testing/openvas-scanner: updated init,confd, config files and added daily script for nvt sync

c6225fb3 · Francesco Colista · 26860ec8 · c6225fb3 · c6225fb3 · c6225fb3
Commit c6225fb3 authored 8 years ago by Francesco Colista
--- a/testing/openvas-scanner/APKBUILD
+++ b/testing/openvas-scanner/APKBUILD
@@ -4,7 +4,7 @@ pkgname=openvas-scanner
 _pkgname=openvassd
 pkgver=5.0.5
 _pkgid=2266
-pkgrel=2
+pkgrel=3
 pkgdesc="The OpenVAS scanning Daemon"
 url="http://www.openvas.org/"
 arch="all"
@@ -18,7 +18,9 @@ subpackages="$pkgname-doc"
 source="http://wald.intevation.org/frs/download.php/$_pkgid/$pkgname-$pkgver.tar.gz
 	$_pkgname.initd
 	$_pkgname.confd
+	$_pkgname.conf
 	$_pkgname.logrotate
+	openvas-nvt-sync.cron
 	001-cmakelist-fortify.patch
 	002-execinfo-musl-fix.patch"

@@ -49,6 +51,10 @@ package() {
 	install -Dm644 "$srcdir/$_pkgname.logrotate" "$pkgdir/etc/logrotate.d/$_pkgname"
 	install -m755 -D "$srcdir"/$_pkgname.initd "$pkgdir"/etc/init.d/$_pkgname
 	install -m755 -D "$srcdir"/$_pkgname.confd "$pkgdir"/etc/conf.d/$_pkgname
+	install -m755 -D "$srcdir"/$_pkgname.conf "$pkgdir"/etc/openvas/$_pkgname.conf
+	install -Dm744 "$srcdir"/openvas-nvt-sync.cron \
+		"$pkgdir"/etc/periodic/daily/openvas-nvt-sync
+
 	mkdir -p "$pkgdir"/usr/share/doc/$_pkgname
 	cat >"$pkgdir"/usr/share/doc/$_pkgname/README.alpine <<EOF
 	** In order to make openvas-scanner daemon start, redis server needs to run and  listen to a socket.
@@ -69,20 +75,26 @@ EOF
 } 

