Alpine Linux - User contributions [en]

Cvechecker

2021-10-05T14:43:03Z

MaxPeal: update config urls form https://rawgit.com/sjvermeu/cvechecker/master/docs/userguide.html

{{Draft}}

[https://github.com/sjvermeu/cvechecker/wiki cvechecker] is an useful tool which helps to compare packeges installed in your distribution with the Common Vulnerabilities Exposure. Is not a bullet-proof method and you will most likely have many false positives (vulnerability is fixed with a revision-release, but the tool isn’t able to detect the revision itself), yet it is still better than nothing. The idea is to automatize security check. But, clearly, this is not (and must not be) the only way to check security. With the proper reporting in place, you are immediately warned when a new CVE has been released that might match your system. You can then take the appropriate steps (acknowledge report, verify incident, fix package or mark as false positive).
Those are the steps:
* pull in the latest CVE entries as well as software/version detection rules (Adminsitrative task only)
* generate a list of files to scan
* gather installed software/version information
* output which CVE entries might affect your system
* generate a report informing you about the CVE entries

== Installation ==
cvechecker is available in edge main repo. If you are running a stable version of alpine, you can add the package from edge in this way:

{{Cmd|apk install cvechecker}}

== Configuration with sqlite ==
CVEChecker's installation scripts create an user and a group, both called "cvechecker", in order to have a user with minimum privileges to run cvechecker.
In this folder cvechecker will creates the database (according with the cvechecker.conf, we use sqlite3. But also mysql is supported. This could be useful if you want to share only one DB with many routers/servers running Alpine)

Before use cvechecker you should configure cvechecker to use sqlite, then populate the DB with cve entries.
According with our settings, /etc/cvechecker.conf would looks like:

# Generic settings
#
dbtype = "sqlite";
#dbtype="mysql";
cvecache = "/var/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "https://raw.github.com/sjvermeu/cvechecker/master/versions.dat";
#userkey = "servertag";
#
# For Sqlite3
#
sqlite3: {
localdb = "/var/cvechecker/local";
globaldb = "/var/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker";
dbpass = "cvecheckpass";
dbhost = "$IPADDRESS_OF_MYSQL_SERVER";
};

Now, you can initialize the DB with:

{{Cmd|cvechecker -i}}

DB is ready.
Now, we should configure cvechecker to use mysql then populate the DB with cve entries.

== Configuration with MySQL ==

MySQL is another backend that cvechecker is able to use. Could be useful if you have several cvechecker installed in your network. In that way, you have only one "repository" of CVEs that needs to be updated.

{{Cmd|apk add mysql mysql-client
/etc/init.d/mysql setup
/etc/init.d/mysql start && rc-update add mysql default
/usr/bin/mysqladmin -u root password 'new-password'}}

create a db user for cvechecker:
{{Cmd|mysql -u root -p
mysql>CREATE DATABASE cvechecker;
mysql>CREATE USER 'cvechecker'@'%' IDENTIFIED BY 'cvecheckpass';
mysql>GRANT ALL ON cvechecker.* TO 'cvechecker'@'localhost';
mysql>GRANT ALL ON cvechecker.* TO 'cvechecker'@'%';
mysql>FLUSH PRIVILEGES;}}

I set % because the DB and the users should allow access from other hosts. You can restrict this to allow only your domain.

You have two way to create tables into DB:

=== Via .sql script ===

Login as cvechecker into mysql:

{{Cmd|mysql -D cvechecker -u cvechecker -p
mysql>source /usr/share/cvechecker/mysql_cvechecker.sql;}}

DB is ready.
Now, we should configure cvechecker to use mysql then populate the DB with cve entries.

=== Via cvechecker ===

After you configured the DB, you can create tables with:

{{Cmd|cvechecker -i}}

But in order to make it works, you have to configure DB settings in cvechecker.conf.
According with our settings, /etc/cvechecker.conf would looks like:

# Generic settings
#
#dbtype = "sqlite";
dbtype="mysql";
cvecache = "/var/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "https://raw.github.com/sjvermeu/cvechecker/master/versions.dat";
#userkey = "servertag";
#
# For Sqlite3
#
sqlite3: {
localdb = "/var/cvechecker/local";
globaldb = "/var/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker";
dbpass = "cvecheckpass";
dbhost = "$IPADDRESS_OF_MYSQL_SERVER";
};

'''NOTE:'''
Running cvechecker -i (initialize database) it removes ALL entries in the DB.

