Last active
November 20, 2019 09:19
-
-
Save fcolista/185a1e392bbea3d3dc0b7861408a2b74 to your computer and use it in GitHub Desktop.
AlpineLinux: openvas scripts configuration
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # OpenVAS | |
| # $Id$ | |
| # Description: Script for checking completeness and readiness | |
| # of OpenVAS. | |
| # Reviewed for Alpine Linux distribution by: | |
| # Francesco Colista <fcolista@alpinelinux.org> | |
| # | |
| # Authors: | |
| # Jan-Oliver Wagner <jan-oliver.wagner@greenbone.net> | |
| # Michael Wiegand <michael.wiegand@greenbone.net> | |
| # | |
| # Copyright: | |
| # Copyright (C) 2011-2015 Greenbone Networks GmbH | |
| # | |
| # This program is free software; you can redistribute it and/or modify | |
| # it under the terms of the GNU General Public License version 2, | |
| # or at your option any later version, as published by the | |
| # Free Software Foundation | |
| # | |
| # This program is distributed in the hope that it will be useful, | |
| # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| # GNU General Public License for more details. | |
| # | |
| # You should have received a copy of the GNU General Public License | |
| # along with this program; if not, write to the Free Software | |
| # Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. | |
| LOG=/tmp/openvas-check-setup.log | |
| # Current default is OpenVAS-9: | |
| VER=$(apk info -d openvas-libraries | cut -d- -f3 | head -1 | cut -d. -f1) | |
| SCANNER_MAJOR=$(apk info -v | grep openvas-scanner | cut -d- -f3 | cut -d. -f1) | |
| SCANNER_MINOR=$(apk info -v | grep openvas-scanner | cut -d- -f3 | cut -d. -f2) | |
| MANAGER_MAJOR=$(apk info -v | grep openvas-manager | cut -d- -f3 | cut -d. -f1) | |
| MANAGER_MINOR=$(apk info -v | grep openvas-manager | cut -d- -f3 | cut -d. -f2) | |
| GSA_MAJOR=$(apk info -v | grep greenbone | cut -d- -f4 | cut -d. -f1) | |
| GSA_MINOR=$(apk info -v | grep greenbone | cut -d- -f4 | cut -d. -f2) | |
| CLI_MAJOR=$(apk info -v | grep openvas-cli | cut -d- -f3 | cut -d. -f1) | |
| CLI_MINOR=$(apk info -v | grep openvas-cli | cut -d- -f3 | cut -d. -f2) | |
| # Colorize output for a better reading | |
| ERROR=$(echo -en "\033[1;91m ERROR: \e[0m") | |
| OK=$(echo -en "\e[0;32m OK: \e[0m") | |
| FIX=$(echo -en "\e[33m FIX: \e[0m") | |
| WARNING=$(echo -en "\e[93m WARNING: \e[0m") | |
| SUGGEST=$(echo -en "\e[33m SUGGEST: \e[0m") | |
| HINT=$(echo -en "\e[33m HINT: \e[0m") | |
| CHECKING=$(echo -en "\e[96m CHECKING: \e[0m") | |
| echo "" | |
| echo " Test completeness and readiness of OpenVAS-$VER" | |
| echo "" | |
| echo " =] Script based on original openvas-check-setup script and adjusted for Alpine Linux [= " | |
| echo "" | |
| log_and_print() { | |
| echo -e " " $1 | |
| echo -e " " $1 >> $LOG | |
| } | |
| check_package() { | |
| apk info -eq $1 && return 0 || return 1 | |
| } | |
| check_failed() { | |
| echo "" | |
| echo " $ERROR: Your OpenVAS-$VER installation is not yet complete!" | |
| echo "" | |
| echo "Please follow the instructions marked with FIX above and run this" | |
| echo "script again." | |
| echo "" | |
| exit 1 | |
| } | |
| # LOG start | |
| echo "$0 " > $LOG | |
| echo " Mode: $MODE" >> $LOG | |
| echo " Date: " `date -R` >> $LOG | |
| echo "" >> $LOG | |
| echo "$CHECKING for enabled repositories for OpenVAS ... " | |
| if ! $(grep -q testing /etc/apk/repositories); then | |
| log_and_print "$ERROR: No testing repository enabled."; | |
| log_and_print "$FIX: Please add testing repository ." ; | |
| cat <<EOF | |
| If you want to fix the issue, do:" | |
| * echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories | |
| * apk update | |
| EOF | |
| fi | |
| echo "$CHECKING OpenVAS Scanner ... " | |
| echo "$CHECKING presence of OpenVAS Scanner ..." >> $LOG | |
| if ! $(check_package openvas-scanner); then | |
| log_and_print "$ERROR: No OpenVAS Scanner (openvassd) found."; | |
| log_and_print "$FIX: Please install OpenVAS Scanner." ; | |
| log_and_print "$FIX: apk add openvas-scanner" ; | |
| check_failed | |
| fi | |
| echo "" >> $LOG | |
| echo "$CHECKING OpenVAS Scanner version ..." >> $LOG | |
| VERSION=$(openvassd --version 2>>$LOG | head -1 | sed -e "s/OpenVAS Scanner //") | |
| echo "" >> $LOG | |
| log_and_print "$OK: OpenVAS Scanner is present in version $VERSION." | |
| openvassd -s >> $LOG 2>&1 | |
| echo "$CHECKING OpenVAS Scanner CA cert ..." >> $LOG | |
| CAFILE=`openvassd -s 2>>$LOG | grep ca_file | sed -e "s/^ca_file = //"` | |
| if [ ! -e $CAFILE ]; then | |
| log_and_print "$ERROR: No CA certificate file of OpenVAS Scanner found." | |
| log_and_print "$FIX: Run 'openvas-manage-certs -a'." | |
| check_failed | |
| fi | |
| echo "" >> $LOG | |
| log_and_print "$OK: OpenVAS Scanner CA Certificate is present as $CAFILE." | |
| echo "$CHECKING presence of redis ..." >> $LOG | |
| if ! $(check_package redis); then | |
| log_and_print "$ERROR: No redis-server installation found."; | |
| log_and_print "$FIX: You should install redis-server for improved scalability and ability to trace/debug the KB"; | |
| check_failed | |
| else | |
| VERSION=`redis-server --version | awk '{ print $3 }'` | |
| log_and_print "$OK: redis-server is present in version $VERSION." | |
| HAVE_REDIS=1 | |
| fi | |
| echo "" >> $LOG | |
| if [ $HAVE_REDIS -eq "1" ]; then | |
| echo "$CHECKING if redis-server is configured properly to run with openVAS ..." >> $LOG | |
| REDISSOCKET=`openvassd -s 2>>$LOG | grep kb_location | sed -e "s/^kb_location = //"` | |
| if [ -z "$REDISSOCKET" ]; then | |
| log_and_print "$ERROR: scanner is not configured to use a redis-server socket." | |
| log_and_print "$FIX: Configure the kb_location setting of the scanner to the path of the redis-server socket." | |
| check_failed | |
| else | |
| log_and_print "$OK: scanner (kb_location setting) is configured properly using the redis-server socket: $REDISSOCKET" | |
| echo "$CHECKING if redis-server is running ..." >> $LOG | |
| if [ -e $REDISSOCKET ]; then | |
| log_and_print "$OK: redis-server is running and listening on socket: $REDISSOCKET." | |
| else | |
| log_and_print "$ERROR: redis-server is not running or not listening on socket: $REDISSOCKET" | |
| log_and_print "$FIX: Please read the instruction in the README.alpine: /usr/share/doc/openvas-scanner/README.alpine" | |
| check_failed | |
| fi | |
| fi | |
| log_and_print "$OK: redis-server configuration is OK and redis-server is running." | |
| fi | |
| echo "" >> $LOG | |
| echo "$CHECKING NVT collection ..." >> $LOG | |
| PLUGINSFOLDER=`openvassd -s 2>>$LOG | grep plugins_folder | sed -e "s/^plugins_folder = //"` | |
| if [ ! -d $PLUGINSFOLDER ]; then | |
| log_and_print "$ERROR: Directory containing the NVT collection not found." | |
| log_and_print "$FIX: Run a NVT synchronization script like openvas-nvt-sync or greenbone-nvt-sync." | |
| check_failed | |
| fi | |
| OLDPLUGINSFOLDER=`echo "$PLUGINSFOLDER" | grep -q -v "/var/" 2>&1` | |
| if [ $? -eq "0" ]; then | |
| CONFFILE=`openvassd -s 2>>$LOG | grep config_file | sed -e "s/^config_file = //"` | |
| log_and_print "$ERROR: Your OpenVAS Scanner configuration seems to be from a pre-OpenVAS-4 installation and contains non-FHS compliant paths." | |
