
VulnIQ

VulnIQ Security Analyzer, code named terzi

VulnIQ security analyzer is one of the key components of the VulnIQ solution and is included at no additional cost. terzi can collect system information and run authenticated vulnerability scans on endpoints.

The VulnIQ information engine acts as a hub for the data needed to perform security analysis. terzi pulls that data from the engine through the VulnIQ engine APIs, so it can report vulnerabilities quickly and accurately without carrying a local copy of the feeds.

How it works

  1. Collects the list of installed software on the endpoint
  2. Uses VulnIQ APIs to determine which vulnerabilities affect each piece of software, based on the installed versions
  3. Uses VulnIQ APIs to fetch the data needed to verify each candidate vulnerability
  4. Executes verification actions, for example evaluates the OVAL definitions for those vulnerabilities against the endpoint
  5. Reports the vulnerabilities that the verification step confirmed, rather than every version match

Modes of operation

  • Command line tool: Run terzi from the command line to collect system information, get a list of vulnerabilities affecting the system, execute an OVAL definition or an individual test.
  • Agent: Run terzi in agent mode and it will continuously collect data and push collected data to a central VulnIQ server.

Features

Lightweight
Most open source "vulnerability scanners" download large data sets (NVD feeds, vendor feeds and so on) to every endpoint: they fetch the entire NVD data set and process it on the endpoint to build a queryable database.
terzi does not download unnecessary data to endpoints. It uses the VulnIQ engine APIs to fetch only the data relevant to the software found on that host, so it consumes fewer resources than those alternatives.
Docker Support
terzi supports collecting data from running docker containers without installing anything in the containers themselves. Just run it on the host machine and pass the container name.
If you have 20 containers running on a host, you can scan all of them by running terzi on the host.
OVAL interpreter
terzi includes a fully featured OVAL (Open Vulnerability and Assessment Language) interpreter.
Several vendors, such as Red Hat, Debian and Canonical, publish OVAL definitions that test the installed package versions against the exact versions that fix each CVE, which is what lets them determine vulnerabilities with 100% accuracy: the result is only as precise as the vendor's definition, but it is never a guess based on a version string alone.
Using vendor-supplied OVAL definitions, you can get accurate scan results at no additional cost.

Case Study: Checking if an Ubuntu System is affected by a CVE with 100% accuracy

Canonical publishes OVAL definitions for all CVEs affecting Ubuntu systems. You can download the definitions file for your version of Ubuntu and run the checks at no additional cost.

In this example we want to check if a docker container running Ubuntu 18.04 (bionic) is vulnerable to CVE-2018-6954.
First we download OVAL definitions for Ubuntu bionic and find the OVAL definition for CVE-2018-6954, which is oval:com.ubuntu.bionic:def:201869540000000.

Instead of running a full scan we can evaluate only this definition using the oval.sh script shipped in the bin folder of Terzi. The -t Docker and -n options select the target container, -f points at the downloaded definitions file and -o names the single definition to evaluate:

#bin/oval.sh -t Docker -n container_name -f ~/Downloads/com.ubuntu.bionic.cve.oval.xml -o oval:com.ubuntu.bionic:def:201869540000000

Running this command generates the output below. By default, oval.sh produces verbose plain text that traces every definition, criterion, test, object and state it evaluates; you can reduce the verbosity with an option or switch to JSON output if you prefer.

OVALDefinitions Loading definitions
OVALDefinitions Finished loading definitions
Definition oval:com.ubuntu.bionic:def:201869540000000 Starting to evaluate definition
Definition oval:com.ubuntu.bionic:def:201869540000000 Loaded definition - name CVE-2018-6954 on Ubuntu 18.04 LTS (bionic) - medium. - class VULNERABILITY
Criteria Starting to evaluate criteria
ExtendedDefinition oval:com.ubuntu.bionic:def:100 Found child extended definition
Definition oval:com.ubuntu.bionic:def:100 Starting to evaluate definition
Definition oval:com.ubuntu.bionic:def:100 Loaded definition - name Check that Ubuntu 18.04 LTS (bionic) is installed. - class INVENTORY
Criteria Starting to evaluate criteria
Criteria Found child criterion - commentForChild The host is part of the unix family.
Test oval:com.ubuntu.bionic:tst:100 Starting to evaluate test
Test oval:com.ubuntu.bionic:tst:100 Loaded test - comment Is the host part of the unix family?
Test oval:com.ubuntu.bionic:tst:100 Finished evaluating test - comment Is the host part of the unix family? - result TRUE
Criteria Evaluated child criterion - criterionComment The host is part of the unix family. - test oval:com.ubuntu.bionic:tst:100 - result TRUE
Criteria Found child criterion - commentForChild The host is running Ubuntu bionic.
Test oval:com.ubuntu.bionic:tst:101 Starting to evaluate test
Test oval:com.ubuntu.bionic:tst:101 Loaded test - comment Is the host running Ubuntu bionic?
Test oval:com.ubuntu.bionic:tst:101 Starting to analyze test
Object oval:com.ubuntu.bionic:obj:101 Loaded object - comment The singleton release codename object.
Object oval:com.ubuntu.bionic:obj:101 Collected object - value [bionic]
Object oval:com.ubuntu.bionic:obj:101 Analyzing object - existenceStatus EXISTS - collectionStatus EXISTS
Object oval:com.ubuntu.bionic:obj:101 Existence result - existenceResult TRUE
Object oval:com.ubuntu.bionic:obj:101 Results for state - state oval:com.ubuntu.bionic:ste:101 - resultsForState [TRUE]
Test oval:com.ubuntu.bionic:tst:101 Object collection status is EXISTS and test has states. Final result after evaluating states: TRUE - finalResult TRUE - check AT_LEAST_ONE - stateResults [TRUE]
Test oval:com.ubuntu.bionic:tst:101 Finished evaluating test - comment Is the host running Ubuntu bionic? - result TRUE
Criteria Evaluated child criterion - criterionComment The host is running Ubuntu bionic. - test oval:com.ubuntu.bionic:tst:101 - result TRUE
Criteria Final result after combining results - operator AND - finalResult TRUE
Definition oval:com.ubuntu.bionic:def:100 Evaluated definition criteria - result TRUE
Definition oval:com.ubuntu.bionic:def:100 Finished evaluating definition - name Check that Ubuntu 18.04 LTS (bionic) is installed. - result TRUE
Criteria Finished evaluating extended definition - childResult TRUE
ExtendedDefinition oval:com.ubuntu.bionic:def:100 Child result is TRUE, applicability check will not change the outcome
Criteria Found child criterion - commentForChild systemd package in bionic was vulnerable but has been fixed (note: '237-3ubuntu10.9').
Test oval:com.ubuntu.bionic:tst:2018168880000000 Starting to evaluate test
Test oval:com.ubuntu.bionic:tst:2018168880000000 Loaded test - comment Does the 'systemd' package exist and is the version less than '237-3ubuntu10.9'?
Test oval:com.ubuntu.bionic:tst:2018168880000000 Starting to analyze test
Object oval:com.ubuntu.bionic:obj:2018168880000000 Loaded object - comment The 'systemd' package binaries.
Object oval:com.ubuntu.bionic:obj:2018168880000000 Package is not installed. - package libpam-systemd
Object oval:com.ubuntu.bionic:obj:2018168880000000 Package is installed. - package libsystemd0 - version 237-3ubuntu10.6
Object oval:com.ubuntu.bionic:obj:2018168880000000 Package is installed. - package libudev1 - version 237-3ubuntu10.6
Object oval:com.ubuntu.bionic:obj:2018168880000000 Package is not installed. - package systemd
Object oval:com.ubuntu.bionic:obj:2018168880000000 Collected object - value [237-3ubuntu10.6, 237-3ubuntu10.6]
Object oval:com.ubuntu.bionic:obj:2018168880000000 Analyzing object - existenceStatus EXISTS - collectionStatus EXISTS
Object oval:com.ubuntu.bionic:obj:2018168880000000 Existence result - existenceResult TRUE
Object oval:com.ubuntu.bionic:obj:2018168880000000 Results for state - state oval:com.ubuntu.bionic:ste:2018168880000000 - resultsForState [TRUE]
Object oval:com.ubuntu.bionic:obj:2018168880000000 Results for state - state oval:com.ubuntu.bionic:ste:2018168880000000 - resultsForState [TRUE]
Test oval:com.ubuntu.bionic:tst:2018168880000000 Object collection status is EXISTS and test has states. Final result after evaluating states: TRUE - finalResult TRUE - check AT_LEAST_ONE - stateResults [TRUE, TRUE]
Test oval:com.ubuntu.bionic:tst:2018168880000000 Finished evaluating test - comment Does the 'systemd' package exist and is the version less than '237-3ubuntu10.9'? - result TRUE
Criteria Evaluated child criterion - criterionComment systemd package in bionic was vulnerable but has been fixed (note: '237-3ubuntu10.9'). - test oval:com.ubuntu.bionic:tst:2018168880000000 - result TRUE
Criteria Final result after combining results - operator AND - finalResult TRUE
Definition oval:com.ubuntu.bionic:def:201869540000000 Evaluated definition criteria - result TRUE
Definition oval:com.ubuntu.bionic:def:201869540000000 Finished evaluating definition - name CVE-2018-6954 on Ubuntu 18.04 LTS (bionic) - medium. - result TRUE
=========================================================
RESULTS
=========================================================
TRUE CVE-2018-6954 on Ubuntu 18.04 LTS (bionic) - medium. - vulnerability oval:com.ubuntu.bionic:def:201869540000000 - [CVE-2018-6954]
=========================================================

The final TRUE means the container is vulnerable: the definition first confirms the target really is Ubuntu bionic (the extended inventory definition def:100), then finds two of the systemd binary packages, libsystemd0 and libudev1, installed at 237-3ubuntu10.6, which is below the fixed version 237-3ubuntu10.9 named in the state. Upgrading those packages to 237-3ubuntu10.9 or later makes the same check evaluate to FALSE.
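To make the evaluation traced above concrete, here is an added example, written for this page and not code from terzi or from Canonical, of the two pieces an OVAL interpreter needs for a dpkginfo check like the one in the case study: a port of dpkg's version comparison (epoch, upstream, revision, with "~" sorting before everything) and an evaluator that collects the object's packages from an inventory, applies the evr state, and combines results the way check="at least one" does. The OVAL XML is a constructed fragment with hypothetical ids (oval:example:...) that mirrors the structure of the Canonical feed; the two inventories are constructed snapshots standing in for the container before and after patching, not real dpkg data. extend_definition and non-dpkg tests are deliberately not handled.

```python
"""Added example (not terzi code): evaluate a minimal Ubuntu-style OVAL
dpkginfo check. The XML is a constructed fragment with hypothetical ids
that mirrors the shape of Canonical's feed; the inventories are constructed
snapshots, not read from a real dpkg database. extend_definition is not
handled."""
import xml.etree.ElementTree as ET

NS = {"o": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "lin": "http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"}

OVAL_XML = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:lin="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux">
 <definitions>
  <definition id="oval:example:def:1" class="vulnerability">
   <metadata><title>CVE-2018-6954 on Ubuntu 18.04 LTS (bionic)</title></metadata>
   <criteria operator="AND">
    <criterion test_ref="oval:example:tst:1"
     comment="Does the 'systemd' package exist and is the version less than '237-3ubuntu10.9'?"/>
   </criteria>
  </definition>
 </definitions>
 <tests><lin:dpkginfo_test id="oval:example:tst:1" check="at least one">
  <lin:object object_ref="oval:example:obj:1"/><lin:state state_ref="oval:example:ste:1"/>
 </lin:dpkginfo_test></tests>
 <objects><lin:dpkginfo_object id="oval:example:obj:1">
  <lin:name var_ref="oval:example:var:1" var_check="at least one"/>
 </lin:dpkginfo_object></objects>
 <states><lin:dpkginfo_state id="oval:example:ste:1">
  <lin:evr datatype="debian_evr_string" operation="less than">0:237-3ubuntu10.9</lin:evr>
 </lin:dpkginfo_state></states>
 <variables><constant_variable id="oval:example:var:1" datatype="string">
  <value>libpam-systemd</value><value>libsystemd0</value><value>libudev1</value><value>systemd</value>
 </constant_variable></variables>
</oval_definitions>"""

# Constructed inventories (package -> installed version): the case-study container
# as logged above, and the same container after the systemd packages are upgraded.
VULNERABLE = {"libsystemd0": "237-3ubuntu10.6", "libudev1": "237-3ubuntu10.6", "bash": "4.4.18-2ubuntu1"}
PATCHED = {"libsystemd0": "237-3ubuntu10.9", "libudev1": "237-3ubuntu10.9", "bash": "4.4.18-2ubuntu1"}


def _order(c):
    """Character weight used by dpkg: '~' sorts before anything, even end of string."""
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit and numeric segments."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1   # leading zeros are insignificant
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1    # longer number wins
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0


def deb_version_cmp(a, b):
    """Compare [epoch:]upstream[-revision]; <0, 0, >0 like dpkg --compare-versions."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep: epoch, rest = "0", v                 # no epoch means epoch 0
        upstream, sep, rev = rest.rpartition("-")
        if not sep: upstream, rev = rest, ""             # no revision
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


_OPS = {"equals": lambda c: c == 0, "not equal": lambda c: c != 0,
        "less than": lambda c: c < 0, "less than or equal": lambda c: c <= 0,
        "greater than": lambda c: c > 0, "greater than or equal": lambda c: c >= 0}


def _by_id(root, path, ref):
    return next(el for el in root.iterfind(path, NS) if el.get("id") == ref)


def eval_dpkginfo_test(root, test_ref, installed):
    """Collect the object's packages from `installed`, apply the state, combine per `check`."""
    test = _by_id(root, "o:tests/lin:dpkginfo_test", test_ref)
    obj = _by_id(root, "o:objects/lin:dpkginfo_object", test.find("lin:object", NS).get("object_ref"))
    state = _by_id(root, "o:states/lin:dpkginfo_state", test.find("lin:state", NS).get("state_ref"))
    name = obj.find("lin:name", NS)
    if name.get("var_ref"):   # the vendor feed lists all binary packages of a source package
        var = _by_id(root, "o:variables/o:constant_variable", name.get("var_ref"))
        names = [v.text for v in var.findall("o:value", NS)]
    else:
        names = [name.text]
    items = [(n, installed[n]) for n in names if n in installed]   # "Package is not installed" is skipped
    evr = state.find("lin:evr", NS)
    state_results = [_OPS[evr.get("operation", "equals")](deb_version_cmp(ver, evr.text)) for _, ver in items]
    combine = {"at least one": any, "all": all, "none satisfy": lambda r: not any(r)}[test.get("check", "all")]
    return bool(items) and combine(state_results), items, state_results


def evaluate_definition(xml_text, installed):
    """Return (result, per-criterion details) for the first definition in the document."""
    root = ET.fromstring(xml_text)
    defn = root.find("o:definitions/o:definition", NS)
    criteria = defn.find("o:criteria", NS)
    details = [(c.get("comment"),) + eval_dpkginfo_test(root, c.get("test_ref"), installed)
               for c in criteria.findall("o:criterion", NS)]
    combine = all if criteria.get("operator", "AND") == "AND" else any
    return combine(d[1] for d in details), details


if __name__ == "__main__":
    for label, inv in (("vulnerable", VULNERABLE), ("patched", PATCHED)):
        print(label, "->", evaluate_definition(OVAL_XML, inv))
```

The point worth taking from the comparator is that a naive string or tuple comparison of Debian versions gets exactly the cases that matter wrong (1.10 versus 1.9, epochs, and ~ pre-release suffixes), so an interpreter that does not implement dpkg's rules will both miss and over-report vulnerabilities; the "Package is not installed" lines in the trace correspond to the names dropped when building items.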

Versions

Full Version
Full version of Terzi is available to VulnIQ customers for no additional cost. You will get access to downloads once your subscription is activated.
Free Version
You can download the free version of Terzi, the VulnIQ security analyzer, from the releases page on GitHub.
Please note that the free version has limited functionality, but it should be good enough for many use cases.