Detect processes affected by update using yum-ps

Author: kotakanbe

README.ja.md

@@ -150,9 +150,12 @@ Vulsは上に挙げた手動運用での課題を解決するツールであり
     - Fastスキャン
         - root権限必要なし
         - スキャン対象サーバの負荷ほぼなし
-        - インターネットに接続していない環境でもスキャン可能 (RedHat, CentOS, OracleLinux, Ubuntu, Debian)
+        - インターネットに接続していない環境でもスキャン可能 (RedHat, CentOS, OracleLinux, Ubuntu and Debian)
     - Deepスキャン
+		- Root権限が必要
         - Changelogの差分を取得し、そこに書かれているCVE-IDを検知
+        - Updateに影響のあるプロセスの情報を、アップデート前に取得可能 (RedHat, CentOS, OracleLinux and Amazon Linux)
+
         - スキャン対象サーバに負荷がかかる場合がある
 - リモートスキャンとローカルスキャン
     - リモートスキャン
@@ -609,7 +612,8 @@ Vulsをスキャン対象サーバにデプロイする。Vulsはローカルホ
 | Raspbian    |1st time: Slow <br> From 2nd time: Fast|                      Need |        No |                                    Need |
 
 
-- Ubuntu, Debian, Raspbian
+#### Changelog
+- Ubuntu, Debian and Raspbian
 `apt-get changelog`でアップデート対象のパッケージのチェンジログを取得し、含まれるCVE IDをパースする。
 アップデート対象のパッケージが沢山ある場合、チェンジログの取得に時間がかかるので、初回のスキャンは遅い。  
 ただ、２回目以降はキャッシュしたchangelogを使うので速くなる。  
@@ -620,6 +624,10 @@ Vulsをスキャン対象サーバにデプロイする。Vulsはローカルホ
 - Amazon, RHEL and FreeBSD  
 `yum changelog`でアップデート対象のパッケージのチェンジログを取得する(パースはしない)。
 
+#### Detect processes affected by update using yum-ps
+- RedHat, CentOS, OracleLinux and Amazon Linux
+次回のソフトウェアアップデートに影響のあるプロセスを事前に知ることができる。
+
 ----
 
 # Use Cases
@@ -899,13 +907,13 @@ Deep Scan Modeでスキャンするためには、下記のパッケージが必
 | Distribution |            Release | Requirements |
 |:-------------|-------------------:|:-------------|
 | Ubuntu       |          12, 14, 16| -            |
-| Debian       |             7, 8, 9| aptitude, reboot-notifier   |
-| CentOS       |                6, 7| yum-plugin-changelog, yum-utils |
-| Amazon       |                All | yum-plugin-changelog, yum-utils |
+| Debian       |             7, 8, 9| aptitude, reboot-notifier     |
+| CentOS       |                6, 7| yum-plugin-changelog, yum-utils, yum-plugin-ps |
+| Amazon       |                All | yum-plugin-changelog, yum-utils, yum-plugin-ps  |
 | RHEL         |                  5 | yum-utils, yum-security, yum-changelog |
-| RHEL         |               6, 7 | yum-utils, yum-plugin-changelog |
+| RHEL         |               6, 7 | yum-utils, yum-plugin-changelog, yum-plugin-ps  |
 | Oracle Linux |                  5 | yum-utils, yum-security, yum-changelog |
-| Oracle Linux |               6, 7 | yum-utils, yum-plugin-changelog |
+| Oracle Linux |               6, 7 | yum-utils, yum-plugin-changelog, yum-plugin-ps  |
 | FreeBSD      |                 10 | -            |
 | Raspbian     |     Wheezy, Jessie | -            |
 
@@ -925,7 +933,13 @@ Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
 
 - RHEL 6, 7 / Oracle Linux 6, 7
 ```
-vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never --security updateinfo list updates, /usr/bin/yum --color=never --security updateinfo updates
+vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never --security updateinfo list updates, /usr/bin/yum --color=never --security updateinfo updates, /usr/bin/yum --color=never -q ps all
+Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
+```
+
+- Amazon Linux, CentOS
+```
+vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never -q ps all
 Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
 ```
 