| log_and_print "$FIX: Delete your OpenVAS Scanner Configuration file ($CONFFILE)." | |
| check_failed | |
| fi | |
| NVTCOUNT=`find $PLUGINSFOLDER -name "*nasl" | wc -l` | |
| if [ $NVTCOUNT -lt "10" ]; then | |
| log_and_print "$ERROR: The NVT collection is very small." | |
| log_and_print "$FIX: Run greenbone-nvt-sync synchronization script." | |
| check_failed | |
| fi | |
| echo "" >> $LOG | |
| log_and_print "$OK: NVT collection in $PLUGINSFOLDER contains $NVTCOUNT NVTs." | |
| echo "$CHECKING status of signature checking in OpenVAS Scanner ..." >> $LOG | |
| NOSIGCHECK=`openvassd -s 2>>$LOG | grep nasl_no_signature_check | sed -e "s/^nasl_no_signature_check = //"` | |
| if [ $NOSIGCHECK != "no" ]; then | |
| log_and_print "$WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner." | |
| log_and_print "$SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html)." | |
| log_and_print "$SUGGEST: Please run: sed -i -e \"s/nasl_no_signature_check.*/nasl_no_signature_check\=no/g\" /etc/openvas/openvassd.conf" | |
| else | |
| log_and_print "$OK: Signature checking of NVTs is enabled in OpenVAS Scanner." | |
| fi | |
| echo "" >> $LOG | |
| CACHEFOLDER=`openvassd -s 2>>$LOG | grep cache_folder | sed -e "s/^cache_folder = //"` | |
| CACHECOUNT=`find $CACHEFOLDER -name "*nvti" | wc -l` | |
| if [ $CACHECOUNT -lt $NVTCOUNT ]; then | |
| log_and_print "$WARNING: The initial NVT cache has not yet been generated." | |
| log_and_print "$SUGGEST: Start OpenVAS Scanner for the first time to generate the cache." | |
| log_and_print "$SUGGEST: Please run: rc-service openvassd create_cache && rc-service openvassd start"; | |
| else | |
| log_and_print "$OK: The NVT cache in $CACHEFOLDER contains $CACHECOUNT files for $NVTCOUNT NVTs." | |
| fi | |
| echo "" >> $LOG | |
| echo "$CHECKING OpenVAS Manager ... " | |
| echo "$CHECKING presence of OpenVAS Manager ..." >> $LOG | |
| if ! $(check_package openvas-manager); then | |
| log_and_print "$ERROR: No OpenVAS Manager (openvasmd) found."; | |
| log_and_print "$FIX: Please install OpenVAS Manager."; | |
| log_and_print "$FIX: Please run: apk add openvas-manager"; | |
| check_failed | |
| fi | |
| echo "" >> $LOG | |
| VERSION=`openvasmd --version | head -1 | sed -e "s/OpenVAS Manager //"` | |
| echo "" >> $LOG | |
| log_and_print "$OK: OpenVAS Manager is present in version $VERSION." | |
| echo "$CHECKING OpenVAS Manager client certificate ..." >> $LOG | |
| CERTDIR=`dirname $CAFILE` | |
| CLIENTCERTFILE="$CERTDIR/clientcert.pem" | |
| if [ ! -e $CLIENTCERTFILE ]; then | |
| log_and_print "$ERROR: No client certificate file of OpenVAS Manager found." | |
| log_and_print "$FIX: Run 'openvas-manage-certs -a'." | |
| check_failed | |
| fi | |
| echo "" >> $LOG | |
| log_and_print "$OK: OpenVAS Manager client certificate is present as $CLIENTCERTFILE." | |
| echo "$CHECKING OpenVAS Manager database ..." >> $LOG | |
| # Guess openvas state dir from $PLUGINSFOLDER | |
| STATEDIR=`dirname $PLUGINSFOLDER` | |
| TASKSDB="$STATEDIR/mgr/tasks.db" | |
| if [ ! -e $TASKSDB ]; then | |
| log_and_print "$ERROR: No OpenVAS Manager database found. (Tried: $TASKSDB)" | |
| log_and_print "$FIX: Run 'openvasmd --rebuild' while OpenVAS Scanner is running." | |
| OPENVASSD_RUNNING=`ps -Af | grep -ic "[o]penvassd: waiting for incoming connections"` | |
| if [ $OPENVASSD_RUNNING -eq "0" ]; then | |
| log_and_print "$WARNING: OpenVAS Scanner is NOT running!" ; | |
| log_and_print "$SUGGEST: Start OpenVAS Scanner (openvassd)." ; | |
| log_and_print "$SUGGEST: Please run: rc-service openvassd start" ; | |
