aboutsummaryrefslogtreecommitdiffstats
path: root/community/openvas-scanner
diff options
context:
space:
mode:
Diffstat (limited to 'community/openvas-scanner')
-rw-r--r--community/openvas-scanner/001-cmakelist-fortify.patch21
-rw-r--r--community/openvas-scanner/002-execinfo-musl-fix.patch40
-rw-r--r--community/openvas-scanner/APKBUILD100
-rw-r--r--community/openvas-scanner/openvas-nvt-sync.cron38
-rw-r--r--community/openvas-scanner/openvas-scanner.post-install3
-rw-r--r--community/openvas-scanner/openvassd.conf118
-rw-r--r--community/openvas-scanner/openvassd.confd27
-rw-r--r--community/openvas-scanner/openvassd.initd26
-rw-r--r--community/openvas-scanner/openvassd.logrotate11
9 files changed, 384 insertions, 0 deletions
diff --git a/community/openvas-scanner/001-cmakelist-fortify.patch b/community/openvas-scanner/001-cmakelist-fortify.patch
new file mode 100644
index 0000000000..e77214f945
--- /dev/null
+++ b/community/openvas-scanner/001-cmakelist-fortify.patch
@@ -0,0 +1,21 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 588f5d8..a98929f 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -34,6 +34,7 @@ if (POLICY CMP0005)
+ endif (POLICY CMP0005)
+
+ include (FindPkgConfig)
++include(CheckIncludeFile)
+
+ if (NOT PKG_CONFIG_FOUND)
+ message(FATAL_ERROR "pkg-config executable not found. Aborting.")
+@@ -225,7 +226,7 @@ configure_file (tools/greenbone-nvt-sync.in tools/greenbone-nvt-sync @ONLY)
+
+ ## Program
+
+-set (HARDENING_FLAGS "-Wformat -Wformat-security -O2 -D_FORTIFY_SOURCE=2 -fstack-protector -Wl,-z,relro -Wl,-z,now")
++set (HARDENING_FLAGS "-Wformat -Wformat-security -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector -Wl,-z,relro -Wl,-z,now")
+
+ set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -Werror")
+ set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${HARDENING_FLAGS} -Wall -D_BSD_SOURCE -D_ISOC99_SOURCE -D_SVID_SOURCE -D_DEFAULT_SOURCE")
diff --git a/community/openvas-scanner/002-execinfo-musl-fix.patch b/community/openvas-scanner/002-execinfo-musl-fix.patch
new file mode 100644
index 0000000000..8fd2164221
--- /dev/null
+++ b/community/openvas-scanner/002-execinfo-musl-fix.patch
@@ -0,0 +1,40 @@
+diff --git a/src/sighand.c b/src/sighand.c
+index 1ebf206..985e470 100644
+--- a/src/sighand.c
++++ b/src/sighand.c
+@@ -30,7 +30,10 @@
+ #include <errno.h> /* for errno() */
+ #include <sys/wait.h> /* for wait() */
+ #include <sys/socket.h> /* for shutdown() */
++
++#ifdef HAVE_EXECINFO_H
+ #include <execinfo.h>
++#endif
+
+ #include "log.h"
+ #include "sighand.h"
+@@ -112,6 +115,7 @@ sighand_chld (pid_t pid)
+ waitpid (pid, &status, WNOHANG);
+ }
+
++#ifdef HAVE_EXECINFO_H
+ static void
+ print_trace ()
+ {
+@@ -126,13 +130,16 @@ print_trace ()
+ log_write ("%s\n", symbols[i]);
+ g_free (symbols);
+ }
++#endif
+
+ void
+ sighand_segv ()
+ {
+ signal (SIGSEGV, _exit);
+ log_write ("SIGSEGV occured !");
++ #ifdef HAVE_EXECINFO_H
