folder as the root directory and the web.config file as the ASP.NET configuration file. Note that filenames are case-sensitive in most environments.
Program Options
-n --non-interactive
Run DevAudit in non-interactive mode with all interactive features and animations of the CLI disabled. This mode is necessary for running DevAudit in shell scripts, for instance; otherwise errors will occur when DevAudit attempts to use interactive console features.
-d --debug
Run DevAudit in debug mode. This will print a variety of informational and diagnostic messages. This mode is used for troubleshooting DevAudit errors and bugs.
Docker Usage
DevAudit also ships as a containerized Docker app, which allows users on Linux to run DevAudit without the need to install Mono and build from source. To pull the DevAudit Docker image from Docker Hub:
docker pull ossindex/devaudit[:label]
The current images are about 131 MB compressed. By default the image labelled latest is pulled, which is the most recent release of the program. An unstable image is also available which tracks the master branch of the source code. To run DevAudit as a containerized app:
docker run -i -t ossindex/devaudit TARGET [ENVIRONMENT] | [OPTIONS]
The -i and -t Docker options are necessary for running DevAudit interactively. If you don't specify these options then you must run DevAudit in non-interactive mode by using the DevAudit option -n.
You must mount any directories on the Docker host machine that DevAudit needs to access into the DevAudit Docker container using the Docker -v option. If you mount your local root directory at a mount point named /hostroot in the container, then DevAudit can access files and directories on your local machine using the same local paths. For example:
docker run -i -t -v /:/hostroot:ro ossindex/devaudit netfx -r /home/allisterb/vbot-debian/vbot.core
will allow the DevAudit Docker container to audit the local directory /home/allisterb/vbot-debian/vbot.core. You must mount your local root in this way to audit other Docker containers from the DevAudit container, e.g.
docker run -i -t -v /:/hostroot:ro ossindex/devaudit mysql -i myapp1 -r / -c /etc/my.cnf --skip-packages-audit
will run a MySQL audit on a Docker container named myapp1 from the ossindex/devaudit container.
If you do not need to mount your entire root directory then you can mount only the directory needed for the audit. For example:
docker run -i -t -v /home/allisterb/vbot-debian/vbot.core:/vbot:ro ossindex/devaudit netfx -r /vbot -b @bin/Debug/vbot.core.dll
will mount the /home/allisterb/vbot-debian/vbot.core directory read-only as /vbot in the DevAudit container, which allows DevAudit to use it as the audit root directory for a netfx application audit at /vbot.
If you wish to use private key files on the local Docker host for an audit over SSH, you can mount the directory that contains the needed key file and then tell DevAudit to use that file path, e.g.
docker run -i -t -v /home/allisterb/.ssh:/ssh:ro ossindex/devaudit dpkg -s localhost -u allisterb -p -k /ssh/mykey.key
will mount the directory containing the key files at /ssh and allow the DevAudit container to use them.
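As an added example that is not part of the DevAudit project or this page, the POSIX shell helper below assembles a docker run command line for the ossindex/devaudit image following the rules of this section: it mounts only the audit directory, read-only, adds -i -t for an interactive run and DevAudit's -n otherwise, and refuses --password-text in favour of the -p prompt. The /audit mount point and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the DevAudit project: build the `docker run` line for
# the ossindex/devaudit image so that it follows the usage rules above.
#  - the audit directory is mounted read-only at /audit (a mount point chosen for
#    this example; DevAudit does not require that name) and passed with -r /audit
#  - -i -t are used only for an interactive run; otherwise DevAudit's -n is added,
#    which the docs require when no terminal is attached (shell scripts, CI)
#  - --password-text is refused so a secret never lands in shell history; use -p

# devaudit_docker_cmd yes|no HOST_DIR TARGET [DevAudit options...]
# Prints the command line; returns 1 on a rejected argument.
devaudit_docker_cmd() {
  interactive=$1
  host_dir=$2
  target=$3
  shift 3
  case $host_dir in
    /*) ;;
    *) echo "host directory must be an absolute path: $host_dir" >&2; return 1 ;;
  esac
  for arg in "$@"; do
    if [ "$arg" = "--password-text" ]; then
      echo "refusing --password-text; use -p to be prompted instead" >&2
      return 1
    fi
  done
  if [ "$interactive" = yes ]; then
    docker_flags="-i -t"
    devaudit_flags=""
  else
    docker_flags=""
    devaudit_flags="-n"
  fi
  extra="$*"
  # ${var:+ $var} inserts a leading space only when the variable is non-empty
  printf 'docker run%s -v %s:/audit:ro ossindex/devaudit %s%s -r /audit%s\n' \
    "${docker_flags:+ $docker_flags}" "$host_dir" "$target" \
    "${devaudit_flags:+ $devaudit_flags}" "${extra:+ $extra}"
}

# Convenience wrapper: choose the mode from whether stdin and stdout are a
# terminal, then print the command so it can be reviewed before it is run.
devaudit_docker() {
  if [ -t 0 ] && [ -t 1 ]; then mode=yes; else mode=no; fi
  devaudit_docker_cmd "$mode" "$@"
}
```

The helper only prints the command, so paths containing spaces can be checked before it is run; for dpkg, rpm or server audits of the Docker host itself, the whole root must instead be mounted at /hostroot as the note that follows explains.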
Note that it's currently not possible for the Docker container to audit operating system package sources like dpkg or rpm, or application servers like OpenSSH sshd, on the local Docker host without mounting your local root directory at /hostroot as described above. DevAudit must chroot into your local root directory from the Docker container when running executables like dpkg or server binaries like sshd and httpd. You must also mount your local root as described above to audit other Docker containers from the DevAudit container, as DevAudit also needs to chroot into your local root to execute local Docker commands to communicate with your other containers. For running audits over SSH from the DevAudit container it is not necessary to mount the local root at /hostroot.
Troubleshooting
If you run into a bug or other issue with DevAudit there are a couple of things you can enable to help us resolve it:
- Use the -d option to enable debugging output. Diagnostic information will be emitted during the audit run.
- On Linux use the DEVAUDIT_TRACE variable to enable tracing of program execution. The value of this variable must be in the format for Mono tracing, e.g. you can set DEVAUDIT_TRACE=N:DevAudit.AuditLibrary to trace all the calls made to the audit library during an audit.
Known Issues
- On Windows you must use the -n --non-interactive program option when piping or redirecting program output to a file, otherwise a crash will result. This behaviour may be changed in the future to make non-interactive mode the default.
- There appears to be an issue using the Windows console app ConEmu and the Cygwin builds of the OpenSSH client when SSHing into remote Linux hosts to run Mono apps. If you run DevAudit this way you may sometimes notice strange sequences appearing at the end of console output. You may also have problems during keyboard interactive entry, like entering passwords for SSH audits, where the wrong password appears to be sent. If you are having problems entering passwords for SSH audits using ConEmu when working remotely, try holding the backspace key for a minute or two to clear the input buffer before entering your password.
You are now reading the article Devaudit - Open-Source, Cross-Platform, Multi-Purpose Safety Auditing Tool with the link address https://mederc.blogspot.com/2019/09/devaudit-open-source-cross-platform.html