Skip to content

Instantly share code, notes, and snippets.

@rotanase

rotanase/Dockerfile Secret

Last active January 13, 2021 08:31
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save rotanase/fe4e37586e9649102dd460a69666aea8 to your computer and use it in GitHub Desktop.
Save rotanase/fe4e37586e9649102dd460a69666aea8 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Dockerfile
FROM ubuntu:20.04
ENV DEBIAN_FRONTEND=noninteractive
ENV LANG=en_US.UTF-8
# Install dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
build-essential \
cmake \
curl \
doxygen \
gcc-mingw-w64 \
git \
glib2.0 \
gnutls-bin \
graphviz bison \
libgcrypt-dev \
libgnutls28-dev \
libgpgme-dev \
libhiredis-dev \
libical-dev \
libksba-dev \
libldap2-dev \
libmicrohttpd-dev \
libopenvas-dev heimdal-dev \
libpcap-dev \
libpopt-dev \
libpq-dev \
libpthread-stubs0-dev \
libradcli-dev \
libssh-dev \
libssl-dev \
libxml2-dev \
nmap \
nodejs \
npm \
openssh-client \
openssh-server \
pkg-config \
postgresql \
postgresql-contrib \
postgresql-server-dev-all \
python3-defusedxml \
python3-lxml \
python3-paramiko \
python3-pip \
python3-psutil \
python3-virtualenv \
redis-server \
rsync \
virtualenv \
wget \
xml-twig-tools \
xmltoman \
xsltproc \
&& rm -rf /var/lib/apt/lists/*
# Install Yarn
RUN curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && \
echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && \
apt-get update && \
apt-get install yarn -yq --no-install-recommends
# Install GVM-Libs
WORKDIR /build
RUN git clone -b gvm-libs-20.08 --single-branch https://github.com/greenbone/gvm-libs.git
WORKDIR /build/gvm-libs/build
RUN cmake -DCMAKE_BUILD_TYPE=Release ..&& \
make && \
make install && \
rm -rf /build
# Install OpenVAS SMB
WORKDIR /build
RUN git clone -b master --single-branch https://github.com/greenbone/openvas-smb.git
WORKDIR /build/openvas-smb/build
RUN cmake -DCMAKE_BUILD_TYPE=Release ..&& \
make && \
make install && \
rm -rf /build
# Install Greenbone Vulnerability Manager (GVMD)
WORKDIR /build
RUN git clone -b gvmd-20.08 --single-branch https://github.com/greenbone/gvmd.git
WORKDIR /build/gvmd/build
RUN cmake -DCMAKE_BUILD_TYPE=Release ..&& \
make && \
make install && \
rm -rf /build
# Install OpenVAS
WORKDIR /build
RUN git clone -b openvas-20.08 --single-branch https://github.com/greenbone/openvas.git
WORKDIR /build/openvas/build
RUN cmake -DCMAKE_BUILD_TYPE=Release ..&& \
make && \
make install && \
rm -rf /build
# Install Open Scanner Protocol daemon (OSPd)
WORKDIR /build
RUN git clone -b ospd-20.08 --single-branch https://github.com/greenbone/ospd.git
WORKDIR /build/ospd
RUN python3 setup.py install && \
rm -rf /build
# Install OSPD for OpenVAS
WORKDIR /build
RUN git clone -b ospd-openvas-20.08 --single-branch https://github.com/greenbone/ospd-openvas.git
WORKDIR /build/ospd-openvas
RUN python3 setup.py install && \
rm -rf /build
# Install Greenbone Vulnerability Management Python Library
RUN pip3 install python-gvm==20.11.3
# Install GVM-Tools
RUN pip3 install gvm-tools==20.10.1 && \
echo "/usr/local/lib" > /etc/ld.so.conf.d/openvas.conf && ldconfig && cd / && rm -rf /build
# Initial setup
COPY scripts/sshd_config /sshd_config
COPY scripts/* /
WORKDIR /
RUN chmod +x start.sh && \
./start.sh setup
ENTRYPOINT [ "./start.sh", "scan"]
Raw
sshd_config
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts yes
AllowStreamLocalForwarding yes