+ print_trace ();
++ #endif
+ make_em_die (SIGTERM);
+ log_close ();
+ _exit (0);
diff --git a/community/openvas-scanner/APKBUILD b/community/openvas-scanner/APKBUILD
new file mode 100644
index 0000000000..09b3f3af50
--- /dev/null
+++ b/community/openvas-scanner/APKBUILD
@@ -0,0 +1,100 @@
+# Contributor: Francesco Colista <fcolista@alpinelinux.org>
+# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
+pkgname=openvas-scanner
+_pkgname=openvassd
+pkgver=5.0.5
+_pkgid=2266
+pkgrel=3
+pkgdesc="The OpenVAS scanning Daemon"
+url="http://www.openvas.org/"
+arch="all"
+license="GPL"
+depends="redis nmap coreutils openssl"
+depends_dev=""
+makedepends="$depends_dev cmake openvas-libraries-dev glib-dev
+ doxygen xmltoman"
+install=""
+subpackages="$pkgname-doc"
+source="http://wald.intevation.org/frs/download.php/$_pkgid/$pkgname-$pkgver.tar.gz
+ $_pkgname.initd
+ $_pkgname.confd
+ $_pkgname.conf
+ $_pkgname.logrotate
+ openvas-nvt-sync.cron
+ 001-cmakelist-fortify.patch
+ 002-execinfo-musl-fix.patch"
+
+_builddir="$srcdir"/$pkgname-$pkgver
+prepare() {
+ local i
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
+
+build() {
+ cd "$_builddir"
+ cmake -DCMAKE_BUILD_TYPE=Release \
+ -DSBINDIR=/usr/bin \
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DSYSCONFDIR=/etc \
+ -DLOCALSTATEDIR=/var .
+ make || return 1
+}
+
+package() {
+ cd "$_builddir"
+ make DESTDIR="$pkgdir/" install
+ install -Dm644 "$srcdir/$_pkgname.logrotate" "$pkgdir/etc/logrotate.d/$_pkgname"
+ install -m755 -D "$srcdir"/$_pkgname.initd "$pkgdir"/etc/init.d/$_pkgname
+ install -m755 -D "$srcdir"/$_pkgname.confd "$pkgdir"/etc/conf.d/$_pkgname
+ install -m755 -D "$srcdir"/$_pkgname.conf "$pkgdir"/etc/openvas/$_pkgname.conf
+ install -Dm744 "$srcdir"/openvas-nvt-sync.cron \
+ "$pkgdir"/etc/periodic/daily/openvas-nvt-sync
+
+ mkdir -p "$pkgdir"/usr/share/doc/$_pkgname
+ cat >"$pkgdir"/usr/share/doc/$_pkgname/README.alpine <<EOF
+ ** In order to make openvas-scanner daemon start, redis server needs to run and listen to a socket.
+ ** This is a part of redis.conf that should be adjusted:
+
+ unixsocket /tmp/redis.sock
+ unixsocketperm 700
+ port 0 # prevent redis from listening on a TCP socket
+ timeout 0
+ #DB = 1 + (#of parallel tasks) * (#of parallel hosts)
+ databases 128
+ #CLI = 1 + (#of parallel tasks) * (#of parallel hosts) * (#of concurrent NVTs)
+ maxclients 512
+ ** Further info can be found to:
+ https://svn.wald.intevation.org/svn/openvas/tags/openvas-scanner-release-$pkgver/doc/redis_config.txt
+
+EOF
+}
+
+md5sums="8eb30120fa8f5aea3a55c729ca9d4939 openvas-scanner-5.0.5.tar.gz
+2343f34f83401016cb01f564e9c6c222 openvassd.initd
+2fe5c960c0e5e8db0e438de417a70e7a openvassd.confd
+9fbfafb3f5001240d2d869ac3d365adf openvassd.conf
+a9e8ef884da6a0b33d3b29867d2ffcea openvassd.logrotate
+99ec960c1646038b41dbac7a8073500c openvas-nvt-sync.cron
+4ccb1c805294a2ceff8c73bceaa8c064 001-cmakelist-fortify.patch