 md5sums="8eb30120fa8f5aea3a55c729ca9d4939  openvas-scanner-5.0.5.tar.gz
-d6b82094df510d6b4eb6c752e4234a49  openvassd.initd
-c07496f90bd607accb2f8dd851e86f9f  openvassd.confd
+2343f34f83401016cb01f564e9c6c222  openvassd.initd
+2fe5c960c0e5e8db0e438de417a70e7a  openvassd.confd
+9fbfafb3f5001240d2d869ac3d365adf  openvassd.conf
 a9e8ef884da6a0b33d3b29867d2ffcea  openvassd.logrotate
+99ec960c1646038b41dbac7a8073500c  openvas-nvt-sync.cron
 4ccb1c805294a2ceff8c73bceaa8c064  001-cmakelist-fortify.patch
 12dc0fb6e1c1410ade5762744afaab71  002-execinfo-musl-fix.patch"
 sha256sums="108d8aba9f53ae58b187cb2e297fc5a3e77ac5c2cd9db421fb20598fdfb2ad0a  openvas-scanner-5.0.5.tar.gz
-eca7ad3def89eaf59d7e22eac876c7316f7410c0448c65d86af2505957be8f65  openvassd.initd
-07474a6c6a5e1f0425f025c9293999572ddfa25f638a7d6ff4bc775399cbb667  openvassd.confd
+a842a6d29c5bf82296d771cfd44e152616277ed412b66f8a4ade81ac593d5615  openvassd.initd
+3664ee9dad3627259dafb9494d4a794ccd184a1aeaba06b3b283a7eccd1ee0b8  openvassd.confd
+c01dc363c4423dfa791690b6cef50df8ff46af02bbf008ac07575351ab94e0b3  openvassd.conf
 c4623fe22f777e722915b6a4cf19030fa54a1fb18fe2ee074e3fb2a2fe6b81ed  openvassd.logrotate
+d3666d4cb7b639530a312b1dc49867b3b0de41209ea659924428df2d486cea40  openvas-nvt-sync.cron
 11bf3922c6ae25a5ed9fbc0b5c567c8106058ed424ba2c4c50959c44fee8dfd9  001-cmakelist-fortify.patch
 b5583f364f5b538634759c1df8f3bcd6b4218adcab2e9d18bdfd1904605ecf6d  002-execinfo-musl-fix.patch"
 sha512sums="e439c8abb39e397a9d3842846c09fe7cb13c57294f528ae738bed8f962ac776a10a87d0299145be33b88307a7ab8dcb519808e897457bedba5cf0d02918483c9  openvas-scanner-5.0.5.tar.gz
-bad540e053cfcf46f39026d2468a6e03bf40ed9ad5c89e9b09ff56511e9e94544b354ad5fd1aa6fa2be806167bdbf0bf5d5690e3da2c540b49aadf7010037cbf  openvassd.initd
-7752e97ead538177d597815844cda200411eee2048afa8f978ccd09c7b8c6c53c4b83fa769ddb7ae19d1d1b28779c8ef047dde5a4dc6e8109a8dd8fd1068e883  openvassd.confd
+528fc356c485daf3456e0e8f20ecd7bc93c772dd7afc8ec9d7a485cf89156f433fb4ae29a8b3cac7f126c8fa1ac4ca7f1cc4a10bd2388358fdd2e06a04a3c2e4  openvassd.initd
+a47cf3add7a0e14175ccbae1c24c0e63ea7daf92ffa3e4d1bb988a2342e9b1ebfb597f0d20075ad22219dc2970d69e92bf8a3608cc156d4b5ca84723879bac71  openvassd.confd
+0d203cd2dfcf0b77ce8d2546235de16f23ea71c7e601db557fcd67e9c8dc460029494f1a146daadb44101ae194d7fa4d511a488bb69094e5470de9e10acf008b  openvassd.conf
 5934a31ef4b7267fd741c41bb97fe2e1e42735d2324cce07145de1942efae3f5e42e8652ec0c3482dd53477be420a58124eae943f254105547abf065febb9046  openvassd.logrotate
+92f1700ba15e04f0d830ac04db8c61bffb06104692fd91386a7f67ad8cc4bd1ea92651207a615c4bc56abc3a6c4f2fcf54fad52779fe5c6169d38f98b83513ea  openvas-nvt-sync.cron
 0e0087477ec313709c1d84480e9f2896628807010d039eb066627229e7f694434b66ae7f7cd44d379e714bd7ff23458bc46f721e953c2603d568fc350d2f0572  001-cmakelist-fortify.patch
 5e63b56fc64867c5973eb3593afcf677dc4da900b20d0f82fa24659010da290c0cfc00fe1e67cd2fadd4c58af3df2059120edeef344eedf213ab8a87a0376e49  002-execinfo-musl-fix.patch"
--- a/testing/openvas-scanner/openvas-nvt-sync.cron
+++ b/testing/openvas-scanner/openvas-nvt-sync.cron
+#!/bin/sh
+
+if [ -f /etc/openvas/openvassd.conf ]; then
+	. /etc/openvas/openvassd.conf
+fi
+
+if [ "$auto_plugin_update" != "yes" ]; then
+	exit 0
+fi
+
+opts=""
+case "$update_method" in
+	rsync)
+		opts = "$opts --rsync"
+		;;
+	wget)
+		opts = "$opts --wget"
+		;;
+	curl)
+		opts = "$opts --curl"
+		;;
+esac
+
+# Export openvas-nvt-sync's environment variables if they are defined
+[ \! -z "$NVT_DIR" ] && export NVT_DIR
+[ \! -z "$OV_RSYNC_FEED" ] && export OV_RSYNC_FEED
+[ \! -z "$OV_HTTP_FEED" ] && export OV_HTTP_FEED
+
+/usr/sbin/openvas-nvt-sync $opts >& /dev/null
+
+if [ $? -ne 0 ]; then
+	echo "Error updating OpenVAS plugins. Please run openvas-nvt-sync manually."
+	exit 1
+fi
+
+if [ "$notify_openvas_scanner" == "yes" ]; then
+	/etc/init.d/openvas-scanner reloadplugins
+fi
--- a/testing/openvas-scanner/openvassd.conf
+++ b/testing/openvas-scanner/openvassd.conf
+# Configuration file of the OpenVAS Security Scanner
+
+# Every line starting with a '#' is a comment
+
+[Misc]
+
+# Path to the security checks folder:
+plugins_folder = /var/lib/openvas/plugins
+
+# Path to OpenVAS caching folder:
+cache_folder = /var/cache/openvas
+
+# Path to OpenVAS include directories:
+# (multiple entries are separated with colon ':')
+include_folders = /var/lib/openvas/plugins
+
+# Maximum number of simultaneous hosts tested :
+max_hosts = 30
+
+# Maximum number of simultaneous checks against each host tested :
+max_checks = 10
+
+# Niceness. If set to 'yes', openvassd will renice itself to 10.
+be_nice = no
+
+# Log file (or 'syslog') :
+logfile = /var/log/openvas/openvassd.log
+
+# Shall we log every details of the attack ? (disk intensive)
+log_whole_attack = no
+
+# Log the name of the plugins that are loaded by the server ?
+log_plugins_name_at_load = no
+
+# Dump file for debugging output, use `-' for stdout
+dumpfile = /var/log/openvas/openvassd.dump
+
+# Rules file :
+rules = /etc/openvas/openvassd.rules
+
+# CGI paths to check for (cgi-bin:/cgi-aws:/ can do)
+cgi_path = /cgi-bin:/scripts
+
+# Range of the ports the port scanners will scan :
+# 'default' means that OpenVAS will scan ports found in its
+# services file.
+port_range = default
+
+# Optimize the test (recommended) :
+optimize_test = yes
+
+# Optimization :
+# Read timeout for the sockets of the tests :
+checks_read_timeout = 5
+
+# Ports against which two plugins should not be run simultaneously :
+# non_simult_ports = Services/www, 139, Services/finger
+non_simult_ports = 139, 445
+
+# Maximum lifetime of a plugin (in seconds) :
+plugins_timeout = 320
+
+# Safe checks rely on banner grabbing :
+safe_checks = yes
+
+# Automatically activate the plugins that are depended on
+auto_enable_dependencies = yes
+
+# Do not echo data from plugins which have been automatically enabled
+silent_dependencies = no
+
+# Designate hosts by MAC address, not IP address (useful for DHCP networks)
+use_mac_addr = no
+
+
+#--- Knowledge base saving (can be configured by the client) :
+# Save the knowledge base on disk :
+save_knowledge_base = no
+
+# Restore the KB for each test :
+kb_restore = no
+
+# Only test hosts whose KB we do not have :
+only_test_hosts_whose_kb_we_dont_have = no
+
+# Only test hosts whose KB we already have :
+only_test_hosts_whose_kb_we_have = no
+
+# KB test replay :
+kb_dont_replay_scanners = no
+kb_dont_replay_info_gathering = no
+kb_dont_replay_attacks = no
+kb_dont_replay_denials = no
+kb_max_age = 864000
+#--- end of the KB section
+
+
+# If this option is set, OpenVAS will not scan a network incrementally
+# (10.0.0.1, then 10.0.0.2, 10.0.0.3 and so on..) but will attempt to
+# slice the workload throughout the whole network (ie: it will scan
+# 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128 and so on...
+slice_network_addresses = no
+
+# Should consider all the NASL scripts as being signed ? (unsafe if set to 'yes')
+nasl_no_signature_check = yes
+
+#Certificates
+cert_file=/var/lib/openvas/CA/servercert.pem
+key_file=/var/lib/openvas/private/CA/serverkey.pem
+ca_file=/var/lib/openvas/CA/cacert.pem
+
+# If you decide to protect your private key with a password,
+# uncomment and change next line
+# pem_password=password
+# If you want to force the use of a client certificate, uncomment next line
+# force_pubkey_auth = yes
+
+#end.
--- a/testing/openvas-scanner/openvassd.confd
+++ b/testing/openvas-scanner/openvassd.confd
-# /etc/conf.d/openvassd: config file for /etc/init.d/openvassd
+#Listen on given address - by default scanner listens on all addresses
+#SCANNER_LISTEN=--listen=127.0.0.1
+
+#Listen on given port - by default 9391
+SCANNER_PORT=--port=9391
+
+#Send the packets with the source IP of IP1,IP2,IP3....
+#SCANNER_SRCIP=--src-ip=127.0.0.1,192.168.1.2
+
+# Extra Arguments
+# SCANNER_EXTRA_ARGS=""
+
+# Set to yes if plugins should be automatically updated via a cron job
+auto_plugin_update=no
+
+# Notify OpenVAS scanner after update by seding it SIGHUP?
+notify_openvas_scanner=yes
+
+# Method to use to get updates. The default is via rsync
+# Note that only wget and curl support retrieval via proxy
+# update_method=rsync|wget|curl
+
+# Additionaly, you can specify the following variables
+#NVT_DIR		where to extract plugins (absolute path)
+#OV_RSYNC_FEED		URL of rsync feed
+#OV_HTTP_FEED		URL of http feed

-OPENVAS_USER="root"
-OPENVAS_GROUP="root"
-OPENVAS_STRICT_RIGHT="yes"
--- a/testing/openvas-scanner/openvassd.initd
+++ b/testing/openvas-scanner/openvassd.initd
 #!/sbin/openrc-run
-# Copyright 1999-2010 Gentoo Foundation
+# Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: 
+# $Id$

-depend() {
-	need net
-}
+name="OpenVAS Scanner"
+command="/usr/bin/openvassd"
+command_args="${SCANNER_LISTEN} ${SCANNER_PORT} ${SCANNER_SRCIP} ${SCANNER_EXTRA_ARGS}"
+pidfile="/run/openvassd.pid"
+extra_stopped_commands="create_cache"

-sanity_test() {
-	if [ -z "${OPENVAS_USER}" ] ; then
-		eerror "OPENVAS_USER is empty"
-		return 1
-	fi
-	if [ $OPENVAS_USER != 'root' ] ; then
-		chown -R $OPENVAS_USER:$OPENVAS_GROUP /var/cache/openvas/ /var/lib/openvas/ /var/log/openvas/
-		chgrp -R $OPENVAS_USER /etc/openvas/ /var/lib/openvas/ /usr/share/openvas/openvasmd/global_report_formats/
-		chmod -R g+rX /etc/openvas/ /var/lib/openvas/
-	fi
+depend() {
+	after bootmisc
+	need localmount net
 }

-start() {
-	ebegin "Starting openvassd (scanner) as user ${OPENVAS_USER}"
-	sanity_test || return 1
-	#for using sbin tools when running as non root
-	export PATH="$PATH:/sbin:/usr/sbin"
-	start-stop-daemon --start --name openvassd --user "${OPENVAS_USER}" --exec /usr/bin/openvassd \
-		--pidfile /var/run/openvassd.pid
-	eend $? 
+start_pre() {
+	checkpath --directory --mode 0775 --quiet /var/cache/openvas
 }

-stop() {
-	ebegin "Stop openvassd (scanner)"
-	start-stop-daemon --stop --name openvassd \
-		--pidfile /var/run/openvassd.pid
+create_cache() {
+	checkpath --directory --mode 0775 --quiet /var/cache/openvas
+	ebegin "Generating initial Cache"
+	/usr/bin/openvassd --foreground --only-cache
 	eend $?
 }