@@ -935,7 +949,7 @@ vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
 Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
 ```
 
-- CentOS, Amazon Linux, FreeBSDは今のところRoot権限なしでスキャン可能
+- FreeBSDは今のところRoot権限なしでスキャン可能
 
 ----
 

README.md

@@ -154,10 +154,11 @@ Vuls is a tool created to solve the problems listed above. It has the following
 - Fast scan and Deep scan
     - Fast Scan
         - Scan without root privilege
-        - Scan with No internet access. (RedHat, CentOS, OracleLinux, Ubuntu, Debian)
+        - Scan with No internet access. (RedHat, CentOS, OracleLinux, Ubuntu and Debian)
         - Almost no load on the scan target server
     - Deep Scan
         - Scan with root privilege
+		- Detect processes affected by update using yum-ps (RedHat, CentOS, OracleLinux and Amazon Linux)
         - Parses the Changelog  
             Changelog has a history of version changes. When a security issue is fixed, the relevant CVE ID is listed.
             By parsing the changelog and analysing the updates between the installed version of software on the server and the newest version of that software
@@ -587,35 +588,36 @@ On the aggregation server, you can refer to the scanning result of each scan tar
 - Scan without Root Privilege
 - Scan with No internet access on some OS.
 
-| Distribution|                             Scan Speed | Need Root Privilege |       OVAL | Need Internet Access <br>on scan tareget|
-|:------------|:--------------------------------------:|:-------------------:|:----------:|:---------------------------------------:|
-| CentOS      |                                   Fast |　                No |  Supported |                                      No | 
-| RHEL        |                                   Fast |　                No |  Supported |                                      No |
-| Oracle      |                                   Fast |　                No |  Supported |                                      No |
-| Ubuntu      |                                   Fast |　                No |  Supported |                                      No |
-| Debian      |                                   Fast |　                No |  Supported |                                      No |
-| Raspbian    |1st time: Slow <br> From 2nd time: Fast |                Need |         No |                                    Need |
-| FreeBSD     |                                   Fast |　                No |         No |                                    Need |
-| Amazon      |                                   Fast |　                No |         No |                                    Need | 
+| Distribution|                             Scan Speed | Need Root |       OVAL | Need Internet Access <br>on scan tareget|
+|:------------|:--------------------------------------:|:---------:|:----------:|:---------------------------------------:|
+| CentOS      |                                   Fast |        No |  Supported |                                      No | 
+| RHEL        |                                   Fast |        No |  Supported |                                      No |
+| Oracle      |                                   Fast |        No |  Supported |                                      No |
+| Ubuntu      |                                   Fast |        No |  Supported |                                      No |
+| Debian      |                                   Fast |        No |  Supported |                                      No |
+| Raspbian    |1st time: Slow <br> From 2nd time: Fast |      Need |         No |                                    Need |
+| FreeBSD     |                                   Fast |        No |         No |                                    Need |
+| Amazon      |                                   Fast |        No |         No |                                    Need | 
 
 
 ---------
 
 ### Deep Scan
 ![Vuls-Scan-Flow](img/vuls-scan-flow.png)
 
-| Distribution|                            Scan Speed |       Need Root Privilege |      OVAL | Need Internet Access <br>on scan tareget|
-|:------------|:-------------------------------------:|:-------------------------:|:---------:|:---------------------------------------:|
-| CentOS      |                                  Slow |　                      No | Supported |                                    Need | 
-| RHEL        |                                  Slow |　                    Need | Supported |                                    Need |
-| Oracle      |                                  Slow |　                    Need | Supported |                                    Need |
-| Ubuntu      |1st time: Slow <br> From 2nd time: Fast|                      Need | Supported |                                    Need |
-| Debian      |1st time: Slow <br> From 2nd time: Fast|                      Need | Supported |                                    Need |
-| Raspbian    |1st time: Slow <br> From 2nd time: Fast|                      Need |        No |                                    Need |
-| FreeBSD     |                                  Fast |　                      No |        No |                                    Need |
-| Amazon      |                                  Slow |　                      No |        No |                                    Need |
+| Distribution|                            Scan Speed | Need Root |      OVAL | Need Internet Access <br>on scan tareget|
+|:------------|:-------------------------------------:|:---------:|:---------:|:---------------------------------------:|
+| CentOS      |                                  Slow |        No | Supported |                                    Need | 
+| RHEL        |                                  Slow |      Need | Supported |                                    Need |
+| Oracle      |                                  Slow |      Need | Supported |                                    Need |
+| Ubuntu      |1st time: Slow <br> From 2nd time: Fast|      Need | Supported |                                    Need |
+| Debian      |1st time: Slow <br> From 2nd time: Fast|      Need | Supported |                                    Need |
+| Raspbian    |1st time: Slow <br> From 2nd time: Fast|      Need |        No |                                    Need |
+| FreeBSD     |                                  Fast |        No |        No |                                    Need |
+| Amazon      |                                  Slow |        No |        No |                                    Need |
 
 
+#### Changelog
 - On Ubuntu, Debian and Raspbian
 Vuls issues `apt-get changelog` for each upgradable packages and parse the changelog.  
 `apt-get changelog` is slow and resource usage is heavy when there are many updatable packages on target server.   
@@ -627,6 +629,10 @@ Vuls issues `yum changelog` to get changelogs of upgradable packages at once and
 - On RHEL, Oracle, Amazon and FreeBSD
 Detect CVE IDs by using package manager.
 
+#### Detect processes affected by update using yum-ps
+- RedHat, CentOS, OracleLinux and Amazon Linux
+It is possible to know processes affecting software update in advance.
+
 ----
 
 # Use Cases
@@ -912,12 +918,12 @@ In order to scan with deep scan mode, the following dependencies are required, s
 |:-------------|-------------------:|:-------------|
 | Ubuntu       |          12, 14, 16| -            |
 | Debian       |             7, 8, 9| aptitude, reboot-notifier     |
-| CentOS       |                6, 7| yum-plugin-changelog, yum-utils |
-| Amazon       |                All | yum-plugin-changelog, yum-utils |
+| CentOS       |                6, 7| yum-plugin-changelog, yum-utils, yum-plugin-ps |
+| Amazon       |                All | yum-plugin-changelog, yum-utils, yum-plugin-ps  |
 | RHEL         |                  5 | yum-utils, yum-security, yum-changelog |
-| RHEL         |               6, 7 | yum-utils, yum-plugin-changelog |
+| RHEL         |               6, 7 | yum-utils, yum-plugin-changelog, yum-plugin-ps  |
 | Oracle Linux |                  5 | yum-utils, yum-security, yum-changelog |
-| Oracle Linux |               6, 7 | yum-utils, yum-plugin-changelog |
+| Oracle Linux |               6, 7 | yum-utils, yum-plugin-changelog, yum-plugin-ps  |
 | FreeBSD      |                 10 | -            |
 | Raspbian     |     Wheezy, Jessie | -            |
 
@@ -937,7 +943,13 @@ Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
 
 - RHEL 6, 7 / Oracle Linux 6, 7
 ```
-vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never --security updateinfo list updates, /usr/bin/yum --color=never --security updateinfo updates
+vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never repolist, /usr/bin/yum --color=never --security updateinfo list updates, /usr/bin/yum --color=never --security updateinfo updates, /usr/bin/yum --color=never -q ps all
+Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
+```
+
+- Amazon Linux, CentOS
+```
+vuls ALL=(ALL) NOPASSWD:/usr/bin/yum --color=never -q ps all
 Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
 ```
 
@@ -947,7 +959,7 @@ vuls ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
 Defaults:vuls env_keep="http_proxy https_proxy HTTP_PROXY HTTPS_PROXY"
 ```
 