=== Using CVEChecker ===

After the db is created, you have to pull the necessary data from the Internet:

{{Cmd|pullcves pull}}

According with the manual, "This will take a very long time, so please be patient (loading over half a million CVE entries in a database is a time consuming - but one-time - activity).
Future pulls will not take this much time as they will not redownload the CVE entries from all previous years (unless you ask it to)."

(If you're behind a proxy, you should set it from env variable or with wget.rc)

Could be useful to crontab this task, maybe every day. Become the cvecheker user and run "crontab -e".
Insert the following to run pullcves every day at 5:00 AM

* 5 * * * /usr/bin/pullcves pull

Now, make a list of executables file as well as /proc/version and allows cvechecker to verify if there are kernel-related CVE entries for your Linux kernel and software installed.

{{Cmd|find / -type f -perm -o+x > /tmp/cvecheck.tmp
cat /proc/version >> /tmp/cvecheck.tmp}}

Now, in /tmp/cvecheck.tmp you'll have all the binaries of your system with their version.
Check if there are cve with the following:

{{Cmd|cvechecker -b /tmp/cvecheck.tmp}}

If you want, you can create a report with the entries (if they are found):

{{Cmd|cvechecker -r}}

Simple script that helps to do it automatically. Copy and past it, save it as run_cvecheck.sh and give it exec permissions.

#!/bin/sh
tempfile=/tmp/cvecheck.tmp
EMAILADMIN=<%EMAIL ADDRESS USED FOR THIS TASK%>
find / -type f -perm -o+x > $tempfile
cat /proc/version >> $tempfile
cvechecker -b $tempfile > /dev/null 2>&1 # Run cvechecker against the software list
cvechecker -r > $tempfile > /dev/null 2>&1 # Create a report
if [ -s "$tempfile" ] ; then # If exists and non-zero, send it via email
mail $EMAILADMIN -s "CVE Checker" < $tempfile
fi ;
rm $tempfile

{{Note|If you want to send emails, you have to add mailx and configure an smtp server (like ssmtp). But this information goes beyond the purpose of this doc.}}

In order to make the last rows sent via email, you should configure an smtp server. Widely used is ssmtp.
Could be a good idea run this script as cronjob.

So, you can do the same you did with pullcves: become the cvecheker user and run "crontab -e".

* 6 * * * /var/cvechecker/run_cvecheck.sh

=== Create Report ===

CVEChecker generate reports in a CSV format. Could be nice generate an html from this CSV.

This is a sample script that uses csv2xml and cvereport.xsl (two scripts that comes with cvechecker) that allows the generation of html file starting by csv.

#!/bin/sh
tempfile=/tmp/cvecheck.tmp
EMAILADMIN=root@localhost
WEBDIR=/var/www/localhost/htdocs/cvechecker/
CONFFILE=/etc/cvechecker.conf
DATADIR=$(awk -F'=' '/^datadir/ {print $2}' ${CONFFILE} | awk -F'"' '{print $2}');
find / -type f -perm -o+x > $tempfile
cat /proc/version >> $tempfile
cvechecker -b $tempfile > /dev/null 2>&1 # Run cvechecker against the software list
if [ -s "$tempfile" ] ; then # If exists and non-zero, send it via email
mail $EMAILADMIN -s "CVE Checker" < $tempfile
fi ;
# Create Report.
# FYI: acknowledgements.xml is an hard-coded file name.
cvechecker -rC > $WEBDIR/report.csv
awk -F, -f ${DATADIR}/csv2xml.awk $WEBDIR/report.csv > ${DATADIR}/acknowledgements.xml
xsltproc ${DATADIR}/cvereport.xsl $DATADIR/acknowledgements.xml > ${WEBDIR}/report.html
printf "done\n".

'''Note''':
the html generated is pretty ugly, because cvereport.xsl has hard-coded the css file which is stored in /usr/share/cvechecker dir. Filename is report.css
You can copy the report.css file into $WEBDIR in order to have a nicer html file.