Raw
start.sh
#!/usr/bin/env bash
set -Eeuo pipefail
USERNAME=${USERNAME:-admin}
PASSWORD=${PASSWORD:-admin}
TIMEOUT=${TIMEOUT:-15}
RELAYHOST=${RELAYHOST:-smtp}
SMTPPORT=${SMTPPORT:-25}
HTTPS=${HTTPS:-true}
TZ=${TZ:-UTC}
SSHD=${SSHD:-true}
DB_PASSWORD=${DB_PASSWORD:-none}
RUN_TYPE=$1
if [ $RUN_TYPE == "setup" ]; then
echo "Running in setup mode"
elif [ $RUN_TYPE = "scan" ]; then
echo "Running in scan mode"
else
echo "Usage: ./start.sh [setup/scan]"
echo "Setup mode should be used when building the Docker image"
fi
if [ $RUN_TYPE == "setup" ]; then
echo en_US.UTF-8 UTF-8 > /etc/locale.gen
locale-gen en_US.UTF-8
fi
if [ ! -d "/run/redis" ]; then
mkdir /run/redis
fi
if [ -S /run/redis/redis.sock ]; then
rm /run/redis/redis.sock
fi
redis-server --unixsocket /run/redis/redis.sock --unixsocketperm 700 --timeout 0 --databases 512 --maxclients 4096 --daemonize yes --port 6379 --bind 0.0.0.0
echo "Wait for redis socket to be created..."
while [ ! -S /run/redis/redis.sock ]; do
sleep 1
done
echo "Testing redis status..."
X="$(redis-cli -s /run/redis/redis.sock ping)"
while [ "${X}" != "PONG" ]; do
echo "Redis not yet ready..."
sleep 1
X="$(redis-cli -s /run/redis/redis.sock ping)"
done
echo "Redis ready."
if [ ! -d /data ]; then
echo "Creating Data folder..."
mkdir /data
fi
if [ ! -d /data/database ]; then
echo "Creating Database folder..."
mkdir /data/database
chown postgres:postgres -R /data/database
su -c "/usr/lib/postgresql/12/bin/initdb /data/database" postgres
fi
chown postgres:postgres -R /data/database
echo "Starting PostgreSQL..."
/usr/bin/pg_ctlcluster --skip-systemctl-redirect 12 main start
if [ ! -d /data/ssh ]; then
echo "Creating SSH folder..."
mkdir /data/ssh
rm -rf /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
mv /etc/ssh/ssh_host_* /data/ssh/
fi
if [ ! -h /etc/ssh ]; then
rm -rf /etc/ssh
ln -s /data/ssh /etc/ssh
fi
if [ $RUN_TYPE == "setup" ]; then
echo "Running first start configuration..."
ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
echo "Creating Greenbone Vulnerability system user..."
useradd --home-dir /usr/local/share/gvm gvm
chown gvm:gvm -R /usr/local/share/openvas
chown gvm:gvm -R /usr/local/var/lib/openvas
chown gvm:gvm -R /usr/local/share/gvm
mkdir /usr/local/var/lib/gvm/cert-data
chown gvm:gvm -R /usr/local/var/lib/gvm
chmod 770 -R /usr/local/var/lib/gvm
chown gvm:gvm -R /usr/local/var/log/gvm
chown gvm:gvm -R /usr/local/var/run
fi
if [ $RUN_TYPE == "setup" ]; then
echo "Creating Greenbone Vulnerability Manager database"
su -c "createuser -DRS gvm" postgres
su -c "createdb -O gvm gvmd" postgres
su -c "psql --dbname=gvmd --command='create role dba with superuser noinherit;'" postgres
su -c "psql --dbname=gvmd --command='grant dba to gvm;'" postgres
su -c "psql --dbname=gvmd --command='create extension \"uuid-ossp\";'" postgres
su -c "psql --dbname=gvmd --command='create extension \"pgcrypto\";'" postgres
echo "listen_addresses = '*'" >> /data/database/postgresql.conf
echo "port = 5432" >> /data/database/postgresql.conf
echo "host all all 0.0.0.0/0 md5" >> /data/database/pg_hba.conf
echo "host all all ::/0 md5" >> /data/database/pg_hba.conf
chown postgres:postgres -R /data/database
fi
su -c "gvmd --migrate" gvm
if [ $DB_PASSWORD != "none" ]; then
su -c "psql --dbname=gvmd --command=\"alter user gvm password '$DB_PASSWORD';\"" postgres
fi
if [ ! -d /data/certs ]; then
echo "Creating certs folder..."
