diff options
author | Francesco Colista <fcolista@alpinelinux.org> | 2016-08-18 11:59:23 +0000 |
---|---|---|
committer | Francesco Colista <fcolista@alpinelinux.org> | 2016-08-18 11:59:49 +0000 |
commit | 20c1f7f2330bfd49f9f8a86203aa49b3e34d41a4 (patch) | |
tree | 5dfd8cb78d65085c1f6a43fd01444fa92988a39d /community | |
parent | 0977a30ac83e81c7cbbbefbf41307ad75d7b7787 (diff) | |
download | aports-20c1f7f2330bfd49f9f8a86203aa49b3e34d41a4.tar.bz2 aports-20c1f7f2330bfd49f9f8a86203aa49b3e34d41a4.tar.xz |
community/openvas-scanner: moved from testing
Diffstat (limited to 'community')
-rw-r--r-- | community/openvas-scanner/001-cmakelist-fortify.patch | 21 | ||||
-rw-r--r-- | community/openvas-scanner/002-execinfo-musl-fix.patch | 40 | ||||
-rw-r--r-- | community/openvas-scanner/APKBUILD | 100 | ||||
-rw-r--r-- | community/openvas-scanner/openvas-nvt-sync.cron | 38 | ||||
-rw-r--r-- | community/openvas-scanner/openvas-scanner.post-install | 3 | ||||
-rw-r--r-- | community/openvas-scanner/openvassd.conf | 118 | ||||
-rw-r--r-- | community/openvas-scanner/openvassd.confd | 27 | ||||
-rw-r--r-- | community/openvas-scanner/openvassd.initd | 26 | ||||
-rw-r--r-- | community/openvas-scanner/openvassd.logrotate | 11 |
9 files changed, 384 insertions, 0 deletions
diff --git a/community/openvas-scanner/001-cmakelist-fortify.patch b/community/openvas-scanner/001-cmakelist-fortify.patch new file mode 100644 index 0000000000..e77214f945 --- /dev/null +++ b/community/openvas-scanner/001-cmakelist-fortify.patch @@ -0,0 +1,21 @@ +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 588f5d8..a98929f 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -34,6 +34,7 @@ if (POLICY CMP0005) + endif (POLICY CMP0005) + + include (FindPkgConfig) ++include(CheckIncludeFile) + + if (NOT PKG_CONFIG_FOUND) + message(FATAL_ERROR "pkg-config executable not found. Aborting.") +@@ -225,7 +226,7 @@ configure_file (tools/greenbone-nvt-sync.in tools/greenbone-nvt-sync @ONLY) + + ## Program + +-set (HARDENING_FLAGS "-Wformat -Wformat-security -O2 -D_FORTIFY_SOURCE=2 -fstack-protector -Wl,-z,relro -Wl,-z,now") ++set (HARDENING_FLAGS "-Wformat -Wformat-security -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector -Wl,-z,relro -Wl,-z,now") + + set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -Werror") + set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${HARDENING_FLAGS} -Wall -D_BSD_SOURCE -D_ISOC99_SOURCE -D_SVID_SOURCE -D_DEFAULT_SOURCE") diff --git a/community/openvas-scanner/002-execinfo-musl-fix.patch b/community/openvas-scanner/002-execinfo-musl-fix.patch new file mode 100644 index 0000000000..8fd2164221 --- /dev/null +++ b/community/openvas-scanner/002-execinfo-musl-fix.patch @@ -0,0 +1,40 @@ +diff --git a/src/sighand.c b/src/sighand.c +index 1ebf206..985e470 100644 +--- a/src/sighand.c ++++ b/src/sighand.c +@@ -30,7 +30,10 @@ + #include <errno.h> /* for errno() */ + #include <sys/wait.h> /* for wait() */ + #include <sys/socket.h> /* for shutdown() */ ++ ++#ifdef HAVE_EXECINFO_H + #include <execinfo.h> ++#endif + + #include "log.h" + #include "sighand.h" +@@ -112,6 +115,7 @@ sighand_chld (pid_t pid) + waitpid (pid, &status, WNOHANG); + } + ++#ifdef HAVE_EXECINFO_H + static void + print_trace () + { +@@ -126,13 +130,16 @@ print_trace () + log_write ("%s\n", symbols[i]); + g_free (symbols); + } ++#endif + + void + sighand_segv () + { + signal (SIGSEGV, _exit); + log_write ("SIGSEGV occured !"); ++ #ifdef HAVE_EXECINFO_H + print_trace (); ++ #endif + make_em_die (SIGTERM); + log_close (); + _exit (0); diff --git a/community/openvas-scanner/APKBUILD b/community/openvas-scanner/APKBUILD new file mode 100644 index 0000000000..09b3f3af50 --- /dev/null +++ b/community/openvas-scanner/APKBUILD @@ -0,0 +1,100 @@ +# Contributor: Francesco Colista <fcolista@alpinelinux.org> +# Maintainer: Francesco Colista <fcolista@alpinelinux.org> +pkgname=openvas-scanner +_pkgname=openvassd +pkgver=5.0.5 +_pkgid=2266 +pkgrel=3 +pkgdesc="The OpenVAS scanning Daemon" +url="http://www.openvas.org/" +arch="all" +license="GPL" +depends="redis nmap coreutils openssl" +depends_dev="" +makedepends="$depends_dev cmake openvas-libraries-dev glib-dev + doxygen xmltoman" +install="" +subpackages="$pkgname-doc" +source="http://wald.intevation.org/frs/download.php/$_pkgid/$pkgname-$pkgver.tar.gz + $_pkgname.initd + $_pkgname.confd + $_pkgname.conf + $_pkgname.logrotate + openvas-nvt-sync.cron + 001-cmakelist-fortify.patch + 002-execinfo-musl-fix.patch" + +_builddir="$srcdir"/$pkgname-$pkgver +prepare() { + local i + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} + +build() { + cd "$_builddir" + cmake -DCMAKE_BUILD_TYPE=Release \ + -DSBINDIR=/usr/bin \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DSYSCONFDIR=/etc \ + -DLOCALSTATEDIR=/var . + make || return 1 +} + +package() { + cd "$_builddir" + make DESTDIR="$pkgdir/" install + install -Dm644 "$srcdir/$_pkgname.logrotate" "$pkgdir/etc/logrotate.d/$_pkgname" + install -m755 -D "$srcdir"/$_pkgname.initd "$pkgdir"/etc/init.d/$_pkgname + install -m755 -D "$srcdir"/$_pkgname.confd "$pkgdir"/etc/conf.d/$_pkgname + install -m755 -D "$srcdir"/$_pkgname.conf "$pkgdir"/etc/openvas/$_pkgname.conf + install -Dm744 "$srcdir"/openvas-nvt-sync.cron \ + "$pkgdir"/etc/periodic/daily/openvas-nvt-sync + + mkdir -p "$pkgdir"/usr/share/doc/$_pkgname + cat >"$pkgdir"/usr/share/doc/$_pkgname/README.alpine <<EOF + ** In order to make openvas-scanner daemon start, redis server needs to run and listen to a socket. + ** This is a part of redis.conf that should be adjusted: + + unixsocket /tmp/redis.sock + unixsocketperm 700 + port 0 # prevent redis from listening on a TCP socket + timeout 0 + #DB = 1 + (#of parallel tasks) * (#of parallel hosts) + databases 128 + #CLI = 1 + (#of parallel tasks) * (#of parallel hosts) * (#of concurrent NVTs) + maxclients 512 + ** Further info can be found to: + https://svn.wald.intevation.org/svn/openvas/tags/openvas-scanner-release-$pkgver/doc/redis_config.txt + +EOF +} + +md5sums="8eb30120fa8f5aea3a55c729ca9d4939 openvas-scanner-5.0.5.tar.gz +2343f34f83401016cb01f564e9c6c222 openvassd.initd +2fe5c960c0e5e8db0e438de417a70e7a openvassd.confd +9fbfafb3f5001240d2d869ac3d365adf openvassd.conf +a9e8ef884da6a0b33d3b29867d2ffcea openvassd.logrotate +99ec960c1646038b41dbac7a8073500c