The Threat Oracle Engine (THOE) is a tool that scans a system for known vulnerabilities, using information obtained from online vulnerability databases such as the NVD. THOE is a solution for industrial control systems, including embedded systems with limited resources, and it enables:
- Automatic detection of publicly known vulnerabilities affecting the software and hardware used by a product, during its development process and throughout its whole lifecycle.
- Searching for vulnerabilities published in different data sources (NVD, ExploitDB and others); it is flexible enough to allow adding new sources.
- Continuous monitoring of vulnerabilities and configuration.
- Local or remote vulnerability search.
THOE contributes to the CI/CD of the scenarios defined in VeriDevOps, in particular to the plan and monitor phases of the CI/CD cycle.
Prerequisites for running THOE.
- OS: Ubuntu 22.04
- Kubernetes version 1.25
- Distro: microK8s
Instructions for running THOE.
- Install a single-node Kubernetes cluster
- Install microK8s.
$ sudo snap install microk8s --classic --channel=1.25/stable
- Grant your user access to MicroK8s (the re-login makes the new group membership effective).
$ sudo usermod -a -G microk8s $USER
$ sudo chown -f -R $USER ~/.kube
$ su - $USER
- Output status information, including the current state of the MicroK8s node and a list of all the available extensions.
$ microk8s status --wait-ready
- Check that the Kubernetes cluster is up and running.
$ microk8s kubectl get nodes
- Install the necessary add-ons
- Add-ons needed to operate the cluster and deploy the PKI (DNS, storage, cert-manager and ingress).
$ microk8s enable dns
$ microk8s enable hostpath-storage
$ microk8s enable cert-manager
$ microk8s enable ingress
- MetalLB, which provides Kubernetes LoadBalancer services. Run without an argument to be prompted for the address range, or pass the range directly.
NOTE: the CIDR range can vary depending on the network interface used; choose addresses on the node's network that are not handed out by DHCP. A /24 as in the example covers the whole 192.168.1.0/24 subnet, so a narrower range (for example a /28, or an explicit start-end range) avoids collisions with existing hosts.
$ microk8s enable metallb
$ microk8s enable metallb:192.168.1.240/24
- Check the resources/applications launched in the Kubernetes cluster
$ microk8s kubectl get pods -A
- Deployment
Run from the directory containing the THOE Helm chart, replacing {DOMAIN} with the domain name under which THOE will be served:
$ microk8s helm3 install thoe . --create-namespace -n thoe --set storageClassName=microk8s-hostpath --set domain={DOMAIN}
The main dashboard of THOE provides an overall statistical analysis of the data stored in THOE, including the number of known vulnerabilities and how critical those vulnerabilities are, as rated by NIST.
The CVEs catalog lists all the CVEs stored in the THOE database. At the time of writing, THOE has more than 200K CVEs stored.
The CPEs catalog lists all the CPEs stored in the THOE database. At the time of writing, THOE has more than 1M CPEs stored.
The Data Sources panel lists the data sources from which THOE obtains its information (i.e., NIST).
The Asset Manager page is where you define the components of your asset inventory, including hardware platforms, software applications and operating systems. THOE tracks the vulnerabilities associated with each one.
Within each asset there is a list of components, each with its associated CPE. The components defined here are monitored by THOE, which periodically searches the public vulnerability databases to check whether new vulnerabilities (CVEs) have been published that may affect a component.
The Scheduler allows importing CPEs and CVEs from the data sources at a user-configurable interval, and running the asset audit, which analyses the vulnerabilities associated with an asset.
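To make concrete what the component-to-CVE matching of an asset audit involves, the following is an added example (not THOE's own code, and no statement about how THOE implements it): an inventory of CPE 2.3 names is matched against CVE records carrying NVD-style CPE match criteria with version ranges, and the CVEs that appear since the previous audit snapshot are derived, which is what an alert subscription would report. All component names, vendor/product names, CPEs and CVE identifiers below are constructed placeholders, not real vulnerabilities.

```python
# Added example (not THOE's own code): how an asset audit can match an
# inventory of CPE 2.3 names against CVE records that carry NVD-style CPE
# match criteria with version ranges, and how "new since last snapshot"
# alerts can be derived. Component names, CPEs and CVE ids are constructed
# placeholders, not real vulnerabilities.
from dataclasses import dataclass
from typing import Optional


def parse_cpe23(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string into its 13 fields, keeping
    backslash-escaped colons (e.g. '1.0\\:beta') inside a field."""
    fields, cur, i = [], "", 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):   # escaped char: copy both
            cur += cpe[i:i + 2]
            i += 2
            continue
        if cpe[i] == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += cpe[i]
        i += 1
    fields.append(cur)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return fields   # [cpe, 2.3, part, vendor, product, version, update, ...]


def version_key(version: str) -> tuple:
    """Sortable key: numeric dotted parts compare as integers, so 2.10 > 2.9."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in version.split("."))


@dataclass
class MatchCriterion:
    criteria: str                     # CPE 2.3 string, '*' = ANY in a field
    vulnerable: bool = True           # NVD also lists non-vulnerable platform nodes
    version_start_including: Optional[str] = None
    version_start_excluding: Optional[str] = None
    version_end_including: Optional[str] = None
    version_end_excluding: Optional[str] = None


@dataclass
class CVE:
    cve_id: str
    cvss_score: float
    criteria: list[MatchCriterion]


def component_matches(component_cpe: str, crit: MatchCriterion) -> bool:
    comp, pat = parse_cpe23(component_cpe), parse_cpe23(crit.criteria)
    # Every field except the version (index 5) must be ANY or equal.
    for idx in range(2, 13):
        if idx != 5 and pat[idx] not in ("*", comp[idx]):
            return False
    version = comp[5]
    if pat[5] != "*":                 # exact-version criterion, no range applies
        return pat[5] == version
    if version in ("*", "-"):
        # Inventory entry without a concrete version: a ranged criterion
        # cannot be evaluated, so only an unbounded one counts as a match.
        return not any((crit.version_start_including, crit.version_start_excluding,
                        crit.version_end_including, crit.version_end_excluding))
    k = version_key(version)
    if crit.version_start_including and k < version_key(crit.version_start_including):
        return False
    if crit.version_start_excluding and k <= version_key(crit.version_start_excluding):
        return False
    if crit.version_end_including and k > version_key(crit.version_end_including):
        return False
    if crit.version_end_excluding and k >= version_key(crit.version_end_excluding):
        return False
    return True


def audit_asset(components: dict[str, str], cves: list[CVE]) -> dict[str, list[tuple[str, float]]]:
    """{component: [(cve_id, cvss), ...]} for every component hit by a
    'vulnerable' criterion, most severe first."""
    findings: dict[str, list[tuple[str, float]]] = {name: [] for name in components}
    for cve in cves:
        for name, cpe in components.items():
            if any(c.vulnerable and component_matches(cpe, c) for c in cve.criteria):
                findings[name].append((cve.cve_id, cve.cvss_score))
    for hits in findings.values():
        hits.sort(key=lambda h: h[1], reverse=True)
    return findings


def new_alerts(previous_snapshot: set[str], findings: dict[str, list[tuple[str, float]]]) -> set[str]:
    """CVE ids found now that were absent from the previous audit snapshot."""
    current = {cve_id for hits in findings.values() for cve_id, _ in hits}
    return current - previous_snapshot


# Constructed inventory and CVE feed (placeholders, not real data).
ASSET = {
    "plc-firmware": "cpe:2.3:o:examplevendor:plc_os:2.4.1:*:*:*:*:*:*:*",
    "web-hmi": "cpe:2.3:a:examplevendor:hmi_server:1.0:*:*:*:*:linux:*:*",
    "libfoo": "cpe:2.3:a:examplevendor:libfoo:*:*:*:*:*:*:*:*",   # version unknown
}
PLC_ANY = "cpe:2.3:o:examplevendor:plc_os:*:*:*:*:*:*:*:*"
SAMPLE_CVES = [
    CVE("CVE-0000-0001", 9.8, [MatchCriterion(PLC_ANY, version_end_excluding="2.5")]),
    CVE("CVE-0000-0002", 7.5, [MatchCriterion(PLC_ANY, version_start_including="3.0")]),
    CVE("CVE-0000-0003", 5.3, [MatchCriterion("cpe:2.3:a:examplevendor:hmi_server:1.0:*:*:*:*:*:*:*")]),
    CVE("CVE-0000-0004", 6.1, [MatchCriterion("cpe:2.3:a:examplevendor:libfoo:*:*:*:*:*:*:*:*",
                                              version_end_excluding="1.2")]),
    # plc_os listed only as the platform the flaw runs on, not as vulnerable itself
    CVE("CVE-0000-0005", 4.0, [MatchCriterion(PLC_ANY, vulnerable=False)]),
]

if __name__ == "__main__":
    findings = audit_asset(ASSET, SAMPLE_CVES)
    for name, hits in findings.items():
        print(name, hits or "no matching CVEs")
    print("new since last snapshot:", new_alerts({"CVE-0000-0003"}, findings))
```

Two design choices worth noting when building an inventory for such an audit: a component whose CPE has no concrete version (the libfoo entry) cannot be evaluated against a ranged criterion, so the example reports no match rather than silently flagging or silently clearing it, and a practitioner would want such entries surfaced for manual review; and criteria marked non-vulnerable (platform nodes in NVD configurations) must be ignored, otherwise every operating system listed as the platform of some application flaw is reported as affected.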
The Subscriptions page allows the user to subscribe to e-mail notifications of two kinds: snapshot information (sent when an asset audit is completed) and alerts (sent for each new vulnerability found).
The THOE log is accessible only to system administrator users. It stores information about the status of, and the events occurring in, the different THOE subsystems.