#!/bin/bash -x
## Installation script for OpenVAS/Greenbone 20.08 on Ubuntu 20.04
## Based on:
# https://kifarunix.com/install-and-setup-gvm-11-on-ubuntu-20-04/#create-gvm-service-unit-file
# https://github.com/yu210148/gvm_install/blob/master/install_gvm.sh
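#######################################
# Install the build toolchain and libraries, create the unprivileged gvm
# account with its /opt/gvm home, and add the Yarn APT repository.
# Globals:   none
# Arguments: none
# Returns:   non-zero if the main package installation, the Yarn key setup
#            or the final Yarn installation fails
#######################################
install_packages() {
  local yarn_keyring=/usr/share/keyrings/yarn-archive-keyring.gpg
  local yarn_key_tmp

  # -y keeps the upgrade unattended; without it the run stops at the
  # confirmation prompt.
  apt-get update && apt-get upgrade -y

  # Create the account and its home only when missing so a re-run of the
  # installer does not fail on "already exists".
  if ! id -u gvm >/dev/null 2>&1; then
    useradd -r -d /opt/gvm -c "GVM User" -s /bin/bash gvm
  fi
  mkdir -p /opt/gvm
  chown gvm:gvm /opt/gvm

  apt install gcc g++ make bison flex libksba-dev curl redis rsync libpcap-dev \
    cmake git pkg-config libglib2.0-dev libgpgme-dev nmap libgnutls28-dev uuid-dev \
    libssh-gcrypt-dev libldap2-dev gnutls-bin libmicrohttpd-dev libhiredis-dev \
    zlib1g-dev libxml2-dev libradcli-dev clang-format libldap2-dev doxygen \
    gcc-mingw-w64 xml-twig-tools libical-dev perl-base heimdal-dev libpopt-dev \
    libsnmp-dev python3-setuptools python3-paramiko python3-lxml python3-defusedxml python3-dev gettext python3-polib xmltoman \
    python3-pip texlive-fonts-recommended texlive-latex-extra --no-install-recommends xsltproc -y \
    || return 1

  # Install Yarn
  # The repository key goes into a dedicated keyring that is bound to this one
  # source through signed-by. Piping it into `apt-key add` would place it in
  # APT's global trust store, where it is accepted for every configured
  # repository.
  yarn_key_tmp=$(mktemp) || return 1
  # -f makes curl fail on an HTTP error instead of saving the error page as a
  # "key".
  if ! curl -fsSL -o "$yarn_key_tmp" https://dl.yarnpkg.com/debian/pubkey.gpg; then
    echo "install_packages: could not download the Yarn repository key" >&2
    rm -f -- "$yarn_key_tmp"
    return 1
  fi
  if ! gpg --batch --yes --dearmor -o "$yarn_keyring" "$yarn_key_tmp"; then
    echo "install_packages: could not convert the Yarn repository key" >&2
    rm -f -- "$yarn_key_tmp"
    return 1
  fi
  rm -f -- "$yarn_key_tmp"
  # APT's unprivileged download user must be able to read the keyring.
  chmod 0644 "$yarn_keyring"

  echo "deb [signed-by=${yarn_keyring}] https://dl.yarnpkg.com/debian/ stable main" \
    >/etc/apt/sources.list.d/yarn.list
  apt update
  apt install yarn -y
}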
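#######################################
# Install PostgreSQL and bootstrap the gvmd database: the gvm role, the gvmd
# database owned by it, the dba role and the uuid-ossp extension.
# Globals:   none
# Arguments: none
# Returns:   status of the final `systemctl enable postgresql`
#######################################
install_pg() {
  # Install PostgreSQL
  apt install postgresql postgresql-contrib postgresql-server-dev-all -y

  # The whole bootstrap runs as the postgres OS user. The SQL below creates a
  # superuser role, which the freshly created (non-superuser) gvm role cannot
  # do, and a root shell calling `psql -U gvm` is presumably rejected by the
  # default peer authentication on local sockets -- confirm against
  # pg_hba.conf.
  #
  # "uuid-ossp" must be double-quoted: an unquoted hyphen is a syntax error in
  # an SQL identifier. ON_ERROR_STOP makes psql stop at the first failing
  # statement instead of carrying on silently.
  #
  # NOTE(review): `grant dba to gvm` lets the gvm database role assume a
  # superuser role; treat the gvm account as able to administer this cluster.
  # NOTE(review): upstream gvmd install notes may require further extensions
  # (e.g. pgcrypto) -- confirm for the gvmd version being built.
  sudo -Hiu postgres <<'EOSU'
createuser gvm
createdb -O gvm gvmd
psql -v ON_ERROR_STOP=1 -d gvmd -t \
  -c 'create role dba with superuser noinherit' \
  -c 'grant dba to gvm' \
  -c 'create extension "uuid-ossp"'
EOSU

  systemctl restart postgresql
  systemctl enable postgresql
}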
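#######################################
# Put the /opt/gvm tool directories on the system-wide PATH, register
# /opt/gvm/lib with the dynamic linker, and clone the GVM sources into
# /tmp/gvm-source as the gvm user.
# Globals:   none
# Arguments: none
# Returns:   1 if creating the source directory or any clone fails
#######################################
clone_repos() {
  # Building GVM 20 from Source Code
  # Keep the first backup: on a re-run an unconditional copy would overwrite
  # the pristine file with the already modified one.
  [[ -e /etc/environment.bck ]] || cp /etc/environment /etc/environment.bck
  # Replace only the PATH entry; truncating the file would drop every other
  # variable defined in /etc/environment.
  sed -i '/^PATH=/d' /etc/environment
  echo 'PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin"' >>/etc/environment
  echo "/opt/gvm/lib" >/etc/ld.so.conf.d/gvm.conf

  # Build and Install GVM 20
  # /tmp is world-writable and the directory name is fixed. `set -e` makes the
  # run stop if the stale directory cannot be removed or the new one cannot be
  # created (for example because another local account owns that name),
  # instead of cloning into a directory someone else controls. Later steps
  # read files from this tree as root.
  #
  # NOTE(review): openvas-smb is cloned without -b and follows the repository's
  # default branch; the other clones track branch names, which can move. Pin
  # release tags or commits if a reproducible, reviewable build is required.
  su - gvm <<'EOSU' || return 1
set -e
rm -rf /tmp/gvm-source
mkdir -m 0700 /tmp/gvm-source
cd /tmp/gvm-source
git clone -b gvm-libs-20.08 https://github.com/greenbone/gvm-libs.git
git clone https://github.com/greenbone/openvas-smb.git
git clone -b openvas-20.08 https://github.com/greenbone/openvas.git
git clone -b ospd-20.08 https://github.com/greenbone/ospd.git
git clone -b ospd-openvas-20.08 https://github.com/greenbone/ospd-openvas.git
git clone -b gvmd-20.08 https://github.com/greenbone/gvmd.git
git clone -b gsa-20.08 https://github.com/greenbone/gsa.git
ls
EOSU
}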
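#######################################
# Build and install, as the gvm user and into /opt/gvm, the GVM libraries,
# OpenVAS SMB and the OpenVAS scanner, in that order.
# Globals:   none
# Arguments: none
# Returns:   1 if any configure/build/install step fails
#######################################
build_packages_Libs() {
  # The delimiter is quoted so that $PKG_CONFIG_PATH is expanded by the gvm
  # shell that runs the build, not by the calling root shell while the
  # here-document is being assembled.
  #
  # `set -e` stops at the first failure: without it a failed `cd` would let
  # the following cmake/make run in whatever directory the shell was left in.
  # `mkdir -p` lets a re-run reuse an existing build directory.
  su - gvm <<'EOSU' || return 1
set -e
export PKG_CONFIG_PATH="/opt/gvm/lib/pkgconfig:${PKG_CONFIG_PATH:-}"
# Build and Install GVM Libraries, then OpenVAS SMB, then the OpenVAS scanner
for component in gvm-libs openvas-smb openvas; do
  mkdir -p "/tmp/gvm-source/${component}/build"
  cd "/tmp/gvm-source/${component}/build"
  cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm
  make
  make install
done
EOSU
}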
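#######################################
# Configure the OpenVAS scanner: Redis instance, kernel settings, a unit that
# disables transparent huge pages, sudo rules for the gvm user, and the first
# NVT feed synchronisation.
# Globals:   none
# Arguments: none
# Returns:   status of the feed update run as gvm
#######################################
configure_services_OpenVAS() {
  local setting sudoers_tmp

  # Configuring OpenVAS Scanner
  ldconfig
  # NOTE(review): root copies this file from /tmp/gvm-source, a tree the gvm
  # user creates and can modify; review it if the build tree is not trusted.
  cp /tmp/gvm-source/openvas/config/redis-openvas.conf /etc/redis/
  chown redis:redis /etc/redis/redis-openvas.conf
  echo "db_address = /run/redis-openvas/redis.sock" >/opt/gvm/etc/openvas/openvas.conf
  chown gvm:gvm /opt/gvm/etc/openvas/openvas.conf
  usermod -aG redis gvm

  # Append each kernel setting only once so re-running the installer does not
  # keep growing /etc/sysctl.conf with duplicate lines.
  for setting in 'net.core.somaxconn = 1024' 'vm.overcommit_memory = 1'; do
    grep -qxF -- "$setting" /etc/sysctl.conf || echo "$setting" >>/etc/sysctl.conf
  done
  sysctl -p

  cat <<EOT >/etc/systemd/system/disable_thp.service
[Unit]
Description=Disable Kernel Support for Transparent Huge Pages (THP)
[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"
[Install]
WantedBy=multi-user.target
EOT
  systemctl daemon-reload
  systemctl enable --now disable_thp
  systemctl enable --now redis-server@openvas

  # The drop-in is written to a temporary file, syntax-checked with visudo and
  # only then installed root-owned with mode 0440. A malformed file placed
  # straight into /etc/sudoers.d can make sudo refuse to run at all.
  #
  # NOTE(review): both binaries live under /opt/gvm, which is owned by gvm and
  # populated by `make install` running as gvm. The account that receives
  # NOPASSWD can therefore replace the file sudo executes, so these rules are
  # effectively root-equivalent for gvm. Consider root-owned, non-writable
  # install paths for anything reachable through sudo.
  sudoers_tmp=$(mktemp) || return 1
  printf '%s\n' \
    'gvm ALL = NOPASSWD: /opt/gvm/sbin/openvas' \
    'gvm ALL = NOPASSWD: /opt/gvm/sbin/gsad' >"$sudoers_tmp"
  if visudo -cf "$sudoers_tmp"; then
    install -o root -g root -m 0440 "$sudoers_tmp" /etc/sudoers.d/gvm
  else
    echo "configure_services_OpenVAS: sudoers drop-in failed validation, not installed" >&2
  fi
  rm -f -- "$sudoers_tmp"

  # Adds /opt/gvm/sbin to sudo's secure_path; visudo validates the rewritten
  # file before it replaces /etc/sudoers. The same ownership caveat applies:
  # the appended directory is writable by gvm.
  sed 's/Defaults\s.*secure_path=\"\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/snap\/bin\"/Defaults secure_path=\"\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin:\/snap\/bin:\/opt\/gvm\/sbin\"/g' /etc/sudoers | EDITOR='tee' visudo

  # Update NVTs
  su - gvm <<'EOSU'
greenbone-nvt-sync
openvas --update-vt-info
EOSU
}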
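#######################################
# Build and install gvmd and GSA, synchronise the SCAP/CERT/GVMD_DATA feeds,
# create the certificates, install OSPd and OSPd-OpenVAS, then start
# ospd-openvas, gvmd and gsad once by hand.
# Globals:   none
# Arguments: none
# Returns:   status of the final process listing
#######################################
configure_services_GVM() {
  # The delimiter is quoted so that $PKG_CONFIG_PATH is expanded by the gvm
  # shell, not by the calling root shell. Build steps abort the gvm session on
  # failure so a failed `cd` cannot send make/install into the wrong
  # directory; the feed synchronisations stay best-effort as before.
  su - gvm <<'EOSU' || echo "configure_services_GVM: gvm session ended with a non-zero status" >&2
export PKG_CONFIG_PATH="/opt/gvm/lib/pkgconfig:${PKG_CONFIG_PATH:-}"
# Build and Install Greenbone Vulnerability Manager, then Greenbone Security Assistant
for component in gvmd gsa; do
  mkdir -p "/tmp/gvm-source/${component}/build" || exit 1
  cd "/tmp/gvm-source/${component}/build" || exit 1
  cmake .. -DCMAKE_INSTALL_PREFIX=/opt/gvm || exit 1
  make || exit 1
  make install || exit 1
done
# Update GVM CERT and SCAP data from the feed servers;
greenbone-scapdata-sync --rsync
greenbone-certdata-sync --rsync
greenbone-feed-sync --type GVMD_DATA
gvm-manage-certs -a
# Build and Install OSPd and OSPd-OpenVAS
mkdir -p /opt/gvm/lib/python3.8/site-packages/
export PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
cd /tmp/gvm-source/ospd || exit 1
python3 setup.py install --prefix=/opt/gvm
cd ../ospd-openvas || exit 1
python3 setup.py install --prefix=/opt/gvm
# Start OpenVAS Scanner, GSA and GVM services
/usr/bin/python3 /opt/gvm/bin/ospd-openvas \
  --pid-file /opt/gvm/var/run/ospd-openvas.pid \
  --log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
  --lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock
gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock
EOSU

  # NOTE(review): gsad is started here from the installer's own (root) shell
  # with no listen options, so it runs with its built-in defaults -- confirm
  # which address and port that exposes before running this on a reachable
  # host.
  gsad

  # pgrep does not list itself, which replaces the `grep -v grep` filter.
  pgrep -af 'ospd-openvas|gsad|gvmd'
}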
# Write the systemd units for the scanner (openvas.service), the web UI
# (gsa.service, gsa.path) and the manager (gvm.service, gvm.path), reload
# systemd, then enable and start them. Takes no arguments.
#
# All here-documents use an unquoted delimiter and contain no `$`, so their
# text is written as shown, except that the shell removes each
# backslash-newline pair: the multi-line ExecStart of openvas.service reaches
# the unit file as one line.
configure_services() {
# Create OpenVAS service
# Runs ospd-openvas as gvm:gvm; the ExecStartPre line removes the pid file and
# the ospd/gvmd sockets first (the leading "-" tells systemd to ignore a
# failure of that command).
cat <<EOT >/etc/systemd/system/openvas.service
[Unit]
Description=Control the OpenVAS service
After=redis.service
After=postgresql.service
[Service]
ExecStartPre=-rm -rf /opt/gvm/var/run/ospd-openvas.pid /opt/gvm/var/run/ospd.sock /opt/gvm/var/run/gvmd.sock
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
ExecStart=/usr/bin/python3 /opt/gvm/bin/ospd-openvas \
--pid-file /opt/gvm/var/run/ospd-openvas.pid \
--log-file /opt/gvm/var/log/gvm/ospd-openvas.log \
--lock-file-dir /opt/gvm/var/run -u /opt/gvm/var/run/ospd.sock
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOT
systemctl daemon-reload
systemctl start openvas
# systemctl status openvas
systemctl enable openvas
# Create GSA Service Unit file
# The unit runs as gvm but launches gsad through sudo, so it depends on the
# NOPASSWD rule for /opt/gvm/sbin/gsad that configure_services_OpenVAS writes
# to /etc/sudoers.d/gvm; gsad itself therefore runs as root.
# NOTE(review): --mlisten/--mport presumably name the manager endpoint gsad
# connects to; 0.0.0.0 is used here as a destination address -- confirm.
# No listen address is given for the web UI itself, so gsad's default applies.
cat <<EOT >/etc/systemd/system/gsa.service
[Unit]
Description=Control the OpenVAS GSA service
After=openvas.service
[Service]
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
ExecStart=/usr/bin/sudo /opt/gvm/sbin/gsad --mlisten=0.0.0.0 --mport=9392
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOT
# Path unit: triggers gsa.service when /opt/gvm/var/run/gvmd.sock changes.
# NOTE(review): gvm.service below starts gvmd with --listen/--port; confirm
# that gvmd still creates gvmd.sock in that mode, otherwise this trigger
# never fires and only the direct `enable --now` at the end starts gsa.
cat <<EOT >/etc/systemd/system/gsa.path
[Unit]
Description=Start the OpenVAS GSA service when gvmd.sock is available
[Path]
PathChanged=/opt/gvm/var/run/gvmd.sock
Unit=gsa.service
[Install]
WantedBy=multi-user.target
EOT
# Create GVM Service unit file
# NOTE(review): --listen=0.0.0.0 --port=9392 binds the manager protocol on
# every interface of the host. If only local clients need it, bind a specific
# address or restrict the port with a host firewall; the admin account created
# in run_services is reachable through this listener.
cat <<EOT >/etc/systemd/system/gvm.service
[Unit]
Description=Control the OpenVAS GVM service
After=openvas.service
[Service]
Type=simple
User=gvm
Group=gvm
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/gvm/bin:/opt/gvm/sbin:/opt/gvm/.local/bin
Environment=PYTHONPATH=/opt/gvm/lib/python3.8/site-packages
ExecStart=/opt/gvm/sbin/gvmd --osp-vt-update=/opt/gvm/var/run/ospd.sock --listen=0.0.0.0 --port=9392
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOT
# Path unit: triggers gvm.service when /opt/gvm/var/run/ospd.sock changes.
cat <<EOT >/etc/systemd/system/gvm.path
[Unit]
Description=Start the OpenVAS GVM service when opsd.sock is available
[Path]
PathChanged=/opt/gvm/var/run/ospd.sock
Unit=gvm.service
[Install]
WantedBy=multi-user.target
EOT
# Reload so systemd sees the units written above, then enable and start
# everything (openvas was already started and enabled earlier in this
# function; repeating it here is harmless).
systemctl daemon-reload
systemctl enable --now openvas
systemctl enable --now gvm.{path,service}
systemctl enable --now gsa.{path,service}
}
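#######################################
# Point the OpenVAS scanner entry at the ospd socket, verify it, create the
# gvmadmin account and make it the feed import owner.
# Globals:   GVM_ADMIN_PASSWORD (read, optional) - password for gvmadmin; a
#              random one is generated and printed once when it is unset
#            SCANNER_UUID, USER_UUID (written)
# Arguments: none
# Returns:   1 if the scanner or the gvmadmin user cannot be found
#######################################
run_services() {
  local admin_password
  local xtrace_was_on=0

  # Create GVM Scanner
  # sudo -Hiu gvm gvmd --create-scanner="Patrowl OpenVAS Scanner" --scanner-type="OpenVAS" --scanner-host=/opt/gvm/var/run/ospd.sock
  sudo -Hiu gvm gvmd --get-scanners

  # --> modify scanner changing sock: --scanner-host=/opt/gvm/var/run/ospd.sock
  # Take the first OpenVAS entry only, so the UUID is always a single word.
  SCANNER_UUID=$(sudo -Hiu gvm gvmd --get-scanners | awk '/OpenVAS/ { print $1; exit }')
  if [[ -z "$SCANNER_UUID" ]]; then
    echo "run_services: no OpenVAS scanner found in 'gvmd --get-scanners'" >&2
    return 1
  fi
  sudo -Hiu gvm gvmd --modify-scanner="$SCANNER_UUID" --scanner-host=/opt/gvm/var/run/ospd.sock
  sudo -Hiu gvm gvmd --verify-scanner="$SCANNER_UUID"

  # Create OpenVAS (GVM) Admin User
  # A password written into a published installer is a known credential for
  # every host built from it, so it is taken from the environment or generated
  # per install. The script's shebang enables xtrace (-x), which would echo
  # the password into the install log; tracing is switched off around this
  # step. The value still appears in gvmd's argument list while the command
  # runs -- rotate it after installation on a shared host.
  case $- in
    *x*)
      xtrace_was_on=1
      set +x
      ;;
  esac
  admin_password=${GVM_ADMIN_PASSWORD:-}
  if [[ -z "$admin_password" ]]; then
    admin_password=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
    printf 'Generated password for gvmadmin (shown once): %s\n' "$admin_password" >&2
  fi
  sudo -Hiu gvm gvmd --create-user gvmadmin --password="$admin_password"
  admin_password=
  if (( xtrace_was_on )); then
    set -x
  fi

  # Add the user as import feed owner
  # Select gvmadmin's line explicitly: taking the second column of every line
  # yields several UUIDs as soon as more than one user exists.
  USER_UUID=$(sudo -Hiu gvm gvmd --get-users --verbose | awk '$1 == "gvmadmin" { print $2; exit }')
  if [[ -z "$USER_UUID" ]]; then
    echo "run_services: user gvmadmin not found in 'gvmd --get-users'" >&2
    return 1
  fi
  sudo -Hiu gvm gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value "$USER_UUID"
}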
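# Every step installs packages, writes under /etc or manages services, so the
# installer stops immediately when it is not running as root instead of
# failing part-way through with a half-configured host.
if [[ ${EUID} -ne 0 ]]; then
  echo "This installer must be run as root." >&2
  exit 1
fi

# Run the installation steps in order. A step that reports a non-zero status
# is logged and the run continues, as it did before; several steps end with
# purely informational commands whose status does not indicate a real failure.
for step in \
  install_packages \
  install_pg \
  clone_repos \
  build_packages_Libs \
  configure_services_OpenVAS \
  configure_services_GVM \
  configure_services \
  run_services; do
  "$step" || echo "warning: step '${step}' finished with a non-zero status" >&2
done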