VulnIQ security analyzer, code named Terzi
As part of our vision of providing a complete solution, which aims to consolidate various security solutions into a single turnkey solution, VulnIQ has been developing a security analyzer.
Our vision contains three main pillars:
- VulnIQ security information engine which collects security information from external sources and makes the data available for consumption via APIs and a web UI. (See https://free.vulniq.com for the free version)
- VulnIQ security analyzer, Terzi, which will collect data from internal systems, utilizing data provided by the VulnIQ engine, and feed the collected data into the VulnIQ reporting engine.
- VulnIQ reporting engine which will utilize both data from the VulnIQ engine and data collected by Terzi to generate a complete picture of your internal systems. (Development in progress)
The VulnIQ security analyzer is named Terzi. It allows VulnIQ customers to run vulnerability scans, run OVAL checks or collect system information from their systems. Terzi is by default designed to be used together with the VulnIQ engine, but to make it more convenient for users, Terzi can also be used as a standalone tool for running OVAL definitions from other sources.
- Collecting list of installed software
- Running security scans and reporting vulnerabilities affecting the target system
- Running OVAL checks
- Pushing collected data to the VulnIQ reporting engine (development in progress)
Terzi also supports all of the above for Docker containers. For example, if you have Docker containers running on your machine, you can run Terzi on your machine and run checks against the Docker containers, without installing anything in the containers themselves.
The free version of Terzi is available free of charge, but please note that it is not open source; it is proprietary software. It is provided to the public only on an as-is basis without any warranties of any kind, express or implied. The free version may be discontinued at any time without any prior notice.
The free version only supports command line mode.
Terzi includes a real OVAL (Open Vulnerability and Assessment Language) interpreter, developed by VulnIQ. For now, it only supports the objects needed to run OVAL definitions published by Debian and Red Hat (and probably other Linux vendors). As of release 0.9.0 the following definitions and environments were tested:
- Debian (stretch) definitions
- Ubuntu (bionic) definitions
- Red Hat definitions (only some of the definitions) on RHEL 7
When used in standalone mode: It can load and run OVAL definitions (oval_definitions as defined by OVAL) from a local file or URL. For example, if you have a running Docker container on your machine named terzi-rhel7 and you want to quickly run a Red Hat OVAL advisory, you can simply run the following command:
bin/oval.sh -t Docker -n rhel7-container-name \
    -f https://www.redhat.com/security/data/oval/com.redhat.rhsa-20190049.xml
Or, if you have already downloaded the Debian OVAL definitions, you can load and run definitions from the downloaded file. In the following example, the -o parameter instructs Terzi to use only a single definition with id oval:org.debian:def:20199956. When a definition id is not provided with -o, all definitions in the file will be run. (Note that Debian files contain hundreds if not thousands of definitions and it may take a long time, e.g. 5-10+ minutes, to run thousands of definitions.)
bin/oval.sh -t Docker -n a-debian9-container -f ~/Downloads/oval-definitions-stretch.xml \
    -o oval:org.debian:def:20199956
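An added example, not part of Terzi or of the original page: a Python script that lists the definitions in an oval_definitions file so you can pick the id to pass with -o. The sample XML, its ids and its CVE numbers are constructed placeholders; element and attribute names follow the OVAL 5 definitions schema.

```python
import xml.etree.ElementTree as ET

OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"  # OVAL 5 namespace
NS = {"d": OVAL}

# Constructed sample shaped like an oval_definitions file; every id, title
# and CVE number below is a placeholder, not real advisory data.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions>
  <definition id="oval:org.example:def:1001" version="1" class="vulnerability">
   <metadata><title>CVE-0000-0001 examplepkg</title>
    <reference source="CVE" ref_id="CVE-0000-0001"/></metadata>
   <criteria><criterion test_ref="oval:org.example:tst:1"/></criteria>
  </definition>
  <definition id="oval:org.example:def:1002" version="1" class="patch">
   <metadata><title>EXAMPLE-SA-1: otherpkg security update</title>
    <reference source="CVE" ref_id="CVE-0000-0002"/></metadata>
   <criteria operator="AND"><criterion test_ref="oval:org.example:tst:2"/>
    <criteria operator="OR"><criterion test_ref="oval:org.example:tst:3"/>
     <extend_definition definition_ref="oval:org.example:def:1001"/></criteria>
   </criteria>
  </definition>
 </definitions>
</oval_definitions>"""

def list_definitions(xml_text):
    """Summarise every <definition>: id, class, title, CVEs, tests, extends."""
    root = ET.fromstring(xml_text)
    rows = []
    for d in root.iterfind("d:definitions/d:definition", NS):
        meta = d.find("d:metadata", NS)
        rows.append({
            "id": d.get("id"),
            "class": d.get("class"),
            "title": meta.findtext("d:title", "", NS).strip(),
            "cves": [r.get("ref_id") for r in meta.iterfind("d:reference", NS)
                     if r.get("source") == "CVE"],
            # iter() walks nested <criteria>, so deep test references are found
            "tests": [c.get("test_ref") for c in d.iter("{%s}criterion" % OVAL)],
            "extends": [e.get("definition_ref")
                        for e in d.iter("{%s}extend_definition" % OVAL)],
        })
    return rows

def find_ids(xml_text, needle):
    """Ids of definitions whose title contains needle or whose CVE list has it."""
    n = needle.lower()
    return [r["id"] for r in list_definitions(xml_text)
            if n in r["title"].lower() or n in (c.lower() for c in r["cves"])]
```

To use it on a downloaded file, pass the file's text to list_definitions or find_ids; for files from sources you do not trust, parse them with a hardened XML parser instead.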
See the Wiki pages, https://github.com/vulniq/security-analyzer/wiki, for more details and examples.
When used together with the VulnIQ engine: Terzi can load OVAL definitions from the VulnIQ engine. Instead of providing the entire oval_definitions file, you just provide the OVAL id and Terzi automatically downloads all the necessary data from the VulnIQ engine itself.
When running vulnerability scans (not available in the free version, yet):
- Terzi first determines the list of vulnerabilities by using version numbers and utilizing VulnIQ APIs
- In the next step, Terzi fetches the necessary OVAL data from the VulnIQ engine and verifies the vulnerabilities to provide you with the most accurate results. Most other solutions report vulnerabilities based only on version numbers, but the VulnIQ solution ensures high accuracy by running additional checks, such as OVAL checks.