From 5d3ff181e96e7b45ddb10568cc0d2db9d5a8c85f Mon Sep 17 00:00:00 2001
From: Francesco Colista
Date: Thu, 18 Aug 2016 12:26:10 +0000
Subject: Revert "community/openvas-scanner: moved from testing"

This reverts commit 20c1f7f2330bfd49f9f8a86203aa49b3e34d41a4.
---
 .../openvas-scanner/001-cmakelist-fortify.patch | 21 ++++
 .../openvas-scanner/002-execinfo-musl-fix.patch | 40 +++++++
 testing/openvas-scanner/APKBUILD | 100 +++++++++++++++++
 testing/openvas-scanner/openvas-nvt-sync.cron | 38 +++++++
 .../openvas-scanner/openvas-scanner.post-install | 3 +
 testing/openvas-scanner/openvassd.conf | 118 +++++++++++++++++++++
 testing/openvas-scanner/openvassd.confd | 27 +++++
 testing/openvas-scanner/openvassd.initd | 26 +++++
 testing/openvas-scanner/openvassd.logrotate | 11 ++
 9 files changed, 384 insertions(+)
 create mode 100644 testing/openvas-scanner/001-cmakelist-fortify.patch
 create mode 100644 testing/openvas-scanner/002-execinfo-musl-fix.patch
 create mode 100644 testing/openvas-scanner/APKBUILD
 create mode 100644 testing/openvas-scanner/openvas-nvt-sync.cron
 create mode 100644 testing/openvas-scanner/openvas-scanner.post-install
 create mode 100644 testing/openvas-scanner/openvassd.conf
 create mode 100644 testing/openvas-scanner/openvassd.confd
 create mode 100644 testing/openvas-scanner/openvassd.initd
 create mode 100644 testing/openvas-scanner/openvassd.logrotate

(limited to 'testing')

diff --git a/testing/openvas-scanner/001-cmakelist-fortify.patch b/testing/openvas-scanner/001-cmakelist-fortify.patch
new file mode 100644
index 0000000000..e77214f945
--- /dev/null
+++ b/testing/openvas-scanner/001-cmakelist-fortify.patch
@@ -0,0 +1,21 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 588f5d8..a98929f 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -34,6 +34,7 @@ if (POLICY CMP0005)
+ endif (POLICY CMP0005)
+ 
+ include (FindPkgConfig)
++include(CheckIncludeFile)
+ 
+ if (NOT PKG_CONFIG_FOUND)
+ message(FATAL_ERROR "pkg-config executable not found. Aborting.")
+@@ -225,7 +226,7 @@ configure_file (tools/greenbone-nvt-sync.in tools/greenbone-nvt-sync @ONLY)
+ 
+ ## Program
+ 
+-set (HARDENING_FLAGS "-Wformat -Wformat-security -O2 -D_FORTIFY_SOURCE=2 -fstack-protector -Wl,-z,relro -Wl,-z,now")
++set (HARDENING_FLAGS "-Wformat -Wformat-security -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector -Wl,-z,relro -Wl,-z,now")
+ 
+ set (CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} -Werror")
+ set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${HARDENING_FLAGS} -Wall -D_BSD_SOURCE -D_ISOC99_SOURCE -D_SVID_SOURCE -D_DEFAULT_SOURCE")
diff --git a/testing/openvas-scanner/002-execinfo-musl-fix.patch b/testing/openvas-scanner/002-execinfo-musl-fix.patch
new file mode 100644
index 0000000000..8fd2164221
--- /dev/null
+++ b/testing/openvas-scanner/002-execinfo-musl-fix.patch
@@ -0,0 +1,40 @@
+diff --git a/src/sighand.c b/src/sighand.c
+index 1ebf206..985e470 100644
+--- a/src/sighand.c
++++ b/src/sighand.c
+@@ -30,7 +30,10 @@
+ #include /* for errno() */
+ #include /* for wait() */
+ #include /* for shutdown() */
++
++#ifdef HAVE_EXECINFO_H
+ #include
++#endif
+ 
+ #include "log.h"
+ #include "sighand.h"
+@@ -112,6 +115,7 @@ sighand_chld (pid_t pid)
+ waitpid (pid, &status, WNOHANG);
+ }
+ 
++#ifdef HAVE_EXECINFO_H
+ static void
+ print_trace ()
+ {
+@@ -126,13 +130,16 @@ print_trace ()
+ log_write ("%s\n", symbols[i]);
+ g_free (symbols);
+ }
++#endif
+ 
+ void
+ sighand_segv ()
+ {
+ signal (SIGSEGV, _exit);
+ log_write ("SIGSEGV occured !");
++ #ifdef HAVE_EXECINFO_H
+ print_trace ();
++ #endif
+ make_em_die (SIGTERM);
+ log_close ();
+ _exit (0);
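Review bot: The patch adds `include(CheckIncludeFile)` but no `check_include_file(execinfo.h HAVE_EXECINFO_H)` call and no matching `add_definitions` or config-header entry is visible, while 002-execinfo-musl-fix.patch compiles the SIGSEGV backtrace only under `#ifdef HAVE_EXECINFO_H`. Unless the macro is defined in a part of CMakeLists.txt this patch does not touch, `print_trace` is silently compiled out on every libc, not just musl; adding `check_include_file(execinfo.h HAVE_EXECINFO_H)` directly after the new include, followed by `if (HAVE_EXECINFO_H) add_definitions(-DHAVE_EXECINFO_H) endif ()`, would make the guard do what the patch name promises. The `-U_FORTIFY_SOURCE` added to HARDENING_FLAGS is presumably there to avoid a macro-redefinition warning on a toolchain that predefines the macro, but the patch does not say so; a one-line comment above the `set (HARDENING_FLAGS ...)` line recording that reason would stop the next maintainer from dropping it. The same HAVE_EXECINFO_H point applies to the 002 patch hunk that follows.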
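Review bot: The two directives added inside `sighand_segv` are written `+ #ifdef HAVE_EXECINFO_H` and `+ #endif`, indented by a space, while the three file-scope guards the same patch adds sit at column 0; keeping `#ifdef HAVE_EXECINFO_H` and `#endif` at column 0 inside the function too would match the rest of the patch. The patch file carries no description, so the reason for the change lives only in its filename; a first line such as `# musl has no execinfo.h: only build the backtrace helper when the header is available` would record it. The `#include` lines in this copy have lost their header names, which looks like an extraction artifact of the page rather than part of the change.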
diff --git a/testing/openvas-scanner/APKBUILD b/testing/openvas-scanner/APKBUILD
new file mode 100644
index 0000000000..09b3f3af50
--- /dev/null
+++ b/testing/openvas-scanner/APKBUILD
@@ -0,0 +1,100 @@
+# Contributor: Francesco Colista
+# Maintainer: Francesco Colista
+pkgname=openvas-scanner
+_pkgname=openvassd
+pkgver=5.0.5
+_pkgid=2266
+pkgrel=3
+pkgdesc="The OpenVAS scanning Daemon"
+url="http://www.openvas.org/"
+arch="all"
+license="GPL"
+depends="redis nmap coreutils openssl"
+depends_dev=""
+makedepends="$depends_dev cmake openvas-libraries-dev glib-dev
+ doxygen xmltoman"
+install=""
+subpackages="$pkgname-doc"
+source="http://wald.intevation.org/frs/download.php/$_pkgid/$pkgname-$pkgver.tar.gz
+ $_pkgname.initd
+ $_pkgname.confd
+ $_pkgname.conf
+ $_pkgname.logrotate
+ openvas-nvt-sync.cron
+ 001-cmakelist-fortify.patch
+ 002-execinfo-musl-fix.patch"
+
+_builddir="$srcdir"/$pkgname-$pkgver
+prepare() {
+ local i
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
+
+build() {
+ cd "$_builddir"
+ cmake -DCMAKE_BUILD_TYPE=Release \
+ -DSBINDIR=/usr/bin \
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DSYSCONFDIR=/etc \
+ -DLOCALSTATEDIR=/var .
+ make || return 1
+}
+
+package() {
+ cd "$_builddir"
+ make DESTDIR="$pkgdir/" install
+ install -Dm644 "$srcdir/$_pkgname.logrotate" "$pkgdir/etc/logrotate.d/$_pkgname"
+ install -m755 -D "$srcdir"/$_pkgname.initd "$pkgdir"/etc/init.d/$_pkgname
+ install -m755 -D "$srcdir"/$_pkgname.confd "$pkgdir"/etc/conf.d/$_pkgname
+ install -m755 -D "$srcdir"/$_pkgname.conf "$pkgdir"/etc/openvas/$_pkgname.conf
+ install -Dm744 "$srcdir"/openvas-nvt-sync.cron \
+ "$pkgdir"/etc/periodic/daily/openvas-nvt-sync
+
+ mkdir -p "$pkgdir"/usr/share/doc/$_pkgname
+ cat >"$pkgdir"/usr/share/doc/$_pkgname/README.alpine <& /dev/null
+
+if [ $? -ne 0 ]; then
+ echo "Error updating OpenVAS plugins. Please run openvas-nvt-sync manually."
+ exit 1
+fi
+
+if [ "$notify_openvas_scanner" == "yes" ]; then
+ /etc/init.d/openvas-scanner reloadplugins
+fi
diff --git a/testing/openvas-scanner/openvas-scanner.post-install b/testing/openvas-scanner/openvas-scanner.post-install
new file mode 100644
index 0000000000..1c27c059da
--- /dev/null
+++ b/testing/openvas-scanner/openvas-scanner.post-install
@@ -0,0 +1,3 @@
+#!/bin/sh
+echo "Remember to modify redis server in order to listen to a socket"
+exit 0
diff --git a/testing/openvas-scanner/openvassd.conf b/testing/openvas-scanner/openvassd.conf
new file mode 100644
index 0000000000..88f83f4bed
--- /dev/null
+++ b/testing/openvas-scanner/openvassd.conf
@@ -0,0 +1,118 @@
+# Configuration file of the OpenVAS Security Scanner
+
+# Every line starting with a '#' is a comment
+
+[Misc]
+
+# Path to the security checks folder:
+plugins_folder = /var/lib/openvas/plugins
+
+# Path to OpenVAS caching folder:
+cache_folder = /var/cache/openvas
+
+# Path to OpenVAS include directories:
+# (multiple entries are separated with colon ':')
+include_folders = /var/lib/openvas/plugins
+
+# Maximum number of simultaneous hosts tested :
+max_hosts = 30
+
+# Maximum number of simultaneous checks against each host tested :
+max_checks = 10
+
+# Niceness. If set to 'yes', openvassd will renice itself to 10.
+be_nice = no
+
+# Log file (or 'syslog') :
+logfile = /var/log/openvas/openvassd.log
+
+# Shall we log every details of the attack ? (disk intensive)
+log_whole_attack = no
+
+# Log the name of the plugins that are loaded by the server ?
+log_plugins_name_at_load = no
+
+# Dump file for debugging output, use `-' for stdout
+dumpfile = /var/log/openvas/openvassd.dump
+
+# Rules file :
+rules = /etc/openvas/openvassd.rules
+
+# CGI paths to check for (cgi-bin:/cgi-aws:/ can do)
+cgi_path = /cgi-bin:/scripts
+
+# Range of the ports the port scanners will scan :
+# 'default' means that OpenVAS will scan ports found in its
+# services file.
+port_range = default
+
+# Optimize the test (recommended) :
+optimize_test = yes
+
+# Optimization :
+# Read timeout for the sockets of the tests :
+checks_read_timeout = 5
+
+# Ports against which two plugins should not be run simultaneously :
+# non_simult_ports = Services/www, 139, Services/finger
+non_simult_ports = 139, 445
+
+# Maximum lifetime of a plugin (in seconds) :
+plugins_timeout = 320
+
+# Safe checks rely on banner grabbing :
+safe_checks = yes
+
+# Automatically activate the plugins that are depended on
+auto_enable_dependencies = yes
+
+# Do not echo data from plugins which have been automatically enabled
+silent_dependencies = no
+
+# Designate hosts by MAC address, not IP address (useful for DHCP networks)
+use_mac_addr = no
+
+
+#--- Knowledge base saving (can be configured by the client) :
+# Save the knowledge base on disk :
+save_knowledge_base = no
+
+# Restore the KB for each test :
+kb_restore = no
+
+# Only test hosts whose KB we do not have :
+only_test_hosts_whose_kb_we_dont_have = no
+
+# Only test hosts whose KB we already have :
+only_test_hosts_whose_kb_we_have = no
+
+# KB test replay :
+kb_dont_replay_scanners = no
+kb_dont_replay_info_gathering = no
+kb_dont_replay_attacks = no
+kb_dont_replay_denials = no
+kb_max_age = 864000
+#--- end of the KB section
+
+
+# If this option is set, OpenVAS will not scan a network incrementally
+# (10.0.0.1, then 10.0.0.2, 10.0.0.3 and so on..) but will attempt to
+# slice the workload throughout the whole network (ie: it will scan
+# 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128 and so on...
+slice_network_addresses = no
+
+# Should consider all the NASL scripts as being signed ? (unsafe if set to 'yes')
+nasl_no_signature_check = yes
+
+#Certificates
+cert_file=/var/lib/openvas/CA/servercert.pem
+key_file=/var/lib/openvas/private/CA/serverkey.pem
+ca_file=/var/lib/openvas/CA/cacert.pem
+
+# If you decide to protect your private key with a password,
+# uncomment and change next line
+# pem_password=password
+# If you want to force the use of a client certificate, uncomment next line
+# force_pubkey_auth = yes
+
+#end.
diff --git a/testing/openvas-scanner/openvassd.confd b/testing/openvas-scanner/openvassd.confd
new file mode 100644
index 0000000000..d48adef151
--- /dev/null
+++ b/testing/openvas-scanner/openvassd.confd
@@ -0,0 +1,27 @@
+#Listen on given address - by default scanner listens on all addresses
+#SCANNER_LISTEN=--listen=127.0.0.1
+
+#Listen on given port - by default 9391
+SCANNER_PORT=--port=9391
+
+#Send the packets with the source IP of IP1,IP2,IP3....
+#SCANNER_SRCIP=--src-ip=127.0.0.1,192.168.1.2
+
+# Extra Arguments
+# SCANNER_EXTRA_ARGS=""
+
+# Set to yes if plugins should be automatically updated via a cron job
+auto_plugin_update=no
+
+# Notify OpenVAS scanner after update by seding it SIGHUP?
+notify_openvas_scanner=yes
+
+# Method to use to get updates. The default is via rsync
+# Note that only wget and curl support retrieval via proxy
+# update_method=rsync|wget|curl
+
+# Additionaly, you can specify the following variables
+#NVT_DIR where to extract plugins (absolute path)
+#OV_RSYNC_FEED URL of rsync feed
+#OV_HTTP_FEED URL of http feed
+
diff --git a/testing/openvas-scanner/openvassd.initd b/testing/openvas-scanner/openvassd.initd
new file mode 100644
index 0000000000..4b4de5e515
--- /dev/null
+++ b/testing/openvas-scanner/openvassd.initd
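Review bot: `nasl_no_signature_check = yes` ships the scanner with NASL script signature checking switched off, and the comment directly above it already calls that setting unsafe; the packaged default should be `nasl_no_signature_check = no`, so that scripts under /var/lib/openvas/plugins that do not carry a valid signature are not treated as trusted, leaving the opt-out to the administrator. The same file names `key_file=/var/lib/openvas/private/CA/serverkey.pem` and documents an optional `pem_password=` entry, yet the APKBUILD in this commit installs it with `install -m755 -D "$srcdir"/$_pkgname.conf ...`; `-m644` (or `-m640` with an owner group) is the appropriate mode for a configuration file that may hold a key passphrase, and the same applies to the `.confd` install line. Minor wording: `# Shall we log every details of the attack ?` would read better as `# Shall we log every detail of the attack ?`.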
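Review bot: `SCANNER_LISTEN` is left commented out, so the shipped default is what the first comment describes, listening on all addresses on port 9391; for a service that exposes scanning capability, shipping `SCANNER_LISTEN=--listen=127.0.0.1` uncommented and letting the administrator widen it when the manager runs on another host is the safer default, and the cron script in this commit does not depend on the bind address. Two typos in comments: `seding` should be `sending` and `Additionaly` should be `Additionally`.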
@@ -0,0 +1,26 @@
+#!/sbin/openrc-run
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+name="OpenVAS Scanner"
+command="/usr/bin/openvassd"
+command_args="${SCANNER_LISTEN} ${SCANNER_PORT} ${SCANNER_SRCIP} ${SCANNER_EXTRA_ARGS}"
+pidfile="/run/openvassd.pid"
+extra_stopped_commands="create_cache"
+
+depend() {
+ after bootmisc
+ need localmount net
+}
+
+start_pre() {
+ checkpath --directory --mode 0775 --quiet /var/cache/openvas
+}
+
+create_cache() {
+ checkpath --directory --mode 0775 --quiet /var/cache/openvas
+ ebegin "Generating initial Cache"
+ /usr/bin/openvassd --foreground --only-cache
+ eend $?
+}
diff --git a/testing/openvas-scanner/openvassd.logrotate b/testing/openvas-scanner/openvassd.logrotate
new file mode 100644
index 0000000000..9316ba8d96
--- /dev/null
+++ b/testing/openvas-scanner/openvassd.logrotate
@@ -0,0 +1,11 @@
+# logrotate for openvas
+/var/log/openvas/openvassd.log {
+ rotate 4
+ weekly
+ compress
+ delaycompress
+ missingok
+ postrotate
+ /bin/kill -HUP `pidof openvassd`
+ endscript
+}
-- 
cgit v1.2.3
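Review bot: `create_cache` repeats the `checkpath --directory --mode 0775 --quiet /var/cache/openvas` line from `start_pre` verbatim; calling `start_pre` at the top of `create_cache` keeps the cache-directory policy in one place. `pidfile="/run/openvassd.pid"` is declared, but nothing in `command_args` or `start_pre` tells openvassd where to write it, so whether openrc can locate the daemon for `stop` rests on openvassd's own default, which is not visible here; a comment such as `# openvassd is expected to write /run/openvassd.pid itself — confirm on upgrade` or an explicit pid-file argument would document that assumption. `checkpath` is also run without `--owner`, so the cache directory is root-owned with mode 0775; if the daemon is meant to run unprivileged at some point, the owner should be stated here.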
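Review bot: The `postrotate` command built on `pidof openvassd` fails with a usage error, and logrotate reports the script as failed, whenever the daemon is not running; it also signals every process whose name is openvassd, which, if the daemon forks workers under the same name, would include them rather than only the listener. Using the pid file the init script in this commit declares, `/bin/kill -HUP $(cat /run/openvassd.pid) 2>/dev/null || true`, targets the parent process only and tolerates a stopped daemon.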