openvas-nvt-sync.cron +4ccb1c805294a2ceff8c73bceaa8c064 001-cmakelist-fortify.patch +12dc0fb6e1c1410ade5762744afaab71 002-execinfo-musl-fix.patch" +sha256sums="108d8aba9f53ae58b187cb2e297fc5a3e77ac5c2cd9db421fb20598fdfb2ad0a openvas-scanner-5.0.5.tar.gz +a842a6d29c5bf82296d771cfd44e152616277ed412b66f8a4ade81ac593d5615 openvassd.initd +3664ee9dad3627259dafb9494d4a794ccd184a1aeaba06b3b283a7eccd1ee0b8 openvassd.confd +c01dc363c4423dfa791690b6cef50df8ff46af02bbf008ac07575351ab94e0b3 openvassd.conf +c4623fe22f777e722915b6a4cf19030fa54a1fb18fe2ee074e3fb2a2fe6b81ed openvassd.logrotate +d3666d4cb7b639530a312b1dc49867b3b0de41209ea659924428df2d486cea40 openvas-nvt-sync.cron +11bf3922c6ae25a5ed9fbc0b5c567c8106058ed424ba2c4c50959c44fee8dfd9 001-cmakelist-fortify.patch +b5583f364f5b538634759c1df8f3bcd6b4218adcab2e9d18bdfd1904605ecf6d 002-execinfo-musl-fix.patch" +sha512sums="e439c8abb39e397a9d3842846c09fe7cb13c57294f528ae738bed8f962ac776a10a87d0299145be33b88307a7ab8dcb519808e897457bedba5cf0d02918483c9 openvas-scanner-5.0.5.tar.gz +528fc356c485daf3456e0e8f20ecd7bc93c772dd7afc8ec9d7a485cf89156f433fb4ae29a8b3cac7f126c8fa1ac4ca7f1cc4a10bd2388358fdd2e06a04a3c2e4 openvassd.initd +a47cf3add7a0e14175ccbae1c24c0e63ea7daf92ffa3e4d1bb988a2342e9b1ebfb597f0d20075ad22219dc2970d69e92bf8a3608cc156d4b5ca84723879bac71 openvassd.confd +0d203cd2dfcf0b77ce8d2546235de16f23ea71c7e601db557fcd67e9c8dc460029494f1a146daadb44101ae194d7fa4d511a488bb69094e5470de9e10acf008b openvassd.conf +5934a31ef4b7267fd741c41bb97fe2e1e42735d2324cce07145de1942efae3f5e42e8652ec0c3482dd53477be420a58124eae943f254105547abf065febb9046 openvassd.logrotate +92f1700ba15e04f0d830ac04db8c61bffb06104692fd91386a7f67ad8cc4bd1ea92651207a615c4bc56abc3a6c4f2fcf54fad52779fe5c6169d38f98b83513ea openvas-nvt-sync.cron +0e0087477ec313709c1d84480e9f2896628807010d039eb066627229e7f694434b66ae7f7cd44d379e714bd7ff23458bc46f721e953c2603d568fc350d2f0572 001-cmakelist-fortify.patch +5e63b56fc64867c5973eb3593afcf677dc4da900b20d0f82fa24659010da290c0cfc00fe1e67cd2fadd4c58af3df2059120edeef344eedf213ab8a87a0376e49 002-execinfo-musl-fix.patch" diff --git a/community/openvas-scanner/openvas-nvt-sync.cron b/community/openvas-scanner/openvas-nvt-sync.cron new file mode 100644 index 0000000000..ff1729f9f8 --- /dev/null +++ b/community/openvas-scanner/openvas-nvt-sync.cron @@ -0,0 +1,38 @@ +#!/bin/sh + +if [ -f /etc/openvas/openvassd.conf ]; then + . /etc/openvas/openvassd.conf +fi + +if [ "$auto_plugin_update" != "yes" ]; then + exit 0 +fi + +opts="" +case "$update_method" in + rsync) + opts = "$opts --rsync" + ;; + wget) + opts = "$opts --wget" + ;; + curl) + opts = "$opts --curl" + ;; +esac + +# Export openvas-nvt-sync's environment variables if they are defined +[ \! -z "$NVT_DIR" ] && export NVT_DIR +[ \! -z "$OV_RSYNC_FEED" ] && export OV_RSYNC_FEED +[ \! -z "$OV_HTTP_FEED" ] && export OV_HTTP_FEED + +/usr/sbin/openvas-nvt-sync $opts >& /dev/null + +if [ $? -ne 0 ]; then + echo "Error updating OpenVAS plugins. Please run openvas-nvt-sync manually." + exit 1 +fi + +if [ "$notify_openvas_scanner" == "yes" ]; then + /etc/init.d/openvas-scanner reloadplugins +fi diff --git a/community/openvas-scanner/openvas-scanner.post-install b/community/openvas-scanner/openvas-scanner.post-install new file mode 100644 index 0000000000..1c27c059da --- /dev/null +++ b/community/openvas-scanner/openvas-scanner.post-install @@ -0,0 +1,3 @@ +#!