-- On CentOS, Amazon Linux, FreeBSD, it is possible to scan without root privilege for now.
+- On FreeBSD, it is possible to scan without root privilege for now.
 
 ----
 

models/packages.go

@@ -71,7 +71,7 @@ func (ps Packages) FormatUpdatablePacksSummary() string {
 	return fmt.Sprintf("%d updatable packages", nUpdatable)
 }
 
-// FindOne search a element by name-newver-newrel-arch
+// FindOne search a element
 func (ps Packages) FindOne(f func(Package) bool) (string, Package, bool) {
 	for key, p := range ps {
 		if f(p) {
@@ -83,14 +83,15 @@ func (ps Packages) FindOne(f func(Package) bool) (string, Package, bool) {
 
 // Package has installed packages.
 type Package struct {
-	Name       string
-	Version    string
-	Release    string
-	NewVersion string
-	NewRelease string
-	Arch       string
-	Repository string
-	Changelog  Changelog
+	Name          string
+	Version       string
+	Release       string
+	NewVersion    string
+	NewRelease    string
+	Arch          string
+	Repository    string
+	Changelog     Changelog
+	AffectedProcs []AffectedProc `json:",omitempty"`
 }
 
 // FormatVer returns package version-release
@@ -151,3 +152,13 @@ type Changelog struct {
 	Contents string
 	Method   DetectionMethod
 }
+
+// AffectedProc keep a processes information affected by software update
+type AffectedProc struct {
+	PID      string
+	ProcName string
+	CPU      string
+	RSS      string
+	State    string
+	Uptime   string
+}