mkdir -p /data/certs/CA
mkdir -p /data/certs/private
echo "Generating certs..."
gvm-manage-certs -a
cp /usr/local/var/lib/gvm/CA/* /data/certs/CA/
cp -r /usr/local/var/lib/gvm/private/* /data/certs/private/
chown gvm:gvm -R /data/certs
fi
if [ ! -h /usr/local/var/lib/gvm/CA ]; then
echo "Fixing certs CA folder..."
rm -rf /usr/local/var/lib/gvm/CA
ln -s /data/certs/CA /usr/local/var/lib/gvm/CA
chown gvm:gvm -R /data/certs
chown gvm:gvm -R /usr/local/var/lib/gvm/CA
fi
if [ ! -h /usr/local/var/lib/gvm/private ]; then
echo "Fixing certs private folder..."
rm -rf /usr/local/var/lib/gvm/private
ln -s /data/certs/private /usr/local/var/lib/gvm/private
chown gvm:gvm -R /data/certs
chown gvm:gvm -R /usr/local/var/lib/gvm/private
fi
if [ ! -d /data/plugins ]; then
echo "Creating NVT Plugins folder..."
mkdir /data/plugins
fi
if [ ! -h /usr/local/var/lib/openvas/plugins ]; then
echo "Fixing NVT Plugins folder..."
rm -rf /usr/local/var/lib/openvas/plugins
ln -s /data/plugins /usr/local/var/lib/openvas/plugins
chown gvm:gvm -R /data/plugins
chown gvm:gvm -R /usr/local/var/lib/openvas/plugins
fi
if [ ! -d /data/cert-data ]; then
echo "Creating CERT Feed folder..."
mkdir /data/cert-data
chown gvm:gvm -R /data/cert-data
fi
if [ ! -h /usr/local/var/lib/gvm/cert-data ]; then
echo "Fixing CERT Feed folder..."
rm -rf /usr/local/var/lib/gvm/cert-data
ln -s /data/cert-data /usr/local/var/lib/gvm/cert-data
chown gvm:gvm -R /data/cert-data
chown gvm:gvm -R /usr/local/var/lib/gvm/cert-data
fi
if [ ! -d /data/scap-data ]; then
echo "Creating SCAP Feed folder..."
mkdir /data/scap-data
chown gvm:gvm -R /data/scap-data
fi
if [ ! -h /usr/local/var/lib/gvm/scap-data ]; then
echo "Fixing SCAP Feed folder..."
rm -rf /usr/local/var/lib/gvm/scap-data
ln -s /data/scap-data /usr/local/var/lib/gvm/scap-data
chown gvm:gvm -R /data/scap-data
chown gvm:gvm -R /usr/local/var/lib/gvm/scap-data
fi
if [ ! -d /data/data-objects/gvmd ]; then
echo "Creating GVMd Data Objects folder..."
mkdir -p /data/data-objects/gvmd
fi
if [ ! -h /usr/local/var/lib/gvm/data-objects ]; then
echo "Fixing GVMd Data Objects folder..."
rm -rf /usr/local/var/lib/gvm/data-objects
ln -s /data/data-objects /usr/local/var/lib/gvm/data-objects
chown gvm:gvm -R /data/data-objects
chown gvm:gvm -R /usr/local/var/lib/gvm/data-objects
fi
# Sync NVTs, CERT data, and SCAP data on container start
if [ $RUN_TYPE == "setup" ]; then
/sync-all.sh
fi
###########################
#Remove leftover pid files#
###########################
if [ -f /var/run/ospd.pid ]; then
rm /var/run/ospd.pid
fi
if [ -S /tmp/ospd.sock ]; then
rm /tmp/ospd.sock
fi
if [ ! -d /var/run/ospd ]; then
mkdir /var/run/ospd
fi
echo "Starting Open Scanner Protocol daemon for OpenVAS..."
ospd-openvas --log-file /usr/local/var/log/gvm/ospd-openvas.log --unix-socket /var/run/ospd/ospd.sock --log-level DEBUG
while [ ! -S /var/run/ospd/ospd.sock ]; do
sleep 1
done
chmod 666 /var/run/ospd/ospd.sock
echo "Creating OSPd socket link from old location..."
rm -rf /tmp/ospd.sock
ln -s /var/run/ospd/ospd.sock /tmp/ospd.sock
echo "Starting Greenbone Vulnerability Manager..."
su -c "gvmd" gvm
echo "Waiting for Greenbone Vulnerability Manager to finish startup..."
until su -c "gvmd --get-users" gvm; do
sleep 1
done
if [ ! -f "/data/created_gvm_user" ]; then
echo "Creating Greenbone Vulnerability Manager admin user"
su -c "gvmd --role=\"Super Admin\" --create-user=\"$USERNAME\" --password=\"$PASSWORD\"" gvm
USERSLIST=$(su -c "gvmd --get-users --verbose" gvm)
IFS=' '
read -ra ADDR <<<"$USERSLIST"
echo "${ADDR[1]}"
su -c "gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value ${ADDR[1]}" gvm
touch /data/created_gvm_user
fi
if [ $SSHD == "true" ]; then
echo "Starting OpenSSH Server..."
if [ ! -d /data/scanner-ssh-keys ]; then
echo "Creating scanner SSH keys folder..."
mkdir /data/scanner-ssh-keys
chown gvm:gvm -R /data/scanner-ssh-keys
fi
if [ ! -h /usr/local/share/gvm/.ssh ]; then
echo "Fixing scanner SSH keys folder..."
rm -rf /usr/local/share/gvm/.ssh
ln -s /data/scanner-ssh-keys /usr/local/share/gvm/.ssh
chown gvm:gvm -R /data/scanner-ssh-keys
chown gvm:gvm -R /usr/local/share/gvm/.ssh
fi
if [ ! -d /sockets ]; then
mkdir /sockets
chown gvm:gvm -R /sockets
fi
echo "gvm:gvm" | chpasswd
rm -rf /var/run/sshd
mkdir -p /var/run/sshd
/usr/sbin/sshd -f /sshd_config -E /usr/local/var/log/gvm/sshd.log
fi
if [ $RUN_TYPE == "setup" ]; then
echo "Updating databases.. This may take a while"
grep -m 1 "Updating SCAP info succeeded" <(tail -F /usr/local/var/log/gvm/*)
chmod a+w+r /usr/local/var/run/gvmd.sock
echo "Setup finished"
else
echo "++++++++++++++++++++++++++++++++++++++++++++++"
echo "+ Your GVM 20.04 container is now ready to use! +"
echo "++++++++++++++++++++++++++++++++++++++++++++++"
echo ""
echo "-----------------------------------------------------------"
echo "Server Public key: $(cat /etc/ssh/ssh_host_ed25519_key.pub)"
echo "-----------------------------------------------------------"
echo ""
echo "++++++++++++++++"
echo "+ Tailing logs +"
echo "++++++++++++++++"
tail -F /usr/local/var/log/gvm/*
fi
Raw
sync-all.sh
#!/usr/bin/env bash
echo "Updating NVTs..."
su -c "greenbone-nvt-sync --verbose" gvm && \
echo "Updating GVMd data..." && \
su -c "greenbone-feed-sync --type GVMD_DATA" gvm && \
echo "Updating SCAP data..." && \
su -c "greenbone-scapdata-sync --verbose" gvm && \
echo "Updating CERT data..." && \
su -c "greenbone-certdata-sync --verbose" gvm && \
sleep 10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment