Import or update the vulnerability database with MicroK8s

This procedure details the steps to import or update the vulnerability database in your Cyberwatch instance deployed in offline mode with MicroK8s.

The vulnerability database can be updated from a web browser or from the command line. Browser-based import is suitable for occasional updates of the vulnerability database, while command-line import is better suited to frequent use because it can be automated.

Prerequisites

The procedure for importing the vulnerability database requires:

  • a machine connected to the Internet;
  • valid credentials to access the Cyberwatch repository;
  • a Cyberwatch instance deployed in offline mode with MicroK8s.

From a web browser

This section describes how to retrieve and import the vulnerability database from a web browser. It is suitable for occasional use.

  1. Download the vulnerability database from https://dl.cyberwatch.fr/download_database. Access is authenticated; use the credentials sent by Cyberwatch.

  2. Log in to the web interface of your Cyberwatch instance with an Administrator account.

  3. Go to the admin overview.

  4. Click the “upload” button, near the “Security Database” title.

  5. Import the previously downloaded database file and click on “Update”.

From the command line

This section describes how to retrieve and import the vulnerability database from the command line. It is designed to be automated.

Download the database

  1. Export your Cyberwatch credentials (fill in the values):

    export CBW_USER=
    export CBW_PASSWORD=
    
  2. Download the vulnerability database:

    curl -u "$CBW_USER:$CBW_PASSWORD" \
       -sf https://dl.cyberwatch.fr/download_database \
       -o vulnerability_db.zip
    
  3. (Optional) Verify the integrity of the vulnerability database:

    1. Extract the archive:

      unzip vulnerability_db.zip
      
    2. Download Cyberwatch’s public key:

      curl https://dl.cyberwatch.fr/securitydb/cyberwatch.pub -o cyberwatch.pub
      
    3. Strip the trailing byte from the signature file and compute the SHA-256 hash of the database:

      head -c -1 cyberwatch.sig > signature
      head -c -1 cyberwatch.db | sha256sum | cut -f1 -d' '| tr -d '\n' > cyberwatch.db.sha256
      
    4. Verify the signature:

      openssl dgst -sha256 -verify cyberwatch.pub -signature signature cyberwatch.db.sha256
      

      The output of this command must be Verified OK.
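
For automated use, the verification steps above can be wrapped so that the job stops when the signature does not verify. The following is an added example, not Cyberwatch's own tooling: the function names, return codes and the `DEST` staging directory are assumptions, and it expects `cyberwatch.db` and `cyberwatch.sig` at the top level of the archive, as the manual commands do.

```shell
#!/usr/bin/env bash
# Added example: fail-closed wrapper around the manual verification commands.
# Function names, return codes and DEST are assumptions of this example.

# verify_securitydb DIR PUBKEY
# DIR holds the extracted cyberwatch.db and cyberwatch.sig.
# Returns 0 if the signature verifies, 1 if it does not, 2 if inputs are missing.
verify_securitydb() {
    local dir="$1" pubkey="$2" work rc=0
    [ -s "$dir/cyberwatch.db" ] && [ -s "$dir/cyberwatch.sig" ] \
        && [ -s "$pubkey" ] || return 2
    work=$(mktemp -d) || return 2
    # Same transformations as the manual procedure: drop the trailing byte of
    # each file, then verify the signature over the hex digest of the database.
    # The decision uses openssl's exit status, not the "Verified OK" text.
    head -c -1 "$dir/cyberwatch.sig" > "$work/signature" &&
    head -c -1 "$dir/cyberwatch.db" | sha256sum | cut -f1 -d' ' \
        | tr -d '\n' > "$work/db.sha256" &&
    openssl dgst -sha256 -verify "$pubkey" -signature "$work/signature" \
        "$work/db.sha256" >/dev/null 2>&1 || rc=1
    rm -rf "$work"
    return "$rc"
}

# stage_verified_archive ZIP PUBKEY DEST
# Extracts ZIP into a scratch directory, verifies it, and copies ZIP to DEST
# only on success, so an unverified archive never reaches the import step.
stage_verified_archive() {
    local zip="$1" pubkey="$2" dest="$3" tmp rc=0
    tmp=$(mktemp -d) || return 2
    unzip -q "$zip" -d "$tmp" && verify_securitydb "$tmp" "$pubkey" || rc=$?
    rm -rf "$tmp"
    if [ "$rc" -ne 0 ]; then
        echo "refusing $zip: verification failed (code $rc)" >&2
        return 1
    fi
    cp "$zip" "$dest"
}

# Usage, after the download step:
#   stage_verified_archive vulnerability_db.zip cyberwatch.pub /path/to/staging
```

Using a copy of `cyberwatch.pub` that is already stored locally, rather than fetching it in the same run as the archive, keeps the check independent of the download.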

Import the archive in Cyberwatch

  1. Copy the archive vulnerability_db.zip to the machine where Cyberwatch is deployed.

  2. Connect with SSH to the machine where Cyberwatch is deployed.

  3. Move the .zip archive to the securitydb volume:

    mkdir -p /var/lib/volumes/cyberwatch/securitydb
    mv vulnerability_db.zip /var/lib/volumes/cyberwatch/securitydb
    
  4. Apply the changes:

    sudo cyberwatch restart
    
  5. Run the synchronization command:

    sudo cyberwatch exec sidekiq security_database_import_task