+12dc0fb6e1c1410ade5762744afaab71 002-execinfo-musl-fix.patch"
+sha256sums="108d8aba9f53ae58b187cb2e297fc5a3e77ac5c2cd9db421fb20598fdfb2ad0a openvas-scanner-5.0.5.tar.gz
+a842a6d29c5bf82296d771cfd44e152616277ed412b66f8a4ade81ac593d5615 openvassd.initd
+3664ee9dad3627259dafb9494d4a794ccd184a1aeaba06b3b283a7eccd1ee0b8 openvassd.confd
+c01dc363c4423dfa791690b6cef50df8ff46af02bbf008ac07575351ab94e0b3 openvassd.conf
+c4623fe22f777e722915b6a4cf19030fa54a1fb18fe2ee074e3fb2a2fe6b81ed openvassd.logrotate
+d3666d4cb7b639530a312b1dc49867b3b0de41209ea659924428df2d486cea40 openvas-nvt-sync.cron
+11bf3922c6ae25a5ed9fbc0b5c567c8106058ed424ba2c4c50959c44fee8dfd9 001-cmakelist-fortify.patch
+b5583f364f5b538634759c1df8f3bcd6b4218adcab2e9d18bdfd1904605ecf6d 002-execinfo-musl-fix.patch"
+sha512sums="e439c8abb39e397a9d3842846c09fe7cb13c57294f528ae738bed8f962ac776a10a87d0299145be33b88307a7ab8dcb519808e897457bedba5cf0d02918483c9 openvas-scanner-5.0.5.tar.gz
+528fc356c485daf3456e0e8f20ecd7bc93c772dd7afc8ec9d7a485cf89156f433fb4ae29a8b3cac7f126c8fa1ac4ca7f1cc4a10bd2388358fdd2e06a04a3c2e4 openvassd.initd
+a47cf3add7a0e14175ccbae1c24c0e63ea7daf92ffa3e4d1bb988a2342e9b1ebfb597f0d20075ad22219dc2970d69e92bf8a3608cc156d4b5ca84723879bac71 openvassd.confd
+0d203cd2dfcf0b77ce8d2546235de16f23ea71c7e601db557fcd67e9c8dc460029494f1a146daadb44101ae194d7fa4d511a488bb69094e5470de9e10acf008b openvassd.conf
+5934a31ef4b7267fd741c41bb97fe2e1e42735d2324cce07145de1942efae3f5e42e8652ec0c3482dd53477be420a58124eae943f254105547abf065febb9046 openvassd.logrotate
+92f1700ba15e04f0d830ac04db8c61bffb06104692fd91386a7f67ad8cc4bd1ea92651207a615c4bc56abc3a6c4f2fcf54fad52779fe5c6169d38f98b83513ea openvas-nvt-sync.cron
+0e0087477ec313709c1d84480e9f2896628807010d039eb066627229e7f694434b66ae7f7cd44d379e714bd7ff23458bc46f721e953c2603d568fc350d2f0572 001-cmakelist-fortify.patch
+5e63b56fc64867c5973eb3593afcf677dc4da900b20d0f82fa24659010da290c0cfc00fe1e67cd2fadd4c58af3df2059120edeef344eedf213ab8a87a0376e49 002-execinfo-musl-fix.patch"
diff --git a/community/openvas-scanner/openvas-nvt-sync.cron b/community/openvas-scanner/openvas-nvt-sync.cron
new file mode 100644
index 0000000000..ff1729f9f8
--- /dev/null
+++ b/community/openvas-scanner/openvas-nvt-sync.cron
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+if [ -f /etc/openvas/openvassd.conf ]; then
+ . /etc/openvas/openvassd.conf
+fi
+
+if [ "$auto_plugin_update" != "yes" ]; then
+ exit 0
+fi
+
+opts=""
+case "$update_method" in
+ rsync)
+ opts = "$opts --rsync"
+ ;;
+ wget)
+ opts = "$opts --wget"
+ ;;
+ curl)
+ opts = "$opts --curl"
+ ;;
+esac
+
+# Export openvas-nvt-sync's environment variables if they are defined
+[ \! -z "$NVT_DIR" ] && export NVT_DIR
+[ \! -z "$OV_RSYNC_FEED" ] && export OV_RSYNC_FEED
+[ \! -z "$OV_HTTP_FEED" ] && export OV_HTTP_FEED
+
+/usr/sbin/openvas-nvt-sync $opts >& /dev/null
+
+if [ $? -ne 0 ]; then
+ echo "Error updating OpenVAS plugins. Please run openvas-nvt-sync manually."