| fi | |
| check_failed | |
| fi | |
| echo "" >> $LOG | |
| log_and_print "$OK: OpenVAS Manager database found in $TASKSDB." | |
| echo "$CHECKING access rights of OpenVAS Manager database ..." >> $LOG | |
| TASKSDBPERMS=`stat -c "%a" "$TASKSDB"` | |
| if [ "$TASKSDBPERMS" != "600" ]; then | |
| log_and_print "$ERROR: The access rights of the OpenVAS Manager database are incorrect." | |
| log_and_print "$FIX: Run 'chmod 600 $TASKSDB'." | |
| check_failed | |
| fi | |
| echo "" >> $LOG | |
| log_and_print "$OK: Access rights for the OpenVAS Manager database are correct." | |
| echo "$CHECKING sqlite3 presence ..." >> $LOG | |
| if $(check_package sqlite); then | |
| log_and_print "$OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled." | |
| HAVE_SQLITE=1 | |
| else | |
| log_and_print "$WARNING: Could not find sqlite3 binary, extended manager checks of the OpenVAS Manager installation are disabled."; | |
| log_and_print "$SUGGEST: Please run: apk add sqlite"; | |
| HAVE_SQLITE=0 | |
| fi | |
| echo "" >> $LOG | |
| if [ $HAVE_SQLITE -eq "1" ]; then | |
| echo "$CHECKING OpenVAS Manager database revision ..." >> $LOG | |
| TASKSDBREV=`sqlite3 $TASKSDB "select value from meta where name='database_version';"` | |
| if [ -z $TASKSDBREV ]; then | |
| log_and_print "$ERROR: Could not determine database revision, database corrupt or in invalid format." | |
| log_and_print "$FIX: Delete database at $TASKSDB and rebuild it." | |
| check_failed | |
| else | |
| log_and_print "$OK: OpenVAS Manager database is at revision $TASKSDBREV." | |
| fi | |
| echo "$CHECKING database revision expected by OpenVAS Manager ..." >> $LOG | |
| MANAGERDBREV=`openvasmd --version | grep "Manager DB revision" | sed -e "s/.*\ //"` | |
| if [ -z $MANAGERDBREV ]; then | |
| log_and_print "$ERROR: Could not determine database revision expected by OpenVAS Manager." | |
| log_and_print "$FIX: Ensure OpenVAS Manager is installed correctly." | |
| check_failed | |
| else | |
| log_and_print "$OK: OpenVAS Manager expects database at revision $MANAGERDBREV." | |
| fi | |
| if [ $TASKSDBREV -lt $MANAGERDBREV ]; then | |
| log_and_print "$ERROR: Database schema is out of date." | |
| log_and_print "$FIX: Run 'openvasmd --migrate'." | |
| check_failed | |
| else | |
| log_and_print "$OK: Database schema is up to date." | |
| fi | |
| echo "$CHECKING OpenVAS Manager database (NVT data) ..." >> $LOG | |
| DBNVTCOUNT=`sqlite3 $TASKSDB "select count(*) from nvts;"` | |
| if [ $DBNVTCOUNT -lt 20000 ]; then | |
| log_and_print "$ERROR: The number of NVTs in the OpenVAS Manager database is too low." | |
| log_and_print "$FIX: Make sure OpenVAS Scanner is running with an up-to-date NVT collection and run 'openvasmd --rebuild'." | |
| OPENVASSD_RUNNING=`ps -Af | grep -ic "[o]penvassd: waiting for incoming connections"` | |
| if [ $OPENVASSD_RUNNING -eq "0" ]; then | |
| log_and_print "$WARNING: OpenVAS Scanner is NOT running!" ; | |
| log_and_print "$SUGGEST: Start OpenVAS Scanner (openvassd)." ; | |
| log_and_print "$SUGGEST: Please run: rc-service openvassd start" ; | |
| fi | |
| check_failed | |
| else | |
| log_and_print "$OK: OpenVAS Manager database contains information about $DBNVTCOUNT NVTs." | |
| fi | |
| fi | |
| echo "$CHECKING if users exist ..." >> $LOG | |
| USERCOUNT=`openvasmd --get-users | sed -e "/^$/d" | wc -l` | |
| if [ $USERCOUNT -eq "0" ]; then | |
| log_and_print "$ERROR: No users found. You need to create at least one user to log in." | |
| log_and_print " It is recommended to have at least one user with role Admin." | |
