How to Use Cloudflare Flan for Continuous Vulnerability Scanning

"Know your infrastructure" is one of the core principles of any security team. Continuously knowing your infrastructure and understanding its weaknesses is especially important in a DevSecOps process.

It is also important to get results the right way and as quickly as possible. Cloudflare's Flan tool is the best open-source solution for this that I have seen.

It performs the scan (Nmap with the vulners script) and can send the results straight to a GCS bucket or an AWS S3 bucket.

But after using it several times I ran into a small inconvenience: it saves the report only in the *.tex and *.xml formats, which are not convenient for me. So this article covers the basic usage of Cloudflare's Flan tool and the changes needed to also produce the report in *.html format.

Basic Cloudflare Flan Usage to Perform a Vulnerability Scan

Clone the cloudflare/flan repository on GitHub:


$ git clone https://github.com/cloudflare/flan.git

Go to the downloaded directory:


$ cd flan

Edit the shared/ips.txt file and put your target IP addresses there, one per line (the run script reads the file line by line):

$ nano shared/ips.txt

Save the file and run commands to start scanning:


$ make build && make start

You will see the Nmap output during the scan:

(Screenshot: Nmap output for the target server, including the vulners script results.)

The *.tex report is saved in the shared/reports directory and the Nmap XML output in the shared/xml_files directory.

The official README describes how to push the scan results to a cloud bucket.
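Because Flan keeps the raw Nmap XML under shared/xml_files, the scan can also be turned into a pipeline gate. The following is an added example, not Flan's own report builder: it parses Nmap's -oX output, pulls the structured output of the vulners NSE script (one table per CPE, one nested table per finding with elem children keyed id, type, cvss and is_exploit), and returns the findings that should fail a CI job. The embedded XML sample is constructed for the example; the host, product and CVE identifiers in it are placeholders, and the CVSS threshold of 7.0 is an assumed policy value.

```python
"""Summarise Flan's Nmap XML output and fail a pipeline on serious findings.

Added example (not part of Flan): parses the -oX files Flan writes to
shared/xml_files/<scan time>/ and extracts the vulners NSE script's
structured output (one <table> per CPE, one nested <table> per finding).
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape Nmap writes with -oX when vulners.nse runs.
# Host, product and CVE identifiers are placeholders, not real findings.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=vulners/vulners.nse 10.0.0.5">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="exampled" version="1.0"/>
        <script id="vulners" output="(human-readable text omitted)">
          <table key="cpe:/a:example:exampled:1.0">
            <table>
              <elem key="id">CVE-0000-0001</elem>
              <elem key="type">cve</elem>
              <elem key="is_exploit">false</elem>
              <elem key="cvss">7.5</elem>
            </table>
            <table>
              <elem key="id">CVE-0000-0002</elem>
              <elem key="type">cve</elem>
              <elem key="is_exploit">true</elem>
              <elem key="cvss">4.3</elem>
            </table>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_findings(xml_text):
    """Return one dict per vulners finding on an open port."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # fall back to whatever address Nmap recorded
            addr_el = host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # vulners only fires on open ports; skip the rest
            service = port.find("service")
            svc = "unknown"
            if service is not None:
                parts = [service.get("product"), service.get("version")]
                svc = " ".join(p for p in parts if p) or service.get("name", "unknown")
            for script in port.findall("script[@id='vulners']"):
                for cpe_table in script.findall("table"):
                    for entry in cpe_table.findall("table"):
                        elems = {e.get("key"): (e.text or "").strip()
                                 for e in entry.findall("elem")}
                        try:
                            cvss = float(elems.get("cvss", ""))
                        except ValueError:
                            cvss = 0.0  # treat a missing/empty score as unrated
                        findings.append({
                            "host": addr,
                            "port": int(port.get("portid")),
                            "proto": port.get("protocol"),
                            "service": svc,
                            "cpe": cpe_table.get("key"),
                            "id": elems.get("id", ""),
                            "type": elems.get("type", ""),
                            "cvss": cvss,
                            "is_exploit": elems.get("is_exploit") == "true",
                        })
    return findings


def gate(findings, max_cvss=7.0, block_exploits=True):
    """Findings that should fail the pipeline, most severe first."""
    hits = [f for f in findings
            if f["cvss"] >= max_cvss or (block_exploits and f["is_exploit"])]
    return sorted(hits, key=lambda f: (-f["cvss"], f["host"], f["port"], f["id"]))


def render(findings):
    """Plain-text table for a CI log: one header line plus one line per finding."""
    fmt = "%-15s %-9s %-20s %-5s %-8s %s"
    lines = [fmt % ("host", "port", "service", "cvss", "exploit", "id")]
    for f in findings:
        lines.append(fmt % (f["host"], "%s/%s" % (f["port"], f["proto"]),
                            f["service"][:20], "%.1f" % f["cvss"],
                            "yes" if f["is_exploit"] else "no", f["id"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python flan_gate.py shared/xml_files/<scan time>/*.xml
    docs = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_XML]
    blocking = gate([f for d in docs for f in parse_findings(d)])
    print(render(blocking))
    sys.exit(1 if blocking else 0)
```

Run it against the XML files of one scan directory; a non-zero exit code makes the scan stage fail in most CI systems, which is what turns a scheduled Flan run into a real control rather than a report nobody reads.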

Saving Cloudflare Flan Nmap Output as HTML

After a quick search I decided to use the HTML report as described on the official Nmap site: Nmap's XML output references the nmap.xsl stylesheet, so xsltproc can transform it into an HTML page.

First we need the xsltproc executable inside the Cloudflare Flan image. Since the image is based on Alpine Linux, that means installing the libxslt package. Open the repository's Dockerfile and change the second line as shown here (append libxslt to the end of the line):

RUN apk add --no-cache nmap nmap-scripts git libxslt

Next, modify the run.sh script so that each XML report is also converted to HTML. Open run.sh, find the scanning loop, and change it as shown below. Two caveats: xsltproc follows the stylesheet reference Nmap embeds in its XML (a file:// path to nmap.xsl), so if that file is not present in the image, pass the stylesheet path explicitly as the first argument to xsltproc instead of relying on the embedded reference (prefer a stylesheet shipped in the image over Nmap's --webxml option, which fetches the stylesheet from the network at conversion time). And the HTML is written only to the local shared directory, so if you also want it in the bucket, call upload on $xml_dir/$htmlreport exactly as the XML file is uploaded.

while IFS= read -r line
do
  current_time=$(date "+%Y.%m.%d-%H.%M.%S")
  filename=$(get_filename $line)".xml"
  # Added for HTML generation: same base name as the XML file
  htmlreport=$(get_filename $line)".html"
  nmap -sV -oX $root_dir$xml_dir/$filename -oN - -v1 $@ --script=vulners/vulners.nse $line
  upload $xml_dir/$filename
  # Added for HTML generation: transform the XML with the stylesheet it references
  xsltproc $root_dir$xml_dir/$filename -o $root_dir$xml_dir/$htmlreport
done < /shared/ips.txt

Run the commands again:


$ make build && make start

After the run finishes, the HTML report is in the directory shared/xml_files/YOUR_SCAN_TIME:

(Screenshot: the generated Nmap HTML report.)

Additional Tuning of Cloudflare Flan

By default, Nmap scans only the 1,000 most common TCP ports. For your infrastructure it may be useful to also scan some non-standard ports. In that case, find the command in run.sh that runs Nmap and adjust it to your needs, for example by adding -p with an explicit port list (or -p- for all 65,535 TCP ports, at the cost of a much longer scan):

nmap -sV -oX $root_dir$xml_dir/$filename -oN - -v1 $@ --script=vulners/vulners.nse $line

Translated from: https://medium.com/better-programming/continuous-vulnerability-scanning-with-cloudflare-flan-be924601cca8