+ exit 1
+fi
+
+if [ "$notify_openvas_scanner" == "yes" ]; then
+ /etc/init.d/openvas-scanner reloadplugins
+fi
diff --git a/community/openvas-scanner/openvas-scanner.post-install b/community/openvas-scanner/openvas-scanner.post-install
new file mode 100644
index 0000000000..1c27c059da
--- /dev/null
+++ b/community/openvas-scanner/openvas-scanner.post-install
@@ -0,0 +1,3 @@
+#!/bin/sh
+echo "Remember to modify redis server in order to listen to a socket"
+exit 0
diff --git a/community/openvas-scanner/openvassd.conf b/community/openvas-scanner/openvassd.conf
new file mode 100644
index 0000000000..88f83f4bed
--- /dev/null
+++ b/community/openvas-scanner/openvassd.conf
@@ -0,0 +1,118 @@
+# Configuration file of the OpenVAS Security Scanner
+
+# Every line starting with a '#' is a comment
+
+[Misc]
+
+# Path to the security checks folder:
+plugins_folder = /var/lib/openvas/plugins
+
+# Path to OpenVAS caching folder:
+cache_folder = /var/cache/openvas
+
+# Path to OpenVAS include directories:
+# (multiple entries are separated with colon ':')
+include_folders = /var/lib/openvas/plugins
+
+# Maximum number of simultaneous hosts tested :
+max_hosts = 30
+
+# Maximum number of simultaneous checks against each host tested :
+max_checks = 10
+
+# Niceness. If set to 'yes', openvassd will renice itself to 10.
+be_nice = no
+
+# Log file (or 'syslog') :
+logfile = /var/log/openvas/openvassd.log
+
+# Shall we log every details of the attack ? (disk intensive)
+log_whole_attack = no
+
+# Log the name of the plugins that are loaded by the server ?
+log_plugins_name_at_load = no
+
+# Dump file for debugging output, use `-' for stdout
+dumpfile = /var/log/openvas/openvassd.dump
+
+# Rules file :
+rules = /etc/openvas/openvassd.rules
+
+# CGI paths to check for (cgi-bin:/cgi-aws:/ can do)
+cgi_path = /cgi-bin:/scripts
+
+# Range of the ports the port scanners will scan :
+# 'default' means that OpenVAS will scan ports found in its
+# services file.
+port_range = default
+
+# Optimize the test (recommended) :
+optimize_test = yes
+
+# Optimization :
+# Read timeout for the sockets of the tests :
+checks_read_timeout = 5
+
+# Ports against which two plugins should not be run simultaneously :
+# non_simult_ports = Services/www, 139, Services/finger
+non_simult_ports = 139, 445
+
+# Maximum lifetime of a plugin (in seconds) :
+plugins_timeout = 320
+
+# Safe checks rely on banner grabbing :
+safe_checks = yes
+
+# Automatically activate the plugins that are depended on
+auto_enable_dependencies = yes
+
+# Do not echo data from plugins which have been automatically enabled
+silent_dependencies = no
+
+# Designate hosts by MAC address, not IP address (useful for DHCP networks)
+use_mac_addr = no
+
+
+#--- Knowledge base saving (can be configured by the client) :
+# Save the knowledge base on disk :
+save_knowledge_base = no
+
+# Restore the KB for each test :
+kb_restore = no
+
+# Only test hosts whose KB we do not have :
+only_test_hosts_whose_kb_we_dont_have = no
+
+# Only test hosts whose KB we already have :
+only_test_hosts_whose_kb_we_have = no
+
+# KB test replay :
+kb_dont_replay_scanners = no
+kb_dont_replay_info_gathering = no
+kb_dont_replay_attacks = no
+kb_dont_replay_denials = no
+kb_max_age = 864000
+#--- end of the KB section
+
+
+# If this option is set, OpenVAS will not scan a network incrementally
+# (10.0.0.1, then 10.0.0.2, 10.0.0.3 and so on..) but will attempt to
+# slice the workload throughout the whole network (ie: it will scan
+# 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128 and so on...
+slice_network_addresses = no
+
+# Should consider all the NASL scripts as being signed ? (unsafe if set to 'yes')
+nasl_no_signature_check = yes
+
+#Certificates
+cert_file=/var/lib/openvas/CA/servercert.pem
+key_file=/var/lib/openvas/private/CA/serverkey.pem
+ca_file=/var/lib/openvas/CA/cacert.pem
+
+# If you decide to protect your private key with a password,
+# uncomment and change next line
+# pem_password=password
+# If you want to force the use of a client certificate, uncomment next line
+# force_pubkey_auth = yes
+
+#end.
diff --git a/community/openvas-scanner/openvassd.confd b/community/openvas-scanner/openvassd.confd
new file mode 100644
index 0000000000..d48adef151
--- /dev/null
+++ b/community/openvas-scanner/openvassd.confd
@@ -0,0 +1,27 @@
+#Listen on given address - by default scanner listens on all addresses
+#SCANNER_LISTEN=--listen=127.0.0.1
+
+#Listen on given port - by default 9391
+SCANNER_PORT=--port=9391
+
+#Send the packets with the source IP of IP1,IP2,IP3....
+#SCANNER_SRCIP=--src-ip=127.0.0.1,192.168.1.2
+
+# Extra Arguments
+# SCANNER_EXTRA_ARGS=""
+
+# Set to yes if plugins should be automatically updated via a cron job
+auto_plugin_update=no
+
+# Notify OpenVAS scanner after update by seding it SIGHUP?
+notify_openvas_scanner=yes
+
+# Method to use to get updates. The default is via rsync
+# Note that only wget and curl support retrieval via proxy
+# update_method=rsync|wget|curl
+
+# Additionaly, you can specify the following variables
+#NVT_DIR where to extract plugins (absolute path)
+#OV_RSYNC_FEED URL of rsync feed
+#OV_HTTP_FEED URL of http feed
+
diff --git a/community/openvas-scanner/openvassd.initd b/community/openvas-scanner/openvassd.initd
new file mode 100644
index 0000000000..4b4de5e515
--- /dev/null
+++ b/community/openvas-scanner/openvassd.initd
@@ -0,0 +1,26 @@
+#!/sbin/openrc-run
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+name="OpenVAS Scanner"
+command="/usr/bin/openvassd"
+command_args="${SCANNER_LISTEN} ${SCANNER_PORT} ${SCANNER_SRCIP} ${SCANNER_EXTRA_ARGS}"
+pidfile="/run/openvassd.pid"
+extra_stopped_commands="create_cache"
+
+depend() {
+ after bootmisc
+ need localmount net
+}
+
+start_pre() {
+ checkpath --directory --mode 0775 --quiet /var/cache/openvas
+}
+
+create_cache() {
+ checkpath --directory --mode 0775 --quiet /var/cache/openvas
+ ebegin "Generating initial Cache"
+ /usr/bin/openvassd --foreground --only-cache
+ eend $?
+}
diff --git a/community/openvas-scanner/openvassd.logrotate b/community/openvas-scanner/openvassd.logrotate
new file mode 100644
index 0000000000..9316ba8d96
--- /dev/null
+++ b/community/openvas-scanner/openvassd.logrotate
@@ -0,0 +1,11 @@
+# logrotate for openvas
+/var/log/openvas/openvassd.log {
+ rotate 4
+ weekly
+ compress
+ delaycompress
+ missingok
+ postrotate
+ /bin/kill -HUP `pidof openvassd`
+ endscript
+}