====== Installing an OpenVAS host vulnerability-scanning setup ======
  * Alpine 3.19 + Docker Compose
  * vCPU: 4
  * RAM: 8GB
  * SSD: 60GB
===== Installation procedure =====
  * Download the compose file and the environment template (saved as docker-compose.yml and .env):
<code bash>
curl -f -L https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/docker-compose.yml -o docker-compose.yml
curl -f -L https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/.env.example -o .env
</code>
  * {{repo>https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/docker-compose.yml | docker-compose.yml}}
  * Adjust the settings to your needs:
    - gsa: change the listen IP:port from 127.0.0.1:9392:80 (local host only) to 0.0.0.0:9392:80 (accept all sources)
    - openvasd: enable the API service on listen IP:port 0.0.0.0:3000:80
  * Both bindings make the web UI and the openvasd API reachable from every interface of the host, so make sure the host firewall limits who can reach ports 9392 and 3000.
  * {{repo>https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/.env.example | .env}}
  * Edit the SMTP settings in .env
  * Start the services:
<code bash>
docker compose up -d
docker compose logs -f
</code>
  * Set the administrator account password (put the password you want between the quotes):
<code bash>
docker compose exec -u gvmd gvmd gvmd --user=admin --new-password=''
</code>
  * Open the management web UI at http://server-ip:9392 (log in as admin with the password you set) \\ {{:tech:螢幕擷取畫面_2024-07-16_152348.png|}} \\ {{:tech:螢幕擷取畫面_2024-07-16_152453.png|}}
  * Check the vulnerability feed update status \\ {{:tech:螢幕擷取畫面_2024-07-16_153723.png|}}
  * Set up the update script:
<code bash>
wget https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/update.sh
</code>
  * {{repo>https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/update.sh | update.sh}}
  * Make it executable:
<code bash>
chmod a+x update.sh
</code>
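The two port changes in the procedure are the security-relevant part of the setup: a mapping with 0.0.0.0 as host address, or with no host address at all, is published on every interface of the host. The script below is an added example (not part of the page or of the tryweb/docker-compose project) that reads the ports: entries of a compose file and flags every mapping that is not bound to 127.0.0.1; the compose fragment it checks is constructed for the example and only mirrors the two edits above.

```shell
#!/bin/sh
# Added example: report host port bindings in a docker-compose.yml and flag
# those reachable from all interfaces. Not part of the page or of the
# tryweb/docker-compose project; the sample compose file below is constructed.

# exposed_ports FILE
# Prints one line per published port: "<local|EXPOSED> <host>:<port> -> <container port>".
# A mapping with no host address ("9392:80") is published on 0.0.0.0 by Docker,
# so it is reported as EXPOSED as well.
exposed_ports() {
    awk '
        /^[[:space:]]*ports:[[:space:]]*$/ { inports = 1; next }
        inports && /^[[:space:]]*-/ {
            m = $0
            gsub(/[^0-9.:]/, "", m)           # drop "- ", quotes, whitespace and a /udp suffix
            if (m ~ /^[0-9.]+(:[0-9]+)+$/) {  # "host:hostport:cport" or "hostport:cport"
                n = split(m, p, ":")
                if (n == 3) { host = p[1]; port = p[2] }
                else        { host = "0.0.0.0"; port = p[1] }
                status = (host == "127.0.0.1") ? "local" : "EXPOSED"
                print status, host ":" port, "->", p[n]
            }
            next
        }
        inports { inports = 0 }               # any other key ends the ports list
    ' "$1"
}

# has_exposed_ports FILE: returns 0 when at least one mapping is EXPOSED
has_exposed_ports() {
    exposed_ports "$1" | grep -q '^EXPOSED'
}

# Constructed sample mirroring the two port edits made in the procedure above.
SAMPLE_COMPOSE=$(mktemp)
cat > "$SAMPLE_COMPOSE" <<'EOF'
services:
  gsa:
    image: greenbone/gsa:stable
    ports:
      - 127.0.0.1:9392:80
  openvasd:
    image: greenbone/openvas-scanner:stable
    ports:
      - "0.0.0.0:3000:80"
    environment:
      LOG_LEVEL: 1
EOF

exposed_ports "$SAMPLE_COMPOSE"
if has_exposed_ports "$SAMPLE_COMPOSE"; then
    echo "some services are published on all interfaces; check the host firewall"
fi
```

Run it against the real docker-compose.yml after editing; every EXPOSED line is a port that needs either a firewall rule or the original 127.0.0.1 binding. Mappings written in the long YAML form (target:/published:) and IPv6 addresses are not parsed by this simple awk filter.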
===== Problems and solutions =====
==== 1. Updating the vulnerability feeds manually ====
  * Updating only the notus-data, vulnerability-tests, scap-data, dfn-cert-data, cert-bund-data, report-formats and data-objects containers seems to leave the system not working afterwards; stopping and restarting the whole stack after the update brings it back to normal operation:
<code bash>
docker compose stop
docker compose pull
docker compose up -d
</code>
  * Progress can be followed in the gvmd log:
<code bash>
docker compose logs -f gvmd
</code>
When messages like the following appear, the feeds have been updated and the service has started correctly:
<code>
:
gvmd-1 | md manage: INFO:2024-07-25 15h12.53 utc:73: Updating CVSS scores and CVE counts for CPEs
gvmd-1 | md manage: INFO:2024-07-25 15h14.21 utc:73: Updating placeholder CPEs
gvmd-1 | md manage: INFO:2024-07-25 15h14.34 utc:73: Updating Max CVSS for DFN-CERT
gvmd-1 | md manage: INFO:2024-07-25 15h14.36 utc:73: Updating DFN-CERT CVSS max succeeded.
gvmd-1 | md manage: INFO:2024-07-25 15h14.36 utc:73: Updating Max CVSS for CERT-Bund
gvmd-1 | md manage: INFO:2024-07-25 15h14.37 utc:73: Updating CERT-Bund CVSS max succeeded.
gvmd-1 | md manage: INFO:2024-07-25 15h14.38 utc:73: update_scap_end: Updating SCAP info succeeded
gvmd-1 | md manage: INFO:2024-07-25 15h14.39 utc:70: Assigning EPSS scores to VTs
gvmd-1 | md manage: INFO:2024-07-25 15h14.56 utc:209: OSP service has different VT status (version 202407250605) from database (version 202407240611, 141853 VTs). Starting update ...
gvmd-1 | md manage: INFO:2024-07-25 15h15.34 utc:209: Updating VTs in database ... 3 new VTs, 204 changed VTs
gvmd-1 | md manage: INFO:2024-07-25 15h15.35 utc:209: Updating VTs in database ... done (141873 VTs).
gvmd-1 | md manage: INFO:2024-07-25 15h15.35 utc:207: Assigning EPSS scores to VTs
</code>
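The restart only counts as successful once gvmd has finished loading the new VTs, so it is handy to check the log mechanically instead of eyeballing it. The function below is an added example (not part of the page or of gvmd): it reads gvmd log lines on stdin and reports whether a feed update that was started (the "OSP service has different VT status ... Starting update" line) also reached the "Updating VTs in database ... done" line. The sample input is the log excerpt above.

```shell
#!/bin/sh
# Added example (not part of the page or of gvmd): decide from gvmd log text
# whether a VT feed update that started has also finished.
# Reads log lines on stdin. Prints the final VT count and returns 0 when a
# "Starting update" line is followed by a "done (N VTs)" line; returns 1 if the
# update started but has not finished yet and 2 if no update was seen at all.
vt_update_done() {
    awk '
        /OSP service has different VT status/ { started = 1; count = "" }
        started && /Updating VTs in database \.\.\. done \(/ {
            # pull the number out of "done (141873 VTs)": skip "done (" (6 chars)
            # and drop " VTs)" (5 chars) from the matched length
            if (match($0, /done \([0-9]+ VTs\)/))
                count = substr($0, RSTART + 6, RLENGTH - 11)
        }
        END {
            if (started && count != "") { print count; exit 0 }
            if (started) { print "VT update started but not finished" > "/dev/stderr"; exit 1 }
            print "no VT update seen" > "/dev/stderr"; exit 2
        }
    '
}

# Constructed sample: the completion lines from the gvmd log excerpt above.
SAMPLE_LOG='gvmd-1 | md manage: INFO:2024-07-25 15h14.39 utc:70: Assigning EPSS scores to VTs
gvmd-1 | md manage: INFO:2024-07-25 15h14.56 utc:209: OSP service has different VT status (version 202407250605) from database (version 202407240611, 141853 VTs). Starting update ...
gvmd-1 | md manage: INFO:2024-07-25 15h15.34 utc:209: Updating VTs in database ... 3 new VTs, 204 changed VTs
gvmd-1 | md manage: INFO:2024-07-25 15h15.35 utc:209: Updating VTs in database ... done (141873 VTs).'

# The same excerpt cut off before the "done" line, as the log looks mid-update.
PARTIAL_LOG=$(printf '%s\n' "$SAMPLE_LOG" | head -n 3)

if n=$(printf '%s\n' "$SAMPLE_LOG" | vt_update_done); then
    echo "VT update finished, $n VTs loaded"
fi
# On a live stack: docker compose logs --no-color gvmd | vt_update_done
```

The exit code makes the function usable as a gate in the update script: keep polling the log until it returns 0 before treating the restart as done, and alert if it still returns 1 after a reasonable timeout.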
==== 2. Mail (SMTP) configuration and debugging ====
  * Reference: https://greenbone.github.io/docs/latest/22.4/container/workflows.html#setting-up-a-mail-transport-agent-inside-docker-container
  * If a Test Alert reports an error, you can debug inside the gvmd container:
<code bash>
docker exec -it root-gvmd-1 bash
</code>
    - Check that the environment variables are correct, e.g.:
<code>
root@1b2fce44fcf3:/# env
MTA_PORT=587
HOSTNAME=1b2fce44fcf3
MTA_STARTTLS=on
MTA_PASSWORD=xxxPasswordxxx
MTA_TLS=on
PWD=/
MTA_USER=jonathan
HOME=/root
MTA_AUTH=on
MTA_HOST=smtp.gmail.com
TERM=xterm
MTA_FROM=jonathan@gmail.com
SHLVL=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
</code>
    - Send a test mail to see the problem (the message body is typed in and ended with a line containing only a dot), e.g.:
<code>
root@1b2fce44fcf3:/# msmtp -d -f jonathan@gmail.com jonathan@ichiayi.com
aaa
bbb
ccc
.
loaded system configuration file /etc/msmtprc
ignoring user configuration file /root/.msmtprc: No such file or directory
falling back to default account
:
:
aliases = (not set)
reading recipients from the command line
<-- 220 smtp.gmail.com ESMTP ready
--> EHLO localhost
<-- 250-smtp.gmail.com
<-- 250-PIPELINING
<-- 250-SIZE 50000000
<-- 250-ETRN
<-- 250-ENHANCEDSTATUSCODES
<-- 250-8BITMIME
<-- 250-DSN
<-- 250 STARTTLS
--> STARTTLS
<-- 220 2.0.0 Start TLS
msmtp: TLS certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.
msmtp: could not send mail (account default from /etc/msmtprc)
</code>
    - The problem turned out to be that the server certificate could not be verified; it is fixed by installing or updating the trusted root certificates inside the container:
<code bash>
apt update
apt install ca-certificates -y
</code>
If you have already left the container, run the same commands through docker exec:
<code bash>
docker exec root-gvmd-1 apt update
docker exec root-gvmd-1 apt install ca-certificates -y
</code>
Packages installed this way live in the container's writable layer and are gone once the container is recreated (for example after the update procedure in section 1), so the step has to be repeated or baked into the image.
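The debugging steps above boil down to two questions: are the MTA_* variables complete and sane, and can msmtp verify the server certificate. The function below is an added example (not part of the page or of Greenbone's container images) that answers both from an env dump like the one shown and the path of the CA bundle that the ca-certificates package provides on Debian-based images (/etc/ssl/certs/ca-certificates.crt); the env dumps it checks are constructed, with a placeholder password. It also flags MTA_AUTH=on without MTA_TLS=on, which would send the mail password in clear text.

```shell
#!/bin/sh
# Added example (not from the page or from Greenbone's images): sanity-check the
# MTA_* settings of the gvmd container and the CA bundle msmtp needs for TLS.
# check_mta_config ENVFILE [CA_BUNDLE]
#   ENVFILE   : "KEY=value" lines, e.g. the output of `env` inside the container
#   CA_BUNDLE : path of the trusted root store (default: Debian's ca-certificates)
# Prints one finding per line; the return value is the number of findings, so 0
# means nothing to fix.
check_mta_config() {
    envfile="$1"
    cabundle="${2:-/etc/ssl/certs/ca-certificates.crt}"
    findings=0
    for key in MTA_HOST MTA_PORT MTA_USER MTA_PASSWORD MTA_FROM; do
        if ! grep -q "^${key}=." "$envfile"; then
            echo "missing: $key is not set"
            findings=$((findings + 1))
        fi
    done
    tls=$(sed -n 's/^MTA_TLS=//p' "$envfile")
    auth=$(sed -n 's/^MTA_AUTH=//p' "$envfile")
    if [ "$auth" = "on" ] && [ "$tls" != "on" ]; then
        echo "insecure: MTA_AUTH=on but MTA_TLS=${tls:-unset}; the password would be sent in clear text"
        findings=$((findings + 1))
    fi
    if [ "$tls" = "on" ] && [ ! -s "$cabundle" ]; then
        echo "missing: CA bundle $cabundle; msmtp cannot verify the server certificate (install ca-certificates)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed env dump with the same keys as the container output above
# (the password is a placeholder).
GOOD_ENV=$(mktemp)
cat > "$GOOD_ENV" <<'EOF'
MTA_PORT=587
MTA_STARTTLS=on
MTA_PASSWORD=xxxPasswordxxx
MTA_TLS=on
MTA_USER=jonathan
MTA_AUTH=on
MTA_HOST=smtp.gmail.com
MTA_FROM=jonathan@gmail.com
EOF

# Constructed broken variant: no password and TLS switched off.
BAD_ENV=$(mktemp)
sed -e '/^MTA_PASSWORD=/d' -e 's/^MTA_TLS=on/MTA_TLS=off/' "$GOOD_ENV" > "$BAD_ENV"

# A CA bundle path that does not exist, reproducing the "certificate issuer is
# unknown" situation before ca-certificates was installed.
MISSING_CA="$GOOD_ENV.no-ca-bundle"

check_mta_config "$GOOD_ENV" "$MISSING_CA" || echo "-> $? finding(s) for the good env without a CA bundle"
check_mta_config "$BAD_ENV" "$MISSING_CA" || echo "-> $? finding(s) for the broken env"
```

Inside the container it can be run as `env > /tmp/mta.env; check_mta_config /tmp/mta.env`; the CA-bundle finding is exactly the state the msmtp -d session above ended in, and disappears after the apt install.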
==== 3. Disk space consumed by openvas.log ====
  * The scanner log is written mainly to /var/lib/docker/volumes/root_openvas_log_data_vol/_data/openvas.log
  * If this log file is left alone it can grow beyond 100G after a while
  * Solutions:
    - Delete it as part of the periodic update cycle; docker compose recreates it on start-up:
<code bash>
docker compose down
rm /var/lib/docker/volumes/root_openvas_log_data_vol/_data/openvas.log
docker compose pull
docker compose up -d
</code>
    - Set the environment variable LOG_LEVEL: 1 (only ERROR and WARNING are logged):
<code bash>
vi docker-compose.yml
</code>
<code yaml>
:
  # Sets log level of openvas to the set LOG_LEVEL within the env
  # and changes log output to /var/log/openvas instead /var/log/gvm
  # to reduce likelihood of unwanted log interferences
  configure-openvas:
    image: greenbone/openvas-scanner:stable
    environment:
      LOG_LEVEL: 1
    volumes:
      - openvas_data_vol:/mnt
      - openvas_log_data_vol:/var/log/openvas
    command:
      - /bin/sh
      - -c
      - |
:
</code>
Restart docker compose:
<code bash>
docker compose down
docker compose up -d
</code>
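The rm in the first solution only frees the space because the stack is stopped first: on Linux, deleting a file that a running process still has open keeps its blocks allocated until that process closes it. The script below is an added example (not from the page) of the alternative for a cron job that must not stop the scanner: it truncates the file in place once it exceeds a limit, which frees the space immediately even while openvas keeps writing. It goes beyond the page's own approach; the log path is the one from this section and the 10 GiB limit is an assumption.

```shell
#!/bin/sh
# Added example (not from the page): cap openvas.log without stopping the stack.
# Deleting a file that the scanner still holds open does not free its blocks until
# the process closes it, so the file is truncated in place instead; ": > file"
# (same effect as truncate -s 0) works on an open file and frees the space at once.

# truncate_if_larger FILE MAX_BYTES
# Returns 0 if the file was truncated, 1 if it was within the limit, 2 if it is missing.
truncate_if_larger() {
    file="$1"
    max="$2"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -gt "$max" ]; then
        : > "$file"
        echo "truncated $file ($size bytes > $max)"
        return 0
    fi
    return 1
}

# Path from this section and an assumed 10 GiB limit; adjust both to taste.
OPENVAS_LOG=/var/lib/docker/volumes/root_openvas_log_data_vol/_data/openvas.log
MAX_BYTES=10737418240

if [ "$#" -eq 2 ]; then
    # Explicit invocation, e.g. from cron on the Docker host:
    #   sh cap_openvas_log.sh "$OPENVAS_LOG" "$MAX_BYTES"
    truncate_if_larger "$1" "$2"
else
    # Demonstration on a constructed 2 MiB file with a 1 MiB limit, so the
    # example never touches the real log when run without arguments.
    DEMO=$(mktemp)
    dd if=/dev/zero of="$DEMO" bs=1024 count=2048 2>/dev/null
    truncate_if_larger "$DEMO" 1048576
    echo "size after truncation: $(wc -c < "$DEMO" | tr -d ' ') bytes"
    rm -f "$DEMO"
fi
```

The same effect can be had from logrotate with the copytruncate option. One caveat either way: if the writer did not open the log in append mode, its next write lands at the old offset and the apparent size jumps back up while the file is actually sparse, so judge the result with du rather than ls. Lowering LOG_LEVEL as in the second solution removes the cause and should be combined with either form of capping.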
==== 4. pg-gvm logs "LOG: checkpoints are occurring too frequently" ====
  * This message can appear when the disk I/O of the host is relatively slow; the fix is to raise PostgreSQL's max_wal_size (default 1GB)
  * Example: raising it to 2GB
    - Create max_wal.conf:
<code>
max_wal_size = 2GB
</code>
    - Edit docker-compose.yml so the file is mounted into the pg-gvm container:
<code yaml>
:
  pg-gvm:
    image: registry.community.greenbone.net/community/pg-gvm:stable
    restart: on-failure
    volumes:
      - psql_data_vol:/var/lib/postgresql
      - psql_socket_vol:/var/run/postgresql
      - ./max_wal.conf:/etc/postgresql/13/main/conf.d/max_wal.conf
:
</code>
    - Restart docker compose:
<code bash>
docker compose down
docker compose up -d
</code>
    - Check that the setting took effect:
<code>
$ docker compose exec pg-gvm psql -U gvmd -c "SHOW max_wal_size;"
 max_wal_size
--------------
 2GB
(1 row)
</code>
    - Check that the pg-gvm log no longer shows LOG: checkpoints are occurring too frequently:
<code bash>
docker compose logs -f pg-gvm
</code>
If it still appears, consider raising max_wal_size further, e.g. to 4GB.
===== References =====
  * https://greenbone.github.io/docs/latest/22.4/container/index.html
{{tag>openvas 主機弱掃}}