NOPC (Nessus-based Offline Patch Checker) is a patch checker primarily for Linux distributions and UNIX-based systems. It is a shell script that uses Nessus' NASL plugins and tells you which data must be collected from the system so that a list of missing security patches can be derived from it. It was developed for situations in which network connectivity to the systems under review is not possible.
Key features
- The ability to perform analysis on the following Linux/Unix based distributions:
  - AIX
  - HP-UX
  - MacOS X
  - Solaris (Not 11)
  - Debian
  - FreeBSD
  - Gentoo
  - Mandrake
  - Redhat
  - Redhat Centos
  - Redhat Fedora
  - Slackware
  - SuSE
  - Ubuntu
- The ability to perform analysis on Cisco IOS/ASA devices
- Output in CSV format with CVSS scores
Overview
Ever tried to perform a patch analysis of a UNIX-based machine without network access to it? It can be an eyesore and feel like a wrestling match to make reasonable sense of the output from tools like:

```
$ /bin/rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n' > patchlist.txt
```

Out of this evolved NOPC, which utilises Nessus' ability to perform an accurate patch analysis on the information extracted from the system. NOPC instructs you on how to recover this same information manually.
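The rpm query above prints one `NAME-VERSION-RELEASE|EPOCH` line per installed package, and reading it by eye is exactly the wrestling match described. The parser below is an added example (not part of NOPC) that splits those lines reliably: package names may themselves contain hyphens, while rpm forbids hyphens in VERSION and RELEASE, so the two rightmost hyphens are the delimiters, and rpm prints `(none)` for an unset epoch. The sample patchlist is constructed.

```python
"""Parse the rpm patchlist NOPC asks for (one 'NAME-VERSION-RELEASE|EPOCH' per line).

Added example; not part of NOPC. The sample lines below are constructed.
"""
from typing import Dict, List, NamedTuple, Optional


class Package(NamedTuple):
    name: str
    version: str
    release: str
    epoch: Optional[int]   # None when rpm printed "(none)" for an unset epoch


def parse_nvr_line(line: str) -> Package:
    """Split one 'NAME-VERSION-RELEASE|EPOCH' line into its parts.

    Package names may contain hyphens (e.g. perl-libwww-perl) while VERSION
    and RELEASE never do, so the two rightmost hyphens delimit them.
    """
    nvr, sep, epoch = line.strip().rpartition("|")
    if not sep:
        raise ValueError(f"missing '|EPOCH' separator: {line!r}")
    name_version, sep2, release = nvr.rpartition("-")
    name, sep3, version = name_version.rpartition("-")
    if not (sep2 and sep3 and name and version and release):
        raise ValueError(f"not a NAME-VERSION-RELEASE string: {nvr!r}")
    return Package(name, version, release, None if epoch == "(none)" else int(epoch))


def parse_patchlist(text: str) -> List[Package]:
    """Parse a whole patchlist.txt, ignoring blank lines."""
    return [parse_nvr_line(line) for line in text.splitlines() if line.strip()]


def index_by_name(packages: List[Package]) -> Dict[str, List[Package]]:
    """Group installed packages by name; kernels typically appear more than once."""
    index: Dict[str, List[Package]] = {}
    for pkg in packages:
        index.setdefault(pkg.name, []).append(pkg)
    return index


# Constructed sample of what `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n'` prints
SAMPLE_PATCHLIST = """\
openssl-0.9.8e-26.el5_9.1|(none)
perl-libwww-perl-5.805-1.1.1|(none)
kernel-2.6.18-308.el5|(none)
kernel-2.6.18-348.el5|(none)
bind-libs-9.3.6-20.P1.el5_8.6|30
"""

if __name__ == "__main__":
    for name, pkgs in sorted(index_by_name(parse_patchlist(SAMPLE_PATCHLIST)).items()):
        print(name, ", ".join(f"{p.version}-{p.release}" for p in pkgs))
```

Feed it the real `patchlist.txt` from the host and `index_by_name` gives a quick view of which packages (and how many kernels) the offline review is working from before NOPC is run.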
Installation
As NOPC is a shell script, it can be run from anywhere. Unzip and extract the download into a directory. There are two files:
- nopc.sh
- README.txt
The only prerequisite is that the system where the shell script runs has Nessus installed with up-to-date Nessus plugins. The script assumes the default locations for the nasl command-line tool (/opt/nessus/bin/nasl) and the Nessus plugins directory (/opt/nessus/lib/plugins).
These locations can be overridden with the 'd' option (the directory where NOPC looks for Nessus plugins) and the 'n' option (the location of the nasl command-line tool).
```
$ ./nopc.sh -d '/Library/Nessus/run/lib/nessus/plugins/'
$ ./nopc.sh -n '/local/bin/nasl'
```

Usage
Interactive Mode
Running through the interactive mode should be straightforward. NOPC asks for the following:
* Output type (e.g. list of missing patches, CSV of missing patches)
* Distribution that missing patches are to be checked against
* Specific system information required to perform the check (e.g. patchlist, release, OS level, hardware)

```
$ nopc.sh
Version: nopc.sh 0.4.7d
[+] Which output format would you like to use?
  0 - Displays Outdated Packages only
  1 - Displays NASL name and Outdated Packages
  2 - CSV output of CVE, KB and description (comma)
  3 - CSV output of CVE, CVSSv2, Severity, KB, Description (comma)
  4 - CSV output of CVE, KB and description (tab)
  5 - CSV output of CVE, CVSSv2, Severity, KB, Description (tab)

Enter 1-5? 3
[+] What type of system have you got the patch output for?
  1 - AIX
  2 - HP-UX
  3 - MacOS X *
  4 - Solaris (!11) *
  5 - Debian
  6 - FreeBSD
  7 - Gentoo
  8 - Mandrake
  9 - Redhat
  10 - Redhat (Centos)
  11 - Redhat (Fedora)
  12 - Slackware
  13 - SuSE *
  14 - Ubuntu
  15 - Cisco IOS/ASA *

  * EXPERIMENTAL!!

Enter 1-15? 1
[+] AIX Selected
[+] Run 'lslpp -Lc > patchlist.txt'
[+] Enter Location of file: aix-7.1-patchlist.txt
[+] Enter the AIX Release e.g. 6.1
[+] Enter Text Requested: 7.1
[+] Enter the output of 'oslevel -s' e.g. 6100-04-04-1441
[+] Enter Text Requested: 7100-03-04-1441
[+] To run this in a script the command would be:

/opt/bin/nopc.sh -l '3' -s '1' 'aix-7.1-patchlist.txt' '7.1' '7100-03-04-1441'

[+] Locating Nasls
[+] Checking for 11206 Missing Patches
NOPC, AIX
Plugin ID, CVE, CVSSv2, Severity, KB, Title
81920, "CVE-2014-8769", 6.4, Medium, "IV67588", "AIX 7.1 TL 3 : tcpdump (IV67588)"
82900, , 7.5, High, "openssl_advisory13", "AIX OpenSSL Advisory : openssl_advisory13.asc"
83135, "CVE-2015-0138, CVE-2015-2808", 4.3, Medium, "java_apr2015_advisory", "AIX Java Advisory : Multiple Vulnerabilities"
...
```

In the above case, several missing patches were identified.
Note that the prompts for output type and distribution can be bypassed with the -l and -s options if these details are already known.
For example, for a detailed report of missing Redhat patches in CSV format:

```
$ nopc.sh -l '3' -s '9'
Version: nopc.sh 0.4.7d
[+] Redhat Selected
[+] Run '/bin/rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{EPOCH}\n' > patchlist.txt'
[+] Enter Location of file: patch-redhat-1.txt
[+] Enter the contents of /etc/redhat-release
[+] Enter Text Requested: Red Hat Enterprise Linux Server release 5
[+] Enter value of 'uname -m' e.g. x86_64, i686
[+] Enter Text Requested: i686
[+] To run this in a script the command would be:

/opt/bin/nopc.sh -l '3' -s '9' 'patch-redhat-1.txt' 'Red Hat Enterprise Linux Server release 5' 'i686'

[+] Locating Nasls
[+] Checking for 3620 Missing Patches
NOPC, Redhat
Plugin ID, CVE, CVSSv2, Severity, KB, Title
58262, "CVE-2012-0768, CVE-2012-0769", 10, High, "redhat-RHSA-2012-0359", "RHEL 5 / 6 : flash-plugin (RHSA-2012-0359)"
55813, "CVE-2011-2130, CVE-2011-2134, CVE-2011-2135, CVE-2011-2136, CVE-2011-2137, CVE-2011-2138, CVE-2011-2139, CVE-2011-2140, CVE-2011-2414, CVE-2011-2415, CVE-2011-2416, CVE-2011-2417, CVE-2011-2424, CVE-2011-2425", 10, High, "redhat-RHSA-2011-1144", "RHEL 5 / 6 : flash-plugin (RHSA-2011-1144)"
```
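Output format 3 is the one worth feeding into a tracker or report, but its CVE column is a single quoted field that can hold many comma-separated CVE ids (or be empty, as for the AIX OpenSSL advisory above), so a naive split on commas breaks it. The script below is an added example, not part of NOPC, that parses that format with a proper CSV reader, skips the `NOPC, <distro>` preamble and header lines, and ranks the missing patches by CVSSv2. The embedded sample is the AIX output shown earlier on this page.

```python
"""Triage NOPC's CSV output (format 3: CVE, CVSSv2, Severity, KB, Description).

Added example; not part of NOPC. The sample below is the AIX run shown in
the README, embedded so the script runs offline.
"""
import csv
import io
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    plugin_id: int
    cves: List[str]      # empty when NOPC printed no CVE (e.g. a vendor advisory)
    cvss: float
    severity: str
    kb: str
    title: str


def parse_nopc_csv(text: str) -> List[Finding]:
    """Parse format-3 CSV; skips the 'NOPC, <distro>' preamble, header and '...' lines.

    The CVE column is one quoted field that may hold several comma-separated
    CVE ids, so a real CSV parser (not str.split(',')) is required.
    """
    findings: List[Finding] = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if len(row) != 6 or not row[0].strip().isdigit():
            continue
        plugin_id, cve_field, cvss, severity, kb, title = (f.strip() for f in row)
        cves = [c.strip() for c in cve_field.split(",") if c.strip()]
        findings.append(Finding(int(plugin_id), cves, float(cvss), severity, kb, title))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Number of missing patches per NOPC severity label."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def top_by_cvss(findings: List[Finding], n: int = 10) -> List[Finding]:
    """Highest-scoring findings first; ties keep NOPC's output order."""
    return sorted(findings, key=lambda f: -f.cvss)[:n]


def all_cves(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated CVE ids across every missing patch."""
    return sorted({cve for f in findings for cve in f.cves})


# The AIX run from the README (output format 3), embedded for an offline demo
SAMPLE_OUTPUT = """\
NOPC, AIX
Plugin ID, CVE, CVSSv2, Severity, KB, Title
81920, "CVE-2014-8769", 6.4, Medium, "IV67588", "AIX 7.1 TL 3 : tcpdump (IV67588)"
82900, , 7.5, High, "openssl_advisory13", "AIX OpenSSL Advisory : openssl_advisory13.asc"
83135, "CVE-2015-0138, CVE-2015-2808", 4.3, Medium, "java_apr2015_advisory", "AIX Java Advisory : Multiple Vulnerabilities"
...
"""

if __name__ == "__main__":
    findings = parse_nopc_csv(SAMPLE_OUTPUT)
    print("by severity:", count_by_severity(findings))
    for f in top_by_cvss(findings):
        print(f"{f.cvss:>4}  {f.severity:<7} {f.kb:<22} {f.title}")
    print("CVEs:", ", ".join(all_cves(findings)))
```

Redirect a real run (`nopc.sh -l '3' -s '9' ... > findings.csv`) into a file and pass its contents to `parse_nopc_csv`; the Redhat output above, with fourteen CVEs in one quoted field, parses the same way.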