[[Category:Monitoring]]
[[Category:Security]]

Cvechecker

2021-10-05T14:37:27Z

MaxPeal: http://cvechecker.sourceforge.net is moved to https://github.com/sjvermeu/cvechecker/wiki

{{Draft}}

[https://github.com/sjvermeu/cvechecker/wiki cvechecker] is an useful tool which helps to compare packeges installed in your distribution with the Common Vulnerabilities Exposure. Is not a bullet-proof method and you will most likely have many false positives (vulnerability is fixed with a revision-release, but the tool isn’t able to detect the revision itself), yet it is still better than nothing. The idea is to automatize security check. But, clearly, this is not (and must not be) the only way to check security. With the proper reporting in place, you are immediately warned when a new CVE has been released that might match your system. You can then take the appropriate steps (acknowledge report, verify incident, fix package or mark as false positive).
Those are the steps:
* pull in the latest CVE entries as well as software/version detection rules (Adminsitrative task only)
* generate a list of files to scan
* gather installed software/version information
* output which CVE entries might affect your system
* generate a report informing you about the CVE entries

== Installation ==
cvechecker is available in edge main repo. If you are running a stable version of alpine, you can add the package from edge in this way:

{{Cmd|apk install cvechecker}}

== Configuration with sqlite ==
CVEChecker's installation scripts create an user and a group, both called "cvechecker", in order to have a user with minimum privileges to run cvechecker.
In this folder cvechecker will creates the database (according with the cvechecker.conf, we use sqlite3. But also mysql is supported. This could be useful if you want to share only one DB with many routers/servers running Alpine)

Before use cvechecker you should configure cvechecker to use sqlite, then populate the DB with cve entries.
According with our settings, /etc/cvechecker.conf would looks like:

# Generic settings
#
dbtype = "sqlite";
#dbtype="mysql";
cvecache = "/var/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "http://cvechecker.svn.sourceforge.net/viewvc/cvechecker/versions.dat";
#userkey = "servertag";
#
# For Sqlite3
#
sqlite3: {
localdb = "/var/cvechecker/local";
globaldb = "/var/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker";
dbpass = "cvecheckpass";
dbhost = "$IPADDRESS_OF_MYSQL_SERVER";
};

Now, you can initialize the DB with:

{{Cmd|cvechecker -i}}

DB is ready.
Now, we should configure cvechecker to use mysql then populate the DB with cve entries.

== Configuration with MySQL ==

MySQL is another backend that cvechecker is able to use. Could be useful if you have several cvechecker installed in your network. In that way, you have only one "repository" of CVEs that needs to be updated.

{{Cmd|apk add mysql mysql-client
/etc/init.d/mysql setup
/etc/init.d/mysql start && rc-update add mysql default
/usr/bin/mysqladmin -u root password 'new-password'}}

create a db user for cvechecker:
{{Cmd|mysql -u root -p
mysql>CREATE DATABASE cvechecker;
mysql>CREATE USER 'cvechecker'@'%' IDENTIFIED BY 'cvecheckpass';
mysql>GRANT ALL ON cvechecker.* TO 'cvechecker'@'localhost';
mysql>GRANT ALL ON cvechecker.* TO 'cvechecker'@'%';
mysql>FLUSH PRIVILEGES;}}

I set % because the DB and the users should allow access from other hosts. You can restrict this to allow only your domain.

You have two way to create tables into DB:

=== Via .sql script ===

Login as cvechecker into mysql:

{{Cmd|mysql -D cvechecker -u cvechecker -p
mysql>source /usr/share/cvechecker/mysql_cvechecker.sql;}}

DB is ready.
Now, we should configure cvechecker to use mysql then populate the DB with cve entries.

=== Via cvechecker ===

After you configured the DB, you can create tables with:

{{Cmd|cvechecker -i}}

But in order to make it works, you have to configure DB settings in cvechecker.conf.
According with our settings, /etc/cvechecker.conf would looks like:

# Generic settings
#
#dbtype = "sqlite";
dbtype="mysql";
cvecache = "/var/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "http://cvechecker.svn.sourceforge.net/viewvc/cvechecker/versions.dat";
#userkey = "servertag";
#
# For Sqlite3
#
sqlite3: {
localdb = "/var/cvechecker/local";
globaldb = "/var/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker";
dbpass = "cvecheckpass";
dbhost = "$IPADDRESS_OF_MYSQL_SERVER";
};

'''NOTE:'''
Running cvechecker -i (initialize database) it removes ALL entries in the DB.

=== Using CVEChecker ===

After the db is created, you have to pull the necessary data from the Internet:

{{Cmd|pullcves pull}}

According with the manual, "This will take a very long time, so please be patient (loading over half a million CVE entries in a database is a time consuming - but one-time - activity).
Future pulls will not take this much time as they will not redownload the CVE entries from all previous years (unless you ask it to)."

(If you're behind a proxy, you should set it from env variable or with wget.rc)

Could be useful to crontab this task, maybe every day. Become the cvecheker user and run "crontab -e".
Insert the following to run pullcves every day at 5:00 AM

* 5 * * * /usr/bin/pullcves pull

Now, make a list of executables file as well as /proc/version and allows cvechecker to verify if there are kernel-related CVE entries for your Linux kernel and software installed.