/bin/sh +echo "Remember to modify redis server in order to listen to a socket" +exit 0 diff --git a/community/openvas-scanner/openvassd.conf b/community/openvas-scanner/openvassd.conf new file mode 100644 index 0000000000..88f83f4bed --- /dev/null +++ b/community/openvas-scanner/openvassd.conf @@ -0,0 +1,118 @@ +# Configuration file of the OpenVAS Security Scanner + +# Every line starting with a '#' is a comment + +[Misc] + +# Path to the security checks folder: +plugins_folder = /var/lib/openvas/plugins + +# Path to OpenVAS caching folder: +cache_folder = /var/cache/openvas + +# Path to OpenVAS include directories: +# (multiple entries are separated with colon ':') +include_folders = /var/lib/openvas/plugins + +# Maximum number of simultaneous hosts tested : +max_hosts = 30 + +# Maximum number of simultaneous checks against each host tested : +max_checks = 10 + +# Niceness. If set to 'yes', openvassd will renice itself to 10. +be_nice = no + +# Log file (or 'syslog') : +logfile = /var/log/openvas/openvassd.log + +# Shall we log every details of the attack ? (disk intensive) +log_whole_attack = no + +# Log the name of the plugins that are loaded by the server ? +log_plugins_name_at_load = no + +# Dump file for debugging output, use `-' for stdout +dumpfile = /var/log/openvas/openvassd.dump + +# Rules file : +rules = /etc/openvas/openvassd.rules + +# CGI paths to check for (cgi-bin:/cgi-aws:/ can do) +cgi_path = /cgi-bin:/scripts + +# Range of the ports the port scanners will scan : +# 'default' means that OpenVAS will scan ports found in its +# services file. +port_range = default + +# Optimize the test (recommended) : +optimize_test = yes + +# Optimization : +# Read timeout for the sockets of the tests : +checks_read_timeout = 5 + +# Ports against which two plugins should not be run simultaneously : +# non_simult_ports = Services/www, 139, Services/finger +non_simult_ports = 139, 445 + +# Maximum lifetime of a plugin (in seconds) : +plugins_timeout = 320 + +# Safe checks rely on banner grabbing : +safe_checks = yes + +# Automatically activate the plugins that are depended on +auto_enable_dependencies = yes + +# Do not echo data from plugins which have been automatically enabled +silent_dependencies = no + +# Designate hosts by MAC address, not IP address (useful for DHCP networks) +use_mac_addr = no + + +#--- Knowledge base saving (can be configured by the client) : +# Save the knowledge base on disk : +save_knowledge_base = no + +# Restore the KB for each test : +kb_restore = no + +# Only test hosts whose KB we do not have : +only_test_hosts_whose_kb_we_dont_have = no + +# Only test hosts whose KB we already have : +only_test_hosts_whose_kb_we_have = no + +# KB test replay : +kb_dont_replay_scanners = no +kb_dont_replay_info_gathering = no +kb_dont_replay_attacks = no +kb_dont_replay_denials = no +kb_max_age = 864000 +#--- end of the KB section + + +# If this option