====== Installing an OpenVAS host vulnerability scanning solution ======

  * Alpine 3.19 + Docker Compose
  * vCPU : 4
  * RAM : 8GB
  * SSD : 60GB

===== Installation procedure =====

  * <cli>
curl -f -L https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/docker-compose.yml -o docker-compose.yml
curl -f -L https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/.env.example -o .env
</cli>
  * {{repo>https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/docker-compose.yml | docker-compose.yml}}
  * Adjust the settings to fit your environment
    - gsa: change the listen IP/port from 127.0.0.1:9392:80 (local machine only) to 0.0.0.0:9392:80 (accept all sources)
    - openvasd: enable the API service on listen IP/port 0.0.0.0:3000:80
  * {{repo>https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/.env.example | .env}}
  * Edit the SMTP settings in .env
  * Start the services
<cli>
docker compose up -d
docker compose logs -f
</cli>
  * Set the administrator account and password
<cli>
docker compose exec -u gvmd gvmd gvmd --user=admin --new-password='<password>'
</cli>
  * Open the web management interface
    - http://server-ip:9392 (log in as admin with the password set above) \\ {{:tech:螢幕擷取畫面_2024-07-16_152348.png|}} \\ {{:tech:螢幕擷取畫面_2024-07-16_152453.png|}}
  * Check the vulnerability database update status \\ {{:tech:螢幕擷取畫面_2024-07-16_153723.png|}}
  * Set up the update script <cli>wget https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/update.sh</cli>
  * {{repo>https://raw.githubusercontent.com/tryweb/docker-compose/refs/heads/main/openvas/update.sh | update.sh}}
  * Make it executable <cli>chmod a+x update.sh</cli>

===== Problems and solutions =====
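Changing gsa and openvasd from 127.0.0.1 to 0.0.0.0 publishes the plain-HTTP web UI and the scanner API on every interface of the host, so it is worth listing what the compose file actually exposes before starting it. The script below is an added example, not part of the page or the tryweb/docker-compose repository; it assumes the usual layout (service names indented two spaces under ''services:'', ports written as ''host_ip:host_port:container_port'' or ''host_port:container_port'', the latter binding to all interfaces in Docker) and uses a constructed sample file rather than the real one.

```shell
#!/bin/sh
# Added example (not from the original page or the tryweb/docker-compose repo).
# Lists every published port in a compose file and marks the ones reachable from
# all interfaces, so the 127.0.0.1 -> 0.0.0.0 change for gsa/openvasd is deliberate
# and nothing else is exposed by accident. Assumes: service names indented by two
# spaces under "services:", ports as "- host_ip:host_port:container_port" or
# "- host_port:container_port" (the latter binds to all interfaces in Docker).

audit_ports() {
    # $1: path to docker-compose.yml; prints "service host_ip:host_port exposure"
    awk '
        /^ *[A-Za-z0-9_.-]+: *$/ {
            match($0, /^ */)
            if (RLENGTH == 2) { svc = $1; sub(/:$/, "", svc) }
        }
        /^ *- "?[0-9.]*:?[0-9]+:[0-9]+"? *$/ {
            p = $2; gsub(/"/, "", p)
            n = split(p, f, ":")
            ip = (n == 3) ? f[1] : "0.0.0.0"
            hp = (n == 3) ? f[2] : f[1]
            expo = (ip == "127.0.0.1") ? "local-only" : "ALL-INTERFACES"
            printf "%s %s:%s %s\n", svc, ip, hp, expo
        }
    ' "$1"
}

write_sample_compose() {
    # Constructed sample (not the real file) mirroring the two edits described above.
    cat > "$1" <<'EOF'
services:
  gsa:
    image: greenbone/gsa:stable
    ports:
      - 0.0.0.0:9392:80
  openvasd:
    image: greenbone/openvas-scanner:stable
    ports:
      - "0.0.0.0:3000:80"
  pg-gvm:
    image: registry.community.greenbone.net/community/pg-gvm:stable
    ports:
      - 127.0.0.1:5432:5432
EOF
}
```

Run ''audit_ports docker-compose.yml'' on the real file; anything marked ALL-INTERFACES should be either intended or restricted with a host firewall.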
==== 1. Manually updating the vulnerability database ====

  * Updating only notus-data, vulnerability-tests, scap-data, dfn-cert-data, cert-bund-data, report-formats and data-objects seems to leave the system not working properly afterwards, but stopping and restarting the whole stack makes it work normally after the update
  * <cli>
docker compose stop
docker compose pull
docker compose up -d
</cli>
  * Progress can be followed through the gvmd log <cli>
docker compose logs -f gvmd
</cli>Once messages like the following appear, the update has completed and the service has started correctly<cli>
:
gvmd-1  | md manage: INFO:2024-07-25 15h12.53 utc:73: Updating CVSS scores and CVE counts for CPEs
gvmd-1  | md manage: INFO:2024-07-25 15h14.21 utc:73: Updating placeholder CPEs
gvmd-1  | md manage: INFO:2024-07-25 15h14.34 utc:73: Updating Max CVSS for DFN-CERT
gvmd-1  | md manage: INFO:2024-07-25 15h14.36 utc:73: Updating DFN-CERT CVSS max succeeded.
gvmd-1  | md manage: INFO:2024-07-25 15h14.36 utc:73: Updating Max CVSS for CERT-Bund
gvmd-1  | md manage: INFO:2024-07-25 15h14.37 utc:73: Updating CERT-Bund CVSS max succeeded.
gvmd-1  | md manage: INFO:2024-07-25 15h14.38 utc:73: update_scap_end: Updating SCAP info succeeded
gvmd-1  | md manage: INFO:2024-07-25 15h14.39 utc:70: Assigning EPSS scores to VTs
gvmd-1  | md manage: INFO:2024-07-25 15h14.56 utc:209: OSP service has different VT status (version 202407250605) from database (version 202407240611, 141853 VTs). Starting update ...
gvmd-1  | md manage: INFO:2024-07-25 15h15.34 utc:209: Updating VTs in database ... 3 new VTs, 204 changed VTs
gvmd-1  | md manage: INFO:2024-07-25 15h15.35 utc:209: Updating VTs in database ... done (141873 VTs).
gvmd-1  | md manage: INFO:2024-07-25 15h15.35 utc:207: Assigning EPSS scores to VTs
</cli>
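Instead of watching ''docker compose logs -f gvmd'' by eye, a script that runs after the update can decide from the same two messages ("Starting update ..." and "done (N VTs)") whether the VT sync has finished. This is an added example, not code from the page or from update.sh; the polling helper assumes ''docker compose'' v2 (for ''--no-log-prefix'') and is run from the compose project directory, and the sample log is constructed from the excerpt above.

```shell
#!/bin/sh
# Added example (not from the original page or update.sh). Reads gvmd log lines
# and reports whether the VT feed sync has finished, based on the last
# "Starting update ..." / "done (N VTs)" pair, so a scheduled job can wait on it.

vt_update_state() {
    # stdin: gvmd log lines; prints one of: idle | updating | done <N>
    awk '
        /OSP service has different VT status/ { state = "updating"; count = "" }
        /Updating VTs in database \.\.\. done \(/ {
            if (match($0, /done \([0-9]+ VTs\)/)) {
                count = substr($0, RSTART + 6, RLENGTH - 11)   # digits between "done (" and " VTs)"
                state = "done"
            }
        }
        END {
            if (state == "")          print "idle"
            else if (state == "done") print state, count
            else                      print state
        }
    '
}

wait_for_vt_update() {
    # $1: max attempts (default 60), $2: seconds between polls (default 30).
    # Assumes docker compose v2 and the compose project directory as cwd.
    tries=${1:-60}; delay=${2:-30}; i=0; state=idle
    while [ "$i" -lt "$tries" ]; do
        state=$(docker compose logs --no-log-prefix --tail=300 gvmd 2>/dev/null | vt_update_state)
        case "$state" in
            done*) echo "$state"; return 0 ;;
        esac
        i=$((i + 1)); sleep "$delay"
    done
    echo "timeout (last state: $state)"; return 1
}

sample_gvmd_log() {
    # Constructed sample taken from the log excerpt above (container prefix dropped).
    cat <<'EOF'
md manage: INFO:2024-07-25 15h14.38 utc:73: update_scap_end: Updating SCAP info succeeded
md manage: INFO:2024-07-25 15h14.39 utc:70: Assigning EPSS scores to VTs
md manage: INFO:2024-07-25 15h14.56 utc:209: OSP service has different VT status (version 202407250605) from database (version 202407240611, 141853 VTs). Starting update ...
md manage: INFO:2024-07-25 15h15.34 utc:209: Updating VTs in database ... 3 new VTs, 204 changed VTs
md manage: INFO:2024-07-25 15h15.35 utc:209: Updating VTs in database ... done (141873 VTs).
md manage: INFO:2024-07-25 15h15.35 utc:207: Assigning EPSS scores to VTs
EOF
}
```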
==== 2. SMTP mail settings and debugging ====

  * Reference
    - https://greenbone.github.io/docs/latest/22.4/container/workflows.html#setting-up-a-mail-transport-agent-inside-docker-container
  * If a Test Alert shows a problem, enter the gvmd container to debug <cli>
docker exec -it root-gvmd-1 bash
</cli>
    - Check that the environment variables are correct, e.g.<cli>
root@1b2fce44fcf3:/# env
MTA_PORT=587
HOSTNAME=1b2fce44fcf3
MTA_STARTTLS=on
MTA_PASSWORD=xxxPasswordxxx
MTA_TLS=on
PWD=/
MTA_USER=jonathan
HOME=/root
MTA_AUTH=on
MTA_HOST=smtp.gmail.com
TERM=xterm
MTA_FROM=jonathan@gmail.com
SHLVL=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
</cli>
    - Send a test mail to see where it fails, e.g.<cli>
root@1b2fce44fcf3:/# msmtp -d -f jonathan@gmail.com jonathan@ichiayi.com
aaa
bbb
ccc
.
loaded system configuration file /etc/msmtprc
ignoring user configuration file /root/.msmtprc: No such file or directory
falling back to default account
:
:
aliases = (not set)
reading recipients from the command line
<-- 220 smtp.gmail.com ESMTP ready
--> EHLO localhost
<-- 250-smtp.gmail.com
<-- 250-PIPELINING
<-- 250-SIZE 50000000
<-- 250-ETRN
<-- 250-ENHANCEDSTATUSCODES
<-- 250-8BITMIME
<-- 250-DSN
<-- 250 STARTTLS
--> STARTTLS
<-- 220 2.0.0 Start TLS
msmtp: TLS certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.
msmtp: could not send mail (account default from /etc/msmtprc)
</cli>
    - The problem turned out to be that the server certificate could not be verified; it is solved by installing or updating the trusted root certificates<cli>
apt update
apt install ca-certificates -y
</cli>If you have already left the container, use these instead<cli>
docker exec root-gvmd-1 apt update
docker exec root-gvmd-1 apt install ca-certificates -y
</cli>
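The two checks above (env and a debug send) can be front-loaded into one script run inside the gvmd container before a Test Alert: it verifies that the MTA_* variables agree with each other and that the CA bundle msmtp needs is present, which matters because a package installed with ''apt'' inside the running container is gone once the image is recreated by the update procedure. This is an added example, not code from the page or from Greenbone; ''MTA_CA_BUNDLE'' is a knob of this script only (defaulting to Debian's ca-certificates path), and the test values are the page's sample env with a constructed bundle file.

```shell
#!/bin/sh
# Added example (not from the original page or the Greenbone images). Checks the
# MTA_* variables the gvmd container hands to msmtp: port/TLS mode consistency,
# credentials when auth is on, and the CA bundle whose absence causes the
# "certificate is NOT trusted" failure. MTA_CA_BUNDLE is assumed by this script only.

problems=0
note() { echo "  - $1"; problems=$((problems + 1)); }

check_mta_env() {
    # Reads MTA_HOST/PORT/TLS/STARTTLS/AUTH/USER/PASSWORD/FROM from the environment.
    # Returns 0 when consistent, 1 otherwise (findings printed as a list).
    problems=0
    [ -n "$MTA_HOST" ] || note "MTA_HOST is empty"
    [ -n "$MTA_FROM" ] || note "MTA_FROM is empty"
    if [ "$MTA_AUTH" = "on" ]; then
        [ -n "$MTA_USER" ] || note "MTA_AUTH=on but MTA_USER is empty"
        [ -n "$MTA_PASSWORD" ] || note "MTA_AUTH=on but MTA_PASSWORD is empty"
    fi
    case "$MTA_PORT" in
        587) [ "$MTA_STARTTLS" = "on" ] || note "port 587 is the submission port: MTA_STARTTLS should be on" ;;
        465) [ "$MTA_TLS" = "on" ] && [ "$MTA_STARTTLS" != "on" ] \
                 || note "port 465 is implicit TLS: set MTA_TLS=on and MTA_STARTTLS=off" ;;
        25)  note "port 25 usually means an unencrypted relay; credentials would travel in clear" ;;
        "")  note "MTA_PORT is empty" ;;
        *)   note "unusual MTA_PORT=$MTA_PORT; confirm it with the mail provider" ;;
    esac
    if [ "$MTA_TLS" = "on" ] || [ "$MTA_STARTTLS" = "on" ]; then
        bundle=${MTA_CA_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}
        [ -s "$bundle" ] || note "CA bundle $bundle missing: run 'apt update && apt install ca-certificates -y' in the container"
    fi
    if [ "$problems" -eq 0 ]; then
        echo "MTA settings look consistent"
        return 0
    fi
    echo "$problems problem(s) found"
    return 1
}
```

Run it as ''docker exec root-gvmd-1 sh /path/to/check_mta.sh'' after copying the script into the container, or source it in the debug shell and call ''check_mta_env''.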
==== 3. Disk space consumed by openvas.log ====

  * Logs are mainly written to /var/lib/docker/volumes/root_openvas_log_data_vol/_data/openvas.log
  * If this log file is left alone, it can grow beyond 100G after a while
  * Solutions:
    - Delete it together with the periodic update cycle; docker compose recreates it on start <cli>
docker compose down
rm /var/lib/docker/volumes/root_openvas_log_data_vol/_data/openvas.log
docker compose pull
docker compose up -d
</cli>
    - Set the environment variable LOG_LEVEL: 1 (records only ERROR and WARNING)<cli>
vi docker-compose.yml</cli><file>
  :
  # Sets log level of openvas to the set LOG_LEVEL within the env
  # and changes log output to /var/log/openvas instead /var/log/gvm
  # to reduce likelihood of unwanted log interferences
  configure-openvas:
    image: greenbone/openvas-scanner:stable
    environment:
      LOG_LEVEL: 1
    volumes:
      - openvas_data_vol:/mnt
      - openvas_log_data_vol:/var/log/openvas
    command:
      - /bin/sh
      - -c
      - |
  :
</file>Restart docker compose<cli>
docker compose down
docker compose up -d
</cli>

==== 4. When the pg-gvm log shows LOG: checkpoints are occurring too frequently ====

  * This message may appear because the host's disk I/O is relatively slow; PostgreSQL's max_wal_size (default 1GB) can be increased
  * Example: raising it to 2GB
    - Create max_wal.conf<file>
max_wal_size = 2GB
</file>
    - Edit docker-compose.yml <file>
  :
  pg-gvm:
    image: registry.community.greenbone.net/community/pg-gvm:stable
    restart: on-failure
    volumes:
      - psql_data_vol:/var/lib/postgresql
      - psql_socket_vol:/var/run/postgresql
      - ./max_wal.conf:/etc/postgresql/13/main/conf.d/max_wal.conf
  :
</file>
    - Restart docker compose <cli>
docker compose down
docker compose up -d
</cli>
    - Check that the setting took effect <cli>
$ docker compose exec pg-gvm psql -U gvmd -c "SHOW max_wal_size;"
 max_wal_size
--------------
 2GB
(1 row)
</cli>
    - Check whether the pg-gvm log still shows LOG: checkpoints are occurring too frequently <cli>
docker compose logs -f pg-gvm
</cli>If it still does, consider increasing max_wal_size further, e.g. 4GB

===== Reference links =====

  * https://greenbone.github.io/docs/latest/22.4/container/index.html

{{tag>openvas 主機弱掃}}

tech/openvas.txt · Last modified: 2025/04/10 15:20 by jonathan
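A middle ground between the two fixes in section 3: truncate openvas.log in place once it passes a size limit, which releases the space without stopping the stack. Simply deleting the file while the scanner keeps it open only unlinks it, and the blocks stay allocated until the writer closes it (the page's ''rm'' works because ''docker compose down'' runs first). This is an added example, not code from the page or from Greenbone; ''LOG'' and ''LIMIT_MB'' are assumed defaults of this script, and the test uses a constructed temporary file.

```shell
#!/bin/sh
# Added example (not from the original page or the Greenbone images). Truncates the
# openvas log in place once it exceeds a size limit so the space is freed while
# openvas keeps running. LOG and LIMIT_MB are assumed defaults for this script.

LOG=${LOG:-/var/lib/docker/volumes/root_openvas_log_data_vol/_data/openvas.log}
LIMIT_MB=${LIMIT_MB:-1024}

log_size_mb() {
    # $1: file; prints its size in whole MB (0 if it does not exist)
    [ -f "$1" ] || { echo 0; return 0; }
    echo $(( $(wc -c < "$1" | tr -d ' ') / 1048576 ))
}

trim_log() {
    # $1: file, $2: limit in MB. Keeps the last 1 MB for context, then truncates.
    # A writer that opened the file with O_APPEND continues at the new end; one that
    # did not leaves a hole at the old offset, but the old blocks are released either way.
    size=$(log_size_mb "$1")
    if [ "$size" -ge "$2" ]; then
        tail -c 1048576 "$1" > "$1.tail"
        : > "$1"
        cat "$1.tail" >> "$1"
        rm -f "$1.tail"
        echo "truncated $1 (${size} MB >= ${2} MB)"
        return 0
    fi
    echo "kept $1 (${size} MB < ${2} MB)"
    return 0
}

# Usage from a cron entry on the Alpine host (no stack restart needed):
#   trim_log "$LOG" "$LIMIT_MB"
```

Schedule ''trim_log "$LOG" "$LIMIT_MB"'' from the host crontab; it complements, rather than replaces, lowering LOG_LEVEL.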