{{Cmd|find / -type f -perm -o+x > /tmp/cvecheck.tmp
cat /proc/version >> /tmp/cvecheck.tmp}}

Now, in /tmp/cvecheck.tmp you'll have all the binaries of your system with their version.
Check if there are cve with the following:

{{Cmd|cvechecker -b /tmp/cvecheck.tmp}}

If you want, you can create a report with the entries (if they are found):

{{Cmd|cvechecker -r}}

Simple script that helps to do it automatically. Copy and past it, save it as run_cvecheck.sh and give it exec permissions.

#!/bin/sh
tempfile=/tmp/cvecheck.tmp
EMAILADMIN=<%EMAIL ADDRESS USED FOR THIS TASK%>
find / -type f -perm -o+x > $tempfile
cat /proc/version >> $tempfile
cvechecker -b $tempfile > /dev/null 2>&1 # Run cvechecker against the software list
cvechecker -r > $tempfile > /dev/null 2>&1 # Create a report
if [ -s "$tempfile" ] ; then # If exists and non-zero, send it via email
mail $EMAILADMIN -s "CVE Checker" < $tempfile
fi ;
rm $tempfile

{{Note|If you want to send emails, you have to add mailx and configure an smtp server (like ssmtp). But this information goes beyond the purpose of this doc.}}

In order to make the last rows sent via email, you should configure an smtp server. Widely used is ssmtp.
Could be a good idea run this script as cronjob.

So, you can do the same you did with pullcves: become the cvecheker user and run "crontab -e".

* 6 * * * /var/cvechecker/run_cvecheck.sh

=== Create Report ===

CVEChecker generate reports in a CSV format. Could be nice generate an html from this CSV.

This is a sample script that uses csv2xml and cvereport.xsl (two scripts that comes with cvechecker) that allows the generation of html file starting by csv.

#!/bin/sh
tempfile=/tmp/cvecheck.tmp
EMAILADMIN=root@localhost
WEBDIR=/var/www/localhost/htdocs/cvechecker/
CONFFILE=/etc/cvechecker.conf
DATADIR=$(awk -F'=' '/^datadir/ {print $2}' ${CONFFILE} | awk -F'"' '{print $2}');
find / -type f -perm -o+x > $tempfile
cat /proc/version >> $tempfile
cvechecker -b $tempfile > /dev/null 2>&1 # Run cvechecker against the software list
if [ -s "$tempfile" ] ; then # If exists and non-zero, send it via email
mail $EMAILADMIN -s "CVE Checker" < $tempfile
fi ;
# Create Report.
# FYI: acknowledgements.xml is an hard-coded file name.
cvechecker -rC > $WEBDIR/report.csv
awk -F, -f ${DATADIR}/csv2xml.awk $WEBDIR/report.csv > ${DATADIR}/acknowledgements.xml
xsltproc ${DATADIR}/cvereport.xsl $DATADIR/acknowledgements.xml > ${WEBDIR}/report.html
printf "done\n".

'''Note''':
the html generated is pretty ugly, because cvereport.xsl has hard-coded the css file which is stored in /usr/share/cvechecker dir. Filename is report.css
You can copy the report.css file into $WEBDIR in order to have a nicer html file.

[[Category:Monitoring]]
[[Category:Security]]

EyeOS

2021-10-05T14:33:13Z

MaxPeal:

{{Obsolete|eyeOS is deprecated, the Project and source files https://sourceforge.net/projects/eyeos/ are dead and gone!}}

eyeOS is an open source web desktop following the cloud computing concept that leverages collaboration and communication among users. It is mainly written in PHP, XML, and JavaScript. It acts as a platform for web applications written using the eyeOS Toolkit. It includes a Desktop environment with 67 applications and system utilities

= Set up eyeOS on Alpine Linux =

This document will be a quick c/p guide to setup eyeOS on Alpine linux. What we will setup is the following:

* Lighttpd with PHP
* eyeOS

= Install lighttpd, and PHP =

{{:Setting Up Lighttpd With FastCGI}}

= Installing and configuring eyeOS =
Make webapps folder

{{Cmd|mkdir /usr/share/webapps/ -p}}

Download previous version:

{{Cmd|cd /usr/share/webapps/
wget http://sourceforge.net/projects/eyeos/files/eyeos/1.9.0.1/eyeOS_1.9.0.1.zip/download}}

