Willy/TMP-Hosting
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
TMP-Hosting/openscap.md
Willy 08af135921 Update openscap.md
2026-06-09 20:15:26 +02:00

72 lines
No EOL
2.1 KiB
Markdown
Raw Blame History

## Installation d'OpenSCAP sur Debian12
```bash
sudo apt update
sudo apt install openscap-scanner openscap-utils ssg-debian
```
## Execution d'un audit de sécurité
```bash
wget https://www.debian.org/security/oval/oval-definitions-$(lsb_release -cs).xml.bz2
bunzip2 oval-definitions-$(lsb_release -cs).xml.bz2
oscap oval eval --report rapport-vulns.html oval-definitions-$(lsb_release -cs).xml
```
---
## Installer un paquet volontairement vulnérable
### Ajouter la source du snapshot
```bash
echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20230815T213225Z/ bookworm main' | tee /etc/apt/sources.list.d/snapshot-vuln.list
# Autre choix d'horodatages : https://snapshot.debian.org/archive/debian/?year=2023&month=8
```
### Epingler les paquets Apache vers le snapshot
```bash
tee /etc/apt/preferences.d/snapshot-apache.pref >/dev/null <<'EOF'
Package: apache2* libapr1* libaprutil1*
Pin: origin snapshot.debian.org
Pin-Priority: 1001
EOF
```
### Installer Apache (version ancienne)
```bash
apt update -o Acquire::Check-Valid-Until=false
apt install apache2
```
### Checker la version qui s'installe
```bash
apt-cache policy apache2
```
### Bloquer la mise à jour
```bash
apt-mark hold apache2 apache2-bin apache2-data apache2-utils
# "hold" empêche un futur "apt upgrade" d'annuler l'exercice
```
### Retirer l'épinglage et la source maintenent qu'une ancienne version est bloquée
```bash
rm /etc/apt/preferences.d/snapshot-apache.pref /etc/apt/sources.list.d/snapshot-vuln.list
apt update
```
### Relancer un scan
```bash
wget https://www.debian.org/security/oval/oval-definitions-$(lsb_release -cs).xml.bz2
bunzip2 -f oval-definitions-$(lsb_release -cs).xml.bz2
oscap oval eval --report rapport-vulns.html oval-definitions-$(lsb_release -cs).xml
```
Dans `rapport-vulns.html`, des CVE devrait ressortir en "vulnérable" pour les paquet en lien avec Apache (apache2, apache2-bin, libapr)
### Nettoyage après la démo
```bash
apt-mark unhold apache2 apache2-bin apache2-data apache2-utils
apt purge 'apache2*' 'libaprutil1*' 'libapr1*'
apt autoremove
```
Reference in a new issue View git blame Copy permalink