| log_and_print "$FIX: create a user by running 'openvasmd --create-user=<name> --role=Admin && openvasmd --user=<name> --new-password=<password>'" | |
| check_failed | |
| else | |
| log_and_print "$OK: At least one user exists." | |
| fi | |
| echo "" >> $LOG | |
| # TODO: Do a check for presence of at least one Admin user. | |
| echo "$CHECKING OpenVAS SCAP database ..." >> $LOG | |
| # Guess openvas state dir from $PLUGINSFOLDER | |
| STATEDIR=`dirname $PLUGINSFOLDER` | |
| SCAPDB="$STATEDIR/scap-data/scap.db" | |
| if [ ! -e $SCAPDB ]; then | |
| log_and_print "$ERROR: No OpenVAS SCAP database found. (Tried: $SCAPDB)" | |
| log_and_print "$FIX: Run SCAP synchronization script : greenbone-scapdata-sync (will take a while...)" | |
| check_failed | |
| fi | |
| echo "" >> $LOG | |
| log_and_print "$OK: OpenVAS SCAP database found in $SCAPDB." | |
| echo "$CHECKING OpenVAS CERT database ..." >> $LOG | |
| # Guess openvas state dir from $PLUGINSFOLDER | |
| STATEDIR=`dirname $PLUGINSFOLDER` | |
| CERTDB="$STATEDIR/cert-data/cert.db" | |
| if [ ! -e $CERTDB ]; then | |
| log_and_print "$ERROR: No OpenVAS CERT database found. (Tried: $CERTDB)" | |
| log_and_print "$FIX: Run CERT synchronization script : greenbone-certdata-sync (will take a while)" | |
| check_failed | |
| fi | |
| echo "" >> $LOG | |
| log_and_print "$OK: OpenVAS CERT database found in $CERTDB." | |
| echo "$CHECKING xsltproc presence ..." >> $LOG | |
| if ! $(check_package libxslt); then | |
| log_and_print "$WARNING: Could not find xsltproc binary, most report formats will not work." | |
| log_and_print "$SUGGEST: Install xsltproc." | |
| log_and_print "$SUGGEST: Please run: apk add xsltproc."; | |
| else | |
| log_and_print "$OK: xsltproc found." | |
| fi | |
| echo "" >> $LOG | |
| echo "$CHECKING status of password policy ..." >> $LOG | |
| CONFFILE=`openvassd -s 2>>$LOG | grep config_file | sed -e "s/^config_file = //"` | |
| CONFDIR=`dirname $CONFFILE` | |
| grep -v "^[#]" $CONFDIR/pwpolicy.conf | grep -v "^$" > /dev/null 2>&1 | |
| if [ $? -ne "0" ]; then | |
| log_and_print "$WARNING: Your password policy is empty." | |
| log_and_print "$SUGGEST: Edit the $CONFDIR/pwpolicy.conf file to set a password policy." | |
| log_and_print "$SUGGEST: Please run: sed -i -e 's/^#\!\/\^.*/\!\/\^\.\{8,\}\$\//g' $CONFDIR/pwpolicy.conf && rc-service openvassd restart"; | |
| else | |
| log_and_print "$OK: The password policy file at $CONFDIR/pwpolicy.conf contains entries." | |
| fi | |
| echo "" >> $LOG | |
| echo "$CHECKING Greenbone Security Assistant (GSA) ... " | |
| echo "$CHECKING presence of Greenbone Security Assistant ..." >> $LOG | |
| if ! $(check_package greenbone-security-assistant); then | |
| log_and_print "$ERROR: No Greenbone Security Assistant (gsad) found."; | |
| log_and_print: "$FIX: Please install Greenbone Security Assistant"; | |
| log_and_print "$HINT: Please run: apk add greenbone-security-assistant."; | |
| check_failed | |
| fi | |
| echo "" >> $LOG | |
| VERSION=`gsad --version | head -1 | sed -e "s/Greenbone Security Assistant //"` | |
| echo "" >> $LOG | |
| log_and_print "$OK: Greenbone Security Assistant is present in version $VERSION." | |
| echo "$CHECKING OpenVAS CLI ... " | |
| if ! $(check_package openvas-cli); then | |
| log_and_print "$ERROR: No OpenVAS CLI (omp) found."; | |
| log_and_print "$FIX: Please install OpenVAS CLI."; | |
| log_and_print "$HINT: Please run: apk add openvas-cli"; | |
| check_failed | |
| fi | |
| echo "" >> $LOG | |
| VERSION=`omp --version | head -1 | sed -e "s/OMP Command Line Interface //"` | |
| echo "" >> $LOG | |
| log_and_print "$OK: OpenVAS CLI version $VERSION." | |
| echo "$CHECKING if OpenVAS services are up and running ... " | |
| echo "$CHECKING netstat presence (not busybox) ..." >> $LOG | |
| if ! [ -f /bin/netstat ]; then | |
| log_and_print "$WARNING: Could not find netstat binary, checks of the OpenVAS services are disabled." | |
| log_and_print "$SUGGEST: Install netstat." | |
| log_and_print "$SUGGEST: Please run: apk add net-tools" | |
| HAVE_NETSTAT=0 | |
| else | |
| log_and_print "$OK: netstat found, extended checks of the OpenVAS services enabled." | |
| HAVE_NETSTAT=1 | |
| fi | |
| echo "" >> $LOG | |
| echo "$CHECKING ps presence (not busybox) ..." >> $LOG | |
| if ! [ -f /bin/ps ]; then | |
| log_and_print "$WARNING: Could not find ps binary, checks of the OpenVAS services are disabled." | |
| log_and_print "$SUGGEST: Install ps." | |
| log_and_print "$SUGGEST: Please run: apk add procps" | |
| else | |
| log_and_print "$OK: ps found, extended checks of the OpenVAS services enabled." | |
| fi | |
| echo "" >> $LOG | |
| if [ $HAVE_NETSTAT -eq "1" ]; then | |
| netstat -A inet -A inet6 -ntlp 2> /dev/null >> $LOG | |
| OPENVASMD_HOST=`netstat -antlp 2> /dev/null | grep openvasmd | awk -F\ '{print $4}' | awk -F: 'sub(FS $NF,x)'` | |
| OPENVASMD_PORT=`netstat -antlp 2> /dev/null | grep openvasmd | awk -F\ '{print $4}' | awk -F: '{print $NF}'` | |
| GSAD_HOST=`netstat -antlp 2> /dev/null | grep gsad | awk -F\ '{print $4}' | awk -F: 'sub(FS $NF,x)'` | |
| GSAD_PORT=`netstat -antlp 2> /dev/null | grep gsad | awk -F\ '{print $4}' | awk -F: '{print $NF}' | tail -1` | |
| case "$OPENVASMD_HOST" in | |
| "0.0.0.0"|"::") log_and_print "$OK: OpenVAS Manager is running and listening on all interfaces." ;; | |
| "127.0.0.1") log_and_print "$WARNING: OpenVAS Manager is running and listening only on the local interface." | |
| log_and_print "This means that you will not be able to access the OpenVAS Manager from the" | |
| log_and_print "outside using GSD or OpenVAS CLI." | |
| log_and_print "$SUGGEST: Ensure that OpenVAS Manager listens on all interfaces unless you want" | |
| log_and_print "a local service only." | |
| log_and_print "$SUGGEST: Please run: sed -i -e 's/MANAGER_LISTEN=.*/MANAGER_LISTEN=\"--listen=0.0.0.0\"/g' /etc/conf.d/openvasmd && rc-service openvasmd restart"; | |
| ;; | |
| "") log_and_print "$ERROR: OpenVAS Manager is NOT running!" | |
| log_and_print "$FIX: Start OpenVAS Manager (openvasmd)." | |
| log_and_print "$FIX: Please run : rc-service openvas-manager start" | |
| OPENVASMD_PORT="-1" ;; | |
| esac | |
| case $OPENVASMD_PORT in | |
| -1) ;; | |
| 9390) log_and_print "$OK: OpenVAS Manager is listening on port 9390, which is the default port." ;; | |
| *) log_and_print "$WARNING: OpenVAS Manager is listening on port $OPENVASMD_PORT, which is NOT the default port!" | |
| log_and_print "$SUGGEST: Ensure OpenVAS Manager is listening on port 9390." ;; | |
| esac | |
| case "$GSAD_HOST" in | |
| "0.0.0.0"|"::") log_and_print "$OK: Greenbone Security Assistant is running and listening on all interfaces." ;; | |
| "127.0.0.1") log_and_print "$WARNING: Greenbone Security Assistant is running and listening only on the local interface." | |
| log_and_print "This means that you will not be able to access the Greenbone Security Assistant from the" | |
| log_and_print "outside using a web browser." | |
| log_and_print "$SUGGEST: Ensure that Greenbone Security Assistant listens on all interfaces." | |
| log_and_print "$SUGGEST: Please run: sed -i -e 's/GSAD_LISTEN=.*/GSAD_LISTEN=\"--listen=0.0.0.0\"/g' /etc/conf.d/gsad && rc-service gsad restart"; | |
| ;; | |
| "") log_and_print "$ERROR: Greenbone Security Assistant is NOT running!" | |
| log_and_print "$FIX: Start Greenbone Security Assistant (gsad)." | |
| log_and_print "$FIX: Please run : rc-service gsad start" | |
| GSAD_PORT="-1" ;; | |
| esac | |
| case $GSAD_PORT in | |
| -1) ;; | |
| 80|443|9392) log_and_print "$OK: Greenbone Security Assistant is listening on port $GSAD_PORT, which is the default port." ;; | |
| *) log_and_print "$WARNING: Greenbone Security Assistant is listening on port $GSAD_PORT, which is NOT the default port!" | |
| log_and_print "$SUGGEST: Ensure Greenbone Security Assistant is listening on one of the following ports: 80, 443, 9392." ;; | |
| esac | |
| if [ $OPENVASMD_PORT -eq "-1" ] || [ $GSAD_PORT -eq "-1" ]; then | |
| check_failed | |
| fi | |
| fi | |
| echo "$CHECKING nmap installation ..." | |
| echo "$CHECKING presence of nmap ..." >> $LOG | |
| if $(check_package nmap); then | |
| VERSION=`nmap --version | awk '/Nmap version/ { print $3 }'` | |
| log_and_print "$OK: nmap is present in version $VERSION." | |
| else | |
| log_and_print "$WARNING: No nmap installation found."; | |
| log_and_print "$SUGGEST: You should install nmap for comprehensive network scanning (see http://nmap.org)" | |
| fi | |
| echo "" >> $LOG | |
| echo "$CHECKING presence of optional tools ..." | |
| echo "$CHECKING presence of pdflatex ..." >> $LOG | |
| if $(check_package texlive); then | |
| log_and_print "$OK: pdflatex found." | |
| HAVE_PDFLATEX=1 | |
| else | |
| log_and_print "$WARNING: Could not find pdflatex binary, the PDF report format will not work." | |
| log_and_print "$SUGGEST: Install pdflatex." | |
| log_and_print "$SUGGEST: apk add texlive" | |
| HAVE_PDFLATEX=0 | |
| fi | |
| echo "" >> $LOG | |
| if [ $HAVE_PDFLATEX -eq "1" ]; then | |
| echo "$CHECKING presence of LaTeX packages required for PDF report generation ..." >> $LOG | |
| PDFTMPDIR=`mktemp -d -t openvas-check-setup-tmp.XXXXXXXXXX` | |
| TEXFILE="$PDFTMPDIR/test.tex" | |
| cat <<EOT > $TEXFILE | |
| \documentclass{article} | |
| \pagestyle{empty} | |
| %\usepackage{color} | |
| \usepackage{tabularx} | |
| \usepackage{geometry} | |
| \usepackage{comment} | |
| \usepackage{longtable} | |
| \usepackage{titlesec} | |
| \usepackage{chngpage} | |
| \usepackage{calc} | |
| \usepackage{url} | |
| \usepackage[utf8x]{inputenc} | |
| \DeclareUnicodeCharacter {135}{{\textascii ?}} | |
| \DeclareUnicodeCharacter {129}{{\textascii ?}} | |
| \DeclareUnicodeCharacter {128}{{\textascii ?}} | |
| \usepackage{colortbl} | |
| % must come last | |
| \usepackage{hyperref} | |
| \definecolor{linkblue}{rgb}{0.11,0.56,1} | |
| \definecolor{inactive}{rgb}{0.56,0.56,0.56} | |
| \definecolor{openvas_debug}{rgb}{0.78,0.78,0.78} | |
| \definecolor{openvas_false_positive}{rgb}{0.2275,0.2275,0.2275} | |
| \definecolor{openvas_log}{rgb}{0.2275,0.2275,0.2275} | |
| \definecolor{openvas_hole}{rgb}{0.7960,0.1137,0.0902} | |
| \definecolor{openvas_note}{rgb}{0.3255,0.6157,0.7961} | |
| \definecolor{openvas_report}{rgb}{0.68,0.74,0.88} | |
| \definecolor{openvas_user_note}{rgb}{1.0,1.0,0.5625} | |
| \definecolor{openvas_user_override}{rgb}{1.0,1.0,0.5625} | |
| \definecolor{openvas_warning}{rgb}{0.9764,0.6235,0.1922} | |
| \hypersetup{colorlinks=true,linkcolor=linkblue,urlcolor=blue,bookmarks=true,bookmarksopen=true} | |
| \usepackage[all]{hypcap} | |
| %\geometry{verbose,a4paper,tmargin=24mm,bottom=24mm} | |
| \geometry{verbose,a4paper} | |
| \setlength{\parskip}{\smallskipamount} | |
| \setlength{\parindent}{0pt} | |
| \title{PDF Report Test} | |