Unpack and delete zip file

{{Cmd|unzip download
rm download}}

Also you can download latest version:

{{Cmd|cd /usr/share/webapps/
wget http://sourceforge.net/projects/eyeos/files/eyeos2/eyeos-2.5.tar.gz/download}}

Unpack and delete tar.gz file

{{Cmd|cd /usr/share/webapps/
tar -xvzf download}}<big><big><big>'''Project and source files''' https://sourceforge.net/projects/eyeos/ '''are dead and gone!'''</big></big></big>

Change Folder Persmissions

{{Cmd|chmod -R 777 /usr/share/webapps/eyeOS/}}

Make symlinks to eyeOS

{{Cmd|ln -s /usr/share/webapps/eyeOS/ /var/www/localhost/htdocs/eyeos}}

Unpack main package

{{Cmd|cd /usr/share/webapps/eyeOS/
mv /usr/share/webapps/eyeOS/package.eyepackage /usr/share/webapps/eyeOS/package.tar.gz
tar zxvf /usr/share/webapps/eyeOS/package.tar.gz}}

== Starting ==

Starting http service and adding to boot

{{Cmd|/etc/init.d/lighttpd start && rc-update add lighttpd default}}

== Config your eyeos ==
Browse to: http://WEBSERVER_IP_ADDRESS/eyeos

Please fill out the following form to install eyeOS:

Root Password
Retype Password
System Name
Allow users to create accounts

When you finish, press "Install eyeOS!" button, and thats all. :)
You have eyeOS cloud computing system working. To access it, go to http://WEBSERVER_IP_ADDRESS/eyeOS and enjoy!

[[Category:Desktop]]
[[Category:PHP]]

EyeOS

2021-10-05T14:27:25Z

MaxPeal: add the note: Project and source files are dead and gone!

<big><big><big><big>'''Project and source files''' https://sourceforge.net/projects/eyeos/ '''are dead and gone!'''</big></big></big></big>

eyeOS is an open source web desktop following the cloud computing concept that leverages collaboration and communication among users. It is mainly written in PHP, XML, and JavaScript. It acts as a platform for web applications written using the eyeOS Toolkit. It includes a Desktop environment with 67 applications and system utilities

= Set up eyeOS on Alpine Linux =

This document will be a quick c/p guide to setup eyeOS on Alpine linux. What we will setup is the following:

* Lighttpd with PHP
* eyeOS

= Install lighttpd, and PHP =

{{:Setting Up Lighttpd With FastCGI}}

= Installing and configuring eyeOS =
Make webapps folder

{{Cmd|mkdir /usr/share/webapps/ -p}}

Download previous version:

{{Cmd|cd /usr/share/webapps/
wget http://sourceforge.net/projects/eyeos/files/eyeos/1.9.0.1/eyeOS_1.9.0.1.zip/download}}

Unpack and delete zip file

{{Cmd|unzip download
rm download}}

Also you can download latest version:

{{Cmd|cd /usr/share/webapps/
wget http://sourceforge.net/projects/eyeos/files/eyeos2/eyeos-2.5.tar.gz/download}}

Unpack and delete tar.gz file

{{Cmd|cd /usr/share/webapps/
tar -xvzf download}}<big><big><big>'''Project and source files''' https://sourceforge.net/projects/eyeos/ '''are dead and gone!'''</big></big></big>

Change Folder Persmissions

{{Cmd|chmod -R 777 /usr/share/webapps/eyeOS/}}

Make symlinks to eyeOS

{{Cmd|ln -s /usr/share/webapps/eyeOS/ /var/www/localhost/htdocs/eyeos}}

Unpack main package

{{Cmd|cd /usr/share/webapps/eyeOS/
mv /usr/share/webapps/eyeOS/package.eyepackage /usr/share/webapps/eyeOS/package.tar.gz
tar zxvf /usr/share/webapps/eyeOS/package.tar.gz}}

== Starting ==

Starting http service and adding to boot

{{Cmd|/etc/init.d/lighttpd start && rc-update add lighttpd default}}

== Config your eyeos ==
Browse to: http://WEBSERVER_IP_ADDRESS/eyeos

Please fill out the following form to install eyeOS:

Root Password
Retype Password
System Name
Allow users to create accounts

When you finish, press "Install eyeOS!" button, and thats all. :)
You have eyeOS cloud computing system working. To access it, go to http://WEBSERVER_IP_ADDRESS/eyeOS and enjoy!

[[Category:Desktop]]
[[Category:PHP]]