安裝 OpenVAS 主機弱掃方案

  • Alpine 3.19 + Docker Compose
    • vCPU : 4
    • RAM : 8GB
    • SSD : 60GB
  • curl -f -L https://greenbone.github.io/docs/latest/_static/docker-compose-22.4.yml -o docker-compose.yml

  • 修改符合需要設定
    1. gvmd 設定 SMTP 環境變數
    2. gsa 將 Listen IP Port 由 127.0.0.1:9392:80（只接受本機連線）改為 0.0.0.0:9392:80（接受所有來源的連線）
    3. openvasd 開啟 API 服務 Listen IP Port: 0.0.0.0:3000:80
  • docker-compose.yml
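    services:
      vulnerability-tests:
        image: greenbone/vulnerability-tests
        environment:
          STORAGE_PATH: /var/lib/openvas/22.04/vt-data/nasl
        volumes:
          - vt_data_vol:/mnt

      notus-data:
        image: greenbone/notus-data
        volumes:
          - notus_data_vol:/mnt

      scap-data:
        image: greenbone/scap-data
        volumes:
          - scap_data_vol:/mnt

      cert-bund-data:
        image: greenbone/cert-bund-data
        volumes:
          - cert_data_vol:/mnt

      dfn-cert-data:
        image: greenbone/dfn-cert-data
        volumes:
          - cert_data_vol:/mnt
        depends_on:
          - cert-bund-data

      data-objects:
        image: greenbone/data-objects
        volumes:
          - data_objects_vol:/mnt

      report-formats:
        image: greenbone/report-formats
        volumes:
          - data_objects_vol:/mnt
        depends_on:
          - data-objects

      gpg-data:
        image: greenbone/gpg-data
        volumes:
          - gpg_data_vol:/mnt

      redis-server:
        image: greenbone/redis-server
        restart: on-failure
        volumes:
          - redis_socket_vol:/run/redis/

      pg-gvm:
        image: greenbone/pg-gvm:stable
        restart: on-failure
        volumes:
          - psql_data_vol:/var/lib/postgresql
          - psql_socket_vol:/var/run/postgresql

      gvmd:
        image: greenbone/gvmd:stable
        restart: on-failure
        # SMTP settings used by gvmd for alert e-mail (sent through msmtp
        # inside the container). The "on" values are quoted on purpose so
        # the YAML parser keeps them as strings instead of booleans.
        # Keep the real MTA_PASSWORD out of version control: supply it via an
        # .env file or an `env_file:` entry rather than committing it here.
        environment:
          MTA_HOST: "smtp.gmail.com"
          MTA_PORT: "587"
          MTA_TLS: "on"
          MTA_STARTTLS: "on"
          MTA_AUTH: "on"
          MTA_USER: "<your_google_account>"
          MTA_FROM: "[email protected]"
          MTA_PASSWORD: "<your_google_password>"
        volumes:
          - gvmd_data_vol:/var/lib/gvm
          - scap_data_vol:/var/lib/gvm/scap-data/
          - cert_data_vol:/var/lib/gvm/cert-data
          - data_objects_vol:/var/lib/gvm/data-objects/gvmd
          - vt_data_vol:/var/lib/openvas/plugins
          - psql_data_vol:/var/lib/postgresql
          - gvmd_socket_vol:/run/gvmd
          - ospd_openvas_socket_vol:/run/ospd
          - psql_socket_vol:/var/run/postgresql
        depends_on:
          pg-gvm:
            condition: service_started
          scap-data:
            condition: service_completed_successfully
          cert-bund-data:
            condition: service_completed_successfully
          dfn-cert-data:
            condition: service_completed_successfully
          data-objects:
            condition: service_completed_successfully
          report-formats:
            condition: service_completed_successfully

      gsa:
        image: greenbone/gsa:stable
        restart: on-failure
        # Published on every host interface (upstream binds 127.0.0.1) so the
        # web UI is reachable from other machines. It is plain HTTP: limit who
        # can reach port 9392 with a host firewall or put a TLS reverse proxy
        # in front. Docker manages its own iptables chains for published
        # ports, so verify the host firewall rules really apply to this port.
        # Quoted so the "host:port:port" value stays a string.
        ports:
          - "0.0.0.0:9392:80"
        volumes:
          - gvmd_socket_vol:/run/gvmd
        depends_on:
          - gvmd

      # Sets log level of openvas to the set LOG_LEVEL within the env
      # and changes log output to /var/log/openvas instead /var/log/gvm
      # to reduce likelihood of unwanted log interferences
      configure-openvas:
        image: greenbone/openvas-scanner:stable
        volumes:
          - openvas_data_vol:/mnt
          - openvas_log_data_vol:/var/log/openvas
        command:
          - /bin/sh
          - -c
          - |
            printf "table_driven_lsc = yes\nopenvasd_server = http://openvasd:80\n" > /mnt/openvas.conf
            sed "s/127/128/" /etc/openvas/openvas_log.conf | sed 's/gvm/openvas/' > /mnt/openvas_log.conf
            chmod 644 /mnt/openvas.conf
            chmod 644 /mnt/openvas_log.conf
            touch /var/log/openvas/openvas.log
            chmod 666 /var/log/openvas/openvas.log
          # NOTE(review): the log is made world-writable above (upstream
          # script), presumably so the other containers that mount
          # openvas_log_data_vol can append to it -- confirm before tightening.

      # shows logs of openvas
      openvas:
        image: greenbone/openvas-scanner:stable
        restart: on-failure
        volumes:
          - openvas_data_vol:/etc/openvas
          - openvas_log_data_vol:/var/log/openvas
        command:
          - /bin/sh
          - -c
          - |
            cat /etc/openvas/openvas.conf
            tail -f /var/log/openvas/openvas.log
        depends_on:
          configure-openvas:
            condition: service_completed_successfully

      openvasd:
        image: greenbone/openvas-scanner:stable
        restart: on-failure
        environment:
          # `service_notus` is set to disable everything but notus,
          # if you want to utilize openvasd directly remove `OPENVASD_MODE`
          OPENVASD_MODE: service_notus
          GNUPGHOME: /etc/openvas/gnupg
          # quoted: a bare "host:port" is not a safe plain scalar
          LISTENING: "0.0.0.0:80"
        volumes:
          - openvas_data_vol:/etc/openvas
          - openvas_log_data_vol:/var/log/openvas
          - gpg_data_vol:/etc/openvas/gnupg
          - notus_data_vol:/var/lib/notus
        # Publishes the openvasd HTTP API on every host interface. Keep this
        # only if the API is used from outside the compose network, and
        # restrict access to port 3000 with a firewall; otherwise remove
        # the `ports:` entry so the API stays internal to the compose network.
        ports:
          - "0.0.0.0:3000:80"
        depends_on:
          vulnerability-tests:
            condition: service_completed_successfully
          configure-openvas:
            condition: service_completed_successfully
          gpg-data:
            condition: service_completed_successfully
        networks:
          default:
            aliases:
              - openvasd

      ospd-openvas:
        image: greenbone/ospd-openvas:stable
        restart: on-failure
        hostname: ospd-openvas.local
        cap_add:
          - NET_ADMIN # for capturing packages in promiscuous mode
          - NET_RAW # for raw sockets e.g. used for the boreas alive detection
        # Upstream setting for the scanner container: both profiles are
        # switched off, so this container runs without seccomp/AppArmor
        # confinement. Treat the scanner host as sensitive infrastructure
        # (restricted network, kept updated) rather than a general-purpose box.
        security_opt:
          - seccomp=unconfined
          - apparmor=unconfined
        command:
          - "ospd-openvas"
          - "-f"
          - "--config"
          - "/etc/gvm/ospd-openvas.conf"
          - "--notus-feed-dir"
          - "/var/lib/notus/advisories"
          - "-m"
          - "666"
        volumes:
          - gpg_data_vol:/etc/openvas/gnupg
          - vt_data_vol:/var/lib/openvas/plugins
          - notus_data_vol:/var/lib/notus
          - ospd_openvas_socket_vol:/run/ospd
          - redis_socket_vol:/run/redis/
          - openvas_data_vol:/etc/openvas/
          - openvas_log_data_vol:/var/log/openvas
        depends_on:
          redis-server:
            condition: service_started
          gpg-data:
            condition: service_completed_successfully
          vulnerability-tests:
            condition: service_completed_successfully
          configure-openvas:
            condition: service_completed_successfully

      gvm-tools:
        image: greenbone/gvm-tools
        volumes:
          - gvmd_socket_vol:/run/gvmd
          - ospd_openvas_socket_vol:/run/ospd
        depends_on:
          - gvmd
          - ospd-openvas

    # Named volumes with default (local driver) settings; Compose creates
    # them on first `docker compose up`.
    volumes:
      gpg_data_vol:
      scap_data_vol:
      cert_data_vol:
      data_objects_vol:
      gvmd_data_vol:
      psql_data_vol:
      vt_data_vol:
      notus_data_vol:
      psql_socket_vol:
      gvmd_socket_vol:
      ospd_openvas_socket_vol:
      redis_socket_vol:
      openvas_data_vol:
      openvas_log_data_vol: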
  • 啟動服務

    docker compose up -d
    docker compose logs -f

  • 設定管理者帳號密碼

    docker compose exec -u gvmd gvmd gvmd --user=admin --new-password='<password>'

  • 開啟網頁進入管理介面 - http://server-ip:9392 (使用 admin 與設定的密碼登入)

  • 確認弱點資料庫更新狀況
  • 設定更新 script

    vi update.sh

    docker compose down
    rm /var/lib/docker/volumes/root_openvas_log_data_vol/_data/openvas.log
    docker compose pull
    docker compose up -d
    docker image prune -f
    chmod a+x update.sh
  • 單純只更新 notus-data、vulnerability-tests、scap-data、dfn-cert-data、cert-bund-data、report-formats、data-objects 這些資料容器時, 更新後系統似乎無法正常運作; 但若先關閉再重啟, 更新後系統就能正常運作
  • docker compose stop
    docker compose pull
    docker compose up -d

  • 可以透過 gvmd 查看狀況

    docker compose logs -f gvmd

    當出現類似以下訊息就表示已經正確更新與啟動

    :
    gvmd-1  | md manage:   INFO:2024-07-25 15h12.53 utc:73: Updating CVSS scores and CVE counts for CPEs
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.21 utc:73: Updating placeholder CPEs
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.34 utc:73: Updating Max CVSS for DFN-CERT
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.36 utc:73: Updating DFN-CERT CVSS max succeeded.
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.36 utc:73: Updating Max CVSS for CERT-Bund
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.37 utc:73: Updating CERT-Bund CVSS max succeeded.
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.38 utc:73: update_scap_end: Updating SCAP info succeeded
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.39 utc:70: Assigning EPSS scores to VTs
    gvmd-1  | md manage:   INFO:2024-07-25 15h14.56 utc:209: OSP service has different VT status (version 202407250605) from database (version 202407240611, 141853 VTs). Starting update ...
    gvmd-1  | md manage:   INFO:2024-07-25 15h15.34 utc:209: Updating VTs in database ... 3 new VTs, 204 changed VTs
    gvmd-1  | md manage:   INFO:2024-07-25 15h15.35 utc:209: Updating VTs in database ... done (141873 VTs).
    gvmd-1  | md manage:   INFO:2024-07-25 15h15.35 utc:207: Assigning EPSS scores to VTs

  • 如果透過 Test Alert 發現異常, 可以進去 gvmd 容器內 debug

    docker exec -it root-gvmd-1 bash

    1. 確認環境變數是否正確 Exp.

      root@1b2fce44fcf3:/# env
      MTA_PORT=587
      HOSTNAME=1b2fce44fcf3
      MTA_STARTTLS=on
      MTA_PASSWORD=xxxPasswordxxx
      MTA_TLS=on
      PWD=/
      MTA_USER=jonathan
      HOME=/root
      MTA_AUTH=on
      MTA_HOST=smtp.gmail.com
      TERM=xterm
      [email protected]
      SHLVL=1
      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      _=/usr/bin/env

    2. 測試寄信看問題 Exp.

      root@1b2fce44fcf3:/# msmtp -d -f [email protected] [email protected]
      aaa
      bbb
      ccc
      .
      
      loaded system configuration file /etc/msmtprc
      ignoring user configuration file /root/.msmtprc: No such file or directory
      falling back to default account
      :
      :
      aliases = (not set)
      reading recipients from the command line
      <-- 220 smtp.gmail.com ESMTP ready
      --> EHLO localhost
      <-- 250-smtp.gmail.com
      <-- 250-PIPELINING
      <-- 250-SIZE 50000000
      <-- 250-ETRN
      <-- 250-ENHANCEDSTATUSCODES
      <-- 250-8BITMIME
      <-- 250-DSN
      <-- 250 STARTTLS
      --> STARTTLS
      <-- 220 2.0.0 Start TLS
      msmtp: TLS certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.
      msmtp: could not send mail (account default from /etc/msmtprc)

    3. 發現問題出在無法驗證 TLS 憑證, 可透過安裝或更新信任的根憑證來解決

      apt update
      apt install ca-certificates -y

      如果已經離開容器, 可以改用

      docker exec root-gvmd-1 apt update
      docker exec root-gvmd-1 apt install ca-certificates -y

  • 主要會將 log 寫入 /var/lib/docker/volumes/root_openvas_log_data_vol/_data/openvas.log
  • 這個紀錄檔案若不特別處理, 一段時間後有可能超過 100G
  • 解決方式:
    1. 配合定期更新週期一起刪除, docker compose 啟動時會自動重新建立

      docker compose down
      rm /var/lib/docker/volumes/root_openvas_log_data_vol/_data/openvas.log
      docker compose pull
      docker compose up -d

    2. 設定環境變數 LOG_LEVEL: 1 (只紀錄 ERROR 與 WARNING)

      vi docker-compose.yml

      :
        # Sets log level of openvas to the set LOG_LEVEL within the env
        # and changes log output to /var/log/openvas instead /var/log/gvm
        # to reduce likelyhood of unwanted log interferences
        configure-openvas:
          image: greenbone/openvas-scanner:stable
          environment:
            LOG_LEVEL: 1
          volumes:
            - openvas_data_vol:/mnt
            - openvas_log_data_vol:/var/log/openvas
          command:
            - /bin/sh
            - -c
            - |
      :

      重啟 docker compose

      docker compose down
      docker compose up -d