| \pagestyle{headings} | |
| \pagenumbering{arabic} | |
| \begin{document} | |
| This is a test of the PDF generation capabilities of your OpenVAS installation. Please ignore. | |
| \end{document} | |
| EOT | |
| pdflatex -interaction batchmode -output-directory $PDFTMPDIR $TEXFILE > /dev/null 2>&1 | |
| if [ ! -f "$PDFTMPDIR/test.pdf" ]; then | |
| log_and_print "$WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work." | |
| log_and_print "$SUGGEST: Install required LaTeX packages." | |
| log_and_print "$FIX: please copy/paste the following commands: " | |
| cat<< EOF | |
| latest_tlmgr=$(curl -s ftp://ftp.tug.org/historic/systems/texlive/$(date +%Y)/ | grep texmf | grep -v sha | awk '{print $9}') | |
| latest_tlmgr_sum=$(curl -s ftp://ftp.tug.org/historic/systems/texlive/$(date +%Y)/ | grep texmf | grep sha512 | head -1 | awk '{print $9}' ) | |
| wget ftp://ftp.tug.org/historic/systems/texlive/\$(date +%Y)/\$latest_tlmgr | |
| wget ftp://ftp.tug.org/historic/systems/texlive/\$(date +%Y)/\$latest_tlmgr_sum | |
| sha512sum -c \$latest_tlmgr_sum && tar -C /usr/share --strip-components=1 -xvf \$latest_tlmgr || echo "Package corrupted. Download it again" | |
| apk fix texlive | |
| EOF | |
| log_and_print "$FIX: Or, if you are lazy, download the following script who does the dirty job for you: " | |
| log_and_print "$FIX: wget https://gist.githubusercontent.com/fcolista/f47eaf2856a637ed9cea3bcfc6b003e6/raw/2807307220e61d200ff86d0be32338bd5cd6beb9/fix-texlive.sh && chmod +x fix-texlive.sh && sh fix-texlive.sh" | |
| else | |
| log_and_print "$OK: PDF generation successful. The PDF report format is likely to work." | |
| fi | |
| if [ -f "$PDFTMPDIR/test.log" ]; then | |
| cat $PDFTMPDIR/test.log >> $LOG | |
| fi | |
| rm -rf $PDFTMPDIR | |
| fi | |
| echo "$CHECKING presence of ssh-keygen ..." >> $LOG | |
| if ! $( check_package openssh-keygen); then | |
| log_and_print "$WARNING: Could not find ssh-keygen binary, LSC credential generation for GNU/Linux targets will not work." | |
| log_and_print "$SUGGEST: Install ssh-keygen." | |
| log_and_print "$SUGGEST: Please run: apk add openssh-keygen" | |
| HAVE_SSHKEYGEN=0 | |
| else | |
| log_and_print "$OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work." | |
| HAVE_SSHKEYGEN=1 | |
| fi | |
| echo "" >> $LOG | |
| if [ $HAVE_SSHKEYGEN -eq "1" ]; then | |
| echo "$CHECKING presence of rpm ..." >> $LOG | |
| if $(check_package rpm); then | |
| log_and_print "$OK: rpm found, LSC credential package generation for RPM based targets is likely to work." | |
| HAVE_RPM=1 | |
| else | |
| log_and_print "$WARNING: Could not find rpm binary, LSC credential package generation for RPM and DEB based targets will not work." | |
| log_and_print "$SUGGEST: Install rpm." | |
| log_and_print "$SUGGEST: Please run: apk add rpm"; | |
| HAVE_RPM=0 | |
| fi | |
| echo "" >> $LOG | |
| if [ $HAVE_RPM -eq "1" ]; then | |
| echo "$CHECKING presence of alien ..." >> $LOG | |
| if $(check_package alien); then | |
| log_and_print "$OK: alien found, LSC credential package generation for DEB based targets is likely to work." | |
| HAVE_ALIEN=1 | |
| else | |
| log_and_print "$WARNING: Could not find alien binary, LSC credential package generation for DEB based targets will not work." | |
| log_and_print "$SUGGEST: Install alien." | |
| log_and_print "$SUGGEST: Please run: apk add alien"; | |
| HAVE_ALIEN=0 | |
| fi | |
| echo "" >> $LOG | |
| fi | |
| fi | |
| echo "" | |
| echo "It seems like your OpenVAS-$VER installation is $OK." | |
| echo "" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment