Discover vulnerabilities with Google Tsunami

Before the Wave

Google Plans

The Tsunami plugins website contains a list of plugins that you can look forward to in the foreseeable future. Quite a few matches here are likely to become very helpful in everyday admin life. For example, Tsunami will be able in the future to automatically detect an unprotected Hashicorp Consul server exposed to the web. Overly communicative Docker API servers are on the Tsunami developers' wishlist, as are unconfigured Drupal and phpMyAdmin instances or completely open Kubernetes instances, which, in particular, have become a problem in recent months because many admins don't realize they even have a problem. As soon as the appropriate plugins are available in Tsunami, this case should no longer be a problem because the tool gives clear instructions in its command output as to the steps you should take.

Writing Your Own Checks

Tsunami lets you write your own checks. Although it is beyond the scope of this article to go into detail, I would like to offer you a few insights on this subject, too.

The examples directory is in the source code of the Tsunami plugins themselves, not in the scanner directories. The examples directory in turn offers three examples that relate to different problems: an unpatched vulnerability, an API accidentally exposed without protection, and a generic example that calls an external check command. If you are not familiar with Java, you probably won't be able to do much with these examples, but with a little knowledge of a programming language, you will quickly understand how Tsunami works and the features it offers (Figure 3). At the beginning of a plugin, you need to import several Tsunami modules that can be used to run various tests with generic parameters. Functions such as outputting a report after it has been generated are standardized and mean that the outputs of individual plugins appear reliably in the overall output of the tool.

Figure 3: The sample plugins make it clear that most of the Tsunami functionality comes from Google's own Java classes.

The examples in the Tsunami source code together with the existing modules in the other GitHub directory will make it easier for more experienced Java developers to get started. Some fairly rudimentary documentation [2] answers essential questions and provides explanations and examples.


Tsunami helps answer a very pressing question: Where in my environment do dangers lurk – ones that I don't even know about at the moment? Taking a proactive approach with Tsunami empowers you to fix problems before they turn into security vulnerabilities. In essence, Tsunami differs from other tools such as Chef in that it can be extended by plugins, although knowledge of Java is indispensable.

The only downer is the way deployment is handled; it currently lets you specify a single host as the target and forces you to jump through hoops. You can basically install at the command line or use Docker and the corresponding infrastructure; in fact, Docker might be the better choice in a production environment in most cases. However, if you do not have a CI/CD environment that lets you build your own Docker containers, you can look forward to a little more work just around the bend.

The Author

Freelance journalist Martin Gerhard Loschwitz focuses primarily on topics such as OpenStack, Kubernetes, and Chef.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.