is set, OpenVAS will not scan a network incrementally +# (10.0.0.1, then 10.0.0.2, 10.0.0.3 and so on..) but will attempt to +# slice the workload throughout the whole network (ie: it will scan +# 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128 and so on... +slice_network_addresses = no + +# Should consider all the NASL scripts as being signed ? (unsafe if set to 'yes') +nasl_no_signature_check = yes + +#Certificates +cert_file=/var/lib/openvas/CA/servercert.pem +key_file=/var/lib/openvas/private/CA/serverkey.pem +ca_file=/var/lib/openvas/CA/cacert.pem + +# If you decide to protect your private key with a password, +# uncomment and change next line +# pem_password=password +# If you want to force the use of a client certificate, uncomment next line +# force_pubkey_auth = yes + +#end. diff --git a/community/openvas-scanner/openvassd.confd b/community/openvas-scanner/openvassd.confd new file mode 100644 index 0000000000..d48adef151 --- /dev/null +++ b/community/openvas-scanner/openvassd.confd @@ -0,0 +1,27 @@ +#Listen on given address - by default scanner listens on all addresses +#SCANNER_LISTEN=--listen=127.0.0.1 + +#Listen on given port - by default 9391 +SCANNER_PORT=--port=9391 + +#Send the packets with the source IP of IP1,IP2,IP3.... +#SCANNER_SRCIP=--src-ip=127.0.0.1,192.168.1.2 + +# Extra Arguments +# SCANNER_EXTRA_ARGS="" + +# Set to yes if plugins should be automatically updated via a cron job +auto_plugin_update=no + +# Notify OpenVAS scanner after update by seding it SIGHUP? +notify_openvas_scanner=yes + +# Method to use to get updates. The default is via rsync +# Note that only wget and curl support retrieval via proxy +# update_method=rsync|wget|curl + +# Additionaly, you can specify the following variables +#NVT_DIR where to extract plugins (absolute path) +#OV_RSYNC_FEED URL of rsync feed +#OV_HTTP_FEED URL of http feed + diff --git a/community/openvas-scanner/openvassd.initd b/community/openvas-scanner/openvassd.initd new file mode 100644 index 0000000000..4b4de5e515 --- /dev/null +++ b/community/openvas-scanner/openvassd.initd @@ -0,0 +1,26 @@ +#!/sbin/openrc-run +# Copyright 1999-2014 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +name="OpenVAS Scanner" +command="/usr/bin/openvassd" +command_args="${SCANNER_LISTEN} ${SCANNER_PORT} ${SCANNER_SRCIP} ${SCANNER_EXTRA_ARGS}" +pidfile="/run/openvassd.pid" +extra_stopped_commands="create_cache" + +depend() { + after bootmisc + need localmount net +} + +start_pre() { + checkpath --directory --mode 0775 --quiet /var/cache/openvas +} + +create_cache() { + checkpath --directory --mode 0775 --quiet /var/cache/openvas + ebegin "Generating initial Cache" + /usr/bin/openvassd --foreground --only-cache + eend $? +} diff --git a/community/openvas-scanner/openvassd.logrotate b/community/openvas-scanner/openvassd.logrotate new file mode 100644 index 0000000000..9316ba8d96 --- /dev/null +++ b/community/openvas-scanner/openvassd.logrotate @@ -0,0 +1,11 @@ +# logrotate for openvas +/var/log/openvas/openvassd.log { + rotate 4 + weekly + compress + delaycompress + missingok + postrotate + /bin/kill -HUP `pidof openvassd` + endscript +} |