From c6225fb3c5fc65bd8ba94dc561f8dd3100a10b9f Mon Sep 17 00:00:00 2001
From: Francesco Colista <fcolista@alpinelinux.org>
Date: Wed, 20 Apr 2016 09:11:28 +0000
Subject: [PATCH] testing/openvas-scanner: updated init,confd, config files and
 added daily script for nvt sync

---
 testing/openvas-scanner/APKBUILD              |  26 ++--
 testing/openvas-scanner/openvas-nvt-sync.cron |  38 ++++++
 testing/openvas-scanner/openvassd.conf        | 118 ++++++++++++++++++
 testing/openvas-scanner/openvassd.confd       |  30 ++++-
 testing/openvas-scanner/openvassd.initd       |  43 +++----
 5 files changed, 217 insertions(+), 38 deletions(-)
 create mode 100644 testing/openvas-scanner/openvas-nvt-sync.cron
 create mode 100644 testing/openvas-scanner/openvassd.conf

diff --git a/testing/openvas-scanner/APKBUILD b/testing/openvas-scanner/APKBUILD
index 5110d553178a..09b3f3af502e 100644
--- a/testing/openvas-scanner/APKBUILD
+++ b/testing/openvas-scanner/APKBUILD
@@ -4,7 +4,7 @@ pkgname=openvas-scanner
 _pkgname=openvassd
 pkgver=5.0.5
 _pkgid=2266
-pkgrel=2
+pkgrel=3
 pkgdesc="The OpenVAS scanning Daemon"
 url="http://www.openvas.org/"
 arch="all"
@@ -18,7 +18,9 @@ subpackages="$pkgname-doc"
 source="http://wald.intevation.org/frs/download.php/$_pkgid/$pkgname-$pkgver.tar.gz
 	$_pkgname.initd
 	$_pkgname.confd
+	$_pkgname.conf
 	$_pkgname.logrotate
+	openvas-nvt-sync.cron
 	001-cmakelist-fortify.patch
 	002-execinfo-musl-fix.patch"
 
@@ -49,6 +51,10 @@ package() {
 	install -Dm644 "$srcdir/$_pkgname.logrotate" "$pkgdir/etc/logrotate.d/$_pkgname"
 	install -m755 -D "$srcdir"/$_pkgname.initd "$pkgdir"/etc/init.d/$_pkgname
 	install -m755 -D "$srcdir"/$_pkgname.confd "$pkgdir"/etc/conf.d/$_pkgname
+	install -m755 -D "$srcdir"/$_pkgname.conf "$pkgdir"/etc/openvas/$_pkgname.conf
+	install -Dm744 "$srcdir"/openvas-nvt-sync.cron \
+		"$pkgdir"/etc/periodic/daily/openvas-nvt-sync
+
 	mkdir -p "$pkgdir"/usr/share/doc/$_pkgname
 	cat >"$pkgdir"/usr/share/doc/$_pkgname/README.alpine <<EOF
 	** In order to make openvas-scanner daemon start, redis server needs to run and  listen to a socket.
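Review bot: `install -m755 -D "$srcdir"/$_pkgname.conf "$pkgdir"/etc/openvas/$_pkgname.conf` (line 44) installs the scanner's configuration file executable and world-readable; it is data, not a program, and the shipped file documents a `pem_password` setting next to the private-key path, so `install -Dm640 "$srcdir"/$_pkgname.conf "$pkgdir"/etc/openvas/$_pkgname.conf` (root-owned, matching the root-run daemon in the new init script) is the mode it should get. The 0744 for the cron job under /etc/periodic/daily is fine. package() starts before this hunk.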
@@ -69,20 +75,26 @@ EOF
 } 
 
 md5sums="8eb30120fa8f5aea3a55c729ca9d4939  openvas-scanner-5.0.5.tar.gz
-d6b82094df510d6b4eb6c752e4234a49  openvassd.initd
-c07496f90bd607accb2f8dd851e86f9f  openvassd.confd
+2343f34f83401016cb01f564e9c6c222  openvassd.initd
+2fe5c960c0e5e8db0e438de417a70e7a  openvassd.confd
+9fbfafb3f5001240d2d869ac3d365adf  openvassd.conf
 a9e8ef884da6a0b33d3b29867d2ffcea  openvassd.logrotate
+99ec960c1646038b41dbac7a8073500c  openvas-nvt-sync.cron
 4ccb1c805294a2ceff8c73bceaa8c064  001-cmakelist-fortify.patch
 12dc0fb6e1c1410ade5762744afaab71  002-execinfo-musl-fix.patch"
 sha256sums="108d8aba9f53ae58b187cb2e297fc5a3e77ac5c2cd9db421fb20598fdfb2ad0a  openvas-scanner-5.0.5.tar.gz
-eca7ad3def89eaf59d7e22eac876c7316f7410c0448c65d86af2505957be8f65  openvassd.initd
-07474a6c6a5e1f0425f025c9293999572ddfa25f638a7d6ff4bc775399cbb667  openvassd.confd
+a842a6d29c5bf82296d771cfd44e152616277ed412b66f8a4ade81ac593d5615  openvassd.initd
+3664ee9dad3627259dafb9494d4a794ccd184a1aeaba06b3b283a7eccd1ee0b8  openvassd.confd
+c01dc363c4423dfa791690b6cef50df8ff46af02bbf008ac07575351ab94e0b3  openvassd.conf
 c4623fe22f777e722915b6a4cf19030fa54a1fb18fe2ee074e3fb2a2fe6b81ed  openvassd.logrotate
+d3666d4cb7b639530a312b1dc49867b3b0de41209ea659924428df2d486cea40  openvas-nvt-sync.cron
 11bf3922c6ae25a5ed9fbc0b5c567c8106058ed424ba2c4c50959c44fee8dfd9  001-cmakelist-fortify.patch
 b5583f364f5b538634759c1df8f3bcd6b4218adcab2e9d18bdfd1904605ecf6d  002-execinfo-musl-fix.patch"
 sha512sums="e439c8abb39e397a9d3842846c09fe7cb13c57294f528ae738bed8f962ac776a10a87d0299145be33b88307a7ab8dcb519808e897457bedba5cf0d02918483c9  openvas-scanner-5.0.5.tar.gz
-bad540e053cfcf46f39026d2468a6e03bf40ed9ad5c89e9b09ff56511e9e94544b354ad5fd1aa6fa2be806167bdbf0bf5d5690e3da2c540b49aadf7010037cbf  openvassd.initd
-7752e97ead538177d597815844cda200411eee2048afa8f978ccd09c7b8c6c53c4b83fa769ddb7ae19d1d1b28779c8ef047dde5a4dc6e8109a8dd8fd1068e883  openvassd.confd
+528fc356c485daf3456e0e8f20ecd7bc93c772dd7afc8ec9d7a485cf89156f433fb4ae29a8b3cac7f126c8fa1ac4ca7f1cc4a10bd2388358fdd2e06a04a3c2e4  openvassd.initd
+a47cf3add7a0e14175ccbae1c24c0e63ea7daf92ffa3e4d1bb988a2342e9b1ebfb597f0d20075ad22219dc2970d69e92bf8a3608cc156d4b5ca84723879bac71  openvassd.confd
+0d203cd2dfcf0b77ce8d2546235de16f23ea71c7e601db557fcd67e9c8dc460029494f1a146daadb44101ae194d7fa4d511a488bb69094e5470de9e10acf008b  openvassd.conf
 5934a31ef4b7267fd741c41bb97fe2e1e42735d2324cce07145de1942efae3f5e42e8652ec0c3482dd53477be420a58124eae943f254105547abf065febb9046  openvassd.logrotate
+92f1700ba15e04f0d830ac04db8c61bffb06104692fd91386a7f67ad8cc4bd1ea92651207a615c4bc56abc3a6c4f2fcf54fad52779fe5c6169d38f98b83513ea  openvas-nvt-sync.cron
 0e0087477ec313709c1d84480e9f2896628807010d039eb066627229e7f694434b66ae7f7cd44d379e714bd7ff23458bc46f721e953c2603d568fc350d2f0572  001-cmakelist-fortify.patch
 5e63b56fc64867c5973eb3593afcf677dc4da900b20d0f82fa24659010da290c0cfc00fe1e67cd2fadd4c58af3df2059120edeef344eedf213ab8a87a0376e49  002-execinfo-musl-fix.patch"
diff --git a/testing/openvas-scanner/openvas-nvt-sync.cron b/testing/openvas-scanner/openvas-nvt-sync.cron
new file mode 100644
index 000000000000..ff1729f9f80a
--- /dev/null
+++ b/testing/openvas-scanner/openvas-nvt-sync.cron
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+if [ -f /etc/openvas/openvassd.conf ]; then
+	. /etc/openvas/openvassd.conf
+fi
+
+if [ "$auto_plugin_update" != "yes" ]; then
+	exit 0
+fi
+
+opts=""
+case "$update_method" in
+	rsync)
+		opts = "$opts --rsync"
+		;;
+	wget)
+		opts = "$opts --wget"
+		;;
+	curl)
+		opts = "$opts --curl"
+		;;
+esac
+
+# Export openvas-nvt-sync's environment variables if they are defined
+[ \! -z "$NVT_DIR" ] && export NVT_DIR
+[ \! -z "$OV_RSYNC_FEED" ] && export OV_RSYNC_FEED
+[ \! -z "$OV_HTTP_FEED" ] && export OV_HTTP_FEED
+
+/usr/sbin/openvas-nvt-sync $opts >& /dev/null
+
+if [ $? -ne 0 ]; then
+	echo "Error updating OpenVAS plugins. Please run openvas-nvt-sync manually."
+	exit 1
+fi
+
+if [ "$notify_openvas_scanner" == "yes" ]; then
+	/etc/init.d/openvas-scanner reloadplugins
+fi
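Review bot: The job sources `/etc/openvas/openvassd.conf` (lines 92–93), but that is the INI-style scanner config added by this same patch (`[Misc]`, `key = value`), which sh cannot source — `[Misc]` is a malformed test and each `key = value` line runs `key` as a command — while the variables actually tested here (auto_plugin_update, update_method, notify_openvas_scanner, NVT_DIR, OV_*_FEED) are defined in /etc/conf.d/openvassd, so auto_plugin_update is never "yes" and the job silently exits 0 every day. Were it to get further, `opts = "$opts --rsync"` (spaces around `=`) is a command invocation rather than an assignment, `>& /dev/null` is a bash-only redirect that POSIX/busybox sh rejects as a bad fd number, and `/etc/init.d/openvas-scanner reloadplugins` names neither the installed init script (the APKBUILD installs it as /etc/init.d/openvassd) nor any command that script defines. Discarding stderr and then printing a generic message also throws away the only diagnostic the admin gets; keep stderr and send the message there. Rewritten lines below; they assume a `reload` command is added to the openvassd init script, and whether SIGHUP actually makes openvassd re-read its plugins I could not confirm from the patch.
```shell
if [ -f /etc/conf.d/openvassd ]; then
	. /etc/conf.d/openvassd
fi
# … unchanged: auto_plugin_update check …
opts=""
case "$update_method" in
	rsync) opts="$opts --rsync" ;;
	wget)  opts="$opts --wget" ;;
	curl)  opts="$opts --curl" ;;
esac
# … unchanged: NVT_DIR / OV_RSYNC_FEED / OV_HTTP_FEED exports …
if ! /usr/sbin/openvas-nvt-sync $opts >/dev/null; then
	echo "Error updating OpenVAS plugins. Please run openvas-nvt-sync manually." >&2
	exit 1
fi

if [ "$notify_openvas_scanner" = "yes" ]; then
	/etc/init.d/openvassd reload
fi
```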
diff --git a/testing/openvas-scanner/openvassd.conf b/testing/openvas-scanner/openvassd.conf
new file mode 100644
index 000000000000..88f83f4bed97
--- /dev/null
+++ b/testing/openvas-scanner/openvassd.conf
@@ -0,0 +1,118 @@
+# Configuration file of the OpenVAS Security Scanner
+
+# Every line starting with a '#' is a comment
+
+[Misc]
+
+# Path to the security checks folder:
+plugins_folder = /var/lib/openvas/plugins
+
+# Path to OpenVAS caching folder:
+cache_folder = /var/cache/openvas
+
+# Path to OpenVAS include directories:
+# (multiple entries are separated with colon ':')
+include_folders = /var/lib/openvas/plugins
+
+# Maximum number of simultaneous hosts tested :
+max_hosts = 30
+
+# Maximum number of simultaneous checks against each host tested :
+max_checks = 10
+
+# Niceness. If set to 'yes', openvassd will renice itself to 10.
+be_nice = no
+
+# Log file (or 'syslog') :
+logfile = /var/log/openvas/openvassd.log
+
+# Shall we log every details of the attack ? (disk intensive)
+log_whole_attack = no
+
+# Log the name of the plugins that are loaded by the server ?
+log_plugins_name_at_load = no
+
+# Dump file for debugging output, use `-' for stdout
+dumpfile = /var/log/openvas/openvassd.dump
+
+# Rules file :
+rules = /etc/openvas/openvassd.rules
+
+# CGI paths to check for (cgi-bin:/cgi-aws:/ can do)
+cgi_path = /cgi-bin:/scripts
+
+# Range of the ports the port scanners will scan :
+# 'default' means that OpenVAS will scan ports found in its
+# services file.
+port_range = default
+
+# Optimize the test (recommended) :
+optimize_test = yes
+
+# Optimization :
+# Read timeout for the sockets of the tests :
+checks_read_timeout = 5
+
+# Ports against which two plugins should not be run simultaneously :
+# non_simult_ports = Services/www, 139, Services/finger
+non_simult_ports = 139, 445
+
+# Maximum lifetime of a plugin (in seconds) :
+plugins_timeout = 320
+
+# Safe checks rely on banner grabbing :
+safe_checks = yes
+
+# Automatically activate the plugins that are depended on
+auto_enable_dependencies = yes
+
+# Do not echo data from plugins which have been automatically enabled
+silent_dependencies = no
+
+# Designate hosts by MAC address, not IP address (useful for DHCP networks)
+use_mac_addr = no
+
+
+#--- Knowledge base saving (can be configured by the client) :
+# Save the knowledge base on disk :
+save_knowledge_base = no
+
+# Restore the KB for each test :
+kb_restore = no
+
+# Only test hosts whose KB we do not have :
+only_test_hosts_whose_kb_we_dont_have = no
+
+# Only test hosts whose KB we already have :
+only_test_hosts_whose_kb_we_have = no
+
+# KB test replay :
+kb_dont_replay_scanners = no
+kb_dont_replay_info_gathering = no
+kb_dont_replay_attacks = no
+kb_dont_replay_denials = no
+kb_max_age = 864000
+#--- end of the KB section
+
+
+# If this option is set, OpenVAS will not scan a network incrementally
+# (10.0.0.1, then 10.0.0.2, 10.0.0.3 and so on..) but will attempt to
+# slice the workload throughout the whole network (ie: it will scan
+# 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128 and so on...
+slice_network_addresses = no
+
+# Should consider all the NASL scripts as being signed ? (unsafe if set to 'yes')
+nasl_no_signature_check = yes
+
+#Certificates
+cert_file=/var/lib/openvas/CA/servercert.pem
+key_file=/var/lib/openvas/private/CA/serverkey.pem
+ca_file=/var/lib/openvas/CA/cacert.pem
+
+# If you decide to protect your private key with a password,
+# uncomment and change next line
+# pem_password=password
+# If you want to force the use of a client certificate, uncomment next line
+# force_pubkey_auth = yes
+
+#end.
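Review bot: `nasl_no_signature_check = yes` (line 238) ships the scanner with NASL signature verification disabled — the line's own comment calls that unsafe — and this patch also adds a daily feed sync that pulls scripts over rsync or plain HTTP (per the confd), so anything that lands in /var/lib/openvas/plugins is executed by openvassd, which the new init script starts as root. If the package cannot ship the feed signing keyring so that `no` would work out of the box, at least make the trade-off explicit at the line and in README.alpine: `# Alpine: signature checking is off because no feed keyring is installed; set to 'no' once the OpenVAS feed signing key is imported.` `force_pubkey_auth` is likewise left commented out, so the listener does not require a client certificate; that deserves a sentence in README.alpine as well.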
diff --git a/testing/openvas-scanner/openvassd.confd b/testing/openvas-scanner/openvassd.confd
index 0d27b1511bb2..d48adef151ef 100644
--- a/testing/openvas-scanner/openvassd.confd
+++ b/testing/openvas-scanner/openvassd.confd
@@ -1,5 +1,27 @@
-# /etc/conf.d/openvassd: config file for /etc/init.d/openvassd
+#Listen on given address - by default scanner listens on all addresses
+#SCANNER_LISTEN=--listen=127.0.0.1
+
+#Listen on given port - by default 9391
+SCANNER_PORT=--port=9391
+
+#Send the packets with the source IP of IP1,IP2,IP3....
+#SCANNER_SRCIP=--src-ip=127.0.0.1,192.168.1.2
+
+# Extra Arguments
+# SCANNER_EXTRA_ARGS=""
+
+# Set to yes if plugins should be automatically updated via a cron job
+auto_plugin_update=no
+
+# Notify OpenVAS scanner after update by seding it SIGHUP?
+notify_openvas_scanner=yes
+
+# Method to use to get updates. The default is via rsync
+# Note that only wget and curl support retrieval via proxy
+# update_method=rsync|wget|curl
+
+# Additionaly, you can specify the following variables
+#NVT_DIR		where to extract plugins (absolute path)
+#OV_RSYNC_FEED		URL of rsync feed
+#OV_HTTP_FEED		URL of http feed
 
-OPENVAS_USER="root"
-OPENVAS_GROUP="root"
-OPENVAS_STRICT_RIGHT="yes"
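Review bot: With `SCANNER_LISTEN` commented out the packaged default — as the comment on line 258 itself says — binds the scanner on all addresses on port 9391, so a fresh install exposes the scanner port on every interface, and openvassd.conf in this patch leaves `force_pubkey_auth` commented out too; shipping `SCANNER_LISTEN=--listen=127.0.0.1` enabled and letting a remote-manager deployment widen it is the safer default. `OPENVAS_USER`/`OPENVAS_GROUP` are removed with no replacement, so the daemon now runs as root unconditionally; if that is intended (raw sockets for the port scanners) a one-line comment here saying so would save the next reader a search. The variables `auto_plugin_update`, `notify_openvas_scanner`, `update_method`, NVT_DIR and OV_*_FEED are documented here, but the cron job added in this patch reads /etc/openvas/openvassd.conf instead, so as written they never take effect. Typos: `seding` → `sending`, `Additionaly` → `Additionally`.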
diff --git a/testing/openvas-scanner/openvassd.initd b/testing/openvas-scanner/openvassd.initd
index 560141d74f86..4b4de5e515b5 100644
--- a/testing/openvas-scanner/openvassd.initd
+++ b/testing/openvas-scanner/openvassd.initd
@@ -1,37 +1,26 @@
 #!/sbin/openrc-run
-# Copyright 1999-2010 Gentoo Foundation
+# Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: 
+# $Id$
 
-depend() {
-	need net
-}
+name="OpenVAS Scanner"
+command="/usr/bin/openvassd"
+command_args="${SCANNER_LISTEN} ${SCANNER_PORT} ${SCANNER_SRCIP} ${SCANNER_EXTRA_ARGS}"
+pidfile="/run/openvassd.pid"
+extra_stopped_commands="create_cache"
 
-sanity_test() {
-	if [ -z "${OPENVAS_USER}" ] ; then
-		eerror "OPENVAS_USER is empty"
-		return 1
-	fi
-	if [ $OPENVAS_USER != 'root' ] ; then
-		chown -R $OPENVAS_USER:$OPENVAS_GROUP /var/cache/openvas/ /var/lib/openvas/ /var/log/openvas/
-		chgrp -R $OPENVAS_USER /etc/openvas/ /var/lib/openvas/ /usr/share/openvas/openvasmd/global_report_formats/
-		chmod -R g+rX /etc/openvas/ /var/lib/openvas/
-	fi
+depend() {
+	after bootmisc
+	need localmount net
 }
 
-start() {
-	ebegin "Starting openvassd (scanner) as user ${OPENVAS_USER}"
-	sanity_test || return 1
-	#for using sbin tools when running as non root
-	export PATH="$PATH:/sbin:/usr/sbin"
-	start-stop-daemon --start --name openvassd --user "${OPENVAS_USER}" --exec /usr/bin/openvassd \
-		--pidfile /var/run/openvassd.pid
-	eend $? 
+start_pre() {
+	checkpath --directory --mode 0775 --quiet /var/cache/openvas
 }
 
-stop() {
-	ebegin "Stop openvassd (scanner)"
-	start-stop-daemon --stop --name openvassd \
-		--pidfile /var/run/openvassd.pid
+create_cache() {
+	checkpath --directory --mode 0775 --quiet /var/cache/openvas
+	ebegin "Generating initial Cache"
+	/usr/bin/openvassd --foreground --only-cache
 	eend $?
 }
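Review bot: `checkpath --directory --mode 0775 --quiet /var/cache/openvas` (in start_pre and again in create_cache) creates a group-writable cache directory with no `--owner`, i.e. root:root; nothing in this script drops privileges any more (the old `--user "${OPENVAS_USER}"` is gone), so the group bit only widens who can tamper with data a root daemon reads — `--mode 0755` is the right default, and create_cache can call `start_pre` instead of repeating the line. The cron job added in this patch wants to notify the running scanner after a feed update, but this script defines no such command (only `create_cache`); a `reload()` sending SIGHUP via `start-stop-daemon --signal HUP --pidfile "$pidfile"` fills that gap, assuming openvassd re-reads plugins on SIGHUP as the confd comment says. `pidfile="/run/openvassd.pid"` without `command_background` relies on openvassd writing exactly that path when it forks; I could not confirm the path from the patch, and if it differs `stop` and the reload below will fail, so it is worth verifying on a test install.
```shell
extra_stopped_commands="create_cache"
extra_started_commands="reload"

start_pre() {
	checkpath --directory --mode 0755 --quiet /var/cache/openvas
}

# Ask a running scanner to re-read its plugin set (assumes openvassd
# handles SIGHUP that way, as /etc/conf.d/openvassd says).
reload() {
	ebegin "Reloading OpenVAS Scanner plugins"
	start-stop-daemon --signal HUP --pidfile "$pidfile"
	eend $?
}

create_cache() {
	start_pre
	ebegin "Generating initial Cache"
	/usr/bin/openvassd --foreground --only-cache
	eend $?
}
```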
-- 
GitLab