author | Hasan ÇALIŞIR <hasan.calisir@psauxit.com> | 2019-02-07 04:51:45 +0300 |
---|---|---|
committer | Patrice Clement <monsieurp@gentoo.org> | 2019-03-13 15:58:51 +0100 |
commit | 87057ce7dbb83050472c6ee39f083a229aee2eed (patch) | |
tree | 64f3bdbd8e79e5c4329954da592bff8d06b93a31 /net-analyzer/openvas-scanner | |
parent | net-analyzer/openvas-libraries: version bump to 9.0.3. (diff) | |
net-analyzer/openvas-scanner: version bump to 5.1.3.
Bump to 5.1.3.
This also brings new improvements and introduces the new USE flag 'extras'.
Introduces three new patches which fix build and QA issues:
- gcc8.patch fixes gcc-8 build issue.
- nvt.patch fixes nvt category issue.
- cachedir.patch fixes unnecessary directory install QA issue.
Introduces two new useful scripts:
- first-start script checks setup and ready it for first time use.
- openvas-feed-sync script updates OpenVAS feeds from cron.
Introduces one new example file for proper redis configuration.
redis.conf.example is proper example config file for package.
systemd & init script files updated.
Because of new dependencies ~arm ~ppc keywords have been dropped.
This package is part of net-analyzer/openvas.
Reported-by: NP-Hardass <np-hardass@gentoo.org>
Acked-by: Hasan ÇALIŞIR <hasan.calisir@psauxit.com>
Tested-by: Hasan ÇALIŞIR <hasan.calisir@psauxit.com>
Signed-off-by: Hasan ÇALIŞIR <hasan.calisir@psauxit.com>
Package-Manager: Portage-2.3.51, Repoman-2.3.11
Signed-off-by: Patrice Clement <monsieurp@gentoo.org>
Diffstat (limited to 'net-analyzer/openvas-scanner')
15 files changed, 1700 insertions, 95 deletions
diff --git a/net-analyzer/openvas-scanner/Manifest b/net-analyzer/openvas-scanner/Manifest
index db79fe5dc715..2bb7d462564b 100644
--- a/net-analyzer/openvas-scanner/Manifest
+++ b/net-analyzer/openvas-scanner/Manifest
@@ -1 +1,2 @@
 DIST openvas-scanner-5.0.4.tar.gz 236282 BLAKE2B 3105afe0fd819773b33c8194e0addaad70af4692578fe3bfbd76166004ca99e25f2f22a946810fe52da747242f1e45bae00766c4687676ec70df2d7349fa4509 SHA512 51267f832a104897a497b5dc71d1b804de4db77742e2234d111a00b1e0e01536613b16ff48d23a37013178b016b39408a25d18a694980c7e6fc600824e05e149
+DIST openvas-scanner-5.1.3.tar.gz 254159 BLAKE2B d90fa15e143ead53abce66f933a3a4cac327176cca0f23bd88fe771ed7726b1891784ae980644c8335e560d348753115e43cfae83af9704e2d1d02827163563f SHA512 5712ab275058877cfd656e268ed09c81db6617ae247c17092f1fcd037f692f2018daf21b09b82401f99a7361bb485f0e0f7d63f8ff2387839cfdd5a3aaf8424e
diff --git a/net-analyzer/openvas-scanner/files/first-start b/net-analyzer/openvas-scanner/files/first-start
new file mode 100755
index 000000000000..95811a56b19d
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/first-start
@@ -0,0 +1,634 @@
+#!/bin/bash
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+# This is OpenVAS first-start/check-setup script which make things automatically for first time use.
+
+
+##################################################################################################
+# If you use systemd or init.d(open-rc) for OpenVAS daemons you don't need to set below settings.#
+# If you don't use any of them you can set the below command args to start daemons manually. #
+##################################################################################################
+
+# OpenVAS Manager command args
+OPENVAS_MANAGER_OPTIONS="" # e.g --foreground
+OPENVAS_MANAGER_PORT="--port=9390" # Manager listen port
+OPENVAS_MANAGER_LISTEN_ADDRESS="--listen=127.0.0.1" # Manager listen address
+OPENVAS_MANAGER_SCANNER_HOST="--scanner-host=/var/run/openvassd.sock" # Scanner unix socket
+OPENVAS_MANAGER_GNUTLS_PRIORITIES="--gnutls-priorities=SECURE256:+SUITEB192:+SECURE192:+SECURE128:+SUITEB128:-MD5:-SHA1:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-SSL3.0"
+
+# OpenVAS Scanner command args
+OPENVAS_SCANNER_OPTIONS="" # e.g --foreground
+OPENVAS_SCANNER_LISTEN_SOCKET="--unix-socket=/var/run/openvassd.sock" # Scanner listen socket
+
+# OpenVAS Security Assistant command args for reverse proxying | SSL PassThrough
+OPENVAS_SECURITY_ASSISTANT_OPTIONS="--no-redirect" # Don't listen port 80 anymore for reverse proxy
+OPENVAS_SECURITY_ASSISTANT_LISTEN_ADDRESS="--listen=127.0.0.1" # WebUI adress
+OPENVAS_SECURITY_ASSISTANT_LISTEN_PORT="--port=9392" # WebUI Port
+OPENVAS_SECURITY_ASSISTANT_MANAGER_LISTEN_ADDRESS="--mlisten=127.0.0.1" # WebUI Manager Address
+OPENVAS_SECURITY_ASSISTANT_MANAGER_PORT="--mport=9390" # WebUI Manager Port
+OPENVAS_SECURITY_ASSISTANT_GNUTLS_PRIORITIES="--gnutls-priorities=NORMAL" # TLS Settings
+
+#####################################################################################################
+
+# Update 
Environment +source /etc/profile &>/dev/null +source /etc/environment &>/dev/null +source ~/.bash_profile &>/dev/null + +# Check the needed executables.They are in our environment and have +x? +if ! [ -x "$(command -v openvasmd)" ] || + ! [ -x "$(command -v openvassd)" ] || + ! [ -x "$(command -v redis-server)" ] || + ! [ -x "$(command -v openvas-manage-certs)" ] || + ! [ -x "$(command -v greenbone-nvt-sync)" ] || + ! [ -x "$(command -v greenbone-scapdata-sync)" ] || + ! [ -x "$(command -v greenbone-certdata-sync)" ]; then + path="1" + else + path="0" +fi + +# Check Security-Assistant is exist +if ! [ -x "$(command -v gsad)" ]; then + gsad="1" + else + gsad="0" +fi +# Executables are not in our environment +if [ $path -eq 1 ]; then + echo "Can't find executables! If you installed OpenVAS to specific location e.g. /opt" + echo "please add these PATHS to /etc/profile,also sure that they are executable" + exit 1 +fi + +# Check systemd and enable services for Gentoo/Linux +if command -v systemctl &>/dev/null; then + systemctl="0" + echo "systemd found." + systemctl enable openvas-scanner.service &>/dev/null + if [ $? -eq 0 ]; then + echo "systemd.Gentoo --> openvas-scanner.service enabled." + fi + systemctl enable gvmd.service &>/dev/null + if [ $? -eq 0 ]; then + echo "systemd.Gentoo --> gvmd.service enabled." + fi + systemctl enable gsa.service &>/dev/null + if [ $? -eq 0 ]; then + echo "systemd.Gentoo --> gsa.service enabled." + fi + else + systemctl="1" +fi + +# Check open-rc if exist +if command -v rc-service &>/dev/null; then + open_rc="0" + else + open_rc="1" +fi + +# open-rc variables +if [ $systemctl -eq 1 ] && [ $open_rc -eq 0 ]; then + echo "open-rc found." 
+ scanner_init="0" + manager_init="0" + assistant_init="0" + redis_init="0" +fi + +# Check status of OpenVAS-Scanner systemd unit +if [ $systemctl -eq 0 ] && + ([ "$(systemctl is-active openvas-scanner.service)" = "active" ] || + [ "$(systemctl list-unit-files | grep 'enabled' | grep 'openvas-scanner.service' | awk '{print $1}')" = "openvas-scanner.service" ]); then + scanner="0" + else + scanner="1" +fi + +# Check status of OpenVAS-Manager systemd unit +if [ $systemctl -eq 0 ] && + ([ "$(systemctl is-active gvmd.service)" = "active" ] || + [ "$(systemctl list-unit-files | grep 'enabled' | grep 'gvmd.service' | awk '{print $1}')" = "gvmd.service" ]); then + manager="0" + else + manager="1" +fi + +# Check status of OpenVAS-Assistant systemd unit +if [ $systemctl -eq 0 ] && + ([ "$(systemctl is-active gsa.service)" = "active" ] || + [ "$(systemctl list-unit-files | grep 'enabled' | grep 'gsa.service' | awk '{print $1}')" = "gsa.service" ]); then + assistant="0" + else + assistant="1" +fi + +# Check status of Redis systemd unit +if [ $systemctl -eq 0 ] && + ([ "$(systemctl is-active redis.service)" = "active" ] || + [ "$(systemctl list-unit-files | grep 'enabled' | grep 'redis.service' | awk '{print $1}')" = "redis.service" ]); then + redis="0" + else + redis="1" +fi + +# We need to find correct service name for restarting. 
+if [ $scanner -eq 1 ] || [ $manager -eq 1 ] || [ $assistant -eq 1 ] || [ $redis -eq 1 ]; then + WHICHM="ExecStart=$(type openvasmd | awk '{print $3}')" + WHICHS="ExecStart=$(type openvassd | awk '{print $3}')" + WHICHA="ExecStart=$(type gsad | awk '{print $3}')" + WHICHR="ExecStart=$(type redis-server | awk '{print $3}')" + + # If you have unordinary systemd path you can add here + DIR="/lib/systemd/system/ + /etc/systemd/system/ + /usr/lib/systemd/system/ + /usr/local/lib/systemd/system/" + + # Find OpenVAS daemons systemd files if exist + for i in $DIR; do + if [ -d "$i" ]; then + grep -rilnw "$i" -e "$WHICHM" | cut -d: -f1 | grep -oP "$i\K.*" &>>/tmp/openvas_GVM_manager_service.out + grep -rilnw "$i" -e "$WHICHS" | cut -d: -f1 | grep -oP "$i\K.*" &>>/tmp/openvas_GVM_scanner_service.out + grep -rilnw "$i" -e "$WHICHA" | cut -d: -f1 | grep -oP "$i\K.*" &>>/tmp/openvas_GVM_assistant_service.out + grep -rilnw "$i" -e "$WHICHR" | cut -d: -f1 | grep -oP "$i\K.*" &>>/tmp/openvas_GVM_redis_service.out + fi + done + + manager_service="$(while IFS= read -r service; do + systemctl list-unit-files | grep -P "(^|\s)\K$service(?=\s|$)" | awk '{print $1}' + done < /tmp/openvas_GVM_manager_service.out)" + scanner_service="$(while IFS= read -r service; do + systemctl list-unit-files | grep -P "(^|\s)\K$service(?=\s|$)" | awk '{print $1}' + done < /tmp/openvas_GVM_scanner_service.out)" + assistant_service="$(while IFS= read -r service; do + systemctl list-unit-files | grep -P "(^|\s)\K$service(?=\s|$)" | awk '{print $1}' + done < /tmp/openvas_GVM_assistant_service.out)" + redis_service="$(while IFS= read -r service; do + systemctl list-unit-files | grep -P "(^|\s)\K$service(?=\s|$)" | awk '{print $1}' + done < /tmp/openvas_GVM_redis_service.out)" + + rm -rf /tmp/openvas_GVM* + COUNTM=$(wc -w <<< "${manager_service}") + COUNTS=$(wc -w <<< "${scanner_service}") + COUNTA=$(wc -w <<< "${assistant_service}") + COUNTR=$(wc -w <<< "${redis_service}") + + if [ -n "$manager_service" ] && 
[ $manager -eq 1 ]; then + if [ "$(systemctl list-unit-files | grep 'enabled' | grep $manager_service | awk '{print $1}')" = "$manager_service" ]; then + echo "systemd --> OpenVAS Manager '$manager_service' found." + else + echo "systemd --> '$manager_service' found but not enabled." + echo "are you sure this is the correct systemd service for Openvas Manager" + while true; do + read -n 1 -p "do you want to enable '$manager_service'? --> (Y)es | (N)o | (Q)uit" answer + echo + case $answer in + [Yy]* ) systemctl enable "$manager_service" &>/dev/null; echo "systemd --> '$manager_service' enabled"; break;; + [Nn]* ) manager_service=""; echo "it seems you are not sure.ok i don't use $manager_service"; break;; + [Qq]* ) exit;; + * ) echo "Please answer yes,no or quit.";; + esac + done + fi + fi + + if [ -n "$scanner_service" ] && [ $scanner -eq 1 ]; then + if [ "$(systemctl list-unit-files | grep 'enabled' | grep $scanner_service | awk '{print $1}')" = "$scanner_service" ]; then + echo "systemd --> OpenVAS Scanner '$scanner_service' found." + else + echo "systemd --> '$scanner_service' found but not enabled." + echo "are you sure this is the correct systemd service for Openvas Scanner" + while true; do + read -n 1 -p "do you want to enable '$scanner_service'? --> (Y)es | (N)o | (Q)uit" answer + echo + case $answer in + [Yy]* ) systemctl enable "$scanner_service" &>/dev/null; echo "systemd --> '$scanner_service' enabled"; break;; + [Nn]* ) scanner_service=""; echo "it seems you are not sure.ok i don't use $scanner_service"; break;; + [Qq]* ) exit;; + * ) echo "Please answer yes,no or quit.";; + esac + done + fi + fi + + if [ -n "$assistant_service" ] && [ $scanner -eq 1 ]; then + if [ "$(systemctl list-unit-files | grep 'enabled' | grep $assistant_service | awk '{print $1}')" = "$assistant_service" ]; then + echo "systemd --> GSA '$assistant_service' found." + else + echo "systemd --> '$assistant_service' found but not enabled." 
+ echo "are you sure this is the correct systemd service for Greenbone Security Assistant" + while true; do + read -n 1 -p "do you want to enable '$assistant_service'? --> (Y)es | (N)o | (Q)uit" answer + echo + case $answer in + [Yy]* ) systemctl enable "$assistant_service" &>/dev/null; echo "systemd --> '$assistant_service' enabled"; break;; + [Nn]* ) assistant_service=""; echo "it seems you are not sure.ok i don't use $assistant_service"; break;; + [Qq]* ) exit;; + * ) echo "please answer yes,no or quit.";; + esac + done + fi + fi + + if [ -n "$redis_service" ] && [ $scanner -eq 1 ]; then + if [ "$(systemctl list-unit-files | grep 'enabled' | grep $redis_service | awk '{print $1}')" = "$redis_service" ]; then + echo "systemd --> redis '$redis_service' found." + else + echo "systemd --> '$redis_service' found but not enabled." + echo "are you sure this is the correct systemd service for redis-server" + while true; do + read -n 1 -p "do you want to enable '$redis_service'? --> (Y)es | (N)o | (Q)uit" answer + echo + case $answer in + [Yy]* ) systemctl enable "$redis_service" &>/dev/null; echo "systemd --> '$redis_service' enabled"; break;; + [Nn]* ) redis_service=""; echo "it seems you are not sure.ok i don't use $redis_service"; break;; + [Qq]* ) exit;; + * ) echo "please answer yes,no or quit.";; + esac + done + fi + fi + + if [ $COUNTM -gt 1 ] || [ $COUNTS -gt 1 ] || [ $COUNTR -gt 1 ]; then + echo "you have more than one enabled systemd service for single daemon" + echo " check OpenVAS and Redis systemd unit files to fix it" + exit 1 + fi +fi + +restart_redis () { +if [ $redis -eq 0 ]; then + systemctl restart redis.service &>/dev/null + if [ $? -eq 0 ]; then + echo "systemd --> redis.service is restarted." + else + echo "systemd --> redis.service cannot restarted." + exit 1 + fi +elif [[ -n "$redis_service" ]]; then + systemctl restart "$redis_service" &>/dev/null + if [ $? -eq 0 ]; then + echo "systemd --> $redis_service is restarted." 
+ else + echo "systemd --> $redis_service cannot restarted." + exit 1 + fi +elif [[ -n "$redis_init" ]]; then + rc-service redis stop + sleep 5 + rc-service redis start + if [ $? -eq 0 ]; then + echo "open-rc --> redis is restarted." + else + echo "open-rc --> redis cannot restarted." + exit 1 + fi +fi +} + +build_nvt () { +if ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvassd:(?=\s|$)" &>/dev/null; then + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvassd:(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + openvassd --foreground --only-cache &>/dev/null + if [ $? -eq 0 ]; then + echo "building NVT cache is done." + else + echo "building NVT cache is failed.." + exit 1 + fi + else + openvassd --foreground --only-cache &>/dev/null + if [ $? -eq 0 ]; then + echo "building NVT cache is done." + else + echo "building NVT cache is failed.." + exit 1 + fi +fi +} + +create_user () { +GREEN="`tput setaf 2`" +RED="`tput setaf 1`" +norm="`tput sgr0`" +echo "creating WebUI User.." +openvasmd --create-user=admin --role=Admin &>/tmp/openvas_user.out +if [ $? -eq 0 ]; then + username="admin" + password="$(cat /tmp/openvas_user.out | awk '{print $5}' | cut -c2-)" + echo "${RED}!WebUI Address : ${GREEN}127.0.0.1:9392" + echo "${RED}!WebUI Username: ${GREEN}$username" + echo "${RED}!WebUI Password: ${GREEN}${password%??}${norm}" + else + echo "$(cat /tmp/openvas_user.out)" + echo "these are active users for WebUI" + openvasmd --get-users +fi +rm -rf /tmp/openvas_user.out +} + +# Redis & OpenVAS Scanner socket connection check for Gentoo/Linux +if [[ -e /etc/redis.conf ]]; then + if [ "$(openvassd -s | grep 'kb_location' | awk '{print $3}')" = "$(cat /etc/redis.conf | grep -P '(^|\s)\Kunixsocket(?=\s|$)' | awk '{print $2}')" ]; then + echo "redis server properly configured." + else + redis_sock="$(openvassd -s | grep 'kb_location' | awk '{print $3}')" + echo "redis server is not properly configured." 
+ echo "be sure redis server listening unix socket at $redis_sock" + echo "you can find example redis.conf file in /etc/openvas/redis.conf.example" + exit 1 + fi +fi + +# Redis & OpenVAS Scanner socket connection check for other linux distros +if [[ -e /etc/redis/redis.conf ]]; then + if [ "$(openvassd -s | grep 'kb_location' | awk '{print $3}')" = "$(cat /etc/redis/redis.conf | grep -P '(^|\s)\Kunixsocket(?=\s|$)' | awk '{print $2}')" ]; then + echo "redis server properly configured." + else + redis_sock="$(openvassd -s | grep 'kb_location' | awk '{print $3}')" + echo "redis server is not properly configured." + echo "be sure redis server listening unix socket at $redis_sock" + exit 1 + fi +fi + +# Create certificates for fresh install +openvas-manage-certs -a &>/dev/null +if [ $? -eq 0 ]; then + echo "certificates created." + +elif [ "$(openvas-manage-certs -a | grep -ow 'Existing')" = "Existing" ]; then + echo "certificates already created." + +else + echo "certificates cannot created." + exit 1 +fi + +# Start to update FEED & First NVT. +try=0 +until [ $try -ge 5 ]; do + greenbone-nvt-sync &>/dev/null && break + echo "can't connected! trying to update greenbone-nvt again.." + try=$[$try+1] + sleep 30 +done + +# Check status +if [ $? -eq 0 ]; then + echo "greenbone-nvt-sync is done." + # Avoid your IP temporary banned because of multiple connection + sleep 5 + # Try to update scapdata. + try=0 + until [ $try -ge 5 ]; do + greenbone-scapdata-sync &>/dev/null && break + echo "can't connected! trying to update greenbone-scapdata again.." + try=$[$try+1] + sleep 30 + done + # Check status + if [ $? -eq 0 ]; then + echo "greenbone-scapdata-sync is done." + # Avoid your IP temporary banned because of multiple connection + sleep 5 + # Try to update certdata + try=0 + until [ $try -ge 5 ]; do + greenbone-certdata-sync &>/dev/null && break + echo "can't connected! Trying to update greenbone-certdata again.." + try=$[$try+1] + sleep 30 + done + # Check status + if [ $? 
-eq 0 ]; then + echo "greenbone-certdata-sync is done." + echo "building NVT cache this will take some time.." + build_nvt + # Check OpenVAS-Scanner is running + if ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvassd:(?=\s|$)" &>/dev/null; then + echo "OpenVAS-Scanner is running." + echo "building Database this will take some time.." + openvasmd --rebuild --progress &>/dev/null + elif [ $scanner -eq 0 ]; then + # Start OpenVAS-Scanner systemd unit & Rebuild Cache + echo "systemd --> OpenVAS-Scanner is not running! trying to up.." + systemctl start openvas-scanner.service &>/dev/null + if [ $? -eq 0 ]; then + # Wait for initialize + until [ "$(ps aux | grep -v 'grep' | grep -ow 'openvassd: Waiting')" = "openvassd: Waiting" ]; do + sleep 15 + echo "waiting for OpenVAS-Scanner to become ready.." + done + echo "systemd --> openvas-scanner.service started and waiting for connection." + echo "building database this will take some time.." + # Rebuild Cache + openvasmd --rebuild --progress &>/dev/null + else + echo "systemd --> openvas-scanner.service cannot started.." + exit 1 + fi + elif [[ -n "$scanner_service" ]]; then + echo "systemd --> OpenVAS-Scanner is down! trying to up.." + systemctl start "$scanner_service" &>/dev/null + if [ $? -eq 0 ]; then + # Wait for initialize + until [ "$(ps aux | grep -v 'grep' | grep -ow 'openvassd: Waiting')" = "openvassd: Waiting" ]; do + sleep 15 + echo "waiting for OpenVAS-Scanner to become ready.." + done + echo "systemd --> $scanner_service is started and waiting for connection." + echo "building database this will take some time.." + # Rebuild Cache + openvasmd --rebuild --progress &>/dev/null + else + echo "systemd --> $scanner_service cannot started.." + exit 1 + fi + elif [[ -n "$scanner_init" ]]; then + # Start OpenVAS-Scanner with init.d (open-rc) & Rebuild Cache + echo "open-rc --> OpenVAS-Scanner is down! trying to up.." + rc-service openvas-scanner start &>/dev/null + if [ $? 
-eq 0 ]; then + # Wait for initialize + until [ "$(ps aux | grep -v 'grep' | grep -ow 'openvassd: Waiting')" = "openvassd: Waiting" ]; do + sleep 15 + echo "waiting for OpenVAS-Scanner to become ready.." + done + echo "rc-service --> openvas-scanner started and waiting for connection." + echo "building database this will take some time.." + # Rebuild Cache + openvasmd --rebuild --progress &>/dev/null + else + echo "rc-service --> openvas-scanner cannot started.." + exit 1 + fi + else + echo "OpenVAS-Scanner is not running! Trying to up.." + openvassd "$OPENVAS_SCANNER_OPTIONS" "$OPENVAS_SCANNER_LISTEN_SOCKET" &>/dev/null + # Wait for initialize + if [ $? -eq 0 ]; then + until [ "$(ps aux | grep -v 'grep' | grep -ow 'openvassd: Waiting')" = "openvassd: Waiting" ]; do + sleep 15 + echo "waiting for OpenVAS-Scanner to become ready.." + done + else + echo "OpenVAS Scanner cannot started manually.." + exit 1 + fi + echo "OpenVAS-Scanner started manually and waiting for connection." + echo "building database this will take some time.." + # Rebuild Cache + openvasmd --rebuild --progress &>/dev/null + fi + # Check status + if [ $? 
-eq 0 ]; then + echo "building database is done" + create_user + # Restart OpenVAS-Scanner + if [ $scanner -eq 0 ]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvassd:(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + restart_redis + sleep 3 + systemctl restart openvas-scanner.service &>/dev/null + elif [[ -n "$scanner_service" ]]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvassd:(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + restart_redis + sleep 3 + systemctl restart "$scanner_service" &>/dev/null + elif [[ -n "$scanner_init" ]]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvassd:(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + restart_redis + sleep 3 + rc-service openvas-scanner start &>/dev/null + else + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvassd:(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + restart_redis + sleep 3 + openvassd "$OPENVAS_SCANNER_OPTIONS" "$OPENVAS_SCANNER_LISTEN_SOCKET" &>/dev/null + fi + if [ $? -eq 0 ]; then + until [ "$(ps aux | grep -v 'grep' | grep -ow 'openvassd: Waiting')" = "openvassd: Waiting" ]; do + sleep 10 + echo "waiting for OpenVAS-Scanner to become ready.." + done + echo "OpenVAS-Scanner is restarted." + # Restart OpenVAS-Manager + if [ $manager -eq 0 ]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvasmd(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + systemctl restart gvmd.service &>/dev/null + if [ $? -eq 0 ]; then + success="0" + echo "systemd --> gvmd.service is restarted." + echo "OpenVAS setup is ok." + else + echo "systemd --> gvmd.service cannot restarted." + echo "OpenVAS setup is not ok!" + exit 1 + fi + elif [[ -n "$manager_service" ]]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvasmd(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + systemctl restart "$manager_service" &>/dev/null + if [ $? 
-eq 0 ]; then + success="0" + echo "systemd --> $manager_service is restarted" + echo "OpenVAS setup is ok." + else + echo "systemd --> $manager_service cannot restarted" + echo "OpenVAS setup is not ok!" + exit 1 + fi + elif [[ -n "$manager_init" ]]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvasmd(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + rc-service gvmd start &>/dev/null + if [ $? -eq 0 ]; then + success="0" + echo "open-rc --> gvmd is restarted" + echo "OpenVAS setup is ok." + else + echo "open-rc --> gvmd cannot restarted" + echo "OpenVAS setup is not ok!" + exit 1 + fi + else + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvasmd(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + openvasmd "$OPENVAS_MANAGER_OPTIONS" "$OPENVAS_MANAGER_PORT" "$OPENVAS_MANAGER_LISTEN_ADDRESS" "$OPENVAS_MANAGER_SCANNER_HOST" "$OPENVAS_MANAGER_GNUTLS_PRIORITIES" &>/dev/null + if [ $? -eq 0 ]; then + success="0" + echo "OpenVAS-Manager is restarted manually" + echo "OpenVAS setup is ok." + else + echo "OpenVAS-Manager cannot restarted" + echo "OpenVAS setup is not ok!" + exit 1 + fi + fi + else + echo "OpenVAS setup is not ok! OpenVAS-scanner cannot restarted." + fi + else + echo "OpenVAS setup is not ok! OpenVAS database build failed." + fi + else + echo "OpenVAS setup is not ok! OpenVAS Certdata sync failed." + fi + else + echo "OpenVAS setup is not ok! OpenVAS Scapdata sync failed." + fi + else + echo "OpenVAS setup is not ok! OpenVAS NVT sync update failed." +fi + +# Restart WebUI +if [[ -n "$success" ]] && [ $gsad -eq 0 ]; then + WHICHA="$(type gsad | awk '{print $3}')" + if [ $assistant -eq 0 ]; then + # Time to restart OpenVAS-Security Assistant + ps aux | grep -v "grep" | grep -P "(^|\s)\K$WHICHA(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + systemctl restart gsa.service &>/dev/null + if [ $? 
-eq 0 ]; then + echo "systemd --> gsa.service (OpenVAS WebUI) is restarted and ready for connection" + else + echo "systemd --> gsa.service (OpenVAS-WebUI) cannot restarted" + fi + elif [[ -n "$assistant_service" ]]; then + if [ $COUNTA -eq 1 ]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\K$WHICHA(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + systemctl restart "$assistant_service" &>/dev/null + if [ $? -eq 0 ]; then + echo "systemd --> $assistant_service (OpenVAS WebUI) is restarted and ready for connection" + else + echo "systemd --> $assistan_service (OpenVAS WebUI) cannot restarted." + fi + else + echo "systemd --> OpenVAS WebUI cannot restarted! you have multiple enabled systemd services ($assistant_service)" + exit 1 + fi + elif [[ -n "$assistant_init" ]]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\K$WHICHA(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + rc-service gsa start &>/dev/null + if [ $? -eq 0 ]; then + echo "open-rc --> gsa (OpenVAS WebUI) is restarted" + else + echo "open-rc --> gsa (OpenVAS WebUI) cannot restarted." + fi + else + ps aux | grep -v "grep" | grep -P "(^|\s)\K$WHICHA(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + gsad "$OPENVAS_SECURITY_ASSISTANT_OPTIONS" "$OPENVAS_SECURITY_ASSISTANT_LISTEN_ADDRESS" "$OPENVAS_SECURITY_ASSISTANT_LISTEN_PORT" "$OPENVAS_SECURITY_ASSISTANT_MANAGER_LISTEN_ADDRESS" "$OPENVAS_SECURITY_ASSISTANT_MANAGER_LISTEN_PORT" "$OPENVAS_SECURITY_ASSISTANT_GNUTLS_PRIORITIES" &>/dev/null + if [ $? -eq 0 ]; then + echo "OpenVAS WebUI is restarted" + else + echo "OpenVAS WebUI cannot restarted" + fi + fi +fi diff --git a/net-analyzer/openvas-scanner/files/openvas-feed-sync b/net-analyzer/openvas-scanner/files/openvas-feed-sync new file mode 100755 index 000000000000..de1c69038aba --- /dev/null +++ b/net-analyzer/openvas-scanner/files/openvas-feed-sync 
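Review bot: The first-start script keeps its scratch data under fixed, predictable names in /tmp — `/tmp/openvas_GVM_*_service.out` (opened with `&>>`, so results of an earlier run are carried over) and `/tmp/openvas_user.out`, which receives the freshly generated admin password from `openvasmd --create-user` — and since the script runs as root, a pre-created file or symlink at those paths is followed, and the password file is created with the default umask and stays readable by other local users until the trailing `rm -rf` runs. Use a per-run `mktemp -d` directory (mode 0700) with an EXIT trap for the service lookups and keep the create-user output in a shell variable instead of a file, as sketched below. Separately, each `if [ $? -eq 0 ]` placed directly after the `until [ $try -ge 5 ]; do … done` retry loops tests the status of the loop's last command (`sleep 30`, or `break`, both 0), so five failed `greenbone-*-sync` attempts are still reported as "done" and the setup proceeds; record the outcome inside the loop (`synced=0; greenbone-nvt-sync &>/dev/null && { synced=1; break; }`) and test that variable. The copy-pasted guards `[ -n "$assistant_service" ] && [ $scanner -eq 1 ]` and `[ -n "$redis_service" ] && [ $scanner -eq 1 ]` look like they were meant to test `$assistant` and `$redis`, and the gsad restart failure message references a misspelled `$assistan_service`. The manual-start branches also pass `"$OPENVAS_SCANNER_OPTIONS"` and `"$OPENVAS_MANAGER_OPTIONS"` quoted, which hands the daemon a literal empty argument when the variable is left at its default `""`.
```shell
# Per-run private scratch directory (0700) instead of fixed names in /tmp
tmpdir="$(mktemp -d)" || { echo "cannot create temporary directory"; exit 1; }
trap 'rm -rf "$tmpdir"' EXIT
# … unchanged: option variables, executable / init-system checks …
grep -rilnw "$i" -e "$WHICHM" | cut -d: -f1 | grep -oP "$i\K.*" >>"$tmpdir/manager_service.out" 2>/dev/null
# … unchanged: same for scanner, assistant, redis; the while-read loops read "$tmpdir/<name>_service.out" and the rm -rf /tmp/openvas_GVM* line is dropped …
# Keep the generated password in memory rather than in a file on disk
user_out="$(openvasmd --create-user=admin --role=Admin 2>&1)"
if [ $? -eq 0 ]; then
  username="admin"
  password="$(awk '{print $5}' <<< "$user_out" | cut -c2-)"
# … unchanged: WebUI address/username/password output; the else branch echoes "$user_out" …
```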
@@ -0,0 +1,627 @@ +#!/bin/bash +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 +# This is OpenVAS cron script that updates feed and reload daemons. +# Hasan ÇALIŞIR hsntgm@gmail.com | proxy maintainer + +# Mail settings +MAIL_TO="root" +MAIL_SUBJECT="CronJob-OpenVAS" + +# If you don't use systemd or open-rc for OpenVAS daemons you can set start command args here +# while we manually start/restart them. +#################################################################################################### + +# OpenVAS Manager command args +OPENVAS_MANAGER_OPTIONS="" # e.g --foreground +OPENVAS_MANAGER_PORT="--port=9390" # Manager listen port +OPENVAS_MANAGER_LISTEN_ADDRESS="--listen=127.0.0.1" # Manager listen address +OPENVAS_MANAGER_SCANNER_HOST="--scanner-host=/var/run/openvassd.sock" # Scanner unix socket +OPENVAS_MANAGER_GNUTLS_PRIORITIES="--gnutls-priorities=SECURE256:+SUITEB192:+SECURE192:+SECURE128:+SUITEB128:-MD5:-SHA1:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-SSL3.0" + +# OpenVAS Scanner command args +OPENVAS_SCANNER_OPTIONS="" # e.g --foreground +OPENVAS_SCANNER_LISTEN_SOCKET="--unix-socket=/var/run/openvassd.sock" # Scanner listen socket + +# OpenVAS Security Assistant command args for reverse proxying | SSL PassThrough +OPENVAS_SECURITY_ASSISTANT_OPTIONS="--no-redirect" # Don't listen port 80 anymore +OPENVAS_SECURITY_ASSISTANT_LISTEN_ADDRESS="--listen=127.0.0.1" # WebUI adress +OPENVAS_SECURITY_ASSISTANT_LISTEN_PORT="--port=9392" # WebUI Port +OPENVAS_SECURITY_ASSISTANT_MANAGER_LISTEN_ADDRESS="--mlisten=127.0.0.1" # WebUI Manager Address +OPENVAS_SECURITY_ASSISTANT_MANAGER_PORT="--mport=9390" # WebUI Manager Port +OPENVAS_SECURITY_ASSISTANT_GNUTLS_PRIORITIES="--gnutls-priorities=NORMAL" # TLS Settings + +##################################################################################################### + +# Update Environment +source /etc/profile &>/dev/null +source /etc/environment &>/dev/null +source 
~/.bash_profile &>/dev/null + +# Check the needed executables if they are in our environment and have +x +if ! [ -x "$(command -v openvasmd)" ] || ! [ -x "$(command -v openvassd)" ] || ! [ -x "$(command -v redis-server)" ]; then + path="1" + else + path="0" +fi + +# Check Security-Assistant is exist +if ! [ -x "$(command -v gsad)" ]; then + gsad="1" + else + gsad="0" +fi + +# Executables are not in our environment +if [ $path -eq 1 ]; then + echo "OpenVAS CronJob Failed! If you installed OpenVAS to specific location e.g. /opt" | tee -a /tmp/openvas_mail.out + echo "please add these PATHS to /etc/profile e.g. 'PATH=$PATH:/opt/openvas/bin:/opt/openvas/sbin'" | tee -a /tmp/openvas_mail.out + echo "also sure that they are executable e.g. 'chmod +x /opt/openvas/sbin/openvassd'" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 +fi + +# Check systemd if exist +if command -v systemctl &>/dev/null; then + systemctl="0" + else + systemctl="1" +fi + +# Check open-rc if exist +if command -v rc-service &>/dev/null; then + open_rc="0" + else + open_rc="1" +fi + +# open-rc variables +if [ $systemctl -eq 1 ] && [ $open_rc -eq 0 ]; then + scanner_init="0" + manager_init="0" + assistant_init="0" + redis_init="0" +fi + +# Check OpenVAS-Scanner systemd unit(common name) is active or enabled +if [ $systemctl -eq 0 ] && ([ "$(systemctl is-active openvassd.service)" = "active" ] || [ "$(systemctl list-unit-files | grep 'enabled' | grep 'openvassd.service' | awk '{print $1}')" = "openvassd.service" ]); then + scanner="0" + else + scanner="1" +fi + +# Check OpenVAS-Manager systemd unit(common name) is active or enabled +if [ $systemctl -eq 0 ] && ([ "$(systemctl is-active openvasmd.service)" = "active" ] || [ "$(systemctl list-unit-files | grep 'enabled' | grep 'openvasmd.service' | awk '{print $1}')" = "openvasmd.service" ]); then + manager="0" + else + manager="1" +fi + +# Check OpenVAS-Assistant 
systemd unit(common name) is active or not +if [ $systemctl -eq 0 ] && ([ "$(systemctl is-active gsad.service)" = "active" ] || [ "$(systemctl list-unit-files | grep 'enabled' | grep 'gsad.service' | awk '{print $1}')" = "gsad.service" ]); then + assistant="0" + else + assistant="1" +fi + +# Check Redis systemd unit(common name) is active or not +if [ $systemctl -eq 0 ] && ([ "$(systemctl is-active redis.service)" = "active" ] || [ "$(systemctl list-unit-files | grep 'enabled' | grep 'redis.service' | awk '{print $1}')" = "redis.service" ]); then + redis="0" + else + redis="1" +fi + +# If you don't use common systemd service names for OpenVAS +# We need to find correct service name for restarting. +if [ $scanner -eq 1 ] || [ $manager -eq 1 ]; then + WHICHM="ExecStart=$(type openvasmd | awk '{print $3}')" + WHICHS="ExecStart=$(type openvassd | awk '{print $3}')" + WHICHA="ExecStart=$(type gsad | awk '{print $3}')" + WHICHR="ExecStart=$(type redis-server | awk '{print $3}')" + + # If you have unordinary systemd services PATH you can add here + DIR="/lib/systemd/system/ + /etc/systemd/system/ + /usr/lib/systemd/system/ + /usr/local/lib/systemd/system/" + + # Find OpenVAS daemons systemd files + for i in $DIR; do + if [ -d "$i" ]; then + grep -rilnw "$i" -e "$WHICHM" | cut -d: -f1 | grep -oP "$i\K.*" &>>/tmp/openvas_GVM_manager_service.out + grep -rilnw "$i" -e "$WHICHS" | cut -d: -f1 | grep -oP "$i\K.*" &>>/tmp/openvas_GVM_scanner_service.out + grep -rilnw "$i" -e "$WHICHA" | cut -d: -f1 | grep -oP "$i\K.*" &>>/tmp/openvas_GVM_assistant_service.out + grep -rilnw "$i" -e "$WHICHR" | cut -d: -f1 | grep -oP "$i\K.*" &>>/tmp/openvas_GVM_redis_service.out + fi + done + + # Time to get our exact systemd service searching in enabled services + manager_service="$(while IFS= read -r service; do + systemctl list-unit-files | grep "enabled" | grep -P "(^|\s)\K$service(?=\s|$)" | awk '{print $1}' + done < /tmp/openvas_GVM_manager_service.out)" + + scanner_service="$(while IFS= 
read -r service; do + systemctl list-unit-files | grep "enabled" | grep -P "(^|\s)\K$service(?=\s|$)" | awk '{print $1}' + done < /tmp/openvas_GVM_scanner_service.out)" + + assistant_service="$(while IFS= read -r service; do + systemctl list-unit-files | grep "enabled" | grep -P "(^|\s)\K$service(?=\s|$)" | awk '{print $1}' + done < /tmp/openvas_GVM_assistant_service.out)" + + redis_service="$(while IFS= read -r service; do + systemctl list-unit-files | grep "enabled" | grep -P "(^|\s)\K$service(?=\s|$)" | awk '{print $1}' + done < /tmp/openvas_GVM_redis_service.out)" + + rm -rf /tmp/openvas_GVM* + COUNTM=$(wc -w <<< "${manager_service}") + COUNTS=$(wc -w <<< "${scanner_service}") + COUNTA=$(wc -w <<< "${assistant_service}") + COUNTR=$(wc -w <<< "${redis_service}") + + if [ $COUNTM -gt 1 ] || [ $COUNTS -gt 1 ] || [ $COUNTR -gt 1 ]; then + echo "OpenVAS CronJob Failed! You have multiple enabled systemd service for single OpenVAS daemon or redis" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi +fi + +# Start to update FEED & First NVT. +try=0 +until [ $try -ge 5 ]; do + greenbone-nvt-sync &>/dev/null && break + echo "Can't connected! Trying to update greenbone-nvt again.." &>>/tmp/openvas_mail.out + try=$[$try+1] + sleep 30 +done + +# Check status +if [ $? -eq 0 ]; then + echo "greenbone-nvt-sync is done" &>>/tmp/openvas_mail.out + # Avoid your IP temporary banned because of multiple connection + sleep 5 + # Try to update scapdata. + try=0 + until [ $try -ge 5 ]; do + greenbone-scapdata-sync &>/dev/null && break + echo "Can't connected! Trying to update greenbone-scapdata again.." &>>/tmp/openvas_mail.out + try=$[$try+1] + sleep 30 + done + + # Check status + if [ $? 
-eq 0 ]; then + echo "greenbone-scapdata-sync is done" &>>/tmp/openvas_mail.out + # Avoid your IP temporary banned because of multiple connection + sleep 5 + # Try to update certdata + try=0 + until [ $try -ge 5 ]; do + greenbone-certdata-sync &>/dev/null && break + echo "Can't connected! Trying to update greenbone-certdata again.." &>>/tmp/openvas_mail.out + try=$[$try+1] + sleep 30 + done + + # Check status + if [ $? -eq 0 ]; then + echo "greenbone-certdata-sync is done" &>>/tmp/openvas_mail.out + + # Check OpenVAS-Scanner is running + if ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvassd:(?=\s|$)" &>/dev/null; then + echo "OpenVAS-Scanner is running." &>>/tmp/openvas_mail.out + openvasmd --update --progress &>/dev/null + + elif [ $scanner -eq 0 ]; then + # Start OpenVAS-Scanner systemd unit & Rebuild Cache + echo "OpenVAS-Scanner is down! Trying to up.." &>>/tmp/openvas_mail.out + systemctl start openvassd.service &>/dev/null + + if [ $? -eq 0 ]; then + # Wait for initialize + until [ "$(ps aux | grep -v 'grep' | grep -ow 'openvassd: Waiting')" = "openvassd: Waiting" ]; do + sleep 15 + echo "Waiting for OpenVAS-Scanner to become ready.." &>>/tmp/openvas_mail.out + done + echo "openvassd.service started and waiting for connection." &>>/tmp/openvas_mail.out + # Rebuild Cache + openvasmd --update --progress &>/dev/null + else + echo "openvassd.service cannot started.." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + elif [[ -n "$scanner_service" ]]; then + echo "OpenVAS-Scanner is down! Trying to up.." &>>/tmp/openvas_mail.out + systemctl start "$scanner_service" &>/dev/null + + if [ $? -eq 0 ]; then + # Wait for initialize + until [ "$(ps aux | grep -v 'grep' | grep -ow 'openvassd: Waiting')" = "openvassd: Waiting" ]; do + sleep 15 + echo "Waiting for OpenVAS-Scanner to become ready.." 
&>>/tmp/openvas_mail.out + done + echo "$scanner_service is started and waiting for connection." &>>/tmp/openvas_mail.out + # Rebuild Cache + openvasmd --update --progress &>/dev/null + else + echo "$scanner_service cannot started.." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + elif [[ -n "$scanner_init" ]]; then + # Start OpenVAS-Scanner with init.d (open-rc) & Rebuild Cache + echo "OpenVAS-Scanner is down! Trying to up.." &>>/tmp/openvas_mail.out + rc-service openvassd start &>/dev/null + + if [ $? -eq 0 ]; then + # Wait for initialize + until [ "$(ps aux | grep -v 'grep' | grep -ow 'openvassd: Waiting')" = "openvassd: Waiting" ]; do + sleep 15 + echo "Waiting for OpenVAS-Scanner to become ready.." &>>/tmp/openvas_mail.out + done + echo "rc-service --> openvassd started and waiting for connection." &>>/tmp/openvas_mail.out + # Rebuild Cache + openvasmd --update --progress &>/dev/null + else + echo "rc-service --> openvassd cannot started.." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + else + echo "OpenVAS-Scanner is down! Trying to up.." &>>/tmp/openvas_mail.out + openvassd "$OPENVAS_SCANNER_OPTIONS" "$OPENVAS_SCANNER_LISTEN_SOCKET" &>/dev/null + # Wait for initialize + if [ $? -eq 0 ]; then + until [ "$(ps aux | grep -v 'grep' | grep -ow 'openvassd: Waiting')" = "openvassd: Waiting" ]; do + sleep 15 + echo "Waiting for OpenVAS-Scanner to become ready.." &>>/tmp/openvas_mail.out + done + else + echo "OpenVAS Scanner cannot started manually.." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + echo "OpenVAS-Scanner started manually and waiting for connection." 
&>>/tmp/openvas_mail.out + # Rebuild Cache + openvasmd --update --progress &>/dev/null + fi + + # Check status + if [ $? -eq 0 ]; then + echo "Updating NVT cache is done" &>>/tmp/openvas_mail.out + + # Restart OpenVAS-Scanner + if [ $scanner -eq 0 ]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvassd:(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 3 + + # Try to restart redis service before OpenVAS-Scanner + if [ $redis -eq 0 ]; then + systemctl restart redis.service &>/dev/null + + if [ $? -eq 0 ]; then + echo "systemd --> redis.service is restarted." &>>/tmp/openvas_mail.out + else + echo "systemd --> redis.service cannot restarted." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + elif [[ -n "$redis_service" ]]; then + systemctl restart "$redis_service" &>/dev/null + + if [ $? -eq 0 ]; then + echo "systemd --> $redis_service is restarted." &>>/tmp/openvas_mail.out + else + echo "systemd --> $redis_service cannot restarted." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + elif [[ -n "$redis_init" ]]; then + rc-service redis stop + sleep 5 + rc-service redis start + + if [ $? -eq 0 ]; then + echo "open-rc --> redis is restarted." &>>/tmp/openvas_mail.out + else + echo "open-rc --> redis cannot restarted." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + fi + systemctl restart openvassd.service &>/dev/null + + elif [[ -n "$scanner_service" ]]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvassd:(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 3 + + # Try to restart redis service before OpenVAS-Scanner + if [ $redis -eq 0 ]; then + systemctl restart redis.service &>/dev/null + + if [ $? 
-eq 0 ]; then + echo "systemd --> redis.service is restarted." &>>/tmp/openvas_mail.out + else + echo "systemd --> redis.service cannot restarted." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + elif [[ -n "$redis_service" ]]; then + systemctl restart "$redis_service" &>/dev/null + + if [ $? -eq 0 ]; then + echo "systemd --> $redis_service is restarted." &>>/tmp/openvas_mail.out + else + echo "systemd --> $redis_service cannot restarted." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + elif [[ -n "$redis_init" ]]; then + rc-service redis stop + sleep 5 + rc-service redis start + + if [ $? -eq 0 ]; then + echo "open-rc --> redis is restarted." &>>/tmp/openvas_mail.out + else + echo "open-rc --> redis cannot restarted." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + fi + systemctl restart "$scanner_service" &>/dev/null + + elif [[ -n "$scanner_init" ]]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvassd:(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 3 + + # Try to restart redis service before OpenVAS-Scanner + if [ $redis -eq 0 ]; then + systemctl restart redis.service &>/dev/null + + if [ $? -eq 0 ]; then + echo "systemd --> redis.service is restarted." &>>/tmp/openvas_mail.out + else + echo "systemd --> redis.service cannot restarted." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + elif [[ -n "$redis_service" ]]; then + systemctl restart "$redis_service" &>/dev/null + + if [ $? -eq 0 ]; then + echo "systemd --> $redis_service is restarted." &>>/tmp/openvas_mail.out + else + echo "systemd --> $redis_service cannot restarted." 
| tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + elif [[ -n "$redis_init" ]]; then + rc-service redis stop + sleep 5 + rc-service redis start + + if [ $? -eq 0 ]; then + echo "open-rc --> redis is restarted." &>>/tmp/openvas_mail.out + else + echo "open-rc --> redis cannot restarted." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + fi + rc-service openvassd start &>/dev/null + + else + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvassd:(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 3 + + # Try to restart redis service before OpenVAS-Scanner + if [ $redis -eq 0 ]; then + systemctl restart redis.service &>/dev/null + + if [ $? -eq 0 ]; then + echo "systemd --> redis.service is restarted." &>>/tmp/openvas_mail.out + else + echo "systemd --> redis.service cannot restarted." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + elif [[ -n "$redis_service" ]]; then + systemctl restart "$redis_service" &>/dev/null + + if [ $? -eq 0 ]; then + echo "systemd --> $redis_service is restarted." &>>/tmp/openvas_mail.out + else + echo "systemd --> $redis_service cannot restarted." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + elif [[ -n "$redis_init" ]]; then + rc-service redis stop + sleep 5 + rc-service redis start + + if [ $? -eq 0 ]; then + echo "open-rc --> redis is restarted." &>>/tmp/openvas_mail.out + else + echo "open-rc --> redis cannot restarted." 
| tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + fi + openvassd "$OPENVAS_SCANNER_OPTIONS" "$OPENVAS_SCANNER_LISTEN_SOCKET" &>/dev/null + fi + + if [ $? -eq 0 ]; then + until [ "$(ps aux | grep -v 'grep' | grep -ow 'openvassd: Waiting')" = "openvassd: Waiting" ]; do + sleep 10 + echo "Waiting for OpenVAS-Scanner to become ready.." &>>/tmp/openvas_mail.out + done + echo "OpenVAS-Scanner is restarted." &>>/tmp/openvas_mail.out + + # Restart OpenVAS-Manager + if [ $manager -eq 0 ]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvasmd(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + systemctl restart openvasmd.service &>/dev/null + + if [ $? -eq 0 ]; then + success="0" + echo "systemd --> openvasmd.service is restarted" &>>/tmp/openvas_mail.out + echo "OpenVAS CronJob Success!" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + else + echo "systemd --> openvasmd.service cannot restarted" &>>/tmp/openvas_mail.out + echo "OpenVAS CronJob Failed!" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + elif [[ -n "$manager_service" ]]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvasmd(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + systemctl restart "$manager_service" &>/dev/null + + if [ $? -eq 0 ]; then + success="0" + echo "systemd --> $manager_service is restarted" &>>/tmp/openvas_mail.out + echo "OpenVAS CronJob Success!" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + else + echo "systemd --> $manager_service cannot restarted" &>>/tmp/openvas_mail.out + echo "OpenVAS CronJob Failed!" 
| tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + elif [[ -n "$manager_init" ]]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvasmd(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + rc-service openvasmd start &>/dev/null + + if [ $? -eq 0 ]; then + success="0" + echo "open-rc --> openvasmd is restarted" &>>/tmp/openvas_mail.out + echo "OpenVAS CronJob Success!" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + else + echo "open-rc --> openvasmd cannot restarted" &>>/tmp/openvas_mail.out + echo "OpenVAS CronJob Failed!" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + else + ps aux | grep -v "grep" | grep -P "(^|\s)\Kopenvasmd(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + openvasmd "$OPENVAS_MANAGER_OPTIONS" "$OPENVAS_MANAGER_PORT" "$OPENVAS_MANAGER_LISTEN_ADDRESS" "$OPENVAS_MANAGER_SCANNER_HOST" "$OPENVAS_MANAGER_GNUTLS_PRIORITIES" &>/dev/null + + if [ $? -eq 0 ]; then + success="0" + echo "OpenVAS-Manager is restarted manually" &>>/tmp/openvas_mail.out + echo "OpenVAS CronJob Success!" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + else + echo "OpenVAS-Manager cannot restarted" &>>/tmp/openvas_mail.out + echo "OpenVAS CronJob Failed!" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + fi + else + echo "OpenVAS CronJob Failed! openvas-scanner cannot restarted" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + fi + else + echo "OpenVAS CronJob Failed! 
OpenVAS NVT cache build failed" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + fi + else + echo "OpenVAS CronJob Failed! OpenVAS Certdata sync failed!" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + fi + else + echo "OpenVAS CronJob Failed! OpenVAS Scapdata sync failed!" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + fi + else + echo "OpenVAS CronJob Failed! OpenVAS NVT sync update failed!" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null +fi +rm -rf /tmp/openvas_mail.out + +# Restart WebUI +if [[ -n "$success" ]] && [ $gsad -eq 0 ]; then + WHICHA="$(type gsad | awk '{print $3}')" + + if [ $assistant -eq 0 ]; then + # Time to restart OpenVAS-Security Assistant + ps aux | grep -v "grep" | grep -P "(^|\s)\K$WHICHA(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + systemctl restart gsad.service &>/dev/null + + if [ $? -eq 0 ]; then + echo "systemd --> gsad.service (OpenVAS WebUI) is restarted" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + else + echo "systemd --> gsad.service (OpenVAS-WebUI) cannot restarted" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + fi + + elif [[ -n "$assistant_service" ]]; then + if [ $COUNTA -eq 1 ]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\K$WHICHA(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + systemctl restart "$assistant_service" &>/dev/null + + if [ $? 
-eq 0 ]; then + echo "systemd --> $assistant_service (OpenVAS WebUI) is restarted" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + else + echo "systemd --> $assistan_service (OpenVAS WebUI) cannot restarted." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + fi + else + echo "systemd --> OpenVAS WebUI cannot restarted! You have multiple enabled systemd services ($assistant_service)" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + exit 1 + fi + + elif [[ -n "$assistant_init" ]]; then + ps aux | grep -v "grep" | grep -P "(^|\s)\K$WHICHA(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + rc-service gsad start &>/dev/null + + if [ $? -eq 0 ]; then + echo "open-rc --> gsad (OpenVAS WebUI) is restarted" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + else + echo "open-rc --> gsad (OpenVAS WebUI) cannot restarted." | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + fi + else + ps aux | grep -v "grep" | grep -P "(^|\s)\K$WHICHA(?=\s|$)" | awk '{print $2}' | xargs kill -9 &>/dev/null + sleep 5 + gsad "$OPENVAS_SECURITY_ASSISTANT_OPTIONS" "$OPENVAS_SECURITY_ASSISTANT_LISTEN_ADDRESS" "$OPENVAS_SECURITY_ASSISTANT_LISTEN_PORT" "$OPENVAS_SECURITY_ASSISTANT_MANAGER_LISTEN_ADDRESS" "$OPENVAS_SECURITY_ASSISTANT_MANAGER_LISTEN_PORT" "$OPENVAS_SECURITY_ASSISTANT_GNUTLS_PRIORITIES" &>/dev/null + + if [ $? 
-eq 0 ]; then + echo "OpenVAS WebUI is restarted" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + else + echo "OpenVAS WebUI cannot restarted" | tee -a /tmp/openvas_mail.out + echo -e "Subject:$MAIL_SUBJECT\n$(cat /tmp/openvas_mail.out)" | sendmail -t "$MAIL_TO" &>/dev/null + fi + fi + rm -rf /tmp/openvas_mail.out +fi diff --git a/net-analyzer/openvas-scanner/files/openvas-scanner-5.1.3-cachedir.patch b/net-analyzer/openvas-scanner/files/openvas-scanner-5.1.3-cachedir.patch new file mode 100644 index 000000000000..98c657250197 --- /dev/null +++ b/net-analyzer/openvas-scanner/files/openvas-scanner-5.1.3-cachedir.patch 
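Review bot: Each `if [ $? -eq 0 ]` that follows an `until [ $try -ge 5 ]` retry loop (nvt, scapdata and certdata sync) tests the loop's exit status, which is that of the last body command executed — `sleep 30` — so after five failed attempts `$?` is still 0 and the three "sync failed" branches are unreachable; test the counter instead, `if [ $try -lt 5 ]; then`. The scratch files use fixed names under `/tmp` (`/tmp/openvas_mail.out`, `/tmp/openvas_GVM_*.out`), are appended to with `&>>` and cleared with `rm -rf /tmp/openvas_GVM*`; for a root cron job a pre-existing file or symlink at those names is a hazard, so create a private directory with `tmpdir="$(mktemp -d)"` and `trap 'rm -rf "$tmpdir"' EXIT` and write there. The open-rc branch starts the manager with `rc-service openvasmd start`, while the first-start script in this commit uses `rc-service gvmd start` and the systemd unit orders itself before `gvmd.service`; presumably one of the names is stale.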
@@ -0,0 +1,42 @@
+--- openvas-scanner-5.1.3/src/openvassd.c 2018-08-29 19:27:26.000000000 +0300
++++ openvas-scanner-5.1.3/src/openvassd.c 2019-02-04 03:28:24.635539266 +0300
+@@ -103,7 +103,6 @@
+ */
+ static openvassd_option openvassd_defaults[] = {
+ {"plugins_folder", OPENVAS_NVT_DIR},
+- {"cache_folder", OPENVAS_CACHE_DIR},
+ {"include_folders", OPENVAS_NVT_DIR},
+ {"max_hosts", "30"},
+ {"max_checks", "10"},
+--- openvas-scanner-5.1.3/src/CMakeLists.txt 2018-08-29 19:27:26.000000000 +0300
++++ openvas-scanner-5.1.3/src/CMakeLists.txt 2019-02-04 03:22:20.078824664 +0300
+@@ -68,10 +68,6 @@
+ add_definitions (-DOPENVAS_NVT_DIR=\\\"${OPENVAS_NVT_DIR}\\\")
+ endif (OPENVAS_NVT_DIR)
+ 
+-if (OPENVAS_CACHE_DIR)
+- add_definitions (-DOPENVAS_CACHE_DIR=\\\"${OPENVAS_CACHE_DIR}\\\")
+-endif (OPENVAS_CACHE_DIR)
+-
+ if (OPENVAS_LOG_DIR)
+ add_definitions (-DOPENVAS_LOG_DIR=\\\"${OPENVAS_LOG_DIR}\\\")
+ endif (OPENVAS_LOG_DIR)
+--- openvas-scanner-5.1.3/CMakeLists.txt 2018-08-29 19:27:26.000000000 +0300
++++ openvas-scanner-5.1.3/CMakeLists.txt 2019-02-04 03:18:37.889999639 +0300
+@@ -166,7 +166,6 @@
+ set (OPENVAS_DATA_DIR "${DATADIR}/openvas")
+ set (OPENVAS_STATE_DIR "${LOCALSTATEDIR}/lib/openvas")
+ set (OPENVAS_LOG_DIR "${LOCALSTATEDIR}/log/openvas")
+-set (OPENVAS_CACHE_DIR "${LOCALSTATEDIR}/cache/openvas")
+ set (OPENVAS_SYSCONF_DIR "${SYSCONFDIR}/openvas")
+ 
+ if (NOT OPENVAS_NVT_DIR)
+@@ -265,7 +264,6 @@
+ DESTINATION ${DATADIR}/doc/openvas-scanner/ )
+ 
+ install (DIRECTORY DESTINATION ${OPENVAS_NVT_DIR})
+-install (DIRECTORY DESTINATION ${OPENVAS_CACHE_DIR})
+ 
+ ## Tests
+ 
+ 
diff --git a/net-analyzer/openvas-scanner/files/openvas-scanner-5.1.3-gcc8.patch b/net-analyzer/openvas-scanner/files/openvas-scanner-5.1.3-gcc8.patch
new file mode 100644
index 000000000000..4ec2e786e125
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/openvas-scanner-5.1.3-gcc8.patch
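Review bot: The patch removes `OPENVAS_CACHE_DIR` (`${LOCALSTATEDIR}/cache/openvas`) and the `cache_folder` entry from `openvassd_defaults`, yet the init script in this commit still creates `/var/cache/openvas` in `start_pre()`/`create_cache()` and the tmpfiles.d entry creates `/var/cache/openvassd`; the three places disagree on whether the scanner still needs a cache directory and what it is called. Settle on one path or drop the directory creation together with the define. Whether openvassd still accepts a `cache_folder` key in openvassd.conf once it is gone from the defaults table depends on the config parser, which is outside this hunk, so check that before shipping. The patch has no header; a line such as `# Do not install an empty OPENVAS_CACHE_DIR (Gentoo QA: unnecessary directory install).` above the first `---` would record the intent the commit message only hints at.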
@@ -0,0 +1,42 @@
+--- openvas-scanner-5.1.3/src/ntp.c 2018-08-29 19:27:26.000000000 +0300
++++ openvas-scanner-5.1.3/src/ntp.c 2019-02-02 00:57:56.832878754 +0300
+@@ -361,9 +361,7 @@
+ }
+ 
+ /*----------------------------------------------------------
+-
+ Communication protocol: timestamps
+-
+ ----------------------------------------------------------*/
+ 
+ 
+@@ -391,7 +389,7 @@
+ static int
+ __ntp_timestamp_scan_host (int soc, char *msg, char *host)
+ {
+- char timestr[1024];
++ char timestr[64];
+ char *tmp;
+ time_t t;
+ int len;
+--- openvas-scanner-5.1.3/src/pluginload.c 2018-08-29 19:27:26.000000000 +0300
++++ openvas-scanner-5.1.3/src/pluginload.c 2019-02-02 00:59:24.494774959 +0300
+@@ -250,7 +250,7 @@
+ g_slist_free_full (oids, g_free);
+ }
+ 
+-static int
++static void
+ plugins_reload_from_dir (void *folder)
+ {
+ GSList *files = NULL, *f;
+--- openvas-scanner-5.1.3/src/processes.h 2018-08-29 19:27:26.000000000 +0300
++++ openvas-scanner-5.1.3/src/processes.h 2019-02-02 01:06:42.772908314 +0300
+@@ -28,7 +28,7 @@
+ #ifndef _OPENVAS_THREADS_H
+ #define _OPENVAS_THREADS_H
+ 
+-typedef int (*process_func_t) (void *);
++typedef void (*process_func_t) (void *);
+ pid_t create_process (process_func_t, void *);
+ int terminate_process (pid_t);
diff --git a/net-analyzer/openvas-scanner/files/openvas-scanner-5.1.3-nvt.patch b/net-analyzer/openvas-scanner/files/openvas-scanner-5.1.3-nvt.patch
new file mode 100644
index 000000000000..67091fcf3e3b
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/openvas-scanner-5.1.3-nvt.patch
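Review bot: Shrinking `timestr` from 1024 to 64 bytes in `__ntp_timestamp_scan_host` is only a safe way to quiet the gcc-8 diagnostic if every write into it is bounded by `sizeof (timestr)`; the function body is outside this hunk, so confirm it formats the timestamp with `strftime`/`snprintf` using that bound rather than a fixed length, otherwise the warning has been traded for a stack buffer overrun. Changing `process_func_t` in `processes.h` from `int (*)(void *)` to `void (*)(void *)` is a header-level API change: every function handed to `create_process` must now return void, and the body of `plugins_reload_from_dir` (also outside the hunk) presumably still has `return 0;`-style statements that will no longer compile. A header comment naming the gcc-8 warnings this addresses and, if it is a backport, the upstream change it mirrors would make the patch reviewable at the next version bump.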
@@ -0,0 +1,93 @@ +--- openvas-scanner-5.1.3/src/attack.c 2018-08-29 19:27:26.000000000 +0300 ++++ openvas-scanner-5.1.3/src/attack.c 2019-02-02 00:44:12.834888067 +0300 +@@ -97,9 +97,7 @@ + }; + + /******************************************************* +- + PRIVATE FUNCTIONS +- + ********************************************************/ + + /** +@@ -996,6 +994,14 @@ + sched = plugins_scheduler_init + (prefs_get ("plugin_set"), prefs_get_bool ("auto_enable_dependencies"), + network_phase); ++ if (sched == NULL) ++ { ++ error_message_to_client (global_socket, ++ "Failed to initialize the plugins scheduler.", ++ NULL, NULL); ++ return; ++ } ++ + + max_hosts = get_max_hosts_number (); + max_checks = get_max_checks_number (); +--- openvas-scanner-5.1.3/src/pluginscheduler.c 2018-08-29 19:27:26.000000000 +0300 ++++ openvas-scanner-5.1.3/src/pluginscheduler.c 2019-02-02 00:48:03.799598381 +0300 +@@ -486,7 +486,7 @@ + } + } + +-static void ++static int + plugins_scheduler_fill (plugins_scheduler_t sched) + { + int i; +@@ -500,6 +500,15 @@ + int category; + + category = nvticache_get_category (element->data); ++ if (category < 0) ++ { ++ log_write ("The NVT with oid %s has not category assigned. 
This is " ++ "considered a fatal error, since the NVTI Cache " ++ "structure stored in Redis is out dated or corrupted.", ++ (char *) element->data); ++ g_slist_free_full (list, g_free); ++ return 1; ++ } + scheduler_plugin = g_malloc0 (sizeof (struct scheduler_plugin)); + scheduler_plugin->running_state = PLUGIN_STATUS_UNRUN; + scheduler_plugin->oid = g_strdup (element->data); +@@ -529,6 +538,7 @@ + } + } + ++ return 0; + } + + plugins_scheduler_t +@@ -540,7 +550,11 @@ + /* Fill our lists */ + ret = g_malloc0 (sizeof (*ret)); + ret->hash = hash_init (); +- plugins_scheduler_fill (ret); ++ if (plugins_scheduler_fill (ret)) ++ { ++ plugins_scheduler_free (ret); ++ return NULL; ++ } + + plugins_scheduler_enable (ret, plugins_list, autoload); + +@@ -729,9 +743,12 @@ + void + plugins_scheduler_free (plugins_scheduler_t sched) + { +- int i; +- hash_destroy (sched->hash); +- for (i = ACT_FIRST; i <= ACT_LAST; i++) +- list_destroy (sched->list[i]); +- g_free (sched); ++ if (sched) ++ { ++ int i; ++ hash_destroy (sched->hash); ++ for (i = ACT_FIRST; i <= ACT_LAST; i++) ++ list_destroy (sched->list[i]); ++ g_free (sched); ++ } + } diff --git a/net-analyzer/openvas-scanner/files/openvas-scanner-daemon.conf b/net-analyzer/openvas-scanner/files/openvas-scanner-daemon.conf new file mode 100644 index 000000000000..f14b5aae6f12 --- /dev/null +++ b/net-analyzer/openvas-scanner/files/openvas-scanner-daemon.conf @@ -0,0 +1,9 @@ +# OpenVAS Scanner command args + +# e.g --foreground +OPENVAS_SCANNER_OPTIONS="" + +# Scanner listen socket +OPENVAS_SCANNER_LISTEN_SOCKET="--unix-socket=/var/run/openvassd.sock" + + diff --git a/net-analyzer/openvas-scanner/files/openvas-scanner.init b/net-analyzer/openvas-scanner/files/openvas-scanner.init new file mode 100644 index 000000000000..757b5801f29b --- /dev/null +++ b/net-analyzer/openvas-scanner/files/openvas-scanner.init 
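Review bot: The new early return in `plugins_scheduler_fill` frees `list` and returns 1 while leaving whatever it already appended to `sched->list[]` in place; that is only sound because the same patch makes `plugins_scheduler_init` call `plugins_scheduler_free` on failure and makes that function NULL-tolerant, so the hunks depend on each other and a patch header saying so (and naming the upstream fix, if this is a backport) would stop a future partial rebase. In attack.c the bare `return;` after `error_message_to_client` leaves the enclosing function, which starts well before the hunk, without whatever cleanup its normal exit path performs; check that nothing allocated earlier in that function is leaked on this path. The log text `has not category assigned` should read `has no category assigned`.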
@@ -0,0 +1,25 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+name="OpenVAS Scanner"
+command="/usr/sbin/openvassd"
+command_args="${OPENVAS_SCANNER_OPTIONS} ${OPENVAS_SCANNER_LISTEN_SOCKET}"
+pidfile="/var/run/openvassd.pid"
+command_background="true"
+
+depend() {
+ after bootmisc
+ need localmount net redis
+}
+
+start_pre() {
+ checkpath --directory --mode 0775 --quiet /var/cache/openvas
+}
+
+create_cache() {
+ checkpath --directory --mode 0775 --quiet /var/cache/openvas
+ ebegin "Generating initial Cache"
+ /usr/sbin/openvassd --foreground --only-cache
+ eend $?
+}
diff --git a/net-analyzer/openvas-scanner/files/openvas-scanner.logrotate b/net-analyzer/openvas-scanner/files/openvas-scanner.logrotate
new file mode 100644
index 000000000000..89f9e6d264df
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/openvas-scanner.logrotate
@@ -0,0 +1,11 @@
+# logrotate for openvas scanner
+/var/log/openvas/openvassd.messages {
+ rotate 4
+ weekly
+ compress
+ delaycompress
+ missingok
+ postrotate
+ /bin/kill -HUP `pidof openvassd`
+ endscript
+}
diff --git a/net-analyzer/openvas-scanner/files/openvas-scanner.service b/net-analyzer/openvas-scanner/files/openvas-scanner.service
new file mode 100644
index 000000000000..4f30586ab517
--- /dev/null
+++ b/net-analyzer/openvas-scanner/files/openvas-scanner.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=OpenVAS Scanner
+After=network.target
+After=redis.service
+Before=gvmd.service
+Requires=redis.service
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/openvas/sysconfig/openvas-scanner-daemon.conf
+ExecStart=/usr/sbin/openvassd $OPENVAS_SCANNER_OPTIONS $OPENVAS_SCANNER_LISTEN_SOCKET
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+RestartSec=10
+KillMode=mixed
+User=root
+Group=root
+TimeoutSec=1200
+
+[Install]
+WantedBy=multi-user.target
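Review bot: create_cache is not declared as an extra command, so OpenRC will reject `rc-service openvas-scanner create_cache`; add `extra_commands="create_cache"` next to the other top-level variables. command_background="true" makes start-stop-daemon background the process and write the pidfile itself, which only records the right PID if openvassd stays in the foreground; OPENVAS_SCANNER_OPTIONS defaults to empty and the conf file merely suggests --foreground as an example, so either confirm the daemon does not self-detach or put `--foreground` in command_args unconditionally. The checkpath calls here create /var/cache/openvas while the tmpfiles.d entry in this commit creates /var/cache/openvassd; one of the two paths looks like a typo and the same mismatch applies to that file section.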
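Review bot: The postrotate line `/bin/kill -HUP \`pidof openvassd\`` signals every process named openvassd, which would include any worker processes the scanner has forked for a running scan, and if no process matches it fails with a kill usage error even though missingok was set for the log itself. Since both the init script and the unit in this commit rely on /var/run/openvassd.pid, signal only the daemon through that file: `if [ -s /var/run/openvassd.pid ]; then /bin/kill -HUP "$(cat /var/run/openvassd.pid)"; fi`.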
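Review bot: Type=forking without a PIDFile= leaves systemd guessing the main PID, and both the `ExecReload=/bin/kill -HUP $MAINPID` line and KillMode=mixed depend on that guess being right; add `PIDFile=/var/run/openvassd.pid`, the file the init script already uses, assuming openvassd writes it when it daemonizes (not verifiable from this diff). Requires=redis.service hard-couples the unit to the system redis instance while the package ships its own redis.conf.example; a one-line comment above the [Service] section pointing operators at that example would make the expected setup discoverable.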
diff --git a/net-analyzer/openvas-scanner/files/openvas-scanner.tmpfiles.d b/net-analyzer/openvas-scanner/files/openvas-scanner.tmpfiles.d new file mode 100644 index 000000000000..18e820caec1b --- /dev/null +++ b/net-analyzer/openvas-scanner/files/openvas-scanner.tmpfiles.d @@ -0,0 +1 @@ +d /var/cache/openvassd 0775 diff --git a/net-analyzer/openvas-scanner/files/openvassd.conf b/net-analyzer/openvas-scanner/files/openvassd.conf index 88f83f4bed97..b218a4a27b02 100644 --- a/net-analyzer/openvas-scanner/files/openvassd.conf +++ b/net-analyzer/openvas-scanner/files/openvassd.conf 
@@ -1,118 +1,53 @@ -# Configuration file of the OpenVAS Security Scanner +#You can get detailed informations from https://linux.die.net/man/8/openvassd -# Every line starting with a '#' is a comment - -[Misc] - -# Path to the security checks folder: plugins_folder = /var/lib/openvas/plugins - -# Path to OpenVAS caching folder: -cache_folder = /var/cache/openvas - -# Path to OpenVAS include directories: -# (multiple entries are separated with colon ':') include_folders = /var/lib/openvas/plugins - -# Maximum number of simultaneous hosts tested : max_hosts = 30 - -# Maximum number of simultaneous checks against each host tested : max_checks = 10 -# Niceness. If set to 'yes', openvassd will renice itself to 10. +#Resource friendly be_nice = no -# Log file (or 'syslog') : -logfile = /var/log/openvas/openvassd.log +#Logfile +logfile = /var/log/openvas/openvassd.messages -# Shall we log every details of the attack ? (disk intensive) log_whole_attack = no - -# Log the name of the plugins that are loaded by the server ? log_plugins_name_at_load = no - -# Dump file for debugging output, use `-' for stdout dumpfile = /var/log/openvas/openvassd.dump - -# Rules file : -rules = /etc/openvas/openvassd.rules - -# CGI paths to check for (cgi-bin:/cgi-aws:/ can do) cgi_path = /cgi-bin:/scripts -# Range of the ports the port scanners will scan : -# 'default' means that OpenVAS will scan ports found in its -# services file. 
-port_range = default - -# Optimize the test (recommended) : +#Turn off for push hard but increase false positive and slow down scans optimize_test = yes -# Optimization : -# Read timeout for the sockets of the tests : checks_read_timeout = 5 - -# Ports against which two plugins should not be run simultaneously : -# non_simult_ports = Services/www, 139, Services/finger +network_scan = no non_simult_ports = 139, 445 - -# Maximum lifetime of a plugin (in seconds) : plugins_timeout = 320 +scanner_plugins_timeout = 36000 -# Safe checks rely on banner grabbing : -safe_checks = yes +#Push harder to target +safe_checks = no -# Automatically activate the plugins that are depended on auto_enable_dependencies = yes - -# Do not echo data from plugins which have been automatically enabled -silent_dependencies = no - -# Designate hosts by MAC address, not IP address (useful for DHCP networks) use_mac_addr = no - - -#--- Knowledge base saving (can be configured by the client) : -# Save the knowledge base on disk : -save_knowledge_base = no - -# Restore the KB for each test : -kb_restore = no - -# Only test hosts whose KB we do not have : -only_test_hosts_whose_kb_we_dont_have = no - -# Only test hosts whose KB we already have : -only_test_hosts_whose_kb_we_have = no - -# KB test replay : -kb_dont_replay_scanners = no -kb_dont_replay_info_gathering = no -kb_dont_replay_attacks = no -kb_dont_replay_denials = no -kb_max_age = 864000 -#--- end of the KB section - - -# If this option is set, OpenVAS will not scan a network incrementally -# (10.0.0.1, then 10.0.0.2, 10.0.0.3 and so on..) but will attempt to -# slice the workload throughout the whole network (ie: it will scan -# 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128 and so on... -slice_network_addresses = no - -# Should consider all the NASL scripts as being signed ? 
(unsafe if set to 'yes') nasl_no_signature_check = yes - -#Certificates -cert_file=/var/lib/openvas/CA/servercert.pem -key_file=/var/lib/openvas/private/CA/serverkey.pem -ca_file=/var/lib/openvas/CA/cacert.pem - -# If you decide to protect your private key with a password, -# uncomment and change next line -# pem_password=password -# If you want to force the use of a client certificate, uncomment next line -# force_pubkey_auth = yes - -#end. +drop_privileges = no +unscanned_closed = yes +unscanned_closed_udp = yes +vhosts = +vhosts_ip = +report_host_details = yes + +#Redis listening socket (must be same with redis socket) +kb_location = /tmp/redis.sock + +timeout_retry = 3 +time_between_request = 0 + +#Config File +config_file = /etc/openvas/openvassd.conf + +#Certificates (default these are not needed here but setup-check script looking for them) +cert_file = /var/lib/openvas/CA/servercert.pem +key_file = /var/lib/openvas/private/CA/serverkey.pem +ca_file = /var/lib/openvas/CA/cacert.pem diff --git a/net-analyzer/openvas-scanner/files/redis.conf.example b/net-analyzer/openvas-scanner/files/redis.conf.example new file mode 100644 index 000000000000..6a41211aaae8 --- /dev/null +++ b/net-analyzer/openvas-scanner/files/redis.conf.example 
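Review bot: `safe_checks = no` replaces the previous packaged default `safe_checks = yes`; with safe checks disabled the scanner may run plugins that can crash or hang services on the scanned host, so shipping it disabled as the distribution default is a risky choice that should be an explicit operator opt-in — keep `safe_checks = yes` and leave the "push harder" remark as guidance for those who want it. `kb_location = /tmp/redis.sock` (mirrored by `unixsocket /tmp/redis.sock` in redis.conf.example, the next file section) puts the knowledge-base socket in a shared world-writable directory where the predictable name can be claimed by another local user before redis starts; a path under /run/redis, which the example already uses for its pidfile, avoids that. The new `config_file = /etc/openvas/openvassd.conf` key pointing at the file itself is odd and deserves a comment on why it is needed.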
@@ -0,0 +1,57 @@
+bind 127.0.0.1
+protected-mode yes
+port 0
+tcp-backlog 511
+unixsocket /tmp/redis.sock
+unixsocketperm 700
+timeout 0
+tcp-keepalive 300
+daemonize no
+supervised no
+pidfile /run/redis/redis.pid
+loglevel notice
+logfile /var/log/redis/redis.log
+databases 16
+always-show-logo yes
+stop-writes-on-bgsave-error yes
+rdbcompression yes
+rdbchecksum yes
+dbfilename dump.rdb
+dir /var/lib/redis/
+slave-serve-stale-data yes
+slave-read-only yes
+repl-diskless-sync no
+repl-diskless-sync-delay 5
+repl-disable-tcp-nodelay no
+slave-priority 100
+lazyfree-lazy-eviction no
+lazyfree-lazy-expire no
+lazyfree-lazy-server-del no
+slave-lazy-flush no
+appendonly no
+appendfilename "appendonly.aof"
+appendfsync everysec
+no-appendfsync-on-rewrite no
+auto-aof-rewrite-percentage 100
+auto-aof-rewrite-min-size 64mb
+aof-load-truncated yes
+aof-use-rdb-preamble no
+lua-time-limit 5000
+slowlog-log-slower-than 10000
+slowlog-max-len 128
+latency-monitor-threshold 0
+notify-keyspace-events ""
+hash-max-ziplist-entries 512
+hash-max-ziplist-value 64
+list-max-ziplist-size -2
+list-compress-depth 0
+set-max-intset-entries 512
+zset-max-ziplist-entries 128
+zset-max-ziplist-value 64
+hll-sparse-max-bytes 3000
+activerehashing yes
+client-output-buffer-limit normal 0 0 0
+client-output-buffer-limit slave 256mb 64mb 60
+client-output-buffer-limit pubsub 32mb 8mb 60
+hz 10
+aof-rewrite-incremental-fsync yes
diff --git a/net-analyzer/openvas-scanner/metadata.xml b/net-analyzer/openvas-scanner/metadata.xml
index 6f49eba8f496..fa26aa942e17 100644
--- a/net-analyzer/openvas-scanner/metadata.xml
+++ b/net-analyzer/openvas-scanner/metadata.xml
@@ -1,5 +1,15 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
-<!-- maintainer-needed -->
+ <maintainer type="person">
+ <email>hasan.calisir@psauxit.com</email>
+ <name>Hasan ÇALIŞIR</name>
+ </maintainer>
+ <maintainer type="project">
+ <email>proxy-maint@gentoo.org</email>
+ <name>Proxy Maintainers</name>
+ </maintainer>
+ <use>
+ <flag name="extras">Html docs support</flag>
+ </use>
 </pkgmetadata>
diff --git a/net-analyzer/openvas-scanner/openvas-scanner-5.1.3.ebuild b/net-analyzer/openvas-scanner/openvas-scanner-5.1.3.ebuild
new file mode 100644
index 000000000000..c0e59479a726
--- /dev/null
+++ b/net-analyzer/openvas-scanner/openvas-scanner-5.1.3.ebuild
@@ -0,0 +1,97 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +CMAKE_MAKEFILE_GENERATOR="emake" +inherit cmake-utils systemd +MY_PN="openvas-scanner" + +DESCRIPTION="A remote security scanner for Linux (OpenVAS-scanner)" +HOMEPAGE="http://www.openvas.org/" +SRC_URI="https://github.com/greenbone/${MY_PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz" + +SLOT="0" +LICENSE="GPL-2" +KEYWORDS="~amd64 ~x86" +IUSE="extras" + +DEPEND=" + dev-db/redis + dev-libs/libgcrypt:0= + >=net-analyzer/openvas-libraries-9.0.3 + net-libs/gnutls:=[tools] + net-libs/libssh:= + extras? ( dev-perl/CGI )" + +RDEPEND=" + ${DEPEND} + !net-analyzer/openvas-tools" + +BDEPEND=" + sys-devel/bison + sys-devel/flex + virtual/pkgconfig + extras? ( app-doc/doxygen[dot] + app-doc/xmltoman + app-text/htmldoc + dev-perl/SQL-Translator + )" + +PATCHES=( + "${FILESDIR}/${P}-gcc8.patch" + "${FILESDIR}/${P}-nvt.patch" + "${FILESDIR}/${P}-cachedir.patch" +) + +src_prepare() { + cmake-utils_src_prepare + # Fix for correct FHS/Gentoo policy paths for 5.1.3 + sed -i "s*/doc/openvas-scanner/*/doc/openvas-scanner-${PV}/*g" "$S"/CMakeLists.txt || die + if use extras; then + doxygen -u "$S"/doc/Doxyfile_full.in || die + fi +} + +src_configure() { + local mycmakeargs=( + "-DCMAKE_INSTALL_PREFIX=${EPREFIX}/usr" + "-DLOCALSTATEDIR=${EPREFIX}/var" + "-DSYSCONFDIR=${EPREFIX}/etc" + ) + cmake-utils_src_configure +} + +src_compile() { + cmake-utils_src_compile + if use extras; then + cmake-utils_src_make -C "${BUILD_DIR}" doc + cmake-utils_src_make doc-full -C "${BUILD_DIR}" doc + HTML_DOCS=( "${BUILD_DIR}"/doc/generated/html/. 
) + fi +} + +src_install() { + cmake-utils_src_install + + insinto /etc/openvas + doins "${FILESDIR}"/openvassd.conf "${FILESDIR}"/redis.conf.example + + insinto /etc/openvas/sysconfig + doins "${FILESDIR}"/${MY_PN}-daemon.conf + + insinto /etc/openvas/scripts + doins "${FILESDIR}"/openvas-feed-sync "${FILESDIR}"/first-start + fperms 0755 /etc/openvas/scripts/{openvas-feed-sync,first-start} + + newinitd "${FILESDIR}/${MY_PN}.init" ${MY_PN} + newconfd "${FILESDIR}/${MY_PN}-daemon.conf" ${MY_PN} + + insinto /etc/logrotate.d + newins "${FILESDIR}/${MY_PN}.logrotate" ${MY_PN} + + systemd_newtmpfilesd "${FILESDIR}/${MY_PN}.tmpfiles.d" ${MY_PN}.conf + systemd_dounit "${FILESDIR}"/${MY_PN}.service + + keepdir /var/lib/openvas/plugins +} |
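Review bot: DEPEND lists dev-db/redis, which the scanner only needs at run time (it is reached through kb_location, not linked against), so it belongs in RDEPEND only; since RDEPEND is "${DEPEND}" plus the blocker, move it there, e.g. `RDEPEND="${DEPEND} dev-db/redis !net-analyzer/openvas-tools"`. In src_compile the line `cmake-utils_src_make doc-full -C "${BUILD_DIR}" doc` names both doc-full and doc although the preceding line already built doc, so one of the two targets looks redundant. Installing first-start and openvas-feed-sync as 0755 executables under /etc/openvas/scripts places programs in a configuration directory that CONFIG_PROTECT will treat as config files on upgrade; /usr/libexec/openvas (or dosbin) is the conventional location.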